nac_bypass开源项目

我要开发同款
匿名用户2021年11月09日
51阅读
开发技术SHELL
所属分类终端/远程登录、应用工具
授权协议MIT License

作品详情

bypass/nac_bypassRequirements

ThebasicrequirementforanNACbypassisaccesstoadevicethathasalreadybeenauthenticated.Thisdeviceisusedtologintothenetworkandthensmuggleinnetworkpackagesfromadifferentdevice.Thisinvolvesplacingtheattacker’ssystembetweenthenetworkswitchandtheauthenticateddevice.OnewaytodothisiswithaRaspberryPiandtwonetworkadapters.

Installation

TheNACkeredscriptandournac_bypass_setup.shsolutionwerewrittenandtestedonDebian-basedLinuxdistributions,butbothshouldbeexecutableonotherLinuxdistributionsaswell.Thefollowingsoftwarepackagesarerequired:

Installtools,onDebian-likedistros:bridge-utilsmacchangerarptablesebtablesiptablesnet-toolstcpdumpLoadkernelmodule:modprobebr_netfilterPersistkernelmodule:br_netfilterinto/etc/modules

Forarptables,iptablesandebtables,makesurenottouseNetfilterxtabletools(nft),orthescriptwillnotworkasdesired.

Thenac_bypass_setup.shscripthasthefollowingparameters:

nac_bypass_setup.shv0.6.4usage:-1<eth>networkinterfacepluggedintoswitch-2<eth>networkinterfacepluggedintovictimmachine-aautonomousmode-cstartconnectionsetuponly-g<MAC>setgatewayMACaddress(GWMAC)manually-hdisplaythishelp-istartinitialsetuponly-rresetallsettings-RenableportredirectionforResponder.py-SenableportredirectionforOpenSSHandstarttheservice

Theparameters-1and-2definewhichnetworkadapterswillbeused.Youcanalsoeditthemdirectlyinthescript:-asuppressestheoutputofthescript’sloganddebugginginformationandnomanualinteractionisrequiredwhenrunningit.Theparameters-Rand-SactivateportforwardingfortheuseofSSHandResponder.Theparameters-c,-iand-ronlyinitiatecertainsequenceswithinthescript.

Use

Thelegitimatedevice,client,isnotinitiallyconnectedtothenetworkswitch.Nowthescriptisstartedontheattackerdevice,bypass.Bypassandattackerareonephysicaldevice.TheattackerfiguresymbolizesactionscarriedoutbytheattackerontheNACbypassdevice.Thefirststepistheinitialconfiguration:Tostartwith,unwantedservices,suchasNetworkManager,arestopped,IPv6isdisabledandanyDNSconfigurationsareinitialized.Next,thebridgeisconfiguredandstarted.Toensurebridgingworksasdesired,thekernelhastobeconfiguredtoforwardEAPOLframes.Withoutthisadjustment,802.1Xauthenticationwillnotbecarriedout.

Oncetheconfigurationiscomplete,thenetworkcablescanbeconnectedandthebridge’sswitchsideisnowenabledasapassiveforwarder.Thebypassdeviceforwardsallnetworktrafficbackandforthbetweentheswitchandtheclientbutcannotsendanypacketsitself.Theclientshouldnowbeauthenticatedwiththenetworkswitchandcanlogintothenetworksuccessfully.

Allnetworktrafficpassesthroughthebridgeandcanbeanalyzedaccordingly.ThisisdonetocaptureKerberosandSMBpacketswithtcpdump–asthesearenormallyfoundinseveralplacesonaWindowsnetwork,makingitpossibletoseethenetworkconfiguration,suchastheclient’sIPandMACaddress.Thisinformationisusedtoautomaticallyconfiguretheclientsideofthebridge.However,thebypass’sconnectiontothenetworkremainsblockedtoensurethatnetworkpacketsfromtheattackerdevicefindtheirwayontothenetworkandaredetected.Ifpacketsfromtheattackeraresentontothenetworklater,anebtablesrulewilloverwritetheMACaddress,meaningthatthepacketswillappearasiftheyoriginatedfromtheclient.ThesameprocedureisimplementedusingiptablesrulesatIPlevel,sothatoutgoingTCP,UDPandICMPpacketsalsohavethesameIPaddressastheclient.Finally,theattackerisabletoconnecttothenetworkandcancarryoutactionsfromtheirowndevice.

IfportforwardinghasbeenenabledforSSHandResponder,thebridgeforwardsallrequestsfortherespectiveportstotheattacker’sservices.Fromthere,aResponderinstancecanberuntocarryoutmulticastpoisoningandtoperformauthenticationforprotocolssuchasSMB,FTP,orHTTP.Thisinstancecanbereachedfromthenetworkusingtheclient’sIPaddress.

Responder

Respondermustberunonthebridgeinterface.ToensurethatResponderusesthecorrectIPaddressforpoisoningmulticast,theIPaddressoftheclientshouldbedefinedwithparameter-e.

./Responder.py-I<bridge_interface>-e<client_address>...BypassingNACinaninfiniteloop

Thescenariodescribedaboveisonlypossibleiftheattackerisinpossessionofalegitimatedevice.Butiftheattackeronlyhasphysicalaccesstoabuildinganditsroomsanddoesnothavetheirowndevice,additionalstepsarenecessary.Ifaroomhasanetworkinstallation–e.g.ameetingroomorsharedworkspace–thebypassdevicecanstillbeinstalled.However,itmustbenotedthattheNACbypasssetupisagileandcanrespondtochangessuchasswitchingdevices.Withasharedworkspace,forexample,User1connectstheirdevicetothedockingstationinthemorning.ThehiddenbypassdeviceinstallsitsconfigurationonUser1’sdevice.Assoonastheyleavethesharedworkspace,thebypassdeviceresetstotheinitialstateandwaitsfornewdevices.IfUser2connectstheirdevicetothedockingstation,thebypassdeviceisnolongerallowedtorunwithUser1’sconfiguration.Instead,itmustuseUser2’scredentialstoconnecttothenetwork.

ThebypassdevicethereforechecksnetworkconnectivityatcertainintervalsandthenrespondstostatuschangesandtheninvokestheappropriateNACbypassprocedure.Wecreatedasimpleimplementationofthischeckwiththeawareness.shscript,whichchecksanadapter’snetworkstatuseveryfivesecondsandrespondsaccordinglywhenthestatuschanges.

First,thebasicsetupfortheNACbypassisconfigured.Next,aloopisstartedtomonitorthestateofthenetworkinterface.ThesecondpartoftheNACbypasssetupisthenexecutedassoonastheinterfaceisactivated.Ifthenetworkconnectionislost,theconfigurationisresetandinitialized.Configurablecyclesarealsosetbetweenthestatuschangestoavoidprematureconfigurationchangeswhennetworkconnectivityislosttemporarily,forexample.Thisscriptallowsabypassdevicetorespondtodeviceswitching;thiscanbedonewithoutanymanualinterventionoveranextendedperiodoftimebyplacingthedeviceinanappropriateroom.

NextSteps

Theawareness.shscriptrespondstostatuschangesandmodifiestheNACbypassconfigurationaccordingly.AllotheractionsmustbecarriedoutmanuallyatpresentusingthelikesofSSHonthedevice.ThisSSHserviceisonlyavailableonthevictim’snetwork,however.OneofthenextstepsistheplannedintegrationofanadditionalmanagementinterfaceusingaWLANorcellularnetworkadapter.Thisadaptercouldthenbeusedtoestablishanautonomousconnection,allowingtheattackertoaccessthedevicewithouthavingtobephysicallyonthepremisesornetwork.Theawarenessscriptcouldalsobeenhancedtoincludemodulesthatensuremoreautonomy.Forexample,communicationviaacommandandcontrolserver(C2)canbeconfiguredtoreceivecommandsorextractdata.

声明:本文仅代表作者观点,不代表本站立场。如果侵犯到您的合法权益,请联系我们删除侵权资源!如果遇到资源链接失效,请您通过评论或工单的方式通知管理员。未经允许,不得转载,本站所有资源文章禁止商业使用运营!
下载安装【程序员客栈】APP
实时对接需求、及时收发消息、丰富的开放项目需求、随时随地查看项目状态

评论