The basic requirement for a NAC bypass is access to a device that has already been authenticated. This device is used to log into the network, and network packets from a different device are then smuggled in behind it. This involves placing the attacker's system between the network switch and the authenticated device. One way to do this is with a Raspberry Pi and two network adapters.
Installation

The NACkered script and our nac_bypass_setup.sh solution were written and tested on Debian-based Linux distributions, but both should be executable on other Linux distributions as well. The following software packages are required:
- Install tools (on Debian-like distros): bridge-utils macchanger arptables ebtables iptables net-tools tcpdump
- Load kernel module: modprobe br_netfilter
- Persist kernel module: add br_netfilter to /etc/modules

For arptables, iptables and ebtables, make sure not to use the nft (nftables) variants of these tools, or the script will not work as desired.
The nac_bypass_setup.sh script has the following parameters:
    nac_bypass_setup.sh v0.6.4
    usage:
      -1 <eth>   network interface plugged into switch
      -2 <eth>   network interface plugged into victim machine
      -a         autonomous mode
      -c         start connection setup only
      -g <MAC>   set gateway MAC address (GWMAC) manually
      -h         display this help
      -i         start initial setup only
      -r         reset all settings
      -R         enable port redirection for Responder.py
      -S         enable port redirection for OpenSSH and start the service

The parameters -1 and -2 define which network adapters will be used. You can also edit them directly in the script. -a suppresses the output of the script's log and debugging information, and no manual interaction is required when running it. The parameters -R and -S activate port forwarding for the use of SSH and Responder. The parameters -c, -i and -r only initiate certain sequences within the script.
Use

The legitimate device, client, is not initially connected to the network switch. Now the script is started on the attacker device, bypass. Bypass and attacker are one physical device. The attacker figure symbolizes actions carried out by the attacker on the NAC bypass device. The first step is the initial configuration: to start with, unwanted services, such as NetworkManager, are stopped, IPv6 is disabled and any DNS configurations are initialized. Next, the bridge is configured and started. To ensure bridging works as desired, the kernel has to be configured to forward EAPOL frames. Without this adjustment, 802.1X authentication will not be carried out.
Once the configuration is complete, the network cables can be connected, and the bridge's switch side is now enabled as a passive forwarder. The bypass device forwards all network traffic back and forth between the switch and the client but cannot send any packets itself. The client should now be authenticated with the network switch and can log into the network successfully.
All network traffic passes through the bridge and can be analyzed accordingly. This is done to capture Kerberos and SMB packets with tcpdump, as these are normally found in several places on a Windows network, making it possible to see the network configuration, such as the client's IP and MAC address. This information is used to automatically configure the client side of the bridge. However, the bypass's own connection to the network remains blocked at this stage, so that no network packets from the attacker device find their way onto the network prematurely and get detected. If packets from the attacker are sent onto the network later, an ebtables rule will overwrite the MAC address, meaning that the packets will appear as if they originated from the client. The same procedure is implemented using iptables rules at IP level, so that outgoing TCP, UDP and ICMP packets also have the same IP address as the client. Finally, the attacker is able to connect to the network and can carry out actions from their own device.
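Because every injected packet carries the client's MAC and IP address, a defender cannot rely on those two identifiers alone to tell the client and the bridged device apart. The following Python snippet is an added, defender-side example; it is not code from this page or from the nac_bypass project. It assumes that the bridge rewrites only MAC and IP (as described above) and leaves the IP TTL and the TCP window of injected packets untouched, and that the client and the bypass device run operating systems with different stack defaults (for example Windows with an initial TTL of 128 and Linux with 64). It parses a constructed flow export, groups the rows by (MAC, IP) and flags any pair that shows more than one stack fingerprint.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export (not real capture data): one row per packet seen
# leaving the client side of the switch port. Columns: source MAC, source IP,
# IP TTL, whether the packet was a TCP SYN, and the TCP window size.
SAMPLE_EXPORT = """\
src_mac,src_ip,ttl,syn,win
aa:bb:cc:00:00:01,10.0.5.23,128,1,64240
aa:bb:cc:00:00:01,10.0.5.23,128,0,65535
aa:bb:cc:00:00:01,10.0.5.23,64,1,29200
aa:bb:cc:00:00:02,10.0.5.24,128,1,64240
aa:bb:cc:00:00:02,10.0.5.24,127,0,65535
"""


def parse_export(text):
    """Parse the CSV export into a list of dicts with typed fields."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "mac": row["src_mac"].lower(),
            "ip": row["src_ip"],
            "ttl": int(row["ttl"]),
            "syn": row["syn"] == "1",
            "win": int(row["win"]),
        })
    return rows


def initial_ttl(ttl):
    """Map an observed TTL back to the likely initial TTL (64, 128 or 255).

    A packet that crossed a router arrives with a decremented TTL; bucketing
    avoids treating a single extra hop as a second host behind the address.
    """
    for start in (64, 128, 255):
        if ttl <= start:
            return start
    return ttl


def detect_shared_identities(records):
    """Return one alert per (MAC, IP) pair that exhibits more than one stack fingerprint.

    Two signals are combined: the set of initial TTLs seen from the pair, and
    the set of TCP window sizes advertised in SYN packets (the window of a SYN
    is a stable per-OS default, unlike later segments of a connection).
    """
    ttls = defaultdict(set)
    syn_windows = defaultdict(set)
    for rec in records:
        key = (rec["mac"], rec["ip"])
        ttls[key].add(initial_ttl(rec["ttl"]))
        if rec["syn"]:
            syn_windows[key].add(rec["win"])

    alerts = []
    for key in sorted(ttls):
        reasons = []
        if len(ttls[key]) > 1:
            reasons.append("initial TTLs %s" % sorted(ttls[key]))
        if len(syn_windows[key]) > 1:
            reasons.append("SYN window sizes %s" % sorted(syn_windows[key]))
        if reasons:
            alerts.append({"mac": key[0], "ip": key[1], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect_shared_identities(parse_export(SAMPLE_EXPORT)):
        print("%s / %s: more than one host behind this identity (%s)"
              % (alert["mac"], alert["ip"], "; ".join(alert["reasons"])))
```

On the constructed export, only 10.0.5.23 is flagged: its rows mix an initial TTL of 128 with one of 64 and two different SYN window sizes, while 10.0.5.24 only shows a TTL decremented by a hop, which the bucketing treats as the same stack. In a real deployment the rows would come from a flow collector or a switch SPAN port, and the fingerprint could be extended with further per-OS defaults such as IP ID behaviour or TCP option ordering.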
If port forwarding has been enabled for SSH and Responder, the bridge forwards all requests for the respective ports to the attacker's services. From there, a Responder instance can be run to carry out multicast poisoning and to perform authentication for protocols such as SMB, FTP, or HTTP. This instance can be reached from the network using the client's IP address.
Responder

Responder must be run on the bridge interface. To ensure that Responder uses the correct IP address for poisoning multicast, the IP address of the client should be defined with parameter -e.
    ./Responder.py -I <bridge_interface> -e <client_address> ...

Bypassing NAC in an infinite loop

The scenario described above is only possible if the attacker is in possession of a legitimate device. But if the attacker only has physical access to a building and its rooms and does not have their own device, additional steps are necessary. If a room has a network installation, e.g. a meeting room or shared workspace, the bypass device can still be installed. However, the NAC bypass setup then has to be agile and able to respond to changes such as a switch of devices. In a shared workspace, for example, User 1 connects their device to the docking station in the morning. The hidden bypass device applies its configuration for User 1's device. As soon as they leave the shared workspace, the bypass device resets to the initial state and waits for new devices. If User 2 connects their device to the docking station, the bypass device is no longer allowed to run with User 1's configuration. Instead, it must use User 2's credentials to connect to the network.
The bypass device therefore checks network connectivity at certain intervals, responds to status changes and invokes the appropriate NAC bypass procedure. We created a simple implementation of this check with the awareness.sh script, which checks an adapter's network status every five seconds and responds accordingly when the status changes.
First, the basic setup for the NAC bypass is configured. Next, a loop is started to monitor the state of the network interface. The second part of the NAC bypass setup is then executed as soon as the interface is activated. If the network connection is lost, the configuration is reset and initialized. Configurable cycles are also set between the status changes to avoid premature configuration changes when, for example, network connectivity is only lost temporarily. This script allows a bypass device to respond to device switching; by placing the device in an appropriate room, this can be done without any manual intervention over an extended period of time.
Next Steps

The awareness.sh script responds to status changes and modifies the NAC bypass configuration accordingly. All other actions must be carried out manually at present, using the likes of SSH on the device. This SSH service is only available on the victim's network, however. One of the next steps is the planned integration of an additional management interface using a WLAN or cellular network adapter. This adapter could then be used to establish an autonomous connection, allowing the attacker to access the device without having to be physically on the premises or network. The awareness script could also be enhanced to include modules that ensure more autonomy. For example, communication via a command and control server (C2) can be configured to receive commands or extract data.