When a customer tells me they have NAC implemented, I tell them they shouldn’t trust it: it is only a deterrent, or at most it slows down someone who is determined to infiltrate the network. Most of the time customers believe you and just give you access to the network without having to deal with the NAC hassle, or you circumvent it using the printer or a flawed port configuration. Sometimes the customer wants you to show them though… usually because their network admin told them it was impossible for an attacker to access the network, even with physical access to workstations.
This is where my little project comes in. It implements a layer 2 and layer 3 NAT and MitM (now also known as Beagle-in-the-Middle) built from information gathered in the passive network reconnaissance stage. As long as it doesn’t leak its real MAC address to the interface on the switch, it will bypass all types of NAC based on 802.1x. This is not new of course (link to Defcon presentation by Duckwall), but I could not find anything that did it in an embedded form factor (Beaglebone) and fully automated. Except for the Pwnplug of course, but that costs $1000 (now $695), and for that money I want something more advanced than “the first packet addressed to port 80” for network reconnaissance and loads of ICMP redirects.
It looks something like this (have to finish cutting the holes for ethernet):
Inside the box is a Beaglebone, a USB hub and two USB Ethernet dongles (the built-in Ethernet apparently doesn’t support promiscuous mode).
- Figures out which port is incoming (switch side) and which is outgoing (client)
- Builds NAT rules for ebtables and iptables
- Supplies easy (DHCP) connectivity to the attacker on the management interface (LAN, wireless, 3G etc.)
- Built for the Beaglebone for its small form factor; it is also faster than the RPi
- It can provide the pentester with the basic information it gathered to build its NAT rules, i.e. subnet information, so the pentester can get right to finding other vulnerable systems (not visible on the serial output yet… only in /root/subnetinfo or stdout)
- Avoids the ICMP redirect spam associated with connections to the local subnet: it passively learns MAC addresses
- It’s Arch Linux, so install all the pentest goodies you like :)
- Implement an RC6 encrypted tunnel over UDP ;-)
- Ephemeral port detection to avoid collisions with the victim (planned, using p0f or something)
I have pushed the code and a simple installation manual to my Github repo. It works, but you need to make an Arch Linux ARM installation with the dependencies and without any network services that start automatically, since those could burn the device. Basically it’s alpha POC stage, but I will improve on it to make it usable as a red teaming dropbox or a useful demo for customers on a pentest. There is useful information and some snippets that made my BitM completely dark on a mirrored switch port in the README included in the repo.
Advancement of NAC evasion
A network admin that pays attention, or maybe some brands of IDS, will complain about the amount of ICMP redirects that traffic destined for the local net generates when only the default route to the gateway is used. This is the only method I could find in earlier research (just bouncing all traffic off the gateway).
This problem is partially solved in the BitM by passively learning ARP entries and generating host routes with static ARP entries for these hosts in the kernel tables.
The code isn’t very advanced at the moment. If it sees a bogus subnet first, it will assume the real subnet is a flaw… It tries to filter obvious bogus subnets of course. Also… no IPv6, I haven’t tried it yet; it just burned the device on the first few tries (leaked MAC address).
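The redirect spam described in this section is what a network admin or IDS can key on. The following is an added detection example written for this post, not code from the BitM repo: it parses constructed ICMP redirect events in a hypothetical log format and flags any host that the gateway keeps redirecting for destinations on its own subnet, the signature of a device that routes everything via its default route.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in a hypothetical log format (not the BitM project's code):
# a gateway sending ICMP redirects to hosts, with made-up addresses.
SAMPLE_LOG = """\
10:00:01 icmp redirect gw=10.0.1.1 host=10.0.1.52 dst=10.0.1.20
10:00:01 icmp redirect gw=10.0.1.1 host=10.0.1.52 dst=10.0.1.21
10:00:01 icmp redirect gw=10.0.1.1 host=10.0.1.52 dst=10.0.1.22
10:00:02 icmp redirect gw=10.0.1.1 host=10.0.1.52 dst=10.0.1.23
10:00:02 icmp redirect gw=10.0.1.1 host=10.0.1.52 dst=10.0.1.24
10:00:03 icmp redirect gw=10.0.1.1 host=10.0.1.52 dst=10.0.2.40
10:00:05 icmp redirect gw=10.0.1.1 host=10.0.1.77 dst=10.0.1.9
10:00:07 not a redirect line at all
"""

LINE_RE = re.compile(r"icmp redirect gw=(\S+) host=(\S+) dst=(\S+)")

def parse_redirect(line):
    """Return (gateway, host, destination) as ip_address objects, or None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    try:
        return tuple(ipaddress.ip_address(x) for x in m.groups())
    except ValueError:  # malformed address in an otherwise matching line
        return None

def local_redirect_targets(log, subnet):
    """Map each host to the set of on-link destinations it was redirected for.
    A properly configured host never sends on-link traffic via the gateway, so
    such redirects indicate a device using only its default route for everything."""
    net = ipaddress.ip_network(subnet)
    targets = defaultdict(set)
    for line in log.splitlines():
        parsed = parse_redirect(line)
        if parsed is None:
            continue
        _gw, host, dst = parsed
        if host in net and dst in net:  # off-link destinations are legitimate
            targets[host].add(dst)
    return targets

def flag_hosts(log, subnet, threshold=5):
    """Hosts redirected for at least `threshold` distinct on-link destinations."""
    targets = local_redirect_targets(log, subnet)
    return sorted(str(h) for h, d in targets.items() if len(d) >= threshold)

print(flag_hosts(SAMPLE_LOG, "10.0.1.0/24"))  # ['10.0.1.52']
```

The threshold keeps a single stray redirect (a misconfigured static route, say) from firing, while a host being redirected for many on-link neighbours in a short window stands out.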
Simple Demo a.k.a. “My Mac is scanning the network?!”
The screenshot shows the packet capture on the mirror port filtered for the MAC addresses of the Beaglebone, including a reboot of the Beaglebone.
Traffic generated by the Beaglebone will show up as coming from and going to the hardware being attacked (printer, workstation etc.).
The Mac is the victim in this scenario. For the targeted local net machine it looks as if the Mac is scanning it. The Beagle changes the L3 and L2 addresses with the NAT rules, so for the network it is almost indistinguishable from normal traffic. Traffic to hosts that the Beagle didn’t see an ARP request from would still be bounced off the router.
Here you can see how the Mac is authenticated to the switch through 802.1x; the switch has only learned one MAC address, but I did not make a screenshot of that.
This isn’t really interesting but that is a good thing in this case! :D
The response looks like this:
Remote Access or C2
Maybe I will include some possible payloads. For the time being though, you have to do it yourself; it should be simple enough to implement some simple egress with a reverse SSH tunnel. In the code I have uploaded I opted for a wireless access point hosted on the Beagle.