LIFARS your digital world, secured
Case Study– NAC bypass & ARP spoofing
To ensure the effectiveness of our client’s security implementations LIFARS frequently conducts penetration tests evaluating their systems can hold up to real world scenarios and stay resilient. Our cyber resiliency experts deliver calculated attacks against systems the same way black hat hackers. In December, our client requested that LIFARS Pen Testing Team perform an internal black box penetration test as part of a due diligence exercise. The client, an international financial organization with over 10000 employees and 500 IPv4 addresses, understands the risks they face on a daily basis and the importance of meeting compliance standards. Therefore, this client requested an external black box penetration test on their network. The intent of this assessment was to identify weaknesses in the company’s internet facing infrastructure and to detail how these vulnerabilities could impact the organization. Therefore, the team used ARP poisoning as a main target for mounting other attacks, such as Man-in-the-middle (MiTM). This security testing effort was conducted with emphasis on the actual state of the systems examined and no documentation to the client was provided.
Note: All information in this case study has been modified to maintain confidentiality of our client
PENETRATION TESTING PHASES
There are various methodologies and approaches that can be used during penetration testing. LIFARS Pen Testing Team, follows the Penetration Testing Execution Standard (PTES) as the basis for penetration testing execution. The main phases of PTES are listed below. 1. Pre-engagement Interactions 2. Intelligence Gathering 3. Threat Modeling 4. Vulnerability Analysis 5. Exploitation 6. Post Exploitation 7. Reporting
KEY FINDINGS
While conducting the penetration test, we discovered that the client network had implemented Network access control (NAC). This solution is often used on corporate networks to prevent unauthorized hosts from accessing internally systems and services.
Bypassing Network Access Control
HUB Switch
~ ... ~ [~s:1lccccl - Atta cker §@ lI Authenticator r•1• Victim
Figure 1 NAC Bypass scheme (incogbyte.github.io) Hardware Used
100 Mb Hub – multiport repeater and PoE injector
Steps to reproduce NAC bypass:
1. First, we had to find an authenticated host and connect it to our hub. As we have PoE injector, we can also connect to VoIP Phone and PC.
2. After that, we connected to the hub, and start intercepting ARP frames to identify the valid host MAC address. C;;>>; l >;U i<.>;i, ,,.,; . <;_ ; ; .. , , ff. '11"1 l
> ~• ·• •" 'II -I: l'..<1lo :,1- .. • • ,.. ; ,.► (.1\11,-, ·•i 1• :• . ,.,-, ·•.t'"' , .,1, 11. , ·- ol ( t-1tth i1, :
V ~• ••.. ••• ► • II ~ -., ~ : • •• : ,_~1, 1 IJ,, 1! ~ , , . " < I" L't ~tt r ,t 1or ; :,f r (.JJ
• • 0 •• •• • • l•3 tin : ,:;1ct ->U y .1,tn: ~cc r-: ~~ ( r>ctc -r,• cc r >utt ) • •• • • •• •"I • •• ••• •• . . •• • - -5 1,; 1, f ,.,,;_.;,1• ., . I ,11.,:,...,,., ( m i .. . , t ; , ...... , .• ► , •: ...... I •'A.ire : : : <.~~ce_l'J ...... 'J, ...... l-:, bit : -:.lch ll •, ,n k .. e b~H t H (f ,cte ri.• ~ef, uh j ...... i ...... •• - :,:; bit : l fl( ~·,.i
3. At this point, we can connect the hub to the switch, and we wait for Victim authentication.
4. After successful authentication, we cloned the valid MAC and IP address and connect to HUB. Now the switch does not recognize the difference between the attacker and the PC client.
Killer E2400G1gab1t Eth ernet Contro ller Properties X
Events Resources Power Management General Advanced Driver Details
The following properties are available for this network adapter. Click the propertyyo u want to change on the left. and then select its value on the right.
f.roperty: Value: ARP Offload " ECMA Energy Efficient Bhemet Present Row Control r Not lntenupt Moderation 1Pv4 Checksum Offload Jumbo Frame Large Send Offload (1Pv4) Large Send Offload v2 (1Pv4) Large Send Offload v2 (1Pv6) Max IRQ per Second RSS Queues
V
Cancel
Figure 3 MAC address change ARP Spoofing
ARP poisoning is when an attacker sends false ARP messages over a local area network to link an attacker’s MAC address with the IP address of a legitimate computer or server on the network. Once the attacker’s MAC address is linked to an authentic IP address, the attacker can receive anything directed to the legitimate MAC address. As a result, the attacker can make an Man-in-the-middle attack (MiTM).
Switch
Alice Bob IP: 10.0.0.7 IP: 10.0.0.1 MAC: [aa:aa :aa:aa:aa:aa] MAC: [bb:bb:bb:bb:bb:bb)
Attacke r IP 10.0.0 .3 MAC: [cc:cc:cc:cc:cc:cc] Figure 4 Representation of ARP spoofing
We have used bettercap on Windows to launch an ARP spoofing attack.
Steps to reproduce ARP spoofing attack:
1. We need to scan the network for all hosts, using module net.recon and net.probe. (! Gt ID © , 21.o.o.11•11an ... 0* Ill ID ill
2. With this newly obtained set of hosts, we can choose which specific host we want to target. We can either use the console command or the GUI to execute this.
From the console command we can type in the cmdlet:
Set arp.spoof.targets TARGET IP
From the GUI we can go to the IP address on the left corner, in this case it is 192.168.1.161. From the pull down menu, we can then choose add to arp.spoof.targets
792.768.7.767 • 30:24:32 .... Copy \D evice\NPF_ {10B87E 4E-D3D 1-4 1 Scan Ports
Add to arp.spoof.targets
3. Before starting the ARP spoofing module, we need to start net.sniff . We can either use the console command or the GUI to execute this.
From the console command we type in the following cmdlet:
net.sniff on
From the GUI we can go to: Advanced -> net.sniff -> net.sniff.on
We have now successfully launched ARP spoofing:
0. 12:56 PM net.sniff.mdns mdn s 192.16 8.1.25 : PTR que ry for _airplay._tcp.local
0. 12:56 PM net.sniff.mdns mdns 192.168.1.25 : PTR que ry for _raop._tcp.local
0. 12:56 PM endpoint.new Detected 192. 168.1.25 84 :AD:8D:
0. 12:56 PM endpoint.lost Lost 192. 168. 1.25 84:AD:8D:
0. 12:56 PM mod.started arp.spoof
0. 12:56 PM sys.log WARNING : arp.spoof full dup lex spoo fing enabled. if the router has ARP spoo fing mechanisms. the att ack will fail. 0. 12:56 PM sys.log INFO : arp.spoof arp spoole r starte d. probing 3 targets.
Verification of ARP spoofing using Wireshark:
36776 304 . 468178 Micro-St 84 :ad: Bd ARP 60 192 . 168 . 1. 92 is at dB :cb:Ba 3682 5 304.47 3401 Micro - St 84 :ad: Bd ARP 60 19 2 .168 . 1.141 i s at d8:cb :8a 370 17 304.851396 30 : 24:32 84 :ad: Bd ARP 60 192 . 168 . 1. 161 i s at 30:24 :32 37435 305 . 554 225 Micro - St 30:24 :32 ARP 60 192 . 168 . 1. 205 is at d8:cb :8a (d uplicat e use of 192 .168 . 1.16 1 de t e cte d !) 37436 305. 554 32 8 30 : 24: 32 Mic ro - St ARP 60 19 2 . 168 . 1. 161 is at 30: 24 :32 37437 305. 554439 Micr o-St 30 : 24 : 32 ARP 60 192 . 168 . 1. 0 is at dB:cb :Sa (duplic ate use of 192 . 168 . 1 . 1 6 1 det ected!) 37439 305 . 554640 Micro - St 30 : 24 : 32 ARP 60 192 . 168 . 1. 1 is at dB :cb:Ba (duplic ate us e of 192 . 168 . 1 . 161 det e cted!) 37440 305. 554786 Micro -St B4 :ad: Bd ARP 60 192 . 168 . 1. 1 is at d8 :cb:8a
CONCLUSION
With ARP spoofing & Man-in-the-Middle (MiTM) attack we were able to sniff user login data and critical password hashes. These attacks were only successful because we were able to bypass NAC.
REPORTING
Key issues listed in this case study, and many others, were put into the final report. The issues were identified at risk levels: low, medium, high and critical. The executive summary provided a brief summary of vulnerabilities discovered during this assessment broken down by category. Many of these issues were presented graphically with recommendations given for resolution of each.
Worried about Attacks Against Your Organization? For Incident Response and Threat Intelligence consultancy Contact LIFARS Today Email:[email protected] | Call us at:(212) 222-7061