Professional Documents
Culture Documents
Case Study–
NAC bypass & ARP spoofing
To ensure the effectiveness of our client’s security implementations LIFARS frequently
conducts penetration tests evaluating their systems can hold up to real world scenarios
and stay resilient. Our cyber resiliency experts deliver calculated attacks against
systems the same way black hat hackers.
In December, our client requested that LIFARS Pen Testing Team perform an internal
black box penetration test as part of a due diligence exercise. The client, an
international financial organization with over 10000 employees and 500 IPv4
addresses, understands the risks they face on a daily basis and the importance of
meeting compliance standards. Therefore, this client requested an external black box
penetration test on their network.
The intent of this assessment was to identify weaknesses in the company’s internet
facing infrastructure and to detail how these vulnerabilities could impact the
organization.
Therefore, the team used ARP poisoning as a main target for mounting other attacks,
such as Man-in-the-middle (MiTM). This security testing effort was conducted with
emphasis on the actual state of the systems examined and no documentation to the
client was provided.
Note: All information in this case study has been modified to maintain confidentiality
of our client
PENETRATION TESTING PHASES
There are various methodologies and approaches that can be used during penetration
testing. LIFARS Pen Testing Team, follows the Penetration Testing Execution Standard
(PTES) as the basis for penetration testing execution. The main phases of PTES are
listed below.
1. Pre-engagement Interactions
2. Intelligence Gathering
3. Threat Modeling
4. Vulnerability Analysis
5. Exploitation
6. Post Exploitation
7. Reporting
KEY FINDINGS
While conducting the penetration test, we discovered that the client network had
implemented Network access control (NAC). This solution is often used on corporate
networks to prevent unauthorized hosts from accessing internally systems and
services.
HUB Switch
~ [~s:1lccccl ...
- §@
~
Atta cker
lI Authenticator
•
r•1
Victim
2. After that, we connected to the hub, and start intercepting ARP frames to
identify the valid host MAC address.
C;;>>; l >;U i<.>;i, ,,.,; . <;_ ; ; .. , , ff.
'11"1 l <lll),.1'-. 1:,,. , . II_ I i • < ,_~1, '• :--
:. l :. l J UU .:.1:.:+.1, t.. <.:'.~:o _ HI ::., :erie \ll ' t,tc, lb! l 'J, 1'>1 ,
~?~ noa~:;uc-, . . ~ c::s :o_ , ., S!l.)tr>e GO l-.. C> lb$ l i . lSl .
B l l3$:i'='i ll7' . i- c:: ; :o .;<3 i rr_,:,, , e 1-.N • ,.~~ 10. a 1.
> ~• ·• •" 'I I -I: l'..<1lo:, 1- .. •• ,.. ; ,.► (.1\11,-, ·•i 1• :• . ,.,-, ·•.t' "' , .,1, 11., ·- ol ( t-1tt h i1, :
V ~• ••.. ••• ► • II ~ -., ~ : • •• : ,_~1, 1 IJ,, 1! ~ , , . " <
I" L't ~tt r ,t 1or ; :,f r (.JJ
• • 0 •• •• • • l•3 tin : ,:;1ct ->U y .1,tn: ~cc r-: ~~ ( r>ctc -r, • cc r >utt )
• •• • • •• •"I • •• ••• •• . . •• • - -5 1, ; 1, f ,., , ;_.;,1•.,. I ,11.,:,... ,,., ( m i .. . , t ;
, ... ..... , .• ► , •: .... .. ... I
•'A.i re : : : <.~~ce_ l'J
. . . . .. 'J, . . . ... . . l-:, bit : -:.l ch ll •, ,n k .. e b ~H t H (f ,cte ri.• ~e f , uh j
. .. . . .. i . .. . .. . . . . •• - :,:; bit : l fl( ~·,.i<lu l b( c r .eH ( Jfl ic H t :,
Ty, : : ,_~., ~G~3$EI:-)
1\ A Ii • ~ : 111'6.l- "II I l >l:\-"IIV,'
(,-.l,"l,,. 1 >;,"\AH;.; ,.,. .(,-.l,"IAAfi~,
) ,•,.-J, ,,... ~.., ,, 1 ,i ; ,, .. ... ,, .. ,: ., 1 ,:, ,.. , ,,. - .. 1)
3. At this point, we can connect the hub to the switch, and we wait for Victim
authentication.
4. After successful authentication, we cloned the valid MAC and IP address and
connect to HUB. Now the switch does not recognize the difference between
the attacker and the PC client.
The following properties are available for this network adapter. Click
the propertyyou want to change on the left. and then select its value
on the right.
f.roperty: Value:
ARP Offload "
ECMA
Energy Efficient B hemet
Row Control
r Not Present
lntenupt Moderation
1Pv4 Checksum Offload
Jumbo Frame
Large Send Offload (1Pv4)
Large Send Offload v2 (1Pv4)
Large Send Offload v2 (1Pv6)
Max IRQ per Second
RSS Queues
V
Cancel
ARP poisoning is when an attacker sends false ARP messages over a local area
network to link an attacker’s MAC address with the IP address of a legitimate
computer or server on the network.
Once the attacker’s MAC address is linked to an authentic IP address, the attacker
can receive anything directed to the legitimate MAC address. As a result, the attacker
can make an Man-in-the-middle attack (MiTM).
Switch
Alice
Bob IP: 10.0.0.7
IP: 10.0.0.1 MAC : [aa:aa :aa:aa :aa:aa]
MAC: [bb:bb:bb:bb:bb:bb)
Attacke r
IP 10.0.0 .3
MAC : [cc:cc:cc:cc:cc :cc]
1. We need to scan the network for all hosts, using module net.recon and
net.probe.
(! Gt ID © , 21.o.o.11•11an ... 0* Ill ID ill
2. With this newly obtained set of hosts, we can choose which specific host we
want to target. We can either use the console command or the GUI to execute
this.
From the GUI we can go to the IP address on the left corner, in this case it is
192.168.1.161. From the pull down menu, we can then choose add to
arp.spoof.targets
3. Before starting the ARP spoofing module, we need to start net.sniff . We can
either use the console command or the GUI to execute this.
net.sniff on
From the GUI we can go to: Advanced -> net.sniff -> net.sniff.on
We have now successfully launched ARP spoofing:
0. 12:56 PM net.sniff.mdns mdns 192 .168 .1.25 : PTR que ry for _raop._tcp .local
0. 12:56 PM sys.log WARNING : arp.sp oof full dup lex spoo fing enable d. if the rout er has ARP spoo fing mechanis ms. the att ack will fail.
0. 12:56 PM sys.log INFO : arp.spoof arp spoole r starte d. prob ing 3 targe ts.
CONCLUSION
With ARP spoofing & Man-in-the-Middle (MiTM) attack we were able to sniff user login
data and critical password hashes. These attacks were only successful because we
were able to bypass NAC.
REPORTING
Key issues listed in this case study, and many others, were put into the final report.
The issues were identified at risk levels: low, medium, high and critical. The executive
summary provided a brief summary of vulnerabilities discovered during this
assessment broken down by category. Many of these issues were presented graphically
with recommendations given for resolution of each.