Bypassing NAC Solutions and Mitigations
Suraj Khetani
Regional Associate Security Consultant
Gulf Business Machines
Topics
• What is Network Access Control and how it works
• Inherent issue with NAC
• 2 NAC Bypass techniques
• Possible Mitigations
What is NAC?
Network Access Control (NAC) is a solution to prevent unauthorized access to internal networks. It restricts access to the network based on the identity or security posture of the device that is trying to connect.
How NAC works
• When a device connects to the network, the NAC relies on one or more detection techniques to detect the device's presence:
• DHCP Proxy
• Broadcast Listener
• Listening to (sniffing) IP traffic
• SNMP Traps
NAC flow
1. When a client connects, a network component detects the presence of the new client
2. The network component then requests posture credentials
3. Posture credentials – information like installed OS, patch level, whether the AV engine is up and running, whether AV signatures are up to date, etc.
4. Posture credentials are then transmitted to a backend policy server
5. The information is then compared to the defined policy
6. A token is allocated to the client (e.g. quarantined, infected, allowed)
7. Access restrictions are implemented for the specific framework
Scenario
• Internal Network PT
• Client refused to whitelist my IP on the NAC
• I hit a wall
Analysis
• We have a client who wishes to access the network.
• And the network wants to give access based on the policy.
• So the NAC needs to get the information from the client.
• And the client is asked to provide that information.
Issue
• The NAC is asking an untrusted client to provide information which will then be used to give access to the client.
• How can the NAC check if the information given by the client is valid?
Now What???
Back to Basics
How????
Information Gathering
Bypass Scenario#1
• Had a VoIP phone next to me of an employee who was on leave
• Started fidgeting with it
Bypass Scenario#1
• It had a settings option
I got the following:
• Call Manager TFTP server IP address,
• DHCP server IP,
• Default gateway,
• MAC Address of VoIP phone, etc.
Thinking to myself
Bypass Scenario#1
• Most VoIP phones and network printers are not capable of 802.1X (dot1x) authentication
• They need to be whitelisted based on MAC address, as there is no mechanism for the NAC to assess these kinds of devices.
• If I spoofed the MAC address, then I should be seen as that VoIP phone by the NAC.
Converting my thoughts to actions
Access to Domain
Vuln in CallManager
Able to reach AD
Bypass Technique#2
• Converted IPv4 address to IPv6
• Link: https://www.trustwave.com/Resources/SpiderLabs-Blog/NAC-doesn-t-like-your-penetration-testing-device--IPv6-to-the-rescue!/
Mitigations
• Lock down access to view network configuration on VoIP phones.
• A core firewall that restricts traffic from the Voice VLAN to the Data VLAN will help. Not all traffic from the Voice VLAN should be trusted.
• Devices could be identified by analyzing the TTL value of the ICMP ECHO response: a general-purpose OS answering behind a phone's MAC address will usually show a different initial TTL than the phone did.
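As an added example (not code from the slides or their author), the last mitigation as a defender-side check in Python against the MAC-whitelist weakness from Scenario #1: each MAC-whitelisted device class is enrolled with the initial TTL it is known to answer ICMP ECHO with, and later replies are compared against that. The function names, the device-class label, the placeholder MACs and the ping lines are constructed, and the expected value 255 is an assumption about the enrolled phones, not a vendor fact.

```python
# Added example (not from the slides): defender-side check for the TTL mitigation.
# A MAC-whitelisted device class (e.g. a VoIP phone) is recorded at enrolment with the
# initial TTL it answers ICMP ECHO with; a general-purpose host that later appears
# behind that MAC usually answers with a different initial TTL.
import re
from dataclasses import dataclass
from typing import Optional

INITIAL_TTLS = (64, 128, 255)  # common OS default initial TTLs

@dataclass
class WhitelistEntry:
    mac: str
    device_class: str          # label kept by the defender, e.g. "voip-phone"
    expected_initial_ttl: int  # measured when the device was whitelisted (assumed 255 below)

def infer_initial_ttl(observed_ttl: int, max_hops: int = 30) -> Optional[int]:
    """Map an observed TTL back to the nearest plausible default initial TTL."""
    for initial in INITIAL_TTLS:
        if 0 <= initial - observed_ttl <= max_hops:
            return initial
    return None  # outside any plausible hop range

PING_RE = re.compile(r"from (?P<ip>[\d.]+).*?ttl=(?P<ttl>\d+)", re.IGNORECASE)

def parse_ping_reply(line: str) -> Optional[tuple]:
    """Return (ip, ttl) for one ping reply line, or None for any other line."""
    m = PING_RE.search(line)
    return (m["ip"], int(m["ttl"])) if m else None

def check_device(entry: WhitelistEntry, observed_ttl: int) -> str:
    """'ok' if the reply fits the enrolled device class, 'mismatch' otherwise."""
    initial = infer_initial_ttl(observed_ttl)
    if initial is None:
        return "unknown"
    return "ok" if initial == entry.expected_initial_ttl else "mismatch"

def audit(entries_by_ip: dict, ping_output: str) -> dict:
    """Run check_device over every reply line; returns {ip: verdict}."""
    verdicts = {}
    for line in ping_output.splitlines():
        parsed = parse_ping_reply(line)
        if parsed and parsed[0] in entries_by_ip:
            verdicts[parsed[0]] = check_device(entries_by_ip[parsed[0]], parsed[1])
    return verdicts

# Constructed sample: two phones enrolled with initial TTL 255, two captured replies.
PHONE = WhitelistEntry("00:11:22:33:44:55", "voip-phone", 255)  # placeholder MAC
ENTRIES = {"10.0.20.15": PHONE, "10.0.20.16": WhitelistEntry("00:11:22:33:44:66", "voip-phone", 255)}
SAMPLE_PING = ("64 bytes from 10.0.20.15: icmp_seq=1 ttl=254 time=1.20 ms\n"
               "64 bytes from 10.0.20.16: icmp_seq=1 ttl=63 time=0.80 ms")
```

Because each router hop decrements the TTL, the check maps the observed value back to the nearest common initial TTL (64, 128 or 255) before comparing; treat a mismatch as a trigger to re-posture that port, not as proof on its own.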
Editor's Notes

  • #7 Eg: Metadata collected from uploaded documents reveal information like users, third party software, hardware,