bypass Cisco NAC

 
 
brightwell
      10-01-2010
Dear all,

I have been asked to perform a quick pen test of a Cisco VOIP system.
I'm not a VOIP or NAC expert so this is going to be basic stuff - only
the most obvious of tests (this is just a favour).

The VOIP system uses Cisco 7962 phones connected to the Cisco LAN
infrastructure using some form of NAC.

Looking for an obvious approach I thought I might try to bypass the
NAC by plugging a hub inline between the phone and the LAN. i.e. to
allow the phone to authenticate with the hub allowing me to then
remove the phone (unknown to the LAN) and to configure my laptop with
the phone's MAC and IP Address.

i.e. the phone uses the EAP password and other authentication info to
login. The LAN puts it (including the hub) into the appropriate VLAN.
And then I can use the laptop masquerading as the phone to further
test the VOIP system.

But this doesn't appear to work - so was I wrong to think that NAC
only tests the machine at initial login?



Brightwell
 
alexd
      10-01-2010
Meanwhile, at the comp.dcom.sys.cisco Job Justification Hearings, brightwell
chose the tried and tested strategy of:

> looking for an obvious approach I thought I might try to bypass the
> NAC by plugging a hub inline between the phone and the LAN. i.e. to
> allow the phone to authenticate with the hub allowing me to then
> remove the phone (unknown to the LAN) and to configure my laptop with
> the phone's MAC and IP Address.
>
> i.e. the phone uses the EAP password and other authentication info to
> login. the LAN puts it (including the hub) into the appropriate VLAN.


Are you sure? Do a packet capture from the hub; you may find that the phone
encapsulates its own traffic on the voice VLAN and passes through traffic
for the PC connected to it on the default VLAN.

--
<http://ale.cx/> (AIM:troffasky) ((E-Mail Removed))
21:34:24 up 8 days, 3:54, 7 users, load average: 0.00, 0.01, 0.07
Qua illic est accuso, illic est a vindicatum
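
The capture check suggested in the reply above, as an added example that is not part of any post in this thread: it reads raw Ethernet frames and reports, per source MAC, whether the frames carry an 802.1Q tag and which VLAN ID. The MAC addresses, VLAN ID 110 and the frames themselves are constructed sample data.

```python
import struct
from collections import defaultdict

ETH_8021Q = 0x8100  # TPID that marks an 802.1Q-tagged frame

def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def parse_frame(frame: bytes):
    """Return (src_mac, vlan_id or None, ethertype) for one Ethernet II frame."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    src = mac_str(frame[6:12])
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vlan = None
    if ethertype == ETH_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan = tci & 0x0FFF  # low 12 bits of the TCI are the VLAN ID
    return src, vlan, ethertype

def vlans_by_source(frames):
    """Map each source MAC to the set of VLAN IDs it sent on (None = untagged)."""
    seen = defaultdict(set)
    for frame in frames:
        src, vlan, _ = parse_frame(frame)
        seen[src].add(vlan)
    return dict(seen)

def build_frame(dst, src, ethertype, vlan=None, pcp=0):
    """Build a constructed sample frame (header plus zero padding)."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    if vlan is not None:
        hdr += struct.pack("!HH", ETH_8021Q, (pcp << 13) | vlan)
    return hdr + struct.pack("!H", ethertype) + bytes(46)

# Constructed sample data: a phone tagging its traffic and a PC sending untagged.
PHONE, PC = "00:11:22:33:44:55", "02:00:00:00:00:01"
SAMPLE_FRAMES = [
    build_frame("00:aa:bb:cc:dd:ee", PHONE, 0x0800, vlan=110, pcp=5),  # IPv4, tagged
    build_frame("ff:ff:ff:ff:ff:ff", PC, 0x0806),                      # ARP, untagged
]

if __name__ == "__main__":
    for mac, vlans in vlans_by_source(SAMPLE_FRAMES).items():
        print(mac, sorted("untagged" if v is None else f"vlan {v}" for v in vlans))
```

If the phone's frames show a VLAN ID while the PC's frames are untagged, the two devices are on different VLANs even though they share the hub.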
 
brightwell
      10-06-2010
On Oct 1, 9:38 pm, alexd <(E-Mail Removed)> wrote:
> Meanwhile, at the comp.dcom.sys.cisco Job Justification Hearings, brightwell
> chose the tried and tested strategy of:
>
> > looking for an obvious approach I thought I might try to bypass the
> > NAC by plugging a hub inline between the phone and the LAN. i.e. to
> > allow the phone to authenticate with the hub allowing me to then
> > remove the phone (unknown to the LAN) and to configure my laptop with
> > the phone's MAC and IP Address.
> >
> > i.e. the phone uses the EAP password and other authentication info to
> > login. the LAN puts it (including the hub) into the appropriate VLAN.
>
> Are you sure? Do a packet capture from the hub; you may find that the phone
> encapsulates its own traffic on the voice VLAN and passes through traffic
> for the PC connected to it on the default VLAN.
>
> --
> <http://ale.cx/> (AIM:troffasky) ((E-Mail Removed))
> 21:34:24 up 8 days, 3:54, 7 users, load average: 0.00, 0.01, 0.07
> Qua illic est accuso, illic est a vindicatum


I plug the phone into the hub and the hub into the switch (it is a very
dumb hub - it won't be doing anything clever). I've plugged my phone
into the hub and it logs in and works ok.
I've plugged my test PC into the hub (configured with a spare IP
Address in the phone's subnet).

I've run a packet capture and I appear to see traffic to and from the
phone (as well as traffic from other subnets - bizarrely) but I can't
even ping the phone - even though it is in the same hub and the IPs
are in the same subnet. I see the ARPs going out but nobody responds,
so I presume the phone must be throwing the packets away. If I try and
ping other IP addresses in the phone subnet, again I see the ARPs
going out but I get no reply so the switch might be throwing these
away.

On the face of it it is looking quite secure... Which is a good
thing... But I would be interested to know what is going on so that I
know I'm not being defeated by my stupidity rather than by a good
security measure.
 
 
Gary
      10-12-2010
On Wed, 6 Oct 2010, brightwell wrote:

> I've run a packet capture and I appear to see traffic to and from the
> phone (as well as traffic from other subnets - bizarrely) but I can't
> even ping the phone - even though it is in the same hub and the IPs
> are in the same subnet. I see the ARPs going out but nobody responds,


Are you sure it's a hub and not really a switch? And are all the devices
you want to sniff traffic for connected to the hub? If not, you won't
necessarily see them. q.v. the following docs for more info:

http://tinyurl.com/5bs385
http://tinyurl.com/2f53sc8
http://wiki.wireshark.org/HubReference

-Gary
 