bypass Cisco NAC

Discussion in 'Cisco' started by brightwell, Oct 1, 2010.

  1. brightwell

    brightwell Guest

    Dear all,

    I have been asked to perform a quick pen test of a Cisco VOIP system.
    I'm not a VOIP or NAC expert so this is going to be basic stuff - only
    the most obvious of tests (this is just a favour).

    The VOIP system uses Cisco 7962 phones connected to the Cisco LAN
    infrastructure using some form of NAC.

    Looking for an obvious approach I thought I might try to bypass the
    NAC by plugging a hub inline between the phone and the LAN. i.e. to
    allow the phone to authenticate with the hub allowing me to then
    remove the phone (unknown to the LAN) and to configure my laptop with
    the phone's MAC and IP Address.

    i.e. the phone uses the EAP password and other authentication info to
    login. The LAN puts it (including the hub) into the appropriate VLAN.
    And then I can use the laptop masquerading as the phone to further
    test the VOIP system.

    But this doesn't appear to work - so was I wrong to think that NAC
    only tests the machine at initial login?



    Brightwell
    brightwell, Oct 1, 2010
    #1

  2. brightwell

    alexd Guest

    Meanwhile, at the comp.dcom.sys.cisco Job Justification Hearings, brightwell
    chose the tried and tested strategy of:

    > looking for an obvious approach I thought I might try to bypass the
    > NAC by plugging a hub inline between the phone and the LAN. i.e. to
    > allow the phone to authenticate with the hub allowing me to then
    > remove the phone (unknown to the LAN) and to configure my laptop with
    > the phone's MAC and IP Address.
    >
    > i.e. the phone uses the EAP password and other authentication info to
    > login. the LAN puts it (including the hub) into the appropriate VLAN.


    Are you sure? Do a packet capture from the hub; you may find that the phone
    encapsulates its own traffic on the voice VLAN and passes through traffic
    for the PC connected to it on the default VLAN.

    --
    <http://ale.cx/> (AIM:troffasky) ()
    21:34:24 up 8 days, 3:54, 7 users, load average: 0.00, 0.01, 0.07
    Qua illic est accuso, illic est a vindicatum
    alexd, Oct 1, 2010
    #2

  3. brightwell

    brightwell Guest

    On Oct 1, 9:38 pm, alexd <> wrote:
    > Meanwhile, at the comp.dcom.sys.cisco Job Justification Hearings, brightwell
    > chose the tried and tested strategy of:
    >
    > > looking for an obvious approach I thought I might try to bypass the
    > > NAC by plugging a hub inline between the phone and the LAN. i.e. to
    > > allow the phone to authenticate with the hub allowing me to then
    > > remove the phone (unknown to the LAN)  and to configure my laptop with
    > > the phone's MAC and IP Address.
    >
    > > i.e. the phone uses the EAP password and other authentication info to
    > > login. the LAN puts it (including the hub) into the appropriate VLAN.
    >
    > Are you sure? Do a packet capture from the hub; you may find that the phone
    > encapsulates its own traffic on the voice VLAN and passes through traffic
    > for the PC connected to it on the default VLAN.
    >
    > --
    >  <http://ale.cx/> (AIM:troffasky) ()
    >  21:34:24 up 8 days,  3:54,  7 users,  load average: 0.00, 0.01, 0.07
    >  Qua illic est accuso, illic est a vindicatum


    I plug the phone into hub and the hub into the switch (it is a very
    dumb hub - it won't be doing anything clever). I've plugged my phone
    into the hub and it logs in and works ok.
    I've plugged my test PC into the hub (configured with a spare IP
    Address in the phone's subnet).

    I've run a packet capture and I appear to see traffic to and from the
    phone (as well as traffic from other subnets - bizarrely) but I can't
    even ping the phone - even though it is in the same hub and the IPs
    are in the same subnet. I see the ARPs going out but nobody responds,
    so I presume the phone must be throwing the packets away. If I try and
    ping other IP addresses in the phone subnet, again I see the ARPs
    going out but I get no reply so the switch might be throwing these
    away.

    On the face of it it is looking quite secure... Which is a good
    thing... But I would be interested to know what is going on so that I
    know I'm not being defeated by my stupidity rather than by a good
    security measure.
    brightwell, Oct 6, 2010
    #3
  4. brightwell

    Gary Guest

    On Wed, 6 Oct 2010, brightwell wrote:

    > I've run a packet capture and I appear to see traffic to and from the
    > phone (as well as traffic from other subnets - bizarrely) but I can't
    > even ping the phone - even though it is in the same hub and the IPs
    > are in the same subnet. I see the ARPs going out but nobody responds,


    Are you sure it's a hub and not really a switch? And are all the devices
    you want to sniff traffic for connected to the hub? If not, you won't
    necessarily see them. q.v. the following docs for more info:

    http://tinyurl.com/5bs385
    http://tinyurl.com/2f53sc8
    http://wiki.wireshark.org/HubReference

    -Gary
    Gary, Oct 12, 2010
    #4