bypass Cisco NAC

Discussion in 'Cisco' started by brightwell, Oct 1, 2010.

  1. brightwell

    brightwell Guest

    Dear all,

    I have been asked to perform a quick pen test of a Cisco VOIP system.
    I'm not a VOIP or NAC expert so this is going to be basic stuff - only
    the most obvious of tests (this is just a favour).

    The VOIP system uses Cisco 7962 phones connected to the Cisco LAN
    infrastructure using some form of NAC.

    Looking for an obvious approach I thought I might try to bypass the
    NAC by plugging a hub inline between the phone and the LAN, i.e. to
    allow the phone to authenticate with the hub allowing me to then
    remove the phone (unknown to the LAN) and to configure my laptop with
    the phone's MAC and IP address.

    I.e. the phone uses the EAP password and other authentication info to
    log in. The LAN puts it (including the hub) into the appropriate VLAN.
    And then I can use the laptop masquerading as the phone to further
    test the VOIP system.

    But this doesn't appear to work - so was I wrong to think that NAC
    only tests the machine at initial login?

    brightwell, Oct 1, 2010

  2. brightwell

    alexd Guest

    Meanwhile, at the Job Justification Hearings, brightwell
    chose the tried and tested strategy of:
    Are you sure? Do a packet capture from the hub; you may find that the phone
    encapsulates its own traffic on the voice VLAN and passes through traffic
    for the PC connected to it on the default VLAN.
    alexd, Oct 1, 2010

  3. brightwell

    brightwell Guest

    I plug the phone into hub and the hub into the switch (it is a very
    dumb hub - it won't be doing anything clever). I've plugged my phone
    into the hub and it logs in and works ok.
    I've plugged my test PC into the hub (configured with a spare IP
    address in the phone's subnet).

    I've run a packet capture and I appear to see traffic to and from the
    phone (as well as traffic from other subnets - bizarrely) but I can't
    even ping the phone - even though it is in the same hub and the IPs
    are in the same subnet. I see the ARPs going out but nobody responds,
    so I presume the phone must be throwing the packets away. If I try and
    ping other IP addresses in the phone subnet, again I see the ARPs
    going out but I get no reply so the switch might be throwing these

    On the face of it it is looking quite secure... Which is a good
    thing... But I would be interested to know what is going on so that I
    know I'm not being defeated by my stupidity rather than by a good
    security measure.
    brightwell, Oct 6, 2010
  4. brightwell

    Gary Guest

    Are you sure it's a hub and not really a switch? And are all the devices
    you want to sniff traffic for connected to the hub? If not, you won't
    necessarily see them. q.v. the following docs for more info:

    Gary, Oct 12, 2010