CompTIA Pentest+ PT0-002 – Section 10: Network Attacks Part 3

90. MAC Spoofing (OBJ 3.1)

Spoofing is a category of network attacks that occurs when an attacker masquerades as another person by falsifying their identity. Just like a person in real life might use a mask to cover their face and hide their true identity, spoofing is the electronic equivalent. Really, anything that identifies a user or system can be spoofed. But in this lesson, we’re going to focus on MAC spoofing. Now, before we dive into MAC spoofing though let’s quickly review what a MAC address actually is. Now a MAC address or Media Access Control Address is a means for identifying a device physically and allowing it to operate on a logical topology.

MAC addresses are used in switch based networks to communicate using frames on a Layer 2 network, while IP addresses are used by routers to help identify networks and clients on different subnets or networks, MAC addresses are used to identify devices on the same subnet or same network. A MAC address is going to be assigned to each device based on its network card. Each network card manufacturer assigns a unique 48 bit physical address to every network interface card that they produce.

This 48 bit physical address is written as a 12 digit sequence of hexadecimal numbers that are used to represent the interface’s MAC address. Each hexadecimal character is going to represent four bits. The first 24 bits which is the first six hex digits are going to be used to identify the particular vendor who made that card. The second 24 bits of the address or the second six hex digits are going to be used to represent the exact machine that it belongs to. When frames are being sent around the network, they use the full 48 bits to use uniquely identify the network interface card that’s being used by a given workstation.

Now Layer 2 devices like switches and bridges use MAC addresses to associate which device is connected to which physical port on a given switch or bridge. When a device communicates using Layer 2, the switch is going to identify which physical port it’s on and its MAC address. And then it adds that information into the switches cam table. This allows a switch to only send data to the physical ports that are associated with the destination MAC address of any given frame. This will be used to speed up the network and it also increases the security of the data, because only the device that the frame is addressed to, should be able to see that data. Now, MAC addresses are also used in security though through the use of MAC filtering. For example, in wireless networks it’s quite common to use an allowed list of the MAC addresses that are allowed to connect to a given access point or alternatively you can use a block list that are going to say which devices are not allowed to connect.

This is a basic form of network access control or NAC. To overcome this as a penetration tester, you can simply change your MAC address from the one assigned by the manufacturer to another value. For example, if the network uses an allow list containing all the MAC addresses that are authorized to connect to the network, you can change your MAC address to one that is in the allow list. MAC spoofing is actually really easy to do, even though MAC addresses are burned into a network interface card, most operating systems do allow you to overwrite this value inside of the operating system. For example, I use a MacBook and I can change my MAC address of my wireless adapter in that MacBook using a single command inside of the terminal. I simply enter, sudo ifconfig en0 ether and the MAC address that I want to use. Now, all of a sudden my MAC address has been changed to the MAC address that I specified in that command. Now, if I reboot my laptop though it’s going to reset my MAC address back to the one that was burned into my wireless adapter by the manufacturer. This allows me to change my MAC temporarily during an engagement if I need to, by using this command.

Now in Kali Linux, you can also use a command line tool called MAC changer to change your MAC address. If you want to learn more about MAC changer, simply type in, MAC changer dash H at the Kali prompt to bring up the help file and this will show you all the options that are available in this tool. To change the MAC address of your Kali machine, you can simply enter MAC changer dash M, the MAC address, and then the interface. This will assign the MAC address that you specify to the network interface card you listed in the command. This is really useful if you need to impersonate another device in order to bypass and allow list inside of the network. If you’re trying to avoid a block list in the network though you can instead choose any random MAC address and have it assigned to your network interface card instead of specifying the MAC address like we did with a dash M option. To assign a random MAC address to your network interface card, simply enter MAC changer dash r in the interface.

For example, back in the old days if you went to a coffee shop or an airport and you tried to use their wireless network, they might give you 15 minutes of free Wi-Fi. Now, after the 15 minutes they would automatically add your MAC address to their block list and kick you off of the network until midnight, when the block list was reset and cleared that everyone can start using the network again. Now, if you wanted more time, you could simply assign yourself a new, random MAC address. And this way you could get another 15 minutes each time you reset it to a new, random value. So as you can see, MAC changer can be really useful when you’re trying to impersonate other Layer 2 devices on the network or for bypassing MAC filtering on a given network.

91. VLAN Hopping (OBJ 3.1)

Another network attack we need to cover is known as VLAN hopping, or virtual local area network hopping. Now, a virtual local area network, or VLAN, is used to partition a broadcast domain and isolate it from the rest of the computer network at the data link layer or layer 2 of the OSI model. VLANs are commonly used in intranets and local of networks to increase the security of the network by creating segmentation between different portions of the larger network. This forces all the traffic to use layer 3 routing to move between the different VLANs. And this gives the network defenders a chance to apply access control lists to the layer 3 switch or router ports that are providing the segmentation and filtering of the traffic between the two VLANs. As a network penetration tester, if you gain access to a user’s workstation that’s located in one VLAN, you’re going to need to learn how to break out of that VLAN in order to gain access to other sensitive areas of the network that you’re going to want to access, things like the server VLAN that houses all the critical business servers, for example.

This involves VLAN hopping. Now, VLAN hopping is the technique that exploits a misconfiguration to direct traffic to a different VLAN without proper authorization. VLAN hopping is usually accomplished using either double tagging, switch spoofing, or a MAC table overflow attack. Double tagging is a method where the attacker tries to reach a different VLAN using vulnerabilities in the trunk port configuration as a form of VLAN hopping. This can occur when the threat actor is connected to an interface port on a switch using access mode with the same VLAN as the native untagged VLAN on that trunk. Then whenever the attacker sends a frame on the network, they instead send it with two 802.Q tags, which is why we call this double tagging. The inner tag is going to contain the true destination that the attacker wants to reach, while the outer tag is going to contain the native VLAN. The native VLAN is the one VLAN that normally travels across the trunk port without a VLAN tag by itself. So when the switch receives the double-tagged frame, it’s first going to remove that outer tag that contains the native VLAN. And then it’s going to forward the frame to the VLAN of the second tag, which had the inner tag with the location that the attacker really wanted to get their traffic to. The result of this double-tagging attack is that the attacker can now break out of the current VLAN, in this case, the native VLAN, and then migrate themselves into the destination VLAN, resulting in a successful VLAN hop. Unfortunately, though, for us as attackers, this technique is really a one-way trip for those frames that are being double tagged, because the destination is not going to double tag the return data and send it back to us as attackers.

Instead, the returned frames are sent to the initial tag. Now, you may be wondering, why would an attacker or a penetration tester want to use double tagging to send data into a VLAN without being able to receive any responses back? Well, usually, this double-tagging technique is going to be used as part of a blind attack or part of a denial of service or stress testing attack. A blind attack is one where commands are sent to the victim, but the attacker, or in our case, a pen tester, doesn’t get to see any of the responses. For example, if I knew that a machine in that VLAN was vulnerable to a specific exploit that could allow me to perform a remote code execution, I could send the exploit into the VLAN using double tagging with that payload that can then establish a beacon. And that would call out to my command and control server every morning at 3:00 AM, for example. Now, when the beacon goes out and connects to my server, this is going to be outside of the local area network. And therefore, I can establish two-way communications with that device from the internal network in that other VLAN out to my server out in the internet and back again. The other reason for using this type of VLAN hopping is from when you don’t necessarily need to get a response back.

This is the case if you’re doing a denial of service attack or a stress test. In a denial of service attack, the attacker won’t need to receive a response for any of the data being forwarded into that VLAN using the double-tagging technique, because they’re simply trying to flood that VLAN with a bunch of data as part of their attack. And they don’t care about the response. To prevent a double-tagging attack from being successful, cyber security professionals always need to ensure they change the default configuration of their native VLAN from VLAN ID one to something else. And also, they should never add user devices into the native VLAN inside of their network. Now, the second method of conducting a VLAN hopping attack is known as switch spoofing. Switch spoofing occurs when an attacker attempts to use the dynamic trunking protocol, or DTP, to negotiate a trunk port with a switch. Normally, DTP negotiations are only performed by the switch when it initially connects to a trunk port. Now, by default, trunk ports are set up to support auto negotiation between two different switches. This way they can share their VLAN information. But if an attacker configures their attack workstation to look like it’s a switch, they can configure it to be set up as dynamic auto or dynamic desirable when they’re in switch port mode. Then, when they connect to the trunk port, it’s going to automatically negotiate a trunking connection, just like a switch would. Now, once that trunk is established with the attacker’s works station by the switch, that attacker works station now has access to all the VLANs inside of the network. To prevent a switch spoofing attack from being used during a VLAN hopping exploit, cybersecurity professionals should always configure their switch ports have dynamic switch port modes disabled by default.

This will ensure your switch doesn’t support auto negotiation by default, and you can then prevent switch spoofing from allowing VLAN hopping to occur in your network. The final method of conducting VLAN hopping isn’t as much of a technique that allows VLAN hopping as it is one that allows VLANs to no longer be enforced. Do you remember how switches maintain a CAM table that remembers all the MAC addresses that are being used by the different switch ports? Well, switch manufacturers built in a backup method in case those CAM tables became overloaded, or they couldn’t be read at a given time. If these CAM tables become overloaded, the switch will stop acting like a switch, and essentially it will fail open and start to act like a hub.

Now, just in case you don’t remember the difference between a switch and a hub from your earlier network studies, a switch uses intelligence to only transmit frames out to the switch ports that are involved in a given conversation. A hub, on the other hand, doesn’t have any intelligence. And so, it just repeats out every frame it receives out every single port that’s connected to it, and it relies on the network clients on the other end of those ports to ignore any frames that aren’t addressed to them. So as a penetration tester, you can go ahead and overload the CAM table of the switch by flooding it with MAC addresses, which will then cause a switch to fail open and begin acting like a hub. This will start sending out all the frames it receives out on every port, including the port that you have a packet sniffer hooked up to, so you can read the traffic destined for other VLANs.

92. NAC Bypass (OBJ 3.1)

Network access control, or NAC, is used to protect our network from both known and unknown devices. Network access control is a technology that’s used to keep unauthorized users or devices from accessing a private network. With NAC, a device is scanned to determine its current state prior to being allowed access to the network. NAC can be used for computers within our internal network that are physically located inside of our buildings or even applied to devices that are remotely connected into our network through a VPN. Now in its most basic form, NAC might only check for something like a MAC address of the network card to determine if your device is allowed to connect to that network. To bypass this type of NAC, it’s really easy because you can just change your MAC address using MAC’s spoofing. Newer forms of NAC, though, are much more complex. In these systems, when a device attempts to connect to the network, it’s placed into a virtual holding area while it’s being scanned. That device can be checked for a number of different factors, including if any virus definitions are up to date, the status of its security patching, and other items that might introduce a security threat into the network. If the device passes this examination, it’s then allowed to enter and receive access to all the resources provided by that network. If the device fails the inspection, though, it’s going to be placed into a digital quarantine and remediation area.

While it’s in this area, that device can receive antivirus updates, operating system patches, and other security services, but it cannot logically communicate with the other portions of the network. Just like a bad child, the device has been placed into timeout until it can be rehabilitated and meet the requirements of the initial NAC examination. Once it successfully meets the NAC requirements, it’s moved into the network and receives full access to those network resources. Now there are three different types of network access control systems that you might run into. These are persistent, non-persistent, and volatile agents. Persistent agents are pieces of software that are installed on the device that’s requesting access to the network. This works well in corporate environments because the organization owns all of the devices and controls their software baseline. A non-persistent agent solution is quite popular on college campuses. These solutions require the user to connect to the network, usually over WiFi, and then log into a web-based portal and click on a link.

This link then downloads an agent that scans the device for compliance and then deletes itself from the user’s machine once it finishes with the scan. Agentless NAC solutions, on the other hand, install the scanning engine on the domain controller instead of on the endpoint device. This works well when the organization uses a bring-your-own-device policy or doesn’t have access to the endpoint devices to install the agent-based NAC solution. Agent-based NAC solutions can usually provide us with a deeper examination of a device, but agentless solutions are getting better and more in-depth all the time. Agentless solutions are also called volatile solutions because they completely run in the volatile RAM of that device once the scan begins from the Active Directory controller. So how can you bypass these more complex network access control solutions? Well, you really have two options.

One, you can exploit an authorized host, or two, you can make your device look like something else. Now the first option is to exploit an authorized host and then use that to access the network and bypass the NAC appliance. For example, if a victim’s corporate laptop has already been approved and authorized to use the network, even if that NAC solution relies on digital certificates with 802.1x authentication, you’re still going to be able to get past that NAC device. Why? Well, it’s because this authorized device is, well, authorized. And since you’ve hacked into that device, you can now use it as a pivot point to send your traffic through this authorized device and into the rest of the network while bypassing the NAC appliance and its inspection. The second option is for you to spoof your attacking workstation and make it appear as if it’s something else, something like a Voice over IP handset, for example, that isn’t subject to NAC inspection. Now many NAC appliances have an allowed list of devices, usually based on their MAC addresses, and these things are allowed to connect without being inspected.

Most commonly, you’re going to find things like VoIP handsets, VTC terminals, and printers included on this list because they don’t have a native operating system, like Windows or Linux, that can support NAC inspection. Since these devices are all often considered accepted devices, though, if you can trick the NAC appliance into thinking you are one of these devices, you can bypass the NAC inspection completely. The only real downside of this strategy is that most networks are designed to segment out these VoIP devices and printers into their own separate VLANs since they can’t be inspected or trusted by the NAC appliance. So while you may end up bypassing the NAC device by pretending to be a VoIP handset, you may then find yourself in an isolated VLAN that you’re now going to have to use VLAN hopping to escape from.

• Category: Uncategorized