An interesting reflection about a situation I faced while performing a pentest for a customer. The scope was the internal network or “show me what an attacker could access from a rogue device“. A very wide scope indeed… The customer is using a NAC (“Network Access Control“) solution to allow only corporate devices to connect to the network. To briefly explain, a NAC is based on tools and protocols (typically 802.1X with a RADIUS back end, or agent-based posture checks) to identify end-point devices and grant (or deny) access to resources based on multiple factors like the operating system, the installed patches, the presence of a firewall, an antivirus, a security component or a specific software configuration. A device granted on the network will usually be switched to a specific VLAN corresponding to its profile. Some firewalls may also be dynamically reconfigured to allow new traffic flows. If you are interested, Google has plenty of results on this topic. Most security $VENDORS have a NAC solution in their portfolio.
The first idea to perform the pentest is to try to understand how the NAC is implemented. How could we simulate a “good” device on a “rogue” one (spoof a MAC address, relay the 802.1X exchange, fake the posture report)… Wait, wait, stop! Let’s take a deep breath… What will happen if a rogue device is detected? In most cases, it will be moved to a quarantine or guest VLAN. This VLAN allows the owner to access basic services on the Internet (web surfing, email, VPN) or to perform some remediation and solve the configuration issues (like upgrading the antivirus signatures). By design, it should be isolated from every production VLAN; whether it actually is depends entirely on the ACLs and firewall rules the customer put in front of it.
How to take advantage of this? We could imagine the following scenario: Let’s connect a rogue laptop on the network. It will logically land in the guest VLAN. Now, let’s wait for another device to show up in that same VLAN (a visitor’s laptop, or a corporate device parked there until it is remediated), try to pwn it and set up a permanent reverse backdoor. If you’re lucky, the next time it connects and passes the posture check, it will join the right VLAN and the backdoor will call back from inside. In my case, it was even easier: the guest VLAN was not properly configured and it was possible to reach servers as well as other devices in internal VLANs!
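One way to turn that last observation into a repeatable check, as an added example that is not part of the original post: a small Python script you run from a device the NAC has just parked in the guest VLAN. It probes a list of destinations the quarantine policy should block (internal VLANs) and a list it should allow (remediation server, Internet) and reports leaks. The important detail is how a probe is classified: a completed TCP handshake (“open”) and an immediate RST (“closed”) both prove that the packet crossed the VLAN boundary and reached the host, so both count as a leak; only a timeout or “no route” (“filtered”) means the boundary held. All addresses, ports and labels below are constructed placeholders (RFC 1918 / RFC 5737 ranges), not the customer’s network.

```python
#!/usr/bin/env python3
"""Guest/quarantine VLAN isolation check.

Added example, not code from the original post. Run it from a device that
the NAC has placed in the guest VLAN. Every target in SHOULD_BE_BLOCKED
must come back "filtered"; every target in SHOULD_BE_ALLOWED must not.
Hosts and ports are assumed placeholders: replace them with the customer's.
"""
import socket
from dataclasses import dataclass


@dataclass(frozen=True)
class Target:
    label: str
    host: str
    port: int


# Constructed sample policy for an assumed network (not real infrastructure).
SHOULD_BE_BLOCKED = [
    Target("file server (server VLAN)", "10.10.20.5", 445),
    Target("domain controller LDAP (server VLAN)", "10.10.10.2", 389),
    Target("workstation RDP (user VLAN)", "10.10.30.40", 3389),
]
SHOULD_BE_ALLOWED = [
    Target("remediation / AV update server", "10.10.99.10", 443),
    Target("public web (documentation range)", "198.51.100.10", 443),
]


def probe_tcp(host, port, timeout=2.0):
    """Classify host:port like a connect scan would.

    "open"     -> handshake completed: the host is reachable and listening
    "closed"   -> RST received: the port is closed but the HOST IS REACHABLE,
                  i.e. the VLAN boundary was crossed anyway
    "filtered" -> no answer / no route: traffic is being blocked
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except OSError:  # socket.timeout, ENETUNREACH, EHOSTUNREACH, ...
        return "filtered"
    finally:
        s.close()


def audit(should_be_blocked, should_be_allowed, probe=probe_tcp):
    """Return {"leaks": [...], "broken": [...]}.

    leaks  : targets that should be isolated but answered (open or closed)
    broken : targets the quarantine is supposed to allow but that are filtered
             (the VLAN works, but remediation cannot happen from it)
    """
    leaks, broken = [], []
    for t in should_be_blocked:
        state = probe(t.host, t.port)
        if state != "filtered":
            leaks.append((t, state))
    for t in should_be_allowed:
        state = probe(t.host, t.port)
        if state == "filtered":
            broken.append((t, state))
    return {"leaks": leaks, "broken": broken}


def selftest():
    """Check probe_tcp against this host before trusting its verdicts:
    a live loopback listener must read "open", the same port once the
    listener is gone must read "closed" (RST). Returns (live, gone)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    live = probe_tcp("127.0.0.1", port, timeout=1.0)
    srv.close()
    gone = probe_tcp("127.0.0.1", port, timeout=1.0)
    return live, gone


if __name__ == "__main__":
    print("selftest (expect ('open', 'closed')):", selftest())
    result = audit(SHOULD_BE_BLOCKED, SHOULD_BE_ALLOWED)
    for t, state in result["leaks"]:
        print(f"LEAK   {t.host}:{t.port} is {state:<8} <- {t.label}")
    for t, state in result["broken"]:
        print(f"BROKEN {t.host}:{t.port} is {state:<8} <- {t.label}")
    if not result["leaks"] and not result["broken"]:
        print("guest VLAN isolation OK for the tested targets")
```

This only tests TCP connects, so add UDP (DNS, SNMP), ICMP and IPv6 probes before calling the quarantine clean, and re-run it after every change to the guest VLAN ACLs: the isolation that was there on day one is exactly what had drifted in the case above.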
Attackers, don’t try to attack the big wall facing you; always try to circumvent the difficulty by exploiting weaknesses on the side.
Defenders, don’t ruin your $$$ security solution by implementing poor controls around it, or no control at all: a quarantine VLAN is only a quarantine if the ACLs and firewall rules actually isolate it from the rest of the network.