Dear Robin, Personally I haven't tested a NAC environment but there are a few hints I have got from @j0emccray. Get his talk "you spent all that money and still got owned", he recommends get voip devices or printers. He used a tool vlan to impersonate a voip device
In "the evolution of pen testing high security environment" he says look for a printer, printers and voip are usually excluded from the 802.1x protocol. print the default test page, you will get the mac and ip of the printer. Spoof the mac. On Fri, Aug 30, 2013 at 10:04 AM, Robin Wood <[email protected]> wrote: > > > > On 30 August 2013 14:19, Joshua Wright <[email protected]> wrote: > >> Hi Robin, >> >> On Aug 29, 2013, at 6:57 PM, Robin Wood <[email protected]> wrote: >> >> > As I asked about recently, I'll soon be testing a NAC type device and >> so I was wondering, is there a tool which will let me watch a device then >> clone its network fingerprint? By fingerprint I mean things like network >> settings such as TTLs but also open ports (probably couldn't spoof the >> service but at least open the port). >> > >> > I know there is a tool that is designed to fool attackers by having a >> list of different OS's and you chose which you want to pretend to be but >> rather than pick from a list I want to be able to point it at another >> machine and say "clone that". >> >> I don't think that exists. When I want to evade NAC systems, I usually >> start with a Scapy-generated 3-way handshake that mimic's an iPad or other >> device that I put together manually. >> >> > What do you do for IP? Do you work out what is on the network through > passive observation and then pick something that looks appropriate? > > Any other suggestions on testing/avoiding NAC? I've not tested with one in > action before and don't have anything to practice against. This particular > test is to see if it is doing its job properly so specifics on testing a > NAC would be good. > > >> > If a tool doesn't exist, and I don't think it will, can someone remind >> me of the name of the tool I described above and I'll have a look see if >> that can be modified. >> >> I think you mean OSFuscate by Irongeek: >> http://www.irongeek.com/i.php?page=security/osfuscate-change-your-windows-os-tcp-ip-fingerprint-to-confuse-p0f-networkminer-ettercap-nmap-and-other-os-detection-tools >> . >> >> > Thats the one. > > Robin > > >> -Josh >> _______________________________________________ >> Pauldotcom mailing list >> [email protected] >> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom >> Main Web Site: http://pauldotcom.com >> > > > _______________________________________________ > Pauldotcom mailing list > [email protected] > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom > Main Web Site: http://pauldotcom.com > -- Regards Charles Watathi http://netsecuritystuff.wordpress.com<https://netsecuritystuff.wordpress.com/> <http://netsecuritystuff.blogspot.com>
_______________________________________________ Pauldotcom mailing list [email protected] http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com
