If you think you are safe having adequate NAC (Network Access Control) but not controlling local administrative access and application execution on your workstations, you should think again. This post will go through some of the risks as well as some of the controls in an enterprise environment. This is an example of bypassing a NAC and the controls what you can put in place to ensure that your risk is mitigated.
The weakest point is normally an unsuspecting administrator, lack of proper configuration, and simple default installs. In this example, let’s look at a complete CISCO ISE implementation whereby
the workstations have been locked down to a secure realm and the MAC Address is used as one of the authentication mechanisms. Here, for argument, we will be using an user connected to the network using a physical cable. The user has a laptop with a Wireless LAN adapter as well. (As we can see, a compromise will depend on many requirements to be met).
I will not go in detail on the actual application that compromises access, but the normal PowerShell command are in the public domain.
The workflow of the penetration is to activate the WLAN card on the laptop to act as a Access Point and use the authenticated users credentials without his knowledge to access the Internet. This of course may lead to implicating the user into actions against the Acceptable Use Policy.
The windows commands are as follows:
- NETSH WLAN set hostednetwork mode=allow ssid=Your_SSID key=Your_Passphrase
- NETSH WLAN start hostednetwork
- The next step is to enable sharing on the WLAN device and this is done normally through the Network Connection Properties. This can be done programatically via updating registry keys.
- In order to stop the share the following command must be entered NETSH WLAN stop hostednetwork
- and then NETSH WLAN set hostednetwork mode= disallow
Now visualize a possible compromise
- Develop and application requiring UAC elevation privileges and give this to a user with local administrative rights
- This application will execute the above commands using either PowerShell or an API
- The unsuspecting user’s laptop is Wireless Access Point (AP) with your predefined SSID and Password
- One this is done, any wireless device can connect to the AP and access the Internet
- If the local user has authentication to the Domain/LDAP (or other authentication mechanism) to access the Internet, any access via the local AP will be through his account using his MAC address of the wired connection.
Controlling the risk
- A simple to control to the risk by ensuring users do not have local administrative access.
- Ensure only known (white-listed) applications can run on administrator workstations
- Monitor and report on user behavior (access to the Internet)
- Monitor, log and react on system changes outside the acceptable defined control framework