bypass Cisco NAC

Dear all,

I have been asked to perform a quick pen test of a Cisco VOIP system. I'm not a VOIP or NAC expert so this is going to be basic stuff - only the most obvious of tests (this is just a favour).

The VOIP system uses Cisco 7962 phones connected to the Cisco LAN infrastructure using some form of NAC.

Looking for an obvious approach I thought I might try to bypass the NAC by plugging a hub inline between the phone and the LAN, i.e. to allow the phone to authenticate with the hub, allowing me to then remove the phone (unknown to the LAN) and to configure my laptop with the phone's MAC and IP Address.

I.e. the phone uses the EAP password and other authentication info to login. The LAN puts it (including the hub) into the appropriate VLAN. And then I can use the laptop masquerading as the phone to further test the VOIP system.

But this doesn't appear to work - so was I wrong to think that NAC only tests the machine at initial login?

Brightwell


Meanwhile, at the comp.dcom.sys.cisco Job Justification Hearings, brightwell chose the tried and tested strategy of:

Are you sure? Do a packet capture from the hub; you may find that the phone encapsulates its own traffic on the voice VLAN and passes through traffic for the PC connected to it on the default VLAN.

alexd
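
The check suggested in the reply above, as an added example that is not part of the original thread: a Python parser that reads the 802.1Q tag from captured Ethernet frames and groups the VLAN IDs seen per source MAC, so tagged phone traffic can be told apart from untagged PC traffic on the same wire. The frames, MAC addresses, priority value and VLAN ID 110 are constructed sample values.

```python
import struct
from collections import defaultdict

TPID_8021Q = 0x8100   # IEEE 802.1Q tag
TPID_8021AD = 0x88A8  # IEEE 802.1ad outer tag (Q-in-Q)

def parse_frame(frame: bytes):
    """Return (src_mac, [vlan ids, outer to inner], ethertype) for one frame."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    src = frame[6:12].hex(":")
    offset, vlans = 12, []
    (ethertype,) = struct.unpack_from("!H", frame, offset)
    while ethertype in (TPID_8021Q, TPID_8021AD):
        if len(frame) < offset + 6:
            raise ValueError("truncated VLAN tag")
        tci, ethertype = struct.unpack_from("!HH", frame, offset + 2)
        vlans.append(tci & 0x0FFF)  # low 12 bits of the TCI are the VLAN ID
        offset += 4
    return src, vlans, ethertype

def vlans_by_source(frames):
    """Map each source MAC to the set of VLAN tag stacks it sent; () = untagged."""
    seen = defaultdict(set)
    for frame in frames:
        src, vlans, _ = parse_frame(frame)
        seen[src].add(tuple(vlans))
    return dict(seen)

def build_frame(dst, src, ethertype, vlan=None, payload=b"\x00" * 46):
    """Build a constructed sample frame; vlan=None leaves it untagged."""
    hdr = bytes.fromhex(dst) + bytes.fromhex(src)
    if vlan is not None:
        hdr += struct.pack("!HH", TPID_8021Q, (5 << 13) | vlan)  # priority 5, constructed
    return hdr + struct.pack("!H", ethertype) + payload

# Constructed sample capture: locally administered MACs, assumed voice VLAN 110.
PHONE, PC, BCAST = "020000000001", "020000000002", "ff" * 6
SAMPLE = [
    build_frame(BCAST, PHONE, 0x0800, vlan=110),  # phone IPv4, tagged
    build_frame(BCAST, PC, 0x0806),               # PC ARP, untagged
    build_frame(BCAST, PHONE, 0x0806, vlan=110),  # phone ARP, tagged
]

if __name__ == "__main__":
    for mac, stacks in vlans_by_source(SAMPLE).items():
        labels = ["untagged" if not s else "vlan " + "/".join(map(str, s)) for s in stacks]
        print(mac, ", ".join(sorted(labels)))
```

If the phone's frames carry a tag and the test PC's do not, the two hosts sit in different broadcast domains even when their IP addresses are configured in the same subnet.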

I plug the phone into the hub and the hub into the switch (it is a very dumb hub - it won't be doing anything clever). I've plugged my phone into the hub and it logs in and works ok. I've plugged my test PC into the hub (configured with a spare IP Address in the phone's subnet).

I've run a packet capture and I appear to see traffic to and from the phone (as well as traffic from other subnets - bizarrely) but I can't even ping the phone - even though it is in the same hub and the IPs are in the same subnet. I see the ARPs going out but nobody responds, so I presume the phone must be throwing the packets away. If I try and ping other IP addresses in the phone subnet, again I see the ARPs going out but I get no reply so the switch might be throwing these away.

On the face of it it is looking quite secure... Which is a good thing... But I would be interested to know what is going on so that I know I'm not being defeated by my stupidity rather than by a good security measure.

brightwell

Are you sure it's a hub and not really a switch? And are all the devices you want to sniff traffic for connected to the hub? If not, you won't necessarily see them. q.v. the following docs for more info:

formatting link

-Gary

