In this post i’ll describe how to bypass NAC ( Network Access Control ). During an internal pentest, I had a problem connecting to the client network ( all network zipbits 802.1x (including VoIP zipbits), after a few hours trying to find out why, I found out that the client had implemented NAC, but what is Network access protocol (NAC) ?

Network Access Control (NAC) is a solution used on corporate networks to prevent, or even hinder, unauthorized hosts from accessing internally available services and systems. This access restriction can occur only at the network layer, preventing an IP address from being obtained through the DHCP service, or completely segmenting the wrong hosts from the valid ones at the link layer level. Below are descriptive steps to circumvent NAC, remembering that this does not work in all cases.

1º Connect a valid host to hub

2º Attach the attacker’s host to the hub

3º Intercept the ARP frames to identify the valid host MAC address

4º Connect hub / switch to the network point

5º Wait for authentication of valid host

6º Clone the valid host MAC address into the attacker’s host

7º Enter the victim’s IP address statically in the attacker’s host

This will allow the attacker to communicate with corporate networks without requiring authentication. The following illustration shows the diagram representing such a bypass of the NAC:

After setup, wireshark was used to get IP and MAC address from ARP packets. As ilustrate bellow

The next step was to clone the victim’s MAC address, IP address, configure network settings, and then connect the attacker’s machine to the hub. The following illustration shows when the required NAC bypass settings are made:

As a proof of concept concept, a scan was performed on the 10.75.X.X/X subnet to find available hosts with the nmap tool. The image below reveals the fact:

Thats all folks.. If you would like more posts related to internal pentest, leave your comment at

• twitter.com/incogbyte