Introduction to NAC Security
Remember our deep dive in the first part (view part 1: https://soc-blog.approach-cyber.com/raspberry-pi-and-stealthy-snooping-a-red-teams-secret-weapon) about the not-so-secret vulnerabilities of NAC Security (network access control) employing IEEE 802.1X? We delved into the nitty-gritty of this standard and shed light on its susceptibility to the age-old man-in-the-middle attack.
NAC Security: Network infiltration
Isn’t it fascinating how such an inoffensive device as the Raspberry Pi is able to trick such a big standard? The implant’s main purpose for the operators is to avoid getting caught while trying to access the available resources, enabling every step of the Lockheed Martin Cyber Kill Chain just by dropping the rogue device on the network.
Let’s delve into it!
The IEEE 802.1D standard, in the world of cyber security, is nothing short of magical. For our implant, it serves the same purpose as the invisibility cloak did for Harry Potter. Just as Harry navigated the halls of Hogwarts unseen, evading prying eyes and eavesdropping on secrets, our device, shrouded by this standard, seamlessly blends into the network. It operates undetected, collecting invaluable data while the rest of the digital world remains oblivious.
Ever heard of the Polyjuice Potion? The one that allowed its drinker to assume the identity of another. Well, after meticulously collecting data about our digital environment, our tools gain the ability to masquerade. We can flawlessly spoof the identity of an end user. Unlike Svyatoslav Pidgorny’s version, we’re able to use both stateless and stateful protocols, all thanks to a combination of routing and NAT.
Alright, let’s pause for a moment. So, we’ve seamlessly integrated our implant into the network. However, here’s the catch: while it’s adeptly communicating within this network, our operators are still on the outside looking in, unable to directly influence the implant’s actions. What’s the solution? Enter the remote-control mechanism I devised. And before your mind starts envisioning overly intricate systems or advanced rocket science algorithms, let me simplify: it’s essentially a dynamic remote port forward (DRPF) that paves a path straight to our own infrastructure. This gateway allows operators to either jump aboard and elevate privileges from the Raspberry Pi directly or unleash tools straight from their machines into the unsuspecting heart of the target’s network.
“Hang on a second!” you might ask, “Don’t most firewalls stop things like this?” You’re right. But here’s where it gets interesting. Some of you might know about an ‘out-of-band connection’. For those who don’t, let’s explain. An out-of-band connection is just a way to connect that’s separate from the main path everyone usually takes. Imagine a secret side door when the main entrance is being watched or blocked. This ‘side door’ method lets us sneak in and out without being noticed by typical security measures. In our case this consisted of a 4G connection.
In the midst of all this tech wizardry, let’s not forget a fundamental cornerstone: security. After all, what’s the use of a covert tool if it’s easily compromised?
To secure this highly valuable data we’ve implemented a few things:
Disk Encryption. No password, no data.
Restricted access to the DRPF. No bash access, only port forwarding allowed, SSH (Secure Shell) authentication only. The same goes for the local device: we’re only allowed to connect to the local interface (through the DRPF).
Disabling I/O ports. By doing this nobody can plug into the device without tweaking the configuration file, and to tweak the configuration file the implant must be rebooted, which leaves the encrypted disk locked again (no password, no data).
How to protect against physical threats?
While we’ve highlighted the Raspberry Pi’s capabilities, it’s clear that it comes with its own set of security challenges. This device offers both advantages and potential risks. If you’re looking for ways to enhance security and safeguard against these risks, consider leveraging our expertise. Our red team services at Approach are available to provide guidance and support.
Education, Education, Education: Arm your team with knowledge. From the intern to the CEO, every member of your organization should be attuned to the threats posed by devices that seem benign at first glance. A well-informed workforce, bolstered by regular cyber security training, is the cornerstone of a resilient defence. And if you’re unsure about where to start? Approach’s red team services offer tailored training sessions, turning your team into a human security system.
Access Control & Routine Checks: Keep a tight ship. Know what devices belong in your network and which don’t. Regular sweeps for unrecognized devices and stringent physical access measures can ensure that your fortress remains impenetrable. And guess what? Our red team can run simulated tests to check how watertight your measures truly are.
Stay Updated: Your defence mechanisms, from NAC and 802.1X protocols to firewalls and intrusion prevention systems, need to be in their prime. Consistently updating and adapting is key. Think of security not as a milestone but a journey—one where Approach’s red team can be your trusted co-pilots.
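One way to run the “regular sweeps for unrecognized devices” recommended above is to reconcile the switch’s MAC address table against a device inventory. This is an added example, not code from the original post or from Approach; the table lines, the inventory and the simplified “vlan mac port” line format are constructed, so adapt the parser to your switch’s real output. Besides unknown MACs, it flags a known MAC that shows up on an unexpected port or on several ports at once, which is what a device spoofing an end user’s identity can leave behind.

```python
import re
from collections import defaultdict

# Constructed sample of a switch MAC table: VLAN, MAC, port.
MAC_TABLE = """\
 10  aa:bb:cc:00:00:01  Gi1/0/1
 10  aa:bb:cc:00:00:02  Gi1/0/2
 10  aa:bb:cc:00:00:02  Gi1/0/7
 10  de:ad:be:ef:00:99  Gi1/0/3
 20  aa:bb:cc:00:00:04  Gi1/0/4
"""

# Constructed inventory: MAC -> port where that device is expected.
INVENTORY = {
    "aa:bb:cc:00:00:01": "Gi1/0/1",
    "aa:bb:cc:00:00:02": "Gi1/0/2",
    "aa:bb:cc:00:00:04": "Gi1/0/4",
}

LINE_RE = re.compile(r"^\s*(\d+)\s+([0-9a-f:]{17})\s+(\S+)\s*$", re.I)


def parse_mac_table(text):
    """Yield (vlan, mac, port) tuples, skipping lines that don't match."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield int(m.group(1)), m.group(2).lower(), m.group(3)


def find_anomalies(entries, inventory):
    """Return a sorted list of (kind, mac, port) findings."""
    findings = []
    ports_per_mac = defaultdict(set)
    for _vlan, mac, port in entries:
        ports_per_mac[mac].add(port)
        expected = inventory.get(mac)
        if expected is None:
            findings.append(("unknown-device", mac, port))   # not in inventory
        elif port != expected:
            findings.append(("unexpected-port", mac, port))  # known MAC, wrong port
    for mac, ports in ports_per_mac.items():
        if len(ports) > 1:  # same MAC seen behind more than one port
            findings.append(("mac-on-multiple-ports", mac, ",".join(sorted(ports))))
    return sorted(findings)


if __name__ == "__main__":
    for finding in find_anomalies(parse_mac_table(MAC_TABLE), INVENTORY):
        print(*finding)
```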
In our exploration, we highlighted the surprising power and vulnerabilities associated with the NAC Security employing IEEE 802.1X, demonstrating how an innocuous device like the Raspberry Pi can exploit these weaknesses. Through ingenious methods, this device seamlessly infiltrates networks, evading detection and assuming digital identities. Yet, while the tool’s capabilities are impressive, ensuring its security remains paramount. To counteract these threats, organizations must prioritize ongoing cyber security education, robust access controls, and constant security updates. As cyber threats grow in sophistication, partnering with experts, like those at Approach’s red team, can be a game-changer in ensuring your digital realm remains fortified.
Want to stay up to date with the latest threats? Then subscribe to our SOC newsletter.