During a recent engagement, I found myself in quite a difficult situation. I was in the client's offices and got my hands on one of their Windows laptops including a set of valid domain credentials. So, using an Ethernet cable, I was able to get the laptop into the client's network. But, thanks to a great Endpoint Detection and Response (EDR) solution, solid privilege management and 802.1X-2010 NAC, that was about as far as I could get. Or was it...?
First, let me explain the problem(s). The 802.1X-2010 standard for Network Access Control (NAC) is really solid in preventing unauthorized users and devices from accessing a network, bar some major misconfigurations. Bypassing it would go beyond the scope of most penetration tests, especially if it is configured to use certificate-based authentication, as was the case here. At least if there is no way to obtain a such a certificate. Which leads me to the second problem: The laptop I got and the associated permission structure were configured superbly. I saw no way to escalate privileges locally that didn't require at least some form of Social Engineering, which was out-of-scope for this specific pentest. Additionally, the EDR the client used was one of the best I've ever seen, so I couldn't even really make use of any of my recon tools. Even Living-of-the-Land was made more difficult since Powershell was configured with Constrained Language Mode.
So what I was left with was a set of credentials and a laptop that didn't allow me to do any of the "bad guy" stuff I would usually do. Quite a pickle indeed.
However, there along came a silver lining. Something I never used maliciously before, because I never had to before: Mobile hotspots. They are not only a feature of most modern smartphones and mobile devices, no, Microsoft decided to implement them as a base OS feature in Windows 10 onward.
Any system that has a spare wireless NIC (such as a laptop connected to the network via ethernet cable) can make use of it. And, as opposed to the older feature of network bridges, mobile hotspots on Windows systems don't even require local administrative privileges. Any user can set one up by default. So that's exactly what I did. I then connected a different laptop to the hotspot, a Linux system on which I had root privileges as well as my set of tools, et voila, all of the endpoint hardening, the limited permissions and the supreme EDR the client had in use went out the window. Not to mention that the NAC could be bypassed by any of their employees.
Sure, I couldn't do any proper Attacker-in-the-Middle attacks since I was technically on a different subnet, but everything else was fair game. From then on, it was just a matter of time until I 0wned the domain controller. But that's a story for another day.
Funnily enough, this happened only a short while after the so-called Nearest Neighbor Attack made waves in InfoSec news. So I tried to spin up a scenario where mobile hotspots could be used in combination with this type of attack. If an employee laptop gets compromised, for example through phishing, then the malicious actors could activate a malicious hotspot and connect to it from a nearby system they already 0wn, thus bypassing any EDR or AV solutions as well local priviliege limitations. The potency of this is even further increased thanks to the abundance of remote work.
The only caveat is that usually an initial compromise does not come with RDP access, so activating the mobile hotspot using the GUI would be an unlikely scenario. Therefore, it would need a way to do this from the command line. Is there one? Of course there is:
If you're managing a company network with Windows systems in it, you should disable the "Mobile Hotspot" feature via GPO. The specific key for this is Administrative Templates\Windows Components\Network\Network Connections\Prohibit use of Internet Connection Sharing on your DNS domain network.