What starting position does this attack require?

The first step is Obtain LAN address (T1078) — a initial access primitive. Assumed environment: target uses 802.

What is the final impact of this kill-chain?

The final step lands on Clone MAC on attacker NIC (N-NAC-BYPASS-MAC), which falls under Defense Evasion. From here, an operator typically pivots into post-exploitation or maintains persistence.

How can defenders detect or prevent this attack?

Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.

← RegistryDossier · 6 steps · 5 edges

Approved

802.1X NAC bypass via printer MAC spoof

Plug into the LAN, sniff a printer / IP-phone MAC, clone it on your laptop, get full LAN access via MAC-Auth-Bypass — bypass NAC entirely.

Filed by AD Knowledge BasePublished 2026-05-26

§ Kill-chainDrag · zoom · scroll

Initial Access

Obtain LAN address

T1078 · Valid Accounts

Initial Access

Physical access to a network drop

T1078 · Valid Accounts

Credential Access

Continue chain (LLMNR poison / Kerberoast / etc.)

T1557.001 · LLMNR/NBT-NS Poisoning and SMB Relay

Reconnaissance

Sniff for MAB-eligible devices (printer / VoIP)

N-ARP-RECON · ARP Sweep / LAN Discovery

Discovery

Internal nmap sweep

N-NMAP-INTERNAL · Internal Nmap Sweep

Defense Evasion

Clone MAC on attacker NIC

N-NAC-BYPASS-MAC · NAC Bypass via MAC Spoof

§ Context

Assumed environment: target uses 802.1X for endpoint devices but allows MAC-Auth-Bypass for legacy devices (printers, VoIP phones, IoT). MAC-allowlist is the only verification.

§ Steps

01
Obtain LAN addressInitial Access
T1078— Valid Accounts
02
Physical access to a network dropInitial Access
T1078— Valid Accounts
03
Continue chain (LLMNR poison / Kerberoast / etc.)Credential Access
T1557.001— LLMNR/NBT-NS Poisoning and SMB Relay
04
Sniff for MAB-eligible devices (printer / VoIP)Reconnaissance
N-ARP-RECON— ARP Sweep / LAN Discovery
05
Internal nmap sweepDiscovery
N-NMAP-INTERNAL— Internal Nmap Sweep
06
Clone MAC on attacker NICDefense Evasion
N-NAC-BYPASS-MAC— NAC Bypass via MAC Spoof

§ References

T1078Valid Accounts
T1557.001LLMNR/NBT-NS Poisoning and SMB Relay

§ Frequently asked

What is the "802.1X NAC bypass via printer MAC spoof" attack path?: Plug into the LAN, sniff a printer / IP-phone MAC, clone it on your laptop, get full LAN access via MAC-Auth-Bypass — bypass NAC entirely. It chains 6 steps drawn from real-world offensive-security techniques.
What starting position does this attack require?: The first step is Obtain LAN address (T1078) — a initial access primitive. Assumed environment: target uses 802.
What is the final impact of this kill-chain?: The final step lands on Clone MAC on attacker NIC (N-NAC-BYPASS-MAC), which falls under Defense Evasion. From here, an operator typically pivots into post-exploitation or maintains persistence.
How can defenders detect or prevent this attack?: Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.

802.1X NAC bypass via printer MAC spoof

§ Context

§ Steps

§ References

§ Frequently asked

§ Related dossiers

WPA2-PSK handshake capture + crack → LAN access

Industroyer2 IEC-104 substation hijack

z/OS TN3270 → RACF userID brute → mainframe shell

Reconfigure MFP LDAP → harvest service-account credentials

HMI default credentials → operations disruption

npm typosquat → developer workstation → corporate VPN