The insecure VLAN
As promised, here is the second part in our series on using Yersinia to exploit insecure network infrastructure designs. This post focuses on VLAN hopping. First, let me say that early in my pilgrimage toward security enlightenment and network utopia (not that I am there yet) I was guilty of the same pitfall that many organizations still fall into: the belief that VLANs are a way to secure network segments. Unfortunately, that is not the case. VLANs are purely a way to segment traffic. Combined with strong access lists and port controls they help increase network security, but as a stand-alone item they have nothing to do with security. Readers, flame on.
With this in mind, let's examine how to exploit the unsubstantiated belief that VLANs will secure independent network segments. To do this we will once again turn to our wonderful friends in Spain, David and Alfredo, and their great tool Yersinia.
Connect your system locally to the switched infrastructure you would like to test. Fire up Yersinia in its graphical mode ("yersinia -I") from your beast of a Linux machine, because, as the boys in Spain say when asked about a Windows version: "No, it does certainly not. Perhaps some nice fellow could port yersinia to Windows and make you happy."
WARNING: Audit Notes
I wanted to put this early in the post to ensure everyone knows how destructive this tool can be to one's network. This is a very invasive and dangerous exploit for the network. My usual approach is to talk with the IT manager about the multiple exploits in this class and to tell them that, in my belief, it is better to receive a hard copy of the configs and document a simulated attack. If the customer wants us to proceed with a live attack, I always have signed documentation that ensures they know and accept the risks.
——————-
Now select the network interface you want to use by pressing the "i" key on your keyboard. You should now see DTP (Dynamic Trunking Protocol) traffic; this can take several minutes to appear. If you do not see DTP traffic then, to put it bluntly, you're screwed, and the person who set this switch up obviously knows what they are doing. Perhaps I will cover another option in a future post with VoIP Hopper.
For those of you who are successful in seeing DTP traffic, congrats. We now need to change the port we are using into a trunk port. To accomplish this, press "F5" or "g"; now set everything to the default values by pressing the "d" key. Pressing the "x" key will start the attack against the switch; then press "1" to enable trunking. We are ready to switch VLANs, which should be apparent from the additional DTP packets streaming across your screen.
To complete the next part we need to have accomplished a couple of items in the footprinting stage: we need to know the VLAN we want to attach to, the gateway IP address for that VLAN, and an IP address within that VLAN that is not in use.
We will switch to 802.1Q mode by pressing "F6" or "g". You should now see spanning tree or broadcast traffic flowing. As before, press "d" to initialize the default values, and then "x". Begin sending 802.1Q ARP poisoning by pressing the "2" key. Enter the three items gathered during the footprinting phase. You should now be able to see the traffic generated in the VLAN you were trying to jump to.
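The whole hop above depends on one design weakness: an access port that will still negotiate a trunk over DTP. In the spirit of the config review mentioned in the audit notes, here is an added example (not part of the original post or of Yersinia) that scans a Cisco IOS-style configuration and flags every port that could be talked into a trunk. The sample config is constructed, and the script assumes that a port with no explicit "switchport mode" line falls back to DTP auto-negotiation.

```python
# Added example, not part of the original post or of Yersinia. It assumes a Cisco
# IOS-style config (one 'interface' stanza per port, indented 'switchport' lines)
# and that a port with no explicit 'switchport mode' line falls back to DTP
# auto-negotiation, the weak default the trunk negotiation above depends on.

# Constructed sample: default, explicitly negotiating, hardened, and trunk ports.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 switchport access vlan 10
!
interface GigabitEthernet0/2
 switchport mode dynamic desirable
!
interface GigabitEthernet0/3
 switchport mode access
 switchport access vlan 20
 switchport nonegotiate
!
interface GigabitEthernet0/24
 switchport mode trunk
!
"""

def parse_interfaces(config):
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            interfaces[current] = []
        elif current and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or a global command ends the stanza
    return interfaces

def dtp_findings(config):
    """Map each interface to a finding; 'ok' means DTP cannot form a trunk on it."""
    findings = {}
    for name, lines in parse_interfaces(config).items():
        modes = [l for l in lines if l.startswith("switchport mode ")]
        mode = modes[-1].split()[2] if modes else None  # last line wins, as in IOS
        if mode == "dynamic":
            findings[name] = "negotiates trunk via DTP (explicit)"
        elif mode is None:
            findings[name] = "negotiates trunk via DTP (switch default, assumed)"
        elif mode == "trunk" and "switchport nonegotiate" not in lines:
            findings[name] = "trunk with DTP still enabled"
        else:  # access ports and nonegotiate trunks cannot be talked into a trunk
            findings[name] = "ok"
    return findings
```

Run it over a real "show running-config" export; any port reported as negotiating is one where the DTP traffic described above would show up, and "switchport mode access" plus "switchport nonegotiate" is the fix.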