Bypass a VPN, ACL, and VLAN
ECE 4112
Alaric Craig and Pritesh Patel
Goal
- Bypass three layers of security
  - VPN
  - Router ACLs
  - VLAN
- Effectively, an outsider could bring an internal network down with a DoS.
Method
- Exploit an authenticated remote machine
- Use the established VPN tunnel
- Send traffic that bypasses router ACLs and crosses VLANs.
How
- Use Sub7 to create a backdoor to the remote machine.
- From the remote machine, use the existing VPN tunnel to communicate inside the network.
- Now that we have access, perform a VLAN hopping attack.
Sub 7
- Trojan horse used to gain root-level access
- Many fun modules
  - Keylogging
  - Enable telnet and ftp
  - Tic tac toe
  - Realistic Matrix
In our case
VPN Bypassed
- Once into the remote machine, telnet to a VLAN 1 machine and send VLAN hopping traffic.
- VPNs used: Cisco VPN concentrator and OpenVPN. Once the connection is set up, the prompt can be used to send traffic to the internal machine.
VLANs
- Virtual Local Area Networks
- A logical grouping of devices or users
- Users can be grouped by function, department, application, regardless of physical segment location
- VLAN configuration is done at the switch (Layer 2)
VLAN Membership
- Static VLAN Assignment
  - Port-based membership: membership is determined by the port on the switch and not by the host.
- Dynamic VLAN Assignment
  - Membership is determined by the host's MAC address. The administrator has to create a database with MAC addresses and VLAN mappings.
VLAN Communication
- VLANs cannot communicate with each other even when they exist on the same switch
- For VLANs to communicate they must pass through a router
- Each VLAN is required to have at least one gateway to route packets in and out of the network
VLAN Trunking
- Trunking allows us to cascade multiple switches using the trunk ports to interconnect them
- Trunk ports act as a dedicated path for each VLAN between switches
- The trunk port is a member of all configured VLANs
VLAN Tagging
- Two dominant tagging technologies:
  - Inter Switch Link (ISL) (Cisco Proprietary Technology)
  - IEEE 802.1q (Industry Adopted Standard)
VLAN Network Setup
Access Control List
Router ACLs:
Standard IP access list ADMIN
10 permit 192.168.0.0, wildcard bits 0.0.151.255
20 permit 57.35.0.0, wildcard bits 0.0.159.255
30 deny any log
Extended IP access list ACCT
10 permit icmp any any echo-reply
20 deny ip 10.1.10.0 0.0.0.255 192.168.0.0 0.0.151.255
30 permit ip 57.35.0.0 0.0.159.255 192.168.0.0 0.0.151.255
40 deny ip any any log
Extended IP access list IT
10 permit icmp any any echo-reply (24 matches)
90 deny ip 10.1.10.0 0.0.0.255 57.35.0.0 0.0.159.255
100 deny ip 192.168.0.0 0.0.151.255 57.35.0.0 0.0.159.255
110 deny ip any any log
ACL Demonstration
Switch Default Configuration
- Dynamic Trunking Protocol (DTP) automates ISL/802.1q trunk configurations
- DTP States:
  - On: "I want to be a trunk and I don't care what you think!" State used when the other switch does not understand DTP.
  - Off: "I don't want to be a trunk and I don't care what you think!" State used when the configured port is not intended to be a trunk port.
  - Desirable: "I'm willing to become a VLAN trunk; are you interested?" State used when the switch is interested in being a trunk.
  - Auto: "I'm willing to go with whatever you want!" This is the default on many switches.
  - Non-Negotiate: "I want to trunk, and this is what kind of trunk I will be!"
- Native VLAN set to VLAN 1
VLAN Hopping Attacks
- These attacks are designed to allow the attacker to bypass the Layer 3 device
- The attack takes advantage of incorrectly configured trunk ports on network switches
VLAN Hopping Attacks
- Basic VLAN Hopping Attack
  1. Attacker fools the switch into thinking that he is a switch that needs trunking
  2. The attack needs a trunking-favorable setting such as Auto to succeed
  3. The attacker is now a member of all trunked VLANs on the switch and he can send and receive data on those VLANs
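
Because the basic attack depends on a trunking-favorable DTP state, a switch configuration can be audited for it. The following is an added example, not part of the original slides: it scans a constructed IOS-style configuration for ports left in a dynamic or unset mode and for trunks whose native VLAN is still VLAN 1. The sample configuration and the `audit` function name are assumptions made for illustration.

```python
import re

# Constructed IOS-style interface configuration (sample input, not from the slides).
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport mode dynamic auto
interface FastEthernet0/2
 switchport mode access
 switchport access vlan 10
interface FastEthernet0/3
 switchport mode dynamic desirable
interface FastEthernet0/4
 description no explicit mode configured
interface FastEthernet0/24
 switchport mode trunk
 switchport trunk native vlan 1
"""
MODE = "switchport mode "
NATIVE = "switchport trunk native vlan "

def audit(config):
    """Map each interface name to a list of trunking findings (empty list = clean)."""
    blocks, current = {}, None
    for line in config.splitlines():
        header = re.match(r"interface (\S+)", line)
        if header:
            current = header.group(1)
            blocks[current] = []
        elif current and line.startswith(" "):
            blocks[current].append(line.strip())

    findings = {}
    for name, lines in blocks.items():
        issues = []
        mode = next((l[len(MODE):] for l in lines if l.startswith(MODE)), None)
        native = next((l.split()[-1] for l in lines if l.startswith(NATIVE)), "1")
        if mode is None:
            # Assumption: an unset port uses the default, which the slides say is often Auto.
            issues.append("no explicit mode: switch default applies (Auto on many switches)")
        elif mode.startswith("dynamic"):
            issues.append(f"'{mode}': port will negotiate trunking via DTP")
        elif mode == "trunk" and native == "1":
            issues.append("trunk native VLAN left at the default VLAN 1")
        findings[name] = issues
    return findings

if __name__ == "__main__":
    for port, issues in audit(SAMPLE_CONFIG).items():
        print(port, "->", "; ".join(issues) or "ok")
```
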
VLAN Hopping Attacks
- Double Encapsulated VLAN Hopping Attack
  1. Switches perform only one level of IEEE 802.1q decapsulation
  2. This allows the attacker to specify a .1q tag inside the frame, allowing the frame to go to a VLAN that the outer tag did not specify.
  3. This attack works even if trunk ports are set to OFF
Identification of VLAN Tags Using Ethereal
VLAN Tag: 81 00 0n nn
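
The same `81 00` marker can be checked programmatically instead of by eye in a capture. The following is an added example, not part of the original slides: it walks the 802.1Q tags at the start of a raw Ethernet frame and flags the double encapsulation described earlier. The sample frames are constructed, and the function names are assumptions made for illustration.

```python
import struct

TPID_8021Q = 0x8100  # the "81 00" bytes that mark a VLAN tag in a capture

def vlan_tags(frame: bytes) -> list:
    """Return the VLAN IDs of every 802.1Q tag stacked after the two MAC addresses."""
    tags, offset = [], 12          # skip destination MAC (6) + source MAC (6)
    while len(frame) >= offset + 4:
        tpid, tci = struct.unpack_from("!HH", frame, offset)
        if tpid != TPID_8021Q:
            break                  # reached the real EtherType
        tags.append(tci & 0x0FFF)  # low 12 bits = VLAN ID, top 4 bits = priority/DEI
        offset += 4
    return tags

def classify(frame: bytes) -> str:
    """Classify a frame as seen on a host-facing (access) port."""
    tags = vlan_tags(frame)
    if not tags:
        return "untagged"
    if len(tags) == 1:
        return f"single tag: VLAN {tags[0]}"
    # A switch strips only one tag, so the inner tag survives onto the trunk.
    return f"ALERT double tag: outer VLAN {tags[0]}, inner VLAN {tags[1]}"

# Constructed sample frames (not captured traffic): MACs, tags, IPv4 EtherType, padding.
MACS = bytes.fromhex("ffffffffffff" "020000000001")
SAMPLES = {
    "plain":  MACS + bytes.fromhex("0800") + bytes(46),
    "tagged": MACS + bytes.fromhex("8100000a" "0800") + bytes(46),
    "double": MACS + bytes.fromhex("81000001" "81000014" "0800") + bytes(46),
}

if __name__ == "__main__":
    for name, frame in SAMPLES.items():
        print(f"{name:7s} {classify(frame)}")
```
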
VLAN Hopping Attack Using Tcpreplay