Bypass a VPN, ACL, and VLAN

ECE 4112
Alaric Craig and Pritesh Patel


Post on 02-Jan-2016


TRANSCRIPT

Page 1: Bypass a VPN,  ACL, and VLAN

Bypass a VPN, ACL, and VLAN

ECE 4112

Alaric Craig and Pritesh Patel

Page 2: Bypass a VPN,  ACL, and VLAN

Goal

• Bypass three layers of security
  - VPN
  - Router ACLs
  - VLAN
• Effectively, an outsider could bring an internal network down with a DoS.

Page 3: Bypass a VPN,  ACL, and VLAN

Method

• Exploit authenticated remote machine
• Use the established VPN tunnel
• Send traffic that bypasses Router ACLs and crosses VLANs.

Page 4: Bypass a VPN,  ACL, and VLAN

How

• Use Sub7 to create a backdoor to the remote machine.
• From the remote machine, use the existing VPN tunnel to communicate inside the network.
• Now that we have access, perform a VLAN hopping attack.

Page 5: Bypass a VPN,  ACL, and VLAN

Sub 7

• Trojan horse used to gain root level access
• Many fun modules
  - Keylogging
  - Enable telnet and ftp
  - Tic tac toe
  - Realistic Matrix

Page 6: Bypass a VPN,  ACL, and VLAN

In our case

Page 7: Bypass a VPN,  ACL, and VLAN

VPN Bypassed

• Once into the remote machine, telnet to VLAN 1 machine and send VLAN hopping traffic.
• VPNs used: Cisco VPN concentrator and OpenVPN. Once the connection is set up, the prompt can be used to send traffic to the internal machine.

Page 8: Bypass a VPN,  ACL, and VLAN

VLANs

• Virtual Local Area Networks
• A logical grouping of devices or users
• Users can be grouped by function, department, application, regardless of physical segment location
• VLAN configuration is done at the switch (Layer 2)

Page 9: Bypass a VPN,  ACL, and VLAN

VLAN Membership

Static VLAN Assignment
- Port based membership: Membership is determined by the port on the switch and not by the host.

Dynamic VLAN Assignment
- Membership is determined by the host's MAC address. Administrator has to create a database with MAC addresses and VLAN mappings.

Page 10: Bypass a VPN,  ACL, and VLAN

VLAN Communication

• VLANs cannot communicate with each other even when they exist on the same switch
• For VLANs to communicate they must pass through a router
• Each VLAN is required to have at least one gateway to route packets in and out of the network

Page 11: Bypass a VPN,  ACL, and VLAN

VLAN Trunking

• Trunking allows us to cascade multiple switches using the trunk ports to interconnect them
• Trunk ports act as a dedicated path for each VLAN between switches
• The trunk port is a member of all configured VLANs

Page 12: Bypass a VPN,  ACL, and VLAN

VLAN Tagging

Two dominant tagging technologies:
- Inter Switch Link (ISL) (Cisco Proprietary Technology)
- IEEE 802.1q (Industry Adopted Standard)

Page 13: Bypass a VPN,  ACL, and VLAN

VLAN Network Setup

Page 14: Bypass a VPN,  ACL, and VLAN

Access Control List

Router ACLs:

Standard IP access list ADMIN
    10 permit 192.168.0.0, wildcard bits 0.0.151.255
    20 permit 57.35.0.0, wildcard bits 0.0.159.255
    30 deny any log
Extended IP access list ACCT
    10 permit icmp any any echo-reply
    20 deny ip 10.1.10.0 0.0.0.255 192.168.0.0 0.0.151.255
    30 permit ip 57.35.0.0 0.0.159.255 192.168.0.0 0.0.151.255
    40 deny ip any any log
Extended IP access list IT
    10 permit icmp any any echo-reply (24 matches)
    90 deny ip 10.1.10.0 0.0.0.255 57.35.0.0 0.0.159.255
    100 deny ip 192.168.0.0 0.0.151.255 57.35.0.0 0.0.159.255
    110 deny ip any any log
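
The wildcard masks in these lists (0.0.151.255 and 0.0.159.255) are not inverted subnet masks, so the set of addresses each entry covers is easy to misjudge when auditing. The following is an added example, not part of the original slides: it applies Cisco wildcard semantics and first-match evaluation to the "ip" entries of list ACCT. The function names and the test addresses are constructed for illustration.

```python
import ipaddress

def to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def matches(addr, base, wildcard):
    # Cisco wildcard: a 1 bit means "ignore this bit", a 0 bit must equal base.
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(addr) & care) == (to_int(base) & care)

def is_contiguous(wildcard):
    # An inverted subnet mask has the form 0...01...1, so w & (w + 1) == 0.
    w = to_int(wildcard)
    return w & (w + 1) == 0

def matched_third_octets(base, wildcard):
    # Which /24s under base's first two octets does the entry cover?
    prefix = ".".join(base.split(".")[:2])
    return [o for o in range(256) if matches(f"{prefix}.{o}.1", base, wildcard)]

# Extended list ACCT from the slide: (action, src, src_wc, dst, dst_wc).
# The echo-reply entry (seq 10) is omitted; only the "ip" entries are modelled.
ANY = ("0.0.0.0", "255.255.255.255")
ACCT = [
    ("deny",   "10.1.10.0", "0.0.0.255",   "192.168.0.0", "0.0.151.255"),
    ("permit", "57.35.0.0", "0.0.159.255", "192.168.0.0", "0.0.151.255"),
    ("deny",   *ANY, *ANY),
]

def evaluate(acl, src, dst):
    # First matching entry wins, as in IOS.
    for action, s, swc, d, dwc in acl:
        if matches(src, s, swc) and matches(dst, d, dwc):
            return action
    return "deny"  # implicit deny at the end of every list

if __name__ == "__main__":
    print(is_contiguous("0.0.151.255"),
          matched_third_octets("192.168.0.0", "0.0.151.255"))
    # Constructed test addresses, not taken from the slides.
    for src, dst in [("57.35.144.9", "192.168.128.5"), ("57.35.32.9", "192.168.1.5")]:
        print(src, "->", dst, evaluate(ACCT, src, dst))
```

The entry 192.168.0.0 0.0.151.255 covers 32 separate /24 networks (third octets 0-7, 16-23, 128-135 and 144-151), not one contiguous range.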

Page 15: Bypass a VPN,  ACL, and VLAN

ACL Demonstration

Page 16: Bypass a VPN,  ACL, and VLAN

Switch Default Configuration

• Dynamic Trunking Protocol (DTP) automates ISL/802.1q trunk configurations
• DTP States:
  - On: "I want to be a trunk and I don't care what you think!" State used when the other switch does not understand DTP.
  - Off: "I don't want to be a trunk and I don't care what you think!" State used when the configured port is not intended to be a trunk port.
  - Desirable: "I'm willing to become a VLAN trunk; are you interested?" State used when the switch is interested in being a trunk.
  - Auto: "I'm willing to go with whatever you want!" This is the default on many switches.
  - Non-Negotiate: "I want to trunk, and this is what kind of trunk I will be!"
• Native VLAN set to VLAN 1

Page 17: Bypass a VPN,  ACL, and VLAN

VLAN Hopping Attacks

• These attacks are designed to allow the attacker to bypass the Layer 3 device
• The attack takes advantage of incorrectly configured trunk ports on network switches

Page 18: Bypass a VPN,  ACL, and VLAN

VLAN Hopping Attacks

Basic VLAN Hopping Attack
1. Attacker fools switch into thinking that he is a switch that needs trunking
2. The attack needs a trunking favorable setting such as Auto to succeed
3. The attacker is now a member of all trunked VLANs on the switch and he can send and receive data on those VLANs
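
Because the basic attack depends on a port left in a trunking-favorable DTP state, a switch audit can flag those ports before they are abused. The following is an added example, not part of the original slides: it checks for the defaults listed under "Switch Default Configuration". The sample text is constructed in the layout of Cisco IOS `show interfaces switchport` output, and the port names and the function name are assumptions.

```python
import re

# Constructed sample laid out like Cisco IOS `show interfaces switchport` output.
SAMPLE = """\
Name: Fa0/1
Administrative Mode: dynamic auto
Negotiation of Trunking: On
Trunking Native Mode VLAN: 1 (default)

Name: Fa0/2
Administrative Mode: static access
Negotiation of Trunking: Off
Trunking Native Mode VLAN: 1 (default)

Name: Fa0/24
Administrative Mode: trunk
Negotiation of Trunking: On
Trunking Native Mode VLAN: 1 (default)
"""

def audit(text):
    """Map each port to the default or trunk-friendly settings still in place."""
    report = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        f = dict(l.split(": ", 1) for l in block.splitlines() if ": " in l)
        mode = f.get("Administrative Mode", "")
        findings = []
        if mode.startswith("dynamic"):       # DTP Auto / Desirable
            findings.append(f"mode '{mode}' lets the peer negotiate a trunk")
        if f.get("Negotiation of Trunking") == "On":
            findings.append("DTP negotiation is enabled")
        native = f.get("Trunking Native Mode VLAN", "").split()[:1]
        if mode != "static access" and native == ["1"]:
            findings.append("native VLAN is still the default VLAN 1")
        if findings:
            report[f.get("Name", "?")] = findings
    return report

if __name__ == "__main__":
    for port, findings in audit(SAMPLE).items():
        for finding in findings:
            print(f"{port}: {finding}")
```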

Page 19: Bypass a VPN,  ACL, and VLAN

VLAN Hopping Attacks

Double Encapsulated VLAN Hopping Attack
1. Switches perform only one level of IEEE 802.1q decapsulation
2. This allows the attacker to specify a .1q tag inside the frame, allowing the frame to go to a VLAN that the outer tag did not specify.
3. This attack works even if Trunk ports are set to OFF

Page 20: Bypass a VPN,  ACL, and VLAN

Identification of VLAN Tags Using Ethereal

VLAN Tag

81 00 0n nn
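
The "81 00 0n nn" pattern above is the 802.1Q tag: the 0x8100 type field followed by a 16-bit field whose low 12 bits are the VLAN ID. The following is an added example, not part of the original slides: it walks the tags in a captured frame and flags stacked tags, which an access port should never receive. The sample frames are constructed hex strings and the function names are assumptions.

```python
import struct

TPID_8021Q = 0x8100  # the "81 00" bytes shown on the slide

def vlan_tags(frame: bytes):
    """Return (priority, vlan_id) for each 802.1Q tag stacked after the MACs."""
    tags, off = [], 12                       # skip destination + source MAC
    while len(frame) >= off + 4:
        tpid, tci = struct.unpack_from("!HH", frame, off)
        if tpid != TPID_8021Q:
            break
        tags.append((tci >> 13, tci & 0x0FFF))  # 3-bit priority, 12-bit VLAN ID
        off += 4
    return tags

def classify(frame: bytes) -> str:
    """Label a frame captured on an access port by its tag depth."""
    if len(frame) < 14:
        return "truncated"
    vids = [vid for _, vid in vlan_tags(frame)]
    if not vids:
        return "untagged"
    if len(vids) == 1:
        return f"tagged vlan={vids[0]}"
    return f"ALERT stacked tags outer={vids[0]} inner={vids[1]}"

# Constructed sample frames (hex): zeroed MACs, then tags, then EtherType 0x0800.
MACS = "00" * 12
SAMPLES = {
    "plain":  MACS + "0800" + "45" * 4,
    "single": MACS + "8100000a" + "0800" + "45" * 4,
    "double": MACS + "81000001" + "81000014" + "0800" + "45" * 4,
    "short":  "00" * 10,
}

def scan(samples=SAMPLES):
    return {name: classify(bytes.fromhex(h)) for name, h in samples.items()}

if __name__ == "__main__":
    for name, verdict in scan().items():
        print(f"{name:7} {verdict}")
```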

Page 21: Bypass a VPN,  ACL, and VLAN

VLAN Hopping Attack Using Tcpreplay

Page 22: Bypass a VPN,  ACL, and VLAN
Page 23: Bypass a VPN,  ACL, and VLAN
Page 24: Bypass a VPN,  ACL, and VLAN
Page 25: Bypass a VPN,  ACL, and VLAN