Bypass a VPN, ACL, and VLAN
ECE 4112
Alaric Craig and Pritesh Patel

Outline
- Goal
- Method
- How
- Sub 7
- In our case
- VPN Bypassed
- VLANs
- VLAN Membership
- VLAN Communication
- VLAN Trunking
- VLAN Tagging
- VLAN Network Setup
- Access Control List
- ACL Demonstration
- Switch Default Configuration
- VLAN Hopping Attacks
- Identification of VLAN Tags Using Ethereal
- VLAN Hopping Attack Using Tcpreplay

Goal
- Bypass three layers of security:
  - VPN
  - Router ACLs
  - VLAN
- Effectively, an outsider could bring an internal network down with a DoS.

Method
- Exploit an authenticated remote machine.
- Use the established VPN tunnel.
- Send traffic that bypasses router ACLs and crosses VLANs.

How
- Use Sub7 to create a backdoor to the remote machine.
- From the remote machine, use the existing VPN tunnel to communicate inside the network.
- Now that we have access, perform the VLAN hopping attack.

Sub 7
- Trojan horse used to gain root-level access
- Many fun modules:
  - Keylogging
  - Enable telnet and ftp
  - Tic tac toe
  - Realistic Matrix

In our case

VPN Bypassed
- Once into the remote machine, telnet to the VLAN 1 machine and send VLAN hopping traffic.
- VPNs used: Cisco VPN concentrator and OpenVPN. Once the connection is set up, the prompt can be used to send traffic to the internal machine.

VLANs
- Virtual Local Area Networks
- A logical grouping of devices or users
- Users can be grouped by function, department, or application, regardless of physical segment location
- VLAN configuration is done at the switch (Layer 2)

VLAN Membership
- Static VLAN assignment
  - Port-based membership: membership is determined by the port on the switch and not by the host.
- Dynamic VLAN assignment
  - Membership is determined by the host's MAC address. The administrator has to create a database with MAC addresses and VLAN mappings.

VLAN Communication
- VLANs cannot communicate with each other even when they exist on the same switch
- For VLANs to communicate they must pass through a router
- Each VLAN is required to have at least one gateway to route packets in and out of the network

VLAN Trunking
- Trunking allows us to cascade multiple switches, using the trunk ports to interconnect them
- Trunk ports act as a dedicated path for each VLAN between switches
- The trunk port is a member of all configured VLANs

VLAN Tagging
- Two dominant tagging technologies:
  - Inter-Switch Link (ISL) (Cisco proprietary technology)
  - IEEE 802.1Q (industry-adopted standard)

VLAN Network Setup

Access Control List
Router ACLs:

Standard IP access list ADMIN
    10 permit 192.168.0.0, wildcard bits 0.0.151.255
    20 permit 57.35.0.0, wildcard bits 0.0.159.255
    30 deny any log
Extended IP access list ACCT
    10 permit icmp any any echo-reply
    20 deny ip 10.1.10.0 0.0.0.255 192.168.0.0 0.0.151.255
    30 permit ip 57.35.0.0 0.0.159.255 192.168.0.0 0.0.151.255
    40 deny ip any any log
Extended IP access list IT
    10 permit icmp any any echo-reply (24 matches)
    90 deny ip 10.1.10.0 0.0.0.255 57.35.0.0 0.0.159.255
    100 deny ip 192.168.0.0 0.0.151.255 57.35.0.0 0.0.159.255
    110 deny ip any any log

ACL Demonstration

Switch Default Configuration
Dynamic Trunking Protocol (DTP) automates ISL/802.1Q trunk configuration.
DTP states:
- On: "I want to be a trunk and I don't care what you think!" State used when the other switch does not understand DTP.
- Off: "I don't want to be a trunk and I don't care what you think!" State used when the configured port is not intended to be a trunk port.
- Desirable: "I'm willing to become a VLAN trunk; are you
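The 802.1Q tag format named on the VLAN Tagging slide, and the tag identification the later slides do with Ethereal, as an added example that is not part of the original deck: a small Python parser that peels stacked 802.1Q/802.1ad tags off a raw Ethernet frame and flags frames whose tag stack does not fit the switch port they were seen on. The sample frames are constructed hex, not captured traffic, and ISL encapsulation is not handled.

```python
import struct
from dataclasses import dataclass, field
from typing import List, Optional

TPID_8021Q = 0x8100   # IEEE 802.1Q customer VLAN tag
TPID_8021AD = 0x88A8  # IEEE 802.1ad service tag (same TCI layout, stacked outside a Q tag)


@dataclass
class Frame:
    dst: str
    src: str
    tags: List[dict] = field(default_factory=list)  # outermost tag first
    ethertype: int = 0                               # EtherType after the last tag
    payload: bytes = b""


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_ethernet(frame: bytes) -> Frame:
    """Walk the header, peeling every 802.1Q/802.1ad tag until a real EtherType."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    f = Frame(dst=_mac(frame[0:6]), src=_mac(frame[6:12]))
    off = 12
    while True:
        if off + 2 > len(frame):
            raise ValueError("frame truncated inside the header")
        (etype,) = struct.unpack_from("!H", frame, off)
        if etype not in (TPID_8021Q, TPID_8021AD):
            break
        if off + 4 > len(frame):
            raise ValueError("frame truncated inside a VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, off + 2)
        # TCI: 3-bit priority (PCP), 1-bit drop eligible (DEI), 12-bit VLAN id
        f.tags.append({"tpid": etype, "pcp": tci >> 13,
                       "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF})
        off += 4
    f.ethertype = etype
    f.payload = frame[off + 2:]
    return f


def tag_alert(frame: bytes, port_mode: str) -> Optional[str]:
    """Explain why a frame is out of place for the switch port it was seen on.

    VID 0 is a priority-only tag and is legitimate on access ports, so it is
    not counted; everything else is judged against the port's configured role.
    """
    f = parse_ethernet(frame)
    vids = [t["vid"] for t in f.tags if t["vid"] != 0]
    if port_mode == "access" and vids:
        return f"tagged frame on access port, VIDs {vids}"
    if len(vids) > 1:
        return f"stacked VLAN tags {vids} (outer to inner)"
    return None


# Constructed sample frames (hex, not captured traffic): broadcast destination,
# a made-up source MAC, then the tag stack and a 4-byte dummy payload.
_HDR = "ffffffffffff 001122334455"
UNTAGGED = bytes.fromhex(_HDR + " 0806 deadbeef")                          # plain ARP
PRIORITY_TAGGED = bytes.fromhex(_HDR + " 8100 a000 0800 deadbeef")         # PCP 5, VID 0
SINGLE_TAGGED = bytes.fromhex(_HDR + " 8100 a00a 0800 deadbeef")           # PCP 5, VID 10
DOUBLE_TAGGED = bytes.fromhex(_HDR + " 8100 0001 8100 0014 0800 deadbeef")  # VID 1 over VID 20
QINQ = bytes.fromhex(_HDR + " 88a8 0064 8100 0014 0800 deadbeef")          # S-tag 100, C-tag 20

if __name__ == "__main__":
    for name, fr in [("untagged", UNTAGGED), ("single", SINGLE_TAGGED), ("double", DOUBLE_TAGGED)]:
        print(name, [t["vid"] for t in parse_ethernet(fr).tags], tag_alert(fr, "access"))
```

The parser reports the whole tag stack rather than just the first tag, which is the detail an analyst needs when reviewing a capture from a mirrored port: a single tag on a trunk is normal, while a tag on an access port or more than one tag on an ordinary 802.1Q trunk is worth an alert.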
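The router ACLs from the Access Control List slide, evaluated in code, as an added example that is not from the deck: a parser for the IOS show-output format on the slide and a first-match evaluator that applies the wildcard masks bitwise, as a router does. The detail worth checking is the non-contiguous mask 0.0.151.255, which does not describe a contiguous block of 192.168.x.0/24 networks: any third octet with bit 64, 32 or 8 set falls through to the explicit deny.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# ACL listing as printed on the slides; "(24 matches)" is a hit counter from
# the router's show output and is stripped by the parser.
ACL_TEXT = """
Standard IP access list ADMIN
    10 permit 192.168.0.0, wildcard bits 0.0.151.255
    20 permit 57.35.0.0, wildcard bits 0.0.159.255
    30 deny any log
Extended IP access list ACCT
    10 permit icmp any any echo-reply
    20 deny ip 10.1.10.0 0.0.0.255 192.168.0.0 0.0.151.255
    30 permit ip 57.35.0.0 0.0.159.255 192.168.0.0 0.0.151.255
    40 deny ip any any log
Extended IP access list IT
    10 permit icmp any any echo-reply (24 matches)
    90 deny ip 10.1.10.0 0.0.0.255 57.35.0.0 0.0.159.255
    100 deny ip 192.168.0.0 0.0.151.255 57.35.0.0 0.0.159.255
    110 deny ip any any log
"""

AddrSpec = Optional[Tuple[str, str]]  # (network, wildcard); None means "any"


@dataclass
class Entry:
    seq: int
    action: str               # "permit" or "deny"
    proto: str                # "ip" matches every IP protocol
    src: AddrSpec
    dst: AddrSpec             # None for a standard list
    icmp_type: Optional[str]
    log: bool


@dataclass
class Acl:
    name: str
    kind: str                 # "Standard" or "Extended"
    entries: List[Entry] = field(default_factory=list)


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard test, done bitwise: every 0 bit in the wildcard must match.
    This is what makes a non-contiguous mask such as 0.0.151.255 meaningful."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (a & care) == (n & care)


def _take_addr(tok: List[str]) -> Tuple[AddrSpec, List[str]]:
    """Consume one address spec: any | A, wildcard bits W | A W."""
    if tok[0] == "any":
        return None, tok[1:]
    if tok[1:3] == ["wildcard", "bits"]:
        return (tok[0], tok[3]), tok[4:]
    return (tok[0], tok[1]), tok[2:]


def parse_acls(text: str) -> Dict[str, Acl]:
    acls: Dict[str, Acl] = {}
    current = None
    for raw in text.splitlines():
        line = re.sub(r"\s*\(\d+ matches\)", "", raw.strip())
        if not line:
            continue
        head = re.match(r"(Standard|Extended) IP access list (\S+)", line)
        if head:
            current = acls[head.group(2)] = Acl(head.group(2), head.group(1))
            continue
        tok = line.replace(",", "").split()
        log = tok[-1] == "log"
        tok = tok[:-1] if log else tok
        seq, action, rest = int(tok[0]), tok[1], tok[2:]
        if current.kind == "Standard":
            proto, dst, icmp_type = "ip", None, None
            src, rest = _take_addr(rest)
        else:
            proto, rest = rest[0], rest[1:]
            src, rest = _take_addr(rest)
            dst, rest = _take_addr(rest)
            icmp_type = rest[0] if proto == "icmp" and rest else None
        current.entries.append(Entry(seq, action, proto, src, dst, icmp_type, log))
    return acls


def evaluate(acl: Acl, src: str, dst: str = "0.0.0.0", proto: str = "ip",
             icmp_type: Optional[str] = None) -> Tuple[str, Optional[int]]:
    """First matching entry wins; a packet that matches nothing hits the
    implicit deny that ends every IOS ACL (returned with sequence None)."""
    for e in acl.entries:
        ok = (e.proto in ("ip", proto)
              and (e.src is None or wildcard_match(src, *e.src))
              and (e.dst is None or wildcard_match(dst, *e.dst))
              and (e.icmp_type is None or e.icmp_type == icmp_type))
        if ok:
            return e.action, e.seq
    return "deny", None


ACLS = parse_acls(ACL_TEXT)
```

Running `evaluate(ACLS["ADMIN"], "192.168.1.5")` gives `('permit', 10)` while `evaluate(ACLS["ADMIN"], "192.168.10.5")` gives `('deny', 30)`, because the mask leaves bit 8 of the third octet significant. The same evaluator shows that the ACCT and IT lists let ICMP echo-reply through from anywhere before their deny entries, which is the kind of thing a reviewer wants a test for rather than a reading of the listing.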
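For the Switch Default Configuration slide, as an added example that is not the deck's own material: a Python audit of an IOS-style running-config that reports ports left in a DTP negotiating mode and trunks that still send DTP, and goes a little beyond the slide by also checking the native and allowed VLANs on each trunk. The config excerpt is constructed, and the default administrative mode assumed for ports with no `switchport mode` line is an assumption labelled in the code.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed running-config excerpt (not the lab switch from the slides).
RUNNING_CONFIG = """
interface FastEthernet0/1
 switchport mode dynamic desirable
!
interface FastEthernet0/2
 switchport access vlan 10
!
interface FastEthernet0/3
 switchport mode access
 switchport access vlan 20
 switchport nonegotiate
!
interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet0/2
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20
 switchport mode trunk
 switchport nonegotiate
!
"""

# Assumed administrative mode for a port with no "switchport mode" line. It is
# platform dependent (dynamic desirable on older Catalyst images, dynamic auto
# on newer ones); confirm on real hardware with "show interfaces switchport".
DEFAULT_MODE = "dynamic desirable"


@dataclass
class Port:
    name: str
    lines: List[str] = field(default_factory=list)

    def setting(self, prefix: str) -> Optional[str]:
        """Value after a config keyword, e.g. setting("switchport mode") -> "trunk".
        A keyword present with no value (switchport nonegotiate) returns ""."""
        for line in self.lines:
            if line == prefix or line.startswith(prefix + " "):
                return line[len(prefix):].strip()
        return None


def parse_interfaces(config: str) -> Dict[str, Port]:
    ports: Dict[str, Port] = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            name = raw.split(None, 1)[1]
            current = ports[name] = Port(name)
        elif raw.startswith(" ") and current is not None:
            current.lines.append(raw.strip())
        else:
            current = None   # "!" or any non-indented line ends the block
    return ports


def audit_port(port: Port, default_mode: str = DEFAULT_MODE) -> List[str]:
    findings = []
    mode = port.setting("switchport mode") or default_mode
    negotiates = port.setting("switchport nonegotiate") is None
    if mode.startswith("dynamic"):
        findings.append(f"DTP mode '{mode}': the neighbour can negotiate this port into a "
                        "trunk; set 'switchport mode access' (or 'trunk') plus 'switchport nonegotiate'")
    elif mode == "trunk" and negotiates:
        findings.append("trunk still sends DTP frames; add 'switchport nonegotiate'")
    if mode == "trunk":
        if (port.setting("switchport trunk native vlan") or "1") == "1":
            findings.append("native VLAN is 1; move untagged trunk traffic to an unused VLAN")
        if port.setting("switchport trunk allowed vlan") is None:
            findings.append("trunk carries every VLAN; prune with 'switchport trunk allowed vlan'")
    return findings


def audit(config: str) -> Dict[str, List[str]]:
    return {name: audit_port(p) for name, p in parse_interfaces(config).items()}


if __name__ == "__main__":
    for name, findings in audit(RUNNING_CONFIG).items():
        print(name, "OK" if not findings else "")
        for finding in findings:
            print("   -", finding)
```

FastEthernet0/2 is the instructive case: it has an access VLAN assigned but no `switchport mode access`, so it is still in the platform's default DTP mode and is reported exactly like the port that was explicitly set to dynamic desirable. Only FastEthernet0/3 and GigabitEthernet0/2, which pin the mode and disable negotiation, come back clean.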