Penetration Testing mailing list archives

RE: Anonymous access to Voice VLAN using CDP
From: "Wence Van der Meersch" <wence.vandermeersch () ascure com>
Date: Tue, 25 Jul 2006 15:16:15 +0200

Actually you configure the voice vlan on the switch, and when the phone
boots up it will talk CDP to the switch asking what's the voice VLAN,
and after receiving this information from the switch the phone will send
its own traffic tagged with this vlan id, while sending out the traffic
received through the pc port untagged.

Something you can try is to connect a hub (no switch obviously) between
the phone and the catalyst switch (if you're not using PoE, else put a
PoE extractor between the hub and the switch, and supply the phone with
the power lead from the extractor) and connecting a PC to this hub. Then
let the phone discuss the vlan details with the switch while you are
sniffing the whole conversation and when the phone starts sending tagged
traffic you can try sending traffic with this vlan tag from your PC
(which, of course, has dot1q support enabled). I'm not sure if the switch
will filter incoming tagged traffic on MAC address (as it should, to
prevent this from happening and allowing only tagged traffic originating
from the phone) so you can try disconnecting the phone, cloning its MAC
address and sending the tagged traffic, making it seem to the switch
that you are the phone.

Anyway this is purely an educated guess. I use Cisco phones and switches
at home so I'll investigate this a bit further in the next few days.
Maybe I'll even write a tool for all this.

Wence Van der Meersch
Information Security Consultant, CISSP
Ascure NV

e-mail  wence.vandermeersch () ascure com
Web     http://www.ascure.com/

 

-----Original Message-----
From: jpecou () gmail com [mailto:jpecou () gmail com] 
Sent: Friday 21 July 2006 18:57
To: pen-test () securityfocus com
Subject: Anonymous access to Voice VLAN using CDP

Hey guys .. I will try to make this short and sweet. At my 
job we are looking to implement a VOIP infrastructure. A 
typical infrastructure with voice and data usually will have 
both voice and data on a separate VLAN. The phone will then 
plug into the ethernet port and the PC plug into the phone. 
(Basically the phone becomes a trunk port for the PC.) I have 
read that the way the phone gets placed on the voice VLAN is 
through CDP. Apparently upon connecting to the switch the 
phone sends a CDP packet identifying itself and then gets 
placed on the Voice VLAN. I would love to attempt to put a PC 
on our voice VLAN. I know that yersinia has options for 
crafting CDP packets. Has anyone accomplished this and could 
someone give me a brief explanation of how I could do this? 



Thanks!
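
A defender-side check for the condition this thread discusses, added here as an example and not part of either post: it parses 802.1Q tags from frames captured on one access port and reports which source MACs send traffic tagged with the voice VLAN. The MAC addresses, VLAN ID 110, the sample frames and all function names are constructed assumptions.

```python
import struct
from collections import Counter

TPID_8021Q = 0x8100                      # EtherType value that marks an 802.1Q tag
PHONE_MAC = "00:00:5e:00:53:01"          # constructed sample address
PC_MAC = "00:00:5e:00:53:aa"             # constructed sample address
VOICE_VLAN = 110                         # assumed voice VLAN ID


def build_frame(src_mac, vlan=None, priority=0):
    """Build a constructed sample Ethernet frame, optionally 802.1Q-tagged."""
    header = bytes.fromhex("ffffffffffff") + bytes.fromhex(src_mac.replace(":", ""))
    if vlan is not None:
        header += struct.pack("!HH", TPID_8021Q, (priority << 13) | vlan)
    return header + struct.pack("!H", 0x0800) + b"\x00" * 46


def parse_vlan(frame):
    """Return (source MAC, VLAN ID); VLAN ID is None for untagged frames."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    src = frame[6:12].hex(":")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != TPID_8021Q:
        return src, None
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    (tci,) = struct.unpack("!H", frame[14:16])
    return src, tci & 0x0FFF             # low 12 bits of the TCI hold the VLAN ID


def audit_port(frames, voice_vlan, phone_macs):
    """Count voice-VLAN tagged frames per source MAC seen on one access port."""
    senders = Counter()
    for frame in frames:
        src, vid = parse_vlan(frame)
        if vid == voice_vlan:
            senders[src] += 1
    unknown = sorted(mac for mac in senders if mac not in phone_macs)
    return {"senders": dict(senders), "unknown": unknown,
            "multiple_senders": len(senders) > 1}


# Constructed capture: phone tagged, PC untagged, then PC tagged into the voice VLAN.
SAMPLE_FRAMES = [build_frame(PHONE_MAC, VOICE_VLAN, 5), build_frame(PC_MAC),
                 build_frame(PC_MAC, VOICE_VLAN), build_frame(PHONE_MAC, VOICE_VLAN, 5)]

if __name__ == "__main__":
    print(audit_port(SAMPLE_FRAMES, VOICE_VLAN, {PHONE_MAC}))
```

A sender that clones the phone's MAC, as the reply above considers, would not appear in `unknown`, so this check complements switch-side filtering rather than replacing it.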

