Penetration Testing mailing list archives

Re: Locating switches in a multi-layer switching environment
From: "Jon R. Kibler" <Jon.Kibler () aset com>
Date: Wed, 21 Mar 2007 17:14:33 +0000

Okay, let me draw a picture... pardon the ASCII art!

                        +------+
                        | core | Located in Client's
                        |switch| Main Computer Room
                        +------+
                         /  |  \
                        /   |   \
                       /    |    \
                 +------+       +------+
                 | site |  ...  | site | Aggregate Switch,
                 |switch|       |switch| One per Building
                 +------+       +------+
                  /  |  \        /  |  \
                 /   |   \      /   |   \
                /    |    \    /    |    \
       +--------+                       +--------+
       |facility|                       |facility| Building Aggregate Switch,
       | switch |   ...  ... ...   ...  | switch | One per Floor per Building
       +--------+                       +--------+
         /  |  \                          /  |  \
        /   |   \                        /   |   \
       /    |    \                      /    |    \
+------+                                        +------+ Optional Department
| dept |   ...   ...                  ...   ... | dept | Switch, Possibly One
|switch|                                        |switch| or More per Department
+------+                                        +------+ per Floor per Building
  / | \                                           / | \
 /  |  \                                         /  |  \
      +---+                                   +---+
      |PC |                                   |PC |   Multiple Computers,
      | A |                                   | B |   Printers, etc.
      +---+                                   +---+


Client is running a mixture of switches. Most switches "above" the department level are Cisco. Most department level 
switches are HP.

If PC "A" were to ping PC "B", then PC "B" would appear to be only one hop away from "A" ("A" and "B" are both on the 
same VLAN). Since this is a switched network, everything is only one hop away, regardless of the number of intermediate switches.

CDP is turned off.

Cannot trunk -- Switches are configured statically for "access" only and will shut down the port if trunking is 
attempted.

BPDU guard and filter are turned on for each port.

MAC addresses are statically assigned to each port. (Thus, all MAC and ARP attacks result in the port being shut down.)

SNMP is enabled, but is only visible on the management VLAN.

The objectives of this pen-test are:
   a) Discover the location (hierarchy and trunking connections) of every switch in the network.
   b) Discover the management VLAN.
   c) Access a VLAN other than the VLAN assigned to that port (VLAN hop).
   d) Access a switch's management functions.
   e) Sniff SNMP traffic.

Quite frankly, everything I have tried (short of social engineering) has resulted in the port I am assigned being shut 
down.

I am beginning to conclude the architecture the client has deployed is VERY resilient to attack from an insider.

Thoughts? Suggestions?

THANKS!
Jon Kibler

Domain Admin wrote:
What do you mean map the location of a switch?
VLANs typically have access to all other VLANs via VLAN trunking. What manufacturer of switch are you working with? If you have access to a VLAN, is CDP or a routing protocol running? You could nmap the entire subnet and use traceroute to find out the hop count and network path to the hosts you find in nmap. There are many ways to do what you want to do. Look here: http://insecure.org/presentations/Shmoo06/shmoo-fyodor-011406.pdf

On 3/17/07, Jon R. Kibler <Jon.Kibler () aset com> wrote:

    Hi,

    A network recon question: When pen testing an environment that
    deploys multi-layer switching, how can one reliably map the network
    and the relative location of all of the switches?

    Add to this VLANS... How can you map VLANs that are on the network,
    especially if your access is but on one VLAN, and that VLAN is
    different than the switch management VLAN?

    Thoughts, tools, tricks, white papers, etc. appreciated.

    THANKS!
    Jon Kibler
    --
    Jon R. Kibler
    Chief Technical Officer
    Advanced Systems Engineering Technology, Inc.
    Charleston, SC  USA
    (843) 849-8214


--
Jon R. Kibler
Chief Technical Officer
Advanced Systems Engineering Technology, Inc.
Charleston, SC  USA
(843) 849-8214
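Jon's reply above lists the per-port controls that kept shutting his port down: static access mode, no trunk negotiation, statically assigned MAC with port security, BPDU guard and CDP off. As an added example (not code from the thread or any of its participants), here is a small Python audit that parses an IOS-style configuration and reports which of those controls are missing on each non-trunk interface, so a defender can confirm the hardening is applied uniformly. The sample configuration, interface names and MAC address are constructed assumptions.

```python
# Audit an IOS-style config for the access-port controls the thread describes
# (static access mode, no trunk negotiation, static-MAC port security, BPDU
# guard, CDP off). Config, interface names and MAC are constructed examples.
import re
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport mode access
 switchport nonegotiate
 switchport port-security
 switchport port-security mac-address 0011.2233.4455
 spanning-tree bpduguard enable
 no cdp enable
!
interface GigabitEthernet1/0/2
 switchport mode dynamic desirable
!
interface GigabitEthernet1/0/24
 switchport mode trunk
!
"""
# One regex per required control, matched against each interface's own lines.
REQUIRED = {
    "static access mode": r"^switchport mode access$",
    "trunk negotiation disabled": r"^switchport nonegotiate$",
    "port security enabled": r"^switchport port-security$",
    "static MAC on port": r"^switchport port-security mac-address ",
    "BPDU guard": r"^spanning-tree bpduguard enable$",
    "CDP disabled": r"^no cdp enable$",
}
def parse_interfaces(config):
    """Return {interface name: [its indented config lines]}."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(" ", 1)[1].strip()
            interfaces[current] = []
        elif current is not None and raw.startswith(" "):
            interfaces[current].append(raw.strip())
        else:
            current = None  # '!' or any top-level line ends the block
    return interfaces
def audit_access_ports(config):
    """Return {interface: [missing controls]}, skipping declared trunks."""
    findings = {}
    for name, lines in parse_interfaces(config).items():
        if "switchport mode trunk" in lines:
            continue  # uplinks are expected to trunk; not audited here
        findings[name] = [ctrl for ctrl, pat in REQUIRED.items()
                          if not any(re.match(pat, l) for l in lines)]
    return findings
```

Running `audit_access_ports(SAMPLE_CONFIG)` flags GigabitEthernet1/0/2 for every control and reports the fully hardened GigabitEthernet1/0/1 as clean.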