Penetration Testing mailing list archives

Re: Locating switches in a multi-layer switching environment
From: "Ivan ." <ivanhec () gmail com>
Date: Sat, 24 Mar 2007 14:28:59 +1100

Hi Jon,

Have you looked upstream, at the possible exploitation of a router,
which you can use to hop back onto a switch?

These may assist:

EIGRP Tools

Cisco torch

http://www.hackingciscoexposed.com/?link=tools

Sounds like you're doing this onsite. If so, what about physical
exploitation of a PC that belongs to comms admins?

I am beginning to conclude the architecture the client has deployed
is VERY resilient to attack from an insider.

This assertion would only be the case if you are limited to sitting
behind the floor switch in the one VLAN.
What about wireless? What about trying to compromise the DHCP server
that is serving you an IP (I'm assuming).
You could spend your time trying to discover some IP ranges that the
servers live in, then trying to locate a SYSLOG server that the comms
devices are pointed to.

I guess it just depends on what sort of time frame you have for this
gig. I would look for the less obvious way in or at least get a few of
your a-e objectives.

cheers
Ivan

On 3/22/07, Jon R. Kibler <Jon.Kibler () aset com> wrote:
Okay, let me draw a picture... pardon the ASCII art!

                         +------+
                         | core | Located in Client's
                         |switch| Main Computer Room
                         +------+
                          /  |  \
                         /   |   \
                        /    |    \
                  +------+       +------+
                  | site |  ...  | site | Aggregate Switch,
                  |switch|       |switch| One per Building
                  +------+       +------+
                   /  |  \        /  |  \
                  /   |   \      /   |   \
                 /    |    \    /    |    \
        +--------+                       +--------+
        |facility|                       |facility| Building Aggregate Switch,
        | switch |   ...  ... ...   ...  | switch | One per Floor per Building
        +--------+                       +--------+
          /  |  \                          /  |  \
         /   |   \                        /   |   \
        /    |    \                      /    |    \
+------+                                        +------+ Optional Department
| dept |   ...   ...                  ...   ... | dept | Switch, Possibly One
|switch|                                        |switch| or More per Department
+------+                                        +------+ per Floor per Building
   / | \                                           / | \
  /  |  \                                         /  |  \
       +---+                                   +---+
       |PC |                                   |PC |   Multiple Computers,
       | A |                                   | B |   Printers, etc.
       +---+                                   +---+


Client is running a mixture of switches. Most switches "above" the department level are Cisco. Most department level 
switches are HP.

If PC "A" were to ping PC "B", then PC "B" would appear to be only one hop away from "A" ("A" and "B" both are on the 
same VLAN). Since this is a switched network, everything is only one hop away, regardless of the number of intermediate switches.

CDP is turned off.

Cannot trunk -- Switches are configured statically for "access" only and will shut down the port if trunking is 
attempted.

BPDU guard and filter are turned on for each port.

MAC addresses are statically assigned to each port. (Thus, all MAC and ARP attacks result in the port being shut down.)

SNMP is enabled, but is only visible on the management VLAN.

The objectives of this pen-test are:
    a) Discover the location (hierarchy and trunking connections) of every switch in the network.
    b) Discover the management VLAN.
    c) Access a VLAN other than the VLAN assigned to that port (VLAN hop).
    d) Access a switch's management functions.
    e) Sniff SNMP traffic.

Quite frankly, everything I have tried (short of social engineering) has resulted in the port I am assigned being shut 
down.

I am beginning to conclude the architecture the client has deployed is VERY resilient to attack from an insider.

Thoughts? Suggestions?

THANKS!
Jon Kibler

Domain Admin wrote:
> What do you mean map the location of a switch?
>
> VLANs typically have access to all other VLANs via VLAN trunking. What
> manufacturer of switch are you working with?
>
> If you have access to a VLAN, is CDP or a routing protocol running?
>
> You could nmap the entire subnet and use trace route to find out the
> hop count and network path to the host you find in nmap.. there are
> many ways to do what you want to do.. look here
>
> http://insecure.org/presentations/Shmoo06/shmoo-fyodor-011406.pdf
>
>
> On 3/17/07, *Jon R. Kibler* <Jon.Kibler () aset com
> <mailto:Jon.Kibler () aset com>> wrote:
>
>     Hi,
>
>     A network recon question: When pen testing an environment that
>     deploys multi-layer switching, how can one reliably map the network
>     and the relative location of all of the switches?
>
>     Add to this VLANS... How can you map VLANs that are on the network,
>     especially if your access is but on one VLAN, and that VLAN is
>     different than the switch management VLAN?
>
>     Thoughts, tools, tricks, white papers, etc. appreciated.
>
>     THANKS!
>     Jon Kibler
>     --
>     Jon R. Kibler
>     Chief Technical Officer
>     Advanced Systems Engineering Technology, Inc.
>     Charleston, SC  USA
>     (843) 849-8214
>
>
>
>     ------------------------------------------------------------------------
>
>     This List Sponsored by: Cenzic
>
>     Need to secure your web apps?
>     Cenzic Hailstorm finds vulnerabilities fast.
>     Click the link to buy it, try it or download Hailstorm for FREE.
>
>     http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
>     ------------------------------------------------------------------------
>
>
>
>
>
> ==================================================
> Filtered by: TRUSTEM.COM's Email Filtering Service
> http://www.trustem.com/
> No Spam. No Viruses. Just Good Clean Email.
>

--
Jon R. Kibler
Chief Technical Officer
Advanced Systems Engineering Technology, Inc.
Charleston, SC  USA
(843) 849-8214
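The port hardening Jon lists (static access mode, BPDU guard and filter, static MACs enforced by port security, CDP off) can be verified from the switch's running-config rather than by probing a live port. The script below is an added example written for this thread, not code from Jon, Ivan or any other poster; it audits a constructed IOS-style configuration (hypothetical interface names, VLAN numbers and MAC addresses) for those controls and lists the statically configured trunks, which is the switch-side inventory of the trunking connections that objective (a) is about.

```python
"""
Audit an IOS-style running-config for access-port hardening.

Illustrative code for this thread, not a vendor tool. The config text is
constructed; interface names, VLANs and MAC addresses are hypothetical.
"""
import re

# Constructed sample running-config: one fully hardened port, one port with
# DTP left on, one port with a soft port-security violation mode, one uplink.
SAMPLE_CONFIG = """\
!
no cdp run
!
interface GigabitEthernet1/0/1
 description PC A
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address 0011.2233.4455
 switchport port-security violation shutdown
 spanning-tree portfast
 spanning-tree bpduguard enable
 spanning-tree bpdufilter enable
!
interface GigabitEthernet1/0/2
 description printer, DTP left on
 switchport mode dynamic desirable
 switchport access vlan 10
 spanning-tree portfast
!
interface GigabitEthernet1/0/3
 description PC with no static MAC and a soft violation mode
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 switchport port-security
 switchport port-security violation restrict
 spanning-tree bpduguard enable
 spanning-tree bpdufilter enable
!
interface GigabitEthernet1/0/24
 description uplink to facility switch
 switchport mode trunk
 switchport trunk allowed vlan 10,20,99
!
"""

# A statically assigned MAC in IOS dotted-hex form (aaaa.bbbb.cccc).
STATIC_MAC_RE = re.compile(
    r"^switchport port-security mac-address [0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}$", re.I)


def parse_interfaces(config):
    """Map each 'interface X' stanza to its indented config lines, stripped."""
    stanzas = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            stanzas[current] = []
        elif current is not None and raw.startswith(" "):
            stanzas[current].append(raw.strip())
        else:
            current = None  # '!' or any non-indented line ends the stanza
    return stanzas


def cdp_disabled_globally(config):
    """True when 'no cdp run' turns CDP off for every port on the switch."""
    return any(line.strip() == "no cdp run" for line in config.splitlines())


def missing_controls(lines, global_no_cdp):
    """Return the hardening controls absent from one access-port stanza."""
    present = set(lines)
    missing = []
    if "switchport mode access" not in present:
        missing.append("static access mode")
    if "switchport nonegotiate" not in present:
        missing.append("DTP negotiation disabled")
    if "switchport port-security" not in present:
        missing.append("port security")
    if not any(STATIC_MAC_RE.match(line) for line in lines):
        missing.append("static MAC address")
    # IOS shuts the port on a violation by default; only an explicit softer
    # mode (protect/restrict) is a finding.
    for line in lines:
        if line.startswith("switchport port-security violation ") and not line.endswith(" shutdown"):
            missing.append("violation mode shutdown")
            break
    if "spanning-tree bpduguard enable" not in present:
        missing.append("BPDU guard")
    if "spanning-tree bpdufilter enable" not in present:
        missing.append("BPDU filter")
    if not global_no_cdp and "no cdp enable" not in present:
        missing.append("CDP disabled")
    return missing


def audit_config(config):
    """Return {access_interface: [missing controls]}; trunk ports are excluded."""
    no_cdp = cdp_disabled_globally(config)
    return {name: missing_controls(lines, no_cdp)
            for name, lines in parse_interfaces(config).items()
            if "switchport mode trunk" not in lines}


def trunk_ports(config):
    """List interfaces statically configured as trunks (the expected uplinks)."""
    return [name for name, lines in parse_interfaces(config).items()
            if "switchport mode trunk" in lines]


if __name__ == "__main__":
    print("trunks:", trunk_ports(SAMPLE_CONFIG))
    for port, missing in audit_config(SAMPLE_CONFIG).items():
        print(port, "OK" if not missing else "missing: " + ", ".join(missing))
```

Run against a real export, the trunk list should match the documented uplinks exactly; any extra trunk or any `dynamic desirable`/`dynamic auto` access port is a trunk-negotiation exposure of the kind Jon's client has closed. One caveat on the posture itself: interface-level `spanning-tree bpdufilter enable` drops BPDUs before BPDU guard sees them, so on a port carrying both settings the guard never fires, and the filter alone is doing the work.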




