Bypass a VPN, ACL, and VLAN
ECE 4112
Alaric Craig and Pritesh Patel
Goal
• Bypass three layers of security:
  • VPN
  • Router ACLs
  • VLAN
• Effectively, an outsider could bring an internal network down with a DoS.
Method
• Exploit an authenticated remote machine
• Use the established VPN tunnel
• Send traffic that bypasses the router ACLs and crosses VLANs
How
• Use Sub7 to create a backdoor on the remote machine.
• From the remote machine, use the existing VPN tunnel to communicate inside the network.
• Now that we have access, perform the VLAN hopping attack.
Sub7
• Trojan horse used to gain root-level access
• Many fun modules:
  • Keylogging
  • Enable telnet and ftp
  • Tic tac toe
  • Realistic Matrix
VPN Bypassed
• Once into the remote machine, telnet to the VLAN 1 machine and send VLAN hopping traffic.
• VPNs used: Cisco VPN Concentrator and OpenVPN. Once the connection is set up, the prompt can be used to send traffic to the internal machine.
VLANs
• Virtual Local Area Networks
• A logical grouping of devices or users
• Users can be grouped by function, department, or application, regardless of physical segment location
• VLAN configuration is done at the switch (Layer 2)
VLAN Membership
• Static VLAN assignment - port-based membership: membership is determined by the port on the switch and not by the host.
• Dynamic VLAN assignment - membership is determined by the host's MAC address. The administrator has to create a database of MAC addresses and VLAN mappings.
VLAN Communication
• VLANs cannot communicate with each other even when they exist on the same switch
• For VLANs to communicate, they must pass through a router
• Each VLAN is required to have at least one gateway to route packets in and out of the network
VLAN Trunking
• Trunking allows us to cascade multiple switches, using the trunk ports to interconnect them
• Trunk ports act as a dedicated path for each VLAN between switches
• The trunk port is a member of all configured VLANs
VLAN Tagging
• Two dominant tagging technologies:
  - Inter-Switch Link (ISL) (Cisco proprietary technology)
  - IEEE 802.1q (industry-adopted standard)
Access Control List
Router ACLs:

Standard IP access list ADMIN
    10 permit 192.168.0.0, wildcard bits 0.0.151.255
    20 permit 57.35.0.0, wildcard bits 0.0.159.255
    30 deny any log
Extended IP access list ACCT
    10 permit icmp any any echo-reply
    20 deny ip 10.1.10.0 0.0.0.255 192.168.0.0 0.0.151.255
    30 permit ip 57.35.0.0 0.0.159.255 192.168.0.0 0.0.151.255
    40 deny ip any any log
Extended IP access list IT
    10 permit icmp any any echo-reply (24 matches)
    90 deny ip 10.1.10.0 0.0.0.255 57.35.0.0 0.0.159.255
    100 deny ip 192.168.0.0 0.0.151.255 57.35.0.0 0.0.159.255
    110 deny ip any any log
Switch Default Configuration
• Dynamic Trunking Protocol (DTP) automates ISL/802.1q trunk configuration
• DTP states:
  On: "I want to be a trunk and I don't care what you think!" State used when the other switch does not understand DTP.
  Off: "I don't want to be a trunk and I don't care what you think!" State used when the configured port is not intended to be a trunk port.
  Desirable: "I'm willing to become a VLAN trunk; are you interested?" State used when the switch is interested in being a trunk.
  Auto: "I'm willing to go with whatever you want!" This is the default on many switches.
  Non-Negotiate: "I want to trunk, and this is what kind of trunk I will be!"
• Native VLAN set to VLAN 1
VLAN Hopping Attacks
• These attacks are designed to allow the attacker to bypass the Layer 3 device
• The attack takes advantage of incorrectly configured trunk ports on network switches
VLAN Hopping Attacks
• Basic VLAN hopping attack
  1. The attacker fools the switch into thinking that he is a switch that needs trunking
  2. The attack needs a trunking-favorable setting such as Auto to succeed
  3. The attacker is now a member of all trunked VLANs on the switch and can send and receive data on those VLANs
VLAN Hopping Attacks
• Double-encapsulated VLAN hopping attack
  1. Switches perform only one level of IEEE 802.1q decapsulation
  2. This allows the attacker to specify a .1q tag inside the frame, letting the frame reach a VLAN other than the one the outer tag specified.
  3. This attack works even if trunk ports are set to Off
Identification of VLAN Tags Using Ethereal
• VLAN tag: 81 00 0n nn (0x8100 is the IEEE 802.1q TPID; the two bytes after it hold the TCI, whose low 12 bits, the n nn, carry the VLAN ID)
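As an added example (not part of the original slides), the tag layout above can be turned into a small Python checker that walks the 802.1q tags of a captured Ethernet frame and flags the double-encapsulation pattern from the previous slide: more than one tag on a frame, with the outer tag equal to the native VLAN. The sample frames are constructed, not captured data; the function and constant names are this example's own.

```python
import struct

DOT1Q_TPID = 0x8100   # the "81 00" bytes shown on the Ethereal slide
QINQ_TPID = 0x88A8    # 802.1ad service-tag TPID, walked the same way

def parse_vlan_tags(frame: bytes):
    """Return (vlan_ids, inner_ethertype) for an Ethernet II frame.

    Each tag is TPID (2 bytes) + TCI (2 bytes); the VLAN ID is the
    low 12 bits of the TCI (the "0n nn" after "81 00")."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    offset, vids = 12, []          # skip destination and source MAC
    while True:
        if offset + 2 > len(frame):
            raise ValueError("truncated EtherType")
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        offset += 2
        if ethertype not in (DOT1Q_TPID, QINQ_TPID):
            return vids, ethertype  # reached the real payload type
        if offset + 2 > len(frame):
            raise ValueError("truncated 802.1q tag")
        (tci,) = struct.unpack_from("!H", frame, offset)
        offset += 2
        vids.append(tci & 0x0FFF)   # drop the PCP/DEI bits, keep the VID

def inspect_frame(frame: bytes, native_vlan: int = 1):
    """Classify a frame seen on an access port: (vids, ethertype, alerts)."""
    vids, ethertype = parse_vlan_tags(frame)
    alerts = []
    if len(vids) >= 2:
        alerts.append("double-encapsulated frame")
        if vids[0] == native_vlan:
            alerts.append(f"outer tag equals native VLAN {native_vlan}: "
                          "double-tagging hopping pattern")
    return vids, ethertype, alerts

# Constructed sample frames: broadcast dst, made-up src, IPv4 EtherType, zero payload.
_HDR = bytes.fromhex("ffffffffffff") + bytes.fromhex("001122334455")
_PAYLOAD = b"\x00" * 46
UNTAGGED = _HDR + bytes.fromhex("0800") + _PAYLOAD
SINGLE_TAG_VLAN10 = _HDR + bytes.fromhex("8100000a0800") + _PAYLOAD
DOUBLE_TAG_1_THEN_20 = _HDR + bytes.fromhex("81000001810000140800") + _PAYLOAD

if __name__ == "__main__":
    for name, f in (("untagged", UNTAGGED), ("vlan10", SINGLE_TAG_VLAN10),
                    ("double", DOUBLE_TAG_1_THEN_20)):
        print(name, inspect_frame(f))
```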