Re: Locating switches in a multi-layer switching environment

From: Ivan . (ivanhec@gmail.com)
Date: Fri Mar 23 2007 - 22:28:59 EST


Hi Jon,

Have you looked upstream, at the possible exploitation of a router,
which you can use to hop back onto a switch?

These may assist

EIGRP Tools

Cisco torch

http://www.hackingciscoexposed.com/?link=tools

Sounds like you're doing this onsite. If so, what about physical
exploitation of a PC that belongs to comms admins?

> I am beginning to conclude the architecture the client has deployed
> is VERY resilient to attack from an insider.

This assertion would only be the case if you are limited to sitting
behind the floor switch in the one VLAN.
What about wireless? What about trying to compromise the DHCP server
that is serving you an IP (I'm assuming)?
You could spend your time trying to discover some IP ranges that the
servers live in, then trying to locate a SYSLOG server that the comms
devices are pointed to.

I guess it just depends on what sort of time frame you have for this
gig. I would look for the less obvious way in or at least get a few of
your a-e objectives.

cheers
Ivan

On 3/22/07, Jon R. Kibler <Jon.Kibler@aset.com> wrote:
> Okay, let me draw a picture... pardon the ASCII art!
>
>                               +------+
>                               | core |     Located in Client's
>                               |switch|     Main Computer Room
>                               +------+
>                              /    |    \
>                             /     |     \
>                            /      |      \
>                         +------+      +------+
>                         | site |  ... | site |   Aggregate Switch,
>                         |switch|      |switch|   One per Building
>                         +------+      +------+
>                         /   |   \     /   |   \
>                        /    |    \   /    |    \
>                       /     |     \ /     |     \
>                   +--------+               +--------+
>                   |facility|  ... ... ...  |facility|   Building Aggregate Switch,
>                   | switch |               | switch |   One per Floor per Building
>                   +--------+               +--------+
>                   /    |    \              /    |    \
>                  /     |     \            /     |     \
>                 /      |      \          /      |      \
>              +------+                               +------+   Optional Department
>              | dept |  ... ... ... ... ... ... ...  | dept |   Switch, Possibly One
>              |switch|                               |switch|   or More per Department
>              +------+                               +------+   per Floor per Building
>               /  |  \                                /  |  \
>              /   |   \                              /   |   \
>            +---+                                          +---+
>            |PC |  ...                                ...  |PC |   Multiple Computers,
>            | A |                                          | B |   Printers, etc.
>            +---+                                          +---+
>
>
> Client is running a mixture of switches. Most switches "above" the department level are Cisco. Most department level switches are HP.
>
> If PC "A" were to ping PC "B", then PC "B" would appear to be only one hop away from "A" ("A" and "B" both are on the same VLAN). Since this is a switched network, everything is only one hop away, regardless of the number of intermediate switches.
>
> CDP is turned off.
>
> Cannot trunk -- Switches are configured statically for "access" only and will shut down the port if trunking is attempted.
>
> BPDU guard and filter are turned on for each port.
>
> MAC addresses are statically assigned to each port. (Thus, all MAC and ARP attacks result in the port being shut down.)
>
> SNMP is enabled, but is only visible on the management VLAN.
>
> The objectives of this pen-test are:
> a) Discover the location (hierarchy and trunking connections) of every switch in the network.
> b) Discover the management VLAN.
> c) Access a VLAN other than the VLAN assigned to that port (VLAN hop).
> d) Access a switch's management functions.
> e) Sniff SNMP traffic.
>
> Quite frankly, everything I have tried (short of social engineering) has resulted in the port I am assigned being shut down.
>
> I am beginning to conclude the architecture the client has deployed is VERY resilient to attack from an insider.
>
> Thoughts? Suggestions?
>
> THANKS!
> Jon Kibler
>
> Domain Admin wrote:
> > What do you mean map the location of a switch?
> >
> > VLANs typically have access to all other VLANs via VLAN trunking. What
> > manufacturer of switch are you working with?
> >
> > If you have access to a VLAN, is CDP or a routing protocol running?
> >
> > You could nmap the entire subnet and use traceroute to find out the
> > hop count and network path to the hosts you find in nmap.. there are
> > many ways to do what you want to do.. look here
> >
> > http://insecure.org/presentations/Shmoo06/shmoo-fyodor-011406.pdf
> >
> >
> > On 3/17/07, *Jon R. Kibler* <Jon.Kibler@aset.com
> > <mailto:Jon.Kibler@aset.com>> wrote:
> >
> > Hi,
> >
> > A network recon question: When pen testing an environment that
> > deploys multi-layer switching, how can one reliably map the network
> > and the relative location of all of the switches?
> >
> > Add to this VLANs... How can you map VLANs that are on the network,
> > especially if your access is but on one VLAN, and that VLAN is
> > different than the switch management VLAN?
> >
> > Thoughts, tools, tricks, white papers, etc. appreciated.
> >
> > THANKS!
> > Jon Kibler
> > --
> > Jon R. Kibler
> > Chief Technical Officer
> > Advanced Systems Engineering Technology, Inc.
> > Charleston, SC USA
> > (843) 849-8214
> >
> >
>
> --
> Jon R. Kibler
> Chief Technical Officer
> Advanced Systems Engineering Technology, Inc.
> Charleston, SC USA
> (843) 849-8214
>
>

------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.

http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------
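Every measure Jon lists ends the same way: the offending port is err-disabled, and Ivan notes that the comms devices are pointed at a syslog server. From the defender's side, that syslog stream is where the probing shows up: a port that is err-disabled repeatedly, or for more than one distinct cause, is far more likely to be a host trying one layer-2 trick after another than a faulty NIC. The script below is an added illustration, not code from this thread or from any of its posters. It parses the standard Cisco IOS port-security, BPDU-guard and err-disable syslog mnemonics, groups the events per switch port and flags ports that look like probing. The log lines are constructed samples (hostnames, interfaces, MAC addresses and timestamps are made up), and the message wording is assumed to follow the common IOS formats, which vary somewhat between versions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample syslog lines (not taken from the thread). Hostnames,
# interfaces, MAC addresses and timestamps are invented; the mnemonics follow
# the usual IOS formats, which is an assumption about the reader's platform.
SAMPLE_SYSLOG = """\
Mar 22 09:14:02 floor3-sw1 1441: Mar 22 09:14:01.877: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0000.0c9f.f001 on port GigabitEthernet0/17.
Mar 22 09:14:02 floor3-sw1 1442: Mar 22 09:14:01.879: %PM-4-ERR_DISABLE: psecure-violation error detected on Gi0/17, putting Gi0/17 in err-disable state
Mar 22 09:19:40 floor3-sw1 1443: Mar 22 09:19:40.102: %PM-4-ERR_RECOVER: Attempting to recover from psecure-violation err-disable state on Gi0/17
Mar 22 09:20:15 floor3-sw1 1444: Mar 22 09:20:15.330: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port Gi0/17 with BPDU Guard enabled. Disabling port.
Mar 22 09:20:15 floor3-sw1 1445: Mar 22 09:20:15.332: %PM-4-ERR_DISABLE: bpduguard error detected on Gi0/17, putting Gi0/17 in err-disable state
Mar 22 11:02:51 floor5-sw2 883: Mar 22 11:02:51.010: %PM-4-ERR_DISABLE: psecure-violation error detected on Gi0/4, putting Gi0/4 in err-disable state
Mar 22 11:03:00 floor5-sw2 884: Mar 22 11:03:00.500: %LINK-3-UPDOWN: Interface GigabitEthernet0/4, changed state to down
"""

# The three messages the measures in the thread produce when a port is shut down.
ERR_DISABLE = re.compile(r"%PM-4-ERR_DISABLE: (\S+) error detected on (\S+),")
BPDU_GUARD = re.compile(r"%SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port (\S+) ")
PSECURE = re.compile(r"%PORT_SECURITY-2-PSECURE_VIOLATION: .*MAC address (\S+) on port (\S+)\.")
# Syslog header as a relay would write it: "Mon DD HH:MM:SS hostname ..."
HOST = re.compile(r"^\w{3}\s+\d+ [\d:]+ (\S+) ")

LONG_NAMES = {"TenGigabitEthernet": "Te", "GigabitEthernet": "Gi", "FastEthernet": "Fa"}


def normalize_port(name):
    """Map 'GigabitEthernet0/17' and 'Gi0/17' to the same key."""
    for long, short in LONG_NAMES.items():
        if name.startswith(long):
            return short + name[len(long):]
    return name


def parse_events(text):
    """Extract port-security, BPDU-guard and err-disable events from syslog text."""
    events = []
    for line in text.splitlines():
        m_host = HOST.match(line)
        host = m_host.group(1) if m_host else "?"
        if m := ERR_DISABLE.search(line):
            events.append({"host": host, "port": normalize_port(m.group(2)),
                           "kind": "errdisable", "cause": m.group(1)})
        elif m := BPDU_GUARD.search(line):
            events.append({"host": host, "port": normalize_port(m.group(1)),
                           "kind": "bpdu", "cause": "bpduguard"})
        elif m := PSECURE.search(line):
            events.append({"host": host, "port": normalize_port(m.group(2)),
                           "kind": "psecure", "cause": "psecure-violation",
                           "mac": m.group(1)})
    return events


def summarize(events):
    """Group err-disable events per (switch, port); keep distinct causes and MACs seen."""
    summary = defaultdict(lambda: {"errdisables": 0, "causes": Counter(), "macs": set()})
    for ev in events:
        entry = summary[(ev["host"], ev["port"])]
        if ev["kind"] == "errdisable":
            entry["errdisables"] += 1
            entry["causes"][ev["cause"]] += 1
        if "mac" in ev:
            entry["macs"].add(ev["mac"])
    return dict(summary)


def flag_probing(summary, min_errdisables=2):
    """Flag ports err-disabled repeatedly or for more than one distinct cause:
    a single flapping NIC trips port security, it does not also send BPDUs."""
    flagged = []
    for (host, port), entry in sorted(summary.items()):
        reasons = []
        if entry["errdisables"] >= min_errdisables:
            reasons.append(f"{entry['errdisables']} err-disable events")
        if len(entry["causes"]) > 1:
            reasons.append("multiple causes: " + ", ".join(sorted(entry["causes"])))
        if reasons:
            flagged.append((host, port, "; ".join(reasons)))
    return flagged


if __name__ == "__main__":
    summary = summarize(parse_events(SAMPLE_SYSLOG))
    for host, port, reason in flag_probing(summary):
        macs = ", ".join(sorted(summary[(host, port)]["macs"])) or "none logged"
        print(f"{host} {port}: {reason} (MACs seen: {macs})")
```

Feed it the syslog server's file for the comms devices and the one port that keeps being err-disabled for different reasons stands out immediately; the MAC addresses recorded alongside tell the admin which host, and therefore which floor and department switch, the attempts came from, which is the same hierarchy the pen-test is trying to reconstruct from the other side.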



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:40 EDT