Penetration Testing mailing list archives

FW: Layer 2 Security And Penetration Testing


From: "Billy Dodson" <billy () pmm-i com>
Date: Mon, 3 Jan 2005 17:34:01 -0600


Is this Cisco TACACS that they are using to protect the ports?  Or are
they doing MAC filtering per port?  If they are doing MAC filtering
configured on the switchport then you would have to know the exact MAC
that was assigned to the port you're plugged into in order to spoof.  If
they are doing MAC auth to a TACACS server then any valid MAC that
existed on their network could possibly work.  They could have
configured it to block any subsequent connections from a duped MAC
though.  So if you spoof a MAC that already exists in the network there
is a 50/50 chance that it would work if they are using TACACS.

Are they not going to give you a connection that works?  Or do they want
you to test this MAC authentication they have in place?  If they want
you to do a vulnerability assessment of the network they should also
give you a connection with access.

-----Original Message-----
From: shiri yacov [mailto:shiri_yacov () hotmail com] 
Sent: Monday, January 03, 2005 4:03 PM
To: pen-test () securityfocus com
Subject: Layer 2 Security And Penetration Testing



Greetings to all PenTesters,

I am scheduled to perform a pentest in a big company, in the near
future.

However, a little intelligence gathering has revealed that the company
has enforced secure MAC on its switches (any port transmitting on other
than its known MAC address is immediately blocked until helpdesk
releases it).

Since my starting point is a "hot" port in the wall, and since I would
not give up on the first stage, I am looking for a way to get connected to
the net (using my allocated port) without activating any alarm when
connecting to the net, and furthermore, without being blocked.



My idea so far includes spoofing my MAC address; however, I still don't
know which MAC address I should switch my MAC to. How do I know
which MAC address is the legal one on a specific port?



Bruteforce is not an option - the port is frozen after 3 unsuccessful
subsequent unauthorized MACs.



Did anyone ever come across a similar configuration? Do you have an
idea as to how I can bypass this?



Regards, 

Shiri, Security Consultant
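A defender-side check for the two port-security models Billy contrasts above (a static MAC bound to each switchport, versus a MAC that is valid anywhere because it is authorized centrally), and for the "port frozen after N unauthorized MACs" behaviour Shiri describes. This is an added example, not code from the thread or from any switch vendor: the port names, the authorized inventory and the learned-MAC events are constructed, and the event shape is an assumption rather than any real syslog format. It flags MACs learned on a port they are not bound to, MACs that appear on more than one port at once (the "duped MAC" case), and ports that have crossed the violation threshold.

```python
"""Port-security consistency checks over constructed MAC-learn events.

Added example for the thread above; inventory, ports and events are all
constructed. The LearnEvent shape is an assumption, not a vendor log format.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class LearnEvent:
    """One 'MAC learned on port' observation (assumed shape, not a real log line)."""
    port: str
    mac: str


def normalize_mac(mac: str) -> str:
    """Canonicalize 'aabb.ccdd.eeff', 'AA-BB-CC-DD-EE-FF' or 'aa:bb:...' to lowercase colon form."""
    hexdigits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def check_static_binding(events, authorized):
    """Static per-port model: every port has exactly one allowed MAC.

    Returns {port: [offending MACs in order first seen]} for any MAC learned on a
    port that is not its bound MAC, including ports with no binding at all.
    """
    violations = defaultdict(list)
    for ev in events:
        mac = normalize_mac(ev.mac)
        if authorized.get(ev.port) != mac and mac not in violations[ev.port]:
            violations[ev.port].append(mac)
    return {port: macs for port, macs in violations.items() if macs}


def check_duplicate_macs(events):
    """Central MAC-auth model: a known MAC is accepted on any port, so the useful
    signal is the same MAC being learned on two or more ports at the same time.

    Returns {mac: sorted list of ports} for every MAC seen on more than one port.
    """
    ports_by_mac = defaultdict(set)
    for ev in events:
        ports_by_mac[normalize_mac(ev.mac)].add(ev.port)
    return {mac: sorted(ports) for mac, ports in ports_by_mac.items() if len(ports) > 1}


def ports_to_freeze(violations_by_port, threshold=3):
    """Ports whose distinct unauthorized MAC count has reached the threshold
    (the thread mentions a lockout after 3 unauthorized MACs)."""
    return sorted(p for p, macs in violations_by_port.items() if len(macs) >= threshold)


# Constructed inventory: port -> the single MAC bound to it.
AUTHORIZED = {
    "Fa0/1": "00:11:22:33:44:55",
    "Fa0/2": "00:11:22:33:44:66",
    "Fa0/3": "00:11:22:33:44:77",
}

# Constructed learn events, in mixed vendor notations on purpose.
EVENTS = [
    LearnEvent("Fa0/1", "0011.2233.4455"),      # legitimate on Fa0/1
    LearnEvent("Fa0/2", "00-11-22-33-44-66"),   # legitimate on Fa0/2
    LearnEvent("Fa0/3", "00:11:22:33:44:66"),   # Fa0/2's MAC on Fa0/3: binding violation and duplicate
    LearnEvent("Fa0/3", "de:ad:be:ef:00:01"),   # unknown MAC
    LearnEvent("Fa0/3", "de:ad:be:ef:00:02"),   # unknown MAC
    LearnEvent("Fa0/3", "de:ad:be:ef:00:02"),   # repeat; counted once
    LearnEvent("Fa0/4", "00:11:22:33:44:77"),   # port with no binding carrying Fa0/3's MAC
]


def report(events=EVENTS, authorized=AUTHORIZED, threshold=3):
    """Bundle the three checks for one pass over the data."""
    static = check_static_binding(events, authorized)
    return {
        "binding_violations": static,
        "duplicate_macs": check_duplicate_macs(events),
        "freeze": ports_to_freeze(static, threshold),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

The two checks answer different questions, which is the distinction in the reply: under static binding any foreign MAC on a port is a violation, while under central MAC auth the per-port check is meaningless and the duplicate-MAC check is the one worth alerting on.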


