Penetration Testing mailing list archives

RE: Layer 2 Security And Penetration Testing


From: "Toni Heinonen" <Toni.Heinonen () teleware fi>
Date: Tue, 4 Jan 2005 01:51:09 +0200

> My idea so far includes spoofing my MAC address, however, I
> still don't know which MAC address I should switch my MAC
> to? How do I know which MAC address is the legal one on a
> specific port?

Do you know whether the port security option configured is fixed as in 1
MAC per 1 port, or 20 MACs for the whole switch? If it's 1 MAC per 1 port
you can of course try and gain access to the switch configuration (or if
they are stored in the network mgmt system or RADIUS server, in there).
The easiest way would however be simply to gain access to an already
used port. Then take a crossover cable, connect that from your system to
the workstation, sniff the MAC, change that to your card and take the
straight cable connected to the switch.

If the MAC addresses are switch-centered (i.e. 20 MACs allowed, port
connected doesn't matter) then you could also try and use some MAC
address another computer is also using. You'll have to do this if you
can't disconnect any of the other workstations or none of the
workstations are laptops people take with them.

Otherwise you'd have to get access to the place where the legal MAC
addies are stored. The Ciscoworks server, perhaps, or a RADIUS server?
If there's 802.1x user authentication as well, then you're doomed. If
it's just a switch configuration, check if the physical security aspect
is dealt with, i.e. if the switch is locked up properly.

***

Otherwise, the classic trick to fool a switch is of course to
negotiate the port to *trunk* state. Buy a NIC that speaks 802.1q or ISL
and fake that you're a switch to the switch in question. A lot of
switches autonegotiate even workstation ports to trunk mode, if they
aren't explicitly configured otherwise.

***

Or you could just try and get to the trunk lines and the infrastructure
in the beginning. Or grab a workstation already connected to the
network. If there's 802.1x, these are your *only* options.

-- 
TONI HEINONEN 
     TELEWARE OY 
     Mob. +358 40 836 1815 / Tel. +358 (9) 3434 9110 
     Laajalahdentie 23, FIN-00330 Helsinki, Finland 
     toni () teleware fi / www.teleware.fi 
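The two switch-side weaknesses the reply relies on (a workstation port that will still negotiate a trunk over DTP, and port security that is absent or not tied to a known MAC) are both visible in a running-config. The script below is an added example, not code from the post or from any vendor tool: it parses interface stanzas, flags those weaknesses, and prints the hardened stanza for each failing workstation port. The running-config excerpt is constructed; the commands used are standard Cisco IOS switchport commands, and the audit assumes that a stanza with no explicit "switchport mode" line sits in the IOS default dynamic DTP mode.

```python
"""Audit Cisco IOS-style interface stanzas for two layer-2 weaknesses:
DTP left able to negotiate a trunk on a workstation port, and port
security that is absent or not bound to a known MAC address.

Added example, not code from the mailing-list post. SAMPLE_CONFIG is a
constructed excerpt. Assumption: a stanza with no 'switchport mode' line
is in the IOS default DTP 'dynamic' mode and will form a trunk with any
peer that speaks DTP.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample running-config (not taken from any real switch).
SAMPLE_CONFIG = """\
!
interface FastEthernet0/1
 description workstation, left at factory defaults
!
interface FastEthernet0/2
 description workstation, explicit but still negotiable
 switchport mode dynamic desirable
 switchport port-security
!
interface FastEthernet0/3
 description hardened workstation port
 switchport mode access
 switchport nonegotiate
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation restrict
 switchport port-security mac-address sticky
!
interface GigabitEthernet0/1
 description uplink to core
 switchport mode trunk
 switchport nonegotiate
!
"""


@dataclass
class Interface:
    name: str
    cmds: List[str] = field(default_factory=list)


def parse_interfaces(config: str) -> List[Interface]:
    """Split a running-config into interface stanzas; '!' or any
    unindented global command ends the current stanza."""
    interfaces: List[Interface] = []
    current: Optional[Interface] = None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = Interface(raw.split(None, 1)[1].strip())
            interfaces.append(current)
        elif raw.startswith(" ") and current is not None:
            current.cmds.append(raw.strip())
        else:
            current = None
    return interfaces


_MAX_RE = re.compile(r"^switchport port-security maximum (\d+)$")
_STATIC_MAC_RE = re.compile(
    r"^switchport port-security mac-address [0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}$")


def audit_interface(intf: Interface) -> List[str]:
    """Return finding codes for one interface; an empty list means it passes."""
    cmds = set(intf.cmds)
    findings: List[str] = []
    if "switchport mode trunk" in cmds:
        # A deliberate uplink: only require that DTP is switched off on it.
        if "switchport nonegotiate" not in cmds:
            findings.append("TRUNK_DTP_ENABLED")
        return findings
    # Anything not explicitly a trunk is treated as a workstation port.
    if "switchport mode access" not in cmds:
        findings.append("DTP_DYNAMIC")        # port can be negotiated to trunk
    if "switchport nonegotiate" not in cmds:
        findings.append("DTP_NOT_DISABLED")   # DTP frames still sent/accepted
    if "switchport port-security" not in cmds:
        findings.append("NO_PORT_SECURITY")
        return findings
    for c in intf.cmds:
        m = _MAX_RE.match(c)
        if m and int(m.group(1)) > 1:         # IOS default maximum is 1
            findings.append("PORT_SECURITY_MAX_GT_1")
    bound = ("switchport port-security mac-address sticky" in cmds
             or any(_STATIC_MAC_RE.match(c) for c in intf.cmds))
    if not bound:
        findings.append("NO_MAC_BINDING")     # first MAC seen is accepted
    return findings


def hardened_access_stanza(name: str) -> str:
    """Corrected configuration for a single-host workstation port."""
    return "\n".join([
        f"interface {name}",
        " switchport mode access",
        " switchport nonegotiate",
        " switchport port-security",
        " switchport port-security maximum 1",
        " switchport port-security violation restrict",
        " switchport port-security mac-address sticky",
    ])


def audit_config(config: str) -> Dict[str, List[str]]:
    """Map each interface name to its list of finding codes."""
    return {i.name: audit_interface(i) for i in parse_interfaces(config)}


if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_CONFIG).items():
        print(f"{name}: {'ok' if not findings else ', '.join(findings)}")
        if findings and "TRUNK_DTP_ENABLED" not in findings:
            print(hardened_access_stanza(name))
```

Run against the sample, FastEthernet0/1 and 0/2 are reported as negotiable and unbound while 0/3 and the uplink pass; "violation restrict" is chosen over the default "shutdown" so a spoofed MAC is logged and dropped without taking the port down. Where 802.1X is in use the port-security part matters less, which matches the reply's point that 802.1X closes the MAC-spoofing route.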

