Penetration Testing mailing list archives
Re: Mapping a network
From: Elizabeth Greene <elizabeth.a.greene () gmail com>
Date: Wed, 23 Sep 2009 14:26:38 -0500
Are you receiving CDP from the switch? It contains the Management IP and Cluster (if enabled) information for the switch. These can give you another attack point.

If CDP indicates a voice vlan is enabled then you could pretend to be a phone and land in that VLAN. This may help you get around some access lists. (Who plans for compromised attacks from phones?!) The DHCP server in that VLAN will probably hand you a tftp server IP. These TFTP servers usually offer the configuration files to the phones. If you are lucky there will be some cleartext passwords in the phone configs. If you are really lucky then the router configs will be backed up to the tftp server or the server will be vulnerable to directory traversal attack and this exploit will put another box in your 0wn3d column.
http://blog.teusink.net/2009/05/ciscoworks-tftp-directory-traversal.html

CDP aside, to get an idea of the Layer 2 topology you could transmit a number of fake spanning tree BPDU announcements to force a root bridge re-election. The BPDUs you receive should give you an idea of how many switches are in the broadcast domain. If BPDU guard is enabled, it will shut your port down when you try this.

A classic Layer 2 attack is to connect a switch to two ports, force it to become the root bridge, and listen to the traffic that crosses it. If you could compromise two hosts in the same VLAN but in two different switches, you could recreate this sort of attack remotely by tunneling the traffic between the two hosts. I am not aware of any toolkits that do this currently, so you would have to cook it from scratch.

-ellie

On Tue, Sep 22, 2009 at 4:04 PM, Lee <ler762 () gmail com> wrote:
> DHCP snooping is enabled, so that seems to kill any arp spoofing tricks. Trunking is disabled on all the switch ports, so that seems to kill any vlan hopping tricks. ... maybe if I offer someone a chocolate bar for their password :)
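As an added example (not part of the original thread), the defender's side of the BPDU point above: a parser for IEEE 802.1D Configuration BPDUs and an audit that flags BPDUs arriving on ports that should be edge ports (what BPDU guard would err-disable) and root claims superior to the known root bridge (the signature of a forced root re-election). The port names, MAC addresses and expected root are constructed assumptions, not values from the thread.

```python
import struct

# Layout of an IEEE 802.1D Configuration BPDU payload: the 35 bytes that follow
# the LLC header (DSAP/SSAP 0x42, control 0x03). Network byte order, no padding.
_BPDU_FMT = "!HBBBH6sIH6sHHHHH"
_BPDU_LEN = struct.calcsize(_BPDU_FMT)  # 35


def parse_config_bpdu(payload: bytes) -> dict:
    """Decode a Configuration BPDU; raise ValueError for anything else."""
    if len(payload) < _BPDU_LEN:
        raise ValueError("payload shorter than a Configuration BPDU")
    (proto, version, btype, flags, root_prio, root_mac, root_cost,
     br_prio, br_mac, port_id, msg_age, max_age, hello, fwd_delay) = \
        struct.unpack(_BPDU_FMT, payload[:_BPDU_LEN])
    if proto != 0 or btype != 0x00:  # 0x80 would be a Topology Change Notification
        raise ValueError(f"not a Configuration BPDU (proto={proto}, type={btype:#x})")
    return {
        "root_id": (root_prio, root_mac.hex(":")),   # lower tuple wins the election
        "root_path_cost": root_cost,
        "bridge_id": (br_prio, br_mac.hex(":")),
        "port_id": port_id,
        "max_age_s": max_age / 256,                 # timers are in 1/256 s units
        "hello_time_s": hello / 256,
    }


def audit_bpdus(observations, expected_root, edge_ports):
    """observations: iterable of (port, payload). expected_root: (priority, mac)
    of the legitimate root. edge_ports: ports that should never receive a BPDU."""
    alerts = []
    for port, payload in observations:
        try:
            b = parse_config_bpdu(payload)
        except ValueError as exc:
            alerts.append((port, "malformed", str(exc)))
            continue
        if port in edge_ports:
            alerts.append((port, "bpdu-on-edge-port", f"from bridge {b['bridge_id'][1]}"))
        if b["root_id"] < expected_root:  # a better (lower) root ID than the real root
            alerts.append((port, "superior-root-claim", f"claims root {b['root_id']}"))
    return alerts


def _sample_bpdu(root_prio, root_mac, br_prio, br_mac, cost=0, port_id=0x8001):
    # Constructed sample frames standing in for a capture; not real network data.
    return struct.pack(_BPDU_FMT, 0, 0, 0, 0, root_prio, bytes.fromhex(root_mac), cost,
                       br_prio, bytes.fromhex(br_mac), port_id, 0, 20 * 256, 2 * 256, 15 * 256)


EXPECTED_ROOT = (4096, "00:00:0c:00:00:01")  # constructed: the legitimate root bridge
SAMPLE = [
    ("Gi1/0/48", _sample_bpdu(4096, "00000c000001", 8192, "00000c000002")),  # normal uplink
    ("Gi1/0/12", _sample_bpdu(0, "0a0b0c0d0e0f", 0, "0a0b0c0d0e0f")),        # access port, prio 0
]
```

Running `audit_bpdus(SAMPLE, EXPECTED_ROOT, {"Gi1/0/12"})` yields two alerts for the access port and none for the uplink.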