Penetration Testing mailing list archives

Re: Mapping a network


From: Elizabeth Greene <elizabeth.a.greene () gmail com>
Date: Wed, 23 Sep 2009 14:26:38 -0500

Are you receiving CDP from the switch?  It contains the Management IP
and Cluster (if enabled) information for the switch.  These can give
you another attack point.

If CDP indicates a voice vlan is enabled then you could pretend to be
a phone and land in that VLAN.  This may help you get around some
access lists.  (Who plans for compromised attacks from phones?!)  The
DHCP server in that VLAN will probably hand you a tftp server IP.
These TFTP servers usually offer the configuration files to the
phones.  If you are lucky there will be some cleartext passwords in
the phone configs.  If you are really lucky then the router configs
will be backed up to the tftp server or the server will be vulnerable
to directory traversal attack and this exploit will put another box in
your 0wn3d column.
http://blog.teusink.net/2009/05/ciscoworks-tftp-directory-traversal.html

CDP aside, to get an idea of the Layer 2 topology you could transmit a
number of fake spanning tree BPDU announcements to force a root bridge
re-election.  The BPDUs you receive should give you an idea of how
many switches are in the broadcast domain.  If BPDU guard is enabled,
it will shut your port down when you try this.

A classic Layer 2 attack is to connect a switch to two ports, force it
to become the root bridge, and listen to the traffic that crosses it.
If you could compromise two hosts in the same VLAN but in two
different switches, you could recreate this sort of attack remotely by
tunneling the traffic between the two hosts.  I am not aware of any
toolkits that do this currently, so you would have to cook it from
scratch.

-ellie


On Tue, Sep 22, 2009 at 4:04 PM, Lee <ler762 () gmail com> wrote:
DHCP snooping is enabled, so that seems to kill any arp spoofing tricks.
Trunking is disabled on all the switch ports, so that seems to kill
any vlan hopping tricks.

... maybe if I offer someone a chocolate bar for their password :)
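Added example, not part of this thread: a small Python parser for 802.1D configuration BPDUs plus a monitor that flags the forced root bridge re-election ellie describes, written from the defender's side (what a span port or a host-based sensor would alert on). The expected root bridge, the bridge IDs and the two sample frames are constructed for this example and do not come from any real network.

```python
"""Parse 802.1D Configuration BPDUs and alert on a root bridge change.

Added example for the mailing list thread; every frame below is constructed.
"""
import struct
from dataclasses import dataclass
from typing import Optional, Set

# Fixed part of a Configuration BPDU (IEEE 802.1D-2004, 9.3.1), after the LLC header:
# protocol id, version, type, flags, root id, root path cost, bridge id,
# port id, message age, max age, hello time, forward delay
BPDU_FMT = "!HBBB8sI8sHHHHH"
BPDU_LEN = struct.calcsize(BPDU_FMT)  # 35 bytes
CONFIG_BPDU = 0x00
RST_BPDU = 0x02


@dataclass(frozen=True)
class BridgeId:
    priority: int  # 16-bit priority field; lower wins the root election
    mac: str

    @classmethod
    def from_bytes(cls, raw: bytes) -> "BridgeId":
        prio = struct.unpack("!H", raw[:2])[0]
        return cls(prio, ":".join(f"{b:02x}" for b in raw[2:8]))

    def to_bytes(self) -> bytes:
        return struct.pack("!H", self.priority) + bytes.fromhex(self.mac.replace(":", ""))

    def beats(self, other: "BridgeId") -> bool:
        """True if this bridge wins the election against `other`
        (lowest priority wins; the MAC address breaks ties)."""
        return (self.priority, self.mac) < (other.priority, other.mac)


@dataclass(frozen=True)
class Bpdu:
    version: int
    bpdu_type: int
    flags: int
    root: BridgeId
    root_path_cost: int
    sender: BridgeId
    port_id: int


def parse_bpdu(payload: bytes) -> Bpdu:
    """Decode the 35-byte fixed part of a Configuration or RST BPDU."""
    if len(payload) < BPDU_LEN:
        raise ValueError(f"BPDU too short: {len(payload)} bytes")
    (proto, version, btype, flags, root_raw, cost, bridge_raw, port_id,
     _msg_age, _max_age, _hello, _fwd_delay) = struct.unpack(BPDU_FMT, payload[:BPDU_LEN])
    if proto != 0:
        raise ValueError(f"unexpected protocol id {proto:#06x}")
    if btype not in (CONFIG_BPDU, RST_BPDU):
        raise ValueError(f"not a configuration BPDU (type {btype:#04x})")
    return Bpdu(version, btype, flags, BridgeId.from_bytes(root_raw), cost,
                BridgeId.from_bytes(bridge_raw), port_id)


class RootMonitor:
    """Track the root bridge advertised on a segment and flag any change.

    `expected_root` is the bridge the operator designated as root. A BPDU
    advertising a different root is reported; if that root would actually
    win the election (lower priority) it is reported as a takeover.
    """

    def __init__(self, expected_root: BridgeId):
        self.expected_root = expected_root
        self.bridges_seen: Set[BridgeId] = set()  # inventory of bridges on the segment

    def observe(self, payload: bytes) -> Optional[dict]:
        bpdu = parse_bpdu(payload)
        self.bridges_seen.add(bpdu.sender)
        if bpdu.root == self.expected_root:
            return None
        takeover = bpdu.root.beats(self.expected_root)
        return {
            "severity": "high" if takeover else "medium",
            "reason": "root bridge takeover" if takeover else "unexpected root id",
            "advertised_root": bpdu.root,
            "sender": bpdu.sender,
            "port_id": bpdu.port_id,
        }


def sample_bpdu(root: BridgeId, sender: BridgeId, cost: int = 0, port_id: int = 0x8001) -> bytes:
    """Assemble a Configuration BPDU; only used to build the constructed samples."""
    # message age 0, max age 20 s, hello 2 s, forward delay 15 s (units of 1/256 s)
    return struct.pack(BPDU_FMT, 0, 0, CONFIG_BPDU, 0, root.to_bytes(), cost,
                       sender.to_bytes(), port_id, 0, 20 * 256, 2 * 256, 15 * 256)


# Constructed samples: the designated root and a bridge claiming priority 0
LEGIT_ROOT = BridgeId(32768, "00:11:22:33:44:55")
ROGUE = BridgeId(0, "02:00:00:00:00:01")
LEGIT_BPDU = sample_bpdu(LEGIT_ROOT, LEGIT_ROOT)
ROGUE_BPDU = sample_bpdu(ROGUE, ROGUE, port_id=0x8002)


def demo() -> list:
    """Feed both samples to a monitor and return the alerts it raised."""
    mon = RootMonitor(LEGIT_ROOT)
    return [a for a in (mon.observe(LEGIT_BPDU), mon.observe(ROGUE_BPDU)) if a]


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

The monitor keys on the root ID field rather than on who sent the frame, because a takeover shows up in every downstream switch's BPDUs once the election converges; `bridges_seen` doubles as the defender's count of bridges in the broadcast domain. On access ports, BPDU guard (as the post notes) remains the cheaper control, since it err-disables the port before any election happens.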
