Penetration Testing mailing list archives
Re: [PEN-TEST] Spoofing switched networks
From: Shoten <shoten () starpower net>
Date: Tue, 6 Feb 2001 20:28:34 -0500
Ahh, this is a distinction that I had to clarify here just last week. Just because a switch is considered "hardware" and looks like a hub does not mean that the configuration is hardware-based. To the contrary, it's software...software that keeps track of which ports should be speaking with which other ports. Getting one VLAN to bleed into another is not quite as simple as just getting the switch to fail open and span all ports by blasting a bazillion MAC addresses onto the wire, but it is well worth remembering that we are talking about software when it really comes down to it. Furthermore, if you have a manageable switch, which most of them are, you can directly speak with the software there. SNMP, anyone? :)

----- Original Message -----
From: <Eduardo_Campos () CREDOMATIC COM>
To: <PEN-TEST () SECURITYFOCUS COM>
Sent: Tuesday, February 06, 2001 3:57 PM
Subject: Re: [PEN-TEST] Spoofing switched networks

Right, since VLANs are defined on hardware, how can you convince the switch to give you a trunk port? That would be the only way to receive and send traffic to other VLANs. VLANs were not designed with security in mind. Broadcast domain division in fact is the best advantage you achieve with VLANs. Although, making VLANs and creating access-lists on the router which enable communications between them (if you permit it) can give you a very good way to have more strict security.

"Lindqvist, Johan" <johan.lindqvist@DRIFTBOLAGET.COM>
Sent by: Penetration Testers <PEN-TEST@SECURITYFOCUS.COM>
06-02-01 10:48 AM
Please respond to Penetration Testers
To: PEN-TEST () SECURITYFOCUS COM
cc:
Subject: Re: [PEN-TEST] Spoofing switched networks

Hi.

> Actually, sniffing isn't that hard either. There are several ways to do it, such as making the switch think you are a trunk port and you need all the traffic. In other words, don't put a switch and VLANs in place and expect that to be your security, because they can be defeated.

As for switching, I'm fully aware that it's not a security mechanism that cannot be defeated easily. However, that VLANs have no security impact is news to me. Since VLANs are defined on a physical switch port basis, how could they be used to receive or send traffic on other VLANs?

/Johan

--
Johan Lindqvist
Security Specialist
DRIFTBOLAGET AB, MÖLNDALSVÄGEN 81, 412 63 GÖTEBORG, SWEDEN
PHONE: +46 8-23 92 00
FAX: +46 709-73 46 70
DIRECT: +46 31-760 43 07
MOBILE: +46 709-73 87 07
johan.lindqvist () driftbolaget com
http://www.driftbolaget.com
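The thread raises three switch-side weaknesses (ports that can be talked into becoming trunks, the switch falling open under a flood of MAC addresses, and the management plane being reachable over SNMP) plus the router access-list mitigation. The following Cisco IOS configuration is an added example of the corresponding controls; it is not from any poster in the thread, and the interface names, VLAN numbers, addresses and SNMP credentials are placeholders.

```cisco
! Added example (not from the thread): switch-side controls for the points
! raised above. Interface names, VLAN ids, the 10.0.x.0/24 VLAN subnets, the
! 192.0.2.10 management host and the CHANGE-ME secrets are placeholders.
!
! 1. End-station ports never become trunks: hard-code access mode and turn
!    off DTP negotiation, so a host cannot ask the switch for all the traffic.
interface range FastEthernet0/1 - 24
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
! 2. Bound the MAC table per port, so a flood of bogus source addresses is
!    dropped and logged instead of pushing the switch into hub-like flooding.
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Real trunks carry only the VLANs they need, and the native VLAN is an
! unused one, so untagged frames cannot land in a production VLAN.
interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 switchport trunk allowed vlan 10,20
 switchport trunk native vlan 999
!
! 3. "SNMP, anyone?": drop the default communities, allow management from a
!    single host only, and use SNMPv3 with authentication and encryption.
no snmp-server community public
no snmp-server community private
access-list 10 permit host 192.0.2.10
snmp-server group NMS-RO v3 priv access 10
snmp-server user nms NMS-RO v3 auth sha CHANGE-ME-AUTH priv aes 128 CHANGE-ME-PRIV
!
! Inter-VLAN traffic through the router is filtered, as the quoted reply
! suggests: VLAN 10 may reach VLAN 20 only on TCP/443.
ip access-list extended VLAN10-TO-20
 permit tcp 10.0.10.0 0.0.0.255 10.0.20.0 0.0.0.255 eq 443
 deny   ip  10.0.10.0 0.0.0.255 10.0.20.0 0.0.0.255
 permit ip  any any
interface Vlan10
 ip access-group VLAN10-TO-20 in
```

After applying it, `show interfaces trunk` should list only the intended uplinks, and `show port-security` will show the violation counters that a MAC flood against an access port would raise.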