Penetration Testing mailing list archives

Re: Testing Hubs and Switches


From: Cedric Blancher <blancher () cartel-securite fr>
Date: 11 Dec 2002 17:36:39 +0100

On Wed 11/12/2002 at 10:02, Julian Young wrote:
> Some time back, I guess it was last summer, somebody was asking for
> volunteers to test their hubs and switches for security vulnerabilities.
> At the time I think he wanted to put together a who's who of switches
> and hubs.
> Does anyone recognize this, remember any URLs or what happened to the
> project? I was unable to participate at the time but would still like to test
> mine if they have not already been tested.

The project seems to be stalled:

        http://www.alaricsecurity.com/ssp.html

It was an interesting idea, but the only submission is about ARP cache
poisoning, and we all know switches are vulnerable to this, just because
of their design.

> Further, if anyone knows of any testing tools / techniques I would also
> be very interested.

Taranis will be a good start:

        http://www.bitland.net/taranis/

Taranis relies on MAC spoofing to redirect network traffic.

You can also have a look at the dsniff package:

        http://monkey.org/~dugsong/dsniff/

It comes with the macof tool, which performs CAM table flooding. A switch can
fall into repeater mode for some MACs when the CAM table is full.


If you want a complete view of switch attacks, have a look at Sean
Convery's presentation at Black Hat USA 2002, which you can find here:

        http://opensores.thebunker.net/pub/mirrors/blackhat/presentations/bh-usa-02/

You'll find layer 2 attacks such as MAC attacks, ARP attacks, protocol
attacks (CDP, DTP, VTP), VLAN hopping and others.

-- 
Cédric Blancher  <blancher () cartel-securite fr>
Systems and network security consultant - Cartel Sécurité
Tel: +33 (0)1 44 06 97 87 - Fax: +33 (0)1 44 06 97 99
PGP KeyID:157E98EE  FingerPrint:FA62226DA9E72FA8AECAA240008B480E157E98EE
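
A defensive sketch of how the two behaviours mentioned in the reply above can be spotted from per-port source-MAC observations: a MAC that shows up on more than one port (the MAC spoofing pattern) and a port that suddenly sources many new MACs (the CAM table flooding pattern). This is an added example, not part of the original post or of any tool named in it; the function names, thresholds and sample frames are constructed assumptions.

```python
from collections import defaultdict, deque

def detect_l2_anomalies(frames, window=1.0, max_new_macs=100, max_moves=3):
    """frames: time-ordered (timestamp_s, switch_port, source_mac) tuples.
    Returns (ports learning too many new MACs, MACs hopping between ports)."""
    seen = defaultdict(set)        # port -> source MACs already seen there
    learned = defaultdict(deque)   # port -> times of recent first sightings
    last_port = {}                 # mac -> port it was last seen on
    moves = defaultdict(deque)     # mac -> times of recent port changes
    flood_ports, flapping_macs = set(), set()
    for ts, port, mac in frames:
        if mac not in seen[port]:
            seen[port].add(mac)
            q = learned[port]
            q.append(ts)
            while ts - q[0] > window:      # keep only sightings inside the window
                q.popleft()
            if len(q) > max_new_macs:
                flood_ports.add(port)
        prev = last_port.get(mac)
        if prev is not None and prev != port:
            m = moves[mac]
            m.append(ts)
            while ts - m[0] > window:      # keep only moves inside the window
                m.popleft()
            if len(m) >= max_moves:
                flapping_macs.add(mac)
        last_port[mac] = port
    return flood_ports, flapping_macs

def sample_frames():
    """Constructed observations for illustration, not a real capture."""
    frames = [(0.0, 1, "00:11:22:33:44:55")]            # ordinary host
    # Port 7 sources 500 never-seen MACs in half a second (flooding pattern).
    frames += [(0.001 * i, 7, "02:00:00:00:%02x:%02x" % (i >> 8, i & 0xFF))
               for i in range(500)]
    # One MAC alternating between ports 2 and 3 (spoofed-MAC pattern).
    frames += [(0.6 + 0.1 * i, 2 + i % 2, "00:aa:bb:cc:dd:ee") for i in range(6)]
    return sorted(frames)

if __name__ == "__main__":
    floods, flaps = detect_l2_anomalies(sample_frames())
    print("ports with a burst of new source MACs:", sorted(floods))
    print("MACs seen hopping between ports:", sorted(flaps))
```

The thresholds are placeholders; a port facing a downstream switch or a wireless bridge legitimately sources many MACs and needs its own limit.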
