Penetration Testing mailing list archives

Re: Layer 2 Security And Penetration Testing


From: Enno Rey <erey () ernw de>
Date: Tue, 4 Jan 2005 01:00:09 +0100

Hi,

Before I try to give you some hints (I don't have an easy answer to your question though), just some thoughts:

The most important step in any pen-test is the definition of the - let's say - 'goal of knowledge'.
That means the customer has to clarify:

- "Which benefit am I expecting from the test?" 
[e.g. evaluation of the secadmins' work, evaluation of a consulting company or some supplier's work, evaluation of 
technical or organizational measures, raising interest in IT security among higher management (by some spectacular 
hacks) etc. etc.]

- "Which questions are answered by the test?"    

Along with this definition there will be/has to be some clarification about the threats that are simulated during the 
test.
As a pentest is usually a kind of "experiment to break the security with the means of an attacker", the type of 
attacker definitely has to be defined. Is the (simulated) attacker one of those famous 'hackers' from the internet... 
or an insider... or someone with physical access (cleaning personnel, consultant etc.)?

These questions have to be answered first... to gain some benefit from a service called 'pentest'... for the money 
spent ;-))

So, for your scenario...

Given you seem to have physical access to a port inside the client's building, the simulated attacker could be:

a) - an employee
b) - support personnel (the guy fixing the copying machine) or sneaky consultants giving some presentation on fancy new 
marketing channels; in any case somebody who is authorised to be in the building in some form and probably is 
_authorised_ to participate in their network in some way (by the copying machine maintenance contract or the marketing 
director's will to see those shiny presentations).
c) - an outsider who gained physical access. In most corporate environments not too realistic. And even if possible, 
usually not the focus of a pentest.

In case a (employee), the attacker usually could simply look for the MAC address of a colleague's PC while that 
colleague is getting some coffee at the machine...
In case b (authorised external person), exactly that MAC is authorised at the port and the (pentest's) usual question 
is: if somebody has access to our network, what can he do there?
In case c (outsider), the pentest's focus will include getting into the building by some unauthorised way. This may be 
of the customer's interest (and we have done that in some cases), but usually this is _not_ the goal of knowledge of a 
test and not the type of attacker the client is interested in.
Usually the client is interested in case a or b, as these are the most common threats.

In other words: do they pay you to get a confirmation that "port security on switches of manufacturer xyz is working"? 
I assume this is not the case...
Have them define the type of attacker clearly and you probably won't face your problem anymore. Because you'll have 
access to a PC (employee) or your MAC address will be authorised (support guy/consultant) and the question will then 
be: "ok, how far do I get now?"

As for your initial question... I don't see any possible way here (on that 'hot port')... but, as I said: I don't see 
the knowledge benefit either.
The easiest way to find a valid port/MAC combination will probably be a printer connected to a network port. Most 
printers give out their hardware parameters (incl. MAC address) by some sequence/combination of keys/buttons, without 
any authorization needed. This is what I would try first... find a printer, print out the MAC, plug in your laptop with 
a spoofed MAC and declare yourself a support guy/electrician etc.
See also the thread on 'physical pentesting' that lived on the list some weeks ago...

thanks,

Enno

-- 
Enno Rey

ERNW Enno Rey Netzwerke GmbH - Zaehringerstr. 46 - 69115 Heidelberg
Tel. +49 6221 480390 - Fax 6221 419008 - Mobil +49 173 6745902
www.ernw.de - PGP 055F B3F3 FE9D 71DD C0D5  444E C611 033E 3296 1CC1 
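The printer trick described above, as an added example that is not part of the original post or of ERNW's own tooling: a POSIX shell script that normalises a hardware address the way a printer's configuration page prints it (dash-, colon- or dot-separated, space-separated, or bare hex), refuses addresses that could never have been learned as a secured source (multicast/broadcast), and clones the address onto a Linux interface while the link is still down. It assumes Linux with iproute2 (`ip`); the interface name and MAC in the usage comment are placeholders, not values from the thread.

```sh
#!/bin/sh
# Added example, not from the original post: clone a MAC address read off a
# printer's configuration page onto a Linux interface before it comes up on a
# port-security protected switch port. Assumes Linux with iproute2 (`ip`).

# Printers and switches print the hardware address in several layouts
# (00-1B-2F-AA-BB-CC, 001B2FAABBCC, 001b.2faa.bbcc, "00 1B 2F AA BB CC").
# Normalise to the colon-separated lowercase form `ip link` expects and fail
# on anything that is not exactly 12 hex digits, so a pasted label such as
# "Hardware Address: ..." is rejected instead of silently mangled.
normalize_mac() {
    hex=$(printf '%s' "$1" | sed 's/[-:.[:space:]]//g' | tr 'A-F' 'a-f')
    case "$hex" in
        *[!0-9a-f]*) return 1 ;;
    esac
    [ "${#hex}" -eq 12 ] || return 1
    printf '%s' "$hex" | sed 's/\(..\)/\1:/g; s/:$//'
}

# A switch only learns unicast source addresses, so a MAC with the
# multicast bit set (low bit of the first octet, i.e. an odd second hex
# digit) can never be the one secured on the port.
is_unicast_mac() {
    case "$1" in
        ?[13579bdf]:*) return 1 ;;
    esac
    return 0
}

# Set the address while the link is down, then bring it up. The very first
# frame the switch sees from the port must already carry the cloned MAC: an
# interface that comes up with its factory address counts as a violation and
# burns one of the few attempts before the port is shut.
clone_mac() {
    iface=$1
    mac=$(normalize_mac "$2") || { echo "clone_mac: bad MAC '$2'" >&2; return 1; }
    is_unicast_mac "$mac" || { echo "clone_mac: $mac is not unicast" >&2; return 1; }
    ip link set dev "$iface" down || return 1
    ip link set dev "$iface" address "$mac" || return 1
    # Confirm the kernel took the address before any frame can leave the port.
    ip -o link show dev "$iface" | grep -qi "link/ether $mac " || {
        echo "clone_mac: address on $iface is not $mac, leaving link down" >&2
        return 1
    }
    ip link set dev "$iface" up
}

# Usage (as root; interface name and MAC are placeholders):
#   clone_mac eth0 '00-1B-2F-AA-BB-CC'
```

The order inside clone_mac is the whole point: a port with a low violation count gives no room to plug in first and fix the address afterwards, so the address is changed and verified while the link is down and the interface only comes up once the kernel reports the cloned MAC.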


On Mon, Jan 03, 2005 at 10:02:33PM -0000, shiri yacov wrote:


Greetings to all PenTesters,
I am scheduled to perform a pentest in a big company in the near future.
However, a little intelligence gathering has revealed that the company
has enforced secure MAC on its switches (any port transmitting on other than its known MAC address is immediately 
blocked until the helpdesk releases it).
Since my starting point is a "hot" port in the wall, and since I would not
give up on the first stage, I am looking for a way to get connected to
the net (using my allocated port) without activating any alarm when 
connecting to the net, and furthermore, without being blocked.

My idea so far includes spoofing my MAC address; however, I still don't know which MAC address I should switch my 
MAC to. How do I know which MAC address is the legal one on a specific port?

Brute force is not an option - the port is frozen after three subsequent unsuccessful unauthorized MACs.

Has anyone ever come across a similar configuration? Do you have an
idea as to how I can bypass this?

Regards, 
Shiri, Security Consultant
