Penetration Testing mailing list archives

Re: Internal pen-test


From: ddidier () netsecureia com
Date: 3 Jul 2008 09:29:22 -0000

Hello, Taras.  As you pointed out, internal pen testing usually has more areas to test.  Layer 2 and 3 areas need to be 
thoroughly tested.  You mentioned ARP already - you should also consider testing for these types of issues:

DHCP snooping / starvation - DHCP snooping and starvation attacks can disrupt traffic flows by redirecting end 
systems to un-trusted gateways which capture all traffic.  This allows for collection and manipulation of confidential 
data.  This can be prevented in certain switch solutions which support DHCP spoofing and starvation controls. 

VLAN Hopping - VLAN hopping can allow a user to access a VLAN and the systems in that VLAN which their system isn’t 
currently a member of.  This can circumvent security and network integrity in a number of ways.  This is normally a 
problem because the default configuration type for VLAN interfaces is ‘dynamic’ in many vendor devices and allows VLAN 
hopping to occur.

CAM Overflow / MAC flooding - MAC flooding will flood a switch with packets in order to consume memory and cause a 
switch to enter the fail-open mode which causes the switch to flood all data out all ports.  A packet sniffer can then 
be used to capture sensitive data which wouldn’t normally be accessible.  This can be prevented in certain switches by 
configuring MAC limits per port.

Spanning Tree Attacks - Spanning tree attacks have the ability to disrupt redundant layer 2 paths on the network and 
cause denial of service (DoS) attacks and allow the attacker to see data he wouldn’t normally be able to see.

Routing Protocol Authentication - Routing protocols control the overall flow of data through a network.  It is a fairly 
simple task to hijack or inject false routes if proper security measures have not been taken.  Adding authentication 
for routing devices and updates greatly reduces these threats.

Router / Switch Management Access - The ability to manage network devices, including but not limited to routers and 
switches needs to be limited to discrete management systems.  If possible, this should be a dedicated management 
network.

Hope this helps,

Dan Didier
http://www.NetSecureIA.com
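Added example (editor's code, not part of Dan's post): a small detector that walks a list of decoded frame records from a switch's ports and flags the signatures of four of the attacks listed above - CAM overflow (many source MACs on one port), DHCP starvation (many DHCP client hardware addresses on one port), a rogue DHCP server (DHCPOFFER arriving on an untrusted port) and STP manipulation (BPDUs arriving on an access port). The frame records, the port names, the trusted-uplink set and the thresholds are all constructed assumptions; in practice the records would come from a span-port capture, and the thresholds would mirror whatever port-security and DHCP snooping limits the switch is supposed to enforce.

```python
"""Flag layer-2 attack signatures in a stream of per-port frame records.

Editor's example, not code from the original post.  Each record is a plain
dict (port, src, dst, kind, and chaddr for DHCP DISCOVERs) standing in for a
decoded frame; all values below are constructed sample data.
"""
from collections import defaultdict

TRUSTED_PORTS = {"Gi0/24"}   # assumed uplinks allowed to send DHCPOFFER / BPDUs
MAC_LIMIT = 3                # assumed port-security ceiling on an access port
DISCOVER_LIMIT = 5           # assumed ceiling on distinct DHCP client MACs per port


def analyze(frames, trusted=TRUSTED_PORTS, mac_limit=MAC_LIMIT,
            discover_limit=DISCOVER_LIMIT):
    """Return a list of (finding, port, detail) tuples for the given frames."""
    src_macs = defaultdict(set)       # port -> distinct source MACs seen
    dhcp_clients = defaultdict(set)   # port -> distinct DHCP chaddr values seen
    findings = []

    for f in frames:
        port, src, kind = f["port"], f["src"], f["kind"]
        src_macs[port].add(src)
        if kind == "dhcp_discover":
            dhcp_clients[port].add(f["chaddr"])
        elif kind == "dhcp_offer" and port not in trusted:
            # A DHCP server answering from a non-uplink port: rogue gateway setup
            findings.append(("rogue_dhcp_server", port, src))
        elif kind == "bpdu" and port not in trusted:
            # End hosts never speak STP; a BPDU here is a root/topology attack attempt
            findings.append(("bpdu_on_access_port", port, src))

    for port, macs in src_macs.items():
        if port not in trusted and len(macs) > mac_limit:
            findings.append(("mac_flooding", port, len(macs)))
    for port, clients in dhcp_clients.items():
        if len(clients) > discover_limit:
            findings.append(("dhcp_starvation", port, len(clients)))
    return findings


def sample_frames():
    """Constructed traffic: a normal host, a MAC flooder, a DHCP starver,
    a rogue DHCP server, an STP talker on an access port, and a trusted uplink."""
    bcast, stp = "ff:ff:ff:ff:ff:ff", "01:80:c2:00:00:00"
    frames = [dict(port="Gi0/1", src="00:11:22:33:44:01", dst=bcast, kind="data")]
    # Gi0/5: CAM overflow, every frame carries a fresh source MAC
    for i in range(50):
        frames.append(dict(port="Gi0/5", src=f"02:aa:aa:aa:00:{i:02x}",
                           dst=bcast, kind="data"))
    # Gi0/7: DHCP starvation that keeps ONE source MAC but rotates chaddr.
    # This variant stays under a per-port MAC limit, so a DHCP snooping rate
    # limit on DISCOVERs, not port security, is the control that catches it.
    for i in range(20):
        frames.append(dict(port="Gi0/7", src="00:11:22:33:44:07", dst=bcast,
                           kind="dhcp_discover", chaddr=f"02:bb:bb:bb:00:{i:02x}"))
    # Gi0/9: rogue DHCP server answering on an access port
    frames.append(dict(port="Gi0/9", src="00:11:22:33:44:09", dst=bcast, kind="dhcp_offer"))
    # Gi0/3: BPDU from an access port
    frames.append(dict(port="Gi0/3", src="00:11:22:33:44:03", dst=stp, kind="bpdu"))
    # Gi0/24: trusted uplink, legitimately carries DHCP offers and BPDUs
    frames.append(dict(port="Gi0/24", src="00:11:22:33:44:24", dst=bcast, kind="dhcp_offer"))
    frames.append(dict(port="Gi0/24", src="00:11:22:33:44:24", dst=stp, kind="bpdu"))
    return frames


if __name__ == "__main__":
    for finding, port, detail in analyze(sample_frames()):
        print(f"{port:8} {finding:22} {detail}")
```

Running it lists one finding per attacking port and nothing for Gi0/1 or the trusted uplink. The constant-source-MAC starvation case on Gi0/7 is the one worth noting during a test: it is why "MAC limits per port" alone are not a complete answer to DHCP starvation.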
