this is a quick post about vlan hacking, or more accurately vlan abuse.

specifically, this post will cover how to abuse cisco switches and the DTP (dynamic trunking protocol).

why is this important? typically, most environments segment servers, workstations, management, etc., into different vlans. if they (mis)configure the switch, you could potentially jump onto the management subnet (where things are usually much less protected) from a user subnet.

in a nutshell, we are taking advantage of a misconfigured switch, not really doing any “hacking”.

here is part of the cisco config i am working off of (the switch stack i was working with was two 3750x’s):

interface GigabitEthernet1/0/1
!
interface GigabitEthernet1/0/2
switchport voice vlan 200
spanning-tree portfast
!
interface GigabitEthernet1/0/3
switchport trunk encapsulation dot1q
switchport trunk native vlan 100
switchport mode trunk
!
interface GigabitEthernet1/0/4
switchport access vlan 100
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/5
switchport access vlan 100
switchport mode access
switchport voice vlan 200
spanning-tree portfast
!
interface GigabitEthernet1/0/6
switchport access vlan 100
switchport trunk encapsulation dot1q
switchport trunk native vlan 100
switchport trunk allowed vlan 100,200,300,400
switchport mode trunk
!
interface GigabitEthernet1/0/7
switchport trunk encapsulation dot1q
switchport trunk native vlan 100
switchport trunk allowed vlan 100
switchport mode trunk
!
interface GigabitEthernet1/0/8
description management subnet
switchport access vlan 400
switchport mode access

looking at the above config, there are issues with the way interfaces 1, 2, 3, and possibly 6 are configured.

ports 1, 2, and 3 are in an auto-negotiate state, which is great as an attacker: i get to call the shots. in this example, the admin got lazy on port 6 and just gave that port access to every vlan. there are situations where a port might need access to every vlan, so you can't say this is "wrong". likewise, port 7 accomplishes what you want (restricting access to vlan 100 only), but best practice says this should be done in access mode, not trunk.

to abuse DTP, i used a tool built into backtrack 5 called yersinia. it's a tool with a modular architecture, designed to be flexible enough to add other protocols down the line. by default, it gives you the ability to view/edit/attack things like CDP, VTP, STP, DTP, etc.

here's how the attack works:

  1. plug your backtrack box into a port, start up yersinia (in GTK mode), and wait (no need to get an IP yet). notice in the screenshot below i see some DTP traffic and the status is ACCESS/AUTO. this means we can dictate what mode the switch port should be in.

  2. start the attack by clicking "Launch attack", going to the DTP tab, selecting the "enabling trunking" radio button and hitting "OK".

  3. if the attack is successful, you should see the port status in DTP go from ACCESS/AUTO to TRUNK/AUTO.

  4. now, flip over to the 802.1Q tab and wait. you should see all available vlans show up in the vlan column, and ARP should cough up some IPs that we can explore. in this case, you can see there is some traffic on VLAN 400 with IPs of 10.4.1.x. that's what i will target next.

  5. now that we have a target, i need to get on that VLAN and give myself an IP address. to do that in backtrack, i need to load the 802.1q module, set an interface to VLAN 400, bring up the interface, and give the new interface an IP address.

    here are those commands:

    modprobe 8021q                                          # load the 802.1q vlan tagging module
    vconfig add eth1 400                                    # create the tagged sub-interface eth1.400
    ip link set eth1.400 up                                 # bring the new interface up
    ifconfig eth1.400 10.4.1.3 netmask 255.255.255.0 up     # give it an address on the vlan 400 subnet

  6. now to test

in summary, because of a misconfigured vlan, i was able to change my port from access mode (restrictive) to trunk mode (potentially less restrictive) using DTP, enumerate other vlans with PVST, identify IPs with ARP, and jump over to the management vlan with a valid IP.

the fix is quite simple. use access mode wherever possible, and if you are going to enable trunk mode, be sure to restrict which vlans are visible/allowed on it.
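as an added example (not from the original post), here is a small python script that reads interface stanzas like the ones above and flags the conditions the fix is about: ports left at the default negotiating mode, trunks that still talk DTP because 'switchport nonegotiate' is missing, and trunks with no allowed-vlan list. the trimmed sample config and the assumption that an unconfigured 3750 port defaults to dynamic auto are mine.

```python
# Constructed sample, not the post's full config: a few of the stanzas shown above.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
!
interface GigabitEthernet1/0/2
 switchport voice vlan 200
!
interface GigabitEthernet1/0/3
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet1/0/6
 switchport trunk allowed vlan 100,200,300,400
 switchport mode trunk
!
interface GigabitEthernet1/0/8
 switchport access vlan 400
 switchport mode access
"""
def parse_interfaces(config):
    """Split running-config text into {interface name: [config lines]}."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            stanzas[current] = []
        elif line == "!":
            current = None
        elif current is not None and line:
            stanzas[current].append(line)
    return stanzas

def audit_port(lines):
    """Return the DTP/trunking findings for one interface stanza."""
    findings = []
    modes = [l[len("switchport mode "):] for l in lines if l.startswith("switchport mode ")]
    mode = modes[-1] if modes else None  # None: port left at the platform default
    # Assumption: the default on these 3750 ports is dynamic auto, so an unconfigured port negotiates.
    if mode is None or mode.startswith("dynamic"):
        findings.append("negotiates DTP: set 'switchport mode access' (or trunk plus nonegotiate)")
    if mode == "trunk" and "switchport nonegotiate" not in lines:
        findings.append("trunk still exchanges DTP: add 'switchport nonegotiate'")
    if mode == "trunk" and not any(l.startswith("switchport trunk allowed vlan") for l in lines):
        findings.append("trunk carries every vlan: add 'switchport trunk allowed vlan <list>'")
    return findings

def audit_config(config):
    return {name: audit_port(lines) for name, lines in parse_interfaces(config).items()}
```

an empty findings list means the port is fine; run it against a saved 'show running-config' and read the rest.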

reference/note: this post is very similar to http://synjunkie.blogspot.com/2009/10/abusing-vlans-with-backtrack.html. the differences i found were:

  1. yersinia hangs in curses mode if you are running backtrack 5 in a vm. i had to use the GUI.
  2. the syntax for bringing up a vlan interface in backtrack 5 was different from backtrack 4, which synjunkie was using.