
Bypass a VPN, ACL, and VLAN

ECE 4112. Alaric Craig and Pritesh Patel.

Goal: bypass three layers of security (VPN, router ACLs, VLAN). Effectively, an outsider could bring an internal network down with a DoS.

Method: exploit an authenticated remote machine; use the established VPN tunnel


Presentation Transcript


  1. Bypass a VPN, ACL, and VLAN
     ECE 4112
     Alaric Craig and Pritesh Patel

  2. Goal
     • Bypass three layers of security
       - VPN
       - Router ACLs
       - VLAN
     • Effectively, an outsider could bring an internal network down with a DoS.

  3. Method
     • Exploit an authenticated remote machine
     • Use the established VPN tunnel
     • Send traffic that bypasses router ACLs and crosses VLANs.

  4. How
     • Use Sub7 to create a backdoor to the remote machine.
     • From the remote machine, use the existing VPN tunnel to communicate inside the network.
     • With access established, perform a VLAN hopping attack.

  5. Sub7
     • Trojan horse used to gain root-level access
     • Many fun modules
       - Keylogging
       - Enable telnet and ftp
       - Tic tac toe
       - Realistic Matrix

  6. In our case

  7. VPN Bypassed
     • Once into the remote machine, telnet to the VLAN 1 machine and send VLAN hopping traffic.
     • VPNs used: Cisco VPN concentrator and OpenVPN. Once the connection is set up, the prompt can be used to send traffic to the internal machine.

  8. VLANs
     • Virtual Local Area Networks
     • A logical grouping of devices or users
     • Users can be grouped by function, department, or application, regardless of physical segment location
     • VLAN configuration is done at the switch (Layer 2)

  9. VLAN Membership
     • Static VLAN assignment: port-based membership. Membership is determined by the port on the switch and not by the host.
     • Dynamic VLAN assignment: membership is determined by the host's MAC address. The administrator has to create a database of MAC address to VLAN mappings.

  10. VLAN Communication
     • VLANs cannot communicate with each other, even when they exist on the same switch
     • For VLANs to communicate, they must pass through a router
     • Each VLAN is required to have at least one gateway to route packets in and out of the network

  11. VLAN Trunking
     • Trunking allows us to cascade multiple switches, using the trunk ports to interconnect them
     • Trunk ports act as a dedicated path for each VLAN between switches
     • The trunk port is a member of all configured VLANs

  12. VLAN Tagging
     • Two dominant tagging technologies:
       - Inter-Switch Link (ISL) (Cisco proprietary technology)
       - IEEE 802.1q (industry-adopted standard)

  13. VLAN Network Setup ACL

  14. Access Control List
     Router ACLs:

     Standard IP access list ADMIN
         10 permit 192.168.0.0, wildcard bits 0.0.151.255
         20 permit 57.35.0.0, wildcard bits 0.0.159.255
         30 deny   any log
     Extended IP access list ACCT
         10 permit icmp any any echo-reply
         20 deny ip 10.1.10.0 0.0.0.255 192.168.0.0 0.0.151.255
         30 permit ip 57.35.0.0 0.0.159.255 192.168.0.0 0.0.151.255
         40 deny ip any any log
     Extended IP access list IT
         10 permit icmp any any echo-reply (24 matches)
         90 deny ip 10.1.10.0 0.0.0.255 57.35.0.0 0.0.159.255
         100 deny ip 192.168.0.0 0.0.151.255 57.35.0.0 0.0.159.255
         110 deny ip any any log

  15. ACL Demonstration

  16. Switch Default Configuration
     • Dynamic Trunking Protocol (DTP) automates ISL/802.1q trunk configurations
     • DTP states:
       - On: "I want to be a trunk and I don't care what you think!" State used when the other switch does not understand DTP.
       - Off: "I don't want to be a trunk and I don't care what you think!" State used when the configured port is not intended to be a trunk port.
       - Desirable: "I'm willing to become a VLAN trunk; are you interested?" State used when the switch is interested in being a trunk.
       - Auto: "I'm willing to go with whatever you want!" This is the default on many switches.
       - Non-Negotiate: "I want to trunk, and this is what kind of trunk I will be!"
     • Native VLAN set to VLAN 1

  17. VLAN Hopping Attacks
     • These attacks are designed to allow the attacker to bypass the Layer 3 device
     • The attack takes advantage of incorrectly configured trunk ports on network switches

  18. VLAN Hopping Attacks
     • Basic VLAN Hopping Attack
       1. The attacker fools the switch into thinking that he is a switch that needs trunking
       2. The attack needs a trunking-favorable setting such as Auto to succeed
       3. The attacker is now a member of all trunked VLANs on the switch and can send and receive data on those VLANs

  19. VLAN Hopping Attacks
     • Double Encapsulated VLAN Hopping Attack
       1. Switches perform only one level of IEEE 802.1q decapsulation
       2. This allows the attacker to specify a second .1q tag inside the frame, allowing the frame to go to a VLAN that the outer tag did not specify.
       3. This attack works even if trunk ports are set to Off

  20. Identification of VLAN Tags Using Ethereal
     • VLAN Tag: 81 00 0n nn
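
Added example (not part of the original slides): a parser that finds the `81 00 0n nn` tag pattern from slide 20 in a raw Ethernet frame and flags the stacked tags that slide 19 describes, for use in capture analysis or detection. The frames are constructed with placeholder MAC addresses, and the function names and the `native_vlan` parameter are hypothetical.

```python
import struct

TPID_8021Q = 0x8100  # the "81 00" bytes; the next two bytes carry priority and VLAN ID

def vlan_tags(frame):
    """Return ([tags, outermost first], inner EtherType) for a raw Ethernet frame."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    offset, tags = 12, []  # EtherType/TPID follows the two 6-byte MAC addresses
    (ethertype,) = struct.unpack_from("!H", frame, offset)
    while ethertype == TPID_8021Q:
        if len(frame) < offset + 6:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack_from("!HH", frame, offset + 2)
        tags.append({"pcp": tci >> 13, "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF})
        offset += 4
    return tags, ethertype

def build_frame(vids, payload=b"\x00" * 46):
    """Constructed test frame: placeholder MACs, the given tag stack, IPv4 EtherType."""
    header = bytes.fromhex("020000000002") + bytes.fromhex("020000000001")
    stack = b"".join(struct.pack("!HH", TPID_8021Q, vid) for vid in vids)
    return header + stack + struct.pack("!H", 0x0800) + payload

def inspect_frame(frame, native_vlan=1):
    """Summarise the tag stack and flag frames carrying more than one 802.1Q tag."""
    tags, ethertype = vlan_tags(frame)
    vids = [t["vid"] for t in tags]
    return {
        "vids": vids,
        "ethertype": ethertype,
        "double_tagged": len(vids) >= 2,
        # An outer tag equal to the trunk's native VLAN is the case a switch strips.
        "outer_is_native": bool(vids) and vids[0] == native_vlan,
    }
```

A frame arriving on an access port with `double_tagged` set is worth alerting on, since hosts on access ports normally send untagged traffic.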

  21. VLAN Hopping Attack Using Tcpreplay
