Bypass a VPN, ACL, and VLAN ECE 4112 Alaric Craig and Pritesh Patel

Goal  Bypass three layers of security VPN VPN Router ACLs Router ACLs VLAN VLAN  Effectively, an outsider could bring an internal network down with a DOS.

Method  Exploit authenticated remote machine  Use the established VPN tunnel  Send traffic that bypasses Router ACLs and cross VLANs.

How  Use Sub7 to create a backdoor to the remote machine.  From remote machine, use existing vpn tunnel to communicate inside the network.  Now have access, perform VLAN Hopping attack.

Sub 7  Trojan Horse use to gain root level access  Many fun modules Keylogging Keylogging Enable telnet and ftp Enable telnet and ftp Tic tac toe Tic tac toe Realistic Matrix Realistic Matrix

In our case

VPN Bypassed  Once into the remote machine, telnet to VLAN 1 machine. A send vlan hopping traffic  VPN’s used: Cisco VPN concentrator and OpenVpn. Once connection setup, the prompt can be used to send traffic to the internal machine.

VLANs  Virtual Local Area Networks  A logical grouping of devices or users  Users can be grouped by function, department, application, regardless of physical segment location  VLAN configuration is done at the switch (Layer 2)

VLAN Membership  Static VLAN Assignment - Port based membership: Membership is determined by the port on the switch on determined by the port on the switch on not by the host. not by the host.  Dynamic VLAN Assignment - Membership is determined by the host’s MAC address. Administrator has to MAC address. Administrator has to create a database with MAC addresses and create a database with MAC addresses and VLAN mappings VLAN mappings

VLAN Communication VLANS cannot communicate with each other VLANS cannot communicate with each other even when they exist on the same switch For VLANS to communicate they must pass through a router For VLANS to communicate they must pass through a router Each VLAN is required to have at least one gateway to route packets in and out of the network Each VLAN is required to have at least one gateway to route packets in and out of the network

VLAN Trunking  Trunking allows us to cascade multiple switches using the trunk ports to interconnect them  Trunk ports act as a dedicated path for each VLAN between switches  The trunk port is a member of all configured VLANs

VLAN Tagging  Two dominant tagging technologies: - Inter Switch Link (ISL) (Cisco Proprietary - Inter Switch Link (ISL) (Cisco Proprietary Technology) Technology) - IEEE 802.1q (Industry Adopted - IEEE 802.1q (Industry Adopted Standard) Standard)

VLAN Network Setup

Access Control List Router ACLs: Standard IP access list ADMIN 10 permit , wildcard bits permit , wildcard bits permit , wildcard bits permit , wildcard bits deny any log 30 deny any log Extended IP access list ACCT 10 permit icmp any any echo-reply 10 permit icmp any any echo-reply 20 deny ip deny ip permit ip permit ip deny ip any any log 40 deny ip any any log Extended IP access list IT 10 permit icmp any any echo-reply (24 matches) 10 permit icmp any any echo-reply (24 matches) 90 deny ip deny ip deny ip deny ip deny ip any any log 110 deny ip any any log

ACL Demonstration

Switch Default Configuration  Dynamic Trunking Protocol (DTP) automates ISL/802.1q trunk configurations  DTP States: On: "I want to be a trunk and I don't care what you think!" State used when the other switch does not understand DTP. On: "I want to be a trunk and I don't care what you think!" State used when the other switch does not understand DTP. Off: "I don't want to be a trunk and I don't care what you think!" State used when the configured port is not intended to be a trunk port. Off: "I don't want to be a trunk and I don't care what you think!" State used when the configured port is not intended to be a trunk port. Desirable: "I'm willing to become a VLAN trunk; are you interested?" State used when the switch is interested in being a trunk. Desirable: "I'm willing to become a VLAN trunk; are you interested?" State used when the switch is interested in being a trunk. Auto: "I'm willing to go with whatever you want!" This is the default on many switches. Auto: "I'm willing to go with whatever you want!" This is the default on many switches. Non-Negotiate: "I want to trunk, and this is what kind of trunk I will be!“ Non-Negotiate: "I want to trunk, and this is what kind of trunk I will be!“  Native VLAN set to VLAN 1

VLAN Hopping Attacks  These attacks are designed to allow the attacker to bypass the Layer 3 device  The attack takes advantage of incorrectly configured trunk ports on network switches

VLAN Hopping Attacks  Basic VLAN Hopping Attack 1. Attacker fools switch into thinking that he is a switch that needs trunking he is a switch that needs trunking 2. The attack needs a trunking favorable setting such as Auto to succeed 3. The attacker is now a member of all 3. The attacker is now a member of all trunked VLANs on the switch and he send and receive data on those VLANs send and receive data on those VLANs

VLAN Hopping Attacks  Double Encapsulated VLAN Hopping Attack 1. Switches perform only one level of IEEE 802.1q decapsulation 802.1q decapsulation 2. This allows the attacker to specify a.1q 2. This allows the attacker to specify a.1q tag inside the frame, allowing the frame tag inside the frame, allowing the frame to go to a VLAN that the outer tag did to go to a VLAN that the outer tag did specify. specify. 3. This attack works even if Trunk ports are 3. This attack works even if Trunk ports are set to OFF set to OFF

Identification of VLAN Tags Using Ethereal VLAN Tag n nn

VLAN Hopping Attack Using Tcpreplay