Let's just go ahead and use DTP & VLAN 1… Part 1: Attacking DTP – getting those server files

In my previous post, I discussed the vulnerabilities introduced by using the defaults of DTP and VLAN 1, along with ways to mitigate them. This post reviews a basic example of attacking DTP.

To make things easier to follow, the following diagram will be used throughout the series:

[Figure: network diagram]

Before the attack, for demonstration purposes, we verify that the attacker’s switchport (fa 0/14) is not a trunk:

[Screenshot]

We will also verify that the attacker cannot access the target server (due to the router’s ACL):

[Screenshot]

Now that we have verified that the attacker cannot gain access to the server, we can begin the attack.

The first phase of the attack is to trick the switch into thinking it's connected to another switch and negotiating a trunk link. This is done by spoofing DTP packets, which can be seen below:

[Screenshot]

We can see the switch port flap as it resets, and then verify that the attacker’s port is now a trunk:

[Screenshot]

Now that the switch believes it's connected to another switch via a trunk connection, it's possible to create virtual interfaces for any VLAN allowed across the trunk (all by default):

[Screenshot]

As can be imagined, with the attacker able to trick the connected switch into thinking s/he is also a switch, almost anything is possible. For today, we will simply pull a file off the server, which is supposed to be protected by an ACL on the router:

[Screenshot]

[Screenshot: passwords]

With DTP enabled on a port, it takes a matter of seconds to trick a switch into thinking it's connected to another switch. This is why it's very important to configure any port that is not a trunk port in use as an access port, along with other appropriate security configurations.
