
Bypass a VPN, ACL, and VLAN ECE 4112 Alaric Craig and Pritesh Patel.


1 Bypass a VPN, ACL, and VLAN ECE 4112 Alaric Craig and Pritesh Patel

2 Goal
- Bypass three layers of security: VPN, router ACLs, VLAN.
- Effectively, an outsider could bring an internal network down with a DoS.

3 Method
- Exploit an authenticated remote machine.
- Use the established VPN tunnel.
- Send traffic that bypasses router ACLs and crosses VLANs.

4 How
- Use Sub7 to create a backdoor to the remote machine.
- From the remote machine, use the existing VPN tunnel to communicate inside the network.
- With access established, perform a VLAN hopping attack.

5 Sub7
- Trojan horse used to gain root-level access.
- Many fun modules: keylogging, enable telnet and ftp, tic tac toe, realistic Matrix.

6 In our case

7 VPN Bypassed
- Once into the remote machine, telnet to the VLAN 1 machine and send VLAN hopping traffic.
- VPNs used: Cisco VPN concentrator and OpenVPN. Once the connection is set up, the prompt can be used to send traffic to the internal machine.

8 VLANs
- Virtual Local Area Networks: a logical grouping of devices or users.
- Users can be grouped by function, department, or application, regardless of physical segment location.
- VLAN configuration is done at the switch (Layer 2).

9 VLAN Membership
- Static VLAN assignment (port-based membership): membership is determined by the port on the switch, not by the host.
- Dynamic VLAN assignment: membership is determined by the host's MAC address. The administrator has to create a database with MAC addresses and VLAN mappings.

10 VLAN Communication
- VLANs cannot communicate with each other, even when they exist on the same switch.
- For VLANs to communicate they must pass through a router.
- Each VLAN is required to have at least one gateway to route packets in and out of the network.

11 VLAN Trunking
- Trunking allows us to cascade multiple switches, using the trunk ports to interconnect them.
- Trunk ports act as a dedicated path for each VLAN between switches.
- The trunk port is a member of all configured VLANs.

12 VLAN Tagging
- Two dominant tagging technologies:
  - Inter-Switch Link (ISL) (Cisco proprietary technology)
  - IEEE 802.1Q (industry-adopted standard)

13 VLAN Network Setup

14 Access Control List
Router ACLs:

Standard IP access list ADMIN
    10 permit 192.168.0.0, wildcard bits 0.0.151.255
    20 permit 57.35.0.0, wildcard bits 0.0.159.255
    30 deny any log
Extended IP access list ACCT
    10 permit icmp any any echo-reply
    20 deny ip 10.1.10.0 0.0.0.255 192.168.0.0 0.0.151.255
    30 permit ip 57.35.0.0 0.0.159.255 192.168.0.0 0.0.151.255
    40 deny ip any any log
Extended IP access list IT
    10 permit icmp any any echo-reply (24 matches)
    90 deny ip 10.1.10.0 0.0.0.255 57.35.0.0 0.0.159.255
    100 deny ip 192.168.0.0 0.0.151.255 57.35.0.0 0.0.159.255
    110 deny ip any any log
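Cisco wildcard masks are evaluated bit by bit (a 0 bit must match, a 1 bit is ignored), so the non-contiguous mask 0.0.151.255 on this slide does not cover a clean subnet. The following added example (not from the presentation) models the ACCT list above and walks packets through it first-match-wins; the ICMP echo-reply entry is represented by the constructed protocol label "icmp-echo-reply".

```python
import ipaddress

def ip_int(s):
    return int(ipaddress.IPv4Address(s))

def wildcard_match(addr, base, wildcard):
    """True when addr matches base under a Cisco wildcard mask (1 bits = don't care)."""
    diff = ip_int(addr) ^ ip_int(base)
    care = (~ip_int(wildcard)) & 0xFFFFFFFF
    return (diff & care) == 0

ANY = ("0.0.0.0", "255.255.255.255")

# Extended IP access list ACCT as shown on slide 14:
# (seq, action, protocol, (src_base, src_wildcard), (dst_base, dst_wildcard))
ACCT = [
    (10, "permit", "icmp-echo-reply", ANY, ANY),
    (20, "deny",   "ip", ("10.1.10.0", "0.0.0.255"),    ("192.168.0.0", "0.0.151.255")),
    (30, "permit", "ip", ("57.35.0.0", "0.0.159.255"),  ("192.168.0.0", "0.0.151.255")),
    (40, "deny",   "ip", ANY, ANY),
]

def evaluate(acl, proto, src, dst):
    """Return (action, seq) of the first matching entry; implicit deny if nothing matches."""
    for seq, action, aproto, (sb, sw), (db, dw) in acl:
        if aproto != "ip" and aproto != proto:   # "ip" covers every IP protocol
            continue
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action, seq
    return "deny", None

if __name__ == "__main__":
    for proto, src, dst in [("tcp", "10.1.10.5", "192.168.3.7"),
                            ("tcp", "57.35.10.1", "192.168.151.1"),
                            ("tcp", "57.35.64.1", "192.168.0.1")]:
        print(proto, src, "->", dst, evaluate(ACCT, proto, src, dst))
```

Note that 192.168.32.0 does not match 192.168.0.0 with wildcard 0.0.151.255 (bit 5 of the third octet is a "must match" bit), which is the kind of gap a wildcard audit should surface.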

15 ACL Demonstration

16 Switch Default Configuration
- Dynamic Trunking Protocol (DTP) automates ISL/802.1Q trunk configuration.
- DTP states:
  - On: "I want to be a trunk and I don't care what you think!" State used when the other switch does not understand DTP.
  - Off: "I don't want to be a trunk and I don't care what you think!" State used when the configured port is not intended to be a trunk port.
  - Desirable: "I'm willing to become a VLAN trunk; are you interested?" State used when the switch is interested in being a trunk.
  - Auto: "I'm willing to go with whatever you want!" This is the default on many switches.
  - Non-Negotiate: "I want to trunk, and this is what kind of trunk I will be!"
- Native VLAN set to VLAN 1.

17 VLAN Hopping Attacks
- These attacks are designed to allow the attacker to bypass the Layer 3 device.
- The attack takes advantage of incorrectly configured trunk ports on network switches.

18 VLAN Hopping Attacks
- Basic VLAN hopping attack:
  1. The attacker fools the switch into thinking that he is a switch that needs trunking.
  2. The attack needs a trunking-favorable setting such as Auto to succeed.
  3. The attacker is now a member of all trunked VLANs on the switch and can send and receive data on those VLANs.

19 VLAN Hopping Attacks
- Double-encapsulated VLAN hopping attack:
  1. Switches perform only one level of IEEE 802.1Q decapsulation.
  2. This allows the attacker to specify a second .1Q tag inside the frame, so that once the outer tag is stripped the frame goes to a VLAN other than the one the outer tag specified.
  3. This attack works even if trunk ports are set to Off.

20 Identification of VLAN Tags Using Ethereal
- VLAN tag: 81 00 0n nn. 0x8100 is the 802.1Q tag protocol identifier; the next two bytes are the tag control information, whose low 12 bits (the "nnn" nibbles) carry the VLAN ID.
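The double-tagged frames of slide 19 and the 81 00 0n nn byte pattern of slide 20 can be checked from a capture: a frame carrying two stacked 0x8100 tags, or a tagged frame for the native VLAN, is something a switch should never legitimately see on an access port. This added example (not code from the presentation) parses stacked 802.1Q tags from raw Ethernet bytes and classifies each frame; the frames it inspects are constructed inline, and the VLAN IDs and MAC addresses are made-up sample values.

```python
import struct

ETHERTYPE_8021Q = 0x8100   # the "81 00" bytes shown in the Ethereal slide

def parse_vlan_tags(frame):
    """Walk stacked 802.1Q headers after the 12-byte MAC pair.
    Returns (tags, inner_ethertype, payload_offset) with tags as (pcp, dei, vid)."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    offset, tags = 12, []
    while True:
        ethertype = struct.unpack_from("!H", frame, offset)[0]
        if ethertype != ETHERTYPE_8021Q:
            return tags, ethertype, offset + 2
        if len(frame) < offset + 6:
            raise ValueError("truncated 802.1Q tag")
        tci = struct.unpack_from("!H", frame, offset + 2)[0]   # the "0n nn" bytes
        tags.append(((tci >> 13) & 0x7, (tci >> 12) & 0x1, tci & 0x0FFF))
        offset += 4   # skip TPID + TCI and look at the next ethertype

def classify(frame, native_vid=1):
    """Flag frames that match the slide's hopping patterns; native VLAN 1 is the slide's default."""
    tags, _, _ = parse_vlan_tags(frame)
    if len(tags) >= 2:
        return "double-tagged"          # only the outer tag gets stripped, inner tag survives
    if len(tags) == 1 and tags[0][2] == native_vid:
        return "tagged-native"          # native VLAN should normally arrive untagged
    return "normal"

def build_frame(vids, ethertype=0x0800, payload=b"\x00" * 46):
    """Constructed sample frame with the given stack of VLAN IDs (test input, not a capture)."""
    frame = bytes.fromhex("ffffffffffff") + bytes.fromhex("02000000000a")  # made-up MACs
    for vid in vids:
        frame += struct.pack("!HH", ETHERTYPE_8021Q, vid & 0x0FFF)
    return frame + struct.pack("!H", ethertype) + payload

if __name__ == "__main__":
    for vids in ([], [10], [1], [1, 20]):
        print(vids, classify(build_frame(vids)))
```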

21 VLAN Hopping Attack Using Tcpreplay
