Monday, December 26, 2016

Bypass VTY access lists with Linux and Yersinia

AS ALWAYS, DON'T DO THIS OUTSIDE YOUR LAB UNLESS YOU HAVE PERMISSION FROM THE NETWORK OWNER!

It's a Cisco security best practice to put access control lists on VTY lines to protect the management plane from unauthorized login attempts. Most organizations that follow this best practice restrict access to a management vlan, not specific IP addresses.

What if you are in an area where none of the edge switches have the management vlan configured on a port? Are you dead in the water? Maybe not. I have found that one Cisco security best practice that most companies don't follow is to shut down unused ports, and they configure unused fiber ports as trunks or leave them defaulted. There is usually at least one SFP module that is empty, not shutdown and configured as a trunk.

These oversights will let us get onto that management vlan and bypass the ACLs that would block us if we were connected to a non-management vlan access port! In the case of the fiber port you will need a copper SFP module (GLT). If you don't have one of these in your pen test tool kit I recommend purchasing one. They can be found on eBay for around $30.

This example assumes that you know the vlan ID of the management vlan. That is information that you will have to have gotten by some means - social engineering, foot printing, requesting a copy of the config with the passwords removed, etc. Remember the Marine Corps motto - Improvise, Adapt, Overcome! Later in the blog I will show you how to use Wireshark to figure out all the active vlans.

In my lab I have a 3750 with Vlan 100 configured like this:
interface Vlan100
 ip address 172.30.103.2 255.255.255.240
 no ip redirects
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 7 112A3A2B36
end

access-list 10 permit 172.30.103.0 0.0.0.15
access-list 10 deny any log

line vty 0 4
 access-class 10 in
end

To log in using SSH you must be on Vlan 100.

My laptop has eth0 configured with 192.168.10.172/24.

Here is a log entry from trying to log in from Eth0:
%SEC-6-IPACCESSLOGNP: list 10 denied 0 192.168.10.172 -> 0.0.0.0, 1 packet

Let's get started


Insert the GLT SFP module and connect an Ethernet cable to your laptop.

Configure Linux to use Vlans

I'm running Ubuntu 14.04 LTS. I took the setup of Linux for Vlans from the "HowTo: Configure Linux Virtual Local Area Network" nixCraft article listed in the Reference section. The nixCraft site is a great resource for Linux information.

Install the "vlan" package:

sudo apt install vlan

Load the Vlan tagging kernel driver

When the vlan package finishes installing, check to see if the 802.1q kernel driver is loaded:
lsmod | grep 8021q

if not loaded, run the following:

sudo modprobe 8021q 

Then check again:

lsmod | grep 8021q
8021q     28672 0
garp        16384 1 8021q
mrp          0480 1 8021q

Create the Vlan subinterface

sudo vconfig add eth0 100


Add an IP address

sudo ip addr add 172.30.103.4/28 dev eth0.100

Bring the Interface up

sudo ip link set up eth0.100


To view the interface:

ifconfig eth0.100
eth0.100  Link encap:Ethernet  HWaddr 80:fa:5b:31:de:85
          inet addr:172.30.103.4  Bcast:0.0.0.0  Mask:255.255.255.240
          inet6 addr: fe80::82fa:5bff:fe31:de85/64 Scope:Link

          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:369 errors:0 dropped:0 overruns:0 frame:0
          TX packets:153 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:23360 (23.3 KB)  TX bytes:20761 (20.7 KB)
or

ip addr show dev eth0.100
6: eth0.100@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether 80:fa:5b:31:de:85 brd ff:ff:ff:ff:ff:ff
    inet 172.30.103.4/28 scope global eth0.100
       valid_lft forever preferred_lft forever
    inet6 fe80::82fa:5bff:fe31:de85/64 scope link
       valid_lft forever preferred_lft forever

At this point you should be able to ping the switch from Vlan 100:

mhubbard@1S1K-SYS76:~$ ping -I eth0.100 172.30.103.2
PING 172.30.103.2 (172.30.103.2) from 172.30.103.4 eth0.100: 56(84) bytes of data.
64 bytes from 172.30.103.2: icmp_seq=1 ttl=255 time=7.71 ms
64 bytes from 172.30.103.2: icmp_seq=2 ttl=255 time=2.13 ms
64 bytes from 172.30.103.2: icmp_seq=3 ttl=255 time=0.917 ms

Remove the Vlan config when finished

sudo vconfig rem eth0.100

You will see:
Removed VLAN -:eth0.100:-

Making the vlan permanent


1. Add the module to the kernel on boot:

sudo su -c 'echo "8021q" >> /etc/modules'

2. Create the interface and make it available when the system boots. Add the following lines to /etc/network/interfaces (change the values according to your scenario):

auto eth0.100
iface eth0.100 inet static
    address 172.30.103.4
    netmask 255.255.255.0
    vlan-raw-device eth0


Configure VMware workstation to use the VLAN interface.

Now you can setup VMware Workstation so that you use a Windows or Linux VM. It's pretty easy,  start the Vmware Virtual Network Editor. Click the drop down next to "Bridged To:" and select eth0.100. Save and exit the editor. 



Here is a screen shot showing the Windows VM's network settings and a putty session showing me logged into the switch. You can see that the VM has an IP on the same subnet as the switch, the MAC Address of the Windows VM on the switch port and that the MAC is connected to vlan 100.


Capturing VLAN tagged traffic with Wireshark

The Wireshark Wiki had the information I needed to set Wireshark up to capture traffic on the Vlan interface. It turned out to be just a matter of selecting Eth0 as the capture interface! Below is a screenshot of a ping sent to the switch.


Find the VLANS that are in use

While in Wireshark you can set the display filter to STP and figure out which Vlans are in use. Find packets with a destination of PVST+ and look at the Packet Details pane. You will see a section labeled 802.1Q Virtural LAN. The Vlan ID will be the the last entry. You can work your way down the PVST+ packets and discover all active Vlans.



You can also see active vlans in the Packet List pane in the "Info" column


If CDP is enabled

If the port you are connected to has CDP enabled you can view a lot of useful information. Set the display filter to CDP. Select a packet and look at the Packet Details pane. You can see that CDP gives out a lot of information that could be useful.


But what if the Fiber port is shut down or not a Trunk?

Here we will rely on a port (Fibre or Copper) being in a default state. In the default state a switch port allows trunk negotiation. A Cisco security best practice is shut down unused ports but we know that isn't typical. 

Another Cisco security best practice is to disable DTP negotiation on a port using "switchport nonegotiate" but that is also seldom done.

In the code below I ran "default int g1/010" and then "sh int g1/0/10 sw" to show that the default does turn on trunk negotiation.

3750x(config)#defa int g1/0/10
Interface GigabitEthernet1/0/10 set to default configuration
3750x(config)#end

3750x#sh int g1/0/10 sw
Name: Gi1/0/10
Switchport: Enabled
Administrative Mode: dynamic auto
Operational Mode: down
Administrative Trunking Encapsulation: negotiate
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)

Yersinia is the Tool we need now

Yersinia is an open source tool for Layer 2 attacks. In the references is a link to a Defcon video that shows some uses for Yersinia. It's not a technical deep dive for sure but it will get you started. It has many more capabilities than just negotiating a trunk. You should spend a couple hours working with it in your lab. It will cement your understanding of Layer 2 security issues.

Installing Yersinia is simple because it's in the Ubuntu repository:

sudo apt install yersinia

Once it's installed run:

sudo yersinia -G


That will start the GUI. Click on the DTP tab and then click "Launch Attack" select "enable trunking".


You can see under Status that the switch sent a DTP packet showing it's in the access/desirable mode.


Here is the output from my switch:


Inital port state


******************************************************************************
Hubbard#sh int f1/0/12 sw
Name: Fa1/0/12
Switchport: Enabled
Administrative Mode: dynamic auto
Operational Mode: static access
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: native
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk associations: none
Administrative private-vlan trunk mappings: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL

Protected: false
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Appliance trust: none
******************************************************************************

After the Attack


******************************************************************************
Hubbard#sh int f1/0/12 sw
Name: Fa1/0/12
Switchport: Enabled
Administrative Mode: dynamic auto
Operational Mode: trunk
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk associations: none
Administrative private-vlan trunk mappings: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL

Protected: false
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Appliance trust: none

******************************************************************************

For reference here are the Cisco port commands and trunking capabilities. Note that even though a port configured with "switchport mode access" will never be a trunk it still sends out DTP packets. It is a Cisco Security best practice to include "switchport nonegotiate" on access ports and trunk ports.

Configuration   Command on One Side Short Name Meaning To Trunk,   Other Side Must Be
switchport   mode trunk ;
switchport nonegotiate
Nonegotiate Always trunks on this   end; does not send DTP messages (good when other switch is a non-Cisco   switch) On
switchport   mode access;
switchport nonegotiate
Access (with   nonegotiate) Never trunks; does   not send DTP messages (Never trunks)
switchport mode trunk Trunk Always trunks on this end; sends DTP to help other side choose   to trunk On, desirable, auto
switchport mode dynamic   desirable Desirable Sends DTP messages, and trunks if negotiation succeeds On, desirable, auto
switchport mode dynamic auto Auto Replies to DTP messages, and trunks if negotiation succeeds On, desirable
switchport mode access Access Never trunks; sends DTP to help other side reach same   conclusion (Never trunks)


Conclusion

Now that we can access the management vlan and CDP has shown us the management IP address we can get up to some mischief! A couple good first steps would be

Brute Forcing Telnet Passwords with NMAP and Brute Forcing SNMP with NMAP. If you are successful pulling the configuration but not the telnet password try this Decrypting (recovering) Cisco Switch/Router/Firewall Passwords

Layer 2 security is often ignored because it's hard to imagine an evil employee. But if you follow Cisco's best practices for port security what I demonstrated here wouldn't be possible.

  • Shut down unused ports - You can't exploit a port that is shut down.
  • Use "switchport nonegotiate" on access ports so they don't send DTP packets.
  • Use "switchport nonegotiate" on trunk ports so they don't send DTP packets.
  • Use "switchport trunk native vlan X" on trunks. X should be an unused vlan number. This will prevent untagged traffic from accessing the network.
  • Don't leave ports in a default state - Use peer reviewed templates to configure switches so no mistakes are made.
If you create a template to configure switches these best practices are free and require no extra work. I have a blog on using Excel and Word to automate device configurations. Configure Network Devices with Excel and Word Mail Merge

References

VLAN capture setup - Wireshark setup
Experimenting with VLAN hopping
A VLAN Hopping Attack
VoIP Hopper - a VoIP Pen Testing tool
voice over misconfigured internet telephones - An interesting tool for playing back pcap captures.