Hacking VLANs/Packet Stealth

Thread: Hacking VLANs/Packet Stealth

  1. #1

    Hacking VLANs/Packet Stealth

    If a device in a VLAN is hacked, whether this be an internetworking device or a computer system of some type, wouldn't the hacker be able to see the other devices on different Virtual LANs by looking at the packets that are sent and received by that device? If this is true, would there be a way for one to have some type of packet stealth to prevent this?

    Brandon64
    The End Justifies The Means...

  2. #2
    Senior Member
    Join Date
    Sep 2001
    Posts
    1,027
    The only way this could be done is if the device in question was on a vlan trunk (a trunk being a segment that receives packets/frames from multiple vlans because devices on that segment (or a downstream segment) belong to different vlans). Usually, you don't have hosts (computers) sitting on a trunk segment, you would usually have trunks only between switches/routers (L3 switches). At the end of a trunk segment or when there's no trunking at all, (most often) the switch is set up to associate a vlan with certain port(s) so it only forwards frames for the determined vlan on that/those physical ports.

    On the other hand, if there is a device like a normal computer with a NIC that supports VLANs (intel pro/100 for example) sitting on a trunk segment, it would be possible to have it "sniff" all the vlans by configuring the NIC as a member of those vlans...

    Hope this helps a bit...

    Ammo

    Credit travels up, blame travels down -- The Boss

  3. #3
    What about the packets? Is there no way to encrypt them? Thanks!
    The End Justifies The Means...

  4. #4
    Senior Member
    Join Date
    Sep 2001
    Posts
    1,027
    Which packets?
    Are you referring to ip packets (datagrams) or ethernet packets (frames)?

    For IP packets there are ways to encrypt them (IPSec); however, it can only encrypt unicast (not multicast or broadcasts). As for ethernet frames, AFAIK there is no way to encrypt them since it would break the protocol... And VLAN does not provide encryption capabilities either; it's just not designed for that...


    Ammo
    Credit travels up, blame travels down -- The Boss

  5. #5
    Senior Member
    Join Date
    Jan 2002
    Posts
    458
    There really is no need to encrypt everything on a VLAN either. I really wish I could have answered this one for ya, but ammo did a hell of a job explaining it and there is not much else to say, except that another way to be able to sniff all VLANs is to be connected to a SPAN port that is configured to mirror (SPAN) all other ports on the layer 2 or 3 switch.
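
An added example, not part of the original posts: a small audit for the two conditions posts #2 and #5 describe, a host-facing port left in trunk mode and a SPAN destination port. It assumes Cisco IOS-style configuration syntax and a hypothetical site convention that switch-to-switch links carry "uplink" in their description; the sample config is constructed.

```python
import re

# Constructed sample config, Cisco IOS-style syntax (assumed; the thread names no vendor).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 description uplink to core switch
 switchport mode trunk
!
interface GigabitEthernet0/2
 description user desk 14
 switchport mode access
!
interface GigabitEthernet0/3
 description user desk 15
 switchport mode trunk
!
interface GigabitEthernet0/4
!
monitor session 1 destination interface GigabitEthernet0/5
"""

# Hypothetical site convention: switch-to-switch links say "uplink" in the description.
UPLINK = re.compile(r"\buplink\b", re.I)
SPAN_DST = re.compile(r"monitor session (\d+) destination interface (\S+)")


def audit(config):
    """Return sorted (port, reason) pairs for ports able to see more than their own VLAN."""
    ports, findings, current = {}, [], None
    for line in config.splitlines():
        text = line.strip()
        if line.startswith("interface "):
            current = ports.setdefault(text.split()[1], {"desc": "", "mode": None})
        elif line.startswith(" ") and current is not None:
            if text.startswith("description "):
                current["desc"] = text[len("description "):]
            elif text.startswith("switchport mode "):
                current["mode"] = text.split()[2]
        else:
            current = None  # "!" or a global command ends the interface block
            m = SPAN_DST.match(text)
            if m:
                findings.append((m.group(2), f"SPAN destination (session {m.group(1)})"))
    for port, cfg in ports.items():
        if cfg["mode"] == "trunk" and not UPLINK.search(cfg["desc"]):
            findings.append((port, "trunk mode on a port not labelled as an uplink"))
        elif cfg["mode"] is None:
            findings.append((port, "no explicit switchport mode"))
    return sorted(findings)
```

A port with no explicit mode is reported because its behaviour then depends on the platform default, which this sketch does not model.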

  6. #6
    Jaded Network Admin nebulus200
    Join Date
    Jun 2002
    Posts
    1,356
    Is this necessarily true anymore? I was under the impression that dsniff could do some spoofing magic with ethernet frames and trick a switch into delivering all traffic to the box connected in the switch, essentially giving it the capability to sniff all of the ports and circumventing the inherent protections of the switch (not saying this is easy, but merely possible).

    The most feasible way would be to use only encrypted protocols, ssh, scp, sftp, ssl, etc for information you consider sensitive, (logon to system, anytime passing credit card info, etc). I have always considered it a good security practice to never send this type of information in clear if possible to avoid and would recommend you move away from protocols that do not support encryption (if possible, which it isn't always) such as telnet, ftp, etc. Or you could also use encryption on top of insecure protocols for example using PGP to encrypt email traffic...

    I always assume someone is looking and act accordingly

    /nebulus
    There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

    (Merovingian - Matrix Reloaded)

  7. #7
    Senior Member
    Join Date
    Jan 2002
    Posts
    458
    nebulus, this is basically the same thing you just said, just in a slightly different manner. You are exactly right.

    My point is why encrypt something that doesn't need to be encrypted. A huge part of risk management is determining what and what not to protect. If the cost (meaning $$ or resources) of protecting something outweighs the risk of losing it, then it is probably not a good decision. For example, do you really care if all the SPAM you get is encrypted? I guess that question is truly answered by how much value SPAM has to you, but for most of us, it is not worth the time or energy to protect something that is useless to begin with.

  8. #8
    Member
    Join Date
    Sep 2001
    Posts
    37
    Regarding VLAN Trunks, surely a PC or Packet Sniffer sitting in a trunk VLAN would only see the data that needs passing between switches, not necessarily the data that belongs to a VLAN that exists wholly within a single switch?

  9. #9
    Senior Member
    Join Date
    Sep 2001
    Posts
    1,027
    That's correct alanmott...

    Ammo
    Credit travels up, blame travels down -- The Boss

  10. #10
    Jaded Network Admin nebulus200
    Join Date
    Jun 2002
    Posts
    1,356
    There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

    (Merovingian - Matrix Reloaded)
