
Thread: Hacking VLANs/Packet Stealth

  1. #11
    Senior Member
    Join Date
    Sep 2001
    Posts
    1,027
    Actually nebulus, spoofing arp (dsniff) still does not give you the ability to sniff hosts on other vlans:

    that is because the switch determines if the physical port is a member of the particular vlan: it is not based on MAC addresses... So if you were to use dsniff in a VLAN, you would be able to sniff other hosts on that vlan, but not hosts on other vlans (unless on a trunk link as I said earlier, in which case you wouldn't even need dsniff...)

    Ammo
    Credit travels up, blame travels down -- The Boss

  2. #12
    ACL's man....
    Im Chris Bartholomew - 18 Years old

    TSeNg
    questions? Cxbartholomew@yahoo.com

  3. #13
    Senior Member
    Join Date
    Jan 2002
    Posts
    458
    ACLs have nothing to do with this...

    ACLs do not prevent someone from using a packet sniffer to see what is going across the wire.

  4. #14
    When a port of a switch enters trunk mode, the datagrams themselves are not encrypted. If we use an ISL trunk, the Cisco switch or router adds 4 fields, called the ISL header (everybody knows that), or an 802.1q internal header.
    A trunk line is different from a normal access link in one aspect: it is capable of transmitting data from more than 1 VLAN. Basically, trunking is poor design for security, I guess.
    A traffic analyzer can easily capture a trunk Ethernet frame. Knowing the correct mode of the trunk, the hacker/cracker can easily decode it, determine which VLAN this frame belongs to, and so on, the user data.
    Let's go to Paramount Great America !!!! LFC (LookingForChick)
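
The 802.1Q tag described in post #14, parsed from a defender's side (an added example, not part of the original thread): it reads the tag from a raw Ethernet frame and lists tagged frames seen on a port that is supposed to be an access port. The port name `Fa0/5`, the sample frames and the rule that an access port carries only untagged traffic are assumptions made for the example; ISL encapsulation is not handled.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tag


def parse_vlan(frame: bytes):
    """Return (vid, pcp, inner_ethertype) for a tagged frame, or None if untagged."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != TPID_8021Q:
        return None
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    # TCI: 3 bits priority (PCP), 1 bit DEI, 12 bits VLAN ID
    tci, inner = struct.unpack_from("!HH", frame, 14)
    return tci & 0x0FFF, tci >> 13, inner


def audit_access_port(frames, port_name):
    """List tagged or malformed frames seen on a port assumed to be untagged-only."""
    findings = []
    for i, frame in enumerate(frames):
        try:
            tag = parse_vlan(frame)
        except ValueError as exc:
            findings.append(f"{port_name} frame {i}: malformed ({exc})")
            continue
        if tag is not None:
            vid, pcp, inner = tag
            findings.append(
                f"{port_name} frame {i}: 802.1Q tag VID={vid} PCP={pcp} "
                f"inner=0x{inner:04x}"
            )
    return findings


# Constructed sample frames (not captured traffic).
DST = bytes.fromhex("ffffffffffff")
SRC = bytes.fromhex("020000000001")
UNTAGGED = DST + SRC + struct.pack("!H", 0x0800) + b"\x00" * 46
TAGGED_V20 = DST + SRC + struct.pack("!HHH", 0x8100, (5 << 13) | 20, 0x0800) + b"\x00" * 46
TRUNCATED = DST + SRC + struct.pack("!H", 0x8100) + b"\x00"

if __name__ == "__main__":
    # Hypothetical port name; the capture would come from a SPAN/mirror of it.
    for line in audit_access_port([UNTAGGED, TAGGED_V20, TRUNCATED], "Fa0/5"):
        print(line)
```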

  5. #15
    Senior Member
    Join Date
    Nov 2002
    Posts
    382

    Question

    iNVicTus, Nebulus,
    do you mean that tools like dsniff may fool an 802.1pq ethernet switch?

    I am very surprised, because VLANs are hardware based (e.g. galnet) soft is there only to program cams.

    If you ever heard or read of such an experiment I'll be glad to learn about it!!!

  6. #16
    Whether VLANs are hardware based or software based has nothing to do with their proneness to a hacker's attack. Their principles remain the same. The hacker could always plug his PC into one port of the switch legally (he is a user in his VLAN), but when he cracks the switch console, he could turn his port into trunk mode, and his local line to the switch becomes a trunk line (with some settings in his PC, that is also a trunk port) and analyze other VLAN traffic by simply removing the ISL or 802.1q header (external and internal). But that is trunk.

    In a dynamic VLAN environment, spoofing the VLAN Membership Policy Server (VMPS) about the host's MAC address is quite possible. But a well designed LAN security policy will easily shut this hole.
    Let's go to Paramount Great America !!!! LFC (LookingForChick)

  7. #17
    Senior Member
    Join Date
    Jan 2002
    Posts
    458

  8. #18
    Should we bother with such a solution? I think we just have to statically assign the MAC address of the critical server when we are configuring the switch.
    Let's go to Paramount Great America !!!! LFC (LookingForChick)

  9. #19
    Senior Member
    Join Date
    Nov 2002
    Posts
    382
    Thanks iNViCTuS,

    quote: Here ya go networker...enjoy:

    http://www.sans.org/newlook/resourc...hed_network.htm
    that's quite a good paper (SANS is a good site anyway). I agree with that analysis, adding maybe that the main risk is about DoS and not confidentiality (I don't believe in arp spoofing for spying on a connection, real end users will quickly know that smth is wrong).
    But DoS & ARP spoofing may be used to place a zombie in the white city and that's a way of compromising a host/server.

    Anyway I still don't believe there is a way to fool an ethernet switch properly configured.

    For instance Hacker is in a default_VLAN (admin made sure that there is no way to take hand on internal switch servers such as telnet or ftp from the default_VLAN => hacker can not change anything about ports configuration) and the target is VLAN A.
    I don't think that the hacker host has a chance to sniff anything on VLAN A just by sending layer 2 data to the switch to compromise it!
    SHARING KNOWLEDGE

  10. #20
    Originally posted here by Networker
    For instance Hacker is in a default_VLAN (admin made sure that there is no way to take hand on internal switch servers such as telnet or ftp from the default_VLAN => hacker can not change anything about ports configuration) and the target is VLAN A.
    I don't think that the hacker host has a chance to sniff anything on VLAN A just by sending layer 2 data to the switch to compromise it!
    Of course, but changing his MAC address is quite possible?
    Let's go to Paramount Great America !!!! LFC (LookingForChick)
