Testing Switches for Vulnerabilities: Page 3

Book Excerpt: To hackers, your routers are a veritable Fort Knox. This article details some of the methods used to determine if the switches on your LAN are just as impenetrable.
(Page 3 of 3)

VTP Attacks

The VLAN Trunking Protocol (VTP) is a management protocol that reduces the amount of configuration in a switched environment. With VTP, a switch can be a VTP Server, VTP Client, or VTP Transparent switch. VTP Transparent switches do not participate in VTP, so the discussion here focuses on Server and Client. Using VTP, you can configure all your VLAN declarations on a switch operating in VTP Server mode. Any time you make a change, whether it is the addition, modification, or removal of a VLAN, the VTP configuration revision number increments by one. When VTP Clients see that the configuration revision number is greater than what they currently have, they know to synchronize with the VTP Server. The example below shows the output of the show vtp status command, which illustrates both the configuration revision number and the VTP mode of a switch.

show vtp status Command Output

Cat2950#show vtp status
VTP Version                     : 2   
Configuration Revision          : 4
Maximum VLANs supported locally : 68
Number of existing VLANs        : 6
VTP Operating Mode              : Server
VTP Domain Name                 : HackMyNetwork
VTP Pruning Mode                : Enabled
VTP V2 Mode                     : Disabled
VTP Traps Generation            : Disabled   
MD5 digest                      : 0x3D 0x02 0xD4 0x3A 0xC4 0x46 0xA1 0x03
Configuration last modified by 10.1.1.40 at 5-4-02 22:25:

A malicious hacker can use VTP to his advantage to remove all VLANs (except the default VLANs) on a network. This allows the malicious hacker to be on the same VLAN as every other user. The users might still be on separate networks, however, so the malicious hacker would need to change his IP address to be on the same network as the host he wants to attack.

A malicious hacker exploits VTP to his advantage by connecting into a switch and establishing a trunk between his computer and the switch. (See the earlier “VLAN Hopping” section for more on establishing a trunk.) A malicious hacker then sends a VTP message to the switch with a higher configuration revision number than the current VTP Server but with no VLANs configured. This causes all switches to synchronize with the computer of the malicious hacker, which removes all nondefault VLANs from their VLAN database.

From Penetration Testing and Network Defense, by Andrew Whitaker and Daniel Newman. Chapter 10, pp. 333-337 - Cisco Press. Reprinted with permission.

This article was first published on EnterpriseITPlanet.com.


Page 3 of 3

Previous Page
1 2 3
 





0 Comments (click to add your comment)
Comment and Contribute

 


(Maximum characters: 1200). You have characters left.