Poll: Are you interested in vlan vulnerabilities?
- No, I'm absolutely not.: 0% [ 0 ]
- Are you kidding? I could use this info ASAP!: 80% [ 4 ]
- Yes, but I haven't run across vlans YET!: 20% [ 1 ]
Total Votes: 5
|
fyod42 (Newbie Poster; Joined: 29 May 2004; Posts: 6)
Posted: 29 May 2004 10:34 pm   Post subject: VLAN Virtual Lan. VLAN spoof. Layer-2 switch. wvlan.
Hello there, first post here. First I want to thank all of the developers for an outstanding product. Also I notice that you freely give your time to peruse through the forums and help people. Outstanding..
My problem is this.
I am connected to an Allied Telesyn 8024 layer 2 switch (http://alliedtelesyn.com/products/details.aspx?9) with port security enabled to the Secure mode. By misconfiguration, only the switch itself is on a vlan. The router is not, the other switches in the network are also not. No ports are included in this vlan on the switch. The management vlan is 1. The switch checks its CAM table for the correct mac from the correct port before it forwards the frame. This means that a remote management session is highly improbable from the current setup (static mapping). The only response I can get from the switch is with an arp request. For this I use the arping utility for linux.
The switch is on vlan 1. Here is an ethereal capture of an arp reply from the switch.
No. Time Source Destination Protocol Info
3 1.500954 AlliedTe_XX:XX:XX LinksysG_XX:XX:XX 0x0806 ARP
Frame 3 (60 bytes on wire, 60 bytes captured)
Arrival Time: May 29, 2004 15:21:41.982501000
Time delta from previous packet: 0.001966000 seconds
Time since reference or first frame: 1.500954000 seconds
Frame Number: 3
Packet Length: 60 bytes
Capture Length: 60 bytes
Ethernet II, Src: 00:30:84:XX:XX:XX, Dst: 00:04:5a:XX:XX:XX
Destination: 00:04:5a:XX:XX:XX (LinksysG_XX:XX:XX)
Source: 00:30:84:XX:XX:XX (AlliedTe_XX:XX:XX)
Type: 802.1Q Virtual LAN (0x8100)
802.1q Virtual LAN
000. .... .... .... = Priority: 0
...0 .... .... .... = CFI: 0
.... 0000 0000 0001 = ID: 1
Type: ARP (0x0806)
Data (42 bytes)
0000 00 04 5a XX XX XX 00 30 84 XX XX XX 81 00 00 01 ..Zj...0.M. ....
0010 08 06 00 01 08 00 06 04 00 02 00 30 84 XX XX XX ...........0.M.
0020 ac 10 00 05 00 04 5a XX XX XX ac 10 00 80 00 00 ......Zj........
0030 00 00 00 00 00 00 00 00 00 00 00 00 ............
The switch connects to the router through port 24. Enhanced Stacking is enabled and this switch is set up as a master. It can only see 1 other switch. The second switch is between the first switch and the router. I am unable to connect to the second switch or get any type of response. This is important because if I could connect to the second switch via telnet or web management, I could set it up as a master and reconfigure switch one. So keep that in mind.
I am able to use ettercap to arp poison all of the other hosts connected to the switch. I am not able to see the rest of the net. I know the rest of the net is there from broadcast arps from the router. I also have the macs and IPS of most of them.
Would it be possible to DoS the switch? Any recommendations? What about some type of vlan packet DoSer.
Could I use ifconfig to spoof my mac and ip address to look like an allied telesyn switch, and then generate packets with the correct vlan header to access the switch management ports?
How can I generate vlan packets (libnids, libnet, libdnet) and use them with ettercap?
What, as developers, are you thinking about vlans? As they are becoming increasingly used. Don't tell me this is the beginning of the end for ettercap!
Trunking is not enabled. Spanning tree is not enabled.
If you need any more info ASK and it shall be given to you.
Thanks
fyod42 (Newbie Poster; Joined: 29 May 2004; Posts: 6)
Posted: 29 May 2004 11:28 pm
I've googled the fuk out of vlan info and this is the #1 link on the net.
http://www.sans.org/rr/papers/38/1090.pdf
It includes actual code used with libnet to attempt the various types of attacks with vlans. A must read.
gzzah (Semi-Experienced Poster; Joined: 18 Feb 2004; Posts: 34)
Posted: 30 May 2004 1:48 am   Post subject: Re: VLAN Virtual Lan. VLAN spoof. Layer-2 switch. wvlan.

fyod42 wrote: "... with port security enabled to the Secure mode."
Looking at the docs, there are three modes of Port Security on your switch. In "Limited mode" the port is only going to allow a preset number of mac address to be learned from each port. Anything else is dropped. If that's the case, see if you can get into another port that may be misconfigured. This port could be used by a second NIC to send out the spoofed ARPs. This isn't built into ettercap but nemesis would do the trick. Just write a shell script to repeat the ARP every 10 seconds or so.
Another thing you may want to look into is becoming a trunk port. Chances are your admins have removed this function as well but be careful, apparently the switch can only handle one trunk at a time (what a cheap switch!).
When all else fails find the console, hook up a serial cable, reset it and hit enter while it's booting. type "boot" at the prompt and then put the password of "admin" in.
(WARNING - all advice here can get you into deep doodoo. If you're not authorized to do any of these things and you get caught, you're SOL)
I really think your best option is a second NIC with nemesis. If port security is enabled then you're really kinda stuck. Can't overflow, can't mitm.
fyod42 (Newbie Poster; Joined: 29 May 2004; Posts: 6)
Posted: 30 May 2004 4:22 am
Whoah...
I was going to try the various types of attacks in those articles, and had the libnet codes all ready, but then I decided to look here http://www.candelatech.com/~greear/vlan.html
I recompiled my kernel with 8021q as a loadable module. (included with my kernel)
I edited my rc.d/rc.local file with the lines
/sbin/... (I forget the name; it loads the module dependencies.)
/sbin/modprobe -a 8021q
and then rebooted
I installed the vconfig utility (rpmfind.net) and then did
$ vconfig add eth0 1 (1 is the vlan id I needed) This created device eth0.1
$ ifconfig eth0.1 netmask 255.255.255.0 broadcast 255.255.255.255 hw ether (mac from eth0 because port security is on and drops all other macs) (IP but different from eth0)
$ ifconfig eth0.1 up
Now, I tried to ping the switch and examined packets in ethereal on the "any" device.
$ ping switch
didn't work.
$ ping -I eth0.1 switch
Bingo! It responded!
$ telnet -b eth0.1 switch
Bingo!
I then configured the switch to operate correctly, saved changes, and quit. I rmmod 8021q and edited rc.d file. Fixed.
NaGA (Ettercap Developer; Joined: 21 Mar 2001; Posts: 1815; Location: Milan, Italy)
Posted: 31 May 2004 10:08 am
Standard Port security has nothing to do with arp poisoning, because "spoofed" arp packets have the right source mac address of the ettercap machine.
Guest
Posted: 31 May 2004 9:12 pm
Well the switch had a predefined static mac address that was allowed on each individual port. IOW, I couldn't connect to anything with a mac other than the one predefined. Not even by spoofing other legal macs located on different ports.
Maybe you guys should look into a plugin that spoofs a vlan header so you could arp poison different vlans?
BTW, great product.. I can't believe it's free!
gzzah (Semi-Experienced Poster; Joined: 18 Feb 2004; Posts: 34)
Posted: 01 Jun 2004 7:01 am
NaGA wrote: "Standard Port security has nothing to do with arp poisoning, because "spoofed" arp packets have the right source mac address of the ettercap machine."
D'oh, you're right. My brain wasn't engaged while replying. I was thinking about something entirely different.
ALoR (Wannabe developer; Joined: 20 Mar 2001; Posts: 2930)
Posted: 01 Jun 2004 8:43 am
Anonymous wrote: "Maybe you guys should look into a plugin that spoofs a vlan header so you could arp poison different vlans?"
you can use the in-kernel support for 802.1q and set up a virtual NIC on that vlan, then use the -i to select it as the default interface
bye
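The thread turns on one detail: the switch accepted an 802.1Q-tagged frame (VLAN ID 1, the management VLAN) arriving from a port that was never meant to carry tags, and that is what the in-kernel 8021q support and the eth0.1 sub-interface produced. The following is an added example, not code from the thread, from ettercap or from Allied Telesyn: it parses a tagged Ethernet frame and its ARP payload (the layout shown in the ethereal capture in the first post) and flags a tagged frame seen on a port whose allowed-VLAN set does not include that tag, which is the condition a defender would want to alert on. The sample frame is constructed: it follows the byte layout of the posted hex dump, with the redacted XX bytes of the MAC addresses filled in with placeholder values (aa:bb:cc and 11:22:33), and the `port_allowed_vlans` parameter is an assumption standing in for whatever per-port VLAN configuration a real monitor would consult.

```python
"""Parse 802.1Q-tagged Ethernet/ARP frames and flag tags on ports that should be untagged.

Added example for the VLAN thread; not code from ettercap or the switch vendor.
"""
import struct
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

ETHERTYPE_VLAN = 0x8100   # 802.1Q TPID
ETHERTYPE_ARP = 0x0806


@dataclass
class Frame:
    dst: str
    src: str
    vlan_id: Optional[int]    # None when the frame carries no 802.1Q tag
    priority: Optional[int]
    cfi: Optional[int]
    ethertype: int            # EtherType of the encapsulated payload
    payload: bytes


@dataclass
class Arp:
    opcode: int               # 1 = request, 2 = reply
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def parse_ethernet(raw: bytes) -> Frame:
    """Split an Ethernet II frame, pulling out the 802.1Q TCI if a tag is present."""
    if len(raw) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src = raw[0:6], raw[6:12]
    ethertype = struct.unpack("!H", raw[12:14])[0]
    offset = 14
    vlan_id = priority = cfi = None
    if ethertype == ETHERTYPE_VLAN:
        if len(raw) < 18:
            raise ValueError("truncated 802.1Q header")
        tci = struct.unpack("!H", raw[14:16])[0]
        priority = tci >> 13          # top 3 bits: PCP
        cfi = (tci >> 12) & 1         # next bit: CFI/DEI
        vlan_id = tci & 0x0FFF        # low 12 bits: VLAN ID
        ethertype = struct.unpack("!H", raw[16:18])[0]
        offset = 18
    return Frame(mac_str(dst), mac_str(src), vlan_id, priority, cfi, ethertype, raw[offset:])


def parse_arp(payload: bytes) -> Arp:
    """Decode an Ethernet/IPv4 ARP packet (28 bytes; trailing padding is ignored)."""
    if len(payload) < 28:
        raise ValueError("ARP payload too short")
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", payload[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    sha, spa = payload[8:14], payload[14:18]
    tha, tpa = payload[18:24], payload[24:28]
    return Arp(oper, mac_str(sha), ".".join(map(str, spa)), mac_str(tha), ".".join(map(str, tpa)))


def tagged_frame_on_access_port(frame: Frame,
                                port_allowed_vlans: FrozenSet[int] = frozenset()) -> Optional[str]:
    """Return a finding when a tagged frame arrives on a port not configured for that VLAN.

    port_allowed_vlans is an assumed stand-in for the port's real VLAN membership;
    an access port that should only see untagged traffic has an empty set.
    """
    if frame.vlan_id is None or frame.vlan_id in port_allowed_vlans:
        return None
    return f"802.1Q tag for VLAN {frame.vlan_id} from {frame.src} on a port not configured for it"


# Constructed sample: the ARP reply from the first post's capture, with the redacted
# MAC bytes replaced by placeholders. 18-byte tagged header + 28-byte ARP + 14 bytes padding = 60.
SAMPLE_FRAME = bytes.fromhex(
    "00045a112233"  # dst MAC (placeholder for LinksysG_XX:XX:XX)
    "003084aabbcc"  # src MAC (placeholder for AlliedTe_XX:XX:XX)
    "8100" "0001"   # 802.1Q TPID, TCI: priority 0, CFI 0, VLAN ID 1
    "0806"          # encapsulated EtherType: ARP
    "0001" "0800" "06" "04" "0002"   # htype, ptype, hlen, plen, opcode=reply
    "003084aabbcc" "ac100005"        # sender MAC / IP 172.16.0.5
    "00045a112233" "ac100080"        # target MAC / IP 172.16.0.128
) + bytes(14)


def analyse(raw: bytes) -> Tuple[Frame, Optional[Arp], Optional[str]]:
    """Parse one frame and return (frame, arp-or-None, finding-or-None)."""
    frame = parse_ethernet(raw)
    arp = parse_arp(frame.payload) if frame.ethertype == ETHERTYPE_ARP else None
    return frame, arp, tagged_frame_on_access_port(frame)


if __name__ == "__main__":
    frame, arp, finding = analyse(SAMPLE_FRAME)
    print(frame)
    print(arp)
    print(finding)
```

Run stand-alone it prints the decoded tag (VLAN 1, priority 0, CFI 0), the ARP reply with 172.16.0.5 answering 172.16.0.128, and a finding because the default allowed set is empty; pass `frozenset({1})` to `tagged_frame_on_access_port` to model a port that legitimately carries VLAN 1 and the finding disappears. Stripping the four tag bytes yields an ordinary untagged ARP frame that parses with `vlan_id` of None and produces no finding.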
fyod42 (Newbie Poster; Joined: 29 May 2004; Posts: 6)
Posted: 07 Jun 2004 9:20 pm
Alor - this is a very big thing you just said.
Many people could benefit from this post.
Bypassing VLAN Security