Vlan Hopping Anomaly

Discussion in 'Cisco' started by Jos_Cit, Aug 6, 2005.

  1. Jos_Cit

    Jos_Cit Guest

    Hello, I have read many docs about this attack but there are many
    contradictions.

    I know that this exploit exists in 2 ways:

    Basic => The attacker spoofs a switch and gains the trunked state of the
    switch's port. Relies on the auto-negotiate feature being turned ON.
    This way is simple to understand.

    ******************************************************************
    Complex 1 => This attack is described on
    http://www.sans.org/resources/idfaq/vlan.php and to work it needs the
    attacker and the trunk to share the same native VLAN (ex. VLAN 10). In this
    doc. the attacker sends on the access port (VLAN 10) a tagged
    frame with the VLAN-ID of the target VLAN (ex. VLAN 20). The switch takes the
    frame and forwards it on the trunk port without the native tag (10). The other
    switch reads VLAN-ID (20) and forwards the frame on access VLAN 20.
    In this scenario my doubts are:

    1) Why does the first SW accept the tagged frame but not read the tag?
    Is this behavior an anomaly in how it works?

    2) Why does the last switch, which receives a native frame on the trunk port, read
    the VLAN-ID? Is this normal or an anomaly? I think that the SW does not read the
    VLAN-ID because the frame on the trunk is native.

    ******************************************************************

    Complex 2 => In other docs, for ex:
    http://www.cisco.com/en/US/products/hw/switches/ps708/products_white_paper09186a008013159f.shtml
    , there is an attack called "Double-Encapsulated 802.1Q". In this
    exploit the conditions are similar to the preceding one, but the attacker
    needs to insert two VLAN-IDs (outer, inner). If this case works then:

    1) The first switch reads the VLAN-ID on the access port and forwards the frame on the
    trunk (stripping off the first VLAN-ID). This behavior is different from the
    preceding case. Why does the switch forward this frame according to the VLAN-ID
    on the access port? Is this behavior another anomaly?

    ******************************************************************

    Sorry about the length of the post.



    Thanks


    Giuseppe Citerna
    ccie#1053

    Complex 2 => This
     
    Jos_Cit, Aug 6, 2005
    #1
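The two "complex" cases in the post differ only in what the first switch does with an 802.1Q tag that arrives on an access port, and both depend on the trunk's native VLAN leaving the switch untagged. The following model is an added example written for this thread; it is not code from the original poster, from Cisco, or from any of the linked papers. It models a pair of two-port-plus-trunk switches in Python, with the access-port tag handling as a configurable policy: "drop" (the expected behaviour), "ignore" (the frame is classified into the access VLAN with the tag left in the bytes, as in Complex 1) and "parse" (the outer tag is read and stripped if it matches the access VLAN, as in Complex 2). Port names, the `tag_native` trunk option (modelled after Cisco's native-VLAN tagging, here as an assumption that untagged trunk ingress is dropped when it is enabled), the VLAN numbers and the MAC addresses are all constructed for the example. The scenarios show the hop in both legacy cases and the two standard mitigations (an unused native VLAN, or tagging the native VLAN), and every tagged frame seen on an access port is recorded as an audit alert.

```python
import struct

TPID = 0x8100  # 802.1Q Tag Protocol Identifier


def build_frame(dst, src, vids, ethertype=0x0800, payload=b""):
    """Ethernet frame with zero or more 802.1Q tags, outermost first (PCP/DEI = 0)."""
    hdr = dst + src
    for vid in vids:
        hdr += struct.pack("!HH", TPID, vid & 0x0FFF)
    return hdr + struct.pack("!H", ethertype) + payload


def parse_tags(frame):
    """Return the list of VLAN IDs carried by the frame, outermost first."""
    vids, off = [], 12
    while struct.unpack("!H", frame[off:off + 2])[0] == TPID:
        vids.append(struct.unpack("!H", frame[off + 2:off + 4])[0] & 0x0FFF)
        off += 4
    return vids


def push_tag(frame, vid):
    return frame[:12] + struct.pack("!HH", TPID, vid) + frame[12:]


def pop_tag(frame):
    return frame[:12] + frame[16:]


class Switch:
    """Minimal 802.1Q bridge: a name, its ports and a log of suspicious ingress.

    access_tag_policy is an assumption of this model, not a real switch setting:
    "drop" rejects tagged frames on access ports, "ignore" classifies them into
    the access VLAN without touching the bytes, "parse" reads and strips the
    outer tag when it matches the access VLAN.
    """

    def __init__(self, name, ports, access_tag_policy="drop"):
        self.name, self.ports, self.access_tag_policy = name, ports, access_tag_policy
        self.alerts = []

    def ingress(self, port, frame):
        """Classify a received frame. Returns (vlan, frame) or None if dropped."""
        p = self.ports[port]
        vids = parse_tags(frame)
        if p["mode"] == "access":
            if not vids:
                return p["vlan"], frame
            self.alerts.append(f"{self.name}/{port}: 802.1Q tag {vids[0]} received "
                               f"on access port (VLAN {p['vlan']})")
            if self.access_tag_policy == "drop":
                return None
            if self.access_tag_policy == "ignore":   # Complex 1: tag left in place, unread
                return p["vlan"], frame
            # "parse" (Complex 2): outer tag honoured only if it equals the access VLAN
            return (p["vlan"], pop_tag(frame)) if vids[0] == p["vlan"] else None
        # trunk port: tagged frames carry their VLAN, untagged ones belong to the native VLAN
        if vids:
            return vids[0], pop_tag(frame)
        if p.get("tag_native"):
            return None  # modelled assumption: native tagging drops untagged trunk ingress
        return p["native"], frame

    def egress(self, port, vlan, frame):
        """Encapsulate for the outgoing port. Returns bytes or None if not forwarded."""
        p = self.ports[port]
        if p["mode"] == "access":
            return frame if p["vlan"] == vlan else None
        if vlan == p["native"] and not p.get("tag_native"):
            return frame  # native VLAN leaves the trunk untagged: the hop depends on this
        return push_tag(frame, vlan)


def hop(sw1, sw2, in_port, frame, trunk1="gi0/1", trunk2="gi0/1"):
    """Send frame into sw1 on in_port, across the trunk to sw2, and return the VLAN
    sw2 classifies it into, or None if it was dropped along the way."""
    r = sw1.ingress(in_port, frame)
    if r is None:
        return None
    on_wire = sw1.egress(trunk1, r[0], r[1])
    if on_wire is None:
        return None
    r = sw2.ingress(trunk2, on_wire)
    return None if r is None else r[0]


def make_pair(access_tag_policy, native=10, tag_native=False):
    """Two identically configured switches: access ports in VLAN 10 and 20, one trunk."""
    def ports():
        return {"fa0/1": {"mode": "access", "vlan": 10},
                "fa0/2": {"mode": "access", "vlan": 20},
                "gi0/1": {"mode": "trunk", "native": native, "tag_native": tag_native}}
    return Switch("SW1", ports(), access_tag_policy), Switch("SW2", ports(), access_tag_policy)


ATTACKER = bytes.fromhex("020000000001")  # constructed locally administered MACs
VICTIM = bytes.fromhex("020000000002")


def scenarios():
    """Which VLAN SW2 delivers the frame to under each configuration (None = dropped)."""
    single = build_frame(VICTIM, ATTACKER, [20], payload=b"single-tag")      # Complex 1
    double = build_frame(VICTIM, ATTACKER, [10, 20], payload=b"double-tag")  # Complex 2
    results = {}
    sw1, sw2 = make_pair("ignore")
    results["complex1_legacy"] = hop(sw1, sw2, "fa0/1", single)
    sw1, sw2 = make_pair("parse")
    results["complex2_legacy"] = hop(sw1, sw2, "fa0/1", double)
    sw1, sw2 = make_pair("drop")
    results["tagged_dropped_on_access"] = hop(sw1, sw2, "fa0/1", single)
    sw1, sw2 = make_pair("parse", native=999)      # mitigation: unused native VLAN
    results["complex2_unused_native"] = hop(sw1, sw2, "fa0/1", double)
    sw1, sw2 = make_pair("parse", tag_native=True)  # mitigation: tag the native VLAN
    results["complex2_tag_native"] = hop(sw1, sw2, "fa0/1", double)
    return results


if __name__ == "__main__":
    for name, vlan in scenarios().items():
        print(f"{name:26s} -> delivered to VLAN {vlan}")
```

In both legacy cases the frame reaches VLAN 20 only because the first switch sends VLAN 10 out the trunk untagged while a tag for VLAN 20 is still inside the bytes; once the native VLAN is one no access port belongs to, or is tagged on the trunk, the same frame is delivered to VLAN 10 (still carrying a leftover inner tag) and never to VLAN 20. The `alerts` list is the detection angle: a tagged frame on an access port is never legitimate in this topology and is worth logging regardless of which policy the switch applies.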

  2. www.BradReese.Com, Aug 6, 2005
    #2

  3. Jos_Cit

    Jos_Cit Guest

    Thanks Brad, I know this paper. The doc describes the double-tagging
    attack.
    In my post I describe 3 forms of this exploit. The problem is to know
    the logic of the switches.


    thanks
    Giuseppe Citerna











    www.BradReese.Com wrote:

    > Hi Giuseppe,
    >
    > You may find Cisco's VLAN Hopping Attack helpful:
    >
    > http://www.cisco.com/en/US/netsol/n...s_white_paper09186a008014870f.shtml#wp1002270
    >
    > Sincerely,
    >
    > Brad Reese
    > BradReese.Com Cisco Repair Service Experts
    > http://www.bradreese.com/cisco-big-iron-repair.htm
    > 1293 Hendersonville Road, Suite 17
    > Asheville, North Carolina USA 28803
    > U.S. Toll Free: 877-549-2680
    > International: 828-277-7272
     
    Jos_Cit, Aug 6, 2005
    #3
  4. Giuseppe,

    Cisco hired @stake for the Research Report:

    Secure Use of VLANs: An @stake Security Assessment

    http://cisco.com/warp/public/cc/pd/si/casi/ca6000/tech/stake_wp.pdf

    and Cisco's VLAN Security and VLAN Hopping Attacks:

    http://www.cisco.com/en/US/about/ac...out_cisco_packet_feature09186a0080142deb.html

    Finally, Sean Convery of Cisco Systems provided the following Black Hat
    Presentation on VLAN Hopping:

    http://www.blackhat.com/presentations/bh-usa-02/bh-us-02-convery-switches.pdf

    Sincerely,

    Brad Reese
    SMARTnet Eligible Cisco Factory Refurbished
    http://www.bradreese.com/cisco-inventory-search.htm
     
    www.BradReese.Com, Aug 6, 2005
    #4
  5. Jos_Cit

    Jos_Cit Guest

    Thanks Brad, but I have read this doc. The problem is another one.


    Giuseppe
     
    Jos_Cit, Aug 6, 2005
    #5
  6. In article <>,
    Jos_Cit <> wrote:
    :Hello, I have read many docs about this attack but there are many
    :contradictions.

    :I know that this exploit exists in 2 ways:

    In your bay-networks posting, you listed 3 exploits instead of 2.


    You have multi-posted -- posted substantially the same message
    to several different newsgroups. I'm not going to chase down
    all of the newsgroups and post answers in all of them.
    Go back to those newsgroups and post indicating which -one- newsgroup
    should receive the response. Better yet, cross-post that
    "I took the conversation to ZZZ" message instead of multi-posting it.

    --
    "[...] it's all part of one's right to be publicly stupid." -- Dave Smey
     
    Walter Roberson, Aug 7, 2005
    #6
  7. Jos_Cit

    Jos_Cit Guest

    Sorry for multi-posting, I did not know that it was not polite.

    I took the conversation to comp.dcom.sys.cisco and all replies should
    be sent to this newsgroup.


    Giuseppe Citerna








    "Walter Roberson" <-cnrc.gc.ca> wrote in message
    news:dd5908$mor$...
    > In article <>,
    > Jos_Cit <> wrote:
    > :Hello, I have read many docs about this attack but there are many
    > :contradictions.
    >
    > :I know that this exploit exists in 2 ways:
    >
    > In your bay-networks posting, you listed 3 exploits instead of 2.
    >
    >
    > You have multi-posted -- posted substantially the same message
    > to several different newsgroups. I'm not going to chase down
    > all of the newsgroups and post answers in all of them.
    > Go back to those newsgroups and post indicating which -one- newsgroup
    > should receive the response. Better yet, cross-post that
    > "I took the conversation to ZZZ" message instead of multi-posting it.
    >
    > --
    > "[...] it's all part of one's right to be publicly stupid." -- Dave Smey
     
    Jos_Cit, Aug 7, 2005
    #7
  8. Jos_Cit

    Jos_Cit Guest

    Hello, I tested this scenario with 2948G / 3500XL and I can hop VLANs.
    With the 3550 instead I cannot.
    I have tested only the case with ONE dot1q encapsulation and not the
    dot1q-in-dot1q scenario.

    But to return to my original case, why in one case (COMPLEX 1) does the first
    switch not read the VLAN-ID, while in COMPLEX 2 the switch reads the
    VLAN-ID on its access port? Are both behaviors BUGs, or only the second case?
    According to me only the second case is a bug, because on the access port the
    switch does not read 802.1Q encapsulation. Is that right?


    thanks


    Giuseppe Citerna
    ccie#10503


    "Jos_Cit" <> wrote in message
    news:...
    > Hello, I have read many docs about this attack but there are many
    > contradictions.
    >
    > I know that this exploit exists in 2 ways:
    >
    > Basic => The attacker spoofs a switch and gains the trunked state of the
    > switch's port. Relies on the auto-negotiate feature being turned ON.
    > This way is simple to understand.
    >
    > ******************************************************************
    > Complex 1 => This attack is described on
    > http://www.sans.org/resources/idfaq/vlan.php and to work it needs the
    > attacker and the trunk to share the same native VLAN (ex. VLAN 10). In this
    > doc. the attacker sends on the access port (VLAN 10) a tagged
    > frame with the VLAN-ID of the target VLAN (ex. VLAN 20). The switch takes the
    > frame and forwards it on the trunk port without the native tag (10). The other
    > switch reads VLAN-ID (20) and forwards the frame on access VLAN 20.
    > In this scenario my doubts are:
    >
    > 1) Why does the first SW accept the tagged frame but not read the tag?
    > Is this behavior an anomaly in how it works?
    >
    > 2) Why does the last switch, which receives a native frame on the trunk port, read
    > the VLAN-ID? Is this normal or an anomaly? I think that the SW does not read the
    > VLAN-ID because the frame on the trunk is native.
    >
    > ******************************************************************
    >
    > Complex 2 => In other docs, for ex:
    > http://www.cisco.com/en/US/products/hw/switches/ps708/products_white_paper09186a008013159f.shtml
    > , there is an attack called "Double-Encapsulated 802.1Q". In this
    > exploit the conditions are similar to the preceding one, but the attacker
    > needs to insert two VLAN-IDs (outer, inner). If this case works then:
    >
    > 1) The first switch reads the VLAN-ID on the access port and forwards the frame on the
    > trunk (stripping off the first VLAN-ID). This behavior is different from the
    > preceding case. Why does the switch forward this frame according to the VLAN-ID
    > on the access port? Is this behavior another anomaly?
    >
    > ******************************************************************
    >
    > Sorry about the length of the post.
    >
    > Thanks
    >
    > Giuseppe Citerna
    > ccie#1053
    >
    > Complex 2 => This
    >
     
    Jos_Cit, Aug 9, 2005
    #8
  9. Jos_Cit

    Jos_Cit Guest

    Hi Walter ,

    with this phrase

    > "[...] it's all part of one's right to be publicly stupid." -- Dave Smey

    you have demonstrated arrogance and aggressiveness. I think that you must
    reflect on this phrase and be more polite.




    Giuseppe Citerna






    "Walter Roberson" <-cnrc.gc.ca> wrote in message
    news:dd5908$mor$...
    > In article <>,
    > Jos_Cit <> wrote:
    > :Hello, I have read many docs about this attack but there are many
    > :contradictions.
    >
    > :I know that this exploit exists in 2 ways:
    >
    > In your bay-networks posting, you listed 3 exploits instead of 2.
    >
    >
    > You have multi-posted -- posted substantially the same message
    > to several different newsgroups. I'm not going to chase down
    > all of the newsgroups and post answers in all of them.
    > Go back to those newsgroups and post indicating which -one- newsgroup
    > should receive the response. Better yet, cross-post that
    > "I took the conversation to ZZZ" message instead of multi-posting it.
    >
    > --
    > "[...] it's all part of one's right to be publicly stupid." -- Dave Smey
     
    Jos_Cit, Aug 11, 2005
    #9
  10. Bob Goddard

    Bob Goddard Guest

    Jos_Cit wrote:

    > Hi Walter ,
    >
    > with this phrase
    >
    >> "[...] it's all part of one's right to be publicly stupid." --
    >> Dave Smey
    >
    > you have demonstrated arrogance and aggressiveness. I think that you
    > must reflect on this phrase and be more polite.

    [...]

    Congratulations, you have just made yourself the
    laughing stock of usenet.
     
    Bob Goddard, Aug 11, 2005
    #10
  11. Jos_Cit

    Jos_Cit Guest


    > Congratulations, you have just made yourself the
    > laughing stock of usenet.



    What does your post mean?

    thanks
    Giuseppe Citerna
     
    Jos_Cit, Aug 11, 2005
    #11
  12. Hi Bob,
    you don't know me.
    I am an Italian guy, I am a security consultant.
    I read, sometimes, your posts.
    I think that you know your subjects a little .... a little
    But, I think .. that you should **** a little .... because you are a
    hysterical girl ..... In Italian ... una checca isterica :)

    Bye .... screw more and post less


    Rocco





    Bob Goddard wrote:
    > Jos_Cit wrote:
    >
    > > Hi Walter ,
    > >
    > > with this phrase
    > >
    > >> "[...] it's all part of one's right to be publicly stupid." --
    > >> Dave Smey
    > >
    > > you have demonstrated arrogance and aggressiveness. I think that you
    > > must reflect on this phrase and be more polite.

    > [...]
    >
    > Congratulations, you have just made yourself the
    > laughing stock of usenet.
     
    security_123@, Aug 11, 2005
    #12
  13. Hi Walter .....
    I think that no one is perfect ...
    But Jos_Cit, although he posted his messages by multiposting, is a
    correct person, and the word stupid is the real wrong!
    best regards

    Rocco
     
    security_123@, Aug 11, 2005
    #13
  14. In article <ZXGKe.4679$>,
    Jos_Cit <> wrote:
    :Hi Walter ,
    :with this phrase

    :> "[...] it's all part of one's right to be publicly stupid." -- Dave Smey

    :you have demonstrated arrogance and aggressiveness.


    Giuseppe, it is part of my file of quotations; each of my postings
    has one added on randomly. I don't find out which one until I read
    the finished posting. The line is not specifically directed at you.


    :I think that you must
    :reflect on this phrase and be more polite.

    The quotation is a reminder, counseling patience with other posters, as
    the "free marketplace of ideas" includes the right to express ideas in
    ways that might at first seem odd, argumentative, or even stupid.
    As my ideas might seem the same way to others, the quote is a reminder
    to myself as well, that any courtesies that I expect to be
    extended to myself, I must be prepared to extend to others.

    The quotation suggests, by its reference to the choice of wording as
    a "right", that before attacking others, that one should pause
    and mentally recognize their humanity (or canineity ;-) ) and review
    one's initial reaction to their posting, seeking a deeper understanding
    before replying.
    --
    This signature intentionally left... Oh, darn!
     
    Walter Roberson, Aug 11, 2005
    #14
  15. Ok Walter, excuse us if we didn't understand that your application
    generates an automatic string.
    But I say to you that if:
    the "free marketplace of ideas" includes the right to express ideas,
    the same right is for Jos ... first
    ....
    second
    is the idea your idea or an idea of your application?
    Because if it isn't your idea, as you say, the only thing to do is
    to say:
    Excuse me if my application is stupid ....

    Bye

    Rocco
     
    security_123@, Aug 12, 2005
    #15
  16. In article <>,
    security_123@ <> wrote:
    :Ok Walter, excuse us if we didn't understand that your application
    :generates an automatic string.

    Well, it would have been obvious to anyone with Usenet experience
    who'd been reading the newsgroup for more than about a day.
    I'm averaging about 6 posts to the newsgroup per day; I'm past the
    4500 posting mark for this newsgroup alone. No-one sustains that
    kind of output and -hand- picks a different random signature
    for every posting.

    :But I say to you that if:
    :the "free marketplace of ideas" includes the right to express ideas,
    :the same right is for Jos ...

    The free marketplace of ideas does not include the right to demand
    that other people listen and respond. People are thus free to
    say "I am going to ignore you unless you post in this particular
    format." Whether the poster agrees to use that format or not
    would depend upon the potential value of the answers that would
    be lost by not agreeing.

    It happens that the people most likely to be annoyed by multiposting
    (posting the same question to several newsgroups) are the "old-timers"
    who have been around for a long time and answer a lot of questions.
    So it is usually a good idea to avoid multiposting, as it tends to
    result in your questions being ignored by the people who are most
    likely to know the answer and take the time to write out the answer.

    Jos could have ignored my advice, but then I would have ignored Jos...


    :second
    :is the idea your idea or an idea of your application?

    I selected the quotation and added it in to the configuration
    file, if that is what you mean. I do not, though, select the
    particular quotation that gets attached to any one posting.

    :Because if it isn't your idea, as you say, the only thing to do is
    :to say:
    :Excuse me if my application is stupid ....

    I have evidence that the application's random number generator
    is biased in practice, but I suspect that is not what you mean by
    "the application is stupid".

    The application -is- stupid in that it does not have any artificial
    intelligence to read the posting and select the quotation that would be
    most appropriate.

    Do I apologize for having selected that quotation as one of the
    possibilities? No. I have been using electronic mass communication
    systems for more than 20 years, and the quotation aptly summarizes
    a lot of what has happened over the years.
    --
    "No one has the right to destroy another person's belief by
    demanding empirical evidence." -- Ann Landers
     
    Walter Roberson, Aug 15, 2005
    #16