Security

  • VLAN hopping - demonstration


    How do you demonstrate VLAN hopping? I am trying to show this to a
    customer who has multiple DMZ segments configured as Layer2 VLANs on a
    Cisco 6500 switch. There is NO trunk port on this switch but DTP is
    turned on on all ports.
    Is it enough to cascade another L2 switch on an access port [ say VLAN
    100] of the 6509, connect a desktop on this second switch and send a
    packet with different VLAN ID [say VLAN 200] on the 6509.
    Am I on the right track?
    This List Sponsored by: Cenzic
    Need to secure your web apps?
    Cenzic Hailstorm finds vulnerabilities fast.
    Click the link to buy it, try it or download Hailstorm for FREE.
  • No.1 | | 1038 bytes | |

    check these out

    should get you started

    cheers
    Ivan

    On 10/18/06, dubaisans dubai <dubaisans (AT) gmail (DOT) com> wrote:
    How do you demonstrate VLAN hopping? I am trying to show this to a
    customer who has multiple DMZ segments configured as Layer2 VLANs on a
    Cisco 6500 switch. There is NO trunk port on this switch but DTP is
    turned on on all ports.

    Is it enough to cascade another L2 switch on an access port [ say VLAN
    100] of the 6509, connect a desktop on this second switch and send a
    packet with different VLAN ID [say VLAN 200] on the 6509.

    Am I on the right track?


  • No.2 | | 1080 bytes | |

    Have you thought about just plugging in a linux machine (or cdbootable)
    and having it take care of the vlan stuff for you (join all VLANS from
    one linux box).

    dubaisans dubai wrote:
    How do you demonstrate VLAN hopping? I am trying to show this to a
    customer who has multiple DMZ segments configured as Layer2 VLANs on a
    Cisco 6500 switch. There is NO trunk port on this switch but DTP is
    turned on on all ports.

    Is it enough to cascade another L2 switch on an access port [ say VLAN
    100] of the 6509, connect a desktop on this second switch and send a
    packet with different VLAN ID [say VLAN 200] on the 6509.

    Am I on the right track?


  • No.3 | | 1126 bytes | |

    Wed, 18 2006, Ivan . wrote:

    check these out

    should get you started

    Those documents show that vlan hopping doesn't work on properly
    configured switches.

    On 10/18/06, dubaisans dubai <dubaisans (AT) gmail (DOT) com> wrote:
    >How do you demonstrate VLAN hopping? I am trying to show this
    >to a customer who has multiple DMZ segments configured as
    >Layer2 VLANs on a Cisco 6500 switch. There is NO trunk port
    >on this switch but DTP is turned on on all ports.
    >
    >Is it enough to cascade another L2 switch on an access port [
    >say VLAN 100] of the 6509, connect a desktop on this second
    >switch and send a packet with different VLAN ID [say VLAN 200]
    >on the 6509.
    >
    >Am I on the right track?


    The right track would IMHO be to teach the customer how to
    configure his switch.

    Ulric


  • No.4 | | 1313 bytes | |

    On my Cisco Router, I do a nmap from outside on the Internet. The result
    is:

    " Interesting ports on 50.1:
    Not shown: 1676 closed ports
    PORT STATE SERVICE
    23/tcp filtered telnet
    135/tcp filtered msrpc
    1524/tcp filtered ingreslock
    27665/tcp filtered Trinoo_Master

    I am worried about the last two entries. The last nmap was done in Feb
    this year and I have confirmed that the two ports did not exist.
    Though the state "filtered" is a solace but I am still concerned. How
    can I be sure that the system has not been compromised?

    Also the current IOS Version on my Router is 12.4. It was the same case
    when I was using older v 12.2 on another router, so I thought maybe,
    it's an IOS issue and I upgraded my Router to 2811 with IOS v 12.4.

    But as soon as I plugged it into the circuit, I realised the nmap again
    gives the Trinoo_Master entry with state as filtered.

    Where could the problem lie? Is it with my firewall configuration behind
    the router?
    Is it my ISP trying to block access to these ports through my home
    connection?


  • No.5 | | 666 bytes | |

    On 10/17/06, dubaisans dubai <dubaisans (AT) gmail (DOT) com> wrote:
    How do you demonstrate VLAN hopping? I am trying to show this to a
    customer who has multiple DMZ segments configured as Layer2 VLANs on a
    Cisco 6500 switch. There is NO trunk port on this switch but DTP is
    turned on on all ports.

    If DTP is turned on then you just need to send the right DTP packets
    and turn on trunking. Check out yersinia @ http://www.yersinia.net/


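Added example, not part of any post in the thread: a defensive audit for the condition post No.5 describes, ports on which DTP can bring up a trunk. It parses a constructed IOS-style configuration; the function name `audit_dtp` and the sample interfaces are assumptions, and a port with no explicit `switchport mode` is assumed to fall back to a dynamic platform default.

```python
import re

# Constructed sample of Cisco IOS interface configuration (not from the thread).
SAMPLE_CONFIG = """\
interface GigabitEthernet1/1
 switchport
 switchport access vlan 100
!
interface GigabitEthernet1/2
 switchport access vlan 200
 switchport mode access
 switchport nonegotiate
!
interface GigabitEthernet1/3
 switchport mode dynamic desirable
!
interface GigabitEthernet1/4
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet1/5
 switchport mode access
 shutdown
!
"""

def audit_dtp(config):
    """Flag ports in a dynamic (DTP-negotiable) mode and trunks without nonegotiate."""
    findings = {}
    # Each stanza is an "interface X" header followed by its indented body lines.
    for m in re.finditer(r"^interface (\S+)\n((?: .*\n)*)", config, re.M):
        name, body = m.group(1), m.group(2)
        lines = [l.strip() for l in body.splitlines()]
        if "shutdown" in lines or "no switchport" in lines:
            continue  # disabled or routed port: no DTP exposure
        mode = next((l.split("switchport mode ", 1)[1] for l in lines
                     if l.startswith("switchport mode ")), None)
        nonegotiate = "switchport nonegotiate" in lines
        if mode is None:
            findings[name] = "no explicit mode: platform default applies (assumed dynamic)"
        elif mode.startswith("dynamic"):
            findings[name] = f"DTP negotiation enabled ({mode})"
        elif mode == "trunk" and not nonegotiate:
            findings[name] = "static trunk still sends DTP (no nonegotiate)"
    return findings

if __name__ == "__main__":
    for port, why in audit_dtp(SAMPLE_CONFIG).items():
        print(f"{port}: {why}")
```

On the sample, GigabitEthernet1/1, 1/3 and 1/4 are flagged; an access port configured like GigabitEthernet1/2 (`switchport mode access` plus `switchport nonegotiate`) passes.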
  • No.6 | | 1411 bytes | |

    Hi all, a great tool that can do Vlan hopping and a lot of layer 2
    attacks is Yersinia:

    For example in vlans you can :

    Send RAW VTP packet
    Delete ALL VLANs
    Delete selected VLAN
    Add one VLAN

    Check it here: http://www.yersinia.net

    Regards,

    Christian Martorella
    www.edge-security.com

    dubaisans dubai wrote:
    How do you demonstrate VLAN hopping? I am trying to show this to a
    customer who has multiple DMZ segments configured as Layer2 VLANs on a
    Cisco 6500 switch. There is NO trunk port on this switch but DTP is
    turned on on all ports.

    Is it enough to cascade another L2 switch on an access port [ say VLAN
    100] of the 6509, connect a desktop on this second switch and send a
    packet with different VLAN ID [say VLAN 200] on the 6509.

    Am I on the right track?


  • No.7 | | 1764 bytes | |

    To really be sure try netcat'ing or telnet'ing to those ports while running a pcap.
    Sent via BlackBerry from T-Mobile

    -----Original Message-----
    From: "Paul Melson" <pmelson (AT) gmail (DOT) com>
    Date: Wed, 18 2006 16:40:54
    To:"'Faheem SIDDIQUI'" <fahimdxb (AT) gmail (DOT) com>,<pen-test (AT) securityfocus (DOT) com>
    Subject: RE: About Trinoo_Master on 27665 tcp

    -----Original Message-----
    Subject: About Trinoo_Master on 27665 tcp

    On my Cisco Router, I do a nmap from outside on the Internet. The result
    is:

    " Interesting ports on 50.1:
    Not shown: 1676 closed ports
    PORT STATE SERVICE
    23/tcp filtered telnet
    135/tcp filtered msrpc
    1524/tcp filtered ingreslock
    27665/tcp filtered Trinoo_Master

    I am worried about the last two entries. The last nmap was done in Feb
    this year and I have confirmed that the two ports did not exist.
    Though the state "filtered" is a solace but I am still concerned. How
    can I be sure that the system has not been compromised?

    Don't be. The difference between "filtered" and "closed" is that for the
    closed ports Nmap received a TCP RST packet for that port and for the
    filtered ports it received no response (like a firewall drop) or an ICMP
    unreachable packet.

    I would say it's 99.9% likely that somewhere between your Nmap host and your
    router a firewall or router is knocking down all traffic to those ports.

    PaulM
