
MITM using Cisco switch and SPAN session


kerpap


You can also paste it into https://docs.google.com/viewer for safer reading: http://docs.google.com/viewer?url=http%3A%2F%2Ffsosecurity.com%2FSPAN_MITM.pdf

Without reading the whole thing, though, just seeing "Admin access to victim AP": if you have that already, what else do you really need if you want control of things?

Edited by digip

The idea is that by having admin access, you can shut down the victim's router. If it's a consumer-level wireless router like a Linksys, you would be cloning the settings of their router, i.e. SSID and WPA key. Then, using the Cisco switch, you can sniff all traffic going in and out with a SPAN session.

It was an interesting concept, albeit very elaborate, and it would only work in specific conditions.

I did the CCNA: Security certification and have been researching how relevant their "best practices" really are. Stuff like VLAN hopping only seems theoretical; however, that too can be done. It too will only work under very specific conditions.

I have actually done traffic sniffing on a SPAN port before with BackTrack, and it's really neat what you can get from it.

It basically copies all traffic specified and delivers it to the SPAN port, to which you connect your BT/Kali machine.

Anyway, I thought this article was cool and worth a read.


I'm just thinking in terms of admin access on the AP, which most likely is the gateway/router: you have control of a lot of things already, such as DNS, or just setting a route through your own network and forwarding passively while sniffing the traffic. Or you can configure yourself, in most cases, to be in more than one VLAN (depending on the type of equipment and network card capabilities, or if you use multiple NICs), or, if you have access to their switch and its spanning tree, set up port mirroring, which is a legit method for debugging but also for attacking networks to sniff data. You could still gain access to their internal network via that one AP, I would think, without needing to clone anything locally and disabling their equipment, which might set off alarms, since you'd need MAC address cloning for your external layer 2 address if they have access set up with sticky ports ( http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/31sg/configuration/guide/port_sec.html#wp1070666 ). By disabling their AP, your AP would have to look identical or it would get itself banned from their network based on the MAC address of the device alone.

In most cases I've seen, though, people misconfigure VLANs anyway and almost always have VLAN 1, on which, if I recall from my own Cisco classes, all VLANs will flow through, sort of defeating VLAN security and making VLAN 1 kind of like a hub for all traffic. But I guess cloning settings to your own router with the WPA key gives you the chance to step in; you would still need to overpower their AP to get them to connect to you first, though, I would think, if we're talking wireless here? The only reason I say this is that most places with large networks are going to have more than one wireless AP, not just one.

You mention shutting down the victim's AP, but when most places have multiple wireless routers/APs/gateways, bridged and set up for a wider range of wireless access across their organization, one AP down might not be of much use, unless they only have one wireless AP? Your scenario works if they only have one single point of failure in having just one AP, but in most corporate LANs I've been on/around, they have redundancy and multiple APs, unless it's a small mom-and-pop coffee shop, for which they're most likely not going to have spanning tree setups, switches and segregated VLANs for internet access, and would most likely have one network for customers only and (hopefully) a separate network/LAN for the back office, which would probably be wired and (again, HOPEFULLY) not in any way connected to the same wireless AP (although we both know that while it's the best-case scenario to have them not connected so no one can pivot off one to the other, many places use one for both, which is a single point of failure in not just small businesses but even large organizations).


The thing I like about this article is using a SPAN session for traffic sniffing.

You could take a switch and plug it into the port a PC is plugged into in an office you are pentesting, configure it as the root bridge, configure a SPAN session, and then you can sniff all traffic on the network.


We also used to save our startup configs locally to text files in case we ever needed to swap out hardware, which always seemed to go down in the middle of class for some reason (my school was infamous for spending half the class getting the equipment up and restoring bin files that people would wipe from the previous class and not remember to restore, which was always fun, trying to figure out which IOS went on which device since they never documented anything).

Just print the startup config and copy/paste it to your desktop or a remote TFTP server for a quick restore of the setup if you ever need to get them back up quickly; you can just paste it back into your terminal server client and then "copy run start", since most commands don't need the whole command typed out. "show startup-config" prints it on the screen; then copy it locally from the terminal to a text file, make changes, and paste it into the other devices as needed. Makes for quick restores.

There is also another command to save the configs to actual flash, if there is enough space with the IOS bin file, which puts it in the directory with the bin file instead of just a single file in NVRAM. You can give it a file name and save multiple different configurations depending on when you need them, and also list and load them as needed to overwrite the current running config, like changing ACLs on or off for remoting into a device, or routes to do things as needed. I just can't remember the actual command that writes it locally per file name, or how to list them and restore them from the local directory, but it can also be done via TFTP, something like copy tftp://server/path/config Flash:/filename1, etc. This way we could easily load other startup configs, which were stored in the same directory as the IOS bin files, and if we fat-fingered the current setup, we just reloaded the backup file. But with very limited space on most of the equipment we used, we always saved a copy locally to a central TFTP server for use later, to paste into whatever client we remoted in with. The nice thing was we could copy and paste the text file and edit them in a regular text editor locally ahead of time to make other configs for specific needs and have all our settings ready to go, then just paste it in, or copy them off the TFTP server and swap changes as needed.


That command right there needs to be tattooed on people's foreheads. I don't know how many times I've gone to a site where some dumb ass forgot that command 8 months ago....

Edited by barry99705

Or "wr mem", or just "wr", works.

(write mem)

If in config mode, do wr mem.

The thing is that unless you are super Cisco savvy, you may poorly configure your network, and there are some cool tricks that you can do to exploit it and get interesting info.

If you are running Wireshark, pay attention to STP. It will give you the bridge ID of the switch the BPDU is coming from. The default is 32,768.

If the root bridge has this ID, it is possible that the config on the root switch was not forced into being the root bridge.

You can plug a switch into the LAN and configure it to have a bridge priority of 0 and force it to be the root bridge, and if it works, all traffic will flow through your switch. You can set up a SPAN port and sniff sensitive network traffic.

This is called (at least by Cisco) a "Rogue Switch Attack".
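Added example (not from the thread or from anyone posting in it): a small Python decoder for the configuration BPDUs that the post above says to watch in Wireshark. It pulls the root bridge ID out of a raw frame and flags the two things a defender cares about here: a root that still carries the default priority 32768 (nobody pinned the root, so a lower priority plugged into any access port wins the election) and a root ID that no longer matches the switch that is supposed to be root (the takeover the post describes). The MAC addresses, the expected root (EXPECTED_ROOT_MAC) and the three sample frames are constructed for the example.

```python
"""Decode 802.1D configuration BPDUs and audit the root bridge they announce.

Two findings are raised: the root still runs the default priority 32768, or the
root MAC differs from the switch expected to be root. Sample frames are built
inline (constructed data), so this runs without a capture file.
"""
import struct
from dataclasses import dataclass

STP_MULTICAST = bytes.fromhex("0180c2000000")  # 01:80:c2:00:00:00
LLC_STP = b"\x42\x42\x03"                      # DSAP 0x42, SSAP 0x42, UI control
DEFAULT_PRIORITY = 32768

# Assumption for the example: the MAC of the switch that should be root here.
EXPECTED_ROOT_MAC = "00:11:22:33:44:01"


@dataclass
class Bpdu:
    root_priority: int      # upper 4 bits of the root ID field, a multiple of 4096
    root_sysid_ext: int     # lower 12 bits (the VLAN number under PVST+)
    root_mac: str
    root_path_cost: int
    bridge_priority: int
    bridge_mac: str


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def _split_bridge_id(raw: bytes):
    # Bridge ID = 2-byte priority field + 6-byte MAC (802.1D/802.1t layout).
    field, mac = struct.unpack("!H6s", raw)
    return field & 0xF000, field & 0x0FFF, _mac(mac)


def parse_bpdu(frame: bytes) -> Bpdu:
    """Parse an 802.3/LLC-encapsulated STP configuration BPDU."""
    if frame[0:6] != STP_MULTICAST:
        raise ValueError("not sent to the STP multicast address")
    if frame[14:17] != LLC_STP:
        raise ValueError("not an LLC STP frame")
    stp = frame[17:]
    proto, _version, bpdu_type, _flags = struct.unpack("!HBBB", stp[:5])
    if proto != 0 or bpdu_type != 0:
        raise ValueError("only 802.1D configuration BPDUs are handled here")
    root_pri, root_ext, root_mac = _split_bridge_id(stp[5:13])
    (cost,) = struct.unpack("!I", stp[13:17])
    bridge_pri, _bridge_ext, bridge_mac = _split_bridge_id(stp[17:25])
    return Bpdu(root_pri, root_ext, root_mac, cost, bridge_pri, bridge_mac)


def audit_bpdu(bpdu: Bpdu, expected_root_mac: str) -> list:
    """Return a list of findings; an empty list means the BPDU looks as expected."""
    findings = []
    if bpdu.root_priority == DEFAULT_PRIORITY:
        findings.append("root bridge still uses the default priority 32768; "
                        "any switch announcing a lower priority wins the election")
    if bpdu.root_mac != expected_root_mac.lower():
        findings.append(f"root changed: expected {expected_root_mac}, "
                        f"BPDU claims {bpdu.root_mac}")
    return findings


def build_config_bpdu(src_mac, root_field, root_mac, cost, bridge_field, bridge_mac):
    """Construct a raw configuration BPDU frame (sample data for the example)."""
    stp = struct.pack("!HBBB", 0, 0, 0, 0)                # proto, version, type, flags
    stp += struct.pack("!H6s", root_field, root_mac)       # root ID
    stp += struct.pack("!I", cost)                         # root path cost
    stp += struct.pack("!H6s", bridge_field, bridge_mac)   # bridge ID
    # port ID, message age, max age 20 s, hello 2 s, forward delay 15 s (1/256 s units)
    stp += struct.pack("!HHHHH", 0x8001, 0, 20 * 256, 2 * 256, 15 * 256)
    payload = LLC_STP + stp
    return STP_MULTICAST + src_mac + struct.pack("!H", len(payload)) + payload


def sample_frames() -> dict:
    """Three constructed frames: pinned root, root on default priority, rogue takeover."""
    core = bytes.fromhex("001122334401")   # constructed: the legitimate root switch
    rogue = bytes.fromhex("00aabbccddee")  # constructed: a switch announcing priority 0
    vlan = 1
    return {
        "pinned":   build_config_bpdu(core, 4096 | vlan, core, 0, 4096 | vlan, core),
        "unpinned": build_config_bpdu(core, 32768 | vlan, core, 0, 32768 | vlan, core),
        "takeover": build_config_bpdu(rogue, 0 | vlan, rogue, 0, 0 | vlan, rogue),
    }


if __name__ == "__main__":
    for name, frame in sample_frames().items():
        bpdu = parse_bpdu(frame)
        print(f"{name:9s} root={bpdu.root_mac} prio={bpdu.root_priority} "
              f"vlan={bpdu.root_sysid_ext} -> {audit_bpdu(bpdu, EXPECTED_ROOT_MAC) or 'ok'}")
```

The priority field is split because, on Cisco switches running PVST+, the 16-bit value Wireshark shows is priority plus VLAN number (32769 on VLAN 1 is the default, not a customized root), so the check masks off the low 12 bits before comparing against 32768. Seeing the "unpinned" finding on a production segment is the cue to set the root priority explicitly and enable root guard on access ports; seeing the "takeover" finding during a capture is the rogue switch scenario from the post.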


"wr" or "write" works on 10.x and prior, as well as now for backward compatibility in most devices, but some devices throw an error saying something like "deprecated" on 12 and later IOS bin files. If someone is using IOS 10.x or older, though, they probably have more issues than using the write command ;)


We had some Catalyst switches at school that used to give messages about the write command, and on some of them it didn't even show in the ? help menu; only copy was available. But Cisco makes it available, as mentioned, for backwards compatibility I assume, though I don't know whether every device still supports it or not. Just sharing what I remember from school, this going back to around 2008 or so: write mem would work but give messages to use copy run start, or to use copy instead. I'm sure others have seen the message or run into it on some hardware of theirs. The one thing I do remember using was write erase | reload to wipe the config (but on some devices write erase also removed the bin file?? Don't quote me on that).

Edited by digip