Back a while ago, I had an idea while studying for the CCNA exam. The book I was reading said that switchports on a Cisco switch are, by default, in “dynamic desirable” trunking mode. Basically, this means that if you plug another switch into a port set this way, the port will become a trunk and will trunk down all the VLANs that it’s aware of.
So my first thought was “well cool, I could carry a 2950 with me on the next pen test”, but that’s sort of unwieldy. If only there were a way to do this with Linux! Well, yes, it turns out there is, and it’s a utility I’ve heard of before but never really played with. It’s called Yersinia, named after Yersinia pestis, better known as the Black Death.
Yersinia is focused a lot on network attacks, and lets you do all sorts of nasty things like set up DTP trunking, delete VLANs, mess with spanning tree, etc… and the devs are nice enough to include a GTK interface.
So let’s set up the situation: we’re on a penetration test, we’re inside the building. We plug in to an open jack but find that we’re on a VLAN that is fairly restricted. Oh darn. Well, maybe the network guy wasn’t as security conscious as he thought, and just dropped a few ports into a VLAN behind an ACL (probably, since he left a live port open!). If he didn’t reconfigure the switchport, it’s in dynamic desirable status, and we can access any VLAN that the switch knows about by telling the switch that we would like to set up our port as a trunk.
Fire up Yersinia, select “Launch Attack”, and select the DTP (Dynamic Trunking Protocol) tab. Select “Enable trunk” and hit OK. Or, if you’re a CLI monkey, run yersinia dtp -attack 1 -i eth0. If everything goes right, once spanning-tree quits shitting itself, you will be sitting on a fresh, new trunk port. What can we do from here? Well, a lot… we can hop out of the confined VLAN we’re in and directly access any VLAN that the switch is trunking. Server VLAN? Sure. And we’re going to zip right past any ACLs that may be in place, because anything we do is going to come from within the same VLAN as the target. Maybe a little ARP poisoning for some good ol’ MITM action? Yep. We can do that too, and Yersinia is set up to make it happen.
How do we prevent this from happening? A good start is shutting down any unused ports on your switches! For the live ports, you need to force your edge ports into access mode, or have them not negotiate trunking with whatever is plugged into them. This is done on a per-port basis:
switchport mode access – forces the port into an “access only” mode, effectively disabling trunking
switchport nonegotiate – prohibits the port from negotiating trunking (no DTP frames are sent)
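As an added example (my own code, not from the original post and not part of Yersinia), here is a small Python audit that walks a constructed running-config excerpt and flags every port that is still able to negotiate a trunk, i.e. any port missing the two commands above. The interface names and VLAN numbers in the sample are made up.

```python
# Constructed sample of a Cisco IOS running-config, not taken from the original post.
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport mode access
 switchport nonegotiate
 switchport access vlan 10
!
interface FastEthernet0/2
 switchport access vlan 10
!
interface FastEthernet0/3
 switchport mode access
!
interface FastEthernet0/24
 switchport mode trunk
 switchport nonegotiate
!
"""

def parse_interfaces(config):
    """Split an IOS config into {interface name: [indented config lines]}."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None  # "!" or a global command closes the block
    return interfaces

def audit_ports(config):
    """Return {port: [missing commands]} for ports that could still negotiate
    a trunk. A port counts as hardened when its mode is pinned (access, or a
    deliberate trunk for uplinks) and DTP is silenced with nonegotiate; the
    IOS default 'dynamic desirable' has neither, so it is flagged."""
    findings = {}
    for name, lines in parse_interfaces(config).items():
        if "shutdown" in lines:
            continue  # an administratively down port cannot negotiate anything
        missing = []
        if not ("switchport mode access" in lines or "switchport mode trunk" in lines):
            missing.append("switchport mode access")
        if "switchport nonegotiate" not in lines:
            missing.append("switchport nonegotiate")
        if missing:
            findings[name] = missing
    return findings
```

Fa0/2 is the port described in the post (left at defaults, just dropped into a VLAN) and comes back with both commands missing; Fa0/3 is in access mode but still talks DTP.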
Is there a way to catch someone doing this? Well, it’s a pain in the ass, but basically (at least on a 2950) you have to enable trunk event logging on a per-port basis (logging event trunk-status). If you’re going to go to that trouble, you may as well do it right and force your ports into access mode and be done with it. But if you do turn it on, you will see events like this:
%DTP-5-TRUNKPORTON: Port Fa0/24 has become dot1q trunk
Unfortunately, Cisco didn’t see fit to set up a logging event for when someone tries to trunk on an access port, so a failed attempt against a hardened port isn’t going to make any noise.