DTP - Share it

The one thing that is almost always overlooked when someone secures a network is the user side. It is rare to see a DMZ that is protected by a firewall from the internal users: the general assumption is that an internal user has legitimate access to the servers, so there is no need to protect them from him. In this article we will discuss a frequently overlooked feature of Cisco switches called DTP, explain why it is dangerous, and show the steps needed to disable it.

On some rare occasions the IT security people have done their job right and limited the access from internal users to the servers in the internal or external DMZ. This of course makes it harder for a penetration tester to find something interesting to put in the report. If only he could jump into the VLAN with the servers, so that there is no firewall in the way ...

Scenario

Well, maybe it is time to look at the Layer 2 side of the network. You might know that by default Cisco switches do not put their ports in access mode: they leave them in a dynamic mode (dynamic auto on current platforms, dynamic desirable on older ones), so that if you happen to connect two switches, the ports that connect them reconfigure themselves as a trunk and the VLANs are shared between the two switches. The proprietary Cisco protocol that negotiates this is called DTP, the Dynamic Trunking Protocol. The catch is that the switch cannot tell a second switch from a PC that speaks DTP: whatever sends the right frames into a port left in dynamic mode gets a trunk, and with it every VLAN the trunk carries.

Yersinia is a network tool designed to take advantage of weaknesses or misconfigurations in several Layer 2 protocols (STP, CDP, DTP, DHCP, HSRP, ISL, VTP and others). Let's try it out in its interactive mode:
$ sudo yersinia -I
Just remember to maximize your console window if you use KDE, GNOME or another desktop, as yersinia refuses to start if the terminal is too small. The F1 to F10 keys cycle through the protocol windows; each window shows what has been seen of a specific protocol on the wire. In our example we will focus on the DTP window and hope to see some activity there. If the switch port is negotiating, we will see lines with ACCESS/DESIRABLE (or ACCESS/AUTO on newer switches) in them: the two fields are the trunk operating status and the trunk administrative status of the neighbouring port, i.e. the port is currently an access port but is willing to become a trunk.

All we need to do now is press 'x' to open the attack menu and select '1' (enabling trunking), which makes yersinia answer the switch with DTP frames of its own, carrying the VTP domain name it has already seen in the switch's hellos (DTP only negotiates between ports in the same domain). If, after a few seconds, you see a couple of lines with 'TRUNK/DESIRABLE', the attack has most probably succeeded: the switch now treats your port as a trunk. Now, if you go to the 802.1Q window, you should see all the VLANs that are active on the switch and, from their broadcast traffic, even the IP ranges used in them. After that, joining a VLAN is trivial:

$ sudo modprobe 8021q
$ sudo vconfig add eth0 4
$ sudo ifconfig eth0.4 10.0.0.199 netmask 255.255.255.0 up

In this example '8021q' is the kernel module that enables VLAN support in Linux, '4' is the VLAN number and '10.0.0.199' is the IP address we assign ourselves inside that VLAN (on current distributions the vconfig utility has been replaced by the vlan subcommand of ip link from iproute2, which does the same thing). Just remember to leave yersinia running: the trunk lasts only as long as the switch keeps hearing DTP frames from your side, and once they stop the port falls back to access mode.
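Before pressing any key in yersinia it helps to know exactly what the switch port is announcing. The following is an added example for this article, not code from yersinia: a small passive decoder for DTP hellos that prints the same ACCESS/AUTO or ACCESS/DESIRABLE status yersinia shows and tells you whether the port would accept a trunk request. The wire layout (802.3 frame to 01:00:0c:cc:cc:cc, LLC/SNAP with Cisco OUI and protocol ID 0x2004, then version byte and TLVs) follows the public Wireshark dissector; the status and type bit masks are assumptions taken from it, and the sample frame is constructed by hand, not captured from a switch.

```python
"""Passive DTP frame decoder: shows what a switch port is advertising (the
ACCESS/DESIRABLE or ACCESS/AUTO line yersinia prints) before any attack is run.
Added example for this article; it is not code from yersinia. Wire format follows
Wireshark's DTP dissector; the frame built below is constructed, not captured."""
import socket
import struct

DTP_MULTICAST = bytes.fromhex("01000ccccccc")          # Cisco CDP/VTP/DTP group address
SNAP_HEADER = bytes.fromhex("aaaa03" "00000c" "2004")  # LLC SNAP, Cisco OUI, PID 0x2004 = DTP
TLV_DOMAIN, TLV_STATUS, TLV_TYPE, TLV_NEIGHBOR = 1, 2, 3, 4

TOS = {0: "ACCESS", 1: "TRUNK"}                        # trunk operating status, bit 7 of status byte
TAS = {1: "ON", 2: "OFF", 3: "DESIRABLE", 4: "AUTO"}   # trunk administrative status, bits 0-2
TOT = {1: "NATIVE", 2: "ISL", 5: "802.1Q"}             # trunk operating type, bits 5-7 of type byte
TAT = {1: "NATIVE", 2: "ISL", 4: "802.1Q", 5: "NEGOTIATE"}  # trunk administrative type, bits 0-2


def parse_dtp(frame: bytes) -> dict:
    """Decode one Ethernet frame; raise ValueError if it is not a DTP hello."""
    if len(frame) < 23:
        raise ValueError("frame too short")
    dst, src = frame[0:6], frame[6:12]
    length = struct.unpack("!H", frame[12:14])[0]
    # DTP is an 802.3 frame (length field below 0x600) to the Cisco multicast address
    if dst != DTP_MULTICAST or length >= 0x0600 or frame[14:22] != SNAP_HEADER:
        raise ValueError("not a DTP frame")
    body = frame[22:14 + length]
    info = {"src": src.hex(":"), "version": body[0]}
    off = 1
    while off + 4 <= len(body):
        tlv_type, tlv_len = struct.unpack("!HH", body[off:off + 4])  # length includes the 4-byte header
        if tlv_len < 4 or off + tlv_len > len(body):
            raise ValueError("malformed TLV")
        val = body[off + 4:off + tlv_len]
        if tlv_type == TLV_DOMAIN:
            info["domain"] = val.rstrip(b"\x00").decode("ascii", "replace")  # VTP domain, must match to trunk
        elif tlv_type == TLV_STATUS and len(val) == 1:
            info["status"] = f"{TOS.get(val[0] >> 7, '?')}/{TAS.get(val[0] & 7, '?')}"
        elif tlv_type == TLV_TYPE and len(val) == 1:
            info["type"] = f"{TOT.get(val[0] >> 5, '?')}/{TAT.get(val[0] & 7, '?')}"
        elif tlv_type == TLV_NEIGHBOR and len(val) == 6:
            info["neighbor"] = val.hex(":")
        off += tlv_len
    return info


def is_dtp(frame: bytes) -> bool:
    try:
        parse_dtp(frame)
        return True
    except ValueError:
        return False


def will_negotiate(info: dict) -> bool:
    """DESIRABLE or AUTO means the port will trunk if our side sends DESIRABLE/ON."""
    return info.get("status", "").endswith(("DESIRABLE", "AUTO"))


def build_dtp_frame(src: bytes, domain: bytes, status: int, dtype: int, neighbor: bytes) -> bytes:
    """Constructed test vector in the same layout (a 'desirable' attacker sends the same shape)."""
    tlvs = b"".join([
        struct.pack("!HH", TLV_DOMAIN, 4 + len(domain)) + domain,
        struct.pack("!HHB", TLV_STATUS, 5, status),
        struct.pack("!HHB", TLV_TYPE, 5, dtype),
        struct.pack("!HH", TLV_NEIGHBOR, 10) + neighbor,
    ])
    payload = SNAP_HEADER + b"\x01" + tlvs          # DTP version 1
    frame = DTP_MULTICAST + src + struct.pack("!H", len(payload)) + payload
    return frame.ljust(60, b"\x00")                  # pad to the minimum Ethernet frame size


def sniff(iface: str) -> None:
    """Print DTP hellos seen on iface (Linux only, needs root). Not exercised by the sample run."""
    s = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(0x0003))
    s.bind((iface, 0))
    while True:
        frame = s.recv(65535)
        if is_dtp(frame):
            info = parse_dtp(frame)
            print(info, "-> negotiable" if will_negotiate(info) else "-> not negotiable")


if __name__ == "__main__":
    # Hand-built sample: a factory-default port (ACCESS/AUTO, 802.1Q/NEGOTIATE) in VTP domain "lab"
    mac = bytes.fromhex("001122334455")
    print(parse_dtp(build_dtp_frame(mac, b"lab\x00", 0x04, 0xA5, mac)))
```

Run it with `sniff("eth0")` on the port you are plugged into: a hello every 30 seconds with ACCESS/AUTO or ACCESS/DESIRABLE is the green light the text describes, a port configured with `switchport nonegotiate` sends nothing at all, and the domain field is what your own frames must carry for the switch to agree to a trunk.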

Mitigation

The solution to this problem is actually quite simple: put every client port explicitly in access mode and stop it from sending DTP at all. The following commands, executed on every client port (the interface range command saves a lot of typing on a stack of 48-port switches), do just that:

# switchport mode access
# switchport access vlan x
# switchport nonegotiate

The first command alone already prevents the port from ever becoming a trunk; the third additionally stops the port from generating DTP frames, so an attacker does not even learn the VTP domain name and the port status from the wire. Verify the result with show interfaces <port> switchport, which should report "Administrative Mode: static access" and "Negotiation of Trunking: Off". Do the same for the real uplinks: configure them as static trunks and add switchport nonegotiate there as well, so that no port on the switch negotiates anything.
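On a large network it is easier to check the running configuration than to walk every port. The script below is an added example for this article (not a Cisco tool): it parses the plain-text output of show running-config, assuming the usual "interface ..." blocks terminated by "!", and reports every physical port that can still negotiate a trunk, i.e. one without an explicit switchport mode, one in a dynamic mode, or one that lacks switchport nonegotiate. The embedded configuration is constructed for the demonstration and shows a factory-default port and an explicitly desirable port next to a port hardened exactly as above and a properly locked-down uplink.

```python
"""Audit a Cisco IOS running-config for ports that can still negotiate a trunk.
Added example for this article (not a Cisco tool). Assumes the plain-text
'show running-config' layout; SAMPLE_CONFIG is constructed for the demo."""
import re

SAMPLE_CONFIG = """\
!
interface GigabitEthernet1/0/1
 description user port, factory default (dynamic mode, nothing configured)
!
interface GigabitEthernet1/0/2
 description user port, explicitly desirable
 switchport mode dynamic desirable
!
interface GigabitEthernet1/0/3
 description user port, hardened as described above
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
!
interface GigabitEthernet1/0/24
 description uplink to core, static trunk with DTP off
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
!
interface Vlan1
 no ip address
!
"""

INTERFACE_RE = re.compile(r"^interface (\S+)$")


def parse_interfaces(config: str) -> dict:
    """Return {interface name: [sub-commands]} for every interface block."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        m = INTERFACE_RE.match(line)
        if m:
            current = m.group(1)
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or any top-level command closes the block
    return interfaces


def audit_dtp(config: str, uplinks=()) -> dict:
    """Return {interface: [findings]}; an empty list means DTP cannot turn the port into a trunk."""
    findings = {}
    for name, cmds in parse_interfaces(config).items():
        if name.lower().startswith(("vlan", "loopback")):
            continue  # SVIs and loopbacks are not switch ports
        mode = next((c[len("switchport mode "):] for c in cmds if c.startswith("switchport mode ")), None)
        nonegotiate = "switchport nonegotiate" in cmds
        issues = []
        if mode is None:
            issues.append("no 'switchport mode': port keeps the platform default dynamic mode "
                          "and accepts a DTP trunk request")
        elif mode.startswith("dynamic"):
            issues.append(f"'switchport mode {mode}' negotiates trunking")
        elif mode == "trunk":
            if name not in uplinks:
                issues.append("client port is a static trunk")
            if not nonegotiate:
                issues.append("trunk still sends DTP frames; add 'switchport nonegotiate'")
        elif mode == "access" and not nonegotiate:
            issues.append("access port still sends DTP hellos (leaks the VTP domain); "
                          "add 'switchport nonegotiate'")
        findings[name] = issues
    return findings


def remediation(name: str, vlan: int) -> list:
    """The configuration lines from the Mitigation section for one client port."""
    return [f"interface {name}", "switchport mode access",
            f"switchport access vlan {vlan}", "switchport nonegotiate"]


if __name__ == "__main__":
    known_uplinks = ("GigabitEthernet1/0/24",)
    for port, issues in audit_dtp(SAMPLE_CONFIG, uplinks=known_uplinks).items():
        print(port, "OK" if not issues else "; ".join(issues))
```

Feed it the saved output of show running-config from each switch and pass the real uplinks in uplinks; anything listed with a finding is a port the attack in the Scenario section would work against, and remediation() produces the lines to paste into interface configuration mode.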
