-//--**--//--xx--//--**--//--xx--//--**--//--xx--//--**--//--xx--//--**--//-
            .o (( Hacking in Switched Environments By Olmec )) o.
-//--**--//--xx--//--**--//--xx--//--**--//--xx--//--**--//--xx--//--**--//-

-[Contents:]

   Introduction.
   Switched Environments: Definition and Examples.
   Common sense.

-[This article serves to explain the problems switched environments can pose
  to common techniques employed on networks.]

-[Introduction:]

Today LAN environments are evolving to support their increased load and their
need for security. The easiest way to achieve both is to move to a switched
network: conversations become private and the load on each node's NIC is
reduced, because each node only sees the traffic it is itself a party to
(plus whatever is broadcast). How complex the switched network is depends on
what the LAN needs; switches working at different layers are used for this.

-[Switched Environments:]

Switches route (yes, yes, wrong word) packets based on various levels of
information. Each layer adds its own addressing on top of the layer below it,
and a switch working at a given layer can base its forwarding decision on any
of the addressing up to and including that layer:

Layer 1: This is the underlying network medium [Ed: Physical Layer], usually
Ethernet, but it can be Token-Ring etc.

Layer 2: This is the Data-link layer. This is the level that devices sharing
the Layer 1 medium use to communicate with each other. Frames here carry the
physical (MAC) address of the interface that sent them and of the interface
they are meant for, so every frame transmitted from a node has both a source
and a destination MAC address present.

Layer 3: This is the Network layer, essentially the protocol carried inside
the Layer 2 frames. For instance IP (and IPX) packets have their own unique
addresses and fields such as TOS.

Layer 4: This is the Transport layer. Port numbers (and thus sockets) and the
contents of the Layer 3 packet are what is unique to this layer.

[Ed: For the sake of making things a bit clearer, these are the three OSI
layers that don't apply to switching...

Layer 5: The Session Layer.
This layer manages communication sessions - service requests and responses and
all that junk.

Layer 6: The Presentation Layer - coding and conversion functions for the
application layer - like ASCII or MPEG or whatever.

Layer 7: The Application Layer - provides services directly to applications.

Okay. Now I've confused you even more than Olmec has. That wasn't my
intention. I just wanted to get the full picture intact for y'all so I can
show you how it fits together, so Olmec's terminology makes a bit more sense
to y'all dumbasses :) Aight...

   User information from the Application layer is converted to data
   That data is then converted into segments
   Segments are converted to packets or datagrams
   Those are converted to frames
   And frames are converted to bits

 -------------------------------------------------------------------------
 |              |                   | Application  |                     |
 -------------------------------------------------------------------------
 |              |                   | Presentation |                     |
 -------------------------------------------------------------------------
 |              | Upper Layer Data  | Session      | PDU                 |
 -------------------------------------------------------------------------
 | TCP Header   | Upper Layer Data  | Transport    | Segment             |
 -------------------------------------------------------------------------
 | IP Header    | Data              | Network      | Packet              |
 -------------------------------------------------------------------------
 | LLC Header   | Data              | Data-Link    | Frame               |
 -------------------------------------------------------------------------
 | MAC Header   | Data              | Physical     | Bits                |
 -------------------------------------------------------------------------
 |              | 101110101         |              |                     |
 -------------------------------------------------------------------------

You dig? Hokay, back to Olmec... ]

For example a Layer 2 switch can switch frames based on source and
destination physical (MAC) address. Layer 3 switches can switch on
network-layer information: the protocol type and the IP (or IPX) addresses.
Layer 4 switches can switch based on connections, i.e.
complete sockets (source and destination address plus port), as well as on
the switch's own ports; rules can also be applied on top of this, further
limiting which conversations are allowed.

There are essentially two types of conversations, direct and broadcast. In a
direct conversation the sender knows the exact address of the receiver and
needs only to communicate with it. A broadcast conversation is one where the
sender does not know the address of the party it needs, either because it
lacks higher-level configuration (an IP address still to be assigned over
DHCP, for example) or because the protocol itself works by broadcast (ARP).

Which switches are used depends on the needs of the network. For instance,
refer to [Figure 1]: here direct conversations between PC 1 and PC 2 are
private from both the Layer 4 switch and any other network device, except
the Layer 2 switch they are both connected to.

   +------+   +------+                +-----+
   | PC 1 |   | PC 2 | .............. | YOU |
   +------+   +------+                +-----+
         \      /
      +----------------+
      | Layer 2 Switch |        +----------------------------+
      +----------------+        | PC 3 (central DHCP server) |
               \                +----------------------------+
                \                             |
             +----------------+         +----------+
             | Layer 4 Switch |=========| Internet |
             | With rule set  |         +----------+
             +----------------+

-[Figure 1]

A layer four switch has the ability to route packets based on physical
addresses, IP addresses and ports. This allows rule-sets to be established
in order to further increase network security (i.e. sales can't get to
accounts etc). The problem is that each of these implementations has several
drawbacks; these will be discussed later.

-[Network Enumeration in switched environments:]

Note: please refer to the LAN detailed in Figure One.

Ok, so you have plugged into the LAN (into the layer 2 switch) and you need
to know what's what and where. Here are your detailed options:

1. You can send out an IP packet that is "corrupt" only in the sense that its
destination is the limited broadcast address (255.255.255.255), or send a
frame to the lower-level physical broadcast address (FF-FF-FF-FF-FF-FF). One
of two things is going to happen:

1.1 The Layer 2 switch is going to drop the packet (this is bad) and/or kill
the port for a period.
However, the MAC (FF-FF-FF-FF-FF-FF) is the Ethernet broadcast address, so
the frame will most probably be sent to all active ports on the switch (see
1.2).

1.2 The Layer 2 switch is going to broadcast that packet to all PCs on the
LAN (this is better). Information regarding PCs on the LAN can be determined
from the resulting packets. However, due to the nature of the packet, most
PCs are likely to drop it. The beauty of MS LANs is that they essentially run
on several broadcast protocols: NetBEUI and NetBIOS-over-TCP/IP, the name
service behind their SMB file sharing.

2. You can send various DHCP/BOOTP requests out. A well-formed DHCPDISCOVER
is itself a broadcast (from 0.0.0.0 to 255.255.255.255), so no prior
knowledge of the server's IP is needed; the DHCPOFFER that comes back carries
the server's IP as its source address and in the server identifier option. I
have also found that MS's DHCP seems to respond (at least in part) to
requests with invalid source and destination IPs. The response is sufficient
to gain the DHCP server's IP.

2.1 There are several protocols that are broadcast over the LAN (WINS and ARP
are excellent examples). These are too complex to explain now, but ICMP
errors and ARP requests are magic. [Wizdumb: Connectionless protocols in WAN
environments are just asking for it.] BOOTP is another excellent example.
BOOTP servers respond to some of the most mundane requests. It's broadcast,
and it is very easy to gain information from.

3. One can use directed broadcast pings; this does however require knowledge
of the subnet, i.e. the network part of the IP address (the first 24 bits of
a /24). All machines on that subnet whose IP stack answers echo requests sent
to a broadcast address will respond:

3.1 ping 192.168.1.255 - every machine on 192.168.1.0/24 that answers
broadcast echo requests will reply. Windows stacks ignore echo requests sent
to a broadcast address, so this mainly finds the Unix boxes.

4. Another method, similar to that described in 3 above, developed in
co-operation with Aragon, is a SYN-BROADCAST. Herein a TCP packet with the
SYN flag set is sent to a broadcast address.

4.1 The resulting responses are very interesting. 99% of the time, Windows
boxes will respond with a RST/ACK. (RFC 1122 requires a TCP to silently
discard a SYN addressed to a broadcast address, so compliant stacks stay
quiet and the reply itself is the fingerprint.) Thus detection of M$ boxes
(NT and 98 inc.) can be reliably done without much LAN noise being generated
(see article on SZN with regards to logging SYN scans). [Ed: SZN is @
www.security.za.net]
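The point made in the Switched Environments section, that a Layer 2 switch
only delivers a frame to the port it has learnt the destination MAC on and
floods broadcasts and unknown destinations to every other port, is what both
hides the PC 1 / PC 2 conversation from YOU and makes the broadcast-based
tricks above work. The toy learning switch below replays the Figure 1
scenario and reports exactly which frames reach YOU's port. It is an added
example, not code from the article; the port numbers and MAC addresses are
made up for illustration.

```python
"""Toy learning switch: which frames reach which ports on a Layer 2 switch.

Added example, not from the original article. Ports 1-3 and the MAC
addresses are made up; port 3 plays the role of YOU in Figure 1.
"""
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class Frame:
    src: str          # source MAC
    dst: str          # destination MAC
    payload: str = ""


class LearningSwitch:
    """Minimal Layer 2 switch: learns source MACs, floods unknowns/broadcasts."""

    def __init__(self, ports):
        self.ports = list(ports)
        self.cam = {}  # MAC -> port, the switch's "CAM table"

    def receive(self, in_port, frame):
        """Return the list of ports the frame is forwarded out of."""
        # Learn: the source MAC is reachable via the ingress port.
        self.cam[frame.src] = in_port
        if frame.dst == BROADCAST or frame.dst not in self.cam:
            # Broadcast or unknown unicast: flood to every port except ingress.
            return [p for p in self.ports if p != in_port]
        out = self.cam[frame.dst]
        # Known unicast: deliver to that one port only (drop a hairpin).
        return [] if out == in_port else [out]


def figure_one_walkthrough():
    """Replay Figure 1: PC 1 (port 1) and PC 2 (port 2) talk, YOU sit on port 3."""
    sw = LearningSwitch(ports=[1, 2, 3])
    pc1, pc2 = "00:00:00:00:00:01", "00:00:00:00:00:02"   # made-up MACs
    seen_by_you = []

    def send(port, frame):
        outs = sw.receive(port, frame)
        if 3 in outs:
            seen_by_you.append(frame.payload)
        return outs

    # PC 1 does not yet know PC 2's MAC: an ARP-style broadcast floods everywhere.
    first = send(1, Frame(pc1, BROADCAST, "who-has PC2?"))
    # PC 2 answers unicast; the switch already learnt PC 1 on port 1, so only
    # port 1 sees the reply.
    reply = send(2, Frame(pc2, pc1, "PC2 is here"))
    # From now on the conversation is private to ports 1 and 2.
    data = send(1, Frame(pc1, pc2, "private data"))
    return {"first": first, "reply": reply, "data": data, "you_saw": seen_by_you}


if __name__ == "__main__":
    print(figure_one_walkthrough())
```

The only frame YOU ever see is the initial broadcast; once both MACs are in
the CAM table the unicast traffic never leaves ports 1 and 2, which is why
the enumeration techniques above all lean on broadcast in one form or
another.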
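For option 2, here is an added example (my own code, not the article's or
Microsoft's) of the DHCPDISCOVER / DHCPOFFER exchange: it builds the
broadcast DISCOVER with struct and parses the OFFER to recover the server's
IP from option 54 (falling back to siaddr). build_offer constructs the server
side so the parser can be exercised offline; the client MAC, xid and the
192.168.1.x addresses are assumptions. Sending for real means binding UDP
port 68, which needs root on most systems.

```python
"""Find the DHCP server with a broadcast DHCPDISCOVER and pull its IP out of
the DHCPOFFER (option 54, else siaddr).

Added example, not from the original article. Layout follows RFC 2131/2132;
the client MAC and sample addresses are made up.
"""
import os
import socket
import struct

BOOTREQUEST, BOOTREPLY = 1, 2
DHCPDISCOVER, DHCPOFFER = 1, 2
MAGIC_COOKIE = b"\x63\x82\x53\x63"
# Fixed 236-byte BOOTP header: op, htype, hlen, hops, xid, secs, flags,
# ciaddr, yiaddr, siaddr, giaddr, chaddr(16), sname(64), file(128)
HEADER_FMT = "!BBBBIHH4s4s4s4s16s64s128s"
ZERO4 = b"\0" * 4


def bootp_header(op, xid, yiaddr, client_mac):
    """Header with htype=Ethernet, hlen=6, BROADCAST flag set, other addrs 0."""
    return struct.pack(HEADER_FMT, op, 1, 6, 0, xid, 0, 0x8000,
                       ZERO4, yiaddr, ZERO4, ZERO4,
                       client_mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)


def build_discover(client_mac, xid):
    """DHCPDISCOVER: every address field is 0.0.0.0 and the broadcast flag is
    set, so the server must answer to ff:ff:ff:ff:ff:ff / 255.255.255.255 and
    we need no prior knowledge of its address."""
    options = (bytes([53, 1, DHCPDISCOVER])      # message type
               + bytes([55, 3, 1, 3, 6])         # parameter request: mask, router, DNS
               + bytes([255]))                   # end
    return bootp_header(BOOTREQUEST, xid, ZERO4, client_mac) + MAGIC_COOKIE + options


def build_offer(xid, offered_ip, server_ip, client_mac=b"\0" * 6):
    """Constructed DHCPOFFER, as a server would send it (for offline testing)."""
    options = (bytes([53, 1, DHCPOFFER])
               + bytes([54, 4]) + socket.inet_aton(server_ip)   # server identifier
               + bytes([51, 4]) + struct.pack("!I", 3600)        # lease time
               + bytes([255]))
    return (bootp_header(BOOTREPLY, xid, socket.inet_aton(offered_ip), client_mac)
            + MAGIC_COOKIE + options)


def parse_options(blob):
    """Decode the TLV option area into {code: raw value}; stops at END (255)."""
    opts, i = {}, 0
    while i < len(blob):
        code = blob[i]
        if code == 255:
            break
        if code == 0:             # PAD carries no length byte
            i += 1
            continue
        length = blob[i + 1]
        opts[code] = blob[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def parse_offer(packet, expect_xid):
    """{'server', 'offered'} if packet is a DHCPOFFER for our xid, else None."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        return None
    f = struct.unpack(HEADER_FMT, packet[:236])
    op, xid, yiaddr, siaddr = f[0], f[4], f[8], f[9]
    if op != BOOTREPLY or xid != expect_xid:
        return None
    opts = parse_options(packet[240:])
    if opts.get(53) != bytes([DHCPOFFER]):
        return None
    # Option 54 (server identifier) names the DHCP server; siaddr is "next
    # server" (often a TFTP box), so it is only a fallback.
    server = opts.get(54, siaddr)
    return {"server": socket.inet_ntoa(server), "offered": socket.inet_ntoa(yiaddr)}


def discover(timeout=3.0, client_mac=b"\x02\x00\x00\x00\x00\x01"):
    """Broadcast a DISCOVER and return the first matching OFFER (None on timeout).
    Binding UDP/68 needs root on most systems."""
    xid = int.from_bytes(os.urandom(4), "big")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        s.bind(("", 68))
        s.settimeout(timeout)
        s.sendto(build_discover(client_mac, xid), ("255.255.255.255", 67))
        try:
            while True:
                offer = parse_offer(s.recvfrom(1500)[0], xid)
                if offer:
                    return offer
        except socket.timeout:
            return None


if __name__ == "__main__":
    print(discover())
```

The xid check matters on a busy LAN: other clients' OFFERs are broadcast too
when they set the broadcast flag, and without it you would attribute someone
else's lease to your probe.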
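For options 3 and 4, an added example of the SYN-BROADCAST idea (my own code,
not Aragon's or Olmec's tool): it crafts an Ethernet-broadcast frame carrying
a TCP SYN to the directed-broadcast IP, with correct IP and TCP checksums,
and classifies the replies, a RST/ACK being the signature described in 4.1.
The MACs, the 192.168.1.x addresses and the port numbers are assumptions;
the raw send uses a Linux AF_PACKET socket and needs root, and build_tcp_frame
doubles as a way to construct a reply so the classifier can be checked
offline.

```python
"""SYN to a directed-broadcast address, and classification of what comes back.

Added example, not from the original article. Addresses, MACs and ports are
made up; syn_broadcast_sweep() is Linux-only (AF_PACKET) and needs root.
"""
import socket
import struct
import time

ETH_P_IP = 0x0800
ETH_BCAST = b"\xff" * 6
TCP_SYN, TCP_RST, TCP_ACK = 0x02, 0x04, 0x10


def checksum(data):
    """RFC 1071 one's-complement sum over 16-bit words (pads an odd byte)."""
    if len(data) % 2:
        data += b"\0"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_tcp_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, flags,
                    seq=0, ack=0, ttl=64):
    """Ethernet/IPv4/TCP frame, no payload, valid IP and TCP checksums."""
    src, dst = socket.inet_aton(src_ip), socket.inet_aton(dst_ip)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, 0x4000, ttl,
                     socket.IPPROTO_TCP, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags,
                      8192, 0, 0)
    pseudo = src + dst + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    return dst_mac + src_mac + struct.pack("!H", ETH_P_IP) + ip + tcp


def build_syn_broadcast(src_mac, src_ip, bcast_ip, sport, dport):
    """The probe: SYN to the directed-broadcast IP inside an Ethernet broadcast
    frame, so the Layer 2 switch floods it out of every port."""
    return build_tcp_frame(src_mac, ETH_BCAST, src_ip, bcast_ip, sport, dport, TCP_SYN)


def tcp_checksum_ok(frame):
    """Recompute the TCP checksum over pseudo-header + segment; valid iff 0."""
    ihl = (frame[14] & 0x0F) * 4
    ip, tcp = frame[14:14 + ihl], frame[14 + ihl:]
    pseudo = ip[12:16] + ip[16:20] + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(tcp))
    return checksum(pseudo + tcp) == 0


def classify_reply(frame, our_port):
    """(src_ip, src_port, verdict) for a TCP segment aimed at our probe port,
    else None. A RST/ACK means a live stack that answers TCP sent to a
    broadcast address (the article's Windows signature); a SYN/ACK means the
    probed port is open on that host."""
    if len(frame) < 54 or struct.unpack("!H", frame[12:14])[0] != ETH_P_IP:
        return None
    if frame[23] != socket.IPPROTO_TCP:            # IP protocol field
        return None
    ihl = (frame[14] & 0x0F) * 4
    tcp = frame[14 + ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    if dport != our_port:
        return None
    flags = tcp[13]
    if flags & TCP_RST:
        verdict = "closed port: stack answers broadcast TCP (RST/ACK)"
    elif flags & TCP_SYN and flags & TCP_ACK:
        verdict = "open port (SYN/ACK)"
    else:
        verdict = "other (flags=0x%02x)" % flags
    return socket.inet_ntoa(frame[26:30]), sport, verdict


def syn_broadcast_sweep(iface, src_mac, src_ip, bcast_ip, dport=139,
                        sport=40000, timeout=2.0):
    """Send one probe and collect {src_ip: verdict} (Linux AF_PACKET, root)."""
    hosts = {}
    s = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETH_P_IP))
    s.bind((iface, 0))
    s.settimeout(0.2)
    s.send(build_syn_broadcast(src_mac, src_ip, bcast_ip, sport, dport))
    deadline = time.time() + timeout
    while time.time() < deadline:
        try:
            hit = classify_reply(s.recv(65535), sport)
        except socket.timeout:
            continue
        if hit:
            hosts[hit[0]] = hit[2]
    s.close()
    return hosts
```

One probe frame on the wire, a handful of RST/ACKs back: that is the whole
reason this is quieter than a per-host SYN scan, and why a sensor that only
logs SYNs to its own address never sees it.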