TUCoPS :: General Information :: hackswev.txt

Hacking in Switched Environments

             .o (( Hacking in Switched Environments By Olmec )) o.


Switched Environments: Definition and Examples.
Common sense.

-[This article serves to explain the problems switched environments can
pose to common techniques employed on networks.]


Today LAN environments are evolving to support their increased load, and
need for security. The easiest way to achieve both is to move to a
switched network; herein conversations become private and load on each
node's NIC is reduced. Essentially each node is only aware of
conversations it's implicitly involved in. The complexity of the switched
network depends on what solution the LAN needs. Different Layered switches
are used here.

-[Switched Environments:]

Switches route (yes, yes wrong word) packets based on various levels of
information. Each level consists of a unique set (to those levels below
it) and each level above it has a unique set:

	Layer 1:        This is the underlying network medium [Ed: Physical 
			Layer] usually Ethernet, but can be Token-Ring etc.
	Layer 2:        This is the Data-link layer.  This is the level
			that devices using the Layer 1 medium use to
			communicate.  Datagrams here have a unique physical
			address that they use it identify themselves.
			Each datagram transmitted from a node has both the
			source and destination address (MAC address)
	Layer 3:        This is the Network layer.  Essentially the
			protocol used to communicate on top of Layer 2
			datagrams.  For instance packets have unique 
			IP addresses and TOS fields (IPX and IP).
	Layer 4:        This is the Transport layer.  Sockets and Layer 3
			packet contents are unique to this layer.

[Ed: For the sake of making things a bit clearer, these are the three OSI
     layers that don't apply to switching...

     Layer 5: The Session Layer. This layer manages communication sessions -
	      service requests and responses and all that junk.
     Layer 6: The Presentation Layer - coding and conversion functions for the
	      application layer - like ASCII or MPEG or whatever.
     Layer 7: The Application Layer - Provides services directly to

     Okay. Now I've confused you even more than Olmec has. That wasn't my
     intention. I just wanted to get the full picture intact for yall so I can 
     show you how it fits together, so Olmec's terminology makes a bit more
     sense to yall dumbasses :) Aight...

     User information from the Application layer is converted to data
     That data is then converted into segments
     Segments are converted to packets or datagrams
     Those are converted to frames
     And frames are converted to bits

  |                 |                 | Application     |                 |
  |                 |                 | Presentation    |                 |
  |                 | Upper Layer Data| Session         | PDU             |
  | TCP Header      | Upper Layer Data| Transport       | Segment         |
  | IP Header       | Data            | Network         | Packet          |
  | LLC Header      | Data            | Data-Link       | Frame           |
  | MAC Header      | Data            | Physical        | Bits            |
  |                 | 101110101       |                 |	          |

  You dig? Hokay, back to Olmec... ]

For example a Layer 2 switch can switch packets based on source and
destination physical address. Layer 3 switches can switch on protocol
information, protocol type and socket addresses. Layer 4 switches can
switch based on connections i.e. complete sockets, as well as switch side
ports, rules can also be applied on top of this further limiting

There are essentially two types of conversations, direct and broadcast.  
Direct conversations are those that sender knows the exact address of the
receiver and needs only to communicate with it.  Broadcast conversations
are those that hosts, either lacking higher level config (IP address
assigned over DHCP for example). The use of various switches depends on
the need of the network.  For instance, refer to [Figure 1] here direct
conversations between PC 1 and PC 2 are private from both the Layer 4
switch and any other network device, except the Layer 2 switch they both
are connected to.

+------+                     +------+                       +-----+
| PC 1 |                     | PC 2 |   ..............      | YOU |
+------+                     +------+                       +-----+
	\                   /
	 | Layer 2 Switch |     +----------------------------+
	 +----------------+     | PC 3 (central DHCP server) |
			   \    +----------------------------+
			    \       |
			     +----------------+         +----------+
			     | Layer 4 Switch |=========| Internet |
			     | With rule set  |         +----------+
		-[Figure 1]

A layer four switch has the ability to route packets based on physical
addresses, IP addresses and ports. This allows rule-sets to be established
in order to further increase network security (i.e. sales cant get to
accounts etc). The problem is that each of these implementations has several 
drawbacks these will be discussed later.

-[Network Enumeration in switched environments:]

Note: please refer to the LAN detailed in Figure One

Ok, so you have plugged into the LAN (into the layer 2 switch) and you
need to know what's what and where. Here are your detailed options:

1.      You can send out an IP packet that is corrupt, in the sense that the
	IP address is ( or send to a lower level physical
	address (FF-FF-FF-FF-FF-FF).  One of two things is going to happen:

1.1     The Layer 2 switch is going to drop the packet (this is bad) and/or
	kill the port for a period. However, the MAC (FF-FF-FF-FF-FF-FF) is a
	broadcast address, so it will most probably be sent to all active
	ports on the switch (see below). The Layer 2 switch is going to
	broadcast that packet to all PCs on the LAN (this is better).
	Information regarding PCs on the LAN can be determined from the
	resulting packets. However due to the nature of the packet, most PCs
	are likely to drop it. The beauty of MS LANs is that they essentially
	run on several broadcast protocols, NetBEUI and their Samba.
2.      You can send various DHCP/BOOTP requests out, however for this to
	work, you need to know the IP of the DHCP server.  However I
	have found that MS's DHCP seems to respond (at least in part) to
	requests with invalid source and destination IPs. The response is
	sufficient to gain the DHCP servers IP.

2.1     There are several protocols that are broadcast over the LAN, (WINS
	and ARP are excellent examples). These are too complex to explain
	now but ICMP errors and ARP requests are magic.
	[Wizdumb: Connectionless protocols in WAN environments is just asking
	for it.] BOOTP is also another excellent example. BOOTP servers respond
	to some of the most mundane requests. Its broadcast, and very easy to
	gain information.

3.      One can use directional broadcast pings, this does however require
	knowledge of subnets i.e. the first 24 bits of the IP address. Thus
	all machines on that subnet will respond:

3.1     ping 
	all machines on will respond.

4.      Another method, similar to that described in 3 above, developed in
	co-operation with Aragon, is a SYN-BROADCAST. Herein a TCP packet,
	with the SYN flag set is sent to a broadcast address.

4.1     The resulting responses are very interesting. 99% of the time, windows
	boxes will respond with a RST/ACK. Thus detection of M$ boxes (NT
	and 98 inc.) can be reliably done without much LAN noise being
	generated (see article on SZN with regards to logging SYN scans).
        [Ed: SZN is @ www.security.za.net]

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH