1
00:00:06,464 --> 00:00:07,614
- [Instructor] This is a demonstration

2
00:00:07,614 --> 00:00:09,987
of switch hacking using Yersinia.

3
00:00:09,987 --> 00:00:11,891
In this demo, as an attacker,

4
00:00:11,891 --> 00:00:15,198
we have a goal of denying service to a victim machine

5
00:00:15,198 --> 00:00:17,368
or even performing a man-in-the-middle attack

6
00:00:17,368 --> 00:00:20,248
by acting as a rogue DHCP server,

7
00:00:20,248 --> 00:00:22,779
but to do this, we must deny network access

8
00:00:22,779 --> 00:00:25,344
to the legitimate DHCP server.

9
00:00:25,344 --> 00:00:27,504
We'll gain unauthorized access through a switch

10
00:00:27,504 --> 00:00:29,718
to other VLANs or broadcast domains

11
00:00:29,718 --> 00:00:34,289
by negotiating Dynamic Trunking Protocol, or DTP.

12
00:00:34,289 --> 00:00:35,450
Once we have this access,

13
00:00:35,450 --> 00:00:39,444
we can use Cisco's VLAN Trunking Protocol, or VTP,

14
00:00:39,444 --> 00:00:42,277
again using Yersinia, to deny network access

15
00:00:42,277 --> 00:00:44,808
to the legitimate DHCP server.

16
00:00:44,808 --> 00:00:48,036
VTP is used to share VLAN information between switches

17
00:00:48,036 --> 00:00:51,681
and we can exploit this to remove the server's VLAN.

18
00:00:51,681 --> 00:00:53,353
Let's get started.

19
00:00:53,353 --> 00:00:55,013
I've already created the topology

20
00:00:55,013 --> 00:00:57,368
and configuration using AutoNetkit.

21
00:00:57,368 --> 00:00:59,779
Let's use the AutoNetkit Visualization tool

22
00:00:59,779 --> 00:01:01,520
to help you understand this network.

23
00:01:01,520 --> 00:01:02,797
This is the window you're prompted

24
00:01:02,797 --> 00:01:06,118
to open after you build your initial configurations.

25
00:01:06,118 --> 00:01:07,662
Starting from the Physical diagram,

26
00:01:07,662 --> 00:01:10,785
you could see how the devices are connected together.
27
00:01:10,785 --> 00:01:12,847
We have two switches with a connection between them

28
00:01:12,847 --> 00:01:14,786
that acts as a trunk.

29
00:01:14,786 --> 00:01:16,168
The router provides the function

30
00:01:16,168 --> 00:01:19,987
to route between the two VLANs configured on both switches.

31
00:01:19,987 --> 00:01:20,997
The attacker Kali machine

32
00:01:20,997 --> 00:01:23,122
and victim are connected to switch one,

33
00:01:23,122 --> 00:01:25,769
the server is connected to switch two.

34
00:01:25,769 --> 00:01:27,255
You'll see that even though the attacker

35
00:01:27,255 --> 00:01:29,354
isn't directly attached to switch two,

36
00:01:29,354 --> 00:01:31,536
we could still affect its state.

37
00:01:31,536 --> 00:01:34,682
Let's look at the Layer 2 diagram.

38
00:01:34,682 --> 00:01:36,807
You'll see how vlan2 and vlan3

39
00:01:36,807 --> 00:01:38,967
are logically placed in the network.

40
00:01:38,967 --> 00:01:42,287
The Kali machine and victim are on vlan2

41
00:01:42,287 --> 00:01:44,537
and the server is on vlan3.

42
00:01:45,909 --> 00:01:48,028
The router provides Layer 3 connectivity

43
00:01:48,028 --> 00:01:50,594
between the two VLANs.

44
00:01:50,594 --> 00:01:54,677
Let's start the simulation and open the consoles.

45
00:01:55,865 --> 00:01:58,210
I'll run the command show int status,

46
00:01:58,210 --> 00:02:02,377
note how Kali is connected to port Gigabit Ethernet 0/3.

47
00:02:03,655 --> 00:02:05,640
On switch two, we'll run the same command

48
00:02:05,640 --> 00:02:08,890
and you could see server-1 is on vlan3.

49
00:02:09,866 --> 00:02:10,911
On Kali, we'll see that we can

50
00:02:10,911 --> 00:02:14,494
successfully ping the server at 10.0.128.2.

51
00:02:17,912 --> 00:02:19,828
AutoNetkit follows best practices

52
00:02:19,828 --> 00:02:22,103
and hardcodes the switchport mode to access

53
00:02:22,103 --> 00:02:23,601
for our Kali machine.
54
00:02:23,601 --> 00:02:25,490
To demonstrate Dynamic Trunking Protocol,

55
00:02:25,490 --> 00:02:27,278
we'll put the port back in the default mode,

56
00:02:27,278 --> 00:02:29,111
which is dynamic auto.

57
00:02:32,987 --> 00:02:34,357
We'll verify the change was made

58
00:02:34,357 --> 00:02:37,956
by doing show int gi0/3 switchport.

59
00:02:37,956 --> 00:02:40,356
Note that the Administrative Mode has changed

60
00:02:40,356 --> 00:02:41,448
to dynamic auto

61
00:02:41,448 --> 00:02:44,544
and the Trunking Encapsulation is set to negotiate.

62
00:02:44,544 --> 00:02:46,016
Our Access VLAN is two,

63
00:02:46,016 --> 00:02:48,506
but when we ask the switch to enable trunking,

64
00:02:48,506 --> 00:02:50,514
our Native VLAN will be one.

65
00:02:50,514 --> 00:02:52,894
This will isolate Kali from vlan2,

66
00:02:52,894 --> 00:02:55,086
unless we send frames tagged

67
00:02:55,086 --> 00:02:57,509
with the VLAN ID of two.

68
00:02:57,509 --> 00:03:00,493
AutoNetkit also makes VLAN Trunking Protocol passive

69
00:03:00,493 --> 00:03:02,707
by placing it in Transparent mode.

70
00:03:02,707 --> 00:03:05,842
You can see this with the command show vtp status.

71
00:03:05,842 --> 00:03:08,164
We'll change this by placing switch one in Server mode

72
00:03:08,164 --> 00:03:10,741
and running show vtp status again.

73
00:03:10,741 --> 00:03:14,074
Note that the updater ID is 172.16.1.137

74
00:03:15,072 --> 00:03:17,572
and was also the last updater.

75
00:03:20,320 --> 00:03:22,851
We'll place switch two in VTP Client mode

76
00:03:22,851 --> 00:03:24,851
and run show vtp status.

77
00:03:27,367 --> 00:03:29,062
This will make switch one the server

78
00:03:29,062 --> 00:03:31,163
and switch two the client.

79
00:03:31,163 --> 00:03:32,916
You'll see that the switch is in Client mode

80
00:03:32,916 --> 00:03:33,912
and has been updated

81
00:03:33,912 --> 00:03:36,662
by the updater ID for switch one.
82
00:03:37,528 --> 00:03:40,625
Now we've undone the best practices configurations

83
00:03:40,625 --> 00:03:41,704
by AutoNetkit

84
00:03:41,704 --> 00:03:45,016
and placed the switches in a more default state.

85
00:03:45,016 --> 00:03:48,499
Let's run Yersinia in ncurses as our Interactive mode.

86
00:03:48,499 --> 00:03:51,979
There is a GUI mode, but you'll find it quite unstable.

87
00:03:51,979 --> 00:03:53,976
By default, eth0 is selected,

88
00:03:53,976 --> 00:03:56,921
we'll change the attacking interface to eth1.

89
00:03:56,921 --> 00:03:58,431
You could do this with the i key,

90
00:03:58,431 --> 00:04:00,880
to get help use the h key.

91
00:04:00,880 --> 00:04:03,551
You should see configuration bridge protocol data units

92
00:04:03,551 --> 00:04:04,884
from the switch.

93
00:04:08,740 --> 00:04:11,051
Now we'll change the protocol mode to DTP

94
00:04:11,051 --> 00:04:12,634
by using the g key.

95
00:04:14,302 --> 00:04:16,728
You could see the advertised VTP domain name

96
00:04:16,728 --> 00:04:19,398
and that the status of our port is ACCESS,

97
00:04:19,398 --> 00:04:20,524
but the switch is also set

98
00:04:20,524 --> 00:04:24,248
to dynamically auto negotiate using DTP.

99
00:04:24,248 --> 00:04:26,442
We'll execute an attack using the x key,

100
00:04:26,442 --> 00:04:29,002
our attack will be to enable trunking mode.

101
00:04:29,002 --> 00:04:30,186
We've sent a frame to the switch

102
00:04:30,186 --> 00:04:31,580
that we desire trunking,

103
00:04:31,580 --> 00:04:32,706
then the switch will reflect this

104
00:04:32,706 --> 00:04:34,830
by enabling trunking mode.

105
00:04:34,830 --> 00:04:36,897
We could verify this by going back to switch one

106
00:04:36,897 --> 00:04:38,798
and running show int trunk.

107
00:04:38,798 --> 00:04:40,412
This will show our port in auto mode

108
00:04:40,412 --> 00:04:43,125
and that we've negotiated 802.1q trunking

109
00:04:43,125 --> 00:04:44,786
with the Native VLAN of one.
110
00:04:44,786 --> 00:04:46,617
We don't have any VLANs in spanning tree

111
00:04:46,617 --> 00:04:47,848
forwarding state yet,

112
00:04:47,848 --> 00:04:49,148
we'll have to wait for STP to go

113
00:04:49,148 --> 00:04:50,721
through the listening and learning phases

114
00:04:50,721 --> 00:04:52,543
and enter forwarding.

115
00:04:52,543 --> 00:04:54,064
Then when we verify this,

116
00:04:54,064 --> 00:04:55,759
you could see that we're in forwarding state

117
00:04:55,759 --> 00:04:57,756
and now if we do show int trunk again,

118
00:04:57,756 --> 00:04:58,955
you could see that one through three

119
00:04:58,955 --> 00:05:01,218
are now in forwarding state.

120
00:05:01,218 --> 00:05:04,814
Let's open a new tab and try pinging the server.

121
00:05:04,814 --> 00:05:06,835
You'll see we can't do this

122
00:05:06,835 --> 00:05:08,271
because of our Native VLAN,

123
00:05:08,271 --> 00:05:10,354
which has changed to one.

124
00:05:14,819 --> 00:05:16,201
So, let's go to the victim console

125
00:05:16,201 --> 00:05:18,451
and try pinging the server.

126
00:05:20,644 --> 00:05:22,444
You could see, I could still reach the server,

127
00:05:22,444 --> 00:05:24,731
so let's change that.

128
00:05:24,731 --> 00:05:26,763
Let's go back to Yersinia and use the g key

129
00:05:26,763 --> 00:05:29,096
to change the attack to VTP,

130
00:05:30,989 --> 00:05:33,610
then we'll choose the attack that deletes one VLAN.

131
00:05:33,610 --> 00:05:37,527
We'll target the server's VLAN, which is vlan3.

132
00:05:38,428 --> 00:05:42,595
After some time, you'll see state changes from VTP.

133
00:05:44,494 --> 00:05:48,661
In the meantime, we can look at the running attacks.

134
00:05:50,423 --> 00:05:54,173
Now, we'll try pinging the server again from the victim,

135
00:05:54,173 --> 00:05:58,562
you'll see that the server is no longer reachable.
136
00:05:58,562 --> 00:06:00,385
You can verify this on either switch

137
00:06:00,385 --> 00:06:02,858
by using the show vlan command.

138
00:06:02,858 --> 00:06:04,875
You'll see that vlan3 is now missing,

139
00:06:04,875 --> 00:06:07,867
which isolates the server from the network,

140
00:06:07,867 --> 00:06:11,416
now we can be free to attack the victim.

141
00:06:11,416 --> 00:06:14,110
This concludes this demo of switch hacking.

142
00:06:14,110 --> 00:06:16,023
You've seen how you can widen the scope of access

143
00:06:16,023 --> 00:06:17,564
to a network using protocols,

144
00:06:17,564 --> 00:06:19,247
like Dynamic Trunking Protocol

145
00:06:19,247 --> 00:06:21,163
and VLAN Trunking Protocol.

146
00:06:21,163 --> 00:06:22,830
Thanks for watching.