Don’t ever count on L2 segmentation for security

Recently I did a penetration test that once again showed why you should never trust L2 segmentation for security.
The obvious reason not to trust L2 segmentation is that with ARP poisoning all the traffic between one or more machines can be routed through another machine, which can then read everything those machines send and receive. Introducing VLANs would help a lot, but even then there are techniques to circumvent these limitations.

When starting a test, one of the first things I do is start Wireshark to see what interesting traffic is being broadcast or multicast across all ports. Normally you only find some ARP, spanning-tree or sometimes routing-protocol traffic. But this time I also found fragments of Citrix sessions and HTTP requests between a client and a Citrix server, and I figured it was better to keep the sniffer open for a while to see whether even more interesting packets would pop up.
So after an hour or so I checked the captured packets and found some packets sent by a network monitoring system containing SNMP communities. Unfortunately, after testing the community it turned out to be one that allowed writing to the switch.

I am still not sure why these packets had been put on the switch port I was connected to. I can only think of two options:

  • The switch was (partially) broken and had put packets on the wrong port (it can’t be the port itself, because the switch decides where to put the packets, and I had seen the same behaviour on another port on the same switch).
  • The switch’s ARP table was full of ARP entries. In this case the switch just floods packets to all ports for MAC addresses that are not listed in the ARP table.

My best guess is the first. The company only had about 75 users, and because switches can hold thousands of MAC addresses it is unlikely that the ARP table was full. Besides that, if the ARP table had been full, I should have seen the same packets on both switch ports I had been listening on, but I had not. Some packets I captured on one port I did not see on the other, and vice versa. It seemed completely random.
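As an added example (not code from the original post), here is a small Python check for the symptom described above: it walks a constructed capture and flags unicast frames that a properly working switch should never have delivered to the sniffer’s port, pulling out any SNMPv1/v2c community string they carry so the exposure can be reported. The MAC addresses, IP addresses and community strings are all constructed.

```python
import struct

BROADCAST = b"\xff" * 6
OUR_MAC = bytes.fromhex("020000000001")   # constructed: MAC of the sniffing host

def build_snmp_frame(dst_mac, src_mac, community, version=1):
    """Construct an Ethernet/IPv4/UDP frame carrying a minimal SNMPv2c GetRequest."""
    comm = community.encode()
    pdu = b"\xa0\x0b\x02\x01\x01\x02\x01\x00\x02\x01\x00\x30\x00"  # empty varbind list
    body = bytes([0x02, 0x01, version, 0x04, len(comm)]) + comm + pdu
    snmp = bytes([0x30, len(body)]) + body
    udp = struct.pack("!HHHH", 50000, 161, 8 + len(snmp), 0) + snmp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes([10, 0, 0, 5]), bytes([10, 0, 0, 9])) + udp
    return dst_mac + src_mac + b"\x08\x00" + ip

def snmp_community(payload):
    """Return the community string of an SNMPv1/v2c message (short BER lengths only)."""
    if len(payload) < 7 or payload[0] != 0x30 or payload[2:4] != b"\x02\x01" or payload[5] != 0x04:
        return None
    return payload[7:7 + payload[6]].decode("ascii", "replace")

def classify_frame(frame, our_mac=OUR_MAC):
    """Label a captured frame by destination and extract any SNMP community it carries."""
    dst, ethertype = frame[:6], frame[12:14]
    if dst == BROADCAST or dst[0] & 1:          # group bit set: broadcast or multicast
        kind = "broadcast/multicast"            # normal to see on any port
    elif dst == our_mac:
        kind = "unicast-to-us"
    else:
        kind = "leaked-unicast"                 # a healthy switch never delivers this here
    community = None
    if ethertype == b"\x08\x00" and len(frame) >= 42 and frame[23] == 17:   # IPv4 + UDP
        ihl = (frame[14] & 0x0F) * 4
        udp = frame[14 + ihl:]
        if struct.unpack("!H", udp[2:4])[0] in (161, 162):
            community = snmp_community(udp[8:])
    return kind, community

def audit(frames, our_mac=OUR_MAC):
    """Return (kind, community) for every frame that should not have reached this port."""
    return [r for r in (classify_frame(f, our_mac) for f in frames) if r[0] == "leaked-unicast"]

NMS_MAC, SWITCH_MAC = bytes.fromhex("0200000000aa"), bytes.fromhex("0200000000bb")
SAMPLE_CAPTURE = [  # constructed: what the sniffer might see on one access port
    build_snmp_frame(SWITCH_MAC, NMS_MAC, "private"),   # NMS -> switch, not for us
    build_snmp_frame(OUR_MAC, NMS_MAC, "public"),       # addressed to the sniffer
    BROADCAST + NMS_MAC + b"\x08\x06" + b"\x00" * 28,   # ARP broadcast, expected
]
```

Any `leaked-unicast` result means the switch is delivering frames it should not; a non-empty community in such a frame is the exposure the post describes.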

So, never rely on L2 segmentation for security, and if you are using SNMP (write) communities, AT LEAST use an access list to protect them!
