An idea of cross-vlan penetration for Intranet penetration applications

Source: Internet
Author: User
Tags: domain transfer, kali linux

0x00 Preface

With the development of network technology, network topologies become more and more complex. Penetration testers reach the border server through injection, file upload, and other basic or advanced web penetration methods. Going further inward, they face more complex networks, such as messy VLAN environments.

What is a VLAN: http://baike.baidu.com/history/id=9328829

Test Topology

0x01 Test Overview

A total of three servers and an H3C S3610 layer-3 switch are used, along with the author's notebook (Kali Linux).

The three servers represent the basic business divisions of tec503. The attacker is in the same VLAN (vlan200) as the webserver, and has already taken control of the webserver.

Three VLANs are configured on the switch. The data server (dataserver.tec503.com) and web server (webserver.tec503.com) of Tec503 (the hypothetical target company) are placed across three VLANs (vlan100, vlan200, vlan300). Vlan100 and vlan200 cannot access each other; however, both can access vlan300.

SNMP and telnet are enabled on the switch (SNMP is generally used to monitor switch traffic, and telnet is used to manage the layer-3 switch).

Purpose: to test the exposure of dataserver data while leaving as few traces as possible.

0x02 Basic Infiltration Process in the Early Stage

During preliminary information collection, a DNS zone transfer (domain transfer) vulnerability was found on tec503.com, and the target IP address for this test (5.5.6.4) was determined.

The webserver is also exposed to external users. Web vulnerabilities were found after basic scanning; after obtaining a webshell, administrative privileges were gained.

Then, on the webserver, the gateway IP address is found to be 172.10.0.1. Try to ping it.

Telnet to it and an H3C device banner appears.

Logging on with simple weak passwords such as 123456, password, and manager failed.

Try SNMP weak password detection (here the weak password refers to the community string used for SNMP management; by default, public is typically the read community string and private the read-write one).

It turns out the default read community string public is accepted. Continue to use SNMP to obtain the H3C device password.

The password "admin" was obtained successfully (I forgot to say that I did not try admin on purpose).

Then, the password can be used to telnet to the switch.

And system-view is entered successfully.

0x03 Switch Penetration Process

After logging on to the switch via telnet, we can start collecting its configuration information (VLAN division, super password, and routing table). Except for the super password, this information can also be obtained through a readable SNMP community string. For Cisco devices, if a read-write community string exists, the core configuration file (including the password string) can be downloaded directly.

Here we need to briefly talk about two features of a layer-3 switch: VLAN division and port mirroring. A port here refers to a port on the switch rather than a computer service port.

Port mirroring is a technology that copies the traffic of one switch port to another port. You can also choose to mirror only inbound or only outbound packets. This technology is usually used in enterprise monitoring and traffic analysis. When using port mirroring, also pay attention to the traffic load it places on the monitor port.

In this test, port mirroring is used to obtain the packets sent and received by dataserver.

Let's analyze the configuration file of this switch first.

Here we can see that the super password is encrypted with H3C cipher. The encrypted string can still be made use of.

Next, let's look at the ip-pool division. Combined with the nslookup information collected earlier, we can approach the target more precisely.

We find that we are in vlan200, the target is in vlan100, and the domain controller is in vlan300.

Then let's continue to see which VLAN each interface in use belongs to.

Here we can see that Ethernet 1/0/3 is in vlan100, while Ethernet 1/0/4 is in vlan200, that is, our VLAN.

With the interface division clear, we begin by creating local mirroring group 1.

Then, specify the mirrored (source) port.

Then, specify the monitor (destination) port.

Finally, log on to our controlled webserver and use packet capture software to analyze the packets of the target (dataserver.tec503.com).

This is a capture of ICMP packets to the target (dataserver.tec503.com).

This is an HTTP packet capture.

The same applies to packets of other protocols. The detailed subsequent analysis is not demonstrated here.
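As an added defender-side example (not from the original article), the following Python script audits a constructed H3C Comware-style configuration for the three conditions this test relied on: a default SNMP community string, telnet management, and a mirroring group whose monitor port sits in a different VLAN from its source port. The command syntax is assumed from Comware V5 and the sample configuration is constructed, not the article's real switch.

```python
import re

# Constructed H3C Comware-style running config (assumed syntax, not the article's
# real switch). It reproduces the weaknesses the article exploited: a default
# "public" community string, telnet management, and a local mirroring group whose
# monitor port sits in a different VLAN than the mirrored port.
SAMPLE_CONFIG = """\
 snmp-agent community read public
 telnet server enable
 mirroring-group 1 local
 mirroring-group 1 mirroring-port Ethernet1/0/3 both
 mirroring-group 1 monitor-port Ethernet1/0/4
interface Ethernet1/0/3
 port access vlan 100
interface Ethernet1/0/4
 port access vlan 200
"""

def audit_config(text):
    """Return a list of findings for the three weaknesses described above."""
    findings, port_vlan, src, dst, cur_if = [], {}, {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"snmp-agent community (read|write) (\S+)", line)
        if m and m.group(2).lower() in ("public", "private"):
            findings.append(f"default SNMP {m.group(1)} community '{m.group(2)}'")
        elif line == "telnet server enable":
            findings.append("telnet management enabled (cleartext credentials)")
        elif (m := re.match(r"interface (\S+)", line)):
            cur_if = m.group(1)
        elif (m := re.match(r"port access vlan (\d+)", line)) and cur_if:
            port_vlan[cur_if] = int(m.group(1))
        elif (m := re.match(r"mirroring-group (\d+) mirroring-port (\S+)", line)):
            src[m.group(1)] = m.group(2)
        elif (m := re.match(r"mirroring-group (\d+) monitor-port (\S+)", line)):
            dst[m.group(1)] = m.group(2)
    # A monitor port in another VLAN lets a host in that VLAN see traffic it should
    # be isolated from; this is exactly the article's vlan100 -> vlan200 copy.
    for gid, sport in src.items():
        mport = dst.get(gid)
        if mport and port_vlan.get(sport) != port_vlan.get(mport):
            findings.append(f"mirroring-group {gid} copies {sport} (vlan {port_vlan.get(sport)}) "
                            f"to {mport} (vlan {port_vlan.get(mport)}): cross-VLAN mirror")
    return findings

if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print("FINDING:", f)
```

Running the script against a real exported configuration (after checking the syntax matches your Comware version) gives a quick baseline for the misconfigurations the postscript warns about.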

0x04 Postscript

Routers and switches are encountered more and more often during penetration tests, and because of administrators' configuration habits, default configurations, weak passwords, and other misconfigurations occur frequently. In addition, the position of routers and switches in the network reflects their importance in a penetration process. While writing this article, I also found an article on FreeBuf about cross-VLAN ARP sniffing (http://www.bkjia.com/Article/201309/246816.html). I hope this article leads to more good articles.
