03 April 2010

Sniffing For CISCO-Specific Protocols

During the two decades since it was founded, Cisco Systems has developed a variety of useful proprietary network protocols on all layers of the Open System Interconnection (OSI) model. An attacker need only watch which hosts send a proprietary protocol's Protocol Data Units (PDUs) and which hosts respond to them, and log their MAC and IP addresses. Some of these protocols have known security flaws that allow exploitation of the hosts sending them without any further device fingerprinting being necessary.

A list of common Cisco proprietary and related protocols, layer by layer:

* Port Aggregation Protocol (PAgP)
01-00-0c-cc-cc-cc
SNAP High-level Data Link Control (HDLC) protocol type 0x0104.
Used to bundle ports on Catalyst switches into an EtherChannel.
Similar to Ethernet bonding in the Linux world.

* VLAN Trunking Protocol (VTP)
01-00-0c-cc-cc-cc
SNAP HDLC protocol type 0x2003. Exploitable and gives away a
lot of data about configured virtual LANs (VLANs).

* Inter Switch Link (ISL)
01-00-0c-00-00-00
Functionally similar to 802.1q. Watch out for baby giant frames.
Not to be confused with the Internet Security Label, also abbreviated
as ISL.

* Dynamic Trunking Protocol (DTP)
01-00-0c-cc-cc-cc
SNAP HDLC protocol type 0x2004. Negotiates trunk port mode between
Cisco Catalyst switches. Exploitable to jump VLANs.

* Spanning Tree PVST+
01-00-0c-cc-cc-cd
SNAP HDLC protocol type 0x010b. Cisco proprietary version of the
Spanning Tree Protocol (STP).

* STP Uplink Fast
01-00-0c-cd-cd-cd
SNAP HDLC protocol type 0x200a. Speeds up STP convergence time
in the presence of redundant links on networks consisting of Catalyst
switches.

* VLAN Bridge STP
01-00-0c-cd-cd-ce
SNAP HDLC protocol type 0x010c. Operates on top of IEEE STP to
bridge VLANs while running a single instance of STP. Indicates the
presence of Catalyst 6000/6500 switches with Multilayer Switch
Feature Cards (MSFCs) installed.

* Cisco Discovery Protocol (CDP)
01-00-0c-cc-cc-cc
SNAP HDLC protocol type 0x2000. CDP is your best friend, and some
attacks are CDP-related.

* Hot Standby Routing Protocol (HSRP)
224.0.0.2 (all routers)
Creates a virtual router for redundancy reasons.

* Generic Routing Encapsulation (GRE)
Originally a Cisco tunneling protocol, now supported by many non-Cisco
devices and systems. Often indicates the presence of a virtual private
network (VPN) above it.

* Enhanced Interior Gateway Routing Protocol (EIGRP)
224.0.0.10

* Interior Gateway Routing Protocol (IGRP)
224.0.0.10

As you can guess, by passively sniffing network traffic, it is possible to obtain far more data than many could have imagined. This includes the precise type of the Cisco device in use (for example, Cisco Cache Engine, Cisco VoIP phone, high-end Catalyst switch with Multilayer Switch Feature Card [MSFC]) and even the characteristics of a specific interface exposed to your eavesdropping (for example, the presence of a trunk port on a switch).

Remember that CDP, VTP, and PAgP updates are always forwarded on trunks with a VLAN 1 tag. So do not assume that you are on VLAN 1 (as you would love to be) if you see them. On the contrary, 802.1q updates are forwarded untagged on the VLAN 1 for interoperability reasons, unless VLAN 1 has been cleared from the trunk port. Cisco PVST+ updates are sent and tagged for all other VLANs.
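As an added illustration (not code from the original post or from the book it quotes), the classifier below applies the destination-MAC / SNAP protocol-ID pairs listed above to raw Ethernet frames, including 802.1Q-tagged PVST+ BPDUs, and builds a per-source inventory of which Cisco control-plane protocols are visible on a segment. A defender can run it over a capture to confirm that DTP, VTP and CDP are not leaking onto ports where they should be disabled. All frames, MAC addresses and VLAN numbers are constructed for the example.

```python
import struct
# Destination multicast MAC + SNAP protocol ID pairs from the list above (Cisco OUI 00-00-0c).
CISCO_OUI = bytes.fromhex("00000c")
SNAP_HEADER = b"\xaa\xaa\x03"  # LLC DSAP=SSAP=0xAA, control=UI
PROTOCOLS = {
    ("01:00:0c:cc:cc:cc", 0x0104): "PAgP", ("01:00:0c:cc:cc:cc", 0x2003): "VTP",
    ("01:00:0c:cc:cc:cc", 0x2004): "DTP", ("01:00:0c:cc:cc:cc", 0x2000): "CDP",
    ("01:00:0c:cc:cc:cd", 0x010b): "PVST+", ("01:00:0c:cd:cd:cd", 0x200a): "STP UplinkFast",
    ("01:00:0c:cd:cd:ce", 0x010c): "VLAN Bridge STP",
}

def classify_frame(frame: bytes):
    """Identify a Cisco SNAP PDU in a raw Ethernet frame; None if it is not one."""
    if len(frame) < 14:
        return None
    dst, src, off, vlan = frame[0:6].hex(":"), frame[6:12].hex(":"), 12, None
    if frame[off:off + 2] == b"\x81\x00":  # 802.1Q tag: PVST+ BPDUs carry one per VLAN
        vlan = struct.unpack("!H", frame[off + 2:off + 4])[0] & 0x0FFF
        off += 4
    if len(frame) < off + 10:
        return None
    if struct.unpack("!H", frame[off:off + 2])[0] >= 0x0600:  # EtherType => Ethernet II, not 802.3/LLC
        return None
    off += 2
    if frame[off:off + 3] != SNAP_HEADER or frame[off + 3:off + 6] != CISCO_OUI:
        return None
    pid = struct.unpack("!H", frame[off + 6:off + 8])[0]
    name = PROTOCOLS.get((dst, pid))
    return None if name is None else {"proto": name, "src": src, "vlan": vlan}

def build_frame(dst, src, pid, vlan=None, payload=b"\x00" * 8):
    """Constructed test frame: optional 802.1Q tag, 802.3 length field, LLC/SNAP header."""
    body = SNAP_HEADER + CISCO_OUI + struct.pack("!H", pid) + payload
    tag = b"" if vlan is None else b"\x81\x00" + struct.pack("!H", vlan)
    macs = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    return macs + tag + struct.pack("!H", len(body)) + body

def inventory(frames):
    """Per source MAC, the set of Cisco control-plane protocols it was seen sending."""
    seen = {}
    for result in filter(None, map(classify_frame, frames)):
        seen.setdefault(result["src"], set()).add(result["proto"])
    return seen

SAMPLE_FRAMES = [  # constructed, not captured traffic
    build_frame("01:00:0c:cc:cc:cc", "00:11:22:33:44:55", 0x2004),           # DTP, untagged
    build_frame("01:00:0c:cc:cc:cc", "00:11:22:33:44:55", 0x2000),           # CDP, untagged
    build_frame("01:00:0c:cc:cc:cd", "00:11:22:33:44:55", 0x010b, vlan=20),  # PVST+ BPDU tagged VLAN 20
]
```

Feed `inventory()` the frames from a real capture (for example via a pcap reader) to see which switch ports are emitting DTP or CDP towards end hosts.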



[*] Hacking Exposed - Cisco


biOos
