Penetration Testing mailing list archives
RE: Anonymous access to Voice VLAN using CDP
From: "Wence Van der Meersch" <wence.vandermeersch () ascure com>
Date: Tue, 25 Jul 2006 15:16:15 +0200
Actually you configure the voice VLAN on the switch, and when the phone boots up it will talk CDP to the switch asking what's the voice VLAN, and after receiving this information from the switch the phone will send its own traffic tagged with this VLAN ID, while sending out the traffic received through the PC port untagged.

Something you can try is to connect a hub (no switch obviously) between the phone and the Catalyst switch (if you're not using PoE, else put a PoE extractor between the hub and the switch, and supply the phone with the power lead from the extractor) and connecting a PC to this hub. Then let the phone discuss the VLAN details with the switch while you are sniffing the whole conversation, and when the phone starts sending tagged traffic you can try sending traffic with this VLAN tag from your PC (which, of course, has dot1q support enabled).

I'm not sure if the switch will filter incoming tagged traffic on MAC address (as it should, to prevent this from happening and allowing only tagged traffic originating from the phone), so you can try disconnecting the phone, cloning its MAC address and sending the tagged traffic, making it seem to the switch that you are the phone.

Anyway this is purely an educated guess. I use Cisco phones and switches at home so I'll investigate this a bit further in the next few days. Maybe I'll even write a tool for all this.

Wence Van der Meersch
Information Security Consultant, CISSP
Ascure NV
e-mail wence.vandermeersch () ascure com
Web http://www.ascure.com/
-----Original Message-----
From: jpecou () gmail com [mailto:jpecou () gmail com]
Sent: Friday 21 July 2006 18:57
To: pen-test () securityfocus com
Subject: Anonymous access to Voice VLAN using CDP

Hey guys ..

I will try to make this short and sweet. At my job we are looking to implement a VOIP infrastructure. A typical infrastructure with voice and data usually will have both voice and data on a separate VLAN. The phone will then plug into the ethernet port and the PC plug into the phone. (Basically the phone becomes a trunk port for the PC.)

I have read that the way the phone gets placed on the voice VLAN is through CDP. Apparently upon connecting to the switch the phone sends a CDP packet identifying itself and then gets placed on the Voice VLAN.

I would love to attempt to put a PC on our voice VLAN. I know that yersinia has options for crafting CDP packets. Has anyone accomplished this and could someone give me a brief explanation of how I could do this?

Thanks!
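A defender-side check for the scenario discussed in this message, as an added example that is not part of the original post: it reads raw Ethernet frames captured on a phone's access port and reports 802.1Q voice-VLAN tags that arrive from a source MAC other than the registered phone. The VLAN ID, MAC addresses and sample frames are constructed assumptions; as the message itself notes, a cloned phone MAC would pass a MAC-based check like this one.

```python
import struct

VOICE_VLAN = 110                       # assumed voice VLAN ID (constructed)
PHONE_MACS = {"02:00:00:00:00:01"}     # assumed phone inventory for this port

# Constructed sample frames (hex): dst MAC, src MAC, [802.1Q tag], EtherType, payload
SAMPLE_FRAMES = [bytes.fromhex(h) for h in (
    "0200000000ff" "020000000001" "8100a06e" "0800" "45000000",  # phone, VLAN 110
    "0200000000ff" "020000000002" "0800" "45000000",             # PC, untagged
    "0200000000ff" "020000000002" "8100006e" "0800" "45000000",  # PC, VLAN 110
    "0200000000ff" "020000000001" "8100a000" "0800" "45000000",  # phone, priority tag
)]

def parse_frame(frame: bytes):
    """Return (src_mac, vlan_id) for a raw Ethernet frame; vlan_id is None if untagged."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    src = ":".join(f"{b:02x}" for b in frame[6:12])
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != 0x8100:            # no 802.1Q tag: data (PC port) traffic
        return src, None
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    (tci,) = struct.unpack("!H", frame[14:16])
    vid = tci & 0x0FFF                 # low 12 bits of the TCI carry the VLAN ID
    return src, (vid or None)          # VID 0 is a priority tag, not a VLAN

def audit(frames):
    """List (index, src_mac, reason) for tagged frames that the port should not see."""
    findings = []
    for i, frame in enumerate(frames):
        src, vid = parse_frame(frame)
        if vid is None:
            continue
        if vid != VOICE_VLAN:
            findings.append((i, src, f"unexpected VLAN tag {vid}"))
        elif src not in PHONE_MACS:
            findings.append((i, src, "voice-VLAN tag from non-phone MAC"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_FRAMES):
        print(finding)
```
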
Current thread:
- Anonymous access to Voice VLAN using CDP jpecou (Jul 21)
- Re: Anonymous access to Voice VLAN using CDP Paul Robertson (Jul 21)
- RE: Anonymous access to Voice VLAN using CDP Wence Van der Meersch (Jul 25)
- <Possible follow-ups>
- Re: Re: Anonymous access to Voice VLAN using CDP jpecou (Jul 24)
- Re: Re: Anonymous access to Voice VLAN using CDP Mario Platt (Jul 25)
- RE: Re: Anonymous access to Voice VLAN using CDP Jacek Materna (Jul 25)
- Re: RE: Re: Anonymous access to Voice VLAN using CDP lists (Jul 27)