Thread: Questions about Vlans

  1. #1
    Member
    Join Date
    Oct 2007
    Posts
    52

    Questions about Vlans

    Just got a new router with the capability of setting up a VLAN (Linksys calls it AP isolation). Just wondering if it's possible to escape the VLAN, "jump to the other side..." I tried a search, just not sure what to look for. If someone could help me on my search it would be greatly appreciated.

  2. #2
    Moderator
    Join Date
    Jan 2010
    Posts
    167


    Quote Originally Posted by fload
    Just got a new router with the capability of setting up a VLAN (Linksys calls it AP isolation). Just wondering if it's possible to escape the VLAN, "jump to the other side..." I tried a search, just not sure what to look for. If someone could help me on my search it would be greatly appreciated.
    You have to use a router which is able to route the traffic between the different VLANs. I think there were some bugs which gave you the capability for hopping between the different VLANs. Hopefully this was a long time ago ...

    Some basic info can be found in the Wikipedia: http://en.wikipedia.org/wiki/VLAN_hopping
    m-1-k-3

  3. #3
    Senior Member ShadowKill
    Join Date
    Dec 2007
    Posts
    908


    Quote Originally Posted by m-1-k-3
    You have to use a router which is able to route the traffic between the different VLANs. I think there were some bugs which gave you the capability for hopping between the different VLANs. Hopefully this was a long time ago ...

    Some basic info can be found in the Wikipedia: http://en.wikipedia.org/wiki/VLAN_hopping
    m-1-k-3
    Are you referring to Client Isolation? If you are, the only sure-fire way I know is by forcing your MAC onto the gateway's "pass-thru" list, which will enable communication between hosts. Otherwise sniffing is still capable even without direct communication.
    "The goal of every man should be to continue living even after he can no longer draw breath."

    ~ShadowKill

  4. #4
    Developer
    Join Date
    Mar 2007
    Posts
    6,126


    Correct. There are a lot of coffee shops in my town which use AP isolation to try to keep their clients safe. In helping one of them get set up I did some testing, and the only way I've found to defeat it is like ShadowKill has already suggested, which is to brute force the router itself and add yourself to an allowed list. Just wanted to second what ShadowKill already said.

  5. #5
    Just burned his ISO
    Join Date
    May 2009
    Posts
    7


    *Bump to see if there has been progress on cracking/compromising a wireless system that utilizes client/AP isolation*

    *rub@ wireless system

    I'm in charge of the wireless system (ooohhh, ahhh, please be gentle on the flames) and we're in the start/middle of deployment (the stage depends on the person's POV). Keeping it simple: SSID for intranet (WPA security, RADIUS authentication, etc.). No worries there, yet. SSID for internet: open with captive portal (some worries here).

    We got training on this system, but it's an overwhelmingly complex system that can be deceivingly simple when presented in the GUI interface they provide. Click here, click that, put settings here, etc. Forget all of that; once they showed me the configuration is over 90 percent Cisco CLI-compatible, I stayed in the command line for configuring it. They gave a sample configuration on a demo box that, through some luck, I was able to understand enough to be able to put on our production controller and customize accordingly... In the process of doing that, I was able to break down some of the inner workings and why it's so effective at "security".

    User role/ACL rules: built-in firewall on the controller.

    I'm the one opening up the access, so naturally I open up the standard HTTP ports and whatever I need (i.e. the port I manage my DD-WRT router at home on, financialchat, the OpenVPN port I use to connect to my DD-WRT router at home; that's about it, unless I get requests from users).

    firewall/ACL rule "user any net-service blah permit"

    If I change the above to any any ..., then client/AP isolation won't be enabled for that particular net-service? I'm not even going to try it, as it seems useless (at this time).

    Re: internet SSID; after I authenticated to the captive portal, I can surf the internet. I then tried to run ettercap/MITM and hamster/ferret (BT4) using my test laptop running Windows, and all I can see is the Cisco router, which is the one I use for the internet. Hamster sees packets, but no database/target shows up. Doing the same thing on a WEP AP, I can MITM the test laptop and/or perform sidejacking on it.

    The router is probably vulnerable to attacks, but since none of the net-service ports defined are opened on the router, I'm limited in what attacks can be done. As a test, I opened net-service telnet, and I can telnet to the router.

    I'm just trying to see if there has been progress on how to overcome the client/AP isolation security. If there has been, then maybe I can mitigate the risks.

    Thank you.

    PS: sorry if this is not very clear, as I'm writing this in the late hours (for me)...

  6. #6
    Very good friend of the forum Gitsnik
    Join Date
    Jan 2010
    Location
    The Crystal Wind
    Posts
    851


    Quote Originally Posted by pureh@te
    add yourself to an allowed list.
    Just for the record (in case you did not already know): You can overload the memory of a poorly programmed (by the manufacturer) switch or switching device, effectively MAC-flood them to death. There are tools out there to do it (break out of VLANs, I mean).

    To be fair, I've never attempted it against a WAP so what you've said could well be highly accurate, just provisioning a little more information.
    Still not underestimating the power...

    There is no such thing as bad information - There is truth in the data, so you sift it all, even the crap stuff.

  7. #7
    Very good friend of the forum Virchanza
    Join Date
    Jan 2010
    Posts
    863


    Why not have two different access points with two different passwords? One for VIPs and one for everyone else.

    Or even put both of them on the same AP and make the VIPs go through a VPN.
    Ask questions on the open forums, that way everybody benefits from the solution, and everybody can be corrected when they make mistakes. Don't send me private messages asking questions that should be asked on the open forums, I won't respond. I decline all "Friend Requests".

  8. #8
    Just burned his ISO
    Join Date
    May 2009
    Posts
    7


    From what I can see looking at the configuration, the sequence of events on the 2 virtual access points is:

    intranet:
    ssid association > enterprise vlan > security profile > user role = acl rules/firewall rules > internet vlan

    internet:
    ssid association > internet vlan > security profile > user role = acl rules/firewall rules > internet vlan

    Failure to authenticate at any step/sequence prevents further access.

    Enterprise VLANs end up on a trunking port to a physical connection to the enterprise network.

    Internet VLANs end up on a trunking port to a physical connection to the internet (via router and firewall).

    There is an IP tunnel from an AP to the controller. This layer 3 (GRE) tunnel is used for transporting layer 2 VLANs. The APs don't have the "intelligence" found in normal APs, and all configurations are centralized on the controller(s).

    There is no logical path that allows a PC to connect to the enterprise SSID and jump to the internet VLAN and vice versa.

    Forgetting everything above, the 2 major challenges to a potential attack are user role limitations (firewall rules) and client/AP isolation. This only pertains to the internet SSID. Once authenticated on the enterprise SSID, the user is on the enterprise network with access to enterprise resources/servers = wired network access.

    Overloading the MAC address table? Any particular tool in BackTrack for this attack?
    There are only 8 allowed TCP/IP ports (DHCP, DNS, HTTPS, HTTP, custom ports above 7000 for my personal use). ICMP not allowed.

    If the client/AP isolation is compromised, then MITM and sidejacking are possible.

    Thank you.

    PS: it is possible that the system is secured from current attack methods available at this time.
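Post #6 raises MAC flooding (overloading a switch's MAC/CAM table) and post #8 asks about it from the administrator's side. The defender's answer to both is the same: a flooded port shows a burst of distinct source MACs that no ordinary access port ever produces, so it is easy to detect from MAC-learning events, and a per-port cap on learned MACs (port security) stops the table from being exhausted. The script below is an added example written for this thread, not code from any post, any vendor or the controller discussed above. Its log format (`<ts> LEARN port=<ifname> mac=<mac>`), the port names `Gi0/1`/`Gi0/2`, the window and threshold values, and the sample log it builds are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed log format used by this example (an assumption, not any vendor's syntax):
#   "<ts> LEARN port=<ifname> mac=<xx:xx:xx:xx:xx:xx>"
# One line per MAC-learning event on a switch or controller port.
LEARN_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?) LEARN port=(?P<port>\S+) "
    r"mac=(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})$",
    re.IGNORECASE,
)


def parse_learn_line(line):
    """Return (ts, port, mac) for a well-formed line, or None for anything else."""
    m = LEARN_RE.match(line.strip())
    if not m:
        return None
    return (float(m.group("ts")), m.group("port"), m.group("mac").lower())


def build_sample_log():
    """Constructed sample: Gi0/1 carries two ordinary hosts, Gi0/2 shows a CAM-overflow burst."""
    lines = []
    # Two legitimate hosts on Gi0/1, each re-learned every few seconds.
    for i in range(10):
        lines.append(f"{i * 3} LEARN port=Gi0/1 mac=00:11:22:33:44:{i % 2:02x}")
    # 300 distinct source MACs on Gi0/2 inside two seconds: what a flooding
    # burst exhausting the switch's MAC table looks like in the learning log.
    for i in range(300):
        lines.append(
            f"{5 + i / 150:.3f} LEARN port=Gi0/2 "
            f"mac=02:00:00:{(i >> 8) & 0xff:02x}:{i & 0xff:02x}:00"
        )
    lines.append("some unrelated syslog line that the parser must skip")
    return lines


def distinct_macs_per_window(events, window_s):
    """Peak number of distinct MACs learned per port within any fixed window of window_s seconds."""
    buckets = defaultdict(set)  # (port, window index) -> set of MACs
    for ts, port, mac in events:
        buckets[(port, int(ts // window_s))].add(mac)
    peak = defaultdict(int)
    for (port, _), macs in buckets.items():
        peak[port] = max(peak[port], len(macs))
    return dict(peak)


def detect_mac_flood(lines, window_s=10.0, threshold=50):
    """Alert on ports whose per-window distinct-MAC count exceeds what an access port should show.

    Returns a sorted list of (port, peak_count). An access port serving one desk or one
    AP normally learns a handful of MACs, so a threshold in the tens is conservative.
    """
    events = [e for e in map(parse_learn_line, lines) if e is not None]
    peaks = distinct_macs_per_window(events, window_s)
    return sorted((port, n) for port, n in peaks.items() if n > threshold)


def port_security_violations(lines, max_macs=3):
    """Model the mitigation: a port-security style cap on learned MACs per port.

    The first max_macs distinct MACs on a port are accepted; every further new MAC is
    counted as a violation (what a switch in a 'restrict' mode would drop and log).
    Returns {port: violation_count} for ports that had any violations.
    """
    events = [e for e in map(parse_learn_line, lines) if e is not None]
    allowed = defaultdict(set)
    violations = defaultdict(int)
    for ts, port, mac in sorted(events):
        if mac in allowed[port]:
            continue
        if len(allowed[port]) < max_macs:
            allowed[port].add(mac)
        else:
            violations[port] += 1
    return dict(violations)


if __name__ == "__main__":
    log = build_sample_log()
    print("flood alerts:", detect_mac_flood(log))                       # [('Gi0/2', 300)]
    print("port-security violations:", port_security_violations(log))  # {'Gi0/2': 297}
```

Run it as-is to see the two outputs: the detector flags only `Gi0/2`, and the port-security model shows that a cap of three MACs per port would have rejected 297 of the 300 flooded addresses, so the table never fills and the switch never falls back to flooding frames out every port. On a real deployment the equivalent is a per-port MAC limit plus an alert on the violation counter, and the threshold should be tuned to the largest legitimate MAC count a port carries (an uplink to an AP carries more than a single desk).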
