Remote ARP Poisoning/Triple VLAN Tagging
I'm not sure how applicable this question is as its mainly Cisco related, but if anyone could shed some light onto anything, it would be greatly appreciated.
After playing extensively with BT4, ettercap and different VoIP tools I have a technical scenario that I have tried to create in a lab but cannot get to work.
This is the scenario.
Malicious User <-> Cisco IP Phone <-> Cisco Catalyst Switch (providing VLANs 10, 20 and 30) <-> Cisco Router (performing inter-vlan routing)
The Malicious User is placed in the data VLAN, VLAN 10 for example. The phone is placed in the voice VLAN, VLAN 20 for example. We already know that via VLAN hopping we can jump into the voice VLAN, create a dot1q interface in BT4 and ARP poison phone conversations.
However just say there is a third VLAN, VLAN 30 for example which is a management VLAN. ACL's block vlan access from VLAN 10 to VLAN 30, but allow from VLAN 20 to VLAN 30.
So when we VLAN hop into VLAN 20, we can access the management VLAN. Cool.
My goal and point of the lab is to ARP poison traffic on VLAN 30 so I can capture management traffic.
So heres my two questions.
- Because VLAN 30 is a remote network, I cant ARP poison it. I have read mixed reports about remote ARP poisoning, however the closest I have ever come is to ARP poison the gateway on VLAN 20, and hope that I can capture VLAN20->VLAN30 information, which is NOT what I want, and will only result in a one sided poison, half duplex if you will. Is there such thing as remote network ARP poisoning?
- If I cannot remote network ARP poison, can I double VLAN hop (triple VLAN tagging) into VLAN 30? If this is possible I could then ARP poison directly on VLAN 30.
- - Two issues with this, firstly everywhere I've read states that triple tagging is possible and I can understand how technically it could be, but I have yet to see a working example.
- - Secondly, from the vague information about Voice VLAN assignments (VVID), the switchport voice vlan 20 command acts like: switchport trunk allowed vlan 20. I am unsure whether tripple tagging would work over a VVID *trunk*, my theory is it would just drop the packet.
The major problem I'm hitting with triple tagging is custom packet generation. Can anyone suggest a way to build my own packet with additional VLAN headers?
Can anyone confirm/theorize on ANY of this at all?