Remote ARP Poisoning/Triple VLAN Tagging
I'm not sure how applicable this question is as it's mainly Cisco related, but if anyone could shed some light onto anything, it would be greatly appreciated.
After playing extensively with BT4, ettercap and different VoIP tools I have a technical scenario that I have tried to create in a lab but cannot get to work.
This is the scenario.
Malicious User <-> Cisco IP Phone <-> Cisco Catalyst Switch (providing VLANs 10, 20 and 30) <-> Cisco Router (performing inter-vlan routing)
The Malicious User is placed in the data VLAN, VLAN 10 for example. The phone is placed in the voice VLAN, VLAN 20 for example. We already know that via VLAN hopping we can jump into the voice VLAN, create a dot1q interface in BT4 and ARP poison phone conversations.
However just say there is a third VLAN, VLAN 30 for example, which is a management VLAN. ACLs block VLAN access from VLAN 10 to VLAN 30, but allow from VLAN 20 to VLAN 30.
So when we VLAN hop into VLAN 20, we can access the management VLAN. Cool.
My goal and point of the lab is to ARP poison traffic on VLAN 30 so I can capture management traffic.
So here are my two questions.
- Because VLAN 30 is a remote network, I can't ARP poison it. I have read mixed reports about remote ARP poisoning, however the closest I have ever come is to ARP poison the gateway on VLAN 20 and hope that I can capture VLAN20->VLAN30 information, which is NOT what I want, and will only result in a one-sided poison, half duplex if you will. Is there such a thing as remote network ARP poisoning?
- If I cannot remote network ARP poison, can I double VLAN hop (triple VLAN tagging) into VLAN 30? If this is possible I could then ARP poison directly on VLAN 30.
- - Two issues with this, firstly everywhere I've read states that triple tagging is possible and I can understand how technically it could be, but I have yet to see a working example.
- - Secondly, from the vague information about Voice VLAN assignments (VVID), the switchport voice vlan 20 command acts like: switchport trunk allowed vlan 20. I am unsure whether triple tagging would work over a VVID *trunk*; my theory is it would just drop the packet.
The major problem I'm hitting with triple tagging is custom packet generation. Can anyone suggest a way to build my own packet with additional VLAN headers?
Can anyone confirm/theorize on ANY of this at all?
First of all, ARP is not a routed protocol; it is used only internally and does not usually traverse networks. This is not strictly true, it can traverse via a network bridge, but as it is a broadcast protocol it does not typically go anywhere any other broadcast wouldn't.
ARP. ARP is _entirely_ local.... TCP/IP, UDP etc. are remote, (they are routing protocols). <--------- great bathroom reading
The "secret" is the subnet mask..... Yeah, that nasty complicated thing they make you study.... They never really tell you what it's for. I'll let the dog out of the bag.
The subnet mask really is only used for one thing (not really)... Determining whether the IP address of the machine to be contacted is "local". It may be through routers still but it could still be considered local depending upon the router's configuration and the subnet mask. If the destination IP address doesn't fit in the subnet mask then the returned packet is sent to the default gateway, if it fits the subnet mask and the _local_ ARP table doesn't hold the required information, (the MAC address), then an ARP request is sent out to get the MAC address of the machine.
Thus, it is either impossible or _really really_ difficult, (depends on the security level of the network as a whole), to ARP poison a remote network, (you have to have a network that is relatively "local" and wide open to broadcasts of ARP to be able to accomplish it!).
Hope this helps, OP.
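The local-or-gateway decision the reply describes, as an added Python model that is not code from either poster. The VLAN 20 / VLAN 30 addresses and MACs are constructed; the model shows that a host in VLAN 20 only ever needs the gateway's MAC to reach VLAN 30, so no ARP entry for a VLAN 30 host exists to be poisoned from there.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Host:
    """Toy model of an end host's forwarding decision (added example, constructed addresses)."""
    ip: str
    prefix: int
    gateway: str
    arp_table: dict = field(default_factory=dict)  # IP -> MAC learned from ARP

    def is_local(self, dst: str) -> bool:
        # The subnet mask's one job: decide whether dst is on my own segment.
        net = ipaddress.ip_network(f"{self.ip}/{self.prefix}", strict=False)
        return ipaddress.ip_address(dst) in net

    def next_hop(self, dst: str) -> str:
        # Local destinations are ARPed for directly; everything else goes to the gateway.
        return dst if self.is_local(dst) else self.gateway

    def resolve(self, dst: str):
        """Return (ip_whose_mac_is_needed, mac_or_None); None means an ARP request is sent."""
        hop = self.next_hop(dst)
        return hop, self.arp_table.get(hop)

    def learn_arp(self, sender_ip: str, sender_mac: str) -> bool:
        # ARP frames are not routed, so a reply for an off-subnet IP never reaches
        # this host's segment; the model refuses to learn it and reports False.
        if not self.is_local(sender_ip):
            return False
        self.arp_table[sender_ip] = sender_mac
        return True


def demo():
    # Constructed scenario: a host in the voice VLAN (20) talking to a management host in VLAN 30.
    h = Host(ip="10.0.20.5", prefix=24, gateway="10.0.20.1")
    h.learn_arp("10.0.20.1", "00:00:5e:00:01:14")            # router's VLAN 20 interface (constructed MAC)
    mgmt_hop = h.resolve("10.0.30.10")                        # off-subnet: the MAC needed is the gateway's
    learned = h.learn_arp("10.0.30.10", "de:ad:be:ef:00:30")  # mapping for a VLAN 30 IP is never consulted
    return {"mgmt_next_hop": mgmt_hop, "remote_arp_learned": learned,
            "local_peer": h.resolve("10.0.20.9")}


if __name__ == "__main__":
    print(demo())
```

Only the gateway mapping on the VLAN 20 host (and the router's own table on that segment) is within ARP's reach, which is the one-sided capture the question describes; the VLAN 30 hosts resolve their own gateway on a segment no ARP frame from VLAN 20 can enter.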