The Test. Bringing down a network. Need advice.

[DeadlyFoez]

Ok, so my landlord is in a high up position at a major newspaper company. He started talking to me about the network infrastructure and how every print press and webserver...everything is tied together in the end. He had told me about how he doesn't trust the smarts of the IT department, mainly because they have failed many times over.

I told him that if he gave me a chance that I could just connect up a machine running bt4pr and cause extensive random network traffic that would DoS every node and device on the network. If I'm right that would be using ettercap with a plug-in.

By theory I know I am correct, but I am sure that there is more to infiltrating a network like that.

Does anyone have any input that they could give me. I Do know that I do not have the great knowledge of some of the genius's in this forum, but just an opinion as to if my thought are correct and if this is easily possible.

What kind of security measures could stop this from happening?

I have tried this on my home network before and got to witness the chaos it created with only 8 devices on the network, But how well would it work on a huge network like this?

Thank you for any info.

[Gitsnik]

Wow. Not often one sees such a blatant request, so I will start from the beginning:

No pentester should ever agree to DoS attacks with the level of knowledge and outage you have and are discussing. It is both highly dangerous and mildly... humm... Immature. You are causing potentially millions of dollars of damage, which needs to be covered by insurance and all the rest.

Not to mention you really, REALLY need a signed statement saying that you can do this. You wouldn't catch me on one of these assignments without a couple of lawyers ensuring it was watertight - and even then it would be a stretch.

If the owner is onsite and onboard, have him walk into any comms cabinet he has and take out any thin orange cables with square (not rectangular) connectors. As well as anything plugged into a switch at ports 1, 2, and 41, 42 (assuming a 42 port switch).

Doing this lets you perform mass DoS conditions which are relatively easy to correct (all we did is remove the fiber connectors and the common switch uplink ports), but will cause panic and problems for the IT team.

In theory, purely arpspoofing the entire network with // // would cause massive issues, but it depends on monitoring tools, 802.1x, port security, vlan's and a few other techs. You should not do it though.

Resolving the spoofing issue is fairly easy though - crack the network in half by the core switches - one side or the other will still be being poisoned, then crack that half in half, and so on. Mathematically you should be able to discover exactly who the perpetrator is (by switch) in 7 or less splits.

[DeadlyFoez]

Whoa whoa whoa. Certainly I KNOW not to try something like this even with a contract, especially if I am asking "what will happen" in these forums. But I wanted to more or less make sure as to what I speculate is correct.

I certainly would never try anything like this unless it was on my own network, or a cloned network set up strictly for penetration purposes. I am not knowledged enough to try something like that and not cause damage.

But after he explained the quirkiness of the whole network and how everything relies so deeply on everything else, I figure causing random traffic could bring the network down to it's knees.


I appreciate your response and knowledge on this. Thank you.

[Gitsnik]

Whoa whoa whoa. Certainly I KNOW not to try something like this even with a contract, especially if I am asking "what will happen" in these forums. But I wanted to more or less make sure as to what I speculate is correct.

Have to be sure of these things.

If you think about it, in IT (and in Radio and wifi and the like), in terms of DoS it really is about size - the more traffic you throw at a firewall (even if it doesn't let it through) means the more bandwidth normal people can't use. The more scum data you throw onto a network, the less bandwidth normal people can use.

If you target that data maliciously (a-la ettercap - with or without plugins I might add), then there will be a point where a problem occurs. Think of it like a single car collision on a two lane freeway - everything slows down significantly because of this one tiny car.

[Thorn]

Wow. Not often one sees such a blatant request, so I will start from the beginning:

No pentester should ever agree to DoS attacks with the level of knowledge and outage you have and are discussing. It is both highly dangerous and mildly... humm... Immature. You are causing potentially millions of dollars of damage, which needs to be covered by insurance and all the rest.

Agreed, Gitsnik has hit the nail on the head. A DoS is about the last thing you want to be doing. It's one of the few things that are specifically excluded from my contracts.

[DeadlyFoez]

Well I had to ask. Most of my customers that contact me about network security are basically concerned about their wifi, and that is easy enough to speculate and test.

"Oh you're using WEP, that can be cracked in 10 minutes."
"Let me put you up to WPA2 with a random passphrase containing 52 alphanumeric characters and other symbols and now you are safe. Done and done."

So, the conclusion is, yes, my thoughts are correct and he possibly has a reason to worry since his IT crew has no clue of modern day technology?

[Gitsnik]

yes, my thoughts are correct

Sure. A DoS can cause havoc

and he possibly has a reason to worry since his IT crew has no clue of modern day technology?

Without seeing a network map and technology breakdown, no one can confirm or deny this statement.

Theoretically, an open network with none of the tech I mentioned, could be brought to its knees by a misconfigured network cable - a malicious attacker should have no trouble with the same. It is hard to say otherwise.

Never underestimate a tech team by the way, I once had a pentester do that without him realising that I was part of the admin team onsite - he figured things were ok and just kicked off a nessus scan first thing - which lead to nothing bad for us and lots bad for him.

[streaker69]

Ok, so my landlord is in a high up position at a major newspaper company. He started talking to me about the network infrastructure and how every print press and webserver...everything is tied together in the end. He had told me about how he doesn't trust the smarts of the IT department, mainly because they have failed many times over.

I told him that if he gave me a chance that I could just connect up a machine running bt4pr and cause extensive random network traffic that would DoS every node and device on the network. If I'm right that would be using ettercap with a plug-in.

By theory I know I am correct, but I am sure that there is more to infiltrating a network like that.

Does anyone have any input that they could give me. I Do know that I do not have the great knowledge of some of the genius's in this forum, but just an opinion as to if my thought are correct and if this is easily possible.

What kind of security measures could stop this from happening?

I have tried this on my home network before and got to witness the chaos it created with only 8 devices on the network, But how well would it work on a huge network like this?

Thank you for any info.

Your landlord is a bloody idiot and has no idea the danger in what he's proposing you do, and neither do you. You shouldn't even be considering doing this as you could potentially get someone killed.

If you're talking about a network that I'm thinking of, chances are those presses are controlled by some sort of process control system, and attacking them in the way you're thinking could cause them to go out of control and potentially kill someone.

Have you ever seen someone pulled into a large press? I know someone that did, he was sucked in to his waist before the stopped the press and he died there after several hours of being in pain.

Control network are nothing that someone without extensive experience should be playing in, especially when you're talking about large incredibly expensive equipment running at very high voltages.

[Thorn]

So, the conclusion is, yes, my thoughts are correct and he possibly has a reason to worry since his IT crew has no clue of modern day technology?

Yes, the network is likely vulnerable to a DoS, but that's hardly news or constitutes a revelation. Almost any network is going to be vulnerable to a DoS of some type.

Reading between the lines here, it sounds like independent reviews of two things needs to be done. First, a review of the network design and topology needs to be conducted to see if it is correctly designed and set up according to best practices. For example, from your first post it sounds like the press controllers and the web servers are all on the LAN, when the web servers should be on a DMZ or on a remote site.

Secondly, a risk assessment in some flavor needs to be conducted. Whether it's a vulnerability assessment, or a pen test, it needs to be done to determine what portions of the network are mission critical, and in what ways they may be so vulnerable to as to cause a major meltdown in the paper if they fail. For example, email is almost universally seen as "critical" in most organizations, when it really isn't. If the email fails, you can still fall back on the telephones to communicate until email is restored. If may be inconvenient, but it can be done. On the other hand, a database server with the subscribers' credit cards in an unencrypted database will probably be seen as mundane and boring, but if the data gets lost or stolen, the potential damage to the paper could wipe it out in short order.

[lupin]

By theory I know I am correct, but I am sure that there is more to infiltrating a network like that.

When I was installing some newly purchased switches as part of an office move a number of years ago (early in my career) I managed to accidentally DOS the network by plugging both ends of the same straight-through cable into two ports on the same switch. So no, there isnt always that much to it.

And let me pile on with everyone else and say that attempting to DOS a production network is never something you want to do. The slight chance of an accidental DOS is keeping me fom running a penetration test on a particularly old and fragile but quite important system at my work - a deliberate DOS is unthinkable.