DM_ · 2013/09/28 23:07

0x00 Preface

As networks grow, their topology becomes more and more complex. A penetration tester typically reaches the perimeter web servers through basic or advanced web application techniques such as injection or file upload. Beyond that perimeter, the tester faces more complex internal networks, such as untidy VLAN environments.

What is a VLAN: baike.baidu.com/history/id=…

Test topology (figure)

0x01 Test Environment Overview

The test environment consists of three servers and an H3C S3610 Layer 3 switch, plus my laptop (Kali Linux).

The three servers represent the basic business divisions of TEC503. The attacker sits in VLAN200, the same VLAN as the web server, and has already taken control of the web server.

The data server (dataserver.tec503.com), web server (webserver.tec503.com) and domain controller of Tec503 (an imaginary target company) are placed in three VLANs (VLAN100, VLAN200 and VLAN300). VLAN100 and VLAN200 cannot reach each other, but both can reach VLAN300.

SNMP and Telnet are enabled on the switch (SNMP is used to monitor switch traffic; Telnet is used to manage the Layer 3 switch).

The goal: gain access to the data server's data while leaving as few traces as possible.

0x02 Initial Penetration Process

A DNS zone transfer vulnerability in Tec503.com was found during the initial information gathering, which pinned down the test target's IP address (5.5.6.4).

The web server is exposed to the Internet. Basic probing found a web vulnerability; a webshell was obtained and, from it, administrative privileges.

On the web server, the gateway IP address is 172.10.0.1.

From the Telnet banner, the gateway looks like an H3C device.

Simple weak passwords such as 123456, password and manager were tried; all failed.

Next, SNMP weak community strings were tested (the "weak passwords" here are the community strings used for SNMP management; by default the read-only community is public and the read-write community is private).

The default read-only community string public worked. SNMP was then used to obtain the H3C device password.

The password "admin" was obtained successfully (I forgot to mention that I had not tried admin earlier).

With this password, we can Telnet into the switch.

The login succeeds and we enter system-view.

0x03 Switch Penetration Process

After logging in to the switch through Telnet, we can start collecting its configuration (VLAN assignments, the super password, routing table, IP address pool allocation, and so on). All of this information except the super password can also be obtained through a readable SNMP community string. On Cisco devices, a read-write community string allows the core configuration file (including password strings) to be downloaded directly.
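The weaknesses this section relies on (default SNMP community strings, community strings without an ACL, cleartext Telnet management, reversibly stored super passwords) are all visible in the switch's own configuration text, so an administrator can audit for them before a tester does. The following Python audit is an added example, not code from the original post; the configuration samples are constructed in Comware-style syntax (an assumption about the vendor format) and the finding messages and severities are my own.

```python
import re

# Constructed sample in Comware-style syntax (an assumption about the vendor
# format; this is not the configuration captured in the original post).
WEAK_CONFIG = """\
 sysname TEC503-Core
#
 super password level 3 cipher EXAMPLE-CIPHERTEXT
#
 snmp-agent
 snmp-agent community read public
 snmp-agent community write private
 snmp-agent sys-info version all
#
 telnet server enable
#
user-interface vty 0 4
 authentication-mode password
 set authentication password simple admin
#
return
"""

# Constructed hardened counterpart: non-default community restricted by ACL,
# SNMPv3 only, SSH instead of Telnet, AAA login and an inbound ACL on the VTYs.
HARDENED_CONFIG = """\
 sysname TEC503-Core
#
 snmp-agent
 snmp-agent community read Gx7wq2Lp9 acl 2000
 snmp-agent sys-info version v3
#
 ssh server enable
#
user-interface vty 0 4
 authentication-mode scheme
 protocol inbound ssh
 acl 2000 inbound
#
return
"""

DEFAULT_COMMUNITIES = {"public", "private"}


def audit_switch_config(config_text):
    """Return (severity, message) findings for management-plane weaknesses."""
    findings = []
    in_vty = telnet_on = vty_acl = False
    for raw in config_text.splitlines():
        line = raw.strip()
        # Track whether we are inside a 'user-interface vty' stanza; '#' ends it.
        if line.startswith("user-interface vty"):
            in_vty = True
        elif line == "#" or line.startswith("user-interface"):
            in_vty = False
        if in_vty and re.match(r"acl \d+ inbound", line):
            vty_acl = True

        m = re.match(r"snmp-agent community (read|write) (\S+)(.*)", line)
        if m:
            access, community, rest = m.groups()
            if community.lower() in DEFAULT_COMMUNITIES:
                findings.append(("high", f"default SNMP {access} community '{community}'"))
            if not re.search(r"\bacl\b", rest):
                findings.append(("medium", f"SNMP {access} community '{community}' has no ACL"))
            if access == "write":
                findings.append(("high", f"SNMP write community '{community}' allows configuration changes"))
        if re.match(r"snmp-agent sys-info version .*\b(all|v1|v2c)\b", line):
            findings.append(("medium", "SNMPv1/v2c enabled: community strings cross the wire in cleartext"))
        if line == "telnet server enable":
            telnet_on = True
            findings.append(("medium", "Telnet enabled: management logins cross the wire in cleartext"))
        m = re.match(r"super password level \d+ (simple|cipher) ", line)
        if m:
            how = "plaintext" if m.group(1) == "simple" else "reversible encryption"
            findings.append(("medium", f"super password stored with {how}"))
        if re.match(r"set authentication password simple ", line):
            findings.append(("medium", "VTY login password stored in plaintext"))
    if telnet_on and not vty_acl:
        findings.append(("medium", "VTY lines accept Telnet from any source (no inbound ACL)"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name}: {len(audit_switch_config(cfg))} finding(s)")
        for severity, message in audit_switch_config(cfg):
            print(f"  [{severity}] {message}")
```

Run against a `display current-configuration` dump saved to a file, the audit gives a quick list of the exact conditions the post exploits; the hardened sample produces no findings. The regular expressions are deliberately narrow (one keyword per check), so adding a vendor's other spellings is a one-line change per check.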

This section briefly describes two functions of Layer 3 switches: VLAN assignment and port mirroring. "Port" here means a physical port on the switch, not a service port on a computer.

Port mirroring copies the traffic of one switch port to another port; you can choose to mirror inbound packets, outbound packets or both. The technique is commonly used for enterprise monitoring and traffic analysis. When mirroring, also keep in mind the load that a high-traffic source port places on the monitoring port.

In this test, port mirroring was used to capture the packets sent and received by the data server.

Let's start by analyzing the configuration file of this switch.

Here we can see the super password, encrypted with the H3C cipher. Encrypted strings of this kind can be decrypted with the script at github.com/grutz/h3c-p…

Next, let's look at the IP pool allocation. Combined with the information collected earlier with NSLOOKUP, we can approach the target more precisely.

According to the figure above, we are now in VLAN200, the target is in VLAN100, and the domain controller is in VLAN300.

So next we look at which VLAN each interface in use is assigned to.

Here you can see that Ethernet 1/0/3 is in VLAN100, and Ethernet 1/0/4 is in VLAN200, the VLAN we are in.

Once the interface assignments are clear, we create local mirroring group 1.

Then specify the port to be mirrored (the source port).

Then specify the monitoring port (the destination port).
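A mirroring group that copies a VLAN100 port onto a VLAN200 port, as the three steps above set up, leaves a footprint in the running configuration even though nothing else about the network changes. The detection below is an added example, not code from the original post: it diffs the mirroring groups of a running configuration against a saved baseline and flags any group whose monitor port sits in a different VLAN from the port being mirrored. The two configuration samples are constructed in Comware-style syntax (an assumption about the vendor format), with the port and VLAN numbers taken from the post's description.

```python
import re

# Constructed sample configs in Comware-style syntax (an assumption about the
# vendor format; they are not the configuration captured in the original post).
BASELINE_CONFIG = """\
interface Ethernet1/0/3
 port access vlan 100
#
interface Ethernet1/0/4
 port access vlan 200
#
interface Ethernet1/0/5
 port access vlan 300
#
return
"""

# Same switch after a mirroring group appeared: VLAN100 port copied to VLAN200 port.
RUNNING_CONFIG = """\
mirroring-group 1 local
mirroring-group 1 mirroring-port Ethernet1/0/3 both
mirroring-group 1 monitor-port Ethernet1/0/4
#
interface Ethernet1/0/3
 port access vlan 100
#
interface Ethernet1/0/4
 port access vlan 200
#
interface Ethernet1/0/5
 port access vlan 300
#
return
"""


def _norm(port):
    """Collapse 'Ethernet 1/0/3' and 'Ethernet1/0/3' to one spelling."""
    return "".join(port.split())


def parse_port_vlans(config_text):
    """Map each interface to its access VLAN from its 'interface' stanza."""
    vlans, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        m = re.match(r"interface (.+)", line)
        if m:
            current = _norm(m.group(1))
            continue
        if line == "#":          # stanza separator
            current = None
            continue
        m = re.match(r"port access vlan (\d+)", line)
        if m and current:
            vlans[current] = int(m.group(1))
    return vlans


def parse_mirroring_groups(config_text):
    """Collect mirroring groups as {id: {"mirroring": [(port, dir)], "monitor": [port]}}."""
    groups = {}
    empty = lambda: {"mirroring": [], "monitor": []}
    for raw in config_text.splitlines():
        line = raw.strip()
        m = re.match(r"mirroring-group (\d+) (local|remote-source|remote-destination)$", line)
        if m:
            groups.setdefault(int(m.group(1)), empty())
            continue
        m = re.match(r"mirroring-group (\d+) mirroring-port (.+?) (inbound|outbound|both)$", line)
        if m:
            g = groups.setdefault(int(m.group(1)), empty())
            g["mirroring"].append((_norm(m.group(2)), m.group(3)))
            continue
        m = re.match(r"mirroring-group (\d+) monitor-port (.+)$", line)
        if m:
            g = groups.setdefault(int(m.group(1)), empty())
            g["monitor"].append(_norm(m.group(2)))
    return groups


def mirror_changes(baseline_text, running_text):
    """Diff mirroring groups against the baseline and flag cross-VLAN monitor ports."""
    base = parse_mirroring_groups(baseline_text)
    run = parse_mirroring_groups(running_text)
    vlans = parse_port_vlans(running_text)
    report = {
        "added_groups": sorted(set(run) - set(base)),
        "removed_groups": sorted(set(base) - set(run)),
        "cross_vlan": [],
    }
    for gid, g in sorted(run.items()):
        for src, _direction in g["mirroring"]:
            for dst in g["monitor"]:
                sv, dv = vlans.get(src), vlans.get(dst)
                if sv is not None and dv is not None and sv != dv:
                    report["cross_vlan"].append((gid, src, sv, dst, dv))
    return report


if __name__ == "__main__":
    for key, val in mirror_changes(BASELINE_CONFIG, RUNNING_CONFIG).items():
        print(f"{key}: {val}")
```

Because the checker works on configuration text, it can be fed from a scheduled `display current-configuration` over an authenticated session or from a configuration backup system, and the `cross_vlan` entries are the ones worth paging on: a legitimate monitoring port normally lives in its own management VLAN, while a monitor port that lands in a server VLAN is exactly the setup this test used. The parser only handles access ports; trunk or hybrid ports are left out of the VLAN map and therefore never produce a cross-VLAN entry.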

Finally, log in to the web server under our control and use packet capture software to analyze the packets of the target (dataserver.tec503.com).

This figure shows captured ICMP packets of the target (dataserver.tec503.com).

This figure shows captured HTTP packets.

Packets of other protocols can be captured the same way, but the detailed follow-up analysis is not shown here.

0x04 Afterword

Routers and switches are encountered more and more often during penetration tests, and administrators frequently fail to configure them properly: default configurations, weak passwords and other misconfigurations are common. Their position in the network also shows how important they are during a penetration test. I also found a FreeBuf article about ARP sniffing across VLANs (www.freebuf.com/articles/sy…). I hope this article will lead to more good articles.

References

- H3C Ethernet Switch Configuration Guide
- Wireshark Packet Capture Guide, second edition
- WooYun: China Mobile H3C firewall side-channel leak: logging in to the device after obtaining the administrator password through SNMP