RE: Anonymous access to Voice VLAN using CDP

From: Wence Van der Meersch (wence.vandermeersch@ascure.com)
Date: Tue Jul 25 2006 - 09:16:15 EDT


Actually you configure the voice VLAN on the switch, and when the phone
boots up it will talk CDP to the switch asking what's the voice VLAN,
and after receiving this information from the switch the phone will send
its own traffic tagged with this VLAN ID, while sending out the traffic
received through the PC port untagged.

Something you can try is to connect a hub (no switch obviously) between
the phone and the Catalyst switch (if you're not using PoE, else put a
PoE extractor between the hub and the switch, and supply the phone with
the power lead from the extractor) and connecting a PC to this hub. Then
let the phone discuss the VLAN details with the switch while you are
sniffing the whole conversation and when the phone starts sending tagged
traffic you can try sending traffic with this VLAN tag from your PC
(which, of course, has dot1q support enabled). I'm not sure if the switch
will filter incoming tagged traffic on MAC address (as it should, to
prevent this from happening and allowing only tagged traffic originating
from the phone) so you can try disconnecting the phone, cloning its MAC
address and sending the tagged traffic, making it seem to the switch
that you are the phone.

Anyway this is purely an educated guess. I use Cisco phones and switches
at home so I'll investigate this a bit further in the next few days.
Maybe I'll even write a tool for all this.

Wence Van der Meersch
Information Security Consultant, CISSP
Ascure NV

e-mail wence.vandermeersch@ascure.com
Web http://www.ascure.com/

 

> -----Original Message-----
> From: jpecou@gmail.com [mailto:jpecou@gmail.com]
> Sent: Friday 21 July 2006 18:57
> To: pen-test@securityfocus.com
> Subject: Anonymous access to Voice VLAN using CDP
>
> Hey guys .. I will try to make this short and sweet. At my
> job we are looking to implement a VOIP infrastructure. A
> typical infrastructure with voice and data usually will have
> both voice and data on a separate VLAN. The phone will then
> plug into the ethernet port and the PC plug into the phone.
> (Basically the phone becomes a trunk port for the PC.) I have
> read that the way the phone gets placed on the voice VLAN is
> through CDP. Apparently upon connecting to the switch the
> phone sends a CDP packet identifying itself and then gets
> placed on the Voice VLAN. I would love to attempt to put a PC
> on our voice VLAN. I know that yersinia has options for
> crafting CDP packets. Has anyone accomplished this and could
> someone give me a brief explanation of how I could do this?
>
>
>
> Thanks!
>
>
>
>
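
Added example (not part of the original post, and not a tool by its author): a monitoring-side check for the condition the reply is unsure the switch enforces, namely that only the phone's MAC sends frames tagged with the voice VLAN ID on a port. The VLAN ID, the phone inventory, the port names and every frame below are constructed assumptions.

```python
import struct
from collections import defaultdict

VOICE_VLAN = 110  # assumption: voice VLAN ID configured on the switch
KNOWN_PHONES = {"02:00:00:00:01:01", "02:00:00:00:01:02"}  # assumed inventory

def parse_dot1q(frame: bytes):
    """Return (src_mac, vlan_id); vlan_id is None for an untagged frame."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    src = ":".join(f"{b:02x}" for b in frame[6:12])
    if struct.unpack("!H", frame[12:14])[0] != 0x8100:  # no 802.1Q TPID
        return src, None
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci = struct.unpack("!H", frame[14:16])[0]
    return src, tci & 0x0FFF  # low 12 bits of the TCI are the VLAN ID

def audit(observations):
    """observations: (switch_port, raw_frame) pairs from a port mirror."""
    taggers = defaultdict(set)  # port -> MACs seen tagging the voice VLAN
    findings = []
    for port, frame in observations:
        try:
            src, vlan = parse_dot1q(frame)
        except ValueError:
            continue  # skip runt frames instead of aborting the audit
        if vlan != VOICE_VLAN or src in taggers[port]:
            continue
        taggers[port].add(src)
        if src not in KNOWN_PHONES:
            findings.append((port, src, "unknown MAC tagging voice VLAN"))
        if len(taggers[port]) > 1:
            findings.append((port, src, "extra MAC tagging voice VLAN on port"))
    return findings

def build_frame(src, vlan=None):
    """Constructed sample frame: broadcast dst, IPv4 EtherType, zero payload."""
    tag = b"" if vlan is None else struct.pack("!HH", 0x8100, vlan)
    return (b"\xff" * 6 + bytes.fromhex(src.replace(":", "")) + tag
            + struct.pack("!H", 0x0800) + bytes(46))

SAMPLE = [  # constructed observations, not captured traffic
    ("Fa0/1", build_frame("02:00:00:00:01:01", VOICE_VLAN)),  # phone
    ("Fa0/1", build_frame("02:00:00:00:02:01")),              # PC, untagged
    ("Fa0/2", build_frame("02:00:00:00:01:02", VOICE_VLAN)),  # phone
    ("Fa0/2", build_frame("02:00:00:00:02:02", VOICE_VLAN)),  # PC, tagged
]
```

Calling audit(SAMPLE) reports only the tagged PC on Fa0/2. The inventory check cannot tell a cloned phone MAC from the phone itself, which is the case the reply raises at the end.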



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:56:23 EDT