re: Cisco-like port security
I don't want to scare anybody or post what we know - however ...
We have identified some network security holes on Cisco switches
Depending on your Cisco switch configuration
If we are at an IP-Phone, we are able to:
- knock down the entire IP-Phone network
- hack into any vlan on the Cisco switch
- knock down any vlan network or knock down any device on any vlan
- Even with some basic MAC address security which limits to only a single MAC address, we can still get onto any network and have multiple computers injected into those networks.
- Inject our own DHCP server and have it take control of DHCP services
- Inject our own gateway on any vlan network
- Redirect devices on other vlans to use our gatway - and span monitor all traffic then
- find/scan for server vulnerabilities on any vlan
I'm not trying to be scary - I am however stating :
- network security is often overlooked or never checked
- all networks everywhere usually have some huge gaping security holes for bad guys to get through
- when it comes to "port security" , you really need to think out-of-the-box and think about how many ways and methods could the NSA use to get into your network.
Another FYI - I kinda suspect the next big world-wide network security vulnerabilities will be CPU micro-code and CPU hidden Minix code . . . (AKA - did you know your CPU processors hava a built-in hidden CPU & operating system & web browser interface ?)
Would You care to elaborate any further?
Is this perhaps vtp related? Are static vlans affected?
Did You test the same thing on MikroTik? How did it go?
Re: Would You care to elaborate any further?
Not much at this time. I am still looking for other vulnerabilities when on Cisco switches connected to VoIP phones.
FYI - this is not specifically a Cisco thing , it is a related to but not necessarily a VoIP thing and how things are configured
Re: Is this perhaps vtp related? Are static vlans affected?
Kinda (not vtp domain related) but Vlan related
Re: Did You test the same thing on MikroTik? How did it go?
I used a Cisco switch & PC & a Mikrotik something we all have access to and might already own
North Idaho Tom Jones