Research Demo: Double Tagging VLAN Hopping Attack Against the Microsoft Server 2012 Hyper-V Cisco Nexus 1000v Virtual Network Using One Physical Switch

This post demonstrates the effects of using a double tagging VLAN hopping attack to send an ICMP packet to a virtual machine located on a different VLAN from the physical attacking system. In this scenario the attacker is using a physical Kali 2.0 system connected to a native VLAN access port on a Cisco 2950 switch and targeting a virtual machine located on a separate VLAN within the Microsoft Server 2012 Hyper-V hypervisor environment using the Cisco Nexus 1000v virtual switch.

This experiment was performed on seven different hypervisor/virtual network configurations in order to perform a systematic evaluation of the effects across all of the major enterprise-level virtualization platforms. The following network diagram illustrates the configuration used for each of the experiments:

[Figure: network diagram (double_tagging_physical_single_switch)]

Research Demo: Double Tagging VLAN Hopping Attack Between Two Virtual Networks With a Cisco 2950 Switch in the Middle

This post demonstrates the effects of using a double tagging VLAN hopping attack to send an ICMP packet from a virtual machine located in one hypervisor environment to another virtual machine located in a separate hypervisor environment connected to the same physical switch. In this scenario the attacker is using a virtual Kali 2.0 system located within the Citrix XenServer hypervisor environment and targeting a virtual machine located on a separate VLAN within the ProxMox hypervisor environment.

This experiment was performed on seven different hypervisor/virtual network configurations in order to perform a systematic evaluation of the effects across all of the major enterprise-level virtualization platforms. The following network diagram illustrates the configuration used for each of the experiments:

[Figure: network diagram (double_tagging_virtual)]

Research Demo: Double Tagging VLAN Hopping Attack Against the Proxmox Virtual Network Using Two Physical Switches

This post demonstrates the effects of running a double tagging VLAN hopping attack against the ProxMox hypervisor environment. In this scenario there are two Cisco 2950 switches between the attacker and the virtual network. The experiment was performed on seven different hypervisor/virtual network configurations in order to perform a systematic evaluation of the effects across all of the major enterprise-level virtualization platforms. The following network diagram illustrates the configuration used for each of the experiments:

[Figure: network diagram (double_tagging_physical_dbl_switch_scenario)]

Research Demo: Switch Spoofing Attack Against a Cisco 2950 Switch from the VMWare ESXi 6.0 Hypervisor Environment

This post includes a demo video which illustrates the effects of a switch spoofing attack launched from within a virtualized networking environment. The experiment was performed on seven different hypervisor/virtual network configurations in order to perform a systematic evaluation of the effects across all of the major enterprise-level virtualization platforms. The following network diagram illustrates the configuration used for each of the experiments:

[Figure: network diagram (switch_spoofing_virtual)]

Research Demo: ARP Poisoning Attacks in Virtual Networks

This post includes demo videos which illustrate the effects of an ARP poisoning man-in-the-middle attack within a virtualized networking environment. The experiment was performed on seven different hypervisor/virtual network configurations in order to perform a systematic evaluation of the effects across all of the major enterprise-level virtualization platforms. The following network diagram illustrates the configuration used for each of the experiments:

[Figure: network diagram (arp_poison)]

How To: CentOS 7 Router

I have had to create a few CentOS 7 minimal router systems over the past few weeks for my research environments and decided to document the process. CentOS 7 makes use of systemd and firewalld, which is a change from previous versions, which were openrc and iptables based. The process of creating a minimal router system is fairly straightforward and can be completed in a very short amount of time after the initial installation with minimal dependencies.

DefCon 23 Presentation: Exploring Layer 2 Network Security in Virtualized Environments

DefCon 23 Video Demo: Rogue DHCP/DNS server gaining root access to target

DefCon 23 Video Demo: Rogue DHCP/DNS server ShellShock exploit proof of concept

DefCon 23 Video Demo: Rogue DHCP/DNS server on Citrix XenServer 6.2 with Open vSwitch 1.4.6