Thursday, February 7, 2008

Why "sticky" port security is dumb when your physical security sucks

If you havent heard of POPI Security... now you can:

P = Physical
O = Operational (OPSEC)
P = Personnel
I = Information(INFOSEC)

all that whiz bang pop a shell with metasploit and dump your mom's PII stuff falls into the "I" and they go up in order of ease, cost & complexity. For example, throwing a rock through a window and climbing into an office is in the "P" and cheap where a TEMPEST attack is in "I "and usually not cheap and requires a high degree of technical ability. Hopefully that makes sense.

Anyway, all that leads to the "no shit there I was" story of doing the onsite assessment. We roll in and get told there is "Sticky Port Security" on the switches. Begrudgingly we had given them our MAC addresses prior to the assessment so they could reserve us some IP space in the DHCP pool. So we set our IPs to the static ones they said we would have and nothing. A few phone calls later, still nothing.

Eventually we try plugging into empty network drops and setting things to DHCP, viola... IP address (not ones we were assigned) and connectivity. so much for port security, not much good when you leave hot open drops.

The "sticky" part of the security was a pain because we had 4 laptops and only 2 hot drops and the switch would only allow one IP per port. Thankfully, two networked printers were in the room, printing the printer's configuration (giving us its MAC) and SMAC for windows we had the other two laptops up and running. Yes, a simple 4 port router that clones MAC addresses would have worked too, but we didnt bring one.

Getting reverse shells back to our Linux hosts in VMware will be for another post, but we made it happen using VMware NATing & Fpipe.

Anyway, I mention physical security because:
1-we negated the port security by changing our MAC address and unplugging the printer from the network
2-because they didnt turn off ports that were unused we were handed IP addresses on the LAN
3-if the objective had been to just get "access" to the LAN we were done in 20 minutes
4-because of the open drops, 5 minutes and a wifi router and we could have had all the internal access we needed.

Just something to think about when you my smile smugly and tell people you have port security on your switches and your physical security sucks.

No comments: