On Cisco switches there is a feature called port security. How does port security work?
Port security only allows specific MAC addresses that are already connected to the switchport; if the MAC doesn't match, frames sent by the host through that switchport are dropped. To get a good understanding of this, I strongly recommend learning the OSI layers and TCP/IP first before jumping into this material.
There are 3 port security actions, or as we usually call them, violation modes: Shutdown, Restrict, and Protect. Here I will choose Restrict, because we get a notification when a foreign MAC address tries to connect. And why not Shutdown? That's the critical one; find out yourself.
Okay, let's begin. In this post I'm using DracOs Linux as my pentesting equipment. What is DracOs? DracOs is the first pentest Linux distribution in Indonesia, built from LFS (Linux From Scratch). Very light and powerful.
And this is our pentest lab. Remember, port security in this lab is only implemented on IOU2 interface e0/0, with a maximum of 3 MAC addresses: IOU3 e0/0, PC1 e0 and PC2 e0.
The first thing you need to do is bring up your interface card. Now let's think about how we can get usable information about an authorized user without an IP address while we're blocked by the switchport.
Network scanning? No, you can't, because you don't have an IP address to do that yet.
Okay, here is my config on the e0/0 switchport, and you will see a violation occur after bringing up your interface. But why? Because my device doesn't match the port-security rules, and every time you power up an interface, it automatically sends out ARP broadcasts to all ports looking for friends on the network, but sadly my frames got dropped by port security. lol.
I set up my router as a DHCP server. The reason I set it up is that I need ARP and DHCP acknowledgements from the authorized user, and I also want to make it like the real world with a /29 prefix.
Okay, now from the client side, I'm requesting DHCP from PC1 to the server while I'm sniffing my own DracOs interface and looking for an ARP broadcast from the authorized user, and gotcha, now I've got some information.
As you can see at Layer 2, we now have the authorized MAC address, and we know which IP network the authorized user got from the DHCP server. Now what?
Make sure your interface card is still up and working well, then assign an IP address within the same network as the information above. I'll use a /24 prefix; why? Because we won't get an IP from the DHCP server, so I'm just going to set it statically with /24, since we don't know what mask the DHCP server uses, and logically I can cover it with /24 just because it makes sense as a class "C" network. Can we do that? Absolutely yes.
But just assigning an IP to our interface is not enough; it doesn't mean we can ping the router, because port security matches at Layer 2. We need to use the MAC address of an authorized user to bypass this feature by manipulating it. Change your MAC address to the authorized user's MAC, and congratulations, now you're bypassing it; welcome to the network.
Just look at my ARP table after pinging and scanning my whole network: what I got is just 2 hosts up. Do you know why? Because I have the same MAC address as one of the authorized users, the one with IP 172.16.0.2 and MAC 00:50:79:66:68:00, and I'm replacing him.
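Switching to the switch operator's side, here is an added example (my own, not code from the original post): it pulls the violation notifications that Restrict mode writes to the switch syslog, and correlates ARP observations against the DHCP lease table so that an authorized MAC suddenly speaking from a static IP, which is what the replacement in the ARP table above looks like on the wire, gets flagged. The lease table, ARP lines and syslog lines are all constructed sample data; the violation line follows the standard IOS PSECURE_VIOLATION message format, with a placeholder MAC for the unauthorized NIC.

```python
import re
from collections import defaultdict

# Constructed DHCP lease table for the /29 in the post (sample data, not a real server dump).
DHCP_LEASES = {
    "00:50:79:66:68:00": "172.16.0.2",  # the PC1 lease quoted in the post
    "00:50:79:66:68:01": "172.16.0.3",  # constructed second client
}

# Constructed ARP observations "time sender-MAC sender-IP" as a sniffer on the uplink would
# see them; the last line models the bypass: the authorized MAC now also claims a static IP.
ARP_OBSERVATIONS = """\
10:00:01 00:50:79:66:68:00 172.16.0.2
10:00:02 00:50:79:66:68:01 172.16.0.3
10:00:09 00:50:79:66:68:00 172.16.0.7
"""

# Constructed switch syslog in the format of the IOS PSECURE_VIOLATION message that Restrict
# mode logs; the MAC is a placeholder for the unauthorized NIC, not a real device.
SWITCH_LOG = """\
Mar  1 10:00:00: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0800.27ab.cdef on port Ethernet0/0.
Mar  1 10:00:05: %LINK-3-UPDOWN: Interface Ethernet0/1, changed state to up
"""

ARP_RE = re.compile(r"^\S+\s+([0-9a-f:]{17})\s+(\d+(?:\.\d+){3})$")
VIOLATION_RE = re.compile(r"PSECURE_VIOLATION: .*MAC address ([0-9a-f.]+) on port (\S+?)\.?$")

def violations(log_text):
    """Return (mac, port) for every port-security violation in the switch log."""
    return [m.groups() for line in log_text.splitlines() if (m := VIOLATION_RE.search(line))]

def find_spoofed_macs(arp_text, leases):
    """Map MAC -> sorted unexpected IPs. A leased MAC seen with any other IP, or a lease-less
    MAC claiming several IPs, is reported; a plain static host or a lease renewal is not."""
    seen = defaultdict(set)
    for line in arp_text.splitlines():
        m = ARP_RE.match(line)
        if m:
            seen[m.group(1)].add(m.group(2))
    alerts = {}
    for mac, ips in seen.items():
        leased = leases.get(mac)
        unexpected = ips - {leased} if leased else (ips if len(ips) > 1 else set())
        if unexpected:
            alerts[mac] = sorted(unexpected)
    return alerts

if __name__ == "__main__":
    print(violations(SWITCH_LOG))                            # [('0800.27ab.cdef', 'Ethernet0/0')]
    print(find_spoofed_macs(ARP_OBSERVATIONS, DHCP_LEASES))  # {'00:50:79:66:68:00': ['172.16.0.7']}
```

Note that the syslog check only catches the unauthorized NIC before the MAC change; after it, the switch sees an allowed address, so the ARP-versus-lease correlation is what still shows the takeover.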
DWYOR, I'm not responsible for your actions. Please do it wisely, for pentesting concerns only (DO IT LOCALLY).