CiscoInTheSkyWithDiamonds

More documents

Recommendations

Info

Being able to receive (decrypt) and send (encrypt) STUN messages allows us to participate on the control channel We can take ports or entire port groups We get access to the management networks Management network services expose much more vulnerable services We can MitM management network traffic Most vSphere connections are SSL Nobody has ever seen an actual PKI being used All certificates are self-signed upon installation The only defense is a perfect L2 VLAN setup L3 is almost un-defendable VXLAN and other SDN magic requires L3
1. Compromise a web server in a virtual DMZ Non-administrative shell 2. Upload a script (e.g. PHP) for STUN L3 communication 3. Run VEM STUN L3 attack to VSM Takeover of port groups Configure new mappings 4. Configuration and use of a direct tunnel to internal or management network 3 1 2 4
Page 1: Observed by Greg & FX
Page 4 and 5: 1967: First systems with IBM CP-67
Page 6 and 7: 10 GigE Virtual Switch
Page 9 and 10: Cisco Nexus Operating System (NX-OS
Page 11 and 12: This being a VMware VM, we can boot
Page 13 and 14: The N1kV requires license files to
Page 15 and 16: Let‘s see what that function does
Page 17 and 18: Exploitation is a bit tricky though
Page 19 and 20: The jailbreak script adds a user to
Page 21 and 22: Why talk about licensing? CSCud0142
Page 23 and 24: 6 bytes (12 hex chars) “signature
Page 25 and 26: We could now exercise our 1337 reve
Page 28 and 29: CDP is everywhere in Cisco land VM
Page 30 and 31: The VSM stores a set of “opaque d
Page 32 and 33: Offset Size Meaning 0x0 8 Bit Proto
Page 35 and 36: VEMs register themselves with the V
Page 37: Cisco’s documentation says 128 Bi
Page 42 and 43: At Phenoelit, FtR is the go-to-guy
Page 45: Our work with Cisco PSIRT goes back

CiscoInTheSkyWithDiamonds

Create successful ePaper yourself

Delete template?

Save as template?