Comments for Insinuator

Comment on VMDK Has Left the Building — Some Nasty Attacks Against VMware vSphere 5 Based Cloud Infrastructures by Johnny

Johnny — Tue, 04 Jun 2013 09:07:57 +0000

Hi Guys,

Well done for soime really interesting work. I am fairly new to this and would like to know if there are some detailed instructions for this exploit, i.e. I have a test enviornment on a Netapp san and the local hard disk storage. WOuld like to create a VM and break out of the VM to the Host. How do I configure the RAW disk settings?

Thanks a lot for the excellent and thought proving write up.

John

Comment on IPv6 Neighbor Cache Exhaustion Attacks – Risk Assessment & Mitigation Strategies, Part 1 by Antonios Atlasis

Antonios Atlasis — Sat, 01 Jun 2013 06:32:30 +0000

Great article Enno. Thanks for sharing your test results. Your explanation seems very reasonable to me.
I believe that in order this attack to be effective, the “malicious” packets should arrive even faster from several distributed sources at the same time (aka DDoS), which, of course, it doesn’t make it that trivial attack. Nevertheless, this would be a rather typical DDoS flooding attack which could take down the target for other reasons too.
Unless, as you said, we miss something…

Comment on RA Guard Support by LT

LT — Tue, 07 May 2013 10:00:39 +0000

The HP list doesn’t look particularly accurate. The 2910 definitely does RA guard – you can confirm in these release notes:

http://h20000.www2.hp.com/bc/docs/support/SupportManual/c03467132/c03467132.pdf

I’m relatively sure the 2920 does too.

It would be worth adding extreme networks devices to the list too.

Comment on RA Guard Support by Wolfgang Neudorfer

Wolfgang Neudorfer — Tue, 07 May 2013 07:17:41 +0000

Thanks for the list Enno!

Regards, W.

Comment on RA Guard Support by Sander Steffann

Sander Steffann — Thu, 02 May 2013 20:32:39 +0000

If someone is doing further research on this topic it would be interesting to see which switches can detect and/or drop fragmented Router Advertisements. That is currently a common way of evade RA Guard.

Comment on BPDU Guard: Bringing Down Infrastructures by alpacapowered

alpacapowered — Thu, 25 Apr 2013 14:14:58 +0000

One thing to note: The ESXi vSwitch BDPU filter feature is not only available since 5.1, but has also been implemented on ESXi 5.0 and even 4.1 with these patches last year:
http://kb.vmware.com/kb/2032597
http://kb.vmware.com/kb/2020743

You are not required to update to 5.1 to make use of the BDPU filter.

Comment on Some more Notes on RA Guard Evasion and “undetermined-transport” by erey

erey — Mon, 15 Apr 2013 10:28:12 +0000

Hi Alex,

thanks for your feedback.
Here’s the “sh ver”:

Switch>sh ver | b Ports
Switch Ports Model SW Version SW Image
—— —– —– ———- ———-
* 1 10 WS-C3560CG-8PC-S 15.0(2)SE C3560c405ex-UNIVERSALK9-M

This one was/isn’t stacked with anything.

best

Enno

Comment on Some more Notes on RA Guard Evasion and “undetermined-transport” by Alex

Alex — Mon, 15 Apr 2013 10:15:32 +0000

Hi Enno,

The expected behaviour should be the following on 15.0(2)SE: “undetermined-transport” should be supported on 3560s, but only on X and E series. The non X and E series do not support the “undetermined-transport” keyword, but should accept the ACL blindly (in case they are stacked with X and E).
The non X and E series might never support “undetermined-transport” for hardware reasons.

The output you provide seems to be different, and would indicate that the parser requires a specific order to apply the ACL. This is not good and we should get a bug filed if you are running an X/E series. If not, I’ll get pushed back by engineering.

I don’t have a 3560 X or E available, so would you mind providing a “sh ver” from your switch so I can file a bug internally for this?

Cheers,
Alex

Comment on IPv6 Neighbor Cache Exhaustion Attacks – Risk Assessment & Mitigation Strategies, Part 1 by Eric Vyncke

Eric Vyncke — Fri, 12 Apr 2013 13:46:57 +0000

Actually, what I meant to say is that ‘destination guard’ is the silver bullet to mitigate this attack (i.e. router never initiates a NS for unknown IPv6 address, it only refreshes existing ones), but, usually, the normal thresholds are OK for most deployments.

Thanks for the testing BTW

-éric

Comment on Loki for Windows released by Mr. Derp

Mr. Derp — Fri, 12 Apr 2013 03:11:30 +0000

Thanks for releasing the tool. It’s awesome!

Mr. Derp