Monday 24 March 2014

Listening to the Network

by Ian Whiting (Titania, CEO)

About the Author

Ian has been working with leading global organizations and government agencies to help improve computer security for more than a decade. He has previously been accredited by CESG for his security and team leading expertise for over 5 years. In 2009 Ian Whiting founded Titania with the aim of producing security auditing software products that can be used by non-security specialists and provide the detailed analysis that traditionally only an experienced penetration tester could achieve.


My favourite tool for monitoring network traffic in a graphical environment is Wireshark; on the command line I would commonly use TCPDump. Both tools are mature products that have been around for years, and if you are a penetration tester you have most likely already used one or both of them.

Many years ago, when network hubs were in common use, the quantity of network traffic arriving at my laptop used to be huge. In today's switched networks you usually no longer get to see network traffic that was sent to a specific network address. However, it is still worth checking whether you can see traffic that should not be visible in a switched environment. On a number of occasions I have had to report to clients instances where I was watching network packets that I simply should not have been able to see. I recently saw a network hub still in use on a network where it should long since have been replaced; in this case the company being tested was a supplier to financial organisations, and the network traffic on the hub contained data from several competing financial clients.

A common network protocol I see on networks is the Link Layer Discovery Protocol (LLDP), which a device uses to advertise its identity and capabilities. LLDP is useful when combined with network management software, but the same information is also useful to an attacker. The Wireshark screenshot (see Figure 1) highlights a captured LLDP packet. You can clearly see that it contains information such as the make, model and software version of the switch; in this case it is a Brocade ICX running IronWare 7.4.00T311. With that information it would be trivial for an attacker to review a vulnerability database and download any exploit code for the vulnerabilities found. The information could also be used to look up default passwords and other configuration settings that may not have been changed by the network administrator.


Figure 1. LLDP packet
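
To show what a passive listener actually extracts from an LLDP advertisement, here is an added example (not code from the original post or from Titania) that parses the LLDP TLVs out of a raw Ethernet frame and pulls out the system name, system description and management address; the frame, the vendor/firmware string and the addresses in it are constructed for the example.

```python
import struct

LLDP_MCAST = bytes.fromhex("0180c200000e")   # IEEE 802.1AB nearest-bridge destination MAC
ETHERTYPE_LLDP = 0x88CC
# Basic TLV types from 802.1AB; type 0 ends the LLDPDU and 127 is organisation-specific
TLV_NAMES = {1: "chassis_id", 2: "port_id", 3: "ttl", 5: "system_name", 6: "system_desc", 8: "mgmt_addr"}

def tlv(ttype, value):   # 7-bit type and 9-bit length packed into a 16-bit header
    return struct.pack("!H", (ttype << 9) | len(value)) + value

def parse_lldp_tlvs(lldpdu):
    """Walk the LLDPDU and return (type, value) pairs up to the End-of-LLDPDU TLV."""
    tlvs, off = [], 0
    while off + 2 <= len(lldpdu):
        hdr = struct.unpack_from("!H", lldpdu, off)[0]
        ttype, tlen = hdr >> 9, hdr & 0x1FF
        if ttype == 0:
            break
        value = lldpdu[off + 2:off + 2 + tlen]
        if len(value) != tlen:
            raise ValueError("truncated TLV at offset %d" % off)
        tlvs.append((ttype, value))
        off += 2 + tlen
    return tlvs

def audit_lldp_frame(frame):
    """Return the device details a passive listener learns from one frame, or None if not LLDP."""
    if frame[:6] != LLDP_MCAST or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_LLDP:
        return None
    info = {}
    for ttype, value in parse_lldp_tlvs(frame[14:]):
        name = TLV_NAMES.get(ttype)
        if name in ("system_name", "system_desc"):
            info[name] = value.decode("utf-8", "replace")
        elif name == "mgmt_addr":                      # addr_len(1) | subtype(1) | address...
            addr = value[2:1 + value[0]]
            info[name] = ".".join(map(str, addr)) if value[1] == 1 else addr.hex()  # 1 = IPv4
    return info

# Constructed sample frame (not a real capture): a switch advertising hostname, firmware and IPv4 management address
SRC_MAC = bytes.fromhex("001122334455")
SAMPLE_FRAME = (LLDP_MCAST + SRC_MAC + struct.pack("!H", ETHERTYPE_LLDP)
    + tlv(1, b"\x04" + SRC_MAC)                        # chassis id, MAC-address subtype
    + tlv(3, struct.pack("!H", 120))                   # TTL in seconds
    + tlv(5, b"core-sw1")
    + tlv(6, b"ExampleVendor SwitchModel, firmware 1.2.3")
    + tlv(8, b"\x05\x01" + bytes([192, 0, 2, 10])      # addr_len 5, subtype 1 (IPv4)
             + b"\x02" + struct.pack("!I", 1) + b"\x00")  # ifnum subtype, ifindex, OID length 0
    + tlv(0, b""))                                     # End of LLDPDU
```

Running `audit_lldp_frame(SAMPLE_FRAME)` returns the hostname, the vendor/firmware string and the management address, which is exactly the set of facts an attacker (or an auditor) gets for free from the capture in Figure 1.
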

Some manufacturers have developed their own variation of LLDP, the most prevalent of which is the Cisco Discovery Protocol (CDP). Although CDP is a Cisco proprietary protocol, it has appeared on other manufacturers' equipment too. You can see from the Wireshark CDP packet capture screenshot (see Figure 2) that the information in CDP also includes the software platform and version. You may also have noticed that both LLDP and CDP include the management address of the device, which is very useful.


Figure 2. CDP packet

Cisco's CDP also includes VLAN Trunking Protocol (VTP) domain information, which is also carried in Dynamic Trunking Protocol (DTP) packets (see Figure 3).


Figure 3. DTP packet

VTP is designed to make network administration easier by propagating VLAN changes, such as adding and removing VLANs, across multiple network switches. VTP can be configured in server, client or transparent/off mode. If a switch is in server or client mode, it is possible to modify the VLAN configuration on the switch if you can determine the VTP password. The presence of VTP could therefore pose a serious risk to a network, especially where a weak password has been set.

The VTP password cannot easily be tested over the network without modifying (or destroying) the VLAN configuration, so Nipper Studio can instead be used to review the actual device configuration and determine the VTP state without jeopardising the network (see Figure 4). It certainly would not make you a very popular penetration tester if you took down a customer's network by removing all of their VLANs.


Figure 4. Nipper Studio

A tool called Yersinia can be used to monitor the network in a similar manner to Wireshark, but it separates out protocols such as CDP, DTP and VTP into easy-to-review sections. However, I would recommend using this tool with caution, as it also includes a number of network attacks, including attacks using VTP (see Figure 5).

Figure 5. Yersinia

It is sometimes possible to audit the routing protocols present on the network by passively listening to the network traffic. Although I should not be seeing routing protocol traffic at all when plugging in to a standard network port, the Open Shortest Path First (OSPF) packet capture in the next example (see Figure 6) at least shows that MD5 authentication has been configured.

Figure 6. OSPF packet

However, I have often seen routing protocols where either no authentication is configured or default credentials are transmitted with no encryption. In the next example (see Figure 7), Routing Information Protocol (RIP) version 1 is being used, which has no support for authentication.

Figure 7. Vulnerable Routing Information Protocol
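
The two routing-protocol observations above (MD5 on OSPF versus unauthenticated RIPv1, and credentials sent in the clear) can be turned into an automated check over captured packets. The following is an added example, not from the original post, which classifies the authentication in use from the OSPFv2 header AuType field and from the RIP authentication entry; the IPv4 packets, router ID and passwords are constructed samples, not real captures.

```python
import struct

OSPF_AUTYPE = {0: "none", 1: "cleartext password", 2: "cryptographic (MD5)"}   # RFC 2328 AuType
RIP_AUTH = {2: "cleartext password", 3: "MD5"}                                 # RFC 2453 / RFC 2082

def audit_ospf(payload):
    """OSPFv2 header: ver(1) type(1) len(2) router id(4) area id(4) csum(2) AuType(2) auth(8)."""
    version, _ptype, _plen, router_id, _area, _csum, autype = struct.unpack_from("!BBHIIHH", payload)
    finding = {"protocol": "OSPFv%d" % version,
               "router_id": ".".join(map(str, struct.pack("!I", router_id))),
               "auth": OSPF_AUTYPE.get(autype, "unknown(%d)" % autype), "weak": autype != 2}
    if autype == 1:   # the password itself rides in the 8-byte authentication field
        finding["password"] = payload[16:24].rstrip(b"\x00").decode("ascii", "replace")
    return finding

def audit_rip(payload):
    """RIP header: command(1) version(1) zero(2), then 20-byte entries; an entry whose address
    family is 0xFFFF carries authentication (type 2 = cleartext, type 3 = keyed MD5)."""
    version, auth = payload[1], "none"
    if version >= 2 and len(payload) >= 24 and struct.unpack_from("!H", payload, 4)[0] == 0xFFFF:
        auth_type = struct.unpack_from("!H", payload, 6)[0]
        auth = RIP_AUTH.get(auth_type, "unknown(%d)" % auth_type)
    finding = {"protocol": "RIPv%d" % version, "auth": auth, "weak": auth != "MD5"}
    if auth == "cleartext password":
        finding["password"] = payload[8:24].rstrip(b"\x00").decode("ascii", "replace")
    return finding

def audit_ip_packet(pkt):
    """Dispatch one IPv4 packet: OSPF is IP protocol 89, RIP is UDP destination port 520."""
    ihl, proto = (pkt[0] & 0x0F) * 4, pkt[9]
    if proto == 89:
        return audit_ospf(pkt[ihl:])
    if proto == 17 and struct.unpack_from("!H", pkt, ihl + 2)[0] == 520:
        return audit_rip(pkt[ihl + 8:])           # skip the 8-byte UDP header
    return None

def ip_header(proto):
    """Constructed minimal IPv4 header (checksum left zero; only IHL and protocol are read)."""
    return bytes([0x45, 0, 0, 0, 0, 0, 0, 0, 64, proto, 0, 0, 192, 0, 2, 1, 224, 0, 0, 5])

# Constructed sample packets (not real captures); router ID 192.0.2.1, passwords are placeholders
OSPF_HELLO_MD5 = ip_header(89) + struct.pack("!BBHIIHH", 2, 1, 24, 0xC0000201, 0, 0, 2) + bytes([0, 0, 1, 16]) + struct.pack("!I", 7)
OSPF_HELLO_CLEAR = ip_header(89) + struct.pack("!BBHIIHH", 2, 1, 24, 0xC0000201, 0, 0, 1) + b"secret01"
RIPV1_RESPONSE = ip_header(17) + struct.pack("!HHHH", 520, 520, 32, 0) + bytes([2, 1, 0, 0]) + struct.pack("!HH4s4s4sI", 2, 0, bytes([10, 0, 0, 0]), bytes(4), bytes(4), 1)
RIPV2_CLEAR = ip_header(17) + struct.pack("!HHHH", 520, 520, 52, 0) + bytes([2, 2, 0, 0]) + struct.pack("!HH16s", 0xFFFF, 2, b"ripkey") + struct.pack("!HH4s4s4sI", 2, 0, bytes([10, 0, 0, 0]), bytes(4), bytes(4), 1)
```

Anything reported with `"weak": True` is the finding the article describes: no authentication at all (RIPv1, OSPF AuType 0) or a password that any passive listener on the segment can read.
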

There are a huge number of other interesting protocols that have not been covered in this article, such as the Dynamic Host Configuration Protocol (DHCP). However, I hope this article has given a renewed appreciation that simply listening to what the network has to communicate can highlight security issues. These are issues which can be, and too often are, missed when security assessments place too great a focus on the results of network scanners.
