Popular Internal IP Addressing Scheme Could Leave Enterprises Vulnerable

By seanferd ·
DarkReading.com

http://www.darkreading.com/security/vulnerabilities/showArticle.jhtml?articleID=217800409

"A popular method of saving IP address space in enterprise networks could expose businesses to hackers who might use it to interrupt service or steal data, according to a well-known security researcher."

RSnake's blog post
http://www.sectheory.com/rfc1918-security-issues.htm

RFC 1918 - Address Allocation for Private Internets
http://www.faqs.org/rfcs/rfc1918.html

This conversation is currently closed to new comments.

10 total posts (Page 1 of 1)  

All Comments

Wouldn't this require the hacker to first establish

by Deadly Ernest In reply to Popular Internal IP Addre ...

a working and accepted VPN connection into the network they wish to hack?

One of the safety features of using such an IP is the fact any communication with an internal address that does accidentally get out is bit binned at the first Internet router it meets.

I accept the possibility may exist, the real question is the ability to actually exploit it.

I must admit the only major network I designed used two of the private address systems, one for the gateway area and another for the corporate lan.

As far as I know, yes.

by seanferd In reply to Wouldn't this require the ...

I think the idea is to make use of collisions once you've compromised the home/roaming computer when not inside the private network. When connecting via VPN or bringing the laptop back into the office, the cracker has a chance to compromise the larger private network.

I think that it is being pointed out because more networks are being put into service without this in mind, or as a reminder that strong perimeter security isn't the only need in private networks.

I thought I'd leave it to those more familiar with large private networks to weigh in on this. :)
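A defender's check for the address collision discussed in the post above, as an added example that is not part of the original thread: it compares the subnets a roaming machine is directly attached to against the routes a corporate VPN would install and reports which side wins each overlapping range. The function names and sample subnets are constructed for illustration, and plain longest-prefix-match routing is assumed.

```python
import ipaddress

# The three private blocks defined by RFC 1918.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(net):
    """True if the whole network sits inside one RFC 1918 block."""
    return any(net.subnet_of(block) for block in RFC1918)

def find_collisions(local_nets, vpn_routes):
    """List every overlap between directly attached LANs and VPN routes.

    Assumes a plain longest-prefix-match routing table: the more specific
    prefix wins for the overlapping range. Equal prefixes are 'ambiguous'
    because the outcome then depends on route metrics.
    """
    findings = []
    for local in map(ipaddress.ip_network, local_nets):
        for vpn in map(ipaddress.ip_network, vpn_routes):
            if not local.overlaps(vpn):
                continue
            if local.prefixlen > vpn.prefixlen:
                # Corporate addresses in this range resolve to the local LAN.
                winner, contested = "local", local
            elif local.prefixlen < vpn.prefixlen:
                # Local hosts in this range become unreachable over the LAN.
                winner, contested = "vpn", vpn
            else:
                winner, contested = "ambiguous", local
            findings.append((str(local), str(vpn), winner,
                             str(contested), is_rfc1918(contested)))
    return findings

# Constructed sample data, not taken from the thread or the article.
HOME_LANS = ["192.168.1.0/24", "10.0.0.0/24"]
CORP_VPN_ROUTES = ["10.0.0.0/8", "192.168.1.0/24", "172.16.40.0/22"]

if __name__ == "__main__":
    for local, vpn, winner, contested, private in find_collisions(
            HOME_LANS, CORP_VPN_ROUTES):
        print(f"{local} overlaps {vpn}: {winner} route wins for {contested}"
              f" (RFC 1918: {private})")
```

A "local" result is the case to alert on: addresses the corporate network owns would be answered by whatever sits on the untrusted LAN.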

I've worked on a few large private networks in the past, but

by Deadly Ernest In reply to As far as I know, yes.

it's the hacker side I'm weak on, not much IDS experience despite working on secure gateways and the like. I couldn't see how they could make the issue work from outside the network or how they could get in deep enough without being inside the fence to begin with, and if they're inside then any damn IP series is vulnerable to them as they'll have the basic address system from the system they've compromised.

edit to add.

Sometimes you can confuse the **** out of a hacker with something simple like using an IP address range and mask that don't normally go together - for example

10.100.200.x with a mask of 10.100.200.255

most people expect a 10.x.x.x address to have a mask of 10.255.255.255 and not using it can make life harder.

That is interesting

by seanferd In reply to I've worked on a few larg ...

I don't think that would have ever crossed my mind. It's one of the reasons I so enjoy reading comments from knowledgeable folk such as you.

Very cool.

Think that's fun, one of the best nights I had at college

by Deadly Ernest In reply to That is interesting

was when I was asked to set up a dozen machines as a small gateway and lan so the security class could have a go at hacking it. I got roundly abused by the teacher a couple of days later as he had two senior classes unable to break in. He was confident and had a go, much to the class's amusement when he couldn't. And all I did was mess around with masks and protocols. Kind of like this IP address / mask:

Gateway device with two nics - one external IP and one internal (10.255.15.20 / 10.255.15.255) get the joke here - ethernet to the next

Gateway device with two nics - two internal IPs (10.255.15.21 / 10.255.15.255 -- 192.168.0.1 / 192.168.255.255) this connected to the next using IPX/SPX

Gateway Device with two nics - two internal IPs (192.168.0.100 / 192.168.255.255 -- 172.1.100.1 / 172.255.255.255) ethernet to the lan

nine lan pcs with one nic and IP each (172.1.100.x / 172.255.255.255) all static.

The normal thing with internals is

10.x.x.x / 10.255.255.255
172.1.x.x / 172.1.255.255
192.168.0.x / 192.168.0.255

the weird masks and the use of IPX/SPX was bad enough but what sent him crazy was the use of 255 as a valid subnet group since it came in good at the start, he expected the normal mask. And using all three was another annoyance. I'm not sure how it would have gone against a GREAT hacker.

edit to add - Not sure if this would actually work for interacting with the Internet due to the IPX/SPX, but it was sure fun setting it up. I know the rest of it would work.

Security class apparently

by seanferd In reply to Think that's fun, one of ...

needed more work. It's one thing for it to be difficult, but if they don't even have an idea on how to go about figuring it out, they are probably memorizing, not learning concepts. Oops.

Sounds like it was a bit of fun. :)

Which was part of the issue, what got to the teacher

by Deadly Ernest In reply to Security class apparently

was the fact I was a lot sneakier and trickier than he thought I was.

:^0

by seanferd In reply to Security class apparently

The Student becomes the Master! :^0

The problem with that

by jdclyde In reply to I've worked on a few larg ...

is if they (like most places do out of administrator laziness) use DHCP to hand out the IP addresses.

Correct, it's one of the reasons why I prefer to set up

by Deadly Ernest In reply to The problem with that

with static IP addresses. However, again you're talking about someone being inside the fence and active on the network to be able to be assigned an IP address by dhcp.

In bigger networks it's best to use static between links and the dhcp within the sub groups if you must use dhcp.
