5

I know that when setting up VTP across switches in a network you should set a secret/password to prevent unauthorized requests. My question is: I know that this uses an MD5 hash to ensure that attackers don't falsify any requests, but I haven't been able to find a decent explanation of how this hash is calculated. Is it salted with the domain of the network? Is it a request salted with the password sent to the VTP server? Is it even salted at all? All I have seen when digging through Cisco documentation is stuff along the lines of "Requests are secured using an MD5 hash," but I have yet to see a decent explanation of how this hash is actually calculated.

Edit: I am attempting to crack a VTP password given a captured VTP packet. Hence why I want to know how the md5 hash is salted.

Jannu

1 Answer

4

For general understanding, VTP allows central management of VLAN domains, ID and other attributes. It governs how other switches learn and understand VLANs. Any updates related to VTP management are sent by the VTP server.

The risk lies when the MD5 hash is known, either by compromising the switch and running commands such as show command, show vtp password, or by looking at the vlan.dat file. An attacker can then force a digest change for the entire domain, so a new VTP server (a rogue) can be set up, which will then allow unauthorized access to previously blocked/disabled VLANs and the addition of new unauthorized switches to the network.

As with version 3.0 of VTP, the two options, hidden and secret, provide mitigation to the recovery process of a message digest. More info can be found here.

UPDATE based upon the excerpt taken from the article: the MD5 hash is calculated and is only equal when the domain names are the same, along with taking other VTP configurations into consideration. In the above link, the author has provided evidence of this via tests.

peterh
Saladin
  • How is that hash calculated though? I am attempting to find a way to crack it given a captured VTP packet. Also, before anyone asks: yes, I own the network and I do already have the password. – Jannu Apr 10 '13 at 16:30
  • Alright, got a decent guess based on the link provided by Saladin. The MD5 digest appears to be a hash of all the VTP information, which will include the password with it. The switch then appears to hash this and send it with the update to the other routers. The new switch then hashes the new values with the password in its configuration, and if the digest matches it accepts the update, else it rejects the update. That said, I don't have anything hard and fast yet, because it appears Cisco themselves have failed to publish documentation on this or at least ensure it's distributed. – Jannu Apr 10 '13 at 17:10