Wake on LAN in a multi-VLAN environment

February 15th, 2008 by Nicola Lardieri

Goals

The goal is to be able to power on all computers in the security laboratory.

How does Wake on LAN work?

Wake on LAN is based on the following principle:

When the PC is shut down, the NIC still receives standby power and keeps listening on the network for a “magic” packet to arrive. This packet must contain a specific byte sequence, but it can be encapsulated in any kind of packet (IPX, IP, anything). The NIC only listens; it never replies.

Hardware requirements

  • A motherboard with a 3-pin Wake-on-LAN connector near the PCI slots and BIOS support for Wake-on-LAN power up.
  • A network card with a 3-pin Wake-on-LAN connector (cards that support PCI 2.2 power management signal the wake-up over the bus and do not need the cable).

Wake-up frame

A wake-up frame is a data packet that contains the Ethernet (MAC) address of the remote network card and can be encapsulated in any kind of packet. Somewhere inside the frame it must carry a byte stream (the magic sequence) made up of a synchronization stream of 6 bytes with the value FF (6 x FF), followed by 16 repetitions of the 6-byte Ethernet address: 102 bytes in total.

Magic sequence

If the Ethernet address of the target computer is 01:02:03:04:05:06 (6 bytes), the LAN controller of that machine looks for the following sequence

FFFFFFFFFFFF010203040506010203040506010203040506010203040506
010203040506010203040506010203040506010203040506010203040506
010203040506010203040506010203040506010203040506010203040506
010203040506010203040506

inside the frame.

The Tool

There are a lot of Wake-on-LAN tools, but not every tool is adequate for our requirements. The whole security laboratory network is a multi-VLAN environment. This means that it is not possible to send a single Layer 2 broadcast frame through multiple VLANs with the intent of powering on all computers at once: every VLAN is its own broadcast domain. Therefore we need a tool that encapsulates the “magic data” in an IP packet, so that it can be routed between the VLANs.

**wakeonlan** is a Perl script that satisfies this requirement. It encapsulates the magic data in a UDP datagram and sends it to a broadcast address, which can be specified (default: 255.255.255.255), on UDP port 9 (the “discard” port).

The packet looks like this:

[Ethernet header][IP header][UDP header][Magic sequence][Ethernet FCS]
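As an added example (not part of the original article and not the wakeonlan script itself), the following Python builds the magic sequence exactly as described above, checks whether a captured payload contains it anywhere, which is what the LAN controller does, and sends it as a UDP datagram to a directed broadcast address on port 9, the same way wakeonlan does. The function names, the constructed sample payload and the addresses in the usage are assumptions chosen for the example.

```python
"""Build, detect and send Wake-on-LAN magic packets (added example)."""
import re
import socket

SYNC_STREAM = b"\xff" * 6   # 6 x FF synchronization stream
REPETITIONS = 16            # the Ethernet address follows 16 times
WOL_PORT = 9                # UDP "discard" port used by wakeonlan


def parse_mac(mac: str) -> bytes:
    """Accept 01:02:03:04:05:06, 01-02-03-04-05-06 or 010203040506; return 6 raw bytes."""
    digits = re.sub(r"[:\-]", "", mac.strip())
    if not re.fullmatch(r"[0-9a-fA-F]{12}", digits):
        raise ValueError(f"not a 6-byte Ethernet address: {mac!r}")
    return bytes.fromhex(digits)


def build_magic_packet(mac: str) -> bytes:
    """6 x FF followed by 16 repetitions of the address: 102 bytes in total."""
    return SYNC_STREAM + parse_mac(mac) * REPETITIONS


def find_magic_sequence(payload: bytes, mac: str) -> int:
    """What the LAN controller does: look for the sequence anywhere inside the
    frame. Returns the byte offset of the sequence, or -1 if it is absent."""
    return payload.find(build_magic_packet(mac))


def send_wol(mac: str, broadcast: str, port: int = WOL_PORT) -> int:
    """Encapsulate the magic sequence in a UDP datagram and send it to the
    (directed) broadcast address of the target subnet, as wakeonlan does.
    Returns the number of bytes handed to the socket."""
    packet = build_magic_packet(mac)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        # Without SO_BROADCAST the kernel refuses to send to a broadcast address.
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        return sock.sendto(packet, (broadcast, port))


# Constructed sample (assumption): a UDP payload with 10 bytes of leading junk
# followed by the magic sequence for the article's example address. The NIC
# still recognises it because it scans the whole frame.
SAMPLE_PAYLOAD = b"\x00" * 10 + build_magic_packet("01:02:03:04:05:06")


if __name__ == "__main__":
    print(build_magic_packet("01:02:03:04:05:06").hex())
    print("offset in sample payload:",
          find_magic_sequence(SAMPLE_PAYLOAD, "01:02:03:04:05:06"))
    # Same effect as: wakeonlan -i 172.16.106.255 00:0e:0c:a1:e3:b1
    send_wol("00:0e:0c:a1:e3:b1", "172.16.106.255")
```

The hex string printed for 01:02:03:04:05:06 is the sequence listed in the “Magic sequence” section. Because the NIC compares the raw sequence and nothing else, any host on the segment that can send a broadcast can wake any machine whose MAC address it knows; the access list on the Layer 3 switch described later limits only who can do that from another VLAN.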

Example

This tool is very easy to use:

wakeonlan -i <broadcast address of the subnet (VLAN)> <hardware address of the NIC>

So if we want to power on the computer in the subnet 172.16.106.0/24 with the Ethernet address 00:0e:0c:a1:e3:b1, we just have to run wakeonlan like this:

wakeonlan -i 172.16.106.255 00:0e:0c:a1:e3:b1

Broadcast across VLANs

Our goal is to power on the computers from a single administration server located in a protected VLAN, separate from the VLANs of the other hosts. As long as we want to wake up a computer in the same subnet, that is in the same VLAN, there is no problem using the command explained in the previous chapter, but if the packet is sent from a remote network, it won’t work.

If you send WOL packets from remote networks, the routers must be configured to allow directed broadcasts, for these two reasons:

  • Because the PC is asleep, it has no IP address and will not respond to Address Resolution Protocol (ARP) requests from the router. Therefore only a local subnet IP broadcast can be transmitted on the segment, because it needs no ARP.
  • If there is a Layer 2 switch between the router and the PC, which is true for most networks today, the switch does not know to which port the PC is physically connected. Only a Layer 2 broadcast or an unknown unicast frame is flooded to all switch ports, and all IP broadcast packets are addressed to the broadcast MAC address.

Allowing directed broadcasts is a possible security hole, because IP directed broadcasts are used in the well-known smurf denial of service attack and in related attacks.

An IP directed broadcast is a datagram sent to the broadcast address of a subnet to which the sending machine is not directly attached. The directed broadcast is routed through the network as a unicast packet until it arrives at the target subnet, where it is converted into a link-layer broadcast. Because of the nature of the IP addressing architecture, only the last router in the chain, the one that is connected directly to the target subnet, can conclusively identify a directed broadcast. Directed broadcasts are occasionally used for legitimate purposes, but such use is not common.

Finally, to run Wake-on-LAN across the security laboratory VLANs we have to allow directed broadcasts on the VLAN interfaces of the Layer 3 switch, but with some **security restrictions**.

Configuring the Layer 3 Switch

If a Cisco interface is configured with the no ip directed-broadcast command, directed broadcasts that would otherwise be exploded into link-layer broadcasts at that interface are dropped instead. no ip directed-broadcast is the default in Cisco IOS Software, therefore we have to enable directed broadcasts explicitly on every VLAN interface on which we want to use WOL.

Configuration

Before we allow directed broadcasts we have to define some restrictions. Let’s define an access-list rule:

SwitchSecL(config)#access-list 101 permit udp host 172.16.253.3 any eq 9

This accepts directed broadcasts only from the “LabServer” (172.16.253.3) and only to UDP port 9 (**wakeonlan** sends the UDP packet to port 9). Everything else is dropped by the access list’s implicit deny.

The next step is to allow the forwarding of physical and directed IP broadcasts on the same UDP port.

SwitchSecL(config)#ip forward-protocol udp 9

Now we have specified the protocol and port to be forwarded.

The final step is to allow directed broadcasts, subject to the access-list restriction, on the designated VLAN interfaces.

SwitchSecL(config)# interface vlan 106
SwitchSecL(config-if)#ip directed-broadcast 101

This enables the translation of directed broadcasts arriving on VLAN 106 into physical broadcasts, but only for packets that match access-list 101.
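Put together, the configuration for the Layer 3 switch looks as follows. This is an added, consolidated example, not a configuration dump from the laboratory switch: VLAN 106 and the LabServer address are the ones used above, VLAN 107 is an assumed second laboratory VLAN, and the two show commands at the end are the check that the setting took effect on the interface and that the access list is actually matching the WOL packets.

```cisco
! Only WOL packets (UDP port 9) from the LabServer may be exploded into
! link-layer broadcasts; everything else hits the implicit "deny ip any any".
access-list 101 remark Wake-on-LAN from LabServer 172.16.253.3 only
access-list 101 permit udp host 172.16.253.3 any eq 9
!
! Forward physical and directed broadcasts on UDP port 9
ip forward-protocol udp 9
!
! Enable filtered directed broadcasts on every laboratory VLAN interface
interface Vlan106
 ip directed-broadcast 101
!
! assumed second laboratory VLAN
interface Vlan107
 ip directed-broadcast 101
!
! Verification after sending a wakeonlan packet from the LabServer:
! the interface must report directed broadcast forwarding as enabled,
! and the access-list entry should show a growing match counter.
SwitchSecL#show ip interface vlan 106 | include Directed
SwitchSecL#show access-lists 101
```

If the match counter on access-list 101 stays at zero while the target does not wake up, the packet is not reaching the VLAN interface at all (wrong broadcast address or an upstream filter); if it increases and the host still sleeps, the problem is on the segment or in the host’s BIOS or NIC settings, not in the directed-broadcast configuration.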

Now we are able to wake up computers across VLANs.