dugan-winsec02.ppt - black hat


Page 1: dugan-winsec02.ppt - Black Hat

February 7, 2002 13:30 - 14:45

Black Hat - Windows Security 2002 New Orleans, LA

1

Protecting your Cisco Infrastructure against the latest “Attacktecs™”

By Stephen Dugan, CCSI [email protected]

Page 2: dugan-winsec02.ppt - Black Hat


Introduction

Welcome to the presentation and thank you for coming!

Who is the speaker?
What is the focus of the presentation?
Why a talk on Cisco at a Windows show?
How will the material be presented?

Page 3: dugan-winsec02.ppt - Black Hat


Agenda

Introduction

Section 1 – Physical and Remote Access
Initial Configuration
Device Access Options
Password Issues
Management Protocols

Section 2 – Layer 2
VLANs / Design
STP / VTP / DTP
Network Sniffing
VLAN Hopping

Section 3 – Layer 3
ACLs
IP Routing Protocols
HSRP

Page 4: dugan-winsec02.ppt - Black Hat


Section 1

Physical and Remote Access

Page 5: dugan-winsec02.ppt - Black Hat


Section 1 - Physical and Remote Access

Initial Configuration Commands, or…

Commands that belong on all configurations

Turning off unused default features

Turning on features you should be using

Page 6: dugan-winsec02.ppt - Black Hat


Section 1 - Physical and Remote Access

Globally ON by default
Echo
Chargen
Discard
Finger
Bootp
Auto-Install
IP Source-Routing
DNS lookup

Attacktecs
Lots of documented attacks and available tools!

Solutions
Turn them all off

Reasoning
Most are not used or needed
Rarely used for legit purposes

RO(config)# no service tcp-small-servers

RO(config)# no service udp-small-servers

RO(config)# no service finger

RO(config)# no service config

RO(config)# no ip identd

RO(config)# no ip bootp server

RO(config)# no boot network

RO(config)# no ip domain-lookup

Page 7: dugan-winsec02.ppt - Black Hat


Section 1 - Physical and Remote Access

Interface level ON by default
Unreachable messages
Proxy-ARP
Redirects
Mask Replies
Directed-broadcast (Before 12.0)

Attacktecs
Lots of documented attacks and available tools!

Solutions
Again…Turn them all off
Should be done at ALL interfaces

Reasoning
Most are not used or needed
Rarely used for legitimate purposes today

RO(config-if)# no ip unreachables

RO(config-if)# no ip proxy-arp

RO(config)# no ip source-route

RO(config-if)# no ip redirects

RO(config-if)# no ip mask-reply

RO(config-if)# no ip directed-broadcast

Page 8: dugan-winsec02.ppt - Black Hat


Section 1 - Physical and Remote Access

General Features that should be turned ON
Nagle (RFC 896)
Login/MOTD Banners
TCP-keepalives-in

Attacktecs
Various DoS

Reasoning
Banners for legal matters
Nagle and TCP-KA can help in DOS attacks or high volume interactive traffic

RO(config)# service nagle

RO(config)# service tcp-keepalives-in

RO(config)# banner motd ^

Get off my network! NOW!

(unless you work here)

YWBPTTFEOTL ^

Page 9: dugan-winsec02.ppt - Black Hat


Section 1 - Physical and Remote Access

Features that should be turned ON
Cisco Express Forwarding
Unicast Reverse Path Forwarding

Attacktecs
DDoS Tools: TFN(2K), Trinoo, etc.
See PacketStorm for updated DDoS

Solutions
CEF will boost performance
RPF helps DDoS detection

Reasoning
Source Address Verification
Forced Asymmetric routing
Use BGP Weight or Local Preference if Multi-Homed

ip cef

! "ip cef distributed" for RSP+VIP

interface serial 0/0

ip address 192.168.8.1 255.255.252.0

ip verify unicast reverse-path

ip route 0.0.0.0 0.0.0.0 Serial 0

[Figure: Enterprise Network - Fa0/0 - router - S0/0 - Upstream ISP - Internet; a packet arriving from the ISP side with Source = 192.168.11.45 is DROPPED]
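As an added example (not from the talk or from Cisco), the strict check that `ip verify unicast reverse-path` performs on S0/0, modelled in Python over a constructed routing table: the spoofed source 192.168.11.45 is assumed to belong to a LAN behind Fa0/0, and a second upstream on S0/1 is assumed so the asymmetric-routing reasoning can be shown.

```python
import ipaddress

# Constructed routing table for the slide 9 topology (an assumption, not from the talk):
# the enterprise LAN 192.168.11.0/24 and 10.0.0.0/8 sit behind Fa0/0, the serial link's
# own subnet and the default route point at the upstream ISP on S0/0, and a second
# upstream on S0/1 carries one prefix so the asymmetric-routing caveat can be shown.
ROUTES = [
    ("192.168.8.0/22", "Serial0/0"),         # connected: ip address 192.168.8.1 255.255.252.0
    ("192.168.11.0/24", "FastEthernet0/0"),  # enterprise LAN (more specific than the /22)
    ("10.0.0.0/8", "FastEthernet0/0"),
    ("198.51.100.0/24", "Serial0/1"),        # prefix learned from a second upstream
    ("0.0.0.0/0", "Serial0/0"),              # ip route 0.0.0.0 0.0.0.0 Serial 0
]

def best_route(routes, addr):
    """Longest-prefix match for addr; returns (network, exit_interface) or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best

def urpf_strict(routes, ingress, src):
    """Strict uRPF (ip verify unicast reverse-path): the packet passes only if the
    best route back to its source address leaves through the interface it arrived on."""
    match = best_route(routes, src)
    return match is not None and match[1] == ingress

def urpf_loose(routes, ingress, src, allow_default=False):
    """Loose check as this model defines it: any route to the source suffices, and the
    default route only counts when allow_default is set. Shown for contrast only."""
    match = best_route(routes, src)
    if match is None:
        return False
    return allow_default or match[0].prefixlen > 0

def classify(routes, packets, mode="strict"):
    """Return [(src, ingress, verdict)] for a list of (src, ingress) arrivals."""
    check = urpf_strict if mode == "strict" else urpf_loose
    return [(src, ingress, "ACCEPT" if check(routes, ingress, src) else "DROPPED")
            for src, ingress in packets]

# Constructed arrivals: the slide's spoofed internal source, a normal Internet source,
# the same internal address seen from the inside, a spoofed RFC 1918 source, and a
# legitimate source whose best return path is the other upstream.
PACKETS = [
    ("192.168.11.45", "Serial0/0"),
    ("203.0.113.7", "Serial0/0"),
    ("192.168.11.45", "FastEthernet0/0"),
    ("10.9.8.7", "Serial0/0"),
    ("198.51.100.9", "Serial0/0"),
]

if __name__ == "__main__":
    for src, ingress, verdict in classify(ROUTES, PACKETS):
        print(f"{src:15} in {ingress:16} -> {verdict}")
```

The last packet is the slide's caveat: strict mode drops a real host whenever routing is asymmetric, which is why multi-homed sites need BGP weight or local preference to force symmetry.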

Page 10: dugan-winsec02.ppt - Black Hat


Section 1 - Physical and Remote Access

Device Access Options

Console – Physical Access

AUX – The Dial-in Backdoor

VTY – Access for those Protocols we’ve stopped using for years!

Page 11: dugan-winsec02.ppt - Black Hat


Section 1 - Physical and Remote Access

Console – Physical Access
Use for initial configs
Easy to avoid passwords

Attacktecs
Password Recovery
Theft of Equipment
SOLD on Internet Auction Sites

Solutions
Lock the Doors!
Guards with M16s
Secret IOS Command?!?!

Reasoning
ALL Cisco devices can be compromised with Console

line con 0

login

password ClearText

exec-timeout 3 0

username Steve password EncryptMe
line con 0
login local
exec-timeout 3 0

aaa new-model
tacacs-server key NotCleartext
aaa authentication login default tacacs+ local

Page 12: dugan-winsec02.ppt - Black Hat


Section 1 - Physical and Remote Access

AUX – Dial-in Backdoor
Used mostly for remote Dial-IN access for administrators
Can be configured to Route Traffic for DDR

Attacktecs
WarDial to find Number
Use as a jumping point to launch other attacks

Solutions
Unplug Modem until needed
Strong Password Protection
Timeouts and CD-DROP detect to avoid session theft

Reasoning
Has good uses for solving network down type problems
Same Security problems with all Dial type access

line aux 0

login

password ClearText

exec-timeout 3 0

username Steve password EncryptMe
line aux 0
login local
exec-timeout 3 0

aaa new-model
tacacs-server key NotCleartext
aaa authentication login default tacacs+ local

Page 13: dugan-winsec02.ppt - Black Hat


Section 1 - Physical and Remote Access

VTY – All Access
Used mostly for telnet
Supports LAT, MOP, rLogin, etc.

Attacktecs
Flood router with Telnets
MiTM – discover device password watching telnet traffic
Reverse-Telnet (2000, 3000, 7000)

Solutions
Use SSH & ACLs
Turn off unused protocols
Last resort...Turn off VTY access

Reasoning
Standard for Cisco management
SSH provides encryption for device management sessions

username Steve password ohSSH
ip domain-name router1.101labs.com
crypto key generate rsa
ip ssh time-out 60
ip ssh authentication-retries 2
access-list 2 permit host 10.1.1.1
line vty 0 4
login local
access-class 2 in
transport input ssh (Default is ALL)

Note: Cisco only uses SSH v1 and has an active advisory for SSH. IOS also has support for an SSH client. Limited platform support. Still A LOT better than cleartext telnet! See link section for more info.

Page 14: dugan-winsec02.ppt - Black Hat


Section 1 - Physical and Remote Access

Password Issues

User, Privileged, and custom access

Implications of “No Password”

MD5 and Password Encryption

Password Recovery

Page 15: dugan-winsec02.ppt - Black Hat


Section 1 - Physical and Remote Access

User Exec - Level 1 - Router>
Can Look at various tables ARP, BGP, Routing etc.
Can do simple PINGs
Telnet to other places (Jump off point)

Privilege Exec - Level 15 - Router#
Essentially “Root” Access for IOS Device
All Functions Available

Custom Levels - Levels 2-14 - Router#
Set using Username/Password or AAA
Privilege Levels inherit lower levels unless denied.
Useful in large environments with different experience levels and job functions of Techs.

Page 16: dugan-winsec02.ppt - Black Hat


Section 1 - Physical and Remote Access

Implications of “No Password”
The login command on a VTY line will force the router to ask for a password even if none is configured. This is the default.
login combined with no password on CON/AUX allows login without challenge.
To disable CON or AUX use:

line aux 0

transport input none

transport output none

no exec

Page 17: dugan-winsec02.ppt - Black Hat


Section 1 - Physical and Remote Access

MD5 and Password Encryption
Most Passwords stored on Cisco IOS Device configs are in Clear Text.
Using the “service password-encryption” command will weakly (type 7) encrypt your passwords. (You could decrypt them with Pen&Paper in 40 minutes)
The enable secret password is MD5. You should use this for Privilege Exec access.

service password-encryption

hostname Router-1

no enable password

enable secret 5 $1$y/fP$O.MMCCsH8leilgoRUwBxk1

• Use Type 5 (MD5) for any passwords that let you.
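An added audit script (not part of the talk) that checks a constructed IOS config for the items from slides 6, 7, 8, 13, 16 and 17: the global services to disable or enable, the per-interface defaults, line settings (login without a password, exec-timeout, transport input ssh, access-class) and whether passwords are stored as enable secret, type 7 or clear text. The sample config and its type 7 string are constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed sample config (not from the talk): a router that applied only part of the
# hardening from slides 6-8, 13, 16 and 17. The type 7 string is an arbitrary placeholder.
SAMPLE_CONFIG = """\
hostname Router-1
no service tcp-small-servers
no service udp-small-servers
no service finger
no ip bootp server
no ip domain-lookup
enable password EncryptMe
username Steve password 7 0822455D0A16
!
interface FastEthernet0/0
 ip address 10.1.1.254 255.255.255.0
 no ip redirects
 no ip proxy-arp
!
interface Serial0/0
 ip address 192.168.8.1 255.255.252.0
 no ip unreachables
 no ip proxy-arp
 no ip redirects
 no ip mask-reply
 no ip directed-broadcast
!
line con 0
 login
 password ClearText
!
line vty 0 4
 login local
 transport input telnet ssh
"""

# Global commands the talk says every config should carry (slides 6 and 8).
GLOBAL_REQUIRED = [
    "no service tcp-small-servers", "no service udp-small-servers", "no service finger",
    "no service config", "no ip identd", "no ip bootp server", "no boot network",
    "no ip domain-lookup", "service nagle", "service tcp-keepalives-in",
]
# Interface defaults the talk says to switch off on ALL interfaces (slide 7).
INTERFACE_REQUIRED = [
    "no ip unreachables", "no ip proxy-arp", "no ip redirects",
    "no ip mask-reply", "no ip directed-broadcast",
]

def parse_config(text):
    """Split an IOS config into top-level commands and indented sub-blocks keyed by header."""
    top, blocks, current = [], defaultdict(list), None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None          # '!' or a blank line ends the current sub-block
        elif raw.startswith(" "):
            if current is not None:
                blocks[current].append(raw.strip())
        else:
            current = raw.strip()
            top.append(current)
    return top, blocks

def audit(text):
    """Return the list of findings for the hardening items the talk covers."""
    top, blocks = parse_config(text)
    findings = [f"global: missing '{cmd}'" for cmd in GLOBAL_REQUIRED if cmd not in top]
    for header, body in blocks.items():
        if header.startswith("interface "):
            findings += [f"{header}: missing '{cmd}'" for cmd in INTERFACE_REQUIRED if cmd not in body]
        elif header.startswith("line "):
            if "login" in body and not any(l.startswith("password ") for l in body):
                findings.append(f"{header}: 'login' but no password set")      # slide 16
            if not any(l.startswith("exec-timeout ") for l in body):
                findings.append(f"{header}: no exec-timeout")
            if header.startswith("line vty"):                                    # slide 13
                transport = next((l for l in body if l.startswith("transport input")), "transport input all")
                if transport != "transport input ssh":
                    findings.append(f"{header}: '{transport}' (want 'transport input ssh')")
                if not any(l.startswith("access-class ") for l in body):
                    findings.append(f"{header}: no access-class ACL")
    # Slide 17: only 'enable secret' (type 5, MD5) is a hashed password; 'password 7 ...'
    # is reversible and a bare 'password ...' is stored in clear text.
    if not any(l.startswith("enable secret 5 ") for l in top):
        findings.append("global: no 'enable secret' (MD5) configured")
    for line in top + [l for body in blocks.values() for l in body]:
        m = re.search(r"\bpassword (7 )?\S+$", line)
        if m:
            kind = "type 7 (reversible)" if m.group(1) else "cleartext"
            findings.append(f"{kind} password: '{line}'")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```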

Page 18: dugan-winsec02.ppt - Black Hat


Section 1 - Physical and Remote Access

Password Recovery
As simple as...
Power Cycle
Break Key
confreg or o/r 0x2142

Secret IOS Command (some devices)
“no service password-recovery”
Break Key after Power Cycle will give you a “Factory Default <y/n>” question.

Page 19: dugan-winsec02.ppt - Black Hat


Section 1 - Physical and Remote Access

Management Protocols

CDP – How they Discover your network

SNMP – More holes than Swiss cheese

NTP – What Time did they break in?

SYSLOG – Another Ignored Log

Loopbacks – Interfaces that don’t go Down

Page 20: dugan-winsec02.ppt - Black Hat


Section 1 - Physical and Remote Access

CDP – Cisco Discovery Protocol
Used to discover the network
L2 Messages Sent every 60 seconds
Will discover Device name, IOS revision, L3 addresses, Native VLAN and more.
Default is ON for all ports/interfaces

Attacktecs
Everyone can discover your network
DOS attack discovered by FX
Info can be used in a variety of ways

Solutions
Turn it off Globally
Turn it off at a port/interface
Leave it on in the Management VLAN

Reasoning
Not needed unless you're actively discovering the network
Required for CiscoWorks 2000

RO(config)# no cdp run

RO(config-if)# no cdp enable

SW> (enable) set cdp disable <mod/port>

(omitting the <mod/port> turns off CDP for the entire Switch)

Page 21: dugan-winsec02.ppt - Black Hat


Section 1 - Physical and Remote Access

SNMP V1 & V2
“Simple Net-attacks Made Possible”

Main Problems
Uses community strings that are stored/sent in cleartext
Many times left unchanged/default as Public/Private
Many Freeware SNMP tools used for hacking

If it must be used
Don’t enable a RW string
Use ACL
Use V3 if RW is needed

access-list 1 permit host 10.1.1.1

access-list 1 deny any log-input

snmp-server community not-public ro 1

Page 22: dugan-winsec02.ppt - Black Hat


Section 1 - Physical and Remote Access

SYSLOG
Default is console logging only
Stop Console logging
Send messages to syslog server.

NTP
Gets time from trusted source
Attach Timestamps to logs

clock timezone MST -7
clock summer-time MST recurring
ntp authenticate
ntp authentication-key 1 md5 AtTheTone
ntp trusted-key 1
ntp access-group peer 3
ntp server 192.168.254.57 key 1
access-list 3 permit host 192.168.254.57
access-list 3 deny any log

service timestamps log datetime localtime
logging 10.1.1.1
no logging console

Page 23: dugan-winsec02.ppt - Black Hat


Section 1 - Physical and Remote Access

Loopback interfaces
Loopbacks are internal/software interfaces
Never go down
Can be assigned L3 addresses
Router-ID for OSPF/BGP
Source IP Address in Packets
Telnet/SSH
SNMP
SYSLOG
TFTP / FTP

interface loopback 0
ip address 192.168.1.1 255.255.255.0
ip telnet source-interface loopback 0
ip tftp source-interface loopback 0
ip ftp source-interface loopback 0
logging source-interface loopback 0
router ospf 1
router-id 192.168.1.1
router bgp 65410
bgp router-id 192.168.1.1

Page 24: dugan-winsec02.ppt - Black Hat


Section 1 - Physical and Remote Access

Catalyst Switch Options

Password Commands

Telnet / SSH Connection Options

NTP, SYSLOG, SNMP

Page 25: dugan-winsec02.ppt - Black Hat


Section 1 - Physical and Remote Access

Catalyst Switch Passwords
Passwords for User and Enable modes

Attacktecs
Password Recovery
Power off. Passwords Cleared for first 60 Seconds
Must Be Attached to Console

Solutions
Use Difficult Passwords
Limit Physical Access

set password (hit Return)

Old Password: *.Eat@JoE$^^_

New Password: JoE$F0Od_Stnks

Retype Password: JoE$F0Od_Stnks

set enable (Hit Return)

Old Enablepass: Stay!0Ff_My-C@

New Enablepass: C@_iN_Da_H@

Retype: C@_iN_Da_H@

Page 26: dugan-winsec02.ppt - Black Hat


Section 1 - Physical and Remote Access

NEW ALERT for CAT Switches 1/29/02

ALL Catalysts Running “Set based IOS” are Vulnerable to DoS attack
Fix by new Code 2/5/02
Use SSH and IP Permit

set crypto key rsa 1024

set ip permit enable ssh

show crypto key

show ip permit

set ip http server disable

Catalyst Switch Management
Same management methods as IOS Router

Attacktecs
BSD Telnet DoS Attack
Discover device configs and password watching telnets or HTTP traffic

Solutions
Use SSH & IP Permit Lists
Shut off HTTP Access
Last resort...Turn off Telnet
OR… Don’t configure IP on Switch

Page 27: dugan-winsec02.ppt - Black Hat


Section 1 - Physical and Remote Access

NTP, SYSLOG on CATs
Cisco Recommends modifying some of the logging levels based on environment conditions
NTP configuration is very similar to the configuration commands on Router IOS.

set logging server <IP address>
set logging timestamp enable
set logging level spantree 6 default
set logging level sys 6 default
set logging server severity 4
set logging console disable

set ntp client enable
set ntp server <address of server>
set ntp authentication enable
set ntp key <key>
set ntp timezone <zone name>
set ntp summertime <details>

Page 28: dugan-winsec02.ppt - Black Hat


Section 2

Layer 2 - Switching

Page 29: dugan-winsec02.ppt - Black Hat


Section 2 - Layer 2 - Switching

VLANs
Good Design – Simplifies Security

Default VLANS – 1,1001-1005

Management VLAN - Defaults to VLAN1

Page 30: dugan-winsec02.ppt - Black Hat


Section 2 - Layer 2 - Switching

Design Philosophies

Spanning Tree = BAD
Routing = GOOD

KISP

Plan with security in mind

Page 31: dugan-winsec02.ppt - Black Hat


Section 2 - Layer 2 - Switching

[Figure: Good Design! – Switch Block; Bad Design!!!! – Redundant Rats nest]

Page 32: dugan-winsec02.ppt - Black Hat


Section 2 - Layer 2 - Switching

VLANs
VLAN 1 – The dead VLAN

VLANs 1001 – 1005 – The dead technology VLANs

Clear Trunks of these VLANs

Can’t remove them from switches

Page 33: dugan-winsec02.ppt - Black Hat


Section 2 - Layer 2 - Switching

Management VLAN - Defaults to VLAN 1
Change this on all switches to a Random Number (the same number for all switches)
NO USER Traffic
Don’t Assign to User Ports
ACL to block them!
Used for Anything your users shouldn’t see
IP Routing
CDP (if you didn’t want to turn it off)
VTP
MLSP

Page 34: dugan-winsec02.ppt - Black Hat


Section 2 - Layer 2 - Switching

Management VLAN (cont..)
Runs on all switches in the block
Use 1 Management VLAN per block

[Figure: switch block; callouts “Trunked with User VLANs on these Links” and “Should be the only VLAN on this link”]

Page 35: dugan-winsec02.ppt - Black Hat


Section 2 - Layer 2 - Switching

STP / VTP / DTP

Spanning Tree Issues

VLAN Trunking Protocol – The “A” DoS

Dynamic Trunking Protocol – To Trunk or not to Trunk?…that is the question.

Page 36: dugan-winsec02.ppt - Black Hat


Section 2 - Layer 2 - Switching

Spanning Tree Protocol
For loop prevention in an Ethernet Network
Works by electing a “root bridge”
Sends messages Via BPDUs

Attacktecs include
Forced takeover as ROOT bridge
BPDU Flood attack
BPDU Change Notification flag (Unintentional side effect of a switched network)

Solutions
Force user ports not to send/receive BPDUs
Portfast & BPDU-Guard

Page 37: dugan-winsec02.ppt - Black Hat


Section 2 - Layer 2 - Switching

VTP
VLAN Trunking Protocol
Used to Maintain VLAN database consistency
Could be used for attack to add/delete VLANs
Risky to use under normal conditions
Required by some CATs to create VLANs

Solution
Set all switches to VTP Transparent Mode
Set Password to avoid mis-configuration / attacks

Page 38: dugan-winsec02.ppt - Black Hat


Section 2 - Layer 2 - Switching

Dynamic Trunking Protocol
“To Trunk or not to Trunk”
All Switch 100mb ports are set to AUTO
Connecting AUTO - AUTO ports doesn’t Trunk
Connecting AUTO - ON ports does Trunk

Attacktecs
802.1Q tag manipulation
Access to all VLANs without Router

Solution
Set all non-trunk ports to DTP OFF mode
Force Users to 10MB (Lead Balloon?!?!)

Page 39: dugan-winsec02.ppt - Black Hat


Section 2 - Layer 2 - Switching

CAT OS Commands

set port host <mod/port>
Batch command that configures
Trunking to OFF
Portfast ON

set port disable <mod/port>
set spantree portfast bpdu-guard enable
set spantree guard root 1/1

Page 40: dugan-winsec02.ppt - Black Hat


Section 2 - Layer 2 - Switching

VLAN “Hopping”
Works by injecting modified 802.1q tags
Can effectively pass traffic to other VLANs without a router.

Solutions
Set Native VLANs on trunk ports to an unused VLAN and not VLAN 1
set vlan <vlan#> <mod/port>
Remember the native VLAN must match on both sides of the trunk

Page 41: dugan-winsec02.ppt - Black Hat


Section 2 - Layer 2 - Switching

Network Sniffing with Switch Ports

[Figure: attacker on the same switch as the PC and the Server]
Attacker running ARP spoofing tool with bridging software
Sends continuous ARP replies telling the PC he’s the Server and the Server that he’s the PC. Traffic is bridged for PC/SERVER to maintain connection.

Solutions:
Private VLANs?
Host IDS!

Page 42: dugan-winsec02.ppt - Black Hat


Section 2 - Layer 2 - Switching

Flooding switch with MAC Addresses
or….How to make a switch act like a hub.

Attacking host PC launches attack that floods the CAM table on the switch, using all allocated CAM memory. Switch then forwards all traffic like unknown unicasts.

Solutions:
Port Security
Max Mac Count 1
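An added toy model (not from the talk) of the switch behaviour on this slide: a CAM table with a fixed number of entries, what happens to a PC-to-server frame once the table has been filled from a user port, and the effect of port security with a maximum MAC count of 1. The ports, MAC addresses and table capacity are constructed; aging is not modelled.

```python
class Switch:
    """Minimal learning switch: cam_capacity entries, optional port security with a
    per-port MAC limit whose violation puts the port in errdisable (shutdown mode)."""
    def __init__(self, ports, cam_capacity, port_security_max=None):
        self.ports = list(ports)
        self.cam_capacity = cam_capacity
        self.cam = {}                      # mac -> port
        self.max_macs = port_security_max  # None = port security off
        self.secure_macs = {p: set() for p in self.ports}
        self.errdisabled = set()
        self.violations = 0

    def _learn(self, mac, port):
        if self.max_macs is not None:
            learned = self.secure_macs[port]
            if mac not in learned and len(learned) >= self.max_macs:
                self.violations += 1
                self.errdisabled.add(port)  # port security: take the port down
                return False
            learned.add(mac)
        if mac in self.cam or len(self.cam) < self.cam_capacity:
            self.cam[mac] = port           # a full table cannot learn new addresses
        return True

    def forward(self, src_mac, dst_mac, in_port):
        """Return the set of ports the frame is sent out of."""
        if in_port in self.errdisabled or not self._learn(src_mac, in_port):
            return set()
        if dst_mac in self.cam:
            return {self.cam[dst_mac]} - {in_port}   # known unicast: one port
        return set(self.ports) - {in_port}           # unknown unicast: flood everywhere

def mac_flood_then_sniff(port_security):
    """Constructed scenario: the host on port 3 sends 50 frames with made-up source
    MACs, then the server (port 2) and the PC (port 1) exchange a frame. Returns where
    the PC's frame went plus the switch's state."""
    sw = Switch(ports=[1, 2, 3], cam_capacity=8,
                port_security_max=1 if port_security else None)
    pc, server = "00:00:00:00:00:01", "00:00:00:00:00:02"
    for n in range(50):
        fake = f"de:ad:be:ef:{n // 256:02x}:{n % 256:02x}"
        sw.forward(fake, "ff:ff:ff:ff:ff:ff", 3)
    sw.forward(server, pc, 2)          # the server's own address cannot be learned once full
    return {
        "pc_to_server_ports": sorted(sw.forward(pc, server, 1)),
        "cam_entries": len(sw.cam),
        "violations": sw.violations,
        "errdisabled": sorted(sw.errdisabled),
    }

if __name__ == "__main__":
    print("no port security:", mac_flood_then_sniff(False))
    print("max MAC count 1: ", mac_flood_then_sniff(True))
```

Without port security the PC's frame is flooded to port 3 as well (the hub behaviour the slide describes); with a one-MAC limit the second made-up source is a violation and port 3 goes errdisabled before the table fills.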

Page 43: dugan-winsec02.ppt - Black Hat


Section 3

Layer 3 - Routing

Page 44: dugan-winsec02.ppt - Black Hat


Section 3 - Layer 3 - Routing

Access Control Lists

Standard / Extended / Named
Context Based (CBAC)
Other

Page 45: dugan-winsec02.ppt - Black Hat


Section 3 - Layer 3 - Routing

IP Standard ACLs
IP Source Address Based only
Variety of uses (Not just pack
et filtering)
1-99, 1300-1999 range

IP Extended ACLs
Looks at
Source & Destination IP
Source & Destination Ports
Protocol
SYN/RST bit (Established)
Can be Logged - Log or Log-input (timestamp and packet info)
100 – 199, 2000 - 2699 Range

IP Named ACLs
Same as STD or EXT except with a Name instead of a number.
Can remove a single List entry without removing Whole ACL

Page 46: dugan-winsec02.ppt - Black Hat


Section 3 - Layer 3 - Routing

Context Based Access Control (CBAC)
AKA Cisco IOS Firewall Feature set
Creates dynamic inbound ACE entries based upon egress traffic.

[Figure: router between the inside network and the Internet; Inbound Base ACL “Deny any”; an IP Packet leaving]
As a Packet exits, a short-lived dynamic ACE is added to the beginning of the base ingress ACL, allowing return traffic.
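An added Python model (not Cisco's code) of the ACL handling described on slides 45 and 46: it parses standard and extended `access-list` lines in the syntax the slides use, applies them first-match with the implicit deny, and adds a CBAC-style dynamic ACE at the head of the inbound list when a session leaves. The ACL lines, addresses and idle timeout are constructed; only `eq` on the destination port is parsed.

```python
import ipaddress

def _addr(t, i):
    """Parse one IOS address spec starting at t[i]: any | host A | A WILDCARD.
    Returns (IPv4Network, index of the next token)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    mask = 0xFFFFFFFF ^ int(ipaddress.ip_address(t[i + 1]))   # wildcard -> netmask
    return ipaddress.ip_network(f"{t[i]}/{ipaddress.ip_address(mask)}", strict=False), i + 2

def parse_acl(lines):
    """Parse numbered 'access-list N permit|deny ...' lines in configured order.
    1-99 / 1300-1999 are standard (source only); 100-199 / 2000-2699 are extended
    (protocol, source, destination, optional 'eq PORT' on the destination, 'established')."""
    aces = []
    for line in lines:
        t = line.split()
        if len(t) < 4 or t[0] != "access-list":
            continue
        n = int(t[1])
        ace = {"action": t[2], "proto": "ip", "dport": None, "established": False,
               "log": t[-1] in ("log", "log-input"), "text": line}
        if n <= 99 or 1300 <= n <= 1999:
            ace["src"], _ = _addr(t, 3)
            ace["dst"] = ipaddress.ip_network("0.0.0.0/0")
        else:
            ace["proto"] = t[3]
            ace["src"], i = _addr(t, 4)
            ace["dst"], i = _addr(t, i)
            rest = t[i:]
            if "eq" in rest:
                ace["dport"] = int(rest[rest.index("eq") + 1])
            ace["established"] = "established" in rest
        aces.append(ace)
    return aces

def acl_permits(aces, pkt):
    """First matching ACE decides; nothing matching means the implicit deny.
    pkt: {'src', 'dst', 'proto', optional 'sport', 'dport', 'ack'}. Returns (permitted, why)."""
    src, dst = ipaddress.ip_address(pkt["src"]), ipaddress.ip_address(pkt["dst"])
    for ace in aces:
        if ace["proto"] not in ("ip", pkt["proto"]) or src not in ace["src"] or dst not in ace["dst"]:
            continue
        if ace["dport"] is not None and pkt.get("dport") != ace["dport"]:
            continue
        if ace["established"] and not pkt.get("ack", False):
            continue            # 'established' only matches segments with ACK (or RST) set
        return ace["action"] == "permit", ace["text"]
    return False, "implicit deny"

class CbacFirewall:
    """Slide 46 in miniature: inbound traffic is checked against the dynamic ACEs
    (newest first) and then the base ACL; every session leaving through the inspected
    interface adds a short-lived dynamic ACE for its reverse direction."""
    def __init__(self, base_lines, idle_timeout=30):
        self.base, self.dynamic, self.idle = parse_acl(base_lines), [], idle_timeout

    def outbound(self, pkt, now):
        reverse = {"action": "permit", "proto": pkt["proto"], "established": False,
                   "src": ipaddress.ip_network(pkt["dst"] + "/32"),
                   "dst": ipaddress.ip_network(pkt["src"] + "/32"),
                   "dport": pkt.get("sport"), "log": False,
                   "text": f"dynamic permit {pkt['proto']} {pkt['dst']} -> {pkt['src']}:{pkt.get('sport')}"}
        self.dynamic.insert(0, (now + self.idle, reverse))

    def inbound(self, pkt, now):
        self.dynamic = [(exp, a) for exp, a in self.dynamic if exp > now]   # age out
        return acl_permits([a for _, a in self.dynamic] + self.base, pkt)

def demo():
    """Constructed traffic against a deny-by-default base ACL that only opens SSH to one host."""
    fw = CbacFirewall(["access-list 101 permit tcp any host 192.168.1.10 eq 22",
                       "access-list 101 deny ip any any log"])
    fw.outbound({"src": "10.1.1.5", "dst": "203.0.113.7", "proto": "tcp", "sport": 40000, "dport": 80}, now=0)
    reply = {"src": "203.0.113.7", "dst": "10.1.1.5", "proto": "tcp", "sport": 80, "dport": 40000, "ack": True}
    probe = {"src": "203.0.113.9", "dst": "10.1.1.5", "proto": "tcp", "sport": 4444, "dport": 445}
    ssh = {"src": "203.0.113.9", "dst": "192.168.1.10", "proto": "tcp", "sport": 5000, "dport": 22}
    return {"reply_t5": fw.inbound(reply, 5)[0], "probe": fw.inbound(probe, 6)[0],
            "ssh": fw.inbound(ssh, 7)[0], "reply_t40": fw.inbound(reply, 40)[0]}
```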

Page 47: dugan-winsec02.ppt - Black Hat


Section 3 - Layer 3 - Routing

Other IP ACL types
Reflexive
Dynamic
Time-based

Other ACLs
IPX
AppleTalk
MAC
NetBIOS

VACLs

Page 48: dugan-winsec02.ppt - Black Hat


Section 3 - Layer 3 - Routing

IP Routing Protocols

RIP – May it Rest in Peace (PLEASE!!!)
IGRP – I’d rather run RIP first
EIGRP – Simple and Powerful
OSPF – You Stubbed your what?

Page 49: dugan-winsec02.ppt - Black Hat


Section 3 - Layer 3 - Routing

RIP V1
Classful IP (no VLSM or CIDR)
Broadcasts every 30 sec.
Cleartext Passwords
Any IP product that has “Routing” features supports it
Too many security problems to fix.

V2
Classless
Uses Multicasts every 30 seconds
MD5 passwords
Wide support
Still vulnerable to attacks

“You can tie on a pretty ribbon and give it some makeup… but it’s still the same old RIP”

Page 50: dugan-winsec02.ppt - Black Hat


Section 3 - Layer 3 - Routing

Setting RIP V2 with Key-chain

key chain MyKey
 key 1
  key-string 1234
!
interface Ethernet0
 ip address 192.168.1.1 255.255.255.0
 ip rip authentication mode md5
 ! without the mode line RIPv2 falls back to clear-text authentication
 ip rip authentication key-chain MyKey
!
router rip
 version 2
 network 192.168.1.0
 passive-interface default
 no passive-interface E0

[Figure: two routers connected via E0]

Page 51: dugan-winsec02.ppt - Black Hat


Section 3 - Layer 3 - Routing

IGRP
Cisco Proprietary
Uses (Lowest) Bandwidth and Delay for metrics
Classful
Broadcasts every 90 sec.
Converges SLOWER than RIP
NO SECURITY
Still out there because of the CCNA program….

Solution.. Modify your configs and add the “E”

Page 52: dugan-winsec02.ppt - Black Hat


Section 3 - Layer 3 - Routing

Enhanced IGRP (EIGRP)
Acts like a LS Routing protocol when
Discovering neighbors
Maintaining neighbors
Exchanging Routes

Acts like a DV Routing protocol for Calc. metrics
Uses Lowest Bandwidth and Delay like IGRP
Classless
MD5 Passwords checked before creating neighbors
Less constraints than OSPF
Doesn’t force good design
Can go Query Crazy

Page 53: dugan-winsec02.ppt - Black Hat


Section 3 - Layer 3 - Routing

EIGRP with Authentication (Key-Chain)

router eigrp 1
 network 192.168.1.0
 passive-interface default
 no passive-interface E0
!
interface E0
 ip address 192.168.1.1 255.255.255.0
 ip authentication mode eigrp 1 md5
 ip authentication key-chain eigrp 1 keyname
!
key chain keyname
 key 1
  key-string 0987654321
  accept-lifetime infinite

[Figure: two routers connected via E0]

Page 54: dugan-winsec02.ppt - Black Hat


Section 3 - Layer 3 - Routing

OSPF
Industry Open Standard

Can be Complex

Classless

Supports MD5 Password protection

Forces good design (sometimes)

Page 55: dugan-winsec02.ppt - Black Hat


Section 3 - Layer 3 - Routing

OSPF with Authentication

router ospf 1
 network 192.168.1.1 0.0.0.0 area 0
 area 0 authentication message-digest
!
interface E0
 ip address 192.168.1.1 255.255.255.0
 ip ospf message-digest-key 1 md5 5 myOSPFpass

[Figure: two routers connected via E0]
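An added example (not from the talk) of why the MD5 keys on slides 50, 53 and 55 matter: a reduced model of the RFC 2328 Appendix D keyed-MD5 scheme behind `area 0 authentication message-digest`, with a receiver that rejects wrong-key, tampered and replayed updates. The 12-byte header, the Hello body and the sequence numbers are constructed stand-ins, not OSPF wire format.

```python
import hashlib
import hmac
import struct

# Reduced model of OSPF cryptographic authentication (RFC 2328 Appendix D): the 16-byte
# key is appended to the packet, MD5 is taken over packet+key, the digest travels in
# place of the key, and a cryptographic sequence number defeats replay. The header
# layout below is a stand-in chosen for this example, not the real OSPF header.
AUTH_TYPE_CRYPTO = 2          # OSPF AuType 2 = cryptographic authentication
KEY_ID = 1                    # the '1' in 'ip ospf message-digest-key 1'
HDR = "!4sHBBI"               # router-id, AuType, key id, auth data length, sequence number

def _pad_key(key):
    """Keys shorter than 16 bytes are zero-padded, as the RFC describes."""
    return key.encode()[:16].ljust(16, b"\x00")

def build_packet(router_id, seq, body, key):
    """Sender: header || body || MD5(header || body || padded key)."""
    rid = bytes(int(octet) for octet in router_id.split("."))
    header = struct.pack(HDR, rid, AUTH_TYPE_CRYPTO, KEY_ID, 16, seq)
    return header + body + hashlib.md5(header + body + _pad_key(key)).digest()

class OspfNeighborCheck:
    """Receiver: recompute the digest with the locally configured key and refuse anything
    whose sequence number does not move forward for that neighbour."""
    def __init__(self, key):
        self.key = key
        self.last_seq = {}          # router-id -> highest sequence number accepted

    def accept(self, packet):
        if len(packet) < 12 + 16:
            return "too-short"
        header, body, digest = packet[:12], packet[12:-16], packet[-16:]
        rid, au_type, key_id, auth_len, seq = struct.unpack(HDR, header)
        if au_type != AUTH_TYPE_CRYPTO or key_id != KEY_ID or auth_len != 16:
            return "bad-auth-header"
        expected = hashlib.md5(header + body + _pad_key(self.key)).digest()
        if not hmac.compare_digest(expected, digest):
            return "bad-digest"     # wrong key, or header/body altered in transit
        router = ".".join(str(b) for b in rid)
        if seq <= self.last_seq.get(router, -1):
            return "replay"
        self.last_seq[router] = seq
        return "accepted"

def demo():
    """Constructed exchange using the key from the slide's config."""
    key, body = "myOSPFpass", b"HELLO area 0 from 192.168.1.1"   # stand-in Hello body
    rx = OspfNeighborCheck(key)
    good = build_packet("192.168.1.1", 1000, body, key)
    results = {"good": rx.accept(good), "replayed": rx.accept(good)}
    results["wrong_key"] = rx.accept(build_packet("192.168.1.1", 1001, body, "guess"))
    results["tampered"] = rx.accept(good[:12] + b"HELLO area 0 from 10.66.66.1" + good[-16:])
    results["next"] = rx.accept(build_packet("192.168.1.1", 1001, body, key))
    return results
```

With the same key on both routers only the genuine, fresh update is accepted; this is the neighbour check that the MD5 settings on the RIP, EIGRP and OSPF slides switch on.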

Page 56: dugan-winsec02.ppt - Black Hat


Section 3 - Layer 3 - Routing

HSRP
Hot Swappable ROUTER Protocol
Designed to maintain High Availability of GWs
HSRP is Cisco Proprietary
VRRP is the new IETF standard
Works by sending hello messages between routers to Elect Active and standby Routers
Is Vulnerable to attack when configured correctly

Page 57: dugan-winsec02.ppt - Black Hat


Section 3 - Layer 3 - Routing

HSRP Attacktecs

[Figure: Active and Standby routers in front of the Enterprise Network or Internet; Normal Packet Flow versus Altered Packet Flow after the attack]
Attack sent to make PC appear as an HSRP Router and to “preempt” ACTIVE status
Used as DoS or MiTM

Page 58: dugan-winsec02.ppt - Black Hat


Section 3 - Layer 3 - Routing

Solutions to HSRP Attack
Set HSRP PRIORITY to 255 on both routers
ACTIVE Router gets Highest IP in SUBNET, Standby gets Second Highest, Virtual Gets Third
Modify the default MAC Address created for HSRP
Create ACL to only permit the HSRP traffic between the appropriate routers (MLS implications…)
Have switches only send 224.0.0.2 (0000.5E00.0002) to ports that will have Routers

Caveat: Doing this will force you to disable CGMP or IGMP Snooping; don’t use this last one if you’re using Multicasting in your network.
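An added check (not from the talk) of the first two recommendations above: the HSRP election reduced to its comparison rule, run once with default priorities and once with priority 255 on routers holding the two highest addresses in the subnet. Router addresses, the subnet and the rogue's priority are constructed assumptions; nothing here sends or parses real HSRP packets.

```python
import ipaddress

# Election model: highest priority wins and the highest IP address breaks ties.
# Preemption is assumed, since that is what the takeover on the previous slide relies on.

def elect(hellos):
    """hellos: iterable of (ip, priority). Returns (active_ip, standby_ip)."""
    ranked = sorted(hellos, key=lambda h: (h[1], int(ipaddress.ip_address(h[0]))), reverse=True)
    return ranked[0][0], (ranked[1][0] if len(ranked) > 1 else None)

def hijacked(routers, rogue_ip, rogue_priority=255):
    """Would a hello from rogue_ip with rogue_priority become ACTIVE ahead of the real routers?"""
    active, _ = elect(list(routers) + [(rogue_ip, rogue_priority)])
    return active == rogue_ip

def hijackable_addresses(routers, subnet, rogue_priority=255):
    """Every usable address in the subnet from which a rogue with rogue_priority would win."""
    taken = {ip for ip, _ in routers}
    return [str(ip) for ip in ipaddress.ip_network(subnet).hosts()
            if str(ip) not in taken and hijacked(routers, str(ip), rogue_priority)]

# Constructed subnet 10.1.1.0/24: default priorities versus the slide's recommendation
# (priority 255 on both, ACTIVE on the highest IP, standby on the second highest,
# virtual address on the third, i.e. 10.1.1.252).
DEFAULT_ROUTERS = [("10.1.1.2", 100), ("10.1.1.3", 100)]
HARDENED_ROUTERS = [("10.1.1.254", 255), ("10.1.1.253", 255)]

if __name__ == "__main__":
    for name, routers in (("default", DEFAULT_ROUTERS), ("hardened", HARDENED_ROUTERS)):
        print(name, "active/standby:", elect(routers),
              "addresses a priority-255 rogue wins from:",
              len(hijackable_addresses(routers, "10.1.1.0/24")))
```

The model covers only the election; the MAC, ACL and multicast-forwarding items on the slide address what the priority setting alone cannot.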

Page 59: dugan-winsec02.ppt - Black Hat


Links

General Cisco Security
http://www.cisco.com/warp/public/707/21.html#http
http://www.cisco.com/public/cons/isp/documents/IOSEssentialsPDF.zip
http://www.cisco.com/warp/public/cc/so/cuso/epso/sqfr/safe_wp.htm

DDoS
http://packetstormsecurity.nl/distributed/
http://www.cisco.com/warp/public/707/newsflash.html

Design
http://www.dcug.org/prezos/DCUG-Campus1-25-2001.zip

SSH
http://www.cisco.com/warp/public/707/SSH-multiple-pub.html
http://www.cisco.com/warp/public/707/ssh.shtml

Page 60: dugan-winsec02.ppt - Black Hat


Thank you for coming!!

Special thanks to

Jeff Moss, Keith Myers and the rest of the Black Hat Crew.

Tony and SPuD for beginning 101labs with me.