Hacking Cisco Networks and Countermeasures

Upload: dkaya

Posted on 08-Jun-2015


Page 1: Hacking Cisco Networks and Countermeasures

Hacking Cisco Networks and Countermeasures

Page 2: Hacking Cisco Networks and Countermeasures

Overview

• Reconnaissance Attacks
– Passive Sniffing
– Ping Sweeps
– Port Scans (TCP & UDP)

• Active Attacks
– Password attacks
– Trust exploitation
– Port redirection

• External Attacks
– IP Spoofing
– DoS, DDoS Attacks

• Internal Attacks
– DHCP and ARP Attacks

Page 3: Hacking Cisco Networks and Countermeasures

Reconnaissance Attacks

• Reconnaissance refers to the overall act of learning information about a target network by using readily available information and applications.

• Reconnaissance attacks include these attacks:
– Packet sniffers
– Port scans
– Ping sweeps
– Internet information queries

Page 4: Hacking Cisco Networks and Countermeasures

Packet Sniffers

• A packet sniffer is a software application that uses a network adapter card in promiscuous mode to capture all network packets. Packet sniffers have these features:
– Packet sniffers exploit information passed in clear text. Protocols that pass information in clear text are Telnet, FTP, SNMP, Post Office Protocol (POP), and HTTP.
– Packet sniffers must be on the same collision domain as the machine that they are targeting.
– Packet sniffers can be used legitimately or can be designed specifically for attack.

[Figure: Host A, Router A, Router B, Host B]

Page 5: Hacking Cisco Networks and Countermeasures

Passive Sniffing

Page 6: Hacking Cisco Networks and Countermeasures

Packet Sniffer Attack Mitigation

• Here are some packet sniffer mitigation techniques and tools:
– Authentication
– Switched infrastructure
– Antisniffer tools
– Cryptography

[Figure: Host A, Router A, Router B, Host B]

Page 7: Hacking Cisco Networks and Countermeasures

Port Scans and Ping Sweeps

• Port scan and ping sweep attacks:
– Identify all services on the network
– Identify all hosts and devices on the network
– Identify the operating systems on the network
– Identify vulnerabilities on the network

Page 8: Hacking Cisco Networks and Countermeasures

Ping Sweep with NMAP

Page 9: Hacking Cisco Networks and Countermeasures

Ping Sweep (cont.)

Page 10: Hacking Cisco Networks and Countermeasures

Blocking Ping Sweeps

access-list 102 deny icmp any any echo
access-list 102 permit ip any any
!
interface FastEthernet0/0
 ip address 10.1.1.254 255.255.255.0
 ip access-group 102 in

Page 11: Hacking Cisco Networks and Countermeasures

Seems like it worked, but…?

Page 12: Hacking Cisco Networks and Countermeasures

We give out too much information…

Page 13: Hacking Cisco Networks and Countermeasures

To block messages originating from the blocking router…

access-list 103 permit icmp any any unreachable
!
class-map match-all STOPSHARING
 match access-group 103
!
policy-map STOPSHARING
 class STOPSHARING
  drop
 class class-default
!
control-plane
 service-policy output STOPSHARING

Page 14: Hacking Cisco Networks and Countermeasures

Same result…

Page 15: Hacking Cisco Networks and Countermeasures

But this time we don’t share info…

Page 16: Hacking Cisco Networks and Countermeasures

Simple UDP Port Scan

Page 17: Hacking Cisco Networks and Countermeasures

Destination Unreachable (Port)

Page 18: Hacking Cisco Networks and Countermeasures

How to block…

access-list 101 deny icmp any any unreachable
access-list 101 permit ip any any
!
interface FastEthernet0/0
 ip address 10.1.1.254 255.255.255.0
 ip access-group 101 out

Page 19: Hacking Cisco Networks and Countermeasures

We don’t send any unreachable messages…

Page 20: Hacking Cisco Networks and Countermeasures

After blocking, everything seems open: some obscurity for the scanner…

Page 21: Hacking Cisco Networks and Countermeasures

Port Scan and Ping Sweep Attack Mitigation

• Port scans and ping sweeps cannot be prevented without compromising network capabilities. However, damage can be mitigated using IPS at the network and host levels.

[Figure: workstation with HIPS, laptop with HIPS, scanned port on a shared connection, IDS and IPS]

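The slides block ping sweeps and unreachable messages with ACLs; a defender also wants to see them. The following is an added example, not code from the slides: it parses IOS ACL log messages (the format produced when an access-list entry carries the "log" keyword) and flags a source that hits many hosts with echo requests or many distinct ports on a host. The log lines, list numbers and addresses are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample of IOS ACL log messages (emitted when an access-list
# entry carries the "log" keyword); list numbers and addresses are made up.
SAMPLE_LOG = """\
%SEC-6-IPACCESSLOGDP: list 102 denied icmp 10.1.1.77 -> 10.1.1.1 (8/0), 1 packet
%SEC-6-IPACCESSLOGDP: list 102 denied icmp 10.1.1.77 -> 10.1.1.2 (8/0), 1 packet
%SEC-6-IPACCESSLOGDP: list 102 denied icmp 10.1.1.77 -> 10.1.1.3 (8/0), 1 packet
%SEC-6-IPACCESSLOGDP: list 102 denied icmp 10.1.1.77 -> 10.1.1.4 (8/0), 1 packet
%SEC-6-IPACCESSLOGDP: list 102 denied icmp 10.1.1.77 -> 10.1.1.5 (8/0), 1 packet
%SEC-6-IPACCESSLOGP: list 105 denied udp 10.1.1.88(40000) -> 10.1.1.254(53), 1 packet
%SEC-6-IPACCESSLOGP: list 105 denied udp 10.1.1.88(40001) -> 10.1.1.254(69), 1 packet
%SEC-6-IPACCESSLOGP: list 105 denied udp 10.1.1.88(40002) -> 10.1.1.254(123), 1 packet
%SEC-6-IPACCESSLOGP: list 105 denied udp 10.1.1.88(40003) -> 10.1.1.254(161), 1 packet
%SEC-6-IPACCESSLOGDP: list 102 denied icmp 10.1.1.9 -> 10.1.1.254 (8/0), 1 packet
"""

# ICMP entries carry (type/code); TCP/UDP entries carry the ports in parentheses
ICMP_RE = re.compile(r"denied icmp (\S+) -> (\S+) \((\d+)/\d+\)")
L4_RE = re.compile(r"denied (?:tcp|udp) (\S+)\(\d+\) -> (\S+)\((\d+)\)")


def detect_recon(log_text, sweep_threshold=4, scan_threshold=4):
    """Flag sources that hit many hosts with echo requests (ping sweep)
    or many distinct destination ports (port scan)."""
    echo_targets = defaultdict(set)   # src -> hosts probed with ICMP echo
    port_targets = defaultdict(set)   # src -> (host, port) pairs probed
    for line in log_text.splitlines():
        m = ICMP_RE.search(line)
        if m:
            src, dst, icmp_type = m.groups()
            if icmp_type == "8":      # type 8 = echo request
                echo_targets[src].add(dst)
            continue
        m = L4_RE.search(line)
        if m:
            src, dst, dport = m.groups()
            port_targets[src].add((dst, int(dport)))
    sweeps = {s: len(h) for s, h in echo_targets.items() if len(h) >= sweep_threshold}
    scans = {s: len(p) for s, p in port_targets.items() if len(p) >= scan_threshold}
    return {"sweeps": sweeps, "scans": scans}


if __name__ == "__main__":
    print(detect_recon(SAMPLE_LOG))
```

The thresholds are deliberately low for the sample; on a real syslog feed they should be tuned per network and evaluated per time window.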
Page 22: Hacking Cisco Networks and Countermeasures

Internet Information Queries

• Sample IP address query

Attackers can use Internet tools such as whois as a weapon.

Page 23: Hacking Cisco Networks and Countermeasures

Access Attacks

• Intruders use access attacks on networks or systems for these reasons:
– Retrieve data
– Gain access
– Escalate their access privileges

• Access attacks include:
– Password attacks
– Trust exploitation
– Port redirection

Page 24: Hacking Cisco Networks and Countermeasures

Password Attacks

• Hackers implement password attacks using:
– Brute-force attacks
– Trojan horse programs
– IP spoofing
– Packet sniffers

Page 25: Hacking Cisco Networks and Countermeasures

Password Attack Example

– The bgp_md5crack tool is used for cracking a secret used for RFC 2385 based packet signing and authentication. It is designed for offline cracking, meaning it works on a sniffed, correctly signed packet. This packet can either be sniffed directly off the wire or be provided in a pcap file.

Page 26: Hacking Cisco Networks and Countermeasures

For Routing Protocols…

Page 27: Hacking Cisco Networks and Countermeasures

Simple Cracking with Cain…

Page 28: Hacking Cisco Networks and Countermeasures

Trust Exploitation

– A hacker leverages existing trust relationships.

– Several trust models exist:
• Microsoft Windows:
– Domains
– Active Directory
• Linux and UNIX:
– NIS
– NIS+

[Figure: System A (User = psmith; Pat Smith) trusts System B (User = psmith; Pat Smith). System B is compromised by a hacker (User = psmith; Pat Smithson). The hacker gains access to System A.]

Trust relationships:
• System A trusts System B.
• System B trusts everyone.
• System A trusts everyone.

Page 29: Hacking Cisco Networks and Countermeasures

Port Redirection

[Figure: Attacker, Compromised Host A, Host B. Three flows are shown: Source: Attacker, Destination: B, Port: 23; Source: Attacker, Destination: A, Port: 22; Source: A, Destination: B, Port: 23.]

Page 30: Hacking Cisco Networks and Countermeasures

Port Redirection Configuration

On HOSTA we create a named pipe using the mkfifo command:

# pipe will be the name of our named pipe
mkfifo pipe

We then create our two-way tunnel using Netcat on HOSTA:

nc -lvp 25 <pipe | nc -t 10.1.2.253 23 >pipe

Then telnet from the Attacker machine: telnet 10.1.2.1 80

Page 31: Hacking Cisco Networks and Countermeasures

Here we are connected to the internal switch…

Page 32: Hacking Cisco Networks and Countermeasures

IP Spoofing

– IP spoofing occurs when a hacker inside or outside a network impersonates a trusted source.

– IP spoofing uses trusted internal IP addresses or trusted external IP addresses.

– Attackers use IP spoofing for many reasons:
• To gain root access
• To inject malicious data or commands into an existing data stream
• To divert network packets to the hacker, who can then reply as a trusted user by changing the routing tables
• To crash servers by overloading memory (DoS)
• As a step in a larger attack

Page 33: Hacking Cisco Networks and Countermeasures

IP Spoofing—Types of Attack

• IP spoofing attacks are either:
– Nonblind spoofing
• The attacker sniffs sequence numbers (i.e., from inside the subnet of the victim).
– Blind spoofing
• The attacker calculates sequence numbers.

• IP spoofing can lead to these types of attacks:
– Man-in-the-middle attack
– DoS attack
– Distributed DoS (DDoS) attack

Page 34: Hacking Cisco Networks and Countermeasures

Let’s see in action

Page 35: Hacking Cisco Networks and Countermeasures

Here we drive the router to reply to the other host…

Page 36: Hacking Cisco Networks and Countermeasures

Man-in-the-Middle Attacks

– A man-in-the-middle attack requires that the hacker has access to network packets that come across a network.

– A man-in-the-middle attack is implemented using the following:
• Network packet sniffers (nonblind attack)
• Routing and transport protocols (blind attack)

[Figure: Host A, Router A, Router B, Host B; data in clear text]

Page 37: Hacking Cisco Networks and Countermeasures

IP Spoofing Attack Mitigation

• The threat of IP spoofing can be reduced, but not eliminated, using these measures:
– Strong access control at the router
• ACLs on outbound interface
• ACLs on inbound interface
– Data encryption
– Additional authentication requirements

[Figure: Host A, Router A, ISP, Router B, Host B; IPsec tunnel between Router A and Router B]

Page 38: Hacking Cisco Networks and Countermeasures

DoS Attacks

• A DoS attack damages or corrupts your computer system or denies you and others access to your networks, systems, or services.

• DoS attack techniques almost always use IP spoofing.

Page 39: Hacking Cisco Networks and Countermeasures

TCP SYN Flooding DoS Attack

[Figure, left: TCP three-way handshake between a TCP client (client ports 1024–65535) and a TCP server (service ports 1–1024, here port 80): 1 SYN, 2 SYN and ACK, 3 ACK.]

[Figure, right: SYN flooding: the attacker sends a SYN packet with a spoofed source address to the victim TCP server (port 80); the server's SYN and ACK (2) is sent to the spoofed address and the final ACK never arrives (?).]

Page 40: Hacking Cisco Networks and Countermeasures

DDoS Attacks

• DoS and DDoS attacks have these characteristics:
– They are not generally targeted to gain access.
– They aim at making a service unavailable.
– They require very little effort to execute.
– They are difficult to eliminate.

[Figure: DoS attack: Attacker → Victim. DDoS attack: Attacker → attack control mechanism → Zombie, Zombie, Zombie → Victim.]

Page 41: Hacking Cisco Networks and Countermeasures

DDoS Example

[Figure: client system, handler systems, agent systems]

1. The cracker looks for targets.

2. The cracker installs software to scan, compromise, and infect agents with zombies.

3. Agents are loaded with remote control attack software.

4. The client issues commands to handlers that control agents in a mass attack.

Page 42: Hacking Cisco Networks and Countermeasures

SYN Flooding Attack

Page 43: Hacking Cisco Networks and Countermeasures

Let’s be more creative…

Page 44: Hacking Cisco Networks and Countermeasures

We put almost 1 million packets on the wire in a one-minute period, not so bad…

Page 45: Hacking Cisco Networks and Countermeasures

CPU Consumption..

Page 46: Hacking Cisco Networks and Countermeasures

DoS and DDoS Attack Mitigation

• Reduce DoS and DDoS attacks by:
– Protecting yourself against IP spoofing with ingress- and egress-filtering ACLs
– Using antivirus software to find zombie agents
– Using anti-DoS features on routers and firewalls
• ip verify unicast reverse-path interface command
• ACLs to filter all private Internet address space (RFC 1918)
– Using traffic rate limiting at the ISP level
• Use class-based traffic policing on ICMP packets
• Use SYN rate limiting

Page 47: Hacking Cisco Networks and Countermeasures

Rate Limiting

What rate limiting does:
• Allows network managers to set bandwidth thresholds for users and by traffic type

Benefits:
• Prevents the deliberate or accidental flooding of the network
• Keeps traffic flowing smoothly

[Figure: Rate Limiting for Different Classes of Users: Network Manager, Teachers, Students, with thresholds of 2 Mbps, 10 Mbps and 50 Mbps]

Otherwise, there can be a deliberate or accidental slowdown or freezing of the network.

Page 48: Hacking Cisco Networks and Countermeasures

Example: ICMP rate limiting

access-list 170 permit icmp any any
!
interface f0/0
 rate-limit input access-group 170 128000 16000 24000 conform-action transmit exceed-action drop
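To see what the 128000 / 16000 figures in the rate-limit statement mean for an ICMP flood, here is an added example (not from the slides) that models the limit as a token bucket filled at the committed rate with a depth of the normal burst. It assumes a simplification: the extended burst (24000) and CAR's probabilistic drop between normal and extended burst are not modelled; anything beyond the normal burst is dropped.

```python
from fractions import Fraction


class TokenBucket:
    """Simplified token bucket modelling a CAR 'rate-limit' statement.

    rate_bps     committed rate in bits per second (128000 on the slide)
    burst_bytes  normal burst, i.e. the bucket depth (16000 on the slide)

    Assumption: CAR's extended burst (24000 on the slide) and its
    probabilistic drop between normal and extended burst are not modelled;
    anything beyond the normal burst is simply dropped.
    """

    def __init__(self, rate_bps, burst_bytes):
        self.rate = Fraction(rate_bps, 8)        # bytes refilled per second
        self.capacity = Fraction(burst_bytes)
        self.tokens = Fraction(burst_bytes)      # bucket starts full
        self.last = Fraction(0)

    def offer(self, t, size):
        """Offer a packet of `size` bytes at time `t` (seconds, as a Fraction)."""
        self.tokens = min(self.capacity, self.tokens + (t - self.last) * self.rate)
        self.last = t
        if size <= self.tokens:
            self.tokens -= size
            return "transmit"                    # conform-action transmit
        return "drop"                            # exceed-action drop


def simulate_icmp_flood(pps, size, seconds, rate_bps=128000, burst_bytes=16000):
    """Feed a constant stream of `size`-byte ICMP packets at `pps` packets
    per second through the bucket and count conform/exceed decisions."""
    bucket = TokenBucket(rate_bps, burst_bytes)
    counts = {"transmit": 0, "drop": 0}
    for i in range(int(pps * seconds)):
        counts[bucket.offer(Fraction(i, pps), size)] += 1
    return counts


if __name__ == "__main__":
    # 1000 pings/s of 1000 bytes (8 Mbit/s) against a 128 kbit/s limit
    print(simulate_icmp_flood(1000, 1000, 1))
```

With the slide's numbers, a one-second flood of 1000-byte pings at 1000 packets per second gets only the initial 16000-byte burst plus 16000 bytes of refill through, about 31 packets; a modest 10 packets per second passes untouched.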

Page 49: Hacking Cisco Networks and Countermeasures

Spoofing the DHCP Server

1. An attacker activates a DHCP server on a network segment.

2. The client broadcasts a request for DHCP configuration information.

3. The rogue DHCP server responds before the legitimate DHCP server can respond, assigning attacker-defined IP configuration information.

4. Host packets are redirected to the attacker address as it emulates a default gateway for the erroneous DHCP address provided to the client.

[Figure: client, rogue DHCP attacker, legitimate DHCP server]

Page 50: Hacking Cisco Networks and Countermeasures

Everything starts with starvation…

Page 51: Hacking Cisco Networks and Countermeasures

Storm control can help…

interface FastEthernet0/1
 storm-control broadcast level 10.00 8.00

Page 52: Hacking Cisco Networks and Countermeasures

DHCP Snooping

– DHCP snooping allows the configuration of ports as trusted or untrusted.

• Trusted ports can send DHCP requests and acknowledgements.

• Untrusted ports can forward only DHCP requests.

– DHCP snooping enables the switch to build a DHCP binding table that maps a client MAC address, IP address, VLAN, and port ID.

– Use the ip dhcp snooping command.

[Figure: client, rogue DHCP attacker, legitimate DHCP server]

Page 53: Hacking Cisco Networks and Countermeasures

DHCP Snooping Configuration

ip dhcp snooping
ip dhcp snooping vlan 20
!
interface FastEthernet0/13
 switchport access vlan 20
 ip dhcp snooping trust

Switch#sh ip dhcp snooping binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:14:A8:96:2C:40   10.1.2.12        86371       dhcp-snooping  20    FastEthernet0/24
00:14:6A:1D:B8:00   10.1.2.13        86371       dhcp-snooping  20    FastEthernet0/23
Total number of bindings: 2

Page 54: Hacking Cisco Networks and Countermeasures

ARP Spoofing: Man-in-the-Middle Attacks

[Figure: three hosts on one segment: Host A (IP 10.1.1.2, MAC A.A.A.A), Host B (IP 10.1.1.1, MAC B.B.B.B) and the attacker, Host C (IP 10.1.1.3, MAC C.C.C.C)]

1. IP 10.1.1.2 asks: MAC for 10.1.1.1?

2. Legitimate ARP reply: 10.1.1.1 = MAC B.B.B.B

3. Subsequent gratuitous ARP replies overwrite legitimate replies:
• 10.1.1.1 bound to C.C.C.C
• 10.1.1.2 bound to C.C.C.C

Resulting ARP tables:
• ARP table in Host A: 10.1.1.1 = MAC C.C.C.C
• ARP table in Host B: 10.1.1.2 = MAC C.C.C.C
• ARP table in Host C: 10.1.1.1 = MAC B.B.B.B; 10.1.1.2 = MAC A.A.A.A

Page 55: Hacking Cisco Networks and Countermeasures

Mitigating Man-in-the-Middle Attacks with DAI

• MAC or IP tracking built on DHCP snooping

[Figure: a client (10.1.1.2) and a DHCP server (10.1.1.1): DHCP Discovery (broadcast), DHCP Offer (unicast)]

DAI provides protection against attacks such as ARP poisoning using spoofing tools such as ettercap, dsniff, and arpspoof.

DAI function:
• Track Discovery
• Track DHCP Offer MAC or IP
• Track subsequent ARPs for MAC or IP

Page 56: Hacking Cisco Networks and Countermeasures

DAI in Action

• A binding table containing IP-address and MAC-address associations is dynamically populated using DHCP snooping.

[Figure: the gateway is 10.1.1.1. The attacker sends a GARP ("I am your gateway: 10.1.1.1") to attempt to change the IP-address-to-MAC bindings; according to the binding table the attacker is not the gateway.]

Page 57: Hacking Cisco Networks and Countermeasures

DAI Configuration…

ip arp inspection vlan 20
ip arp inspection vlan 20 logging dhcp-bindings all
ip arp inspection validate src-mac
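The DHCP snooping and DAI slides describe the check the switch performs: an ARP packet on an untrusted port is forwarded only if its sender IP/MAC pair matches a DHCP snooping binding, and with "validate src-mac" the Ethernet source MAC must also equal the ARP sender MAC. The following is an added example, not the switch's code: it parses the binding table shown on the DHCP snooping slide and applies those checks to constructed ARP packets. The trusted port (FastEthernet0/13) is taken from the slide; the sample ARP packets are made up.

```python
import re

# Output of "show ip dhcp snooping binding" from the DHCP snooping slide
BINDING_OUTPUT = """\
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:14:A8:96:2C:40   10.1.2.12        86371       dhcp-snooping  20    FastEthernet0/24
00:14:6A:1D:B8:00   10.1.2.13        86371       dhcp-snooping  20    FastEthernet0/23
Total number of bindings: 2
"""
BINDING_RE = re.compile(r"^([0-9A-Fa-f:]{17})\s+(\d+(?:\.\d+){3})\s+\d+\s+\S+\s+(\d+)\s+(\S+)")
TRUSTED_PORTS = {"FastEthernet0/13"}   # 'ip dhcp snooping trust' on the slide


def parse_bindings(text):
    """Return {(vlan, ip): mac} parsed from the show command output."""
    table = {}
    for m in filter(None, map(BINDING_RE.match, text.splitlines())):
        mac, ip, vlan, _iface = m.groups()
        table[(int(vlan), ip)] = mac.upper()
    return table


def inspect_arp(pkt, bindings, validate_src_mac=True):
    """DAI-style check of one ARP packet (dict: port, vlan, eth_src,
    sender_mac, sender_ip). Returns 'forward' or a drop reason."""
    if pkt["port"] in TRUSTED_PORTS:          # trusted ports are not inspected
        return "forward"
    if validate_src_mac and pkt["eth_src"].upper() != pkt["sender_mac"].upper():
        return "drop: src-mac mismatch"        # ip arp inspection validate src-mac
    if bindings.get((pkt["vlan"], pkt["sender_ip"])) != pkt["sender_mac"].upper():
        return "drop: no matching dhcp binding"
    return "forward"


# Constructed ARP packets: a legitimate reply from Fa0/24, then the host on
# Fa0/23 claiming 10.1.2.12, then the same with a forged ARP sender MAC.
SAMPLE_ARPS = [
    {"port": "FastEthernet0/24", "vlan": 20, "eth_src": "00:14:a8:96:2c:40",
     "sender_mac": "00:14:a8:96:2c:40", "sender_ip": "10.1.2.12"},
    {"port": "FastEthernet0/23", "vlan": 20, "eth_src": "00:14:6a:1d:b8:00",
     "sender_mac": "00:14:6a:1d:b8:00", "sender_ip": "10.1.2.12"},
    {"port": "FastEthernet0/23", "vlan": 20, "eth_src": "00:14:6a:1d:b8:00",
     "sender_mac": "00:14:a8:96:2c:40", "sender_ip": "10.1.2.12"},
]


def run_samples(validate_src_mac=True):
    bindings = parse_bindings(BINDING_OUTPUT)
    return [inspect_arp(p, bindings, validate_src_mac) for p in SAMPLE_ARPS]
```

The third packet shows why the slide adds "validate src-mac": a binding match alone lets a frame through whose Ethernet source MAC does not belong to the ARP sender it claims to be.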

Page 58: Hacking Cisco Networks and Countermeasures

Questions & Discussion


Page 59: Hacking Cisco Networks and Countermeasures

Thank you…