twisting layer 2 protocols defcamp 8 paul coggin @paulcoggin 2... · *nix w/nis(ad integ.) active...
TRANSCRIPT
1 1
Twisting Layer 2 Protocols
DefCamp 8
Paul Coggin @PaulCoggin
2 2
OSI and TCP/IP Model
OSI Model
7
6
5
4
3
2
1
Application
Presentation
Session
Transport
Network
Data Link
Physical
TCP/IP Model
Network Interface
Application
Transport
Internet
Frame Header
Ow
n th
e N
etw
ork
3 3
Cisco Discovery Protocol (CDP)
Cisco Discovery Protocol (CDP) - Great tool for mapping out a network during an audit - Be sure to disable on connections to external networks such as WAN, MetroE - VoIP phones use CDP (how to secure info leakage on VoIP net??)
4 4
Cisco Discovery Protocol (CDP) – Great for Recon!
5 5
Protocol Hacking Tools GSN3 SCAPY Colasoft Packet Builder Many others… (Remember to enable IP forwarding)
First Hop Redundancy Protocols
Global Load Balancing Protocol (GLBP) Hot Standby Router Protocol (HSRP) Virtual Redundant Router Protocol (VRRP)
Active router 192.168.1.1
Backup router 192.168.1.2
Virtual router 192.168.1.3
192.168.1.50
Multicast protocol Priority elects role MD5, clear, no authentication
V
VRogue Insider
6 6
VRRP – No Authentication
VRRP – No Authentication
7 7
VRRP – Clear Text Authentication
VRRP – Clear Text Authentication
8 8
HSRP MITM – Packet Analysis
HSRP Password Clear Text
9 9
FHRP – Crafted HSRP Packets
Routers
Rogue Insider
Crafted HSRP coup packet with higher priority
10 10
IPv6 Neighbor Discover Protocol
Filter on IPv6 or Ethernet Type 0x86DD to Identify IPv6 Packets
IPv6 uses multicast \ No more broadcast
11 11
IPv6 SLACC MITM
IPv6 Neighbor Discovery Protocol (NDP) (Think ARP for IPv6) IPv6 MITM Tools - Chiron, - Evil FOCA - THC Parasite6 - SCAPY - Colasoft Packet Builder
Windows
Linux Mac
Default - Hosts Send ICMPv6 Router Solicitation
Rogue Insider Sending RA’s
Man-in-the-Middle
Mitigations - RAguard - 802.1x - Private VLANs - IPv6 port security - Source\Destination Guard - SeND (encrypt NDP)
12 12
IPv6 Network Discovery Spoofing MITM
Windows
Linux
Mac
Mitigations - Source\Destination Guard - 802.1x - Private VLANs - IPv6 port security - NDP Spoofing - DHCP Snooping - Source\Destination Guard - SeND (encrypt NDP)
Rogue Insider
Network Discovery Spoofing - MITM (ARP Spoofing equivalent for IPv6)
IPv6 Neighbor Discovery Protocol (NDP) (Think ARP for IPv6) IPv6 MITM Tools - Chiron - Evil FOCA - THC Parasite6 - SCAPY - Colasoft Packet Builder
13 13
Multicast Source 1
Multicast Overview
Multicast Source 2
Multicast uses UDP One-way traffic stream “Fire and Forget” - Video - Many other apps Multicast Routing PIM - Reverse Path Forwarding(RPF)
Receiver Receiver Receiver
IGMP Report to Join Multicast Group
Member 1
IGMP Report to Join Multicast Group
Member 1
IGMP Report to Join Multicast Group
Member 2
- Routers send periodic queries - Host per VLAN per group reports - Host may send
leave messages - IPv4 – IGMP - IPv6 - MLD
Multicast PIM routing
14 14
Multicast - IGMP
15 15
Multicast Routing - PIM
16 16
Multicast Source 1
Attacking Multicast
Multicast Source 2
Receiver Receiver Receiver
Multicast PIM routing
Craft Router PIM Packets - SCAPY - Colasoft Packet Builder - Possible to use GNS3
or Quagga etc to add PIM router
Local VLAN Segement - Hello packets - Join/Prune packets - Assert Unicast PIM Packets - Register - Register-Stop - C-RP-Advertisement
Craft IGMP/MLD - SCAPY - Collasoft Packet Builder - IGMP Leaves - IGMP Queries - Spoof IGMP Source
17 17
Multicast Source 1
Securing Multicast
Multicast Source 2
Receiver Receiver Receiver
Multicast PIM routing
- Control Plane Policing(CoPP) - Modular Quality of Service - PIM Neighbor Filter (ACL may be defeated by spoofing. L2 spoof protection needed.) - RP Announce Filter - Multicast Boundary Filter - L3 Switch Aggregation
Multicast Storm Control on switches L2 port security
Secure Multicast Control Protocol Trust Relationships
18 18
Hack the Network via OSPF
Area 1
Area Border Router (ABR)
ABR
Area 2
Area 0
Autononynmous System Border Router (ASBR)
DR BDR
OSPF Exploit Tools - Quagga - NRL Core(Network Simulator) - Nemesis - Loki - GSN3\Dynamips - Buy a router on eBay - Hack a router and reconfigure - Code one with Scapy - IP Sorcery( IP Magic) - Cain & Able to crack OSPF MD5 - MS RRAS - NetDude - Collasoft - Phenoelit IRPAS
OSPF Attack Vectors - Take over as DR - Inject routes to mask source of attack - DoS - Inject routes for MITM - Add new routes to hacked router - Change interface bandwidth or use IP OSPF Cost for Traffic Engineering on hacked router
OSPFtypicallyisimplementedwithoutanythoughttosecurity.LSA’saremul<castonthespokeLANforanyusertosniffwithoutMD5.
External Network BGP, EIGRP, ISIS
19 19
OSPF – No Authentication
20 20
OSPF – Clear Text Authentication
21 21
OSPF – MD5 Authentication
22 22
EIGRP Overview
10.1.1.0 255.255.255.0
• Advanced Distance Vector – “Hybrid” • No authentication / MD5 Authentication • Classless \ Classful routing default • Supports IPv4/6, IPX and Appletalk • Fast convergence - Successor - Feasible Successor • Unequal and equal cost load balancing • Upgrade replacement for IGRP
10.1.2.0 255.255.255.0
192.168.1.0 255.255.255.0
• Incremental updates • EIGRP uses DUAL algorithm • Cisco proprietary • 3 Tables similar to OSPF - Neighbor table - Routing table - Topology table • Summarization at any interface in network
Remember to use “no auto-summary” command to enable classless routing or experience
dis-contiguous network issues.
23 23
10.1.1.0 255.255.255.0
10.1.2.0 255.255.255.0
192.168.1.0 255.255.255.0
Hack the Network via EIGRP
SimilartoOSPF,EIGRPtypicallyisimplementedwithoutanythoughttosecurity.Network
administratorsshoulduseauthen<ca<onandconfigureinterfacestobepassiveinEIGRP.
EIGRP Attack Vectors - Inject routes to mask source of attack - DoS - Inject routes for MITM - Add new routes to hacked router - Change interface bandwidth for Traffic Engineering on hacked router EIGRP Exploit Tools - GSN3\Dynamips - Buy a router on eBay - Hack a router and reconfigure - Phenoelit IRPAS
24 24
10.1.2.0 255.255.255.0
EIGRP – No Authentication
25 25
10.1.2.0 255.255.255.0
EIGRP – MD5 Authentication
26 26
DMZ Layer 2 Security
Secure DMZ Trusts - PVLAN - VACL - Separate Virtual or Physical Int w/ ACL’s - Develop a network traffic matrix to define required network traffic flows WWW
DNS
SMTP
SharePoint
DMZ - Typically single VLAN - Open trusts Inside VLAN - DMZ to Internal AD integ. - Pivot from DMZ to Internal network
Internal Network
Database Email DNS
*NIX w/NIS(AD Integ.)
Active Directory
Internet
27 27
Layer 2 – Secure Visualization and Instrumentation
TAP/Sniffer
NOC \ SOC
Out-of-bound Network
Whitelist the Layer 2 Network Trust Relationships
Whitelist Trusted Information Flows in Monitoring
Secure Control, Management, Data Planes
In-band Monitoring EPC SPAN RSPAN ERSPAN Netflow
28 28
References
LANSwitchSecurity–WhatHackersKnowAboutYourSwitches,EricVyncke,ChristopherPaggen,CiscoPressEnnoRey-@Enno_Insinuator,�@WEareTROOPERS��,ERNWPapersandResources,www.ernw.de,www.insinuator.netIvanPepeInjak-@IOShints,PapersandResources,hYp://www.ipspace.netIPv6Security,ScoYHoggandEricVyncke,CiscoPressIPv6Security,ScoYHogg,hYp://www.gtri.com/wp-content/uploads/2014/10/IPv6-Hacker-Halted-The-Hacker-Code-Angels-vs-Demons.pdfThePrac<ceofNetworkSecurityMonitoring,RicardBejtlich,NoStarchPressRouterSecurityStrategiesSecuringIPNetworkTrafficPlanes,GreggSchudel,DavidJ.Smith,CiscoPresshYps://www.cisco.com/go/safehYp://docwiki.cisco.com/wiki/FHShYp://www.netop<cs.com/blog/01-07-2011/sample-pcap-fileshYp://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipapp_frp/configura<on/12-4/fp-12-4-book.htmlhYp://www.cisco.com/c/en/us/td/docs/solu<ons/Enterprise/Security/Baseline_Security/securebasebook/sec_chap8.htmlhYp://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/best/prac<ces/recommenda<ons.htmlhYp://www.cisco.com/c/en/us/td/docs/solu<ons/Enterprise/Security/Baseline_Security/securebasebook/sec_chap8.htmlhYp://www.cisco.com/web/about/security/intelligence/ipv6_first_hop.htmlhYp://www.cisco.com/c/en/us/support/docs/ip/access-lists/13608-21.htmlhYp://monkey.org/~dugsong/dsniff/hYps://www.yersinia.nethYps://www.nsa.gov/ia/_files/factsheets/Factsheet-Cisco%20Port%20Security.pdfhYp://iase.disa.mil/s<gs/net_perimeter/network-infrastructure/Pages/index.aspx
29 29
Ques&ons?
@PaulCoggin