1 1

Twisting Layer 2 Protocols

DefCamp 8

Paul Coggin @PaulCoggin

2 2

OSI and TCP/IP Model

OSI Model

7

6

5

4

3

2

1

Application

Presentation

Session

Transport

Network

Data Link

Physical

TCP/IP Model

Network Interface

Application

Transport

Internet

Frame Header

Ow

n th

e N

etw

ork

3 3

Cisco Discovery Protocol (CDP)

Cisco Discovery Protocol (CDP) -  Great tool for mapping out a network during an audit -  Be sure to disable on connections to external networks such as WAN, MetroE -  VoIP phones use CDP (how to secure info leakage on VoIP net??)

4 4

Cisco Discovery Protocol (CDP) – Great for Recon!

5 5

Protocol Hacking Tools GSN3 SCAPY Colasoft Packet Builder Many others… (Remember to enable IP forwarding)

First Hop Redundancy Protocols

Global Load Balancing Protocol (GLBP) Hot Standby Router Protocol (HSRP) Virtual Redundant Router Protocol (VRRP)

Active router 192.168.1.1

Backup router 192.168.1.2

Virtual router 192.168.1.3

192.168.1.50

Multicast protocol Priority elects role MD5, clear, no authentication

V

VRogue Insider

6 6

VRRP – No Authentication

VRRP – No Authentication

7 7

VRRP – Clear Text Authentication

VRRP – Clear Text Authentication

8 8

HSRP MITM – Packet Analysis

HSRP Password Clear Text

9 9

FHRP – Crafted HSRP Packets

Routers

Rogue Insider

Crafted HSRP coup packet with higher priority

10 10

IPv6 Neighbor Discover Protocol

Filter on IPv6 or Ethernet Type 0x86DD to Identify IPv6 Packets

IPv6 uses multicast \ No more broadcast

11 11

IPv6 SLACC MITM

IPv6 Neighbor Discovery Protocol (NDP) (Think ARP for IPv6) IPv6 MITM Tools -  Chiron, -  Evil FOCA -  THC Parasite6 -  SCAPY -  Colasoft Packet Builder

Windows

Linux Mac

Default - Hosts Send ICMPv6 Router Solicitation

Rogue Insider Sending RA’s

Man-in-the-Middle

Mitigations -  RAguard -  802.1x -  Private VLANs -  IPv6 port security -  Source\Destination Guard -  SeND (encrypt NDP)

12 12

IPv6 Network Discovery Spoofing MITM

Windows

Linux

Mac

Mitigations -  Source\Destination Guard -  802.1x -  Private VLANs -  IPv6 port security -  NDP Spoofing -  DHCP Snooping -  Source\Destination Guard -  SeND (encrypt NDP)

Rogue Insider

Network Discovery Spoofing - MITM (ARP Spoofing equivalent for IPv6)

IPv6 Neighbor Discovery Protocol (NDP) (Think ARP for IPv6) IPv6 MITM Tools -  Chiron -  Evil FOCA -  THC Parasite6 -  SCAPY -  Colasoft Packet Builder

13 13

Multicast Source 1

Multicast Overview

Multicast Source 2

Multicast uses UDP One-way traffic stream “Fire and Forget” -  Video -  Many other apps Multicast Routing PIM - Reverse Path Forwarding(RPF)

Receiver Receiver Receiver

IGMP Report to Join Multicast Group

Member 1

IGMP Report to Join Multicast Group

Member 1

IGMP Report to Join Multicast Group

Member 2

- Routers send periodic queries - Host per VLAN per group reports -  Host may send

leave messages -  IPv4 – IGMP -  IPv6 - MLD

Multicast PIM routing

14 14

Multicast - IGMP

15 15

Multicast Routing - PIM

16 16

Multicast Source 1

Attacking Multicast

Multicast Source 2

Receiver Receiver Receiver

Multicast PIM routing

Craft Router PIM Packets -  SCAPY -  Colasoft Packet Builder -  Possible to use GNS3

or Quagga etc to add PIM router

Local VLAN Segement -  Hello packets -  Join/Prune packets -  Assert Unicast PIM Packets -  Register -  Register-Stop -  C-RP-Advertisement

Craft IGMP/MLD - SCAPY - Collasoft Packet Builder - IGMP Leaves - IGMP Queries - Spoof IGMP Source

17 17

Multicast Source 1

Securing Multicast

Multicast Source 2

Receiver Receiver Receiver

Multicast PIM routing

- Control Plane Policing(CoPP) - Modular Quality of Service - PIM Neighbor Filter (ACL may be defeated by spoofing. L2 spoof protection needed.) -  RP Announce Filter -  Multicast Boundary Filter -  L3 Switch Aggregation

Multicast Storm Control on switches L2 port security

Secure Multicast Control Protocol Trust Relationships

18 18

Hack the Network via OSPF

Area 1

Area Border Router (ABR)

ABR

Area 2

Area 0

Autononynmous System Border Router (ASBR)

DR BDR

OSPF Exploit Tools -  Quagga -  NRL Core(Network Simulator) -  Nemesis -  Loki -  GSN3\Dynamips - Buy a router on eBay -  Hack a router and reconfigure -  Code one with Scapy -  IP Sorcery( IP Magic) -  Cain & Able to crack OSPF MD5 -  MS RRAS -  NetDude -  Collasoft -  Phenoelit IRPAS

OSPF Attack Vectors -  Take over as DR - Inject routes to mask source of attack - DoS -  Inject routes for MITM - Add new routes to hacked router - Change interface bandwidth or use IP OSPF Cost for Traffic Engineering on hacked router

OSPFtypicallyisimplementedwithoutanythoughttosecurity.LSA’saremul<castonthespokeLANforanyusertosniffwithoutMD5.

External Network BGP, EIGRP, ISIS

19 19

OSPF – No Authentication

20 20

OSPF – Clear Text Authentication

21 21

OSPF – MD5 Authentication

22 22

EIGRP Overview

10.1.1.0 255.255.255.0

•  Advanced Distance Vector – “Hybrid” •  No authentication / MD5 Authentication •  Classless \ Classful routing default •  Supports IPv4/6, IPX and Appletalk •  Fast convergence - Successor - Feasible Successor •  Unequal and equal cost load balancing •  Upgrade replacement for IGRP

10.1.2.0 255.255.255.0

192.168.1.0 255.255.255.0

•  Incremental updates •  EIGRP uses DUAL algorithm •  Cisco proprietary •  3 Tables similar to OSPF - Neighbor table - Routing table - Topology table •  Summarization at any interface in network

Remember to use “no auto-summary” command to enable classless routing or experience

dis-contiguous network issues.

23 23

10.1.1.0 255.255.255.0

10.1.2.0 255.255.255.0

192.168.1.0 255.255.255.0

Hack the Network via EIGRP

SimilartoOSPF,EIGRPtypicallyisimplementedwithoutanythoughttosecurity.Network

administratorsshoulduseauthen<ca<onandconfigureinterfacestobepassiveinEIGRP.

EIGRP Attack Vectors -  Inject routes to mask source of attack -  DoS -  Inject routes for MITM -  Add new routes to hacked router -  Change interface bandwidth for Traffic Engineering on hacked router EIGRP Exploit Tools -  GSN3\Dynamips - Buy a router on eBay -  Hack a router and reconfigure -  Phenoelit IRPAS

24 24

10.1.2.0 255.255.255.0

EIGRP – No Authentication

25 25

10.1.2.0 255.255.255.0

EIGRP – MD5 Authentication

26 26

DMZ Layer 2 Security

Secure DMZ Trusts - PVLAN - VACL - Separate Virtual or Physical Int w/ ACL’s - Develop a network traffic matrix to define required network traffic flows WWW

DNS

SMTP

SharePoint

DMZ -  Typically single VLAN -  Open trusts Inside VLAN -  DMZ to Internal AD integ. -  Pivot from DMZ to Internal network

Internal Network

Database Email DNS

*NIX w/NIS(AD Integ.)

Active Directory

Internet

27 27

Layer 2 – Secure Visualization and Instrumentation

TAP/Sniffer

NOC \ SOC

Out-of-bound Network

Whitelist the Layer 2 Network Trust Relationships

Whitelist Trusted Information Flows in Monitoring

Secure Control, Management, Data Planes

In-band Monitoring EPC SPAN RSPAN ERSPAN Netflow

28 28

References

LANSwitchSecurity–WhatHackersKnowAboutYourSwitches,EricVyncke,ChristopherPaggen,CiscoPressEnnoRey-@Enno_Insinuator,�@WEareTROOPERS��,ERNWPapersandResources,www.ernw.de,www.insinuator.netIvanPepeInjak-@IOShints,PapersandResources,hYp://www.ipspace.netIPv6Security,ScoYHoggandEricVyncke,CiscoPressIPv6Security,ScoYHogg,hYp://www.gtri.com/wp-content/uploads/2014/10/IPv6-Hacker-Halted-The-Hacker-Code-Angels-vs-Demons.pdfThePrac<ceofNetworkSecurityMonitoring,RicardBejtlich,NoStarchPressRouterSecurityStrategiesSecuringIPNetworkTrafficPlanes,GreggSchudel,DavidJ.Smith,CiscoPresshYps://www.cisco.com/go/safehYp://docwiki.cisco.com/wiki/FHShYp://www.netop<cs.com/blog/01-07-2011/sample-pcap-fileshYp://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipapp_frp/configura<on/12-4/fp-12-4-book.htmlhYp://www.cisco.com/c/en/us/td/docs/solu<ons/Enterprise/Security/Baseline_Security/securebasebook/sec_chap8.htmlhYp://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/best/prac<ces/recommenda<ons.htmlhYp://www.cisco.com/c/en/us/td/docs/solu<ons/Enterprise/Security/Baseline_Security/securebasebook/sec_chap8.htmlhYp://www.cisco.com/web/about/security/intelligence/ipv6_first_hop.htmlhYp://www.cisco.com/c/en/us/support/docs/ip/access-lists/13608-21.htmlhYp://monkey.org/~dugsong/dsniff/hYps://www.yersinia.nethYps://www.nsa.gov/ia/_files/factsheets/Factsheet-Cisco%20Port%20Security.pdfhYp://iase.disa.mil/s<gs/net_perimeter/network-infrastructure/Pages/index.aspx

29 29

Ques&ons?

@PaulCoggin