Exploiting First Hop Protocols to Own the Network – PowerPoint presentation, Bsides Vienna 2016, Paul Coggin (@PaulCoggin)


Slide 1: Exploiting First Hop Protocols to Own the Network

Bsides Vienna 2016, Paul Coggin (@PaulCoggin)

Slide 2: OSI and TCP/IP Model

OSI Model
  • 7 Application
  • 6 Presentation
  • 5 Session
  • 4 Transport
  • 3 Network
  • 2 Data Link
  • 1 Physical

TCP/IP Model
  • Application
  • Transport
  • Internet
  • Network Interface

(Diagram labels: Frame Header; Own the Network.)

Slide 3: Cisco Discovery Protocol (CDP)

  • Great tool for mapping out a network during an audit
  • Be sure to disable on connections to external networks such as WAN, MetroE
  • VoIP phones use CDP (how to secure info leakage on VoIP net??)

Slide 4: Cisco Discovery Protocol (CDP) – Great for Recon!

Slide 5: Multicast Overview

(Diagram: Multicast Source 1 and Multicast Source 2 feed a PIM-routed network; three receivers send IGMP reports to join multicast group members 1 and 2.)

Multicast uses UDP; one-way traffic stream, "fire and forget"
  • Video
  • Many other apps

Multicast routing: PIM
  • Reverse Path Forwarding (RPF)

Group membership
  • Routers send periodic queries
  • Host per VLAN per group reports
  • Host may send leave messages
  • IPv4 – IGMP
  • IPv6 – MLD

Slide 6: Multicast – IGMP

Slide 7: Multicast Routing – PIM

Slide 8: Attacking Multicast

(Diagram: Multicast Source 1 and Source 2, PIM-routed network, three receivers.)

Craft router PIM packets
  • SCAPY
  • Colasoft Packet Builder
  • Possible to use GNS3, Quagga etc. to add a PIM router to the local VLAN segment

PIM packets on the local VLAN segment
  • Hello packets
  • Join/Prune packets
  • Assert

Unicast PIM packets
  • Register
  • Register-Stop
  • C-RP-Advertisement

Craft IGMP/MLD
  • SCAPY
  • Colasoft Packet Builder
  • IGMP Leaves
  • IGMP Queries
  • Spoof IGMP Source

Slide 9: Securing Multicast

(Diagram: Multicast Source 1 and Source 2, PIM-routed network, three receivers.)

  • Control Plane Policing (CoPP)
  • Modular Quality of Service
  • PIM Neighbor Filter (ACL may be defeated by spoofing; L2 spoof protection needed)
  • RP Announce Filter
  • Multicast Boundary Filter
  • L3 Switch Aggregation
  • Multicast Storm Control on switches
  • L2 port security

Secure multicast control protocol trust relationships

Slide 10: First Hop Redundancy Protocols

Protocol hacking tools: GNS3, SCAPY, Colasoft Packet Builder, many others… (remember to enable IP forwarding)

  • Gateway Load Balancing Protocol (GLBP)
  • Hot Standby Router Protocol (HSRP)
  • Virtual Router Redundancy Protocol (VRRP)

(Diagram: active router 192.168.1.1, backup router 192.168.1.2, virtual router 192.168.1.3, host 192.168.1.50, rogue insider on the same segment.)

  • Multicast protocol
  • Priority elects role
  • Authentication: MD5, clear text, or none

Slide 11: VRRP – No Authentication

Slide 12: VRRP – Clear Text Authentication

Slide 13: HSRP MITM – Packet Analysis

HSRP password in clear text

Slide 14: FHRP – Crafted HSRP Packets

(Diagram: routers and a rogue insider; the insider sends a crafted HSRP coup packet with a higher priority.)
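To show the detection side of this slide, here is an added example (not from the talk) that decodes an HSRPv1 message and flags the coup-with-higher-priority pattern, a virtual IP mismatch, and the clear-text authentication string; the sample packet, the group number and the legitimate active priority of 100 are constructed assumptions.

```python
import struct
from dataclasses import dataclass
from typing import List

HSRP_OPCODES = {0: "hello", 1: "coup", 2: "resign"}
HSRP_STATES = {0: "initial", 1: "learn", 2: "listen", 4: "speak", 8: "standby", 16: "active"}

@dataclass
class HsrpMessage:
    version: int
    opcode: str
    state: str
    hello_time: int
    hold_time: int
    priority: int
    group: int
    auth: str          # 8-byte clear-text authentication field, visible to any sniffer
    virtual_ip: str

def parse_hsrp(payload: bytes) -> HsrpMessage:
    """Parse the fixed 20-byte HSRPv1 message carried in UDP/1985 to 224.0.0.2."""
    if len(payload) < 20:
        raise ValueError("truncated HSRP payload")
    ver, op, st, hello, hold, prio, grp, _rsvd, auth, vip = struct.unpack("!8B8s4s", payload[:20])
    return HsrpMessage(ver, HSRP_OPCODES.get(op, f"unknown({op})"),
                       HSRP_STATES.get(st, f"unknown({st})"), hello, hold, prio, grp,
                       auth.rstrip(b"\x00").decode("ascii", "replace"),
                       ".".join(str(b) for b in vip))

def hsrp_alerts(msg: HsrpMessage, active_priority: int, expected_vip: str) -> List[str]:
    """Flag the takeover pattern from the slide (a coup, or any message outbidding the
    legitimate active router's priority) and the password leak in the auth field."""
    alerts = []
    if msg.opcode == "coup":
        alerts.append(f"HSRP coup for group {msg.group} (priority {msg.priority})")
    if msg.priority > active_priority:
        alerts.append(f"priority {msg.priority} exceeds the active router's {active_priority}")
    if msg.virtual_ip != expected_vip:
        alerts.append(f"virtual IP {msg.virtual_ip} differs from expected {expected_vip}")
    if msg.auth:
        alerts.append(f"clear-text authentication string on the wire: {msg.auth!r}")
    return alerts

# Constructed sample: coup from a rogue insider, priority 255, group 1, default "cisco" auth,
# virtual router 192.168.1.3 as in the FHRP slide.
ROGUE_COUP = bytes([0, 1, 16, 3, 10, 255, 1, 0]) + b"cisco".ljust(8, b"\x00") + bytes([192, 168, 1, 3])

if __name__ == "__main__":
    for line in hsrp_alerts(parse_hsrp(ROGUE_COUP), active_priority=100, expected_vip="192.168.1.3"):
        print("ALERT:", line)
```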

Slide 15: IPv6 Neighbor Discovery Protocol

Filter on IPv6 or Ethernet type 0x86DD to identify IPv6 packets. IPv6 uses multicast; there is no more broadcast.

Slide 16: IPv6 SLAAC MITM

IPv6 Neighbor Discovery Protocol (NDP) (think ARP for IPv6)

(Diagram: Windows, Linux and Mac hosts send ICMPv6 Router Solicitations by default; a rogue insider sending RAs becomes the man-in-the-middle.)

IPv6 MITM tools
  • Chiron
  • Evil FOCA
  • THC Parasite6
  • SCAPY
  • Colasoft Packet Builder

Mitigations
  • RA Guard
  • 802.1x
  • Private VLANs
  • IPv6 port security
  • Source/Destination Guard
  • SeND (encrypt NDP)

Slide 17: IPv6 Network Discovery Spoofing – MITM

(Diagram: Windows, Linux and Mac hosts; a rogue insider performs NDP spoofing, the ARP spoofing equivalent for IPv6.)

IPv6 Neighbor Discovery Protocol (NDP) (think ARP for IPv6)

IPv6 MITM tools
  • Chiron
  • Evil FOCA
  • THC Parasite6
  • SCAPY
  • Colasoft Packet Builder

Mitigations
  • Source/Destination Guard
  • 802.1x
  • Private VLANs
  • IPv6 port security
  • DHCP Snooping
  • SeND (encrypt NDP)

Slide 18: OSPF – No Authentication

Slide 19: OSPF – Clear Text Authentication

Slide 20: Hack the Network via OSPF

(Diagram: Area 0 with DR and BDR; Area 1 and Area 2 behind Area Border Routers (ABRs); an Autonomous System Border Router (ASBR) toward an external network running BGP, EIGRP or IS-IS.)

OSPF typically is implemented without any thought to security. LSAs are multicast on the spoke LAN for any user to sniff without MD5.

OSPF exploit tools
  • Quagga
  • NRL CORE (network simulator)
  • Nemesis
  • Loki
  • GNS3/Dynamips
  • Buy a router on eBay
  • Hack a router and reconfigure
  • Code one with Scapy
  • IP Sorcery (IP Magic)
  • Cain & Abel to crack OSPF MD5
  • MS RRAS
  • NetDude
  • Colasoft
  • Phenoelit IRPAS

OSPF attack vectors
  • Take over as DR
  • Inject routes to mask source of attack
  • DoS
  • Inject routes for MITM
  • Add new routes to hacked router
  • Change interface bandwidth or use ip ospf cost for traffic engineering on hacked router

Slide 21: EIGRP – No Authentication

(Diagram label: 10.1.2.0 255.255.255.0)

Slide 22: Hack the Network via EIGRP

(Diagram: networks 10.1.1.0 255.255.255.0, 10.1.2.0 255.255.255.0 and 192.168.1.0 255.255.255.0.)

Similar to OSPF, EIGRP typically is implemented without any thought to security. Network administrators should use authentication and configure interfaces to be passive in EIGRP.

EIGRP attack vectors
  • Inject routes to mask source of attack
  • DoS
  • Inject routes for MITM
  • Add new routes to hacked router
  • Change interface bandwidth for traffic engineering on hacked router

EIGRP exploit tools
  • GNS3/Dynamips
  • Buy a router on eBay
  • Hack a router and reconfigure
  • Phenoelit IRPAS

Slide 23: DMZ Layer 2 Security

Secure DMZ trusts
  • PVLAN
  • VACL
  • Separate virtual or physical interfaces with ACLs
  • Develop a network traffic matrix to define required network traffic flows

(Diagram: DMZ hosting WWW, DNS, SMTP and SharePoint; internal network with Database, Email, DNS, *NIX with NIS (AD integrated) and Active Directory; Internet.)

DMZ
  • Typically single VLAN
  • Open trusts to the inside VLAN
  • DMZ to internal AD integration
  • Pivot from DMZ to internal network

Slide 24: Layer 2 – Secure Visualization and Instrumentation

(Diagram: TAP/sniffer feeding the NOC/SOC over an out-of-band network.)

  • Whitelist the Layer 2 network trust relationships
  • Whitelist trusted information flows in monitoring
  • Secure control, management and data planes
  • In-band monitoring: EPC, SPAN, RSPAN, ERSPAN, NetFlow

Slide 25: References


Slide 26: Questions? @PaulCoggin

Slide 27: OSPF – MD5 Authentication

Slide 28: EIGRP – MD5 Authentication

(Diagram label: 10.1.2.0 255.255.255.0)

Slide 29: MPLS Architecture Overview

(Diagram: MPLS cloud with P routers in the core and PE routers at the edge; CE sites for VPN_A (10.1.0.0, 10.1.0.0, 10.2.0.0, 10.3.0.0) and VPN_B (10.2.0.0, 11.5.0.0, 11.6.0.0); iBGP sessions between the PEs.)

  • P routers (LSRs) are in the core of the MPLS cloud
  • PE routers (edge LSRs or LERs) use MPLS with the core and plain IP with CE routers
  • P and PE routers share a common IGP
  • PE routers are MP-iBGP fully meshed

Service provider may accidentally or intentionally misconfigure VPNs. Utilize an IPsec VPN over the MPLS VPN to ensure security.

Slide 30: MPLS Label PCAP – Service Provider Core

32-bit MPLS label format
  • Label: 20-bit
  • EXP: 3-bit
  • Bottom-of-Stack: 1-bit
  • TTL: 8-bit

CPE-to-CPE Telnet over service provider MPLS VPN
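An added example (not from the talk) that decodes the 32-bit label format from this slide and walks a label stack down to the Bottom-of-Stack bit, where the customer's IP packet sits with no protection from the labels; the label values and the IPv4 header bytes are constructed.

```python
import struct
from dataclasses import dataclass
from typing import List, Tuple

@dataclass
class MplsEntry:
    label: int             # 20-bit label value
    exp: int               # 3-bit EXP (traffic class)
    bottom_of_stack: bool  # 1-bit S flag
    ttl: int               # 8-bit TTL

def parse_entry(word: bytes) -> MplsEntry:
    """Decode one 32-bit label stack entry: label(20) | exp(3) | S(1) | ttl(8)."""
    (v,) = struct.unpack("!I", word)
    return MplsEntry(v >> 12, (v >> 9) & 0x7, bool((v >> 8) & 0x1), v & 0xFF)

def build_entry(label: int, exp: int, bos: bool, ttl: int) -> bytes:
    if not (0 <= label < 1 << 20 and 0 <= exp < 8 and 0 <= ttl < 256):
        raise ValueError("field out of range")
    return struct.pack("!I", (label << 12) | (exp << 9) | (int(bos) << 8) | ttl)

def parse_label_stack(data: bytes) -> Tuple[List[MplsEntry], bytes]:
    """Walk entries until the Bottom-of-Stack bit; return (stack, inner payload)."""
    stack, off = [], 0
    while True:
        if off + 4 > len(data):
            raise ValueError("label stack runs past end of packet")
        entry = parse_entry(data[off:off + 4])
        stack.append(entry)
        off += 4
        if entry.bottom_of_stack:
            return stack, data[off:]

def inner_protocol(payload: bytes) -> str:
    """MPLS carries no protocol field; the version nibble of the payload says what follows."""
    if not payload:
        return "empty"
    return {4: "IPv4", 6: "IPv6"}.get(payload[0] >> 4, "non-IP")

# Constructed sample: transport label 16004, then VPN label 24 (bottom of stack), followed by
# the first bytes of an unencrypted IPv4 header as it would appear in a provider core capture.
SAMPLE = (build_entry(16004, 0, False, 255) + build_entry(24, 0, True, 255)
          + bytes.fromhex("4500003c1c4640004006"))

if __name__ == "__main__":
    stack, payload = parse_label_stack(SAMPLE)
    for e in stack:
        print(e)
    print("inner payload:", inner_protocol(payload))
```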

Slide 31: Telnet Username/Password – Clear Text Encapsulated in MPLS VPN

A separate overlay encrypted VPN is required to secure your traffic.

Slide 32: CAM Table Overflow Attack

Tools: Yersinia, macof, dsniff

(Diagram: Node 1, Node 2, Node 3 and Node 4 on one switch; traffic from Node 2 to Node 4.)

Switch CAM table exploited, resulting in the switch VLAN operating like a shared Ethernet hub. The attack may cause multiple switches to fall back to shared Ethernet behavior.

Implement port security to limit MACs per interface, SNMP traps

Slide 33: ARP Poisoning

(Diagram: Corporate server IP 172.16.1.1; User 1 IP 192.168.1.2, MAC 2222.2222.2222; User 3 IP 192.168.1.3, MAC 3333.3333.3333; Router IP 192.168.1.1, MAC 1111.1111.1111.)

  • Gratuitous ARP – User 1 traffic to the server redirected to User 3 (172.16.1.1 at MAC 3333.3333.3333); User 1 ARP cache poisoned
  • Gratuitous ARP – return traffic redirected to User 3 (192.168.1.2 at MAC 3333.3333.3333); router ARP cache poisoned
  • Tools: Cain and Abel, Ettercap

Slide 34: ARP Poisoning – Mitigation

  • Dynamic ARP Inspection
  • IP Source Inspection
  • SNMP alerts and syslog monitoring
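An added example (not from the talk) covering both the CAM table overflow slide and the ARP poisoning slides: a small monitor that counts source MACs per port, as port security does, and checks ARP sender bindings against a trusted table, as Dynamic ARP Inspection does. Port names, the MAC limit and the frame sequence are constructed; the addresses are the ones in the ARP poisoning diagram.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass(frozen=True)
class Frame:
    port: str                             # ingress switch port
    src_mac: str
    arp_sender_ip: Optional[str] = None   # set for ARP replies / gratuitous ARP
    arp_sender_mac: Optional[str] = None

class L2Monitor:
    """Port-security style MAC counting per port plus Dynamic-ARP-Inspection style
    checking of ARP sender bindings against a trusted IP-to-MAC table."""

    def __init__(self, max_macs_per_port: int, trusted_bindings: Dict[str, str]):
        self.max_macs = max_macs_per_port
        self.bindings = dict(trusted_bindings)   # e.g. from DHCP snooping or static config
        self.macs_by_port: Dict[str, set] = defaultdict(set)
        self.alerts: List[str] = []

    def observe(self, f: Frame) -> None:
        macs = self.macs_by_port[f.port]
        macs.add(f.src_mac)
        if len(macs) == self.max_macs + 1:       # alert once, when the limit is first crossed
            self.alerts.append(f"{f.port}: more than {self.max_macs} source MACs, "
                               "possible CAM table overflow")
        if f.arp_sender_ip is not None:
            expected = self.bindings.get(f.arp_sender_ip)
            if expected is not None and expected != f.arp_sender_mac:
                self.alerts.append(f"{f.port}: ARP says {f.arp_sender_ip} is at {f.arp_sender_mac}, "
                                   f"trusted binding says {expected}")

# Constructed traffic based on the ARP poisoning slide (router, User 1, User 3) plus a
# macof-style flood of random source MACs arriving on a fourth port.
TRUSTED = {"192.168.1.1": "1111.1111.1111", "192.168.1.2": "2222.2222.2222",
           "192.168.1.3": "3333.3333.3333"}
SAMPLE_FRAMES = [
    Frame("Gi1/1", "1111.1111.1111", "192.168.1.1", "1111.1111.1111"),  # legitimate router ARP
    Frame("Gi1/3", "3333.3333.3333", "192.168.1.2", "3333.3333.3333"),  # User 3 claims User 1's IP
    Frame("Gi1/3", "3333.3333.3333", "192.168.1.1", "3333.3333.3333"),  # User 3 claims the router
] + [Frame("Gi1/4", f"0000.0000.{i:04x}") for i in range(50)]          # flood from one port

def run_sample(max_macs: int = 2) -> List[str]:
    mon = L2Monitor(max_macs, TRUSTED)
    for f in SAMPLE_FRAMES:
        mon.observe(f)
    return mon.alerts
```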

Slide 35: Rogue DHCP Server

(Diagram: DHCP client, corporate DHCP server, rogue user running an unauthorized DHCP server.)

  • Allocates bad DNS server or default gateway
  • Denial of service by exhausting the leases in the DHCP scope
  • Tools – Yersinia, Gobbler

Mitigation
  • Limit MAC addresses per interface
  • VACLs to block DHCP UDP 68
  • DHCP snooping trusted/untrusted (mitigates client hardware address change)

Slide 36: Lawful Intercept – Identify Physical Source of Traffic

DHCP with Option 82 support, example enterprise network

DHCP Option 82 provides the DSLAM and switch name and the physical interface that requested a DHCP IP address.

(Diagram: DSL CPE / ADSL modems (MAC A, MAC B, MAC C) → IP DSLAM → PE-AGG → L3VPN-PE → ISP DHCP server. In the Ethernet access domain the DHCP request is forwarded with a sub ID in the Option 82 identifier (RFC 3046); the DHCP response carries the IP address.)
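An added example (not from the talk) that decodes Option 82 from a DHCP request to answer the question on this slide: which relay switch and physical port the request came in on. The Cisco default circuit-id/remote-id encoding it recognises is an assumption about the relay vendor, and the sample options are constructed.

```python
import struct
from typing import Dict

CIRCUIT_ID, REMOTE_ID = 1, 2   # RFC 3046 relay agent sub-option codes

def walk_tlv(buf: bytes, has_pad_end: bool = False) -> Dict[int, bytes]:
    """Walk code/length/value triples; DHCP options additionally use 0 (pad) and 255 (end)."""
    out, i = {}, 0
    while i < len(buf):
        code = buf[i]
        if has_pad_end and code == 0:        # pad
            i += 1
            continue
        if has_pad_end and code == 255:      # end
            break
        if i + 2 > len(buf) or i + 2 + buf[i + 1] > len(buf):
            raise ValueError("truncated TLV")
        out[code] = buf[i + 2:i + 2 + buf[i + 1]]
        i += 2 + buf[i + 1]
    return out

def parse_option82(value: bytes) -> Dict[str, str]:
    """Decode the two RFC 3046 sub-options of Relay Agent Information."""
    subs, result = walk_tlv(value), {}
    cid = subs.get(CIRCUIT_ID)
    if cid is not None:
        # Assumed Cisco switch default circuit-id: type 0, length 4, VLAN (2 bytes), module, port;
        # DSLAMs and other relays commonly send a free-form string instead.
        if len(cid) == 6 and cid[:2] == b"\x00\x04":
            vlan, mod, port = struct.unpack("!HBB", cid[2:])
            result["circuit_id"] = f"vlan {vlan} module {mod} port {port}"
        else:
            result["circuit_id"] = cid.decode("ascii", "replace")
    rid = subs.get(REMOTE_ID)
    if rid is not None:
        # Assumed Cisco default remote-id: type 0, length 6, MAC of the relay switch
        if len(rid) == 8 and rid[:2] == b"\x00\x06":
            result["remote_id"] = ":".join(f"{b:02x}" for b in rid[2:])
        else:
            result["remote_id"] = rid.decode("ascii", "replace")
    return result

def physical_source(dhcp_options: bytes) -> Dict[str, str]:
    """For one DHCP request's options field: which relay and port did it come in on?"""
    return parse_option82(walk_tlv(dhcp_options, has_pad_end=True).get(82, b""))

# Constructed DHCPDISCOVER options: message type 1, then option 82 as a relay would insert it
OPTION82 = bytes([1, 6, 0, 4, 0, 20, 0, 3]) + bytes([2, 8, 0, 6]) + bytes.fromhex("001122334455")
SAMPLE_OPTIONS = bytes([53, 1, 1, 82, len(OPTION82)]) + OPTION82 + bytes([255])
```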

Slide 37: Spanning Tree Protocol – Attack

(Diagram: existing root bridge; attacker sends a BPDU with priority 0 to take over as root.)

Root bridge MITM, DoS (Yersinia)

Implement Root Guard, BPDU Guard, syslog, SNMPv3 alerts

Slide 38: VLAN Trunking Protocol (VTP)

(Diagram: VTP server, a transparent switch (VTP DB rev 0) and VTP clients connected by 802.1Q trunks.)

  • VLANs are added/removed on the VTP server
  • VLAN modifications propagated to VTP clients
  • Common VTP domain name and password
  • Same native VLAN on trunk
  • Sync to latest changes

Slide 39: VLAN Trunking Protocol (VTP) – Security

(Diagram: same VTP topology; a switch with a higher revision of the VTP DB is added.)

  • Existing network running default VTP settings
  • Switches sync to the higher rev VTP DB, resulting in the VLAN config being lost!!
  • Everyone has a current VLAN.DAT backup, right??
  • Configure a password for the VTP domain (NOT Cisco…. SanFran….)
  • Delete VLAN.DAT before connecting a new switch
  • Change the native VLAN to something other than 1

Slide 40: Broadcast Storms

(Diagram: VLAN 20 spanning several switches; storm sources: rogue insider, misconfigured application, failed NIC. Broadcast storm propagated across the VLAN.)

Traffic storm control limits unicast, multicast and broadcast traffic to a % of port bandwidth
  • Not enabled on interfaces by default (add to the template configuration for port security)
  • Traffic that exceeds the configured threshold will be dropped
  • Violations can be configured to shut down the port or send an SNMP trap (recommend v3)

Slide 41: VLAN Hopping – Dynamic Trunking Protocol

(Diagram: VLANs 40, 50 and 60 across switches; the attacker spoofs DTP to look like a switch (Yersinia) and obtains a trunk.)

  • Dynamic Trunking Protocol (DTP) modes: auto, on, off, desirable, nonegotiate
  • IP phones, wireless access points
  • All VLANs are trunked by default
  • Native VLAN (untagged); default native VLAN 1 and required by DTP
  • Yersinia or other packet crafting tools
  • Disable trunking on interfaces where not in use
  • Specify VLANs to be allowed on trunk interfaces
  • Do not use native VLAN 1

Slide 42: VLAN Hopping – Double VLAN Tag

(Diagram: attacker in VLAN 10 (Yersinia) sends a frame tagged VLAN 10, VLAN 40; the switch strips off the first VLAN ID and the frame continues as a VLAN 40 tagged frame toward VLANs 40, 50 and 60 on the far switches; an untagged frame is shown for comparison.)

  • No two-way communication. Frames sent to target with no response to sender.
  • Craft double-encapsulated frames
  • VLAN trunking is not required in this scenario
  • Disable AUTO/DYNAMIC NEGOTIATION!
  • Don't use native VLAN 1. Use tagged mode for native VLAN x on trunks
  • Disable interfaces not in use
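An added example (not from the talk) that parses stacked 802.1Q tags, flags a double-tagged frame, and models the trunk behavior the slide describes (the first switch strips the native-VLAN tag) so the effect of tagging the native VLAN or moving it away from the sender's VLAN is visible; MAC addresses and the sample frame are constructed.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

TPID_8021Q = 0x8100

@dataclass
class EthFrame:
    dst: str
    src: str
    vlan_tags: List[int]   # outermost tag first
    ethertype: int
    payload: bytes

def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def parse_frame(raw: bytes) -> EthFrame:
    """Decode an Ethernet frame, collecting every stacked 802.1Q tag in front of the payload."""
    off, tags = 12, []
    while True:
        if off + 2 > len(raw):
            raise ValueError("truncated frame")
        (et,) = struct.unpack("!H", raw[off:off + 2])
        if et != TPID_8021Q:
            break
        (tci,) = struct.unpack("!H", raw[off + 2:off + 4])
        tags.append(tci & 0x0FFF)        # low 12 bits of the TCI are the VLAN ID
        off += 4
    return EthFrame(_mac(raw[0:6]), _mac(raw[6:12]), tags, et, raw[off + 2:])

def build_frame(dst: bytes, src: bytes, vlans: List[int], ethertype: int, payload: bytes) -> bytes:
    tags = b"".join(struct.pack("!HH", TPID_8021Q, v & 0x0FFF) for v in vlans)
    return dst + src + tags + struct.pack("!H", ethertype) + payload

def trunk_egress(raw: bytes, native_vlan: int, tag_native: bool) -> bytes:
    """Model of the first switch forwarding onto an 802.1Q trunk: with native tagging off, a
    frame whose outer tag is the native VLAN has that tag stripped, exposing the inner tag."""
    f = parse_frame(raw)
    if f.vlan_tags and f.vlan_tags[0] == native_vlan and not tag_native:
        return raw[:12] + raw[16:]
    return raw

def double_tag_alert(raw: bytes) -> Optional[str]:
    f = parse_frame(raw)
    if len(f.vlan_tags) >= 2:
        return f"double-tagged frame from {f.src}: outer VLAN {f.vlan_tags[0]}, inner VLAN {f.vlan_tags[1]}"
    return None
# Constructed frame matching the slide: sent in VLAN 10 (the native VLAN) with an inner tag for VLAN 40.
ATTACK = build_frame(bytes.fromhex("ffffffffffff"), bytes.fromhex("00aabbccdd01"), [10, 40], 0x0800, b"\x45\x00")
```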