bsides vienna 2016 paul coggin paulcoggin
play

Bsides Vienna 2016 Paul Coggin @PaulCoggin 1 1 OSI and TCP/IP - PowerPoint PPT Presentation

Mar 21, 2023 •145 likes •585 views

Exploiting First Hop Protocols to Own the Network Bsides Vienna 2016 Paul Coggin @PaulCoggin 1 1 OSI and TCP/IP Model OSI Model TCP/IP Model 7 Application 6 Presentation Own the Network Application 5 Session Transport 4 Transport

  1. Exploiting First Hop Protocols to Own the Network Bsides Vienna 2016 Paul Coggin @PaulCoggin 1 1

  2. OSI and TCP/IP Model OSI Model TCP/IP Model 7 Application 6 Presentation Own the Network Application 5 Session Transport 4 Transport Network 3 Internet Data Link 2 Frame Header Network Interface 1 Physical 2 2

  3. Cisco Discovery Protocol (CDP) Cisco Discovery Protocol (CDP) - Great tool for mapping out a network during an audit - Be sure to disable on connections to external networks such as WAN, MetroE - VoIP phones use CDP (how to secure info leakage on VoIP net??) 3 3

  4. Cisco Discovery Protocol (CDP) – Great for Recon! 4 4

  5. Multicast Overview Multicast Multicast Source 1 Source 2 Multicast uses UDP - Routers send One-way traffic stream periodic queries “Fire and Forget” - Host per VLAN per - Video group reports - Many other apps - Host may send Multicast Routing PIM Multicast leave messages - Reverse Path Forwarding(RPF) - IPv4 – IGMP PIM routing - IPv6 - MLD IGMP Report to Join IGMP Report to Join IGMP Report to Join Multicast Group Multicast Group Multicast Group Member 1 Member 2 Member 1 Receiver Receiver Receiver 5 5

  6. Multicast - IGMP 6 6

  7. Multicast Routing - PIM 7 7

  8. Attacking Multicast Multicast Multicast Source 1 Source 2 Craft Router PIM Packets Craft IGMP/MLD - SCAPY - SCAPY - Colasoft Packet Builder - Collasoft Packet Builder - Possible to use GNS3 - IGMP Leaves or Quagga etc to add - IGMP Queries Multicast PIM router - Spoof IGMP Source Local VLAN Segement PIM routing - Hello packets - Join/Prune packets - Assert Unicast PIM Packets - Register - Register-Stop - C-RP-Advertisement Receiver Receiver Receiver 8 8

  9. Securing Multicast Multicast Multicast Source 1 Source 2 Multicast Storm Control on switches - Control Plane Policing(CoPP) L2 port security - Modular Quality of Service - PIM Neighbor Filter (ACL may be defeated by spoofing. Multicast L2 spoof protection needed.) PIM routing - RP Announce Filter - Multicast Boundary Filter - L3 Switch Aggregation Secure Multicast Control Protocol Trust Relationships Receiver Receiver Receiver 9 9

  10. First Hop Redundancy Protocols V Backup router Active router Virtual router 192.168.1.2 192.168.1.1 192.168.1.3 Multicast protocol Priority elects role MD5, clear, no authentication 192.168.1.50 Rogue Protocol Hacking Tools GNS3 Insider V SCAPY Global Load Balancing Protocol (GLBP) Colasoft Packet Builder Hot Standby Router Protocol (HSRP) Many others … Virtual Redundant Router Protocol (VRRP) (Remember to enable IP forwarding) 10 10

  11. VRRP – No Authentication VRRP – No Authentication 11 11

  12. VRRP – Clear Text Authentication VRRP – Clear Text Authentication 12 12

  13. HSRP MITM – Packet Analysis HSRP Password Clear Text 13 13

  14. FHRP – Crafted HSRP Packets Crafted HSRP coup packet with higher priority Routers Rogue Insider 14 14

  15. IPv6 Neighbor Discover Protocol Filter on IPv6 or Ethernet Type 0x86DD to Identify IPv6 Packets IPv6 uses multicast \ No more broadcast 15 15

  16. IPv6 SLACC MITM IPv6 Neighbor Discovery Protocol (NDP) Mitigations (Think ARP for IPv6) - RAguard IPv6 MITM Tools - 802.1x - Chiron, - Private VLANs - Evil FOCA - IPv6 port security - THC Parasite6 - Source\Destination Guard - SCAPY - SeND (encrypt NDP) - Colasoft Packet Builder Rogue Insider Man-in-the-Middle Sending RA’s Windows Mac Linux Default - Hosts Send ICMPv6 Router Solicitation 16 16

  17. IPv6 Network Discovery Spoofing - MITM IPv6 Neighbor Discovery Protocol (NDP) Mitigations (Think ARP for IPv6) - Source\Destination Guard IPv6 MITM Tools - 802.1x - Chiron - Private VLANs - Evil FOCA - IPv6 port security - THC Parasite6 - NDP Spoofing - SCAPY - DHCP Snooping - Colasoft Packet Builder - Source\Destination Guard - SeND (encrypt NDP) Network Discovery Spoofing - MITM (ARP Spoofing equivalent for IPv6) Mac Windows Rogue Linux Insider 17 17

  18. OSPF – No Authentication 18 18

  19. OSPF – Clear Text Authentication 19 19

  20. Hack the Network via OSPF OSPF Exploit Tools Autononynmous System - Quagga External Network Border Router (ASBR) - NRL Core(Network Simulator) BGP, EIGRP, ISIS - Nemesis - Loki Area 0 - GSN3\Dynamips Area 1 - Buy a router on eBay - Hack a router and reconfigure - Code one with Scapy ABR - IP Sorcery( IP Magic) - Cain & Able to crack OSPF MD5 DR Area Border Router BDR Area 2 - MS RRAS (ABR) - NetDude - Collasoft - Phenoelit IRPAS OSPF typically is implemented without any thought to security. LSA’s are mul<cast on the spoke LAN for any user to sniff without MD5. OSPF Attack Vectors - Take over as DR - Inject routes to mask source of attack - DoS - Inject routes for MITM - Add new routes to hacked router - Change interface bandwidth or use IP OSPF Cost for Traffic Engineering on hacked router 20 20

  21. EIGRP – No Authentication 10.1.2.0 255.255.255.0 21 21

  22. Hack the Network via EIGRP EIGRP Attack Vectors - Inject routes to mask source of attack - DoS - Inject routes for MITM - Add new routes to hacked router - Change interface bandwidth for Traffic Engineering on hacked router EIGRP Exploit Tools - GSN3\Dynamips - Buy a router on eBay - Hack a router and reconfigure - Phenoelit IRPAS Similar to OSPF, EIGRP typically is implemented without any thought to security. Network administrators should use authen<ca<on and configure interfaces to be passive in EIGRP. 10.1.1.0 10.1.2.0 192.168.1.0 255.255.255.0 255.255.255.0 255.255.255.0 22 22

  23. DMZ Layer 2 Security DMZ Secure DMZ Trusts - Typically single VLAN - PVLAN - Open trusts Inside VLAN Internet - VACL - DMZ to Internal AD integ. - Separate Virtual or Physical - Pivot from DMZ to Internal network Int w/ ACL’s - Develop a network traffic *NIX w/NIS(AD Integ.) matrix to define required network traffic flows WWW DNS Internal Network SMTP SharePoint Database Email DNS Active Directory 23 23

  24. Layer 2 – Secure Visualization and Instrumentation In-band Monitoring EPC SPAN NOC \ SOC RSPAN ERSPAN Netflow TAP/Sniffer Out-of-bound Network Whitelist the Layer 2 Network Trust Relationships Whitelist Trusted Information Flows in Monitoring Secure Control, Management, Data Planes 24 24

  25. References Developing IP Mul<cast Networks, Vol 1 – Beau Williamson LAN Switch Security – What Hackers Know About Your Switches, Eric Vyncke, Christopher Paggen, Cisco Press Enno Rey - @Enno_Insinuator, �@WEareTROOPERS� �, ERNW Papers and Resources ,www.ernw.de, www.insinuator.net Ivan PepeInjak - @IOShints, Papers and Resources, h[p://www.ipspace.net IPv6 Security, Sco[ Hogg and Eric Vyncke, Cisco Press h[p://www.gtri.com/wp-content/uploads/2014/10/IPv6-Hacker-Halted-The-Hacker-Code-Angels-vs-Demons.pdf The Prac<ce of Network Security Monitoring, Ricard Bejtlich, No Starch Press Router Security Strategies Securing IP Network Traffic Planes, Gregg Schudel, David J. Smith, Cisco Press h[ps://www.cisco.com/go/safe h[p://docwiki.cisco.com/wiki/FHS h[p://www.netop<cs.com/blog/01-07-2011/sample-pcap-files h[p://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipapp_frp/configura<on/12-4/fp-12-4-book.html h[p://www.cisco.com/c/en/us/td/docs/solu<ons/Enterprise/Security/Baseline_Security/securebasebook/sec_chap8.html h[p://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/best/prac<ces/recommenda<ons.html h[p://www.cisco.com/c/en/us/td/docs/solu<ons/Enterprise/Security/Baseline_Security/securebasebook/sec_chap8.html h[p://www.cisco.com/web/about/security/intelligence/ipv6_first_hop.html h[p://www.cisco.com/c/en/us/support/docs/ip/access-lists/13608-21.html h[p://monkey.org/~dugsong/dsniff/ h[ps://www.yersinia.net h[ps://www.nsa.gov/ia/_files/factsheets/Factsheet-Cisco%20Port%20Security.pdf h[p://iase.disa.mil/s<gs/net_perimeter/network-infrastructure/Pages/index.aspx h[p://www.cisco.com/c/en/us/about/security-center/mul<cast-toolkit.html 25 25

  26. Ques&ons? @PaulCoggin 26 26

  27. OSPF – MD5 Authentication 27 27

  28. EIGRP – MD5 Authentication 10.1.2.0 255.255.255.0 28 28

  29. MPLS Architecture Overview VPN_A VPN_A iBGP sessions 11.5.0.0 10.2.0.0 CE CE P VPN_A VPN_B P 10.1.0.0 10.2.0.0 CE PE CE PE VPN_A P P 11.6.0.0 CE VPN_B PE CE 10.3.0.0 PE VPN_B CE 10.1.0.0 • P Routers (LSRs) are in the Core of the MPLS Cloud • PE Routers (Edge LSRs or LERs) Use MPLS with the Core and Plain IP with CE Routers • P and PE Routers Share a Common IGP • PE Routers are MP-iBGP Fully-meshed Service provider may accidentally or intentionally misconfigure VPN’s Utilize IPSEC VPN over MPLS VPN to insure security 29 29

  30. MPLS Label PCAP - Service Provider Core CPE to CPE Telnet over Service Provider MPLS VPN 32-bit MPLS Label Format • Label : 20-bit • EXP : 3-bit • Bottom-of-Stack : 1-bit • TTL : 8-bit 30 30

  31. Telnet Username \ Password – Clear Text Encapsulated in MPLS VPN A Separate Overlay Encrypted VPN is Required to Secure Your Traffic 31 31

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Bending and Twisting Networks BSides Vienna 2014 Paul Coggin Senior Principal Cyber Security

Bending and Twisting Networks BSides Vienna 2014 Paul Coggin Senior Principal Cyber Security

UNCLASSIFIED UNCLASSIFIED Bending and Twisting Networks BSides Vienna 2014 Paul Coggin Senior Principal Cyber Security Analyst paul.coggin@dynetics.com @PaulCoggin www.dynetics.com 1 1 V100230_Faint V## Goes Here 0000-00-yymm

442 views • 21 slides
Bending and Twisting Networks DeepSec 2014 Paul Coggin Senior Principal Cyber Security Analyst

Bending and Twisting Networks DeepSec 2014 Paul Coggin Senior Principal Cyber Security Analyst

UNCLASSIFIED UNCLASSIFIED Bending and Twisting Networks DeepSec 2014 Paul Coggin Senior Principal Cyber Security Analyst paul.coggin@dynetics.com @PaulCoggin www.dynetics.com 1 1 V100230_Faint V## Goes Here 0000-00-yymm UNCLASSIFIED

366 views • 21 slides
D I G I TA L S U P P LY C H A I N S E C U R I T Y BSides Vienna 2015 Hi Im Dave Lewis I

D I G I TA L S U P P LY C H A I N S E C U R I T Y BSides Vienna 2015 Hi Im Dave Lewis I

D E F E N D I N G T H E E X P O S E D F L A N K D I G I TA L S U P P LY C H A I N S E C U R I T Y BSides Vienna 2015 Hi Im Dave Lewis I was a defender for almost two decades CV: ca.linkedin.com/in/gattaca/ I have the scars to prove

1.04k views • 82 slides
DeepSec 2012 Own the Network Own the Data Paul Coggin Internetwork Consulting Solutions

DeepSec 2012 Own the Network Own the Data Paul Coggin Internetwork Consulting Solutions

DeepSec 2012 Own the Network Own the Data Paul Coggin Internetwork Consulting Solutions Architect paul.coggin@dynetics.com www.dynetics.com Information Engineering Solutions UNCLASSIFIED UNCLASSIFIED Introduction Network Security

380 views • 20 slides
What is SS7 SS7/C7 is to PSTN what BGP routing protocol is to Internet Created by AT&amp;T in

What is SS7 SS7/C7 is to PSTN what BGP routing protocol is to Internet Created by AT&amp;T in

x33fcon 2019 SS7 for INFOSEC Paul Coggin @Paul Coggin What is SS7 SS7/C7 is to PSTN what BGP routing protocol is to Internet Created by AT&amp;T in 1975 Adopted as standard in 1980 SS7 North America C7 Utilized outside

248 views • 22 slides
Enhancing Mobile Malware: an Android RAT Case Study BSIDES VIENNA 2014 November 22 About Marco

Enhancing Mobile Malware: an Android RAT Case Study BSIDES VIENNA 2014 November 22 About Marco

Enhancing Mobile Malware: an Android RAT Case Study BSIDES VIENNA 2014 November 22 About Marco Lancini Security Consultant, CEFRIEL @lancinimarco Roberto Puricelli Security Consultant, CEFRIEL @robywankenoby 2 Introduction Intro

870 views • 35 slides
Running a Bug Bounty Program What you need to know Shpend TU - Master in Software Engineering

Running a Bug Bounty Program What you need to know Shpend TU - Master in Software Engineering

Running a Bug Bounty Program What you need to know Shpend TU - Master in Software Engineering Senior AppSec Engineer &amp; Team Lead @ Bugcrowd Bug bounty Hunter Video Games Bsides Vienna 2016 Agenda What &amp; Why

365 views • 34 slides
f eaturing vZilla Paul Braren, IT Professional VMware Certified Professional (VCP

f eaturing vZilla Paul Braren, IT Professional VMware Certified Professional (VCP

Build Your Own VMware ESXi and Microsoft Hyper-V lab at Home, Using Affordable and Efficient Hardware. Security BSides Boston, Saturday, May 18 2013 f eaturing vZilla Paul Braren, IT Professional VMware Certified Professional (VCP

327 views • 13 slides
Cyber@UC Meeting 52 BSides Recap and Memory Scanning If Youre New! Join our Slack:

Cyber@UC Meeting 52 BSides Recap and Memory Scanning If Youre New! Join our Slack:

Cyber@UC Meeting 52 BSides Recap and Memory Scanning If Youre New! Join our Slack: ucyber.slack.com SIGN IN! (Slackbot will post the link in #general) Feel free to get involved with one of our committees: Content Finance Public

334 views • 18 slides
Forward Guidance without Common Knowledge Discussion Paul Pichler University of Vienna &amp;

Forward Guidance without Common Knowledge Discussion Paul Pichler University of Vienna &amp;

George-Marios Angeletos &amp; Chen Lian Forward Guidance without Common Knowledge Discussion Paul Pichler University of Vienna &amp; Oesterreichische Nationalbank Gerzensee, November 2017 Main contributions Dynamic Beauty Contests

424 views • 8 slides
Chrome OS Hardening http://outflux.net/slides/2012/bsides-pdx/chromeos.pdf Security B-Sides PDX

Chrome OS Hardening http://outflux.net/slides/2012/bsides-pdx/chromeos.pdf Security B-Sides PDX

Chrome OS Hardening http://outflux.net/slides/2012/bsides-pdx/chromeos.pdf Security B-Sides PDX 2012 Kees Cook &lt;keescook@google.com&gt; (pronounced &quot;Case&quot;) Overview Overview Identifying the threat model not the

974 views • 50 slides
2019 EMEA Regional Meeting Bid Vienna October 11 13 Why Vienna? Vienna is the worlds

2019 EMEA Regional Meeting Bid Vienna October 11 13 Why Vienna? Vienna is the worlds

2019 EMEA Regional Meeting Bid Vienna October 11 13 Why Vienna? Vienna is the worlds most livable city and our vibrant country committee is excited to share it with Democrats Abroad! It has palaces, top museums, three opera houses,

349 views • 12 slides
TOWN OF VIENNA FINANCIAL STATEMENT OVERVIEW For the Year Ended December 31, 2016 Johnson Block

TOWN OF VIENNA FINANCIAL STATEMENT OVERVIEW For the Year Ended December 31, 2016 Johnson Block

TOWN OF VIENNA FINANCIAL STATEMENT OVERVIEW For the Year Ended December 31, 2016 Johnson Block &amp; Co., Inc. Certified Public Accountants 406 Science Drive, Suite 100 Madison, Wisconsin (608) 274 2002 Fax: (608) 274 4320 Town of Vienna

279 views • 12 slides
A look at the Vienna Mediation Rules 26/09/2016 Dispute Resolution analysis: The new mediation

A look at the Vienna Mediation Rules 26/09/2016 Dispute Resolution analysis: The new mediation

A look at the Vienna Mediation Rules 26/09/2016 Dispute Resolution analysis: The new mediation rules of the Vienna International Arbitration Centre (VIAC) took effect on 1 January 2016. VIAC is the international arbitration court of the Austrian

393 views • 3 slides
Chapter 9 : Linguistics in Prague and Vienna between the wars John A. Goldsmith May 5 , 2016 1

Chapter 9 : Linguistics in Prague and Vienna between the wars John A. Goldsmith May 5 , 2016 1

Chapter 9 : Linguistics in Prague and Vienna between the wars John A. Goldsmith May 5 , 2016 1 The two main characters 1 . 1 Nikolai Trubetzkoy 1890 - 1938 . Early studies in Russia, and a year in Leipzig. 1 . 2 Roman Jakobson 1896 - 1982 .

225 views • 4 slides
Configuration management with Ansible and Git Paul Waring (paul@xk7.net, @pwaring) March 16, 2016

Configuration management with Ansible and Git Paul Waring (paul@xk7.net, @pwaring) March 16, 2016

Configuration management with Ansible and Git Paul Waring (paul@xk7.net, @pwaring) March 16, 2016 Topics Configuration management Version control Firewall Apache Git Hooks Bringing it all together Live demo

618 views • 23 slides
2013 Full Year Result Terry Davis Group Managing Director John Murphy Managing Director Australian

2013 Full Year Result Terry Davis Group Managing Director John Murphy Managing Director Australian

2013 Full Year Result Terry Davis Group Managing Director John Murphy Managing Director Australian Beverages Nessa OSullivan Group Chief Financial Officer 18 February 2014 1 2013 Result Overview Difficult trading conditions in the

650 views • 18 slides
NoSQL and MongoDB 1 2 Introduction to NoSQL Based on a presentation by Traversy Media 3 What

NoSQL and MongoDB 1 2 Introduction to NoSQL Based on a presentation by Traversy Media 3 What

NoSQL and MongoDB 1 2 Introduction to NoSQL Based on a presentation by Traversy Media 3 What is NoSQL? Not only SQL SQL means Relational model Strong typing ACID compliance Normalization NoSQL means more freedom or flexibility 4

376 views • 34 slides
Mini Course on Epistemic Game Theory Toulouse, June 30 - July 3, 2015 Exercises Part I: Common

Mini Course on Epistemic Game Theory Toulouse, June 30 - July 3, 2015 Exercises Part I: Common

Mini Course on Epistemic Game Theory Toulouse, June 30 - July 3, 2015 Exercises Part I: Common Belief in Rationality Exercise 1. A game of cards Barbara, Chris and you are sitting in a bar, having a drink before the movie starts. You have

214 views • 9 slides
Orange Empire Signal Garden Lessons Learned OR Remove spider * before servicing main board. *

Orange Empire Signal Garden Lessons Learned OR Remove spider * before servicing main board. *

Orange Empire Signal Garden Lessons Learned OR Remove spider * before servicing main board. * For those of you who's first language is not English spider is a bug + not a computer term.. + Bug denotes an animal again not a

1.25k views • 103 slides
Automa utomation tion of of Mit MitM M Attac Attack k on on WiFi iFi Netw Networ orks

Automa utomation tion of of Mit MitM M Attac Attack k on on WiFi iFi Netw Networ orks

Automa utomation tion of of Mit MitM M Attac Attack k on on WiFi iFi Netw Networ orks ks Martin Vondrek Author: Supervisor: Ing. Jan Pluskal Foreign supervisor: Dr Johann A. Briffa ) ) ) ) ) ) ) ) ) wifimitm Brno

332 views • 21 slides
RMLL 2009 Network virtualisation using Netkit and Dynamips Cedric Foll 07.08.09 Cedric Foll

RMLL 2009 Network virtualisation using Netkit and Dynamips Cedric Foll 07.08.09 Cedric Foll

RMLL 2009 Network virtualisation using Netkit and Dynamips Cedric Foll 07.08.09 Cedric Foll cedric.foll@(laposte.net|education.gouv.fr) Network and security architect and Chef Security Officer (CSO) of French Ministry of Education Teacher

408 views • 21 slides
C URVY Y OGA E XPLORATION Module Two W HERE W E RE H EADED

C URVY Y OGA E XPLORATION Module Two W HERE W E RE H EADED

C URVY Y OGA E XPLORATION Module Two W HERE W E RE H EADED Class One : Alignment &amp; Sun SalutaEon ModificaEons Class Two: The 3 Bs

351 views • 11 slides
L AUGHTER Y OGA IS THE B EST M EDICINE Ho Ho - Ha Ha Ha Presented by: Erin Langiano, R/TRO and

L AUGHTER Y OGA IS THE B EST M EDICINE Ho Ho - Ha Ha Ha Presented by: Erin Langiano, R/TRO and

L AUGHTER Y OGA IS THE B EST M EDICINE Ho Ho - Ha Ha Ha Presented by: Erin Langiano, R/TRO and Kellie Halligan, CTRS W HO ARE WE ? W HERE DO WE WORK ? Royal Ottawa Place is a unique long term care facility, providing care to individuals who

694 views • 20 slides

More recommend