Project 1: Network Penetration Testing

Transcription

1 Project 1: Network Penetration Testing October 11, 2004 This is a seven week project in which you will explore, test, and verify the presence of known vulnerabilities from the bottom to the top of OSI layer [1] in your network. You will be using the ISIS test bed, ASSET, for this project. The network topology is depicted in figure 2. The project itself is divided into five sections according to the OSI layers (see figure 1) and you will work on one section every week. For each section you will use the pentest procedure discussed in the class and refine your attack trees. In the sixth week you will present the final attack tree that incorporates all the attack trees you have developed to meet a final goal. Week 1: Physical Network Survey In the first week of this project you will test the physical security of the network. In addition, you will gather vital information about the hardware, software, procedures, and tools used in the network and used to maintain the testbed that may come in handy in future. Following is an incomplete list of items you must consider when assessing physical security of a network. In addition, you may cover any other relevant items as part of your pentest process. The list and questions are provided as a guide and by no means exhaustive. Your grades, however, will depend on the comprehensiveness of information you gather. 1. Equipment Security: How are the equipments protected? Who has access to what equipment? What is the process of gaining access equipments in the network? What kind of switches are in the network? Can you access the switch s console port? What is the physical topology of the network? 2. Network Media Security: What type of network media is used? How can the network media be accessed tapped? 3. EMI from Network Media and Equipment What protection measures are taken to avoid EMI? Is there any EMI from the media? Are there any hardware tools to extract data from EMI emitted by the media, switch or any other networking equipment? At the end of the week you would have gathered all necessary information relevant to assess physical security of the network. Your report will structure this information in a readable form. In addition, you will create an attack tree with all the information you gathered. Then, verify which attacks are viable on the network and refine your attack tree accordingly. The report you turn should include at least the following information: 1

2 Week 7 Final Presentation Application Week 6 TCP, UDP, HTTP, SQL, DNS, IMAP, and SMTP Presentation Session Week 4, 5 OSPF, BGP Week 2, 3 CAM Table, VLAN, STP, ARP Week 1 Physical Topology Survey Transport Network Data Link Physical Figure 1: Project 1 Schedule Information you gathered on the network infrastructure, processes, etc. An attack tree for the network Methods taken to verify the attacks in the attack tree Pruned/refined attack tree noting which attacks are viable and which ones are not. This attack tree should include a cost metric so that we can find out the most serious threats immediately. Note: Please note that your report should include two attack trees. One prior to verifying attacks and the other (pruned tree) which has only attacks that are viable on the network. Also, note that this section is concerned only about the physical security of the network. Week 2 & 3: Data Link Security In this two week exercise you will explore and verify vulnerabilities in layer-2 protocols and mechanisms used in ISIS. In particular, you will be dealing with CAM Tables, VLANs (802.1Q), and Spanning Tree Protocol [2, 3]. From previous week s exercise you already know the type of switches in use and the topology. In the first week you will create three attacks trees, one for each protocol or mechanism, and prune them using the knowledge you gained from last week. For example, you may have attacks in your initial attack tree that are specific to certain switches or software versions, which you could eliminate. You should also create a Plan of Attack that you would use to verify your semi-pruned attack tree. Your Plan of Attack must at least include the following: What off-the-shelf tools are planning to use or develop and use? A detailed procedures to test each protocol or mechanism and what are expecting to observe in each step Backup plans if things go wrong. (Things will go wrong, and you are expected to predict what can go wrong and be prepared for that event. To the best you can) In the second week you will execute your Plan of Attack and prune the attack tree further to reflect the results you observe. The following is a preliminary guide-line for the goals to achieve for each attack: 1. CAM table: Make your behave like HUB ed network 2

3 ASSET Network Victim Network Figure 2: Your Test Network for Project-1 2. STP: Make all the traffic between and go through 3. VLAN : Try to send a packet to in victim s network from your network directly (i.e. without going through the routers) You are free to extend the goals of your attacks but your report must include the verification of at least the attacks above. Your report should include the following items: An overview of VLANs, CAMs, and STP. An attack tree for the each of the above protocol Verification (include source code in all cases) of the goals listed above Prune the attack tree accordingly and attach the pruned tree Please answer the following questions: Are there any well-known vulnerabilities specific to the switches in ISIS? If so, please describe the vulnerabilities in detail (and cite your source). Are there any well-known vulnerabilities in the protocols and mechanisms in general? If so, please describe the vulnerabilities in detail (and cite your source). How are these CAM tables implemented in switches? Are there separate CAM for each port, VLAN, or for group of ports? List tools available to test vulnerabilities at layer-2? Week 4 & 5: IP Routing Security In the last exercise you studied and tested layer 2 protocols and mechanisms in ASSET for vulnerabilities. For the following two weeks your task is to do the same in layer 3. In particular, you will study the design 3

4 PIX M1 M2 M3 M4 M5 Intermediate Network Net 4 Net 5 Net 6 OSPF BGP Figure 3: ASSET s IP Routing Topology and implementation of OSPF and BGP and test them for vulnerabilities. Figure 3 depicts the IP routing topology and yes ASSET uses both BGP and OSPF for routing. The following is a list of tasks for this two-week long assignment. Week 4 Understand the need for routing protocols, where the protocols fit in a network, and their importance. What are the differences between BGP and OSPF? What are their alternatives? Understand the design details of OSPF and BGP. You can go through the RFCs [4, 5, 6]. You must understand the preconditions and postconditions proposed in the RFCs for the protocols proper operations. Using the RFCs as a guide please answer the following questions: 1. Draw functional diagrams for OSPF and BGP. 2. Identify preconditions and postconditions for each item. 3. Note any explicit or implicit assumptions made by in the RFC, as these will help exploit the protocols. As you can see the RFCs are old. Do the OSPF and BGP used in ASSET follow the RFCs. That is, is the implementation we are using different from the ones proposed in the RFCs. If so what has changed? How is the Intermediate network wired? Create a list of attacks against OSPF and BGP. Here is an incomplete list of studies and research papers on this subject [7, 8, 9, 10]. Create a separate attack tree and Plan of Attack for each protocol. As usual create an attack tree with all the vulnerabilities. Then verify the vulnerabilities and prune your attack trees accordingly. Please attach all four attack trees to your report. 4

5 Week 5 Week 5 is allotted for you to test the vulnerabilities and prepare your report. ASSET uses both BGP and OSPF for routing, so test to see if it is vulnerable to any of the attack. Week 6: Application security TBA Week 7: Final Presentation TBA References [1] Eugene Blanchard, Introduction to Networking: and Data Communications to networking/c4412.htm, Commandprompt, Inc, Internet page. [2] Ido Dubrawsky, Safe Layer 2 Security In Depth Version 2 /cuso/epso/sqfr/sfblu wp.pdf, Cisco Systems Inc. Internet White Paper. [3] Cisco Systems, Virtual LAN Security Best Practices /si/casi/ca6000/prodlit/vlnwp wp.pdf, Cisco Systems Inc. Internet White Paper. [4] J. Moy, OSPF, RFC IETF, [5] Y. Rekhter, RFC A Border Gateway Protocol 4 (BGP-4). IETF, [6] An Internet Encyclopedia [7] Butler, K. Mcdaniel, P. A Survey of BGP Security [8] Vetter, B. An Experimental Study of Insider Attacks For OSPF Routing Protocol U.S. Department of Defense Advanced Research Projects Agency and the U.S. AFRL [9] Bellovin, S. Routing Security smb/talks/routesec.pdf AT&T Research Labs, [10] Wang, F. On the vulnerabilities and protection of OSPF routing protocol rsg/routing/references/wang98vulnerability.pdf. 5