Session Overview. ! Introduction! Layer 2 and 3 attack scenarios! CDP, STP & IEEE 802.1q! ARP attacks & ICMP abuse! Discovering & attacking IGPs

Similar documents
Top-Down Network Design, Ch. 7: Selecting Switching and Routing Protocols. Top-Down Network Design. Selecting Switching and Routing Protocols

Top-Down Network Design

Configuring IP Unicast Routing

BTEC Level 3 Extended Diploma

Configuring IP Unicast Routing

Configuring IP Unicast Routing

Hierarchical Routing. Our routing study thus far - idealization all routers identical network flat not true in practice

Configuring IP Unicast Routing

IP Routing Volume Organization

Initial motivation: 32-bit address space soon to be completely allocated. Additional motivation:

TestOut Routing and Switching Pro - English 6.0.x COURSE OUTLINE. Modified

Configuring EIGRP. Overview CHAPTER

Unit 3: Dynamic Routing

TDC 363 Introduction to LANs

Cisco Certified Network Associate ( )

CSc 450/550 Computer Networks Internet Routing

Routing Protocol Type Primarily IGP or EGP RIP Distance-Vector IGP EIGRP OSPF IS-IS BGP

Pass4sures. Latest Exam Guide & Learning Materials

Last time. Transitioning to IPv6. Routing. Tunneling. Gateways. Graph abstraction. Link-state routing. Distance-vector routing. Dijkstra's Algorithm

Computer Networks ICS 651. IP Routing RIP OSPF BGP MPLS Internet Control Message Protocol IP Path MTU Discovery

Question: 1 Which three parameters must match to establish OSPF neighbor adjacency? (Choose three.)

Qus1:-What is cat stands for in networking?

Chapter 4: outline. Network Layer 4-1

MikroTik RouterOS Training. Routing. Schedule. Instructors. Housekeeping. Introduce Yourself. Course Objective 7/4/ :00 10:30 Morning Session I

IPv6 Bootcamp Course (5 Days)

Chapter 4: Network Layer

Internet Routing Protocols Tuba Saltürk

IP Protocols. ALTTC/Oct

Chapter 3 Command List

Topics for This Week

CCNP (Routing & Switching and T.SHOOT)

Detecting Sniffers on Your Network

TCP/IP Networking. Training Details. About Training. About Training. What You'll Learn. Training Time : 9 Hours. Capacity : 12

General Networking. Chapter 1

Routing Information Protocol. A simple distance vector scheme

EIGRP. About EIGRP. CLI Book 1: Cisco ASA Series General Operations CLI Configuration Guide, 9.7 1

Routing Protocols of IGP. Koji OKAMURA Kyushu University, Japan

Computer Networking Introduction

Cisco Exam Troubleshooting and Maintaining Cisco IP Networks (TSHOOT) Version: 6.0 [ Total Questions: 79 ]

Cisco CCNA (ICND1, ICND2) Bootcamp

Multiprotocol BGP Extensions for IP Multicast Commands

CCNA Routing and Switching (NI )

Chapter 4: Network Layer. Lecture 12 Internet Routing Protocols. Chapter goals: understand principles behind network layer services:

CCNA. Murlisona App. Hiralal Lane, Ravivar Karanja, Near Pethe High-School, ,

(Chapters 2 3 in Huitema) E7310/Internet basics/comnet 1

TEXTBOOK MAPPING CISCO COMPANION GUIDES

CCNA MCQS with Answers Set-1

Campus Networking Workshop CIS 399. Core Network Design

Overview. Information About Layer 3 Unicast Routing. Send document comments to CHAPTER

CCNA Cisco Certified Network Associate CCNA (v3.0)

EEC-684/584 Computer Networks

Introduction to Computer Networks

Inter-networking. Problem. 3&4-Internetworking.key - September 20, LAN s are great but. We want to connect them together. ...

IT Certification Exams Provider! Weofferfreeupdateserviceforoneyear! h ps://

Operation Manual IPv4 Routing H3C S3610&S5510 Series Ethernet Switches. Table of Contents

Exam Topics Cross Reference

Fundamental Questions to Answer About Computer Networking, Jan 2009 Prof. Ying-Dar Lin,

ROUTING INTRODUCTION TO IP, IP ROUTING PROTOCOLS AND PROXY ARP

CS 43: Computer Networks Internet Routing. Kevin Webb Swarthmore College November 16, 2017

Routing Information Protocol. RIP application. RIP version 1

Chapter 7 Routing Protocols

CCNA. Course Catalog

CCNA 3 (v v6.0) Chapter 5 Exam Answers % Full

Routing Information Protocol

CCNA Routing & Switching

Auxiliary protocols. tasks that IP does not handle: Routing table management (RIP, OSPF, etc.). Congestion and error reporting (ICMP).

Announcements. CS 5565 Network Architecture and Protocols. Project 2B. Project 2B. Project 2B: Under the hood. Routing Algorithms

Routing in the Internet

CS 43: Computer Networks. 24: Internet Routing November 19, 2018

CCNA Practice test. 2. Which protocol can cause high CPU usage? A. NTP B. WCCP C. Telnet D. SNMP Answer: D

Introduction to Routing

Performing Path Traces

Routing Protocol. Seiya Tsubone. Apr The University of Tokyo. Seiya Tsubone (The University of Tokyo) Routing Protocol Apr. 25.

Internet Routing : Fundamentals of Computer Networks Bill Nace

Introduction to routing in the Internet

CIT 380: Securing Computer Systems. Network Security Concepts

Interconnecting Cisco Networking Devices Part 2 (ICND2 v3.0)

Routing Unicast routing protocols

CCIE Route & Switch Written (CCIERSW) 1.0

Building the Routing Table. Introducing the Routing Table Directly Connected Networks Static Routing Dynamic Routing Routing Table Principles

Routing. Jens A Andersson Communication Systems

The most simple way to accelerate a Router is at 9.8 m/sec/sec.

exam. Number: Passing Score: 800 Time Limit: 120 min CISCO Interconnecting Cisco Networking Devices Part 1 (ICND)

Hot Standby Router Protocol (HSRP): Frequently Asked Questions

Chapter IV: Network Layer

Real4Test. Real IT Certification Exam Study materials/braindumps

Implementing Cisco IP Routing ( )

Antonio Cianfrani. Routing Protocols

CIS 83 Midterm Spring 2004 Answer Sheet Name Score Grade Question Answer Question Answer

Configuring IPv4. Finding Feature Information. This chapter contains the following sections:

ICMP, ARP, RARP, IGMP

Chapter 7: Routing Dynamically. Routing & Switching

DATA COMMUNICATOIN NETWORKING

RIP Version 2. The Classless Brother

Table of Contents 1 Static Routing Configuration RIP Configuration 2-1

GuideTorrent. The best excellent exam certification guide torrent and dumps torrent provider

Internet Layers. Physical Layer. Application. Application. Transport. Transport. Network. Network. Network. Network. Link. Link. Link.

Introduction to routing in the Internet

Cisco Questions & Answers

Internetwork Expert s CCNA Security Bootcamp. Mitigating Layer 2 Attacks. Layer 2 Mitigation Overview

Transcription:

Session Overview! Introduction! Layer 2 and 3 attack scenarios! CDP, STP & IEEE 802.1q! ARP attacks & ICMP abuse! Discovering & attacking IGPs! RIP, IGRP, EIGRP and OSPF! Attacking tunnels! GRE intrusion & RFC-1918 hacking

Trends CERT Coordination Center Trends in Denial of Service Attack Technology http://www.cert.org/archive/pdf/dos_trends.pdf

Attack Scenarios [0] The Network Target Attacker HSRP Victim IGRP RADIUS

Attack Scenarios [1] A normal traffic path Target Attacker HSRP Victim RADIUS

Attack Scenarios [2] Layer 2 interception Target Attacker HSRP Victim RADIUS

Attack Scenarios [3] Layer 2/3 local redirection Target ARP or routing changed Attacker HSRP Victim RADIUS

Attack Scenarios [4] Layer 3 IRDP insertion Target Attacker HSRP Victim RADIUS

Attack Scenarios [5] Layer 3 redirection (ICMP) Target ARP or routing changed Attacker HSRP Redirected traffic Victim RADIUS

Attack Scenarios [6] HSRP switchover & takeover Target Attacker HSRP Victim RADIUS

Attack Scenarios [7] Another normal traffic path Attacker Telnet Backup Victim IGRP Authentication RADIUS

Attack Scenarios [8] IGRP Routing attack Attacker Backup Victim IGRP RADIUS

Attack Scenarios [9] The beauty of multicast Multicast Domain Multicast attack AIX Checkpoint Victim Default Install Attacker

How do these attacks work in general?! Normal communication goes down the OSI layers! All attacks on Layer 2 and Layer 3 work on! Modification of the addressing! Therefore modification of the traffic path Server Application (7) Presentation (6) Session (5) Transport (4) Network (3) Data Link (2) Physical (1) Application stream Protocols/Ports Addressing and routing Ethernet addressing Directly Connected Client Application (7) Presentation (6) Session (5) Transport (4) Network (3) Data Link (2) Physical (1)

Layer 2 Attack! Man in the middle attack! Intercepting traffic by giving false data link address information to both parties! Layer 3 remains untouched! Most effective way is ARP interception Server Application (7) Presentation (6) Session (5) Transport (4) Network (3) Data Link (2) Physical (1) Attacker decides forwarding Attacker Data Link (2) Physical (1) Client Application (7) Presentation (6) Session (5) Transport (4) Network (3) Data Link (2) Physical (1)

Layer 3 Attack! Man in the middle or remote attack! Intercepting traffic by giving false next hop information to one or both parties! Works from remote segments! There are various methods of applications Server Application (7) Presentation (6) Session (5) Transport (4) Network (3) Data Link (2) Physical (1) Attacker decides forwarding Attacker Network (3) Data Link (2) Physical (1) Client Application (7) Presentation (6) Session (5) Transport (4) Network (3) Data Link (2) Physical (1)

Cisco Discovery Protocol (CDP)! Cisco proprietary data link layer protocol! Used for discovery purposes! Contains valuable information about the router or switch! IP address! Software Version! Platform! Capabilities! Native VLAN...! Can be used for Denial of Service attacks

Spanning Tree (STP)! Provides path calculation for flat earth networks! Sends out periodic BPDUs (bridge protocol data units) approximately every 4 seconds! Switch with the lowest priority value becomes root and frames will be forwarded through it S1 S1 S2 S2

Spanning Tree (STP) attack! Different BPDUs send out to switches all the time forces spanning tree recalculation! BPDUs with Attacker as best root switch may result in attacker getting all traffic (attacker becomes tree root) Attacker

IEEE 802.1q VLAN trunks! Used to share a VLAN between two switches! Uses a tag field in frame to identify VLAN! Trunk transports frames from all trunked VLANs Attacker Trunk connection using tagged frames Victim VLAN 1 Eth II frames VLAN 2 Eth II frames

IEEE 802.1q trunk frames! Frames get tagged for VLAN trunk transport 6 Bytes 6 Bytes 2 Bytes 2 Bytes 2 Bytes Destination Source TPID TCI Type Payload TPID 0x8100 16bit Pr C 3bit 1 VLAN id 12bit

IEEE 802.1q VLAN hopping! Attacker sends already tagged frames! Frames are addressed to Victim s MAC! Tagged frame is forwarded unmodified to trunk port and gets untagged on destination switch Tagged frame Eth II frame Victim Attacker

Address Resolution Protocol ARP (RFC 826)! IP addresses are resolved into Media Addresses! If the Media Address is unknown, request it via Broadcast! First or most recent answer is used to communicate! Address cache times out on most systems Host A 10.1.1.1/24 Network (3) Data Link (2) Physical (1) Who is 10.1.1.2? I am 10.1.1.2 with MAC 00:00:0C:12:34:56 Host B 10.1.1.2/24 Network (3) Data Link (2) Physical (1)

ARP Interception! Be faster or more chatty than the recipient! Intercept both directions to prevent direct communication! Invisible for Layer 3 integrity checks! Requires bridging/routing (Tool or OS)! Can be used to insert packets or prevent traffic Host A 10.1.1.1/24 I am 10.1.1.2 with MAC 00:00:0F:FE:FE:FE Host B 10.1.1.2/24 Network (3) Data Link (2) Physical (1) Network (3) Data Link (2) Physical (1) Network (3) Data Link (2) Physical (1)

Wireless ARP Attack! The attack works on IEEE 802.11 networks as well... Victim Access Point Attacker Victim

DHCP replaces ARP attacks! Attacker runs exhaustion attack on DHCP server! Clients are supplied with evil DHCP config Client requests DHCP config DHCP Attacker supplies IP config Client uses attacker as DNS and default gateway Host A Attacker Running DHCP & DNS

Discovering Routers! Routers can be discovered passively by! Listening for Multicast emissions (HELLO and Updates)! Listening for Router advertisements, redirects and CDP! Routers can be discovered actively by! Querying Routing processes (AS scanning)! Router Solicitations! OS Fingerprinting! Protocol scans! Port scans! Taking over management systems

Router Discovery Tools! Autonomous System Scanner (ASS) can be used for active or passive detection! Ethereal can decode most routing protocols! ntop can be used to discover central traffic points! tcpdump s -e option shows data link addresses! Fyodor s nmap and Phenoelit s protos scan for IP protocols! DHCP queries reveal router addresses! NMS database contains router information (HPOV)

ICMP Router Discovery Protocol (IRDP RFC 1256)! ICMP Router Discovery Protocol enabled router sends out periodic updates as broadcast! IRDP requests (called Router Solicitations) are send as broadcast by Hosts that look for a default gateway! Announcing Router is inserted in Host routing table! Metric is higher then the static default for normal routers! Metric is lower then anything else! Metric depends on preference value of the updates

IRDP Attacks! Attacker sends IRDP updates! Attacker then makes the default gateway temporary unavailable! CDP overflow attacks (Router reboot)! Temporary ARP interception! Dial on demand routers! Attacker is now the default router Host A Attacker

IRDP Attacks! Can be used targeted (unicast) or wide (broadcast)! Lifetime of a route max 18h:12min:15sec! Windows 9x! does IRDP all the time! can be forced to use the attacker s router by using preference 1000 in the answer and sending an ICMP host unreachable message! Windows NT4 performs IRDP during boot! Windows 2000 and Linux don't care

ICMP Redirects (RFC 792)! Introduced to make routing more effective! Packet is send from Host A to B through router R1! R1 finds next hop R2 on same segment and network! R1 forwards the packet! R1 sends ICMP Redirect to A Host A Host B R1 R2

ICMP Redirect Attack! Packet is sent from Host A to B through router R2! Attacker sees traffic (A->B) and sends spoofed ICMP redirect to Host A! Host A adjusts routing and sends traffic through Attacker! Normally requires copy of the first 64bits of the packet! Even works across routers! Host A Host B Attacker R2

ICMP Redirect Host Reactions! Windows 9x Hosts! Accepts ICMP redirects by default! Adds a host route to routing table! Linux Hosts! Accepts ICMP redirects by default in some distributions! See /proc/sys/net/ipv4/conf/*/accept_redirects Does not show redirects in routing table! Tools:! IRPAS icmp_redirect! icmp_redir from Yuri Volobuev

Interior Gateway Routing Protocol (IGRP)! Cisco proprietary protocol! 2 16-1 = 65535 possible autonomous systems! No authentication! Delay, bandwidth, reliability, load and hop count used to calculate metric! Passive or silent hosts possible (protocol scan)! Spoofed updates have better metric then real links! Requires spoofed source network to be enabled

IGRP Attacks Introducing new routes or modifying routes Server: 10.1.1.2/24 IGRP Update makes R1 the better router IGRP Update makes attacker the next hop router R3 Attacker 10.1.3.2/24 10.1.1.2/24 IGRP R2 Host B R1 10.1.2.2/24

IGRP Attacks Creating routing loops Server: 10.1.1.2/24 Tell R3 that R1 is the best Router to 10.1.2.0/24 R3 Tell R1 that R3 is the best Router to 10.1.2.0/24 IGRP Attacker 10.1.3.2/24 R1 R2 Host B 10.1.2.2/24

Routing Information Protocol (RFC 1058, 2453)! RIP v1 (RFC 1058)! Uses fixed subnet/netmask size by class! No autonomous systems! Runs on UDP port 520! Broadcast or unicast traffic! RIP v2 (RFC 2453)! Supports variable subnet size! Multicast or unicast traffic! Clear text authentication defined! Cisco supports MD5 authentication (double authentication block forbidden by the RFC)

RIP Attacks! Same attacks as with IGRP! Network boundaries are important for RIPv1! Multicast RIPv2 (224.0.0.9) may be forwarded across segments! Split Horizon algorithm with poisoned reverse! Sends unreachable back to sender of the route (metric 16)! May prevent routing loop attacks! Protects only if more than 2 routers are in the segment! Tools:! rprobe.c and srip.c from humble! Nemesis-rip from Mark Grimes! ASS to scan

Enhanced Interior Gateway Routing Protocol (EIGRP)! Yet another Cisco proprietary protocol! 2 32-1 possible autonomous systems (65535 used)! No authentication! Delay, bandwidth, reliability, load and hop count used to calculate metric! Attacker must become neighbor to exchange routing information with AS! Requires spoofed source network to be enabled

EIGRP Route Introduction! Attacker joins as EIGRP neighbor! Attacker injects new route EIGRP Attacker

Opens Shortest Path First OSPF (RFC 2328)! Sends LSA (Link State Advertisements) through the Area! Uses HELO packets to Multicast (224.0.0.5)! Every router knows the status of the Area! No authentication, clear text or md5 defined! IP Protocol 89 (protocol scan)! More security features than other routing protocols! The hard-to-understand factor helps the attacker

OSPF Attacks! Attacks can become very complex! Forged LSAs are contested by routers! For demonstration we use an extended-layer 2 attack! Run modified ARP interception software! Change OSPF packets while bridging them from R1 to R2! Let R2 distribute the false information through the area R1 OSPF R2 Attacker

Border Gateway Protocol BGP 4 (RFC 1771)! Exterior Gateway Protocol that connects Autonomous Systems! Uses TCP Port 179 for communication! IBGP (interior BGP) needs an IGP or static routes to reach neighbors! Possible attacks include:! Bad updates! Abuse of BGP communities! TCP Sequence Number and Layer 2 attacks! IBGP is a softer target than EBGP

Hot Standby Router Protocol HSRP (RFC 2281)! Cisco proprietary protocol for high availability! Standby IP address and MAC address are bound to the active router! There are one or more inactive routers! Multicast driven communication, UDP Port 1985! Authentication is done in clear text! If active router no longer says Hello...! Inactive routers send out a request to take over! Router with the highest priority wins state ACTIVE

HSRP Attacks! New routers with high priority can take over the standby addresses Host A R1 R2 Host B HSRP Attacker

Attacking tunnels! Theory of unencrypted tunnel attacks:! Generate traffic for the inside target network! Encapsulate in tunneling protocol! Send to tunnel destination router! Return path depends on scenario! Vulnerable protocols:! IPX encapsulation (RFC 1234)! AX.25 encapsulation (RFC 1226)! Internet Encapsulation Protocol (RFC 1241)! IPv4 in IPv4 encapsulation (RFC 2003)! Generic Routing Encapsulation (RFC 1701, 1702, 2784)

Generic Routing Encapsulation GRE (RFC 1701, 1702, 2784)! Used to transport protocol A over domain of protocol B in B s payload! IPv4 in IPv4! IPv6 in IPv4! IPX in IPv4! etc.! Optional 32bit tunnel key! Sequence numbers defined but weak! Supports source routing!

Once upon a time... 10.1.5.1/24 62.4.7.8 194.3.5.4 10.1.4.2/24 10.1.5.2/24 Internet 10.1.4.1/24! Company tries to connect private networks! Carrier offers VPN solution based on GRE! IP traffic from remote location to HQ encapsulated in GRE

Making the game interesting! Branch office router:! Does not allow any traffic on outside interface other than GRE from 194.3.5.4! Routes all traffic from the internal network (10.1.5.0/24) into the GRE tunnel! HQ router! Does not allow incoming connections on the outside interface! Does only allow GRE from branch offices

GRE Tunnel Intrusion 10.1.5.1/24 62.4.7.8 194.3.5.4 10.1.4.2/24 10.1.5.2/24 Dest: 62.4.7.8 GRE Dest: 10.1.5.2 Attacker Internet 10.1.4.1/24 VIPPR 208.47.125.33 208.47.125.32

Islands at Risk! IPv4 islands (IP Encapsulation within IP)! IPv6 islands connected by GRE tunnels IPv6 IPv4 Internet IPv6

Phenoelit IRPAS Tools! Autonomous System Scanner! Protocol sender: icmp_redirect, cdp, hsrp, igrp, irdp, irdpresponder! Trace programs: itrace & tctrace! Protocol scanner: protos! Virtual IP attack router (still 1st beta): VIPPR Tools and slides available on http://www.phenoelit.de/

www.darklab.org Explain the code Get the T-Shirt Security Group

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback