Attacks and Mitigation with Cisco

Michael Howe
ATTACK, 1/2009

Switch Overview. The Data Link Layer, or Layer 2 of the OSI model, is the protocol layer that provides the functional needs for data transportation between multiple nodes on a network. Ethernet, PPP, and Frame Relay are examples of data link layer protocols, while Media Access Control (MAC) and Logical Link Control (LLC) are sub-layers.

WHAT YOU SHOULD KNOW...
• The OSI model and its layers;
• The basics of Cisco switch configuration;
• Basic Linux command line tools, including apt or yum;
• Knowledge of sniffing and how to do it; and
• The fundamentals of networking.

WHAT YOU WILL LEARN...
• You will learn layer two attacks and how to protect against them using Cisco technology.
• You will not learn layer three network attacks, basics of Cisco, or ACL configuration.

A switch is a layer 2 device. It is unlike a hub in that it regulates the flow of data, or frames, between ports. These frames are sent between end devices over a switched network, with their source and destination addresses remaining unchanged. The source addresses are stored in a Content Addressable Memory (CAM) table, which is used to map each source address to its corresponding switch port. This is where the first attack of this article begins.

CAM Table Overflow
A CAM Table Overflow occurs when a switch is inundated with a large number of MAC source addresses, causing the CAM table to reach its threshold. This results in the switch reverting to hub-like behavior: it floods traffic out all ports, as the CAM table is unable to store more source addresses. This is also known as Switch Jamming.
The flood of traffic caused by a CAM Table Overflow is limited to the VLAN, or broadcast domain. In other words, if an attack occurs on a switch port that is assigned to VLAN10, the traffic will not be flooded out of the switch ports that are assigned to VLAN20. This is, of course, because the switch is broadcasting packets, which are segregated by the broadcast domain.
A Cisco Catalyst 6000 switch is able to stow about 128,000 source addresses in its CAM table, but storage capacity differs depending on the switch's capabilities, which is generally determined by its RAM limitations (Figure 1).

CAM Table Overflow – Attack
Due to the fact that layer 2 technologies and protocols are relatively old, they are often susceptible to attacks that were around ten years ago; thus the attack vectors are often well developed and very easy to use. In May 1999, the infamous macof was released, originally in Perl. It was written in about 100 lines of code, and was designed to flood a switch with randomly spawned source and destination MAC addresses, as well as their corresponding IP addresses. The tool was later rewritten in C and integrated into the dsniff toolset, a collection of tools for network auditing and penetration testing.
To perform a CAM Table Overflow attack from a Debian box (or one of its derivatives), sudo to root and install the dsniff toolset by typing the following:

user@nullity:~/$ sudo -s
root@nullity:~/# aptitude install dsniff

As mentioned earlier, the macof tool is bundled in the dsniff toolset, and can be called from the terminal by the root user with the following command:

root@nullity:~/# macof

The terminal window will instantly be flooded with randomly generated MAC addresses, as will the network. It doesn't take macof long to flood the network with these frames, so to kill the macof process after a couple of minutes, just press [CTRL]+[C].
Once macof has run, open a network packet sniffer and start capturing packets. If you're unsure of how to use a network packet sniffer, the 2-2009 edition of Hakin9 has a short article titled Ettercap which gives a brief overview of Ettercap and its uses.
Figure 1. An attacker floods the switch with MAC addresses, resulting in a CAM Table Overflow
Figure 2. macof floods the switch with bogus data

Cisco Mitigation with Port Security
A feature of Cisco Catalyst switches that prevents CAM Table Overflow attacks from being successful is port security. Port security was integrated into Catalyst switches to control port access via MAC addresses. To configure access-layer switch port protection, enable port security at the interface-configuration level with the following command:

(config-if)# switchport port-security

Once port security is enabled, allowed MAC addresses need to be identified for that particular port. This can be configured explicitly or dynamically, and a maximum number of MAC addresses (from 1 to 1,024) on that port can also be configured. The following command will specify a maximum number of source MAC addresses allowed to connect to the particular port:

(config-if)# switchport port-security maximum <max>

The above command will enable a maximum number of source addresses to connect to a port, where <max> is 1 to 1,024. MAC addresses that are learned dynamically are sometimes known as sticky MAC addresses. Sticky MAC addresses can be set using the following command:

(config-if)# switchport port-security mac-address sticky

If business requirements state that a static MAC address must be set, the following command can be used:

(config-if)# switchport port-security mac-address <xxxx.xxxx.xxxx>

The above will set a static MAC address, where <xxxx.xxxx.xxxx> is the MAC address permitted on that port. If the number of statically set MAC addresses is less than that set with the maximum command, the remaining permitted hosts will be defined dynamically. Now that port security has been set to check for a maximum number of MAC addresses, as well as the MAC addresses themselves, it is imperative that a reaction is enabled when a violation occurs. There are three actions that can be set when a violation occurs; they are:
• Shutdown – The port is put into the errdisable state, and must be re-enabled manually or through errdisable recovery before any more data will be allowed through the switch port;
• Restrict – The port remains in an up state, but any packets containing violating source addresses are dropped. SNMP traps and syslog messages can be set, and the switch keeps track of the number of violations that occur on that port; and
• Protect – Much like the restrict mode, protect mode allows the port to remain in the up state, dropping violating packets, but the port will not log any data.
To enable port-security violation restrictions on the switch port, use the following command:

(config-if)# switchport port-security violation {restrict | protect | shutdown}

The port security configuration should look something like:

(config)# interface range fa0/1 - 24
(config-if)# switchport mode access
(config-if)# switchport port-security
(config-if)# switchport port-security maximum <max>
(config-if)# switchport port-security mac-address {mac-address | sticky}
(config-if)# switchport port-security violation {protect | restrict | shutdown}
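The CAM Table Overflow described earlier and the port-security maximum/violation behaviour of this section, modelled together in a small Python simulation. This is an added example, not code from the article: the Switch class, the port numbering, the CAM capacity of 1024 and the "bogus:N" source addresses are this example's own assumptions, and the model is simplified to one VLAN with one global CAM limit.

```python
from collections import OrderedDict

class Switch:
    """Toy CAM table plus port security (added example, not the article's code)."""

    def __init__(self, cam_capacity, ports):
        self.cam_capacity = cam_capacity   # simplified: one VLAN, one global limit
        self.cam = OrderedDict()           # source MAC -> ingress port
        self.ports = set(ports)
        self.secure = {}                   # port -> port-security state
        self.errdisabled = set()

    def port_security(self, port, maximum=1, violation="shutdown"):
        # switchport port-security maximum <max> / violation {protect|restrict|shutdown}
        self.secure[port] = {"max": maximum, "mode": violation,
                             "learned": set(), "violations": 0}

    def receive(self, port, src, dst):
        """Return the set of egress ports for a frame, or None if it is dropped."""
        if port in self.errdisabled:
            return None
        sec = self.secure.get(port)
        if sec and src not in sec["learned"]:
            if len(sec["learned"]) >= sec["max"]:   # violating source address
                if sec["mode"] != "protect":
                    sec["violations"] += 1          # restrict/shutdown count (and log)
                if sec["mode"] == "shutdown":
                    self.errdisabled.add(port)      # port goes err-disabled
                return None
            sec["learned"].add(src)                 # dynamic (sticky-style) learning
        if src in self.cam or len(self.cam) < self.cam_capacity:
            self.cam[src] = port           # a full table cannot store new sources
        out = self.cam.get(dst)
        if out is not None and out != port:
            return {out}                   # known destination: switched to one port
        return self.ports - {port} - self.errdisabled   # unknown: flooded, hub-like

def overflow_demo(protected):
    """Attacker on port 1 floods bogus sources; hosts A (port 2) and B (port 3) then talk."""
    sw = Switch(cam_capacity=1024, ports={1, 2, 3})
    if protected:
        sw.port_security(1, maximum=1, violation="shutdown")
    def flood():                           # macof-style random source/destination pairs
        for i in range(2000):
            sw.receive(1, f"bogus:{i}", f"bogus:{i + 1}")
    flood(); sw.cam.clear(); flood()       # the flood outlives the CAM aging timer
    sw.receive(3, "bb:bb", "aa:aa")        # B tries to be (re)learned
    # Returns (egress ports for A's frame to B, CAM size, err-disabled ports)
    return sw.receive(2, "aa:aa", "bb:bb"), len(sw.cam), sorted(sw.errdisabled)
```

Without port security the bogus entries keep the table full, so A's unicast to B is flooded to the attacker's port as well; with maximum 1 and shutdown, the second bogus source err-disables port 1 and B's entry is learned normally.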
To display port-security configurations on a switch, use the following show commands:

# show port-security
# show port-security interface <interface>
# show port-security address
# show mac-address-table
# show interfaces status err-disabled

To bring a violated interface back online, use the following two commands. The first clears the port's dynamically learned addresses; the second re-enables the interface through errdisable recovery:

# clear port-security dynamic [address <mac> | interface <interface>]
(config)# errdisable recovery cause security-violation

HSRP and MitM
Hot Standby Router Protocol (HSRP) is used to provide the access layer with high availability when hosts require only a default static route. It is used to group two or more Layer 2 routers into one virtual router. The physical routers keep their MAC and IP addresses, while the virtual router assumes new information, which is shared between the physical routers.
In HSRP, one physical router becomes the active router, which forwards any IP packets that are sent to the virtual router. The other physical routers are then used to store HSRP state, and if the active router fails, one of these routers takes on the role of the active router. These routers are known as standby routers within the HSRP process.
HSRP messages are sent to the multicast address 224.0.0.2 for version 1, and 224.0.0.12 for version 2. These multicast addresses are part of the link-local multicast space, and are limited to the local Ethernet network segment.
Routers that participate in the HSRP process use their own IP addresses as the source address for HSRP protocol packets; this ensures that participating routers can be identified by each other. When it comes to MAC addresses, however, only standby routers use their own MAC addresses; the virtual MAC address is used as the active router's source address (Figure 3).

Figure 3. HSRP packet breakdown

Attacking HSRP
According to the HSRP RFC, the protocol is not a secure protocol, and is therefore susceptible to Man in the Middle (MitM) attacks. From RFC 2281:
The [HSRP] protocol is easily subverted by an active intruder on the LAN. This can result in a packet black hole and a denial-of-service attack.
Yersinia is a layer 2 attack toolkit designed to take advantage of weaknesses in various network protocols. One of these protocols is HSRP, which has several weaknesses that Yersinia addresses. These are:

<0> NONDOS attack sending raw HSRP packet
<1> NONDOS attack becoming ACTIVE router
<2> NONDOS attack becoming ACTIVE router (MITM)

Option <0> can be used as a reconnaissance tool, as it allows an attacker to gain information on the HSRP process within a network. Option <1> is actually a DoS attack, as it confuses HSRP into setting a non-existent router as the active router, essentially sending all frames to a black hole. Option <2> is much like Option <1> except that instead of sending all frames to nowhere, the attacker becomes the active router and all frames are sent through the attacker's server.
To run the HSRP attack on a Debian based box, use the following commands:

user@nullity:~/$ sudo -s
root@nullity:~/# aptitude install yersinia
root@nullity:~/# yersinia -I

Note: the -I flag opens Yersinia in the ncurses interface mode. When in the Yersinia interface, follow these steps to begin a MitM attack:
• Press i to bring up the interface settings; set the interface and press q to exit the Global Interfaces window.
• Press g to bring up the Choose Protocol Mode window; highlight the HSRP entry and press Enter.
• Press x to bring up the Attack Panel window; highlight option <2> and press Enter to begin the attack.

Figure 4. Enabling a HSRP attack using Yersinia
Figure 5. An attacker hijacks the HSRP process with the highest priority
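The HSRP packet breakdown of Figure 3 and the highest-priority hijack of Figure 5, from the defender's side: an added Python example (not the article's code) that decodes an HSRPv1 message captured from UDP port 1985 using the RFC 2281 field layout and flags a Hello from an address that is not a known router, or one that outbids every legitimate priority. The sample message bytes, the KNOWN_ROUTERS table, its priorities and the auth string are constructed for this example.

```python
import struct
from ipaddress import IPv4Address

# HSRPv1 message layout (RFC 2281, 20 bytes): version, op code, state, hellotime,
# holdtime, priority, group, reserved, 8-byte authentication data, 4-byte virtual IP.
HSRP_FMT = "!BBBBBBBB8s4s"
OPCODES = {0: "Hello", 1: "Coup", 2: "Resign"}
STATES = {0: "Initial", 1: "Learn", 2: "Listen", 4: "Speak", 8: "Standby", 16: "Active"}

def parse_hsrp(payload):
    """Decode the UDP payload (port 1985) of an HSRPv1 message into a dict."""
    if len(payload) < struct.calcsize(HSRP_FMT):
        raise ValueError("truncated HSRP message")
    (ver, op, state, hello, hold, prio, group, _reserved,
     auth, vip) = struct.unpack(HSRP_FMT, payload[:20])
    return {
        "version": ver,
        "opcode": OPCODES.get(op, f"unknown({op})"),
        "state": STATES.get(state, f"unknown({state})"),
        "hellotime": hello, "holdtime": hold,
        "priority": prio, "group": group,
        # Plain-text authentication: whoever can sniff the segment reads this
        # field directly, which is why the MD5 key-chain mitigation matters.
        "auth": auth.rstrip(b"\x00").decode("ascii", "replace"),
        "virtual_ip": str(IPv4Address(vip)),
    }

def is_hijack_attempt(src_ip, msg, known_routers):
    """known_routers maps each legitimate router IP to its configured priority.
    Flag a Hello/Coup from an IP that is not a known router, or one that
    outbids every legitimate router (the priority-255 takeover pattern)."""
    if msg["opcode"] not in ("Hello", "Coup"):
        return False
    if src_ip not in known_routers:
        return True
    return msg["priority"] > max(known_routers.values())

# Constructed sample: an Active-state Hello for group 1 with priority 255, as it
# would appear in a capture from a rogue host (decoded only, never transmitted).
SAMPLE_HELLO = bytes([0, 0, 16, 3, 10, 255, 1, 0]) + b"s3cret\x00\x00" + bytes([192, 168, 0, 1])
KNOWN_ROUTERS = {"192.168.0.2": 110, "192.168.0.3": 100}   # assumed legitimate routers

def check_sample():
    msg = parse_hsrp(SAMPLE_HELLO)
    return msg, is_hijack_attempt("192.168.0.22", msg, KNOWN_ROUTERS)
```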
With this attack, Yersinia sends a HSRP packet with the maximum priority of 255. Provided that forwarding is enabled on the attacking machine and the static route is correctly set, all valid HSRP routers become standby routers, and the attacking machine will then forward all network traffic through its interfaces.

HSRP Manipulation Mitigation
In order to mitigate a HSRP attack, a number of procedures have to take place. One is to prevent the attacker from forging valid HSRP packets, which can be done using authentication. The other is to prevent the attacker from sending HSRP packets, which can be done via access control lists (ACLs).
To enable HSRP authentication with an MD5 key-chain, enter the following configuration:

(config)# key chain <NAME>
(config-keychain)# key <ID_number>
(config-keychain-key)# key-string <passphrase>
(config-if)# standby 1 authentication md5 key-chain <NAME>

This should be entered on all HSRP participating routers to ensure that each router is able to participate in the HSRP process. Of course, with Cisco key-chains the accept lifetime can be set within the keychain-key configuration mode. Using this often depends on business needs, but Cisco recommends using it when using key-chains. If accept lifetimes are used, ensure that all router clocks are synchronized.
If an attacker tries to send HSRP messages to the HSRP process while authentication is enabled, the messages are rejected and an error similar to the following is logged:

%HSRP-4-BADAUTH: Bad authentication from 192.168.0.22, group 1, remote state Active

Figure 6. Yersinia is no longer able to recover authentication data with MD5 HMAC

With MD5 key-chains enabled, the attacker can no longer see the preshared key that is, by default, sent in clear text. However, the HSRP process is still susceptible to replay attacks, and if an attacker is able to sniff a packet with a very high priority, they can still become the active router. To stop this from happening, Cisco recommends the use of port security, as outlined earlier in this article.
Access Control Lists (ACLs) are also recommended to mitigate these attacks. By only allowing certain IP addresses to access 224.0.0.2 or 224.0.0.12, it becomes much harder for the attacker to pull off a successful strike. To enable an ACL that sets up these restrictions, use the following:

(config)# access-list 101 permit udp host <ip> host 224.0.0.2 eq 1985
(config)# access-list 101 deny udp any any eq 1985
(config)# access-list 101 permit ip any any
(config)# interface <interface>
(config-if)# ip access-group 101 in

Note: Replace <ip> with a valid host IP address. This line should be used for each router that participates in the HSRP process.
Note: 1985 is the UDP port number that HSRP runs on.
Once the ACL is set, attached hosts will be forbidden from sending HSRP messages (unless they are explicitly permitted). Of course, an anti-spoofing mechanism should probably be implemented as well, ensuring that no source spoofing can occur.

Conclusion
While this article only covered two of many layer 2 attack techniques, this often neglected layer has many vulnerabilities that frequently lead to Man in the Middle attacks; MitM attacks can, of course, also lead to other attacks on business critical procedures. I would love to get into some of these other layer 2 attack vectors in a future release of Hakin9, but in the meantime I will be uploading any research I do to Hakipedia.
It is highly recommended that you educate your network administrators in the field of security. Invest in them to protect your network. The cost of training is much less than that of recovering from a compromised system.
I also recommend that network administrators keep up-to-date with current security implications. Defcon, Ruxcon, Blackhat et cetera are all fantastic conferences that keep you in the know when it comes to information security.
Michael Howe
Michael Howe is a certified Cisco engineer who currently holds the CCNA, CCNA Security, and several parts of the CCSP and CCNP. He holds a Diploma in Network Engineering, an Advanced Diploma in Network Security, and an Advanced Diploma in Telecommunication Networks. He currently works in the data protection field, and dabbles in virtualization. Michael is also the founder and main contributor of Hakipedia.com, an open collaborative made up of black-hat and white-hat hackers alike, sharing information on computer security and the hacking subculture. This Debian GNU/Linux user from Australia can be contacted via email at mickismick@gmail.com.