Transcript of dugan-winsec02.ppt - Black Hat
February 7, 2002, 13:30 - 14:45
Black Hat - Windows Security 2002, New Orleans, LA
Protecting your Cisco Infrastructure against the latest “Attacktecs™”
By Stephen Dugan, [email protected]
Introduction
Welcome to the presentation, and thank you for coming!
  Who is the speaker?
  What is the focus of the presentation?
  Why a talk on Cisco at a Windows show?
  How will the material be presented?
Agenda
Introduction
Section 1 - Physical and Remote Access
  Initial Configuration
  Device Access Options
  Password Issues
  Management Protocols
Section 2 - Layer 2
  VLANs / Design
  STP / VTP / DTP
  Network Sniffing
  VLAN Hopping
Section 3 - Layer 3
  ACLs
  IP Routing Protocols
  HSRP
Section 1
Physical and Remote Access
Section 1 - Physical and Remote Access
Initial Configuration Commands, or...
Commands that belong on all configurations
  Turning off unused default features
  Turning on features you should be using
Section 1 - Physical and Remote Access
Globally ON by default
  Echo
  Chargen
  Discard
  Finger
  Bootp
  Auto-Install
  IP Source-Routing
  DNS lookup
Attacktecs
  Lots of documented attacks and available tools!
Solutions
  Turn them all off
Reasoning
  Most are not used or needed
  Rarely used for legit purposes
RO(config)# no service tcp-small-servers
RO(config)# no service udp-small-servers
RO(config)# no service finger
RO(config)# no service config
RO(config)# no ip identd
RO(config)# no ip bootp server
RO(config)# no boot network
RO(config)# no ip domain-lookup
Section 1 - Physical and Remote Access
Interface level ON by default
  Unreachable messages
  Proxy-ARP
  Redirects
  Mask replies
  Directed-broadcast (before 12.0)
Attacktecs
  Lots of documented attacks and available tools!
Solutions
  Again... turn them all off
  Should be done at ALL interfaces
Reasoning
  Most are not used or needed
  Rarely used for legitimate purposes today
RO(config-if)# no ip unreachables
RO(config-if)# no ip proxy-arp
RO(config)# no ip source-route
(ip source-route is a global command, so it is entered in global configuration mode rather than under the interface)
RO(config-if)# no ip redirects
RO(config-if)# no ip mask-reply
RO(config-if)# no ip directed-broadcast
Section 1 - Physical and Remote Access
General features that should be turned ON
  Nagle (RFC 896)
  Login/MOTD banners
  TCP keepalives-in
Attacktecs
  Various DoS
Reasoning
  Banners for legal matters
  Nagle and TCP keepalives can help in DoS attacks or with high-volume interactive traffic
RO(config)# service nagle
RO(config)# service tcp-keepalives-in
RO(config)# banner motd ^
Get off my network! NOW!
(unless you work here)
YWBPTTFEOTL ^
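The "turn it off" and "turn it on" command lists on the three slides above are easy to state and easy to drift from over time. The following Python script is an added example (it is not part of the presentation and not a Cisco tool): it parses a saved "show running-config" dump, splits it into global lines and per-interface blocks, and reports every hardening line from those slides that is absent. The sample configuration embedded in it is constructed for the example. One caveat a practitioner should keep in mind: IOS omits default settings from the running-config, so on a release where a service is already off by default a "missing" line may be harmless; the slides assume the older defaults where these services are on.

```python
# Global commands the slides say belong on every configuration
# (slides "Globally ON by default" and "General features that should be turned ON").
REQUIRED_GLOBAL = [
    "no service tcp-small-servers",
    "no service udp-small-servers",
    "no service finger",
    "no service config",
    "no ip identd",
    "no ip bootp server",
    "no boot network",
    "no ip domain-lookup",
    "no ip source-route",
    "service nagle",
    "service tcp-keepalives-in",
]

# Per-interface commands the slide says to apply at ALL interfaces.
REQUIRED_INTERFACE = [
    "no ip unreachables",
    "no ip proxy-arp",
    "no ip redirects",
    "no ip mask-reply",
    "no ip directed-broadcast",
]


def parse_config(text):
    """Split a 'show running-config' dump into global lines and per-interface
    blocks. IOS indents the lines that belong to an interface by one space, so
    a line starting with 'interface ' opens a block and the next non-indented
    line closes it. Comment lines ('!') and blank lines are ignored."""
    global_lines = []
    interfaces = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            interfaces[current].append(raw.strip())
        elif raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            interfaces[current] = []
        else:
            current = None
            global_lines.append(raw.strip())
    return global_lines, interfaces


def audit(text):
    """Return a list of (scope, missing_command) findings, one per hardening
    line that is absent from the config. Scope is 'global' or the interface name."""
    global_lines, interfaces = parse_config(text)
    findings = []
    for cmd in REQUIRED_GLOBAL:
        if cmd not in global_lines:
            findings.append(("global", cmd))
    for name, lines in interfaces.items():
        # Loopbacks have no neighbours to send ICMP to; skip them.
        if name.lower().startswith("loopback"):
            continue
        for cmd in REQUIRED_INTERFACE:
            if cmd not in lines:
                findings.append((name, cmd))
    return findings


# Constructed sample running-config for the audit (not a real device).
SAMPLE_CONFIG = """\
! constructed sample, not a real device
hostname RO
no service tcp-small-servers
no service udp-small-servers
no service finger
no ip bootp server
no ip domain-lookup
no ip source-route
service nagle
!
interface FastEthernet0/0
 ip address 192.168.8.1 255.255.252.0
 no ip redirects
 no ip proxy-arp
!
interface Serial0/0
 ip address 10.0.0.1 255.255.255.252
 no ip unreachables
 no ip proxy-arp
 no ip redirects
 no ip mask-reply
 no ip directed-broadcast
!
interface Loopback0
 ip address 192.168.1.1 255.255.255.255
!
end
"""

if __name__ == "__main__":
    for scope, cmd in audit(SAMPLE_CONFIG):
        print(f"{scope}: missing '{cmd}'")
```

On the constructed sample the audit reports four global lines and three lines on FastEthernet0/0; Serial0/0 is clean and the loopback is skipped. Running it against a real dump means saving "show running-config" to a file and passing its contents to audit().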
Section 1 - Physical and Remote Access
Features that should be turned ON
  Cisco Express Forwarding
  Unicast Reverse Path Forwarding
Attacktecs
  DDoS tools: TFN(2K), Trinoo, etc. See PacketStorm for updated DDoS tools
Solutions
  CEF will boost performance
  uRPF helps DDoS detection
Reasoning
  Source address verification
  Forced asymmetric routing
  Use BGP Weight or Local Preference if multi-homed
ip cef
! "ip cef distributed" for RSP+VIP
interface serial 0/0
 ip address 192.168.8.1 255.255.252.0
 ip verify unicast reverse-path
ip route 0.0.0.0 0.0.0.0 Serial 0
(Diagram: Enterprise Network -- Fa0/0 [router] S0/0 -- Upstream ISP -- Internet. A packet arriving on S0/0 with Source = 192.168.11.45 is DROPPED.)
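To make the DROPPED packet in the diagram concrete, here is an added Python model of the strict uRPF check that "ip verify unicast reverse-path" performs (example code, not from the presentation or from Cisco). The forwarding table and the packets are constructed to match the diagram: the 192.168.8.0/22 block lives behind FastEthernet0/0, the default route points at Serial0/0, and a packet claiming source 192.168.11.45 arrives from the ISP side. The check is: look up the source address with a longest-prefix match, and forward only if the best route's interface is the one the packet came in on.

```python
import ipaddress

# Constructed forwarding table for the router in the slide diagram: the
# enterprise block 192.168.8.0/22 sits behind Fa0/0 and everything else is
# reached through the default route towards the upstream ISP on S0/0.
ROUTING_TABLE = [
    (ipaddress.ip_network("192.168.8.0/22"), "FastEthernet0/0"),
    (ipaddress.ip_network("0.0.0.0/0"), "Serial0/0"),
]


def lookup(table, address):
    """Longest-prefix match: return the egress interface for an address,
    or None if no route (not even a default) covers it."""
    addr = ipaddress.ip_address(address)
    best = None
    for prefix, iface in table:
        if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, iface)
    return best[1] if best else None


def urpf_strict(table, ingress_iface, source):
    """Strict unicast RPF as applied on the ingress interface: the packet
    passes only if the router would send traffic *back* to its source address
    out of the same interface it arrived on. A source that belongs to the
    inside block but shows up on the ISP link fails, and so does a source
    with no route at all."""
    return lookup(table, source) == ingress_iface


def filter_packets(table, packets):
    """Apply the check to (ingress_iface, source) pairs and return the verdicts."""
    return [
        (iface, src, "forwarded" if urpf_strict(table, iface, src) else "dropped")
        for iface, src in packets
    ]


# Constructed packets: the slide's spoofed source 192.168.11.45 arriving from
# the ISP side, a legitimate Internet source, a legitimate inside source, and
# an inside host sending with an outside source address.
PACKETS = [
    ("Serial0/0", "192.168.11.45"),
    ("Serial0/0", "203.0.113.5"),
    ("FastEthernet0/0", "192.168.9.3"),
    ("FastEthernet0/0", "203.0.113.9"),
]

if __name__ == "__main__":
    for iface, src, verdict in filter_packets(ROUTING_TABLE, PACKETS):
        print(f"{src:>15} in on {iface:<16} -> {verdict}")
```

The last packet shows the check working in the other direction too: an inside host sending with an outside source address fails on FastEthernet0/0. It also illustrates the slide's reasoning item about asymmetric routing: if a legitimate return path differs from the forward path, strict mode drops real traffic, which is why the slide points at BGP Weight or Local Preference when multi-homed. Note that with a default route on Serial0/0, anything not in the inside block passes there; at the edge that is the intended behaviour, since the goal is to stop inside addresses being spoofed from outside.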
Section 1 - Physical and Remote Access
Device Access Options
  Console - physical access
  AUX - the dial-in backdoor
  VTY - access for those protocols we've stopped using for years!
Section 1 - Physical and Remote Access
Console - Physical Access
  Use for initial configs
  Easy to avoid passwords
Attacktecs
  Password recovery
  Theft of equipment (SOLD on Internet auction sites)
Solutions
  Lock the doors!
  Guards with M16s
  Secret IOS command?!?!
Reasoning
  ALL Cisco devices can be compromised with console access
line con 0
 login
 password ClearText
 exec-timeout 3 0

username Steve password EncryptMe
line con 0
 login local
 exec-timeout 3 0

aaa new-model
tacacs-server key NotCleartext
aaa authentication login default tacacs+ local
Section 1 - Physical and Remote Access
AUX - Dial-in Backdoor
  Used mostly for remote dial-in access for administrators
  Can be configured to route traffic for DDR
Attacktecs
  War-dial to find the number
  Use as a jumping point to launch other attacks
Solutions
  Unplug the modem until needed
  Strong password protection
  Timeouts and CD-drop detection to avoid session theft
Reasoning
  Has good uses for solving network-down type problems
  Same security problems as all dial type access
line aux 0
 login
 password ClearText
 exec-timeout 3 0

username Steve password EncryptMe
line aux 0
 login local
 exec-timeout 3 0

aaa new-model
tacacs-server key NotCleartext
aaa authentication login default tacacs+ local
Section 1 - Physical and Remote Access
VTY - All Access
  Used mostly for telnet
  Supports LAT, MOP, rlogin, etc.
Attacktecs
  Flood the router with telnets
  MiTM - discover the device password by watching telnet traffic
  Reverse telnet (2000, 3000, 7000)
Solutions
  Use SSH & ACLs
  Turn off unused protocols
  Last resort... turn off VTY access
Reasoning
  Standard for Cisco management
  SSH provides encryption for device management sessions
username Steve password ohSSH
ip domain-name router1.101labs.com
crypto key generate rsa
ip ssh time-out 60
ip ssh authentication-retries 2
access-list 2 permit host 10.1.1.1
line vty 0 4
 login local
 access-class 2 in
 transport input ssh
(the default for transport input is ALL; the access-class command is entered under the line, without an "ip" prefix)
Note: Cisco only uses SSH v1 and has an active advisory for SSH. IOS also has SSH client support. Limited platform support. Still A LOT better than cleartext telnet! See the link section for more info.
Section 1 - Physical and Remote Access
Password Issues
  User, privileged, and custom access
  Implications of “No Password”
  MD5 and password encryption
  Password recovery
Section 1 - Physical and Remote Access
User Exec - Level 1 - Router>
  Can look at various tables: ARP, BGP, routing, etc.
  Can do simple pings
  Telnet to other places (jump-off point)
Privilege Exec - Level 15 - Router#
  Essentially “root” access for an IOS device
  All functions available
Custom Levels - Levels 2-14 - Router#
  Set using username/password or AAA
  Privilege levels inherit lower levels unless denied.
  Useful in large environments with techs of different experience levels and job functions.
Section 1 - Physical and Remote Access
Implications of “No Password”
  The login command on a VTY line will force the router to ask for a password even if none is configured. This is the default.
  login combined with no password on CON/AUX allows login without a challenge.
To disable CON or AUX use:
line aux 0
 transport input none
 transport output none
 no exec
Section 1 - Physical and Remote Access
MD5 and Password Encryption
  Most passwords stored in Cisco IOS device configs are in clear text.
  Using the “service password-encryption” command will weakly (type 7) encrypt your passwords. (You could decrypt them with pen & paper in 40 minutes.)
  The enable SECRET password is MD5. You should use this for Privilege Exec access.
service password-encryption
hostname Router-1
no enable password
enable secret 5 $1$y/fP$O.MMCCsH8leilgoRUwBxk1
  Use type 5 (MD5) for any passwords that let you.
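The slide's advice (type 5 where you can, no "enable password" next to an "enable secret", and treat type 7 as no better than clear text) is something a config review can check mechanically. The following Python script is an added example, not part of the presentation: it classifies every credential line in a running-config by its storage type and reports the ones that are not type 5 hashes. The sample configuration and all of its password and hash values are constructed placeholders. Later IOS releases add stronger types (8, PBKDF2-SHA256, and 9, scrypt); a current version of this check would treat those as the preferred types alongside 5.

```python
import re

# How IOS labels credential storage, weakest to strongest, at the time of the talk.
STORAGE_TYPES = {
    "0": "cleartext",             # "password foo" or "password 0 foo"
    "7": "type 7 (reversible)",   # produced by 'service password-encryption'
    "5": "type 5 (MD5)",          # 'enable secret' / 'username ... secret'
}

# Matches enable secret/password, username ... [privilege N] secret|password,
# and line passwords, with an optional type digit before the value.
LINE_RE = re.compile(
    r"^\s*(?P<prefix>enable secret|enable password|"
    r"username \S+ (?:privilege \d+ )?(?:secret|password)|password)"
    r"(?: (?P<type>[057]))? (?P<value>\S+)\s*$"
)


def classify_line(line):
    """Return (prefix, storage_type) for a credential line, or None for any
    other config line. A missing type digit means the value is clear text."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return m.group("prefix"), STORAGE_TYPES[m.group("type") or "0"]


def audit_passwords(config_text):
    """Report every credential not stored as a type 5 hash, plus an
    'enable password' that coexists with an 'enable secret' (the slide's
    'no enable password')."""
    findings = []
    has_secret = False
    has_enable_password = False
    for line in config_text.splitlines():
        result = classify_line(line)
        if result is None:
            continue
        prefix, storage = result
        if prefix == "enable secret":
            has_secret = True
        if prefix == "enable password":
            has_enable_password = True
        if storage != "type 5 (MD5)":
            findings.append((line.strip(), storage))
    if has_secret and has_enable_password:
        findings.append(("enable password", "redundant: enable secret already set, remove it"))
    return findings


# Constructed sample; every value below is a made-up placeholder.
SAMPLE_CONFIG = """\
! constructed sample, not a real device
hostname Router-1
enable password 7 0822455D0A16
enable secret 5 $1$abcd$placeholderhashvalue000000
username Steve password 7 094F471A1A0A
username ops privilege 15 secret 5 $1$efgh$placeholderhashvalue111111
line con 0
 password ClearText
line vty 0 4
 password 0 telnetme
"""

if __name__ == "__main__":
    for line, reason in audit_passwords(SAMPLE_CONFIG):
        print(f"{reason:<45} {line}")
```

The check only looks at how a value is stored, not at its strength; a type 5 hash of a dictionary word is still a weak password, which is what the later Catalyst slide's "use difficult passwords" addresses.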
Section 1 - Physical and Remote Access
Password Recovery
  As simple as... power cycle, Break key, confreg or o/r 0x2142
Secret IOS command (some devices): “no service password-recovery”
  The Break key after a power cycle will give you a “Factory Default <y/n>” question.
Section 1 - Physical and Remote Access
Management Protocols
  CDP - How they discover your network
  SNMP - More holes than Swiss cheese
  NTP - What time did they break in?
  SYSLOG - Another ignored log
  Loopbacks - Interfaces that don't go down
Section 1 - Physical and Remote Access
CDP - Cisco Discovery Protocol
  Used to discover the network
  L2 messages sent every 60 seconds
  Will discover device name, IOS revision, L3 addresses, native VLAN and more.
  Default is ON for all ports/interfaces
Attacktecs
  Everyone can discover your network
  DoS attack discovered by FX
  Info can be used in a variety of ways
Solutions
  Turn it off globally
  Turn it off at a port/interface
  Leave it on in the management VLAN
Reasoning
  Not needed unless you're actively discovering the network
  Required for CiscoWorks 2000
RO(config)# no cdp run
RO(config-if)# no cdp enable
SW> (enable) set cdp disable <mod/port>
(omitting the <mod/port> turns off CDP for the entire switch)
Section 1 - Physical and Remote Access
SNMP v1 & v2 - “Simple Net-attacks Made Possible”
Main problems
  Uses community strings that are stored/sent in cleartext
  Many times left unchanged/default as public/private
  Many freeware SNMP tools used for hacking
If it must be used
  Don't enable a RW string
  Use an ACL
  Use v3 if RW is needed
access-list 1 permit host 10.1.1.1
access-list 1 deny any log-input
snmp-server community not-public ro 1
Section 1 - Physical and Remote Access
SYSLOG
  Default is console logging only
  Stop console logging
  Send messages to a syslog server.
NTP
  Gets time from a trusted source
  Attach timestamps to logs
clock timezone MST -7
clock summer-time MST recurring
ntp authenticate
ntp authentication-key 1 md5 AtTheTone
ntp trusted-key 1
ntp access-group peer 3
ntp server 192.168.254.57 key 1
access-list 3 permit host 192.168.254.57
access-list 3 deny any log
service timestamps log datetime localtime
logging 10.1.1.1
no logging console
Section 1 - Physical and Remote Access
Loopback interfaces
  Loopbacks are internal/software interfaces
  Never go down
  Can be assigned L3 addresses
  Router-ID for OSPF/BGP
  Source IP address in packets: Telnet/SSH, SNMP, SYSLOG, TFTP / FTP
interface loopback 0
 ip address 192.168.1.1 255.255.255.0
ip telnet source-interface loopback 0
ip tftp source-interface loopback 0
ip ftp source-interface loopback 0
logging source-interface loopback 0
router ospf 1
 router-id 192.168.1.1
router bgp 65410
 bgp router-id 192.168.1.1
Section 1 - Physical and Remote Access
Catalyst Switch Options
  Password commands
  Telnet / SSH connection options
  NTP, SYSLOG, SNMP
Section 1 - Physical and Remote Access
Catalyst Switch Passwords
  Passwords for user and enable modes
Attacktecs
  Password recovery: power off; passwords are cleared for the first 60 seconds; must be attached to the console
Solutions
  Use difficult passwords
  Limit physical access
set password (hit Return)
Old Password: *.Eat@JoE$^^_
New Password: JoE$F0Od_Stnks
Retype Password: JoE$F0Od_Stnks
set enable (hit Return)
Old Enablepass: Stay!0Ff_My-C@
New Enablepass: C@_iN_Da_H@
Retype: C@_iN_Da_H@
Section 1 - Physical and Remote Access
NEW ALERT for CAT switches 1/29/02
  ALL Catalysts running “set based IOS” are vulnerable to a DoS attack
  Fix by new code 2/5/02
  Use SSH and IP permit
set crypto key rsa 1024
set ip permit enable ssh
show crypto key
show ip permit
set ip http server disable
Catalyst Switch Management
  Same management methods as an IOS router
Attacktecs
  BSD telnet DoS attack
  Discover device configs and passwords by watching telnet or HTTP traffic
Solutions
  Use SSH & IP permit lists
  Shut off HTTP access
  Last resort... turn off telnet
  OR... don't configure IP on the switch
Section 1 - Physical and Remote Access
NTP, SYSLOG on CATs
  Cisco recommends modifying some of the logging levels based on environment conditions
  NTP configuration is very similar to the configuration commands on router IOS.
set logging server <IP address>
set logging timestamp enable
set logging level spantree 6 default
set logging level sys 6 default
set logging server severity 4
set logging console disable
set ntp client enable
set ntp server <address of server>
set ntp authentication enable
set ntp key <key>
set ntp timezone <zone name>
set ntp summertime <details>
Section 2
Layer 2 - Switching
Section 2 - Layer 2 - Switching
VLANs
  Good design - simplifies security
  Default VLANs - 1, 1001-1005
  Management VLAN - defaults to VLAN 1
Section 2 - Layer 2 - Switching
Design Philosophies
  Spanning Tree = BAD
  Routing = GOOD
  KISP
  Plan with security in mind
Section 2 - Layer 2 - Switching
(Diagram: “Good Design!” - a switch block; “Bad Design!!!!” - a redundant rat's nest)
Section 2 - Layer 2 - Switching
VLANs
  VLAN 1 - the dead VLAN
  VLANs 1001-1005 - the dead technology VLANs
  Clear trunks of these VLANs
  Can't remove them from switches
Section 2 - Layer 2 - Switching
Management VLAN - Defaults to VLAN 1
  Change this on all switches to a random number (the same number for all switches)
  NO USER traffic
  Don't assign to user ports
  ACL to block them!
  Used for anything your users shouldn't see: IP routing, CDP (if you didn't want to turn it off), VTP, MLSP
Section 2 - Layer 2 - Switching
Management VLAN (cont.)
  Runs on all switches in the block
  Use 1 management VLAN per block
  Trunked with user VLANs on these links
  Should be the only VLAN on this link
Section 2 - Layer 2 - Switching
STP / VTP / DTP
  Spanning Tree issues
  VLAN Trunking Protocol - the “A” DoS
  Dynamic Trunking Protocol - To trunk or not to trunk?... that is the question.
Section 2 - Layer 2 - Switching
Spanning Tree Protocol
  For loop prevention in an Ethernet network
  Works by electing a “root bridge”
  Sends messages via BPDUs
Attacktecs include
  Forced takeover as ROOT bridge
  BPDU flood attack
  BPDU Change Notification flag (unintentional side effect of a switched network)
Solutions
  Force user ports to not send/receive BPDUs
  Portfast & BPDU-Guard
Section 2 - Layer 2 - Switching
VTP - VLAN Trunking Protocol
  Used to maintain VLAN database consistency
  Could be used for an attack to add/delete VLANs
  Risky to use under normal conditions
  Required by some CATs to create VLANs
Solution
  Set all switches to VTP transparent mode
  Set a password to avoid mis-configuration / attacks
Section 2 - Layer 2 - Switching
Dynamic Trunking Protocol - “To Trunk or not to Trunk”
  All switch 100 Mb ports are set to AUTO
  Connecting AUTO - AUTO ports doesn't trunk
  Connecting AUTO - ON ports does trunk
Attacktecs
  802.1Q tag manipulation
  Access to all VLANs without a router
Solution
  Set all non-trunk ports to DTP OFF mode
  Force users to 10 Mb (lead balloon?!?!)
Section 2 - Layer 2 - Switching
CAT OS Commands
set port host <mod/port>
  Batch command that configures trunking to OFF and portfast ON
set port disable <mod/port>
set spantree portfast bpdu-guard enable
set spantree guard root 1/1
Section 2 - Layer 2 - Switching
VLAN “Hopping”
  Works by injecting modified 802.1Q tags
  Can effectively pass traffic to other VLANs without a router.
Solutions
  Set native VLANs on trunk ports to an unused VLAN and not VLAN 1
  set port vlan <vlan#> <mod/port>
  Remember the native VLAN must match on both sides of the trunk
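The tags the slide talks about are easy to pick out of a frame, which is what a packet capture on a user port can be checked for. The following Python parser is an added example, not from the presentation: it walks the 802.1Q tag stack of an Ethernet frame and then applies the policy a defender cares about on a user (access) port, where no tag should ever appear and a tag carrying the trunk's native VLAN is the signature of the hopping trick. The three sample frames are constructed byte strings with made-up addresses.

```python
import struct

ETHERTYPE_8021Q = 0x8100  # TPID that announces an 802.1Q tag


def parse_vlan_tags(frame):
    """Walk the tag stack of an Ethernet frame.
    Layout: dst MAC (6) | src MAC (6) | [TPID 0x8100 (2) | TCI (2)]* | EtherType (2) | payload
    TCI = 3 bits PCP, 1 bit DEI, 12 bits VLAN ID. Returns (vlan_ids, inner_ethertype)
    with the outermost tag first. Raises ValueError on a frame cut short mid-header."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    offset = 12
    vlan_ids = []
    while True:
        if len(frame) < offset + 2:
            raise ValueError("truncated EtherType field")
        ethertype = struct.unpack("!H", frame[offset:offset + 2])[0]
        if ethertype != ETHERTYPE_8021Q:
            return vlan_ids, ethertype
        if len(frame) < offset + 4:
            raise ValueError("truncated 802.1Q tag")
        tci = struct.unpack("!H", frame[offset + 2:offset + 4])[0]
        vlan_ids.append(tci & 0x0FFF)
        offset += 4


def check_access_port_frame(frame, native_vlan):
    """Policy for a frame captured on a user (access) port. Hosts on an access
    port should send untagged frames only; any tag is suspicious on its own,
    and a tag equal to the trunk's native VLAN is the one the hopping trick
    relies on. Returns a verdict string."""
    vlan_ids, _ = parse_vlan_tags(frame)
    if not vlan_ids:
        return "ok: untagged"
    if vlan_ids[0] == native_vlan:
        return f"alert: tagged with native VLAN {native_vlan} ({len(vlan_ids)} tag(s))"
    return f"alert: tagged frame on access port (VLAN {vlan_ids[0]})"


# Constructed sample frames (addresses and payload are made up).
DST = bytes.fromhex("ffffffffffff")
SRC = bytes.fromhex("020000000001")
PAYLOAD = bytes(46)
FRAME_UNTAGGED = DST + SRC + bytes.fromhex("0800") + PAYLOAD  # plain IPv4
FRAME_VLAN10 = DST + SRC + bytes.fromhex("8100000a") + bytes.fromhex("0800") + PAYLOAD  # one tag, VLAN 10
FRAME_DOUBLE = (DST + SRC + bytes.fromhex("81000001") + bytes.fromhex("81000014")
                + bytes.fromhex("0800") + PAYLOAD)  # VLAN 1 outer, VLAN 20 inner
FRAME_TRUNCATED = DST + SRC + bytes.fromhex("8100")  # tag cut off after the TPID

if __name__ == "__main__":
    for name, frame in [("untagged", FRAME_UNTAGGED), ("vlan10", FRAME_VLAN10), ("double", FRAME_DOUBLE)]:
        print(name, parse_vlan_tags(frame), check_access_port_frame(frame, native_vlan=1))
```

Why the slide's native-VLAN advice works: a switch forwards frames of its native VLAN onto a trunk without a tag, so a tag that matches the native VLAN is the one that gets removed in transit. If the native VLAN is an unused number rather than VLAN 1, a frame tagged with VLAN 1 on an access port is just an out-of-place tagged frame, which is what the check above reports.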
Section 2 - Layer 2 - Switching
Network Sniffing with Switch Ports
(Diagram: a PC, a server and an attacking host on the same switch)
  Attacker running an ARP spoofing tool with bridging software
  Sends continuous ARP replies telling the PC he's the server and the server that he's the PC. Traffic is bridged between PC and server to maintain the connection.
Solutions:
  Private VLANs?
  Host IDS!
Section 2 - Layer 2 - Switching
Flooding a switch with MAC addresses, or... how to make a switch act like a hub.
(Diagram: attacking host on a switch port)
  The attacking host launches an attack that floods the CAM table on the switch, using all allocated CAM memory. The switch then forwards all traffic like unknown unicasts.
Solutions:
  Port security
  Max MAC count 1
Section 3
Layer 3 - Routing
Section 3 - Layer 3 - Routing
Access Control Lists
  Standard / Extended / Named
  Context Based (CBAC)
  Other
Section 3 - Layer 3 - Routing
IP Standard ACLs
  IP source address based only
  Variety of uses (not just packet filtering)
  1-99, 1300-1999 range
IP Extended ACLs
  Looks at source & destination IP, source & destination ports, protocol, SYN/RST bit (established)
  Can be logged - log or log-input (timestamp and packet info)
  100-199, 2000-2699 range
IP Named ACLs
  Same as standard or extended except with a name instead of a number.
  Can remove a single list entry without removing the whole ACL
Section 3 - Layer 3 - Routing
Context Based Access Control (CBAC)
  AKA Cisco IOS Firewall feature set
  Creates dynamic inbound ACE entries based upon egress traffic.
(Diagram: router between the inside network and the Internet, with an inbound base ACL of “deny any”. As an IP packet exits, a short-lived dynamic ACE is added to the beginning of the base ingress ACL, allowing the return traffic.)
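A small model of the dynamic-ACE behaviour the slide describes, added here as an example (not from the presentation, and not how IOS implements CBAC internally): the inbound base ACL is "deny any", each outbound packet installs a short-lived entry for its reverse 5-tuple, and an inbound packet passes only while a matching entry is alive. The traffic in run_scenario and the 30-second idle timeout are constructed for the example. Real CBAC also inspects protocol state (TCP flags and sequence numbers, and application sessions such as FTP); this model keeps only the timed reverse-entry idea.

```python
from collections import namedtuple

Packet = namedtuple("Packet", "proto src sport dst dport")

# Idle timeout for a dynamic entry (seconds). Constructed value for the example.
IDLE_TIMEOUT = 30


class InspectionFirewall:
    """Inbound base ACL 'deny any' plus dynamic entries created by egress traffic."""

    def __init__(self, idle_timeout=IDLE_TIMEOUT):
        self.idle_timeout = idle_timeout
        self.dynamic = {}  # reverse 5-tuple -> expiry time

    def outbound(self, pkt, now):
        """Called as a packet exits towards the Internet: install the entry
        that will let the matching reply (same protocol, addresses and ports
        swapped) back in. Outbound traffic itself is allowed in this model."""
        reverse = Packet(pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        self.dynamic[reverse] = now + self.idle_timeout
        return True

    def inbound(self, pkt, now):
        """Called as a packet arrives from the Internet. Expired entries are
        purged first; then the packet passes only if it matches a live entry,
        which also refreshes that entry's idle timer. Everything else hits the
        base ACL and is denied."""
        self.dynamic = {k: exp for k, exp in self.dynamic.items() if exp > now}
        if pkt in self.dynamic:
            self.dynamic[pkt] = now + self.idle_timeout
            return True
        return False


def run_scenario():
    """Constructed traffic: an inside host browses out, the reply is admitted,
    an unsolicited inbound connection to the same host is denied, and a reply
    that arrives after the idle timeout is denied too."""
    fw = InspectionFirewall(idle_timeout=30)
    web_out = Packet("tcp", "10.1.1.50", 40000, "203.0.113.10", 80)
    web_back = Packet("tcp", "203.0.113.10", 80, "10.1.1.50", 40000)
    unsolicited = Packet("tcp", "198.51.100.7", 55555, "10.1.1.50", 445)
    return [
        fw.outbound(web_out, now=0),     # True: egress creates the dynamic entry
        fw.inbound(web_back, now=5),     # True: matches the entry, timer refreshed to 35
        fw.inbound(unsolicited, now=6),  # False: base ACL deny any
        fw.inbound(web_back, now=100),   # False: entry expired at 35
    ]


if __name__ == "__main__":
    print(run_scenario())
```

The third packet is the point of the slide: nothing about the inside host being reachable from the Internet is needed for its own sessions to work, because the permission is derived from what left the network, not from a static hole in the inbound ACL.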
Section 3 - Layer 3 - Routing
Other IP ACL types
  Reflexive
  Dynamic
  Time-based
Other ACLs
  IPX
  AppleTalk
  MAC
  NetBIOS
  VACLs
Section 3 - Layer 3 - Routing
IP Routing Protocols
  RIP - May it Rest in Peace (PLEASE!!!)
  IGRP - I'd rather run RIP first
  EIGRP - Simple and powerful
  OSPF - You stubbed your what?
Section 3 - Layer 3 - Routing
RIP v1
  Classful IP (no VLSM or CIDR)
  Broadcasts every 30 sec.
  Cleartext passwords
  Any IP product that has “routing” features supports it
  Too many security problems to fix.
RIP v2
  Classless
  Uses multicasts every 30 seconds
  MD5 passwords
  Wide support
  Still vulnerable to attacks
“You can tie on a pretty ribbon and give it some makeup... but it's still the same old RIP”
Section 3 - Layer 3 - Routing
Setting RIP v2 with Key-chain
key chain MyKey
 key 1
  key-string 1234
!
interface Ethernet0
 ip address 192.168.1.1 255.255.255.0
 ip rip authentication mode md5
 ip rip authentication key-chain MyKey
!
router rip
 version 2
 network 192.168.1.0
 passive-interface default
 no passive-interface E0
(the "ip rip authentication mode md5" line was missing from the slide; without it RIP v2 sends the key in cleartext rather than as an MD5 digest)
(Diagram: two routers connected E0 - E0)
Section 3 - Layer 3 - Routing
IGRP
  Cisco proprietary
  Uses (lowest) bandwidth and delay for metrics
  Classful
  Broadcasts every 90 sec.
  Converges SLOWER than RIP
  NO SECURITY
  Still out there because of the CCNA program...
Solution... modify your configs and add the “E”
Section 3 - Layer 3 - Routing
Enhanced IGRP (EIGRP)
  Acts like a link-state (LS) routing protocol when discovering neighbors, maintaining neighbors and exchanging routes
  Acts like a distance-vector (DV) routing protocol for calculating metrics
  Uses lowest bandwidth and delay like IGRP
  Classless
  MD5 passwords checked before creating neighbors
  Fewer constraints than OSPF
  Doesn't force good design
  Can go query crazy
Section 3 - Layer 3 - Routing
EIGRP with Authentication (Key-Chain)
router eigrp 1
 network 192.168.1.0
 passive-interface default
 no passive-interface E0
!
interface E0
 ip address 192.168.1.1 255.255.255.0
 ip authentication mode eigrp 1 md5
 ip authentication key-chain eigrp 1 keyname
!
key chain keyname
 key 1
  key-string 0987654321
  accept-lifetime infinite
(Diagram: two routers connected E0 - E0)
Section 3 - Layer 3 - Routing
OSPF
  Industry open standard
  Can be complex
  Classless
  Supports MD5 password protection
  Forces good design (sometimes)
Section 3 - Layer 3 - Routing
OSPF with Authentication
router ospf 1
 network 192.168.1.1 0.0.0.0 area 0
 area 0 authentication message-digest
!
interface E0
 ip address 192.168.1.1 255.255.255.0
 ip ospf message-digest-key 1 md5 myOSPFpass
(the slide showed "md5 5 myOSPFpass"; the optional encryption-type value before the key is 0 or 7, so the stray "5" is dropped here)
(Diagram: two routers connected E0 - E0)
Section 3 - Layer 3 - Routing
HSRP - Hot Standby Router Protocol
  Designed to maintain high availability of gateways
  HSRP is Cisco proprietary; VRRP is the new IETF standard
  Works by sending hello messages between routers to elect active and standby routers
  Is vulnerable to attack even when configured correctly
Section 3 - Layer 3 - Routing
HSRP Attacktecs
(Diagram: Active and Standby routers in front of the Enterprise Network or Internet, with the normal packet flow through the Active router. An attack is sent to make a PC appear as an HSRP router and to “preempt” ACTIVE status; used as DoS or MiTM; the packet flow is altered.)
Section 3 - Layer 3 - Routing
Solutions to HSRP Attack
  Set HSRP PRIORITY to 255 on both routers
  ACTIVE router gets the highest IP in the subnet, standby gets the second highest, virtual gets the third
  Modify the default MAC address created for HSRP
  Create an ACL to only permit the HSRP traffic between the appropriate routers (MLS implications...)
  Have switches only send 224.0.0.2 (0100.5E00.0002) to ports that will have routers
  Caveat: doing this will force you to disable CGMP or IGMP snooping; don't use this last one if you're using multicasting in your network.
Links
General Cisco Security
  http://www.cisco.com/warp/public/707/21.html#http
  http://www.cisco.com/public/cons/isp/documents/IOSEssentialsPDF.zip
  http://www.cisco.com/warp/public/cc/so/cuso/epso/sqfr/safe_wp.htm
DDoS
  http://packetstormsecurity.nl/distributed/
  http://www.cisco.com/warp/public/707/newsflash.html
Design
  http://www.dcug.org/prezos/DCUG-Campus1-25-2001.zip
SSH
  http://www.cisco.com/warp/public/707/SSH-multiple-pub.html
  http://www.cisco.com/warp/public/707/ssh.shtml
Thank you for coming!!
Special thanks to
  Jeff Moss, Keith Myers and the rest of the Black Hat crew.
  Tony and SPuD for beginning 101labs with me.