Layer 2 Hackery

Transcript of Layer 2 Hackery

Page 1: Layer 2 Hackery

Layer 2 hackery
Todor Genov
[email protected]
ZaCon 2009

Page 2: Layer 2 Hackery

Why bring up this old topic?

Best practices are still being ignored.

ZaCon is the perfect place to rekindle awareness

Compromise on layer 2 == Game Over

Page 3: Layer 2 Hackery

Means to an end

Getting the upper hand

-STP trickery

-ARP poisoning

-DTP/VTP trickery

Using the tactical advantage

-CAM table and DHCP abuse

-Passive sniffing

-DNS spoofing

-MiTM

Page 4: Layer 2 Hackery

STP

BPDUs: switches exchange Bridge Protocol Data Units to elect a root bridge. The lowest bridge ID (2-byte priority, then the bridge MAC) wins, and every other switch blocks the redundant ports that would otherwise form a loop.

Single ROOT device in a topology

Avoiding topology loops

By sending crafted BPDUs that advertise a lower bridge ID than the current root (priority 0 is the lowest a BPDU can carry), an attacker on an ordinary access port can become the root bridge. A host dual-homed to two switches then has inter-switch traffic re-routed through its own links, ready for sniffing and MitM, and every forced root change costs the segment a topology recalculation.

Page 6: Layer 2 Hackery

STP attack mitigation

Enable bpduguard (or bpdufilter) on access ports: a user port should never receive a BPDU. bpduguard err-disables the port the moment one arrives; bpdufilter silently drops BPDUs in both directions, which also hides an accidental loop behind that port, so prefer bpduguard.

Enable root guard on the designated ports that face away from the root (uplinks toward access switches, and any port where a root bridge must never appear). Root guard moves the port into root-inconsistent state if a superior BPDU arrives. It is not meant for the real root port, where it would block the legitimate root.

Disable STP only in a genuinely loop-less topology, i.e. where no redundant links exist; once it is off, an accidentally patched loop has nothing to stop it.

sw1(config)#int Fa0/1
sw1(config-if)#spanning-tree bpduguard enable
or
sw1(config-if)#spanning-tree bpdufilter enable

sw1(config)#no spanning-tree vlan 1-1024

sw1(config)#int GigabitEthernet 0/1
sw1(config-if)#spanning-tree guard root
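The root takeover above and the two guards that stop it, as an added Python example that is not part of the talk. It builds and parses the 35-byte 802.1D Configuration BPDU, runs the root election the way a switch would, and models bpduguard and root guard as decisions on a received frame. The bridge priorities and MAC addresses are constructed for the example (the attacker MAC is borrowed from the DAI slide later in the deck); the frame's Ethernet/LLC header is omitted.

```python
import struct

# 802.1D Configuration BPDU body: the 35 bytes that follow the LLC header
# (DSAP/SSAP 0x42) in a frame addressed to 01:80:c2:00:00:00.
BPDU_FMT = ">HBBB8sI8sHHHHH"

# Constructed sample bridges (assumptions for this example, not from the talk).
LEGIT_ROOT = (32768, "00:1a:2b:3c:4d:00")   # default priority 32768
ATTACKER = (0, "00:23:12:06:a6:34")         # priority 0: the lowest a BPDU can carry

def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))

def mac_str(b):
    return ":".join("%02x" % x for x in b)

def bridge_id(priority, mac):
    """Bridge ID = 2-byte priority followed by the 6-byte bridge MAC."""
    return struct.pack(">H", priority) + mac_bytes(mac)

def build_config_bpdu(root, sender, path_cost=0, port_id=0x8001):
    """Build a Configuration BPDU claiming `root` as root bridge, sent by `sender`."""
    return struct.pack(BPDU_FMT,
                       0x0000, 0x00, 0x00, 0x00,            # protocol id, version, type, flags
                       bridge_id(*root), path_cost,
                       bridge_id(*sender), port_id,
                       0, 20 * 256, 2 * 256, 15 * 256)     # msg age, max age, hello, fwd delay (1/256 s)

def parse_config_bpdu(data):
    f = struct.unpack(BPDU_FMT, data[:35])
    if f[0] != 0 or f[2] != 0:
        raise ValueError("not an 802.1D configuration BPDU")
    return {
        "root_priority": struct.unpack(">H", f[4][:2])[0],
        "root_mac": mac_str(f[4][2:]),
        "root_path_cost": f[5],
        "bridge_priority": struct.unpack(">H", f[6][:2])[0],
        "bridge_mac": mac_str(f[6][2:]),
    }

def root_key(bpdu):
    """Root election order: lowest priority wins, then lowest MAC."""
    return (bpdu["root_priority"], bpdu["root_mac"])

def elect_root(bpdus):
    """Return the parsed BPDU that wins root election among those heard."""
    return min((parse_config_bpdu(b) for b in bpdus), key=root_key)

def bpdu_guard(port_is_access, frame_is_bpdu):
    """spanning-tree bpduguard: an access port that hears any BPDU is err-disabled."""
    return "err-disabled" if (port_is_access and frame_is_bpdu) else "forwarding"

def root_guard(expected_root, data):
    """spanning-tree guard root: a BPDU that would out-rank the known root puts the
    port into root-inconsistent state instead of triggering a new election."""
    if root_key(parse_config_bpdu(data)) < expected_root:
        return "root-inconsistent"
    return "forwarding"
```

With only the legitimate BPDU in play `elect_root` returns the priority-32768 bridge; add the attacker's priority-0 BPDU and the election flips to it, which is the whole attack. `bpdu_guard` never looks at the content (any BPDU on an access port is wrong), while `root_guard` compares the advertised root against the one the port is supposed to see.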

Page 7: Layer 2 Hackery

DTP/VTP

DTP automates trunk port negotiation: a port left in its default dynamic mode (dynamic auto or dynamic desirable) forms a trunk with any neighbour that asks, including a host that sends DTP frames. Once trunked, the attacker can tag frames into any VLAN the trunk carries.

Proprietary to Cisco

VTP manages VLANs across the switching domain: an advertisement with a higher configuration revision number replaces the VLAN database on every switch in the domain, so a spoofed advertisement can delete or rename VLANs domain-wide.

Page 9: Layer 2 Hackery

DTP/VTP attack mitigation

Disable trunk negotiation on user ports

Explicitly specify allowed VLANs on a trunk

sw1(config)#int Fa0/1
sw1(config-if)#switchport mode access

sw1(config)#int Fa0/1
sw1(config-if)#switchport mode trunk
sw1(config-if)#switchport trunk allowed vlan 3,5-7,11

A static mode stops the port from ever becoming something it should not be; adding switchport nonegotiate on the same interface also stops it from sending DTP frames at all. On a trunk, keep the native VLAN out of the allowed list or move it to an otherwise unused VLAN, so untagged frames from an attacker cannot ride into a production VLAN.

Disable VTP (or at least set a domain password!)
sw1(config)#vtp mode transparent
or
sw1(config)#vtp password T0P53KR3T

A transparent switch ignores advertisements for its own database but still forwards them to its neighbours. The password only keeps unauthenticated rogue advertisements out: a device that knows it and advertises a higher revision number still overwrites the domain.
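What the allowed-VLAN list actually enforces, as an added Python example that is not from the talk. It parses the IOS range syntax used on the slide ("3,5-7,11"), builds 802.1Q-tagged and untagged frames the way an attacker on a negotiated trunk would send them, and applies the list at trunk ingress, including the native-VLAN case where an untagged frame is allowed in. The attacker MAC and the VLAN numbers are constructed for the example.

```python
import struct

def parse_vlan_list(spec):
    """Parse an IOS-style VLAN list such as '3,5-7,11' into a set of VLAN IDs."""
    vlans = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        lo, _, hi = part.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 1 <= lo <= hi <= 4094:
            raise ValueError("bad VLAN range: %r" % part)
        vlans.update(range(lo, hi + 1))
    return vlans

def tagged_frame(dst, src, vlan, ethertype=0x0800, payload=b""):
    """802.1Q frame: dst, src, TPID 0x8100, TCI (PCP 0, DEI 0, VID), inner ethertype."""
    return dst + src + struct.pack(">HHH", 0x8100, vlan & 0x0FFF, ethertype) + payload

def untagged_frame(dst, src, ethertype=0x0800, payload=b""):
    return dst + src + struct.pack(">H", ethertype) + payload

def frame_vlan(frame):
    """VLAN ID of an 802.1Q frame, or None if the frame carries no tag."""
    if struct.unpack(">H", frame[12:14])[0] != 0x8100:
        return None
    return struct.unpack(">H", frame[14:16])[0] & 0x0FFF

def trunk_ingress(frames, allowed_spec, native_vlan=1):
    """Apply 'switchport trunk allowed vlan' to frames arriving on a trunk.
    Untagged frames are placed in the native VLAN, which is then subject to the
    same allowed list. Returns (forwarded VLAN IDs, dropped VLAN IDs)."""
    allowed = parse_vlan_list(allowed_spec)
    forwarded, dropped = [], []
    for f in frames:
        vid = frame_vlan(f)
        vid = native_vlan if vid is None else vid
        (forwarded if vid in allowed else dropped).append(vid)
    return forwarded, dropped

# Constructed sample: an attacker that has negotiated a trunk tries three VLANs.
ATTACKER_MAC = bytes.fromhex("001122334455")
BROADCAST = b"\xff" * 6
SAMPLE_FRAMES = [
    tagged_frame(BROADCAST, ATTACKER_MAC, 5),    # allowed on the trunk
    tagged_frame(BROADCAST, ATTACKER_MAC, 2),    # not in the allowed list
    untagged_frame(BROADCAST, ATTACKER_MAC),     # lands in the native VLAN
]

def demo(allowed_spec="3,5-7,11", native_vlan=1):
    return trunk_ingress(SAMPLE_FRAMES, allowed_spec, native_vlan)
```

With the slide's list and native VLAN 1, only the VLAN 5 frame gets through. Change the native VLAN to 5 and the untagged frame is forwarded as well, which is why the native VLAN of a trunk should be one nobody uses.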

Page 10: Layer 2 Hackery

CAM flood & DHCP attacks

CAM tables contain MAC-to-port mappings, learned from the source address of every frame the switch sees. An attacker floods frames with thousands of random source MACs until the table is full.

Switch without CAM table == HUB: with no entry for a destination the switch floods the frame out of every port in the VLAN, so the attacker's port now receives other hosts' traffic.

Fail close vs fail open: a switch that keeps evicting old entries to learn new ones (fail open) degrades into a hub for everyone; one that stops learning when full (fail closed) keeps its existing entries, and new legitimate hosts lose connectivity instead.

DHCP starvation (DoS): the attacker requests leases with a different spoofed client MAC each time until the scope is exhausted. Legitimate hosts get no address, and an attacker-run DHCP server is the only one left answering.

Page 11: Layer 2 Hackery

CAM flood and DHCP starvation mitigation

Port security
-Static MAC addresses where possible

sw1(config)#int Fa0/1
sw1(config-if)#switchport mode access
sw1(config-if)#switchport port-security
sw1(config-if)#switchport port-security mac-address 000d.60ce.3c00

-Limit number of dynamic MAC addresses per port

sw1(config)#int Fa0/1
sw1(config-if)#switchport port-security maximum 1
sw1(config-if)#switchport port-security violation { protect | restrict | shutdown }

Port security only takes effect on an access port after switchport port-security itself is enabled. The violation modes differ in what happens to a frame from an unexpected MAC: protect drops it silently, restrict drops it and logs a violation (syslog and SNMP trap), shutdown (the default) err-disables the port until an administrator re-enables it or errdisable recovery does. The same limit blunts DHCP starvation, since every spoofed client MAC counts toward the per-port maximum.
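The flood, the fail-open/fail-closed difference and the three violation modes, as an added Python model that is not from the talk and does not reproduce any vendor's code. A toy learning switch with a small CAM table is flooded from one port with spoofed source MACs; the functions then report whether server-to-victim traffic leaks to the attacker's port, and what port-security with maximum 1 does in each violation mode. Host MACs, port numbers and the table size are constructed for the example.

```python
from collections import OrderedDict

class ToySwitch:
    """Learning switch with one CAM table and optional per-port port-security.
    Written for this example; it models behaviour, not any real switch's code."""

    def __init__(self, ports, cam_size=8, fail_open=True):
        self.ports = list(ports)
        self.cam = OrderedDict()      # mac -> port; insertion order used for eviction
        self.cam_size = cam_size
        self.fail_open = fail_open    # full table: evict (hub-like) or stop learning
        self.psec = {}                # port -> {"max": n, "mode": str, "seen": set()}
        self.err_disabled = set()
        self.violations = {}          # port -> count (restrict and shutdown log these)

    def port_security(self, port, maximum=1, violation="shutdown"):
        self.psec[port] = {"max": maximum, "mode": violation, "seen": set()}

    def _learn(self, mac, port):
        if mac in self.cam:
            self.cam.move_to_end(mac)
            self.cam[mac] = port
        elif len(self.cam) < self.cam_size:
            self.cam[mac] = port
        elif self.fail_open:
            self.cam.popitem(last=False)      # victim entries get pushed out by the flood
            self.cam[mac] = port
        # fail closed: table full, the new address is simply not learned

    def receive(self, in_port, src, dst):
        """Process one frame; returns the list of egress ports ([] if dropped)."""
        if in_port in self.err_disabled:
            return []
        ps = self.psec.get(in_port)
        if ps is not None and src not in ps["seen"]:
            if len(ps["seen"]) >= ps["max"]:
                if ps["mode"] != "protect":
                    self.violations[in_port] = self.violations.get(in_port, 0) + 1
                if ps["mode"] == "shutdown":
                    self.err_disabled.add(in_port)
                return []
            ps["seen"].add(src)
        self._learn(src, in_port)
        out = self.cam.get(dst)
        if out is None:                        # unknown unicast / broadcast: flood
            return [p for p in self.ports if p != in_port]
        return [out] if out != in_port else []

# Constructed sample hosts: victim on port 1, server on port 2, attacker on port 3.
VICTIM, SERVER, BROADCAST = "00:0d:60:ce:3c:00", "00:0d:60:ce:3c:01", "ff:ff:ff:ff:ff:ff"

def spoofed_macs(n):
    return ["02:00:00:00:%02x:%02x" % (i // 256, i % 256) for i in range(n)]

def cam_flood(fail_open, cam_size=8, flood=50):
    """Does server->victim traffic leak to the attacker's port after a CAM flood?"""
    sw = ToySwitch(ports=[1, 2, 3], cam_size=cam_size, fail_open=fail_open)
    sw.receive(1, VICTIM, SERVER)
    sw.receive(2, SERVER, VICTIM)
    for m in spoofed_macs(flood):
        sw.receive(3, m, BROADCAST)
    return 3 in sw.receive(2, SERVER, VICTIM)

def port_security_flood(mode, flood=50):
    """Same flood against 'switchport port-security maximum 1 violation <mode>'."""
    sw = ToySwitch(ports=[1, 2, 3], cam_size=8, fail_open=True)
    sw.port_security(3, maximum=1, violation=mode)
    sw.receive(1, VICTIM, SERVER)
    sw.receive(2, SERVER, VICTIM)
    for m in spoofed_macs(flood):
        sw.receive(3, m, BROADCAST)
    return {"leak": 3 in sw.receive(2, SERVER, VICTIM),
            "violations": sw.violations.get(3, 0),
            "err_disabled": 3 in sw.err_disabled}
```

On the fail-open switch the victim's entry is evicted by the flood and the next server-to-victim frame is flooded to the attacker; fail-closed keeps the entry and the attacker sees nothing. With maximum 1 on the attacker's port all three modes stop the leak; they differ only in whether the violations are logged (restrict) and whether the port is taken down after the first one (shutdown).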

Page 12: Layer 2 Hackery

Rogue DHCP

Very effective following a DHCP starvation: with the legitimate scope exhausted, the attacker's server is the only one left answering DISCOVERs.

Guess what gateway/DNS info an attacker would supply :) Handing out itself as default gateway and DNS server is all the attacker needs for a MitM on every new lease.

Page 13: Layer 2 Hackery

DHCP snooping

Blocks rogue DHCP servers: the switch treats ports toward the real DHCP server (or uplinks) as trusted and everything else as untrusted, and drops server messages (OFFER/ACK/NAK) that arrive on untrusted ports. It also records every lease it sees as an IP-to-MAC-to-port binding, which Dynamic ARP Inspection uses later.

sw1(config)#ip dhcp snooping
sw1(config)#ip dhcp snooping vlan 2,3
sw1(config)#ip dhcp snooping information option
sw1(config)#int Fa0/1
sw1(config-if)#ip dhcp snooping trust

Snooping does nothing until it is also enabled for the VLANs concerned. The information option line inserts DHCP option 82 (relay agent information) into forwarded requests; it is optional, and an upstream relay or server not configured for option 82 may drop those requests, so leave it off unless it is wanted. Trust only the ports that lead to the legitimate server; trusting a user port reopens the rogue-server hole.

Rate-limit DHCP requests on untrusted ports, so a starvation attack err-disables the offending port instead of draining the scope:

sw1(config-if)#ip dhcp snooping limit rate 10

Page 14: Layer 2 Hackery

ARP poisoning

ARP has no authentication: a host believes any reply, and most stacks also update their cache from replies they never asked for.

Gratuitous ARP: an unsolicited ARP announcement ("I am 192.168.0.1 at MAC X") that every host on the segment caches.

ARP spoofing: the attacker tells the victim that the gateway's IP lives at the attacker's MAC, tells the gateway the same about the victim's IP, and forwards between the two. All of the victim's off-segment traffic now passes through the attacker.

Page 16: Layer 2 Hackery

Dynamic ARP inspection

Verifies IP-to-MAC bindings: the switch intercepts every ARP packet on untrusted ports and drops those whose sender IP/MAC pair does not match a known binding. Uplinks and other trusted ports are exempted with ip arp inspection trust on the interface.

sw1(config)#ip arp inspection vlan 2,3

Requires a trusted database of such bindings
-DHCP (with snooping enabled): the DHCP snooping binding table
-Static ACLs, for hosts with fixed addresses:

sw1(config)#arp access-list laptop-todor
sw1(config-arp-nacl)#permit ip host 192.168.0.164 mac host 0023.1206.a634
sw1(config)#ip arp inspection filter laptop-todor vlan 2
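The ARP poisoning attack, DHCP snooping and Dynamic ARP Inspection together, as one added Python example that is not from the talk and does not reproduce any switch's implementation. It builds and parses real BOOTP/DHCP packets and Ethernet/IPv4 ARP bodies, keeps a snooping binding table fed by ACKs on a trusted port, drops server messages on untrusted ports (the rogue DHCP case), and then checks ARP senders against the bindings or a static ACL equivalent to the slide's arp access-list. The port numbers, the victim/attacker/gateway MACs, the 192.168.0.0/24 addresses and the DHCP transaction are constructed for the example; only the laptop entry is taken from the slide.

```python
import struct
from ipaddress import IPv4Address

def mac(s):
    return bytes.fromhex(s.replace(":", "").replace(".", ""))

def ip4(s):
    return IPv4Address(s).packed

DISCOVER, OFFER, REQUEST, ACK, NAK = 1, 2, 3, 5, 6
SERVER_MSGS = {OFFER, ACK, NAK}            # only a DHCP server sends these
BOOTP_FMT = ">BBBBIHH4s4s4s4s16s64s128s"   # 236-byte fixed header
COOKIE = b"\x63\x82\x53\x63"
ARP_FMT = ">HHBBH6s4s6s4s"                 # 28-byte Ethernet/IPv4 ARP body

def build_dhcp(msg_type, xid, chaddr, yiaddr="0.0.0.0"):
    """Minimal DHCP packet: BOOTP header, magic cookie, option 53, end option."""
    op = 2 if msg_type in SERVER_MSGS else 1
    zero = ip4("0.0.0.0")
    hdr = struct.pack(BOOTP_FMT, op, 1, 6, 0, xid, 0, 0, zero, ip4(yiaddr), zero, zero,
                      chaddr.ljust(16, b"\0"), b"", b"")
    return hdr + COOKIE + bytes([53, 1, msg_type, 255])

def parse_dhcp(pkt):
    f = struct.unpack(BOOTP_FMT, pkt[:236])
    if pkt[236:240] != COOKIE:
        raise ValueError("no DHCP magic cookie")
    msg_type, i = None, 240
    while i < len(pkt) and pkt[i] != 255:        # walk TLV options up to END
        if pkt[i] == 0:                           # PAD
            i += 1
            continue
        code, length = pkt[i], pkt[i + 1]
        if code == 53:
            msg_type = pkt[i + 2]
        i += 2 + length
    return {"xid": f[4], "chaddr": f[11][:f[2]], "yiaddr": f[8], "type": msg_type}

def build_arp(oper, sha, spa, tha, tpa):
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper, sha, ip4(spa), tha, ip4(tpa))

def parse_arp(pkt):
    f = struct.unpack(ARP_FMT, pkt[:28])
    return {"oper": f[4], "sha": f[5], "spa": f[6], "tha": f[7], "tpa": f[8]}

class L2Guard:
    """DHCP snooping (trusted ports, binding table) plus DAI checked against it."""

    def __init__(self, trusted_ports, arp_acl=()):
        self.trusted = set(trusted_ports)
        self.bindings = {}                     # (mac, ip) -> client port
        self.pending = {}                      # DHCP xid -> port the client sits on
        self.arp_acl = {(mac(m), ip4(i)) for i, m in arp_acl}   # static 'arp access-list'

    def dhcp(self, port, pkt):
        d = parse_dhcp(pkt)
        if d["type"] in SERVER_MSGS and port not in self.trusted:
            return "drop: DHCP server message on untrusted port %d" % port
        if d["type"] in (DISCOVER, REQUEST):
            self.pending[d["xid"]] = port
        elif d["type"] == ACK and d["xid"] in self.pending:
            self.bindings[(d["chaddr"], d["yiaddr"])] = self.pending.pop(d["xid"])
        return "forward"

    def arp(self, port, pkt):
        if port in self.trusted:               # 'ip arp inspection trust'
            return "forward"
        a = parse_arp(pkt)
        key = (a["sha"], a["spa"])
        if key in self.arp_acl or self.bindings.get(key) == port:
            return "forward"
        return "drop: no binding for %s/%s on port %d" % (a["sha"].hex(), IPv4Address(a["spa"]), port)

# Constructed sample segment (not from the talk): real DHCP server behind trusted
# port 24, victim on port 1, attacker on port 3, the static-ACL laptop on port 5.
VICTIM, ATTACKER, GATEWAY = mac("00:0d:60:ce:3c:00"), mac("00:11:22:33:44:55"), mac("00:0d:60:ce:3c:ff")
TODOR = mac("0023.1206.a634")

def demo():
    sw = L2Guard(trusted_ports={24}, arp_acl=[("192.168.0.164", "0023.1206.a634")])
    return [
        sw.dhcp(1, build_dhcp(DISCOVER, 0x1234, VICTIM)),
        sw.dhcp(3, build_dhcp(OFFER, 0x1234, VICTIM, "192.168.0.200")),   # rogue server
        sw.dhcp(24, build_dhcp(OFFER, 0x1234, VICTIM, "192.168.0.50")),
        sw.dhcp(1, build_dhcp(REQUEST, 0x1234, VICTIM)),
        sw.dhcp(24, build_dhcp(ACK, 0x1234, VICTIM, "192.168.0.50")),     # creates binding
        sw.arp(3, build_arp(2, ATTACKER, "192.168.0.1", VICTIM, "192.168.0.50")),  # poison attempt
        sw.arp(1, build_arp(2, VICTIM, "192.168.0.50", GATEWAY, "192.168.0.1")),
        sw.arp(5, build_arp(1, TODOR, "192.168.0.164", b"\0" * 6, "192.168.0.1")),
    ]
```

The rogue OFFER on port 3 is dropped before any client sees it, the legitimate exchange on ports 1 and 24 leaves a binding for the victim, and the attacker's "192.168.0.1 is-at attacker" reply is dropped because no binding or ACL entry backs that sender pair. The laptop with the static address passes only because of the ACL; without DHCP or an ACL entry, DAI drops every ARP packet a host sends, which is the usual surprise when it is first switched on.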

Page 17: Layer 2 Hackery

Things to keep in mind

Virtual environments: the same attacks work against a hypervisor's virtual switch, which often lacks the port-level protections above, so one compromised guest gets an unprotected layer 2 segment shared with its neighbours.

Zombie computers: the attacker does not need physical access; a single compromised workstation inside the LAN is enough of a foothold for all of the above.

802.11 networks (public or otherwise): every associated client shares one layer 2 segment, so ARP spoofing and rogue DHCP work just as well over the air unless the access point isolates clients from each other.

Page 18: Layer 2 Hackery

Using the tactical advantage

Sniffing traffic
-Ridiculous amounts of unencrypted data are still seen on the network
-Information gathering is more than just getting auth credentials
-dsniff, Wireshark, tcpdump etc. etc. etc.

DNS spoofing
-Technically a MitM attack: the attacker on the path, or simply faster on the same segment, answers the victim's query before the real cache does, and the stub accepts the first reply whose transaction ID, port and question match.
-DNSSEC does not address client <-> cache security: it authenticates data between the authoritative zone and a validating resolver, but the last hop from the stub client to its cache is still plain UDP, so a forged reply on the LAN is accepted unless the client validates for itself.
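The race that makes LAN-side DNS spoofing work, as an added Python example that is not from the talk. It encodes and parses minimal DNS query and A-record response packets and models a non-validating stub resolver that accepts the first reply matching source address, transaction ID and question. The attacker spoofs the cache's source address; when the attacker can sniff the query (the layer 2 position this whole talk is about) the transaction ID is known and the forged answer wins, and when it cannot, a blind guess is rejected and the real answer lands. Names, addresses and the transaction ID are constructed for the example; a real stub also matches the UDP source port, which is omitted here.

```python
import struct

def encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\0"

def decode_name(pkt, off):
    labels = []
    while pkt[off]:
        n = pkt[off]
        labels.append(pkt[off + 1:off + 1 + n].decode())
        off += 1 + n
    return ".".join(labels), off + 1

def build_query(txid, name):
    """Standard recursive A query: header (RD set), one question."""
    return struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack(">HH", 1, 1)

def build_response(txid, name, ip_str, ttl=60):
    """Response echoing the question plus one A record (owner name as a compression pointer)."""
    hdr = struct.pack(">HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack(">HH", 1, 1)
    rdata = bytes(int(o) for o in ip_str.split("."))
    answer = b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, ttl, len(rdata)) + rdata
    return hdr + question + answer

def parse_response(pkt):
    txid, flags, qd, an, _, _ = struct.unpack(">HHHHHH", pkt[:12])
    name, off = decode_name(pkt, 12)
    off += 4                                     # skip QTYPE/QCLASS
    answers = []
    for _ in range(an):
        off += 2                                 # owner name is a pointer, as built above
        rtype, rclass, ttl, rdlen = struct.unpack(">HHIH", pkt[off:off + 10])
        off += 10
        if rtype == 1:
            answers.append(".".join(str(b) for b in pkt[off:off + rdlen]))
        off += rdlen
    return {"txid": txid, "name": name, "answers": answers}

class StubResolver:
    """Non-validating stub: the first reply whose source, txid and question match wins."""

    def __init__(self, cache_ip):
        self.cache_ip = cache_ip
        self.outstanding = {}                    # txid -> name

    def query(self, txid, name):
        self.outstanding[txid] = name
        return build_query(txid, name)

    def receive(self, src_ip, pkt):
        r = parse_response(pkt)
        if src_ip != self.cache_ip or self.outstanding.get(r["txid"]) != r["name"]:
            return None                          # ignored; a later matching reply still counts
        del self.outstanding[r["txid"]]
        return r["answers"]

CACHE_IP, REAL_ANSWER, FORGED_ANSWER = "192.168.0.53", "203.0.113.10", "192.168.0.66"   # constructed

def race(attacker_sees_query):
    """Attacker answers first with the cache's source IP spoofed. With the query sniffed
    on the LAN the txid is known; blind, it must be guessed (here: a wrong guess)."""
    client = StubResolver(CACHE_IP)
    q = client.query(0xbeef, "bank.example")
    txid = struct.unpack(">H", q[:2])[0] if attacker_sees_query else 0x1111
    forged_first = client.receive(CACHE_IP, build_response(txid, "bank.example", FORGED_ANSWER))
    real_second = client.receive(CACHE_IP, build_response(0xbeef, "bank.example", REAL_ANSWER))
    return forged_first, real_second
```

Nothing in the stub can tell the forged reply from the real one once the identifiers match; that is the client-to-cache gap DNSSEC leaves open, and it is the sniffed transaction ID that turns a 1-in-65536 blind guess into a sure thing.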

Page 21: Layer 2 Hackery

Using the tactical advantage

Man in the Middle (MitM) attacks

In SSL we trust: a MitM cannot read TLS, but it can strip it (rewrite https links to http before the victim sees them) or present a certificate the browser warns about.

Humans are often the weakest link: users click through certificate warnings and do not notice a missing padlock.

Page 23: Layer 2 Hackery

References

http://seanconvery.com/SEC-2002.pdf

http://www.sanog.org/resources/sanog7/yusuf-L2-attack-mitigation.pdf

http://www.yersinia.net/

http://ettercap.sourceforge.net/

http://www.thoughtcrime.org/

http://www.cisco.com/

http://www.google.com