Layer 2 Hackery


Todor Genov
ZaCon 2009

  1. Layer 2 hackery, Todor Genov, ZaCon 2009
  2. Why bring up this old topic?
     Best practices are still being ignored.
     Compromise on layer 2 == Game Over.
     ZaCon is the perfect place to rekindle awareness.
  3. Means to an end
     Getting the upper hand:
       - STP trickery
       - DTP/VTP trickery
       - CAM table and DHCP abuse
       - ARP poisoning
     Using the tactical advantage:
       - Passive sniffing
       - DNS spoofing
       - MitM
  4. STP
     Avoiding topology loops.
     Single ROOT device in a topology.
     BPDUs.
     By sending crafted BPDUs an attacker can become the root bridge.
  5. [diagram slide, no text]
  6. STP attack mitigation
     Disable STP in a loop-less topology:
       sw1(config)#no spanning-tree vlan 1-1024
     Enable bpduguard/bpdufilter on access ports:
       sw1(config)#int Fa0/1
       sw1(config-if)#spanning-tree bpdufilter enable
       or
       sw1(config-if)#spanning-tree bpduguard enable
     Enable root guard on known STP root ports:
       sw1(config)#int GigabitEthernet 0/1
       sw1(config-if)#spanning-tree guard root
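To make the root-bridge election on slide 4 and the two guards on slide 6 concrete, here is an added example (not part of the talk) that parses an 802.1D Configuration BPDU and applies the same decision bpduguard and rootguard make on a port. Bridge identifiers, timer values and the port roles are constructed for the demonstration; `guard_action` is a hypothetical helper that models the switch behaviour, not an IOS API.

```python
import struct
from dataclasses import dataclass

LLC_STP = b"\x42\x42\x03"   # DSAP/SSAP 0x42 + UI control byte: an 802.1D BPDU follows


def fmt_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", "").replace(".", ""))


@dataclass(frozen=True, order=True)
class BridgeId:
    """Bridge ID as STP compares it: lower priority wins, then lower MAC."""
    priority: int
    mac: str


@dataclass
class ConfigBpdu:
    flags: int
    root: BridgeId
    root_path_cost: int
    bridge: BridgeId
    port_id: int
    message_age: int      # timers are in 1/256 s units, as on the wire
    max_age: int
    hello_time: int
    forward_delay: int


def build_config_bpdu(root: BridgeId, root_path_cost: int, bridge: BridgeId,
                      port_id: int = 0x8001, flags: int = 0) -> bytes:
    """Serialise a Configuration BPDU: LLC header + 35-byte 802.1D body."""
    body = struct.pack("!HBBB", 0x0000, 0x00, 0x00, flags)   # proto id, version, type, flags
    body += struct.pack("!H6sIH6sHHHHH",
                        root.priority, mac_bytes(root.mac), root_path_cost,
                        bridge.priority, mac_bytes(bridge.mac), port_id,
                        0, 20 * 256, 2 * 256, 15 * 256)       # age, max age, hello, fwd delay
    return LLC_STP + body


def parse_config_bpdu(payload: bytes) -> ConfigBpdu:
    """Parse the LLC + BPDU bytes of a frame sent to 01:80:c2:00:00:00."""
    if payload[:3] != LLC_STP:
        raise ValueError("not an 802.1D BPDU")
    body = payload[3:]
    proto_id, _version, bpdu_type, flags = struct.unpack("!HBBB", body[:5])
    if proto_id != 0 or bpdu_type != 0x00:
        raise ValueError(f"unsupported BPDU type 0x{bpdu_type:02x}")
    (root_prio, root_mac, cost, br_prio, br_mac, port_id,
     msg_age, max_age, hello, fwd) = struct.unpack("!H6sIH6sHHHHH", body[5:35])
    return ConfigBpdu(flags, BridgeId(root_prio, fmt_mac(root_mac)), cost,
                      BridgeId(br_prio, fmt_mac(br_mac)), port_id,
                      msg_age, max_age, hello, fwd)


def guard_action(bpdu: ConfigBpdu, current_root: BridgeId,
                 bpduguard: bool = False, rootguard: bool = False) -> str:
    """What a port does with a received BPDU (hypothetical model of the IOS guards).

    bpduguard: an access port must never see a BPDU, so any BPDU err-disables it.
    rootguard: a BPDU advertising a better root than the known one would move the
    root, so the port goes root-inconsistent (blocking) instead of accepting it.
    """
    if bpduguard:
        return "err-disable (bpduguard)"
    if rootguard and bpdu.root < current_root:
        return "root-inconsistent (rootguard)"
    if bpdu.root < current_root:
        return "accept: new root"          # unguarded port: the election is lost
    return "accept"


if __name__ == "__main__":
    known_root = BridgeId(32768, "00:0d:60:ce:3c:00")                    # constructed
    claimant = BridgeId(0, "02:00:00:00:00:01")                           # constructed
    bpdu = parse_config_bpdu(build_config_bpdu(claimant, 0, claimant))
    for guards in ({}, {"bpduguard": True}, {"rootguard": True}):
        print(guards or "no guard", "->", guard_action(bpdu, known_root, **guards))
```

Running the block shows the same superior BPDU being accepted on an unguarded port, err-disabling a bpduguard port, and blocking a rootguard port, which is exactly the difference the three commands on slide 6 make.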
  7. DTP/VTP
     Proprietary to Cisco.
     DTP automates trunk port negotiation.
     VTP manages VLANs across the switching domain.
  8. [diagram slide, no text]
  9. DTP/VTP attack mitigation
     Disable trunk negotiation on user ports:
       sw1(config)#int Fa0/1
       sw1(config-if)#switchport mode access
     Explicitly specify allowed VLANs on a trunk:
       sw1(config)#int Fa0/1
       sw1(config-if)#switchport mode trunk
       sw1(config-if)#switchport trunk allowed vlan 3,5-7,11
     Disable VTP (or at least set a domain password!):
       sw1(config)#vtp mode transparent
       or
       sw1(config)#vtp password T0P53KR3T
  10. CAM flood & DHCP attacks
      CAM tables contain MAC-to-port mappings.
      Switch without CAM table == HUB.
      Fail closed vs fail open.
      DHCP starvation (DoS).
  11. CAM flood and DHCP starvation mitigation
      Port security:
        - Static MAC addresses where possible
          sw1(config)#int Fa0/1
          sw1(config-if)#switchport port-security
          sw1(config-if)#switchport port-security mac-address 000d.60ce.3c00
        - Limit number of dynamic MAC addresses per port
          sw1(config)#int Fa0/1
          sw1(config-if)#switchport port-security
          sw1(config-if)#switchport port-security maximum 1
          sw1(config-if)#switchport port-security violation { protect | restrict | shutdown }
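Slides 10 and 11 compress a lot into three lines: why a full CAM table turns a switch into a hub, what "fail open" versus "fail closed" means for the hosts behind it, and how a per-port address limit changes the outcome. The following added example (mine, not from the talk) models a learning switch with a bounded CAM table and the three port-security violation modes, then replays one constructed traffic pattern against each configuration. The port names, MAC addresses and the fail-closed behaviour (drop anything the table cannot learn) are assumptions made for the model, not a description of any particular switch.

```python
from collections import Counter

BROADCAST = "ff:ff:ff:ff:ff:ff"
SERVER = "00:0d:60:ce:3c:00"   # constructed
CLIENT = "00:23:12:06:a6:34"   # constructed


class ToySwitch:
    """Minimal learning switch with a bounded CAM table and per-port port-security."""

    def __init__(self, ports, cam_capacity, fail_mode="open"):
        if fail_mode not in ("open", "closed"):
            raise ValueError("fail_mode must be 'open' or 'closed'")
        self.ports = list(ports)
        self.cam = {}                    # mac -> port
        self.cam_capacity = cam_capacity
        self.fail_mode = fail_mode
        self.port_security = {}          # port -> (maximum, violation mode)
        self.err_disabled = set()
        self.violations = Counter()
        self.log = []

    def enable_port_security(self, port, maximum=1, violation="shutdown", static_macs=()):
        """Equivalent of 'switchport port-security maximum N violation MODE'."""
        if violation not in ("protect", "restrict", "shutdown"):
            raise ValueError(violation)
        self.port_security[port] = (maximum, violation)
        for mac in static_macs:          # 'switchport port-security mac-address ...'
            self.cam[mac.lower()] = port

    def _macs_on(self, port):
        return sum(1 for p in self.cam.values() if p == port)

    def _learn(self, port, mac):
        """Learn the source address; return False if the frame must be dropped."""
        if self.cam.get(mac) == port:
            return True
        if port in self.port_security:
            maximum, violation = self.port_security[port]
            if self._macs_on(port) >= maximum:
                if violation == "protect":
                    return False         # dropped silently: no counter, no log
                self.violations[port] += 1
                self.log.append(f"{port}: port-security violation by {mac} ({violation})")
                if violation == "shutdown":
                    self.err_disabled.add(port)
                return False
        if mac not in self.cam and len(self.cam) >= self.cam_capacity:
            # CAM exhausted. Fail-open keeps forwarding by flooding (hub behaviour);
            # fail-closed refuses frames from addresses it cannot learn.
            return self.fail_mode == "open"
        self.cam[mac] = port
        return True

    def forward(self, in_port, src_mac, dst_mac):
        """Return the ports the frame is sent out of ([] means dropped)."""
        if in_port in self.err_disabled or not self._learn(in_port, src_mac):
            return []
        flood = [p for p in self.ports if p != in_port and p not in self.err_disabled]
        if dst_mac == BROADCAST:
            return flood
        out = self.cam.get(dst_mac)
        if out is not None:
            return [] if out == in_port else [out]
        if self.fail_mode == "closed" and len(self.cam) >= self.cam_capacity:
            return []                    # unknown unicast with a full table: drop
        return flood                     # unknown unicast: flood like a hub


def scenario(fail_mode, secure_port):
    """Constructed traffic: the station on Fa0/1 presents six source MACs, a server
    on Fa0/3 announces itself, then a client on Fa0/2 sends the server a frame."""
    sw = ToySwitch(["Fa0/1", "Fa0/2", "Fa0/3", "Fa0/4"], cam_capacity=4, fail_mode=fail_mode)
    if secure_port:
        sw.enable_port_security("Fa0/1", maximum=1, violation="shutdown")
    for i in range(6):
        sw.forward("Fa0/1", f"02:00:00:00:00:{i:02x}", BROADCAST)
    sw.forward("Fa0/3", SERVER, BROADCAST)
    return sw.forward("Fa0/2", CLIENT, SERVER), sw


if __name__ == "__main__":
    for mode, secure in (("open", False), ("closed", False), ("open", True)):
        out, sw = scenario(mode, secure)
        print(f"fail-{mode}, port-security={secure}: client->server goes to {out}, "
              f"err-disabled={sorted(sw.err_disabled)}")
```

With a fail-open table and no port security the client's unicast is flooded to every port, including the one the address flood came from; fail-closed stops the flooding but also drops the legitimate frame (the DoS outcome); `maximum 1` with `shutdown` err-disables Fa0/1 at the second address, the table never fills and the frame is switched only to Fa0/3.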
  12. Rogue DHCP
      Very effective following a DHCP starvation.
      Guess what gateway/DNS info an attacker would supply :)
  13. DHCP snooping
      Blocks rogue DHCP servers:
        sw1(config)#ip dhcp snooping
        sw1(config)#ip dhcp snooping information option
        sw1(config)#int Fa0/1
        sw1(config-if)#ip dhcp snooping trust
      Rate-limit DHCP requests on untrusted ports:
        sw1(config-if)#ip dhcp snooping limit rate 10
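Slides 6, 9, 11 and 13 together form a hardening checklist, and the talk's point is that it is still ignored. A practical way to act on it is to audit running configurations for the commands those slides name. The following added example (mine, not from the talk) is a small IOS-style config parser with the checks derived from those four slides; the sample configuration is constructed, the function names are hypothetical, and the auditor assumes that access ports should be untrusted for DHCP snooping and that every physical port should have an explicit switchport mode.

```python
SAMPLE_CONFIG = """\
hostname sw1
!
vtp mode transparent
ip dhcp snooping
ip dhcp snooping vlan 2,3
ip arp inspection vlan 2,3
!
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 2
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation shutdown
 spanning-tree bpduguard enable
!
interface FastEthernet0/2
 switchport access vlan 2
!
interface GigabitEthernet0/1
 switchport mode trunk
 ip dhcp snooping trust
!
"""

PHYSICAL = ("FastEthernet", "GigabitEthernet", "TenGigabitEthernet")


def parse_ios_config(text):
    """Split a show-running-config style text into global lines and per-interface lines."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        if raw.startswith(" ") and current is not None:
            interfaces[current].append(raw.strip())     # indented line belongs to the block
            continue
        line = raw.strip()
        current = None                                  # any column-0 line ends the block
        if not line or line == "!":
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces.setdefault(current, [])
        else:
            global_lines.append(line)
    return global_lines, interfaces


def audit_config(text):
    """Return a list of findings, one per missing hardening step from the talk."""
    findings = []
    global_lines, interfaces = parse_ios_config(text)

    def has(prefix, lines):
        return any(l.startswith(prefix) for l in lines)

    if not has("ip dhcp snooping", global_lines):
        findings.append("global: DHCP snooping is not enabled")
    if not has("ip arp inspection vlan", global_lines):
        findings.append("global: dynamic ARP inspection is not enabled on any VLAN")
    if "vtp mode transparent" not in global_lines and not has("vtp password", global_lines):
        findings.append("global: VTP is active without a domain password")

    for name, lines in interfaces.items():
        if not name.startswith(PHYSICAL):
            continue
        mode = next((l.split()[-1] for l in lines if l.startswith("switchport mode ")), None)
        if mode is None:
            findings.append(f"{name}: no switchport mode, DTP trunk negotiation is possible")
        elif mode == "access":
            if not (has("spanning-tree bpduguard", lines) or has("spanning-tree bpdufilter", lines)):
                findings.append(f"{name}: access port without bpduguard/bpdufilter")
            if not has("switchport port-security", lines):
                findings.append(f"{name}: access port without port security")
            if "ip dhcp snooping trust" in lines:
                findings.append(f"{name}: access port is trusted for DHCP snooping")
        elif mode == "trunk":
            if not has("switchport trunk allowed vlan", lines):
                findings.append(f"{name}: trunk carries all VLANs, no allowed-vlan list")
    return findings


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print(finding)
```

Against the constructed configuration the auditor reports exactly two findings: FastEthernet0/2 has no explicit switchport mode, and the uplink trunk has no allowed-VLAN list. A configuration with none of the global commands and a bare access port produces the full list of missing steps, which is the situation slide 2 complains about.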
  14. ARP poisoning
      ARP spoofing
      Gratuitous ARP
  15. [diagram slide, no text]
  16. Dynamic ARP inspection
      Verifies IP-to-MAC bindings.
      Requires a trusted database of such bindings:
        - DHCP (with snooping enabled)
          sw1(config)#ip arp inspection vlan 2,3
        - Static ACLs
          sw1(config)#arp access-list laptop-todor
          sw1(config-arp-nacl)#permit ip host mac host 0023.1206.a634
          sw1(config)#ip arp inspection filter laptop-todor vlan 2
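To show what "verifies IP-to-MAC bindings" means at the packet level, here is an added example (mine, not from the talk) that parses raw ARP frames and applies the DAI decision from slide 16: on an untrusted port the sender IP/MAC pair must match either a binding learned from DHCP snooping or a static entry of the kind the `arp access-list` on the slide creates; trusted ports are not inspected. The IP addresses, MAC addresses and port names are constructed, and `ArpInspector` is a hypothetical software model of the feature, not the switch's own implementation.

```python
import struct
import ipaddress

ETH_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def _mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", "").replace(".", ""))


def build_arp(eth_src, op, sha, spa, tha, tpa, eth_dst="ff:ff:ff:ff:ff:ff") -> bytes:
    """Serialise an Ethernet II frame carrying an ARP packet (used here to build samples)."""
    eth = struct.pack("!6s6sH", _mac_bytes(eth_dst), _mac_bytes(eth_src), ETH_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op,
                      _mac_bytes(sha), ipaddress.IPv4Address(spa).packed,
                      _mac_bytes(tha), ipaddress.IPv4Address(tpa).packed)
    return eth + arp


def parse_arp(frame: bytes) -> dict:
    """Return the fields DAI needs from an Ethernet + ARP frame."""
    _dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETH_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unexpected ARP hardware/protocol encoding")
    return {"eth_src": _mac(src), "op": op, "sha": _mac(sha),
            "spa": str(ipaddress.IPv4Address(spa)),
            "tha": _mac(tha), "tpa": str(ipaddress.IPv4Address(tpa))}


class ArpInspector:
    """Software model of dynamic ARP inspection (hypothetical, for illustration)."""

    def __init__(self, trusted_ports=()):
        self.trusted = set(trusted_ports)
        self.dhcp_bindings = {}      # ip -> mac, populated by DHCP snooping
        self.static_acl = {}         # ip -> mac, the 'arp access-list' entries

    def learn_dhcp_binding(self, ip, mac):
        """Called when snooping sees a DHCPACK for ip on an untrusted port."""
        self.dhcp_bindings[ip] = mac.lower()

    def permit_static(self, ip, mac):
        """Equivalent of 'permit ip host IP mac host MAC' in an arp access-list."""
        self.static_acl[ip] = mac.lower()

    def inspect(self, port, frame):
        """Return (forward?, reason) for an ARP frame received on port."""
        if port in self.trusted:
            return True, "forward: trusted port, not inspected"
        a = parse_arp(frame)
        if a["spa"] == a["tpa"]:
            kind = "gratuitous ARP"
        else:
            kind = "reply" if a["op"] == ARP_REPLY else "request"
        if a["eth_src"] != a["sha"]:
            return False, f"drop {kind}: Ethernet source {a['eth_src']} != ARP sender {a['sha']}"
        expected = self.static_acl.get(a["spa"]) or self.dhcp_bindings.get(a["spa"])
        if expected is None:
            return False, f"drop {kind}: no binding for {a['spa']}"
        if expected != a["sha"]:
            return False, f"drop {kind}: {a['spa']} is bound to {expected}, not {a['sha']}"
        return True, f"forward {kind}"


if __name__ == "__main__":
    dai = ArpInspector(trusted_ports={"Gi0/1"})
    dai.learn_dhcp_binding("10.0.2.1", "00:0d:60:ce:3c:00")     # constructed gateway binding
    dai.permit_static("10.0.2.5", "00:23:12:06:a6:34")          # constructed static entry
    legit = build_arp("00:23:12:06:a6:34", ARP_REQUEST, "00:23:12:06:a6:34", "10.0.2.5",
                      "00:00:00:00:00:00", "10.0.2.1")
    grat = build_arp("02:00:00:00:00:aa", ARP_REPLY, "02:00:00:00:00:aa", "10.0.2.1",
                     "02:00:00:00:00:aa", "10.0.2.1")           # constructed claim on the gateway IP
    for port, frame in (("Fa0/1", legit), ("Fa0/2", grat), ("Gi0/1", grat)):
        print(port, dai.inspect(port, frame))
```

The second case is the one slide 14 is about: a gratuitous ARP claiming the gateway's IP from another MAC is dropped on an untrusted port because the snooping binding says otherwise, while the same frame on the trusted uplink is passed through, which is why which ports are marked `trust` matters as much as enabling the feature.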
  17. Things to keep in mind
      Virtual environments
      Zombie computers
      802.11 networks (public or otherwise)
  18. Using the tactical advantage
      Sniffing traffic:
        - Ridiculous amounts of unencrypted data are still seen on the network
        - Information gathering is more than just getting auth credentials
        - dsniff, Wireshark, tcpdump etc.
      DNS spoofing:
        - Technically a MitM attack
        - DNSSEC does not address client <-> cache security
  19. [diagram slide, no text]
  20. [diagram slide, no text]
  21. Using the tactical advantage
      Man in the Middle (MitM) attacks
      In SSL we trust
      Humans are often the weakest link
  22. [diagram slide, no text]
  23. References