• Share
  • Email
  • Embed
  • Like
  • Save
  • Private Content
Layer 2 Hackery
 

Layer 2 Hackery

on

  • 1,663 views

Todor Genov

Todor Genov
ZaCon 2009
http://www.zacon.org.za/Archives/2009/slides/

Statistics

Views

Total Views
1,663
Views on SlideShare
1,660
Embed Views
3

Actions

Likes
2
Downloads
62
Comments
0

1 Embed 3

http://www.slideshare.net 3

Accessibility

Categories

Upload Details

Uploaded via as Adobe PDF

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

    Layer 2 Hackery Layer 2 Hackery Presentation Transcript

    • Layer 2 hackery Todor Genov todor@subnet.co.za ZaCon 2009
    • Why bring up this old topic? Best practices are still being ignored. Compromise on layer 2 == Game Over ZaCon is the perfect place to rekindle awareness ZaCon 2009
    • Means to an end Getting the upper hand -STP trickery -DTP/VTP trickery -CAM table and DHCP abuse -ARP poisoning Using the tactical advantage -Passive sniffing -DNS spoofing -MiTM ZaCon 2009
    • STP Avoiding topology loops Single ROOT device in a topology BPDUs By sending crafted BPDUs an attacker can become the root bridge ZaCon 2009
    • ZaCon 2009
    • STP attack mitigation Disable STP in a loop-less topology sw1(config)#no spanning-tree vlan 1-1024 Enable bpduguard/bpdufilter on access ports sw1(config)#int Fa0/1 sw1(config-if)#spanning-tree bpdufilter or sw1(config-if)#spanning-tree bpduguard Enable root guard on known STP root ports sw1(config)#int GigabitEthernet 0/1 sw1(config-if)#spanning-tree guard root ZaCon 2009
    • DTP/VTP Proprietary to Cisco DTP automates trunk port negotiation VTP manages VLANs accross the switching domain
    • ZaCon 2009
    • DTP/VTP attack mitigation Disable trunk negotiation on user ports sw1(config)#int Fa0/1 sw1(config-if)#switchport mode access Explicitly specify allowed VLANs on a trunk sw1(config)#int Fa0/1 sw1(config-if)#switchport mode trunk sw1(config-if)#switchport trunk allowed vlan 3,5-7,11 Disable VTP (or at least set a domain password!) sw1(config)#vtp mode transparent or sw1(config)#vtp password T0P53KR3T ZaCon 2009
    • CAM flood & DHCP attacks CAM tables contain MAC-to-port mappings Switch without CAM table == HUB Fail close vs Fail open DHCP starvation (DoS) ZaCon 2009
    • CAM flood and DHCP starvation mitigation Port security -Static MAC addresses where possible sw1(config)#int Fa0/1 sw1(config-if)#switchport port-security mac-address 000d.60ce.3c00 -Limit number of dynamic MAC addresses per port sw1(config)#int Fa0/1 sw1(config-if)#switchport port-security maximum 1 sw1(config-if)#switchport port-security { protect | restrict | shutdown } ZaCon 2009
    • Rogue DHCP Very effective following a DHCP starvation Guess what gateway/DNS info an attacker would supply :) ZaCon 2009
    • DHCP snooping Blocks rogue DHCP servers sw1(config)#ip dhcp snooping sw1(config)#ip dhcp snooping information option sw1(config)#int Fa0/1 sw1(config-if)#ip dhcp snooping trust Rate-limit DHCP requests on untrusted ports sw1(config-if)#ip dhcp snooping limit 10 ZaCon 2009
    • ARP poisoning ARP spoofing Gratuitous ARP ZaCon 2009
    • ZaCon 2009
    • Dynamic ARP inspection Verifies IP-to-MAC bindings Requires a trusted database of such bindings -DHCP (with snooping enabled) sw1(config)#ip arp inspection vlan 2,3 -Static ACLs sw1(config)#arp access-list laptop-todor sw1(config-arp-nacl)#permit ip host 192.168.0.164 mac host 0023.1206.a634 sw1(config)#ip arp inspection filter todor-laptop vlan 2 ZaCon 2009
    • Things to keep in mind Virtual environments Zombie computers 802.11 networks (public or otherwise) ZaCon 2009
    • Using the tactical advantage Sniffing traffic -Ridiculous amounts of unencrypted data is still seen on the network -Information gathering is more than just getting auth credentials -dsniff, Wireshark, tcpdump etc. etc. etc. DNS spoofing -Technically an MiTM attack -DNSSEC does not address client <-> cache security ZaCon 2009
    • ZaCon 2009
    • ZaCon 2009
    • Using the tactical advantage Man in the Middle (MitM) attacks In SSL we trust Humans are often the weakest link ZaCon 2009
    • ZaCon 2009
    • References http://seanconvery.com/SEC-2002.pdf http://www.sanog.org/resources/sanog7/yusuf-L2-attack-mitigation.pdf http://www.yesrinia.net/ http://ettercap.sourceforge.net/ http://ettercap.sourceforge.net/ http://www.thoughtcrime.org/ http://www.cisco.com/ http://www.google.com ZaCon 2009