Todor Genov
ZaCon 2009
http://www.zacon.org.za/Archives/2009/slides/

Transcript

  • 1. Layer 2 hackery Todor Genov todor@subnet.co.za ZaCon 2009
  • 2. Why bring up this old topic?
    Best practices are still being ignored.
    Compromise on layer 2 == Game Over
    ZaCon is the perfect place to rekindle awareness
  • 3. Means to an end
    Getting the upper hand
    -STP trickery
    -DTP/VTP trickery
    -CAM table and DHCP abuse
    -ARP poisoning
    Using the tactical advantage
    -Passive sniffing
    -DNS spoofing
    -MiTM
  • 4. STP
    Avoiding topology loops
    Single ROOT device in a topology
    BPDUs
    By sending crafted BPDUs an attacker can become the root bridge
  • 6. STP attack mitigation
    Disable STP in a loop-less topology
      sw1(config)#no spanning-tree vlan 1-1024
    Enable bpduguard/bpdufilter on access ports
      sw1(config)#int Fa0/1
      sw1(config-if)#spanning-tree bpdufilter enable
      or
      sw1(config-if)#spanning-tree bpduguard enable
    Enable root guard on known STP root ports
      sw1(config)#int GigabitEthernet 0/1
      sw1(config-if)#spanning-tree guard root
  • 7. DTP/VTP
    Proprietary to Cisco
    DTP automates trunk port negotiation
    VTP manages VLANs across the switching domain
  • 9. DTP/VTP attack mitigation
    Disable trunk negotiation on user ports
      sw1(config)#int Fa0/1
      sw1(config-if)#switchport mode access
    Explicitly specify allowed VLANs on a trunk (and stop DTP on it too)
      sw1(config)#int Fa0/1
      sw1(config-if)#switchport mode trunk
      sw1(config-if)#switchport nonegotiate
      sw1(config-if)#switchport trunk allowed vlan 3,5-7,11
    Disable VTP (or at least set a domain password!)
      sw1(config)#vtp mode transparent
      or
      sw1(config)#vtp password T0P53KR3T
  • 10. CAM flood & DHCP attacks
    CAM tables contain MAC-to-port mappings
    Switch without CAM table == HUB
    Fail close vs Fail open
    DHCP starvation (DoS)
  • 11. CAM flood and DHCP starvation mitigation
    Port security (the port must be in access mode and have port-security enabled first)
    -Static MAC addresses where possible
      sw1(config)#int Fa0/1
      sw1(config-if)#switchport mode access
      sw1(config-if)#switchport port-security
      sw1(config-if)#switchport port-security mac-address 000d.60ce.3c00
    -Limit number of dynamic MAC addresses per port
      sw1(config)#int Fa0/1
      sw1(config-if)#switchport port-security maximum 1
      sw1(config-if)#switchport port-security violation { protect | restrict | shutdown }
  • 12. Rogue DHCP
    Very effective following a DHCP starvation
    Guess what gateway/DNS info an attacker would supply :)
  • 13. DHCP snooping
    Blocks rogue DHCP servers
      sw1(config)#ip dhcp snooping
      sw1(config)#ip dhcp snooping vlan 2,3
      sw1(config)#ip dhcp snooping information option
      sw1(config)#int Fa0/1
      sw1(config-if)#ip dhcp snooping trust
    Rate-limit DHCP requests on untrusted ports
      sw1(config)#int Fa0/2
      sw1(config-if)#ip dhcp snooping limit rate 10
  • 14. ARP poisoning
    ARP spoofing
    Gratuitous ARP
  • 16. Dynamic ARP inspection
    Verifies IP-to-MAC bindings
    Requires a trusted database of such bindings
    -DHCP (with snooping enabled)
      sw1(config)#ip arp inspection vlan 2,3
    -Static ACLs
      sw1(config)#arp access-list laptop-todor
      sw1(config-arp-nacl)#permit ip host 192.168.0.164 mac host 0023.1206.a634
      sw1(config-arp-nacl)#exit
      sw1(config)#ip arp inspection filter laptop-todor vlan 2
  • 17. Things to keep in mind
    Virtual environments
    Zombie computers
    802.11 networks (public or otherwise)
  • 18. Using the tactical advantage
    Sniffing traffic
    -Ridiculous amounts of unencrypted data are still seen on the network
    -Information gathering is more than just getting auth credentials
    -dsniff, Wireshark, tcpdump etc. etc. etc.
    DNS spoofing
    -Technically a MitM attack
    -DNSSEC does not address client <-> cache security
  • 21. Using the tactical advantage
    Man in the Middle (MitM) attacks
    In SSL we trust
    Humans are often the weakest link
  • 23. References
    http://seanconvery.com/SEC-2002.pdf
    http://www.sanog.org/resources/sanog7/yusuf-L2-attack-mitigation.pdf
    http://www.yesrinia.net/
    http://ettercap.sourceforge.net/
    http://www.thoughtcrime.org/
    http://www.cisco.com/
    http://www.google.com
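A software model of the Dynamic ARP inspection check from slide 16, added here as an example and not part of the original deck: an ARP packet arriving on an untrusted port is forwarded only if its sender IP-to-MAC pair matches a DHCP-snooping binding or a static ARP ACL entry, and the MAC inside the ARP payload matches the Ethernet source. The binding table, port names and sample packets are constructed; only the 192.168.0.164 / 0023.1206.a634 entry comes from the slide.

```python
from dataclasses import dataclass

# Constructed sample data: bindings a switch would learn through DHCP snooping
DHCP_BINDINGS = {"192.168.0.1": "0011.2233.0001",   # default gateway
                 "192.168.0.10": "0011.2233.0010"}
# Static binding, mirroring the 'arp access-list laptop-todor' entry on slide 16
STATIC_ACL = {"192.168.0.164": "0023.1206.a634"}
# Uplink ports whose ARP traffic is trusted and therefore not inspected
TRUSTED_PORTS = {"Gi0/1"}

@dataclass
class ArpPacket:
    port: str        # ingress switch port
    eth_src: str     # Ethernet source MAC
    sender_ip: str   # ARP sender protocol address
    sender_mac: str  # ARP sender hardware address

def inspect(pkt: ArpPacket) -> str:
    """Return 'forward' or 'drop: <reason>' for one ARP packet, DAI-style."""
    if pkt.port in TRUSTED_PORTS:
        return "forward"
    # The MAC inside the ARP payload must match the Ethernet source header
    if pkt.eth_src.lower() != pkt.sender_mac.lower():
        return "drop: ARP sender MAC differs from Ethernet source"
    # A static ACL entry takes precedence over a DHCP-learned binding
    expected = STATIC_ACL.get(pkt.sender_ip) or DHCP_BINDINGS.get(pkt.sender_ip)
    if expected is None:
        return "drop: no trusted binding for %s" % pkt.sender_ip
    if expected.lower() != pkt.sender_mac.lower():
        return "drop: %s is bound to %s, not %s" % (pkt.sender_ip, expected, pkt.sender_mac)
    return "forward"

def inspect_all(packets):
    """Inspect a batch and return (forwarded, dropped) counts."""
    verdicts = [inspect(p) for p in packets]
    dropped = sum(v.startswith("drop") for v in verdicts)
    return len(verdicts) - dropped, dropped

# Constructed traffic: two legitimate ARPs, one ARP from the trusted uplink, and a
# gratuitous ARP on an access port claiming the gateway's IP with a foreign MAC.
SAMPLE = [
    ArpPacket("Fa0/2", "0011.2233.0010", "192.168.0.10", "0011.2233.0010"),
    ArpPacket("Fa0/4", "0023.1206.a634", "192.168.0.164", "0023.1206.a634"),
    ArpPacket("Gi0/1", "0011.2233.0001", "192.168.0.1", "0011.2233.0001"),
    ArpPacket("Fa0/3", "aaaa.bbbb.cccc", "192.168.0.1", "aaaa.bbbb.cccc"),
]

if __name__ == "__main__":
    for p in SAMPLE:
        print(p.port, p.sender_ip, inspect(p))
```

The last sample packet is the gratuitous-ARP pattern from slide 14; with a binding table in place it is the only one that fails inspection.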