Hacking Cisco Networks and Countermeasures
Overview
• Reconnaissance Attacks
– Passive Sniffing
– Ping Sweeps
– Port Scans (tcp&udp)
• Active Attacks
– Password atta...
Reconnaissance Attacks
• Reconnaissance refers to the
overall act of learning
information about a target
network by using ...
Packet Sniffers
• A packet sniffer is a software application that uses a network
adapter card in promiscuous mode to captu...
Passive Sniffing
Packet Sniffer Attack Mitigation
• Here are some packet sniffer mitigation techniques and tools:
– Authentication
– Switch...
Port Scans and Ping Sweeps
• Port scan and ping sweep attacks:
– Identify all services on the network
– Identify all hosts...
Ping Sweep with NMAP
Ping Sweep (cont.)
Blocking Ping Sweeps
access-list 102 deny icmp any any echo
access-list 102 permit ip any any
interface FastEthernet0/0
ip...
Seems like it worked but ???
We give out too much information…
To block messages originating from
the blocking router…
access-list 103 permit icmp any any unreachable
class-map match-al...
Same result…
But this time we don’t share info…
Simple UDP Port Scan
Destination Unreachable (Port)
How to block…
access-list 101 deny icmp any any unreachable
access-list 101 permit ip any any
interface FastEthernet0/0
ip...
We don’t send any unreachable
messages…
After Blocking everything seems
open, some obscurity for scanner…
• Port scans and ping sweeps cannot be prevented without
compromising network capabilities.
Port Scan and Ping Sweep
Attac...
Internet Information Queries
• Sample IP address query
Attackers can use Internet
tools such as whois as a
weapon.
Access Attacks
• Intruders use access attacks on
networks or systems for the these
reasons:
– Retrieve data
– Gain access
...
Password Attacks
• Hackers implement password attacks using:
– Brute-force attacks
– Trojan horse programs
– IP spoofing
–...
Password Attack Example
– The bgp_md5crack tool is used for cracking a secret used for
RFC2385 based packet signing and au...
For Routing Protocols…
Simple Cracking with Cain…
Trust Exploitation
– A hacker leverages
existing trust
relationships.
– Several trust models
exist:
• Microsoft Windows:
–...
Port Redirection
Host B
Attacker
Source: A
Destination: B
Port: 23
Compromised
Host A
Source: Attacker
Destination: A
Port...
Port Redirection Configuration
On HOSTA we create a named pipe using the mkfifo commands:
#pipe will be the name of our na...
Here we are connected to the
internal switch…
IP Spoofing
– IP spoofing occurs when a hacker inside or outside a
network impersonates a trusted source.
– IP spoofing us...
IP Spoofing—Types of Attack
•IP spoofing attacks are either:
– Nonblind spoofing
• The attacker sniffs sequence numbers
(i...
Let’s see in action
Here we drive router to reply to the
other host..
Man-in-the-Middle Attacks
– A man-in-the-middle attack requires that the hacker has
access to network packets that come ac...
IP Spoofing Attack Mitigation
• The threat of IP spoofing can be reduced, but not eliminated,
using these measures:
– Stro...
DoS Attacks
• A DoS attack damages or
corrupts your computer
system or denies you and
others access to your
networks, syst...
TCP SYN Flooding DoS Attack
Attacker
TCP
Client
-------------
Client Ports
1024–65535
Victim TCP
Server
-------------
Serv...
DDoS Attacks
• DoS and DDoS attacks have these characteristics:
– They are not generally targeted to gain access.
– They a...
DDoS Example
Handler
Systems
Client System
4. The client
issues commands
to handlers
that control agents
in a mass attack....
SYN Flooding Attack
Let’s be more creative…
We put almost 1 million packets in one
minute period on the wire, not so bad….
CPU Consumption..
DoS and DDoS Attack Mitigation
• Reduce DoS and DDoS attacks by:
– Protecting yourself against IP spoofing with ingress- a...
Rate Limiting
What rate limiting does:
• Allows network managers to set bandwidth thresholds for users and by traffic type...
Example: ICMP rate limiting
access-list 170 permit icmp any any
Interface f0/0
rate-limit input access-group 170 128000 16...
Spoofing the DHCP Server
1. An attacker activates a DHCP
server on a network segment.
2. The client broadcasts a request
f...
Everything starts with starvation…
Storm Control can be in help…
Interface fastethernet 0/1
storm-control broadcast level 10.00 8.00
DHCP Snooping
– DHCP snooping allows the
configuration of ports as
trusted or untrusted.
• Trusted ports can send
DHCP req...
DHCP Snooping Configuration
ip dhcp snooping
ip dhcp snooping vlan 20
interface FastEthernet0/13
switchport access vlan 20...
ARP Spoofing: Man-in-the-Middle
Attacks
•10.1.1.1 = MAC C.C.C.C
ARP Table in Host A
IP 10.1.1.2
MAC A.A.A.A
A
B
•10.1.1.2 ...
10.1.1.1
Mitigating Man-in-the-Middle
Attacks with DAI
• MAC or IP Tracking Built on DHCP Snooping
10.1.1.2
DHCP Server
DH...
DAI in Action
•A binding table containing IP-address and MAC-address associations is
dynamically populated using DHCP snoo...
DAI Configuration…
ip arp inspection vlan 20
ip arp inspection vlan 20 logging dhcp-bindings all
ip arp inspection validat...
Questions & Discussion
? ??
?
?
?
??
?
?
?
?
?
?
Thank you…
Upcoming SlideShare
Loading in …5
×

Hacking Cisco Networks and Countermeasures

1,836 views
1,727 views

Published on

0 Comments
1 Like
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
1,836
On SlideShare
0
From Embeds
0
Number of Embeds
21
Actions
Shares
0
Downloads
118
Comments
0
Likes
1
Embeds 0
No embeds

No notes for slide
  • Mstream - http://staff.washington.edu/dittrich/misc/mstream.analysis.txt
    Stacheldraht - http://staff.washington.edu/dittrich/misc/stacheldraht.analysis.txt
    Trin00 - http://staff.washington.edu/dittrich/misc/trinoo.analysis.txt
    TFN - http://staff.washington.edu/dittrich/misc/tfn.analysis.txt
  • AntiSniff - http://www.securitysoftwaretech.com/antisniff/
    Check Promiscuous Mode (CPM) – ftp://ftp.cert.org/pub/tools/cpm
    IFSTATUS - ftp://ftp.cerias.purdue.edu/pub/tools/unix/sysutils/ifstatus/
    LiSt Open Files (lsof) - ftp://vic.cc.purdue.edu/pub/tools/unix/lsof
    Neped - http://www.attrition.org/security/newbie/security/sniffer/neped.c
    Promisc - http://www.attrition.org/security/newbie/security/sniffer/promisc.c
    SNORT - http://www.snort.org
  • AntiSniff - http://www.securitysoftwaretech.com/antisniff/
    Check Promiscuous Mode (CPM) – ftp://ftp.cert.org/pub/tools/cpm
    IFSTATUS - ftp://ftp.cerias.purdue.edu/pub/tools/unix/sysutils/ifstatus/
    LiSt Open Files (lsof) - ftp://vic.cc.purdue.edu/pub/tools/unix/lsof
    Neped - http://www.attrition.org/security/newbie/security/sniffer/neped.c
    Promisc - http://www.attrition.org/security/newbie/security/sniffer/promisc.c
    SNORT - http://www.snort.org
  • Mstream - http://staff.washington.edu/dittrich/misc/mstream.analysis.txt
    Stacheldraht - http://staff.washington.edu/dittrich/misc/stacheldraht.analysis.txt
    Trin00 - http://staff.washington.edu/dittrich/misc/trinoo.analysis.txt
    TFN - http://staff.washington.edu/dittrich/misc/tfn.analysis.txt
  • Mstream - http://staff.washington.edu/dittrich/misc/mstream.analysis.txt
    Stacheldraht - http://staff.washington.edu/dittrich/misc/stacheldraht.analysis.txt
    Trin00 - http://staff.washington.edu/dittrich/misc/trinoo.analysis.txt
    TFN - http://staff.washington.edu/dittrich/misc/tfn.analysis.txt
  • Windows Domain Models - http://is-it-true.org/nt/atips/atips307.shtml
    Linux/UNIX Trusts - http://nim.cit.cornell.edu/usr/share/man/info/en_US/a_doc_lib/files/aixfiles/hosts.equiv.htm
  • Allows traffic entering a compromised machine on a particular port (that is, TCP/22-SSH) to be redirected to a different machine on a different port (TCP/23-Telnet)
    Allows an attacker to exploit trust relationships to circumvent the firewall for all hosts once he controls one host.
    Root kit based install allows the redirection process, files, and connections to be hidden.
  • IP Spoofing – an attacker sends a message to a target host with an IP address indicating that the message is coming from a trusted host. The attacker must know the IP address of a trusted host in order to modify the packet headers so that it appears that the packets are coming from that host.
    TCP Session Hijacking – an attacker sniffs for packets being sent from a client to a server in order to identify the two hosts' IP addresses and relative port numbers. Using this information an attacker modifies his packet headers to spoof TCP/IP packets from the client. The attacker then waits to receive an ACK packet from the client communicating with the server (which contains the sequence number of the next packet the client is expecting). The attacker replies to the client using a modified packet with the source address of the server and the destination address of the client. This results in a RST which disconnects the legitimate client. The attacker takes over communications with the server spoofing the expected sequence number from the ACK that was previously sent from the legitimate client to the server.
    IP Fragmentation – Firewalls that support stateful inspection of established connections analyze packets to see if they are being received in the proper sequence. In the case of IP fragments, the firewall attempts to reassemble all fragments prior to forwarding them on to the final destination. If an attacker sends repeated incomplete or out-of-order fragmented packets to the firewall it will log and wait for all remaining fragments to be received before handling the connection. As a result, system resources are exhausted due to logging and the firewall is subject to a denial of service. Also, some Intrusion Detection Systems (IDS) do not handle IP fragmentation, Out-of-Order fragmentation, TCP segment overlap, and Out-of-Order TCP segments properly; which results in packets slipping through because the IDS failed to alarm!!!
  • Mstream - http://staff.washington.edu/dittrich/misc/mstream.analysis.txt
    Stacheldraht - http://staff.washington.edu/dittrich/misc/stacheldraht.analysis.txt
    Trin00 - http://staff.washington.edu/dittrich/misc/trinoo.analysis.txt
    TFN - http://staff.washington.edu/dittrich/misc/tfn.analysis.txt
  • Hacking Cisco Networks and Countermeasures

    1. 1. Hacking Cisco Networks and Countermeasures
    2. 2. Overview • Reconnaissance Attacks – Passive Sniffing – Ping Sweeps – Port Scans (tcp&udp) • Active Attacks – Password attacks – Trust exploitation – Port redirection • External Attacks – IP Spoofing – DoS, DDoS Attacks • Internal Attacks – DHCP and ARP Attacks
    3. 3. Reconnaissance Attacks • Reconnaissance refers to the overall act of learning information about a target network by using readily available information and applications. • Reconnaissance attacks include these attacks: – Packet sniffers – Port scans – Ping sweeps – Internet information queries
    4. 4. Packet Sniffers • A packet sniffer is a software application that uses a network adapter card in promiscuous mode to capture all network packets. There are packet sniffer features: – Packet sniffers exploit information passed in clear text. Protocols that pass information in clear text are Telnet, FTP, SNMP, Post Office Protocol (POP), and HTTP. – Packet sniffers must be on the same collision domain as the machine that they are targeting. – Packet sniffers can be used legitimately or can be designed specifically for attack. Host A Host B Router A Router B
    5. 5. Passive Sniffing
    6. 6. Packet Sniffer Attack Mitigation • Here are some packet sniffer mitigation techniques and tools: – Authentication – Switched infrastructure – Antisniffer tools – Cryptography Host A Host B Router A Router B
    7. 7. Port Scans and Ping Sweeps • Port scan and ping sweep attacks: – Identify all services on the network – Identify all hosts and devices on the network – Identify the operating systems on the network – Identify vulnerabilities on the network
    8. 8. Ping Sweep with NMAP
    9. 9. Ping Sweep (cont.)
    10. 10. Blocking Ping Sweeps access-list 102 deny icmp any any echo access-list 102 permit ip any any interface FastEthernet0/0 ip address 10.1.1.254 255.255.255.0 ip access-group 102 in
    11. 11. Seems like it worked but ???
    12. 12. We give out too much information…
    13. 13. To block messages originating from the blocking router… access-list 103 permit icmp any any unreachable class-map match-all STOPSHARING match access-group 103! policy-map STOPSHARING class STOPSHARING drop class class-default control-plane service-policy output STOPSHARING
    14. 14. Same result…
    15. 15. But this time we don’t share info…
    16. 16. Simple UDP Port Scan
    17. 17. Destination Unreachable (Port)
    18. 18. How to block… access-list 101 deny icmp any any unreachable access-list 101 permit ip any any interface FastEthernet0/0 ip address 10.1.1.254 255.255.255.0 ip access-group 101 out
    19. 19. We don’t send any unreachable messages…
    20. 20. After Blocking everything seems open, some obscurity for scanner…
    21. 21. • Port scans and ping sweeps cannot be prevented without compromising network capabilities. Port Scan and Ping Sweep Attack Mitigation However, damage can be mitigated using IPS at the network and host levels. Workstation with HIPS Laptop with HIPS Scan Port Shared Connection IDS and IPS
    22. 22. Internet Information Queries • Sample IP address query Attackers can use Internet tools such as whois as a weapon.
    23. 23. Access Attacks • Intruders use access attacks on networks or systems for the these reasons: – Retrieve data – Gain access – Escalate their access privileges • Access attacks include: – Password attacks – Trust exploitation – Port redirection
    24. 24. Password Attacks • Hackers implement password attacks using: – Brute-force attacks – Trojan horse programs – IP spoofing – Packet sniffers
    25. 25. Password Attack Example – The bgp_md5crack tool is used for cracking a secret used for RFC2385 based packet signing and authentication. It is designed for offline cracking, means to work on a sniffed, correct signed packet. This packet can either be directly sniffed of the wire or be provided in a pcap file.
    26. 26. For Routing Protocols…
    27. 27. Simple Cracking with Cain…
    28. 28. Trust Exploitation – A hacker leverages existing trust relationships. – Several trust models exist: • Microsoft Windows: – Domains – Active directory • Linux and UNIX: – NIS – NIS+ System A User = psmith; Pat Smith System B is compromised by a hacker. User = psmith; Pat Smith Hacker User = psmith; Pat Smithson A hacker gains access to System A . Trust relationships: • System A trusts System B. • System B trusts everyone. • System A trusts everyone.
    29. 29. Port Redirection Host B Attacker Source: A Destination: B Port: 23 Compromised Host A Source: Attacker Destination: A Port: 22 Source: Attacker Destination: B Port: 23
    30. 30. Port Redirection Configuration On HOSTA we create a named pipe using the mkfifo commands: #pipe will be the name of our named pipe mkfifo pipe We then create our two way tunnel using Netcat on HOSTA: nc -lvp 25 <pipe | nc -t 10.1.2.253 23 >pipe Then telnet from Attacker machine telnet 10.1.2.1 80
    31. 31. Here we are connected to the internal switch…
    32. 32. IP Spoofing – IP spoofing occurs when a hacker inside or outside a network impersonates a trusted source. – IP spoofing uses trusted internal IP addresses or trusted external IP addresses. – Attackers use IP spoofing for many reasons: • To gain root access • To inject malicious data or commands into an existing data stream • To divert network packets to the hacker who can then reply as a trusted user by changing the routing tables • To crash servers by overloading memory (DoS) • As a step in a larger attack
    33. 33. IP Spoofing—Types of Attack •IP spoofing attacks are either: – Nonblind spoofing • The attacker sniffs sequence numbers (i.e., from inside the subnet of the victim). – Blind spoofing • The attacker calculates sequence numbers. •IP spoofing can lead to these types of attacks: – Man-in-the-middle attack – DoS attack – Distributed DoS (DDoS) attack
    34. 34. Let’s see in action
    35. 35. Here we drive router to reply to the other host..
    36. 36. Man-in-the-Middle Attacks – A man-in-the-middle attack requires that the hacker has access to network packets that come across a network. – A man-in-the-middle attack is implemented using the following: • Network packet sniffers (nonblind attack) • Routing and transport protocols (blind attack) Host A Host B Router A Router B Data in Clear Text
    37. 37. IP Spoofing Attack Mitigation • The threat of IP spoofing can be reduced, but not eliminated, using these measures: – Strong access control at the router • ACLs on outbound interface • ACLs on inbound interface – Data encryption – Additional authentication requirements Host A Host B Router A ISP Router B IPSec tunnel
    38. 38. DoS Attacks • A DoS attack damages or corrupts your computer system or denies you and others access to your networks, systems, or services. • DoS attack techniques almost always use IP spoofing.
    39. 39. TCP SYN Flooding DoS Attack Attacker TCP Client ------------- Client Ports 1024–65535 Victim TCP Server ------------- Service Ports 1–1024 80 1SYN 2 SYN and ACK ? SYN Packet with Spoofed Source Address TCP Client ------------- Client Ports 1024–65535 TCP Server ------------- Service Ports 1–1024 80 1SYN 3ACK 2 SYN and ACK TCP Three- Way Handshake
    40. 40. DDoS Attacks • DoS and DDoS attacks have these characteristics: – They are not generally targeted to gain access. – They aim at making a service unavailable. – They require very little effort to execute. – They are difficult to eliminate. • DoS Attack • DDoS Attack Attacker Victim Attack Control Mechanism Zombie Zombie Zombie Victim
    41. 41. DDoS Example Handler Systems Client System 4. The client issues commands to handlers that control agents in a mass attack. 1. The cracker looks for targets. 2. The cracker installs software to scan, compromise, and infect agents with zombies. 3. Agents are loaded with remote control attack software. Agent Systems
    42. 42. SYN Flooding Attack
    43. 43. Let’s be more creative…
    44. 44. We put almost 1 million packets in one minute period on the wire, not so bad….
    45. 45. CPU Consumption..
    46. 46. DoS and DDoS Attack Mitigation • Reduce DoS and DDoS attacks by: – Protecting yourself against IP spoofing with ingress- and egress-filtering ACLs – Using antivirus software to find zombie agents – Using anti-DoS features on routers and firewalls • ip verify unicast reverse-path interface command • ACLs to filter all private Internet address space (RFC 1918) – Using traffic rate limiting at the ISP level • Use class-based traffic policing on ICMP packets • Use SYN rate limiting
    47. 47. Rate Limiting What rate limiting does: • Allows network managers to set bandwidth thresholds for users and by traffic type Benefits: • Prevents the deliberate or accidental flooding of the network • Keeps traffic flowing smoothly Rate Limiting for Different Classes of UsersNetwork Manager Teachers Students 2 Mbps 10 Mbps 50 Mbps Otherwise, there can be a deliberate or accidental slowdown or freezing of the network.
    48. 48. Example: ICMP rate limiting access-list 170 permit icmp any any Interface f0/0 rate-limit input access-group 170 128000 16000 24000 conform-action transmit exceed-action drop
    49. 49. Spoofing the DHCP Server 1. An attacker activates a DHCP server on a network segment. 2. The client broadcasts a request for DHCP configuration information. 3. The rogue DHCP server responds before the legitimate DHCP server can respond, assigning attacker-defined IP configuration information. 4. Host packets are redirected to the attacker address as it emulates a default gateway for the erroneous DHCP address provided to the client. ClientRogue DHCP Attacker Legitimate DHCP Server
    50. 50. Everything starts with starvation…
    51. 51. Storm Control can be in help… Interface fastethernet 0/1 storm-control broadcast level 10.00 8.00
    52. 52. DHCP Snooping – DHCP snooping allows the configuration of ports as trusted or untrusted. • Trusted ports can send DHCP requests and acknowledgements. • Untrusted ports can forward only DHCP requests. – DHCP snooping enables the switch to build a DHCP binding table that maps a client MAC address, IP address, VLAN, and port ID. – Use the ip dhcp snooping command. Client Rogue DHCP Attacker Legitimate DHCP Server
    53. 53. DHCP Snooping Configuration ip dhcp snooping ip dhcp snooping vlan 20 interface FastEthernet0/13 switchport access vlan 20 ip dhcp snooping trust Switch#sh ip dhcp snooping binnding MacAddress IpAddress Lease(sec) Type VLAN Interface ------------------ --------------- ---------- ------------- ---- -------------------- 00:14:A8:96:2C:40 10.1.2.12 86371 dhcp-snooping 20 FastEthernet0/24 00:14:6A:1D:B8:00 10.1.2.13 86371 dhcp-snooping 20 FastEthernet0/23 Total number of bindings: 2
    54. 54. ARP Spoofing: Man-in-the-Middle Attacks •10.1.1.1 = MAC C.C.C.C ARP Table in Host A IP 10.1.1.2 MAC A.A.A.A A B •10.1.1.2 = MAC C.C.C.C ARP Table in Host B •10.1.1.1 = MAC B.B.B.B •10.1.1.2 = MAC A.A.A.A ARP Table in Host C CIP 10.1.1.3 MAC C.C.C.C 1. IP 10.1.1.2 ? MAC for 10.1.1.1 2. Legitimate ARP reply 10.1.1.1 = MAC B.B.B.B 3. Subsequent gratuitous ARP replies overwrite legitimate replies •10.1.1.1 bound to C.C.C.C •10.1.1.2 bound to C.C.C.C Attacker IP 10.1.1.1 MAC B.B.B.B A B C A = host A B = host B C = host C
    55. 55. 10.1.1.1 Mitigating Man-in-the-Middle Attacks with DAI • MAC or IP Tracking Built on DHCP Snooping 10.1.1.2 DHCP Server DHCP Discovery (BCAST) DHCP Offer (UCAST) DAI provides protection against attacks such as ARP poisoning using spoofing tools such as ettercap, dsniff, and arpspoof. DAI Function: Track Discovery Track DHCP Offer MAC or IP Track Subsequent ARPs for MAC or IP
    56. 56. DAI in Action •A binding table containing IP-address and MAC-address associations is dynamically populated using DHCP snooping. 10.1.1.1 10.1.1.2 10.1.1.2 GARP is sent to attempt to change the IP address to MAC bindings. Gateway is 10.1.1.1 Attacker is not gateway according to this binding table I am your gateway: 10.1.1.1
    57. 57. DAI Configuration… ip arp inspection vlan 20 ip arp inspection vlan 20 logging dhcp-bindings all ip arp inspection validate src-mac
    58. 58. Questions & Discussion ? ?? ? ? ? ?? ? ? ? ? ? ?
    59. 59. Thank you…

    ×