Hacking on L2 Switches

My presentation to my juniors.

https://www.dropbox.com/s/d8ghsc8hvbf2yyg/hacking_l2.pptx

Published in: Technology
Transcript

  • 1. HACKING ON L2 DEVICES
  • 2. Why do we need Layer 2 security? The OSI model was built so that each layer works without knowledge of the others: upper layers simply trust the layer below. Layer 2 can therefore be a very weak link in the network.
  • 3. If any one layer is compromised, all communication that passes through it is compromised, even when the layers above it are secure.
  • 4. Topics
    1. MAC attacks
    2. VLAN hopping attacks
    3. ARP attacks
    4. Spanning Tree attacks
    5. DHCP starvation attack
  • 5. What are MAC and CAM? A MAC address is a 48-bit Layer 2 address, e.g. 1234.5678.9ABC. The first 24 bits are the manufacturer code (OUI), assigned by the IEEE, e.g. 00-50-56-XX-XX-XX; the second 24 bits identify the specific interface and are assigned by the manufacturer, e.g. XX-XX-XX-C0-00-01. The Content Addressable Memory (CAM) table stores the MAC addresses learned on each physical port together with their associated VLAN. OUI lookup: http://www.nirsoft.net/utils/mac_address_lookup_find.html
  • 6. Normal CAM operation (1/3)
  • 7. Normal CAM operation (2/3)
  • 8. Normal CAM operation (3/3)
  • 9. How to bypass the CAM table? 1. Because of hardware limits the CAM has a fixed size. 2. Different switches have different CAM sizes. 3. Overflow the CAM table to defeat the MAC-to-port mapping: once the table is full the switch can no longer learn new source addresses, so frames to any destination it does not know are flooded out of every port in the VLAN and an attacker on any port can sniff them.
  • 10. CAM Overflow attack
  • 11. CAM Overflow attack
  • 12. CAM Overflow attack Example output of macof tool
  • 13. Duration of this attack • 63 bits of source information (MAC, VLAN, misc.) are hashed to a 17-bit value that indexes the CAM table, so the table has about 2^17 = 131,072 slots. • A Cisco Catalyst 6500 can store approx. 131,000 CAM entries. • The dsniff macof tool can generate 155,000 MAC entries per minute, so the table is full in well under a minute.
  • 14. How to overcome this attack? Enable switch port security, which limits the source MAC addresses allowed on a port. Secure addresses can be:
    1. Static secure MAC addresses (configured by hand)
    2. Dynamic secure MAC addresses (learned, lost on reload)
    3. Sticky secure MAC addresses (learned and written to the running configuration)
    Cisco# conf t
    Cisco(config)# interface fastethernet0/1
    Cisco(config-if)# switchport mode access
    Cisco(config-if)# switchport port-security
    Cisco(config-if)# switchport port-security maximum 5
    Cisco(config-if)# switchport port-security violation restrict
    Cisco(config-if)# switchport port-security mac-address aaaa.aaaa.aaaa
    Cisco(config-if)# switchport port-security mac-address bbbb.bbbb.bbbb
    With violation restrict, frames from addresses beyond the maximum are dropped and counted (syslog/SNMP trap) while the port stays up; violation shutdown err-disables the port instead.
    Limitations:
    1. A secure port cannot be a SPAN destination port.
    2. A secure port cannot be an 802.1X port.
    3. A secure port cannot belong to an EtherChannel port-channel interface.
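The following is an added example (not part of the presentation or any vendor code) that models slides 9 to 14: a toy switch with a bounded CAM table, MAC aging, and optional per-port port security. A macof-style burst of random source MACs fills the table; once the victims' entries age out they cannot be re-learned, so traffic between them is flooded to the attacker's port. With `switchport port-security maximum 1` and `violation restrict` on the access ports, the flood is dropped and counted and forwarding stays unicast. The table size, aging time, port numbers and MAC addresses are assumptions chosen for the demo.

```python
import random
from dataclasses import dataclass, field


@dataclass
class CamEntry:
    port: int
    last_seen: float        # seconds; an entry idle longer than Switch.aging is removed


@dataclass
class Switch:
    """Hypothetical L2 switch: bounded CAM table, aging, optional per-port port security."""
    ports: int
    cam_size: int
    aging: float = 300.0                                   # Cisco's default MAC aging time
    max_macs: dict = field(default_factory=dict)           # port -> allowed source MACs (port security)
    violation: str = "restrict"                            # "restrict" drops, "shutdown" err-disables
    cam: dict = field(default_factory=dict)                # (vlan, mac) -> CamEntry
    secure: dict = field(default_factory=dict)             # port -> set of secured MACs
    violations: dict = field(default_factory=dict)         # port -> violation count
    disabled: set = field(default_factory=set)

    def _age_out(self, now):
        for key in [k for k, e in self.cam.items() if now - e.last_seen > self.aging]:
            del self.cam[key]

    def _port_security_ok(self, src, port):
        limit = self.max_macs.get(port)
        if limit is None:
            return True                                    # port security not enabled here
        learned = self.secure.setdefault(port, set())
        if src in learned:
            return True
        if len(learned) < limit:
            learned.add(src)
            return True
        self.violations[port] = self.violations.get(port, 0) + 1
        if self.violation == "shutdown":
            self.disabled.add(port)
        return False

    def forward(self, src, dst, port, now, vlan=1):
        """Learn src on port, then return the egress port list for dst ([] if dropped)."""
        if port in self.disabled:
            return []
        self._age_out(now)
        if not self._port_security_ok(src, port):
            return []
        key = (vlan, src)
        if key in self.cam:
            self.cam[key].port, self.cam[key].last_seen = port, now
        elif len(self.cam) < self.cam_size:
            self.cam[key] = CamEntry(port, now)
        # else: table full, the source is not learned and traffic to it will be flooded
        entry = self.cam.get((vlan, dst))
        if entry is None:                                  # unknown unicast: flood the VLAN
            return [p for p in range(1, self.ports + 1) if p != port]
        return [entry.port]


def random_mac(rng):
    return ":".join(f"{rng.randrange(256):02x}" for _ in range(6))


def cam_overflow_demo(secured):
    """Hosts A (port 1) and B (port 2); attacker on port 3 floods random source MACs.
    Returns where the switch sends A's frame to B once B's CAM entry has aged out."""
    rng = random.Random(7)
    sw = Switch(ports=4, cam_size=1000)
    if secured:                                            # port-security maximum 1, violation restrict
        sw.max_macs = {1: 1, 2: 1, 3: 1}
    A, B = "aa:aa:aa:aa:aa:01", "bb:bb:bb:bb:bb:02"         # constructed addresses
    sw.forward(A, B, port=1, now=0.0)                      # the switch learns A and B normally
    sw.forward(B, A, port=2, now=0.0)
    for i in range(1500):                                  # macof-style burst, t = 10 .. 17.5 s
        sw.forward(random_mac(rng), random_mac(rng), port=3, now=10.0 + i * 0.005)
    for i in range(5):                                     # attacker keeps going past the aging time
        sw.forward(random_mac(rng), random_mac(rng), port=3, now=301.0 + i * 0.1)
    sw.forward(B, A, port=2, now=302.0)                    # B talks again; a full CAM cannot re-learn it
    egress = sw.forward(A, B, port=1, now=303.0)
    return {"egress": egress, "cam_entries": len(sw.cam), "violations": sw.violations.get(3, 0)}
```

Without port security the frame from A to B leaves on ports 2, 3 and 4, i.e. the attacker on port 3 receives it; with port security it leaves on port 2 only. Note the practical caveat the model makes visible: entries learned before the flood stay unicast until they age out, so the attacker has to keep flooding for at least the aging time before existing conversations become visible.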
  • 15. What is meant by a trunk port? • A trunk port carries all VLANs by default. • It is used to carry the traffic of multiple VLANs across the same physical link. • Encapsulation can be 802.1Q or ISL (Cisco proprietary).
  • 16. Rogue trunk / switch spoofing attack 1. A computer can pose as a switch by speaking 802.1Q or ISL. 2. DTP signaling is required: the attacker sends DTP frames to negotiate a trunk. 3. The switch port must be in a DTP mode that will negotiate a trunk (dynamic auto or dynamic desirable). Once the port becomes a trunk the attacker can send and receive tagged frames in any VLAN.
  • 17. Double-encapsulated VLAN attack 1. The attacker sends 802.1Q frames with two tags: the outer tag is the attacker's own VLAN, which is also the trunk's native VLAN, and the inner tag is the target VLAN. 2. The first switch removes only the outer tag; because that VLAN is the native VLAN of the trunk, the frame is sent over the trunk untagged and still carries the inner tag. 3. The next switch reads the inner tag and forwards the frame into the target VLAN: VLAN hopping. The attack requires the attacker's access VLAN to be the native VLAN of the trunk and is one-way, since the victim's replies cannot be tagged back.
  • 18. Yersinia (the tool used for the demo)
  • 19. Security practices to avoid these attacks
    • Use a dedicated, otherwise unused native VLAN ID on all trunk ports (or tag the native VLAN)
    • Disable unused ports and put them in an unused VLAN
    • Don't use VLAN 1 for anything
    • Set DTP off: configure access ports explicitly with switchport mode access and use switchport nonegotiate on trunks
  • 20. ARP recall: an ARP request is placed in a frame and broadcast to all hosts on the network. Each host receives the request and examines the target IP address. The host that owns that address sends a response; all other hosts process and discard the request without responding.
  • 21. Gratuitous ARP is used by hosts to announce their IP address to the local network and to detect duplicate IP addresses; routers and other network hardware may update their caches with information gained from gratuitous ARPs.
  • 22. ARP spoofing • ARP has no authentication of IP/MAC bindings. • Host W broadcasts "I'm 1.2.3.1 with MAC 12:34:56:78:9A:BC" at regular intervals. • When host X resolves the MAC of the gateway, its cache entry is overwritten by the gratuitous ARP packet. Even a static ARP entry for 1.2.3.1 on Y will get overwritten by a gratuitous ARP on some OSes.
  • 23. Dsniff Output
  • 24. Sniffed output: credentials captured by Cain & Abel
  • 25. ARP spoof mitigation
    • Some IDS systems watch for an unusually high amount of ARP traffic
    • Tools such as ARPWatch and AntiARP detect or block ARP spoofing
    • Static ARP entries on critical systems
    • ARP inspection (Dynamic ARP Inspection, DAI) is implemented on some Cisco switches
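An added example (not part of the presentation) of the ARPWatch-style detection in slide 25, run over the scenario of slide 22: ARP packets are built and parsed per RFC 826, and a monitor keeps an IP-to-MAC table, pins the gateway binding and raises alerts for gratuitous ARPs, unsolicited broadcast replies and binding changes. The gateway MAC 00:11:22:33:44:55, the host addresses and the traffic are constructed; 1.2.3.1 and 12:34:56:78:9A:BC are the values from the slide.

```python
import struct

ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(mac):
    return bytes(int(b, 16) for b in mac.split(":"))


def ip_bytes(ip):
    return bytes(int(o) for o in ip.split("."))


def build_arp(op, sha, spa, tha, tpa):
    """Ethernet/IPv4 ARP body (RFC 826): htype=1, ptype=0x0800, hlen=6, plen=4, then the four addresses."""
    return (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
            + mac_bytes(sha) + ip_bytes(spa) + mac_bytes(tha) + ip_bytes(tpa))


def parse_arp(pkt):
    htype, ptype, hlen, plen, op = struct.unpack_from("!HHBBH", pkt, 0)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    sha = ":".join(f"{b:02x}" for b in pkt[8:14])
    spa = ".".join(str(b) for b in pkt[14:18])
    tha = ":".join(f"{b:02x}" for b in pkt[18:24])
    tpa = ".".join(str(b) for b in pkt[24:28])
    return {"op": op, "sha": sha, "spa": spa, "tha": tha, "tpa": tpa}


class ArpWatch:
    """Tracks IP -> MAC bindings seen on the wire, the way arpwatch does.
    `pinned` holds bindings the operator trusts (the gateway); those are never overwritten."""

    def __init__(self, pinned=None):
        self.table = dict(pinned or {})
        self.pinned = set(self.table)

    def observe(self, pkt):
        a = parse_arp(pkt)
        alerts = []
        if a["spa"] == a["tpa"]:
            alerts.append(f"gratuitous ARP from {a['sha']} for {a['spa']}")
        if a["op"] == ARP_REPLY and a["tha"] == "ff:ff:ff:ff:ff:ff":
            alerts.append(f"unsolicited broadcast reply for {a['spa']} from {a['sha']}")
        known = self.table.get(a["spa"])
        if known is None:
            self.table[a["spa"]] = a["sha"]              # first sighting: learn it
        elif known != a["sha"]:
            if a["spa"] in self.pinned:
                alerts.append(f"pinned binding violated for {a['spa']}: {known} -> {a['sha']}")
            else:
                alerts.append(f"binding changed for {a['spa']}: {known} -> {a['sha']}")
                self.table[a["spa"]] = a["sha"]          # follow the change, as a cache would
        return alerts


def spoof_demo():
    """Constructed traffic: host X resolves the gateway, the real gateway answers,
    then host W sends the gratuitous ARP from slide 22. Returns the alerts per packet."""
    watch = ArpWatch(pinned={"1.2.3.1": "00:11:22:33:44:55"})
    traffic = [
        build_arp(ARP_REQUEST, "00:aa:bb:cc:dd:01", "1.2.3.10", "00:00:00:00:00:00", "1.2.3.1"),
        build_arp(ARP_REPLY, "00:11:22:33:44:55", "1.2.3.1", "00:aa:bb:cc:dd:01", "1.2.3.10"),
        build_arp(ARP_REPLY, "12:34:56:78:9a:bc", "1.2.3.1", "ff:ff:ff:ff:ff:ff", "1.2.3.1"),
    ]
    return [watch.observe(p) for p in traffic]
```

The first two packets produce no alerts; the spoofed announcement produces three (gratuitous, unsolicited broadcast reply, pinned binding violated) and the monitor's own table keeps the genuine gateway MAC. Pinning is the monitoring-side analogue of the static ARP entry in slide 25; as the slide notes, the host's own cache may still be overwritten.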
  • 26. STP basics: STP is used to avoid loops and broadcast storms. Messages are sent as Bridge Protocol Data Units (BPDUs). Basic message types: configuration BPDU, and topology change notification/acknowledgement (TCN/TCA).
  • 27. Standard 802.1D STP takes 30-45 seconds to converge after a failure or a root bridge change. An attacker sending BPDUs that advertise a lower bridge ID forces such a change and makes the attacker's host the root bridge.
  • 28. Once the attacker is root bridge, traffic between the real switches is forwarded through it: MITM, DoS (repeated topology changes), etc. all become possible.
  • 29. STP attack mitigation: enable Root guard (on ports that must never lead to the root, so a superior BPDU puts the port into root-inconsistent state) and BPDU guard (on access/PortFast ports, which should never receive a BPDU; one BPDU err-disables the port) on the switch.
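An added example (not part of the presentation) for slides 26 to 29: it encodes and decodes an 802.1D configuration BPDU, runs the root election rule (lowest bridge ID wins), and shows how an attacker advertising priority 0 takes over the root role unless the port has Root guard or BPDU guard. The bridge and attacker MAC addresses, port numbers and the guard model are assumptions; the guard states mirror Cisco's root-inconsistent and err-disabled behaviour but are not vendor code.

```python
import struct

LLC_STP = b"\x42\x42\x03"           # DSAP/SSAP 0x42, UI control: 802.1D BPDUs are carried in LLC
CONFIG_BPDU_FMT = "!HBBBQIQHHHHH"    # protocol id, version, type, flags, root id, root path cost,
                                     # bridge id, port id, message age, max age, hello, forward delay


def bridge_id(priority, mac):
    """802.1D bridge ID: 16-bit priority followed by the 48-bit MAC; the lowest value wins."""
    return (priority << 48) | int(mac.replace(":", ""), 16)


def build_config_bpdu(root_priority, root_mac, root_path_cost, bridge_priority, bridge_mac, port_id=0x8001):
    """Times are in 1/256 s units: max age 20 s, hello 2 s, forward delay 15 s (802.1D defaults)."""
    body = struct.pack(CONFIG_BPDU_FMT, 0x0000, 0x00, 0x00, 0x00,
                       bridge_id(root_priority, root_mac), root_path_cost,
                       bridge_id(bridge_priority, bridge_mac), port_id,
                       0, 20 * 256, 2 * 256, 15 * 256)
    return LLC_STP + body


def parse_config_bpdu(frame):
    if frame[:3] != LLC_STP:
        raise ValueError("not an STP BPDU")
    f = struct.unpack_from(CONFIG_BPDU_FMT, frame, 3)
    return {"root_id": f[4], "root_path_cost": f[5], "bridge_id": f[6], "port_id": f[7],
            "max_age": f[9] / 256, "hello": f[10] / 256, "forward_delay": f[11] / 256}


class StpBridge:
    """Minimal root election with the two guards from slide 29.
    guards maps port -> "root" (Root guard) or "bpdu" (BPDU guard)."""

    def __init__(self, priority, mac, guards=None):
        self.bridge_id = bridge_id(priority, mac)
        self.root_id = self.bridge_id             # every bridge starts out believing it is root
        self.root_port = None
        self.guards = guards or {}
        self.port_state = {}

    def receive(self, port, frame):
        if self.port_state.get(port) in ("err-disabled", "root-inconsistent"):
            return "dropped"
        if self.guards.get(port) == "bpdu":        # BPDU guard: no BPDU is legitimate on an edge port
            self.port_state[port] = "err-disabled"
            return "bpdu-guard"
        b = parse_config_bpdu(frame)
        if b["root_id"] < self.root_id:            # superior BPDU: the sender knows a better root
            if self.guards.get(port) == "root":    # Root guard: this port may never lead to the root
                self.port_state[port] = "root-inconsistent"
                return "root-guard"
            self.root_id, self.root_port = b["root_id"], port
            return "new-root"
        return "inferior"


def root_takeover_demo(guards=None):
    """A switch (priority 32768) first hears its real root (priority 4096) on port 1,
    then an attacker on access port 5 claims priority 0. Returns (verdict, attacker is root, root port)."""
    sw = StpBridge(32768, "00:1a:2b:3c:4d:5e", guards)                       # constructed addresses
    real_root = build_config_bpdu(4096, "00:1a:2b:00:00:01", 0, 4096, "00:1a:2b:00:00:01")
    attacker = build_config_bpdu(0, "de:ad:be:ef:00:01", 0, 0, "de:ad:be:ef:00:01")
    sw.receive(1, real_root)
    verdict = sw.receive(5, attacker)
    return verdict, sw.root_id == bridge_id(0, "de:ad:be:ef:00:01"), sw.root_port
```

Without guards the attacker becomes root and port 5 becomes the root port; with Root guard the port goes root-inconsistent and recovers by itself when the superior BPDUs stop; with BPDU guard it is err-disabled and stays down until recovered. Root guard belongs on ports facing other switches that must not become root, BPDU guard on every access port.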
  • 30. DHCP starvation attack • The attacker broadcasts a large number of DHCP requests, each with a spoofed source MAC and client hardware address. • If enough requests are flooded onto the network, the attacker exhausts the address space allocated by the DHCP servers and can keep it exhausted for an indefinite period by renewing the leases; legitimate clients then get no address (or are served by a rogue DHCP server).
  • 31. DHCP starvation attack • Yersinia is used here for the DHCP starvation attack.
  • 32. Mitigation of the DHCP starvation attack • Enable port security on access ports, which limits how many source MAC addresses a port may use. • Enable DHCP snooping: only the uplink to the DHCP server is trusted, and verify mac-address drops requests whose client hardware address does not match the frame's source MAC.
    Cisco(config)#interface range GigabitEthernet1/0/1 - 48
    Cisco(config-if)#description Access Ports
    Cisco(config-if)#switchport port-security
    Cisco(config-if)#switchport port-security maximum 4
    Cisco(config-if)#switchport port-security aging time 5
    Cisco(config-if)#switchport port-security aging type inactivity
    Cisco(config-if)#switchport port-security violation shutdown
    Cisco(config-if)#exit
    Cisco(config)#interface GigabitEthernet1/0/49
    Cisco(config-if)#description Uplink to DHCP Server
    Cisco(config-if)#ip dhcp snooping trust
    Cisco(config-if)#exit
    Cisco(config)#ip dhcp snooping
    Cisco(config)#ip dhcp snooping vlan 1-10
    Cisco(config)#ip dhcp snooping database tftp://remotehost.company.com/Ciscodhcpsnoop.txt
    Cisco(config)#ip dhcp snooping verify mac-address
    Cisco(config)#end
    Cisco#
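An added example (not part of the presentation, not vendor code) for slides 30 to 32: it builds and parses DHCP DISCOVER messages, lets a toy server hand out a pool of addresses, and applies two untrusted-port checks that correspond to `ip dhcp snooping verify mac-address` and a per-port DHCP rate limit. It demonstrates the point port security alone misses: an attacker who keeps one real source MAC and only varies the client hardware address (chaddr) passes port security, but not the chaddr check. The pool, the attacker MAC, the rate and the message timing are assumptions; the server reserving an address on DISCOVER is a simplification (a real server commits on REQUEST, which starvation tools also send).

```python
import random
import struct

BOOTP_FMT = "!BBBBIHH4s4s4s4s16s64s128s4s"  # op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr,
                                              # siaddr, giaddr, chaddr, sname, file, magic cookie (240 bytes)
MAGIC = b"\x63\x82\x53\x63"
DISCOVER = 1


def mac_bytes(mac):
    return bytes(int(b, 16) for b in mac.split(":"))


def random_mac(rng):
    return ":".join(f"{rng.randrange(256):02x}" for _ in range(6))


def build_discover(xid, chaddr_mac):
    """BOOTREQUEST with the broadcast flag set, chaddr = client MAC, option 53 = DISCOVER, option 255 = end."""
    hdr = struct.pack(BOOTP_FMT, 1, 1, 6, 0, xid, 0, 0x8000, b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                      mac_bytes(chaddr_mac).ljust(16, b"\0"), b"\0" * 64, b"\0" * 128, MAGIC)
    return hdr + b"\x35\x01\x01\xff"


def parse_dhcp(msg):
    f = struct.unpack_from(BOOTP_FMT, msg, 0)
    if f[14] != MAGIC:
        raise ValueError("missing DHCP magic cookie")
    chaddr = ":".join(f"{b:02x}" for b in f[11][:f[2]])
    opts, i, mtype = msg[240:], 0, None
    while i < len(opts) and opts[i] != 0xFF:              # walk TLV options up to the end option
        if opts[i] == 0:                                   # pad option has no length byte
            i += 1
            continue
        code, length = opts[i], opts[i + 1]
        if code == 53:
            mtype = opts[i + 2]
        i += 2 + length
    return {"xid": f[4], "chaddr": chaddr, "type": mtype}


class DhcpPool:
    """Toy server: reserves one address per client hardware address on DISCOVER (simplified)."""

    def __init__(self, first, count):
        self.free = [f"10.0.0.{first + i}" for i in range(count)]
        self.leases = {}

    def handle(self, msg):
        d = parse_dhcp(msg)
        if d["type"] != DISCOVER or d["chaddr"] in self.leases or not self.free:
            return None
        self.leases[d["chaddr"]] = self.free.pop(0)
        return self.leases[d["chaddr"]]


class DhcpSnooping:
    """Untrusted-port checks: chaddr must equal the frame's source MAC, and no more than
    rate_limit DHCP messages per second per port (exceeding it err-disables the port)."""

    def __init__(self, verify_mac=True, rate_limit=None):
        self.verify_mac, self.rate_limit = verify_mac, rate_limit
        self.seen, self.disabled = {}, set()

    def admit(self, port, src_mac, msg, now):
        if port in self.disabled:
            return "err-disabled"
        if self.rate_limit is not None:
            window = [t for t in self.seen.get(port, []) if now - t < 1.0] + [now]
            self.seen[port] = window
            if len(window) > self.rate_limit:
                self.disabled.add(port)
                return "rate-limit"
        if self.verify_mac and parse_dhcp(msg)["chaddr"] != src_mac:
            return "chaddr-mismatch"
        return "ok"


def starvation_demo(spoof_l2_src, snooping=None):
    """Attacker on port 7 sends 20 DISCOVERs within one second, each with a random chaddr and,
    if spoof_l2_src, a matching spoofed Ethernet source. Returns (addresses left, drops by reason)."""
    rng = random.Random(1)
    pool, attacker_mac, reasons = DhcpPool(100, 10), "0a:0a:0a:0a:0a:07", {}   # constructed values
    for i in range(20):
        chaddr = random_mac(rng)
        src = chaddr if spoof_l2_src else attacker_mac
        msg = build_discover(0x1000 + i, chaddr)
        verdict = snooping.admit(7, src, msg, now=i * 0.05) if snooping else "ok"
        if verdict == "ok":
            pool.handle(msg)
        else:
            reasons[verdict] = reasons.get(verdict, 0) + 1
    return len(pool.free), reasons
```

Unfiltered, the ten-address pool is empty after ten messages. With verify mac-address, an attacker that keeps its real source MAC and only varies chaddr loses every message, which is exactly the case port security cannot see. An attacker that spoofs both (as Yersinia does) passes the chaddr check but trips the rate limit, and port security on the same port would also stop it after `maximum 4` addresses.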
