
Hacking Cisco



  1. Hacking Cisco Networks and Countermeasures
  2. Overview
     - Reconnaissance Attacks
       - Passive Sniffing
       - Ping Sweeps
       - Port Scans (TCP & UDP)
     - Active Attacks
       - Password attacks
       - Trust exploitation
       - Port redirection
     - External Attacks
       - IP Spoofing
       - DoS, DDoS Attacks
     - Internal Attacks
       - DHCP and ARP Attacks
  3. Reconnaissance Attacks
     - Reconnaissance refers to the overall act of learning information about a target network by using readily available information and applications.
     - Reconnaissance attacks include:
       - Packet sniffers
       - Port scans
       - Ping sweeps
       - Internet information queries
  4. Packet Sniffers
     - A packet sniffer is a software application that uses a network adapter card in promiscuous mode to capture all network packets. Packet sniffer characteristics:
       - Packet sniffers exploit information passed in clear text. Protocols that pass information in clear text include Telnet, FTP, SNMP, Post Office Protocol (POP), and HTTP.
       - Packet sniffers must be on the same collision domain as the machine they are targeting.
       - Packet sniffers can be used legitimately or can be designed specifically for attack.
     (Figure: Host A, Router A, Router B, Host B)
  5. Passive Sniffing
  6. Packet Sniffer Attack Mitigation
     - Packet sniffer mitigation techniques and tools:
       - Authentication
       - Switched infrastructure
       - Antisniffer tools
       - Cryptography
     (Figure: Host A, Router A, Router B, Host B)
  7. Port Scans and Ping Sweeps
     - Port scan and ping sweep attacks:
       - Identify all services on the network
       - Identify all hosts and devices on the network
       - Identify the operating systems on the network
       - Identify vulnerabilities on the network
  8. Ping Sweep with NMAP
  9. Ping Sweep (cont.)
  10. Blocking Ping Sweeps
      access-list 102 deny icmp any any echo
      access-list 102 permit ip any any
      interface FastEthernet0/0
       ip address
       ip access-group 102 in
  11. Seems like it worked, but…?
  12. We give out too much information…
  13. To block messages originating from the blocking router…
      access-list 103 permit icmp any any unreachable
      class-map match-all STOPSHARING
       match access-group 103
      !
      policy-map STOPSHARING
       class STOPSHARING
        drop
       class class-default
      control-plane
       service-policy output STOPSHARING
  14. Same result…
  15. But this time we don't share info…
  16. Simple UDP Port Scan
  17. Destination Unreachable (Port)
  18. How to block…
      access-list 101 deny icmp any any unreachable
      access-list 101 permit ip any any
      interface FastEthernet0/0
       ip address
       ip access-group 101 out
  19. We don't send any unreachable messages…
  20. After blocking, everything seems open: some obscurity for the scanner…
  21. Port Scan and Ping Sweep Attack Mitigation
      - Port scans and ping sweeps cannot be prevented without compromising network capabilities. However, damage can be mitigated using IPS at the network and host levels.
      (Figure: workstation with HIPS, laptop with HIPS, IDS and IPS on a shared connection being port-scanned)
  22. Internet Information Queries
      - Sample IP address query
      Attackers can use Internet tools such as whois as a weapon.
  23. Access Attacks
      - Intruders use access attacks on networks or systems for these reasons:
        - Retrieve data
        - Gain access
        - Escalate their access privileges
      - Access attacks include:
        - Password attacks
        - Trust exploitation
        - Port redirection
  24. Password Attacks
      - Hackers implement password attacks using:
        - Brute-force attacks
        - Trojan horse programs
        - IP spoofing
        - Packet sniffers
  25. Password Attack Example
      - The bgp_md5crack tool is used for cracking a secret used for RFC 2385 based packet signing and authentication. It is designed for offline cracking, meaning it works on a sniffed, correctly signed packet. This packet can either be sniffed directly off the wire or be provided in a pcap file.
  26. For Routing Protocols…
  27. Simple Cracking with Cain…
  28. Trust Exploitation
      - A hacker leverages existing trust relationships.
      - Several trust models exist:
        - Microsoft Windows:
          - Domains
          - Active Directory
        - Linux and UNIX:
          - NIS
          - NIS+
      - Trust relationships:
        - System A trusts System B.
        - System B trusts everyone.
        - System A trusts everyone.
      (Figure: System A, user = psmith (Pat Smith). System B, user = psmith (Pat Smith), is compromised by a hacker. The hacker, user = psmith (Pat Smithson), gains access to System A.)
  29. Port Redirection
      (Figure: Attacker -> Compromised Host A: Source: Attacker, Destination: A, Port: 22. Compromised Host A -> Host B: Source: A, Destination: B, Port: 23. Attacker -> Host B: Source: Attacker, Destination: B, Port: 23.)
  30. Port Redirection Configuration
      - On HOSTA we create a named pipe using the mkfifo command:
        # pipe will be the name of our named pipe
        mkfifo pipe
      - We then create our two-way tunnel using Netcat on HOSTA:
        nc -lvp 25 <pipe | nc -t 23 >pipe
      - Then telnet from the Attacker machine:
        telnet 80
  31. Here we are connected to the internal switch…
  32. IP Spoofing
      - IP spoofing occurs when a hacker inside or outside a network impersonates a trusted source.
      - IP spoofing uses trusted internal IP addresses or trusted external IP addresses.
      - Attackers use IP spoofing for many reasons:
        - To gain root access
        - To inject malicious data or commands into an existing data stream
        - To divert network packets to the hacker, who can then reply as a trusted user, by changing the routing tables
        - To crash servers by overloading memory (DoS)
        - As a step in a larger attack
  33. IP Spoofing—Types of Attack
      - IP spoofing attacks are either:
        - Nonblind spoofing
          - The attacker sniffs sequence numbers (i.e., from inside the subnet of the victim).
        - Blind spoofing
          - The attacker calculates sequence numbers.
      - IP spoofing can lead to these types of attacks:
        - Man-in-the-middle attack
        - DoS attack
        - Distributed DoS (DDoS) attack
  34. Let's see it in action
  35. Here we drive the router to reply to the other host…
  36. Man-in-the-Middle Attacks
      - A man-in-the-middle attack requires that the hacker has access to network packets that come across a network.
      - A man-in-the-middle attack is implemented using the following:
        - Network packet sniffers (nonblind attack)
        - Routing and transport protocols (blind attack)
      (Figure: Host A, Router A, Router B, Host B; data in clear text)
  37. IP Spoofing Attack Mitigation
      - The threat of IP spoofing can be reduced, but not eliminated, using these measures:
        - Strong access control at the router
          - ACLs on the outbound interface
          - ACLs on the inbound interface
        - Data encryption
        - Additional authentication requirements
      (Figure: Host A, Router A, ISP, Router B, Host B; IPsec tunnel)
  38. DoS Attacks
      - A DoS attack damages or corrupts your computer system or denies you and others access to your networks, systems, or services.
      - DoS attack techniques almost always use IP spoofing.
  39. TCP SYN Flooding DoS Attack
      (Figure: normal TCP three-way handshake between a TCP client (client ports 1024–65535) and a TCP server (service ports 1–1024, here port 80): 1 SYN, 2 SYN and ACK, 3 ACK. In the attack, the attacker's TCP client sends a SYN packet with a spoofed source address to port 80; the victim's SYN and ACK goes to the spoofed address and no ACK comes back (shown as "?").)
  40. DDoS Attacks
      - DoS and DDoS attacks have these characteristics:
        - They are not generally targeted to gain access.
        - They aim at making a service unavailable.
        - They require very little effort to execute.
        - They are difficult to eliminate.
      (Figure: DoS attack: Attacker -> Victim. DDoS attack: Attacker -> Attack Control Mechanism -> Zombie, Zombie, Zombie -> Victim.)
  41. DDoS Example
      - The client issues commands to handlers that control agents in a mass attack.
      - The cracker looks for targets.
      - The cracker installs software to scan, compromise, and infect agents with zombies.
      - Agents are loaded with remote control attack software.
      (Figure: Client System -> Handler Systems -> Agent Systems)
  42. SYN Flooding Attack
  43. Let's be more creative…
  44. We put almost 1 million packets on the wire in a one-minute period, not so bad…
  45. CPU Consumption…
  46. DoS and DDoS Attack Mitigation
      - Reduce DoS and DDoS attacks by:
        - Protecting yourself against IP spoofing with ingress- and egress-filtering ACLs
        - Using antivirus software to find zombie agents
        - Using anti-DoS features on routers and firewalls
          - ip verify unicast reverse-path interface command
          - ACLs to filter all private Internet address space (RFC 1918)
        - Using traffic rate limiting at the ISP level
          - Use class-based traffic policing on ICMP packets
          - Use SYN rate limiting
  47. Rate Limiting
      - What rate limiting does:
        - Allows network managers to set bandwidth thresholds for users and by traffic type
      - Benefits:
        - Prevents the deliberate or accidental flooding of the network
        - Keeps traffic flowing smoothly
      Otherwise, there can be a deliberate or accidental slowdown or freezing of the network.
      (Figure: rate limiting for different classes of users: Network Manager, Teachers, Students at 2 Mbps, 10 Mbps, 50 Mbps)
  48. Example: ICMP rate limiting
      access-list 170 permit icmp any any
      interface f0/0
       rate-limit input access-group 170 128000 16000 24000 conform-action transmit exceed-action drop
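As an added example (not from the slides), the following Python models the token-bucket policing behind the rate-limit command above: a 128000 bit/s average rate with a 16000-byte normal burst, applied only to packets matched by access-list 170 (ICMP). The extended burst (24000) and CAR's probabilistic drop between the two burst sizes are not modelled, and the packet stream is a constructed stand-in for a ping sweep.

```python
# Added example: simplified model of the Cisco CAR command
#   rate-limit input access-group 170 128000 16000 24000 conform-action transmit exceed-action drop
# Only the normal-burst token bucket is modelled (no extended-burst behaviour).


class CarPolicer:
    """Single token bucket: tokens are bytes, refilled at rate_bps/8 bytes per second."""

    def __init__(self, rate_bps, normal_burst):
        self.rate_bps = rate_bps            # 128000 bit/s on the slide
        self.normal_burst = normal_burst    # 16000 bytes on the slide
        self.tokens = float(normal_burst)   # bucket starts full
        self.last_ms = 0

    def offer(self, t_ms, size):
        """Action for a packet of `size` bytes arriving at t_ms (integer milliseconds)."""
        refill = (t_ms - self.last_ms) * self.rate_bps / 8000   # bytes earned since last packet
        self.tokens = min(self.normal_burst, self.tokens + refill)
        self.last_ms = t_ms
        if size <= self.tokens:
            self.tokens -= size
            return "transmit"   # conform-action
        return "drop"           # exceed-action


def police(packets, policer=None):
    """packets: list of (t_ms, protocol, size). Only ICMP is matched by access-list 170."""
    policer = policer or CarPolicer(128000, 16000)
    actions = []
    for t_ms, proto, size in packets:
        if proto != "icmp":
            actions.append("transmit")   # not matched by the ACL, so never policed
        else:
            actions.append(policer.offer(t_ms, size))
    return actions


def sweep_burst(count=1000, size=100):
    """Constructed sample: one 100-byte ICMP echo per millisecond, as a ping sweep might send."""
    return [(i, "icmp", size) for i in range(count)]


if __name__ == "__main__":
    acts = police(sweep_burst())
    # The first 160 KB-worth of echoes drain the bucket; after that only 16000 bytes/s
    # (160 such packets per second) conform, everything else is dropped.
    print(acts.count("transmit"), "transmitted,", acts.count("drop"), "dropped")
```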
  49. Spoofing the DHCP Server
      - An attacker activates a DHCP server on a network segment.
      - The client broadcasts a request for DHCP configuration information.
      - The rogue DHCP server responds before the legitimate DHCP server can respond, assigning attacker-defined IP configuration information.
      - Host packets are redirected to the attacker address as it emulates a default gateway for the erroneous DHCP address provided to the client.
      (Figure: Client, Rogue DHCP Attacker, Legitimate DHCP Server)
  50. Everything starts with starvation…
  51. Storm control can help…
      interface fastethernet 0/1
       storm-control broadcast level 10.00 8.00
  52. DHCP Snooping
      - DHCP snooping allows the configuration of ports as trusted or untrusted.
        - Trusted ports can send DHCP requests and acknowledgements.
        - Untrusted ports can forward only DHCP requests.
      - DHCP snooping enables the switch to build a DHCP binding table that maps a client MAC address, IP address, VLAN, and port ID.
      - Use the ip dhcp snooping command.
      (Figure: Client, Rogue DHCP Attacker, Legitimate DHCP Server)
  53. DHCP Snooping Configuration
      ip dhcp snooping
      ip dhcp snooping vlan 20
      interface FastEthernet0/13
       switchport access vlan 20
       ip dhcp snooping trust
      Switch#sh ip dhcp snooping binding
      MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
      ------------------  ---------------  ----------  -------------  ----  --------------------
      00:14:A8:96:2C:40                    86371       dhcp-snooping  20    FastEthernet0/24
      00:14:6A:1D:B8:00                    86371       dhcp-snooping  20    FastEthernet0/23
      Total number of bindings: 2
  54. ARP Spoofing: Man-in-the-Middle Attacks
      (Figure: A = host A (MAC A.A.A.A), B = host B (MAC B.B.B.B), C = host C, the attacker (MAC C.C.C.C).
      1. Host A asks: IP ? MAC for host B.
      2. Legitimate ARP reply: = MAC B.B.B.B.
      3. Subsequent gratuitous ARP replies overwrite the legitimate replies.
      Resulting ARP tables: in host A the entry now reads = MAC C.C.C.C; in host B the entry now reads = MAC C.C.C.C; host C keeps = MAC B.B.B.B and = MAC A.A.A.A. Both hosts' addresses are bound to C.C.C.C, so their traffic passes through the attacker.)
  55. Mitigating Man-in-the-Middle Attacks with DAI
      - MAC or IP tracking built on DHCP snooping
      - DAI provides protection against attacks such as ARP poisoning using spoofing tools such as ettercap, dsniff, and arpspoof.
      - DAI function: track the DHCP Discovery (BCAST) and the DHCP Offer (UCAST) from the DHCP server to learn the MAC or IP, then track subsequent ARPs for that MAC or IP.
  56. DAI in Action
      - A binding table containing IP-address and MAC-address associations is dynamically populated using DHCP snooping.
      (Figure: the attacker sends a GARP ("I am your gateway") to attempt to change the IP-address-to-MAC bindings; according to the binding table the attacker is not the gateway, so the GARP is rejected.)
  57. DAI Configuration…
      ip arp inspection vlan 20
      ip arp inspection vlan 20 logging dhcp-bindings all
      ip arp inspection validate src-mac
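As an added example (not from the slides), this Python ties slides 52, 53, 56 and 57 together: it parses a binding table in the format of the `show ip dhcp snooping binding` output above and applies DAI's checks to ARP frames arriving on untrusted ports, including the `validate src-mac` check. The IP addresses, the gateway MAC and the frames are constructed; the model omits DAI features the slides do not mention (ARP ACLs, dst-mac and ip validation, ARP rate limiting).

```python
# Added example: DHCP-snooping bindings feeding Dynamic ARP Inspection (simplified model).
from dataclasses import dataclass

# Constructed sample in the format of `show ip dhcp snooping binding`; the IPs are made up.
BINDING_TABLE = """\
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:14:A8:96:2C:40   10.0.20.11       86371       dhcp-snooping  20    FastEthernet0/24
00:14:6A:1D:B8:00   10.0.20.12       86371       dhcp-snooping  20    FastEthernet0/23
Total number of bindings: 2
"""


def parse_bindings(text):
    """Map (vlan, ip) -> (mac, interface) from the binding table text; header/footer lines are skipped."""
    bindings = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 6 and parts[3] == "dhcp-snooping":
            mac, ip, _lease, _type, vlan, port = parts
            bindings[(int(vlan), ip)] = (mac.lower(), port)
    return bindings


@dataclass
class ArpFrame:
    vlan: int
    in_port: str
    eth_src: str      # Ethernet header source MAC
    sender_mac: str   # ARP body sender hardware address
    sender_ip: str    # ARP body sender protocol address


def inspect(frame, bindings, trusted_ports=frozenset(), validate_src_mac=True):
    """Return 'forward' or 'drop: <reason>' for one ARP request or reply."""
    if frame.in_port in trusted_ports:
        return "forward"                 # trusted ports (e.g. the uplink) bypass DAI
    if validate_src_mac and frame.eth_src.lower() != frame.sender_mac.lower():
        return "drop: src-mac mismatch"  # the `ip arp inspection validate src-mac` check
    bound = bindings.get((frame.vlan, frame.sender_ip))
    if bound is None:
        return "drop: no DHCP snooping binding for sender IP"
    if bound[0] != frame.sender_mac.lower():
        return "drop: sender MAC does not match binding"
    return "forward"


BINDINGS = parse_bindings(BINDING_TABLE)
TRUSTED = frozenset({"FastEthernet0/13"})   # the trusted port configured on slide 53
# Constructed frames: a legitimate host on Fa0/24, and the attacker on Fa0/23 claiming gateway IP 10.0.20.1.
LEGIT = ArpFrame(20, "FastEthernet0/24", "00:14:A8:96:2C:40", "00:14:A8:96:2C:40", "10.0.20.11")
GARP = ArpFrame(20, "FastEthernet0/23", "00:14:6A:1D:B8:00", "00:14:6A:1D:B8:00", "10.0.20.1")
```

Without `validate src-mac`, an attacker who forges the victim's MAC inside the ARP body while keeping its own Ethernet source address passes the binding check; the test below exercises that case.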
  58. Questions & Discussion
  59. Thank you…