An Introduction to layer 2 attacks & mitigation

1. An Introduction to Layer 2 Attacks
&
Mitigation
Rishabh Dangwal
www.TheProhack.com | Twitter @prohack

2. Agenda
 Layer 2 Security - The What, Why and What Now ?
 Switching Basics
 Quick Knowledge Check
 The Attacks & their mitigation.
 ARP based
 Cisco Specific
 STP & VLAN Attacks
 Switch Configuration Review – What to look
 Question Answer session.

3. Layer 2 Security
The What, Why and What Now ?
 OSI is a layered model and if one layer gets hacked, all layers are
compromised.
 Layer 2 Attacks are still very much relevant today.
 Poorly configured Network environments.
 Information gap between Network and Security Personnel (refer
next slide).
 Different architectures , same protocols; henceforth same
weaknesses.
 Security is only as strong as your weakest link.

4. Switching Basics
 What is a Switch exactly ?
 How does it function ?
 VLAN basics.
 Tagged and Untagged ports (also called as edge/access and Trunk
ports).
 Spanning Tree Basics.
 Layer 3 Switching ?
 More Layer 2 Switching Vendor specific technologies.

5. Quick Knowledge Check
Kind questions to ask to your Network & Security Admins
1. How do they handle Network Security issues?
2. Is their network segmented by VLANs ?
3. Are their networked VLANs secure by design ?
4. What is the process of IP Segment allocation ?
5. Is there a formal Change Process in place ?

6. Flooding & Spoofing Attacks
Attacks which utilize either flooding or resource starvation
 ARP Poisoning
 DHCP Starvation
 CAM Table overflow

7. ARP Attacks
 ARP Poisoning : can be easily carried out.
 Stateless protocol.
 NO inbuilt authentication
 Limited to local network segments.
 Can be escalated/exploited to MITM , SSH Interception , DOS,
session hijacking attacks.
 Tools of Trade : Ettercap, Cain & Abel , Dsniff

8. DHCP Starvation
 DHCP Scope exhaustion by installing a rogue DHCP server.
 Spoofed MAC requests broadcast/flood network.
 Resource starvation occurs which may make a rogue server more
effective.
 Tools of Trade : Yersinia

9. CAM Table Overflow
 Content Addressable Memory (CAM) is used in highly efficient
search based environments.
 Cisco switches use CAM to make MAC & interface mapping tables.
 One can flood MAC in network which can fill CAM & thereby make
a switch act like a hub.
 Tools of Trade : Dsniff, Ettercap, Cain & Abel and
more..

10. Flooding & Spoofing Attacks −
Mitigation
 Ensure Port Security is enabled (static ARP entries)
 Enable Port Security
 Enable DHCP Snooping.
 Question Network admin on requirement of PARP / GARP if
present in configuration.
 Dynamic Arp Inspection .

11. Cisco Specific Attacks
 CDP attacks − Applicable to Cisco IOS based devices.
 VTP attacks − Applicable to Cisco Switches.
 DTP Attack − Applicable to Cisco IOS based devices.
 HSRP Abuse − Applicable to Cisco IOS based devices.

12. Cisco − CDP Attacks
 Cisco Discovery Protocol (CDP) allows Cisco Devices to
communicate with each other.
 CDP communicates is unencrypted , unauthenticated & carries a
ton of information.
 CDP can be exploited to 
 CDP DOS (Even WLCs are vulnerable)
 Overflow / Pollution / Corruption of CDP Cache
 Raking up power bills (POE abuse)
 Tools to Use : Yersinia

13. CDP Attacks − Mitigation
 Turn CDP Off.
 Check with Network guys for any specific requirement of CDP
(VOIP phones/Tshoot).
 All unused ports shall be shut by default.
 BONUS : Different vendors have similar protocols −
 Juniper / Huawei LLDP (LLDP Attack Framework)
 Brocade FDP
 Maipu MDSP

14. Cisco − VTP Attack
 Virtual Trunking Protocol (VTP) is used by Cisco to propagate
VLAN information.
 VTP uses a versioning system with a client server architecture.
 Clients sync their configuration with Server to maintain current
VLAN database revision.
 Attack involves DOS by sending VTP messages in the network.
 Tools of Trade : Yersinia

15. VTP Attack − Mitigation
 Check with admin if VTP is required, if NO, recommend them to
configure switches in transparent mode.
 If Yes, check if following parameters are configured correctly 
 VTP password should be there and shall be md5 encrypted
(Service Password Encryption)
 Non participating switches should be configured in
transparent mode.
 VTP pruning should be enabled.
 All unused ports shall be shut by default.

16. DTP Attack
 Dynamic Trunking Protocol (DTP) negotiates port states between 2
devices.
 By default an interface is negotiated to become a Trunk (Tagged)
port, hence its name.
 One can send RAW DTP packets on Access interface & can make it
trunk.
 Trunk interface can then be used to escalate/exploit
STP/VTP/VLAN based attacks.
 Tools of Trade : Yersinia

17. DTP Attack − Mitigation
 Turn of DTP by enabling no more auto-negotiation.
 Refer below configuration for access (untagged) port, settings are
hardcoded , nothing is auto.
 All unused ports shall be shut by default.

18. HSRP Abuse
 Hot Standby Router Protocol (HSRP) is used for achieving HA
between Cisco devices.
 Functions in Active/Passive mode, UDP 1985.
 Uses multicast, by default password configured in plain text.
 Attacker can send raw HSRP packet.
 Compromise and become Active device with real or spoofed IP.
 Tool to use : Yersinia

19. HSRP Abuse − Mitigation
 Use MD5 authentication.
 Hardcode everything.

20. Spanning Tree Attacks
 Invented by Dr Radia Perlman, Spanning Tree Protocol (STP) is
used for providing a loop free topology for a LAN or bridged
network.
 An attacker can disrupt STP topology by
 Masquerading as a rogue switch.
 Introducing a real switch in network.
 Spoofing Root Switch
 Sending malicious BPDU’s
 Claiming roles in topology
 Tools of Trade : Yersinia

21. Spanning Tree Attacks − Mitigation
 Enable Root Guard on Cisco Switches, Root Protection on
Juniper Switches.
 Enable BPDU Guard on Cisco Switches, BPDU Protection on
Juniper Switches.
 All unused ports shall be shut by default.

22. Multicast Brute force
 Switch receives a number of multicast frames in rapid succession.
 Frames to leak into other VLAN instead of containing it on original
VLAN.
 May lead to DOS.
 Rare nowadays.

23. Multicast Brute Force Attack −
Mitigation
 Buy switches with better queues/buffer and memory support.
 Upgrade your supervisors (4500X and above , Cisco Only).

24. VLAN Based Attacks
• VLAN Hopping − 802.1Q abuse.
• PVLAN − Bypassing Layer 2 segregation logic.

25. VLAN Hopping
 VLAN Hopping refers to emulation of a network switch & send
frames (802.1Q/ISL).
 An attacker can also send double tagged frames on trunk / access
interface.
 First frame will be stripped by switch and it will forward the frame
to outgoing interface.
 Since the frame is having one more tag, it will be forwarded as it is
to next unintended VLAN.
 Tools of Trade : Scapy, Ostinato

26. VLAN Hopping Attack − Mitigation
 Disable DTP
 Hardcode everything.
 Unused ports shall be configured as access (untagged) ports.
 Native VLAN segregation.
 Management VLAN segregation.
 Don’t use VLAN 1 for *anything*.

27. PVLAN Attacks
 Community ports can communicate between themselves &
promiscuous ports.
 This logic can be bypassed using a proxy server or a Layer 3
Device on a promiscuous port.
 L3 device will overwrite destination mac on frame & then sends
frame back.
 Unidirectional attack can be leveraged to a bidirectional attack by
compromising hosts.
 Tools of Trade : Scapy / Ostinato

28. PVLAN Attacks – Mitigation
 Configure ACL on Layer 3 device.

29. Bonus : SNMP Snarfing
 Simple Network Management Protocol (SNMP) is used to monitor
and manage devices.
 Vendor agonistic , has 3 versions, version 1.0 & version 2.0 most
commonly used.
 Plain text authentication.
 Community strings can be bruteforced , fuzzed & hacked.
 Wreak havoc using read write community.
 Tools of Trade : Ettercap, dsniff.

30. SNMP Snarfing – Mitigation
 Use SNMPv3 *only*, don’t use it in backwards compatible mode.
 Don’t use community strings with write access.
 Be SNMP Aware, don’t let it become “Security is Not My Problem”.

31. Switch Configuration Review
 What to look in a sample Switch configuration dump.
 Best Practices.
 Looking at the big picture.

32. Conclusion
 Ensure Switches are managed in a secured manner.
 Hardcode everything.
 Ensure there is a Change Management process for any Network and
Security Changes.
 Disable protocols which are not in use (CDP/VTP).
 All unused ports should be shut by default.
 Use Port-Security.
 Use Root Guard/BPDU guard.
 Be careful about SNMP community strings.

33. Questions?
Reach me out at admin@theprohack.com

34. Thank You!