Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Introduction to layer 2 attacks & mitigation

12,235 views

Published on

An Introduction to layer 2 attacks & mitigation

Published in: Technology

Introduction to layer 2 attacks & mitigation

  1. 1. An Introduction to Layer 2 Attacks & Mitigation Rishabh Dangwal www.TheProhack.com | Twitter @prohack
  2. 2. Agenda  Layer 2 Security - The What, Why and What Now ?  Switching Basics  Quick Knowledge Check  The Attacks & their mitigation.  ARP based  Cisco Specific  STP & VLAN Attacks  Switch Configuration Review – What to look  Question Answer session.
  3. 3. Layer 2 Security The What, Why and What Now ?  OSI is a layered model and if one layer gets hacked, all layers are compromised.  Layer 2 Attacks are still very much relevant today.  Poorly configured Network environments.  Information gap between Network and Security Personnel (refer next slide).  Different architectures , same protocols; henceforth same weaknesses.  Security is only as strong as your weakest link.
  4. 4. Switching Basics  What is a Switch exactly ?  How does it function ?  VLAN basics.  Tagged and Untagged ports (also called as edge/access and Trunk ports).  Spanning Tree Basics.  Layer 3 Switching ?  More Layer 2 Switching Vendor specific technologies.
  5. 5. Quick Knowledge Check Kind questions to ask to your Network & Security Admins 1. How do they handle Network Security issues? 2. Is their network segmented by VLANs ? 3. Are their networked VLANs secure by design ? 4. What is the process of IP Segment allocation ? 5. Is there a formal Change Process in place ?
  6. 6. Flooding & Spoofing Attacks Attacks which utilize either flooding or resource starvation  ARP Poisoning  DHCP Starvation  CAM Table overflow
  7. 7. ARP Attacks  ARP Poisoning : can be easily carried out.  Stateless protocol.  NO inbuilt authentication  Limited to local network segments.  Can be escalated/exploited to MITM , SSH Interception , DOS, session hijacking attacks.  Tools of Trade : Ettercap, Cain & Abel , Dsniff
  8. 8. DHCP Starvation  DHCP Scope exhaustion by installing a rogue DHCP server.  Spoofed MAC requests broadcast/flood network.  Resource starvation occurs which may make a rogue server more effective.  Tools of Trade : Yersinia
  9. 9. CAM Table Overflow  Content Addressable Memory (CAM) is used in highly efficient search based environments.  Cisco switches use CAM to make MAC & interface mapping tables.  One can flood MAC in network which can fill CAM & thereby make a switch act like a hub.  Tools of Trade : Dsniff, Ettercap, Cain & Abel and more..
  10. 10. Flooding & Spoofing Attacks − Mitigation  Ensure Port Security is enabled (static ARP entries)  Enable Port Security  Enable DHCP Snooping.  Question Network admin on requirement of PARP / GARP if present in configuration.  Dynamic Arp Inspection .
  11. 11. Cisco Specific Attacks  CDP attacks − Applicable to Cisco IOS based devices.  VTP attacks − Applicable to Cisco Switches.  DTP Attack − Applicable to Cisco IOS based devices.  HSRP Abuse − Applicable to Cisco IOS based devices.
  12. 12. Cisco − CDP Attacks  Cisco Discovery Protocol (CDP) allows Cisco Devices to communicate with each other.  CDP communicates is unencrypted , unauthenticated & carries a ton of information.  CDP can be exploited to   CDP DOS (Even WLCs are vulnerable)  Overflow / Pollution / Corruption of CDP Cache  Raking up power bills (POE abuse)  Tools to Use : Yersinia
  13. 13. CDP Attacks − Mitigation  Turn CDP Off.  Check with Network guys for any specific requirement of CDP (VOIP phones/Tshoot).  All unused ports shall be shut by default.  BONUS : Different vendors have similar protocols −  Juniper / Huawei LLDP (LLDP Attack Framework)  Brocade FDP  Maipu MDSP
  14. 14. Cisco − VTP Attack  Virtual Trunking Protocol (VTP) is used by Cisco to propagate VLAN information.  VTP uses a versioning system with a client server architecture.  Clients sync their configuration with Server to maintain current VLAN database revision.  Attack involves DOS by sending VTP messages in the network.  Tools of Trade : Yersinia
  15. 15. VTP Attack − Mitigation  Check with admin if VTP is required, if NO, recommend them to configure switches in transparent mode.  If Yes, check if following parameters are configured correctly   VTP password should be there and shall be md5 encrypted (Service Password Encryption)  Non participating switches should be configured in transparent mode.  VTP pruning should be enabled.  All unused ports shall be shut by default.
  16. 16. DTP Attack  Dynamic Trunking Protocol (DTP) negotiates port states between 2 devices.  By default an interface is negotiated to become a Trunk (Tagged) port, hence its name.  One can send RAW DTP packets on Access interface & can make it trunk.  Trunk interface can then be used to escalate/exploit STP/VTP/VLAN based attacks.  Tools of Trade : Yersinia
  17. 17. DTP Attack − Mitigation  Turn of DTP by enabling no more auto-negotiation.  Refer below configuration for access (untagged) port, settings are hardcoded , nothing is auto.  All unused ports shall be shut by default.
  18. 18. HSRP Abuse  Hot Standby Router Protocol (HSRP) is used for achieving HA between Cisco devices.  Functions in Active/Passive mode, UDP 1985.  Uses multicast, by default password configured in plain text.  Attacker can send raw HSRP packet.  Compromise and become Active device with real or spoofed IP.  Tool to use : Yersinia
  19. 19. HSRP Abuse − Mitigation  Use MD5 authentication.  Hardcode everything.
  20. 20. Spanning Tree Attacks  Invented by Dr Radia Perlman, Spanning Tree Protocol (STP) is used for providing a loop free topology for a LAN or bridged network.  An attacker can disrupt STP topology by  Masquerading as a rogue switch.  Introducing a real switch in network.  Spoofing Root Switch  Sending malicious BPDU’s  Claiming roles in topology  Tools of Trade : Yersinia
  21. 21. Spanning Tree Attacks − Mitigation  Enable Root Guard on Cisco Switches, Root Protection on Juniper Switches.  Enable BPDU Guard on Cisco Switches, BPDU Protection on Juniper Switches.  All unused ports shall be shut by default.
  22. 22. Multicast Brute force  Switch receives a number of multicast frames in rapid succession.  Frames to leak into other VLAN instead of containing it on original VLAN.  May lead to DOS.  Rare nowadays.
  23. 23. Multicast Brute Force Attack − Mitigation  Buy switches with better queues/buffer and memory support.  Upgrade your supervisors (4500X and above , Cisco Only).
  24. 24. VLAN Based Attacks • VLAN Hopping − 802.1Q abuse. • PVLAN − Bypassing Layer 2 segregation logic.
  25. 25. VLAN Hopping  VLAN Hopping refers to emulation of a network switch & send frames (802.1Q/ISL).  An attacker can also send double tagged frames on trunk / access interface.  First frame will be stripped by switch and it will forward the frame to outgoing interface.  Since the frame is having one more tag, it will be forwarded as it is to next unintended VLAN.  Tools of Trade : Scapy, Ostinato
  26. 26. VLAN Hopping Attack − Mitigation  Disable DTP  Hardcode everything.  Unused ports shall be configured as access (untagged) ports.  Native VLAN segregation.  Management VLAN segregation.  Don’t use VLAN 1 for *anything*.
  27. 27. PVLAN Attacks  Community ports can communicate between themselves & promiscuous ports.  This logic can be bypassed using a proxy server or a Layer 3 Device on a promiscuous port.  L3 device will overwrite destination mac on frame & then sends frame back.  Unidirectional attack can be leveraged to a bidirectional attack by compromising hosts.  Tools of Trade : Scapy / Ostinato
  28. 28. PVLAN Attacks – Mitigation  Configure ACL on Layer 3 device.
  29. 29. Bonus : SNMP Snarfing  Simple Network Management Protocol (SNMP) is used to monitor and manage devices.  Vendor agonistic , has 3 versions, version 1.0 & version 2.0 most commonly used.  Plain text authentication.  Community strings can be bruteforced , fuzzed & hacked.  Wreak havoc using read write community.  Tools of Trade : Ettercap, dsniff.
  30. 30. SNMP Snarfing – Mitigation  Use SNMPv3 *only*, don’t use it in backwards compatible mode.  Don’t use community strings with write access.  Be SNMP Aware, don’t let it become “Security is Not My Problem”.
  31. 31. Switch Configuration Review  What to look in a sample Switch configuration dump.  Best Practices.  Looking at the big picture.
  32. 32. Conclusion  Ensure Switches are managed in a secured manner.  Hardcode everything.  Ensure there is a Change Management process for any Network and Security Changes.  Disable protocols which are not in use (CDP/VTP).  All unused ports should be shut by default.  Use Port-Security.  Use Root Guard/BPDU guard.  Be careful about SNMP community strings.
  33. 33. Questions? Reach me out at admin@theprohack.com
  34. 34. Thank You!

×