UNCLASSIFIED
V100230_Faint
UNCLASSIFIED
1
UNCLASSIFIED0000-00-yymm Information Engineering Solutions
www.dynetics.com
Exploiting First Hop Protocols to Own the Network
Hacker Halted 2015
Paul Coggin
Senior Principal Cyber Security Analyst
@PaulCoggin
OSI and TCP/IP Model
OSI Model
7 Application
6 Presentation
5 Session
4 Transport
3 Network
2 Data Link
1 Physical
TCP/IP Model
Application
Transport
Internet
Network Interface
Frame Header
Own the Network
ARP Poisoning
Corporate Server: IP 172.16.1.1
User 1: IP 192.168.1.2, MAC 2222.2222.2222
User 3: IP 192.168.1.3, MAC 3333.3333.3333
Router: IP 192.168.1.1, MAC 1111.1111.1111
Gratuitous ARP – User 1 traffic to server redirected to User 3: 172.16.1.1, MAC 3333.3333.3333
Gratuitous ARP – Return traffic redirected to User 3: 192.168.1.2, MAC 3333.3333.3333
Cain and Abel
Ettercap
User 1: ARP Cache Poisoned
Router: ARP Cache Poisoned
ARP Poisoning
•  Dynamic ARP Inspection
•  IP Source Inspection
•  SNMP Alerts and Syslog monitoring
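Dynamic ARP Inspection compares the sender IP/MAC pair of every ARP packet against a trusted binding table and drops what does not match. The sketch below is an added example, not part of the original slides: it applies that check to the addresses from the ARP poisoning diagram; the binding table contents and the function names are assumptions.

```python
import ipaddress
import struct

# Trusted IP -> MAC bindings, as a switch would hold them from DHCP snooping
# or static entries (assumed table; addresses are the ones in the diagram).
BINDINGS = {
    "192.168.1.1": "1111.1111.1111",  # Router
    "192.168.1.2": "2222.2222.2222",  # User 1
    "192.168.1.3": "3333.3333.3333",  # User 3
}


def cisco_mac(raw: bytes) -> str:
    """Format 6 raw bytes in the dotted notation used on the slide."""
    h = raw.hex()
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"


def parse_arp(payload: bytes) -> dict:
    """Parse an Ethernet/IPv4 ARP payload (28 bytes, RFC 826)."""
    if len(payload) < 28:
        raise ValueError("truncated ARP payload")
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", payload[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", payload[8:28])
    return {
        "oper": oper,  # 1 = request, 2 = reply
        "sender_mac": cisco_mac(sha),
        "sender_ip": str(ipaddress.IPv4Address(spa)),
        "target_mac": cisco_mac(tha),
        "target_ip": str(ipaddress.IPv4Address(tpa)),
    }


def inspect_arp(payload: bytes, bindings=BINDINGS):
    """Return (verdict, reason) the way an inspecting switch port would decide."""
    try:
        arp = parse_arp(payload)
    except ValueError as exc:
        return "drop", str(exc)
    expected = bindings.get(arp["sender_ip"])
    if expected is None:
        # An address with no binding on this VLAN cannot be vouched for.
        return "drop", f"no binding for {arp['sender_ip']}"
    if expected != arp["sender_mac"]:
        return "drop", (f"{arp['sender_ip']} is bound to {expected}, "
                        f"not {arp['sender_mac']}")
    return "permit", "matches binding"


def sample_arp(sender_mac: str, sender_ip: str, oper: int = 2) -> bytes:
    """Constructed gratuitous ARP payload for the demo; only parsed, never sent."""
    sha = bytes.fromhex(sender_mac.replace(".", ""))
    ip = ipaddress.IPv4Address(sender_ip).packed
    header = struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)
    return header + sha + ip + b"\xff" * 6 + ip


if __name__ == "__main__":
    observed = [
        ("1111.1111.1111", "192.168.1.1"),  # router announcing itself
        ("3333.3333.3333", "192.168.1.2"),  # User 3 claiming User 1's IP
        ("3333.3333.3333", "172.16.1.1"),   # User 3 claiming the server's IP
    ]
    for mac, ip in observed:
        verdict, reason = inspect_arp(sample_arp(mac, ip))
        print(f"{ip:<12} {mac}  {verdict}: {reason}")
```

Each drop is also the event worth forwarding to syslog or an SNMP trap receiver, which is what the third bullet relies on.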
Rogue DHCP Server
DHCP Client
Corporate DHCP Server
Rogue User
Unauthorized DHCP Server
•  Allocates bad DNS server or default gateway
•  Denial of service by exhausting the leases in the DHCP scope
•  Tools – Yersinia, Gobbler
Mitigation
•  Limit MAC addresses per interface
•  VACLs to block DHCP UDP 68
•  DHCP snooping Trusted/Untrusted (mitigates client hardware address change)
Lawful Intercept
Identify Physical Source of Traffic
DHCP with Option 82 Support
Example Enterprise Network
DHCP Option 82 provides the DSLAM and Switch Name and the Physical Interface That Requested a DHCP IP Address
DHCP request
DHCP response with IP address
DHCP request with sub ID in Option identifier (RFC 3046)
Ethernet
Access Domain
MAC B
MAC C
MAC A
ISP
DHCP Server
ADSL modem
IP
DSLAM PE-AGG
DSL
CPE
L3VPN-PE
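To show what the Option 82 data looks like on the DHCP server or in a log pipeline, the following added example (not from the original slides) walks a DHCP options field and extracts the RFC 3046 sub-options: 1 is the Agent Circuit ID (the physical interface) and 2 is the Agent Remote ID (the inserting switch or DSLAM). The sample bytes, device name and interface name are constructed.

```python
PAD, END, RELAY_AGENT_INFO = 0, 255, 82
SUBOPTIONS = {1: "circuit_id", 2: "remote_id"}  # RFC 3046 sub-option codes


def walk_tlv(data: bytes, pad=None, end=None):
    """Yield (code, value) pairs from a code/length/value byte string."""
    i = 0
    while i < len(data):
        code = data[i]
        if code == pad:          # single-byte padding, no length field
            i += 1
            continue
        if code == end:          # end-of-options marker
            return
        if i + 1 >= len(data):
            raise ValueError(f"option {code} has no length byte")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} truncated: want {length}, have {len(value)}")
        yield code, value
        i += 2 + length


def parse_option82(options: bytes):
    """Return the Option 82 sub-options from a DHCP options field, or None.

    `options` is the options area after the DHCP magic cookie.
    """
    for code, value in walk_tlv(options, pad=PAD, end=END):
        if code == RELAY_AGENT_INFO:
            return {SUBOPTIONS.get(sub, f"suboption_{sub}"): val
                    for sub, val in walk_tlv(value)}
    return None


def describe_source(client_mac: str, options: bytes) -> str:
    """Build the log line that ties a lease request to a physical port."""
    info = parse_option82(options)
    if info is None:
        return f"{client_mac}: no Option 82 present, physical source unknown"

    def show(raw):
        # Circuit/remote IDs are opaque bytes; print text when it is printable.
        text = raw.decode("ascii", "replace")
        return text if text.isprintable() else raw.hex()

    return (f"{client_mac}: requested via device "
            f"{show(info.get('remote_id', b'?'))} "
            f"port {show(info.get('circuit_id', b'?'))}")


def opt(code: int, value: bytes) -> bytes:
    """Encode one option; used only to build the constructed sample below."""
    return bytes([code, len(value)]) + value


# Constructed sample: a relayed DHCP request carrying Option 82.
SAMPLE_OPTIONS = (
    opt(53, b"\x03")                      # DHCP message type: REQUEST
    + opt(55, b"\x01\x03\x06")            # parameter request list
    + opt(82, opt(1, b"Gi1/0/12") + opt(2, b"access-sw-01"))
    + bytes([END])
)

if __name__ == "__main__":
    print(describe_source("aaaa.aaaa.aaaa", SAMPLE_OPTIONS))
    print(describe_source("bbbb.bbbb.bbbb", opt(53, b"\x01") + bytes([END])))
```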
Spanning Tree Protocol - Architecture
STP calculates loop-free topology
BPDU sent every 2 seconds
Priority 0 – 65535
Default priority – 32768
Lowest priority elected Root
Root
STP 802.1d, MSTP, PVST+, RSTP
Spanning Tree Protocol – Attack
Implement Root Guard, BPDU Guard, Syslog, SNMPv3 Alerts
Root Bridge
MITM, DoS
(Yersinia)
BPDU w/ priority 0
Root
VLAN Hopping – Dynamic Trunking Protocol
•  Dynamic Trunking Protocol (DTP) modes: Auto, On, Off, Desirable, Non-negotiate
•  IP Phones, Wireless Access Points
•  All VLANs are trunked by default
•  Native VLAN (untagged); Default Native VLAN 1 and required by DTP
•  Yersinia or other packet crafting tools
•  Disable trunking on interfaces where not in use
•  Specify VLANs to be allowed on trunk interfaces
•  Do not use Native VLAN 1
VLAN 50
VLAN 60
VLAN 50
VLAN 40
VLAN 60
DTP Trunk
Spoof DTP to look like switch
(Yersinia)
VLAN Hopping – Double VLAN Tag
•  No two-way communication. Frames sent to target with no response to sender.
•  Craft Frames with double encapsulated frames
•  VLAN trunking is not required in this scenario
•  Disable AUTO/DYNAMIC NEGOTIATION!
•  Don’t use native VLAN 1. Use tagged mode for native VLAN x on trunks
•  Disable interfaces not in use
VLAN 50
VLAN 60
VLAN 50
VLAN 40
VLAN 60
VLAN 10
Yersinia
VLAN 10, VLAN 40
VLAN 40 Tag Frame
Untagged Frame
Switch strips off
first VLAN ID
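A monitoring sensor can spot the double-tag pattern in the diagram by reading the 802.1Q tag stack of each frame. The following is an added example, not part of the original slides: it flags frames whose outer tag equals the trunk's native VLAN and which carry a second tag underneath. The sample frames are constructed, and VLAN 10 as the native VLAN is an assumption taken from the diagram labels.

```python
import struct

TPID_8021Q = 0x8100   # customer VLAN tag
TPID_8021AD = 0x88A8  # service (outer) tag used by Q-in-Q


def vlan_stack(frame: bytes):
    """Return ([VLAN IDs, outermost first], inner EtherType) for an Ethernet frame."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    offset = 12  # skip destination and source MAC
    vids = []
    while True:
        if offset + 2 > len(frame):
            raise ValueError("frame ends inside the tag stack")
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        if ethertype not in (TPID_8021Q, TPID_8021AD):
            return vids, ethertype
        if offset + 4 > len(frame):
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        vids.append(tci & 0x0FFF)  # low 12 bits of the TCI are the VLAN ID
        offset += 4


def classify(frame: bytes, native_vlan: int, access_port: bool = False):
    """Return a finding string, or None when the tag stack looks normal."""
    vids, _ = vlan_stack(frame)
    if access_port and vids:
        # Hosts on access ports have no reason to send tagged frames.
        return "tagged frame received on an access port"
    if len(vids) >= 2 and vids[0] == native_vlan:
        return (f"double tag: outer VLAN {vids[0]} is the native VLAN, "
                f"inner VLAN {vids[1]} survives after the first switch "
                f"strips the outer tag")
    return None


def sample_frame(vids, ethertype=0x0800) -> bytes:
    """Constructed frame for the demo; it is only parsed, never transmitted."""
    macs = bytes.fromhex("ffffffffffff") + bytes.fromhex("020000000001")
    tags = b"".join(struct.pack("!HH", TPID_8021Q, vid) for vid in vids)
    return macs + tags + struct.pack("!H", ethertype) + b"\x00" * 46


if __name__ == "__main__":
    NATIVE_VLAN = 10  # assumption: the native VLAN in the slide's diagram
    for label, vids in [("untagged", []), ("VLAN 40", [40]),
                        ("VLAN 10 + VLAN 40", [10, 40])]:
        print(f"{label:<18} -> {classify(sample_frame(vids), NATIVE_VLAN)}")
```

When the native VLAN is tagged on trunks, as the mitigation bullet recommends, the first switch no longer strips the outer tag silently and the second finding stops occurring on a healthy network.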
CAM Table Overflow Attack
Yersinia, Macof, DSNIFF
Node 2 to Node 4
Node 2 to Node 4
Node 1
Node 2
Node 4
Node 3
Node 2 to Node 4
Switch CAM table exploited resulting in switch VLAN operating like a shared Ethernet hub
Attack may cause multiple switches to fall back to shared Ethernet behavior
Implement port security to limit MACs per interface, SNMP Traps
VLAN Trunking Protocol (VTP)
VTP Server
Transparent (VTP DB rev 0)
VTP Client
VTP Client
802.1Q Trunk
802.1Q Trunk
802.1Q Trunk
•  VLANs are added/removed on VTP Server
•  VLAN modifications propagated to VTP Clients
•  Common VTP Domain name and password
•  Same Native VLAN on Trunk
•  Sync to latest changes
VTP Client
802.1Q Trunk
VLAN Trunking Protocol (VTP) - Security
VTP Server
Transparent (VTP DB rev 0)
VTP Client
VTP Client
802.1Q Trunk
802.1Q Trunk
802.1Q Trunk
•  Existing network running default VTP settings
•  Switches sync to higher rev VTP DB resulting in VLAN config being lost!!
•  Everyone has a current VLAN.DAT backup right??
•  Configure a password for VTP Domain (NOT Cisco….SanFran….)
•  Delete VLAN.DAT before connecting a new switch
•  Change the native VLAN to something other than 1
VTP Client
802.1Q Trunk
Switch with higher rev of VTP DB added
Broadcast Storms
VLAN 20
VLAN 20
VLAN 20
VLAN 20
VLAN 20
Rogue Insider
Misconfigured Application
Failed NIC
Broadcast storm propagated across VLAN
VLAN 20
Traffic Storm Control limits unicast, multicast, broadcast traffic to a % of port BW
•  Not enabled on interfaces by default (add to template configuration for port security)
•  Traffic that exceeds configured threshold will be dropped
•  Violations can be configured to shut down or send an SNMP Trap (recommend v3)
Protocol Hacking Tools
GNS3
SCAPY
Colasoft Packet Builder
Many others…
(Remember to enable IP forwarding)
First Hop Redundancy Protocols
Global Load Balancing Protocol (GLBP)
Hot Standby Router Protocol (HSRP)
Virtual Redundant Router Protocol (VRRP)
Active router
192.168.1.1
Backup router
192.168.1.2
Virtual router
192.168.1.3
192.168.1.50
Multicast protocol
Priority elects role
MD5, clear, no authentication
Rogue Insider
HSRP MITM – Packet Analysis
HSRP Password Clear Text
FHRP – Crafted HSRP Packets
Routers
Rogue Insider
Crafted HSRP coup packet with higher priority
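From the monitoring side, the two HSRP slides above translate into checks on each HSRP version 0 message (RFC 2281, UDP 1985): is the authentication string readable, is it still the default, and does the speaker or its priority fall outside the configured baseline. The code below is an added example, not from the original slides; the router list, the priority baseline, and the reading of 192.168.1.3 as the virtual address and 192.168.1.50 as the rogue host are assumptions.

```python
import ipaddress
import struct

OPCODES = {0: "hello", 1: "coup", 2: "resign"}
STATES = {0: "initial", 1: "learn", 2: "listen", 4: "speak",
          8: "standby", 16: "active"}

KNOWN_ROUTERS = {"192.168.1.1", "192.168.1.2"}  # assumed legitimate speakers
MAX_CONFIGURED_PRIORITY = 110                   # assumed highest priority in use
DEFAULT_AUTH = "cisco"                          # RFC 2281 default authentication data


def parse_hsrp_v0(payload: bytes) -> dict:
    """Parse the 20-byte HSRP version 0 message carried in the UDP payload."""
    if len(payload) < 20:
        raise ValueError("truncated HSRP message")
    (version, op, state, hello, hold, priority, group, _reserved,
     auth, vip) = struct.unpack("!8B8s4s", payload[:20])
    if version != 0:
        raise ValueError(f"unsupported HSRP version {version}")
    return {
        "op": OPCODES.get(op, f"unknown({op})"),
        "state": STATES.get(state, f"unknown({state})"),
        "hello": hello,
        "hold": hold,
        "priority": priority,
        "group": group,
        "auth": auth.rstrip(b"\x00").decode("ascii", "replace"),
        "virtual_ip": str(ipaddress.IPv4Address(vip)),
    }


def hsrp_findings(src_ip: str, payload: bytes,
                  known_routers=KNOWN_ROUTERS,
                  max_priority=MAX_CONFIGURED_PRIORITY):
    """Return a list of (code, detail) findings for one observed message."""
    pkt = parse_hsrp_v0(payload)
    findings = []
    if pkt["auth"]:
        findings.append(("cleartext-auth",
                         "authentication string is readable by any host on the VLAN"))
    if pkt["auth"] == DEFAULT_AUTH:
        findings.append(("default-auth", "default authentication string in use"))
    if src_ip not in known_routers:
        findings.append(("unknown-speaker",
                         f"{pkt['op']} for group {pkt['group']} from {src_ip}"))
    if pkt["priority"] > max_priority:
        findings.append(("priority-above-baseline",
                         f"priority {pkt['priority']} exceeds {max_priority}"))
    return findings


def sample_hsrp(op, state, priority, auth=b"cisco", group=1, vip="192.168.1.3"):
    """Constructed message for the demo; it is only parsed, never sent."""
    return struct.pack("!8B8s4s", 0, op, state, 3, 10, priority, group, 0,
                       auth, ipaddress.IPv4Address(vip).packed)


if __name__ == "__main__":
    observed = [
        ("192.168.1.1", sample_hsrp(op=0, state=16, priority=110)),   # active router hello
        ("192.168.1.50", sample_hsrp(op=1, state=4, priority=255)),   # coup from unknown host
    ]
    for src, payload in observed:
        for code, detail in hsrp_findings(src, payload):
            print(f"{src:<13} {code}: {detail}")
```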
IPv6 Neighbor Discovery Protocol
Filter on IPv6 or Ethernet Type 0x86DD to Identify IPv6 Packets
IPv6 uses multicast; no more broadcast
IPv6 SLAAC
MITM
IPv6 Neighbor Discovery Protocol (NDP)
(Think ARP for IPv6)
IPv6 MITM Tools
-  Chiron
-  Evil FOCA
-  THC Parasite6
-  SCAPY
-  Colasoft Packet Builder
Windows
Linux
Mac
Default - Hosts Send ICMPv6 Router Solicitation
Rogue Insider
Sending RAs
Man-in-the-Middle
Mitigations
-  RAguard
-  802.1x
-  Private VLANs
-  IPv6 port security
-  Source/Destination Guard
-  SeND (encrypt NDP)
IPv6 Network Discovery Spoofing
MITM
Windows
Linux
Mac
Mitigations
-  Source/Destination Guard
-  802.1x
-  Private VLANs
-  IPv6 port security
-  NDP Spoofing
-  DHCP Snooping
-  Source/Destination Guard
-  SeND (encrypt NDP)
Rogue Insider
Network Discovery Spoofing - MITM
(ARP Spoofing equivalent for IPv6)
IPv6 Neighbor Discovery Protocol (NDP)
(Think ARP for IPv6)
IPv6 MITM Tools
-  Chiron
-  Evil FOCA
-  THC Parasite6
-  SCAPY
-  Colasoft Packet Builder
DMZ Layer 2 Security
Secure DMZ Trusts
- PVLAN
- VACL
- Separate Virtual or Physical Int w/ ACLs
- Develop a network traffic matrix to define required network traffic flows
WWW
DNS
SMTP
SharePoint
DMZ
-  Typically single VLAN
-  Open trusts Inside VLAN
-  DMZ to Internal AD integ.
-  Pivot from DMZ to Internal network
Internal Network
Database Email DNS
*NIX w/NIS(AD Integ.)
Active Directory
Internet
Layer 2 – Secure Visualization and Instrumentation
TAP/Sniffer
NOC / SOC
Out-of-band
Network
Whitelist the Layer 2 Network Trust Relationships
Whitelist Trusted Information Flows in Monitoring
Secure Control, Management, Data Planes
In-band Monitoring
EPC
SPAN
RSPAN
ERSPAN
Netflow
Layer 2 Security Recommendations
•  Cisco TrustSec – Identity Services Engine
•  802.1x with 2 factor authentication
•  Private VLANs
•  VLAN Access Control Lists (VACL)
•  Root Guard
•  BPDU Guard
•  Secure VTP protocol
•  Disable VLAN trunking where not in use
•  Storm Control
•  IPv6 Port Security
•  Dynamic ARP Inspection
•  IP Source Inspection
•  DHCP Option 82 Logging
•  Secure DHCP Trusts
•  Layer 2 Secure Visualization and Instrumentation
Questions?
http://www.dynetics.com/insights
@PaulCoggin

More Related Content

What's hot

Dell networking-x-series-spec-sheet
Dell networking-x-series-spec-sheetDell networking-x-series-spec-sheet
Dell networking-x-series-spec-sheet
Asgar Ali
 
CloudKC: Evolution of Network Virtualization
CloudKC: Evolution of Network VirtualizationCloudKC: Evolution of Network Virtualization
CloudKC: Evolution of Network Virtualization
Cynthia Thomas
 
Cisco CCNA-Router on Stick
Cisco CCNA-Router on StickCisco CCNA-Router on Stick
Cisco CCNA-Router on Stick
Hamed Moghaddam
 
Hachetetepé dos puntos SLAAC SLAAC
Hachetetepé dos puntos SLAAC SLAACHachetetepé dos puntos SLAAC SLAAC
Hachetetepé dos puntos SLAAC SLAAC
Chema Alonso
 
PROYECTO VLANS
PROYECTO VLANSPROYECTO VLANS
PROYECTO VLANS
rubendavidsuarez
 
Defcon 21 - Fear the Evil FOCA: mitm attacks using IPv6
Defcon 21 - Fear the Evil FOCA: mitm attacks using IPv6Defcon 21 - Fear the Evil FOCA: mitm attacks using IPv6
Defcon 21 - Fear the Evil FOCA: mitm attacks using IPv6
Chema Alonso
 
Ccna 1 chapter 11 v4.0 answers 2011
Ccna 1 chapter 11 v4.0 answers 2011Ccna 1 chapter 11 v4.0 answers 2011
Ccna 1 chapter 11 v4.0 answers 2011Dân Chơi
 
Net mcr 2021 05 handout
Net mcr 2021 05 handoutNet mcr 2021 05 handout
Net mcr 2021 05 handout
Faelix Ltd
 
Midokura @ OpenStack Seattle
Midokura @ OpenStack SeattleMidokura @ OpenStack Seattle
Midokura @ OpenStack Seattle
Cynthia Thomas
 
Software Stacks to enable SDN and NFV
Software Stacks to enable SDN and NFVSoftware Stacks to enable SDN and NFV
Software Stacks to enable SDN and NFV
Yoshihiro Nakajima
 
Cisco ASA Firewall Lab WorkBook
Cisco ASA Firewall Lab WorkBookCisco ASA Firewall Lab WorkBook
Cisco ASA Firewall Lab WorkBook
RHC Technologies
 
Cisco commands List for Beginners (CCNA, CCNP)
Cisco commands List for Beginners (CCNA, CCNP)Cisco commands List for Beginners (CCNA, CCNP)
Cisco commands List for Beginners (CCNA, CCNP)
DH Da Lat
 
How to convert your Linux box into Security Gateway - Part 1
How to convert your Linux box into Security Gateway - Part 1How to convert your Linux box into Security Gateway - Part 1
How to convert your Linux box into Security Gateway - Part 1
n|u - The Open Security Community
 
SAS (Secure Active Switch)
SAS (Secure Active Switch)SAS (Secure Active Switch)
SAS (Secure Active Switch)
Security Date
 
Lab 3.5.1 basic frame relay
Lab 3.5.1 basic frame relayLab 3.5.1 basic frame relay
Lab 3.5.1 basic frame relay
Manuel Garcia Meza
 
DMVPN configuration - Configuring Cisco dynamic Multipoint VPN - HUB, SPOKES,...
DMVPN configuration - Configuring Cisco dynamic Multipoint VPN - HUB, SPOKES,...DMVPN configuration - Configuring Cisco dynamic Multipoint VPN - HUB, SPOKES,...
DMVPN configuration - Configuring Cisco dynamic Multipoint VPN - HUB, SPOKES,...
NetProtocol Xpert
 
Configurando vlan, vtp, trunking e vmps em cisco catalyst switches comandos
Configurando vlan, vtp, trunking e vmps em cisco catalyst switches comandosConfigurando vlan, vtp, trunking e vmps em cisco catalyst switches comandos
Configurando vlan, vtp, trunking e vmps em cisco catalyst switches comandos1 2d
 
ULA network experience @ JANOG34, by Shishio Tsuchiya [APNIC 38 / APIPv6TF]
ULA network experience @ JANOG34, by Shishio Tsuchiya [APNIC 38 / APIPv6TF]ULA network experience @ JANOG34, by Shishio Tsuchiya [APNIC 38 / APIPv6TF]
ULA network experience @ JANOG34, by Shishio Tsuchiya [APNIC 38 / APIPv6TF]
APNIC
 
Linux firewall
Linux firewallLinux firewall
Linux firewall
chanmyaeag
 
第53回WIT研究会におけるリアルタイム映像配信 -技術編-
第53回WIT研究会におけるリアルタイム映像配信 -技術編-第53回WIT研究会におけるリアルタイム映像配信 -技術編-
第53回WIT研究会におけるリアルタイム映像配信 -技術編-Toshimitsu YAMAGUCHI
 

What's hot (20)

Dell networking-x-series-spec-sheet
Dell networking-x-series-spec-sheetDell networking-x-series-spec-sheet
Dell networking-x-series-spec-sheet
 
CloudKC: Evolution of Network Virtualization
CloudKC: Evolution of Network VirtualizationCloudKC: Evolution of Network Virtualization
CloudKC: Evolution of Network Virtualization
 
Cisco CCNA-Router on Stick
Cisco CCNA-Router on StickCisco CCNA-Router on Stick
Cisco CCNA-Router on Stick
 
Hachetetepé dos puntos SLAAC SLAAC
Hachetetepé dos puntos SLAAC SLAACHachetetepé dos puntos SLAAC SLAAC
Hachetetepé dos puntos SLAAC SLAAC
 
PROYECTO VLANS
PROYECTO VLANSPROYECTO VLANS
PROYECTO VLANS
 
Defcon 21 - Fear the Evil FOCA: mitm attacks using IPv6
Defcon 21 - Fear the Evil FOCA: mitm attacks using IPv6Defcon 21 - Fear the Evil FOCA: mitm attacks using IPv6
Defcon 21 - Fear the Evil FOCA: mitm attacks using IPv6
 
Ccna 1 chapter 11 v4.0 answers 2011
Ccna 1 chapter 11 v4.0 answers 2011Ccna 1 chapter 11 v4.0 answers 2011
Ccna 1 chapter 11 v4.0 answers 2011
 
Net mcr 2021 05 handout
Net mcr 2021 05 handoutNet mcr 2021 05 handout
Net mcr 2021 05 handout
 
Midokura @ OpenStack Seattle
Midokura @ OpenStack SeattleMidokura @ OpenStack Seattle
Midokura @ OpenStack Seattle
 
Software Stacks to enable SDN and NFV
Software Stacks to enable SDN and NFVSoftware Stacks to enable SDN and NFV
Software Stacks to enable SDN and NFV
 
Cisco ASA Firewall Lab WorkBook
Cisco ASA Firewall Lab WorkBookCisco ASA Firewall Lab WorkBook
Cisco ASA Firewall Lab WorkBook
 
Cisco commands List for Beginners (CCNA, CCNP)
Cisco commands List for Beginners (CCNA, CCNP)Cisco commands List for Beginners (CCNA, CCNP)
Cisco commands List for Beginners (CCNA, CCNP)
 
How to convert your Linux box into Security Gateway - Part 1
How to convert your Linux box into Security Gateway - Part 1How to convert your Linux box into Security Gateway - Part 1
How to convert your Linux box into Security Gateway - Part 1
 
SAS (Secure Active Switch)
SAS (Secure Active Switch)SAS (Secure Active Switch)
SAS (Secure Active Switch)
 
Lab 3.5.1 basic frame relay
Lab 3.5.1 basic frame relayLab 3.5.1 basic frame relay
Lab 3.5.1 basic frame relay
 
DMVPN configuration - Configuring Cisco dynamic Multipoint VPN - HUB, SPOKES,...
DMVPN configuration - Configuring Cisco dynamic Multipoint VPN - HUB, SPOKES,...DMVPN configuration - Configuring Cisco dynamic Multipoint VPN - HUB, SPOKES,...
DMVPN configuration - Configuring Cisco dynamic Multipoint VPN - HUB, SPOKES,...
 
Configurando vlan, vtp, trunking e vmps em cisco catalyst switches comandos
Configurando vlan, vtp, trunking e vmps em cisco catalyst switches comandosConfigurando vlan, vtp, trunking e vmps em cisco catalyst switches comandos
Configurando vlan, vtp, trunking e vmps em cisco catalyst switches comandos
 
ULA network experience @ JANOG34, by Shishio Tsuchiya [APNIC 38 / APIPv6TF]
ULA network experience @ JANOG34, by Shishio Tsuchiya [APNIC 38 / APIPv6TF]ULA network experience @ JANOG34, by Shishio Tsuchiya [APNIC 38 / APIPv6TF]
ULA network experience @ JANOG34, by Shishio Tsuchiya [APNIC 38 / APIPv6TF]
 
Linux firewall
Linux firewallLinux firewall
Linux firewall
 
第53回WIT研究会におけるリアルタイム映像配信 -技術編-
第53回WIT研究会におけるリアルタイム映像配信 -技術編-第53回WIT研究会におけるリアルタイム映像配信 -技術編-
第53回WIT研究会におけるリアルタイム映像配信 -技術編-
 

Similar to Exploiting First Hop Protocols to Own the Network - Paul Coggin

Hungary Usergroup - Midonet overlay programming
Hungary Usergroup - Midonet overlay programmingHungary Usergroup - Midonet overlay programming
Hungary Usergroup - Midonet overlay programming
Marton Kiss
 
Technical introduction to MidoNet
Technical introduction to MidoNetTechnical introduction to MidoNet
Technical introduction to MidoNet
MidoNet
 
SVR401: DirectAccess Technical Drilldown, Part 1 of 2: IPv6 and transition te...
SVR401: DirectAccess Technical Drilldown, Part 1 of 2: IPv6 and transition te...SVR401: DirectAccess Technical Drilldown, Part 1 of 2: IPv6 and transition te...
SVR401: DirectAccess Technical Drilldown, Part 1 of 2: IPv6 and transition te...
Louis Göhl
 
Day 14.2 configuringvla ns
Day 14.2 configuringvla nsDay 14.2 configuringvla ns
Day 14.2 configuringvla ns
CYBERINTELLIGENTS
 
Fedv6tf-fhs
Fedv6tf-fhsFedv6tf-fhs
Fedv6tf-fhs
Tim Martin
 
20141102 VyOS 1.1.0 and NIFTY Cloud New Features
20141102 VyOS 1.1.0 and NIFTY Cloud New Features20141102 VyOS 1.1.0 and NIFTY Cloud New Features
20141102 VyOS 1.1.0 and NIFTY Cloud New Features
雄也 日下部
 
Avaya VoIP on Cisco Best Practices by PacketBase
Avaya VoIP on Cisco Best Practices by PacketBaseAvaya VoIP on Cisco Best Practices by PacketBase
Avaya VoIP on Cisco Best Practices by PacketBase
PacketBase, Inc.
 
CCNA ppt Day 9
CCNA ppt Day 9CCNA ppt Day 9
CCNA ppt Day 9
VISHNU N
 
PLNOG 5: Piotr Szołkowski - Data Center i nie tylko...
PLNOG 5: Piotr Szołkowski - Data Center i nie tylko...PLNOG 5: Piotr Szołkowski - Data Center i nie tylko...
PLNOG 5: Piotr Szołkowski - Data Center i nie tylko...
PROIDEA
 
OWASP Appsec USA 2014 Talk "Pwning the Pawns with Wihawk" Santhosh Kumar
OWASP Appsec USA 2014 Talk "Pwning the Pawns with Wihawk" Santhosh Kumar OWASP Appsec USA 2014 Talk "Pwning the Pawns with Wihawk" Santhosh Kumar
OWASP Appsec USA 2014 Talk "Pwning the Pawns with Wihawk" Santhosh Kumar
Santhosh Kumar
 
Icnd210 s02l01
Icnd210 s02l01Icnd210 s02l01
Icnd210 s02l01
computerlenguyen
 
HP Virtual Connect technical fundamental101 v2.1
HP Virtual Connect technical fundamental101   v2.1HP Virtual Connect technical fundamental101   v2.1
HP Virtual Connect technical fundamental101 v2.1
ผู้ชาย แห่งสายลม
 
CCN3Switching_lab_5_5_2
CCN3Switching_lab_5_5_2CCN3Switching_lab_5_5_2
CCN3Switching_lab_5_5_2alan moreno
 
VLANs_Module_3.pptx
VLANs_Module_3.pptxVLANs_Module_3.pptx
VLANs_Module_3.pptx
BOURY1
 
CisCon 2017 - I problemi di scalabilità delle tradizionali reti IP nei modern...
CisCon 2017 - I problemi di scalabilità delle tradizionali reti IP nei modern...CisCon 2017 - I problemi di scalabilità delle tradizionali reti IP nei modern...
CisCon 2017 - I problemi di scalabilità delle tradizionali reti IP nei modern...
AreaNetworking.it
 
ACIT - CCNA Training Course Topic - Switch Stp ACIT
ACIT - CCNA Training Course Topic - Switch Stp ACITACIT - CCNA Training Course Topic - Switch Stp ACIT
ACIT - CCNA Training Course Topic - Switch Stp ACIT
Sleek International
 
Free CCNP switching workbook by networkershome pdf
Free CCNP switching workbook by networkershome pdfFree CCNP switching workbook by networkershome pdf
Free CCNP switching workbook by networkershome pdf
Networkershome
 
Sergio González - WiFiSlax 4.0 [RootedCON 2010]
Sergio González - WiFiSlax 4.0 [RootedCON 2010]Sergio González - WiFiSlax 4.0 [RootedCON 2010]
Sergio González - WiFiSlax 4.0 [RootedCON 2010]
RootedCON
 
Virtual Local Area Network
Virtual Local Area NetworkVirtual Local Area Network
Virtual Local Area Network
Atakan ATAK
 

Similar to Exploiting First Hop Protocols to Own the Network - Paul Coggin (20)

Tema3
Tema3Tema3
Tema3
 
Hungary Usergroup - Midonet overlay programming
Hungary Usergroup - Midonet overlay programmingHungary Usergroup - Midonet overlay programming
Hungary Usergroup - Midonet overlay programming
 
Technical introduction to MidoNet
Technical introduction to MidoNetTechnical introduction to MidoNet
Technical introduction to MidoNet
 
SVR401: DirectAccess Technical Drilldown, Part 1 of 2: IPv6 and transition te...
SVR401: DirectAccess Technical Drilldown, Part 1 of 2: IPv6 and transition te...SVR401: DirectAccess Technical Drilldown, Part 1 of 2: IPv6 and transition te...
SVR401: DirectAccess Technical Drilldown, Part 1 of 2: IPv6 and transition te...
 
Day 14.2 configuringvla ns
Day 14.2 configuringvla nsDay 14.2 configuringvla ns
Day 14.2 configuringvla ns
 
Fedv6tf-fhs
Fedv6tf-fhsFedv6tf-fhs
Fedv6tf-fhs
 
20141102 VyOS 1.1.0 and NIFTY Cloud New Features
20141102 VyOS 1.1.0 and NIFTY Cloud New Features20141102 VyOS 1.1.0 and NIFTY Cloud New Features
20141102 VyOS 1.1.0 and NIFTY Cloud New Features
 
Avaya VoIP on Cisco Best Practices by PacketBase
Avaya VoIP on Cisco Best Practices by PacketBaseAvaya VoIP on Cisco Best Practices by PacketBase
Avaya VoIP on Cisco Best Practices by PacketBase
 
CCNA ppt Day 9
CCNA ppt Day 9CCNA ppt Day 9
CCNA ppt Day 9
 
PLNOG 5: Piotr Szołkowski - Data Center i nie tylko...
PLNOG 5: Piotr Szołkowski - Data Center i nie tylko...PLNOG 5: Piotr Szołkowski - Data Center i nie tylko...
PLNOG 5: Piotr Szołkowski - Data Center i nie tylko...
 
OWASP Appsec USA 2014 Talk "Pwning the Pawns with Wihawk" Santhosh Kumar
OWASP Appsec USA 2014 Talk "Pwning the Pawns with Wihawk" Santhosh Kumar OWASP Appsec USA 2014 Talk "Pwning the Pawns with Wihawk" Santhosh Kumar
OWASP Appsec USA 2014 Talk "Pwning the Pawns with Wihawk" Santhosh Kumar
 
Icnd210 s02l01
Icnd210 s02l01Icnd210 s02l01
Icnd210 s02l01
 
HP Virtual Connect technical fundamental101 v2.1
HP Virtual Connect technical fundamental101   v2.1HP Virtual Connect technical fundamental101   v2.1
HP Virtual Connect technical fundamental101 v2.1
 
CCN3Switching_lab_5_5_2
CCN3Switching_lab_5_5_2CCN3Switching_lab_5_5_2
CCN3Switching_lab_5_5_2
 
VLANs_Module_3.pptx
VLANs_Module_3.pptxVLANs_Module_3.pptx
VLANs_Module_3.pptx
 
CisCon 2017 - I problemi di scalabilità delle tradizionali reti IP nei modern...
CisCon 2017 - I problemi di scalabilità delle tradizionali reti IP nei modern...CisCon 2017 - I problemi di scalabilità delle tradizionali reti IP nei modern...
CisCon 2017 - I problemi di scalabilità delle tradizionali reti IP nei modern...
 
ACIT - CCNA Training Course Topic - Switch Stp ACIT
ACIT - CCNA Training Course Topic - Switch Stp ACITACIT - CCNA Training Course Topic - Switch Stp ACIT
ACIT - CCNA Training Course Topic - Switch Stp ACIT
 
Free CCNP switching workbook by networkershome pdf
Free CCNP switching workbook by networkershome pdfFree CCNP switching workbook by networkershome pdf
Free CCNP switching workbook by networkershome pdf
 
Sergio González - WiFiSlax 4.0 [RootedCON 2010]
Sergio González - WiFiSlax 4.0 [RootedCON 2010]Sergio González - WiFiSlax 4.0 [RootedCON 2010]
Sergio González - WiFiSlax 4.0 [RootedCON 2010]
 
Virtual Local Area Network
Virtual Local Area NetworkVirtual Local Area Network
Virtual Local Area Network
 

More from EC-Council

CyberOm - Hacking the Wellness Code in a Chaotic Cyber World
CyberOm - Hacking the Wellness Code in a Chaotic Cyber WorldCyberOm - Hacking the Wellness Code in a Chaotic Cyber World
CyberOm - Hacking the Wellness Code in a Chaotic Cyber World
EC-Council
 
Cloud Security Architecture - a different approach
Cloud Security Architecture - a different approachCloud Security Architecture - a different approach
Cloud Security Architecture - a different approach
EC-Council
 
Phases of Incident Response
Phases of Incident ResponsePhases of Incident Response
Phases of Incident Response
EC-Council
 
Weaponizing OSINT – Hacker Halted 2019 – Michael James
 Weaponizing OSINT – Hacker Halted 2019 – Michael James  Weaponizing OSINT – Hacker Halted 2019 – Michael James
Weaponizing OSINT – Hacker Halted 2019 – Michael James
EC-Council
 
Hacking Your Career – Hacker Halted 2019 – Keith Turpin
Hacking Your Career – Hacker Halted 2019 – Keith TurpinHacking Your Career – Hacker Halted 2019 – Keith Turpin
Hacking Your Career – Hacker Halted 2019 – Keith Turpin
EC-Council
 
Hacking Diversity – Hacker Halted . 2019 – Marcelle Lee
Hacking Diversity – Hacker Halted . 2019 – Marcelle LeeHacking Diversity – Hacker Halted . 2019 – Marcelle Lee
Hacking Diversity – Hacker Halted . 2019 – Marcelle Lee
EC-Council
 
Cloud Proxy Technology – Hacker Halted 2019 – Jeff Silver
Cloud Proxy Technology – Hacker Halted 2019 – Jeff SilverCloud Proxy Technology – Hacker Halted 2019 – Jeff Silver
Cloud Proxy Technology – Hacker Halted 2019 – Jeff Silver
EC-Council
 
DNS – Strategies for Reducing Data Leakage & Protecting Online Privacy – Hack...
DNS – Strategies for Reducing Data Leakage & Protecting Online Privacy – Hack...DNS – Strategies for Reducing Data Leakage & Protecting Online Privacy – Hack...
DNS – Strategies for Reducing Data Leakage & Protecting Online Privacy – Hack...
EC-Council
 
Data in cars can be creepy – Hacker Halted 2019 – Andrea Amico
Data in cars can be creepy – Hacker Halted 2019 – Andrea AmicoData in cars can be creepy – Hacker Halted 2019 – Andrea Amico
Data in cars can be creepy – Hacker Halted 2019 – Andrea Amico
EC-Council
 
Breaking Smart [Bank] Statements – Hacker Halted 2019 – Manuel Nader
Breaking Smart [Bank] Statements – Hacker Halted 2019 – Manuel NaderBreaking Smart [Bank] Statements – Hacker Halted 2019 – Manuel Nader
Breaking Smart [Bank] Statements – Hacker Halted 2019 – Manuel Nader
EC-Council
 
Are your cloud servers under attack?– Hacker Halted 2019 – Brian Hileman
Are your cloud servers under attack?– Hacker Halted 2019 – Brian HilemanAre your cloud servers under attack?– Hacker Halted 2019 – Brian Hileman
Are your cloud servers under attack?– Hacker Halted 2019 – Brian Hileman
EC-Council
 
War Game: Ransomware – Global CISO Forum 2019
War Game: Ransomware – Global CISO Forum 2019War Game: Ransomware – Global CISO Forum 2019
War Game: Ransomware – Global CISO Forum 2019
EC-Council
 
How to become a Security Behavior Alchemist – Global CISO Forum 2019 – Perry ...
How to become a Security Behavior Alchemist – Global CISO Forum 2019 – Perry ...How to become a Security Behavior Alchemist – Global CISO Forum 2019 – Perry ...
How to become a Security Behavior Alchemist – Global CISO Forum 2019 – Perry ...
EC-Council
 
Introduction to FAIR Risk Methodology – Global CISO Forum 2019 – Donna Gall...
Introduction to FAIR Risk Methodology – Global CISO Forum 2019  –  Donna Gall...Introduction to FAIR Risk Methodology – Global CISO Forum 2019  –  Donna Gall...
Introduction to FAIR Risk Methodology – Global CISO Forum 2019 – Donna Gall...
EC-Council
 
Alexa is a snitch! Hacker Halted 2019 - Wes Widner
Alexa is a snitch! Hacker Halted 2019 - Wes WidnerAlexa is a snitch! Hacker Halted 2019 - Wes Widner
Alexa is a snitch! Hacker Halted 2019 - Wes Widner
EC-Council
 
Hacker Halted 2018: Don't Panic! Big Data Analytics vs. Law Enforcement
Hacker Halted 2018: Don't Panic! Big Data Analytics vs. Law EnforcementHacker Halted 2018: Don't Panic! Big Data Analytics vs. Law Enforcement
Hacker Halted 2018: Don't Panic! Big Data Analytics vs. Law Enforcement
EC-Council
 
Hacker Halted 2018: HACKING TRILLIAN: A 42-STEP SOLUTION TO EXPLOIT POST-VOGA...
Hacker Halted 2018: HACKING TRILLIAN: A 42-STEP SOLUTION TO EXPLOIT POST-VOGA...Hacker Halted 2018: HACKING TRILLIAN: A 42-STEP SOLUTION TO EXPLOIT POST-VOGA...
Hacker Halted 2018: HACKING TRILLIAN: A 42-STEP SOLUTION TO EXPLOIT POST-VOGA...
EC-Council
 
Hacker Halted 2018: Breaking the Bad News: How to Prevent Your IR Messages fr...
Hacker Halted 2018: Breaking the Bad News: How to Prevent Your IR Messages fr...Hacker Halted 2018: Breaking the Bad News: How to Prevent Your IR Messages fr...
Hacker Halted 2018: Breaking the Bad News: How to Prevent Your IR Messages fr...
EC-Council
 
Hacker Halted 2018: From CTF to CVE – How Application of Concepts and Persist...
Hacker Halted 2018: From CTF to CVE – How Application of Concepts and Persist...Hacker Halted 2018: From CTF to CVE – How Application of Concepts and Persist...
Hacker Halted 2018: From CTF to CVE – How Application of Concepts and Persist...
EC-Council
 
Hacker Halted 2018: SE vs Predator: Using Social Engineering in ways I never ...
Hacker Halted 2018: SE vs Predator: Using Social Engineering in ways I never ...Hacker Halted 2018: SE vs Predator: Using Social Engineering in ways I never ...
Hacker Halted 2018: SE vs Predator: Using Social Engineering in ways I never ...
EC-Council
 




Exploiting First Hop Protocols to Own the Network - Paul Coggin

  • 1. UNCLASSIFIED. Information Engineering Solutions, www.dynetics.com. Exploiting First Hop Protocols to Own the Network. Hacker Halted 2015. Paul Coggin, Senior Principal Cyber Security Analyst, @PaulCoggin
  • 2. OSI and TCP/IP Model. OSI Model: 7 Application, 6 Presentation, 5 Session, 4 Transport, 3 Network, 2 Data Link, 1 Physical. TCP/IP Model: Application, Transport, Internet, Network Interface. Frame Header. Own the Network
  • 3. ARP Poisoning. Corporate Server: IP 172.16.1.1. User 1: IP 192.168.1.2, MAC 2222.2222.2222. User 3: IP 192.168.1.3, MAC 3333.3333.3333. Router: IP 192.168.1.1, MAC 1111.1111.1111. Gratuitous ARP – User 1 traffic to server redirected to User 3: 172.16.1.1 MAC 3333.3333.3333. Gratuitous ARP – Return traffic redirected to User 3: 192.168.1.2 MAC 3333.3333.3333. Cain and Abel, Ettercap. User 1 ARP Cache Poisoned. Router ARP Cache Poisoned
  • 4. ARP Poisoning • Dynamic ARP Inspection • IP Source Inspection • SNMP Alerts and Syslog monitoring
  • 5. Rogue DHCP Server. DHCP Client, Corporate DHCP Server, Rogue User. Unauthorized DHCP Server • Allocates bad DNS server or default gateway. Denial of service by exhausting the leases in the DHCP scope • Tools – Yersinia, Gobbler. Mitigation • Limit MAC addresses per interface • VACLs to block DHCP UDP 68 • DHCP snooping Trusted/Untrusted (mitigates client hardware address change)
  • 6. Lawful Intercept: Identify Physical Source of Traffic. DHCP with Option 82 Support. Example Enterprise Network. DHCP Option 82 provides the DSLAM and Switch Name and the Physical Interface That Requested a DHCP IP Address. DHCP request. DHCP response with IP address. DHCP request with sub ID in Option identifier (RFC 3046). Ethernet Access Domain: MAC A, MAC B, MAC C. ISP DHCP Server, ADSL modem, IP DSLAM, PE-AGG, DSL CPE, L3VPN-PE
  • 7. Spanning Tree Protocol - Architecture. STP calculates loop-free topology. BPDU sent every 2 seconds. Priority 0 – 65535. Default priority – 32768. Lowest priority elected Root. Root. STP 802.1d, MSTP, PVSTP+, RSTP
  • 8. Spanning Tree Protocol – Attack. Implement Root Guard, BPDU Guard, Syslog, SNMPv3 Alerts. Root Bridge MITM, DoS (Yersinia). BPDU w/ priority 0. Root
  • 9. VLAN Hopping – Dynamic Trunking Protocol • Dynamic Trunk Protocol (DTP) Modes: Auto, On, Off, Desirable, Non-negotiate • IP Phones, Wireless Access Points • All VLANs are trunked by default • Native VLAN (untagged); Default Native VLAN 1 and required by DTP • Yersinia or other packet crafting tools • Disable trunking on interfaces where not in use • Specify VLANs to be allowed on trunk interfaces • Do not use Native VLAN 1. VLAN 50, VLAN 60, VLAN 50, VLAN 40, VLAN 60. DTP Trunk. Spoof DTP to look like switch (Yersinia)
  • 10. VLAN Hopping – Double VLAN Tag • No two-way communication. Frames sent to target with no response to sender. • Craft Frames with double encapsulated frames • VLAN trunking is not required in this scenario • Disable AUTO/DYNAMIC NEGOTIATION! • Don’t use native VLAN 1. Use tagged mode for native VLAN x on trunks • Disable interfaces not in use. VLAN 50, VLAN 60, VLAN 50, VLAN 40, VLAN 60, VLAN 10. Yersinia. VLAN 10, VLAN 40. VLAN 40 Tag Frame. Untagged Frame. Switch strips off first VLAN ID
  • 11. CAM Table Overflow Attack. Yersinia, Macof, DSNIFF. Node 1, Node 2, Node 3, Node 4. Node 2 to Node 4. Switch CAM table exploited resulting in switch VLAN operating like a shared Ethernet hub. Attack may cause multiple switches to fall back to shared Ethernet behavior. Implement port security to limit MACs per interface, SNMP Traps
  • 12. VLAN Trunking Protocol (VTP). VTP Server, Transparent (VTP DB rev 0), VTP Client, 802.1Q Trunk • VLANs are added/removed on VTP Server • VLAN modifications propagated to VTP Clients • Common VTP Domain name and password • Same Native VLAN on Trunk • Sync to latest changes
  • 13. VLAN Trunking Protocol (VTP) - Security. VTP Server, Transparent (VTP DB rev 0), VTP Client, 802.1Q Trunk • Existing network running default VTP settings • Switches sync to higher rev VTP DB resulting in VLAN config being lost!! • Everyone has a current VLAN.DAT backup right?? • Configure a password for VTP Domain (NOT Cisco….SanFran….) • Delete VLAN.DAT before connecting a new switch • Change the native VLAN to something other than 1. Switch with higher rev of VTP DB added
  • 14. Broadcast Storms. VLAN 20. Rogue Insider, Misconfigured Application, Failed NIC. Broadcast storm propagated across VLAN. Traffic Storm Control limits unicast, multicast, broadcast traffic to a % of port BW • Not enabled on interfaces by default (add to template configuration for port security) • Traffic that exceeds configured threshold will be dropped • Violations can be configured to be shutdown or send a SNMP Trap (recommend v3)
  • 15. Protocol Hacking Tools: GNS3, SCAPY, Colasoft Packet Builder, Many others… (Remember to enable IP forwarding). First Hop Redundancy Protocols: Global Load Balancing Protocol (GLBP), Hot Standby Router Protocol (HSRP), Virtual Redundant Router Protocol (VRRP). Active router 192.168.1.1. Backup router 192.168.1.2. Virtual router 192.168.1.3. 192.168.1.50. Multicast protocol. Priority elects role. MD5, clear, no authentication. Rogue Insider
  • 16. HSRP MITM – Packet Analysis. HSRP Password Clear Text
  • 17. FHRP – Crafted HSRP Packets. Routers. Rogue Insider. Crafted HSRP coup packet with higher priority
  • 18. IPv6 Neighbor Discovery Protocol. Filter on IPv6 or Ethernet Type 0x86DD to Identify IPv6 Packets. IPv6 uses multicast. No more broadcast
  • 19. IPv6 SLAAC MITM. IPv6 Neighbor Discovery Protocol (NDP) (Think ARP for IPv6). IPv6 MITM Tools - Chiron - Evil FOCA - THC Parasite6 - SCAPY - Colasoft Packet Builder. Windows, Linux, Mac. Default - Hosts Send ICMPv6 Router Solicitation. Rogue Insider Sending RAs. Man-in-the-Middle. Mitigations - RAguard - 802.1x - Private VLANs - IPv6 port security - Source/Destination Guard - SeND (encrypt NDP)
  • 20. IPv6 Network Discovery Spoofing MITM. Windows, Linux, Mac. Mitigations - Source/Destination Guard - 802.1x - Private VLANs - IPv6 port security - NDP Spoofing - DHCP Snooping - Source/Destination Guard - SeND (encrypt NDP). Rogue Insider. Network Discovery Spoofing - MITM (ARP Spoofing equivalent for IPv6). IPv6 Neighbor Discovery Protocol (NDP) (Think ARP for IPv6). IPv6 MITM Tools - Chiron - Evil FOCA - THC Parasite6 - SCAPY - Colasoft Packet Builder
  • 21. DMZ Layer 2 Security. Secure DMZ Trusts - PVLAN - VACL - Separate Virtual or Physical Int w/ ACLs - Develop a network traffic matrix to define required network traffic flows. WWW, DNS, SMTP, SharePoint. DMZ - Typically single VLAN - Open trusts Inside VLAN - DMZ to Internal AD integ. - Pivot from DMZ to Internal network. Internal Network: Database, Email, DNS, *NIX w/NIS (AD Integ.), Active Directory. Internet
  • 22. Layer 2 – Secure Visualization and Instrumentation. TAP/Sniffer, NOC, SOC. Out-of-band Network. Whitelist the Layer 2 Network Trust Relationships. Whitelist Trusted Information Flows in Monitoring. Secure Control, Management, Data Planes. In-band Monitoring: EPC, SPAN, RSPAN, ERSPAN, Netflow
  • 23. Layer 2 Security Recommendations • Cisco TrustSec – Identity Services Engine • 802.1x with 2 factor authentication • Private VLANs • VLAN Access Control Lists (VACL) • Root Guard • BPDU Guard • Secure VTP protocol • Disable VLAN trunking where not in use • Storm Control • IPv6 Port Security • Dynamic ARP Inspection • IP Source Inspection • DHCP Option 82 Logging • Secure DHCP Trusts • Layer 2 Secure Visualization and Instrumentation
  • 24. References: LAN Switch Security – What Hackers Know About Your Switches, Eric Vyncke, Christopher Paggen, Cisco Press; Enno Rey - @Enno_Insinuator, @WEareTROOPERS, ERNW Papers and Resources, www.ernw.de, www.insinuator.net; Ivan Pepelnjak - @IOShints, Papers and Resources, http://www.ipspace.net; IPv6 Security, Scott Hogg and Eric Vyncke, Cisco Press; IPv6 Security, Scott Hogg, http://www.gtri.com/wp-content/uploads/2014/10/IPv6-Hacker-Halted-The-Hacker-Code-Angels-vs-Demons.pdf; The Practice of Network Security Monitoring, Richard Bejtlich, No Starch Press; Router Security Strategies: Securing IP Network Traffic Planes, Gregg Schudel, David J. Smith, Cisco Press; https://www.cisco.com/go/safe; http://docwiki.cisco.com/wiki/FHS; http://www.netoptics.com/blog/01-07-2011/sample-pcap-files; http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipapp_drp/configuration/12-4/dp-12-4-book.html; http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Security/Baseline_Security/securebasebook/sec_chap8.html; http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/best/practices/recommendations.html; http://www.cisco.com/web/about/security/intelligence/ipv6_first_hop.html; http://www.cisco.com/c/en/us/support/docs/ip/access-lists/13608-21.html; http://monkey.org/~dugsong/dsniff/; https://www.yersinia.net; https://www.nsa.gov/ia/_files/factsheets/Factsheet-Cisco%20Port%20Security.pdf; http://iase.disa.mil/stigs/net_perimeter/network-infrastructure/Pages/index.aspx
  • 25. Questions? http://www.dynetics.com/insights @PaulCoggin
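
Slides 3 and 4 pair ARP poisoning with Dynamic ARP Inspection. The sketch below is an added example, not material from the deck: a simplified model of the check DAI applies on an untrusted port, validating each ARP frame against trusted IP-to-MAC bindings. The binding table reuses the addresses on slide 3; the three frames are constructed sample input, and the function names are hypothetical.

```python
import struct
from ipaddress import IPv4Address

# Trusted IP-to-MAC bindings, as a DHCP snooping table would hold them.
# The addresses are the ones on the ARP Poisoning slide.
BINDINGS = {
    "192.168.1.1": "1111.1111.1111",  # Router
    "192.168.1.2": "2222.2222.2222",  # User 1
    "192.168.1.3": "3333.3333.3333",  # User 3
}

# Constructed sample frames (Ethernet header + ARP), not captures.
# User 1 asking for the router's MAC: consistent with the bindings.
LEGIT_REQUEST = bytes.fromhex(
    "ffffffffffff 222222222222 0806 0001 0800 0604 0001"
    " 222222222222 c0a80102 000000000000 c0a80101")
# Gratuitous ARP from slide 3: 192.168.1.2 claimed at MAC 3333.3333.3333.
SPOOFED_USER1 = bytes.fromhex(
    "ffffffffffff 333333333333 0806 0001 0800 0604 0002"
    " 333333333333 c0a80102 ffffffffffff c0a80102")
# Gratuitous ARP from slide 3: 172.16.1.1 claimed at MAC 3333.3333.3333.
SPOOFED_SERVER = bytes.fromhex(
    "ffffffffffff 333333333333 0806 0001 0800 0604 0002"
    " 333333333333 ac100101 ffffffffffff ac100101")


def cisco_mac(raw: bytes) -> str:
    """Format 6 raw bytes in the dotted notation the slides use."""
    digits = raw.hex()
    return ".".join(digits[i:i + 4] for i in (0, 4, 8))


def parse_arp(frame: bytes):
    """Return the ARP fields of an untagged Ethernet II frame, or None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None  # not Ethernet/IPv4 ARP
    return {
        "eth_src": cisco_mac(frame[6:12]),
        "oper": oper,  # 1 = request, 2 = reply
        "sender_mac": cisco_mac(frame[22:28]),
        "sender_ip": str(IPv4Address(frame[28:32])),
        "target_ip": str(IPv4Address(frame[38:42])),
    }


def dai_verdict(frame: bytes, bindings=BINDINGS) -> str:
    """Decide whether an ARP frame from an untrusted port matches the bindings."""
    arp = parse_arp(frame)
    if arp is None:
        return "ignore: not IPv4 ARP"
    if arp["eth_src"] != arp["sender_mac"]:
        return "drop: Ethernet source differs from ARP sender MAC"
    bound = bindings.get(arp["sender_ip"])
    if bound is None:
        return f"drop: no binding for {arp['sender_ip']}"
    if bound != arp["sender_mac"]:
        return (f"drop: {arp['sender_ip']} is bound to {bound}, "
                f"frame claims {arp['sender_mac']}")
    return "permit"


if __name__ == "__main__":
    for name in ("LEGIT_REQUEST", "SPOOFED_USER1", "SPOOFED_SERVER"):
        print(f"{name}: {dai_verdict(globals()[name])}")
```

Each drop verdict is also the event worth forwarding to the SNMP and syslog monitoring that slide 4 lists alongside DAI.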
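
Slides 15 to 17 note that HSRP elects roles by priority and may carry its password in clear text. As an added example (not from the deck), this monitor-side check decodes the 20-byte HSRP message of RFC 2281 and flags speakers outside the router inventory, priorities above the configured maximum, and readable authentication strings. The router addresses come from slide 15; the priority baseline of 110, the source 192.168.1.99 and both payloads are constructed, and the function names are hypothetical.

```python
import struct
from ipaddress import IPv4Address

OPCODES = {0: "hello", 1: "coup", 2: "resign"}

# Assumed inventory: the active and backup routers from the FHRP slide, and
# the highest priority either is configured with (110 is a constructed value).
KNOWN_ROUTERS = {"192.168.1.1", "192.168.1.2"}
HIGHEST_CONFIGURED_PRIORITY = 110

# Constructed sample UDP payloads (HSRP uses UDP port 1985), not captures.
# Hello, state Active, priority 110, group 1, auth "cisco", virtual IP 192.168.1.3
HELLO_FROM_ACTIVE = bytes.fromhex("00001003 0a6e0100 636973636f000000 c0a80103")
# Coup, priority 255, same group and virtual IP
COUP_FROM_UNLISTED = bytes.fromhex("00011003 0aff0100 636973636f000000 c0a80103")


def parse_hsrp_v1(payload: bytes) -> dict:
    """Decode the fixed 20-byte HSRP message defined in RFC 2281."""
    if len(payload) < 20:
        raise ValueError("HSRP message shorter than 20 bytes")
    version, opcode, state, _hello, _hold, priority, group, _rsvd = struct.unpack(
        "!8B", payload[:8])
    if version != 0:
        raise ValueError("only the RFC 2281 format (version field 0) is handled")
    return {
        "opcode": OPCODES.get(opcode, f"unknown({opcode})"),
        "state": state,
        "priority": priority,
        "group": group,
        "auth": payload[8:16].rstrip(b"\x00"),  # 8-byte field, null padded
        "virtual_ip": str(IPv4Address(payload[16:20])),
    }


def audit(src_ip: str, payload: bytes) -> list:
    """Return findings for one HSRP message seen from src_ip."""
    msg = parse_hsrp_v1(payload)
    findings = []
    if src_ip not in KNOWN_ROUTERS:
        findings.append(f"{msg['opcode']} from unlisted speaker {src_ip}")
    if msg["priority"] > HIGHEST_CONFIGURED_PRIORITY:
        findings.append(
            f"priority {msg['priority']} exceeds configured maximum "
            f"{HIGHEST_CONFIGURED_PRIORITY}")
    if msg["auth"]:
        # A non-empty field is a string anyone on the segment can read.
        text = msg["auth"].decode("ascii", "replace")
        note = " (RFC 2281 default)" if msg["auth"] == b"cisco" else ""
        findings.append(f"authentication string sent in clear: {text!r}{note}")
    return findings


if __name__ == "__main__":
    for src, pkt in (("192.168.1.1", HELLO_FROM_ACTIVE),
                     ("192.168.1.99", COUP_FROM_UNLISTED)):
        print(src, audit(src, pkt))
```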