PENTESTING LAYER 2 PROTOCOLS
By
Temmar Abdessamad
temmar.abdessamad@gmail.com
Outline
1 Why Worry About Layer 2 Security ?
2 Playing with Layer 2 protocols
3 Pentesting Layer 2 methodology
4 Conclusion
Why Worry About Layer 2 Security ?
[Figure: two OSI stacks (Application, Presentation, Session, Transport, Network, Data Link, Physical) joined by physical links, MAC addresses and IP addresses; an initial compromise at the data link layer leaves the application stream above it (POP3, IMAP, IM, SSL, SSH ...) compromised]
• The OSI model was built to allow different layers to work without knowledge of each other
• Unfortunately this means that if one layer is hacked, communications are compromised without the other layers being aware of the problem
• When it comes to networking ... layer 2 can be a very weak link!
• Security is only as strong as the weakest link
LAYER 2 : EQUIPMENT, PROTOCOLS & ATTACKS
Protocols
• CDP (Cisco Discovery Protocol)
• VTP (VLAN Trunking Protocol)
• DTP (Dynamic Trunking Protocol)
• HSRP (Hot Standby Router Protocol)
• DHCP (Dynamic Host Configuration Protocol)
Attack categories
• Reconnaissance attacks: the attacker tries to learn information about the target network (devices, protocols, topology ...);
• DoS attacks: the objective is to interrupt or suspend the network's normal service functions (routing, IP addressing);
• Hijacking attacks: hijack the network's traffic so the attacker is able to sniff/intercept sensitive data (MiTM);
• Bypass attacks: the attacker tries to bypass network restrictions in order to reach other VLANs;
• Topology attacks: the main objective is to take control of the target network and alter its topology.
Cisco Discovery Protocol (CDP)
 Cisco Discovery Protocol (CDP) is a Cisco proprietary protocol
 Allows Cisco devices to discover each other (IP address, software version, router model, etc.)
 How it works: each network entity broadcasts a CDP packet once per minute
 CDP does not run over IP: it runs directly over the data link layer.
Cisco Discovery Protocol (CDP)
 CDP is clear text and unauthenticated
 Information leak:
 Software version and hardware platform: a specific release with a well-known bug that is ready to be exploited
 Auxiliary VLAN: an attacker can learn which VLAN is used by IP telephony
Cisco Discovery Protocol (CDP)
 CDP Cache Pollution - CDP table becomes unusable because it contains a lot of false information
Switch> sh cdp neighbors
Port Device-ID Port-ID Platform
-------- ---------------- -------------------- ------------
2/16 2651e FastEthernet0/1 cisco 2651
2/21 inet3 FastEthernet0/0 cisco 2651
2/36 r2-7206 Ethernet2/0.1 cisco 7206VXR
2/47 00M55I1 Ethernet0 yersinia
2/47 00N55I1 Ethernet0 yersinia
2/47 00N66I1 Ethernet0 yersinia
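As an added example (not from the slides), the following Python parses the clear-text TLVs a CDP frame carries (Device-ID, Platform, Software Version, Port-ID and the VoIP VLAN reply that discloses the auxiliary VLAN) and checks a set of captured frames for the cache-pollution pattern shown above, where one switch port suddenly reports many distinct neighbours. The frames are constructed, and the layout assumed for the 0x000E VoIP VLAN reply is data(1) vlan(2).

```python
import struct
from collections import defaultdict

# CDP TLV type codes as they appear on the wire: 2-byte type, 2-byte length
# (which includes the 4-byte TLV header), then the value.
CDP_TLV_NAMES = {0x0001: "device_id", 0x0003: "port_id",
                 0x0005: "software_version", 0x0006: "platform"}
CDP_TLV_VOICE_VLAN = 0x000E  # VoIP VLAN Reply: the auxiliary VLAN of IP phones


def parse_cdp(payload: bytes) -> dict:
    """Parse a CDP payload (the bytes after the LLC/SNAP header).
    Header is version(1) ttl(1) checksum(2); the checksum is not verified,
    the point is to read what the frame discloses in clear text."""
    version, ttl, _checksum = struct.unpack("!BBH", payload[:4])
    info = {"version": version, "ttl": ttl}
    off = 4
    while off + 4 <= len(payload):
        ttype, tlen = struct.unpack("!HH", payload[off:off + 4])
        if tlen < 4 or off + tlen > len(payload):
            raise ValueError("malformed CDP TLV at offset %d" % off)
        value = payload[off + 4:off + tlen]
        if ttype == CDP_TLV_VOICE_VLAN and len(value) >= 3:
            # assumed layout of the reply: data(1) vlan(2)
            info["voice_vlan"] = struct.unpack("!H", value[1:3])[0]
        elif ttype in CDP_TLV_NAMES:
            info[CDP_TLV_NAMES[ttype]] = value.decode("ascii", "replace")
        off += tlen
    return info


def tlv(ttype: int, value: bytes) -> bytes:
    return struct.pack("!HH", ttype, 4 + len(value)) + value


def build_cdp(device_id, platform, sw_version, port_id, voice_vlan=None) -> bytes:
    """Constructed sample CDP payload (version 2, TTL 180 s, checksum zeroed)."""
    body = (tlv(0x0001, device_id.encode()) + tlv(0x0006, platform.encode())
            + tlv(0x0005, sw_version.encode()) + tlv(0x0003, port_id.encode()))
    if voice_vlan is not None:
        body += tlv(CDP_TLV_VOICE_VLAN, b"\x20" + struct.pack("!H", voice_vlan))
    return struct.pack("!BBH", 2, 180, 0) + body


def pollution_report(observations, max_neighbors=1) -> dict:
    """observations: iterable of (switch_port, cdp_payload) seen within one
    advertisement interval. A link normally has one CDP neighbour; a port that
    reports many distinct Device-IDs is being flooded with forged frames, as
    port 2/47 is in the 'sh cdp neighbors' output above."""
    seen = defaultdict(set)
    for port, payload in observations:
        seen[port].add(parse_cdp(payload)["device_id"])
    return {port: sorted(ids) for port, ids in seen.items()
            if len(ids) > max_neighbors}
```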
Cisco Discovery Protocol (CDP)
 Only enable CDP on ports to other network devices and uplinks, and disable it on access ports
 But CDP must remain enabled on ports to IP phones
 To turn off CDP:
CatOS> (enable) set cdp disable <mod>/<port> | all
IOS(config)#no cdp run
IOS(config-if)#no cdp enable
Hot Standby Router Protocol (HSRP)
 It makes a group of adjacent routers appear as a single virtual router.
 Each physical router has its own MAC and IP addresses, but the group shares one MAC and one IP address for the virtual router.
 Routers exchange HSRP messages to elect the active router. A standby router can become active when:
 It receives no more HSRP hello messages from the active router
 The active router explicitly wants to become standby
[Figure: HSRP group of Router A, Router B and Router C sharing the virtual IP 192.168.0.7; Router B carries the virtual MAC 000.0C07.AC01 while Routers A and C use their hardware MACs; hosts have a default route to 192.168.0.8]
Hot Standby Router Protocol (HSRP)
 HSRP is clear text: HSRP commits a slight information leakage by advertising all the routers' IP addresses, authentication data ...
 A standby router is able to immediately take over the role of the active router:
 Standby routers use their own MAC addresses as source MAC
 The active router uses the virtual MAC address
Hot Standby Router Protocol (HSRP)
 DoS attack - an attacker sends a fake HSRP packet with the priority set to the maximum value 255 and the correct Authentication Data and group virtual IP address. All traffic is sent to a black hole.
[Figure: the HSRP group of Routers A, B and C (virtual IP 192.168.0.7) with the active virtual router (IP 192.168.0.7, MAC 000.0C07.AC01) between Network A and Network B; hosts have a default route to 192.168.0.7]
Hot Standby Router Protocol (HSRP)
 Man-In-The-Middle attack – attacker can intercept, listen & modify unprotected data
[Figure: the HSRP group of Routers A, B and C (virtual IP 192.168.0.7) with the active virtual router (IP 192.168.0.7, MAC 000.0C07.AC01) in the path of hosts whose default route is 192.168.0.8]
Hot Standby Router Protocol (HSRP)
 The ways to mitigate these attacks rely on preventing:
 Forging valid authentication data. If the attacker is unable to present the correct credentials, all other routers reject his packets.
 Sending HSRP packets. The network infrastructure blocks all HSRP packets except those sent by authorized HSRP routers.
How do we protect ourselves from these attacks? Okay ... but how?!
Use strong authentication: an MD5 key chain to authenticate HSRP messages
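As an added example (not part of the presentation), this Python decodes HSRPv1 messages and applies the checks the preceding slides imply: a hello in the active state should come from the group's virtual MAC while standby routers use their hardware MAC, a priority-255 claim from a MAC that is not a known router is a takeover attempt, and the default clear-text authentication string "cisco" gives no protection. The list of authorized router MACs and the frames are constructed.

```python
import struct
from ipaddress import IPv4Address

HSRP_OPCODES = {0: "hello", 1: "coup", 2: "resign"}
HSRP_STATES = {0: "initial", 1: "learn", 2: "listen", 4: "speak",
               8: "standby", 16: "active"}


def virtual_mac(group: int) -> str:
    """HSRPv1 virtual MAC is 0000.0c07.acXX, XX being the group number."""
    return "00:00:0c:07:ac:%02x" % group


def parse_hsrp_v1(payload: bytes) -> dict:
    """Decode an HSRPv1 message (UDP port 1985 to 224.0.0.2), RFC 2281 layout:
    version, opcode, state, hellotime, holdtime, priority, group, reserved
    (one byte each), 8 bytes of clear-text authentication data, virtual IP."""
    if len(payload) < 20:
        raise ValueError("HSRPv1 message is 20 bytes")
    ver, op, state, hello, hold, prio, group, _ = struct.unpack("!8B", payload[:8])
    return {"version": ver, "opcode": HSRP_OPCODES.get(op, op),
            "state": HSRP_STATES.get(state, state), "hellotime": hello,
            "holdtime": hold, "priority": prio, "group": group,
            "auth": payload[8:16].rstrip(b"\x00").decode("ascii", "replace"),
            "virtual_ip": str(IPv4Address(payload[16:20]))}


def build_hsrp_v1(opcode, state, priority, group, auth=b"cisco",
                  vip="192.168.0.7") -> bytes:
    """Constructed sample message; 3 s hello / 10 s hold are the HSRP defaults."""
    return (struct.pack("!8B", 0, opcode, state, 3, 10, priority, group, 0)
            + auth.ljust(8, b"\x00") + IPv4Address(vip).packed)


def audit_hsrp(frames, authorized_macs) -> list:
    """frames: iterable of (src_mac, src_ip, hsrp_payload); authorized_macs: the
    hardware MACs of the routers that belong to the group (a constructed list).
    Returns (src_mac, [reasons]) for each message the group should not trust."""
    findings = []
    for src_mac, src_ip, payload in frames:
        msg = parse_hsrp_v1(payload)
        known = src_mac in authorized_macs or src_mac == virtual_mac(msg["group"])
        reasons = []
        if not known:
            reasons.append("HSRP %s from unknown MAC" % msg["opcode"])
        if msg["priority"] == 255 and not known:
            reasons.append("priority 255 claim from an unauthorized source")
        if msg["state"] == "active" and src_mac != virtual_mac(msg["group"]):
            reasons.append("active state not sourced from the virtual MAC")
        if msg["auth"] == "cisco":
            reasons.append("default clear-text authentication string in use")
        if reasons:
            findings.append((src_mac, reasons))
    return findings
```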
Other Attacks
VTP (VLAN Trunking Protocol)
This protocol gives an attacker the ability to add and remove VLANs from the network.
DTP (Dynamic Trunking Protocol)
If a switch port has been configured to send and/or listen to DTP advertisements, a hacker can easily coerce the port into becoming a trunk.
DHCP (Dynamic Host Configuration Protocol)
Hijacking Traffic Using DHCP Rogue Servers
[Figure: client, attacker (10.50.72.66), DNS server, DHCP server and file server on one segment. The client sends DHCP request packets for IP, DNS and gateway addresses ("Hi, may I please have IP, gateway & DNS addresses?"). The attacker replies with fraudulent information (IP: 10.50.72.0/24, GW: 10.50.72.66, DNS: 10.50.72.66), naming his own computer as the gateway, so all packets from clients pass through his machine.]
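Added example, not from the slides: a check on captured DHCPOFFER packets that models what DHCP snooping enforces on untrusted ports. It flags an offer whose source or server identifier is not a trusted DHCP server, or whose gateway/DNS options point to an address that is not known infrastructure (the rogue server's 10.50.72.66 above). The trusted server address 10.50.72.1 and the offers are constructed.

```python
import struct
from ipaddress import IPv4Address

DHCP_MAGIC = b"\x63\x82\x53\x63"
OPT_ROUTER, OPT_DNS, OPT_MSG_TYPE, OPT_SERVER_ID = 3, 6, 53, 54
DHCP_OFFER = b"\x02"


def parse_dhcp(payload: bytes) -> dict:
    """BOOTP fixed header (236 bytes), magic cookie, then options as
    code(1) length(1) value; code 0 is padding and 255 ends the list."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    msg = {"yiaddr": str(IPv4Address(payload[16:20])), "options": {}}
    i = 240
    while i < len(payload) and payload[i] != 255:
        if payload[i] == 0:
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        msg["options"][code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return msg


def ip_list(raw: bytes) -> list:
    return [str(IPv4Address(raw[k:k + 4])) for k in range(0, len(raw) - 3, 4)]


def opt(code: int, value: bytes) -> bytes:
    return bytes([code, len(value)]) + value


def build_offer(xid: int, yiaddr: str, server: str, router: str, dns: str) -> bytes:
    """Constructed DHCPOFFER (op 2, htype 1, hlen 6; chaddr/sname/file zeroed)."""
    header = (struct.pack("!BBBBIHH", 2, 1, 6, 0, xid, 0, 0) + bytes(4)
              + IPv4Address(yiaddr).packed + IPv4Address(server).packed
              + bytes(4 + 16 + 64 + 128) + DHCP_MAGIC)
    options = (opt(OPT_MSG_TYPE, DHCP_OFFER) + opt(OPT_SERVER_ID, IPv4Address(server).packed)
               + opt(OPT_ROUTER, IPv4Address(router).packed)
               + opt(OPT_DNS, IPv4Address(dns).packed) + b"\xff")
    return header + options


def check_offer(src_ip: str, payload: bytes, trusted_servers, trusted_infra) -> list:
    """Flag an OFFER from an untrusted server, or one whose gateway/DNS options
    point outside the known infrastructure addresses (DHCP snooping's decision)."""
    o = parse_dhcp(payload)["options"]
    if o.get(OPT_MSG_TYPE) != DHCP_OFFER:
        return []
    findings = []
    server_ids = ip_list(o.get(OPT_SERVER_ID, b""))
    if src_ip not in trusted_servers or any(s not in trusted_servers for s in server_ids):
        findings.append("offer from untrusted DHCP server %s (server-id %s)" % (src_ip, server_ids))
    for code, role in ((OPT_ROUTER, "gateway"), (OPT_DNS, "DNS")):
        for addr in ip_list(o.get(code, b"")):
            if addr not in trusted_infra:
                findings.append("offer sets %s to %s" % (role, addr))
    return findings
```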
Pentesting Layer 2 - Methodology
1 Sniffing (CDP, VTP, HSRP, DHCP ...)
2 DHCP enabled?
• Yes: collect DHCP information
• No: analyze CDP packets and pick your own IP address
3 Reconnaissance attacks
• CDP packet analysis
• HSRP packets
• DHCP information
4 Hijacking attacks
• HSRP: become the active router
• DHCP: introduce a rogue DHCP server (MiTM, DNS hijacking)
• DTP protocol analysis: enable trunking mode
• Sniff the network traffic of the upper layers
Conclusion
 According to our last pen test missions, 95 % of these attacks are successful, which proves that layer 2 security is still ignored by companies
 In general we recommend:
 Managing switches in as secure a manner as possible (SSH, permit lists, etc.)
 Using a dedicated VLAN ID for all trunk ports. Be paranoid: do not use VLAN 1 for anything.
 Setting user ports to a non-trunking state.
 Deploying port security whenever possible for user ports.
 Using private VLANs where appropriate to further divide L2 networks.
 Disabling all unused ports and putting them in an unused VLAN.
 Disabling CDP whenever possible.
 Ensuring DHCP attack prevention (DHCP snooping).
REFERENCES
• Eric Vyncke, Christopher Paggen: LAN Switch Security: What Hackers Know About Your Switches
• Berrueta Andres: Yersinia, a framework for layer 2 attacks (Black Hat)

Editor's Notes

  • #10 Because CDP is mainly interesting to use between network devices and not toward end-user hosts, the best way to prevent both the DoS attacks and information leaks is to only enable CDP on ports to other network devices and uplinks while disabling it to access ports. Because of the low level of risk and the benefits of CDP in IP phone deployment, as well as for network operation and troubleshooting, it is better to leave CDP enabled on all ports. Of course, the best option is to only configure CDP on ports where it is required (such as those with an IP phone) to reduce risk exposure.