PENTESTING LAYER 2 PROTOCOLS
By
Temmar Abdessamad
temmar.abdessamad@gmail.com
Outline
1. Why Worry About Layer 2 Security ?
2. Playing with Layer 2 protocols
3. Pentesting Layer 2 methodology
4. Conclusion
Why Worry About Layer 2 Security ?
Figure : two OSI stacks (Application, Presentation, Session, Transport, Network, Data Link, Physical) facing each other ; the data link layer (physical links, MAC addresses) is marked "Initial Compromise", and the application stream above it (POP3, IMAP, IM, even SSL and SSH sessions) is marked "Compromised".
• The OSI model was built to allow the different layers to work without knowledge of each other
• Unfortunately this means that if one layer is hacked, communications are compromised without the other layers being aware of the problem : an attacker who owns layer 2 sits in the path of every higher-layer protocol, and SSL or SSH only save the user if the certificate or host-key warning is actually checked
• When it comes to networking, layer 2 can be a very weak link : anyone with access to a network socket (or to the PC port of an IP phone) is on it
• Security is only as strong as the weakest link
LAYER 2 : EQUIPMENT, PROTOCOLS & ATTACKS
Protocols covered :
 CDP (Cisco Discovery Protocol)
 VTP (VLAN Trunking Protocol)
 DTP (Dynamic Trunking Protocol)
 HSRP (Hot Standby Router Protocol)
 DHCP (Dynamic Host Configuration Protocol)
Attack categories :
 Reconnaissance attacks : the attacker tries to learn information about the target network (devices, protocols, topology ...) ;
 DoS attacks : the objective is to interrupt or suspend the network's normal service functions (routing, IP addressing) ;
 Hijacking attacks : hijack the network's traffic so that the attacker is able to sniff/intercept sensitive data (MiTM) ;
 Bypass attacks : the attacker tries to bypass network restrictions in order to reach other VLANs ;
 Topology attacks : the main objective is to take control of the target network and alter its topology.
Cisco Discovery Protocol (CDP) - Presentation
 Cisco Discovery Protocol (CDP) is a Cisco proprietary protocol
 Allows Cisco devices to discover each other (IP address, software version, router model, etc.)
 How it works : each device multicasts a CDP frame (destination MAC 01:00:0C:CC:CC:CC) every 60 seconds by default ; a neighbour keeps the entry for the advertised hold time, 180 seconds by default
 CDP does not run over IP : it runs directly over the data link layer (SNAP encapsulation), so it is only visible on the local segment, which is exactly where the attacker is plugged in
Cisco Discovery Protocol (CDP) - Vulnerabilities
 CDP is clear text and unauthenticated : anyone on the segment can read it, and anyone can forge it
 Information leak :
  Software version and hardware platform : the attacker can match the exact release against well-known bugs that are ready to be exploited
  Management IP address of the switch or router
  Native VLAN and auxiliary (voice) VLAN : an attacker can learn which VLAN is used by IP telephony
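As an added example (not from the original slides), the following Python decodes a CDP payload the way a sniffer on an access port would and collects exactly the fields listed above. The frame it parses is constructed here: the hostname sw-access-3.lab, the management address 10.50.72.2, the port name, the IOS release string and the VLAN numbers are made up; the TLV type numbers and their layouts are CDP's own. Real CDP frames of odd length use a Cisco-specific checksum quirk that the standard Internet checksum used here does not reproduce.

```python
"""Decode a CDP payload the way a sniffer on an access port would (added example).

The frame below is constructed: hostname, management IP, port name, IOS release
string and VLAN numbers are made up. TLV type numbers and layouts are CDP's own.
"""
import struct
from ipaddress import IPv4Address

# CDP TLV types (protocol constants)
TLV_DEVICE_ID, TLV_ADDRESSES, TLV_PORT_ID, TLV_CAPABILITIES = 0x0001, 0x0002, 0x0003, 0x0004
TLV_SOFTWARE, TLV_PLATFORM, TLV_NATIVE_VLAN, TLV_VOICE_VLAN = 0x0005, 0x0006, 0x000A, 0x000E
STRING_TLVS = {TLV_DEVICE_ID: "device_id", TLV_PORT_ID: "port_id",
               TLV_SOFTWARE: "software", TLV_PLATFORM: "platform"}
CAPABILITY_BITS = {0x01: "Router", 0x02: "Trans-Bridge", 0x04: "Source-Route-Bridge",
                   0x08: "Switch", 0x10: "Host", 0x20: "IGMP", 0x40: "Repeater"}


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum (Cisco's odd-length quirk is not reproduced)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tlv(tlv_type: int, value: bytes) -> bytes:
    """TLV header: 2-byte type, 2-byte length that includes the 4-byte header."""
    return struct.pack("!HH", tlv_type, 4 + len(value)) + value


def ip_address_tlv(addresses) -> bytes:
    """Addresses TLV: count, then per address NLPID type/len/0xCC (IPv4), addr len, addr."""
    body = struct.pack("!I", len(addresses))
    for a in addresses:
        body += struct.pack("!BBBH", 0x01, 0x01, 0xCC, 4) + IPv4Address(a).packed
    return tlv(TLV_ADDRESSES, body)


def build_cdp_payload(tlvs: bytes, hold_time: int = 180) -> bytes:
    """Version 2 header (version, TTL/hold time, checksum) followed by the TLVs."""
    checksum = internet_checksum(struct.pack("!BBH", 2, hold_time, 0) + tlvs)
    return struct.pack("!BBH", 2, hold_time, checksum) + tlvs


def parse_addresses(value: bytes) -> list:
    count = struct.unpack("!I", value[:4])[0]
    offset, found = 4, []
    for _ in range(count):
        proto_type, proto_len = value[offset], value[offset + 1]
        proto = value[offset + 2:offset + 2 + proto_len]
        addr_len = struct.unpack("!H", value[offset + 2 + proto_len:offset + 4 + proto_len])[0]
        start = offset + 4 + proto_len
        if proto_type == 1 and proto == b"\xcc" and addr_len == 4:  # NLPID 0xCC = IPv4
            found.append(str(IPv4Address(value[start:start + 4])))
        offset = start + addr_len
    return found


def parse_cdp_payload(payload: bytes) -> dict:
    version, hold_time, _ = struct.unpack("!BBH", payload[:4])
    # the checksum over the whole payload (checksum field included) is 0 when valid
    info = {"version": version, "hold_time": hold_time,
            "checksum_ok": internet_checksum(payload) == 0}
    offset = 4
    while offset + 4 <= len(payload):
        tlv_type, length = struct.unpack("!HH", payload[offset:offset + 4])
        if length < 4 or offset + length > len(payload):      # truncated or forged TLV
            info["malformed"] = True
            break
        value = payload[offset + 4:offset + length]
        offset += length
        if tlv_type in STRING_TLVS:
            info[STRING_TLVS[tlv_type]] = value.decode("ascii", "replace")
        elif tlv_type == TLV_ADDRESSES:
            info["addresses"] = parse_addresses(value)
        elif tlv_type == TLV_CAPABILITIES:
            caps = struct.unpack("!I", value)[0]
            info["capabilities"] = [n for bit, n in CAPABILITY_BITS.items() if caps & bit]
        elif tlv_type == TLV_NATIVE_VLAN:
            info["native_vlan"] = struct.unpack("!H", value)[0]
        elif tlv_type == TLV_VOICE_VLAN:                      # VoIP VLAN Reply: 1 data byte + VLAN ID
            info["voice_vlan"] = struct.unpack("!H", value[1:3])[0]
    return info


# Constructed advertisement (all values hypothetical) as a switch access port would leak it.
SAMPLE_FRAME = build_cdp_payload(
    tlv(TLV_DEVICE_ID, b"sw-access-3.lab")
    + ip_address_tlv(["10.50.72.2"])
    + tlv(TLV_PORT_ID, b"FastEthernet0/12")
    + tlv(TLV_CAPABILITIES, struct.pack("!I", 0x28))          # Switch + IGMP
    + tlv(TLV_SOFTWARE, b"Cisco IOS Software, C2960 Software, Version 12.2(25)SEE2")
    + tlv(TLV_PLATFORM, b"cisco WS-C2960-24TT-L")
    + tlv(TLV_NATIVE_VLAN, struct.pack("!H", 1))
    + tlv(TLV_VOICE_VLAN, b"\x01" + struct.pack("!H", 200)))


def recon_summary(payload: bytes) -> dict:
    """The fields a pentester notes from one frame: who is on the other end, what it runs, which VLANs."""
    info = parse_cdp_payload(payload)
    return {"device": info.get("device_id"), "mgmt_ip": info.get("addresses", []),
            "platform": info.get("platform"), "software": info.get("software"),
            "my_port": info.get("port_id"), "native_vlan": info.get("native_vlan"),
            "voice_vlan": info.get("voice_vlan"), "checksum_ok": info["checksum_ok"]}


if __name__ == "__main__":
    for key, val in recon_summary(SAMPLE_FRAME).items():
        print("%-12s %s" % (key, val))
```

The parser deliberately keeps going on unknown TLV types and stops (flagging `malformed`) on a length that runs past the frame, since flooded or hand-crafted CDP frames are exactly the input a defender's tooling has to survive.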
Cisco Discovery Protocol (CDP) - Attacks
 CDP cache pollution : an attacker floods the switch with forged CDP frames carrying random device IDs (Yersinia does this out of the box). The CDP table becomes unusable because it contains a lot of false information, and on old releases the memory consumed by the fake neighbours could exhaust the device.
Example, the CDP table of a switch whose port 2/47 is being flooded :
Switch> sh cdp neighbors
Port      Device-ID         Port-ID               Platform
--------  ----------------  --------------------  ------------
2/16      2651e             FastEthernet0/1       cisco 2651
2/21      inet3             FastEthernet0/0       cisco 2651
2/36      r2-7206           Ethernet2/0.1         cisco 7206VXR
2/47      00M55I1           Ethernet0             yersinia
2/47      00N55I1           Ethernet0             yersinia
2/47      00N66I1           Ethernet0             yersinia
Cisco Discovery Protocol (CDP) - Mitigation
 Only enable CDP on ports to other network devices and uplinks, and disable it on access ports
 But CDP must remain enabled on ports to IP phones (the phone learns its voice VLAN and power budget from CDP), so those ports stay exposed and need the other measures (port security, DHCP snooping)
 To turn off CDP :
CatOS> (enable) set cdp disable <mod>/<port> | all
IOS(config)#no cdp run                  (whole device)
IOS(config-if)#no cdp enable            (one interface)
Hot Standby Router Protocol (HSRP) - Presentation
 It makes a group of adjacent routers appear as a single virtual router : the hosts use the virtual router's IP address as their default gateway.
 Each physical router has its own MAC and IP addresses, but the group shares one virtual MAC address (HSRPv1 : 0000.0C07.ACxx, where xx is the group number) and one virtual IP address for the virtual router.
 Routers exchange HSRP hello messages (UDP port 1985, sent to 224.0.0.2 every 3 seconds by default) to elect the active router : highest priority wins, highest IP address breaks ties. A standby router becomes active when
  It receives no more HSRP hello messages from the active router (hold time, 10 seconds by default)
  The active router explicitly resigns and wants to become standby
Figure : HSRP group of Router A, Router B and Router C ; Router B is active and answers for the virtual IP 192.168.0.7 with the virtual MAC 0000.0C07.AC01, Router A and Router C use their hardware MAC addresses ; the hosts have a default route to the virtual IP.
Hot Standby Router Protocol (HSRP) - Vulnerabilities
 HSRP is clear text : every hello leaks the routers' IP addresses, the group number, the priorities and the authentication data (an 8-byte clear-text password, "cisco" by default), so this "authentication" stops nobody who can sniff the segment.
 A standby router, or anybody else on the segment, can immediately take over the role of the active router : a hello claiming the active state with a higher priority (255 is the maximum) makes the real active router step down, no preemption setting needed.
 The source MAC address of the hellos tells the attacker which router is currently active :
  Standby routers use their own MAC addresses as source MAC
  The active router uses the virtual MAC address
Hot Standby Router Protocol (HSRP) - Attacks
 DoS attack : the attacker sends forged HSRP hello packets claiming the active state, with the priority set to the maximum value 255, the correct authentication data and the group's virtual IP address. The legitimate routers step down, the attacker's MAC answers for the virtual IP and all traffic for the default gateway is sent to a black hole (the attacker does not forward it). As long as the forged hellos keep coming within the hold time, the real routers never come back.
Figure : the same HSRP group (Router A, Router B, Router C, virtual IP 192.168.0.7 / virtual MAC 0000.0C07.AC01) between Network A and Network B ; the attacker is now the active virtual router.
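An added example (not from the original slides) of the HSRPv1 packets behind the two slides above: it builds the hello a legitimate active router sends and the forged priority-255 hello just described, shows what a sniffer reads from them (the clear-text authentication string included), and applies the election rule of RFC 2281 that makes the real active router step down. The group number, the router address 192.168.0.2 and the attacker address 192.168.0.66 are made up; the virtual IP 192.168.0.7 is the one on the slide. Nothing is sent on the wire.

```python
"""HSRPv1 hellos and the takeover the slides describe (RFC 2281). Added example, not from
the original deck: nothing is sent; group number, router and attacker addresses are made up."""
import struct
from ipaddress import IPv4Address

HSRP_VERSION, OP_HELLO, OP_COUP, OP_RESIGN = 0, 0, 1, 2
STATE_ACTIVE, STATE_STANDBY = 16, 8
STATE_NAMES = {0: "Initial", 1: "Learn", 2: "Listen", 4: "Speak", 8: "Standby", 16: "Active"}
HSRP_UDP_PORT, HSRP_V1_MULTICAST = 1985, "224.0.0.2"
DEFAULT_AUTH = b"cisco"                       # what routers use when no authentication is configured
HSRP_FORMAT = "!BBBBBBBB8s4s"                 # 20 bytes, RFC 2281 section 5.1


def virtual_mac(group: int) -> str:
    """HSRPv1 virtual MAC 0000.0c07.acXX, XX = group number (the slide's 0000.0C07.AC01 is group 1)."""
    return "0000.0c07.ac%02x" % group


def build_hello(state, priority, group, virtual_ip, auth=DEFAULT_AUTH, hellotime=3, holdtime=10):
    """Version, opcode, state, hellotime, holdtime, priority, group, reserved, 8 bytes of
    clear-text authentication data, virtual IP address."""
    return struct.pack(HSRP_FORMAT, HSRP_VERSION, OP_HELLO, state, hellotime, holdtime,
                       priority, group, 0, auth.ljust(8, b"\x00"), IPv4Address(virtual_ip).packed)


def parse_hello(packet: bytes) -> dict:
    """What a sniffer on the segment reads from every hello, password included."""
    f = struct.unpack(HSRP_FORMAT, packet[:20])
    return {"version": f[0], "opcode": f[1], "state": STATE_NAMES.get(f[2], "?"),
            "hellotime": f[3], "holdtime": f[4], "priority": f[5], "group": f[6],
            "auth": f[8].rstrip(b"\x00").decode("ascii", "replace"),
            "virtual_ip": str(IPv4Address(f[9]))}


def active_router_reaction(me: dict, hello: dict, sender_ip: str) -> str:
    """Decision of the current Active router on a received hello (RFC 2281, 6.4.3): a hello
    that claims the Active state with a higher (priority, IP) pair makes it drop to Speak.
    No preemption setting is involved, which is why the forged hello works."""
    if hello["group"] != me["group"]:
        return "ignore: other group"
    if hello["auth"] != me["auth"]:
        return "ignore: bad authentication"
    sender = (hello["priority"], int(IPv4Address(sender_ip)))
    mine = (me["priority"], int(IPv4Address(me["ip"])))
    if hello["state"] == "Active" and sender > mine:
        return "step down to Speak: sender wins the election"
    return "stay Active"


def takeover_works(active: dict, forged: bytes, attacker_ip: str) -> bool:
    """True if the Active router would hand the virtual IP/MAC to the sender of 'forged'."""
    return active_router_reaction(active, parse_hello(forged), attacker_ip).startswith("step down")


# Constructed group 1: Router B is Active with priority 110 for the virtual IP 192.168.0.7.
ROUTER_B = {"ip": "192.168.0.2", "priority": 110, "group": 1, "auth": "cisco"}
LEGIT_HELLO = build_hello(STATE_ACTIVE, 110, 1, "192.168.0.7")
# The attack of the slide: state Active, priority 255, same group, same auth, same virtual IP.
FORGED_HELLO = build_hello(STATE_ACTIVE, 255, 1, "192.168.0.7")
ATTACKER_IP = "192.168.0.66"

if __name__ == "__main__":
    print("sniffed:", parse_hello(LEGIT_HELLO))
    print("forged :", parse_hello(FORGED_HELLO))
    print("Router B:", active_router_reaction(ROUTER_B, parse_hello(FORGED_HELLO), ATTACKER_IP))
    print("traffic for 192.168.0.7 now goes to MAC", virtual_mac(1), "claimed by", ATTACKER_IP)
```

The `active_router_reaction` function is also the mitigation check in miniature: the only branch that stops the forged hello is the authentication comparison, and with the clear-text scheme the attacker reads the right value off the wire, so only the MD5 key chain of the mitigation slide makes that branch effective.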
Hot Standby Router Protocol (HSRP) - Attacks (continued)
 Man-in-the-middle attack : the same takeover, but the attacker forwards the traffic on to one of the legitimate routers of the group instead of dropping it. Connectivity is preserved, nobody notices, and the attacker can intercept, listen to and modify all unprotected data going through the default gateway.
Figure : HSRP group of Router A, Router B and Router C (virtual IP 192.168.0.7 / virtual MAC 0000.0C07.AC01) ; the attacker is the active virtual router and relays the hosts' traffic to the real routers.
Hot Standby Router Protocol (HSRP) - Mitigation
 The ways to mitigate these attacks rely on preventing :
  Forging valid authentication data. If the attacker is unable to present the correct credentials, all the other routers reject his packets. The clear-text password cannot achieve this, since it travels in every hello ; a keyed MD5 digest can.
  Sending HSRP packets. The network infrastructure blocks all HSRP packets (UDP port 1985 to 224.0.0.2) except those sent by authorized HSRP routers, e.g. with an ACL on the access ports.
 How to protect us from these attacks ? Okay ... but how ?!
 Using strong authentication : an MD5 key chain to authenticate HSRP messages (standby <group> authentication md5 key-chain <name> on every router of the group). Note that MD5 authentication protects the origin and integrity of the hellos, not their confidentiality : the group number, priorities and router addresses are still readable by anyone on the segment.
Other Attacks
VTP (VLAN Trunking Protocol) : this protocol gives an attacker the ability to add and remove VLANs from the whole switched domain. VTP updates are only accepted on trunk ports and only if the domain name (and password, if any) match ; a forged summary advertisement with a higher configuration revision number than the current one is then accepted by every switch of the domain, so one packet can delete every VLAN.
DTP (Dynamic Trunking Protocol) : if a switch port has been configured to send and/or listen to DTP advertisements (the default "dynamic auto" or "dynamic desirable" mode of Catalyst access ports), a hacker can easily coerce the port into becoming a trunk by sending DTP frames, and then reach every VLAN carried on that trunk with 802.1Q tags.
DHCP (Dynamic Host Configuration Protocol) : hijacking traffic using a rogue DHCP server
Figure : on a segment with a DNS server, a DHCP server and a file server, the client broadcasts DHCP requests for an IP address, a gateway and a DNS server ("Hi, may I please have IP, gateway & DNS addresses ?"). The attacker (10.50.72.66) answers before the legitimate DHCP server with fraudulent information : IP in 10.50.72.0/24, gateway 10.50.72.66, DNS 10.50.72.66, i.e. his own computer as gateway and DNS server, so all packets from the client pass through his machine.
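An added example (not from the original slides) of what DHCP snooping checks, done on the host side: it decodes DHCP OFFER packets (RFC 2131 header, RFC 2132 options) and reports any offer whose server identifier, router or DNS option does not match the servers the network is supposed to have. Both offers are constructed; the trusted server 10.50.72.10 and the gateway 10.50.72.1 are assumptions, the attacker address 10.50.72.66 comes from the slide.

```python
"""Rogue DHCP OFFER detection, the host-side view of DHCP snooping (added example, not from
the original deck). Offers are constructed; trusted server/gateway values are assumptions."""
import struct
from ipaddress import IPv4Address

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_SUBNET, OPT_ROUTER, OPT_DNS, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 0, 1, 3, 6, 53, 54, 255
BOOTREPLY, MSG_OFFER = 2, 2
BOOTP_HEADER = "!BBBBIHH4s4s4s4s16s64s128s"   # 236 bytes, RFC 2131 figure 1

# Hypothetical legitimate servers of the 10.50.72.0/24 network (DHCP snooping on the switch
# would instead trust only the port these answers are allowed to arrive on).
TRUSTED_DHCP_SERVERS = {"10.50.72.10"}
EXPECTED_GATEWAY, EXPECTED_DNS = "10.50.72.1", "10.50.72.10"


def ip_option(code: int, address: str) -> bytes:
    return bytes([code, 4]) + IPv4Address(address).packed


def build_offer(yiaddr, server_ip, router, dns, xid=0x3903F326, chaddr=b"\x00\x0c\x29\x00\x00\x01"):
    """Minimal DHCP OFFER: BOOTP header, magic cookie, options 53/54/1/3/6 and end."""
    header = struct.pack(BOOTP_HEADER, BOOTREPLY, 1, 6, 0, xid, 0, 0,
                         b"\x00" * 4, IPv4Address(yiaddr).packed,        # ciaddr, yiaddr (offered)
                         IPv4Address(server_ip).packed, b"\x00" * 4,     # siaddr, giaddr
                         chaddr.ljust(16, b"\x00"), b"\x00" * 64, b"\x00" * 128)
    options = (bytes([OPT_MSG_TYPE, 1, MSG_OFFER]) + ip_option(OPT_SERVER_ID, server_ip)
               + ip_option(OPT_SUBNET, "255.255.255.0") + ip_option(OPT_ROUTER, router)
               + ip_option(OPT_DNS, dns) + bytes([OPT_END]))
    return header + MAGIC_COOKIE + options


def parse_offer(packet: bytes) -> dict:
    """Decode the fields a client acts on: offered address, server, router, DNS."""
    if packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet (magic cookie missing)")
    op, hlen = packet[0], packet[2]
    opts, i = {}, 240
    while i < len(packet) and packet[i] != OPT_END:
        if packet[i] == OPT_PAD:
            i += 1
            continue
        code, length = packet[i], packet[i + 1]
        opts[code] = packet[i + 2:i + 2 + length]
        i += 2 + length

    def ip_of(code):
        return str(IPv4Address(opts[code][:4])) if code in opts else None

    return {"op": op, "xid": struct.unpack("!I", packet[4:8])[0],
            "yiaddr": str(IPv4Address(packet[16:20])),
            "chaddr": ":".join("%02x" % b for b in packet[28:28 + hlen]),
            "msg_type": opts.get(OPT_MSG_TYPE, b"\x00")[0],
            "server_id": ip_of(OPT_SERVER_ID), "router": ip_of(OPT_ROUTER), "dns": ip_of(OPT_DNS)}


def classify_offer(packet: bytes) -> list:
    """Reasons an OFFER looks rogue; an empty list means it matches the expected servers."""
    o = parse_offer(packet)
    if o["op"] != BOOTREPLY or o["msg_type"] != MSG_OFFER:
        return ["not a DHCP OFFER"]
    reasons = []
    if o["server_id"] not in TRUSTED_DHCP_SERVERS:
        reasons.append("untrusted server identifier %s" % o["server_id"])
    if o["router"] != EXPECTED_GATEWAY:
        reasons.append("gateway changed to %s" % o["router"])
    if o["dns"] != EXPECTED_DNS:
        reasons.append("DNS changed to %s" % o["dns"])
    return reasons


# Constructed offers for the same client: the legitimate one, and the attacker's (10.50.72.66 as
# on the slide) handing out itself as gateway and DNS server.
LEGIT_OFFER = build_offer("10.50.72.101", "10.50.72.10", EXPECTED_GATEWAY, EXPECTED_DNS)
ROGUE_OFFER = build_offer("10.50.72.101", "10.50.72.66", "10.50.72.66", "10.50.72.66")

if __name__ == "__main__":
    for name, pkt in (("legit", LEGIT_OFFER), ("rogue", ROGUE_OFFER)):
        print(name, parse_offer(pkt)["server_id"], classify_offer(pkt) or "OK")
```

The client has no way to prefer the legitimate offer on its own (it takes the first one that arrives, which is the whole point of the race), so this check is only useful as a monitoring probe or as a model of what the switch does; the real fix remains DHCP snooping with only the server-facing port marked trusted.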
Pentesting Layer 2 - Methodology
1. Sniffing : plug in and passively capture the layer 2 protocols talking on the segment (CDP, VTP, HSRP, DHCP ...) before sending anything.
2. DHCP enabled ?
   No : analyze the CDP packets (management addresses, native VLAN) and pick your own IP address in the right range.
   Yes : take a lease and record the DHCP information (server, gateway, DNS).
3. Reconnaissance attacks : CDP packet analysis (platform, software version, VLANs), HSRP packets (group, priorities, authentication data, which router is active), DHCP information.
4. Hijacking attacks :
   HSRP : become the active router (MiTM on the default gateway)
   DHCP : introduce a rogue DHCP server (MiTM, DNS hijacking)
   DTP : DTP protocol analysis, then enable trunking mode on your port to reach the other VLANs
5. Sniff the network traffic of the top layers that now passes through you.
Conclusion
 According to our last pen test missions, 95 % of these attacks are successful, which proves that layer 2 security is still ignored by most companies
 In general we recommend :
  Managing switches in as secure a manner as possible (SSH, permit lists, etc.)
  Using a dedicated VLAN ID, used by nothing else, as the native VLAN of all trunk ports. Be paranoid : do not use VLAN 1 for anything.
  Setting user ports to a non-trunking state (switchport mode access, switchport nonegotiate) so that DTP cannot turn them into trunks.
  Deploying port security whenever possible on user ports.
  Using private VLANs where appropriate to further divide L2 networks.
  Disabling all unused ports and putting them in an unused VLAN.
  Disabling CDP whenever possible (no cdp enable on access ports).
  Ensuring DHCP attack prevention (DHCP snooping, with only the uplink and server ports trusted).
  Authenticating HSRP with an MD5 key chain and filtering HSRP on access ports.
REFERENCES
 LAN Switch Security: What Hackers Know About Your Switches, Eric Vyncke and Christopher Paggen, Cisco Press
 Yersinia, a framework for layer 2 attacks, David Barroso Berrueta and Alfredo Andrés Omella, Black Hat

More Related Content

What's hot

Three Ways Kamailio Can Help Your FreeSWITCH Deployment
Three Ways Kamailio Can Help Your FreeSWITCH DeploymentThree Ways Kamailio Can Help Your FreeSWITCH Deployment
Three Ways Kamailio Can Help Your FreeSWITCH DeploymentFred Posner
 
What is IANA?
What is IANA?What is IANA?
What is IANA?ICANN
 
CCNA Course Training Presentation
CCNA Course Training PresentationCCNA Course Training Presentation
CCNA Course Training PresentationRohit Singh
 
A very good introduction to IPv6
A very good introduction to IPv6A very good introduction to IPv6
A very good introduction to IPv6Syed Arshad
 
IP Addressing and Subnetting
IP Addressing and SubnettingIP Addressing and Subnetting
IP Addressing and SubnettingAtakan ATAK
 
IP Address - IPv4 & IPv6
IP Address - IPv4 & IPv6IP Address - IPv4 & IPv6
IP Address - IPv4 & IPv6Adeel Rasheed
 
Module 2 Foot Printing
Module 2   Foot PrintingModule 2   Foot Printing
Module 2 Foot Printingleminhvuong
 
Cyber security awareness for students
Cyber security awareness for studentsCyber security awareness for students
Cyber security awareness for studentsKandarp Shah
 
JDD 2017: Nginx + Lua = OpenResty (Marcin Stożek)
JDD 2017: Nginx + Lua = OpenResty (Marcin Stożek)JDD 2017: Nginx + Lua = OpenResty (Marcin Stożek)
JDD 2017: Nginx + Lua = OpenResty (Marcin Stożek)PROIDEA
 
Recon and Bug Bounties - What a great love story!
Recon and Bug Bounties - What a great love story!Recon and Bug Bounties - What a great love story!
Recon and Bug Bounties - What a great love story!Abhijeth D
 
cyber terrorism
cyber terrorismcyber terrorism
cyber terrorismAccenture
 
DNS server config on cisco packet tracer
DNS server config on cisco packet tracerDNS server config on cisco packet tracer
DNS server config on cisco packet tracerArjun Das
 

What's hot (20)

I P S P O O F I N G
I P  S P O O F I N GI P  S P O O F I N G
I P S P O O F I N G
 
6 STM32's USART.ppt
6 STM32's USART.ppt6 STM32's USART.ppt
6 STM32's USART.ppt
 
Three Ways Kamailio Can Help Your FreeSWITCH Deployment
Three Ways Kamailio Can Help Your FreeSWITCH DeploymentThree Ways Kamailio Can Help Your FreeSWITCH Deployment
Three Ways Kamailio Can Help Your FreeSWITCH Deployment
 
What is IANA?
What is IANA?What is IANA?
What is IANA?
 
CCNA Course Training Presentation
CCNA Course Training PresentationCCNA Course Training Presentation
CCNA Course Training Presentation
 
A very good introduction to IPv6
A very good introduction to IPv6A very good introduction to IPv6
A very good introduction to IPv6
 
Assignment 1 iap
Assignment 1 iapAssignment 1 iap
Assignment 1 iap
 
Np unit2
Np unit2Np unit2
Np unit2
 
IP Addressing and Subnetting
IP Addressing and SubnettingIP Addressing and Subnetting
IP Addressing and Subnetting
 
IP Address - IPv4 & IPv6
IP Address - IPv4 & IPv6IP Address - IPv4 & IPv6
IP Address - IPv4 & IPv6
 
Module 2 Foot Printing
Module 2   Foot PrintingModule 2   Foot Printing
Module 2 Foot Printing
 
SSH - Secure Shell
SSH - Secure ShellSSH - Secure Shell
SSH - Secure Shell
 
Mikrotik Tutorial
Mikrotik TutorialMikrotik Tutorial
Mikrotik Tutorial
 
Cyber security awareness for students
Cyber security awareness for studentsCyber security awareness for students
Cyber security awareness for students
 
JDD 2017: Nginx + Lua = OpenResty (Marcin Stożek)
JDD 2017: Nginx + Lua = OpenResty (Marcin Stożek)JDD 2017: Nginx + Lua = OpenResty (Marcin Stożek)
JDD 2017: Nginx + Lua = OpenResty (Marcin Stożek)
 
Recon and Bug Bounties - What a great love story!
Recon and Bug Bounties - What a great love story!Recon and Bug Bounties - What a great love story!
Recon and Bug Bounties - What a great love story!
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hacking
 
Nmap tutorial
Nmap tutorialNmap tutorial
Nmap tutorial
 
cyber terrorism
cyber terrorismcyber terrorism
cyber terrorism
 
DNS server config on cisco packet tracer
DNS server config on cisco packet tracerDNS server config on cisco packet tracer
DNS server config on cisco packet tracer
 

Viewers also liked

Switch and Router Security Testing
Switch and Router Security TestingSwitch and Router Security Testing
Switch and Router Security TestingConferencias FIST
 
Protocol Security Testing best practice
Protocol Security Testing best practiceProtocol Security Testing best practice
Protocol Security Testing best practicegaoliang641
 
Router and Routing Protocol Attacks
Router and Routing Protocol AttacksRouter and Routing Protocol Attacks
Router and Routing Protocol AttacksConferencias FIST
 
Network Virtualization using Shortest Path Bridging
Network Virtualization using Shortest Path Bridging Network Virtualization using Shortest Path Bridging
Network Virtualization using Shortest Path Bridging Motty Ben Atia
 
LAN Extension and Network Virtualization for Cloud Computing using Layer 3 Pr...
LAN Extension and Network Virtualization for Cloud Computing using Layer 3 Pr...LAN Extension and Network Virtualization for Cloud Computing using Layer 3 Pr...
LAN Extension and Network Virtualization for Cloud Computing using Layer 3 Pr...rjain51
 
Ch 18 intro to network layer - section 3
Ch 18   intro to network layer - section 3Ch 18   intro to network layer - section 3
Ch 18 intro to network layer - section 3Hossam El-Deen Osama
 
Ch 19 Network-layer protocols - section 2
Ch 19   Network-layer protocols - section 2Ch 19   Network-layer protocols - section 2
Ch 19 Network-layer protocols - section 2Hossam El-Deen Osama
 
Ch 18 intro to network layer - section 4
Ch 18   intro to network layer - section 4Ch 18   intro to network layer - section 4
Ch 18 intro to network layer - section 4Hossam El-Deen Osama
 
Ch 18 intro to network layer - section 1
Ch 18   intro to network layer - section 1Ch 18   intro to network layer - section 1
Ch 18 intro to network layer - section 1Hossam El-Deen Osama
 
IEEE 802 Standard for Computer Networks
IEEE 802 Standard for Computer NetworksIEEE 802 Standard for Computer Networks
IEEE 802 Standard for Computer NetworksPradeep Kumar TS
 

Viewers also liked (15)

Switch and Router Security Testing
Switch and Router Security TestingSwitch and Router Security Testing
Switch and Router Security Testing
 
Protocol Security Testing best practice
Protocol Security Testing best practiceProtocol Security Testing best practice
Protocol Security Testing best practice
 
Chapter 3 v6.0
Chapter 3 v6.0Chapter 3 v6.0
Chapter 3 v6.0
 
Router and Routing Protocol Attacks
Router and Routing Protocol AttacksRouter and Routing Protocol Attacks
Router and Routing Protocol Attacks
 
IEEE 802.1 x
IEEE 802.1 xIEEE 802.1 x
IEEE 802.1 x
 
Network Virtualization using Shortest Path Bridging
Network Virtualization using Shortest Path Bridging Network Virtualization using Shortest Path Bridging
Network Virtualization using Shortest Path Bridging
 
Network Forensics
Network ForensicsNetwork Forensics
Network Forensics
 
LAN Extension and Network Virtualization for Cloud Computing using Layer 3 Pr...
LAN Extension and Network Virtualization for Cloud Computing using Layer 3 Pr...LAN Extension and Network Virtualization for Cloud Computing using Layer 3 Pr...
LAN Extension and Network Virtualization for Cloud Computing using Layer 3 Pr...
 
Ch 18 intro to network layer - section 3
Ch 18   intro to network layer - section 3Ch 18   intro to network layer - section 3
Ch 18 intro to network layer - section 3
 
Ch 19 Network-layer protocols - section 2
Ch 19   Network-layer protocols - section 2Ch 19   Network-layer protocols - section 2
Ch 19 Network-layer protocols - section 2
 
Ch 18 intro to network layer - section 4
Ch 18   intro to network layer - section 4Ch 18   intro to network layer - section 4
Ch 18 intro to network layer - section 4
 
Ch 18 intro to network layer - section 1
Ch 18   intro to network layer - section 1Ch 18   intro to network layer - section 1
Ch 18 intro to network layer - section 1
 
Datalinklayer tanenbaum
Datalinklayer tanenbaumDatalinklayer tanenbaum
Datalinklayer tanenbaum
 
IEEE 802 standards
IEEE 802 standardsIEEE 802 standards
IEEE 802 standards
 
IEEE 802 Standard for Computer Networks
IEEE 802 Standard for Computer NetworksIEEE 802 Standard for Computer Networks
IEEE 802 Standard for Computer Networks
 

Similar to Pentesting layer 2 protocols

Your app lives on the network - networking for web developers
Your app lives on the network - networking for web developersYour app lives on the network - networking for web developers
Your app lives on the network - networking for web developersWim Godden
 
Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...
Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...
Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...idsecconf
 
Mitigating Layer2 Attacks
Mitigating Layer2 AttacksMitigating Layer2 Attacks
Mitigating Layer2 Attacksdkaya
 
CEH v9 cheat sheet notes Certified Ethical Hacker
CEH v9 cheat sheet notes  Certified Ethical HackerCEH v9 cheat sheet notes  Certified Ethical Hacker
CEH v9 cheat sheet notes Certified Ethical HackerDavid Sweigert
 
Attacks and their mitigations
Attacks and their mitigationsAttacks and their mitigations
Attacks and their mitigationsMukesh Chaudhari
 
Your app lives on the network - networking for web developers
Your app lives on the network - networking for web developersYour app lives on the network - networking for web developers
Your app lives on the network - networking for web developersWim Godden
 
Certified Ethical Hacker quick test prep cheat sheet
Certified Ethical Hacker quick test prep cheat sheetCertified Ethical Hacker quick test prep cheat sheet
Certified Ethical Hacker quick test prep cheat sheetDavid Sweigert
 
Ipv6 Security with Mikrotik RouterOS by Wardner Maia
Ipv6 Security with Mikrotik RouterOS by Wardner MaiaIpv6 Security with Mikrotik RouterOS by Wardner Maia
Ipv6 Security with Mikrotik RouterOS by Wardner MaiaWardner Maia
 
Ccna 1 chapter 9 v4.0 answers 2011
Ccna 1 chapter 9 v4.0 answers 2011Ccna 1 chapter 9 v4.0 answers 2011
Ccna 1 chapter 9 v4.0 answers 2011Dân Chơi
 
Modul 2 - Footprinting Scanning Enumeration.ppt
Modul 2 - Footprinting Scanning Enumeration.pptModul 2 - Footprinting Scanning Enumeration.ppt
Modul 2 - Footprinting Scanning Enumeration.pptcemporku
 
modul2-footprintingscanningenumeration.pdf
modul2-footprintingscanningenumeration.pdfmodul2-footprintingscanningenumeration.pdf
modul2-footprintingscanningenumeration.pdftehkotak4
 
Chapter6ccna
Chapter6ccnaChapter6ccna
Chapter6ccnarobertoxe
 

Similar to Pentesting layer 2 protocols (20)

Hacking Cisco
Hacking CiscoHacking Cisco
Hacking Cisco
 
6.Routing
6.Routing6.Routing
6.Routing
 
Your app lives on the network - networking for web developers
Your app lives on the network - networking for web developersYour app lives on the network - networking for web developers
Your app lives on the network - networking for web developers
 
Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...
Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...
Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...
 
Practice
PracticePractice
Practice
 
Mitigating Layer2 Attacks
Mitigating Layer2 AttacksMitigating Layer2 Attacks
Mitigating Layer2 Attacks
 
6005679.ppt
6005679.ppt6005679.ppt
6005679.ppt
 
CEH v9 cheat sheet notes Certified Ethical Hacker
CEH v9 cheat sheet notes  Certified Ethical HackerCEH v9 cheat sheet notes  Certified Ethical Hacker
CEH v9 cheat sheet notes Certified Ethical Hacker
 
Tcp
TcpTcp
Tcp
 
Attacks and their mitigations
Attacks and their mitigationsAttacks and their mitigations
Attacks and their mitigations
 
Your app lives on the network - networking for web developers
Your app lives on the network - networking for web developersYour app lives on the network - networking for web developers
Your app lives on the network - networking for web developers
 
Certified Ethical Hacker quick test prep cheat sheet
Certified Ethical Hacker quick test prep cheat sheetCertified Ethical Hacker quick test prep cheat sheet
Certified Ethical Hacker quick test prep cheat sheet
 
Fedv6tf-fhs
Fedv6tf-fhsFedv6tf-fhs
Fedv6tf-fhs
 
Ipv6 Security with Mikrotik RouterOS by Wardner Maia
Ipv6 Security with Mikrotik RouterOS by Wardner MaiaIpv6 Security with Mikrotik RouterOS by Wardner Maia
Ipv6 Security with Mikrotik RouterOS by Wardner Maia
 
Linux router
Linux routerLinux router
Linux router
 
Ccna 1 chapter 9 v4.0 answers 2011
Ccna 1 chapter 9 v4.0 answers 2011Ccna 1 chapter 9 v4.0 answers 2011
Ccna 1 chapter 9 v4.0 answers 2011
 
Modul 2 - Footprinting Scanning Enumeration.ppt
Modul 2 - Footprinting Scanning Enumeration.pptModul 2 - Footprinting Scanning Enumeration.ppt
Modul 2 - Footprinting Scanning Enumeration.ppt
 
modul2-footprintingscanningenumeration.pdf
modul2-footprintingscanningenumeration.pdfmodul2-footprintingscanningenumeration.pdf
modul2-footprintingscanningenumeration.pdf
 
Chapter6ccna
Chapter6ccnaChapter6ccna
Chapter6ccna
 
Chapter6ccna
Chapter6ccnaChapter6ccna
Chapter6ccna
 

Recently uploaded

Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAndikSusilo4
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphNeo4j
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 

Recently uploaded (20)

Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & Application
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 

Pentesting layer 2 protocols

  • 1. PENTESTING LAYER 2 PROTOCOLS. By Temmar Abdessamad, temmar.abdessamad@gmail.com
  • 2. Outline: 1 Why Worry About Layer 2 Security? 2 Playing with Layer 2 protocols; 3 Pentesting Layer 2 methodology; 4 Conclusion
  • 3. Why Worry About Layer 2 Security?
    [Figure: two OSI stacks (Application, Presentation, Session, Transport, Network, Data Link, Physical) joined by physical links, MAC addresses and IP addresses; an initial compromise at the Data Link layer leaves the application stream above it (POP3, IMAP, IM, SSL, SSH ...) compromised]
    • The OSI model was built to allow different layers to work without the knowledge of each other
    • Unfortunately this means if one layer is hacked, communications are compromised without the other layers being aware of the problem
    • When it comes to networking ... layer 2 can be a very weak link!
    • Security is only as strong as the weakest link
  • 4. Outline (section 2: Playing with Layer 2 protocols)
  • 5. LAYER 2: EQUIPMENT, PROTOCOLS & ATTACKS
    Protocols:
      CDP (Cisco Discovery Protocol)
      VTP (VLAN Trunking Protocol)
      DTP (Dynamic Trunking Protocol)
      HSRP (Hot Standby Router Protocol)
      DHCP (Dynamic Host Configuration Protocol)
    Attack categories:
      Reconnaissance attacks: an attacker tries to learn information about the target network (devices, protocols, topology ...);
      DoS attacks: the objective is to interrupt or suspend the network's normal service functions (routing, IP addressing);
      Hijacking attacks: hijack the network's traffic so the attacker is able to sniff/intercept sensitive data (MiTM);
      Bypass attacks: an attacker tries to bypass network restrictions in order to reach other VLANs;
      Topology attacks: the main objective is to take control of the target network and alter its topology.
  • 6. Cisco Discovery Protocol (CDP) - Presentation
     Cisco Discovery Protocol (CDP) is a Cisco proprietary protocol
     Allows Cisco devices to discover each other (IP address, software version, router model, etc.)
     How it works: each network entity broadcasts a CDP packet once per minute
     CDP does not run over IP: it runs directly over the data link layer.
  • 7. Cisco Discovery Protocol (CDP) - Vulnerabilities
     CDP is clear text and unauthenticated
     Information leak:
       Software version and hardware platform: a specific release with a well-known bug that's ready to be exploited.
       Auxiliary VLAN: an attacker can learn which VLAN is used by IP telephony
    [Figure: CDP advertisements reaching end users]
  • 8. Cisco Discovery Protocol (CDP) - Attacks
     CDP cache pollution: the CDP table becomes unusable because it contains a lot of false information
    [Figure: Network A]
    Switch> sh cdp neighbors
    Port     Device-ID        Port-ID              Platform
    -------- ---------------- -------------------- ------------
    2/16     2651e            FastEthernet0/1      cisco 2651
    2/21     inet3            FastEthernet0/0      cisco 2651
    2/36     r2-7206          Ethernet2/0.1        cisco 7206VXR
    2/47     00M55I1          Ethernet0            yersinia
    2/47     00N55I1          Ethernet0            yersinia
    2/47     00N66I1          Ethernet0            yersinia
  • 9. Cisco Discovery Protocol (CDP) - Mitigation
     Only enable CDP on ports to other network devices and uplinks, and disable it on access ports
     But CDP must remain enabled on ports to IP phones
     To turn off CDP:
    CatOS> (enable) set cdp disable <mod>/<port> | all
    IOS(config)#no cdp run
    IOS(config-if)#no cdp enable
  • 10. Hot Standby Router Protocol (HSRP) - Presentation
     It makes a group of adjacent routers appear as a single virtual router.
     Each physical router has its own MAC and IP addresses, but it shares one MAC and one IP address for the virtual router.
     Routers exchange HSRP messages to elect the active router. A standby router can become active when:
       It receives no more HSRP hello messages from the active router
       The active router explicitly wants to become standby
    [Figure: HSRP group of Router A (MAC from hardware), Router B (MAC 000.0C07.AC01) and Router C (MAC from hardware), all answering for IP 192.168.0.7; hosts have a default route to 192.168.0.8]
  • 11. Hot Standby Router Protocol (HSRP) - Vulnerabilities
     HSRP is clear text: HSRP commits a slight information leakage by advertising all the routers' IP addresses, authentication data ...
     There is a possibility for a standby router to immediately take over the role of the active router:
       Standby routers use their own MAC addresses as source MAC
       The active router uses the virtual MAC address
  • 12. Hot Standby Router Protocol (HSRP) - Attacks
     DoS attack: an attacker sends a fake HSRP packet where the priority is set to the maximum value 255, with the correct values for Authentication Data, Group and virtual IP address. All traffic is sent to a black hole.
    [Figure: HSRP group (Router A, Router B, Router C) between Network A and Network B; the active virtual router has IP 192.168.0.7 and MAC 000.0C07.AC01; hosts have a default route to 192.168.0.7]
  • 13. Hot Standby Router Protocol (HSRP) - Attacks
     Man-in-the-Middle attack: the attacker can intercept, listen to and modify unprotected data
    [Figure: same HSRP group; active virtual router IP 192.168.0.7, MAC 000.0C07.AC01; hosts have a default route to 192.168.0.8]
  • 14. Hot Standby Router Protocol (HSRP) - Mitigation
    How to protect us from these attacks?
     The ways to mitigate these attacks rely on preventing:
       Forging valid authentication data. If the attacker is unable to present the correct credentials, all other routers reject his packets.
       Sending HSRP packets. The network infrastructure blocks all HSRP packets except those sent by authorized HSRP routers.
    Okay ... but how?! Use strong authentication: an MD5 key chain to authenticate HSRP messages
  • 15. Other Attacks
    VTP (VLAN Trunking Protocol): this protocol gives an attacker the ability to add and remove VLANs from the network.
    DTP (Dynamic Trunking Protocol): if a switch port has been configured to send and/or listen to DTP advertisements, a hacker can easily coerce the port into becoming a trunk.
    DHCP (Dynamic Host Configuration Protocol): hijacking traffic using DHCP rogue servers
    [Figure: client, attacker (10.50.72.66), DNS server, DHCP server and file server on the same segment]
      Client: "Hi, may I please have IP, gateway & DNS addresses?" The client sends DHCP request packets for IP, DNS & gateway addresses.
      The attacker replies with fraudulent information (IP: 10.50.72.0/24, GW: 10.50.72.66, DNS: 10.50.72.66). This includes his own computer as the gateway, so all packets from clients pass through his server.
  • 16. Outline (section 3: Pentesting Layer 2 methodology)
  • 17. Pentesting Layer 2 - Methodology
    [Flowchart, read top to bottom]
    1. Sniffing (CDP, VTP, HSRP, DHCP ...)
    2. Reconnaissance attacks: CDP packet analysis. DHCP enabled? Yes -> collect DHCP information. No -> analyze CDP packets & pick your own IP address.
    3. Hijacking attacks:
       HSRP packets -> become the active router -> MiTM
       DHCP -> introduce a rogue DHCP server -> DNS hijacking
       DTP protocol analysis -> enable trunking mode -> sniff network traffic of the upper layers
  • 18. Outline (section 4: Conclusion)
  • 19. Conclusion
     According to our last pen test missions, 95 % of these attacks are successful, which proves that layer 2 security is always ignored by companies
     In general we recommend:
       Managing switches in as secure a manner as possible (SSH, permit lists, etc.)
       Using a dedicated VLAN ID for all trunk ports. Be paranoid: do not use VLAN 1 for anything.
       Setting user ports to a non-trunking state.
       Deploying port security whenever possible for user ports.
       Using private VLANs where appropriate to further divide L2 networks.
       Disabling all unused ports and putting them in an unused VLAN.
       Disabling CDP whenever possible
       Ensuring DHCP attack prevention (DHCP snooping)
  • 20. REFERENCES
    Eric Vyncke, Christopher Paggen. LAN Switch Security: What Hackers Know About Your Switches.
    Andres Berrueta. Yersinia, a framework for layer 2 attacks. Black Hat.
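Added example (not from the slides): a parser for HSRPv1 hello packets (RFC 2281 layout) with a check that flags the priority-255 takeover described on slide 12, a hello claiming Active without the virtual MAC (slide 11), the default "cisco" authentication string, and any source MAC that is not an authorized router. The physical router MACs and the sample packets are constructed.

```python
import socket
import struct
from collections import namedtuple

# RFC 2281 HSRPv1 header (20 bytes): version, opcode, state, hellotime,
# holdtime, priority, group, reserved, 8-byte auth data, 4-byte virtual IP.
HSRP_V1 = "!BBBBBBBB8s4s"
OP_HELLO, STATE_STANDBY, STATE_ACTIVE = 0, 8, 16
Hello = namedtuple("Hello", "src_mac state priority group auth virtual_ip")

def virtual_mac(group):
    """HSRPv1 virtual MAC is 0000.0c07.acXX with XX = the group number."""
    return f"00:00:0c:07:ac:{group:02x}"

def build_hello(src_mac, state, priority, group, auth, vip):
    """Constructed hello payload (rides in UDP/1985 to 224.0.0.2 on the wire)."""
    payload = struct.pack(HSRP_V1, 0, OP_HELLO, state, 3, 10, priority, group, 0,
                          auth.encode().ljust(8, b"\0"), socket.inet_aton(vip))
    return src_mac, payload

def parse_hello(src_mac, payload):
    """Decode a hello; the Ethernet source MAC is passed in by the capture layer."""
    ver, op, state, _, _, prio, group, _, auth, vip = struct.unpack(HSRP_V1, payload[:20])
    if ver != 0 or op != OP_HELLO:
        raise ValueError("not an HSRPv1 hello")
    return Hello(src_mac, state, prio, group,
                 auth.rstrip(b"\0").decode("ascii", "replace"), socket.inet_ntoa(vip))

def check_hello(hello, router_macs):
    """Reasons a hello should be investigated ([] when it looks legitimate)."""
    reasons = []
    if hello.priority == 255:
        reasons.append("priority 255 (maximum): forces an election win")
    if hello.auth == "cisco":
        reasons.append("default authentication string 'cisco'")
    vmac = virtual_mac(hello.group)
    if hello.src_mac != vmac and hello.src_mac not in router_macs:
        reasons.append(f"source MAC {hello.src_mac} is not an authorized router")
    if hello.state == STATE_ACTIVE and hello.src_mac != vmac:
        reasons.append("claims Active but does not use the virtual MAC")
    return reasons

# Constructed samples for group 1 / virtual IP 192.168.0.7 from the slides;
# the physical router MACs are assumed.
ROUTER_MACS = {"00:11:22:aa:bb:01", "00:11:22:aa:bb:02"}
ACTIVE = build_hello(virtual_mac(1), STATE_ACTIVE, 100, 1, "s3cret", "192.168.0.7")
STANDBY = build_hello("00:11:22:aa:bb:02", STATE_STANDBY, 90, 1, "s3cret", "192.168.0.7")
ROGUE = build_hello("de:ad:be:ef:00:01", STATE_ACTIVE, 255, 1, "s3cret", "192.168.0.7")
```

Note that the rogue hello carries the correct authentication data, exactly the case slide 12 describes, so the source-MAC allowlist and the priority check are what catch it.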
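Added example (not from the slides): detection logic for the rogue DHCP server of slide 15, which decodes DHCPOFFER options and flags offers from an untrusted server identifier or ones that rewrite the gateway or DNS. The legitimate server address 10.50.72.1 and both sample offers are constructed; 10.50.72.66 is the attacker address from the slide.

```python
import socket
import struct
MAGIC = b"\x63\x82\x53\x63"    # DHCP magic cookie after the 236-byte BOOTP header
OPT_ROUTER, OPT_DNS, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 3, 6, 53, 54, 255
DHCPOFFER = 2

def build_offer(xid, yiaddr, server, router, dns):
    """Constructed DHCPOFFER (BOOTREPLY) carrying the options a rogue server abuses."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 2, 1, 6, 0, xid, 0, 0,
                         b"\0" * 4, socket.inet_aton(yiaddr), socket.inet_aton(server),
                         b"\0" * 4, b"\0" * 16, b"\0" * 64, b"\0" * 128)
    options = bytes([OPT_MSG_TYPE, 1, DHCPOFFER])
    for code, ip in ((OPT_SERVER_ID, server), (OPT_ROUTER, router), (OPT_DNS, dns)):
        options += bytes([code, 4]) + socket.inet_aton(ip)
    return header + MAGIC + options + bytes([OPT_END])

def parse_options(pkt):
    """Return {option code: raw value} from the option area of a DHCP packet."""
    if pkt[236:240] != MAGIC:
        raise ValueError("not a DHCP packet")
    i, options = 240, {}
    while i < len(pkt) and pkt[i] != OPT_END:
        if pkt[i] == 0:              # pad option: single byte, no length
            i += 1
            continue
        code, length = pkt[i], pkt[i + 1]
        options[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return options

def check_offer(pkt, trusted_servers, expected_gw, expected_dns):
    """Reasons a DHCPOFFER looks rogue ([] if clean); other message types are ignored."""
    options = parse_options(pkt)
    if options.get(OPT_MSG_TYPE) != bytes([DHCPOFFER]):
        return []
    ip = lambda code: socket.inet_ntoa(options[code][:4])
    reasons = []
    if ip(OPT_SERVER_ID) not in trusted_servers:
        reasons.append(f"untrusted server {ip(OPT_SERVER_ID)}")
    if OPT_ROUTER in options and ip(OPT_ROUTER) != expected_gw:
        reasons.append(f"gateway changed to {ip(OPT_ROUTER)}")
    if OPT_DNS in options and ip(OPT_DNS) != expected_dns:
        reasons.append(f"DNS changed to {ip(OPT_DNS)}")
    return reasons

# Constructed samples: an offer from the assumed legitimate server 10.50.72.1 and the
# attacker's offer from 10.50.72.66 naming itself as gateway and DNS (slide 15).
TRUSTED = {"10.50.72.1"}
LEGIT_OFFER = build_offer(0x1234, "10.50.72.50", "10.50.72.1", "10.50.72.1", "10.50.72.1")
ROGUE_OFFER = build_offer(0x1234, "10.50.72.50", "10.50.72.66", "10.50.72.66", "10.50.72.66")
```

The same server-identifier allowlist is what DHCP snooping enforces on the switch by only accepting offers on trusted ports.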

Editor's Notes

  1. Because CDP is mainly interesting to use between network devices and not toward end-user hosts, the best way to prevent both the DoS attacks and information leaks is to only enable CDP on ports to other network devices and uplinks while disabling it to access ports. Because of the low level of risk and the benefits of CDP in IP phone deployment, as well as for network operation and troubleshooting, it is better to leave CDP enabled on all ports. Of course, the best option is to only configure CDP on ports where it is required (such as those with an IP phone) to reduce risk exposure.