Pentesting layer 2 protocols

By Temmar Abdessamad
[email protected]

Outline

1 Why Worry About Layer 2 Security ?
2 Playing with Layer 2 protocols
3 Pentesting Layer 2 methodology
4 Conclusion

Why Worry About Layer 2 Security ?

[Figure: the seven OSI layers (Application, Presentation, Session, Transport, Network, Data Link, Physical) on Host A and Host B, joined by physical links, MAC addresses and IP addresses, with the application stream (POP3, IMAP, IMSSL, SSH ...) on top; an initial compromise at one layer leaves the whole stream compromised.]

• The OSI model was built to allow different layers to work without the knowledge of each other
• Unfortunately this means that if one layer is hacked, communications are compromised without the other layers being aware of the problem
• When it comes to networking ... layer 2 can be a very weak link !
• Security is only as strong as the weakest link


LAYER 2 : EQUIPMENT, PROTOCOLS & ATTACKS

Protocols
• CDP (Cisco Discovery Protocol)
• VTP (VLAN Trunking Protocol)
• DTP (Dynamic Trunking Protocol)
• HSRP (Hot Standby Router Protocol)
• DHCP (Dynamic Host Configuration Protocol)

Attack categories
• Reconnaissance attacks : an attacker tries to learn information about the target network (devices, protocols, topology ...) ;
• DoS attacks : the objective is to interrupt or suspend the network's normal service functions (routing, IP addressing) ;
• Hijacking attacks : hijack the network's traffic so that the attacker is able to sniff/intercept sensitive data (MiTM) ;
• Bypass attacks : an attacker tries to bypass network restrictions in order to reach other VLANs ;
• Topology attacks : the main objective is to take control of the target network and alter its topology.

Cisco Discovery Protocol (CDP) - Presentation

• Cisco Discovery Protocol (CDP) is a Cisco proprietary protocol
• Allows Cisco devices to discover each other (IP address, software version, router model, etc.)
• How it works : each network entity broadcasts a CDP packet once per minute
• CDP does not run over IP : it runs directly over the data link layer.

Cisco Discovery Protocol (CDP) - Vulnerabilities

• CDP is clear text and unauthenticated
• Information leak :
  • Software version and hardware platform : an attacker can identify a specific release with a well-known bug that's ready to be exploited.
  • Auxiliary VLAN : an attacker can learn which VLAN is used by IP telephony

Cisco Discovery Protocol (CDP) - Attacks

• CDP cache pollution - the CDP table becomes unusable because it contains a lot of false information

    Switch> sh cdp neighbors
    Port   Device-ID   Port-ID            Platform
    ------ ----------- ------------------ -------------
    2/16   2651e       FastEthernet0/1    cisco 2651
    2/21   inet3       FastEthernet0/0    cisco 2651
    2/36   r2-7206     Ethernet2/0.1      cisco 7206VXR
    2/47   00M55I1     Ethernet0          yersinia
    2/47   00N55I1     Ethernet0          yersinia
    2/47   00N66I1     Ethernet0          yersinia
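Both the information leak and the cache-pollution attack on the CDP slides can be checked from a capture. The following Python is an added example, not part of the slides or of any vendor tool: it decodes the cleartext CDP TLVs of a constructed payload (TLV type codes as used by the Wireshark CDP dissector; the layout assumed for the VoIP VLAN reply TLV is a one-byte appliance id followed by the two-byte VLAN id) and flags a port that learns more neighbours than an access port should, which is what the three 2/47 rows of the table above look like.

```python
"""Decode the cleartext TLVs in a CDP payload and flag neighbour-table
pollution. Added example (not from the slides). Layout: after the 802.2
LLC/SNAP header the payload is version(1) | TTL(1) | checksum(2) | TLVs,
each TLV being type(2) | length(2, includes the 4-byte header) | value.
"""
import struct

# TLV type codes (values as used by Wireshark's CDP dissector).
TLV_NAMES = {
    0x0001: "device_id",
    0x0003: "port_id",
    0x0005: "software_version",
    0x0006: "platform",
    0x000A: "native_vlan",
    0x000E: "voice_vlan",   # "VoIP VLAN Reply": the auxiliary VLAN used by IP phones
}

def build_tlv(tlv_type, value):
    # Helper used only to construct the sample payload below.
    return struct.pack("!HH", tlv_type, 4 + len(value)) + value

def parse_cdp(payload):
    """Return a dict of the leaked fields from one CDP payload (no LLC/SNAP header)."""
    version, ttl, _checksum = struct.unpack("!BBH", payload[:4])
    info = {"version": version, "ttl": ttl}
    offset = 4
    while offset + 4 <= len(payload):
        tlv_type, tlv_len = struct.unpack("!HH", payload[offset:offset + 4])
        if tlv_len < 4 or offset + tlv_len > len(payload):
            raise ValueError("malformed TLV at offset %d" % offset)
        value = payload[offset + 4:offset + tlv_len]
        name = TLV_NAMES.get(tlv_type)
        if name == "native_vlan":
            info[name] = struct.unpack("!H", value[:2])[0]
        elif name == "voice_vlan":
            # Format assumed here: 1-byte appliance id followed by a 2-byte VLAN id.
            info[name] = struct.unpack("!H", value[1:3])[0]
        elif name:
            info[name] = value.decode("ascii", errors="replace")
        offset += tlv_len
    return info

def pollution_suspects(neighbours, max_per_port=1):
    """neighbours: list of (port, device_id) as learned by the switch.
    A port that learns more distinct device IDs than expected (an access
    port normally sees one) is a cache-pollution candidate."""
    seen = {}
    for port, device_id in neighbours:
        seen.setdefault(port, set()).add(device_id)
    return sorted(p for p, ids in seen.items() if len(ids) > max_per_port)

# Constructed sample payload: what a router advertises in clear text
# (checksum left at 0 because it is not verified here).
SAMPLE_CDP = (
    struct.pack("!BBH", 2, 180, 0)          # version 2, TTL 180 s
    + build_tlv(0x0001, b"r2-7206")
    + build_tlv(0x0003, b"Ethernet2/0.1")
    + build_tlv(0x0005, b"Cisco IOS Software, 7200 Software (constructed version string)")
    + build_tlv(0x0006, b"cisco 7206VXR")
    + build_tlv(0x000A, struct.pack("!H", 1))
    + build_tlv(0x000E, b"\x01" + struct.pack("!H", 200))
)

# Constructed neighbour list mirroring the 'sh cdp neighbors' output on the slide.
SAMPLE_NEIGHBOURS = [
    ("2/16", "2651e"), ("2/21", "inet3"), ("2/36", "r2-7206"),
    ("2/47", "00M55I1"), ("2/47", "00N55I1"), ("2/47", "00N66I1"),
]

if __name__ == "__main__":
    for key, val in parse_cdp(SAMPLE_CDP).items():
        print("%-16s %s" % (key, val))
    print("ports with suspicious neighbour counts:", pollution_suspects(SAMPLE_NEIGHBOURS))
```

Run on a real capture, `parse_cdp` receives the bytes after the SNAP header (protocol id 0x2000); the threshold in `pollution_suspects` should be raised for ports that legitimately face a hub or an unmanaged switch.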

Cisco Discovery Protocol (CDP) - Mitigation

• Only enable CDP on ports to other network devices and uplinks, and disable it on access ports
• But CDP must remain enabled on ports to IP phones
• To turn off CDP :

    CatOS> (enable) set cdp disable <mod>/<port> | all
    IOS(config)# no cdp run
    IOS(config-if)# no cdp enable

Hot Standby Router Protocol (HSRP) - Presentation

• It makes a group of adjacent routers appear as a single virtual router.
• Each physical router has its own MAC and IP addresses, but the group shares one MAC and one IP address for the virtual router.
• Routers exchange HSRP messages to elect the active router. A standby router can become active when
  • it receives no more HSRP hello messages from the active router
  • the active router explicitly wants to become standby

[Figure: an HSRP group of Routers A, B and C presenting the virtual IP 192.168.0.7. Router B is the active router and uses the virtual MAC 0000.0C07.AC01; Routers A and C use their hardware MAC addresses. The hosts use the virtual router as their default route.]

Hot Standby Router Protocol (HSRP) - Vulnerabilities

• HSRP is clear text : HSRP commits a slight information leakage by advertising all the routers' IP addresses, authentication data ...
• There is a possibility for a standby router to immediately take over the role of the active router :
  • standby routers use their own MAC addresses as source MAC
  • the active router uses the virtual MAC address

Hot Standby Router Protocol (HSRP) - Attacks

• DoS attack - an attacker sends a fake HSRP packet where the priority is set to the maximum value 255, with the correct values for the authentication data and the group's virtual IP address. All traffic is then sent to a black hole.

[Figure: the HSRP group (Routers A, B and C, virtual IP 192.168.0.7, active virtual router MAC 0000.0C07.AC01) between Network A and Network B; hosts have a default route to 192.168.0.7.]

Hot Standby Router Protocol (HSRP) - Attacks

• Man-In-The-Middle attack – the attacker can intercept, listen to & modify unprotected data

[Figure: the same HSRP group (Routers A, B and C, virtual IP 192.168.0.7, active virtual router MAC 0000.0C07.AC01); hosts keep their default route to the virtual router.]

Hot Standby Router Protocol (HSRP) - Mitigation

How to protect ourselves from these attacks ?

• The ways to mitigate these attacks rely on preventing :
  • Forging valid authentication data. If the attacker is unable to present the correct credentials, all other routers reject his packets.
  • Sending HSRP packets. The network infrastructure blocks all HSRP packets except those sent by authorized HSRP routers.

Okay ... But how ?!

• Using strong authentication : an MD5 key chain to authenticate HSRP messages
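Because HSRPv1 hellos are cleartext, the same fields that leak to an attacker can feed a detector on a monitoring port. The following Python is an added example, not from the slides: it parses the RFC 2281 HSRPv1 layout (UDP port 1985 to 224.0.0.2) and audits a constructed capture for hellos from unauthorized sources, priority 255 and coup messages. The physical router addresses 192.168.0.2 and 192.168.0.3 and the unknown host 192.168.0.50 are made up; the virtual IP 192.168.0.7 is the one on the slides.

```python
"""Audit HSRPv1 packets for takeover attempts. Added example, not from the
slides. Packet layout per RFC 2281: version, opcode, state, hellotime,
holdtime, priority, group, reserved (1 byte each), 8 bytes of cleartext
authentication data, then the 4-byte virtual IP (20 bytes in total).
"""
import struct
import ipaddress

OPCODES = {0: "hello", 1: "coup", 2: "resign"}
STATES = {0: "initial", 1: "learn", 2: "listen", 4: "speak", 8: "standby", 16: "active"}
HSRP_FMT = "!BBBBBBBB8s4s"

def build_hsrp(opcode, state, priority, group, auth, vip):
    # Helper for constructing the sample capture below (hellotime 3 s, holdtime 10 s).
    return struct.pack(HSRP_FMT, 0, opcode, state, 3, 10, priority, group, 0,
                       auth.ljust(8, b"\x00"), ipaddress.IPv4Address(vip).packed)

def parse_hsrp(payload):
    """Decode one HSRPv1 packet into a dict; raises on truncated input."""
    size = struct.calcsize(HSRP_FMT)
    if len(payload) < size:
        raise ValueError("truncated HSRP packet")
    (ver, op, state, hello, hold, prio, group, _res,
     auth, vip) = struct.unpack(HSRP_FMT, payload[:size])
    return {
        "version": ver, "opcode": OPCODES.get(op, op), "state": STATES.get(state, state),
        "hellotime": hello, "holdtime": hold, "priority": prio, "group": group,
        "auth": auth.rstrip(b"\x00"), "virtual_ip": str(ipaddress.IPv4Address(vip)),
    }

def audit_hsrp(captures, authorized):
    """captures: list of (source IP, payload). authorized: {group: set of router IPs}.
    Returns alert strings; an empty list means nothing suspicious was seen."""
    alerts = []
    for src_ip, payload in captures:
        msg = parse_hsrp(payload)
        group = msg["group"]
        known = authorized.get(group, set())
        if src_ip not in known:
            alerts.append(f"group {group}: HSRP {msg['opcode']} from unauthorized source {src_ip}")
        if msg["priority"] == 255:
            alerts.append(f"group {group}: maximum priority 255 advertised by {src_ip}")
        if msg["opcode"] == "coup" and src_ip not in known:
            alerts.append(f"group {group}: coup (forced takeover) from {src_ip}")
    return alerts

# Constructed capture: two legitimate routers, then a hello from an unknown
# host that replays the cleartext authentication data with priority 255.
AUTH = b"cisco"   # HSRPv1 default authentication string; it travels in clear text
CAPTURE = [
    ("192.168.0.2", build_hsrp(0, 16, 110, 1, AUTH, "192.168.0.7")),   # active, legitimate
    ("192.168.0.3", build_hsrp(0, 8, 100, 1, AUTH, "192.168.0.7")),    # standby, legitimate
    ("192.168.0.50", build_hsrp(0, 16, 255, 1, AUTH, "192.168.0.7")),  # unknown host
]
AUTHORIZED = {1: {"192.168.0.2", "192.168.0.3"}}

if __name__ == "__main__":
    for alert in audit_hsrp(CAPTURE, AUTHORIZED):
        print("ALERT:", alert)
```

The allow list is the only state the check needs, which is why the slide's second mitigation (filtering HSRP to the authorized routers) is the one that turns this alert into a block; with the MD5 key chain enabled the cleartext `auth` field is no longer the credential, so a replayed value stops being enough to be accepted.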

Other Attacks

VTP (VLAN Trunking Protocol)
• This protocol gives an attacker the ability to add and remove VLANs from the network.

DTP (Dynamic Trunking Protocol)
• If a switch port has been configured to send and/or listen to DTP advertisements, a hacker can easily coerce the port into becoming a trunk.

DHCP (Dynamic Host Configuration Protocol)
• Hijacking traffic using DHCP rogue servers

[Figure: a client, the attacker (10.50.72.66) and the legitimate DNS server, DHCP server and file server on the same segment.]
• The client sends DHCP request packets for IP, DNS & gateway addresses ("Hi, may I please have IP, Gateway & DNS addresses ?")
• The attacker replies with fraudulent information (IP : 10.50.72.0/24, GW : 10.50.72.66, DNS : 10.50.72.66). This includes his own computer as the gateway, so all packets from clients pass through his server.
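DHCP snooping (recommended in the conclusion) stops the rogue-server scenario by accepting OFFERs only from trusted server ports; the check below does the equivalent on captured packets. It is an added example, not from the slides: a minimal BOOTP/DHCP option parser run over two constructed OFFERs, one from a legitimate server (10.50.72.1, a made-up address) and one from the attacker's 10.50.72.66 handing itself out as gateway and DNS, as in the figure.

```python
"""Flag rogue DHCP offers the way a DHCP-snooping switch does: an OFFER whose
source, server identifier or advertised gateway is not trusted is reported.
Added example, not from the slides. Layout: 236-byte BOOTP header, the
magic cookie 63 82 53 63, then options as code(1) | len(1) | data.
"""
import struct
import ipaddress

MAGIC = b"\x63\x82\x53\x63"
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}
# op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr, chaddr, sname, file
HEADER_FMT = "!BBBBIHH4s4s4s4s16s64s128s"

def ip4(addr):
    return ipaddress.IPv4Address(addr).packed

def build_offer(xid, yiaddr, server_id, router, dns):
    """Construct a minimal DHCPOFFER (used only to build the sample capture)."""
    header = struct.pack(HEADER_FMT, 2, 1, 6, 0, xid, 0, 0, b"\0" * 4, ip4(yiaddr),
                         ip4(server_id), b"\0" * 4, b"\0" * 16, b"\0" * 64, b"\0" * 128)
    options = (b"\x35\x01\x02"                        # 53: message type = OFFER
               + b"\x36\x04" + ip4(server_id)          # 54: server identifier
               + b"\x01\x04" + ip4("255.255.255.0")    # 1: subnet mask
               + b"\x03\x04" + ip4(router)              # 3: default router
               + b"\x06\x04" + ip4(dns)                 # 6: DNS server
               + b"\x33\x04" + struct.pack("!I", 3600)  # 51: lease time
               + b"\xff")                               # end option
    return header + MAGIC + options

def parse_dhcp(pkt):
    """Return the fields a snooping check needs from one DHCP packet."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC:
        raise ValueError("not a DHCP packet")
    fields = {"op": pkt[0], "xid": struct.unpack("!I", pkt[4:8])[0],
              "yiaddr": str(ipaddress.IPv4Address(pkt[16:20]))}
    i = 240
    while i < len(pkt):
        code = pkt[i]
        if code == 255:           # end option
            break
        if code == 0:             # pad option carries no length byte
            i += 1
            continue
        length = pkt[i + 1]
        data = pkt[i + 2:i + 2 + length]
        i += 2 + length
        if code == 53:
            fields["type"] = MSG_TYPES.get(data[0], data[0])
        elif code == 54:
            fields["server_id"] = str(ipaddress.IPv4Address(data[:4]))
        elif code == 3:
            fields["router"] = str(ipaddress.IPv4Address(data[:4]))
        elif code == 6:
            fields["dns"] = str(ipaddress.IPv4Address(data[:4]))
        elif code == 1:
            fields["mask"] = str(ipaddress.IPv4Address(data[:4]))
    return fields

def rogue_offers(captures, trusted_servers, trusted_gateways):
    """captures: list of (source IP, packet bytes). Returns alert strings."""
    alerts = []
    for src_ip, pkt in captures:
        f = parse_dhcp(pkt)
        if f.get("type") != "OFFER":
            continue
        if src_ip not in trusted_servers or f.get("server_id") not in trusted_servers:
            alerts.append(f"OFFER of {f['yiaddr']} from untrusted server {src_ip} "
                          f"(server-id {f.get('server_id')})")
        if f.get("router") not in trusted_gateways:
            alerts.append(f"OFFER from {src_ip} sets default gateway {f.get('router')} "
                          f"and DNS {f.get('dns')}")
    return alerts

# Constructed capture: the legitimate server (10.50.72.1, made up) and the
# attacker at 10.50.72.66 both answering the same client request (xid 0x1234).
TRUSTED_SERVERS = {"10.50.72.1"}
TRUSTED_GATEWAYS = {"10.50.72.1"}
CAPTURE = [
    ("10.50.72.1", build_offer(0x1234, "10.50.72.101", "10.50.72.1", "10.50.72.1", "10.50.72.10")),
    ("10.50.72.66", build_offer(0x1234, "10.50.72.102", "10.50.72.66", "10.50.72.66", "10.50.72.66")),
]

if __name__ == "__main__":
    for alert in rogue_offers(CAPTURE, TRUSTED_SERVERS, TRUSTED_GATEWAYS):
        print("ALERT:", alert)
```

On a switch the same decision is taken per port rather than per source address (server-type messages are dropped on untrusted ports), which is why snooping also catches a rogue that spoofs the legitimate server's IP.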


Pentesting Layer 2 - Methodology

[Flowchart, reconstructed as a list]

1. Sniffing (CDP, VTP, HSRP, DHCP ...)
2. Reconnaissance attacks
   • CDP packet analysis
   • HSRP packets
   • DHCP information
   • DHCP enabled ? Yes : use the DHCP information. No : analyze CDP packets & pick your own IP address
3. Hijacking attacks
   • HSRP : become the active router -> MiTM
   • DHCP : introduce a rogue DHCP server -> DNS hijacking
   • DTP protocol analysis : enable trunking mode
4. Sniff the network traffic of the top layers


Conclusion

• According to our last pen test missions, 95 % of these attacks are successful, which proves that layer 2 security is always ignored by companies
• In general we recommend :
  • Managing switches in as secure a manner as possible (SSH, permit lists, etc.)
  • Using a dedicated VLAN ID for all trunk ports. Be paranoid : do not use VLAN 1 for anything.
  • Setting user ports to a non-trunking state.
  • Deploying port security whenever possible for user ports.
  • Using private VLANs where appropriate to further divide L2 networks.
  • Disabling all unused ports and putting them in an unused VLAN.
  • Disabling CDP whenever possible
  • Ensuring DHCP attack prevention (DHCP snooping)


REFERENCES

• LAN Switch Security: What Hackers Know About Your Switches - Eric Vyncke, Christopher Paggen
• Yersinia, a framework for layer 2 attacks - Black Hat - Berrueta Andres