Router and Switch Presentation

Router and Switch Security By: Kulin Shah Krunal Shah


Page 1: Router and Switch Presentation

Router and Switch Security

By: Kulin Shah

Krunal Shah

Page 2: Router and Switch Presentation

LAB GOAL

• This lab will introduce students to the concept of security of network devices

• A few attacks on routers and switches, and their countermeasures

Page 3: Router and Switch Presentation

PHYSICAL ACCESS COMPROMISE

• We will use the virtual XP machine and one Cisco router and switch on the playstation to carry out the attack.

• We assume that the attacker has physical access to the router

• Connect a console cable from the router's console port to the serial port of the computer

• Configure the terminal settings as shown below:

• Set "Bits per second" to 9600

• Set "Data Bits" to 8

• Set "Stop Bits" to 1

• Set "Flow control" to none

Page 4: Router and Switch Presentation

Router break-in

• Send a break signal to the router within 60 seconds of power-up

• This will put the router into ROM monitor (ROMMON) mode. The break sequence depends on your terminal emulation program; for HyperTerminal the break signal is CTRL-BREAK

• So basically the aim is to make the router boot from ROM rather than from NVRAM

Page 5: Router and Switch Presentation

*** System received an abort due to Break Key ***

signal= 0x3, code= 0x500, context= 0x813ac158
PC = 0x802d0b60, Vector

rommon 1 > confreg 0x2142

rommon 2 > reset

System Bootstrap, Version 11.3(2)XA4, RELEASE SOFTWARE (fc1)
Copyright (c) 1999 by cisco Systems, Inc.
TAC:Home:SW:IOS:Specials for info
C2600 platform with 32768 Kbytes of main memory

program load complete, entry point: 0x80008000, size: 0x6fdb4c
Self decompressing the image : ######################################################################################################################################################################################################################################################## [OK]

Page 6: Router and Switch Presentation

• Copy the NVRAM config file into RAM with copy start run

• Whoa!!

• Countermeasure: block the break signal that drops an attacker into ROMMON on a Cisco router by using the no service password-recovery command

Page 7: Router and Switch Presentation

PVLAN on CISCO SWITCHES

• Primarily used to achieve isolation without going through the pain of creating VLANs

• Multiple IPs not required

Page 8: Router and Switch Presentation

Lab set up for PVLAN

Page 9: Router and Switch Presentation

EXECUTION

Page 10: Router and Switch Presentation

HTTP AUTHENTICATION VULNERABILITY

• Applies when the HTTP server is enabled and local authorization is used on a Cisco device.

• It is possible to bypass the authentication and execute any command on the device.

• All commands will be executed with the highest privilege (level 15).

• All releases of Cisco IOS software from release 11.3 onward are vulnerable.

Page 11: Router and Switch Presentation

ATTACK EXECUTION

• By sending a particular URL to a Cisco IOS device with the HTTP server enabled, a remote attacker may be able to execute commands with the administrator privileges. The malicious URL is of the following form:

• http://<address>/level/XX/exec/...

• XX is a number between 16 and 99.

• This vulnerability is documented as Cisco Bug ID CSCdt93862
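As an added defender-side example (not part of the slides), the following Python scanner flags request lines of the form the slide describes: a path beginning with /level/XX/ where XX lies in the 16 to 99 range given above, while leaving the legitimate level/15 administrative URL alone. It assumes the requests were recorded by a proxy or IDS in front of the device in Common Log Format; the sample lines and addresses are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample lines in Common Log Format, as a proxy or IDS in front of
# the device might record them. Illustrative only, not captured traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /level/15/exec/show/version HTTP/1.0" 401 0
10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /level/42/exec/show/version HTTP/1.0" 200 8123
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /index.html HTTP/1.1" 200 512
10.0.0.7 - - [01/Jan/2024:10:00:04 +0000] "GET /level/16/exec/- HTTP/1.0" 200 300
10.0.0.7 - - [01/Jan/2024:10:00:05 +0000] "GET /level/100/exec/- HTTP/1.0" 404 0
"""

# Common Log Format: client, ident, user, [timestamp], "request", status, size
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
# The URL shape from the slide: /level/XX/exec/...
LEVEL_RE = re.compile(r'^/level/(?P<level>\d+)/')


@dataclass
class Finding:
    src: str
    ts: str
    level: int
    path: str
    status: int

    @property
    def likely_succeeded(self) -> bool:
        # A 2xx answer to a level 16..99 URL means the device accepted it.
        return 200 <= self.status < 300


def requested_level(path: str) -> Optional[int]:
    """Return the numeric level in a /level/XX/... path, or None."""
    m = LEVEL_RE.match(path)
    return int(m.group("level")) if m else None


def is_level_bypass(path: str) -> bool:
    """True when the level is in the 16..99 range named on the slide."""
    level = requested_level(path)
    return level is not None and 16 <= level <= 99


def scan_log(text: str) -> List[Finding]:
    """Parse CLF lines and return one Finding per suspicious request."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        path = m.group("path")
        if is_level_bypass(path):
            findings.append(Finding(m.group("src"), m.group("ts"),
                                    requested_level(path), path,
                                    int(m.group("status"))))
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f.src, f.ts, "level", f.level, f.path,
              "SUCCEEDED" if f.likely_succeeded else "rejected")
```

The status code is kept on each finding because a 2xx response is the signal that the device honoured the request; a 401 or 404 on the same URL shape still records an attempt worth correlating by source address.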

Page 12: Router and Switch Presentation

VULNERABLE PRODUCTS

Cisco devices that may be running with affected Cisco IOS software releases include but are not limited to:

• Cisco routers in the AGS/MGS/CGS/AGS+, IGS, RSM, 800, ubr900, 1000, 1400, 1500, 1600, 1700, 2500, 2600, 3000, 3600, 3800, 4000, 4500, 4700, AS5200, AS5300, AS5800, 6400, 7000, 7100, 7200, ubr7200, 7500, and 12000 series.

• Most recent versions of the LS1010 ATM switch.

• The Catalyst 6000 and 5000 if they are running Cisco IOS software.

• The Catalyst 2900XL and 3500XL LAN switches, only if they are running Cisco IOS software.

• The Catalyst 2900 and 3000 series LAN switches are affected.

Page 13: Router and Switch Presentation

COUNTERMEASURES

• Upgrading IOS to 12.0 or later

• Disabling HTTP

• Using TACACS+ (Terminal Access Controller Access-Control System Plus) or RADIUS (Remote Authentication Dial-In User Service) for authentication.

Page 14: Router and Switch Presentation

MACOF ATTACK

• When a Layer 2 switch receives a frame, the switch looks in the CAM table for the destination MAC address.

• If an entry exists for the MAC address in the CAM table, the switch forwards the frame to the port designated in the CAM table for that MAC address.

• If no entry exists for the destination MAC address, the switch looks at the source MAC address of the frame and adds it to the CAM table.

• The frame is then essentially broadcast out of every other port. This is the mechanism switches use to build their CAM tables.

Page 15: Router and Switch Presentation

ATTACK EXECUTION

• CAM overflow

Page 16: Router and Switch Presentation

ATTACK SUCCESSFUL

Page 17: Router and Switch Presentation

COUNTERMEASURES

• If no protection against MAC address spoofing is set up, this attack could succeed.

• By protecting the interface with “switchport port-security maximum 3”

• The port shuts down after having seen the third different MAC address.

• Thus this attack has been defeated.
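To make the CAM learning mechanism (page 14) and the port-security countermeasure (page 17) concrete, here is an added Python model that is not part of the slides: a toy switch with a capacity-limited CAM table that learns source addresses, floods unknown destinations, and optionally enforces a per-port maximum on learned addresses. It assumes the oldest CAM entry is evicted when the table is full, and that a port that tries to learn more addresses than its maximum is error-disabled, which is the behaviour of Cisco's default shutdown violation mode; the MAC addresses are constructed.

```python
from collections import OrderedDict


class Switch:
    """Toy Layer 2 switch: capacity-limited CAM table plus optional port security.

    Assumptions (not from the slides): the CAM evicts its oldest entry when full,
    and a port-security violation error-disables the port, as Cisco's default
    'shutdown' violation mode does.
    """

    def __init__(self, ports, cam_capacity, max_macs_per_port=None):
        self.ports = list(ports)
        self.cam_capacity = cam_capacity
        self.max_macs_per_port = max_macs_per_port
        self.cam = OrderedDict()                        # mac -> port, oldest first
        self.secure_macs = {p: set() for p in ports}   # MACs seen per port
        self.err_disabled = set()

    def _learn(self, in_port, src_mac):
        """Page 14: record the frame's source MAC against its ingress port."""
        if src_mac in self.cam:
            self.cam[src_mac] = in_port
            self.cam.move_to_end(src_mac)
            return
        if len(self.cam) >= self.cam_capacity:
            self.cam.popitem(last=False)              # table full: oldest entry lost
        self.cam[src_mac] = in_port

    def _port_security_ok(self, in_port, src_mac):
        """Page 17: 'switchport port-security maximum N' on every port."""
        if self.max_macs_per_port is None:
            return True
        seen = self.secure_macs[in_port]
        if src_mac in seen:
            return True
        if len(seen) >= self.max_macs_per_port:
            self.err_disabled.add(in_port)            # violation: shut the port down
            for mac in [m for m, p in self.cam.items() if p == in_port]:
                del self.cam[mac]
            return False
        seen.add(src_mac)
        return True

    def receive(self, in_port, src_mac, dst_mac):
        """Return the egress ports for a frame ([] if it is dropped)."""
        if in_port in self.err_disabled or not self._port_security_ok(in_port, src_mac):
            return []
        self._learn(in_port, src_mac)
        out = self.cam.get(dst_mac)
        if out is None:                               # unknown destination: flood
            return [p for p in self.ports if p != in_port and p not in self.err_disabled]
        return [] if out == in_port else [out]


def cam_overflow_demo(max_macs_per_port=None, cam_capacity=8, bogus_frames=20):
    """Two hosts exchange frames, then port 3 sprays constructed bogus source MACs.

    Returns (egress ports of a final A->B frame, error-disabled ports).
    [2] means A->B is still unicast; [2, 3] means the switch now floods it.
    """
    sw = Switch(ports=[1, 2, 3], cam_capacity=cam_capacity,
                max_macs_per_port=max_macs_per_port)
    host_a, host_b = "00:11:22:33:44:01", "00:11:22:33:44:02"   # constructed
    sw.receive(1, host_a, host_b)        # A and B are learned normally
    sw.receive(2, host_b, host_a)
    for i in range(bogus_frames):        # constructed bogus source MACs on port 3
        bogus = "02:00:00:00:%02x:%02x" % (i // 256, i % 256)
        sw.receive(3, bogus, "ff:ff:ff:ff:ff:ff")
    return sw.receive(1, host_a, host_b), sorted(sw.err_disabled)


if __name__ == "__main__":
    print("no port security :", cam_overflow_demo())
    print("maximum 3        :", cam_overflow_demo(max_macs_per_port=3))
```

Without port security the bogus entries push A and B out of the small CAM table, so the next A to B frame is flooded and also reaches port 3; with a maximum of 3 addresses per port, port 3 is error-disabled as soon as it exceeds its allowance, its entries are removed, and A to B stays unicast.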

Page 18: Router and Switch Presentation

CONCLUSION

• We have exploited some of the vulnerabilities.

• Due to ignorance or a lack of knowledge on the part of system administrators, it is easy to exploit many such vulnerabilities prevalent in network devices.

• This lab aims to educate students about the threats and vulnerabilities existing in the network devices.

Page 19: Router and Switch Presentation

REFERENCES

• www.askapache.com

• www.tech-faq.com

• www.antionline.com

• www.cisco.com

• www.securityfocus.com/infocus/1734

• “Virtual LAN Security: weaknesses and countermeasures”, GIAC Security Essentials Practical Assignment - Steve A. Rouiller

• “Hacking Exposed Cisco: Security Secrets and Solutions” - Andrew A. Vladimirov, Konstantin V. Gavrilenko, Janis N. Vizulis and Andrei A. Mikhailovsky

• www.arin.net

• http://www.cisco.com/warp/public/474/index.shtml

• http://www.modemsite.com/56k/x2-hyperterm.asp

• http://www.cisco.com/en/US/tech/tk389/tk390/tk181/tsd_technology_support_sub-protocol_home.html

• http://www.cisco.com/warp/public/473/63.html

• http://www.brandonhutchinson.com/installing_dsniff_2_3.html

Page 20: Router and Switch Presentation

QUESTIONS??