Protecting your Cisco Infrastructure against the latest “Attacktecs™”
By Stephen Dugan, CCSI
[email protected]
February 7, 2002
13:30 - 14:45
Black Hat - Windows Security 2002
New Orleans, LA
Introduction
Welcome to the presentation and thank you for coming!
Who is the speaker?
What is the focus of the presentation?
Why a talk on Cisco at a Windows show?
How will the material be presented?

Agenda
Introduction
Section 1 - Physical and Remote Access
Initial Configuration
Device Access Options
Password Issues
Management Protocols
Section 2 - Layer 2
VLANs / Design
STP / VTP / DTP
Network Sniffing
VLAN Hopping
Section 3 - Layer 3
ACLs
IP Routing Protocols
HSRP

Section 1
Physical and Remote Access
Section 1 - Physical and Remote Access
Initial Configuration Commands
or…
Commands that belong on all configurations
Turning off unused default features
Turning on features you should be using
Section 1 - Physical and Remote Access
Globally ON by default
Echo
Chargen
Discard
Finger
Bootp
Auto-Install
IP Source-Routing
DNS lookup
Attacktecs
Lots of documented attacks and available tools!
Solutions
Turn them all off
RO(config)# no service tcp-small-servers
RO(config)# no service udp-small-servers
RO(config)# no service finger
RO(config)# no service config
RO(config)# no ip identd
RO(config)# no ip bootp server
RO(config)# no boot network
RO(config)# no ip domain-lookup
Reasoning
Most are not used or needed
Rarely used for legit purposes

Section 1 - Physical and Remote Access
Interface level ON by default
Unreachable messages
Proxy-ARP
Redirects
Mask Replies
Directed-broadcast (Before 12.0)
Attacktecs
Lots of documented attacks and available tools!
Solutions
Again…Turn them all off
Should be done at ALL interfaces
RO(config-if)# no ip unreachables
RO(config-if)# no ip proxy-arp
RO(config-if)# no ip redirects
RO(config-if)# no ip mask-reply
RO(config-if)# no ip directed-broadcast
RO(config)# no ip source-route (global command; turns source routing off for the whole router)
Reasoning
Most are not used or needed
Rarely used for legitimate purposes today

Section 1 - Physical and Remote Access
General Features that should be turned ON
Nagle (RFC 896)
Login/MOTD Banners
TCP-keepalives-in
RO(config)# service nagle
RO(config)# service tcp-keepalives-in
RO(config)# banner motd ^
Get off my network! NOW!
(unless you work here)
YWBPTTFEOTL ^
Attacktecs
Various DoS
Reasoning
Banners for legal matters
Nagle and TCP keepalives can help during DoS attacks or high volume interactive traffic

Section 1 - Physical and Remote Access
Features that should be turned ON
Cisco Express Forwarding
Unicast Reverse Path Forwarding
Attacktecs
DDoS Tools: TFN(2K), Trinoo, Etc.
See PacketStorm for updated DDoS
Solutions
ip cef
! "ip cef distributed" for RSP+VIP
interface serial 0/0
ip address 192.168.8.1 255.255.252.0
ip verify unicast reverse-path
ip route 0.0.0.0 0.0.0.0 Serial 0/0
Reasoning
CEF will boost performance
RPF helps DDoS detection
Source Address Verification
Forced Asymmetric routing
Use BGP Weight or Local Preference if Multi-Homed
[Diagram: Enterprise Network - Fa0/0 - router - S0/0 - Upstream ISP - Internet; a packet with Source = 192.168.11.45 is shown as DROPPED by uRPF]

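An added example (not from the slides) of the strict-mode check that "ip verify unicast reverse-path" enables: a packet passes only if the best route back to its source address leaves through the interface the packet arrived on. The routing table, interface names and sample packets are constructed for the demo.

```python
# Added example, not from the original slides: strict-mode uRPF as enabled
# by "ip verify unicast reverse-path". Routing table, interface names and
# sample packets are constructed for the demo.
import ipaddress

# Constructed routing table: (prefix, outgoing interface), mirroring the
# slide's layout of a serial uplink to the ISP and an inside Ethernet.
ROUTES = [
    ("0.0.0.0/0", "Serial0/0"),           # default route toward the upstream ISP
    ("192.168.8.0/22", "Serial0/0"),      # connected subnet of serial 0/0
    ("10.10.0.0/16", "FastEthernet0/0"),  # enterprise network behind Fa0/0
]


def best_route(src_ip):
    """Longest-prefix match: the interface the router would use to reach src_ip."""
    addr = ipaddress.ip_address(src_ip)
    best = None
    for prefix, iface in ROUTES:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def urpf_strict(src_ip, ingress_iface):
    """Strict uRPF: accept only if the reverse path to the source address
    leaves through the interface the packet arrived on. With asymmetric
    routing (the slide's multi-homed caveat) legitimate packets fail this
    test, which is why the slide shows it on a single-homed edge."""
    return best_route(src_ip) == ingress_iface


def filter_packets(packets):
    """packets: iterable of (src_ip, ingress_iface); returns verdicts."""
    return [(src, iface, "PASS" if urpf_strict(src, iface) else "DROPPED")
            for src, iface in packets]


# Constructed sample traffic: inside host, spoofed source on the inside,
# an internet source, and an inside address arriving from the ISP side.
SAMPLE = [
    ("10.10.4.7", "FastEthernet0/0"),
    ("192.168.11.45", "FastEthernet0/0"),
    ("203.0.113.9", "Serial0/0"),
    ("10.10.9.1", "Serial0/0"),
]

if __name__ == "__main__":
    for src, iface, verdict in filter_packets(SAMPLE):
        print(f"{src:>15} on {iface:<16} {verdict}")
```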
Section 1 - Physical and Remote Access
Device Access Options
Console – Physical Access
AUX – The Dial-in Backdoor
VTY – Access for those Protocols we’ve
stopped using for years!
Section 1 - Physical and Remote Access
Console – Physical Access
Use for initial configs
Easy to avoid passwords
Attacktecs
Password Recovery
Theft of Equipment
SOLD on Internet Auction Sites
Solutions
Lock the Doors!
Guards with M16s
Secret IOS Command?!?!
Reasoning
ALL Cisco devices can be compromised with Console
Line password:
line con 0
login
password ClearText
exec-timeout 3 0
Local username:
username Steve password EncryptMe
line con 0
login local
exec-timeout 3 0
AAA / TACACS+ with local fallback:
aaa new-model
tacacs-server key NotCleartext
aaa authentication login default tacacs+ local

Section 1 - Physical and Remote Access
AUX – Dial-in Backdoor
Used mostly for remote Dial-IN access for administrators
Can be configured to Route Traffic for DDR
Attacktecs
WarDial to find Number
Use as a jumping point to launch other attacks
Solutions
Unplug Modem until needed
Strong Password Protection
Timeouts and CD-DROP detect to avoid session theft
Reasoning
Has good uses for solving network down type problems
Same Security problems with all Dial type access
Line password:
line aux 0
login
password ClearText
exec-timeout 3 0
Local username:
username Steve password EncryptMe
line aux 0
login local
exec-timeout 3 0
AAA / TACACS+ with local fallback:
aaa new-model
tacacs-server key NotCleartext
aaa authentication login default tacacs+ local

Section 1 - Physical and Remote Access
VTY – All Access
Used mostly for telnet
Supports LAT, MOP, rlogin, etc.
Attacktecs
Flood router with Telnets
MiTM – discover device password watching telnet traffic
Reverse-Telnet (2000, 3000, 7000)
Solutions
Use SSH & ACLs
Turn off unused protocols
Last resort...Turn off VTY access
Reasoning
Standard for Cisco management
SSH provides encryption for device management sessions
username Steve password ohSSH
ip domain-name router1.101labs.com
cry key generate rsa
ip ssh time-out 60
ip ssh authentication-retries 2
access-list 2 permit host 10.1.1.1
line vty 0 4
login local
ip access-class 2 in
transport input ssh (Default is ALL)
Note: Cisco only uses SSH v1 and has an active advisory for SSH. Also has IOS support for SSH client. Limited platform support. Still A LOT better than cleartext telnet! See link section for more info.

Section 1 - Physical and Remote Access
Password Issues
User, Privileged, and custom access
Implications of “No Password”
MD5 and Password Encryption
Password Recovery
Section 1 - Physical and Remote Access
User Exec - Level 1 - Router>
Can Look at various tables ARP, BGP, Routing etc.
Can do simple PINGs
Telnet to other places (Jump off point)
Privilege Exec - Level 15 - Router#
Essentially “Root” Access for IOS Device
All Functions Available
Custom Levels - Levels 2-14 - Router#
Set using Username/Password or AAA
Privilege Levels inherit lower levels unless denied.
Useful in large environments with different experience levels and job
functions of Techs.
Section 1 - Physical and Remote Access
Implications of “No Password”
Login Command on VTY Line will force the Router to
Ask for Password even if none is configured. This is
the default.
Login combined with no password on CON/AUX
allows login without challenge
To disable CON or AUX use:
line aux 0
transport input none
transport output none
no exec

Section 1 - Physical and Remote Access
MD5 and Password Encryption
Most Passwords stored on Cisco IOS Device configs are in Clear Text.
Using the “service password-encryption” command will weakly (type 7) encrypt your passwords. (You could decrypt them with pen & paper in 40 minutes.)
The Enable SECRET password is MD5. You should use this for Privilege Exec access.
Use Type 5 (MD5) for any passwords that let you.
service password-encryption
hostname Router-1
no enable password
enable secret 5 $1$y/fP$O.MMCCsH8leilgoRUwBxk1

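An added example, not part of the original slides, that audits a saved IOS config for the items on the "Globally ON by default", "Interface level ON by default" and "MD5 and Password Encryption" slides: the explicit "no service" lines, the per-interface ICMP knobs on every routed interface, and password storage types (type 0 and type 7 flagged, enable secret required). The sample config and its enable secret hash are constructed placeholders.

```python
# Added example, not part of the original slides: audit a saved IOS config
# against the Section 1 hardening items. The config text below and its
# enable secret hash are constructed placeholders.
import re

# Explicit global lines the slides say belong on every configuration.
GLOBAL_REQUIRED = [
    "no service tcp-small-servers", "no service udp-small-servers",
    "no service finger", "no ip bootp server", "no ip source-route",
    "service password-encryption", "service tcp-keepalives-in",
]
# Per-interface defaults the slides turn off on ALL routed interfaces.
INTERFACE_REQUIRED = ["no ip unreachables", "no ip proxy-arp",
                      "no ip redirects", "no ip directed-broadcast"]
# "password [type] value"; type 0 (or none) is cleartext, 7 is the weak scheme.
PASSWORD_RE = re.compile(r"\bpassword\s+(?:([057])\s+)?(\S+)")


def parse_config(text):
    """Split a config into global lines and {interface: [indented lines]}."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):   # section separator
            current = None
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
            global_lines.append(line.strip())
    return global_lines, interfaces


def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    global_lines, interfaces = parse_config(text)
    findings = [f"global: missing '{item}'"
                for item in GLOBAL_REQUIRED if item not in global_lines]
    for name, lines in interfaces.items():
        if not any(l.startswith("ip address ") for l in lines):
            continue   # the interface-level knobs only matter on L3 interfaces
        findings += [f"{name}: missing '{item}'"
                     for item in INTERFACE_REQUIRED if item not in lines]
    all_lines = global_lines + [l for ls in interfaces.values() for l in ls]
    for line in all_lines:
        m = PASSWORD_RE.search(line)
        if m and (m.group(1) or "0") in ("0", "7"):
            findings.append(f"weak password storage (type {m.group(1) or '0'}): '{line}'")
    if not any(l.startswith("enable secret ") for l in global_lines):
        findings.append("global: no 'enable secret' (MD5) configured")
    return findings


# Constructed sample config (the enable secret hash is a placeholder).
SAMPLE_CONFIG = """\
hostname Router-1
service password-encryption
no service tcp-small-servers
no service udp-small-servers
no service finger
no ip bootp server
enable secret 5 $1$PLACEHOLDER$notarealhash
username Steve password 7 0822455D0A16
!
interface FastEthernet0/0
 ip address 10.10.0.1 255.255.0.0
 no ip redirects
 no ip proxy-arp
!
line con 0
 login
 password ClearText
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```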
Section 1 - Physical and Remote Access
Password Recovery
As simple as...
Power Cycle
Break Key
confreg or o/r 0x2142
Secret IOS Command (some devices)
“No Service Password-Recovery”
Break Key after Power Cycle will give you a “Factory
Default <y/n>” question.
Section 1 - Physical and Remote Access
Management Protocols
CDP – How they Discover your network
SNMP – More holes than Swiss cheese
NTP – What Time did they break in?
SYSLOG – Another Ignored Log
Loopbacks – Interfaces that don’t go Down
Section 1 - Physical and Remote Access
CDP – Cisco Discovery Protocol
Used to discover the network
L2 Messages Sent every 60 seconds
Will discover Device name, IOS revision, L3 addresses, Native VLAN and more.
Default is ON for all ports/interfaces
Attacktecs
Everyone can discover your network
DOS attack discovered by FX
Info can be used in a variety of ways
Solutions
Turn it off Globally
Turn it off at a port/interface
Leave it on in the Management VLAN
RO(config)# no cdp run
RO(config-if)# no cdp enable
SW> (enable) set cdp disable <mod/port>
(omitting the <mod/port> turns off CDP for the entire Switch)
Reasoning
Not needed unless you’re actively discovering the network
Required for CiscoWorks 2000

Section 1 - Physical and Remote Access
SNMP V1 & V2
“Simple Net-attacks Made Possible”
Main Problems
Uses community strings that are stored/sent in cleartext
Many times left unchanged/default as Public/Private
Many Freeware SNMP tools used for hacking
If it must be used
Don’t enable a RW string
Use ACL
access-list 1 permit host 10.1.1.1
access-list 1 deny any log-input
snmp-server community not-public ro 1
Use V3 if RW is needed

Section 1 - Physical and Remote Access
SYSLOG
Default is console logging only
Stop Console logging
Send messages to syslog server.
service timestamps log datetime localtime
logging 10.1.1.1
no logging console
clock timezone MST -7
clock summer-time MST recurring
NTP
Gets time from trusted source
Attach Timestamps to logs
ntp authenticate
ntp authentication-key 1 md5 AtTheTone
ntp trusted-key 1
ntp access-group peer 3
ntp server 192.168.254.57 key 1
access-list 3 permit host 192.168.254.57
access-list 3 deny any log

Section 1 - Physical and Remote Access
Loopback interfaces
Loopbacks are internal/software interfaces
Never go down
Can be assigned L3 addresses
Router-ID for OSPF/BGP
Source IP Address in Packets
Telnet/SSH
SNMP
SYSLOG
TFTP / FTP
interface loopback 0
ip address 192.168.1.1 255.255.255.0
ip telnet source-interface loopback 0
ip tftp source-interface loopback 0
ip ftp source-interface loopback 0
logging source-interface loopback 0
router ospf 1
router-id 192.168.1.1
router bgp 65410
bgp router-id 192.168.1.1

Section 1 - Physical and Remote Access
Catalyst Switch Options
Password Commands
Telnet / SSH Connection Options
NTP, SYSLOG, SNMP
Section 1 - Physical and Remote Access
Catalyst Switch Passwords
Passwords for User and Enable modes
Attacktecs
Password Recovery
Power off.
Passwords Cleared for first 60 Seconds
Must Be Attached to Console
Solutions
Use Difficult Passwords
Limit Physical Access
set password (hit Return)
Old Password: *.Eat@JoE$^^_
New Password: JoE$F0Od_Stnks
Retype Password: JoE$F0Od_Stnks
set enable (hit Return)
Old Enablepass: Stay!0Ff_My-C@
New Enablepass: C@_iN_Da_H@
Retype: C@_iN_Da_H@

Section 1 - Physical and Remote Access
Catalyst Switch Management
Same management methods as IOS Router
Attacktecs
BSD Telnet DoS Attack
Discover device configs and passwords watching telnet or HTTP traffic
Solutions
Use SSH & IP Permit Lists
Shut off HTTP Access
Last resort...Turn off Telnet
OR… Don’t configure IP on Switch
set crypto key rsa 1024
set ip permit enable ssh
show crypto key
show ip permit
set ip http server disable
NEW ALERT for CAT Switches 1/29/02
ALL Catalysts Running “Set based IOS” are Vulnerable to DoS attack
Fix by new Code 2/5/02
Use SSH and IP Permit

Section 1 - Physical and Remote Access
NTP, SYSLOG on CATs
Cisco Recommends modifying some of the logging levels based on environment conditions
set logging server <IP address>
set logging timestamp enable
set logging level spantree 6 default
set logging level sys 6 default
set logging server severity 4
set logging console disable
NTP configuration is very similar to the configuration commands on Router IOS.
set ntp client enable
set ntp server <address of server>
set ntp authentication enable
set ntp key <key>
set ntp timezone <zone name>
set ntp summertime <details>

Section 2
Layer 2 - Switching
Section 2 - Layer 2 - Switching
VLANs
Good Design – Simplifies Security
Default VLANs – 1, 1001-1005
Management VLAN - Defaults to VLAN 1

Section 2 - Layer 2 - Switching
Design Philosophies
Spanning Tree = BAD
Routing = GOOD
KISP
Plan with security in mind
Section 2 - Layer 2 - Switching
[Diagram] Good Design! – Switch Block
[Diagram] Bad Design!!!! – Redundant rat’s nest

Section 2 - Layer 2 - Switching
VLANs
VLAN 1 – The dead VLAN
VLANs 1001 – 1005 – The dead technology VLANs
Clear Trunks of these VLANs
Can’t remove them from switches
Section 2 - Layer 2 - Switching
Management VLAN - Defaults to VLAN 1
Change this on all switches to a Random Number (the same number for all switches)
NO USER Traffic
Don’t Assign to User Ports
ACL to block them!
Used for Anything your users shouldn’t see
IP Routing
CDP (if you didn’t want to turn it off)
VTP
MLSP

Section 2 - Layer 2 - Switching
Management VLAN (cont..)
Runs on all switches in the block
Use 1 Management VLAN per block
Should be the only VLAN on this link
Trunked with User VLANs on these Links
Section 2 - Layer 2 - Switching
STP / VTP / DTP
Spanning Tree Issues
VLAN Trunking Protocol – The “A” DoS
Dynamic Trunking Protocol – To Trunk or not
to Trunk?…that is the question.
Section 2 - Layer 2 - Switching
Spanning Tree Protocol
For loop prevention in an Ethernet Network
Works by electing a “root bridge”
Sends messages via BPDUs
Attacktecs include
Forced takeover as ROOT bridge
BPDU Flood attack
BPDU Change Notification flag (Unintentional side effect of a switched network)
Solutions
Force user ports not to send/receive BPDUs
Portfast & BPDU-Guard

Section 2 - Layer 2 - Switching
VTP
VLAN Trunking Protocol
Used to Maintain VLAN database consistency
Could be used for attack to add/delete VLANs
Risky to use under normal conditions
Required by some CATs to create VLANS
Solution
Set all switches to VTP Transparent Mode
Set Password to avoid mis-configuration / attacks
Section 2 - Layer 2 - Switching
Dynamic Trunking Protocol
“To Trunk or not to Trunk”
All Switch 100mb ports are set to AUTO
Connecting AUTO - AUTO ports doesn’t Trunk
Connecting AUTO - ON ports does Trunk
Attacktecs
802.1Q tag manipulation
Access to all VLANs without Router
Solution
Set all non-trunk ports to DTP OFF mode
Force Users to 10MB (Lead Balloon?!?!)

Section 2 - Layer 2 - Switching
CAT OS Commands
set port host <mod/port>
Batch command that configures Trunking to OFF and Portfast ON
set port disable <mod/port>
set spantree portfast bpdu-guard enable
set spantree guard root 1/1

Section 2 - Layer 2 - Switching
VLAN “Hopping”
Works by injecting modified 802.1q tags
Can effectively pass traffic to other VLANs without a router.
Solutions
Set Native VLANs on trunk ports to an unused VLAN and not VLAN 1
set port vlan <vlan#> <mod/port>
Remember the native VLAN must match on both sides of the trunk

Section 2 - Layer 2 - Switching
Network Sniffing with Switch Ports
Attacker running ARP spoofing tool with bridging software sends continuous ARP replies telling the PC he’s the Server and the Server that he’s the PC. Traffic is bridged for PC/SERVER to maintain the connection.
Solutions:
Private VLANs?
Host IDS!

Section 2 - Layer 2 - Switching
Flooding switch with MAC Addresses
or….
How to make a switch act like a hub.
Attacking host PC launches an attack that floods the CAM table on the switch, using all allocated CAM memory. The switch then forwards all traffic like unknown unicasts.
Solutions:
Port Security
Max Mac Count 1

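An added example (not from the slides) of the Host IDS style checks the "Network Sniffing with Switch Ports" and "Flooding switch with MAC Addresses" slides call for: an ARP monitor that flags an IP whose MAC changes and a MAC that answers for several IPs, and a per-port distinct-MAC counter that spots CAM flooding. All ARP records, frame records and the threshold are constructed.

```python
# Added example, not part of the original slides: host/sensor-side checks
# for the two Layer 2 attacks above. ARP records, frame records and the
# threshold are constructed for the demo.
from collections import defaultdict


def detect_arp_spoof(arp_replies):
    """arp_replies: iterable of (sender_ip, sender_mac) from ARP replies.
    Flags an IP whose MAC differs from the one first learned (the slide's
    continuous spoofed replies) and a MAC that answers for several IPs
    (one attacker claiming both the PC and the Server)."""
    learned, claims, alerts = {}, defaultdict(set), []
    for ip, mac in arp_replies:
        mac = mac.lower()
        claims[mac].add(ip)
        if ip not in learned:
            learned[ip] = mac
        elif learned[ip] != mac:
            alerts.append(f"ARP conflict: {ip} was {learned[ip]}, now claimed by {mac}")
    for mac, ips in claims.items():
        if len(ips) > 1:
            alerts.append(f"MAC {mac} answers for {len(ips)} IPs: {sorted(ips)}")
    return alerts


def detect_cam_flood(frames, threshold=50):
    """frames: iterable of (switch_port, src_mac). An access port normally
    sources a handful of MACs; one sourcing more than `threshold` distinct
    MACs is filling the CAM table. Returns {port: distinct_mac_count}."""
    per_port = defaultdict(set)
    for port, mac in frames:
        per_port[port].add(mac.lower())
    return {port: len(macs) for port, macs in per_port.items()
            if len(macs) > threshold}


# Constructed ARP stream: normal replies, then an attacker claiming both hosts.
ARP_SAMPLE = [
    ("10.0.0.10", "aa:bb:cc:00:00:01"),   # PC
    ("10.0.0.20", "aa:bb:cc:00:00:02"),   # Server
    ("10.0.0.10", "DE:AD:BE:EF:00:01"),   # attacker tells the Server it is the PC
    ("10.0.0.20", "de:ad:be:ef:00:01"),   # attacker tells the PC it is the Server
]

# Constructed frames: port 2/1 sources 200 made-up MACs, port 2/2 only two.
FRAME_SAMPLE = [("2/1", f"02:00:00:00:{i >> 8:02x}:{i & 0xff:02x}") for i in range(200)]
FRAME_SAMPLE += [("2/2", "aa:bb:cc:00:00:01"), ("2/2", "aa:bb:cc:00:00:02")]

if __name__ == "__main__":
    for alert in detect_arp_spoof(ARP_SAMPLE):
        print(alert)
    print(detect_cam_flood(FRAME_SAMPLE))
```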
Section 3
Layer 3 - Routing
Section 3 - Layer 3 - Routing
Access Control Lists
Standard / Extended / Named
Context Based (CBAC)
Other
Section 3 - Layer 3 - Routing
IP Standard ACLs
IP Source Address Based only
Variety of uses (Not just packet filtering)
1-99, 1300-1999 range
IP Extended ACLs
Looks at
Source & Destination IP
Source & Destination Ports
Protocol
SYN/RST bit (Established)
Can be Logged - Log or Log-input (timestamp and packet info)
100-199, 2000-2699 Range
IP Named ACLs
Same as STD or EXT except with a Name instead of a number.
Can remove a single List entry without removing Whole ACL

Section 3 - Layer 3 - Routing
Context Based Access Control (CBAC)
AKA Cisco IOS Firewall Feature set
Creates dynamic inbound ACE entries based upon egress traffic.
Inbound Base ACL “Deny any”
As a packet exits toward the Internet, a short-lived dynamic ACE is added to the beginning of the base ingress ACL, allowing return traffic.
[Diagram: IP Packet leaving toward the Internet; the return traffic is matched by the dynamic ACE]

Section 3 - Layer 3 - Routing
Other IP ACL types
Reflexive
Dynamic
Time-based
Other ACLs
IPX
AppleTalk
MAC
NetBIOS
VACLs
Section 3 - Layer 3 - Routing
IP Routing Protocols
RIP – May it Rest in Peace (PLEASE!!!)
IGRP – I’d rather run RIP first
EIGRP – Simple and Powerful
OSPF – You Stubbed your what?
Section 3 - Layer 3 - Routing
RIP
V1
Classful IP (no VLSM or CIDR)
Broadcasts every 30 sec.
Cleartext Passwords
Any IP product that has “Routing” features supports it
Too many security problems to fix.
V2
Classless
Uses Multicasts every 30 seconds
MD5 passwords
Wide support
Still vulnerable to attacks
“You can tie on a pretty ribbon and give it some makeup… but it’s still the same old RIP”

Section 3 - Layer 3 - Routing
Setting RIP V2 with Key-chain
key chain MyKey
key 1
key-string 1234
!
interface Ethernet0
ip address 192.168.1.1 255.255.255.0
ip rip authentication mode md5
ip rip authentication key-chain MyKey
!
router rip
version 2
network 192.168.1.0
passive-interface default
no passive-interface Ethernet0
! "ip rip authentication mode md5" is required: without it the key-chain is sent as cleartext (the default mode)
[Diagram: two routers connected via E0]

Section 3 - Layer 3 - Routing
IGRP
Cisco Proprietary
Uses (Lowest) Bandwidth and Delay for metrics
Classful
Broadcasts every 90 sec.
Converges SLOWER than RIP
NO SECURITY
Still out there because of the CCNA program….
Solution.. Modify your configs and add the “E”

Section 3 - Layer 3 - Routing
Enhanced IGRP (EIGRP)
Acts like a LS Routing protocol when
Discovering neighbors
Maintaining neighbors
Exchanging Routes
Acts like a DV Routing protocol for Calc. metrics
Uses Lowest Bandwidth and Delay like IGRP
Classless
MD5 Passwords checked before creating neighbors
Fewer constraints than OSPF
Doesn’t force good design
Can go Query Crazy

Section 3 - Layer 3 - Routing
EIGRP with Authentication (Key-Chain)
key chain keyname
key 1
key-string 0987654321
accept-lifetime infinite
!
interface E0
ip address 192.168.1.1 255.255.255.0
ip authentication mode eigrp 1 md5
ip authentication key-chain eigrp 1 keyname
!
router eigrp 1
network 192.168.1.0
passive-interface default
no passive-interface E0
[Diagram: two routers connected via E0]

Section 3 - Layer 3 - Routing
OSPF
Industry Open Standard
Can be Complex
Classless
Supports MD5 Password protection
Forces good design (sometimes)

Section 3 - Layer 3 - Routing
OSPF with Authentication
router ospf 1
network 192.168.1.1 0.0.0.0 area 0
area 0 authentication message-digest
!
interface E0
ip address 192.168.1.1 255.255.255.0
ip ospf message-digest-key 1 md5 myOSPFpass
[Diagram: two routers connected via E0]

Section 3 - Layer 3 - Routing
HSRP
Hot Swappable ROUTER Protocol
Designed to maintain High Availability of GWs
HSRP is Cisco Proprietary
VRRP is the new IETF standard
Works by sending hello messages between
routers to Elect Active and standby Routers
Is Vulnerable to attack when configured
correctly
Section 3 - Layer 3 - Routing
[Diagram: Enterprise Network or Internet above an Active and a Standby HSRP router]
Attacktecs
Attack sent to make PC appear as an HSRP Router and to “preempt” ACTIVE status
Used as DoS or MiTM

Section 3 - Layer 3 - Routing
Solutions to HSRP Attack
Set HSRP PRIORITY to 255 on both routers
ACTIVE Router gets Highest IP in SUBNET, Standby gets Second Highest, Virtual Gets Third
Modify the default MAC Address created for HSRP
Create ACL to only permit the HSRP traffic between the appropriate routers (MLS implications…)
Have switches only send 224.0.0.2 (0000.5E00.0002) to ports that will have Routers
Caveat: Doing this will force you to disable CGMP or IGMP Snooping; don’t use this last one if you’re using Multicasting in your network.

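An added example (not from the slides) that decodes HSRPv1 hellos and coups and checks, against the two election rules the Solutions slide relies on (priority 255 on both routers, Active router at the highest IP in the subnet), whether an unknown sender could preempt the Active router; it also flags a mismatched authentication string. Router addresses, priorities and packet bytes are constructed.

```python
# Added example, not from the original slides: decode HSRPv1 packets
# (UDP 1985 to 224.0.0.2, RFC 2281) and judge whether a sender could take
# the Active role, against the two election fixes on the Solutions slide
# (priority 255 on both routers, Active router holds the highest IP).
# All addresses, router sets and packet bytes are constructed.
import ipaddress
import socket
import struct
from dataclasses import dataclass

# version, opcode, state, hellotime, holdtime, priority, group, reserved, auth, virtual IP
HSRP_FMT = "!BBBBBBBB8s4s"
OPCODES = {0: "Hello", 1: "Coup", 2: "Resign"}


@dataclass
class Hsrp:
    opcode: int
    state: int
    priority: int
    group: int
    auth: bytes
    virtual_ip: str


def parse_hsrp(payload):
    """Decode the 20-byte HSRPv1 header; raises ValueError on bad input."""
    if len(payload) < struct.calcsize(HSRP_FMT):
        raise ValueError("truncated HSRP packet")
    ver, op, state, _hello, _hold, prio, group, _rsv, auth, vip = struct.unpack(
        HSRP_FMT, payload[:20])
    if ver != 0 or op not in OPCODES:
        raise ValueError("not an HSRPv1 packet")
    return Hsrp(op, state, prio, group, auth.rstrip(b"\x00"), socket.inet_ntoa(vip))


def build_hsrp(opcode, state, priority, group, vip, auth=b"cisco"):
    """Encode a packet; used only to construct the sample input below."""
    return struct.pack(HSRP_FMT, 0, opcode, state, 3, 10, priority, group, 0,
                       auth.ljust(8, b"\x00"), socket.inet_aton(vip))


def would_preempt(src_ip, pkt, active_ip, active_priority):
    """HSRP election: higher priority wins, a tie goes to the higher IP."""
    if pkt.priority != active_priority:
        return pkt.priority > active_priority
    return ipaddress.ip_address(src_ip) > ipaddress.ip_address(active_ip)


def check_packet(src_ip, payload, routers, active_ip, auth=b"cisco"):
    """routers: {router_ip: priority}. Returns (Hsrp, [alert strings])."""
    pkt = parse_hsrp(payload)
    alerts = []
    if src_ip not in routers:
        alerts.append(f"{OPCODES[pkt.opcode]} for group {pkt.group} from unknown source {src_ip}")
        if would_preempt(src_ip, pkt, active_ip, routers[active_ip]):
            alerts.append("sender would win the election: apply the priority 255 / highest-IP fix")
    if pkt.auth != auth:
        alerts.append(f"authentication string mismatch: {pkt.auth!r}")
    return pkt, alerts


# Constructed router sets: factory defaults versus the slide's hardened layout.
DEFAULT_ROUTERS, DEFAULT_ACTIVE = {"10.0.0.1": 100, "10.0.0.2": 100}, "10.0.0.1"
HARDENED_ROUTERS, HARDENED_ACTIVE = {"10.0.0.254": 255, "10.0.0.253": 255}, "10.0.0.254"

# Constructed packets: a normal Active hello and a rogue Coup at priority 255.
ACTIVE_HELLO = build_hsrp(0, 16, 255, 1, "10.0.0.252")
ROGUE_COUP = build_hsrp(1, 4, 255, 1, "10.0.0.252", auth=b"hax")

if __name__ == "__main__":
    for routers, active in ((DEFAULT_ROUTERS, DEFAULT_ACTIVE), (HARDENED_ROUTERS, HARDENED_ACTIVE)):
        print(active, check_packet("10.0.0.50", ROGUE_COUP, routers, active)[1])
```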
Links
General Cisco Security
http://www.cisco.com/warp/public/707/21.html#http
http://www.cisco.com/public/cons/isp/documents/IOSEssentialsPDF.zip
http://www.cisco.com/warp/public/cc/so/cuso/epso/sqfr/safe_wp.htm
DDoS
http://packetstormsecurity.nl/distributed/
http://www.cisco.com/warp/public/707/newsflash.html
Design
http://www.dcug.org/prezos/DCUG-Campus1-25-2001.zip
SSH
http://www.cisco.com/warp/public/707/SSH-multiple-pub.html
http://www.cisco.com/warp/public/707/ssh.shtml
Thank you for coming!!
Special thanks to
Jeff Moss, Keith Myers and the rest
of the Black Hat Crew.
Tony and SPuD for beginning
101labs with me.