Router and Switch Security By: Kulin Shah Krunal Shah.
LAB GOAL
• This lab introduces students to the security of network devices.
• It demonstrates a few attacks on routers and switches, and the countermeasure for each.
PHYSICAL ACCESS COMPROMISE
• We use the virtual XP machine and one Cisco router and one Cisco switch on the playstation to carry out the attack.
• We assume the attacker has physical access to the router.
• Connect a console cable from the router's console port to the serial port of the computer.
• Configure the terminal emulator's serial settings as shown below (the Cisco console expects 9600 baud, 8 data bits, no parity, 1 stop bit):
• Set "Bits per second" to 9600
• Set "Data Bits" to 8
• Set "Parity" to None
• Set "Stop Bits" to 1
• Set "Flow control" to None
Router break-in
• Send a break signal to the router within 60 seconds of power-up.
• This drops the router into ROM monitor (ROMMON) mode. The break sequence depends on the terminal emulation program; in HyperTerminal it is Ctrl-Break.
• The aim is to make the router boot while ignoring the startup configuration stored in NVRAM (configuration register 0x2142), so that it comes up without any of the configured passwords.
*** System received an abort due to Break Key ***
signal= 0x3, code= 0x500, context= 0x813ac158
PC = 0x802d0b60, Vector
rommon 1 > confreg 0x2142
rommon 2 > reset
System Bootstrap, Version 11.3(2)XA4, RELEASE SOFTWARE (fc1)
Copyright (c) 1999 by cisco Systems, Inc.
TAC:Home:SW:IOS:Specials for info
C2600 platform with 32768 Kbytes of main memory
program load complete, entry point: 0x80008000, size: 0x6fdb4c
Self decompressing the image : ################################################ [OK]
• Once the router has booted without its configuration, copy the NVRAM config file into RAM with copy start run. You are already in privileged mode, so the full configuration (passwords included) is now loaded and can be changed.
• Whoa!!
• Countermeasure: block the break signal from dropping an attacker into ROMMON on a Cisco router with the no service password-recovery command. Be aware of what this costs: with it set, a break during boot only offers to erase the startup configuration and return to factory defaults, so a genuinely lost password means rebuilding the router from an offline copy of its configuration.
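The procedure above carried through end to end on the IOS CLI, followed by the countermeasure. This is an added example, not taken from the original slides; "Router", the interface name FastEthernet0/0 and the new enable secret are placeholders.

```text
! --- Break-in, continued from ROMMON ---
rommon 1 > confreg 0x2142               ! ignore the NVRAM startup-config on next boot
rommon 2 > reset
! (router boots with an empty configuration and no passwords)
Router> enable                          ! no enable secret is loaded, so this succeeds
Router# copy startup-config running-config   ! restore the real config, passwords included
Router# configure terminal
Router(config)# enable secret NewEnableSecret   ! overwrite the lost password
Router(config)# interface FastEthernet0/0
Router(config-if)# no shutdown          ! interfaces come back administratively down
Router(config-if)# exit
Router(config)# config-register 0x2102  ! boot from NVRAM normally again
Router(config)# end
Router# write memory
Router# reload

! --- Countermeasure: refuse ROMMON password recovery ---
Router(config)# config-register 0x2102  ! must already be set to autoboot
Router(config)# no service password-recovery
Router(config)# end
Router# write memory
Router# show version                    ! confirm "Configuration register is 0x2102"
```

The no service password-recovery command asks for confirmation and is refused if the configuration register is not set to autoboot, which is why the register is set first. After it is saved, a break during boot no longer gives a ROMMON prompt with the configuration intact; it only offers to reset the router to factory defaults, so keep a verified backup of the configuration somewhere other than the router.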
PVLAN ON CISCO SWITCHES
• Private VLANs (PVLANs) isolate ports from one another inside a single VLAN, giving Layer 2 isolation without going through the pain of creating a separate VLAN for every group of hosts.
• Multiple IP subnets are not required: the isolated hosts keep sharing one subnet and reach the gateway only through the promiscuous port.
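A private VLAN configured on a Catalyst switch running IOS, as an added example that is not from the original slides. The VLAN numbers, interface names and the choice of a single isolated secondary VLAN are assumptions; on VTP version 1 and 2 the switch must be in VTP transparent mode before private VLANs can be defined.

```text
Switch(config)# vtp mode transparent

! Primary VLAN 200 carries the subnet; secondary VLAN 201 is the isolated one.
Switch(config)# vlan 200
Switch(config-vlan)# private-vlan primary
Switch(config-vlan)# private-vlan association 201
Switch(config-vlan)# exit
Switch(config)# vlan 201
Switch(config-vlan)# private-vlan isolated
Switch(config-vlan)# exit

! Hosts on isolated ports share one subnet but cannot reach each other at Layer 2.
Switch(config)# interface range FastEthernet0/1 - 2
Switch(config-if-range)# switchport mode private-vlan host
Switch(config-if-range)# switchport private-vlan host-association 200 201
Switch(config-if-range)# exit

! The gateway/uplink port is promiscuous: it can talk to every host in the PVLAN.
Switch(config)# interface GigabitEthernet0/1
Switch(config-if)# switchport mode private-vlan promiscuous
Switch(config-if)# switchport private-vlan mapping 200 201
```

One caveat that the Rouiller paper in the references discusses: the isolation is only at Layer 2. A host on an isolated port can still address a frame to the gateway's MAC address with another isolated host's IP as the destination, and the router on the promiscuous port will happily route it back into the PVLAN. An inbound ACL on the gateway interface that drops traffic sourced from the subnet and destined to the same subnet closes that gap.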
HTTP AUTHENTICATION VULNERABILITY
• Affects Cisco devices that have the HTTP server enabled and use local authorization.
• It is possible to bypass authentication and execute any command on the device.
• All commands are executed with the highest privilege level (level 15).
• All releases of Cisco IOS software from release 11.3 onwards are vulnerable.
ATTACK EXECUTION
• By sending a particular URL to a Cisco IOS device with the HTTP server enabled, a remote attacker may be able to execute commands with administrator privileges. The malicious URL is of the following form:
• http://<address>/level/XX/exec/...
• XX is a number between 16 and 99. Level 15 is the legitimate privileged level, for which the HTTP server does prompt for credentials; the out-of-range level numbers slip past that check.
• This vulnerability is documented as Cisco Bug ID CSCdt93862.
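Added example, not code from the original slides: a small Python filter that flags requests matching the /level/XX/exec pattern with XX between 16 and 99 in web-server, proxy or IDS access logs, while leaving the legitimate level 15 path alone. The log lines are constructed for illustration; the combined-log layout and the IP addresses in them are assumptions.

```python
"""Flag Cisco IOS HTTP authorization-bypass probes (the /level/XX/exec pattern
with 16 <= XX <= 99) in access-log lines.

Added example, not code from the original slides. The sample log lines are
constructed for illustration; the log layout and addresses are assumptions.
"""
import re
from urllib.parse import unquote, urlsplit

# Path prefix described on the slides; the level number is captured so it can
# be range-checked outside the regex (levels 0-15 are legitimate IOS levels).
LEVEL_EXEC = re.compile(r"^/level/(\d{1,3})/exec(?:/|$)")

# Request line inside a combined-format access log entry.
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample lines (not real traffic). Line 1 is a normal authenticated
# level-15 request; lines 2 and 3 use out-of-range levels; line 5 is above 99;
# line 6 percent-encodes the level ("%32%30" is "20") to dodge naive matching.
SAMPLE_LOG = """\
10.0.0.5 - admin [12/Mar/2024:10:01:02 +0000] "GET /level/15/exec/show/version HTTP/1.0" 200 812
10.0.0.9 - - [12/Mar/2024:10:01:07 +0000] "GET /level/16/exec/show/version HTTP/1.0" 200 812
10.0.0.9 - - [12/Mar/2024:10:01:09 +0000] "GET /level/99/exec/show/running-config HTTP/1.0" 200 4096
10.0.0.7 - - [12/Mar/2024:10:02:00 +0000] "GET /index.html HTTP/1.0" 200 1024
10.0.0.9 - - [12/Mar/2024:10:02:30 +0000] "GET /level/100/exec/show/version HTTP/1.0" 404 0
10.0.0.9 - - [12/Mar/2024:10:02:45 +0000] "GET /level/%32%30/exec/show/version HTTP/1.0" 200 812
"""


def bypass_level(target):
    """Return the requested level if `target` matches /level/XX/exec with
    16 <= XX <= 99, otherwise None. The query string is stripped and
    percent-encoding decoded first so an encoded level does not slip past."""
    path = unquote(urlsplit(target).path)
    m = LEVEL_EXEC.match(path)
    if not m:
        return None
    level = int(m.group(1))
    return level if 16 <= level <= 99 else None


def find_bypass_attempts(log_text):
    """Return (client_ip, level, target) for every log line that looks like an
    authorization-bypass probe."""
    hits = []
    for line in log_text.splitlines():
        req = REQUEST.search(line)
        if not req:
            continue
        level = bypass_level(req.group("target"))
        if level is not None:
            hits.append((line.split(" ", 1)[0], level, req.group("target")))
    return hits


if __name__ == "__main__":
    for client, level, target in find_bypass_attempts(SAMPLE_LOG):
        print(f"{client} requested privilege level {level}: {target}")
```

A 200 response on one of these paths from a device that should have demanded credentials is the strongest signal; a 401 or 404 still tells you someone is probing for the bug.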
VULNERABLE PRODUCTS
Cisco devices that may be running affected Cisco IOS software releases include, but are not limited to:
• Cisco routers in the AGS/MGS/CGS/AGS+, IGS, RSM, 800, ubr900, 1000, 1400, 1500, 1600, 1700, 2500, 2600, 3000, 3600, 3800, 4000, 4500, 4700, AS5200, AS5300, AS5800, 6400, 7000, 7100, 7200, ubr7200, 7500, and 12000 series.
• Most recent versions of the LS1010 ATM switch.
• The Catalyst 6000 and 5000, if they are running Cisco IOS software.
• The Catalyst 2900XL and 3500XL LAN switches, only if they are running Cisco IOS software.
• The Catalyst 2900 and 3000 series LAN switches are affected.
COUNTERMEASURES
• Upgrade to a Cisco IOS release that contains the fix for CSCdt93862. "12.0 or later" alone is not a safe rule, since releases in the 12.0 and later trains were affected as well; check the fixed-release table in Cisco's advisory for the train in use.
• Disable the HTTP server if it is not needed.
• Use Terminal Access Controller Access-Control System Plus (TACACS+) or Remote Authentication Dial-In User Service (RADIUS) for HTTP authentication instead of local authorization.
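The two configuration-side countermeasures on the IOS CLI, as an added example that is not from the original slides. The TACACS+ server address, shared key, management subnet and access-list number are placeholders.

```text
! Preferred: turn the HTTP server off entirely.
Router(config)# no ip http server

! If web management has to stay on: authenticate through AAA (TACACS+ here)
! instead of local authorization, and restrict which hosts may connect at all.
Router(config)# aaa new-model
Router(config)# tacacs-server host 192.0.2.10 key TacacsSharedKey
Router(config)# aaa authentication login default group tacacs+ local
Router(config)# ip http authentication aaa
Router(config)# access-list 10 permit 192.0.2.0 0.0.0.255
Router(config)# ip http access-class 10
```

The trailing "local" in the login method list is only a fallback for when the TACACS+ server is unreachable; a failed TACACS+ login does not fall through to local credentials. The access-class line limits the exposure to the management subnet even on a release that has not yet been patched.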
MACOF ATTACK
• When a Layer 2 switch receives a frame, it records the frame's source MAC address and ingress port in the CAM table, then looks up the destination MAC address in the same table.
• If an entry exists for the destination MAC address, the switch forwards the frame only to the port recorded for that address.
• If no entry exists for the destination, the switch floods the frame out every other port in the VLAN.
• This learn-and-flood mechanism is how switches build their CAM table, and it is exactly what macof (from the dsniff package) abuses: it floods the switch with frames carrying random source MAC addresses until the table is full, after which the switch can no longer learn legitimate addresses and floods their traffic to every port, including the attacker's.
COUNTERMEASURES
• If no protection against MAC address flooding (frames with spoofed source addresses) is configured, this attack succeeds.
• Protect the interface with port security, e.g. "switchport port-security maximum 3". Port security itself must be enabled on the interface as well; setting the maximum on its own does nothing.
• The port then shuts down (the default violation mode is shutdown, which puts the port into the err-disabled state) as soon as a fourth distinct MAC address is seen on it.
• Thus the attack is defeated.
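Added example, not code from the original slides: a Python model of the learn-and-flood behaviour described above, run once with no protection and once with port security allowing three addresses per port. The switch model, port names, MAC addresses and CAM capacity are constructed for illustration, and the model omits CAM aging. It covers both the mechanism in the MACOF ATTACK section and the countermeasure here; on a real Catalyst the equivalent interface configuration is switchport port-security followed by switchport port-security maximum 3.

```python
"""Simulate a learning switch's CAM table under a macof-style MAC flood, with
and without port security.

Added example, not code from the original slides. The switch model, port
names, MAC addresses and CAM capacity are constructed for illustration; real
switches also age entries out, which this model omits.
"""
import random


class Switch:
    """Minimal transparent bridge: one CAM table, optional port security."""

    def __init__(self, ports, cam_capacity, port_security_max=None):
        self.ports = list(ports)
        self.cam_capacity = cam_capacity            # learnable entries
        self.cam = {}                               # src MAC -> ingress port
        self.ps_max = port_security_max             # None: port security off
        self.secure_macs = {p: set() for p in self.ports}
        self.err_disabled = set()                   # ports shut down by a violation
        self.floods = 0                             # unknown-unicast floods seen

    def _learn(self, src, port):
        """Record src on port. Returns False if the frame must be dropped."""
        if self.ps_max is not None:
            seen = self.secure_macs[port]
            if src not in seen:
                if len(seen) >= self.ps_max:
                    # Violation: the default "shutdown" mode err-disables the port.
                    self.err_disabled.add(port)
                    return False
                seen.add(src)
        if src not in self.cam and len(self.cam) >= self.cam_capacity:
            return True      # table full: frame still forwarded, nothing learned
        self.cam[src] = port
        return True

    def receive(self, port, src, dst):
        """Handle a frame arriving on `port`; return the list of egress ports."""
        if port in self.err_disabled or not self._learn(src, port):
            return []
        out = self.cam.get(dst)
        if out is not None and out != port:
            return [out]
        self.floods += 1                 # unknown destination: flood
        return [p for p in self.ports if p != port]


def run_macof(switch, attacker_port, frames=5000, seed=1):
    """Flood `frames` frames with random source and destination MACs."""
    rng = random.Random(seed)

    def rand_mac():
        return ":".join(f"{rng.randrange(256):02x}" for _ in range(6))

    for _ in range(frames):
        switch.receive(attacker_port, rand_mac(), rand_mac())


def scenario(port_security_max=None):
    """Attacker on Fa0/3 floods, then host B (Fa0/2) and host A (Fa0/1) talk.
    Returns what the attacker's port ends up receiving."""
    sw = Switch(["Fa0/1", "Fa0/2", "Fa0/3"], cam_capacity=1024,
                port_security_max=port_security_max)
    mac_a, mac_b = "00:00:00:00:00:0a", "00:00:00:00:00:0b"
    run_macof(sw, "Fa0/3")
    sw.receive("Fa0/2", mac_b, mac_a)           # B speaks first; learnable only if room
    egress = sw.receive("Fa0/1", mac_a, mac_b)  # A -> B: unicast or flooded?
    return {
        "cam_entries": len(sw.cam),
        "attacker_port_disabled": "Fa0/3" in sw.err_disabled,
        "a_to_b_egress": egress,
        "attacker_sees_a_to_b": "Fa0/3" in egress,
    }


if __name__ == "__main__":
    print("no port security   :", scenario())
    print("port-security max 3:", scenario(port_security_max=3))
```

Without port security the 1024-entry table fills with the attacker's addresses, B can no longer be learned, and A's unicast to B is flooded out the attacker's port. With a maximum of three, the fourth random source address err-disables Fa0/3, the table stays small, and A's frame goes only to Fa0/2.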
CONCLUSION
• We have exploited some of these vulnerabilities.
• Many such vulnerabilities in network devices remain easy to exploit because system administrators are unaware of them or leave default settings in place.
• This lab aims to educate students about the threats and vulnerabilities present in network devices.
REFERENCES
• www.askapache.com
• www.tech-faq.com
• www.antionline.com
• www.cisco.com
• www.securityfocus.com/infocus/1734
• "Virtual LAN Security: weaknesses and countermeasures", GIAC Security Essentials Practical Assignment, Steve A. Rouiller
• "Hacking Exposed Cisco Networks: Cisco Security Secrets and Solutions", Andrew A. Vladimirov, Konstantin V. Gavrilenko, Janis N. Vizulis and Andrei A. Mikhailovsky
• www.arin.net
• http://www.cisco.com/warp/public/474/index.shtml
• http://www.modemsite.com/56k/x2-hyperterm.asp
• http://www.cisco.com/en/US/tech/tk389/tk390/tk181/tsd_technology_support_sub-protocol_home.html
• http://www.cisco.com/warp/public/473/63.html
• http://www.brandonhutchinson.com/installing_dsniff_2_3.html