Protecting your Cisco Infrastructure against the latest “Attacktecs™”

hardsweetlips, Networks and Communications

28 Oct 2013 (4 years and 13 days ago)

February 7, 2002, 13:30 - 14:45
Black Hat - Windows Security 2002
New Orleans, LA

Protecting your Cisco Infrastructure against the latest “Attacktecs™”

By Stephen Dugan, CCSI
scdugan@101labs.com

Introduction

Welcome to the presentation and thank you for coming!

Who is the speaker?
What is the focus of the presentation?
Why a talk on Cisco at a Windows show?
How will the material be presented?

Agenda

Introduction

Section 1 - Physical and Remote Access
  Initial Configuration
  Device Access Options
  Password Issues
  Management Protocols

Section 2 - Layer 2
  VLANs / Design
  STP / VTP / DTP
  Network Sniffing
  VLAN Hopping

Section 3 - Layer 3
  ACLs
  IP Routing Protocols
  HSRP

Section 1

Physical and Remote Access

Section 1 - Physical and Remote Access

Initial Configuration Commands
or… Commands that belong on all configurations

Turning off unused default features
Turning on features you should be using

Section 1 - Physical and Remote Access

Globally ON by default
  Echo
  Chargen
  Discard
  Finger
  Bootp
  Auto-Install
  IP Source-Routing
  DNS lookup

Attacktecs
  Lots of documented attacks and available tools!

Solutions
  Turn them all off

Reasoning
  Most are not used or needed
  Rarely used for legit purposes

RO(config)# no service tcp-small-servers
RO(config)# no service udp-small-servers
RO(config)# no service finger
RO(config)# no service config
RO(config)# no ip identd
RO(config)# no ip bootp server
RO(config)# no boot network
RO(config)# no ip domain-lookup

Section 1 - Physical and Remote Access

Interface level ON by default
  Unreachable messages
  Proxy-ARP
  Redirects
  Mask Replies
  Directed-broadcast (Before 12.0)

Attacktecs
  Lots of documented attacks and available tools!

Solutions
  Again…Turn them all off
  Should be done at ALL interfaces

Reasoning
  Most are not used or needed
  Rarely used for legitimate purposes today

RO(config-if)# no ip unreachables
RO(config-if)# no ip proxy-arp
RO(config)# no ip source-route     (global command, not per interface)
RO(config-if)# no ip redirects
RO(config-if)# no ip mask-reply
RO(config-if)# no ip directed-broadcast

Section 1 - Physical and Remote Access

General Features that should be turned ON
  Nagle (RFC 896)
  Login/MOTD Banners
  TCP-keepalives-in

Attacktecs
  Various DoS

Reasoning
  Banners for legal matters
  Nagle and TCP-KA can help in DoS attacks or high-volume interactive traffic

RO(config)# service nagle
RO(config)# service tcp-keepalives-in
RO(config)# banner motd ^
Get off my network! NOW!
(unless you work here)
YWBPTTFEOTL
^

Section 1 - Physical and Remote Access

Features that should be turned ON
  Cisco Express Forwarding
  Unicast Reverse Path Forwarding

Attacktecs
  DDoS Tools: TFN(2K), Trinoo, etc.
  See PacketStorm for updated DDoS

Solutions
  CEF will boost performance
  uRPF helps DDoS detection

Reasoning
  Source Address Verification
  Forced Asymmetric routing
  Use BGP Weight or Local Preference if Multi-Homed

ip cef
! "ip cef distributed" for RSP+VIP
interface serial 0/0
 ip address 192.168.8.1 255.255.252.0
 ip verify unicast reverse-path
ip route 0.0.0.0 0.0.0.0 Serial 0/0

(Diagram: Enterprise Network on Fa0/0, Upstream ISP / Internet on S0/0; a packet arriving from the Internet with Source = 192.168.11.45 is DROPPED)
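The strict uRPF decision from the diagram, worked through as an added example (this is my code, not the deck's). The routing table is constructed: the enterprise block 192.168.8.0/22 is reached via Fa0/0 and everything else via a default route out S0/0. The allow_default switch mirrors the IOS allow-default keyword, which is an assumption on my part; the slide does not mention it.

```python
"""Strict unicast Reverse Path Forwarding (uRPF) check.

A packet is forwarded only if the best route back to its source address
points out the interface the packet arrived on; otherwise it is dropped.
"""
import ipaddress

# Constructed routing table (not the slide's exact device): longest prefix wins.
# The enterprise block lives behind Fa0/0; everything else is reached via the
# default route out S0/0 toward the upstream ISP.
ROUTES = [
    ("192.168.8.0/22", "Fa0/0"),
    ("0.0.0.0/0", "S0/0"),
]


def best_route(src, allow_default=True):
    """Longest-prefix lookup of src; returns (network, interface) or None.

    IOS ignores the default route for the uRPF check unless the allow-default
    keyword is given (assumption), so the lookup can be told to skip it too.
    """
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, iface in ROUTES:
        net = ipaddress.ip_network(prefix)
        if net.prefixlen == 0 and not allow_default:
            continue
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def urpf_strict(src, ingress, allow_default=True):
    """Return 'FORWARDED' or 'DROPPED' for a packet from src entering on ingress."""
    route = best_route(src, allow_default)
    if route is None:
        return "DROPPED"            # no route back to the source at all
    return "FORWARDED" if route[1] == ingress else "DROPPED"


def audit_packets(packets, allow_default=True):
    """Run the check over (src, ingress) pairs; returns one verdict per packet."""
    return [(src, ingress, urpf_strict(src, ingress, allow_default))
            for src, ingress in packets]


if __name__ == "__main__":
    # Constructed sample packets; the first is the spoofed one from the diagram.
    sample = [
        ("192.168.11.45", "S0/0"),   # internal source arriving from the ISP: spoofed
        ("192.168.11.45", "Fa0/0"),  # same source on the enterprise side: fine
        ("203.0.113.5", "S0/0"),     # ordinary Internet source on the ISP link
        ("203.0.113.5", "Fa0/0"),    # internal host spoofing an Internet address
    ]
    for src, ingress, verdict in audit_packets(sample):
        print(f"{src:>15} in {ingress:<6} -> {verdict}")
```

Strict mode assumes the path back to a source is the path it arrived on, which is why the slide lists forced asymmetric routing and BGP weight / local preference under Reasoning: where the return path differs from the arrival interface, legitimate traffic is dropped as well.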

Section 1 - Physical and Remote Access

Device Access Options

Console
  Physical Access

AUX
  The Dial-in Backdoor

VTY
  Access for those Protocols we’ve stopped using for years!

Section 1 - Physical and Remote Access

Console
  Physical Access
  Use for initial configs
  Easy to avoid passwords

Attacktecs
  Password Recovery
  Theft of Equipment
  SOLD on Internet Auction Sites

Solutions
  Lock the Doors!
  Guards with M16s
  Secret IOS Command?!?!

Reasoning
  ALL Cisco devices can be compromised with Console

line con 0
 login
 password ClearText
 exec-timeout 3 0

username Steve password EncryptMe
line con 0
 login local
 exec-timeout 3 0

aaa new-model
tacacs-server key NotCleartext
aaa authentication login default tacacs+ local

Section 1 - Physical and Remote Access

AUX
  Dial-in Backdoor
  Used mostly for remote Dial-IN access for administrators
  Can be configured to Route Traffic for DDR

Attacktecs
  WarDial to find Number
  Use as a jumping point to launch other attacks

Solutions
  Unplug Modem until needed
  Strong Password Protection
  Timeouts and CD-DROP detect to avoid session theft

Reasoning
  Has good uses for solving network down type problems
  Same Security problems with all Dial type access

line aux 0
 login
 password ClearText
 exec-timeout 3 0

username Steve password EncryptMe
line aux 0
 login local
 exec-timeout 3 0

aaa new-model
tacacs-server key NotCleartext
aaa authentication login default tacacs+ local

Section 1 - Physical and Remote Access

VTY
  All Access
  Used mostly for telnet
  Supports LAT, MOP, rLogin, etc.

Attacktecs
  Flood router with Telnets
  MiTM: discover device password watching telnet traffic
  Reverse-Telnet (2000, 3000, 7000)

Solutions
  Use SSH & ACLs
  Turn off unused protocols
  Last resort...Turn off VTY access

Reasoning
  Standard for Cisco management
  SSH provides encryption for device management sessions

username Steve password ohSSH
ip domain-name router1.101labs.com
crypto key generate rsa
ip ssh time-out 60
ip ssh authentication-retries 2
access-list 2 permit host 10.1.1.1
line vty 0 4
 login local
 access-class 2 in
 transport input ssh     (Default is ALL)

Note: Cisco only uses SSH v1 and has an active advisory for SSH. Also has IOS support for SSH client. Limited platform support. Still A LOT better than cleartext telnet! See link section for more info.

Section 1 - Physical and Remote Access

Password Issues
  User, Privileged, and custom access
  Implications of “No Password”
  MD5 and Password Encryption
  Password Recovery

Section 1 - Physical and Remote Access

User Exec - Level 1 - Router>
  Can Look at various tables ARP, BGP, Routing etc.
  Can do simple PINGs
  Telnet to other places (Jump off point)

Privilege Exec - Level 15 - Router#
  Essentially “Root” Access for IOS Device
  All Functions Available

Custom Levels - Levels 2-14 - Router#
  Set using Username/Password or AAA
  Privilege Levels inherit lower levels unless denied.
  Useful in large environments with different experience levels and job functions of Techs.

Section 1 - Physical and Remote Access

Implications of “No Password”

Login Command on VTY Line will force the Router to Ask for Password even if none is configured. This is the default.

Login combined with no password on CON/AUX allows login without challenge

To disable CON or AUX use:

line aux 0
 transport input none
 transport output none
 no exec

Section 1 - Physical and Remote Access

MD5 and Password Encryption

Most Passwords stored on Cisco IOS Device configs are in Clear Text.

Using the “Service Password-Encryption” command will weakly, type 7, encrypt your passwords. (You could decrypt them with Pen&Paper in 40 minutes)

The Enable SECRET password is MD5. You should use this for Privilege Exec. Access.

service password-encryption
hostname Router-1
no enable password
enable secret 5 $1$y/fP$O.MMCCsH8leilgoRUwBxk1

Use Type 5 (MD5) for any passwords that let you.
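An added example (my code, not the deck's) that checks a saved running-config against the items from the preceding slides in one pass: the "Globally ON by default" and "Interface level ON by default" services that should be off, the services that should be on, SSH-only VTY access behind an access-class, and the password-storage rules on this slide. The sample config is constructed; the only value taken from the deck is the enable secret hash shown above. The type 7 string and the "no service ..." matching are assumptions about how the config is rendered (IOS omits some defaults from the output, so "not explicitly disabled" is a prompt to verify, not proof the service is on).

```python
"""Audit an IOS running-config for the hardening items on these slides: services
to turn off globally and per interface, services to turn on, SSH-only VTY access
behind an access-class, and how passwords are stored."""
import re

# Constructed sample config (not from a real device); it mixes hardened and
# unhardened settings so that each kind of finding appears at least once.
SAMPLE_CONFIG = """\
service nagle
no service tcp-small-servers
service udp-small-servers
service finger
no ip source-route
ip domain-lookup
enable password Cleartext
enable secret 5 $1$y/fP$O.MMCCsH8leilgoRUwBxk1
username Steve password 7 0123456789AB
interface FastEthernet0/0
 ip address 10.1.1.1 255.255.255.0
 no ip unreachables
 no ip proxy-arp
 no ip redirects
 no ip mask-reply
 no ip directed-broadcast
interface Serial0/0
 ip address 192.168.8.1 255.255.252.0
line vty 0 4
 login local
 transport input telnet ssh
line vty 5 15
 access-class 2 in
 transport input ssh
 login local
"""

GLOBAL_MUST_BE_OFF = ["service tcp-small-servers", "service udp-small-servers",
                      "service finger", "service config", "ip identd",
                      "ip bootp server", "boot network", "ip domain-lookup",
                      "ip source-route"]
GLOBAL_MUST_BE_ON = ["service nagle", "service tcp-keepalives-in",
                     "service password-encryption"]
INTERFACE_MUST_BE_OFF = ["ip unreachables", "ip proxy-arp", "ip redirects",
                         "ip mask-reply", "ip directed-broadcast"]


def parse_config(text):
    """Split a config into global lines and {section header: child lines}."""
    global_lines, sections, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.startswith("!"):
            continue
        if line[0].isspace():                     # indented: child of open section
            if current is not None:
                sections[current].append(line.strip())
            continue
        current = None
        global_lines.append(line)
        if re.match(r"(interface|line) ", line):  # headers that open a section
            current = line
            sections[current] = []
    return global_lines, sections


def audit(text):
    """Return a list of findings (strings) for the config text."""
    findings = []
    global_lines, sections = parse_config(text)
    gset = set(global_lines)
    for feature in GLOBAL_MUST_BE_OFF:
        if feature in gset:
            findings.append(f"global: {feature} is explicitly enabled")
        elif f"no {feature}" not in gset:
            findings.append(f"global: {feature} not explicitly disabled")
    findings += [f"global: {x} is missing" for x in GLOBAL_MUST_BE_ON if x not in gset]
    # enable secret (type 5) beats enable password; 'username ... password' is
    # cleartext or reversible type 7, only 'username ... secret' is MD5.
    if any(l.startswith("enable password") for l in gset):
        findings.append("password: enable password present (use enable secret)")
    if not any(l.startswith("enable secret") for l in gset):
        findings.append("password: no enable secret configured")
    for line in global_lines:
        if m := re.match(r"username (\S+) password (7 )?", line):
            kind = "type 7 (reversible)" if m.group(2) else "cleartext"
            findings.append(f"password: username {m.group(1)} uses {kind} password")
    for header, body in sections.items():
        if header.startswith("interface"):
            findings += [f"{header}: {x} still on" for x in INTERFACE_MUST_BE_OFF
                         if f"no {x}" not in body]
        elif header.startswith("line vty"):
            transport = next((l for l in body if l.startswith("transport input")),
                             "transport input all")    # IOS default when absent
            if transport != "transport input ssh":
                findings.append(f"{header}: {transport} (want transport input ssh)")
            if not any(l.startswith("access-class ") and l.endswith(" in") for l in body):
                findings.append(f"{header}: no inbound access-class")
    return findings


if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONFIG)))
```

Run it against a `show running-config` capture; every finding maps to one command on the preceding slides. The check is deliberately literal (exact lines), so abbreviated or differently ordered commands in a hand-typed config will show up as findings until they are written the way IOS itself renders them.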

Section 1 - Physical and Remote Access

Password Recovery

As simple as...
  Power Cycle
  Break Key
  confreg or o/r 0x2142

Secret IOS Command (some devices)
  “No Service Password-Recovery”
  Break Key after Power Cycle will give you a “Factory Default <y/n>” question.

Section 1 - Physical and Remote Access

Management Protocols

CDP
  How they Discover your network

SNMP
  More holes than Swiss cheese

NTP
  What Time did they break in?

SYSLOG
  Another Ignored Log

Loopbacks
  Interfaces that don’t go Down

Section 1 - Physical and Remote Access

CDP
  Cisco Discovery Protocol
  Used to discover the network
  L2 Messages Sent every 60 seconds
  Will discover Device name, IOS revision, L3 addresses, Native VLAN and more.
  Default is ON for all ports/interfaces

Attacktecs
  Everyone can discover your network
  DoS attack discovered by FX
  Info can be used in a variety of ways

Solutions
  Turn it off Globally
  Turn it off at a port/interface
  Leave it on in the Management VLAN

Reasoning
  Not needed unless you’re actively discovering the network
  Required for CiscoWorks 2000

RO(config)# no cdp run
RO(config-if)# no cdp enable
SW> (enable) set cdp disable <mod/port>
(omitting the <mod/port> turns off CDP for the entire Switch)

Section 1 - Physical and Remote Access

SNMP V1 & V2
“Simple Net-attacks Made Possible”

Main Problems
  Uses community strings that are stored/sent in cleartext
  Many times left unchanged/default as Public/Private
  Many Freeware SNMP tools used for hacking

If it must be used
  Don’t enable a RW string
  Use ACL
  Use V3 if RW is needed

access-list 1 permit host 10.1.1.1
access-list 1 deny any log-input
snmp-server community not-public ro 1

Section 1 - Physical and Remote Access

SYSLOG
  Default is console logging only
  Stop Console logging
  Send messages to syslog server.

NTP
  Gets time from trusted source
  Attach Timestamps to logs

clock timezone MST -7
clock summer-time MST recurring
ntp authenticate
ntp authentication-key 1 md5 AtTheTone
ntp trusted-key 1
ntp access-group peer 3
ntp server 192.168.254.57 key 1
access-list 3 permit host 192.168.254.57
access-list 3 deny any log
service timestamps log datetime localtime
logging 10.1.1.1
no logging console

Section 1 - Physical and Remote Access

Loopback interfaces
  Loopbacks are internal/software interfaces
  Never go down
  Can be assigned L3 addresses
  Router-ID for OSPF/BGP
  Source IP Address in Packets
    Telnet/SSH
    SNMP
    SYSLOG
    TFTP / FTP

interface loopback 0
 ip address 192.168.1.1 255.255.255.0
ip telnet source-interface loopback 0
ip tftp source-interface loopback 0
ip ftp source-interface loopback 0
logging source-interface loopback 0
router ospf 1
 router-id 192.168.1.1
router bgp 65410
 bgp router-id 192.168.1.1

Section 1 - Physical and Remote Access

Catalyst Switch Options
  Password Commands
  Telnet / S SH Connection Options
  NTP, SYSLOG, SNMP

Section 1 - Physical and Remote Access

Catalyst Switch Passwords
  Passwords for User and Enable modes

Attacktecs
  Password Recovery
    Power off.
    Passwords Cleared for first 60 Seconds
    Must Be Attached to Console

Solutions
  Use Difficult Passwords
  Limit Physical Access

set password (hit Return)
  Old Password: *.Eat@JoE$^^_
  New Password: JoE$F0Od_Stnks
  Retype Password: JoE$F0Od_Stnks

set enable (Hit Return)
  Old Enablepass: Stay!0Ff_My-C@
  New Enablepass: C@_iN_Da_H@
  Retype: C@_iN_Da_H@

Section 1 - Physical and Remote Access

NEW ALERT for CAT Switches 1/29/02
  ALL Catalysts Running “Set based IOS” are Vulnerable to DoS attack
  Fix by new Code 2/5/02
  Use SSH and IP Permit

set crypto key rsa 1024
set ip permit enable ssh
show crypto key
show ip permit
set ip http server disable

Catalyst Switch Management
  Same management methods as IOS Router

Attacktecs
  BSD Telnet DoS Attack
  Discover device configs and password watching telnets or HTTP traffic

Solutions
  Use SSH & IP Permit Lists
  Shut off HTTP Access
  Last resort...Turn off Telnet
  OR… Don’t configure IP on Switch

Section 1 - Physical and Remote Access

NTP, SYSLOG on CATs

Cisco Recommends modifying some of the logging levels based on environment conditions

NTP configuration is very similar to the configuration commands on Router IOS.

set logging server <IP address>
set logging timestamp enable
set logging level spantree 6 default
set logging level sys 6 default
set logging server severity 4
set logging console disable
set ntp client enable
set ntp server <address of server>
set ntp authentication enable
set ntp key <key>
set ntp timezone <zone name>
set ntp summertime <details>

Section 2

Layer 2 - Switching

Section 2 - Layer 2 - Switching

VLANS
  Good Design
    Simplifies Security
  Default VLANS
    1, 1001-1005
  Management VLAN
    Defaults to VLAN1

Section 2 - Layer 2 - Switching

Design Philosophies
  Spanning Tree = BAD
  Routing = GOOD
  KISP
  Plan with security in mind

Section 2 - Layer 2 - Switching

Good Design! / Bad Design!!!!

(Diagram: a “Switch Block” on the good-design side, a “Redundant Rats nest” on the bad-design side)

Section 2 - Layer 2 - Switching

VLANs
  VLAN 1
    The dead VLAN
  VLANs 1001-1005
    The dead technology VLANs
  Clear Trunks of these VLANs
  Can’t remove them from switches

Section 2 - Layer 2 - Switching

Management VLAN - Defaults to VLAN 1
  Change this on all switches to a Random Number (the same number for all switches)
  NO USER Traffic
    Don’t Assign to User Ports
    ACL to block them!
  Used for Anything your users shouldn’t see
    IP Routing
    CDP (if you didn’t want to turn it off)
    VTP
    MLSP

Section 2 - Layer 2 - Switching

Management VLAN (cont..)
  Runs on all switches in the block
  Use 1 Management VLAN per block
  Trunked with User VLANs on these Links
  Should be the only VLAN on this link

Section 2 - Layer 2 - Switching

STP / VTP / DTP
  Spanning Tree Issues
  VLAN Trunking Protocol
    The “A” DoS
  Dynamic Trunking Protocol
    To Trunk or not to Trunk?…that is the question.

Section 2 - Layer 2 - Switching

Spanning Tree Protocol
  For loop prevention in an Ethernet Network
  Works by electing a “root bridge”
  Sends messages Via BPDUs

Attacktecs include
  Forced takeover as ROOT bridge
  BPDU Flood attack
  BPDU Change Notification flag (Unintentional side effect of a switched network)

Solutions
  Force user ports not to send/receive BPDUs
  Portfast & BPDU-Guard

Section 2 - Layer 2 - Switching

VTP
  VLAN Trunking Protocol
  Used to Maintain VLAN database consistency
  Could be used for attack to add/delete VLANs
  Risky to use under normal conditions
  Required by some CATs to create VLANS

Solution
  Set all switches to VTP Transparent Mode
  Set Password to avoid mis-configuration / attacks

Section 2 - Layer 2 - Switching

Dynamic Trunking Protocol
“To Trunk or not to Trunk”
  All Switch 100mb ports are set to AUTO
  Connecting AUTO-AUTO ports doesn’t Trunk
  Connecting AUTO-ON ports does Trunk

Attacktecs
  802.1Q tag manipulation
  Access to all VLANs without Router

Solution
  Set all non-trunk ports to DTP OFF mode
  Force Users to 10MB (Lead Balloon?!?!)

Section 2 - Layer 2 - Switching

CAT OS Commands

set port host <mod/port>
  Batch command that configures
    Trunking to OFF
    Portfast ON

set port disable <mod/port>
set spantree portfast bpdu-guard enable
set spantree guard root 1/1

Section 2 - Layer 2 - Switching

VLAN “Hopping”
  Works by injecting modified 802.1q tags
  Can effectively pass traffic to other VLANs without a router.

Solutions
  Set Native VLANs on trunk ports to an unused VLAN and not VLAN 1
  set port vlan <vlan#> <mod/port>
  Remember the native VLAN must match on both sides of the trunk

Section 2 - Layer 2 - Switching

Network Sniffing with Switch Ports

(Diagram: attacker host “H” on the same switch as a PC and a Server)

Attacker running ARP spoofing tool with bridging software

Sends continuous ARP replies telling the PC he’s the Server and the Server that he’s the PC. Traffic is bridged for PC/SERVER to maintain connection.

Solutions:
  Private VLANs?
  Host IDS!

Section 2 - Layer 2 - Switching

Flooding switch with MAC Addresses
or…. How to make a switch act like a hub.

(Diagram: attacking host “H” on a switch port)

Attacking host PC launches attack that floods the CAM table on the switch, using all allocated CAM memory. Switch then forwards all traffic like unknown unicasts.

Solutions:
  Port Security
  Max Mac Count 1
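The CAM exhaustion described above and the effect of the "Max Mac Count 1" port-security setting, modelled on a toy learning switch. This is an added example of my own, not code from the deck; the MAC addresses, port numbers and CAM capacity are constructed, and the switch model is simplified (no VLANs, no aging timer beyond an explicit age-out call).

```python
"""Toy learning switch: a full CAM turns frames for unknown destinations into
floods, and port security with a one-MAC limit stops that at the attacker's port."""


class Switch:
    """Learning switch with a fixed CAM capacity and an optional per-port MAC limit."""

    def __init__(self, ports, cam_capacity, max_macs=None):
        self.ports = list(ports)
        self.cam = {}              # learned source MAC -> port
        self.capacity = cam_capacity
        self.max_macs = max_macs   # port-security limit per port, None = off
        self.disabled = set()      # ports err-disabled by a violation

    def receive(self, src_mac, dst_mac, ingress):
        """Learn src_mac on ingress, then return the list of egress ports."""
        if ingress in self.disabled:
            return []
        if src_mac not in self.cam:
            learned_here = sum(1 for p in self.cam.values() if p == ingress)
            if self.max_macs is not None and learned_here >= self.max_macs:
                self.disabled.add(ingress)   # violation: shut the port down
                return []
            if len(self.cam) < self.capacity:
                self.cam[src_mac] = ingress  # a full CAM simply stops learning
        out = self.cam.get(dst_mac)
        if out is None:                      # unknown unicast or broadcast: flood
            return [p for p in self.ports if p != ingress]
        return [out] if out != ingress else []

    def age_out(self, mac):
        """Expire a CAM entry, as the switch does when its aging timer runs out."""
        self.cam.pop(mac, None)


# Constructed addresses for the scenario.
SERVER, PC, BCAST = "aa:aa:aa:aa:aa:01", "bb:bb:bb:bb:bb:01", "ff:ff:ff:ff:ff:ff"


def flood_scenario(max_macs=None):
    """Server on port 1, PC on port 2, flooding host on port 3.

    Returns (ports that receive the PC's frame to the server, err-disabled ports).
    """
    sw = Switch(ports=[1, 2, 3], cam_capacity=16, max_macs=max_macs)
    sw.receive(SERVER, BCAST, 1)
    sw.receive(PC, BCAST, 2)
    fakes = ["02:00:00:00:%02x:%02x" % (i >> 8, i & 0xFF) for i in range(201)]
    for mac in fakes[:200]:           # host on port 3 sprays bogus source MACs
        sw.receive(mac, BCAST, 3)
    sw.age_out(SERVER)                # the server's entry expires...
    sw.receive(fakes[200], BCAST, 3)  # ...and a bogus address takes the free slot
    sw.receive(SERVER, PC, 1)         # server cannot be re-learned while CAM is full
    return sw.receive(PC, SERVER, 2), sorted(sw.disabled)


if __name__ == "__main__":
    print("no port security:        ", flood_scenario())
    print("port security, max 1 MAC:", flood_scenario(max_macs=1))
```

Without the limit the PC's frame to the server reaches port 3 as well, which is the "switch acts like a hub" outcome on the slide; with max_macs=1 the second bogus source on port 3 err-disables that port, the CAM never fills, and the frame goes only to port 1.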

Section 3

Layer 3 - Routing

Section 3 - Layer 3 - Routing

Access Control Lists
  Standard / Extended / Named
  Context Based (CBAC)
  Other

Section 3 - Layer 3 - Routing

IP Standard ACLs
  IP Source Address Based only
  Variety of uses (Not just packet filtering)
  1-99, 1300 to 1999 range

IP Extended ACLs
  Looks at
    Source & Destination IP
    Source & Destination Ports
    Protocol
    SYN/RST bit (Established)
  Can be Logged - Log or Log-input (timestamp and packet info)
  100-199, 2000-2699 Range

IP Named ACLs
  Same as STD or EXT except with a Name instead of a number.
  Can remove a single List entry without removing Whole ACL

Section 3 - Layer 3 - Routing

Context Based Access Control (CBAC)
AKA Cisco IOS Firewall Feature set

Creates dynamic inbound ACE entries based upon egress traffic.

(Diagram: an IP Packet leaving toward the Internet through an interface whose Inbound Base ACL is “Deny any”)

As Packet exits a short lived dynamic ACE is added to the beginning of the base ingress ACL, allowing return traffic.
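An added example (my code, not the deck's) covering the extended ACL slide and this CBAC slide together: a small evaluator for IOS-style extended ACL entries (first match wins, implicit deny, the established keyword looking at the ACK/RST bit) and a stateful wrapper that, as described above, prepends a short-lived permit entry for the return flow of each session seen leaving. The ACL lines and packets are constructed; only numeric ports and contiguous wildcard masks are parsed, and the dynamic entries never expire, which a real CBAC timer would handle.

```python
"""Evaluate IOS-style extended ACLs (first match wins, implicit deny) and a
CBAC-style stateful wrapper that adds temporary return-traffic entries."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack: bool = False   # ACK or RST set: what the 'established' keyword tests


def _host(ip):
    return ipaddress.ip_network(ip + "/32")


def _addr(tokens):
    """Consume one address spec: any | host A.B.C.D | A.B.C.D WILDCARD."""
    t = tokens.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if t == "host":
        return _host(tokens.pop(0))
    wildcard = int(ipaddress.ip_address(tokens.pop(0)))
    netmask = str(ipaddress.ip_address(~wildcard & 0xFFFFFFFF))
    return ipaddress.ip_network((t, netmask), strict=False)


def _port(tokens):
    """Consume an optional 'eq N' port qualifier."""
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        return int(tokens.pop(0))
    return None


def parse_ace(line):
    """Parse 'access-list N permit|deny PROTO SRC [eq P] DST [eq P] [established] [log]'."""
    tokens = line.split()
    action, proto, rest = tokens[2], tokens[3], tokens[4:]
    src, sport = _addr(rest), _port(rest)
    dst, dport = _addr(rest), _port(rest)
    return dict(action=action, proto=proto, src=src, sport=sport, dst=dst,
                dport=dport, established="established" in rest,
                log=any(t.startswith("log") for t in rest))


def matches(ace, pkt):
    if ace["proto"] not in ("ip", pkt.proto):
        return False
    if ipaddress.ip_address(pkt.src) not in ace["src"]:
        return False
    if ipaddress.ip_address(pkt.dst) not in ace["dst"]:
        return False
    if ace["sport"] is not None and ace["sport"] != pkt.sport:
        return False
    if ace["dport"] is not None and ace["dport"] != pkt.dport:
        return False
    if ace["established"] and not (pkt.proto == "tcp" and pkt.ack):
        return False
    return True


def evaluate(acl, pkt):
    """First matching entry decides; every IOS ACL ends in an implicit deny."""
    for ace in acl:
        if matches(ace, pkt):
            return ace["action"]
    return "deny"


class Cbac:
    """Inbound base ACL plus short-lived dynamic entries created from egress traffic."""

    def __init__(self, base_acl):
        self.base = base_acl
        self.dynamic = []

    def egress(self, pkt):
        """A session leaving the network earns a permit entry for its reverse flow."""
        self.dynamic.append(dict(action="permit", proto=pkt.proto,
                                 src=_host(pkt.dst), sport=pkt.dport,
                                 dst=_host(pkt.src), dport=pkt.sport,
                                 established=False, log=False))

    def ingress(self, pkt):
        return evaluate(self.dynamic + self.base, pkt)   # dynamic entries first


if __name__ == "__main__":
    fw = Cbac([parse_ace("access-list 110 deny ip any any log")])
    fw.egress(Packet("tcp", "10.1.1.5", "203.0.113.9", 40000, 80))
    print(fw.ingress(Packet("tcp", "203.0.113.9", "10.1.1.5", 80, 40000, ack=True)))
    print(fw.ingress(Packet("tcp", "203.0.113.9", "10.1.1.5", 80, 40001, ack=True)))
```

The contrast with the established keyword is the point of the two slides: an "established" entry lets in any TCP segment with ACK or RST set from anywhere, whereas the CBAC entry is bound to the exact addresses and ports of a session that was actually opened from inside.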

Section 3 - Layer 3 - Routing

Other IP ACL types
  Reflexive
  Dynamic
  Time-based

Other ACLs
  IPX
  AppleTalk
  MAC
  NetBIOS
  VACLs

Section 3 - Layer 3 - Routing

IP Routing Protocols

RIP
  May it Rest in Peace (PLEASE!!!)
IGRP
  I’d rather run RIP first
EIGRP
  Simple and Powerful
OSPF
  You Stubbed your what?

Section 3 - Layer 3 - Routing

RIP

V1
  Classful IP (no VLSM or CIDR)
  Broadcasts every 30 sec.
  Cleartext Passwords
  Any IP product that has “Routing” features supports it
  Too many security problems to fix.

V2
  Classless
  Uses Multicasts every 30 seconds
  MD5 passwords
  Wide support
  Still vulnerable to attacks

“You can tie on a pretty ribbon and give it some makeup… but it’s still the same old RIP”

Section 3 - Layer 3 - Routing

Setting RIP V2 with Key-chain

key chain MyKey
 key 1
  key-string 1234
!
interface Ethernet0
 ip address 192.168.1.1 255.255.255.0
 ip rip authentication mode md5
 ip rip authentication key-chain MyKey
!
router rip
 version 2
 network 192.168.1.0
 passive-interface default
 no passive-interface E0

(Diagram: two routers connected via their E0 interfaces)

Section 3 - Layer 3 - Routing

IGRP
  Cisco Proprietary
  Uses (Lowest) Bandwidth and Delay for metrics
  Classful
  Broadcasts every 90 sec.
  Converges SLOWER than RIP
  NO SECURITY
  Still out there because of the CCNA program….

Solution.. Modify your configs and add the “E”

Section 3 - Layer 3 - Routing

Enhanced IGRP (EIGRP)
  Acts like a LS Routing protocol when
    Discovering neighbors
    Maintaining neighbors
    Exchanging Routes
  Acts like a DV Routing protocol for Calc. metrics
  Uses Lowest Bandwidth and Delay like IGRP
  Classless
  MD5 Passwords checked before creating neighbors
  Fewer constraints than OSPF
  Doesn’t force good design
  Can go Query Crazy

Section 3 - Layer 3 - Routing

EIGRP with Authentication (Key-Chain)

router eigrp 1
 network 192.168.1.0
 passive-interface default
 no passive-interface E0
!
interface E0
 ip address 192.168.1.1 255.255.255.0
 ip authentication mode eigrp 1 md5
 ip authentication key-chain eigrp 1 keyname
!
key chain keyname
 key 1
  key-string 0987654321
  accept-lifetime infinite

(Diagram: two routers connected via their E0 interfaces)
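What the key-chain configuration on the RIP V2 slide and on this EIGRP slide buys a receiving router, as an added example of my own (not the deck's): a key chain whose keys carry an accept-lifetime, a keyed-MD5 digest over the update, and the verification a neighbor performs before it accepts routes. The key string "1234" and chain name MyKey are the RIP slide's; the second key, the update payload and the timestamps are constructed, and the digest construction is a simplification in the spirit of RFC 2082 rather than either protocol's exact wire format.

```python
"""Key-chain authentication for routing updates, as the RIPv2 and EIGRP slides
configure it: a keyed-MD5 digest over the update, selected by a key id whose
accept-lifetime is checked before the key is used."""
import hashlib
import hmac
from dataclasses import dataclass


@dataclass
class Key:
    key_id: int
    key_string: str
    accept_start: float = 0.0           # leaving both bounds at their defaults
    accept_end: float = float("inf")    # is 'accept-lifetime infinite'


class KeyChain:
    def __init__(self, name, keys):
        self.name = name
        self.keys = keys

    def key_for(self, key_id, now):
        """Return the key with this id if 'now' falls inside its accept-lifetime."""
        for k in self.keys:
            if k.key_id == key_id and k.accept_start <= now <= k.accept_end:
                return k
        return None


def digest(update, key_string):
    """Keyed MD5 in the spirit of RFC 2082: the secret is padded to 16 bytes and
    hashed together with the update. Simplified, not the byte-exact wire format."""
    padded = key_string.encode()[:16].ljust(16, b"\0")
    return hashlib.md5(update + padded).digest()


def sign_update(update, key_id, chain, now):
    """What the sending router attaches to an update."""
    key = chain.key_for(key_id, now)
    if key is None:
        raise ValueError(f"key {key_id} is not usable at t={now}")
    return {"key_id": key_id, "update": update,
            "digest": digest(update, key.key_string)}


def verify_update(msg, chain, now):
    """What a receiving neighbor does before accepting routes from the update."""
    key = chain.key_for(msg["key_id"], now)
    if key is None:
        return "rejected: unknown or expired key id"
    if not hmac.compare_digest(digest(msg["update"], key.key_string), msg["digest"]):
        return "rejected: digest mismatch"
    return "accepted"


# Constructed chain: key 1 is the slide's MyKey / 1234; key 2 only becomes
# acceptable at t=1000 so that a key rollover can be shown.
MYKEY = KeyChain("MyKey", [Key(1, "1234"), Key(2, "n3wKey!", accept_start=1000)])
UPDATE = b"RIPv2 response: 192.168.1.0/24 metric 1"    # constructed payload


if __name__ == "__main__":
    msg = sign_update(UPDATE, 1, MYKEY, now=10)
    print(verify_update(msg, MYKEY, now=10))
    forged = dict(msg, update=b"RIPv2 response: 0.0.0.0/0 metric 1")
    print(verify_update(forged, MYKEY, now=10))
```

The digest proves the sender knew the key string and that the update was not altered in transit; it does not stop replay of an old update or help once the key string itself has leaked, which is part of why the RIP slide still calls V2 "vulnerable to attacks" with MD5 turned on.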

Section 3 - Layer 3 - Routing

OSPF
  Industry Open Standard
  Can be Complex
  Classless
  Supports MD5 Password protection
  Forces good design (sometimes)

Section 3 - Layer 3 - Routing

OSPF with Authentication

router ospf 1
 network 192.168.1.1 0.0.0.0 area 0
 area 0 authentication message-digest
!
interface E0
 ip address 192.168.1.1 255.255.255.0
 ip ospf message-digest-key 1 md5 5 myOSPFpass

(Diagram: two routers connected via their E0 interfaces)

Section 3 - Layer 3 - Routing

HSRP
  Hot Swappable ROUTER Protocol
  Designed to maintain High Availability of GWs
  HSRP is Cisco Proprietary
  VRRP is the new IETF standard
  Works by sending hello messages between routers to Elect Active and standby Routers
  Is Vulnerable to attack when configured correctly

Section 3 - Layer 3 - Routing

HSRP Attacktecs

(Diagram: an Active and a Standby router in front of the Enterprise Network or Internet, with a PC on the same segment)

Attack sent to make PC appear as an HSRP Router and to “preempt” ACTIVE status

Used as DoS or MiTM

Section 3 - Layer 3 - Routing

Solutions to HSRP Attack
  Set HSRP PRIORITY to 255 on both routers
  ACTIVE Router gets Highest IP in SUBNET, Standby gets Second Highest, Virtual Gets Third
  Modify the default MAC Address created for HSRP
  Create ACL to only permit the HSRP traffic between the appropriate routers (MLS implications…)
  Have switches only send 224.0.0.2 (0000.5E00.0002) to ports that will have Routers

Caveat: Doing this will force you to disable CGMP or IGMP Snooping; don’t use this last one if you’re using Multicasting in your network.
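Why the first two items on this slide work together, as an added example (my code, not the deck's): the HSRP election ranks routers by priority and breaks ties on the higher IP address, and a router only preempts when it outranks the current active router. The subnet layout is constructed to follow the slide's recipe; the IOS default priority of 100 is used for the unhardened comparison.

```python
"""HSRP active/standby election and the preemption rule the slide's defenses rely on."""
import ipaddress


def election_key(router):
    """Higher priority wins; ties go to the higher IP address."""
    return (router["priority"], int(ipaddress.ip_address(router["ip"])))


def elect(routers):
    """Return (active, standby) names for one HSRP group."""
    ranked = sorted(routers, key=election_key, reverse=True)
    return ranked[0]["name"], ranked[1]["name"]


def can_preempt(challenger, active):
    """A router takes over only if it outranks the current active router."""
    return election_key(challenger) > election_key(active)


# Constructed subnet 10.0.0.0/24 laid out as the slide recommends: both routers
# at priority 255, the active one on the highest address, standby on the next,
# with the virtual address below both (10.0.0.252 in this layout).
HARDENED = [
    {"name": "R1", "ip": "10.0.0.254", "priority": 255},
    {"name": "R2", "ip": "10.0.0.253", "priority": 255},
]
# The same two routers left at the IOS default priority of 100.
DEFAULTS = [dict(r, priority=100) for r in HARDENED]
# A host elsewhere in the subnet announcing itself with the maximum priority.
CHALLENGER = {"name": "host", "ip": "10.0.0.77", "priority": 255}


def assess(routers, challenger=CHALLENGER):
    """Elect active/standby and report whether the challenger would take over."""
    active, standby = elect(routers)
    current = next(r for r in routers if r["name"] == active)
    return {"active": active, "standby": standby,
            "preempted": can_preempt(challenger, current)}


if __name__ == "__main__":
    print("defaults:", assess(DEFAULTS))
    print("hardened:", assess(HARDENED))
```

With both routers at 255 and holding the two highest addresses, no other host on the segment can produce a higher (priority, address) pair, so the election cannot be won from outside; the ACL and the switch-side restriction of 224.0.0.2 on the same slide are what keep the hellos from being delivered in the first place.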

Links

General Cisco Security
  http://www.cisco.com/warp/public/707/21.html#http
  http://www.cisco.com/public/cons/isp/documents/IOSEssentialsPDF.zip
  http://www.cisco.com/warp/public/cc/so/cuso/epso/sqfr/safe_wp.htm

DDoS
  http://packetstormsecurity.nl/distributed/
  http://www.cisco.com/warp/public/707/newsflash.html

Design
  http://www.dcug.org/prezos/DCUG-Campus1-25-2001.zip

SSH
  http://www.cisco.com/warp/public/707/SSH-multiple-pub.html
  http://www.cisco.com/warp/public/707/ssh.shtml

Thank you for coming!!

Special thanks to

Jeff Moss, Keith Myers and the rest
of the Black Hat Crew.

Tony and SPuD for beginning
101labs with me.