Protecting your Cisco Infrastructure against the latest “Attacktecs™”
By Stephen Dugan, CCSI
scdugan@101labs.com
Black Hat - Windows Security 2002, New Orleans, LA
Introduction
Welcome to the presentation and thank you for coming!
• Who is the speaker?
• What is the focus of the presentation?
• Why a talk on Cisco at a Windows show?
• How will the material be presented?
Agenda
Section 1 – Physical and Remote Access
• Initial Configuration
• Device Access Options
• Password Issues
• Management Protocols
Section 2 – Layer 2
• VLANs / Design
• STP / VTP / DTP
• Network Sniffing
• VLAN Hopping
Section 3 – Layer 3
• ACLs
• IP Routing Protocols
• HSRP
Section 1 – Physical and Remote Access
Initial Configuration Commands or… commands that belong on all configurations
• Turning off unused default features
• Turning on features you should be using
Globally ON by default
  RO(config)# no service tcp-small-servers
  RO(config)# no service udp-small-servers
  RO(config)# no service finger
  RO(config)# no service config
  RO(config)# no ip identd
  RO(config)# no ip bootp server
  RO(config)# no boot network
  RO(config)# no ip domain-lookup
• Globally ON by default
  • Echo
  • Chargen
  • Discard
  • Finger
  • Bootp
  • Auto-Install
  • IP Source-Routing
  • DNS lookup
• Attacktecs
  • Lots of documented attacks and available tools!
• Solutions
  • Turn them all off
• Reasoning
  • Most are not used or needed
  • Rarely used for legitimate purposes
Interface level ON by default
  RO(config-if)# no ip unreachables
  RO(config-if)# no ip proxy-arp
  RO(config-if)# no ip redirects
  RO(config-if)# no ip mask-reply
  RO(config-if)# no ip directed-broadcast
  RO(config)# no ip source-route          (global command, not an interface command)
• Interface level ON by default
  • Unreachable messages
  • Proxy-ARP
  • Redirects
  • Mask replies
  • Directed-broadcast (before 12.0)
• Attacktecs
  • Lots of documented attacks and available tools!
• Solutions
  • Again… turn them all off
  • Should be done on ALL interfaces
• Reasoning
  • Most are not used or needed
  • Rarely used for legitimate purposes today
General features that should be turned ON
  RO(config)# service nagle
  RO(config)# service tcp-keepalives-in
  RO(config)# banner motd ^
  Get off my network! NOW! (unless you work here)
  YWBPTTFEOTL
  ^
• General features that should be turned ON
  • Nagle (RFC 896)
  • Login/MOTD banners
  • TCP keepalives-in
• Attacktecs
  • Various DoS
• Reasoning
  • Banners for legal matters
  • Nagle and TCP keepalives can help in DoS attacks or with high-volume interactive traffic
Features that should be turned ON
  ip cef
  ! "ip cef distributed" for RSP+VIP
  interface serial 0/0
   ip address 192.168.8.1 255.255.252.0
   ip verify unicast reverse-path
  ip route 0.0.0.0 0.0.0.0 Serial 0
• Features that should be turned ON
  • Cisco Express Forwarding (CEF)
  • Unicast Reverse Path Forwarding (uRPF)
• Attacktecs
  • DDoS tools: TFN(2K), Trinoo, etc.
  • See PacketStorm for updated DDoS tools
• Solutions
  • CEF will boost performance
  • RPF helps DDoS detection
• Reasoning
  • Source address verification
  • Forced asymmetric routing
  • Use BGP Weight or Local Preference if multi-homed
Diagram: router with S0/0 (the default route) toward the Upstream ISP / Internet and Fa0/0 toward the Enterprise Network; a packet with Source = 192.168.11.45 is marked DROPPED.
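An added example (my code, not the presentation's) of the strict uRPF check this slide enables: a longest-prefix lookup on a constructed routing table in which the enterprise prefix 192.168.8.0/22 sits behind Fa0/0 and the default route points out S0/0, so a packet claiming an inside source but arriving from the ISP side is dropped. Whether IOS counts the default route as a valid reverse path depends on the version and keywords; here it is simply treated as one.

```python
import ipaddress

# Added example, not from the presentation: a strict unicast RPF check as the
# slide describes it. The routing table, interface names and packets are
# constructed; the default route is treated as a valid reverse path here.
ROUTES = (  # (prefix, egress interface); the longest matching prefix wins
    ("192.168.8.0/22", "FastEthernet0/0"),  # enterprise network behind Fa0/0
    ("0.0.0.0/0", "Serial0/0"),             # default route toward the upstream ISP
)

def best_route(addr):
    """Longest-prefix match: the interface the router would use to reach addr."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in ROUTES:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def urpf_accept(src, ingress):
    """ip verify unicast reverse-path: forward only if the best route back to
    the source address leaves through the interface the packet arrived on."""
    return best_route(src) == ingress

def filter_packets(packets):
    """Apply the check to (source, ingress interface) pairs; return the drops."""
    return [p for p in packets if not urpf_accept(*p)]

# Constructed traffic: the spoofed internal source arriving from the ISP side
# is dropped; the same source seen on the inside interface is accepted.
SAMPLE = [
    ("192.168.11.45", "Serial0/0"),        # spoofed: inside address from outside
    ("192.168.11.45", "FastEthernet0/0"),  # legitimate internal host
    ("203.0.113.7", "Serial0/0"),          # ordinary Internet source
]
```

The same logic is why the slide warns about asymmetric routing: if the best route back to a legitimate source leaves through a different interface than the one it arrived on, strict mode drops it, which is where the BGP Weight / Local Preference advice for multi-homed sites comes in.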
Device Access Options
• Console – Physical access
• AUX – The dial-in backdoor
• VTY – Access for those protocols we’ve stopped using for years!
Console – Physical access
  line con 0
   login
   password ClearText
   exec-timeout 3 0

  username Steve password EncryptMe
  line con 0
   login local
   exec-timeout 3 0

  aaa new-model
  tacacs-server key NotCleartext
  aaa authentication login default tacacs+ local
• Console – Physical access
  • Use for initial configs
  • Easy to avoid passwords
• Attacktecs
  • Password recovery
  • Theft of equipment
  • SOLD on Internet auction sites
• Solutions
  • Lock the doors!
  • Guards with M16s
  • Secret IOS command?!?!
• Reasoning
  • ALL Cisco devices can be compromised with console access
AUX – Dial-in backdoor
  line aux 0
   login
   password ClearText
   exec-timeout 3 0

  username Steve password EncryptMe
  line aux 0
   login local
   exec-timeout 3 0

  aaa new-model
  tacacs-server key NotCleartext
  aaa authentication login default tacacs+ local
• AUX – Dial-in backdoor
  • Used mostly for remote dial-in access for administrators
  • Can be configured to route traffic for DDR
• Attacktecs
  • War-dial to find the number
  • Use as a jumping point to launch other attacks
• Solutions
  • Unplug the modem until needed
  • Strong password protection
  • Timeouts and CD-drop detection to avoid session theft
• Reasoning
  • Has good uses for solving network-down type problems
  • Same security problems as all dial-type access
VTY – All access
  username Steve password ohSSH
  ip domain-name router1.101labs.com
  crypto key generate rsa
  ip ssh time-out 60
  ip ssh authentication-retries 2
  access-list 2 permit host 10.1.1.1
  line vty 0 4
   login local
   ip access-class 2 in
   transport input ssh          (default is ALL)
• VTY – All access
  • Used mostly for telnet
  • Supports LAT, MOP, rlogin, etc.
• Attacktecs
  • Flood the router with telnets
  • MiTM – discover the device password by watching telnet traffic
  • Reverse telnet (ports 2000, 3000, 7000)
• Solutions
  • Use SSH & ACLs
  • Turn off unused protocols
  • Last resort… turn off VTY access
• Reasoning
  • Standard for Cisco management
  • SSH provides encryption for device management sessions
• Note: Cisco only uses SSH v1 and has an active advisory for SSH. IOS also has SSH client support. Limited platform support. Still a LOT better than cleartext telnet! See the link section for more info.
Password Issues
• User, privileged, and custom access
• Implications of “No Password”
• MD5 and password encryption
• Password recovery
• User Exec – Level 1 – Router>
  • Can look at various tables: ARP, BGP, routing, etc.
  • Can do simple pings
  • Telnet to other places (jump-off point)
• Privileged Exec – Level 15 – Router#
  • Essentially “root” access for an IOS device
  • All functions available
• Custom levels – Levels 2–14 – Router#
  • Set using username/password or AAA
  • Privilege levels inherit lower levels unless denied
  • Useful in large environments with different experience levels and job functions of techs
Implications of “No Password”
• The login command on a VTY line will force the router to ask for a password even if none is configured. This is the default.
• login combined with no password on CON/AUX allows login without challenge.
• To disable CON or AUX use:
  line aux 0
   transport input none
   transport output none
   no exec
MD5 and Password Encryption
• Most passwords stored in Cisco IOS device configs are in cleartext.
• Using the “service password-encryption” command will weakly (type 7) encrypt your passwords. (You could decrypt them with pen & paper in 40 minutes.)
• The enable secret password is MD5. You should use this for Privileged Exec access.
  service password-encryption
  hostname Router-1
  no enable password
  enable secret 5 $1$y/fP$O.MMCCsH8leilgoRUwBxk1
• Use type 5 (MD5) for any passwords that let you.
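A config audit written for this page (added example, not the presenter's code): it checks a running-config against the global defaults and interface-level features from the Initial Configuration slides and against the password-storage advice on this slide, flagging cleartext and type 7 passwords while accepting type 5 secrets. The sample config is constructed; its enable secret is the hash shown on the slide and its type 7 string is a placeholder.

```python
import re

# Added example, not from the presentation: lint an IOS config against the
# global, per-interface and password-storage checklists on the slides above.
REQUIRED_GLOBAL = ("no service tcp-small-servers", "no service udp-small-servers",
                   "no service finger", "no ip bootp server", "no ip source-route",
                   "service tcp-keepalives-in", "service password-encryption")
REQUIRED_PER_INTERFACE = ("no ip unreachables", "no ip proxy-arp", "no ip redirects",
                          "no ip mask-reply", "no ip directed-broadcast")
# 'password X' (cleartext), 'password 7 X' (reversible) or 'password 5 X' (MD5)
PASSWORD_RE = re.compile(r"^(?:username \S+ |enable )?password (?:(\d) )?\S+$")

def parse_interfaces(config):  # -> {interface name: [its indented sub-commands]}
    stanzas, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = stanzas.setdefault(line.split(" ", 1)[1], [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # "!" or any other top-level command ends the stanza
    return stanzas

def audit(config):  # -> list of findings; an empty list means the checklist is met
    findings = []
    top = {l.strip() for l in config.splitlines() if not l.startswith(" ")}
    for cmd in REQUIRED_GLOBAL:
        if cmd not in top:
            findings.append(f"global: missing '{cmd}'")
    for name, body in parse_interfaces(config).items():
        for cmd in REQUIRED_PER_INTERFACE:
            if cmd not in body:
                findings.append(f"{name}: missing '{cmd}'")
    for line in (l.strip() for l in config.splitlines()):
        m = PASSWORD_RE.match(line)
        if m and m.group(1) != "5":  # 'enable secret 5 ...' never matches at all
            kind = "type 7 (reversible)" if m.group(1) == "7" else "cleartext"
            findings.append(f"{kind} password: '{line}'")
    return findings

# Constructed sample: Serial0/0 is hardened, FastEthernet0/0 is not; the enable
# secret is the hash from the slide, the type 7 string is a placeholder.
SAMPLE_CONFIG = """\
service password-encryption
no service tcp-small-servers
no service udp-small-servers
enable secret 5 $1$y/fP$O.MMCCsH8leilgoRUwBxk1
username Steve password 7 0123456789ABCDEF
interface Serial0/0
 ip address 192.168.8.1 255.255.252.0
 no ip unreachables
 no ip proxy-arp
 no ip redirects
 no ip mask-reply
 no ip directed-broadcast
interface FastEthernet0/0
 ip address 10.1.1.1 255.255.255.0
line con 0
 password ClearText
"""
```

Running `audit(SAMPLE_CONFIG)` reports the four missing global commands, the five interface commands missing from FastEthernet0/0, the type 7 user password and the cleartext console password.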
Password Recovery
• As simple as…
  • Power cycle
  • Break key
  • confreg or o/r 0x2142
  • Secret IOS command (some devices)
• “no service password-recovery”
  • Break key after a power cycle will give you a “Factory Default <y/n>” question.
Management Protocols
• CDP – How they discover your network
• SNMP – More holes than Swiss cheese
• NTP – What time did they break in?
• SYSLOG – Another ignored log
• Loopbacks – Interfaces that don’t go down
CDP – Cisco Discovery Protocol
  RO(config)# no cdp run
  RO(config-if)# no cdp enable
  SW> (enable) set cdp disable <mod/port>
  (omitting the <mod/port> turns off CDP for the entire switch)
• CDP – Cisco Discovery Protocol
  • Used to discover the network
  • L2 messages sent every 60 seconds
  • Will discover device name, IOS revision, L3 addresses, native VLAN and more
  • Default is ON for all ports/interfaces
• Attacktecs
  • Everyone can discover your network
  • DoS attack discovered by FX
  • Info can be used in a variety of ways
• Solutions
  • Turn it off globally
  • Turn it off at a port/interface
  • Leave it on in the management VLAN
• Reasoning
  • Not needed unless you’re actively discovering the network
  • Required for CiscoWorks 2000
SNMP v1 & v2 – “Simple Net-attacks Made Possible”
• Main problems
  • Uses community strings that are stored/sent in cleartext
  • Many times left unchanged/default as public/private
  • Many freeware SNMP tools used for hacking
• If it must be used
  • Don’t enable a RW string
  • Use an ACL
  • Use v3 if RW is needed
  access-list 1 permit host 10.1.1.1
  access-list 1 deny any log-input
  snmp-server community not-public RO 1
SYSLOG and NTP
• SYSLOG
  • Default is console logging only
  • Stop console logging
  • Send messages to a syslog server
• NTP
  • Gets time from a trusted source
  • Attach timestamps to logs
  service timestamps log datetime localtime
  logging 10.1.1.1
  no logging console
  clock timezone MST -7
  clock summer-time MST recurring
  ntp authenticate
  ntp authentication-key 1 md5 AtTheTone
  ntp trusted-key 1
  ntp access-group peer 3
  ntp server 192.168.254.57 key 1
  access-list 3 permit host 192.168.254.57
  access-list 3 deny any log
Loopback interfaces
• Loopbacks are internal/software interfaces
  • Never go down
  • Can be assigned L3 addresses
• Router-ID for OSPF/BGP
• Source IP address in packets
  • Telnet/SSH
  • SNMP
  • SYSLOG
  • TFTP / FTP
  interface loopback 0
   ip address 192.168.1.1 255.255.255.0
  ip telnet source-interface loopback 0
  ip tftp source-interface loopback 0
  ip ftp source-interface loopback 0
  logging source-interface loopback 0
  router ospf 1
   router-id 192.168.1.1
  router bgp 65410
   bgp router-id 192.168.1.1
Catalyst Switch Options
• Password commands
• Telnet / SSH connection options
• NTP, SYSLOG, SNMP
• Catalyst switch passwords
  • Passwords for user and enable modes
• Attacktecs
  • Password recovery
    • Power off
    • Passwords cleared for the first 60 seconds
    • Must be attached to the console
• Solutions
  • Use difficult passwords
  • Limit physical access
  set password (hit Return)
  Old Password: *.Eat@JoE$^^_
  New Password: JoE$F0Od_Stnks
  Retype Password: JoE$F0Od_Stnks
  set enable (hit Return)
  Old Enablepass: Stay!0Ff_My-C@
  New Enablepass: C@_iN_Da_H@
  Retype: C@_iN_Da_H@
• Catalyst switch management
  • Same management methods as an IOS router
• Attacktecs
  • BSD telnet DoS attack
  • Discover device configs and passwords by watching telnet or HTTP traffic
• Solutions
  • Use SSH & IP permit lists
  • Shut off HTTP access
  • Last resort… turn off telnet
  • OR… don’t configure IP on the switch
• NEW ALERT for CAT switches 1/29/02
  • ALL Catalysts running “set-based IOS” are vulnerable to a DoS attack
  • Fixed by new code 2/5/02
  • Use SSH and IP permit
  set crypto key rsa 1024
  set ip permit enable ssh
  show crypto key
  show ip permit
  set ip http server disable
• NTP, SYSLOG on CATs
  • Cisco recommends modifying some of the logging levels based on environment conditions
  • NTP configuration is very similar to the configuration commands on router IOS
  set logging server <IP address>
  set logging timestamp enable
  set logging level spantree 6 default
  set logging level sys 6 default
  set logging server severity 4
  set logging console disable
  set ntp client enable
  set ntp server <address of server>
  set ntp authentication enable
  set ntp key <key>
  set ntp timezone <zone name>
  set ntp summertime <details>
Section 2 – Layer 2 – Switching
VLANs
• Good design – simplifies security
• Default VLANs – 1, 1001–1005
• Management VLAN – defaults to VLAN 1
• Design philosophies
  • Spanning Tree = BAD
  • Routing = GOOD
  • KISP
  • Plan with security in mind
Diagram: “Good Design!” – a switch block; “Bad Design!!!!” – a redundant rat’s nest.
VLANs
• VLAN 1 – the dead VLAN
• VLANs 1001–1005 – the dead-technology VLANs
• Clear trunks of these VLANs
• Can’t remove them from switches
Management VLAN – Defaults to VLAN 1
• Change this on all switches to a random number (the same number for all switches)
• NO USER traffic
  • Don’t assign it to user ports
  • ACL to block them!
• Used for anything your users shouldn’t see
  • IP routing
  • CDP (if you didn’t want to turn it off)
  • VTP
  • MLSP
Management VLAN (cont.)
• Runs on all switches in the block
• Use 1 management VLAN per block
Diagram labels: “Should be the only VLAN on this link”; “Trunked with user VLANs on these links”.
STP / VTP / DTP
• Spanning Tree issues
• VLAN Trunking Protocol – the “A” DoS
• Dynamic Trunking Protocol – To trunk or not to trunk?… that is the question.
Spanning Tree Protocol
• For loop prevention in an Ethernet network
• Works by electing a “root bridge”
• Sends messages via BPDUs
• Attacktecs include
  • Forced takeover as root bridge
  • BPDU flood attack
  • BPDU change notification flag (unintentional side effect of a switched network)
• Solutions
  • Force user ports not to send/receive BPDUs
  • PortFast & BPDU Guard
VTP – VLAN Trunking Protocol
• Used to maintain VLAN database consistency
• Could be used in an attack to add/delete VLANs
• Risky to use under normal conditions
• Required by some CATs to create VLANs
• Solution
  • Set all switches to VTP transparent mode
  • Set a password to avoid misconfiguration / attacks
Dynamic Trunking Protocol – “To Trunk or not to Trunk”
• All switch 100 Mb ports are set to AUTO
• Connecting AUTO – AUTO ports doesn’t trunk
• Connecting AUTO – ON ports does trunk
• Attacktecs
  • 802.1Q tag manipulation
  • Access to all VLANs without a router
• Solution
  • Set all non-trunk ports to DTP OFF mode
  • Force users to 10 Mb (lead balloon?!?!)
CatOS commands
• set port host <mod/port>
  • Batch command that configures
    • Trunking to OFF
    • PortFast ON
• set port disable <mod/port>
• set spantree portfast bpdu-guard enable
• set spantree guard root 1/1
VLAN “Hopping”
• Works by injecting modified 802.1Q tags
• Can effectively pass traffic to other VLANs without a router
• Solutions
  • Set native VLANs on trunk ports to an unused VLAN and not VLAN 1
  • Set port VLAN <vlan#> <mod/port>
  • Remember the native VLAN must match on both sides of the trunk
Network Sniffing with Switch Ports
• Attacker running an ARP spoofing tool with bridging software
• Sends continuous ARP replies telling the PC he’s the server and the server that he’s the PC
• Traffic is bridged between PC and server to maintain the connection
• Solutions: Private VLANs? Host IDS!
Flooding a switch with MAC addresses or… how to make a switch act like a hub
• Attacking host PC launches an attack that floods the CAM table on the switch, using all allocated CAM memory
• The switch then forwards all traffic like unknown unicasts
• Solutions: Port Security, max MAC count 1
Section 3 – Layer 3 – Routing
Access Control Lists
• Standard / Extended / Named
• Context Based (CBAC)
• Other
• IP standard ACLs
  • IP source address based only
  • Variety of uses (not just packet filtering)
  • 1–99 and 1300–1999 range
• IP extended ACLs
  • Looks at
    • Source & destination IP
    • Source & destination ports
    • Protocol
    • SYN/RST bit (established)
  • Can be logged – log or log-input (timestamp and packet info)
  • 100–199 and 2000–2699 range
• IP named ACLs
  • Same as STD or EXT except with a name instead of a number
  • Can remove a single list entry without removing the whole ACL
• Context Based Access Control (CBAC)
  • AKA Cisco IOS Firewall feature set
  • Creates dynamic inbound ACE entries based upon egress traffic
Diagram: inbound base ACL “deny any” on the Internet side; as an IP packet exits, a short-lived dynamic ACE is added to the beginning of the base ingress ACL, allowing the return traffic.
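An added example (my code, not from the presentation) for the two ACL slides above: an evaluator with IOS wildcard-mask matching, first-match semantics, the implicit deny and the established keyword, plus a CBAC-style inspector that inserts the dynamic return-traffic ACE the diagram describes ahead of the base inbound ACL. Addresses, ports and ACL entries are constructed.

```python
import ipaddress

# Added example, not from the presentation: an IOS-style extended ACL evaluator
# (wildcard masks, first match wins, implicit deny, "established") and a CBAC-like
# inspector that inserts a dynamic return-traffic ACE at the top of the inbound ACL.

def wildcard_match(addr, spec):
    """spec is 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' (wildcard bit 1 = don't care)."""
    if spec == "any":
        return True
    if spec.startswith("host "):
        return addr == spec[5:]
    net, wild = spec.split()
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, net, wild))
    return (a & ~w) == (n & ~w)

class Ace:
    def __init__(self, action, proto, src, dst, dport=None, established=False):
        self.action, self.proto, self.src, self.dst = action, proto, src, dst
        self.dport, self.established = dport, established

    def matches(self, pkt):
        return (self.proto in ("ip", pkt["proto"])
                and wildcard_match(pkt["src"], self.src)
                and wildcard_match(pkt["dst"], self.dst)
                and (self.dport is None or self.dport == pkt["dport"])
                and (not self.established or pkt.get("ack", False)))

class Acl:
    def __init__(self, aces):
        self.aces = list(aces)

    def evaluate(self, pkt):
        for ace in self.aces:          # first matching entry decides
            if ace.matches(pkt):
                return ace.action
        return "deny"                  # implicit deny at the end of every ACL

class Cbac:
    """Watches egress sessions and opens the inbound base ACL only for their replies."""
    def __init__(self, inbound_acl):
        self.inbound = inbound_acl

    def egress(self, pkt):
        # Short-lived dynamic ACE for the reverse flow, placed ahead of the base ACL.
        reverse = Ace("permit", pkt["proto"], "host " + pkt["dst"],
                      "host " + pkt["src"], dport=pkt["sport"])
        self.inbound.aces.insert(0, reverse)

def demo():
    """Constructed scenario: an inside host browses out; only the reply gets back in."""
    inside, outside = "192.168.11.45", "203.0.113.10"
    fw = Cbac(Acl([Ace("deny", "ip", "any", "any")]))
    fw.egress({"proto": "tcp", "src": inside, "dst": outside, "sport": 40000, "dport": 80})
    reply = {"proto": "tcp", "src": outside, "dst": inside, "sport": 80, "dport": 40000, "ack": True}
    probe = {"proto": "tcp", "src": outside, "dst": inside, "sport": 4444, "dport": 22}
    return fw.inbound.evaluate(reply), fw.inbound.evaluate(probe)
```

The reflexive and dynamic ACL types on the next slide work on the same idea of a temporary entry; the evaluator above does not age entries out, which a real CBAC session table does.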
• Other IP ACL types
  • Reflexive
  • Dynamic
  • Time-based
• Other ACLs
  • IPX
  • AppleTalk
  • MAC
  • NetBIOS
  • VACLs
IP Routing Protocols
• RIP – May it rest in peace (PLEASE!!!)
• IGRP – I’d rather run RIP first
• EIGRP – Simple and powerful
• OSPF – You stubbed your what?
• RIP
  • v1
    • Classful IP (no VLSM or CIDR)
    • Broadcasts every 30 sec.
    • Cleartext passwords
    • Any IP product that has “routing” features supports it
    • Too many security problems to fix
  • v2
    • Classless
    • Uses multicasts every 30 seconds
    • MD5 passwords
    • Wide support
    • Still vulnerable to attacks
“You can tie on a pretty ribbon and give it some makeup… but it’s still the same old RIP”
Setting RIP v2 with key-chain
  key chain MyKey
   key 1
    key-string 1234
  !
  interface Ethernet0
   ip address 192.168.1.1 255.255.255.0
   ip rip authentication key-chain MyKey
   ip rip authentication mode md5
   ! without the mode line the default is text, and the key is sent in cleartext
  !
  router rip
   version 2
   network 192.168.1.0
   passive-interface default
   no passive-interface E0