Neutering Ettercap in Cisco Switched Networks. For Fun and Profit
What’s With the Title? (AKA Scope)
• How the protocols function under normal and malicious circumstances
• Ettercap’s capabilities for protocol abuse: DHCP Spoofing - ARP Poisoning - ICMP Redirects - Port Stealing
• Countermeasures to defend against these kinds of abuse
What’s With the Title? (AKA Scope)
• Configuring countermeasures for Cisco IOS
• Best practices for implementation
• This is for CISCO NETWORKS ONLY! (sorry Juniper)
Why Protocol Abuse Works
• The protocols are OLD! They were created during a friendlier time in networking.
• They were not created with authentication measures or security in mind.
• Engineers were focused on transmitting data without errors, not on who was sending it or what was being sent.
Let’s spoof some DHCP! You can trust me, I’m a nice DHCP server. ;)
DHCP Spoofing – Function Dynamic Host Configuration Protocol (DHCP) permits hosts connected to a Local Area Network (LAN) segment to be dynamically assigned the parameters necessary to send and receive data over a network. The DHCP exchange is sent as a broadcast, which means that every host on the LAN segment receives a copy of it.
DHCP Spoofing – Function Normally, a host would ignore this exchange, but Ettercap has a built-in feature to intercept these DHCP messages and reply to them before the authentic DHCP server can. This causes the host to continue the exchange with Ettercap and ignore the authentic server.
DHCP Spoofing – Function The main purpose of this is to tell the host to use the Ettercap machine as its 'Default Gateway', the address to which it forwards data destined for other networks. This allows a 'Half-Duplex' MitM: the attacker only sees half of the exchange, because the return packets will not pass through the attacker unless this is combined with tunneling techniques.
DHCP Spoofing – Function • Normal DHCP (diagram: the client’s broadcast exchange with the authentic DHCP server)
DHCP Spoofing – Function • Ettercap DHCP (diagram: EVE answers the client’s broadcast before the authentic server)
DHCP Spoofing – Countermeasures To combat not only Ettercap but all rogue DHCP servers, the ‘IP DHCP Snooping’ process will be enabled. Available on both Layer 2 and Layer 3 switches, DHCP Snooping applies a two-pronged approach.
DHCP Spoofing – Countermeasures IP DHCP Snooping only allows authentic DHCP servers to reply to transactions. Rogue servers that send replies to DHCP requests will have the reply packet dropped by the switch, and a log message will be generated. The DHCP transaction will still be visible to all hosts on the LAN segment, but replies are strictly policed using 'Trusted Interfaces'.
DHCP Spoofing – Countermeasures DHCP replies received on a Trusted Interface (switch port) are forwarded automatically; however, all ports on the switch are Untrusted by default. Only ports leading to gateway routers and/or other DHCP Snooping enabled switches should be set to Trusted.
DHCP Spoofing – Countermeasures IMPORTANT NOTE: Unless your DHCP server supports Option 82 tagging, you must disable it! By default, Cisco switches tag snooped DHCP transactions with Option 82 information before forwarding them. This will more than likely cause the DHCP server to ignore the request, creating an inadvertent DoS situation.
DHCP Spoofing – Configuration
• Enable the IP DHCP Snooping process
• Switch(config)# ip dhcp snooping
• Define which VLANs are to be snooped
• Switch(config)# ip dhcp snooping vlan <VLAN_RANGE>
• e.g. 1,2,3-5,8-10,23,25-50
• Disable DHCP Option 82 tagging
• Switch(config)# no ip dhcp snooping information option
DHCP Spoofing – Configuration
• Trust gateway/inter-switch links
• Switch(config)# int fa0/1
• Switch(config-if)# ip dhcp snooping trust
• Create a DHCP binding database
• Switch(config)# ip dhcp snooping database <URL>
• Best practice is to store this DB in switch flash memory
• Re-DHCP all hosts on the LAN segment to populate the DHCP binding DB
DHCP Spoofing – Countermeasures Bonus!
• To prevent DHCP starvation attacks, set a DHCP packet-per-second limit on untrusted interfaces
• Switch(config)# int range fa0/2-24
• Switch(config-if-range)# ip dhcp snooping limit rate <#_OF_DHCP_PPS>
• 3 DHCP packets per second is a best practice
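The two-pronged behaviour described above (policing server replies by trusted port, rate-limiting untrusted ports, and building the binding table from the observed exchange) as a small Python model. This is an added example, not Cisco’s implementation or code from the slides; port names, MACs and the packet dicts are constructed.

```python
from collections import defaultdict

SERVER_MSGS = {"OFFER", "ACK", "NAK"}  # only a real DHCP server should send these


class DhcpSnooping:
    """Simplified model of IOS DHCP snooping (added example, not Cisco's code)."""
    def __init__(self, trusted_ports, rate_limit_pps=3):
        self.trusted = set(trusted_ports)
        self.rate_limit = rate_limit_pps
        self.bindings = {}            # client MAC -> (ip, port, vlan), like the binding DB
        self.log = []
        self._pending = {}            # client MAC -> port its DISCOVER/REQUEST arrived on
        self._pps = defaultdict(int)  # (port, whole second) -> DHCP packets seen

    def process(self, pkt):
        """Return 'forward' or 'drop' for one DHCP packet (a dict)."""
        port, msg = pkt["port"], pkt["msg"]
        if port in self.trusted:
            if msg == "ACK" and pkt["client_mac"] in self._pending:
                cport = self._pending.pop(pkt["client_mac"])
                self.bindings[pkt["client_mac"]] = (pkt["client_ip"], cport, pkt["vlan"])
            return "forward"
        key = (port, int(pkt["ts"]))  # untrusted: police the rate first, then the type
        self._pps[key] += 1
        if self._pps[key] > self.rate_limit:
            self.log.append(f"{port}: DHCP rate limit exceeded, port would be err-disabled")
            return "drop"
        if msg in SERVER_MSGS:
            self.log.append(f"{port}: dropped rogue DHCP {msg} from {pkt['src_mac']}")
            return "drop"
        if msg in ("DISCOVER", "REQUEST"):
            self._pending[pkt["src_mac"]] = port
        return "forward"


def run_sample():
    """Constructed exchange: client on fa0/5, real server via trusted fa0/1, EVE on fa0/9."""
    sw = DhcpSnooping(trusted_ports={"fa0/1"})
    pkts = [
        {"port": "fa0/5", "msg": "DISCOVER", "src_mac": "aaaa.aaaa.aaaa", "ts": 1.0},
        {"port": "fa0/9", "msg": "OFFER", "src_mac": "1111.1111.1111", "ts": 1.1},  # EVE answers first
        {"port": "fa0/1", "msg": "OFFER", "src_mac": "dddd.dddd.dddd", "ts": 1.2},
        {"port": "fa0/5", "msg": "REQUEST", "src_mac": "aaaa.aaaa.aaaa", "ts": 1.3},
        {"port": "fa0/1", "msg": "ACK", "src_mac": "dddd.dddd.dddd", "client_mac": "aaaa.aaaa.aaaa",
         "client_ip": "192.168.1.50", "vlan": 10, "ts": 1.4},
    ]
    verdicts = [sw.process(p) for p in pkts]
    flood = [sw.process({"port": "fa0/9", "msg": "DISCOVER", "src_mac": f"0000.0000.000{i}", "ts": 5.0})
             for i in range(5)]  # starvation attempt: 5 DISCOVERs in one second
    return verdicts, flood, sw.bindings, sw.log
```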
Won’t someone think of the children… Er… ARPs?! All your ARPs are belong to us!
ARP Poisoning - Function Address Resolution Protocol (ARP) allows hosts on a LAN segment to communicate with each other. Networks are defined by their physical (Layer 2) and logical (Layer 3) design, or topology. It is normal for the two topologies to be completely different, and ARP provides the mapping between them.
ARP Poisoning - Function This matters because of how switches and routers forward data. Switches forward data primarily based on the physical topology, whereas routers forward based solely on the logical topology. If Layer 2 can be controlled, so can every OSI layer above it.
ARP Poisoning - Function By producing falsified ARP broadcasts, Ettercap can convince hosts and routers alike to forward all of their traffic through the attacker's physical address. Ettercap basically tricks some or all of the hosts on the LAN into mapping the victim's logical address to the attacker's physical address.
ARP Poisoning - Function This is very powerful, as it creates a Full-Duplex MitM: both sent and received data will be seen by the attacker. A particularly powerful feature of Ettercap is the ability to intercept the negotiation of encryption parameters for SSH and SSL tunnels, allowing the attacker to read the encrypted data in plain text.
ARP Poisoning - Function • Normal ARPs (diagram: hosts A aaaa.aaaa.aaaa, B bbbb.bbbb.bbbb, C cccc.cccc.cccc, the server dddd.dddd.dddd and EVE 1111.1111.1111; A broadcasts “What is the server’s MAC address?” and the server answers “The Server is @ dddd.dddd.dddd”)
ARP Poisoning - Function • Normal Traffic Flow (diagram: hosts exchange traffic directly with the server)
ARP Poisoning - Function • Poisoned ARPs (diagram: EVE broadcasts “All Hosts are @ 1111.1111.1111”)
ARP Poisoning - Function • Hairpin Traffic Flow (diagram: all traffic between the hosts and the server now passes through EVE)
ARP Poisoning - Countermeasures Cisco switches, both Layer 2 and Layer 3, support a process called 'Dynamic ARP Inspection' (DAI). The DAI process works in tandem with DHCP Snooping. DHCP Snooping builds an internal database of Layer 2 to Layer 3 mappings, the very thing ARP is used to determine.
ARP Poisoning - Countermeasures Since the switch has seen the entire DHCP transaction and knows which of its ports the request came from, it can track these bindings to identify false ARP broadcasts and kill them before they propagate to other hosts.
ARP Poisoning - Countermeasures Every invalid ARP reply is dropped by the switch and generates a log message. ARP requests are still allowed to propagate as normal, since they need to reach their target to elicit a reply.
ARP Poisoning - Countermeasures Only ARP replies are policed, and they must pass inspection at the first receiving switch, which then places them in a 'trust-zone' of clean ARPs. DAI places all interfaces in an untrusted state by default, meaning ARP replies received on that interface must be validated.
ARP Poisoning - Countermeasures Router/inter-switch links connected only to other DAI enabled switches should be trusted (an ARP access-list is the more secure option for routers). Hosts that have static network assignments will have a static binding set on the switch they are directly connected to.
ARP Poisoning - Configuration
• Enable the DAI process on the appropriate VLANs
• Switch(config)# ip arp inspection vlan <VLAN_RANGE>
• Trust links connected ONLY to routers and other DAI enabled switches
• Switch(config)# int fa0/1
• Switch(config-if)# ip arp inspection trust
• Set an ARP PPS limit on untrusted interfaces
• Switch(config)# int range fa0/2-24
• Switch(config-if-range)# ip arp inspection limit rate <#_OF_ARP_PPS>
ARP Poisoning - Configuration
• Define static bindings for non-DHCP hosts
• Switch(config)# arp access-list <ARP_ACL_NAME>
• Switch(config-arp-nacl)# permit ip host <HOST_IP> mac host <HOST_MAC> [log]
• e.g. permit ip host 192.168.1.1 mac host 1111.1111.1111 log
• [REPEAT THE 'permit' STATEMENT FOR EACH STATICALLY ASSIGNED HOST]
• Switch(config-arp-nacl)# exit
ARP Poisoning - Countermeasures
• Apply the ARP ACL to the DAI process
• Switch(config)# ip arp inspection filter <ARP_ACL_NAME> vlan <VLAN_RANGE> [static]
• ARPs matched by the ARP ACL 'permit' statements will not be checked against the DHCP snooping database. Use the 'static' keyword with caution, as the ACL is checked before the DHCP Snooping database. When 'static' is set and no match is found in the ARP ACL, the ARP reply is considered invalid without ever checking the DHCP Snooping database!
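The inspection order described on the last few slides (trusted ports bypass, ARP ACL consulted first, then the DHCP snooping binding DB, and the effect of the 'static' keyword) as a Python model. This is an added example, not Cisco’s implementation or code from the slides; the ACL name STATIC-HOSTS, the port names and the bindings are constructed.

```python
class ArpAcl:
    """ARP access-list: explicit IP-to-MAC permits for non-DHCP hosts."""
    def __init__(self, name):
        self.name, self.entries = name, []
    def permit(self, ip, mac):
        self.entries.append((ip, mac))
    def match(self, ip, mac):
        return (ip, mac) in self.entries


class DynamicArpInspection:
    """Simplified model of IOS DAI ordering (added example, not Cisco's code)."""
    def __init__(self, bindings, trusted_ports=(), acl=None, static=False):
        self.bindings = bindings      # DHCP snooping DB: client MAC -> (ip, port, vlan)
        self.trusted = set(trusted_ports)
        self.acl, self.static = acl, static
        self.log = []

    def inspect(self, arp):
        """arp: dict(port, op, sender_ip, sender_mac). Return 'forward' or 'drop'."""
        port, ip, mac = arp["port"], arp["sender_ip"], arp["sender_mac"]
        if arp["op"] == "request" or port in self.trusted:
            return "forward"          # only replies on untrusted ports are policed
        if self.acl is not None:
            if self.acl.match(ip, mac):
                return "forward"      # ACL hit: the binding DB is never consulted
            if self.static:           # 'static' keyword: an ACL miss is final
                self.log.append(f"{port}: {ip} is-at {mac} denied by ARP ACL {self.acl.name}")
                return "drop"
        bound = self.bindings.get(mac)
        if bound and bound[0] == ip and bound[1] == port:
            return "forward"
        self.log.append(f"{port}: invalid ARP reply {ip} is-at {mac}")
        return "drop"


def run_sample(static):
    """Constructed scenario: A (aaaa) on fa0/2 and EVE (1111) on fa0/9 hold DHCP leases;
    the server dddd at 192.168.1.1 is statically assigned and listed in the ARP ACL."""
    bindings = {"aaaa.aaaa.aaaa": ("192.168.1.10", "fa0/2", 10),
                "1111.1111.1111": ("192.168.1.99", "fa0/9", 10)}
    acl = ArpAcl("STATIC-HOSTS")
    acl.permit("192.168.1.1", "dddd.dddd.dddd")
    dai = DynamicArpInspection(bindings, trusted_ports={"fa0/1"}, acl=acl, static=static)
    arps = [
        {"port": "fa0/2", "op": "reply", "sender_ip": "192.168.1.10", "sender_mac": "aaaa.aaaa.aaaa"},
        {"port": "fa0/9", "op": "reply", "sender_ip": "192.168.1.1", "sender_mac": "1111.1111.1111"},  # EVE's poison
        {"port": "fa0/9", "op": "reply", "sender_ip": "192.168.1.99", "sender_mac": "1111.1111.1111"},
        {"port": "fa0/3", "op": "reply", "sender_ip": "192.168.1.1", "sender_mac": "dddd.dddd.dddd"},
        {"port": "fa0/9", "op": "request", "sender_ip": "192.168.1.99", "sender_mac": "1111.1111.1111"},
    ]
    return [dai.inspect(a) for a in arps], dai.log
```

With static=True the legitimate DHCP host A is dropped too, because its reply misses the ACL and the binding DB is never consulted; that is the caveat the slide warns about.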
ICMP; Networking Ballistic Missiles! Break Out the SPF 9000!
ICMP Redirects - Function The Internet Control Message Protocol (ICMP) is in reality a small suite of protocols used to pass network information between nodes. ICMP is more or less a legacy protocol, in that most of its functionality has been replaced and improved upon by other protocols. However, host operating systems still process most, if not all, ICMP requests in the spirit of backwards compatibility.
ICMP Redirects - Function ICMP Redirects were used to notify routers/hosts about better paths to reach specific networks. Ettercap can send these Redirects to hosts on a LAN, telling them to forward traffic for other networks to the attacker instead of their default gateway. By itself this is a very simple Half-Duplex MitM, but it can be combined with other techniques to glean host information and become Full-Duplex.
ICMP Redirects – Function (diagram: EVE sends a redirect telling the host to reach server.com via EVE’s IP address)
ICMP Redirects - Countermeasures VLAN Access-Control Lists (VACLs) can be configured on Layer 3 switches to police traffic passing within a VLAN. Unlike traditional ACLs, VLANs do not understand the concept of 'inbound' or 'outbound', so VACLs are applied with a ‘VLAN access-map'. VLAN access-maps can reference ACLs to determine which protocols are allowed or denied on the VLAN segment.