Presentation is loading. Please wait.

Presentation is loading. Please wait.

Network Infrastructure Insecurity

Similar presentations

Presentation on theme: "Network Infrastructure Insecurity"— Presentation transcript:

1 Network Infrastructure Insecurity
The authentication, management and routing protocols that run your network

2 Topics Overview Basic protocol flaws Network allocation flaws
Routing protocol flaws Authentication flaws Network Management and other fun flaws Application of attacks

3 The Network DMZ Internet Firewall Switch Router Host Host Host Host
Hub Host Printer Radius Server

4 The Network DMZ Switch Router Host Host Host Host Hub Host Printer
Radius Server

5 The Network Switch Router Host Host Host Host Hub Host Printer
Radius Server

6 The Network Switch Router Hub Printer Radius Server

7 Overview Network Infrastructure The building blocks of a network
basic network protocols network management authentication routing other random things switches, hubs printers routers

8 Overview Does this stuff matter?
Absolutely - the network depends on these Basic protocols - obvious network management & allocation simplify network design and machine deployment Authentication access control Routing Getting from A to B Other stuff The network RUNS on these

9 Overview Impacts Attacking protocols can allow for hijacking, spoofing and impersonation control network devices elevate access change network flow hide connections sniffing …and more

10 Basic Protocols Security at the IP layer discussed over and over
Security at the link layer ignored

11 ARP Address Resolution Protocol
Used for mapping network IP addresses to physical (in the case of ethernet, MAC) interface addresses. Broadcast at the link layer.

12 ARP Security Flaws Lack of Authentication Limited Table Entries
ARP caches can be overpopulated and flushed

13 ARP Authentication Flaws
Lack of Authentication Arp replies are typically accepted and cached without concern for origin when received. No method to distinguish between legitimate and illegitimate messages

14 ARP Lack of Authentication
Invalid ARP replies When an ARP who-is is broadcast on the wire, anyone can reply and be mapped to the associated network address. Gratuitous ARP replies ARP replies without requests can be sent out and cached, diverting traffic from the compromised network address to the attacker.

15 ARP Attacks Replace entries in arp caches for existing addresses
Denial of Service Reply to requests with compromised host adress as router or nameserver. Non-blind traffic hijacking Exploitation of host-based trusts.

16 ARP Attacks ARP Cache Overpopulation
Sending too many gratuitous ARP replies flushing the target ARP cache in some implementations. Reach cache maximum, can cause devices like switches to re-enter “learning mode”

17 DHCP Dynamic Host Configuration Protocol
Popular amongst pc users for ease of installation and configuration UDP transport To broadcast, from

18 DHCP Security Problems
Unauthenticated Anyone can request an address Undirected Anyone can respond Limited ACL capabilities Limit addresses per mac

19 DHCP Attacks Get all addresses Deregister hosts Denial Of Service
Reply to requests with compromised host set as router or nameserver Deregister hosts hijack ip’s, connections

20 DHCP Fixes Authentication
ISC is adding authentication in their 3.1 implementation Others have implemented proprietary authentication mechanisms Don’t allow dynamic assignment of DNS servers or routers Statically define these

21 Gateway Protocols IGP RIPv1 RIPv2 OSPF

22 RIP Routing Information Protocol
Widely used distance-vector IGP (Interior Gateway Protocol) within autonomous systems. Exists in two forms, Version 1 and the backwards compatible Version 2. RIPv1 is extremely vulnerable to serious attack.

23 RIP Security Flaws Transport Method Authentication

24 RIP Transport Method Flaws
Based on UDP, utilizing port 520 for sending and receiving messages. UDP is unreliable, no sequencing of packets. Easy to send arbitrary data to target . Since sequencing is not a concern, forging source address can be very effective. May be able to receive data from anywhere on the internet.

25 RIP Authentication Flaws
Lack of any authentication in RIPv1 Cleartext Authentication recommended in RFC 2453 RIPv2 Specifications MD5 Key/KeyID Digest Based Authentication described in RFC 2082.

26 RIP Attacks Forging RIP messages
Spoofing source address and sending invalid routes, altering traffic flow. Traffic Hijacking Traffic Monitoring Redirecting traffic from trusted to untrusted. Obtaining Cleartext RIPv2 "password" when sent across network. Using retrieved password to send authenticated updates to RIPv2 routers, altering traffic flow with consequences listed above.

27 RIP Solutions Disabling RIPv1 and using RIPv2 with MD5 authentication.
Enabling MD5 based authentication for RIPv2 Disabling RIP completely and using OSPF with MD5 authentication as interior gateway protocol. OSPF is the suggested IGP.

28 OSPF OSPF - Open Shortest Path First
Link-State Interior Gateway Protocol. In wide use within autonomous systems. OSPF is the recommended IGP, intended as a replacement for RIP.

29 OSPF Security Flaws Authentication

30 OSPF Authentication Flaws
Default Lack of Authentication By default in some implementations, OSPF authentication may be off. Cleartext "simple password" Authentication Commonly a default setting, clear-text password included in OSPF message used to authenticate peers. Type of authentication determined by "CODE" field in the OSPF message header.

31 OSPF Attacks Forging OSPF messages
Can be somewhat difficult but theoretically possible if no authentication required or cleartext password obtained.

32 OSPF Solution Enable MD5 Authentication in OSPF implementation.

33 Authentication Flaw Overview
Authentication is a means for verification and granting of access Problems range from denial of service to active and passive attacks leading to total compromise gain access elevate access

34 Authentication Mechanisms

35 RADIUS Remote Authentication Dial In User Service RFC 2138 & 2139
Used to authenticate users Off-machine/device authentication Central authentication server called a NAS Popular implementations from Livingston and Merit

36 Radius Security Model UDP Based transport
Each packet contains an authenticator Access-Requests md5(secret + authenticator) ^ user password Access-Reject & Access-Accept md5(Code + ID + Length + Request-Auth + Attributes + Secret)

37 Radius Flaws Gaining the shared secret
Send Access-Request with all known values Authenticator = 0 User Name/Password = known Code = Access-Request (1) ID = 0, length = known Reply will come back with the following md5( length user name attr + user pass attr + Secret) Dictionary attack for Secret radbrute.tar.gz

38 Radius Flaws... Passive attack
Knowledge of a user password will allow attack if sniffing is possible Request-Access uses user password + authenticator + shared secret md5(authenticator + shared secret) ^ user pass obtain md5 by ^ userpass brute force dictionary attack with known authenticator

39 Radius Flaws... Replay Radius servers must not reuse authenticator
if authenticator isn’t cryptographically random, repeat authentications until an authenticator is reused, and replay server Request-Accept Failure limits and logging limit the effectivity Predictable authenticator If authenticator can be predicted, replay attacks become easier and more effective

Terminal Access Controller Access Control System?? Old protocol developed by BBN for Milnet Similar in concept to RADIUS Central authentication server moves authentication off device or host RFC 1492, Internet Draft “The TACACS+ Protocol”

41 TACACS, etc Flaws TACACS & XTACACS UDP Transport
spoof RESPONSE messages from server trivially Cleartext authentication normal User names and password sent exposed MD5 in newer implementations Good way to crack passwords online Easy, fast way to grind for accounts with bad passwords

42 TACACS+ TCP Transport Authentication and Encryption
Doesn’t suffer from easy spoofing; may be hijackable Authentication and Encryption May be possible to conduct attacks similar to RADIUS Defaults and failure modes may pose problems tacacs-server last-resort succeed

43 TACACS+ ... Authentication Encryption No integrity checking
Vulnerable to replay Encryption Heavy dependence on session id’s may be easy to force collision too small Lack of padding in critical places

44 NIS and NIS+ Network Information Service Originally from Sun
Popular scheme for distributing password, name service, etc RPC based transport

45 NIS and NIS+ Flaws NIS transports in plaintext
NIS is only protected by a domainname easily guessed Many vulnerabilities in implementations quick search for NIS and NIS+ vulnerabilities resulted in over a dozen individual problems NIS+ is sufficiently complex to install that no one uses it

46 NIS and NIS+ Solutions Run NIS+ if at all possible
Investigate alternatives like LDAP

47 LDAP Lightweight Directory Access Protocol
Operates on distinguished name (DN) and attribute pairs or collections

48 LDAP Flaws New and relatively untested Unfamiliar
Default ACL’s are typically poor Authentication mechanisms still not fully implemented CA based authentication still only part there DoS attacks Flood with requests

49 Network Management and Other Fun Flaws
SNMP printers

50 SNMP Simple Network Management Protocol
The most popular network management protocol Hosts, firewalls, routers, switches…UPS, power strips, ATM cards -- ubiquitous “One of the single biggest security nightmares on networks today”

51 SNMPv1 Security Flaws Transport Mechanism Authentication
Data manipulation Denial of Service Replay Authentication Host Based Community Based Information Disclosure

52 SNMP Transport Mechanism Flaws
UDP Based Unreliable - packets may or may not be received Easily forged - trivial to forge source of packets

53 SNMP Authentication Flaws
Host Based Fails due to UDP transport DNS cache poisoning Community Based Cleartext community Community name prediction/brute forcing Default communities

54 SNMP Popular Defaults Popular defaults public private write
“all private” monitor manager security admin lan default password tivoli openview community snmp snmpd system and on and on...

55 SNMPv1 Information Disclosure
Routing tables Network topology Network traffic patterns Filter rules

56 RMON and RMON2 Security SNMPv1’s flaws
additional hazards by introducing “action invocation” objects collects extensive info on subnet packet captures

57 SNMP Fixes Disable it ACL It Read-Only

58 Printers Flaws Actually a very large potential problem
Laundering of hacking spoils bounce attacks Denial of service

59 Printer flaws... Many printers have FTP servers Allow anonymous access
store as much data as memory or disk space in the printer - great place to store hacking tools, sniffer logs, and other stolen things Most are poor implementations easily used in more complex attacks ftp bounce Berkeley lpd flaws

60 Printer flaws... Denial of Service Used as a tool to conduct DoS
most love to respond to broadcast pings smurf Service denied poor tcp/ip implementations crash easily poor service implementation SNMP ftp

61 Printer fixes? Disable everything you can

62 Example applications Defeat sniffing Race hosts on ARP replies
reply to ARP’s with broadcast address overpopulate caches some switches will flush their caches alter routing on the host you want to sniff

63 Examples Defeating things like SSH Gaining router access Alter routing
Create SSH proxy Client will note key mismatch, but who ever pays attention? Gaining router access Obtain auth protocol key via brute force Extract passwords on the wire Just plain old sniff

64 What to do? Maintain good perimeter defenses
At least you only have to trust your employees… Use cryptographically secure transports Crypto is good But crypto fails without good policy Disable unneeded services Not using SNMP?

65 What to do... Disable things like routed on hosts
99% of the time, static routes work fine on end machines Use the strongest authentication methods possible Long keys, strong crypto

66 Questions? Jeremy Rauch

Download ppt "Network Infrastructure Insecurity"

Similar presentations

Ads by Google