Router and Switch Security By: Kulin Shah Krunal Shah
LAB GOAL This lab will introduce students to the concept of security of network devices Few attacks on routers as well as switches and their countermeasures
PHYSICAL ACCESS COMPROMISE We will use the virtual XP machine and one Cisco router and switch on the playstation to carry out the attack. we assume that the attacker has physical access to the router Connect a console cable from routers console port to the serial port of the computer Configure the settings are as shown below Set "Bits per second" to 9600 Set "Data Bits" to 8 Set "Stop Bits" to 1 Set "Flow control" to none
Router break-in Send a break signal to the router within 60 seconds of the power up will put the router into the ROM monitor (ROMMON) mode. The break sequence would depend on your terminal emulation program. The break signal for the HyperTerminal is (CTRL-BREAK) So basically aim is to make it boot from the ROM than the NVRAM
*** System received an abort due to Break Key *** signal= 0x3, code= 0x500, context= 0x813ac158PC = 0x802d0b60, Vector rommon 1 > confreg 0x2142 rommon 2 > reset System Bootstrap, Version 11.3(2)XA4, RELEASE SOFTWARE (fc1)Copyright (c) 1999 by cisco Systems, Inc.TAC:Home:SW:IOS:Specials for infoC2600 platform with Kbytes of main memory program load complete, entry point: 0x , size: 0x6fdb4c Self decompressing the image : ############################################################ ############################################################ ############################################################ ############################################################ ######## [OK]
Copy the NVRAM config file into RAM with copy start run Whoa!! Counter measure : block the break signal dropping an attacker into ROMMON on a Cisco router using no service password-recovery command
PVLAN on CISCO SWITCHES Primarily to achieve isolation without going through the pain of creating VLANS Multiple IPs not required
Lab set up for PVLAN
EXECUTION
HTTP AUTHENTICATION VULNERABILITY When the HTTP server is enabled and local authorization is used on Cisco device. It is possible, to bypass the authentication and execute any command on the device. All commands will be executed with the highest privilege (level 15). All releases of Cisco IOS software, starting with release 11.3 and later, are vulnerable.
ATTACK EXECUTION By sending a particular URL to a Cisco IOS device with the HTTP server enabled, a remote attacker may be able to execute commands with the administrator privileges. The malicious URL is of the following form: /level/XX/exec/... XX is a number between 16 & 99. This vulnerability is documented as Cisco Bug ID CSCdt93862
VULNERABLE PRODUCTS Cisco devices that may be running with affected Cisco IOS software releases include but are not limited to: Cisco routers in the AGS/MGS/CGS/AGS+, IGS, RSM, 800, ubr900, 1000, 1400, 1500, 1600, 1700, 2500, 2600, 3000, 3600, 3800, 4000, 4500, 4700, AS5200, AS5300, AS5800, 6400, 7000, 7100, 7200, ubr7200, 7500, and series. Most recent versions of the LS1010 ATM switch. The Catalyst 6000 and 5000 if they are running Cisco IOS software. The Catalyst 2900XL and 3500XL LAN switch only if it is running Cisco IOS software. The Catalyst 2900 and 3000 series LAN switches are affected.
COUNTERMEASURES Upgrading IOS to 12.0 or later Disabling HTTP Terminal Access Controller Access Control System (TACACS+) or Remote Authentication Dial in Service (Radius) for authentication.
MACOF ATTACK When a Layer 2 switch receives a frame, the switch looks in the CAM table for the destination MAC address. If an entry exists for the MAC address in the CAM table, the switch forwards the frame to the port designated in the CAM table for that MAC address. If no entry exists for the MAC address the frame, the switch looks at the source of the frame and adds it to CAM table entry. And the frame is essentially broadcasted on each and every port. This is the mechanism switches used to build their CAM table.
ATTACK EXECUTION CAM overflow
ATTACK SUCCESSFUL
COUNTERMEASURES If no protection against MAC address spoofing is setting up, this attack could succeed. By protecting the interface with “switchport port-security maximum 3” The port shut down after having seen the third different MAC address. Thus this attack has been defeated.
CONCLUSION We have exploited some of the vulnerabilities. Due to the ignorance and lack of knowledge of the system administrator it is easy to exploit many such vulnerabilities prevalent in the network devices. This lab aims to educate students about the threats and vulnerabilities existing in the network devices.
REFERENCES “Virtual LAN Security: weaknesses and countermeasures GIAC Security Essentials Practical Assignment” - Steve A. Rouiller “Hacking Exposed Cisco Security Secrets and Solutions”- Andrew A. Vladimirov, Konstantin V. Gavrilenko, Janis N. Vizulis and Andrei A. Mikhailovsky protocol_home.htmlhttp:// protocol_home.html
QUESTIONS??