Neutering Ettercap in Cisco Switched Networks For Fun and Profit

What’s With the Title? (AKA Scope)
• How the protocols function under normal and malicious circumstances
• Ettercap’s capabilities for protocol abuse: DHCP Spoofing, ARP Poisoning, ICMP Redirects, Port Stealing
• Countermeasures to defend against these kinds of abuses
• Configuring countermeasures for Cisco IOS
• Best practices for implementation
• This is for CISCO NETWORKS ONLY! (sorry Juniper)

Why Protocol Abuse Works
• The protocols are OLD! They were created during a more friendly time in networking.
• They were not created with authentication measures or security in mind.
• Engineers were focused on transmitting data without errors, not on who was sending it or what was being sent.

Let's spoof some DHCP!
You can trust me, I’m a nice DHCP server. ;)

DHCP Spoofing – Function
Dynamic Host Configuration Protocol (DHCP) permits a host connected to a Local Area Network (LAN) segment to be dynamically assigned the parameters it needs to send and receive data over a network. The exchange of DHCP information is sent as a broadcast, which means that any host on the LAN segment will receive a copy of the DHCP exchange.

Normally, a host would ignore this exchange, but Ettercap has a built-in feature to intercept and quickly reply to these DHCP messages before the authentic DHCP server can reply. This causes the host to continue the exchange with Ettercap and ignore the authentic server.

The main purpose of this is to tell the host to use the Ettercap machine as its 'Default Gateway', the address to which it forwards data destined for off the network. This allows for a 'Half-Duplex' MitM, meaning the attacker will only see half of the exchange, as the return packets will not be seen by the attacker unless combined with tunneling techniques.
[Diagram slides: the DHCP exchange on the LAN segment, with EVE (the attacker) answering the client's broadcast before the authentic server]

DHCP Spoofing – Countermeasures
To combat not only Ettercap but all rogue DHCP servers, the 'IP DHCP Snooping' process will be enabled. Available on both Layer 2 and Layer 3 switches, DHCP Snooping applies a two-pronged approach.

IP DHCP Snooping only allows authentic DHCP servers to reply to transactions. Rogue servers that send replies to DHCP requests will have the reply packet dropped by the switch, and a log message will be generated. The DHCP transaction will still be visible to all hosts on the LAN segment, but replies are strictly policed using 'Trusted Interfaces'.

DHCP replies received on a Trusted Interface (switch port) are forwarded automatically; however, all ports on the switch are Untrusted by default. Only ports leading to gateway routers and/or other DHCP Snooping enabled switches should be set to Trusted.

IMPORTANT NOTE: Unless your DHCP server supports Option 82 tagging, you must disable it! Cisco switches by default will tag snooped DHCP transactions with Option 82 information before forwarding. This will more than likely cause the DHCP server to ignore the request, creating an inadvertent DoS situation.

DHCP Spoofing – Configuration
• Enable the IP DHCP Snooping process
  – Switch(config)# ip dhcp snooping
• Define which VLANs are to be snooped
  – Switch(config)# ip dhcp snooping vlan <VLAN_RANGE>
  • i.e.
    1,2,3-5,8-10,23,25-50
• Disable DHCP Option 82 tagging
  – Switch(config)# no ip dhcp snooping information option
• Trust gateway/inter-switch links
  – Switch(config)# int fa0/1
  – Switch(config-if)# ip dhcp snooping trust
• Create a DHCP binding database
  – Switch(config)# ip dhcp snooping database <URL>
  • Best practice is to store this DB in switch flash memory
  • Re-DHCP all hosts on the LAN segment to populate the DHCP binding DB

DHCP Spoofing – Countermeasures Bonus!
• To prevent DHCP starvation attacks, set a DHCP packets-per-second limit on untrusted interfaces
  – Switch(config)# int range fa0/2-24
  – Switch(config-if)# ip dhcp snooping limit rate <#_OF_DHCP_PPS>
  • 3 DHCP packets per second is a best practice

Won’t someone think of the child... er... ARPs?!
All your ARPs are belong to us!

ARP Poisoning – Function
Address Resolution Protocol (ARP) allows hosts on a LAN segment to communicate with each other. Networks are defined by their physical (Layer 2) and logical (Layer 3) design, or topology. It is normal for the two topologies to be completely different, and ARP provides the mapping between the two.

This is important because of how switches and routers forward data. Switches forward data primarily based on the physical topology, whereas routers forward based solely on the logical topology. If Layer 2 can be controlled, so can every OSI layer above it.

By producing falsified ARP broadcasts, Ettercap can convince hosts and routers alike to forward all of their traffic through the attacker's physical address. Ettercap basically tricks all or some of the hosts on the LAN into believing that its physical address corresponds to the victim's logical address.

This is very powerful, as it creates a Full-Duplex MitM, in that both sent and received data will be seen by the attacker.
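The DHCP Snooping checklist above (process enabled, VLANs covered, Option 82 tagging disabled, only uplinks trusted, host ports rate-limited) is easy to get partly wrong on a switch with dozens of ports. The following audit script is an added example, not part of the presentation: it expands an IOS VLAN range string such as the one shown and checks a constructed `show running-config` excerpt against that checklist. The interface names and the config text are constructed for the example; the checks are limited to the commands the slides introduce.

```python
"""Audit a Cisco IOS running-config excerpt for the DHCP Snooping settings
described in the slides. Added example with a constructed config; interface
names are assumptions."""
import re

def parse_vlan_range(spec):
    """Expand an IOS VLAN range such as '1,2,3-5,8-10,23,25-50' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = part.split("-", 1)
            vlans.update(range(int(lo), int(hi) + 1))
        else:
            vlans.add(int(part))
    return vlans

def parse_interfaces(config):
    """Return {interface_name: [sub-commands]} for every 'interface' block."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            blocks[current] = []
        elif current is not None and line.startswith(" "):
            blocks[current].append(line.strip())
        else:
            current = None        # '!' or another global command ends the block
    return blocks

def audit_dhcp_snooping(config, required_vlans, uplinks):
    """Apply the countermeasure checklist. Returns a list of findings; an empty
    list means the excerpt passes every check."""
    findings = []
    globals_ = [l.strip() for l in config.splitlines() if not l.startswith(" ")]
    if "ip dhcp snooping" not in globals_:
        findings.append("global 'ip dhcp snooping' is missing")
    snooped = set()
    for l in globals_:
        m = re.match(r"ip dhcp snooping vlan (\S+)", l)
        if m:
            snooped |= parse_vlan_range(m.group(1))
    missing = required_vlans - snooped
    if missing:
        findings.append("VLANs not snooped: %s" % sorted(missing))
    if "no ip dhcp snooping information option" not in globals_:
        findings.append("Option 82 insertion still enabled (DoS risk if the server rejects it)")
    for name, cmds in parse_interfaces(config).items():
        trusted = "ip dhcp snooping trust" in cmds
        limited = any(c.startswith("ip dhcp snooping limit rate") for c in cmds)
        if name in uplinks and not trusted:
            findings.append("uplink %s is not trusted" % name)
        elif name not in uplinks and trusted:
            findings.append("host port %s is trusted (rogue server could reply here)" % name)
        elif name not in uplinks and not limited:
            findings.append("host port %s has no DHCP rate limit" % name)
    return findings

# Constructed running-config excerpt with several deliberate gaps.
SAMPLE_CONFIG = """\
ip dhcp snooping
ip dhcp snooping vlan 1,2,3-5,8-10
!
interface FastEthernet0/1
 ip dhcp snooping trust
!
interface FastEthernet0/2
 switchport mode access
 ip dhcp snooping limit rate 3
!
interface FastEthernet0/3
 switchport mode access
 ip dhcp snooping trust
!
interface FastEthernet0/4
 switchport mode access
"""

if __name__ == "__main__":
    for finding in audit_dhcp_snooping(SAMPLE_CONFIG, {1, 2, 3, 4, 5, 8, 9, 10, 23},
                                       {"FastEthernet0/1"}):
        print("FINDING:", finding)
```

Run against the constructed excerpt, the audit reports VLAN 23 as unsnooped, Option 82 still enabled, FastEthernet0/3 trusted although it is a host port, and FastEthernet0/4 without a rate limit; a config that applies every slide recommendation returns no findings.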
A particularly powerful capability of Ettercap is the ability to intercept the negotiation of encryption parameters for SSH and SSL tunnels, allowing the attacker to read the encrypted data in plain text.

[Diagram slides: a host asks "What is the server’s MAC address?"; the server answers "The server is @ dddd.dddd.dddd"; EVE then broadcasts "All hosts are @ 1111.1111.1111"]

ARP Poisoning – Countermeasures
Cisco switches, both Layer 2 and Layer 3, support a process called 'Dynamic ARP Inspection' (DAI). The DAI process works in tandem with DHCP Snooping. DHCP Snooping builds an internal database of Layer 2-to-Layer 3 mappings, the very thing ARP is used to determine.

Since the switch has seen the entire DHCP transaction, and knows which of its switch ports the request came from, it is able to use these bindings to identify false ARP broadcasts and kill them before they propagate to other hosts.

Every invalid ARP reply will be dropped by the switch and generates a log message. ARP requests will still be allowed to propagate as normal, since they need to reach their target to elicit a reply.

Only ARP replies are policed, and they must pass inspection at the first receiving switch, which then places them in a 'trust zone' of clean ARPs. DAI places all interfaces in an untrusted state by default, meaning ARP replies received on that interface must be validated.

Router/inter-switch links connected only to other DAI-enabled switches should be trusted (an ARP access-list is a more secure option for routers).
Hosts that have static network assignments will have a static binding set on the switch they are directly connected to.

ARP Poisoning – Configuration
• Enable the DAI process on the appropriate VLANs
  – Switch(config)# ip arp inspection vlan <VLAN_RANGE>
• Trust links connected ONLY to routers and other DAI-enabled switches
  – Switch(config)# int fa0/1
  – Switch(config-if)# ip arp inspection trust
• Set an ARP PPS limit on untrusted interfaces
  – Switch(config)# int range fa0/2-24
  – Switch(config-if)# ip arp inspection limit rate <#_OF_ARP_PPS>
• Define static bindings for non-DHCP hosts
  – Switch(config)# arp access-list <ARP_ACL_NAME>
  – Switch(config-arp-nacl)# permit ip host <HOST_IP> mac host <HOST_MAC> [log]
  • i.e. permit ip host 192.168.1.1 mac host 1111.1111.1111 log
  • [REPEAT 'permit' STATEMENT FOR EACH STATICALLY ASSIGNED HOST]
  – Switch(config-arp-nacl)# exit

ARP Poisoning – Countermeasures
• Apply the ARP ACL to the DAI process
  – Switch(config)# ip arp inspection filter <ARP_ACL_NAME> vlan <VLAN_RANGE> [static]
• ARPs matched by the ARP ACL 'permit' statements will not be checked against the DHCP snooping database. Use the 'static' keyword with caution, as the ACL is checked before the DHCP Snooping database: when 'static' is set and no match is found in the ARP ACL, the ARP reply is considered invalid without the DHCP Snooping database ever being consulted!

ICMP; Networking Ballistic Missiles!
Break out the SPF 9000!

ICMP Redirects – Function
The Internet Control Message Protocol (ICMP) is in reality a small suite of protocols used to pass network information between nodes. ICMP is more or less a legacy protocol, in that most of its functionality has been replaced and improved upon by other protocols. However, host operating systems still process most, if not all, ICMP requests in the spirit of backwards compatibility.

ICMP Redirects were used to notify routers/hosts about better pathways to reach specific networks.
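To make the DAI decision order concrete (trusted port bypass, requests unpoliced, ARP ACL consulted before the DHCP Snooping binding database, and the 'static' pitfall), here is a small simulation. It is an added example and not Cisco's implementation or anything from the slides; the binding rows, the ARP ACL entries, the port names and the log line format are all constructed. The `static` flag shows why the warning above matters: a perfectly legitimate DHCP host is dropped once the ACL becomes the only source of truth.

```python
"""Simulate Dynamic ARP Inspection on one switch. Added example with
constructed bindings, ACL entries and port names; the log line format is
made up for the example, not an IOS message."""
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Binding:            # one row of the DHCP snooping binding database
    mac: str
    ip: str
    vlan: int
    interface: str

@dataclass
class ArpPacket:
    opcode: int           # 1 = request, 2 = reply
    sender_mac: str
    sender_ip: str
    vlan: int
    interface: str        # port the switch received it on

@dataclass
class DaiSwitch:
    trusted: set = field(default_factory=set)
    bindings: set = field(default_factory=set)      # populated by DHCP snooping
    arp_acl: dict = field(default_factory=dict)     # ip -> mac, i.e. 'permit ip host .. mac host ..'
    acl_static: bool = False                        # 'ip arp inspection filter ... static'
    log: list = field(default_factory=list)

    def inspect(self, pkt):
        """Return 'forward' or 'drop' for one ARP packet; drops are logged."""
        if pkt.interface in self.trusted:
            return "forward"            # trusted links are not validated
        if pkt.opcode == 1:
            return "forward"            # requests must reach their target
        # 1) the ARP ACL is consulted first
        if self.arp_acl.get(pkt.sender_ip, "").lower() == pkt.sender_mac.lower():
            return "forward"            # 'permit' match: binding DB is skipped
        if self.acl_static:
            # with 'static', no ACL match means invalid; the binding DB is never consulted
            return self._drop(pkt, "no ARP ACL match (static)")
        # 2) otherwise fall back to the DHCP snooping binding database
        expected = Binding(pkt.sender_mac.lower(), pkt.sender_ip, pkt.vlan, pkt.interface)
        if expected in self.bindings:
            return "forward"
        return self._drop(pkt, "no DHCP snooping binding")

    def _drop(self, pkt, reason):
        self.log.append("DAI-DROP: invalid ARP reply %s is-at %s on %s vlan %d (%s)"
                        % (pkt.sender_ip, pkt.sender_mac, pkt.interface, pkt.vlan, reason))
        return "drop"

def run_demo(acl_static=False):
    """Run constructed scenarios through one switch. Returns ({label: decision}, log)."""
    sw = DaiSwitch(
        trusted={"Fa0/1"},                                   # uplink to the gateway router
        bindings={Binding("aaaa.aaaa.aaaa", "192.168.1.10", 10, "Fa0/2"),
                  Binding("dddd.dddd.dddd", "192.168.1.20", 10, "Fa0/4")},
        arp_acl={"192.168.1.1": "bbbb.bbbb.bbbb",            # static gateway entry
                 "192.168.1.5": "cccc.cccc.cccc"},           # static printer entry
        acl_static=acl_static)
    cases = {
        "genuine reply from DHCP host": ArpPacket(2, "aaaa.aaaa.aaaa", "192.168.1.10", 10, "Fa0/2"),
        "request from EVE": ArpPacket(1, "1111.1111.1111", "192.168.1.66", 10, "Fa0/3"),
        "EVE claims the server's IP": ArpPacket(2, "1111.1111.1111", "192.168.1.20", 10, "Fa0/3"),
        "EVE claims the gateway's IP": ArpPacket(2, "1111.1111.1111", "192.168.1.1", 10, "Fa0/3"),
        "gateway reply on trusted uplink": ArpPacket(2, "bbbb.bbbb.bbbb", "192.168.1.1", 10, "Fa0/1"),
        "static printer matching the ARP ACL": ArpPacket(2, "cccc.cccc.cccc", "192.168.1.5", 10, "Fa0/5"),
    }
    return {label: sw.inspect(p) for label, p in cases.items()}, sw.log

if __name__ == "__main__":
    for static in (False, True):
        decisions, log = run_demo(static)
        print("static =", static)
        for label, decision in decisions.items():
            print("  %-40s %s" % (label, decision))
        for line in log:
            print("  ", line)
```

Without `static`, EVE's two forged replies are the only drops. With `static`, the genuine DHCP host on Fa0/2 is also dropped, because its binding lives in the snooping database that is no longer consulted.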
Ettercap can send these redirects to hosts on a LAN, telling them to forward traffic for other networks to the attacker instead of their default gateway. This is a very simple Half-Duplex MitM by itself, but it can be combined with techniques to glean host information and become Full-Duplex.

[Diagram slides: EVE tells the host "Reach server.com via EVE’s IP address"]

ICMP Redirects – Countermeasures
VLAN Access-Control Lists (VACLs) can be configured on Layer 3 switches to police traffic passing within a VLAN. Unlike traditional ACLs, VLANs do not understand the concept of 'inbound' or 'outbound', so they are applied with the use of a 'VLAN access-map'. VLAN access-maps can reference ACLs to determine which protocols are allowed or denied on the VLAN segment.

ICMP Redirects – Configuration
• !Define Extended ACL!
  – The 'permit' statement does not mean ICMP redirects will be permitted, but that the VLAN access-map is allowed to act upon packets that match it.
  – Switch(config)# ip access-list extended <ACL_NAME>
  – Switch(config-ext-nacl)# permit icmp any any redirect
• !Define the VLAN access-map!
  – Best practice sequencing is to initially use increments of 10 to allow for future adjustments; lower sequence numbers are evaluated first.
  – Switch(config)# vlan access-map <VAM_NAME> <SEQ_#> (e.g. 10)
  – Switch(config-access-map)# match ip address <ACL_NAME>
  – Switch(config-access-map)# action drop
  – Switch(config-access-map)# vlan access-map <VAM_NAME> <SEQ_#> (e.g. 20)
  – Switch(config-access-map)# action forward
  – Switch(config-access-map)# exit
• !Apply VACL filter to the VLAN(s)!
  – Switch(config)# vlan filter <VAM_NAME> vlan-list <VLAN_RANGE>

Thou Shalt Not Port Steal!
I promise to bring it right back!

Port Stealing – Function
Port Stealing is not the best term to describe this particular MitM.
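The following added example (not from the slides) shows what the VACL above actually does at packet level: it builds a few IPv4 packets with `struct`, picks out the protocol and ICMP type the extended ACL matches on, and evaluates a two-entry access-map in sequence order. The packets and addresses are constructed; the second, match-less `action forward` entry is modelled as the catch-all it is on a Cisco switch, where a VACL otherwise drops packets that match no entry.

```python
"""ICMP redirect detection with a VACL-style access-map. Added example with
constructed packets; the access-map evaluation follows Cisco's documented
order (lowest sequence first, implicit drop when nothing matches)."""
import socket
import struct

ICMP_PROTO = 1
ICMP_REDIRECT = 5          # ICMP type the 'redirect' ACL keyword matches

def build_ipv4(src, dst, proto, payload):
    """Minimal 20-byte IPv4 header (no options, checksum left zero) + payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload

def build_icmp(type_, code, rest=b"\x00" * 4):
    """ICMP header: type, code, checksum (zero here) and the 4-byte 'rest of header'."""
    return struct.pack("!BBH", type_, code, 0) + rest

def parse(packet):
    """Extract the fields the extended ACL needs: src, dst, protocol, ICMP type/code."""
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    fields = {"src": socket.inet_ntoa(packet[12:16]),
              "dst": socket.inet_ntoa(packet[16:20]),
              "proto": proto}
    if proto == ICMP_PROTO:
        fields["icmp_type"], fields["icmp_code"] = packet[ihl], packet[ihl + 1]
    return fields

def permit_icmp_any_any_redirect(fields):
    """Equivalent of 'permit icmp any any redirect' in the extended ACL."""
    return fields["proto"] == ICMP_PROTO and fields["icmp_type"] == ICMP_REDIRECT

# vlan access-map BLOCK_REDIRECT 10 / match ip address <ACL> / action drop
# vlan access-map BLOCK_REDIRECT 20 / action forward  (no match clause: everything else)
ACCESS_MAP = [
    (10, permit_icmp_any_any_redirect, "drop"),
    (20, None, "forward"),
]

def vacl_action(packet, access_map=ACCESS_MAP):
    """First matching entry wins; an entry without a match clause matches everything."""
    fields = parse(packet)
    for _seq, match, action in sorted(access_map, key=lambda e: e[0]):
        if match is None or match(fields):
            return action
    return "drop"          # VACL implicit deny when no entry matches

# Constructed sample traffic on the VLAN.
EVE, VICTIM, SERVER = "192.168.1.66", "192.168.1.10", "10.0.0.5"
REDIRECT_PKT = build_ipv4(EVE, VICTIM, ICMP_PROTO,
                          build_icmp(ICMP_REDIRECT, 1, socket.inet_aton(EVE)))  # "reach it via me"
ECHO_PKT = build_ipv4(VICTIM, SERVER, ICMP_PROTO, build_icmp(8, 0))              # ordinary ping
TCP_PKT = build_ipv4(VICTIM, SERVER, 6, b"\x00" * 20)                            # ordinary TCP

if __name__ == "__main__":
    for name, pkt in (("redirect", REDIRECT_PKT), ("echo", ECHO_PKT), ("tcp", TCP_PKT)):
        print("%-8s -> %s" % (name, vacl_action(pkt)))
```

Dropping the catch-all entry 20 from `ACCESS_MAP` makes the TCP packet disappear as well, which is the mistake the "action forward" entry in the configuration above prevents.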
This method of Ettercap abuses how switches build their Layer 2 forwarding table. When data is sent from a host, it is tagged with destination and sender addresses.

Switches note the sender's Layer 2 address and associate it with the port it was received on. In this way, the switch maps Layer 2 addresses to Layer 1 (the physical port) so it can forward data as quickly as possible.

[Diagram slides: the switch CAM table starts as aaaa.aaaa.aaaa @ Port1, dddd.dddd.dddd @ Port2, 1111.1111.1111 @ Port3; EVE on Port3 sends frames with sender MAC aaaa.aaaa.aaaa, the entry for aaaa.aaaa.aaaa moves to Port3, and unknown unicast becomes broadcast]

Port Stealing – Countermeasures
With modern-day Fast and Gigabit Ethernet standards, and improved switching hardware, this particular MitM is the least effective in Ettercap's arsenal, and it is also the easiest to defend against. Using Cisco port-security, forged Layer 2 sender data can trigger a number of responses, up to and including completely disabling an interface. The parameters for Cisco port-security will vary depending on network requirements.

Port Stealing – Configuration
• Select the range of host ports
  – Switch(config)# int range fa0/2-24
  – Switch(config-if)# switchport host
  • 'switchport host' is an IOS macro that places the interface in access mode, enables Spanning Tree PortFast, and disables EtherChannel. To use Cisco port-security, though, you only need the 'switchport mode access' command.
• Enable Cisco port-security
  – Switch(config-if)# switchport port-security
• Define the maximum number of MAC addresses permitted on the interface
  – Switch(config-if)# switchport port-security maximum <#>
  • Two is recommended for networks with VoIP phones
• Define the port-security response
  – All three modes drop offending frames. Protect does not generate a log message. Restrict generates a log message. Shutdown generates a log message and disables the interface!
  – Switch(config-if)# switchport port-security violation restrict
• Define the host MAC address, or allow dynamic learning with 'sticky'
  – Switch(config-if)# switchport port-security mac-address [<H.H.H>|sticky]

Conclusion
Y’all play nice now.

While Ettercap is not the only program that performs DHCP Spoofing, ARP Poisoning, ICMP Redirect, and Port Stealing MitMs, it is one of the most popular. Keeping vigilant and understanding the threats facing networks are fundamental for network security officers. Understanding the functions of Ettercap and similar tools can give administrators new insight when reassessing security measures.
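The CAM-table diagram in the Port Stealing section and the port-security options above fit together in one small model, given here as an added example that is not from the slides and not IOS itself. It learns source MACs into a CAM table the way the diagram shows, then replays the same frames on ports secured with `maximum 1`, `sticky` and a chosen violation mode, so the difference between the three responses (protect, restrict, shutdown) is visible in the return values and log. The port names and MAC addresses are the constructed ones from the diagram.

```python
"""CAM-table learning with and without port-security, to show why the forged
sender address in port stealing fails on a secured access port. Added example
with constructed ports and MACs; the log lines are made up, not IOS messages."""
from dataclasses import dataclass, field

@dataclass
class PortSecurity:
    maximum: int = 1
    violation: str = "shutdown"        # protect | restrict | shutdown
    sticky: bool = False               # learned addresses are kept in the config
    secure_macs: set = field(default_factory=set)
    err_disabled: bool = False
    violations: int = 0

class Switch:
    def __init__(self):
        self.cam = {}          # MAC -> port: the forwarding table port stealing targets
        self.security = {}     # port -> PortSecurity (only secured ports)
        self.log = []

    def secure(self, port, maximum=1, violation="shutdown", sticky=False, static=()):
        """'switchport port-security [maximum N] [violation X] [mac-address ...]'"""
        ps = PortSecurity(maximum, violation, sticky)
        ps.secure_macs.update(m.lower() for m in static)
        self.security[port] = ps

    def ingress(self, port, sender_mac):
        """Process one frame's source address. Returns 'learned' or 'violation'."""
        mac = sender_mac.lower()
        ps = self.security.get(port)
        if ps is not None:
            if ps.err_disabled:
                return "violation"             # port stays down until re-enabled
            if mac not in ps.secure_macs:
                owner = self.cam.get(mac)
                # a MAC secured on another port, or one address too many, is a violation
                stolen = owner is not None and owner != port and owner in self.security
                if stolen or len(ps.secure_macs) >= ps.maximum:
                    return self._violate(port, ps, mac)
                ps.secure_macs.add(mac)
        self.cam[mac] = port                   # ordinary CAM learning (or a move)
        return "learned"

    def _violate(self, port, ps, mac):
        ps.violations += 1
        if ps.violation == "restrict":
            self.log.append("PORT-SECURITY: %s dropped frame from %s (restrict)" % (port, mac))
        elif ps.violation == "shutdown":
            ps.err_disabled = True
            self.log.append("PORT-SECURITY: %s err-disabled after frame from %s" % (port, mac))
        return "violation"                     # protect: dropped silently

    def sticky_config(self, port):
        """Lines IOS would add to the running-config for sticky-learned addresses."""
        ps = self.security[port]
        if not ps.sticky:
            return []
        return ["switchport port-security mac-address sticky %s" % m
                for m in sorted(ps.secure_macs)]

def port_stealing_demo(secured, violation="restrict"):
    """Replay the diagram: three hosts learned, then EVE on Port3 forges aaaa.aaaa.aaaa.
    Returns (result of the forged frame, port now holding aaaa, result of EVE's own
    next frame, the switch)."""
    sw = Switch()
    if secured:
        for p in ("Port1", "Port2", "Port3"):
            sw.secure(p, maximum=1, violation=violation, sticky=True)
    sw.ingress("Port1", "aaaa.aaaa.aaaa")
    sw.ingress("Port2", "dddd.dddd.dddd")
    sw.ingress("Port3", "1111.1111.1111")
    forged = sw.ingress("Port3", "aaaa.aaaa.aaaa")   # EVE sends with the victim's MAC
    after = sw.ingress("Port3", "1111.1111.1111")    # EVE's own traffic afterwards
    return forged, sw.cam["aaaa.aaaa.aaaa"], after, sw

if __name__ == "__main__":
    for secured, mode in ((False, "restrict"), (True, "restrict"), (True, "shutdown")):
        forged, where, after, sw = port_stealing_demo(secured, mode)
        print("secured=%s mode=%-8s forged=%-9s aaaa@%s next=%-9s log=%s"
              % (secured, mode, forged, where, after, sw.log))
```

Unsecured, the forged frame moves aaaa.aaaa.aaaa to Port3 exactly as in the diagram. With port-security, the entry stays on Port1; `restrict` logs and keeps serving EVE's own address, while `shutdown` err-disables Port3 so even her legitimate frames stop.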