Router and Switch Security
By: Kulin Shah, Krunal Shah

LAB GOAL
• This lab introduces students to the concept of security of network devices.
• A few attacks on routers as well as switches, and their countermeasures.

PHYSICAL ACCESS COMPROMISE
• We will use the virtual XP machine and one Cisco router and switch on the playstation to carry out the attack.
• We assume that the attacker has physical access to the router.
• Connect a console cable from the router's console port to the serial port of the computer.
• Configure the terminal settings as shown below:
  • Set "Bits per second" to 9600
  • Set "Data Bits" to 8
  • Set "Stop Bits" to 1
  • Set "Flow control" to none

Router break-in
• Send a break signal to the router within 60 seconds of power-up; this puts the router into ROM monitor (ROMMON) mode. The break sequence depends on your terminal emulation program; for HyperTerminal it is CTRL-BREAK.
• The aim is to make the router boot from ROM rather than from the configuration stored in NVRAM.

*** System received an abort due to Break Key ***
signal= 0x3, code= 0x500, context= 0x813ac158
PC = 0x802d0b60, Vector
rommon 1 > confreg 0x2142
rommon 2 > reset
System Bootstrap, Version 11.3(2)XA4, RELEASE SOFTWARE (fc1)
Copyright (c) 1999 by cisco Systems, Inc.
TAC:Home:SW:IOS:Specials for info
C2600 platform with 32768 Kbytes of main memory
program load complete, entry point: 0x80008000, size: 0x6fdb4c
Self decompressing the image : ############################################################ [OK]

• Copy the NVRAM config file into RAM with "copy start run".
• Whoa!!
• Countermeasure: block the break signal that drops an attacker into ROMMON on a Cisco router by using the "no service password-recovery" command.

PVLAN ON CISCO SWITCHES
• Primarily to achieve isolation without going through the pain of creating VLANs.
• Multiple IPs are not required.

LAB SET UP FOR PVLAN

EXECUTION

HTTP AUTHENTICATION VULNERABILITY
• Applies when the HTTP server is enabled and local authorization is used on a Cisco device.
• It is possible to bypass the authentication and execute any command on the device.
• All commands are executed with the highest privilege (level 15).
• All releases of Cisco IOS software, starting with release 11.3 and later, are vulnerable.

ATTACK EXECUTION
• By sending a particular URL to a Cisco IOS device with the HTTP server enabled, a remote attacker may be able to execute commands with administrator privileges. The malicious URL is of the following form:
• http://<address>/level/XX/exec/...
• XX is a number between 16 and 99.
• This vulnerability is documented as Cisco Bug ID CSCdt93862.

VULNERABLE PRODUCTS
Cisco devices that may be running affected Cisco IOS software releases include but are not limited to:
• Cisco routers in the AGS/MGS/CGS/AGS+, IGS, RSM, 800, ubr900, 1000, 1400, 1500, 1600, 1700, 2500, 2600, 3000, 3600, 3800, 4000, 4500, 4700, AS5200, AS5300, AS5800, 6400, 7000, 7100, 7200, ubr7200, 7500, and 12000 series.
• Most recent versions of the LS1010 ATM switch.
• The Catalyst 6000 and 5000, if they are running Cisco IOS software.
• The Catalyst 2900XL and 3500XL LAN switches, only if they are running Cisco IOS software.
• The Catalyst 2900 and 3000 series LAN switches are affected.

COUNTERMEASURES
• Upgrading IOS to 12.0 or later.
• Disabling HTTP.
• Using Terminal Access Controller Access Control System (TACACS+) or Remote Authentication Dial-In User Service (RADIUS) for authentication.

MACOF ATTACK
• When a Layer 2 switch receives a frame, the switch looks in the CAM table for the destination MAC address.
• If an entry exists for the MAC address in the CAM table, the switch forwards the frame to the port designated in the CAM table for that MAC address.
• If no entry exists for the destination MAC address, the switch looks at the source address of the frame and adds it as a CAM table entry.
• The frame is then essentially broadcast on each and every port. This is the mechanism switches use to build their CAM table.

ATTACK EXECUTION
• CAM overflow

ATTACK SUCCESSFUL

COUNTERMEASURES
• If no protection against MAC address spoofing is set up, this attack can succeed.
• Protect the interface with "switchport port-security maximum 3".
• The port shuts down after having seen the third different MAC address.
• Thus this attack has been defeated.

CONCLUSION
• We have exploited some of the vulnerabilities.
• Due to the ignorance and lack of knowledge of the system administrator, it is easy to exploit many such vulnerabilities prevalent in network devices.
• This lab aims to educate students about the threats and vulnerabilities existing in network devices.

QUESTIONS??
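The /level/XX/exec URL form from the HTTP AUTHENTICATION VULNERABILITY slides can be picked out of request logs, which is the detection side of the countermeasures listed there. The following Python script is an added example, not part of the original slides. It assumes access-log lines in Common Log Format, as a proxy or logging gateway placed in front of the management interface might record them; the five sample lines are constructed. The IOS web interface legitimately uses /level/15/exec/..., so only levels 16 to 99, the range the slides give, are flagged.

```python
"""Detect requests matching the Cisco IOS HTTP authorization bypass URL form
/level/XX/exec/... (Cisco Bug ID CSCdt93862), XX from 16 to 99.
Added defensive example, not from the original slides; the log lines are constructed."""
import re
from dataclasses import dataclass

# Common Log Format: host ident authuser [timestamp] "METHOD path version" status bytes
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# The IOS web interface legitimately uses /level/15/exec/...; the slides give
# 16 to 99 as the level values used by the bypass.
LEVEL_RE = re.compile(r"^/level/(?P<level>\d{1,3})/exec(?:/|$)")
BYPASS_LEVELS = range(16, 100)


@dataclass
class Finding:
    src: str
    ts: str
    level: int
    path: str
    status: int


def path_level(path):
    """Privilege level named in a /level/XX/exec path, or None for any other path."""
    m = LEVEL_RE.match(path)
    return int(m.group("level")) if m else None


def is_bypass_attempt(path):
    level = path_level(path)
    return level is not None and level in BYPASS_LEVELS


def scan(lines):
    """Parse CLF lines and return a Finding for each request that looks like the bypass."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; skip it
        path = m.group("path")
        if is_bypass_attempt(path):
            findings.append(Finding(m.group("src"), m.group("ts"), path_level(path),
                                    path, int(m.group("status"))))
    return findings


def by_source(findings):
    """Count flagged requests per source address.  The status field of each Finding
    shows whether the device answered the request with 200 rather than rejecting it."""
    counts = {}
    for f in findings:
        counts[f.src] = counts.get(f.src, 0) + 1
    return counts


# Constructed sample log (not real traffic).  Only the /level/16 and /level/99
# requests from 10.0.0.99 should be flagged; level 15 is normal use of the web
# interface and level 100 is outside the range the slides give.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Oct/2003:13:55:36 -0700] "GET /level/15/exec/show/version HTTP/1.0" 200 1043',
    '10.0.0.99 - - [10/Oct/2003:13:56:01 -0700] "GET /level/16/exec/show/version HTTP/1.0" 200 1043',
    '10.0.0.99 - - [10/Oct/2003:13:56:07 -0700] "GET /level/99/exec/ HTTP/1.0" 200 312',
    '10.0.0.7 - - [10/Oct/2003:13:57:12 -0700] "GET /index.html HTTP/1.0" 404 209',
    '10.0.0.99 - - [10/Oct/2003:13:58:00 -0700] "GET /level/100/exec/show/version HTTP/1.0" 401 0',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print("%s %s level=%d status=%d %s" % (f.ts, f.src, f.level, f.status, f.path))
    print(by_source(scan(SAMPLE_LOG)))
```

A 200 response on a flagged request means the device honoured it, which is the case that warrants checking the running configuration for changes; requests the device rejected still identify the source address probing for the bug.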
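To show why "switchport port-security maximum N" defeats the CAM overflow described under MACOF ATTACK and its COUNTERMEASURES, here is an added Python simulation of a switch's CAM table; it is not code from the slides. It assumes a CAM table of fixed capacity with no aging, and it follows the IOS semantics in which "maximum N" allows N secure source addresses on the port and a frame from a further address is a violation that err-disables the port (violation mode shutdown). The port numbers, host MAC addresses, and the 1000-entry table size are constructed for the demonstration.

```python
"""Simulation of CAM table learning, CAM overflow, and port security.
Added example (not from the original slides); all MACs, ports and sizes are constructed."""
from dataclasses import dataclass, field


@dataclass
class Frame:
    src: str      # source MAC
    dst: str      # destination MAC
    in_port: int  # port the frame arrived on


@dataclass
class PortSecurity:
    maximum: int                                   # "switchport port-security maximum N"
    secure_macs: set = field(default_factory=set)  # addresses learned as secure
    err_disabled: bool = False                     # set on a violation (mode shutdown)


class Switch:
    """Minimal Layer 2 switch: fixed-size CAM table, no aging."""

    def __init__(self, ports, cam_capacity):
        self.ports = list(ports)
        self.cam_capacity = cam_capacity
        self.cam = {}       # MAC -> port
        self.security = {}  # port -> PortSecurity

    def enable_port_security(self, port, maximum):
        self.security[port] = PortSecurity(maximum)

    def _is_disabled(self, port):
        sec = self.security.get(port)
        return sec is not None and sec.err_disabled

    def _port_security_allows(self, frame):
        """Apply port security on the ingress port; False means the frame is dropped."""
        sec = self.security.get(frame.in_port)
        if sec is None:
            return True
        if sec.err_disabled:
            return False
        if frame.src in sec.secure_macs:
            return True
        if len(sec.secure_macs) >= sec.maximum:
            sec.err_disabled = True  # violation: a new MAC beyond the allowed maximum
            return False
        sec.secure_macs.add(frame.src)
        return True

    def _learn(self, frame):
        """Record the source MAC; a full table silently stops learning new addresses."""
        if frame.src in self.cam or len(self.cam) < self.cam_capacity:
            self.cam[frame.src] = frame.in_port

    def forward(self, frame):
        """Egress ports: the one CAM-table port on a hit, every other live port on a miss."""
        if not self._port_security_allows(frame):
            return []
        self._learn(frame)
        if frame.dst in self.cam:
            return [self.cam[frame.dst]]
        return [p for p in self.ports if p != frame.in_port and not self._is_disabled(p)]


def flood_from(switch, port, count):
    """Send `count` frames with distinct constructed source MACs into `port`;
    return how many the switch actually forwarded."""
    forwarded = 0
    for i in range(count):
        src = "02:00:00:00:%02x:%02x" % (i >> 8, i & 0xFF)
        if switch.forward(Frame(src, "ff:ff:ff:ff:ff:ff", port)):
            forwarded += 1
    return forwarded


ATTACKER_PORT, HOST_B_PORT, HOST_D_PORT = 1, 2, 4            # constructed topology
MAC_B, MAC_D = "00:aa:00:00:00:0b", "00:aa:00:00:00:0d"      # constructed hosts


def scenario(port_security_max=None):
    """Overflow from port 1, then host D's first frame and host B's reply to it.
    Returns (switch, frames forwarded during the flood, egress ports of B's reply)."""
    sw = Switch(ports=[1, 2, 3, 4], cam_capacity=1000)
    if port_security_max is not None:
        sw.enable_port_security(ATTACKER_PORT, port_security_max)
    forwarded = flood_from(sw, ATTACKER_PORT, count=1000)
    sw.forward(Frame(MAC_D, MAC_B, HOST_D_PORT))           # D speaks for the first time
    egress = sw.forward(Frame(MAC_B, MAC_D, HOST_B_PORT))  # B replies to D
    return sw, forwarded, egress


if __name__ == "__main__":
    sw, n, egress = scenario()
    print("unprotected: forwarded %d flood frames, %d CAM entries, B->D goes to ports %s"
          % (n, len(sw.cam), egress))
    sw, n, egress = scenario(port_security_max=3)
    print("port-security max 3: forwarded %d flood frames, port 1 err-disabled=%s, B->D goes to ports %s"
          % (n, sw.security[ATTACKER_PORT].err_disabled, egress))
```

Without port security the table fills with the flood's addresses, host D cannot be learned, and B's unicast reply to D is flooded to every port including the attacker's. With "maximum 3" on the attacker's port only three frames get through before the port is err-disabled, the table stays small, and the reply is delivered to D's port alone.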