Vlan Layer2 Attacking

Jul 05, 2018

Bon Tran Hong

Transcript
  • 8/16/2019 Vlan Layer2 Attacking

    1/40

    K &T :: IGS :: MAF

    VLANs Layer 2 Attacks: Their Relevance and Their Kryptonite

  • 2/40

    VLAN Layer 2 Attacks

    Security is only as strong as the weakest link

    Layer 2 attacks are timeworn but still relevant in today's networking environment

    Crime and security survey show different types of attacks for the year of 2007. CSI & FBI surveys also show that 9 of 19 types of attacks could target routers and switches

    [Chart: Attacks (other) vs. Possible Layer 2]

  • 3/40

    Equipment

    Cisco 3600, 2600 routers; Cisco 2900, 3500, 4006 switches; Wifi Netgear & Cisco-Linksys

    Tools

    Scapy, Yersinia, Macof, TCPDump, Cain & Abel, EtterCap, Ethereal

    Attacks

    ARP Attacks

    MAC Flooding Attack/CAM Table Overflow Attacks

    DHCP Starvation Attack

    CDP Attack

    Spanning-Tree Attack

    Multicast Brute Force

    VLAN Trunking Protocol Attack

    Private VLAN Attack

    VLAN Hopping Attack

    Double-Encapsulated 802.1Q/Nested VLAN Attack

    VLAN Management Policy Server (VMPS)/VLAN Query Protocol (VQP) Attack

  • 4/40

    How to get a lab for testing purposes

  • 5/40

    Just ask HD Moore's ISP

    Someone was ...

    13:04:39.768055 00:10:f2:??:cd:3a > 00:10:f2:??:d0:c9, ethertype ...

  • 6/40

  • 7/40

  • 8/40

  • 9/40

    Port Security

    Non changing ARP entries (don't waste your time)

    DHCP Snooping (the network device maintains a record of the MAC address that are connected to ARP port)

    Arpwatch (listens to arp replies)

    ArpON

  • 10/40

    MAC flooding attacks are often ignored in the corporate environment. MAC flooding – switch ports act like a hub when overloaded.

    CAM table – table fills and the switch begins to echo any received frame to all port (traffic bleeds out). Tools to perform this attack:

    dsniff, Macof, Cain & Abel, Ettercap
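    The CAM-overflow behaviour this slide describes, and the port-security limit the deck recommends later on, modelled in Python as an added example (this is not code from the deck or its author). Port names, MAC addresses and the CAM capacity are constructed sample values; a real switch's CAM holds thousands of entries, and the small capacity used in the second call only exists to show the table filling up:

```python
from collections import defaultdict

# Constructed sample of (ingress port, source MAC) pairs, in the order a switch
# would learn them. Fa0/1 and Fa0/2 are ordinary access ports; Fa0/7 carries a
# burst of 500 random-looking source MACs, the signature of a macof-style flood.
def _fake_mac(i):
    return "02:00:00:%02x:%02x:%02x" % ((i >> 16) & 0xFF, (i >> 8) & 0xFF, i & 0xFF)


SAMPLE_FRAMES = (
    [("Fa0/1", "00:11:22:33:44:01")] * 5
    + [("Fa0/2", "00:11:22:33:44:02"), ("Fa0/2", "00:11:22:33:44:03")]
    + [("Fa0/7", _fake_mac(i)) for i in range(500)]
)


def learn_cam(frames, capacity=8192):
    """Build a CAM-style table (port -> set of learned source MACs).

    Returns (table, full). Once 'capacity' entries are learned the table is
    full: a real switch then has no entry for new destinations and floods
    unknown-unicast frames out of every port, which is the 'traffic bleeds
    out' condition on the slide.
    """
    table = defaultdict(set)
    total, full = 0, False
    for port, mac in frames:
        if mac in table[port]:
            continue
        if total >= capacity:
            full = True
            continue  # no room left; nothing more is learned
        table[port].add(mac)
        total += 1
    return dict(table), full


def flooding_ports(frames, max_macs_per_port=8):
    """Detection view: ports that learned far more MACs than an access port should."""
    table, _ = learn_cam(frames)
    return sorted(p for p, macs in table.items() if len(macs) > max_macs_per_port)


def port_security(frames, maximum=2):
    """Mitigation view: 'switchport port-security maximum N' with the default
    shutdown violation mode. A port that sees more than N distinct MACs is
    err-disabled and learns nothing further."""
    allowed = defaultdict(set)
    state = {}
    for port, mac in frames:
        if state.get(port) == "err-disabled":
            continue
        if mac in allowed[port]:
            state.setdefault(port, "secure-up")
            continue
        if len(allowed[port]) >= maximum:
            state[port] = "err-disabled"
        else:
            allowed[port].add(mac)
            state[port] = "secure-up"
    return state


if __name__ == "__main__":
    print("flooding ports:", flooding_ports(SAMPLE_FRAMES))
    print("port-security result:", port_security(SAMPLE_FRAMES))
    print("small CAM full?", learn_cam(SAMPLE_FRAMES, capacity=100)[1])
```

    The two views are deliberately separate: `flooding_ports` is what a monitoring system would compute from MAC-learning logs or SNMP bridge-table polls, while `port_security` shows why the recommended per-port MAC limit stops the flood at the second rogue address rather than after thousands.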

  • 11/40

    Macof at work flooding the Cisco switch

  • 12/40

    Switch is bleeding out the traffic

  • 13/40

    Same as the A

  • 14/40

    DHCP Scope exhaustion (client spoofs other clients)

    Installation of a rogue DHCP server

    Tools

    Yersinia

    Gobbler

  • 15/40

  • 16/40

    Possible to setup a rogue DHCP server.

    The attacker may hijack traffic and this can have devastating results.

  • 17/40

    Demo Time

    DHCP Starvation Demo

  • 18/40

    Limiting the number of MAC addresses on a switch port will reduce the risk of DHCP starvation attacks.

    DHCP Snooping – monitors and restricts DHCP
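    To make the two mitigations on this slide concrete, here is an added Python model of DHCP snooping with a per-port rate limit and client-MAC verification (example code written for this transcript, not code from the deck or from any switch vendor). The trusted uplink, port names, MAC and IP addresses are constructed sample values, and the limit of 15 DHCP messages per untrusted port is an assumed number:

```python
from collections import Counter

SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}

# Constructed sample traffic: (port, DHCP message type, frame source MAC,
# client hardware address (chaddr), yiaddr). Gi0/1 is the uplink towards the
# legitimate DHCP server; Fa0/9 carries a rogue server's OFFER; Fa0/5 sends a
# burst of DISCOVERs whose chaddr never matches the sending NIC, the shape of
# a scope-exhaustion attempt.
SAMPLE_DHCP = [
    ("Fa0/3", "DISCOVER", "00:aa:00:00:00:03", "00:aa:00:00:00:03", None),
    ("Gi0/1", "OFFER",    "00:50:56:00:00:01", "00:aa:00:00:00:03", "10.0.0.50"),
    ("Fa0/9", "OFFER",    "00:bb:00:00:00:09", "00:aa:00:00:00:03", "10.0.0.99"),
    ("Fa0/3", "REQUEST",  "00:aa:00:00:00:03", "00:aa:00:00:00:03", None),
    ("Gi0/1", "ACK",      "00:50:56:00:00:01", "00:aa:00:00:00:03", "10.0.0.50"),
] + [
    ("Fa0/5", "DISCOVER", "00:cc:00:00:00:05",
     "de:ad:be:ef:%02x:%02x" % (i >> 8, i & 0xFF), None)
    for i in range(40)
]


def dhcp_snooping(messages, trusted_ports, rate_limit=15, verify_mac=True):
    """Apply DHCP-snooping style rules to a list of messages.

    - server messages (OFFER/ACK/NAK) are only accepted on trusted ports,
      which is what stops the rogue server on slide 16
    - untrusted ports are rate limited; exceeding the limit err-disables the port
    - with verify_mac, a client message whose chaddr differs from the frame's
      source MAC is dropped, so one NIC cannot claim many leases
    - ACKs from trusted ports populate a MAC -> (IP, client port) binding table
    Returns the forwarded message indexes, the drops with reasons, the
    err-disabled ports and the binding table.
    """
    forwarded, dropped = [], []
    err_disabled, seen = set(), Counter()
    client_port, bindings = {}, {}
    for idx, (port, mtype, src_mac, chaddr, yiaddr) in enumerate(messages):
        if port in err_disabled:
            dropped.append((idx, "port %s is err-disabled" % port))
            continue
        trusted = port in trusted_ports
        if mtype in SERVER_MESSAGES and not trusted:
            dropped.append((idx, "server message %s on untrusted port %s" % (mtype, port)))
            continue
        if not trusted:
            seen[port] += 1
            if seen[port] > rate_limit:
                err_disabled.add(port)
                dropped.append((idx, "DHCP rate limit exceeded on %s" % port))
                continue
            if verify_mac and chaddr != src_mac:
                dropped.append((idx, "chaddr %s does not match source MAC %s" % (chaddr, src_mac)))
                continue
            client_port[chaddr] = port  # remember where this client lives
        if mtype == "ACK":
            bindings[chaddr] = (yiaddr, client_port.get(chaddr))
        forwarded.append(idx)
    return {"forwarded": forwarded, "dropped": dropped,
            "err_disabled": err_disabled, "bindings": bindings}


if __name__ == "__main__":
    result = dhcp_snooping(SAMPLE_DHCP, trusted_ports={"Gi0/1"})
    print("forwarded:", result["forwarded"])
    print("err-disabled:", result["err_disabled"])
    print("bindings:", result["bindings"])
    for idx, reason in result["dropped"][:3]:
        print("dropped #%d: %s" % (idx, reason))
```

    The binding table built from the ACKs is the same data that Dynamic ARP Inspection and IP Source Guard consume on a real switch, which is why the deck groups DHCP snooping with the ARP mitigations on slide 9.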

  • 19/40

    • Cisco Discovery Protocol allows Cisco devices to communicate amongst one another (IP address, software version, router model, etc). CDP is clear text and unauthenticated.

    • CDP Denial Of Service (Many companies do not upgrade their IOS often enough to 12.2.7 and current versions of CatOS)

    • CDP cache overflow – a software bug can reset the switch

    • Power exhaustion – claiming to be a VoIP phone an attacker can reserve electrical power

    • CDP cache pollution – CDP table becomes unusable because it contains a lot of false information

  • 20/40

  • 21/40

    Turn the sh*t off

  • 22/40

    Sending

  • 23/40

    STP sending conf BPDUs DoS

  • 24/40

    Spanning tree functions must be disabled on all user interfaces but maintained for Network to Network Interfaces to avoid a network loop.

    Enable root guard on Cisco equipment, or BPDU guard on users ports to disable the thus of priority zero and hence becoming a root bridge.

    Example:

    spanning-tree portfast bpduguard

    interface fa0/10

    spanning-tree guard root
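    An added Python model (not from the deck) of what the two guards in the example configuration do when a BPDU arrives, and what happens on a port that has neither. The current root bridge, the port names and which ports carry `bpduguard` or `guard root` are constructed assumptions; the comparison of `(priority, MAC)` tuples follows the STP rule that the numerically lowest bridge ID wins:

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Bpdu:
    """The fields of a configuration BPDU that matter here (constructed sample data)."""
    port: str
    root_priority: int
    root_mac: str


# Constructed switch state: the root we currently know, and per-port protections
# matching the deck's example commands.
CURRENT_ROOT = (32768, "00:10:00:00:00:01")   # (priority, MAC); lower tuple wins
PORTFAST_BPDUGUARD = {"Fa0/10", "Fa0/11"}     # user ports: spanning-tree portfast bpduguard
ROOT_GUARD = {"Gi0/2"}                        # designated uplink: spanning-tree guard root

SAMPLE_BPDUS = [
    Bpdu("Gi0/2", 32768, "00:10:00:00:00:01"),  # normal hello from the real root
    Bpdu("Fa0/10", 0, "02:00:de:ad:00:01"),     # priority-zero BPDU on a user port
    Bpdu("Gi0/2", 0, "02:00:de:ad:00:02"),      # superior BPDU on the guarded uplink
    Bpdu("Gi0/3", 0, "02:00:de:ad:00:03"),      # same thing on an unprotected port
]


def evaluate_bpdus(bpdus, portfast_ports, rootguard_ports, current_root):
    """Return the resulting state of every port that received a BPDU."""
    state = {}
    for b in bpdus:
        superior = (b.root_priority, b.root_mac) < current_root
        if b.port in portfast_ports:
            # BPDU guard: an edge port must never see a BPDU at all, so the
            # port is err-disabled on the first one regardless of its content.
            state[b.port] = "err-disabled (bpduguard)"
        elif b.port in rootguard_ports and superior:
            # Root guard: a better root advertised on this port is refused and
            # the port is held in the root-inconsistent (blocking) state.
            state[b.port] = "root-inconsistent (rootguard)"
        elif state.get(b.port) in (None, "forwarding"):
            # No protection: a superior BPDU would win the root election, which
            # is the priority-zero takeover the slide warns about.
            state[b.port] = "root-changed (no guard)" if superior else "forwarding"
    return state


if __name__ == "__main__":
    for port, st in sorted(evaluate_bpdus(SAMPLE_BPDUS, PORTFAST_BPDUGUARD,
                                          ROOT_GUARD, CURRENT_ROOT).items()):
        print("%-6s %s" % (port, st))
```

    Gi0/3 in the sample is the case to look for in an audit: any inter-switch port without root guard accepts the priority-zero BPDU and re-converges the tree around the sender.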

  • 25/40

    This involves spoofing, in rapid succession, a series of multicast frames.

    Frames leak into other VLANs if the routing mechanism in place between the VLANs.

    Injecting packets into multicast also can cause a DoS scenario.

  • 26/40

    Buy more capable switches!

    The Layer 2 multicast packets should be constrained within the ingress VLAN. No packets should be 'leaked' to other VLANs.

  • 27/40

    VTP has the ability to add and remove VLAN from the network. (Someone will get fired if this happens!)

    VTP involves a station sending VTP messages through the network, advertising that there are no VLANs. All client VTP switches erase their VLANs once receiving the message.

    Attacks:

    Sending VTP Packet

    Deleting all VTP VLANs

    Deleting one VLAN

    Adding one VLAN

  • 28/40

    If you like your job don't use VTP!

  • 29/40

    Private VLANs only isolate traffic at Layer 2

    Forward all traffic via Layer 3 to get to the private VLAN

    Scapy is your best friend!

  • 30/40

  • 31/40

    Configure VLAN access lists on the router interface

    Example: vlan access-map mapname 0-65535

  • 32/40

    Attacker configures a system to spoof itself as a switch by emulating either 802.1Q or ISL. Another variation involves tagging transmitted frames with two 802.1Q headers.

  • 33/40

  • 34/40

    Disable auto-trunking

    Unused ports, other than trunk port should be removed.

    For backbone switch to switch connections, explicitly configure trunking

    Do not use the user native VLAN as the trunk port native VLAN

    Do not use VLAN 1 as the switch management VLAN

  • 35/40

    VLAN numbers and identification are carried in a special extended format.

    Instead, outside of a switch, the tagging rules are dictated by standards such as ISL or 802.1Q.

    This allows the forwarding path to maintain VLAN isolation from end to end without loss of information.

  • 36/40

  • 37/40

    Ensure that the native VLAN is not assigned to any port

    Force all traffic on the trunk to always carry a tag
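    Slides 32 and 34 describe double-tagged frames and native-VLAN handling, and this slide says the trunk must always carry a tag. The following added Python example (not from the deck) parses stacked 802.1Q tags from raw frame bytes and reports, for a frame captured on a trunk or mirror port, the conditions a defender wants flagged: an untagged frame on the trunk, a double-tagged frame, an outer tag equal to the native VLAN, and VLAN IDs outside the allowed list. The frames are constructed inside the block with `build_frame`; the MAC addresses, VLAN numbers and allowed list are assumptions:

```python
import struct

# TPIDs that introduce a VLAN tag: 802.1Q, 802.1ad (QinQ) and the older 0x9100.
VLAN_ETHERTYPES = {0x8100, 0x88A8, 0x9100}


def parse_frame(frame: bytes):
    """Parse an Ethernet II header plus any stacked 802.1Q tags.

    Returns dst, src, the list of VLAN IDs from outermost to innermost, the
    ethertype of the payload and the payload bytes.
    """
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    offset = 12
    (ethertype,) = struct.unpack("!H", frame[offset:offset + 2])
    offset += 2
    tags = []
    while ethertype in VLAN_ETHERTYPES:
        if len(frame) < offset + 4:
            raise ValueError("truncated VLAN tag")
        tci, ethertype = struct.unpack("!HH", frame[offset:offset + 4])
        tags.append(tci & 0x0FFF)  # low 12 bits of the TCI are the VID
        offset += 4
    return {"dst": dst.hex(":"), "src": src.hex(":"), "tags": tags,
            "ethertype": ethertype, "payload": frame[offset:]}


def trunk_check(frame: bytes, native_vlan: int, allowed: set):
    """Findings for one frame seen on a trunk; an empty list means nothing odd."""
    info = parse_frame(frame)
    findings = []
    if not info["tags"]:
        findings.append("untagged frame on trunk (would land in native VLAN %d)" % native_vlan)
    if len(info["tags"]) > 1:
        findings.append("double-tagged frame: outer %d, inner %d" % (info["tags"][0], info["tags"][1]))
        if info["tags"][0] == native_vlan:
            findings.append("outer tag equals native VLAN %d; inner tag would survive "
                            "native-VLAN stripping on an untagged trunk" % native_vlan)
    for vid in info["tags"]:
        if vid not in allowed:
            findings.append("VLAN %d not in the trunk's allowed list" % vid)
    return findings


def build_frame(dst, src, vids, ethertype=0x0800, payload=b"\x45" + b"\x00" * 19):
    """Construct a frame with zero or more 802.1Q tags (sample data, not a capture)."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    for vid in vids:
        hdr += struct.pack("!HH", 0x8100, vid & 0x0FFF)
    hdr += struct.pack("!H", ethertype)
    return hdr + payload


if __name__ == "__main__":
    allowed, native = {10, 20}, 1
    samples = {
        "tagged vlan 10": build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55", [10]),
        "untagged": build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55", []),
        "double tagged": build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55", [1, 20]),
    }
    for name, frame in samples.items():
        print(name, "->", trunk_check(frame, native, allowed) or "ok")
```

    The "outer tag equals native VLAN" finding disappears once the trunk is configured to tag the native VLAN as this slide recommends, because the first switch then no longer strips the outer header; the parser is still useful afterwards as a regression check that untagged frames have really stopped appearing on the trunk.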

  • 38/40

    The VLAN Management Policy Server is for assigning dynamically created VLANs based on MAC/IP address or HTTP authentication (

  • 39/40

    VMPS traffic shall be transmitted on a 'Out Of Band' basis (user traffic separate network) or not used.

  • 40/40

    Manage switches in as secure a manner as possible (SSH, OOB, permit lists, etc.)

    Always use a dedicated VLAN ID for all trunk ports. Be paranoid: do not use VLAN 1 for anything.

    Deploy port security.

    Set users ports to a non trunking state. Deploy port-security whenever possible for user ports.

    Selectively use SNMP and treat community strings like root passwords.

    Have a plan for the ARP security issues in your network.