8/16/2019 Vlan Layer2 Attacking
1/40
K &T :: IGS :: MAF 1
VLANs Layer 2 Attacks:
Their Relevance and
Their Kryptonite
Security is only as strong as the weakest link.
Layer 2 attacks are timeworn but still relevant in today's networking environment.
Crime and security surveys show different types of attacks for the year 2007. CSI / FBI surveys also show that 9 of 19 types of attacks could target routers and switches.
[Chart: possible Layer 2 attacks versus other attacks]
Equipment
Cisco 3600, 2600 routers
Cisco 2900, 3500, 4006 switches
WiFi: Netgear & Cisco/Linksys

Tools
Scapy
Yersinia
Macof
TCPDump
Cain & Abel
Ettercap
Ethereal

Attacks
ARP Attacks
MAC Flooding Attack / CAM Table Overflow Attacks
DHCP Starvation Attack
CDP Attack
Spanning-Tree Attack
Multicast Brute Force
VLAN Trunking Protocol Attack
Private VLAN Attack
VLAN Hopping Attack
Double-Encapsulated 802.1Q / Nested VLAN Attack
VLAN Management Policy Server (VMPS) / VLAN Query Protocol (VQP) Attack
How to get a lab for testing purposes
Just ask HD Moore's ISP
[Screenshot: tcpdump capture of the traffic]
Port Security
Non changing ARP entries (don't waste your time)
DHCP Snooping (the network device keeps a record of the MAC addresses connected to each port)
Arpwatch (listens to ARP replies)
ArpON
MAC flooding attacks are often ignored in the corporate environment. MAC flooding: switch ports act like a hub when overloaded. The CAM table fills and the switch begins to echo any received frame to all ports (traffic bleeds out). Tools to perform this attack: Dsniff, Macof, Cain & Abel, Ettercap.
Macof at work flooding the Cisco switch
Switch is bleeding out the traffic
Same as the A
DHCP Scope exhaustion (client spoofs other clients)
Installation of a rogue DHCP server
Tools
Yersinia
Gobbler
Possible to set up a rogue DHCP server.
The attacker may hijack traffic and this can have devastating results.
Demo Time
DHCP Starvation Demo
Limiting the number of MAC addresses allowed on a switch port will reduce the risk of DHCP starvation attacks.
DHCP Snooping: monitors and restricts DHCP.
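As an added example that is not part of these slides, the following Python emulates the per-port MAC limit that port security enforces and flags the burst of new source addresses a CAM-flooding tool such as Macof produces; the same limit caps DHCP starvation, since every spoofed client needs its own source MAC. The frame stream, port names and thresholds are constructed for illustration.

```python
"""Emulate the per-port MAC limit (port security) the slides recommend over a
constructed stream of ingress frames, and flag macof-style CAM flooding.
Added example; the sample frames are constructed, not captured from a network."""
from collections import defaultdict

# Constructed sample: (seconds, ingress port, source MAC)
SAMPLE_FRAMES = [
    (0.0, "Fa0/1", "00:11:22:33:44:01"),
    (0.5, "Fa0/1", "00:11:22:33:44:02"),   # second host, e.g. IP phone plus PC
    (1.0, "Fa0/2", "00:11:22:33:44:10"),
    (10.0, "Fa0/4", "00:11:22:33:44:20"),  # three hosts appearing over time
    (20.0, "Fa0/4", "00:11:22:33:44:21"),
    (30.0, "Fa0/4", "00:11:22:33:44:22"),
]
# Fa0/3 sees 500 distinct source MACs within half a second (what macof produces)
SAMPLE_FRAMES += [(2.0 + i * 0.001, "Fa0/3", "02:00:00:%02x:%02x:%02x"
                   % (i >> 16, (i >> 8) & 0xFF, i & 0xFF)) for i in range(500)]

def port_security(frames, max_macs=2, rate_window=1.0, rate_threshold=50):
    """Return {port: {"macs": n, "peak_rate": r, "status": s}} where s is
    "secure" (within the limit), "violation" (limit exceeded: port security
    would restrict or shut the port) or "flooding" (new MACs arriving at a
    rate only a CAM-table flooding tool produces)."""
    first_seen = defaultdict(list)   # per port: time each new MAC appeared
    known = defaultdict(set)
    for t, port, mac in sorted(frames):
        if mac not in known[port]:
            known[port].add(mac)
            first_seen[port].append(t)
    report = {}
    for port, ts in first_seen.items():
        peak, j = 0, 0               # most new MACs inside any rate_window
        for i, t in enumerate(ts):
            while ts[j] < t - rate_window:
                j += 1
            peak = max(peak, i - j + 1)
        if peak >= rate_threshold:
            status = "flooding"
        elif len(ts) > max_macs:
            status = "violation"
        else:
            status = "secure"
        report[port] = {"macs": len(ts), "peak_rate": peak, "status": status}
    return report

if __name__ == "__main__":
    for port, result in sorted(port_security(SAMPLE_FRAMES).items()):
        print(port, result)
```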
• Cisco Discovery Protocol allows Cisco devices to communicate amongst one another (IP address, software version, router model, etc). CDP is clear text and unauthenticated.
• CDP Denial Of Service (many companies do not upgrade their IOS often enough to 12.2.x and current versions of CatOS)
• CDP cache overflow - a software bug can reset the switch
• Power exhaustion - claiming to be a VoIP phone, an attacker can reserve electrical power
• CDP cache pollution - the CDP table becomes unusable because it contains a lot of false information
Turn the sh*t off
Sending
STP sending conf BPDUs DoS
Spanning tree functions must be disabled on all user interfaces but maintained for Network to Network Interfaces to avoid a network loop.
Enable root guard on Cisco equipment, or BPDU guard on user ports, to prevent the use of priority zero and hence becoming a root bridge.
Example:
spanning-tree portfast bpduguard default
interface fa0/10
 spanning-tree guard root
This involves spoofing, in rapid succession, a series of multicast frames.
Frames leak into other VLANs if there is a routing mechanism in place between the VLANs.
Injecting packets into multicast also can cause a DoS scenario.
Buy more capable switches!
The Layer 2 multicast packets should be constrained within the ingress VLAN. No packets should be "leaked" to other VLANs.
VTP has the ability to add and remove VLANs from the network. (Someone will get fired if this happens!)
The VTP attack involves a station sending VTP messages through the network, advertising that there are no VLANs. All client VTP switches erase their VLANs once receiving the message.
Attacks:
Sending VTP Packet
Deleting all VTP VLANs
Deleting one VLAN
Adding one VLAN
If you like your job, don't use VTP!
Private VLANs only isolate traffic at Layer 2.
Forward all traffic via Layer 3 to get to the private VLAN.
Scapy is your best friend!
Configure VLAN access lists on the router interface.
Example: vlan access-map mapname (0-65535)
Attacker configures a system to spoof itself as a switch by emulating either 802.1Q or ISL.
Another variation involves tagging transmitted frames with two 802.1Q headers.
Disable auto-trunking.
Unused ports, other than trunk ports, should be removed.
For backbone switch to switch connections, explicitly configure trunking.
Do not use the user native VLAN as the trunk port native VLAN.
Do not use VLAN 1 as the switch management VLAN.
VLAN numbers and identification are carried in a special extended format within a switch. Outside of a switch, instead, the tagging rules are dictated by standards such as ISL or 802.1Q.
This allows the forwarding path to maintain VLAN isolation from end to end without loss of information.
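The following Python, added here and not part of the original slides, parses the 802.1Q tag stack of an Ethernet frame so the double-tagged (nested VLAN) case described above can be recognised on the wire; the frames and MAC addresses are constructed, and accepting the 802.1ad 0x88A8 service tag goes beyond what the slides cover.

```python
"""Walk the 802.1Q tag stack of an Ethernet frame, the format behind the
double-encapsulated / nested VLAN attack on these slides. Added example with
constructed frames; it also accepts the 802.1ad S-TAG (0x88A8) used for QinQ."""
import struct

ETH_P_8021Q = 0x8100    # 802.1Q customer tag
ETH_P_8021AD = 0x88A8   # 802.1ad service tag (QinQ outer tag)
TAG_TYPES = {ETH_P_8021Q, ETH_P_8021AD}

def parse_frame(frame):
    """Return (vlan_ids, inner_ethertype); vlan_ids lists the outermost tag first."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    offset, vids = 12, []          # tags start right after the dst and src MACs
    while True:
        if offset + 2 > len(frame):
            raise ValueError("truncated tag stack")
        ethertype = struct.unpack("!H", frame[offset:offset + 2])[0]
        if ethertype not in TAG_TYPES:
            return vids, ethertype
        if offset + 4 > len(frame):
            raise ValueError("truncated 802.1Q tag")
        tci = struct.unpack("!H", frame[offset + 2:offset + 4])[0]
        vids.append(tci & 0x0FFF)  # TCI = PCP (3 bits) | DEI (1 bit) | VID (12 bits)
        offset += 4

def build_frame(vids, pcp=0, ethertype=0x0800, payload=b"\x45" + b"\x00" * 19):
    """Constructed frame: dst MAC, src MAC, one 802.1Q tag per VID, ethertype, payload."""
    hdr = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    for vid in vids:
        hdr += struct.pack("!HH", ETH_P_8021Q, (pcp << 13) | (vid & 0x0FFF))
    return hdr + struct.pack("!H", ethertype) + payload

def access_port_alerts(frame):
    """Detection view: an access port should never receive tagged frames, and a
    frame carrying two tags is the nested-VLAN pattern the slides describe."""
    vids, _ = parse_frame(frame)
    alerts = []
    if vids:
        alerts.append("tagged frame on access port (VIDs %s)" % vids)
    if len(vids) >= 2:
        alerts.append("double-tagged frame (nested VLAN)")
    return alerts
```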
Ensure that the native VLAN is not assigned to any port.
Force all traffic on the trunk to always carry a tag.
The VLAN Management Policy Server is for assigning dynamically created VLANs based on MAC/IP address or HTTP authentication.
VMPS traffic shall be transmitted on an "Out Of Band" basis (user traffic on a separate network) or not used.
Manage switches in as secure a manner as possible (SSH, OOB, permit lists, etc.).
Always use a dedicated VLAN ID for all trunk ports. Be paranoid: do not use VLAN 1 for anything.
Deploy port security.
Set user ports to a non trunking state. Deploy port-security whenever possible for user ports.
Selectively use SNMP and treat community strings like root passwords.
Have a plan for the ARP security issues in your network.
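As an added example (not the slides' own material), this Python audits a constructed Catalyst-style running-config against the hardening points above: explicit trunking with DTP disabled, a dedicated and tagged native VLAN, and port security plus BPDU guard on user ports. The interface names and config are constructed; the IOS commands it looks for are standard ones.

```python
"""Audit a Catalyst-style running-config against the Layer 2 hardening on these
slides. Added example; the sample config is constructed, not from a real device."""
SAMPLE_CONFIG = """\
vlan dot1q tag native
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 spanning-tree bpduguard enable
interface FastEthernet0/2
interface GigabitEthernet0/1
 switchport mode trunk
 switchport trunk native vlan 1
"""

def interfaces(text):
    """Return {interface name: [its indented sub-lines]} from a running-config."""
    ifaces, cur = {}, None
    for line in text.splitlines():
        if line.startswith("interface "):
            cur = line.split(" ", 1)[1]
            ifaces[cur] = []
        elif line.startswith(" ") and cur is not None:
            ifaces[cur].append(line.strip())
        else:
            cur = None            # a "!" or global command ends the block
    return ifaces

def audit(text):
    """Map each interface to its findings; an empty list means clean."""
    tag_native = "vlan dot1q tag native" in text.splitlines()   # global command
    report = {}
    for name, lines in interfaces(text).items():
        f = []
        mode = next((l for l in lines if l.startswith("switchport mode ")), None)
        if mode is None or "dynamic" in mode:   # Catalyst default is dynamic auto
            f.append("DTP auto-trunking left enabled (set an explicit mode)")
        elif mode == "switchport mode trunk":
            native = next((l for l in lines if "trunk native vlan" in l), "vlan 1")
            if native.endswith(" 1"):
                f.append("native VLAN is 1 (use a dedicated, unused VLAN)")
            if "switchport nonegotiate" not in lines:
                f.append("trunk still negotiates DTP (add switchport nonegotiate)")
            if not tag_native:
                f.append("native VLAN untagged (add global vlan dot1q tag native)")
        elif mode == "switchport mode access":
            for cmd in ("switchport port-security", "spanning-tree bpduguard enable"):
                if cmd not in lines:
                    f.append("user port missing: " + cmd)
        report[name] = f
    return report
```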