Protect your network against HSRP attacks!

As in my earlier post, I'm writing a series of posts to help protect your network against attacks. A good hacker will always find a way to hurt your network, but with the recommendations described in this series it will be more difficult for the hacker to find a way in.

In this post I will describe the hacking of HSRP operations and, of course, I will describe a solution to this problem.

As always I use GNS3. Below are the topology and the configuration of multilayer switch R2.
[figure: topology]

R2
!
interface FastEthernet0/0
switchport mode trunk
!
interface FastEthernet0/5
switchport access vlan 13
no cdp enable
!
interface Vlan10
ip address 10.0.0.253 255.255.255.0
standby 10 ip 10.0.0.254
!
interface Vlan11
ip address 172.18.100.253 255.255.255.0
standby 11 ip 172.18.100.254
!
interface Vlan12
ip address 192.168.157.253 255.255.255.0
standby 12 ip 192.168.157.254
!
interface Vlan13
ip address 192.168.80.253 255.255.255.0
standby 13 ip 192.168.80.254
!

HSRP
The cisco.com website explains HSRP as follows:

“HSRP is Cisco’s standard method of providing high network availability by providing first-hop redundancy for IP hosts on an IEEE 802 LAN configured with a default gateway IP address. HSRP routes IP traffic without relying on the availability of any single router. It enables a set of router interfaces to work together to present the appearance of a single virtual router or default gateway to the hosts on a LAN. When HSRP is configured on a network or segment, it provides a virtual Media Access Control (MAC) address and an IP address that is shared among a group of configured routers. HSRP allows two or more HSRP-configured routers to use the MAC address and IP network address of a virtual router. The virtual router does not exist; it represents the common target for routers that are configured to provide backup to each other. One of the routers is selected to be the active router and another to be the standby router, which assumes control of the group MAC address and IP address should the designated active router fail.”

So in short, HSRP provides a virtual default gateway. And that's the problem: when someone or something finds a way to hack into the HSRP operations it is possible to change the default gateway and reroute or blackhole the network traffic. This turns out to be very simple with Kali. Below is a simple explanation of how to change the behaviour of HSRP operations.

Start Kali, start Yersinia, click the HSRP tab, choose to become the active router, enter an IP address and that's all there is to it:
[figure: hsrp_att]

[figure: hsrp ip]

When you have enabled terminal monitor on your switch, you'll see a state change:
[figure: state change]
Now check the HSRP settings with "show standby vlan 13" and you'll see that the gateway has changed to 10.10.10.10:
[figure: sh stand vlan 13]

When you look more closely at the config you'll notice something else:
[figure: config change]
For Yersinia to be able to take over the HSRP operations, it alters the config by adding a static entry to the MAC address table!

Again, that's all there is to it! To prevent this, make sure you use authentication on your HSRP interfaces, as described in the following example:

First create a key chain:
[figure: key chain]

Then configure the authentication on the VLAN interface. If you are in a production network, configure the standby unit first and then the active unit; otherwise the change is disruptive!

[figure: stand auth]

Now try the HSRP attack again and you’ll see it will not work this time!
[figure: stand vlan 13 auth]

And to make it even clearer, when terminal monitor is enabled you'll get the message depicted in the picture below:
[figure: bad auth]
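As an added example (not from the post), here is a small HSRPv1 hello decoder and sanity check that a defender could run over HSRP packets copied from a SPAN port to spot the takeover shown above: a hello from an unknown source, a priority of 255, a virtual IP that does not match the configuration, or the default "cisco" plaintext authentication that the R2 config above is still using. The expected-state table and the two sample packets are constructed, and R1's address is an assumption.

```python
import ipaddress
import struct

# HSRPv1 header (RFC 2281): version, opcode, state, hellotime, holdtime, priority,
# group, reserved, 8 bytes of plaintext authentication data, 4-byte virtual IP.
HSRP_V1 = struct.Struct("!BBBBBBBB8s4s")
OPCODES = {0: "hello", 1: "coup", 2: "resign"}
STATES = {0: "initial", 1: "learn", 2: "listen", 4: "speak", 8: "standby", 16: "active"}

def parse_hsrp(payload):
    """Decode the 20-byte HSRPv1 header; anything after it (e.g. MD5 TLVs) is ignored."""
    if len(payload) < HSRP_V1.size:
        raise ValueError("payload shorter than an HSRPv1 header")
    ver, op, state, hello, hold, prio, group, _, auth, vip = HSRP_V1.unpack_from(payload)
    return {"version": ver, "opcode": OPCODES.get(op, op), "state": STATES.get(state, state),
            "hellotime": hello, "holdtime": hold, "priority": prio, "group": group,
            "auth": auth.rstrip(b"\x00").decode("ascii", "replace"),
            "virtual_ip": str(ipaddress.IPv4Address(vip))}

def check_hsrp(src_ip, payload, expected):
    """Return findings for one HSRP packet seen from src_ip (empty list = looks normal).

    expected maps group -> (configured virtual IP, set of router IPs allowed to speak).
    """
    pkt = parse_hsrp(payload)
    if pkt["group"] not in expected:
        return [f"unexpected HSRP group {pkt['group']} from {src_ip}"]
    vip, routers = expected[pkt["group"]]
    findings = []
    if src_ip not in routers:
        findings.append(f"unknown router {src_ip} speaking for group {pkt['group']}")
    if pkt["virtual_ip"] != vip:
        findings.append(f"virtual IP {pkt['virtual_ip']} differs from configured {vip}")
    if pkt["auth"] in ("", "cisco"):
        findings.append("default or empty plaintext authentication")
    if pkt["priority"] == 255 or pkt["opcode"] == "coup":
        findings.append(f"takeover: priority {pkt['priority']}, opcode {pkt['opcode']}")
    return findings

# Expected state for VLAN 13, built from the R2 config above; R1's address (.252)
# is an assumption, the post does not show it.
EXPECTED = {13: ("192.168.80.254", {"192.168.80.252", "192.168.80.253"})}

# Constructed sample captures (UDP/1985 payload only), not taken from the post:
# R2's normal hello for group 13 (priority 100, default auth "cisco")...
LEGIT_HELLO = bytes.fromhex("000010030a640d00636973636f000000c0a850fe")
# ...and a hello like the one observed above: priority 255, virtual IP 10.10.10.10.
ROGUE_HELLO = bytes.fromhex("000010030aff0d00636973636f0000000a0a0a0a")
```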


Install and configure Tacacs.net

A customer asked me for a central management point for switch and router logins. They also wanted the option of accounting these logins.

The first option that comes to mind is Cisco ACS, but that would have been too easy: the customer told me it had to be a cost-efficient solution.
After searching the internet I came across Tacacs.net, and after reading the configuration guide I came to the conclusion that this piece of software had all the features the customer was asking for. Tacacs.net is able to perform authentication, authorization and accounting, and it can also use a Microsoft Active Directory for credential authorization.
Tacacs.net is fully built on XML, so configuring it is not that difficult. Although there is a configuration guide available, there are some tricky parts.
So below is a walkthrough for configuring Tacacs.net:
  • First download the Tacacs.net zip file from http://www.tacacs.net
  • Tacacs.net can be installed on all Windows platforms starting at Windows 2000 Server; for this customer I chose Windows 2008 R2.
  • Follow the instructions; for most customers the standard installation is sufficient. While installing, Tacacs.net asks for a TACACS key. Choose a random string of numbers and/or letters and write it down somewhere. This key is needed when configuring the network equipment.
  • After installing, check if the tacacs.net service is running; it can be checked by start–>run–>services.msc
  • After checking this the real configuration can start.
  • First check the tacplus.xml file. Change the IP address from 127.0.0.1 to the local IP address. This is not really necessary if there is only one network interface, but it is always recommended to configure it manually.
  • Now open authentication.xml. The customer wants to connect Tacacs.net to their Active Directory. Make sure the section under "Active Directory configuration" looks like the configuration below:

<UserGroup>
  <Name>Network Operations</Name>
  <AuthenticationType>Windows_Domain</AuthenticationType>
  <LDAPServer>{ip address of DC}:389</LDAPServer>
  <LDAPUserDirectorySubtree>OU=<group>,OU=<group>,OU=<group>,OU=<group>,DC=<domain>,DC=<domain></LDAPUserDirectorySubtree>
  <LDAPGroupName>{AD group name with tacacs users}</LDAPGroupName>
  <LDAPAccessUserName>{user with domain admin rights}</LDAPAccessUserName>
  <LDAPAccessUserPassword ClearText="{password in clear text}" DES="{password in DES format}"></LDAPAccessUserPassword>
</UserGroup>

  • To make this configuration work you need to configure a DES-format password. This is just the clear text password in encrypted format. The DES password can be created by starting TACDES. This program is in the default Tacacs.net installation. Start it by clicking start–>program files–>tacacs.net–>tacdes.
  • Type at the command prompt "tacdes <cleartext password>" and copy the output into the DES section of the configuration above.
  • Now click save and close the authentication.xml file.
  • Open up clients.xml and make sure the configuration looks like below:

<ClientGroup Name="INTERNAL">
  <Secret ClearText="{tacacs password in cleartext}" DES="{tacacs password in DES format}"></Secret>
  <Clients>
    <Client>{ip address or subnet}</Client>
  </Clients>
</ClientGroup>

Now the basic configuration of the tacacs server is done; it is fully functional after restarting the tacacs.net service and configuring the switches or routers.
The tacacs.net service can be stopped and started again with the following commands:
start–>run–>cmd, then "net stop tacacs.net" and "net start tacacs.net"
On the switch, router or firewall the following lines have to be configured. Before you configure this, make sure you configure a local user and password in case the tacacs server fails; if it does, the switch can still be reached with the local credentials.
!
aaa new-model
! Authenticate logins against TACACS+ first and fall back to the local user database
! only when no TACACS+ server answers (not when it rejects the login).
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
! Send every command executed at privilege levels 0, 3, 5 and 15 to the accounting log.
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 3 default start-stop group tacacs+
aaa accounting commands 5 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
tacacs-server host <ip address tacacs server>
tacacs-server key 0 <tacacs password>
!
To check the accounting, log in to the tacacs.net server, go to C:\ProgramData\TACACS.net\Logs and open accounting.txt.
The output will look something like this:

<102> 2012-12-05 14:36:02 [<ip address>:28691] 12/05/2012 14:36:02 NAS_IP=<ip address> Port=tty1 rem_addr=<ip address> User=<user> Flags=TAC_PLUS_ACCT_FLAG_STOP task_id=36 timezone=CET service=shell priv-lvl=15 cmd=show running-config <cr>
<102> 2012-12-05 14:36:14 [<ip address>:22679] 12/05/2012 14:36:14 NAS_IP=<ip address> Port=tty1 rem_addr=<ip address> User=<user> Flags=TAC_PLUS_ACCT_FLAG_STOP task_id=37 timezone=CET service=shell priv-lvl=15 cmd=show running-config <cr>
<102> 2012-12-05 14:36:17 [<ip address>:64422] 12/05/2012 14:36:17 NAS_IP=<ip address> Port=tty1 rem_addr=<ip address> User=<user> Flags=TAC_PLUS_ACCT_FLAG_STOP task_id=38 timezone=CET service=shell priv-lvl=15 cmd=configure terminal <cr>
<102> 2012-12-05 14:36:36 [<ip address>:58260] 12/05/2012 14:36:36 NAS_IP=<ip address> Port=tty1 rem_addr=<ip address> User=<user> Flags=TAC_PLUS_ACCT_FLAG_STOP task_id=39 timezone=CET service=shell priv-lvl=15 cmd=aaa accounting commands 0 default start-stop group tacacs+ <cr>
<102> 2012-12-05 14:36:41 [<ip address>:33050] 12/05/2012 14:36:41 NAS_IP=<ip address> Port=tty1 rem_addr=<ip address> User=<user> Flags=TAC_PLUS_ACCT_FLAG_STOP task_id=40 timezone=CET service=shell priv-lvl=15 cmd=aaa accounting commands 3 default start-stop group tacacs+ <cr>
<102> 2012-12-05 14:36:42 [<ip address>:38303] 12/05/2012 14:36:42 NAS_IP=<ip address> Port=tty1 rem_addr=<ip address> User=<user> Flags=TAC_PLUS_ACCT_FLAG_STOP task_id=41 timezone=CET service=shell priv-lvl=0 cmd=end <cr>
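Added example, not part of the original post: a parser for accounting.txt lines in the format shown above that lists the privilege-15 commands that actually changed something, putting any command that switches off accounting at the top of the list. The sample lines are constructed in the same format, with placeholder addresses and a placeholder user name.

```python
import re
from datetime import datetime

# Constructed sample records in the accounting.txt format shown above
# (192.0.2.x addresses and the user name are placeholders, not from the post).
SAMPLE_LOG = """\
<102> 2012-12-05 14:36:02 [192.0.2.10:28691] 12/05/2012 14:36:02 NAS_IP=192.0.2.10 Port=tty1 rem_addr=192.0.2.50 User=alice Flags=TAC_PLUS_ACCT_FLAG_STOP task_id=36 timezone=CET service=shell priv-lvl=15 cmd=show running-config <cr>
<102> 2012-12-05 14:36:17 [192.0.2.10:64422] 12/05/2012 14:36:17 NAS_IP=192.0.2.10 Port=tty1 rem_addr=192.0.2.50 User=alice Flags=TAC_PLUS_ACCT_FLAG_STOP task_id=38 timezone=CET service=shell priv-lvl=15 cmd=configure terminal <cr>
<102> 2012-12-05 14:36:36 [192.0.2.10:58260] 12/05/2012 14:36:36 NAS_IP=192.0.2.10 Port=tty1 rem_addr=192.0.2.50 User=alice Flags=TAC_PLUS_ACCT_FLAG_STOP task_id=39 timezone=CET service=shell priv-lvl=15 cmd=no aaa accounting commands 15 default start-stop group tacacs+ <cr>
<102> 2012-12-05 14:36:42 [192.0.2.10:38303] 12/05/2012 14:36:42 NAS_IP=192.0.2.10 Port=tty1 rem_addr=192.0.2.50 User=alice Flags=TAC_PLUS_ACCT_FLAG_STOP task_id=41 timezone=CET service=shell priv-lvl=0 cmd=end <cr>
"""

# <pri> timestamp [source] local-date local-time key=value ... cmd=<command> <cr>
LINE_RE = re.compile(
    r"^<(?P<pri>\d+)> (?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"\[(?P<src>[^\]]+)\] \S+ \S+ (?P<attrs>.*?) cmd=(?P<cmd>.*?) <cr>$"
)

def parse_line(line):
    """Return a dict for one accounting record, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"time": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
           "cmd": m.group("cmd").strip()}
    # The remaining fields are space-separated key=value pairs (NAS_IP, User, priv-lvl, ...).
    for pair in m.group("attrs").split():
        key, _, value = pair.partition("=")
        rec[key] = value
    rec["priv-lvl"] = int(rec.get("priv-lvl", 0))
    return rec

# Commands that do not change the device; anything else at privilege 15 is worth a look.
READ_ONLY_PREFIXES = ("show ", "ping ", "traceroute ", "exit", "end", "configure terminal")

def find_config_changes(log_text):
    """Return (user, NAS_IP, time, cmd) for privilege-15 commands that are not read-only,
    with commands that weaken accounting itself ('no aaa accounting ...') listed first."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["priv-lvl"] < 15:
            continue
        if rec["cmd"].startswith(READ_ONLY_PREFIXES):
            continue
        hits.append((rec["User"], rec["NAS_IP"], rec["time"].isoformat(), rec["cmd"]))
    hits.sort(key=lambda h: not h[3].startswith("no aaa accounting"))
    return hits
```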