Protect your network against HSRP attacks!

As announced in my earlier post, I am writing a series of posts to help protect your network against attacks. A good hacker will always find a way to hurt your network, but with the recommendations in this series it will be a lot harder to find a way in.

In this post I describe how the HSRP operation can be hijacked and, of course, how to prevent it.

As always I use GNS3. Below the topology and the configuration of multilayer switch R2.
[screenshot: topology]

R2
!
interface FastEthernet0/0
switchport mode trunk
!
interface FastEthernet0/5
switchport access vlan 13
no cdp enable
!
interface Vlan10
ip address 10.0.0.253 255.255.255.0
standby 10 ip 10.0.0.254
!
interface Vlan11
ip address 172.18.100.253 255.255.255.0
standby 11 ip 172.18.100.254
!
interface Vlan12
ip address 192.168.157.253 255.255.255.0
standby 12 ip 192.168.157.254
!
interface Vlan13
ip address 192.168.80.253 255.255.255.0
standby 13 ip 192.168.80.254
!

HSRP
The cisco.com website explains HSRP as follows:

“HSRP is Cisco’s standard method of providing high network availability by providing first-hop redundancy for IP hosts on an IEEE 802 LAN configured with a default gateway IP address. HSRP routes IP traffic without relying on the availability of any single router. It enables a set of router interfaces to work together to present the appearance of a single virtual router or default gateway to the hosts on a LAN. When HSRP is configured on a network or segment, it provides a virtual Media Access Control (MAC) address and an IP address that is shared among a group of configured routers. HSRP allows two or more HSRP-configured routers to use the MAC address and IP network address of a virtual router. The virtual router does not exist; it represents the common target for routers that are configured to provide backup to each other. One of the routers is selected to be the active router and another to be the standby router, which assumes control of the group MAC address and IP address should the designated active router fail.”

So in short, HSRP provides a virtual default gateway. And that is exactly the problem: whoever can take part in the HSRP election can make himself the active router, and from that moment on owns the default gateway of the segment and can reroute the network traffic through his own machine or simply blackhole it. With Kali this turns out to be very simple. Below a short description of how the HSRP operation is changed.

Start Kali, start Yersinia, click the HSRP tab, choose "becoming ACTIVE router", enter an IP address and that is all there is to it. HSRP hellos are not protected by default (only the plaintext string "cisco", which every tool knows), so a hello with a higher priority than the real routers is simply accepted:
[screenshot: hsrp attack]

[screenshot: hsrp ip]

When you have terminal monitor enabled on your switch, you will see a state change:
[screenshot: state change]
Now check HSRP with "show standby vlan 13": the active router for group 13 is now 10.10.10.10, the address you gave Yersinia, so the virtual gateway 192.168.80.254 is now answered by the Kali machine.
[screenshot: show standby vlan 13]

When you look a bit closer at the switch you will notice something else:
[screenshot: config change]
A static entry has appeared in the MAC address table that was not there before the attack. Yersinia has no access to the switch configuration; the static entry for the HSRP virtual MAC address is the switch's own bookkeeping, and it changed because the active router of the group changed.

Again, that is all there is to it. To prevent this, use authentication on your HSRP groups. By default HSRP uses the plaintext string "cisco", which is no protection at all, so configure MD5 authentication as described in the following example.

First create a key chain:
[screenshot: key chain]

Then configure the authentication on the VLAN interface. If you are in a production network, configure the standby router first and then the active router, and use exactly the same key chain on both. As long as only one of them has authentication configured, the two routers reject each other's hellos and both become active, so the change is disruptive if you do it in the wrong order.

[screenshot: standby authentication]

Now try the HSRP attack again: it no longer works, R2 stays the active router.
[screenshot: show standby vlan 13 with authentication]

And to make it even more clear: when terminal monitor is enabled you get a %HSRP-4-BADAUTH message for every spoofed hello, as depicted in the picture below.
[screenshot: bad authentication log message]
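For reference, this is the complete configuration behind the two screenshots above, written out as an added example; it is not copied from the original post. The key-chain name HSRP-KEYS, the key string and the priority values are my assumptions; Vlan13, group 13 and the addresses are the ones from the lab topology.

```cisco
! Added example, not from the original post. Key-chain name, key-string
! and priorities are assumptions; Vlan13 / group 13 come from the lab.
!
! Weak (default) state: a group configured like this authenticates its
! hellos with the well-known plaintext string "cisco", which Yersinia
! sends as well, so any host on the VLAN can win the election:
!   interface Vlan13
!    standby 13 ip 192.168.80.254
!
! Hardened state. Apply on BOTH routers with the same key chain; on a
! live network do the standby router first, because while only one side
! has MD5 configured the routers reject each other's hellos and both
! become active.
key chain HSRP-KEYS
 key 1
  key-string S3cureHsrpK3y
!
! R2 (192.168.80.253): preferred active router
interface Vlan13
 ip address 192.168.80.253 255.255.255.0
 standby 13 ip 192.168.80.254
 standby 13 priority 110
 standby 13 preempt
 standby 13 authentication md5 key-chain HSRP-KEYS
!
! R1 (192.168.80.252): same key chain, default priority 100
interface Vlan13
 ip address 192.168.80.252 255.255.255.0
 standby 13 ip 192.168.80.254
 standby 13 preempt
 standby 13 authentication md5 key-chain HSRP-KEYS
```

Verify with "show standby vlan 13 | include Authentication", which should now report MD5 with the key chain name instead of text "cisco". Keep in mind what this does and does not buy you: MD5 authentication only proves that a hello was sent by someone who knows the key, it does not hide the hellos, and anyone who obtains the key (for example from a configuration backup) is back where Yersinia was. The same key must be present on every member of the group, on all groups you want to protect (10, 11 and 12 in this lab, not only 13).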

Protect your network against CDP attacks!

As a network consultant/engineer you should be aware of network security risks. Today it is fairly simple to take down a network with the use of Kali Linux. There, it has been said: Kali Linux. This Linux distro is a hacker's dream. It has all the tools on board to damage a network very, very hard. A hacker only needs a free outlet that is patched to a switch, and within minutes a company can be brought to its knees.

First of all, I am writing this series of posts to point out the need for security on the network layer, not to make a hacker's life easy. In this post I describe how to use Kali Linux, but more important are the security solutions I give to prevent attacks on your network. This post is about protecting your network against CDP attacks.

How do I test Kali? You probably guessed it already if you read my earlier posts: I use GNS3 for it. Below the topology I use for testing.
[screenshot: topology]

R1 and R2 are configured as two multilayer switches with several (routed) VLANs. For reference, below the configuration of R1.

R1
!
interface FastEthernet0/0
description Trunk to R2
switchport mode trunk
!
interface FastEthernet0/4
 switchport access vlan 11
!
interface Vlan10
ip address 10.0.0.252 255.255.255.0
standby 10 ip 10.0.0.254
!
interface Vlan11
ip address 172.18.100.252 255.255.255.0
standby 11 ip 172.18.100.254
!
interface Vlan12
ip address 192.168.157.252 255.255.255.0
standby 12 ip 192.168.157.254
!
interface Vlan13
ip address 192.168.80.252 255.255.255.0
standby 13 ip 192.168.80.254
!

CDP Flooding
CDP (Cisco Discovery Protocol) is a great tool when you have to document a network, and in most cases CDP is enabled globally on every switch and on every switchport. Great, until at some moment you check the CDP status on your switch and see this:

[screenshot: cdp table flooded]

and this:
[screenshot: show processes cpu]

As you can see, the CDP table is flooded with bogus entries and, because of the ongoing stream of bogus CDP packets, the CPU spikes to 100%. It is just a matter of time before the switch reboots. The problem is that after the reboot it starts all over again, because the stream of CDP packets just keeps coming.

How is this possible, you think? Well, it is really easy: install Kali Linux, start Yersinia and click attack. Is it that easy, I hear you think? Yes, it is that easy. Check it out:

Start Kali Linux:
[screenshot: kali]

Start Yersinia:
[screenshot: start yersinia]

Click the CDP tab, click Launch Attack, choose "flooding CDP table" and click OK.
[screenshot: start attack]

That's it, your CDP table is now flooded with bogus neighbours. Check your switch with the "show cdp neighbors", "show cdp traffic" and "show processes cpu sorted" commands:
[screenshot: cdp table flooded]

[screenshot: show processes cpu]

[screenshot: show cdp traffic]

Within two minutes my switch crashed and rebooted, so this is a real threat to the stability of your network.
To prevent this kind of attack a couple of things can be done:

First, put switchports that are not in use in a dummy VLAN and shut them down.
Second, disable CDP on switchports that do not need it, for example access ports that only connect a computer. With CDP disabled on a port the switch no longer sends CDP there, and it no longer processes the CDP frames it receives on that port either, so the bogus neighbours never reach the CDP table. (Cisco IP phones do rely on CDP for the voice VLAN and PoE negotiation, so keep it enabled on those ports, or use LLDP-MED instead.)
Third, configure port security on ports that cannot be shut down.
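Applied to switch R1 from the topology above, the three measures look like this. This is an added example, not configuration from the original post; VLAN 999, the interface range FastEthernet0/6 - 15 and the port-security limits are my assumptions for this lab.

```cisco
! Added example, not from the original post. VLAN 999, the interface
! range and the port-security settings are assumptions for this lab.
!
! 1. Unused ports: park them in a dead VLAN and shut them down, so a
!    free outlet in a meeting room is not a free ticket to the network.
vlan 999
 name UNUSED-PARKING
!
interface range FastEthernet0/6 - 15
 switchport mode access
 switchport access vlan 999
 no cdp enable
 shutdown
!
! 2. Access port for a PC: CDP is not needed, so the port neither sends
!    nor processes CDP. The flood from Yersinia is dropped at the port
!    instead of filling the CDP table and the CPU.
! 3. The same port, which we cannot shut down, also gets port security:
!    Yersinia sends every bogus neighbour from a different, randomised
!    source MAC, so the first extra MAC trips the violation and the
!    port is err-disabled instead of the switch rebooting.
interface FastEthernet0/4
 switchport mode access
 switchport access vlan 11
 no cdp enable
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
!
! Optional: let an err-disabled port recover by itself after 5 minutes
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! Keep CDP only where a neighbour really needs it, here the trunk to R2
interface FastEthernet0/0
 description Trunk to R2
 switchport mode trunk
 cdp enable
```

Check the result with "show cdp interface" (only the trunk should be listed) and "show port-security interface FastEthernet0/4". If no device on the network needs CDP at all, "no cdp run" in global configuration turns it off on every port at once; do that with care on networks with Cisco IP phones, for the reason given above.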

How to install Cacti on Ubuntu

Recently I wrote a blog post about Smokeping. Although Smokeping is good at what it does, I needed some more features than Smokeping offers.
The customer for whom I am setting up this monitoring needs more information, like CPU usage history or memory history. After some research I ended up with Cacti. Cacti is an open source solution with many possibilities, like latency polling, CPU usage, memory usage and bandwidth usage. Cacti can do a lot more, but for this customer the above are the key features.
Cacti is available for Windows and Linux. For this kind of tool I always use Linux, because 9 out of 10 times the tools work on Linux out of the box, while the Windows versions need a lot of tweaking and tuning.
Installing Cacti on Ubuntu:
  • First update your machine: sudo apt-get update (if you are behind a proxy server, use sudo http_proxy=http://<proxy-ip>:<port> apt-get update instead)
  • Install Cacti: sudo apt-get install cacti
  • During the installation you have to enter some passwords and the like; just follow the installer and everything will be fine
  • After installing, give the following CLI command: rrdtool create datafile.rrd DS:mysource:ABSOLUTE:900:0:10000000 RRA:AVERAGE:0.5:1:9600 RRA:AVERAGE:0.5:4:9600 RRA:AVERAGE:0.5:24:6000
  • Now open a browser at http://<ip-address>/cacti, follow the instructions and the installation is done
  • To actually monitor a device, follow the next steps:
  • Click Console, Devices, Add, and make sure it looks like the picture below
    [screenshot: device settings]
  • Click Create
  • When the screen reloads, some new options are available, "Associated Graph Templates" and "Associated Data Queries"; these are the options to monitor the different types of devices
  • To monitor CPU load and latency, add "Cisco - CPU Usage" and "Unix - Ping Latency" to "Associated Graph Templates"
  • To monitor interface bandwidth, add "SNMP - Interface Statistics" to "Associated Data Queries"
  • Click Save
  • Click Devices again, check the box of the device, choose "Place on a tree" and click Go
To create the actual graphs, follow the next steps:
  • Click New Graphs
  • Check the checkboxes of the interfaces/processes you want to monitor and click Create
  • Wait five minutes and click Graphs

Now you can see the graphs, but they stay empty... Damn!
This can be resolved with the following steps:

  • Open the ping.pl script with sudo nano /usr/share/cacti/site/scripts/ping.pl; it looks like this:

#!/usr/bin/perl
# Cacti's ping.pl: strip a leading "tcp:" (or "TCP:") from the host argument
$host = $ARGV[0];
$host =~ s/^tcp://i;
# send one ICMP echo and keep only the reply line that carries the round-trip time
open(PROCESS, "ping -c 1 $host | grep icmp_seq | grep time |");
$ping = <PROCESS>;
close(PROCESS);
$ping =~ m/(.*time=)(.*) (ms|usec)/;
if ($2 eq "") {
    print "U";     # "unknown": avoid Cacti errors, but do not fake rrdtool stats
} elsif ($3 eq "usec") {
    print $2/1000; # re-calculate in units of "ms"
} else {
    print $2;
}

  • Change "icmp_seq" into "icmp_req", save the file and restart the server

Check first what your ping actually prints (ping -c 1 127.0.0.1): the iputils version shipped with Ubuntu 12.04 labels the replies "icmp_req", which is why the grep for "icmp_seq" finds nothing and Cacti gets no value. Later iputils releases went back to "icmp_seq", in which case the script needs no change.

Wait a couple of minutes and you will see the graphs filling up!

Install and configure Smokeping on Ubuntu 12.04 LTS

Currently I am designing a network for a customer. To ground my design I also need some statistics of the current network, like bandwidth usage and latency.

Despite some expensive commercial network monitoring packages being around, I had to install some free open source monitoring packages to get the statistics I needed.
For latency monitoring I chose Smokeping, which is based on RRDtool and written by Tobi Oetiker and Niko Tyni.
The installation and configuration was pretty straightforward on Linux. I also tried installing it on Windows (the customer is primarily focused on Windows), but after several hours of troubleshooting I gave up and switched to Ubuntu Linux.
Even though the installation was easy, I wrote a blog post about it for my own future reference, and maybe it is useful for others too.
  • First install a Linux distribution; I used Ubuntu
  • For ease of installation, become root with the "sudo su" command
  • Install the following packages: "aptitude install smokeping curl libauthen-radius-perl libnet-ldap-perl libnet-dns-perl libio-socket-ssl-perl libnet-telnet-perl libsocket6-perl libio-socket-inet6-perl apache2"
  • The Smokeping configuration files can be found in /etc/smokeping/config.d
  • Before use you need to make some configuration changes:

"nano /etc/smokeping/config.d/General"

*** General ***

@include /etc/smokeping/config.d/pathnames

# Please edit this to suit your installation
owner    = <name>
contact  = email@email.com
cgiurl   = http://<your ip or dns name>/cgi-bin/smokeping.cgi
mailhost = smtp.email.com
syslogfacility = local0
concurrentprobes = no

Make sure that mailhost is a mail server that accepts mail for your domain (the primary MX of your e-mail domain, or an internal relay), otherwise the alerts will never arrive.

"nano /etc/smokeping/config.d/Alerts"

*** Alerts ***
to = me@email.com
from = smokeping@email.com

"nano /etc/smokeping/config.d/Targets"

remark = Welcome to the SmokePing website of 'Example Company'

<output omitted>

+ Local

menu = Local
title = Local Network

++ LocalMachine

menu = Local Machine
title = This host
host = localhost

Save your changes with Ctrl+X and confirm with Y.

Now restart the Smokeping service:

"/etc/init.d/smokeping restart"

Smokeping can be reached at http://<ip or dns>/cgi-bin/smokeping.cgi and the output will look like this: