Layer 2 hackery
Todor Genov
todor@subnet.co.za
ZaCon 2009

Why bring up this old topic?
  - Best practices are still being ignored.
  - Compromise on layer 2 == Game Over
  - ZaCon is the perfect place to rekindle awareness

Means to an end
  Getting the upper hand
    - STP trickery
    - DTP/VTP trickery
    - CAM table and DHCP abuse
    - ARP poisoning
  Using the tactical advantage
    - Passive sniffing
    - DNS spoofing
    - MitM

STP
  - Avoiding topology loops
  - Single ROOT device in a topology
  - BPDUs
  - By sending crafted BPDUs an attacker can become the root bridge

STP attack mitigation
  Disable STP in a loop-less topology
    sw1(config)#no spanning-tree vlan 1-1024

  Enable bpduguard/bpdufilter on access ports
  (bpduguard err-disables the port when a BPDU arrives; bpdufilter stops the port sending or accepting BPDUs)
    sw1(config)#int Fa0/1
    sw1(config-if)#spanning-tree bpdufilter enable
    or
    sw1(config-if)#spanning-tree bpduguard enable

  Enable root guard on known STP root ports
    sw1(config)#int GigabitEthernet 0/1
    sw1(config-if)#spanning-tree guard root

DTP/VTP
  - Proprietary to Cisco
  - DTP automates trunk port negotiation
  - VTP manages VLANs across the switching domain

DTP/VTP attack mitigation
  Disable trunk negotiation on user ports
    sw1(config)#int Fa0/1
    sw1(config-if)#switchport mode access
    sw1(config-if)#switchport nonegotiate

  Explicitly specify allowed VLANs on a trunk
    sw1(config)#int Fa0/1
    sw1(config-if)#switchport mode trunk
    sw1(config-if)#switchport trunk allowed vlan 3,5-7,11

  Disable VTP (or at least set a domain password!)
    sw1(config)#vtp mode transparent
    or
    sw1(config)#vtp password T0P53KR3T
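The STP and DTP/VTP mitigations above are easy to miss on one port out of hundreds. As an added example (not from the original slides), this script parses an IOS running-config and reports ports that still negotiate trunks, access ports without bpduguard/bpdufilter, trunks that carry every VLAN, and VTP left active without a password; the configuration text, hostname, interface names and VLAN numbers are constructed, not from a real device.

```python
"""Added example, not part of the original slides: a small audit of an IOS
running-config for the STP and DTP/VTP hardening recommended above.
The configuration text is constructed; the hostname, interface names and
VLAN numbers are assumptions, not taken from a real device."""

SAMPLE_CONFIG = """\
hostname sw1
vtp mode server
!
interface FastEthernet0/1
 switchport mode access
 spanning-tree bpduguard enable
!
interface FastEthernet0/2
 switchport mode dynamic desirable
!
interface GigabitEthernet0/1
 switchport mode trunk
 switchport trunk allowed vlan 3,5-7,11
 spanning-tree guard root
!
interface GigabitEthernet0/2
 switchport mode trunk
!
end
"""


def parse_config(text):
    """Split an IOS config into global lines and per-interface line lists."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
            if line and line != "!":
                global_lines.append(line)
    return global_lines, interfaces


def audit(text):
    """Return (location, finding) pairs for every mitigation that is missing."""
    global_lines, interfaces = parse_config(text)
    findings = []
    if not any(ln.startswith(("vtp mode transparent", "vtp password"))
               for ln in global_lines):
        findings.append(("global", "VTP active without a domain password"))
    for name, lines in interfaces.items():
        modes = [ln for ln in lines if ln.startswith("switchport mode ")]
        # Assumption: no explicit mode means the port is left negotiating via DTP.
        mode = modes[-1].split()[2] if modes else "dynamic"
        if mode == "dynamic":
            findings.append((name, "DTP negotiation enabled; use 'switchport mode access' or 'trunk'"))
        if mode == "access" and not any(ln.startswith("spanning-tree bpdu") for ln in lines):
            findings.append((name, "access port without bpduguard/bpdufilter"))
        if mode == "trunk" and not any(ln.startswith("switchport trunk allowed vlan") for ln in lines):
            findings.append((name, "trunk carries every VLAN; add 'switchport trunk allowed vlan'"))
    return findings


if __name__ == "__main__":
    for where, what in audit(SAMPLE_CONFIG):
        print(f"{where}: {what}")
```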

CAM flood & DHCP attacks
  - CAM tables contain MAC-to-port mappings
  - Switch without CAM table == HUB
  - Fail close vs Fail open
  - DHCP starvation (DoS)

CAM flood and DHCP starvation mitigation
  Port security
    - Static MAC addresses where possible
      sw1(config)#int Fa0/1
      sw1(config-if)#switchport port-security
      sw1(config-if)#switchport port-security mac-address 000d.60ce.3c00

    - Limit number of dynamic MAC addresses per port
      sw1(config)#int Fa0/1
      sw1(config-if)#switchport port-security
      sw1(config-if)#switchport port-security maximum 1
      sw1(config-if)#switchport port-security violation { protect | restrict | shutdown }
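To make "switch without CAM table == HUB" and the fail-open/fail-closed and protect/restrict/shutdown choices concrete, here is an added example (not from the original slides) of a toy learning switch: a flood from one port exhausts its table, and the same flood is then run against port security with maximum 1. All MAC addresses and port names are constructed.

```python
"""Added example, not part of the original slides: a toy learning switch that
shows why a full CAM table turns the switch into a hub, what fail-open versus
fail-closed means there, and how IOS-style port security (maximum N plus
protect/restrict/shutdown) contains it. MACs and port names are constructed."""
from collections import OrderedDict

BROADCAST = "ff:ff:ff:ff:ff:ff"


class Switch:
    def __init__(self, ports, cam_size, fail_open=True):
        self.ports = list(ports)
        self.cam_size = cam_size      # capacity of the MAC-to-port table
        self.fail_open = fail_open    # True: keep forwarding when full (== HUB)
        self.cam = OrderedDict()      # learned mac -> port
        self.psec = {}                # port -> {"max", "mode", "macs"}
        self.errdisabled = set()
        self.log = []

    def port_security(self, port, maximum, mode):
        self.psec[port] = {"max": maximum, "mode": mode, "macs": set()}

    def _learn(self, mac, in_port):
        """Return False when the frame must be dropped."""
        sec = self.psec.get(in_port)
        if sec is not None and mac not in sec["macs"]:
            if len(sec["macs"]) >= sec["max"]:
                # Violation: protect drops silently, restrict drops and logs,
                # shutdown logs and err-disables the whole port.
                if sec["mode"] in ("restrict", "shutdown"):
                    self.log.append(f"PSECURE_VIOLATION {in_port} {mac}")
                if sec["mode"] == "shutdown":
                    self.errdisabled.add(in_port)
                return False
            sec["macs"].add(mac)
        if mac not in self.cam and len(self.cam) >= self.cam_size:
            # Table exhausted: fail-open forwards without learning,
            # fail-closed drops frames from every source it cannot learn.
            return self.fail_open
        self.cam[mac] = in_port
        return True

    def forward(self, src, dst, in_port):
        """Return the egress ports for one frame."""
        if in_port in self.errdisabled or not self._learn(src, in_port):
            return []
        if dst in self.cam:
            return [] if self.cam[dst] == in_port else [self.cam[dst]]
        return [p for p in self.ports if p != in_port]   # unknown/broadcast: flood


def cam_flood_demo(fail_open):
    """Attacker on Fa0/1 fills the table; then Fa0/3 talks to the victim on Fa0/2."""
    sw = Switch(["Fa0/1", "Fa0/2", "Fa0/3"], cam_size=4, fail_open=fail_open)
    for i in range(10):
        sw.forward(f"02:00:00:00:00:{i:02x}", BROADCAST, "Fa0/1")
    sw.forward("00:00:00:00:00:02", BROADCAST, "Fa0/2")   # victim can no longer be learned
    return sw.forward("00:00:00:00:00:03", "00:00:00:00:00:02", "Fa0/3")


def port_security_demo(mode):
    """Same flood against 'switchport port-security maximum 1' in the given mode."""
    sw = Switch(["Fa0/1", "Fa0/2", "Fa0/3"], cam_size=4)
    sw.port_security("Fa0/1", maximum=1, mode=mode)
    sw.forward("00:00:00:00:00:02", BROADCAST, "Fa0/2")
    for i in range(10):
        sw.forward(f"02:00:00:00:00:{i:02x}", BROADCAST, "Fa0/1")
    return len(sw.cam), sorted(sw.errdisabled), len(sw.log)


if __name__ == "__main__":
    print("fail-open: victim-bound frame floods to", cam_flood_demo(True))
    print("fail-closed: victim-bound frame goes to", cam_flood_demo(False))
    for m in ("protect", "restrict", "shutdown"):
        print(m, "-> (cam entries, err-disabled ports, log lines):", port_security_demo(m))
```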

Rogue DHCP
  - Very effective following a DHCP starvation
  - Guess what gateway/DNS info an attacker would supply :)

DHCP snooping
  Blocks rogue DHCP servers (trust only the port facing the legitimate DHCP server)
    sw1(config)#ip dhcp snooping
    sw1(config)#ip dhcp snooping vlan 2,3
    sw1(config)#ip dhcp snooping information option
    sw1(config)#int Fa0/1
    sw1(config-if)#ip dhcp snooping trust

  Rate-limit DHCP requests on untrusted ports
    sw1(config-if)#ip dhcp snooping limit rate 10

ARP poisoning
  - ARP spoofing
  - Gratuitous ARP

Dynamic ARP inspection
  - Verifies IP-to-MAC bindings
  - Requires a trusted database of such bindings
    - DHCP (with snooping enabled)
      sw1(config)#ip arp inspection vlan 2,3

    - Static ACLs
      sw1(config)#arp access-list laptop-todor
      sw1(config-arp-nacl)#permit ip host 192.168.0.164 mac host 0023.1206.a634
      sw1(config-arp-nacl)#exit
      sw1(config)#ip arp inspection filter laptop-todor vlan 2
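The DHCP snooping and Dynamic ARP inspection slides describe one mechanism: server messages are accepted only from trusted ports, the accepted leases form a binding table, and ARP on untrusted ports is checked against that table or a static ARP ACL. This added example (not from the original slides) replays that logic over constructed events; ports, addresses and VLAN numbers are constructed, the laptop IP/MAC pair and the printer MAC are reused from the slides' configs, and bindings are matched on VLAN, IP and MAC only.

```python
"""Added example, not part of the original slides: the checks DHCP snooping
and Dynamic ARP Inspection perform, replayed over constructed events. Ports,
addresses and VLAN numbers are constructed; the laptop IP/MAC pair is the
one used in the slide's ARP ACL. Bindings are matched on VLAN, IP and MAC."""
from dataclasses import dataclass


@dataclass
class Binding:
    ip: str
    mac: str
    vlan: int
    port: str


class L2Guard:
    def __init__(self, trusted_ports, inspected_vlans):
        self.trusted = set(trusted_ports)     # uplinks toward the real DHCP server
        self.vlans = set(inspected_vlans)     # 'ip arp inspection vlan 2,3'
        self.bindings = {}                    # (vlan, ip) -> Binding (snooping table)
        self.arp_acl = {}                     # vlan -> {ip: mac}, static 'arp access-list'
        self.log = []

    def dhcp_server_msg(self, port, vlan, client_mac, client_ip):
        """A DHCP OFFER/ACK arriving on *port*: only trusted ports may source
        server messages; an accepted ACK populates the binding table."""
        if port not in self.trusted:
            self.log.append(f"DHCP_SNOOPING rogue server message on {port} dropped")
            return False
        self.bindings[(vlan, client_ip)] = Binding(client_ip, client_mac, vlan, port)
        return True

    def add_arp_acl(self, vlan, ip, mac):
        self.arp_acl.setdefault(vlan, {})[ip] = mac

    def inspect_arp(self, port, vlan, sender_ip, sender_mac):
        """DAI verdict for an ARP request/reply, gratuitous ARP included."""
        if vlan not in self.vlans or port in self.trusted:
            return True                       # VLAN not inspected or trusted port
        static = self.arp_acl.get(vlan, {})
        if sender_ip in static:               # static ACL wins for IPs it lists
            ok = static[sender_ip] == sender_mac
        else:
            b = self.bindings.get((vlan, sender_ip))
            ok = b is not None and b.mac == sender_mac
        if not ok:
            self.log.append(f"DAI invalid ARP {sender_ip}/{sender_mac} on {port} vlan {vlan}")
        return ok


def run_scenario():
    """Replay a handful of events; returns the per-event verdicts and the log."""
    g = L2Guard(trusted_ports=["Gi0/1"], inspected_vlans=[2, 3])
    v = {}
    # Legitimate server behind the trusted uplink leases .164 to the laptop on Fa0/1
    v["legit_ack"] = g.dhcp_server_msg("Gi0/1", 2, "0023.1206.a634", "192.168.0.164")
    # Rogue DHCP server answering from an access port
    v["rogue_offer"] = g.dhcp_server_msg("Fa0/5", 2, "0011.2233.4455", "192.168.0.50")
    # Laptop's own ARP: matches its snooping binding
    v["arp_ok"] = g.inspect_arp("Fa0/1", 2, "192.168.0.164", "0023.1206.a634")
    # Gratuitous ARP from Fa0/5 claiming the gateway's IP: no binding, no ACL
    v["arp_spoof"] = g.inspect_arp("Fa0/5", 2, "192.168.0.1", "0011.2233.4455")
    # Printer with a fixed address covered by a static ARP ACL
    g.add_arp_acl(2, "192.168.0.20", "000d.60ce.3c00")
    v["acl_ok"] = g.inspect_arp("Fa0/3", 2, "192.168.0.20", "000d.60ce.3c00")
    v["acl_spoof"] = g.inspect_arp("Fa0/5", 2, "192.168.0.20", "0011.2233.4455")
    # VLAN 9 is not under inspection, so the same spoof passes there
    v["uninspected_vlan"] = g.inspect_arp("Fa0/5", 9, "192.168.0.20", "0011.2233.4455")
    return v, g.log


if __name__ == "__main__":
    verdicts, log = run_scenario()
    for k, ok in verdicts.items():
        print(f"{k:16s} {'permit' if ok else 'deny'}")
    print("\n".join(log))
```

The last case is the check worth remembering: DAI only protects the VLANs listed in `ip arp inspection vlan`, so every user VLAN needs both snooping and inspection enabled.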

Things to keep in mind
  - Virtual environments
  - Zombie computers
  - 802.11 networks (public or otherwise)

Using the tactical advantage
  Sniffing traffic
    - Ridiculous amounts of unencrypted data are still seen on the network
    - Information gathering is more than just getting auth credentials
    - dsniff, Wireshark, tcpdump etc.
  DNS spoofing
    - Technically a MitM attack
    - DNSSEC does not address client <-> cache security

Using the tactical advantage
  - Man in the Middle (MitM) attacks
  - In SSL we trust
  - Humans are often the weakest link