PENTESTING LAYER 2 PROTOCOLS
By
Temmar Abdessamad
temmar.abdessamad@gmail.com
Outline
1 Why Worry About Layer 2 Security ?
2 Playing with Layer 2 protocols
3 Pentesting Layer 2 methodology
4 Conclusion
Why Worry About Layer 2 Security ?
[Figure: two OSI stacks (Application, Presentation, Session, Transport, Network, Data Link, Physical) facing each other. Physical links, MAC addresses and IP addresses belong to the lower layers; the application stream (POP3, IMAP, IM, SSL, SSH ...) sits at the top. An initial compromise at one layer leaves the whole communication compromised.]
• The OSI model was built to allow the different layers to work without knowledge of each other
• Unfortunately this means that if one layer is hacked, communications are compromised without the other layers being aware of the problem
• When it comes to networking ... layer 2 can be a very weak link !
• Security is only as strong as the weakest link
LAYER 2 : EQUIPMENT, PROTOCOLS & ATTACKS
Protocols
 CDP (Cisco Discovery Protocol)
 VTP (VLAN Trunking Protocol)
 DTP (Dynamic Trunking Protocol)
 HSRP (Hot Standby Router Protocol)
 DHCP (Dynamic Host Configuration Protocol)
Attack categories
 Reconnaissance attacks : an attacker tries to learn information about the target network (devices, protocols, topology ...) ;
 DoS attacks : the objective is to interrupt or suspend the network's normal service functions (routing, IP addressing) ;
 Hijacking attacks : hijack the network's traffic so that the attacker is able to sniff/intercept sensitive data (MiTM) ;
 Bypass attacks : an attacker tries to bypass network restrictions in order to reach other VLANs ;
 Topology attacks : the main objective is to take control of the target network and alter its topology.
Cisco Discovery Protocol (CDP)
 Cisco Discovery Protocol (CDP) is a Cisco proprietary protocol
 It allows Cisco devices to discover each other (IP address, software version, router model, etc.)
 How it works : each network entity broadcasts a CDP packet once per minute
 CDP does not run over IP : it runs directly over the data link layer.
Cisco Discovery Protocol (CDP) : Vulnerabilities
 CDP is clear text and unauthenticated
 Information leak :
 Software version and hardware platform : an attacker can identify a specific release with a well-known bug that is ready to be exploited.
 Auxiliary VLAN : an attacker can learn which VLAN is used by IP telephony
Cisco Discovery Protocol (CDP) : Attacks
 CDP Cache Pollution : the CDP table becomes unusable because it contains a lot of false information (below, port 2/47 is flooded with bogus neighbors whose platform field reads "yersinia")
Switch> sh cdp neighbors
Port Device-ID Port-ID Platform
-------- ---------------- -------------------- ------------
2/16 2651e FastEthernet0/1 cisco 2651
2/21 inet3 FastEthernet0/0 cisco 2651
2/36 r2-7206 Ethernet2/0.1 cisco 7206VXR
2/47 00M55I1 Ethernet0 yersinia
2/47 00N55I1 Ethernet0 yersinia
2/47 00N66I1 Ethernet0 yersinia
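As an added example (not part of the original slides), the detection side of this attack: a small Python script that parses the `show cdp neighbors` output above and flags ports whose neighbor count or advertised platform looks wrong. The neighbor threshold and the trusted platform prefix are assumptions to tune per network.

```python
import re
from collections import defaultdict

# The "show cdp neighbors" table from the slide, embedded here as constructed sample input.
SAMPLE_CDP_TABLE = """\
Port Device-ID Port-ID Platform
-------- ---------------- -------------------- ------------
2/16 2651e FastEthernet0/1 cisco 2651
2/21 inet3 FastEthernet0/0 cisco 2651
2/36 r2-7206 Ethernet2/0.1 cisco 7206VXR
2/47 00M55I1 Ethernet0 yersinia
2/47 00N55I1 Ethernet0 yersinia
2/47 00N66I1 Ethernet0 yersinia
"""

# Port, Device-ID and Port-ID never contain spaces; Platform may ("cisco 2651").
ROW_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(.+?)\s*$")


def parse_cdp_table(text):
    """Return [(port, device_id, port_id, platform), ...] from 'show cdp neighbors' output."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith(("Port ", "-")):
            continue  # header and separator lines
        m = ROW_RE.match(line)
        if m:
            rows.append(m.groups())
    return rows


def find_suspicious_ports(rows, max_neighbors=1, trusted_platform_prefix="cisco"):
    """Map port -> list of reasons for ports whose CDP cache looks polluted.

    max_neighbors: how many CDP neighbors one port may legitimately show (an access
    port with an IP phone and a PC behind it can show two, so tune this per site).
    trusted_platform_prefix: platform strings the network is expected to contain.
    """
    by_port = defaultdict(list)
    for port, device_id, port_id, platform in rows:
        by_port[port].append((device_id, port_id, platform))

    findings = {}
    for port, neighbors in sorted(by_port.items()):
        reasons = []
        if len(neighbors) > max_neighbors:
            reasons.append(f"{len(neighbors)} neighbors advertised on one port")
        unexpected = sorted({p for _, _, p in neighbors
                             if not p.lower().startswith(trusted_platform_prefix)})
        if unexpected:
            reasons.append("unexpected platform: " + ", ".join(unexpected))
        if reasons:
            findings[port] = reasons
    return findings


if __name__ == "__main__":
    table = parse_cdp_table(SAMPLE_CDP_TABLE)
    for port, reasons in find_suspicious_ports(table).items():
        print(f"{port}: " + "; ".join(reasons))
```

Run periodically against the switch's CDP table, a jump in the neighbor count on a single port is the signal worth alerting on.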
Cisco Discovery Protocol (CDP) : Mitigation
 Only enable CDP on ports to other network devices and uplinks, and disable it on access ports
 But CDP must remain enabled on ports to IP phones
 To turn off CDP :
CatOS> (enable) set cdp disable <mod>/<port> | all
IOS(config)#no cdp run
IOS(config-if)#no cdp enable
Hot Standby Router Protocol (HSRP)
 It makes a group of adjacent routers appear as a single virtual router.
 Each physical router has its own MAC and IP addresses, but the group shares one MAC and one IP address for the virtual router.
 Routers exchange HSRP messages to elect the active router. A standby router can become active when :
 it no longer receives HSRP hello messages from the active router
 the active router explicitly wants to become standby
[Figure: hosts with a default route to 192.168.0.8; Router A (IP : 192.168.0.7, MAC : from hardware), Router B (IP : 192.168.0.7, MAC : 0000.0C07.AC01) and Router C (IP : 192.168.0.7, MAC : from hardware) form one HSRP group.]
Hot Standby Router Protocol (HSRP) : Vulnerabilities
 HSRP is clear text : HSRP commits a slight information leakage by advertising all the routers' IP addresses, authentication data ...
 A standby router can immediately take over the role of the active router :
 Standby routers use their own MAC addresses as source MAC
 The active router uses the virtual MAC address
Hot Standby Router Protocol (HSRP) : Attacks
 DoS attack : an attacker sends a fake HSRP packet where the priority is set to the maximum value 255, with the correct values for the authentication data and the group's virtual IP address. All traffic is then sent to a black hole.
[Figure: hosts with a default route to 192.168.0.7; Router A, Router B (MAC : 0000.0C07.AC01) and Router C share the HSRP group; the active virtual router (IP : 192.168.0.7, MAC : 0000.0C07.AC01) sits between Network A and Network B.]
Hot Standby Router Protocol (HSRP) : Attacks
 Man-In-The-Middle attack : the attacker can intercept, listen to and modify unprotected data
[Figure: hosts with a default route to 192.168.0.8; Router A, Router B and Router C in the HSRP group; the active virtual router (IP : 192.168.0.7, MAC : 0000.0C07.AC01) now relays the hosts' traffic.]
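As an added example, not from the slides: a Python parser for HSRP version 1 packets (the RFC 2281 layout carried on UDP port 1985) with the checks a monitoring sensor would apply to the behaviour described above: who speaks HSRP, whether active-state packets come from the virtual MAC, whether a priority-255 packet comes from an unknown station, and whether the default authentication string is in use. The router MAC addresses, the sample packets and the authorized-router list are constructed for the example.

```python
import struct

HSRP_OPCODES = {0: "Hello", 1: "Coup", 2: "Resign"}
HSRP_STATES = {0: "Initial", 1: "Learn", 2: "Listen", 4: "Speak", 8: "Standby", 16: "Active"}


def parse_hsrp_v1(payload):
    """Decode the 20-byte HSRPv1 payload: version, opcode, state, hellotime, holdtime,
    priority, group, reserved, 8-byte authentication data, 4-byte virtual IP."""
    if len(payload) < 20:
        raise ValueError("HSRPv1 payload is 20 bytes")
    version, opcode, state, hello, hold, prio, group, _reserved = struct.unpack("!8B", payload[:8])
    auth = payload[8:16].rstrip(b"\x00").decode("ascii", errors="replace")
    vip = ".".join(str(b) for b in payload[16:20])
    return {"version": version, "opcode": HSRP_OPCODES.get(opcode, opcode),
            "state": HSRP_STATES.get(state, state), "hellotime": hello, "holdtime": hold,
            "priority": prio, "group": group, "auth": auth, "vip": vip}


def virtual_mac(group):
    """HSRPv1 virtual MAC: 0000.0C07.ACxx, where xx is the group number."""
    return f"00:00:0c:07:ac:{group:02x}"


def audit_hsrp(src_mac, payload, authorized_macs, expected_vip):
    """Apply the checks to one packet; returns (decoded packet, list of findings)."""
    h = parse_hsrp_v1(payload)
    src = src_mac.lower()
    vmac = virtual_mac(h["group"])
    findings = []
    if src != vmac and src not in authorized_macs:
        findings.append(f"HSRP speaker {src} is not an authorized router")
    if h["state"] == "Active" and src != vmac:
        findings.append(f"active-state packet not sourced from virtual MAC {vmac}")
    if h["priority"] == 255 and src not in authorized_macs:
        findings.append("priority 255 from an unauthorized source (takeover attempt)")
    if h["auth"] == "cisco":
        findings.append("default clear-text authentication string 'cisco' in use")
    if h["vip"] != expected_vip:
        findings.append(f"unexpected virtual IP {h['vip']}")
    return h, findings


def build_hsrp_v1(opcode, state, priority, group, auth, vip):
    """Build a payload for the constructed samples below (same layout as parse_hsrp_v1)."""
    head = struct.pack("!8B", 0, opcode, state, 3, 10, priority, group, 0)
    return head + auth.encode("ascii").ljust(8, b"\x00") + bytes(int(o) for o in vip.split("."))


# Constructed: hardware MACs of Router A and Router C from the figure (values invented).
AUTHORIZED_ROUTERS = {"00:11:22:33:44:0a", "00:11:22:33:44:0c"}
# Normal hello from the active router (Router B speaks from the virtual MAC of group 1).
LEGIT_HELLO = build_hsrp_v1(0, 16, 100, 1, "cisco", "192.168.0.7")
# Hello seen from an unknown station claiming priority 255 in the same group.
ROGUE_HELLO = build_hsrp_v1(0, 16, 255, 1, "cisco", "192.168.0.7")

if __name__ == "__main__":
    for mac, pkt in (("00:00:0C:07:AC:01", LEGIT_HELLO), ("de:ad:be:ef:00:01", ROGUE_HELLO)):
        decoded, findings = audit_hsrp(mac, pkt, AUTHORIZED_ROUTERS, "192.168.0.7")
        print(mac, decoded["state"], decoded["priority"], findings or "OK")
```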
Hot Standby Router Protocol (HSRP) : Mitigation
How to protect us from these attacks ?
 The ways to mitigate these attacks rely on preventing :
 Forging valid authentication data. If the attacker is unable to present the correct credentials, all the other routers reject his packets.
 Sending HSRP packets. The network infrastructure blocks all HSRP packets except those sent by authorized HSRP routers.
Okay ... but how ?!
 Use strong authentication : an MD5 key chain to authenticate HSRP messages
Other Attacks
VTP (VLAN Trunking Protocol) : this protocol gives an attacker the ability to add and remove VLANs from the network.
DTP (Dynamic Trunking Protocol) : if a switch port has been configured to send and/or listen to DTP advertisements, a hacker can easily coerce the port into becoming a trunk.
DHCP (Dynamic Host Configuration Protocol) : hijacking traffic using DHCP rogue servers
[Figure: a client, an attacker (10.50.72.66), and the legitimate DNS, DHCP and file servers. The client sends DHCP request packets for IP, DNS and gateway addresses ("Hi, may I please have IP, gateway & DNS addresses ?"). The attacker replies with fraudulent information (IP : 10.50.72.0/24, GW : 10.50.72.66, DNS : 10.50.72.66), including his own computer as the gateway, so all packets from the client pass through his machine.]
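Added example (not from the slides): a Python DHCP message parser and the check DHCP snooping performs in spirit, flagging an OFFER or ACK whose server identifier, router or DNS option does not point at the expected servers. The legitimate DHCP server/gateway 10.50.72.1 and DNS 10.50.72.2 are assumptions; 10.50.72.66 is the attacker address from the figure; both packets are constructed test input, not captures.

```python
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_ROUTER, OPT_DNS, OPT_MSG_TYPE, OPT_SERVER_ID = 3, 6, 53, 54
DHCPOFFER, DHCPACK = 2, 5


def _ip(text):
    return ipaddress.IPv4Address(text).packed


def build_dhcp_reply(msg_type, yiaddr, server_id, router, dns, xid=0x3903F326):
    """Build a minimal BOOTP reply with a DHCP option list (constructed test data)."""
    fixed = struct.pack("!BBBBIHH4s4s4s4s", 2, 1, 6, 0, xid, 0, 0,
                        b"\0" * 4, _ip(yiaddr), _ip(server_id), b"\0" * 4)  # op .. giaddr
    fixed += b"\0" * (16 + 64 + 128)  # chaddr, sname, file
    options = (bytes([OPT_MSG_TYPE, 1, msg_type])
               + bytes([OPT_SERVER_ID, 4]) + _ip(server_id)
               + bytes([OPT_ROUTER, 4]) + _ip(router)
               + bytes([OPT_DNS, 4]) + _ip(dns)
               + b"\xff")
    return fixed + MAGIC_COOKIE + options


def parse_dhcp(pkt):
    """Return op, xid, yiaddr and the raw option dict {tag: value}."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    msg = {"op": pkt[0], "xid": struct.unpack("!I", pkt[4:8])[0],
           "yiaddr": str(ipaddress.IPv4Address(pkt[16:20])), "options": {}}
    i = 240
    while i < len(pkt):
        tag = pkt[i]
        if tag == 0:          # pad
            i += 1
            continue
        if tag == 255:        # end of options
            break
        length = pkt[i + 1]
        msg["options"][tag] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return msg


def _opt_ip(options, tag):
    return str(ipaddress.IPv4Address(options[tag])) if tag in options else None


def check_server_reply(pkt, trusted_servers, expected_router, expected_dns):
    """Flag OFFER/ACK messages that do not come from, or do not point at, the expected servers."""
    msg = parse_dhcp(pkt)
    opts = msg["options"]
    findings = []
    if opts.get(OPT_MSG_TYPE) not in (bytes([DHCPOFFER]), bytes([DHCPACK])):
        return msg, findings  # only server replies are of interest here
    server = _opt_ip(opts, OPT_SERVER_ID)
    if server not in trusted_servers:
        findings.append(f"reply from untrusted DHCP server {server}")
    router = _opt_ip(opts, OPT_ROUTER)
    if router != expected_router:
        findings.append(f"offered gateway {router} (expected {expected_router})")
    dns = _opt_ip(opts, OPT_DNS)
    if dns != expected_dns:
        findings.append(f"offered DNS server {dns} (expected {expected_dns})")
    return msg, findings


# Constructed network: legitimate DHCP server 10.50.72.1 (also the gateway), DNS 10.50.72.2.
TRUSTED_SERVERS = {"10.50.72.1"}
LEGIT_OFFER = build_dhcp_reply(DHCPOFFER, "10.50.72.20", "10.50.72.1", "10.50.72.1", "10.50.72.2")
ROGUE_OFFER = build_dhcp_reply(DHCPOFFER, "10.50.72.20", "10.50.72.66", "10.50.72.66", "10.50.72.66")

if __name__ == "__main__":
    for name, pkt in (("legit", LEGIT_OFFER), ("rogue", ROGUE_OFFER)):
        _, findings = check_server_reply(pkt, TRUSTED_SERVERS, "10.50.72.1", "10.50.72.2")
        print(name, findings or "OK")
```

On a switch, DHCP snooping does this per port (server replies are only accepted on trusted ports); the check above is the equivalent for a passive sensor that sees the replies.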
Pentesting Layer 2 - Methodology
[Flowchart]
Sniffing (CDP, VTP, HSRP, DHCP ...)
DHCP enabled ?
 No : analyze CDP packets & pick your own IP address
 Yes : reconnaissance attacks
Reconnaissance attacks :
 CDP packet analysis
 HSRP packets
 DHCP information
 DTP protocol analysis
Hijacking attacks :
 Become an active router
 Introduce a rogue DHCP server (MiTM, DNS hijacking)
 Enable trunking mode
 Sniff network traffic of the top layers
Conclusion
 According to our last pen test missions, 95 % of these attacks are successful, which proves that layer 2 security is always ignored by companies
 In general we recommend :
 Managing switches in as secure a manner as possible (SSH, permit lists, etc.)
 Using a dedicated VLAN ID for all trunk ports. Be paranoid : do not use VLAN 1 for anything.
 Setting user ports to a non-trunking state.
 Deploying port-security whenever possible on user ports.
 Using private VLANs where appropriate to further divide L2 networks.
 Disabling all unused ports and putting them in an unused VLAN.
 Disabling CDP whenever possible.
 Ensuring DHCP attack prevention (DHCP snooping).
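As an added example not taken from the slides, a Python audit of an IOS-style running-config against the checklist above together with the CDP and HSRP mitigations from the earlier slides (CDP off on user ports except phone ports, MD5 key-chain authentication on every HSRP group). The sample configuration, interface names and key-chain name are constructed, and `<placeholder>` stands for a real key string.

```python
import re

# Constructed IOS-style configuration with a mix of compliant and non-compliant stanzas.
SAMPLE_CONFIG = """\
ip dhcp snooping
!
key chain HSRP-KEYS
 key 1
  key-string <placeholder>
!
interface GigabitEthernet0/1
 description uplink, dedicated native VLAN
 switchport mode trunk
 switchport trunk native vlan 999
!
interface GigabitEthernet0/2
 switchport mode access
 switchport access vlan 10
 switchport port-security
 no cdp enable
!
interface GigabitEthernet0/3
 switchport mode access
 switchport access vlan 10
!
interface GigabitEthernet0/4
 switchport mode access
 switchport voice vlan 100
 switchport port-security
!
interface GigabitEthernet0/5
 switchport mode trunk
!
interface Vlan10
 ip address 192.168.0.2 255.255.255.0
 standby 1 ip 192.168.0.7
 standby 1 priority 110
!
interface Vlan20
 ip address 192.168.1.2 255.255.255.0
 standby 2 ip 192.168.1.1
 standby 2 authentication md5 key-chain HSRP-KEYS
"""

EDGE_PORT_PREFIXES = ("gigabitethernet", "fastethernet")  # where user ports live in this sample


def parse_ios_config(text):
    """Split the config into global lines and {interface name: [its indented lines]}."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            current = None  # '!' closes a stanza
        elif line.startswith("interface "):
            current = line.split(" ", 1)[1]
            interfaces[current] = []
        elif line.startswith(" "):
            (interfaces[current] if current else global_lines).append(line.strip())
        else:
            current = None
            global_lines.append(line)
    return global_lines, interfaces


def audit_config(text):
    """Return [(where, finding), ...] for each recommendation the config violates."""
    global_lines, interfaces = parse_ios_config(text)
    findings = []
    if "ip dhcp snooping" not in global_lines:
        findings.append(("global", "DHCP snooping is not enabled"))
    for name, lines in interfaces.items():
        cfg = set(lines)
        # HSRP: every 'standby <g> ip' group must carry MD5 key-chain authentication
        for line in lines:
            m = re.match(r"standby (\d+) ip\b", line)
            if not m:
                continue
            group = m.group(1)
            if not any(re.match(rf"standby {group} authentication md5 key-chain \S+", other)
                       for other in lines):
                findings.append((name, f"HSRP group {group} has no MD5 key-chain authentication"))
        is_trunk = "switchport mode trunk" in cfg
        if is_trunk:
            native = [l.split()[-1] for l in lines if l.startswith("switchport trunk native vlan ")]
            if not native or native[0] == "1":
                findings.append((name, "trunk uses VLAN 1 as its native VLAN"))
        if name.lower().startswith(EDGE_PORT_PREFIXES) and not is_trunk:
            if "switchport mode access" not in cfg:
                findings.append((name, "user port not forced to a non-trunking state (DTP negotiation possible)"))
            if "switchport port-security" not in cfg:
                findings.append((name, "port-security not enabled on user port"))
            phone_port = any(l.startswith("switchport voice vlan") for l in lines)
            if "no cdp enable" not in cfg and not phone_port:
                findings.append((name, "CDP still enabled on a user port"))
    return findings


if __name__ == "__main__":
    for where, finding in audit_config(SAMPLE_CONFIG):
        print(f"{where}: {finding}")
```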
REFERENCES
LAN Switch Security: What Hackers Know About Your Switches - Eric Vyncke, Christopher Paggen
Yersinia, a framework for layer 2 attacks (Black Hat) - Berrueta Andres

 

Pentesting layer 2 protocols

  • 1. PENTESTING LAYER 2 PROTOCOLS - by Temmar Abdessamad, temmar.abdessamad@gmail.com
  • 2. Outline: 1 Why Worry About Layer 2 Security? 2 Playing with Layer 2 protocols 3 Pentesting Layer 2 methodology 4 Conclusion
  • 3. Why Worry About Layer 2 Security?
    [Figure: two OSI stacks (Application, Presentation, Session, Transport, Network, Data Link, Physical) side by side, with physical links, MAC addresses and IP addresses at the lower layers; an initial compromise at the data link layer leaves the application stream above it (POP3, IMAP, IM, SSL, SSH ...) compromised]
    - The OSI model was built to allow the different layers to work without knowledge of each other
    - Unfortunately this means that if one layer is hacked, communications are compromised without the other layers being aware of the problem
    - When it comes to networking ... layer 2 can be a very weak link!
    - Security is only as strong as the weakest link
  • 4. Outline (section 2: Playing with Layer 2 protocols)
  • 5. LAYER 2: EQUIPMENT, PROTOCOLS & ATTACKS
    Protocols: CDP (Cisco Discovery Protocol), VTP (VLAN Trunking Protocol), DTP (Dynamic Trunking Protocol), HSRP (Hot Standby Router Protocol), DHCP (Dynamic Host Configuration Protocol)
    Attack categories:
    - Reconnaissance attacks: an attacker tries to learn information about the target network (devices, protocols, topology ...);
    - DoS attacks: the objective is to interrupt or suspend the network's normal service functions (routing, IP addressing);
    - Hijacking attacks: hijack the network's traffic so that the attacker is able to sniff/intercept sensitive data (MiTM);
    - Bypass attacks: an attacker tries to bypass network restrictions in order to reach other VLANs;
    - Topology attacks: the main objective is to take control of the target network and alter its topology.
  • 6. Cisco Discovery Protocol (CDP) - Presentation
    - Cisco Discovery Protocol (CDP) is a Cisco proprietary protocol
    - Allows Cisco devices to discover each other (IP address, software version, router model, etc.)
    - How it works: each network entity broadcasts a CDP packet once per minute
    - CDP does not run over IP: it runs directly over the data link layer
  • 7. Cisco Discovery Protocol (CDP) - Vulnerabilities
    - CDP is clear text and unauthenticated
    - Information leak:
      - Software version and hardware platform: a specific release with a well-known bug that is ready to be exploited
      - Auxiliary VLAN: an attacker can learn which VLAN is used by IP telephony
  • 8. Cisco Discovery Protocol (CDP) - Attacks
    - CDP cache pollution: the CDP table becomes unusable because it contains a lot of false information (example from Network A; note the three yersinia entries on port 2/47)

      Switch> sh cdp neighbors
      Port     Device-ID        Port-ID              Platform
      -------- ---------------- -------------------- ------------
      2/16     2651e            FastEthernet0/1      cisco 2651
      2/21     inet3            FastEthernet0/0      cisco 2651
      2/36     r2-7206          Ethernet2/0.1        cisco 7206VXR
      2/47     00M55I1          Ethernet0            yersinia
      2/47     00N55I1          Ethernet0            yersinia
      2/47     00N66I1          Ethernet0            yersinia

  • 9. Cisco Discovery Protocol (CDP) - Mitigation
    - Only enable CDP on ports to other network devices and uplinks, and disable it on access ports
    - But CDP must remain enabled on ports to IP phones
    - To turn off CDP:

      CatOS> (enable) set cdp disable <mod>/<port> | all
      IOS(config)#no cdp run
      IOS(config-if)#no cdp enable
  • 10. Hot Standby Router Protocol (HSRP) - Presentation
    - It makes a group of adjacent routers appear as a single virtual router
    - Each physical router has its own MAC and IP addresses, but the routers share one MAC and one IP address for the virtual router
    - Routers exchange HSRP messages to elect the active router. A standby router can become active when:
      - it receives no more HSRP hello messages from the active router
      - the active router explicitly wants to become standby
    [Figure: HSRP group of Router A (MAC from hardware), Router B (MAC 000.0C07.AC01) and Router C (MAC from hardware) sharing the virtual IP 192.168.0.7; hosts have a default route to 192.168.0.8]
  • 11. Hot Standby Router Protocol (HSRP) - Vulnerabilities
    - HSRP is clear text: HSRP commits a slight information leakage by advertising all the routers' IP addresses, authentication data ...
    - There is a possibility for a standby router to immediately take over the role of the active router:
      - standby routers use their own MAC addresses as source MAC
      - the active router uses the virtual MAC address
  • 12. Hot Standby Router Protocol (HSRP) - Attacks
    - DoS attack: an attacker sends a fake HSRP packet with the priority set to the maximum value 255 and the correct values for Authentication Data, Group and virtual IP address. All traffic is then sent to a black hole.
    [Figure: Network A and Network B; HSRP group of Router A, Router B (active virtual router, IP 192.168.0.7, MAC 000.0C07.AC01) and Router C; hosts have a default route to 192.168.0.7]
  • 13. Hot Standby Router Protocol (HSRP) - Attacks
    - Man-in-the-Middle attack: the attacker can intercept, listen to and modify unprotected data
    [Figure: the same HSRP group (active virtual router IP 192.168.0.7, MAC 000.0C07.AC01); hosts have a default route to 192.168.0.8]
  • 14. Hot Standby Router Protocol (HSRP) - Mitigation
    How to protect ourselves from these attacks? The ways to mitigate them rely on preventing:
    - Forging valid authentication data: if the attacker is unable to present the correct credentials, all other routers reject his packets
    - Sending HSRP packets: the network infrastructure blocks all HSRP packets except those sent by authorized HSRP routers
    OK ... but how?! Use strong authentication: an MD5 key chain to authenticate HSRP messages
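The HSRP facts the deck relies on (standby routers speak from their own MAC, the active router from the virtual MAC, priority 255 forces a takeover, authentication travels in clear text) as a detection check over captured HSRP messages; this is an added example, not code from the deck. It parses the HSRPv1 header (RFC 2281, the payload of UDP port 1985) and flags speakers that are neither an authorized router nor the group's virtual MAC. The sample frames, the router MAC list and the "s3cret" key are constructed.

```python
import struct
from ipaddress import IPv4Address

HSRP_V1 = struct.Struct("!BBBBBBBB8s4s")  # 20-byte HSRPv1 header (RFC 2281), carried in UDP/1985
OPCODES = {0: "hello", 1: "coup", 2: "resign"}
STATES = {0: "initial", 1: "learn", 2: "listen", 4: "speak", 8: "standby", 16: "active"}


def build_hsrp(opcode, state, priority, group, auth=b"cisco", vip="192.168.0.7"):
    """Build a constructed HSRPv1 payload; used here only to create sample data."""
    return HSRP_V1.pack(0, opcode, state, 3, 10, priority, group, 0,
                        auth.ljust(8, b"\x00"), IPv4Address(vip).packed)


def parse_hsrp(payload):
    ver, op, st, hello, hold, prio, group, _res, auth, vip = HSRP_V1.unpack(payload[:HSRP_V1.size])
    return {"version": ver, "opcode": OPCODES.get(op, op), "state": STATES.get(st, st),
            "hellotime": hello, "holdtime": hold, "priority": prio, "group": group,
            "auth": auth.rstrip(b"\x00").decode("ascii", "replace"),
            "vip": str(IPv4Address(vip))}


def audit_hsrp(frames, known_router_macs, known_vip):
    """frames: iterable of (source MAC, HSRP payload). Returns (mac, reason) alerts.
    Standby routers send from their own MAC and the active router from the virtual MAC,
    so any other source talking about the group's VIP is a foreign speaker; a foreign
    speaker with priority 255, a coup, or the active state is a takeover attempt."""
    alerts = []
    for mac, payload in frames:
        h = parse_hsrp(payload)
        vmac = "00:00:0c:07:ac:%02x" % h["group"]      # HSRPv1 well-known virtual MAC
        if h["vip"] == known_vip and mac.lower() not in known_router_macs and mac.lower() != vmac:
            if h["priority"] == 255 or h["opcode"] == "coup" or h["state"] == "active":
                alerts.append((mac, "takeover attempt (priority %d, %s/%s)"
                               % (h["priority"], h["opcode"], h["state"])))
            else:
                alerts.append((mac, "unauthorized HSRP speaker"))
        if h["auth"] == "cisco":                        # cleartext default, readable by any sniffer
            alerts.append((mac, "default authentication string"))
    return alerts


# Constructed capture: legitimate active and standby routers, then a rogue coup with priority 255.
KNOWN_ROUTERS = {"00:11:22:33:44:01", "00:11:22:33:44:02"}
SAMPLE_FRAMES = [
    ("00:00:0c:07:ac:01", build_hsrp(0, 16, 100, 1, auth=b"s3cret")),  # active, virtual MAC
    ("00:11:22:33:44:02", build_hsrp(0, 8, 90, 1, auth=b"s3cret")),    # standby, own MAC
    ("aa:bb:cc:dd:ee:ff", build_hsrp(1, 4, 255, 1, auth=b"s3cret")),   # rogue coup
]
```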
  • 15. Other Attacks
    - VTP (VLAN Trunking Protocol): this protocol gives an attacker the ability to add and remove VLANs from the network
    - DTP (Dynamic Trunking Protocol): if a switch port has been configured to send and/or listen to DTP advertisements, a hacker can easily coerce the port into becoming a trunk
    - DHCP (Dynamic Host Configuration Protocol): hijacking traffic using rogue DHCP servers
      [Figure: client, attacker (10.50.72.66), DNS server, DHCP server and file server on the same segment]
      1. The client sends DHCP request packets for IP, DNS and gateway addresses ("Hi, may I please have IP, gateway & DNS addresses?")
      2. The attacker replies with fraudulent information: IP in 10.50.72.0/24, GW 10.50.72.66, DNS 10.50.72.66. This includes his own computer as the gateway, so all packets from the clients pass through his server
  • 16. Outline (section 3: Pentesting Layer 2 methodology)
  • 17. Pentesting Layer 2 - Methodology
    [Flowchart]
    - Sniffing (CDP, VTP, HSRP, DHCP ...)
    - Reconnaissance attacks: CDP packet analysis, HSRP packets, DHCP information
    - DHCP enabled?
      - Yes: introduce a rogue DHCP server, leading to MiTM and DNS hijacking
      - No: analyze CDP packets and pick your own IP address
    - HSRP packets: become the active router
    - DTP protocol analysis: enable trunking mode
    - Hijacking attacks: sniff the network traffic of the upper layers
  • 18. Outline (section 4: Conclusion)
  • 19. Conclusion
    - According to our last pen test missions, 95 % of these attacks are successful, which proves that layer 2 security is always ignored by companies
    - In general we recommend:
      - Managing switches in as secure a manner as possible (SSH, permit lists, etc.)
      - Using a dedicated VLAN ID for all trunk ports. Be paranoid: do not use VLAN 1 for anything
      - Setting user ports to a non-trunking state
      - Deploying port security whenever possible for user ports
      - Using private VLANs where appropriate to further divide L2 networks
      - Disabling all unused ports and putting them in an unused VLAN
      - Disabling CDP whenever possible
      - Ensuring DHCP attack prevention (DHCP snooping)
  • 20. REFERENCES
    - LAN Switch Security: What Hackers Know About Your Switches - Eric Vyncke, Christopher Paggen
    - Yersinia, a framework for layer 2 attacks - Black Hat - Andres Berrueta
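The rogue-DHCP-server exchange above, seen from the defender's side, as an added example that is not part of the deck: parse DHCP messages (BOOTP header plus TLV options) and report every DHCPOFFER whose server identifier is not an authorized server, which is the decision DHCP snooping makes per switch port. The rogue values (10.50.72.66 as server, gateway and DNS) come from the slide; the legitimate server 10.50.72.1, DNS 10.50.72.2 and the offered addresses are constructed.

```python
import struct
from ipaddress import IPv4Address

MAGIC = b"\x63\x82\x53\x63"      # DHCP magic cookie at BOOTP offset 236
OFFER = 2                        # DHCP message type (option 53) for DHCPOFFER

def build_offer(yiaddr, server_id, router, dns):
    """Constructed DHCPOFFER (236-byte BOOTP header + options) used only as sample data."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 2, 1, 6, 0, 0x1234, 0, 0, b"\0" * 4,
                      IPv4Address(yiaddr).packed, b"\0" * 4, b"\0" * 4, b"\0" * 16, b"\0" * 64, b"\0" * 128)
    opts = (b"\x35\x01" + bytes([OFFER]) + b"\x36\x04" + IPv4Address(server_id).packed +
            b"\x03\x04" + IPv4Address(router).packed + b"\x06\x04" + IPv4Address(dns).packed + b"\xff")
    return hdr + MAGIC + opts

def parse_dhcp(pkt):
    """Return op, yiaddr (the offered address) and a {code: raw value} map of the options."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    msg = {"op": pkt[0], "yiaddr": str(IPv4Address(pkt[16:20])), "options": {}}
    i = 240
    while i < len(pkt) and pkt[i] != 255:               # 255 = end option
        if pkt[i] == 0:                                  # 0 = pad, no length byte
            i += 1
            continue
        code, length = pkt[i], pkt[i + 1]
        msg["options"][code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return msg

def ip_option(msg, code):
    v = msg["options"].get(code)
    return str(IPv4Address(v[:4])) if v and len(v) >= 4 else None

def rogue_offers(packets, authorized_servers):
    """Return (server id, router, DNS) for every DHCPOFFER whose server identifier
    (option 54) is not in the authorized set; option 3 is the gateway, option 6 the DNS."""
    hits = []
    for pkt in packets:
        m = parse_dhcp(pkt)
        if m["op"] != 2 or m["options"].get(53) != bytes([OFFER]):
            continue
        sid = ip_option(m, 54)
        if sid not in authorized_servers:
            hits.append((sid, ip_option(m, 3), ip_option(m, 6)))
    return hits

# Constructed capture: a legitimate offer from 10.50.72.1, then the slide's rogue offer from 10.50.72.66.
SAMPLE_OFFERS = [build_offer("10.50.72.100", "10.50.72.1", "10.50.72.1", "10.50.72.2"),
                 build_offer("10.50.72.101", "10.50.72.66", "10.50.72.66", "10.50.72.66")]
```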

Editor's Notes

  1. Because CDP is mainly interesting to use between network devices and not toward end-user hosts, the best way to prevent both the DoS attacks and information leaks is to only enable CDP on ports to other network devices and uplinks while disabling it to access ports. Because of the low level of risk and the benefits of CDP in IP phone deployment, as well as for network operation and troubleshooting, it is better to leave CDP enabled on all ports. Of course, the best option is to only configure CDP on ports where it is required (such as those with an IP phone) to reduce risk exposure.