Introduction to layer 2 attacks & mitigation
1. An Introduction to Layer 2 Attacks & Mitigation
Rishabh Dangwal
www.TheProhack.com | Twitter @prohack
2. Agenda
Layer 2 Security - The What, Why and What Now?
Switching Basics
Quick Knowledge Check
The Attacks & their mitigation.
ARP based
Cisco Specific
STP & VLAN Attacks
Switch Configuration Review - What to look for
Question & Answer session.
3. Layer 2 Security
The What, Why and What Now?
OSI is a layered model; if one layer is compromised, all layers are compromised.
Layer 2 attacks are still very much relevant today.
Poorly configured network environments.
Information gap between network and security personnel (refer to next slide).
Different architectures, same protocols; hence the same weaknesses.
Security is only as strong as your weakest link.
4. Switching Basics
What is a switch, exactly?
How does it function?
VLAN basics.
Untagged and tagged ports (also called edge/access and trunk ports).
Spanning Tree basics.
Layer 3 switching?
Other vendor-specific Layer 2 switching technologies.
5. Quick Knowledge Check
Kinds of questions to ask your Network & Security Admins
1. How do they handle network security issues?
2. Is their network segmented by VLANs?
3. Are their VLANs secure by design?
4. What is the process for IP segment allocation?
5. Is there a formal change process in place?
6. Flooding & Spoofing Attacks
Attacks which rely on either flooding or resource starvation:
ARP Poisoning
DHCP Starvation
CAM Table overflow
7. ARP Attacks
ARP Poisoning: can be carried out easily.
Stateless protocol.
No inbuilt authentication.
Limited to local network segments.
Can be escalated/exploited into MITM, SSH interception, DoS and session hijacking attacks.
Tools of Trade: Ettercap, Cain & Abel, Dsniff
8. DHCP Starvation
DHCP scope exhaustion, combined with installing a rogue DHCP server.
Requests with spoofed MAC addresses are broadcast to flood the network.
Once the legitimate scope is starved, a rogue server becomes more effective.
Tools of Trade: Yersinia
9. CAM Table Overflow
Content Addressable Memory (CAM) is used where highly efficient lookups are needed.
Cisco switches use CAM for their MAC-address-to-interface mapping tables.
Flooding the network with MAC addresses fills the CAM table and thereby makes the switch act like a hub.
Tools of Trade: Dsniff, Ettercap, Cain & Abel and more.
10. Flooding & Spoofing Attacks - Mitigation
Ensure Port Security is enabled (static ARP entries).
Enable Port Security.
Enable DHCP Snooping.
Question the network admin on the requirement for PARP / GARP (Proxy ARP / Gratuitous ARP) if present in the configuration.
Dynamic ARP Inspection.
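As an added example (not part of the original slides), a small monitor in the spirit of Dynamic ARP Inspection: it learns IP-to-MAC bindings from ARP replies and alerts when a known IP moves to a new MAC or when one MAC claims many addresses. The replies, addresses and the `detect_arp_poisoning` helper are all constructed here.

```python
"""Detect signs of ARP poisoning in a stream of ARP replies.

Added example, not part of the original slides. Learns IP->MAC bindings from
replies and alerts when a known IP suddenly maps to a different MAC, or when
one MAC claims more IPs than a host normally would. Records are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    sender_ip: str
    sender_mac: str


# Constructed sample traffic: the gateway 10.0.0.1 is legitimately at
# aa:aa:aa:aa:aa:01; later a host at ee:ee:ee:ee:ee:ee starts claiming the
# gateway and other addresses, which is what a poisoning tool does.
SAMPLE_REPLIES = [
    ArpReply("10.0.0.1", "aa:aa:aa:aa:aa:01"),
    ArpReply("10.0.0.20", "bb:bb:bb:bb:bb:20"),
    ArpReply("10.0.0.1", "aa:aa:aa:aa:aa:01"),
    ArpReply("10.0.0.1", "ee:ee:ee:ee:ee:ee"),   # gateway re-mapped
    ArpReply("10.0.0.20", "ee:ee:ee:ee:ee:ee"),  # host re-mapped
    ArpReply("10.0.0.30", "ee:ee:ee:ee:ee:ee"),  # third IP from the same MAC
]


def detect_arp_poisoning(replies, max_ips_per_mac=2):
    """Return a list of (kind, detail) alerts in arrival order.

    kind is 'binding-change' when an already-seen IP moves to a new MAC, or
    'mac-claims-many' the first time one MAC exceeds max_ips_per_mac IPs.
    """
    bindings = {}                  # ip -> mac learned from the first reply seen
    ips_by_mac = defaultdict(set)  # mac -> set of IPs it has claimed
    alerts = []
    for r in replies:
        mac = r.sender_mac.lower()
        known = bindings.get(r.sender_ip)
        if known is None:
            bindings[r.sender_ip] = mac
        elif known != mac:
            alerts.append(("binding-change", f"{r.sender_ip}: {known} -> {mac}"))
            bindings[r.sender_ip] = mac  # track the new claim so repeats are not re-alerted
        ips_by_mac[mac].add(r.sender_ip)
        if len(ips_by_mac[mac]) == max_ips_per_mac + 1:
            alerts.append(("mac-claims-many", mac))
    return alerts
```

A DHCP lease moving between hosts also produces a binding-change alert, so correlate with the DHCP snooping binding table before treating one as poisoning.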
11. Cisco Specific Attacks
CDP attacks - applicable to Cisco IOS based devices.
VTP attacks - applicable to Cisco switches.
DTP attack - applicable to Cisco IOS based devices.
HSRP abuse - applicable to Cisco IOS based devices.
12. Cisco - CDP Attacks
Cisco Discovery Protocol (CDP) allows Cisco devices to communicate with each other.
CDP is unencrypted, unauthenticated and carries a ton of information.
CDP can be exploited for:
CDP DoS (even WLCs are vulnerable)
Overflow / pollution / corruption of the CDP cache
Running up power bills (PoE abuse)
Tools to Use: Yersinia
13. CDP Attacks - Mitigation
Turn CDP off.
Check with the network team for any specific requirement for CDP (VoIP phones / troubleshooting).
All unused ports shall be shut by default.
BONUS: different vendors have similar protocols -
Juniper / Huawei LLDP (LLDP Attack Framework)
Brocade FDP
Maipu MDSP
14. Cisco - VTP Attack
VLAN Trunking Protocol (VTP) is used by Cisco to propagate VLAN information.
VTP uses a revision-numbering system with a client/server architecture.
Clients sync their configuration with the server to stay at the current VLAN database revision.
The attack is a DoS carried out by sending VTP messages into the network.
Tools of Trade: Yersinia
15. VTP Attack - Mitigation
Check with the admin whether VTP is required; if NO, recommend configuring the switches in transparent mode.
If YES, check that the following parameters are configured correctly:
A VTP password should be set and shall be MD5 encrypted (service password-encryption).
Non-participating switches should be configured in transparent mode.
VTP pruning should be enabled.
All unused ports shall be shut by default.
16. DTP Attack
Dynamic Trunking Protocol (DTP) negotiates port state between two devices.
By default an interface negotiates to become a trunk (tagged) port, hence the name.
An attacker can send raw DTP packets on an access interface and turn it into a trunk.
The trunk interface can then be used to escalate to STP/VTP/VLAN based attacks.
Tools of Trade: Yersinia
17. DTP Attack - Mitigation
Turn DTP off by disabling auto-negotiation.
Refer to the configuration below for an access (untagged) port: settings are hardcoded, nothing is auto.
All unused ports shall be shut by default.
18. HSRP Abuse
Hot Standby Router Protocol (HSRP) is used to achieve HA between Cisco devices.
Functions in Active/Passive mode over UDP port 1985.
Uses multicast; by default the password is configured in plain text.
An attacker can send raw HSRP packets.
Compromise and become the Active device with a real or spoofed IP.
Tool to use: Yersinia
20. Spanning Tree Attacks
Invented by Dr. Radia Perlman, Spanning Tree Protocol (STP) provides a loop-free topology for a LAN or bridged network.
An attacker can disrupt the STP topology by:
Masquerading as a rogue switch.
Introducing a real switch into the network.
Spoofing the root switch.
Sending malicious BPDUs.
Claiming roles in the topology.
Tools of Trade: Yersinia
21. Spanning Tree Attacks - Mitigation
Enable Root Guard on Cisco Switches, Root Protection on
Juniper Switches.
Enable BPDU Guard on Cisco Switches, BPDU Protection on
Juniper Switches.
All unused ports shall be shut by default.
22. Multicast Brute Force
The switch receives a large number of multicast frames in rapid succession.
Frames leak into other VLANs instead of being contained on the original VLAN.
May lead to DoS.
Rare nowadays.
23. Multicast Brute Force Attack - Mitigation
Buy switches with better queue/buffer and memory support.
Upgrade your supervisors (4500X and above, Cisco only).
25. VLAN Hopping
VLAN Hopping refers to emulating a network switch and sending tagged (802.1Q/ISL) frames.
An attacker can also send double-tagged frames on a trunk / access interface.
The first tag is stripped by the switch and the frame is forwarded out the outgoing interface.
Since the frame still carries one more tag, it is forwarded as-is into the next, unintended VLAN.
Tools of Trade: Scapy, Ostinato
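As an added example (not from the original slides), a parser for the 802.1Q tag stack that reproduces the two-step forwarding described above: the first switch pops the outer tag and the next switch sees only the inner one. The frame, MAC addresses and helper names (`build_frame`, `pop_outer_tag`, `simulate_hop`) are constructed for illustration.

```python
"""Walk the 802.1Q tag stack of an Ethernet frame to see why double tagging
hops VLANs. Added example, not from the original slides; the frame below is
constructed inline (outer tag = trunk native VLAN 1, inner tag = VLAN 20)."""
import struct

TPID_8021Q = 0x8100  # EtherType value announcing that an 802.1Q tag follows


def build_frame(dst, src, vlan_ids, ethertype=0x0800, payload=b"\x00" * 46):
    """Construct an Ethernet frame with one 802.1Q tag per VLAN id, outer first."""
    tags = b"".join(struct.pack("!HH", TPID_8021Q, vid & 0x0FFF) for vid in vlan_ids)
    return dst + src + tags + struct.pack("!H", ethertype) + payload


def parse_tags(frame):
    """Return (VLAN ids outer->inner, inner EtherType, payload offset)."""
    offset, vids = 12, []  # skip destination and source MAC
    while offset + 4 <= len(frame) and struct.unpack("!H", frame[offset:offset + 2])[0] == TPID_8021Q:
        tci = struct.unpack("!H", frame[offset + 2:offset + 4])[0]
        vids.append(tci & 0x0FFF)  # the low 12 bits of the TCI carry the VLAN id
        offset += 4
    ethertype = struct.unpack("!H", frame[offset:offset + 2])[0]
    return vids, ethertype, offset + 2


def pop_outer_tag(frame):
    """Model a trunk forwarding a frame on its native VLAN: exactly one tag is removed."""
    return frame[:12] + frame[16:] if parse_tags(frame)[0] else frame


def is_double_tagged(frame):
    """Detection hook: a frame arriving from a host with more than one tag is suspect."""
    return len(parse_tags(frame)[0]) > 1


def simulate_hop(frame):
    """VLAN ids seen by the first switch, and by the next switch after the outer tag is popped."""
    first = parse_tags(frame)[0]
    second = parse_tags(pop_outer_tag(frame))[0]
    return first, second


# Constructed sample frame: broadcast destination, locally administered source MAC
DST = bytes.fromhex("ffffffffffff")
SRC = bytes.fromhex("020000000001")
DOUBLE_TAGGED = build_frame(DST, SRC, [1, 20])
```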
26. VLAN Hopping Attack - Mitigation
Disable DTP
Hardcode everything.
Unused ports shall be configured as access (untagged) ports.
Native VLAN segregation.
Management VLAN segregation.
Don’t use VLAN 1 for *anything*.
27. PVLAN Attacks
Community ports can communicate among themselves and with promiscuous ports.
This logic can be bypassed using a proxy server or a Layer 3 device on a promiscuous port.
The L3 device rewrites the destination MAC on the frame and then sends the frame back.
A unidirectional attack can be leveraged into a bidirectional one by compromising hosts.
Tools of Trade: Scapy / Ostinato
29. Bonus: SNMP Snarfing
Simple Network Management Protocol (SNMP) is used to monitor and manage devices.
Vendor agnostic; has 3 versions, of which versions 1 and 2 are the most commonly used.
Plain text authentication.
Community strings can be brute-forced, fuzzed and hacked.
Wreak havoc using the read/write community.
Tools of Trade: Ettercap, dsniff.
30. SNMP Snarfing - Mitigation
Use SNMPv3 *only*; don't run it in backwards-compatible mode.
Don't use community strings with write access.
Be SNMP aware; don't let it become "Security is Not My Problem".
31. Switch Configuration Review
What to look for in a sample switch configuration dump.
Best practices.
Looking at the big picture.
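As an added example tied to this slide and to the mitigation slides on CDP, VTP, DTP, BPDU guard, VLAN 1 and SNMP (not part of the original deck), a Python check that reads a Cisco IOS running-config excerpt and lists which of those recommendations it violates. The config text, interface names and community string are constructed; the IOS commands themselves are the standard ones.

```python
"""Review a Cisco IOS running-config excerpt against the Layer 2 hardening points in
these slides. Added example, not from the original deck; the config is constructed."""

SAMPLE_CONFIG = """\
vtp mode server
snmp-server community private RW
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 switchport port-security
 spanning-tree bpduguard enable
interface GigabitEthernet1/0/3
 switchport mode dynamic desirable
"""

# Global commands that should be present, and what their absence means.
GLOBAL_REQUIRED = {"no cdp run": "CDP still enabled", "vtp mode transparent": "VTP not in transparent mode"}
# Per-port commands every live access port should carry (hardcode everything).
ACCESS_REQUIRED = {"switchport mode access": "mode not hardcoded (DTP can negotiate a trunk)",
                   "switchport nonegotiate": "DTP not disabled",
                   "switchport port-security": "port security not enabled",
                   "spanning-tree bpduguard enable": "BPDU guard not enabled"}


def parse_config(text):
    """Split a running-config into (global_lines, {interface: [its indented lines]})."""
    globals_, ifaces, current = [], {}, None
    for line in text.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            ifaces[current] = []
        elif line.startswith(" ") and current is not None:
            ifaces[current].append(line.strip())
        elif line not in ("", "!"):
            current = None
            globals_.append(line)
    return globals_, ifaces


def review_config(text):
    """Return one finding string per violated recommendation; an empty list means clean."""
    globals_, ifaces = parse_config(text)
    findings = [f"global: {why}" for cmd, why in GLOBAL_REQUIRED.items() if cmd not in globals_]
    findings += [f"global: SNMP community '{g.split()[2]}' has write access"
                 for g in globals_ if g.startswith("snmp-server community ") and g.split()[-1] == "RW"]
    for name, lines in ifaces.items():
        if "shutdown" in lines or "switchport mode trunk" in lines:
            continue  # shut ports are fine; trunk-side checks are out of scope here
        findings += [f"{name}: {why}" for cmd, why in ACCESS_REQUIRED.items() if cmd not in lines]
        vlan = next((l.split()[-1] for l in lines if l.startswith("switchport access vlan ")), "1")
        if vlan == "1":  # no explicit access VLAN means the IOS default, VLAN 1
            findings.append(f"{name}: access VLAN is 1 (the default); move it off VLAN 1")
    return findings
```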
32. Conclusion
Ensure switches are managed in a secure manner.
Hardcode everything.
Ensure there is a change management process for any network and security changes.
Disable protocols which are not in use (CDP/VTP).
All unused ports should be shut by default.
Use Port-Security.
Use Root Guard/BPDU guard.
Be careful about SNMP community strings.