ECE4112 Internetwork Security

Lab: Network Devices Security

Group Number: ______
Member Names: ______

Authored By: Krunal Shah, Kulin Shah

Date Assigned:

Date Due:

Please read the entire lab and any extra materials carefully before starting. Be sure to start early enough so that you will have time to complete the lab. Answer ALL questions in the Answer Sheet and be sure you turn in ALL materials listed in the Turn-in Checklist on or before the Date Due.

Goal: This lab introduces you to the security of network devices. You will learn about vulnerabilities that exist on these devices, the backbone and lifeline of the internet, which can be exploited with little effort, and about countermeasures a system administrator can take to reduce the risk of their compromise.

Background: The lab gives you hands-on experience in breaking into routers and switches. This matters for a security expert because whenever an attacker targets a network or subnetwork, the first thing to get past is the default gateway of the network (or the default router, in the case of a subnetwork), which is the entry point. If properly secured, it acts as an extra barricade that must be overcome before getting in. However, most system administrators are unaware of the vulnerabilities that exist, which makes these devices the Achilles' heel of networks in terms of security.

Summary: In the first section we will learn how to gain administrative privileges assuming physical access, and in the second, how to obtain them through remote access. In the third section we will implement a CAM overflow of switch MAC address tables. The fourth section describes a PVLAN setup and exploit on a switch, while the last section deals with a vulnerability which is on by default on switches.

Pre-lab Questions:

Q > In which format are the Cisco router and switch passwords stored?

Q > Which operating systems do Cisco routers and switches use?

Section 1: Physical access compromise

Lab Scenario: In this section of the lab you will try to gain administrative privileges on the router and switch. Once this is achieved it is possible to modify and manipulate the configuration settings. For the router, you could modify or erase the routing table or simply bring all the interfaces down; for a switch, you could modify the MAC address tables or reconfigure VLANs to create havoc in the network. We will use the virtual XP machine and one Cisco router and switch on the playstation to carry out the attack.

For this attack we assume that the attacker has physical access to the router but does not know the passwords for administrative privileges. You will need a terminal emulator, which will be the interface between you (the attacker) and the console port of the router and switch.

1.1 Configuring HyperTerminal

Windows HyperTerminal is an example of a terminal emulator. Terminals are typically synonymous with a command-line shell or text terminal. A terminal window gives the user access to a text terminal and all its applications, such as command-line interfaces (CLI) and text user interface applications. These may be running either on the same machine or on a different one via telnet, ssh, or dial-up.

On your Windows XP machine

1). Click on Programs

2). Click on Accessories

3). Select HyperTerminal if available.

If it does not appear on the list of accessory programs then

1). Click on Control panel

2). Click on My Computer

3). Click on Install/Remove Programs

4). Click on Windows settings

5). Click on Communications

6). Select HyperTerminal and click Apply or OK at the bottom

Enter personal information such as area code and phone number; this will give a window that replicates Figure 1. Select any name for the connection, select an icon, and then click OK. In the 'Connect To' window, change the field 'Connect using' to COM1 or the lowest available COM port on the computer. Click OK. Configure the settings as shown below. [9]

1) Set "Bits per second" to 9600.

2) Set "Data Bits" to 8.

3) Set "Stop Bits" to 1.

4) Set "Flow control" to none.

Click OK and ensure that the status shown in the lower left says Connected. Once this is done, ask the TA for the console cable; connect one end to the console port of the router and the other end to the COM port of your machine. Now press Enter a few times. You should get a prompt from the router. Once you receive this prompt, HyperTerminal is working.

Figure1. [10]

1.2 Logging into the router

Now, using the power switch, turn the router off and then on. Send a break signal to the router within 60 seconds of power-up. This will put the router into ROM monitor (ROMMON) mode. The break sequence depends on your terminal emulation program; for HyperTerminal it is CTRL-BREAK.

Q 1.1 > What is the break signal for the Minicom terminal emulator?

  1. Now you should see the ROMMON prompt.

Rommon>
*** System received an abort due to Break Key ***
signal= 0x3, code= 0x500, context= 0x813ac158
PC = 0x802d0b60, Vector = 0x500, SP = 0x80006030
rommon 1 > confreg 0x2142
You must reset or power cycle for new config to take effect
rommon 2 > reset
System Bootstrap, Version 11.3(2)XA4, RELEASE SOFTWARE (fc1)
Copyright (c) 1999 by cisco Systems, Inc.
TAC:Home:SW:IOS:Specials for info
C2600 platform with 32768 Kbytes of main memory
program load complete, entry point: 0x80008000, size: 0x6fdb4c
Self decompressing the image : ###############################
##############################################################
##############################################################
##############################################################
############################### [OK]

Figure2.

  2. Type confreg 0x2142 and press ENTER. This will set the router to boot ignoring the configuration stored in NVRAM. Then type reset and press ENTER to reboot. When the router boots, it will display the following: [7]

--- System Configuration Dialog ---

  3. Skip the initial setup procedure by pressing CTRL-C.
  4. When the Router> prompt appears, type enable and press ENTER. Copy the NVRAM config file into RAM with copy start run or conf mem. Then enter configuration mode (conf t).
  5. Whoa!!! Now you can change the password to whatever you want—for example, the enable password using the enable secret <password> command.
  6. Change the configuration register back with the config-register 0x2102 command. Leave configuration mode (CTRL-Z). Save the changes with copy run start or write mem. Reboot the router.

1.3 Hacking into the switch

For the 3550 series Catalyst switches: [9]

Plug in the console cable. Set your terminal emulation program as follows:

  1. Bits per second (baud): 9600
  2. Data bits: 8
  3. Parity: None
  4. Stop bits: 1

Now carefully follow the procedure below:

  1. Flow control: Xon/Xoff
  2. Apply flow control.
  3. Unplug the power cord.
  4. Hold down the Mode button on the left side of the front panel of the switch while plugging in the power cable.
  5. Release the Mode button after the LED above Port 1x goes out.
  6. Send the break sequence to the switch within 15 seconds of the reboot. Initialize Flash with the flash_init command.
  7. Follow it with the load_helper command.
  8. Type dir flash: to view the file system and see what the configuration file is called.
  9. Rename the configuration file—for example: rename flash:config.text flash:config.bak.
  10. Issue the boot command to reboot the switch.
  11. When the Continue with configuration dialog? [yes/no]: prompt is displayed, answer No.
  12. Enter the enable command at the switch prompt. Rename the configuration file back to its original name using the rename flash:config.bak flash:config.text command.
  13. Copy the initial configuration back to RAM: copy flash:config.text system:running-config. Now you have a normal switch configuration and the enable prompt. You can easily modify the config—for example:

     Switch#conf t
     Switch(config)#no enable secret
     Switch(config)#enable secret <youareowned>

  14. Issue the write mem command to save the modified configuration file.

Q 1.2 > Does the same switch hacking process hold true for all different Cisco switches?

Q 1.3 > What are the measures a network admin can take against this type of breach in security?

Section 2: Remote access

In this section we will try to modify the ACLs of an enterprise's edge router by gaining remote access to the Cisco router. This is done by exploiting an HTTP authentication vulnerability. In the real world, the first step for you will be to find out the website of the target.

2.1 Getting IP address of the target router:

In the above figure we have got the IP address. Similarly, you can get the IP address of your target by using the internet databases. After finding the IP address, we will find the edge router of the enterprise by using the traceroute command.

In the lab, however, we will use the 138.210.231.0 network as the target, so we will trace the route to it by typing

traceroute 138.210.231.44

on your RedHat WS4 host.

This command shows the entire path from your host to the enterprise network. The last hop in the traceroute output corresponds to the edge router. Our aim is to gain access to this edge device.

2.2 Vulnerability scanner:

We use the vulnerability scanner "nmap" to find the operating system running on the edge router and the ports open on it.

nmap -O -sT <Router IP address>

Here the -O option is used to find the operating system of the target and the -sT option (a TCP connect scan) lists the open ports.

If the OS detected by nmap is Cisco IOS, the target is a Cisco router. Now, if port 80 is among the open ports, the HTTP authentication vulnerability can be exploited.

Q 2.1> What are other ways through which you can determine the IOS version of the router?

Vulnerability scanners typically do a great job of identifying known vulnerabilities, but they often miss significant configuration errors. In fact, poor system administration leads to the compromise of more routers than software bugs do. Correspondingly, a vulnerability scanner may report that everything is fine when there are actually a couple of different avenues a hacker could take in assessing the router [5].

A vulnerability that affects most Cisco routers is the HTTP Configuration Arbitrary Administrative Access Vulnerability. This particular vulnerability should be found by all vulnerability scanners and is trivial to exploit. It often yields full remote administrative control of the affected router.

Open a browser on your local host, type the IP address of your target router in the address field and press Enter. A window will pop up asking for a username and password; click Cancel. After clicking Cancel, enter the following URL in the address bar:

http://<IP address>/level/$NUMBER/exec/show/config

where $NUMBER is an integer between 16 and 99. With such a URL it is possible for a remote user to gain full administrative access.

That will take you to the startup configuration of the router.
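From the defender's side, requests of this shape are easy to recognise. The following added example (not part of the lab materials) flags the /level/N/exec form with N in 16..99 in constructed Common Log Format lines, as a proxy or IDS in front of the router might record them.

```python
import re

# Privilege levels 0..15 are the legitimate IOS levels; the bypass described
# above uses a level of 16..99 in the URL path.
BYPASS_PATH = re.compile(r"/level/(\d{1,3})/exec(?:/|$)")

def is_bypass_attempt(path):
    """True when the URL path has the /level/N/exec form with N in 16..99."""
    m = BYPASS_PATH.search(path)
    if not m:
        return False
    return 16 <= int(m.group(1)) <= 99

def find_bypass_attempts(log_lines):
    """Scan Common Log Format lines; return (client_ip, path) per suspicious request."""
    hits = []
    for line in log_lines:
        parts = line.split('"')          # CLF quotes the request line
        if len(parts) < 3:
            continue                     # not a well-formed log line
        client_ip = line.split(" ", 1)[0]
        request = parts[1].split(" ")    # METHOD PATH PROTOCOL
        if len(request) < 2:
            continue
        if is_bypass_attempt(request[1]):
            hits.append((client_ip, request[1]))
    return hits

# Constructed sample log lines (addresses and timestamps are invented).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2000:10:00:00 +0000] "GET /level/15/exec/show/config HTTP/1.0" 401 0',
    '10.0.0.5 - - [01/Jan/2000:10:00:01 +0000] "GET /level/16/exec/show/config HTTP/1.0" 200 1234',
    '10.0.0.9 - - [01/Jan/2000:10:00:02 +0000] "GET /level/99/exec/-/show/running HTTP/1.0" 200 900',
    '10.0.0.7 - - [01/Jan/2000:10:00:03 +0000] "GET /index.html HTTP/1.0" 200 512',
]

if __name__ == "__main__":
    for ip, path in find_bypass_attempts(SAMPLE_LOG):
        print("suspicious request from %s: %s" % (ip, path))
```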

2.3 Cracking the password:

Now you can see the router configuration and the password of the administrator, but it is in encrypted format. There are three methods Cisco IOS uses to represent a password in a router config file [5]. They are:

  • Clear Text
  • Vigenere
  • MD5

Configuration line                                  Format
enable password password                            Clear Text
enable password 7 104B0718071B17                    Vigenere
enable secret 5 $1$yOMG$38ZIcsEmMaIjsCyQM6hya0      MD5

The MD5 form is set using the command "enable secret 0 password". If the password is in clear text, the field after password is the password itself; for Vigenere, the tool "GetPass" easily recovers the clear-text password from the encoded form. MD5, however, is an irreversible technique and hence the most secure option [5].
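The three storage formats above can be audited directly from a saved configuration. The following added example (not part of the lab materials) classifies each credential line in a constructed sample config and lists the ones that are not MD5; the regular expression only covers the enable, username and line password forms used in this section.

```python
import re

# Credential lines in an IOS config: "enable password|secret", "username X password|secret"
# and the bare " password" under a line stanza. Type 0 or no type = clear text,
# type 7 = Vigenere-style reversible encoding, type 5 = salted MD5 ("$1$...").
PASSWORD_LINE = re.compile(
    r"^\s*(?:enable\s+|username\s+\S+\s+)?(?:password|secret)\s+"
    r"(?:(?P<type>[057])\s+)?(?P<value>\S+)\s*$"
)

def classify_password_line(line):
    """Return ('clear' | 'vigenere' | 'md5', stored_value), or None for other lines."""
    m = PASSWORD_LINE.match(line)
    if not m:
        return None
    ptype, value = m.group("type"), m.group("value")
    if ptype == "7":
        return ("vigenere", value)
    # "enable secret 0 x" typed at the CLI is stored as type 5, so a saved config
    # shows secrets as type 5; an untyped "$1$" value is treated as MD5 as well.
    if ptype == "5" or (ptype is None and value.startswith("$1$")):
        return ("md5", value)
    return ("clear", value)

def audit_config(config_text):
    """Return (findings, weak): every credential line as (line_no, kind) and the
    subset an administrator should replace with an MD5 secret."""
    findings = []
    for no, line in enumerate(config_text.splitlines(), 1):
        c = classify_password_line(line)
        if c is not None:
            findings.append((no, c[0]))
    weak = [f for f in findings if f[1] != "md5"]
    return findings, weak

# Constructed sample configuration; all values are invented.
SAMPLE_CONFIG = """\
hostname edge-router
enable secret 5 $1$abcd$0123456789abcdefghijklm
enable password 7 0123456789ABCDEF
username admin password 0 letmein
username ops secret 5 $1$wxyz$zyxwvutsrqponmlkjihgfedc
line vty 0 4
 password cisco
"""

if __name__ == "__main__":
    for no, kind in audit_config(SAMPLE_CONFIG)[1]:
        print("line %d: %s password storage, replace with an MD5 secret" % (no, kind))
```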

The first thing we'll do is attempt to "crack" the enable password. It is represented in the form of an MD5 hash, which is said to be uncrackable. We're not going to attempt to decrypt the password, as this is not possible. Instead, we'll run a dictionary attack against it. In much the same way as John the Ripper plows through an /etc/shadow file, the very popular tool Cain and Abel is capable of conducting both brute-force and dictionary attacks on Cisco MD5 hashes. This tool is described as the Swiss Army Knife of cracking tools [5].

Q2.2> What are the other uses of Cain & Abel?

Mount the NAS using the command

mount /mnt/nas4112

When prompted for a password use "secure_class", then download the lab folder from the NAS.

Copy the Cain & Abel executable file to your XP virtual machine and install it.

To install:

1) Download and install Cain & Abel from

2) Install software and WinPcap packet capture driver

3) Reboot computer.

4) Download and install Ethereal from

5) Reboot computer.

Q2.3> How can the HTTP Authentication Vulnerability be overcome?

Section 3: Macof attack

This attack is based on Content Addressable Memory (CAM) overflow. The CAM table contains information such as the MAC addresses available on physical ports with their associated VLAN parameters [6]. As CAM is very expensive, switches have a limited amount of it, so CAM tables are of fixed size.

Figure4 [6]

We are aiming to flood the CAM of the switches in order to listen to the traffic between hosts not directly connected to us. First the host executes the macof attack and tries to flood the CAM of both switches. Once that is done, any subsequent data packet is broadcast across all ports on the switch.

Figure5 [6]

Now, since the switch has no learned entry because of the CAM flooding, the packet is broadcast and the attacker can listen to the data being transmitted across the local network.
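The mechanism above, as an added simulation (not from the dsniff sources): a fixed-size CAM table is filled with random source MACs arriving on an attacker's port, after which a unicast frame between two legitimate hosts can no longer be forwarded to a single port; the optional per-port address limit shows how a port-security style cap contains the flood. MAC addresses and table sizes are constructed.

```python
import random
from collections import OrderedDict

MAC_A, MAC_B = "00:11:22:33:44:01", "00:11:22:33:44:02"   # constructed host MACs
BROADCAST = "ff:ff:ff:ff:ff:ff"

class CamTable:
    """Switch forwarding table with a fixed number of MAC -> port entries.

    A frame whose destination MAC is not in the table is flooded out every port.
    max_macs_per_port models a port-security style limit on learned addresses.
    """
    def __init__(self, capacity, max_macs_per_port=None):
        self.capacity = capacity
        self.max_macs_per_port = max_macs_per_port
        self.entries = OrderedDict()

    def macs_on(self, port):
        return sum(1 for p in self.entries.values() if p == port)

    def learn(self, src_mac, port):
        """Learn src_mac on port; False when refused (port limit hit or table full)."""
        if src_mac in self.entries:
            return True
        if self.max_macs_per_port is not None and self.macs_on(port) >= self.max_macs_per_port:
            return False
        if len(self.entries) >= self.capacity:
            return False                 # CAM overflow: nothing new can be learned
        self.entries[src_mac] = port
        return True

    def forward(self, src_mac, dst_mac, in_port):
        """Return the egress port for a frame, or "FLOOD" when dst_mac is unknown."""
        self.learn(src_mac, in_port)
        return self.entries.get(dst_mac, "FLOOD")

def simulate(capacity=1000, flood_frames=5000, max_macs_per_port=None, seed=1):
    """Attacker on port 3 floods random source MACs; then host B (port 2) sends a
    broadcast and host A (port 1) sends B a unicast frame. Returns the port that
    unicast goes to, or "FLOOD". Legitimate entries age out in a real switch, so
    the hosts are learned only after the flood, into an already-full table."""
    rnd = random.Random(seed)
    cam = CamTable(capacity, max_macs_per_port)
    for _ in range(flood_frames):        # one random source MAC per frame, as macof does
        fake = "02:00:" + ":".join("%02x" % rnd.randrange(256) for _ in range(4))
        cam.forward(fake, BROADCAST, 3)
    cam.forward(MAC_B, BROADCAST, 2)     # switch tries to learn B on port 2
    return cam.forward(MAC_A, MAC_B, 1)  # A -> B unicast

if __name__ == "__main__":
    print("no limit:      A->B goes to", simulate())
    print("2 MACs/port:   A->B goes to", simulate(max_macs_per_port=2))
```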

In this section we use the Macof tool. Macof can generate 155,000 MAC entries on a switch per minute; it took approximately 70 seconds to fill the CAM table [6]. To carry out this attack, copy the dsniff folder from the lab folder to the root folder.

Install the tools by typing:

#tar zxvf libnet-1.0.2a.tar.gz
#cd Libnet-1.0.2a
#./configure && make && make install
#cd ..
#tar zxvf libnids-1.16.tar.gz
#cd libnids-1.16
#./configure && make && make install
#cd ..
#tar zxvf dsniff-2.3.tar.gz
#cd dsniff-2.3
#./configure && make
#make install

Ignore the generated errors. Although some of the dsniff files will not compile under Red Hat 7.2, the programs we will use will.

Now go to the dsniff-2.3 folder and have a look at the file macof.c.

Compile the file using gcc -o macof macof.c

Run the file by typing

./macof

For insight, the switch MAC table before the attack is shown below:

Figure6 [6]

After executing the macof attack on one of the local hosts, the MAC table of the same switch is shown below:

Figure7 [6]

Q 3.1> Suggest some countermeasures against the macof attack.

Section 4: DTP attack

4.1 What is DTP? [11]

Dynamic Trunking Protocol (DTP), a Cisco proprietary protocol in the VLAN group, is used for negotiating trunking on a link between two devices and for negotiating the type of trunking encapsulation (802.1Q) to be used. DTP negotiates what is called a common trunking mode between ports on two interconnected switches and needs only a simple initial one-time configuration by a network administrator. A trunking mode on Cisco Catalyst switches can be:

  • On, or permanent trunking mode: The choice between 802.1q and ISL has to be entered manually.
  • Off, or permanent nontrunking mode: No trunk creation is possible.
  • Desirable: Trunk creation is wanted; if the other end is configured to on, desirable, or auto mode, a trunk link will be established. Unlike the on mode, the choice between 802.1q and ISL is negotiated automatically.
  • Auto, also called negotiate: Trunking will be successfully negotiated if the other end is configured to on or desirable mode.
  • Nonnegotiate: This mode is used when the other end doesn't speak DTP, since in nonnegotiate mode DTP frames are not sent. The other end should be manually configured for trunking (on or nonnegotiate mode).

By default, trunk ports have access to all VLANs, and this presents a security issue. If an attacker can turn a port into a trunk (by default, all switch ports are nontrunking), then all the VLANs are belong to him.
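To make the negotiation rules above concrete, the following added Python model (not part of the lab or of Yersinia) works out which end of a link trunks for each pair of modes, and which switch-port modes a DTP-speaking host can talk into trunking. The rules are taken from the mode descriptions above; the "desirable" peer stands for a host that sends DTP frames itself.

```python
# Trunking modes as listed above; "nonegotiate" sends no DTP frames at all.
MODES = ("on", "off", "desirable", "auto", "nonegotiate")

def port_trunks(local, remote):
    """Does the local port end up trunking, given the mode the far end is in?

    'on' and 'nonegotiate' trunk unconditionally, 'off' never trunks,
    'desirable' trunks if the peer is on/desirable/auto, and 'auto' only if the
    peer actively asks (on or desirable). A 'nonegotiate' peer sends no DTP, so
    a desirable/auto port never hears from it and stays nontrunking.
    """
    if local in ("on", "nonegotiate"):
        return True
    if local == "off":
        return False
    if local == "desirable":
        return remote in ("on", "desirable", "auto")
    if local == "auto":
        return remote in ("on", "desirable")
    raise ValueError("unknown mode %r" % local)

def link_state(side_a, side_b):
    """'trunk' when both ends trunk, 'access' when neither does, else 'mismatch'."""
    a, b = port_trunks(side_a, side_b), port_trunks(side_b, side_a)
    if a and b:
        return "trunk"
    if not a and not b:
        return "access"
    return "mismatch"

def opened_by_dtp_host(switch_port_mode):
    """True when a host that sends DTP frames (claiming 'desirable') turns a port
    that would otherwise be nontrunking into a trunk, i.e. the attack above works."""
    without_dtp = port_trunks(switch_port_mode, "off")
    with_dtp = port_trunks(switch_port_mode, "desirable")
    return with_dtp and not without_dtp

def negotiable_modes():
    """Port modes on which the DTP host attack changes the outcome."""
    return [m for m in MODES if opened_by_dtp_host(m)]

if __name__ == "__main__":
    for a in MODES:
        print(a.ljust(12), " ".join("%s=%s" % (b, link_state(a, b)) for b in MODES))
    print("modes a DTP-speaking host can open:", negotiable_modes())
```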

4.2 Downloading the tool to carry out attack

  1. Mount the NAS and move into the lab directory.
  2. Copy yersenia-0.5.6.tar.gz into your home directory.
  3. Untar the file using the tar -zxvf command.
  4. Move into the yersenia directory.
  5. Run ./configure
  6. Run make
  7. Run make install

4.3 Carry out the attack [7]

This attack is implemented using Yersinia: set the interface you want to use and its parameters, then execute the attack using run dtp attack.

4.4 Observe the attack

yersinia# show attacks
No. Protocol Attack
------
0   DTP      enabling trunking

Figure8.

Watch the DTP frames being sent every 30 seconds.

That's it! You may have succeeded in opening a trunk link. Start sniffing the passing traffic to verify the success of your attack.

Q 4.1> What is the countermeasure against this form of attack?

Section 5: PVLAN attack

PVLANs [12] are a brand new concept used in a switch. Basically, each port is configured as PROTECTED: within a single switch, if you want isolation you would normally need multiple IP addresses to put hosts in different VLANs, but with PVLANs you can isolate ports without the use of multiple IPs. The 3550 Catalyst currently in our lab does not support this feature, but others such as the 3560 and 3750 Catalyst do.