2. Why bring up this old topic?
Best practices are still being ignored.
Compromise on layer 2 == Game Over
ZaCon is the perfect place to rekindle awareness
ZaCon 2009
3. Means to an end
Getting the upper hand
-STP trickery
-DTP/VTP trickery
-CAM table and DHCP abuse
-ARP poisoning
Using the tactical advantage
-Passive sniffing
-DNS spoofing
-MiTM
4. STP
Avoiding topology loops
Single ROOT device in a topology
BPDUs
By sending crafted BPDUs an attacker can become the root bridge
9. DTP/VTP attack mitigation
Disable trunk negotiation on user ports
sw1(config)#int Fa0/1
sw1(config-if)#switchport mode access
Explicitly specify allowed VLANs on a trunk
sw1(config)#int Fa0/1
sw1(config-if)#switchport mode trunk
sw1(config-if)#switchport trunk allowed vlan 3,5-7,11
Disable VTP (or at least set a domain password!)
sw1(config)#vtp mode transparent
or
sw1(config)#vtp password T0P53KR3T
10. CAM flood & DHCP attacks
CAM tables contain MAC-to-port mappings
Switch without CAM table == HUB
Fail close vs Fail open
DHCP starvation (DoS)
11. CAM flood and DHCP starvation mitigation
Port security
-Static MAC addresses where possible
sw1(config)#int Fa0/1
sw1(config-if)#switchport mode access
sw1(config-if)#switchport port-security
sw1(config-if)#switchport port-security mac-address 000d.60ce.3c00
-Limit number of dynamic MAC addresses per port
sw1(config)#int Fa0/1
sw1(config-if)#switchport port-security maximum 1
sw1(config-if)#switchport port-security violation { protect | restrict | shutdown }
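The CAM flooding problem from the previous slide and the port-security counter-measure above, as an added toy model (not part of the talk and not real switch code): a learning switch with a bounded CAM table, a fail-open or fail-close policy once the table is full, and an optional per-port MAC limit in shutdown mode. The fail-open/fail-close semantics, the table size and the port numbers are assumptions of the model; the two MAC addresses are the ones shown on the slides.

```python
# Constructed model of CAM exhaustion and port-security (no aging timers, no VLANs).

FLOOD = "flood"  # sent out every port except ingress, i.e. the switch acts as a hub

class Switch:
    def __init__(self, capacity, fail_open=True, max_per_port=None):
        self.capacity = capacity          # CAM table size (assumed small)
        self.fail_open = fail_open        # policy when the table is full
        self.max_per_port = max_per_port  # 'switchport port-security maximum N'
        self.cam = {}                     # mac -> port
        self.errdisabled = set()          # ports shut down by a violation

    def forward(self, ingress, src, dst):
        """Return the egress port for a frame, FLOOD, or 'drop'."""
        if ingress in self.errdisabled:
            return "drop"
        if src not in self.cam:
            on_port = sum(1 for p in self.cam.values() if p == ingress)
            if self.max_per_port is not None and on_port >= self.max_per_port:
                self.errdisabled.add(ingress)   # violation mode 'shutdown'
                return "drop"
            if len(self.cam) < self.capacity:
                self.cam[src] = ingress         # normal MAC learning
            elif not self.fail_open:
                return "drop"                   # fail-close: unknown source refused
        if dst in self.cam:
            return self.cam[dst]                # known destination: unicast
        if len(self.cam) >= self.capacity and not self.fail_open:
            return "drop"                       # fail-close: no hub fallback
        return FLOOD                            # unknown destination: flood

def simulate(fail_open, max_per_port=None):
    """Attacker on port 3 fills the table with bogus sources, then the server
    (port 2) sends a frame to the victim (port 1). Returns where it went."""
    sw = Switch(capacity=4, fail_open=fail_open, max_per_port=max_per_port)
    victim, server = "000d.60ce.3c00", "0023.1206.a634"   # MACs from the slides
    for i in range(10):                       # constructed bogus source addresses
        sw.forward(3, f"dead.beef.{i:04x}", "ffff.ffff.ffff")
    sw.forward(1, victim, server)             # victim tries to get learned
    return sw.forward(2, server, victim)      # FLOOD means the attacker sees it

if __name__ == "__main__":
    print("fail-open, no port-security :", simulate(True))      # flood
    print("fail-close, no port-security:", simulate(False))     # drop
    print("port-security maximum 1     :", simulate(True, 1))   # 1
```

With the per-port limit the attacker's second source address err-disables port 3, the table never fills, and the server-to-victim frame leaves only on port 1.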
12. Rogue DHCP
Very effective following a DHCP starvation
Guess what gateway/DNS info an attacker would supply :)
16. Dynamic ARP inspection
Verifies IP-to-MAC bindings
Requires a trusted database of such bindings
-DHCP (with snooping enabled)
sw1(config)#ip dhcp snooping
sw1(config)#ip dhcp snooping vlan 2,3
sw1(config)#ip arp inspection vlan 2,3
-Static ACLs
sw1(config)#arp access-list laptop-todor
sw1(config-arp-nacl)#permit ip host 192.168.0.164 mac host 0023.1206.a634
sw1(config-arp-nacl)#exit
sw1(config)#ip arp inspection filter laptop-todor vlan 2
17. Things to keep in mind
Virtual environments
Zombie computers
802.11 networks (public or otherwise)
18. Using the tactical advantage
Sniffing traffic
-Ridiculous amounts of unencrypted data are still seen on the network
-Information gathering is more than just getting auth credentials
-dsniff, Wireshark, tcpdump etc. etc. etc.
DNS spoofing
-Technically an MiTM attack
-DNSSEC does not address client <-> cache security