SlideShare una empresa de Scribd logo

Introduction to layer 2 attacks & mitigation

Rishabh Dangwal
Rishabh Dangwal

An Introduction to layer 2 attacks & mitigation

Tecnología
1 de 34
An Introduction to Layer 2 Attacks & Mitigation Rishabh Dangwal www.TheProhack.com | Twitter @prohack
Agenda  Layer 2 Security - The What, Why and What Now ?  Switching Basics  Quick Knowledge Check  The Attacks & their mitigation.  ARP based  Cisco Specific  STP & VLAN Attacks  Switch Configuration Review – What to look  Question Answer session.
Layer 2 Security The What, Why and What Now ?  OSI is a layered model and if one layer gets hacked, all layers are compromised.  Layer 2 Attacks are still very much relevant today.  Poorly configured Network environments.  Information gap between Network and Security Personnel (refer next slide).  Different architectures , same protocols; henceforth same weaknesses.  Security is only as strong as your weakest link.
Switching Basics  What is a Switch exactly ?  How does it function ?  VLAN basics.  Tagged and Untagged ports (also called as edge/access and Trunk ports).  Spanning Tree Basics.  Layer 3 Switching ?  More Layer 2 Switching Vendor specific technologies.
Quick Knowledge Check Kind questions to ask to your Network & Security Admins 1. How do they handle Network Security issues? 2. Is their network segmented by VLANs ? 3. Are their networked VLANs secure by design ? 4. What is the process of IP Segment allocation ? 5. Is there a formal Change Process in place ?
Flooding & Spoofing Attacks Attacks which utilize either flooding or resource starvation  ARP Poisoning  DHCP Starvation  CAM Table overflow
ARP Attacks  ARP Poisoning : can be easily carried out.  Stateless protocol.  NO inbuilt authentication  Limited to local network segments.  Can be escalated/exploited to MITM , SSH Interception , DOS, session hijacking attacks.  Tools of Trade : Ettercap, Cain & Abel , Dsniff
DHCP Starvation  DHCP Scope exhaustion by installing a rogue DHCP server.  Spoofed MAC requests broadcast/flood network.  Resource starvation occurs which may make a rogue server more effective.  Tools of Trade : Yersinia
CAM Table Overflow  Content Addressable Memory (CAM) is used in highly efficient search based environments.  Cisco switches use CAM to make MAC & interface mapping tables.  One can flood MAC in network which can fill CAM & thereby make a switch act like a hub.  Tools of Trade : Dsniff, Ettercap, Cain & Abel and more..
Flooding & Spoofing Attacks − Mitigation  Ensure Port Security is enabled (static ARP entries)  Enable Port Security  Enable DHCP Snooping.  Question Network admin on requirement of PARP / GARP if present in configuration.  Dynamic Arp Inspection .
Cisco Specific Attacks  CDP attacks − Applicable to Cisco IOS based devices.  VTP attacks − Applicable to Cisco Switches.  DTP Attack − Applicable to Cisco IOS based devices.  HSRP Abuse − Applicable to Cisco IOS based devices.
Cisco − CDP Attacks  Cisco Discovery Protocol (CDP) allows Cisco Devices to communicate with each other.  CDP communicates is unencrypted , unauthenticated & carries a ton of information.  CDP can be exploited to   CDP DOS (Even WLCs are vulnerable)  Overflow / Pollution / Corruption of CDP Cache  Raking up power bills (POE abuse)  Tools to Use : Yersinia
CDP Attacks − Mitigation  Turn CDP Off.  Check with Network guys for any specific requirement of CDP (VOIP phones/Tshoot).  All unused ports shall be shut by default.  BONUS : Different vendors have similar protocols −  Juniper / Huawei LLDP (LLDP Attack Framework)  Brocade FDP  Maipu MDSP
Cisco − VTP Attack  Virtual Trunking Protocol (VTP) is used by Cisco to propagate VLAN information.  VTP uses a versioning system with a client server architecture.  Clients sync their configuration with Server to maintain current VLAN database revision.  Attack involves DOS by sending VTP messages in the network.  Tools of Trade : Yersinia
VTP Attack − Mitigation  Check with admin if VTP is required, if NO, recommend them to configure switches in transparent mode.  If Yes, check if following parameters are configured correctly   VTP password should be there and shall be md5 encrypted (Service Password Encryption)  Non participating switches should be configured in transparent mode.  VTP pruning should be enabled.  All unused ports shall be shut by default.
DTP Attack  Dynamic Trunking Protocol (DTP) negotiates port states between 2 devices.  By default an interface is negotiated to become a Trunk (Tagged) port, hence its name.  One can send RAW DTP packets on Access interface & can make it trunk.  Trunk interface can then be used to escalate/exploit STP/VTP/VLAN based attacks.  Tools of Trade : Yersinia
DTP Attack − Mitigation  Turn of DTP by enabling no more auto-negotiation.  Refer below configuration for access (untagged) port, settings are hardcoded , nothing is auto.  All unused ports shall be shut by default.
HSRP Abuse  Hot Standby Router Protocol (HSRP) is used for achieving HA between Cisco devices.  Functions in Active/Passive mode, UDP 1985.  Uses multicast, by default password configured in plain text.  Attacker can send raw HSRP packet.  Compromise and become Active device with real or spoofed IP.  Tool to use : Yersinia
HSRP Abuse − Mitigation  Use MD5 authentication.  Hardcode everything.
Spanning Tree Attacks  Invented by Dr Radia Perlman, Spanning Tree Protocol (STP) is used for providing a loop free topology for a LAN or bridged network.  An attacker can disrupt STP topology by  Masquerading as a rogue switch.  Introducing a real switch in network.  Spoofing Root Switch  Sending malicious BPDU’s  Claiming roles in topology  Tools of Trade : Yersinia
Spanning Tree Attacks − Mitigation  Enable Root Guard on Cisco Switches, Root Protection on Juniper Switches.  Enable BPDU Guard on Cisco Switches, BPDU Protection on Juniper Switches.  All unused ports shall be shut by default.
Multicast Brute force  Switch receives a number of multicast frames in rapid succession.  Frames to leak into other VLAN instead of containing it on original VLAN.  May lead to DOS.  Rare nowadays.
Multicast Brute Force Attack − Mitigation  Buy switches with better queues/buffer and memory support.  Upgrade your supervisors (4500X and above , Cisco Only).
VLAN Based Attacks • VLAN Hopping − 802.1Q abuse. • PVLAN − Bypassing Layer 2 segregation logic.
VLAN Hopping  VLAN Hopping refers to emulation of a network switch & send frames (802.1Q/ISL).  An attacker can also send double tagged frames on trunk / access interface.  First frame will be stripped by switch and it will forward the frame to outgoing interface.  Since the frame is having one more tag, it will be forwarded as it is to next unintended VLAN.  Tools of Trade : Scapy, Ostinato
VLAN Hopping Attack − Mitigation  Disable DTP  Hardcode everything.  Unused ports shall be configured as access (untagged) ports.  Native VLAN segregation.  Management VLAN segregation.  Don’t use VLAN 1 for *anything*.
PVLAN Attacks  Community ports can communicate between themselves & promiscuous ports.  This logic can be bypassed using a proxy server or a Layer 3 Device on a promiscuous port.  L3 device will overwrite destination mac on frame & then sends frame back.  Unidirectional attack can be leveraged to a bidirectional attack by compromising hosts.  Tools of Trade : Scapy / Ostinato
PVLAN Attacks – Mitigation  Configure ACL on Layer 3 device.
Bonus : SNMP Snarfing  Simple Network Management Protocol (SNMP) is used to monitor and manage devices.  Vendor agonistic , has 3 versions, version 1.0 & version 2.0 most commonly used.  Plain text authentication.  Community strings can be bruteforced , fuzzed & hacked.  Wreak havoc using read write community.  Tools of Trade : Ettercap, dsniff.
SNMP Snarfing – Mitigation  Use SNMPv3 *only*, don’t use it in backwards compatible mode.  Don’t use community strings with write access.  Be SNMP Aware, don’t let it become “Security is Not My Problem”.
Switch Configuration Review  What to look in a sample Switch configuration dump.  Best Practices.  Looking at the big picture.
Conclusion  Ensure Switches are managed in a secured manner.  Hardcode everything.  Ensure there is a Change Management process for any Network and Security Changes.  Disable protocols which are not in use (CDP/VTP).  All unused ports should be shut by default.  Use Port-Security.  Use Root Guard/BPDU guard.  Be careful about SNMP community strings.
Questions? Reach me out at admin@theprohack.com
Thank You!

Recomendados

Common Layer 2 Threats, Attacks & Mitigation
Common Layer 2 Threats, Attacks & MitigationCommon Layer 2 Threats, Attacks & Mitigation
Common Layer 2 Threats, Attacks & MitigationNetProtocol Xpert
 
Network Security - Layer 2
Network Security - Layer 2Network Security - Layer 2
Network Security - Layer 2samis
 
Mitigating Layer2 Attacks
Mitigating Layer2 AttacksMitigating Layer2 Attacks
Mitigating Layer2 Attacksdkaya
 
VLAN Virtual Area Network ,Switch,Ethernet ,VIkram Snehi
VLAN Virtual Area Network ,Switch,Ethernet ,VIkram SnehiVLAN Virtual Area Network ,Switch,Ethernet ,VIkram Snehi
VLAN Virtual Area Network ,Switch,Ethernet ,VIkram SnehiMR. VIKRAM SNEHI
 
Router vs switch
Router vs switchRouter vs switch
Router vs switchIT Tech
 
Vlans and inter vlan routing
Vlans and inter vlan routingVlans and inter vlan routing
Vlans and inter vlan routingMohammedseleim
 
Layer 2 switching
Layer 2 switchingLayer 2 switching
Layer 2 switchingNetProtocol Xpert
 
Fhrp notes
Fhrp notesFhrp notes
Fhrp notesKrunal Shah
 

Recomendados

Common Layer 2 Threats, Attacks & Mitigation
Common Layer 2 Threats, Attacks & MitigationCommon Layer 2 Threats, Attacks & Mitigation
Common Layer 2 Threats, Attacks & MitigationNetProtocol Xpert
 
Network Security - Layer 2
Network Security - Layer 2Network Security - Layer 2
Network Security - Layer 2samis
 
Mitigating Layer2 Attacks
Mitigating Layer2 AttacksMitigating Layer2 Attacks
Mitigating Layer2 Attacksdkaya
 
VLAN Virtual Area Network ,Switch,Ethernet ,VIkram Snehi
VLAN Virtual Area Network ,Switch,Ethernet ,VIkram SnehiVLAN Virtual Area Network ,Switch,Ethernet ,VIkram Snehi
VLAN Virtual Area Network ,Switch,Ethernet ,VIkram SnehiMR. VIKRAM SNEHI
 
Router vs switch
Router vs switchRouter vs switch
Router vs switchIT Tech
 
Vlans and inter vlan routing
Vlans and inter vlan routingVlans and inter vlan routing
Vlans and inter vlan routingMohammedseleim
 
Layer 2 switching
Layer 2 switchingLayer 2 switching
Layer 2 switchingNetProtocol Xpert
 
Fhrp notes
Fhrp notesFhrp notes
Fhrp notesKrunal Shah
 
Networking devices
Networking devicesNetworking devices
Networking devicesfrestoadi
 
Simple Network Management Protocol
Simple Network Management ProtocolSimple Network Management Protocol
Simple Network Management ProtocolPrasenjit Gayen
 
Switch
SwitchSwitch
SwitchGaurav Juneja
 
Port Security
Port SecurityPort Security
Port SecurityNetProtocol Xpert
 
CCNA ppt Day 1
CCNA ppt Day 1CCNA ppt Day 1
CCNA ppt Day 1VISHNU N
 
Cisco Switch Security
Cisco Switch SecurityCisco Switch Security
Cisco Switch Securitydkaya
 
Switches on Networking
Switches on NetworkingSwitches on Networking
Switches on NetworkingGayan Geethanjana
 
Creating a fuzzer for telecom protocol 4G LTE case study
Creating a fuzzer for telecom protocol 4G LTE case studyCreating a fuzzer for telecom protocol 4G LTE case study
Creating a fuzzer for telecom protocol 4G LTE case studyPositiveTechnologies
 
Citrix Netscaler Deployment Guide
Citrix Netscaler Deployment GuideCitrix Netscaler Deployment Guide
Citrix Netscaler Deployment GuideCitrix
 
GLBP (gateway load balancing protocol)
GLBP (gateway load balancing protocol)GLBP (gateway load balancing protocol)
GLBP (gateway load balancing protocol)Netwax Lab
 
CCNA training 101
CCNA training 101CCNA training 101
CCNA training 101Rohan Reddy
 
Aruba WLANs 101 and design fundamentals
Aruba WLANs 101 and design fundamentalsAruba WLANs 101 and design fundamentals
Aruba WLANs 101 and design fundamentalsAruba, a Hewlett Packard Enterprise company
 
a brief overview on link aggregation ieee 802.3ad
a brief overview on link aggregation ieee 802.3ada brief overview on link aggregation ieee 802.3ad
a brief overview on link aggregation ieee 802.3adtanay_7even
 
Firewall presentation
Firewall presentationFirewall presentation
Firewall presentationyogendrasinghchahar
 
SS7 Vulnerabilities
SS7 VulnerabilitiesSS7 Vulnerabilities
SS7 VulnerabilitiesPositiveTechnologies
 
Link Aggregation Control Protocol
Link Aggregation Control ProtocolLink Aggregation Control Protocol
Link Aggregation Control ProtocolKashif Latif
 
Switching and Port Security
Switching and Port Security Switching and Port Security
Switching and Port Securityusman19
 
CCNA Course Training Presentation
CCNA Course Training PresentationCCNA Course Training Presentation
CCNA Course Training PresentationRohit Singh
 
CCNA
CCNACCNA
CCNAAbhishek Parihari
 
Troubleshooting Wireless LANs with Centralized Controllers
Troubleshooting Wireless LANs with Centralized ControllersTroubleshooting Wireless LANs with Centralized Controllers
Troubleshooting Wireless LANs with Centralized ControllersCisco Mobility
 
STP (spanning tree protocol)
STP (spanning tree protocol)STP (spanning tree protocol)
STP (spanning tree protocol)Netwax Lab
 
Lecture 5 - Agent communication
Lecture 5 - Agent communicationLecture 5 - Agent communication
Lecture 5 - Agent communicationAntonio Moreno
 

Más contenido relacionado

La actualidad más candente

Networking devices
Networking devicesNetworking devices
Networking devicesfrestoadi
 
Simple Network Management Protocol
Simple Network Management ProtocolSimple Network Management Protocol
Simple Network Management ProtocolPrasenjit Gayen
 
CCNA ppt Day 1
CCNA ppt Day 1CCNA ppt Day 1
CCNA ppt Day 1VISHNU N
 
Cisco Switch Security
Cisco Switch SecurityCisco Switch Security
Cisco Switch Securitydkaya
 
Creating a fuzzer for telecom protocol 4G LTE case study
Creating a fuzzer for telecom protocol 4G LTE case studyCreating a fuzzer for telecom protocol 4G LTE case study
Creating a fuzzer for telecom protocol 4G LTE case studyPositiveTechnologies
 
Citrix Netscaler Deployment Guide
Citrix Netscaler Deployment GuideCitrix Netscaler Deployment Guide
Citrix Netscaler Deployment GuideCitrix
 
GLBP (gateway load balancing protocol)
GLBP (gateway load balancing protocol)GLBP (gateway load balancing protocol)
GLBP (gateway load balancing protocol)Netwax Lab
 
CCNA training 101
CCNA training 101CCNA training 101
CCNA training 101Rohan Reddy
 
a brief overview on link aggregation ieee 802.3ad
a brief overview on link aggregation ieee 802.3ada brief overview on link aggregation ieee 802.3ad
a brief overview on link aggregation ieee 802.3adtanay_7even
 
Link Aggregation Control Protocol
Link Aggregation Control ProtocolLink Aggregation Control Protocol
Link Aggregation Control ProtocolKashif Latif
 
Switching and Port Security
Switching and Port Security Switching and Port Security
Switching and Port Securityusman19
 
CCNA Course Training Presentation
CCNA Course Training PresentationCCNA Course Training Presentation
CCNA Course Training PresentationRohit Singh
 
Troubleshooting Wireless LANs with Centralized Controllers
Troubleshooting Wireless LANs with Centralized ControllersTroubleshooting Wireless LANs with Centralized Controllers
Troubleshooting Wireless LANs with Centralized ControllersCisco Mobility
 

La actualidad más candente (20)

Networking devices
Networking devicesNetworking devices
Networking devices
 
Simple Network Management Protocol
Simple Network Management ProtocolSimple Network Management Protocol
Simple Network Management Protocol
 
Switch
SwitchSwitch
Switch
 
Port Security
Port SecurityPort Security
Port Security
 
CCNA ppt Day 1
CCNA ppt Day 1CCNA ppt Day 1
CCNA ppt Day 1
 
Cisco Switch Security
Cisco Switch SecurityCisco Switch Security
Cisco Switch Security
 
Switches on Networking
Switches on NetworkingSwitches on Networking
Switches on Networking
 
Creating a fuzzer for telecom protocol 4G LTE case study
Creating a fuzzer for telecom protocol 4G LTE case studyCreating a fuzzer for telecom protocol 4G LTE case study
Creating a fuzzer for telecom protocol 4G LTE case study
 
Citrix Netscaler Deployment Guide
Citrix Netscaler Deployment GuideCitrix Netscaler Deployment Guide
Citrix Netscaler Deployment Guide
 
GLBP (gateway load balancing protocol)
GLBP (gateway load balancing protocol)GLBP (gateway load balancing protocol)
GLBP (gateway load balancing protocol)
 
CCNA training 101
CCNA training 101CCNA training 101
CCNA training 101
 
Aruba WLANs 101 and design fundamentals
Aruba WLANs 101 and design fundamentalsAruba WLANs 101 and design fundamentals
Aruba WLANs 101 and design fundamentals
 
a brief overview on link aggregation ieee 802.3ad
a brief overview on link aggregation ieee 802.3ada brief overview on link aggregation ieee 802.3ad
a brief overview on link aggregation ieee 802.3ad
 
Firewall presentation
Firewall presentationFirewall presentation
Firewall presentation
 
SS7 Vulnerabilities
SS7 VulnerabilitiesSS7 Vulnerabilities
SS7 Vulnerabilities
 
Link Aggregation Control Protocol
Link Aggregation Control ProtocolLink Aggregation Control Protocol
Link Aggregation Control Protocol
 
Switching and Port Security
Switching and Port Security Switching and Port Security
Switching and Port Security
 
CCNA Course Training Presentation
CCNA Course Training PresentationCCNA Course Training Presentation
CCNA Course Training Presentation
 
CCNA
CCNACCNA
CCNA
 
Troubleshooting Wireless LANs with Centralized Controllers
Troubleshooting Wireless LANs with Centralized ControllersTroubleshooting Wireless LANs with Centralized Controllers
Troubleshooting Wireless LANs with Centralized Controllers
 

Destacado

STP (spanning tree protocol)
STP (spanning tree protocol)STP (spanning tree protocol)
STP (spanning tree protocol)Netwax Lab
 
Lecture 5 - Agent communication
Lecture 5 - Agent communicationLecture 5 - Agent communication
Lecture 5 - Agent communicationAntonio Moreno
 
Spanning Tree Protocol
Spanning Tree ProtocolSpanning Tree Protocol
Spanning Tree ProtocolManoj Gharate
 
Overview of Spanning Tree Protocol
Overview of Spanning Tree ProtocolOverview of Spanning Tree Protocol
Overview of Spanning Tree ProtocolArash Foroughi
 
difference between hub, bridge, switch and router
difference between hub, bridge, switch and routerdifference between hub, bridge, switch and router
difference between hub, bridge, switch and routerAkmal Cikmat
 
Computer networking devices
Computer networking devicesComputer networking devices
Computer networking devicesRajesh Sadhukha
 

Destacado (6)

STP (spanning tree protocol)
STP (spanning tree protocol)STP (spanning tree protocol)
STP (spanning tree protocol)
 
Lecture 5 - Agent communication
Lecture 5 - Agent communicationLecture 5 - Agent communication
Lecture 5 - Agent communication
 
Spanning Tree Protocol
Spanning Tree ProtocolSpanning Tree Protocol
Spanning Tree Protocol
 
Overview of Spanning Tree Protocol
Overview of Spanning Tree ProtocolOverview of Spanning Tree Protocol
Overview of Spanning Tree Protocol
 
difference between hub, bridge, switch and router
difference between hub, bridge, switch and routerdifference between hub, bridge, switch and router
difference between hub, bridge, switch and router
 
Computer networking devices
Computer networking devicesComputer networking devices
Computer networking devices
 

Similar a Introduction to layer 2 attacks & mitigation

The Complete Questionnaires About Firewall
The Complete Questionnaires About FirewallThe Complete Questionnaires About Firewall
The Complete Questionnaires About FirewallVishal Kumar
 
Giai phap bao mat - so sanh switch bao mat cua HDN va switch cua Cisco
Giai phap bao mat - so sanh switch bao mat cua HDN va switch cua CiscoGiai phap bao mat - so sanh switch bao mat cua HDN va switch cua Cisco
Giai phap bao mat - so sanh switch bao mat cua HDN va switch cua CiscoTran Thanh Song
 
ASA Firewall Interview- Questions & Answers
ASA Firewall Interview- Questions & AnswersASA Firewall Interview- Questions & Answers
ASA Firewall Interview- Questions & AnswersNetProtocol Xpert
 
ccna presentation 2013
ccna presentation 2013ccna presentation 2013
ccna presentation 2013RoHit VashIsht
 
Examen final ccna2
Examen final ccna2Examen final ccna2
Examen final ccna2Juli Yaret
 
Gaweł mikołajczyk. holistic identity based networking approach – an irreducib...
Gaweł mikołajczyk. holistic identity based networking approach – an irreducib...Gaweł mikołajczyk. holistic identity based networking approach – an irreducib...
Gaweł mikołajczyk. holistic identity based networking approach – an irreducib...Yury Chemerkin
 
PLNOG 17 - Krzysztof Wilczyński - EVPN – zwycięzca w wyścigu standardów budow...
PLNOG 17 - Krzysztof Wilczyński - EVPN – zwycięzca w wyścigu standardów budow...PLNOG 17 - Krzysztof Wilczyński - EVPN – zwycięzca w wyścigu standardów budow...
PLNOG 17 - Krzysztof Wilczyński - EVPN – zwycięzca w wyścigu standardów budow...PROIDEA
 
CCNP Switching Chapter 1
CCNP Switching Chapter 1CCNP Switching Chapter 1
CCNP Switching Chapter 1Chaing Ravuth
 
Tech 101: Understanding Firewalls
Tech 101: Understanding FirewallsTech 101: Understanding Firewalls
Tech 101: Understanding FirewallsLikan Patra
 
Basic ccna interview questions and answers ~ sysnet notes
Basic ccna interview questions and answers ~ sysnet notesBasic ccna interview questions and answers ~ sysnet notes
Basic ccna interview questions and answers ~ sysnet notesVamsi Krishna Kalavala
 
Zaccone Carmelo - IPv6 and security from a user’s point of view
Zaccone Carmelo - IPv6 and security from a user’s point of view Zaccone Carmelo - IPv6 and security from a user’s point of view
Zaccone Carmelo - IPv6 and security from a user’s point of view IPv6 Conference
 

Similar a Introduction to layer 2 attacks & mitigation (20)

Hacking L2 Switches
Hacking L2 SwitchesHacking L2 Switches
Hacking L2 Switches
 
The Complete Questionnaires About Firewall
The Complete Questionnaires About FirewallThe Complete Questionnaires About Firewall
The Complete Questionnaires About Firewall
 
Network & security startup
Network & security startupNetwork & security startup
Network & security startup
 
L2 Attacks.pdf
L2 Attacks.pdfL2 Attacks.pdf
L2 Attacks.pdf
 
Giai phap bao mat - so sanh switch bao mat cua HDN va switch cua Cisco
Giai phap bao mat - so sanh switch bao mat cua HDN va switch cua CiscoGiai phap bao mat - so sanh switch bao mat cua HDN va switch cua Cisco
Giai phap bao mat - so sanh switch bao mat cua HDN va switch cua Cisco
 
ASA Firewall Interview- Questions & Answers
ASA Firewall Interview- Questions & AnswersASA Firewall Interview- Questions & Answers
ASA Firewall Interview- Questions & Answers
 
Lec21 22
Lec21 22Lec21 22
Lec21 22
 
ccna presentation 2013
ccna presentation 2013ccna presentation 2013
ccna presentation 2013
 
Examen final ccna2
Examen final ccna2Examen final ccna2
Examen final ccna2
 
CCNA 1
CCNA 1CCNA 1
CCNA 1
 
CCNA 2
CCNA 2 CCNA 2
CCNA 2
 
Gaweł mikołajczyk. holistic identity based networking approach – an irreducib...
Gaweł mikołajczyk. holistic identity based networking approach – an irreducib...Gaweł mikołajczyk. holistic identity based networking approach – an irreducib...
Gaweł mikołajczyk. holistic identity based networking approach – an irreducib...
 
PLNOG 17 - Krzysztof Wilczyński - EVPN – zwycięzca w wyścigu standardów budow...
PLNOG 17 - Krzysztof Wilczyński - EVPN – zwycięzca w wyścigu standardów budow...PLNOG 17 - Krzysztof Wilczyński - EVPN – zwycięzca w wyścigu standardów budow...
PLNOG 17 - Krzysztof Wilczyński - EVPN – zwycięzca w wyścigu standardów budow...
 
Switching
SwitchingSwitching
Switching
 
Ccna 9
Ccna 9Ccna 9
Ccna 9
 
CCNP Switching Chapter 1
CCNP Switching Chapter 1CCNP Switching Chapter 1
CCNP Switching Chapter 1
 
Tech 101: Understanding Firewalls
Tech 101: Understanding FirewallsTech 101: Understanding Firewalls
Tech 101: Understanding Firewalls
 
Basic ccna interview questions and answers ~ sysnet notes
Basic ccna interview questions and answers ~ sysnet notesBasic ccna interview questions and answers ~ sysnet notes
Basic ccna interview questions and answers ~ sysnet notes
 
Zaccone Carmelo - IPv6 and security from a user’s point of view
Zaccone Carmelo - IPv6 and security from a user’s point of view Zaccone Carmelo - IPv6 and security from a user’s point of view
Zaccone Carmelo - IPv6 and security from a user’s point of view
 
Day4
Day4Day4
Day4
 

Más de Rishabh Dangwal

Cliffnotes on Blue Teaming
Cliffnotes on Blue TeamingCliffnotes on Blue Teaming
Cliffnotes on Blue TeamingRishabh Dangwal
 
An introduction to SwiftNET
An introduction to SwiftNETAn introduction to SwiftNET
An introduction to SwiftNETRishabh Dangwal
 
Network nags - when security fails
Network nags - when security failsNetwork nags - when security fails
Network nags - when security failsRishabh Dangwal
 
Introduction to Wan Acceleration Devices
Introduction to Wan Acceleration DevicesIntroduction to Wan Acceleration Devices
Introduction to Wan Acceleration DevicesRishabh Dangwal
 
Eigrp Cheatsheet - EIGRP in 15 min - Rishabh Dangwal - www.theprohack.com
Eigrp Cheatsheet - EIGRP in 15 min - Rishabh Dangwal - www.theprohack.comEigrp Cheatsheet - EIGRP in 15 min - Rishabh Dangwal - www.theprohack.com
Eigrp Cheatsheet - EIGRP in 15 min - Rishabh Dangwal - www.theprohack.comRishabh Dangwal
 
Understanding DDOS Mitigation by Rishabh Dangwal - www.theprohack.com
Understanding DDOS Mitigation by Rishabh Dangwal - www.theprohack.comUnderstanding DDOS Mitigation by Rishabh Dangwal - www.theprohack.com
Understanding DDOS Mitigation by Rishabh Dangwal - www.theprohack.comRishabh Dangwal
 
Corporate Security Issues and countering them using Unified Threat Management...
Corporate Security Issues and countering them using Unified Threat Management...Corporate Security Issues and countering them using Unified Threat Management...
Corporate Security Issues and countering them using Unified Threat Management...Rishabh Dangwal
 
An introduction to Digital Security - Rishabh Dangwal
An introduction to Digital Security - Rishabh DangwalAn introduction to Digital Security - Rishabh Dangwal
An introduction to Digital Security - Rishabh DangwalRishabh Dangwal
 
A guide to Unified Threat Management Systems (UTMs) by Rishabh Dangwal
A guide to Unified Threat Management Systems (UTMs) by Rishabh DangwalA guide to Unified Threat Management Systems (UTMs) by Rishabh Dangwal
A guide to Unified Threat Management Systems (UTMs) by Rishabh DangwalRishabh Dangwal
 

Más de Rishabh Dangwal (9)

Cliffnotes on Blue Teaming
Cliffnotes on Blue TeamingCliffnotes on Blue Teaming
Cliffnotes on Blue Teaming
 
An introduction to SwiftNET
An introduction to SwiftNETAn introduction to SwiftNET
An introduction to SwiftNET
 
Network nags - when security fails
Network nags - when security failsNetwork nags - when security fails
Network nags - when security fails
 
Introduction to Wan Acceleration Devices
Introduction to Wan Acceleration DevicesIntroduction to Wan Acceleration Devices
Introduction to Wan Acceleration Devices
 
Eigrp Cheatsheet - EIGRP in 15 min - Rishabh Dangwal - www.theprohack.com
Eigrp Cheatsheet - EIGRP in 15 min - Rishabh Dangwal - www.theprohack.comEigrp Cheatsheet - EIGRP in 15 min - Rishabh Dangwal - www.theprohack.com
Eigrp Cheatsheet - EIGRP in 15 min - Rishabh Dangwal - www.theprohack.com
 
Understanding DDOS Mitigation by Rishabh Dangwal - www.theprohack.com
Understanding DDOS Mitigation by Rishabh Dangwal - www.theprohack.comUnderstanding DDOS Mitigation by Rishabh Dangwal - www.theprohack.com
Understanding DDOS Mitigation by Rishabh Dangwal - www.theprohack.com
 
Corporate Security Issues and countering them using Unified Threat Management...
Corporate Security Issues and countering them using Unified Threat Management...Corporate Security Issues and countering them using Unified Threat Management...
Corporate Security Issues and countering them using Unified Threat Management...
 
An introduction to Digital Security - Rishabh Dangwal
An introduction to Digital Security - Rishabh DangwalAn introduction to Digital Security - Rishabh Dangwal
An introduction to Digital Security - Rishabh Dangwal
 
A guide to Unified Threat Management Systems (UTMs) by Rishabh Dangwal
A guide to Unified Threat Management Systems (UTMs) by Rishabh DangwalA guide to Unified Threat Management Systems (UTMs) by Rishabh Dangwal
A guide to Unified Threat Management Systems (UTMs) by Rishabh Dangwal
 

Último

Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 

Último (20)

Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 

Introduction to layer 2 attacks & mitigation

  • 1. An Introduction to Layer 2 Attacks & Mitigation Rishabh Dangwal www.TheProhack.com | Twitter @prohack
  • 2. Agenda  Layer 2 Security - The What, Why and What Now ?  Switching Basics  Quick Knowledge Check  The Attacks & their mitigation.  ARP based  Cisco Specific  STP & VLAN Attacks  Switch Configuration Review – What to look  Question Answer session.
  • 3. Layer 2 Security The What, Why and What Now ?  OSI is a layered model and if one layer gets hacked, all layers are compromised.  Layer 2 Attacks are still very much relevant today.  Poorly configured Network environments.  Information gap between Network and Security Personnel (refer next slide).  Different architectures , same protocols; henceforth same weaknesses.  Security is only as strong as your weakest link.
  • 4. Switching Basics  What is a Switch exactly ?  How does it function ?  VLAN basics.  Tagged and Untagged ports (also called as edge/access and Trunk ports).  Spanning Tree Basics.  Layer 3 Switching ?  More Layer 2 Switching Vendor specific technologies.
  • 5. Quick Knowledge Check Kind questions to ask to your Network & Security Admins 1. How do they handle Network Security issues? 2. Is their network segmented by VLANs ? 3. Are their networked VLANs secure by design ? 4. What is the process of IP Segment allocation ? 5. Is there a formal Change Process in place ?
  • 6. Flooding & Spoofing Attacks Attacks which utilize either flooding or resource starvation  ARP Poisoning  DHCP Starvation  CAM Table overflow
  • 7. ARP Attacks  ARP Poisoning : can be easily carried out.  Stateless protocol.  NO inbuilt authentication  Limited to local network segments.  Can be escalated/exploited to MITM , SSH Interception , DOS, session hijacking attacks.  Tools of Trade : Ettercap, Cain & Abel , Dsniff
  • 8. DHCP Starvation  DHCP Scope exhaustion by installing a rogue DHCP server.  Spoofed MAC requests broadcast/flood network.  Resource starvation occurs which may make a rogue server more effective.  Tools of Trade : Yersinia
  • 9. CAM Table Overflow  Content Addressable Memory (CAM) is used in highly efficient search based environments.  Cisco switches use CAM to make MAC & interface mapping tables.  One can flood MAC in network which can fill CAM & thereby make a switch act like a hub.  Tools of Trade : Dsniff, Ettercap, Cain & Abel and more..
  • 10. Flooding & Spoofing Attacks − Mitigation  Ensure Port Security is enabled (static ARP entries)  Enable Port Security  Enable DHCP Snooping.  Question Network admin on requirement of PARP / GARP if present in configuration.  Dynamic Arp Inspection .
  • 11. Cisco Specific Attacks  CDP attacks − Applicable to Cisco IOS based devices.  VTP attacks − Applicable to Cisco Switches.  DTP Attack − Applicable to Cisco IOS based devices.  HSRP Abuse − Applicable to Cisco IOS based devices.
  • 12. Cisco − CDP Attacks  Cisco Discovery Protocol (CDP) allows Cisco Devices to communicate with each other.  CDP communicates is unencrypted , unauthenticated & carries a ton of information.  CDP can be exploited to   CDP DOS (Even WLCs are vulnerable)  Overflow / Pollution / Corruption of CDP Cache  Raking up power bills (POE abuse)  Tools to Use : Yersinia
  • 13. CDP Attacks − Mitigation  Turn CDP Off.  Check with Network guys for any specific requirement of CDP (VOIP phones/Tshoot).  All unused ports shall be shut by default.  BONUS : Different vendors have similar protocols −  Juniper / Huawei LLDP (LLDP Attack Framework)  Brocade FDP  Maipu MDSP
  • 14. Cisco − VTP Attack  Virtual Trunking Protocol (VTP) is used by Cisco to propagate VLAN information.  VTP uses a versioning system with a client server architecture.  Clients sync their configuration with Server to maintain current VLAN database revision.  Attack involves DOS by sending VTP messages in the network.  Tools of Trade : Yersinia
  • 15. VTP Attack − Mitigation  Check with admin if VTP is required, if NO, recommend them to configure switches in transparent mode.  If Yes, check if following parameters are configured correctly   VTP password should be there and shall be md5 encrypted (Service Password Encryption)  Non participating switches should be configured in transparent mode.  VTP pruning should be enabled.  All unused ports shall be shut by default.
  • 16. DTP Attack  Dynamic Trunking Protocol (DTP) negotiates port states between 2 devices.  By default an interface is negotiated to become a Trunk (Tagged) port, hence its name.  One can send RAW DTP packets on Access interface & can make it trunk.  Trunk interface can then be used to escalate/exploit STP/VTP/VLAN based attacks.  Tools of Trade : Yersinia
  • 17. DTP Attack − Mitigation  Turn of DTP by enabling no more auto-negotiation.  Refer below configuration for access (untagged) port, settings are hardcoded , nothing is auto.  All unused ports shall be shut by default.
  • 18. HSRP Abuse  Hot Standby Router Protocol (HSRP) is used for achieving HA between Cisco devices.  Functions in Active/Passive mode, UDP 1985.  Uses multicast, by default password configured in plain text.  Attacker can send raw HSRP packet.  Compromise and become Active device with real or spoofed IP.  Tool to use : Yersinia
  • 19. HSRP Abuse − Mitigation  Use MD5 authentication.  Hardcode everything.
  • 20. Spanning Tree Attacks  Invented by Dr Radia Perlman, Spanning Tree Protocol (STP) is used for providing a loop free topology for a LAN or bridged network.  An attacker can disrupt STP topology by  Masquerading as a rogue switch.  Introducing a real switch in network.  Spoofing Root Switch  Sending malicious BPDU’s  Claiming roles in topology  Tools of Trade : Yersinia
  • 21. Spanning Tree Attacks − Mitigation  Enable Root Guard on Cisco Switches, Root Protection on Juniper Switches.  Enable BPDU Guard on Cisco Switches, BPDU Protection on Juniper Switches.  All unused ports shall be shut by default.
  • 22. Multicast Brute force  Switch receives a number of multicast frames in rapid succession.  Frames to leak into other VLAN instead of containing it on original VLAN.  May lead to DOS.  Rare nowadays.
  • 23. Multicast Brute Force Attack − Mitigation  Buy switches with better queues/buffer and memory support.  Upgrade your supervisors (4500X and above , Cisco Only).
  • 24. VLAN Based Attacks • VLAN Hopping − 802.1Q abuse. • PVLAN − Bypassing Layer 2 segregation logic.
  • 25. VLAN Hopping  VLAN Hopping refers to emulation of a network switch & send frames (802.1Q/ISL).  An attacker can also send double tagged frames on trunk / access interface.  First frame will be stripped by switch and it will forward the frame to outgoing interface.  Since the frame is having one more tag, it will be forwarded as it is to next unintended VLAN.  Tools of Trade : Scapy, Ostinato
  • 26. VLAN Hopping Attack − Mitigation  Disable DTP  Hardcode everything.  Unused ports shall be configured as access (untagged) ports.  Native VLAN segregation.  Management VLAN segregation.  Don’t use VLAN 1 for *anything*.
  • 27. PVLAN Attacks  Community ports can communicate between themselves & promiscuous ports.  This logic can be bypassed using a proxy server or a Layer 3 Device on a promiscuous port.  L3 device will overwrite destination mac on frame & then sends frame back.  Unidirectional attack can be leveraged to a bidirectional attack by compromising hosts.  Tools of Trade : Scapy / Ostinato
  • 28. PVLAN Attacks – Mitigation  Configure ACL on Layer 3 device.
  • 29. Bonus : SNMP Snarfing  Simple Network Management Protocol (SNMP) is used to monitor and manage devices.  Vendor agonistic , has 3 versions, version 1.0 & version 2.0 most commonly used.  Plain text authentication.  Community strings can be bruteforced , fuzzed & hacked.  Wreak havoc using read write community.  Tools of Trade : Ettercap, dsniff.
  • 30. SNMP Snarfing – Mitigation  Use SNMPv3 *only*, don’t use it in backwards compatible mode.  Don’t use community strings with write access.  Be SNMP Aware, don’t let it become “Security is Not My Problem”.
  • 31. Switch Configuration Review  What to look in a sample Switch configuration dump.  Best Practices.  Looking at the big picture.
  • 32. Conclusion  Ensure Switches are managed in a secured manner.  Hardcode everything.  Ensure there is a Change Management process for any Network and Security Changes.  Disable protocols which are not in use (CDP/VTP).  All unused ports should be shut by default.  Use Port-Security.  Use Root Guard/BPDU guard.  Be careful about SNMP community strings.
  • 33. Questions? Reach me out at admin@theprohack.com