Neutering Ettercap in Cisco Switched Networks For fun and Profit


Page 1: Neutering Ettercap in Cisco Switched Networks

For fun and Profit

Page 2: What's With the Title? (AKA Scope)

• How the protocols function under normal and malicious circumstances
• Ettercap's capabilities for protocol abuse: DHCP Spoofing, ARP Poisoning, ICMP Redirects, Port Stealing
• Countermeasures to defend against these kinds of abuse

Page 3: What's With the Title? (AKA Scope)

• Configuring countermeasures for Cisco IOS
• Best practices for implementation
• This is for CISCO NETWORKS ONLY! (sorry Juniper)

Page 4: Why Protocol Abuse Works

• The protocols are OLD! They were created during a friendlier time in networking.
• They were not created with authentication measures or security in mind.
• Engineers were focused on transmitting data without errors, not on who was sending it or what was being sent.

Page 5: Let's spoof some DHCP!

You can trust me, I'm a nice DHCP Server. ;)

Page 6: DHCP Spoofing – Function

Dynamic Host Configuration Protocol (DHCP) permits hosts connected to a Local Area Network (LAN) segment to be dynamically assigned the parameters necessary to send and receive data over a network. The DHCP exchange is sent as a 'broadcast', which means that every host on the LAN segment receives a copy of it.

Page 7: DHCP Spoofing – Function

Normally a host would ignore this exchange, but Ettercap has a built-in feature to intercept these DHCP messages and reply to them before the authentic DHCP server can. This causes the host to continue the exchange with Ettercap and ignore the authentic server.

Page 8: DHCP Spoofing – Function

The main purpose of this is to tell the host to use the Ettercap machine as its 'Default Gateway', the address to which it forwards data destined for networks other than its own. This allows a 'Half-Duplex' MitM, meaning the attacker sees only half of the exchange: the return packets do not pass through the attacker unless this is combined with tunneling techniques.

Pages 9-12: DHCP Spoofing – Function

[Figure: Normal DHCP exchange between the host and the authentic DHCP server, built up over four slides.]

Pages 13-15: DHCP Spoofing – Function

[Figure: Ettercap DHCP exchange, with EVE intercepting and answering the host's DHCP messages, built up over three slides.]

Page 16: DHCP Spoofing – Countermeasures

To combat not only Ettercap but all rogue DHCP servers, the 'IP DHCP Snooping' process will be enabled. Available on both Layer 2 and Layer 3 switches, DHCP Snooping applies a two-pronged approach.

Page 17: DHCP Spoofing – Countermeasures

IP DHCP Snooping only allows authentic DHCP servers to reply to transactions. Rogue servers that send replies to DHCP requests will have the reply packet dropped by the switch, and a log message will be generated. The DHCP transaction will still be visible to all hosts on the LAN segment, but replies are strictly policed using 'Trusted Interfaces'.

Page 18: DHCP Spoofing – Countermeasures

DHCP replies received on a Trusted Interface (switch port) are forwarded automatically; however, all ports on the switch are Untrusted by default. Only ports leading to gateway routers and/or other DHCP Snooping enabled switches should be set to Trusted.

Page 19: DHCP Spoofing – Countermeasures

IMPORTANT NOTE: Unless your DHCP server supports Option 82 tagging, you must disable it! By default, Cisco switches tag snooped DHCP transactions with Option 82 information before forwarding them. This will more than likely cause the DHCP server to ignore the request, creating an inadvertent DoS situation.

Page 20: DHCP Spoofing – Configuration

• Enable the IP DHCP Snooping process
  – Switch(config)# ip dhcp snooping
• Define which VLANs are to be snooped
  – Switch(config)# ip dhcp snooping vlan <VLAN_RANGE>
    • e.g. 1,2,3-5,8-10,23,25-50
• Disable DHCP Option 82 tagging
  – Switch(config)# no ip dhcp snooping information option

Page 21: DHCP Spoofing – Configuration

• Trust gateway/inter-switch links
  – Switch(config)# int fa0/1
  – Switch(config-if)# ip dhcp snooping trust
• Create a DHCP binding database
  – Switch(config)# ip dhcp snooping database <URL>
    • Best practice is to store this DB in switch flash memory
• Re-DHCP all hosts on the LAN segment to populate the DHCP binding DB

Page 22: DHCP Spoofing – Countermeasures

Bonus!
• To prevent DHCP starvation attacks, set a DHCP packet-per-second limit on untrusted interfaces
  – Switch(config)# int range fa0/2-24
  – Switch(config-if)# ip dhcp snooping limit rate <#_OF_DHCP_PPS>
    • 3 DHCP packets per second is a best practice

Page 23: Won't someone think of the child... er... ARPs?!

All your ARPs are belong to us!

Page 24: ARP Poisoning - Function

Address Resolution Protocol (ARP) allows hosts on a LAN segment to communicate with each other. Networks are defined by their physical (Layer 2) and logical (Layer 3) design, or topology. It is normal for the two topologies to be completely different, and ARP provides the mapping between the two.

Page 25: ARP Poisoning - Function

This is important because of how switches and routers forward data. Switches forward data primarily based on the physical topology, whereas routers forward based solely on the logical topology. If Layer 2 can be controlled, so can every OSI layer above it.

Page 26: ARP Poisoning - Function

By producing falsified ARP broadcasts, Ettercap can convince hosts and routers alike to forward all of their traffic through the attacker's physical address. Ettercap essentially tricks all or some of the hosts on the LAN into believing that its physical address corresponds to the victim's logical address.

Page 27: ARP Poisoning - Function

This is very powerful, as it creates a Full-Duplex MitM: both sent and received data will be seen by the attacker. A particularly powerful feature of Ettercap is its ability to intercept the negotiation of encryption parameters for SSH and SSL tunnels, allowing the attacker to read the encrypted data in plain text.

Pages 28-35: ARP Poisoning - Function

[Figures: hosts A, B and C (MACs aaaa.aaaa.aaaa, bbbb.bbbb.bbbb, cccc.cccc.cccc), the server (MAC dddd.dddd.dddd) and EVE (MAC 1111.1111.1111) on one switch.]

• Pages 28-31, Normal ARPs: "What is the server's MAC address?" / "The Server is @ dddd.dddd.dddd"
• Page 32: Normal Traffic Flow
• Pages 33-34, Poisoned ARPs (EVE): "All Hosts are @ 1111.1111.1111"
• Page 35: Hairpin Traffic Flow (via EVE)

Page 36: ARP Poisoning - Countermeasures

Cisco switches, both Layer 2 and Layer 3, support a process called 'Dynamic ARP Inspection' (DAI). The DAI process works in tandem with DHCP Snooping. DHCP Snooping builds an internal database of Layer 2-to-Layer 3 mappings, the very thing ARP is used to determine.

Page 37: ARP Poisoning - Countermeasures

Since the switch has seen the entire DHCP transaction and knows which of its switch ports the request came from, it is able to track these bindings to identify false ARP broadcasts and kill them before they propagate to other hosts.

Page 38: ARP Poisoning - Countermeasures

Every invalid ARP reply will be dropped by the switch and generates a log message. ARP requests will still be allowed to propagate as normal, since they need to reach their target to elicit a reply.

Page 39: ARP Poisoning - Countermeasures

Only ARP replies are policed. A reply must pass inspection at the first receiving switch, which then places it in a 'trust-zone' of clean ARPs. DAI places all interfaces in an untrusted state by default, meaning ARP replies received on an interface must be validated.

Page 40: ARP Poisoning - Countermeasures

Router/inter-switch links connected only to other DAI-enabled switches should be trusted (an ARP access-list is a more secure option for routers). Hosts that have static network assignments will have a static binding set on the switch they are directly connected to.

Page 41: ARP Poisoning - Configuration

• Enable the DAI process on the appropriate VLANs
  – Switch(config)# ip arp inspection vlan <VLAN_RANGE>
• Trust links connected ONLY to routers and other DAI-enabled switches
  – Switch(config)# int fa0/1
  – Switch(config-if)# ip arp inspection trust
• Set an ARP PPS limit on untrusted interfaces
  – Switch(config)# int range fa0/2-24
  – Switch(config-if)# ip arp inspection limit rate <#_OF_ARP_PPS>

Page 42: ARP Poisoning - Configuration

• Define static bindings for non-DHCP hosts
  – Switch(config)# arp access-list <ARP_ACL_NAME>
  – Switch(config-acl)# permit ip host <HOST_IP> mac host <HOST_MAC> [log]
    • e.g. permit ip host 192.168.1.1 mac host 1111.1111.1111 log
  – [REPEAT THE 'permit' STATEMENT FOR EACH STATICALLY ASSIGNED HOST]
  – Switch(config-acl)# exit

Page 43: ARP Poisoning - Countermeasures

• Apply the ARP ACL to the DAI process
  – Switch(config)# ip arp inspection filter <ARP_ACL_NAME> vlan <VLAN_RANGE> [static]
    • ARPs matched by the ARP ACL 'permit' statements will not be checked against the DHCP snooping database. Use the 'static' keyword with caution, as the ACL is checked before the DHCP Snooping database: when 'static' is set and no match is found in the ARP ACL, the ARP reply is considered invalid without the DHCP Snooping database ever being consulted!
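The decision logic of DHCP Snooping (pages 16-22) and of DAI with an ARP ACL (pages 36-43), including the 'static' caveat just described, modelled in Python. This is an added example, not code from the presentation or from Cisco; the ports Fa0/1-Fa0/4, VLAN 10 and all addresses are constructed, and a real switch validates more fields than this simplified model does.

```python
"""Model of DHCP Snooping + Dynamic ARP Inspection decisions (pages 16-22, 36-43).
Added illustration, not code from the presentation or Cisco IOS. Ports, VLAN
and addresses are constructed; real DAI validates more than this model."""
from dataclasses import dataclass, field

DHCP_SERVER_MSGS = {"OFFER", "ACK", "NAK"}   # only legitimate from trusted ports


@dataclass
class Switch:
    trusted: set                                  # gateway / inter-switch links
    arp_acl: set = field(default_factory=set)     # {(ip, mac)} permit statements
    acl_static: bool = False                      # 'ip arp inspection filter .. static'
    pending: dict = field(default_factory=dict)   # client mac -> (port, vlan)
    bindings: dict = field(default_factory=dict)  # ip -> (mac, vlan, port) snooping DB
    log: list = field(default_factory=list)

    def snoop_dhcp(self, port, vlan, msg, chaddr, yiaddr=None):
        """DHCP Snooping: police server replies by port trust, learn from ACKs."""
        if msg in DHCP_SERVER_MSGS and port not in self.trusted:
            self.log.append(f"DHCP_SNOOPING: {msg} on untrusted {port} dropped")
            return "drop"
        if msg in ("DISCOVER", "REQUEST"):
            self.pending[chaddr] = (port, vlan)   # remember the client's port
        elif msg == "ACK" and chaddr in self.pending:
            cport, cvlan = self.pending.pop(chaddr)
            self.bindings[yiaddr] = (chaddr, cvlan, cport)   # IP-to-MAC binding
        return "forward"

    def inspect_arp_reply(self, port, vlan, sender_ip, sender_mac):
        """DAI: validate an ARP reply arriving on an untrusted port."""
        if port in self.trusted:
            return "forward"
        # 1. The ARP ACL is consulted first; a permit match skips the DB.
        if (sender_ip, sender_mac) in self.arp_acl:
            return "forward"
        # 2. No ACL match with 'static': invalid, the DB is never consulted.
        if self.acl_static:
            self.log.append(f"DAI: {sender_ip} {sender_mac} on {port} not in ARP ACL")
            return "drop"
        # 3. Otherwise the DHCP snooping binding database decides.
        binding = self.bindings.get(sender_ip)
        if binding and binding[0] == sender_mac and binding[1] == vlan:
            return "forward"
        self.log.append(f"DAI: invalid ARP reply {sender_ip} {sender_mac} on {port}")
        return "drop"


def demo(static=False):
    """Constructed scenario: host A leases via the real server behind Fa0/1, the
    statically addressed server is in the ARP ACL, EVE sits on Fa0/3."""
    sw = Switch(trusted={"Fa0/1"}, arp_acl={("192.168.1.1", "dddd.dddd.dddd")},
                acl_static=static)
    r = {}
    r["discover"] = sw.snoop_dhcp("Fa0/2", 10, "DISCOVER", "aaaa.aaaa.aaaa")
    r["rogue_offer"] = sw.snoop_dhcp("Fa0/3", 10, "OFFER", "aaaa.aaaa.aaaa")
    r["real_ack"] = sw.snoop_dhcp("Fa0/1", 10, "ACK", "aaaa.aaaa.aaaa", "192.168.1.10")
    r["eve_poison"] = sw.inspect_arp_reply("Fa0/3", 10, "192.168.1.10", "1111.1111.1111")
    r["a_reply"] = sw.inspect_arp_reply("Fa0/2", 10, "192.168.1.10", "aaaa.aaaa.aaaa")
    r["server_reply"] = sw.inspect_arp_reply("Fa0/4", 10, "192.168.1.1", "dddd.dddd.dddd")
    r["eve_as_server"] = sw.inspect_arp_reply("Fa0/3", 10, "192.168.1.1", "1111.1111.1111")
    return r, sw.log, dict(sw.bindings)
```

Run `demo()` and `demo(static=True)` side by side: with 'static' set, host A's perfectly valid reply (in the snooping DB but not in the ACL) is dropped, which is the DoS the slide warns about.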

Page 44: ICMP; Networking Ballistic Missiles!

Break out the SPF 9000!

Page 45: ICMP Redirects - Function

The Internet Control Message Protocol (ICMP) is in reality a small suite of protocols used to pass network information between nodes. ICMP is more or less a legacy protocol, in that most of its functionality has been replaced and improved upon by other protocols. However, host operating systems still process most, if not all, ICMP requests in the spirit of backwards compatibility.

Page 46: ICMP Redirects - Function

ICMP Redirects were used to notify routers/hosts about better paths to reach specific networks. Ettercap can send these Redirects to hosts on a LAN, telling them to forward traffic for other networks to the attacker instead of their default gateway. By itself this is a very simple Half-Duplex MitM, but it can be combined with other techniques to glean host information and become Full-Duplex.

Pages 47-49: ICMP Redirects – Function

[Figure: EVE sends an ICMP Redirect, "Reach server.com via EVE's IP Address", built up over three slides.]

Page 50: ICMP Redirects - Countermeasures

VLAN Access-Control Lists (VACLs) can be configured on Layer 3 switches to police traffic passing within a VLAN. Unlike traditional ACLs, VACLs do not understand the concept of 'inbound' or 'outbound', so they are applied with the use of a 'VLAN access-map'. VLAN access-maps can reference ACLs to determine which protocols are allowed or denied on the VLAN segment.

Page 51: ICMP Redirects – Configuration

• !Define the Extended ACL!
  – The 'permit' statement does not mean ICMP redirects will be permitted, but that the VLAN access-map is allowed to act upon packets that match it.
    • Switch(config)# ip access-list extended <ACL_NAME>
    • Switch(config-acl)# permit icmp any any redirect

Page 52: ICMP Redirects – Configuration

• !Define the VLAN access-map!
  – Best practice sequencing is to initially use increments of 10 to allow for future adjustments; lower sequence numbers are evaluated first.
    • Switch(config)# vlan access-map <VAM_NAME> <SEQ_#>
    • Switch(config-access-map)# match ip address <ACL_NAME>
    • Switch(config-access-map)# action drop
    • Switch(config-access-map)# vlan access-map <VAM_NAME> <SEQ_#>
    • Switch(config-access-map)# action forward
    • Switch(config-access-map)# exit

Page 53: ICMP Redirects – Configuration

• !Apply the VACL filter to the VLAN(s)!
  – Switch(config)# vlan filter <VAM_NAME> vlan-list <VLAN_RANGE>

Page 54: Thou Shalt Not Port Steal!

I promise to bring it right back!

Page 55: Port Stealing - Function

Port Stealing is not the best term to describe this particular MitM. This Ettercap method abuses how switches build their Layer 2 forwarding table. When data is sent from a host, it is tagged with Destination and Sender addresses.

Page 56: Port Stealing - Function

Switches note the Sender Layer 2 address and associate it with the port it was received on. In this way, the switch maps Layer 2 to Layer 1 addresses so it can forward data as quickly as possible.

Pages 57-61: Port Stealing - Function

[Figures: hosts A, B and C (MACs aaaa.aaaa.aaaa, bbbb.bbbb.bbbb, cccc.cccc.cccc), the server (MAC dddd.dddd.dddd) and EVE (MAC 1111.1111.1111) on one switch, with the switch CAM table shown at each step.]

Page 57, Normal Traffic Flow. Switch CAM table:
  aaaa.aaaa.aaaa @ Port1
  dddd.dddd.dddd @ Port2
  1111.1111.1111 @ Port3

Page 58, Altered Traffic Flow: EVE sends a frame with Sender MAC aaaa.aaaa.aaaa. Switch CAM table afterwards:
  1111.1111.1111 @ Port3
  dddd.dddd.dddd @ Port2
  aaaa.aaaa.aaaa @ Port3

Page 59: EVE sends a frame with Sender MAC 1111.1111.1111. Switch CAM tables as shown, before and after:
  1111.1111.1111 @ Port1 / dddd.dddd.dddd @ Port2 / aaaa.aaaa.aaaa @ Port3
  1111.1111.1111 @ Port3 / dddd.dddd.dddd @ Port2 / aaaa.aaaa.aaaa @ Port3

Page 60: "Unknown Unicast becomes Broadcast". Switch CAM table:
  1111.1111.1111 @ Port3
  dddd.dddd.dddd @ Port2
  aaaa.aaaa.aaaa @ Port3

Page 61: labelled Normal Traffic Flow; CAM table as on page 60.

Page 62: Port Stealing - Countermeasures

With modern Fast and Gigabit Ethernet standards and improved switching hardware, this particular MitM is the least effective in Ettercap's arsenal, and it is also the easiest to defend against. Using Cisco port-security, forged Layer 2 sender data can trigger a number of responses, up to and including completely disabling an interface. The parameters for Cisco port-security will vary depending on network requirements.

Page 63: Port Stealing - Configuration

• Select the range of host ports
  – Switch(config)# int range fa0/2-24
  – Switch(config-if)# switchport host

'switchport host' is an IOS macro that places the interface in access mode, enables Spanning Tree PortFast, and disables EtherChannel. To use Cisco port-security, though, you only need the 'switchport mode access' command.

Page 64: Port Stealing - Configuration

• Enable Cisco port-security
  – Switch(config-if)# switchport port-security
• Define the maximum number of MAC addresses permitted on the interface
  – Switch(config-if)# switchport port-security maximum <#>
    • Two is recommended for networks with VoIP phones

Page 65: Port Stealing - Configuration

• Define the port-security response
  – All modes drop offending frames. Protect does not generate a log message. Restrict generates a log message. Shutdown generates a log message and disables the interface!
  – Switch(config-if)# switchport port-security violation restrict

Page 66: Port Stealing - Configuration

• Define the host MAC address, or allow dynamic learning with 'sticky'
  – Switch(config-if)# switchport port-security mac-address [<H.H.H>|sticky]
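The CAM-table behaviour shown on pages 57-61 and the port-security response configured on pages 63-66, modelled in Python as an added example (not code from the presentation or from Cisco IOS). Port names, MAC addresses and the maximum of 1 are constructed; `port_security=False` reproduces the 'Altered Traffic Flow' table, and the three violation modes reproduce the behaviour described on page 65.

```python
"""Model of a switch CAM table protected by Cisco-style port-security (pages
57-66): what happens to a forged sender MAC under the protect, restrict and
shutdown violation modes. Added illustration, not code from the presentation
or from Cisco IOS; ports, MACs and the maximum are constructed."""
from dataclasses import dataclass, field


@dataclass
class Port:
    maximum: int = 1                               # port-security maximum <#>
    violation: str = "shutdown"                    # port-security violation <mode>
    secure_macs: set = field(default_factory=set)  # 'sticky' learned addresses
    err_disabled: bool = False


class Switch:
    def __init__(self, ports, port_security=True):
        self.ports = ports                 # name -> Port
        self.port_security = port_security
        self.cam = {}                      # mac -> port: the Layer 2 forwarding table
        self.log = []

    def secured_on(self, mac):
        """Port on which 'mac' is already a secure address, if any."""
        return next((n for n, p in self.ports.items() if mac in p.secure_macs), None)

    def receive(self, name, src_mac):
        """Learn src_mac on port 'name' unless port-security reports a violation."""
        port = self.ports[name]
        if port.err_disabled:
            return "drop"                  # interface shut down by an earlier violation
        if self.port_security:
            owner = self.secured_on(src_mac)
            is_new = src_mac not in port.secure_macs
            # Violation: the MAC is secured on another port (port stealing), or this
            # port already holds its maximum number of secure MACs and a new one appears.
            if (owner and owner != name) or (is_new and len(port.secure_macs) >= port.maximum):
                return self.violate(name, port, src_mac)
            port.secure_macs.add(src_mac)  # sticky learning
        self.cam[src_mac] = name           # normal CAM learning: the last sender wins
        return "forward"

    def violate(self, name, port, mac):
        if port.violation != "protect":    # protect drops silently
            self.log.append(f"port-security {port.violation} violation on {name}: {mac}")
        if port.violation == "shutdown":
            port.err_disabled = True       # err-disable the interface, flush its CAM entries
            self.cam = {m: p for m, p in self.cam.items() if p != name}
        return "drop"


def demo(mode="restrict", port_security=True):
    """Constructed scenario from the slides: A on Port1, server on Port2, EVE on Port3."""
    sw = Switch({n: Port(maximum=1, violation=mode) for n in ("Port1", "Port2", "Port3")},
                port_security)
    actions = [sw.receive("Port1", "aaaa.aaaa.aaaa"),
               sw.receive("Port2", "dddd.dddd.dddd"),
               sw.receive("Port3", "1111.1111.1111"),
               sw.receive("Port3", "aaaa.aaaa.aaaa")]   # EVE forges A's sender MAC
    return actions, dict(sw.cam), sw.log, sw.ports["Port3"].err_disabled
```

Without port-security the fourth frame moves aaaa.aaaa.aaaa to Port3 exactly as on page 58; with any violation mode the CAM entry stays on Port1, and only shutdown takes EVE's port out of service.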

Page 67: Conclusion

Y'all play nice now.

Page 68: Conclusion

While Ettercap is not the only program that performs DHCP Spoofing, ARP Poisoning, ICMP Redirect and Port Stealing MitMs, it is one of the most popular. Keeping vigilant and understanding the threats facing networks are fundamental for network security officers. Understanding the functions of Ettercap and similar tools can give administrators new insight when reassessing security measures.