Presentation(PPT)

Router Skullduggery

The Utility of Network Devices for Attack and

DefenseChris DavisHivercon 2003

Contents

1.1. Philosophical PreliminariesPhilosophical Preliminaries

2.2. Network Devices as AttackersNetwork Devices as Attackers

3.3. Network Devices as DefendersNetwork Devices as Defenders

4.4. JitneyJitney

5.5. CountermeasuresCountermeasures

Chris DavisChris Davis

Hivercon 2003Hivercon 2003

Router Skullduggery: Router Skullduggery:

The Utility of Network Devices for Attack and The Utility of Network Devices for Attack and DefenseDefense

1.1 Medieval Security





Viral epidemicsDetermination of

risk is unscientific

Users can be fools

1.2 Understanding Risk

Risk is a function of the Risk is a function of the likelihoodlikelihood of a given of a given threat-source’sthreat-source’s exercising a particular exercising a particular potential potential vulnerabilityvulnerability, and the resulting , and the resulting impact impact of that adverse event on the of that adverse event on the organizationorganization

NIST SP 800-30, Risk Management Guide for Information Technology SystemsNIST SP 800-30, Risk Management Guide for Information Technology Systems





1.3 Reducing Risk





Internet

Application

Database

Eth

ern

et

Inherent risk is the risk of a system in the absence of mitigating controls.

Risk is reduced through the implementation of mitigating controls.

The amount by which risk is reduced is determined by the control’s effectiveness against known vulnerabilities.

Firewall

allow any to any

InternetFirewall

Eth

erne

t

Application

FirewallMinicomputer

1.4 Control EffectivenessA control’s effectiveness is measured by its A control’s effectiveness is measured by its

ability to reduce an attack’sability to reduce an attack’s probability probability of successof success..

An attack’s probability of success is based An attack’s probability of success is based uponupon– Cost (cracking strong encryption)Cost (cracking strong encryption)– Time (brute-force password guessing)Time (brute-force password guessing)– Visibility (Internet-accessible tcp/139)Visibility (Internet-accessible tcp/139)– Prerequisite knowledge (obfuscation)Prerequisite knowledge (obfuscation)





2.1 Skullduggery

skullduggery skullduggery (n. see also Scots (n. see also Scots sculduddery)sculduddery) 1. a devious device 1. a devious device or trick, 2. underhanded or or trick, 2. underhanded or unscrupulous behavior.unscrupulous behavior.

Merriam-Webster Online DictionaryMerriam-Webster Online Dictionary

((http://www.m-w.com))





http://www.m-w.com/

2.2 Brief History of Attacks Part IARP PoisoningARP Poisoning

Target:Target: Network switches. Network switches.

Operating Layer: Operating Layer: EthernetEthernet

Method:Method: Falsified ARP packets are frequently broadcasted to the local Falsified ARP packets are frequently broadcasted to the local network, thereby causing hosts to send packets to the attack host.network, thereby causing hosts to send packets to the attack host.

Effect:Effect: The attacking host can read and modify data. The attacking host can read and modify data.

Tools:Tools: dsniff, Ettercap, Cain dsniff, Ettercap, Cain





LimitationsLimitationsViewpoint:Viewpoint: Local Local

Necessary Precision:Necessary Precision: Low Low

Detectability:Detectability: High High

Bandwidth:Bandwidth: Moderate – High Moderate – High

Latency:Latency: Moderate Moderate

2.3 Brief History of Attacks Part IIRoute ManipulationRoute Manipulation

Target:Target: Network routers. Network routers.

Operating Layer:Operating Layer: TCP/IP TCP/IP

Method:Method: The route table is modified to redirect packets through the The route table is modified to redirect packets through the attack host.attack host.

Effect:Effect: The attacking host can read and modify data. The attacking host can read and modify data.

Tools:Tools: VIPPR, IRPAS, RPAK, Policy Routing, IP Tunneling (GRE / IPIP) VIPPR, IRPAS, RPAK, Policy Routing, IP Tunneling (GRE / IPIP)





LimitationsLimitationsViewpoint:Viewpoint: Local / Remote Local / Remote

Necessary Precision:Necessary Precision: ModerateModerate

Detectability:Detectability: High High

Bandwidth:Bandwidth: High High

Latency:Latency: High High

2.4 Traffic Detectionrouter# conf t

router(config)# access-list 101 permit tcp any any

router(config)# exit

router# debug ip packet 101 detail

router# no debug ip packet 101 detail

Initialize logging

Confmode

Exit Confmode

Start Detection

Stop Detection





3w0d: IP: s=172.24.221.131 (Ethernet0), d=172.24.221.193 (Ethernet0), len 41, rcvd 33w0d: TCP src=36836, dst=23, seq=1517999349, ack=1908502442, win=12320 ACK PSH3w0d: IP: s=172.24.221.193 (local), d=172.24.221.131 (Ethernet0), len 41, sending3w0d: TCP src=23, dst=36836, seq=1908502442, ack=1517999350, win=3929 ACK PSH3w0d: IP: s=172.24.221.131 (Ethernet0), d=172.24.221.193 (Ethernet0), len 40, rcvd 33w0d: TCP src=36836, dst=23, seq=1517999350, ack=1908502443, win=12320 ACK

2.5 Sniffing via Syslog





router# conf t

router(config)# logging trap debuggingrouter(config)# logging facility local6router(config)# logging <syslog server>

router(config)# access-list 101 permit icmp any any echo echo-reply


router# debug ip packet 101 dump

router# no debug ip packet 101 dump

Initialize logging

Configuration Mode

Set ACLs

Exit ConfmodeStart Sniffing

Stop Sniffing

2.6 Sniffing on a Cisco (Ethernet)





router# router# debug ip packet <ACL> dumpdebug ip packet <ACL> dump

2w3d: IP: s=172.24.221.193 (local), d=172.24.221.10 (Ethernet0), 2w3d: IP: s=172.24.221.193 (local), d=172.24.221.10 (Ethernet0), len 84, sendinglen 84, sending

00607060: 0010 7B385DF6 ..{8]v00607060: 0010 7B385DF6 ..{8]v00607070: 020006E3 66BA0800 45000054 00004000 ...cf:[email protected]: 020006E3 66BA0800 45000054 00004000 ...cf:[email protected]: FF0168AB AC18DDC1 AC18DD0A 0000EB86 ..h+,.]A,.]...k.00607080: FF0168AB AC18DDC1 AC18DD0A 0000EB86 ..h+,.]A,.]...k.00607090: 950A0100 F4A6963F FA840E00 08090A0B ....t&.?z.......00607090: 950A0100 F4A6963F FA840E00 08090A0B ....t&.?z.......006070A0: 0C0D0E0F 10111213 14151617 18191A1B ................006070A0: 0C0D0E0F 10111213 14151617 18191A1B ................006070B0: 1C1D1E1F 20212223 24252627 28292A2B .... !"#$%&'()*+006070B0: 1C1D1E1F 20212223 24252627 28292A2B .... !"#$%&'()*+006070C0: 2C2D2E2F 30313233 34353637 86 ,-./01234567.006070C0: 2C2D2E2F 30313233 34353637 86 ,-./01234567.

2.7 Sniffing on a Cisco (Token-Ring)router# router# debug ip packet <ACL> dumpdebug ip packet <ACL> dump

2w3d: IP: s=10.20.40.1 (Virtual-TokenRing0), d=10.20.40.1 2w3d: IP: s=10.20.40.1 (Virtual-TokenRing0), d=10.20.40.1 (Virtual-TokenRing0), len 100, rcvd 3(Virtual-TokenRing0), len 100, rcvd 3

00630620: 0040 40000000 00074000 .@@[email protected]: 0040 40000000 00074000 .@@.....@.

00630630: 00000007 AAAA0300 00000800 45000064 ....**......E..d00630630: 00000007 AAAA0300 00000800 45000064 ....**......E..d

00630640: 00630000 FF01570C 0A142801 0A142801 .c....W...(...(.00630640: 00630000 FF01570C 0A142801 0A142801 .c....W...(...(.

00630650: 0000F0AF 21B52663 00000000 57E5F59C ..p/!5&c....Weu.00630650: 0000F0AF 21B52663 00000000 57E5F59C ..p/!5&c....Weu.

00630660: ABCDABCD ABCDABCD ABCDABCD ABCDABCD +M+M+M+M+M+M+M+M00630660: ABCDABCD ABCDABCD ABCDABCD ABCDABCD +M+M+M+M+M+M+M+M




006306A0: 20006306A0: 20





2.8 Passive Firewall Ruleset Enumeration

Method:Method: Track any of the following: Track any of the following:•Successful TCP handshakesSuccessful TCP handshakes•Matching ingress and egress UDP trafficMatching ingress and egress UDP traffic•ICMP packets (and their associated ICMP packets (and their associated

responses)responses)

•IP protocolsIP protocols

Effect:Effect: The attacking host can passively The attacking host can passively

determine a good portion of the firewall’s determine a good portion of the firewall’s

ruleset.ruleset.

Detectability:Detectability: Very low Very low





2.9 Firewall State Table Determination

Method:Method: Track the following Track the following•Source and destination IP addressesSource and destination IP addresses•TCP header data: flags, sequence TCP header data: flags, sequence numbers,numbers,

window sizes, source and destination window sizes, source and destination portsports

•UDP source and destination portsUDP source and destination ports•ICMP types and codesICMP types and codes

Effect:Effect: The attacking host can determine The attacking host can determine thethe

active connections permitted by theactive connections permitted by the

firewall, including internally originatedfirewall, including internally originated

traffic.traffic.

Detectability:Detectability: Very low Very low





2.10 Stealthy Network Mapping





Method:Method:• Reroute any valid connection through theReroute any valid connection through the

attacking host using IP tunneling andattacking host using IP tunneling and

policy routing.policy routing.• Initially set the TTL on any ingress packetInitially set the TTL on any ingress packet

to one and send to the destination host.to one and send to the destination host.• Sniff any ICMP type 11 (time exceeded)Sniff any ICMP type 11 (time exceeded)

messages destined for the client host,messages destined for the client host,

increment the TTL, and resend.increment the TTL, and resend.• Once the destination responds, Once the destination responds,

shutdown the tunnel.shutdown the tunnel.

Effect:Effect: The attacking host can map the internal The attacking host can map the internal

network using authorized connections.network using authorized connections.

Detectability:Detectability: Low Low

2.11 Packet Injection







policy routing.policy routing.• Modify packet contents as needed forModify packet contents as needed for

either the client or server.either the client or server.• Teardown tunnel when done.Teardown tunnel when done.

Effect:Effect: The attacking host can replace The attacking host can replace

data with false information or maliciousdata with false information or malicious

code.code.

Detectability:Detectability: Moderate Moderate

2.12 Connection Hijacking







policy routing.policy routing.• Track session parameters.Track session parameters.• Block client access at the router orBlock client access at the router or

attack host.attack host.• Using last-known good sessionUsing last-known good session

parameters, continue the connectionparameters, continue the connection

with the destination host.with the destination host.

Effect:Effect: The attacking host can take complete The attacking host can take complete

control of a connection.control of a connection.

Detectability:Detectability: Moderate - High Moderate - High

2.13 Sniffing via Telnet





router# conf t

router(config)# logging monitor debugging

router(config)# access-list 101 permit icmp any any echo echo-reply

router(config)# service nagle


router# terminal monitor

router# debug ip packet 101 dump

router# no debug ip packet 101 dump

Configuration ModeTerminal

MonitoringSet

ACLs

Exit Confmode

Start sniffingStop Sniffing

Terminal Monitoring

Telnet Efficiency

2.14 Blocked Tunnels





Limitations: The border firewall blocks GRE (47) and IPIP (94) protocols, thereby preventing simple route manipulation attacks.

Target: Internal routers.

Method: Sniff packets on internal router by dumping packets to the terminal.

Effect: Traffic on internal networks can be sniffed directly or via compromised hosts.

Detectability: Moderate

2.15 Remote Switch Sniffing





Limitations: Router security prevents compromise.

Target: Network switches.

Method: Sniff packets on switch by dumping packets to the terminal.

Effect: Traffic on internal networks can be sniffed directly or via compromised hosts.

Detectability: Moderate

2.16 Switch Sniffing





00:20:08: IP: s=169.254.151.9 (VLAN1), d=169.254.255.255, len 246, rcvd 100:20:08: IP: s=169.254.151.9 (VLAN1), d=169.254.255.255, len 246, rcvd 17004FF50: FFFF ..7004FF50: FFFF ..7004FF60: FFFFFFFF 00096B86 FFB60800 450000F6 ......k..6..E..v7004FF60: FFFFFFFF 00096B86 FFB60800 450000F6 ......k..6..E..v7004FF70: 050C0000 801149E5 A9FE9709 A9FEFFFF ......Ie)~..)~..7004FF70: 050C0000 801149E5 A9FE9709 A9FEFFFF ......Ie)~..)~..7004FF80: 008A008A 00E2069E 110E80CD A9FE9709 .....b.....M)~..7004FF80: 008A008A 00E2069E 110E80CD A9FE9709 .....b.....M)~..7004FF90: 008A00CC 00002046 41454945 4D455046 ...L.. FAEIEMEPF7004FF90: 008A00CC 00002046 41454945 4D455046 ...L.. FAEIEMEPF7004FFA0: 44464443 41434143 41434143 41434143 DFDCACACACACACAC7004FFA0: 44464443 41434143 41434143 41434143 DFDCACACACACACAC7004FFB0: 41434143 41434100 20464845 50464345 ACACACA. FHEPFCE7004FFB0: 41434143 41434100 20464845 50464345 ACACACA. FHEPFCE7004FFC0: 4C454846 43455046 46464143 41434143 LEHFCEPFFFACACAC7004FFC0: 4C454846 43455046 46464143 41434143 LEHFCEPFFFACACAC7004FFD0: 41434143 41434142 4E00FF53 4D422500 ACACACABN..SMB%.7004FFD0: 41434143 41434142 4E00FF53 4D422500 ACACACABN..SMB%.7004FFE0: 00000000 00000000 00000000 00000000 ................7004FFE0: 00000000 00000000 00000000 00000000 ................7004FFF0: 00000000 00000000 00001100 00320000 .............2..7004FFF0: 00000000 00000000 00001100 00320000 .............2..70050000: 00000000 000000E8 03000000 00000000 .......h........70050000: 00000000 000000E8 03000000 00000000 .......h........70050010: 00320056 00030001 00000002 0043005C .2.V.........C.\70050010: 00320056 00030001 00000002 0043005C .2.V.........C.\70050020: 4D41494C 534C4F54 5C42524F 57534500 MAILSLOT\BROWSE.70050020: 4D41494C 534C4F54 5C42524F 57534500 MAILSLOT\BROWSE.70050030: 010080FC 0A005048 4C4F5353 00006600 ...|..PHLOSS..f.70050030: 010080FC 0A005048 4C4F5353 00006600 ...|..PHLOSS..f.70050040: 74000000 35000501 03120100 0F0155AA t...5.........U*70050040: 74000000 35000501 03120100 0F0155AA t...5.........U*70050050: 476F6F64 206F7261 6C206879 6765696E Good oral hygein70050050: 476F6F64 206F7261 6C206879 6765696E Good oral hygein70050060: 65002070050060: 650020 e. e.

3.1 Poor Man’s NIDS





Applicability:Applicability: Small remote networks Small remote networks where it is cost-prohibitive to install a where it is cost-prohibitive to install a dedicated NIDS sensor.dedicated NIDS sensor.

Method:Method: Sniff all traffic matching the Sniff all traffic matching the ‘default deny’ rule on the border router.‘default deny’ rule on the border router.

Security BenefitSecurity Benefit An attacker’s initial An attacker’s initial attempts will be caught by a NIDS sensor.attempts will be caught by a NIDS sensor.

Bandwidth Consumption:Bandwidth Consumption: 2*(Attack 2*(Attack Traffic)Traffic)

Effectiveness:Effectiveness: Will only provide early Will only provide early waning signs such as port scans, waning signs such as port scans, traceroutes.traceroutes.

Increasing Effectiveness:Increasing Effectiveness: Dynamically Dynamically reroute traffic through NIDS based on reroute traffic through NIDS based on early warning signs.early warning signs.

Limitations:Limitations: Cannot inspect authorized Cannot inspect authorized traffic.traffic.

3.2 Backtracking DoS





Applicability: Bandwith-consumption DoS attacks.

Method: Start with the routers nearest to the DoS target. Reroute DoS target traffic to an analysis host using GRE or IPIP tunnels. Determine which router forwards the most DoS traffic, then proceed to analyze the next hop beyond that router. Continue until the source of the attack is determined.

Security Benefit: The DoS source network can be identified and traffic flow can be blocked. Normal operations can thereby resume.

Effectiveness: Depends on analysis engine implementation. Theoretically, the DoS source could be identified within minutes.Limitations: Does not identify DoS traffic.

3.3 Attack Reciprocation





Applicability: Targeted attacks.

Method: Once an attack is identified, reroute the attacker through the reciprocating host. Provide bogus data to the attacker, possibly even malicious code that the attacker may execute.

Security Benefit: Valuable information about the attacker can be captured for the purposes of investigation.

Effectiveness: Depends on the effort given to make reciprocation transparent to the attacker. This type of response should is only feasible for very high criticality systems.Limitations: Depends heavily on the ability to identify active attacks and the creativity of the reciprocating security team.

4.1 Jitney





5.1 Management Interface Exposure

Block Unauthorized Block Unauthorized ConnectionsConnectionsDeny access to management Deny access to management interfaces at the border and at interfaces at the border and at any access point (router, switch, any access point (router, switch, firewall, etc).firewall, etc).





Block All ConnectionsBlock All ConnectionsOnly allow network management Only allow network management connections via a terminal server.connections via a terminal server.

5.2 Protecting Data

Encrypt Sensitive Encrypt Sensitive TrafficTraffic

What more needs be said?What more needs be said?





5.3 Wishful Thinking

Signed ConfigurationsSigned ConfigurationsHigher TrustHigher Trust

Strong AuthenticationStrong Authentication

PKI integration (inter-ISP traffic PKI integration (inter-ISP traffic control?)control?)





Reduced IOS BuildsReduced IOS BuildsExcludes debugging functionalityExcludes debugging functionality

Cisco Internetwork Operating System SoftwareIOS (tm) 2500 Software (C2500-IO-L-NODEBUG),

Version 12.0(9), RELEASE SOFTWARE (fc1)Copyright (c) 1986-2000 by cisco Systems, Inc.Compiled Mon 24-Jan-04 23:45 by bettylImage text-base: 0x030325B0, data-base: 0x00001000

Linkshttp://www.giac.org/practical/Joshua_Wright_GCIH.zip

http://www.phenoelit.de/tools/

http://www.phrack.org/show.php?p=56&a=10





http://www.giac.org/practical/Joshua_Wright_GCIH.zip

http://www.giac.org/practical/Joshua_Wright_GCIH.zip

http://www.phenoelit.de/tools/




Documents

Presentation(PPT)