The authentication, management and routing protocols that run your network
Dave Ahmad <da@securityfocus.com> Jeremy Rauch <jrauch@securityfocus.com>
Topics
Overview
Basic protocol flaws
Network allocation flaws
Routing protocol flaws
Authentication flaws
Network management and other fun flaws
Application of attacks
The Network
(Diagram, built up over several slides: Internet, firewall, router, switch, hub, DMZ hosts, printer, Radius server.)
Overview: Network Infrastructure
Does: simplify network design and machine deployment; access control; getting from A to B.
The network RUNS on these:
Authentication
Routing
Other stuff
Overview: Impacts
Attacking protocols can allow for hijacking, spoofing and impersonation; control of network devices; elevating access; changing network flow; hiding connections; sniffing; and more.
Basic Protocols: Security
ARP: Address Resolution Protocol
Used for mapping network IP addresses to physical (in the case of Ethernet, MAC) interface addresses. Broadcast at the link layer.
Lack of Authentication
ARP replies are typically accepted and cached without concern for origin when received.
ARP replies
When an ARP who-is is broadcast on the wire, anyone can reply and be mapped to the associated network address.
Gratuitous ARP replies
ARP replies without requests can be sent out and cached, diverting traffic from the compromised network address to the attacker.
ARP Attacks
Replace
ARP Attacks: ARP Cache Overpopulation
Sending too many gratuitous ARP replies flushes the target ARP cache in some implementations.
Reaching the cache maximum can cause devices like switches to re-enter learning mode.
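The ARP problems above (replies cached without any check of origin, and replies nobody asked for) can be spotted passively. This added example, not part of the slides, decodes raw RFC 826 ARP bodies and flags unsolicited replies and IP-to-MAC changes; the capture it runs over is constructed inline, with addresses from the documentation ranges.

```python
import struct

# Ethernet/IPv4 ARP body (RFC 826), 28 bytes, no Ethernet header: hw type, proto type,
# hw len, proto len, opcode, sender MAC, sender IP, target MAC, target IP.
ARP_FMT = "!HHBBH6s4s6s4s"
ARP_REQUEST, ARP_REPLY = 1, 2

def parse_arp(body):
    """Decode one ARP body; rejects anything that is not Ethernet/IPv4 ARP."""
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(ARP_FMT, body[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return {"op": op, "sha": sha.hex(":"), "spa": ".".join(map(str, spa)),
            "tha": tha.hex(":"), "tpa": ".".join(map(str, tpa))}

def build_arp(op, sha, spa, tha, tpa):  # packet constructor for the sample capture below
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    ip = lambda s: bytes(int(o) for o in s.split("."))
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op, mac(sha), ip(spa), mac(tha), ip(tpa))

def audit_arp(bodies, known=None):
    """Flag replies nobody asked for (gratuitous/unsolicited) and replies that contradict
    an already-learned IP->MAC mapping. 'known' seeds the table from a trusted inventory."""
    table = dict(known or {})   # IP -> MAC, as a host's cache would learn it
    pending = set()             # IPs some host on the segment actually asked about
    alerts = []
    for body in bodies:
        pkt = parse_arp(body)
        if pkt["op"] == ARP_REQUEST:
            pending.add(pkt["tpa"])
            continue
        if pkt["op"] != ARP_REPLY:
            continue
        if pkt["spa"] in pending:
            pending.discard(pkt["spa"])
        else:
            alerts.append(f"unsolicited reply: {pkt['spa']} is-at {pkt['sha']}")
        prior = table.get(pkt["spa"])
        if prior is None:
            table[pkt["spa"]] = pkt["sha"]          # first answer is what a victim would cache
        elif prior != pkt["sha"]:
            alerts.append(f"mapping change: {pkt['spa']} {prior} -> {pkt['sha']}")
    return alerts, table

# Constructed capture: a host asks for the gateway, gets a legitimate answer, then an
# unsolicited reply claims the gateway address with a different MAC.
GATEWAY, HOST = "10.0.0.1", "10.0.0.20"
SAMPLE = [build_arp(ARP_REQUEST, "00:00:5e:00:53:0a", HOST, "00:00:00:00:00:00", GATEWAY),
          build_arp(ARP_REPLY, "00:00:5e:00:53:01", GATEWAY, "00:00:5e:00:53:0a", HOST),
          build_arp(ARP_REPLY, "00:00:5e:00:53:ee", GATEWAY, "00:00:5e:00:53:0a", HOST)]
```

Seeding `known` with the gateway's real MAC from an inventory turns the mapping-change alert into a check that does not depend on which reply arrived first.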
DHCP: Dynamic Host Configuration Protocol
Popular amongst PC users for ease of installation and configuration. UDP transport. To broadcast, from 0.0.0.0.
ACL capabilities
DHCP Attacks
Get all addresses: denial of service.
Reply to requests with compromised host set as router or nameserver.
Deregister hosts.
DHCP Fixes
Authentication: ISC is adding authentication in their 3.1 implementation. Others have implemented proprietary authentication mechanisms.
Don't
Gateway Protocols
IGP: RIPv1, RIPv2, OSPF
BGP
RIP: Routing Information Protocol
Widely used distance-vector IGP (Interior Gateway Protocol) within autonomous systems.
attack.
Authentication Method: Cleartext, MD5
Authentication recommended in RFC 2453 (RIPv2 specification); Key/Key-ID digest-based authentication described in RFC 2082.
RIP Attacks
Forging RIP messages: spoofing the source address and sending invalid routes, altering traffic flow.
Traffic hijacking; traffic monitoring.
RIP Solutions
Disabling RIPv1 and using RIPv2 with MD5 authentication.
Enabling MD5-based authentication for RIPv2.
Disabling RIP completely and using OSPF with MD5 authentication as the interior gateway protocol. OSPF is the suggested IGP.
OSPF
Lack of Authentication: commonly a default setting; a clear-text password included in the OSPF message is used to authenticate peers.
Type
OSPF Attacks
Forging OSPF messages: can be somewhat difficult but theoretically possible if no authentication is required or the cleartext password is obtained.
OSPF Solution
Enable
BGP
BGP,
Successor to EGP, the Exterior Gateway Protocol. Used primarily for connecting autonomous systems.
Authentication Mechanism
Lack of authentication: in some operating systems/network devices supporting BGP, authentication may not be used by default.
Default
Communication occurs on TCP port 179. Vulnerable to TCP security problems such as SYN flood and sequence number prediction.
Denial of Service; Advertisement of Invalid Routes
TCP
Reliable, sequenced control protocol. Trusts Initial Sequence Number (ISN) generation. If ISN generation is weak, vulnerable to IP spoofing/hijack attacks. Vulnerable to attacks affecting TCP, i.e., SYN flood.
Denial of Service
BGP Attacks
Sending
Possible if the ISN generation on the target is weak. No sequencing in BGP other than the TCP sequence. Must be authenticated (if authentication is required).
Hijacking
Denial of Service: SYN flooding port 179
attack
properly authenticated, a malicious UPDATE can alter the outward flow of network traffic for an entire AS.
Routes for address space not belonging to the BGP speaker can be advertised and stored in tables.
BGP Source
If a router supporting BGP is compromised, it is certainly possible to begin advertising invalid routes with little to stop it. This can divert traffic from other AS routers that trust the routes advertised by the compromised one. Traffic can be intercepted, hijacked or monitored.
BGP Solutions
Enable MD5 authentication. Limit access to the service (TCP port 179). Configure route filters.
Authentication is a means for verification and granting of access. Problems range from denial of service to active and passive attacks leading to total compromise: gain access; elevate access.
Authentication Mechanisms
Radius
TACACS, XTACACS, TACACS+
NIS/NIS+
LDAP
RADIUS: Remote Authentication Dial In User Service
RFC 2138 & 2139. Used to authenticate users. Off-machine/device authentication.
Central authentication server called a NAS. Popular implementations from Livingston and Merit.
Radius Flaws
Gaining
Radius Flaws...
Passive attack
Knowledge of a user password will allow attack if sniffing is possible. Access-Request uses user password + authenticator + shared secret:
md5(authenticator + shared secret) ^ user pass
Obtain the md5 by ^ user pass; brute force/dictionary attack with known authenticator.
Radius Flaws...
Replay
Predictable authenticator: if the authenticator can be predicted, replay attacks become easier and more effective.
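To make the passive-attack and predictable-authenticator points concrete, this added example (not from the slides) implements the User-Password hiding of RFC 2138 section 5.2, following the RFC's MD5(secret + Request Authenticator) construction, and shows what a fixed authenticator leaks. The shared secret and the fixed authenticator are constructed sample values.

```python
import hashlib

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """User-Password hiding per RFC 2138 5.2: the password is null-padded to a multiple
    of 16 bytes; block 1 is XORed with MD5(secret + Request Authenticator), each later
    block with MD5(secret + previous hidden block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        stream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ s for p, s in zip(padded[i:i + 16], stream))
        hidden, prev = hidden + block, block
    return hidden

def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """What the RADIUS server does: regenerate the same key stream, XOR back, strip padding."""
    plain, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        stream = hashlib.md5(secret + prev).digest()
        plain += bytes(h ^ s for h, s in zip(hidden[i:i + 16], stream))
        prev = hidden[i:i + 16]
    return plain.rstrip(b"\x00")

def other_password_from_reused_authenticator(hidden_known, known_password, hidden_other):
    """Why the authenticator must be unpredictable: with the same secret and the same
    authenticator, both first blocks are XORed with the same MD5 key stream, so a sniffer
    who knows one password recovers the other's first 16 bytes without learning the secret."""
    padded = known_password + b"\x00" * (-len(known_password) % 16)
    stream = bytes(h ^ p for h, p in zip(hidden_known[:16], padded[:16]))  # = MD5(secret+auth)
    return bytes(h ^ s for h, s in zip(hidden_other[:16], stream)).rstrip(b"\x00")

# Constructed values: a sample shared secret and a fixed (i.e. perfectly predictable)
# Request Authenticator standing in for a NAS that fails to randomise it.
SECRET = b"example-shared-secret"
FIXED_AUTHENTICATOR = bytes(range(16))
```

The recovered key stream is exactly the "obtain md5 by ^ userpass" value from the slide, which is why a short or guessable shared secret then falls to an offline dictionary search.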
System??
Old protocol developed by BBN for Milnet. Similar in concept to RADIUS.
TACACS & XTACACS: UDP transport; spoof RESPONSE messages from the server trivially.
TACACS+
TCP transport and encryption
NIS: Network Information Service
Originally from Sun. Popular scheme for distributing password, name service, etc. RPC-based transport.
vulnerabilities in implementations
A quick search for NIS and NIS+ vulnerabilities resulted in over a dozen individual problems.
NIS+
LDAP: Lightweight Directory Access Protocol
Operates on distinguished name (DN) and attribute pairs or collections.
LDAP Flaws
New and relatively untested. Unfamiliar. Default ACLs are typically poor. Authentication mechanisms still not fully implemented; CA-based authentication still only part there.
DoS attacks
SNMP: Simple Network Management Protocol
The most popular network management protocol. Hosts, firewalls, routers, switches, UPS, power strips, ATM cards -- ubiquitous.
One
Mechanism
Disclosure
UDP based: unreliable - packets may or may not be received; easily forged - trivial to forge the source of packets.
Based
Based
Defaults: default password: tivoli, openview, community, snmp, snmpd, system, and on and on...
public, private, write, all, private, monitor, manager, security, admin, lan
flaws: additional hazards by introducing action invocation objects; collects extensive info on subnet; packet captures.
SNMP Fixes
Disable it
ACL it
Read-only
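The three fixes above (disable, ACL, read-only) and the default community list can be checked mechanically. This added example, not part of the slides, audits net-snmp `rocommunity`/`rwcommunity` lines in an snmpd.conf; the default-community set is taken from the slide and the sample configuration is constructed.

```python
import re

# Community strings the slide lists as common defaults (sample set, taken from the page).
DEFAULT_COMMUNITIES = {"public", "private", "write", "all", "monitor", "manager",
                       "security", "admin", "lan", "tivoli", "openview", "community",
                       "snmp", "snmpd", "system"}

# net-snmp snmpd.conf directives: rocommunity/rwcommunity NAME [SOURCE [OID]]
DIRECTIVE = re.compile(r"^\s*(rocommunity|rwcommunity)6?\s+(\S+)(?:\s+(\S+))?", re.I)

def audit_snmpd_conf(text: str) -> list:
    """Return one finding per problem: write access (not read-only), a well-known
    default community name, and no source restriction (no ACL)."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = DIRECTIVE.match(line)
        if not m:
            continue                      # comments, blank lines, other directives
        kind, name, source = m.group(1).lower(), m.group(2), m.group(3)
        if kind.startswith("rw"):
            findings.append(f"line {lineno}: '{name}' grants write access; prefer rocommunity")
        if name.lower() in DEFAULT_COMMUNITIES:
            findings.append(f"line {lineno}: '{name}' is a well-known default community")
        if source is None or source.lower() == "default":
            findings.append(f"line {lineno}: '{name}' has no source ACL; restrict to the NMS")
    return findings

# Constructed sample: one wide-open default, one writable default, one acceptable line.
SAMPLE_CONF = """\
# constructed sample snmpd.conf
rocommunity public
rwcommunity private 10.0.0.0/24
rocommunity r3ad0nly-3xample 10.0.0.5
"""
```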
Printer Flaws
Actually a very large potential problem: laundering of hacking spoils; bounce attacks; denial of service.
Printer flaws...
Many
Printer flaws...
Denial of Service: smurf; service denied; poor TCP/IP implementations; crash easily.
Printer fixes?
Disable
Example applications
Defeat sniffing
Race hosts on ARP replies; reply to ARPs with the broadcast address; overpopulate caches (some switches will flush their caches).
Examples
Defeating router access
Obtain the auth protocol key via brute force; extract passwords on the wire; just plain old sniff.
What to do?
Maintain
Crypto is good, but crypto fails without good policy.
Disable unneeded services.
What to do...
Disable
Questions?
Dave Ahmad <da@securityfocus.com> Jeremy Rauch <jrauch@securityfocus.com>