
Network Infrastructure Insecurity

The authentication, management and routing protocols that run your network
Dave Ahmad <da@securityfocus.com> Jeremy Rauch <jrauch@securityfocus.com>

Topics
- Overview
- Basic protocol flaws
- Network allocation flaws
- Routing protocol flaws
- Authentication flaws
- Network Management and other fun flaws
- Application of attacks

The Network
[Diagram, built up over four slides: Internet - Firewall - Router - Switch - Hub, with DMZ hosts, a Printer and a Radius Server behind them]

Overview: Network Infrastructure
The building blocks of a network:
- basic network protocols
- network management
- authentication
- routing
- other random things: switches, hubs, printers, routers

Overview: Does this stuff matter?
Absolutely - the network depends on these:
- Basic protocols - obvious
- Network management & allocation - simplify network design and machine deployment
- Authentication - access control
- Routing - getting from A to B
- Other stuff - the network RUNS on these

Overview: Impacts
Attacking protocols can allow for:
- hijacking, spoofing and impersonation
- control of network devices
- elevated access
- changed network flow
- hidden connections
- sniffing
- and more

Basic Protocols
- Security at the IP layer is discussed over and over
- Security at the link layer is ignored

ARP: Address Resolution Protocol
- Used for mapping network IP addresses to physical (in the case of ethernet, MAC) interface addresses.
- Broadcast at the link layer.

ARP Security Flaws
- Lack of Authentication
- Limited Table Entries: ARP caches can be overpopulated and flushed

ARP Authentication Flaws
- Lack of Authentication
  - ARP replies are typically accepted and cached without concern for origin when received.
  - No method to distinguish between legitimate and illegitimate messages.

ARP Lack of Authentication
- Invalid ARP replies: when an ARP who-has is broadcast on the wire, anyone can reply and be mapped to the associated network address.
- Gratuitous ARP replies: ARP replies without requests can be sent out and cached, diverting traffic from the compromised network address to the attacker.

ARP Attacks
- Replace entries in ARP caches for existing addresses
  - Denial of Service
  - Reply to requests with compromised host address as router or nameserver
  - Non-blind traffic hijacking
  - Exploitation of host-based trusts

ARP Attacks: ARP Cache Overpopulation
- Sending too many gratuitous ARP replies flushes the target ARP cache in some implementations.
- Reaching the cache maximum can cause devices like switches to re-enter learning mode.
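As an added example (not from the original slides), a small monitor that replays parsed ARP frames through a naive cache and raises the two alerts a defender wants for the flaws above: a reply that rebinds an already cached IP to a new MAC, and a burst of gratuitous replies from one MAC of the kind that overpopulates caches. The frames, addresses and burst threshold are constructed for the example.

```python
from collections import Counter

# Constructed sample of parsed ARP frames: (opcode, sender_ip, sender_mac, target_ip).
# Opcode 1 is a request, 2 a reply; a reply whose sender and target IP match is gratuitous.
SAMPLE_FRAMES = [
    (1, "10.0.0.5", "00:11:22:33:44:55", "10.0.0.1"),   # who-has 10.0.0.1 (the router)
    (2, "10.0.0.1", "00:aa:bb:cc:dd:01", "10.0.0.5"),   # router's legitimate reply
    (2, "10.0.0.1", "00:de:ad:be:ef:99", "10.0.0.5"),   # same IP, different MAC: rebinding
] + [  # a burst of 40 gratuitous replies for unused addresses, as in cache overpopulation
    (2, f"10.0.0.{n}", "00:de:ad:be:ef:99", f"10.0.0.{n}") for n in range(50, 90)
]

def analyse_arp(frames, burst_limit=20):
    """Replay frames through a naive cache (every reply is accepted, which is the
    flaw on the slides) and return (cache, alerts) that a monitor would raise."""
    cache, alerts = {}, []
    gratuitous = Counter()            # gratuitous replies seen per sender MAC
    for opcode, sender_ip, sender_mac, target_ip in frames:
        if opcode != 2:
            continue                  # requests do not populate the cache here
        if sender_ip in cache and cache[sender_ip] != sender_mac:
            alerts.append(f"binding change: {sender_ip} {cache[sender_ip]} -> {sender_mac}")
        cache[sender_ip] = sender_mac
        if sender_ip == target_ip:    # gratuitous reply
            gratuitous[sender_mac] += 1
            if gratuitous[sender_mac] == burst_limit:
                alerts.append(f"gratuitous ARP burst from {sender_mac} "
                              f"({burst_limit} replies)")
    return cache, alerts

if __name__ == "__main__":
    cache, alerts = analyse_arp(SAMPLE_FRAMES)
    print(len(cache), "cache entries")
    for a in alerts:
        print("ALERT:", a)
```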

DHCP: Dynamic Host Configuration Protocol
- Popular amongst PC users for ease of installation and configuration
- UDP transport
- To broadcast, from 0.0.0.0

DHCP Security Problems
- Unauthenticated: anyone can request an address
- Undirected: anyone can respond
- Limited ACL capabilities: limit addresses per MAC

DHCP Attacks
- Get all addresses: Denial of Service
- Reply to requests with compromised host set as router or nameserver
- Deregister hosts: hijack IPs, connections

DHCP Fixes
- Authentication
  - ISC is adding authentication in their 3.1 implementation
  - Others have implemented proprietary authentication mechanisms
- Don't allow dynamic assignment of DNS servers or routers
  - Statically define these

Gateway Protocols
- IGP
  - RIPv1, RIPv2
  - OSPF
- BGP

RIP: Routing Information Protocol
- Widely used distance-vector IGP (Interior Gateway Protocol) within autonomous systems.
- Exists in two forms, Version 1 and the backwards compatible Version 2.
- RIPv1 is extremely vulnerable to serious attack.

RIP Security Flaws
- Transport Method
- Authentication

RIP Transport Method Flaws
- Based on UDP, utilizing port 520 for sending and receiving messages.
- UDP is unreliable, with no sequencing of packets. Easy to send arbitrary data to a target. Since sequencing is not a concern, forging the source address can be very effective.
- May be able to receive data from anywhere on the internet.

RIP Authentication Flaws
- Lack of any authentication in RIPv1
- Cleartext: authentication recommended in RFC 2453 (RIPv2 Specifications)
- MD5: Key/KeyID digest based authentication described in RFC 2082

RIP Attacks
- Forging RIP messages: spoofing the source address and sending invalid routes, altering traffic flow.
  - Traffic Hijacking
  - Traffic Monitoring
  - Redirecting traffic from trusted to untrusted.
- Obtaining the cleartext RIPv2 "password" when sent across the network.
  - Using the retrieved password to send authenticated updates to RIPv2 routers, altering traffic flow with the consequences listed above.

RIP Solutions
- Disabling RIPv1 and using RIPv2 with MD5 authentication.
- Enabling MD5 based authentication for RIPv2.
- Disabling RIP completely and using OSPF with MD5 authentication as the interior gateway protocol. OSPF is the suggested IGP.
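As an added example (not the authors' code), the RFC 2082 keyed-MD5 scheme the slides recommend for RIPv2: the sender appends an authentication entry and a trailer whose digest covers the whole message plus the key, and the receiver recomputes it with the key named by Key ID, so a forged or altered update is rejected instead of installed. Route, key and key ID are constructed; the field layout follows RFC 2082 as read here (packet length field as the trailer offset, 16 bytes of authentication data).

```python
import hashlib, hmac, struct

# Constructed values for the example: one route and a shared key under key ID 1.
KEYS = {1: b"rip-shared-key"}
ROUTE = ("10.1.0.0", "255.255.0.0", 1)     # (prefix, mask, metric)

def ip(dotted):
    return struct.unpack(">I", bytes(int(o) for o in dotted.split(".")))[0]

def build_ripv2_md5(routes, key_id, key, seq):
    """RIPv2 Response with an RFC 2082 keyed-MD5 authentication entry and trailer."""
    header = struct.pack(">BBH", 2, 2, 0)                # command=Response, version 2
    entries = b"".join(struct.pack(">HHIIII", 2, 0, ip(p), ip(m), 0, met)
                       for p, m, met in routes)
    pkt_len = len(header) + 20 + len(entries)            # offset of the trailer
    auth = struct.pack(">HHHBBI8x", 0xFFFF, 3, pkt_len, key_id, 16, seq)
    body = header + auth + entries
    trailer = struct.pack(">HH", 0xFFFF, 1)
    padded_key = key.ljust(16, b"\0")[:16]               # key sits where the digest goes
    digest = hashlib.md5(body + trailer + padded_key).digest()
    return body + trailer + digest

def verify_ripv2_md5(pkt, keys):
    """Recompute the digest with the key named by Key ID; False on any mismatch."""
    if len(pkt) < 24 or struct.unpack(">HH", pkt[4:8]) != (0xFFFF, 3):
        return False
    pkt_len, key_id = struct.unpack(">HB", pkt[8:11])
    if key_id not in keys or len(pkt) != pkt_len + 20:
        return False
    body, trailer, digest = pkt[:pkt_len], pkt[pkt_len:pkt_len + 4], pkt[pkt_len + 4:]
    if trailer != struct.pack(">HH", 0xFFFF, 1):
        return False
    padded_key = keys[key_id].ljust(16, b"\0")[:16]
    expected = hashlib.md5(body + trailer + padded_key).digest()
    return hmac.compare_digest(expected, digest)

def tamper_metric(pkt, new_metric):
    """Change the first route's metric in transit without recomputing the digest."""
    return pkt[:40] + struct.pack(">I", new_metric) + pkt[44:]
```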

OSPF: Open Shortest Path First
- Link-State Interior Gateway Protocol. In wide use within autonomous systems.
- OSPF is the recommended IGP, intended as a replacement for RIP.

OSPF Security Flaws
- Authentication

OSPF Authentication Flaws
- Default lack of authentication: by default in some implementations, OSPF authentication may be off.
- Cleartext "simple password" authentication: commonly a default setting; a clear-text password included in the OSPF message is used to authenticate peers.
- The type of authentication is determined by the "CODE" field in the OSPF message header.

OSPF Attacks
- Forging OSPF messages: can be somewhat difficult but theoretically possible if no authentication is required or the cleartext password is obtained.

OSPF Solution
- Enable MD5 authentication in the OSPF implementation.

BGP: The Border Gateway Protocol
- Successor to EGP, the Exterior Gateway Protocol. Used primarily for connecting autonomous systems.

BGP Security Flaws
- Transport Mechanism
- Authentication

BGP Authentication Flaws
- Default lack of authentication: in some operating systems/network devices supporting BGP, authentication may not be used by default.
- Default "simple password" cleartext: password sent in cleartext across the network by default.

BGP Transport Mechanism Flaws
- BGP uses TCP transport. Communication occurs on TCP port 179.
- Vulnerable to TCP security problems such as SYN flood and sequence number prediction.
  - Denial of Service
  - Advertisement of Invalid Routes

BGP Transport Method Flaws
- Uses TCP: reliable, sequenced control protocol.
- Trusts Initial Sequence Number (ISN) generation. If ISN generation is weak, vulnerable to IP spoofing/hijack attacks.
- Vulnerable to attacks affecting TCP, i.e. SYN flood: Denial of Service.

BGP Attacks
- Sending forged UPDATEs to AS gateways
  - Possible if the ISN generation on the target is weak.
  - No sequencing in BGP other than the TCP sequence.
  - Must be authenticated (if authentication is required).
- Hijacking the BGP connection between peers: if the password is known or there is no authentication.
- Denial of Service: SYN flooding port 179.

BGP Attacks (cont.)
- Dictionary attack: simple-password authentication (cleartext password) is vulnerable to a basic dictionary attack.
- If properly authenticated, a malicious UPDATE can alter the outward flow of network traffic for an entire AS.
- Routes for address space not belonging to the BGP speaker can be advertised and stored in tables.

BGP Attacks (cont.)
- Compromised BGP source: if a router supporting BGP is compromised, it is certainly possible to begin advertising invalid routes with little to stop it. This can divert traffic from other AS routers that trust the routes advertised by the compromised one. Traffic can be intercepted, hijacked or monitored.

BGP Solutions
- Enable MD5 authentication
- Limit access to the service (TCP port 179)
- Configure route filters
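As an added example (not from the slides), an inbound route filter of the kind the last bullet calls for: prefixes from a peer are accepted only if they lie inside that peer's registered address space and are not more specific than a chosen limit, which keeps the "address space not belonging to the BGP speaker" advertisements from the previous slides out of the table. The peer and its allowed prefixes are constructed policy data.

```python
import ipaddress

# Constructed policy for the example: the prefixes each peer is allowed to originate,
# as a real deployment would derive from registry (IRR) or customer records.
PEER_POLICY = {
    "192.0.2.1": ["203.0.113.0/24", "198.51.100.0/22"],
}

def filter_update(peer, advertised, policy=PEER_POLICY, max_prefixlen=24):
    """Split the prefixes in one UPDATE into (accepted, rejected), where rejected
    holds (prefix, reason) pairs. A prefix passes only if the peer is known, the
    prefix lies inside one of its allowed blocks, and it is not more specific
    than max_prefixlen (keeps de-aggregated junk out of the table)."""
    allowed = [ipaddress.ip_network(p) for p in policy.get(peer, [])]
    accepted, rejected = [], []
    for prefix in advertised:
        net = ipaddress.ip_network(prefix, strict=False)
        if not allowed:
            rejected.append((prefix, "unknown peer"))
        elif net.prefixlen > max_prefixlen:
            rejected.append((prefix, "more specific than /%d" % max_prefixlen))
        elif not any(a.version == net.version and net.subnet_of(a) for a in allowed):
            rejected.append((prefix, "outside peer's address space"))
        else:
            accepted.append(prefix)
    return accepted, rejected

if __name__ == "__main__":
    acc, rej = filter_update("192.0.2.1", ["203.0.113.0/24", "10.0.0.0/8"])
    print("accepted:", acc)
    print("rejected:", rej)
```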

Authentication Flaw Overview
- Authentication is a means for verification and granting of access
- Problems range from denial of service to active and passive attacks leading to total compromise
  - gain access
  - elevate access

Authentication Mechanisms
- Radius
- TACACS, XTACACS, TACACS+
- NIS/NIS+
- LDAP

RADIUS: Remote Authentication Dial In User Service
- RFC 2138 & 2139
- Used to authenticate users
- Off-machine/device authentication
- Central authentication server called a NAS
- Popular implementations from Livingston and Merit

Radius Security Model
- UDP based transport
- Each packet contains an authenticator
- Access-Requests: md5(secret + authenticator) ^ user password
- Access-Reject & Access-Accept: md5(Code + ID + Length + Request-Auth + Attributes + Secret)

Radius Flaws: Gaining the shared secret
- Send an Access-Request with all known values: Authenticator = 0, User-Password = 0, Code = Access-Request, ID = 0, length = known, Attributes = none
- The reply will come back with the following: md5(1 + 0 + length + 0 + 0 + Secret)
- radbrute.tar.gz: dictionary attack for Secret

Radius Flaws: Passive attack
- Knowledge of a user password will allow attack if sniffing is possible
- Access-Request uses user password + authenticator + shared secret: md5(authenticator + shared secret) ^ user pass
- Obtain the md5 by ^ userpass; brute force dictionary attack with the known authenticator

Radius Flaws: Replay
- Radius servers must not reuse an authenticator
  - If the authenticator isn't cryptographically random, repeat authentications until an authenticator is reused, and replay the server's Access-Accept
  - Failure limits and logging limit the effectiveness
- Predictable authenticator: if the authenticator can be predicted, replay attacks become easier and more effective
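As an added example (not from the slides or either implementation named above), the two RADIUS computations the slides describe, RFC 2138 password hiding and the Access-Accept/Reject Response Authenticator, plus the client-side bookkeeping that blunts the replay flaw: a fresh random Request Authenticator per request and a reply check that consumes the pending request, so a captured Access-Accept matches nothing. Secret, authenticator and identifiers are constructed; the rng parameter exists only so a test can inject a fixed authenticator.

```python
import hashlib, hmac, os, struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2

def hide_password(password, secret, authenticator):
    """RFC 2138 User-Password hiding: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    padded = password.ljust(-(-len(password) // 16) * 16, b"\0")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], pad))
        out += prev
    return out

def unhide_password(hidden, secret, authenticator):
    """What the server does; also what anyone holding the secret and a capture can do."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], pad))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\0")

def response_authenticator(code, ident, attrs, request_auth, secret):
    """MD5(Code + ID + Length + Request-Auth + Attributes + Secret), as on the slide."""
    hdr = struct.pack(">BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(hdr + request_auth + attrs + secret).digest()

class RadiusClient:
    """Minimal NAS-side bookkeeping: a fresh random authenticator per request and a
    reply check bound to an outstanding request, so a captured reply cannot be replayed."""
    def __init__(self, secret, rng=os.urandom):
        self.secret, self.rng, self.pending = secret, rng, {}

    def new_request(self, ident, password):
        auth = self.rng(16)                        # must be unpredictable, never reused
        self.pending[ident] = auth
        return auth, hide_password(password, self.secret, auth)

    def check_reply(self, code, ident, attrs, resp_auth):
        req_auth = self.pending.pop(ident, None)   # one reply per request
        if req_auth is None:
            return False
        expected = response_authenticator(code, ident, attrs, req_auth, self.secret)
        return hmac.compare_digest(expected, resp_auth)
```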

TACACS, XTACACS and TACACS+
- Terminal Access Controller Access Control System??
- Old protocol developed by BBN for Milnet
- Similar in concept to RADIUS: a central authentication server moves authentication off the device or host
- RFC 1492; Internet Draft "The TACACS+ Protocol"

TACACS, etc. Flaws
- TACACS & XTACACS
  - UDP transport: spoof RESPONSE messages from the server trivially
  - Cleartext authentication normal: user names and passwords sent exposed
  - MD5 in newer implementations
  - Good way to crack passwords online: easy, fast way to grind for accounts with bad passwords

TACACS+
- TCP transport: doesn't suffer from easy spoofing; may be hijackable
- Authentication and encryption: may be possible to conduct attacks similar to RADIUS
- Defaults and failure modes may pose problems: tacacs-server last-resort succeed

NIS and NIS+: Network Information Service
- Originally from Sun
- Popular scheme for distributing password, name service, etc.
- RPC based transport

NIS and NIS+ Flaws
- NIS transports in plaintext
- NIS is only protected by a domainname: easily guessed
- Many vulnerabilities in implementations: a quick search for NIS and NIS+ vulnerabilities resulted in over a dozen individual problems
- NIS+ is sufficiently complex to install that no one uses it

NIS and NIS+ Solutions
- Run NIS+ if at all possible
- Investigate alternatives like LDAP

LDAP: Lightweight Directory Access Protocol
- Operates on distinguished name (DN) and attribute pairs or collections

LDAP Flaws
- New and relatively untested
- Unfamiliar
- Default ACLs are typically poor
- Authentication mechanisms still not fully implemented: CA based authentication still only part of the way there
- DoS attacks: flood with requests

Network Management and Other Fun Flaws
- SNMP
- Printers

SNMP: Simple Network Management Protocol
- The most popular network management protocol
- Hosts, firewalls, routers, switches, UPS, power strips, ATM cards -- ubiquitous
- One of the single biggest security nightmares on networks today

SNMPv1 Security Flaws
- Transport Mechanism: data manipulation, denial of service, replay
- Authentication: host based, community based
- Information Disclosure

SNMP Transport Mechanism Flaws
- UDP based
  - Unreliable - packets may or may not be received
  - Easily forged - trivial to forge the source of packets

SNMP Authentication Flaws
- Host based: fails due to UDP transport, DNS cache poisoning
- Community based: cleartext community; community name prediction/brute forcing; default communities

SNMP Popular Defaults
- public, private, write, all private, monitor, manager, security, admin, lan, default, password, tivoli, openview, community, snmp, snmpd, system, and on and on...

SNMPv1 Information Disclosure
- Routing tables
- Network topology
- Network traffic patterns
- Filter rules

RMON and RMON2 Security
- SNMPv1's flaws, plus additional hazards: introduces action invocation objects, collects extensive info on the subnet, packet captures

SNMP Fixes
- Disable it
- ACL it
- Make it Read-Only
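As an added example (not from the slides), a minimal BER parser that pulls version, community and PDU type out of an SNMPv1 datagram and flags what a monitor on UDP/161 should care about given the flaws above: the community travelling in cleartext, a community from the default list, and SetRequests (write access). The two datagrams are constructed: a GetRequest for sysDescr.0 with community "public" and a SetRequest for the same object with community "private".

```python
DEFAULT_COMMUNITIES = {
    "public", "private", "write", "all private", "monitor", "manager", "security",
    "admin", "lan", "default", "password", "tivoli", "openview", "community",
    "snmp", "snmpd", "system",
}
PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse", 0xA3: "SetRequest"}

def read_tlv(buf, pos):
    """Decode one BER tag-length-value starting at pos: (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                        # long form: low bits count length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_snmpv1(pkt):
    """Pull version, community and PDU type out of an SNMPv1 message."""
    tag, msg, _ = read_tlv(pkt, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    vtag, version, p = read_tlv(msg, 0)
    ctag, community, p = read_tlv(msg, p)
    ptag, _, _ = read_tlv(msg, p)
    if vtag != 0x02 or ctag != 0x04:
        raise ValueError("unexpected header encoding")
    return {"version": int.from_bytes(version, "big"),
            "community": community.decode("latin-1"),
            "pdu": PDU_NAMES.get(ptag, hex(ptag))}

def assess(pkt):
    """Return (parsed, findings): what a monitor watching UDP/161 would flag."""
    m = parse_snmpv1(pkt)
    findings = []
    if m["version"] == 0:
        findings.append("SNMPv1: community string travels in cleartext")
    if m["community"].lower() in DEFAULT_COMMUNITIES:
        findings.append(f"well-known default community '{m['community']}'")
    if m["pdu"] == "SetRequest":
        findings.append("write access attempted (SetRequest)")
    return m, findings

# Constructed sample datagrams (hex): GetRequest/sysDescr.0 with "public",
# and SetRequest for the same object with "private".
SAMPLE_GET = bytes.fromhex("30290201000406" "7075626c6963"
    "a01c02040000002a020100020100300e300c0608" "2b06010201010100" "0500")
SAMPLE_SET = bytes.fromhex("302a0201000407" "70726976617465"
    "a31c02040000002b020100020100300e300c0608" "2b06010201010100" "0500")
```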

Printer Flaws
- Actually a very large potential problem
  - Laundering of hacking spoils
  - Bounce attacks
  - Denial of service

Printer flaws...
- Many printers have FTP servers
  - Allow anonymous access
  - Store as much data as memory or disk space in the printer allows - a great place to store hacking tools, sniffer logs, and other stolen things
- Most are poor implementations
  - Easily used in more complex attacks: ftp bounce, Berkeley lpd flaws

Printer flaws...
- Denial of Service
  - Used as a tool to conduct DoS: most love to respond to broadcast pings (smurf)
  - Service denied: poor tcp/ip implementations crash easily; poor service implementations (SNMP, ftp)

Printer fixes?
- Disable everything you can

Example applications: Defeat sniffing
- Race hosts on ARP replies
- Reply to ARPs with the broadcast address
- Overpopulate caches: some switches will flush their caches
- Alter routing on the host you want to sniff

Examples
- Defeating things like SSH
  - Alter routing
  - Create an SSH proxy
  - The client will note the key mismatch, but who ever pays attention?
- Gaining router access
  - Obtain the auth protocol key via brute force
  - Extract passwords on the wire
  - Just plain old sniff

What to do?
- Maintain good perimeter defenses: at least you only have to trust your employees
- Use cryptographically secure transports: crypto is good, but crypto fails without good policy
- Disable unneeded services: not using SNMP?

What to do...
- Disable things like routed on hosts: 99% of the time, static routes work fine on end machines
- Use the strongest authentication methods possible: long keys, strong crypto

Questions?
Dave Ahmad <da@securityfocus.com> Jeremy Rauch <jrauch@securityfocus.com>
