Latest articles in ‘Cisco’


  1. DHCP exploitation guide

    Published: Mon 30 October 2017 in Cookbook.
    A step-by-step guide to practical DHCP exploitation and protection.

    DHCP allows devices to automatically get their network configuration when bringing up a network interface (typically when booting).

    This configuration usually includes, among other things, the IP address assigned to the device, the DNS domain name, and the IP addresses of the default router, the DNS server and the NetBIOS name server.

    This configuration is allocated to the device only for a given time: the lease time. Lease times vary widely depending on the environment's requirements; values ranging from a few dozen minutes to a few weeks are typical. Once half of the lease time has elapsed, the device starts trying to contact the DHCP server to renew the lease.

    A client initially requesting an IP address starts by broadcasting a DHCP DISCOVER message.

    A typical DHCP exchange is as follows:

    Typical DHCP exchange

    1. DISCOVER: The client without IP address configured …


  2. MAC address table overflow

    Published: Wed 25 October 2017 in Cookbook.
    A step-by-step guide to practical MAC address table overflow exploitation and protection.

    The main practical difference between a legacy hub and a switch is that the switch does its best to forward Ethernet frames only on the port through which the recipient can be reached; it won’t blindly forward everything everywhere as a dumb hub would.

    To achieve this, upon reception of a frame the switch stores the sender's MAC address, associated with the ingress port, in an internal memory, usually implemented as a CAM table. Thanks to this information, should a later frame be addressed to that MAC address, the switch forwards it only to that port and not to the others.

    I already wrote a more focused article on MAC table overflow within the context of GNS3 simulated environments, which resulted in a patch being submitted upstream and initiated the development of the macof.py tool. The original article is available here.

    In this article I detailed …


  3. Spanning Tree Protocol exploitation

    Published: Mon 16 October 2017 in Cookbook.
    How an attacker can take advantage of STP, and how to prevent this.

    As we saw in the previous post, Wireshark revealed to us the presence of STP messages.

    The Spanning Tree Protocol is used to detect topology loops and build the most efficient forwarding path between interconnected switches. Topology loops are not a mistake but a way to add redundancy to a topology. Should a link fail, STP detects it and recalculates a new most efficient tree.

    In sane networks, access ports should not deliver STP messages to end devices, but this is not the default and, as Wireshark told us, not the case in our lab. This gives an attacker the possibility of simulating a topology change by sending maliciously crafted STP messages.

    For this lab we will need at least the User_1 and Server_1 devices to be available:

    STP lab topology

    Warning

    The support of STP in the IOU images I tested was very buggy: STP port state was ignored and frames systematically …


  4. Practical network layer 2 exploitation: passive reconnaissance

    Published: Thu 12 October 2017 in Cookbook.
    Network layer 2 practical offensive and defensive security: listen and learn from the network's white noise.

    This post is part of a series about practical network layer 2 exploitation.

    Now is the time to swap your network administrator hat for the attacker's. Your own, well-known network now becomes an unfamiliar target.

    Before rushing and banging against the nearest devices, it may be wiser to just stand back and listen.

    On switched networks, users are somewhat isolated from each other thanks to the separation of collision domains. All that remains is some kind of white noise… but this white noise in itself can bring invaluable information to an attacker!

    In particular we will see how, simply by passively listening to this white noise, an attacker will be able to detect several weaknesses affecting the network and plan his next steps.

    In this lab no interaction will occur with either the Admins or the Servers VLANs, the User_1 workstation will be required only for the DHCP Discover messages part …


  5. Practical network layer 2 exploitation: introduction

    Published: Tue 10 October 2017 in Cookbook.
    Network layer 2 practical offensive and defensive security: setting up the lab.

    This post initiates a series demonstrating network layer 2 exploitation and protection techniques from a practical point of view.

    This series will rely on the following topology:

    Layer 2 exploitation lab topology

    This topology is composed of three VLANs:

    • Users (VLAN 1) and Admins (VLAN 2) both contain end-user workstations; they are isolated from each other.
    • Both can access machines located in Servers (VLAN 3).

    The attacker is connected to the Users VLAN.

    In this series we will see how the attacker can leverage various layer 2 configuration weaknesses to disrupt the network, hop from one VLAN to another, and intercept users' communications, independently of their location in the topology.

    We will limit ourselves to basic techniques in an attempt to demonstrate that pwning an insufficiently secured network doesn’t involve any high technology or knowledge. When appropriate we will also see how the attacks can be generalized to other real-life scenarios.

    Creating the topology …


  6. How to configure Windows as a NTP server & enable IOS NTP client

    Published: Fri 06 October 2017 in Cookbook.
    A step-by-step guide to setting up and troubleshooting NTP on Windows and Cisco IOS-based devices.

    NTP synchronizes the clocks of various devices to a common reference.

    In this how-to, we will configure a Windows Server as an NTP server and a Cisco IOS-based router to act as an NTP client. We will also see how to configure the router so it can itself serve as a server to other devices, thus acting as an NTP relay.

    NTP how-to topology

    Windows (NTP server)

    Windows does not ship with any NTP server by default. In fact, Windows’ W32Time service implements SNTP instead, which is not compatible with NTP clients (see here).

    Meinberg NTP is a commonly used alternative to get a proper NTP server on Windows, and is the one we will use in this how-to.

    Before installing it, check that the following settings are correct:

    • The IP configuration (192.168.0.100 in my case)
    • The current time (08h15 in my case, but who cares?)

    Once …


  7. How to configure Windows as a SCEP server & Cisco ASA enrollment

    Published: Thu 05 October 2017 in Cookbook.
    A step-by-step guide to configure SCEP on Windows and Cisco ASA appliances.

    SCEP is a protocol supported by several manufacturers, including Microsoft and Cisco, designed to make certificate issuance easier, particularly in large-scale environments.

    It proceeds in a few steps:

    1. The SCEP server issues a one-time password (the “challenge password”), transmitted out-of-band to the client.
    2. The client generates a key pair, and sends the certificate signing request to the SCEP server along with the one-time password.
    3. The SCEP server validates the client certificate data (in this how-to the validation will be manual), signs it and makes the signed certificate available to the client.
    4. The client regularly polls the SCEP server until its signed certificate becomes available. The client can then fetch the signed certificate and install it.

    Here we will set up a Windows Server as the SCEP server, and use a Cisco ASA as the SCEP client.

    SCEP how-to topology

    The topology above mentions Windows 2016, but any other Windows server will do. This how-to …


  8. Cisco CCNA Security certification review

    Published: Fri 01 September 2017 in Opinions.
    Facts, advice and personal impressions on the Cisco CCNA Security certification.

    The five Ws

    • What: CCNA Security is a technical certification about general network security in a professional context. It describes the typical threats potentially affecting such networks, then the various Cisco technologies that mitigate them. This covers the networking devices themselves, but also data both in transit and at rest, and end-user devices, both corporate and personal (BYOD).

    • When: Obtaining this certification requires holding at least the CCENT certification (I recommend having a CCNA Routing & Switching, though).

      Note

      While the CCENT or CCNA R&S is a prerequisite to be granted the CCNA Security certification, they are not technically required to take the exam.

      If for some reasons it suits you, Cisco allows you to take the CCNA Security exam before having obtained a CCENT or CCNA R&S. If you pass the exam, you will be granted the CCNA Security certification once you get your …


  9. How to install Cisco Adaptive Security Appliance (ASA) in GNS3

    Published: Mon 28 August 2017 in Cookbook.
    A step-by-step guide to get legacy ASA images and ASAv up and running in a virtual lab.

    The Cisco Adaptive Security Appliance (ASA) is Cisco’s main firewall and network security product. It mainly provides firewall and VPN services, but its native features can be enhanced by adding FirePOWER NGIDS services on top of it.

    Note

    Even when used on top of an ASA in the same appliance, the FirePOWER NGIDS is never really merged into the ASA but stays a separate module. For instance, the ASA and the FirePOWER each have their own separate CLI shell, each with its own syntax and logic. In fact FirePOWER is not a Cisco development but was acquired when Cisco merged with SourceFire, hence the (personal) feeling of an “alien” product plugged into the ASA.

    For CCNA Security students: while you must know the ASA and be comfortable with its usage, for now you only need to know what FirePOWER is and why it is used …


  10. How to install Cisco Configuration Professional (CCP) in GNS3

    Published: Mon 28 August 2017 in Cookbook.
    Updated: Thu 23 November 2017 (Added details on the Java version to use.)
    A step-by-step guide to get the infamous CCP 2.x (Cisco SDM) up-and-running in a virtual lab.

    The Cisco Configuration Professional (CCP) is a graphical interface that allows you to quickly and easily configure, monitor and troubleshoot Cisco IOS-based devices. It does exactly the same thing as one could do using the IOS command line, but with more convenient graphical tools and optional wizards for multi-step configurations, including operations involving several devices, such as setting up a tunnel.

    It comes in two versions:

    • CCP 2.x, also known as Router and Security Device Manager Software (SDM), is the little brother of ASDM, which is used to configure ASA firewalls. This is a desktop application: the GUI is installed locally on the user’s host.

    • CCP “Express” 3.x: this version is deployed on the Cisco devices themselves and leverages the device’s HTTP port to embed a web configuration interface. CCP Express already existed in the 2.x generation; at that time two flavors were available: the “end-user” one with reduced functionality (the end result was …

