Section 1: Network Fundamentals

There must be an understanding of fundamental number conversions and math that occurs in networking before moving on to more advanced topics involving headers.

Common Formats

Message Formatting Method and Terminology

Protocols and Interfaces

Encapsulation and Decapsulation

Importance of the OSI Model

Other than the OSI or TCP/IP models, it’s also important to understand the organizations that have been developing Internet and Networking Standards.

(End of Basics Review)

The physical layer is responsible for providing the following:

Refer to the previous web request conversation and discuss what is being performed at the physical layer at the receiving end. The data is received over the physical media at the destination device NIC. The device performs it’s signal conversion to format the data into bits that will be read by the data-link layer.

Data link layer is unique because it has the function to communicate in "logical" and "physical". To accommodate this the functionality of this layer is divided into two logical sub-layers. An upper sub-layer, LLC, to interact with the network layer above and a lower sub-layer, MAC, to interact with the physical layer.

Discuss importance of data link layer and common data link protocols to include PPP, HDLC, Frame-Relay, Wireless, Ethernet, etc. Focus will be on Ethernet due to its prevalence.* *C

Discuss importance of data link layer and common data link protocols to include PPP, HDLC, Frame-Relay, Wireless, Ethernet, etc. Focus will be on Ethernet due to its prevalence.

Discuss Ethernet frame construction (This should include an untagged frame and a tagged frame)

MAC spoofing

A malicious actor can use this to "pretend" to be a legitimate user or networking device. This is done by using drivers or software tools to alter the vendor assigned MAC address. An attacker can either mask his MAC address or pretend to have the MAC address of a legitimate device on the network.

802.1Q is used to add a "tag" to identify to the receiving switch/router as to what VLAN the frame is being sent from. This tag is an additional 4 bytes of data that is appended between the Source MAC address and Ethertype field. This in essence increases the size of the frame header from its original 18 bytes to 22 bytes. The Ethertype field is "shoved over" from byte offset [12] to byte offset [16]. This tag is only applied across Trunk links. The switch/router is responsible to add this 4-byte tag when sending over any trunk links and to remove the tag when needing to send over an Access port. For example, prior to sending to a PC or printer.

Demo of ICMP messages over VLAN trunk links from www.cloudshark.org

Describe address resolution protocol (ARP) and why it is important to Layer 2/3 (Show an ARP table on a host. Discuss when ARP is used for forwarding traffic, versus when traffic is sent to a default gateway).

The Address Resolution Protocol (ARP) is a Layer 2 protocol of the OSI model. It is used for discovering the Layer 2 or data link layer address (MAC address or even DLCI (Data Link Connection Identifier for a Frame Relay virtual circuit)), associated with a given Layer 3 or network layer address such as an IPv4 address. This mapping is critical in the operation of IPv4. ARP was defined in 1982 by RFC 826 which is Internet Standard STD 37. It has a wide range of various Operation Codes (op) to determine what type of ARP is being utilized. These codes are provided by IANA.

In Internet Protocol Version 6 (IPv6) networks, the functionality of ARP is provided by the Neighbor Discovery Protocol (NDP) and ARP is not used.

ARP - To resolve the L2 (MAC) address when only the L3 (IPv4) address is known.

RARP - To resolve the L3 (IPv4) address when only the L2 (MAC) is known. (This protocol has been deprecated since the widespread use of protocols like BOOTP and DHCP.)

Proxy ARP - A device (router) answers the ARP queries for IP address that is on a different network. The ARP proxy see the ARP request and determines that the target Network address is not on the local network segment and is aware of how to reach the destination network. The proxy will offer its own MAC address in response to the request. Typically this device is the network gateway and is responsible to forward traffic for other networks.

ARP Cache - is a collection of Layer 2 to Layer 3 address mappings discovered utilizing the ARP request/response process. When a host needs to send a packet both the L2 and L3 addresses are needed. The host will look in this table to determine if it already knows both the L2 and L3 addresses. If the target is not in the table then a ARP request is initiated. The ARP cache can be populated statically but mostly its done dynamically. This cache can be exploited by attackers with the aim to poison the cache with incorrect information to either perform a DoS or MitM.

Demo the arp cache of a linux host. arp -a

Demo ARP with wireshark. ARP storm PCAP from wiki.wireshark.org

Address Resolution Protocol (ARP) attack

When ARP was developed security was not as much of an issue. Over time it was discovered that many protocols could be used in un-intended ways. Typically a host will broadcast an ARP request over the network and expects only the intended host to respond. Gratuitous ARP on the other hand is another method that a host can announce itself to the network. All other hosts believe the message and will add this entry into their ARP cache. These are the legitimate uses of ARP but malicious actors can use the open, unencrypted, and unverified nature of the protocol to their own ends.

An attacker can broadcast a gratuitous ARP, announcing itself as the networks default gateway. It will use the legitimate default gateway’s IP address but will use it’s own MAC address. All hosts on the network will assume this information to be true and update their ARP caches. This in essence will poison everyone’s ARP cache. All hosts on the network will now send all traffic to other networks to the attackers computer. The Attacker will forward all traffic to the legitimate gateway but now the attacker is included in the hosts communication.

This process creates a Layer 2 Man in the Middle.

Proxy ARP and Security Concerns:

Typically a PC will issue an ARP request to get the unknown MAC address of a device when its IP address is known. If the device is on the same network then that device will respond with ARP Reply. If the device happens to be on a different network, the router will respond with its own MAC address. The router responds because it will see that the destination IP address is on a different network and it knows how to get there from its routing tables. The router will resond to the ARP request with its own MAC to tell the host to send all the communication to itself to get to the remote destination. The host will update its ARP cache to reflect the router (default gateway) to be used to reach remote destinations. This is called a Proxy ARP.

An attacker can intercept ARP requests for a gateway and respond with its own MAC address resulting in a Man in the Middle attack.

Get more information in RFC 826, 5227, 5494

Resources for further reading:
http://computernetworkingsimplified.in/data-link-layer/components-data-link-layer-llc-mac/

RFC 826: https://tools.ietf.org/html/rfc826

RFC 5227: https://tools.ietf.org/html/rfc5227

RFC 5495: https://tools.ietf.org/html/rfc5494

DEMO Use Wireshark to demo layer 2. Show the Ethernet II and ARP header breakdown.

Need to enable ip forwarding for ipv4 to have Bob act as a router.

Tools are already installed but just in case:

Syntax:

On Bob you will need 5 windows:

Describe IPv4 Packet Structures

Demo IPv4 header from Wireshark. Capture any traffic to show header.

Options Field

The options field is seldom used. Typically, without options, the IHL will only equal 5. If options are used then the header length will be greater than 5 (i.e. from 6 to 15). This means that options field is present and must be considered.

Strict source routing option is where every hop of the traffic is pre-decided and is placed in the IPv4 Options field. Routers must use the information in this field over any routing table information they may have. This can potentially be used to forward packets around security devices such as firewalls and IPS.

Loose Source Routing option is a bit more flexible than strict source routing. It will include a list of various hops that the packet must traverse. But this does not specify each and every hop.

Both of these options can create security concerns and is recommended that routers block packets containing these options unless they are essential for the network operation.

Discuss the fragmentation process. Demo using Wireshark. Send a ping 10.2.0.2 -s 15000 and capture the results.

ICMP Fragmented pcap from www.Cloudshark.org

Reference: fragmentation and packet headers

IP fragment overlapping

IP fragment overlapping exploit happens when two or more packet fragments have fragment offsets that indicate that they overlap each other.

Example: a MTU of 1500 will have a offset of 185. 1500 MTU - 20 Bytes of IP header = 1480 Bytes. Each IP packet will include up to 1480 bytes of fragment information. To determine the offset value, this will be divided by 8 and will equal 185. So the first fragment will have the MF=1 and offset =185. The second fragment will increment the offset by 185 each time. So the second fragment offset will be 185, the third will be 370, the fourth 555, the fifth is 740 and so fourth. Each packet will have 1480bytes of data.

In an overlap attack such as the teardrop attack, the offsets will not be sequential in chunks of 185 as it should. The offset could be changed to something like 175. This would mean that 80 bytes of the first fragment will be overwritten by the second fragment and so fourth. The resulting information will be much different than if each packet was examined individually.

This form of attack is successful if the attacker is aware of the host computers and networking equipment on the victim’s network. This is because different equipment types perform different process in order to reconstruct the fragmented packets. Armed with this knowledge, the attacker can craft his attack to reconstruct the fragmented packets in a more proprietary way to avoid detection. Using this process fragments can avoid detection by firewalls and IDS/IPS devices. This is because when they reconstruct the message using their reconstruction processes it will not see the intended information.

Teardrop Attack

In a Teardrop attack, the attacker will use overlapping packets as well as additional random data. When constructed properly, the random data portions will be overwritten and result in the malicious payload. Although firewalls and IDS/IPS devices may not detect this payload.

This is a form of denial-of-service (DoS) attack that uses fragmented packets to bypass firewalls to a target a victim’s machine. The victim’s computer receiving the packets won’t be able reconstruct the packet properly due to a bug in TCP/IP fragmentation reassembly process, the packets will overlap each another, thus crashing the victim’s network device. Typically only older operating systems such as Windows 3.1x, Windows 95, Windows NT and versions of the Linux kernel prior to 2.1.63 are vulnerable to this attack.

Teardrop pcap from wiki.wireshark.org

IPv6 inherently does not support fragmentation. Routers in the traffic path will not fragment any IPv6 packets. In fact any packets received with a larger size than its supported MTU will be dropped and an ICMPv6 Type 2 "packet too big" message will be sent to the source. This is essentially like having the DF bit set to ON in an IPv4 packet. So any needed fragmentation will have to be done by the source node.

The source node will conduct a process called Path MTU Discovery (PMTU). The source node will send MTU discovery packets to the destination and waits to receive any ICMPv6 Type 2 "packet too big" message. If it does, it knows it needs to decrease the packet size. The minimum safe IPv6 MTU size is 1280 bytes and will guarantee delivery based on packet size but will increase the amount of needed packets to be sent.

Fragmentation was removed in IPv6 for several reasons. Many debated that fragmentation was inefficient. Any lost fragment makes the entire original packet unusable. This is because there is no way to identify the missing fragment that needs to be resent. So the entire packet needs to be resent and possibly re-fragmented. Additionally the security concerns of fragmentation overlapping attacks is another reason to remove fragmentation altogether.

RFC 4291 IP Version 6 Addressing Architecture

Example IPv6 pcap from www.cloudshark.org

What are some differences between IPv4 and IPv6 headers?

What fields in the IPv4 header would you look at first when looking for anomalous traffic/transactions?

(RFC 6437 IPV6 Flow Label)

What purpose does the "helper protocol" ICMP provide?

Discuss ICMP protocol for both IPv4 and IPv6. Cover some common uses of ICMP to include ping, traceroute, Time exceeded, MSS adjust etc.

Demo ping and traceroute with Wireshark to any external website.

Common ICMP attacks

Reference: icmp-attacks

Fire-walking Using traceroute and TTLs to map out a network. Using traceroute with TCP and UDP protocols an attacker could map the open ports on a firewall.

Over-sized ICMP informational messages These over-sized ICMP packets can cause a system to crash. Typically packets should not be greater than 65,535 bytes in size and anything greater would violate link::https://tools.ietf.org/html/rfc791[RFC 791]. Systems would not know how to process these packets and most likley would crash. The Ping-of-Death is one example of this. Attackers could use tools like hping2 to craft these packets.

ICMP Router Discovery Messages In link::https://tools.ietf.org/html/rfc1256[RFC 1256], PCs could send "router solicitation" messages to discover who the router is on the network. An attaker could intercept these messages and send a spoofed "Router Advertisement" message adverising themselves as the router.

Security concern with ICMP redirects:

Routers use ICMP redirect messages to inform hosts that a better route is available for a particular destination is available through another router on the same network. Hosts can only be assigned one IP address as its default gateway but the network could have more than one router to lead to remote networks. If the default gateway receives a packet on an interface, and through its routing table lookup it determines that the next hop router towards that network is out the same interface that the packet was received, it will forward the packet to the next hop and send the ICMP redirect message back to the host. The host will update its internal routing tables for that specific destination address.

An attacker can use ICMP redirects to perform a Layer 3 man in the middle attack. If the attacker can intercept a message they can send an ICMP redirect back to the victim to tell it to route traffic through the attacker rather than the router.

Note: ICMP redirects are disabled by default if Hot Standby Router Protocol (HSRP) is configured on the interface.

SMURF Attack concern:

SMURF attack is a form of amplification attack where an attacker can send very few packets and it will generate a lot of packets. The attack works by sending an ICMP echo requests (PING) using a spoofed source address to a directed broadcast address of a network. This PING will reach all hosts on the network who will then respond back to the spoofed IP address. All the hosts responding will create alot of traffic and overload the victim’s device causing a DoS.

Security Concern using IP Unreachable messages to map a network

By default, routers will send a ICMP unreachable message back to the source if it drops a packet for whatever reason. This action can be used by attackers to map out the network topology

The goal of the Zero Configuration Networking (Zeroconf) is to enable networking in the absence of configuration and administration. Zero configuration networking is required for environments where administration is impractical or impossible, such as in the home or small office, embedded systems 'plugged together' such as systems connected to a switch or hub.

DHCP pcap from wiki.wireshark.org

Demo pcap from blog.webernetz.net

Advantage For typical home networks this is very useful. Users with little to no networking experience can easily setup their home networks with little to no intervention. All their IP addresses, netmasks and gateways on all their devices will auto configure themselves.

Disadvantages On an enterprise network with specific address, netmask and other configurations is not feasible to use this option as it may be to simplistic. Enterprise networks tend to opt for more presise controls for their networks. Additionally if zero configuration was allowed it could lead to users connecting unauthorized devices onto a secure network with no oversight.

Get more information in RFC 791, 1349, 2474, 6864

DEMO Use Wireshark to demo layer 3. Show the IPv4 and IPv6 headers and ICMP to include PING and TIME EXCEEDED.

DEMO Configure the Net1 and Net2 with an IPv6 address. Open Wireshark and have the Net1 ping the Net2 at its IPv6 address. View the Wireshark details showing the Neighbor Solicitation message to request the Net2 MAC address and its response back to Net1 Solicited node multicast address.

The TCP header contains a field for flags. What are normal combinations of flags?

Collection of Exceptionally Unskilled Attackers Pester Real Security Folks

Coach Explained to the University of Alaska to Play Really Snowy Football

TCP is a connection oriented protocol and therefore is divided into one of 3 phases.

DEMO TCP with tcpdump. Open wireshark and capture traffic while you browse to www.espn.com Optionally you can use this PCAP.

What is the RFC recommended response to illegal flag combinations?

When and why are illegal flag combinations or TCP options used?

What are some attributes that UDP does not have, which make it a protocol better suited for certain applications like VoIP, Streaming Media or DNS?

What makes UDP scans difficult to use?

Get more information in RFC 768

Identify well-known port range and how they are used (0-1023). Ensure you discuss privilege required for a OS to bind a well-known port. Compare and discuss ephemeral ports and their use in communications.

(Well Known ports)

DEMO Use Wireshark to demo layer 4. Show the TCP and UDP headers.

DEMO Use the netstat command to show established connections and sockets.

FTP
Published in RFC 959, File Transfer Protocol is a standard network protocol that is used for file transfer between a client and a server. Authentication is performed via a username and password, but can also be disabled in favor of anonymous mode if the FTP server is configured for it. The drawback with FTP is that all communication is clear text, including the initial authentication.

FTP has two modes of operation, Active and Passive:

SSH Protocol
SSH is an open protocol with many different implementations. Examples include PuTTy, Solaris Secure Shell, Bitvise, and OpenSSH. OpenSSH is the open source implementation that is most common and the focus of this course as it is widely found in Linux and Unix. Support for Windows was introduced when OpenSSH was ported to run in Windows Power Shell in 2015. It is included in Windows 10 as of 2018, though it must be enabled in settings.

History of the protocol and implementations:

Due to the way SSH was created it has many implementations and therefore is open to vulnerabilities across those different implementations. This course will focus mainly on the OpenSSH implementation._#
SSH was developed in 1995 after a password sniffing attack occurred at the University of Technology in Finland. A researcher at the university created SSH1 for himself, which rapidly gained popularity with over 20,000 users by the end of 1995. The creator also founded the SSH Communications Security Corp (SCS) to maintain and develop SSH. That same year, an IETF was drafted describing operation of the SSH1 software and assigned a working group (SECSH). The group submitted a draft for SSH-2.0 in February 1997 which was then released by SCS as a software product with a restrictive license. Due to restrictions many people continued to use SSH1 until OpenSSH was released. OpenSSH came from the OpenBSD project and is based on the last free release of SSH, 1.2.12, but due to the open source community it has been updated regularly and ported to many platforms.

Usage and features:
SSH was initially created to replace insecure rsh suite of Unix programs. The syntax and user interface is identical. These service included the following:

login programs such as telnet, remote login (rlogin), and rsh (remote shell). Though the initial use was logging into and running remote terminal sessions, capabilities were expanded to replace FTP (file transfer protocol) and RCP (remote copy protocol) with SFTP and SCP respectively.

SSH Protocol
SSH is an open protocol with many different implementations. Examples include PuTTy, Solaris Secure Shell, Bitvise, and OpenSSH. OpenSSH is the open source implementation that is most common and the focus of this course as it is widely found in Linux and Unix. Support for Windows was introduced when OpenSSH was ported to run in Windows Power Shell in 2015. It is included in Windows 10 as of 2018, though it must be enabled in settings.

Usage and features:
SSH was initially created to replace insecure rsh suite of Unix programs. The syntax and user interface is identical. These service included the following:

login programs such as telnet, remote login (rlogin), and rsh (remote shell). Though the initial use was logging into and running remote terminal sessions, capabilities were expanded to replace FTP (file transfer protocol) and RCP (remote copy protocol) with SFTP and SCP respectively.

Components of SSH Architecture
In order for ssh to work properly between a client and server, several components are required:

Defined in RFC4251, there are three major protocols are run on top of TCP to facilitate an SSH Connection:

SSH Protocol Components (not shown in slides)

Authentication

There are several methods used by SSH for authentication, the following are the most common implementations:

Password Authentication Debug Demo

What makes traffic capture possible?

Berkeley Packet Filters were conceived in 1992 as a way to provide a way for filtering packets from kernel to userspace. It consists of bytecode that is injected from userspace to the kernel. In recent years it has been re-written as the eBPF virtual machine that closely resembles the previous BPF functions, yet allows for 64 bit registers and for increasing the number of registers from two to ten. This allows the BPF to take advantage of modern hardware.

How do BPF’s work?

Kernel API

TCPDump opens a network tap by requesting a SOCK_RAW socket and after setsockopt calls a filter is set with the SO_ATTACH_FILTER option:

The BPF Filter is then ran against all received packets on a network interface and those that match filtering criteria are passed on to the network tap file descriptor.

Basically, TCPDump asks the kernel to execute a BPF program that works within the kernel context.

BPF Virtual Machine
The BPF machine consists of an accumulator, an index register, a scratch memory store, and an implicit program counter. There is a small set of arithmetic, logical, and jump instructions given in a BPF program written in bytecode.

TCPDump filtering with BPF’s:

Demonstrate a simple BPF to explain bytecode:

This reads as follows:

What field does the jeq point to?
Ethertype

TCPDump filtering with BPF’s and bit-masking:
BPF’s in conjunction with TCPDump, operators, and bitmasking make for an extremely powerful traffic filtering and parsing tool.

What happens if you need to filter down to a field that is smaller than a byte?

Use bit masking.

IP header version and IP header length field.

IP header fragmentation and fragmentation offset field.

TCP header flags field.

SYNTAX

Example:
tcpdump 'ether[12:2] = 0x0800 && (tcp[2:2] != 22 || tcp[2:2] != 23)'

The BPF doesn’t work because values larger than the ip version number of 4 that have a value higher than 5 in the internet header length will be filtered as well.

What was the common issue with all of the filters that complicates the process of looking at the header length field?
The presence of the IP version field.

Since the IP version field is causing issues, it must be excluded.
A masking condition is applied with an "&" symbol and will look like the following:

To filter down to the bit(s) and not just the byte.

All designated bit values must be set; no others can be set

All designated bits must be set; all others may be set

At least one of the designated bits must be set to not equal 0; all others may be set

Least Exclusive:
Selects any packet that has ACK or FIN set and also have any other flag set.

References:

libpcap: An Architecture and Optimization Methodology for Packet Capture
An intro to using eBPF to filter packets in the Linux kernel
Practical tcpdump Examples
BPF - the forgotten bytecode
TCPDump Advanced Filters

A Layer 2 Ethernet switch uses the destination MAC addresses to make forwarding decisions. It is completely unaware of the protocol being carried in the data portion of the frame, such as an IPv4 packet. The switch makes its forwarding decisions based only on the Layer 2 Ethernet MAC addresses.

CAM Table Overflow/Media Access Control (MAC) Attack

This attack focuses on the Content Addressable Memory (CAM) table that stores the MAC addresses on a physical port along. Each VLAN will have its own CAM tables. CAM tables have a fixed memory size and this is what makes them a target for attack. Similar to a buffer overflow attack, the goal is to fill the switches table with "learned" MAC addresses and see what happens. The attacker sits on a one port and generates a vast number of "spoofed" MAC entries. When the CAM table is full, all additional MACs will not be learned and will default to "open". This means that traffic without a CAM entry will be sent out on all ports of the VLAN in question. Traffic with a CAM entry won’t be affected, but neighbor switches could be. Depending on the switch in question, this type of attack can be mitigated.

CAM Table Overflow script

Utilizing tcpdump or wireshark you can demonstrate how this attack looks.

Network without VLANs

In normal operation, when a switch receives a broadcast frame on one of its ports, it forwards the frame out all other ports except the port where the broadcast was received. On a switch with only 1 vlan configured (vlan 1 by default) all ports belong to same broadcast domain.

Network with VLANs

When VLANs are implemented on a switch, the transmission of unicast, multicast, and broadcast traffic from a host in a particular VLAN are restricted to the devices that are in that VLAN only.

A network with VLANs has to identify a way to pass frame traffic from its vlan to other devices belonging to the same vlan across several switches. To prevent vlans from blending with other vlans a separate data path must be used to pass vlan traffic from switch to switch. Thus a separate cable is used for each vlan to pass vlan traffic from switch to switch. In a large network, with many vlans, this will quickly become unscalable.

Trunk links were developed to allow all vlans to traverse 1 link instead of 2 or more individual links. Switches use the Ethernet frame header information to forward frames but the standard Ethernet frame header does not contain information about the VLAN to which the frame belongs; thus, when Ethernet frames are placed on a trunk, information about the VLANs to which they belong is added. This process, called tagging, is accomplished by using the IEEE 802.1Q header, specified in the IEEE 802.1Q standard. The 802.1Q header includes a 4-byte tag inserted within the original Ethernet frame header, specifying the VLAN to which the frame belongs. The "tag" includes a new Type Field set to [0x8100] to specify its a tagged frame. The original type field remains the same only it is just shoved from byte [12:2] to [16:2].

When the switch receives a frame on a port configured in access mode and assigned a VLAN, the switch will then determine what interface to send the frame out. If the outgoing interface happens to be a trunk port, the switch inserts the VLAN tag in the frame header, recalculates the Frame Check Sequence (FCS), and sends the tagged frame out of that trunk port. Inversely, when a switch receives a tagged frame from a trunk link and it determines that the outgoing interface is an access port, the switch will remove the vlan tag and the FCS is recalculated again. The Type field is also reverted back to its original value. The 4-byte tag is removed and the Type field reverts back to its original location at [12:2].

All the "tagging" processes are completely transparent to the "user" and is handled by the intermediary network devices.

Demo of ICMP messages over VLAN trunk links from www.cloudshark.org

IEEE 802.1ad is an Ethernet networking standard informally known as "Q-in-Q". The was added as an amendment to IEEE standard IEEE 802.1Q-1998. This technique was commonly used for provider bridging or tagging. A service provider could tag all-ready tagged user frames across a service providers network and then strip it off at the other end. This is a form of tunneling.

This technique allowed the ability to insert more than one 4 byte tag into the frame. Each additional tag is inserted before the previous tag. The tags are then removed in reverse order. The first tag will be the typical 0x8100 Ethertype and include the user provided VLAN ID. Each additional tag will use 0x88A8 (standard) or 0x9100 (non-standard) Ethertype and include the provider’s VLAN ID.

IEEE 802.1ad was created for the following reasons:

Demo the 801.1ad headers in a PCAP 802.1ad pcap from www.cloudshark.org

VLAN hopping Attack

VLAN hopping is an exploit method of attacking networked devices on separate virtual LAN (VLAN) without traversing a router or other Layer 3 device. The concept behind VLAN hopping attacks is for the attacker on one VLAN to gain access to traffic on other VLANs that would normally not be accessible. Keep in mind that VLAN hopping is typically a one-way attack. It will not be possible to get any response from the target device unless methods are setup on the target to respond with similar vlan hopping methods.

There are two primary methods of VLAN hopping:

In this attack, an attacking host imitates a trunking switch by crafting DTP packets in order to form a trunk link with the switch. With a trunk link formed the attacker can then use tagging and trunking protocols such as ISL or 802.1q. Traffic for all VLANs is then accessible to the attacking host.

This attack works if the attacker knows what the "native VLAN" that is used on your organization. Typically VLAN 1 is used. All VLANs will be "tagged" with its corresponding VLAN. The Native VLAN however is intended for local network communication and is not tagged. Thus anything tagged for the native VLAN will be stripped off. The attacker will insert 2 tags into their frames. The first tag will be for the Native VLAN and the second tag will be for whatever VLAN he is trying to access. Upon receipt the switch will then remove the Native VLAN tag and will leave the second VLAN tag in tact.

Scapy Script to demonstrate vlan Hoping

You are able to execute this and see the result in tcpdump or wireshark.

We previously mentioned that there is no TTL at Layer 2 to eventually kill a frame that never reaches its destination. This will result in frames endlessly circulating a L2 infrastructure and eventually bringing down the network. This can be caused by simply adding redundant links in your network architecture that could allow frames to potentially circulate.

Spanning Tree Protocol (STP) was developed to resolve this issue . STP is a Layer 2 protocol that builds a loop-free logical topology for Ethernet networks in a network that physically has loops. The basic function of STP is to prevent switching loops and the broadcast storms that can result. Spanning tree allows a network design to include physical "backup links" to provide fault tolerance if the active link fails.

STP works by creating "tree" within a network of connected layer-2 switches, and disable any links that are not part of this tree. The root of the tree determined by electing a Root Bridge and all the other switches are the branches. This essentially leaves only a single active path between any two network switches. STP is based on the algorithm invented by Radia Perlman.

STP operates by flooding Bridge Protocol Data Units (BPDUs) to all other switches in the network. These BPDUs are used to:

After the election of the Root Bridge, all BPDUs will come from the root only and each switch will forward these BPDUs out their Trunk ports. This ensures that all switches know that the root is still active.

IEEE introduced Rapid Spanning Tree Protocol (RSTP) as 802.1w in 2001. RSTP allowed ports to transition from blocking to forwarding in about 10 seconds.

Cisco developed their own proprietary versions of STP:

Juniper develop VLAN Spanning Tree Protocol (VSTP) to communicate with Cisco’s PVST and PVST+ implementations.

In 2005, IEEE developed Multiple Spanning Tree Protocol (MSTP) defined in IEEE 802.1s.

Demo PVST+ in a pcap from www.cloudshark.org

Spanning-Tree Attack

The attack vector is a form of Denial of Service. Its goal is to disrupt the switch’s spanning-tree process, destabilize their CAM tables and hold the network in a repetitive state of reelecting the root bridge. This is possible because there is no authentication mechanism built into the STP and it’s BPDU packets.

One way is to repeatedly send Topology Change Notification (TCN) messages to disrupt the system’s current understanding of the network. This will force renegotiation of the Root Bridge, resulting in a DoS attack.

Another option is for the attacker to try to become the root bridge. This can be done by sending specially crafted BPDUs. Once this is accomplished it is possible for the attacker to see packets that are sent through them. This requires the attacker to stay connected to two switches, running bridging software, so that they can continue to send the BPDU to advertise themselves as the root bridge.

Both attacks require that the attacker be physically connected to the network.

The industry standard of 802.1D there is only 1 spanning tree instance no matter how many vlans are running on the network. So to attack STP will effect every vlan in the network. However Cisco’s proprietary STP called PVST and PVST+, there is a spanning tree instance for each vlan in the network. So to attack one will not effect the others. Each vlan spanning tree instance would need to be attacked for a full network DoS.

Ethernet frames do not have a time to live (TTL) field as the IPv4 and IPv6 packet headers do. Because of this there is no mechanism to block continued propagation of frames on a Layer 2 switched network. It is possible for frames to propagate between switches endlessly. This can result in MAC database instability and can cause broadcast frames to forward endlessly causing broadcast storms and will bring down any network.

Issues in a switched network

In a switched network with physical loops Spanning-Tree is crucial else your whole network can be brought down with broadcasts. Without physical loops spanning-tree can be disabled to conserve a little bandwidth and CPU processing.

Demonstration of CDP and LLDP messages from www.cloudshark.org.

Cisco Discovery Protocol (CDP) Attack

Due to the nature of how CDP works, it can be easily used by malicious actors to map out your network infrastructure. It also shares alot of device information that an attacker can use in preparation of an attack. The information like IP addresses, router models, software versions and so on can be sensitive for your organization. All information is sent in clear text and unauthenticated. Any attacker sniffing the network is able to see this information and is possible to impersonate (spoof) another device.

The Dynamic Trunking Protocol (DTP) is a Cisco proprietary Layer 2 protocol. Its purpose is to dynamically negotiate trunking on a link between two switches running VLANS. It can also negotiate the type of trunking protocol to be used on the link (802.1q or ISL). DTP works by exchanging small DTP frames between two supporting devices to negotiate the link parameters.

DTP Attack

DTP attack relates to the VLAN hopping attack discussed earlier. Attackers can craft their own DTP frames in order to negotiate a trunk link between their device and the switchport. This trunking connection would allow the attacker to communicate with all VLANs on the switch and to inject traffic into whatever VLAN they desire. Typically the trunk like will not be "pruned" or allowed VLANs specified so this connection will allow the attacker access to all VLANs on that switch.

VLAN Trunking Protocol (VTP) is a Cisco proprietary protocol that propagates the definition of Virtual Local Area Networks (VLAN) on the whole local area network. VLAN Trunk Protocol (VTP) was developed to help reduces the administration of creating VLANs all all switches within a switched network. To do this, VTP sends VLAN information to all the switches in a VTP domain.

VTP advertisements are sent over all trunk links. VTP messages advertise the following on its trunk ports:

There are three versions of VTP, namely version 1, version 2, version 3.

VTP Issue

VTP uses the configuration revision number to determine what is the most "up to date" VLAN information. Each time the server makes an update it will send a VTP message with a higher revision number. The other switches will see that the message revision number is higher than what they have recorded so they will adopt the information in the message believing it to be more current.

The concern is that if you add a new switch to the current VTP domain that has a higher VTP revision number. This could be because it was previously on another VTP domain and was not properly erased. Once connected, that switch will not accept any VTP messages from the server since its revision number is higher. But when that switch sends its own VTP message advertising what it believes the current revision number is all the other switches will see that it has a higher revision number and will cause all switches to dump all its information and request the information from the new switch. This in effect will bring down your entire VLAN infrastructure.

Additionally an attacker can use this same process to perform a Denial of Service on your VTP switched network. The attacker can craft their own VTP message and send it over the network. This will cause all the switches in the VTP domain to flush all their VLAN information.

Must be configured manually, normally on access ports. The default behavior for port security is violation mode SHUTDOWN and maximum mac address of 1. Any violation will cause the port to err-disable and must be manually shutdown and no shutdown to bring the port back operational after correcting the original issue.

Ideally 802.1X would be prefered over Port Security being able to authenticate to AAA server(s) for network access.

The primary functions of a router are to:

Similar to switches where it builds a CAM table built of MAC address to determine how to forward frames towards the destination, the router builds routing tables on where (and how) to forward packets. The router builds the table including information such as network address, CIDR, Next hop address and exit interface. The table includes routes to what it determines is the "best route" to the destination network. When a packet enters a router it will be decapsulated. The frame is stripped on and it will examine the destination address in the packet. Using this address it looks to find the "best match" in the routing table. Once the best match is determined it will use the next hop address and exit interface. It will re-encapsulate the packet into the appropriate frame for the exiting interface network and send it out.

It is possible for a router to receive a packet encapsulated in one type frame, and then resend the packet out an interface using a different type frame encapsulation. As an example, the router can receive an IPv4 packet encapsulated in an Ethernet II frame from a LAN and then forward the packet out a WAN interface encapsulated in a Point-to-Point Protocol (PPP) frame. The frame encapsulation depends on the type of interface used on the router and the type of media to which it connects. The different data link technologies that a router can connect to include Ethernet, PPP, Frame Relay, DSL, cable, and wireless (802.11, Bluetooth, etc.).

Best Route = Longest Match

Routers compares the destination address in the incoming packet to its entries in the routing table. It matches the address (bit by bit) to all the table entries and looks for the longest bit match it can find. Starting at the far left, it compares the bits up to the amounts of bits in the CIDR mask. (i.e. a /12 mask will match 12 bits and a /24 will match 24 bits.)

Since the IP packet only contains the IP address and not the subnetmask, the router does not know what network the address belongs to. So this matching process tries to narrow down the address to a list of "known" networks.

Once a route with the most matched bits is found, it will forward the packet to the next-hop ip address in the table entry and re-encapsulate the packet into a new frame appropriate for the exiting interface.

Security Concern with the router lookup process

The IPv4 protocol has an options field in it’s header and it is possible to add source routing information to specify the specific path for traffic to take regardless of what is in the routing table. This can assist attackers to manipulate the flow of traffic to possibly bypass some network security devices.

Typically an IPv4 packet does not include options and can easily be scanned for should anyone add any using BPF filters.

ip[0] & 0x0f > 5

Routed protocol is a protocol that allows data to be routed. These protocols provide an addressing scheme and sub-netting. The addressing scheme identifies the individual host and the network to which it belongs. Each host address bust be unique. All hosts on an internetwork must use the services of a routed protocol to communicate.

Routing Protocol are used by routers communicate routing information with each other. Unless all routes are manually entered into the router, the router needs to learn from other routers about the networks that they know. They use this shared information to populate their routing tables so that they can make better decisions when forwarding routed protocols such as IPv4.

Routing protocols are broken down to 2 types:

Not all routing protocols support all "routed" protocols. If you are running more than one then its possible that you may have to run additional routing protocols to ensure that those routes are advertised.

Redundancy on networks are critical should a fault occur. One limitation on user PC’s is that you can only configure one default gateway. Should this device fail the users cannot get out of their local network. Even if 2 or more routers are configured for redundancy, each interface will have a different IP address and both cannot be configured on users. FHRP provides a mechanism to provide alternate default gateways in switched networks where two or more routers are connected to the same network.

FHRP works by assigning a virtual router to 2 or more gateway routers. This works by configuring a FHRP protocol on all participating gateway interfaces to share a "floating IP" address and MAC. Each interface will have its unique IP assigned to the interface but all will share this floating IP and MAC.

Several types of FHRPs were developed:

HSRP Attack:

Routers must exchange HSRP hello packets at the default interval of three seconds. Packets are sent using the multicast address of 224.0.0.2 (the "all routers" IPv4 multicast address). Since multicasts are flooded over the network similar to Broadcasts, they can be intercepted by any host with layer two connectivity and can inspect the HSRP parameters.

To usurp the active router, the attacker only needs to inject false HSRP hellos claiming the active role with a higher priority.

Administrative Distance

The router can learn about remote networks form many different sources. As it can only put the "Best Route" from only the "Best Source" it needs to determine which source is the most trustworthy. The router will learn of directly connected routes, static routes, and routes from many different routing protocols. The router needs to determine that if a network is learned from more than one of these methods, which will it put in the routing table.

Routers uses an abstract administrative distance (AD) concept to determine the best source route to install into the IP routing table. The AD represents the "trustworthiness" of the route; the lower the AD, the more trustworthy the route source.

Metric

Routing protocols can learn of 2 or more routes to the same destination network. To determine which one is the "shortest", routing protocol uses metrics to determine the best path to a destination network. Routing protocols each uses different factors as its metrics to determine the best/shortest routes.

Some of the most common metrics that routing protocols can use are:

Classful vs Classless

Routing protocols are either Classful or Classless. Classful routing protocols do not send subnet mask information with their routing updates. Classless routing protocols do include subnet mask information with the routing updates.

Classless routing protocols support VLSM and CIDR; classful protocols do not.

Most modern networks no longer use classful IP addressing or Classful routing (RIP and IGRP). Classless routing protocols like RIPv2, EIGRP, OSPF, and IS-IS include the subnet mask information in their routing updates.

IPv6 routing protocols are all considered classless.

Static routes are manually configured on each router by a network administrator to route traffic for every specific remote network. This is common for small networks with few routes to the outside the network but becomes cumbersome on larger networks. They also provide security for some larger networks as all traffic takes predetermined routes.

Static routing provides some advantages over dynamic routing, including:

Static routing has the following disadvantages:

Routing protocols allow routers to dynamically exchange routing information to build routing tables. If 2 or more routers share the same protocol they can communicate with each other. The purpose of dynamic routing protocols includes:

Dynamic routing provides some advantages over static routing, including:

Dynamic routing has the following disadvantages:

Routing Protocol Security Issues

The issue with routing protocols is that they inherently trust neighbors running the same routing protocol. This means that an attacker can "inject" fake or falsified routing updates into the network to either direct traffic to his system or to cause a DOS.

KEY: Protocol: Routing protocol name Type: either interior or exterior routing protocol Convergence: How fast they are to share routing information throughout the intranet. Class: either link state or distance vector AD: Administrative distance. Trustworthiness of the information source. Higher is more trustworthy. Classless: Does it support CIDR? Algorithm: How it computes the "best path" to the destination network using its metrics. Transport Type: How is sends it update over the network. Routing updates: Destination address it uses to send updates to neighbor routers supporting the same protocol.

Interior Gateway Protocols (IGP): Routing protocols that are used within an AS. Referred to as intra-AS routing. Organizations and service providers IGPs on their internal networks. IGPs include RIP, EIGRP, OSPF, and IS-IS.

Exterior Gateway Protocols (EGP): Used primarily for routing between autonomous systems. Referred to as inter-AS routing. Service providers and large companies will interconnect their AS using an EGP. The Border Gateway Protocol (BGP) is the only currently viable EGP and is the official routing protocol used by the Internet.

https://www.vskills.in/certification/tutorial/basic-network-support/routing-protocol-igp-and-egp-and-algorithms/

Within the Internet, an autonomous system (AS) is a collection of connected Internet Protocol (IP) routing prefixes under the control of one or more network operators on behalf of a single administrative entity or domain that presents a common, clearly defined routing policy to the Internet.

Each administrative entity is assigned a 32-bit number to uniquely identify itself to everyone on the internet.

AS numbers are assigned in blocks by the Internet Assigned Numbers Authority (IANA) to regional Internet registries (RIRs). The appropriate RIR then assigns AS numbers to entities within its designated area from the block assigned by the IANA. Entities wishing to receive an ASN must complete the application process of their local RIR and be approved before being assigned an ASN. Current IANA ASN assignments to RIRs can be found on the IANA website.

Reference:

https://www.iana.org/numbers

https://www.iana.org/assignments/as-numbers/as-numbers.xhtml

Distance Vector protocols are simplistic in their operation. They share entire routing tables with their directly connected neighbors and from these shared tables they determine two factors:

A router using a distance vector routing protocol will not have complete knowledge of the network or the entire path to a remote network. Distance vector protocols is typically called "routing by rumor". This means they only know what their directly connected neighbors tell them.

There are four distance vector IPv4 IGPs:

Compared to distance vector routing protocols, a router configured with a link-state routing protocol can create a complete view of the network. This is built by gathering information from all of the other routers to build a network topology.

Link state routing protocols tend to flood the network with Link state Advertisements (LSAs). Each router receives these updates and begins to build a map of the entire network. It will use its algorithms to compute the best routes from this map to all remote networks. After this is done no periodic updates are sent unless there is a change in the topology.

Link-state protocols work best in situations where:

There are two link-state IPv4 IGPs:

BGP is one of only 2 Exterior Gateway Routing Protocols (EGP) created. The other called simply Exterior Gateway Protocol (EGP) was developed in 1982 by Eric C Rosen and David Mills and specified in RFC 827. It was a simple protocol that was eventually made obsolete by BGP version 4 published in RFC 4271.

BGP operates differently compared to IGP protocols. Rather than automatically advertising all internal networks, BGP is configured to specify the precise network and CIDR it will advertise. Instead of making best path selection based of metrics, it uses "paths" (which is loosly similar to hops used by RIP), network policies, or rule-sets. This makes BGP one of the most complicated routing protocols to configure. Where simple configuration errors with an IGP will have an impact on traffic within your network. Whereas a misconfiguration with BGP could have broad ramifications on the traffic routing throughout the entire world.

Reference: Wikipedia BGP link

Each individual organization has the ability to enforce the policies within their networks. However, there is no one governing organization that can enforce the internet. Each individual network is privately owned and controlled in various countries throughout the world. Each county is governed by their own rules, regulations and laws. To allow for the explosive growth of the Internet, it operated on a "trust" model. This means that ISPs were allowed to connect and share their network information with the rest of the world and were trusted that they would "play nice" with others. There was no way to realistically prevent intentional or accidental advertising of networks that the organization does not own.

BGP Hijacking works by:

Reference: Cloudfare

Ultimately it is difficult to defend against. Each ISP can only control their own advertisements and not what is advertised from other ISPs. There are some implementation to help guard against it but each has its own challenges.

References:

https://www.cloudflare.com/learning/security/glossary/bgp-hijacking/

https://en.wikipedia.org/wiki/BGP_hijacking

http://www.bgplookingglass.com/ - Database of 1150 BGP Looking glass servers from various AS. This identifies how that ISP sees the path to a specific Internet address. This is a means to determine if any ISPs may have been compromised with false routing information.

http://www.bgplookingglass.com/list-of-autonomous-system-numbers - List of AS #'s and owners

Below is a list of several examples of BGP Hijacking.

Goto: https://www.whatismyip.com/ to get your IP address.

Goto: https://stat.ripe.net/ and paste in your IP address. It will tell you that it is part of a broader advertised address prefix. Select the choice of the broader prefix.

You can go through all the details on the main IP "At a Glance" tab. This can map out (by percentage) where various IP address blocks are located.

Click the "Routing" tab on the left side. Scroll down to the BGPlay window. It will give you a message that says "This query includes more nodes/events than normal. Rendering this graph may cause your browser to become temporarily unresponsive. Do you wish to continue?" Click "Yes".

BGPlay will show you the AS that is advertising the address and paths of other up/down stream AS#'s that it is advertising to. Optionally you can goto https://stat.ripe.net/special/bgplay to display this view.

This site will take you to a top level site to view each of each of Assigned Numbers Authority (IANA)'s regional Internet registries (RIRs) BGP map. This will graphically display the peer relationships of AS’s. APNIC BGP Map. From this map you can demo the same AS that you found from above and it will show its peer relationships.

Extra:

Ping any major DNS address to resolve the IP address (i.e. www.cisco.com, www.dell.com, us.army.mil, etc) and use the previous steps to portray that ip address within BGP.

This link will take you to a list of "active" ASes and prefixes in the past 14 days for demo purposes. http://bgpupdates.potaroo.net/instability/bgpupd.html

References:

Use this site for a list of all Autonomous System numbers with their owners: http://www.bgplookingglass.com/list-of-autonomous-system-numbers