Preface

Building a zero-trust network is inseparable from network access control (NAC), which in turn involves security testing of the switches. That is how this article, "Common LAN attacks seen from the switch security configuration", came about.

Switch Security Configuration

As the title says, the common LAN attacks are looked at from the angle of switch security configuration. The "H3C Switch Security Hardening Manual" and the "Security Configuration Guide" published by H3C show that the switch supports a large number of security settings, which together cover essentially every kind of LAN attack we are familiar with. A few typical attacks are demonstrated below.

ARP spoofing


Principle

Each host keeps an ARP cache that maps IP addresses to MAC addresses, and data transmission on a LAN depends on MAC addresses. The ARP cache mechanism has a flaw: when a host receives an ARP reply, it does not check whether it ever sent an ARP request to that party. It simply stores the IP-to-MAC mapping carried in the reply in its ARP cache, and if an entry for that IP already exists, the entry is overwritten.

An attacker can therefore send forged ARP messages on the LAN announcing "I am host X", poisoning the target host's ARP cache. That is ARP spoofing.

Tools

arpspoof

Ettercap

bettercap

ARP attack scenarios:

ARP disconnection attack: poison the target host's ARP cache so that the gateway IP address maps to a false MAC address; the target's traffic no longer reaches the real gateway.

Man-in-the-middle sniffing: spoof both the target host and the gateway (bidirectional spoofing), with IP forwarding enabled on the attacking host so that traffic still flows and can be inspected in transit.
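The flaw described above (a reply is accepted without an outstanding request, and an existing entry is overwritten) is exactly what a passive monitor on a mirror port can look for. The following is an added example, not code from the original article or from bettercap: it parses raw Ethernet/ARP frames, tracks which requests are outstanding, and reports unsolicited replies, IP-to-MAC binding changes, and a sender MAC that does not match the frame's source MAC (the same test the switch's `arp valid-check enable` performs). The gateway address 192.168.6.1 and all MAC addresses are assumed values constructed for the sample traffic; the attacker and target IPs follow the article.

```python
"""ARP reply monitor for the cache-poisoning behaviour described above.
Added example; sample frames are constructed inline, nothing is sent."""
import ipaddress
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = b"\xff" * 6


def mac(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_arp_frame(op, sha, spa, tha, tpa, eth_src=None, eth_dst=BROADCAST) -> bytes:
    """Ethernet II + ARP frame (used only to construct sample input here)."""
    eth = struct.pack("!6s6sH", eth_dst, sha if eth_src is None else eth_src, ETH_P_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op, sha,
                      ipaddress.IPv4Address(spa).packed, tha,
                      ipaddress.IPv4Address(tpa).packed)
    return eth + arp


def parse_arp_frame(frame: bytes):
    """Return the ARP fields of a frame, or None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42:
        return None
    _, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"eth_src": eth_src, "op": op, "sha": sha, "tha": tha,
            "spa": str(ipaddress.IPv4Address(spa)), "tpa": str(ipaddress.IPv4Address(tpa))}


class ArpWatch:
    """Learns IP->MAC bindings and reports replies that a host's cache would blindly accept."""

    def __init__(self, trusted=None):
        # ip -> MAC; seeded with bindings we trust (e.g. the gateway), learned for the rest
        self.bindings = {ip: mac(m) for ip, m in (trusted or {}).items()}
        self.pending = set()      # (asker_ip, asked_ip) for requests not yet answered
        self.alerts = []

    def observe(self, frame: bytes):
        arp = parse_arp_frame(frame)
        if arp is None:
            return []
        found = []
        # Same check as the switch's 'arp valid-check enable': ARP sender MAC must match the frame source MAC
        if arp["sha"] != arp["eth_src"]:
            found.append(f"sender MAC {mac_str(arp['sha'])} differs from frame source {mac_str(arp['eth_src'])}")
        if arp["sha"][0] & 1:
            found.append("sender MAC is a multicast/broadcast address")
        if arp["op"] == ARP_REQUEST:
            self.pending.add((arp["spa"], arp["tpa"]))
        elif arp["op"] == ARP_REPLY:
            if (arp["tpa"], arp["spa"]) in self.pending:
                self.pending.discard((arp["tpa"], arp["spa"]))
            else:
                found.append(f"unsolicited reply claiming {arp['spa']}")
            known = self.bindings.get(arp["spa"])
            if known is None:
                self.bindings[arp["spa"]] = arp["sha"]       # first sighting: learn it
            elif known != arp["sha"]:
                found.append(f"{arp['spa']} moved from {mac_str(known)} to {mac_str(arp['sha'])}")
        self.alerts.extend(found)
        return found


def demo():
    """Constructed traffic: the target (192.168.6.5) resolves the assumed gateway 192.168.6.1,
    then a second reply for the gateway IP arrives carrying the attacking host's MAC."""
    gw, target, attacker = mac("00:11:22:33:44:01"), mac("00:11:22:33:44:05"), mac("00:11:22:33:44:03")
    watch = ArpWatch(trusted={"192.168.6.1": "00:11:22:33:44:01"})
    frames = [
        build_arp_frame(ARP_REQUEST, target, "192.168.6.5", b"\x00" * 6, "192.168.6.1"),
        build_arp_frame(ARP_REPLY, gw, "192.168.6.1", target, "192.168.6.5", eth_dst=target),
        build_arp_frame(ARP_REPLY, attacker, "192.168.6.1", target, "192.168.6.5", eth_dst=target),
    ]
    return [watch.observe(f) for f in frames]


if __name__ == "__main__":
    for alerts in demo():
        print(alerts or "ok")
```

The first two frames are a normal exchange and produce no alert; the third produces two, "unsolicited reply" and "moved from ... to ...", which is the signature of the poisoning the article demonstrates. Seeding `trusted` with the gateway binding is what turns a silent overwrite into an alert even when the monitor was started after the attack began.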

Attack demonstration

Here we use BetterCap to demonstrate the ARP attack.

Attacker: 192.168.6.3

Target: 192.168.6.5

1. Start BetterCap. If the machine has several network interfaces, specify the one to use. The command is:

sudo ./bettercap -caplet http-ui -iface en0

If the following output appears, it has started successfully.

The web UI account and password are defined in http-ui.cap.

2. Host discovery:

Go to the LAN tab and start host discovery.

You can also enable it from the terminal with the following command.

3. Enable ARP spoofing

Go to the Advanced tab and start ARP spoofing, as shown below.

By default it spoofs every host on the LAN, so we narrow it down as needed: set the target IP and turn on FullDuplex so that both the target and the gateway are spoofed (bidirectional).

Go back to the LAN tab; the small icon next to the host shows that the configuration took effect.

Finally, let's look at the result.

As shown above, the attack succeeds: in the target machine's ARP table, the gateway's MAC address has been replaced with the attacker's.

The same is true for routing tables on switches.

The packet capture result is as follows.

ARP spoofing defense

Let's look at how the switch protects against this attack.

Searching the official manual turns up the following:

After a simple configuration, the desired effect is achieved.

system-view
arp check enable
arp user-ip-conflict record enable

The full set of ARP defense configurations is as follows:

system-view
# Dynamic ARP entry check: do not learn entries whose sender MAC is a multicast address
arp check enable
# ARP spoofing defense: record conflicts where one IP address is claimed by different MAC addresses
arp user-ip-conflict record enable
# ARP flood defense: rate-limit packets to unresolvable IP addresses from the same source
arp source-suppression enable
arp source-suppression limit 100
# Black-hole route an unresolvable address after the configured number of probes
arp resolving-route enable
arp resolving-route probe-count 5
arp resolving-route probe-interval 3
# Check that the sender MAC inside the ARP packet matches the source MAC of the Ethernet frame
arp valid-check enable
# Active acknowledgement: verify a reply before an existing ARP entry is modified
arp active-ack enable

DNS spoofing

Principle

This attack is used together with ARP spoofing. Once ARP spoofing has succeeded, the attacker sniffs the DNS request sent by the victim and reads its transaction ID and source port from it, then sends a forged reply carrying those values. Because the ID and port match, the victim accepts the reply, stores the domain name and the attacker's chosen IP address in its DNS cache, and discards the genuine reply that arrives later.
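The race described above leaves a visible trace on the wire: two replies for the same transaction ID and client port, with different answers. The following is an added example, not code from the original article or from bettercap, that builds and parses minimal DNS messages and flags a second, conflicting answer for an outstanding query, as well as answers coming from an address that is not the configured resolver. The resolver address 192.168.6.1, the client port, the name blog.example and the genuine address 203.0.113.10 are assumptions constructed for the sample; 192.168.6.3 is the Kali host from the article.

```python
"""DNS response monitor for the spoofed-reply race described above.
Added example; packets are constructed inline, nothing is sent."""
import ipaddress
import struct


def encode_name(name: str) -> bytes:
    out = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    return out + b"\x00"


def decode_name(msg: bytes, off: int):
    """Decode a possibly compressed name; return (name, offset just past the name field)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode())
        off += length
    return ".".join(labels), (off if end is None else end)


def build_query(txid: int, qname: str) -> bytes:
    return struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0) + encode_name(qname) + struct.pack("!HH", 1, 1)


def build_response(txid: int, qname: str, ip: str, ttl: int = 300) -> bytes:
    hdr = struct.pack("!6H", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)
    # answer name is a pointer to the question name at offset 12
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + ipaddress.IPv4Address(ip).packed
    return hdr + question + answer


def parse_dns(msg: bytes) -> dict:
    txid, flags, _, an, _, _ = struct.unpack("!6H", msg[:12])
    off = 12
    qname, off = decode_name(msg, off)
    off += 4                                            # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        _, off = decode_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:                   # A record
            answers.append(str(ipaddress.IPv4Address(msg[off:off + 4])))
        off += rdlen
    return {"txid": txid, "response": bool(flags & 0x8000), "qname": qname, "answers": answers}


class DnsWatch:
    """Tracks outstanding queries per (client ip, client port, txid) and flags a second
    answer for the same key that disagrees with the first, or an answer from a non-resolver."""

    def __init__(self, resolvers):
        self.resolvers = set(resolvers)
        self.seen = {}      # key -> (qname, answers of the first reply or None)
        self.alerts = []

    def observe(self, src_ip, src_port, dst_ip, dst_port, payload):
        d = parse_dns(payload)
        found = []
        if not d["response"]:
            self.seen[(src_ip, src_port, d["txid"])] = (d["qname"], None)
            return found
        key = (dst_ip, dst_port, d["txid"])
        if src_ip not in self.resolvers:
            found.append(f"answer for {d['qname']} from non-resolver {src_ip}")
        if key not in self.seen:
            found.append(f"answer for {d['qname']} with no matching query (txid {d['txid']:#06x})")
        else:
            qname, first = self.seen[key]
            if first is None:
                self.seen[key] = (qname, d["answers"])   # first reply wins, as in the victim's cache
            elif first != d["answers"]:
                found.append(f"conflicting answers for {qname}: {first} then {d['answers']}")
        self.alerts.extend(found)
        return found


def demo():
    """Constructed exchange: the victim asks the assumed resolver 192.168.6.1 for blog.example;
    a reply pointing at 192.168.6.3 arrives first, the genuine reply second."""
    watch = DnsWatch(resolvers={"192.168.6.1"})
    query = build_query(0x1A2B, "blog.example")
    spoofed = build_response(0x1A2B, "blog.example", "192.168.6.3")
    genuine = build_response(0x1A2B, "blog.example", "203.0.113.10")
    return [
        watch.observe("192.168.6.5", 50123, "192.168.6.1", 53, query),
        watch.observe("192.168.6.1", 53, "192.168.6.5", 50123, spoofed),
        watch.observe("192.168.6.1", 53, "192.168.6.5", 50123, genuine),
    ]
```

The spoofed reply itself passes silently, which is the whole point of the attack: ID and port match and the source IP is the resolver's. The alert fires only when the genuine reply arrives with a different answer, so a monitor of this kind must keep the first answer per transaction rather than just validate each packet on its own.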

Tools

Ettercap

bettercap

The primary use of DNS spoofing is for phishing.

Attack demonstration

Let's use BetterCap again:

ARP spoofing has already been configured and enabled as above.

Configuring DNS spoofing

For the demonstration we set up a web server on Kali, which the spoofed name will point to.

Then configure DNS spoofing. A blog domain is used for the demonstration, resolving it to 192.168.6.3, the Kali host configured above.

We then issue a DNS query on the spoofed host and see that the result is what we expected.

Filtering for the DNS reply packet in Wireshark:

For bettercap's other modules, see the official documentation:

www.bettercap.org/modules/

The two attacks shown above are the most common ARP attacks. Others, such as ARP flooding, are simple to carry out and are not demonstrated here. The following tools can be used for testing:

Github.com/davidgfnet/…

Github.com/EmreOvunc/A…

DHCP Flood

Principle

The attack source sends a large number of DHCP request packets to the DHCP server. This consumes CPU on the server and exhausts its address pool, so legitimate DHCP clients can no longer obtain IP addresses.

Tools

Yersinia is mainly used here for demonstration:

Github.com/kamorin/DHC…

Github.com/tomac/yersi…

Yersinia introduction

Yersinia is an attack tool for layer 2 switched networks. It supports attacks against the following protocols:

Spanning Tree Protocol (STP)

Cisco Discovery Protocol (CDP)

Dynamic Trunking Protocol (DTP)

Dynamic Host Configuration Protocol (DHCP)

Hot Standby Router Protocol (HSRP)

802.1Q

802.1X

Inter-switch Link Protocol (ISL)

VLAN Trunking Protocol (VTP)

Attack demonstration

1. Start the tool in graphical mode

yersinia -G

2. Configure and launch the DHCP attack

Before starting, check the address pool usage on the DHCP server. Everything is normal.

Go back to Kali to configure the attack and switch to the DHCP tab. Four modes are available; select the DoS one to launch the DHCP flood.

After Kali launches the attack, go to the switch and look at the IP pool usage. As the following figure shows, a large number of addresses are now in use. In this attack the DHCP address pool is completely exhausted, so other clients can no longer obtain IP addresses.

DHCP Attack Defense

# Set the DHCP flood attack detection threshold to 2 packets
dhcp flood-protection threshold 2 9000
# Set the aging time of DHCP flood attack entries to 90 seconds
dhcp flood-protection aging-time 90
# Configure DHCP snooping
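To make the threshold and aging-time settings above concrete, here is an added example that is not part of the original article and not H3C code: a small per-port flood guard run over constructed DHCP events. It applies the article's values (a threshold of 2 packets in a 9000 ms window, attack entries that age out after 90 s); how the real switch counts packets is an assumption made here, and the port names and client MACs are constructed for the sample. Counting per ingress port rather than per client MAC is a deliberate choice: the pool is exhausted by many different client MACs on one port, so that is the pattern the guard keys on.

```python
"""Per-port DHCP flood guard modelled on the threshold/aging knobs above.
Added example; the counting semantics are an assumption, not H3C's documented behaviour."""
from collections import defaultdict, deque


class DhcpFloodGuard:
    def __init__(self, threshold=2, window_ms=9000, aging_s=90):
        self.threshold = threshold
        self.window_ms = window_ms
        self.aging_ms = aging_s * 1000
        self.recent = defaultdict(deque)   # port -> (timestamp_ms, client_mac) within the window
        self.blocked = {}                  # port -> timestamp_ms at which the attack entry expires
        self.log = []

    def handle(self, now_ms, port, client_mac):
        """Return 'forward' or 'drop' for one DHCP client packet seen on `port` at `now_ms`."""
        # age out expired attack entries first
        for p in [p for p, until in self.blocked.items() if now_ms >= until]:
            del self.blocked[p]
            self.log.append(f"{now_ms}: {p} attack entry aged out")
        if port in self.blocked:
            return "drop"
        window = self.recent[port]
        window.append((now_ms, client_mac))
        while window and now_ms - window[0][0] > self.window_ms:
            window.popleft()                # slide the detection window
        if len(window) > self.threshold:
            distinct = len({m for _, m in window})
            self.log.append(f"{now_ms}: {port} exceeded {self.threshold} DHCP packets in "
                            f"{self.window_ms} ms ({distinct} distinct client MACs); "
                            f"dropping for {self.aging_ms // 1000} s")
            self.blocked[port] = now_ms + self.aging_ms
            window.clear()
            return "drop"
        return "forward"


# Constructed sample: (time_ms, ingress port, client MAC). One ordinary client on GE1/0/5
# (DISCOVER then REQUEST), then a burst with a different client MAC each time on GE1/0/3.
EVENTS = [
    (0, "GE1/0/5", "00:11:22:33:44:05"),
    (1000, "GE1/0/5", "00:11:22:33:44:05"),
    (5000, "GE1/0/3", "02:00:00:00:00:01"),
    (5010, "GE1/0/3", "02:00:00:00:00:02"),
    (5020, "GE1/0/3", "02:00:00:00:00:03"),
    (5030, "GE1/0/3", "02:00:00:00:00:04"),
    (20000, "GE1/0/3", "02:00:00:00:00:05"),
    (96000, "GE1/0/3", "00:11:22:33:44:07"),
]


def simulate(events=EVENTS):
    """Run the guard over the events; return (per-packet verdicts, log lines)."""
    guard = DhcpFloodGuard(threshold=2, window_ms=9000, aging_s=90)
    verdicts = [guard.handle(t, port, m) for t, port, m in events]
    return verdicts, guard.log


if __name__ == "__main__":
    verdicts, log = simulate()
    for (t, port, m), v in zip(EVENTS, verdicts):
        print(f"{t:>6} {port} {m} -> {v}")
    print("\n".join(log))
```

With the article's numbers the third packet on GE1/0/3 within the window trips the guard, everything from that port is dropped for the next 90 s, and a packet arriving after the entry has aged out is forwarded again. The ordinary client's two packets stay under the threshold, which is the balance these two settings are meant to strike.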

Final words

These XP-era techniques are largely unusable today and rarely appear in real engagements. Times have changed.