
So I'm Paul Kagura from Huntsville, Alabama. I'm a full school network I just had me back in 94, got into routers and 97 they do pen testing, doing network consulting 19 bank, so I got into network security consulting in 99. If you've been through, suffered through my previous presentation, I like old war stories; that's my inspiration for my presentations are gonna see. Thank You Grover I'm not going creepiest live for them in their honor
So let's get started here. What would I get into if this conversation is layer 2 security problems and Brezina out there. Everyone's focused on the upper layers of the OSI model, ever give the web apps, Burp, Metasploit, which is already good tools, it needs to be done. But what we're going to do audits looking at networks or binding I'm seen any way that at layer 2 there is a ton of low-hanging fruit this being this, and all you have to do is go in and open up Wireshark. You'll find there's almost a dozen bar Melanesians lot of Mercat ones there big public as those over the negation three different consulting firms came in and implemented three
different manufacturers partly three huge different networks and all three of those numbers three different fingers free for consultants people maybe all had more eight cat ones that discovered the parlor was really bad. Was big inspiration for this presentation when he's the gas were doing Gaza the intestine osep saying Microsoft you need the service they had them all have experience wearing out the other layers in this I'm all web systems OS altar built look totally hey miss low-hanging fruit it was available at layer 2. I mean I personally need to cope with that mark shot almost 44 never exactly sees editor, so I'm gonna make sure you guys that are out there contested issue you're identifying these
layer 2 problems. If you're out there to figure since I didn't make sure you work on this layer 2. Here's the strategy to don't think about the control plane, the management plane, the data plane. It's both money being the device-to-device communication router is pumping routers switches popular switches Howard one of those protocols. How if you put your strategy for security isn't even management plane how are you security the management was in band and out automated even aggressive sage recipe be or use internal service user switches how was that how was all being secured from the management plane in lockout override relationships within the data plane of the usual attitude which is typically the user traffic with everybody's
focusing on. But I want you to think about their control plane and management plane either strategy. Look at it in band and out of band, good for every layer of the OSI model, like your layer one, you know what's going on with wireless how could you go in Tagalog how does it trouble review management it's over the network man for system is very good for you maybe the optical network if you're gonna large optical network up to you switches you're out of the senator so they're here computer supposed school stuff, ARP poisoning. Everybody focused on Daisy rooms we can't fix a date thirty-year it's pretty bad everybody think of other systems pilots from windows PI's we have grass patch
you there's there regularly not new scanning their web apps got all that automated. If you go in there Toby this is the and presently to where you can go ahead you're not going into ARP poison. ARP, basically: if you want to resolve, you want to go to connection up here is your network, you're going to have to consult your IP address and MAC address, especially we have a broadcast and very owns that is that racism responded. Might well you can go into an ARP poison by sending gratuitous ARPs, unsolicited, poisoning the ARP cache of the network so the traffic for me to be pretty to you. This is some really old school so
the ARP was great early years ago. In most of the networks you can go in at home, you can put your laptop using this. You're not gonna be a powerful image with the latest a zero because they're all of the are Potter walls thanks all the log now, but you're going to take a turn around, do a man-in-the-middle attack, I'm gonna throw your whole new delivery because there never is not block on. And here's an example of what it would look like using something like Cain and Abel. If I go to do this to a customer then we're going to use a cable because you control demonstrative PowerPoint that's what the I think of the day you have to
do is you guys are doing honking. This slide is in honor of a gap we rather get out of it no matter how many times the Kami they're doing this is age they'll be sure in the new terminus is in curtain two if you're in that they're doing artist go could run his ARP poisoning history and then go in totally and there were exactly tell them that you think that one of their systems is hung up moderately accidentally policy how one have somebody only teen you have it of have attenuating something fired up there and then you may need your back text your traffic is watching their replays what if they can do day to day
you will trigger their reflex. A lot of times would you find these little too straight to tell them that but that's a reflex. I think I did this to someone I had kid never ever broken a person trophy to ARP wasn't Cain and Abel to the network guy this one over total method mutants box she's dope element no hopping day before the day before when he was getting to do by the auditors law SSH but you know a big side go fixes well I've got in regard inspection in or out resources function you may pressure you got where school know something that but what but least once you here without going when I was doing consulting once
you're get probably in doings in response and somebody is eating pop with a girl needs I don't at least once or twice a year repeating this. You need to go into those, if you've got these making switches got the feature during the knobs there to lock this down, go and lock down that trust relationship and don't let the busy in user accident or just these spoof of the DHCP server and setting up a man in the middle by advertising themselves as the default gateway. And what typically happens, how you're going to discover that this attack is happening to you, is that the whoever it is it's far enough to go DHCP server they don't really understand
network even hacking they haven't published right a job either a little happen they'll cause a denial of service because they forgot to turn on my people T so they'll hang out the back gate with you try to redirect it to them and then they forget the older to traffic that will trigger hours or gonna try to scan something a bit but it never got started to keep some cops whatever and then definition and maybe track them down who's ready to be served. So you're going to go through this again sometimes make sure your eternal not before to do this is everybody who's busted otherwise if they turn on IP forwarding they'd never get covered because they're not modern
for roadies and these big of DHCP. I come from a background I'll spit me to be years building telco service providers Bagram home ESL cable one, and one thing we had to do the cable service provider these provide the ability for law enforcement coming into a wiretap you. When law enforcement comes in and they won't show that they served with a warrant they can tap your network maybe I ought to be traffic they don't trust apply if it did need to be private you better be encrypted just like to be looking at it because everybody by putting in a lot of goods. So here's what so here's really something I want you to do a trade if
you work with grout marina they work you're doing DHCP ordered we're going to network where personalities they're totally against ucz because they want to be able to to try to ground user more easily. Here's the solution part in search of all the leads they called option 82. When the bad show up with a warrant and they want to know who has as I use this we could go back into the logs and tell at what time someone that didn't compute requests and trace them all the way back to the individual physical interfaces that come on through the network. That's how this works is when you're going to send DHCP requests room wherever you get into the
network whether you come in tomorrow that's part of the home cable what happened when you come in it's gonna inject into that DHCP request header it's going to inject into the chassis name and physical interfaces your comment on the network, and then if you have a DHCP server that supports option 82 logging it will log that. So not only do you have a magnetic as IP there's nothing now you have a physical name of the chassis of the say that the SLD slab will receive a little termination system to see key is what however the cable network you know what visit no they were attached you over them to your face and so that way the
fans can go kicking the rock over to just put the thing different is from the enterprise side a lot of us Enterprise PC don't know about this option 82 the new version of Arkansas's EGD search support option 82 you used to probably like Linux DHCP server or go get more commercial robust easy so you get that chain to be Microsoft's DHCP server support option 18 ounces up you guys we managed to help tracing back home. Here's some more old school stuff it's out there: spanning tree. Watch you just go back to that control plane, why should your eat you to be seeing your network device right there sitting there VLANs and they want to be certain
way or your enterprise efficient applications why would they need to be seeing network NEBOSH traffic try to confirm your valid or distraction from your solutions with a switch to switch protocol, router to router protocol, there's no reason for them to see that. Here's one here that they should not say you spanked sure if you go back to your home network or if you're out doing consulting and audits you should pull that Wireshark up see what you're seeing identify the protocols or they like it seems like spanning tree no it's because illiterate users are running this way it's why they do what they do you see that visit you can see it you can either
actively interact and you might be manipulating people in this endeavor and what you're going to say typically if you're in system there were none of those schools Cisco that you'll see a spanning tree protocol the screw head wire which was he frames it was he praying 30 seconds PSM are typically by the above did was he a priority default higher than 32 citizen yet the lowest priority is what becomes what they called a root bridge on the network where he can go and tackle a the spanning tree algorithm and determine into the path through the network, but there's no reason for the user to see they took a good luck luck you guys probably turn on
an important file or disable stain sriyani and user access or to disable that but but in case you don't if you don't do that what somebody can do is they could come in and plug in wonderful wonder someone goes and it blows in any one of these my pop and they got two days there is two different places on the network maybe there you go we didn't do got a man in the middle at layer 2. I personally received this type of the time it's theoretically possible there definite because you'd have to know a lot more about the the targets network to be is yourself buddy did you hear the switches that typically see is one lady
to the network and they denial-of-service when this is attack what most of time this penetrating type it's not someone that's doing it on purpose because another pen tester is not gonna do this on purpose because this would be bad form you're probably also denial of services that you should stop engaging in your project man you appreciate that you shall do the clock stops and you feel them that's a negative is somebody then you gotta find someone to put your time after that date so you typically don't do this indie game is gonna be typically but you don't see where this is a package won't happen it's going to be a word a user is going
to bring in a rogue device say you're sweet / rather /xs orange like totally think they picked up somewhere they're gonna plug in your showroom on that first previous like that priority of 3270 wonder if they plug in their toaster oven router access points which Internet of Things Bob you know it's a switch from spanning tree it has a local property he doesn't hear that you've paid a couple hundred thousand dollars from some deep tear through systems needs your guys his clothes because you have a security of network $80 switch they got on eBay information all your tribe has got a little spanning tree protocol in Suika treasure I personally see a large manufacturing operation did
knocked out because of that very large operation and they're been around like he's not God and then they're calling this pregnant consultants to help troubleshoot the network it's pretty regular dissolves but it showed that this is old-school stuff why are we paid all this money for the more expensive Maggie's blankie lives take your bigger cooler why are we painted with all that if we're not gonna turn to use the because the clause so need to be looking the suit like like said on the Cisco guys why don't I go with your sister but I didn't mean for you to do on your Cisco stuff you tournament quarterfinals it use you so this should be sending
city to see any spank spank your cocoa but going to turn on root guard so that your heart set who's going to be your root switches in the network, and also set up BPDU guard so that if the user starts sending BPDU frames on the network that it will shut that port back and then they can call the help desk and then they can explain why they're introducing spanning tree protocol in the network. Don't think me because it could be that maybe that maybe you've got some kids that's going to bars and open and bought my hacker book and he's made he's discovered to a college or city maybe he's introducing their single
he uses you're sitting at the NSA a p.m. or good Taliban's CD in introduced TPP you phrase if you haven't played with your symptoms our city is pure evil there to be tormented Network caters only dude if you have a sign yet most engaging could you're thinking will also incur you so here is another problem we said there is a protocol called dynamic trunking protocol against default I saw a gentleman really nice guy I was there doing network other gentleman was not every word on the network was there's some compliance often had these human ever a guy had switches big as that go back they're gonna be tall chassis top of the lines we network
because he had deep all cities get here something they ended up losing the job even though I fix the difficult while I was there so I'm in this case that's over he was half on negotiations they don't order speed and duplex and he's introducing all kinds of stars in here he was killing his connections to the Edgewater it's a movement we saw because he had a boss said so here's another example of Meatballs this going to get you high it is Sidon leaving only dynamic trunking so that you switch ports automatically negotiated why would you eat users kind of like the spanning tree well I was needing usually spanning tree protocol when they're not freaking
switch savings the same thing here why does your user seems being able to negotiate the trunking immediate multiplex and uterus dealings to get themselves into say the server VLAN, the voice VLAN, a baby through video surveillance VLAN, your Internet of Things VLAN, there's my persecutors of that females that's segmentation but if you love document under protocol I'm gonna jump into all those security man is possible again our friend you're sitting in can crap package really to you if you're not into snappy and rolling around the tool because going down but you're seeing you've got that use power and you jump into two other people and start influences and so we want to make sure
that we lock this down. So here's another think about it they need to do VLAN hopping and again our friend Virginia will do this for you where we might be we've got show people in our users these are safe are they in VLAN 10 for example but we we know that the good stuff is hidden behind 48 work we've got to do sir as pissed off he knows he's about to be fired it evils to disrupt say manufacturing operations well it could be real easy that they could go with a double tag an Ethernet frame you spike it down the wire the switch is gonna see it then this one strip off that first frame and
they just will have that second base I can feel I'm tired you can go and baby drop it into another VLAN save me one more year and sit on the hall this way. Now I would do some of those narratives that we're getting you together you're real careful issues at your rules behavior because if you mess it up if you start causing Adult Swim comedy my my my goal is always to never make the help us live soon as you sign the contract to go do a pen test you have not got off the elevator in your car yet when the printer runs out of Hungary get your some things as a publicly traded company we feel that he
just got the contracts I mean even playing in them did we start like true story the thinner things we should be awkward things that you may not go and execute but we need to go because it still needs to be fixed. There's another problem and I kept blowing up the CAM table. I would never do this very engagement that you need to go home and audit your switches to make sure that you're protected against this for looking for good fittings make sure that the number of MACs per access port they're going to meet more than one tip especially today they're gonna be more than one MAC addresses virtual machines you may have whatever IP phones things like that that are plugged answer
but there's no reason to have nothing back that recipe will pull up the CAM table of the switch so we want to go and lock that down you know somebody starts trying to you pull up the CAM and we want to be too alert to that. Now here's an old-school problem you guys do you're working in an environment Cisco if you're not to be ready to go about it because this will bite you this is a VLAN trunking protocol you haven't done networking you've been hit by this one so nobody most of all what I was kind of a programming VLANs which is what you do is you'll be doing in Crete specify the switches trouble your server you
figure out which ones are gonna be your clients and you might have a case what you have one is a transparent until we create all your VLANs on the server on the switch at your server and they would propagate out to your client switches no way you can program the network on one place another transparent what's happening to transparent needs is staying alone you can set up a trunk and pass your VLANs across from switch the switch but you're going on the program each individual transparent switch they just works really great things cool except for the problem most people go and use patterns like Cisco Saints running or nothing all on this Ridge which leads to this nice little problem
every time I go and talk to people at conferences and things they tell you salami somebody comes each other and they got run out of this so what you got to look for if what's going to happen and I say this since I was working as a consultant says nothing I've seen a lot it's kind of like EGP crossing here I'm gonna see this is my phone call they're on top of me evading the resume because I don't back up others know about nobody's hiring nobody decomposed I've rebuilt our network so that's why I'm here is this research we have all their VLANs their documentation we know they they spilt they still cook on that napkin and
a the network problem with a piece of steak zone that's a because that's what's up today their domains here in pipeline is a they got their large number of large operations in somebody decides to go and buy some gray market equipment or they got some equipment is setting in the lab this being used and they need to add switch points for a new project what I they gonna put take this new switch plug it in network they loved their VTP domain and their password is all in default this guy may be sitting a lot of what happened it's been it has a newer version of the VTP database they go plug this bad boy in is because it's got a
newer version of the database in which super dr. Ridley he set all the defaults wishes to be a server this little sync up is gonna override your VLAN database they help desk lie so a lot of you never met the CEO you'll be the CEO
because this is what we need. So what we need to do is very simple you guys that have wanted a gun to do that are working with these devices you're going to do your show run do to show starts you need to remember that the router switch could be your switch good day is not where the VLANs are creating the Senate so you go delete that vlan.dat, make that go away and change the passwords about to run out of town. So we're gonna do this group is broadcast over is it Holly overlooked all the network guys are over the network for broadcast over there was a nuclear plant very close to where I
live here my is that on the news they had an emergency shutdown a few years ago because what appeared to be some kind of hardware failure on the network which to be equates to broadcasting again I'm about the fancy lights we need to be turning on the broadcast omen broadcast multicast forms locking never go whoever's doing the other things to make sure this is our network station I've been getting knocked out by a bad NIC card you guys see a whole lot Stu you plug it you open up Wireshark this is low-hanging fruit you see in the HSRP, the VRRP that we've done this is where you got to grab we were saying I'm
heartbeat between each other want to grab these photos Heather picks up well well here's what you're going to see you're gonna see these two routers talk with each other and you're gonna see the password in the clear typically like Cisco even though they could do like MD5 they will not they were there have no authentication or clear text did you not think don't think it's just as a HSRP Cisco pump PRPs all the - I saw this on the Brocade each you to permit would VRRP so what we could do with your import another packets we could import those packets into this tool a philosophical so you guys are into scampi if you're one of those encouraging or something
would be dirty download capsule and coalesce all export package you can go in and India the people to rebuild and checksum and fire on the network this is a cool little tool and now you're a router you're out here freaking out but remember what the gates you think I don't remember a lot of people otherwise you're going to be dropping traffic in a bit but then v6 everybody's a lot of people running these things and they say they're not but they really are you can go and look at 86'd evil or just type in IPv6 and filter a lobby t6 traveler you can you're gonna be seeing about solicitations we're looking for our router so they learn
a BBC IP address you can pick you could go in to start a clock router this is one replacement man there's no longer our positive 90 v6 this is your replacement for ARP poison doing spoofing the router in your LAN so you give a little facsimile of getting ARP poison is gone but they've got the without eb6 we've got a neighbor discovery spoofing we can do because we're gonna be sent out the discovery I don't feel any try to discover d6 period but it's all because it's multicast we don't have a broadcast about UC to have multicast so we could go and neighbor discovery protocol the tools I would look at new instead of me or the King
Nate will go to capital will or years ago HR on that equal cloaca Charlie's really good and the DMZ stuff did you learn to look into a look at the probably limousine plays would VLAN access to this lock down these DMZ those trust relationships if you're gonna network or switches you've got a politician can't deal with to go that's a hard to fire going to look at maybe NSX implement NSX intersect is really good your number paper structure doesn't support segmentation locking down on the layer 2 33 and giving them a monitoring I'll wrap over to this with monitoring you got to get visualization on the network I ready to put taps in place
what if somebody hacks and network infrastructure what are the browser switch gotta go to the room here a large enough network where you need separation of duties put in network house to try to got abandoned me because I'm taking the router god I don't about it you don't secure you guys in my network anybody hope it made the route for the attack super big ball apologies you put it in and out of a nipple to monitor okay so here's some references words is where I learned everything in Oh ray The Lancet spirit of the ebon about read secures right over time apparently that's how the questions we have a microphone because if you're going to be on the screen here
and please repeat questions pretty important. I'll throw one out, I guess you only have one. Wow, so this is all very enterprise-y, um, which is good. How does this translate to say when the folks are going on to AWS or any other cloud environments in your virtual private networks and the traffic is past conceptually it was similar fashion, how do you see that the lessons learned here can translate to the world where there is no physical work? Well I personally do not delegate it is I'm going to buy the service I'm going to have some kind of management plane that I can be used to go in and lock down my
trust relationship. Did you imagine a that you can do it by virtual firewall etc lockdown there are undoubtedly dazzling you should be too. I would recommend you're going to build a traffic matrix of trust relationships so you can lock that down depending on what the cloud vendor is you know I'd have no traffic