Part III: Protocol Exploitation in Cisco Networking Environments

Chapter List

Chapter 12: Spanning Tree, VLANs, EAP-LEAP, and CDP
Chapter 13: HSRP, GRE, Firewalls, and VPN Penetration
Chapter 14: Routing Protocols Exploitation
image from book
CASE STUDY: THE FLYING OSPF HELL

It was five in the afternoon when David got his first complaint about the connection difficulties from one of the users. At first, he wanted to ignore it, head home, and deal with it the next morning. The working day was over and the last thing David wanted was to investigate yet another user complaint that was probably linked to the incorrect settings of that guy's browser, or that was caused by him attempting to connect to one of those dodgy web sites banned by the egress content filtering lists. But then the complaints started to flood in. Something was terribly wrong. David pinged a few hosts , both outside and on the intranet. The packet delay was apparently tripled and packet loss reached 40 to 50 percent of all ICMP pings sent. Then he ran traceroute a couple of times, and every time it showed that instead of going across the main OC-3 ATM pipe, the traffic went across a backup 802.11 point-to-point link that was normally dead. Why was this happening?

Kevin, a devoted wardriver who never missed a hacking opportunity, sat in a beer garden of the Lunar Eclipse pub, when he spotted what looked like a microwave dish on the roof of a gray building across a high fence. Sitting in a pub, sipping a cold pint of ale, and hacking away over someone's unprotected pipe was an opportunity he couldn't miss .

The next time he visited the pub, Kevin brought his laptop and a spare battery and a Prism chipset 802.11 client card. He asked his mate to buy a round of stout, and while he was away, Kevin fired up Kismet and immediately spotted GOV-P2P ESSID. Fascinating! This must be it! The link was protected by WEP, but WEP wasn't a problem, not for more than a year anyway. Kevin sniffed the link for 5 minutes and couldn't see much traffic going through. He looked at the MAC addresses of bypassing packets and saw several addresses that were part of the multicast reserved range (00:00:5e:00:00:00 to 00:00:5e:ff:ff:ff). One of them looked like a CDP address, and another three translated to 224.0.0.5, 224.0.0.6, and 224.0.0.9. Cisco CDP, OSPF, and RIPv2! Wow! This network was far from being the average home user WLAN and was definitely worth having a go at! With such an amount of bypassing traffic, passive sniffing for cracking WEP the traditional way was useless. Kevin launched Aircrack and in about 30 minutes caught the first ARP, suitable for a malicious traffic reinjection attack. It took another 30 minutes of bombarding the network with injected packets while sipping Murphy's with crisps until the cracked WEP key finally fell into his hands. Kevin supplied it to the Kismet configuration file for instant traffic decryption, restarted the tool, and held his breath .

The result was clearly worth the effort! There were CDP frames showing Cisco Aironet 1200 access points on both sides of the link. These access points were directly plugged into Cisco 6500 Catalyst switches without any VLANs and firewalls separating the wired and wireless networks. Both switches supported routing, with one being a designated router for the OSPF routing domain and another being a backup designated router. Both were positioned in the OSPF area 0the backbone! To make things even more interesting, it appeared that fat ATM pipes, perhaps OC-3, were coming out of these switches oncracked WEP key finally fell into his hands. Kevin supplied it to the Kismet configuration file for instant traffic decryption, restarted the tool, and held his breath. The result was clearly worth the effort! There were CDP frames showing Cisco Aironet 1200 access points on both sides of the link. These access points were directly plugged into Cisco 6500 Catalyst switches without any VLANs and firewalls separating the wired and wireless networks. Both switches supported routing, with one being a designated router for the OSPF routing domain and another being a backup designated router. Both were positioned in the OSPF area 0the backbone! To make things even more interesting, it appeared that fat ATM pipes, perhaps OC-3, were coming out of these switches on the wired side. Must be the Cisco FlexWAN modules!

After analysing the bypassing traffic and building an approximate map of the discovered network, Kevin shut down his laptop, changed the battery, booted up, and associated with the link. There was no MAC address filtering and things looked really good. The RIPv2 was running with plaintext authentication in use. Redirecting traffic via RIP was easy, but, he thought, why go for a smaller fish when I can catch a much larger one? OSPF also used plaintext authentication, and Kevin felt it was his lucky day. He configured and fired up a good old Zebra to become a part of the OSPF domainthat was easy. Kevin launched tcpdump , enabled packet forwarding on his laptop, changed the OSPF priority of his rogue router to the maximum value of 255, and set the cost of the router interface to the optimal, much better value than the cost of interfaces advertised by other routers. It worked! Streams of redirected traffic filled up the tcpdump output console. Of course, watching it in Ethereal was more fun. It was time to dump all this fanciful traffic for further analysis at home, after spending some time brushing up his Ethereal filters scripting skills. Perhaps trying out Ettercap and Dsniff on this network was also a worthy idea. This was a major victory, one to keep quietly to himself and use when the need arose.

David logged onto the Catalyst 6500 to which the access point was connected and started to enter show and debug commands for both RIP and OSPF running on the multilayer switch. RIP was fine. The same could not be said about his more advanced link state counterpart , however. Commands like show ip ospf neighbor detail were showing a new OSPF peer. This peer had become a designated router of area 0. It was advertising a link with a gigabit range bandwidth OSPF cost equivalentdespite clearly being somewhere on a wireless network! To add insult to injury , this clearly wasn't a Cisco device. It didn't send out any CDP frames and its MAC address had an OUI not belonging to those numbers registered by Cisco. The Catalyst logs were showing the SPF recalculation that took place about an hour ago, when the strange router had joined the routing domain and proclaimed its priority as the highest and interface cost as the best. Dave looked out of the window. Among the casual beer lovers on the benches near the Lunar Eclipse was a guy with a laptop and what appeared to be a wireless client card sticking out of it. He looked like a student and was clearly taken by something happening on his laptop screen.

Kevin saw the doors of the gray building opening and a tall, bearded man wearing glasses rushing toward him. Without a second thought, Kevin grabbed the laptop, jumped on his scooter , and sped away. The network was returning to its normal state.

In the end, David decided not to share the incident with management to avoid getting into serious trouble. He blamed a hardware fault on the network outages when sending back a response to the users' complaints. David was pressing to implement MD5 authentication and maximum priority setting for the designated router for quite a long time. He couldn't change it by himself, since only a few devices running OSPF on a vast network were under his direct responsibility and control, and all such devices on the network had to have the same authentication scheme and shared secret key. David also didn't know much about wireless, and the link was a responsibility of an external company that did the installation as well as configuration and troubleshooting of wireless access points. He decided to raise all these issues at his next meeting with management and push them to order a legitimate wireless security audit to demonstrate that the link could be abused by crackers. Then the company responsible for the link could be pushed to do something about its security, or simply booted out to be replaced by a more skilled one.

David also wanted to persuade management to buy firewall switch modules (FWSM) for both Catalysts and use them to firewall the damn wireless link out for good. Meanwhile, since management wheels rotated slowly and in an unpredictable manner, the network couldn't stay vulnerable. David turned off the Cisco Aironet access point, hoping that the backup link wouldn't be needed soon. Besides, if the other side of the link got hacked, it wasn't his business. Now David had to call the system administrator on the other side and make up reasons for the shutdown of the access point on his side: Its hardware failed? A strong wind damaged an antenna? Perhaps, perhaps, perhaps

No one has seen Kevin in the Lunar Eclipse ever since.

image from book
 


Hacking Exposed Cisco Networks
Hacking Exposed Cisco Networks: Cisco Security Secrets & Solutions
ISBN: 0072259175
EAN: 2147483647
Year: 2005
Pages: 117

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net