lptv4 module 20 router and switches penetration testing_norestriction
Post on 08-Nov-2014
ECSA/LPT
EC-Council Module XX
Router and Switches Penetration Testing
Penetration Testing Roadmap
Start Here
• Information Gathering
• Vulnerability Analysis
• External Penetration Testing
• Firewall Penetration Testing
• Router and Switches Penetration Testing
• Internal Network Penetration Testing
• IDS Penetration Testing
• Wireless Network Penetration Testing
• Denial of Service Penetration Testing
• Password Cracking Penetration Testing
• Stolen Laptop, PDAs and Cell Phones Penetration Testing
• Social Engineering Penetration Testing
• Application Penetration Testing
Cont’d
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Penetration Testing Roadmap (cont’d)
Cont’d
• Physical Security Penetration Testing
• Database Penetration Testing
• VoIP Penetration Testing
• Virus and Trojan Detection
• War Dialing
• VPN Penetration Testing
• Log Management Penetration Testing
• File Integrity Checking
• Blue Tooth and Hand held Device Penetration Testing
• Telecommunication And Broadband Communication Penetration Testing
• Email Security Penetration Testing
• Security Patches Penetration Testing
• Data Leakage Penetration Testing
End Here
Router Testing Issues
Test for misconfigurations of routers.
Test for router product specific vulnerabilities (example: IOS vulnerabilities in Cisco routers).
A compromise on a routing device compromises entire network traffic.
Even without a direct compromise of the routing device, it can be used to compromise the entire network.
Routing devices are used to direct network traffic, and any one router can be used to manipulate network traffic.
Need for Router Testing
You will need to assess end-to-end router security with target knowledge and/or without target knowledge.
Router testing is needed to provide a single point reference for router security assessment and countermeasures for identified weaknesses.
General Requirements
Understand the organization’s network environment.
Understand router placement in the network architecture.
Understand the traffic managed by the router.
Understand the traffic passed through the router.
Technical Requirements
Knowledge of the basics of routing.
Knowledge of routing protocols, for routing protocol attacks.
Specific technical requirements are given in each test case.
Try to Compromise the Router
Try to crack the password of the router.
Try to access the router using HTTP and attempt brute forcing.
Check for SNMP insecurities.
Check for VTY/TTY access insecurities.
Test for TFTP insecurities.
Test for router console port insecurities.
Steps for Router Penetration Testing
1 • Identify the router hostname
2 • Port scan the router
3 • Identify the router operating system and its version
4 • Identify protocols running at the router
5 • Test for package leakage at the router
6 • Test for router misconfigurations
7 • Test for VTY/TTY connections
8 • Test for router running modes
Steps for Router Penetration Testing (cont’d)
9 • Test for SNMP capabilities
10 • Test for TFTP connections
11 • Test if Finger is running on the router
12 • Test for CDP protocol running on the router
13 • Test for NTP protocol
14 • Test for access to router console port
15 • Test for loose and strict source routing
16 • Test for IP spoofing
Steps for Router Penetration Testing (cont’d)
17 • Test for IP handling bugs
18 • Test ARP attacks
19 • Test for routing protocol assessment
20 • RIP testing
21 • Test for OSPF protocol
22 • Test BGP protocol
23 • Test for EIGRP protocol
24 • Test router denial of service attacks
25 • Test the router’s HTTP capabilities
26 • Test through an HSRP attack
Step 1: Identify the Router Hostname
If the router is registered with DNS, a reverse query on the router’s IP address will give the DNS name of the router. This DNS name might be the same as the hostname.
Tools:
• Dig, nslookup, host
Step 2: Port Scan the Router
Scan for the router’s default services.
Port   Service   Protocol
23     Telnet    TCP
80     HTTP      TCP
161    SNMP      UDP
Step 3: Identify the Router Operating System and its Version
If you know the router’s operating system and its version, identify the vulnerabilities in the device:
• Example: Cisco router model 2500 and IOS version 11.2
Tool:
• # nmap -sS -O -sV <router ip address>
Steps 4/5: Identify Protocols Running / Test for Package Leakage at the Router
Step 4: Identify the protocols running at the router:
• Example: CDP
• RIP v1/v2
• OSPF
• IGMP
Step 5: Test for package leakage at the router:
• A Cisco router discloses its identity while connecting on port 1999 (TCP).
• It gives RST in the response and “cisco” in the payload.
Step 6: Test for Router Misconfigurations
Check for router misconfigurations.
An attacker can easily gain access to the system if the router is misconfigured.
Check whether the default SNMP community string “public” is changed at the router.
Tool:
• Router Auditing Tool (http://www.cisecurity.org) for Cisco routers
Step 7: Test for VTY/TTY Connections
Try to connect to the router using the console port.
You should have physical access to the router to try this.
VTY/TTY connections are used to attach a terminal directly into the router.
In the default configuration of a router, no security is applied to the console port.
The Process to Get Access to the Router
Try standard ports for Telnet, SSH, and rlogin.
Try the other ports found with the port scan.
If a modem is connected to the device:
• Try dialing into the router.
If unsuccessful, try to bring up the terminal window (dial up setting):
• telnet <Device IP address> <Standard/High Port>
• ssh <Device IP address> <standard/high port>
The minimum expected result is a login prompt; if the router is not secured, terminal access will be possible.
Step 8: Test for Router Running Modes
Routers are configured for many different modes.
Common modes are “user mode” and “privilege mode”.
In user mode, the router displays the hostname followed by ‘>’.
Example of user mode access:
• TargetRouter>
• Collect the password hash and decrypt it; CAIN can be used to decrypt it.
Privilege Mode Attacks
Commands in user mode are limited. Enable mode is also known as privileged mode.
To access enable mode type the following:
• TargetRouter>enable
You have fully compromised the router if the password is not configured, and you get the following prompt:
• TargetRouter#
If the router prompts you for the password, perform brute-force password attacks.
Step 9: Test for SNMP Capabilities
SNMP is a protocol used to manage routers using management stations such as HP OpenView and IBM Tivoli.
Check for the SNMP version installed on the machine:
• Example: SNMP v1 is insecure and the password is sent as cleartext.
You can run a tool like snmpsniff to extract the password from the network when someone connects to the device using SNMP.
SNMP “Community String”
The SNMP protocol runs on port 161.
Try to login using the default community string “public”.
If that does not work, then try brute-force by dictionary attacks.
Step 10: Test for TFTP Connections
Trivial File Transport Protocol (TFTP) uses UDP for data transfer and it is a connectionless protocol, which doesn’t support authentication.
TFTP is a limited FTP service with no authentication.
It is commonly used by routers, switches and other devices to connect to a TFTP server during firmware upgrade.
On a lot of routers, TFTP is used to fetch and push configuration files to these routers.
TFTP Testing
Try to sniff TFTP traffic from the wire.
Try to retrieve the router configuration file using tftp commands:
C:\>tftp <tftp server> get <devicename>.cfg
Step 11: Test if Finger is Running on the Router
Finger services expose system users on port 79 TCP/UDP by default.
Verify if the finger service is running on the router:
# finger -l @router-ip-address
# finger -l root@router-ip-address
Step 12: Test for CDP Protocol Running on the Router
Cisco Discovery Protocol (CDP) is a layer 2 protocol used by Cisco routers to discover each other on the same link (segment).
The CDP protocol is used to manage Cisco networks across the organization.
Using CDP, Cisco routers send out the following messages. These include:
• Device ID (hostname).
• Port ID (port information about the sender).
• Operating system platform.
• IOS software version being used.
• Capabilities of the router.
• Network IP address.
Step 12: Test for CDP Protocol Running on the Router (cont’d)
Cisco routers send these messages out every 30 seconds.
The CDP protocol sends this information to a special MAC address (01:00:0C:CC:CC:CC), and it is received by every Cisco router in the same segment.
CDP is enabled by default on Cisco routers.
How to Test CDP Protocol?
Use a “cdp sniffer” command to find information of the Cisco Discovery Protocol (CDP).
Disable CDP if it is not required.
The #no cdp run command:
• Disables CDP globally.
The #no cdp enable command:
• Disables CDP on an interface (interface command).
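As an added illustration, not part of the original module, the following Python parses the CDP announcement fields listed above (Device ID, Port ID, platform, software version, capabilities, address) out of a constructed CDP v2 payload and lists which of them the device is disclosing, which is the information an auditor weighs before deciding whether no cdp run or no cdp enable is warranted on a segment. The TLV type codes, the capability bit values and the address-TLV layout are the standard CDP wire format; the sample payload, the device and port names, the version string and the 180-second TTL default are constructed values for this example.

```python
import struct

# CDP v2 TLV type codes (standard CDP wire format)
TLV_DEVICE_ID = 0x0001
TLV_ADDRESS = 0x0002
TLV_PORT_ID = 0x0003
TLV_CAPABILITIES = 0x0004
TLV_SW_VERSION = 0x0005
TLV_PLATFORM = 0x0006

CAPABILITY_BITS = {
    0x01: "Router", 0x02: "TB Bridge", 0x04: "SR Bridge", 0x08: "Switch",
    0x10: "Host", 0x20: "IGMP", 0x40: "Repeater",
}
CDP_MULTICAST_MAC = "01:00:0c:cc:cc:cc"   # destination of every CDP frame


def _tlv(tlv_type, value):
    # the TLV length field counts the 4-byte type/length header as well
    return struct.pack("!HH", tlv_type, 4 + len(value)) + value


def build_cdp_payload(device_id, port_id, platform, sw_version, ipv4, caps, ttl=180):
    """Constructed sample CDP payload: version, TTL, checksum (left zero), then TLVs."""
    octets = bytes(int(o) for o in ipv4.split("."))
    # Address TLV: address count, then per address: protocol type 1 (NLPID),
    # protocol length 1, protocol 0xCC (IPv4), address length 4, the address
    addr_value = struct.pack("!I", 1) + bytes([1, 1, 0xCC]) + struct.pack("!H", 4) + octets
    body = (
        _tlv(TLV_DEVICE_ID, device_id.encode())
        + _tlv(TLV_ADDRESS, addr_value)
        + _tlv(TLV_PORT_ID, port_id.encode())
        + _tlv(TLV_CAPABILITIES, struct.pack("!I", caps))
        + _tlv(TLV_SW_VERSION, sw_version.encode())
        + _tlv(TLV_PLATFORM, platform.encode())
    )
    return struct.pack("!BBH", 2, ttl, 0) + body


def _parse_address_tlv(value):
    count = struct.unpack("!I", value[:4])[0]
    off, addrs = 4, []
    for _ in range(count):
        ptype, plen = value[off], value[off + 1]
        proto = value[off + 2:off + 2 + plen]
        alen = struct.unpack("!H", value[off + 2 + plen:off + 4 + plen])[0]
        addr = value[off + 4 + plen:off + 4 + plen + alen]
        if ptype == 1 and proto == b"\xcc" and alen == 4:
            addrs.append(".".join(str(b) for b in addr))
        off += 4 + plen + alen
    return addrs


def parse_cdp_payload(payload):
    """Walk the TLVs and return what the neighbour advertises about itself."""
    if len(payload) < 4:
        raise ValueError("payload too short for a CDP header")
    version, ttl, _checksum = struct.unpack("!BBH", payload[:4])
    info = {"cdp_version": version, "ttl": ttl}
    off = 4
    while off < len(payload):
        if off + 4 > len(payload):
            raise ValueError("truncated TLV header")
        ttype, tlen = struct.unpack("!HH", payload[off:off + 4])
        if tlen < 4 or off + tlen > len(payload):
            raise ValueError("malformed TLV length")
        value = payload[off + 4:off + tlen]
        if ttype == TLV_DEVICE_ID:
            info["device_id"] = value.decode("ascii", "replace")
        elif ttype == TLV_ADDRESS:
            info["addresses"] = _parse_address_tlv(value)
        elif ttype == TLV_PORT_ID:
            info["port_id"] = value.decode("ascii", "replace")
        elif ttype == TLV_CAPABILITIES:
            bits = struct.unpack("!I", value)[0]
            info["capabilities"] = [n for b, n in CAPABILITY_BITS.items() if bits & b]
        elif ttype == TLV_SW_VERSION:
            info["software_version"] = value.decode("ascii", "replace")
        elif ttype == TLV_PLATFORM:
            info["platform"] = value.decode("ascii", "replace")
        off += tlen
    return info


def disclosed_fields(info):
    """Fields an auditor would cite when deciding whether CDP should stay enabled."""
    return [k for k in ("device_id", "platform", "software_version", "addresses", "port_id")
            if info.get(k)]


# Constructed sample announcement (not a capture from any real device)
SAMPLE = build_cdp_payload("TargetRouter", "Ethernet0/0", "cisco 2500",
                           "Cisco IOS Software, Version 11.2", "10.0.0.1", 0x01)

if __name__ == "__main__":
    print(parse_cdp_payload(SAMPLE))
```

The parser rejects truncated or inconsistent TLV lengths rather than reading past the buffer, which matters when the input comes from a capture rather than from the builder above.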
Step 13: Test for NTP Protocol
The Network Time Protocol (NTP) is often used on border routers and it is enabled by default.
A lot of companies use the border router to synchronize internal servers.
A potential attacker can corrupt time if enabled.
Try to synchronize with the router.
Command:
• # ntpdate <ip address of router>
Step 14: Test for Access to Router Console Port
If physical access to the router is possible, then an attacker could perform this test.
Connect a laptop with a serial cable to the router’s console port and check if the attacker can gain access.
This is an important test since most console access on routers is not protected by any password.
Step 15: Test for Loose and Strict Source Routing
The path of the packet (outbound and return) is defined in the packet itself. It is of two types:
• Loose source routing.
• Strict source routing.
Loose source routing:
• Some hops (routing devices) in the path are defined and the rest are chosen as usual.
Strict source routing:
• Every hop (routing device) in the path is defined, from start to end.
Examples: Use the ping utility with the source routing options (on Windows):
C:\>ping -j <hosts> (for loose source routing)
C:\>ping -k <hosts> (for strict source routing)
Steps 16 and 17: Test for IP Spoofing / IP Handling Bugs
Test for IP spoofing:
• By using IP spoofing, an attacker can assume someone else’s identity.
• On the router, a packet carrying an internal address but originating from outside is considered a spoofed IP packet.
• ACLs are used on the router to block this; if no access control lists are used, then it would be possible to perform IP spoofing.
Test for IP handling bugs:
• ICMP redirects allow an attacker to manipulate a host and specify a new gateway for specific networks.
Step 18: Test ARP Attacks
In switched networks, packets are switched based on MAC addresses, and every host on a network has a unique 48 bit physical address.
ARP requests are sent as broadcast frames.
Test to determine if ARP spoofing is possible against this router.
Attempt a man-in-the-middle attack against the router.
ARP cache poisoning tools:
• Ettercap
• arpspoof
Step 19: Test for Routing Protocol Assessment
Many routing protocols have weak or no authentication.
• Example: RIP v1
An attacker can easily send a spoofed packet and manipulate routing tables.
Check to determine if authentication is enabled on these protocols and attempt to inject RIP packets into the network.
Step 20: RIP Testing
There are 2 versions of RIP:
• RIP protocol v1.
• RIP protocol v2.
RIP version 1 does not support authentication of routing updates, and hence the routing updates can be easily sniffed.
RIP version 2 supports both plain text and MD5 authentication.
Tools such as L0phtCrack and John the Ripper can brute-force and crack RIPv2 authentication.
Step 21: Test for OSPF Protocol
Open Shortest Path First (OSPF) supports two forms of authentication:
• Plain text.
• MD5.
Plain text authentication should be used only when neighboring devices do not support the more secure MD5 authentication.
Use a hash gathering and password cracking tool in case MD5 hashing is used. Both routers use the same secret key, which is used for generating the hash appended to the message.
A dictionary attack along with a brute-force attack is used for cracking the password so that the message can be read and routing updates can be modified.
OSPF Example
(config)# router ospf 1
(config-router)# network 192.1.0.0 0.0.255.255 area 1
(config-router)# area 1 authentication message-digest
(config-router)# exit
(config)# int eth0/0
(config-if)# ip ospf message-digest-key 1 md5 UFDSEGG321-JH3
Step 22: Test BGP Protocol
BGP is an external routing protocol which is used to communicate between different autonomous systems.
A BGP session can be hijacked, and incorrect information about the routing tables could be injected with the hijacked session.
Session hijacking is easy for someone who can predict the TCP sequence number for the TCP session the BGP protocol runs over.
Try to hijack BGP sessions using tools such as Hunt and T-sight.
Step 23: Test for EIGRP Protocol
EIGRP is a proprietary routing protocol of Cisco Systems.
EIGRP authentication works similar to RIP v2.
EIGRP authentication supports only MD5.
Try to brute-force EIGRP authentication by using dictionary attacks.
Step 24: Test Router Denial of Service Attacks
Malformed packet attack:
• An attacker sends a single packet or a small stream of packets to the target, formed in a way not anticipated by the developers of the target machine.
Packet flood attacks:
• These attacks occur when the attacker sends too many packets to the destination, which the destination cannot process (e.g. SYN attacks).
Step 25: Test the Router’s HTTP Capabilities
Newer routers can be managed using a web browser.
Possibly a web server might be running at the router (not necessarily on port 80 but on some other port like 5644).
Check for the presence of a web server by connecting using a web browser.
Step 26: Test Through HSRP Attack
Send packets with high priority so that the active router slows down.
Forward all the incoming packets to the correct destination.
Test whether traffic sent via the HSRP group is forwarded to your IP address.
A man-in-the-middle attack is established as all the traffic is forwarded to the targeted IP.
Router Testing Report
Document all your router testing findings in the penetration testing report.
Router testing is a tedious task and you must be patient, since the volume of traffic recorded is huge.
Steps for Testing Switches
1 • Testing address cache size
2 • Data integrity and error checking test
3 • Testing for back-to-back frame capacity
4 • Testing for frame loss
5 • Testing for latency
6 • Testing for throughput
7 • Test for frame error filtering
8 • Fully meshed test
9 • Stateless QoS functional test
Steps for Testing Switches (cont’d)
10 • Spanning tree network convergence performance test
11 • OSPF performance test
12 • Test for VLAN hopping
13 • Test for MAC table flooding
14 • Testing for ARP attack
15 • Check for VTP attack
Step 1: Testing Address Cache Size
Send frames for half of the initial user-specified table size.
Then send generic frames at a specified frame rate.
If the switch is able to handle all of the addresses, increase the frame rate.
Repeat the above steps until frame loss or flooding is detected.
Use tools such as Ixia's IxScriptMate to automate the above process.
Step 2: Data Integrity and Error Checking Test
Check the switch’s ability to forward frames under certain traffic rates without corrupting the payload.
Frames are transmitted with a predefined data pattern.
Verify whether the switch forwards the frames properly.
Calculate the number of sequence errors and the number of data errors.
Step 3: Testing for Back-to-Back Frame Capacity
The back-to-back value is the number of frames in the longest burst that the switch will handle without the loss of any frames.
Send a burst of frames with minimum inter-frame gaps to the switch and count the number of frames forwarded by the switch.
If the count of transmitted frames is equal to the number of frames forwarded, the length of the burst is increased and the test is rerun.
If the number of forwarded frames is less than the number transmitted, the length of the burst is reduced and the test is rerun.
The trial length must be 2 seconds and should be repeated 50 times, with the average of the recorded values being reported.
Step 4: Testing for Frame Loss
Send a specific number of frames at a specific rate through the switch to be tested and count the frames that are transmitted by the switch.
The frame loss rate at each point is calculated using the following equation:
• ( ( input_count - output_count ) * 100 ) / input_count
Step 5: Testing for Latency
Send a stream of frames through the switch at the determined rate to a specific destination for a duration of 120 seconds.
Provide an identifying tag in one frame after 60 seconds.
Record the time at which this frame is fully transmitted (timestamp A).
Record the time at which the tagged frame was received by the receiver (timestamp B).
The latency is timestamp B minus timestamp A.
Repeat the test 20 times, with the reported value being the average of the recorded values.
Step 6: Testing for Throughput
Send a specific number of frames at a specific rate through the switch and then count the frames that are transmitted by the switch.
If the count of offered frames is equal to the count of received frames, the rate is increased and the test is rerun; if fewer frames are received than were transmitted, the rate of the offered stream is reduced and the test is rerun.
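The four procedures in Steps 3 to 6 share one structure: offer traffic, count what comes back, and adjust the burst length or the rate until the switch forwards everything. The Python below is added as an example and is not material from the module: it implements the frame loss formula from Step 4, the timestamp subtraction from Step 5, the back-to-back burst search from Step 3 and the rate-reduction throughput search from Step 6, and runs them against a constructed model of a switch (a buffer limit and a line rate) so the search logic can be exercised without test gear. The function names, the modelled switch parameters, the latency samples and the averaging helper are this example’s own.

```python
def frame_loss_rate(input_count, output_count):
    """Percent frame loss, the Step 4 formula:
    ((input_count - output_count) * 100) / input_count."""
    if input_count <= 0:
        raise ValueError("input_count must be positive")
    if output_count > input_count:
        raise ValueError("a switch cannot forward more frames than it was offered")
    return ((input_count - output_count) * 100) / input_count


def latency(timestamp_a, timestamp_b):
    """Step 5: time the tagged frame was fully sent (A) to time it was received (B)."""
    return timestamp_b - timestamp_a


def average_of_trials(trial_results):
    """Steps 3 and 5 report the average of repeated trials (50 and 20 respectively)."""
    if not trial_results:
        raise ValueError("no trials recorded")
    return sum(trial_results) / len(trial_results)


def simulated_switch(buffer_frames, line_rate_fps):
    """Constructed stand-in for the device under test. Returns forward(count, rate)
    -> frames forwarded: above line rate the output is capped by the line rate;
    at or below it, a burst longer than the buffer loses the excess."""
    def forward(frame_count, rate_fps):
        if rate_fps > line_rate_fps:
            return frame_count * line_rate_fps // rate_fps
        return min(frame_count, buffer_frames)
    return forward


def back_to_back_capacity(forward, rate_fps, max_burst):
    """Step 3: longest burst forwarded without loss. Lengthen the burst after a
    lossless trial, shorten it after a lossy one (done here as a binary search)."""
    lo, hi = 0, max_burst                # lo is always a burst length known to be lossless
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if forward(mid, rate_fps) == mid:
            lo = mid
        else:
            hi = mid - 1
    return lo


def throughput(forward, frame_count, max_rate_fps, step_fps):
    """Step 6: offer frames at a rate; if any are lost, reduce the rate and rerun.
    Returns the highest tested rate at which every offered frame was forwarded."""
    rate = max_rate_fps
    while rate > 0:
        if forward(frame_count, rate) == frame_count:
            return rate
        rate -= step_fps
    return 0


# Constructed device: 4096-frame buffer, 148,809 fps line rate (64-byte frames at 100 Mbit/s)
DUT = simulated_switch(buffer_frames=4096, line_rate_fps=148_809)


def run_switch_benchmarks():
    """Runs every procedure above against the constructed device and returns the results."""
    forwarded = DUT(1000, 297_618)        # offered at twice line rate: about half gets through
    # 20 constructed latency trials: timestamps in microseconds, 42-44 us apart
    samples = [latency(a, a + 42.0 + (i % 3)) for i, a in enumerate(range(0, 20_000, 1000))]
    return {
        "loss_percent_at_2x_line_rate": frame_loss_rate(1000, forwarded),
        "back_to_back_frames": back_to_back_capacity(DUT, 148_809, 1_000_000),
        "throughput_fps": throughput(DUT, 1000, 200_000, 1000),
        "avg_latency_us": average_of_trials(samples),
    }


if __name__ == "__main__":
    print(run_switch_benchmarks())
```

Against real equipment, forward() would be replaced by the traffic generator's offered and received counters; the search and reporting logic stays the same.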
Step 7: Test for Frame Error Filtering
Check if the switch correctly filters illegal frames, such as:
• Undersized frames.
• Oversized frames.
• Frames with CRC errors.
• Fragmented frames.
• Alignment errors.
• Dribble errors.
Tools:
• Ixia's IxScriptMate
Step 8: Fully Meshed Test
Check the total number of IP frames that the switch can handle when it receives frames on all its ports.
Each port in the test sends frames to all other ports in an evenly distributed, round-robin type fashion at a specific user-defined rate.
Step 9: Stateless QoS Functional Test
Measure the baseline performance of the switch:
• With QoS.
• Without QoS.
Inject stateless traffic into the network.
Check the latency and the packet loss on the egress traffic port.
Measure and record:
• When QoS is disabled on the switch.
• When QoS with IP Precedence classifying and marking is enabled on the switch.
Step 10: Spanning Tree Network Convergence Performance Test
Measure:
• Network convergence based on the handling of topology change notifications and configuration BPDUs, as well as traffic switchover.
Check the switch’s spanning tree convergence performance.
Check for any changes in path cost to the root.
Check if the bridge link slows down.
Step 11: OSPF Performance Test
Set the defined routes and a topology.
Test the no-drop throughput and latency.
Execute the test with either the OSPFv2 or OSPFv3 protocol.
Measure the OSPF performance and scalability of the switch.
Step 12: Test for VLAN Hopping
Spoof your computer to appear as another switch.
Send a fake DTP negotiate message announcing that you would like to be a trunk.
Check whether the real switch turns on an 802.1Q trunk.
Check for traffic from all VLANs being sent to your computer.
Step 13: Test for MAC Table Flooding
Use the macof tool for flooding the content addressable memory (CAM) with random MAC addresses.
Check whether all ports are flooded.
Check whether you can sniff in a switched environment.
Step 14: Testing for ARP Attack
Send a spoofed Address Resolution Protocol reply toward another host.
Check the MAC address of the other host.
Associate your MAC address with the host’s MAC address on the MAC address table of the switch.
Check all the frames which are being sent to the host address.
Step 15: Check for VTP Attack
Eliminate all the VLANs by using VTP (VLAN Trunking Protocol).
Check whether you are on the same VLAN as every other user.
Change your IP to be on the same network on which the other users are present.
Check whether you can attack the host.
Summary
The need for router testing is to provide a single point reference for router security assessment and countermeasures for identified weaknesses.
Vulnerabilities of the device can be known if the router’s operating system and its version are known.
Plain text authentication should be used only when neighboring devices do not support the more secure MD5 authentication.