LPTv4 Module 20: Router and Switches Penetration Testing (NoRestriction)

Upload: mahmoud-eladawi

Post on 08-Nov-2014

Page 1

ECSA/LPT

EC-Council Module XX

Router and Switches Penetration Testing

Page 2

Penetration Testing Roadmap

Start Here

• Information Gathering
• Vulnerability Analysis
• External Penetration Testing
• Firewall Penetration Testing
• Router and Switches Penetration Testing
• Internal Network Penetration Testing
• IDS Penetration Testing
• Wireless Network Penetration Testing
• Denial of Service Penetration Testing
• Password Cracking Penetration Testing
• Stolen Laptop, PDAs and Cell Phones Penetration Testing
• Social Engineering Penetration Testing
• Application Penetration Testing

Cont'd

EC-Council Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited

Page 3

Penetration Testing Roadmap (cont'd)

Cont'd

• Physical Security Penetration Testing
• Database Penetration Testing
• VoIP Penetration Testing
• Virus and Trojan Detection
• War Dialing
• VPN Penetration Testing
• Log Management Penetration Testing
• File Integrity Checking
• Blue Tooth and Hand held Device Penetration Testing
• Telecommunication And Broadband Communication Penetration Testing
• Email Security Penetration Testing
• Security Patches Penetration Testing
• Data Leakage Penetration Testing

End Here

Page 4

Router Testing Issues

• Test for misconfigurations of routers.
• Test for router product specific vulnerabilities (example: IOS vulnerabilities in Cisco routers).
• A compromise of a routing device compromises the entire network's traffic.
• Even without a direct compromise of the routing device, it can be used to compromise the entire network.
• Routing devices are used to direct network traffic, and any one router can be used to manipulate network traffic.

Page 5

Need for Router Testing

• You will need to assess end-to-end router security with target knowledge and/or without target knowledge.
• Router testing is needed to provide a single point of reference for router security assessment and countermeasures for identified weaknesses.

Page 6

General Requirements

• Understand the organization's network environment
• Understand router placement in the network architecture
• Understand traffic managed by the router
• Understand traffic passed through the router

Page 7

Technical Requirements

• Knowledge of the basics of routing
• Knowledge of routing protocols, for routing protocol attacks
• Specific technical requirements are given in each test case

Page 8

Try to Compromise the Router

• Try to crack the password of the router
• Try to access the router using HTTP and attempt brute forcing
• Check for SNMP insecurities
• Check for VTY/TTY access insecurities
• Test for TFTP insecurities
• Test for router console port insecurities

Page 9

Steps for Router Penetration Testing

1. Identify the router hostname
2. Port scan the router
3. Identify the router operating system and its version
4. Identify protocols running at the router
5. Test for package leakage at the router
6. Test for router misconfigurations
7. Test for VTY/TTY connections
8. Test for router running modes

Page 10

Steps for Router Penetration Testing (cont'd)

9. Test for SNMP capabilities
10. Test for TFTP connections
11. Test if Finger is running on the router
12. Test for CDP protocol running on the router
13. Test for NTP protocol
14. Test for access to router console port
15. Test for loose and strict source routing
16. Test for IP spoofing

Page 11

Steps for Router Penetration Testing (cont'd)

17. Test for IP handling bugs
18. Test ARP attacks
19. Test for routing protocol assessment
20. RIP testing
21. Test for OSPF protocol
22. Test BGP protocol
23. Test for EIGRP protocol
24. Test router denial of service attacks
25. Test the router's HTTP capabilities
26. Test through an HSRP attack

Page 12

Step 1: Identify the Router Hostname

If the router is registered with DNS, a reverse query on the router's IP address will give the DNS name of the router. This DNS name might be the same as the hostname.

Tools:

• dig, nslookup, host

Page 13

Step 2: Port Scan the Router

Scan for the router's default services:

Port  Service  Protocol
23    Telnet   TCP
80    HTTP     TCP
161   SNMP     UDP

Page 14

Step 3: Identify the Router Operating System and its Version

If you know the router's operating system and its version, identify the vulnerabilities in the device:

• Example: Cisco router model 2500 and IOS version 11.2

Tool:

• # nmap -sS -O -sV <router ip address>

Page 15

Steps 4/5: Identify Protocols Running / Test for Package Leakage at the Router

Step 4: Identify the router protocols running at the router:

• Example: CDP
• RIP (RIPv1/v2)
• OSPF
• IGMP

Step 5: Test for package leakage at the router:

• A Cisco router discloses its identity while connecting on port 1999 (TCP)
• It gives RST in the response and "cisco" in the payload

Page 16

Step 6: Test for Router Misconfigurations

Check for router misconfigurations.

An attacker can easily gain access to the system if the router is misconfigured.

Check whether the default SNMP community string "public" has been changed at the router.

Tool:

• Router Auditing Tool (http://www.cisecurity.org) for Cisco routers
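The misconfiguration checks this step (and steps 7 through 25 of the module) describe, as an added offline audit script that is not part of the module and is not the Router Auditing Tool it names; it assumes an IOS-style text config and uses two constructed sample configs, one weak and one hardened.

```python
"""Step 6 as an offline check: scan a Cisco IOS-style running-config for the
weak settings this module tests for in later steps (default SNMP community,
open console/VTY lines, CDP, finger, NTP, HTTP management, source routing,
plaintext OSPF authentication).  Added example, not the module's Router
Auditing Tool; both configs below are constructed, not from a real device."""
import re

# Constructed weak config: each line is something a step of the module flags.
WEAK_CONFIG = """\
no service password-encryption
service finger
ip http server
ntp master
snmp-server community public RO
snmp-server community private RW
router ospf 1
 network 192.1.0.0 0.0.255.255 area 1
 area 1 authentication
line con 0
line vty 0 4
 transport input telnet
"""

# Constructed hardened counterpart with the same settings corrected.
HARDENED_CONFIG = """\
service password-encryption
no service finger
no ip source-route
no ip http server
no cdp run
snmp-server community <long-random-string> RO
router ospf 1
 network 192.1.0.0 0.0.255.255 area 1
 area 1 authentication message-digest
line con 0
 password 7 <encrypted-placeholder>
 login
line vty 0 4
 login local
 transport input ssh
"""

DEFAULT_COMMUNITIES = {"public", "private"}
# IOS enables these by default, so the weakness is the ABSENCE of the 'no' form.
DEFAULT_ON = (
    ("no cdp run", "step12-cdp", "CDP enabled globally (disable with 'no cdp run')"),
    ("no ip source-route", "step15-srcroute", "IP source routing accepted"),
)
# These are weak when explicitly present.
EXPLICIT = (
    ("service finger", "step11-finger", "finger service enabled"),
    ("ntp master", "step13-ntp", "router serves NTP to clients"),
    ("ip http server", "step25-http", "HTTP management interface enabled"),
    ("no service password-encryption", "step8-passwd", "passwords stored in cleartext"),
)


def parse_config(text):
    """Split a config into top-level lines and {section header: [sub-lines]}."""
    top, sections, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        else:
            current = raw.strip()
            top.append(current)
            sections[current] = []
    return top, sections


def audit_config(text):
    """Return (step, finding) tuples, one per weak setting found."""
    top, sections = parse_config(text)
    present, findings = set(top), []
    for line in top:                                       # Steps 6 and 9: SNMP
        m = re.match(r"snmp-server community (\S+)(?:\s+(RO|RW))?$", line)
        if m and m.group(1).lower() in DEFAULT_COMMUNITIES:
            findings.append(("step6-snmp", f"default community '{m.group(1)}' {m.group(2) or 'RO'}"))
    findings += [(s, msg) for key, s, msg in DEFAULT_ON if key not in present]
    findings += [(s, msg) for key, s, msg in EXPLICIT if key in present]
    for header, body in sections.items():
        if header.startswith("line "):                     # Steps 7 and 14: console/VTY
            if not any(b.startswith(("password", "login")) for b in body):
                findings.append(("step7-line", f"'{header}' has no login or password"))
            if "transport input telnet" in body:
                findings.append(("step7-line", f"'{header}' accepts cleartext telnet"))
        if header.startswith("router ospf"):               # Step 21: OSPF auth type
            for b in body:
                if re.fullmatch(r"area \S+ authentication", b):
                    findings.append(("step21-ospf", f"'{b}' is plaintext authentication"))
    return findings


if __name__ == "__main__":
    for step, msg in audit_config(WEAK_CONFIG):
        print(f"[{step}] {msg}")
    print("hardened config findings:", audit_config(HARDENED_CONFIG))
```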

Page 17

Step 7: Test for VTY/TTY Connections

Try to connect to the router using the console port.

You should have physical access to the router to try this.

VTY/TTY connections are used to attach a terminal directly to the router.

In the default configuration of a router, no security is applied to the console port.

Page 18

The Process to Get Access to the Router

Try standard ports for Telnet, SSH, and rlogin.

Try the other ports found with the port scan.

If a modem is connected to the device:

• Try dialing into the router.

If unsuccessful, try to bring up the terminal window (dial-up setting):

• telnet <Device IP address> <Standard/High Port>
• ssh <Device IP address> <standard/high port>

The minimum expected result is a login prompt; if the router is not secured, terminal access will be possible.

Page 19

Step 8: Test for Router Running Modes

Routers are configured for many different modes.

Common modes are "user mode" and "privilege mode".

In user mode, the router displays the hostname followed by '>'.

Example of user mode access:

• TargetRouter>
• Collect the password hash and decrypt it; CAIN can be used to decrypt it

Page 20

Privilege Mode Attacks

Commands in user mode are limited. Enable mode is also known as privileged mode.

To access enable mode type the following:

• TargetRouter>enable

You have fully compromised the router if the password is not configured and you get the following prompt:

• TargetRouter#

If the router prompts you for the password, perform brute-force password attacks.

Page 21

Step 9: Test for SNMP Capabilities

SNMP is a protocol used to manage routers using management stations such as HP OpenView and IBM Tivoli.

Check for the SNMP version installed on the machine:

• Example: SNMP v1 is insecure and the password (community string) is sent as cleartext

You can run a tool like snmpsniff to extract the password from the network when someone connects to the device using SNMP.

Page 22

SNMP "Community String"

The SNMP protocol runs on port 161.

Try to log in using the default community string "public".

If that does not work, then try brute-force or dictionary attacks.

Page 23

Step 10: Test for TFTP Connections

Trivial File Transfer Protocol (TFTP) uses UDP for data transfer and is a connectionless protocol, which doesn't support authentication.

TFTP is a limited FTP service with no authentication.

It is commonly used by routers, switches and other devices to connect to a TFTP server during firmware upgrade.

On a lot of routers, TFTP is used to fetch and push configuration files to these routers.

Page 24

TFTP Testing

Try to sniff TFTP traffic from the wire.

Try to retrieve the router configuration file using tftp commands:

C:\>tftp <tftp server> get <devicename>.cfg

Page 25

Step 11: Test if Finger is Running on the Router

Finger services expose system users on port 79 TCP/UDP by default.

Verify if the finger service is running on the router:

# finger -l @router-ip-address

# finger -l root@router-ip-address

Page 26

Step 12: Test for CDP Protocol Running on the Router

Cisco Discovery Protocol (CDP) is a layer 2 protocol used by Cisco routers to discover each other on the same link (segment).

The CDP protocol is used to manage Cisco networks across the organization.

Using CDP, Cisco routers send out the following messages. These include:

• Device ID (hostname).
• Port ID (port information about the sender).
• Operating system platform.
• IOS software version being used.
• Capabilities of the router.
• Network IP address.

Page 27

Step 12: Test for CDP Protocol Running on the Router (cont'd)

Cisco routers send these messages out every 30 seconds.

The CDP protocol sends this information to a special multicast MAC address (01:00:0C:CC:CC:CC), and it is received by every Cisco router in the same segment.

CDP is enabled by default on Cisco routers.

Page 28

How to Test CDP Protocol?

Use a "cdp sniffer" command to find information of the Cisco Discovery Protocol (CDP).

Disable CDP if it is not required.

The #no cdp run command:

• Disables CDP globally.

The #no cdp enable command:

• Disables CDP on an interface (interface command).
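What a passive monitor on the segment actually decodes from those CDP advertisements (the fields listed on page 26), as an added example that is not part of the module; the frame is built from constructed values (device name, platform, address) rather than captured from a device.

```python
"""Decode the fields a Cisco device announces in CDP (Step 12) from a
constructed Ethernet frame, so a passive monitor can inventory what the
device leaks to its segment.  Added example, not from the module; the frame
bytes are constructed here, not captured from a real device."""
import struct

CDP_MULTICAST = bytes.fromhex("01000ccccccc")   # destination MAC used by CDP
CISCO_OUI = bytes.fromhex("00000c")
CDP_SNAP_PID = 0x2000                            # SNAP protocol id for CDP
TLV_NAMES = {1: "Device ID", 2: "Addresses", 3: "Port ID", 4: "Capabilities",
             5: "Software Version", 6: "Platform"}
CAPABILITY_BITS = [(0x01, "Router"), (0x02, "TB-Bridge"), (0x04, "SR-Bridge"),
                   (0x08, "Switch"), (0x10, "Host"), (0x20, "IGMP"), (0x40, "Repeater")]


def tlv(t, value):
    """Encode one CDP TLV: type(2) length(2, includes the 4-byte header) value."""
    return struct.pack("!HH", t, 4 + len(value)) + value


def address_tlv(ipv4_list):
    """Addresses TLV: count(4), then one NLPID/IP (protocol 0xCC) entry per address."""
    body = struct.pack("!I", len(ipv4_list))
    for ip in ipv4_list:
        body += bytes([1, 1, 0xCC]) + struct.pack("!H", 4) + bytes(int(o) for o in ip.split("."))
    return tlv(2, body)


def build_frame(device_id, port_id, version, platform, caps, ips):
    """Constructed 802.3/LLC/SNAP frame carrying a CDP v2 advertisement.
    The CDP checksum is left zero; the parser below does not verify it."""
    cdp = struct.pack("!BBH", 2, 180, 0)          # version 2, TTL 180 s, checksum 0
    cdp += tlv(1, device_id.encode()) + address_tlv(ips) + tlv(3, port_id.encode())
    cdp += tlv(4, struct.pack("!I", caps)) + tlv(5, version.encode()) + tlv(6, platform.encode())
    src_mac = bytes.fromhex("00112233aabb")       # constructed sender MAC
    llc_snap = bytes([0xAA, 0xAA, 0x03]) + CISCO_OUI + struct.pack("!H", CDP_SNAP_PID)
    return CDP_MULTICAST + src_mac + struct.pack("!H", len(llc_snap) + len(cdp)) + llc_snap + cdp


def parse_cdp_frame(frame):
    """Return a dict of decoded CDP fields, or None if the frame is not CDP."""
    if len(frame) < 26 or frame[:6] != CDP_MULTICAST:
        return None
    if frame[14:17] != b"\xaa\xaa\x03" or frame[17:20] != CISCO_OUI:
        return None
    if struct.unpack("!H", frame[20:22])[0] != CDP_SNAP_PID:
        return None
    cdp = frame[22:]
    info = {"version": cdp[0], "ttl": cdp[1]}
    pos = 4                                        # skip version, ttl, checksum
    while pos + 4 <= len(cdp):
        t, length = struct.unpack("!HH", cdp[pos:pos + 4])
        if length < 4 or pos + length > len(cdp):
            break                                  # malformed TLV: stop, never over-read
        value = cdp[pos + 4:pos + length]
        name = TLV_NAMES.get(t)
        if t == 2:
            count = struct.unpack("!I", value[:4])[0]
            addrs, p = [], 4
            for _ in range(count):
                ptype, plen = value[p], value[p + 1]
                proto = value[p + 2:p + 2 + plen]
                alen = struct.unpack("!H", value[p + 2 + plen:p + 4 + plen])[0]
                addr = value[p + 4 + plen:p + 4 + plen + alen]
                if ptype == 1 and proto == b"\xcc" and alen == 4:
                    addrs.append(".".join(str(b) for b in addr))
                p += 4 + plen + alen
            info[name] = addrs
        elif t == 4:
            mask = struct.unpack("!I", value)[0]
            info[name] = [n for bit, n in CAPABILITY_BITS if mask & bit]
        elif name:
            info[name] = value.decode(errors="replace")
        pos += length
    return info


# Constructed sample advertisement (hostname, platform and IP are placeholders).
SAMPLE_FRAME = build_frame("TargetRouter", "FastEthernet0/0",
                           "Cisco IOS Software, version 12.4 (constructed)",
                           "cisco 2811", 0x01 | 0x20, ["10.0.0.1"])

if __name__ == "__main__":
    for k, v in parse_cdp_frame(SAMPLE_FRAME).items():
        print(f"{k}: {v}")
```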

Page 29

Step 13: Test for NTP Protocol

The Network Time Protocol (NTP) is often used on border routers and it is enabled by default.

A lot of companies use the border router to synchronize internal servers.

A potential attacker can corrupt time if enabled.

Try to synchronize with the router.

Command:

• # ntpdate <ip address of router>

Page 30

Step 14: Test for Access to Router Console Port

If physical access to the router is possible, then an attacker could perform this test.

Connect a laptop with a serial cable to the router's console port and check if the attacker can gain access.

This is an important test since most console access on routers is not protected by any password.

Page 31

Step 15: Test for Loose and Strict Source Routing

The path of a packet (outbound and return) is defined in the packet itself. It is of two types:

• Loose source routing.
• Strict source routing.

Loose source routing:

• Some hops (routing devices) in the path are defined and the rest are routed as usual.

Strict source routing:

• Every hop (routing device) in the path is defined, from start to end.

Examples: Use the ping utility with the source routing options (on Windows):

C:\>ping -j <hosts> (for loose source routing)
C:\>ping -k <hosts> (for strict source routing)

Page 32

Steps 16 and 17: Test for IP Spoofing / IP Handling Bugs

Test for IP spoofing:

• By using IP spoofing, an attacker can assume someone else's identity.
• On the router, a packet with an internal source address that is originating from outside is considered a spoofed IP packet.
• ACLs are used on the router; if no access control lists are used then it would be possible to perform IP spoofing.

Test for IP handling bugs:

• ICMP redirects allow an attacker to manipulate a host and can specify a new gateway for specific networks.

Page 33

Step 18: Test ARP Attacks

In switched networks, packets are switched based on MAC addresses, and every host on the network has a unique 48-bit physical address.

ARP requests are sent as broadcast frames.

Test to determine if ARP spoofing is possible against this router.

Attempt a man-in-the-middle attack against the router.

ARP cache poisoning tools:

• Ettercap
• arpspoof

Page 34

Step 19: Test for Routing Protocol Assessment

Many routing protocols have weak or no authentication.

• Example: RIP v1

An attacker can easily send a spoofed packet and manipulate routing tables.

Check to determine if authentication is enabled on these protocols and attempt to inject RIP packets into the network.

Page 35

Step 20: RIP Testing

There are 2 versions of RIP:

• RIP protocol v1.
• RIP protocol v2.

RIP version 1 does not support authentication of routing updates and hence the routing updates can be easily sniffed.

RIP version 2 supports both plain text and MD5 authentication.

Tools such as L0phtCrack and John the Ripper can brute-force and crack RIPv2 authentication.

Page 36

Step 21: Test for OSPF Protocol

Open Shortest Path First (OSPF) supports two forms of authentication:

• Plain text.
• MD5.

Plain text authentication should be used only when neighboring devices do not support the more secure MD5 authentication.

Use a hash gathering and password cracking tool in case hashing by MD5 is used. Both routers use the same secret key, which is used for generating the hash that is appended to the message.

A dictionary attack along with a brute-force attack is used for cracking the password so that the message can be read and routing updates can be modified.

Page 37

OSPF Example

(config)# router ospf 1
(config-router)# network 192.1.0.0 0.0.255.255 area 1
(config-router)# area 1 authentication message-digest
(config-router)# exit
(config)# int eth0/0
(config-if)# ip ospf message-digest-key 1 md5 UFDSEGG321-JH3

Page 38

Step 22: Test BGP Protocol

BGP is an external routing protocol which is used to communicate between different autonomous systems.

A BGP session can be hijacked, and incorrect information about the routing tables could be injected through the hijacked session.

Session hijacking is easy for someone who can predict the TCP sequence number for the TCP session the BGP protocol runs over.

Try to hijack BGP sessions using tools such as Hunt and T-sight.

Page 39

Step 23: Test for EIGRP Protocol

EIGRP is a proprietary routing protocol of Cisco Systems.

EIGRP authentication works similarly to RIP v2.

EIGRP authentication supports only MD5.

Try to brute-force EIGRP authentication by using dictionary attacks.

Page 40

Step 24: Test Router Denial of Service Attacks

Malformed packet attack:

• An attacker sends a single packet or a small stream of packets to the target that is formed in a way not anticipated by the developers of the target machine.

Packet flood attacks:

• These attacks occur when the attacker sends too many packets to the destination, which the destination cannot process (e.g. SYN attacks).

Page 41

Step 25: Test Router's HTTP Capabilities

Newer routers can be managed using a web browser.

A web server might be running at the router (not necessarily on port 80 but on some other port like 5644).

Check for the presence of a web server by connecting using a web browser.

Page 42

Step 26: Test Through HSRP Attack

Send packets with high priority so that the active router network slows down.

Forward all the incoming packets to the correct destination.

Test whether traffic sent via the HSRP group is forwarded to your IP address.

A man-in-the-middle attack is established as all the traffic is forwarded to the targeted IP.

Page 43

Router Testing Report

Document all your router testing findings in the penetration testing report.

Router testing is a tedious task and you must be patient since the traffic recorded is huge.

Page 44

Steps for Testing Switches

1. Testing address cache size
2. Data integrity and error checking test
3. Testing for back-to-back frame capacity
4. Testing for frame loss
5. Testing for latency
6. Testing for throughput
7. Test for frame error filtering
8. Fully meshed test
9. Stateless QoS functional test

Page 45

Steps for Testing Switches (cont'd)

10. Spanning tree network convergence performance test
11. OSPF performance test
12. Test for VLAN hopping
13. Test for MAC table flooding
14. Testing for ARP attack
15. Check for VTP attack

Page 46

Step 1: Testing Address Cache Size

Send frames using half of the initial user-specified address table size.

Then send generic frames at a specified frame rate.

If the switch is able to handle all of the addresses, increase the frame rate.

Repeat the above steps until frame loss or flooding is detected.

Use tools such as Ixia's IxScriptMate to automate the above process.

Page 47

Step 2: Data Integrity and Error Checking Test

Check the switch's ability to forward frames at certain traffic rates without corrupting the payload.

Frames are transmitted with a predefined data pattern.

Verify whether the switch forwards the frames properly.

Calculate the number of sequence errors and the number of data errors.

Page 48

Step 3: Testing for Back-to-Back Frame Capacity

The back-to-back value is the number of frames in the longest burst that the switch will handle without the loss of any frames.

Send a burst of frames with minimum inter-frame gaps to the switch and count the number of frames forwarded by the switch.

If the count of transmitted frames is equal to the number of frames forwarded, the length of the burst is increased and the test is rerun.

If the number of forwarded frames is less than the number transmitted, the length of the burst is reduced and the test is rerun.

The trial length must be 2 seconds and should be repeated 50 times, with the average of the recorded values being reported.

Page 49

Step 4: Testing for Frame Loss

Send a specific number of frames at a specific rate through the switch to be tested and count the frames that are transmitted by the switch.

The frame loss rate at each point is calculated using the following equation:

• ((input_count - output_count) * 100) / input_count

Page 50

Step 5: Testing for Latency

Send a stream of frames through the switch at the determined rate to a specific destination for a duration of 120 seconds.

Include an identifying tag in one frame after 60 seconds.

Record the time at which this frame is fully transmitted (timestamp A).

Record the time at which the tagged frame was received by the receiver (timestamp B).

The latency is timestamp B minus timestamp A.

Repeat the test 20 times, with the reported value being the average of the recorded values.

Page 51

Step 6: Testing for Throughput

Send a specific number of frames at a specific rate through the switch and then count the frames that are transmitted by the switch.

If the count of offered frames is equal to the count of received frames, the rate of the offered stream is raised and the test is rerun; if fewer frames are received than were transmitted, the rate of the offered stream is reduced and the test is rerun.
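Steps 3, 4 and 6 as code, an added example that is not from the module: the back-to-back burst search, the Step 4 loss equation and the throughput rate search, run against a constructed SimulatedSwitch whose burst buffer (1500 frames) and forwarding ceiling (148,800 frames/s) are assumed values standing in for a real device under test.

```python
"""Switch test steps 3, 4 and 6 (back-to-back capacity, frame loss rate,
throughput) implemented as the search procedures this module describes,
driven against a simulated switch.  Added example, not from the module;
SimulatedSwitch is a constructed stand-in for the device under test."""


class SimulatedSwitch:
    """Constructed DUT model: drops frames beyond its burst buffer, and on a
    sustained stream forwards at most max_rate frames per second."""

    def __init__(self, burst_buffer=1500, max_rate=148_800):
        self.burst_buffer = burst_buffer      # assumed value
        self.max_rate = max_rate              # assumed value

    def forward_burst(self, burst_len):
        return min(burst_len, self.burst_buffer)

    def forward_stream(self, rate, count):
        if rate <= self.max_rate:
            return count
        return count * self.max_rate // rate


def frame_loss_rate(input_count, output_count):
    """Step 4 equation: ((input_count - output_count) * 100) / input_count."""
    if input_count <= 0:
        raise ValueError("input_count must be positive")
    return ((input_count - output_count) * 100) / input_count


def back_to_back_capacity(dut, max_burst, trials=50):
    """Step 3: longest burst forwarded without loss.  Grow the burst when every
    frame comes back, shrink it when any is lost, and report the average over
    the trials (the module asks for 50 trials of 2 s each)."""
    results = []
    for _ in range(trials):
        lo, hi = 0, max_burst
        while lo < hi:
            mid = (lo + hi + 1) // 2
            if dut.forward_burst(mid) == mid:
                lo = mid                      # no loss: increase the burst length
            else:
                hi = mid - 1                  # loss: reduce the burst length
        results.append(lo)
    return sum(results) / len(results)


def throughput(dut, max_rate, count=10_000, tolerance=1):
    """Step 6: highest offered rate (frames/s) at which every offered frame is
    received; raise the rate on zero loss, reduce it on any loss."""
    lo, hi = 0, max_rate
    while hi - lo > tolerance:
        mid = (lo + hi) // 2
        if frame_loss_rate(count, dut.forward_stream(mid, count)) == 0:
            lo = mid
        else:
            hi = mid
    return lo


def frame_loss_table(dut, rates, count=10_000):
    """Step 4: loss rate in percent at each offered rate."""
    return {r: frame_loss_rate(count, dut.forward_stream(r, count)) for r in rates}


if __name__ == "__main__":
    dut = SimulatedSwitch()
    print("back-to-back frames:", back_to_back_capacity(dut, max_burst=10_000))
    print("throughput frames/s:", throughput(dut, max_rate=1_000_000))
    print("loss table:", frame_loss_table(dut, [100_000, 148_800, 297_600]))
```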

Page 52

Step 7: Test for Frame Error Filtering

Check if the switch correctly filters illegal frames, such as:

• Undersized frames.
• Oversized frames.
• Frames with CRC errors.
• Fragmented frames.
• Alignment errors.
• Dribble errors.

Tools:

• Ixia's IxScriptMate

Page 53

Step 8: Fully Meshed Test

Check the total number of IP frames that the switch can handle when it receives frames on all its ports.

Each port in the test sends frames to all other ports in an evenly distributed, round-robin type fashion at a specific user-defined rate.

Page 54

Step 9: Stateless QoS Functional Test

Measure the baseline performance of the switch:

• With QoS.
• Without QoS.

Inject stateless traffic into the network.

Check the latency and the packet loss on the egress traffic port.

Measure and record:

• When QoS is disabled on the switch.
• When QoS with IP Precedence classifying and marking is enabled on the switch.

Page 55

Step 10: Spanning Tree Network Convergence Performance Test

Measure:

• Network convergence based on the handling of topology change notifications and configuration BPDUs, as well as traffic switchover.

Check the switch's spanning tree convergence performance.

Check for any changes in path cost to the root.

Check if the bridge link slows down.

Page 56

Step 11: OSPF Performance Test

Set the defined routes and a topology.

Test the no-drop throughput and latency.

Execute the test either with OSPFv2 or OSPFv3 protocols.

Measures the OSPF performance and scalability of a switch.

Page 57

Step 12: Test for VLAN Hopping

Spoof your computer to appear as another switch.

Send a fake DTP negotiate message announcing that you would like to be a trunk.

Check whether the real switch turns on an 802.1Q trunk.

Check whether traffic for all VLANs is sent to your computer.

Page 58

Step 13: Test for MAC Table Flooding

Use the macof tool to flood the content addressable memory (CAM) with random MAC addresses.

Check whether all ports are flooded.

Check whether you can sniff in a switched environment.

Page 59

Step 14: Testing for ARP Attack

Send a spoofed Address Resolution Protocol reply toward another host.

Check the MAC address of the other host.

Associate your MAC address with the host's MAC address in the MAC address table of the switch.

Check all the frames which are being sent to the host address.
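The detection-side view of this step and of Step 18 (ARP attacks against the router), as an added example that is not part of the module: flag an IP address whose claimed MAC changes across ARP replies, run over constructed sample replies rather than a capture.

```python
"""Detect ARP cache poisoning (router Step 18, switch Step 14) from the wire:
an IP whose sender MAC differs from the first-seen or trusted mapping.
Added example, not from the module; the ARP records are constructed."""
from collections import defaultdict

# Constructed ARP replies: (timestamp_s, sender_ip, sender_mac, target_ip).
# The gateway 10.0.0.1 legitimately sits at 00:11:22:33:aa:bb; the last two
# replies claim a different MAC for it, as a poisoning attempt would.
SAMPLE_REPLIES = [
    (0.0, "10.0.0.1", "00:11:22:33:aa:bb", "10.0.0.25"),
    (1.0, "10.0.0.25", "00:aa:bb:cc:dd:25", "10.0.0.1"),
    (2.0, "10.0.0.1", "00:11:22:33:AA:BB", "10.0.0.40"),
    (5.0, "10.0.0.1", "00:de:ad:be:ef:99", "10.0.0.25"),
    (5.1, "10.0.0.1", "00:de:ad:be:ef:99", "10.0.0.40"),
]


def detect_arp_spoofing(replies, trusted=None):
    """Return (timestamp, ip, expected_mac, observed_mac) for every reply whose
    sender MAC contradicts the trusted mapping (if given) or the first MAC seen
    for that IP.  MACs are compared case-insensitively."""
    seen = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
    alerts = []
    for ts, sip, smac, _tip in replies:
        smac = smac.lower()
        if sip not in seen:
            seen[sip] = smac                   # learn the first mapping
        elif seen[sip] != smac:
            alerts.append((ts, sip, seen[sip], smac))
    return alerts


def macs_per_ip(replies):
    """Inventory for the report: every MAC that has claimed each IP."""
    table = defaultdict(set)
    for _ts, sip, smac, _tip in replies:
        table[sip].add(smac.lower())
    return {ip: sorted(macs) for ip, macs in table.items()}


if __name__ == "__main__":
    trusted = {"10.0.0.1": "00:11:22:33:aa:bb"}   # constructed static gateway entry
    for ts, ip, expected, observed in detect_arp_spoofing(SAMPLE_REPLIES, trusted):
        print(f"t={ts:.1f}s ARP reply claims {ip} is at {observed}, expected {expected}")
```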

Page 60

Step 15: Check for VTP Attack

Eliminate all the VLANs by using VTP (VLAN Trunking Protocol).

Check whether you are on the same VLAN as every other user.

Change your IP to be on the same network on which the other users are present.

Check whether you can attack the host.

Page 61

Summary

The need for router testing is to provide a single point of reference for router security assessment and countermeasures for identified weaknesses.

Vulnerabilities of the device can be known if the router's operating system and its version are known.

Plain text authentication should be used only when neighboring devices do not support the more secure MD5 authentication.
