IT LOGBOOK

martes, 18 de septiembre de 2012

Configurando AAA en un router

1. Las funciones y la importancia de AAA.

Autenticación: comprueba que los usuarios y administradores sean quienes dicen ser.
Autorización: después de la autenticar al usuario o al administrador, decide a qué recursos puede acceder o qué operaciones puede realizar.
Registro (Accounting and Auditing): guarda el instante temporal en el que se efectuan las operaciones y acceden a los recursos.

2. Los tres métodos para implementar AAA.

Los usuarios pueden acceder a la LAN de la empresa a través de marcación (NAS) o través de una VPN (router, ASA). Los administradores pueden acceder a los dispositivos de red a través del puerto consola, el puerto auxiliar o las vty.

Todas estas formas de acceso pueden ser implementadas con AAA de forma local o en BBDD remotas. Con BBDD remotas podemos centralizar la gestión de AAA de varios dispositivos de red.
Los tres métodos de implementar AAA son:

Localmente: en un router o un NAS.
En un ACS (Access Control Server) de Cisco por software: instalado en un Microsoft Windows Server permitiendo la comunicación con routers y NAS.
En un ACS de Cisco por hardware: servidor hardware dedicado que permite la comunicación con routers y NAS.

3. Métodos de autenticación remota.

Existen dos métodos para autenticar usuarios remotos; autenticación local o remota.

Autenticación local

Consiste en autenticar directamente en el router o el NAS los nombres de usuario y su contraseñas. Esta recomendado para pequeñas redes y no requiere BBDD externas.
La autenticación funciona de la siguiente manera; el usuario solicita autenticarse, el router (o NAS) solicita el nombre de usuario y la contraseña, el usuario responde, el router comprueba los datos, acepta o deniega el acceso y comunica el veredicto al usuario.

Autenticación remota

El problema de la autenticación local es la escalabilidad. Uno o varios ACS (por software o hardware) pueden gestionar toda la autenticación de todos los dispositivos de red. La comunicación entre estos dispositivos y los ACS utilizan los siguientes protocolos: TACACS+ o RADIUS.

La autenticación funciona de la siguiente manera; el usuario solicita autenticarse, el router (o NAS) solicita el nombre de usuario y la contraseña, el usuario responde, el router reenvía los datos al ACS, el ACS comprueba los datos y acepta o deniega el acceso, finalmente el ACS comunica el veredicto al router y este al usuario.

4. Los protocolos TACACS+ y RADIUS.

El ACS de Cisco soporta los protocolos TACACS+ y RADIUS. TACACS+ es más seguro pero RADIUS tiene mejor Accounting y una mejor interfaz de programación.
El ACS permite gestionar los siguientes accesos:

Marcación contra un router o un NAS.
Puertos consola, puertos auxiliares y vtys de dispositivos de red.
ASAs (Adaptative Security Appliance).
Concentradores VPN serie 300 (sólo RADIUS).
Algunas tarjetas de testigo (token cards) y servidores

5. Los niveles de seguridad de los métodos de autenticación.

Sin usuario y contraseña: un atacante sólo debería encontrar el dispositivo y tratar de acceder al mismo. Una manera de asegurarlo sería que el servicio escuchará un puerto diferente.
Con usuario y contraseña y sin caducidad: el administrador decide cuando cambiar la contraseña. Este método es vulnerable a ataques de repetición, fuerza bruta, robo y inspección de los paquetes.
Con usuario y contraseña y con caducidad: cada x tiempo el administrador es forzado a cambiar su contraseña. Este método tiene las mismas vulnerabilidades pero el tiempo para comprometer el equipo por fuerza bruta es menor.
OTPs: es más seguro que los anteriores ya que la contraseña enviada solo tiene validez una vez, es decir, en el momento de ser interceptada por el atacante la contraseña caduca. S/Key es una implementación de OTP que genera un listado de contraseñas a partir de una palabra secreta.
Tarjetas de testigo por software y por hardware: está basado en la autenticación de doble factor; algo que el usuario tiene (token card) y algo que el usuario sabe (token card PIN). Existen dos tipos: basados en tiempo; F(clave_criptográfica,PIN) = OTP o basados en desafíos; F(desafío,clave_criptográfica) = OTP.

6. Protocolos de autenticación PPP.

PPP soporta autenticación PAP, CHAP y MS-CHAP.
PAP utiliza un intercambio de dos vías; el autenticador solicita las credenciales y el usuario las envía en texto claro. El intercambio se produce después de establecer el enlace PPP.
CHAP utiliza un intercambio de tres vías; después de establecer el enlace, el autenticador envía un desafío al dispositivo del usuario, este responde con un hash; F(desafío,palabra_secreta) = hash, el autenticador comprueba que el hash recibido coincida con su hash calculado. Este intercambio de tres vías se repite periodicamente (controlado por el autenticador) durante la comunicación y evita ataques de repetición.
MS-CHAP es la versión CHAP de Microsoft.

7. Configurar AAA en un router.

Primero, habilitamos el modelo AAA, añadimos un usuario local y definimos que la autenticación de acceso remoto sea local.

Router(config)#aaa new-model
Router(config)#username tracker secret ccsp
Router(config)#aaa authentication login default local

Ahora no tenemos problemas para acceder de nuevo al router o NAS en el caso de perder la comunicación (SSH).

Después, definimos los métodos de autenticación para login (acceso al router), ppp y enable (acceso al nivel privilegiado) y los aplicamos a nivel de línea o interfaz:

Router(config)#aaa authentication login default enable
Router(config)#enable secret cisco
Router(config)#aaa authentication login consola local
Router(config)#line console 0
Router(config-line)#login authentication consola
Router(config)#aaa authentication login vty line
Router(config)#line vty 0 4
Router(config-line)#password 123telnet
Router(config-line)#login authentication vty
Router(config-line)#end
Router#exit
Router con0 is now available
Press RETURN to get started.
User Access Verification
Username: tracker
Password: ccsp
Router>

R1#Router
Trying Router (192.168.0.1)... Open
User Access Verification
Password: 123telnet
Router>enable
Password: cisco
Router#

En los comandos de arriba, hemos definido que para acceder al router se tiene que utilizar por defecto (default) la contraseña 'enable secret', que para acceder por consola se tiene que utilizar un nombre de usuario y contraseña locales (tracker:ccsp) y para acceder por telnet necesitamos la contraseña en línea 123telnet. Las listas de autenticación particulas (consola y vty) cuando se aplican a líneas (vty, console, aux) o interfaces tiene preferencia sobre la autenticación por defecto (default).

Ahora definimos una lista de autenticación PPP por defecto (default) y una particular (marcacion) que aplicamos:

Router(config)#aaa authentication ppp default local
Router(config)#aaa authentication ppp marcacion group tacacs+ local-case
Router(config)#interface serial 0/0
Router(config-if)#ppp authentication chap marcacion

Arriba hemos definido que la autenticación PPP por defecto sea local y que la autenticación PPP particular (marcación) sea con TACACS+ y si falla sea local teniendo en cuenta mayúsculas/minúsculas.

Finalmente definiremos que la autenticación enable por defecto mire primero el grupo RADIUS y luego la contraseña 'enable secret':

Router(config)#aaa authentication enable default group radius enable

Ahora veremos unos ejemplos de autorización y registro (accounting):

Router(config)#aaa authorization commands 15 default local
Router(config)#aaa authorization network netop local
Router(config)#aaa accounting commands 15 default stop-only group tacacs+

El primero comando autoriza localmente la ejecución de los comandos de nivel 15 utilizando la lista por defecto (default). El segundo autoriza localmente algunos servicios de red utilizando una lista particular (netop). El tercero registra remotamente los comandos de nivel 15 utilizando TACACS+ para la lista por defecto.

8. Solucionar problemas AAA en un router.

Router#debug aaa authentication
Router#debug aaa authorization
Router#debug aaa accounting

9. Configurar AAA utilizando Cisco SDM.
AAA también puede ser configurado desde SDM. Para ello utilizamos el comando

aaa new-model

y elegimos en el SDM 'Tareas Adicionales > AAA'. Aparecerá un pantalla para listar, editar y borrar métodos de autenticación en el router.

jueves, 6 de septiembre de 2012

Proceso de configuración de ACL

El proceso de creación de una ACL se lleva a cabo creando la lista y posteriormente asociándola a una interfaz entrante o saliente.
Configuración de ACL estándar

Router(config)#access-list[1-99][permit|deny][dirección de origen][mascara comodín]

Donde:

1-99 Identifica el rango y la lista.

Permit|deny indica si esta entrada permitirá o bloqueará el tráfico a partir de la dirección especificada.

Dirección de origen identifica la dirección IP de origen.

Mascara comodín o wildcard identifica los bits del campo de la dirección que serán comprobados.

La mascara predeterminada es 0.0.0.0 (coincidencia de todos los bits).
Asociación de la lista a una interfaz

Router(config-if)#ip access-group[nº de lista de acceso][in|out]

Donde:

Número de lista de acceso indica el número de lista de acceso que será aplicada a esa interfaz.

In|out selecciona si la lista de acceso se aplicará como filtro de entrada o de salida.
Ejemplo de una ACL estándar denegando una red:

Router#configure terminal
Router(config)#access-list 10 deny 192.168.1.0 0.0.0.0
Router(config)#access-list 10 permit any
Router(config)#interface serial 0
Router(config-if)#ip access-group 10 in

Se ha denegado al host 192.168.1.0 y luego se ha permitido a cualquier origen,
Posteriormente se asocio la ACL a la interfaz Serial 0.
Configuración de ACL extendida

El proceso de configuración de una ACL IP extendida es el siguiente:

Router(config)#access-list[100-199][permit|deny][protocol][dirección de origen][mascara comodín][dirección de destino][mascara de destino][puerto][establisehed][log]
100-199 identifica el rango y número de lista
Permit|deny: indica si la entrada permitirá o bloqueara la dirección especificada.
Protocolo: como por ejemplo IP, TCP, UDP, ICMP

Dirección origen y destino: identifican direcciones IP de origen y destino.

Mascara wildcard origen y mascara destino: Son las mascaras comodín. Las 0 indican las posiciones que deben coincidir, y los 1 las “que no importan”.

Puerto

opcional) puede ser por ejemplo: lt (menor que), gt (mayor que), eq (igual a), o neq (distinto que) y un número de puerto de protocolo correspondiente.

Establisehed: (opcional) Se usa solo para TCP de entrada. Esto permite que él rafico TCP pase si el paquete utiliza una conexión ya establecida (por ejemplo posee un conjunto de bits ACK)

Log: (opcional) Envía un mensaje de registro a la consola a un servidor syslog determinado.

Algunos de los números de puertos más conocidos:

20 Datos del protocolo FTP
21 FTP
23 Telnet
25 SMTP
69 TFTP
53 DNS

Asociación de la lista a una interfaz

Router(config-if)#ip access-group[nº de lista de acceso][in|out]

Donde:

Número de lista de acceso indica el número de lista de acceso que será aplicada a esa interfaz.

In|out selecciona si la lista de acceso se aplicará como filtro de entrada o de salida.

Ejemplo de una ACL Extendida denegando un host hacia el puerto 80 de una red:

Router(config)#access-list 120 deny tcp host 204.204.10.1 any eq 80
Router(config)#access-list 120 permit ip any any
Router(config)#interface serial 1
Router(config-if)#ip access-group 120 in

Se ha denegado al host 204.204.10.1, (identificándolo con la abreviatura “host”) hacia el puerto 80 de cualquier red de destino (usando el termino any). Posteriormente se permite todo trafico IP. Esta ACL se asocio a la interfaz Serial 1 como entrante.
Aplicación de una ACL a la linea de telnet

Para evitar intrusiones no deseadas en las conexiones de telnet se puede crear una
lista de acceso estándar y asociarla a la Line VTY. El proceso de creación se lleva a cabo como una ACL estándar denegando o permitiendo un origen hacia esa interfaz. El modo de asociar la ACL a la Línea de telnet es el siguiente:

router(config)#line vty 0 4
router(config-line)#access-class[Nº de lista de acceso][in|out]

Como eliminar las listas de acceso

Desde el modo interfaz donde se aplico la lista:

Router(config-if)#no ip access-group[Nº de lista de acceso]

Desde el modo global elimine la ACL

router(config)#no access-list[Nº de lista de acceso]

Fuente Original

martes, 4 de septiembre de 2012

The Official Ubuntu Server Book 2nd Edition Jul 2010

Un interesante libro.

Prentice Hall The Official Ubuntu Server Book 2nd Edition Jul 2010

Packet Tracer Activity: Configure Cisco Routers for Syslog, NTP, and SSH Operations

PT Activity: Configure Cisco Routers for Syslog, NTP, and SSH

Operations

Topology Diagram

Addressing Table

Learning Objectives

 Configure routers as NTP clients.

 Configure routers to update the hardware clock using NTP.

 Configure routers to log messages to the syslog server.

 Configure routers to timestamp log messages.

 Configure local users.

 Configure VTY lines to accept SSH connections only.

 Configure RSA key pair on SSH server.

 Verify SSH connectivity from PC client and router client.

Introduction

The network topology shows three routers. You will configure NTP and Syslog on all routers. You will configure SSH on R3.

Network Time Protocol (NTP) allows routers on the network to synchronize their time settings with an NTP

server. A group of NTP clients that obtain time and date information from a single source have more consistent time settings and Syslog messages generated can be analyzed more easily. This can help when

troubleshooting issues with network problems and attacks. When NTP is implemented in the network, it can be set up to synchronize to a private master clock, or to a publicly available NTP server on the Internet.

The NTP Server is the master NTP server in this lab. You will configure the routers to allow the software clock to be synchronized by NTP to the time server. Also, you will configure the routers to periodically update the hardware clock with the time learned from NTP. Otherwise, the hardware clock will tend to gradually lose or gain time (drift) and the software clock and hardware clock may become out of synchronization with each other.

The Syslog Server will provide message logging in this lab. You will configure the routers to identify the remote host (Syslog server) that will receive logging messages.

You will need to configure timestamp service for logging on the routers. Displaying the correct time and date in Syslog messages is vital when using Syslog to monitor a network. If the correct time and date of a message is not known, it can be difficult to determine what network event caused the message.

R2 is an ISP connected to two remote networks: R1 and R3. The local administrator at R3 can perform most router configurations and troubleshooting; however, since R3 is a managed router, the ISP needs access to R3 for occasional troubleshooting or updates. To provide this access in a secure manner, the administrators have agreed to use Secure Shell (SSH).

You use the CLI to configure the router to be managed securely using SSH instead of Telnet. SSH is a network protocol that establishes a secure terminal emulation connection to a router or other networking device. SSH encrypts all information that passes over the network link and provides authentication of the remote computer. SSH is rapidly replacing Telnet as the remote login tool of choice for network professionals.

The servers have been pre-configured for NTP and Syslog services respectively. NTP will not require

authentication. The routers have been pre-configured with the following:

Enable password: ciscoenpa55
Password for vty lines: ciscovtypa55
Static routing

Task 1: Configure routers as NTP Clients.

Step 1. Test Connectivity

Ping from PC-C to R3.
Ping from R2 to R3.
Telnet from PC-C to R3. Exit the Telnet session.
Telnet from R2 to R3. Exit the Telnet Session.

Step 2. Configure R1, R2 and R3 as NTP clients.

Verify client configuration using the command show ntp status.

Step 3. Configure routers to update hardware clock.

Configure R1, R2 and R3 to periodically update the hardware clock with the time learned from NTP.

Verify that the hardware clock was updated using the command show clock.

Step 4. Configure routers to timestamp log messages.

Configure timestamp service for logging on the routers. Step 0.

Task 2: Configure routers to log messages to the Syslog Server.

Step 1. Configure the routers to identify the remote host (Syslog Server) that will receive logging

messages.

The router console will display a message that logging has started.

Step 2. Verify logging configuration using the command show logging.

Step 3. Examine logs of the Syslog server. Step 0.

From the Config tab of the Syslog server’s dialogue box, select the Syslog services button. Observe the

logging messages received from the routers.

Note: Log messages can be generated on the server by executing commands on the router. For example,

entering and exiting global configuration mode will generate an informational configuration message

Task 3: Configure R3 to support SSH connections.

Step 1. Configure a domain name.

Configure a domain name of ccnasecurity.com on R3.

Step 2. Configure users for login from the SSH client on R3.

Create a user ID of SSHadmin with the highest possible privilege level and a secret password of

ciscosshpa55.

Step 3. Configure the incoming VTY lines on R3.

Use the local user accounts for mandatory login and validation. Accept only SSH connections.

Step 4. Erase existing key pairs on R3.

Any existing RSA key pairs should be erased on the router

Note: If no keys exist, you might receive this message: % No Signature RSA Keys found in configuration.

Step 5. Generate the RSA encryption key pair for R3.

The router uses the RSA key pair for authentication and encryption of transmitted SSH data. Configure the RSA

keys with a modulus of 1024. The default is 512, and the range is from 360 to 2048.

R3(config)# crypto key generate rsa [Enter]

The name for the keys will be: R3.ccnasecurity.com

Choose the size of the key modulus in the range of 360 to 2048 for your

General Purpose Keys. Choosing a key modulus greater than 512 may take

a few minutes.

How many bits in the modulus [512]:1024

% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]

Note: The command to generate RSA encryption key pairs for R3 in Packet Tracer differs from those used in

the lab.

Step 6. Verify the SSH configuration.

Use the show ip ssh command to see the current settings. Verify that the authentication timeout and retries

are at their default values of 120 and 3.

Step 7. Configure SSH timeouts and authentication parameters.

The default SSH timeouts and authentication parameters can be altered to be more restrictive. Set the timeout

to 90 seconds, the number of authentication retries to 2, and the version to 2.

Issue the show ip ssh command again to confirm that the values have been changed.

Step 8. Attempt to connect to R3 via Telnet from PC-C.

Open the Desktop of PC-C. Select the Command Prompt icon. From PC-C, enter the command to connect to R3 via Telnet.

PC> telnet 192.168.3.1

This connection should fail, since R3 has been configured to accept only SSH connections on the virtual

terminal lines.

Step 9. Connect to R3 using SSH on PC-C.

Open the Desktop of PC-C. Select the Command Prompt icon. From PC-C, enter the command to connect to R3 via SSH. When prompted for the password, enter the password configured for the administrator

ciscosshpa55.

PC> ssh –l SSHadmin 192.168.3.1

Step 10. Connect to R3 using SSH on R2.

In order to troubleshoot and maintain the R3 router, the administrator at the ISP must use SSH to access the

router CLI. From the CLI of R2, enter the command to connect to R3 via SSH version 2 using the SSHadmin user account. When prompted for the password, enter the password configured for the administrator: ciscosshpa55.

R2# ssh –v 2 –l SSHadmin 10.2.2.1

Step 11. Check results.

Your completion percentage should be 100%. Click Check Results to see feedback and verification of which required components have been completed.

PDF

PKA

Securing against arp poisoning

Securing against arp poisoning

You might be asking, “So what if arpspoof is flooding the network with ARP reply messages?” Well, some operating systems record the information they see in an ARP reply, even if they did not send an initial ARP request.

The reason operating systems do this is to cut down on the level of ARP traffic on your network. If your operating system did not use this opportunistic ARP caching, then each host would have to send their own ARP packets to discover other machines. Rather than flood the LAN with redundant traffic, many operating systems cache that information inside their own ARP table when they see an ARP reply. By sending ARP Reply messages for all IP addresses with your interface as the destination MAC, arpspoof is able to redirect traffic to its own sniffing interface.

Fighting effectively against ARP poisoning with efficiency is not an easy task because the ARP protocol provides no ability to establish the authenticity of the source of incoming packets.

Here are some ways to protect your machines against arp spoofing.

1. STATIC ARP

2. SURVEILLANCE TOOLS

3. PORT SECURITY

4. CONCLUSION

1. STATIC ARP

Static ARPing means that you manually configure IP to MAC mappings.

Windows Machine

C:\Documents and Settings\administrator>arp -s 192.168.1.1 11-22-33-44-11-11

See your ARP cache table:

C:\Documents and Settings\administrator>arp -a

Interface : 192.168.1.2 --- 0x2

Internet Address
192.168.1.1
192.168.1.100

Physical Address
11-22-33-44-11-11
11-22-33-44-99-99

Type
static
dynamic

Linux machine

#arp -s 192.168.1.1 11:22:33:44:11:11

See your ARP cache table:

#arp

Address
192.168.1.1

HWtype
ether

HWaddress
11:22:33:44:11:11

Flags Mask
CM

Iface
eth0

Cisco router

router#configure terminal
router(config)#arp 192.168.1.2 1122.3344.5566 ARPA

The creation of static IP-MAC address mappings will prevent ARP poisoning but has two big disadvantages:

- -	This will generate a lot of extra work for the administrator and is not applicable in an environment where the users have to move with their laptops. This will not prevent other types of ARP attacks such as port stealing.

2. SURVEILLANCE TOOLS

Arpwatch

Arpwatch is a tool to monitor the ARP activity on a network and particularly when a change occurrs in the MAC address - IP address associations. For this reason, it can be helpful to detect ARP attacks such as ARP spoofing and can alert the administrator by mail in case of suspicious ARP activities (referred to as a flip-flop in Arpwatch).

#apt-get install arpwatch

By default, Arpwatch sends its logs in the /var/log/syslog file, you can use the "tail /var/log/syslog" command to check the logs in real time.
The configuration is stored in the /etc/arpwatch.conf file.

Ettercap

Install Ettercap in graphical mode.

#apt-get install ettercap-gtk

Launch Ettercap in graphical mode.

#ettercap -G

Sniff -> Unified sniffing...

Plugins -> Manage the plugins

Click on the arp_corp plugin to activate it.

Start -> Start Sniffing

Snort IDS

A Intrusion Detection System such as the Snort IDS can detect ARP abnormal activities and send a mail to inform the administrator.

3. PORT SECURITY

Port-security is security functionality available on some high-end switches.

It will allow only devices with certain MAC addresses to connect to the switch ports, and in case a machine is not authorized, the switch can take actions such as alerting the administrator with a SNMP trap or shutting down the faulty port immediately.

Below is an example with a Cisco switch where its first port (FastEthernet 0/1) is configured with port-security.

The switch port will accept only one unique MAC address and this MAC address will be the first seen by the switch port (sticky keyword). If the switch port sees another MAC address on its first port it will immediately it shut down the port.

Switch# configure terminal
Switch(config)# interface FastEthernet 0/1
Switch(config-if)# switchport port-security mac-address sticky
Switch(config-if)# switchport port-security maximum 1
Switch(config-if)# switchport port-security violation shutdown

After the switch configuration, we plug a device with MAC address 1122.3344.5566 on the FastEthernet 0/1 port, which will accept no other MAC address.

Switch# show port-security

Secure Port   MaxSecureAddr   CurrentAddr   SecurityViolation   Security Action
                         (Count)          (Count)            (Count)
---------------------------------------------------------------------------
   Fa1/0/1               1                    1                    0          Shutdown
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port) : 0
Max Addresses limit in System (excluding one mac per port) : 6272

Switch# show port-security interface FastEthernet 0/1

Port Security
Port Status
Violation Mode
Aging Time
Aging Type
SecureStatic Address Aging
Maximum MAC Addresses
Total MAC Addresses
Configured MAC Addresses
Sticky MAC Addresses
Last Source Address:Vlan
Security Violation Count

:
:
:
:
:
:
:
:
:
:
:
:

Enabled
Secure-up
Shutdown
0 mins
Absolute
Disabled
1
1
0
1
1122.3344.5566:1
0

Switch#show port-security address

          Secure Mac Address Table
----------------------------------------------------------------------------
Vlan    Mac Address        Type                  Ports            Remaining Age
                                                                              (mins)
----    -----------          ----                    -----          -------------
1        1122.3344.5566    SecureSticky        Fa0/1              -
----------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port) : 0
Max Addresses limit in System (excluding one mac per port) : 6272

We unplug our current device (MAC: 1122.3344.5566) and plug another device (MAC: 1122.3344.9999). As seen below, the switch will shut down its first port and put it in the err-disabled status.

Switch# show port-security interface FastEthernet 0/1

:
:
:
:
:
:
:
:
:
:
:
:

Enabled
Secure-down
Shutdown
0 mins
Absolute
Disabled
1
1
0
1
1122.3344.9999:1
0

Switch#show logging

00:06:28:

00:06:28

00:06:29:

00:06:30:

%PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/1, putting Fa0/1 in err-disable state
%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MACaddress 1122.3344.9999 on port FastEthernet0/1.
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down
%LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to down

Switch#show interfaces status | include 0/1

Port
-------
Fa0/1

Name
------------------

Status
------------
err-disabled

Vlan
--------
1

Duplex
------
auto

Speed
-------
auto

Type
----
10/100BaseTX

If you want to reactivate the port in the err-disabled state, use the following commands:

Switch# configure terminal
Switch(config)# interface FastEthernet 0/1
Switch(config-if)# shutdown
Switch(config-if)# no shutdown

The port-security activation will not prevent ARP spoofing but the possibility for the pirate to get connected to the network.

4. CONCLUSION

The suggestions below provide help by either preventing the pirate from connecting to the network or by checking your network.

· Network restriction with port security

· 802.1x protocol where a machine is authorized on the network only if it is accepted by an authentication server such as a RADIUS.

· Network surveillance with tools such as IDS.

Original File

Accessing SSL encrypted traffic (MITM attack with Backtrack 5)

Accessing SSL encrypted traffic (MITM attack with Backtrack 5)

Step 1: First you need to setup ip forwarding using fragrouter. Open a terminal and type the command.

Command: fragrouter -B1

This is to forward packets between the client and its gateway while spoofing. Minimize the terminal.

Step 2: Now you need to “arp spoof” the client. Open a new terminal and type the command.

Command: arpspoof -t [target ip] [default gateway ip]

example : arpspoof -t 192.168.1.7 192.168.1.1

Minimize the terminal.

Step 3: Now you need to set up “DNS spoofing”. Open a new terminal and type the command.

Command: dnsspoof

Minimize the terminal.

Now all the DNS requests from the client will be redirected to the MITM.

Step 4: Now you need to set up a proxy for these DNS requests. Open a new terminal and type the command.

Command: webmitm -d

NOTE: If you are starting Webmitm for the first time, it will create a fake SSL certificate and private key. Answer the questions it asks with false information and you should get the message “webmitm relaying transparently".

Minimize the terminal.

Step 5: Now you need to capture the traffic using wireshark.

Command: applications ->backtrack -> information gathering ->network analysis ->network traffic analysis ->wireshark

Step 6: In wireshark select :

Command: capture -> interfaces -> start (click start button for eth0)

The DNS has been spoofed so you can see that an nslookup for Gmail in the client computer will show the MITM attacker's ip :

When the client accesses Gmail, the following happens:

1. The client opens "Gmail.com" in a browser.
2. This will be redirected to webmitm, which will issue the “Gmail page” with a fake ssl certificate.
3. The client will log into "Gmail" using his credentials.
4. All the traffic will be captured by wireshark.

Step 7: Stop the wireshark capture and save the captured traffic to a file. Save it in the root folder to make it easier.

In the root folder there will be another file called "webmitm.crt" which is the fake ssl certificate generated by webmitm.

Now you have captured ssl packets from the network traffic and the fake ssl certificate.

Step 8: Now you need to decrypt the captured packets. Open a new terminal and type the command.

Command: ssldump -r test -k webmitm.crt -d > finaloutput

NOTE:

• test is the file containing the packets captured with wireshark
• webmitm.crt is the fake SSL certificate
• finaloutput is the file that will contain the decrypted output

Step 9: Now you can view the decrypted packets. Open a new terminal and type the command.

Command: cat finaloutput | grep Email

Highlighted above are the decrypted username and password.

Definitons & Tools:

1.) SSL :
Quote:Secure Sockets Layer, a computing protocol that ensures the security of data sent via the Internet by using encryption . With SSL, client and server computers exchange public keys, allowing them to encode and decode their communication. So any attacker tries to sniff traffic between them will only get encrypted garbage values... the web servers which use SSL are denoted by HTTPS ...

2.) ARP :
Quote:Address Resolution Protocol is a network layer protocol used to convert an IP address into a physical address such as an Ethernet address( MAC address ). A host wishing to obtain a physical address broadcasts an ARP request onto the TCP/IP network. The host on the network that has the IP address in the request then replies with its physical hardware address.

3.)DNS :
Quote:Domain Name System is a database system that translates a domain name into an IP address. for example if you type gmail.com in your browser , your DNS will reply with gmail's ip so that,your router can connect to gmail's server using its IP....for better understanding type -->" nslookup " in your cmd or konsole and then type "gmail.com" ,you will see your DNS replies you with gmail's ip addresses .

4.)ARP Spoofing :
Quote:ARP spoofing is a technique in which a host in a LAN can "poison" the ARP table of another host by forging fake ARP requests and replies , causing it to send packets to the wrong destination. The attacker can modify the traffic in the network such a way that it will redirect all traffic to go through it. ARP Spoofing will allow an attacker to sniff data frames.

5)DNS Spoofing :
Quote:DNS spoofing is similar to arp spoofing ,it is based on the presentation of false or fake DNS information to the slave in a response to their DNS request and as a result forcing them to visit a site which is not the real one.

6.) MITM :
Quote:Man in the middle attack means intercepting a communication between two systems ,both ARP Spoofing and DNS
Spoofing are types of MITM attack..

7.)IP forwarding :
Quote:IP forwarding enables one host to sit on two LANs and to act as a gateway forwarding IP packets from one LAN to another.

TooLs :-

1.) fragrouter - tool used to for ip forwarding between slave and its destination host.

2.) arpspoof - to arp spoof slave machine and its host

3.) dnsspoof - to dns spoof slave machine and its host

4.) webmitm - its a tool which transparently proxies and sniffs HTTP / HTTPS traffic redirected by dnsspoof, capturing most "secure" SSL-encrypted webmail logins and form submissions...

5.) wireshark - it is a network protocol analyzer . here its used to capture ssl encrypted traffic between slave and webmitm...

6.) ssldump - decrypts ssl packets using private key