Bypassing Port Security

On Cisco switches there is a feature called port security. How does port security work?
Port security only allows specific MAC addresses that have already been learned on a switchport; if the source MAC doesn't match, the frame sent by the host through that switchport is dropped. To understand this properly, I strongly recommend learning the OSI layers and TCP/IP first before jumping into this material.

There are 3 port-security actions, usually called violation modes: Shutdown, Restrict, and Protect. Here I will choose Restrict, because with it we get a notification when a foreign MAC address tries to connect. And why not Shutdown? That's the critical one; find out yourself.

Okay, let's begin. In this post I'm using DracOs Linux as my pentesting platform. What is DracOs? DracOs is the first pentest Linux distribution from Indonesia, built from LFS (Linux From Scratch). Very light and powerful.

And this is our pentest lab. Remember, port security in this lab is only implemented on IOU2 interface e0/0, with a maximum of 3 MAC addresses: IOU3 e0/0, PC1 e0 and PC2 e0.

[screenshot 1 not included]

The first thing you need to do is bring up your interface. Now let's think about how we can get usable information from an authorized user while we have no IP address and the switchport is blocking us.

Network scanning? No, you can't, because you don't have an IP address to do that yet. 😛

[screenshot 2 not included]

Okay, here is my config on the e0/0 switchport, and you will see a violation occur right after bringing up your interface. But why? Because my device doesn't match the port-security rules, and every time you bring up an interface it automatically sends out ARP broadcasts to all ports, looking for friends on the network. Sadly, my frames got dropped by port security. lol.

[screenshot 3 not included]

I set up my router as the DHCP server. The reason is that I need the ARP and DHCP acknowledgement traffic from an authorized user, and I want to make it like the real world, with a /29 prefix.

[screenshot 4 not included]

Okay, now from the client side I request DHCP from PC1 to the server while sniffing my own DracOs interface, looking for an ARP broadcast from an authorized user. Gotcha, now I've got some information.

[screenshot 5 not included]

As you can see from layer 2, we now have an authorized MAC address, and we know which IP network the authorized user got from the DHCP server. Now what?

[screenshot 6 not included]

Make sure your interface is still up and working, then assign an IP address within the same network as the information above. I'll give it a /24 prefix. Why? Because we won't get an IP from the DHCP server, so I'm configuring it statically, and since we don't know what mask the DHCP server uses, a /24 logically covers it; it makes sense as a class C. Can we do that? Absolutely yes.

[screenshot 7 not included]

But just assigning an IP to our interface is not enough; it doesn't mean we can ping the router, because port security matches on layer 2. We need to use the MAC address of an authorized user to bypass this feature, by spoofing it. Change your MAC address to the authorized user's MAC, and congratulations, now you have bypassed it. Welcome to the network. 🙂

[screenshot 8 not included]

Looking at my ARP table after pinging and scanning the whole network, I've got only 2 hosts up. Do you know why? Because I have the same MAC address as one of the authorized users, the one with IP 172.16.0.2 and MAC 00:50:79:66:68:00, and I'm replacing him. 🙂

[screenshot 9 not included]
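The spoof described above leaves a footprint on the switch and router side. The following Python script is an added example, not code from the original post: it parses Cisco-style port-security violation syslog lines (the real %PORT_SECURITY-2-PSECURE_VIOLATION message format) and an ARP table, and reports any MAC address that answers for more than one IP, which is exactly what a cloned authorized MAC with a second, statically assigned IP looks like. The syslog lines, the attacker NIC address 0000.1111.2222 and every IP other than 172.16.0.2 are constructed sample values.

```python
import re
from collections import defaultdict

# Cisco IOS port-security violation message (real format); the MAC, port and
# IP values in the samples further down are constructed for this example.
VIOLATION_RE = re.compile(
    r"%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, "
    r"caused by MAC address (?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}) "
    r"on port (?P<port>\S+)\."
)


def normalize_mac(mac: str) -> str:
    """Return a MAC as lower-case colon-separated octets, whatever the input
    style (Cisco dotted 0050.7966.6800 or colon 00:50:79:66:68:00)."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"bad MAC: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_violations(syslog_lines):
    """Extract (port, mac) pairs from port-security violation messages."""
    found = []
    for line in syslog_lines:
        m = VIOLATION_RE.search(line)
        if m:
            found.append((m.group("port"), normalize_mac(m.group("mac"))))
    return found


def macs_with_multiple_ips(arp_entries):
    """Map each MAC seen with more than one IP to the sorted list of those IPs.
    arp_entries: iterable of (ip, mac) pairs from a router/switch ARP table."""
    ips_by_mac = defaultdict(set)
    for ip, mac in arp_entries:
        ips_by_mac[normalize_mac(mac)].add(ip)
    return {mac: sorted(ips) for mac, ips in ips_by_mac.items() if len(ips) > 1}


def analyze(syslog_lines, arp_entries):
    """Combine both signals into a list of human-readable findings."""
    findings = []
    for port, mac in parse_violations(syslog_lines):
        findings.append(f"violation on {port}: unknown MAC {mac} tried to send")
    for mac, ips in macs_with_multiple_ips(arp_entries).items():
        findings.append(f"MAC {mac} answers for several IPs {ips}: possible spoofing")
    return findings


# Constructed sample data: the attacker's real NIC (0000.1111.2222) trips the
# violation first; later the cloned authorized MAC shows up with a second IP.
SAMPLE_SYSLOG = [
    "*Mar  1 00:12:41.123: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation "
    "occurred, caused by MAC address 0000.1111.2222 on port Ethernet0/0.",
    "*Mar  1 00:12:45.001: %LINK-3-UPDOWN: Interface Ethernet0/0, changed state to up",
]
SAMPLE_ARP = [
    ("172.16.0.1", "aabb.cc00.1000"),    # router itself (constructed)
    ("172.16.0.2", "0050.7966.6800"),    # authorized host from the post
    ("172.16.0.200", "0050.7966.6800"),  # attacker's static IP with the cloned MAC (constructed)
    ("172.16.0.3", "0050.7966.6801"),    # another authorized host (constructed)
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_SYSLOG, SAMPLE_ARP):
        print(finding)
```

With the Restrict action the port stays up, so the only violation ever logged comes from the attacker's real MAC before it was changed; once the authorized MAC is cloned, the frames pass silently and the one-MAC-two-IPs pattern in the ARP table (or in the DHCP snooping binding table) is the remaining evidence. A host that legitimately carries two addresses produces the same pattern, so treat the finding as a reason to look at the port, not as proof.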

DWYOR, I’m not responsible with your action. Please, Do it wisely for pentesting concern only (DO IT LOCALLY)

Uncovering Hidden SSID

Here we go again, still on the attacking side. When you go to public places you will find some Wi-Fi access points, right? Some people decide to hide their SSID for security reasons, and they usually think that just hiding the SSID and leaving it without password encryption is secure enough to keep unauthorized users out. I will show you how to become an unauthorized user in that situation. B)

Let's begin. I have just set up my access point with a hidden SSID. Then I boot up my Kali, get into the system and first check the wireless card; from the information below I've got "wlan0" as my wireless interface.

[screenshot 1 not included]

Then you need to put your wireless interface into monitor mode with the command below; after that, check your interface again to make sure you now have information similar to this. On my device it is called "wlan0mon", but whatever appears with the monitor function is the one to use; by default it is usually "mon0".

[screenshot 2 not included]

Then run this command: "airodump-ng wlan0mon". Then you'll feel like a hax0r in the movies lol :v

From this we can specify which AP to attack. As you can see, we've got the BSSID, channel, encryption type and ESSID of our target AP. There is station information too; from that you can monitor how many people are using your network. To make it more specific you need to run this command; for more, read the manual.

[screenshot 3 not included]

And this is what should appear on your terminal after entering that command. Some of you would ask why I blocked out all the MAC addresses that appear: because I did this in real life, not virtually anymore, and it could be a privacy issue for the people who own those MAC addresses, so sorry for that. But why is nobody connected? Because I haven't connected any device to my AP yet. To see the change and understand the flow, I highly recommend stopping your monitoring for a while, because now we're going to connect :p

[screenshot 4 not included]

Connecting to the test AP with my phone

[screenshot 5 not included]

[screenshot 6 not included]

Then let's look at our terminal again and run the monitor. Tadaaa, that station is my phone.

[screenshot 7 not included]

How can I get the SSID? We need to do something evil here: now we're going to cut off the connection between the AP and my phone. Oh really? Can we do that, even though we're not connected yet? Of course, why not :p

Run this evil command. Once again, to understand how this command works, learn it from the tool's manual, because I'm not going to discuss it here. What I am going to tell you is that this attack is called a deauthentication attack, and it cuts the station off from the AP. This type of attack is very hard to prevent. Why? Find out yourself.

[screenshot 8 not included]

After you launch the deauth attack, you'd better keep monitoring that AP to see the changes, because usually the client will re-authenticate, and that gives us the SSID :p

And this is what happened to my phone: it just got disconnected from my AP, by me, lol.

[screenshot 9 not included]

Meanwhile, back on our monitor, boom, I've got the SSID.

[screenshot 10 not included]

And that's it, now I can connect to that network with SSID Nabil-Abdat. I did this for pentesting only. Don't try this at home or in a public place.
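To show what the deauthentication step looks like from the monitoring side, here is an added Python example (mine, not part of the original post or of the aircrack-ng suite) that parses raw 802.11 management frames, decodes deauthentication frames together with their reason code, and raises an alert when one BSSID sends a burst of them, which is the pattern a wireless IDS keys on. The frames in the sample capture are constructed, with made-up BSSID 00:11:22:33:44:55 and station address 66:77:88:99:aa:bb.

```python
import struct
from collections import defaultdict, deque

MGMT_SUBTYPE_BEACON = 8
MGMT_SUBTYPE_DEAUTH = 12
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def parse_80211(frame: bytes):
    """Parse the fixed 24-byte 802.11 MAC header. Returns None for truncated or
    non-management frames; for deauth frames the 2-byte reason code is decoded too."""
    if len(frame) < 24:
        return None
    fc0 = frame[0]
    ftype = (fc0 >> 2) & 0x3      # 0 = management, 1 = control, 2 = data
    subtype = (fc0 >> 4) & 0xF
    if ftype != 0:
        return None
    info = {
        "subtype": subtype,
        "dst": mac_str(frame[4:10]),      # addr1: receiver
        "src": mac_str(frame[10:16]),     # addr2: transmitter
        "bssid": mac_str(frame[16:22]),   # addr3: BSSID
        "seq": struct.unpack("<H", frame[22:24])[0] >> 4,
    }
    if subtype == MGMT_SUBTYPE_DEAUTH and len(frame) >= 26:
        info["reason"] = struct.unpack("<H", frame[24:26])[0]
    return info


def detect_deauth_flood(capture, window=2.0, threshold=5):
    """capture: list of (timestamp_seconds, raw_frame) in time order. Returns one
    alert per BSSID whose deauth count within any `window` seconds reaches
    `threshold`; a single deauth (a client really leaving) never trips it."""
    recent = defaultdict(deque)
    alerts = {}
    for ts, raw in capture:
        p = parse_80211(raw)
        if not p or p["subtype"] != MGMT_SUBTYPE_DEAUTH:
            continue
        q = recent[p["bssid"]]
        q.append((ts, p["dst"], p.get("reason")))
        while q and ts - q[0][0] > window:
            q.popleft()
        if len(q) >= threshold and p["bssid"] not in alerts:
            alerts[p["bssid"]] = {
                "count": len(q),
                "first_ts": q[0][0],
                "last_ts": ts,
                "broadcast": any(d == BROADCAST for _, d, _ in q),
                "reasons": sorted({r for _, _, r in q if r is not None}),
            }
    return alerts


# --- constructed sample capture (test data only) ---------------------------
def _mac_bytes(s: str) -> bytes:
    return bytes(int(p, 16) for p in s.split(":"))


def _sample_frame(subtype, dst, src, bssid, reason=None, seq=0):
    """Build a minimal management frame header for the sample; the beacon body
    (timestamp, capabilities, SSID element) is omitted since it is not parsed."""
    fc = bytes([subtype << 4, 0x00])          # type 0, version 0, no flags
    hdr = fc + b"\x00\x00" + _mac_bytes(dst) + _mac_bytes(src) + _mac_bytes(bssid)
    hdr += struct.pack("<H", seq << 4)
    return hdr + (struct.pack("<H", reason) if reason is not None else b"")


AP = "00:11:22:33:44:55"       # constructed BSSID
PHONE = "66:77:88:99:aa:bb"    # constructed station
SAMPLE_CAPTURE = (
    [(0.0, _sample_frame(MGMT_SUBTYPE_BEACON, BROADCAST, AP, AP)),
     (0.5, _sample_frame(MGMT_SUBTYPE_DEAUTH, PHONE, AP, AP, reason=3))]  # reason 3: station leaving
    + [(10.0 + i / 10, _sample_frame(MGMT_SUBTYPE_DEAUTH, BROADCAST, AP, AP, reason=7, seq=i))
       for i in range(8)]                                                   # burst within one second
)

if __name__ == "__main__":
    for bssid, alert in detect_deauth_flood(SAMPLE_CAPTURE).items():
        print(bssid, alert)
```

The single deauth with reason code 3 at the start of the capture is a client leaving normally and stays below the threshold; the eight broadcast-addressed frames inside one second trip it. The mitigation that does exist is 802.11w (Protected Management Frames): when the AP requires it, a station discards deauthentication frames that are not cryptographically authenticated, so the re-association that reveals the SSID never happens.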


CDP Flooding

Yo wassup guys, back again with me, and still with Yersinia.

Today I'd like to share something cool (again): flooding a Cisco router. Why Cisco?

CDP is a Cisco proprietary protocol (Cisco only). Why do I care? Cisco uses this protocol to discover other Cisco devices, and that's my explanation in a nutshell. For more, search it yourself.

Okay, this is our lab.

[screenshot 1 not included]

Check your IP with ifconfig, then scan your network address with nmap and keep the scan result, because nmap gives us the MAC address of our target (the Cisco device).

[screenshot 2 not included]

And this is my CDP configuration on R1. I'm going to make it more specific with these commands, and show you the CDP neighbors before the attack is launched.

[screenshot 3 not included]

Because you're the attacker, all you need to do is enter this command in your terminal. And boom, let's see what happens. To understand this command, please check the Yersinia manual.

[screenshot 4 not included]

And yeah, congratulations, now your Cisco router is in trouble: it is getting confused by our DoS attack, and sometimes when you ping the device it won't reply for a while. Now your Cisco router has a lot of neighbors; at least it's not alone anymore :p Welcome to the neighborhood!

[screenshot 5 not included]


DHCP Starvation


Okay, what can we do with Yersinia? I think Yersinia is a powerful tool for Denial of Service (DoS) attacks, especially against Cisco routers, because it offers so many kinds of attack: taking over the HSRP standby, sending VTP updates, becoming the STP root bridge, or even flooding CDP neighbors, so your machine acts like a Cisco device.

So today I'd like to share something cool (I think): "DHCP Starvation". You may find another tutorial (maybe a better one) on another site; this is my way to get it done. Let's see how it goes.

The first thing you need to make sure of is to ONLY do it LOCALLY (on your own DHCP server). I mean DWYOR, I'm not responsible for your actions with this, because "I was raised by ethics". So, have fun.

You can use any pentest OS; here I'm using Kali Linux as my pentest OS.

Check the IP you got from your server with this command.

[screenshot 1 not included]

Then try your luck: ping the first usable IP address in the /28 subnet.

[screenshot 2 not included]

And luckily, the gateway is the first usable IP. What if it's not? Just scan with that command. Is it necessary to scan the network? Absolutely yes. As you can see, what I've got here is just my IP and my gateway, because I'm doing it virtually. And look at the information nmap gives us: yes, the MAC address of my gateway. What should we do now?

[screenshot 3 not included]

Now collect all the information you need to start the attack with Yersinia: source MAC, destination MAC, which interface, and the attack method. For more, read the Yersinia manual yourself. Press enter and have some coffee.

[screenshot 4 not included]

And after the attack your router may be a little bit confused, and as you can see, that's what happens to your router: all the leases are gone to the wrong person, and that is you.
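Both of the Yersinia attacks described here, the CDP neighbor flood from the previous post and this DHCP starvation, look the same from the router's side: one port suddenly produces far more distinct identities than the topology allows. The Python script below is an added example, mine and not part of the original posts or of Yersinia, covering both: it parses the table part of `show cdp neighbors` output (the real IOS layout, including the way an over-long Device ID wraps onto two lines) and flags interfaces with more neighbors than expected, and it watches DHCP DISCOVER messages per ingress port for a burst of distinct client hardware addresses. The CDP output, the neighbor names other than R2, and all the DHCP messages are constructed sample data.

```python
import re
from collections import defaultdict, deque

# One row of the `show cdp neighbors` table: Device ID, local interface in
# "Eth 0/0" style, holdtime. The remaining columns are left unparsed.
CDP_ROW_RE = re.compile(r"^(?P<dev>\S+)\s+(?P<lif>[A-Za-z]+ ?\d[\w/.]*)\s+(?P<hold>\d+)\b")


def parse_cdp_neighbors(text):
    """Return (device_id, local_if, holdtime) tuples from `show cdp neighbors`.
    IOS prints an over-long Device ID on a line of its own and the rest of the
    row on the next line, so a single-token line is joined with the next one."""
    rows, pending, in_table = [], None, False
    for line in text.splitlines():
        if line.startswith("Device ID"):
            in_table = True
            continue
        if not in_table or not line.strip():
            continue
        if pending is not None:
            line, pending = pending + " " + line.strip(), None
        m = CDP_ROW_RE.match(line)
        if m:
            rows.append((m.group("dev"), m.group("lif"), int(m.group("hold"))))
        elif len(line.split()) == 1:
            pending = line.strip()
    return rows


def cdp_neighbors_per_interface(rows):
    """Number of distinct neighbor Device IDs seen on each local interface."""
    per_if = defaultdict(set)
    for dev, lif, _ in rows:
        per_if[lif].add(dev)
    return {lif: len(devs) for lif, devs in per_if.items()}


def flag_cdp_flood(rows, max_expected=1):
    """Interfaces with more CDP neighbors than the topology allows (a
    point-to-point link to one router should show exactly one)."""
    return {lif: n for lif, n in cdp_neighbors_per_interface(rows).items() if n > max_expected}


def dhcp_discover_burst(messages, window=5.0, threshold=10):
    """messages: (ts, ingress_port, msg_type, chaddr, eth_src), sorted by ts.
    Alerts on a port once `threshold` distinct client hardware addresses have
    sent DISCOVER within `window` seconds; also counts DISCOVERs whose chaddr
    does not match the Ethernet source MAC (what DHCP snooping's MAC
    verification would drop). Returns (alerts, mismatch_count)."""
    recent = defaultdict(deque)
    alerts, mismatches = {}, 0
    for ts, port, mtype, chaddr, eth_src in messages:
        if mtype != "DISCOVER":
            continue
        if chaddr.lower() != eth_src.lower():
            mismatches += 1
        q = recent[port]
        q.append((ts, chaddr.lower()))
        while q and ts - q[0][0] > window:
            q.popleft()
        distinct = {c for _, c in q}
        if len(distinct) >= threshold and port not in alerts:
            alerts[port] = {"distinct_clients": len(distinct), "first_ts": q[0][0], "last_ts": ts}
    return alerts, mismatches


# Constructed sample: the real neighbor R2 plus three bogus neighbors on the
# same link, one of them with a long Device ID that IOS wraps onto two lines.
SAMPLE_CDP = """\
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
R2               Eth 0/0           155             R B     Linux Uni Eth 0/0
0A1B2C3D         Eth 0/0           251              R      constructed Eth 0
3F4E5D6C         Eth 0/0           249              R      constructed Eth 0
A-VERY-LONG-DEVICE-ID-THAT-IOS-WRAPS
                 Eth 0/0           247              R      constructed Eth 0
SW1              Eth 0/1           172             S I     Linux Uni Eth 0/2
"""

# Constructed sample: 12 DISCOVERs in under two seconds from fresh MACs on
# Eth0/1, one with a chaddr/source mismatch, and two ordinary clients on Eth0/2.
SAMPLE_DHCP = (
    [(100.0 + i * 0.15, "Eth0/1", "DISCOVER", f"02:00:00:00:00:{i:02x}", f"02:00:00:00:00:{i:02x}")
     for i in range(12)]
    + [(102.0, "Eth0/1", "DISCOVER", "02:00:00:00:00:ff", "02:00:00:00:00:0b"),
       (101.0, "Eth0/2", "REQUEST", "00:50:79:66:68:00", "00:50:79:66:68:00"),
       (103.0, "Eth0/2", "DISCOVER", "00:50:79:66:68:01", "00:50:79:66:68:01")]
)
SAMPLE_DHCP.sort(key=lambda m: m[0])

if __name__ == "__main__":
    rows = parse_cdp_neighbors(SAMPLE_CDP)
    print("CDP neighbors per interface:", cdp_neighbors_per_interface(rows))
    print("interfaces over the expected neighbor count:", flag_cdp_flood(rows))
    alerts, mismatches = dhcp_discover_burst(SAMPLE_DHCP)
    print("DHCP DISCOVER bursts:", alerts, "chaddr/source mismatches:", mismatches)
```

On the router the matching IOS controls are `no cdp enable` on interfaces that face untrusted hosts, and DHCP snooping with `ip dhcp snooping limit rate` on untrusted ports, which caps how many DHCP packets per second a port may send before it is shut down; the per-port thresholds in the script are the same idea applied to captured traffic.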