EIGRP MD5 Authentication

When we talk about authentication, the goal is obviously to secure something, and this time we're going to secure EIGRP routing protocol traffic using MD5.
EIGRP itself only supports MD5 authentication and has no clear-text authentication; MD5 is the more secure option anyway, since it's a one-way function, haha.

However, on IOS 15.0 and later we can use an even more secure EIGRP authentication type, HMAC-SHA, which can only be applied in EIGRP multi-AF, usually called named mode.

Okay, straight to it. Addressing, the standard IDN setup:

[IDN-R1]
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
!
interface Ethernet0/0
 ip address 12.12.12.1 255.255.255.0
!

[IDN-R2]
interface Loopback0
 ip address 2.2.2.2 255.255.255.255
!
interface Ethernet0/0
 ip address 12.12.12.2 255.255.255.0
!

Configure EIGRP

R1

IDN-R1(config-if)#router eigrp 12
IDN-R1(config-router)#network 1.1.1.1 0.0.0.0    
IDN-R1(config-router)#network 12.12.12.0 0.0.0.255
IDN-R1(config-router)#no auto-summary

R2

IDN-R2(config)#router eigrp 12
IDN-R2(config-router)#network 2.2.2.2 0.0.0.0
IDN-R2(config-router)#network 12.12.12.0 0.0.0.255
IDN-R2(config-router)#no auto-summary

Okay, once the adjacency is up, now create the key chain

The rules are like this:
The key chain name can be anything
The key ID must be the same on both sides
Algorithm md5 (optional)
The key-string is our password, so make sure it's the same on both routers

Key chain on R1

IDN-R1(config)#key chain satu
IDN-R1(config-keychain)#key 12
IDN-R1(config-keychain-key)#cryptographic-algorithm md5
IDN-R1(config-keychain-key)#key-string nabeel

Then apply authentication on interface e0/0

IDN-R1(config)#int e0/0
IDN-R1(config-if)#ip authentication mode eigrp 12 md5
IDN-R1(config-if)#ip authentication key-chain eigrp 12 satu

Since R1 now uses authentication while R2 doesn't yet, the adjacency will go down

*Nov 13 01:38:50.421: %DUAL-5-NBRCHANGE: EIGRP-IPv4 12: Neighbor 12.12.12.2 (Ethernet0/0) is down: authentication mode changed

Create the key chain on R2

IDN-R2(config)#key chain dua
IDN-R2(config-keychain)#key 12
IDN-R2(config-keychain-key)#cryptographic-algorithm md5
IDN-R2(config-keychain-key)#key-string nabeel

Apply the key chain on interface e0/0

IDN-R2(config-if)#ip authentication mode eigrp 12 md5
IDN-R2(config-if)#ip authentication key-chain eigrp 12 dua
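Because the rules above (key ID must match, key-string must match, chain name may differ) are exactly the things that get fat-fingered, here is a small added example of my own (not from this post and not Cisco code) that parses the key-chain and interface lines from two routers' configs and reports why they would not form an authenticated adjacency. The config strings are constructed in show-run style from the R1/R2 configuration on this page; the parser only understands the handful of commands used here.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed from the R1/R2 config in this post (show-run style, no CLI prompts).
R1_CONFIG = """
key chain satu
 key 12
  cryptographic-algorithm md5
  key-string nabeel
!
interface Ethernet0/0
 ip address 12.12.12.1 255.255.255.0
 ip authentication mode eigrp 12 md5
 ip authentication key-chain eigrp 12 satu
"""

R2_CONFIG = """
key chain dua
 key 12
  cryptographic-algorithm md5
  key-string nabeel
!
interface Ethernet0/0
 ip address 12.12.12.2 255.255.255.0
 ip authentication mode eigrp 12 md5
 ip authentication key-chain eigrp 12 dua
"""


@dataclass
class RouterAuth:
    """EIGRP authentication settings parsed from one router's config."""
    chains: dict = field(default_factory=dict)  # chain name -> {key id -> {"key-string", "algorithm"}}
    asn: Optional[str] = None        # AS from 'ip authentication mode eigrp <AS> md5'
    mode: Optional[str] = None       # md5
    chain_ref: Optional[str] = None  # chain applied with 'ip authentication key-chain'


def parse_config(text: str) -> RouterAuth:
    """Pick out key-chain definitions and the interface authentication commands."""
    cfg = RouterAuth()
    chain = key = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"^key chain (\S+)$", line):
            chain = cfg.chains.setdefault(m.group(1), {})
        elif (m := re.match(r"^key (\d+)$", line)) and chain is not None:
            key = chain.setdefault(int(m.group(1)), {"key-string": None, "algorithm": None})
        elif (m := re.match(r"^cryptographic-algorithm (\S+)$", line)) and key is not None:
            key["algorithm"] = m.group(1)
        elif (m := re.match(r"^key-string (\S+)$", line)) and key is not None:
            key["key-string"] = m.group(1)
        elif m := re.match(r"^ip authentication mode eigrp (\d+) (\S+)$", line):
            cfg.asn, cfg.mode = m.group(1), m.group(2)
        elif m := re.match(r"^ip authentication key-chain eigrp (\d+) (\S+)$", line):
            cfg.chain_ref = m.group(2)
    return cfg


def check_pair(a: RouterAuth, b: RouterAuth) -> list:
    """Return the reasons two routers will NOT form an authenticated adjacency (empty = fine)."""
    problems = []
    for name, cfg in (("A", a), ("B", b)):
        if cfg.mode is None:
            problems.append(f"{name}: no 'ip authentication mode eigrp' on the interface")
        if cfg.chain_ref is None:
            problems.append(f"{name}: no key chain applied on the interface")
        elif cfg.chain_ref not in cfg.chains:
            problems.append(f"{name}: key chain '{cfg.chain_ref}' is referenced but never defined")
    if problems:
        return problems                      # one side unauthenticated: 'authentication mode changed'
    if a.asn != b.asn:
        problems.append(f"AS mismatch: {a.asn} vs {b.asn}")
    if a.mode != b.mode:
        problems.append(f"mode mismatch: {a.mode} vs {b.mode}")
    ka, kb = a.chains[a.chain_ref], b.chains[b.chain_ref]
    shared = set(ka) & set(kb)               # key IDs present on both sides
    if not shared:
        problems.append("no key id in common (key ids must match)")
    usable = [k for k in shared if ka[k]["key-string"] and ka[k]["key-string"] == kb[k]["key-string"]]
    if shared and not usable:
        problems.append("key-string differs for every shared key id (expect 'Auth failure')")
    return problems


if __name__ == "__main__":
    print(check_pair(parse_config(R1_CONFIG), parse_config(R2_CONFIG)))
    print(check_pair(parse_config(R1_CONFIG), parse_config(R2_CONFIG.replace("nabeel", "handsome"))))
```

The first call returns an empty list (the configs from this post are consistent), the second reports the differing key-string, which is the same situation that produces the "Auth failure" message later in the post.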

A neighbor up message will appear

*Nov 13 01:44:48.382: %DUAL-5-NBRCHANGE: EIGRP-IPv4 12: Neighbor 12.12.12.1 (Ethernet0/0) is up: new adjacency

That means authentication is working and the routers recognize each other again.

Check R1's routing table

IDN-R1(config)#do sh ip route 
      1.0.0.0/32 is subnetted, 1 subnets
C        1.1.1.1 is directly connected, Loopback0
      2.0.0.0/32 is subnetted, 1 subnets
D        2.2.2.2 [90/409600] via 12.12.12.2, 00:00:27, Ethernet0/0
      12.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        12.12.12.0/24 is directly connected, Ethernet0/0
L        12.12.12.1/32 is directly connected, Ethernet0/0

Make sure you can ping end to end

IDN-R1(config)#do ping 2.2.2.2 source lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 6/6/6 ms

But what actually happens inside that authentication?

Here's the Wireshark capture

[Wireshark capture: EIGRP packet with the MD5 digest]

See those random-looking numbers? Well, they're supposed to look random, that's the whole point, lol.
By the way, those numbers are the hash that the two routers exchange, and that hash can't be turned back into clear text; the only way would be brute force, which takes a very long time, so at least it's reasonably safe, haha.

What happens if both sides use MD5 authentication but the key-strings differ? Let's try it!

Change the key-string on R2

IDN-R2(config)#key chain dua
IDN-R2(config-keychain)#key 12
IDN-R2(config-keychain-key)#key-string handsome

You'll get a message like this indicating an auth failure

*Nov 13 01:56:31.433: %DUAL-5-NBRCHANGE: EIGRP-IPv4 12: Neighbor 12.12.12.1 (Ethernet0/0) is down: Auth failure

If you debug it, it looks like this

IDN-R2#debug eigrp packets 
    (UPDATE, REQUEST, QUERY, REPLY, HELLO, UNKNOWN, PROBE, ACK, STUB, SIAQUERY, SIAREPLY)
EIGRP Packet debugging is on
IDN-R2#
*Nov 13 02:56:09.998: EIGRP: pkt key id = 12, authentication mismatch
*Nov 13 02:56:09.998: EIGRP: Et0/0: ignored packet from 12.12.12.1, opcode = 5 (invalid authentication)
*Nov 13 02:56:10.522: EIGRP: Sending HELLO on Et0/0 - paklen 60
*Nov 13 02:56:10.522:   AS 12, Flags 0x0:(NULL), Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0

Auth mismatch, haha. So the key-string has to match (of course it does, it's the password)
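To make the digest seen in Wireshark and the "authentication mismatch" debug output concrete, here is an added example of my own (not from the post and not IOS code) of the sender/receiver keyed-MD5 check. It deliberately simplifies: the digest is MD5 over the packet bytes with the key-string appended, which is the classic keyed-MD5 idea and an assumption here, not EIGRP's exact TLV layout. The key-chain dicts and packet payload are constructed.

```python
import hashlib
import hmac


def md5_auth_digest(packet: bytes, key_string: str) -> bytes:
    """Keyed MD5: hash the packet bytes with the shared secret appended.
    Assumption: classic keyed-MD5 construction; EIGRP's real TLV layout and
    padding are not reproduced here."""
    return hashlib.md5(packet + key_string.encode()).digest()


def build_packet(asn: int, key_id: int, key_string: str, payload: bytes) -> dict:
    """Sender side: what a router puts on the wire (constructed packet model).
    The key ID travels in clear; the key-string never does, only the digest."""
    body = asn.to_bytes(2, "big") + payload        # the authenticated bytes
    return {"asn": asn, "key_id": key_id, "body": body,
            "digest": md5_auth_digest(body, key_string)}


def verify_packet(pkt: dict, key_chain: dict) -> tuple:
    """Receiver side: look up the key ID in the local key chain, recompute, compare.
    Returns (accepted, reason); the reasons mirror the IOS debug lines above."""
    key_string = key_chain.get(pkt["key_id"])
    if key_string is None:
        return False, f"pkt key id = {pkt['key_id']}, no such key in chain"
    expected = md5_auth_digest(pkt["body"], key_string)
    if not hmac.compare_digest(expected, pkt["digest"]):   # constant-time compare
        return False, f"pkt key id = {pkt['key_id']}, authentication mismatch"
    return True, "authenticated"


if __name__ == "__main__":
    hello = build_packet(12, 12, "nabeel", b"HELLO from 12.12.12.1")
    print(hello["digest"].hex())                       # the 'random numbers' seen in Wireshark
    print(verify_packet(hello, {12: "nabeel"}))        # same key-string: accepted
    print(verify_packet(hello, {12: "handsome"}))      # R2 with 'handsome': authentication mismatch
    tampered = dict(hello, body=hello["body"] + b"!")
    print(verify_packet(tampered, {12: "nabeel"}))     # any change to the packet also breaks the digest
```

The last case is the part the post doesn't show: the digest is not only a password check, it also ties the key to the packet contents, so a modified routing update from someone without the key-string is dropped exactly like one sent with the wrong key.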

Okay, that's it for now, happy configuring, guys.

Bypassing Port Security

On Cisco switches there is a feature called port security. How does port security work?
Port security only allows specific MAC addresses that are already known on the switchport; if the MAC doesn't match, frames sent by the host through that switchport are dropped. To really understand this, I strongly recommend learning the OSI layers and TCP/IP first before jumping into this material.

There are 3 port security actions, usually called violation modes: Shutdown, Restrict, and Protect. Here I'll choose Restrict, because we get a notification when a foreign MAC address tries to connect. And why not Shutdown? That's the critical one; find out yourself.

Okay, let's begin. In this post I'm using DracOs Linux as my pentesting equipment. What is DracOs? DracOs is the first pentest Linux distribution in Indonesia, built from LFS. Very light and powerful.

And this is our pentest lab. Remember, port security in this lab is only implemented on IOU2 interface e0/0, with a maximum of 3 MAC addresses: IOU3 e0/0, PC1 e0 and PC2 e0.

[screenshot 1]

The first thing you need to do is bring up your interface. Now let's start thinking about how to get usable information from an authorized user, without an IP address, while we're being blocked by the switchport.

Network scanning? No, you can't, because you don't have an IP address to do that yet. 😛

[screenshot 2]

Okay, here is my config on the e0/0 switchport, and you'll see a violation occur after bringing up your interface. But why? Because my device doesn't match the port-security rules, and every time you bring an interface up it automatically sends out an ARP broadcast looking for friends on the network, but sadly my frames got dropped by portsec. lol.

[screenshot 3]

I set up my router as the DHCP server. The reason I set it up is that I need the ARP and DHCP acknowledgement from an authorized user, and I want to make it like the real world with a /29 prefix.

[screenshot 4]

Okay, now from the client side I request DHCP from PC1 to the server while sniffing my own DracOs interface, looking for an ARP broadcast from an authorized user. And gotcha, now I've got some information here.

[screenshot 5]

As you can see from layer 2, we now have an authorized MAC address, and we know which IP network the authorized user got from the DHCP server. Now what?

[screenshot 6]

Make sure your interface is still up and working, then assign an IP address in the same network as the information above. I'll use a /24 prefix. Why? Because we won't get an IP from the DHCP server, so I'm just making it static with /24, since we don't know what mask the DHCP server uses, and logically a /24 covers it just because it makes sense as a class "C". Can we do that? Absolutely yes.

[screenshot 7]

But just assigning an IP to our interface is not enough; it doesn't mean we can ping the router, because port security matches on layer 2. We need the authorized user's MAC address to bypass this feature, by spoofing it. Change your MAC address to the authorized user's MAC, and congratulations, you've bypassed it, welcome to the network. 🙂

[screenshot 8]

Just look at my ARP table after pinging and scanning my whole network: all I get is 2 hosts up. Do you know why? Because I have the same MAC address as one of the authorized users, the one with IP 172.16.0.2 and MAC 00:50:79:66:68:00, and I'm replacing him. 🙂
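Since port security only matches the source MAC, a cloned MAC looks exactly like the authorized host to the switch; what does change is the MAC-to-IP picture on the segment, which is where a defender can see it. Here is an added detection example of my own (not from the post) that scans ARP observations for a MAC claiming more than one IP, or an IP whose MAC changes. The observation list is constructed; only the 172.16.0.2 host and its MAC come from the post. On the switch side this is also why port security is usually paired with 802.1X, DHCP snooping with IP Source Guard, or Dynamic ARP Inspection, which bind more than just the MAC.

```python
from collections import defaultdict


def normalize_mac(mac: str) -> str:
    """Accept IOS dotted form (0050.7966.6800) or colon form and return aa:bb:cc:dd:ee:ff."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"bad MAC: {mac}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


# Constructed ARP observations (seconds, sender IP, sender MAC). The .2 host and its
# MAC are from the post; the .200 entry models a second station reusing that MAC,
# and the last entry models .3 suddenly answering from a different MAC.
ARP_LOG = [
    (0,   "172.16.0.1",   "aabb.cc00.1000"),
    (1,   "172.16.0.2",   "0050.7966.6800"),
    (2,   "172.16.0.3",   "0050.7966.6801"),
    (60,  "172.16.0.200", "00:50:79:66:68:00"),   # same MAC as .2 with a new IP
    (61,  "172.16.0.2",   "0050.7966.6800"),
    (120, "172.16.0.3",   "0050.7966.6802"),      # .3 changed MAC
]


def mac_ip_anomalies(observations):
    """Return MACs that claimed more than one IP and IPs that were seen with more than one MAC."""
    ips_by_mac = defaultdict(set)
    macs_by_ip = defaultdict(set)
    for _t, ip, mac in observations:
        mac = normalize_mac(mac)
        ips_by_mac[mac].add(ip)
        macs_by_ip[ip].add(mac)
    return {
        "mac_with_multiple_ips": {m: sorted(v) for m, v in ips_by_mac.items() if len(v) > 1},
        "ip_with_multiple_macs": {i: sorted(v) for i, v in macs_by_ip.items() if len(v) > 1},
    }


if __name__ == "__main__":
    for kind, hits in mac_ip_anomalies(ARP_LOG).items():
        for subject, values in hits.items():
            print(f"{kind}: {subject} -> {values}")
```

Run against a real ARP feed (for example the sender fields from a packet capture, or periodic ARP table dumps) the same two checks flag both flavours of the trick: cloning a MAC with a new IP, and taking over an IP with a new MAC.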

[screenshot 9]

DWYOR, I’m not responsible with your action. Please, Do it wisely for pentesting concern only (DO IT LOCALLY)

 

Uncovering Hidden SSID

Here we go again, still on the attacking side. Maybe when you go to some public place you'll find some Wi-Fi access, right? But some people decide to hide their SSID for security reasons, and they usually think that just hiding the SSID and leaving it without password encryption is secure enough to keep unauthorized users out. I'll show you how to be that unauthorized user in that situation. B)

Let's begin. I've just set up my access point with a hidden SSID, then booted up my Kali and logged in. First check your wireless card; from the information below I got "wlan0" as my wireless interface.

[screenshot 1]

Then you need to put your wireless interface into monitor mode with the command below, and afterwards check your interface again to make sure you now see information similar to this. On my device it shows up as "wlan0mon"; whatever name appears with the monitor function, by default it's usually "mon0".

[screenshot 2]

Then run the command "airodump-ng wlan0mon" and you'll feel like a hax0r in the movies lol :v

From this we can pick which AP to attack. As you can see, we've got the BSSID, channel, encryption type and ESSID of our target AP. There's station information too; from that you can monitor how many people are using your network. To make it more specific you need to run this command; for more, read the manual.

[screenshot 3]

This is what should appear in your terminal after entering that command. Some of you will ask why I blacked out all the MAC addresses that appear: because I'm doing this in real life now, not virtually, and a MAC address is the privacy of whoever owns it, so sorry about that. But why is nobody connected? Because I haven't connected any device to my AP yet, and to see the change and understand the flow I highly recommend pausing your monitoring for a while, because now we're going to connect :p

[screenshot 4]

Connecting to the test AP with my phone

[screenshot 5]

[screenshot 6]

Then let's look at our terminal again and run the monitor. Tadaaa, that station is my phone.

[screenshot 7]

How can I get the SSID? We need to do something evil here: now we're going to cut off the connection between the AP and my phone. Oh really? Can we do that even though we're not connected yet? Of course, why not :p

Run this evil command. Once again, to understand how this command works, learn it from the tool's manual, because I'm not going to discuss it here. What I will tell you is that this attack is called a deauthentication attack, and it cuts the station off from the AP. This type of attack is very hard to prevent. Why? Find out yourself.

[screenshot 8]

After you launch the deauth attack you'd better keep monitoring that AP to see the changes, because usually the client will re-authenticate and give us information about that SSID :p

And this is what happened to my phone: it just got disconnected from my AP, by me, lol.

[screenshot 9]

Meanwhile, back at our monitor, boom, I've got the SSID.

[screenshot 10]

And that's it, now I can connect to that network with SSID Nabil-Abdat. I do this for pentesting only. Don't try this in a public place.

DWYOR, I’m not responsible with your action. Please, Do it wisely for pentesting concern only (DO IT LOCALLY)

CDP Flooding

Yo wassup guys, back again with me, and still with Yersinia.

Today I'd like to share something cool (again): flooding a Cisco router. Why Cisco?

CDP is a Cisco proprietary protocol (Cisco only). Why do I care? Cisco uses this protocol to recognize other Cisco devices, and that's my explanation in a nutshell. For more, search it yourself.

Okay, this is our lab

[screenshot 1]

Check your IP with ifconfig, then run an nmap scan against your network address and keep the scan result, because nmap gives us the MAC address of our target (the Cisco device).

[screenshot 2]

This is my CDP configuration on R1; I'll make it more specific with these commands and show you the CDP neighbors before the attack is launched.

[screenshot 3]

Since you're the attacker, all you need to do is enter this command in your terminal. Boom, let's see what happens. To understand this command, check the Yersinia manual.

[screenshot 4]

And yeah, congratulations, now your Cisco router is in trouble; it gets confused by our DoS attack, and sometimes when you try to ping the device it won't reply for a while. Now your Cisco router has a lot of neighbors; at least it's not alone anymore :p Welcome to the neighborhood!

[screenshot 5]

DWYOR, I’m not responsible with your action. Please, Do it wisely for pentesting concern only (DO IT LOCALLY)

DHCP Starvation

Okay, what can we do with Yersinia? I think Yersinia is a powerful tool for Denial of Service (DoS) attacks, especially against Cisco routers, because there are so many kinds of attack: taking over the HSRP standby, VTP updates, becoming the STP root bridge, or even CDP neighbors, so your machine will act like a Cisco device.

So today I'd like to share something cool (I think): "DHCP Starvation". You may find other (maybe better) tutorials on other sites; this is my way of getting it done. Let's see how it goes.

The first thing you need to make sure of is to ONLY do it LOCALLY (your own DHCP server). I mean, DWYOR, I'm not responsible for what you do with this, because "I was raised by ethics". So, have fun.

You can use any pentest OS you like, but I'm using Kali Linux as my pentest OS.

Check the IP you got from your server with this command

[screenshot 1]

Then try your luck: ping the first usable IP address in the /28 subnet

[screenshot 2]

And luckily, the gateway is the first usable IP. What if it's not? Just do the scan with that command. Is it necessary to scan the network? Absolutely yes. As you can see, what I've got here is just my IP and my gateway, because I'm doing it virtually. And look at the information nmap gives us: yes, the MAC address of my gateway. What should we do now?

[screenshot 3]

Now collect all the information you need to start the attack with Yersinia: source MAC, destination MAC, which interface, and the attack method. For more, read the Yersinia manual yourself. Press enter and have some coffee.

[screenshot 4]

And after the attack your router may be a little confused, and as you can see, that's what will happen to your router: all leases have gone to the wrong person, and that's you.

DWYOR, I’m not responsible with your action. Please, Do it wisely for pentesting concern only (DO IT LOCALLY)
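All three flooding scenarios in these posts (the deauth flood against the hidden-SSID AP, the CDP neighbor flood and this DHCP starvation) look the same from the defender's side: one source suddenly produces far more events, or far more distinct identities, than a legitimate port or BSSID ever does. Here is an added example of my own (not from the posts and not Yersinia or aircrack code) of one sliding-window detector applied to all three, over constructed event lists; the window sizes and thresholds are assumptions you would tune per network. On Cisco gear the matching preventive controls are "no cdp enable" on user-facing ports, DHCP snooping with a per-port rate limit ("ip dhcp snooping limit rate") plus port security for starvation, and 802.11w management frame protection on the WLAN for deauth.

```python
from collections import defaultdict, deque


def detect_floods(events, window, max_events=None, max_distinct=None):
    """events: iterable of (time_s, key, identity). A key is flagged the first time that,
    within any `window` seconds, it has more than max_events events or more than
    max_distinct different identities. Returns {key: (time, events, distinct)}."""
    flagged = {}
    recent = defaultdict(deque)
    for t, key, ident in sorted(events):
        q = recent[key]
        q.append((t, ident))
        while q[0][0] < t - window:          # drop events that fell out of the window
            q.popleft()
        n, d = len(q), len({i for _, i in q})
        too_many = max_events is not None and n > max_events
        too_varied = max_distinct is not None and d > max_distinct
        if (too_many or too_varied) and key not in flagged:
            flagged[key] = (t, n, d)
    return flagged


# Constructed samples (not captures from the posts' screenshots).

# CDP: (time, ingress interface, advertised Device ID). Gi0/1 sees its 3 real neighbors;
# Gi0/5 sees 50 made-up device IDs within a second.
CDP_EVENTS = [(0, "Gi0/1", "IDN-R1"), (30, "Gi0/1", "IDN-R2"), (45, "Gi0/1", "SW2")] + \
             [(100 + i * 0.02, "Gi0/5", f"bogus-{i:03d}") for i in range(50)]

# DHCP: (time, switchport, client MAC in DISCOVER). One real client on Fa0/1,
# 40 different client MACs from Fa0/3 within four seconds.
DHCP_EVENTS = [(0, "Fa0/1", "00:50:79:66:68:00")] + \
              [(10 + i * 0.1, "Fa0/3", f"02:00:00:00:{i:02x}:01") for i in range(40)]

# Deauth: (time, BSSID, station). One ordinary disconnect, then 100 deauth frames in a second.
DEAUTH_EVENTS = [(0, "ap-bssid", "phone")] + \
                [(300 + i * 0.01, "ap-bssid", "phone") for i in range(100)]


def cdp_flood_ports():
    """More than 5 distinct CDP device IDs on one port within 60 s is not a real neighborhood."""
    return detect_floods(CDP_EVENTS, window=60, max_distinct=5)


def dhcp_starvation_ports():
    """More than 10 distinct client MACs requesting leases from one port within 5 s."""
    return detect_floods(DHCP_EVENTS, window=5, max_distinct=10)


def deauth_flood_bssids():
    """More than 10 deauthentication frames for one BSSID within 10 s."""
    return detect_floods(DEAUTH_EVENTS, window=10, max_events=10)


if __name__ == "__main__":
    print(cdp_flood_ports())          # only Gi0/5
    print(dhcp_starvation_ports())    # only Fa0/3
    print(deauth_flood_bssids())      # the flooded BSSID
```

The three wrappers differ only in which field is the key and which is the identity: for CDP and DHCP the tell is the number of different identities behind one port, for deauth it is the plain frame rate per BSSID.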