Security

Disclaimer: All tests were conducted in a simulated environment using GNS3 version 2.2.46. The switch image was “Vios_l2-ADVENTERPRISEK9-M - 15.2(20200924:215240)”. The router image was “VIOS-ADVENTERPRISEK9-M - 15.9(3)M6”. The sole purpose was to continue my learning.

To detect security gaps in the design, I simulated being a threat actor attacking the intranet by using Kali Linux version 2024.1. After that, I proceeded to mitigate and remediate the vulnerabilities found.

As an employee connected to the LAN, I used reconnaissance tools to scan the network for relevant information. First, I used Wireshark v4.2.3 to observe the traffic on the link and could identify the protocols in use: STP, VRRP, CDP, DHCP, ARP, and DTP. The attached image shows the information found.

After Wireshark, I used Nmap v7.92 to scan the network segment for devices and found two Cisco routers. The attached image shows the information found.

Using Yersinia to exploit CDP (Cisco Discovery Protocol), I obtained information from the connected switch, which was identified as B-01-SW01 with the management IP address 10.0.11.20, as shown in the following image.

Working with DTP (Dynamic Trunking Protocol) in the same tool, I negotiated a trunk between the Kali virtual machine and the switch. I then analyzed the link with Wireshark to map out the whole network: it displayed 17 VLANs and their respective STP root bridges. By examining the frames closely, I could see that the MAC addresses of the root bridges change between the first and last VLANs. See the image below.

The CDP data showed that VLAN 11 is the management network for the switches. Therefore, I created a virtual interface with VLAN ID 11 on the VM and configured it to obtain an address dynamically, in order to gather information about the IP addressing services. In the captured traffic I found a DHCP server and noted that the routers 10.0.11.253 and 10.0.11.254 act as DHCP relay agents, which shows that the server sits on another network. Finally, I ran Nmap against the DHCP server's IP, 172.22.32.5, but it did not respond because there was no route to it. I then moved to the DNS server to collect more information. A traceroute showed that the last hop IP was similar to the one Wireshark had found for the DHCP server. The following image illustrates this.

I concluded that there might be more devices in that IP range. A subsequent Nmap scan revealed three servers on the segment. The following output shows the information obtained by Nmap.

┌──(kali㉿kali)-[~]
└─$ sudo nmap -sS -sV -O 1.1.2.0/24
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-25 10:26 EDT
Nmap scan report for 1.1.2.1
Host is up (0.072s latency).
All 1000 scanned ports on 1.1.2.1 are in ignored states.
Not shown: 1000 closed tcp ports (reset)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: router|specialized|switch
Running: Cisco IOS 12.X
OS CPE: cpe:/h:cisco:c1812 cpe:/h:cisco:c3640 cpe:/h:cisco:c3700 cpe:/o:cisco:ios:12.4 cpe:/o:cisco:ios:12.1 cpe:/h:cis>
OS details: Cisco 1812, 3640, or 3700 router (IOS 12.4), Cisco DOCSIS cable modem termination server (IOS 12.1), Cisco >

Nmap scan report for 1.1.2.2
Host is up (0.074s latency).
All 1000 scanned ports on 1.1.2.2 are in ignored states.
Not shown: 1000 closed tcp ports (reset)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: router|specialized|switch
Running: Cisco IOS 12.X
OS CPE: cpe:/h:cisco:c1812 cpe:/h:cisco:c3640 cpe:/h:cisco:c3700 cpe:/o:cisco:ios:12.4 cpe:/o:cisco:ios:12.1 cpe:/h:cis>
OS details: Cisco 1812, 3640, or 3700 router (IOS 12.4), Cisco DOCSIS cable modem termination server (IOS 12.1), Cisco >

Nmap scan report for 1.1.2.3
Host is up (0.052s latency).
Not shown: 999 closed tcp ports (reset)
PORT STATE SERVICE VERSION
53/tcp open tcpwrapped
Aggressive OS guesses: Cisco IOS 12.4 or IOS-XE 15.3 (98%), Cisco 860 or 870 router (IOS 12.4) (97%), Cisco 1841 router>
No exact OS matches for host (test conditions non-ideal).

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 256 IP addresses (3 hosts up) scanned in 64.21 seconds

Continuing the inspection, I used the Nmap vuln script category to gather information on known router vulnerabilities. The scan output below shows that the SSH service uses a weak Diffie-Hellman group and that there may be a vulnerability in the HTTP service.

With VLANs 11 and 100 on the trunk, I created a NAT rule in iptables that directs all traffic from VLAN 11 to VLAN 100. Then, I used Ettercap to set up a rogue DHCP server on VLAN 11 with a different IP address and performed a man-in-the-middle (MitM) attack. Both the internal and the external communications of the victim machines pass through the VM, since Kali is now their gateway. If I had used the same IP address as VLAN 11, I would only have seen traffic destined for other networks, because internal communications are resolved at layer 2. Finally, I captured an SSH session in a MitM attack between a client and the main router of that network, B-00-SW01. The following image shows the captured session.
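Added example, not code from the original write-up: a detection check for the rogue DHCP scenario just described and for the relay-agent observation earlier on VLAN 11. It parses a DHCPOFFER and flags an offer whose server identifier, router option or giaddr do not match the legitimate, relayed server 172.22.32.5. The sample packets are constructed; the VRRP gateway 10.0.11.1 and the rogue address 10.0.11.66 are assumptions.

```python
import ipaddress
import struct
# Values from the write-up (DHCP server, relay agents); the VRRP gateway 10.0.11.1 is an assumption.
AUTHORIZED_SERVERS = {"172.22.32.5"}
AUTHORIZED_GATEWAYS = {"10.0.11.1"}
RELAY_AGENTS = {"10.0.11.253", "10.0.11.254"}
BOOTP = "!BBBBIHH4s4s4s4s16s64s128s4s"   # 236-byte BOOTP header plus the 4-byte magic cookie

def ip4(addr):
    return ipaddress.ip_address(addr).packed

def build_offer(server, router, yiaddr, giaddr="0.0.0.0"):
    """Construct a minimal DHCPOFFER (sample data only, not a captured packet)."""
    hdr = struct.pack(BOOTP, 2, 1, 6, 0, 0x3903F326, 0, 0, b"\0" * 4, ip4(yiaddr),
                      b"\0" * 4, ip4(giaddr), b"\x08\x00\x27\xaa\xbb\xcc" + b"\0" * 10,
                      b"\0" * 64, b"\0" * 128, b"\x63\x82\x53\x63")
    # options: 53 message type (2 = OFFER), 54 server identifier, 3 router, 255 end
    return hdr + b"\x35\x01\x02" + b"\x36\x04" + ip4(server) + b"\x03\x04" + ip4(router) + b"\xff"

def parse_dhcp(pkt):
    """Return yiaddr, giaddr and a {code: raw value} map of the DHCP options."""
    f = struct.unpack(BOOTP, pkt[:240])
    if f[14] != b"\x63\x82\x53\x63":
        raise ValueError("not a DHCP packet: bad magic cookie")
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != 255:            # 255 = end option
        if pkt[i] == 0:                                # 0 = pad, carries no length byte
            i += 1
            continue
        code, length = pkt[i], pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return {"yiaddr": str(ipaddress.ip_address(f[8])),
            "giaddr": str(ipaddress.ip_address(f[10])), "options": opts}

def audit_offer(pkt):
    """List why a DHCPOFFER seen on VLAN 11 does not look like the legitimate, relayed one."""
    d = parse_dhcp(pkt)
    if d["options"].get(53) != b"\x02":                # only OFFERs are audited
        return []
    server = str(ipaddress.ip_address(d["options"][54])) if 54 in d["options"] else "none"
    router = str(ipaddress.ip_address(d["options"][3])) if 3 in d["options"] else "none"
    # legitimate OFFERs reach VLAN 11 through a relay agent (giaddr set); 0.0.0.0 means a local server
    checks = [(server in AUTHORIZED_SERVERS, f"unauthorized server identifier {server}"),
              (router in AUTHORIZED_GATEWAYS, f"unexpected default gateway {router}"),
              (d["giaddr"] in RELAY_AGENTS, f"offer not relayed (giaddr {d['giaddr']})")]
    return [msg for ok, msg in checks if not ok]
LEGIT = build_offer("172.22.32.5", "10.0.11.1", "10.0.11.77", giaddr="10.0.11.253")
ROGUE = build_offer("10.0.11.66", "10.0.11.66", "10.0.11.77")   # rogue server naming itself gateway
```

Feeding captured DHCPOFFER payloads (UDP data after the headers) to audit_offer gives an empty list for the relayed server and three findings for a server answering directly on the segment.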

To conclude, intercepting all communications from a device made me realize the importance of cybersecurity. After that, I proceeded to mitigate and remediate the vulnerabilities found. If you want to see all the tests conducted, tools used, and more, click here! For the file containing the SSH session capture, click here!

┌──(kali㉿kali)-[~]
└─$ sudo nmap --script Vuln 10.0.11.1
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-25 05:33 EDT
Nmap scan report for 10.0.11.1
Host is up (0.035s latency).
Not shown: 996 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
23/tcp open telnet
80/tcp open http
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
| http-method-tamper:
| VULNERABLE:
| Authentication bypass by HTTP verb tampering
| State: VULNERABLE (Exploitable)
| This web server contains password protected resources vulnerable to authentication bypass
| vulnerabilities via HTTP verb tampering. This is often found in web servers that only limit access to the
| common HTTP methods and in misconfigured .htaccess files.
|
| Extra information:
|
| URIs suspected to be vulnerable to HTTP verb tampering:
| / [POST]
|
| References:
| http://www.imperva.com/resources/glossary/http_verb_tampering.html
| http://capec.mitre.org/data/definitions/274.html
| http://www.mkit.com.ar/labs/htexploit/
|_ https://www.owasp.org/index.php/Testing_for_HTTP_Methods_and_XST_%28OWASP-CM-008%29
443/tcp open https
|_http-vuln-cve2014-3704: ERROR: Script execution failed (use -d to debug)
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
| ssl-dh-params:
| VULNERABLE:
| Diffie-Hellman Key Exchange Insufficient Group Strength
| State: VULNERABLE
| Transport Layer Security (TLS) services that use Diffie-Hellman groups
| of insufficient strength, especially those using one of a few commonly
| shared groups, may be susceptible to passive eavesdropping attacks.
| Check results:
| WEAK DH GROUP 1
| Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA
| Modulus Type: Safe prime
| Modulus Source: RFC2409/Oakley Group 2
| Modulus Length: 1024
| Generator Length: 8
| Public Key Length: 1024
| References:
|_ https://weakdh.org
| http-method-tamper:
| VULNERABLE:
| Authentication bypass by HTTP verb tampering
| State: VULNERABLE (Exploitable)
| This web server contains password protected resources vulnerable to authentication bypass
| vulnerabilities via HTTP verb tampering. This is often found in web servers that only limit access to the
| common HTTP methods and in misconfigured .htaccess files.
|
| Extra information:
|
| URIs suspected to be vulnerable to HTTP verb tampering:
| / [POST]
|
| References:
| http://www.imperva.com/resources/glossary/http_verb_tampering.html
| http://capec.mitre.org/data/definitions/274.html
| http://www.mkit.com.ar/labs/htexploit/
|_ https://www.owasp.org/index.php/Testing_for_HTTP_Methods_and_XST_%28OWASP-CM-008%29
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-aspnet-debug: ERROR: Script execution failed (use -d to debug)
MAC Address: 00:00:5E:00:01:74 (Icann, Iana Department)

Nmap done: 1 IP address (1 host up) scanned in 390.58 seconds
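Added example, not code from the original write-up: a small Python triage of the scan output above. It parses Nmap's normal output into ports and per-script findings and turns VULNERABLE states, a DH modulus below 2048 bits and cleartext management services (telnet, http) into remediation items. The embedded SCAN is a trimmed excerpt of the page's own output; the 2048-bit threshold is the example's assumption.

```python
import re
# Sample input: a trimmed excerpt of the page's "nmap --script vuln 10.0.11.1" output above.
SCAN = """\
22/tcp open ssh
23/tcp open telnet
80/tcp open http
| http-method-tamper:
| State: VULNERABLE (Exploitable)
443/tcp open https
| ssl-dh-params:
| State: VULNERABLE
| Modulus Length: 1024
|_ https://weakdh.org
|_http-csrf: Couldn't find any CSRF vulnerabilities.
"""
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")
SCRIPT_RE = re.compile(r"^\|_?\s*([a-z0-9]+(?:-[a-z0-9]+)+):")   # NSE script names contain hyphens
CLEARTEXT = {"telnet", "http"}                                   # management protocols without encryption

def parse_scan(text):
    """Return one {port, service, scripts: {name: [lines]}} dict per port line in the report."""
    ports, port, script = [], None, None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            port, script = {"port": int(m[1]), "service": m[4], "scripts": {}}, None
            ports.append(port)
        elif port is not None and line.startswith("|"):
            m = SCRIPT_RE.match(line)
            if m:                                  # header line of a new script's output
                script = m[1]
                port["scripts"][script] = []
            elif script:                           # continuation line of the current script
                port["scripts"][script].append(line.lstrip("|_ ").strip())
    return ports

def triage(text, min_dh_bits=2048):
    """Turn the report into (port, issue, detail) items for the device owner to remediate."""
    items = []
    for p in parse_scan(text):
        if p["service"] in CLEARTEXT:
            items.append((p["port"], "cleartext-management", f"{p['service']} exposed"))
        for name, lines in p["scripts"].items():
            if any(l.startswith("State: VULNERABLE") for l in lines):
                items.append((p["port"], name, "reported VULNERABLE"))
            for l in lines:
                if l.startswith("Modulus Length:") and int(l.split(":")[1]) < min_dh_bits:
                    items.append((p["port"], name, f"DH modulus {int(l.split(':')[1])} bits < {min_dh_bits}"))
    return items
```

Running triage over the full output above yields the same five items, since the extra script banners and reference URLs do not match a script header and are kept as continuation lines.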