Network Security

Security Course Teaching Team

Informatics Engineering Study Program


Department of Informatics Engineering
Contents
5. Local Network Discovery
a. Data Link Protocols Security Assessment
• 802.3 Ethernet
• 802.1Q VLAN
• 802.1X PNAC
b. Local IP Protocols Security Assessment
• Dynamic Host Configuration Protocol (DHCP)
• Internal Routing Protocols
• Local name resolution protocols (LLMNR, NBT-NS, and mDNS)
c. Local Network Attack Countermeasures
Chapter 5

Local Network Discovery


Data Link Protocols Security Assessment
Data Link Protocols
• The IEEE 802.X protocol family is widely used as the underlying physical and data link layer format
 • 802.1: Extensions
 • 802.3: Ethernet
 • 802.11: WiFi
• Alongside the open IEEE protocols, there are also proprietary protocols, e.g. from Cisco
• This section discusses the security assessment of several data link protocols
802.3 Ethernet
• IEEE 802.3 is a set of protocols that define Ethernet-based networks
• Each network adapter is identified by a unique 48-bit MAC address (also used in 802.11 WiFi)
• By default, a network adapter only processes frames destined to it; this MAC filter is removed in promiscuous mode
• Ethernet is susceptible to passive and active attacks:
 • Passive network sniffing
 • ARP cache poisoning
 • CAM table overflow
802.3 Ethernet Vulnerabilities
• Passive network sniffing
• ARP cache poisoning
• CAM table overflow

Passive network sniffing
• Capture the frames/packets received by the network adapter
• Tools: wireshark, tshark, tcpdump
• What can be captured depends on the network devices:
 • A hub broadcasts every frame to all connected hosts
 • A switch directs each frame to the port associated with its destination address and only broadcasts specific frames
 • A WiFi access point always broadcasts frames
ARP Cache Poisoning
• ARP is used within local networks to map IPv4 addresses to underlying MAC addresses
 • An ARP who-has message is broadcast to the network
 • The destination host responds with an ARP is-at reply, providing its MAC and IP addresses
• ARP is vulnerable to poisoning since it is stateless and lacks authentication
• An attacker injects his MAC address into the ARP caches of victim systems
Content Addressable Memory (CAM) Table Overflow
• Ethernet switches use CAM tables to map MAC address and VLAN assignments to individual ports
• An attacker can flood a switch with random frames and packets, resulting in a CAM table overflow
• Unable to map inbound frames to their destinations, the switch will fail-open and broadcast them to all ports (becoming a hub)
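To make the fail-open behaviour concrete, here is an added example (not from the original slides, and not vendor code) of a toy switch model. With no per-port limit, a flood of random source MACs fills the table, a legitimate host's entry ages out and cannot be re-learned, and its traffic is flooded to every port including the attacker's. With a per-port MAC limit (the port-security style mitigation), the flooding port is put into an error-disabled state before the table fills. The capacity, port numbers and MAC addresses are constructed for the example.

```python
# Added example (not from the original slides): a toy CAM table showing
# fail-open flooding versus a per-port MAC limit.

class Switch:
    def __init__(self, cam_capacity, max_macs_per_port=None):
        self.cam_capacity = cam_capacity
        self.max_macs_per_port = max_macs_per_port  # None = no port security
        self.cam = {}             # mac -> port
        self.err_disabled = set()

    def learn(self, src_mac, port):
        """Learn a source MAC on an ingress port: 'learned', 'full' or 'shutdown'."""
        if port in self.err_disabled:
            return "shutdown"
        if src_mac in self.cam:
            return "learned"
        if self.max_macs_per_port is not None:
            on_port = sum(1 for p in self.cam.values() if p == port)
            if on_port >= self.max_macs_per_port:
                self.err_disabled.add(port)   # mitigation: shut the port, do not learn
                return "shutdown"
        if len(self.cam) >= self.cam_capacity:
            return "full"                     # table overflow: nothing learned
        self.cam[src_mac] = port
        return "learned"

    def age_out(self, mac):
        """Normal ageing removes an entry; under a flood it cannot be re-learned."""
        self.cam.pop(mac, None)

    def forward(self, dst_mac, ingress_port, all_ports):
        """Return the egress ports for a frame; unknown destinations are flooded."""
        if dst_mac in self.cam:
            return {self.cam[dst_mac]}
        return set(all_ports) - {ingress_port}   # hub-like behaviour


def simulate_flood(n_random_macs, max_macs_per_port=None):
    """Attacker on port 3 floods random MACs. Returns
    (attacker_sees_A_to_B_traffic, attacker_port_err_disabled)."""
    ports = [1, 2, 3]
    sw = Switch(cam_capacity=4, max_macs_per_port=max_macs_per_port)
    host_a, host_b = "aa:aa:aa:00:00:01", "aa:aa:aa:00:00:02"
    sw.learn(host_a, 1)
    sw.learn(host_b, 2)
    for i in range(n_random_macs):            # constructed random-looking MACs
        sw.learn(f"02:00:00:00:{i >> 8:02x}:{i & 0xff:02x}", 3)
    sw.age_out(host_b)                        # B's entry expires
    sw.learn("02:00:00:00:ff:ff", 3)          # attacker grabs the freed slot
    sw.learn(host_b, 2)                       # B sends again: re-learn only if room
    egress = sw.forward(host_b, ingress_port=1, all_ports=ports)  # A -> B
    return 3 in egress, 3 in sw.err_disabled


if __name__ == "__main__":
    print("no port security:", simulate_flood(10))
    print("max 2 MACs/port: ", simulate_flood(10, max_macs_per_port=2))
```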
802.1Q VLAN
• VLANs are used within enterprises to segment networks and create individual broadcast domains
• Benefit: besides reducing unnecessary broadcast traffic, 802.1Q tagging limits the scope of ARP cache poisoning and other local attacks
• Administrators define arbitrary VLAN ID values (0–4095), which are used to tag Ethernet frames and establish network segments
802.1Q VLAN Vulnerabilities
• Dynamic trunk abuse to compromise VLANs and data (switch spoofing)
• Double-tagging frames to send data to other VLANs
• Layer 3 bypass of private VLAN port isolation
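The tagging described on the previous slide and the double-tagging vulnerability above can both be checked in a capture by decoding the 802.1Q header. The following is an added example (not from the original slides) of a small frame parser: it walks the EtherType field, collects every VLAN ID from stacked 802.1Q (0x8100) or 802.1ad (0x88A8) tags, and classifies the frame as untagged, tagged or double-tagged. The frame builder only constructs test input; the MAC addresses and VLAN IDs are made up for the example.

```python
# Added example (not from the original slides): decode 802.1Q tags from an
# Ethernet frame and flag double-tagged frames.
import struct

TAG_ETHERTYPES = {0x8100, 0x88A8}   # 802.1Q customer tag, 802.1ad service tag


def parse_vlan_tags(frame: bytes):
    """Return (vlan_ids, inner_ethertype); vlan_ids is ordered outer -> inner.
    Raises ValueError on a truncated frame."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    offset = 12                       # skip destination and source MAC
    vlan_ids = []
    while True:
        if len(frame) < offset + 2:
            raise ValueError("truncated EtherType")
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        offset += 2
        if ethertype not in TAG_ETHERTYPES:
            return vlan_ids, ethertype
        if len(frame) < offset + 2:
            raise ValueError("truncated 802.1Q tag")
        (tci,) = struct.unpack_from("!H", frame, offset)   # PCP(3) DEI(1) VID(12)
        offset += 2
        vlan_ids.append(tci & 0x0FFF)


def classify(frame: bytes) -> str:
    """Human-readable classification used by a capture review script."""
    vids, etype = parse_vlan_tags(frame)
    if len(vids) >= 2:
        return f"double-tagged outer={vids[0]} inner={vids[1]} ethertype=0x{etype:04x}"
    if vids:
        return f"tagged vlan={vids[0]} ethertype=0x{etype:04x}"
    return f"untagged ethertype=0x{etype:04x}"


def build_frame(vlan_ids, ethertype=0x0800, payload=b"\x45" + b"\x00" * 19):
    """Constructed test frame (not a capture): broadcast dst, made-up src."""
    hdr = bytes.fromhex("ffffffffffff") + bytes.fromhex("020000000001")
    tags = b"".join(struct.pack("!HH", 0x8100, vid & 0x0FFF) for vid in vlan_ids)
    return hdr + tags + struct.pack("!H", ethertype) + payload


if __name__ == "__main__":
    for vids in ([], [10], [1, 20]):
        print(classify(build_frame(vids)))
```

On an access port a second tag should never be present, so any double-tagged frame arriving from a client port is worth an alert; the outer VLAN ID matching the trunk's native VLAN is the pattern the double-tagging technique relies on.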


Abusing Dynamic Trunking
• In hardened environments, your port will have a static assignment, constraining you to a specific VLAN
• Many switches support the Dynamic Trunking Protocol (DTP) by default
• An attacker can abuse DTP to emulate a switch and receive traffic across all VLANs (trunking on the local port)
Attacking specific VLANs
• Armed with VLAN and IP address values, you can configure virtual
interfaces to attack each network.

• Attack the systems within the VLAN at Layer 2 (e.g., ARP cache
poisoning and MITM), and then Layer 3 (e.g., port scanning and
testing of exposed services)
Local IP Protocols
Local IP Protocols
• Any set of protocols for network discovery and configuration services
over IPv4 and IPv6

• Examples
• Dynamic Host Configuration Protocol (DHCP)
• Preboot Execution Environment (PXE)
• Local name resolution protocols (LLMNR, NBT-NS, and mDNS)
• Web Proxy Auto-Discovery (WPAD)
• Internal routing protocols (e.g., HSRP, VRRP, EIGRP, and OSPF)
• IPv6 network discovery protocols
DHCP
• DHCP is used to auto-configure hosts and provide details including IP address, subnet, and default gateway
• DHCP vulnerabilities
 • Rogue DHCP server
Rogue DHCP server
• An attacker poses as a DHCP server
• It answers with a wrong IP, gateway, or DNS server configuration
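A rogue DHCP server reveals itself in the OFFER it sends: the server identifier (option 54) is not the address of the legitimate server, and the router (option 3) or DNS (option 6) options point elsewhere. The following is an added example (not from the original slides) of a minimal DHCP option parser plus a check against an allowlist of authorised servers. The allowlist, addresses and packets are constructed for the example.

```python
# Added example (not from the original slides): detect DHCPOFFER messages from
# servers that are not on the authorised list.
from ipaddress import IPv4Address

MAGIC_COOKIE = b"\x63\x82\x53\x63"
DHCPOFFER = 2
AUTHORISED_SERVERS = {"192.168.1.1"}   # constructed allowlist of real DHCP servers


def parse_dhcp_options(packet: bytes):
    """Return {option_code: value_bytes} from a BOOTP/DHCP packet."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    options, i = {}, 240
    while i < len(packet):
        code = packet[i]
        if code == 255:               # end option
            break
        if code == 0:                 # pad option
            i += 1
            continue
        if i + 1 >= len(packet):
            raise ValueError("truncated option")
        length = packet[i + 1]
        options[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return options


def check_offer(packet: bytes):
    """Return None for an OFFER from an authorised server, else an alert string."""
    opts = parse_dhcp_options(packet)
    if opts.get(53, b"")[:1] != bytes([DHCPOFFER]):
        return None                   # only OFFERs identify a server
    server = str(IPv4Address(opts[54]))
    if server in AUTHORISED_SERVERS:
        return None
    router = str(IPv4Address(opts[3])) if 3 in opts else "none"
    dns = str(IPv4Address(opts[6][:4])) if 6 in opts else "none"
    return f"rogue DHCP OFFER from {server}: router={router} dns={dns}"


def build_offer(server_ip, router_ip, dns_ip):
    """Constructed DHCPOFFER for testing: header zeroed except op/htype/hlen."""
    header = bytes([2, 1, 6, 0]) + b"\x00" * 232   # BOOTREPLY, Ethernet, hlen 6

    def opt(code, ip):
        return bytes([code, 4]) + IPv4Address(ip).packed

    options = (bytes([53, 1, DHCPOFFER]) + opt(54, server_ip)
               + opt(3, router_ip) + opt(6, dns_ip) + b"\xff")
    return header + MAGIC_COOKIE + options


if __name__ == "__main__":
    print(check_offer(build_offer("192.168.1.1", "192.168.1.1", "192.168.1.1")))
    print(check_offer(build_offer("192.168.1.66", "192.168.1.66", "10.0.0.53")))
```

The same parser can feed a switch-side control: DHCP snooping trusts server messages only on designated ports, which is the network-level form of this allowlist.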
LLMNR, NBT-NS, and mDNS
• Several protocols provide a local name service without a DNS server:
 • Link-Local Multicast Name Resolution (LLMNR)
 • NetBIOS Name Service (NBT-NS)
 • Multicast DNS (mDNS) for Apple and Linux zero-configuration networking
• These protocols are unauthenticated and broadcast messages over UDP; thus, attackers can exploit them to direct users to malicious services
LLMNR/NBT-NS poisoning
• Responder channels clients to rogue services (e.g., SMB) by replying to UDP queries broadcast via port 137 (NBT-NS), 5353 (mDNS), and 5355 (LLMNR)
• Victims authenticate with these services using hashes that can be cracked and replayed
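A poisoner answers every name it hears, whereas a legitimate host only answers for its own name. That difference is the detection signal. The following is an added example (not from the original slides) of a detector that groups observed LLMNR/NBT-NS/mDNS answers by responding host and flags a host that answers more distinct names than any real machine would, or that answers a canary name the defender queried deliberately because it does not exist. The answer log, addresses, names and thresholds are constructed for the example.

```python
# Added example (not from the original slides): detection of LLMNR/NBT-NS/mDNS
# poisoning from observed name-resolution answers.
from collections import defaultdict

# Constructed sample of observed answers as (responder_ip, protocol, name).
# Not a real capture.
SAMPLE_ANSWERS = [
    ("192.168.1.20", "LLMNR", "fileserver01"),    # the real file server
    ("192.168.1.77", "LLMNR", "fileserver01"),    # someone else also answers
    ("192.168.1.77", "NBT-NS", "FILESRV"),
    ("192.168.1.77", "LLMNR", "wpad"),
    ("192.168.1.77", "mDNS", "printer.local"),
    ("192.168.1.77", "LLMNR", "zz-canary-9f3a"),  # a name that does not exist
]

# Names the defender periodically queries on purpose; nothing should answer them.
CANARY_NAMES = {"zz-canary-9f3a"}


def find_poisoners(answers, max_names_per_host=2):
    """Return {responder_ip: [reasons]} for hosts that look like poisoners."""
    names_by_host = defaultdict(set)
    canary_hits = defaultdict(set)
    for ip, proto, name in answers:
        key = name.lower()            # NBT-NS names are upper-case on the wire
        names_by_host[ip].add(key)
        if key in CANARY_NAMES:
            canary_hits[ip].add(key)
    findings = {}
    for ip, names in names_by_host.items():
        reasons = []
        if ip in canary_hits:
            reasons.append("answered canary name")
        if len(names) > max_names_per_host:
            reasons.append(f"answered {len(names)} distinct names")
        if reasons:
            findings[ip] = reasons
    return findings


if __name__ == "__main__":
    for ip, reasons in find_poisoners(SAMPLE_ANSWERS).items():
        print(ip, "->", "; ".join(reasons))
```

The canary check is the more reliable of the two: a single answer for a name that cannot legitimately resolve is enough, while the per-host name count needs tuning for hosts that legitimately carry several names (a file server with aliases, an mDNS printer).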
Internal Routing Protocols
Internal Routing Protocols
• A set of protocols for routing within an internal autonomous system:
 • Routing Information Protocol (RIP)
 • Enhanced Interior Gateway Routing Protocol (EIGRP)
• Common vulnerability: router impersonation

RIP and EIGRP
• RIP and EIGRP use UDP broadcast datagrams
• Authentication is not enabled by default
 • RIPv2 supports MD5 authentication
 • RIPng has no authentication
 • EIGRP can run with or without authentication
• Prone to packet injection to manipulate the routing configuration
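Whether a RIP update is authenticated can be read directly from the datagram: RIPv2 carries authentication as a leading entry whose address family is 0xFFFF, with auth type 2 for a plaintext password and 3 for keyed MD5. The following is an added example (not from the original slides) that classifies captured RIP payloads accordingly, so an auditor can spot routers still sending unauthenticated or plaintext-authenticated updates. The packets are constructed for the example; the route and auth data are made up.

```python
# Added example (not from the original slides): classify the authentication
# used by a RIPv2 datagram payload (UDP port 520 data, IP/UDP headers removed).
import struct

RIP_AUTH_AFI = 0xFFFF
AUTH_TYPES = {2: "simple-password", 3: "keyed-md5"}   # RFC 2453 / RFC 2082
ENTRY_LEN = 20


def rip_auth_status(packet: bytes) -> str:
    """Return 'none', 'simple-password', 'keyed-md5' or 'unknown-N'."""
    if len(packet) < 4:
        raise ValueError("truncated RIP header")
    version = packet[1]
    if version != 2 or len(packet) < 4 + ENTRY_LEN:
        return "none"                 # RIPv1 has no authentication mechanism
    afi, auth_type = struct.unpack_from("!HH", packet, 4)
    if afi == RIP_AUTH_AFI:
        return AUTH_TYPES.get(auth_type, f"unknown-{auth_type}")
    return "none"


def is_weakly_authenticated(packet: bytes) -> bool:
    """Anything other than keyed MD5 is worth flagging in an audit."""
    return rip_auth_status(packet) != "keyed-md5"


def build_rip_response(auth_type=None):
    """Constructed RIPv2 Response with one route and an optional auth entry."""
    header = bytes([2, 2, 0, 0])                         # command=Response, version=2
    entries = b""
    if auth_type is not None:
        entries += struct.pack("!HH", RIP_AUTH_AFI, auth_type) + b"\x00" * 16
    entries += struct.pack("!HH4s4s4sI", 2, 0,           # AFI=IP, route tag 0
                           bytes([10, 0, 0, 0]),         # 10.0.0.0/8 (made up)
                           bytes([255, 0, 0, 0]),
                           bytes(4), 1)                  # next hop 0, metric 1
    return header + entries


if __name__ == "__main__":
    for auth in (None, 2, 3):
        pkt = build_rip_response(auth)
        print(rip_auth_status(pkt), "weak" if is_weakly_authenticated(pkt) else "ok")
```

The classifier only reports what the sender claims; verifying the MD5 digest requires the shared key and is a job for the router itself.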
Local Network Attack Countermeasures
Generic data link attack mitigations
• Set switch ports to access mode and disable dynamic trunking
• Establish VLANs to prevent untrusted users from securing Layer 2
access to sensitive systems, such as servers and workstations used by
IT operations staff
• Disable unused Ethernet ports and place them in a quarantine VLAN
• Always use a dedicated VLAN ID for trunk ports
• Avoid using the default VLAN ID value “1” when possible
• Use private VLAN (port isolation) features when possible, to prevent
client systems from interacting with one another
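The mitigations above map onto a handful of per-port switch settings, so they can be audited mechanically from a running configuration. The following is an added example (not from the original slides, and not a vendor tool) that parses an IOS-style config excerpt and reports ports that still allow dynamic trunk negotiation, trunks left on the default native VLAN 1, access ports without port isolation, and unused ports that are not shut down. The configuration text is constructed for the example; the "unused" check keys off the port description, which is an assumption of this script rather than a switch feature.

```python
# Added example (not from the original slides): audit per-port switch settings
# against the generic data link mitigations.
import re

# Constructed IOS-style running-config excerpt (not from any real device).
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 description user port
 switchport mode access
 switchport access vlan 20
 switchport nonegotiate
 switchport protected
!
interface GigabitEthernet1/0/2
 description unused
 switchport mode dynamic desirable
!
interface GigabitEthernet1/0/24
 description uplink
 switchport mode trunk
 switchport trunk native vlan 1
 switchport nonegotiate
!
"""


def parse_interfaces(config: str):
    """Return {interface_name: [stripped config lines]} per interface block."""
    blocks, current = {}, None
    for line in config.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            current = m.group(1)
            blocks[current] = []
        elif line.startswith(" ") and current:
            blocks[current].append(line.strip())
        else:
            current = None            # "!" or anything else ends the block
    return blocks


def audit_switch_config(config: str):
    """Return {interface_name: [issue strings]} for ports that miss a mitigation."""
    findings = {}
    for name, lines in parse_interfaces(config).items():
        issues = []
        mode = next((l.split()[2] for l in lines if l.startswith("switchport mode ")), None)
        if mode is None or mode == "dynamic":
            issues.append("dynamic trunk negotiation (DTP) possible: set access or trunk mode")
        if "switchport nonegotiate" not in lines:
            issues.append("DTP frames not suppressed: add switchport nonegotiate")
        if mode == "trunk":
            native = next((l.split()[-1] for l in lines
                           if l.startswith("switchport trunk native vlan ")), "1")
            if native == "1":
                issues.append("trunk uses default native VLAN 1: use a dedicated VLAN ID")
        if mode == "access" and "switchport protected" not in lines:
            issues.append("no port isolation: consider switchport protected")
        unused = any(l.startswith("description") and "unused" in l for l in lines)
        if unused and "shutdown" not in lines:
            issues.append("unused port is not shut down / quarantined")
        if issues:
            findings[name] = issues
    return findings


if __name__ == "__main__":
    for port, issues in audit_switch_config(SAMPLE_CONFIG).items():
        print(port)
        for issue in issues:
            print("  -", issue)
```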
Network and application layer countermeasures
• Disable IPv6 if it is not explicitly required, to prevent overlay network attacks
• Disable ICMP redirect support to mitigate against MITM
• Disable multicast name resolution and NetBIOS over TCP/IP in Windows
• Disable mDNS/Bonjour/zero-configuration functionality within Apple OS X and Linux
• Establish ACLs on ports that do not use isolation so that private VLAN attacks (routing traffic via a gateway to an isolated port) are not effective
• Use HSTS within your web applications to mitigate against MITM attacks that downgrade HTTPS to HTTP (e.g., sslstrip)
802.1X client-side attack mitigations
• Always validate the X.509 certificate of the authenticator
• Specify the CN values of valid authenticators (RADIUS servers)
• Fail safe by not prompting the end user on security exceptions


Discussion
References
1. Chris McNab, Network Security Assessment, O'Reilly Media, 2016.