Wow, I wasn't expecting so many people to come today. So hi everyone, my name is Kevin Figueroa. I've been in the computer security industry for seven years now. I've consulted at numerous financial institutions and different media companies. So our talk today is going to be on VLAN and Layer 2 attacks and why they are still relevant today. I'm going to hand it over to my brother right now so he can introduce himself.

Hi, my name is Mark Figueroa. I'm the founder and senior security consultant at MEF Consulting. You can check out my bio on defcon.org. Thanks for coming. So the reason why we chose to do this research was because many small and mid-sized businesses are still using older types of equipment, and also because of misconfigurations. But this slide right here shows that there was a report last year, the CSI/FBI survey report, that showed there were 19 different attacks estimated at $66.9 million. Out of those 19 different attacks, nine could possibly be Layer 2.

So on this slide, this is the type of equipment we used. We used 3600 routers, 2600 routers, 2900 Catalyst switches, a 3505 Catalyst switch, a 4006 Catalyst switch, and some Wi-Fi equipment. I will go through the different types of attacks that we went through. But as for the tools that we used, I'll give a brief rundown of the names of the tools and what they do. Scapy is a packet generating program, a really, really good packet generating program. It has many other functionalities, but we chose to use it for doing packet generation. Yersinia is an attack tool to attack different types of protocols on the network. macof sends randomly generated MACs to different types of switches. We also used tcpdump and Ethereal, aka Wireshark, to do our packet sniffing, and Cain and Abel to capture usernames and passwords. We also used Ettercap in order to do our ARP spoofing.

So on this slide right here is a portion of our little lab. So over here, these are 2600 Cisco routers.
We have 2900 Catalyst switches, and this big one down here is the 4006 Catalyst switch. A lot of this equipment we got, astonishingly, from dumpster diving, and also some loaners that we got from different companies. But I'm going to pass it over to my brother so he can explain exactly how we got all this equipment.

So the first thing: 90% of our equipment was given to us by Fortune 500 companies. When looking for equipment, you want to look from within your company. Make sure you're best friends with your NOC team, your network manager, because they're the ones who usually throw away their equipment. Craigslist is another great way to get equipment. On there, they have a link called curbside, where they advertise that they're going to put equipment like routers, switches, and servers out on the street at a certain time, and you can go over there and just pick it up. Another thing I like about Craigslist is the PIX firewall that I purchased was only $100. And the thing was, I went to the gentleman's house, told him to boot it up, run some configs on it, reboot. If you go to eBay, you view pictures, and then when they send it to you, like I bought a switch, it came to me shattered. So never again. Almost forgot: if you want to see the rest of our lab, you can go to securityresearchlab.name.com. It has all of our equipment, from PIX firewalls to routers to servers, everything.

Are Layer 2 attacks out of date? Some people say no, some people say yes. When my brother came to me with this research, I was like, why are we even looking at Layer 2 attacks? It's about four years old. I don't want to look at this. Let's look for zero days and new vulnerabilities that come out. And he's like, wait, wait one second, man. Just look at the research I presented. And then I see these small and mid-sized companies that are still vulnerable to these attacks.
Well, many of us have heard by now that an attack occurred in the beginning of June against Metasploit.com. An ARP poisoning attack redirected traffic to a known Chinese website, right over here. So when you went to Metasploit.com, it redirected to somewhere.com, which then pointed to the example shown here. And the Adidas slogan says it best: Impossible is nothing. When you are a target, you will be attacked. And that's why we have right here Metasploit.com being a target. The problem is that lately more and more security teams focus on the current threat, and the older styles of attacks are being pushed to the back burner and overlooked. And every month there are new vulnerabilities, as you guys know, that come out from Firefox, Microsoft, everything. So back to the basics, architects. Skillful hackers lie, well, both to machines and to people. Social engineering involves tactics like posing as a company employee. Lying to machines involves lots of different techniques. ARP poisoning is an effective way to intercept, sniff, hijack, and DoS network connections. It is the most effective way of hijacking sessions because it allows the attacker to see incoming and outgoing communication, as you're going to see in later slides. But I wanted to make a point that on this slide, on bullet point three here, H.D. Moore stated that the other 250 servers of the ISP that was hosting them were still vulnerable after Metasploit fixed their issues. So it's one of two things. Either they didn't care about the other 250 servers or they just said those other 250 servers can be attacked. Either way, I wouldn't host my website with them.

So here you see a simple diagram of ARP spoofing. Corporate executives and managers still think that this attack can't happen to them until they're on the front cover of the Wall Street Journal or any other media outlet like SecurityFocus, and then they say, oh, shit, I should have done it.
I should have fixed it. But by then, it's too late. You're already on the unemployment line and you're looking for a new job. Now, you could easily perform this attack with Ettercap. The attacker will spoof server B; when server A sends traffic over to the attacker, the attacker will intercept it and then redirect the traffic back over to server B.

Now, all right, the fun begins: ARP attack demo. Most people could show this easily with Ettercap, but since we're in Las Vegas, the show capital of the world, we're gonna simulate this attack and perform it live. So we need a volunteer from the audience, preferably a girl. Yeah. And especially one that likes money, because that's what we're doing here. We're giving away money. Nobody wants money? Come up. All right, we got a brave soldier. We got a brave one here. It's all right. What's your name? Lisa. Lisa, we have Lisa. All right, so remember that last diagram we did? In the last diagram, she is server B. I am server A. And this gentleman right here is the evil one. He's the attacker. So I have some confidential data, $10, that's it. And I'm gonna transfer it over to her. Here you go. Reach for that. Oh, he just ARP spoofed you. He snatched your tag. Ooh, man, you gonna let him do that? But you know what he's gonna do? He's gonna be nice, because he's gonna redirect and forward the traffic. Forward the traffic and give her $5. All right, so now I'm gonna send the $100 your way. The big money. And this is gonna have all the credit cards from HR, all the information, social security numbers, all the important stuff. So now you can have this. Oh. Oh. Real quick, real quick. Couldn't get it. Couldn't get it. And he's gonna switch the traffic and forward it on to you. Can I have that one? Negative, negative. At the craps table tonight. So give a round of applause. You get some money. Thank you.

So how do we mitigate these risks? Non-changing ARP entries, please don't waste your time.
It's unmanageable and too time-consuming. DHCP snooping, we cover it on some later slides. But arpwatch is an open source software that monitors a network for ARP activity. It generates a log of IP address/MAC address pairings, along with a timestamp of when the pairing was seen on the network. And plus it's free. And if it's free, it's all me.

So switches maintain a list called the CAM table that maps individual MAC addresses on the network to a physical port on the switch. This enables it to only send data out the physical port where the recipient computer is located. In a typical MAC flooding attack, the switch is flooded with packets, each containing a different source MAC address. The intention is to consume the limited memory set aside on the switch to store the MAC addresses in the CAM table. And this is where you see right here, the yellow is the CAM table. Now, the result of the attack causes the switch to go into a state called fail open, in which incoming and outgoing traffic is broadcast to all ports instead of the correct port. And here you see a regular switch sending data from P1 to P2. And on the right-hand side, you see where the attacker sends the traffic on, floods the CAM table, and now when P1 sends data over to P2, the attacker gets it as well. So, I chose macof. Oh, I'm sorry, Kev. We chose macof to flood the switch with random MAC addresses, causing the switch to fail open in repeated mode. This is when you should be running your sniffer. Now, this attack is as easy as opening up a terminal, typing in macof, and then you start flooding the network with those packets. The result of the last slide caused the switch to bleed out, in which all incoming packets are broadcast onto the switch, as with a hub.
Different programs like Wireshark and the one that we used can capture sensitive data from other computers, like unencrypted passwords, emails, and instant messaging conversations, which would not be accessible if the switch was operating normally. Now, the mitigation of MAC flooding and CAM tables is the same as for the ARP attack. So, more advanced switches, such as Nortel or Cisco, give you the opportunity to set up protection against the attack, limiting the MAC addresses to a dedicated port. You can also set up a policy that if the MAC address appears on the network, it shuts it down; the default is to shut down the port, write a log, and email the admin. Now, it's up to the admin to do what he needs to do to mitigate the issue.

Now, the DHCP starvation attack works by broadcasting DHCP requests with spoofed MAC addresses. This is easily achieved with programs like Yersinia or Gobbler. If enough requests are sent, the network attacker can exhaust the address space available to the DHCP servers. Here you see Yersinia broadcast DHCP requests with spoofed MAC addresses to exhaust the DHCP server IP pool. And you could just launch the attack, hit a radio button that comes up, and then you see the requests being sent on the network. It's as easy as point and click. So, here you see the result of the DHCP starvation attack. The Microsoft DHCP server crashes, and the attacker can implement a rogue server and then route all the traffic through the attacker. And this is scary, because if this happens at two o'clock in the morning, you're gonna have to restart this service, and I don't know an admin at two in the morning that's dedicated enough to go on, log in, and restart the service.

So, DHCP demo time. Now, like we said, we're in Vegas and we're not gonna do this on screen. We're gonna make everybody a participant here. So, we're gonna be the DHCP servers. The chips that we got from the Riviera are the IP addresses. So, you guys gotta request them. But I see this guy right here.
I see them requesting. Who's requesting? Okay, hold on, hold on, just request them. Raise your hand. Oh, but I see this guy Maximus over here. Don't worry about that. So, we got this guy Maximus here, this hacker right here. He decides to open up Yersinia, and he's gonna run a DHCP starvation attack. Now, when he raises his hand, the DHCP starvation attack's gonna start occurring. So, raise your hand. So, now, he just ran the attack. There's no more IP addresses. We don't got no more IP addresses here. But, as you can see, my brother's walking on stage, and he is the rogue server. So, he's handing out IP addresses right now. And now, who wants to request more IP addresses? Well, he's supplying them. You ran out? All right. Hurry up, hurry up, we only got 50 minutes, man. All right, so, now, what we're gonna do, everybody who received the chip, the $100 chips we were just giving out. No, the other ones, those are Riviera chips. We just gave out our $100 chips right now. Let me get your money, come up and get your money, seriously. The people that I gave out the chips to, anybody want your real money? Anybody want real money? The first set of chips was real. The $100 chips, come up and get your money. Now, look at how the attack works, right? He's the rogue server. The false gateway is over here, fellas. Yep. So all the chips, that's exactly what happens. The rogue server. DHCP snooping monitors and restricts DHCP requests. And again, if you guys got the capital, make sure you buy better switches and better equipment, pony up the cash.

So, the most obvious risk associated with CDP is information leakage. CDP communicates amongst devices via clear text and unauthenticated. By claiming to be a phone, an attacker can reserve some electrical power, denying other valid devices from receiving power from the switch. Another CDP attack that is still relevant is a vulnerability in Cisco IOS 12.1 and 12.2 in how it handles CDP announcements.
You can consume all the device's available memory by sending large amounts of CDP neighbor announcements to the device. So here, we ran a test. In this attack, we were running Cisco IOS version 12.0 and it was vulnerable to the denial of service attack. While residing on the same network segment as the targeted device, we flooded the device with CDP neighbor announcements to consume all available memory and cause the device to crash. And here, you see the memory allocation over and over, and this is when we ran the attack up here. Now, we had to restart that switch for it to start working again. Now, not much can be said about the CDP attack except turn the shit off. If you don't need it, turn it off. The question arises why CDP is enabled on a network in the first place. IP phones are very popular in today's networks, so CDP is used in order to determine the actual power of the device. I know it uses Skinny as well.

So, STP attack. The idea of the STP attack is to fool a network composed of several switches by forcing all switches to forward packets to the attacker's machine. In order to do this, the attacker must send a BPDU packet advertising the root bridge to the switch where the attacker is connected. Here are some of the attacks that you could run on STP. Now, here you see Yersinia sending a configuration BPDU DoS attack, and also you could use Yersinia to claim the root role, which is up here, this radio button here. Once you run the root attack, Yersinia sends a BPDU every two seconds with the same priority as the current root bridge but with a slightly numerically lower MAC address, which ensures victory in the root bridge election process. STP mitigation: you can disable STP. STP is not needed in a loop-free network. Another thing is you can enable root guard. The root guard feature ensures that the port on which root guard is enabled is a designated port. And here are some of the examples that you could run on a Cisco switch.
So, thanks guys, I'ma turn it over to my brother, Kevin Lascope.

So, the next attack that we're gonna speak about is multicast brute force. Now, once again, I know that newer switches prevent this from happening, but like I said at the beginning of the slides, these attacks were meant for older switches, like 3600s and 2600s. So, the way this attack works is by sending a storm of Layer 2 multicast frames out to the switch. One of the things that we noticed the most once we did this was, of course, a denial of service, but it also leaked other frames into other VLANs. So, one of the ways that we know to combat this is, of course, upgrade your equipment, but due to the fact that the economy is so bad, there isn't a lot of budget for companies to want to go and do these upgrades, so they suffer the consequences. Another thing is to make sure that you put ingress filters on your VLANs to try to prevent leakage going into those other types of VLANs.

The next attack that we tried out was the VLAN Trunking Protocol, VTP. As we know, VTP is a proprietary Cisco protocol, and it was meant to make administrators' lives a hell of a lot easier, but at the same time that it made their lives easier, it made it a lot easier for us hackers to break into their network using this type of attack. As my brother explained, and as you've seen in the earlier slides, Yersinia is a point and click program. My mother's right here in the front; I can easily show her how to run this attack. One of the things that I liked about Yersinia is how I could easily add a VLAN onto a switch by using this type of protocol. Now I know that most of yous are wondering, why is Donald Trump's picture at a hacker conference? Who said that? Come up here, right now! You see, I was going to come out and give you money for that. Nice answer, but because he used me as a bitch, you know, that's totally cool, have a seat, man.
So once again, yeah, if you use this type of protocol and you get attacked using this protocol, chances are your boss is going to come in and say you're fired, you know? But if you do have to use this protocol, make sure that you use MD5 hashes, in combination with a password, so it makes it a bit more difficult for that attack to happen.

So these next three attacks that I'm going to get into are private VLANs, VLAN hopping, and 802.1Q encapsulation tags. Well, private VLANs were made for isolating traffic between different VLANs. Now, if traffic was being sent from one VLAN to another, from switch to switch, and there was a router in the middle, of course that traffic is going to be passed over through Layer 3. So putting that aside for one second, I just want to speak about Scapy. A couple of months ago, a friend of mine introduced me to this program. I really got addicted to this program. And the reason why I got so addicted to this program is because it is so powerful for generating your own types of packets and manipulating your own packets the way you feel. So at the same time, a couple of months ago, as I got introduced to this, I had a client. And I was browsing the internet, I came across this picture, and I was like, wow, this is the way the client is pretty much set up. So down in Lower Manhattan, they had a POP, and in midtown Manhattan, they had their central office. And they had satellite offices throughout the United States. So they asked me to come in and check out configurations, do some pen testing and stuff. So what I did was I jacked a laptop into this switch right here. Of course there's a firewall, but I wasn't going to do any graphics on it. So I jacked into this switch right here and used Wireshark and also tcpdump and Snort. And as I started capturing traffic, I started capturing 802.1Q packets. Now, how many people here use Wireshark?
Okay, so you know if you capture a packet on 802.1Q, you click that little dropdown and it's gonna show you the VLAN ID numbers. So using Scapy, you can start manipulating your packet to do other things. And I'll show you later on in the next slide. So first, in order to mitigate this type of attack, the best thing to do is set up access lists correctly. God knows how many times access lists are misconfigured, and it's very, very important to set those up. So the next piece is the VLAN hopping portion of this. Of course, in order to do VLAN hopping, you would need to know the VLAN ID. And again, using Scapy, you can easily set up Scapy to put 802.1Q headers inside one packet. So going back to that other picture that I showed you, I'll just try to break it down a little bit. This was the switch that I jacked in through. This was me, and I started capturing information about HR, their DMZ, and other different types of departments. So I was really, really curious if this VLAN hopping stuff was gonna work. So I was like, okay, let me go and use Scapy. Lo and behold, I got into HR and a lot of HR information. I was able to view a lot of HR information, a lot of accounting information, and stuff that I should have never been able to see. The way to mitigate this type of stuff is make sure you disable your trunk ports. Auto-trunking, sorry, excuse me. Disable auto-trunking. And also, sorry, I'm getting a little nervous now, I don't know why. Also make sure that any ports that are not used on a switch, disable them. Because if not, say if you have auto-trunking enabled and there's a port that's not being used, they can easily switch that trunk port over to that port not being used, and there goes your miscommunication and misconfiguration, and you can do really bad things to it. So the last piece to this three-part was the double encapsulation. Like I said before, all VLANs carry that VLAN number and VLAN ID.
So most of the information about the VLAN is inside that 802.1Q packet. That also ensures that information going from one VLAN to another isn't dropped or lost and knows the exact direction in which it's going. So right here is a little diagram of me using Scapy; I wanted to put more commands and stuff, but I didn't wanna take up a lot of time. So over here was where I was at. This is a packet, and I decided to put these two 802.1Q packets. So right here was the original VLAN, and this was a VLAN that I spoofed. So as you can see, I sent out this traffic, a packet with two 802.1Q packets. It wound up going over to this switch. The switch strips the first 802.1Q packet, sends it off to the second switch, and the second switch believes that it came from the first switch. So then it let me bypass, and that's how I was able to attack the HR department and stuff. So a good way to ensure that this type of attack doesn't happen is to ensure that native VLANs aren't assigned to any ports. Another way is to force all traffic to carry only one 802.1Q packet.

This last attack is VMPS/VQP. Now I don't know why people still use this. This makes a network really, really easy to go and attack, and the reason why it makes it quite easy is because the information being passed to the VMPS server is over UDP and clear text. So of course, if you're running any sniffer programs and stuff, you're totally able to see the information and launch different types of attacks from here, and one of the ways that VMPS sends over the information is by VQP. So a good way to mitigate this type of attack is take your VQP and make sure it's on an out-of-band basis, or don't use it at all. And if you do have to use it, that means you have the resources and the budget in order to monitor this stuff to prevent different types of attacks from happening.

So last but not least is our conclusion to this.
There are a lot of different ways to go and prevent these types of attacks from happening. But most importantly, and I want all of you to keep in mind, is that I know these attacks date back to 1999 and 2000, but if they date back to those dates, then why are they still happening today? Especially to different ISP companies and things that everyone's seen out in the news. So one of the good ways to go and prevent this, which is really important, is this bullet point right here. Make sure that you take your SNMP community string and make sure that it is like a root password. You want to protect that, because I see that a lot of different types of attacks could happen using this. So in conclusion, I'm going to hand it over to my brother and let him close up with any comments or anything that he wanted to say.

You're going to miss a big announcement about a party, but go ahead, it's all right. It's okay, you'll be back. But we launched a website around two or three weeks ago called the Security Research Lab, and it's basically for the community. It's almost a social networking site only for security, having videos, pictures, or updated content, and it's just for, like, us, man. And I invite everybody to go up, sign up, and the first thousandth person is going to get a real big chunk of money, not this dollar stuff. So that's a prize we're giving out. Another thing on our website, you could definitely take a look at the presentation, updated, and my brother put out, what is it, a 200 page paper? A 105 page paper. We're going to post that up on that website as well, and you could definitely email us at MAF Consultant or K&T with any questions, or we could take this to the breakout room. I'm not too sure, but Kev, do you have any more? Not at all. Does anybody have any questions? Oh by the way, wait, wait, whoa, whoa, whoa, whoa, whoa. Penthouse party tonight. All right, penthouse party.
My boy here, we flew him down from New York, DJ G Boulder Pro. So we have a DJ, we got the DJ equipment, a lot of liquor. I know you have a lot of chicks over there that do. Make sure you invite all your girls, exactly, make sure you invite all of them. Hello? Gentleman, I see your hand raised. You said you had a question? Ha ha ha ha, uh, yeah. Thanks. Listen, the guy that's saying curses is my man; my mother's here, man, calm down with your language. If not, you could wait for me afterwards, you know. Easy, killer. But also pertaining back to the DMZ stuff, yeah, quite easy and stuff. All right. Any other questions? No. See you at the penthouse.