Monday 5 October 2015

DHCP Starvation (DOS Attack - Penetration Testing) - Example Demonstration with Kali


DHCP Starvation is an attack that exhausts a DHCP server's address pool by broadcasting vast numbers of DHCP requests, each with a different spoofed MAC address, in quick succession.



I showed my topology in the snap above. As you can see, I have a router that acts as the DHCP server and a Kali Linux 2.0 machine connected to the same network. The same steps can be followed against a Windows or a Linux DHCP server as well. This is how my router's DHCP binding table looks before the attempt,

Router (Before Attack)

R1#sh ip dhcp binding 
Bindings from all pools not associated with VRF:
IP address          Client-ID/              Lease expiration        Type
                    Hardware address/
                    User name
R1#

I used the yersinia tool to perform the attack; yersinia comes built into Kali. Open a terminal, type 'yersinia -G' and press enter.



Click on 'Launch Attack'. Select the 'DHCP' tab, check the second box, 'sending DISCOVER packet', and press OK. Within seconds, hundreds of DHCP requests will be sent; the router will be busy handling all of our requests and won't be able to hand out IP addresses to genuine users. The logs below were taken after the attack,

Router (After Attack)

R1#sh ip dhcp binding 
% The DHCP database could not be locked. Please retry the command later.
R1#
The router couldn't respond; I took the output below after 10 minutes.

R1#sh ip dhcp binding 
Bindings from all pools not associated with VRF:
IP address          Client-ID/              Lease expiration        Type
                    Hardware address/
                    User name
120.0.0.4           3669.9348.85d1          Mar 01 2002 12:20 AM    Automatic
120.0.0.5           7add.b556.f179          Mar 01 2002 12:20 AM    Automatic
120.0.0.6           347b.0c74.8013          Mar 01 2002 12:20 AM    Automatic
120.0.0.7           f976.c10d.205f          Mar 01 2002 12:20 AM    Automatic
120.0.0.8           b2de.b66b.5b30          Mar 01 2002 12:20 AM    Automatic
120.0.0.9           32cd.4b14.c1f7          Mar 01 2002 12:20 AM    Automatic
120.0.0.10          d0fd.bd17.a548          Mar 01 2002 12:20 AM    Automatic
120.0.0.11          e4be.180a.3fbd          Mar 01 2002 12:20 AM    Automatic
120.0.0.12          559b.e206.ffd0          Mar 01 2002 12:20 AM    Automatic
120.0.0.13          4e64.0231.a81d          Mar 01 2002 12:20 AM    Automatic
120.0.0.14          ac61.c36b.8931          Mar 01 2002 12:21 AM    Automatic
120.0.0.15          763d.5c2f.0d07          Mar 01 2002 12:21 AM    Automatic
120.0.0.16          d738.1831.3ffa          Mar 01 2002 12:21 AM    Automatic
120.0.0.17          0f64.dc31.3bfd          Mar 01 2002 12:21 AM    Automatic
120.0.0.18          beae.bf51.f15b          Mar 01 2002 12:21 AM    Automatic
120.0.0.19          b511.3b23.4732          Mar 01 2002 12:21 AM    Automatic
120.0.0.20          e682.902a.2069          Mar 01 2002 12:21 AM    Automatic
120.0.0.21          d253.6658.b71c          Mar 01 2002 12:21 AM    Automatic
120.0.0.22          11ed.8f0f.f330          Mar 01 2002 12:21 AM    Automatic
 --More-- 

As you can see, all the IPs are assigned to Kali's forged DHCP requests. To stop the attack, click on 'List attacks' and cancel all attacks.

Mitigation

To secure our network from this attack, we have two options.

1) DHCP Snooping
2) Port Security

Cisco IOS Mitigation

To enable DHCP Snooping on a Cisco IOS switch, follow these steps:

switch(config)# ip dhcp snooping
!Enables DHCP Snooping globally!
switch(config)# ip dhcp snooping vlan <vlan_id> {,<vlan_id>}
!Enables DHCP Snooping for Specific VLANs!
switch(config-if)# ip dhcp snooping trust
!Sets the interface to trusted state; can then pass DHCP replies!
switch(config-if)# ip dhcp snooping limit rate <rate>
!Sets rate limit for DHCP Snooping!
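A defender who cannot yet enable snooping can at least spot a starved pool from the binding table itself. The following is an added example (not part of the original post or of any Cisco tooling): it parses the 'show ip dhcp binding' layout shown above and flags a pool that is near full and was drained in a burst. The sample table, the pool size of 8 and the burst threshold of 4 are constructed assumptions.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the layout of IOS "show ip dhcp binding" (not a
# capture from the post's router); six leases, four of them granted in the
# same minute, which is the signature a starvation burst leaves behind.
SAMPLE_BINDINGS = """\
R1#sh ip dhcp binding
Bindings from all pools not associated with VRF:
IP address          Client-ID/              Lease expiration        Type
                    Hardware address/
                    User name
120.0.0.4           3669.9348.85d1          Mar 01 2002 12:20 AM    Automatic
120.0.0.5           7add.b556.f179          Mar 01 2002 12:20 AM    Automatic
120.0.0.6           347b.0c74.8013          Mar 01 2002 12:20 AM    Automatic
120.0.0.7           f976.c10d.205f          Mar 01 2002 12:20 AM    Automatic
120.0.0.8           b2de.b66b.5b30          Mar 01 2002 12:21 AM    Automatic
120.0.0.9           32cd.4b14.c1f7          Mar 01 2002 12:21 AM    Automatic
 --More--
"""

# One data row: IP, dotted-hex hardware address, expiry timestamp, lease type.
BINDING_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+"
    r"(?P<exp>[A-Z][a-z]{2} \d{2} \d{4} \d{1,2}:\d{2} [AP]M)\s+"
    r"(?P<type>\w+)\s*$"
)

def parse_bindings(text):
    """Return one dict per lease row; prompt, headers and --More-- are skipped."""
    leases = []
    for line in text.splitlines():
        m = BINDING_RE.match(line)
        if m:
            leases.append({
                "ip": m["ip"],
                "mac": m["mac"],
                "expires": datetime.strptime(m["exp"], "%b %d %Y %I:%M %p"),
                "type": m["type"],
            })
    return leases

def starvation_indicators(leases, pool_size, burst_threshold):
    """Summarise pool pressure. With a fixed lease length, leases that expire in
    the same minute were granted in the same minute, so a large group of equal
    expiries means the pool was drained in a burst rather than by normal use."""
    per_minute = Counter(lease["expires"] for lease in leases)
    biggest = max(per_minute.values(), default=0)
    return {
        "leases": len(leases),
        "pool_utilisation": round(len(leases) / pool_size, 2),
        "max_leases_in_one_minute": biggest,
        "burst_suspected": biggest >= burst_threshold,
    }

def check_sample():
    # pool_size and burst_threshold are assumed values for the sample pool.
    return starvation_indicators(parse_bindings(SAMPLE_BINDINGS),
                                 pool_size=8, burst_threshold=4)
```

The same parser works on a full table pasted from a terminal; a pool at high utilisation whose leases cluster in one or two minutes is worth correlating with the switch port counters that snooping's rate limit would otherwise protect.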

To know more about DHCP snooping, visit http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/snoodhcp.html

Cisco CatOS Mitigation

To mitigate DHCP Starvation attacks with port security on CatOS, use the following:

set port security 5/1 enable
set port security 5/1 port max 1
set port security 5/1 violation restrict
set port security 5/1 age 2
set port security 5/1 timer-type inactivity


Kali 2.0 Post Installation Tips | Kali - GNS3 - Xming | Virtual Ethical hacking Setup


Last month I posted how to install Kali on VMware Workstation; this is the third post in my Kali Linux tutorial series. In this post I will discuss the recommended post-installation tips. Below are the tips covered in this post,

Installing Vmware tools on Kali 2.0

To install VMware tools, open a terminal and run the commands below one by one; make sure that you have an internet connection.

apt-get update
apt-get install -y linux-headers-$(uname -r)
apt-get install open-vm-toolbox

Once you have executed the above commands, reboot your Kali machine.

Resolving apt-get repository issues

If for some reason you chose “no” when asked “use a network mirror” during your Kali installation, you may be missing some entries in your /etc/apt/sources.list file.

If that's the case, add the four lines below to your sources.list file,

deb http://http.kali.org/kali sana main non-free contrib
deb http://security.kali.org/kali-security sana/updates main contrib non-free
deb-src http://http.kali.org/kali sana main non-free contrib
deb-src http://security.kali.org/kali-security sana/updates main contrib non-free

This will solve your problem with the repositories.

Checking for latest updates

Execute the commands below to update your Kali Linux.

apt-get update
apt-get dist-upgrade

Network settings in Kali

You can use the ifconfig command to set the IP address and gateway for your Kali, but these settings will not survive a reboot. If you want permanent network settings, you have to edit the '/etc/network/interfaces' file. Here is a sample,

allow-hotplug eth0
iface eth0 inet static
    address 1.1.1.1
    netmask 255.0.0.0
    network 1.0.0.0
    gateway 1.1.1.2
    dns-nameservers 1.1.1.3

Enabling SSH 

To enable SSH on your Kali, you have to edit the '/etc/ssh/sshd_config' file. Add a ListenAddress line, making sure to remove the # at the beginning,

ListenAddress 1.1.1.1

Also comment out the line below by adding a # in front of it,

#PermitRootLogin without-password

Start the SSH service and enable it at boot with the commands below,

/etc/init.d/ssh start
update-rc.d -f ssh defaults

To Unmute Audio

apt-get install alsa-utils -y

Kali with GNS3 - Simulate network Attacks

I am a network engineer and I like playing with networking. I already have GNS3 installed on my machine, and by integrating GNS3 with Kali Linux I can simulate various network attacks. I recommend that you install GNS3 as well. Once you have GNS3 installed, connect your router to the VMware adapter of your Kali VM.



Make sure that your router and Kali can ping each other. You can refer to the snapshots below to get an idea.

Xming

Xming is an X server for Windows that lets you display X programs from a PuTTY session. You can download Xming from http://sourceforge.net/projects/xming/. For example, if you want to run a graphical program over an SSH session, you can use this. I highly recommend installing this as well. Once you have installed Xming on your Windows machine, change the PuTTY settings so that it enables X11 forwarding to your Xming application.


Ethical Hacking - Cisco HSRP with Kali linux - Example Demonstration and Security precautions


The Hot Standby Router Protocol (HSRP) is a way to build redundancy into your network by allowing two or more routers to continuously test each other for connectivity and take over if a router fails. As multiple routers can participate in the HSRP group, there has to be an election to determine which one is the primary router.

This HSRP election is based on a priority value (0 to 255) that is configured on each router in the group. By default, the priority is 100. The router with the highest priority value (255 is highest) becomes the active router for the group. If all router priorities are equal or set to the default value, the router with the highest IP address on the HSRP interface becomes the active router.
In this post, we are going to make our Kali machine an HSRP participant and have it become the active router by giving it the highest priority. The Yersinia tool (built into Kali) lets us perform this test with ease. For more information on HSRP, please refer to RFC 2281.

Yersinia

Yersinia is a layer 2 attack toolkit designed to take advantage of weaknesses in various network protocols. One of these protocols is HSRP; with yersinia you can perform the following attacks in an HSRP environment.

<0> NONDOS attack sending raw HSRP packet
<1> NONDOS attack becoming ACTIVE router
<2> NONDOS attack becoming ACTIVE router (MITM)

These options are self-explanatory. We are going with option <1>, becoming the ACTIVE router, in this post.

Hacking HSRP with Kali (or) Backtrack

As illustrated in the snap below, I have created a simple GNS3 topology with 2 HSRP-enabled routers and a Kali Linux machine connected to the same network.

Below are some of the outputs taken from the routers. As you can see, R1 is acting as the HSRP active router with a priority value of 110 and R2 is the standby router.

Router 1: (Before Attempt)

R1#sh standby br
                     P indicates configured to preempt.
                     |
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Fa0/0       1    110 P Active  local           120.0.0.12      120.0.0.13
R1#sh standby fastEthernet 0/0
FastEthernet0/0 - Group 1
  State is Active
    2 state changes, last state change 00:07:31
  Virtual IP address is 120.0.0.13
  Active virtual MAC address is 0000.0c07.ac01
    Local virtual MAC address is 0000.0c07.ac01 (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 1.300 secs
  Preemption enabled
  Active router is local
  Standby router is 120.0.0.12, priority 100 (expires in 7.452 sec)
  Priority 110 (configured 110)
  Group name is "hsrp-Fa0/0-1" (default)

Router 2: (Before Attempt)

R2#sh standby br
                     P indicates configured to preempt.
                     |
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Fa0/0       1    100   Standby 120.0.0.11      local           120.0.0.13
R2#sh stand fa0/0
FastEthernet0/0 - Group 1
  State is Standby
    1 state change, last state change 00:07:09
  Virtual IP address is 120.0.0.13
  Active virtual MAC address is 0000.0c07.ac01
    Local virtual MAC address is 0000.0c07.ac01 (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 2.096 secs
  Preemption disabled
  Active router is 120.0.0.11, priority 110 (expires in 9.960 sec)
  Standby router is local
  Priority 100 (default 100)
  Group name is "hsrp-Fa0/0-1" (default)

Let's begin,

Open a terminal window in your Kali machine. Type the command below and press enter,

yersinia -G

This opens the yersinia tool in a graphical window; the same task can also be performed using the interactive text-based interface (yersinia -I). In this particular post, we'll go with -G.


Click on 'Launch Attack' and select the HSRP tab.

Note: If you have multiple network adapters in your Kali box, check which interface is selected by default (click on Edit Interfaces).

As already mentioned, this gives us three options; we'll go with the second one. Check the second option (becoming ACTIVE router) and press OK. A window will appear where you can enter an IP; press OK. This doesn't have to be on the same subnet. You can enter any.


That's it. Within seconds you'll see your routers become standby; your Kali will take over and become the blackhole in your network.

Below are some of the logs taken after the attack,

Router 1 (After):

R1#
*Mar  1 00:12:43.567: %HSRP-5-STATECHANGE: FastEthernet0/0 Grp 1 state Speak -> Standby
R1#sh standby br              
                     P indicates configured to preempt.
                     |
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Fa0/0       1    110 P Standby 1.1.1.1         local           120.0.0.13

Router 2 (After):

R2#
*Mar  1 00:12:33.587: %HSRP-5-STATECHANGE: FastEthernet0/0 Grp 1 state Standby -> Listen
R2#sh standby br    
                     P indicates configured to preempt.
                     |
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Fa0/0       1    100   Listen  1.1.1.1         120.0.0.11      120.0.0.13

Mitigation:

You have two options to prevent this kind of attack,

1) Use an ACL to drop HSRP messages from unknown IPs
2) Use HSRP Authentication

To enable HSRP authentication with an MD5 key chain, enter the following configuration:

(config)# key chain <NAME>
(config-keychain)# key <ID_number>
(config-keychain-key)# key-string <passphrase>
(config-if)# standby 1 authentication md5 key-chain <NAME>

This has to be configured on all HSRP participants. Now, when the attacker performs this attack, you'll see the log below on your routers.

%HSRP-4-BADAUTH: Bad authentication from 192.168.0.22, group 1, remote state Active

Access Control Lists (ACLs) are also recommended to mitigate these attacks. By only allowing certain IP addresses to send to 224.0.0.2 or 224.0.0.12, it becomes much harder for the attacker to pull off a successful strike. To enable an ACL that sets up these restrictions, use the following:

(config)# access-list 101 permit udp host <ip> host 224.0.0.2 eq 1985
(config)# access-list 101 deny udp any any eq 1985
(config)# access-list 101 permit ip any any
(config)# interface <interface>
(config-if)# ip access-group 101 in

Note: Replace <ip> with a valid host IP address. Add one such permit line for each router that participates in the HSRP process; the access-list entries are global configuration commands, so define them before applying the list to the interface.
Note: 1985 is the UDP port number that HSRP runs on.
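Both mitigations above rest on the same observation: a legitimate hello comes from a known peer, with a priority no higher than the one you configured, for the group's own virtual IP. The following is an added example (not from the original post and not yersinia's code) that decodes HSRPv1 packets per RFC 2281 and checks them against such a policy, the kind of check an IDS rule or a capture-review script would apply. The policy values mirror the lab above; the rogue hello from 1.1.1.1 with priority 255 is a constructed sample, not a capture of what the tool sent.

```python
import ipaddress
import struct

# HSRPv1 layout from RFC 2281: version, opcode, state, hello time, hold time,
# priority, group, reserved, 8-byte auth data, 4-byte virtual IP (20 bytes).
HSRP_V1 = struct.Struct("!BBBBBBBB8s4s")
OPCODES = {0: "Hello", 1: "Coup", 2: "Resign"}
STATES = {0: "Initial", 1: "Learn", 2: "Listen", 4: "Speak", 8: "Standby", 16: "Active"}

def parse_hsrp_v1(payload):
    """Decode the UDP/1985 payload of one HSRPv1 packet into a dict."""
    if len(payload) < HSRP_V1.size:
        raise ValueError("payload too short for HSRPv1")
    ver, op, state, hello, hold, prio, group, _, auth, vip = HSRP_V1.unpack(payload[:HSRP_V1.size])
    if ver != 0:
        raise ValueError("version byte %d is not HSRPv1" % ver)
    return {
        "opcode": OPCODES.get(op, "Unknown"),
        "state": STATES.get(state, "Unknown"),
        "hello_time": hello, "hold_time": hold,
        "priority": prio, "group": group,
        "auth": auth.rstrip(b"\x00").decode("ascii", "replace"),
        "virtual_ip": str(ipaddress.IPv4Address(vip)),
    }

def build_hsrp_v1(op, state, priority, group, vip, auth=b"cisco", hello=3, hold=10):
    """Encode an HSRPv1 payload; used here only to construct the samples below."""
    return HSRP_V1.pack(0, op, state, hello, hold, priority, group, 0,
                        auth.ljust(8, b"\x00"), ipaddress.IPv4Address(vip).packed)

def check_hsrp_packet(src_ip, payload, policy):
    """Return the reasons a packet is suspicious ([] if it fits the policy).
    policy keys: group, peers (set of router IPs), max_priority, virtual_ip."""
    pkt = parse_hsrp_v1(payload)
    if pkt["group"] != policy["group"]:
        return ["unexpected group %d" % pkt["group"]]
    reasons = []
    if src_ip not in policy["peers"]:
        reasons.append("source %s is not a configured HSRP peer" % src_ip)
    if pkt["priority"] > policy["max_priority"]:
        reasons.append("priority %d exceeds the highest configured priority %d"
                       % (pkt["priority"], policy["max_priority"]))
    if pkt["virtual_ip"] != policy["virtual_ip"]:
        reasons.append("virtual IP %s is not %s" % (pkt["virtual_ip"], policy["virtual_ip"]))
    return reasons

# Policy mirrors the lab above (R1 120.0.0.11 priority 110, R2 120.0.0.12,
# virtual IP 120.0.0.13, group 1). Both packets are constructed samples.
POLICY = {"group": 1, "peers": {"120.0.0.11", "120.0.0.12"},
          "max_priority": 110, "virtual_ip": "120.0.0.13"}
LEGIT_HELLO = build_hsrp_v1(0, 16, 110, 1, "120.0.0.13")   # Hello, Active, prio 110
ROGUE_HELLO = build_hsrp_v1(0, 16, 255, 1, "120.0.0.13")   # Hello, Active, prio 255

def check_samples():
    return {"legit": check_hsrp_packet("120.0.0.11", LEGIT_HELLO, POLICY),
            "rogue": check_hsrp_packet("1.1.1.1", ROGUE_HELLO, POLICY)}
```

Note that the plaintext auth field decodes to the well-known default 'cisco' for both packets, which is why the MD5 key chain above is the meaningful control: the ACL blocks unknown sources, the key chain makes a forged hello fail %HSRP-4-BADAUTH even if it arrives from a permitted address.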

I hope this post is helpful; let me know if you have any queries through the comments section.

Monday 24 August 2015

How to install Regional languages in Windows 10 - Tamil | Hindi


This post will show you how to install Tamil, or any other regional language you use, on your Windows 10 machine. In Windows 7, I was able to view Tamil fonts in Chrome, IE and other built-in apps. But after upgrading to Windows 10, I could not view Tamil fonts in any of my apps. I did a little searching, found a fix, and I am going to share it with my fellow Tamil folks!

Before I start, let me tell you why it's not working in Windows 10. Windows 7 had some Tamil fonts such as Latha and Vijaya pre-installed by default. In Windows 10, these fonts have been moved to a pack called "Supplemental Tamil Fonts", which is marked as an optional feature. So enabling this optional feature brings our language back.

Follow the instructions below to enable Tamil letters on Windows 10,

Click the Start button.
Click Settings.

In Settings, click Time & language.


Click Region & language.


All the languages for your region will be listed. If Tamil is not included in your languages, click the "+" icon next to Add a language.

Scroll to find Tamil, then click on it to add it to your language list.

That's it! You should be able to read your Tamil articles. :)



[Fix] Your Installation CD-ROM couldn’t be mounted | Kali Installation Error


Kali Linux 2.0 is a penetration testing distro from the Kali team. Earlier I posted two articles on how to install Kali (Sana) using both the GUI (Live CD) and the traditional method. Later I tried to install Kali from USB and received this error during the installation process: "Your Installation CD-ROM couldn’t be mounted. This is probably means that the CD-ROM was not in the drive. If so you can insert and try it again." I googled and found that it is a known bug and can be resolved easily. To know more about this bug, check https://bugs.kali.org/view.php?id=1260.



Sunday 23 August 2015

How to upgrade Cisco CUCM - Step by Step guide


In my last post, I showed how to install CUCM 8.x on VMware. After the successful installation of 8.0.2, I planned to migrate my 8.0.2 CUCM to 9.1.2 and recorded the steps involved in the upgrade. This post will help you understand how to migrate CUCM from version 8.0.2 to 9.1.2. Before we proceed with the migration process, I want you to record your IPT configuration and CUCM server settings. This will help you verify the settings after the CUCM upgrade. So, make a note of the following information.

• IP addresses, hostnames, gateways, domain names, DNS servers, NTP servers, and SMTP information
• Administrator, cluster security, and Certificate Trust List (CTL) security token passwords
• Server versions and time zones
• All services running on each server and the associated activation status
• Call Detail Record server configuration and any additional information
• LDAP information and access details
• SNMP information

In addition to the above, you must determine the registration counts by using the RTMT or the Unified Communications Manager device count summary. For each node, record the number of each device type that is displayed. For example, record the number of each type of registered IP phone, gateway, and each FXS, FXO, T1CAS, PRI, MOH, MTP, CFB, or XCODE device resource.

CUCM Upgrade Recommendations

If you have Cisco support for your Unified setup, make sure that you consult with the Cisco TAC team before proceeding with the migration process.

Before migrating your production environment, try to emulate the upgrade setup in a lab to avoid last-minute issues.

Perform a Disaster Recovery System (DRS) backup of your entire cluster before each upgrade. Upgrading without a current backup can result in lost data, lost node configuration, or disruption to services if there are complications during the upgrade process.

Determine whether the versions of the devices and applications in use in your organization (such as endpoints, gateways, voicemail, presence, or other applications) are supported by Unified Communications Manager Release 9.1(x). You can refer to the link below to find out more about compatible devices. http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/uc_system/unified/communications/system/versions/IPTMtrix.html

Pre-Upgradation Procedures

Follow the steps below to reduce the downtime during the upgrade process.

To shorten the upgrade time, delete or purge Call Detail Records (CDRs) or log files that you no longer need.

Use the Cisco Unified Communications Manager License Count Utility to generate a license report and save it in CSV format. To download the utility and its documentation, see http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/upgrade/uct/CUCM_BK_UCT_Admin_Guide_chapter_010.html

Extend the database replication timeout value so that subscriber servers have sufficient time to request replication.

Since we are going to upgrade from 8.0.2 to 9.1.2, this is going to be a Refresh Upgrade. Hence installing a COP file becomes mandatory. You can download the COP file from this link, http://software.cisco.com/download/navigator.html?mdfid=268439621&flowid=37562
The COP file name has the format ciscocm.cup.refresh.upgrade_v<latest_version>.cop

Cisco recommends upgrading the Publisher first. Also, you can register all your IP phones to the Subscriber to avoid downtime for IP phones.

CUCM Upgradation Process

Follow the steps below to upgrade from CUCM version 8.x to 9.1.2.

Step 1: Sign in to the Cisco Unified OS Administration page. Click on the Navigation drop-down menu, select Cisco Unified OS Administration and log in with your credentials.



Step 2: Install the COP file. Remember that only a Refresh Upgrade (from version 6.0 through 8.5.1 to 9.1.2) requires the installation of the COP file. If you are running 8.6 or a higher version (Standard Upgrade), you can skip this step.

To install the COP file, go to Software Upgrades > Install/Upgrade


Select Remote Filesystem, enter the details of the FTP or SFTP server where your COP file is stored, and click Next.


Cisco ASA 8.4 on GNS3 - Step By Step Guide


Cisco ASA stands for Adaptive Security Appliance. In brief, it is a security device that combines firewall, antivirus, intrusion prevention, and virtual private network (VPN) capabilities. It can be used as a security solution for both small and large networks. This post applies to adding any of the Cisco ASA versions 8.2, 8.3 and 8.4 to GNS3.

Before we begin, please make sure that you have the items below on your machine.

1. Download & install GNS3
http://www.gns3.net/download

2. Cisco ASA 8.4 ISO image (valid)
http://www.mediafire.com/download.php?ssadit26tl3llms
or
https://rapidshare.com/files/2538881267/asa.zip

Now let's assume that you have installed GNS3 on your machine.

Steps to be followed,
Step 1:- Download the ASA image and extract it. Copy the extracted image files and paste them into the GNS3 images directory.

Ex: C:\Users\<user name>\GNS3\images\

Step 2:- Open GNS3 --> go to Edit ---> Preferences ----> QEMU ---> QEMU VMs

Step 3:- Click New ----> select QEMU VM type ---> ASA 8.4(2) ----> Next button.

Step 4:-  Give whatever name you want to assign to ASA.