Lab 3: Networking and Router Hardening - napier40001507/csn11111/lab3.pdf

Network Security Networking & Router Hardening – Rich Macfarlane 1

Lab 3: Networking and Router Hardening Rich Macfarlane 2013

2.1 Details

Aim: The aim of this lab is to further introduce the GNS3 network simulator, cover some basic networking, investigate some network device security vulnerabilities, and perform further device hardening on Cisco routers.

2.2 Activities

2.2.1 Overview of GNS3 Network Simulator GUI

The GUI for GNS3 is shown in Figure 1, and is divided into four panes by default. The panes can be resized, and opened and closed using the view menu. The pane on the left shows the available network device types which can be added to the network topology. Other custom device types can be added if necessary. The pane on the right is a topology summary. The middle top pane is the network topology workspace, where the topology can be built graphically. The middle bottom pane is the Dynagen console pane, and is the CLI for the Dynamips simulator.

Figure 1 – GNS3 Network Simulator GUI


The GNS3 toolbar is explained in Figure 2 below.

Figure 2 - GNS3 Toolbar

2.2.2 Create a Network with two Routers

Run the GNS3 Network Simulator as Administrator, by Right Click>Run as Administrator on the GNS3 executable.

The New Project dialog should be shown. If not select the File>New Project menu option.

Click the Save NVRAMs and Export router configuration check boxes, as shown below. This is important, as it allows the device configurations to be saved along with the topology. Otherwise the configurations are lost when the project is closed. The project is saved to the Projects directory, which can be configured from the Edit>Preferences menu. Click OK to create the project.

Open the Edit>Preferences window and set up the General>Directories, and test Dynamips via Dynamips>Test, if necessary.

Set up the Router IOS Image from Edit>IOS Images... if necessary (download the Router Image also). Remember to remove the Base Config.

Drag two routers onto the topology panel as shown below.


Add the Routers Network Interfaces

Right click each router and select Configure. Under the Slots tab, add 2 FastEthernet adapters.

Click the Add a Link button, and select Manual as shown below.

Connect the two routers with a virtual cable, by clicking on R1 and selecting the fa0/0 interface (Fast Ethernet slot 0/port 0), and then clicking on R2 and selecting fa0/0. Click the Add a Link button (which currently shows a red cross) to finish connecting the devices. Now click the Show Interface Names button, as shown below.

The panel on the right is now populated. If a panel is not visible, select it from the View menu, as shown below. Toggle off the link button and you can move the labels around.


To boot all Routers, the Start All button on the toolbar can be used (green play button). The links should turn green.

To open a Console Window for every device, click the toolbar Console button. Press the Enter key until there is a response from the router, and once the router OSs have booted, enter no to the initial configuration questions.

2.2.3 Host System Performance Monitoring

It is extremely important to monitor the performance of the host system, and to reconfigure the idlepc value for the device being used, if necessary.

Run the Windows Task Manager using CTRL+SHIFT+ESC (or the Linux System Monitor). If the CPU usage is up at more than 50%, the idlepc value may need to be recalculated. Right click the Router and select Idle PC. Select the best value, and check the CPU usage, which should have reduced.

It is a good idea to keep the Task Manager open and monitor the host system performance while using GNS3, maybe just hiding most of it off to the side of the visible screen, as shown below.

When a Cisco IOS is running, it can consume up to 100% of CPU resources if an idlepc value is not set. This can cause your system to become sluggish and will prevent building more complex topologies. However, if an idlepc value is set, CPU usage can be reduced dramatically (less than 30% ideally). The IOS is put into a sleep state when it is not in use and is woken only when it is necessary.


2.2.4 Basic Router Configuration

To assist with the cisco network device CLI commands see:

http://www.cisco.com/en/US/docs/ios/preface/usingios.html

The routers are in User Exec Command Mode, with the Router> prompt. Change to Privileged Exec Command Mode in both routers.

Q: What signifies that we are in the privileged mode?

Change to Global Configuration Command Mode in both routers.

Q: What signifies that we are in global configuration mode?

Using the hostname command change the hostname of the first router to R1, and the second to R2 (check the title of the console window to check which router you are connected to).

Check the hostnames have been changed by reviewing the running configuration on each router.

2.2.5 Saving Cisco Configurations and GNS3 Topology

Cisco Configurations

The running configuration of a Cisco device will be lost when the device is rebooted, as it is stored in RAM. To save changes made to the configuration, it must be copied to the startup configuration which is stored in NVRAM.

Check the current startup configuration:

R1# show startup-config

Q: What is in the startup config?

Use the following command to save the changes to the startup-config to NVRAM, which is not lost when the device reboots.

R1# copy running-config startup-config

Acknowledge the destination, by pressing RETURN, which then copies the current configuration into NVRAM, as shown below


Check the current startup configuration now:

R1# show startup-config

Q: What is in the startup config?

Saving GNS3 Topologies and Device Configurations

When using GNS3, an extra step is needed to save the configuration changes. As the devices are virtual, the copy command must be followed by a File>Save in GNS3. This saves the NVRAM, and exports the configurations to the Projects directory. Otherwise when the GNS3 project is closed, the NVRAM and configuration files are lost. If this fails you can export the configurations manually using File>Import/Export.

Try copying the running-config to startup-config and saving the project. Then use Windows Explorer to view the GNS3 Projects directory. View the .cfg files with a text editor to check the router configurations have been saved (the hostnames should be R1 and R2 rather than Router), as shown below.

Make sure you are familiar with this process, and remember to save your work frequently!

Q: Have the running configuration files been saved correctly?

If not, see Rich!

2.2.6 Networking Configuration

Configure the 192.168.10.0/24 network between the two routers. Note: Normally we would apply security to the devices before networking configurations, but the device security will be examined in more detail in the next section.

Configure R1 Fast Ethernet Network Adapter

Assign an IP Address to fa0/0 to be able to communicate with R2, using the description command to add documentation.

R1(config)# interface fa0/0


R1(config-if)# description INT TO THE 192.168.10.0/24 NETWORK

R1(config-if)# ip address 192.168.10.1 255.255.255.0

The no shutdown command is needed to bring the interface up for communication:

R1(config-if)# no shutdown

R1(config-if)# exit

R1(config)#

The interface state should change from DOWN to UP.

*Sep 14 10:41:13.843: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up

To view the current interface states, use the show ip interface brief command, as shown below.

R1# show ip interface brief

Using the Command History Feature

The command history feature saves, in a command history buffer, the commands that you enter during a session. The default number of saved commands is 10. To recall commands from the history buffer use the Up Arrow key for older commands, and the Down Arrow key for newer commands. The show history command lists the most recently entered commands.

Use the Up Arrow, to run an earlier command.

Configure R2 Fast Ethernet Network Adapter

Assign a different IP Address on the same network and enable the interface.

R2(config)# interface fa0/0

R2(config-if)# description INT TO THE 192.168.10.0/24 NETWORK

R2(config-if)# ip address 192.168.10.2 255.255.255.0

R2(config-if)# no shutdown

R2(config-if)# exit

R2(config)#

Check the current interface states, and view the running configuration.

Test Connectivity between the R1 and R2 Devices

From R1 use the ping command to test connectivity to the 192.168.10.0/24 network and the R2 router. The ping command sends ICMP echo requests and can be used to check whether a device exists and is responding. Ping is a privileged exec command, so leave configuration mode first (exit or CTRL+Z). Check the local interface is configured correctly:

R1# ping 192.168.10.1


and then the R2 interface.

R1# ping 192.168.10.2

The output from the ping commands should look something like the following:

Similarly, from R2 use the ping command to test connectivity to R1.

Q: Were the ping commands successful?

If not seek assistance.

Once connectivity has been tested successfully, save the R1 and R2 running configurations to the routers' NVRAM, and then save the GNS3 project. Check the configurations have been saved to the host machine.

2.2.7 Add your Host Machine to the Virtual Network – via a Loopback Interface

There are several ways to incorporate hosts/servers into the GNS3 topology. A virtual PC simulator, a Virtual Machine (VM), or the host computer itself can be connected as a host system. In the following example the host machine will be connected to the GNS3 topology via a Loopback Interface.

Configure a Loopback Interface to Connect to the Virtual Topology

Check if a loopback network adapter is installed from the Network and Sharing Centre dialog (Networking dialog in previous versions of Windows). Check the interfaces from the Network Connections window (click Change Adapter Settings) as shown below:


If a loopback network adapter is not installed, a Loopback interface will need to be added on the local computer (if a Loopback exists, skip to the configuration section).

In Windows 7 run hdwwiz from the start prompt or cmd line, or use the Add Hardware wizard from the Control Panel (or in other versions of Windows click the Windows Start button, and type add hardware).

Select Install the hardware manually, as shown below.

Choose Network Adapters in the list and click Next, as shown below.

Choose Microsoft as the manufacturer and then Microsoft Loopback Adapter as the network adapter. Finish the wizard.


Configure the Loopback Network Adapter

Select Network Connections (Change Adapter Settings) from the Network and Sharing Centre dialog (Networking dialog in previous versions of Windows) as shown below.

You may wish to rename the new Local Area Connection as something like “MS Loopback Interface”, as shown below.

Right click the loopback interface, and set the network layer IP addressing to the 192.168.2.0/24 network, as shown below. Click OK to save the changes.

This loopback now has an IP address on the 192.168.2.0/24 network, the same TCP/IP network that R1's second interface will be placed on in GNS3!

Open a Windows command line window, using the Windows Start button and running cmd.

Use the Windows CLI netsh command to check the host system's interfaces and their state, as shown below.

netsh interface show interface


Add the Host System to the Topology

In GNS3, if you do not have a Host Node, create one using the Edit>Symbol Manager menu option; the Symbol Manager window should launch, as shown below.

Click the computer symbol under Available symbols, then click the right arrow button between the windows. This moves the symbol into the Customized nodes column. In the Name box, type computer. Use the drop-down arrow to change the type to Cloud. Click the Apply button, then click OK. In the GNS3 Node Types column, you should now see a computer icon.

Drag a computer onto the topology workspace pane, as shown below.


Right Click>Configure the computer C1. Select C1 under Clouds, and select the NIO Ethernet tab. Administrator rights are required for this. Select the network interface to use, in this case the loopback interface which was set up previously, as shown below. Delete any interface already selected, click the Add button to add the Loopback, and then OK to finish.

Use the Add a Link button, and the Manual option, to create your connection from the Loopback interface to the R1 F0/1 interface, as shown below.

At this stage the network layer IP addresses should be added to the GNS3 topology. Double click each interface on the topology and add the IP addresses, as shown below.


Configure R1 Interface

Assign an IP Address on the same network as the host, and enable the interface.

R1(config)# interface fa0/1

R1(config-if)# description INT TO THE 192.168.2.0/24 HOST NETWORK

R1(config-if)# ip address 192.168.2.1 255.255.255.0

R1(config-if)# no shutdown

R1(config-if)# exit

R1(config)#

Check the current interface states using show ip int brief, and view the running configuration.

Q: Do the interface states look similar to the following?

If not review the previous configuration steps.

Test Connectivity between the host system and R1 Device

From the host, open a CLI window from the Windows Start button by typing cmd (use CTRL+SHIFT+RETURN to run as Administrator), and use the ping command to check the local loopback interface is enabled and can reply to ICMP packets, as shown below.

Now similarly, use ping to test connectivity to the R1 router interface 192.168.2.1.

Q: Were the ping commands successful?


Test Connectivity between R1 Router and the Host System

From R1 use the ping command to test connectivity to the host, starting with the local interface, then the host interface.

Q: Does the router interface respond?

Q: Does the host PC respond?

Q: If not, what might be causing the problem?

If the PC does not respond, the Windows firewall may be blocking the ICMP packets which the ping utility uses.

In Windows 7, events can also be logged by the firewall. Open the Event Viewer by clicking the Windows Start button and typing event viewer. In the left pane, click Applications and Services Logs > Microsoft > Windows > Windows Firewall With Advanced Security > Firewall, as shown below.

Q: Why might the firewall be set to drop ICMP packets by default on this network interface?

If the firewall is set to log blocked packets (it doesn't in this case), we can check which packets Windows Firewall has blocked. Right click Firewall and select Logs, or look at the firewall log file from Windows Firewall with Advanced Security>Monitoring. Select the log filename, such as: C:\Windows\System32\logfiles\firewall\pfirewall.log


To turn the firewall off temporarily on the Loopback interface, click the Windows Start button, type Windows Firewall, and open the Windows Firewall with Advanced Security application.

Select Windows Firewall Properties and select the Public Profile tab.

Click Configure on the Protected Network Connections to see all the networks being firewalled.

Turn the firewall off for the Loopback interface only, as shown above. Leave it enabled on the interfaces that reach real networks.

Retest the connectivity between router and loopback. From R1 use the ping command to test connectivity to the host.

Q: Does the host PC respond to the ping now?


The loopback should now respond to the ping’s ICMP packets as shown below.

Once connectivity has been tested successfully, save the R1 and R2 running configurations to the routers' NVRAM, and then save the GNS3 project. (Check the configurations have been saved to the host machine.)

Test Connectivity between the host system and R2 Device

From the host, use the ping command to check connectivity to the R2 router.

Q: Does the host PC respond?

Q: If not, what might be causing the problem?

2.2.8 Routing Network Traffic

We currently have two different networks set up: one between the two routers, and a second between the host machine and router R1. For traffic to be routed from one network to another, the routers need to be running a routing protocol (or have static routes configured). Display the router's routing table from privileged exec mode:

R1# show ip route

Use the following commands to run the RIP routing protocol on the R1 router, and add routing for all attached networks (the network 0.0.0.0 statement matches every interface). Note that RIP sends its updates unauthenticated by default, so any device on the shared link could inject routes; that is acceptable in this lab, but not on a production network.

R1(config)# router rip

R1(config-router)# network 0.0.0.0

R1(config-router)# exit

R1(config)#

Q: Check the routing table. Has it been populated with routes to networks?

Q: How many routes are directly connected to the router, and how many have been learned from the RIP routing protocol?

Use the following commands to run the rip routing protocol on the R2 router.

R2(config)# router rip

R2(config-router)# network 0.0.0.0


R2(config-router)# exit

R2(config)#

Q: Check the routing table. Has it been populated with routes to any networks?

Q: How many routes are directly connected to the router, and how many have been learned from the RIP routing protocol?

Test Connectivity between R2 Device and the host system

From the R2 router, use the ping command to check connectivity to the host.

Q: Does the host PC respond?

Test Connectivity between the host system and R2 Device

From the host, use the ping command to check connectivity to the R2 router.

Q: Does the R2 router respond?

Q: If not, what might be causing the problem?

If another Wireless or LAN interface on the host is enabled, and has a Default Gateway set, the traffic may be sent through that interface. If the pings to R2 failed, disable any other enabled interfaces temporarily from the Network Connections dialog. Test the connectivity to the R2 router again.

Q: Does the R2 router respond?

Once connectivity has been tested successfully, save the R1 and R2 running configurations to the routers' NVRAM, and then save the GNS3 project. Check the configurations have been saved to the host machine.


2.2.9 Network Device Hardening – Admin Access Passwords

Console Administrative Access Security – Add Passwords

The simplest way to connect to the device is via the console port, as shown below.

Figure – System Administrator connected to the Router via the Console Interface

A console password can be configured, and login on the console line enabled, using the following commands:

R1(config)#

R1(config)# line con<TAB>

R1(config)# line console 0

R1(config-line)# password conpass

R1(config-line)# login

R1(config-line)# exit

R1(config)#

View the routers configuration file.

Q: Is the console login password readable? (check the line con 0 section of the router config)

Router configurations are often printed out, and may be read by unauthorised staff. They are also typically stored centrally and may be transferred via the FTP or TFTP protocols, which send data in plain text. Therefore it is good practice to encrypt passwords stored in the configuration files (and to prefer SCP or SFTP over FTP/TFTP for transferring them).

Password Encryption

Password encryption can be set on Cisco devices, meaning all passwords configured on the router are obscured in the configuration. The algorithm used is not a one-way hash function (as normally used for password storage) but a reversible encoding, and it is easily decoded. Use the following:

R1(config)# service password-encryption

R1(config)# exit

R1#

View the routers configuration file.

Q: Is the console login password readable?

Q: What threat might this now mitigate?


The default type 7 encryption used by Cisco devices is not a strong algorithm: it XORs the password against a fixed, publicly known key, so a simple decoder recovers the plaintext instantly. Go to the following link and try to crack the console login password.

http://www.firewall.cx/modules.php?name=Cisco_Decrypter

Q: Did you succeed?

Q: Did it take long to crack the passwords?

It should be easily crackable, as shown below:

Using the service password-encryption command only encrypts passwords on the router with the weak type 7 encryption.
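The decoding the firewall.cx page performs, as an added example written for this lab (it is not the lab's own code nor that tool): a type 7 decoder and encoder, plus a scan that pulls every type 7 value out of a config. TYPE7_KEY is the fixed key published by existing type 7 decoders, and the sample value is the line con 0 password from Appendix 1 of this lab; SAMPLE_CONFIG is a constructed fragment around it.

```python
# Cisco IOS type 7 decoder/encoder.  Added example for this lab; it is not the
# lab's own code nor the firewall.cx tool.  Type 7 is a fixed-key XOR, so
# anyone holding the config can reverse it.  TYPE7_KEY is the key published
# by existing decoders; the sample value is the 'line con 0' password from
# Appendix 1 of this lab.  SAMPLE_CONFIG is a constructed fragment.

# Fixed XOR key used by IOS for type 7 (as published in type 7 decoders).
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_decode(encoded: str) -> str:
    """Recover plaintext from a 'password 7 <value>' string.

    Layout: two decimal digits (offset into TYPE7_KEY) followed by one hex
    byte per character, each XORed with the key byte at offset + position.
    """
    if len(encoded) < 4 or len(encoded) % 2:
        raise ValueError("expected 2 offset digits followed by hex pairs")
    offset = int(encoded[:2], 10)
    if not 0 <= offset <= 15:
        raise ValueError("IOS only uses offsets 00-15")
    data = bytes.fromhex(encoded[2:])
    plain = bytes(b ^ TYPE7_KEY[(offset + i) % len(TYPE7_KEY)]
                  for i, b in enumerate(data))
    return plain.decode("ascii")


def type7_encode(password: str, offset: int = 8) -> str:
    """Produce the string IOS would store; IOS picks the offset itself."""
    if not 0 <= offset <= 15:
        raise ValueError("offset must be 0-15")
    data = bytes(c ^ TYPE7_KEY[(offset + i) % len(TYPE7_KEY)]
                 for i, c in enumerate(password.encode("ascii")))
    return "%02d%s" % (offset, data.hex().upper())


def find_type7_passwords(config: str) -> list:
    """Return (config line, recovered password) for every type 7 value found."""
    found = []
    for line in config.splitlines():
        tokens = line.split()
        # Matches 'password 7 <hex>', 'enable password 7 <hex>',
        # 'username x password 7 <hex>' and key-chain 'key-string 7 <hex>'.
        if len(tokens) >= 3 and tokens[-2] == "7" \
                and tokens[-3] in ("password", "key-string"):
            found.append((line.strip(), type7_decode(tokens[-1])))
    return found


# Constructed config fragment; the type 7 value is the one from Appendix 1.
SAMPLE_CONFIG = """\
hostname R1
!
line con 0
 password 7 0822434019181604
 login
"""

if __name__ == "__main__":
    for line, secret in find_type7_passwords(SAMPLE_CONFIG):
        print("%-35s -> %s" % (line, secret))
```

Run against Appendix 1 the scan returns conpass for the console line; the only thing service password-encryption buys you is protection from a casual glance over someone's shoulder.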

Privileged Exec Mode Password – Encrypt Using MD5 Hash

To encrypt username passwords, the command username secret can be used to encrypt using MD5 hashes. User authentication will be covered in the Access Control Unit.

Set the privileged exec password to cisco.

R1#config t

R1(config)# enable secret cisco

As discussed in Lab 1, the enable secret command stores a type 5 secret: a salted, iterated, one-way MD5 hash (the md5crypt scheme also used by Unix crypt), which cannot be reversed; an attacker can only guess candidate passwords and hash each one. Cisco devices support various commands to save passwords to the configuration. View the router's configuration file.

Q: Is the privileged command mode password encrypted?

Q: What is the hash digest value?

Q: What is the salt value?


This is a salted one-way hash, but if the password itself is not strong, a simple dictionary attack can crack it, as shown below. This took a few seconds, using Cain, a well known password cracking utility, and a standard dictionary of English words. A much stronger password could also be cracked by brute force given enough time.

Cain Cisco Router OS Salted MD5 Password Hash Cracker

The salt is what stops pre-computed lookup tables being used here: a separate table would be needed for every salt value, so each type 5 hash has to be attacked individually, whereas an unsalted hash would fall to a table lookup even quicker. Either way, keeping passwords and password hashes out of the hands of attackers is vital. Methods such as storing passwords centrally, on an Authentication server, are covered in later units.
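The dictionary attack Cain performs above, as an added example written for this lab (not the lab's own code, nor Cain's): a from-scratch implementation of the type 5 scheme (md5crypt, $1$salt$hash, written from its published definition using only the standard library) and a loop that tries each wordlist entry with the target's salt. WORDLIST is a constructed stand-in for a real dictionary; the main block tries the enable secret from Appendix 1 alongside a freshly generated hash.

```python
# Dictionary attack on a Cisco IOS type 5 (salted, iterated MD5) secret.
# Added example for this lab; it is not the lab's own code nor Cain.  Type 5 is
# the FreeBSD md5crypt scheme ($1$<salt>$<hash>), reimplemented here from its
# published definition.  WORDLIST is a constructed stand-in for a dictionary.
import hashlib
from typing import Optional

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value: int, count: int) -> str:
    """md5crypt's own base-64 variant: low 6 bits first, 'count' characters."""
    out = []
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def md5crypt(password: str, salt: str) -> str:
    """Compute $1$<salt>$<hash> as crypt(3) and IOS 'secret 5' do."""
    pw = password.encode()
    salt = salt[:8]                      # md5crypt uses at most 8 salt chars
    sb = salt.encode()
    ctx = hashlib.md5(pw + b"$1$" + sb)
    alt = hashlib.md5(pw + sb + pw).digest()
    remaining = len(pw)                  # mix in 'alt', 16 bytes per 16 of pw
    while remaining > 0:
        ctx.update(alt[:min(16, remaining)])
        remaining -= 16
    i = len(pw)                          # the scheme's bit-by-bit quirk
    while i:
        ctx.update(b"\x00" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for r in range(1000):                # 1000 rounds: each guess costs ~1000 MD5s
        c = hashlib.md5()
        c.update(pw if r & 1 else final)
        if r % 3:
            c.update(sb)
        if r % 7:
            c.update(pw)
        c.update(final if r & 1 else pw)
        final = c.digest()
    f = final
    encoded = (_to64((f[0] << 16) | (f[6] << 8) | f[12], 4)
               + _to64((f[1] << 16) | (f[7] << 8) | f[13], 4)
               + _to64((f[2] << 16) | (f[8] << 8) | f[14], 4)
               + _to64((f[3] << 16) | (f[9] << 8) | f[15], 4)
               + _to64((f[4] << 16) | (f[10] << 8) | f[5], 4)
               + _to64(f[11], 2))
    return "$1$%s$%s" % (salt, encoded)


def parse_type5(secret: str) -> tuple:
    """Split '$1$<salt>$<hash>' into (salt, hash); reject anything else."""
    parts = secret.split("$")
    if len(parts) != 4 or parts[0] != "" or parts[1] != "1":
        raise ValueError("not a type 5 ($1$) secret")
    return parts[2], parts[3]


def dictionary_attack(secret: str, wordlist) -> Optional[str]:
    """Return the word that hashes to 'secret' under its salt, else None."""
    salt, _ = parse_type5(secret)
    for word in wordlist:
        if md5crypt(word, salt) == secret:
            return word
    return None


# Constructed stand-in for a dictionary file; real attacks use millions of words.
WORDLIST = ["password", "letmein", "admin", "router", "cisco", "secret"]

if __name__ == "__main__":
    # First target: the enable secret from Appendix 1 of this lab.
    # Second target: a hash generated here, so the result is known in advance.
    for target in ("$1$Er41$tNsvIlqRbUHJ24IjjUU5p0", md5crypt("router", "Er41")):
        print(target, "->", dictionary_attack(target, WORDLIST))
```

The 1000-round loop is why each guess costs about a thousand MD5 computations rather than one, and the salt is why the work cannot be shared between two hashes; neither helps when the password is a dictionary word, which is the point the Cain screenshot makes.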


2.2.10 Remote Administrative Access - Telnet

Telnet Server

Administrators typically need to configure devices remotely, as they may not have physical access to plug into the console port. Virtual interfaces (or lines) on the network device can be configured for access to the router's Telnet server, and the Administrator can administer the device over the LAN using a Telnet client, as shown below.

Figure – SysAdmin's Telnet client on the host connecting to the Telnet servers on R1 and R2

The virtual line password provides authentication for remote administrative access to the router's Telnet service. The following commands configure five virtual terminal lines, 0-4. Unless a password is set on a line, login on that line is refused. Configure the virtual terminal lines using:

R1# config t

Enter configuration commands, one per line. End with CNTL/Z.

R1(config)# line vty 0 4

R1(config-line)# password telnetpass

R1(config-line)# login

R1(config-line)# exit

R1(config)#

Telnet Client

Connect from the host system using a Telnet client. Telnet is not installed in some versions of Windows by default (such as Windows 7). To install the Telnet Client, click the Windows Start button, go to Control Panel, select Programs and Features, and then select Turn Windows features on or off.

In the Windows Features dialog box, select the Telnet Client check box, as shown below, and click OK. The installation may take a minute or two!


From the Host System Administer the R1 Router via Telnet

From the host, open a Cmd Window, and use the telnet -? command to check the syntax of the Telnet client tool.

Now, use the telnet 192.168.2.1 command to connect to the telnet server on R1, as shown. Login with the Telnet password you set up.

Now telnet to R2: telnet 192.168.10.2

Q: Did you get access?

Q: Why not?

Set up the Telnet virtual lines on R2, and telnet to R2, but do not login.

Sniffing Telnet Traffic

We can use a packet sniffing application, such as Wireshark to eavesdrop on, and capture, the telnet conversation, as shown in the diagram below. If you would like a tutorial in Wireshark, an optional Lab4 – Packet Capture using Wireshark is available.


Figure – Eve eavesdropping on the Telnet session between the SysAdmin's Telnet client and the Telnet server on R2

In GNS3, right click on the link between R1 and R2, and select Capture, and select the R2 interface to capture traffic on, as shown below.

This should start Wireshark capturing traffic on the R2 interface. Now telnet to R2, from the host PC CLI, and login to R2 using the virtual line password. Wireshark should display the telnet traffic as shown below.


Using the wireshark capture:

Q: Which Network Layer protocol does Telnet use?

Q: What are the packet numbers of the packets performing the TCP handshake?

Q: Complete the diagram, with client and server ip addresses and port numbers.

                 Host                   Router
IP Address:      _____________          _____________
Port Number:     _____________          _____________

In the top panel, the Packet List Panel - which contains a row per packet, right click on a packet and select Follow TCP Stream. This creates an automatic Display Filter which displays packets from that TCP session only. It also pops up a session display window, containing an ASCII representation of the reassembled TCP session (client packets in red, server packets in blue).

Q: Can you read the telnet session data?

YES/NO

Q: What is shown?

The reassembled data from the Telnet packets should look something like shown below:

This highlights the vulnerability in clear-text protocols: anyone who can see the traffic can read the human-readable payload of any unencrypted protocol, such as HTTP, SMTP, and FTP. For example, you can reconstruct web pages seen by a user, or view unencrypted email or instant message conversations.
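What Follow TCP Stream did by hand above, as an added example written for this lab (not the lab's code and not Wireshark's): a small reassembler that orders each direction of the Telnet session by TCP sequence number, discards the retransmitted segment, strips the IAC option negotiation, and pairs each server prompt with the line the client typed next, so the vty and enable passwords fall out directly. The packets are constructed to mirror the host-to-R2 login in this lab; the host address 192.168.2.10 and source port 50123 are assumptions, and line-sized client segments stand in for the one-keystroke-per-packet traffic a real Telnet client produces.

```python
# Reassemble a sniffed Telnet session and recover what was typed at each prompt.
# Added example for this lab; it is not the lab's code and not Wireshark's.
# Host address/port (192.168.2.10:50123) are assumptions; R2 is 192.168.10.2:23
# as in the lab.  All segments below are constructed.
import re
from dataclasses import dataclass
from typing import List

IAC, SB, SE = 0xFF, 0xFA, 0xF0
HOST, HPORT, R2, TELNET = "192.168.2.10", 50123, "192.168.10.2", 23


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    seq: int
    payload: bytes


def reassemble(segs: List[Segment], src, sport, dst, dport) -> bytes:
    """Rebuild one direction of a TCP stream from out-of-order/duplicate segments."""
    flow = sorted((s.seq, s.payload) for s in segs
                  if (s.src, s.sport, s.dst, s.dport) == (src, sport, dst, dport))
    stream, expected = bytearray(), (flow[0][0] if flow else 0)
    for seq, data in flow:
        if seq + len(data) <= expected:
            continue                        # pure retransmission, already seen
        if seq < expected:
            data = data[expected - seq:]    # overlap: keep only the new tail
        stream += data
        expected = seq + len(data)
    return bytes(stream)


def strip_telnet_options(data: bytes) -> bytes:
    """Drop IAC commands, WILL/WONT/DO/DONT options and subnegotiations."""
    out, i = bytearray(), 0
    while i < len(data):
        if data[i] != IAC:
            out.append(data[i]); i += 1
        elif i + 1 < len(data) and data[i + 1] == IAC:
            out.append(IAC); i += 2         # escaped literal 0xFF
        elif i + 1 < len(data) and data[i + 1] == SB:
            end = data.find(bytes([IAC, SE]), i + 2)
            i = len(data) if end < 0 else end + 2
        elif i + 1 < len(data) and 0xFB <= data[i + 1] <= 0xFE:
            i += 3                          # IAC WILL/WONT/DO/DONT <option>
        else:
            i += 2                          # any other two-byte IAC command
    return bytes(out)


# Prompts an IOS vty sends: 'Password: ' for login/enable, then 'R2>' / 'R2#'.
PROMPT_RE = re.compile(rb"Password: |\S+[>#]")


def extract_session(segs: List[Segment]) -> dict:
    """Pair each server prompt, in order, with the next line the client sent."""
    typed = strip_telnet_options(reassemble(segs, HOST, HPORT, R2, TELNET))
    shown = strip_telnet_options(reassemble(segs, R2, TELNET, HOST, HPORT))
    prompts = [m.group(0).decode() for m in PROMPT_RE.finditer(shown)]
    lines = [l for l in typed.decode("ascii", "replace").split("\r\n") if l]
    pairs = list(zip(prompts, lines))
    return {"pairs": pairs,
            "passwords": [l for p, l in pairs if p == "Password: "]}


def make_flow(src, sport, dst, dport, seq, payloads) -> List[Segment]:
    """Constructed helper: consecutive segments with correct sequence numbers."""
    out = []
    for p in payloads:
        out.append(Segment(src, sport, dst, dport, seq, p)); seq += len(p)
    return out


# Constructed capture: host logs in to R2's vty, then runs 'enable'.
CLIENT = make_flow(HOST, HPORT, R2, TELNET, 5000,
                   [b"\xff\xfd\x01\xff\xfd\x03", b"telnetpass\r\n",
                    b"enable\r\n", b"cisco\r\n"])
SERVER = make_flow(R2, TELNET, HOST, HPORT, 1000,
                   [b"\xff\xfb\x01\xff\xfb\x03\r\nUser Access Verification\r\n\r\nPassword: ",
                    b"\r\nR2>", b"enable\r\nPassword: ", b"\r\nR2#"])
# Delivered out of order on purpose, with the vty password segment retransmitted.
PACKETS = [SERVER[0], CLIENT[0], CLIENT[2], CLIENT[1], SERVER[1],
           CLIENT[1], SERVER[2], CLIENT[3], SERVER[3]]

if __name__ == "__main__":
    session = extract_session(PACKETS)
    for prompt, answer in session["pairs"]:
        print("%-12r %r" % (prompt, answer))
    print("passwords:", session["passwords"])
```

Nothing here needs the key, a dictionary or any cracking at all; the protocol hands the credentials over in the clear, which is the whole argument for the SSH section that follows.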


2.2.11 Remote Administrative Access - Secure Shell (SSH)

SSH is a secure terminal application allowing administrative access to devices over encrypted communications. It can also provide cryptographic authentication of the remote SSH server, via the server's host key. Set up the SSH server on router R1 as follows.

SSH Server

A domain name needs to be configured to use SSH on Cisco IOS, as it forms part of the RSA key name:

R1# config t

Enter configuration commands, one per line. End with CNTL/Z.

R1(config)# ip domain-name secure.com

An RSA asymmetric key pair is needed by SSH, for server authentication and for setting up the encrypted session. Use a key of 1024 bits and not the Cisco 512-bit default, as shown below (1024 bits is the minimum used in this lab; current guidance is 2048 bits or more):

R1(config)# crypto key generate rsa general-keys modulus 1024

The name for the keys will be: R1.secure.com

% The key modulus size is 1024 bits

% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]

R1(config)#

*Sep 21 00:25:58.719: %SSH-5-ENABLED: SSH 1.99 has been enabled

Set a login (authentication) timeout of 10 seconds, and the number of retries to 3

R1(config)# ip ssh time-out 10

R1(config)# ip ssh authentication-retries 3

Q: Which threats might this help to mitigate?

SSH does not allow the use of the virtual line password to provide authentication for remote administrative access to the router. A user account has to be set up, either locally on the device or on an Authentication server. The following commands set up a user/password, and set the five virtual lines, 0-4, to accept SSH only instead of Telnet:

R1(config)# username admin secret sshpass

R1(config)# line vty 0 4

R1(config-line)# transport input ssh

R1(config-line)# login local

R1(config-line)# exit

R1(config)#

Verify the SSH server is running using the command:

R1# show ip ssh

SSH Enabled - version 1.99

Authentication timeout: 10 secs; Authentication retries: 3

Minimum expected Diffie Hellman key size : 1024 bits

Version 1.99 means the server still accepts SSH protocol version 1 clients as well as version 2. Version 1 has known weaknesses, so on a production device the server should be restricted to version 2 with the ip ssh version 2 command.


SSH Client

On the host PC we will use the SSH client PuTTY.

If PuTTY is not installed on your system, download it from:

http://www.chiark.greenend.org.uk/~sgtatham/putty/

Run Wireshark, to capture the SSH session traffic. On the host system, open the PuTTY application, as shown below, and connect to the SSH server on R1. PuTTY warns that the server's host key is not yet cached and asks whether you trust it; select Yes here, but note that in practice the key should be compared out of band with the router's own (shown by show crypto key mypubkey rsa on R1) before accepting, because this first connection is where a man-in-the-middle could substitute a key of their own.

Figure – PuTTY SSH/Telnet Client GUI

You should be able to login with the user account and password defined on the router, as shown below.

Stop the Wireshark trace. From the trace, follow the TCP stream for the SSH conversation:

Q: Can you read the SSH session data?


The SSH conversation should look something like shown below:

SSH Encrypted Conversation

Save the R1 and R2 running configurations to the routers' NVRAM, and then save the GNS3 project. Check the configurations have been saved to the host machine. The final R1 configuration file should look similar to Appendix 1.

Q: Which threats/attacks would SSH help to mitigate?

Q: Research which type of attack could allow the SSH traffic to be read, and give a brief description:


2.3 Appendix 1 - Cisco IOS router configuration

version 12.4
service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
enable secret 5 $1$Er41$tNsvIlqRbUHJ24IjjUU5p0
!
no aaa new-model
ip source-route
ip cef
!
ip domain name secure.com
no ipv6 cef
!
multilink bundle-name authenticated
!
username admin secret 5 $1$qYuv$g8cbnZ3AHUe27cPysahLb.
archive
 log config
  hidekeys
!
ip ssh time-out 10
!
interface FastEthernet0/0
 description to the 192.168.10.0/24 network
 ip address 192.168.10.1 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description int to the 192.168.2.0/24 network
 ip address 192.168.2.1 255.255.255.0
 duplex auto
 speed auto
!
router rip
 network 192.168.2.0
 network 192.168.10.0
 no auto-summary
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
line con 0
 password 7 0822434019181604
 login
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 login local
 transport input ssh
!
end
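A configuration audit, as an added example written for this lab (not the lab's own code nor a Cisco tool), that checks a saved configuration such as the one in Appendix 1 for the hardening this lab applied. It parses the config into top-level commands and their indented children, so the bare login under line con 0 is kept apart from login local under line vty 0 4. SAMPLE_CONFIG is the Appendix 1 config, trimmed, with IOS's one-space child indentation restored; the checks for SSH version 2, a vty exec-timeout, the HTTP server and type 7 passwords go beyond what the lab itself configures and are included as standard expectations.

```python
# Audit a Cisco IOS config for the hardening steps covered in this lab.
# Added example; not part of the lab sheet nor any Cisco tool.  SAMPLE_CONFIG is
# the R1 config from Appendix 1 with IOS's child indentation restored.  The
# SSH v2, exec-timeout, HTTP-server and type-7 checks are extra expectations.
import re
from typing import Dict, List, Tuple


def parse_sections(config: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Return (top-level commands in order, {top-level command: child commands})."""
    top: List[str] = []
    children: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0] in " \t" and current is not None:
            children[current].append(raw.strip())
        else:
            current = raw.strip()
            top.append(current)
            children.setdefault(current, [])
    return top, children


def _has_idle_timeout(line_cmds: List[str]) -> bool:
    """True if an exec-timeout is set and is not 0 (0 0 disables it)."""
    for cmd in line_cmds:
        if cmd.startswith("exec-timeout"):
            return any(p != "0" for p in cmd.split()[1:])
    return False


def audit(config: str) -> Dict[str, bool]:
    """Map each hardening check to True (pass) or False (fail)."""
    top, children = parse_sections(config)
    glob = set(top)
    vty = [children[h] for h in top if h.startswith("line vty")]
    con = [children[h] for h in top if h.startswith("line con")]
    every = top + [c for cmds in children.values() for c in cmds]
    return {
        "service password-encryption set":
            "service password-encryption" in glob,
        "enable secret used, enable password absent":
            any(c.startswith("enable secret") for c in glob)
            and not any(c.startswith("enable password") for c in glob),
        "console line requires login":
            bool(con) and all(any(c.startswith("login") for c in cmds) for cmds in con),
        "vty lines accept SSH only":
            bool(vty) and all("transport input ssh" in cmds for cmds in vty),
        "vty lines authenticate against local users or AAA":
            bool(vty) and all(any(c.startswith(("login local", "login authentication"))
                                  for c in cmds) for cmds in vty),
        "SSH restricted to version 2":
            "ip ssh version 2" in glob,
        "vty idle timeout configured":
            bool(vty) and all(_has_idle_timeout(cmds) for cmds in vty),
        "HTTP and HTTPS servers disabled":
            "no ip http server" in glob and "no ip http secure-server" in glob,
        "no reversible type 7 passwords present":
            not any(re.search(r"\b(password|key-string) 7 \S+", c) for c in every),
    }


# Appendix 1 of this lab (trimmed), with IOS's one-space indentation restored.
SAMPLE_CONFIG = """\
version 12.4
service password-encryption
!
hostname R1
!
enable secret 5 $1$Er41$tNsvIlqRbUHJ24IjjUU5p0
!
no aaa new-model
ip domain name secure.com
!
username admin secret 5 $1$qYuv$g8cbnZ3AHUe27cPysahLb.
!
ip ssh time-out 10
!
interface FastEthernet0/0
 description to the 192.168.10.0/24 network
 ip address 192.168.10.1 255.255.255.0
!
interface FastEthernet0/1
 description int to the 192.168.2.0/24 network
 ip address 192.168.2.1 255.255.255.0
!
no ip http server
no ip http secure-server
!
line con 0
 password 7 0822434019181604
 login
line aux 0
line vty 0 4
 login local
 transport input ssh
!
end
"""

if __name__ == "__main__":
    for check, ok in audit(SAMPLE_CONFIG).items():
        print("%s  %s" % ("PASS" if ok else "FAIL", check))
```

Against Appendix 1 the audit passes the checks the lab set out to achieve and fails three it did not: SSH is still negotiable at version 1, the vty lines never time out, and the console password is a reversible type 7 value. Those three lines are the obvious next hardening step once the lab is complete.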