
Attacking Cisco R&S with Kali (Backtrack) By CCSI/CCIE: Yasser Auda

OS and applications used in this document

hping3 is a network tool that sends custom TCP/IP packets and displays the target's replies, much as
ping does with ICMP echo replies. hping3 handles fragmentation and arbitrary packet bodies and sizes, and
can be used to transfer files encapsulated in the supported protocols. It can also generate packet floods,
which is how it is used for the SYN DoS test later in this document.

http://linux.die.net/man/8/hping3
---------------
Yersinia is a network tool designed to take advantage of weaknesses in several layer-2 network
protocols (STP, CDP, DTP, DHCP, HSRP, 802.1Q, 802.1X, ISL, VTP). It is intended as a framework for
analysing and testing deployed networks and systems.
Attacks Yersinia can perform:
http://www.yersinia.net/attacks.htm
-------------------
Kali Linux is an advanced penetration testing and security auditing Linux distribution.
Kali is a complete rebuild of BackTrack Linux, adhering completely to Debian development standards,
and ships with more than 300 penetration testing tools.

https://www.kali.org/
--------------------
ike-scan is a command-line tool that uses the IKE protocol to discover, fingerprint and test IPsec VPN
gateways. It is available for Linux, Unix, MacOS and Windows under the GPL licence.
------------------
THC IPv6 tools
http://manpages.ubuntu.com/manpages/trusty/man8/thc-ipv6.8.html
https://www.thc.org/thc-ipv6/


DHCP Starvation Attack

R2 will be configured as the DHCP server:

ip dhcp pool 10
 network 10.1.1.0 255.255.255.0
 default-router 10.1.1.1

On the Kali side we run Yersinia; -G starts the application with its GUI instead of the CLI:
yersinia -G
Go to the DHCP tab.


Choose Launch attack and select the starvation attack ("sending DISCOVER packet") as shown below.
Yersinia sends a continuous stream of DHCPDISCOVER messages, each with a different client hardware
address, so the server hands out a lease to a phantom client for every address in the pool.

After a few seconds choose List attacks, then Cancel all attacks.
From the R2 side (show ip dhcp binding), the binding table is full of leases for the spoofed client
addresses and the pool is exhausted, so a legitimate client can no longer obtain an address.

Countermeasure:
Enable DHCP snooping on the switch (ip dhcp snooping, ip dhcp snooping vlan <n>). Mark only the port
toward the DHCP server (R2) as trusted (ip dhcp snooping trust); on every untrusted access port,
including the one Kali is plugged into, apply ip dhcp snooping limit rate so a burst of DISCOVER
messages err-disables the port instead of exhausting the pool. Because untrusted ports also drop server
messages (OFFER/ACK), the same configuration stops Kali from running a rogue DHCP server (DHCP
spoofing).
Port security (switchport port-security maximum 1) also helps, but only when each spoofed DISCOVER
arrives in a frame with a different Ethernet source MAC. An attacker who keeps one source MAC and varies
only the client hardware address (chaddr) inside the DHCP payload is invisible to port security; DHCP
snooping's MAC-address verification (ip dhcp snooping verify mac-address, on by default) covers that
case by dropping DISCOVERs whose chaddr does not match the frame's source MAC.
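The snooping checks described above, modelled in Python as an added example (this is not code from the original document or from Cisco). It builds DHCPDISCOVER messages the way a starvation tool does and runs them through the untrusted-port checks: server-message filtering, chaddr/source-MAC verification and the per-second rate limit. The attacker MAC 08:00:27:32:18:03 is taken from the log output later in this document; the switch model is a deliberate simplification of IOS behaviour.

```python
"""DHCP snooping checks modelled in Python (added example, not part of the
original document). It builds a minimal DHCPDISCOVER the way a starvation
tool does (a different client hardware address in every message) and runs
the checks a Cisco switch applies on an untrusted port with 'ip dhcp
snooping', 'ip dhcp snooping verify mac-address' (on by default) and
'ip dhcp snooping limit rate'. Field offsets and option 53 values follow
RFC 2131/2132; the switch model itself is a simplification."""
import random
import struct
from collections import defaultdict

DHCP_MAGIC = b"\x63\x82\x53\x63"
DISCOVER, OFFER, REQUEST, ACK = 1, 2, 3, 5      # option 53 message types
SERVER_MSGS = {OFFER, ACK}                      # only a real server sends these


def mac_bytes(mac):
    return bytes(int(octet, 16) for octet in mac.split(":"))


def random_mac(rnd):
    return ":".join(f"{rnd.randrange(256):02x}" for _ in range(6))


def build_dhcp(msg_type, chaddr, xid=0x1234):
    """Return a raw BOOTP/DHCP payload (no Ethernet/IP/UDP headers)."""
    op = 1 if msg_type in (DISCOVER, REQUEST) else 2   # BOOTREQUEST / BOOTREPLY
    # op, htype=1 (Ethernet), hlen=6, hops, xid, secs, flags (broadcast bit),
    # ciaddr, yiaddr, siaddr, giaddr: 28 bytes in total
    fixed = struct.pack("!BBBBIHH4s4s4s4s", op, 1, 6, 0, xid, 0, 0x8000,
                        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4)
    chaddr_field = mac_bytes(chaddr) + b"\0" * 10    # 16-byte chaddr field
    sname_file = b"\0" * (64 + 128)
    options = DHCP_MAGIC + bytes([53, 1, msg_type, 255])  # msg type + END
    return fixed + chaddr_field + sname_file + options


def parse_dhcp(payload):
    """Return (message_type, chaddr as 'aa:bb:..') from a raw DHCP payload."""
    if payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP payload")
    chaddr = ":".join(f"{b:02x}" for b in payload[28:34])
    opts, i, msg_type = payload[240:], 0, None
    while i < len(opts) and opts[i] != 255:
        if opts[i] == 0:                  # pad option has no length byte
            i += 1
            continue
        code, length = opts[i], opts[i + 1]
        if code == 53:
            msg_type = opts[i + 2]
        i += 2 + length
    return msg_type, chaddr


class SnoopingPort:
    """One switch port with DHCP snooping state."""

    def __init__(self, trusted=False, rate_limit=None):
        self.trusted = trusted
        self.rate_limit = rate_limit       # DHCP packets per second, None = off
        self.per_second = defaultdict(int)

    def inspect(self, src_mac, payload, t):
        """Return 'forward' or a 'drop: ...' reason for one DHCP packet."""
        msg_type, chaddr = parse_dhcp(payload)
        if self.trusted:                   # trusted port: no checks at all
            return "forward"
        if msg_type in SERVER_MSGS:        # rogue-server protection
            return "drop: server message on untrusted port"
        if chaddr != src_mac.lower():      # 'verify mac-address'
            return "drop: chaddr does not match frame source MAC"
        self.per_second[int(t)] += 1       # 'limit rate' (port err-disables)
        if self.rate_limit is not None and self.per_second[int(t)] > self.rate_limit:
            return "drop: rate limit exceeded"
        return "forward"


def starvation_demo(rate_limit=15, n=50):
    """Send n DISCOVERs within one second through an untrusted port.
    Returns {case: (forwarded, dropped)} for two attacker strategies.
    08:00:27:32:18:03 is the attacker's real MAC from the lab logs."""
    rnd = random.Random(1)
    real_mac = "08:00:27:32:18:03"
    results = {}
    # Case 1: only the chaddr inside DHCP is randomised; frame source MAC fixed.
    port = SnoopingPort(rate_limit=rate_limit)
    fwd = sum(port.inspect(real_mac, build_dhcp(DISCOVER, random_mac(rnd)), 0.0) == "forward"
              for _ in range(n))
    results["chaddr_only"] = (fwd, n - fwd)
    # Case 2: frame source MAC spoofed to match each chaddr (passes the MAC
    # check, hits the rate limit; this is also the case port security sees).
    port = SnoopingPort(rate_limit=rate_limit)
    fwd = 0
    for _ in range(n):
        mac = random_mac(rnd)
        fwd += port.inspect(mac, build_dhcp(DISCOVER, mac), 0.0) == "forward"
    results["l2_and_chaddr"] = (fwd, n - fwd)
    return results


if __name__ == "__main__":
    print(starvation_demo())
```

With a rate limit of 15 per second, the chaddr-only variant is dropped entirely by MAC verification, while the variant that also spoofs the frame source MAC gets 15 DISCOVERs through before the port is shut; that second variant is the only one port security with maximum 1 would have caught.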


Root Bridge Attack

Kali side:
yersinia -G
STP tab
Choose Claiming Root Role. Yersinia sends BPDUs advertising a bridge ID better (lower) than the current
root's, so the switches re-elect the Kali host as root bridge and the topology reconverges around it,
putting the attacker in the forwarding path.

Countermeasure to a root takeover attack is simple and straightforward. Two features help thwart a
root takeover attack:
 Root guard (spanning-tree guard root) on ports that must never become root ports, i.e. ports facing
downstream switches or hosts: a superior BPDU received there puts the port into root-inconsistent
(blocking) state until the BPDUs stop.
 BPDU guard (spanning-tree bpduguard enable) on access ports, normally together with PortFast: any
BPDU received err-disables the port. Since the attacker sits on an access port, this is the primary
control.


VTP Attack

From Kali side:

yersinia -G
VTP tab
Choose sending VTP packet. A crafted VTP advertisement with a higher configuration revision number
is accepted by every switch in server or client mode in the domain, which then overwrites its VLAN
database; VLANs that disappear take the ports assigned to them with them.

Countermeasure
Configure a VTP password (vtp password <secret>). The password itself is never transmitted, but the
MD5 digest in every advertisement is derived from it, so an attacker who captures VTP advertisements
can still brute-force it offline with tools such as Cain & Abel; a long random password makes that take
a very long time. VTP is only carried on trunk links, so also make sure host-facing ports cannot
negotiate a trunk (switchport mode access, switchport nonegotiate), and use VTP transparent mode or
disable VTP where it is not needed.


CDP Flooding Attack

Kali side:
yersinia -G
CDP tab


Choose flooding CDP table. Yersinia sends CDP frames with random device IDs, so the neighbour table of
the directly connected switch or router fills with fake entries and its memory and CPU are consumed.


Before the attack (show cdp neighbors on the target)

After the attack (the neighbour table filled with random entries)

Countermeasure

Disable CDP globally with no cdp run from configuration mode,
or disable it only on interfaces facing the edge or external networks with the per-interface command
no cdp enable. CDP is only needed on links to other infrastructure devices (and to IP phones); it
should never run on user-facing ports.


Takeover HSRP Active Role Attack

Before the attack R1 is active with priority 110, R2 is standby with the default priority 100.

In the same network we have an attacker running Kali.

Kali side:
yersinia -G
HSRP tab


Choose becoming ACTIVE router

Choose your source IP address, 200.1.1.20 (any unused address in the HSRP subnet).


Our Kali machine now sends HSRP hellos telling R1 and R2 that it is an HSRP router with the highest
possible priority, 255. After a short while, show standby on R1 and R2 shows both routers treating Kali
as the HSRP active router. The active router owns the virtual MAC and IP address, so every host using the
virtual gateway now sends its traffic to the attacker, who can drop it (DoS) or forward it (man in the
middle).

Countermeasure
Simply setting R1 to the maximum priority of 255 will not fix the issue: if priorities are equal, the
primary IP addresses are compared and the higher IP address wins, so the attacker just picks a higher
address. The right fix is HSRP authentication, with MD5 if the IOS version supports it (standby <group>
authentication md5 key-string <key>). Plaintext authentication (standby <group> authentication <text>)
only protects against misconfiguration, since the string is sent in the clear in every hello and Yersinia
lets you set it.


IKE Scan Attack


http://www.nta-monitor.com/tools-resources/security-tools/ike-scan
also available from the Kali terminal.

ike-scan is not a man-in-the-middle tool; it is an active scanner used for reconnaissance. It sends IKE
Phase 1 proposals to the VPN gateway and reads the responder's reply, which reveals, without being in
the path of any traffic, whether an IPsec site-to-site VPN endpoint is listening, which IKE version it
answers (IKEv1 or IKEv2), which encryption/hash/DH-group/authentication transforms it accepts and, from
the vendor IDs and backoff timing, what kind of device it is.

In the topology above I assume you configured R1 and R2 with an IPsec site-to-site VPN and any necessary
static routes. (The command output is not reproduced here; the ike-scan options named below are the ones
that produce these results.)
The first command (ike-scan -2 <peer>, an IKEv2 probe) shows that IKEv2 is not used.

The second command (ike-scan -M <peer>, with --trans to test specific transforms) dumps the returned SA
payload, i.e. the ISAKMP policy and IPsec proposal the peer accepted. If the peer also answers aggressive
mode (ike-scan -A), the responder's hash can be captured for offline pre-shared-key cracking (--pskcrack),
which is the practical attack that follows this reconnaissance.


SYN DoS Attack

Kali performs a SYN flood against 10.2.2.2, reached through R2, using the hping3 CLI tool.

On the Kali side open a terminal as root and assign an IP address and default gateway (this should
already have been done for all the labs above), then launch the attack with hping3:

ifconfig eth1 10.1.1.100/24 up
route add default gw 10.1.1.1
update-rc.d networking defaults

hping3 -i u1 -S -p 2000 10.2.2.2 --flood --rand-source

-S sets the SYN flag, -p 2000 is the destination port, --flood sends as fast as possible without waiting
for replies (so the -i u1 interval of one packet per microsecond is superseded) and --rand-source puts a
random spoofed source address on every packet: the victim's half-open connections can never complete,
and the real source is hidden.

Countermeasure:

R2:
On R2 we first create an ACL to see the attack and apply it inbound on the interface the flood arrives
on (f0/0). log-input records the ingress interface and source MAC as well as the addresses and ports, so
we learn the destination address and port being hit:

ip access-list extended CISCO
 permit tcp any any syn log-input
 permit ip any any log-input

int f0/0
 ip access-group CISCO in

To see the (spoofed) source addresses and the half-open connections, enable TCP intercept for the
protected server. The intercept list matches on the destination, i.e. the server to protect (a broader
permit tcp any any would protect every destination behind R2, at the cost of tracking every TCP
connection):

access-list 101 permit tcp any host 10.2.2.2
ip tcp intercept list 101

What R2 shows:

R2(config)#
*Sep 10 02:06:13.699: %SEC-6-IPACCESSLOGP: list CISCO permitted tcp 164.180.7.215(62243) (FastEthernet0/0 0800.2732.1803) -> 10.2.2.2(2000), 1 packet
*Sep 10 02:06:14.711: %SEC-6-IPACCESSLOGP: list CISCO permitted tcp 145.76.15.197(109) (FastEthernet0/0 0800.2732.1803) -> 10.2.2.2(2000), 1 packet
R2(config)#
*Sep 10 02:06:15.711: %SEC-6-IPACCESSLOGP: list CISCO permitted tcp 87.25.180.175(4389) (FastEthernet0/0 0800.2732.1803) -> 10.2.2.2(2000), 1 packet
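Detection logic over %SEC-6-IPACCESSLOGP lines like the ones above, as an added example (not code from the original document). The sample lines are constructed in the format R2 printed, one syslog message per line, with two extra sources taken from the TCP intercept table below and one added legitimate SSH flow for contrast. The --rand-source fingerprint it looks for is many distinct source addresses arriving behind a single ingress MAC on a LAN-facing interface, often including unroutable (bogon) sources; on a WAN link, where everything arrives from the upstream router's MAC, only the bogon check applies.

```python
"""Detection over the %SEC-6-IPACCESSLOGP lines produced by the 'log-input'
ACL above (added example, not from the original document). SAMPLE_LOG is
constructed in the format R2 printed, one syslog message per line; the last
line is an added legitimate SSH flow for contrast. A spoofed SYN flood with
--rand-source shows up as many distinct source addresses behind one ingress
MAC on a LAN-facing interface, often including unroutable (bogon) sources."""
import ipaddress
import re
from collections import defaultdict

LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\w+) (?P<src>[\d.]+)\((?P<sport>\d+)\) "
    r"\((?P<intf>\S+) (?P<mac>[0-9a-fA-F.]+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?")

SAMPLE_LOG = """\
*Sep 10 02:06:13.699: %SEC-6-IPACCESSLOGP: list CISCO permitted tcp 164.180.7.215(62243) (FastEthernet0/0 0800.2732.1803) -> 10.2.2.2(2000), 1 packet
*Sep 10 02:06:14.711: %SEC-6-IPACCESSLOGP: list CISCO permitted tcp 145.76.15.197(109) (FastEthernet0/0 0800.2732.1803) -> 10.2.2.2(2000), 1 packet
*Sep 10 02:06:15.711: %SEC-6-IPACCESSLOGP: list CISCO permitted tcp 87.25.180.175(4389) (FastEthernet0/0 0800.2732.1803) -> 10.2.2.2(2000), 1 packet
*Sep 10 02:06:15.715: %SEC-6-IPACCESSLOGP: list CISCO permitted tcp 224.53.35.205(63535) (FastEthernet0/0 0800.2732.1803) -> 10.2.2.2(2000), 1 packet
*Sep 10 02:06:15.719: %SEC-6-IPACCESSLOGP: list CISCO permitted tcp 252.247.172.236(10186) (FastEthernet0/0 0800.2732.1803) -> 10.2.2.2(2000), 1 packet
*Sep 10 02:06:16.001: %SEC-6-IPACCESSLOGP: list CISCO permitted tcp 10.1.1.100(51000) (FastEthernet0/0 0800.2732.1803) -> 10.2.2.2(22), 40 packets
""".splitlines()


def parse_acl_log(lines):
    """Yield one dict per line that matches the IPACCESSLOGP format."""
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            yield m.groupdict()


def is_bogon(ip):
    """Source that should never arrive on a routed interface: multicast,
    reserved 240/4 (incl. 255.255.255.255), loopback, link-local, 0.0.0.0/8.
    RFC 1918 space is deliberately excluded: whether it is legitimate depends
    on the interface (here 10.1.1.0/24 is the real LAN)."""
    a = ipaddress.ip_address(ip)
    return (a.is_multicast or a.is_reserved or a.is_loopback or a.is_link_local
            or a.is_unspecified or a in ipaddress.ip_network("0.0.0.0/8"))


def analyse(lines, min_sources=3):
    """Group logged packets by destination socket and flag spoofed floods."""
    targets = defaultdict(lambda: {"packets": 0, "sources": set(),
                                   "macs": set(), "bogons": set()})
    for e in parse_acl_log(lines):
        t = targets[f"{e['dst']}:{e['dport']}"]
        t["packets"] += int(e["count"])
        t["sources"].add(e["src"])
        t["macs"].add(e["mac"].lower())
        if is_bogon(e["src"]):
            t["bogons"].add(e["src"])
    report = {}
    for key, t in targets.items():
        # Many source IPs behind one ingress MAC cannot be many hosts on a
        # directly connected LAN; with bogon sources it is the --rand-source
        # fingerprint. (On a WAN link everything shares the upstream MAC.)
        many_ips_one_mac = len(t["sources"]) >= min_sources and len(t["macs"]) == 1
        report[key] = {
            "packets": t["packets"],
            "distinct_sources": len(t["sources"]),
            "bogon_sources": sorted(t["bogons"]),
            "suspected_spoofed_flood": many_ips_one_mac or bool(t["bogons"]),
        }
    return report


if __name__ == "__main__":
    for target, info in analyse(SAMPLE_LOG).items():
        print(target, info)
```

On the sample, 10.2.2.2:2000 is flagged (five sources, one MAC, two of them multicast/reserved) while the single-source SSH flow to 10.2.2.2:22 is not. The same parser can be pointed at a syslog file; only the regex is specific to IOS.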


R2#sh tcp intercept connections


Incomplete:
Client Server State Create Timeout Mode
72.238.65.245:7883 10.2.2.2:2000 SYNRCVD 00:00:11 00:00:11 I
144.56.41.52:3804 10.2.2.2:2000 SYNRCVD 00:00:13 00:00:10 I
81.191.67.72:295 10.2.2.2:2000 SYNRCVD 00:00:16 00:00:01 I
37.192.18.21:63493 10.2.2.2:2000 SYNRCVD 00:00:16 00:00:01 I
71.88.119.114:63482 10.2.2.2:2000 SYNRCVD 00:00:16 00:00:01 I
252.247.172.236:10186 10.2.2.2:2000 SYNRCVD 00:00:11 00:00:11 I
58.136.199.189:3812 10.2.2.2:2000 SYNRCVD 00:00:13 00:00:10 I
224.53.35.205:63535 10.2.2.2:2000 SYNRCVD 00:00:16 00:00:01 I
192.43.202.178:320 10.2.2.2:2000 SYNRCVD 00:00:15 00:00:01 I
209.233.136.157:7861 10.2.2.2:2000 SYNRCVD 00:00:12 00:00:11 I
60.35.225.73:7848 10.2.2.2:2000 SYNRCVD 00:00:12 00:00:11 I

To drop the spoofed traffic, replace the logging ACL with one that permits only sources that
legitimately live behind f0/0; in this lab that is the Kali host's real address 10.1.1.100 (in production,
the whole connected subnet, 10.1.1.0/24). The implicit deny at the end discards every packet with a
random spoofed source, which is exactly what --rand-source generates. Kali can still flood from its real
address, but those packets are now attributable and can be blocked by host:

no ip access-list extended CISCO
ip access-list extended CISCO
 permit ip host 10.1.1.100 any
int f0/0
 ip access-group CISCO in

TCP intercept runs in intercept mode (the default) or watch mode. In intercept mode the router answers
the client's SYN itself, completes the three-way handshake and only then opens the connection to the
server, so half-open connections never reach the server; in watch mode (ip tcp intercept mode watch) it
lets connections through but resets any that stay half-open longer than the watch timeout (30 seconds by
default). Intercepting every SYN costs router CPU and memory, so scope list 101 to the servers that need
protecting and tune the thresholds (ip tcp intercept max-incomplete, ip tcp intercept one-minute) to the
expected load.

More information:
http://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_dos_atprvn/configuration/15-0m/sec-cfg-tcp-intercpt.html


Infrastructure Access Control List (iACL)


One of the most important countermeasures against spoofing attacks is applying an infrastructure ACL on
your edge router; read more:
http://www.cisco.com/c/en/us/support/docs/ip/access-lists/43920-iacl.html

To protect infrastructure devices and minimise the risk, impact and effectiveness of direct
infrastructure attacks, administrators are advised to deploy infrastructure access control lists (iACLs)
to enforce policy on traffic sent to infrastructure equipment. An iACL explicitly permits only authorised
traffic sent to infrastructure devices, in accordance with existing security policies and configurations,
denies everything else addressed to them, and still lets transit traffic through. For maximum protection
of infrastructure devices, iACLs should be applied in the ingress direction on all interfaces that have an
IP address configured.

The iACL starts with anti-spoofing entries so that internal addresses cannot arrive as a source on an
external connection. We also deny the RFC 3330 special-use address space (now RFC 6890) as a source, such as:
0.0.0.0/8 ("this" network)
255.255.255.255 and the rest of 240.0.0.0/4
127.0.0.0/8 (loopback)
the broadcast address of your own subnets

and of course we filter RFC 1918 private address space as a source:


10.0.0.0/8
172.16.0.0/12
192.168.0.0/16

Finally, deny your own address space as a source on traffic entering the network from outside.
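A small generator for the anti-spoofing part of an iACL, as an added example (not code from the original document or from the Cisco paper it links to). It computes the IOS wildcard masks with the ipaddress module and emits the entries in the order described above: special-use sources, RFC 1918 sources, your own space as a source, explicitly authorised traffic to infrastructure, a deny for everything else addressed to infrastructure, and a final permit for transit traffic. The prefixes in the usage below are RFC 5737 documentation placeholders, not addresses from this document; substitute your real space.

```python
"""Generator for the anti-spoofing part of an infrastructure ACL (added
example, not from the original document or the Cisco iACL paper). Emits IOS
extended-ACL lines with wildcard masks computed by ipaddress, in the order
the text describes. The addresses used in __main__ are RFC 5737
documentation placeholders standing in for an organisation's real space."""
import ipaddress

SPECIAL_USE = {          # RFC 3330 (now RFC 6890) sources, never valid from outside
    "0.0.0.0/8": "this network",
    "127.0.0.0/8": "loopback",
    "169.254.0.0/16": "link-local",
    "192.0.2.0/24": "TEST-NET",
    "224.0.0.0/4": "multicast",
    "240.0.0.0/4": "reserved, includes broadcast 255.255.255.255",
}
RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]


def addr_spec(prefix):
    """IOS address/wildcard spec for a prefix: 'host A', 'any', or 'A W'.
    strict=False masks off host bits, so '10.1.1.100/24' -> '10.1.1.0 0.0.0.255'."""
    net = ipaddress.ip_network(prefix, strict=False)
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    if net.prefixlen == 0:
        return "any"
    return f"{net.network_address} {net.hostmask}"     # hostmask == IOS wildcard


def build_iacl(own_prefixes, infra_prefixes, allowed, name="iACL"):
    """own_prefixes: address space behind this router (deny as outside source)
    infra_prefixes: router interfaces/loopbacks to protect (deny as destination)
    allowed: (src_prefix, proto, dst_prefix) tuples permitted to infrastructure
    Returns the ACL as a list of IOS configuration lines."""
    acl = [f"ip access-list extended {name}",
           " remark anti-spoofing: special-use sources (RFC 3330 / RFC 6890)"]
    for prefix in SPECIAL_USE:
        acl.append(f" deny ip {addr_spec(prefix)} any")
    acl.append(" remark anti-spoofing: RFC 1918 sources")
    for prefix in RFC1918:
        acl.append(f" deny ip {addr_spec(prefix)} any")
    acl.append(" remark anti-spoofing: our own space must not enter from outside")
    for prefix in own_prefixes:
        acl.append(f" deny ip {addr_spec(prefix)} any")
    acl.append(" remark explicitly authorised traffic to infrastructure")
    for src, proto, dst in allowed:
        acl.append(f" permit {proto} {addr_spec(src)} {addr_spec(dst)}")
    acl.append(" remark everything else addressed to infrastructure is dropped")
    for prefix in infra_prefixes:
        acl.append(f" deny ip any {addr_spec(prefix)}")
    acl.append(" remark transit traffic is allowed")
    acl.append(" permit ip any any")
    return acl


if __name__ == "__main__":
    # Placeholders: 198.51.100.0/24 is "our" space, .1 the edge router,
    # 203.0.113.0/24 an assumed external management/peering network.
    lines = build_iacl(own_prefixes=["198.51.100.0/24"],
                       infra_prefixes=["198.51.100.1/32"],
                       allowed=[("203.0.113.0/24", "ip", "198.51.100.1/32")])
    print("\n".join(lines))
```

Apply the resulting list with ip access-group <name> in on the external interface. The order matters: the permits for authorised peers must precede the deny for infrastructure destinations, and the final permit ip any any is what keeps customer transit traffic flowing.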


IPv6 FHS Attacks

Kali comes with many tools, including the THC IPv6 Attack Toolkit.

Some of the tools included in the THC IPv6 Attack Toolkit:


- parasite6: ICMPv6 neighbor solicitation/advertisement spoofer, puts you as man-in-the-middle,
same as ARP MITM (and parasite)
- alive6: an effective alive scanner, which will detect all systems listening on this address
- dnsdict6: parallelized DNS IPv6 dictionary bruteforcer
- fake_router6: announce yourself as a router on the network, with the highest priority
- redir6: redirect traffic to you intelligently (man-in-the-middle) with a clever icmp6 redirect
spoofer
- toobig6: mtu decreaser with the same intelligence as redir6
- detect-new-ip6: detect new ip6 devices which join the network, you can run a script to
automatically scan these systems etc.
- dos-new-ip6: detect new ip6 devices and tell them that their chosen IP collides on the network
(DOS).
- trace6: very fast traceroute6 with supports ICMP6 echo request and TCP-SYN
- flood_router6: flood a target with random router advertisements
- flood_advertise6: flood a target with random neighbor advertisements
- exploit6: known ipv6 vulnerabilities to test against a target
- denial6: a collection of denial-of-service tests against a target
- fuzz_ip6: fuzzer for ipv6
- implementation6: performs various implementation checks on ipv6
- implementation6d: listen daemon for implementation6 to check behind a fw
- fake_mld6: announce yourself in a multicast group of your choice on the net
- fake_mld26: same but for MLDv2
- fake_mldrouter6: fake MLD router messages
- fake_mipv6: steal a mobile IP to yours if IPSEC is not needed for authentication
- fake_advertiser6: announce yourself on the network
- smurf6: local smurfer
- rsmurf6: remote smurfer, known to work only against linux at the moment


- sendpees6: a tool by willdamn(ad)gmail.com, which generates neighbor solicitation requests
with a lot of CGAs (crypto stuff ;-) to keep the CPU busy. nice.
- thcping6: sends a hand crafted ping6 packet
[and about 30 more tools for you to discover!]

Let's see it in action

Kali learns the network prefix from the router advertisements of one of the routers and, by default,
derives the interface identifier (host part) from its MAC address with EUI-64. Newer Linux releases
often default to RFC 7217 stable-privacy or RFC 4941 temporary addresses instead, so check.

You can check your Kali IPv6 address by typing ifconfig.


Now let's ping R1 with 4 ICMPv6 echo requests (ping6 -c 4).

Now let's run a smurf attack against R1 with smurf6: it sends ICMPv6 echo requests to the all-nodes
multicast address with R1's address as the spoofed source, so every node on the link replies to R1.

On R1, debug ICMPv6 with debug ipv6 icmp.

Stop the attack in Kali by pressing Ctrl+C.


On R1 stop debugging with undebug all (abbreviated u all).


Now let's try another THC tool, flood_router6, which floods all routers (and hosts) on the link with
random router advertisements.

On R1, debug neighbor discovery with debug ipv6 nd.

Stop the attack in Kali by pressing Ctrl+C.


On R1 stop debugging with undebug all (u all).


THC can detect any new IPv6 address appearing in our network (detect-new-ip6). To trigger it, bounce
R2's interface:

R2(config)#int f0/0
R2(config-if)#shutdown
R2(config-if)#no shutdown

We can also find out which IPv6 hosts are up and which addresses they use with alive6.

We can also perform various implementation checks with implementation6, to learn more about the
network and which protocols and techniques are in use.


We can do the IPv6 equivalent of ARP spoofing (NDP replaces ARP in IPv6): parasite6 answers neighbor
solicitations with spoofed neighbor advertisements and puts Kali in the middle.


I can also turn my Kali host into a fake router that answers router solicitations with spoofed router
advertisements, handing out a fake network prefix so that hosts autoconfigure bogus IPv6 addresses.

Using the command:
fake_router6 eth1 2001:BAD:BAD:BAD::1/64

R2, which autoconfigures on f0/0, picks up the attacker's prefix:

R2#sh ipv6 int br
FastEthernet0/0 [up/up]
FE80::C001:12FF:FE1C:0
2001:BAD:BAD:BAD:C001:12FF:FE1C:0
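The EUI-64 derivation mentioned earlier ("Kali ... will use EUI-64 by default") is what produced both of R2's addresses above, so it is worth seeing the arithmetic. This is an added example, not code from the original document or the THC toolkit. It computes a SLAAC address from a prefix and a MAC, recovers the MAC from an EUI-64 address (useful when reading alive6 output), and reproduces the two-address state R2 ends up in after the fake RA. The MAC c2:01:12:1c:00:00 is the one implied by R2's output; 08:00:27:32:18:03 is the Kali MAC from the SYN-flood logs earlier.

```python
"""SLAAC/EUI-64 address derivation and its inverse (added example, not from
the original document). c2:01:12:1c:00:00 is the MAC implied by R2's
addresses in the text; 08:00:27:32:18:03 is the Kali host's MAC seen in the
SYN-flood logs earlier in this document."""
import ipaddress


def eui64_iid(mac):
    """64-bit interface identifier from a 48-bit MAC (RFC 4291, appendix A):
    insert ff:fe in the middle and flip the universal/local bit (0x02)."""
    octets = bytearray(int(x, 16) for x in mac.split(":"))
    if len(octets) != 6:
        raise ValueError(f"bad MAC: {mac}")
    octets[0] ^= 0x02
    return int.from_bytes(octets[:3] + b"\xff\xfe" + octets[3:], "big")


def slaac_address(prefix, mac):
    """Address a host autoconfigures for 'prefix' (must be a /64) with EUI-64."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 autoconfiguration needs a /64 prefix")
    return str(ipaddress.IPv6Address(int(net.network_address) | eui64_iid(mac)))


def mac_from_eui64(address):
    """Recover the MAC from an EUI-64 derived address, or None when the
    interface identifier is not EUI-64 shaped (no ff:fe in the middle)."""
    iid = ipaddress.IPv6Address(address).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = bytearray(iid[:3] + iid[5:])
    octets[0] ^= 0x02
    return ":".join(f"{b:02x}" for b in octets)


def interface_addresses(mac, advertised_prefixes):
    """What 'show ipv6 interface brief' ends up listing for an autoconfiguring
    interface: the link-local address plus one address per advertised /64.
    With a rogue RA in the mix, the attacker's prefix appears here too."""
    return [slaac_address("fe80::/64", mac)] + [
        slaac_address(p, mac) for p in advertised_prefixes]


if __name__ == "__main__":
    for a in interface_addresses("c2:01:12:1c:00:00", ["2001:bad:bad:bad::/64"]):
        print(a, "<-", mac_from_eui64(a))
```

The link-local address never changes, so an attacker who can read it can predict every EUI-64 address the host will form in any prefix, and the reverse mapping turns a list of addresses back into vendor OUIs (c2:01 here is a dynamips-style MAC, 08:00:27 is VirtualBox). That predictability is one reason newer hosts prefer RFC 7217 stable-privacy identifiers.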

We can even run denial-of-service test cases against R1, for instance with:
denial6 eth1 2001:DAD:DAD:DAD::1 1
(the last argument selects the test case; running denial6 without arguments lists them)

We can flood the network with neighbor advertisements with:


flood_advertise6 eth1

Countermeasure
These attacks are addressed by the IPv6 First Hop Security features on the access switches (RA guard,
DHCPv6 guard, ND inspection/snooping and IPv6 source guard), which drop router advertisements and
neighbor advertisements from ports where no router or no such host should exist. For more about IPv6
FHS, what NS/NA/RS/RA are and how to counter these attacks, kindly read my 23-page guide:
https://learningnetwork.cisco.com/docs/DOC-24288

Other tools you should play with in kali


SNMP enumeration tools:
snmpcheck
snmpwalk

Good Luck
Yasser Auda
CCIE R&S # 45694
CCSI # 34215
https://learningnetwork.cisco.com/people/yasser.r.a?view=documents
https://www.facebook.com/YasserRamzyAuda
https://www.youtube.com/user/yasserramzyauda

