Monday, February 27, 2017

Bypassing Port Security in Cisco Switch

Now it's time to learn some ethical hacking, like bypassing port security on a Cisco switch.
Cisco switches have a feature called port security. How does port security work?
Port security only allows specific MAC addresses that have already connected to the switchport. If the MAC doesn't match, frames sent by the host through that switchport are dropped. To understand this well, I strongly recommend learning the OSI layers and TCP/IP first before jumping into this material.
There are 3 port security actions, usually called violation modes: Shutdown, Restrict, and Protect. Here I choose Restrict, because we get a notification when a foreign MAC address tries to connect. And why not Shutdown? That's the critical one; find out yourself.
Okay, let's begin. In this post I'm using DracOs Linux as my pentesting equipment. What is DracOs? DracOs is the first pentest Linux distribution in Indonesia that is built from LFS. Very light and powerful.
And this is our pentest lab. Remember, port security in this lab is only implemented on IOU2 interface e0/0, with a maximum of 3 MAC addresses for IOU3 e0/0, PC1 e0 and PC2 e0.
The first thing you need to do is bring up your interface card. Now let's start thinking about how to get information we can use from an authorized user, without an IP address, while we're blocked by the switchport.
Network scanning? No, you can't, because you don't have an IP address to do that yet. ✌

Okay, here is my config on the e0/0 switchport, and you will see a violation occur after bringing up your interface. But why? Because my device doesn't match the port-security rules, and every time you give power to any interface, that interface will automatically send out ARP broadcasts to all ports, looking for friends in the network, but sadly my frames got dropped by port security.
I set up my router as a DHCP server. The reason is that I need the ARP and DHCP acknowledgement from an authorized user, and I just want to make it like the real world, with prefix /29.
Okay, now from the client side, I'm requesting DHCP from PC1 to the server while sniffing my own DracOs interface and looking for an ARP broadcast from the authorized user, and gotcha, now I've got some information here.
As you can see from Layer 2, we've now got an authorized MAC address, and we know which IP network the authorized user gets from the DHCP server. Now what?
Make sure your interface card is still up and working well, then assign an IP address within the same network as the information above. I will use prefix /24. Why? Because we won't get an IP from the DHCP server, so I'm just going to make it static, and since we don't know what mask the DHCP server uses, logically I can cover it with /24, which makes sense as a class "C" mask. Can we do that? Absolutely yes.
But just assigning an IP to our interface is not enough; it doesn't mean we can ping the router. Because port security matches on Layer 2, we need to use the MAC address of an authorized user to bypass this feature. Change your MAC address to the authorized user's MAC, then congratulations, you've bypassed it, and welcome to the network.
Just look at my ARP table after doing a ping and scanning my whole network: what I've got is just 2 hosts up. Do you know why? Because I have the same MAC address as one of the authorized users, the one with IP 172.16.0.2 and MAC 00:50:79:66:68:00, and I'm replacing him.
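The cloned MAC satisfies port security, but the MAC/IP pairs it announces in ARP no longer match what the DHCP server handed out. The following Python script is an added example, not part of the original post: it checks ARP senders in a `tcpdump -e -n arp` capture against a trusted binding table, the same comparison Dynamic ARP Inspection makes against the DHCP snooping database. Only 00:50:79:66:68:00 / 172.16.0.2 and the /29 prefix length come from the post; the capture lines, the other MACs and the .50 and .5 addresses are constructed.

```python
import ipaddress
import re

# Constructed lab data. Only 00:50:79:66:68:00 / 172.16.0.2 and the /29
# prefix length come from the post; everything else is made up.
SUBNET = ipaddress.ip_network("172.16.0.0/29")
BINDINGS = {                       # trusted MAC -> IP (DHCP leases + router)
    "aa:bb:cc:00:01:00": "172.16.0.1",
    "00:50:79:66:68:00": "172.16.0.2",
    "00:50:79:66:68:01": "172.16.0.3",
}
_HDR = "ethertype ARP (0x0806), length 60: "
CAPTURE = "\n".join([              # constructed `tcpdump -e -n arp` lines
    f"10:00:01.000000 00:50:79:66:68:00 > ff:ff:ff:ff:ff:ff, {_HDR}"
    "Request who-has 172.16.0.1 tell 172.16.0.2, length 46",
    f"10:00:01.000400 aa:bb:cc:00:01:00 > 00:50:79:66:68:00, {_HDR}"
    "Reply 172.16.0.1 is-at aa:bb:cc:00:01:00, length 46",
    f"10:02:30.000000 00:50:79:66:68:00 > ff:ff:ff:ff:ff:ff, {_HDR}"
    "Request who-has 172.16.0.1 tell 172.16.0.50, length 46",
    f"10:03:10.000000 00:50:79:66:68:00 > ff:ff:ff:ff:ff:ff, {_HDR}"
    "Request who-has 172.16.0.3 tell 172.16.0.5, length 46",
])

ARP_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[0-9a-f:]{17}) > [0-9a-f:]{17}, ethertype ARP .*?: "
    r"(?:Request who-has .*? tell (?P<req_ip>[\d.]+)"
    r"|Reply (?P<rep_ip>[\d.]+) is-at (?P<rep_mac>[0-9a-f:]{17}))",
    re.IGNORECASE,
)


def arp_senders(capture):
    """Yield (timestamp, sender_mac, sender_ip) for each ARP line."""
    for line in capture.splitlines():
        m = ARP_RE.match(line)
        if m:
            mac = (m["rep_mac"] or m["src"]).lower()
            yield m["ts"], mac, m["req_ip"] or m["rep_ip"]


def audit(capture, bindings=BINDINGS, subnet=SUBNET):
    """Return (ts, mac, ip, reason) for senders that contradict the bindings."""
    findings = []
    for ts, mac, ip in arp_senders(capture):
        if ipaddress.ip_address(ip) not in subnet:
            reason = "sender IP outside the served prefix"
        elif bindings.get(mac) != ip:
            reason = "MAC/IP pair not in binding table"
        else:
            continue
        findings.append((ts, mac, ip, reason))
    return findings


if __name__ == "__main__":
    for finding in audit(CAPTURE):
        print(*finding, sep="  ")
```

The first finding comes from the /24 guess described above: a static address chosen without knowing the real mask can fall outside the /29 the DHCP server actually serves.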






Sunday, February 19, 2017

Examine LKS NTB 2016/Cisco Superlab 6th

Today I'm going to examine the LKS NTB 2016 Cisco superlab, and here is the topology:

Here are the tasks that we're going to execute:
A company has a central office or headquarters (HQ) in Mataram and a branch office (Branch) in Sumbawa, connected via a Wide Area Network (WAN) using Point-to-Point Protocol (PPP) encapsulation, and connected to the Internet through an ISP router. At headquarters (HQ) there are 4 Virtual Local Area Networks (VLANs): MANAGEMENT, HR, MARKETING and FINANCE. Communication between VLANs (inter-VLAN routing) is handled by the HQ router in a router-on-stick configuration that implements IEEE 802.1Q encapsulation on subinterfaces of GigabitEthernet0/0. The Open Shortest Path First (OSPF) routing protocol is used on the HQ and BRANCH routers so that they can route data packets between the headquarters (HQ) and branch (Branch) networks. IP addresses are allocated dynamically using Dynamic Host Configuration Protocol (DHCP) for each VLAN at the head office and for the Wireless Local Area Network (WLAN) in the branch office, with the settings centered on the HQ router as DHCP server. The BRANCH router is enabled as a DHCP relay agent so that clients at the branch office obtain their IP addresses dynamically from the DHCP server on the HQ router.
Task 1
The CLI of switch SW_HQ can be accessed via the Terminal on PC HQ MANAGEMENT2. The configuration requirements are as follows:

Set the IP address on interface VLAN 1 to the second IP address of the subnet 192.168.169.8/29 and activate the interface.

Set the default gateway to the first IP address of the subnet 192.168.169.8/29, which is one of the HQ router's IP addresses, in order to communicate with different networks.

Create new VLANs:
VLAN 10 with the name HRD.
VLAN 20 with the name MARKETING.
VLAN 30 with the name FINANCE.

Set the port (interface) membership of each VLAN:
FastEthernet0/1 to VLAN 10
FastEthernet0/6 to VLAN 20
FastEthernet0/11 to VLAN 30

Enable trunk mode on interface GigabitEthernet0/1, which is connected to the HQ router.

Verify that the configuration meets the requirements.
Task 2 :
Set the IP address on interface Serial0/0/1, which is connected to the ISP router, using an IP address from the WAN ISP-HQ subnet 8.0.0.0/30 and activate the interface.

Set the WAN encapsulation protocol on interface Serial0/0/0, which is connected to the BRANCH router, to PPP and implement PPP authentication using CHAP with the password "Suranadi".

Set the IP address on interface Serial0/0/0 to the first IP address of the WAN HQ-Branch subnet 192.168.169.0/30.

Set the bandwidth to 1 Mbps and a clock rate matching that bandwidth on interface Serial0/0/0, which acts as DCE for the WAN HQ-Branch connection, and activate the interface.

Enable interface GigabitEthernet0/0.

Set up router-on-stick for inter-VLAN communication by creating subinterfaces on interface GigabitEthernet0/0 and applying IEEE 802.1Q encapsulation, with IP addresses allocated to each subinterface as follows:

Subinterface GigabitEthernet0/0.1 for VLAN 1 with the first IP address of the subnet 192.168.169.8/29.

Subinterface GigabitEthernet0/0.10 for VLAN 10 with the first IP address of the subnet 192.168.169.16/29.

Subinterface GigabitEthernet0/0.20 for VLAN 20 with the first IP address of the subnet 192.168.169.64/27.

Subinterface GigabitEthernet0/0.30 for VLAN 30 with the first IP address of the subnet 192.168.169.96/28.
    
Creating a DHCP Server
        
Make pools:
            
Name Pool "MANAGEMENT" for VLAN 1 with the subnet address 192.168.169.8/29
            
Name Pool "HR" for VLAN 10 with the subnet address 192.168.169.16/29
            
Name Pool "MARKETING" for VLAN 20 with the subnet address 192.168.169.64/27
            
Name Pool "FINANCE" for VLAN 30 with the subnet address 192.168.169.96/28
            
Name Pool "WLAN_BRANCH" for subnet 192.168.169.192/26 in the Branch Office.
        
The TCP/IP parameters set on each pool are:
            
Default gateway acquired DHCP Client uses the first IP address of each subnet of each VLAN and WLAN.
            
The IP address of the DNS server for the entire pool using the IP address of the DNS Root Server is 8.0.0.10.
        
Set the IP address leased to DHCP Client for each pool.
            
The first IP address of each VLAN and subnet address WLAN_BRANCH.
            
The second IP address of the subnet address 192.168.169.8/29 specifically for pool "MANAGEMENT" allocated to VLAN1.
    
Enable the OSPF routing protocol with process-id 46 and, using a wildcard mask, set the network 192.168.169.0/24 as part of OSPF area 0 on the HQ router.
    
Verify the configuration has been done to ensure compliance with the provisions.


Task   3 :

Set up each PC at headquarters, except PC HQ MANAGEMENT2, as a DHCP client. Make sure each PC in every VLAN has successfully obtained its IP addressing dynamically from the DHCP server.
Verify the connection from PC HQ MANAGEMENT1 to PC HRD, PC MARKETING and PC FINANCE using Simple PDU. Make sure the connection is successful.


Task 4 :
The CLI of the BRANCH router can be accessed via the Terminal on PC MANAGEMENT BRANCH. The configuration requirements are as follows:

Set the WAN encapsulation protocol on interface Serial0/0/0, which is connected to the HQ router, to PPP and implement PPP authentication using CHAP with the password "Suranadi".

Set the IP address on interface Serial0/0/0 to the second IP address of the WAN HQ-Branch subnet 192.168.169.0/30 and activate the interface.

Set the IP address on interface GigabitEthernet0/0 to the first IP address of the WLAN_BRANCH subnet 192.168.169.192/26 and activate the interface.

Set up the DHCP relay agent to forward requests from DHCP clients on the WLAN_BRANCH subnet to the DHCP server configured on the HQ router.

Enable the OSPF routing protocol with process-id 46 and, using a wildcard mask, set the network 192.168.169.0/24 as part of OSPF area 0 on the BRANCH router.

Verify that the configuration meets the requirements.


Task  5 :
Set up the access point AP_BRANCH with SSID "LKS-NTB" and enable WPA2-PSK authentication with the passphrase "SENGGIGI" and encryption type "AES" on Port 1.
Make sure the Port Status for Port 0 and Port 1 is active on the access point AP_BRANCH.

Task 6 :
Connect the laptop to the wireless access point with SSID "LKS-NTB" and WPA2-PSK password "SENGGIGI".
Verify the connection from Laptop BRANCH to the PCs located at HQ, namely PC HQ MANAGEMENT1, PC HRD, PC MARKETING and PC FINANCE, using Simple PDU. Make sure the connection is successful.

Task 7 :
Set the default route to the ISP, using as gateway the first IP address of the WAN ISP-HQ subnet 8.0.0.0/30, which is used by interface Serial0/0/0 of the ISP router.
Inject the default route into OSPF so that the BRANCH router obtains information about this route.
Create a named standard ACL called "INTERNET" to allow Internet access for the hosts in subnet 192.168.169.8/29 (VLAN1 MANAGEMENT), subnet 192.168.169.64/27 (VLAN20 MARKETING) and subnet 192.168.169.192/26 (WLAN_BRANCH).
Set up NAT overload or Port Address Translation (PAT) for the named standard ACL "INTERNET".
Verify that the configuration meets the requirements.

Task 8 :
Verify the Internet connection of PC HQ MANAGEMENT1, PC MARKETING and Laptop BRANCH by accessing the servers ntbprov.go.id and ditpsmk.net using Simple PDU and a browser. Make sure the connection is successful.

Now we're going to execute it : 

SW_HQ :


Router HQ :
HQ#sh ru
Building configuration...

Current configuration : 2629 bytes
!
version 15.1
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname HQ
!
!
!
enable secret 5 $1$mERr$YsXqIF8306MddLsesE9MP/
!
!
ip dhcp excluded-address 192.168.169.9
ip dhcp excluded-address 192.168.169.10
ip dhcp excluded-address 192.168.169.17
ip dhcp excluded-address 192.168.169.65
ip dhcp excluded-address 192.168.169.97
ip dhcp excluded-address 192.168.169.193
!
ip dhcp pool MANAGEMENT
network 192.168.169.8 255.255.255.248
default-router 192.168.169.9
dns-server 8.0.0.10
ip dhcp pool HRD
network 192.168.169.16 255.255.255.248
default-router 192.168.169.17
dns-server 8.0.0.10
ip dhcp pool MARKETING
network 192.168.169.64 255.255.255.224
default-router 192.168.169.65
dns-server 8.0.0.10
ip dhcp pool FINANCE
network 192.168.169.96 255.255.255.240
default-router 192.168.169.97
dns-server 8.0.0.10
ip dhcp pool WLAN_BRANCH
network 192.168.169.192 255.255.255.192
default-router 192.168.169.193
dns-server 8.0.0.10
!
!
!
no ip cef
no ipv6 cef
!
!
!
username BRANCH password 0 SURANADI
!
!
license udi pid CISCO2911/K9 sn FTX152474B2
!
!
!
!
!
!
!
!
!
!
!
spanning-tree mode pvst
!
!
!
!
!
!
interface GigabitEthernet0/0
no ip address
duplex auto
speed auto
!
interface GigabitEthernet0/0.1
encapsulation dot1Q 1 native
ip address 192.168.169.9 255.255.255.248
ip nat inside
!
interface GigabitEthernet0/0.10
encapsulation dot1Q 10
ip address 192.168.169.17 255.255.255.248
!
interface GigabitEthernet0/0.20
encapsulation dot1Q 20
ip address 192.168.169.65 255.255.255.224
ip nat inside
!
interface GigabitEthernet0/0.30
encapsulation dot1Q 30
ip address 192.168.169.97 255.255.255.240
!
interface GigabitEthernet0/1
no ip address
duplex auto
speed auto
shutdown
!
interface GigabitEthernet0/2
no ip address
duplex auto
speed auto
shutdown
!
interface Serial0/0/0
bandwidth 1000
ip address 192.168.169.1 255.255.255.252
encapsulation ppp
ppp authentication chap
ip nat inside
clock rate 1000000
!
interface Serial0/0/1
ip address 8.0.0.2 255.255.255.252
ip nat outside
!
interface Vlan1
no ip address
shutdown
!
router ospf 46
log-adjacency-changes
network 192.168.169.0 0.0.0.255 area 0
default-information originate
!
ip nat inside source list INTERNET interface Serial0/0/1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 8.0.0.1
!
ip flow-export version 9
!
!
ip access-list standard INTERNET
permit 192.168.169.8 0.0.0.7
permit 192.168.169.64 0.0.0.31
permit 192.168.169.192 0.0.0.63
!
!
!
!
!
line con 0
password cisco
login
!
line aux 0
!
line vty 0 4
password sanjose
login
!
!
!
end

 Router_BRANCH :
BRANCH#sh ru
Building configuration...

Current configuration : 1126 bytes
!
version 15.1
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname BRANCH
!
!
!
enable secret 5 $1$mERr$YsXqIF8306MddLsesE9MP/
!
!
!
!
!
!
no ip cef
no ipv6 cef
!
!
!
username HQ password 0 SURANADI
!
!
license udi pid CISCO2911/K9 sn FTX15246JL0
!
!
!
!
!
!
!
!
!
!
!
spanning-tree mode pvst
!
!
!
!
!
!
interface GigabitEthernet0/0
ip address 192.168.169.193 255.255.255.192
ip helper-address 192.168.169.1
duplex auto
speed auto
!
interface GigabitEthernet0/1
no ip address
duplex auto
speed auto
shutdown
!
interface GigabitEthernet0/2
no ip address
duplex auto
speed auto
shutdown
!
interface Serial0/0/0
ip address 192.168.169.2 255.255.255.252
encapsulation ppp
ppp authentication chap
!
interface Serial0/0/1
no ip address
clock rate 2000000
shutdown
!
interface Vlan1
no ip address
shutdown
!
router ospf 46
log-adjacency-changes
network 192.168.169.0 0.0.0.255 area 0
!
ip classless
!
ip flow-export version 9
!
!
!
!
!
!
!
line con 0
password cisco
login
!
line aux 0
!
line vty 0 4
password sanjose
login
!
!
!
end

Access point :


And finally, configure the DHCP client on the PCs :D and then you get 100:

Here is the link to play this superlab:

Friday, February 17, 2017

Cisco Superlab 5th

Superlab Cisco 5th scenario. I actually adopted this superlab from last year's LKS, and this is the topology 🔺 🖧🖧🖧🖧🖧 :
And here are the tasks:
Packet Tracer Scenario
An enterprise called Company is responsible for organizing the World Skills London 2011 event. The company called ISP has been requested to host the event's two websites (www.worldskills.org, www.london2011.org). The company also works with two agencies (Agency 1 and Agency 2) to manage the event. The following is the detailed network description of ISP, Company, Agency 1 and Agency 2:



Instructions:

1.       Most of the functionality of this Packet Tracer file has been blocked, e.g. creating or removing objects, using the CLI, etc.

2.       Since CLI is blocked, you must use the PC terminal.

3.       The Topology diagram is provided in the last page of this script.

4.       Read the whole script before starting your work in Packet Tracer.

5.       The last good backup file will be marked.
Network description:
ISP:
•       Consists of two web servers:
Device | IP Address | Hosts
WEB1 | 80.80.80.80 | www.worldskills.org
WEB2 | 70.70.70.70 | www.london2011.org

Company:

•       The company router is connected to the other network routers as follows:
Connected to | Network Address
ISP router | 90.90.90.0/30
Agency 1 router | 192.168.0.0/30
Agency 2 router | 192.168.0.4/30

•       Company Local Area Network Address = 172.18.0.0, consisting of three VLANs:
PC Name | VLAN # | Switch Port
DNS | 10 | Fa0/24
PC3 | 22 | Fa0/10
PC4 | 20 | Fa0/15



o   Server (VLAN 10) = 10 hosts
o   Publicity (VLAN 22) = 60 hosts
o   Admin (VLAN 20 ) = 25 hosts
o   Note: use the VLAN number as given in this script in for all configurations.
Agency 1:
•       Consist of 2 Local Area Networks:
o   LAN1 = 172.16.0.0/24
o   LAN2= 172.16.1.0/24
Agency 2:
•       consist of one Local Area Network = 172.17.0.0/24


Activity Tasks:
Task 1: Assigning and configuring IP address:

•       ISP Router:
o   Configure the IP Address of ISP port connected to the Company router; use the first valid IP address of the range.

•       Company Router:
o   Any port in company router (except for the one connected to ISP) must be assigned with the first valid IP Address of their ranges.
o   Company LAN:

§  Calculate the VLANs subnet range in descending order.

§  Use subnet 0 as first subnet range.

§  Gateways always get the first valid IP address.

§  DNS Server gets the second valid IP address of its range.

•       Configure switch vlan name and switch port vlan member

•       Agency 1 and Agency 2 LANs:
o   Gateways always get first usable IP address of their network ranges.
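One way to carry out the Company LAN calculation above, as an added Python example that is not part of the original lab script. It assumes "descending order" means largest host count first and that subnet 0 starts at 172.18.0.0; the function names `vlsm` and `addressing` are hypothetical.

```python
import ipaddress

# Host counts per VLAN and the LAN address, as listed in the network description.
BASE = "172.18.0.0"
DEMANDS = {"Server (VLAN 10)": 10, "Publicity (VLAN 22)": 60, "Admin (VLAN 20)": 25}


def vlsm(base, demands):
    """Carve subnets out of `base`, largest host count first, from subnet 0."""
    cursor = int(ipaddress.IPv4Address(base))
    plan = {}
    for name, hosts in sorted(demands.items(), key=lambda kv: kv[1], reverse=True):
        # The block must hold the hosts plus the network and broadcast addresses,
        # so find the smallest power of two >= hosts + 2.
        bits = (hosts + 1).bit_length()
        size = 1 << bits
        cursor = -(-cursor // size) * size       # align up to a block boundary
        plan[name] = ipaddress.ip_network((cursor, 32 - bits))
        cursor += size
    return plan


def addressing(plan):
    """Subnet, mask, wildcard and the first two usable addresses per VLAN."""
    return {
        name: {
            "subnet": str(net),
            "mask": str(net.netmask),
            "wildcard": str(net.hostmask),       # for OSPF network statements
            "gateway": str(net[1]),              # first valid IP address
            "second": str(net[2]),               # DNS server's address in VLAN 10
        }
        for name, net in plan.items()
    }


if __name__ == "__main__":
    for name, row in addressing(vlsm(BASE, DEMANDS)).items():
        print(name, row)
```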




Task 2: DHCP
•       Configure the company router as DHCP server for :
o   Company VLANs with DHCP pool name VLAN20 and VLAN22, (except for the server VLAN)
o   Agency1 LANs with DHCP pool name:
§  AG1LAN1 for Agency 1 LAN 1
§  AG1LAN2 for Agency 1 LAN 2
o   Agency2 LAN with pool name AG2.
•       Configure DHCP relay on Agency 1 and Agency 2 Router to DHCP Server Company Router

Task2: WAN

•       Configure the default route to ISP (don’t use interface name) in Company router.

•       OSPF:

o   Configure the OSPF routing protocol (with the process ID 100) between company, Agency1 and Agency2 routers.

o   The routers must be configured under area 0.

o   Company router must propagate the default route to other routers.

•       WAN encapsulation:

o   The connection between the company router and the two agencies is secured by PPP CHAP using the password as cisco.


Task3: DNS Resolution:

•       The DNS Server in Company network must resolve the two websites hosted by ISP.



Task4: PC Configuration:

•       Configure All hosts with DHCP

•       All hosts in the company network and the agency networks must be able to access the two websites using the URLs given above.