VoIP Hopper is a Unix/Linux based free opensource security tool that rapidly runs a VLAN Hop into the Voice VLAN on specific Ethernet switches. VoIP Hopper mimicks the behavior of an IP Phone, in both Cisco and Avaya IP Phone environments to hope into the Voice VLAN.  VoIP Hopper is both a VLAN Hop test tool and a tool to test VoIP infrastructure security. 

In Cisco IP Phone networks, it first dissects either IEEE 802.3 or Ethernet II for Cisco Discovery Protocol (CDP) packets. If CDP is enabled on the switch port and the Voice VLAN feature is enabled, it will determine the Voice VLAN ID (VVID). This will allow the tool to create a new Ethernet interface on the PC that tags the 802.1q VLAN header in the Ethernet packet. After VoIP Hopper has created the new Ethernet device, it will send a DHCP client request. It can also generate CDP messages just as an IP Phone based on CDP would do.  It will send two CDP packets, requesting the Voice VLAN ID.  After creating the new interface, it will then iterate between sleeping for 60 seconds, and sending a CDP packet.

In Avaya IP Phone environments, it sends an Option 55 parameter request list, requesting Option 176.  When the DHCP server sends Option 176, it decodes the L2QVLAN reply field for the Voice VLAN ID.  It then creates a new voice interface and sends a DHCP request.

VOIP Hopper can be downloaded from here

VOIP Hopper requires

libpcap – For Sniffing

GNU C Compiler & Make utility to install

To install

Unzip & Untar VOIP Hopper

debian# tar -zxvf voiphopper-0.9.9.tar.gz

Change Directory and Install

debian# cd voiphopper-0.9.9

debian:~/voiphopper-0.9.9# make

This installs VoIP Hopper on your Linux distribution.

Now, some of the usage examples are

Sniff CDP & VoIP Hop

debian# voiphopper -i eth1 -c 0

where "eth1" is the interface

-c = 0 – Defines sniffing

Spoof CDP & VoIP Hop in Cisco SIP environment

debian# voiphopper -i eth1 -c 1 -E 'SIP00070EEA5086' -P 'Port 1' -C Host -L 'Cisco IP Phone 7940' -S 'P003-08-8-00' -U 1

Spoof CDP & VoIP HOP in Cisco SCCP environment

debian# voiphopper -i eth1 -c 1 -E 'SEP0070EEA5086' -P 'Port 1' -C Host -L 'Cisco IP Phone 7940' -S 'P00308000700' -U 1

VLAN Hop without CDP Sniffing (if VLAN ID is known)

debian# voiphopper -i eth1 -v 200

Discover Voice VLAN in Avaya IP Phone environment

debian# voiphopper -i eth1 -a

Spoof MAC Address of an IP Phone by sniffing for CDP

debian# voiphopper -i eth1 -c 0 -m AA:AA:AA:AA:AA:AA

Spoof MAC Address of an IP Phone using Avaya DHCP request

debian# voiphopper -i eth1 -a -m AA:AA:AA:AA:AA:AA
 
Spoof MAC Address of an IP Phone by VLAN Hopping without CDP or DHCP

debian# voiphopper -i eth1 -v 200 -m AA:AA:AA:AA:AA:AA

Spoof MAC Address of IP Phone without changing the MAC Address of default ethernet interface

debian# voiphopper -i eth1 -v 200 -m AA:AA:AA:AA:AA:AA -D

A malicious user can easily gain access to data on another VLAN to which he is not authorised to access using VLAN hopping. A VLAN Hoping attack can be launched by using a Switch Spoofing or Double Tagging of 802.1q trunking protocol. To have a quick insight into VLAN Hopping, click here.

You can prevent VLAN Hopping in Cisco Switches as follows:

1. Prevent VLAN Hopping attacks using Switch Spoofing

In this form of VLAN Hopping attack, the simplest solution would be to disable "Dynamic Trunking Protocol (DTP)" on all untrusted ports, mostly imporantly on the access switches where end users connect their devices and gain access to network.

This can be done by

ciscoswitch# conf t

ciscoswitc(config)# int gi1/10

ciscoswitch(config-if)# switchport nonegotiate

In the above, the "switchport nonegotiate" command on interface "gi1/10" disable the DTP. So, the switchport will not negotiate trunking on the link.

An even more better option would be to explicitly coonfigure the port as a access port by which eliminates any fears of trunking on the port (assuming you are aware of the fact that there isn't going to be a need for that port to act as a trunking port)

ciscoswitch(config-if)# switchport mode access

This disables trunking and DTP on the port and marks it as an access port only.

2. Prevent VLAN Hopping attacks using Double Encapsulation (Double Tagging)

Use a isolated VLAN as a native VLAN for the trunks which is used for tunnel traffic only and not for any other traffic as the trunk port strips the VLAN tag and passes it as untagged traffic.

VLAN Hopping is a Layer 2 security exploit by which a malicous user connected to a switchport on a Switch assigned to a VLAN can hop on and gain access to another VLAN which otherwise is not accessible. This security exploit allows the malicous hacker to bypass the IP Securities implemented at Layer 3.

There are 2 ways that a malicious hacker can conduct a VLAN hopping hack on a network.

1. Switch Spoofing

Switch Spoofing is a method by which the host with the capability of emulating tagging and trunking protocols connected to a switchport with Auto-Trunking capabilities turns the port into a Trunk and thereby havng a complete visibility and access to all the traffic to all the VLANS in the network. In Cisco Switches, the "Dynamic Trunking Protocol" provides the auto-trunking capabilities and most if not all has it enabled by default.

To prevent such attacks, the solution obviously is to disable Auto-Trunking on all ports except the ones which actually trunk other switches. This especially, is very important on all access switches in a network. In cisco, disable the "Dynamic Trunking Protocol". Click here for the procedure

2. Double Tagging

Double Tagging or Double 802.1q encapsultaion is a method which takes advantage of the backward compatibility enabled into the 802.1Q protocol to support native VLANs. This allows the 802.1q trunk ports to talk to 802.3 ports directly to send & receive untagged traffic.

A mailicious hacker connected to a switchport generates a packet with two VLAN tags. The Outer VLAN tag is the tag for the Native VLAN of the trunk and the inner tag is the one of the target VLAN to which the hacker is trying to gain access to.

When a 802.1q trunk port on a switch whose native VLAN is the same as the VLAN  on the outer tag gets the packet, it strips the outer tag and forwards the packet as untagged traffic. Now, the inner tag which has the VLAN tag of the target VLAN becomes the permanent identity of the packet and hence the hacker has hopped onto the target VLAN and has gained access to data on the VLAN thereby bypassing the layer 3 securities.

While no security is fool proof, it is important that we do as much as we can to ensure maximum protection on our netowrk devices like Routers and Switches. Cisco IOS has enhanced Login restriction features which can control login attempts to it. This includes time delay between failed login attempts, block period after a set of failed login attempts and audit logs of successful and failed login attempts.

These login restrictions provides more control and make it that more harder for unauthorised accesses and prevent against Dictionary based DoS attacks.

To start of with,

Block Logins after failed attempts

From the Global configuration mode enter the login block-for command to block login attempts to the Cisco Router and Switches for a set period after a preset number of failed login attempts in a specified period of time.

ciscorouter# conf t

ciscorouter(config)# login block-for 300 attempts 3 within 60

Here we block all login attempts (except for the exception ACL list which we will see a few lines down) for 300seconds (5mins) after 3 failed login attempts with 60 seconds (1min). This blocking period is called "Quiet mode"

Set Login Delays

We can enforce a time delay after a failed login attempt. As soon as the "login lock-for" option is set, this automatically kicks in with the default value of 1 second. However, this can manually changed to anything upto 10 seconds.

ciscorouter(config)# login delay 10

Here we set a delay of 10 seconds after a failed login attempt.

Set Quiet Mode Exception ACL

While we enforce a blocking period after successive failed login attempts, we can configure an Exception Access list of hosts or networks. These hosts or networks will be able to login to the router even in the quiet mode.

ciscorouter(config)# login quiet-mode access-class 10

Where 10 is the ACL

Audit Logs on Failed and Successfule login attempts

To enable logging after failed login attempts

ciscorouter(config)# login on-failure log

This logs every time there is a failed login attempt. We can customize the number of failed attempts after which the message is logged.

ciscorouter(config)# login on-failure log 3

The above logs the failed attempts after 3 successive failure.

Similarly, successful logins can be logged as well

ciscorouter(config)# login on-success log

or

ciscorouter(config)# login on-success log 5

To display the Login configuration status

Simply do a

ciscorouter# sh login

A default login delay of 10 seconds is applied.

No Quiet-Mode access list has been configured.

All successful login is logged and generate SNMP traps.

All failed login is logged and generate SNMP traps.

Router enabled to watch for login Attacks.

If more than 3 login failures occur in 60 seconds or less, logins will be disabled for 300 seconds.

Router presently in Quiet-Mode, will remain in Quiet-Mode for 93 seconds.

Denying logins from all sources.

To only display failed login attempts

ciscorouter# sh login failure

Information about login failure's with the device

Username      Source IPAddr  lPort Count  TimeStamp

admin1          192.168.1.1        23    1     21:52:49 UTC Sun Mar 9 2008

someone          192.168.1.2        23    1     21:52:52 UTC Sun Mar 9 2008

Virtual Private Network (VPN) is a network which uses a shared network infrastructure (Internet) which allows a secure access between two networks or securely connects a remote user to his corporate network.

Let's check out here how to configure a Site to Site VPN using a Pre-shared Key in Cisco Routers running Cisco IOS

Let's use a HQ-Branch office network setup with the following:

Authentication Method: Pre-Shared Key

Encryption Algorithm: 3DES

Hash Algorithm: SHA

HQ Router External IP : 172.10.10.100

(Peer IP for Branch Network)

HQ Internal Network: 172.11.1.0/24

Branch Router External IP : 10.1.1.100

(Peer IP for HQ Network)

Branch Internal Network: 10.11.2.0/24

Configuring IKE Policies

Create an IKE Policy

From the global configuration mode, create a new IKE Policy.

VPN-HQ(config)# crypto isakmp policy 1

Set the Keep-Alive & Retry intervals

The default Keep-Alive time os 10 seconds and retry when the keep-alive fails is 2 seconds. If you prefer changing this value then do the following else can be ignored

VPN-HQ(config-isakmp)# crypto isakmp keepalive 15 retry 3

Specify the Encryption Algorithm

I'm using 3DES encryption method here

VPN-HQ(config-isakmp)# encryption 3des

Specify the HASH Algorithm

I'm using sha hashing algorithm here

VPN-HQ(config-isakmp)# hash sha

Set the Authentication Method

We are using Pre-shared key here for Authentication

VPN-HQ(config-isakmp)# authentication pre-share

Set the Diffe-Hellman Group Identifier

We are using DH Group-2 (1024)

VPN-HQ(config-isakmp)# group 2

Specify SA's lifetime (seconds)

Set the lifetime of the Security Associations in seconds. I'll set it for 24hrs (86400 seconds) here

VPN-HQ(config-isakmp)# lifetime 86400

Set Pre-shared Key

The Authentication method we use here is the Pre-Shared key. We should now set this previously agreed shared key (don't exchange on emails. Use your phone,letters or faxes) from the global configuration mode.I'll use a simple pre-shared key "0urVpN" but use more complex key when configuring a production system.

VPN-HQ(config)# crypto isakmp key 0urVpN address 10.1.1.100

where 10.1.1.100 is the Peer routers IP Address and "0urVpN" is the pre-shared key.

Define Transformation Set

We set the transformation of ESP-3DES transform and ESP-SHA-HMAC transform to Transformation set 3DES-SHA-HMAC

VPN-HQ(config)# crypto ipsec transform-set 3DES-SHA-HMAC esp-3des esp-sha-hmac

VPN-HQ(cfg-crypto-trans)# exit

Setup a Crypto ACL

This ACL defines the protected traffic that passes through the VPN tunnel. Customize the ACL as per your organisation needs.

VPN-HQ(config)# ip access-list 101 permit ip 172.11.1.0 0.0.0.0 10.11.2.0 0.0.0.0

Create an IPSec Map

Create an IPSec Crypto Map and assign it a Sequence number

VPN-HQ(config)# crypto map HQ-BR1-MAP 2 ipsec-isakmp

where 2 is the sequence number and HQ-BR1-MAP is the nameof the map.

Set the Network traffic to be protected

Here use the extended ACl created earlier to define the traffic that is protected and passed through the tunnel.

VPN-HQ(config-crypto-map)# match address 101

where 101 is the Extended ACL

Set the Peer Address

VPN-HQ(config-crypto-map)# set peer 10.1.1.100

Set Transform Set

VPN-HQ(config-crypto-map)# set 3DES-SHA-HMAC

Set Perfect Forwarding Secret

VPN-HQ(config-crypto-map)# set pfs group 2

Apply Crypto Map to the external Interface

VPN-HQ(config)# int fa0/0

VPN-HQ(config-if)# crypto map HQ-BR1-MAP

Allow inbound IPSec traffic from the Peer on the external interface

VPN-HQ(config)# ip access-list 102 permit udp host 10.1.1.100 any eq isakmp

VPN-HQ(config)# ip access-list 102 permit esp host 10.1.1.100 any

That completes the configuration on the Cisco Router at the HQ. Repeat the procedure with only changing

1. The Peer IP in the steps for setting the Pre-shared Key & setting Peer.

2. Modify the ACLs for the protected networks

3. Inbound ACL to allow incoming traffic from peer

To verify the configs, use the following show commands:

Display Crypto IKE Policy

VPN-HQ# show crypto isakmp policy

Display Crypto Transform Set

VPN-HQ# show crypto ipsec transform-set

Display Crypto Map entries

VPN-HQ# show crypto map

If you have site to site IPSec VPNs configured between two network with your Juniper Netscreen or SSG firewalls and clients from one network access servers or services from the other network then it is advisable to enable Path MTU Discovery support on the Juniper firewalls.

Juniper Netscreen or SSG firewalls running Screen OS by default disable the Path MTU Discovery support. This means, when an IP Packet with DF bit set ("1") in the ip Header and its size after IPSec Encapsulation is more the MTU of the Juniper VPN Firewall arrives at the VPN Firewall, the firewall will ignore the "DF" bit and simply fragments the packets and forwards it to the appropriate tunnel interface. This can cause serious problems with some applications. A classic example is the Microsoft Applications that rely on NetBIOS over TCP/IP which wouldn't prefer the packets being fragmented (and hence DF set).

It is advisable that the Path MTU Discovery support is enabled on the Juniper VPN Firewalls. When enabled in the above scenario, the Firewall will drop the packet instead and send an "ICMP Destination Unreachable (Datagram Too Big)" message (ICMP Type 3 Code 4 message) back to the host with its MTU value. The source host then adjusts its assumed Path MTU value appropriately and sends the packet accordingly so the packet size is well within the MTU of the firewall and hence the packet is not fragmented and is forwarded as such.

To enable Path MTU Discovery in Juniper firewalls running Screen OS logon as an admin user and run the following commands:

Set Path MTU

SSG20> set flow path-mtu

SSG20> save

To verify the change

SSG20> get config | incl path

Remember, this needs to be enabled on the other VPN Peer as well.

This change should make users on either side a happy bunny!!!

Yersinia is a free Network Penetration testing tool used to test and analyse some of the most commonly used protocols on your network. Penetration testing tools of this kind will provide deep insight on network security issues. Yersinia is a UNIX based tool that works on Linux, Solaris 8, FreeBSD.

NOTE: The tool is described as a tool to perform network tests and exercise responsible actions when performing tests which includes obtaining the permission from responsible authorities. DO NOT USE THIS TOOL FOR ANY UNAUTHROSIED HACKING PURPOSES

The attacks for testing can be performed on the following protocols:

Inter-Switch Link Protocol (ISL)

Cisco Discovery Protocol (CDP)

Sending RAW CDP packet
DoS flooding CDP neighbors table
Setting up a virtual device

Spanning Tree Protocol (STP)

Sending RAW Configuration BPDU
Sending RAW TCN BPDU
DoS sending RAW Configuration BPDU
DoS sending RAW TCN BPDU
Claiming Root Role
Claiming Other Role
Claiming Root Role dual home (MITM)

Dynamic Trunking Protocol (DTP)

Sending RAW DTP packet
Enabling trunking

Dynamic Host Configuration Protocol (DHCP)

Sending RAW DHCP packet
DoS sending DISCOVER packet (exhausting ip pool)
Setting up rogue DHCP server
DoS sending RELEASE packet (releasing assigned ip)

Hot Standby Router Protocol (HSRP)

Sending RAW HSRP packet
Becoming active router
Becoming active router (MITM)

IEEE 802.1Q

Sending RAW 802.1Q packet
Sending double encapsulated 802.1Q packet
Sending 802.1Q ARP Poisoning

IEEE 802.1X

Sending RAW 802.1X packet
Mitm 802.1X with 2 interfaces

VLAN Trunking Protocol (VTP)

Sending RAW VTP packet
Deleting ALL VLANs
Deleting selected VLAN
Adding one VLAN
Catalyst crash

Yersinia has precompiled builds for Ubuntu, Debian & FreeBSD but also has the source from which we can build and install Yersinia.

To build and install from source,

Download the latest versio (0.7.1) from here

Untar, Compile, Build and install as follows

pentest# tar -zxvf yersinia-0.7.1.tar.gz

pentest# cd yersinia-0.7.1

pentest# ./configure

pentest# make

pentest# make install

For more information and some very useful writeups click here

Secure destruction of data like personal details, banking information, confidential company information or critical customer data when they are no longer required is very important to information security for the simple reason that they can always be recovered in many ways from the hard disk. This is even more important when you sell or throw away your old PCs. Simply deleting the files from the PC doesn't really remove the files for good. They can always be recovered. FileShredder just protects you from that. File Shredder is an opensource free file secure destruction software for permanent removal of critical confidential files from the hard disk. With File Shredder you can remove files from your hard drive without fear they could be recovered. File Shredder has been developed as fast, safe and reliable tool to shred company files.

Read more… »

Phishers send well crafted emails as if coming from a valid source like your bank tricking you to enter your bank account or any portal (like eBay or Paypal) details including login and password or PIN numbers . Once, you enter the details, they are sent to remote servers. Now, that’s more than anything for the hackers to loot money out of your account.

Taking security seriously, we will discuss the community aided Netcraft tool bar for Internet Explorer & Firefox. First of all, I have to applaud NetCraft toolbar as by far the best toolbar that you can get for free. When I tested a new eBay scam email URL, no other toolbar other than NetCraft can catch the Phishing URL.

Read More…>>

Secunia Personal Security Inspector (PSI) is a great tool for Windows Operating Systems (Windows 2003,Windows XP SP2, Windows Vista, Windows SP4 )to assess the installed applications on your system for patch status of installed applications and audits the applications for insecured versions and End Of life status.

While Secunia PSI is not a replacement to a Antivirus, Firewall or a malware protection software, it does lend a great deal of help in auditing the applications installed on the system and to report Insecure, End Of Life applications.

Secunia PSI is very easy to use and the user does not have to be an IT expert and anyone (even a novice user) canuse the application without any trouble. Secunia PSI checks the files on the system and looks into the Meta-data of the applications found in EXE, DLL and OCX files. This is then sent to the Secunia PSI server where it is compared against the signatures on the server and reported back to the user in a nice friendly way.

When reporting an Insecure / End Of life applications, it also provides a direct download link to the latest patch/fix or newer version of the application. Secunia PSI has an option to hide applications that are not easy to patch but personally I wouldn't recommend to enable the option.

The overview is a dashboard with a nice pie chart and short summary of the system status and history on a graph.

Secunia also a network edition for corporates and can request for an evaluation.

Secunia PSI can be downloaded from Secunia website