Cisco ASA Software 8.x / 9.x – IKEv1 and IKEv2 Buffer Overflow

SOURCE:
RESULT:
-crashes the ASA and forces it to reboot

AFFECTED DEVICES:
Buffer overflow in the IKEv1 and IKEv2 implementations in
-Cisco ASA Software before 8.4(7.30), 8.7 before 8.7(1.18), 9.0 before 9.0(4.38), 9.1 before 9.1(7), 9.2 before 9.2(4.5), 9.3 before 9.3(3.7), 9.4 before 9.4(2.4), and 9.5 before 9.5(2.2) on ASA 5500 devices, ASA 5500-X devices
-ASA Services Module for Cisco Catalyst 6500 and Cisco 7600 devices, ASA 1000V devices
-Adaptive Security Virtual Appliance (aka ASAv), Firepower 9300 ASA Security Module, and ISA 3000

VERIFICATION:
-find the open ports using Kali Linux
# nmap -v -A 10.0.10.221
open ports are 22 and 443

-download the Python script from https://www.exploit-db.com/exploits/39823/
# python 39823.py 10.0.10.221 10.0.10.103:443
10.0.10.103 is my PC's IP
443 is the port that we want to attack; port 22 can be used instead
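A defender-side check added here (not code from the page or from Cisco): it parses an ASA version string and compares it with the fixed releases listed above, so an inventory of `show version` output can be screened. The fixed-release table is taken from the page; the function names, the regex and the treatment of unlisted trains are my assumptions.

```python
import re
from typing import Optional, Tuple

# First fixed release of each ASA train, as listed on this page.
# A release below its train's entry is affected; trains older than 8.4
# fall under the page's "before 8.4(7.30)" and are treated as affected.
FIXED_RELEASES = {
    (8, 4): (7, 30),
    (8, 7): (1, 18),
    (9, 0): (4, 38),
    (9, 1): (7, 0),
    (9, 2): (4, 5),
    (9, 3): (3, 7),
    (9, 4): (2, 4),
    (9, 5): (2, 2),
}

# Accepts the documented form 9.1(7.4) and the 'show version' form 9.1(7)4.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\((\d+)(?:\.(\d+))?\)(\d+)?")


def parse_asa_version(text: str) -> Tuple[int, int, int, int]:
    """Return (major, minor, interim, build) from a line containing an ASA version."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no ASA version found in {text!r}")
    major, minor, interim, build_a, build_b = m.groups()
    return int(major), int(minor), int(interim), int(build_a or build_b or 0)


def is_affected(text: str) -> Optional[bool]:
    """True/False against the page's fixed releases; None for trains the page
    does not list (8.5, 8.6 and anything newer than 9.5), rather than guessing."""
    major, minor, interim, build = parse_asa_version(text)
    train = (major, minor)
    if train < (8, 4):
        return True
    fixed = FIXED_RELEASES.get(train)
    if fixed is None:
        return None
    return (interim, build) < fixed


if __name__ == "__main__":
    # Constructed sample in the shape 'show version' prints (not a real device).
    sample = "Cisco Adaptive Security Appliance Software Version 9.1(6)2"
    print(parse_asa_version(sample), is_affected(sample))
```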

Firewall/Router Attack – BlackNurse

SOURCE: blacknurse.dk

The BlackNurse attack causes high CPU load on the target device.

REQUIREMENT:

-Kali linux

Attack (flood mode works better)
# hping3 -1 -C 3 -K 3 -i u20

# hping3 -1 -C 3 -K 3 --flood

RESULTS:
-Mikrotik v6.37.1 CPU utilization before attack 4%, after attack 44%
-Fortigate 5.2 CPU utilization before attack idle 99%, after attack idle 70%

This attack came from a single source only; it could do more damage if I used more attack sources.

LIST OF REPORTED AFFECTED PRODUCTS:
-Cisco ASA 5505, 5506, 5515, 5525, 5540 (default settings)
-Cisco 6500 routers with SUP2T and Netflow v9 on the inbound interface – 100% CPU load
-Cisco ASA 5550 (Legacy) and 5515-X (latest generation)
-Cisco Router 897 – Can be mitigated – the current code from https://www.cymru.com/Documents/secure-ios-template.html will make it worse.
-Fortinet v5.4.1 – One CPU consumed
-Fortigate units 60c and 100D (even with drop ICMP on) – RESPONSE FROM FORTINET
-Some unverified Palo Alto – SEE ANSWER FROM PALO ALTO
-Palo Alto 5050 Firewalls with firmware 7.1.4-h2
-SonicWall – Misconfiguration can be changed and mitigated (Enable Anti-DDOS)
-Zyxel NWA3560-N (Wireless attack from LAN Side)
-Zyxel Zywall USG50

NOT AFFECTED:
-AVM Fritz!Box 7360 (common ADSL router in Germany)
-Check Point Security Gateways – Check Point response!
-Cisco ISR4321 Router IOS XE – Version 15.5(3)S2, RELEASE SOFTWARE (fc2)
-GigaVUE HC-Series (Gigamon)
-Iptables
-Juniper SRX
-Mikrotik CCR1036-12G-4S firmware 3.27 (250 Mbit/s), no problem, and RouterOS 5.4 on Mikrotik RB750
-OpenBSD 6.0 and current
-pfSense
-Ubiquiti Networks – EdgeRouter Lite, CPU 60–70% load but still going
-Windows Firewalls

Trunk between 3 switches

[topology image not available]

Say you have VLAN 10 on SW1 and SW3, and both switches have VTP in transparent mode.
Now we add SW2, also in VTP transparent mode, between SW1 and SW3.
Every VLAN that exists on SW1 and SW3 must also be created on SW2,
even if none of those VLANs is used on any port of SW2: in transparent mode nothing is learned from VTP, and a switch only forwards trunk traffic for VLANs present in its own VLAN database.
NOTE:
-"vlan 10" on SW2 is important; without it I can't ping PC2 from PC1

PC1
hostname PC1
interface Ethernet0/0
ip address 10.10.10.1 255.255.255.0

SW1
hostname SW1
vtp domain POC
vtp mode transparent
vlan 10
interface Ethernet0/0
switchport access vlan 10
switchport mode access
interface Ethernet0/2
switchport trunk encapsulation dot1q
switchport mode trunk

SW2
hostname SW2
vtp domain POC
vtp mode transparent
vlan 10
interface Ethernet0/2
switchport trunk encapsulation dot1q
switchport mode trunk
interface Ethernet0/3
switchport trunk encapsulation dot1q
switchport mode trunk

SW3
hostname SW3
vtp domain POC
vtp mode transparent
vlan 10
interface Ethernet0/0
switchport access vlan 10
switchport mode access
interface Ethernet0/3
switchport trunk encapsulation dot1q
switchport mode trunk

PC2
hostname PC2
interface Ethernet0/0
ip address 10.10.10.2 255.255.255.0
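A config check added as an example (not from the page): it reads the three switch configs above, collects the VLANs that access ports use anywhere in the topology, and reports any trunking switch that has not created them locally. The config strings are trimmed copies of the page's SW1/SW2/SW3; the function names and the SW2_BROKEN variant are my own construction.

```python
import re
from typing import Dict, Set

# Trimmed copies of the SW1/SW2/SW3 configs from this page.
SW1 = """hostname SW1
vtp mode transparent
vlan 10
interface Ethernet0/0
 switchport access vlan 10
 switchport mode access
interface Ethernet0/2
 switchport mode trunk
"""
SW2 = """hostname SW2
vtp mode transparent
vlan 10
interface Ethernet0/2
 switchport mode trunk
interface Ethernet0/3
 switchport mode trunk
"""
SW3 = """hostname SW3
vtp mode transparent
vlan 10
interface Ethernet0/0
 switchport access vlan 10
 switchport mode access
interface Ethernet0/3
 switchport mode trunk
"""
# Constructed variant: the same SW2 without 'vlan 10', the case the NOTE warns about.
SW2_BROKEN = SW2.replace("vlan 10\n", "")


def defined_vlans(cfg: str) -> Set[int]:
    """VLANs created in the local VLAN database ('vlan N' at top level)."""
    return {int(v) for v in re.findall(r"^vlan (\d+)\s*$", cfg, re.M)}


def access_vlans(cfg: str) -> Set[int]:
    """VLANs that end hosts are placed in on this switch."""
    return {int(v) for v in re.findall(r"switchport access vlan (\d+)", cfg)}


def has_trunk(cfg: str) -> bool:
    return "switchport mode trunk" in cfg


def missing_vlans(configs: Dict[str, str]) -> Dict[str, Set[int]]:
    """For each trunking switch, the VLANs used anywhere in the topology that it
    has not created locally. With VTP transparent nothing propagates, so a
    trunk-only transit switch silently drops frames for those VLANs."""
    needed: Set[int] = set().union(*(access_vlans(c) for c in configs.values()))
    return {name: needed - defined_vlans(cfg)
            for name, cfg in configs.items() if has_trunk(cfg)}
```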

Named EIGRP

SOURCE:
Since IOS version 15.2, Cisco supports Named EIGRP.

Named EIGRP is Cisco’s attempt to improve the way you configure EIGRP. With Named EIGRP, all of the EIGRP routing process parameters reside in a single, hierarchical section of the running configuration. No longer are EIGRP commands scattered throughout the running configuration. Named EIGRP also provides consistency between the IPv4 and IPv6 EIGRP commands and their parameters.

With this named mode, we create a single instance of EIGRP that serves every address-family type (IPv4 and IPv6).

Another simplification: to turn off the entire AS, use the "shutdown" command under the EIGRP process (it is also available under the address-family) to disable the whole instance.
R1(config)#router eigrp HQ1
R1(config-router)#shutdown

Named EIGRP has 3 configuration modes. These are:
  1) address-family configuration mode – (config-router-af)#
  2) address-family interface configuration mode – (config-router-af-interface)#
  3) address-family topology configuration mode – (config-router-af-topology)#

A) Address-family configuration mode:
In this mode you configure networks, EIGRP neighbors, the EIGRP router-id, metrics, etc. From this mode you can access the other two configuration modes used in EIGRP named configuration.
R2(config-router)#address-family ipv4 unicast autonomous-system 1
R2(config-router-af)#?
Address Family configuration commands:
  af-interface         Enter Address Family interface configuration
  default              Set a command to its defaults
  eigrp                EIGRP Address Family specific commands
  exit-address-family  Exit Address Family configuration mode
  help                 Description of the interactive help system
  maximum-prefix       Maximum number of prefixes acceptable in aggregate
  metric               Modify metrics and parameters for address advertisement
  neighbor             Specify an IPv4 neighbor router
  network              Enable routing on an IP network
  no                   Negate a command or set its defaults
  shutdown             Shutdown address family
  timers               Adjust peering based timers
  topology             Topology configuration mode

B) Address-family interface configuration mode:

This mode takes all the interface specific commands that were previously configured on an actual interface (logical or physical) and moves them into the EIGRP configuration. EIGRP authentication, Bandwidth-percentage, split-horizon, and summary-address configuration are some of the options that are now configured here instead of in interface configuration mode.

R2(config-router-af)#af-interface fa0/0
R2(config-router-af-interface)#?
Address Family Interfaces configuration commands:
  authentication      authentication subcommands
  bandwidth-percent   Set percentage of bandwidth percentage limit
  bfd                 Enable Bidirectional Forwarding Detection
  dampening-change    Percent interface metric must change to cause update
  dampening-interval  Time in seconds to check interface metrics
  default             Set a command to its defaults
  exit-af-interface   Exit from Address Family Interface configuration mode
  hello-interval      Configures hello interval
  hold-time           Configures hold time
  next-hop-self       Configures EIGRP next-hop-self
  no                  Negate a command or set its defaults
  passive-interface   Suppress address updates on an interface
  shutdown            Disable Address-Family on interface
  split-horizon       Perform split horizon
  summary-address     Perform address summarization

In the traditional way, to run EIGRP on all interfaces we use the "network 0.0.0.0 0.0.0.0" command. Here "af-interface default" is the named-mode counterpart: whatever you configure under it applies to every EIGRP interface.
R2(config-router-af)#af-interface default
R2(config-router-af-interface)#

C) Address-family topology configuration mode:
This mode provides several options that operate on the EIGRP topology table. Here you define things like redistribution, distance, offset lists, variance, etc. To enter this mode, we need to go back to address-family configuration mode:
R2(config-router-af-interface)#exit
R2(config-router-af)#topology base
R2(config-router-af-topology)#?
Address Family Topology configuration commands:
  auto-summary         Enable automatic network number summarization
  default              Set a command to its defaults
  default-information  Control distribution of default information
  default-metric       Set metric of redistributed routes
  distance             Define an administrative distance
  distribute-list      Filter entries in eigrp updates
  eigrp                EIGRP specific commands
  exit-af-topology     Exit from Address Family Topology configuration mode
  fast-reroute         Configure Fast-Reroute
  maximum-paths        Forward packets over multiple paths
  metric               Modify metrics and parameters for advertisement
  no                   Negate a command or set its defaults
  offset-list          Add or subtract offset from EIGRP metrics
  redistribute         Redistribute IPv4 routes from another routing protocol
  snmp                 Modify snmp parameters
  summary-metric       Specify summary to apply metric/filtering
  timers               Adjust topology specific timers
  traffic-share        How to compute traffic share over alternate paths
  variance             Control load balancing variance

[topology image not available]
PC1:
hostname PC1
interface Ethernet0/0
 ip address 12.0.0.11 255.255.255.0

ip route 0.0.0.0 0.0.0.0 12.0.0.1

R1:
hostname R1
key chain MYCHAIN
 key 1
  key-string c1$c0
interface Loopback0
 ip address 1.0.0.1 255.255.255.255
interface Ethernet0/0
 ip address 23.0.0.1 255.255.255.0
interface Ethernet0/1
 ip address 12.0.0.1 255.255.255.0
router eigrp HQ1
 address-family ipv4 unicast autonomous-system 1
  af-interface Ethernet0/0
   authentication key-chain MYCHAIN
  exit-af-interface
  topology base
   redistribute static
  exit-af-topology
  network 1.0.0.0
  network 12.0.0.0
  network 23.0.0.0
 exit-address-family

R2:
hostname R2
key chain MYCHAIN
 key 1
  key-string c1$c0
interface Loopback0
 ip address 1.0.0.2 255.255.255.255
interface Ethernet0/0
 ip address 23.0.0.2 255.255.255.0
interface Ethernet0/1
 ip address 34.0.0.1 255.255.255.0
router eigrp HQ1
 address-family ipv4 unicast autonomous-system 1
  af-interface Ethernet0/0
   authentication key-chain MYCHAIN
  exit-af-interface
  topology base
   redistribute static
  exit-af-topology
  network 1.0.0.0
  network 23.0.0.0
  network 34.0.0.0
 exit-address-family

PC2:
hostname PC2
interface Ethernet0/0
 ip address 34.0.0.11 255.255.255.0
ip route 0.0.0.0 0.0.0.0 34.0.0.1

VERIFICATION
PC1#ping 34.0.0.11

Limiting Bandwidth

SOURCE
NOTE:
Option 3 was not tested because the command does not appear in the UNetLab IOL router CLI, and it applies to outbound traffic only.

Option 1 CAR (Committed Access Rate)
R1(config)#interface e0/2
R1(config-if)#rate-limit input 128000 24000 48000 conform-action transmit exceed-action drop
R1(config-if)#rate-limit output 128000 24000 48000 conform-action transmit exceed-action drop

Formula:
rate-limit {input | output} configured_rate normal_burst extended_burst
configured_rate = bits per second
normal_burst = (configured_rate / 8) * 1.5   (bytes)
extended_burst = 2 * normal_burst   (bytes)

Option 2 Policing via MQC (Modular Quality of Service)
policy-map 128K
class class-default
!bc=cir/4
police 128k bc 32000
interface e0/2
service-policy input 128K
service-policy output 128K

Option 3 (Generic Traffic Shaping – less draconian, but outbound only)
interface FastEthernet0/0
 traffic-shape rate 7000000 175000 175000 1000

Option 4 MQC (Modular Quality of Service) based traffic shaping–less draconian, but outbound only
policy-map SHAPE128K
class class-default
  shape average 128000 128000 128000
interface Ethernet0/2
 ip address 12.0.0.2 255.255.255.0
 service-policy output SHAPE128K
[topology image not available]
OPTION 1
R1:
hostname R1
interface Loopback0
 ip address 1.0.0.1 255.255.255.255
interface Ethernet0/0
 ip address 10.0.1.1 255.255.255.0 secondary
 ip address 10.0.0.1 255.255.255.0
 ip policy route-map ISPSelect
interface Ethernet0/1
 ip address 13.0.0.2 255.255.255.0
 rate-limit input 64000 12000 24000 conform-action transmit exceed-action drop
 rate-limit output 64000 12000 24000 conform-action transmit exceed-action drop
interface Ethernet0/2
 ip address 12.0.0.2 255.255.255.0
 rate-limit input 128000 24000 48000 conform-action transmit exceed-action drop
 rate-limit output 128000 24000 48000 conform-action transmit exceed-action drop
router eigrp 1
 network 1.0.0.1 0.0.0.0
 network 10.0.0.0 0.0.0.255
 network 10.0.1.0 0.0.0.255
 network 12.0.0.0 0.0.0.255
 network 13.0.0.0 0.0.0.255
 redistribute static
ip route 0.0.0.0 0.0.0.0 Ethernet0/2
ip route 0.0.0.0 0.0.0.0 Ethernet0/1
route-map ISPSelect permit 1
 match ip address 101
 set ip next-hop 12.0.0.1
route-map ISPSelect permit 2
 match ip address 102
 set ip next-hop 13.0.0.1
access-list 101 permit ip 10.0.0.0 0.0.0.255 any
access-list 102 permit ip 10.0.1.0 0.0.0.255 any

Verification

To prove that the bandwidth between PC1 and SVR1 is 128 kbps, we use the built-in ttcp:

SVR1#ttcp
transmit or receive [receive]:
perform tcp half close [n]:
receive buflen [8192]:
bufalign [16384]:
bufoffset [0]:
port [5001]:
sinkmode [y]:
rcvwndsize [4128]:
delayed ACK [y]:
show tcp information at end [n]:
ttcp-r: buflen=8192, align=16384/0, port=5001
rcvwndsize=4128, delayedack=yes  tcp
ttcp-r: accept from 12.0.0.2
ttcp-r: 409600 bytes in 24821 ms (24.821 real seconds) (~15 kB/s)+++
ttcp-r: 163 I/O calls
ttcp-r: 0 sleeps (0 ms total) (0 ms average)

PC1#ttcp
transmit or receive [receive]: t
Target IP address: 45.0.0.2
perform tcp half close [n]:
send buflen [8192]:
send nbuf [2048]: 50
bufalign [16384]:
bufoffset [0]:
port [5001]:
sinkmode [y]:
buffering on writes [y]:
show tcp information at end [n]:

Throughput calculation
SOURCE:
http://feamane.org/comms/testtools/ttcp/ttcp-quickstartguide.html
50 buffers * 8192 bytes each = 409,600 bytes
163 IP packets * 40 bytes of header = 6520 bytes
Total data transmitted = 416120 bytes
416120 bytes * 8 bits/byte = 3328960 bits
3328960 bits / 24.821 seconds = 134118 bits/second
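The CAR burst formula from Option 1, the bc = cir/4 rule from Option 2 and the ttcp throughput calculation above, carried through in code as an added example (not from the page's source). The function names and the overshoot helper are mine; the numbers are the page's.

```python
from typing import Tuple


def car_burst(configured_rate_bps: int) -> Tuple[int, int, int]:
    """CAR parameters from the page's formula: rate in bit/s,
    normal_burst = (rate/8)*1.5 bytes, extended_burst = 2*normal_burst."""
    normal_burst = int(configured_rate_bps / 8 * 1.5)
    return configured_rate_bps, normal_burst, 2 * normal_burst


def car_command(direction: str, configured_rate_bps: int) -> str:
    """Render the rate-limit line in the form used in Option 1."""
    rate, normal, extended = car_burst(configured_rate_bps)
    return (f"rate-limit {direction} {rate} {normal} {extended} "
            "conform-action transmit exceed-action drop")


def mqc_police_bc(cir_bps: int) -> int:
    """Option 2 burst: bc = cir/4 (the page's rule of thumb), in bytes."""
    return cir_bps // 4


def ttcp_throughput_bps(nbuf: int, buflen: int, io_calls: int,
                        seconds: float, header_bytes: int = 40) -> float:
    """Reproduce the page's throughput calculation: payload bytes plus 40 bytes
    of IP/TCP header per I/O call (one packet each, as the quoted guide assumes)."""
    total_bytes = nbuf * buflen + io_calls * header_bytes
    return total_bytes * 8 / seconds


def overshoot_percent(measured_bps: float, configured_bps: int) -> float:
    """How far the measured rate sits above the configured limit. Some overshoot
    is expected: the burst allowance and the header accounting both add to it."""
    return (measured_bps - configured_bps) / configured_bps * 100


if __name__ == "__main__":
    print(car_command("input", 128000))
    print(mqc_police_bc(128000))
    measured = ttcp_throughput_bps(50, 8192, 163, 24.821)
    print(int(measured), round(overshoot_percent(measured, 128000), 2))
```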

For Serial interface
! set bandwidth on both DTE and DCE
! set clock rate only on the DCE
interface Serial1/1
 bandwidth 128
 clock rate 128000

Catalyst
SOURCE
Switch(config)# interface FastEthernet 0/1
Switch(config-if)# srr-queue bandwidth limit 90

The 90 sets the outbound bandwidth limit on the port to 90 percent of the port speed. Since this is a 100-Mb port, this should limit the outbound traffic from the port to 10 Mb.

-on an SVI (interface vlan), the same CAR commands can be applied:
int vlan 400
rate-limit input 128000 24000 48000 conform-action transmit exceed-action drop
rate-limit output 128000 24000 48000 conform-action transmit exceed-action drop

How to enable https web authentication

This is just for your knowledge.
For security reasons, don't enable this function: note in the status output below that the default cipher suites are DES, 3DES and RC4 and the digest algorithm is MD5.

R1#sh run
hostname R1
interface Ethernet0/0
 ip address 10.0.10.111 255.255.255.0
aaa new-model
aaa authentication login default local
ip domain-name poc.com
username cisco privilege 15 password 0 c1$c0
ip http authentication local
ip http secure-server

R1#show ip http server status
HTTP server status: Disabled
HTTP server port: 80
HTTP server active supplementary listener ports:
HTTP server authentication method: local
HTTP server digest algorithm: md5
HTTP server access class: 0
HTTP server base path:
HTTP server help root:
Maximum number of concurrent server connections allowed: 5
Server idle time-out: 180 seconds
Server life time-out: 180 seconds
Maximum number of requests allowed on a connection: 1
Server linger time : 60 seconds
HTTP server active session modules: ALL
HTTP secure server capability: Present
HTTP secure server status: Enabled
HTTP secure server port: 443
HTTP secure server ciphersuite: 3des-ede-cbc-sha des-cbc-sha rc4-128-md5 rc4-128-sha
HTTP secure server client authentication: Disabled
HTTP secure server trustpoint:
HTTP secure server active session modules: ALL
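An audit helper added as an example (not from the page or from Cisco): it parses the `show ip http server status` output above and lists what a reviewer would flag. The sample output is a trimmed copy of the page's; the weak-cipher markers and the function names are my assumptions.

```python
from typing import Dict, List

# Trimmed copy of the 'show ip http server status' output from this page (R1).
STATUS_OUTPUT = """HTTP server status: Disabled
HTTP server port: 80
HTTP server authentication method: local
HTTP server digest algorithm: md5
HTTP secure server status: Enabled
HTTP secure server port: 443
HTTP secure server ciphersuite: 3des-ede-cbc-sha des-cbc-sha rc4-128-md5 rc4-128-sha
HTTP secure server client authentication: Disabled
HTTP secure server trustpoint:
"""

# Assumption: substrings this audit treats as weak in a ciphersuite name.
WEAK_MARKERS = ("des", "rc4", "md5")


def parse_status(text: str) -> Dict[str, str]:
    """'Key: value' lines into a dict; an empty value (no trustpoint) stays ''."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    return fields


def audit_http_server(text: str) -> List[str]:
    """Findings a reviewer would raise on this output."""
    s = parse_status(text)
    findings: List[str] = []
    if s.get("HTTP server status") == "Enabled":
        findings.append("plaintext HTTP server is enabled on port " + s.get("HTTP server port", "?"))
    if s.get("HTTP secure server status") == "Enabled":
        weak = [c for c in s.get("HTTP secure server ciphersuite", "").split()
                if any(marker in c for marker in WEAK_MARKERS)]
        if weak:
            findings.append("weak ciphersuites offered: " + ", ".join(weak))
        if not s.get("HTTP secure server trustpoint"):
            findings.append("no trustpoint: the router falls back to a self-signed certificate")
    if s.get("HTTP server digest algorithm") == "md5":
        findings.append("HTTP digest authentication uses md5")
    return findings


if __name__ == "__main__":
    for finding in audit_http_server(STATUS_OUTPUT):
        print("-", finding)
```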

ACL Standard, Extended and Named difference

SOURCE:
http://www.cisco.com/c/en/us/support/docs/security/ios-firewall/23602-confaccesslists.html#standacl
http://www.cisco.com/c/en/us/support/docs/ip/access-lists/26448-ACLsamples.html

Standard ACL
A standard ACL provides the ability to match traffic based on the source address of the traffic only. This is, of course, rather limiting, but in many situations is all that is required.
-Standard numbers: 1–99 and 1300–1999
-Example
router(config)#access-list access-list-number {permit | deny} {source [source-wildcard] | host hostname | any}
or
router(config)#ip access-list standard {access-list-name}
router(config-std-nacl)#[sequence-number] {permit | deny} {source [source-wildcard] | host hostname | any}
Example:
192.168.1.0/24 —F0/0 RTR F0/1 —172.16.1.0/24
In this example, the router needs to be configured with an access list that blocks the traffic coming in on the f0/0 interface from the 192.168.1.0/24 network. The access list itself is the first thing that is configured; in this example access list number 10 will be used.
router(config)#access-list 10 deny 192.168.1.0 0.0.0.255
The second step is to apply the access list on the correct interface; as the access list being configured is a standard access list, it is best for it to be applied as close to the destination as possible.
router(config)#interface f0/1
router(config-if)#ip access-group 10 out
Remember the implicit deny at the end of every ACL: with only this deny entry, all other traffic out f0/1 is blocked too, so a "permit any" is needed after it to let the remaining traffic through.

Extended ACL
Unlike a standard ACL, the extended ACL provides much more flexibility in matching traffic as it provides the ability to match based on protocol, source and destination address as well as several other features like matching based on an established connection.
-Extended numbers: 100–199 and 2000–2699
Example:
interface ethernet0/0
ip access-group 101 in
!permit ports
access-list 101 permit tcp any any eq www
access-list 101 permit tcp any any eq telnet
access-list 101 permit tcp any any eq smtp
access-list 101 permit tcp any any eq pop3
access-list 101 permit tcp any any eq 21
!permit dns
access-list 101 permit udp any any eq domain
access-list 101 permit udp any eq domain any
access-list 101 permit tcp any any eq domain
access-list 101 permit tcp any eq domain any
!permit routing updates
access-list 101 permit udp any any eq rip
access-list 101 permit eigrp any any
access-list 101 permit ospf any any
!permit bgp
access-list 101 permit tcp any any eq 179
access-list 101 permit tcp any eq 179 any

Named ACL
-Access lists are identified by names rather than numbers
-Names are case-sensitive
-Not limited to a number range
-Advantage: the ACL can be edited, i.e. a specific statement can be removed from the ACL
-Supported on IOS version 11.2 or later

Lab example. We will create a named ACL that:
-only allows HTTP access from the 13.0.0.0 subnet to the 34.0.0.2 server
-only allows HTTPS access from the 23.0.0.0 subnet to the 34.0.0.2 server

[topology image not available]

SVR1:
hostname SVR1
interface Ethernet0/0
ip address 34.0.0.2 255.255.255.0
ip http server
ip http secure-server
ip route 0.0.0.0 0.0.0.0 34.0.0.1

SW1:
hostname SW1
interface Ethernet0/0
ip address 34.0.0.1 255.255.255.0
ip access-group WEB out
interface Ethernet0/2
ip address 13.0.0.1 255.255.255.0
interface Ethernet0/3
ip address 23.0.0.1 255.255.255.0
ip access-list extended WEB
permit tcp 23.0.0.0 0.0.0.255 host 34.0.0.2 eq 443
permit tcp 13.0.0.0 0.0.0.255 host 34.0.0.2 eq www
permit icmp any any echo
permit icmp any any echo-reply
deny tcp any any

PC1:
hostname PC1
interface Ethernet0/0
ip address 13.0.0.2 255.255.255.0
ip route 0.0.0.0 0.0.0.0 13.0.0.1

PC2:
hostname PC2
interface Ethernet0/0
ip address 23.0.0.2 255.255.255.0
ip route 0.0.0.0 0.0.0.0 23.0.0.1

Verification
PC1:
PC1#telnet 34.0.0.2 80
Trying 34.0.0.2, 80 … Open
PC1#telnet 34.0.0.2 443
Trying 34.0.0.2, 443 …
% Destination unreachable; gateway or host down

PC2:
PC2#telnet 34.0.0.2 443
Trying 34.0.0.2, 443 … Open
PC2#telnet 34.0.0.2 80
Trying 34.0.0.2, 80 …
% Destination unreachable; gateway or host down
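An ACL evaluator added as an example (not from the page or from Cisco): it parses the named ACL WEB from the SW1 config above and replays the verification, showing why PC1 reaches port 80 but not 443 and PC2 the reverse, and that anything unmatched hits the implicit deny. The ACL text is copied from the page; the parser, the port/ICMP name tables and the function names are my own construction.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Copied from the SW1 config on this page (ip access-list extended WEB).
WEB_ACL_TEXT = """
permit tcp 23.0.0.0 0.0.0.255 host 34.0.0.2 eq 443
permit tcp 13.0.0.0 0.0.0.255 host 34.0.0.2 eq www
permit icmp any any echo
permit icmp any any echo-reply
deny tcp any any
"""
PORT_NAMES = {"www": 80, "telnet": 23, "smtp": 25, "domain": 53}
ICMP_TYPES = {"echo": 8, "echo-reply": 0}

def _ip(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))

def _addr_spec(tok: List[str], i: int) -> Tuple[int, int, int]:
    """Consume 'any' | 'host A' | 'A WILDCARD'; return (net, wildcard, next index)."""
    if tok[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tok[i] == "host":
        return _ip(tok[i + 1]), 0, i + 2
    return _ip(tok[i]), _ip(tok[i + 1]), i + 2

def parse_acl(text: str) -> List[Dict]:
    """One dict per ACE, in the order IOS evaluates them."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        src, swild, i = _addr_spec(tok, 2)
        dst, dwild, i = _addr_spec(tok, i)
        dport = icmp_type = None
        if tok[1] in ("tcp", "udp") and i < len(tok) and tok[i] == "eq":
            dport = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1])
        elif tok[1] == "icmp" and i < len(tok):
            icmp_type = ICMP_TYPES[tok[i]]
        entries.append(dict(action=tok[0], proto=tok[1], src=src, swild=swild,
                            dst=dst, dwild=dwild, dport=dport, icmp_type=icmp_type))
    return entries

def _in(addr: str, net: int, wild: int) -> bool:
    """IOS wildcard match: address bits under a set wildcard bit are ignored."""
    return (_ip(addr) & ~wild & 0xFFFFFFFF) == (net & ~wild & 0xFFFFFFFF)

def evaluate(acl: List[Dict], proto: str, src: str, dst: str,
             dport: Optional[int] = None, icmp_type: Optional[int] = None) -> str:
    """First matching ACE wins; no match falls through to the implicit deny."""
    for e in acl:
        if e["proto"] not in (proto, "ip"):
            continue
        if not (_in(src, e["src"], e["swild"]) and _in(dst, e["dst"], e["dwild"])):
            continue
        if e["dport"] not in (None, dport) or e["icmp_type"] not in (None, icmp_type):
            continue
        return e["action"]
    return "deny"

WEB_ACL = parse_acl(WEB_ACL_TEXT)
```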