Tuesday 15 January 2019

What is Root guard and how to prevent Root guard attack?


The root guard prevents the wrong switch from becoming the spanning tree root. If a root guard port receives a superior BPDU that might cause it to become a root port, the port is put into a “root-inconsistent” state and does not pass traffic through it. If the port stops receiving these BPDUs, it automatically re-enables itself.






In short- Root Guard is similar to the BPDU Guard. The root guard feature prevents a designating port from becoming a root port.

let's see the configuration: -
Topology:








 Goal:
  • configure the topology as per the diagram.
  • assign the IP addresses to their respective ports
  • configure trunking between switches
  • configure switch-4 root bridge for VLAN 1
  • configure KALI machine to act as a switch and become the ROOT bridge for VLAN 1
  • make sure the attacker will not become a ROOT bridge 
  • to prevent this attack configure Root Guard 
  • we want to switch 4 to not accept superior BPDU\ and make it root-inconsistent to that port.

(Starting from configuring the IP addresses on the PCs)


PC1> show ip all

NAME   IP/MASK              GATEWAY           MAC                DNS
PC1    10.1.1.10/8          10.1.1.1          00:50:79:66:68:00


PC2> show ip all

NAME   IP/MASK              GATEWAY           MAC                DNS
PC2    10.1.1.11/8          10.1.1.1          00:50:79:66:68:01


PC3> show ip all

NAME   IP/MASK              GATEWAY           MAC                DNS
PC3    10.1.1.13/8          10.1.1.1          00:50:79:66:68:02


PC4> show ip all

NAME   IP/MASK              GATEWAY           MAC                DNS
PC4    10.1.1.14/8          255.0.0.0         00:50:79:66:68:03


PC5> show ip all

NAME   IP/MASK              GATEWAY           MAC                DNS
PC5    10.1.1.15/8          255.0.0.0         00:50:79:66:68:04


PC6> show ip all

NAME   IP/MASK              GATEWAY           MAC                DNS
PC6    10.1.1.16/8          255.0.0.0         00:50:79:66:68:05

PC7> show ip all

NAME   IP/MASK              GATEWAY           MAC                DNS
PC7    10.1.1.17/8          255.0.0.0         00:50:79:66:68:06


PC8> show ip all

NAME   IP/MASK              GATEWAY           MAC                DNS
PC8    10.1.1.18/8          255.0.0.0         00:50:79:66:68:07


PC9> show ip all

NAME   IP/MASK              GATEWAY           MAC                DNS
PC9    10.1.1.19/8          255.0.0.0         00:50:79:66:68:08


PC10> show ip all

NAME   IP/MASK              GATEWAY           MAC                DNS
PC10   10.1.1.20/8          255.0.0.0         00:50:79:66:68:09


(Now assign the IP 10.1.1.2 on the Kali machine)














 



(Click on the setting icon assign the IP on Kali)







(Configure trunking between switches)




Switch-1(config)#interface gigabitEthernet 0/0
Switch-1(config-if)#switchport trunk encapsulation dot1q
Switch-1(config-if)#switchport mode trunk
Switch-1(config-if)#switchport trunk allowed vlan all
Switch-1(config-if)#exit


Switch-1#show interfaces trunk

Port        Mode             Encapsulation  Status        Native vlan
Gi0/0       on               802.1q         trunking      1

Port        Vlans allowed on trunk
Gi0/0       1-4094


Switch-2(config)#interface range gigabitEthernet 0/0-1
Switch-2(config-if-range)#switchport trunk encapsulation do
Switch-2(config-if-range)#switchport trunk encapsulation dot1q
Switch-2(config-if-range)#switchport mode trunk
Switch-2(config-if-range)#switchport trunk allowed vlan all
Switch-2(config-if-range)#exit

Switch-2#show interfaces trunk

Port        Mode             Encapsulation  Status        Native vlan
Gi0/0       on               802.1q         trunking      1
Gi0/1       on               802.1q         trunking      1

Port        Vlans allowed on trunk
Gi0/0       1-4094
Gi0/1       1-4094

Port        Vlans allowed and active in management domain
Gi0/0       1,100,200,300
Gi0/1       1,100,200,300


Switch-3(config)#interface range gigabitEthernet 0/0-1
Switch-3(config-if-range)#switchport trunk encapsulation dot1q
Switch-3(config-if-range)#switchport mode trunk
Switch-3(config-if-range)#switchport trunk allowed vlan all
Switch-3(config-if-range)#exit
Switch-3(config)#end

Switch-3#show interface trunk

Port        Mode             Encapsulation  Status        Native vlan
Gi0/0       on               802.1q         trunking      1
Gi0/1       on               802.1q         trunking      1

Port        Vlans allowed on trunk
Gi0/0       1-4094
Gi0/1       1-4094

Port        Vlans allowed and active in management domain
Gi0/0       1,100,200,300
Gi0/1       1,100,200,300



Switch-4(config)#interface range gigabitEthernet 0/0-1
Switch-4(config-if-range)#switchport trunk encapsulation dot1q
Switch-4(config-if-range)#switchport trunk allowed vlan all
Switch-4(config-if-range)#exit
Switch-4(config)#exit

Switch-4#show interfaces trunk

Port        Mode             Encapsulation  Status        Native vlan
Gi0/0       desirable        802.1q         trunking      1
Gi0/1       desirable        802.1q         trunking      1

Port        Vlans allowed on trunk
Gi0/0       1-4094
Gi0/1       1-4094

Port        Vlans allowed and active in management domain
Gi0/0       1,100,200,300
Gi0/1       1,100,200,300



Switch-5(config)#interface gigabitEthernet 0/1
Switch-5(config-if)#switchport trunk encapsulation dot1q
Switch-5(config-if)#switchport mode trunk
Switch-5(config-if)#switchport trunk allowed vlan all
Switch-5(config-if)#exit
Switch-5(config)#exit

Switch-5#show interfaces trunk

Port        Mode             Encapsulation  Status        Native vlan
Gi0/1       on               802.1q         trunking      1

Port        Vlans allowed on trunk
Gi0/1       1-4094

Port        Vlans allowed and active in management domain
Gi0/1       1,100,200,300


(Configure switch-4 root bridge for VLAN 1)



Switch-4(config)#spanning-tree vlan 1 root primary
Switch-4(config)#end


Switch-4#show spanning-tree vlan 1

VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    24577
             Address     0c92.011b.0000
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    24577  (priority 24576 sys-id-ext 1)
             Address     0c92.011b.0000
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  15  sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi0/0               Desg FWD 4         128.1    Shr
Gi0/1               Desg FWD 4         128.2    Shr
Gi0/2               Desg FWD 4         128.3    Shr
Gi0/3               Desg FWD 4         128.4    Shr
Gi1/0               Desg FWD 4         128.5    Shr
Gi1/1               Desg FWD 4         128.6    Shr
Gi1/2               Desg FWD 4         128.7    Shr
Gi1/3               Desg FWD 4         128.8    Shr
Gi2/0               Desg FWD 4         128.9    Shr
Gi2/1               Desg FWD 4         128.10   Shr
Gi2/2               Desg FWD 4         128.11   Shr
Gi2/3               Desg FWD 4         128.12   Shr
Gi3/0               Desg FWD 4         128.13   Shr
Gi3/1               Desg FWD 4         128.14   Shr
Gi3/2               Desg FWD 4         128.15   Shr
Gi3/3               Desg FWD 4         128.16   Shr

(Now let's ping to ensure the connectivity)


PC1> ping 10.1.1.2
84 bytes from 10.1.1.2 icmp_seq=1 ttl=64 time=21.895 ms
84 bytes from 10.1.1.2 icmp_seq=2 ttl=64 time=38.968 ms
84 bytes from 10.1.1.2 icmp_seq=3 ttl=64 time=49.215 ms
84 bytes from 10.1.1.2 icmp_seq=4 ttl=64 time=51.478 ms
84 bytes from 10.1.1.2 icmp_seq=5 ttl=64 time=36.524 ms

PC1> ping 10.1.1.12
84 bytes from 10.1.1.12 icmp_seq=1 ttl=64 time=19.803 ms
84 bytes from 10.1.1.12 icmp_seq=2 ttl=64 time=9.089 ms
84 bytes from 10.1.1.12 icmp_seq=3 ttl=64 time=34.237 ms
84 bytes from 10.1.1.12 icmp_seq=4 ttl=64 time=23.287 ms
84 bytes from 10.1.1.12 icmp_seq=5 ttl=64 time=10.744 ms

PC1> ping 10.1.1.15
84 bytes from 10.1.1.15 icmp_seq=1 ttl=64 time=52.330 ms
84 bytes from 10.1.1.15 icmp_seq=2 ttl=64 time=50.599 ms
84 bytes from 10.1.1.15 icmp_seq=3 ttl=64 time=50.814 ms
84 bytes from 10.1.1.15 icmp_seq=4 ttl=64 time=44.130 ms
84 bytes from 10.1.1.15 icmp_seq=5 ttl=64 time=81.414 ms

PC1> ping 10.1.1.19
84 bytes from 10.1.1.19 icmp_seq=1 ttl=64 time=78.078 ms
84 bytes from 10.1.1.19 icmp_seq=2 ttl=64 time=116.942 ms
84 bytes from 10.1.1.19 icmp_seq=3 ttl=64 time=126.684 ms
84 bytes from 10.1.1.19 icmp_seq=4 ttl=64 time=57.858 ms
84 bytes from 10.1.1.19 icmp_seq=5 ttl=64 time=70.056 ms

PC1>
 

(Configure KALI machine to act as a switch and become the ROOT bridge for VLAN 1)
(Install yersinia tool. and remember this blog purpose is to educate not to harm)








(Make sure the attacker will not become a ROOT bridge)


Switch-4#show spanning-tree vlan 1

VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    24577
             Address     0c92.011a.0000
             Cost        12
             Port        1 (GigabitEthernet0/0)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    24577  (priority 24576 sys-id-ext 1)
             Address     0c92.011b.0000
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300 sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi0/0               Root FWD 4         128.1    Shr
Gi0/1               Desg FWD 4         128.2    Shr
Gi0/2               Desg FWD 4         128.3    Shr
Gi0/3               Desg FWD 4         128.4    Shr
Gi1/0               Desg FWD 4         128.5    Shr
Gi1/1               Desg FWD 4         128.6    Shr
Gi1/2               Desg FWD 4         128.7    Shr

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------


{As you can see our switch-4 is no longer root unfortunately. attacker machine become the root for our network)
to prevent this attack, configure Root Guard we want to switch 4 to not accept superior BPDU\ and make it root-inconsistent to that port.



Switch-4(config)#interface gigabitEthernet 0/0
Switch-4(config-if)#spanning-tree guard root
Switch-4(config-if)#exit

*Jul  5 05:36:36.974: %SPANTREE-2-ROOTGUARD_CONFIG_CHANGE: Root guard enabled on port GigabitEthernet0/0.

*Jul  5 05:36:36.980: %SPANTREE-2-ROOTGUARD_BLOCK: Root guard blocking port GigabitEthernet0/0 on VLAN0100.

(As you can see the switch-4 block gig 0/0)



Switch-4#show spanning-tree

VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    24577
             Address     0c92.011b.0000
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    24577  (priority 24576 sys-id-ext 1)
             Address     0c92.011b.0000
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300 sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi0/0               Desg BKN*4         128.1    Shr *ROOT_Inc
Gi0/1               Desg FWD 4         128.2    Shr
Gi0/2               Desg FWD 4         128.3    Shr
Gi0/3               Desg FWD 4         128.4    Shr
Gi1/0               Desg FWD 4         128.5    Shr
Gi1/1               Desg FWD 4         128.6    Shr
Gi1/2               Desg FWD 4         128.7    Shr
Gi1/3               Desg FWD 4         128.8    Shr


(Switch-4 again become the root for VLAN 1)
I hope you like this blog, please visit to our YouTube program https://youtu.be/F5MG1qNwp9c  )






























 


Instagram

Facebook


Twitter



LINKEDIN








No comments:

What is Virtual Router Redundancy Protocol (VRRP)? How to configure Virtual Router Redundancy Protocol (VRRP)?

 Virtual Router Redundancy Protocol (VRRP) is a gateway redundancy networking protocol used to create a virtual gateway similar to HSRP . VR...