Showing posts with label ethical hacking. Show all posts

Thursday, 22 February 2024

How to spoof an IP address? | How to prevent spoofed IP packets from entering the network? | What is Unicast Reverse Path Forwarding?




In this blog you will see how a source IP address is spoofed, how to stop spoofed packets from entering the network, and what Unicast Reverse Path Forwarding is.

Unicast Reverse Path Forwarding (uRPF) is a router feature that limits source-address spoofing. Normally a router only looks up the destination IP of a unicast packet in its routing table and forwards the packet out of the matching interface; the source address is never checked, which is exactly what an attacker relies on when putting a forged source IP on packets. With uRPF enabled on an interface the router also looks up the packet's source IP in the routing table (the CEF FIB, which is why uRPF needs CEF). If there is a route back to that source (and, in strict mode, the route points out of the interface the packet arrived on) the packet is forwarded; otherwise it is dropped and counted as a verification drop on that interface.

Unicast Reverse Path Forwarding has two modes:

  1. Strict mode – the router does two checks: first, that the routing table has a route for the packet's source IP; second, that the best route back to that source points out of the interface on which the packet was received. Use it where routing is symmetric, such as a single-homed edge or customer-facing interface; on a multihomed link with asymmetric routing it will drop legitimate traffic.
  2. Loose mode – the router only checks that some route for the source IP exists, regardless of interface. It still drops sources that match no route at all. On Cisco IOS a source that resolves only to the default route is also dropped unless the allow-default keyword is given, and a source that resolves to a route pointing to Null0 is dropped, which is what makes loose-mode uRPF usable for source-based remotely triggered black holes.

Let's take the example of our topology 


In this topology the attacker machine (192.168.1.10, on the 192.168.1.0/24 network behind router 1) sends ICMP echo requests to the victim PC1 (10.1.1.10, on the 10.0.0.0/8 network behind router 2) with the source address forged as 100.100.100.100. Router 1 forwards the packets because it only looks at the destination address, and remember we have not configured unicast RPF yet; router 2 does the same. PC1 receives the echo requests and keeps replying, but its replies go to 100.100.100.100, not to the attacker. In a real network that is how a spoofed source turns the victim into a reflector against a third party. To stop the attack we configure uRPF on router 2's serial 4/0 interface, and the spoofed packets are dropped there instead of being forwarded.





(This lab is for study purposes only; do not try this on a production device.)



Topology: 

Goal:
  • configure the topology as per the diagram
  • configure the IP addresses as per the topology
  • configure IGP routing and make sure the attacker can ping the victim PC
  • configure the spoof attack: change the source IP from 192.168.1.10 to 100.100.100.100 and send ICMP packets to 10.1.1.10/8
  • after the attack succeeds, configure uRPF on router 2 serial 4/0
  • configure strict mode and make sure spoofed packets are discarded




R1(config)#interface fastEthernet 0/0
R1(config-if)#ip address 192.168.1.1 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#exit

R1(config)#interface serial 4/0
R1(config-if)#ip address 1.1.1.1 255.0.0.0
R1(config-if)#no shutdown
R1(config-if)#exit
 
R2(config)#interface serial 4/0
R2(config-if)#ip address 1.1.1.2 255.0.0.0
R2(config-if)#no shutdown
R2(config-if)#exit

R2(config)#interface fastethernet 0/0
R2(config-if)#ip address 10.1.1.1 255.0.0.0
R2(config-if)#no shutdown
R2(config-if)#exit
 
PC1> ip 10.1.1.10 255.0.0.0 10.1.1.1
Checking for duplicate address...
PC1 : 10.1.1.10 255.0.0.0 gateway 10.1.1.1
 
PC1> show ip
 
NAME        : PC1[1]
IP/MASK     : 10.1.1.10/8
GATEWAY     : 10.1.1.1
DNS         :
MAC         : 00:50:79:66:68:00
LPORT       : 10019
RHOST:PORT  : 127.0.0.1:10020
MTU:        : 1500
 
PC2> ip 10.1.1.20 255.0.0.0 10.1.1.1
Checking for duplicate address...
PC2 : 10.1.1.20 255.0.0.0 gateway 10.1.1.1
 
PC2> show ip
 
NAME        : PC2[1]
IP/MASK     : 10.1.1.20/8
GATEWAY     : 10.1.1.1
DNS         :
MAC         : 00:50:79:66:68:01
LPORT       : 10021
RHOST:PORT  : 127.0.0.1:10022
MTU:        : 1500

 (Configure IP 192.168.1.10/24 with default gateway 192.168.1.1 on the Kali Linux machine.)


R1#show ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            192.168.1.1     YES manual up                    up
Serial4/0                  1.1.1.1         YES manual up                    up

R2#show ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            10.1.1.1        YES manual up                    up
Serial4/0                  1.1.1.2         YES manual up                    up


(Configure EIGRP on both routers.)


R1(config)#router eigrp 100
R1(config-router)#network 192.168.1.0
R1(config-router)#network 1.0.0.0
R1(config-router)#no auto-summary
R1(config-router)#exit

*Feb 22 13:45:39.083: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 1.1.1.2 (Serial4/0) is up: new adjacency

R2(config)#router eigrp 100
R2(config-router)#network 10.0.0.0
R2(config-router)#network 1.0.0.0
R2(config-router)#no auto-summary
R2(config-router)#exit

R1#show ip route eigrp
D    10.0.0.0/8 [90/2172416] via 1.1.1.2, 00:02:52, Serial4/0

R2#show ip route eigrp
D    192.168.1.0/24 [90/2172416] via 1.1.1.1, 00:03:28, Serial4/0


(Make sure the attacking machine can ping the 10.0.0.0/8 network.)






(On PC1, start Wireshark to capture packets.)








(Capture packets.)




Configure the spoof attack: change the source IP from 192.168.1.10 to 100.100.100.100 and send ICMP packets to 10.1.1.10/8.






(In the screenshot of the captured traffic the source IP is no longer 192.168.1.10 but the spoofed 100.100.100.100, and PC1 keeps replying to the spoofed address.)





Configure strict mode and make sure spoofed packets are discarded.



R2(config)#interface serial 4/0
R2(config-if)#ip verify unicast source reachable-via ?
  any  Source is reachable via any interface
  rx   Source is reachable via interface on which packet was received
R2(config-if)#ip verify unicast source reachable-via rx
R2(config-if)#exit

R2(config)#ip cef
R2(config)#exit

(uRPF depends on CEF. It is on by default on most IOS images, but if CEF is disabled the ip verify command is refused, so make sure ip cef is enabled before you rely on the check. Now we try the attack again.)



(Router 2 is now discarding the spoofed packets; the verification drop counter on the interface increments with each one.)


R2#show ip interface serial 4/0 | include drops
   30 verification drops
   0 suppressed verification drops

R2#show ip interface serial 4/0 | include verify
  IP verify source reachable-via RX

Friday, 2 February 2024

What is RBAC Role Based Access Control? | What are RBAC Views? | What is the Concept behind Role Based Access Control? | How to configure RBAC on gns3?

 

What is Role-Based Access Control?

RBAC (Role-Based Access Control), also called role-based security, grants permissions to users according to their job role. On network devices only the admin needs complete access; the other network engineers do not. Some of them only need to monitor and cross-check the configuration with show commands. The admin defines what each user can do according to that user's role.

Why do we need RBAC?

RBAC reduces risk and limits the damage of human error: a user can only see the information and run the commands that the role needs, and nothing else. This matters most in large organizations where many people touch the same devices.




What is the Concept behind Role Based Access Control

The admin creates a set of permissions and assigns it to a user. For example, user-1 is a junior L-1 engineer whose only job is to monitor interface state. The admin allows user-1 to run show ip interface brief and nothing else: user-1 cannot run show ip route, cannot enter configuration mode and cannot delete anything on the device. The security level goes up because only the admin can change or remove configuration.





What are RBAC Views?

The admin creates views, and a view defines the set of commands a user can run. There are three kinds to know. The root view is the admin view from which all other views are configured. A parser view (CLI view) is a named set of allowed commands that a user is bound to. A superview is a container that bundles several parser views: a user assigned to the superview can run every command that any of its member views allows. A superview has no commands of its own, and a view can only be added to it after that view exists.

(Configure an enable secret and a local username before you create any view. Views require aaa new-model, and without a working login you can lock yourself out of the router.)

Let's see the topology: https://www.youtube.com/watch?v=D0t29ZdO09I&t=579s


Goal:

  • configure the topology as per the diagram
  • configure the IP addressing as per the topology
  • configure telnet and ensure the computer in our LAN can access the router
  • configure the root view with username admin and password admin
  • configure parser view user1 with password user1, allowing only the ping and show ip int br commands
  • configure parser view user2 with password user2, allowing only show ip int br, show ip route, show ip protocol and traceroute
  • configure a superview containing user1 and user2
  • ensure the computer can access all views


Router-one-(config)#int fa 0/0
Router-one-(config-if)#ip add 192.168.1.1 255.255.255.0
Router-one-(config-if)#no shutdown
Router-one-(config-if)#exit

Router-one-(config)#int fa 1/0
Router-one-(config-if)#ip address 10.1.1.1 255.255.255.0
Router-one-(config-if)#no shutdown
Router-one-(config-if)#exit

Router-one-(config)#int fa 1/1
Router-one-(config-if)#ip address 192.168.2.1 255.255.255.0
Router-one-(config-if)#no shut
Router-one-(config-if)#exit

*Feb  1 22:20:42.979: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
*Feb  1 22:20:43.059: %LINK-3-UPDOWN: Interface FastEthernet1/0, changed state to up
*Feb  1 22:20:43.099: %LINK-3-UPDOWN: Interface FastEthernet1/1, changed state to up

Configure telnet and ensure the computer in our LAN can access the router. (Telnet sends the credentials in cleartext; it is used here only because this is a GNS3 lab. On a real device use SSH, and store local users with username ... secret rather than password so the credential is hashed in the configuration.)


Router-one-(config)#line vty 0 15
Router-one-(config-line)#password admin
Router-one-(config-line)#login
Router-one-(config-line)#exit

Router-one-(config)#username admin password admin
Router-one-(config)#exit

Configure the root view with username admin and password admin.



Router-one-(config)#aaa new-model
Router-one-(config)#enable secret admin
Router-one-(config)#exit

Router-one-#enable view
Password:

%PARSER-6-VIEW_SWITCH: successfully set to view 'root'.

Router-one-#show parser view
Current view is 'root'


Configure parser view user1 with password user1, allowing only the ping and show ip int br commands.



Router-one-(config)#parser view user1
Router-one-(config-view)#secret user1
Router-one-(config-view)#command exec include show ip int br
Router-one-(config-view)#command exec include ping
Router-one-(config-view)#exit

%PARSER-6-VIEW_CREATED: view 'user1' successfully created.

Router-one-(config)#username user1 view user1 secret user1
Router-one-(config)#end

Router-one-#enable view user1
Password:

%PARSER-6-VIEW_SWITCH: successfully set to view 'user1'.

Router-one-#show parser view
Current view is 'user1'


Router-one-#show ip route
                    ^
% Invalid input detected at '^' marker.

Router-one-#traceroute 192.168.1.2
            ^
% Invalid input detected at '^' marker.


(From the above you can see that user-1 cannot run show ip route or traceroute, because the admin gave user-1 only two commands: show ip int br and ping.)

Router-one-#show ip int br
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            192.168.1.1     YES manual up                    up
FastEthernet1/0            10.1.1.1        YES manual up                    up
FastEthernet1/1            192.168.2.1     YES manual up                    up



Router-one-#ping 192.168.1.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 20/37/56 ms


Configure parser view user2 with password user2, allowing only show ip int br, show ip route, show ip protocol and traceroute.



Router-one-(config)#parser view user2
Router-one-(config-view)#secret user2
Router-one-(config-view)#command exec include show ip int br
Router-one-(config-view)#command exec include show ip route
Router-one-(config-view)#command exec include show ip protocol
Router-one-(config-view)#command exec include traceroute
Router-one-(config-view)#command exec include ping
Router-one-(config-view)#exit

%PARSER-6-VIEW_CREATED: view 'user2' successfully created.

Router-one-(config)#username user2 view user2 secret user2
Router-one-(config)#exit

Router-one-#enable view user2
Password:

%PARSER-6-VIEW_SWITCH: successfully set to view 'user2'.

Router-one-#show parser view
Current view is 'user2'

Router-one-#show ip int br
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            192.168.1.1     YES manual up                    up
FastEthernet1/0            10.1.1.1        YES manual up                    up
FastEthernet1/1            192.168.2.1     YES manual up                    up

Router-one-#show ip protocol

Router-one-#show ip route


Gateway of last resort is not set

     10.0.0.0/24 is subnetted, 1 subnets
C       10.1.1.0 is directly connected, FastEthernet1/0
C    192.168.1.0/24 is directly connected, FastEthernet0/0
C    192.168.2.0/24 is directly connected, FastEthernet1/1


Router-one-#traceroute 192.168.1.2

Type escape sequence to abort.
Tracing the route to 192.168.1.2

  1 192.168.1.2 24 msec 40 msec 20 msec

Router-one-#show ?
  bootflash:  display information about bootflash: file system
  disk0:      display information about disk0: file system
  disk1:      display information about disk1: file system
  flash:      display information about flash: file system
  ip          IP information
  parser      Show parser commands
  slot0:      display information about slot0: file system
  slot1:      display information about slot1: file system

Router-one-#show ip ?
  interface  IP interface status and configuration
  protocols  IP routing protocol process parameters and statistics
  route      IP routing table


(From the above you can see that the admin allows user-2 to run only the commands listed; the show ? and show ip ? help output reveals nothing outside the view.)


Configure a superview containing user1 and user2.



Router-one-(config)#parser view supuser superview
Router-one-(config-view)#secret supuser
Router-one-(config-view)#view user1
Router-one-(config-view)#view user2
Router-one-(config-view)#exit

%PARSER-6-SUPER_VIEW_EDIT_ADD: view user1 added to superview supuser.

%PARSER-6-SUPER_VIEW_EDIT_ADD: view user2 added to superview supuser.

(From the output above you can see that user-1 and user-2 were added to the superview, so the superview can now run every command that is in user-1 or user-2.)

Router-one-(config)#username supuser view supuser secret supuser
Router-one-(config)#exit

%PARSER-6-SUPER_VIEW_CREATED: super view 'supuser' successfully created.

Router-one-#enable view supuser
Password:

*Feb  1 22:57:11.823: %PARSER-6-VIEW_SWITCH: successfully set to view 'supuser'.

Router-one-#show parser view
Current view is 'supuser'


Ensure the computer can access all views.




Computer#telnet 192.168.1.1
Trying 192.168.1.1 ... Open


User Access Verification

Username: user1
Password:
Router-one->enable view user1
Password:


Router-one-#show ip route
                    ^
% Invalid input detected at '^' marker.

Router-one-#show ip int br
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            192.168.1.1     YES manual up                    up
FastEthernet1/0            10.1.1.1        YES manual up                    up
FastEthernet1/1            192.168.2.1     YES manual up                    up

(user-1 is allowed only two commands: ping and show ip int br.)




Friday, 22 September 2023

How to configure a CDP flood attack? | How to prevent a CDP attack?

In this blog we will see how a CDP flood can take down an enterprise switch or router, and how to prevent this denial-of-service attack. We attack the Cisco Discovery Protocol (CDP) with the help of Yersinia. The attack is very easy to run and very effective, and it is pure denial of service. All we need is a Linux machine and the simulated topology. The protocol we exploit, CDP, is enabled by default on Cisco routers and switches.

Let's take an overview look at CDP:

CDP (Cisco Discovery Protocol) is a Cisco proprietary layer 2 protocol used to collect information about directly connected devices: the hardware platform, software version, addresses and capabilities of each neighbor. This information is very helpful when troubleshooting or documenting the network, which is also why an attacker finds it useful.

This is the topology we are going to use for the lab:



Before starting the lab, here is an overview of what actually happens to the switch during the attack. When we log into a device and run show cdp neighbors, it lists every directly connected device that has CDP enabled, like this:

R1#show cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
switch2          Fas 1/0            178         R S I     Linux Uni Eth 0/0
switch1          Fas 0/0            149         R S I     Linux Uni Eth 0/0

 

We are going to flood the switch with thousands of fake CDP packets using Yersinia. Every fake packet carries a new device ID, so the switch allocates a new neighbor entry for each one; the CDP table grows until memory runs out, and the CPU sits at full utilization processing the flood until the device crashes. Note that this is a resource-exhaustion attack on the control plane, not the CAM-table overflow attack that makes a switch flood frames like a hub.

You will also see a warning like this in the log:

 


*Sep 21 10:02:23.606: %SYS-2-NOMEMORY: No memory available for DSensor Malloc 17

 






Let's see the configuration:



  • configure the topology as per the diagram
  • configure the IP address on the Kali machine
  • check CPU utilization (show processes cpu) before and after the attack
  • run the attack with Yersinia
  • diagnose the attack and prevent it: disable CDP on every interface facing untrusted hosts with no cdp enable (or globally with no cdp run), and leave it on only where it is needed
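The diagnosis step above can be scripted. The following is an added example (not the post's code and not anything from Yersinia or Cisco) that reads "show cdp neighbors" output and syslog lines and flags the two symptoms the post describes: an explosion of distinct neighbors on one interface, because every flood packet carries a fresh device ID, and the %SYS-2-NOMEMORY message. The device output it parses is constructed: the two legitimate neighbor rows copy the post's table, the flood rows and their device IDs and platform string are made up, and the threshold of eight neighbors per interface is an assumption.

```python
"""Detect a CDP flood from "show cdp neighbors" text and syslog lines.
Added example; the sample device output is constructed, not captured."""
import re

# A neighbor row: device ID, local interface (two tokens such as "Fas 0/0"),
# then the numeric holdtime. The header and capability-code lines do not match.
NEIGHBOR_ROW = re.compile(
    r"^(?P<device>\S+)\s+(?P<iface>[A-Za-z]+ [\d/]+)\s+(?P<hold>\d+)\s"
)
NOMEMORY = re.compile(r"%SYS-2-NOMEMORY")


def neighbors_per_interface(show_cdp_output):
    """Count distinct CDP neighbors per local interface."""
    seen = {}
    for line in show_cdp_output.splitlines():
        m = NEIGHBOR_ROW.match(line)
        if m:
            seen.setdefault(m.group("iface"), set()).add(m.group("device"))
    return {iface: len(devs) for iface, devs in seen.items()}


def detect_cdp_flood(show_cdp_output, syslog_lines, max_neighbors=8):
    """Report interfaces with more than max_neighbors distinct neighbors and
    whether the log shows memory exhaustion. The threshold is a judgement call
    (assumed here): an access port should see one neighbor, an uplink a handful."""
    counts = neighbors_per_interface(show_cdp_output)
    flooded = sorted(i for i, n in counts.items() if n > max_neighbors)
    nomem = any(NOMEMORY.search(line) for line in syslog_lines)
    return {
        "neighbors": counts,
        "flooded_interfaces": flooded,
        "memory_exhaustion": nomem,
    }


def build_sample(flood_rows=500):
    """Constructed "show cdp neighbors" text: the post's two real neighbors plus
    flood_rows fake neighbors on Fas 0/0 with made-up device IDs and platform."""
    header = [
        "Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge",
        "                  S - Switch, H - Host, I - IGMP, r - Repeater",
        "",
        "Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID",
        "switch2          Fas 1/0            178         R S I     Linux Uni Eth 0/0",
        "switch1          Fas 0/0            149         R S I     Linux Uni Eth 0/0",
    ]
    fakes = [
        f"{i:08X}         Fas 0/0            {150 + i % 30}         R S I     fake      Eth 0/0"
        for i in range(flood_rows)
    ]
    return "\n".join(header + fakes)


# The syslog line is the one the post shows during the attack.
SAMPLE_SYSLOG = [
    "*Sep 21 10:02:23.606: %SYS-2-NOMEMORY: No memory available for DSensor Malloc 17",
]

if __name__ == "__main__":
    print(detect_cdp_flood(build_sample(), SAMPLE_SYSLOG))
```

A port that suddenly reports hundreds of neighbors is the giveaway, and it also tells you which interface to put no cdp enable on. Tune max_neighbors for your own topology before alerting on it; a port facing a hub or an unmanaged switch can legitimately show several neighbors.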

Wednesday, 14 December 2022

What are the basics of ethical hacking?

 Ethical Hacking (basic)


White-hat hackers, also known as ethical hackers, are professionals with expertise in cybersecurity. They are authorized by the company, and usually certified, to hack its systems. They break in the way an attacker would, but to find weaknesses, never to harm the system: the work is done as part of penetration testing and vulnerability assessments. Ethical hacking is not illegal; in fact it is one of the most in-demand jobs in the IT industry, and many companies hire ethical hackers for penetration testing and vulnerability assessments. The ethical hacker's job is to protect the systems and the network from malicious hackers.








What is hacking?

Hacking is the act of finding the possible entry points into a computer system or network and finally getting in through them. Hacking is usually done to gain unauthorized access, either to damage the system or to steal sensitive information stored on it. Hacking is not always malicious, but the term has mostly negative connotations because of its association with cybercrime. Hacking is legal only when the owner has authorized it, for example to find weaknesses in a computer or network as part of a test.

Types of hacking (BASIC)

We can divide hacking into categories based on what is being attacked.

Here are some basic examples:


Social engineering

Social engineering is a manipulation technique. Using a fake identity and psychological tricks, attackers deceive you into disclosing personal or financial information. They rely on phishing scams, spam emails or instant messages, or fake websites.


Hacking passwords

Attackers use many ways to obtain passwords. In a brute-force attack the attacker tries every possible combination until one works, using simple algorithms to generate combinations of letters, numbers and symbols. Another technique is the dictionary attack, where a program feeds common words into the password field to see if one of them works.

 

 Malware hacking

Attackers infiltrate a user's device to install malware. Most often they reach potential victims via email, instant messages, websites with downloadable content, or peer-to-peer networks.

 

Wireless Networks Hacking

Attackers simply take advantage of open wireless networks. Many people do not secure their Wi-Fi routers, and attackers drive around looking for open and unsecured wireless connections, an activity known as wardriving. Once connected to an unsecured network, an attacker only has to get past basic defences to reach the devices on that network.

 

Website hacking

Hacking a website means taking unauthorized control of a web server and its associated software, such as databases and other interfaces.



Network hacking

Hacking a network means gathering information about it with tools like telnet, nslookup, ping, tracert and netstat, and then using what is found to harm the network or disrupt its operation.


Email hacking

Email hacking means getting unauthorized access to an email account and using it without the owner's consent.

 

 

The advantages of hacking

Hacking is valuable in the following scenarios:

  • when you need to recover lost information, especially a lost password
  • when you want to perform penetration testing to strengthen computer and network security
  • when you need to put adequate preventive measures in place to avoid security breaches
  • when you want a computer system that keeps malicious hackers out

The disadvantages of hacking

Hacking is dangerous when done with harmful intent. It can cause:

  • massive security breaches
  • unauthorized access to private information
  • privacy violations
  • disruption of system operation
  • denial-of-service attacks
  • malicious attacks on the system

Purpose of hacking

There can be positive and negative intentions behind hacking. Here are some probable reasons why people hack:

  • just for fun
  • showing off
  • stealing important information
  • damaging the system
  • violating privacy
  • extorting money
  • testing system security
  • breaking policy compliance

 

Tuesday, 4 October 2022

What are the types of hackers? Free cybersecurity course.

 Types of hackers

Who is a Hacker? 

A hacker is a person highly skilled in information technology who uses those technical skills to overcome an obstacle or achieve a goal within a computer system or network. Nowadays, though, the term is mostly associated with the security hacker: someone who looks for ways to acquire and exploit sensitive personal, financial or organizational information that they are not authorized to access. Legitimate professionals also use hacking skills for lawful purposes.



(A hacker has knowledge of computer networking, programming, cryptography, databases and other information technologies. There is no fixed syllabus for hacking. An ethical hacker in industry normally works to protect the company's data from attackers, finding bugs in the systems and reporting them to the developers.)

We classify hackers into categories such as white hat, black hat and grey hat according to the intention behind their hacking. The terms come from Western films, where the bad guy wears a black cowboy hat and the good guy wears a white one.

White hat hackers

White hat hackers, also known as ethical hackers, are professionals with expertise in cybersecurity. They are authorized by the company, and usually certified, to hack its systems. They break in the way an attacker would, but to find weaknesses, never to harm the system: the work is done as part of penetration testing and vulnerability assessments. Ethical hacking is not illegal; in fact it is one of the most in-demand jobs in the IT industry, and many companies hire ethical hackers for penetration testing and vulnerability assessments. The ethical hacker's job is to protect the systems and the network from malicious hackers.

Black hat hackers.

Black hat hackers are highly skilled and knowledgeable in computer networks but have bad intentions. They break into other systems to steal private data or destroy the system, and they profit from the stolen data by selling it on the black market or using it to harass or extort the target company. It is the intention that makes the hacker a criminal.

 

Grey hat hackers

A grey hat hacker falls between the black and white hats, or we can say is a blend of both. Grey hats are not certified like white hat hackers, and they exploit a security weakness in a computer system or network without the owner's permission or knowledge. They usually do not act with malicious intent: their aim is not to rob people, but to bring the weakness to the owner's attention in hope of appreciation or a small bounty, or simply for the fun of it. Keep in mind that it is the intention behind the hacking that decides the type of hacker, and gaining personal data without permission is what puts someone in the grey hat category.

 

 

Red hat hacker

Red hat hackers are again a blend of black hat and white hat. They usually operate at the top level, for government agencies, top-secret information hubs and anything else that falls under sensitive information. Their methods are the same as the white hat's and so is the intention to defend; the difference is in how they respond. Red hat hackers are ruthless when dealing with black hat hackers or counteracting malware.

 

Blue hat hackers

A blue hat hacker is someone from outside computer security consulting firms who is brought in to bug-test a system before its launch; they look for loopholes that could be exploited and try to close those gaps. Microsoft also uses the term BlueHat for a series of security briefing events.

 

 

Script kiddies

A script kiddie is a non-expert who breaks into computer systems using pre-packaged automated tools written by others; in other words they attack with scripts from other hackers, usually with little understanding of the underlying concepts, hence the term kiddie.

 

 

Hacktivist

A hacktivist is a hacker who uses technology to announce a social, ideological, religious or political message. These hackers often target government websites. They present themselves as activists, hence the name hacktivist. Most hacktivism involves website defacement or denial-of-service attacks.

 

 Neophyte

A neophyte, "noob" or green hat hacker is someone new to hacking or phreaking who has almost no knowledge or experience of how the technology or the hacking works.

 

 

                  

 

What is BGP Allowas-in Feature? How to configure BGP Allowas-in? GNS3

  BGP Allowas-in is a configuration option in Border Gateway Protocol (BGP) routing that allows a router to accept routes with its own AS (A...