Senior Project Description
JARED DOLL
2021

Contents

Overview

Acquiring Hardware

Setting up hardware

Cabling Hardware

Configuring Network Devices

R1

R0

R2

S0

S1

Testing configuration

Exploit 1

Executing the Exploit

Remediating Exploit 1

Exploit 2

Remediating Exploit 2

Exploit 3

Discovering SSH Session

Using Hydra to Brute Force SSH Credentials

Remediating Exploit 3

Project Description

Overview:

In this project, a simple network will be built from three Cisco 2800 Series routers and two Cisco 2960 Series switches. The network will use RIP routing and a DHCP server on one router to configure the end devices that connect to it. Once the network is configured, a set of penetration tests will be performed to test its integrity. The project will finish with fixes for the vulnerabilities discovered in the network.

 

Acquiring Hardware:

The first task in this project is to acquire the necessary hardware. The following items will be used in this project:

·         3 x Cisco 2800 Series Router

·         2 x Cisco 3750 Series Switch

·         2 x Windows 10 PC

·         1 x Server running Windows Server 2016

·         1 Tabletop 12U desk rack (optional)

·         50 Ft Cat5e cable

·         1 Ethernet crimping tool and RJ45 caps

·         1 USB thumb drive (1GB minimum)

·         1 USB thumb drive containing a bootable install of Kali Linux.

The most economical way to acquire these items was found to be eBay.com. Searching “CCNA Lab Kit” on eBay.com turns up a wide range of kits that include the hardware above. Note that shipping will be expensive and slow (around 2 weeks) given the weight and size of these kits.

Setting up hardware:

Once the networking equipment arrives, take inventory of all pieces. Plug each appliance in to verify it powers on, and connect to the console port of each device to ensure it boots correctly. If the optional 12U rack was purchased, mount the three routers at the bottom of the rack, as they are the heaviest, and the switches at the top. See the example mounting configuration below:

From here on, the devices will be referred to by their assigned names in the project topology. R0 will be the top router in the rack, R1 the middle router, and R2 the bottom. S0 will be the top switch and S1 the bottom. This will matter in the cabling steps below.


 

Cabling Hardware:

With the devices mounted in the rack, it is time to cable the hardware. Seven cables in total will be made. The steps below outline the cabling process.

1.      Create two cables of one-foot length each. These cables will connect R0 to R1 and R1 to R2.

2.      Create two cables of three-foot length each. These cables will connect R0 to S0 and R2 to S1.

3.      Create three cables of five-foot length each to connect end devices to S0 and S1.

4.      Connect cables to appropriate ports as defined in the network topology.

The ports to which each device connects are shown in the topology diagram below:


 

Configuring Network Devices:

All networking devices will require a configuration except S1, which will function fine with its default configuration. R1 will be configured first, as it will act as the DHCP server for the rest of the network.

R1:

Basic Setup:

1.      Connect a console cable to R1.

2.      Enter global configuration mode on R1.

3.      Set the hostname to R1 with the command “hostname R1”

4.      Set an enable password with command “username Admin password Graduate”

5.      Encrypt password with command “Service password-encryption”

IP Configuration:

1.      Enter interface Ge0/0 with command “interface gigabitethernet0/0”

2.      Set the IP address on interface Ge0/0 with the command: “ip address 10.0.1.1 255.255.255.252”

3.      Set the port status to up with command “no shutdown”

4.      Enter interface Ge0/1 with command “interface gigabitethernet0/1”

5.      Set the IP address on interface Ge0/1 with the command: “ip address 10.0.0.2 255.255.255.252”

6.      Set the port status to up with command “no shutdown”

Routing configuration:

1.      From global configuration mode enter the command “router RIP”

2.      Use RIP version two with command “version 2”

3.      Enter the network with command “network 10.0.0.0”

DHCP Configuration:

1.      Create a DHCP pool for the R0 network with the command: “ip dhcp pool R0”

2.      Define the R0 network with the command “network 192.168.10.0 255.255.255.0”

3.      Set the default router with the command “default-router 192.168.10.1”

4.      Create a DHCP pool for the R2 network with the command: “ip dhcp pool R2”

5.      Define the R2 network with the command “network 192.168.20.0 255.255.255.0”

6.      Set the default router with the command “default-router 192.168.20.1”

7.      Exit DHCP setup with command “exit”

8.      Exclude DHCP addresses for R0 with command “ip dhcp excluded-address 192.168.10.1 192.168.10.10”

9.      Exclude DHCP addresses for R2 with command “ip dhcp excluded-address 192.168.20.1 192.168.20.10”

Save configurations:

1.      Save the running configuration to the startup configuration with the command: “Copy run start”

 

R0:

Basic Setup:

1.      Connect a console cable to R0.

2.      Enter global configuration mode on R0.

3.      Set the hostname to R0 with the command “hostname R0”

4.      Set an enable password with command “username Admin password Graduate”

5.      Set a console password by entering line con 0 and entering the command “password project”

6.      Encrypt password with command “Service password-encryption”

 

IP Configuration:

1.      Enter interface Ge0/0 with command “interface gigabitethernet0/0”

2.      Set the IP address on interface Ge0/0 with the command: “ip address 192.168.10.1 255.255.255.0”

3.      Set the DHCP helper address with command: “ip helper-address 10.0.0.2”

4.      Set the port status to up with command “no shutdown”

5.      Enter interface Ge0/1 with command “interface gigabitethernet0/1”

6.      Set the IP address on interface Ge0/1 with the command: “ip address 10.0.0.1 255.255.255.252”

7.      Set the port status to up with command “no shutdown”

Routing configuration:

1.      From global configuration mode enter the command “router RIP”

2.      Use RIP version two with command “version 2”

3.      There are two networks to add on this Router. Enter the networks with commands “network 10.0.0.0” and “network 192.168.10.0”

Save configurations:

1.      Save the running configuration to the startup configuration with the command: “Copy run start”

2.      Insert the USB thumb drive into R0 and enter the command “copy run flash:”

 

 

R2:

Basic Setup:

1.      Connect a console cable to R2.

2.      Enter global configuration mode on R2.

3.      Set the hostname to R2 with the command “hostname R2”

4.      Set an enable password with command “username Admin password Graduate”

5.      Encrypt password with command “Service password-encryption”

IP Configuration:

1.      Enter interface Ge0/0 with command “interface gigabitethernet0/0”

2.      Set the IP address on interface Ge0/0 with the command: “ip address 192.168.20.1 255.255.255.252”

3.      Set the DHCP helper address with command: “ip helper-address 10.0.1.1”

4.      Set the port status to up with command “no shutdown”

5.      Enter interface Ge0/1 with command “interface gigabitethernet0/1”

6.      Set the IP address on interface Ge0/1 with the command: “ip address 10.0.1.2 255.255.255.252”

7.      Set the port status to up with command “no shutdown”

Routing configuration:

1.      From global configuration mode enter the command “router RIP”

2.      Use RIP version two with command “version 2”

3.      There are two networks to add on this Router. Enter the networks with commands “network 10.0.0.0” and “network 192.168.20.0”

SSH configuration:

1.      From Global configuration mode, set a domain name on the router with the command “IP domain-name doll.com”

2.      Generate crypto keys with the command “crypto key generate rsa”; at the prompt, enter 2048.

3.      Set SSH version to 2 using command “ip ssh version 2”

4.      Enter virtual line configuration with the command “line vty 0 4”

5.      Set logins to local logins with command “login local”

6.      Set the transport type to SSH with command “transport input SSH”

Save configurations:

1.      Save the running configuration to the startup configuration with the command: “Copy run start”

 

S0:

Basic Setup:

1.      Connect a console cable to S0.

2.      Enter global configuration mode on S0.

3.      Set the hostname to S0 with the command “hostname S0”

4.      Enter interface f1/0/2 using the command “Int f1/0/2”

5.      Set the switchport mode to access using the command “Switchport mode access”

6.      Enable port security on the switchport using the command “Switchport port-security”

7.      Set maximum devices for the interface to 1 using the command “switchport port-security maximum 1”

8.      Set the violation mode to protect using the command “switchport port-security violation protect”

9.      Configure the port with PC0’s MAC address by connecting PC0 to the switchport and entering the command “switchport port-security mac-address sticky”.

S1:

Basic Setup:

S1 will not need to be configured for this project. However, to make sure the switch does not carry an existing configuration, follow the steps below:

1.      Erase the current startup configuration using the command “write erase”

2.      Reload the switch using the command “reload”


 

Testing configuration:

The following pings and SSH attempts will verify network connectivity:

Ping from PC2 to R2:

Ping from R2 to R1:

Ping from R1 to R0:

Ping from PC2 to PC0:

SSH from PC2 to R2:

Exploit 1:

The first exploit deciphers the encrypted passwords in the startup configuration of R0. This simulates a network administrator backing up configurations to a USB flash drive inserted into the router. The USB drive is then “stolen” by the author of this project and its contents deciphered. Below are the steps to set up the exploit:

1.      Insert a USB flash drive into the USB port of R0

2.      From user EXEC mode, enter the command “copy startup-config usb:r0startupconfig”


 

Executing the Exploit:

The routers used in this project store passwords as Cisco type 7 by default. Type 7 is a reversible encoding rather than real encryption, so the stored string can be turned back into the plaintext with the same algorithm. Publicly available scripts perform this process on a given router configuration. The script used in this project can be found at https://github.com/theevilbit/ciscot7/blob/master/ciscot7.py. To decipher the passwords on R0, follow the steps below:

1.      Remove the flash drive from the USB port of R0

2.      Insert the flash drive into the USB port of PC1

3.      Retrieve the Python script found at the link above and save the file as Cisco7Cracker.py

4.      Place the file r0startupconfig and Cisco7Cracker.py in the same directory,

5.      Open a command prompt and navigate to the directory the files are saved in.

6.      In the command prompt, enter the command “Cisco7Cracker.py -f r0startupconfig”

7.      The output of the command will include all the decrypted Cisco 7 passwords within the file as shown below
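As an added example (not code from the project or from the ciscot7 script linked above), the following Python shows why the exploit works and how to audit a backed-up configuration for it: type 7 is a fixed-key XOR, so the decoder needs no secret, and every “password 7” line in a config backup is effectively plaintext. The sample configuration is constructed here; the “cisco” entry is the widely published test vector and the other two use the passwords this project assigns.

```python
import re

# Cisco type 7 XORs each password byte with a byte of a fixed, publicly
# known 53-character key; the first two digits of the stored string give
# the starting offset into that key. No secret is involved, so anyone
# holding the configuration file can reverse it.
XLAT = "dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_decode(enc: str) -> str:
    """Recover the plaintext behind a 'password 7 <hex>' string."""
    if len(enc) < 4 or len(enc) % 2 or not enc[:2].isdigit():
        raise ValueError("not a well-formed type 7 string")
    offset = int(enc[:2])
    chars = []
    for i in range(2, len(enc), 2):
        key = ord(XLAT[(offset + (i - 2) // 2) % len(XLAT)])
        chars.append(chr(int(enc[i:i + 2], 16) ^ key))
    return "".join(chars)


def type7_encode(plain: str, offset: int = 8) -> str:
    """Produce the form IOS stores; used here only to build the sample."""
    parts = [f"{offset:02d}"]
    for i, ch in enumerate(plain):
        parts.append(f"{ord(ch) ^ ord(XLAT[(offset + i) % len(XLAT)]):02X}")
    return "".join(parts)


# Constructed stand-in for the r0startupconfig file copied to USB. The
# enable line is the well-known 'cisco' test vector; the other two encode
# the passwords this project assigns. Nothing here came from a real device.
SAMPLE_CONFIG = f"""hostname R0
service password-encryption
enable password 7 0822455D0A16
username Admin password 7 {type7_encode('Graduate', 2)}
username Ops secret 5 $1$SALT$placeholder.md5.hash.not.type7...
line con 0
 password 7 {type7_encode('project', 11)}
 login
"""

# Type 7 strings follow 'password' or 'key' (TACACS/RADIUS/SNMP) in IOS.
TYPE7_RE = re.compile(r"^\s*(.*\b(?:password|key)\s+7\s+([0-9A-Fa-f]+))\s*$", re.M)


def audit_config(config_text: str) -> list:
    """List every reversible credential with the line it came from.
    Any hit means the backup itself leaks credentials; the durable fix is
    'secret' (hashed type 5/8/9) rather than 'service password-encryption'."""
    return [
        {"line": m.group(1).strip(), "plaintext": type7_decode(m.group(2))}
        for m in TYPE7_RE.finditer(config_text)
    ]


if __name__ == "__main__":
    for hit in audit_config(SAMPLE_CONFIG):
        print(f"{hit['line']:<45} -> {hit['plaintext']}")
```

The type 5 “secret” line is deliberately not reported: a hashed secret survives a stolen backup in a way a type 7 string never does.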


 

Remediating Exploit 1:

To prevent router configurations from being stolen from a USB drive, an FTP server will be used to back up the running configuration of R0. Follow the steps below to create an FTP server on Windows Server 2016 and back up the running configuration to it.

1.      Best practice when running a network server is to give it a static IP address. Assign the NIC connected to the test network the IP address 192.168.20.12 from command center. The subnet mask will be 255.255.255.0 and the default gateway 192.168.20.1.

2.      Within Server manager select “add roles and features”

3.      Under server roles, add web server (IIS) to the server and select next to finish the install.

4.      Within server manager, select tools>IIS manager.

5.      Within the IIS Manager, expand the local Server and right click sites. Select “Add FTP site”

6.      In the box that appears, name the server “FTP Server” and select a path for the FTP server. Click Next.

7.      Under IP address binding, select the statically assigned IP address created in step one. Select “No SSL” and click next.

8.      In the next pane select Anonymous and basic authentication

9.      Click Finish to finish the FTP set up.

10.  In the FTP server, click “FTP authentication”

11.  Right-click “anonymous authentication” and click edit.

12.  Add a username and password for R0

13.  Log in to R0 via console connection

14.  From Global configuration mode, set the FTP username to the same username set in step 12 using command “ip ftp username R0”

15.  Set the FTP password to the password set in step 12 using command “ip ftp password PASSWORD”

16.  Exit global configuration mode.

17.  Back up the running configuration to the FTP server using the command “copy running-conf ftp” at the prompt enter the IP address of the server (192.168.20.12).

18.  Verify the file was transferred by navigating to the FTP directory created on the server.


 

Exploit 2:

The second exploit spoofs the MAC address of PC0 from Kali Linux to fool the switchport security on S0. For this exploit, Kali Linux must run either as the host operating system or from a bootable USB on a host. This exploit will NOT work from a Kali Linux virtual machine.

1.      Retrieve the MAC address of PC0 with the command ipconfig /all.

2.      Boot PC1 into Kali Linux using a bootable USB drive.

3.      Upon booting into Kali Linux, remove the Ethernet cable running from PC0 to Fe1/0/2 on S0.

4.      Plug PC1 into Fe1/0/2 on S0.

5.      Verify the connection is not working and packets are being dropped. This can be done by running “ifconfig” in a terminal and noting that PC1 is not receiving a DHCP address.

6.      Shut down the Ethernet port on PC1 using the command “ifconfig eth0 down”

7.      Change the MAC address of PC1 to the MAC address of PC0 using the command “macchanger -m xx:xx:xx:xx:xx:xx eth0”

8.      Bring the Ethernet port of PC1 back up using the command “ifconfig eth0 up”

9.      Verify that packets are no longer being dropped from PC1 using the command “ifconfig”; a DHCP address should now be resolved and assigned by the server.


 

Remediating Exploit 2:

To remediate this exploit, the port-security violation mode on interface f1/0/2 will be changed from protect to shutdown. When an unauthorized machine is plugged into the port on S0, the switch will disable the port entirely until a system administrator brings it back online. To do so, follow the steps below:

1.      From global configuration mode on S0, enter interface f1/0/2 using the command “int f1/0/2”

2.      Set the security violation mode to shutdown using the command “switchport port-security violation shutdown”

 


 

Exploit 3:

Exploit three involves detecting an SSH session on the Network using the Nmap tool within Kali Linux. Once the session is discovered, Hydra will be used to crack the SSH password on R2 and gain access to the device. The steps below will walk through this process in its entirety.

Discovering SSH Session:

1.      From PC1, SSH into R2 (192.168.20.1) using Putty.

2.      From the Kali Linux VM on PC2, open a terminal, and run the command “sudo nmap 192.168.20.1”. This command will show any open ports on the target machine. As shown in the screenshot below, port 22 (SSH) should be open on the device.

 

3.      It is now time to begin working with Hydra to crack the SSH password.


 

Using Hydra to Brute Force SSH Credentials:

A few changes must be made before Hydra is ready to use. A password list will be pulled from John the Ripper, and the key exchange algorithms offered by the Kali Linux machine must be altered so it can SSH to the antiquated Cisco routers.

1.      Open a terminal and navigate to the John the Ripper directory using the command “cd /usr/share/john”

2.      Move the password.txt file to the user’s desktop directory. While this step isn’t strictly necessary, it keeps things simple and prevents this exploit from impacting John in the future. The command to move the file is “mv password.txt /home/jdoll/Desktop”

3.      Navigate to the SSH configuration files on the Kali box using the command “cd /etc/ssh”

4.      The sshd_config file will need to be altered to allow Kali to use the Diffie-Hellman key exchange offered by the Cisco routers. Open the file in the vi editor using the command “vi sshd_config”.

5.      Add a section to the file called “legacy changes” and within it add the lines “KexAlgorithms +diffie-hellman-group1-sha1” and “Ciphers +aes256-cbc”. The final product should match the screenshot below.

6.      Save changes and close the file.

7.      Verify SSH connectivity from the Kali Linux machine to R2 by entering the command “ssh 192.168.20.1”

8.      If the terminal prompts for a username the test is successful.

9.      To obtain the SSH password Hydra will be used. The command used will be “hydra -l Admin -P /home/jdoll/Desktop/password.txt 192.168.20.1 ssh -t 4”

*Breakdown of the above command: the -l option assigns a username to use during brute force attempts, in this case “Admin”. -P designates the password list to use, in this case the list taken from John. -t designates the number of parallel SSH sessions Kali opens at once; in this case 4 sessions will be used.

10.  Hydra will run and begin brute forcing passwords using the password list provided.

NOTE: This is a lengthy process that can take hours.

Once Hydra has finished running, the correct Username and Password to SSH into R2 will be displayed as shown in the screenshot below:


 

Remediating Exploit 3:

The easiest and most effective way to protect against Hydra attacks is to use long, complex passwords. To protect the network, a complex password will be set, and Hydra will be run again to verify that the network is better protected.

1.      Log in to R2 via a console session.

2.      From global configuration mode, set a complex password using the command “username Admin password 2Good4Hyrda!”

3.      From the Kali Linux install, run the same Hydra command of “hydra -l Admin -P /home/jdoll/Desktop/password.txt 192.168.20.1 ssh -t 4”

4.      Hydra will run for an extended period of time as it runs through the entire password list. A password will not be discovered.

In the screenshot below, Hydra was run for nearly an hour with no passwords discovered:
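An added example for the defensive side of Exploit 3 (not part of the project): a complex password makes the Hydra run fail, but the attempts themselves are also visible. Once R2 is configured with “login on-failure log”, IOS records every failed SSH login in syslog, and this Python script, run over constructed sample lines, flags any source with five or more failures inside a 60-second window, the same threshold IOS’s own “login block-for 120 attempts 5 within 60” uses to lock the VTY lines. The message layout, hostnames and addresses in the sample are assumed, not captured from the lab.

```python
import re
from collections import defaultdict
from datetime import datetime

# Message R2 logs for each failed SSH login once 'login on-failure log' is
# configured (IOS Login Enhancements). The zone token is skipped so that
# strptime does not have to interpret it.
FAILED_RE = re.compile(
    r"%SEC_LOGIN-4-LOGIN_FAILED: Login failed \[user: (?P<user>\S+)\] "
    r"\[Source: (?P<src>[\d.]+)\] \[localport: (?P<port>\d+)\].*? at "
    r"(?P<time>\d{2}:\d{2}:\d{2}) \w+ (?P<date>\w{3} \w{3} \d{1,2} \d{4})"
)

# Constructed syslog sample: an admin at 192.168.20.12 mistypes once and
# then logs in; 192.168.20.50 then produces the kind of burst a Hydra run
# with -t 4 generates, plus one stray failure far outside any 60 s window.
SAMPLE_LOG = """\
R2: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: Admin] [Source: 192.168.20.12] [localport: 22] [Reason: Login Authentication Failed] at 13:55:40 UTC Mon Mar 1 2021
R2: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: Admin] [Source: 192.168.20.12] [localport: 22] at 13:55:52 UTC Mon Mar 1 2021
R2: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: Admin] [Source: 192.168.20.50] [localport: 22] [Reason: Login Authentication Failed] at 14:02:11 UTC Mon Mar 1 2021
R2: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: Admin] [Source: 192.168.20.50] [localport: 22] [Reason: Login Authentication Failed] at 14:02:11 UTC Mon Mar 1 2021
R2: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: Admin] [Source: 192.168.20.50] [localport: 22] [Reason: Login Authentication Failed] at 14:02:12 UTC Mon Mar 1 2021
R2: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: Admin] [Source: 192.168.20.50] [localport: 22] [Reason: Login Authentication Failed] at 14:02:12 UTC Mon Mar 1 2021
R2: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: Admin] [Source: 192.168.20.50] [localport: 22] [Reason: Login Authentication Failed] at 14:02:13 UTC Mon Mar 1 2021
R2: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: Admin] [Source: 192.168.20.50] [localport: 22] [Reason: Login Authentication Failed] at 14:02:13 UTC Mon Mar 1 2021
R2: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: Admin] [Source: 192.168.20.50] [localport: 22] [Reason: Login Authentication Failed] at 14:30:00 UTC Mon Mar 1 2021
"""


def detect_bruteforce(log_text: str, attempts: int = 5, within: int = 60) -> dict:
    """Flag every source with at least `attempts` failed logins inside any
    `within`-second window, the threshold 'login block-for 120 attempts 5
    within 60' acts on. Returns {source: {failures_in_window, users}}."""
    times = defaultdict(list)
    users = defaultdict(set)
    for m in FAILED_RE.finditer(log_text):
        stamp = datetime.strptime(f"{m['time']} {m['date']}", "%H:%M:%S %a %b %d %Y")
        times[m["src"]].append(stamp)
        users[m["src"]].add(m["user"])
    alerts = {}
    for src, stamps in times.items():
        stamps.sort()
        worst, start = 0, 0
        for end, t in enumerate(stamps):  # sliding window over sorted failures
            while (t - stamps[start]).total_seconds() > within:
                start += 1
            worst = max(worst, end - start + 1)
        if worst >= attempts:
            alerts[src] = {"failures_in_window": worst, "users": sorted(users[src])}
    return alerts


if __name__ == "__main__":
    for src, info in detect_bruteforce(SAMPLE_LOG).items():
        print(f"{src}: {info['failures_in_window']} failures in 60 s, users {info['users']}")
```

The single admin typo never reaches the threshold, while the burst from 192.168.20.50 does; the stray failure at 14:30 shows that the window, not the lifetime total, decides.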