Project Proposal
Jared Doll
16 January 2021
Project Name: Penetration Testing a Cisco Based Network
Project Description:
A network will be designed and built with three routers, two switches,
and 4 PCs. The network will feature several known vulnerabilities, which will be
exploited. The vulnerabilities will then be patched and tested again to ensure the
network is more secure. All steps in this process will be extensively
documented to ensure the project is comprehensible to a reader and repeatable.

PC0 and PC1 will act as workstations on the network. They will perform basic tasks
such as ICMP pings to verify connectivity across the network, and SSH sessions
to show vulnerabilities in the network. PC2 will act as a criminal PC that has
breached the network and is now connected to one of the switches within the
network. PC2 will use Kali Linux to brute force an SSH session with R2 and to
decrypt the console and enable passwords of R0. The Kali Linux install on
PC2 will also spoof the physical address of PC1 in order to fool the switchport
security of S1. PC3 will be used exclusively to RDP into PC2 in order to
perform the penetration testing remotely.
Network Equipment:
· 3 x Cisco 2800 Series Router
· 2 x Cisco 3750 Series Switch
· 3 x Windows 10 PC
· 1 Dell T410 server running Windows Server 2016
   o A Kali Linux VM will be run on this server to perform penetration tests on the network
Detailed Objective:
1. Research:
   a. John the Ripper
      i. Deciphering a hashed password into readable text
   b. Nmap
      i. Nmap will be used to discover hosts on the network and discover any services they are actively running
   c. Hydra
      i. Brute forcing SSH credentials using wordlists
   d. Exporting configurations to flash memory on a Cisco router
   e. Macchanger
      i. Macchanger will be used to spoof the MAC address of PC1 to fool switchport security on a 3750 Series switch.
2. Design
   a. Topology
   b. IP Scheme

      Device         | Interface | IP Address
      R0             | Ge0/0     | 192.168.10.1/24
      R0             | Ge0/1     | 10.0.0.1/30
      R1             | Ge0/0     | 10.0.1.1/30
      R1             | Ge0/1     | 10.0.0.2/30
      R1             | S0/0/0    | NA
      R2             | Ge0/0     | 192.168.20.1/24
      R2             | Ge0/1     | 10.0.1.2/30
      PC0            | NIC       | DHCP Assigned
      PC1            | NIC       | DHCP Assigned
      PC2 (Dual NIC) | NIC 1     | DHCP Assigned
      PC2 (Dual NIC) | NIC 2     | 192.168.0.4
      PC3            | NIC       | 192.168.0.2

   c. Basic router hardening
      i. A console and enable password will be set on R0, to be cracked later using John the Ripper on PC2.
   d. DHCP and routing configuration
      i. Implement OSPF routing protocol on all routers and test connectivity across the network.
      ii. Traffic will be allowed anywhere on the intranet.
      iii. Create two DHCP pools on R1 with R0 and R2 as relay agents.
   e. Switchport security on S0 and S1
      i. Switches will use switchport security to implement sticky MAC addresses. If a violation of this rule occurs, packets will be dropped by the switch (protect mode).
   f. SSH configuration on R2
      i. R2 will be configured to allow SSH connections from the 192.168.20.0/24 network.
3. Implementation
   a. Cabling of network (see Topology above)
      i. All cables will be made using Cat5e cable. Cables between all devices will be made using standard T568A pinouts.
      ii. The intranet will be in the basement of the network engineer’s home. Ge0/2 from PC2 will run to the second floor. A cable will need to be run from the second floor to the basement to allow this, with the benefit of allowing the engineer to do most of the penetration testing over RDP from PC3 to PC2, which hosts a Kali Linux VM on its secondary NIC.
   b. Configuring IP addresses and routing protocols on all routers
      i. RIP routing will be implemented.
   c. Configuration of DHCP pools on R1
      i. R1 will act as a DHCP server for both the 192.168.10.0/24 and the 192.168.20.0/24 networks.
   d. Configuring PCs on the network
      i. PCs 0, 1, and 2 will be connected to the appropriate switches and will receive their DHCP configurations from R1.
   e. Macchanger
      i. Macchanger will be used to spoof the MAC address of PC1 to fool switchport security on a 3750 Series switch. Once the MAC address is changed, ICMP requests will be sent across the network to verify switchport security is not dropping packets in protect mode.
   f. Utilizing Nmap
      i. PC1 will initiate an SSH session with R2. Once the session has connected, PC2 will use Nmap to verify an SSH session is occurring on the network.
   g. Utilizing Hydra
      i. With the SSH session discovered on the 192.168.20.0/24 network by PC2, PC2 will then use Hydra to brute force the SSH credentials to R2.
   h. Utilizing John the Ripper
      i. The startup config of R0 will be saved to USB flash storage to imitate a company performing a “backup” of the startup config.
      ii. The USB device will be removed from R0 and plugged into PC2. From here the startup config will be parsed for the encrypted console and enable passwords.
      iii. The encrypted console and enable passwords will be converted into plain text using John the Ripper on PC2.
4. Testing
   a. Confirm initial connectivity between PC0 and PC1 using ICMP requests.
   b. Confirm packets are dropped from Fe0/2 on S1 when PC2 is plugged in instead of PC1 (before Macchanger is used).
   c. Hardening of network:
      i. To prevent the vulnerabilities above from being exploited, the network will be hardened, and the vulnerabilities tested again.
         1. Instead of using USB flash storage for a backup on R0, an FTP server will be used to perform backups.
         2. Instead of switchport security being in “protect mode”, “shutdown mode” will be used to completely shut down the port Fe0/2 until a network administrator brings the port back online.
         3. The SSH password of R2 will be changed to a more complex password. Hydra will be used again to attempt to brute force the SSH session and verify the more complex password is harder to crack.
5. Documentation
   a. Research references
   b. Project plan
   c. Running configurations of all routers and S1 documented before and after hardening
   d. Implementation documentation
      i. Nmap scan
      ii. Hydra exploit
      iii. Macchanger exploit
      iv. FTP backup of startup configuration
   e. Weekly journals
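
For the "before and after hardening" configuration review in steps 4.c and 5.c, the following added example (not part of the original proposal) checks a saved configuration for the settings the plan relies on: reversible passwords in the backed-up config and a switchport security violation mode other than shutdown. The names `parse_blocks`, `audit` and `SAMPLE_CONFIG` are hypothetical, and the sample configuration is constructed.

```python
import re

# Constructed sample merging lines of the kind found on R0 (passwords) and S1
# (port security); the password strings are placeholders, not real values.
SAMPLE_CONFIG = """\
enable password 7 XXXXXXXXXXXX
!
interface FastEthernet0/1
 switchport port-security
!
interface FastEthernet0/2
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security violation protect
!
line con 0
 password 7 XXXXXXXXXXXX
"""

def parse_blocks(text):
    # Group config lines into (header, [indented sub-commands]); skip "!" separators.
    blocks = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0].isspace() and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks

def audit(text):
    # Return (location, finding) pairs for the weak settings named in the proposal.
    findings = []
    for header, subs in parse_blocks(text):
        if re.match(r"enable password\b", header):
            findings.append(("global", "enable password set; use enable secret"))
        if header.startswith("line "):
            for s in subs:
                m = re.match(r"password(?: (\d+))? \S+", s)
                if m and m.group(1) in (None, "0", "7"):
                    findings.append((header, "password is clear text or reversible type 7"))
        if header.startswith("interface ") and "switchport port-security" in subs:
            modes = [s.split()[-1] for s in subs
                     if s.startswith("switchport port-security violation ")]
            mode = modes[-1] if modes else "shutdown"  # IOS default is not written out
            if mode != "shutdown":
                findings.append((header, f"violation mode '{mode}' leaves the port up"))
    return findings
```

Calling `audit(SAMPLE_CONFIG)` reports the enable password, Fe0/2 and the console line. A cloned MAC address does not trigger a violation in any mode, so this check confirms the configured response to a violation, not resistance to spoofing.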
Time Estimate in hours:

Research | Design | Implementation | Testing | Documentation | Total
5        | 5      | 20             | 5       | 10            | 50

Cost Estimate:
The equipment still needed for this project is all of the switches and routers
included in the topology above. The equipment will be sourced secondhand from
ebay.com at a cost estimate of $250.
Topologies:
Initial Topology:
Topology changes:
The topology will remain the same throughout the project with the
exception of PC2 replacing PC1 at Fe0/2 on S1 to perform the Macchanger exploit.