Task 1: Configure uRPF on the Cisco IOS Router
Open a terminal in Kali Linux (192.168.1.110) and use nping to perform an IP spoofing attack: ping the CSRv WAN IP address 192.168.1.140 with the spoofed source IP 10.1.1.20 (the CSRv LAN IP).
root@kali:~# nping 192.168.1.140 -S 10.1.1.20

Starting Nping 0.7.80 ( https://nmap.org/nping ) at 2019-12-05 02:13 EST
SENT (0.0504s) ICMP [10.1.1.20 > 192.168.1.140 Echo request (type=8/code=0) id=33489 seq=1] IP [ttl=64 id=14042 iplen=28 ]
SENT (1.0522s) ICMP [10.1.1.20 > 192.168.1.140 Echo request (type=8/code=0) id=33489 seq=2] IP [ttl=64 id=14042 iplen=28 ]
SENT (2.0538s) ICMP [10.1.1.20 > 192.168.1.140 Echo request (type=8/code=0) id=33489 seq=3] IP [ttl=64 id=14042 iplen=28 ]
SENT (3.0564s) ICMP [10.1.1.20 > 192.168.1.140 Echo request (type=8/code=0) id=33489 seq=4] IP [ttl=64 id=14042 iplen=28 ]
SENT (4.0585s) ICMP [10.1.1.20 > 192.168.1.140 Echo request (type=8/code=0) id=33489 seq=5] IP [ttl=64 id=14042 iplen=28 ]

Max rtt: N/A | Min rtt: N/A | Avg rtt: N/A
Raw packets sent: 5 (140B) | Rcvd: 0 (0B) | Lost: 5 (100.00%)
Nping done: 1 IP address pinged in 5.10 seconds
Configure unicast Reverse Path Forwarding (uRPF) on both the CSRv WAN and LAN interfaces.
CSRv(config)#interface g1
CSRv(config-if)#ip verify ?
  unicast  Enable per packet validation for unicast

CSRv(config-if)#ip verify unicast ?
  notification  drop-rate notify
  reverse-path  Reverse path validation of source address (old command format)
  source        Validation of source address

CSRv(config-if)#ip verify unicast source ?
  reachable-via  Specify reachability check to apply to the source address

CSRv(config-if)#ip verify unicast source reachable-via ?
  any  Source is reachable via any interface
  rx   Source is reachable via interface on which packet was received

CSRv(config-if)#ip verify unicast source reachable-via rx ?
  <1-199>          IP access list (standard or extended)
  <1300-2699>      IP expanded access list (standard or extended)
  allow-default    Allow default route to match when checking source address
  allow-self-ping  Allow router to ping itself (opens vulnerability in verification)
  l2-src           Check packets arrive with correct L2 source address
  <cr>

CSRv(config-if)#ip verify unicast source reachable-via rx allow-default
CSRv(config)#interface loopback1
CSRv(config-if)#ip verify unicast source ?
  reachable-via  Specify reachability check to apply to the source address

CSRv(config-if)#ip verify unicast source reachable-via ?
  any  Source is reachable via any interface
  rx   Source is reachable via interface on which packet was received

CSRv(config-if)#ip verify unicast source reachable-via rx
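The decision the router makes for each packet is easy to lose in the CLI help text, so here is a small model of it in Python. This is an added example, not code from the page or from Cisco: a hypothetical forwarding table (`Fib`, built from the lab's own addressing: the WAN subnet and a default route out GigabitEthernet1, the LAN subnet behind Loopback1) and a `urpf_check` function that applies the strict (`reachable-via rx`) or loose (`reachable-via any`) check, with and without `allow-default`. It goes beyond the single case the lab runs, so the same packet can be tried under each mode, including the reason a WAN interface with a default route needs `allow-default` before legitimate Internet sources pass strict mode. The same logic applies to the ASA anti-spoofing check in Task 2.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    """One FIB entry: a destination prefix and the interface used to reach it."""
    prefix: ipaddress.IPv4Network
    out_iface: str


class Fib:
    """Minimal forwarding table with longest-prefix-match lookup (hypothetical, not IOS code)."""

    def __init__(self, routes):
        self.routes = list(routes)

    def lookup(self, addr):
        addr = ipaddress.IPv4Address(addr)
        best = None
        for route in self.routes:
            if addr in route.prefix:
                if best is None or route.prefix.prefixlen > best.prefix.prefixlen:
                    best = route
        return best


def urpf_check(fib, src_ip, in_iface, mode="rx", allow_default=False):
    """Decide whether a packet with source src_ip arriving on in_iface passes uRPF.

    mode="rx"  models 'ip verify unicast source reachable-via rx'  (strict mode)
    mode="any" models 'ip verify unicast source reachable-via any' (loose mode)
    allow_default models the 'allow-default' keyword: without it, a source that
    matches only the default route fails the check.
    Returns (verdict, reason) with verdict "pass" or "drop".
    """
    route = fib.lookup(src_ip)
    if route is None:
        return "drop", "no route back to the source address"
    if route.prefix.prefixlen == 0 and not allow_default:
        return "drop", "source matches only the default route and allow-default is not set"
    if mode == "any":
        return "pass", f"loose mode: a route to the source exists via {route.out_iface}"
    if mode != "rx":
        raise ValueError(f"unknown uRPF mode {mode!r}")
    if route.out_iface == in_iface:
        return "pass", "strict mode: best path to the source is the receiving interface"
    return "drop", (f"strict mode: best path to the source is {route.out_iface}, "
                    f"but the packet arrived on {in_iface}")


# Constructed FIB mirroring the lab addressing on this page: the WAN subnet and a
# default route point out GigabitEthernet1, the LAN subnet lives behind Loopback1.
LAB_FIB = Fib([
    Route(ipaddress.IPv4Network("192.168.1.0/24"), "GigabitEthernet1"),
    Route(ipaddress.IPv4Network("10.1.1.0/24"), "Loopback1"),
    Route(ipaddress.IPv4Network("0.0.0.0/0"), "GigabitEthernet1"),
])


def lab_scenarios():
    """Replay the page's spoofed ping plus a few variants; returns {name: verdict}."""
    cases = {
        # The lab's spoofed packet: LAN source 10.1.1.20 arriving on the WAN interface.
        "spoofed_lan_source_on_wan_strict": ("10.1.1.20", "GigabitEthernet1", "rx", True),
        # Same packet under loose mode: some route to the source exists, so it passes.
        "spoofed_lan_source_on_wan_loose": ("10.1.1.20", "GigabitEthernet1", "any", True),
        # Kali's real address is on the WAN subnet, so strict mode accepts it.
        "genuine_wan_host": ("192.168.1.110", "GigabitEthernet1", "rx", True),
        # A constructed Internet source (203.0.113.7 is a documentation address),
        # with and without allow-default on the WAN interface.
        "internet_source_allow_default": ("203.0.113.7", "GigabitEthernet1", "rx", True),
        "internet_source_no_allow_default": ("203.0.113.7", "GigabitEthernet1", "rx", False),
    }
    return {name: urpf_check(LAB_FIB, *args)[0] for name, args in cases.items()}


if __name__ == "__main__":
    for name, verdict in lab_scenarios().items():
        print(f"{name:36s} {verdict}")
```

The loose-mode case is the one to take away: with `reachable-via any` the spoofed 10.1.1.20 source would still be forwarded, because a route to 10.1.1.0/24 exists somewhere in the table. Strict mode catches it because that route does not point back out GigabitEthernet1. Strict mode is only safe where routing is symmetric, which is why the lab uses it on a single-homed edge.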
Run nping again to launch the IP spoofing attack, then verify the uRPF statistics with the show ip interface command. Notice that the verification drops counter has incremented.
CSRv#show ip interface g1
GigabitEthernet1 is up, line protocol is up
  Internet address is 192.168.1.140/24
  Broadcast address is 255.255.255.255
  Address determined by setup command
  MTU is 1500 bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  Outgoing Common access list is not set
  Outgoing access list is not set
  Inbound Common access list is not set
  Inbound access list is not set
  Proxy ARP is enabled
  Local Proxy ARP is disabled
  Security level is default
  Split horizon is enabled
  ICMP redirects are always sent
  ICMP unreachables are always sent
  ICMP mask replies are never sent
  IP fast switching is enabled
  IP Flow switching is disabled
  IP CEF switching is enabled
  IP CEF switching turbo vector
  IP Null turbo vector
  Associated unicast routing topologies:
        Topology "base", operation state is UP
  IP multicast fast switching is enabled
  IP multicast distributed fast switching is disabled
  IP route-cache flags are Fast, CEF
  Router Discovery is disabled
  IP output packet accounting is disabled
  IP access violation accounting is disabled
  TCP/IP header compression is disabled
  RTP/IP header compression is disabled
  Probe proxy name replies are disabled
  Policy routing is disabled
  Network address translation is enabled, interface in domain outside
  BGP Policy Mapping is disabled
  Input features: Virtual Fragment Reassembly, uRPF, NAT Outside, MCI Check
  Output features: Post-routing NAT Outside
  IPv4 WCCP Redirect outbound is disabled
  IPv4 WCCP Redirect inbound is disabled
  IPv4 WCCP Redirect exclude is disabled
  IP verify source reachable-via RX, allow default
   10 verification drops
   0 suppressed verification drops
   0 verification drop-rate
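Checking the counter by eye works for a lab, but in production you would want to pull the uRPF block out of show ip interface output and compare snapshots, so that a rising verification drops counter can feed a monitoring alert. The following is an added example, not part of the page: a small parser for the uRPF lines of the show ip interface output and a `drop_delta` helper that compares two snapshots. The "after" snapshot carries the counters shown above; the "before" snapshot and its 5 drops are constructed for illustration. The parser also reports `mode` as `None` when an interface has no uRPF configured, so the same check catches interfaces where the feature was never enabled.

```python
import re

# Constructed excerpts of 'show ip interface g1' taken before and after a spoofed
# ping. The 'after' counters are the ones shown on this page; the 'before' values
# are assumed for illustration.
SHOW_IP_INTERFACE_BEFORE = """\
GigabitEthernet1 is up, line protocol is up
  Internet address is 192.168.1.140/24
  Input features: Virtual Fragment Reassembly, uRPF, NAT Outside, MCI Check
  IP verify source reachable-via RX, allow default
   5 verification drops
   0 suppressed verification drops
   0 verification drop-rate
"""

SHOW_IP_INTERFACE_AFTER = """\
GigabitEthernet1 is up, line protocol is up
  Internet address is 192.168.1.140/24
  Input features: Virtual Fragment Reassembly, uRPF, NAT Outside, MCI Check
  IP verify source reachable-via RX, allow default
   10 verification drops
   0 suppressed verification drops
   0 verification drop-rate
"""

# Constructed output for an interface where uRPF was never enabled.
SHOW_IP_INTERFACE_NO_URPF = """\
GigabitEthernet2 is up, line protocol is up
  Internet address is 10.1.1.20/24
  Input features: MCI Check
"""

_IFACE_RE = re.compile(r"^(\S+) is (\w+), line protocol is (\w+)", re.M)
_VERIFY_RE = re.compile(r"^\s*IP verify source reachable-via (RX|ANY)(, allow default)?", re.M | re.I)
_DROPS_RE = re.compile(r"^\s*(\d+) verification drops", re.M)
_SUPPRESSED_RE = re.compile(r"^\s*(\d+) suppressed verification drops", re.M)
_RATE_RE = re.compile(r"^\s*(\d+) verification drop-rate", re.M)


def parse_urpf_stats(text):
    """Extract the uRPF block from one interface's 'show ip interface' output.

    Returns a dict; 'mode' is None when uRPF is not configured on the interface.
    """
    iface = _IFACE_RE.search(text)
    verify = _VERIFY_RE.search(text)
    stats = {
        "interface": iface.group(1) if iface else None,
        "mode": None,
        "allow_default": False,
        "verification_drops": 0,
        "suppressed_drops": 0,
        "drop_rate": 0,
    }
    if verify:
        stats["mode"] = verify.group(1).lower()
        stats["allow_default"] = verify.group(2) is not None
        for key, pattern in (("verification_drops", _DROPS_RE),
                             ("suppressed_drops", _SUPPRESSED_RE),
                             ("drop_rate", _RATE_RE)):
            match = pattern.search(text)
            if match:
                stats[key] = int(match.group(1))
    return stats


def drop_delta(before_text, after_text):
    """How many packets uRPF dropped between two snapshots (0 if uRPF is off)."""
    before = parse_urpf_stats(before_text)
    after = parse_urpf_stats(after_text)
    if after["mode"] is None:
        return 0
    return after["verification_drops"] - before["verification_drops"]


if __name__ == "__main__":
    print(parse_urpf_stats(SHOW_IP_INTERFACE_AFTER))
    print("dropped since last snapshot:",
          drop_delta(SHOW_IP_INTERFACE_BEFORE, SHOW_IP_INTERFACE_AFTER))
    print("uRPF on GigabitEthernet2:", parse_urpf_stats(SHOW_IP_INTERFACE_NO_URPF)["mode"])
```

Polling this over SSH or through a configuration-collection tool and alerting on a non-zero delta gives you the same signal the lab reads off the screen, and the `mode is None` branch turns a missing uRPF line into a finding rather than a silent zero.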
Task 2: Configure uRPF on the Cisco ASA
Run nping and ping the DMZ server 172.16.1.50 using a spoofed source IP of 172.16.1.100.
root@kali:~# nping 172.16.1.50 -S 172.16.1.100

Starting Nping 0.7.80 ( https://nmap.org/nping ) at 2019-12-05 03:54 EST
SENT (0.0382s) ICMP [172.16.1.100 > 172.16.1.50 Echo request (type=8/code=0) id=30508 seq=1] IP [ttl=64 id=17914 iplen=28 ]
SENT (1.0391s) ICMP [172.16.1.100 > 172.16.1.50 Echo request (type=8/code=0) id=30508 seq=2] IP [ttl=64 id=17914 iplen=28 ]
SENT (2.0407s) ICMP [172.16.1.100 > 172.16.1.50 Echo request (type=8/code=0) id=30508 seq=3] IP [ttl=64 id=17914 iplen=28 ]
SENT (3.0425s) ICMP [172.16.1.100 > 172.16.1.50 Echo request (type=8/code=0) id=30508 seq=4] IP [ttl=64 id=17914 iplen=28 ]
SENT (4.0442s) ICMP [172.16.1.100 > 172.16.1.50 Echo request (type=8/code=0) id=30508 seq=5] IP [ttl=64 id=17914 iplen=28 ]

Max rtt: N/A | Min rtt: N/A | Avg rtt: N/A
Raw packets sent: 5 (140B) | Rcvd: 0 (0B) | Lost: 5 (100.00%)
Nping done: 1 IP address pinged in 5.13 seconds
Configure uRPF on the Cisco ASA firewall under Configuration > Firewall > Advanced > Anti-Spoofing.
Select the Interfaces: dmz, inside, outside > click Enable > Apply > Send.
Launch the ASA Real-time Log View under Monitoring > Logging > Real-Time Log Viewer > View.
Run nping again to launch an IP spoofing attack.
root@kali:~# nping 172.16.1.50 -S 172.16.1.100

Starting Nping 0.7.80 ( https://nmap.org/nping ) at 2019-12-05 03:56 EST
SENT (0.0470s) ICMP [172.16.1.100 > 172.16.1.50 Echo request (type=8/code=0) id=19627 seq=1] IP [ttl=64 id=19503 iplen=28 ]
SENT (1.0483s) ICMP [172.16.1.100 > 172.16.1.50 Echo request (type=8/code=0) id=19627 seq=2] IP [ttl=64 id=19503 iplen=28 ]
SENT (2.0504s) ICMP [172.16.1.100 > 172.16.1.50 Echo request (type=8/code=0) id=19627 seq=3] IP [ttl=64 id=19503 iplen=28 ]
SENT (3.0520s) ICMP [172.16.1.100 > 172.16.1.50 Echo request (type=8/code=0) id=19627 seq=4] IP [ttl=64 id=19503 iplen=28 ]
SENT (4.0577s) ICMP [172.16.1.100 > 172.16.1.50 Echo request (type=8/code=0) id=19627 seq=5] IP [ttl=64 id=19503 iplen=28 ]

Max rtt: N/A | Min rtt: N/A | Avg rtt: N/A
Raw packets sent: 5 (140B) | Rcvd: 0 (0B) | Lost: 5 (100.00%)
Nping done: 1 IP address pinged in 5.10 seconds
Notice in the Real-Time Log Viewer that the spoofed ICMP packets were denied by the uRPF check.