Hacking networks with Python (FREE CCNA 200-301 Course 2024)

32.71k views5157 WordsCopy TextShare
David Bombal
Big thanks to Cisco for sponsoring this video! You can access the free lab tutorial here: https://da...
Video Transcript:
this video is part of my complete practical  CCNA course where I'm not showing you things using simulations but I'm actually demonstrating  stuff with real equipment such as Cisco switches Linux in this case Kali Linux which I'll use to  hack this network Windows devices and a Mac I've also got great news in that Cisco is sponsoring  this video and making Labs available so that you can practice what I'm doing here yourself use  the links below to access CSCO U so that you can practice this yourself. In the CCNA exam  200-301 v1. 1 they tell us that we need to know root guard Loop guard BPDU filter and BPDU guard  for the exam in this video I'm specifically going to show you root guard and demonstrate it as well  as BPDU guard but again rather than just using a simulation I'm going to attack these physical  devices using Kali Linux and a Python script that I've written now you don't have to study the  Python script for the CCNA exam even though highly recommend that you learn python what you need to  know is how to use root guard as an example and BPDU guard to protect a Spanning Tree Network I'm  going to show you those two in this video and in the next video I'll show you Loop guard and BPD  filtering.
Did you know that you can join Cisco U for free and get access to a whole bunch of  content there is both paid as well as free content available on Cisco U huge amount of content  available in their paid tier where you get access to networking train training security training  cloud training and a whole bunch of other training it's not just Cisco training you also get access  to third party training as part of Cisco U but if you can't afford the price of Cisco U there is  a whole bunch of free training available you can get access to various tutorials created on Cisco  U once again you can practice what I'm showing you in this video on Cisco U for free I really want  to thank Cisco for sponsoring this video as well as creating Labs that go with this training so use  the link below once again to sign up to CSCO show The Love register for a free account get access  to the free content there as well as follow along with this video now back to me showing you how you  can use Python to hack networks and then I'll show you how to protect your networks from fake BPDUs  sent into a Spanning Tree network using very basic Python scripts. So let's start with root guard  so what is root guard it basically protects your Spanning Tree topology against unauthorized  switches attempting to become the root bridge in other words they send superior BPDUs not inferior  BPDUs or Bridge Protocol Data Units Superior BPDUs means that they have a lower priority as an  example or lower Mac address and therefore through the election process become the root we want to  block that so root guard is going to block access on a port until receipt of superior BPDU stops  this allows you to protect your network against hackers which I'm going to demonstrate in this  video or switches that are introduced into the topology that have a lower priority or lower Mac  address in other words are going to be elected as the root bridge now in a Spanning Tree environment  like this this switch could be the root as an example and this could be the backup route we do  not want to allow switches to tell us that they are the root Bridge or root switch remember Bridge  as a term in Spanning Trees based on bridges that existed years ago so we often talk about a root  Bridge rather than a root switch in Spanning Tree so here's a example a rogue switch is introduced  into the environment sending BPDUs but in this case Superior BPDUs let's say this switch has a  priority of 4096 it's the root switch or the root bridge in the topology this switch sends BPDUs  saying I am the root Bridge my priority is 0 as an example this will therefore become the root bridge  but we want to stop that we want to make sure that our switch remains the root bridge in the same way  we don't want to switch like this switch over here this access switch telling the network that it's  the root Bridge we're going to error disable a port where Superior BPDUs are received now there's  no better way I think to show this than to do a demonstration in this example I'm using Kali  Linux which is running over here on this laptop in a Virtual Machine I'm going to send BPDUs  from Kali using a Python script at the moment this switch the 9200CX switch in the middle is is  the root switch but we going to say that we are the root switch by sending Superior BPDUs so in  our topology we've got the 9200 over here we've got a Cisco 1000 switch switch one over here and  another Cisco 1000 switch over here so three Cisco switches the 9200 has a Mac connected to it and  the 1,000 series switches have Windows devices connected to them but the important part of the  network is what's going to happen on this port 1/0/2 on the 9200 so the 9200 series switch I'll  go to enable mode show Spanning Tree notice at the moment for VLAN1 the root ID and the bridge ID are  the same so in other words the priority for both is 4097 that's because this switch and I'll just  type sh run | include span to show us the output this switch has a priority set to 4096 increments  of 4096 to set the priority this one is set to 4096 this is VLAN1 so the priority here is 4097  4096 + 1 because extended system IDs are used on this switch so what we can see is that this  bridge is the root in other words this switch in the middle is the root switch we can see  that all ports are designated ports all ports of forwarding we would expect the root switch  or root bridge to have all ports as designated ports and all of them forwarding so again shows  spanning tree local switch is the root priority of the root and Bridge are the same Mac address is  the same okay but on Kali Linux which is connected to gigabit 102 on the 9200 we're going to send  BPDUs so ls on Kali I've got the script spanning tree root hack. py I'm going to run the script  so that you can see what happens and then I'll talk a bit about the script again you don't have  to learn the details of the script I'm basically using something called scapy to create packets and  inject packets into the network so sudo python3 I'm using Python 3 in this example and the python  script that we're going to run is stp root_hack.
py before I run that again show spanning tree notice  this port gigabit 102 is a designated port it's forwarding the local switch is the root switch  okay so run the script put in my sudo password something happens now you can see packets are  being sent into the network previously gigabit 1/0/2 was a designated Port show spanning tree  now notice gigabit 1/0/2 is now root Port it is forwarding but notice the root switch has a MAC  address of a bunch of zeros and a one I don't know about you but I think that's a little bit  suspicious which device has a MAC address of all 0 and a one and notice the priority is set to  0 in other words Kali Linux has now become the root switch in the topology again gigabit 1/0/2  is the root Port of the 9200 series switch in our topology this port is a root Port indicating  that the root switch of the topology is Kali Linux by running a simple python script made  Kali the root switch of our topology so again on the switch gigabit 102 is the root Port of  the switch it's no longer the root the root has a priority of 0 and a MAC address of 1 what I'll  do is stop the script on Kali on the switch show spanning tree still showing root Port give it a  bit of time and as you can see it's now become the designated Port the switch has now become the  root again whereas previously it wasn't the root if I run the script again switch was the root  no longer the root the root is now Kali Linux so by running a simple python script I'm able  to change the root switch in a Spanning Tree topology this is what the script looks like what  I'm doing basically and again you don't need to know the details of the script I'm just showing  you this for interest sake you can get the script on my GitHub so I have put the script on my GitHub  using this link or you can just search for David Bombal GitHub and you'll find my scapy scripts  what I'm doing is importing scapy scapy allows you to create or forge packets of any kind if  you like so you can put layer three above layer four as an example you can mix your layers up  you can do all kinds of interesting things with scapy create packets that shouldn't be allowed on  a network but in this example I'm importing scapy and then I'm going to capture a Spanning Tree  packet this is the destination Mac address for Spanning Tree so rather than creating a frame from  scratch I'm going to capture this frame off the network with a destination address of this and  then all I'm going to do is change some values in the packet so I'm going to change the source  Mac address to be this so when the packet is sent into the network we can actually view the packet  that's sent out at Layer Two the destination Mac address is the spanning tree protocol but I've  changed the source to be a bunch of 0s and 1 so that's the source Mac address LLC has values that  haven't been changed and this is the advantage of capturing a packet and then manipulating it when  you send it out because you don't have to create all the layers but notice the root Mac address is  this and the bridge Mac address is this because in the packet I'm saying root Mac address is this  bridge Mac address is this and I'm setting the root ID to this and the bridge ID to this so I'm  basically changing all the fields in the packet to ensure that my Kali Linux machine becomes the root  so root ID is that bridge ID is that Mac addresses are set to a bunch of zeros and a one I've set  the port ID age max age and other timers I've just left at default again one of the advantages  of grabbing the packet off the Y and then just making changes to it is that your packet is a or  frame is a legitimate packet or frame and you're just changing some values rather than having to  recreate the entire packet so again you don't have to know this for the exam but there is my simple  python script I'm showing the frame and then I'm creating a loop where I send 50 packets into the  network so I'm sending packet into the network waiting a second and then looping so every second  just send a BPDU into the network saying that I am the root switch and the net result is once again  show spanning Tree on the 9200 it has this port as a designated Port it is the root switch but as  soon as I launch my script it captures the packet off the wire or frame off the wire manipulates it  and sends frames into the network the 9200 is no longer the spanning tree root the root becomes  Kali you're going to want to stop this kind of nonsense and the way to do that again is to use  root guard so I'll show you how to set up root guard first and then I'll show you demo 2 where a  switch has a lower priority and becomes the root switch okay to enable root guard you do this on a  per Port basis so you go into Global configuration mode and then on each interface or each port in  this example gigabit 1/0/1 or for this specific example be 1/0/2 we enable root guard by using  the command spanning tree guard root so simple as that to set this up if you type show run and  a interface such as gigabit 1/0/1 you'll see in the output that that command has been enabled  on your interface so before continuing with slides let's actually do a demonstration so  we can see what's happening practically so on the switch conft interface gigabit 1/0/2 in this  example spanning tree press question mark guard question mark root question mark enter so all I  have to do is type that command on the interface and as you can see root guard has been enabled on  that interface of the switch now in my topology I also have an interface to these two switches so I  could enable spanning tree root guard on both of those ports so let's do that while we're here  so I'll press up key twice go on to interface gigabit 1/0/3 and enable spanning tree guard root  on that go on to the other interface gigabit 1/0/4 and enable spanning tree guard root on that  interface okay so that may not be so clear so I'll type show run | begin gig and as you can see  there in the running configuration of the switch this interface this interface and this interface  have spanning tree root guard enabled on them okay so let's see what happens when Kali Linux sends  BPDUs into the network so I'll clear the screen here and type pseudo and run the command again  sudo python spanning tree root hack packets are now being sent into the network and notice  straight away on the switch it says spanning tree root guard block root guard blocking on Port  gigabit 1/0/2 on VLAN1 so show spanning tree now notice we've got a root inconsistent output notice  on gigabit 1/0/2 it says blocking for for VLAN 1 root inconsistent so this is done on a per VLAN  basis for VLAN1 that Port is blocked you can see once again in the output that it was blocking on  VLAN1 and notice now it says unblock on VLAN 1 and that's because BPDUs are no longer being received  so the port is now moved to the learning state it is now a designated port and should transition  to the forwarding state after a period of time so it's learning and then should go forwarding  which it's now done because no BPDUs are being received that's because Kali only sends 50 packets  and then stops but if I run that again notice Port is now blocking again so shows spanning tree  this port is now blocking Port is marked as a root inconsistent okay so what triggers root  guard to block a port so the trigger is when a superior BPDUs is received by the switch switch  on a specific Port the port is then put into the broken state for that VLAN so I said blocking  but it's actually seen as broken all traffic is discarded the port state is root inconsistent  as we could see over here notice broken root inconsistent by default the port is restored after  a period of time when Superior BPDUs are no longer received and that's what we saw here notice root  guard unblock Port is unblocking on gigabit 1/0/2 in VLAN 1 because no Superior BPDUs are received  by the switch now you can use the command show spanning tree inconsistent ports to see which  ports are in the inconsistent state so at the moment show spanning tree looks good show spanning  tree inconsistent ports now you can see no ports are inconsistent at the moment but let's change  that by running our script again so you can see that root guard is blocking the port show spanning  tree inconsistent ports this port gigabit 1/0/2 on VLAN 1 is now root inconsistent number of  ports in system is 1 if we look at a specific interface so gigabit 1/0/2 you can see that for  this interface which is different to say 1/0/1 this interface is broken root inconsistent  is the current state now that no BPDUs are received if we run that command again notice  it's back to a point-to-point link it's busy learning the role is now designated status is  learning and that will take a bit of time and then it will go forwarding as you can see over  there send BPDUs again into the network Port is blocking show spanning tree status is broken type  is Rooting consistent okay I think I've covered that enough now last demonstration is to simply  change one of the switches to be a root switch so rather than introducing another switch into the  topology I'm simply going to make this switch switch1 say that it's the root switch so on the  9200 show spanning tree at the moment switch is the root switch all ports are designated ports and  are forwarding but what I'll do on the 1000 series switch switch1 that's the switch at the top here  I will type spanning tree VLAN1 priority and in this case I'll set it to 0 the reason why is Show  run | include span shows me that this switch has a priority of 4096 so I need to make the 1000 series  switch have a lower priority so I'll set that to 0 and notice straight away root guard blocking  on gigabit 1/0/3 so show spanning tree again this port is now broken root inconsistent on the  switch show spanning tree it says that it's the root switch all ports are designated and I'll just  do that command again so we can see clearly for VLAN1 priority is 1 it thinks it's the root switch  but on the other side this switch is blocking the 1000 series switch so what I'll do is remove that  command show spanning tree now switch still thinks it's the root it's now learned that it's no longer  the root the switch with this priority 4096 and this Mac address is the root in other words the  9200 the local switch has a higher priority and Mac address so it now has a root port forwarding  to the root switch and on the root switch or the 9200 notice the port is no longer blocking because  no superior BPDUs are received okay so I think that's enough I have now shown you how to enable  root guard using this simple command you do that on ports where you don't want to receive Superior  BPDUs and if you do the port on a specific VLAN is basically blocked now let's talk about BPDU  guard and how you can use BPDU guard to protect a spanning tree Network now on ports such as these  two connected to PCs you may enable PortFast so spanning tree doesn't have to go through the  different stages of blocking listening learning forwarding it can immediately go forwarding the  problem with that is what happens if BPDUs are received by clients in that case we want to enable  BPDU guard so that the port is error disabled if we receive BPDUs now a user with a PC may be  connected directly to a switch but may decide that they're going to use a switch to allow  two PCs to connect to the network in that case BPDUs may be sent by that switch and the switch  could potentially become the root Bridge remember lowest Mac address lowest priority becomes  the root Bridge which means that an old switch could potentially become the root Bridge of your  topology another thing a user may do is connect two ports to the switch and that will cause  a loop if you've got PortFast enabled on your edge switch so the moral of the story is don't  trust your users enable BPDU guard on PortFast Port so that users don't by mistake or on purpose  cause spanning tree loops or cause problems in your topology so in this topology I've changed it  slightly I've made switch1 the root Bridge so this little 1000 series switch is now the route  I've changed the cables as well so that the 9200 the middle switch is now connected to this  bottom switch on Port 1/0/4 and c1002 is connect connected to the top switch so basically from  the 9200 series point of view to get to the root Bridge it has to go via c1002 this bottom switch  we can see that on the switch shows spanning tree its root port is gigabit 1/0/4 the switch in the  topology but Kali Linux is now going to send BPDUs saying that it has a better path to get to the  root Bridge so basically we're going to tell the switch to use that path to get to the root  Bridge which means it should block this port because it has a better path to get to the root  bridge in other words it'll cause problems in the network if this Mac sends traffic to this PC  or to that PC it's not going to be able to send that traffic successfully because this port is  now blocking so again we're going to make this switch believe that its root Port is the port  to the Kali Linux machine when this Mac tries to send traffic through the network it's not going  to work because this port is blocking so we're going to essentially break this network so on the  MacBook at the top there I've got it sending a continuous ping to both the PCs on the Mac if we  do a command such as if config pipe grip 192 we can see that its IP address is 192. 168. 1.
2 it's  pinging 1. 1 which is this Windows computer and pinging 1. 3 which is the Windows computer at the  top continuous ping from the Mac to those two PCS let's hack the network user a simple Python script  once again script that looks like this essentially what we're going to do is sniff spanning tree  destination Mac address is spanning tree we're going to manipulate the packet to say that the  path cost to get to the root is zero and we're going to send 50 packets into the network so ls  on Kali we're going to block the network so cat stp block that's the script again you don't  need to know this python script for the exam I simply want to show you a practical example  of this so sudo of python spanning tree block before I hit enter notice once again on the  9200 series switch its root Port is gigabit 1/0/4 1/0/2 where the PC is connected is  forwarding and it's a designated Port so press enter put in my password go back to the switch  notice the root Port has become 1/0/2 GB 1/0/4 which was originally the root Port is now an  alternate port and the state is blocking it was forwarding and now it's blocking because the  switch believes that the best path to the root is via the hacking machine it believes that it can  get to the root Bridge or root switch via the Kali Linux machine which it can't obviously what you'll  notice is pings are failing on the MacBook the Mac is no longer able to Ping 192.
168. 1. 1 this Windows  computer or 192.
168. 1.
Copyright © 2024. Made with ♥ in London by YTScribe.com