Hello again, fellows.
Today we’re using the preconfigured (see Part I) GNS3 to build our basic lab. Imagine the following scenario:
Your pentesting company got contracted by a small company to do a white/grey box pentest. This means you know everything about the present IT infrastructure and have all the information on the software patch levels and hardware in use. To safely mitigate possible downtime or other unforeseen consequences of a full-blown pentest on the production network, network simulation comes in handy.
Also, if your pentesting company is contracted to do a black box pentest, a virtual network built from the findings of the information gathering phase can be used as a test environment before actually conducting the test on the real systems.
As for our pentest we choose a mid-sized software company called Noob.net with the following network properties:
- Dual firewall DMZ with port forwarding
- Webserver & Services (Email, DNS, etc.) in DMZ
- Internal network that is split into VLANs according to department (Management, IT, Software Development, Sales)
- Routing via OSPF, backed up by static routes
As prerequisites you need at least two different IOS images and one PIX image. In our case we use the following:
Firewall: PIX 803
RouterDMZ & Router_ISP: c2691-jk9s-mz.123-17.image
Additionally, you should have a few virtual machines handy to do ping/traceroute tests. I use a Windows XP SP3 and a Kali Linux VM to do so.
First of all, before we start, we need to assign IP addresses, subnets and VLANs. The following table includes all the information necessary to model your virtual networks after.
Note: Due to the constraints of the VMware networks I only used subnetting on the interfaces that interconnect the routers with the firewall (PIX).
| Dept. | VLAN | If. | # of IP-Add. | CIDR | Network | Subnet Mask |
|---|---|---|---|---|---|---|
| Management | 10 | F0/1 @ Router | 254 | /24 | 10.10.10.0 | 255.255.255.0 |
| Sales | 300 | F2/0.30 @ Router | 254 | /24 | 10.10.30.0 | 255.255.255.0 |
| Marketing | 400 | F2/0.40 @ Router | 254 | /24 | 10.10.40.0 | 255.255.255.0 |
| Internal ↔ PIX | – | F0/0 @ Router, E0 @ PIX | 2 | /30 | 10.0.0.0 | 255.255.255.252 |
| PIX ↔ DMZ | – | E1 @ PIX, F0/0 @ DMZ | 2 | /30 | 192.168.0.0 | 255.255.255.252 |
| PIX ↔ Ext | – | E4 @ PIX, F0/0 @ Ext | 2 | /30 | 192.168.0.4 | 255.255.255.252 |
The next table shows the internal router's (Router_FW_Internal) ports and their connectivity:

| Port | Connected to | IP Address | VLAN |
|---|---|---|---|
| F0/0 | Firewall External @ E0 | 10.0.0.1 | – |
| F0/1 | Management_Switch @ 1 | 10.10.10.2 | 10 |
| F1/0 | SoftwareDev_Switch @ 1 | 10.10.200.2 | 200 |
| F2/0.300 | Sales_Marketing_Switch @ 1 | 10.10.30.2 | 30 |
| F2/0.400 | Sales_Marketing_Switch @ 1 | 10.10.40.2 | 40 |
The following table shows the firewall's (PIX) connections:

| Port | Connected to | IP Address / CIDR |
|---|---|---|
| E0 | Router_FW_Internal @ F0/0 | 10.0.0.2 /30 |
| E1 | Router_DMZ @ 1 | 192.168.0.1 /30 |
| E5 | Router_ISP @ 1 | 192.168.0.5 /30 |
The following table shows the Router_ISP's connections:

| Port | Connected to | IP Address / CIDR |
|---|---|---|
| F0/0 | PIX @ E4 | 192.168.0.6 /30 |
| F0/1 | Internet @ vmware8 | 192.168.10.2 /24 |
The following table shows the RouterDMZ's connections:

| Port | Connected to | IP Address / CIDR |
|---|---|---|
| F0/0 | PIX @ E1 | 192.168.0.2 /30 |
| F0/1 | Internet @ vmware13 | 172.16.100.2 /24 |
The next table shows the Virtual Networks used and their configuration:
Here is a picture what the topology should look like:
Next we need to configure the router to enable routing between the internal networks and the DMZ and the Internet respectively.
Note that the commands described within this tutorial are always executed from enable mode.
So we log into the console of Router_FW_Internal and start with the interface facing the internal network that connects to the management LAN. First off, we’re going to apply the correct IP addresses to the corresponding interfaces:
```
conf t
! F0/1 is the interface facing the Management switch (see the interface table above)
int fastEthernet0/1
 description toMGMT
 no shut
 ip address 10.10.10.2 255.255.255.0
 full-duplex
 exit
```
Next up we're going to set up basic security configuration on the router, starting with the enable secret and password encryption.
```
conf t
enable secret Cisco1
service password-encryption
```
Then we're going to enable SSH on the standard VTY lines (0-5) and disallow Telnet. But first we have to give the router a qualified domain name and generate an RSA key pair.
```
ip domain-name noob.net
crypto key generate rsa
! when prompted for the modulus size, choose 1024 to support SSH version 2
ip ssh version 2
line vty 0 5
 login local
 transport input ssh
 motd-banner
 exit
line con 0
 login local
 motd-banner
 exit
```
Then we generate a username with password.
```
username admin password administrator
```
Let's create a banner to warn potential intruders. We also need to enable the message-of-the-day banner on the VTY lines.
```
banner motd # Trespassers will be prosecuted. #
line vty 0 5
 motd-banner
 exit
```
Next we will configure interface f1/0, the connection to the Software Development switch:
```
conf t
int fastEthernet1/0
 description toSoftDev
 no shut
 ip address 10.10.200.2 255.255.255.0
 full-duplex
 exit
```
We will configure interface f2/0 as a router-on-a-stick setup, since Marketing and Sales share the same switch but should be in different broadcast domains. Therefore we add the following commands:
```
conf t
! the physical interface carries the 802.1Q trunk, each VLAN gets a tagged sub-interface
int fastEthernet2/0
 description setup_if
 ip address 10.10.20.2 255.255.255.0
 no shut
 exit
int fastEthernet2/0.30
 description to_Sales
 encapsulation dot1Q 30
 ip address 10.10.30.2 255.255.255.0
 no shut
 exit
int fastEthernet2/0.40
 description to_Marketing
 encapsulation dot1Q 40
 ip address 10.10.40.2 255.255.255.0
 no shut
 exit
```
The next step will connect the internal router/firewall to the external firewall.
```
conf t
int fastEthernet0/0
 description toFirewallExt
 no shut
 ip address 10.0.0.1 255.255.255.252
 exit
```
We also need to configure static routing as a backup system. Therefore we add a default route with an administrative distance of 250, so that the OSPF routes configured in the next post will be preferred:
```
ip route 0.0.0.0 0.0.0.0 10.0.0.2 250
```
To prevent access from any unauthorized users we now put a few extended ACLs in place. We start with the access list for int fa0/1 (MGMT). This list will prevent traffic coming from the MGMT network to reach the other local networks.
```
conf t
access-list 100 remark fromMGMT
access-list 100 deny ip 10.10.10.0 0.0.0.255 10.10.200.0 0.0.0.255 log-input
access-list 100 deny ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255 log-input
access-list 100 deny ip 10.10.10.0 0.0.0.255 10.10.30.0 0.0.0.255 log-input
access-list 100 deny ip 10.10.10.0 0.0.0.255 10.10.40.0 0.0.0.255 log-input
! everything else (DMZ, Internet) stays reachable
access-list 100 permit ip any any
int fastethernet 0/1
 ip access-group 100 in
```
We now repeat these steps for all the internal interfaces starting with fa1/0.
```
conf t
access-list 101 remark fromSoftDev
access-list 101 deny ip 10.10.200.0 0.0.0.255 10.10.10.0 0.0.0.255 log-input
access-list 101 deny ip 10.10.200.0 0.0.0.255 10.10.20.0 0.0.0.255 log-input
access-list 101 deny ip 10.10.200.0 0.0.0.255 10.10.30.0 0.0.0.255 log-input
access-list 101 deny ip 10.10.200.0 0.0.0.255 10.10.40.0 0.0.0.255 log-input
access-list 101 permit ip any any
int fastethernet 1/0
 ip access-group 101 in
```
We also need to set up an ACL for sub-interface fa2/0.30:
```
conf t
access-list 102 remark fromSales
access-list 102 deny ip 10.10.30.0 0.0.0.255 10.10.10.0 0.0.0.255 log-input
access-list 102 deny ip 10.10.30.0 0.0.0.255 10.10.200.0 0.0.0.255 log-input
access-list 102 deny ip 10.10.30.0 0.0.0.255 10.10.20.0 0.0.0.255 log-input
access-list 102 deny ip 10.10.30.0 0.0.0.255 10.10.40.0 0.0.0.255 log-input
access-list 102 permit ip any any
int fastethernet 2/0.30
 ip access-group 102 in
```
The next step is to configure an ACL for sub-interface fa2/0.40:
```
conf t
access-list 103 remark fromMarketing
access-list 103 deny ip 10.10.40.0 0.0.0.255 10.10.10.0 0.0.0.255 log-input
access-list 103 deny ip 10.10.40.0 0.0.0.255 10.10.200.0 0.0.0.255 log-input
access-list 103 deny ip 10.10.40.0 0.0.0.255 10.10.20.0 0.0.0.255 log-input
access-list 103 deny ip 10.10.40.0 0.0.0.255 10.10.30.0 0.0.0.255 log-input
access-list 103 permit ip any any
int fastethernet 2/0.40
 ip access-group 103 in
```
With those ACLs in place our internal network will be fairly secure. The ACLs we put in place will make it impossible to directly access the other networks. Yet, it will still be possible to connect to the Internet or to the DMZ.
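As an added example (Python, not part of the original post or of the router configuration): a small model of the inter-VLAN ACL scheme above. It generates the four access lists from the list of internal prefixes (an IOS wildcard mask is simply the inverted subnet mask) and evaluates sample flows with first-match semantics and the implicit deny, so the isolation claims can be checked before the config is pasted into the lab. The DMZ host 172.16.100.10 and the "Internet" host 192.168.10.1 are constructed sample addresses on the page's networks.

```python
import ipaddress

# Internal networks behind Router_FW_Internal, taken from the post's ACL lines.
INTERNAL = {"MGMT": "10.10.10.0/24", "SoftDev": "10.10.200.0/24",
            "setup_if": "10.10.20.0/24", "Sales": "10.10.30.0/24",
            "Marketing": "10.10.40.0/24"}

def wildcard(cidr):
    """Return (network, IOS wildcard mask); the wildcard is the inverted subnet mask."""
    net = ipaddress.ip_network(cidr)
    return str(net.network_address), str(net.hostmask)

def build_acl(number, vlan):
    """Generate one inbound interface ACL the way the post does: deny the VLAN's
    prefix to every other internal prefix, then permit ip any any."""
    src, src_wc = wildcard(INTERNAL[vlan])
    lines = [f"access-list {number} remark from{vlan}"]
    for other, cidr in INTERNAL.items():
        if other != vlan:
            dst, dst_wc = wildcard(cidr)
            lines.append(f"access-list {number} deny ip {src} {src_wc} {dst} {dst_wc} log-input")
    lines.append(f"access-list {number} permit ip any any")
    return lines

def _take(tokens):
    """Consume one address spec: 'any' or '<address> <wildcard>'."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    return (tokens[0], tokens[1]), tokens[2:]

def _match(ip, spec):
    """Wildcard match: a set bit in the wildcard mask means 'don't care'."""
    a, s, w = (int(ipaddress.ip_address(x)) for x in (ip, *spec))
    return (a & ~w) == (s & ~w)

def evaluate(acl, src_ip, dst_ip):
    """First-match evaluation of an extended IP ACL; unmatched traffic hits the implicit deny."""
    for line in acl:
        tokens = line.split()[2:]            # strip 'access-list <number>'
        if tokens[0] == "remark":
            continue
        action, rest = tokens[0], tokens[2:]  # tokens[1] is the protocol ('ip')
        src, rest = _take(rest)
        dst, rest = _take(rest)
        if _match(src_ip, src) and _match(dst_ip, dst):
            return action
    return "deny"

if __name__ == "__main__":
    acl100 = build_acl(100, "MGMT")
    print("\n".join(acl100))
    for dst in ("10.10.200.10", "172.16.100.10", "192.168.10.1"):   # SoftDev, DMZ, Internet
        print(f"10.10.10.10 -> {dst}: {evaluate(acl100, '10.10.10.10', dst)}")
```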
Firewall configuration (PIX)
Now, on the external firewall (PIX), we need to do some basic configuration.
```
conf t
enable password Cisco1
! security levels: by default traffic may only flow from a higher level to a lower one
int ethernet 0
 description toInternal
 nameif inside
 security-level 100
 ip address 10.0.0.2 255.255.255.252
 no shut
int ethernet 1
 description toDMZ_Router
 nameif DMZ
 security-level 50
 ip address 192.168.0.1 255.255.255.252
 no shut
int ethernet 4
 description toISP_Router
 nameif outside
 security-level 0
 ip address 192.168.0.5 255.255.255.252
 no shut
```
We now configure routing between the interfaces, again with an administrative distance of 250. Note that all internal destinations lie within 10.0.0.0/8, so we can use route summarization for the inside route:
```
route outside 0.0.0.0 0.0.0.0 192.168.0.6 250
route inside 10.0.0.0 255.0.0.0 10.0.0.1 250
route DMZ 172.16.100.0 255.255.255.0 192.168.0.2 250
```
To enable ICMP (ping) traffic from the inside interface to the DMZ we also need to put in place the following access list and attach it inbound to the DMZ interface.
```
access-list ICMP permit icmp any any
access-group ICMP in interface DMZ
```
Next up is the router that connects the DMZ to the PIX firewall. We set up static routing and some minor security features:
```
conf t
enable secret Cisco1
service password-encryption
username admin password administrator
ip domain-name noob.net
crypto key generate rsa
! login banner (the bare "banner" form needs a banner type keyword)
banner login # Access to permitted personnel only. #
banner motd # Trespassers will be prosecuted. #
line vty 0 5
 transport input ssh
 motd-banner
 login local
line con 0
 motd-banner
 login local
int fastEthernet 0/0
 description to_PIX_FW
 ip address 192.168.0.2 255.255.255.252
 no shut
int fastEthernet 0/1
 description to_DMZ
 ip address 172.16.100.2 255.255.255.0
 no shut
ip route 0.0.0.0 0.0.0.0 192.168.0.1 250
```
Router_ISP gets the equivalent configuration, with its interfaces facing the PIX and the virtual "Internet" network, plus static routes back to the internal and DMZ networks:
```
conf t
enable secret Cisco1
service password-encryption
username admin password administrator
ip domain-name noob.net
crypto key generate rsa
! login banner (the bare "banner" form needs a banner type keyword)
banner login # Access to permitted personnel only. #
banner motd # Trespassers will be prosecuted. #
line vty 0 5
 transport input ssh
 motd-banner
 login local
line con 0
 motd-banner
 login local
interface fastEthernet 0/0
 description to_PIX_FW
 ip address 192.168.0.6 255.255.255.252
 no shut
interface fastEthernet 0/1
 description INTERNET
 ip address 192.168.10.2 255.255.255.0
 no shut
ip route 10.0.0.0 255.0.0.0 192.168.0.5 250
ip route 172.16.100.0 255.255.255.0 192.168.0.5 250
```
We built a DMZ network where traffic can flow from each VLAN to the outside. Yet, any IP traffic between the VLANs is blocked by ACLs.
The VLANs can also connect to the DMZ, but not vice versa.
The DMZ can connect to the outside.
The outside is not able to reach anything.
Static routing is in place as a backup measure, but will be supplemented by OSPF in the next post.
If you got any questions or need clarification on something, feel free to ask.