you NEED to learn Port Security…….RIGHT NOW!! // FREE CCNA // EP 14

Captions
This video is brought to you by Privacy. They virtualize your credit cards to help protect your identity. We'll talk more about them later.

I see Ethernet ports, or jacks, what do you call them? I don't know. I see these things everywhere: businesses, airports, restaurants, my house, just sitting there exposed, ready for me to attack. Every time I see one, I see a hacking opportunity. Each jack is a port to a network that I can take advantage of, especially if we have something like this, a Shark Jack from Hak5. If I see an exposed Ethernet port, all I gotta do is uncap this baby, switch it to attack mode, plug it in, and boom. Wait a few moments and I get a Slack message with all the information about that network. Now first, how cool is that? I'm actually giving away two of these in the description, so check that out. But also, how do you protect against that? That is what we're talking about in this video. Yeah, we're going to talk about attacks and what this looks like when we use it. It's super cool, but I want to blue team this a bit. Let's talk about security, port security, how to secure your ports.

Now since this is episode 14 of my free CCNA course, a series sponsored by Boson Software (check out their summer sale if you want to get serious about getting your CCNA, link below), of course we'll be covering how to protect ports on a Cisco switch, configuring things like, well, port security, which you are required to learn if you want to get your CCNA. So I'll walk you through that, how to configure it, give you a lab. It's going to be awesome, it's going to be fun. But hey, we all might not have Cisco switches in our house. I mean, I have like a billion, but you might have UniFi, you might have something else. We'll cover some of those too.

Now, disclaimer: this is for educational purposes only. Do not hack anyone for any reason under any circumstances unless you are a legit ethical hacker, pen tester, and you have permission to do this. But I do give you permission to hack that YouTube algorithm, so hit that like button, notification bell, subscribe, comment. Yeah, hack YouTube today, ethically of course.

Now we can't protect our ports unless we first learn a bit more about our attacker. Let's talk about what's happening here in this device, the Shark Jack from Hak5. Hak5 sent me this last year, I think in November, and I'm just now getting a chance to play with it, and it's amazing. There's actually a Linux server running on this, and it's sitting on my keychain. We can actually connect to it. So if I put it into arming mode, which is the middle notch here, boop, and then go plug it into my PC, I'm gonna fire up my terminal, command prompt, and SSH to this bad boy, and boom, I'm in. Look at those little sharks.

All right, so this is the Linux server running on the USB device. If I do an ls, I've got a couple directories. I can access my loot, which is the stuff I gather for my attacks. Let me show you that real quick. I'll get into that directory: results from my Nmap scan, it's all sitting right there, just in case you don't get that Slack message. And then the payload, your attack. Again, the one we used was Nmap. If I look at that script real quick, it's doing a ton of fun stuff, and by the way, this is all customizable. If you can script it, you can do it here. So Nmap is just the beginning. And I do feel like I have to mention this: this tool isn't just for hacking. As an admin you can use this for, I don't know, testing a jack, just saying hey, is this port working? Do we have internet access on this port? Can we ping things? So yeah, it's a legit utility you can use as an admin, so that's pretty cool. That's honestly a big reason why I'm keeping this on my keychain at all times.

But when I flip the sucker into arming mode and plug it into a switch, what's happening? What is it doing? So let's walk through what it's doing so we can know how to stop it. So first, let's plug the sucker into a switch port here, right there. Wait, I gotta make my favorite sound in the world, hold on. Ah, much better. Okay, the Shark Jack will power on and attempt to get an IP address, and it gets that IP address via DHCP, which, if you recall, is how our networks dynamically give out IP addresses. Essentially a host will plug into a network and say, hey, I need an IP address, and you'll have a DHCP server that says, here you go, buddy. The Shark Jack is hoping that that is the case for this network port, and assuming there is a DHCP server, the Shark Jack will get his IP address, which will honestly tell him a ton of stuff about the network, like hey, here's how big the network is, by giving the subnet mask. You'll also know the gateway, or the router's IP address, and probably the DNS server. Now once the Shark Jack has this (and I think it'll actually show you, it'll change the color of the Ethernet jack or head once it does get an IP address), armed with that information it can then script an attack, and in our case this was an Nmap scan, scanning the network for all available hosts and telling us what ports are available, all things that we could possibly exploit if we were doing something nefarious.

So for a hacking device like a Shark Jack to work, a few things have to be there. For example, the port has to be active, or up, not shut down: no shutdown. This port must also be on a network that a DHCP server lives on, so the Shark Jack can get an IP address. And finally, the Shark Jack has to be able to scan the other hosts; it has to be able to reach everything else on that network. So knowing that this is what the Shark Jack needs to perform an attack, what do you say we mess that up? What do you say we take away a few of these things by adding some security?

Now one of the first and probably most obvious things we can do is shut down our stinking ports that we aren't using, right? Yes, because hey, the Shark Jack does need the sucker to be up. Shut her down. Every port that you're not using, shut. Now let's do that on a Cisco switch. I'm going to show you in Boson's NetSim, which is amazing; it's fantastic for practicing for your CCNA. I'm going to be demoing their Enhanced Switch Security 1 lab in their CCNA pack. Again, check it out, link below. It's like 25% off right now for their summer sale, code SUMMER21. I'm going to type in show ip interface brief, my favorite command. Then I'll do a pipe at the end of that, and I'll type include down. What this will do is show me all the interfaces on the switch that are currently down, meaning they're not up, meaning there's nothing plugged into them. And so why should they be up anyway? Let's try it out. So right here on the switch, all these interfaces right here, they may not be up, but they could be. Yeah, they're showing down/down, but that's just because nothing's plugged into them. We want to make sure that if something does plug into it, it can't come up. So let's do that right now. Simple command, one of the most common you'll see and use in Cisco: we're gonna do conf t, or configure terminal, to get into our configuration mode. We'll jump into an interface: we'll type interface and we'll specify our interface. This is going to be FastEthernet; I'll just type in fa for short, 0/1.

Now real quick, I know it's still pretty early in our Cisco CCNA course right now. We haven't covered a lot of interface commands, so this might be really new. That's okay, we'll walk through it. Don't feel like you should know this; you're learning it right now. Now to shut down this interface and make sure it can't come up by itself, one simple command: shut. That's it, shut. And notice what happened here, our log message: FastEthernet0/1 changed to administratively down. Not just down, "I don't have anything plugged into me" down, like I can't come up at all unless the admin says I can. And that's the way we want it, right? I'm gonna type end to get back, and I'll do that same command as before, show ip interface brief, and now look, it looks a bit different, doesn't it? This is what you want to see to make sure on your Cisco switch ports are not going to come up if something plugs into them. It's administratively down. Now right there we pretty much already thwarted the Shark Jack, right? Like he can't make the port come up. It's done. And this applies to pretty much every switch in the world: if you want to secure the ports on your switch, well then shut down the ones you're not using.

Okay, we covered Cisco. What about UniFi? I love UniFi; that's what I have in my house right now. If I jump into my Golden Snitch, my primary 48-port switch, we got quite a few unused ports. If I go to Ports, scroll down to one of these guys, let's say unlucky number 13, to make sure he can't be used (which right now he totally could be; he's on my Keith Fam network), I'll change the profile to Disabled and apply changes. Now nothing can happen. On other switches they have similar commands or GUI options, so just shut those suckers down.

Now often, shutting down every available port on your switch is a bit inconvenient. Like for example, if you're trying to plug in something you want to actually work on, like the third floor, if you don't have things properly labeled it might be kind of hard to figure out which port on your switch needs to be turned up: no shut, that's the Cisco command, by the way. So sometimes it does make sense to leave available ports open. But then aren't you still screwed? Aren't you still, like, unprotected? Yes, unless you do a few things. If we want to keep those ports up, we need to make sure they can't access anything, like our network, our DHCP servers, our hosts on the network. To solve that, admins will often put these ports into a black hole network, a network that goes absolutely nowhere. You're just stuck in a hole. This is a network that has nothing: there's no DHCP, there's no default gateway, you're just sitting there on the switch in a hole with no friends, and you're sad. We also call this creating a black hole VLAN, which I know we haven't covered VLANs in this course just yet, but for this example, a VLAN is basically a way to create a switch inside of a switch. So we might put these four ports right here in their own network, and they're separate from all these other ports, and we'll call that VLAN 666. That's what I've always done in my networks. And VLAN stands for virtual LAN, so we're creating a virtual local area network with these four ports, and like I said, this is a black hole. Nothing going on here, nothing's happening, you're sad.

So let's do that. Let's create a black hole. Back here in Boson NetSim, I'm gonna do a quick command to show what VLANs I have on my current switch. I'll do show vlan brief. Now this right here is default: when you boot up a Cisco switch and you've done nothing to it, it'll have one VLAN, VLAN 1, and all ports are part of that VLAN, meaning on the one switch all the ports are part of the same network. We don't want that right now. No, bad. What I want to do right now is take ports 10, 11, and 12. I'm going to isolate them, put them by themselves, black hole them. So first I'll create a new VLAN. I'll get in my configuration mode, conf t, then I'll simply type in vlan and then my VLAN number, 666. VLAN done. I'm going to hit exit to get out of this VLAN configuration mode, and then I'll configure my interfaces. I'll do interface fa0/10, and I'll put them in that VLAN. To do that, one command: switchport access vlan 666. Done. I'll do the same for the other ports: 11, in the black hole; 12, get in that hole. Done. Now if I run that same command as earlier, show vlan brief, boom, 666. Those three ports are locked away in a hole. Devices plugged into these ports cannot talk to any other ports on that switch. It's like they're on their own little separate switch, and that switch is connected to nothing. Just a black hole, and they're sad.

Now there are some other considerations you want to have in mind when you're doing this. For example, if these two switches right here, switch one and switch two, were connected with a trunk, which we haven't covered yet (we'll cover it later), we want to make sure that VLAN 666 did not go across that trunk. Put them in a black hole and shut them down: double protection.

On UniFi you can do the same kind of thing. If I went to my settings here on my UniFi dashboard, went to Networks, I could create a stupid network. Add a network, name: Black Hole. Go to Advanced and change the VLAN ID to 666, of course, and turn off all the network features of this particular one. No DHCP server. I'll even take it a step further and do device isolation, so even devices on that same VLAN, in that black hole, can't talk to each other. We're blindfolding everyone in the hole. And Add Network. And then I'll go back to my switch and add those ports into the black hole. Port 13, and 666 right now, Black Hole. Apply.

Now real quick, we're protecting our ports, but what about our debit cards? We gotta protect our financial identity, and we can do that with Privacy, the sponsor of this video. Privacy makes it ridiculously easy to buy stuff online while also making sure you're secure. Now it does this in a cool way: it takes your one debit card or your bank account and creates a bunch of virtual debit cards to be used at whatever merchant you want to go to. For example, maybe I want to sign up for Netflix. I can create one virtual debit card that's just for Netflix. I can even set a spending limit. Or maybe you only want Netflix for like one month, just to watch that one show you want to watch, but you don't want to have to remember to cancel your subscription. Well, just make it a one-time-use card. That's it, throw away. And of course, if you want to buy some coffee from networkchuck.coffee, man, create a card just for NetworkChuck Coffee, set a spending limit like you would want to, I don't know, maybe a thousand, just go for it. But anyways, Privacy gives you a ton of control on your interactions with merchants online. Privacy is actually free for personal use for up to 12 cards, which is pretty cool. You can also go Pro for 10 bucks a month and you can go up to 36 cards, and you get one percent cash back on your purchases. And it's really cool for business: if you've got teams of people you're dealing with, you can go for the Teams plan. You can control what team member has what card and how much they can spend, and avoid all the headaches of like, oh hey, who spent all this money? You know exactly what happened. So anyways, you should definitely check out Privacy to virtualize your debit cards. That's a cool concept, so check it out, link below: privacy.com/networkchuck. You'll get five dollars of cash just to use for signing up, anywhere. So five dollars, so it's more than free. It's five dollars for you; it costs negative five dollars. That's what I mean.

Now we still have a pretty big problem. Let me explain. There is nothing stopping me from doing this. Sure, all these ports right here are unused, shut down, in a black hole. But what if I did this? Hey, I'm gonna unplug that guy and plug in my guy. Easy enough, right? So how do you stop hackers from unplugging your existing devices and just plugging theirs in for a moment to steal information? Port security, and it's freaking awesome. Let's try it out. So here's our scenario with port security: we want to make sure that only the devices we want to be plugged into our switch are plugged into our switch. So when our attacker does decide to unplug our Raspberry Pi, boop, and plug himself in, nothing happens. Let's do that with port security right now.

To understand port security and appreciate what it's doing, we have to understand what's happening when we plug in our device to a port. Now we've already talked about this in our series so far. It has everything to do with layer 2 addresses, or MAC addresses. For example, our Raspberry Pi here has this MAC address right here. When we plug our Raspberry Pi into the switch, into that switch port, the switch will take his MAC address and go, oh, that's who this Raspberry Pi is. I'm going to add that to my MAC address table. Now with port security, here's what we're going to do. We're going to tell that switch port that only a device with the MAC address of this one right here, ending in e3d9, only that MAC address can actually be alive and up on that switch port. If any other device with a different MAC address comes onto that switch port, shut that sucker down. Get him away, don't let him come on. That's security, right? He's like our bouncer; he's going to bounce him out. This guy is the only guy on the list. So let's say our Shark Jack had this MAC address. If he did try to connect in, unplug our Raspberry Pi, and his MAC address showed up: nope, bounced. That's not the right MAC address, Shark Jack, you're out of here, dude. So let's configure that right now. It's actually pretty cool.

Now configuring port security does have a few steps. I encourage you to go check out Boson's labs here in NetSim. They have two labs, Security 1 and Security 2, and then one called Troubleshooting Port Security. It's awesome, so go check that out. But real quick, I do want to try this on my actual switch so I can show you plugging in my Shark Jack and what happens when I actually have security enabled. Let's try it out. First I'll SSH, or log into, my switch over here: ssh networkchuck@ his IP address. I'm in. I'll get into enable mode, boom. The port I want to mess with, let me see, it's going to be port 39 on my switch. Let's go take a look at it: show run, next specify my interface, interface gi, and that's gonna be 4/0/39. So this is his current running configuration. Nothing crazy; he's just in a certain VLAN that's on my home network and he has access to all he needs.

Now let's configure port security. So I'll get into configuration mode, conf t. I'll jump into my interface configuration mode by doing interface gi4/0/39. Now first I need to specify his mode, kind of hard coded. I'm going to use the command switchport mode access. Essentially each port on the Cisco switch could be an access port or a trunk port. We want to make sure they're hard coded to be an access port. What does all that mean? We'll talk more about that later in the series, but let's hard code that right now. Bam. Then one simple command to enable port security: switchport port-security. Bam. Now it's enabled, but not configured. There are a few things we want to do and add here real quick. The next thing we want to configure is how many MAC addresses we want allowed on this port, so the command will be switchport port-security maximum and then the number of addresses you want. Now by default it's going to be one, which is perfect for my case. Now sometimes you might want to put two. Why two? Because often you might have a Cisco phone or an IP phone sitting on someone's desk, and that's plugged directly into the wall. Then your computer might be plugged into your phone. Now how that works is obviously magic; we'll talk more about that later in this course. But on that one switch port you'll have two MAC addresses, one for the phone and one for the computer. So just keep that in mind if you have that situation. But for me it's only one host, so I could leave it as is or specify one. I'll do that right now. Boom, one MAC address allowed, no others.

Now we have to tell the switch that we only want the MAC address of my Raspberry Pi to be allowed, and that's it. Here's how we do that: switchport port-security, then we'll say mac-address, and then we'll see the value. Now we have a few options, actually. If I hit question mark, it'll show me my options here. First, we can obviously just put in the MAC address of my Raspberry Pi and be done with it. That's it. We could also say, you know what, this MAC address is not allowed. Maybe we'll learn the MAC address of the Hack Shark, no, Shark Jack, I forgot his name for a bit. We can learn his MAC address and say, you know what, I'm going to explicitly deny him by putting the forbidden command. Or, this is my favorite way of doing it, we have the sticky command. Things get a little sticky. And what will happen is you don't have to hard code the MAC address of your Raspberry Pi when you plug it into your switch, or any other device you might plug in. What it will do is, you plug in your device, your switch will learn that MAC address and then stick it like a Post-it and say, okay, that's the only MAC address allowed. That's it. And that's normally the one I go with, because I'm too lazy to go find all the MAC addresses and hard code them. So I'll just say, you know what, whatever gets plugged in first is the only one allowed. So sticky. Boom.

The last but certainly not least: let's decide what we're gonna do to people who violate our rules here. The command will be switchport port-security violation, what we're going to do to you. Let's hit question mark and see what our options are. Now by default, and this is probably my favorite one, it's shutdown. If something happens, shut that sucker down. This will shut the port down, send an SNMP message saying, hey, it got shut down because of this reason. Again, default behavior. Restrict will actually keep the port up if it violates, but it will restrict traffic on that interface, dropping packets, frames, and it will send an SNMP message saying, hey, something happened here, this is why. We'll cover what SNMP means later in this course; don't worry about that. And then protect does the same kind of thing as restrict, but no SNMP message. So it will keep the port up, restrict traffic, but no message. Now again, I like this shutdown scenario. It's default, we don't have to configure it, but I'm going to do it anyway. So violation shutdown. Boom.

So now how do we know it's working? How do we verify things from show commands here real quick? First one: show port-security, just like that. It shows us the port that we have port security configured on, configuration of only one MAC address allowed, there's currently only one address, cool, no violations, and if it does violate, we're going to shut the sucker down. We can also see the addresses learned from the sticky command if we type in address just after that command. Boom, we can see that's the IP address of my, I'm sorry, the MAC address of my Raspberry Pi, and it was learned via SecureSticky. It's just a funny phrase, I don't know why.

So what do you say we simulate a hacking scenario? Hold on, let's become a hacker for a second and do this. So, I can't wear that all the time. I'm gonna try and get some information here. There we go. I'll give it a second to come up. I think it's been enough time. I want to do show port-security. Nothing yet. Look at this. Okay, okay, cool. So currently there's one MAC address on there, but it's not the right one, sucker. Security violation, shutdown. I'm gonna do show port-security and I can specify, let me see, the interface. I'll do interface gi4/0/39 and get some more info on that. There we go. Security enabled, current port status: it's secure-shutdown. That hacker has been thwarted. He's not getting a thing from us. Whew. I'm gonna plug my Raspberry Pi back in now. One thing you'll notice is that it doesn't come back up. How do you fix that?

When the violation happens, and also if I do show ip interface brief and I only want to see my one port there, I'll include gi4/0/39, oh wait, just 4/0/39, sorry. Yeah, it is down/down. I can also do show interfaces gi4/0/39 status, and look at that, cool: it puts it in an err-disabled state. Err-disabled, different from an admin shutdown. Similar results, but different. We didn't shut this down as an admin; the switch shut it down because of a port security violation, and you'll see stuff like this in the status: err-disabled. Now to fix that, it's pretty simple. We're just going to jump into the interface: conf t, interface gi4/0/39. We'll do a shut to administratively shut it down, and then no shut to bring it back up. And if I do a show interface gi4/0/39 status, bam, status: connected. No, I want to see show port-security interface gi4/0/39, and cool, we know things are groovy, are good, are golden when it shows secure-up. Not secure-down.

Now how do we do this on other switches that aren't Cisco? UniFi has a similar feature, but it's not going to be sticky. For example, here on port 13 on my switch, back in the UniFi portal, I can do a MAC ID filter, allow list, and control what MAC addresses are allowed to connect to that switch port. So kind of hard coding it, like we could with a Cisco switch. I don't believe there is a sticky option, so correct me if I'm wrong if you're a UniFi guru; let me know in the comments below. But this is one way to do it.

So the Shark Jack and devices like that are out there in the wild. Whether your company is being audited by a pen tester and they're testing all the open ports, or there's a legit hacker just walking around trying to insert things into your ports and hack you, you need to protect yourself. What we cover here in this video are some best practices, some baseline things to make sure you don't get hacked by exposing your exposed ports. The best thing to do for ports that are just not being used is to put them in a black hole and shut them down, and for every other port that is being used by a legit device, you have to make sure a hacker can't just unplug your device and plug his device in. So with that, we're going to use something like port security.

Now I do want to mention this: with automation and all kinds of cool stuff coming out in networking, there are better ways to do this. You might work at a company where they have this. They might use things like 802.1X, which is a port security feature that will require you to actually log in with credentials to gain access to that port. So legit, you plug in your computer, a login screen will come up, and you gotta log in, and then boom, you're authorized to use that switch. You can also go a step further by using certificates, where you don't have to log in, but your device has to have a certain certificate to be able to use that switch port. A lot of enterprise companies do this. And then they'll have more advanced features like Cisco ISE, which is kind of automation for security. It'll intelligently profile devices that plug into the switch and figure out if they're good or bad based on all kinds of stuff.

And that was episode 14 of my free Cisco CCNA course. Now I know I kind of jumped the shark, jumped the Shark Jack a bit, by going forward in the exam objectives and going to port security. I did that because I just couldn't help it. I wanted to jump to it because I thought it was cool. I had this device, I wanted to play with it, so I jumped the shark. Now I did this also because I know that there wasn't too much information that you didn't already have, so hopefully it wasn't too much. Let me know below. Going forward we will continue with the exam objectives in order. And again, shout out to Privacy, the sponsor of this video. If you want to create virtual cards and do all kinds of cool stuff to control your financial identity online, check them out, link below: privacy.com/networkchuck, and you get five dollars just for trying it. It costs you negative five dollars. And Boson, who sponsors this entire series. Again, they're doing a summer sale right now. The code, I think, is SUMMER21. Just use my link below and you get 25% off most of the products. I've personally used Boson, their exams and their lab software, for my CCNP. They're fantastic, the gold standard for getting your CCNA. So if you want to get serious about that and get your CCNA this year, check it out. Now's the time, so go ahead and do that.

And oh yeah, I almost forgot, I'm giving away two of these Shark Jacks. If you want to enter to win that contest, link below. And, um, there's a lot of stuff I have to add at the end of this video. There's so much stuff to talk about. I've also got a lab you can go through for port security, a Packet Tracer lab. Go check it out, link below. And yeah, I think I said everything, right? Don't forget to hack the YouTube algorithm: like this video, comment, subscribe, notification bell, all that YouTube stuff. You gotta hack YouTube today, ethically. Easy for me to say. Ethically, of course. And for real, I'm gonna let you guys go. That's all I have. I'll catch you guys in the next episode. Let me know what you think of the series so far. I'm gonna keep working on it; it's gonna be fun. I'll catch you guys next time.
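The configuration the video walks through piece by piece (black hole VLAN plus shutdown for unused ports, port security with a sticky MAC on a port in use, and the err-disabled recovery), collected here as one Cisco IOS fragment. This is an added example, not captions from the video or a Boson lab file. The interface names, the VLAN number, the trunk interface and the recovery interval are assumptions chosen to match the video's examples; adapt them to your own switch.

```cisco
! Added example, not from the video. Interface names and VLAN 666 are assumed.
! --- 1. Unused ports: black hole VLAN, hard-coded access mode, admin shutdown ---
vlan 666
 name BLACKHOLE
 exit
!
interface range FastEthernet0/10 - 12
 description UNUSED - black hole, do not enable without a ticket
 switchport mode access
 switchport access vlan 666
 shutdown
 exit
!
! Keep the black hole VLAN off any trunk to a neighbouring switch
! (assumed trunk interface; only meaningful on a port already configured as a trunk)
interface GigabitEthernet0/1
 switchport trunk allowed vlan remove 666
 exit
!
! --- 2. Port in use by a known host: port security, one sticky MAC, shutdown on violation ---
interface GigabitEthernet4/0/39
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
 exit
!
! --- 3. Optional: recover an err-disabled port automatically after 300 s
!        instead of the manual "shutdown" / "no shutdown" shown in the video ---
errdisable recovery cause psecure-violation
errdisable recovery interval 300
end
!
! --- Verification (privileged EXEC) ---
show ip interface brief | include administratively down
show vlan brief
show port-security interface GigabitEthernet4/0/39
show port-security address
show interfaces status err-disabled
show errdisable recovery
```

Two checks worth doing after applying this. First, a sticky address is written into the running configuration as a "switchport port-security mac-address sticky <mac>" line, so save with "copy running-config startup-config" or the learned address is lost on reload and the first device to plug in after the reboot becomes the allowed one. Second, remember what port security does and does not prove: it matches the source MAC address only, so anyone who reads the MAC printed on the Raspberry Pi and clones it on their own device will be accepted. That is the gap the video's closing mention of 802.1X with certificates closes, and it is why port security is a baseline rather than the final control. For the desk-phone-plus-PC case the video mentions, raise the maximum to 2 on that port.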
Info
Channel: NetworkChuck
Views: 254,546
Keywords: Ccna, free ccna, cisco ccna, cisco certified network associate, ccna 200-301, cisco training, learn networking, cisco certification, ccna certification, free ccna course, ccna course, network chuck, networkchuck
Id: 0W4JZIWtjLQ
Length: 23min 23sec (1403 seconds)
Published: Fri Jul 30 2021