By Steve Bochenski
Cisco Discovery Protocol is a data-link-layer protocol that is used to share information about other directly connected Cisco equipment such as switches and routers. Some of the information carried in the protocol is the version, hop number (distance in hops from the current device), IP address, and MAC address. However, the data can vary based on version and device. The protocol sends multicast announcements out of each interface every 60 seconds, with a destination address of 01-00-0c-cc-cc-cc. Any Cisco device that accepts Cisco Discovery Protocol announcements then takes the information sent to it and stores it in a table that can be shown using the “show cdp neighbors” command on any Cisco device. Figure 1 shows an example of the output from the “show cdp neighbors” command. While the output shown includes things such as the device name and the interface that is sending the information, information such as the IP address and version is also exchanged in the protocol. While Cisco Discovery Protocol is very useful for letting Cisco devices communicate immediately upon connection, it also poses many security risks.
Two of the major attacks people tend to think about that involve Cisco Discovery Protocol are Cisco Discovery Protocol spoofing and Cisco Discovery Protocol flooding. Cisco Discovery Protocol spoofing is the process of spoofing Cisco Discovery Protocol packets to make it seem as though another Cisco device is connected to the network, so that the other Cisco devices on the network then send the spoofed device packets containing their network information. This attack can be used together with the main topic of this blog post: building attack trees using Cisco Discovery Protocol. The other major Cisco Discovery Protocol attack is flooding, which is simply a Denial of Service attack. An attacker creates a Cisco Discovery Protocol packet that will be accepted by Cisco devices and then releases millions of these packets onto the network. Cisco devices, by design, are then forced to respond to each packet and, as a result, use up all network resources trying to respond to the millions of Cisco Discovery Protocol packets being sent out. The result is a Denial of Service attack that has effectively crippled a company network.
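The announcement cadence and the two attacks described above can be checked for from the defender's side. The following is an added example (not code from the original post): it parses the CDP frame format (802.3 Ethernet with LLC/SNAP, then the CDP version, TTL, checksum and type/length/value fields) and flags two anomalies in a sample of constructed traffic: a device ID that is not in a neighbor allowlist, and a source announcing far more often than once per 60 seconds. The allowlist, the threshold of three announcements per window, and the sample frames are assumptions made for the example.

```python
import struct
from collections import Counter

CDP_MULTICAST = bytes.fromhex("01000ccccccc")   # destination named in the post
SNAP_CDP = b"\xaa\xaa\x03\x00\x00\x0c\x20\x00"  # LLC + SNAP OUI 00:00:0c, protocol 0x2000
TLV_NAMES = {0x0001: "device_id", 0x0003: "port_id",
             0x0005: "software_version", 0x0006: "platform"}

def parse_cdp(frame: bytes) -> dict:
    """Return header fields and the string-valued TLVs of one CDP frame."""
    if frame[0:6] != CDP_MULTICAST or frame[14:22] != SNAP_CDP:
        raise ValueError("not an LLC/SNAP CDP frame")
    # 14-byte 802.3 header, 8-byte LLC/SNAP, then version, TTL, 2-byte checksum
    info = {"src_mac": frame[6:12].hex(":"), "version": frame[22], "ttl": frame[23]}
    off = 26
    while off + 4 <= len(frame):
        t, l = struct.unpack("!HH", frame[off:off + 4])   # length includes the 4-byte header
        if l < 4 or off + l > len(frame):
            raise ValueError("malformed TLV")              # short or truncated length
        if t in TLV_NAMES:
            info[TLV_NAMES[t]] = frame[off + 4:off + l].decode("ascii", "replace")
        off += l
    return info

def build_frame(src_mac: bytes, tlvs: dict) -> bytes:
    """Constructed test input only: assemble a CDP v2 frame (checksum left zero)."""
    body = b"".join(struct.pack("!HH", t, 4 + len(v)) + v for t, v in tlvs.items())
    return (CDP_MULTICAST + src_mac + struct.pack("!H", len(SNAP_CDP) + 4 + len(body))
            + SNAP_CDP + bytes([2, 180, 0, 0]) + body)

def find_anomalies(observations, known_neighbors, window=60, max_per_window=3):
    """observations: (timestamp_seconds, frame). Flag device IDs missing from the
    allowlist (possible spoofed neighbor) and sources announcing far more often
    than the once-per-60-seconds cadence (possible CDP flood)."""
    alerts, per_bucket = set(), Counter()
    for ts, frame in observations:
        info = parse_cdp(frame)
        dev = info.get("device_id")
        if dev not in known_neighbors:
            alerts.add(f"unknown neighbor {dev} from {info['src_mac']}")
        per_bucket[(info["src_mac"], int(ts) // window)] += 1
    for (mac, _), n in per_bucket.items():
        if n > max_per_window:
            alerts.add(f"flood: {n} announcements from {mac} in {window}s")
    return sorted(alerts)

# Constructed sample traffic: one legitimate switch every 60 s plus a source that
# is not on the allowlist and announces 50 times inside one minute.
LEGIT = build_frame(bytes.fromhex("0011223344aa"),
                    {0x0001: b"SW1", 0x0003: b"GigabitEthernet0/1", 0x0006: b"cisco WS-C2960"})
ROGUE = build_frame(bytes.fromhex("deadbeef0001"), {0x0001: b"SW9", 0x0003: b"Eth0"})
SAMPLE = [(0, LEGIT), (60, LEGIT), (120, LEGIT)] + [(61 + i, ROGUE) for i in range(50)]
```

Running `find_anomalies(SAMPLE, {"SW1"})` returns one flood alert and one unknown-neighbor alert, both for the rogue source, while the legitimate switch produces none.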
While spoofing and flooding are both major security risks, one security risk many people do not think about is how Cisco Discovery Protocol can be used to build attack trees. These attack trees can be built using two methods. One method of gathering information is simply using Wireshark to sniff Cisco Discovery Protocol packets. An example of a trace containing Cisco Discovery Protocol packets is shown in Figure 2. When using this method for sniffing packets, you would have to put in some extra effort to get any information out of the packets, since the data is encrypted. The fact that the traffic is encrypted is also shown in Figure 2 under the drop-down label “Data”. One favorable part of the Cisco Discovery Protocol is that it does support strong end-to-end encryption using RSA, but this is not configured by default. If it is not configured, Cisco Discovery Protocol is left extremely vulnerable. Once the information is decrypted, an attacker could easily use a network trace to build an attack tree for the Cisco devices on a network. This attack tree could then be used by an attacker to map their way through a network, assuming the network is made up of Cisco devices. The attacker could then find a way to sensitive information stored on the network, such as credit card information or personally identifiable information of employees or customers.
Another method for an attacker to obtain Cisco Discovery Protocol packets to use in building attack trees is to send out spoofed Cisco Discovery Protocol packets. Attackers could create Cisco Discovery Protocol packets, using a tool such as Scapy, with the correct destination address and their own IP address as the return address. This would be a very simple task for a modern-day attacker. They could then fill in the rest of the packet following the basic layout of a packet to make it seem as though they were a new Cisco device being added to the network. Other Cisco devices on the network would then store the attacker’s information in their cdp tables, as the protocol dictates, and would respond in kind to the attacker. Since the attacker would be pretending to be a Cisco device, the attacker would then have the unencrypted Cisco Discovery Protocol information for all Cisco devices on the network. This information could then be used by an attacker, just like in the previous case, to build an attack tree and map their way through the network. The attacker could then find a way to sensitive information stored on the network, such as credit card information or personally identifiable information of employees or customers.
All in all, Cisco Discovery Protocol is a very powerful tool that can be very helpful when building a network and leaves less configuration to an administrator. However, Cisco Discovery Protocol is also very insecure and is vulnerable to many attacks that are very easy for an attacker to write and that could potentially bring down a network. Attackers could also use the information obtained from the Cisco Discovery Protocol to build attack trees. These attack trees could then be used to map a way through the network to sensitive data. Companies need to be aware that not only can their network be brought down, but sensitive data can be compromised because of the Cisco Discovery Protocol. This is why, in the majority of cases, companies immediately disable Cisco Discovery Protocol whenever releasing a new Cisco device into the network. The sheer security risk of leaving it enabled greatly outweighs the benefits of leaving it enabled.
Figure 1: Example “show cdp neighbors” command
Figure 2: Wireshark trace containing Cisco Discovery Protocol packets