Exploiting Layer 2: by Balwant Rathore

Exploiting Layer 2
By Balwant Rathore
Mahindra-British Telecom Ltd.
Exploiting Layer 2
Exploiting VLANs by VLAN Hopping Exploiting CAM Table Attack Exploiting Spanning Tree Attack
Exploiting VLANs by VLAN Hopping

Refreshing VLANs VLAN Hopping Attack
Refreshing VLANs
What is VLAN?
A broadcast domain created by one or more switches.
Why VLAN?
Used to separate LANs logically in one or more switches.
Benefits of VLANs?
Broadcast control Effective Bandwidth Utilisation CPU Utilisation Good Administrative Control with L3 device Access Control List Accounting Easy Movement
MAC Address Table

Dynamic Address: Added by normal bridge/switch processing Permanent Address: Added via configuration, no time out Restricted-Static Address: A MAC address would be configured only with specific port.
Some facts about VLAN

Max VLAN limit depends on switch model. VLAN1 is also called management VLAN CDP and VTP Adviserment are sent on VLAN1 Creation, Addition, or Deletion of VLANs is only possible in VTP server mode A layer 3 device is required for Inter VLAN communication
Trunk Port
Trunk Port...
Trunk Ports has access to all VLAN by default Used to route traffic for multiple VLANs across switches It can use 802.1Q or ISL encapsulation
VLAN Hopping Attack

Sample Frame Capture Insert 802.1q tag 802.1q Frames into non-trunk ports
VLAN Hopping Attack
A host can spoof as a switch with ISL or 802.1Q tag
Step1: Sample Frame Capture

Connect two PCs in the same VLAN of one switch. Send ICMP echo message from PC1 to PC2 Capture this with Sniffer Pro on PC 2 View packets in raw hex Start Packet generation component of sniffer pro Enter above captured packet in step 3 Send entered packet from PC1 to PC 2
Step2: Insert 802.1q tag

Shift PC2 on trunk port (port 24) of switch and start Sniffer software Ping non-existent IP address from PC1 Capture ARP lookup on PC2 Shift PC1 on VLAN 2 port and repeat it VLAN1 and VLAN2 will have 81 00 00 01 and 81 00 00 02 tag respectively
Step3: 802.1q Frames into nontrunk ports

Put PC1 on VLAN 1 switch one Put PC2 on VLAN1 of second switch Connect trunk cable between them Crafted packet from VLAN1, VLAN2 and VLAN3 was delivered to their destination VLAN
Step4: VLAN Hopping

Connect PCs in different VLANs and in different switches Change VLAN IDs and send it to as many combinations as possible
In Different Switches
Src 1 1 2 3 3 VLAN | Dst 2 3 1 2 1 VLAN | Tag ID 2 3 1 3 1 Success? Yes Yes No No No
In Same Switch
Src 1 1 2 3 3 VLAN | Dst 2 3 1 2 1 VLAN | Tag ID 2 3 1 3 1 Success? No No No No No
Till today no proof of concept Tool Available

Attack is not easy, require followings: Access to native VLAN Target machine is in different switch Attacker knows MAC address of the target machine Some layer 3 device for traffic from targets VLAN to back.
Safeguard
Never, Never use VLAN 1 Always use a dedicated VLAN ID for all trunk ports Disable unused ports and put them in an unused VLAN Shutdown DTP on all user ports
Exploiting CAM Table
CAM Table Review

Content Addressable Memory Contain MAC Address, Port and associated VLAN Have limited size Normally broadcast is limited to device port itself if the device entry is present in CAM table.
macof
Use macof from Dsniff suit to overflow CAM Table Syntax Macof [-I interface] [-s src] [-d dst] [-e tha] [-x sport] [-y dport] [-n times] -n option is very important to perform exploit in control environment # sh cam count dynamic # total matching CAM entries = 131052 As CAM table is full, traffic floods to other switch on same VLAN
macof...
macof...
As you know dsniff is developed for BSD not for linux Its Installation is a pain, refer following document for Dsniff Installation over Linux 8.0 http://groups.yahoo.com/group/PenTest/messag e/242
Safeguard
Implement Port Security Port Security Limits MAC addresses to a port. port secure max-mac-count 3 On detection of invalid MAC switch can be configured to block only invalid MAC Switch can be configured to shutdown the port
Port Security
Restrict option may fail under macof load and disable the port, shutdown option is more appropriate. Consider management puzzle and performance hit Visit this for more detail on Port Security www.cisco.com/univercd/cc/td/doc/product/ lan/cat6000/sw_7_3/confg_gd/sec_port.htm - 34k
Exploiting Address Resolution Protocol (ARP)
Gratuitous ARP
Is used by host to announce their IP address It's a broadcast packet like an ARP request
Gratuitous ARP
Safeguard
Private VLANs provides protection against ARP attacks. ARPWatch is a freely available tool Consider static ARP for critical static routers and hosts Cisco is under development of an ARP firewall
Exploiting Spanning Tree

Send BPDUs using brconfig and make yourself new Root Bridge.
References
.http://www.cisco.com/go/safe/ .http://www.cisco.com/warp/public/cc/pd/si/casi/ca6000/tech/stake_wp.pdf .http://www.cisco.com/warp/public/473/103.html .http://monkey.org/~dugsong/dsniff/ .http://www.sans.org/newlook/resources/IDFAQ/vlan.htm .http://www.ietf.org/rfc/rfc0826.txt .http://www.sans.org/newlook/resources/IDFAQ/switched_network.htm .http://www.cisco.com/warp/public/cc/pd/si/casi/ca6000/tech/c65sp_wp.htm .http://www.atstake.com/
Thank You

Exploiting Layer 2: by Balwant Rathore

Hochgeladen von

Dokumentinformationen

Originalbeschreibung:

Originaltitel

Copyright

Verfügbare Formate

Dieses Dokument teilen

Dokument teilen oder einbetten

Freigabeoptionen

Stufen Sie dieses Dokument als nützlich ein?

Sind diese Inhalte unangemessen?

Copyright:

Verfügbare Formate

Exploiting Layer 2: by Balwant Rathore

Hochgeladen von

Copyright:

Verfügbare Formate

Exploiting Layer 2

Mahindra-British Telecom Ltd.

Mahindra-British Telecom Ltd.

Exploiting VLANs by VLAN Hopping

Mahindra-British Telecom Ltd.

A broadcast domain created by one or more switches.

Mahindra-British Telecom Ltd.

Used to separate LANs logically in one or more switches.

Mahindra-British Telecom Ltd.

Mahindra-British Telecom Ltd.

MAC Address Table

Mahindra-British Telecom Ltd.

Some facts about VLAN

Mahindra-British Telecom Ltd.

Mahindra-British Telecom Ltd.

Mahindra-British Telecom Ltd.

VLAN Hopping Attack

Mahindra-British Telecom Ltd.

VLAN Hopping Attack

A host can spoof as a switch with ISL or 802.1Q tag

Mahindra-British Telecom Ltd.

Step1: Sample Frame Capture

Mahindra-British Telecom Ltd.

Step2: Insert 802.1q tag

Mahindra-British Telecom Ltd.

Step3: 802.1q Frames into nontrunk ports

Mahindra-British Telecom Ltd.

Step4: VLAN Hopping

Mahindra-British Telecom Ltd.

Mahindra-British Telecom Ltd.

Mahindra-British Telecom Ltd.

Till today no proof of concept Tool Available

Mahindra-British Telecom Ltd.

Mahindra-British Telecom Ltd.

Exploiting CAM Table

Mahindra-British Telecom Ltd.

CAM Table Review

Mahindra-British Telecom Ltd.

Mahindra-British Telecom Ltd.

Mahindra-British Telecom Ltd.

Mahindra-British Telecom Ltd.

Mahindra-British Telecom Ltd.

Mahindra-British Telecom Ltd.

Exploiting Address Resolution Protocol (ARP)

Mahindra-British Telecom Ltd.

Mahindra-British Telecom Ltd.

Mahindra-British Telecom Ltd.

Mahindra-British Telecom Ltd.

Exploiting Spanning Tree

Mahindra-British Telecom Ltd.

Exploiting Spanning Tree

Mahindra-British Telecom Ltd.

Exploiting Spanning Tree

Mahindra-British Telecom Ltd.

Exploiting Spanning Tree

Mahindra-British Telecom Ltd.

Exploiting Spanning Tree

Mahindra-British Telecom Ltd.

Mahindra-British Telecom Ltd.

Mahindra-British Telecom Ltd.

Das könnte Ihnen auch gefallen