By Balwant Rathore
Exploiting Layer 2
Exploiting VLANs by VLAN Hopping
Exploiting CAM Table Attack
Exploiting Spanning Tree Attack
Refreshing VLANs
What is VLAN?
Why VLAN?
Benefits of VLANs?
Broadcast control
Effective bandwidth utilisation
CPU utilisation
Good administrative control with an L3 device
Access Control Lists
Accounting
Easy movement
Trunk Port
Trunk Port...
Trunk ports have access to all VLANs by default
Used to carry traffic for multiple VLANs between switches
Can use 802.1Q or ISL encapsulation
In Different Switches
Src VLAN | Dst VLAN | Tag ID | Success?
1 | 2 | 2 | Yes
1 | 3 | 3 | Yes
2 | 1 | 1 | No
3 | 2 | 3 | No
3 | 1 | 1 | No
In Same Switch
Src VLAN | Dst VLAN | Tag ID | Success?
1 | 2 | 2 | No
1 | 3 | 3 | No
2 | 1 | 1 | No
3 | 2 | 3 | No
3 | 1 | 1 | No
Safeguard
Never, never use VLAN 1
Always use a dedicated VLAN ID as the native VLAN of all trunk ports
Disable unused ports and put them in an unused VLAN
Shut down DTP on all user ports
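The two result tables above and the "dedicated VLAN ID for trunks" safeguard can be reproduced with a small forwarding model. The Python below is an added example, not code from the presentation: it builds real 802.1Q frame bytes, models two switches with a simplified rule set (an access port strips a tag that matches its own VLAN, a trunk sends the native VLAN untagged and tags every other VLAN), and reports whether a double-tagged frame from an access port in the source VLAN is delivered in the destination VLAN. The `Switch`, `hop_succeeds` and `page_table` names, the MAC addresses and the native VLAN 999 used for the hardened case are all constructed for the demo.

```python
import struct

ETH_P_8021Q = 0x8100   # 802.1Q TPID
ETH_P_IP = 0x0800

# Rows copied from the presentation's tables: (src VLAN, dst VLAN, inner tag ID)
PAGE_ROWS = [(1, 2, 2), (1, 3, 3), (2, 1, 1), (3, 2, 3), (3, 1, 1)]


def build_frame(vids, payload=b"\x00" * 46):
    """Ethernet frame with stacked 802.1Q tags, outermost first (constructed MACs)."""
    dst = bytes.fromhex("00005e000101")
    src = bytes.fromhex("00005e000102")
    tags = b"".join(struct.pack("!HH", ETH_P_8021Q, vid & 0x0FFF) for vid in vids)
    return dst + src + tags + struct.pack("!H", ETH_P_IP) + payload


def outer_tag(frame):
    """VID of the outermost 802.1Q tag, or None if the frame is untagged."""
    if struct.unpack_from("!H", frame, 12)[0] != ETH_P_8021Q:
        return None
    return struct.unpack_from("!H", frame, 14)[0] & 0x0FFF


def push_tag(frame, vid):
    return frame[:12] + struct.pack("!HH", ETH_P_8021Q, vid) + frame[12:]


def pop_tag(frame):
    return frame[:12] + frame[16:]


class Switch:
    """Simplified 802.1Q switch: only the rules needed to explain the tables."""

    def __init__(self, native_vlan):
        self.native_vlan = native_vlan

    def ingress_access(self, frame, port_vlan):
        """Access port: a tag for the port's own VLAN is stripped; any other tag is dropped."""
        vid = outer_tag(frame)
        if vid is None:
            return port_vlan, frame
        if vid == port_vlan:
            return port_vlan, pop_tag(frame)
        return None, None

    def egress_trunk(self, vlan, frame):
        """Trunk: the native VLAN leaves untagged, every other VLAN gets a tag pushed."""
        return frame if vlan == self.native_vlan else push_tag(frame, vlan)

    def ingress_trunk(self, frame):
        """Trunk: an untagged frame belongs to the native VLAN, a tagged one to its outer VID."""
        vid = outer_tag(frame)
        if vid is None:
            return self.native_vlan, frame
        return vid, pop_tag(frame)


def hop_succeeds(src_vlan, dst_vlan, inner_tag, native_vlan=1, same_switch=False):
    """True if a double-tagged frame sent from an access port in src_vlan ends up in dst_vlan."""
    sw1, sw2 = Switch(native_vlan), Switch(native_vlan)
    frame = build_frame([src_vlan, inner_tag])   # outer tag = sender's own VLAN, inner = target
    vlan, frame = sw1.ingress_access(frame, src_vlan)
    if vlan is None:
        return False
    if not same_switch:
        # Crossing the trunk is the only step that can drop a tag without pushing a new one.
        vlan, frame = sw2.ingress_trunk(sw1.egress_trunk(vlan, frame))
    return vlan == dst_vlan


def page_table(native_vlan=1, same_switch=False):
    """Success column for the five rows of the presentation's tables."""
    return [hop_succeeds(s, d, t, native_vlan, same_switch) for s, d, t in PAGE_ROWS]


if __name__ == "__main__":
    print("different switches, native VLAN 1:", page_table(1, False))
    print("same switch, native VLAN 1:       ", page_table(1, True))
    print("different switches, native 999:   ", page_table(999, False))
```

With the default native VLAN 1 the model returns Yes only for the two rows that start in VLAN 1, matching the first table, and No for every row on a single switch, matching the second. Setting the trunk native VLAN to a dedicated unused ID (999 here) makes every row fail, because VLAN 1 traffic is then tagged on the trunk and the inner tag is never exposed.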
macof
Use macof from the dsniff suite to overflow the CAM table
Syntax: macof [-i interface] [-s src] [-d dst] [-e tha] [-x sport] [-y dport] [-n times]
The -n option (number of packets) is very important for performing the exploit in a controlled environment
# sh cam count dynamic
# total matching CAM entries = 131052
Once the CAM table is full, traffic floods to the other switch on the same VLAN
macof...
As you know, dsniff was developed for BSD, not for Linux. Its installation is a pain; refer to the following document for dsniff installation on Linux 8.0: http://groups.yahoo.com/group/PenTest/message/242
Safeguard
Implement Port Security
Port Security limits the MAC addresses allowed on a port:
port secure max-mac-count 3
On detection of an invalid MAC, the switch can be configured to block only the invalid MAC
Or the switch can be configured to shut down the port
Port Security
The restrict option may fail under macof load and disable the port; the shutdown option is more appropriate. Consider the management puzzle and the performance hit.
Visit this for more detail on Port Security: www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/sw_7_3/confg_gd/sec_port.htm
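The CAM overflow described on the macof slide and the port-security safeguard above are easiest to see side by side in a model. The Python below is an added example, not code from the presentation or from dsniff: a toy learning switch with a fixed CAM capacity, an optional per-port MAC limit (the page's `max-mac-count 3`) and the two violation behaviours the slides mention (block only the invalid MAC, or shut the port down). The `CamSwitch` and `demo` names, the three-port topology, the CAM capacity of 64 (the real switch on the page reported 131052 entries), the host MACs and the seeded burst of random source MACs standing in for macof traffic are all constructed for the demo.

```python
import random

BROADCAST = "ff:ff:ff:ff:ff:ff"


class CamSwitch:
    """Toy learning switch with an optional per-port MAC limit (port security)."""

    def __init__(self, ports, cam_capacity, max_macs=None, violation="restrict"):
        self.ports = list(ports)
        self.cam_capacity = cam_capacity
        self.max_macs = max_macs          # None = no port security
        self.violation = violation        # "restrict" or "shutdown"
        self.cam = {}                     # MAC -> port
        self.errdisabled = set()
        self.violations = 0

    def _port_macs(self, port):
        return sum(1 for p in self.cam.values() if p == port)

    def learn(self, port, src):
        """Return False if port security rejects the frame, True otherwise."""
        if src in self.cam:
            return True
        if self.max_macs is not None and self._port_macs(port) >= self.max_macs:
            self.violations += 1
            if self.violation == "shutdown":
                self.errdisabled.add(port)
            return False                  # restrict: only this unknown MAC is dropped
        if len(self.cam) < self.cam_capacity:
            self.cam[src] = port          # a full CAM table simply stops learning
        return True

    def forward(self, port, src, dst):
        """Return the set of ports the frame leaves on."""
        if port in self.errdisabled or not self.learn(port, src):
            return set()
        if dst in self.cam:
            return {self.cam[dst]}
        # Unknown destination (or a table full of junk): flood the VLAN, the attacker's port included
        return set(self.ports) - {port} - self.errdisabled


def demo(max_macs=None, violation="restrict", seed=1):
    """Flood port 1 with bogus MACs, then check whether host2 -> host3 traffic reaches port 1."""
    rng = random.Random(seed)
    sw = CamSwitch(ports=[1, 2, 3], cam_capacity=64, max_macs=max_macs, violation=violation)
    host2, host3 = "00:00:5e:00:53:02", "00:00:5e:00:53:03"
    # Constructed burst: 200 frames with random locally administered source MACs on port 1
    for _ in range(200):
        bogus = "02:" + ":".join(f"{rng.randrange(256):02x}" for _ in range(5))
        sw.forward(1, bogus, BROADCAST)
    sw.forward(3, host3, host2)             # host3 on port 3 sends to host2
    out = sw.forward(2, host2, host3)       # where does host2's reply go?
    return {
        "cam_entries": len(sw.cam),
        "flooded_to_attacker": 1 in out,
        "violations": sw.violations,
        "port1_errdisabled": 1 in sw.errdisabled,
    }


if __name__ == "__main__":
    print("no port security:      ", demo())
    print("max 3 MACs, restrict:  ", demo(max_macs=3))
    print("max 3 MACs, shutdown:  ", demo(max_macs=3, violation="shutdown"))
```

Without port security the table fills with bogus entries, the real hosts never get learned and the unicast between them is flooded to port 1. With a limit of three MACs per port the fourth bogus address is the first violation; restrict keeps dropping the rest one by one (197 violations in this run, which is the load the slide warns about), while shutdown records a single violation and err-disables the port.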
Gratuitous ARP
Used by a host to announce its IP address
It's a broadcast packet like an ARP request
Safeguard
Private VLANs provide protection against ARP attacks
ARPWatch is a freely available tool
Consider static ARP for critical routers and hosts
Cisco is developing an ARP firewall
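The ARPWatch and static-ARP safeguards above amount to one check: keep a table of IP-to-MAC bindings, treat a gratuitous ARP or reply that rebinds a known IP as an event, and refuse to rebind pinned hosts. The Python below is an added example, not code from the presentation or from arpwatch: it builds RFC 826 ARP packets as bytes, parses them, classifies gratuitous ones (sender IP equals target IP) and raises an alert when a binding changes, with a pinned (static) entry for the router. The `ArpWatcher`, `build_arp` and `demo` names, the 192.0.2.0/24 addresses and the MAC addresses are all constructed for the demo.

```python
import struct
from ipaddress import IPv4Address

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_arp(op, smac, sip, tmac, tip, eth_dst=BROADCAST):
    """Constructed Ethernet + ARP packet (RFC 826 layout, IPv4 over Ethernet)."""
    eth = mac_bytes(eth_dst) + mac_bytes(smac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    arp += mac_bytes(smac) + IPv4Address(sip).packed + mac_bytes(tmac) + IPv4Address(tip).packed
    return eth + arp


def parse_arp(pkt):
    """Decode an ARP packet; None for anything that is not IPv4-over-Ethernet ARP."""
    if len(pkt) < 42 or struct.unpack_from("!H", pkt, 12)[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack_from("!HHBBH", pkt, 14)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    smac, sip, tmac, tip = struct.unpack_from("!6s4s6s4s", pkt, 22)
    sip, tip = str(IPv4Address(sip)), str(IPv4Address(tip))
    return {"op": op, "smac": mac_str(smac), "sip": sip, "tmac": mac_str(tmac),
            "tip": tip, "gratuitous": sip == tip}   # gratuitous ARP: host announces its own IP


class ArpWatcher:
    """Tracks IP->MAC bindings and reports changes; static entries are never overwritten."""

    def __init__(self, static=None):
        self.static = dict(static or {})
        self.table = dict(self.static)
        self.alerts = []

    def observe(self, pkt):
        arp = parse_arp(pkt)
        if arp is None:
            return None
        ip, mac = arp["sip"], arp["smac"]
        kind = "gratuitous" if arp["gratuitous"] else ("reply" if arp["op"] == ARP_REPLY else "request")
        known = self.table.get(ip)
        if known is None:
            self.table[ip] = mac
            self.alerts.append(f"new station {ip} {mac} ({kind})")
        elif known != mac:
            if ip in self.static:
                # Pinned host: report and keep the static binding
                self.alerts.append(f"CRITICAL: {ip} pinned to {known}, announced by {mac} ({kind})")
            else:
                self.alerts.append(f"changed ethernet address {ip} {known} -> {mac} ({kind})")
                self.table[ip] = mac
        return kind


def demo():
    router, router_mac = "192.0.2.1", "00:00:5e:00:53:01"
    host, mac_a, mac_b = "192.0.2.10", "00:00:5e:00:53:0a", "00:00:5e:00:53:0b"
    w = ArpWatcher(static={router: router_mac})
    # Constructed traffic: a host's boot-time gratuitous ARP, a repeat, then two conflicting announcements
    packets = [
        build_arp(ARP_REQUEST, mac_a, host, "00:00:00:00:00:00", host),   # new station
        build_arp(ARP_REQUEST, mac_a, host, "00:00:00:00:00:00", host),   # nothing to report
        build_arp(ARP_REPLY, mac_b, host, router_mac, host),              # same IP, new MAC
        build_arp(ARP_REPLY, mac_b, router, mac_a, router),               # someone claims the router
    ]
    for p in packets:
        w.observe(p)
    return w


if __name__ == "__main__":
    for line in demo().alerts:
        print(line)
```

The first gratuitous ARP is logged as a new station, the repeat is silent, the third packet produces the "changed ethernet address" line that arpwatch would mail, and the fourth is flagged as critical because the router's binding is pinned and stays at its static MAC.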
References
http://www.cisco.com/go/safe/
http://www.cisco.com/warp/public/cc/pd/si/casi/ca6000/tech/stake_wp.pdf
http://www.cisco.com/warp/public/473/103.html
http://monkey.org/~dugsong/dsniff/
http://www.sans.org/newlook/resources/IDFAQ/vlan.htm
http://www.ietf.org/rfc/rfc0826.txt
http://www.sans.org/newlook/resources/IDFAQ/switched_network.htm
http://www.cisco.com/warp/public/cc/pd/si/casi/ca6000/tech/c65sp_wp.htm
http://www.atstake.com/
Thank You