I was reviewing some networking best practice documents a short while back, and when I got to the Layer 2 Security Section I started thinking…
[Begin inner monologue]
…. hmm… Layer 2 security, is it all hype? Could an attacker really implement these attacks?…. I could really go for some cake… I wonder how these attacks work… chocolate cake…. it might be fun to be the bad guy for a change….
[End inner monologue]
So after having a piece of cake or two, I sat down and started figuring out how to attack a network. Obviously, there are many different types of network attacks, varying in complexity, but I decided to focus on two of the ones that we all start learning about with our first Networking 101 Primer.
CAM Table Overflow attack – or how to turn your switch into a hub
The idea behind this attack is to overload the upstream switch, and cause it to spit every bit of traffic out all ports, instead of following the normal switching behavior of only sending traffic out the port where the intended destination exists. This attack works because every switch has a limited number of slots to store associations between MAC addresses and interfaces. If all these slots fill up, the switch is unable to learn the location of new MAC addresses, and floods traffic destined for those addresses out all interfaces.
Man In The Middle (MITM) – or how to play Toll Keeper on the Packet Highway
There are many flavors of a MITM attack, but the idea remains the same in them all. The attacker convinces a host to send outbound traffic to towards their computer instead of the real destination. The attacker then has some options on what to do with this power.
- Capture the traffic for analysis and then forward onto the destination
- eg. to steal usernames and passwords for later use
- Drop the traffic, preventing the victim from communicating on the network
- Make changes to the traffic before forwarding onto the destination
- eg. redirect the web requests for www.bigguns.com to www.tulips.com
- Or nearly anything nefarious minds can envision
Being a fine upstanding networking engineer, I’d heard about attacks, and attacker tools before, but I didn’t have any first hand experience to build from. So I did what any good nerd does, turned to the web. Some googling later, I realized there was WAY too much information available and I was suffering from overload. Not willing to give up the good fight, I turned to Twitter, and within moments had a couple of good suggestions for some tools to look at.
macof – You want address? I got addresses…
After seeing the suggestion of macof, I recalled that I’d seen it referred to several times when learning about port-security (hint… port-security prevents CAM Table Overflow attacks). The macof tool is a small and very simple utility that spits out random MAC addresses from the indicated network interface as fast as your computer can go. I found this to be a very effective tool for this attack.
First, lets take a look at my switches CAM Table Stats prior to letting Bad-Hank run wild.
SBH-SW2#show mac address-table count
Mac Entries for Vlan 1:
—————————
Dynamic Address Count : 5
Static Address Count : 0
Total Mac Addresses : 5
Mac Entries for Vlan 10:
—————————
Dynamic Address Count : 2
Static Address Count : 0
Total Mac Addresses : 2
Mac Entries for Vlan 11:
—————————
Dynamic Address Count : 1
Static Address Count : 0
Total Mac Addresses : 1
Mac Entries for Vlan 12:
—————————
Dynamic Address Count : 3
Static Address Count : 0
Total Mac Addresses : 3
Total Mac Address Space Available: 8155
SBH-SW2#
A couple of things to note from this output. First, this is a switch in a lab network, so there aren’t too many addresses in the table yet. A word of caution to anyone who wants to play with these tools, don’t do it on your live network. You could easily turn into a “real” attacker, and that would make a great story at your next job. Second, though this is a 24 port switch, it has space for over 8,000 addresses. This means that under normal operation, the switch shouldn’t have any problem with keeping track of all the hosts on the network.
Now, lets take a look from the Attacking computer. The goal of this attack is to be able to capture/sniff all network traffic on the local segment. To show that the switching network is working as expected pre-attack, that is the attacker can’t see other network traffic, I’ll run a tcpdump and look for traffic from my intended victim (10.133.12.101).
hapresto@SBH-PC2:~$ sudo tcpdump host 10.133.12.101
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
22:48:53.978868 ARP, Request who-has 10.133.12.1 tell 10.133.12.101, length 46
I had the above running while firing up a telnet session to a switch from 10.133.12.101. The only traffic that my attacker got to see is the ARP request sent from the victim looking for the default gateway.
Now, I’ll fire-up macof to get my switch as bloated as the Mississippi during raining season… both of which result in flooding 🙂
hapresto@SBH-PC2:~$ sudo macof -i eth0
78:28:e3:2f:6e:b4 6b:42:f9:62:cc:c2 0.0.0.0.21760 > 0.0.0.0.62882: S 1868209709:1868209709(0) win 512
6:c0:31:22:61:95 66:84:80:59:80:1d 0.0.0.0.59634 > 0.0.0.0.23252: S 739313207:739313207(0) win 512
93:4a:9c:66:87:ec 3e:ed:55:63:3f:a3 0.0.0.0.21726 > 0.0.0.0.5481: S 1451594923:1451594923(0) win 512
26:dd:3c:3c:ca:4e 70:81:8:65:f6:e9 0.0.0.0.3562 > 0.0.0.0.50920: S 1418194883:1418194883(0) win 512
.
.
.
Above is just a small sampling of the output that starts flying by the screen as my attacking terminal is ripping out the mac addresses towards the switch upstream. If we take a glimpse at the CAM Table Stats now, we’ll see something a little different.
SBH-SW2#show mac address-table count
Mac Entries for Vlan 1:
—————————
Dynamic Address Count : 1
Static Address Count : 0
Total Mac Addresses : 1
Mac Entries for Vlan 10:
—————————
Dynamic Address Count : 1
Static Address Count : 0
Total Mac Addresses : 1
Mac Entries for Vlan 11:
—————————
Dynamic Address Count : 1
Static Address Count : 0
Total Mac Addresses : 1
Mac Entries for Vlan 12:
—————————
Dynamic Address Count : 8163
Static Address Count : 0
Total Mac Addresses : 8163
Total Mac Address Space Available: 0
Now we see that the switch reports 0 free slots in the table, and 8163 addresses inside Vlan 12 (the VLAN my attacker and victim are sitting on).
And one last piece of output for this attack, the tcpdump that remained running while I fired off the attack.
23:14:21.356136 IP 10.192.81.76.58020 > 10.133.12.101.3389: Flags [P.], seq 221:233, ack 626, win 65535, options [nop,nop,TS val 565642190 ecr 873761], length 12
23:14:21.356283 IP 10.133.12.101.1073 > 10.100.0.1.23: Flags [P.], seq 4083277514:4083277516, ack 428233130, win 65361, length 2
23:14:21.356861 IP 10.100.0.1.23 > 10.133.12.101.1073: Flags [P.], seq 1:3, ack 2, win 4038, length 2
23:14:21.357081 IP 10.100.0.1.23 > 10.133.12.101.1073: Flags [P.], seq 3:17, ack 2, win 4038, length 14
23:14:21.357120 IP 10.133.12.101.1073 > 10.100.0.1.23: Flags [.], ack 17, win 65345, length 0
What this output shows, is that the Attacker now has visibility into the telnet traffic between the victim and the switch (as well as all other traffic on that VLAN. Though I’m only showing details from the packet headers, I have access to the full contents of the packets, providing all sorts possibilities for information gathering.
arp poisoning with ettercap
After doing some digging, and trying a few different hacking tools out, I found the ettercap application to be fairly versatile and easy to use. I won’t dive into all the features of ettercap here, but it offers the would-be attacker the ability to perform MITM attacks, dhcp attacks, CAM Overflows, real-time packet manipulation, and many others. For this example, I’m using what I found to be the most straightforward MITM attack, arp poisoning.
Though applications and users typically think of sending traffic on a network to an IP address, ethernet actually relies on MAC Addresses to forward the traffic between devices. The ARP protocol is how IP speaking hosts translate an IP address to a MAC Address. ARP Poisoning is a method of convincing a victim that the MAC address of their intended destination is that of the Attackers computer.
Ettercap offers several interfaces for working with the application ranging from pure CLI input to a full fledged GUI. I found that the Ncurses based command line GUI was the most useful for my work (started up with “ettercap -C”)
 Starting Ettercap |
 Scanning For Hosts |
The first steps to get going is to launch ettercap (ettercap -C) and choose Unified Sniffing (Unified means one interface, Bridged means two interfaces). That will bring you into the main application, where you’ll begin by scanning for hosts on the network.
 Host List |
 Select Targets |
Then you can view the hosts that were discovered and select your targets.
 ARP Poisoning |
 ARP Poison Parameters |
With the targets selected, we’ll want to start the ARP Poisoning MITM attack. We need to tell the ettercap to use the “remote” parameter. This indicates to ettercap that we want to process packets that are not directed to/from the local machine. This will be important later when we want to capture usernames/passwords entered on our Victim.
 Start Sniffing Traffic |
 Statistics |
We now need to tell ettercap to start sniffing the traffic seen on the network. We can also view the statistics on traffic seen/processed.
At this point, we can move onto the “Victim” computer and open start some telnet and ssh sessions to network devices.
 Telnet Passwords Exposed |
 Even SSH Isn't Safe |
As we can see here, ettercap automatically processes the packets seen on the network and displays in the output usernames and passwords for several common protocols, including telnet. We’ve long known that telnet was an insecure protocol for managing devices, but I know that many organizations continue to use it rather than move to SSH for management. However, as can be seen in the image above, even SSH isn’t safe. This is because SSHv1 has known vulnerabilities making it non-secure, and though most gear supports SSHv2 today, out of the box they will accept v1 or v2 connections. Ettercap comes with packet filters that will automatically modify any SSH traffic passing through a MITM attack to force SSH sessions to v1, enabling exploitation of the SSHv1 vulnerability. Of all the things I learned during this experiment, this was probably the biggest surprise and exposed a personal false sense of security I had from making sure I only use SSH to manage devices.
It is also good to mention you’ll also see SNMP community strings in the output. In addition to automatically displaying Telnet and SSH passwords to the attacker, SNMP, IMAP, HTTP, and many other credentials will automatically show up clear as day with little extra effort by the attacker.
Is all hope lost….
What I learned from this exercise, and what I hope readers will realize, is that integrating security into a network design end to end is important. Those Layer 2 Security Best Practices I mentioned at the start go a long way towards protecting a network from these and other types of attacks. In fact, look for a follow-up post showing how to mitigate these attacks though using technologies that are already present in most of our networks.
