Exploiting Layer 2

Exploiting Layer 2
By Balwant Rathore

Mahindra-British Telecom Ltd.

Exploiting Layer 2

•Exploiting VLANs by VLAN Hopping
•Exploiting CAM Table Attack
•Exploiting Spanning Tree Attack


Exploiting VLANs by VLAN
Hopping

•Refreshing VLANs
•VLAN Hopping Attack


Refreshing VLANs

What is VLAN?

A broadcast domain created by one or more switches.


Why VLAN?

Used to separate LANs logically in one or more switches.


Benefits of VLANs?
•Broadcast control
•Effective Bandwidth Utilisation
•CPU Utilisation
•Good Administrative Control with L3 device
•Access Control List
•Accounting
•Easy Movement


MAC Address Table
•Dynamic Address: Added by normal bridge/switch
processing
•Permanent Address: Added via configuration, no time
out
•Restricted-Static Address: A MAC address would be
configured only with specific port.


Some facts about VLAN

•Max VLAN limit depends on switch model.
•VLAN1 is also called management VLAN
•CDP and VTP Adviserment are sent on VLAN1
•Creation, Addition, or Deletion of VLANs is only
possible in VTP server mode
•A layer 3 device is required for Inter VLAN
communication


Trunk Port


Trunk Port...

•Trunk Ports has access to all VLAN by default
•Used to route traffic for multiple VLANs across switches
•It can use 802.1Q or ISL encapsulation


VLAN Hopping Attack

•Sample Frame Capture
•Insert 802.1q tag
•802.1q Frames into non-trunk ports


VLAN Hopping Attack

A host can spoof as a switch with ISL or 802.1Q tag


Step1: Sample Frame Capture
•Connect two PCs in the same VLAN of one switch.
•Send ICMP echo message from PC1 to PC2
•Capture this with Sniffer Pro on PC 2
•View packets in raw hex
•Start Packet generation component of sniffer pro
•Enter above captured packet in step 3
•Send entered packet from PC1 to PC 2


Step2: Insert 802.1q tag
•Shift PC2 on trunk port (port 24) of switch and start
Sniffer software
•Ping non-existent IP address from PC1
•Capture ARP lookup on PC2
•Shift PC1 on VLAN 2 port and repeat it
VLAN1 and VLAN2 will have 81 00 00 01 and 81 00 00
02 tag respectively


Step3: 802.1q Frames into non-
trunk ports
•Put PC1 on VLAN 1 switch one
•Put PC2 on VLAN1 of second switch
•Connect trunk cable between them
•Crafted packet from VLAN1, VLAN2 and VLAN3 was
delivered to their destination VLAN


Step4: VLAN Hopping
•Connect PCs in different VLANs and in different
switches
•Change VLAN IDs and send it to as many combinations
as possible


In Different Switches

Src VLAN | Dst VLAN | Tag ID Success?
1 2 2 Yes
1 3 3 Yes
2 1 1 No
3 2 3 No
3 1 1 No


In Same Switch

Src VLAN | Dst VLAN | Tag ID Success?
1 2 2 No
1 3 3 No
2 1 1 No
3 2 3 No
3 1 1 No


Till today no proof of concept
Tool Available
•Attack is not easy, require followings:
•Access to native VLAN
•Target machine is in different switch
•Attacker knows MAC address of the target machine
•Some layer 3 device for traffic from targets VLAN to
back.


Safeguard
•Never, Never use VLAN 1
•Always use a dedicated VLAN ID for all trunk ports
•Disable unused ports and put them in an unused
VLAN
•Shutdown DTP on all user ports


Exploiting CAM Table


CAM Table Review
•Content Addressable Memory
•Contain MAC Address, Port and associated VLAN
•Have limited size
•Normally broadcast is limited to device port itself if the
device entry is present in CAM table.


macof
Use macof from Dsniff suit to overflow CAM Table
Syntax
Macof [-I interface] [-s src] [-d dst] [-e tha] [-x sport] [-y
dport] [-n times]
-n option is very important to perform exploit in control
environment
# sh cam count dynamic
# total matching CAM entries = 131052
As CAM table is full, traffic floods to other switch on
same VLAN


macof...


macof...
As you know dsniff is developed for BSD not for
linux
It’s Installation is a pain, refer following
document for Dsniff Installation over Linux 8.0
http://groups.yahoo.com/group/PenTest/messag
e/242


Safeguard
Implement Port Security
•Port Security Limits MAC addresses to a port.
•port secure max-mac-count 3
•On detection of invalid MAC

•switch can be configured to block only invalid
MAC
•Switch can be configured to shutdown the port


Port Security
•Restrict option may fail under macof load and disable
the port, shutdown option is more appropriate.
•Consider management puzzle and performance hit
•Visit this for more detail on Port Security…
www.cisco.com/univercd/cc/td/doc/product/
lan/cat6000/sw_7_3/confg_gd/sec_port.htm - 34k


Exploiting Address Resolution
Protocol (ARP)


Gratuitous ARP

Is used by host to announce their IP address
It's a broadcast packet like an ARP request


Gratuitous ARP


Safeguard

•Private VLANs provides protection against ARP attacks.
•ARPWatch is a freely available tool
•Consider static ARP for critical static routers and hosts
•Cisco is under development of an ARP firewall


Exploiting Spanning Tree


Exploiting Spanning Tree

Send BPDUs using brconfig and make yourself
new Root Bridge.


References
.http://www.cisco.com/go/safe/
.http://www.cisco.com/warp/public/cc/pd/si/casi/ca6000/tech/stake_wp.pdf
.http://www.cisco.com/warp/public/473/103.html
.http://monkey.org/~dugsong/dsniff/
.http://www.sans.org/newlook/resources/IDFAQ/vlan.htm
.http://www.ietf.org/rfc/rfc0826.txt
.http://www.sans.org/newlook/resources/IDFAQ/switched_network.htm
.http://www.cisco.com/warp/public/cc/pd/si/casi/ca6000/tech/c65sp_wp.htm

.http://www.atstake.com/


Thank You


Exploiting Layer 2

Recommended

Recommended

More Related Content

What's hot

What's hot (19)

Similar to Exploiting Layer 2

Similar to Exploiting Layer 2 (20)

More from Conferencias FIST

More from Conferencias FIST (20)

Recently uploaded

Recently uploaded (20)

Exploiting Layer 2