
Exploiting Layer 2


  1. Exploiting Layer 2
     By Balwant Rathore, Mahindra-British Telecom Ltd.
  2. Exploiting Layer 2
     • Exploiting VLANs by VLAN hopping
     • Exploiting the CAM table
     • Exploiting spanning tree
  3. Exploiting VLANs by VLAN Hopping
     • Refreshing VLANs
     • VLAN hopping attack
  4. Refreshing VLANs: What is a VLAN?
     A broadcast domain created by one or more switches.
  5. Why VLAN?
     Used to separate LANs logically in one or more switches.
  6. Benefits of VLANs
     • Broadcast control
       • Effective bandwidth utilisation
       • CPU utilisation
     • Good administrative control with an L3 device
       • Access control lists
       • Accounting
     • Easy movement
  7. MAC Address Table
     • Dynamic address: added by normal bridge/switch processing
     • Permanent address: added via configuration, no timeout
     • Restricted-static address: a MAC address configured only with a specific port
  8. Some facts about VLANs
     • The maximum number of VLANs depends on the switch model
     • VLAN 1 is also called the management VLAN
     • CDP and VTP advertisements are sent on VLAN 1
     • Creation, addition or deletion of VLANs is only possible in VTP server mode
     • A layer 3 device is required for inter-VLAN communication
  9. Trunk Port
  10. Trunk Port...
     • Trunk ports have access to all VLANs by default
     • Used to carry traffic for multiple VLANs across switches
     • Can use 802.1Q or ISL encapsulation
  11. VLAN Hopping Attack
     • Sample frame capture
     • Insert 802.1Q tag
     • 802.1Q frames into non-trunk ports
  12. VLAN Hopping Attack
     A host can spoof a switch by sending ISL- or 802.1Q-tagged frames.
  13. Step 1: Sample Frame Capture
     • Connect two PCs to the same VLAN of one switch
     • Send an ICMP echo message from PC1 to PC2
     • Capture it with Sniffer Pro on PC2
     • View the packets in raw hex
     • Start the packet generation component of Sniffer Pro
     • Enter the packet captured above (step 3)
     • Send the entered packet from PC1 to PC2
  14. Step 2: Insert 802.1Q Tag
     • Move PC2 to the trunk port (port 24) of the switch and start the sniffer software
     • Ping a non-existent IP address from PC1
     • Capture the ARP lookup on PC2
     • Move PC1 to a VLAN 2 port and repeat
     Frames from VLAN 1 and VLAN 2 will carry the tags 81 00 00 01 and 81 00 00 02 respectively.
  15. Step 3: 802.1Q Frames into Non-Trunk Ports
     • Put PC1 on VLAN 1 of switch one
     • Put PC2 on VLAN 1 of the second switch
     • Connect a trunk cable between them
     • Crafted packets from VLAN 1, VLAN 2 and VLAN 3 were delivered to their destination VLAN
  16. Step 4: VLAN Hopping
     • Connect PCs in different VLANs and in different switches
     • Change the VLAN IDs and send to as many combinations as possible
  17. In Different Switches
     Src VLAN | Dst VLAN | Tag ID | Success?
     1        | 2        | 2      | Yes
     1        | 3        | 3      | Yes
     2        | 1        | 1      | No
     3        | 2        | 3      | No
     3        | 1        | 1      | No
  18. In Same Switch
     Src VLAN | Dst VLAN | Tag ID | Success?
     1        | 2        | 2      | No
     1        | 3        | 3      | No
     2        | 1        | 1      | No
     3        | 2        | 3      | No
     3        | 1        | 1      | No
  19. Till today no proof-of-concept tool is available
     The attack is not easy; it requires the following:
     • Access to the native VLAN
     • The target machine is in a different switch
     • The attacker knows the MAC address of the target machine
     • Some layer 3 device for traffic from the target's VLAN back
  20. Safeguard
     • Never, never use VLAN 1
     • Always use a dedicated VLAN ID for all trunk ports
     • Disable unused ports and put them in an unused VLAN
     • Shut down DTP on all user ports
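The tag bytes on slide 14 (81 00 00 01) are the 802.1Q TPID 0x8100 followed by the Tag Control Information, whose low 12 bits are the VLAN ID. The parser below, an added Python example that is not part of the deck, decodes that tag and applies the two ingress checks slides 15 and 20 imply: a tagged frame arriving on an access port, and a VID a trunk was not configured to carry. The sample frames, the documentation MAC 00:00:5e:00:53:01 and the zero-filled ARP body are constructed test input.

```python
"""Decode 802.1Q tags and flag tagged frames on ports that should not accept them.
Added example with constructed frames; not the deck's or any vendor's code."""
import struct
from typing import Optional, Set

TPID_8021Q = 0x8100          # the "81 00" bytes on slide 14
ETHERTYPE_ARP = 0x0806


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_frame(frame: bytes) -> dict:
    """Return Ethernet II header fields; 'vlan' is None for an untagged frame.

    A single 802.1Q tag sits between the source MAC and the real EtherType:
    2 bytes TPID (0x8100) + 2 bytes TCI (3 bits PCP, 1 bit DEI, 12 bits VID).
    """
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet II header")
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vlan = pcp = None
    offset = 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        pcp = tci >> 13
        vlan = tci & 0x0FFF
        offset = 18
    return {
        "dst": mac_str(dst),
        "src": mac_str(src),
        "vlan": vlan,
        "pcp": pcp,
        "ethertype": ethertype,
        "payload": frame[offset:],
    }


def ingress_check(frame: bytes, port_mode: str, port_vlans: Set[int]) -> Optional[str]:
    """Return a reason if the frame should not be accepted on this port, else None.

    port_mode is "access" (port_vlans holds the access VLAN) or "trunk"
    (port_vlans holds the VLANs allowed on the trunk).
    """
    hdr = parse_frame(frame)
    if hdr["vlan"] is None:
        return None
    if port_mode == "access":
        return f"802.1Q tag (VID {hdr['vlan']}) received on an access port"
    if hdr["vlan"] not in port_vlans:
        return f"VID {hdr['vlan']} is not allowed on this trunk"
    return None


# Constructed samples: a broadcast ARP request from a documentation MAC,
# once tagged VLAN 1 as on slide 14 and once untagged. ARP body is zero-filled.
TAGGED_VLAN1 = bytes.fromhex("ffffffffffff" "00005e005301" "81000001" "0806") + bytes(28)
UNTAGGED = bytes.fromhex("ffffffffffff" "00005e005301" "0806") + bytes(28)

if __name__ == "__main__":
    print(TAGGED_VLAN1[12:16].hex(" "))            # 81 00 00 01
    print(parse_frame(TAGGED_VLAN1))
    print(ingress_check(TAGGED_VLAN1, "access", {1}))
    print(ingress_check(TAGGED_VLAN1, "trunk", {10, 20}))
```

Running the module prints the four tag bytes, the decoded header with VID 1 and EtherType 0x0806, and the two rejection reasons. A real switch performs the access-port check in hardware; the value of reproducing it in a monitor is that a capture on a span port showing tagged frames from a user-facing port is exactly the symptom of the experiment on slide 15.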
  21. Exploiting CAM Table
  22. CAM Table Review
     • Content Addressable Memory
     • Contains MAC address, port and associated VLAN
     • Has limited size
     • Normally a frame is delivered only to the device's own port if the device's entry is present in the CAM table
  23. macof
     Use macof from the dsniff suite to overflow the CAM table.
     Syntax:
     macof [-i interface] [-s src] [-d dst] [-e tha] [-x sport] [-y dport] [-n times]
     The -n option is very important for performing the exploit in a controlled environment.
     # sh cam count dynamic
     # total matching CAM entries = 131052
     As the CAM table is full, traffic floods to the other switch on the same VLAN.
  24. macof...
  25. macof...
     As you know, dsniff is developed for BSD, not for Linux. Its installation is a pain; refer to the following document for dsniff installation over Linux 8.0:
     http://groups.yahoo.com/group/PenTest/message/242
  26. Safeguard: Implement Port Security
     • Port security limits the MAC addresses on a port
     • port secure max-mac-count 3
     • On detection of an invalid MAC:
       • the switch can be configured to block only the invalid MAC
       • the switch can be configured to shut down the port
  27. Port Security
     • The restrict option may fail under macof load and disable the port; the shutdown option is more appropriate.
     • Consider the management puzzle and the performance hit.
     • Visit this for more detail on port security:
       www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/sw_7_3/confg_gd/sec_port.htm
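To make the mechanism on slides 22, 23 and 26 concrete, the following added Python model (not the deck's code, and not a switch implementation) keeps a CAM table of fixed capacity, floods unknown-unicast frames within a VLAN once learning fails, and applies a per-port MAC limit in the shutdown and restrict styles of slide 26. The port numbers, capacity of 8, the burst of 20 source MACs and the documentation MACs are all constructed values chosen to keep the run small; a real table holds tens of thousands of entries, which is why the `-n` count on slide 23 matters.

```python
"""Fixed-size CAM table with optional port security (added model, constructed input)."""
from collections import OrderedDict
from typing import Dict, List, Optional, Set, Tuple

BROADCAST = "ff:ff:ff:ff:ff:ff"


class CamTable:
    """Dynamic entries only: (vlan, mac) -> port, with a hard capacity."""

    def __init__(self, capacity: int) -> None:
        self.capacity = capacity
        self.entries: "OrderedDict[Tuple[int, str], int]" = OrderedDict()

    def learn(self, vlan: int, mac: str, port: int) -> bool:
        key = (vlan, mac)
        if key in self.entries:
            self.entries[key] = port
            return True
        if len(self.entries) >= self.capacity:
            return False                      # table full: the address is not learned
        self.entries[key] = port
        return True

    def lookup(self, vlan: int, mac: str) -> Optional[int]:
        return self.entries.get((vlan, mac))


class Switch:
    def __init__(self, port_vlans: Dict[int, int], cam_capacity: int,
                 max_mac_per_port: Optional[int] = None,
                 violation: str = "shutdown") -> None:
        self.port_vlans = port_vlans                 # port -> access VLAN
        self.cam = CamTable(cam_capacity)
        self.max_mac = max_mac_per_port              # None = port security off
        self.violation = violation                   # "shutdown" or "restrict"
        self.port_macs: Dict[int, Set[str]] = {p: set() for p in port_vlans}
        self.shutdown: Set[int] = set()
        self.events: List[str] = []

    def receive(self, in_port: int, src: str, dst: str) -> Set[int]:
        """Process one frame and return the set of ports it is sent out of."""
        if in_port in self.shutdown:
            return set()
        vlan = self.port_vlans[in_port]
        if self.max_mac is not None:                  # port security check
            seen = self.port_macs[in_port]
            if src not in seen and len(seen) >= self.max_mac:
                self.events.append(
                    f"port {in_port}: {src} exceeds max-mac-count {self.max_mac} ({self.violation})")
                if self.violation == "shutdown":
                    self.shutdown.add(in_port)
                return set()                          # frame from the offending MAC is dropped
            seen.add(src)
        self.cam.learn(vlan, src, in_port)
        out = None if dst == BROADCAST else self.cam.lookup(vlan, dst)
        if out is None:                               # unknown unicast or broadcast: flood the VLAN
            return {p for p, v in self.port_vlans.items()
                    if v == vlan and p != in_port and p not in self.shutdown}
        return {out}


def overflow_demo(port_security: bool, violation: str = "shutdown") -> Tuple[Set[int], bool]:
    """Port 1 floods MACs; host A on port 2 and host B on port 3 share VLAN 1.

    Returns (ports that receive A's frame to B, whether port 1 was shut down).
    """
    sw = Switch({1: 1, 2: 1, 3: 1, 4: 2}, cam_capacity=8,
                max_mac_per_port=3 if port_security else None, violation=violation)
    host_a, host_b = "00:00:5e:00:53:0a", "00:00:5e:00:53:0b"
    for i in range(20):                               # constructed burst of 20 distinct sources
        sw.receive(1, f"02:00:00:00:00:{i:02x}", BROADCAST)
    sw.receive(3, host_b, host_a)                     # B speaks so the switch could learn it
    egress = sw.receive(2, host_a, host_b)
    return egress, 1 in sw.shutdown


if __name__ == "__main__":
    print("no port security :", overflow_demo(False))         # ({1, 3}, False)
    print("shutdown         :", overflow_demo(True))          # ({3}, True)
    print("restrict         :", overflow_demo(True, "restrict"))  # ({3}, False)
```

Without port security the table fills with the flooder's addresses, B cannot be learned, and A's unicast to B is flooded to port 1 as well; with a limit of 3 the fourth address either shuts the port or is simply dropped, and A's frame reaches only port 3. The model's "restrict" is an idealised drop: the caveat on slide 27 is that a real restrict mode may not keep up under macof load, which is the author's reason for preferring shutdown.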
  28. Exploiting Address Resolution Protocol (ARP)
  29. Gratuitous ARP
     Used by hosts to announce their IP address. It is a broadcast packet like an ARP request.
  30. Gratuitous ARP
  31. Safeguard
     • Private VLANs provide protection against ARP attacks
     • ARPWatch is a freely available tool
     • Consider static ARP for critical static routers and hosts
     • Cisco is developing an ARP firewall
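The detection side of slide 31 comes down to what ARPWatch does: remember which MAC last claimed each IP address and alert when the pair changes. The added Python example below, which is neither ARPWatch's code nor part of the deck, parses RFC 826 Ethernet/IPv4 ARP packets, identifies gratuitous ARP by the sender and target IP being equal (the announcement on slide 29), and raises an alert when a known address moves to a new MAC. The three packets are constructed from hex, using the documentation range 192.0.2.0/24 and 00:00:5e:00:53:xx MACs.

```python
"""ARP parser with ARPWatch-style IP-to-MAC change detection (added example, constructed packets)."""
import struct
from typing import Dict, List, Optional

ARP_REQUEST, ARP_REPLY = 1, 2


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def parse_arp(pkt: bytes) -> dict:
    """Parse the ARP packet that follows the Ethernet header (RFC 826 layout)."""
    if len(pkt) < 28:
        raise ValueError("ARP packet too short")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", pkt[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return {
        "op": op,
        "sha": mac_str(pkt[8:14]),    # sender hardware address
        "spa": ip_str(pkt[14:18]),    # sender protocol address
        "tha": mac_str(pkt[18:24]),   # target hardware address
        "tpa": ip_str(pkt[24:28]),    # target protocol address
    }


def is_gratuitous(arp: dict) -> bool:
    """A host announcing itself sets the target IP to its own sender IP."""
    return arp["spa"] == arp["tpa"]


class ArpWatcher:
    """Track sender IP -> MAC and report changes, as ARPWatch does."""

    def __init__(self) -> None:
        self.table: Dict[str, str] = {}
        self.alerts: List[str] = []

    def observe(self, pkt: bytes) -> Optional[str]:
        arp = parse_arp(pkt)
        known = self.table.get(arp["spa"])
        if known is None:
            self.table[arp["spa"]] = arp["sha"]     # first sighting: just record it
            return None
        if known == arp["sha"]:
            return None
        kind = "gratuitous ARP" if is_gratuitous(arp) else ("reply" if arp["op"] == ARP_REPLY else "request")
        msg = f"changed ethernet address: {arp['spa']} {known} -> {arp['sha']} ({kind})"
        self.alerts.append(msg)
        self.table[arp["spa"]] = arp["sha"]         # follow the change so repeats are not re-alerted
        return msg


# Constructed packets (hex): header 0001 0800 06 04 + opcode, then sha, spa, tha, tpa.
ROUTER_REPLY = bytes.fromhex("0001080006040002" "00005e005301" "c0000201" "00005e005302" "c0000202")
HOST_REQUEST = bytes.fromhex("0001080006040001" "00005e005302" "c0000202" "000000000000" "c0000201")
CONFLICTING_GRATUITOUS = bytes.fromhex("0001080006040001" "00005e005399" "c0000201" "000000000000" "c0000201")

if __name__ == "__main__":
    w = ArpWatcher()
    for pkt in (ROUTER_REPLY, HOST_REQUEST, CONFLICTING_GRATUITOUS):
        print(parse_arp(pkt), "->", w.observe(pkt))
```

The first two packets populate the table silently; the third claims the router's address 192.0.2.1 from a different MAC and produces the alert. The watcher deliberately learns the new mapping after alerting, so a single change yields one message rather than one per packet; whether the new mapping is legitimate (a replaced router NIC) or not is the operator's call, which is why slide 31 pairs the tool with static ARP entries for critical hosts.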
  32. Exploiting Spanning Tree
  33. Exploiting Spanning Tree
     Send BPDUs using brconfig and make yourself the new root bridge.
  34. Exploiting Spanning Tree
  35. Exploiting Spanning Tree
  36. Exploiting Spanning Tree
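The root bridge election on slide 33 is decided by the bridge ID carried in configuration BPDUs: a 2-byte priority followed by the bridge MAC, lowest value wins. The added Python example below (not the deck's code, and not brconfig) parses the 35-byte IEEE 802.1D configuration BPDU and implements the two checks a switch operator would want: no BPDU should arrive on a user-facing port at all, and no BPDU should advertise a root better than the one the network was designed around. Cisco switches expose the equivalent checks as BPDU Guard and Root Guard, which the deck does not mention. The two BPDUs, port numbers and documentation MACs are constructed input.

```python
"""802.1D configuration BPDU parser plus root-bridge monitoring (added example, constructed BPDUs)."""
import struct
from typing import Optional, Set, Tuple

BridgeId = Tuple[int, str]       # (priority, MAC); the lower tuple wins the election


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_config_bpdu(bpdu: bytes) -> dict:
    """Parse the 35-byte configuration BPDU that follows the LLC header (DSAP/SSAP 0x42)."""
    if len(bpdu) < 35:
        raise ValueError("configuration BPDU is 35 bytes")
    proto, version, bpdu_type, flags = struct.unpack("!HBBB", bpdu[:5])
    if proto != 0 or bpdu_type != 0:
        raise ValueError("not an 802.1D configuration BPDU")
    root_prio, root_mac, root_cost, br_prio, br_mac = struct.unpack("!H6sIH6s", bpdu[5:25])
    port_id, msg_age, max_age, hello, fwd_delay = struct.unpack("!5H", bpdu[25:35])
    return {
        "version": version,
        "flags": flags,
        "root": (root_prio, mac_str(root_mac)),
        "root_cost": root_cost,
        "bridge": (br_prio, mac_str(br_mac)),
        "port_id": port_id,
        # timers are carried in units of 1/256 second
        "message_age": msg_age / 256,
        "max_age": max_age / 256,
        "hello": hello / 256,
        "forward_delay": fwd_delay / 256,
    }


class StpMonitor:
    """Alert on BPDUs seen on user ports and on BPDUs that claim a superior root."""

    def __init__(self, expected_root: BridgeId, user_ports: Set[int]) -> None:
        self.expected_root = expected_root
        self.user_ports = user_ports

    def observe(self, port: int, bpdu: bytes) -> Optional[str]:
        info = parse_config_bpdu(bpdu)
        if port in self.user_ports:
            return f"port {port}: BPDU from bridge {info['bridge']} on a user port"
        if info["root"] < self.expected_root:
            return (f"port {port}: superior BPDU claims root {info['root']}, "
                    f"expected {self.expected_root}")
        return None


# Constructed BPDUs: protocol 0000, version 00, type 00, flags 00, root ID,
# root path cost, bridge ID, port ID 8001, message age 0, max age 20 s,
# hello 2 s, forward delay 15 s (the 802.1D defaults, in 1/256 s units).
DESIGNED_ROOT: BridgeId = (32768, "00:00:5e:00:53:aa")
LEGIT_BPDU = bytes.fromhex("0000000000" "8000" "00005e0053aa" "00000000"
                           "8000" "00005e0053aa" "8001" "0000" "1400" "0200" "0f00")
SUPERIOR_BPDU = bytes.fromhex("0000000000" "0000" "00005e0053bb" "00000000"
                              "0000" "00005e0053bb" "8001" "0000" "1400" "0200" "0f00")

if __name__ == "__main__":
    mon = StpMonitor(DESIGNED_ROOT, user_ports={5})
    print(parse_config_bpdu(LEGIT_BPDU))
    print(mon.observe(24, LEGIT_BPDU))       # None: uplink port, expected root
    print(mon.observe(24, SUPERIOR_BPDU))    # superior root claim
    print(mon.observe(5, LEGIT_BPDU))        # any BPDU on a user port
```

The second BPDU carries priority 0 and so compares lower than the designed root's 32768, which is the whole mechanism behind the attack on slide 33; a monitor that knows the designed root ID catches it from the first frame, and the user-port rule catches it without knowing anything about the topology.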
  37. References
     http://www.cisco.com/go/safe/
     http://www.cisco.com/warp/public/cc/pd/si/casi/ca6000/tech/stake_wp.pdf
     http://www.cisco.com/warp/public/473/103.html
     http://monkey.org/~dugsong/dsniff/
     http://www.sans.org/newlook/resources/IDFAQ/vlan.htm
     http://www.ietf.org/rfc/rfc0826.txt
     http://www.sans.org/newlook/resources/IDFAQ/switched_network.htm
     http://www.cisco.com/warp/public/cc/pd/si/casi/ca6000/tech/c65sp_wp.htm
     http://www.atstake.com/
  38. Thank You
