Embed Size (px)
Citation preview
1SANS Technology Institute - Candidate for Master of Science Degree 1
Detecting and Responding to Data Link Layer Attacks With
Scapy
TJ OConnorSeptember 2011
GIAC (GSE, GSEC, GCFW, GCIA, GCIH, GCFA, GREM, GPEN, GWAPT, GCFE)
The Hotel Area Network Dilemma
• About 1 year ago, sitting in a hotel room in Washington D.C.– “Free” Wireless Internet starts working intermittently– Users start complaining of Facebook posts they
didn’t make
• Fire up IDS toolkit – IDS doesn’t see anything happening at Layer 3– IPS isn’t seeing any attacks against the hotel either
• What’s happening?– As incident responders, need the ability to quickly
write tools to parse data… in this case, Layer 2 traffic
SANS Technology Institute - Candidate for Master of Science Degree 2
SANS Technology Institute - Candidate for Master of Science Degree 3
Cam-Table Exhaustion Attack
• CAM Table maintains a list of switch ports and destination MAC addresses by port
• Overloading the switch with CAM Table entries results in overflowing memory. Switch no longer knows how to deliver based on MAC-port bindings
SANS Technology Institute - Candidate for Master of Science Degree 4
Cam-Table Exhaustion Attack
11
22
33
44
SANS Technology Institute - Candidate for Master of Science Degree 5
Arp Spoofing
• ARP translates layer 3 to layer 2 addresses
• Clients maintain their own ARP tables of these logical-to-physical bindings
• But anyone can broadcast a gratuitous ARP and client tables are updated
SANS Technology Institute - Candidate for Master of Science Degree 6
Arp Spoofing
11
22
33
44
SANS Technology Institute - Candidate for Master of Science Degree 7
DHCP Starvation Attack
• Dynamic IP addresses are leased from a DHCP server after a request by a client. The lease allows the client to use the specified address for a period of time.
• By sending 254 DHCP Requests, a DHCP starvation attack prevents any new clients from joining
SANS Technology Institute - Candidate for Master of Science Degree 8
DHCP Starvation Attack
11
22
33
44
SANS Technology Institute - Candidate for Master of Science Degree 9
CTS/RTS Wireless Attack
• Clear-to-send (CTS) and Ready-to-send (RTS) are layer 2 unencrypted/unauthenticated messages used to prevent wireless collisions
• Clients wishing to send traffic, transmit a RTS. If the medium is clear, destination responds with a CTS. Everybody else who hears the CTS- backs off.
SANS Technology Institute - Candidate for Master of Science Degree 10
CTS/RTS Wireless Attack
11
22
33
4141
SANS Technology Institute - Candidate for Master of Science Degree 11
Wireless Deauth Attack
• Clients authenticate themselves to access points prior to association with the network
• Authentication typically occurs over unencrypted layer 2 management frames
• De-authentication also occurs over unencrypted layer 2 management frames
• Tools such as aircrack-NG can spoof a de-authentication
SANS Technology Institute - Candidate for Master of Science Degree 12
Wireless Deauth Attack
11
22
33
44
SANS Technology Institute - Candidate for Master of Science Degree 13
Fake Access Point Attack
• Wireless access points are advertised over an 802.11 beacon frame
• Clients use the information in the 802.11 beacon frame to connect to the wireless AP
• Anyone can broadcast an 802.11 beacon, impersonating a network
• Combined with tools like karmetasploit, an attacker can instantly attack a client that joins a fake AP.
SANS Technology Institute - Candidate for Master of Science Degree 14
Fake Access Point Attack
11
22
33
44
55
SANS Technology Institute - Candidate for Master of Science Degree 15
Conclusions
• Layer two attacks still present a threat to modern networks
• Typically these threats go unnoticed by intrusion detection systems
• Scapy and a little creativity can be used to automate detecting layer two attacks
• For more information, see “Detecting and Responding to Data Link Layer Attacks” published in SANS GCIA Reading Room
