Presentation is loading. Please wait.

Presentation is loading. Please wait.

Exploiting Layer 2 By Balwant Rathore.

Published byMark Richard Modified over 6 years ago

Similar presentations

Presentation on theme: "Exploiting Layer 2 By Balwant Rathore."— Presentation transcript:

1 Exploiting Layer 2 By Balwant Rathore

2 Exploiting Layer 2 Exploiting VLANs by VLAN Hopping
Exploiting CAM Table Attack Exploiting Spanning Tree Attack

3 Exploiting VLANs by VLAN Hopping
Refreshing VLANs VLAN Hopping Attack

4 What is VLAN? A broadcast domain created by one or more switches.
Refreshing VLANs What is VLAN? A broadcast domain created by one or more switches.

5 Used to separate LANs logically in one or more switches.
Why VLAN? Used to separate LANs logically in one or more switches.

6 Benefits of VLANs? Broadcast control Effective Bandwidth Utilisation
CPU Utilisation Good Administrative Control with L3 device Access Control List Accounting Easy Movement

7 MAC Address Table Dynamic Address: Added by normal bridge/switch processing Permanent Address: Added via configuration, no time out Restricted-Static Address: A MAC address would be configured only with specific port.

8 Some facts about VLAN Max VLAN limit depends on switch model.
VLAN1 is also called management VLAN CDP and VTP Adviserment are sent on VLAN1 Creation, Addition, or Deletion of VLANs is only possible in VTP server mode A layer 3 device is required for Inter VLAN communication

9 Trunk Port

10 Trunk Port... Trunk Ports has access to all VLAN by default
Used to route traffic for multiple VLANs across switches It can use 802.1Q or ISL encapsulation

11 VLAN Hopping Attack Sample Frame Capture Insert 802.1q tag
802.1q Frames into non-trunk ports

12 A host can spoof as a switch with ISL or 802.1Q tag
VLAN Hopping Attack A host can spoof as a switch with ISL or 802.1Q tag

13 Step1: Sample Frame Capture
Connect two PCs in the same VLAN of one switch. Send ICMP echo message from PC1 to PC2 Capture this with Sniffer Pro on PC 2 View packets in raw hex Start Packet generation component of sniffer pro Enter above captured packet in step 3 Send entered packet from PC1 to PC 2

14 VLAN1 and VLAN2 will have 81 00 00 01 and 81 00 00 02 tag respectively
Step2: Insert 802.1q tag Shift PC2 on trunk port (port 24) of switch and start Sniffer software Ping non-existent IP address from PC1 Capture ARP lookup on PC2 Shift PC1 on VLAN 2 port and repeat it VLAN1 and VLAN2 will have and tag respectively

15 Step3: 802.1q Frames into non-trunk ports
Put PC1 on VLAN 1 switch one Put PC2 on VLAN1 of second switch Connect trunk cable between them Crafted packet from VLAN1, VLAN2 and VLAN3 was delivered to their destination VLAN

16 Step4: VLAN Hopping Connect PCs in different VLANs and in different switches Change VLAN IDs and send it to as many combinations as possible

17 In Different Switches Src VLAN | Dst VLAN | Tag ID Success? 1 2 2 Yes
No No No

18 In Same Switch Src VLAN | Dst VLAN | Tag ID Success? 1 2 2 No 1 3 3 No

19 Till today no proof of concept Tool Available
Attack is not easy, require followings: Access to native VLAN Target machine is in different switch Attacker knows MAC address of the target machine Some layer 3 device for traffic from targets VLAN to back.

20 Safeguard Never, Never use VLAN 1
Always use a dedicated VLAN ID for all trunk ports Disable unused ports and put them in an unused VLAN Shutdown DTP on all user ports

21 Exploiting CAM Table

22 CAM Table Review Content Addressable Memory
Contain MAC Address, Port and associated VLAN Have limited size Normally broadcast is limited to device port itself if the device entry is present in CAM table.

23 As CAM table is full, traffic floods to other switch on same VLAN
macof Use macof from Dsniff suit to overflow CAM Table Syntax Macof [-I interface] [-s src] [-d dst] [-e tha] [-x sport] [-y dport] [-n times] -n option is very important to perform exploit in control environment # sh cam count dynamic # total matching CAM entries = As CAM table is full, traffic floods to other switch on same VLAN

24 macof...

25 macof... As you know dsniff is developed for BSD not for linux
It’s Installation is a pain, refer following document for Dsniff Installation over Linux 8.0

26 Safeguard Implement Port Security
Port Security Limits MAC addresses to a port. port secure max-mac-count 3 On detection of invalid MAC switch can be configured to block only invalid MAC Switch can be configured to shutdown the port

27 Port Security Restrict option may fail under macof load and disable the port, shutdown option is more appropriate. Consider management puzzle and performance hit Visit this for more detail on Port Security… lan/cat6000/sw_7_3/confg_gd/sec_port.htm - 34k

28 Exploiting Address Resolution Protocol (ARP)

29 Gratuitous ARP Is used by host to announce their IP address
It's a broadcast packet like an ARP request

30 Gratuitous ARP

31 Safeguard Private VLANs provides protection against ARP attacks.
ARPWatch is a freely available tool Consider static ARP for critical static routers and hosts Cisco is under development of an ARP firewall

32 Exploiting Spanning Tree

33 Exploiting Spanning Tree
Send BPDUs using brconfig and make yourself new Root Bridge.

34 Exploiting Spanning Tree

35 Exploiting Spanning Tree

36 Exploiting Spanning Tree

37 References

38 Thank You

Download ppt "Exploiting Layer 2 By Balwant Rathore."

Similar presentations

Mitigating Layer 2 Attacks

Mitigating Layer 2 Attacks
© 2006 Cisco Systems, Inc. All rights reserved. ICND v2.3—2-1 Extending Switched Networks with Virtual LANs Introducing VLAN Operations.

© 2006 Cisco Systems, Inc. All rights reserved. ICND v2.3—2-1 Extending Switched Networks with Virtual LANs Introducing VLAN Operations.
© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 3: VLANs Routing & Switching.

© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 3: VLANs Routing & Switching.
© 2006 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Common Layer 2 Attacks and Countermeasures.

© 2006 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Common Layer 2 Attacks and Countermeasures.
Virtual LANs.

Virtual LANs.
Switching Topic 4 Inter-VLAN routing. Agenda Routing process Routing VLANs – Traditional model – Router-on-a-stick – Multilayer switches EtherChannel.

Switching Topic 4 Inter-VLAN routing. Agenda Routing process Routing VLANs – Traditional model – Router-on-a-stick – Multilayer switches EtherChannel.
Cisco 3 - Switch Perrine. J Page 15/8/2015 Chapter 8 What happens to the member ports of a VLAN when the VLAN is deleted? 1.They become inactive. 2.They.

Cisco 3 - Switch Perrine. J Page 15/8/2015 Chapter 8 What happens to the member ports of a VLAN when the VLAN is deleted? 1.They become inactive. 2.They.
© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 5: Inter-VLAN Routing Routing & Switching.

© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 5: Inter-VLAN Routing Routing & Switching.
1 © 2005 Cisco Systems, Inc. All rights reserved. 111 © 2004, Cisco Systems, Inc. All rights reserved.

1 © 2005 Cisco Systems, Inc. All rights reserved. 111 © 2004, Cisco Systems, Inc. All rights reserved.
VLANs- Chapter 3 CCNA Exploration Semester 3 Modified by Profs. Ward

VLANs- Chapter 3 CCNA Exploration Semester 3 Modified by Profs. Ward
Layer 2: Redundancy and High Availability Part 1: General Overview on Assignment 1.

Layer 2: Redundancy and High Availability Part 1: General Overview on Assignment 1.
(part 3).  Switches, also known as switching hubs, have become an increasingly important part of our networking today, because when working with hubs,

(part 3).  Switches, also known as switching hubs, have become an increasingly important part of our networking today, because when working with hubs,
Introduction to InfoSec – Recitation 12 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)

Introduction to InfoSec – Recitation 12 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)
Layer 2 Security – No Longer Ignored Security Possibilities at Layer 2 Allan Alton, BSc CISA CISSP NetAnalyst UBC October 18, 2007.

Layer 2 Security – No Longer Ignored Security Possibilities at Layer 2 Allan Alton, BSc CISA CISSP NetAnalyst UBC October 18, 2007.
Virtual LANs. VLAN introduction VLANs logically segment switched networks based on the functions, project teams, or applications of the organization regardless.

Virtual LANs. VLAN introduction VLANs logically segment switched networks based on the functions, project teams, or applications of the organization regardless.
We will be covering VLANs this week. In addition we will do a practical involving setting up a router and how to create a VLAN.

We will be covering VLANs this week. In addition we will do a practical involving setting up a router and how to create a VLAN.
Chapter 4: Managing LAN Traffic

Chapter 4: Managing LAN Traffic
© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 3: Implementing VLAN Security Routing And Switching.

© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 3: Implementing VLAN Security Routing And Switching.
– Chapter 5 – Secure LAN Switching

– Chapter 5 – Secure LAN Switching
CCNA Guide to Cisco Networking Fundamentals Fourth Edition

CCNA Guide to Cisco Networking Fundamentals Fourth Edition

Similar presentations

Ads by Google