Switched into Shared in one easy step - PowerPoint PPT Presentation

About This Presentation
Title:

Switched into Shared in one easy step

Description:

Switched into Shared. in one easy step. Kevin Sheldrake. Switched into Shared in one easy step ... Sends and receives packets to convert IP addresses into MAC ... – PowerPoint PPT presentation

Slides: 30
Provided by: kevinsh5

Transcript and Presenter's Notes

1
Switched into Shared in one easy step
Kevin Sheldrake
2
Switched into Shared in one easy step
  • Quick overview of TCP/IP technology
  • Purpose
  • Why not Ettercap / ArpSpoof?
  • How
  • Usage
  • Related Projects
  • Possible Countermeasures
  • Summary

3
Quick overview of TCP/IP technology 1
  • Host identification
    • Application layer > Hostnames
    • Network layer > IP addresses
    • Data Link layer > MAC addresses
  • ARP
    • Address Resolution Protocol
    • Sends and receives packets to convert IP
      addresses into MAC addresses
    • At the Data Link layer all host identification is
      by MAC address

4
Quick overview of TCP/IP technology 2
  • MAC addresses can be forged
  • ARP packets can be forged
  • Within TCP/IP ARP packets are trusted

5
Hubs, switches, and routers
  • Hubs operate at the Physical layer
    • can be sniffed by a NIC in promiscuous mode
  • Switches operate at the Data Link layer
    • know which MAC addresses are on which port
    • direct packets based on destination MAC address
    • can only sniff packets sent down your port
  • Routers operate at the Network layer
    • know which IP addresses are on which port
    • direct packets based on destination IP address
    • not covered in this presentation...

6
Purpose
  • Cannot normally sniff on a switched network
  • Attacking switches directly is unreliable
    • different makes exhibit different vulnerabilities
    • different switches respond differently to ARP
      storms
    • large scale networks may consist of many switches
  • Don't attack switches directly
  • Attack the vulnerability in TCP/IP through ARP
    Poisoning
  • Do not rely on implementation errors

7
Why not Ettercap / ArpSpoof?
  • Ettercap performs ARP Poisoning on a one-to-one
    or one-to-many basis
  • ArpSpoof similarly works on a one-to-one or
    one-to-all basis
  • To sniff effectively, we need many-to-many
  • Ettercap exhibits a nasty user interface and/or
    complex command-line options
  • ArpSpoof requires a separate relay process
  • We want a simple tool to do a simple job

8
How - ARP
  • Address Resolution Protocol
  • Each host maintains an ARP cache for hosts it has
    had dealings with
  • Performs IP address to MAC address lookup in its
    ARP cache
  • Sends ARP requests for hosts it does not hold a
    MAC address for
  • Records latest ARP reply for hosts it has an
    entry for
  • ARP cache entries age and die over time
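The cache behaviour this slide describes (look up the cache, send a request on a miss, latest reply wins for a host that already has an entry, entries age out) as a small simulation. This is an added example written for this page, not code from the brian project; the 60-second ageing time and the rule that an unsolicited reply is only accepted for an IP that already has an entry are assumptions taken from the slide's wording, and real stacks differ in the details.

```python
"""Simplified model of a host's ARP cache, following the behaviour the slide
describes: look up the cache, send a request on a miss, record the latest
reply for a host that already has an entry, and age entries out.
Added example for this page; not code from the brian project."""
from dataclasses import dataclass, field


@dataclass
class ArpEntry:
    mac: str
    updated_at: float  # time of the reply that last refreshed this entry


@dataclass
class ArpCache:
    ttl: float = 60.0                                  # assumed ageing time in seconds
    entries: dict = field(default_factory=dict)        # ip -> ArpEntry
    pending: set = field(default_factory=set)          # ips we have a request out for
    requests_sent: list = field(default_factory=list)  # stands in for transmitting requests

    def expire(self, now: float) -> list:
        """Drop entries older than ttl; return the ips that aged out."""
        dead = [ip for ip, e in self.entries.items() if now - e.updated_at > self.ttl]
        for ip in dead:
            del self.entries[ip]
        return dead

    def lookup(self, ip: str, now: float):
        """Return the cached MAC, or None after queuing an ARP request."""
        self.expire(now)
        entry = self.entries.get(ip)
        if entry is not None:
            return entry.mac
        if ip not in self.pending:
            self.pending.add(ip)
            self.requests_sent.append(ip)
        return None

    def on_reply(self, sender_ip: str, sender_mac: str, now: float) -> bool:
        """Handle an ARP reply; return True if the cache changed."""
        self.expire(now)
        if sender_ip in self.pending:
            self.pending.discard(sender_ip)       # answer to our own request
        elif sender_ip not in self.entries:
            return False                           # unsolicited reply for an unknown host: ignored
        self.entries[sender_ip] = ArpEntry(sender_mac, now)  # latest reply wins
        return True


def demo() -> dict:
    """Walk the cache through the cases the slide lists and report what it held."""
    cache = ArpCache(ttl=60.0)
    seen = {}
    seen["miss"] = cache.lookup("192.168.0.1", 0.0)            # None: a request goes out
    cache.on_reply("192.168.0.1", "00:11:22:33:44:01", 0.1)     # answer to our request
    seen["learned"] = cache.lookup("192.168.0.1", 0.2)
    # Unsolicited reply for a host we do not know: the model ignores it.
    seen["unknown_accepted"] = cache.on_reply("192.168.0.9", "00:11:22:33:44:09", 0.3)
    # Unsolicited reply from another station for a host we already hold: latest reply wins.
    seen["known_updated"] = cache.on_reply("192.168.0.1", "de:ad:be:ef:00:01", 0.4)
    seen["after_update"] = cache.lookup("192.168.0.1", 0.5)
    # After ttl seconds without a refresh the entry ages out and a lookup misses again.
    seen["after_ageing"] = cache.lookup("192.168.0.1", 61.0)
    seen["requests"] = list(cache.requests_sent)
    return seen


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The `known_updated` step is the whole point of the slide: a host that already holds an entry accepts whatever reply arrives last, with no check that it came from the station it previously learned. The `unknown_accepted` step shows why the next slide's procedure first arranges for an entry to exist before sending the spoofed replies.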

9
How - ARP
[diagram slide: text not recoverable]
10
How - ARP
[diagram slide: only the label "SvrSMAC" survives]
11
How - ARP
[diagram slide: only the label "SvrSMAC" survives]
How - ARP Poisoning
  • For all hosts we are interested in:
    • Send ARP requests to all hosts and record their
      responses (create a table of IP address to MAC
      address)
    • Send spoofed packets between hosts (ICMP Echo
      Request) to gain an entry in their ARP caches
      (MAC address spoofing)
    • Continuously send spoofed ARP Replies to all
      hosts claiming to be all other hosts (ARP
      Poisoning)
    • Hosts will send packets for all other hosts to my
      MAC address (hence getting them onto my switched
      segment)
    • Relay packets by replacing the destination MAC
      address (my MAC address) with the correct MAC
      address (from my table) and re-send.

13
How - ARP Poisoning
[diagram slide: text not recoverable]
14
How - ARP Poisoning
[diagram slide: text not recoverable]
15
How - ARP Poisoning
[diagram slide: only the label "SvrSMAC" survives]
16
How - ARP Poisoning
[diagram slide: only the label "SvrSMAC" survives]
17
How - ARP Poisoning
[diagram slide: only the label "SvrSMAC" survives]
18
How - ARP Poisoning
[diagram slide: only the label "SvrLMAC" survives]
How - Program Design
  • brian
    • He's not the Messiah, he's a very naughty man!
  • Uses Libnet for packet creation
  • Uses Libpcap for packet capture
  • Uses threads to perform ARP Poisoning and Packet
    Relay in parallel
  • Written in C for Red Hat 8 (but should work on
    most Linux distributions - could even be ported
    to Windoze!)

20
How - Program Design
[diagram slide: text not recoverable]
Usage - Normal Modes
  • List mode
    • brian -l 192.168.0.1-10,192.168.0.200-254
    • Sends ARP Requests to the specified IP addresses
      and displays reachable hosts with MAC addresses
  • Preach mode
    • brian -p 192.168.0.1-10,192.168.0.200-254 -g
      192.168.0.1
    • ARP poisons the specified IP addresses and relays
      packets. The -g option specifies the gateway to
      other subnets, including the internet
  • Set your Ethereal filter to ether src <your MAC>

22
Usage - Options
  • -i interface
    • Specifies which interface to use (defaults to
      first non-loopback interface)
  • -t timeout
    • Time to wait after sending an ARP request before
      deciding a host is dead (default 2 seconds)
  • -w wait
    • Time to wait between repeating sending the set of
      ARP replies (default 5000ms)

23
Usage - Options
  • -r pause
    • Time to pause between sending each ARP reply
      (default 10ms)
  • -d
    • Specifies Denial-Of-Service, i.e. don't relay
    • This is just to demonstrate how easy it is to DoS
      a network without sending any particularly nasty
      packets
    • ARP Poisoning without relaying sends all packets
      down a black hole...

24
Usage - Benefits
  • Allows sniffing of a number of hosts on a
    switched network as if they were on a shared
    network
  • Inclusion of the gateway allows the sniffing
    to include packets destined for other networks
  • In simple networks (i.e. one gateway), network
    operation should not be greatly affected
  • Allows sniffing of hosts on the same subnet but
    separated by a number of switches
  • Warning: Preaching to a large number of hosts may
    trash the network!

25
Related Projects
  • Router Masquerade (RMX)
    • Designed to intercept and modify interesting
      packets
    • Default action is to relay (as in brian)
    • Interesting packets are referred to the
      application layer for modification
    • Used for man-in-the-middle attacks
    • Used to provide different pages to internet web
      requests
    • Used to decode and log interesting information
  • Covert Masquerade (CMX)
    • Not ARP Poisoning - only for shared bearers
    • Uses ICMP Unreachable messages to collapse and
      take over a connection

26
Possible Countermeasures
  • Static ARP
    • Difficult to manage
  • ARP Watch (or Host IDS)
    • Watches changes to the ARP cache and reports
      anomalies
    • Requires active monitoring and action
  • Network IDS
    • Will generally (incorrectly) spot the ARP
      Poisoning as an ARP Storm
    • Must be on the SPAN port of the attacker's switch
      to see the volume of ARPs (esp. with timing
      options)

27
Possible Countermeasures cont...
  • Authenticated ARP
    • Could use certificates embedded into the operating
      system
    • Requires a rewrite and cross-platform deployment
  • IPSEC
    • Spoofing still possible but at least packets are
      encrypted
  • IPv6 ICMPv6
    • Uses IPSEC-like Authentication Header
    • Neighbour Solicitation / Neighbour Advertisement
      messages likely to occur before encryption is
      established
    • Unlikely to provide authentication for these
      messages...

28
Summary
  • brian - ARP Poisoning and relaying made easy
  • Turn switched networks into shared networks
  • Cannot be easily prevented
  • Can be detected but requires active monitoring
  • Encryption can protect packet content
  • ARP / ICMPv6 authentication unlikely
  • Denial-Of-Service is a big problem

29
References
  • Ettercap
    • http://ettercap.sourceforge.net
  • ArpSpoof
    • http://naughty.monkey.org/dugsong/dsniff/
  • Address Resolution Protocol
    • RFC1027
  • Ethereal
    • http://www.ethereal.com
  • libnet
    • http://www.packetfactory.net/libnet/
  • libpcap
    • http://www.tcpdump.org
  • Life of Brian
    • http://www.mwscomp.com/movies/brian/brian-19.htm