sniffing Sniffing attacks overview Version: 1.0.2 On this page
Sniffing attacks overview MAC floodingβ MAC address is a unique identifier of a network node. E.g. 52:54:00:e5:83:bbFirst three sets (52:54:00): Manufacturers signature Last three sets is set in different ways depending on manufacturers Embedded in the device (firmware or some read-only part of the device) In a network, each device has its own MAC addressAssociates the device with a physical port π€ If your MAC address is logged, police can use it to contact the manufacturer to ask who purchased the device.Difficult to trace it if it was paid by cash. π‘π€ You may have free WiFi forever if you can change your MAC address.Usually checked in public places e.g. in an airport when they give you free WiFi. Content Addressable Memory (CAM) tableβ Used by switches Stores all available MAC addresses and their virtual LAN parameters for each port. Possible to sniff by flooding it. MAC flooding attackβ Flooding the switch with thousands of MAC address mappings such that it cannot keep up.When the table can't keep up it starts sending every message out to every port. I.e. switch is forced to behave as a hub. Allowed by the fixed size of the CAM table. Steps:Send large number of fake MAC addresses to the switch until CAM table becomes full Switch enters fail-open modewhere it broadcasts the incoming traffic to all ports on the network Attacker (with promiscuous mode) starts sniffing the traffic passing through the network. Can be followed up using ARP spoofing to retain access to data after switches recover. See also MAC spoofing DHCP attacksβ DHCP introductionβ DHCP: Dynamic Host Configuration Protocol Client/server protocol Used by routers as they start a DHCP server Server provides following to DHCP-enabled clients:IP addresses Configuration information Time period of the lease offer A possible way to drop connection of others in network is to brute-force DHCP server with "returning lease" messages.It'll force everybody to lose connection and request IP addresses again DHCP snoopingβ Layer 2 security feature Built into operating system of a capable network switches Filters, rate-limits suspicious DHCP traffic Builds and maintains the DHCP snooping binding database Also known as DHCP snooping binding table Stores MAC + assigned IP + VLAN and switch ports Uses to validate subsequent requests from untrusted hosts. π Dynamic ARP Inspection (DAI) Defense against too many incoming ARP broadcasts. Each port on VLAN is untrusted by default Each IP to MAC conversion is validated using DHCP snooping binding database. DHCP starvationβ Exhaust all available addresses from the server Exploits that DHCP has a limited number of ip addresses to lease. A type of Denial of Service attack FlowStarve it, and no new clients will be able to connectAttacker broadcasts large number of DHCP REQUEST messages with spoofed source MAC addresses. Available IP addresses in the DHCP server scope becomes depleted. DHCP server becomes unable to allocate configurations to new clients and issue any IP addresses Set-up rogue (fake server) to respond to the discovery requestsAttacker sets up a rogue DHCP server to respond to DHCP discovery requests. If a client accepts the rogue server as its DHCP server, then the attacker can listen to all traffic going from or to the client. Tools DHCP starvation countermeasuresβ Authentication Configure DHCP snooping Trusted sourcesβVulnerable to mimicing them Port securityβ Allows traffic from a specific MAC address to enter to a port Only allowing one MAC through a port Only one IP at a time can be requested β Vulnerable to spoofing MAC addresses DNS poisoningβ DNS introductionβ Domain Name Server π Protocol that resolves domain names into IP addresses using default port 53. Stores domain name and IP address pairs in a DNS table . DNS poisoning attackβ π Also known as DNS cache poisoning and DNS spoofing π Manipulating the DNS table by replacing a legitimate IP address with a malicious oneE.g. redirecting cloudarchitecture.io to attackers IP address. π€ Used for internet censorship in many countries. FlowAttacker makes DNS request to target DNS server asks the root name server for the entry Attacker floods the DNS server with a fake response for the targeted domain until legitimate response from root server is ignored The poisoned entry remains in cache for hours and even days Can be used after ARP poisoning through DNS spoof plugin of Ettercap . Can be followed up with e.g. β’ man-in-the-middle attacks β’ website defacement attacks DNS poisoning countermeasuresβ Active monitoring Monitor DNS data for new patterns such as new host E.g. by using intrusion detection system (IDS) Keep DNS servers up-to-date Updated versions have port randomization and cryptographically secure transaction IDs against attackers. Randomize source and destination IP, query IDs, during name requests Makes harder for attackers to send spoofed responses as it'd be harder to guess the address and query ID. Use HTTPS and/or TLS for securing the traffic Also known as DNS over HTTPS (DoH) and DNS over TLS (DoT) SSL and TLS use certificates to verify the identity of the other party. So although they do not protect against cache poisoning itself, the certificates help to protect against the results DNSSEC (Domain Name System Security Extension)β Developed by The Internet Engineering Task Force (IETF)Open standards organization, which develops and promotes voluntary Internet standards Help verifying the true originator of DNS messaging π Provides secure DNS data authentication by using digital signatures and encryption.Adds cryptographic signatures to existing DNS records, stored in DNS name servers. Widely considered one of the greatest cache poisoning prevention tool as a defense Allows verifying that a requested DNS record comes from its authoritative name server and wasn't altered, opposed to a fake record injected in a man-in-the-middle attack. Chain of trust : E.g. cloudarchitecture.io's signature is verified by .io signature that is verified by root certificate (signed by IANA )IANA : Centrally coordinates Internet for DNS Root, IP addressing, and other Internet protocol resources.VLAN hoppingβ π Allows multiple separate LANs/networks on same switch through logical grouping Provides network separationHosts one one VLAN does not see hosts on other one Port-based VLAN Designate set of ports on the switchaccount department VLAN, shipping department VLAN.. Connect devices to right ports each group is a VLAN Tag-based VLAN aka IEEE 802.1q VLANsBasically a tags frames with which VLAN it belongs toFrame = Primitive packet on layer 2 Tagged frame = IEEE 802.1q frame Can tag/assign based on e.g. 802.1x Trunk (=802.1q link)Allows sharing VLANs (VLAN IDs) between switches VLAN hopping attackβ Attacking host on a VLAN to gain access to traffic on other VLANs E.g. using Frogger Switch spoofing Attacking host imitates a trunking switch Double tagging Attacker prepends two VLAN tags to frames Second tag is the target host First switch removes first innocent VLAN tag and sends packet to second switch. Allows bypassing security mechanisms and reaching the target hosts. Replies are not forwarded to the attacker host OSPF attacksβ Forms a trusted relationship with the adjacent router Usually these attacks go undetected Remote attacks : caused by misconfigurationsOSPF: Open Shortest Path Firstβ Most popular routing protocol for IP networks Dynamically discovers neighbors like RIPv2 and BPG (Border Gateway Protocol) Used by e.g. internet service providers (ISP) and cloud providers for hybrid communication Compromised router attacksβ Placing a rogue router in target network e.g. remote branch/headquarters Allows attacker to inject routes to redirect traffic for MITM attacks or DoS attacks. Attacker learns about that entire routing domain such network types, links etc OSPF attacks countermeasuresβ π Configure OSPF to authenticate every OSPF messageRouters must pass the authentication process before becoming OSPF neighbors. Monitor OSPF neighbors for eavesdropping through e.g. a SIEM