Re: [SAGE] sniffing switched nets and VLANs
The talk you are referring to is Dug Song's paper on collecting passwords
on a wireless network.
The link to the paper is at http://www.monkey.org/~dugsong/talks/usenix00.ps
Note that only the front page of monkey.org/~dugsong is "censored". The
rest of the content is there.
To answer your question about switched networks, there are several ways to
sniff switched networks.
If you are an authorized administrator (or just happen to know how to
authenticate and log in to the switch), most departmental-grade and higher
switches support SPAN ports. A SPAN port mirrors traffic from all ports on
the switch. SPAN ports are often used for diagnostic purposes or intrusion
detection deployments. A good tutorial on SPAN ports is available at
http://www.cisco.com/warp/public/473/41.html
If you are an attacker, there are other opportunities.
ARP flooding, as alluded to in another post, will cause some switches to
"fall open" and act as a hub or repeater rather than a switch. The ARP
table on a switch (also known as a CAM table) maintains the port numbers
and MAC addresses to forward packets to. Most switches have enough memory
for the CAM table to handle normal use-cases. However, when an attacker
starts producing multiple ARP entries at a fast rate, the table fills up,
and the switch falls open in order to continue (albeit slower) operations.
Sniffing can then take place. You can find multiple utilities out there to
do this.
ARP poisoning/spoofing is not an attack on the switch, per se, but an
attack on two communicating hosts in the same segment on a switch. Since
all ARP replies are broadcast on a switch and hosts typically insert all
ARP replies into their ARP table, a malicious host can broadcast ARP
replies to the two victim hosts, overwriting the ARP table of the victim
hosts with the attacker's ARP address. All future packets (until there is
another ARP reply by a victim host causing an overwrite of the ARP table)
will go to the attacker. The attacker (if they want to be somewhat
stealthy) will need to forward these packets to their original
destination after interception; otherwise the connection breaks down
rather quickly. Common attacks include spoofing the ARP address of the
default gateway in order to capture all outbound traffic on a switched
network. You can catch these types of attacks by keeping an eye on the ARP
table of hosts in your network. When multiple fresh ARP entries have the
same IP address, you probably have a problem. Arpwatch is a nice utility to
catch this activity. Note that some OS implementations of TCP/IP handle
gratuitous ARP replies in different ways (i.e., the ARP table can only be
updated after a timeout period), so your mileage may vary.
For more information on ARP poisoning/spoofing, check out
http://packetstorm.decepticons.org/papers/protocols/intro_to_arp_spoofing.pdf
Another entry-level discussion on the topic is at
http://www.sans.org/newlook/resources/IDFAQ/switched_network.htm
And since we're on the topic, what about VLANs on a switch?
VLANs, which are used for Layer 2 separation for virtual segments, are
often deployed on medium to large-sized switches. I have often seen
deployments where the same switch blade will handle a DMZ network on ports
1-10 on VLAN 1, an internal segment on ports 11-20 on VLAN 2, and an
extranet segment on ports 21-24 on VLAN 3. This rather precarious
deployment assumes that there is no way for traffic to "leak" or be
monitored between VLANs and that Layer 3 routing and access control is
sufficient. However, VLANs are not designed to be used as security
boundaries. Even Cisco says so:
"Avoid using VLANs as the sole method of securing access between two
subnets. The capability for human error, combined with understanding that
VLANs and VLAN tagging protocols were not designed with security in mind,
makes their use in sensitive environments inadvisable. When VLANs are
needed in security deployments, be sure to pay close attention to the
configurations and guidelines mentioned above."
- from
http://www.cisco.com/warp/public/cc/so/cuso/epso/sqfr/safe_wp.htm
Attacks on the tagging protocols have taken place in the past (see
http://www.sans.org/newlook/resources/IDFAQ/vlan.htm) and configuration of
VLANs can be less than straightforward when attempting to limit access to
VLANs or trunk ports.
Be careful out there! :-)
C
At 10:23 AM 1/25/2002 -0600, David R. Linn wrote:
>A few meetings ago (perhaps the ATC in San Diego), I seem to recall
>that some attendees demonstrated that you can sniff switched nets by
>collecting and then posting a set of passwords that they had captured
>from the switched TTY room net. I believe that they wrote up their
>technique, maybe for a WIP, maybe for a later conference.
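The gateway-spoofing attack and the arpwatch-style check described in the reply above, as an added example that is not part of the original post or of arpwatch itself. It builds the raw Ethernet/ARP reply frames an attacker would broadcast to poison a victim and its default gateway, then runs a small detector that remembers the first MAC seen for each IP and reports any later change, which is the "changed ethernet address" condition arpwatch alerts on. All addresses are constructed (RFC 5737 documentation range 192.0.2.0/24 and locally administered MACs), the frames are fed from a list rather than a live capture, and the detector is a toy modeled on what arpwatch reports, not its code.

```python
"""Added example (not from the original SAGE post): build ARP-poisoning
replies and detect them with an arpwatch-style IP->MAC change monitor.
All addresses below are constructed; no packets are sent."""
import struct
from dataclasses import dataclass

ETH_P_ARP = 0x0806   # EtherType for ARP
ARP_REPLY = 2        # ARP opcode "reply"
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_bytes(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip, dst_mac=None) -> bytes:
    """Ethernet II frame carrying an RFC 826 ARP reply (28-byte body).
    dst_mac defaults to the target's MAC; pass BROADCAST for the
    unsolicited, gratuitous-style reply an attacker sprays at a segment."""
    eth = mac_bytes(dst_mac or target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)  # Ethernet/IPv4, hlen 6, plen 4
           + mac_bytes(sender_mac) + ip_bytes(sender_ip)
           + mac_bytes(target_mac) + ip_bytes(target_ip))
    return eth + arp


@dataclass
class ArpReply:
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


def parse_arp_reply(frame: bytes):
    """Return an ArpReply for an Ethernet frame holding an ARP reply, else None."""
    if len(frame) < 14 + 28:
        return None
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETH_P_ARP:
        return None
    a = frame[14:42]
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", a[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4) or op != ARP_REPLY:
        return None
    return ArpReply(mac_str(a[8:14]), ip_str(a[14:18]), mac_str(a[18:24]), ip_str(a[24:28]))


class ArpWatch:
    """Toy arpwatch: first MAC seen for an IP is trusted; later changes are flagged."""

    def __init__(self):
        self.table = {}  # sender IP -> sender MAC

    def observe(self, frame: bytes):
        r = parse_arp_reply(frame)
        if r is None:
            return None                      # not an ARP reply; ignore
        old = self.table.get(r.sender_ip)
        self.table[r.sender_ip] = r.sender_mac
        if old is not None and old != r.sender_mac:
            return f"changed ethernet address {r.sender_ip} {old} -> {r.sender_mac}"
        return None                          # new station or unchanged mapping


def demo():
    # Constructed hosts on one switched segment: gateway, victim, attacker.
    gw_ip, gw_mac = "192.0.2.1", "00:00:5e:00:01:01"
    vic_ip, vic_mac = "192.0.2.10", "02:00:00:00:00:10"
    atk_mac = "02:00:00:00:00:66"
    frames = [
        build_arp_reply(gw_mac, gw_ip, vic_mac, vic_ip),          # legitimate: gateway answers victim
        build_arp_reply(vic_mac, vic_ip, gw_mac, gw_ip),          # legitimate: victim answers gateway
        build_arp_reply(atk_mac, gw_ip, vic_mac, vic_ip, BROADCAST),   # attacker claims gateway IP
        build_arp_reply(atk_mac, vic_ip, gw_mac, gw_ip, BROADCAST),    # attacker claims victim IP (return path)
        mac_bytes(BROADCAST) + mac_bytes(vic_mac) + b"\x08\x00" + b"\x00" * 40,  # plain IP frame, ignored
    ]
    watch = ArpWatch()
    return [alert for alert in map(watch.observe, frames) if alert]


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Two points worth noting when reading the output. The monitor only raises an alert because it saw the legitimate gateway and victim replies first; a detector started after the poisoning has nothing to compare against, which is why arpwatch keeps a persistent database and also reports "new station" events. And the check keys on the sender fields of the reply, not on who it was addressed to, so the broadcast and unicast forms of the attack are caught the same way.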