8th MODULE SNIFFING

ethical hacking

Uploaded by

qahtanihani457
Module 08: Sniffing
Ethical Hacking and Countermeasures, Exam 312-50 Certified Ethical Hacker

Learning Objectives

This module starts with an overview of sniffing concepts and provides an insight into MAC, DHCP, ARP, MAC spoofing, and DNS poisoning attacks. Later, the module discusses various sniffing tools, countermeasures, and detection techniques. At the end of this module, you will be able to:

- Describe sniffing concepts
- Explain different MAC attacks
- Explain different DHCP attacks
- Describe ARP poisoning
- Explain different spoofing attacks
- Describe DNS poisoning
- Apply a defense mechanism against various sniffing techniques
- Use different sniffing tools
- Apply various sniffing countermeasures
- Apply various techniques to detect sniffing attacks

Sniffing Concepts

This section describes network sniffing and threats, how a sniffer works, active and passive sniffing, how an attacker hacks a network using sniffers, protocols vulnerable to sniffing, sniffing in the data link layer of the Open Systems Interconnection (OSI) model, hardware protocol analyzers, Switched Port Analyzer (SPAN) ports, wiretapping, and lawful interception.

Network Sniffing

Packet sniffing is the process of monitoring and capturing all data packets passing through a given network using a software application or hardware device. Sniffing is straightforward in hub-based networks, as the traffic on a segment passes through all the hosts associated with that segment. However, most networks today work on switches. A switch is an advanced computer networking device. The major difference between a hub and a switch is that a hub transmits line data to each port on the machine and has no line mapping, whereas a switch looks at the Media Access Control (MAC) address associated with each frame passing through it and sends the data to the required port. A MAC address is a hardware address that uniquely identifies each node of a network.
An attacker needs to manipulate the functionality of the switch to see all the traffic passing through it. A packet sniffing program (also known as a sniffer) can capture data packets only from within a given subnet, which means that it cannot sniff packets from another network. Often, any laptop can plug into a network and gain access to it, because many enterprises' switch ports are open. A packet sniffer placed on a network in promiscuous mode can therefore capture and analyze all the network traffic. Sniffing programs turn off the filter employed by Ethernet network interface cards (NICs) to prevent the host machine from seeing other stations' traffic. Thus, sniffing programs can monitor all traffic.

Module 08 Page 815. Ethical Hacking and Countermeasures Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

Although most networks today employ switch technology, packet sniffing is still useful. This is because installing remote sniffing programs on network components with heavy traffic flows, such as servers and routers, is relatively easy. It allows an attacker to observe and access the entire network traffic from one point. Packet sniffers can capture data packets containing sensitive information such as passwords, account information, syslog traffic, router configuration, DNS traffic, email traffic, web traffic, chat sessions, and FTP passwords. This allows an attacker to read passwords in cleartext, the actual emails, credit card numbers, financial transactions, etc. It also allows an attacker to sniff SMTP, POP, and IMAP traffic, telnet authentication, SQL database, SMB, NFS, and FTP traffic. An attacker can gain a substantial amount of information by reading captured data packets; then, the attacker can use that information to break into the network. An attacker carries out more effective attacks by combining these techniques with active transmission.
The following diagram depicts an attacker sniffing the data packets between two legitimate network users.

Figure 8.1: Packet sniffing scenario

How a Sniffer Works

The most common way of networking computers is through an Ethernet connection. A computer connected to a local area network (LAN) has two addresses: a MAC address and an Internet Protocol (IP) address. A MAC address uniquely identifies each node in a network and is stored on the NIC itself. The Ethernet protocol uses the MAC address to transfer data to and from a system while building data frames. The data link layer of the OSI model uses an Ethernet header with the MAC address of the destination machine instead of the IP address. The network layer is responsible for mapping IP network addresses to the MAC address as required by the data link protocol. It initially looks for the MAC address of the destination machine in a table, usually called the Address Resolution Protocol (ARP) cache. If there is no entry for the IP address, an ARP broadcast of a request packet goes out to all machines on the local sub-network. The machine with that particular address responds to the source machine with its MAC address. The source machine's ARP cache adds this MAC address to the table. The source machine, in all its communications with the destination machine, then uses this MAC address.

There are two basic types of Ethernet environments, and sniffers work differently in each. These two types are:

- Shared Ethernet

In a shared Ethernet environment, a single bus connects all the hosts that compete for bandwidth. In this environment, all the other machines receive packets meant for one machine.
Thus, when machine 1 wants to talk to machine 2, it sends a packet out on the network with the destination MAC address of machine 2, along with its own source MAC address. The other machines in the shared Ethernet (machines 3 and 4) compare the frame's destination MAC address with their own and discard the unmatched frame. However, a machine running a sniffer ignores this rule and accepts all the frames. Sniffing in a shared Ethernet environment is passive and, hence, difficult to detect.

- Switched Ethernet

In a switched Ethernet environment, the hosts connect with a switch instead of a hub. The switch maintains a table that tracks each computer's MAC address and the physical port on which that MAC address is connected, and then delivers packets destined for a particular machine. The switch is a device that sends packets to the destined computer only; furthermore, it does not broadcast them to all the computers on the network. This results in better utilization of the available bandwidth and improved security. Hence, the process of putting a machine's NIC into promiscuous mode to gather packets does not work. As a result, many people think that switched networks are secure and immune to sniffing. However, this is not true. Although a switch is more secure than a hub, sniffing the network is possible using the following methods:

- ARP Spoofing

ARP is stateless. A machine can send an ARP reply even without being asked for it; furthermore, it can accept such a reply. When a machine wants to sniff the traffic originating from another system, it can ARP spoof the gateway of the network. The ARP cache of the target machine will then have an incorrect entry for the gateway. Thus, all the traffic destined to pass through the gateway will now pass through the machine that spoofed the gateway MAC address.

- MAC Flooding

Switches maintain a translation table that maps various MAC addresses to the physical ports on the switch.
As a result, they can intelligently route packets from one host to another. However, switches have a limited memory. MAC flooding makes use of this limitation to bombard switches with fake MAC addresses until the switches can no longer keep up. Once this happens to a switch, it will enter fail-open mode, wherein it starts acting as a hub by broadcasting packets to all the ports on the switch. Once that happens, it becomes easy to perform sniffing. macof is a utility that comes with the dsniff suite and helps the attacker to perform MAC flooding.

Once a switch turns into a hub, it starts broadcasting all packets it receives to all the computers in the network. By default, promiscuous mode is turned off in network machines; therefore, the NICs accept only those packets that are addressed to the user's machine and discard the packets sent to other machines. A sniffer turns the NIC of a system to promiscuous mode so that it listens to all the data transmitted on its segment. A sniffer can constantly monitor all the network traffic to a computer through the NIC by decoding the information encapsulated in the data packets. Attackers configure the NIC in their machines to run in promiscuous mode so that the card starts accepting all the packets. Thus, the attacker can view all the packets that are being transmitted in the network.

Figure 8.2: Working of a sniffer (attacker's PC running its NIC card in promiscuous mode)

Types of Sniffing

Attackers run sniffers to convert the host system's NIC to promiscuous mode. As discussed earlier, the NIC in promiscuous mode can then capture packets addressed to the specific network. There are two types of sniffing. Each is used for different types of networks.
The two types are:

- Passive sniffing
- Active sniffing

Passive Sniffing

Passive sniffing involves sending no packets. It simply captures and monitors the packets flowing in the network. A packet sniffer alone is not preferred for an attack because it works only in a common collision domain. A common collision domain is the sector of the network that is not switched or bridged (i.e., connected through a hub). Common collision domains are present in hub environments. A network that uses hubs to connect systems is exposed to passive sniffing. In such networks, all hosts in the network can see all the traffic. Hence, it is easy to capture traffic through the hub using passive sniffing.

Figure 8.3: Passive sniffing

Attackers use the following passive sniffing methods to gain control over a target network:

- Compromising physical security: An attacker who succeeds in compromising the physical security of a target organization can walk into the organization with a laptop, plug into the network, and capture sensitive information about the organization.
- Using a Trojan horse: Most Trojans have in-built sniffing capability. An attacker can install these on a victim's machine to compromise it. After compromising the victim's machine, the attacker can install a packet sniffer and perform sniffing.

Most modern networks use switches instead of hubs. A switch eliminates the risk of passive sniffing. However, a switch is still vulnerable to active sniffing.

Note: Passive sniffing provides significant stealth advantages over active sniffing.

Active Sniffing

Active sniffing searches for traffic on a switched LAN by actively injecting traffic into it. Active sniffing also refers to sniffing through a switch.
In active sniffing, the switched Ethernet does not transmit information to all the systems connected through the LAN as it does in a hub-based network. For this reason, a passive sniffer is unable to sniff data on a switched network. It is easy to detect these sniffer programs and highly difficult to perform this type of sniffing. Switches examine data packets for source and destination addresses and then transmit them to the appropriate destinations. Therefore, it is cumbersome to sniff switches. However, attackers can actively inject ARP traffic into a LAN to sniff around a switched network and capture the traffic. Switches maintain their own ARP cache in Content Addressable Memory (CAM). CAM is a special type of memory that maintains a record of which host is connected to which port. A sniffer records all the information visible on the network for future review. An attacker can see all the information in the packets, including data that should remain hidden.

To summarize the types of sniffing: passive sniffing does not send any packets; it only monitors the packets sent by others. Active sniffing involves sending out multiple network probes to identify access points. The following is a list of different active sniffing techniques:

- MAC flooding
- DNS poisoning
- ARP poisoning
- DHCP attacks
- Switch port stealing
- Spoofing attack

How an Attacker Hacks the Network Using Sniffers

Attackers use sniffing tools to sniff packets and monitor network traffic on a target network. The steps that an attacker follows to make use of sniffers to hack a network are illustrated below.

- Step 1: An attacker who decides to hack a network first discovers the appropriate switch to access the network and connects a system or laptop to one of the ports on the switch.
Figure 8.4: Discovering a switch to access the network

- Step 2: An attacker who succeeds in connecting to the network tries to determine network information such as the topology of the network by using network discovery tools.

Figure 8.5: Using network discovery tools to learn the topology

- Step 3: By analyzing the network topology, the attacker identifies the victim's machine to target his/her attacks.

Figure 8.6: Identifying the victim's machine

- Step 4: An attacker who identifies a target machine uses ARP spoofing techniques to send fake (spoofed) Address Resolution Protocol (ARP) messages.

Figure 8.7: Attacker sending fake ARP messages

- Step 5: The previous step helps the attacker to divert all the traffic from the victim's computer to the attacker's computer. This is a typical man-in-the-middle (MITM) type of attack.

Figure 8.8: Redirecting the traffic to the attacker

- Step 6: Now, the attacker can see all the data packets sent and received by the victim. The attacker can now extract sensitive information from the packets, such as passwords, usernames, credit card details, and PINs.

Figure 8.9: Attacker extracting sensitive information

Protocols Vulnerable to Sniffing

The following protocols are vulnerable to sniffing. The main reason for sniffing these protocols is to acquire passwords.

- Telnet and Rlogin

Telnet is a protocol used for communicating with a remote host (via port 23) on a network using a command-line terminal. rlogin enables an attacker to log into a network machine remotely via a TCP connection. Neither of these protocols provides encryption; therefore, data traveling between clients connected through either of these protocols is in plaintext and vulnerable to sniffing. Attackers can sniff keystrokes, including usernames and passwords.
- HTTP

Due to vulnerabilities in the default version of HTTP, websites implementing HTTP transfer user data across the network in plaintext, which attackers can read to steal user credentials.

- SNMP

Simple Network Management Protocol (SNMP) is a TCP/IP-based protocol used for exchanging management information between devices connected on a network. The first versions of SNMP (SNMPv1 and SNMPv2) do not offer strong security, which leads to the transfer of data in a cleartext format. Attackers exploit the vulnerabilities in these versions to acquire passwords in plaintext.

- SMTP

Simple Mail Transfer Protocol (SMTP) is used for transmitting email messages over the Internet. In most implementations, SMTP messages are transmitted in cleartext, which enables attackers to capture plaintext passwords. Further, SMTP does not provide any protection against sniffing attacks.

- NNTP

Network News Transfer Protocol (NNTP) distributes, inquires into, retrieves, and posts news articles using a reliable stream-based transmission of news among the ARPA-Internet community. However, this protocol fails to encrypt the data, which allows attackers to sniff sensitive information.

- POP

Post Office Protocol (POP) allows a user's workstation to access mail from a mailbox server. A user can send mail from the workstation to the mailbox server via SMTP. Attackers can easily sniff the data flowing across a POP network in cleartext because of the protocol's weak security implementations.

- FTP

File Transfer Protocol (FTP) enables clients to share files between computers in a network.
This protocol fails to provide encryption; therefore, attackers can sniff data, including user credentials, by running tools such as Cain & Abel.

- IMAP

Internet Message Access Protocol (IMAP) allows a client to access and manipulate electronic mail messages on a server. This protocol offers inadequate security, which allows attackers to obtain data and user credentials in cleartext.

Sniffing in the Data Link Layer of the OSI Model

The OSI model describes network functions as a series of seven layers. Each layer provides services to the layer above and receives services from the layer below. The data link layer is the second layer of the OSI model. In this layer, data packets are encoded and decoded into bits. Sniffers operate at the data link layer and can capture packets from this layer. Networking layers in the OSI model are designed to work independently of each other; thus, if a sniffer sniffs data in the data link layer, the upper OSI layers will not be aware of the sniffing.

Figure 8.10: Sniffing in the data link layer of the OSI model (Application, Presentation, Session, Transport, Network, Data link, and Physical layers on both ends; the sniffer sits at the Data link layer)

Hardware Protocol Analyzers

A hardware protocol analyzer is a device that interprets traffic passing over a network. It captures signals without altering the traffic segment. Its purpose is to monitor network usage and identify malicious network traffic generated by hacking software installed on the network. It captures a data packet, decodes it, and analyzes its content according to predetermined rules.
It allows an attacker to see the individual data bytes of each packet passing through the network. Compared to software protocol analyzers, hardware protocol analyzers are capable of capturing more data without packet drops at the time of data overload. Hardware protocol analyzers provide a wide range of network connection options varying from LAN, WAN, and wireless to circuit-based telco network lines. They are capable of displaying bus states and low-level events such as high-speed negotiation (K/J chirps), transmission errors, and retransmissions. The analyzers provide accurate timestamps of the captured traffic. However, hardware analyzers are more expensive and tend to be out of reach for individual developers, hobbyists, and ordinary hackers.

Hardware protocol analyzers from different manufacturers include the following.

- Xgig 1000 32/128 G FC & 25/50/100 GE Analyzer

Source: https://www.viavisolutions.com

The VIAVI Xgig 1000 32/128 G Fibre Channel (FC) and 25/50/100 G Ethernet (GE) platform is a hardware product that addresses 8G/16G/32G/128G FC and 10/25/50/100 GE in an integrated, portable platform with reconfigurable ports. It provides a platform to perform inline, nonintrusive capture and analysis and inline jamming (error injection). It uses the industry's first true analog pass-through adapter while keeping the linear nature of signal-over-copper connections. The platform offers unmatched visibility into the OSI physical layer with features such as auto negotiation, link training, and forward error correction (FEC).

Figure 8.11: Xgig 1000 32/128 G FC and 25/50/100 GE Analyzer

- TPI4000 Series

Source: https://www.tek.com

Each of the TPI4000 protocol analyzers captures and displays link data, even at full line rates.
Views of primitives as well as the frame delimiter, frame header, and payload data are also provided. The Protocol Database Editor allows the user to define the additional decoding of protocols to further enhance existing functions. Deep, bit-level triggering and pre- and post-filtering capabilities ensure that relevant data can be extracted from multi-gigabit data streams.

Figure 8.12: TPI4000 protocol analyzer

Some examples of hardware protocol analyzers are listed below:

- PTW60 (https://www.globalspec.com)
- P5551A PCIe 5.0 Protocol Exerciser (https://www.keysight.com)
- Voyager Max Protocol Analyzer (https://teledynelecroy.com)
- N2X N5540A Agilent Protocol Analyzer (https://www.valuetronics.com)
- Xgig 1000 (https://www.viavisolutions.com)

SPAN Port

Switched Port Analyzer (SPAN) is a Cisco switch feature, also known as "port mirroring," that monitors network traffic on one or more ports on the switch. A SPAN port is a port that is configured to receive a copy of every packet that passes through a switch. It helps to analyze and debug data, identify errors, and investigate unauthorized network access. When port mirroring is on, the network switch sends a copy of the network packets from the source port to the destination port, where a network analyzer studies them. There can be one or more source ports, but there should be only one destination port on the switch. Source ports are the ports for which network packets are monitored and mirrored.
The user can simultaneously monitor the traffic of multiple ports, such as the traffic on all the ports of a specific virtual local area network (VLAN).

Figure 8.13: Working of SPAN

Wiretapping

Wiretapping, or telephone tapping, refers to the monitoring of telephone or Internet conversations by a third party with covert intentions. To perform wiretapping, the attacker first selects a target person or host on the network to wiretap and then connects a listening device (hardware, software, or a combination of both) to the circuit carrying information between the two target phones or hosts. Typically, the attacker uses a small amount of the electrical signals generated by the telephone wires to tap the conversation. This allows attackers to monitor, intercept, access, and record information contained in the data flow in a communication system.

Wiretapping Methods

The following are ways to perform wiretapping:

- The official tapping of telephone lines
- The unofficial tapping of telephone lines
- Recording the conversation
- Direct line wiretap
- wiretap

Types of Wiretapping

There are two types of wiretapping that an attacker can use to monitor, record, and even alter the data flow in the communication system.

Active Wiretapping

In hacking terminology, active wiretapping is an MITM attack. This allows an attacker to monitor and record the traffic or data flow in a communication system. The attacker can also alter or inject data into the communication or traffic.

Passive Wiretapping

Passive wiretapping is snooping or eavesdropping. This allows an attacker to monitor and record traffic. By observing the recorded traffic flow, the attacker can snoop for a password or other information.
Note: Wiretapping without a warrant or the consent of the people conducting the conversation is a criminal offense in most countries, and is punishable depending on the country's law.

Lawful Interception

Lawful interception (LI) refers to legally intercepting data communication between two endpoints for surveillance on traditional telecommunications, VoIP, data, and multiservice networks. LI obtains data from a communication network for analysis or evidence. This is useful in activities like infrastructure management and protection, as well as cybersecurity-related issues. Here, the network operator or service provider legally sanctions access to private network data for monitoring private communications like telephone calls and email messages. Such operations are carried out by law enforcement agencies (LEAs). This type of interception is necessary only to monitor messages exchanged on suspicious channels in which the users are engaged in illegal activity. Countries around the world are making strides to standardize this type of procedure for interception.

The figure shows the telco/ISP lawful interception solution provided by the Decision Computer Group. The solution consists of one tap/access switch and multiple systems for the reconstruction of intercepted data. The tap/access switch collects traffic from the Internet service provider (ISP) network, sorts the traffic by IP domain, and serves it to E-Detective (ED) systems that decode and reconstruct the intercepted traffic into its original format. The tool performs this with the help of supporting protocols such as POP3, IMAP, SMTP, P2P, FTP, and telnet.
The Centralized Management Server (CMS) manages all the ED systems.

Figure 8.14: Telco/ISP lawful interception solution

Sniffing Technique: MAC Attacks

Attackers use various sniffing techniques, such as MAC attacks, DHCP attacks, ARP poisoning, spoofing attacks, and DNS poisoning, to steal and manipulate sensitive data. Attackers use these techniques to gain control over a target network by reading captured data packets and then using that information to break into the network. This section discusses MAC attacks, or MAC flooding. Attackers use the MAC flooding technique to force a switch to act as a hub, so that they can easily sniff the traffic.

MAC Address

A MAC address uniquely identifies each node of a network. Each device in the network has a MAC address associated with a physical port on the network switch, which makes it possible to designate a specific single point of the network. MAC addresses are used as network addresses for most IEEE 802 network technologies, including Ethernet. Logically, the MAC protocol in the OSI reference model uses MAC addresses for information transfer.

A MAC address comprises 48 bits that are split into two sections, each containing 24 bits. The first section contains the ID number of the organization that manufactured the adapter and is called the organizationally unique identifier (OUI). The next section contains the serial number assigned to the NIC adapter and is called the NIC specific. The MAC address is written as 12 hexadecimal digits, divided into three or six groups. The first six digits indicate the manufacturer, while the next six digits indicate the adapter's serial number. For example, consider the MAC address D4-BE-D9-14-C8-29.
The first six digits, i.e., D4BED9, indicate the manufacturer (Dell, Inc.), and the next six digits, 14C829, indicate the serial number of the adapter.

Figure 8.15: MAC address (3 bytes Organizationally Unique Identifier (OUI) followed by 3 bytes Network Interface Controller (NIC) Specific; bits a8 to a1 of the first byte, where the flag bit is 0 for globally unique and 1 for locally administered)

CAM Table

A CAM table is a dynamic table of fixed size. It stores information such as the MAC addresses available on physical ports along with the VLAN parameters associated with them. When a machine sends data to another machine in a network, the data passes through the switch. The switch searches for the destination MAC address (located in the Ethernet frame) in its CAM table, and once the MAC address is found, it forwards the data to the machine through the port with which the MAC address is bound. This method of transferring data in a switched network is more secure than that of a hub-based network, in which the hub forwards the incoming traffic to all the machines in the network.

Table 8.1: CAM table (columns: VLAN, MAC Address, Type, Learn, Age, Ports; three entries of Type Dynamic with Learn = Yes and Age = 0, on ports including Gi5/2 and Gi1/6)

How CAM Works

A CAM table refers to the dynamic form of content and works with an Ethernet switch. The Ethernet switch maintains connections between ports, and the CAM table keeps track of MAC address locations on the switch, but the table is limited in size. If the CAM table is flooded with more MAC addresses than it can hold, the switch will turn into a hub. The CAM table does this to ensure the delivery of data to the intended host. Attackers exploit this vulnerability in the CAM table to sniff network data.
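The following is an added example, not code from the CEH module, that works through the two mechanisms described above in Python: it splits a MAC address into the OUI and NIC-specific halves and reads the U/L (locally administered) and I/G (group) flag bits from the first octet, parses the 14-byte Ethernet header of a raw frame, and applies the destination-address filter that a NIC enforces in normal mode and abandons in promiscuous mode (the behaviour described under "How a Sniffer Works"). The sample frames, the locally administered 02:00:00:00:00:0N addresses and all function names are constructed for this example; the module's own D4-BE-D9-14-C8-29 address is used only as parsing input.

```python
"""Added example, not part of the CEH module: parse Ethernet frame headers,
split a MAC address into its OUI and NIC-specific halves with the U/L and
I/G flag bits, and apply the destination filter a NIC uses in normal mode and
skips in promiscuous mode. Frames and addresses below are constructed."""
import struct
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class MacInfo:
    mac: str                    # canonical aa:bb:cc:dd:ee:ff form
    oui: str                    # first 24 bits: organizationally unique identifier
    nic_specific: str           # last 24 bits: adapter serial number
    locally_administered: bool  # U/L bit (0x02 of first octet): 1 = locally administered
    multicast: bool             # I/G bit (0x01 of first octet): 1 = group address


def parse_mac(text: str) -> MacInfo:
    """Accepts D4-BE-D9-14-C8-29, d4:be:d9:14:c8:29, d4be.d914.c829 or raw hex."""
    digits = "".join(ch for ch in text.lower() if ch in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    first_octet = int(digits[:2], 16)
    return MacInfo(
        mac=":".join(digits[i:i + 2] for i in range(0, 12, 2)),
        oui=digits[:6].upper(),
        nic_specific=digits[6:].upper(),
        locally_administered=bool(first_octet & 0x02),
        multicast=bool(first_octet & 0x01),
    )


def mac_bytes(text: str) -> bytes:
    return bytes.fromhex(parse_mac(text).mac.replace(":", ""))


@dataclass(frozen=True)
class EthernetHeader:
    dst: str
    src: str
    ethertype: int  # 0x0800 IPv4, 0x0806 ARP, ...


def parse_ethernet_header(frame: bytes) -> EthernetHeader:
    """Decode the 14-byte header: 6 bytes dst, 6 bytes src, 2 bytes EtherType."""
    if len(frame) < 14:
        raise ValueError("frame shorter than the 14-byte Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return EthernetHeader(parse_mac(dst.hex()).mac, parse_mac(src.hex()).mac, ethertype)


def build_frame(dst: str, src: str, ethertype: int = 0x0800, payload: bytes = b"") -> bytes:
    return mac_bytes(dst) + mac_bytes(src) + struct.pack("!H", ethertype) + payload


def nic_accepts(header: EthernetHeader, own_mac: str, promiscuous: bool = False) -> bool:
    """Normal mode: only frames addressed to this host, broadcast or multicast.
    Promiscuous mode, which a sniffer turns on, disables the filter entirely."""
    if promiscuous:
        return True
    dst = parse_mac(header.dst)
    return dst.mac == parse_mac(own_mac).mac or dst.mac == BROADCAST or dst.multicast


# Constructed sample: three frames on a shared segment, as seen by machine 3.
# Locally administered (02:...) addresses are used so no real vendor OUI appears.
MACHINE = {n: f"02:00:00:00:00:{n:02x}" for n in (1, 2, 3, 4)}
SAMPLE_FRAMES = [
    build_frame(MACHINE[2], MACHINE[1], payload=b"unicast for machine 2"),
    build_frame(MACHINE[3], MACHINE[1], payload=b"unicast for machine 3"),
    build_frame(BROADCAST, MACHINE[4], ethertype=0x0806, payload=b"ARP who-has"),
]


def frames_seen_by(own_mac: str, frames, promiscuous: bool = False):
    """Destination MACs of the frames this NIC would pass up to the host."""
    headers = [parse_ethernet_header(f) for f in frames]
    return [h.dst for h in headers if nic_accepts(h, own_mac, promiscuous)]


if __name__ == "__main__":
    print(parse_mac("D4-BE-D9-14-C8-29"))  # the module's example address
    print("normal:     ", frames_seen_by(MACHINE[3], SAMPLE_FRAMES))
    print("promiscuous:", frames_seen_by(MACHINE[3], SAMPLE_FRAMES, promiscuous=True))
```

In normal mode machine 3 sees only the frame addressed to it and the broadcast; with promiscuous mode on, the unicast frame for machine 2 is passed up as well, which is exactly the filter bypass the text attributes to sniffers. The U/L bit is also a useful defender's check: a flood of source addresses with that bit set (02:, 06:, 0a:, 0e: prefixes) has no vendor OUI behind it and is a common sign of generated addresses.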
An attacker who can connect to the shared switch of the Ethernet segment can easily sniff network data. Refer to the diagrams of the working of the CAM table. Three machines are shown: Machine A, Machine B, and Machine C, each holding MAC addresses A, B, and C. Machine A, holding the MAC address A, wants to interact with Machine B.

Machine A broadcasts an ARP request to the switch. The request contains the IP address of the target machine (Machine B), along with the source machine's (Machine A) MAC and IP addresses. The switch then broadcasts this ARP request to all the hosts in the network and waits for the reply.

Figure 8.16: Working of CAM table, step 1 (MAC B is unknown, so the switch broadcasts the ARP request)

Machine B possesses the target/destination IP address, so it sends an ARP reply along with its MAC address. The CAM table stores this MAC address along with the port on which this machine is connected.

Figure 8.17: Working of CAM table, step 2 (the CAM table learns the port of MAC B)

Now the connection is successfully established, and Machine A forwards the traffic to Machine B, while Machine C is unable to see the traffic flowing between them.

Figure 8.18: Working of CAM table, step 3

What Happens when a CAM Table is Full?

As discussed, a CAM table contains network information such as the MAC addresses available on physical switch ports and their associated VLAN parameters. A CAM table's limited size renders it susceptible to MAC flooding attacks, which bombard the switch with fake source MAC addresses until the CAM table is full.
Thereafter, the switch can no longer learn the legitimate hosts' addresses, and once their entries age out it floods frames addressed to them out of every port, much like a hub. This lets the attacker monitor the frames sent from the victim host to any host that has no CAM table entry. The attack also fills the CAM tables of adjacent switches, because the flooded frames carry the forged source addresses across the trunk links and are learned there too.

The figure illustrates how a CAM table can be flooded with fake MAC addresses to monitor frames sent from the victim host to another host without a CAM table entry.

[Figure 8.19: Flooding a CAM table]

MAC Flooding

MAC flooding is a technique used to compromise the security of network switches that connect network segments or devices. Attackers use MAC flooding to force a switch to act like a hub so that they can easily sniff the traffic. In a switched network, an Ethernet switch maintains a CAM table that stores the MAC addresses of the devices connected to it. The switch acts as an intermediate device between the computers on the network: it reads the destination MAC address carried in each Ethernet frame, matches it against its CAM table, and forwards the frame only to the port of the intended machine. Unlike a hub, which repeats data to every port, a switch sends data only to the intended recipient, so a switched network is more secure than a hub network.

However, the CAM table has a fixed size and can hold only a limited number of MAC addresses, so an attacker can send the switch a stream of frames with forged source MAC addresses. Nothing unusual happens until the table is full. Once the MAC address table is full, further frames may force the switch into fail-open mode.
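The following is an added example, not code from the module: a small model of a switch's CAM table that reproduces the behaviour described above. It learns source MACs per port, ages idle entries out, floods frames for unknown destinations, and shows three scenarios: a MAC flood from the attacker's port that leaves the victims' conversation flooded to the attacker, the switch port stealing rebind described later in this section, and the effect of the port-security "maximum 1" limit with violation restrict that the countermeasures part of this section covers. The table capacity (200 entries), the aging time (300 ticks), the port names and the MAC addresses are assumptions chosen for the demonstration; real switches hold thousands of entries and age entries after minutes.

```python
"""
Model of a switch's CAM table: MAC learning, aging, fail-open flooding when the
table is full, switch port stealing, and a port-security "maximum" limit.
Added example; not code from the module. CAM_SIZE, MAX_AGE, the port names and
the MAC addresses are assumptions chosen for the demonstration.
"""

CAM_SIZE = 200      # assumed table capacity (real switches hold thousands of entries)
MAX_AGE = 300       # assumed aging time: ticks of inactivity before a dynamic entry expires
PORT_A, PORT_B, PORT_C = "Gi1/1", "Gi1/2", "Gi1/3"   # A and B are victims, C is the attacker
MAC_A, MAC_B, MAC_C = "aa:bb:cc:dd:ee:01", "aa:bb:cc:dd:ee:02", "aa:bb:cc:dd:ee:03"
BROADCAST = "ff:ff:ff:ff:ff:ff"


class Switch:
    def __init__(self, ports, cam_size=CAM_SIZE, max_secure=None):
        self.ports = list(ports)
        self.cam_size = cam_size
        self.max_secure = max_secure    # per-port limit; None = port security disabled
        self.cam = {}                   # mac -> (port, last_seen)
        self.dropped = 0                # frames dropped by "violation restrict"

    def macs_on(self, port):
        return sum(1 for p, _ in self.cam.values() if p == port)

    def age_out(self, now):
        self.cam = {m: e for m, e in self.cam.items() if now - e[1] <= MAX_AGE}

    def forward(self, now, ingress, src_mac, dst_mac):
        """Learn src_mac on ingress, then return the set of ports the frame goes out of."""
        self.age_out(now)
        known = src_mac in self.cam
        if (not known and self.max_secure is not None
                and self.macs_on(ingress) >= self.max_secure):
            self.dropped += 1           # port security, violation restrict: drop, do not learn
            return set()
        if known or len(self.cam) < self.cam_size:
            # A known MAC arriving on a different port is simply re-bound to the new
            # port: that is the behaviour switch port stealing exploits.
            self.cam[src_mac] = (ingress, now)
        entry = self.cam.get(dst_mac)
        if entry is None:
            return {p for p in self.ports if p != ingress}   # unknown unicast / broadcast: flood
        if entry[0] == ingress:
            return set()                                      # destination is on the same port: filter
        return {entry[0]}


def forged_mac(i):
    """Deterministic locally-administered MAC standing in for macof's random ones."""
    return "02:00:00:%02x:%02x:%02x" % ((i >> 16) & 0xff, (i >> 8) & 0xff, i & 0xff)


def mac_flooding_demo(max_secure=None):
    """Return (victim frames that reach the attacker's port out of 10, frames dropped)."""
    sw = Switch([PORT_A, PORT_B, PORT_C], max_secure=max_secure)
    sw.forward(0, PORT_A, MAC_A, MAC_B)          # A and B get learned normally ...
    sw.forward(1, PORT_B, MAC_B, MAC_A)
    # ... then stay idle longer than MAX_AGE while the attacker floods forged sources.
    for t in range(100, 1100):
        sw.forward(t, PORT_C, forged_mac(t), BROADCAST)
    leaked = 0
    for i in range(10):                          # A and B resume talking; the flood continues
        t = 1100 + i
        sw.forward(t, PORT_C, forged_mac(t), BROADCAST)
        if i % 2 == 0:
            egress = sw.forward(t, PORT_A, MAC_A, MAC_B)
        else:
            egress = sw.forward(t, PORT_B, MAC_B, MAC_A)
        leaked += PORT_C in egress
    return leaked, sw.dropped


def port_stealing_demo():
    """Attacker forges a frame with B's MAC as source; A's next frame for B lands on the attacker's port."""
    sw = Switch([PORT_A, PORT_B, PORT_C])
    sw.forward(0, PORT_A, MAC_A, MAC_B)
    sw.forward(1, PORT_B, MAC_B, MAC_A)
    sw.forward(2, PORT_C, MAC_C, BROADCAST)       # attacker's own MAC is learned on Gi1/3
    sw.forward(3, PORT_C, MAC_B, MAC_C)           # forged "gratuitous" frame: src = B, dst = attacker
    return sw.forward(4, PORT_A, MAC_A, MAC_B)


if __name__ == "__main__":
    print("no port security   :", mac_flooding_demo())
    print("port-security max 1:", mac_flooding_demo(max_secure=1))
    print("port stealing      :", port_stealing_demo())
```

Without port security, all ten victim frames are flooded to the attacker's port: the victims' entries aged out while the table was full of forged entries, and the attacker keeps it full. With a maximum of one secure address on the attacker's port, only the single frame sent before B re-learns is flooded (the normal unknown-unicast case), and every further forged source is dropped. The model deliberately does not implement sticky addresses, so a known MAC seen on a new port is re-bound, which is what makes the port stealing scenario work.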
In fail-open mode, the switch behaves like a hub and floods incoming traffic out of all ports. The attacker then puts his or her machine's NIC into promiscuous mode so that it accepts every frame that reaches it. Attackers can thus sniff the traffic easily and steal sensitive information.

[Figure 8.20: MAC flooding]

MAC Flooding Switches with macof

Source: https://monkey.org

macof is a Unix/Linux tool that is part of the dsniff collection. It floods the local network with frames carrying random source MAC and IP addresses, causing some switches to fail open into repeating (hub-like) mode, which facilitates sniffing. The tool fills the switch's CAM table by sending forged entries at a high rate (the module quotes about 131,000 per minute). When the MAC table fills up and the switch falls back to hub-like operation, the attacker can monitor the data being flooded to every port.

[Figure 8.21: MAC flooding using macof]

Switch Port Stealing

The switch port stealing sniffing technique uses MAC flooding to sniff packets. The attacker floods the switch with forged gratuitous ARP packets that carry the target's MAC address as the source and the attacker's own MAC address as the destination. The attacker's flooded packets race against the target host's genuine packets, so the switch keeps rebinding the target's MAC address between two different ports. If the attacker is fast enough, he or she can direct the packets intended for the target host toward the attacker's own switch port.
Here, the attacker has stolen the target host's switch port. The attacker then sends an ARP request for the target host's IP address. When the ARP reply arrives, the target host's switch port binding has been restored, which lets the attacker deliver the frames it intercepted to the real target, and the attacker then steals the port again; by repeating this cycle the attacker can sniff the packets sent toward the target host.

[Figure 8.22: Switch port stealing. The layer 2 switch shows the logical connection the hosts believe they have and the real connection through the attacker's port.]

Assume there are three machines on a network: Host A, the target's Host B, and the attacker's Host C.

Machine   MAC Address          IP Address   Port
Host A    aa-bb-cc-dd-ee-ff    10.0.0.1     Port A
Host B    bb-cc-dd-ee-ff-gg    10.0.0.2     Port B
Host C    cc-dd-ee-ff-gg-hh    10.0.0.3     Port C

Table 8.2: Details of the three hosts on the network

The switch's MAC table and ARP cache contain the following values:

MAC Table
VLAN   Machine   MAC Address          IP Address   Age   Port
255    Host A    aa-bb-cc-dd-ee-ff    10.0.0.1     0     Port A
5      Host B    bb-cc-dd-ee-ff-gg    10.0.0.2     0     Port B
5      Host C    cc-dd-ee-ff-gg-hh    10.0.0.3     0     Port C

Table 8.3: MAC table

ARP Cache
IP          MAC
10.0.0.1    aa-bb-cc-dd-ee-ff
10.0.0.2    bb-cc-dd-ee-ff-gg

[Figure 8.25: Working of DHCP]

DHCP Request/Reply Messages

A device that already has an IP address can use the simple request/reply exchange to obtain other configuration parameters from a DHCP server. When a DHCP client receives a DHCP offer, it immediately responds by sending back a DHCP request packet. Devices that are not using DHCP to acquire IP addresses can still use DHCP's other configuration capabilities: a client can broadcast a DHCPINFORM message to request that any available server send its parameters for using the network, and DHCP servers respond with the requested parameters and/or default parameters carried in the DHCP options of a DHCPACK message.
If a DHCPREQUEST arrives from a hardware address to which this server has made an offer, but the request selects an address that a different server offered, this server's offer is void: it can return that IP address to its pool and offer it to another client.

DHCPv4 Message   DHCPv6 Message                      Description
DHCPDiscover     Solicit                             Client broadcast to locate the available DHCP servers
DHCPOffer        Advertise                           Server to client in response to DHCPDiscover with an offer of configuration parameters
DHCPRequest      Request, Confirm, Renew, Rebind     Client to servers either (a) requesting offered parameters, (b) confirming the correctness of the previously allocated address, or (c) extending the lease period
DHCPAck          Reply                               Server to client with configuration parameters, including the committed network address
DHCPRelease      Release                             Client to server relinquishing the network address and cancelling the remaining lease
DHCPDecline      Decline                             Client to server indicating that the network address is already in use
N/A              Reconfigure                         Server to client saying that it has new or updated configuration settings; the client then starts either a Renew/Reply or an Information-request/Reply transaction to get the updated information
DHCPInform       Information-request                 Client to server asking only for local configuration parameters; the client already has an externally configured network address
N/A              Relay-forward                       A relay agent sends a Relay-forward message to relay messages to servers, either directly or through another relay agent
N/A              Relay-reply                         A server sends a Relay-reply message to a relay agent containing a message that the relay agent delivers to a client
DHCPNak          N/A                                 Server to client indicating that the client's notion of the network address is incorrect (e.g., the client has moved to a new subnet) or the client's lease has expired

Table 8.8: DHCP request/reply messages

IPv4 DHCP Packet Format

DHCP enables communication on an IP network by configuring network devices. It assigns IP addresses and other information to computers so that they can communicate on the network in client-server mode. DHCP has two functions: delivering host-specific configuration parameters and allocating network addresses to hosts. A series of DHCP messages is exchanged between DHCP servers and DHCP clients. DHCP messages have the same format as Bootstrap Protocol (BOOTP) messages.
This is because DHCP maintains compatibility with BOOTP relay agents, which eliminates the need to change a BOOTP client's initialization software to interoperate with DHCP servers.

[Figure 8.26: IPv4 DHCP packet format]

The following table details every field of the IPv4 DHCP message:

Field                              Octets     Description
Opcode (op)                        1          Message opcode representing the message type: "1" for messages sent by the client (BOOTREQUEST), "2" for responses sent by the server (BOOTREPLY)
Hardware Address Type (htype)      1          Hardware address type as defined by the Internet Assigned Numbers Authority (IANA) (e.g., "1" = 10 Mb Ethernet)
Hardware Address Length (hlen)     1          Hardware address length in octets (6 for Ethernet)
Hops                               1          Set to "0" by DHCP clients; optionally used by relay agents to count the number of relay agents that forwarded the message
Transaction ID (xid)               4          Random number chosen by the client to associate its request messages with the server's responses
Seconds (secs)                     2          Seconds elapsed since the client began the address acquisition or renewal process
Flags                              2          Flags set by the client; for example, a client that cannot receive unicast IP datagrams before it is configured sets the broadcast flag
Client IP Address (ciaddr)         4          Filled in only when the client already has an IP address and can respond to ARP requests
Your IP Address (yiaddr)           4          The address assigned by the DHCP server to the DHCP client
Server IP Address (siaddr)         4          IP address of the next server to use in bootstrap, returned in DHCPOFFER and DHCPACK
Gateway IP Address (giaddr)        4          IP address of the DHCP relay agent, when the client boots through a relay agent
Client Hardware Address (chaddr)   16         Hardware address of the client
Server Name (sname)                64         Optional null-terminated server host name
File Name (file)                   128        Null-terminated name of the file containing the BOOTP client's boot image
DHCP Options                       Variable   Optional parameters field, which begins with the 4-octet magic cookie

Table 8.9: Fields of the IPv4 DHCP message

DHCP Starvation Attack

In a DHCP starvation attack, an attacker floods the DHCP server with DHCP requests and consumes all of the IP addresses that the server can issue. As a result, the server can issue no more addresses, which amounts to a denial-of-service (DoS) attack: valid users can neither obtain nor renew their IP addresses, so they lose network access. The attacker broadcasts DHCP requests with spoofed MAC addresses with the help of tools such as Yersinia, Hyenae, and Gobbler. Because leases are time-bound, the attacker has to keep sending requests faster than leases expire to keep the pool empty.

[Figure 8.27: DHCP starvation attack. The attacker sends many DHCP requests with different source MACs and consumes the pool 10.10.10.1 to 10.10.10.254, so a legitimate user is unable to get a valid IP address.]

DHCP Starvation Attack Tools

DHCP starvation attack tools send a large number of requests to a DHCP server, exhausting the server's address pool so that it can no longer allocate configurations to new clients.

Yersinia

Source: https://sourceforge.net

Yersinia is a network tool designed to take advantage of weaknesses in different network protocols such as DHCP. It aims to be a solid framework for analyzing and testing deployed networks and systems. As shown in the screenshot, attackers use Yersinia to perform a DHCP starvation attack on the target network.
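As an added example (not code from the module, and not from any of the tools named here), the following standard-library Python builds and parses IPv4 DHCP messages field by field according to Table 8.9: the 236-octet BOOTP fixed header, the magic cookie, and the option TLVs. It constructs the DHCPDISCOVER a client broadcasts, the kind of message a starvation tool repeats with a fresh spoofed MAC in chaddr each time, and the server's DHCPOFFER, then decodes both. The MAC address, IP addresses, transaction ID and lease time are assumed sample values.

```python
"""
Build and parse IPv4 DHCP messages field by field, following the BOOTP-derived
layout in Table 8.9. Added example; it is not code from the module and uses only
the Python standard library. The MAC and IP addresses are assumed sample values.
"""
import socket
import struct

BOOTREQUEST, BOOTREPLY = 1, 2          # op field
HTYPE_ETHERNET = 1                      # htype per IANA
BROADCAST_FLAG = 0x8000                 # flags field, most significant bit
MAGIC_COOKIE = b"\x63\x82\x53\x63"      # first four octets of the options field
OPT_REQUESTED_IP, OPT_LEASE_TIME, OPT_MSG_TYPE = 50, 51, 53
OPT_SERVER_ID, OPT_PARAM_LIST, OPT_CLIENT_ID, OPT_END = 54, 55, 61, 255
MSG_TYPES = {1: "DHCPDISCOVER", 2: "DHCPOFFER", 3: "DHCPREQUEST", 4: "DHCPDECLINE",
             5: "DHCPACK", 6: "DHCPNAK", 7: "DHCPRELEASE", 8: "DHCPINFORM"}
# op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr, chaddr, sname, file
FIXED = "!BBBBIHH4s4s4s4s16s64s128s"
FIXED_LEN = struct.calcsize(FIXED)      # 236 octets before the options field


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", "").replace("-", ""))


def build_message(op, msg_type, xid, chaddr, options=(), flags=0, ciaddr="0.0.0.0",
                  yiaddr="0.0.0.0", siaddr="0.0.0.0", giaddr="0.0.0.0"):
    """Serialize the 236-octet fixed header, the magic cookie, the option TLVs and END."""
    hw = mac_bytes(chaddr)
    fixed = struct.pack(FIXED, op, HTYPE_ETHERNET, len(hw), 0, xid, 0, flags,
                        socket.inet_aton(ciaddr), socket.inet_aton(yiaddr),
                        socket.inet_aton(siaddr), socket.inet_aton(giaddr),
                        hw.ljust(16, b"\x00"), b"\x00" * 64, b"\x00" * 128)
    opts = bytearray([OPT_MSG_TYPE, 1, msg_type])
    for code, data in options:
        opts += bytes([code, len(data)]) + data
    opts.append(OPT_END)
    return fixed + MAGIC_COOKIE + bytes(opts)


def build_discover(xid, mac):
    """DHCPDISCOVER as a client broadcasts it; a starvation tool sends these with a
    different spoofed MAC in chaddr (and usually in the Ethernet source) every time."""
    return build_message(BOOTREQUEST, 1, xid, mac, flags=BROADCAST_FLAG, options=[
        (OPT_CLIENT_ID, b"\x01" + mac_bytes(mac)),     # type 1 (Ethernet) followed by the MAC
        (OPT_PARAM_LIST, bytes([1, 3, 6, 15])),         # subnet mask, router, DNS, domain name
    ])


def build_offer(xid, mac, offered_ip, server_ip, lease_seconds):
    """DHCPOFFER from the server: yiaddr carries the offered address."""
    return build_message(BOOTREPLY, 2, xid, mac, yiaddr=offered_ip, siaddr=server_ip, options=[
        (OPT_SERVER_ID, socket.inet_aton(server_ip)),
        (OPT_LEASE_TIME, struct.pack("!I", lease_seconds)),
    ])


def parse_message(data):
    """Decode the fixed fields and option TLVs; raise ValueError on a malformed message."""
    if len(data) < FIXED_LEN + 4 or data[FIXED_LEN:FIXED_LEN + 4] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message: too short or missing magic cookie")
    (op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr,
     chaddr, sname, bootfile) = struct.unpack(FIXED, data[:FIXED_LEN])
    if not 0 < hlen <= 16:
        raise ValueError("bad hlen %d" % hlen)
    options, i = {}, FIXED_LEN + 4
    while i < len(data) and data[i] != OPT_END:
        if data[i] == 0:                                  # PAD option has no length octet
            i += 1
            continue
        if i + 2 > len(data) or i + 2 + data[i + 1] > len(data):
            raise ValueError("truncated option at offset %d" % i)
        code, length = data[i], data[i + 1]
        options[code] = data[i + 2:i + 2 + length]
        i += 2 + length
    opt53 = options.get(OPT_MSG_TYPE)
    msg_type = opt53[0] if opt53 else 0
    return {
        "op": op, "htype": htype, "hlen": hlen, "hops": hops, "xid": xid, "secs": secs,
        "broadcast": bool(flags & BROADCAST_FLAG),
        "ciaddr": socket.inet_ntoa(ciaddr), "yiaddr": socket.inet_ntoa(yiaddr),
        "siaddr": socket.inet_ntoa(siaddr), "giaddr": socket.inet_ntoa(giaddr),
        "chaddr": chaddr[:hlen].hex(":"),
        "sname": sname.split(b"\x00", 1)[0].decode(errors="replace"),
        "file": bootfile.split(b"\x00", 1)[0].decode(errors="replace"),
        "message_type": MSG_TYPES.get(msg_type, "unknown(%d)" % msg_type),
        "options": options,
    }


if __name__ == "__main__":
    xid = 0x3903F326
    for pkt in (build_discover(xid, "00:11:22:33:44:55"),
                build_offer(xid, "00:11:22:33:44:55", "10.10.10.2", "10.10.10.254", 3600)):
        d = parse_message(pkt)
        print(d["message_type"], "xid=%08x" % d["xid"], "chaddr=" + d["chaddr"], "yiaddr=" + d["yiaddr"])
```

The parser is strict about the parts an attacker controls: it refuses messages without the magic cookie, rejects an hlen outside 1 to 16 (which would otherwise index past the 16-octet chaddr field), and stops on a truncated option instead of reading past the buffer. Note that a starvation tool only needs to vary chaddr to obtain a new lease from most servers; whether it also changes the Ethernet source MAC determines whether port security sees it.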
[Figure 8.28: Screenshot of Yersinia]

Some examples of DHCP starvation attack tools are listed below:

- dhcpStarvation.py (https://github.com)
- Hyenae (https://sourceforge.net)
- dhcpstarv (https://github.com)
- Gobbler (https://sourceforge.net)
- DHCPig (https://github.com)

Rogue DHCP Server Attack

In addition to DHCP starvation attacks, an attacker can perform man-in-the-middle (MITM) attacks such as sniffing. An attacker who succeeds in exhausting the legitimate DHCP server's address space can then set up a rogue DHCP server on the network, outside the network administrator's control. The rogue server impersonates a legitimate server and offers IP addresses and other network information to clients, naming itself as the default gateway. Clients that accept addresses from the rogue server become victims of MITM and other attacks, because packets forwarded from a client now reach the rogue server first.

In a rogue DHCP server attack, the attacker introduces a rogue server into the network that responds to clients' DHCP discovery requests. Both the rogue and the real DHCP server respond, but a client accepts the first offer it receives; if the rogue server responds earlier than the real one, the client takes the rogue offer (after a starvation attack this is certain, since the real server has nothing left to offer). The information provided by the rogue server can disrupt the client's network access, causing a DoS, or the rogue server's response can assign the attacker's IP address as the client's default gateway, so that all the client's traffic is delivered to the attacker.
The attacker then captures all the traffic and forwards it to the real default gateway, so the client sees everything working correctly. This type of attack is difficult for the client to detect for long periods. The rogue server can also hand out an attacker-controlled DNS server and so direct the client to fake websites in an attempt to harvest credentials. To mitigate a rogue DHCP server attack, configure every interface that does not lead to the legitimate DHCP server as untrusted; the switch then blocks all incoming DHCP server messages on those interfaces.

[Figure 8.29: Rogue DHCP server attack. The attacker runs a rogue DHCP server alongside the legitimate one; the client accepts the rogue offer, which names the attacker's address as the gateway.]

DHCP Attack Tools

Some additional DHCP attack tools are listed below:

- mitm6 (https://github.com)
- DHCPwn (https://github.com)
- DHCPig (https://github.com)

How to Defend Against DHCP Starvation and Rogue Server Attacks

Defend Against DHCP Starvation

Enable port security to defend against a DHCP starvation attack. Port security limits the number of MAC addresses that may be learned on a switch port. When the limit is exceeded, the switch drops frames from any further source MAC address on that port, which stops an attacker from generating DHCP requests from many spoofed source MACs and thereby protects the server against a DHCP starvation attack. Note that port security only sees the Ethernet source address: a tool that varies only the chaddr field inside the DHCP message passes through, which is why DHCP snooping's MAC address verification is also needed.

[Figure 8.30: Defending against a DHCP starvation attack]

Internetwork Operating System (IOS) Switch Commands

Source: https://www.cisco.com

switchport port-security
The switchport port-security command configures the switch port parameters
to enable port security on the interface.

switchport port-security maximum 1
The switchport port-security maximum command configures the maximum number of secure MAC addresses for the port. switchport port-security maximum 1 sets that limit to one address.

switchport port-security violation restrict
The switchport port-security violation command sets the violation mode and the action to take when a security violation is detected. switchport port-security violation restrict drops packets with unknown source addresses, and counts the violations, until enough secure MAC addresses are removed to bring the port below its maximum.

switchport port-security aging time 2
The switchport port-security aging time command configures the aging time of secure MAC addresses on the port. switchport port-security aging time 2 sets the aging time to 2 minutes.

switchport port-security aging type inactivity
The switchport port-security aging type command configures the aging type of secure MAC addresses on the port. switchport port-security aging type inactivity ages addresses out after a period of inactivity rather than after a fixed time.

switchport port-security mac-address sticky
This command enables sticky learning on the interface. When sticky learning is enabled, the interface adds all dynamically learned secure MAC addresses to the running configuration and converts them to sticky secure MAC addresses, which are retained until removed (and survive a reload if the configuration is saved).

Defend Against Rogue Server Attack

The DHCP snooping feature available on switches can mitigate rogue DHCP servers. The port on which the valid DHCP server is connected is configured as trusted. Once configured, DHCP snooping does not allow any other (untrusted) port on the switch to respond to the DHCP Discover packets sent by clients.
Thus, even an attacker who manages to build a rogue DHCP server and connect it to the switch cannot respond to DHCP Discover packets.

[Figure 8.31: Defending against a rogue server attack. With DHCP snooping enabled, the DHCP server's port is trusted and the attacker's and users' ports are untrusted.]

IOS Global Commands

Source: https://www.cisco.com

Steps to configure DHCP snooping:

1. ip dhcp snooping
   Enables DHCP snooping globally.
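The following is an added example, not code from the module or from any switch vendor: a model of what DHCP snooping does on the switch, run over constructed DHCP message records. Server messages (OFFER, ACK, NAK) arriving on untrusted ports are dropped, which is the rogue server defense; a client message whose chaddr does not match the frame's source MAC is dropped, which catches starvation tools that spoof only the DHCP field; an untrusted port that exceeds a per-second client packet limit is err-disabled, which is how the starvation burst is stopped; and a binding table is built from ACKs seen on the trusted port. The port names, the 15 packets per second limit, the MAC and IP addresses and the message records are assumptions for the demonstration (on Cisco IOS the server-facing interface is marked trusted with ip dhcp snooping trust, a step not shown in the truncated list above).

```python
"""
Model of switch-side DHCP snooping with a per-port client rate limit, run over
constructed DHCP message records. Added example; not code from the module or from
any vendor. Port names, the 15 packets/second limit, the MAC and IP addresses and
the message records are all assumed for the demonstration.
"""
from collections import defaultdict

SERVER_MESSAGES = {"DHCPOFFER", "DHCPACK", "DHCPNAK"}


class DhcpSnooping:
    def __init__(self, trusted_ports, rate_limit_pps=15):
        self.trusted = set(trusted_ports)       # only the port(s) leading to the real server
        self.rate_limit = rate_limit_pps        # client DHCP packets per second per untrusted port
        self.bindings = {}                      # chaddr -> (ip, client port): the snooping binding table
        self.err_disabled = set()
        self._client_port = {}                  # chaddr -> untrusted port it was last seen on
        self._counts = defaultdict(int)         # (port, second) -> client packets seen

    def handle(self, msg):
        """Return 'forward' or a 'drop: ...' reason for one DHCP message record."""
        port = msg["port"]
        if port in self.err_disabled:
            return "drop: port err-disabled"
        if port in self.trusted:
            if msg["type"] == "DHCPACK":        # learn bindings only from the trusted server
                self.bindings[msg["chaddr"]] = (msg["yiaddr"], self._client_port.get(msg["chaddr"]))
            return "forward"
        # Everything below applies to untrusted (client-facing) ports.
        if msg["type"] in SERVER_MESSAGES:
            return "drop: server message on untrusted port (rogue DHCP server)"
        if msg["chaddr"] != msg["src_mac"]:     # the MAC address verification check
            return "drop: chaddr does not match the frame's source MAC"
        bucket = (port, int(msg["time"]))
        self._counts[bucket] += 1
        if self._counts[bucket] > self.rate_limit:
            self.err_disabled.add(port)
            return "drop: rate limit exceeded, port err-disabled (starvation)"
        self._client_port[msg["chaddr"]] = port
        return "forward"


def run_demo():
    """Feed constructed traffic through the model; return (decisions, bindings, err-disabled ports)."""
    sn = DhcpSnooping(trusted_ports={"Gi1/24"}, rate_limit_pps=15)
    client, server, rogue = "00:11:22:33:44:55", "00:50:56:aa:bb:cc", "de:ad:be:ef:00:05"
    events = [
        dict(time=0.0, port="Gi1/1",  type="DHCPDISCOVER", chaddr=client, src_mac=client),
        dict(time=0.1, port="Gi1/5",  type="DHCPOFFER",    chaddr=client, src_mac=rogue,  yiaddr="10.10.10.200"),
        dict(time=0.2, port="Gi1/24", type="DHCPOFFER",    chaddr=client, src_mac=server, yiaddr="10.10.10.2"),
        dict(time=0.3, port="Gi1/1",  type="DHCPREQUEST",  chaddr=client, src_mac=client),
        dict(time=0.4, port="Gi1/24", type="DHCPACK",      chaddr=client, src_mac=server, yiaddr="10.10.10.2"),
        # Starvation tool that spoofs only the chaddr field, not the Ethernet source.
        dict(time=1.0, port="Gi1/7",  type="DHCPDISCOVER", chaddr="02:00:00:00:00:01", src_mac="aa:aa:aa:aa:aa:07"),
    ]
    # Starvation burst: 20 DISCOVERs within one second, a fresh MAC in both places each time.
    events += [dict(time=2.0 + i / 100, port="Gi1/7", type="DHCPDISCOVER",
                    chaddr="02:00:00:00:01:%02x" % i, src_mac="02:00:00:00:01:%02x" % i)
               for i in range(20)]
    decisions = [(e["port"], e["type"], sn.handle(e)) for e in events]
    return decisions, sn.bindings, sn.err_disabled


if __name__ == "__main__":
    decisions, bindings, disabled = run_demo()
    for port, kind, verdict in decisions:
        print("%-7s %-13s %s" % (port, kind, verdict))
    print("bindings:", bindings, "err-disabled:", sorted(disabled))
```

Running the demo shows the rogue OFFER on Gi1/5 dropped, the legitimate exchange on Gi1/1 and Gi1/24 forwarded and recorded as a binding, the chaddr-only spoof dropped by the verification check, and the burst on Gi1/7 cut off after 15 packets with the port err-disabled. The binding table is the input for the related protections (dynamic ARP inspection and IP source guard), which is why only ACKs from the trusted port may populate it.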
