Category: Common Layer 2 Attacks

BPDU Guard, Root Guard + Port Security

layer2

I’m still using the topology above. I am going to setup the following security measures BPDU Guard, Root Guard and Port Security and use the Kali Linux box in my topology to launch attacks FUN TIMES!

BPDU Guard

So BPDU Guard is used to protect the switch from an attacker that connects into the network via a switch port. Host port (Access port) shouldn’t send in BPDU messages into the switch. Once you enable BPDU Guard on an access port and a BPDU message is received on that port the switch will disable the port. This could prevent manipulation of your current STP topology.

bpduguardconf

The port was already configured as an access port on VLAN 10. I have R1 acting as a DHCP Server handing out IP addresses in the 10.1.10.0/24 range so the Kali Linux machine got the IP address of 10.1.10.2.

To enable BPDU it is straight forward using the command #spanning-tree bpduguard enable

Now that BPDU Guard is enabled it is time to send in BPDU messages on the access port Gi1/1.

On the Kali Linux machine I’m using an attack tool called Yersinia. I used the interactive option which is:

root@kali:~# yersinia -I

bpduattack

I know I’m not showing much in the screen above but the second line in the output is the BPDU packet getting sent into the access port of the switch which results in the port getting shutdown.

bpduerrport

Before I sent the BPDU packet in on Access port Gi1/1 I checked the status of the interface and you can see that it is connected meaning it’s up and on VLAN 10.

Next, the BPDU is sent on Gi1/1 from the Kali Linux machine causing the port to go err-disabled and it was shutdown automatically by the switch as you can see from the second interface status command.

To get the port back up you have to bring it back up manually (there is a way to do it automatically which I will show later). You need to go into the interface do a shutdown followed by a no shutdown, doing just a no shutdown will NOT bring it back up.

bpduportup

So as you can see I just did a no shutdown first and the port didn’t come back up, but after doing a shutdown followed by a no shutdown the port came back up.

As I mentioned above you can have the switch automatically bring the port back up after a period of time with no BPDU violations.

Enter the commands below in global configuration to enable errdisable recovery for BPDU Guard.

errdisablebpduconfig

I’ll launch another attack on that port and let us see the port go down and back up automatically.

bpduautorecov

As you can see (just about) that the port went down at 20:35:01 due to a BPDU Guard violation and 30 seconds later the port came back up at 20:35:31.

Root Guard

I have removed BPDU Guard from interface Gi1/1 and now I’m going to configure Root Guard. Root Guard is useful if you have your switch connected to another switch you do not manage or have no control over, to prevent it claiming root for STP and causing problems with your STP topology or you may have a less powerful switch in your topology and you never want that less powerful switch becoming the root switch.

rootguard

Go into the interface that is connected to the other switch in my case I am configuring it on the port that is connected to the Kali Linux machine so I can run an attack to try and claim that I am the root switch. Once I run the attack you can see that the switch puts the port in blocking mode.

rootblocking

The port is now in blocking mode. The port will unblock once the attack or the switch stops trying to claim that it’s the root switch.

Port Security

How many MAC addresses should a switch port have? One for the host that is connected to it? What about if that same user has an IP Phone? We might see two MAC addresses on that port. However, you do not want hundreds of MAC addresses on any given switch port and the main reason for that is the switch can only hold so many MAC addresses in its CAM table. If a switch is overloaded with too many MAC addresses than what it can’t hold in its CAM Table memory will be broadcast to all ports in the switch because it can’t add the MAC port mapping to its CAM table anymore.

This is where port security comes into play. We can use port security to restrict the number of MAC addresses allowed on a switch port. For example, if you set the limit to 2 MAC addresses and a 3rd MAC address showed up on that port the switch could shut the port down in doing so it is protecting itself from an attack such as the CAM table overflow attack where an attacker floods the switch with spoofed MAC addresses and filling up the CAM tables memory.

Before putting on port security on my access port I’m going to run a CAM table overflow attack using my Kali Linux machine and a tool called macof. This will send in thousands of spoofed MAC addresses and cause the CAM table to fill up.

mactable

At the moment I don’t have a lot of MAC addresses in my MAC table. Running the #show mac address-table count command shows me that I have one MAC addresses in VLAN 1 and another in VLAN 10.

I’ll now log into the Kali Linux machine and run the macof attack.

kalimacof

This is a screenshot of the macof attack in progress sending thousands of spoofed MAC addresses into the switch. My switch started to complain straight away about CPU load which isn’t surprising since I am running all of the nodes in VM as it is.

mactablefull

As you can see the number of MAC addresses on VLAN 10 is now at 11983 and I only ran the command for a few seconds as my switch wasn’t responding due to high CPU. This just shows how easy it is to cause damage to a network running a simple attack.

I’m going to configure port security on port Gi1/1 so it will shut the port down after it receives more than 5 MAC addresses. Again just like BPDU Guard you can configure the switch to automatically bring the port back up after a period of time, 30 seconds is the default and minimum time you can set the errdisable recovery command to.

portsec2

Above shows how to configure port-security and setting the max allowed mac addresses to 5. Also, I set the port to shutdown if a violation happens. You can set a violation to take different actions depending on how you configure it. They are: Protect, Restrict or Shutdown.

Also included in the printout above is the current state of the ports with port-security configured on them. There is a mac address on each port and both of the max allowed set to 5 and there are no violations at the moment and lastly what action should be taken if a violation is triggered and that is to shutdown the port.

Time to run macof again and see what happens!

portsecdown

As you can see that port-security detected the attack and shutdown the port!

ARP Poisoning/Snooping Attack

ARP

First of all a quick review of ARP and what it is used for in networking is a good place to start. ARP stands for Address Resolution Protocol and it is used to map IP addresses to MAC addresses so data can be delivered to the correct host. An IP address on its own can’t do the job. MAC addresses are used to deliver the IP packets on the network. But what happens if a host, for example host A wants to send a packet to host B, host A knows the IP address of host B but does not know what his MAC address is, without this the packet will never get delivered. ARP steps in. To find out the MAC address of host B, host A will send an ARP request with the IP Address of host B asking who has IP Address 10.1.1.1, this is broadcast out onto the network, all hosts will see this messages as it is a broadcast message. However host B will be the only one to respond to the message by sending a unicast message back to host A saying basically I’m host B, in the reply will be host B’s MAC address now host A has all the information it needs to send the packet on its way. The next time that host A or host B needs to send packets to each other they wont have to use ARP they will use their arp cache that is stored locally. The cache stores the IP address to MAC address mappings.

ARP Poisoning

arppoisoning

In the diagram above we have a simply network topology. Local LAN with some PCs and a Router to get off the local network out towards the Internet.

In normal operation the ARP table on the hosts would look like this.

IP ADD                   MAC ADD              PORT

192.168.1.1            AA:AA                    Fa0/0

192.168.1.2           BB:BB                     Fa0/1

192.168.1.254       CC:CC                    Fa0/2

So if PCB wanted to get out onto the internet to the web server it would have Destination IP address of the web server 200.1.1.1 and the MAC address of the default gateway CC:CC it would get this information from its ARP address table shown above.

But if an attacker wanted to launch a Man In The Middle attack to look at the information flowing between the web server and PCB it could use a technique called ARP poisoning. So how does this work. The attacker would spoof the MAC address for PCB and the Default Gateway using Gratuitous ARP by sending out a message saying if you need to get to 192.168.1.2 use AA:AA he would do the same with 192.168.1.254.

IP ADD                   MAC ADD              PORT

192.168.1.1            AA:AA                    Fa0/0

192.168.1.2           AA:AA                     Fa0/1

192.168.1.254       AA:AA                    Fa0/2

Now when PCB wants to communicate with the web server it will look at its ARP cache table and put in the MAC address of PCA in its packet due to the attacker poisoning the ARP tables on the network. PCB wouldn’t be aware that its ARP table was poisoned.

arp

Now the Attacker can sniff all the traffic going to and from the web server. To make sure that PCB does not suspect anything is up the attacker will send on the traffic to the web server after he sniffs it and he will also do the same for the return traffic. This way PCB will never know there is a Man In The Middle attack going on. In my next post I will show you how to mitigate this attack.

4.4.g DHCP Spoofing

When a host connects to a network it will send a ‘DHCP Discovery’ message (Broadcast) asking for an IP address. The DHCP server on the network will receive this message and respond with a ‘DHCP Offer’ the host will receive this message and in return will send back a ‘DHCP Request’ which basically tells the DHCP server that it is happy with the IP address it has been offered, finally the server with send back a ‘DHCP Ack’ telling the host ok its all yours.

So as you may have noticed there are 4 DHCP messages used here. A good way to remember them is using an image of DORA The Explorer. There are 2 server and 2 client (host) messages.

  • DHCP Discovery (client/host)
  • DHCP Offer (DHCP server)
  • DHCP Request (client/host)
  • DHCP Ack (DHCP server)

DHCP Spoofing

DHCP spoofing is where an attacker adds a rogue DHCP server to the network. As part of the attack they will also launch a DHCP starvation attack.  A DHCP starvation attack works by broadcasting DHCP requests with spoofed MAC addresses. This is easily achieved with attack tools such as “the gobbler”. If enough requests are sent, the network attacker can exhaust the address space available to the DHCP servers.

The next step is to make the rogue DHCP available on the network to hand out new IP addresses, default gateway and DNS configuration from a different subnet range. Client devices will get an IP address from this range along with a default gateway pointing to the rogue DHCP server. If a client needs to get off its local subnet it will send the traffic to the default gateway in this case the rogue DHCP server, we now have what is known as a MITM (Man In The Middle). Because the attacker is so nice he or she will forward the request onto the correct default gateway so the clients traffic can get to where it needs to and the client will never know someone has carried out a Man In The Middle attack using DHCP Spoofing.

DHCP Snooping

What can be done to stop this attack from being successful? We can enable a feature called DHCP Snooping on our switch. This puts all switch ports into Untrusted mode. When a port is in this state it blocks the server DHCP messages from being allowed on the port (DHCP Offer, DHCP Ack). This will stop an attacker that is running software that acts as a DHCP server on their computer from successfully sending DHCP server messages on the network. To allow the real DHCP server reply to DHCP Discovery messages we make the port that the real DHCP is on a ‘Trusted port’. This port is allowed to pass ALL DHCP messages on it.

Enable DHCP Snooping

To enable DHCP Snooping on a switch use the following commands.

#ip dhcp snooping (globally)

Remember by default all ports become untrusted ports. So to allow the real DHCP server in your network respond to DHCP Discovery messages you must make the port a trusted port.

#interface fa0/1

#ip dhcp snooping trust

You also have to set it on your VLANs

#ip dhcp snooping vlan 1,3,5

One thing to note is if you have multiple switches in your network connected via trunk ports so for example SW1 is an access switch and SW2 is core switch which has the DHCP server on it you need to set the trunk port on the access switch to a trusted port to allow the DHCP messages across that link.

 

 

4.4.d CAM Table overflow

The CAM Table is the same as the MAC Address Table and stands for Content Addressable Memory. The CAM/MAC address table is responsible for storing MAC addresses and what port that MAC address is reachable on.

So what is a CAM table overflow attack? An attacker that gains access to a switch via a wall jack for example could easily run a tool such as ‘macof’ which floods the switch with spoofed MAC addresses. The CAM table can only hold so many addresses in its memory, once that limit has been reached any new frames that come into the switch will be flooded to all ports as the switch can’t process it in the CAM table. This will now allow the attacker to sniff the traffic using a tool like wireshark.

So how do we mitigate this attack and stop it from being successful? We can use Port Security.

Port Security

What can port security do to help us stop the CAM table from getting overloaded with bogus MAC addresses. Port security limits the number of MAC addresses that are allowed on a switch port. When you enable port security the default limit is 1 MAC address allowed on a port. If a second MAC address comes in on that port that is different from what the switch has previously learnt the port is shutdown, this is the default action but this can be changed.

The different actions that can be set are:

  • Protect – In this mode frames are dropped if the number of mac addresses is over the limit, no syslogs, SNMP or alarms are raised, it is silent and you would never know an attack was underway.
  • Restrict – In this mode frames are also dropped but syslogs and SNMP messages are sent to warn us that this is occurring.
  • Shutdown (Port) – In this mode the port is shutdown when an attack is detected
  • Shutdown (VLAN) – In this mode the VLAN that the port is part of is shutdown when an attack is detected.

Configuring Port Security

To implement port security on a switch port you first need to set the port to an access port manually, it can’t be a dynamically learnt port.

#interface FastEthernet0/2

#switchport mode access

Enable port security

#switchport port-security

You can also set the max mac address to a different value to the default which is 1.     

#switchport port-security maximum <1-132>

There are 3 different ways you can set the switch to learn the MAC addresses on a port using port security.

  • Dynamic – MAC addresses are learnt dynamically but are lost if a switch reboots
  • Static – Add a MAC address manually to the configuration
  • Sticky – Dynamically learn MAC addresses which can be saved in the running configuration and dont have to be learnt after a switch reboot.

Setting it to sticky is shown below

#switchport port-security mac-address sticky

If you want to change the default action taken when a violation is detected you can set it to one of the following using the violation command.

#switchport port-security violation <protect, restrict, shutdown (port/vlan)>

If a security violation occurs and the port is shutdown the administrator has to go into the interface that is shutdown and use the shutdown and no shutdown command, simply issuing the no shutdown command on its own will not return the port to an UP state. You can also use errdisable recovery to bring the port back up after a certain time, this will save you getting a call in the early hours of the morning to remotely access your network and bring the port back up manually.