Oconnor Data Rev4


  • 7/30/2019 Oconnor Data Rev4

    1/15

    SANS Technology Institute - Candidate for Master of Science Degree

    Detecting and Responding to DataLink Layer Attacks With Scapy

    TJ O'Connor, September 2011

    GIAC (GSE, GSEC, GCFW, GCIA, GCIH, GCFA, GREM, GPEN, GWAPT, GCFE)


    The Hotel Area Network Dilemma

    About a year ago, sitting in a hotel room in Washington D.C.: the free wireless Internet starts working intermittently, and users start complaining of Facebook posts they didn't make.

    Fire up the IDS toolkit. The IDS doesn't see anything happening at Layer 3, and the IPS isn't seeing any attacks against the hotel either.

    What's happening? The attacks are below the layer the sensors inspect. As incident responders, we need the ability to quickly write tools to parse the data in front of us, in this case Layer 2 traffic.


    CAM-Table Exhaustion Attack

    The CAM table maintains a list of switch ports and the destination MAC addresses learned on each port.

    Overloading the switch with CAM table entries overflows that memory. The switch no longer knows how to deliver frames based on MAC-to-port bindings, and falls back to flooding unknown-destination frames out every port, where the attacker can sniff them.

    (Figure: a stream of frames, each with a fresh source address: ETH.SRC = AA:AA:AA:AA:AA:AA, AA:AA:AA:AA:AA:AB, AA:AA:AA:AA:AA:AC, AA:AA:AA:AA:AA:AD, AA:AA:AA:AA:AA:AE, ...)


    Cam-Table Exhaustion Attack

    import datetime
    from scapy.all import Ether, IP, sniff

    interface = "eth0"   # interface to monitor
    THRESH = 100         # new source MACs per second that indicates a flood
    hwList = []          # distinct source MACs seen so far
    start = datetime.datetime.now()

    def monitorPackets(p):
        if p.haslayer(IP):
            hwSrc = p.getlayer(Ether).src
            if hwSrc not in hwList:
                hwList.append(hwSrc)
                # Rate of new MACs since capture began; clamp the divisor so the
                # first second of capture does not raise ZeroDivisionError
                delta = max((datetime.datetime.now() - start).total_seconds(), 1)
                if len(hwList) / delta > THRESH:
                    print("[*] - Detected CAM Table Attack.")

    sniff(iface=interface, prn=monitorPackets)
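The deck's detector divides the lifetime count of MACs by the lifetime of the capture, so a long-running sensor becomes less sensitive the longer it runs. The following is an added example, not O'Connor's code and not Scapy: it keeps the same idea (the rate of *new* source MACs is the signal) but counts first sightings in a trailing window, ignores repeat frames from known hosts, and runs on a constructed list of (timestamp, source MAC) pairs instead of a live interface. `CamFloodDetector`, `run` and `sample_frames` are names chosen for this example.

```python
"""Sliding-window detector for CAM table exhaustion (added example, not the deck's code).

A switch learns one CAM entry per distinct source MAC. A flood tool emits
thousands of random source MACs per second, so the rate of *new* MACs is the
signal; the total frame rate is not.
"""
from collections import deque


class CamFloodDetector:
    """Count distinct new source MACs inside a trailing window of `window_s` seconds."""

    def __init__(self, window_s=1.0, thresh=50):
        self.window_s = window_s
        self.thresh = thresh          # new MACs per window that counts as a flood
        self.seen = set()             # every source MAC learned so far
        self.recent = deque()         # (timestamp, mac) for MACs first seen recently

    def feed(self, ts, src_mac):
        """Return True if this frame pushes the new-MAC rate over the threshold."""
        mac = src_mac.lower()
        if mac in self.seen:
            return False              # known host: no new CAM entry needed
        self.seen.add(mac)
        self.recent.append((ts, mac))
        # Drop first-sightings that have aged out of the window
        while self.recent and ts - self.recent[0][0] > self.window_s:
            self.recent.popleft()
        return len(self.recent) > self.thresh


def run(frames, window_s=1.0, thresh=50):
    """frames: iterable of (timestamp_seconds, src_mac). Returns the alerting timestamps."""
    det = CamFloodDetector(window_s, thresh)
    return [ts for ts, mac in frames if det.feed(ts, mac)]


def sample_frames():
    """Constructed traffic: 5 real hosts chatting for 10 s, then 300 spoofed MACs in 0.3 s."""
    hosts = ["00:11:22:33:44:%02x" % i for i in range(5)]
    quiet = [(t * 0.1, hosts[t % 5]) for t in range(100)]
    flood = [(10.0 + i * 0.001, "aa:aa:aa:aa:%02x:%02x" % (i >> 8, i & 0xff))
             for i in range(300)]
    return quiet + flood


if __name__ == "__main__":
    alerts = run(sample_frames())
    print("first alert at t=%.3f, %d alerting frames" % (alerts[0], len(alerts)))
```

With a 50-per-second threshold the five legitimate hosts never trigger, and the flood is flagged on its 51st new address, about 50 ms after it starts; the window makes the sensitivity independent of how long the sensor has been up.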


    ARP Spoofing

    ARP translates layer 3 (IP) addresses to layer 2 (MAC) addresses.

    Clients maintain their own ARP tables of these logical-to-physical bindings.

    But anyone can broadcast a gratuitous ARP, and client tables are updated with no authentication of the sender.

    (Figure: hosts A and B with attacker C between them. C tells A "B's IP ADDR is located at HW ADDR for C" and tells B "A's IP ADDR is located at HW ADDR for C", so traffic between A and B now passes through C.)


    Arp Spoofing

    from scapy.all import ARP, sniff

    interface = "eth0"
    hwTable = {}   # IP address -> hardware address learned from ARP replies

    def monitorPackets(p):
        global hwTable
        if p.haslayer(ARP) and p.getlayer(ARP).op == 2:   # op 2 = is-at (reply)
            hwSrc = p.getlayer(ARP).hwsrc
            ipSrc = p.getlayer(ARP).psrc
            if ipSrc in hwTable:
                if hwSrc != hwTable[ipSrc]:
                    print("[*] - Conflict for IP: " + ipSrc)
            # As on the slide, the newest binding replaces the old one, so after
            # a conflict the spoofed address becomes the baseline
            hwTable[ipSrc] = hwSrc

    sniff(iface=interface, filter="arp", prn=monitorPackets)
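The slide's monitor only learns from replies and overwrites the table on every packet, so the first spoofed reply is reported once and then trusted. The following is an added example, not O'Connor's code: it parses raw Ethernet/IPv4 ARP payloads with the standard library (no Scapy), learns sender bindings from requests as well as replies, keeps the first binding it saw (or a pre-seeded static one for the gateway), and labels a gratuitous reply separately because that is the classic poisoning packet. The packets in `sample_alerts` are constructed for the example; `ArpSpoofDetector`, `parse_arp` and `build_arp` are names chosen here.

```python
"""ARP spoof detector over raw ARP payloads (added example, not the deck's code)."""
import struct
from ipaddress import ip_address

ARP_FMT = "!HHBBH6s4s6s4s"     # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
OP_REQUEST, OP_REPLY = 1, 2


def mac_str(b):
    return ":".join("%02x" % x for x in b)


def parse_arp(payload):
    """Parse the 28-byte Ethernet/IPv4 ARP payload that follows the Ethernet header."""
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(ARP_FMT, payload[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    return {"op": op, "sha": mac_str(sha), "spa": str(ip_address(spa)),
            "tha": mac_str(tha), "tpa": str(ip_address(tpa))}


def build_arp(op, sha, spa, tha, tpa):
    """Constructed test packets only; on a real network these come off the wire."""
    to_mac = lambda s: bytes(int(x, 16) for x in s.split(":"))
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op, to_mac(sha),
                       ip_address(spa).packed, to_mac(tha), ip_address(tpa).packed)


class ArpSpoofDetector:
    def __init__(self, static=None):
        # Pre-seeded bindings (e.g. the gateway) are trusted and never relearned
        self.table = {ip: mac.lower() for ip, mac in (static or {}).items()}

    def feed(self, payload):
        """Return an alert string, or None if the packet agrees with the table."""
        a = parse_arp(payload)
        ip, mac = a["spa"], a["sha"].lower()
        if ip == "0.0.0.0":            # ARP probe (RFC 5227): sender has no address yet
            return None
        known = self.table.get(ip)
        if known is None:
            self.table[ip] = mac       # first sighting wins; never overwritten later
            return None
        if known == mac:
            return None
        if a["op"] == OP_REPLY:
            kind = "gratuitous reply" if a["spa"] == a["tpa"] else "reply"
        else:
            kind = "request"
        return "[*] - Conflict for IP %s: table %s, %s claims %s" % (ip, known, kind, mac)


def sample_alerts():
    """Constructed exchange: victim and gateway talk, then an attacker poisons both ways."""
    gw, victim, attacker = "00:00:5e:00:01:01", "00:11:22:33:44:55", "de:ad:be:ef:00:01"
    det = ArpSpoofDetector(static={"192.168.1.1": gw})
    pkts = [
        build_arp(OP_REQUEST, victim, "192.168.1.10", "00:00:00:00:00:00", "192.168.1.1"),
        build_arp(OP_REPLY, gw, "192.168.1.1", victim, "192.168.1.10"),
        # attacker tells the victim "gateway is at attacker MAC"
        build_arp(OP_REPLY, attacker, "192.168.1.1", victim, "192.168.1.10"),
        # attacker tells everyone "victim is at attacker MAC" with a gratuitous reply
        build_arp(OP_REPLY, attacker, "192.168.1.10", "ff:ff:ff:ff:ff:ff", "192.168.1.10"),
        build_arp(OP_REQUEST, victim, "192.168.1.10", "00:00:00:00:00:00", "192.168.1.1"),
    ]
    return [det.feed(p) for p in pkts]


if __name__ == "__main__":
    for line in sample_alerts():
        print(line)
```

Because the table keeps the first binding, the victim's own request after the poisoning still matches and is not reported, while every further spoofed reply keeps being flagged for as long as the attacker sends them.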


    DHCP Starvation Attack

    Dynamic IP addresses are leased from a DHCP server after a request by a client. The lease allows the client to use the specified address for a period of time.

    By sending a DHCP request for every address in the pool (254 requests for a /24), each from a different spoofed client MAC, a DHCP starvation attack exhausts the pool and prevents any new clients from joining. The usual follow-up is a rogue DHCP server that hands the stranded clients an attacker-controlled gateway and DNS.

    (Figure: DHCP Request, DHCP Request, DHCP Request, ... until a DHCP Request fails: no addresses available.)


    DHCP Starvation Attack

    from scapy.all import BOOTP, sniff

    interface = "eth0"
    reqCnt = 0   # BOOTP op 1 (BOOTREQUEST): DISCOVER/REQUEST sent by clients
    ofrCnt = 0   # BOOTP op 2 (BOOTREPLY): OFFER/ACK/NAK sent by the server

    def monitorPackets(p):
        global reqCnt, ofrCnt
        if p.haslayer(BOOTP):
            opCode = p.getlayer(BOOTP).op
            if opCode == 1:
                reqCnt = reqCnt + 1
            elif opCode == 2:
                ofrCnt = ofrCnt + 1
            # A healthy network shows roughly one reply per request; a flood of
            # requests with few replies means the pool is being drained
            print("[*] - " + str(reqCnt) + " Requests.")
            print("[*] - " + str(ofrCnt) + " Replies (offers/acks).")

    sniff(iface=interface, filter="udp and (port 67 or port 68)", prn=monitorPackets)
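The BOOTP `op` byte only distinguishes request from reply; the actual DHCP message type (DISCOVER, OFFER, REQUEST, ACK, ...) is in option 53, and a starvation tool has to spend a fresh client MAC (`chaddr`) per lease it hoards. The following is an added example, not O'Connor's code: it parses the BOOTP header and option list with the standard library (no Scapy), counts each DHCP message type separately, and alerts once more distinct clients have asked for leases than the pool can hold. The packets in `sample_run` are constructed; `parse_dhcp`, `build_dhcp` and `DhcpStarvationDetector` are names chosen for this example, and the pool size is an assumed configuration value.

```python
"""DHCP starvation detector from message type and client count (added example, not the deck's code)."""
import struct

BOOTP_FMT = "!BBBBIHH4s4s4s4s16s64s128s"   # fixed 236-byte BOOTP header
MAGIC = b"\x63\x82\x53\x63"                 # DHCP magic cookie that precedes the options
MSG = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE", 5: "ACK", 6: "NAK", 7: "RELEASE"}


def parse_dhcp(data):
    """Return (op, chaddr, message_type); raise ValueError on malformed input."""
    hdr = struct.unpack(BOOTP_FMT, data[:236])
    op, hlen, chaddr = hdr[0], hdr[2], hdr[11][:hdr[2]]
    if data[236:240] != MAGIC:
        raise ValueError("no DHCP magic cookie")
    i, mtype = 240, None
    while i < len(data):                  # walk the TLV option list
        code = data[i]
        if code == 255:                   # end option
            break
        if code == 0:                     # pad option has no length byte
            i += 1
            continue
        length = data[i + 1]
        if code == 53 and length == 1:    # DHCP message type
            mtype = data[i + 2]
        i += 2 + length
    if mtype is None:
        raise ValueError("no DHCP message type option")
    return op, ":".join("%02x" % b for b in chaddr), mtype


def build_dhcp(op, chaddr, mtype, xid=0x1234):
    """Constructed packets for the example; real ones arrive on UDP 67/68."""
    mac = bytes(int(x, 16) for x in chaddr.split(":"))
    hdr = struct.pack(BOOTP_FMT, op, 1, 6, 0, xid, 0, 0x8000,
                      b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                      mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    return hdr + MAGIC + bytes([53, 1, mtype, 255])


class DhcpStarvationDetector:
    def __init__(self, pool_size):
        self.pool_size = pool_size        # assumed size of the server's lease pool
        self.counts = {name: 0 for name in MSG.values()}
        self.clients = set()              # distinct chaddr values that asked for a lease

    def feed(self, data):
        """Return True once more distinct clients requested leases than the pool holds."""
        op, chaddr, mtype = parse_dhcp(data)
        name = MSG.get(mtype, "OTHER")
        self.counts[name] = self.counts.get(name, 0) + 1
        if op == 1 and mtype in (1, 3):   # client DISCOVER or REQUEST
            self.clients.add(chaddr)
        return len(self.clients) > self.pool_size


def sample_run(pool_size=10):
    """Two legitimate clients complete DORA, then a starvation tool burns 12 MACs."""
    det = DhcpStarvationDetector(pool_size)
    pkts = []
    for mac in ("00:11:22:33:44:01", "00:11:22:33:44:02"):
        pkts += [build_dhcp(1, mac, 1), build_dhcp(2, mac, 2),
                 build_dhcp(1, mac, 3), build_dhcp(2, mac, 5)]
    for i in range(12):
        pkts.append(build_dhcp(1, "de:ad:be:ef:00:%02x" % i, 1))
    alerts = [i for i, p in enumerate(pkts) if det.feed(p)]
    return alerts, det.counts, len(det.clients)


if __name__ == "__main__":
    alerts, counts, n = sample_run()
    print("distinct requesting clients:", n, {k: v for k, v in counts.items() if v})
    print("first alert at packet index", alerts[0] if alerts else None)
```

Counting distinct `chaddr` values rather than raw request packets matters: a single misbehaving client retransmitting DISCOVERs produces many requests but only one pool entry, while the starvation tool produces one request per address it takes.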


    CTS/RTS Wireless Attack

    Request-to-send (RTS) and clear-to-send (CTS) are layer 2 unencrypted, unauthenticated control frames used to prevent wireless collisions.

    A client wishing to send traffic transmits an RTS. If the medium is clear, the destination responds with a CTS. Everybody else who hears the CTS backs off for the duration it advertises, so an attacker who forges a stream of CTS frames with a large duration field silences every station in range.


    CTS/RTS Wireless Attack

    import datetime
    from scapy.all import Dot11, sniff

    interface = "mon0"   # monitor-mode interface
    THRESH = 100         # RTS or CTS frames per second that indicates a flood
    rtsCNT = 0
    ctsCNT = 0
    start = datetime.datetime.now()

    def monitorPackets(p):
        global rtsCNT, ctsCNT
        # Check the type as well as the subtype: subtype 12 is CTS only for
        # control frames (type 1); for management frames (type 0) it is deauth
        if p.haslayer(Dot11) and p.getlayer(Dot11).type == 1:
            delta = max((datetime.datetime.now() - start).total_seconds(), 1)
            if p.getlayer(Dot11).subtype == 11:       # RTS
                rtsCNT = rtsCNT + 1
                if rtsCNT / delta > THRESH:
                    print("[*] - Detected RTS Flood.")
            elif p.getlayer(Dot11).subtype == 12:     # CTS
                ctsCNT = ctsCNT + 1
                if ctsCNT / delta > THRESH:
                    print("[*] - Detected CTS Flood.")

    sniff(iface=interface, prn=monitorPackets)


    Wireless Deauth Attack

    Clients authenticate themselves to access points prior to association with the network.

    Authentication typically occurs over unencrypted layer 2 management frames.

    De-authentication also occurs over unencrypted layer 2 management frames, so a deauth frame with a spoofed source address is honoured just like a genuine one unless the network uses protected management frames (802.11w).

    Tools such as aireplay-ng from the Aircrack-ng suite can spoof a de-authentication.
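The RTS/CTS flood above and the spoofed deauth on this slide are the same detection problem: decode the 802.11 Frame Control field so type and subtype are read together, then rate-limit each frame kind. The following is an added example serving both slides, not O'Connor's code and not Scapy: it parses the Frame Control byte of raw (radiotap-stripped) frames, keeps a sliding one-second window per kind, and runs on constructed frames with a CTS flood followed by a deauth burst. `frame_kind`, `build_frame`, `FloodDetector` and the per-kind thresholds are choices made for this example.

```python
"""Rate detector for 802.11 control/management floods (added example, not the deck's code).

Frame Control is two bytes, little-endian; the first byte packs protocol
version (bits 0-1), type (bits 2-3) and subtype (bits 4-7). Subtype 12 means
CTS when type is 1 (control) but Deauthentication when type is 0 (management),
so the pair must be checked together.
"""
from collections import deque

# (type, subtype) -> name for the frames this detector cares about
KINDS = {(1, 11): "RTS", (1, 12): "CTS", (0, 12): "DEAUTH", (0, 10): "DISASSOC", (0, 8): "BEACON"}


def frame_kind(frame):
    """Decode the first Frame Control byte; None for anything not in KINDS."""
    fc = frame[0]
    version, ftype, subtype = fc & 0x3, (fc >> 2) & 0x3, fc >> 4
    if version != 0:
        return None
    return KINDS.get((ftype, subtype))


def build_frame(ftype, subtype, addr1="ff:ff:ff:ff:ff:ff", addr2="00:00:00:00:00:00"):
    """Constructed minimal frames for the example: MAC header only, no radiotap or FCS."""
    to_mac = lambda s: bytes(int(x, 16) for x in s.split(":"))
    fc = bytes([(subtype << 4) | (ftype << 2), 0])
    body = fc + b"\0\0" + to_mac(addr1)                # duration + RA/addr1
    if (ftype, subtype) != (1, 12):                    # CTS carries only the RA
        body += to_mac(addr2)
    if ftype == 0:                                     # management: addr3, seq ctl, reason code 7
        body += to_mac(addr2) + b"\0\0" + b"\x07\x00"
    return body


class FloodDetector:
    def __init__(self, window_s=1.0, thresholds=None):
        self.window_s = window_s
        # frames per window that count as a flood; assumed values for the example
        self.thresholds = thresholds or {"RTS": 30, "CTS": 30, "DEAUTH": 10, "DISASSOC": 10}
        self.windows = {k: deque() for k in self.thresholds}

    def feed(self, ts, frame):
        """Return the kind name when this frame tips its kind over the rate threshold."""
        kind = frame_kind(frame)
        if kind not in self.windows:
            return None
        w = self.windows[kind]
        w.append(ts)
        while w and ts - w[0] > self.window_s:       # age out old sightings
            w.popleft()
        return kind if len(w) > self.thresholds[kind] else None


def sample_run():
    """Normal RTS/CTS for 5 s, a 200-frame CTS flood at t=6, a 50-frame deauth burst at t=7."""
    det = FloodDetector()
    frames = []
    for i in range(50):                                # ~10 handshakes/s: under threshold
        frames += [(i * 0.1, build_frame(1, 11)), (i * 0.1 + 0.01, build_frame(1, 12))]
    frames += [(6.0 + i * 0.002, build_frame(1, 12)) for i in range(200)]
    frames += [(7.0 + i * 0.01, build_frame(0, 12, addr2="00:11:22:33:44:55")) for i in range(50)]
    hits = {}
    for ts, f in frames:
        kind = det.feed(ts, f)
        if kind:
            hits.setdefault(kind, []).append(ts)
    return {k: (v[0], len(v)) for k, v in hits.items()}


if __name__ == "__main__":
    print(sample_run())
```

A deauth flood is also worth keying by the spoofed transmitter (addr2) in a real deployment, since one AP legitimately deauthenticating many stations on reboot looks like the attack to a global counter.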


    Fake Access Point Attack

    Wireless access points are advertised over 802.11 beacon frames.

    Clients use the information in the 802.11 beacon frame (SSID, BSSID, channel, capabilities) to connect to the wireless AP.

    Anyone can broadcast an 802.11 beacon, impersonating a network, since beacons are unauthenticated management frames.

    Combined with tools like karmetasploit, an attacker can immediately attack a client that joins the fake AP.


    Fake Access Point Attack

    from scapy.all import Dot11, Dot11Beacon, Dot11Elt, sniff

    interface = "mon0"   # monitor-mode interface
    THRESH = 5           # backwards timestamp jumps before a BSSID is flagged
    ssidDict = {}        # BSSID -> list of beacon timestamps seen
    ssidCnt = {}         # BSSID -> number of times the timestamp went backwards

    def monitorPackets(p):
        if p.haslayer(Dot11Beacon):                 # management frame, subtype 8
            ssid = p.getlayer(Dot11Elt).info        # first element is the SSID
            bssid = p.getlayer(Dot11).addr2
            stamp = p.getlayer(Dot11Beacon).timestamp
            if bssid not in ssidDict:
                ssidDict[bssid] = []
                ssidCnt[bssid] = 0
            else:
                prev = ssidDict[bssid][-1]
                # A real AP's TSF timer only counts up; a second radio cloning
                # the BSSID runs its own timer, so interleaved beacons go backwards
                if stamp < prev:
                    ssidCnt[bssid] = ssidCnt[bssid] + 1
                    if ssidCnt[bssid] > THRESH:
                        print("[*] - Detected fakeAP")
                        print("[*] SSID: " + str(ssid))
            ssidDict[bssid].append(stamp)

    sniff(iface=interface, prn=monitorPackets)
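The detection above depends on the structure of the beacon body: an 8-byte TSF timestamp, a 2-byte beacon interval, 2 bytes of capabilities, then information elements of which ID 0 is the SSID. The following is an added example, not O'Connor's code and not Scapy: it parses that body from a raw frame with the standard library, keeps the deck's timestamp-reversal logic per BSSID, and runs it on constructed beacons from a genuine AP interleaved with a clone that booted minutes earlier. `parse_beacon`, `build_beacon`, `FakeApDetector` and the SSID/BSSID values are choices made for this example.

```python
"""Fake-AP detector from beacon TSF timestamps (added example, not the deck's code).

A genuine AP's beacon carries its 64-bit TSF timer in microseconds, which only
counts up. A rogue that clones the SSID and BSSID runs its own TSF, so the
per-BSSID timestamp reverses whenever the two radios' beacons interleave.
"""
import struct

BEACON_FC = bytes([0x80, 0x00])     # type 0 (management), subtype 8 (beacon)


def parse_beacon(frame):
    """Return (bssid, tsf, interval_tu, ssid) for a beacon frame, else None."""
    if frame[:2] != BEACON_FC:
        return None
    bssid = ":".join("%02x" % b for b in frame[10:16])          # addr2 = transmitter
    tsf, interval, _cap = struct.unpack("<QHH", frame[24:36])    # fixed beacon fields
    ssid, i = "", 36
    while i + 2 <= len(frame):                                   # information elements
        eid, elen = frame[i], frame[i + 1]
        if eid == 0:                                             # SSID element
            ssid = frame[i + 2:i + 2 + elen].decode("utf-8", "replace")
            break
        i += 2 + elen
    return bssid, tsf, interval, ssid


def build_beacon(bssid, tsf, ssid, interval=100):
    """Constructed beacon for the example: MAC header + body, no radiotap or FCS."""
    mac = bytes(int(x, 16) for x in bssid.split(":"))
    hdr = BEACON_FC + b"\0\0" + b"\xff" * 6 + mac + mac + b"\0\0"   # broadcast DA, SA, BSSID, seq
    body = struct.pack("<QHH", tsf, interval, 0x0431) + bytes([0, len(ssid)]) + ssid.encode()
    return hdr + body


class FakeApDetector:
    def __init__(self, thresh=3):
        self.thresh = thresh
        self.last_tsf = {}     # bssid -> last TSF seen
        self.reversals = {}    # bssid -> count of TSF going backwards
        self.ssids = {}        # bssid -> set of SSIDs advertised under it

    def feed(self, frame):
        """Return an alert string when a BSSID's TSF reverses more than thresh times."""
        parsed = parse_beacon(frame)
        if parsed is None:
            return None
        bssid, tsf, _interval, ssid = parsed
        self.ssids.setdefault(bssid, set()).add(ssid)
        prev = self.last_tsf.get(bssid)
        self.last_tsf[bssid] = tsf
        if prev is not None and tsf < prev:
            self.reversals[bssid] = self.reversals.get(bssid, 0) + 1
            if self.reversals[bssid] > self.thresh:
                return "[*] - Detected fakeAP for %s SSID(s) %s" % (bssid, sorted(self.ssids[bssid]))
        return None


def sample_run():
    """Real AP up for a day (TSF ~86.4e9 us) vs. a clone that booted two minutes ago."""
    det = FakeApDetector(thresh=3)
    bssid, ssid = "00:11:22:33:44:55", "HotelFreeWiFi"
    frames = []
    for n in range(8):
        frames.append(build_beacon(bssid, 86_400_000_000 + n * 102_400, ssid))   # 100 TU apart
        if n >= 2:                                                                 # clone appears
            frames.append(build_beacon(bssid, 120_000_000 + n * 102_400, ssid))
    alerts = [a for a in (det.feed(f) for f in frames) if a]
    return len(alerts), det.reversals[bssid]


if __name__ == "__main__":
    print(sample_run())
```

The threshold exists because a single reversal can be a capture artefact (reordered frames from two radios in a monitor bond, or the AP itself rebooting); a rogue that keeps beaconing will keep reversing the timer every interval.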


    Conclusions

    Layer two attacks still present a threat to modern networks.

    Typically these threats go unnoticed by intrusion detection systems, which inspect traffic from Layer 3 up.

    Scapy and a little creativity can be used to automate detecting layer two attacks.

    For more information, see "Detecting and Responding to Data Link Layer Attacks", published as a GCIA paper in the SANS Reading Room.