Post on 04-Apr-2018
7/30/2019 Oconnor Data Rev4
1/15
SANS Technology Institute - Candidate for Master of Science Degree
Detecting and Responding to DataLink Layer Attacks With Scapy
TJ O'Connor, September 2011
GIAC (GSE, GSEC, GCFW, GCIA, GCIH, GCFA, GREM, GPEN, GWAPT, GCFE)
The Hotel Area Network Dilemma
About 1 year ago, sitting in a hotel room in Washington D.C.
Free Wireless Internet starts working intermittently
Users start complaining of Facebook posts they didn't make
Fire up the IDS toolkit: the IDS doesn't see anything happening at Layer 3, and the IPS isn't seeing any attacks against the hotel either
What's happening?
As incident responders, we need the ability to quickly write tools to parse data, in this case Layer 2 traffic
Cam-Table Exhaustion Attack
The CAM Table maintains a list of switch ports and the destination MAC addresses learned on each port
Overloading the switch with CAM Table entries results in overflowing its memory. The switch no longer knows how to deliver frames based on MAC-port bindings
Figure: a flood of frames, each with a different source MAC (ETH.SRC = AA:AA:AA:AA:AA:AA, AA:AA:AA:AA:AA:AB, AA:AA:AA:AA:AA:AC, AA:AA:AA:AA:AA:AD, AA:AA:AA:AA:AA:AE, ...)
Cam-Table Exhaustion Attack
from scapy.all import Ether, IP, sniff
import datetime

interface = "eth0"   # interface to sniff on (value not on the slide; adjust for your host)
THRESH = 10          # new source MACs per second before alerting (value not on the slide)
hwList = []          # distinct source MACs seen so far

def monitorPackets(p):
    if p.haslayer(IP):
        hwSrc = p.getlayer(Ether).src
        if hwSrc not in hwList:
            hwList.append(hwSrc)
            delta = datetime.datetime.now() - start
            # max(..., 1) avoids dividing by zero during the first second
            if (len(hwList) / max(delta.seconds, 1)) > THRESH:
                print("[*] - Detected CAM Table Attack.")

start = datetime.datetime.now()
sniff(iface=interface, prn=monitorPackets)
Arp Spoofing
ARP translates layer 3 addresses to layer 2 addresses
Clients maintain their own ARP tables of these logical-to-physical bindings
But anyone can broadcast a gratuitous ARP, and client tables are updated
Figure: hosts A, B and C on one segment; C broadcasts "B's IP ADDR is located at HW ADDR for C" and "A's IP ADDR is located at HW ADDR for C", so A's and B's ARP tables now map each other's IP address to C
Arp Spoofing
from scapy.all import ARP, sniff

interface = "eth0"   # interface to sniff on (value not on the slide; adjust for your host)
hwTable = {}         # IP address -> hardware address last seen in an ARP reply

def monitorPackets(p):
    global hwTable
    if p.haslayer(ARP) and p.getlayer(ARP).op == 2:   # op 2 = ARP reply ("is-at")
        hwSrc = p.getlayer(ARP).hwsrc
        ipSrc = p.getlayer(ARP).psrc
        if ipSrc in hwTable:
            # the same IP now claims a different MAC than it did before
            if hwSrc != hwTable[ipSrc]:
                print("[*] - Conflict for IP: " + ipSrc)
        hwTable[ipSrc] = hwSrc

sniff(iface=interface, filter="arp", prn=monitorPackets)
DHCP Starvation Attack
Dynamic IP addresses are leased from a DHCP server after a request by a client. The lease allows the client to use the specified address for a period of time.
By sending 254 DHCP Requests, a DHCP starvation attack prevents any new clients from joining
Figure: an attacker sends DHCP Request, DHCP Request, DHCP Request, ... until the pool is used up; a legitimate client's DHCP Request then fails: No addresses available
DHCP Starvation Attack
from scapy.all import BOOTP, sniff

interface = "eth0"   # interface to sniff on (value not on the slide; adjust for your host)
reqCnt = 0           # BOOTP requests (op 1) seen
ofrCnt = 0           # BOOTP replies, i.e. offers (op 2), seen

def monitorPackets(p):
    global reqCnt
    global ofrCnt
    if p.haslayer(BOOTP):
        opCode = p.getlayer(BOOTP).op
        if opCode == 1:
            reqCnt = reqCnt + 1
        elif opCode == 2:
            ofrCnt = ofrCnt + 1
        # a growing gap between requests and offers points at an exhausted pool
        print("[*] - " + str(reqCnt) + " Requests.")
        print("[*] - " + str(ofrCnt) + " Offers.")

sniff(iface=interface, prn=monitorPackets)
CTS/RTS Wireless Attack
Clear-to-send (CTS) and Ready-to-send (RTS) are layer 2 unencrypted/unauthenticated messages used to prevent wireless collisions
Clients wishing to send traffic transmit an RTS. If the medium is clear, the destination responds with a CTS. Everybody else who hears the CTS backs off.
CTS/RTS Wireless Attack
from scapy.all import Dot11, sniff
import datetime

interface = "mon0"   # monitor-mode interface (value not on the slide; adjust for your host)
THRESH = 50          # RTS or CTS frames per second before alerting (value not on the slide)
rtsCNT = 0
ctsCNT = 0

def monitorPackets(p):
    global rtsCNT, ctsCNT
    if p.haslayer(Dot11):
        delta = datetime.datetime.now() - start
        secs = max(delta.seconds, 1)   # avoid dividing by zero during the first second
        dot11 = p.getlayer(Dot11)
        # RTS/CTS are control frames (type 1); management frames reuse subtypes 11/12, so check the type too
        if dot11.type == 1 and dot11.subtype == 11:
            rtsCNT = rtsCNT + 1
            if (rtsCNT / secs) > THRESH:
                print("[*] - Detected RTS Flood.")
        elif dot11.type == 1 and dot11.subtype == 12:
            ctsCNT = ctsCNT + 1
            if (ctsCNT / secs) > THRESH:
                print("[*] - Detected CTS Flood.")

start = datetime.datetime.now()
sniff(iface=interface, prn=monitorPackets)
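The counters on the CAM-table slide and on this RTS/CTS slide divide a running total by the seconds since start-up, so a burst after a long quiet period is averaged away and the first second divides by zero. As an added example (not code from the original slides), here is a sliding-window version of the same check in plain Python so it runs offline; the (timestamp, source MAC) pairs are assumed to come from a Scapy prn callback (p.time and p[Ether].src), and the sample traffic is constructed.

```python
import collections

class WindowedRate:
    """Count events inside a sliding window of `window` seconds and flag
    when the count exceeds `threshold`. Quiet periods do not dilute a burst."""

    def __init__(self, window, threshold):
        self.window = float(window)
        self.threshold = threshold
        self.events = collections.deque()

    def observe(self, ts):
        """Record an event at time ts; True if the window now exceeds the threshold."""
        self.events.append(ts)
        # drop timestamps that have aged out of the window
        while self.events and ts - self.events[0] > self.window:
            self.events.popleft()
        return len(self.events) > self.threshold

class NewSourceMacDetector:
    """CAM-table exhaustion indicator: many never-before-seen source MACs
    within one window. Plain frame counts (RTS/CTS floods) use WindowedRate directly."""

    def __init__(self, window=1.0, threshold=100):
        self.seen = set()
        self.rate = WindowedRate(window, threshold)

    def observe(self, ts, src_mac):
        if src_mac in self.seen:
            return False          # a known host is not a new CAM entry
        self.seen.add(src_mac)
        return self.rate.observe(ts)

def run_detector(detector, frames):
    """Return the timestamp of the first frame that trips the detector, else None."""
    for ts, mac in frames:
        if detector.observe(ts, mac):
            return ts
    return None

# Constructed sample traffic (not a capture): five legitimate hosts over a
# few seconds, then a burst of 300 distinct source MACs within 1.5 seconds.
NORMAL = [(i * 2.0, "00:11:22:33:44:%02x" % i) for i in range(5)]
FLOOD = [(100.0 + i * 0.005, "aa:aa:aa:aa:%02x:%02x" % (i // 256, i % 256))
         for i in range(300)]

if __name__ == "__main__":
    print(run_detector(NewSourceMacDetector(), NORMAL))          # None
    print(run_detector(NewSourceMacDetector(), NORMAL + FLOOD))  # 100.5
```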
Wireless Deauth Attack
Clients authenticate themselves to access points prior to association with the network
Authentication typically occurs over unencrypted layer 2 management frames
De-authentication also occurs over unencrypted layer 2 management frames
Tools such as aircrack-ng can spoof a de-authentication
Fake Access Point Attack
Wireless access points are advertised over an 802.11 beacon frame
Clients use the information in the 802.11 beacon frame to connect to the wireless AP
Anyone can broadcast an 802.11 beacon, impersonating a network
Combined with tools like karmetasploit, an attacker can instantly attack a client that joins a fake AP.
Fake Access Point Attack
from scapy.all import Dot11, Dot11Beacon, Dot11Elt, sniff

interface = "mon0"   # monitor-mode interface (value not on the slide; adjust for your host)
THRESH = 3           # backwards timestamp jumps per BSSID before alerting (value not on the slide)
ssidDict = {}        # BSSID -> list of beacon timestamps seen
ssidCnt = {}         # BSSID -> count of timestamps lower than the previous one

def monitorPackets(p):
    if p.haslayer(Dot11Beacon):   # type 0, subtype 8 = beacon (subtype alone also matches QoS data)
        ssid = p.getlayer(Dot11Elt).info              # first tagged parameter is the SSID
        bssid = p.getlayer(Dot11).addr2
        stamp = str(p.getlayer(Dot11Beacon).timestamp)  # 64-bit TSF, microseconds
        if bssid not in ssidDict:
            ssidDict[bssid] = []
            ssidCnt[bssid] = 0
        else:
            # a real AP's TSF only counts up; a second radio using the same
            # BSSID has its own clock, so the timestamp jumps backwards
            prev = ssidDict[bssid][len(ssidDict[bssid]) - 1]
            if int(stamp) < int(prev):
                ssidCnt[bssid] = ssidCnt[bssid] + 1
                if ssidCnt[bssid] > THRESH:
                    print("[*] - Detected fakeAP")
                    print("[*] SSID: " + ssid.decode("utf-8", "replace"))
        ssidDict[bssid].append(stamp)

sniff(iface=interface, prn=monitorPackets)
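The beacon-timestamp check above only needs the last TSF per BSSID, not the whole history, and it must cope with the first beacon from a BSSID before any previous value exists. As an added example (not code from the original slides), the same check in plain Python so it runs offline against constructed beacons; in a live run the (bssid, ssid, tsf) tuples are assumed to come from p[Dot11].addr2, p[Dot11Elt].info and p[Dot11Beacon].timestamp.

```python
class BeaconTsfMonitor:
    """Track the beacon timestamp (TSF, microseconds) per BSSID. A genuine
    AP's TSF only counts up; a second radio advertising the same BSSID has
    its own clock, so the observed value repeatedly jumps backwards."""

    def __init__(self, threshold=3):
        self.threshold = threshold
        self.last_tsf = {}    # bssid -> most recent TSF seen
        self.rollbacks = {}   # bssid -> number of backwards jumps

    def observe(self, bssid, tsf):
        """Record one beacon; True once the BSSID has more than `threshold` rollbacks."""
        prev = self.last_tsf.get(bssid)   # None on first sighting, so no KeyError
        self.last_tsf[bssid] = tsf
        if prev is None:
            self.rollbacks[bssid] = 0
            return False
        if tsf < prev:
            self.rollbacks[bssid] += 1    # one rollback (an AP reboot) stays below threshold
        return self.rollbacks[bssid] > self.threshold

def first_alert(beacons, threshold=3):
    """Return the index of the first beacon that raises an alert, else None.
    beacons is a list of (bssid, ssid, tsf) tuples."""
    mon = BeaconTsfMonitor(threshold)
    for idx, (bssid, _ssid, tsf) in enumerate(beacons):
        if mon.observe(bssid, tsf):
            return idx
    return None

# Constructed beacons (not a capture). The genuine AP has been up for a
# while and beacons every 102400 us; the impostor reuses its BSSID and SSID
# but its TSF started from near zero when it was switched on.
BSSID = "00:11:22:33:44:55"
BEACON_US = 102400
GENUINE = [(BSSID, "HotelWiFi", 5000000 + i * BEACON_US) for i in range(20)]
FAKE = [(BSSID, "HotelWiFi", 1000 + i * BEACON_US) for i in range(20)]
INTERLEAVED = [b for pair in zip(GENUINE, FAKE) for b in pair]

if __name__ == "__main__":
    print(first_alert(GENUINE))      # None
    print(first_alert(INTERLEAVED))  # 7
```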
Conclusions
Layer two attacks still present a threat to modern networks
Typically these threats go unnoticed by intrusion detection systems
Scapy and a little creativity can be used to automate detecting layer two attacks
For more information, see Detecting and Responding to Data Link Layer Attacks, published in the SANS GCIA Reading Room