ET4045 Telecommunication Network Security

Attacks #2: Attacks on Network

Tutun Juhana
Telecommunication Engineering
School of Electrical Engineering & Informatics
Institut Teknologi Bandung


Transmission media, hubs, etc.

Switch, ARP, etc.

Routers, IP etc.

TCP, etc.


Attacks on Media


Even on optical fiber


Mitigation

Protect the cables

Protect the switches and patch panels

Document the cable infrastructure

Investigate all outages

Inspect your cables and infrastructure regularly

Investigate undocumented hosts and connections


Hub Security Issues

Sniffer


A hub is a layer 1 device.

It repeats any signal that comes in on one port and copies it to all other ports (broadcasting).

Network Sniffers

Network Interface Cards (NICs) usually work in non-promiscuous mode: they only accept frames whose destination MAC address matches their own address.

To tap the traffic, a sniffer must use a promiscuous NIC, which accepts all frames received.

Sniffers: tcpdump

Ethereal (Wireshark): http://softlayer.dl.sourceforge.net/project/wireshark/OldStable/Wireshark%201.0.9/wireshark-setup-1.0.9.exe

Snort


Is sniffing legitimate?

Yes, if you have permission to perform it (ethical hacking).

Mitigation

Use a non-promiscuous NIC

Encrypt the traffic

Use a switch


Switch Vulnerability


Use a switch to prevent sniffing

Nothing flows here: the switch forwards a frame only to the port of its destination MAC address, so the other ports see nothing.


Feeling safe already? Going on vacation :D

Not yet, man!


Your nightmare is called

ARP


First, let's have a look at how a switch works.

When first turned on, or when it does not yet know the destination MAC address, the switch performs frame flooding: the received frame is forwarded out all of its ports.

http://www.firewall.cx/networking-topics/general-networking/236-switches-bridges.html

Node 1 sends a frame to node 2. The switch records the MAC address of node 1 in its MAC table (source MAC address learning) and floods the frame out all of its ports (except the port of node 1). Node 2 receives the frame (the other nodes are supposed to drop it) and answers; the switch then records the MAC address of node 2 in its MAC table.


Example: the switch after it completes its learning


Now let's have a little ARP recap.

"ARP (Address Resolution Protocol) is used to obtain the IP to MAC address mapping."


Here comes the devil (network security-wise)

Gratuitous ARP


A gratuitous ARP request is an Address Resolution Protocol request packet in which the source and destination IP addresses are both set to the IP of the machine issuing the packet.

The destination MAC is the broadcast address ff:ff:ff:ff:ff:ff.

Ordinarily, no reply packet will occur.


Gratuitous ARPs are useful for four reasons:

They can help detect IP conflicts: when a machine receives an ARP request containing a source IP that matches its own, it knows there is an IP conflict.

They assist in updating other machines' ARP tables.

They inform switches of the MAC address of the machine on a given switch port, so that the switch knows it should transmit packets sent to that MAC address on that switch port.

Every time an IP interface or link goes up, the driver for that interface will typically send a gratuitous ARP to preload the ARP tables of all other local hosts.

If we see multiple gratuitous ARPs from the same host frequently, it can be an indication of bad Ethernet hardware/cabling resulting in frequent link bounces.


To change the MAC address, use a locally administered MAC address.

Locally administered addresses are useful when creating virtual machines or virtual network interfaces.


(Figure: NIC configuration dialog, "Put your MAC address here")


MAC Address Flooding

Frames with unique, invalid source MAC addresses flood the switch, exhausting content addressable memory (CAM) table space and disallowing new entries from valid hosts.

Traffic to valid hosts is subsequently flooded out all ports.


Man in the Middle Attack using ARP poisoning


Please play with Nighthawk:

https://code.google.com/p/nighthawk/downloads/detail?name=nighthawk-0.9.4-rc.zip&can=2&q=

Combine it with your Wireshark.

Mitigation

Use some type of passive monitoring on the network: arpwatch

DecaffeinatID

Hard-code the ARP cache (static entries)

Different switch vendors have different countermeasures and methods

Switches should fail safe when flooded

New threat: Denial of Service

Provide notification to the network admin
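As an added example (not part of the original slides), here is an arpwatch-style passive monitor in Python that decodes raw ARP frames, recognises gratuitous ARP as defined above, and alerts when an IP address is suddenly claimed by a different MAC address, the symptom of the ARP-poisoning man-in-the-middle described earlier. All MAC/IP addresses and frames are constructed sample data.

```python
import struct

BROADCAST = "ff:ff:ff:ff:ff:ff"
_mac = lambda b: ":".join(f"{x:02x}" for x in b)
_ip = lambda b: ".".join(str(x) for x in b)

def parse_arp_frame(frame: bytes) -> dict:
    """Decode an Ethernet II frame carrying an ARP packet (EtherType 0x0806)."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0806: raise ValueError("not an ARP frame")
    # ARP body: htype, ptype, hlen, plen, opcode, sender MAC/IP, target MAC/IP
    _, _, _, _, oper, sha, spa, tha, tpa = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    return {"dst": _mac(dst), "src": _mac(src), "oper": oper, "sha": _mac(sha),
            "spa": _ip(spa), "tha": _mac(tha), "tpa": _ip(tpa)}

def is_gratuitous(arp: dict) -> bool:
    """Gratuitous ARP: sender IP equals target IP and the frame is sent to broadcast."""
    return arp["spa"] == arp["tpa"] and arp["dst"] == BROADCAST

class ArpWatcher:
    """arpwatch-style passive monitor: learns IP->MAC bindings and reports changes."""
    def __init__(self) -> None:
        self.table: dict[str, str] = {}
        self.alerts: list[str] = []

    def observe(self, frame: bytes) -> None:
        arp = parse_arp_frame(frame)
        known = self.table.get(arp["spa"])
        if known is None:
            self.alerts.append(f"new station {arp['spa']} {arp['sha']}")
        elif known != arp["sha"]:  # same IP now claimed by another MAC: poisoning indicator
            kind = "gratuitous arp" if is_gratuitous(arp) else "arp"
            self.alerts.append(f"changed ethernet address {arp['spa']} {known} -> {arp['sha']} ({kind})")
        self.table[arp["spa"]] = arp["sha"]

def build_arp(dst_mac, src_mac, oper, sha, spa, tha, tpa) -> bytes:
    """Build a raw ARP frame; used here only to construct the sample traffic below."""
    m = lambda s: bytes.fromhex(s.replace(":", ""))
    i = lambda s: bytes(int(x) for x in s.split("."))
    return (struct.pack("!6s6sH", m(dst_mac), m(src_mac), 0x0806)
            + struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, oper, m(sha), i(spa), m(tha), i(tpa)))

def demo() -> list[str]:
    """Constructed sample: gateway announces itself, a host replies, then a third station claims the gateway IP."""
    w = ArpWatcher()
    gw, host, rogue = "00:11:22:33:44:01", "00:11:22:33:44:02", "de:ad:be:ef:00:01"
    w.observe(build_arp(BROADCAST, gw, 1, gw, "192.168.1.1", "00:00:00:00:00:00", "192.168.1.10"))
    w.observe(build_arp(gw, host, 2, host, "192.168.1.10", gw, "192.168.1.1"))
    w.observe(build_arp(BROADCAST, rogue, 1, rogue, "192.168.1.1", "00:00:00:00:00:00", "192.168.1.1"))
    return w.alerts
```

The third frame produces a "changed ethernet address" alert, which is what arpwatch reports when an existing IP/MAC binding flips; on a real network the frames would come from a promiscuous capture rather than from build_arp.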