
Detecting and Responding to Data Link Layer Attacks With Scapy


Presentation Transcript


  1. Detecting and Responding to Data Link Layer Attacks With Scapy TJ OConnor September 2011 GIAC (GSE, GSEC, GCFW, GCIA, GCIH, GCFA, GREM, GPEN, GWAPT, GCFE) SANS Technology Institute - Candidate for Master of Science Degree

  2. The Hotel Area Network Dilemma • About 1 year ago, sitting in a hotel room in Washington D.C. • “Free” wireless Internet starts working only intermittently • Users start complaining about Facebook posts they didn’t make • Fire up the IDS toolkit • The IDS sees nothing happening at layer 3 • The IPS isn’t seeing any attacks against the hotel either • What’s happening? • As incident responders we need the ability to quickly write tools that parse the data in front of us… in this case, layer 2 traffic

  3. CAM Table Exhaustion Attack • The CAM (content-addressable memory) table maps each MAC address the switch has learned to the port it was learned on • Flooding the switch with frames from random source MACs fills the table; once no entries are free the switch can no longer learn legitimate MAC-to-port bindings and falls back to flooding unicast frames out every port like a hub, so the attacker’s port receives traffic meant for other hosts

  4. CAM Table Exhaustion Attack [diagram: numbered steps of the attack]

  5. ARP Spoofing • ARP resolves layer 3 (IP) addresses to layer 2 (MAC) addresses • Each host caches these logical-to-physical bindings in its own ARP table • ARP carries no authentication: any host can send an unsolicited (gratuitous) ARP reply claiming another host’s IP, and the receiving hosts update their tables with the forged binding, so traffic for that IP (typically the gateway) is delivered to the attacker instead

  6. ARP Spoofing [diagram: numbered steps of the attack]
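The detection side of slide 5, written out as an added example in Python (this is not code from the presentation or from the author’s paper). It parses Ethernet/ARP frames with the standard library so it runs offline on constructed test frames, learns IP-to-MAC bindings, and alerts when an IP is re-claimed by a different MAC or when the ARP sender address does not match the frame’s Ethernet source. The Scapy `sniff` hook at the bottom is the assumed way to feed it live traffic; the static gateway binding, MACs and IPs are made up for the example.

```python
import struct

# Ethernet II header and the 28-byte ARP packet for IPv4 over Ethernet (network byte order).
ETH = struct.Struct("!6s6sH")
ARP = struct.Struct("!HHBBH6s4s6s4s")   # htype ptype hlen plen op sha spa tha tpa
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_str(b): return ":".join(f"{x:02x}" for x in b)
def ip_str(b): return ".".join(str(x) for x in b)
def mac_bytes(s): return bytes.fromhex(s.replace(":", ""))
def ip_bytes(s): return bytes(int(x) for x in s.split("."))


def parse_arp(frame):
    """Return (op, sender_mac, sender_ip, ethernet_src) for an IPv4 ARP frame, else None."""
    if len(frame) < ETH.size + ARP.size:
        return None
    _dst, eth_src, etype = ETH.unpack_from(frame, 0)
    if etype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, _tha, _tpa = ARP.unpack_from(frame, ETH.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return op, mac_str(sha), ip_str(spa), mac_str(eth_src)


class ArpSpoofDetector:
    """Learns IP -> MAC bindings from ARP traffic and alerts when an IP is claimed by a
    different MAC. Seed `static` with bindings you trust (gateway, servers); everything
    else is learned on first sight, so the detector must be running before the attack.
    Caveat: a DHCP re-assignment also changes a binding, so treat alerts as leads."""

    def __init__(self, static=None):
        self.bindings = dict(static or {})   # ip -> mac
        self.alerts = []

    def observe(self, frame):
        parsed = parse_arp(frame)
        if parsed is None:
            return None
        op, sha, spa, eth_src = parsed
        kind = "reply" if op == ARP_REPLY else "request"
        known = self.bindings.get(spa)
        if known is not None and known != sha:
            alert = f"ARP {kind}: {spa} was {known}, now claimed by {sha}"
        elif sha != eth_src:
            # The ARP sender hardware address should equal the frame's source MAC;
            # a mismatch is a common artefact of crafted packets.
            alert = f"ARP {kind}: sender MAC {sha} differs from Ethernet source {eth_src} for {spa}"
        else:
            self.bindings.setdefault(spa, sha)
            return None
        self.alerts.append(alert)
        return alert


def build_arp(op, sha, spa, tha, tpa, eth_src=None):
    """Constructed test frame (not captured traffic); eth_src lets a test fake a mismatch."""
    eth_dst = b"\xff" * 6 if op == ARP_REQUEST else mac_bytes(tha)
    eth = ETH.pack(eth_dst, mac_bytes(eth_src or sha), ETHERTYPE_ARP)
    return eth + ARP.pack(1, 0x0800, 6, 4, op, mac_bytes(sha), ip_bytes(spa),
                          mac_bytes(tha), ip_bytes(tpa))


if __name__ == "__main__":
    det = ArpSpoofDetector(static={"192.168.1.1": "00:11:22:33:44:01"})   # assumed gateway
    legit = build_arp(ARP_REPLY, "00:11:22:33:44:01", "192.168.1.1", "00:11:22:33:44:10", "192.168.1.10")
    spoof = build_arp(ARP_REPLY, "de:ad:be:ef:00:01", "192.168.1.1", "00:11:22:33:44:10", "192.168.1.10")
    print(det.observe(legit))   # None
    print(det.observe(spoof))   # gateway IP now claimed by another MAC
    # Live use with Scapy (root required): hand every ARP frame's raw bytes to the detector.
    # from scapy.all import sniff
    # sniff(filter="arp", store=False, prn=lambda p: print(det.observe(bytes(p))))
```

Seeding the gateway binding matters most: it is the address an attacker in a hotel network will almost always claim, and learning it from the first reply seen would let an attacker who is already active pass as legitimate.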

  7. DHCP Starvation Attack • Dynamic IP addresses are leased from a DHCP server after a request by a client; the lease allows the client to use the specified address for a period of time • By sending DHCP requests with spoofed client hardware addresses until the pool is exhausted (254 addresses for a /24 scope), a DHCP starvation attack prevents any new client from obtaining a lease; the attacker can then answer those clients with a rogue DHCP server of their own

  8. DHCP Starvation Attack [diagram: numbered steps of the attack]
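Slides 3 and 7 describe the same shape of attack, a burst of many new layer 2 identifiers in a short time (random source MACs for CAM table exhaustion, random client hardware addresses in DHCP DISCOVER/REQUEST messages for starvation), so one added example serves both. This is not code from the presentation or from the author’s paper. The sliding-window detector is plain Python; the BOOTP/DHCP parser reads the message type (option 53) and `chaddr` from raw UDP payload built here as constructed test data. The window sizes, thresholds and the Scapy `sniff` hook in the `__main__` block are assumptions.

```python
import struct
from collections import deque


class NewIdentifierBurstDetector:
    """Counts distinct identifiers first seen within a sliding window of `window` seconds
    and reports once that count exceeds `threshold`. Feed it source MACs to catch CAM
    table exhaustion, or DHCP client hardware addresses to catch starvation."""

    def __init__(self, window=10.0, threshold=100):
        self.window, self.threshold = window, threshold
        self.order = deque()   # (time, ident) in order of first sighting
        self.seen = {}         # ident -> time of first sighting inside the window

    def observe(self, t, ident):
        """Return the distinct count if it exceeds the threshold, else 0."""
        while self.order and self.order[0][0] < t - self.window:   # expire old sightings
            _, old = self.order.popleft()
            self.seen.pop(old, None)
        if ident not in self.seen:
            self.seen[ident] = t
            self.order.append((t, ident))
        n = len(self.seen)
        return n if n > self.threshold else 0


# BOOTP fixed header (236 bytes) followed by the DHCP magic cookie and TLV options.
BOOTP = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")
DHCP_MAGIC = b"\x63\x82\x53\x63"
OPT_PAD, OPT_MESSAGE_TYPE, OPT_END = 0, 53, 255
DHCP_DISCOVER, DHCP_OFFER, DHCP_REQUEST = 1, 2, 3


def parse_dhcp(payload):
    """Return (message_type, chaddr) from raw BOOTP/DHCP UDP data, else None."""
    if len(payload) < BOOTP.size + 4 or payload[BOOTP.size:BOOTP.size + 4] != DHCP_MAGIC:
        return None
    fields = BOOTP.unpack_from(payload)
    hlen, chaddr = fields[2], fields[11]
    mtype, i = None, BOOTP.size + 4
    while i < len(payload):
        tag = payload[i]
        if tag == OPT_END:
            break
        if tag == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(payload):
            break
        ln = payload[i + 1]
        if tag == OPT_MESSAGE_TYPE and ln == 1 and i + 2 < len(payload):
            mtype = payload[i + 2]
        i += 2 + ln
    return mtype, chaddr[:hlen]


class DhcpStarvationDetector:
    """Feeds the client hardware address of every DISCOVER/REQUEST into the burst detector."""

    def __init__(self, window=60.0, threshold=50):
        self.burst = NewIdentifierBurstDetector(window, threshold)

    def observe(self, t, dhcp_payload):
        parsed = parse_dhcp(dhcp_payload)
        if parsed is None or parsed[0] not in (DHCP_DISCOVER, DHCP_REQUEST):
            return 0
        return self.burst.observe(t, parsed[1])


def build_dhcp(chaddr, mtype=DHCP_DISCOVER, xid=0x3903F326):
    """Constructed client message (not captured traffic) with only the message-type option."""
    zero4 = b"\x00" * 4
    hdr = BOOTP.pack(1, 1, len(chaddr), 0, xid, 0, 0x8000, zero4, zero4, zero4, zero4,
                     chaddr.ljust(16, b"\x00"), b"\x00" * 64, b"\x00" * 128)
    return hdr + DHCP_MAGIC + bytes([OPT_MESSAGE_TYPE, 1, mtype, OPT_END])


if __name__ == "__main__":
    cam = NewIdentifierBurstDetector(window=10.0, threshold=50)
    for i in range(100):   # 100 random source MACs in a tenth of a second
        n = cam.observe(i * 0.001, f"02:00:00:00:00:{i:02x}")
    print("CAM exhaustion:", n, "distinct MACs in window")
    # Live use with Scapy (root required); p.time is the capture timestamp.
    # from scapy.all import sniff, Ether, BOOTP as BOOTP_L, raw
    # dhcp = DhcpStarvationDetector()
    # def handle(p):
    #     if p.haslayer(Ether) and cam.observe(p.time, p[Ether].src): print("CAM flood")
    #     if p.haslayer(BOOTP_L) and dhcp.observe(p.time, raw(p[BOOTP_L])): print("DHCP starvation")
    # sniff(store=False, prn=handle)
```

Tune the thresholds against a baseline capture of the segment: a busy access switch legitimately sees a few hundred source MACs, but not hundreds that it has never seen before within ten seconds.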

  9. CTS/RTS Wireless Attack • Clear-to-send (CTS) and request-to-send (RTS) are unencrypted, unauthenticated layer 2 control frames used to avoid collisions • A client wishing to transmit sends an RTS; if the medium is clear, the destination responds with a CTS. Every station that hears the CTS reads the frame’s duration field, sets its network allocation vector (NAV) and backs off for that long • Because nothing authenticates the CTS, an attacker can send forged CTS frames back to back with the maximum duration (32,767 µs) and keep every other station silent

  10. CTS/RTS Wireless Attack [diagram: numbered steps of the attack]

  11. Wireless Deauth Attack • Clients authenticate with an access point and then associate with it before they can use the network • Both steps use unencrypted, unauthenticated layer 2 management frames, and so does de-authentication • Tools such as aireplay-ng (part of the Aircrack-ng suite) can send forged de-authentication frames spoofing the AP’s address, kicking a client or every client off the network • Unless the network uses 802.11w protected management frames, a client cannot tell a forged de-authentication from a real one

  12. Wireless Deauth Attack [diagram: numbered steps of the attack]
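One added example covers slides 9 and 11 (it is not code from the presentation or the author’s paper), because both attacks are spotted from the same 802.11 header fields. For CTS abuse it sums the NAV reservations of CTS frames seen in a one-second window and alerts when forged CTS frames reserve more than half the channel time; for de-authentication it counts deauth frames per sender/receiver pair, treating a broadcast deauth as suspicious on the second sighting. The frames are constructed test data without RadioTap or FCS; window, ratio, threshold and the monitor interface name `wlan0mon` in the commented Scapy hook are assumptions. Reason code 7 is used in the test frames because it is the code aireplay-ng sends by default.

```python
import struct
from collections import deque, defaultdict

TYPE_MGMT, TYPE_CTRL = 0, 1
SUBTYPE_RTS, SUBTYPE_CTS = 11, 12     # control-frame subtypes
SUBTYPE_DEAUTH = 12                   # management-frame subtype
BCAST = "ff:ff:ff:ff:ff:ff"


def mac_str(b): return ":".join(f"{x:02x}" for x in b)
def mac_bytes(s): return bytes.fromhex(s.replace(":", ""))


def parse_dot11(frame):
    """Minimal 802.11 header parser (frame without RadioTap; a trailing FCS is ignored)."""
    if len(frame) < 10:
        return None
    fc0, _fc1, duration = struct.unpack_from("<BBH", frame, 0)
    info = {"type": (fc0 >> 2) & 3, "subtype": fc0 >> 4,
            "duration": duration, "addr1": mac_str(frame[4:10])}
    if info["type"] == TYPE_CTRL and info["subtype"] == SUBTYPE_CTS:
        return info                                  # CTS carries only the receiver address
    if len(frame) < 16:
        return None
    info["addr2"] = mac_str(frame[10:16])
    if info["type"] == TYPE_MGMT:
        if len(frame) < 24:
            return None
        info["addr3"] = mac_str(frame[16:22])
        info["body"] = frame[24:]
    return info


class Dot11AbuseDetector:
    def __init__(self, window=1.0, nav_ratio=0.5, deauth_threshold=10):
        self.window, self.nav_ratio, self.deauth_threshold = window, nav_ratio, deauth_threshold
        self.cts = deque()                 # (time, duration_us) of recent CTS frames
        self.nav_us = 0                    # microseconds reserved by CTS frames in the window
        self.deauth = defaultdict(deque)   # (sender, receiver) -> times of recent deauths
        self.alerts = []

    def observe(self, t, frame):
        info = parse_dot11(frame)
        if info is None:
            return None
        alert = None
        if info["type"] == TYPE_CTRL and info["subtype"] == SUBTYPE_CTS:
            dur = info["duration"]
            if dur & 0x8000:               # bit 15 set: the field is not a NAV value
                return None
            self.cts.append((t, dur))
            self.nav_us += dur
            while self.cts and self.cts[0][0] < t - self.window:
                self.nav_us -= self.cts.popleft()[1]
            reserved = self.nav_us / 1e6 / self.window   # fraction of the window held by CTS NAVs
            if reserved > self.nav_ratio:
                alert = f"CTS flood: {reserved:.0%} of the last {self.window:g}s reserved via NAV (RA {info['addr1']})"
        elif info["type"] == TYPE_MGMT and info["subtype"] == SUBTYPE_DEAUTH:
            key = (info["addr2"], info["addr1"])
            q = self.deauth[key]
            q.append(t)
            while q and q[0] < t - self.window:
                q.popleft()
            body = info["body"]
            reason = struct.unpack_from("<H", body)[0] if len(body) >= 2 else None
            limit = 1 if info["addr1"] == BCAST else self.deauth_threshold   # APs rarely deauth everyone
            if len(q) > limit:
                alert = f"deauth flood: {len(q)} frames from {key[0]} to {key[1]} in {self.window:g}s (reason {reason})"
        if alert:
            self.alerts.append(alert)
        return alert


def build_cts(ra, duration_us):
    """Constructed CTS frame: frame control 0xC4 (type 1, subtype 12), duration, RA."""
    return struct.pack("<BBH", 0xC4, 0, duration_us) + mac_bytes(ra)


def build_deauth(dst, src, bssid, reason=7, seq=0):
    """Constructed de-authentication frame: frame control 0xC0 (type 0, subtype 12)."""
    hdr = (struct.pack("<BBH", 0xC0, 0, 314) + mac_bytes(dst) + mac_bytes(src)
           + mac_bytes(bssid) + struct.pack("<H", seq << 4))
    return hdr + struct.pack("<H", reason)


if __name__ == "__main__":
    det = Dot11AbuseDetector()
    for i in range(20):
        a = det.observe(i * 0.04, build_cts("00:11:22:33:44:55", 32767))
    print(a)
    # Live use with Scapy on a monitor-mode interface (root required):
    # from scapy.all import sniff, Dot11
    # sniff(iface="wlan0mon", store=False,
    #       prn=lambda p: p.haslayer(Dot11) and print(det.observe(p.time, bytes(p[Dot11]))))
```

`bytes(p[Dot11])` strips the RadioTap header Scapy prepends in monitor mode; if the driver delivers an FCS it stays at the tail of the frame, where neither check reads it.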

  13. Fake Access Point Attack • Wireless access points advertise themselves with 802.11 beacon frames • Clients use the information in the beacon (SSID, capabilities, channel) to connect to the AP • Anyone can broadcast an 802.11 beacon, impersonating a network (an “evil twin”) • Combined with tools like Karmetasploit, which answers probe requests for whatever SSID a client asks for, an attacker can immediately attack a client that joins the fake AP

  14. Fake Access Point Attack [diagram: numbered steps of the attack]
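A detector for slide 13, as an added example that is not code from the presentation or from the author’s paper. It parses beacons and probe responses (BSSID, SSID from the SSID information element, and the privacy bit in the capability field) and raises three kinds of alert: a known SSID advertised by an unknown BSSID, a known encrypted network advertised as open, and a single BSSID answering for many different SSIDs, which is what a KARMA-style AP does. The list of known networks, the `karma_threshold`, and the addresses and SSIDs in the constructed frames are all assumptions for the example.

```python
import struct
from collections import defaultdict

BCAST = "ff:ff:ff:ff:ff:ff"
SUBTYPE_PROBE_RESP, SUBTYPE_BEACON = 5, 8   # management subtypes
CAP_PRIVACY = 0x0010                        # capability bit: encryption required
IE_SSID, IE_DS_PARAMS = 0, 3


def mac_str(b): return ":".join(f"{x:02x}" for x in b)
def mac_bytes(s): return bytes.fromhex(s.replace(":", ""))


def parse_beacon(frame):
    """Return (subtype, bssid, ssid, privacy) from a beacon or probe response, else None."""
    if len(frame) < 36:
        return None
    fc0 = frame[0]
    ftype, subtype = (fc0 >> 2) & 3, fc0 >> 4
    if ftype != 0 or subtype not in (SUBTYPE_PROBE_RESP, SUBTYPE_BEACON):
        return None
    bssid = mac_str(frame[16:22])                            # addr3 of a management frame
    capability = struct.unpack_from("<H", frame, 34)[0]      # 24-byte header + timestamp + interval
    ssid, i = None, 36
    while i + 2 <= len(frame):                               # walk the information elements
        tag, ln = frame[i], frame[i + 1]
        if tag == IE_SSID:
            ssid = frame[i + 2:i + 2 + ln].decode("utf-8", "replace")
            break
        i += 2 + ln
    return subtype, bssid, ssid, bool(capability & CAP_PRIVACY)


class FakeApDetector:
    """`known` maps SSID -> {"bssids": set of legitimate BSSIDs, "privacy": bool}."""

    def __init__(self, known, karma_threshold=5):
        self.known = known
        self.karma_threshold = karma_threshold
        self.ssids_by_bssid = defaultdict(set)
        self.alerts = []

    def observe(self, frame):
        parsed = parse_beacon(frame)
        if parsed is None:
            return []
        subtype, bssid, ssid, privacy = parsed
        found = []
        profile = self.known.get(ssid)
        if profile is not None:
            if bssid not in profile["bssids"]:
                found.append(f"evil twin: SSID {ssid!r} advertised by unknown BSSID {bssid}")
            if profile["privacy"] and not privacy:
                found.append(f"downgrade: SSID {ssid!r} from {bssid} is OPEN, real network is encrypted")
        if ssid:   # hidden SSIDs (empty) are not counted
            self.ssids_by_bssid[bssid].add(ssid)
            n = len(self.ssids_by_bssid[bssid])
            if n >= self.karma_threshold:
                found.append(f"KARMA-style AP: {bssid} has answered for {n} different SSIDs")
        self.alerts.extend(found)
        return found


def build_beacon(bssid, ssid, privacy, subtype=SUBTYPE_BEACON, dst=BCAST, channel=6):
    """Constructed management frame (not captured traffic): header, fixed fields, SSID and DS IEs."""
    hdr = (struct.pack("<BBH", subtype << 4, 0, 0) + mac_bytes(dst) + mac_bytes(bssid)
           + mac_bytes(bssid) + struct.pack("<H", 0))
    cap = 0x0001 | (CAP_PRIVACY if privacy else 0)           # ESS, plus privacy when encrypted
    fixed = struct.pack("<QHH", 0, 100, cap)                 # timestamp, beacon interval, capability
    ies = bytes([IE_SSID, len(ssid)]) + ssid.encode() + bytes([IE_DS_PARAMS, 1, channel])
    return hdr + fixed + ies


if __name__ == "__main__":
    known = {"HotelWiFi": {"bssids": {"00:11:22:33:44:55"}, "privacy": True}}   # assumed
    det = FakeApDetector(known)
    print(det.observe(build_beacon("00:11:22:33:44:55", "HotelWiFi", True)))     # []
    print(det.observe(build_beacon("de:ad:be:ef:00:01", "HotelWiFi", False)))    # evil twin + downgrade
    # Live use with Scapy on a monitor-mode interface (root required):
    # from scapy.all import sniff, Dot11
    # sniff(iface="wlan0mon", store=False,
    #       prn=lambda p: p.haslayer(Dot11) and print(det.observe(bytes(p[Dot11]))))
```

Matching on probe responses as well as beacons is what catches KARMA: the fake AP need not beacon the victim’s SSID at all, it simply answers the victim’s probe for it.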

  15. Conclusions • Layer 2 attacks still present a threat to modern networks • These threats typically go unnoticed by intrusion detection systems, which watch layer 3 and above • Scapy and a little creativity can be used to automate detection of layer 2 attacks • For more information, see “Detecting and Responding to Data Link Layer Attacks”, published in the SANS Reading Room (GCIA)
