SANS Technology Institute - Candidate for Master of Science Degree
Detecting and Responding to Data Link Layer Attacks With Scapy
TJ OConnor, September 2011
GIAC (GSE, GSEC, GCFW, GCIA, GCIH, GCFA, GREM, GPEN, GWAPT, GCFE)
The Hotel Area Network Dilemma
• About 1 year ago, sitting in a hotel room in Washington D.C.
  – "Free" wireless Internet starts working intermittently
  – Users start complaining of Facebook posts they didn't make
• Fire up IDS toolkit
  – IDS doesn't see anything happening at Layer 3
  – IPS isn't seeing any attacks against the hotel either
• What's happening?
  – As incident responders, we need the ability to quickly write tools to parse data... in this case, Layer 2 traffic
Cam-Table Exhaustion Attack
• The CAM (content-addressable memory) table maps each learned source MAC address to the switch port it was seen on; the switch uses it to forward a frame only to the port that owns the destination MAC
• Flooding the switch with frames from thousands of forged source MACs (dsniff's macof does exactly this) fills the table. Once it is full the switch can no longer learn or look up MAC-to-port bindings and falls back to flooding frames out every port, so the attacker's port receives other hosts' traffic as if the switch were a hub
Cam-Table Exhaustion Attack (diagram: the attack in four numbered steps)
ARP Spoofing
• ARP resolves layer 3 (IP) addresses to layer 2 (MAC) addresses
• Clients maintain their own ARP caches of these logical-to-physical bindings
• ARP has no authentication: anyone can send a gratuitous or unsolicited ARP reply and most stacks update their cache with whatever it claims, so an attacker can bind the gateway's IP to its own MAC and sit in the middle of the traffic
ARP Spoofing (diagram: the attack in four numbered steps)
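The cache-poisoning check described on the ARP slides, written out as an added example (not code from the deck or from the author's paper). It learns IP-to-MAC bindings from ARP traffic, pins the bindings that must never move (the gateway), and flags "is-at" replies that nobody asked for. The detector is plain Python so it runs offline on constructed records; Scapy is used only to pull fields off live packets. All addresses below are made up.

```python
"""ARP spoof detector: learns IP -> MAC bindings from ARP traffic and reports a
binding that moves, a pinned host (the gateway) claimed by another MAC, and
"is-at" replies that nobody requested. Scapy is used only for live capture."""
import sys
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

try:  # the detector itself is plain Python and runs without Scapy
    from scapy.all import ARP, sniff
except ImportError:
    ARP = sniff = None

ARP_REQUEST, ARP_REPLY = 1, 2   # ARP opcodes: who-has / is-at


@dataclass(frozen=True)
class ArpRecord:
    op: int
    sender_ip: str    # ARP psrc
    sender_mac: str   # ARP hwsrc
    target_ip: str    # ARP pdst


class ArpSpoofDetector:
    def __init__(self, pinned: Optional[Dict[str, str]] = None):
        # Bindings that must never move: default gateway, DNS and DHCP servers.
        self.pinned = {ip: mac.lower() for ip, mac in (pinned or {}).items()}
        self.table: Dict[str, str] = dict(self.pinned)   # learned IP -> MAC
        self.asked: Set[str] = set()                     # IPs with an outstanding who-has
        self.alerts: List[str] = []

    def observe(self, rec: ArpRecord) -> List[str]:
        found: List[str] = []
        mac = rec.sender_mac.lower()
        if rec.op == ARP_REQUEST:
            self.asked.add(rec.target_ip)
        elif rec.op == ARP_REPLY:
            if rec.sender_ip in self.asked:
                self.asked.discard(rec.sender_ip)
            else:
                # A reply nobody asked for is the gratuitous ARP that poisoning relies on.
                # Hosts also announce themselves this way at boot, so alone it is low severity.
                found.append(f"UNSOLICITED is-at {rec.sender_ip} -> {mac}")
        if rec.sender_ip != "0.0.0.0":   # 0.0.0.0 is an ARP probe (RFC 5227), no binding
            known = self.table.get(rec.sender_ip)
            if known is None:
                self.table[rec.sender_ip] = mac
            elif known != mac and rec.sender_ip in self.pinned:
                found.append(f"PINNED {rec.sender_ip} ({known}) claimed by {mac}")
            elif known != mac:
                found.append(f"CHANGED {rec.sender_ip} {known} -> {mac}")
                self.table[rec.sender_ip] = mac   # follow legitimate re-addressing
        self.alerts.extend(found)
        return found


def from_scapy(pkt) -> Optional[ArpRecord]:
    """Map a sniffed Scapy packet onto an ArpRecord (None if it is not ARP)."""
    if ARP is None or not pkt.haslayer(ARP):
        return None
    a = pkt[ARP]
    return ArpRecord(op=a.op, sender_ip=a.psrc, sender_mac=a.hwsrc, target_ip=a.pdst)


GATEWAY = {"10.0.0.1": "00:50:56:c0:00:01"}   # assumed gateway binding for the demo

# Constructed traffic: a normal request/reply for the gateway, then two
# unsolicited replies claiming the gateway's IP with a made-up attacker MAC.
SAMPLE = [
    ArpRecord(ARP_REQUEST, "10.0.0.55", "00:11:22:33:44:55", "10.0.0.1"),
    ArpRecord(ARP_REPLY,   "10.0.0.1",  "00:50:56:c0:00:01", "10.0.0.55"),
    ArpRecord(ARP_REPLY,   "10.0.0.1",  "00:0c:29:aa:bb:cc", "10.0.0.55"),
    ArpRecord(ARP_REPLY,   "10.0.0.1",  "00:0c:29:aa:bb:cc", "10.0.0.55"),
]


def run_sample() -> List[str]:
    det = ArpSpoofDetector(pinned=GATEWAY)
    for rec in SAMPLE:
        det.observe(rec)
    return det.alerts


if __name__ == "__main__":
    print("\n".join(run_sample()))
    if sniff is not None and "--live" in sys.argv:   # sudo python3 arp_watch.py --live
        live = ArpSpoofDetector(pinned=GATEWAY)

        def handle(pkt):
            rec = from_scapy(pkt)
            for alert in (live.observe(rec) if rec else []):
                print(alert)

        sniff(filter="arp", store=False, prn=handle)
```

Hosts legitimately send gratuitous ARP when they boot or fail over, so UNSOLICITED on its own is noise; UNSOLICITED together with PINNED for the same IP is the poisoning signature. On a DHCP segment where addresses really do move, keep CHANGED at low severity and rely on the pinned set for the hosts that matter.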
DHCP Starvation Attack
• Dynamic IP addresses are leased from a DHCP server after a request by a client. The lease allows the client to use the specified address for a period of time.
• A DHCP starvation attack sends DISCOVER/REQUEST messages with forged client hardware addresses (chaddr) until the server's pool is exhausted (254 leases for a typical /24 scope). No legitimate new client can then obtain an address and join the network
DHCP Starvation Attack (diagram: the attack in four numbered steps)
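An added example serving both the CAM table exhaustion slides above and the DHCP starvation slides here (not code from the deck or from the author's paper). On the wire the two attacks look alike: a burst of frames from far more distinct layer 2 identities than the segment normally has. One sliding-window monitor counts distinct Ethernet source MACs and, separately, distinct DHCP client hardware addresses in DISCOVER/REQUEST messages. Thresholds and traffic are constructed, and Scapy is used only for the live capture hook.

```python
"""Burst of many distinct layer-2 identities in a sliding window: distinct Ethernet
source MACs (CAM table exhaustion) and distinct DHCP client hardware addresses in
DISCOVER/REQUEST messages (DHCP starvation). Scapy is used only for live capture."""
import sys
from collections import deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional, Tuple

try:  # the detector itself is plain Python and runs without Scapy
    from scapy.all import BOOTP, DHCP, Ether, sniff
except ImportError:
    BOOTP = DHCP = Ether = sniff = None

DHCP_DISCOVER, DHCP_REQUEST = 1, 3   # DHCP message-type option values


class DistinctKeyMonitor:
    """Alert once when more than `limit` distinct keys appear within `window` seconds,
    then re-arm when the count falls back under the limit."""

    def __init__(self, name: str, window: float, limit: int):
        self.name, self.window, self.limit, self.tripped = name, window, limit, False
        self.events: Deque[Tuple[float, str]] = deque()   # (ts, key), oldest first
        self.counts: Dict[str, int] = {}                    # key -> hits inside the window

    def observe(self, ts: float, key: str) -> Optional[str]:
        self.events.append((ts, key))
        self.counts[key] = self.counts.get(key, 0) + 1
        while self.events and ts - self.events[0][0] > self.window:   # expire old events
            _, old = self.events.popleft()
            self.counts[old] -= 1
            if self.counts[old] == 0:
                del self.counts[old]
        over = len(self.counts) > self.limit
        if over and not self.tripped:
            self.tripped = True
            return (f"{self.name}: {len(self.counts)} distinct keys in {self.window:g}s "
                    f"(limit {self.limit}) at t={ts:.2f}")
        if not over:
            self.tripped = False
        return None


@dataclass(frozen=True)
class Frame:
    ts: float
    eth_src: str
    dhcp_type: Optional[int] = None   # DHCP message-type, if the frame carries DHCP
    chaddr: Optional[str] = None      # DHCP client hardware address, if DHCP


class L2FloodDetector:
    # Thresholds are assumptions for a small LAN; tune them to the segment's baseline.
    def __init__(self, window: float = 10.0, mac_limit: int = 500, dhcp_limit: int = 50):
        self.cam = DistinctKeyMonitor("CAM-FLOOD", window, mac_limit)
        self.dhcp = DistinctKeyMonitor("DHCP-STARVE", window, dhcp_limit)

    def observe(self, f: Frame) -> List[str]:
        out = [self.cam.observe(f.ts, f.eth_src.lower())]
        if f.dhcp_type in (DHCP_DISCOVER, DHCP_REQUEST) and f.chaddr:
            out.append(self.dhcp.observe(f.ts, f.chaddr.lower()))
        return [a for a in out if a]


def from_scapy(pkt) -> Optional[Frame]:
    """Map a sniffed Scapy frame onto a Frame (None for non-Ethernet frames)."""
    if Ether is None or not pkt.haslayer(Ether):
        return None
    dhcp_type = chaddr = None
    if pkt.haslayer(BOOTP) and pkt.haslayer(DHCP):
        for opt in pkt[DHCP].options:   # tuples like ("message-type", 1), then "end"
            if isinstance(opt, tuple) and opt[0] == "message-type":
                dhcp_type = int(opt[1])
        raw = bytes(pkt[BOOTP].chaddr)[:pkt[BOOTP].hlen]   # 16-byte field; hlen is 6 on Ethernet
        chaddr = ":".join(f"{b:02x}" for b in raw)
    return Frame(float(pkt.time), pkt[Ether].src, dhcp_type, chaddr)


def synth_mac(i: int) -> str:   # locally administered MAC from an integer, for constructed traffic
    return "02:00:00:%02x:%02x:%02x" % ((i >> 16) & 0xFF, (i >> 8) & 0xFF, i & 0xFF)


def run_sample() -> List[str]:
    det = L2FloodDetector(window=10.0, mac_limit=100, dhcp_limit=20)
    # Constructed traffic: 10 real hosts for 30 s, then 300 forged sources in 3 s,
    # each also sending a DHCP DISCOVER with its forged MAC as chaddr.
    frames = [Frame(float(t), synth_mac(h)) for t in range(30) for h in range(10)]
    frames += [Frame(30.0 + i / 100, synth_mac(1000 + i), DHCP_DISCOVER, synth_mac(1000 + i))
               for i in range(300)]
    return [a for f in frames for a in det.observe(f)]


if __name__ == "__main__":
    print("\n".join(run_sample()))
    if sniff is not None and "--live" in sys.argv:   # sudo python3 l2_flood.py --live
        live = L2FloodDetector()
        sniff(store=False, prn=lambda p: [print(a) for f in [from_scapy(p)] if f for a in live.observe(f)])
```

The monitor alerts once and re-arms rather than firing on every frame, otherwise the flood of alerts becomes its own problem during the attack. The 10-second window and the limits are assumptions; baseline the segment before trusting them. On the switch side, port security (a cap on learned MACs per port) and DHCP snooping are the preventive controls for the two attacks this detects.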
CTS/RTS Wireless Attack
• Request-to-send (RTS) and clear-to-send (CTS) are 802.11 control frames: unencrypted, unauthenticated, and used to reserve the medium so transmissions do not collide
• A client wishing to send transmits an RTS. If the medium is clear, the destination responds with a CTS that carries a duration value; every station that hears the CTS sets its network allocation vector (NAV) and stays silent for that long. Because nothing is authenticated, anyone can forge CTS frames with large duration values and silence every station within range
CTS/RTS Wireless Attack (diagram: the attack in four numbered steps)
Wireless Deauth Attack
• Clients authenticate themselves to an access point before associating with the network
• Authentication occurs over unencrypted layer 2 management frames
• De-authentication also occurs over unencrypted, unauthenticated management frames, so anyone can forge one carrying the AP's address and knock a client off the network (802.11w protected management frames authenticate these frames where both AP and client support it)
• Tools such as aircrack-ng (aireplay-ng) can spoof a de-authentication
Wireless Deauth Attack (diagram: the attack in four numbered steps)
Fake Access Point Attack
• Wireless access points advertise themselves with 802.11 beacon frames
• Clients use the information in the beacon (SSID, channel, capabilities) to find and connect to the AP
• Beacons are unauthenticated: anyone can broadcast one and impersonate a network
• Combined with tools like Karmetasploit, an attacker can immediately attack a client that joins the fake AP.
Fake Access Point Attack (diagram: the attack in five numbered steps)
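The three 802.11 slides above (CTS/RTS abuse, de-authentication, fake access points) all work from the same monitor-mode frame fields, so one added example covers them (not code from the deck or from the author's paper). It accumulates the airtime CTS frames reserve per second, counts de-authentication frames per BSSID per second, and flags beacons for a known SSID coming from a BSSID that is not on the allow-list. The SSID, addresses and thresholds are made up; Scapy is used only to pull fields off live frames.

```python
"""Three checks on 802.11 frames from a monitor-mode interface: CTS frames that
reserve excessive airtime, deauthentication floods, and beacons for a known SSID
from an unexpected BSSID (fake access point). Scapy is used only for live capture."""
import sys
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

try:  # the detector itself is plain Python and runs without Scapy
    from scapy.all import Dot11, Dot11Beacon, Dot11Elt, sniff
except ImportError:
    Dot11 = Dot11Beacon = Dot11Elt = sniff = None

TYPE_MGMT, TYPE_CTRL = 0, 1                     # 802.11 frame types
SUBTYPE_BEACON, SUBTYPE_DEAUTH, SUBTYPE_CTS = 8, 12, 12   # mgmt, mgmt, control subtypes


@dataclass(frozen=True)
class WifiFrame:
    ts: float
    ftype: int
    subtype: int
    duration: int                 # Duration/ID field: NAV reservation in microseconds
    addr1: str                    # receiver address
    addr3: Optional[str] = None   # BSSID on management frames (absent on CTS)
    ssid: Optional[str] = None    # SSID element, beacons only


class WifiAttackDetector:
    def __init__(self, known_aps: Dict[str, Set[str]],
                 cts_airtime_limit: float = 0.5, deauth_limit: int = 10):
        # known_aps: SSID -> legitimate BSSIDs. Both thresholds are assumptions to tune per site.
        self.known = {s: {b.lower() for b in bs} for s, bs in known_aps.items()}
        self.cts_airtime_limit = cts_airtime_limit   # fraction of each second CTS may reserve
        self.deauth_limit = deauth_limit             # deauth frames per second per BSSID
        self.cts_us: Dict[int, int] = defaultdict(int)               # second -> us reserved
        self.deauths: Dict[Tuple[int, str], int] = defaultdict(int)  # (second, bssid) -> count
        self._fired: Set[tuple] = set()   # alert keys already reported, to avoid repeats

    def observe(self, f: WifiFrame) -> Optional[str]:
        sec, bssid = int(f.ts), (f.addr3 or "").lower()
        if f.ftype == TYPE_CTRL and f.subtype == SUBTYPE_CTS:
            self.cts_us[sec] += f.duration
            if self.cts_us[sec] > self.cts_airtime_limit * 1_000_000:
                return self._once(("cts", sec), f"CTS-FLOOD: {self.cts_us[sec]} us of airtime "
                                  f"reserved by CTS frames in second {sec}")
        elif f.ftype == TYPE_MGMT and f.subtype == SUBTYPE_DEAUTH:
            self.deauths[(sec, bssid)] += 1
            if self.deauths[(sec, bssid)] > self.deauth_limit:
                return self._once(("deauth", sec, bssid), f"DEAUTH-FLOOD: {self.deauths[(sec, bssid)]} "
                                  f"deauth frames from BSSID {bssid} in second {sec}")
        elif f.ftype == TYPE_MGMT and f.subtype == SUBTYPE_BEACON and f.ssid in self.known:
            if bssid not in self.known[f.ssid]:
                return self._once(("rogue", f.ssid, bssid),
                                  f"ROGUE-AP: beacon for '{f.ssid}' from unknown BSSID {bssid}")
        return None

    def _once(self, key: tuple, msg: str) -> Optional[str]:
        if key in self._fired:
            return None
        self._fired.add(key)
        return msg


def from_scapy(pkt) -> Optional[WifiFrame]:
    if Dot11 is None or not pkt.haslayer(Dot11):
        return None
    d, ssid = pkt[Dot11], None
    if pkt.haslayer(Dot11Beacon):
        elt = pkt.getlayer(Dot11Elt)
        while elt is not None:   # walk the tagged elements; ID 0 is the SSID
            if elt.ID == 0:
                ssid = elt.info.decode(errors="replace")
                break
            elt = elt.payload.getlayer(Dot11Elt)
    return WifiFrame(float(pkt.time), d.type, d.subtype, d.ID, d.addr1, d.addr3, ssid)


AP, ROGUE, BCAST = "00:1a:2b:3c:4d:5e", "02:ca:fe:00:00:01", "ff:ff:ff:ff:ff:ff"   # made up


def run_sample() -> List[str]:
    det = WifiAttackDetector({"HotelFreeWiFi": {AP}})
    # Constructed capture: legitimate beacons, then an evil twin, a CTS flood and a deauth flood.
    frames = [WifiFrame(t / 10, TYPE_MGMT, SUBTYPE_BEACON, 0, BCAST, AP, "HotelFreeWiFi")
              for t in range(40)]
    frames += [WifiFrame(2.55 + k / 10, TYPE_MGMT, SUBTYPE_BEACON, 0, BCAST, ROGUE, "HotelFreeWiFi")
               for k in range(5)]
    frames += [WifiFrame(5.0 + k / 50, TYPE_CTRL, SUBTYPE_CTS, 32767, ROGUE) for k in range(20)]
    frames += [WifiFrame(7.0 + k / 50, TYPE_MGMT, SUBTYPE_DEAUTH, 314, BCAST, AP) for k in range(30)]
    return [a for f in frames if (a := det.observe(f))]


if __name__ == "__main__":
    print("\n".join(run_sample()))
    if sniff is not None and "--live" in sys.argv:   # sudo python3 wifi_watch.py --live
        live = WifiAttackDetector({"HotelFreeWiFi": {AP}})   # wlan0mon must be in monitor mode
        sniff(iface="wlan0mon", store=False,
              prn=lambda p: [print(a) for f in [from_scapy(p)] if f for a in [live.observe(f)] if a])
```

A single CTS can reserve at most 32767 microseconds, so the airtime check catches the flood by summing reservations per second rather than looking at any one frame. 802.11w protected management frames authenticate de-authentication and disassociation frames where both AP and client support it, but control frames such as CTS and beacons are never protected, so the first and third checks stay relevant on a fully 802.11w network.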
Conclusions
• Layer two attacks still present a threat to modern networks
• Typically these threats go unnoticed by intrusion detection systems, which inspect layer 3 and above
• Scapy and a little creativity can be used to automate detecting layer two attacks
• For more information, see "Detecting and Responding to Data Link Layer Attacks", published in the SANS Reading Room (GCIA)