
Detecting and Responding to Data Link Layer Attacks With Scapy
TJ OConnor
September 2011
GIAC (GSE, GSEC, GCFW, GCIA, GCIH, GCFA, GREM,
GPEN, GWAPT, GCFE)
SANS Technology Institute - Candidate for Master of Science Degree
The Hotel Area Network Dilemma
• About 1 year ago, sitting in a hotel room in Washington D.C.
– “Free” Wireless Internet starts working intermittently
– Users start complaining of Facebook posts they didn’t make
• Fire up IDS toolkit
– IDS doesn’t see anything happening at Layer 3
– IPS isn’t seeing any attacks against the hotel either
• What’s happening?
– As incident responders, we need the ability to quickly write tools to parse data… in this case, Layer 2 traffic
Cam-Table Exhaustion Attack
• CAM Table maintains a list of switch ports and
destination MAC addresses by port
• Overloading the switch with CAM Table entries
results in overflowing memory. Switch no longer
knows how to deliver based on MAC-port bindings
ETH.SRC = AA:AA:AA:AA:AA:AA
ETH.SRC = AA:AA:AA:AA:AA:AB
ETH.SRC = AA:AA:AA:AA:AA:AC
ETH.SRC = AA:AA:AA:AA:AA:AD
ETH.SRC = AA:AA:AA:AA:AA:AE
…..
Cam-Table Exhaustion Attack
    from scapy.all import sniff, Ether, IP
    import datetime

    interface = "eth0"   # interface to monitor
    THRESH = 50          # new source MACs per second before alerting
    hwList = []          # every distinct source MAC seen so far
    start = datetime.datetime.now()

    def monitorPackets(p):
        global start
        if p.haslayer(IP):
            hwSrc = p.getlayer(Ether).src
            if hwSrc not in hwList:
                hwList.append(hwSrc)
                delta = datetime.datetime.now() - start
                # total_seconds() floored at 1 so the first second of capture cannot divide by zero
                if (len(hwList) / max(delta.total_seconds(), 1.0)) > THRESH:
                    print("[*] - Detected CAM Table Attack.")
                    start = datetime.datetime.now()

    sniff(iface=interface, prn=monitorPackets)
ARP Spoofing
• ARP translates layer 3 (IP) addresses to layer 2 (MAC) addresses
• Clients maintain their own ARP tables of these logical-to-physical bindings
• But anyone can broadcast a gratuitous ARP, and client tables are updated
Diagram: station C tells A that B’s IP ADDR is located at HW ADDR for C, and tells B that A’s IP ADDR is located at HW ADDR for C.
ARP Spoofing
    from scapy.all import sniff, ARP

    interface = "eth0"
    hwTable = {}         # IP address -> MAC address learned from ARP replies

    def monitorPackets(p):
        global hwTable
        if p.haslayer(ARP) and p.getlayer(ARP).op == 2:   # op 2 = is-at (reply)
            hwSrc = p.getlayer(ARP).hwsrc
            ipSrc = p.getlayer(ARP).psrc
            if ipSrc in hwTable:
                if hwSrc != hwTable[ipSrc]:
                    print("[*] - Conflict for IP: " + ipSrc)
            hwTable[ipSrc] = hwSrc

    sniff(iface=interface, filter="arp", prn=monitorPackets)
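The same IP-to-MAC conflict check, as an added example that is not part of the original slides: it parses raw Ethernet/ARP is-at frames with struct instead of Scapy so it runs offline, and replays constructed sample frames in which a third station claims host A's address. All MAC and IP values are constructed.

```python
import struct

ETH_ARP = 0x0806          # EtherType for ARP
ARP_REPLY = 2             # ARP opcode "is-at"

def parse_arp_reply(frame):
    """Return (sender_ip, sender_mac) for an Ethernet/ARP is-at frame, else None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_ARP:
        return None
    hw_type, proto_type, hw_len, proto_len, op = struct.unpack("!HHBBH", frame[14:22])
    if op != ARP_REPLY or hw_len != 6 or proto_len != 4:
        return None
    sender_mac = ":".join("%02x" % b for b in frame[22:28])
    sender_ip = ".".join(str(b) for b in frame[28:32])
    return sender_ip, sender_mac

def detect_arp_conflicts(frames):
    """Replay frames through the slide's hwTable logic; return (ip, old_mac, new_mac) conflicts."""
    hw_table, conflicts = {}, []
    for frame in frames:
        parsed = parse_arp_reply(frame)
        if parsed is None:
            continue
        ip, mac = parsed
        if ip in hw_table and hw_table[ip] != mac:
            conflicts.append((ip, hw_table[ip], mac))
        hw_table[ip] = mac
    return conflicts

def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Pack a minimal 42-byte Ethernet/ARP is-at frame (used only to construct sample data)."""
    smac = bytes.fromhex(sender_mac.replace(":", ""))
    tmac = bytes.fromhex(target_mac.replace(":", ""))
    sip = bytes(int(x) for x in sender_ip.split("."))
    tip = bytes(int(x) for x in target_ip.split("."))
    eth = tmac + smac + struct.pack("!H", ETH_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY) + smac + sip + tmac + tip
    return eth + arp

# Constructed sample: host A (10.0.0.1) and host B (10.0.0.2) answer each other
# normally, then a third station (cc:...:03) claims A's address, as in the diagram.
SAMPLE_FRAMES = [
    build_arp_reply("aa:aa:aa:aa:aa:01", "10.0.0.1", "bb:bb:bb:bb:bb:02", "10.0.0.2"),
    build_arp_reply("bb:bb:bb:bb:bb:02", "10.0.0.2", "aa:aa:aa:aa:aa:01", "10.0.0.1"),
    build_arp_reply("cc:cc:cc:cc:cc:03", "10.0.0.1", "bb:bb:bb:bb:bb:02", "10.0.0.2"),
]
```

Running detect_arp_conflicts(SAMPLE_FRAMES) reports one conflict for 10.0.0.1, moving from aa:...:01 to cc:...:03.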
DHCP Starvation Attack
• Dynamic IP addresses are leased from a DHCP server after a request by a client. The lease allows the client to use the specified address for a period of time.
• By sending 254 DHCP Requests, a DHCP starvation attack prevents any new clients from joining
Diagram: DHCP Request, DHCP Request, DHCP Request, …. until a DHCP Request fails: no addresses available.
DHCP Starvation Attack
    from scapy.all import sniff, BOOTP

    interface = "eth0"
    reqCnt = 0           # BOOTP requests (op 1) seen
    ofrCnt = 0           # BOOTP replies/offers (op 2) seen

    def monitorPackets(p):
        global reqCnt, ofrCnt
        if p.haslayer(BOOTP):
            opCode = p.getlayer(BOOTP).op
            if opCode == 1:          # BOOTREQUEST, client -> server
                reqCnt = reqCnt + 1
            elif opCode == 2:        # BOOTREPLY, server -> client
                ofrCnt = ofrCnt + 1
            print("[*] - " + str(reqCnt) + " Requests.")
            print("[*] - " + str(ofrCnt) + " Offers.")

    sniff(iface=interface, filter="udp and (port 67 or port 68)", prn=monitorPackets)
CTS/RTS Wireless Attack
• Clear-to-send (CTS) and Ready-to-send (RTS) are layer 2 unencrypted/unauthenticated messages used to prevent wireless collisions
• Clients wishing to send traffic transmit an RTS. If the medium is clear, the destination responds with a CTS. Everybody else who hears the CTS backs off.
CTS/RTS Wireless Attack
    from scapy.all import sniff, Dot11
    import datetime

    interface = "mon0"   # wireless interface in monitor mode
    THRESH = 100         # RTS or CTS frames per second before alerting
    rtsCNT = 0
    ctsCNT = 0
    start = datetime.datetime.now()

    def monitorPackets(p):
        global rtsCNT, ctsCNT, start
        # RTS/CTS are control frames (type 1); the type check keeps management subtype 12 (deauth) out of the CTS count
        if p.haslayer(Dot11) and p.getlayer(Dot11).type == 1:
            secs = max((datetime.datetime.now() - start).total_seconds(), 1.0)
            if p.getlayer(Dot11).subtype == 11:        # RTS
                rtsCNT = rtsCNT + 1
                if (rtsCNT / secs) > THRESH:
                    print("[*] - Detected RTS Flood.")
                    rtsCNT, start = 0, datetime.datetime.now()
            elif p.getlayer(Dot11).subtype == 12:      # CTS
                ctsCNT = ctsCNT + 1
                if (ctsCNT / secs) > THRESH:
                    print("[*] - Detected CTS Flood.")
                    ctsCNT, start = 0, datetime.datetime.now()

    sniff(iface=interface, prn=monitorPackets)
Wireless Deauth Attack
• Clients authenticate themselves to access points prior to association with the network
• Authentication typically occurs over unencrypted layer 2 management frames
• De-authentication also occurs over unencrypted layer 2 management frames
• Tools such as aircrack-ng can spoof a deauthentication
Wireless Deauth Attack
    from scapy.all import sniff, Dot11
    import datetime

    interface = "mon0"   # wireless interface in monitor mode
    THRESH = 10          # deauthentication frames per second before alerting
    deauthCNT = 0
    start = datetime.datetime.now()

    def monitorPackets(p):
        global deauthCNT, start
        if p.haslayer(Dot11):
            frameType = p.getlayer(Dot11).type
            subtype = p.getlayer(Dot11).subtype
            if (frameType == 0) and (subtype == 12):      # management / deauthentication
                deauthCNT = deauthCNT + 1
                delta = datetime.datetime.now() - start
                rate = deauthCNT / max(delta.total_seconds(), 1.0)
                if rate > THRESH:
                    print("[*] - Detected Deauth Attack")
                    print("[*] - Count: " + str(deauthCNT))
                    deauthCNT = 0
                    start = datetime.datetime.now()

    sniff(iface=interface, prn=monitorPackets)
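The per-second counters on the CAM-table, RTS/CTS and deauth slides all divide a running count by delta.seconds, which is zero for the first second of capture and never forgets old events. This added example (not from the original presentation) generalises them into a sliding-window rate detector and replays constructed (timestamp, type, subtype) and (timestamp, MAC) records; thresholds, window size and sample values are assumptions.

```python
from collections import deque

class RateDetector:
    """Flag when more than `threshold` events fall inside any `window`-second span.

    Replaces the slides' count / delta.seconds test, which divides by zero during
    the first second of capture and never ages out old events.
    """
    def __init__(self, threshold, window=1.0):
        self.threshold = threshold
        self.window = window
        self.events = deque()   # timestamps (seconds) of events still inside the window

    def add(self, ts):
        """Record an event at time ts; return True if the windowed count exceeds the threshold."""
        self.events.append(ts)
        while self.events and ts - self.events[0] > self.window:
            self.events.popleft()
        return len(self.events) > self.threshold

def count_deauth_alerts(frames, threshold, window=1.0):
    """frames: (ts, type, subtype) tuples from Dot11 headers; count the deauth
    frames (type 0 / subtype 12) that push the windowed rate over threshold."""
    det = RateDetector(threshold, window)
    return sum(1 for ts, ftype, subtype in frames
               if ftype == 0 and subtype == 12 and det.add(ts))

def count_new_mac_alerts(records, threshold, window=1.0):
    """records: (ts, src_mac) tuples. Only the first sighting of each MAC is an
    event, mirroring the CAM-table slide's hwList check."""
    det, seen, alerts = RateDetector(threshold, window), set(), 0
    for ts, mac in records:
        if mac not in seen:
            seen.add(mac)
            if det.add(ts):
                alerts += 1
    return alerts

# Constructed samples: a quiet capture with two deauth frames five seconds apart
# amid data frames, and a burst of 20 deauth frames 10 ms apart starting at t=10.
QUIET = [(0.0, 0, 12), (0.5, 2, 0), (5.0, 0, 12), (5.3, 2, 0)]
BURST = [(10.0 + i * 0.01, 0, 12) for i in range(20)]
# Three hosts chatting normally, then 100 distinct source MACs inside half a second.
CHATTER = [(t * 0.1, "aa:aa:aa:aa:aa:%02x" % (t % 3)) for t in range(30)]
FLOOD = [(3.0 + i * 0.005, "cc:cc:cc:cc:%02x:%02x" % (i // 256, i % 256)) for i in range(100)]
```

With a threshold of 5 the quiet capture raises nothing, while the burst raises an alert on each deauth frame from the sixth onward.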
Fake Access Point Attack
• Wireless access points are advertised over an 802.11 beacon frame
• Clients use the information in the 802.11 beacon frame to connect to the wireless AP
• Anyone can broadcast an 802.11 beacon, impersonating a network
• Combined with tools like karmetasploit, an attacker can instantly attack a client that joins a fake AP.
Fake Access Point Attack
    from scapy.all import sniff, Dot11, Dot11Beacon, Dot11Elt

    interface = "mon0"   # wireless interface in monitor mode
    THRESH = 5           # timestamp rollbacks per BSSID before alerting
    ssidDict = {}        # BSSID -> list of beacon timestamps seen so far
    ssidCnt = {}         # BSSID -> number of times the timestamp went backwards

    def monitorPackets(p):
        # Dot11Beacon is type 0 (management) / subtype 8; matching the layer avoids
        # counting data frames that also carry subtype 8 (QoS data)
        if p.haslayer(Dot11Beacon):
            ssid = p.getlayer(Dot11Elt).info            # first tagged element is the SSID
            bssid = p.getlayer(Dot11).addr2
            stamp = p.getlayer(Dot11Beacon).timestamp
            if bssid not in ssidDict:
                ssidDict[bssid] = []
                ssidCnt[bssid] = 0
            else:
                prev = ssidDict[bssid][-1]
                # a genuine AP's TSF timestamp only increases; a second radio using
                # the same BSSID shows up as a timestamp that goes backwards
                if int(stamp) < int(prev):
                    ssidCnt[bssid] = ssidCnt[bssid] + 1
                    if ssidCnt[bssid] > THRESH:
                        print("[*] - Detected fakeAP")
                        print("[*] - SSID: " + str(ssid))
            ssidDict[bssid].append(stamp)

    sniff(iface=interface, prn=monitorPackets)
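The beacon-timestamp rollback check, as an added example not from the original slides: parse_beacon reads the 802.11 management header and beacon fixed fields from raw bytes instead of Scapy's Dot11 layers, and detect_fake_ap replays constructed beacons from a real AP and an impersonator sharing its BSSID and SSID. The BSSID, SSID and TSF values are constructed.

```python
import struct

def parse_beacon(frame):
    """Return (bssid, tsf_timestamp, ssid) for a raw 802.11 beacon frame, else None."""
    if len(frame) < 36:
        return None
    fc = frame[0]                          # frame control: bits 2-3 type, bits 4-7 subtype
    if ((fc >> 2) & 0x3) != 0 or (fc >> 4) != 8:   # management (0) / beacon (8) only
        return None
    bssid = ":".join("%02x" % b for b in frame[10:16])   # addr2 = transmitting station
    timestamp = struct.unpack("<Q", frame[24:32])[0]       # 64-bit TSF, little-endian
    ssid, pos = b"", 36                    # tagged elements follow timestamp/interval/capability
    while pos + 2 <= len(frame):
        eid, elen = frame[pos], frame[pos + 1]
        if eid == 0:                       # element 0 = SSID
            ssid = frame[pos + 2:pos + 2 + elen]
        pos += 2 + elen
    return bssid, timestamp, ssid.decode("utf-8", "replace")

def build_beacon(bssid, timestamp, ssid):
    """Pack a minimal beacon frame (used only to construct sample data)."""
    mac = bytes.fromhex(bssid.replace(":", ""))
    hdr = b"\x80\x00\x00\x00" + b"\xff" * 6 + mac + mac + b"\x00\x00"
    return hdr + struct.pack("<QHH", timestamp, 100, 0x0001) + bytes([0, len(ssid)]) + ssid.encode()

def detect_fake_ap(frames, thresh):
    """Replay beacons; return {(bssid, ssid)} whose TSF went backwards more than thresh times.
    A genuine AP's TSF only counts up, so rollbacks mean a second radio is using its BSSID."""
    last, rollbacks, alerts = {}, {}, set()
    for frame in frames:
        parsed = parse_beacon(frame)
        if parsed is None:
            continue
        bssid, ts, ssid = parsed
        if bssid in last and ts < last[bssid]:
            rollbacks[bssid] = rollbacks.get(bssid, 0) + 1
            if rollbacks[bssid] > thresh:
                alerts.add((bssid, ssid))
        last[bssid] = ts
    return alerts

# Constructed sample: the real AP beacons every 100 TU (102400 us) from TSF 1,000,000;
# an impersonator with the same BSSID/SSID beacons from its own TSF counter, starting at 5,000.
REAL = [build_beacon("aa:bb:cc:dd:ee:ff", 1_000_000 + i * 102_400, "HotelWiFi") for i in range(10)]
ROGUE = [build_beacon("aa:bb:cc:dd:ee:ff", 5_000 + i * 102_400, "HotelWiFi") for i in range(10)]
MIXED = [f for pair in zip(REAL, ROGUE) for f in pair]   # both radios heard in turn
```

Each rogue beacon that follows a genuine one rolls the TSF back, so the interleaved capture crosses a threshold of 5 while the genuine beacons alone never do.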
Conclusions
• Layer two attacks still present a threat to modern networks
• Typically these threats go unnoticed by intrusion detection systems
• Scapy and a little creativity can be used to automate detecting layer two attacks
• For more information, see “Detecting and Responding to Data Link Layer Attacks” published in the SANS GCIA Reading Room