Tuesday, October 9, 2012

How to Convert a Victim Switch to a Hub

First way
ARP Poisoning (arpspoof)
The attack is based on a weakness of the ARP protocol. ARP is old and limited to local network segments, but it is still one of the biggest threats on L2 networks.
Enable routing on the attacker so that it can route the traffic back to the victim. This is required if you want to silently listen to the traffic instead of causing a DoS.
# echo 1 > /proc/sys/net/ipv4/ip_forward    (enables IP forwarding in the Linux kernel)
To see what is going on at the victim machine, type arp -a and check the MAC address of the victim's gateway. Once the poisoning starts, the value changes to the attacker's MAC address.

Let's start.
First SSH session:
# arpspoof -t victimip gwip
Second SSH session:
# arpspoof -t gwip victimip

Protection from ARP Poisoning
Enable Dynamic ARP Inspection on the relevant switch.

If you have a DHCP server:
Cisco(config)# ip dhcp snooping vlan <vlan-id>
Cisco(config)# ip arp inspection vlan <vlan-id>
Cisco(config)# interface GigabitEthernet 1/11
Cisco(config-if)# ip dhcp snooping trust
Cisco(config-if)# ip arp inspection trust

If not, you have to manually set static IP-to-MAC bindings:
Cisco(config)# ip arp inspection vlan <vlan-id>
Cisco(config)# ip source binding <mac-address> vlan <vlan-id> <ip-address> interface Gi1/1
Cisco(config)# arp access-list <acl-name>
Cisco(config-arp-acl)# permit ip host <ip-address> mac host <mac-address>
Cisco(config)# ip arp inspection filter <acl-name> vlan <vlan-id>
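
The arp -a check described earlier can also be automated on a host, as a complement to Dynamic ARP Inspection on the switch. The Python script below is an added example, not part of the original post; it assumes Linux net-tools style arp -a output, and the function names, addresses and sample tables are constructed for illustration.

```python
import re
from collections import defaultdict

# Matches Linux net-tools `arp -a` lines, e.g.
#   ? (192.168.1.1) at 00:11:22:33:44:55 [ether] on eth0
# Entries shown as "<incomplete>" carry no MAC and are skipped.
ARP_LINE = re.compile(
    r"\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)\s+at\s+"
    r"(?P<mac>[0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5})\b"
)

def parse_arp_table(text):
    """Return {ip: mac} with MACs normalised to lower case, colon separated."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if m:
            table[m.group("ip")] = m.group("mac").lower().replace("-", ":")
    return table

def check_arp_table(text, gateway_ip, known_gateway_mac):
    """Return a list of findings that point to ARP cache poisoning."""
    table = parse_arp_table(text)
    findings = []
    seen = table.get(gateway_ip)
    expected = known_gateway_mac.lower().replace("-", ":")
    if seen is not None and seen != expected:
        findings.append(f"gateway {gateway_ip} is at {seen}, expected {expected}")
    # One MAC answering for several IPs is what a poisoned cache looks like;
    # it can also be a legitimate multi-homed host, so treat it as a lead.
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    for mac, ips in sorted(by_mac.items()):
        if len(ips) > 1:
            findings.append(f"{mac} claims {', '.join(sorted(ips))}")
    return findings

# Constructed sample output (not captured from a real network).
CLEAN = """\
? (192.168.1.1) at 00:11:22:33:44:55 [ether] on eth0
? (192.168.1.50) at 66:77:88:99:aa:bb [ether] on eth0
? (192.168.1.77) at <incomplete> on eth0
"""
POISONED = CLEAN.replace("00:11:22:33:44:55", "66:77:88:99:AA:BB")

if __name__ == "__main__":
    for name, sample in (("clean", CLEAN), ("poisoned", POISONED)):
        print(name, check_arp_table(sample, "192.168.1.1", "00:11:22:33:44:55"))
```

Record the gateway's MAC address while the network is known to be clean, then feed the script the current arp -a output on a schedule.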

Second way
MAC flooding attacks a switched network with lots of bogus ARP packets, overloading the switch's CAM table and making it act like a hub.
A typical switch can handle a few thousand ARP records, so it can be overloaded.
Once it is overloaded, you may start sniffing.

You may use the tool macof:
# macof -i eth0

Protection against this attack is simply enabling Port Security.