
Detecting and Responding to Data Link Layer Attacks With Scapy

TJ O'Connor, September 2011, GIAC (GSE, GSEC, GCFW, GCIA, GCIH, GCFA, GREM, GPEN, GWAPT, GCFE)

SANS Technology Institute - Candidate for Master of Science Degree

The Hotel Area Network Dilemma


About 1 year ago, sitting in a hotel room in Washington D.C.
Free Wireless Internet starts working intermittently
Users start complaining of Facebook posts they didn't make

Fire up IDS toolkit

IDS doesn't see anything happening at Layer 3
IPS isn't seeing any attacks against the hotel either

What's happening?
As incident responders, we need the ability to quickly write tools to parse data, in this case Layer 2 traffic


CAM Table Exhaustion Attack


The CAM table maps the source MAC addresses a switch has learned to the port each was seen on, so a frame can be forwarded to one port instead of flooded to all of them
Overloading the switch with frames from bogus source MACs fills the CAM table. Once it overflows, the switch no longer knows how to deliver based on MAC-port bindings and falls back to flooding frames out every port, which lets the attacker sniff traffic meant for other hosts
Diagram: a flood of frames with incrementing spoofed source addresses (ETH.S = AA:AA:AA:AA:AA:AA, AA:AA:AA:AA:AA:AB, AA:AA:AA:AA:AA:AC, AA:AA:AA:AA:AA:AD, AA:AA:AA:AA:AA:AE, ...) arriving at the switch


CAM Table Exhaustion Attack


    import datetime
    from scapy.all import Ether, sniff

    interface = "eth0"   # interface to monitor
    THRESH = 20          # new source MACs per second that triggers an alert
    hwList = []          # source MACs seen since the last alert
    start = datetime.datetime.now()

    def monitorPackets(p):
        global start
        # any frame with a new source MAC counts, whether or not it carries IP
        if p.haslayer(Ether):
            hwSrc = p.getlayer(Ether).src
            if hwSrc not in hwList:
                hwList.append(hwSrc)
                delta = datetime.datetime.now() - start
                # max(..., 1) avoids a ZeroDivisionError during the first second
                if (len(hwList) / max(delta.seconds, 1)) > THRESH:
                    print("[*] - Detected CAM Table Attack.")
                    hwList.clear()
                    start = datetime.datetime.now()

    sniff(iface=interface, prn=monitorPackets)
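The slide's detector divides a cumulative count by the seconds since the last alert, so a long quiet period before the flood dilutes the rate. The following is an added example, not code from the original slides: it parses the Ethernet header with struct (no Scapy needed, so it runs offline), counts first-seen source MACs inside a sliding one-second window, and runs the detector over constructed frames for both a normal 5-host LAN and a macof-style flood. The threshold, window and sample traffic are assumptions.

```python
"""Added example (not from the original slides): detect a CAM-table
exhaustion flood from raw Ethernet frames without Scapy. Frame parsing
uses struct; capture timestamps are supplied with each frame so the run
is deterministic. The threshold and the sample traffic are assumptions."""
import struct
from collections import deque

THRESH = 50          # first-seen source MACs per WINDOW seconds (assumed)
WINDOW = 1.0         # sliding window length in seconds


def parse_ethernet_src(frame: bytes) -> str:
    """Return the source MAC of an Ethernet II frame as aa:bb:cc:dd:ee:ff."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    _dst, src, _ethertype = struct.unpack("!6s6sH", frame[:14])
    return ":".join("%02x" % b for b in src)


class CamFloodDetector:
    """Counts first-seen source MACs inside a sliding time window.

    Unlike a cumulative count divided by elapsed time, a sliding window
    cannot be diluted by a long quiet period before the flood starts.
    """

    def __init__(self, thresh=THRESH, window=WINDOW):
        self.thresh = thresh
        self.window = window
        self.seen = set()          # every source MAC observed so far
        self.recent = deque()      # timestamps of first-seen MACs in the window

    def observe(self, frame: bytes, ts: float) -> bool:
        """Feed one frame with its capture time; True if the alert fires."""
        src = parse_ethernet_src(frame)
        if src in self.seen:
            return False
        self.seen.add(src)
        self.recent.append(ts)
        while self.recent and ts - self.recent[0] > self.window:
            self.recent.popleft()
        return len(self.recent) > self.thresh


def make_frame(src_mac: bytes, dst_mac: bytes = b"\xff" * 6) -> bytes:
    """Constructed Ethernet II frame (ethertype 0x0800) with a dummy payload."""
    return struct.pack("!6s6sH", dst_mac, src_mac, 0x0800) + b"\x00" * 46


def run_normal_traffic() -> bool:
    """Constructed sample: 5 hosts chatting for 10 seconds. Expect no alert."""
    det = CamFloodDetector()
    macs = [bytes([0x00, 0x11, 0x22, 0x33, 0x44, i]) for i in range(5)]
    return any(det.observe(make_frame(macs[i % 5]), ts=i * 0.1) for i in range(100))


def run_flood() -> int:
    """Constructed sample: macof-style flood, 300 distinct MACs in 0.3 s.

    Returns the index of the frame at which the detector first alerts,
    or -1 if it never does."""
    det = CamFloodDetector()
    for i in range(300):
        src = b"\xaa\xaa\xaa\xaa" + struct.pack("!H", i)
        if det.observe(make_frame(src), ts=10.0 + i * 0.001):
            return i
    return -1


if __name__ == "__main__":
    print("normal traffic alert:", run_normal_traffic())
    print("flood detected at frame:", run_flood())
```

In a live deployment the frame bytes and timestamp would come from the capture library (Scapy's `sniff` callback can pass `bytes(p)` and `p.time`); the detector itself does not care where they come from.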


ARP Spoofing
ARP translates layer 3 (IP) addresses to layer 2 (MAC) addresses
Clients maintain their own ARP tables of these logical-to-physical bindings
But anyone can broadcast a gratuitous ARP, and clients update their tables without any authentication
Diagram: attacker C poisons two hosts. To A it announces "B's IP ADDR is located at HW ADDR for C"; to B it announces "A's IP ADDR is located at HW ADDR for C", so traffic between A and B now flows through C


ARP Spoofing

    from scapy.all import ARP, sniff

    interface = "eth0"
    hwTable = {}   # IP address -> MAC address learned from ARP replies

    def monitorPackets(p):
        global hwTable
        if p.haslayer(ARP) and p.getlayer(ARP).op == 2:   # op 2 = is-at (reply)
            hwSrc = p.getlayer(ARP).hwsrc
            ipSrc = p.getlayer(ARP).psrc
            if ipSrc in hwTable:
                if hwSrc != hwTable[ipSrc]:
                    print("[*] - Conflict for IP: " + ipSrc)
                    print("      was " + hwTable[ipSrc] + ", now " + hwSrc)
            hwTable[ipSrc] = hwSrc

    sniff(iface=interface, filter="arp", prn=monitorPackets)
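The same conflict check, as an added example that is not part of the original slides, but parsing raw Ethernet/ARP bytes with struct so it runs without Scapy, and adding two checks a practitioner usually wants alongside the IP-to-MAC conflict: an ARP sender address that disagrees with the Ethernet source address, and a reply addressed to the broadcast MAC (a gratuitous reply, which legitimate hosts rarely send to poison a peer). The hosts A, B and C and their addresses are constructed.

```python
"""Added example (not from the original slides): parse raw Ethernet/ARP
frames with struct and flag IP-to-MAC conflicts, plus two heuristic
checks the slide's Scapy version does not make. All addresses are
constructed for the demonstration."""
import struct

ETH_P_ARP = 0x0806
ARP_REPLY = 2


def mac_str(b: bytes) -> str:
    return ":".join("%02x" % x for x in b)


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def parse_arp(frame: bytes):
    """Return (eth_src, op, hwsrc, psrc, hwdst, pdst) or None if not IPv4 ARP."""
    if len(frame) < 14 + 28:
        return None
    _dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if htype != 1 or ptype != 0x0800 or hlen != 6 or plen != 4:
        return None
    return (mac_str(eth_src), op, mac_str(sha), ip_str(spa), mac_str(tha), ip_str(tpa))


class ArpWatch:
    """Learns IP -> MAC from ARP replies and reports anomalies as strings."""

    def __init__(self):
        self.table = {}

    def observe(self, frame: bytes):
        parsed = parse_arp(frame)
        if parsed is None:
            return []
        eth_src, op, hwsrc, psrc, hwdst, pdst = parsed
        alerts = []
        if op != ARP_REPLY:
            return alerts
        # Check 1 (heuristic): the ARP sender MAC should match the frame's source MAC.
        if eth_src != hwsrc:
            alerts.append("ARP hwsrc %s differs from frame src %s" % (hwsrc, eth_src))
        # Check 2 (heuristic): a reply aimed at the broadcast MAC is gratuitous.
        if hwdst == "ff:ff:ff:ff:ff:ff":
            alerts.append("gratuitous ARP reply for %s from %s" % (psrc, hwsrc))
        # Check 3 (the slide's check): a learned IP now claims a different MAC.
        known = self.table.get(psrc)
        if known is not None and known != hwsrc:
            alerts.append("Conflict for IP %s: was %s, now %s" % (psrc, known, hwsrc))
        self.table[psrc] = hwsrc
        return alerts


def build_arp_reply(eth_src, sha, spa, tha, tpa, eth_dst=None) -> bytes:
    """Constructed ARP reply frame; eth_dst defaults to the ARP target MAC."""
    eth_dst = tha if eth_dst is None else eth_dst
    eth = struct.pack("!6s6sH", eth_dst, eth_src, ETH_P_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, ARP_REPLY, sha, spa, tha, tpa)
    return eth + arp


# Constructed hosts: A (victim), B (gateway), C (attacker)
MAC_A, IP_A = bytes.fromhex("020000000a0a"), bytes([10, 0, 0, 10])
MAC_B, IP_B = bytes.fromhex("020000000b0b"), bytes([10, 0, 0, 1])
MAC_C = bytes.fromhex("020000000c0c")


def demo():
    """Legitimate reply from B, then C telling A that B's IP lives at C's MAC."""
    w = ArpWatch()
    out = []
    out += w.observe(build_arp_reply(MAC_B, MAC_B, IP_B, MAC_A, IP_A))
    out += w.observe(build_arp_reply(MAC_C, MAC_C, IP_B, MAC_A, IP_A))
    return out


if __name__ == "__main__":
    for a in demo():
        print("[*] " + a)
```

Checks 1 and 2 are heuristics: proxy ARP and some failover schemes can legitimately trigger them, so in practice they are evidence to correlate with the conflict check rather than alerts on their own.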


DHCP Starvation Attack


Dynamic IP addresses are leased from a DHCP server after a request by a client. The lease allows the client to use the specified address for a period of time.
A DHCP starvation attack sends requests from many spoofed client hardware addresses until the server's address pool is exhausted (254 requests for a typical /24 scope); legitimate new clients then cannot obtain an address and cannot join the network
Diagram: DHCP Request, DHCP Request, DHCP Request, ... DHCP Request from the attacker, then a legitimate client fails: "No addresses available"


DHCP Starvation Attack


    from scapy.all import BOOTP, sniff

    interface = "eth0"
    reqCnt = 0   # BOOTREQUEST (client -> server: discover/request)
    ofrCnt = 0   # BOOTREPLY   (server -> client: offer/ack/nak)

    def monitorPackets(p):
        global reqCnt, ofrCnt
        if p.haslayer(BOOTP):
            opCode = p.getlayer(BOOTP).op
            if opCode == 1:
                reqCnt = reqCnt + 1
            elif opCode == 2:
                ofrCnt = ofrCnt + 1
            # a request count that runs far ahead of the replies means the
            # server has stopped handing out leases
            print("[*] - " + str(reqCnt) + " Requests.")
            print("[*] - " + str(ofrCnt) + " Offers.")

    sniff(iface=interface, filter="udp and (port 67 or port 68)", prn=monitorPackets)
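Raw request and reply totals need a human to interpret them. The following added example (not code from the original slides) parses the DHCP payload with struct, reads the message type from option 53, and alerts when more distinct client hardware addresses ask for leases inside a time window than the scope can hold, which is the condition that actually defines starvation. It assumes the UDP/IP headers have already been stripped and that the pool size is known; the packets, pool size and window are constructed.

```python
"""Added example (not from the original slides): a struct-based DHCP
parser and a starvation detector that counts distinct client hardware
addresses asking for leases inside a time window, instead of the slide's
raw request/reply totals. Packets, pool size and window are constructed."""
import struct
from collections import deque

BOOTREQUEST, BOOTREPLY = 1, 2
MAGIC = b"\x63\x82\x53\x63"
DISCOVER, OFFER, REQUEST, ACK = 1, 2, 3, 5


def parse_dhcp(payload: bytes):
    """Return (op, chaddr, msg_type) from a DHCP payload (the UDP data)."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    op, _htype, hlen = struct.unpack("!BBB", payload[:3])
    chaddr = payload[28:28 + hlen]            # client hardware address
    msg_type = None
    i = 240                                   # options follow the magic cookie
    while i < len(payload):
        code = payload[i]
        if code == 255:                       # end option
            break
        if code == 0:                         # pad
            i += 1
            continue
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if code == 53 and length == 1:        # DHCP message type
            msg_type = value[0]
        i += 2 + length
    return op, chaddr, msg_type


def build_dhcp(op: int, chaddr: bytes, msg_type: int, xid: int = 0x1234) -> bytes:
    """Constructed minimal DHCP message carrying only option 53."""
    fixed = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", op, 1, 6, 0, xid, 0, 0,
                        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                        chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    return fixed + MAGIC + bytes([53, 1, msg_type, 255])


class StarvationDetector:
    """Alert when more distinct client MACs than the pool can hold ask for
    leases inside `window` seconds. Also keeps the slide's tallies."""

    def __init__(self, pool_size=254, window=60.0):
        self.pool_size = pool_size
        self.window = window
        self.recent = deque()      # (ts, chaddr) for DISCOVER/REQUEST
        self.req_cnt = 0
        self.reply_cnt = 0

    def observe(self, payload: bytes, ts: float) -> bool:
        op, chaddr, msg_type = parse_dhcp(payload)
        if op == BOOTREQUEST:
            self.req_cnt += 1
            if msg_type in (DISCOVER, REQUEST):
                self.recent.append((ts, chaddr))
        elif op == BOOTREPLY:
            self.reply_cnt += 1
        while self.recent and ts - self.recent[0][0] > self.window:
            self.recent.popleft()
        distinct = len({c for _, c in self.recent})
        return distinct > self.pool_size


def run_flood(pool_size=254) -> int:
    """Constructed: attacker sends DISCOVERs from incrementing MACs, 10 per second.
    Returns the number of spoofed clients seen when the alert first fires."""
    det = StarvationDetector(pool_size=pool_size)
    for i in range(400):
        mac = b"\x02\x00\x00\x00" + struct.pack("!H", i)
        if det.observe(build_dhcp(BOOTREQUEST, mac, DISCOVER, xid=i), ts=i * 0.1):
            return i + 1
    return -1


def run_normal() -> bool:
    """Constructed: one client completes DISCOVER/OFFER/REQUEST/ACK. No alert."""
    det = StarvationDetector()
    mac = bytes.fromhex("0200000000aa")
    fired = False
    for op, mt in ((BOOTREQUEST, DISCOVER), (BOOTREPLY, OFFER),
                   (BOOTREQUEST, REQUEST), (BOOTREPLY, ACK)):
        fired |= det.observe(build_dhcp(op, mac, mt), ts=1.0)
    return fired


if __name__ == "__main__":
    print("normal exchange alert:", run_normal())
    print("starvation detected after clients:", run_flood())
```

Counting distinct `chaddr` values rather than packets matters because a single misbehaving client retransmitting DISCOVERs looks like a flood by packet count but never exhausts the pool.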


CTS/RTS Wireless Attack


Request-to-send (RTS) and clear-to-send (CTS) are unencrypted, unauthenticated layer 2 control frames used to reserve the medium and prevent wireless collisions
A client wishing to send traffic transmits an RTS. If the medium is clear, the destination responds with a CTS. Everybody else who hears the CTS backs off for the duration (NAV) carried in the frame
Because nothing is authenticated, an attacker can flood forged CTS (or RTS) frames with a long duration and silence every station in range


CTS/RTS Wireless Attack


    import datetime
    from scapy.all import Dot11, sniff

    interface = "mon0"   # wireless interface in monitor mode
    THRESH = 100         # control frames per second that triggers an alert
    rtsCNT = 0
    ctsCNT = 0
    start = datetime.datetime.now()

    def monitorPackets(p):
        global rtsCNT, ctsCNT, start
        # RTS and CTS are control frames: type 1, subtypes 11 and 12.
        # Checking the type matters: type 0 / subtype 12 is a deauthentication frame.
        if p.haslayer(Dot11) and p.getlayer(Dot11).type == 1:
            delta = datetime.datetime.now() - start
            secs = max(delta.seconds, 1)          # avoid dividing by zero
            if p.getlayer(Dot11).subtype == 11:
                rtsCNT = rtsCNT + 1
                if (rtsCNT / secs) > THRESH:
                    print("[*] - Detected RTS Flood.")
                    rtsCNT = 0
                    start = datetime.datetime.now()
            elif p.getlayer(Dot11).subtype == 12:
                ctsCNT = ctsCNT + 1
                if (ctsCNT / secs) > THRESH:
                    print("[*] - Detected CTS Flood.")
                    ctsCNT = 0
                    start = datetime.datetime.now()

    sniff(iface=interface, prn=monitorPackets)

Wireless Deauth Attack


Clients authenticate themselves to access points prior to association with the network
Authentication typically occurs over unencrypted layer 2 management frames
De-authentication also occurs over unencrypted layer 2 management frames (unless 802.11w management frame protection is in use), so a deauthentication frame with a spoofed source is accepted by the client

Tools such as aireplay-ng from the aircrack-ng suite can spoof a deauthentication and knock clients off the network



Wireless Deauth Attack


    import datetime
    from scapy.all import Dot11, sniff

    interface = "mon0"   # wireless interface in monitor mode
    THRESH = 10          # deauth frames per second that triggers an alert
    deauthCNT = 0
    start = datetime.datetime.now()

    def monitorPackets(p):
        global deauthCNT, start
        if p.haslayer(Dot11):
            ftype = p.getlayer(Dot11).type
            subtype = p.getlayer(Dot11).subtype
            if ftype == 0 and subtype == 12:      # management frame, deauthentication
                deauthCNT = deauthCNT + 1
                delta = datetime.datetime.now() - start
                rate = deauthCNT / max(delta.seconds, 1)
                if rate > THRESH:
                    print("[*] - Detected Deauth Attack")
                    print("[*] Count: " + str(deauthCNT))
                    deauthCNT = 0
                    start = datetime.datetime.now()

    sniff(iface=interface, prn=monitorPackets)
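The CTS/RTS and deauthentication slides above both key on the 802.11 subtype, and the point that ties them together is that the subtype alone is ambiguous: subtype 12 is a CTS in a control frame (type 1) but a deauthentication in a management frame (type 0). The following added example, which is not code from the original slides, decodes the Frame Control field from raw 802.11 bytes with struct, labels each frame by type and subtype, and runs one sliding-window flood detector over constructed CTS storms and broadcast deauth floods. The frames, thresholds and timestamps are constructed, and a radiotap header is assumed to have been stripped already.

```python
"""Added example (not from the original slides): classify raw 802.11
frames by type/subtype from the Frame Control field and detect CTS/RTS
floods and deauthentication floods with one sliding-window detector.
Frames, thresholds and timestamps are constructed; any radiotap header
is assumed to have been stripped already."""
import struct
from collections import defaultdict, deque

MGMT, CTRL, DATA = 0, 1, 2
DEAUTH, RTS, CTS, ACK = 12, 11, 12, 13     # subtypes; meaning depends on type


def mac(b: bytes) -> str:
    return ":".join("%02x" % x for x in b)


def parse_dot11(frame: bytes):
    """Return dict(type, subtype, duration, addr1, addr2) for one frame.

    CTS and ACK control frames carry only a receiver address, so addr2
    is None for them."""
    if len(frame) < 10:
        raise ValueError("truncated 802.11 header")
    fc, duration = struct.unpack("<HH", frame[:4])   # both little-endian
    ftype = (fc >> 2) & 0x3
    subtype = (fc >> 4) & 0xF
    addr2 = None
    if not (ftype == CTRL and subtype in (CTS, ACK)):
        if len(frame) < 16:
            raise ValueError("truncated 802.11 header")
        addr2 = mac(frame[10:16])
    return {"type": ftype, "subtype": subtype, "duration": duration,
            "addr1": mac(frame[4:10]), "addr2": addr2}


def label(ftype: int, subtype: int) -> str:
    names = {(MGMT, DEAUTH): "deauth", (CTRL, RTS): "rts", (CTRL, CTS): "cts",
             (MGMT, 8): "beacon", (MGMT, 10): "disassoc"}
    return names.get((ftype, subtype), "type%d/subtype%d" % (ftype, subtype))


class Dot11FloodDetector:
    """Per-frame-kind sliding window; observe() returns the alert label or None."""

    def __init__(self, window=1.0, thresholds=None):
        self.window = window
        # assumed: a few deauths per second is already hostile; CTS/RTS are chattier
        self.thresholds = thresholds or {"deauth": 10, "cts": 100, "rts": 100}
        self.windows = defaultdict(deque)

    def observe(self, frame: bytes, ts: float):
        info = parse_dot11(frame)
        kind = label(info["type"], info["subtype"])
        if kind not in self.thresholds:
            return None
        q = self.windows[kind]
        q.append(ts)
        while q and ts - q[0] > self.window:
            q.popleft()
        return kind if len(q) > self.thresholds[kind] else None


def fc(ftype: int, subtype: int) -> int:
    return (subtype << 4) | (ftype << 2)       # protocol version 0, no flags


def build_cts(ra: bytes, nav_us: int = 32767) -> bytes:
    """Constructed CTS: Frame Control, Duration (NAV), receiver address."""
    return struct.pack("<HH", fc(CTRL, CTS), nav_us) + ra


def build_deauth(da: bytes, sa: bytes, bssid: bytes, reason: int = 7) -> bytes:
    """Constructed deauth: 24-byte header then a 2-byte reason code."""
    hdr = struct.pack("<HH", fc(MGMT, DEAUTH), 314) + da + sa + bssid + b"\0\0"
    return hdr + struct.pack("<H", reason)


AP = bytes.fromhex("00112233aabb")     # constructed addresses
STA = bytes.fromhex("0200aabbccdd")
BCAST = b"\xff" * 6


def run_deauth_flood() -> int:
    """Broadcast deauth spoofed from the AP, 50 frames in 0.5 s.
    Returns the frame index at which the detector alerts, or -1."""
    det = Dot11FloodDetector()
    for i in range(50):
        if det.observe(build_deauth(BCAST, AP, AP), ts=i * 0.01) == "deauth":
            return i
    return -1


def run_cts_storm() -> int:
    """CTS frames with maximum NAV, 200 per second."""
    det = Dot11FloodDetector()
    for i in range(200):
        if det.observe(build_cts(STA), ts=i * 0.005) == "cts":
            return i
    return -1


if __name__ == "__main__":
    print("deauth flood at frame:", run_deauth_flood())
    print("cts storm at frame:", run_cts_storm())
```

Because the detector keys on `(type, subtype)` rather than subtype alone, a deauth flood never inflates the CTS counter and vice versa; the `duration` field is exposed as well so a CTS with a near-maximum NAV can be weighted more heavily if desired.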

Fake Access Point Attack


Wireless access points advertise themselves with 802.11 beacon frames
Clients use the information in the beacon frame (SSID, BSSID, capabilities) to connect to the wireless AP
Anyone can broadcast an 802.11 beacon, impersonating a network

Combined with tools like karmetasploit, an attacker can instantly attack a client that joins a fake AP.

Fake Access Point Attack


    from scapy.all import Dot11, Dot11Beacon, Dot11Elt, sniff

    interface = "mon0"   # wireless interface in monitor mode
    THRESH = 3           # timestamp regressions per BSSID before alerting
    ssidDict = {}        # BSSID -> list of beacon TSF timestamps seen
    ssidCnt = {}         # BSSID -> number of times the timestamp went backwards

    def monitorPackets(p):
        if p.haslayer(Dot11Beacon):               # management frame, subtype 8
            ssid = p.getlayer(Dot11Elt).info      # first information element is the SSID
            bssid = p.getlayer(Dot11).addr2
            stamp = p.getlayer(Dot11Beacon).timestamp
            if bssid not in ssidDict:
                ssidDict[bssid] = []
                ssidCnt[bssid] = 0
            else:
                prev = ssidDict[bssid][-1]
                # A real AP's TSF timer only counts up; a second radio spoofing
                # the same BSSID is not in sync, so its stamps go backwards.
                if stamp < prev:
                    ssidCnt[bssid] = ssidCnt[bssid] + 1
                    if ssidCnt[bssid] > THRESH:
                        print("[*] - Detected fakeAP")
                        print("[*] SSID: " + str(ssid))
            ssidDict[bssid].append(stamp)

    sniff(iface=interface, prn=monitorPackets)
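The timestamp trick works because the 64-bit TSF timer inside a beacon is driven by one radio and only ever increases; an impersonator beaconing the same BSSID has its own, unsynchronised timer. The added example below (not code from the original slides) parses beacon frames with struct, walks the information elements to find the SSID, and applies the regression count. It also covers the edge case the threshold exists for: a genuine AP reboot resets the TSF exactly once and must not trigger an alert. The frames, addresses and threshold are constructed.

```python
"""Added example (not from the original slides): parse 802.11 beacon
frames with struct and detect a second radio impersonating a BSSID by
watching the 64-bit TSF timestamp, which a single AP only ever increases.
A legitimate AP reboot resets the TSF once, so the detector requires
several regressions before alerting. Frames and threshold are constructed."""
import struct
from collections import defaultdict


def parse_beacon(frame: bytes):
    """Return (bssid, timestamp_us, interval, ssid) from a beacon frame.

    Raises ValueError if the frame is not a management/beacon frame."""
    if len(frame) < 36:
        raise ValueError("truncated beacon")
    fc = struct.unpack("<H", frame[:2])[0]
    if (fc >> 2) & 0x3 != 0 or (fc >> 4) & 0xF != 8:
        raise ValueError("not a beacon")
    addr2 = frame[10:16]                      # transmitter; for a beacon, the BSSID
    timestamp, interval, _cap = struct.unpack("<QHH", frame[24:36])
    ssid = b""
    i = 36                                    # information elements start here
    while i + 2 <= len(frame):
        eid, elen = frame[i], frame[i + 1]
        if eid == 0:                          # SSID element
            ssid = frame[i + 2:i + 2 + elen]
            break
        i += 2 + elen
    return (":".join("%02x" % b for b in addr2), timestamp, interval,
            ssid.decode("utf-8", "replace"))


class FakeApDetector:
    """Counts TSF regressions per BSSID; alerts once the count exceeds thresh."""

    def __init__(self, thresh=3):
        self.thresh = thresh
        self.last = {}
        self.regressions = defaultdict(int)

    def observe(self, frame: bytes):
        bssid, ts, _interval, ssid = parse_beacon(frame)
        prev = self.last.get(bssid)
        if prev is not None and ts < prev:
            self.regressions[bssid] += 1
        self.last[bssid] = ts
        if self.regressions[bssid] > self.thresh:
            return "fake AP suspected for %s (%s)" % (ssid, bssid)
        return None


def build_beacon(bssid: bytes, timestamp: int, ssid: str, interval: int = 100) -> bytes:
    """Constructed beacon: header (FC 0x0080), fixed parameters, SSID element."""
    hdr = struct.pack("<HH", 0x0080, 0) + b"\xff" * 6 + bssid + bssid + b"\x00\x00"
    fixed = struct.pack("<QHH", timestamp, interval, 0x0411)
    ssid_b = ssid.encode()
    return hdr + fixed + bytes([0, len(ssid_b)]) + ssid_b


REAL_AP = bytes.fromhex("00112233aabb")      # constructed BSSID


def run_reboot() -> bool:
    """Genuine AP: TSF climbs, resets once (reboot), climbs again. No alert."""
    det = FakeApDetector()
    stamps = [1_000_000, 1_102_400, 1_204_800, 5_000, 107_400, 209_800]
    return any(det.observe(build_beacon(REAL_AP, t, "HotelWiFi")) for t in stamps)


def run_evil_twin() -> int:
    """Attacker beacons the same BSSID/SSID with its own, unsynchronised TSF.
    Interleaved real/fake beacons make the timestamp zigzag. Returns the
    beacon index at which the alert fires, or -1."""
    det = FakeApDetector()
    for i in range(20):
        real = build_beacon(REAL_AP, 10_000_000 + i * 102_400, "HotelWiFi")
        fake = build_beacon(REAL_AP, 500_000 + i * 102_400, "HotelWiFi")
        for j, frame in enumerate((real, fake)):
            if det.observe(frame):
                return 2 * i + j
    return -1


if __name__ == "__main__":
    print("reboot alert:", run_reboot())
    print("evil twin detected at beacon:", run_evil_twin())
```

An attacker who copies a different BSSID (a plain evil twin with the same SSID) is not caught by this check; that case needs an allow-list of known BSSIDs per SSID, which the timestamp comparison does not replace.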

Conclusions
Layer two attacks still present a threat to modern networks
Typically these threats go unnoticed by intrusion detection systems
Scapy and a little creativity can be used to automate detecting layer two attacks

For more information, see Detecting and Responding to Data Link Layer Attacks published in SANS GCIA Reading Room
