TJ OConnor, September 2011, GIAC (GSE, GSEC, GCFW, GCIA, GCIH, GCFA, GREM, GPEN, GWAPT, GCFE)
What's happening?
As incident responders, we need the ability to quickly write tools that parse data, in this case Layer 2 traffic. Scapy's sniff() captures frames on an interface and hands each one to a callback (prn), which does the parsing:

```python
from scapy.all import sniff

# Capture on the chosen interface and pass every frame to monitorPackets()
sniff(iface=interface, prn=monitorPackets)
```
ARP Spoofing
ARP resolves layer 3 (IP) addresses to layer 2 (MAC) addresses.
Clients maintain their own ARP tables of these logical-to-physical bindings. ARP has no authentication: anyone can broadcast a gratuitous ARP, and the clients that receive it update their tables with whatever binding it claims.
[Diagram: ARP spoofing between hosts A and B]
ARP Spoofing
A simple detector: record the MAC seen in each ARP reply per IP and alert when a later reply claims a different MAC for the same IP.

```python
from scapy.all import ARP, sniff

interface = "eth0"  # interface to monitor (placeholder; adjust to your host)
hwTable = {}        # IP address -> MAC address learned from ARP replies

def monitorPackets(p):
    global hwTable
    if p.getlayer(ARP).op == 2:          # op 2 = ARP reply ("is-at")
        hwSrc = p.getlayer(ARP).hwsrc    # MAC the reply claims for ipSrc
        ipSrc = p.getlayer(ARP).psrc
        if ipSrc in hwTable:
            if hwSrc != hwTable[ipSrc]:  # binding changed: possible spoof
                print("[*] - Conflict for IP: " + ipSrc)
        hwTable[ipSrc] = hwSrc           # remember the latest binding

# BPF filter "arp" so the callback only sees ARP frames
sniff(iface=interface, filter="arp", prn=monitorPackets)
```

Note that the table is overwritten on every reply, so a spoofer and the real host alternately re-asserting the binding will produce a conflict alert each time the MAC flips.
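To show the same detection logic without depending on Scapy, the following added example (not code from the original presentation) parses raw Ethernet/ARP frames by hand and runs the conflict check over a few constructed sample frames. The frames, the host names and addresses (GATEWAY_IP, ATTACKER_MAC, and so on), and the extra check that the ARP sender MAC matches the Ethernet source MAC are all assumptions made for this example; the detection rule itself is the one from the slide.

```python
import struct

# Wire formats for an Ethernet header and an Ethernet/IPv4 ARP packet (RFC 826)
ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, EtherType
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REPLY = 2


def mac_str(b):
    return ":".join("%02x" % x for x in b)


def ip_str(b):
    return ".".join(str(x) for x in b)


def parse_arp_frame(frame):
    """Return the ARP fields of an Ethernet/IPv4 ARP frame, or None if it is not one."""
    if len(frame) < ETH_HDR.size + ARP_HDR.size:
        return None                                  # truncated frame
    _dst, src, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_ARP:
        return None                                  # not ARP at all
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = ARP_HDR.unpack_from(frame, ETH_HDR.size)
    if htype != 1 or ptype != 0x0800 or hlen != 6 or plen != 4:
        return None                                  # only Ethernet/IPv4 ARP handled here
    return {
        "eth_src": mac_str(src),
        "op": oper,
        "hwsrc": mac_str(sha), "psrc": ip_str(spa),
        "hwdst": mac_str(tha), "pdst": ip_str(tpa),
        "gratuitous": spa == tpa,                    # sender announces its own IP
    }


class ArpMonitor:
    """Keeps the IP -> MAC table from the slide and flags replies that change a binding."""

    def __init__(self):
        self.hw_table = {}

    def observe(self, frame):
        """Feed one raw frame; return an alert string, or None if nothing is suspicious."""
        arp = parse_arp_frame(frame)
        if arp is None or arp["op"] != ARP_REPLY:
            return None
        alert = None
        known = self.hw_table.get(arp["psrc"])
        if known is not None and known != arp["hwsrc"]:
            kind = "gratuitous " if arp["gratuitous"] else ""
            alert = "[*] - Conflict for IP: %s (was %s, now %s via %sreply)" % (
                arp["psrc"], known, arp["hwsrc"], kind)
        elif arp["hwsrc"] != arp["eth_src"]:
            # Added check (assumption): a crafted frame whose ARP sender MAC does not match
            # the Ethernet source MAC is worth flagging even before any conflict is seen.
            alert = "[*] - Sender MAC mismatch for IP: %s (arp %s, eth %s)" % (
                arp["psrc"], arp["hwsrc"], arp["eth_src"])
        self.hw_table[arp["psrc"]] = arp["hwsrc"]    # same overwrite behaviour as the slide
        return alert


def build_arp_reply(src_mac, src_ip, dst_mac, dst_ip):
    """Build a constructed (not captured) Ethernet/ARP 'is-at' reply frame."""
    sha = bytes.fromhex(src_mac.replace(":", ""))
    tha = bytes.fromhex(dst_mac.replace(":", ""))
    spa = bytes(int(o) for o in src_ip.split("."))
    tpa = bytes(int(o) for o in dst_ip.split("."))
    return ETH_HDR.pack(tha, sha, ETHERTYPE_ARP) + ARP_HDR.pack(
        1, 0x0800, 6, 4, ARP_REPLY, sha, spa, tha, tpa)


# Constructed sample traffic: a real gateway reply, then a spoofed gratuitous reply for the
# same IP from a different MAC, then a truncated frame the parser must ignore.
GATEWAY_IP, GATEWAY_MAC = "192.168.1.1", "aa:bb:cc:dd:ee:01"
VICTIM_IP, VICTIM_MAC = "192.168.1.50", "00:11:22:33:44:55"
ATTACKER_MAC = "de:ad:be:ef:00:01"

SAMPLE_FRAMES = [
    build_arp_reply(GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),
    build_arp_reply(ATTACKER_MAC, GATEWAY_IP, "ff:ff:ff:ff:ff:ff", GATEWAY_IP),
    b"\x00" * 20,
]


def run_sample(frames=SAMPLE_FRAMES):
    """Run the monitor over the frames and return the list of alerts raised."""
    mon = ArpMonitor()
    return [a for a in (mon.observe(f) for f in frames) if a]


if __name__ == "__main__":
    for line in run_sample():
        print(line)
```

The same `observe()` method can be fed live frames from a raw socket or from a pcap reader; only the frame source changes, not the detection rule.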
Combined with tools like karmetasploit, an attacker can immediately attack any client that joins the fake AP.
SANS Technology Institute - Candidate for Master of Science Degree 13
Conclusions
Layer two attacks still present a threat to modern networks.
These threats typically go unnoticed by intrusion detection systems, which watch layer 3 and above. Scapy and a little creativity can be used to automate the detection of layer two attacks.
For more information, see "Detecting and Responding to Data Link Layer Attacks", published in the SANS GCIA Reading Room.