Detecting and Responding to Data Link Layer Attacks With Scapy TJ OConnor

Detecting and Responding to Data Link Layer Attacks With Scapy
TJ OConnor
September 2011
GIAC (GSE, GSEC, GCFW, GCIA, GCIH, GCFA, GREM, GPEN, GWAPT, GCFE)
SANS Technology Institute - Candidate for Master of Science Degree
The Hotel Area Network Dilemma
• About 1 year ago, sitting in a hotel room in Washington D.C.
  – "Free" wireless Internet starts working intermittently
  – Users start complaining of Facebook posts they didn't make
• Fire up the IDS toolkit
  – The IDS doesn't see anything happening at Layer 3
  – The IPS isn't seeing any attacks against the hotel either
• What's happening?
  – As incident responders, we need the ability to quickly write tools to parse data… in this case, Layer 2 traffic
CAM Table Exhaustion Attack
• The CAM table is the switch's list of which destination MAC addresses are reachable on which port
• Overloading the switch with CAM table entries overflows that memory. The switch no longer knows how to deliver frames based on MAC-port bindings and falls back to flooding them out every port, so the attacker sees traffic that was never meant for its port
  Attacker floods frames with a never-repeating source MAC:
  ETH.SRC = AA:AA:AA:AA:AA:AA
  ETH.SRC = AA:AA:AA:AA:AA:AB
  ETH.SRC = AA:AA:AA:AA:AA:AC
  ETH.SRC = AA:AA:AA:AA:AA:AD
  ETH.SRC = AA:AA:AA:AA:AA:AE
  …..
CAM Table Exhaustion Attack

import datetime
from scapy.all import Ether, IP, sniff

interface = "eth0"
THRESH = 100                  # new source MACs per second before alerting
hwList = []                   # every source MAC seen so far
newCnt = 0                    # new MACs since the last reset of start
start = datetime.datetime.now()

def monitorPackets(p):
    global newCnt, start
    if p.haslayer(IP):
        hwSrc = p.getlayer(Ether).src
        if hwSrc not in hwList:
            hwList.append(hwSrc)
            newCnt = newCnt + 1
            delta = datetime.datetime.now() - start
            # total_seconds() avoids the divide-by-zero in the first second
            if newCnt / max(delta.total_seconds(), 1e-3) > THRESH:
                print("[*] - Detected CAM Table Attack.")
                newCnt = 0
                start = datetime.datetime.now()

sniff(iface=interface, prn=monitorPackets)
ARP Spoofing
• ARP translates layer 3 (IP) addresses to layer 2 (MAC) addresses
• Clients maintain their own ARP tables of these logical-to-physical bindings
• But anyone can broadcast a gratuitous ARP, and client tables are updated; nothing authenticates the sender
  Diagram: attacker C tells A "B's IP ADDR is located at HW ADDR for C" and tells B "A's IP ADDR is located at HW ADDR for C", so traffic between A and B now passes through C
ARP Spoofing

from scapy.all import ARP, sniff

interface = "eth0"
hwTable = {}                  # IP address -> hardware address last seen claiming it

def monitorPackets(p):
    global hwTable
    if p.getlayer(ARP).op == 2:             # is-at (reply); gratuitous replies land here
        hwSrc = p.getlayer(ARP).hwsrc
        ipSrc = p.getlayer(ARP).psrc
        if ipSrc in hwTable:
            if hwSrc != hwTable[ipSrc]:
                print("[*] - Conflict for IP: " + ipSrc)
        hwTable[ipSrc] = hwSrc

sniff(iface=interface, filter="arp", prn=monitorPackets)
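The same conflict check run over raw frames instead of a live interface, as an added example that is not the slides' Scapy code. It assumes Ethernet II framing and ARP for IPv4 (htype 1, ptype 0x0800); the frames and the addresses in them are constructed for the example. Two things a practitioner would want beyond the slide are included: conflicts announced in ARP requests count too, because most stacks update their cache from either opcode, and a frame whose Ethernet source differs from its ARP sender address is flagged as crafted.

```python
# Added example (not the slides' Scapy code): decode raw ARP frames and flag
# IP-to-MAC conflicts, including conflicts announced in ARP *requests*.
# Assumes Ethernet II framing and ARP for IPv4 (htype 1, ptype 0x0800).
# All frames below are constructed inline so the example runs offline.
import struct

ETH_HDR = struct.Struct("!6s6sH")            # dst MAC, src MAC, ethertype
ARP_PKT = struct.Struct("!HHBBH6s4s6s4s")    # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw):
    return ":".join("%02x" % b for b in raw)


def ip_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def build_arp(op, sha, spa, tha, tpa, eth_dst=BROADCAST):
    """Ethernet + ARP frame. A gratuitous ARP is one where spa == tpa."""
    eth = ETH_HDR.pack(mac_bytes(eth_dst), mac_bytes(sha), ETHERTYPE_ARP)
    arp = ARP_PKT.pack(1, 0x0800, 6, 4, op, mac_bytes(sha), ip_bytes(spa),
                       mac_bytes(tha), ip_bytes(tpa))
    return eth + arp


def parse_arp(frame):
    """Return (op, eth_src, sender_mac, sender_ip), or None if not IPv4 ARP over Ethernet."""
    if len(frame) < ETH_HDR.size + ARP_PKT.size:
        return None
    _, eth_src, ethertype = ETH_HDR.unpack_from(frame)
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, _, _ = ARP_PKT.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return op, mac_str(eth_src), mac_str(sha), ip_str(spa)


class ArpWatcher:
    """The slide's hwTable check with two changes: it learns from requests as
    well as replies, and it keeps the first binding seen instead of overwriting
    it, so every later conflicting claim is reported until an operator clears it."""

    def __init__(self):
        self.table = {}      # sender IP -> first sender MAC seen
        self.alerts = []     # ("conflict", ip, known, new) or ("eth-mismatch", ip, eth_src, sha)

    def feed(self, frame):
        parsed = parse_arp(frame)
        if parsed is None:
            return None
        op, eth_src, sha, spa = parsed
        if spa == "0.0.0.0":                     # ARP probe (RFC 5227): claims no binding
            return None
        alert = None
        if eth_src != sha:                       # crafted frame: Ethernet source != ARP sender
            alert = ("eth-mismatch", spa, eth_src, sha)
        known = self.table.get(spa)
        if known is None:
            self.table[spa] = sha
        elif known != sha:
            alert = ("conflict", spa, known, sha)
        if alert:
            self.alerts.append(alert)
        return alert


# Constructed sample: gateway 10.0.0.1, host B 10.0.0.2, attacker C poisoning
# both sides exactly as in the slide's diagram.
GW, HOST_B, ATTACKER = "00:11:22:33:44:01", "00:11:22:33:44:02", "de:ad:be:ef:00:03"
SAMPLE_FRAMES = [
    build_arp(ARP_REPLY, GW, "10.0.0.1", HOST_B, "10.0.0.2", eth_dst=HOST_B),        # legit reply
    build_arp(ARP_REQUEST, HOST_B, "10.0.0.2", "00:00:00:00:00:00", "10.0.0.1"),     # legit who-has
    build_arp(ARP_REPLY, ATTACKER, "10.0.0.1", HOST_B, "10.0.0.2", eth_dst=HOST_B),  # C claims the gateway IP
    build_arp(ARP_REQUEST, ATTACKER, "10.0.0.2", "00:00:00:00:00:00", "10.0.0.2"),   # gratuitous request claiming B's IP
]


def run_sample():
    watcher = ArpWatcher()
    for frame in SAMPLE_FRAMES:
        watcher.feed(frame)
    return watcher.alerts


if __name__ == "__main__":
    for kind, ip, old, new in run_sample():
        print("[*] - %s for IP %s: %s vs %s" % (kind, ip, old, new))
```

On a live network the same bytes come from a raw socket or from bytes(pkt) on a Scapy packet; the first-seen policy means a legitimate NIC swap keeps alerting until the entry is cleared, which is the trade-off against the slide's overwrite that alerts only once per flip.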
DHCP Starvation Attack
• Dynamic IP addresses are leased from a DHCP server after a request by a client. The lease allows the client to use the specified address for a period of time.
• By sending enough DHCP requests, each with a different spoofed client hardware address (254 are enough for a /24 pool), a DHCP starvation attack consumes every lease and prevents any new client from joining
  Diagram: attacker sends DHCP Request, DHCP Request, DHCP Request, …; a legitimate client's DHCP Request then fails: no addresses available
DHCP Starvation Attack

from scapy.all import BOOTP, sniff

interface = "eth0"
reqCnt = 0                    # BOOTREQUEST (op 1): DISCOVER/REQUEST from clients
ofrCnt = 0                    # BOOTREPLY (op 2): OFFER/ACK/NAK from the server

def monitorPackets(p):
    global reqCnt, ofrCnt
    if p.haslayer(BOOTP):
        opCode = p.getlayer(BOOTP).op
        if opCode == 1:
            reqCnt = reqCnt + 1
        elif opCode == 2:
            ofrCnt = ofrCnt + 1
        print("[*] - " + str(reqCnt) + " Requests.")
        print("[*] - " + str(ofrCnt) + " Offers.")

sniff(iface=interface, filter="udp and (port 67 or port 68)", prn=monitorPackets)
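A starvation detector over raw BOOTP/DHCP payloads, as an added example that is not the slides' Scapy code. The slide counts requests against offers; what actually distinguishes starvation is many distinct client hardware addresses asking for leases in a short window, so this example parses the chaddr and the DHCP message-type option and alerts on distinct clients per sliding window. It assumes Ethernet client addresses (htype 1, hlen 6), and the timeline, MACs and threshold are constructed for the example.

```python
# Added example (not the slides' Scapy code): decode raw BOOTP/DHCP payloads
# and detect starvation by counting *distinct* client hardware addresses that
# request leases inside a sliding window, rather than raw request volume.
# Assumes Ethernet client addresses (htype 1, hlen 6). Traffic is constructed
# inline so the example runs offline; on the wire these bytes are the UDP
# payload of port 67/68 datagrams.
import struct
from collections import deque

BOOTP_HDR = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")   # op .. file, 236 bytes
MAGIC_COOKIE = bytes([99, 130, 83, 99])
BOOTREQUEST, BOOTREPLY = 1, 2
DHCP_DISCOVER, DHCP_OFFER, DHCP_REQUEST, DHCP_ACK = 1, 2, 3, 5
OPT_PAD, OPT_MSG_TYPE, OPT_END = 0, 53, 255


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw):
    return ":".join("%02x" % b for b in raw)


def build_dhcp(op, chaddr, msg_type, xid=0x3903F326):
    """Minimal BOOTP header + magic cookie + message-type option + END."""
    hdr = BOOTP_HDR.pack(op, 1, 6, 0, xid, 0, 0x8000,
                         b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                         mac_bytes(chaddr).ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    return hdr + MAGIC_COOKIE + bytes([OPT_MSG_TYPE, 1, msg_type, OPT_END])


def parse_dhcp(payload):
    """Return (op, chaddr, dhcp_message_type) or None for non-DHCP payloads."""
    end = BOOTP_HDR.size + len(MAGIC_COOKIE)
    if len(payload) < end or payload[BOOTP_HDR.size:end] != MAGIC_COOKIE:
        return None
    fields = BOOTP_HDR.unpack_from(payload)
    op, hlen, chaddr = fields[0], fields[2], fields[11]
    msg_type = None
    i = end
    while i < len(payload):                   # walk the TLV options
        code = payload[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(payload):
            break
        length = payload[i + 1]
        if code == OPT_MSG_TYPE and length == 1:
            msg_type = payload[i + 2]
        i += 2 + length
    return op, mac_str(chaddr[:hlen]), msg_type


class StarvationWatcher:
    """Alert when more than max_clients distinct chaddr values ask for a lease
    within `window` seconds; real networks do not sprout dozens of new
    hardware addresses in seconds, starvation tools do."""

    def __init__(self, window=10.0, max_clients=20):
        self.window, self.max_clients = window, max_clients
        self.requests = deque()    # (time, chaddr), oldest first
        self.reply_count = 0       # OFFER/ACK/NAK seen, as on the slide

    def feed(self, now, payload):
        """Return True if this payload pushes the window over the threshold."""
        parsed = parse_dhcp(payload)
        if parsed is None:
            return False
        op, chaddr, msg_type = parsed
        if op == BOOTREPLY:
            self.reply_count += 1
            return False
        if op == BOOTREQUEST and msg_type in (DHCP_DISCOVER, DHCP_REQUEST):
            self.requests.append((now, chaddr))
            while self.requests and now - self.requests[0][0] > self.window:
                self.requests.popleft()
            return self.distinct_clients() > self.max_clients
        return False

    def distinct_clients(self):
        return len({chaddr for _, chaddr in self.requests})


def run_sample():
    """Constructed timeline: three real clients over 10 s, then a flood of
    40 DISCOVERs with sequential spoofed MACs inside 2 s."""
    watcher = StarvationWatcher(window=10.0, max_clients=20)
    alerts = 0
    for t, mac in ((0.0, "00:11:22:33:44:01"), (5.0, "00:11:22:33:44:02"), (10.0, "00:11:22:33:44:03")):
        alerts += watcher.feed(t, build_dhcp(BOOTREQUEST, mac, DHCP_DISCOVER))
        alerts += watcher.feed(t + 0.1, build_dhcp(BOOTREPLY, mac, DHCP_OFFER))
    for i in range(40):
        spoofed = "00:de:ad:be:ef:%02x" % i
        alerts += watcher.feed(20.0 + i / 20.0, build_dhcp(BOOTREQUEST, spoofed, DHCP_DISCOVER))
    return alerts, watcher.distinct_clients(), watcher.reply_count


if __name__ == "__main__":
    print("[*] - alerts=%d distinct_clients=%d replies=%d" % run_sample())
```

Feeding Scapy packets means calling feed(pkt.time, bytes(pkt[UDP].payload)); the threshold should be tuned to the site's normal join rate, and a real deployment would also key on the Ethernet source, since a starvation tool often sends every spoofed chaddr from one physical port.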
CTS/RTS Wireless Attack
• Request-to-send (RTS) and clear-to-send (CTS) are layer 2 control frames, unencrypted and unauthenticated, used to prevent wireless collisions
• A client wishing to send traffic transmits an RTS. If the medium is clear, the destination responds with a CTS. Everybody else who hears the CTS backs off for the duration the frame announces
• Because nothing authenticates these frames, an attacker can flood forged CTS (or RTS) frames and keep the medium reserved, denying service to every station in range
CTS/RTS Wireless Attack

import datetime
from scapy.all import Dot11, sniff

interface = "mon0"            # monitor-mode interface
THRESH = 100                  # control frames per second before alerting
rtsCNT = ctsCNT = 0
start = datetime.datetime.now()

def monitorPackets(p):
    global rtsCNT, ctsCNT, start
    if p.haslayer(Dot11):
        secs = max((datetime.datetime.now() - start).total_seconds(), 1e-3)
        dot11 = p.getlayer(Dot11)
        # RTS/CTS are control frames (type 1); without the type check a
        # deauthentication frame (type 0, subtype 12) is counted as a CTS
        if dot11.type == 1 and dot11.subtype == 11:
            rtsCNT = rtsCNT + 1
            if rtsCNT / secs > THRESH:
                print("[*] - Detected RTS Flood.")
                rtsCNT = 0
                start = datetime.datetime.now()
        elif dot11.type == 1 and dot11.subtype == 12:
            ctsCNT = ctsCNT + 1
            if ctsCNT / secs > THRESH:
                print("[*] - Detected CTS Flood.")
                ctsCNT = 0
                start = datetime.datetime.now()

sniff(iface=interface, prn=monitorPackets)
Wireless Deauth Attack
• Clients authenticate themselves to access points prior to association with the network
• Authentication typically occurs over unencrypted layer 2 management frames
• De-authentication also occurs over unencrypted layer 2 management frames, so nothing ties a deauthentication frame to the station it claims to come from (unless the network enforces 802.11w protected management frames)
• Tools such as the aircrack-ng suite (aireplay-ng) can spoof a deauthentication and knock any client off the network at will
Wireless Deauth Attack

import datetime
from scapy.all import Dot11, sniff

interface = "mon0"            # monitor-mode interface
THRESH = 20                   # deauthentication frames per second before alerting
deauthCNT = 0
start = datetime.datetime.now()

def monitorPackets(p):
    global deauthCNT, start
    if p.haslayer(Dot11):
        ftype = p.getlayer(Dot11).type
        subtype = p.getlayer(Dot11).subtype
        if (ftype == 0) and (subtype == 12):      # management frame, deauthentication
            deauthCNT = deauthCNT + 1
            delta = datetime.datetime.now() - start
            rate = deauthCNT / max(delta.total_seconds(), 1e-3)
            if rate > THRESH:
                print("[*] - Detected Deauth Attack")
                print("[*] - Count: " + str(deauthCNT))
                deauthCNT = 0
                start = datetime.datetime.now()

sniff(iface=interface, prn=monitorPackets)
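The CAM table, RTS/CTS and deauthentication slides all use the same count-divided-by-elapsed-seconds test. As an added example that is not the slides' code, here is one sliding-window rate detector that serves all three, plus the frame-control decoding that keeps a deauth frame (type 0, subtype 12) from being counted as a CTS (type 1, subtype 12). Timestamps are passed in explicitly (pkt.time from Scapy would do) so the logic runs and is checked offline; the traffic volumes, MACs and thresholds are constructed for the example.

```python
# Added example (not the slides' Scapy code): one sliding-window rate detector
# for the CAM-table, RTS/CTS-flood and deauth-flood checks. The slides compute
# count / delta.seconds, which raises ZeroDivisionError in the first second,
# truncates to whole seconds and never ages out old events; a deque of
# timestamps bounded by the window avoids all three. Timestamps are supplied
# by the caller (e.g. pkt.time) and 802.11 frames are represented here by
# their first frame-control byte only.
from collections import deque


class RateDetector:
    """Per-kind event counter over the last `window` seconds."""

    def __init__(self, threshold, window=1.0):
        self.threshold, self.window = threshold, window
        self.events = {}          # kind -> deque of timestamps

    def hit(self, kind, now):
        """Record one event; True when the window now holds more than threshold."""
        q = self.events.setdefault(kind, deque())
        q.append(now)
        while q and now - q[0] > self.window:
            q.popleft()
        return len(q) > self.threshold

    def rate(self, kind):
        return len(self.events.get(kind, ())) / self.window


class CamTableWatcher:
    """CAM-table exhaustion: alert on the rate of *new* source MACs, not frames.
    `seen` grows without bound here; cap or age it in production."""

    def __init__(self, threshold=100, window=1.0):
        self.seen = set()
        self.detector = RateDetector(threshold, window)

    def frame(self, now, src_mac):
        if src_mac in self.seen:
            return False
        self.seen.add(src_mac)
        return self.detector.hit("new-mac", now)


def dot11_kind(fc0):
    """Classify an 802.11 frame from its first frame-control byte: bits 2-3
    are the type, bits 4-7 the subtype. RTS/CTS are control frames (type 1);
    deauthentication is management (type 0) with the same subtype as CTS."""
    ftype, subtype = (fc0 >> 2) & 0x3, (fc0 >> 4) & 0xF
    if ftype == 1 and subtype == 11:
        return "rts"
    if ftype == 1 and subtype == 12:
        return "cts"
    if ftype == 0 and subtype == 12:
        return "deauth"
    return None


class Dot11FloodWatcher:
    def __init__(self, threshold=50, window=1.0):
        self.detector = RateDetector(threshold, window)

    def frame(self, now, fc0):
        """Return the flooding frame kind when its rate crosses the threshold."""
        kind = dot11_kind(fc0)
        return kind if kind and self.detector.hit(kind, now) else None


def run_sample():
    """Constructed traffic: 300 new MACs in one second vs. 50 hosts over a
    minute; 200 deauth frames in half a second vs. 20 CTS frames over 10 s."""
    cam_attack = CamTableWatcher(threshold=100)
    cam_quiet = CamTableWatcher(threshold=100)
    cam_alert = any(cam_attack.frame(i / 300.0, "02:00:00:%02x:%02x:00" % (i >> 8, i & 0xFF))
                    for i in range(300))
    cam_quiet_alert = any(cam_quiet.frame(i * 1.2, "02:00:00:00:%02x:01" % i) for i in range(50))
    radio = Dot11FloodWatcher(threshold=50)
    flood_hits = {radio.frame(i * 0.0025, 0xC0) for i in range(200)}   # 0xC0: deauth
    quiet_hits = {radio.frame(i * 0.5, 0xC4) for i in range(20)}       # 0xC4: CTS
    return {"cam_flood": cam_alert, "cam_quiet": cam_quiet_alert,
            "dot11_flood": flood_hits - {None}, "dot11_quiet": quiet_hits - {None}}


if __name__ == "__main__":
    print(run_sample())
```

Thresholds are per site: a busy enterprise WLAN legitimately carries far more CTS frames per second than a hotel floor, so baseline each kind before alerting on it.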
Fake Access Point Attack
• Wireless access points advertise themselves in 802.11 beacon frames
• Clients use the information in the 802.11 beacon frame to connect to the wireless AP
• Anyone can broadcast an 802.11 beacon, impersonating a network; nothing in the frame authenticates the sender
• Combined with tools like karmetasploit, an attacker can instantly attack a client that joins a fake AP
Fake Access Point Attack

from scapy.all import Dot11, Dot11Beacon, Dot11Elt, sniff

interface = "mon0"            # monitor-mode interface
THRESH = 3                    # tolerated timestamp regressions per BSSID
ssidDict = {}                 # BSSID -> list of beacon timestamps seen
ssidCnt = {}                  # BSSID -> number of timestamps that went backwards

def monitorPackets(p):
    if p.haslayer(Dot11Beacon):                          # management frame, subtype 8
        ssid = p.getlayer(Dot11Elt).info.decode(errors="replace")   # first tagged element is the SSID
        bssid = p.getlayer(Dot11).addr2
        stamp = p.getlayer(Dot11Beacon).timestamp        # TSF timer, microseconds since the AP started
        if bssid not in ssidDict:
            ssidDict[bssid] = []
            ssidCnt[bssid] = 0
        elif stamp < ssidDict[bssid][-1]:
            # a real AP's TSF only moves forward; a fake AP reusing the BSSID
            # sends beacons whose timestamps fall behind the real AP's
            ssidCnt[bssid] = ssidCnt[bssid] + 1
            if ssidCnt[bssid] > THRESH:
                print("[*] - Detected fakeAP")
                print("[*] - SSID: " + ssid)
        ssidDict[bssid].append(stamp)

sniff(iface=interface, prn=monitorPackets)
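The timestamp test from the slide applied to raw 802.11 beacon frames, as an added example that is not the slides' Scapy code. It decodes the MAC header, the fixed beacon fields and the SSID element by hand (802.11 fields are little-endian), keeps the per-BSSID TSF regression count with a threshold so a single regression from an AP reboot does not alert, and also records which BSSIDs announce each SSID. The BSSID, SSID, TSF values and the interleaving of real and impostor beacons are constructed for the example.

```python
# Added example (not the slides' Scapy code): decode raw 802.11 beacon frames
# and apply the slide's check, a per-BSSID TSF timestamp that goes backwards,
# with a threshold to tolerate the one-off regression an AP reboot causes.
# 802.11 fields are little-endian. Frames are constructed inline (a real AP and
# an impostor reusing its BSSID) so the example runs offline; live input would
# be bytes(pkt) from a monitor-mode capture with the radiotap header stripped.
import struct

MAC_HDR = struct.Struct("<HH6s6s6sH")    # frame control, duration, addr1, addr2, addr3, seq control
BEACON_FIXED = struct.Struct("<QHH")     # TSF timestamp (us), beacon interval (TU), capabilities
FC_BEACON = 0x0080                       # low byte 0x80: version 0, type 0 (management), subtype 8
IE_SSID = 0


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw):
    return ":".join("%02x" % b for b in raw)


def build_beacon(bssid, ssid, tsf, seq=0, interval=100):
    hdr = MAC_HDR.pack(FC_BEACON, 0, mac_bytes("ff:ff:ff:ff:ff:ff"),
                       mac_bytes(bssid), mac_bytes(bssid), (seq & 0xFFF) << 4)
    body = BEACON_FIXED.pack(tsf, interval, 0x0411)   # ESS, privacy, short slot time
    ies = bytes([IE_SSID, len(ssid)]) + ssid.encode()
    return hdr + body + ies


def parse_beacon(frame):
    """Return (bssid, ssid, tsf) for a beacon frame, else None."""
    if len(frame) < MAC_HDR.size + BEACON_FIXED.size:
        return None
    fc, _, _, _, addr3, _ = MAC_HDR.unpack_from(frame)
    if (fc & 0xFF) != 0x80:
        return None
    tsf, _, _ = BEACON_FIXED.unpack_from(frame, MAC_HDR.size)
    i = MAC_HDR.size + BEACON_FIXED.size
    ssid = ""
    while i + 2 <= len(frame):               # tagged parameters: id, length, value
        tag, length = frame[i], frame[i + 1]
        if tag == IE_SSID:
            ssid = frame[i + 2:i + 2 + length].decode("utf-8", errors="replace")
            break
        i += 2 + length
    return mac_str(addr3), ssid, tsf          # addr3 carries the BSSID in a beacon


class BeaconWatcher:
    def __init__(self, threshold=3):
        self.threshold = threshold
        self.last_tsf = {}          # bssid -> last TSF seen
        self.regressions = {}       # bssid -> timestamps that went backwards
        self.ssids = {}             # ssid -> set of BSSIDs announcing it (many is normal in an enterprise WLAN)
        self.alerts = []

    def feed(self, frame):
        parsed = parse_beacon(frame)
        if parsed is None:
            return None
        bssid, ssid, tsf = parsed
        self.ssids.setdefault(ssid, set()).add(bssid)
        alert = None
        last = self.last_tsf.get(bssid)
        if last is not None and tsf < last:
            n = self.regressions[bssid] = self.regressions.get(bssid, 0) + 1
            if n > self.threshold:
                alert = ("tsf-regression", bssid, ssid)
                self.alerts.append(alert)
        self.last_tsf[bssid] = tsf
        return alert


REAL_AP, SSID = "00:11:22:33:44:55", "HotelWiFi"
TU = 102_400                    # 100-TU beacon interval in microseconds


def sample_frames():
    """Constructed: the real AP's TSF has run for ~83 minutes, the impostor's
    for ~1 second; their beacons alternate on the air."""
    frames = []
    for i in range(6):
        frames.append(build_beacon(REAL_AP, SSID, 5_000_000_000 + i * TU, seq=i))
        frames.append(build_beacon(REAL_AP, SSID, 1_000_000 + i * TU, seq=i))
    return frames


def run_sample():
    watcher = BeaconWatcher(threshold=3)
    for frame in sample_frames():
        watcher.feed(frame)
    return watcher.alerts, watcher.regressions.get(REAL_AP, 0)


if __name__ == "__main__":
    for kind, bssid, ssid in run_sample()[0]:
        print("[*] - %s on %s (SSID %s)" % (kind, bssid, ssid))
```

Every impostor beacon that follows a real one trips a regression, so the count grows with the attack rather than with AP restarts; an impostor that uses a different BSSID under the same SSID never regresses, and for that case the ssids map is the signal to inspect against the list of known access points.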
Conclusions
• Layer two attacks still present a threat to modern networks
• Typically these threats go unnoticed by intrusion detection systems
• Scapy and a little creativity can be used to automate detecting layer two attacks
• For more information, see "Detecting and Responding to Data Link Layer Attacks" published in the SANS GCIA Reading Room