Layer 2 Chainsaw Massacre
advertisement
Tim Maletic Security Consultant Goal of this talk To convince you that: Layer 2 must be included in the scope of your security assessments Thou shalt test Layer 2 Thou shalt test Layer 2 Why might someone object to this? – The “why bother” objection – The “sniffing isn’t that bad” objection – The “theoretical attack” objection • too rocket science • too improbable – The “untestable” objection Thou shalt test Layer 2 Or to rephrase, Layer 2 attacks are: 1. 2. 3. 4. devastating being actively exploited simple testable Road map Part 1: Devastation Part II: Active exploitation Part III: Simplicity Part IV: Testability Devastation: OSI model subverted Handy mnemonic: All Pretty Serious Teenagers Never Do Physics Devastation: realistic attack scenarios Internal DMZ Network Devastation: we’re talking CVSS ≥ 8 Devastation Recall these famous words: “In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to convince users to visit the Web site, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes users to the attacker’s Web site.” Well, now we get that for free! Our slogan is: “Don’t send the user to the malicious web site, send the malicious web site to the user!” or “Why convince when you can force?” Road map Part 1: Devastation Part II: Active exploitation Part III: Simplicity Part IV: Testability Active exploitation Active exploitation: timeline 2006/02 NAI’s documentation of W32/Snow.a 2006/06 Freenode hack 2006/12 NAI’s documentation of NetSniff malware 2007/06 MSRC blogs on ARP cache poisoning in the wild 2008/06 Metasploit.com “defacement” 2009/03 SANS ISC reports mass exploitation [Others? Let me know.] zxarps Road map Part 1: Devastation Part II: Active exploitation Part III: Simplicity Part IV: Testability Simplicity: ARP review “The world is a jungle in general, and the networking game contributes many animals.” -David C. Plummer, RFC 826, “An Ethernet Address Resolution Protocol” Who has 192.168.3.5? I’m at 00:97:27:34:48:bc IP: 192.168.3.1 MAC: 00:0c:41:76:32:d4 IP: 192.168.3.5 MAC: 00:97:27:34:48:bc • ARP replies are cached • New ARP replies overwrite existing entries in the cache Simplicity: ARP viewed through tcpdump Normal ARP traffic Simplicity: ARP cache poisoning IP: 192.168.3.1 MAC: 00:0c:41:76:32:d4 ARP cache: ...5 is at ...48:bc IP: 192.168.3.5 MAC: 00:97:27:34:48:bc ARP cache: ....1 is at ...32:d4 ...5 is at ...e8:04 ...1 is at ...e8:04 IP: 192.168.3.3 MAC: 00:16:76:cf:e8:04 Simplicity: ARP cache poisoned IP: 192.168.3.1 MAC: 00:0c:41:76:32:d4 ARP cache: ...5 is at ...e8:04 IP: 192.168.3.5 MAC: 00:97:27:34:48:bc ARP cache: ....1 is at ...e8:04 ...5 is at ...e8:04 ...1 is at ...e8:04 IP: 192.168.3.3 MAC: 00:16:76:cf:e8:04 Simplicity: ARP viewed through tcpdump Normal ARP traffic Suspicious ARP traffic Simplicity: The Toolbox • arpspoof – Part of Dug Song’s dsniff suite – First released 12/17/1999 • ettercap – Written by Alberto Ornaghi (ALoR) and Marco Valleri (NaGA) – First released 01/25/2001 • Cain – Written by Mao (Massimiliano Montoro) – First released in 2001(?) – ARP spoofing first integrated in 2003(?) Simplicity:The Toolbox: ettercap Simplicity: The Toolbox: Cain Simplicity: The Toolbox NG • Scapy – Written by Phillippe Biondi – First released <2003? • The Middler – Written by Jay Beale, Matt Carpenter and Justin Searle – First released in 2008? Road map Part 1: Devastation Part II: Active exploitation Part III: Simplicity Part IV: Testability Testability:You don’t want to be that guy • The guy using arpspoof who forgot to enable ip_forwarding • The guy who used the ettercap command line syntax he found on some web tutorial – “ettercap -T -q -F ig.ef -M ARP // //” • The guy who was man-in-the-middling the network when his laptop died Testability: Ettercap safety manual (1) 1. Read this list in its entirety before you begin. 2. Play in your sandbox. 3. Don’t mess with kernel IP Forwarding. Unlike arpspoof, ettercap handles this internally. 4. Don’t target infrastructure. (yet :) 5. Choose precise targets. Testability: Ettercap safety manual (2) 6. Be familiar with the in-line commands for the Text interface. Testability: Ettercap safety manual (3) 7. Always exit using the “q” in-line command. Testability: From chainsaw to scalpel • • • • Recon targets Specify precise targets Performed multi-staged attacks Stitch the network back together Testability: Enhancing the Middler Problem #1 The Middler doesn’t clean up after itself • Why is this a problem? From the Middler’s code: “TODO: If we used scapy, send out three ARP replies with the impersonated_host’s real MAC address. For now, don't worry about it. ARP caches recover quickly.” • But reality is more complicated than that. Problem #2 The Middler targets the entire local subnet Testability+Devastation=Scalpel Massacre • Own domain credentials – deliver UNC path to attackers malicious SMB share – crack hashes via HALFLMCHALL Rainbow Tables • Own browsers – deliver Metasploit’s BrowserAutopwn – to specific targets – exactly one time • Own SSL – deliver SSLstrip – to particular victims, against particular web servers, for a fixed number of requests • Own 2-factor auth – while modifying victim’s valid PIN+Tokencode value – you use it Testability+Devastation=Scalpel Massacre • Downgrade attacks – NTLM – SSL – SSH • Subvert software update processes – a la evilgrade • The only limit is your imagination! :) Mitigation • Detection – ARPwatch – snort rules(?) • Prevention – Cisco Switch port security – Cisco Dynamic ARP Inspection? – NAC Recap Layer 2 attacks are: 1. 2. 3. 4. devastating simple being actively exploited testable Ergo... Thou shalt test layer 2 Discussion: Questions? I’m interested in your feedback: tmaletic@gmail.com
