bh-us-03-ornaghi-valleri

Securityfocuscomarchive1299929 httpwww kernel will

Info iconThis preview shows page 1. Sign up to view the full content.

View Full Document Right Arrow Icon
This is the end of the preview. Sign up to access the rest of the document.

Unformatted text preview: ://www. “Kernel will send ARP request to test if there is a host at old MAC address. If such response is received it lets us know than one IP pretends to have several MAC addresses at one moment, that probably caused by ARP spoof attack.” We can fake this protection if the ARP entry is not We in the cache and the real mac address will be banned Blackhat Conference - USA 2003 Blackhat 30 Antidote Attack DEMO Blackhat Conference - USA 2003 Blackhat 31 MITM attack Port stealing The attacker sends many layer 2 packets with: The – Source address equal to victim hosts’ address hosts’ – Destination address equal to its own mac address The attacker now has “stolen” victim hosts’ ports The When the attacker receives a packet for one of the victims it When generates a broadcast ARP request for the victim’s IP address. When the attacker receives the ARP reply from the victim, the When victim’s port has been restored to the original binding state The attacker can now forward the packet and restart the stealing The process Possibility to circumvent static-mapped arp entries Possibility Blackhat Conference - USA 2003 Blackhat 32 MITM attack Port stealing - countermeasures YES - port security on the switch YES NO - static ARP NO Blackhat Conference - USA 2003 Blackhat 33 Port Stealing DEMO Blackhat Conference - USA 2003 Blackhat 34 Q&A Alberto Ornaghi <alor@antifork.org> Marco Valleri <naga@antifork.org> Blackhat Conference - USA 2003 Blackhat 35...
View Full Document

Ask a homework question - tutors are online