http://ettercap.sf.net)
- With the Lamia plugin

IIT Kanpur Hacker’s Workshop 2004, 23, 24 Feb 2004

Local attacks (3)
STP mangling - countermeasures

- YES - Disable STP on VLAN without loops
- YES - Root Guard, BPDU Guard.

Local attacks (4)
Port stealing

Attacker floods the switch with forged gratuitous ARP packets with the source MAC address being that of the target host and the destination MAC address being that of the attacker.

Since the destination MAC address of each flooding packet is the attacker’s MAC address, the switch will not forward these packets to other ports, meaning they will not be seen by other hosts on the network.

A race condition arises because the target host will send packets too. The switch will see packets with the same source MAC address on two different ports and will constantly change the binding of the MAC address to the port. Remember that the switch binds a MAC address to a single port.

If the attacker is fast enough, packets intended for the target host will be sent to the attacker’s switch port and not the target host.

When a packet arrives, the attacker performs an ARP request asking for the target host’s IP address. Next, the attacker stops the flooding and waits for the ARP reply. When the attacker receives the reply, it means that the target host’s switch port has been restored to its original binding.

The attacker now sniffs the packet and forwards it to the target host and restarts the attack ad nauseam …

Local attacks (5)
Port stealing how to

[Diagram: Layer 2 switch with ports 1, 2 and 3; hosts A and B; Attacker; Gratuitous ARP (forged)]

Local attacks (4)
Port stealing - tools

ettercap (http://ettercap.sf.net)
- With the Confusion plugin

Local Attacks (4)
Port stealing - countermeasures

- YES - port security on the switch

Attack techniques
From local to remote

Local to remote attacks (1)
DHCP spoofing

The DHCP requests are made in broadcast mode. If the attacker replies before the real DHCP server it can manipulate:

- IP address of the victim
- GW address assigned to the victim
- DNS address

Local to remote attacks (1)
DHCP spoofing - countermeasures

- YES - detection of multiple DHCP replies

Local to remote attacks (2)
ICMP redirect

The attacker can forge an ICMP redirect packet in order to redirect traffic to himself.

[Diagram: T, G 1, AT and H on a LAN; ICMP redirect to AT]

Local to remote attacks (2)
ICMP redirect - tools

IRPAS icmp_r...
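
The "detection of multiple DHCP replies" countermeasure from the DHCP spoofing slide, as an added example that is not part of the original slides: it parses DHCP reply payloads and reports every transaction that was answered by more than one server identifier. The function names and the sample replies are constructed for illustration, and the UDP payloads are assumed to come from a capture taken elsewhere.

```python
import struct
from collections import defaultdict
from ipaddress import IPv4Address

MAGIC = b"\x63\x82\x53\x63"  # DHCP magic cookie that precedes the options field

def parse_reply(payload):
    """Return fields of a DHCP OFFER/ACK carried in a UDP payload, else None."""
    if len(payload) < 240 or payload[0] != 2 or payload[236:240] != MAGIC:
        return None                                # not a BOOTREPLY with DHCP options
    info = {"xid": struct.unpack("!I", payload[4:8])[0],
            "chaddr": payload[28:34].hex(":"), "yiaddr": str(IPv4Address(payload[16:20]))}
    i, opts = 240, {}
    while i + 1 < len(payload) and payload[i] != 255:   # 255 = end option
        if payload[i] == 0:                        # pad option has no length byte
            i += 1
            continue
        opts[payload[i]] = payload[i + 2:i + 2 + payload[i + 1]]
        i += 2 + payload[i + 1]
    if opts.get(53) not in (b"\x02", b"\x05"):     # message type: 2 = OFFER, 5 = ACK
        return None
    for name, code in (("server", 54), ("router", 3), ("dns", 6)):
        raw = opts.get(code, b"")
        info[name] = str(IPv4Address(raw[:4])) if len(raw) >= 4 else None
    return info

def find_conflicts(payloads):
    """Map (xid, client MAC) -> replies, for transactions answered by more than one server."""
    seen = defaultdict(dict)
    for p in payloads:
        r = parse_reply(p)
        if r:
            seen[(r["xid"], r["chaddr"])].setdefault(r["server"], r)
    return {k: list(v.values()) for k, v in seen.items() if len(v) > 1}

def build_reply(xid, mac, yiaddr, server, router, dns, mtype=2):
    """Build a DHCP reply payload; used only to construct the sample data below."""
    ip = lambda s: IPv4Address(s).packed
    hdr = struct.pack("!BBBBIHH", 2, 1, 6, 0, xid, 0, 0) + bytes(4) + ip(yiaddr)
    hdr += ip(server) + bytes(4) + bytes.fromhex(mac.replace(":", "")).ljust(16, b"\0")
    opts = bytes([53, 1, mtype, 54, 4]) + ip(server) + bytes([3, 4]) + ip(router)
    return hdr + bytes(192) + MAGIC + opts + bytes([6, 4]) + ip(dns) + b"\xff"

SAMPLE = [  # constructed replies (documentation addresses), not a real capture
    build_reply(0x1A2B3C4D, "02:00:00:00:00:01", "192.0.2.50", "192.0.2.1", "192.0.2.1", "192.0.2.53"),
    build_reply(0x1A2B3C4D, "02:00:00:00:00:01", "192.0.2.77", "192.0.2.66", "192.0.2.66", "192.0.2.66"),
    build_reply(0x55667788, "02:00:00:00:00:02", "192.0.2.51", "192.0.2.1", "192.0.2.1", "192.0.2.53"),
]
if __name__ == "__main__":
    print(find_conflicts(SAMPLE))
```

Networks with redundant DHCP servers also produce more than one reply per transaction, so the reported server identifiers should be compared against the list of known servers before alerting.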

This document was uploaded on 03/17/2014 for the course CS 393 at NYU Poly.