Switches play a huge role in modern organizations and are vital components of any network. This article walks you through switching fundamentals and switching protocols. Then we will learn how switches and Virtual LANs (VLANs) can be exploited with different attacks, publicly available tools and cutting-edge techniques.
In this article we are going to discover:
Switching Fundamentals
LAN switching
Layer 2 Transmission
MAC attacks
Media Access Control Security (MACSec)
DHCP attacks
ARP attacks
VLAN attacks
Spanning Tree Protocol attacks
This article comes with a free document to help you explore further what we discuss next. You can download it from here: Layer 2 Security
Switching Fundamentals
In a previous Peerlyst article we learned how to exploit and secure routers. If you haven't read it yet, I highly recommend taking a look at it. You can read it here: How to Exploit and Secure Routers
In that article we discovered the Open Systems Interconnection model. By definition: “The Open Systems Interconnection model (OSI model) is a conceptual model that characterizes and standardizes the communication functions of a telecommunication or computing system without regard to its underlying internal structure and technology. Its goal is the interoperability of diverse communication systems with standard protocols. The model partitions a communication system into abstraction layers. The original version of the model defined seven layers.
A layer serves the layer above it and is served by the layer below it. For example, a layer that provides error-free communications across a network provides the path needed by applications above it, while it calls the next lower layer to send and receive packets that comprise the contents of that path. Two instances at the same layer are visualized as connected by a horizontal connection in that layer.
The model is a product of the Open Systems Interconnection project at the International Organization for Standardization (ISO), maintained by the identification ISO/IEC 7498-1.” (Source: Wikipedia)
In other words, data moves through the network in a specific order. The following are the seven layers of the OSI model:
7- Application layer
6- Presentation layer
5- Session layer
4- Transport layer
3- Network layer
2- Data link layer
1- Physical layer
Switching connects networking devices by receiving packets and forwarding them to the destination devices. Switches are Layer 2 devices. In switching we have three main techniques:
Circuit switching
Packet switching
Message switching
LAN switching
In that article we also discovered the different types of communication networks:
Local Area Network (LAN): this network is used in small areas
Metropolitan Area Network (MAN): this network is larger than a LAN. It can be used, for example, to connect two offices.
Wide Area Network (WAN): this type of network connects sites over large distances
Personal Area Network (PAN): this network is used over short distances and small areas like a single room.
In a LAN the access method is Ethernet, based on the IEEE 802.3 standard. The algorithm used to prevent devices from sending at the same time is called Carrier Sense Multiple Access/Collision Detect (CSMA/CD): a station listens to the medium and transmits only when it is idle; if it detects a collision while sending, it stops, sends a jam signal and retries after a random back-off.
In LAN switching we have three techniques:
Store-and-forward switching
Store-and-forward switching means that the LAN switch copies each complete frame into the switch memory buffers and computes a cyclic redundancy check (CRC) for errors. CRC is an error-checking method that uses a mathematical formula, based on the number of bits (1s) in the frame, to determine whether the received frame is errored. If a CRC error is found, the frame is discarded. If the frame is error free, the switch forwards the frame out the appropriate interface port.
Cut-through switching
With cut-through switching, the LAN switch copies into its memory only the destination MAC address, which is located in the first 6 bytes of the frame following the preamble. The switch looks up the destination MAC address in its switching table, determines the outgoing interface port, and forwards the frame on to its destination through the designated switch port. A cut-through switch reduces delay because the switch begins to forward the frame as soon as it reads the destination MAC address and determines the outgoing switch port.
Fragment-free switching
Fragment-free switching works like cut-through switching with the exception that a switch in fragment-free mode stores the first 64 bytes of the frame before forwarding. Fragment-free switching can be viewed as a compromise between store-and-forward switching and cut-through switching. The reason fragment-free switching stores only the first 64 bytes of the frame is that most network errors and collisions occur during the first 64 bytes of a frame.
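As an added example (not code from the original article), the following Python models the difference between the first two techniques: it builds a constructed Ethernet frame with a CRC-32 frame check sequence, then shows a store-and-forward switch discarding a corrupted frame that a cut-through switch would already have forwarded. Addresses and payload are made up.

```python
import struct
import zlib


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Assemble an Ethernet II frame and append its frame check sequence (FCS).

    The FCS is the IEEE CRC-32 over everything from the destination MAC to the
    end of the payload, sent least-significant byte first (hence '<I').
    """
    body = dst + src + struct.pack("!H", ethertype) + payload
    return body + struct.pack("<I", zlib.crc32(body))


def fcs_ok(frame: bytes) -> bool:
    """Recompute the CRC over the frame body and compare it with the trailer."""
    return struct.pack("<I", zlib.crc32(frame[:-4])) == frame[-4:]


def store_and_forward(frame: bytes):
    """Buffer the whole frame, verify the FCS, then choose the egress.

    Returns the destination MAC to look up in the CAM table, or None when the
    frame is discarded (runt frame or CRC error).
    """
    if len(frame) < 64 or not fcs_ok(frame):
        return None
    return frame[:6]


def cut_through(frame: bytes):
    """Forward as soon as the first 6 bytes (destination MAC) have arrived.

    The FCS has not been received yet, so a corrupted frame is forwarded too.
    """
    return frame[:6] if len(frame) >= 6 else None


# Constructed sample frame: made-up addresses, IPv4 ethertype, 46-byte payload
# (the minimum that pads the frame to 64 bytes including the FCS).
DST = bytes.fromhex("001122334455")
SRC = bytes.fromhex("66778899aabb")
GOOD = build_frame(DST, SRC, 0x0800, b"A" * 46)

# Flip one payload bit after the FCS was computed to simulate a damaged frame.
BAD = bytearray(GOOD)
BAD[20] ^= 0x01
BAD = bytes(BAD)

if __name__ == "__main__":
    print("store-and-forward, good frame:", store_and_forward(GOOD))
    print("store-and-forward, bad frame: ", store_and_forward(BAD))
    print("cut-through, bad frame:       ", cut_through(BAD))
```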
As transmission modes we have generally three categories:
Unicast
Multicast
Broadcast
The three modes differ in how many receivers a frame is addressed to: unicast delivers it to a single destination, multicast to the hosts that joined a group address, and broadcast to every host in the broadcast domain.
MAC attacks
In switching, the flow of traffic is determined by Media Access Control (MAC) addresses. A MAC address is a unique 48-bit identifier, split into two equal halves: the Organizationally Unique Identifier (OUI) and the vendor-assigned part.
MAC addresses are stored in a fixed-size table called the Content Addressable Memory (CAM) table. Attackers can exploit the CAM table to perform malicious activities. Some of the attacks are the following:
CAM table overflow: attackers can overflow the CAM table by exploiting its maximum size. To perform this attack you can use the macof utility, a member of the Dsniff suite, which floods the switch on a local network with MAC addresses (up to 155,000 MAC entries per minute).
Syntax: macof [-i interface] [-s src] [-d dst] [-e tha] [-x sport] [-y dport] [-n times]
To defend against this attack, use port security to limit the number of MAC addresses allowed on each interface.
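The following Python is an added example, not code from the article or from dsniff: it splits a MAC into its OUI and vendor-assigned halves, then models port security with a per-port limit and shows how a constructed flood of locally administered source MACs on one port is stopped (the port is err-disabled in shutdown mode, or the frames are dropped and counted in restrict mode). Port names and addresses are made up.

```python
from collections import defaultdict


def parse_mac(mac: str) -> dict:
    """Split a MAC into OUI and vendor-assigned halves and decode the first
    octet's flag bits (bit 0: multicast, bit 1: locally administered)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    return {
        "oui": octets[:3].hex(":"),
        "nic": octets[3:].hex(":"),
        "multicast": bool(octets[0] & 0x01),
        "locally_administered": bool(octets[0] & 0x02),
    }


class PortSecurity:
    """Model of switchport port-security: a port learns at most `maximum` source
    MACs; mode 'shutdown' err-disables on violation, 'restrict' drops and counts."""

    def __init__(self, maximum: int = 2, mode: str = "shutdown"):
        self.maximum, self.mode = maximum, mode
        self.learned = defaultdict(set)      # port -> learned (sticky) MACs
        self.violations = defaultdict(int)   # port -> violation counter
        self.err_disabled = set()

    def ingress(self, port: str, src_mac: str) -> bool:
        """Return True when the frame is accepted and forwarded."""
        if port in self.err_disabled:
            return False
        table = self.learned[port]
        if src_mac in table:
            return True
        if len(table) < self.maximum:
            table.add(src_mac)               # learn a new MAC while under the limit
            return True
        self.violations[port] += 1
        if self.mode == "shutdown":
            self.err_disabled.add(port)
        return False


def simulate(flood_frames: int = 1000, mode: str = "shutdown") -> PortSecurity:
    """Constructed traffic: one legitimate host per port, then a CAM flood on
    Gi0/2 where every frame carries a new locally administered source MAC."""
    ps = PortSecurity(maximum=2, mode=mode)
    ps.ingress("Gi0/1", "00:11:22:33:44:55")
    ps.ingress("Gi0/2", "00:11:22:33:44:66")
    for i in range(flood_frames):
        ps.ingress("Gi0/2", f"02:00:00:00:{i >> 8:02x}:{i & 0xff:02x}")
    return ps
```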
Media Access Control Security (MACSec)
To protect switches from the previous attack you can also use Media Access Control Security (MACsec). It secures the whole Ethernet link. MACsec is to the data link layer what IPsec is to the network layer: it provides integrity and confidentiality using hop-by-hop encryption (GCM-AES-128), with keys negotiated by the MACsec Key Agreement (MKA) protocol between the network nodes.
DHCP Attacks
Dynamic Host Configuration Protocol (DHCP) is a network layer protocol based on RFC 2131 that assigns IP addresses to hosts dynamically. It goes through four steps:
Discovery
Offer
Request
Acknowledgment
I bet you are wondering why we are discussing a network layer protocol in a Layer 2 article. You are totally right to ask. An attacker can broadcast DHCP requests with spoofed MAC addresses; this attack exhausts the DHCP server's address space and is called DHCP starvation. To perform a DHCP starvation attack you can use a tool called “the gobbler”. Gobbler is a tool designed to audit various aspects of DHCP networks, from detecting whether DHCP is running on a network to performing a denial of service attack. Gobbler also exploits DHCP and Ethernet to allow distributed spoofed port scanning, with the added bonus of being able to sniff the reply from a spoofed host. This tool is based on the proof-of-concept code "DHCP Gobbler" available from networkpenetration.com, or you can download it from here: https://the-gobbler.soft112.com/
Rogue DHCP Server
A rogue DHCP server attack is carried out by deploying an unauthorized DHCP server, which lets the attacker gather a great deal of information and control settings handed to clients, including DNS server information and the default gateway.
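As an added example covering both the starvation and the rogue server attacks above (not code from the article or from Gobbler), this Python applies two DHCP snooping rules to a constructed event log: server messages arriving on an untrusted port flag a rogue DHCP server, and a burst of DISCOVERs from one port above a per-second limit flags starvation. Port names, MAC addresses and the limit of 15 per second are assumptions.

```python
from collections import defaultdict

# DHCP message types (option 53) as defined in RFC 2131 / RFC 2132.
DISCOVER, OFFER, REQUEST, ACK = 1, 2, 3, 5

# Constructed switch view: only Gi0/24 faces the legitimate DHCP server.
TRUSTED_PORTS = {"Gi0/24"}


def dhcp_snooping(events, trusted=TRUSTED_PORTS, discover_limit=15):
    """Apply two DHCP-snooping rules to (second, port, msg_type, client_mac)
    tuples and return (alerts, dropped_events).

    Rule 1: OFFER/ACK arriving on an untrusted port comes from a rogue server.
    Rule 2: more than `discover_limit` DISCOVERs per second on one untrusted
            port is starvation (each DISCOVER carries a fresh spoofed MAC).
    """
    alerts, dropped = [], []
    per_second = defaultdict(int)           # (port, second) -> DISCOVER count
    flagged = set()
    for sec, port, mtype, mac in events:
        if port in trusted:
            continue                         # server-facing ports are not policed
        if mtype in (OFFER, ACK):
            alerts.append(("ROGUE_SERVER", port, mac))
            dropped.append((sec, port, mtype, mac))
        elif mtype == DISCOVER:
            per_second[(port, sec)] += 1
            if per_second[(port, sec)] > discover_limit:
                dropped.append((sec, port, mtype, mac))
                if port not in flagged:
                    flagged.add(port)
                    alerts.append(("DHCP_STARVATION", port, sec))
    return alerts, dropped


# Constructed event log (not a real capture): a normal lease on Gi0/1, a
# server answer from an unexpected port Gi0/5, and 40 DISCOVERs within one
# second on Gi0/7, each with a different client MAC.
EVENTS = [
    (0, "Gi0/1", DISCOVER, "00:11:22:33:44:55"),
    (0, "Gi0/24", OFFER, "00:11:22:33:44:55"),
    (0, "Gi0/1", REQUEST, "00:11:22:33:44:55"),
    (0, "Gi0/24", ACK, "00:11:22:33:44:55"),
    (1, "Gi0/5", OFFER, "00:11:22:33:44:55"),
] + [(2, "Gi0/7", DISCOVER, f"02:00:00:00:00:{i:02x}") for i in range(40)]

if __name__ == "__main__":
    found, blocked = dhcp_snooping(EVENTS)
    for alert in found:
        print("ALERT", alert)
    print(len(blocked), "messages dropped")
```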
ARP Attacks
Address Resolution Protocol (ARP) is a protocol that maps IP addresses to their associated MAC addresses, based on the RFC 826 standard. ARP can be attacked by poisoning its cache, which enables man-in-the-middle attacks.
To perform ARP poisoning you can use a tool called Ettercap. Ettercap is a comprehensive suite for man-in-the-middle attacks. It features sniffing of live connections, content filtering on the fly and many other interesting tricks. It supports active and passive dissection of many protocols and includes many features for network and host analysis.
You can download it from here: https://www.ettercap-project.org/
In addition you can use dsniff, which is a set of password sniffing and network traffic analysis tools.
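The detection side of ARP poisoning, as an added example that is not from the article or from Ettercap: a dynamic-ARP-inspection style check compares each ARP packet's sender IP/MAC pair against a constructed binding table (what a DHCP snooping database would provide) and reports mismatches, with a separate alert when a host claims the gateway address. Addresses, ports and the binding table are made up.

```python
from collections import Counter

REQUEST, REPLY = 1, 2   # ARP opcodes from RFC 826

# Constructed binding table (DHCP-snooping database or static reservations):
# IP -> expected MAC. All values are made up.
BINDINGS = {
    "192.168.1.1": "00:aa:bb:cc:dd:01",    # default gateway
    "192.168.1.10": "00:aa:bb:cc:dd:10",
    "192.168.1.11": "00:aa:bb:cc:dd:11",
}
GATEWAY_IP = "192.168.1.1"


def inspect_arp(packets, bindings=BINDINGS, gateway=GATEWAY_IP):
    """Check (port, opcode, sender_ip, sender_mac, target_ip) tuples against
    the binding table. A sender IP/MAC pair that contradicts the table is
    dropped and reported; a false claim on the gateway gets its own alert type.
    Returns (alerts, forwarded_count)."""
    alerts, forwarded = [], 0
    for port, op, sip, smac, tip in packets:
        expected = bindings.get(sip)
        if expected is None:
            alerts.append(("UNKNOWN_SENDER", port, sip, smac))
        elif smac.lower() != expected:
            kind = "GATEWAY_SPOOF" if sip == gateway else "ARP_SPOOF"
            alerts.append((kind, port, sip, smac))
        else:
            forwarded += 1
    return alerts, forwarded


def suspect_ports(alerts):
    """Count alerts per ingress port: the ports to err-disable or investigate."""
    return Counter(a[1] for a in alerts)


# Constructed ARP traffic: a normal exchange, then host .11 on Gi0/3 answering
# for both the gateway and host .10, and a host with no binding at all.
PACKETS = [
    ("Gi0/2", REQUEST, "192.168.1.10", "00:aa:bb:cc:dd:10", "192.168.1.1"),
    ("Gi0/24", REPLY, "192.168.1.1", "00:aa:bb:cc:dd:01", "192.168.1.10"),
    ("Gi0/3", REPLY, "192.168.1.1", "00:aa:bb:cc:dd:11", "192.168.1.10"),
    ("Gi0/3", REPLY, "192.168.1.10", "00:aa:bb:cc:dd:11", "192.168.1.1"),
    ("Gi0/9", REQUEST, "192.168.1.50", "00:aa:bb:cc:dd:50", "192.168.1.1"),
]

if __name__ == "__main__":
    found, ok = inspect_arp(PACKETS)
    print(ok, "packets forwarded;", suspect_ports(found))
```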
VLAN attacks
A VLAN is a logical grouping of networking devices into one broadcast domain. This logical separation is very beneficial in many cases. For example, if we have devices in different geographical locations, VLANs are a great way to group them so that they act as one broadcast domain even though they are in different places.
We need a router (Layer 3) to make VLANs communicate with each other, an operation called inter-VLAN routing. Trunk negotiation between switches is handled by the Dynamic Trunking Protocol (DTP).
We have two types of VLANs:
Native VLAN or untagged VLAN
Tagged VLAN
VLAN hopping attacks
VLAN hopping attacks rely on DTP. Some of the VLAN attacks are:
Switch spoofing: during this attack, an attacker mimics a switch by emulating ISL or 802.1Q and signaling with DTP. It thus looks like a switch with a trunking port, and so gains access to all the VLANs.
VLAN double tagging: this attack is sometimes called a double 802.1Q encapsulation attack and is done by sending 802.1Q double-encapsulated frames. In general, switches only perform one decapsulation operation at a time, so they strip off the first tag and send the frame back out with the second. This attack is only possible if the attacker and the target are on the same VLAN, even if trunk ports are off.
Private VLAN attacks: a VLAN divides a LAN into broadcast domains. Private VLANs (PVLANs) further divide a VLAN into isolated subdomains (sub-VLANs). VLANs require a Layer 3 device, such as a router, to communicate with each other; PVLANs also require routers to communicate, but the hosts are still in the same IP subnet. We have three PVLAN port types:
Promiscuous (P): Connected to a router
Isolated (I): Connected to hosts
Community (C): Connected to other community ports
Attackers can bypass PVLAN isolation by sending frames that carry their own source IP and MAC addresses together with the victim's destination IP address, so that the Layer 3 device forwards them to a host the PVLAN was meant to isolate.
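As an added example, not code from the article, this Python parses stacked 802.1Q tags from constructed frames and applies the ingress policy of a switch hardened against the double-tagging attack above: no tagged frames on access ports, no untagged frames on trunks (the native VLAN is tagged and unused), and a double-tagged frame is reported rather than decapsulated. Addresses, VLAN IDs and port settings are assumptions.

```python
import struct

TPID_8021Q = 0x8100   # ethertype value that announces an 802.1Q tag


def build_frame(dst, src, vids, ethertype=0x0800, payload=b"\x00" * 46):
    """Constructed frame with zero or more stacked 802.1Q tags (no FCS)."""
    tags = b"".join(struct.pack("!HH", TPID_8021Q, vid & 0x0FFF) for vid in vids)
    return dst + src + tags + struct.pack("!H", ethertype) + payload


def parse_tags(frame):
    """Walk every 802.1Q tag that follows the two MAC addresses.

    Returns (list of VLAN IDs, outermost first; inner ethertype).
    """
    vids, pos = [], 12
    while struct.unpack_from("!H", frame, pos)[0] == TPID_8021Q:
        tci = struct.unpack_from("!H", frame, pos + 2)[0]
        vids.append(tci & 0x0FFF)            # low 12 bits of the TCI are the VID
        pos += 4
    return vids, struct.unpack_from("!H", frame, pos)[0]


def ingress_policy(frame, port):
    """Verdict of a switch hardened against VLAN hopping for one ingress frame.

    port: {"mode": "access"} or {"mode": "trunk", "allowed": set_of_vids}.
    The trunk rules assume the native VLAN is tagged ('vlan dot1q tag native')
    and is an unused VLAN, so untagged frames have no place on the trunk.
    """
    vids, _ = parse_tags(frame)
    if port["mode"] == "access":
        return ("DROP_TAGGED_ON_ACCESS" if vids else "FORWARD"), vids
    if not vids:
        return "DROP_UNTAGGED_ON_TRUNK", vids
    if len(vids) > 1:
        return "ALERT_DOUBLE_TAG", vids      # outer tag would be stripped, inner tag hops
    if vids[0] not in port["allowed"]:
        return "DROP_NOT_ALLOWED", vids
    return "FORWARD", vids


# Constructed addresses and port configurations (native VLAN 999 is unused).
DST = bytes.fromhex("ffffffffffff")
SRC = bytes.fromhex("021122334455")
ACCESS_PORT = {"mode": "access"}
TRUNK_PORT = {"mode": "trunk", "allowed": {10, 20}}

if __name__ == "__main__":
    for name, vids in [("untagged", []), ("single", [10]), ("double", [1, 20])]:
        frame = build_frame(DST, SRC, vids)
        print(name, ingress_policy(frame, ACCESS_PORT)[0], ingress_policy(frame, TRUNK_PORT)[0])
```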
Spanning Tree Protocol (STP) Attacks
Spanning Tree Protocol was developed by Radia Perlman in 1985 to solve the problem of Ethernet loops, but before diving into STP, let's go back to the root cause of this issue. If a broadcast storm occurs, you lose network availability. This happens when we have an Ethernet loop.
Spanning Tree consists of the following steps:
Root Bridge election
Root Port election
Designated Port election
Alternative (Blocking) Port election
One of the hacking techniques is to connect a rogue switch to trunk ports and manipulate the spanning tree priority by configuring this rogue switch with the lowest bridge ID so that it becomes the root bridge. As a consequence, all traffic passes through this switch, where it can be sniffed or redirected.
To defend against STP attacks, enable root guard on all switch ports that should never become root ports:
Switch1(config)# interface gigabitethernet 0/1
Switch1(config-if)# spanning-tree guard root
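As an added example, not from the article, the following Python shows the election the rogue switch abuses and what root guard does about it: bridge IDs are compared on priority first and MAC second, a bridge advertising priority 0 wins any election, and a port with root guard enabled goes root-inconsistent when a superior BPDU arrives instead of accepting the new root. Switch names, MACs and port names are made up.

```python
def bridge_id(priority: int, mac: str) -> tuple:
    """STP bridge ID: compared on priority first, then on MAC; lowest wins."""
    return (priority, int(mac.replace(":", ""), 16))


def elect_root(bridges: dict) -> str:
    """bridges maps switch name -> (priority, mac). Returns the elected root."""
    return min(bridges, key=lambda name: bridge_id(*bridges[name]))


def root_guard(ports: dict, ingress_port: str, advertised_root: tuple,
               current_root: tuple) -> str:
    """Model of 'spanning-tree guard root' on a port.

    ports maps port name -> guard_enabled. A BPDU advertising a root that is
    better (lower) than the current root is a superior BPDU: with root guard
    the port goes root-inconsistent (blocked) instead of re-running the election.
    """
    if advertised_root < current_root:
        return "ROOT_INCONSISTENT" if ports[ingress_port] else "NEW_ROOT_ACCEPTED"
    return "FORWARD"


# Constructed topology: a core switch meant to be root, an access switch, and a
# rogue device on Gi0/5 advertising priority 0 (the lowest possible value).
BRIDGES = {
    "Core1": (4096, "00:1a:00:00:00:01"),
    "Access1": (32768, "00:1a:00:00:00:02"),
}
ROGUE = (0, "02:00:00:00:00:99")
PORTS = {"Gi0/5": True, "Gi0/6": False}   # root guard enabled on Gi0/5 only

if __name__ == "__main__":
    print("root without rogue:", elect_root(BRIDGES))
    print("root with rogue:   ", elect_root({**BRIDGES, "Rogue": ROGUE}))
    current = bridge_id(*BRIDGES["Core1"])
    for port in PORTS:
        print(port, root_guard(PORTS, port, bridge_id(*ROGUE), current))
```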
Summary
In this article, we discovered the basics of switching and the techniques used by attackers to target switches. We started by exploring some fundamentals and later we saw different techniques to attack switches using different tools.
Post Updates
[21/06/2018] Added switching techniques: Thanks to Sree Hari
References used in this Article
1- Advanced Infrastructure Penetration Testing, Chiheb Chebbi, Packt Publishing
2- How to Exploit and Secure Routers: https://www.peerlyst.com/posts/how-to-exploit-and-secure-routers-chiheb-chebbi?trk=user_notification
3- MAC Flooding with MACOF & some major countermeasures: https://kalilinuxtutorials.com/macof/
4- Gobbler, DHCP Network Auditor: http://www.securiteam.com/tools/5UP072K9FU.html
5- Ettercap Home Page: https://www.ettercap-project.org/
6- Spanning Tree Protocol: https://www.fir3net.com/Networking/Protocols/spanning-tree-protocol.html