For More Information
Even though they are not the approach Phoenix is taking, this section provides some more information on three loud options an attacker has to view switched traffic:
- Gratuitous ARP messages for individual hosts (ARP poisoning)
- MAC spoofing
- MAC flooding
This list is by no means exhaustive. There are other techniques including variations of ARP poisoning and port mirroring (SPAN [switched port analyzer]). For more information on those, you can see Chapter 10, “Attacking the Network,” in the book Penetration Testing and Network Defense by Andrew Whitaker and Daniel P. Newman (Cisco Press, 2006).
Figure 2.4 illustrates the first method, ARP poisoning. Here Phoenix sends out a gratuitous ARP message for each of the hosts that he wants to monitor. A gratuitous ARP is an unsolicited ARP message. Normally if UserA wanted to communicate to UserB (10.0.0.12), it would first send out an ARP request to the network asking for the MAC address of 10.0.0.12. Upon hearing the ARP request, UserB would send out an ARP reply with its MAC address. Phoenix can intercept all traffic sent to UserB by sending out an unsolicited ARP response announcing Phoenix’s MAC address for 10.0.0.12. Phoenix can view the traffic going to other hosts by sending gratuitous ARP messages for each of the hosts on the network.
Figure 2.4 Gratuitous ARP messages
The second method—a variation of ARP poisoning—is to spoof the MAC address of a host (see Figure 2.5). This is commonly done for the default gateway, or router, on a network. In this example, Phoenix (UserC) spoofs the MAC address of the router. Whenever Phoenix hears an ARP request for 10.0.0.1, he replies with the same MAC address of the router. When a frame is sent from UserA to the Internet, it will go to the MAC address 0040:5B50:387E. The switch, seeing the router’s MAC address go out both Fa0/3 and Fa0/4, sends the frame to both the router and Phoenix’s computer. This approach will not show Phoenix all the traffic on your network, but it will show him the traffic destined out of your network.
Figure 2.5 MAC spoofing
The third technique is MAC flooding. As you’ve already learned, switches maintain a MAC address table. The MAC table reduces flooding by sending traffic out only the appropriate ports. By flooding the MAC table with thousands of bogus MAC addresses, it will no longer have entries for legitimate hosts. Subsequently, it will cause the switch to operate like a hub and forward all traffic out all ports. This makes it easy for Phoenix, the attacker, to spy on all traffic—even if it was not intended for his machine. Figure 2.6 shows a screen shot of MACOF (http://monkey.org/~dugsong/dsniff/), which is one of many tools you can use to flood a switched network.
Figure 2.6 MAC flooding
Although these three methods are too loud for Phoenix’s purposes, they do serve to highlight some fundamentals of switched traffic that attackers can exploit. The next section begins the detailed discussion of Phoenix’s chained exploit.