Today computer networks are used to transmit large amounts of data which may or may not contain sensitive information. Within this document I will be discussing ways in which your networks may become venerable to attacks. Man in the middle attacks, spanning tree attacks, security issues related to trunking, and security issues relating to identity spoofing.
What is a Man in the middle attack?
Man in the middle attack is a name given to a type of attack where the person intercepts communication being sent across a data network. This type of attack is also known as a Bucket-brigade attack, Fire brigade attack, Monkey-in-the-middle attack, Session hijacking, TCP hijacking, TCP session hijacking etc.
Man in the middle attack is an attack that is usually performed on a internal network. Man in the middle attacks are where hackers introduce a rouge device onto the network then intercept communication between two network devices. This is done by sending out a series of ARP requests and ARP responses to two devices making them think that they are talking to each other.
An example of a man in the middle attack would consist of two hosts, host one and host two. The hacker would connect a rouge device, host three, most likely on the same switch that both host one and two are connected to. Once that he is able to communicate on the network he would then send out ARP requests and responses to both host one and two making them believe that he is the other host. This will make host one and two re-route there connection through host three. once host one and host two are communicating between each other via the new connection established by host three, the hacker will now be able to capture packets sent between them.
Once an attacker has performed a man in the middle attack, they can use this in a number of ways for example Public Key Exchanging, Command Injection, Malicious Code Injection, Downgrade Attacks etc.
There are many tools available that network managers will use in order to monitor their networks. These tools can also be used from a hackers point of view as they allow the hacker to capture packets that are being sent across the network. This essentially allows the hacker to see what you are doing.
The following tools are commonly used for capturing and analysing network traffic by an attacker
WiresharkÂ® is a network protocol analyzer. It lets you capture and interactively browse the traffic running on a computer network. It has a rich and powerful feature set and is world’s most popular tool of its kind. It runs on most computing platforms including Windows, OS X, Linux, and UNIX. Network professionals, security experts, developers, and educators around the world use it regularly. It is freely available as open source, and is released under the GNU General Public License version 2.
Ettercap is a comprehensive suite for man in the middle attacks. It features sniffing of live connections, content filtering on the fly and many other interesting tricks. It supports active and passive dissection of many protocols and includes many features for network and host analysis.
dsniff is a collection of tools for network auditing and penetration testing. dsniff, filesnarf, mailsnarf, msgsnarf, urlsnarf, and webspy passively monitor a network for interesting data (passwords, e-mail, files, etc.). arpspoof, dnsspoof, and macof facilitate the interception of network traffic normally unavailable to an attacker (e.g, due to layer-2 switching). sshmitm and webmitm implement active monkey-in-the-middle attacks against redirected SSH and HTTPS sessions by exploiting weak bindings in ad-hoc PKI.
Yersinia is a network tool designed to take advantage of some weakeness in different network protocols. It pretends to be a solid framework for analyzing and testing the deployed networks and systems.
Spanning Tree Attacks
Spanning tree protocol is a protocol that has been implemented to help prevent switching loops from accruing. In networking is it good to have redundancy, this is where you have more than one connection to devices on the network. For example switch one and switch two. You may have more than one connection connecting these switches together so if one connection goes down the switches will still be able to communicate with each other. If spanning tree protocol is enabled it would make one link active and one link would be dormant so if the active link goes down the second link will be activated and the connection between the switches will remain. Spanning tree does this by creating a topology of all switches in the network that support the spanning tree protocol. Spanning tree protocol does this by sending out bridge protocol data units. Bridge protocol data units contains information about ports, switches, addresses, port priority, etc. Once that the topology has been created the spanning tree protocol would analyse the information collected and choose the best path, this is performed on the switch that has been designated to be the route bridge. The route bridge will take into consideration, cost as well as line speed, when making the decision of choosing the best path. All other links will be down until a link becomes unavailable, as this happens the route bridge would select the next best path.
The first step an attacker would perform on a spanning tree attack would be to take over the route bridge, they can achieve this by sending out spanning tree protocol messages with a priority value which makes it the designated route bridge. From this the attacker can make it so they are able to choose what path the data takes when communicating over the network. They are able to change the networks active topology from a high speed network to a low speed network by activating the redundant links instead of the links the protocol has identified as the best path. This would come in handy when performing a man in the middle attack, as you would be able to make the data travel via a route that was not initially planned for allowing the data to travel via the packet monitor the attacker has introduced onto the network. This will allow you to capture the data that is being transmitted over the network. Another attack that could be performed would be an denial of service attack, this can be done by enabling all routes on the network creating an infinite switching loop. This loop would consume all the switches CPU power and bring down the network.
In order to keep your switches from encountering spanning tree attacks, the network manager would want to make sure that the protocol was configured correctly. BPDU guard is a great way of securing your network from spanning tree attacks. Network managers would enable BPDU Guard on access points so you don’t encounter any end devices being able to change the spanning tree topology. If a rouge switch is introduced onto the network with better values than the existing route bridge, it will cause the topology to change. But when you connect a rouge switch when BPDU guard is enabled, as soon as the switch sends out and receives the first BPDU the port is shut down and can only be enabled again once the no shut command is issued on the switch. By shutting down the port down this prevents the spanning tree topology to be affected. BPDU filtering on the other hand only filters BPDU messages it will prevent inbound and outbound messages, this will disable port fast if a BPDU is received. Effectively this means that spanning tree protocol is disabled on the port, this is the same as spanning tree being disabled allowing switching loops to occur on the network.
Security Issues Related to Trunks and Trucking Protocols
Trucking protocol is a protocol used that will allow traffic to flow between connected switches. For example VLAN Trucking Protocol allows the configuration of one switch to be transferred to one or more switch’s within a VTP domain.
To do this you would have to set up VLAN Trucking Protocol. First you would have to configure a switch with VLAN Trucking Protocol mode set to server. This will allow the switch to operate as a server for VLAN Trucking Protocol. Once you have successfully setup your switch as a VLAN Trucking Protocol server, you would then setup a trunk link. You do this by setting a port on your switches network interface to trunk mode. You would then connect another switch via the network interface you set to trunk. Once that you have connected the switch, you would have to set the VLAN Trucking Protocol to client. Now that you have set the switch to VLAN Trucking Protocol mode client, the switch will now download all configurations from the switch acting as VLAN Trucking Protocol mode server. This includes VLANs etc.
Hackers can exploit this protocol in a number of ways for example;
The first way a hacker could exploit this protocol would be if they were to connect a rouge switch with its VLAN Trucking Protocol set to client. If plugged into another switch the switch will recognise that there is a trunk link and set the port up accordingly. The switch would then automatically download all the configurations off the closest server. Once the switch has downloaded the network configuration the hacker would then be able to This would allow the hacker to be able to plug in any device and this would allow communication across the network the network. This would compromise the networks security, as the hacker would then be able to set up monitoring software on the network interface of the trunk allowing any data passed over the trunk to be captured.
Another way VLAN Trucking Protocol could be exploited, would to configure your rouge switch with VLAN Trucking Protocol set to mode server. When the switch connects to the network the configurations that have been configured on the switch will be applied to all other switches connected to the network with their VLAN Trucking Protocol set to client. This would allow the hacker to be able to re-configure the network.
VLAN hopping attack allows an attacker to be able to gain unauthorised access to a different VLAN by sending tagged packets onto the network with the VLAN ID of another VLAN. This works as a switch would look at the VLAN tag before it passes the packet on, this happens even if the port that the message was sent from isn’t assigned to the target VLAN.
You can protect your trunk protocols in a number of ways, one of which would be to assign passwords to your trunk links. This makes it so you have to have the correct password configured within the settings of all your switch’s. Once that all your switches have correct passwords configured you will be able to create a secure connection between the devices. If the passwords are incorrect, the trunk link would not accept data to flow between the devices with incorrect passwords configured.
Another way of creating a secure trunk link between switches would be to setup switch port security. This is a security protocol that allows you to set the MAC address of the connected device, this means that only the device with the correct MAC address configured will be able to make a connection. There are tree different security settings involved with switch port security, shutdown, restrict, protect. If the MAC address is incorrect and switch port security is set to shutdown the switch be put into a state where it blocks all traffic being sent to the port. Protect on the other hand keeps the link open but drops all packets being sent from MAC addresses that aren’t configured to be allowed. Restrict is like protect but it creates a system log message and increases the violation counter.
To prevent VLAN hopping attacks the switch would use ingress filtering to drop all tagged packets, since workstations attacked to edge ports should not send tagged packets into your network.
Security Issues related to Spoofing of frames
When you spoof frames it is so that you are able to make the devices on your network think that you are someone else. there are many types of frames spoofing attacks that can be performed on the network such as ARP spoofing.
ARP is a protocol used by networks to map out IP addresses to the hardware addresses. ARP spoofing is usually performed within the man in the middle attack process. ARP spoofing is where a hacker would send out messages onto a local network, these messages allow the hacker to associate his MAC address with the IP address of another host. The aim of this would be to retrieve information that is being from two hosts.
DNS spoofing is an attack performed on into the DNS name servers cache, this attack allows the attacker to return a incorrect IP address, this will often return the IP address of the attacker allowing them to display a page that they have created instead of the legitimate source. Cache poisoning attack is the name given to the attack the hacker will use. Normally the DNS server would be provided by the ISP but in big organisations they are deployed on site in order to speed up resolution times. The attack works by exploiting a flaw within the DNS software. If the server does not correctly validate the repossesses made from the user that has requested the DNS the server will cache incorrect entry’s. When a another user tries to access the same page, the incorrect entry will be issued. If performed correctly the user will not be able to access the site that they want but in return they will get the site that the hacker wants them to see.
In networking the MAC address is used to identify the hardware associated with the IP address of a host. MAC address spoofing is a attack that is performed on network hardware that allows the attackers MAC address appear different, usually the attack is performed to make the address appear as a MAC address of another host currently on the network. Networks today allow there managers to deploy MAC address filters, when these filters are deployed they restrict traffic to rouge devices that have not been configured within the MAC address access control list. Spoofing MAC address would allow a hacker to use the MAC address of a host that is on the access control list, granting them access on the network.
Discuss protocols and procedures that may be used to protect the network from the frame spoofing attacks you identified above