neutering ettercap in cisco switched networks for fun and profit
TRANSCRIPT
![Page 1: Neutering Ettercap in Cisco Switched Networks For fun and Profit](https://reader036.vdocument.in/reader036/viewer/2022062421/56649ce35503460f949afd92/html5/thumbnails/1.jpg)
Neutering Ettercap in Cisco Switched Networks: For Fun and Profit
What’s With the Title? (AKA Scope)
How the protocols function under normal and malicious circumstances
Ettercap's capabilities for protocol abuse: DHCP Spoofing, ARP Poisoning, ICMP Redirects, Port Stealing
Countermeasures to defend against these kinds of abuses
What’s With the Title? (AKA Scope)
Configuring Countermeasures for Cisco IOS
Best Practices for implementation
This is for CISCO NETWORKS ONLY! (sorry Juniper)
Why Protocol Abuse Works
The protocols are OLD! They were created during a friendlier time in networking.
They were not created with authentication measures or security in mind.
Engineers were focused on transmitting data without errors, not on who was sending it or what was being sent.
Let's spoof some DHCP! You can trust me, I'm a nice DHCP server. ;)
DHCP Spoofing – Function
Dynamic Host Configuration Protocol (DHCP) permits hosts connected to a Local Area Network (LAN) segment to be dynamically assigned the parameters necessary for the host to send and receive data over a network. The exchange of DHCP information is sent as a 'broadcast', which means that every host on the LAN segment will receive a copy of the DHCP exchange.
Normally, a host would ignore this exchange, but Ettercap has a built-in feature to intercept these DHCP messages and reply to them before the authentic DHCP server can. This causes the host to continue the exchange with Ettercap and ignore the authentic server.
The main purpose of this is to tell the host to use the Ettercap machine as its 'Default Gateway', the address to which it forwards data destined for off the network. This allows for a 'Half-Duplex' MitM, meaning the attacker will only see half of the exchange, as the return packets will not be seen by the attacker unless combined with tunneling techniques.
[Figures (slides 9-15): the normal DHCP exchange between a host and the authentic DHCP server, followed by the same exchange with EVE's Ettercap DHCP answering first.]
DHCP Spoofing – Countermeasures
To combat not only Ettercap but all rogue DHCP servers, the 'IP DHCP Snooping' process is enabled. Available on both Layer 2 and Layer 3 switches, DHCP Snooping applies a two-pronged approach.
IP DHCP Snooping only allows authentic DHCP servers to reply to transactions. Rogue servers that send replies to DHCP requests will have the reply packet dropped by the switch, and a log message will be generated. The DHCP transaction will still be visible to all hosts on the LAN segment, but replies are strictly policed using 'Trusted Interfaces'.
DHCP replies received on a Trusted Interface (switch port) are forwarded automatically; however, all ports on the switch are Untrusted by default. Only ports leading to gateway routers and/or other DHCP Snooping enabled switches should be set to Trusted.
IMPORTANT NOTE: Unless your DHCP server supports Option 82 tagging, you must disable it! Cisco switches by default will tag snooped DHCP transactions with Option 82 information before forwarding. This will more than likely cause the DHCP server to ignore the request, creating an inadvertent DoS situation.
DHCP Spoofing – Configuration
• Enable the IP DHCP Snooping process
– Switch(config)# ip dhcp snooping
• Define which VLANs are to be snooped
– Switch(config)# ip dhcp snooping vlan <VLAN_RANGE>
• i.e. 1,2,3-5,8-10,23,25-50
• Disable DHCP Option 82 tagging
– Switch(config)# no ip dhcp snooping information option
• Trust Gateway/Inter-Switch Links
– Switch(config)# int fa0/1
– Switch(config-if)# ip dhcp snooping trust
• Create a DHCP Binding Database
– Switch(config)# ip dhcp snooping database <URL>
• Best practice is to store this DB in switch flash memory
• Re-DHCP all hosts on the LAN segment to populate the DHCP Binding DB
DHCP Spoofing – Countermeasures
Bonus!
• To prevent DHCP Starvation Attacks, set a DHCP packet-per-second limit on untrusted interfaces
– Switch(config)# int range fa0/2-24
– Switch(config-if)# ip dhcp snooping limit rate <#_OF_DHCP_PPS>
• 3 DHCP packets-per-second is a best practice
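The DHCP Snooping rules from the last few slides, traced through on a constructed exchange. This Python model is an added example written for this transcript (not Cisco's implementation and not from the original deck); the port names, MAC and IP addresses are made up. It drops DHCP server messages that arrive on untrusted ports, learns a binding from the ACK the authentic server returns through the trusted uplink, and error-disables an untrusted port whose DHCP packet rate exceeds its limit, which is how IOS reacts when the 'ip dhcp snooping limit rate' value is exceeded.

```python
from dataclasses import dataclass, field

SERVER_MSGS = {"OFFER", "ACK", "NAK"}   # only a trusted port may deliver these


@dataclass
class DhcpPacket:
    msg: str            # DISCOVER, OFFER, REQUEST, ACK, NAK or RELEASE
    port: str           # ingress switch port
    client_mac: str     # chaddr of the client the message concerns
    yiaddr: str = ""    # address handed out in an OFFER/ACK
    vlan: int = 1
    t: float = 0.0      # arrival time in seconds, used by the rate limit


@dataclass
class DhcpSnooping:
    """Model of DHCP Snooping on one switch (constructed for this example)."""
    snooped_vlans: set
    trusted: set = field(default_factory=set)        # 'ip dhcp snooping trust'
    rate_limit: dict = field(default_factory=dict)   # port -> allowed DHCP pps
    bindings: dict = field(default_factory=dict)     # mac -> (ip, vlan, port)
    log: list = field(default_factory=list)
    _client_port: dict = field(default_factory=dict)  # mac -> port it asked from
    _arrivals: dict = field(default_factory=dict)     # port -> recent timestamps
    _errdisabled: set = field(default_factory=set)

    def process(self, pkt: DhcpPacket) -> str:
        if pkt.vlan not in self.snooped_vlans:
            return "forward"                    # VLAN not snooped: untouched
        if pkt.port in self._errdisabled:
            return "drop"
        if pkt.port in self.trusted:
            if pkt.msg == "ACK":
                # the binding records the client's port, learned from its request
                port = self._client_port.get(pkt.client_mac, "unknown")
                self.bindings[pkt.client_mac] = (pkt.yiaddr, pkt.vlan, port)
            return "forward"
        # untrusted port: apply the rate limit first, then police server messages
        recent = [x for x in self._arrivals.get(pkt.port, []) if pkt.t - x < 1.0]
        recent.append(pkt.t)
        self._arrivals[pkt.port] = recent
        limit = self.rate_limit.get(pkt.port)
        if limit is not None and len(recent) > limit:
            self._errdisabled.add(pkt.port)
            self.log.append(f"DHCP rate limit exceeded on {pkt.port}; port err-disabled")
            return "err-disable"
        if pkt.msg in SERVER_MSGS:
            self.log.append(f"{pkt.msg} from untrusted port {pkt.port} dropped")
            return "drop"
        if pkt.msg in ("DISCOVER", "REQUEST"):
            self._client_port[pkt.client_mac] = pkt.port
        elif pkt.msg == "RELEASE":
            self.bindings.pop(pkt.client_mac, None)
        return "forward"


def demo():
    """Constructed scenario: host A on fa0/5, real server behind fa0/1, EVE on fa0/7."""
    sw = DhcpSnooping(snooped_vlans={1}, trusted={"fa0/1"}, rate_limit={"fa0/7": 3})
    a = "aaaa.aaaa.aaaa"
    exchange = [
        DhcpPacket("DISCOVER", "fa0/5", a, t=0.00),
        DhcpPacket("OFFER", "fa0/7", a, yiaddr="192.0.2.200", t=0.01),  # EVE answers first
        DhcpPacket("OFFER", "fa0/1", a, yiaddr="192.0.2.10", t=0.05),   # authentic server
        DhcpPacket("REQUEST", "fa0/5", a, yiaddr="192.0.2.10", t=0.10),
        DhcpPacket("ACK", "fa0/1", a, yiaddr="192.0.2.10", t=0.15),
    ]
    actions = [sw.process(p) for p in exchange]
    # starvation attempt: four DISCOVERs with made-up MACs inside one second on fa0/7
    flood = [sw.process(DhcpPacket("DISCOVER", "fa0/7", f"1111.1111.{i:04d}", t=2.0 + i * 0.1))
             for i in range(4)]
    return actions, flood, dict(sw.bindings), list(sw.log)


if __name__ == "__main__":
    for part in demo():
        print(part)
```

The first OFFER in the exchange is EVE's quick reply from an untrusted port and is the one that gets dropped; the host only ever sees the authentic server's OFFER and ACK, and the resulting binding points at the port A's request came from, which is what DAI will consult later.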
Won't someone think of the child... er... ARPs?!
All your ARPs are belong to us!
ARP Poisoning - Function
Address Resolution Protocol (ARP) allows hosts on a LAN segment to communicate with each other. Networks are defined by their physical (Layer 2) and logical (Layer 3) design, or topology. It is normal for the two topologies to be completely different, and ARP provides the mapping between the two.
This is important because of how switches and routers forward data. Switches forward data primarily based on the physical topology, whereas routers forward based solely on the logical topology. If Layer 2 can be controlled, so can every other OSI layer above it.
By producing falsified ARP broadcasts, Ettercap can convince hosts and routers alike to forward all of their traffic through the attacker's physical address. Ettercap basically tricks all or some of the hosts on the LAN into believing that its physical address corresponds to the victim's logical address.
This is very powerful, as it creates a Full-Duplex MitM, in that both sent and received data will be seen by the attacker. A particularly powerful function of Ettercap is the ability to intercept the negotiation of encryption parameters for SSH and SSL tunnels, allowing the attacker to read the encrypted data in plain text.
[Figures (slides 28-35): hosts A, B and C (MACs aaaa.aaaa.aaaa, bbbb.bbbb.bbbb, cccc.cccc.cccc), a server (dddd.dddd.dddd) and EVE (1111.1111.1111) on one switch. Normal ARPs: 'What is the server's MAC address?' is answered with 'The Server is @ dddd.dddd.dddd', giving the normal traffic flow. Poisoned ARPs from EVE announce 'All Hosts are @ 1111.1111.1111', producing a hairpin traffic flow through EVE.]
ARP Poisoning - Countermeasures
Cisco switches, both Layer 2 and Layer 3, support a process called 'Dynamic ARP Inspection' (DAI). The DAI process works in tandem with DHCP Snooping. DHCP Snooping builds an internal database of Layer 2-to-Layer 3 mappings, the very thing ARP is used to determine.
Since the switch has seen the entire DHCP transaction, and knows which of its switch ports the request came from, it is able to track these bindings to identify false ARP broadcasts and kill them before they propagate to other hosts.
Every invalid ARP reply will be dropped by the switch and generates a log message. ARP requests will still be allowed to propagate as normal, since they need to reach their target to elicit a reply.
Only ARP replies are policed, and they must pass inspection at the first receiving switch, which then places them in a 'trust zone' of clean ARPs. DAI places all interfaces in an untrusted state by default, meaning ARP replies received on that interface must be validated.
Router/inter-switch links connected only to other DAI enabled switches should be trusted (an ARP Access-List is a more secure option for routers). Hosts that have static network assignments will have a static binding set on the switch they are directly connected to.
ARP Poisoning - Configuration
• Enable the DAI process on the appropriate VLANs
– Switch(config)# ip arp inspection vlan <VLAN_RANGE>
• Trust links connected ONLY to routers & other DAI enabled switches
– Switch(config)# int fa0/1
– Switch(config-if)# ip arp inspection trust
• Set an ARP PPS limit on untrusted interfaces
– Switch(config)# int range fa0/2-24
– Switch(config-if)# ip arp inspection limit rate <#_OF_ARP_PPS>
• Define static bindings for non-DHCP hosts
– Switch(config)# arp access-list <ARP_ACL_NAME>
– Switch(config-acl)# permit ip host <HOST_IP> mac host <HOST_MAC> [log]
• i.e. permit ip host 192.168.1.1 mac host 1111.1111.1111 log
• [REPEAT the 'permit' STATEMENT FOR EACH STATICALLY ASSIGNED HOST]
• Switch(config-acl)# exit
ARP Poisoning - Countermeasures
• Apply the ARP ACL to the DAI process
– Switch(config)# ip arp inspection filter <ARP_ACL_NAME> vlan <VLAN_RANGE> [static]
• ARPs matched by the ARP ACL 'permit' statements will not be checked against the DHCP Snooping database. Use the 'static' keyword with caution, as the ACL is checked before the DHCP Snooping database: when 'static' is set and no match is found in the ARP ACL, the ARP reply is considered invalid without consulting the DHCP Snooping database!
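To make the ARP ACL and 'static' semantics concrete, here is an added Python model (example code written for this transcript, not IOS code). The binding table stands in for what DHCP Snooping would have learned, and the ports, addresses and the static printer are all constructed. It shows a genuine reply passing, EVE's forged reply being dropped and logged, a static host passing via the ARP ACL, and the effect of 'static': the same genuine DHCP host is now dropped because the ACL's implicit deny is honoured and the snooping database is never consulted.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    port: str        # ingress switch port
    vlan: int
    sender_ip: str   # the IP-to-MAC binding the reply asserts
    sender_mac: str


class DynamicArpInspection:
    """DAI decision logic for ARP replies (constructed model, not IOS code)."""

    def __init__(self, vlans, bindings, trusted=(), arp_acl=(), static=False):
        self.vlans = set(vlans)          # 'ip arp inspection vlan <range>'
        self.bindings = dict(bindings)   # (vlan, ip) -> mac, from DHCP Snooping
        self.trusted = set(trusted)      # 'ip arp inspection trust'
        self.arp_acl = set(arp_acl)      # 'permit ip host <ip> mac host <mac>' entries
        self.static = static             # the [static] keyword of 'ip arp inspection filter'
        self.log = []

    def inspect(self, r: ArpReply) -> str:
        if r.vlan not in self.vlans or r.port in self.trusted:
            return "forward"             # not inspected on this VLAN/port
        # the ARP ACL is consulted before the DHCP Snooping database
        if (r.sender_ip, r.sender_mac) in self.arp_acl:
            return "forward"
        if self.static:
            # the ACL's implicit deny is honoured: no fallback to the snooping database
            self.log.append(f"{r.port}: {r.sender_ip}/{r.sender_mac} denied by ARP ACL (static)")
            return "drop"
        if self.bindings.get((r.vlan, r.sender_ip)) == r.sender_mac:
            return "forward"
        self.log.append(f"{r.port}: invalid ARP reply, {r.sender_ip} is not at {r.sender_mac}")
        return "drop"


def demo():
    """Constructed LAN: A and B got addresses by DHCP, a printer is static, EVE is on fa0/7."""
    bindings = {(1, "192.0.2.10"): "aaaa.aaaa.aaaa", (1, "192.0.2.11"): "bbbb.bbbb.bbbb"}
    acl = [("192.0.2.50", "cccc.cccc.cccc")]   # the printer's static binding
    replies = [
        ArpReply("fa0/5", 1, "192.0.2.10", "aaaa.aaaa.aaaa"),  # A, genuine
        ArpReply("fa0/7", 1, "192.0.2.10", "1111.1111.1111"),  # EVE claims A's address
        ArpReply("fa0/9", 1, "192.0.2.50", "cccc.cccc.cccc"),  # printer, via the ARP ACL
        ArpReply("fa0/1", 1, "192.0.2.1", "dddd.dddd.dddd"),   # router on the trusted uplink
    ]
    dai = DynamicArpInspection([1], bindings, trusted=["fa0/1"], arp_acl=acl)
    without_static = [dai.inspect(r) for r in replies]
    dai_static = DynamicArpInspection([1], bindings, trusted=["fa0/1"], arp_acl=acl, static=True)
    with_static = [dai_static.inspect(r) for r in replies]
    return without_static, with_static, dai.log, dai_static.log


if __name__ == "__main__":
    for part in demo():
        print(part)
```

The model only implements 'permit' entries and the implicit deny at the end of the ARP ACL; explicit 'deny' statements and the ARP rate limit are left out to keep the two-stage lookup order visible.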
ICMP; Networking Ballistic Missiles!
Break Out the SPF 9000!
ICMP Redirects - Function
The Internet Control Message Protocol (ICMP) is in reality a small suite of protocols used to pass network information between nodes. ICMP is more or less a legacy protocol, in that most of its functionality has been replaced and improved upon by other protocols. However, host operating systems still process most, if not all, ICMP requests in the spirit of backwards compatibility.
ICMP Redirects were used to notify routers/hosts about better paths to reach specific networks. Ettercap can send these Redirects to hosts on a LAN, telling them to forward traffic for other networks to the attacker instead of their default gateway. This is a very simple Half-Duplex MitM by itself, but it can be combined with other techniques to glean host information and become Full-Duplex.
[Figures (slides 47-49): EVE sends 'Reach server.com via EVE's IP Address' redirects to the hosts, and their traffic for server.com then flows through EVE.]
ICMP Redirects - Countermeasures
VLAN Access-Control Lists (VACLs) can be configured on Layer 3 switches to police traffic passing within a VLAN. Unlike traditional ACLs, VLANs do not have the concept of 'inbound' or 'outbound', so VACLs are applied with the use of a 'VLAN access-map'. VLAN access-maps can reference ACLs to determine which protocols are allowed or denied on the VLAN segment.
ICMP Redirects – Configuration
• !Define Extended ACL!
– The 'permit' statement does not mean ICMP redirects will be permitted, but that the VLAN access-map is allowed to act upon packets that match it.
• Switch(config)# ip access-list extended <ACL_NAME>
• Switch(config-acl)# permit icmp any any redirect
• !Define the VLAN access-map!
– Best practice sequencing is to initially use increments of 10 to allow for future adjustments; lower sequence numbers are evaluated first.
• Switch(config)# vlan access-map <VAM_NAME> <SEQ_#>
• Switch(config-access-map)# match ip address <ACL_NAME>
• Switch(config-access-map)# action drop
• Switch(config-access-map)# vlan access-map <VAM_NAME> <SEQ_#>
• Switch(config-access-map)# action forward
• Switch(config-access-map)# exit
• !Apply the VACL filter to the VLAN(s)!
– Switch(config)# vlan filter <VAM_NAME> vlan-list <VLAN_RANGE>
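The VACL pieces above combined, as an added Python example written for this transcript (not Cisco code): a minimal IPv4/ICMP parser stands in for the extended ACL 'permit icmp any any redirect', and a sequence-ordered access-map evaluator applies the drop and forward entries. The packets are constructed inline. The second access-map omits the sequence-20 'action forward' entry to show why it is needed: a VLAN access-map ends with an implicit deny, so without it every non-matching packet on the VLAN is dropped.

```python
import socket
import struct

ICMP_PROTO = 1
ICMP_REDIRECT = 5


def build_ipv4(proto, payload, src="192.0.2.7", dst="192.0.2.10"):
    """Constructed minimal IPv4 header (no options, checksum left at zero)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


def icmp_message(icmp_type, code=0):
    """ICMP header (type, code, checksum) plus the 4-byte 'rest of header' field."""
    return struct.pack("!BBHI", icmp_type, code, 0, 0)


def parse_ipv4(pkt):
    """Return (protocol number, ICMP type or None) from raw IPv4 bytes."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    if proto == ICMP_PROTO and len(pkt) > ihl:
        return proto, pkt[ihl]
    return proto, None


def acl_icmp_redirect(pkt):
    """The extended ACL 'permit icmp any any redirect': matches ICMP type 5 only."""
    proto, icmp_type = parse_ipv4(pkt)
    return proto == ICMP_PROTO and icmp_type == ICMP_REDIRECT


class VlanAccessMap:
    """Sequence-ordered VACL entries; the first matching entry decides the action."""

    def __init__(self):
        self.entries = {}    # seq -> (match function or None, action)

    def add(self, seq, action, match=None):
        self.entries[seq] = (match, action)   # no match clause: the entry matches everything

    def apply(self, pkt):
        for seq in sorted(self.entries):        # lower sequence numbers are evaluated first
            match, action = self.entries[seq]
            if match is None or match(pkt):
                return action
        return "drop"   # no entry matched: a VACL ends with an implicit deny


def demo():
    redirect = build_ipv4(ICMP_PROTO, icmp_message(ICMP_REDIRECT))
    echo = build_ipv4(ICMP_PROTO, icmp_message(8))             # ICMP echo request
    udp = build_ipv4(17, b"\x00\x35\x00\x35\x00\x08\x00\x00")  # constructed UDP header

    vam = VlanAccessMap()
    vam.add(10, "drop", match=acl_icmp_redirect)   # match ip address <ACL_NAME>, action drop
    vam.add(20, "forward")                         # the catch-all forward entry
    complete = [vam.apply(p) for p in (redirect, echo, udp)]

    truncated = VlanAccessMap()                    # the sequence-20 forward entry is missing
    truncated.add(10, "drop", match=acl_icmp_redirect)
    without_forward = [truncated.apply(p) for p in (redirect, echo, udp)]
    return complete, without_forward


if __name__ == "__main__":
    print(demo())
```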
Thou Shall Not Port Steal!
I promise to bring it right back!
Port Stealing - Function
Port Stealing is not the best term to describe this particular MitM. This Ettercap method abuses how switches build their Layer 2 forwarding table. When data is sent from a host, it is tagged with destination and sender addresses.
Switches note the sender's Layer 2 address and associate it with the port it was received on. In this way, the switch maps Layer 2 addresses to Layer 1 (physical ports) so it can forward data as quickly as possible.
[Figures (slides 57-61): A (aaaa.aaaa.aaaa) on Port1, the server (dddd.dddd.dddd) on Port2 and EVE (1111.1111.1111) on Port3. Normal traffic flow with the switch CAM table aaaa.aaaa.aaaa @ Port1, dddd.dddd.dddd @ Port2, 1111.1111.1111 @ Port3. EVE then sends frames with Sender's MAC aaaa.aaaa.aaaa, so the CAM table changes to aaaa.aaaa.aaaa @ Port3 and traffic for A is delivered to EVE (altered traffic flow). EVE alternates with frames from its own MAC; while the CAM entry for A is absent, unknown unicast becomes broadcast, and once A sends again the normal traffic flow is restored.]
Port Stealing - Countermeasures
With modern fast and gigabit Ethernet standards, and improved switching hardware, this particular MitM is the least effective of Ettercap's arsenal, and it is also the easiest to defend against. Using Cisco port-security, forged Layer 2 sender data can trigger a number of responses, up to and including completely disabling an interface. The parameters for Cisco port-security will vary depending on network requirements.
Port Stealing - Configuration
• Select the range of host ports
– Switch(config)# int range fa0/2-24
– Switch(config-if)# switchport host
'switchport host' is an IOS macro that will place the interface in access mode, enable Spanning-tree PortFast, and disable EtherChannel. To use Cisco port-security, though, you only need the 'switchport mode access' command.
• Enable Cisco Port-Security
– Switch(config-if)# switchport port-security
• Define the maximum # of MAC addresses permitted on the interface
– Switch(config-if)# switchport port-security maximum <#>
• Two is recommended for networks w/ VoIP phones
• Define the port-security response
– All modes will drop offending frames. Protect does not generate a log message. Restrict generates a log message. Shutdown generates a log message and disables the interface!
– Switch(config-if)# switchport port-security violation restrict
• Define the host MAC address or allow dynamic learning with 'sticky'
– Switch(config-if)# switchport port-security mac-address [<H.H.H>|sticky]
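Added example (Python written for this transcript, not Cisco's implementation): a switch model that learns its CAM table from frame source addresses and enforces port-security with 'maximum', 'violation' and 'sticky' as the slides describe. Ports and MACs follow the figures (A on Port1, the server on Port2, EVE on Port3); everything else is constructed. Without port-security a forged sender address relocates A's CAM entry; with maximum 1 and violation restrict the forged frame is dropped and logged and the CAM table is untouched; with violation shutdown the port is error-disabled for all following frames.

```python
class Switch:
    """Constructed model of a switch CAM table with Cisco-style port-security."""

    def __init__(self):
        self.cam = {}          # mac -> port, learned from frame source addresses
        self.psec = {}         # port -> port-security settings
        self.errdisabled = set()
        self.log = []

    def port_security(self, port, maximum=1, violation="restrict", sticky=False, mac_addresses=()):
        """'switchport port-security [maximum N] [violation MODE] [mac-address H.H.H|sticky]'."""
        self.psec[port] = {"max": maximum, "violation": violation,
                           "sticky": sticky, "secure": set(mac_addresses)}

    def _violation(self, port, src, cfg):
        # protect drops silently; restrict logs; shutdown logs and err-disables the port
        if cfg["violation"] != "protect":
            self.log.append(f"PSECURE violation on {port}: source {src}")
        if cfg["violation"] == "shutdown":
            self.errdisabled.add(port)
        return "drop"

    def frame(self, port, src, dst):
        """Process one frame; returns the egress port, 'flood' (unknown unicast) or 'drop'."""
        if port in self.errdisabled:
            return "drop"
        cfg = self.psec.get(port)
        if cfg is not None and src not in cfg["secure"]:
            # a violation: the port's limit is reached, or the MAC is secured on another port
            elsewhere = any(src in c["secure"] for p, c in self.psec.items() if p != port)
            if len(cfg["secure"]) >= cfg["max"] or elsewhere:
                return self._violation(port, src, cfg)
            cfg["secure"].add(src)   # dynamically secured (sticky would persist it in config)
        self.cam[src] = port          # normal learning: sender MAC -> ingress port
        return self.cam.get(dst, "flood")


A, SERVER, EVE = "aaaa.aaaa.aaaa", "dddd.dddd.dddd", "1111.1111.1111"


def demo():
    # no port-security: a frame from Port3 carrying A's MAC moves A's CAM entry
    plain = Switch()
    plain.frame("Port1", A, SERVER)
    plain.frame("Port2", SERVER, A)
    plain.frame("Port3", A, SERVER)             # forged sender address
    stolen_port = plain.cam[A]                  # "Port3": the server's replies to A now reach EVE

    # port-security with maximum 1 and violation restrict on every host port
    hardened = Switch()
    for port in ("Port1", "Port2", "Port3"):
        hardened.port_security(port, maximum=1, violation="restrict", sticky=True)
    hardened.frame("Port1", A, SERVER)
    hardened.frame("Port2", SERVER, A)
    hardened.frame("Port3", EVE, SERVER)        # EVE's own MAC is secured on Port3
    forged = hardened.frame("Port3", A, SERVER)   # dropped and logged, CAM unchanged

    # violation shutdown: the offending port is err-disabled for all further frames
    strict = Switch()
    strict.port_security("Port3", maximum=1, violation="shutdown")
    strict.frame("Port3", EVE, SERVER)
    strict.frame("Port3", A, SERVER)
    after_shutdown = strict.frame("Port3", EVE, SERVER)
    return stolen_port, hardened.cam[A], forged, after_shutdown, hardened.log, strict.errdisabled


if __name__ == "__main__":
    for part in demo():
        print(part)
```

The 'sticky' flag changes nothing in this in-memory model; on a real switch it only decides whether the learned secure addresses are written into the running configuration so they survive a reload.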
Conclusion
Y'all play nice now.
While Ettercap is not the only program that performs DHCP Spoofing, ARP Poisoning, ICMP Redirect and Port Stealing MitMs, it is one of the most popular. Keeping vigilant and understanding the threats facing networks are fundamental for network security officers. Understanding the functions of Ettercap and similar tools can give administrators new insight when reassessing security measures.