Detecting and Responding to Data Link Layer Attacks With Scapy TJ OConnor September 2011 GIAC (GSE, GSEC, GCFW, GCIA, GCIH, GCFA, GREM, GPEN, GWAPT, GCFE) SANS Technology Institute - Candidate for Master of Science Degree 1 The Hotel Area Network Dilemma • About year ago, sitting in a hotel room in Washington D.C – “Free” Wireless Internet starts working intermittently – Users start complaining of Facebook posts they didn’t make • Fire up IDS toolkit – IDS doesn’t see anything happening at Layer – IPS isn’t seeing any attacks against the hotel either • What’s happening? – As incident responders, need the ability to quickly write tools to parse data… in this case, Layer traffic SANS Technology Institute - Candidate for Master of Science Degree Cam-Table Exhaustion Attack • CAM Table maintains a list of switch ports and destination MAC addresses by port • Overloading the switch with CAM Table entries results in overflowing memory Switch no longer knows how to deliver based on MAC=AA:AA:AA:AA:AA:AA port ETH.SRC bindings ETH.SRC =AA:AA:AA:AA:AA:AB ETH.SRC =AA:AA:AA:AA:AA:AC ETH.SRC =AA:AA:AA:AA:AA:AD ETH.SRC =AA:AA:AA:AA:AA:AE … SANS Technology Institute - Candidate for Master of Science Degree Cam-Table Exhaustion Attack def monitorPackets(p): if p.haslayer(IP): hwSrc = p.getlayer(Ether).src if hwSrc not in hwList: hwList.append(hwSrc) delta = datetime.datetime.now() - start if ((len(hwList)/delta.seconds) > THRESH)): print "[*] - Detected CAM Table Attack." start = datetime.datetime.now() sniff(iface=interface,prn=monitorPackets) SANS Technology Institute - Candidate for Master of Science Degree Arp Spoofing • ARP translates layer to layer addresses • Clients maintain their own ARP tables of these logical-to-physical bindings • But anyone can broadcast a gratuitous ARP and client tables are updated B A B's IP ADDR is located at HW ADDR for C C A's IP ADDR is located at HW ADDR for C SANS Technology Institute - Candidate for Master of Science Degree Arp Spoofing def monitorPackets(p): global hwTable if (p.getlayer(ARP).op==2): hwSrc=p.getlayer(ARP).hwsrc ipSrc=p.getlayer(ARP).psrc if ipSrc in hwTable: if (hwSrc != hwTable[ipSrc]): print "[*] - Conflict for IP: "+ipSrc hwTable[ipSrc]=hwSrc sniff(iface=interface,filter="arp",prn=monitorPackets) SANS Technology Institute - Candidate for Master of Science Degree DHCP Starvation Attack • Dynamic IP addresses are leased from a DHCP server after a request by a client The lease allows the client to use the specified address for a period of time • By sending 254 DHCP Requests, a DHCP starvation DHCP Request, attack prevents any new clients DHCP Request, from joining DHCP Request, DHCP Request Fail … No addresses available SANS Technology Institute - Candidate for Master of Science Degree DHCP Starvation Attack def monitorPackets(p): if p.haslayer(BOOTP): global reqCnt global ofrCnt opCode = p.getlayer(BOOTP).op if opCode == 1: reqCnt=reqCnt+1 elif opCode == 2: ofrCnt=ofrCnt+1 print "[*] - "+str(reqCnt)+" Requests.” print "[*] - " +str(ofrCnt)+" Offers." sniff(iface=interface,prn=monitorPackets) SANS Technology Institute - Candidate for Master of Science Degree CTS/RTS Wireless Attack • Clear-to-send (CTS) and Ready-to-send (RTS) are layer unencrypted/unauthenticated messages used to prevent wireless collisions • Clients wishing to send traffic, transmit a RTS If the medium is clear, destination responds with a CTS Everybody else who hears the CTS- backs off SANS Technology Institute - Candidate for Master of Science Degree CTS/RTS Wireless Attack 1 def monitorPackets(p): if p.haslayer(Dot11): delta=datetime.datetime.now()-start if (p.getlayer(Dot11).subtype) == 11: rtsCNT = rtsCNT +1 if ((rtsCNT/delta.seconds) > THRESH)): print "[*] - Detected RTS Flood.” elif (p.getlayer(Dot11).subtype) == 12: ctsCNT = ctsCNT + if ((ctsCNT/delta.seconds) > THRESH)): print "[*] - Detected CTS Flood.” start = datetime.datetime.now() sniff(iface=interface,prn=monitorPackets) SANS Technology Institute - Candidate for Master of Science Degree 10 Wireless Deauth Attack • Clients authenticate themselves to access points prior to association with the network • Authentication typically occurs over unencrypted layer management frames • De-authentication also occurs over unencrypted layer management frames • Tools such as aircrack-NG can spoof a deauthentication SANS Technology Institute - Candidate for Master of Science Degree 11 Wireless Deauth Attack def monitorPackets(p): global deauthCNT if p.haslayer(Dot11): type = p.getlayer(Dot11).type subtype = p.getlayer(Dot11).subtype if ((type==0) and (subtype==12)): deauthCNT = deauthCNT + delta = datetime.datetime.now()-start rate = deauthCNT/delta.seconds if rate > THRESH)): print "[*] - Detected Death Attack" print "[*] – Count: +"str(deauthCNT) deauthCNT = start = datetime.datetime.now() sniff(iface=interface,prn=monitorPackets) SANS Technology Institute - Candidate for Master of Science Degree 12 Fake Access Point Attack • Wireless access points are advertised over an 802.11 beacon frame • Clients use the information in the 802.11 beacon frame to connect to the wireless AP • Anyone can broadcast an 802.11 beacon, impersonating a network • Combined with tools like karmetasploit, an attacker can instantly attack a client that joins a fake AP SANS Technology Institute - Candidate for Master of Science Degree 13 Fake Access Point Attack def monitorPackets(p): if p.haslayer(Dot11): if (p.getlayer(Dot11).subtype==8): ssid = p.getlayer(Dot11).info bssid = p.getlayer(Dot11).addr2 stamp = str(p.getlayer(Dot11).timestamp) prev = ssidDict[bssid][len(ssidDict[bssid])-1]) if bssid not in ssidDict: ssidDict[bssid] = [] ssidCnt[bssid]=0 elif (long(stamp) < long(prev)) ssidCnt[bssid]=ssidCnt[bssid]+1 if (ssidCnt[bssid] > THRESH): print "[*] - Detected fakeAP” print "[*] – SSID: "+ssid ssidDict[bssid].append(stamp) sniff(iface=interface,prn=monitorPackets) SANS Technology Institute - Candidate for Master of Science Degree 14 Conclusions • Layer two attacks still present a threat to modern networks • Typically these threats go unnoticed by intrusion detection systems • Scapy and a little creativity can be used to automate detecting layer two attacks • For more information, see “Detecting and Responding to Data Link Layer Attacks” published in SANS GCIA Reading Room SANS Technology Institute - Candidate for Master of Science Degree 15 ... detection systems • Scapy and a little creativity can be used to automate detecting layer two attacks • For more information, see Detecting and Responding to Data Link Layer Attacks published... sniff(iface=interface,prn=monitorPackets) SANS Technology Institute - Candidate for Master of Science Degree CTS/RTS Wireless Attack • Clear -to- send (CTS) and Ready -to- send (RTS) are layer unencrypted/unauthenticated... Candidate for Master of Science Degree 13 Fake Access Point Attack def monitorPackets(p): if p.haslayer(Dot11): if (p.getlayer(Dot11).subtype==8): ssid = p.getlayer(Dot11).info bssid = p.getlayer(Dot11).addr2