
Detecting and responding to data link layer attacks with scapy


DOCUMENT INFORMATION

Basic information

Pages: 15
Size: 2.69 MB

Contents

Detecting and Responding to Data Link Layer Attacks With Scapy
TJ OConnor, September 2011
GIAC (GSE, GSEC, GCFW, GCIA, GCIH, GCFA, GREM, GPEN, GWAPT, GCFE)
SANS Technology Institute - Candidate for Master of Science Degree

The Hotel Area Network Dilemma
• About a year ago, sitting in a hotel room in Washington D.C.
  – "Free" wireless Internet starts working intermittently
  – Users start complaining of Facebook posts they didn't make
• Fire up the IDS toolkit
  – IDS doesn't see anything happening at Layer 2
  – IPS isn't seeing any attacks against the hotel either
• What's happening?
  – As incident responders, we need the ability to quickly write tools to parse data... in this case, Layer 2 traffic

CAM-Table Exhaustion Attack
• The CAM table maintains a list of switch ports and the destination MAC addresses reachable through each port
• Overloading the switch with CAM table entries overflows its memory; the switch no longer knows how to deliver frames based on MAC-to-port bindings
[Diagram: a flood of frames with ETH.SRC = AA:AA:AA:AA:AA:AA, AA:AA:AA:AA:AA:AB, AA:AA:AA:AA:AA:AC, AA:AA:AA:AA:AA:AD, AA:AA:AA:AA:AA:AE, ... arriving on a single switch port]

CAM-Table Exhaustion Attack (detection)

```python
from scapy.all import sniff, Ether, IP
import datetime

interface = "eth0"   # the interface to monitor (not set on the slide)
THRESH = 100         # new source MACs per second considered abnormal (not set on the slide)
hwList = []          # distinct source MACs seen so far

def monitorPackets(p):
    if p.haslayer(IP):
        hwSrc = p.getlayer(Ether).src
        if hwSrc not in hwList:
            hwList.append(hwSrc)
            delta = datetime.datetime.now() - start
            # max(..., 1) avoids dividing by zero during the first second
            if (len(hwList) / max(delta.seconds, 1)) > THRESH:
                print("[*] - Detected CAM Table Attack.")

start = datetime.datetime.now()
sniff(iface=interface, prn=monitorPackets)
```
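The CAM-table heuristic above (distinct source MACs seen per second) as a testable class; this is an added example, not code from the slides. It parses raw Ethernet headers with `struct`, so it runs offline on constructed frames, and it tolerates the first sub-second interval where the slide's code divides by zero. The threshold and the MAC addresses are assumed values.

```python
import struct

ETH_HDR = struct.Struct("!6s6sH")   # dst, src, ethertype

def eth_src(frame):
    """Return the source MAC of a raw Ethernet frame as aa:bb:cc:dd:ee:ff."""
    _dst, src, _etype = ETH_HDR.unpack_from(frame)
    return ":".join("%02x" % b for b in src)

class CamTableMonitor:
    """Same metric as the slide: number of distinct source MACs / elapsed seconds."""
    def __init__(self, thresh, start):
        self.thresh = thresh          # new MACs per second that trigger an alert
        self.start = start            # time (seconds) of the first observation
        self.seen = set()

    def observe(self, frame, now):
        """Feed one frame; return True when the new-MAC rate exceeds thresh."""
        mac = eth_src(frame)
        if mac in self.seen:
            return False
        self.seen.add(mac)
        elapsed = max(now - self.start, 1.0)   # avoid the slide's division by zero
        return len(self.seen) / elapsed > self.thresh

def build_frame(src_mac, dst_mac="ff:ff:ff:ff:ff:ff", etype=0x0800):
    """Constructed Ethernet header followed by a dummy 46-byte payload."""
    to_bytes = lambda m: bytes(int(x, 16) for x in m.split(":"))
    return ETH_HDR.pack(to_bytes(dst_mac), to_bytes(src_mac), etype) + b"\x00" * 46

def simulate_flood(n_macs, thresh=100):
    """Replay n_macs frames with distinct (constructed) sources inside one second."""
    mon = CamTableMonitor(thresh, start=0.0)
    alerted = False
    for i in range(n_macs):
        mac = "aa:aa:aa:aa:%02x:%02x" % (i >> 8, i & 0xFF)
        alerted |= mon.observe(build_frame(mac), now=0.5)
    return alerted

# With scapy installed the same monitor plugs into a live capture:
#   sniff(iface=interface, prn=lambda p: mon.observe(bytes(p), time.time()))
```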
ARP Spoofing
• ARP translates Layer 3 (IP) addresses to Layer 2 (hardware) addresses
• Clients maintain their own ARP tables of these logical-to-physical bindings
• But anyone can broadcast a gratuitous ARP, and client tables are updated
[Diagram: hosts A, B and C; C tells A that "B's IP ADDR is located at HW ADDR for C" and tells B that "A's IP ADDR is located at HW ADDR for C"]

ARP Spoofing (detection)

```python
from scapy.all import sniff, ARP

interface = "eth0"   # the interface to monitor (not set on the slide)
hwTable = {}         # IP address -> hardware address learned from ARP replies

def monitorPackets(p):
    if p.haslayer(ARP) and p.getlayer(ARP).op == 2:   # op 2 = is-at (reply)
        hwSrc = p.getlayer(ARP).hwsrc
        ipSrc = p.getlayer(ARP).psrc
        if ipSrc in hwTable:
            if hwSrc != hwTable[ipSrc]:
                print("[*] - Conflict for IP: " + ipSrc)
        hwTable[ipSrc] = hwSrc

sniff(iface=interface, filter="arp", prn=monitorPackets)
```

DHCP Starvation Attack
• Dynamic IP addresses are leased from a DHCP server after a request by a client; the lease allows the client to use the specified address for a period of time
• By sending 254 DHCP Requests, a DHCP starvation attack prevents any new clients from joining
[Diagram: DHCP Request, DHCP Request, DHCP Request, DHCP Request, ... Fail: no addresses available]

DHCP Starvation Attack (detection)

```python
from scapy.all import sniff, BOOTP

interface = "eth0"   # the interface to monitor (not set on the slide)
reqCnt = 0           # BOOTP op 1 = BOOTREQUEST
ofrCnt = 0           # BOOTP op 2 = BOOTREPLY (offers and acks)

def monitorPackets(p):
    global reqCnt, ofrCnt
    if p.haslayer(BOOTP):
        opCode = p.getlayer(BOOTP).op
        if opCode == 1:
            reqCnt = reqCnt + 1
        elif opCode == 2:
            ofrCnt = ofrCnt + 1
        print("[*] - " + str(reqCnt) + " Requests.")
        print("[*] - " + str(ofrCnt) + " Offers.")

sniff(iface=interface, prn=monitorPackets)
```
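The ARP-conflict check from the slide above, run over constructed raw Ethernet+ARP packets instead of a live sniff(); an added example, not the author's code. It decodes the 28-byte ARP header by hand, records the IP-to-MAC binding each reply asserts and reports a conflict when a later reply claims a different hardware address for an IP already in the table. The addresses are constructed sample values.

```python
import struct

ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETH_LEN = 14
ARP_REPLY = 2                              # ARP opcode "is-at"

def mac_str(b):
    return ":".join("%02x" % x for x in b)

def ip_str(b):
    return ".".join(str(x) for x in b)

def parse_arp(frame):
    """Return (op, sender_mac, sender_ip) for a raw Ethernet/ARP frame, else None."""
    etype = struct.unpack_from("!H", frame, 12)[0]
    if etype != 0x0806:
        return None
    _ht, _pt, _hl, _pl, op, sha, spa, _tha, _tpa = ARP_HDR.unpack_from(frame, ETH_LEN)
    return op, mac_str(sha), ip_str(spa)

class ArpMonitor:
    def __init__(self):
        self.hw_table = {}          # ip -> mac learned from replies
        self.conflicts = []         # (ip, old_mac, new_mac) for each contradiction

    def observe(self, frame):
        """Feed one frame; return True if this reply contradicts a known binding."""
        parsed = parse_arp(frame)
        if parsed is None or parsed[0] != ARP_REPLY:
            return False
        _op, mac, ip = parsed
        conflict = ip in self.hw_table and self.hw_table[ip] != mac
        if conflict:
            self.conflicts.append((ip, self.hw_table[ip], mac))
        self.hw_table[ip] = mac     # the slide also overwrites; keep that behaviour
        return conflict

def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Constructed Ethernet + ARP reply, used only as detector input."""
    mac_b = lambda m: bytes(int(x, 16) for x in m.split(":"))
    ip_b = lambda i: bytes(int(x) for x in i.split("."))
    eth = struct.pack("!6s6sH", mac_b(target_mac), mac_b(sender_mac), 0x0806)
    arp = ARP_HDR.pack(1, 0x0800, 6, 4, ARP_REPLY, mac_b(sender_mac), ip_b(sender_ip),
                       mac_b(target_mac), ip_b(target_ip))
    return eth + arp
```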
CTS/RTS Wireless Attack
• Clear-to-send (CTS) and Ready-to-send (RTS) are unencrypted, unauthenticated Layer 2 messages used to prevent wireless collisions
• Clients wishing to send traffic transmit an RTS; if the medium is clear, the destination responds with a CTS, and everybody else who hears the CTS backs off

CTS/RTS Wireless Attack (detection)

```python
from scapy.all import sniff, Dot11
import datetime

interface = "mon0"   # a monitor-mode interface (not set on the slide)
THRESH = 50          # control frames per second considered abnormal (not set on the slide)
rtsCNT = 0
ctsCNT = 0

def monitorPackets(p):
    global rtsCNT, ctsCNT
    if p.haslayer(Dot11):
        delta = datetime.datetime.now() - start
        seconds = max(delta.seconds, 1)   # avoid dividing by zero in the first second
        dot11 = p.getlayer(Dot11)
        # RTS and CTS are control frames (type 1); checking the type keeps a
        # deauthentication frame (type 0, subtype 12) from being counted as a CTS
        if dot11.type == 1 and dot11.subtype == 11:
            rtsCNT = rtsCNT + 1
            if (rtsCNT / seconds) > THRESH:
                print("[*] - Detected RTS Flood.")
        elif dot11.type == 1 and dot11.subtype == 12:
            ctsCNT = ctsCNT + 1
            if (ctsCNT / seconds) > THRESH:
                print("[*] - Detected CTS Flood.")

start = datetime.datetime.now()
sniff(iface=interface, prn=monitorPackets)
```

Wireless Deauth Attack
• Clients authenticate themselves to access points prior to association with the network
• Authentication typically occurs over unencrypted Layer 2 management frames
• De-authentication also occurs over unencrypted Layer 2 management frames
• Tools such as aircrack-ng can spoof a deauthentication

Wireless Deauth Attack (detection)

```python
from scapy.all import sniff, Dot11
import datetime

interface = "mon0"   # a monitor-mode interface (not set on the slide)
THRESH = 10          # deauthentication frames per second considered abnormal (not set on the slide)
deauthCNT = 0

def monitorPackets(p):
    global deauthCNT
    if p.haslayer(Dot11):
        ftype = p.getlayer(Dot11).type        # 0 = management frame
        subtype = p.getlayer(Dot11).subtype   # 12 = deauthentication
        if (ftype == 0) and (subtype == 12):
            deauthCNT = deauthCNT + 1
            delta = datetime.datetime.now() - start
            rate = deauthCNT / max(delta.seconds, 1)   # avoid dividing by zero
            if rate > THRESH:
                print("[*] - Detected Deauth Attack")
                print("[*] - Count: " + str(deauthCNT))

start = datetime.datetime.now()
sniff(iface=interface, prn=monitorPackets)
```
Fake Access Point Attack
• Wireless access points are advertised over an 802.11 beacon frame
• Clients use the information in the 802.11 beacon frame to connect to the wireless AP
• Anyone can broadcast an 802.11 beacon, impersonating a network
• Combined with tools like karmetasploit, an attacker can instantly attack a client that joins a fake AP

Fake Access Point Attack (detection)

```python
from scapy.all import sniff, Dot11, Dot11Beacon, Dot11Elt

interface = "mon0"   # a monitor-mode interface (not set on the slide)
THRESH = 3           # backwards timestamp jumps per BSSID considered abnormal (not set on the slide)
ssidDict = {}        # BSSID -> list of beacon timestamps seen
ssidCnt = {}         # BSSID -> number of timestamps lower than the previous one

def monitorPackets(p):
    if p.haslayer(Dot11Beacon):   # management frame, type 0 / subtype 8
        ssid = p.getlayer(Dot11Elt).info             # first tagged parameter is the SSID
        bssid = p.getlayer(Dot11).addr2
        stamp = p.getlayer(Dot11Beacon).timestamp    # 64-bit TSF; a real AP counts upward
        if bssid not in ssidDict:
            ssidDict[bssid] = []
            ssidCnt[bssid] = 0
        else:
            prev = ssidDict[bssid][-1]               # read prev only once the list exists
            if stamp < prev:
                ssidCnt[bssid] = ssidCnt[bssid] + 1
                if ssidCnt[bssid] > THRESH:
                    print("[*] - Detected fakeAP")
                    print("[*] - SSID: " + str(ssid))
        ssidDict[bssid].append(stamp)

sniff(iface=interface, prn=monitorPackets)
```

Conclusions
• Layer two attacks still present a threat to modern networks
• Typically these threats go unnoticed by intrusion detection systems
• Scapy and a little creativity can be used to automate detecting layer two attacks
• For more information, see "Detecting and Responding to Data Link Layer Attacks", published in the SANS GCIA Reading Room
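The fake-AP heuristic from the detection slide above, which counts how often the beacon timestamp (TSF) for a BSSID runs backwards, as a parser for constructed raw beacon frames; an added example, not the author's code. A genuine AP's TSF increases monotonically, so when a second radio impersonating the same BSSID interleaves its beacons (each carrying its own clock) the timestamp keeps regressing. The BSSID, SSID, timestamps and threshold are assumed sample values.

```python
import struct

MGMT_HDR_LEN = 24            # frame control, duration, addr1..3, sequence control
BEACON_FC = 0x80             # type 0 (management), subtype 8 (beacon)

def parse_beacon(frame):
    """Return (bssid, tsf, ssid) for a raw beacon frame, or None for other frames."""
    if frame[0] != BEACON_FC:
        return None
    bssid = ":".join("%02x" % b for b in frame[10:16])          # addr2 = transmitter
    tsf, _interval, _caps = struct.unpack_from("<QHH", frame, MGMT_HDR_LEN)
    ssid = b""
    off = MGMT_HDR_LEN + 12
    while off + 2 <= len(frame):                                  # walk tagged parameters
        tag, length = frame[off], frame[off + 1]
        if tag == 0:                                              # tag 0 = SSID
            ssid = frame[off + 2: off + 2 + length]
        off += 2 + length
    return bssid, tsf, ssid.decode(errors="replace")

class FakeApMonitor:
    def __init__(self, thresh):
        self.thresh = thresh     # backwards TSF jumps per BSSID that trigger an alert
        self.last_tsf = {}       # bssid -> last timestamp seen
        self.regressions = {}    # bssid -> count of backwards TSF jumps

    def observe(self, frame):
        """Feed one frame; return the SSID once regressions for its BSSID exceed thresh."""
        parsed = parse_beacon(frame)
        if parsed is None:
            return None
        bssid, tsf, ssid = parsed
        if bssid in self.last_tsf and tsf < self.last_tsf[bssid]:
            self.regressions[bssid] = self.regressions.get(bssid, 0) + 1
        self.last_tsf[bssid] = tsf
        return ssid if self.regressions.get(bssid, 0) > self.thresh else None

def build_beacon(bssid, tsf, ssid):
    """Constructed beacon: 24-byte header, fixed parameters, SSID tag."""
    mac = bytes(int(x, 16) for x in bssid.split(":"))
    hdr = bytes([BEACON_FC, 0x00]) + b"\x00\x00" + b"\xff" * 6 + mac + mac + b"\x00\x00"
    fixed = struct.pack("<QHH", tsf, 100, 0x0401)   # TSF, 100 TU interval, capabilities
    return hdr + fixed + bytes([0, len(ssid)]) + ssid.encode()
```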

Posted: 12/09/2017, 01:26
