Before you can be a badass hacker you need to understand what exactly it is your doing. Today’s Lesson is on flooding a network with random MAC addresses.
If you fill up a switches table with random mac addresses different vendors switches will behave differently.
Cisco switches will keep original MAC address on its table and will only remove them if they time out. However many other switches will let their entire table get filled up with fake addresses! This is beneficial to you if you wish to receive traffic intended for other people!
What is the point of filling up switches table with fake make addresses? It forces the switch to become a hub (and you as an attacker can now see traffic on every port as all packets are now broadcasted)
Flooding a VLAN
You can group a number of ports on a switch together and say they are part of a VLAN (they are logically separated from other VLANs). Why is this helpful? Broadcast packets will only occur within the same VLAN (Even they are on the same switch).
Most switches today do not have separate tables for each VLAN. Flooding a single VLAN would force all other VLANs to flood as well (just flood their own VLAN). Why? Because if the shared table is full than each VLAN no longer knows what ports legitimate MAC address(es) are on.. so they must broadcast.
Packet Generation – MAC moving
You can use macof to generate a packet with a source mac address that is not really yours.
In this example MAC C wants to use a man in the middle attack to receive all packets from:
- MAC 0000.CAFE.000 destined for MAC B
- MAC B to destined for MAC 0000.CAFE.000
To execute the attack:
MAC 0000.CAFE.000 destined for MAC B
- macof sends a packet to 0000.CAFE.0000 with the source MAC address of MAC B
- The switch will now update its routing table to think that MAC B now actually lives on interface Fa0/3 (where you sent the packet from using macof)
- macof needs to keep sending the first packet.
- macof sends a packet to to MAC B with a source MAC address of 0000.CAFE.000
- the switch thinks that 0000.CAFE.000 lives at Fa0/3
- Now all traffic from MAC B gets routed to the machine with macof on it!
This causes the switch to updates its table and think that fake mac1 is using the interface you are on (Fa0/3) actually the host
MAC B needs to be sending packets to anyhost so the switch will update its routing table with the correct interface for MAC B (Fa0/2).
Otherwise when MAC C tries to send a packet to MAC B the switch will think both are on Fa0/3 and will drop the packet!!!!
MAC C probably won’t receive all packets in this case. It may have to wait until the routing table times out with MAC B or flood the table to force a broadcast.
Is there a way to tell the switch that MAC B is back on Fa0/2 from MAC c? No there is not (you must be admin on the switch), you must either force port flood or C needs to somehow send something so the switch corrects the entry
Preventing MAC Flooding and Spoofing
Switches can be configured to warn the administrator of frequent MAC address moves.
Howto: Enable MAC Address Moves Alarms on Cisco Switches
6K-1-720(config)# mac-address-table notification ? mac-move Enable Mac Move Notification
6K-1-720(config)#mac-address-table notification mac-move ?
- Static – only these MAC addresses can be on this port
- Dynamic – can put a limit on how many MAC addresses can be learned, and relearn after switch restarts
- Sticky – Dynamically learn but save in a configuration
What if port security is violated (a MAC address is different from the list of secure addresses)?
These are your options:
- The port error-disables for a specified duration. (It can be unlimited, but if not, automatic recovery can be performed.) An Simple Network Management Protocol (SNMP) trap is generated.
- The port drops frames from unknown addresses (protect mode).
- The port drops frames from unknown addresses and increments a violation counter. SNMP traps generation is possible on some releases/Cisco switches (restrict mode).
Unknown Unicast Flooding Protection
macof [-i interface] [-s src] [-d dst] [-e tha] [-x sport] [-y dport] [-n times]
macof floods the local network with random MAC addresses (causing some switches to fail open in repeating mode, facilitating sniffing). A straight C port of the original Perl Net::RawIP macof program by Ian Vitek email@example.com>.
|-i interface||Specify the interface to send on.|
|-s src||Specify source IP address.|
|-d dst||Specify destination IP address.|
|-e tha||Specify target hardware address.|
|-x sport||Specify TCP source port.|
|-y dport||Specify TCP destination port.|
|-n times||Specify the number of packets to send.|
Values for any options left unspecified will be generated randomly.
To note: Because macoff generates random MAC addresses it sometimes generates MAC addresses that are not valid (in which case those packets will be dropped)