Presentation is loading. Please wait.

Presentation is loading. Please wait.

LAN Vulnerabilities.

Published byHector Carpenter Modified over 5 years ago

Similar presentations

Presentation on theme: "LAN Vulnerabilities."— Presentation transcript:

1 LAN Vulnerabilities

2 Local Area Network How to connect computers? Topologies
Point to Point? Sharing a medium? Topologies Ring Bus Star

3 Ethernet Most popular LAN technology Original Ethernet is Bus topology
CSMA/CD for Media Access Protocol Devices Repeater, Bridge, Hub, Switch Coaxial Cable -> Twisted Pair (Category 5…) 10M -> 100M -> 1G

4 Hubs Layer-1 A device that connects several computer on Ethernet
Have a number of RJ-45 ports Hubs do no processing on network traffic--they simply repeat the incoming signal to all available ports.

5 Switches Layer-2 Connects several computers in a network by a number of RJ-45 ports Same as Hubs Every port works as a Bridge A switch has table of (MAC, port) pairs Store and Forward, Cut through Each device can act independently from other devices Network Security

6 Example: local networking
Network Security

7 Picture from Wikipedia
Ethernet Frame Picture from Wikipedia

8 Physical (MAC) Address
Why need address? Each Network Card is assigned a physical address Usually assigned by hardware manufacturer Network Card will only accept the frames that is destined to it

9 Network Sniffing Basically, network sniffing is to eavesdrop the network to capture the packets transmitted over the network. Network Security

10 Components of a Sniffer
The hardware: adapter with promiscuous mode capability Driver: capture the packets and store them in the buffer. Packet filter: filter the packets according to user rules. Packet analyzer: analyses the packets, and generate human readable reports. Examples: TcpDump, Wireshark Network Security

11 How to sniff? Frames are transmitted on Ethernet Broadcast Frames
Examples? All computers read the frame Non-broadcast frames Only the target computer reads the frame Can the frame be read by other computers? Hub? Switch? Network Security

12 Detecting Sniffing A LAN with many computers, we want to detect which one of them is sniffing We know all IP addresses of those computers What happens if we send a ARP request with an IP address and a non-broadcasting MAC address? E.g. fake broadcast FF:FF:FF:FF:FF:FE Network Security

13 Layer-2 Switch Switches learn the binding of port and MAC address
By examining MAC addresses of frames arrives from each port The association may change, when A different computer is plugged into a port Network Security

14 Port Stealing Attacker floods the switch with forged gratuitous ARP reply packets with the source MAC address being that of the target host and the destination MAC address being that of the attacker. Since the destination MAC address of each flooding packet is the attackers MAC address, the switch will not forward these packets to other ports, meaning they will not be seen by other hosts on the network A race condition: because the target host will send packets too. The switch will see packets with the same source MAC address on two different ports and will constantly change the binding of the MAC address to the port. Remember that the switch binds a MAC address to a single port. If the attacker is fast enough, packets intended for the target host will be sent to the attacker’s switch port and not the target host. When a packet arrives, the attacker performs an ARP request asking for the target hosts’ IP address. Next, the attacker stops the flooding and waits for the ARP reply. When the attacker receives the reply, it means that the target hosts’ switch port has been restored to its original binding. The attacker now sniffs the packet and forwards it to the target host and restarts the attack… Network Security

15 Port Stealing Layer 2 switch Gratuitous ARP (forged) A Attacker B 1 2
3 Layer 2 switch Gratuitous ARP (forged) The attack starts by having the attacker flood the switch with forged gratuitous ARP packets with the source MAC address being that of the target host and the destination MAC address being that of the attacker. The flooding process described here is different than the flooding process used in CAM table flooding. Since the destination MAC address of each flooding packet is the attackers MAC address, the switch will not forward these packets to other ports, meaning they will not be seen by other hosts on the network. Now, a race condition exists because the target host will send packets too. The switch will see packets with the same source MAC address on two different ports and will constantly change the binding of the MAC address to the port. Remember that the switch binds a MAC address to a single port. If the attacker is fast enough, packets intended for the target host will be sent to the attacker’s switch port and not the target host. The attacker has now stolen the target hosts’ switch port. When a packet arrives to the attacker, the attacker performs an ARP request asking for the target hosts’ IP address. Next, the attacker stops the flooding and waits for the ARP reply. When the attacker receives the reply, it means that the target hosts’ switch port has been restored to its original binding. Now, the attacker can sniff the packet, then forward it to the target host and restart the flooding process waiting for new packets. A Attacker B Network Security

16 ARP Spoofing Also called ARP poisoning
Goal is to poison victim’s ARP cache to map an IP address to a wrong MAC address arp –a Attacker can become man-in-the-middle Method: Send fake ARP messages

17 ARP – Address Resolution Protocol
mapping from IP addresses to MAC addresses Request .1 .2 .3 .4 .5 08:00:20:03:F6:42 00:00:C0:C2:9B:26 arp req | target IP: | target eth: ? Reply .1 .2 .3 .4 .5 08:00:20:03:F6:42 00:00:C0:C2:9B:26 arp rep | sender IP: | sender eth: 00:00:C0:C2:9B:26

18 Example ARP Request + Bits 0 - 7 8 - 15 16 - 31 Hardware type = 1
Hardware type = 1 Protocol type = 0x0800 32 Hardware length = 6 Protocol length = 4 Operation = 1 (request) 64 SHA (first 32 bits) = 0x000958D8 96 SHA (last 16 bits) = 0x1122 SPA (first 16 bits) = 0x0A0A 128 SPA (last 16 bits) = 0x0A7B THA (first 16 bits) = 0xFFFF 160 THA (last 32 bits) = 0xFFFFFFFF 192 TPA = 0x0A0A0A8C From Wikipedia

19 Example ARP Reply + Bits 0 - 7 8 - 15 16 - 31 Hardware type = 1
Hardware type = 1 Protocol type = 0x0800 32 Hardware length = 6 Protocol length = 4 Operation = 2 (reply) 64 SHA (first 32 bits) = 0x000958D8 96 SHA (last 16 bits) = 0x33AA SPA (first 16 bits) = 0x0A0A 128 SPA (last 16 bits) = 0x0A8C THA (first 16 bits) = 0x0009 160 THA (last 32 bits) = 0x58D81122 192 TPA = 0x0A0A0A7B From Wikipedia

20 ARP Spoofing

Download ppt "LAN Vulnerabilities."

Similar presentations

ARP Spoofing.

ARP Spoofing.
ARP Caching Christopher Avilla. What is ARP all about? Background Packet Structure Probe Announcement Inverse and Reverse Proxy Tools Poisoning MAC Flooding.

ARP Caching Christopher Avilla. What is ARP all about? Background Packet Structure Probe Announcement Inverse and Reverse Proxy Tools Poisoning MAC Flooding.
1 ICS 156: Lecture 2 (part 2) Data link layer protocols Address resolution protocol Notes on lab 2.

1 ICS 156: Lecture 2 (part 2) Data link layer protocols Address resolution protocol Notes on lab 2.
1 Address Resolution Protocol (ARP) Relates to Lab 2. This module is about the address resolution protocol.

1 Address Resolution Protocol (ARP) Relates to Lab 2. This module is about the address resolution protocol.
Media Access Control (MAC) addresses in the network access layer ▫ Associated w/ network interface card (NIC) ▫ 48 bits or 64 bits IP addresses for the.

Media Access Control (MAC) addresses in the network access layer ▫ Associated w/ network interface card (NIC) ▫ 48 bits or 64 bits IP addresses for the.
1 Address Resolution Protocol (ARP) Relates to Lab 2. This module is about the address resolution protocol.

1 Address Resolution Protocol (ARP) Relates to Lab 2. This module is about the address resolution protocol.
Network Attacks Mark Shtern.

Network Attacks Mark Shtern.
1 Computer Networks Internetworking Devices. 2 Repeaters Hubs Bridges –Learning algorithms –Problem of closed loops Switches Routers.

1 Computer Networks Internetworking Devices. 2 Repeaters Hubs Bridges –Learning algorithms –Problem of closed loops Switches Routers.
Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.

Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.
Internetworking School of Business Eastern Illinois University © Abdou Illia, Spring 2007 (Week 4, Tuesday 1/30/2007)

Internetworking School of Business Eastern Illinois University © Abdou Illia, Spring 2007 (Week 4, Tuesday 1/30/2007)
Introduction to InfoSec – Recitation 12 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)

Introduction to InfoSec – Recitation 12 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)
Layer 2 Switch  Layer 2 Switching is hardware based.  Uses the host's Media Access Control (MAC) address.  Uses Application Specific Integrated Circuits.

Layer 2 Switch  Layer 2 Switching is hardware based.  Uses the host's Media Access Control (MAC) address.  Uses Application Specific Integrated Circuits.
Evolution of Networking Devices

Evolution of Networking Devices
Network Redundancy Multiple paths may exist between systems. Redundancy is not a requirement of a packet switching network. Redundancy was part of the.

Network Redundancy Multiple paths may exist between systems. Redundancy is not a requirement of a packet switching network. Redundancy was part of the.
ARP Address Resolution Protocol Ref:

ARP Address Resolution Protocol Ref:
Address Resolution Protocol(ARP) By:Protogenius. Overview Introduction When ARP is used? Types of ARP message ARP Message Format Example use of ARP ARP.

Address Resolution Protocol(ARP) By:Protogenius. Overview Introduction When ARP is used? Types of ARP message ARP Message Format Example use of ARP ARP.
Introduction to InfoSec – Recitation 11 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)

Introduction to InfoSec – Recitation 11 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)
ARP Spoofing Attacks Dr. Neminath Hubballi IIT Indore © Neminath Hubballi.

ARP Spoofing Attacks Dr. Neminath Hubballi IIT Indore © Neminath Hubballi.
Cisco 3 – Switching Concepts Perrine. J Page 16/1/2016 Module 4 The use of bridges and switches for segmentation results in ____? 1.Multiple broadcast.

Cisco 3 – Switching Concepts Perrine. J Page 16/1/2016 Module 4 The use of bridges and switches for segmentation results in ____? 1.Multiple broadcast.
1 Network Administration Module 3 ARP/RARP. 2 Address Resolution The problem Physical networks use physical addresses, not IP addresses Need the physical.

1 Network Administration Module 3 ARP/RARP. 2 Address Resolution The problem Physical networks use physical addresses, not IP addresses Need the physical.

Similar presentations

Ads by Google