
For example, suppose there is a network with three computers connected to the same switch: Alice, Bob, and Eve. If Alice and Bob add each other to their own ARP tables as static ARP entries, and Eve wants to attack the network connection between Alice and Bob, how could he do it?

By the way, I am wondering whether sniffing is still possible on the network. If both configure static ARP entries, then ARP spoofing cannot be achieved. In this circumstance, will tcpdump or Wireshark still be usable to sniff the network?


2 Answers


The attacker can try to flood the MAC table of the switch, and then the switch could fall back into "hub" mode. Then the switch would send Alice's and Bob's packets out all ports, so Eve could sniff their network packets.

Another way is to poison the switch's MAC table. If Eve knows the MAC addresses of Alice and Bob, Eve could tell the switch that he has the MAC address of Alice and/or Bob; then some or all of the packets will be redirected to Eve.


First, let's clarify what is meant by a static ARP entry. The Address Resolution Protocol is used to map a layer 2 address to a layer 3 address; typically this is Ethernet and IP. A static ARP entry means that you always expect a specific IP to be at a given hardware address. With a default Windows or Linux implementation, you will be using a TCP/IP stack and cannot just communicate directly with layer 2 addresses alone.

The switch is a relatively dumb device; it determines where to send traffic based on what traffic it receives. With no information about the destination, the switch will send any given input out all other ports. Once a message arrives on an input port, the switch will update its CAM table and say "anyone looking to send to that address, I will send out that port", i.e., the source of an input can be used as the destination for later outputs.

With this knowledge, we can now consider the exploit. The first possibility is to break the functionality that decides to send output out only one port, so that the switch sends to all ports instead. You may be able to overload the switch so that it keeps filling up the CAM table, resulting in the entries with Alice's and Bob's locations being lost. You may also be able to compromise the switch itself through a vulnerability or misconfiguration. Depending on the model, maybe you can install sniffing utilities on the switch itself, or maybe you can turn your port into a SPAN/mirror port, and then you can monitor or redirect traffic.

For an overflow attack, read more about dsniff/macof.

Unless you are using some mechanism on the switch or some type of 802.1x that fixes the MAC address to a given port, you should be able to overwrite entries in the CAM table. The switch usually will not assume a piece of hardware is always attached to a particular physical port. So Eve can simply lie and tell the switch that she has Bob's or Alice's MAC address. Then the switch will update the CAM table and will direct the traffic to her. This might not always be effective if there is little other traffic to update the ARP table, though. If you tell the switch that you are Bob, you will clearly not be able to then send traffic to Bob, because the switch thinks your port is also Bob's port, unless Bob sends out traffic to update the CAM table. ARP poisoning is an attack on the host, but you can also attack at the point of the switch.


Thanks so much. I've thoroughly read the two attached files you recommend. And I do believe the choice could be attacking the switch instead of directly attacking the two victims. After successfully sniffing the victims' information, I could get the two MAC addresses of the victims. Then I am able to cut the connection between the two users. – stcheng Apr 19 '13 at 18:51
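Eric G's answer above explains that a switch learns each frame's source MAC into its CAM table against the ingress port, and that the two attacks on that mechanism are overflowing the table and claiming another host's MAC from a different port. As an added example (not code from anyone in this thread), the following Python replays constructed frames through a minimal learning-switch model and flags the two symptoms a defender, or a switch's port-security feature, would act on: a MAC that moves between ports and a port that learns more addresses than one host should. The frame data and the `MAX_MACS_PER_PORT` limit are assumptions.

```python
"""Model the CAM-table learning described in the answer and flag the two
symptoms a defender would watch for: a MAC address that moves between
ports (someone else claiming Alice's or Bob's address) and a port that
learns far more addresses than a single host should (MAC flooding)."""
from collections import defaultdict

# Constructed sample frames as (ingress_port, source_mac); not captured data.
FRAMES = [
    (1, "aa:aa:aa:aa:aa:01"),  # Alice on port 1
    (2, "bb:bb:bb:bb:bb:02"),  # Bob on port 2
    (1, "aa:aa:aa:aa:aa:01"),
    (3, "bb:bb:bb:bb:bb:02"),  # Bob's MAC suddenly seen on port 3
    (2, "bb:bb:bb:bb:bb:02"),  # ... and back on port 2: flapping
] + [(3, f"02:00:00:00:{i >> 8:02x}:{i & 0xff:02x}") for i in range(300)]

MAX_MACS_PER_PORT = 8  # assumed port-security style limit per access port


def learn(frames):
    """Replay frames through a learning switch. Returns the final CAM
    table (mac -> port) plus the alerts raised while learning."""
    cam = {}
    per_port = defaultdict(set)  # port -> set of MACs ever learned on it
    alerts = []
    for port, mac in frames:
        prev = cam.get(mac)
        if prev is not None and prev != port:
            # The same MAC now claims a different port: CAM poisoning
            # looks exactly like this from the switch's point of view.
            alerts.append(("mac_move", mac, prev, port))
        cam[mac] = port
        per_port[port].add(mac)
        if len(per_port[port]) == MAX_MACS_PER_PORT + 1:  # fire once per port
            alerts.append(("mac_flood", port))
    return cam, alerts


def summarize(alerts):
    """Count alerts by type, a convenient shape for a monitoring threshold."""
    counts = defaultdict(int)
    for alert in alerts:
        counts[alert[0]] += 1
    return dict(counts)
```

A real switch with port security would shut or restrict port 3 at the limit instead of merely alerting, and the "mac_move" event corresponds to the MAC-flap log message many switches emit.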