Evaluating switches

Another device we will almost certainly encounter is the switch. A switch forwards a unicast frame only out of the port on which it learned the destination MAC address; it floods a frame out of every port only when the destination is a broadcast or a MAC address it has not yet learned. When we are up against a switch, therefore, we want to create a situation where it either forwards frames to the wrong port (one we control) or floods everything out of every port, in effect turning it back into a hub.

The attacks we will look at are layer two attacks. Some switches operate all the way up to layer seven of the Open Systems Interconnection (OSI) model, but we will focus on the traditional switch, which operates at layer two.

For a number of years, we enjoyed the luxury of being able to flood a switch with an excellent tool known as macof, which is part of the dsniff package. You can read more about it at http://linux.die.net/man/8/macof. You may still have some success with macof, but in practice it only works against a switch that does not limit the number of MAC addresses learned on a port (port security), which usually means an older switch, roughly pre-2006 hardware. We flood the switch to fill its MAC address table and turn it into a hub, so that we can intercept traffic for a potential attack. Two cautions before you run it: on many switches the table is shared across all VLANs, so a successful flood degrades the whole switch and not only our VLAN, which is a denial of service that is rarely in scope; and a switch with port security shuts the port down on the first violation, which ends the engagement on that port.
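To make concrete what a macof-style flood does to a switch's forwarding decisions, and why port security stops it, the following simulation is added here; it is not code from the book or from dsniff. The four-port switch, the 64-entry table, the per-port limit of one MAC address and the host addresses are all made-up values for the demo, and eviction of the oldest entry when the table is full is a simplification of what real hardware does.

```python
"""Learning switch with a bounded CAM table, to show what MAC flooding does.

Added illustration, not code from the book or from dsniff/macof. The port
numbers, the 64-entry CAM and the per-port MAC limit are made-up values
chosen so the run stays small; real tables hold thousands of entries.
"""
import random
from collections import OrderedDict


class Switch:
    """Minimal learning switch: learn the source MAC on the ingress port,
    forward known unicast to one port, flood unknown unicast everywhere else."""

    def __init__(self, ports, cam_capacity, port_security_max=None):
        self.ports = set(ports)
        self.cam_capacity = cam_capacity            # made-up capacity
        self.port_security_max = port_security_max  # MACs allowed per port, or None
        self.cam = OrderedDict()                    # mac -> port, oldest first
        self.errdisabled = set()

    def _macs_on_port(self, port):
        return sum(1 for p in self.cam.values() if p == port)

    def _learn(self, src_mac, port):
        if src_mac in self.cam:
            self.cam.move_to_end(src_mac)           # refresh the entry
            return
        if (self.port_security_max is not None
                and self._macs_on_port(port) >= self.port_security_max):
            # Port-security violation: shut the port, learn nothing (fail closed).
            self.errdisabled.add(port)
            return
        if len(self.cam) >= self.cam_capacity:
            # Table full: the oldest entry is evicted (simplified model).
            # The effect that matters is that legitimate hosts fall out.
            self.cam.popitem(last=False)
        self.cam[src_mac] = port

    def forward(self, src_mac, dst_mac, in_port):
        """Return the set of ports a frame is sent out of."""
        if in_port in self.errdisabled:
            return set()
        self._learn(src_mac, in_port)
        out = self.cam.get(dst_mac)
        if out is None:
            return self.ports - {in_port}           # unknown unicast: flood (hub behaviour)
        if out == in_port:
            return set()                            # destination on the same port: filter
        return {out}


def random_mac(rng):
    """Random locally-administered unicast MAC, the kind macof generates."""
    b = bytearray(rng.getrandbits(48).to_bytes(6, 'big'))
    b[0] = (b[0] | 0x02) & 0xFE                     # local bit set, multicast bit clear
    return ':'.join('%02x' % x for x in b)


def run_flood(port_security_max=None, cam_capacity=64, flood_frames=1000):
    """Attacker on port 1 floods; victim (port 2) talks to server (port 3).

    Returns the egress ports of a victim->server frame before and after the
    flood, and whether the attacker's port was shut down by port security.
    """
    rng = random.Random(1)                          # fixed seed: repeatable demo
    sw = Switch(ports=[1, 2, 3, 4], cam_capacity=cam_capacity,
                port_security_max=port_security_max)
    victim, server = '00:11:22:33:44:02', '00:11:22:33:44:03'  # made-up hosts
    # Legitimate exchange first, so the switch learns both hosts.
    sw.forward(victim, server, 2)
    sw.forward(server, victim, 3)
    before = sw.forward(victim, server, 2)
    # macof-style flood: every frame carries a fresh random source MAC.
    for _ in range(flood_frames):
        sw.forward(random_mac(rng), random_mac(rng), 1)
    after = sw.forward(victim, server, 2)
    return {'before': before, 'after': after,
            'attacker_port_disabled': 1 in sw.errdisabled}


if __name__ == '__main__':
    print('no port security   :', run_flood())
    print('port security max 1:', run_flood(port_security_max=1))
```

Without port security the victim's frame goes to port 3 alone before the flood and to ports 1, 3 and 4 after it, so the attacker on port 1 now sees it; with a one-address limit the attacker's port is shut on the second random MAC and the victim's traffic still goes only to port 3.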

If you do encounter an older switch, macof can fill the average Content Addressable Memory (CAM) table, the table that maps MAC addresses to ports, in about 70 seconds. Since it is quite common to encounter an older switch, it is important to at least look at how the tool is used. A quick way to tell that the flood has worked is that your sniffer starts to see unicast traffic between other hosts. The first thing we want to do is look at the man page; in a terminal window, enter man macof. An example of the start of the man page is shown in the following screenshot:

[Screenshot: the start of the macof man page]

In a terminal window in Kali, enter macof; this starts the tool. Be aware that with no options it begins flooding immediately on the default interface and keeps going until you press Ctrl-C; use -i to choose the interface and -n to limit the number of frames sent. An example of the tool's usage is shown in the following screenshot:

[Screenshot: macof running in the Kali terminal]

As the previous screenshot shows, the usage of the tool is pretty straightforward. Again, this is a tool you can use when you encounter an older switch. We will now look at another attack against the switch at layer two.

VLAN hopping attacks

The next attack we will look at is hopping across a VLAN. Administrators make mistakes when configuring their switches, and as a result we can sometimes hop from our VLAN into another. We use a VLAN hop to reach assets that are not reachable from the VLAN assigned to our host.

In a VLAN hop, we take advantage of the fact that a trunk port carries every VLAN that is allowed on it. To carry out the attack, we pretend to be a switch: we send the switch the trunk-negotiation signalling it expects from a neighbouring switch, which on Cisco equipment is the Dynamic Trunking Protocol (DTP). For this to work, the port we are plugged into has to be configured to negotiate. The default port mode on many Cisco switches is dynamic auto (older platforms defaulted to dynamic desirable), and either setting will form a trunk with a peer that asks for one, so the default allows our attack to work. If the spoof succeeds, our port becomes a trunk and we can tag frames into any VLAN allowed on it; if the allowed list has never been pruned, that is every VLAN on the switch. The fix is to hard-code user-facing ports with switchport mode access and switchport nonegotiate, and to look for ports that still negotiate in the output of show interfaces switchport (the Administrative Mode and Negotiation of Trunking fields).
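The following added example (not code from the book or from Yersinia) shows in 802.1Q terms why a negotiated trunk matters: the same frame tagged for VLAN 30 is dropped on an access port, accepted on a trunk that allows VLAN 30, and dropped again on a trunk whose allowed list was pruned. It goes one step beyond the paragraph above and also walks through the double-tagging variant, where an access port in the native VLAN and a trunk that sends the native VLAN untagged combine to deliver an inner tag to the next switch. The VLAN numbers, MAC addresses and port configurations are made up, and the port behaviour is a simplified model of a Cisco-style Catalyst port.

```python
"""802.1Q tagging, trunk vs access ingress, and why a negotiated trunk matters.

Added illustration, not code from the book or from Yersinia. VLAN numbers,
MAC addresses and port configurations are made up for the demo. The switch
behaviour is a simplified model of a Cisco-style Catalyst port.
"""
import struct

TPID_8021Q = 0x8100


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(':', ''))


def build_frame(dst, src, ethertype, payload, vlan_tags=()):
    """Ethernet frame with zero or more 802.1Q tags, outermost first.
    A tag is TPID 0x8100 followed by PCP (3 bits), DEI (1 bit), VID (12 bits)."""
    hdr = mac_bytes(dst) + mac_bytes(src)
    for vid in vlan_tags:
        hdr += struct.pack('!HH', TPID_8021Q, vid & 0x0FFF)   # PCP 0, DEI 0
    return hdr + struct.pack('!H', ethertype) + payload


def parse_tags(frame):
    """Return (vids, ethertype, payload); vids is outermost first."""
    vids, off = [], 12
    while struct.unpack_from('!H', frame, off)[0] == TPID_8021Q:
        vids.append(struct.unpack_from('!H', frame, off + 2)[0] & 0x0FFF)
        off += 4
    return vids, struct.unpack_from('!H', frame, off)[0], frame[off + 2:]


def classify_ingress(frame, port):
    """VLAN a switch assigns to an incoming frame, or None if it is dropped.

    port = {'mode': 'access', 'vlan': 10}  or
    port = {'mode': 'trunk', 'native': 1, 'allowed': {1, 10, 20}}
    Model: an access port takes untagged frames (and frames tagged with its
    own VLAN) into the access VLAN and drops any other tag; a trunk honours
    the outer tag when that VLAN is allowed and puts untagged frames in the
    native VLAN.
    """
    vids, _, _ = parse_tags(frame)
    if port['mode'] == 'access':
        return port['vlan'] if not vids or vids[0] == port['vlan'] else None
    vid = vids[0] if vids else port['native']
    return vid if vid in port['allowed'] else None


def egress_trunk(frame, vlan, port):
    """Re-tag a frame leaving on a trunk: tagged with its VLAN, except that the
    native VLAN leaves untagged. Inner tags the frame carried are payload to
    this switch and ride along untouched (this is what double tagging abuses)."""
    vids, ethertype, payload = parse_tags(frame)
    inner = tuple(vids[1:])
    outer = () if vlan == port['native'] else (vlan,)
    return build_frame(frame[:6].hex(), frame[6:12].hex(), ethertype, payload,
                       outer + inner)


def demo():
    attacker, target = '02:00:00:00:00:01', '00:11:22:33:44:55'   # made up
    access10 = {'mode': 'access', 'vlan': 10}
    trunk = {'mode': 'trunk', 'native': 1, 'allowed': {1, 10, 20, 30}}
    pruned = {'mode': 'trunk', 'native': 1, 'allowed': {10}}
    unused_native = {'mode': 'trunk', 'native': 999, 'allowed': {1, 10, 20, 30, 999}}

    # 1. Switch spoofing: once DTP has negotiated a trunk, the attacker just
    #    tags frames for whichever VLAN it wants to reach.
    to_vlan30 = build_frame(target, attacker, 0x0800, b'ip payload', (30,))
    result = {
        'access_port': classify_ingress(to_vlan30, access10),      # dropped
        'negotiated_trunk': classify_ingress(to_vlan30, trunk),    # lands in 30
        'pruned_trunk': classify_ingress(to_vlan30, pruned),       # dropped
    }
    # 2. Double tagging: attacker on an access port in the native VLAN (1)
    #    sends outer tag 1 / inner tag 30. Switch A strips the outer tag on
    #    the trunk towards switch B, and B reads the inner tag.
    access1 = {'mode': 'access', 'vlan': 1}
    double = build_frame(target, attacker, 0x0800, b'ip payload', (1, 30))
    vlan_a = classify_ingress(double, access1)
    on_wire = egress_trunk(double, vlan_a, trunk)
    result['double_tag_at_switch_b'] = classify_ingress(on_wire, trunk)
    # Mitigation: an unused native VLAN means nothing leaves the trunk untagged.
    on_wire = egress_trunk(double, vlan_a, unused_native)
    result['double_tag_with_unused_native'] = classify_ingress(on_wire, unused_native)
    return result


if __name__ == '__main__':
    print(demo())
```

The first three results show the trunk negotiation doing all the work (None, 30, None), and the last two show the double-tagged frame reaching VLAN 30 on the second switch when the native VLAN is 1, but only VLAN 1 once the native VLAN is moved to an unused number.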

Tip

These layer two attacks have been a priority for Cisco and other vendors to fix, and as a result there are many protections in place to prevent them in today's networks. Having said that, you may well run into an older switch, and that is why we have covered them. In fact, it is quite common to discover older switches in Industrial Control System (ICS) architectures.

GARP attacks

Gratuitous Address Resolution Protocol (GARP) attacks exploit the fact that ARP has no authentication: a host accepts whatever IP-to-MAC mapping it is told, so we can successfully spoof an ARP entry. A gratuitous ARP is an ARP reply (or request) sent to the broadcast address in which the sender and target IP addresses are the same, which is how a host normally announces its own address. The attack is to send a GARP that binds a victim's IP address, typically the default gateway, to our MAC address; hosts that see it update their ARP cache, and some operating systems will overwrite an existing entry even if the entry was entered statically. Whether a static entry survives depends on the operating system and version, so verify it on the actual target rather than assuming it.
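The following added example (not code from the book) builds the GARP frame described above byte for byte and then runs a small monitor over a constructed sequence of frames: a gateway announcing itself, a host resolving it, and an attacker's GARP claiming the gateway's address. The monitor applies the two checks arpwatch-style tools use, flagging any gratuitous ARP and flagging an IP address whose MAC binding changes. All addresses are made up.

```python
"""Gratuitous ARP: what it looks like on the wire and how a monitor spots abuse.

Added illustration, not code from the book. The addresses below are made up.
"""
import struct
from ipaddress import IPv4Address

BROADCAST = 'ff:ff:ff:ff:ff:ff'
ZERO_MAC = '00:00:00:00:00:00'
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(':', ''))


def mac_str(b):
    return ':'.join('%02x' % x for x in b)


def build_arp(eth_src, op, sha, spa, tha, tpa, eth_dst=BROADCAST):
    """Ethernet header + ARP (htype 1, ptype IPv4, hlen 6, plen 4)."""
    eth = mac_bytes(eth_dst) + mac_bytes(eth_src) + struct.pack('!H', ETHERTYPE_ARP)
    arp = (struct.pack('!HHBBH', 1, 0x0800, 6, 4, op)
           + mac_bytes(sha) + IPv4Address(spa).packed
           + mac_bytes(tha) + IPv4Address(tpa).packed)
    return eth + arp


def gratuitous_arp(mac, ip):
    """GARP as a host announces itself, and as an attacker poisons a LAN:
    a broadcast ARP reply in which sender IP == target IP."""
    return build_arp(mac, ARP_REPLY, mac, ip, mac, ip)


def parse_arp(frame):
    if len(frame) < 42 or struct.unpack_from('!H', frame, 12)[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack_from('!HHBBH', frame, 14)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {
        'eth_src': mac_str(frame[6:12]), 'op': op,
        'sha': mac_str(frame[22:28]), 'spa': str(IPv4Address(frame[28:32])),
        'tha': mac_str(frame[32:38]), 'tpa': str(IPv4Address(frame[38:42])),
    }


class ArpMonitor:
    """Tracks IP -> MAC bindings seen in ARP and reports suspicious frames."""

    def __init__(self):
        self.bindings = {}

    def observe(self, frame):
        arp = parse_arp(frame)
        if arp is None:
            return []
        alerts = []
        if arp['sha'] != arp['eth_src']:
            alerts.append('ARP sender MAC %s differs from frame source %s'
                          % (arp['sha'], arp['eth_src']))
        if arp['spa'] == arp['tpa']:
            alerts.append('gratuitous ARP: %s claims %s' % (arp['sha'], arp['spa']))
        known = self.bindings.get(arp['spa'])
        if known is not None and known != arp['sha']:
            alerts.append('changed ethernet address: %s was %s now %s'
                          % (arp['spa'], known, arp['sha']))
        self.bindings[arp['spa']] = arp['sha']
        return alerts


def demo():
    """Returns the alert list produced for each frame in the constructed sequence."""
    gateway_mac, gateway_ip = '00:11:22:33:44:01', '192.168.1.1'   # made up
    host_mac, host_ip = '00:11:22:33:44:50', '192.168.1.50'         # made up
    attacker_mac = '02:00:00:00:00:66'                              # made up
    frames = [
        gratuitous_arp(gateway_mac, gateway_ip),                                  # boot-time announce
        build_arp(host_mac, ARP_REQUEST, host_mac, host_ip, ZERO_MAC, gateway_ip),  # who-has gateway
        build_arp(gateway_mac, ARP_REPLY, gateway_mac, gateway_ip, host_mac, host_ip,
                  eth_dst=host_mac),                                              # normal reply
        gratuitous_arp(attacker_mac, gateway_ip),                                 # the attack
    ]
    mon = ArpMonitor()
    return [mon.observe(f) for f in frames]


if __name__ == '__main__':
    for i, alerts in enumerate(demo(), 1):
        print('frame %d:' % i, alerts or 'ok')
```

A legitimate host also sends a GARP when it boots or changes address, so the first alert on its own is noise; the binding change on the fourth frame is the signal worth acting on, and on a real network the monitor would be fed from a packet capture rather than constructed frames.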

All of these attacks are possible, but for the most part we will not be able to build and test them on the range unless we build an actual physical range with real switches.

Layer two attack tool

The next tool we will look at is a specialty tool for attacking switches, and that tool is Yersinia. You can find out more about this at http://www.yersinia.net/.

We can also view the man page in Kali: enter man yersinia. An example of the top of the man page is shown in the following screenshot:

[Screenshot: the top of the yersinia man page]

Once you have reviewed the man page, we will take a look at the interface. In the Kali terminal window, enter yersinia -I (the command name is lower case; -I selects the interactive ncurses interface, and the tool has to run as root because it sends raw frames). This will launch the interactive interface of the tool. An example of this is shown in the following screenshot:

[Screenshot: the yersinia interactive interface]

As the previous screenshot shows, the tool starts in its default mode, Spanning Tree Protocol (STP). STP is the main protocol to understand when working with switches. It is a network protocol that ensures a loop-free topology in bridged 802.3 (Ethernet) networks: the switches elect a root bridge and block any redundant links, keeping them as spares that are brought into service when an active link fails. The security-relevant point is that STP has no authentication. The root is simply the bridge that advertises the lowest bridge ID, so a host that sends BPDUs with a lower priority than the real root can take over the root role and pull traffic through itself, which is what Yersinia's STP attacks do. The usual protections are BPDU guard on user-facing ports, which shuts a port down the moment a BPDU arrives on it, and root guard on ports that should never lead towards the root.
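The following added example (not code from the book or from Yersinia) builds IEEE 802.1D configuration BPDUs, runs the root election over them, and shows the two guards just mentioned deciding on a rogue BPDU. A core switch at the default priority of 32768 is root until an attacker advertises priority 0; a port with BPDU guard goes err-disabled on that frame, and a port with root guard goes root-inconsistent instead of accepting the better root. The bridge MAC addresses are made up, and only configuration BPDUs (not topology change BPDUs or RSTP) are modelled.

```python
"""Configuration BPDUs, root election, and the guards that stop a rogue root.

Added illustration, not code from the book or from Yersinia. Bridge MACs and
priorities are made up. Only IEEE 802.1D configuration BPDUs are modelled.
"""
import struct

STP_DST = '01:80:c2:00:00:00'   # bridge group address every BPDU is sent to
LLC_STP = b'\x42\x42\x03'        # DSAP/SSAP 0x42, unnumbered information frame


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(':', ''))


def mac_str(b):
    return ':'.join('%02x' % x for x in b)


def bridge_id(priority, mac):
    """64-bit bridge ID: 16-bit priority followed by the 48-bit MAC. Lower wins."""
    return (priority << 48) | int(mac.replace(':', ''), 16)


def root_mac_of(bid):
    return mac_str((bid & 0xFFFFFFFFFFFF).to_bytes(6, 'big'))


def build_config_bpdu(sender_mac, root_priority, root_mac, root_cost,
                      bridge_priority, bridge_mac, port_id=0x8001):
    """802.3 frame (length field) + LLC + 35-byte config BPDU; timers in 1/256 s."""
    body = struct.pack('!HBBB', 0, 0, 0, 0)   # protocol 0, version 0, type config, flags 0
    body += struct.pack('!QIQ', bridge_id(root_priority, root_mac), root_cost,
                        bridge_id(bridge_priority, bridge_mac))
    # port id, message age 0, max age 20 s, hello 2 s, forward delay 15 s
    body += struct.pack('!HHHHH', port_id, 0, 20 * 256, 2 * 256, 15 * 256)
    length = len(LLC_STP) + len(body)
    return (mac_bytes(STP_DST) + mac_bytes(sender_mac) + struct.pack('!H', length)
            + LLC_STP + body)


def parse_config_bpdu(frame):
    if frame[:6] != mac_bytes(STP_DST) or frame[14:17] != LLC_STP:
        return None
    _proto, _version, bpdu_type, _flags = struct.unpack_from('!HBBB', frame, 17)
    if bpdu_type != 0:
        return None                                # only config BPDUs handled here
    root, cost, bridge = struct.unpack_from('!QIQ', frame, 22)
    return {'sender': mac_str(frame[6:12]), 'root_id': root, 'root_cost': cost,
            'bridge_id': bridge, 'root_priority': root >> 48,
            'root_mac': root_mac_of(root)}


def elect_root(own_priority, own_mac, frames):
    """Root as seen by one bridge: the lowest root ID among its own and received BPDUs."""
    best = bridge_id(own_priority, own_mac)
    for f in frames:
        b = parse_config_bpdu(f)
        if b is not None:
            best = min(best, b['root_id'])
    return best


def bpdu_guard(frame):
    """Access port with PortFast + BPDU guard: any BPDU at all shuts the port."""
    return 'err-disabled' if parse_config_bpdu(frame) else 'forwarding'


def root_guard(frame, current_root_id):
    """Port with root guard: a BPDU advertising a better (lower) root than the
    current one puts the port into root-inconsistent state and is ignored."""
    b = parse_config_bpdu(frame)
    if b is not None and b['root_id'] < current_root_id:
        return 'root-inconsistent'
    return 'forwarding'


def demo():
    core_mac = '00:11:22:33:44:00'        # made-up core switch, default priority
    access_mac = '00:11:22:33:44:10'      # made-up access switch doing the election
    attacker_mac = '02:00:00:00:00:01'    # Yersinia-style rogue root, priority 0
    core_bpdu = build_config_bpdu(core_mac, 32768, core_mac, 0, 32768, core_mac)
    rogue_bpdu = build_config_bpdu(attacker_mac, 0, attacker_mac, 0, 0, attacker_mac)
    current_root = elect_root(32768, access_mac, [core_bpdu])
    return {
        'root_before': root_mac_of(current_root),
        'root_after_rogue': root_mac_of(elect_root(32768, access_mac, [core_bpdu, rogue_bpdu])),
        'bpdu_guard_port': bpdu_guard(rogue_bpdu),
        'root_guard_port': root_guard(rogue_bpdu, current_root),
    }


if __name__ == '__main__':
    print(demo())
```

The election is nothing more than a comparison of 64-bit bridge IDs, which is why a priority of 0 from any host with a NIC wins unless the port it arrives on is configured not to listen.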

The Yersinia tool has been around for a long time, but the underlying switch technology is still very much the same, and that is why we still discuss the tool. Another feature of the tool is attacking DHCP, but we will leave that for those of you who want to explore the capabilities of a rogue DHCP server, since we are talking about devices here.

It is important to note that the tool will also perform the VLAN attacks we discussed previously, and several others, such as deleting VLANs through the VLAN Trunking Protocol (VTP). The attack list is specific to the protocol currently selected; to view it, press the x key in the Yersinia interface. An example of this is shown in the following screenshot:

[Screenshot: the attack list for the selected protocol]

As the previous screenshot shows, seven attacks are listed, three of them marked as Denial of Service (DoS). DoS is rarely part of our scope of work, so the other four are the ones to concentrate on.

The next thing we want to look at in the tool are the attacks that are more in line with this chapter. In the Yersinia interface, press g to open the protocol menu. An example of this menu is shown in the following screenshot:

[Screenshot: the yersinia protocol menu]

Once you have reviewed the options in the previous screenshot, select the 802.1Q IEEE 802.1Q entry, and then press the x key to see the available attacks. An example of this is shown in the following screenshot:

[Screenshot: the 802.1Q attack list]

As the previous screenshot shows, there are a number of 802.1Q attacks we can carry out, but as mentioned earlier we would need a physical switch to test them, so we will look at one more attack option and then move on. Again, you are encouraged to research and practice with the tool. Return to the protocol list by pressing the g key, select 802.1X IEEE 802.1X, press the x key to bring up the attacks, and then select the mitm attack. An example of this attack menu is shown in the following screenshot:

[Screenshot: the 802.1X attack menu]

As this section has shown, the Yersinia tool has a lot of powerful options for us to explore for attacking devices.
