Content

Killing the Monkey in the Middle

There are many ways for the attacker to
insert themselves in the middle of a conversation. Just some of the
tools at the attackers disposal include:

  • DNS Cache Poisoning (metasploit)
  • NETBIOS Names spoofing (nbtool at
    skullsecurity.org)
  • Lie about the DNS,WINS and/or default
    gateway with a rouge DHCP server (yersinia, ettercap)
  • deliver a WPAD file or otherwise
    reconfigure the browser proxy (metasploit)
  • IPv6 ISATAP spoofing
  • Attack routing protocols such as BGP
    MITM
  • IP source routing attacks (netcat)
  • ICMP Redirect messages (ettercap)
  • ARP Cache Poisoning (yersinia,
    ettercap, cain)
  • Switch Port Stealing (ettercap)
  • Layer2 Mac Flooding* (yersinia,
    macflood, macof)
  • Gratuitous Spanning Tree BPDU Root
    messages* (yersinia)

* Allows sniffing that leads to MiTM

Some of these attacks work across the
internet, but most of these are limited to the LAN and rely on
Layer2. The good news is that many of these attacks can be mitigated
with new features deployed in the latest version of Cisco’s IOS
(12.2 or better). BPDU Guard, DHCP Snooping, DHCP Snooping
+Dynamic Arp Inspection , DHCP Snooping + IP Source Guard, ARP Rate
Limiting, Mac Address port security, PVLAN Protected, Isolated,
Community and Promiscuous ports and 802.1x can all be used to
effectively limit many of these attacks. Listener Brian Almond
(Infosec Samurai) submitted this PDF on layer two security. Give it
a gander! Nice work Brian.

Download Brian Almond’s paper here

Other resources

http://isc.sans.org/diary.html?storyid=7567

http://www.ciscopress.com/articles/article.asp?p=1181682

http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.1/19ew/configuration/guide/dhcp.html

http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.1/19ew/configuration/guide/dynarp.html

http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.1/19ew/configuration/guide/bcastsup.html

http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.1/19ew/configuration/guide/port_sec.html

Mark Baggett is teaching SANS 504 in Raleigh NC June 21st! Click here for more information.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.