Attacks on layer two of the OSI model

Related categories: Networks | Low-level network security | Security
Authors: Alfredo Andrés, David Barroso
Viewed: 21653 | Article date: 2006-02-27 10:41:47

Layer two of the OSI model is one of the weakest links when trying to assure network security in an organization. It is also one of the most commonly ignored, because there aren't many public implementations of layer two attacks. However, a successful attack on layer two can be just as dangerous as any other.
About the authors

David Barroso specialises in incident response and network security. He currently works in a Spanish security company called S21sec. He is also deeply involved in the global security community, writing articles and papers and developing new security tools. Alfredo Andres has been working in the security field for several years and contributing to the Open Source community by developing tools and patches. Alfredo also works at S21sec, leading a pen-testing group. Both authors presented Yersinia at BlackHat Europe 2005. A Cisco zero-day attack was also presented, related to one of the protocols targeted by Yersinia (Cisco was notified, of course) and discovered while developing the tool.
The Data link layer is one of the least secured and most often forgotten elements of networks. It is quite common for administrators to simply connect the switches, configure them to work and then never worry about them again. Pen-testing often reveals switches that run a vulnerable version of IOS and are not hardened in any way. It is also commonly thought that implementing VLANs in a network keeps malicious attackers away. However, the VLAN architecture can be defeated just as well, and therefore all higher OSI layer attacks, such as sniffing passwords or Man-in-the-Middle, become possible across VLANs.
What you will learn...
What you should know...
The good thing about layer two is the fact that Data link layer packets can't go through IP networks, for example the Internet. Therefore all attacks are limited to internal networks. But then again, statistics show that attacks from the inside can be just as dangerous as those from the outside. It must also be remembered that if an external intruder traverses our firewall and gets into the DMZ, such attacks can allow him to escape the DMZ and target our whole network. Let's see what the common Data link layer vulnerabilities are, how they can be exploited by an attacker and what we can do to protect our equipment. All the examples relate to Cisco equipment, but some of them can affect equipment from other vendors just as well. Most of the observations and data have been obtained by the authors through research and the development of the Yersinia tool. Sometimes it has been impossible to find references or publicly available code, so certain observations are based on behavioural analysis and not on published standards.
Seven layers of OSI

In 1977 a model called Open Systems Interconnection (OSI) was proposed, with the aim of establishing an interoperability standard for different vendors' products. This model defines several layers related to data transfer, from the lowest (physical) to the highest (application) layer. They depend strongly upon one another, and headers are usually added when passing data from a higher layer down to a lower one. The seven layers are: physical, data link, network, transport, session, presentation and application.
The Yersinia tool

In order to perform the Data Link layer attacks described here, we'll be using a tool called Yersinia, written by the authors of this article. Yersinia is portable (written in C, using libpcap and libnet) and multithreaded (it supports multiple users and multiple concurrent attacks). It can be used to analyse, edit and watch network packets and even save the traffic in pcap format. The latest Yersinia version (0.5.5.2) supports the following protocols:
Yersinia operates in one of three main modes:
All the attacks described have been executed in the GUI mode, although they can be run in either of the two other modes just as well. To find out what all the features of the tool are, press [h] when running Yersinia in the GUI mode (yersinia -I). Note: the GUI mode needs a large number of rows and columns to run; if starting this mode fails, try maximizing your terminal window. Yersinia also incorporates attacks other than the ones on layer two (for example HSRP, DHCP), however we'll be focusing only on its capabilities related to layer two. The name of the tool is derived from the name of the bacterium which caused the Black Death in Europe in the Middle Ages: Yersinia pestis.
Decoding packets

Although one of Yersinia's uses is decoding and watching packets of layer two protocols, we can use other protocol analysers such as tcpdump or Ethereal for that purpose. If we, for example, want to capture STP packets, Ethereal can be run with the following capture filter:

# ethereal -f stp
STP (Spanning Tree Protocol)

The purpose of STP is to avoid network loops when interconnecting network segments: only one unique path may exist from one device to another. Each STP packet is called a BPDU (Bridge Protocol Data Unit), and we can identify it by looking at its format: an IEEE 802.3 frame with an 802.2 (LLC) header and destination MAC 01:80:C2:00:00:00 (see Figure 1).
Figure 1. How a BPDU packet is built
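The following script, added here as an illustration and not part of the original article or of Yersinia, applies the BPDU identification rule from Figure 1 to a raw Ethernet frame (the kind that `ethereal -f stp` would capture): it checks the 01:80:C2:00:00:00 destination, the 802.3 length field, the LLC header (DSAP/SSAP 0x42) and then decodes a Configuration BPDU so a defender can spot a sender announcing itself as root bridge. The sample frame and its bridge MAC 00:11:22:33:44:55 are constructed for this example.

```python
"""Identify and decode STP BPDUs from raw Ethernet frames (added example, constructed data)."""
import struct

STP_MULTICAST = bytes.fromhex("0180c2000000")   # 01:80:C2:00:00:00
LLC_STP_SAP = 0x42                               # DSAP/SSAP used by STP
CONFIG_BPDU, RSTP_BPDU, TCN_BPDU = 0x00, 0x02, 0x80

def _mac(b):
    return ":".join(f"{x:02x}" for x in b)

def _bridge_id(b):
    """8-byte bridge ID: 2-byte priority followed by the bridge MAC."""
    return {"priority": struct.unpack("!H", b[:2])[0], "mac": _mac(b[2:8])}

def parse_bpdu(frame):
    """Return a dict describing the BPDU carried by frame, or None if it is not a BPDU."""
    if len(frame) < 21 or frame[0:6] != STP_MULTICAST:
        return None
    length = struct.unpack("!H", frame[12:14])[0]
    if length > 1500:                        # 802.3 length field, not an EtherType
        return None
    if (frame[14], frame[15], frame[16]) != (LLC_STP_SAP, LLC_STP_SAP, 0x03):
        return None                          # not an LLC UI frame for the STP SAP
    bpdu = frame[17:14 + length]
    proto, version, kind = struct.unpack("!HBB", bpdu[:4])
    if proto != 0:
        return None
    info = {"src": _mac(frame[6:12]), "version": version, "type": kind}
    if kind == TCN_BPDU:                     # Topology Change Notification: header only
        return info
    if len(bpdu) < 35:
        return None
    flags, root, cost, bridge, port, age, max_age, hello, fwd = struct.unpack("!B8sI8sHHHHH", bpdu[4:35])
    info.update(flags=flags, root=_bridge_id(root), root_path_cost=cost, bridge=_bridge_id(bridge),
                port_id=port, message_age=age / 256, max_age=max_age / 256,   # timers are in 1/256 s
                hello_time=hello / 256, forward_delay=fwd / 256)
    return info

def claims_root(info):
    """True when the sender announces itself as root bridge (root ID == own bridge ID, cost 0)."""
    return (info is not None and info["type"] in (CONFIG_BPDU, RSTP_BPDU)
            and info["root"] == info["bridge"] and info["root_path_cost"] == 0)

# Constructed sample: a Configuration BPDU from bridge 00:11:22:33:44:55 claiming root with priority 0x8000.
SAMPLE_FRAME = bytes.fromhex(
    "0180c2000000" "001122334455" "0026"   # dst, src, 802.3 length = 38 (3 LLC + 35 BPDU)
    "424203"                               # LLC: DSAP 0x42, SSAP 0x42, control UI
    "0000" "00" "00" "00"                  # protocol ID 0, version 0, type Config, flags 0
    "8000001122334455" "00000000"          # root ID, root path cost
    "8000001122334455" "8001"              # bridge ID, port ID
    "0000" "1400" "0200" "0f00")           # message age 0 s, max age 20 s, hello 2 s, fwd delay 15 s

if __name__ == "__main__":
    bpdu = parse_bpdu(SAMPLE_FRAME)
    print(bpdu, "claims root:", claims_root(bpdu))
```

Feeding frames captured on a port where no switch should ever speak STP to `claims_root` is a cheap way to notice a rogue bridge announcing itself, which is the kind of traffic STP root guard and BPDU guard are designed to stop.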
Copyright © 2006 by Software Developer's Journal. All rights reserved.