There are many ways for the attacker to
insert themselves in the middle of a conversation. Just some of the
tools at the attackers disposal include:
- DNS Cache Poisoning (metasploit)
- NETBIOS Names spoofing (nbtool at
skullsecurity.org) - Lie about the DNS,WINS and/or default
gateway with a rouge DHCP server (yersinia, ettercap) - deliver a WPAD file or otherwise
reconfigure the browser proxy (metasploit) - IPv6 ISATAP spoofing
- Attack routing protocols such as BGP
MITM - IP source routing attacks (netcat)
- ICMP Redirect messages (ettercap)
- ARP Cache Poisoning (yersinia,
ettercap, cain) - Switch Port Stealing (ettercap)
- Layer2 Mac Flooding* (yersinia,
macflood, macof) - Gratuitous Spanning Tree BPDU Root
messages* (yersinia)
* Allows sniffing that leads to MiTM
Some of these attacks work across the
internet, but most of these are limited to the LAN and rely on
Layer2. The good news is that many of these attacks can be mitigated
with new features deployed in the latest version of Cisco’s IOS
(12.2 or better). BPDU Guard, DHCP Snooping, DHCP Snooping
+Dynamic Arp Inspection , DHCP Snooping + IP Source Guard, ARP Rate
Limiting, Mac Address port security, PVLAN Protected, Isolated,
Community and Promiscuous ports and 802.1x can all be used to
effectively limit many of these attacks. Listener Brian Almond
(Infosec Samurai) submitted this PDF on layer two security. Give it
a gander! Nice work Brian.
Download Brian Almond’s paper here
Other resources
http://isc.sans.org/diary.html?storyid=7567
http://www.ciscopress.com/articles/article.asp?p=1181682
http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.1/19ew/configuration/guide/dhcp.html
http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.1/19ew/configuration/guide/dynarp.html
Mark Baggett is teaching SANS 504 in Raleigh NC June 21st! Click here for more information.