WEBVTT

0
00:02.310 --> 00:07.000
In this video I'll show you how to completely break a LAN switch.

1
00:07.260 --> 00:12.170
We'll use an attack called MAC flooding, a type of denial of service.

2
00:12.180 --> 00:19.210
This is an extremely easy DoS attack to launch on any Ethernet switch from a Linux machine.

3
00:19.950 --> 00:27.390
Let's dive deeper into this attack and see how it works!
Switches maintain a MAC address table that

4
00:27.400 --> 00:33.520
maps individual MAC addresses on the network to the physical ports on the switch. 

5
00:33.520 --> 00:41.020
This allows the switch to direct the data out of the physical port where the recipient is located.

6
00:41.020 --> 00:43.090
Let's take a look at this image!

7
00:43.090 --> 00:47.320
There is a 3-port switch and a PC connected to each port.

8
00:47.560 --> 00:51.860
To exchange frames between networking devices efficiently, 

9
00:51.910 --> 00:59.260
the switch will dynamically construct a MAC table using the source MAC address of the received

10
00:59.260 --> 01:02.240
frames and the incoming port. 

11
01:02.260 --> 01:07.950
In this example, when Host1 or H1 sends a frame, the switch

12
01:07.960 --> 01:15.310
will learn that the MAC address of H1 is connected to port 1 and it will map the MAC address of

13
01:15.400 --> 01:17.670
H1 to port 1.

14
01:17.710 --> 01:20.620
This process is called MAC learning!

15
01:21.490 --> 01:28.650
Then, when the switch receives a frame for the destination MAC address of H1, it will forward 

16
01:28.660 --> 01:38.310
the frame out of port 1 only, because the MAC of H1 was learnt and associated with port 1.

17
01:38.320 --> 01:45.390
On the other hand, when the switch receives a frame for a destination MAC address that is not in its MAC

18
01:45.390 --> 01:45.970
table

19
01:46.180 --> 01:53.890
it will flood the frame out of all the LAN ports of the same VLAN except for the port that received 

20
01:53.950 --> 01:54.640
the frame.

21
01:55.890 --> 02:03.430
Note that the dynamically learned MAC addresses are deleted after the MAC address age value has

22
02:03.520 --> 02:04.510
expired.

23
02:04.570 --> 02:11.070
In many cases the default value for aging the MAC address is 300 seconds.

24
02:11.290 --> 02:18.730
So if a MAC address is not seen within 300 seconds it will be deleted from the MAC table.

25
02:18.730 --> 02:27.040
This is basically how a Layer 2 switch works!
The MAC flooding attack will exploit the vulnerability resulting

26
02:27.040 --> 02:29.850
from the basic operation of a switch.

27
02:29.860 --> 02:37.690
It lies in the fact that the size of the MAC table is limited and once this table is filled there will

28
02:37.690 --> 02:43.290
be no space for MAC addresses of new devices that are trying to communicate.

29
02:43.390 --> 02:51.010
Subsequently, the switch will start to act as an Ethernet hub, meaning it will forward traffic to

30
02:51.070 --> 02:52.590
all physical ports.

31
02:52.690 --> 02:59.830
A malicious user can use a packet sniffer, like Wireshark, to capture sensitive data being transmitted

32
02:59.830 --> 03:05.910
between other computers which would not be accessible when the switch operates normally.

33
03:06.040 --> 03:09.190
Okay, let's exploit the switch!

34
03:09.190 --> 03:16.750
This is the topology I'm going to use: my laptop runs Windows 10 and Kali Linux in a VM.

35
03:16.750 --> 03:22.060
You can also use another Linux distribution like Ubuntu or Linux Mint. 

36
03:22.390 --> 03:31.030
The Linux machine is connected directly to a Cisco Catalyst switch using a wired Ethernet connection.

37
03:31.030 --> 03:38.470
If you use the same setup, don't forget to set the VM network in bridged mode so that the Linux machine

38
03:38.680 --> 03:42.100
has access to the physical interface of your laptop.

39
03:43.380 --> 03:50.100
To reproduce this attack, besides a Linux operating system you need a Layer 2 switch.

40
03:50.100 --> 03:54.090
You will connect the Linux machine to the switch using a wired connection.

41
03:54.090 --> 04:00.680
Now, if you don't have such a physical switch available, you can still launch this attack.

42
04:00.960 --> 04:03.840
Just run a Cisco L2 IOU image

43
04:03.900 --> 04:11.570
in GNS3 and set up a network connection between the Linux host and the devices that run in

44
04:11.570 --> 04:12.900
GNS3.

45
04:13.040 --> 04:14.840
Something like in this image.

46
04:14.880 --> 04:21.050
Take a look at the previous lecture where I've explained in detail how to do that.

47
04:21.210 --> 04:27.990
The tool I'm gonna use to launch the attack is called macof, which is part of a package called

48
04:28.120 --> 04:31.210
dsniff.

49
04:31.290 --> 04:33.090
This is its man page.

50
04:36.660 --> 04:45.000
macof will flood the switch with hundreds or thousands of Ethernet frames, with random source MAC addresses,

51
04:45.140 --> 04:47.200
per second.

52
04:47.380 --> 04:54.280
This will fill up the switch's MAC table, so new MAC addresses cannot be saved and the switch starts

53
04:54.280 --> 04:56.950
to send all packets to all ports.

54
04:58.450 --> 05:06.220
Moreover, the MAC flooding attack could freeze the switch or make it restart, because it will continuously

55
05:06.220 --> 05:10.990
learn new MAC addresses and age the old ones.

56
05:11.020 --> 05:12.110
In fact the switch

57
05:12.110 --> 05:21.490
CPU utilization will be almost 100% during the attack. We'll put the switch under a lot of stress!

58
05:21.550 --> 05:26.970
This is a console connection to the switch. Let's take a look at the switch

59
05:27.000 --> 05:32.670
CPU and the MAC address table before starting the attack.

60
05:32.860 --> 05:37.530
enable; I am becoming admin. show process

61
05:37.540 --> 05:38.690
cpu sorted,

62
05:41.750 --> 05:51.050
and the output is showing us that for the past 5 seconds the CPU usage was just 4%. And the MAC

63
05:51.050 --> 05:55.940
address table of the switch: show mac address-table,

64
05:59.890 --> 06:05.820
and we notice that there is only one dynamically learned MAC address, on port Fast

65
06:05.830 --> 06:11.080
Ethernet0/1. This is the port to which my laptop is connected.

66
06:11.080 --> 06:14.550
Perfect, let's start the attack on the switch!

67
06:14.800 --> 06:20.630
The first step is to install dsniff, which contains macof, the tool

68
06:20.650 --> 06:28.420
we are going to use. This package is not installed by default in Kali Linux, but it belongs to the standard

69
06:28.450 --> 06:31.840
repositories of both Kali and Ubuntu.

70
06:32.650 --> 06:43.010
So: apt install dsniff. I've already installed it, so it's already the newest version; don't forget

71
06:43.010 --> 06:50.490
that in order to install dsniff and launch the attack you need a user with root privileges.

72
06:50.540 --> 06:51.090
Okay.

73
06:51.140 --> 06:52.920
dsniff is installed.

74
06:52.970 --> 06:59.650
Let's start macof. All I need is the name of the outgoing interface,

75
06:59.780 --> 07:04.340
the interface that will be used to flood the switch.

76
07:04.340 --> 07:12.470
I'm running ifconfig and I notice that the interface is called eth0.

77
07:12.470 --> 07:17.550
Of course you can see another name and you should use it accordingly.

78
07:17.600 --> 07:29.110
So: macof -i eth0, and I'm hitting enter; macof has started to flood the switch with

79
07:29.110 --> 07:32.170
random MAC addresses at wire speed.

80
07:34.620 --> 07:38.480
Now let's return to the switch to see the damage we have done.

81
07:42.270 --> 07:50.660
show mac address-table count, and we see that the switch has already learned

82
07:50.660 --> 07:59.630
7992 MAC addresses; the MAC address table of the switch is already full

83
07:59.870 --> 08:05.520
with thousands of bogus MAC addresses.

84
08:05.560 --> 08:07.310
Just take a look at what's here!

85
08:09.680 --> 08:14.790
There are thousands of fake MAC addresses.

86
08:14.830 --> 08:22.210
Let's take another look at the switch CPU utilization: show process cpu sorted.

87
08:27.000 --> 08:33.840
And we notice that the CPU utilization for five seconds is 66%.

88
08:33.840 --> 08:39.170
The switch is under a lot of stress and is now probably working as a hub,

89
08:39.240 --> 08:47.190
flooding all frames it receives out of all ports; and if we continue the attack, the switch could simply

90
08:47.190 --> 08:48.490
crash or reboot.

91
08:55.500 --> 09:02.580
I've just shown you how to break this Cisco enterprise switch in just a few seconds using Linux and

92
09:02.580 --> 09:05.160
a common tool like macof.

93
09:05.160 --> 09:12.300
Keep in mind that this is not a Cisco-specific attack but an attack that could be launched on any switch!

94
09:12.990 --> 09:14.540
In the next lecture

95
09:14.580 --> 09:21.510
I'll show you what countermeasures you can take as a network administrator to protect your LAN infrastructure.

96
09:21.540 --> 09:23.490
See you again in two seconds.