Internal Network Attack Vector Discovery (Part I)

Most protocols that operate at the data link layer or rely on local broadcast addresses are non-routable, which means you can only evaluate them from the local network segment. Knowing how those protocols work is definitely beneficial during internal network penetration testing or internal security auditing.

I. Data Link Protocols

Ethernet is widely used as the underlying physical and data link layer format, as defined by the IEEE 802.3 and 802.2 standards working groups, and it is the dominant implementation in most businesses. A few enhancements, ratified by the IEEE 802.1 working group, are also commonly adopted in enterprise environments:

  • 802.1D spanning tree protocol
  • 802.1Q VLAN bridges
  • 802.1X port-based network access control

Many proprietary extensions also exist, as defined and used by vendors including Cisco.

Below is the relationship between 802.3, 802.2, and 802.1 standards.

II. Ethernet Assessment

Ethernet is susceptible to passive network sniffing and to active attacks such as ARP cache poisoning and CAM table flooding, both of which can compromise traffic between peers.

Each network adapter (NIC) is programmed with a unique 48-bit MAC address. Systems within IEEE 802 networks (including 802.3 Ethernet and 802.11 Wi-Fi) use these addresses to address one another, so an interface normally processes only frames destined for it. However, an adapter can be placed in promiscuous mode, in which it passes up not only frames addressed to us but every frame it receives. Tools including Wireshark and Cain & Abel support this.

1. Passive network sniffing

A good starting point is to run a sniffer and evaluate the material exposed on the local network, such as:

  • Wellfleet Breath of Life (BOFL) frames
  • Simple Service Discovery Protocol (SSDP) broadcast packets
  • Microsoft computer browser service announcements
  • Address Resolution Protocol (ARP) requests and replies
  • An 802.1X EAPOL start frame
  • Dropbox discovery broadcasts

By digging into those captured frames and packets, we are able to learn details of IP ranges, subnet sizes, MAC addresses, and hostnames. If the network is misconfigured or the switching fabric is under stress, we may capture sensitive information via passive sniffing alone. Conversely, if a switched Ethernet network is configured properly, you will only see broadcast frames and traffic destined for your own MAC address, which means you have to leverage the active attack vectors covered next.

2. ARP cache poisoning attack

ARP is used within local networks to map IPv4 addresses to the underlying MAC addresses.

For example, suppose host A (192.168.1.2) wants to send an ICMP echo request (ping) to 192.168.1.3. First, an ARP who-has request is broadcast to the network. Next, the destination host responds with an ARP is-at reply, providing its MAC and IP address, and the ICMP exchange is completed over IP.

Each host maintains a cache of recently mapped IP and MAC address pairs. You can review the contents of the cache locally with the arp -a command on most operating systems today.

Because ARP is stateless and lacks authentication, the protocol is vulnerable to poisoning by sending unsolicited ARP replies. By injecting our MAC address into the ARP caches of the victim hosts, we can achieve a man-in-the-middle (MITM) position.

To compromise traffic in both directions between peers (e.g., a host and its local gateway), IP forwarding is first enabled on the attacker’s system, and unsolicited ARP replies are sent to poison both systems. Tools that automate this attack include Ettercap, Bettercap, and Cain & Abel. They also support an extensive set of utilities to obtain data and secrets, such as:

  • sslstrip to downgrade HTTPS sessions
  • easy-creds to glean credentials
  • Evilgrade to serve malicious content to victims by service impersonation

Note: ARP is not used for address resolution within IPv6 networks. Instead, the Neighbor Discovery Protocol (NDP) is used over the link layer with multicast ICMPv6 packets.
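To make the who-has/is-at exchange and the poisoning described above concrete from the defender's side, here is an added example (not code from the original post) that builds and parses raw ARP frames and keeps a table of learned IP-to-MAC bindings, raising an alert when a later ARP message claims an IP for a different MAC. All addresses (192.168.1.0/24, the aa:bb:cc:dd:ee:xx hosts and the cc:cc:cc:cc:cc:99 sender used for the poisoning reply) are constructed for the example, and nothing is put on the wire.

```python
"""ARP frame construction, parsing and a simple cache-poisoning detector.

Added example, not code from the original post. The frames are constructed
in memory with made-up addresses; no packets are sent.
"""
import struct
from typing import Dict, List, Optional

ETH_P_ARP = 0x0806          # EtherType for ARP
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def build_arp(op: int, sha: str, spa: str, tha: str, tpa: str) -> bytes:
    """Ethernet II + ARP frame for IPv4 over Ethernet (hardware type 1)."""
    sha_b = bytes.fromhex(sha.replace(":", ""))
    tha_b = bytes.fromhex(tha.replace(":", ""))
    spa_b = bytes(int(x) for x in spa.split("."))
    tpa_b = bytes(int(x) for x in tpa.split("."))
    # who-has requests are broadcast; is-at replies are unicast to the asker.
    dst = b"\xff" * 6 if op == ARP_REQUEST else tha_b
    eth = dst + sha_b + struct.pack("!H", ETH_P_ARP)
    # htype=1 (Ethernet), ptype=0x0800 (IPv4), hlen=6, plen=4, opcode
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + sha_b + spa_b + tha_b + tpa_b
    return eth + arp


def parse_arp(frame: bytes) -> Optional[dict]:
    """Return the ARP fields of an Ethernet frame, or None if it is not IPv4 ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    body = frame[22:42]   # sender MAC, sender IP, target MAC, target IP
    return {"op": op, "sha": mac_str(body[0:6]), "spa": ip_str(body[6:10]),
            "tha": mac_str(body[10:16]), "tpa": ip_str(body[16:20])}


class ArpWatcher:
    """Learn IP->MAC bindings from ARP traffic and flag ones that change.

    A sender claiming an IP previously bound to a different MAC is the
    signature of cache poisoning. A legitimate NIC replacement looks the same,
    so an alert should be checked against DHCP leases or the switch's MAC table.
    """

    def __init__(self) -> None:
        self.bindings: Dict[str, str] = {}
        self.alerts: List[str] = []

    def observe(self, frame: bytes) -> None:
        arp = parse_arp(frame)
        if arp is None:
            return
        ip, mac = arp["spa"], arp["sha"]
        known = self.bindings.get(ip)
        if known is None:
            self.bindings[ip] = mac          # first sighting: learn it
        elif known != mac:                   # keep the original binding, alert
            kind = "reply" if arp["op"] == ARP_REPLY else "request"
            self.alerts.append(f"{ip}: ARP {kind} from {mac}, previously {known}")


def run_demo() -> ArpWatcher:
    """Replay a constructed exchange: two normal resolutions, then poisoning."""
    host_a, host_b = "aa:bb:cc:dd:ee:02", "aa:bb:cc:dd:ee:03"
    gateway, attacker = "aa:bb:cc:dd:ee:01", "cc:cc:cc:cc:cc:99"
    w = ArpWatcher()
    # A resolves B before pinging it (the who-has / is-at exchange above).
    w.observe(build_arp(ARP_REQUEST, host_a, "192.168.1.2", "00:00:00:00:00:00", "192.168.1.3"))
    w.observe(build_arp(ARP_REPLY, host_b, "192.168.1.3", host_a, "192.168.1.2"))
    # A resolves its gateway the same way.
    w.observe(build_arp(ARP_REQUEST, host_a, "192.168.1.2", "00:00:00:00:00:00", "192.168.1.1"))
    w.observe(build_arp(ARP_REPLY, gateway, "192.168.1.1", host_a, "192.168.1.2"))
    # Unsolicited reply telling A that the gateway is now at the attacker's MAC.
    w.observe(build_arp(ARP_REPLY, attacker, "192.168.1.1", host_a, "192.168.1.2"))
    return w


if __name__ == "__main__":
    watcher = run_demo()
    print(watcher.bindings)
    for alert in watcher.alerts:
        print("ALERT:", alert)
```

The watcher only catches a change to a binding it has already learned; a poisoned reply that arrives before the legitimate host has ever spoken is accepted as the first sighting. That is the same blind spot a host's ARP cache has, and the reason switch-side controls such as Dynamic ARP Inspection validate ARP against DHCP snooping data rather than against previously seen traffic.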

3. CAM table flooding

Ethernet switches use Content Addressable Memory (CAM) tables to map MAC addresses and VLAN assignments to individual ports, so that frames are delivered correctly. The macof tool can be used to flood a switch with random Ethernet frames and IP packets. Once the CAM table overflows, the switch can no longer map inbound frames to their destination ports; it fails open and broadcasts them to all ports, effectively functioning like a hub.
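The tell-tale sign of this attack from the switch's point of view is a single port sourcing far more distinct MAC addresses than any access port legitimately would. The following added example (not code from the original post) counts distinct source MACs per port over a set of observations, as a SPAN capture or a MAC-address-table export might provide them, and reports ports over a limit. The port names (Gi1/0/1 etc.), the 00:11:22:33:44:xx station addresses and the seeded random flood are all constructed for the example.

```python
"""Detecting CAM table flooding from per-port distinct source-MAC counts.

Added example, not code from the original post. The observations are
constructed: two quiet access ports and one port emitting frames from
hundreds of random source addresses, as a flooding tool would.
"""
import random
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

# (switch port, source MAC) as a SPAN session or MAC-table export reports them.
Observation = Tuple[str, str]

# An access port with one workstation and maybe a phone needs only a few
# addresses; this is the kind of limit switch port-security features enforce.
MAX_MACS_PER_PORT = 8


def random_mac(rng: random.Random) -> str:
    """Locally administered unicast MAC, like those flooding tools generate."""
    first = (rng.randrange(256) & 0xFE) | 0x02   # clear multicast bit, set local bit
    rest = [rng.randrange(256) for _ in range(5)]
    return ":".join(f"{x:02x}" for x in [first, *rest])


def constructed_observations() -> List[Observation]:
    """Constructed sample data: two normal ports and one port under flood."""
    rng = random.Random(1)   # fixed seed so the example is reproducible
    obs: List[Observation] = []
    for _ in range(50):      # normal ports: the same one or two stations, repeatedly
        obs.append(("Gi1/0/1", "00:11:22:33:44:01"))
        obs.append(("Gi1/0/2", "00:11:22:33:44:02"))
        obs.append(("Gi1/0/2", "00:11:22:33:44:22"))   # e.g. a phone behind the PC
    for _ in range(500):     # one port sourcing 500 distinct random addresses
        obs.append(("Gi1/0/7", random_mac(rng)))
    return obs


def macs_per_port(observations: Iterable[Observation]) -> Dict[str, Set[str]]:
    """Distinct source MACs seen on each port."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for port, mac in observations:
        seen[port].add(mac.lower())
    return dict(seen)


def flooded_ports(observations: Iterable[Observation],
                  limit: int = MAX_MACS_PER_PORT) -> Dict[str, int]:
    """Ports whose distinct source-MAC count exceeds the limit, with the count."""
    return {port: len(macs)
            for port, macs in macs_per_port(observations).items()
            if len(macs) > limit}


if __name__ == "__main__":
    for port, count in sorted(flooded_ports(constructed_observations()).items()):
        print(f"{port}: {count} distinct source MACs (limit {MAX_MACS_PER_PORT})")
```

In practice the same per-port limit is what port security on a managed switch enforces directly (a maximum number of learned addresses per port, with the port shut down or the excess dropped on violation), which stops the table from overflowing in the first place; the count above is the detection you would run on a capture or on exported MAC tables where that control is not in place.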
