7.2 MAC Attacks
MAC Address/CAM Table
- Each switch has a fixed size dynamic Content Addressable Memory (CAM) table.
- The CAM table stores information such as MAC addresses available on physical ports with their associated VLAN parameters.
How CAM Works
What Happens When CAM Table Is Full?
- Once the CAM table on the switch is full, additional ARP request traffic will flood every port on the switch.
- This will change the behavior of the switch, resetting it to its learning mode, in which it broadcasts on every port much like a hub.
- This attack will also fill the CAM tables of adjacent switches.
- MAC flooding involves flooding the CAM table with fake MAC address and IP pairs until it is full.
- The switch then acts as a hub, broadcasting packets to all machines on the network, and attackers can easily sniff the traffic.
Failopen mode: the switch starts behaving as a hub and broadcasts the incoming traffic through all the ports in the network.
MAC Flooding Switches with macof
- macof is a Unix/Linux tool that is part of the dsniff collection.
- macof sends random source MAC and IP addresses.
- This tool floods the switch's CAM tables (131,000 per min) by sending bogus MAC entries.
Switch Port Stealing
- The switch port stealing sniffing technique uses MAC flooding to sniff packets.
- The attacker floods the switch with forged gratuitous ARP packets that carry the target's MAC address as source and the attacker's own MAC address as destination.
- A race condition occurs between the attacker's flooded packets and the target host's packets, so the switch has to change its MAC address binding constantly between two different ports.
- In that case, if the attacker is fast enough, he will be able to direct the packets intended for the target host toward his switch port.
- The attacker now manages to steal the target host's switch port and sends an ARP request to the stolen switch port to discover the target host's IP address.
- When the attacker gets an ARP reply, this indicates that the target host's switch port binding has been restored, and the attacker is now able to sniff the packets sent toward the targeted host.
How to Defend against MAC Attacks
- Configure port security on a Cisco switch.
- Port security can be used to restrict inbound traffic to a selected set of MAC addresses only and to limit MAC flooding attacks.
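A monitoring check that complements port security, as an added example that is not part of the original notes: it parses two snapshots laid out like Cisco "show mac address-table" output and reports ports that hold more dynamic MAC addresses than an access port should (the flooding symptom) and MAC addresses whose port binding changed (the port stealing symptom). The snapshots, the function names and the limit of 2 addresses per port are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample data in the layout of Cisco "show mac address-table".
SNAPSHOT_1 = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0011.2233.4401    DYNAMIC     Gi0/1
  10    0011.2233.4402    DYNAMIC     Gi0/2
  10    0011.2233.4403    DYNAMIC     Gi0/3
"""
SNAPSHOT_2 = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0011.2233.4401    DYNAMIC     Gi0/1
  10    0011.2233.4402    DYNAMIC     Gi0/3
  10    0011.2233.4403    DYNAMIC     Gi0/3
  10    5e1a.0b7c.9d01    DYNAMIC     Gi0/3
  10    a2c4.66f0.1b02    DYNAMIC     Gi0/3
  10    7e90.13aa.c403    DYNAMIC     Gi0/3
"""

# Matches only dynamically learned rows; header and separator lines are skipped.
ROW = re.compile(r"^\s*(\d+)\s+((?:[0-9a-f]{4}\.){2}[0-9a-f]{4})\s+DYNAMIC\s+(\S+)\s*$", re.I)

def parse(table):
    """Return {(vlan, mac): port} for every dynamically learned entry."""
    entries = {}
    for line in table.splitlines():
        m = ROW.match(line)
        if m:
            entries[(int(m.group(1)), m.group(2).lower())] = m.group(3)
    return entries

def crowded_ports(entries, max_macs=2):
    """Ports with more dynamic MACs than the assumed per-port limit."""
    per_port = defaultdict(set)
    for (_vlan, mac), port in entries.items():
        per_port[port].add(mac)
    return {p: len(m) for p, m in per_port.items() if len(m) > max_macs}

def moved_macs(before, after):
    """MACs bound to a different port in the later snapshot: {mac: (old, new)}."""
    common = before.keys() & after.keys()
    return {k[1]: (before[k], after[k]) for k in common if before[k] != after[k]}

if __name__ == "__main__":
    old, new = parse(SNAPSHOT_1), parse(SNAPSHOT_2)
    print("over limit:", crowded_ports(new))
    print("moved:", moved_macs(old, new))
```

Uplink and trunk ports legitimately carry many addresses, so the limit only makes sense for access ports.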
Q1) Bob is attempting to sniff a wired network in his first pen test contract. He sees only traffic from the segment he is connected to. What can Bob do to gather all switch traffic?
- MAC flooding
- MAC spoofing
- IP spoofing
- DOS attack
A1) Bob can launch a MAC flooding attack against the switch, thereby converting the switch into a large hub. If successful, this will allow Bob to sniff all traffic passing through the switch.