Macof

It should be pointed out that the discrete routing property of a switch was originally designed to increase performance, not to increase security. As a result of this, any increase in security should be viewed as by-product of the design rather than its original goal. Keeping this in mind, before you run out to replace all your hubs with switches, you should be aware that there are tools available that can be used against a switch to make it act like a hub. In other words, in some instances, we can cause a switch to broadcast all traffic to all ports making it behave exactly like a hub.

Most switches have a limited amount of memory that can be used to remember the table containing MAC address and corresponding port numbers. By exhausting this memory and flooding the table with bogus MAC addresses, a switch will often become incapable of reading or accessing valid entries in the MAC to port table. Because this switch cannot determine the correct port for a given address, the switch will simply broadcast the traffic to all ports. This model is known as “fail open”. The concept of fail open simply means that when the switch fails to properly and discretely route traffic, it falls back to a hub-like state (open) that sends all traffic to all ports.

You should be aware that some switches are configured to “fail closed”. Switches that fail closed operate in exactly the opposite manner of a fail open switch. Rather than broadcasting all traffic to all ports, fail closed switches simply stop routing traffic altogether. However, as a penetration tester or hacker, there is an upside to this configuration as well. If you are able to prevent the switch from routing traffic, you have stopped all traffic on the network and caused a Denial of Service.

Dsniff is an excellent collection of tools that provide many useful functions for sniffing network traffic. It’s recommended that you take time and review each of the tools included with dsniff. One of the dsniff tools written by Dug Song, called macof, provides us with the ability to flood a switch with thousands of random MAC addresses. If the switch is configured to fail open, the switch will began to act like a hub and broadcast all traffic to all ports. This will allow you to overcome the selective routing of a switch and dsniff all network traffic passing through the device. Macof is built into BlackArch and can be run by issuing the following command in a terminal window:

macof -i enp1s0 -s 172.16.45.123 -d 172.16.45.2

In the preceding example, “macof” is used to invoke the program. The macof program will generate and flood the network with thousands of MAC addresses. The “-i” switch is used to specify you computer’s network card. This is where the MAC addresses will be sent from. The “-s” is used to specify the source address. The “-d” is used to specify the destination or target of your attack.

As a final word of caution, using macof will generate tremendous amounts of network traffic and is therefore, easily detectable. You should use this technique only when stealth ain’t a concern.

With the concepts of promiscuous mode and the ability to sniff traffic on a switch in mind, you can examine another popular tool that can be used to view and capture network traffic. One of the simplest and most powerful tools for sniffing network traffic is wireshark. Wireshark was originally written by Gerald Combs in 1998. This popular tool is a free network protocol analyzer that allows you to quickly and easily view and capture network traffic. You can download Wireshark for free from http://wireshark.org. Wireshark is an extremely flexible and mature tool. It should be noted that prior to 2006 Wireshark was known as Ethereal. Although the program remained the same, the name changed due to some trademark issues.

Wireshark is built into BlackArch and can be accessed by issuing “sudo wireshark” in a terminal window.

When you first start Wireshark inside BlackArch, you’ll get a message telling you that “Running Wireshark as user ‘root’ can be dangerous.”. You can click “OK” to acknowledge this warning.

Select your current network interface withing Wireshark and the home screen will be changed by all the traffic in and out.