Network Takedown Part 1: CAM Table Overflow with Password Capture
Welcome to part 1 of our Network Takedown series. Today we will cover the CAM table overflow attack. A CAM table overflow works just as the name implies: by overflowing the limited amount of space in a switch’s CAM table (AKA MAC address table). Something most people don’t realize is that a network switch can store only a limited number of MAC addresses in its MAC address table, and this can be exploited. Once the switch’s MAC address table becomes full it does not simply shut down or stop accepting new traffic; it will actually begin to treat all traffic generated to or from any new device added to the network during the attack as broadcast traffic, similar to the way a hub treats all network traffic. Additionally, devices connected to the network prior to the attack will eventually have their MAC addresses age out and fall off the table; if you have the attack continuously running you may get lucky and take the device’s spot in the MAC address table with an address of your own and force all its traffic to broadcast as well. Once the switch starts acting like a hub we can then sniff all the traffic going through the network.
The CAM table overflow attack has been covered multiple times on multiple blogs; however, I discovered that no one actually shows you how to capture traffic/passwords off a network suffering from CAM overflow, and I aim to do just that.
Use macof to generate thousands of fake MAC addresses to overwhelm a switch’s CAM table. After the CAM table is overrun, use ettercap to capture cleartext usernames and passwords.
Linux with macof and ettercap installed. I personally used Kali.
Two targets to sniff the traffic between. I used a Windows Server 2008 box running as a telnet server and a Windows 7 client running PuTTY.
A managed network switch that you can view the CAM/MAC address table on for testing purposes. I used a Cisco 2960s.
Only execute this attack on networks you own or are given permission to pen test against. As with any attack there is always the risk of network function interruption. In the case of this attack, if you are on a large enough network, forcing all traffic to broadcast out all ports will cause some serious network slowness. Additionally, running this attack against older switches, like a Cisco 2900XL, will take access to the management plane of the device offline.
Connect your Kali machine to the target switch as well as the Windows 2008 box hosting telnet.
First let’s take a look at what a healthy MAC address table looks like on our Cisco switch by issuing the show mac address-table count command. This specific switch has room for 8170 MAC addresses in its table, 2 of which are currently being used. This number will vary based on the switch model, typically the more expensive the switch the larger the table.
Over on our Kali machine open up a Terminal and enter macof -i eth0 to start the CAM table overflow attack. The -i switch specifies which interface to use; in this case we will be using the Ethernet adapter, eth0.
While the attack is running you can actually watch the number of MAC addresses increase on the switch by issuing the show mac address-table count command a few times.
After about 15 seconds of running macof the MAC address table on the switch has been filled with bogus MAC addresses. Once you are sure the MAC address table is nice and full you can cancel the attack on the Kali machine by hitting CTRL-C.
Note: The beefier the switch the longer it will take to fill up the MAC address table.
Note: Similar to the way a legitimate MAC address will age and eventually fall off, so will the illegitimate macof addresses. As a result macof will need to be run continuously or at frequent intervals to keep the switch’s CAM table overrun.
At this point the switch’s CAM table is full and it begins to act like a hub, sending all traffic destined for MAC addresses that are not already in its table as broadcast traffic down all ports. Now the fun begins! To sniff the traffic open up ettercap on your Kali machine under Sniffing/Spoofing > Network Sniffers > ettercap-graphical.
Under Options in ettercap make sure Promisc Mode is checked. Under Sniff select Unified Sniffing and select eth0 then hit OK.
The ettercap menu changes once you select the input interface. Now we can begin to sniff for cleartext usernames and passwords. To start sniffing simply select the Start drop down and click Start Sniffing.
Plug your Windows 7 box into the network and telnet over to the Windows Server 2008 box. Ettercap will display this connection and place a star next to it to inform you that you have successfully captured someone’s cleartext password.
Double click on the connection in question to view the captured cleartext username and password.
Additional Notes: Some things to keep in mind/reminders while executing this attack include the switch’s MAC address aging time, CAM table size, existing MAC address entries on the switch and CDP. My Cisco 2960s had its MAC address aging time set to 600 seconds, so keep this in mind when timing your attacks. Additionally, the larger the CAM table the longer it will take to fill up, so be patient while macof does its thing and feel free to wait 30 seconds or more before killing the process. Taking the slot of an existing MAC address on the target switch can take some time, so again, continue to be patient. Lastly, CDP is your friend: if the administrator has left it on (more than likely) for the port your Kali machine is connected to, feel free to use the model information you can collect and Google the default aging time and MAC address table size to better time your attack.
Fortunately there is a countermeasure that Cisco built into IOS that allows you to shut the port down if the switch receives more than a certain number of MAC addresses on one port. In this case I set mine to 5 MAC addresses. Note that the maximum and violation settings only take effect once port security itself is enabled on the interface with switchport port-security.
HATsw01(config-if)#switchport mode access
HATsw01(config-if)#switchport port-security
HATsw01(config-if)#switchport port-security maximum 5
HATsw01(config-if)#switchport port-security violation shutdown
Additionally you could allow for the ports in question to re-activate themselves after a minute with the following commands.
HATsw01(config)#errdisable recovery cause psecure-violation
HATsw01(config)#errdisable recovery interval 60
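A defender-side check to go with the port-security countermeasure, added here as an example that is not part of the original post: a small Python script that parses show mac address-table dynamic output, counts learned addresses per port, flags any port exceeding the same per-port maximum (5) the config above enforces, and reports how full the table is against the 8170-entry capacity mentioned earlier. The switch output below is constructed (the port names and MAC addresses are made up), and the row format assumed is the usual Cisco IOS "Vlan / Mac Address / Type / Ports" layout.

```python
import re
from collections import Counter

# Constructed sample of `show mac address-table dynamic` output (not a real capture).
# Gi1/0/3 has learned far more addresses than a single host should ever present.
SAMPLE_MAC_TABLE = """\
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    0050.56aa.0001    DYNAMIC     Gi1/0/1
   1    0050.56aa.0002    DYNAMIC     Gi1/0/2
   1    1a2b.3c4d.0001    DYNAMIC     Gi1/0/3
   1    1a2b.3c4d.0002    DYNAMIC     Gi1/0/3
   1    1a2b.3c4d.0003    DYNAMIC     Gi1/0/3
   1    1a2b.3c4d.0004    DYNAMIC     Gi1/0/3
   1    1a2b.3c4d.0005    DYNAMIC     Gi1/0/3
   1    1a2b.3c4d.0006    DYNAMIC     Gi1/0/3
   1    1a2b.3c4d.0007    DYNAMIC     Gi1/0/3
Total Mac Addresses for this criterion: 9
"""

# One table row: vlan, dotted-quad MAC, entry type, port name.
ROW_RE = re.compile(
    r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\w+)\s+(\S+)\s*$", re.I)

def macs_per_port(table_text):
    """Count DYNAMIC (learned) entries per switch port from the dumped table."""
    counts = Counter()
    for line in table_text.splitlines():
        m = ROW_RE.match(line)
        if m and m.group(3).upper() == "DYNAMIC":
            counts[m.group(4)] += 1
    return counts

def flag_ports(table_text, per_port_max=5):
    """Ports whose learned-address count exceeds the port-security maximum."""
    return {p: n for p, n in macs_per_port(table_text).items() if n > per_port_max}

def table_fill_percent(table_text, capacity=8170):
    """How full the CAM table is; near 100% means the switch is about to flood."""
    total = sum(macs_per_port(table_text).values())
    return 100.0 * total / capacity

if __name__ == "__main__":
    print("per port:", dict(macs_per_port(SAMPLE_MAC_TABLE)))
    print("over limit:", flag_ports(SAMPLE_MAC_TABLE))
    print(f"table fill: {table_fill_percent(SAMPLE_MAC_TABLE):.2f}%")
```

Feeding it two snapshots taken a few seconds apart, as the post does with show mac address-table count, also shows the growth rate that distinguishes a flood from normal learning.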
That’s it for today, but stay tuned for Part 2 of the Network Takedown series, which will cover rogue DHCP servers featuring DHCP starvation and default-route man-in-the-middle attack/sniffing.