To perform the aforementioned four attacks, an attacker needs to gain the appropriate level of access to the network in order to sniff the traffic. The following are merely a few of the more popular and effective techniques an attacker has at his disposal.
In a nonswitched network environment built from hubs, sniffing traffic is trivial. By the very nature of a network hub, every port sees all traffic traversing the hub, regardless of the intended destination. This means that if a university dormitory is wired so that every room hangs off the same hub, then any dorm room Ethernet port can be used to spy on the traffic of everyone else in that dorm. (OK, we said we weren't going to focus on physical security, but an attacker could also just plug his sniffing laptop into the same hub.)
Wireless (Wi-Fi) networks are often prone to simple sniffing attacks, depending on how they are configured. We could devote an entire book to Wi-Fi security; instead, we recommend checking out the companion book, Hacking Exposed Wireless by Johnny Cache and Vincent Liu (McGraw-Hill, due out in 2007). There are a variety of tools and techniques that hackers can use to sniff and subvert wireless networks. Wireless sniffing tools are largely the same as the traditional wired sniffers, with one caveat: not all of them can decode the 802.11 headers in Wi-Fi frames.
War driving and war walking are techniques used by hackers to search for Wi-Fi networks. Netstumbler (http://www.netstumbler.com/) is a popular Wi-Fi wardriving/walking tool that runs on Windows and indicates which networks in range are wide open (in other words, not using Wired Equivalent Privacy (WEP) or Wi-Fi Protected Access (WPA)). See Figures 5-1 and 5-2 for examples of Netstumbler in action.
Gaining access to a VoIP network element is often enough to eavesdrop on conversations flowing through it. For example, if a hacker compromises a VoIP endpoint (the phone, a PC with a softphone, and so on), then she will be able to eavesdrop only on conversations terminating at that endpoint. Compromising a switch or VoIP proxy, however, could result in the hacker being able to eavesdrop on all conversations flowing through that device.
Many IP phones have extended features that may facilitate several of the eavesdropping attacks we described at the beginning of the chapter. A good example is the Snom phone we demonstrated in Chapter 1. As you can see from Figure 5-3, this Snom 320 phone has a PCAP Trace feature that allows anyone with access to the administrative web interface of the phone to capture all traffic!
A hacker may be able to compromise a switch by gaining administrative access through the web interface or telnet console. Many switches support a Remote Switched Port Analyzer (RSPAN) mode: the switch copies all traffic from one or more source ports onto a dedicated VLAN, where it can be collected from any port (even on another switch) that is a member of that VLAN, essentially creating a hub-like environment on that VLAN. This means that a hacker with administrative access could remotely reconfigure a switch to mirror the traffic on all other ports to himself.
We have tried to emphasize throughout this book that your VoIP deployment is only as secure as the underlying supporting layers. No matter how securely architected a VoIP application is, this becomes a moot issue if the underlying operating system or firmware can be compromised. Most VoIP gateways, proxies, and softphone PCs run on top of either Windows or Linux. These operating systems are prone to numerous vulnerabilities that require constant patching and updates (as illustrated in Chapter 4). There are a variety of exploitation tools that facilitate hacking into these vulnerable hosts. One such tool that comes preloaded with a long list of "point-and-shoot" exploits is the Metasploit Framework, shown in Figure 5-4.
Once a host has been compromised, there are a variety of backdoor and rootkit programs that the hacker can upload in order to maintain remote access to the victim. From there, he can proceed to upload tools or scripts to record the VoIP traffic flowing through the host.
All network switches have a finite amount of memory for the MAC address (CAM) table that maps learned source MAC addresses to switch ports. If the number of learned entries exceeds that capacity, some switches stop learning new addresses and fall back to flooding frames out every port, effectively turning themselves into a hub. A simple tool by Dug Song called macof (http://www.monkey.org/~dugsong/dsniff/), part of the dsniff suite, floods a switched network with frames carrying random source MAC addresses in the hope of triggering this condition. Once it occurs, the attacker can use any of the simple sniffing techniques outlined in the next sections. This is also an effective technique to circumvent VLANs. Another tool that can perform MAC address flooding is called Angst (http://freshmeat.net/projects/angst/) by Patroklos G. Argyroudis.
Manipulating or flooding ARP entries on your network can cause a serious denial of service on the local segment you're testing, rendering the network unusable for a short time, or it might require a reboot of some of the affected network equipment.
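The following added example is not from the book or from the dsniff project; it is a stand-alone Python model that shows both halves of the attack described above. The `build_flood_frame()` function builds the kind of frame a macof-style flooder emits (a minimal Ethernet II frame with a random unicast source MAC), and `ToySwitch` is a deliberately simplified learning switch with a bounded MAC table and idle-entry ageing. The names, the port numbers, the sample MAC addresses and the 300-second ageing time are constructed for the demonstration; real switches differ in how they behave when the table fills, which is exactly why the attack works on some and not others.

```python
import os
import struct

ETHERTYPE_IPV4 = 0x0800


def random_mac() -> bytes:
    """Random 48-bit MAC that looks like a plausible unicast station:
    locally-administered bit set, multicast (least significant) bit clear."""
    mac = bytearray(os.urandom(6))
    mac[0] = (mac[0] | 0x02) & 0xFE
    return bytes(mac)


def eth_frame(src: bytes, dst: bytes, ethertype: int = ETHERTYPE_IPV4,
              payload: bytes = b"\x00" * 46) -> bytes:
    """Minimal Ethernet II frame (60 bytes without FCS for the default payload)."""
    return dst + src + struct.pack("!H", ethertype) + payload


def build_flood_frame() -> bytes:
    """What a macof-style flooder emits: a frame whose source (and destination)
    MAC are random, so every frame costs the switch one new table entry."""
    return eth_frame(random_mac(), random_mac())


class ToySwitch:
    """Learning switch with a bounded MAC table and idle-entry ageing (a model,
    not any vendor's implementation).

    A frame for an unknown destination is flooded out every port but the one it
    arrived on.  When the table is full, new source addresses are simply not
    learned, so a station whose entry has aged out cannot be learned again and
    its traffic is flooded to every port, attacker's included."""

    def __init__(self, capacity: int, max_age: int = 300):
        self.capacity = capacity
        self.max_age = max_age          # seconds before an idle entry is dropped
        self.table = {}                 # src MAC -> [port, last_seen]
        self.now = 0

    def tick(self, seconds: int) -> None:
        """Advance the clock and expire idle entries."""
        self.now += seconds
        stale = [m for m, (_, seen) in self.table.items()
                 if self.now - seen > self.max_age]
        for m in stale:
            del self.table[m]

    def forward(self, frame: bytes, in_port: int, ports: int) -> list:
        """Learn the source if there is room, then return the egress port list."""
        dst, src = frame[0:6], frame[6:12]
        entry = self.table.get(src)
        if entry is not None:
            entry[0], entry[1] = in_port, self.now
        elif len(self.table) < self.capacity:
            self.table[src] = [in_port, self.now]
        if dst in self.table:
            return [self.table[dst][0]]
        return [p for p in range(ports) if p != in_port]


def flood_demo(capacity: int = 1024, ports: int = 4):
    """Returns (egress_before, egress_after): where the switch sends Bob's reply
    to Alice before the flood, and where it sends it once the attacker has
    filled the table and the victims' idle entries have aged out."""
    attacker_port, alice_port, bob_port = 0, 1, 2
    alice = bytes.fromhex("020000000001")      # constructed sample addresses
    bob = bytes.fromhex("020000000002")
    sw = ToySwitch(capacity)

    # Baseline: Alice talks to Bob, Bob replies.  Both get learned and the
    # reply is delivered only to Alice's port.
    sw.forward(eth_frame(alice, bob), alice_port, ports)
    before = sw.forward(eth_frame(bob, alice), bob_port, ports)

    # Attacker on port 0 floods more random addresses than the table can hold.
    for _ in range(capacity * 2):
        sw.forward(build_flood_frame(), attacker_port, ports)

    # The victims go quiet; their entries age out while the attacker keeps
    # flooding, so the table stays full of garbage and cannot relearn them.
    sw.tick(sw.max_age + 1)
    for _ in range(capacity * 2):
        sw.forward(build_flood_frame(), attacker_port, ports)

    # Now Bob's reply to Alice is flooded to every port, including port 0.
    sw.forward(eth_frame(alice, bob), alice_port, ports)
    after = sw.forward(eth_frame(bob, alice), bob_port, ports)
    return before, after
```

The point of the ageing step is that flooding alone does not evict victims the switch has already learned; it only stops the switch from learning anything new. The attacker therefore keeps flooding until the victims' entries expire on their own, which is why macof is run continuously rather than once. The defensive counterpart is port security (a per-port cap on learned MAC addresses), which turns `len(self.table) < self.capacity` into a per-port check that shuts the offending port down instead of silently failing open.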
Virtual LANs (VLANs) are used to segment network domains logically on the same physical switch. Ethernet frames tagged with a specific VLAN can only be viewed by members of that VLAN. VLAN membership is typically assigned in one of three ways:
By switch port The switch port itself can be set to be a member of a VLAN. This is by far the most popular choice in deployments today.
By MAC address The switch maintains a list of the MAC addresses that are members in each VLAN.
By protocol The layer 3 data within the Ethernet frame is used to assign membership based on a mapping maintained by the switch.
Many switches support the ability to create several VLANs on the same switch, which is a helpful component for protecting your core VoIP assets.
The predominant VLAN tagging protocol in use today is the IEEE standard 802.1Q (http://standards.ieee.org/getieee802/download/802.1Q-1998.pdf). 802.1Q defines the way in which Ethernet frames are tagged with VLAN membership information. Before 802.1Q was introduced, Cisco's ISL (Inter-Switch Link) and 3Com's VLT (Virtual LAN Trunk) were prevalent. In some older Cisco networks, you can still find implementations of ISL VLANs today.
Many vendors recommend separating voice and traditional data applications into two different VLANs to make it more difficult for an attacker to reach your VoIP network from a compromised user desktop or network server. VLANs are not a panacea for preventing attacks; rather, they add another layer in a traditional defense-in-depth security model. Such segmentation sounds like a great idea in theory, but because of the converged nature of VoIP applications, it may not always be possible. Segmentation is also difficult to implement in an environment with softphones on users' PCs and laptops. See Chapter 10 for a more detailed look at softphone security.
When VLANs are set up by port, a possible VLAN circumvention technique involves an attacker simply disconnecting the VoIP phone and using a PC to generate traffic. A MAC-based VLAN could be similarly circumvented by a rogue PC spoofing its MAC and including the proper VLAN tags. Obviously, with the proper spoofing tools and physical access to a switch port, an attacker could bypass a VLAN in some instances. This is one of the reasons that VLANs should be one of several defense-in-depth protection techniques.
Another type of malicious bypass is possible in an environment with both layer 2 and layer 3 switches. When VLAN separation is enforced by the layer 3 switches, it may in some cases be circumvented if no filtering or access control lists have been defined on the layer 2 switches.
There are several other documented attacks to circumvent the logical separation enforced by the VLAN on the switch. Many of these attacks are documented against a Cisco environment in an excellent paper by the security consulting company, @stake (since acquired by Symantec); however, most of them are applicable to all networking gear. The paper is available at http://www.cisco.com/warp/public/cc/pd/si/casi/ca6000/tech/stake_wp.pdf and covers the following general classes of VLAN exploitation:
MAC flooding attack Described in the last section, flooding the switch with bogus source addresses exhausts its MAC address table (the mapping of MAC addresses to switch ports) and can cause the switch to fail open as if it were a hub, forwarding all traffic to all ports.
802.1Q and ISL tagging attack By crafting frames using the encapsulations defined by 802.1Q and ISL, an attacker can trick the target switch into thinking his system is actually another switch with a trunk port. A trunk port is a specially designated port that is capable of carrying traffic for all VLANs on that switch. If successful, the attacking system would then become a member of all VLANs.
Double-encapsulated 802.1Q/Nested VLAN attack This technique involves an attacker tagging an Ethernet frame with two 802.1Q tags. The first (outer) tag is stripped off by the switch the attacker is connected to when it forwards the frame onto a trunk, and the upstream switch then sees the second (inner) tag and delivers the frame into that restricted VLAN.
Private VLAN attack Private VLANs (PVLANs) provide additional isolation between ports within the assigned VLAN. PVLAN ports can be set up as isolated, community, or promiscuous within the specific PVLAN subnet. The promiscuous port is usually the network gateway and can communicate with any of the ports in the PVLAN. Community ports can communicate with the promiscuous port or other ports in the community. Isolated ports can communicate only with a promiscuous port. Circumventing PVLAN restrictions involves an attacker using the router on the promiscuous port as a proxy to forward a packet to her intended target. The attacker accomplishes this by sending a packet with a valid source MAC and IP address and the destination IP address of the target, but with the destination MAC address set to that of the router. The router accepts the frame because it carries the router's MAC address, looks up the destination IP address, finds that it lies on the same subnet, and forwards the packet to the target, relaying it around the layer 2 isolation. The bypass is one-directional: the target's reply is still blocked by the PVLAN unless it is routed the same way.
Spanning Tree Protocol attack Spanning Tree Protocol (STP) is defined in IEEE Standard 802.1D (http://www.ieee802.org/1/pages/802.1D.html) and describes a bridge/switch protocol that implements the Spanning Tree Algorithm (STA) to prevent loops on a layer 2 network, making sure there is only one active path to a destination node. When the switches boot up, one is elected as the root bridge through the exchange of special network frames called Bridge Protocol Data Units (BPDUs). An attacker with a multihomed computer can spoof BPDUs advertising a lower bridge priority value, and therefore a better bridge ID than the current root, so that the switches elect his machine as the root bridge. As a result, traffic between the switches is redirected through his machine instead of across the appropriate switch links.
VLAN Trunking Protocol attacks The VLAN Trunking Protocol (VTP) is a Cisco protocol that enables the addition, deletion, and renaming of VLANs in your network. By default, all Catalyst switches are configured to be VTP servers, and any updates are propagated to all ports configured to receive VLAN updates. If an attacker is able to inject a VLAN configuration carrying the highest configuration revision number, those VLAN configuration changes would be applied to all other switches in the domain. Put simply, if an attacker compromises the switch that manages the central configuration, she could delete all VLANs across the domain.
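The nested-VLAN attack in the list above is easiest to understand at the byte level. The following added example is not from the book or from the @stake paper; it is a stand-alone Python model that builds a frame with two 802.1Q tags, then applies the two decisions a trunk makes: the attacker's switch sends native-VLAN traffic out the trunk untagged (so the outer tag disappears), and the upstream switch places a tagged frame into whatever VLAN its first tag names. One precondition the list entry does not spell out, but which the model makes explicit, is that the attacker's access VLAN must be the trunk's native VLAN; the example also shows the two standard fixes, an unused native VLAN and tagging the native VLAN on the trunk. The function names, the sample MAC addresses and the VLAN numbers are constructed for the demonstration.

```python
import struct

TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800


def vlan_tag(vid: int, pcp: int = 0, dei: int = 0) -> bytes:
    """One 4-byte 802.1Q tag: TPID 0x8100 followed by the TCI
    (3-bit priority, 1-bit drop-eligible, 12-bit VLAN ID)."""
    if not 0 <= vid <= 4095:
        raise ValueError("VID must fit in 12 bits")
    tci = (pcp << 13) | (dei << 12) | vid
    return struct.pack("!HH", TPID_8021Q, tci)


def build_frame(dst: bytes, src: bytes, payload: bytes,
                vids=(), ethertype: int = ETHERTYPE_IPV4) -> bytes:
    """Ethernet II frame carrying zero or more 802.1Q tags, outermost first."""
    tags = b"".join(vlan_tag(v) for v in vids)
    return dst + src + tags + struct.pack("!H", ethertype) + payload


def parse_tags(frame: bytes):
    """Walk nested 802.1Q tags; return (vids outermost first, ethertype, payload offset)."""
    vids, off = [], 12
    while struct.unpack_from("!H", frame, off)[0] == TPID_8021Q:
        tci = struct.unpack_from("!H", frame, off + 2)[0]
        vids.append(tci & 0x0FFF)
        off += 4
    ethertype = struct.unpack_from("!H", frame, off)[0]
    return vids, ethertype, off + 2


def trunk_egress(frame: bytes, native_vlan: int, tag_native: bool = False) -> bytes:
    """Model of the attacker's switch sending a frame out an 802.1Q trunk.
    Frames belonging to the trunk's native VLAN leave untagged (unless the
    switch is configured to tag the native VLAN), so the outer tag is removed
    and whatever sat beneath it becomes the frame's first tag."""
    vids, _, _ = parse_tags(frame)
    if vids and vids[0] == native_vlan and not tag_native:
        return frame[:12] + frame[16:]      # drop the 4-byte outer tag
    return frame


def trunk_ingress_vlan(frame: bytes, native_vlan: int) -> int:
    """Model of the upstream switch receiving on its trunk: a tagged frame is
    placed in the VLAN named by its first tag, an untagged one in the native VLAN."""
    vids, _, _ = parse_tags(frame)
    return vids[0] if vids else native_vlan


def double_tag_attack(attacker_vlan: int, native_vlan: int, target_vlan: int,
                      tag_native: bool = False) -> int:
    """Attacker in attacker_vlan sends a frame tagged [attacker_vlan, target_vlan]
    across a trunk whose native VLAN is native_vlan.  Returns the VLAN the
    upstream switch finally delivers the frame into."""
    attacker = bytes.fromhex("0200000000aa")   # constructed sample addresses
    target = bytes.fromhex("0200000000bb")
    frame = build_frame(target, attacker, b"\x00" * 46,
                        vids=(attacker_vlan, target_vlan))
    on_trunk = trunk_egress(frame, native_vlan, tag_native)
    return trunk_ingress_vlan(on_trunk, native_vlan)
```

With the attacker in VLAN 1 and VLAN 1 as the trunk's native VLAN, `double_tag_attack(1, 1, 200)` lands the frame in VLAN 200. Move the native VLAN to an unused number (`double_tag_attack(1, 999, 200)`) or tag the native VLAN (`tag_native=True`) and the outer tag survives the trunk, so the frame stays in the attacker's own VLAN. Note that the trick only ever carries traffic one way: the target's replies go back through normal forwarding, so this is a tool for injection rather than for sniffing, and it works only when the switch forwards the attacker's tagged frame in the first place.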
Also read the book Hacking Exposed Cisco Networks by Andrew Vladimirov, Konstantin Gavrilenko, and Andrei Mikhailovsky (McGraw-Hill 2006). In this book, Chapter 12 includes a section entitled "Exploiting VLANs" that covers these types of attacks in more detail. In Chapter 7, we'll cover some specific countermeasures that can be applied in a Cisco environment to mitigate many of these attacks.
As you learned in Chapter 2, the Address Resolution Protocol (ARP) is used to map IP addresses to MAC addresses. ARP poisoning (also called ARP poison routing (APR) or ARP cache poisoning) is one of the most popular techniques for eavesdropping in a switched environment. It is also a type of man-in-the-middle attack because it involves a hacker inserting herself between the two calling parties. We feel man-in-the-middle (interception) attacks deserve their own chapter, so we've devoted the entire next chapter to the subject and the corresponding tools.
ARP poisoning is possible because some operating systems will accept or replace an entry in their ARP cache regardless of whether or not they have sent an ARP request for it. This means that an attacker may be able to trick one or both hosts into thinking that the attacker's MAC address is the address of the other computer. In this case, the attacker acts as a gateway (man-in-the-middle) and silently forwards all of the traffic on to the intended host while monitoring the communication stream.
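The following added example is not from the book; it is a stand-alone Python model of the behaviour just described. `build_arp()` assembles a real Ethernet/ARP frame (RFC 826, IPv4 over Ethernet), `NaiveArpCache` models a host that accepts any reply whether or not it asked for one, and `StrictArpCache` models the hardened behaviour a practitioner wants: only learn from replies to outstanding requests, never let a reply silently swap the MAC of an existing entry, and record the conflict (the condition arpwatch-style monitors alert on). Both caches are simplified models, not any operating system's stack; the hostnames, addresses and function names are constructed for the demonstration.

```python
import ipaddress
import struct

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = b"\xff" * 6


def mac(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


def ip4(text: str) -> bytes:
    return ipaddress.IPv4Address(text).packed


def build_arp(op: int, sender_mac: bytes, sender_ip: bytes,
              target_mac: bytes, target_ip: bytes) -> bytes:
    """Ethernet II header + 28-byte RFC 826 ARP body (42 bytes total)."""
    eth_dst = BROADCAST if op == ARP_REQUEST else target_mac
    eth = eth_dst + sender_mac + struct.pack("!H", ETHERTYPE_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)   # htype, ptype, hlen, plen, op
           + sender_mac + sender_ip + target_mac + target_ip)
    return eth + arp


def parse_arp(frame: bytes):
    """Return the ARP fields as a dict, or None if the frame is not ARP."""
    if struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_ARP:
        return None
    op = struct.unpack_from("!HHBBH", frame, 14)[4]
    body = frame[22:42]
    return {
        "op": op,
        "sha": body[0:6],
        "spa": str(ipaddress.IPv4Address(body[6:10])),
        "tha": body[10:16],
        "tpa": str(ipaddress.IPv4Address(body[16:20])),
    }


class NaiveArpCache:
    """Accepts any reply, solicited or not: the behaviour that makes poisoning work."""
    def __init__(self):
        self.table = {}                  # IP string -> MAC bytes

    def on_frame(self, frame: bytes) -> None:
        a = parse_arp(frame)
        if a and a["op"] == ARP_REPLY:
            self.table[a["spa"]] = a["sha"]


class StrictArpCache:
    """Learns only from replies to requests it sent, refuses to let a reply
    overwrite an existing entry with a different MAC, and logs the conflict."""
    def __init__(self):
        self.table = {}
        self.pending = set()             # IPs with an outstanding request
        self.alerts = []                 # (ip, known_mac, offered_mac)

    def request(self, ip_text: str) -> None:
        self.pending.add(ip_text)

    def on_frame(self, frame: bytes) -> None:
        a = parse_arp(frame)
        if not a or a["op"] != ARP_REPLY:
            return
        known = self.table.get(a["spa"])
        if known is not None and known != a["sha"]:
            self.alerts.append((a["spa"], known, a["sha"]))
            return
        if a["spa"] in self.pending:
            self.table[a["spa"]] = a["sha"]
            self.pending.discard(a["spa"])


def poison_demo():
    """Victim 10.0.0.10 resolves its gateway 10.0.0.1; the attacker then sends an
    unsolicited reply claiming the gateway's IP with her own MAC.  Returns what
    each cache model believes about the gateway afterwards plus the strict
    cache's alerts.  Addresses are constructed sample values."""
    victim_mac = mac("02:00:00:00:00:10")
    gateway_mac = mac("02:00:00:00:00:01")
    attacker_mac = mac("02:00:00:00:00:ee")
    victim_ip, gateway_ip = ip4("10.0.0.10"), ip4("10.0.0.1")

    legit = build_arp(ARP_REPLY, gateway_mac, gateway_ip, victim_mac, victim_ip)
    poison = build_arp(ARP_REPLY, attacker_mac, gateway_ip, victim_mac, victim_ip)

    naive, strict = NaiveArpCache(), StrictArpCache()
    strict.request("10.0.0.1")
    for cache in (naive, strict):
        cache.on_frame(legit)
        cache.on_frame(poison)
    return naive.table["10.0.0.1"], strict.table["10.0.0.1"], strict.alerts
```

In a real attack the poison frame is sent to both parties (each is told the other lives at the attacker's MAC) and is repeated every few seconds, because the victims' own ARP traffic would otherwise correct the entry; the attacker also enables IP forwarding so the calls keep working while they are recorded. The strict model is deliberately stricter than most production stacks, which do refresh entries from unsolicited traffic; the robust defences on a switched network are static ARP entries for critical hosts such as the VoIP gateway and Dynamic ARP Inspection on the switch, with an arpwatch-style monitor to report the MAC flip that `strict.alerts` captures.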