Saturday, February 7, 2009

Flood the MAC address table of a Switch

Lab Section: Switch

Lab Title: Flood the MAC address table of a Switch

Objective

In this lab exercise, we will complete the following tasks:

1. Use Ettercap to overflow the MAC address table of a Cisco 2950 switch.

2. Use Wireshark to sniff the FTP password.

Background

Switches maintain a table that maps each learned MAC address to the switch port it was seen on. When a switch receives a frame, it looks up the destination MAC address in that table and forwards the frame out the corresponding port only. If the destination is not in the table, or the frame is a broadcast, the frame is flooded out every port except the one it arrived on.

Scenario

Your computer is connected to an uncontrolled switch. You want to sniff the traffic of the other computers connected to this switch. Because the switch uses its MAC address table to deliver each frame only to the destination port, you have to flood that table so the switch falls back to flooding every frame out all ports, behaving like a hub.

Topology

This figure illustrates the lab network environment:


Preparation

Tools and Resources

In order to complete the lab, the following is required:

1. Ettercap 0.7.3: http://sourceforge.net/projects/ettercap/

2. Wireshark 1.05: http://www.wireshark.org/

3. PuTTY or HyperTerminal


Additional Materials

Visit the following websites for more information on the objectives covered in this lab:

1. http://en.wikipedia.org/wiki/ARP_poisoning

2. http://en.wikipedia.org/wiki/Ettercap_(computing)

Procedure

1. Preparation: start the FTP and Telnet servers on the Windows Server 2003 machine and check connectivity between the PCs.

1.1 On the server (192.168.10.9), open a command prompt.

1.2 Enter “ipconfig /all” to show the current network settings and make sure the IP address is correct.

1.3 Enter “ping 192.168.10.10” to check the connection to the other computer.

1.4 Enter “ping 192.168.10.11” to check the connection to the other computer. Make sure they are all connected.

1.5 Open “Control Panel” -> “Administrative Tools” -> “Services”, find the Telnet service and start it.

1.6 Back in “Administrative Tools”, open “Computer Management” and click “Local Users and Groups”.

1.7 In the “Users” window, add two new users, “telnetuser” and “ftpuser”. Set a password for each and uncheck the “User must change password at next logon” option (for convenience only; do not uncheck this option in a real environment).

1.8 Make user “telnetuser” a member of the “TelnetClients” group.

1.9 Return to the “Administrative Tools” window. Run “Internet Information Services (IIS) Manager” to set up the FTP server.

1.10 Right-click “Default FTP Site”, choose “Properties”, uncheck “Allow anonymous connections” and apply the change.

1.11 On the Sniffer PC, open a command prompt.

1.12 Enter “ipconfig /all” to show the current network settings and make sure the IP address is correct.

1.13 Run Wireshark and click the menu “Capture” -> “Interface”. Click “Options” to open the capture options window.

1.14 Set up the capture filter; we use “IP only” here. Click “Start”.

1.15 Wireshark starts capturing packets. As you can see, only broadcast packets and the local machine's own packets are received.

1.16 On the User PC, open a command prompt.

1.17 Enter “ipconfig /all” to show the current network settings and make sure the IP address is correct.

1.18 Ping 192.168.10.10. Wireshark captures the ICMP traffic because Wireshark is running on 192.168.10.10.

1.19 Telnet to 192.168.10.9. Wireshark does not see any of these packets because the switch forwards them to 192.168.10.9 directly.

1.20 Connect the User PC to the switch with a console cable.

1.21 Run PuTTY and open the terminal window. The second command lists the MAC addresses the switch has learned dynamically and the port each one was learned on:

Switch>enable

Switch#show mac-address-table dynamic

OK, the test environment is set up.

Click here to watch video 1: Preparation (http://www.valit.ca/lab/lab7/lab7_1.html)

2. Flood the MAC address table.

2.1 On the Sniffer PC: use another capture filter in Wireshark, because we only care about the server's traffic.

2.2 In Wireshark, click the menu “Capture” -> “Interface”, click “Options”, then click “Capture Filter” and choose “IP address 192.168.10.9” (change the IP address if your server differs). Click “OK” and then “Start”.

2.3 Run Ettercap. Click the menu “Sniff” -> “Unified sniffing”, select the network interface and click “OK”.

2.4 Click the menu “Plugins” -> “Manage the plugins” and select “rand_flood”. Then click the menu “Start” -> “Start sniffing”.

2.5 On the User PC: in the PuTTY window, enter “show mac-address-table dynamic”. You will see a large number of fake MAC addresses.

2.6 Open a command prompt, enter “telnet 192.168.10.9”, and enter the username and password to connect to the Telnet server.

2.7 On the Sniffer PC (192.168.10.10): you can now see the Telnet traffic between 192.168.10.9 (server) and 192.168.10.11 (user). Because the MAC address table is full, the switch has to flood the frames out every port.

2.8 On the User PC: open Internet Explorer, enter ftp://192.168.10.9, and enter the username and password to connect to the FTP server.

2.9 On the Sniffer PC (192.168.10.10): you can now see the FTP traffic between 192.168.10.9 (server) and 192.168.10.11 (user).

2.10 Ettercap can also sniff the Telnet and FTP passwords, but if you want to capture and analyse other traffic, Wireshark is the better choice.

Click here to watch video 2: Overflow (http://www.valit.ca/lab/lab7/lab7_2.html)
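As an added defender's-side example that is not part of the original lab: both the Background section and step 2.5 come down to what the switch's MAC table looks like, so this Python script parses the `show mac-address-table dynamic` output format shown above and flags any access port that has learned an implausible number of dynamic MAC addresses, which is exactly the condition a flood produces. The sample output, its MAC addresses and the threshold of 3 are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of Cisco IOS "show mac-address-table dynamic" output
# as it might look on the 2950 after random source MACs arrived on Fa0/2.
# All addresses are made up for this example.
SAMPLE_MAC_TABLE = """\
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    0016.3e11.aa01    DYNAMIC     Fa0/1
   1    0016.3e11.aa02    DYNAMIC     Fa0/2
   1    0016.3e11.aa03    DYNAMIC     Fa0/3
   1    8a1f.c02d.7e10    DYNAMIC     Fa0/2
   1    2c9b.04a7.11f3    DYNAMIC     Fa0/2
   1    d6e0.91bb.5c44    DYNAMIC     Fa0/2
   1    5a77.3d0e.29ab    DYNAMIC     Fa0/2
Total Mac Addresses for this criterion: 7
"""

# One table row: VLAN, dotted-hex MAC (xxxx.xxxx.xxxx), type, port.
ENTRY_RE = re.compile(
    r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\w+)\s+(\S+)\s*$",
    re.IGNORECASE,
)

def parse_mac_table(text):
    """Return (vlan, mac, type, port) tuples; header/footer lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(2).lower(), m.group(3), m.group(4)))
    return entries

def macs_per_port(entries):
    """Count distinct MAC addresses learned on each port."""
    counts = defaultdict(set)
    for _vlan, mac, _type, port in entries:
        counts[port].add(mac)
    return {port: len(macs) for port, macs in counts.items()}

def flag_flooded_ports(text, threshold=3):
    """Ports learning more than `threshold` MACs are suspicious on an access
    switch where each port serves one host (threshold is a constructed value)."""
    return sorted(p for p, n in macs_per_port(parse_mac_table(text)).items() if n > threshold)

if __name__ == "__main__":
    print("suspicious ports:", flag_flooded_ports(SAMPLE_MAC_TABLE))
```

The same condition is what Cisco port security enforces on the switch itself (`switchport port-security maximum`), which caps learned addresses per port instead of letting the table fill.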
