==Phrack Inc.== Volume 0x0b, Issue 0x39, Phile #0x06 of 0x12 |=-------------------------=[ T A R A N I S ]=---------------------------=| |=-----------------------------------------------------------------------=| |=------------------------=[ Jonathan Wilkins ]=-------------------------=| Taranis ------- Code by Jonathan Wilkins Original concept by Jesse . Thanks to Skyper for his assistance URL: http://www.bitland.net/taranis Summary ------- Taranis redirects traffic on switch hardware by sending spoofed ethernet traffic. This is not the same as an ARP poisoning attack as it affects only the switch, and doesn't rely on ARP packets. Plus, it is virtually invisible because the packets it sends aren't seen on any other port on the switch. Evading detection by an IDS that may be listening on a monitoring port is as simple as changing the type of packet that is sent by the packet spoofing thread. How it works ------------ First, some history. Back in the old days, we had 10base5, or thick Ethernet. The 10 prefix meant that it was 10 Megabit and the 5 postfix indicated that the maximum cable length was 500 meters. It used a coaxial cable, much like cable TV uses. (The difference is in the maximum impedence of the cable, TV cable is 75 ohm, ethernet is 50 ohm) Coaxial cable consists of a central wire which is surrounded by a layer of insulator, which is enclosed in a shield made of thin stranded wire. This is all encased in another thinner insulating layer. A thick Ethernet network had a shared backplane and then a series of trancievers that plugged into it. If the shared portion of the cable broke, or rodents happened to chew through it, then the entire network went down. Since the cable was usually strung throughout the ceiling and walls it was quite inconvenient to fix. Long runs of cable had to be augmented by a repeater, which was just a little device that boosted the signal strength. A 10base5 network looked something like this: Shared backplane X-+------+------+------+------+------+-X (+ - Tranciever) | | | | | | (X - Terminator) | | | | | | Host Host Host Host Host Host A B C D E F This was replaced by thin Ethernet (10base2, which means that it was 10Mbit and had a maximum cable length of 200 meters)), which was based on a shared cable but didn't require trancievers and so was less expensive. (10base2 was also known as cheapernet) It was also vulnerable to the rodent attack. 10base2 looked something like this: X------.------.------.------.------.------X Host Host Host Host Host A B C D E (X - terminator which is just a 50 ohm resistor) (. - BNC Connector, T shaped piece of metal that connected two pieces of cable with a computer) Then came 10baseT, or Twisted Pair Ethernet. This was based around a star topology. The reason for the name is clear when you see a diagram. Host A Host B Host C | | | \________ | ________/ \ | / Switch or Hub / | \ /~~~~~~~~ | ~~~~~~~~\ Host D Host E Host F Now if rats happened to chew through a network cable, only one computer would lose network connectivity. If a giant rat happened to eat the network hub, it was easy to crimp new ends on the twisted pair cable and buy a new hub. An Ethernet Frame header looks like this: | | | | | | | | | | | | | | | 0 6 11 13 Bytes 0-5 are the Destination Address Bytes 6-11 are the Source Address Bytes 12-13 is the Type Code (IP is 0x0800) All of the discussed ethernet types (10base5, 10base2 and 10baseT) are based around a shared medium. This means that packets are broadcast to every connected machine. It also means that when one device is sending, no other devices can send. To increase bandwidth, switches were created. Ethernet switches only forward packets to the port (a port is the hole you plug the cable into) that the packet is destined for. (This means all ports in the case of a broadcast packet) This meant that more total packets could be sent through the network if a switch were used than if a hub was used. Switches and hubs are built to allow uplinking (when you connect another switch or hub into a port instead of just a single computer). In the case of a hub, this just means that there are more machines sharing the available bandwidth. In the case of a switch it means that the internal traffic from one hub won't be seen on other ports. It also means that multiple ethernet addresses can be on each port and that the switch must contain a list of all of the ethernet addresses that are on a given physical port and only forward traffic to the port that the destination host is on. It would be silly to require a network administrator to track down the ethernet addresses for each of the connected machines and enter them manually to build this list, so switches generate this list automatically by watching network traffic. As long as there is a way for this to be configured automatically, the switch is probably vulnerable to this attack. When run, Taranis will start sending packets with the mail server's ethernet address as the source ethernet address and the attacking machine's real ethernet address as the destination address. When the switch sees this packet it will update it's internal table of port->ethernet address mappings. (This is called the CAM table. For more information on how the CAM table is updated check, http://routergod.com/gilliananderson/ For the record, CAM apparently stands for Content Addressable Memory, an extremely generic term) The switch will not forward the packet to any other ports as the destination ethernet address is set to an ethernet address already associated with the current port. This internal table looks something like this: Port | Ethernet Addresses -------+---------------------------------------- Port 1 | 01:00:af:34:53:62 (Single host) Port 2 | 01:e4:5f:2a:63:35 00:c1:24:ee:62:66 ... (Hub/Switch) Port 3 | 11:af:5a:69:08:63 00:17:72:e1:72:70 ... (Hub/Switch) Port 4 | 00:14:62:74:23:5a (Single host) ... As far as the switch is concerned, it has a hub connected on that port, and it just saw a packet from one host on that hub to another host on the same hub. It doesn't need to forward it anywhere. Now that we are seeing traffic destined for the mail server, what can we do with it? The initial idea was to perform a man in the middle attack, but this proved to be more difficult than anticipated. (see the comments for switchtest at the end of this file) Instead taranis spoofs enough of a pop or imap session to get a client to authenticate by sending it's username and password. Taranis will store this authentication information to a logfile. To see everything displayed in a nicer format run: cat taranis.log | sort | uniq Configuration ------------- Taranis was developed under FreeBSD 4.3. It also builds under OpenBSD and Linux. If you port it to another platform, send me diff's and I'll integrate them into the release. You will require a patch to your kernel to allow you to spoof ethernet source addresses under FreeBSD and OpenBSD. LibNet has one for OpenBSD and for FreeBSD < 4.0. I have updated this patch for FreeBSD 4+ and it is included in this archive as if_ethersubr.c.patch. You can use it as follows.. - su root - cd /usr/src/sys/net - patch < if_ethersubr.c.patch and then rebuild your kernel Switchtest ---------- Switchtest was written during the development of Taranis. It is included in case someone wants to test their switches and ip stacks. We weren't able to find a switch that defaulted to hub mode when confronted with lots of packets with random source ethernet addresses. Maybe someone else will. It also tries a man in the middle attack. This shouldn't work as it is based on resending traffic to ethernet broadcast or ethernet multicast addresses. If a target IP stack is vulnerable, I'd like to hear about it. We had discussed the possibility of a generalized man in the middle attack. It is postulated that you could do a decent job of the attack by redirecting traffic for a while, and queueing the packets, then resetting the switch (with an arp request) and then sending the queued packets, then redirecting again. This will probably cause a lot of packet drops, but tcp applications may be able to continue in the face of this.. FAQ --- Q: Where does the name come from? A: Taranis was the name of a god in ancient Gaul. Whenever I can't think of a name I randomly grab something from www.pantheon.org. Q: Why do I keep getting PCAP open errors? A: You're not root or your kernel doesn't have a pcap compatible way of capturing packets. Perhaps your network is not ethernet. Q: Why am I not seeing packets from the target machine? A: There are several possibilities: 1. Your system is not spoofing ethernet traffic. Check the output with ethereal (http://ethereal.zing.org/) or tcpdump (www.tcpdump.org) If you are using tcpdump use the -e flag to display the link level addresses 2. If the system you are on is spoofing the ethernet frames correctly it is possible that the switch has a delay before it will switch the port associated with an ethernet address. Some switches also have a lock in mode, where they will not accept any changes to their CAM table. Q: Did [insert network type here] really look like that? A: No. But I have no ascii graphics skills. When I get a chance I'll track down some real pictures and post them at: www.bitland.net/taranis/diagrams.html |=[ EOF ]=---------------------------------------------------------------=|