Kali Linux :: CAM Table Overflow Attack Demonstration

-

As part of my on-going studying for the CCNA Security 210 – 260 certification I have been exploring different types of network attacks, one of which is CAM table overflow attacks. In this article I would like to share what I have learnt and provide a demonstration of the attack carried out in a lab environment.

To understand my demonstration, you first need to understand how a CAM table overflow attack works and what happens as a result of the attack.
 
Switches build Content Addressable Memory (CAM) tables based on mac-addresses and port numbers. When a switch receives a frame it checks the table to see if the source mac-address is already known, if the source mac-address is unknown the switch will add the mac-address to the table along with the port number. The switch then checks the destination layer two frame and if no entry exists the switch broadcasts the frame out of all ports except the port in which the frame was received. Presuming the destination mac-address wants to respond to the source, it would send a frame back towards the switch and the switch would then add the mac-address and port number of the destination to the CAM table before forwarding it to the target device.
Switches can only store so many mac-addresses in the CAM table, if the table becomes full we start to run into all sorts of issues, something we don’t want. If nothing is received on a port, Cisco switches store mac-addresses for a maximum of five minutes before erasing the entry. Although this helps to keep the CAM table populated with relevant entries, a CAM table overflow attack can soon populate the CAM table with illegitimate entries.
 
A CAM table overflow attack occurs when an attack runs tools that generate random mac-addresses to populate the CAM table. Once the capacity of the CAM table is consumed with random mac-addresses, no new mac-addresses can be learnt and the switch begins to flood traffic from new hosts out of all ports on the switch. In essence a CAM table overflow attack turns a switch into a hub, this allows a malicious attack the ability to eavesdrop on information and perform a man-in-the-middle attack.
 
We have a few options that exist to help us protect against CAM table overflow attacks but before I go over them let me demonstrate the attack.

Topology & Demonstration

To give you an idea of my lab demonstration test, below is the topology.
The demonstration lab consists of one client machine, a Kali Linux (Attacker) machine and a layer three switch. The Kali Linux machine will be used to generate the CAM overflow attack.

Step 1.

In order to populate the switches mac-address table I sent some frames from the client and attackers machine to the switch. Below is the output of the populated mac-address table on the switch. The attacker is connected to Et0/1.

Step 2.

Now that we have attacker communication verified we will access Kali Linux (attacker) and perform the CAM table overflow attack. To do this access Terminal and enter the following;
macof -n 1000

This command will tell the macof tool to send 1000 random frames to the switch. We could just keep sending random mac-addresses until stopped by typing ‘macof‘ and pressing enter but by doing so you could crash the switch.
Press enter and you should see a similar output to the one below.
The random frames have now been sent to the switch.

Step 3.

To verify the random frames have been stored in the switches CAM table, access the switch and enter the following;
#show mac address-table
You should be able to see all the random mac-addresses that have been stored in the CAM table. As mentioned earlier, if you continuously run macof you will exhaust the CAM table and cause the switch to crash or act as a hub and forward all packets.
As you can see, it’s not too hard to perform this attack given the switch has no security measures in place.
I will now demonstrate how we can protect against this type of attack by using port security features.
Cisco devices offer port security features that are used to help protect against layer two attacks such as the one I’ve just demonstrated. The continuation of this demonstration will now focus on securing the layer two network.

Step 4.

The random mac-addresses we generated will timeout after five minutes unless removed by using the following command;
#clear mac address-table dynamic int e0/1
We can then confirm that the mac-addresses have been removed successfully by entering the following command;
#show mac address-table dynamic int e0/1
Before moving onto the next step I also generated some legitimate traffic from the attacker to the switch to bind the device mac-address again.

Step 5.

I will now enable port security and only allow a maximum of five mac-addresses on port e0/1. I will also configure the switchport to shutdown if the maximum number of mac-addresses is reached. Enter the following commands;
#switchport port-security #switchport port-security maximum 5 #switchport port-security violation shutdown
and verify the configurations by entering the following;
#show run port-security
Note: Port security offers three different violations, protect, restrict and shutdown.
  1. Protect: allows all mac-addresses seen before but not new ones
  2. Restrict: similar to protect but also generates SNMP traps and syslog messages when a violation occurs
  3. Shutdown: When a violation occurs the port will shutdown and placed in an error-disabled state until recovered

Step 6.

Go back to the Kali Linux (attacker) machine and run the ‘macof‘ command from the terminal again.
Now return back to the switch, you should now see syslog messages indicating the port, in my case e0/1 has been shutdown.
As shown in the image above, the syslog messages indicate e0/1 has been placed into err-disable mode because a violation has occurred. To view the status of the interface enter the following command;
#show interface e0/1 status and #show port-security int e0/1
You should see similar outputs like the ones below.
I have now shown you how to stop a CAM overflow attack by using port security. To recover the err-disabled port we do this either automatically or manually by entering the following configurations;
#interface e0/1 #shutdown #no shutdown #show int e0/1 status
I hope you have found this article informative, thanks for reading.
#switchports #security #CAMtable #kalilinux #portsecurity
Kelvin Charles - Network and Cyber Security Professional.

Popular Posts

Capturing EAPOL and RADIUS Using Wireshark

-
Image
In this article we are going to take a look at how to capture Extensible Authentication Protocol Over LAN (EAPOL) and Remote Authentication Dial-In User Service (RADIUS) packets using Wireshark. This article can be useful for troubleshooting 802.1x within your environment and can also be used for learning purposes. The following topology has been used to gather the required output for this article. Note: This article will only cover the switch configurations that are required to gather EAPOL and RADIUS configuration. Overview of the Topology The supplicant is configured to perform 802.1x using EAP-TLS as the authentication method The user certificate on the supplicant will be used for authentication The supplicant has Wireshark installed Cisco ISE is used for authentication and authorisation The supplicant is assigned to VLAN 10 upon authentication and all other endpoint ports are assigned to VLAN 99 Sniffer device is running Wireshark in order to capture RADIUS flows via SPAN 802.1x
Read more

Configuring Cisco Smart License Software

-
In this article, I would like to demonstrate how to configure Cisco Smart Licensing on the virtual Cisco Adaptive Security Appliance (ASAv). This post assumes that readers already have access to there own Smart Account and would like to know the process of applying licenses. Step 1: Generate ID Token Sign into your Cisco Software Portal: software.cisco.com and navigate to “Smart Software Licensing” You will now need to create an ID token for your device, this is required for communication between the device and the licensing authority. Follow the steps below to create a new token. Click Inventory >>> General >>> New Token and select your preferred options and enter a description for your token. Once you are happy with your token settings click Create Token . You should now have a token created which can be copied over to the device you wish to license. All commands and output from this point will be related to the ASA so please seek out further advice if you wish
Read more

Cisco :: FXOS Authentication Using TACACS

-
In this article, I will describe how to enable authentication and authorization for Firepower eXtensible Operating System (FXOS) devices. The use case presented in this document illustrates how Cisco Identity Services Engine (ISE) can be utilised with attribute-value pairs (AV-Pairs) to authenticate and authorize users accessing the Firepower Chassis Manager (FCM) or FXOS platforms via TACACS+. At the time of writing this post, I found that limited documentation existed and of that documentation that did exist, the examples given weren’t as straightforward. In an effort to make this process easier for my colleagues and customers to understand I have put together the following instructions based on a previous use case given to me. Extracts of this document have been taken from a wider document I am currently creating. I will update this article with the complete document when it has been finalized. Requirements A ‘Device Administration’ license is required in order to use TACACS+ with
Read more

Configuring Remote Access VPN on Firepower

-
Image
In this article we are going to take a look at how to configure remote access VPN's on Firepower devices. This demonstration is based on the following lab environment: Cisco Virtual Firepower Management Center Cisco Virtual Firepower Threat Defense Cisco ISE 2.6 Windows host with AnyConnect VPN Windows Server 2019 (CA Server) All Firepower devices are running version 6.5 Note: ISE is used for authentication and authorization in the following lab however the configuration elements of ISE are out of scope for this demonstration. Generate a CSR for Remote Access VPN's Those accessing your network remotely need to trust the service you're running. Without the correct trust users could face issues connecting via VPN. With access to the FMC navigate to Objects > Object Management > PKI > Cert Enrollment Assuming you are opting for manual enrollment, select 'Manual' in Enrollment Type and copy the CA Certificate BASE-64 into the field. Now select the 'Certifi
Read more