Exercise Sheet 2 covers security aspects of the link layer. It contains two parts: a programming and measurement component in this sheet, as well as a written answer component. The second part is released on March 14.

In this programming sheet, you will create your own packet capture and injection tool that can be extended over the coming weeks to cover more security aspects. Aside from the benefit of understanding what exactly is behind a particular vulnerability or attack, you as a network security engineer will be faced with situations where existing tools are sometimes insufficient, or do not (yet) exist at all. The ability to capture, analyze and inject packets is a skill that will repeatedly come back, both in subsequent assignments and in a later network/security-related job.

You can write this tool in any high-level language, as long as you implement the core of a question on your own. In other words, if the question asks for an ARP spoofer, I expect you to write the software around creating false ARP requests yourself to demonstrate your knowledge, and not to import a third-party class ARPspoof that you simply execute, or to use someone else's code as a solution. For my preferred programming language, Java, I have created a workspace that you can import into Eclipse with all necessary libraries and an example to get started. You can find this file under lecture materials. Running this as root will capture 100 packets and print them on the command line. You may build on this, or start from scratch.
Question 1: Spoofed ARP packets. (10 pts)
Create a program that will inject spoofed ARP packets into a network with the goal of ARP cache poisoning. Describe in your source code the design of your spoofer.
Question 2: CAM Table Overflow. (30 pts)
During the lecture, we have discussed the fundamental architecture of a switch and how an adversary can use a CAM table overflow to get hold of traffic otherwise unavailable. Using the foundation created in question 1, extend the packet sniffer and injector to launch a CAM table overflow attack. Add some functionality from which your program can infer that the CAM table overflow was successful, scale back on the attack, and if later necessary again increase the injection volume. Use a switch or router you have at home to test the attack. What can you infer about the size of its CAM table? What is the switch's policy when the table is full: replace existing entries or drop new ones?
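Seen from the capture side, the cache poisoning in Question 1 shows up as an IP address whose claimed MAC address changes between ARP packets. The following is an added example, not part of this sheet or the Eclipse workspace, that parses raw Ethernet/ARP frames and flags such changes. The function names and the sample frames (documentation IP range, locally administered MACs) are constructed for illustration.

```python
import struct

ETH_P_ARP = 0x0806

# Constructed sample capture: Ethernet header + ARP payload as hex, 42 bytes each.
SAMPLE_FRAMES = [bytes.fromhex(h) for h in (
    # reply: 192.0.2.1 is-at 02:00:00:00:00:01
    "020000000010" "020000000001" "0806" "0001080006040002"
    "020000000001" "c0000201" "020000000010" "c000020a",
    # request: 192.0.2.10 asks who-has 192.0.2.1
    "ffffffffffff" "020000000010" "0806" "0001080006040001"
    "020000000010" "c000020a" "000000000000" "c0000201",
    # reply: 192.0.2.1 is-at 02:00:00:00:00:66 (conflicts with the first frame)
    "020000000010" "020000000066" "0806" "0001080006040002"
    "020000000066" "c0000201" "020000000010" "c000020a",
)]

def parse_arp(frame):
    """Return (op, sender_mac, sender_ip), or None if not IPv4-over-Ethernet ARP."""
    if len(frame) < 42:
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sender_mac = ":".join(f"{b:02x}" for b in frame[22:28])
    sender_ip = ".".join(str(b) for b in frame[28:32])
    return op, sender_mac, sender_ip

def find_binding_changes(frames):
    """Return (ip, old_mac, new_mac) for every IP whose claimed MAC changes."""
    seen, alerts = {}, []
    for frame in frames:
        arp = parse_arp(frame)
        if arp is None:
            continue
        _, mac, ip = arp
        if ip == "0.0.0.0":  # ARP probe: sender IP is unset, no binding claimed
            continue
        if ip in seen and seen[ip] != mac:
            alerts.append((ip, seen[ip], mac))
        seen[ip] = mac
    return alerts

if __name__ == "__main__":
    for ip, old, new in find_binding_changes(SAMPLE_FRAMES):
        print(f"{ip} moved from {old} to {new}")
```

A changed binding is an indicator, not proof: DHCP reassignment or a failover pair produces the same pattern, so compare alerts against the known gateway and server addresses.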
Question 3: The FMS attack on WEP.
This question is optional and not for credit; it is meant as a challenge for those who want to dive deeper into the material. In the lecture, we have sketched the main idea behind the FMS attack on WEP; you can find the paper in the lecture materials. In their paper, Fluhrer, Mantin and Shamir describe the special type of IVs they use for leaking key bytes into the output stream. Set up a WiFi network with WEP encryption and use a tool such as aircrack-ng to crack the password. Using the packet sniffer on the WiFi interface, capture the injected packets and responses from the AP. Analyze the strategy the tool uses and conduct statistical analysis on the IVs and the recoverable key stream bytes.
Network Security Sheet 2 - Q3 2015/2016 - Christian Doerr