Introducing the macof Tool

Today, various tools can perform MAC flooding attacks. These tools include Ettercap[3], Yersinia[4], THC Parasite[5], and macof. Macof is efficient and extremely simple to use. Example 2-1 presents its manual page.

Example 2-1 Macof Manual Page

MACOF(8)                                                              MACOF(8)

NAME
       macof - flood a switched LAN with random MAC addresses

SYNOPSIS
       macof [-i interface] [-s src] [-d dst] [-e tha] [-x sport] [-y dport]
             [-n times]

DESCRIPTION
       macof floods the local network with random MAC addresses (causing some
       switches to fail open in repeating mode, facilitating sniffing). A
       straight C port of the original Perl Net::RawIP macof program by Ian
       Vitek <[email protected]>.

OPTIONS
       -i interface
              Specify the interface to send on.

       -s src Specify source IP address.

       -d dst Specify destination IP address.

       -e tha Specify target hardware address.

       -x sport
              Specify TCP source port.

       -y dport
              Specify TCP destination port.

       -n times
              Specify the number of packets to send.

       Values for any options left unspecified will be generated randomly.

SEE ALSO
       dsniff(8)

AUTHOR
       Dug Song <[email protected]>

Example 2-2 presents a snapshot of a Catalyst 6500's bridging table before invoking macof.

Example 2-2 Catalyst 6500 Bridging Table Before Macof Operation

6K-1-720# sh mac-address-table dynamic vlan 20
Legend: * - primary entry
        age - seconds since last seen
        n/a - not available

  vlan   mac address     type    learn     age          ports
------+----------------+--------+-----+----------+--------------------------
*   20  00ff.01ff.01ff   dynamic  Yes         45   Gi1/15

Only one entry exists, learned on port Gi1/15. Let's now start macof from the workstation connected to port Gi1/15, as shown in Example 2-3.

Example 2-3 Using the Macof Tool

[[email protected] root]# macof -i eth1 -n 5
3a:50:db:3f:e9:c2 75:83:21:6a:ca:f 0.0.0.0.30571 > 0.0.0.0.19886: S 212769628:212769628(0) win 512
db:ad:aa:2d:ac:e9 f6:fe:a7:25:4b:9a 0.0.9.0.4842 > 0.0.0.0.13175: S 1354722674:1354722674(0) win 512
2b:e:b:46:a8:50 d9:9e:bf:1f:8f:9f 0.0.0.19.32533 > 0.0.9.0.29366: S 1283833321:1283833321(0) win 512
ce:56:ee:19:85:1a 39:56:a8:38:52:de 0.0.9.0.26508 > 0.9.0.0.8634: S 886470327:886470327(0) win 512
89:63:d:a:13:87 55:9b:ef:5d:34:92 0.0.0.19.54679 > 0.0.9.0.46152: S 1851212987:1851212987(0) win 512
[[email protected] root]#

Example 2-4 shows the bridging table now.

Example 2-4 Catalyst 6500 Bridging Table After Macof Operation

6K-1-720# sh mac-address-table dynamic vlan 20
Legend: * - primary entry
        age - seconds since last seen
        n/a - not available

  vlan   mac address     type    learn     age          ports
------+----------------+--------+-----+----------+--------------------------
*   20  ce56.ee19.851a   dynamic  Yes         70   Gi1/15
*   20  00ff.01ff.01ff   dynamic  Yes         70   Gi1/15
*   20  3a50.db3f.e9c2   dynamic  Yes         70   Gi1/15
6K-1-720#

Only three entries appear, even though macof was asked to generate five frames. What happened? If you look at the MAC addresses that the switch learned, you see ce:56:ee:19:85:1a and 3a:50:db:3f:e9:c2. They were indeed generated by macof. However, the tool also generated traffic from MAC addresses 2b:e:b:46:a8:50, db:ad:aa:2d:ac:e9, and 89:63:d:a:13:87. It is no accident that the switch did not learn those three addresses: they all have something in common. Table 2-2 shows their far-left octets.

Table 2-2 High-Order Octets of Source MAC Addresses

Far-Left/High-Order Octet    Value in Binary
2B                           0010 1011
DB                           1101 1011
89                           1000 1001

Look at the low-order (far-right) bit of each of these octets. It is set to 1 in all three cases. In an Ethernet address, this bit of the first octet is the individual/group (I/G) bit; when it is 1, the address is a group address, which is normally used only as the destination of multicast (or broadcast) traffic, never as a source.

What Is Multicast?

Multicast is a technique used for one-to-many or many-to-many communication. By using multicast, a source can reach an arbitrary number of interested recipients who subscribe to the group (for IPv4, a special Class D address) it is sending to. The beauty of multicast is that, from the source's perspective, it sends only a single frame. The network replicates that frame only where the delivery path branches, producing as many copies as the set of recipients requires. On Ethernet, multicast frames are identified by a special group bit being set to 1 in the destination address. It is the low-order bit of the high-order (first) byte, which is also the first bit transmitted on the wire.

Switches should not learn source addresses whose group bit is set. The presence of the group bit is legitimate only in a destination MAC address. The IEEE 802.3-2002 specification is clear on this topic:

"5.2.2.1.29 aReadWriteMACAddress ATTRIBUTE

APPROPRIATE SYNTAX: MACAddress

BEHAVIOUR DEFINED AS:

Read the MAC station address or change the MAC station address to the one supplied (RecognizeAddress function). Note that the supplied station address shall not have the group bit set and shall not be the null address."[6]

If your LAN switch learns source addresses from such frames, consider having a conversation with the switch's vendor. That being said, macof is essentially a brute-force tool and, as such, it does not embarrass itself by abiding by official IEEE standards. It generates both valid and illegitimate source MAC addresses. As a matter of fact, some switches are known to learn such addresses! Regardless, a hacker is probably not going to start macof to generate just five MAC addresses. The strength of the tool is the sheer speed at which it can produce an impressive number of random addresses and source traffic from them, as Example 2-5 shows.

Example 2-5 Filling Up the Bridging Table During a Macof Attack

6K-1-720# clear mac-address dynamic
MAC entries cleared.
6K-1-720# show mac-address count

MAC Entries for all vlans :
Dynamic Address Count:                      37
Static  Address (User-defined) Count:      494
Total MAC Addresses In Use:                531
Total MAC Addresses Available:           65536
6K-1-720# show clock
21:59:12.121 CST Fri Dec 23 2006
6K-1-720# show mac-address-table count

MAC Entries for all vlans :
Dynamic Address Count:                   58224
Static  Address (User-defined) Count:      503
Total MAC Addresses In Use:              58727
Total MAC Addresses Available:           65536
6K-1-720# show clock
21:59:20.025 CST Fri Dec 23 2006
6K-1-720#

In a matter of seconds (between 7 and 8, in this case), more than 50,000 MAC addresses are injected on a port from a regular Intel Pentium 4-based PC running Linux. The command used is macof -i eth1 (no -n, so macof keeps sending until it is stopped). In less than 10 seconds, the bridging table is exhausted, and flooding becomes inevitable. When targeting a Catalyst 6500 equipped with a Supervisor Engine 720 running Cisco IOS Software Release 12.2(18)SXF1, the following syslog message appears when the table is full:

Dec 23 21:04:56.141: %MCAST-SP-6-L2_HASH_BUCKET_COLLISION: Failure installing (G,C)->index: (0100.5e77.3b74,20)->0xEC6 Protocol :0 Error:3

The message indicates that there is no room left in the table: the hash bucket that the new entry maps to is already full, so the entry cannot be installed. Naturally, a hacker does not need to see that message to determine whether the attack succeeded; the appearance of other stations' traffic on the attacker's port is evidence enough.
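To make the two mechanisms above concrete (the group-bit rule that explains why only three of the five macof sources were learned in Example 2-4, and the table exhaustion of Example 2-5), here is a small Python model of a switch bridging table. It is an added illustration for this page, not code from the book, from Cisco, or from dsniff/macof. The CamTable class, its capacity, the port names, the seeded random frames and the "newcomer" host are constructed for the example; the five sample lines are re-typed from Example 2-3, and the parser only uses their first two fields (source and destination MAC).

```python
"""Model of a switch bridging (CAM) table under a macof-style flood.

Added illustration; not part of the original text nor of dsniff/macof.
Shows (1) the IEEE 802.3 rule that a source MAC with the group bit set is
not learned, and (2) how a capacity-limited table fills up and forces
flooding. Capacity, ports and random frames are constructed assumptions.
"""
import random

# Constructed input: the five frames of Example 2-3 as macof prints them.
# First field = source MAC, second = destination MAC (octets not zero-padded).
MACOF_OUTPUT = """\
3a:50:db:3f:e9:c2 75:83:21:6a:ca:f 0.0.0.0.30571 > 0.0.0.0.19886: S 212769628:212769628(0) win 512
db:ad:aa:2d:ac:e9 f6:fe:a7:25:4b:9a 0.0.9.0.4842 > 0.0.0.0.13175: S 1354722674:1354722674(0) win 512
2b:e:b:46:a8:50 d9:9e:bf:1f:8f:9f 0.0.0.19.32533 > 0.0.9.0.29366: S 1283833321:1283833321(0) win 512
ce:56:ee:19:85:1a 39:56:a8:38:52:de 0.0.9.0.26508 > 0.9.0.0.8634: S 886470327:886470327(0) win 512
89:63:d:a:13:87 55:9b:ef:5d:34:92 0.0.0.19.54679 > 0.0.9.0.46152: S 1851212987:1851212987(0) win 512
"""


def parse_mac(text):
    """Parse 'aa:b:c:dd:ee:ff' (macof omits leading zeros) into 6 bytes."""
    parts = text.split(":")
    if len(parts) != 6:
        raise ValueError("not a MAC address: %r" % text)
    return bytes(int(p, 16) for p in parts)


def cisco_format(mac):
    """Render 6 bytes the way 'show mac-address-table' does: ce56.ee19.851a."""
    h = mac.hex()
    return "%s.%s.%s" % (h[0:4], h[4:8], h[8:12])


def is_group_address(mac):
    """I/G bit: low-order bit of the first octet (the first bit on the wire)."""
    return bool(mac[0] & 0x01)


class CamTable:
    """Flat table keyed by MAC; a real switch hashes into fixed-size buckets."""

    def __init__(self, capacity):
        self.capacity = capacity
        self.entries = {}  # mac bytes -> port name
        self.stats = {"learned": 0, "refreshed": 0, "rejected_group": 0, "full": 0}

    def __len__(self):
        return len(self.entries)

    def learn(self, src_mac, port):
        """Apply the 802.3 source rule, then insert if there is room."""
        if is_group_address(src_mac):
            self.stats["rejected_group"] += 1
            return "rejected_group"
        if src_mac in self.entries:
            self.entries[src_mac] = port
            self.stats["refreshed"] += 1
            return "refreshed"
        if len(self.entries) >= self.capacity:
            self.stats["full"] += 1
            return "full"
        self.entries[src_mac] = port
        self.stats["learned"] += 1
        return "learned"

    def forward_port(self, dst_mac):
        """Egress port, or None meaning 'flood out every port in the VLAN'."""
        if is_group_address(dst_mac):
            return None
        return self.entries.get(dst_mac)


def learn_from_macof_output(output, port, table):
    """Feed each macof line's source MAC to the table as a frame arriving on port."""
    outcomes = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 2:
            continue
        src = parse_mac(fields[0])
        outcomes.append((cisco_format(src), table.learn(src, port)))
    return outcomes


def random_mac(rng):
    """All 48 bits random, as in macof's output: about half are group addresses."""
    return bytes(rng.getrandbits(8) for _ in range(6))


def flood(table, frames, port, seed=1):
    """Inject 'frames' random-source frames on one port; return learning stats."""
    rng = random.Random(seed)
    for _ in range(frames):
        table.learn(random_mac(rng), port)
    return dict(table.stats)


def example_2_3():
    """Examples 2-2 to 2-4: one real host on Gi1/15, then the five macof frames."""
    table = CamTable(capacity=65536)
    table.learn(parse_mac("00:ff:01:ff:01:ff"), "Gi1/15")
    return table, learn_from_macof_output(MACOF_OUTPUT, "Gi1/15", table)


def example_2_5(capacity=4096, frames=20000):
    """Scaled-down Example 2-5: flood until full, then a legitimate host arrives."""
    table = CamTable(capacity=capacity)
    stats = flood(table, frames, "Gi1/15")
    newcomer = parse_mac("00:ff:02:ff:02:ff")  # constructed: host on another port
    outcome = table.learn(newcomer, "Gi1/16")
    return table, stats, (outcome, table.forward_port(newcomer))


if __name__ == "__main__":
    table, outcomes = example_2_3()
    for mac, outcome in outcomes:
        print(mac, outcome)
    print("entries:", sorted(cisco_format(m) for m in table.entries))
    table, stats, newcomer = example_2_5()
    print(stats, "entries:", len(table), "newcomer:", newcomer)
```

Run it and the first part reproduces Example 2-4: of the five macof sources, only 3a50.db3f.e9c2 and ce56.ee19.851a are learned, so the table holds three entries together with 00ff.01ff.01ff. The second part shows that once the table is full, a host that appears afterwards is never learned and traffic addressed to it is flooded to every port in the VLAN, which is what the attacker is waiting for. The model keeps a flat count; a real Catalyst uses a hash table with fixed-size buckets, which is why the L2_HASH_BUCKET_COLLISION message can appear before the nominal 65,536 entries are all in use.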

NOTE Smart hackers are unlikely to carry out MAC flooding attacks for extended periods of time, usually just long enough to gather a list of genuine IP/MAC addresses on a given VLAN or a few clear-text login credentials. However, not all switches react the same way to MAC flooding attacks, particularly when faced with high-volume attacks. Some switches perform MAC learning in dedicated hardware, while others relegate this task to a software process; the latter are more likely to suffer from the attack, because the flood consumes CPU as well as table space.
