There are many ways for the attacker to insert themselves in the middle of a conversation. Just some of the tools at the attackers disposal include:
- DNS Cache Poisoning (metasploit)
- NETBIOS Names spoofing (nbtool at skullsecurity.org)
- Lie about the DNS,WINS and/or default gateway with a rouge DHCP server (yersinia, ettercap)
- deliver a WPAD file or otherwise reconfigure the browser proxy (metasploit)
- IPv6 ISATAP spoofing
- Attack routing protocols such as BGP MITM
- IP source routing attacks (netcat)
- ICMP Redirect messages (ettercap)
- ARP Cache Poisoning (yersinia, ettercap, cain)
- Switch Port Stealing (ettercap)
- Layer2 Mac Flooding* (yersinia, macflood, macof)
- Gratuitous Spanning Tree BPDU Root messages* (yersinia)
Some of these attacks work across the internet, but most of these are limited to the LAN and rely on Layer2. The good news is that many of these attacks can be mitigated with new features deployed in the latest version of Cisco's IOS (12.2 or better). BPDU Guard, DHCP Snooping, DHCP Snooping +Dynamic Arp Inspection , DHCP Snooping + IP Source Guard, ARP Rate Limiting, Mac Address port security, PVLAN Protected, Isolated, Community and Promiscuous ports and 802.1x can all be used to effectively limit many of these attacks. Listener Brian Almond (Infosec Samurai) submitted this PDF on layer two security. Give it a gander! Nice work Brian.
Download Brian Almond's paper here
Other resources
http://isc.sans.org/diary.html?storyid=7567
http://www.ciscopress.com/articles/article.asp?p=1181682
http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.1/19ew/configuration/guide/dhcp.html
http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.1/19ew/configuration/guide/dynarp.html
Mark Baggett is teaching SANS 504 in Raleigh NC June 21st! Click here for more information.
