Switched Network Sniffing
Overflowing a CAM table using Ubuntu is a simple matter. The standard repositories
store the tools needed for a successful attack and can be easily obtained with aptitude. To
use aptitude to obtain the required tools, su to root (or sudo) and type the following to
install the dsniff suite (which includes Macof):
aptitude install dsniff
Once installation is complete, at the command prompt enter the following:
macof
At this point the utility will start flooding the CAM table with invalid MAC addresses.
To stop the attack, press Ctrl+Z.
ARP Poisoning
Address Resolution Protocol (ARP) poisoning attempts to contaminate a network with
improper gateway mappings. As explained in Chapter 2, ARP essentially maps IP addresses
to specific MAC addresses, thereby allowing switches to know the most efficient path for
the data being sent. Interestingly enough, ARP traffic doesn’t have any prerequisites for
its sending or receiving process; ARP broadcasts are free to roam the network at will.
The attacker takes advantage of this open traffic concept by feeding these incorrect ARP
mappings to the gateway itself or to the hosts of the network. Either way, the attacker is
attempting to become the hub of all network traffic. Some tools you can use to ARP-poison
a host are Ettercap, Cain and Abel (see Figure 9.3), and Arpspoof.
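A passive check for the forged mappings described above, as an added example that is not from the book: it parses raw ARP payloads and reports any IP address whose sender MAC changes, plus any MAC that claims several IPs. The addresses, sample packets and function names are constructed for illustration, and the first mapping seen for an IP is assumed to be the legitimate one.

```python
import struct
from collections import defaultdict

ARP_FMT = "!HHBBH6s4s6s4s"  # htype, ptype, hlen, plen, oper, SHA, SPA, THA, TPA (28 bytes)

def parse_arp(payload):
    """Return (oper, sender_mac, sender_ip) for an Ethernet/IPv4 ARP payload, else None."""
    if len(payload) < 28:
        return None  # truncated payload: skip it rather than crash
    htype, ptype, hlen, plen, oper, sha, spa, _, _ = struct.unpack(ARP_FMT, payload[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None  # not Ethernet/IPv4 ARP
    return oper, sha.hex(":"), ".".join(map(str, spa))

def find_poisoning(payloads):
    """Flag IPs whose sender MAC changes, and MACs that claim more than one IP."""
    bindings, claimed, alerts = {}, defaultdict(set), []
    for n, raw in enumerate(payloads):
        parsed = parse_arp(raw)
        if parsed is None or parsed[2] == "0.0.0.0":  # ARP probes carry no sender IP
            continue
        _, mac, ip = parsed
        first = bindings.setdefault(ip, mac)  # assumption: first mapping seen is genuine
        if first != mac:
            alerts.append((n, ip, first, mac))
        claimed[mac].add(ip)
    multi = sorted(m for m, ips in claimed.items() if len(ips) > 1)
    return alerts, multi

def build_arp(oper, sha, spa, tha, tpa):
    """Build a constructed ARP payload for the sample data below."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    ip = lambda s: bytes(map(int, s.split(".")))
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper, mac(sha), ip(spa), mac(tha), ip(tpa))

# Constructed sample: gateway, one host, and a third MAC claiming both addresses.
GW, HOST, ROGUE = "02:00:00:00:00:01", "02:00:00:00:00:10", "02:00:00:00:00:66"
SAMPLE = [
    build_arp(1, HOST, "192.0.2.10", "00:00:00:00:00:00", "192.0.2.1"),  # request
    build_arp(2, GW, "192.0.2.1", HOST, "192.0.2.10"),                   # genuine reply
    b"\x00\x01",                                                         # truncated
    build_arp(2, ROGUE, "192.0.2.1", HOST, "192.0.2.10"),                # forged gateway
    build_arp(2, ROGUE, "192.0.2.10", GW, "192.0.2.1"),                  # forged host
]

if __name__ == "__main__":
    alerts, multi = find_poisoning(SAMPLE)
    for n, ip, old, new in alerts:
        print(f"packet {n}: {ip} moved from {old} to {new}")
    print("MACs claiming several IPs:", multi)
```

Because the baseline is learned from traffic, a legitimate address change (a replaced network card or a failover pair) raises the same alert and has to be triaged by hand.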
What Is a CAM Table?
All CAM tables have a fixed size in which to store information. A CAM table will store
information such as the MAC address of each client, the port they are attached to, and
any virtual local area network (VLAN) information required. In normal operation, a CAM
table will be used by the switch to help get traffic to its destination, but when it is full
something else can happen.
In older switches, the flooding of a switch would cause the switch to fail “open” and start
to act like a hub. Once one switch was flooded and acting like a hub, the flood would spill
over and affect adjacent switches.
In order for the switch to continue acting like a hub, the intruder needs to maintain the
flood of MAC addresses. If the flooding stops, the timeouts that are set on the switch will
eventually start clearing out the CAM table entries, thus enabling the switch to return to
normal operation.
It is worth noting that in newer switches this has a decreased chance of being successful.