Tuesday 13 June 2023

How to configure MAC address flooding attack? How to prevent MAC flooding attack? | cyber security | ethical hacking

 

MAC address flooding attack or CAM overflow attack is a very serious concern for ethical hackers, this can leave your systems vulnerable to attack.








How MAC flooding attack works?

The first attacker finds the connection and connects to your switch then the attacker starts to flood large numbers of fake source MAC addresses to switch with port mappings. Now we know switches have a limited amount of memory and when memory is full and there is no space left for a new MAC address in the table. Our switch will act like a hub and frames are flooded to all ports. Now attackers can capture sensitive data from the network.

Now let’s configure MAC address flooding attack and then we see how to prevent overflow attacks.





  • configure the topology as per the diagram 
  • configure the IP addresses as per the topology 
  • configure a static IP address on KALI MACHINE
  • make sure all the PC able to communicate including KALI with the ping command.
  • configure Wireshark on the KALI machine for ICMP capture 
  • and configure CYBER ATTACK MAC flooding with the help of Kali.
  • check the MAC table on the switch if it's full of FAKE MAC addresses 
  • configure port security on a switch and make sure will not happen again.
  • try again MAC flooding ATTACK and make sure to switch take action shutdown attacking port. 

{configure the IP addresses as per the topology}

PC1> show ip all

NAME   IP/MASK              GATEWAY           MAC                DNS

PC1    10.1.1.3/8           10.1.1.1          00:50:79:66:68:00

PC2> show ip all

NAME   IP/MASK              GATEWAY           MAC                DNS

PC2    10.1.1.4/8           10.1.1.1          00:50:79:66:68:01

PC3> show ip all

NAME   IP/MASK              GATEWAY           MAC                DNS

PC3    10.1.1.5/8           10.1.1.1          00:50:79:66:68:02

PC4> show ip all

NAME   IP/MASK              GATEWAY           MAC                DNS

PC4    10.1.1.6/8           10.1.1.1          00:50:79:66:68:03

PC5> show ip all

NAME   IP/MASK              GATEWAY           MAC                DNS
PC5    10.1.1.7/8           10.1.1.1          00:50:79:66:68:04


{configuring Kali first bootup}










{now configure a static IP address on KALI MACHINE}










{verify the IP address}










{make sure all the PC able to communicate including KALI with the ping command}

PC1> ping 10.1.1.2

84 bytes from 10.1.1.2 icmp_seq=1 ttl=64 time=10.039 ms

84 bytes from 10.1.1.2 icmp_seq=2 ttl=64 time=15.646 ms

84 bytes from 10.1.1.2 icmp_seq=3 ttl=64 time=18.816 ms

84 bytes from 10.1.1.2 icmp_seq=4 ttl=64 time=8.456 ms

84 bytes from 10.1.1.2 icmp_seq=5 ttl=64 time=64.010 ms

PC2> ping 10.1.1.5
84 bytes from 10.1.1.5 icmp_seq=1 ttl=64 time=34.211 ms
84 bytes from 10.1.1.5 icmp_seq=2 ttl=64 time=8.096 ms
84 bytes from 10.1.1.5 icmp_seq=3 ttl=64 time=25.769 ms
84 bytes from 10.1.1.5 icmp_seq=4 ttl=64 time=10.434 ms
84 bytes from 10.1.1.5 icmp_seq=5 ttl=64 time=18.360 ms

PC1 : 10.1.1.5 255.0.0.0 gateway 10.1.1.1

PC3> ping 10.1.1.6
84 bytes from 10.1.1.6 icmp_seq=1 ttl=64 time=13.186 ms
84 bytes from 10.1.1.6 icmp_seq=2 ttl=64 time=12.276 ms
84 bytes from 10.1.1.6 icmp_seq=3 ttl=64 time=38.496 ms
84 bytes from 10.1.1.6 icmp_seq=4 ttl=64 time=34.286 ms
84 bytes from 10.1.1.6 icmp_seq=5 ttl=64 time=15.887 ms



PC4> ping 10.1.1.7
84 bytes from 10.1.1.7 icmp_seq=1 ttl=64 time=26.638 ms
84 bytes from 10.1.1.7 icmp_seq=2 ttl=64 time=10.758 ms
84 bytes from 10.1.1.7 icmp_seq=3 ttl=64 time=48.530 ms
84 bytes from 10.1.1.7 icmp_seq=4 ttl=64 time=81.011 ms
84 bytes from 10.1.1.7 icmp_seq=5 ttl=64 time=60.035 ms


PC5> ping 10.1.1.3
84 bytes from 10.1.1.3 icmp_seq=1 ttl=64 time=20.204 ms
84 bytes from 10.1.1.3 icmp_seq=2 ttl=64 time=61.496 ms
84 bytes from 10.1.1.3 icmp_seq=3 ttl=64 time=15.266 ms
84 bytes from 10.1.1.3 icmp_seq=4 ttl=64 time=19.207 ms
84 bytes from 10.1.1.3 icmp_seq=5 ttl=64 time=10.576 ms

{now ping from Kali}












(Now let's take a look at the switch MAC table we have 6 PCs)


vIOS-L2-01#show mac address-table
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    0050.7966.6800    DYNAMIC     Gi0/1
   1    0050.7966.6801    DYNAMIC     Gi0/2
   1    0050.7966.6802    DYNAMIC     Gi0/3
   1    0050.7966.6803    DYNAMIC     Gi1/0
   1    0050.7966.6804    DYNAMIC     Gi1/1
   1    0c67.5676.0000    DYNAMIC     Gi0/0
Total Mac Addresses for this criterion: 6

(As of now everything is working good now let configure MAC flooding ATTACK)
configure Wireshark on the KALI machine for ICMP capture) 






















{now configure MAC flooding ATTACK}


















(As you can see from the above image our machine sending fake MAC address continuously now let's take a look on Wireshark)




















{now let's take a look at our switch MAC address table}



















































(As you can see from the above output, the MAC address table is getting full by FAKE MAC addresses and it's getting from Gig 0/0 which is connected with the KALI machine)

  • configure port security on a switch and make sure will not happen again.



vIOS-L2-01(config)#interface gigabitEthernet 0/0
vIOS-L2-01(config-if)#switchport
vIOS-L2-01(config-if)#switchport mode access
vIOS-L2-01(config-if)#switch port-security
vIOS-L2-01(config-if)#switch port-security maximum 2
vIOS-L2-01(config-if)#switchport port-security mac-address sticky
vIOS-L2-01(config-if)#switchport port-security violation shutdown
vIOS-L2-01(config-if)#exit
vIOS-L2-01(config-if)#exit

vIOS-L2-01#show port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Gi0/0              2            1                  0          Protect
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 4096


{try again MAC flooding ATTACK and make sure to switch take action shutdown attacking port}


 












(Now let's see the switch is taking action or not)


*Jun 13 07:36:41.843: %PM-4-ERR_DISABLE: psecure-violation error detected on Gi0/0, putting Gi0/0 in err-disable state
vIOS-L2-01(config)#
*Jun 13 07:36:41.848: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address bebc.f55f.9ae2 on port GigabitEthernet0/0.
vIOS-L2-01(config)#
*Jun 13 07:36:42.844: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0, changed state to down
vIOS-L2-01(config)#
*Jun 13 07:36:43.848: %LINK-3-UPDOWN: Interface GigabitEthernet0/0, changed state to down

(As you can see the switch is shutdown the violation hacker port. this is how we can prevent MAC flooding attacks)

vIOS-L2-01#show mac  address-table
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    0050.7966.6800    DYNAMIC     Gi0/1
Total Mac Addresses for this criterion: 1

thank you so much for visiting, please visit our YouTube video

1 comment:

Anonymous said...

Hello Admin,

I would like to have in touch with you regarding business discussion.

Could you please drop an email to me at mr.rizwan35@gmail.com

What is Cisco IOS Zone Based Firewall on router? How to configure ZBF on Cisco Routers?

 Zone Based Firewall ZBF (Zone Based Firewall) is the stateful firewall that is available on Cisco IOS routers, introduced in 2006. ZBF supp...