Attacks on layer two of the OSI model (I)

Layer two of the OSI model is one of the weakest links when trying to assure network security in an organization. It is also one of the most commonly ignored, partly because there are few public implementations of layer two attacks. However, a successful attack on layer two can be just as dangerous as an attack on any other layer.

The Data link layer is one of the least secured and most often forgotten elements of a network. It is quite common for administrators to simply connect the switches, configure them so that they work and then never worry about them again. Pen-testing often reveals switches that run a vulnerable version of IOS and are not hardened in any way. It is also commonly believed that implementing VLANs in a network keeps malicious attackers away. However, VLAN architecture can be defeated just as well, and therefore all the higher OSI layer attacks, such as sniffing passwords or Man-in-the-Middle, become possible across VLANs.

The good thing about layer two is that Data link layer frames are not routed across IP networks such as the Internet (a router forwards only the IP packet carried inside the frame), so all of these attacks are limited to the internal network the attacker is connected to. But then again, statistics show that attacks from the inside can be just as dangerous as those from the outside. It must also be remembered that if an external intruder gets past our firewall and into the DMZ, such attacks can allow him to escape the DMZ and target our whole network. Let's see what the common Data link layer vulnerabilities are, how they can be exploited by an attacker and what we can do to protect our equipment. All the examples relate to Cisco equipment, but some of them can just as well affect equipment from other vendors. Most of the observations and data have been obtained by the authors through research and the development of the Yersinia tool. Sometimes it has been impossible to find references or publicly available code, so certain observations are based on behavioural analysis rather than on published standards.

What you will learn:

  • specifications of OSI layer two protocols: STP, CDP, DTP, IEEE 802.1Q, VTP,
  • how to perform attacks against those protocols,
  • how to defend your system against those attacks,
  • how to use Yersinia, a useful tool for network administrators and pen-testers.

Alfredo Andrés

David Barroso
S21sec e-crime
