The CAM table of a switch stores layer 2 network information including MAC addresses and VLAN parameters. When a sudden inundation of MAC address are sent to the switch, a CAM Table Overflow may occur if the table reaches it's address threshold. If the CAM Table is overflowed, the switch becomes jammed and acts like a hub, spewing out packets all over the local area network. The spewing of packets over the network is limited to the source VLAN. Therefore, if there is a VLAN for each department of an organisation, the flood is segregated to the originating VLAN.

It is trivial to overflow CAM table with invalid MAC addresses, thus all switches should implement security preventing this. Port Security is enough to prevent this type of attack on a Cisco switch. Port Security can be set to only allow a specified amount of MAC addresses to connect to the switch port over a certain amount of time.

To overflow a CAM table using a Debian based distribution of GNU/Linux, it's very simple. The standard Debian repositories store the tools needed for a successful attack, and can be easily apt-get'd. To apt-get the required tools, su to root (or sudo) and type the following:

root@nullity:~/# apt-get install ettercap dsniff

The above will install ettercap to sniff the flooded packets, and will install the dsniff packages--macof is part of the dsniff toolbox, and is the tool used as part of this tutorial.

As root, launch macof to start the attack:



Macof will immediately start flooding the network with an infinite number of MAC addresses. To stop the attack, type CTRL+Z.

Once the CAM Table threshold has been reached, the switch will start flooding packets out of all ports (similar to the behaviour of a hub). To take advantage of this, launch ettercap with ncurses using the following command:

root@nullity:~/# ettercap -C

Once in ettercap, do the following:

• Options   => Promiscuous
• Sniff      => Unified -> eth2 (or whatever your active interface is)
• Start      => Start Sniffing
• View      => Statistics

Ettercap will immediately start sniffing for traffic. If desired, logs can be set and stored as specified. This is ideal for later inspection, and for inspection of traffic that ettercap doesn't flag as interesting.

If a user logs in to a website from another PC on the network, the data is spewed out all switch ports, making any non-SSL traffic susceptible to reconnaissance attacks:



If any interesting or flagged traffic is identified by ettercap, it will display it in the "User Messages" display at the bottom of the screen:



Pwned.

Any feedback? Questions? Let me know.

1. Hardware dependent.
2. I wonder if he has a Cisco at home.
3. You might mean a CAM entry; IMHO the more the better. My 5-port ASUS switch has space for 1000 entries, more advanced routers might have 16000 and more.
4. Buy a switch which can be managed, and refer to the given user manual.
5. Switches work on layer 2, which means they have no ip adress.

Both have advantages and disadvantages. A disadvantage of mitm is that it can get really cpu-extensive since your machine will act as a gateway - it has to route all the traffic, which may overload your cpu, and this will cause a network failure. In the switch jamming you only have to sniff for the packets, but I think in order to be succesfull, you shall not stop the mac flood, because after some time CAM entries time out, and therefore the switch returns to its normal function - switching traffic.

Excellent article mate. Already answered my question so "No further questions your Honour!"

Very nice work.

An orgasmic article.  Hey haZed what distro are you using?

-LD

Debian
He swears by it
And so do I
My personal favourite too

Nice article man. I've already given it a try on my network. It wasn't a problem seeing as though I've got a shitty unmanaged netgear switch. Keep 'em coming.