
Q3 2015/2016

ET4397IN Network Security Sheet 2

About this sheet


Exercise Sheet 2 covers security aspects of the link layer. It contains two parts: a programming and measurement component in this sheet, as well as a written
answer component. The second part is released on March 14.
In this programming sheet, you will create your own packet capture and injection tool that can be extended over the coming weeks to cover more security
aspects. Aside from the benefit of understanding what exactly is behind a particular vulnerability or attack, you as a network security engineer will be faced with
situations where existing tools are sometimes insufficient, or do not (yet) exist at all. The ability to capture, analyze and inject parts is a skill that will repeatedly
come back, both in subsequent assignments and a later network/security-related job.
You can write this tool in any high-level language, as long as you implement the core of a question on your own. In other words, if the question asks for an ARP
spoofer, I expect you to write the software around creating false ARP requests yourself to demonstrate your knowledge, and not import a third-party class
ARPspoof that you simply execute or use someone else's code as a solution.
For my preferred programming language Java, I have created a work space that you can import into Eclipse with all necessary libraries and an example to get
started. You can find this file under lecture materials. Running this as root will capture 100 packets and print them on the command line. You may build on this, or
start from scratch.

Question 1: Spoofed ARP packages. (10 pts)


Create a program that will inject spoofed ARP packages into a network with the goal of ARP cache poisoning. Describe in your source code the design of your
spoofer.
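
The defender's side of this exercise, as an added example that is not part of the original sheet: a passive monitor in Python that parses captured ARP frames and flags three common indicators of cache poisoning. The sample frames, addresses and alert names are constructed for illustration.

```python
import socket
import struct

def parse_arp(frame: bytes):
    """Return (eth_src, op, sha, spa, tpa) for an IPv4-over-Ethernet ARP frame, else None."""
    if len(frame) < 42:  # 14-byte Ethernet header + 28-byte ARP payload
        return None
    _dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0806:
        return None
    fields = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    if fields[:4] != (1, 0x0800, 6, 4):  # Ethernet/IPv4 address sizes only
        return None
    op, sha, spa, _tha, tpa = fields[4:]
    return eth_src, op, sha, spa, tpa

class ArpMonitor:
    """Passive checks for ARP cache poisoning indicators (hypothetical alert names)."""
    def __init__(self):
        self.bindings = {}    # sender IP -> first MAC seen claiming it
        self.pending = set()  # (requester IP, requested IP) still unanswered

    def inspect(self, frame: bytes):
        arp = parse_arp(frame)
        if arp is None:
            return []
        eth_src, op, sha, spa, tpa = arp
        alerts = []
        if eth_src != sha:  # Ethernet source and ARP sender address disagree
            alerts.append("sender-mac-mismatch")
        if op == 1:
            self.pending.add((spa, tpa))
        elif op == 2 and (tpa, spa) not in self.pending:
            alerts.append("unsolicited-reply")  # gratuitous replies land here too
        else:
            self.pending.discard((tpa, spa))
        if spa != b"\x00\x00\x00\x00":  # ARP probes carry no sender IP
            known = self.bindings.setdefault(spa, sha)
            if known != sha:  # keep the first binding, report every conflict
                alerts.append("binding-changed %s %s -> %s" % (socket.inet_ntoa(spa), known.hex(":"), sha.hex(":")))
        return alerts

# Constructed sample capture: request, matching reply, then a reply rebinding 192.168.1.1
SAMPLE = [bytes.fromhex(h) for h in (
    "ffffffffffff 02000000000a 0806 0001 0800 06 04 0001 02000000000a c0a8010a 000000000000 c0a80101",
    "02000000000a 020000000001 0806 0001 0800 06 04 0002 020000000001 c0a80101 02000000000a c0a8010a",
    "02000000000a 020000000066 0806 0001 0800 06 04 0002 020000000066 c0a80101 02000000000a c0a8010a")]
if __name__ == "__main__":
    monitor = ArpMonitor()
    print([monitor.inspect(f) for f in SAMPLE])
```

A binding change is not proof of an attack, since DHCP reassignment or a replaced network card produces the same alert, so treat the output as a prompt for review.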

Question 2: CAM Table Overflow. (30 pts)

During the lecture, we have discussed the fundamental architecture of a switch and how an adversary can use a CAM table overflow to get a hold of traffic
otherwise unavailable. Using the foundation created in question 1, extend the packet sniffer and injector to launch a CAM table overflow attack. Add some
functionality from which your program can infer that the CAM table overflow was successful, scale back on the attack, and if later necessary again increase the
injection volume.
Use a switch or router you have at home to test the attack. What can you infer about the size of its CAM table? What is the switch's policy when the table is full: replace existing entries or drop new ones?

Question 3: The FMS attack on WEP.


This question is optional and not for credit; it is meant as a challenge for those who want to dive deeper into the material.
In the lecture, we have sketched the main idea behind the FMS attack on WEP; you can find their paper in the lecture materials. In their paper, Fluhrer, Mantin and
Shamir describe the special type of IVs they use for leaking key bytes into the output stream. Set up a WiFi network with WEP encryption and use a tool such as
aircrack-ng to crack the password. Using the packet sniffer on the WiFi interface, capture the injected packets and responses from the AP. Analyze the strategy the
tool uses and conduct statistical analysis on the IVs and the recoverable key stream bytes.

Network Security Sheet 2 - Q3 2015/2016 - Christian Doerr
