macof Lab

This simulation lab for the Sniffing Traffic module introduces you to the macof sniffing tool. This lab discusses and teaches you how to use other sniffing tools, such as EtherApe, to perform packet analysis, and to do so in conjunction with the macof sniffing tool. In this macof lab you'll learn the difference in how each tool captures and presents data, the information provided by the specific tool you're using and, more importantly, how to use each sniffing tool correctly. For this simulation lab the tool Wireshark is also demonstrated, to provide a different perspective on packet and/or protocol analysis.

Transcript

Hi, Leo Dregier here. I want to talk to you about a couple of different tools. We are going to use EtherApe to sniff some traffic, but we are also going to combine it with a few tools. Before I do that, I wanted to go through the install and get EtherApe installed. So bear with me here; let us go ahead and install this. You can see it running in the background, and we'll open up the next tools. So let us do an apt-get install etherape -y; the -y automatically accepts the install, so you don't get prompted. Go ahead and install that tool, and while that is running, let us talk about some of the other tools that we can effectively use. Now, one of the reasons I like using EtherApe specifically is because it visually shows the network traffic in a very elementary way. Now, while using EtherApe to demonstrate how this tool works, we are actually going to be using a denial of service tool, not really a sniffing tool, called macof. So before we do anything, let us go ahead and start EtherApe: etherape &, since it goes to the background. And while we have that in the background, notice we get our prompt back here. That is the value of putting & at the end of your command; otherwise I would have to open up a new terminal. And so we are going to see this visually run here. I just want to see some traffic, so let us do an nslookup. Let us see; when that runs we should see some traffic on the network. So great, everything is handy dandy. So now let us look at macof. Let us do a manual for macof: flood a switched local area network with random MAC addresses. The syntax of the command is macof, then the interface that you want to use (you can put this or not; if you have one interface it really doesn't matter, otherwise you can choose ethernet0), the source, the destination, -e is the target hardware address, then you have the x port and then the y port, and then the number of times that you want it to run. I have to tell you, I don't think it says it in here.

I am looking at the help file, but this will do something ridiculous like a hundred fifty-one thousand floods per minute, if I recall reading that somewhere in the past. If not, it is something real close to it. So what we are going to do is use this very, very slowly. I do have to warn you: you can denial-of-service yourself very easily with this tool. So just do not type in macof and hit run; that is what we will call in the IT field DUMB. Don't do that. macof -i ethernet0 and then the number of times, and let us just do ten times. You can see we flooded ten times, and we will go back over here on the EtherApe side and see what we sniffed. You can actually see this is flooded basically with ten random MAC addresses, and I have some bogus addresses in here. So it started the denial of service effect. Now this is going to stay in my local ARP cache table for anywhere from 30 to 60 seconds, and once that is done, when it cleans out here in a second, you will see it go away and pretty much go back to idle traffic, and then we are going to crank it up and have some fun. Also, while we are doing this I want to try to do something else: I am going to do Wireshark as well, just so you can see what this looks like from a protocol analysis point of view. So I am going to go to my interfaces, select my Ethernet interface, click start, and then we can kind of see what this looks like as well. I am going to have two tools running in the back end: one, I have got my visual tool, which now looks clean, and then I have my sniffing tool for anything that floods. And then we are going to do this again, and instead of ten times, let us do it two hundred times. I will go ahead and let that run, and if we go back to our EtherApe interface, I have effectively just flooded the network with two hundred bogus addresses in just a split second. So you can imagine what this does to the host table or the CAM table.

Also, if I open up Wireshark, you see that I am still generating all sorts of traffic. The traffic is still going up, into the several thousands here; it certainly will after a while. So let us go ahead and take a look at some of this. I am going to go towards the top of the list, where I first started the attack, and just kind of look through it and basically see what happened. You can see right away: malformed TCP packet. So it is basically not getting any upper layer application data. Now, what this proves is that this tool specifically works at layers 2 and 3 of the OSI model. I know this because layer 4 and up is basically malformed. You can see layer 3 looks pretty well intact, all of the IP stuff here in terms of sources and destinations, but it is basically malformed from that point up. You can see the ARP broadcast request, and then you can see some of the DNS queries that have gone on as well. And I have just generated a whole bunch of traffic; here is another TCP malformed packet, and if I actually sort by this TCP, in a second here it should load through, but there may be several of these in here, so it may take a second for it to actually filter through. That should have worked. Otherwise, what we can do if we want to filter: we can do a TCP filter, go to our expression menu, go to TCP and look at source ports, destination ports or any sort of sequence numbers. Specifically, what we can do is go to the flags, so it is tcp.flags.syn, and we can see if anything comes in here. We can see ack doesn't come up, so it proves most of the upper layer stuff is basically nonexistent, and no flags. We can look at ARP if we want; we can see that I have got an ARP request here that went out originally, which looks pretty legitimate, and then an ARP reply back between the layer 3 address and layer 2 address. So that is ARP IP traffic, just to get a basic understanding, and still look at all of this bogus TCP traffic. You know it is bogus; again, look at the malformed packet there under TCP, all of this stuff.

I can just keep scrolling down here, and you will notice the Ethernet II turns yellow and the TCP turns red. That is specifically what I am looking for here, because that basically tells me about the source addresses: it can't figure out what these source addresses are. Now they still honor the format, 02982F, but it doesn't resolve to any specific vendor; it's purely just a bogus set of hexadecimal numbers. So I can basically prove that it is bogus, and the same thing if I look inside TCP: I can basically tell it is bogus because there should be so much more in TCP than what we see here. And just to double check real quick, if I go back to EtherApe, you can see in 30 or 60 seconds it will go ahead and clear that out. So we kind of hit two tools here, or three tools really. We have macof, which is an attacking tool; we flooded layer 2 addresses, bogus traffic, on the network. We sniffed that traffic with Wireshark, or we could have used any sniffing tool; it is easy to do Wireshark. And then we also did it visually with EtherApe. So try different combinations of this. Try using your attack tool macof in a virtualized environment, always set the number n, and sniff the traffic in a couple of different ways, because then you can get creative with it. If you wanted to do it with TShark, ethernet0, and do it in verbose mode... Oops. Let us go TShark -g and TShark dump the, analyze the TCP network traffic. So in this case we don't actually have to do the -i; that was more of a tcpdump filter, so that is why that didn't work. So that is just tshark; run that, and it says it is running as root, and then switch back over to our macof and run that. I am just going to do 20 times right now, just to get the idea, and then go back over to our tshark. And the reason why I like tshark to do this is because of the way in which it gives you a very, very basic output of the packets. So it is easier to read this, easier to incorporate it into some sort of comma separated or tab separated file,

so that you can use it later. So that is the actual bonus tool; we just threw in tshark on top of this, but nonetheless the source of the attack is macof, and on the back side we used Wireshark, tshark, EtherApe or any other sniffing based tool to basically see what this traffic looks like. And there is no better way to learn how traffic behaves on a network than actually looking at the traffic. So I hope you enjoyed the lab; let me know what you think, comment, share, and I will see you guys in the next lab. My name is Leo Dregier, and don't forget to check us out on Facebook, YouTube, LinkedIn and Twitter.
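The lab shows the flood from the attacker's and the analyst's screens: EtherApe lights up with hundreds of new nodes, and Wireshark shows source MACs that resolve to no vendor and TCP headers flagged as malformed. The detector below is an added example written for this page; it is not part of the Cybrary transcript and not code from macof, EtherApe, Wireshark or tshark. It parses raw Ethernet II frames, counts the distinct source MACs seen per time window and flags any window whose count exceeds a threshold, and separately counts IPv4 packets whose TCP header ends early, one way a packet ends up shown as "malformed TCP". All frames are constructed inside `build_sample_frames()`; the 1-second window, the threshold of 50 sources, and the `02:98:2f` prefix (borrowed from the transcript's screen) are assumptions, not measured macof behaviour.

```python
"""MAC-flood detector over raw Ethernet II frames.

Added example for this lab (not from the transcript, nor from macof, EtherApe,
Wireshark or tshark). Frames, window size, threshold and MAC prefixes below
are constructed/assumed values.
"""
from collections import defaultdict
import struct

ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6


def fmt_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_ethernet(frame: bytes) -> dict:
    """Split an Ethernet II frame into dst, src, ethertype and payload."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet II header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return {"dst": fmt_mac(dst), "src": fmt_mac(src),
            "ethertype": ethertype, "payload": frame[14:]}


def is_locally_administered(mac: str) -> bool:
    """IEEE 802: bit 0x02 of the first octet marks a locally administered
    address, one not assigned from a registered vendor OUI (a common reason
    a vendor lookup in a sniffer comes back empty)."""
    return bool(int(mac.split(":")[0], 16) & 0x02)


def transport_truncated(payload: bytes) -> bool:
    """True for an IPv4/TCP packet that ends before a full 20-byte TCP header."""
    if len(payload) < 20 or payload[0] >> 4 != 4 or payload[9] != PROTO_TCP:
        return False
    ihl = (payload[0] & 0x0F) * 4
    return len(payload) - ihl < 20


def detect_mac_flood(frames, window_s=1.0, max_unique_src=50):
    """frames: iterable of (timestamp_seconds, raw_frame_bytes).

    Returns (alerts, malformed): alerts lists
    (window_start, unique_source_count, locally_administered_count) for every
    window over the threshold; malformed counts truncated IPv4/TCP packets."""
    per_window = defaultdict(set)
    malformed = 0
    for ts, raw in frames:
        eth = parse_ethernet(raw)
        per_window[int(ts // window_s)].add(eth["src"])
        if eth["ethertype"] == ETHERTYPE_IPV4 and transport_truncated(eth["payload"]):
            malformed += 1
    alerts = []
    for bucket, sources in sorted(per_window.items()):
        if len(sources) > max_unique_src:
            la = sum(is_locally_administered(m) for m in sources)
            alerts.append((bucket * window_s, len(sources), la))
    return alerts, malformed


def build_sample_frames():
    """Constructed traffic: three hosts talking to a gateway for 3 s, then
    200 frames from 200 distinct source MACs inside 0.2 s, the shape of the
    burst the lab describes (timing and sizes are assumptions)."""
    gateway = bytes.fromhex("001122334455")
    hosts = [bytes.fromhex("00aabbcc00%02x" % i) for i in range(3)]
    # Minimal 20-byte IPv4 header: version 4, IHL 5, TTL 64, protocol TCP.
    ip_hdr = (bytes([0x45, 0x00]) + struct.pack("!H", 40) + b"\x00\x00"
              + b"\x00\x00" + bytes([64, PROTO_TCP]) + b"\x00\x00"
              + bytes([10, 0, 0, 1]) + bytes([10, 0, 0, 2]))
    eth_type = struct.pack("!H", ETHERTYPE_IPV4)
    frames = []
    for i in range(30):  # normal traffic: 10 frames/s, full 20-byte TCP header
        frames.append((i * 0.1, gateway + hosts[i % 3] + eth_type + ip_hdr + b"\x00" * 20))
    for i in range(200):  # flood: random-looking sources, TCP header cut to 8 bytes
        src = bytes([0x02, 0x98, 0x2F, 0x00, i >> 8, i & 0xFF])
        frames.append((3.0 + i * 0.001, gateway + src + eth_type + ip_hdr + b"\x00" * 8))
    return frames


if __name__ == "__main__":
    alerts, malformed = detect_mac_flood(build_sample_frames())
    for start, unique, la in alerts:
        print(f"t={start:.1f}s: {unique} distinct source MACs ({la} locally administered)")
    print(f"{malformed} IPv4/TCP packets with a truncated transport header")
```

On the constructed input the three quiet windows stay under the threshold and the fourth window is reported with 200 distinct sources, all of them locally administered, alongside 200 truncated TCP packets. To run it over a real capture from the lab, read the pcap with scapy's `rdpcap()` and pass `(float(pkt.time), bytes(pkt))` pairs, or export `frame.time_epoch` and `eth.src` from tshark with `-T fields` and feed the MAC counting alone.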