Monday, October 15, 2012

using tcpreply as a potential DoS tool

A few years back, I had the luxury of working with a Cisco partner. In our office we had a simple array of cisco AP hanging from our ceiling. Now this partner was a big known  cisco channel partner that handle numerous  clients  and with services for the SEastern sector of the USA. Wireless was one of their biggest services that they offered.

On this particular day, I was using a Voippong tool to play back some voip pcaps that I was evaluating.( voippong  ) .  Voippong allows you to run passively or the ability to playback pcaps files from a earlier recording. I was doing the later and using my  eth0  nic in my  linux virtualmachine. This NIC was bridge to my windowXP wireless adapter via the VMware Workstation.

Tcpreplay , this  utilities allows for creating a looping of the file and setting the speed & for playing back pcaps

 tcpreplay -l 2 -v myvoipcapture.pcap

 So on this regular pcap where STP/bpdu packets where  included in the playback, these BPDUs where sent up to our APs via my 802.11x interface , and of course the APs forward these to it's PoE switch  100meg ethernet switchport that connected the wireless APs.

Since these switches had bpdu-guard features enable, these  ports went into  shutdown error state upon receipt of the BPDUs.

Upon shutdown the port,  AP would loose power and the port could only be recovered via a admin re-enabling the port. This created  a simple means to  DoS a wireless overlay, by just walking the floor and playing back  my pcap.

What made this attack so bad, was the fact that we had a guest SSID & and a authentication landing pages. So a outsider could easily bring our internal  wireless network down for both  open and secure SSIDs

Not good & can exposes you to a simple DoS of your wireless overlay.

This blog is from Ken Felix
Security and Network Engineer
kfelix  a-t

No comments:

Post a Comment