I’ve had a little dream for many years about getting my hands on Ethernet at the lowest possible level. Alright, maybe not quite as low as some – I don’t need to hit the physical layer quite like project Daisho. But I want to have nothing between myself and the packets on the wire. In some ways, perhaps this is a foolish project, since we really can do what we want with packets using tools like Scapy, which I’ve used to effect in my DHCP-exhaustion and 802.1x projects in the past. But even so, here are a couple reasons for this project:
- Sometimes operating systems still get in the way (even Linux!)
- Pure knowledge
- Throw-away devices
- Making absolute guarantees
That last one is probably the most compelling. For example, suppose you’re hacking a network with a very aggressive port security. Have you ever had your port killed because something leaked a packet with a bad MAC address? It could have been forgetting that a VM was configured with a bridged interface when you un-suspend it, or maybe you misconfigured something in a tool like Yersinia.
Or consider when you have a network with DAI enabled with ARP rate limiting. Everything’s going fine until you accidentally run a metasploit module that includes more than 10 boxes in your subnet, and then your port is borked for five minutes. What if you could guarantee that your box literally cannot send more than 9 ARP packets per second?
Throw-away devices are also another interesting one. I can’t rationally sacrifice something the cost of a BeagleBone Black on a fire-and-forget physical attack. Granted, that’s not usually in my rules of engagement… but what is research for, anyway? If I can make a throw-away ethernet device for $10, that gets into discretionary territory, for sure. Think of malicious sensors planted in different subnets, etc.
But really, it’s probably the second one that drives me on this project more than anything else. In all areas, I want to be able to confidently say I understand the full stack of technologies that drive the networks I need to assess. You really can’t think creatively about what attacks might be available unless you truly understand how everything works. Maybe some really useful, practical applications will emerge as I play with this project. Maybe not. In any case, I’ll probably be a smarter guy by the time I’m done with it.
I’m going to use this post to keep track of the various blog posts about this project – check back for new ones as they emerge!