Port Stealing

Is a technique for attachment to the layer 2 Ethernet in local networks LAN switched (i.e. with switch) which has as its purpose to intercept packets destined for another host through the theft of the respective switch port.

Port Stealing Scheme

When a switch receives a packet on a port performs the backward learning, stores in a CAM the association between the source MAC of the packet and the port from which this package arrives. In this way when you receive the response packet will send it only on the port to which the source is connected. This process is free of security mechanisms for which anyone connected to the same switch can send a packet with the Mac to another host to receive and sniffing his return traffic.

The port stealing consists precisely in the send packets with the Mac to another host with the intention of creating a false entry in CAM (the port is "stolen", port-stealing means precisely the theft of the door).

This technique is useful to sniff in a switched environment when ARP poisoning is not effective (for example where static mapped ARPs are used).

It floods the LAN with ARP packets. The destination MAC address of each "stealing" packet is the same as the attacker's one (other NICs won't see these packets), the source MAC address will be one of the MACs of the victims.

Using low delays, packets destined to "stolen" MAC addresses will be received by the attacker, winning the race condition with the real port owner.

When the attacker receives packets for "stolen" hosts, it stops the flooding process and performs an ARP request for the real destination of the packet.

When it receives the ARP reply it's sure that the victim has "taken back" his port, so ettercap can re-send the packet to the destination as is.

Now we can re-start the flooding process waiting for new packets.

It involves an attacking PC tricking the switch by sending a spoofed layer 2 frame with a target PC's MAC in the source field, and it's own MAC in the destination field. The switch should then update it's CAM table so that packets addressed to the target are forwarded to the attacker.

The attacker can then relay the packets on to the target by sending an arp request to it's IP address to reset the CAM table.

  You can configure all secure MAC addresses by using the switchport port-security mac-addressmac_address interface configuration command.

  You can allow the port to dynamically configure secure MAC addresses with the MAC addresses of connected devices.

  You can configure a number of addresses and allow the rest to be dynamically configured.

You can configure MAC addresses to be sticky. These can be dynamically learned or manually configured, stored in the address table, and added to the running configuration. If these addresses are saved in the configuration file, the interface does not need to dynamically relearn them when the switch restarts. Although sticky secure addresses can be manually configured, it is not recommended.