Fibre Channel man-in-the-middle attack assessment exercise

Fibre Channel man-in-the-middle attacks come as a result of the architecture's communications weaknesses. Learn how to find these Fibre Channel vulnerabilities with the assessment tool in this excerpt from "Securing Storage: A Practical Guide to SAN and NAS Security".

Fibre Channel address weaknesses: Assessment exercise 

Complete the following steps to perform a MITM attack according to Figure 2.17 with Cain and Abel:

  1. Install the Cain and Abel program using its defaults.
  2. Install the WinPcap packet capture driver, if you don't already have one installed.
  3. Reboot.
  4. Launch Cain and Abel (Start -> Programs -> Cain).
  5. Select the icon in the upper-left corner that looks like a green Network Interface Card.
  6. Ensure that your NIC has been identified and enabled correctly by Cain.
  7. Select the Sniffer tab.
  8. Select the + symbol in the toolbar.
  9. The MAC Address Scanner window appears. This enumerates all the MAC addresses on the local subnet. Click OK. See Figure 2.20 for the results.

    Figure 2.20 MAC Address Scanner results.

  10. Select the APR tab at the bottom of the tool to switch to the ARP Poison Routing (APR) view.
  11. Select the + symbol on the toolbar to show all the IP addresses and their MACs (see Figure 2.21).

    Figure 2.21 IP addresses and their MACs.

  12. On the left-hand side of Figure 2.22, choose the target for your MITM attack. Most likely this will be the default gateway of your subnet, so that every packet bound for the gateway passes through your host before reaching the real gateway.
  13. Once you have selected your target, which is in our example, select on the right-hand side the hosts whose traffic you want to intercept. This can be every host in the subnet or one particular host. We will choose one host, which will be (see Figure 2.22). Select OK.

    Figure 2.22 Man-in-the-middle targets.

  14. Now select the yellow and black icon (second from the left) to start the MITM attack. Server C begins sending ARP replies on the subnet announcing that the MAC address of has changed to 00-00-86-59-C8-94 (see Figure 2.23).

    Figure 2.23 Man-in-the-middle attack in process with ARP poisoning.

  15. At this point, all traffic from server A to server B goes to server C first and is then forwarded along its normal route. Server C can open a network sniffer to view all of the traffic. Additionally, Cain has a Passwords tab at the bottom that captures passwords for common protocols such as FTP, HTTP, IMAP, POP3, Telnet, and VNC. It also captures authentication hashes, such as Kerberos and IPsec IKE hashes (see Figure 2.24).
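The ARP replies that step 14 puts on the wire, and a check for them, as an added example that is not part of the book's exercise: the script below packs the same Ethernet/ARP reply frames an APR-style poisoner sends and then runs a small detector over them that flags an IP whose announced MAC changes, and a single MAC that announces more than one IP. The IP addresses and the gateway and victim MACs are constructed for the example; the attacker MAC is the one shown in Figure 2.23.

```python
"""Build the ARP replies an APR-style poisoner sends, and flag the rebinding they cause."""
import struct
from collections import defaultdict

ETH_HDR = struct.Struct("!6s6sH")            # dst MAC, src MAC, EtherType
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")    # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REPLY = 2

def mac_bytes(s):
    return bytes.fromhex(s.replace("-", "").replace(":", ""))

def mac_str(b):
    return "-".join(f"{x:02X}" for x in b)

def ip_bytes(s):
    return bytes(int(octet) for octet in s.split("."))

def ip_str(b):
    return ".".join(str(x) for x in b)

def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet frame carrying an ARP reply 'sender_ip is at sender_mac', unicast to target.
    A poisoner sets sender_ip to the victim's peer and sender_mac to its own NIC."""
    eth = ETH_HDR.pack(mac_bytes(target_mac), mac_bytes(sender_mac), ETHERTYPE_ARP)
    arp = ARP_HDR.pack(1, 0x0800, 6, 4, ARP_REPLY,
                       mac_bytes(sender_mac), ip_bytes(sender_ip),
                       mac_bytes(target_mac), ip_bytes(target_ip))
    return eth + arp

def parse_arp(frame):
    """Return (op, sender_mac, sender_ip) for an Ethernet/IPv4 ARP frame, else None."""
    if len(frame) < ETH_HDR.size + ARP_HDR.size:
        return None
    _, _, ethertype = ETH_HDR.unpack_from(frame)
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, _, _ = ARP_HDR.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return op, mac_str(sha), ip_str(spa)

def detect_poisoning(frames):
    """Track the IP -> MAC binding claimed by each ARP reply and return alert strings.

    rebind:      an IP previously announced by one MAC is now announced by another
                 (what the victim's ARP cache sees in step 14 above).
    multi-claim: one MAC announces more than one IP, i.e. a single NIC is
                 impersonating both ends of a conversation.
    """
    bindings = {}
    ips_per_mac = defaultdict(set)
    alerts = []
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None or parsed[0] != ARP_REPLY:
            continue
        _, mac, ip = parsed
        old = bindings.get(ip)
        if old is not None and old != mac:
            alerts.append(f"rebind: {ip} moved from {old} to {mac}")
        bindings[ip] = mac
        ips_per_mac[mac].add(ip)
        if len(ips_per_mac[mac]) > 1:
            alerts.append(f"multi-claim: {mac} announces {sorted(ips_per_mac[mac])}")
    return alerts

# Constructed sample traffic: the IPs and the first two MACs are illustrative;
# 00-00-86-59-C8-94 is the attacker MAC shown in Figure 2.23.
GATEWAY_IP, GATEWAY_MAC = "192.168.1.1", "00-11-22-33-44-01"
VICTIM_IP, VICTIM_MAC = "192.168.1.10", "00-11-22-33-44-0A"
ATTACKER_MAC = "00-00-86-59-C8-94"

SAMPLE_FRAMES = [
    build_arp_reply(GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),    # legitimate
    build_arp_reply(VICTIM_MAC, VICTIM_IP, GATEWAY_MAC, GATEWAY_IP),    # legitimate
    build_arp_reply(ATTACKER_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),   # poison: "gateway is me"
    build_arp_reply(ATTACKER_MAC, VICTIM_IP, GATEWAY_MAC, GATEWAY_IP),  # poison: "victim is me"
]

if __name__ == "__main__":
    for alert in detect_poisoning(SAMPLE_FRAMES):
        print(alert)
```

On a live segment the same detect_poisoning() can be fed frames from a capture file; the rebind alert is the useful signal, because a host rarely changes its MAC, and a single NIC never legitimately answers for both the gateway and one of its clients.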

Layer 2 of the OSI model (Ethernet) is a key target for attackers, and the attack is easy to execute with IP tools such as Windoze Interceptor, Dsniff, and Cain and Abel. Man-in-the-middle attacks have also resurfaced in the application world using the same techniques, but with cookies and certificates in place of ARP packets.

As discussed in Chapter 1, many attacks are not new but are adapted to new settings; the idea of a man-in-the-middle attack can be applied to Fibre Channel frames as well.

Figure 2.24 Capture password hashes due to the Man-in-the-middle attack.

The MITM attack is possible because ARP carries no authentication, on top of the general weaknesses of IPv4. As demonstrated with Cain and Abel, the attack is trivial to carry out, making it both a high security threat and a high-risk item (see the SBR chart in Figure 2.25).

Figure 2.25 SBR Chart -- IP Man-in-the-middle

Man-in-the-middle attacks -- Fibre Channel

In Fibre Channel fabrics, man-in-the-middle attacks are more difficult than in IP and carry less risk; however, the weaknesses in the fabric are still very apparent.

Name server pollution

In order to conduct a MITM attack on a Fibre Channel network, name server pollution is required. As described earlier in this chapter, there are significant weaknesses in the FLOGI and PLOGI processes that can be used to pollute the name server.

When performing a FLOGI, a Fibre Channel node uses the source address (S_ID) 0x000000 because it does not yet have a valid fabric address. It sends the frame to the destination address (D_ID) 0xFFFFFE, the well-known address of the fabric login server (the fabric broadcast address is 0xFFFFFF). The switch that receives the frame at 0xFFFFFE returns an Accept frame, known as an ACC, carrying the node's newly assigned 24-bit address, giving the node a valid fabric address. After the node has received the ACC frame and its new 24-bit address, it performs a PLOGI to the address 0xFFFFFC, the well-known address of the name server, and registers its new address with the switch's name server.

The security weakness is that a malicious node can craft a spoofed PLOGI frame and send it to the address 0xFFFFFC. The malicious node could complete the FLOGI process, but instead of using its real 24-bit address in the PLOGI, it could use the spoofed 24-bit address of a target. Since the malicious node knows the address to send PLOGI frames to (0xFFFFFC), inserting the target's 24-bit address is not a challenge. The switch's name server receives the spoofed PLOGI frame at 0xFFFFFC and updates its table with the incorrect information. For a persistent attack, the malicious node keeps sending PLOGI frames to 0xFFFFFC, continuously updating the name server with incorrect information and leaving the target, the real owner of the 24-bit address, completely out of the process. A detailed description of the contents of each frame is depicted in Figure 2.26.

Figure 2.26 Name server pollution process.

MITM attack

In order for two Fibre Channel nodes to communicate with each other, each must know the other's 24-bit address and port ID on the fabric. The fabric address is assigned and updated during the FLOGI and PLOGI processes, neither of which includes an authentication step (similar to ARP). The port ID is the physical port on the switch that the node is connected to. If one node wants to communicate with another, it sends frames to the other node's 24-bit address, which becomes the destination address (D_ID) in the frame header. The switch receives the frame, matches the 24-bit address to the correct port ID via its name server table in order to find the physical port of the destination node, and passes the frame on to that port. See Figure 2.27 for normal communication in a fabric.

Figure 2.27 Normal fabric communication.

In order to perform a Fibre Channel MITM attack, a malicious node spoofs its 24-bit address to match the address of its target (Node A). Because name server information is updated automatically during the PLOGI process (remember that the FLOGI and PLOGI processes update name server information without authentication), the malicious node then performs a PLOGI, sending its port ID, WWN, and the spoofed 24-bit address to the fabric address 0xFFFFFC for all the switches in the fabric to accept. The switches, with no way to tell that the information is incorrect, update their name servers with the port ID, WWN, and the spoofed 24-bit address. When another node wants to communicate with the real node, the switch maps the spoofed 24-bit address to a different port ID and thereby routes the frame to a different node. See Figure 2.28 for details.

Figure 2.28 Man-in-the-middle attack on a fabric.

The primary security weakness is the lack of authentication when sending FLOGI or PLOGI frames that consequently update name server information on switches. In Figure 2.28, node A has a 24-bit fabric address of 0x10001 and node B has a 24-bit fabric address of 0x10002. Fabric routing tables and rules would allow the two entities to communicate with each other quite easily using port ID 1 and port ID 2. When the malicious node, node C, performed a man-in-the-middle attack to intercept the traffic between node A and node B, the following steps were performed:

  1. Node C did not perform a FLOGI, because it does not care to have a real 24-bit fabric address, but will be using the 24-bit address of its target, which is node A.
  2. Using a traffic analyzer, node C crafts a frame mimicking a PLOGI frame, as if it were registering its own 24-bit address to the fabric and adjoining switches, but actually updating its spoofed 24-bit address to the authorized name server.
  3. Node C performs a PLOGI using the 24-bit fabric address of 0x10001, allowing name servers to think that the 24-bit address of 0x10001 now correlates to node C, port ID 8, and WWN of 20000000c9323437.
  4. Once the switches update their name servers, correlating the 24-bit address of 0x10001 with node C, any traffic destined to the 24-bit address of 0x10001, which should be node A but now is node C, will be redirected to the malicious node for interception, enumeration, and compromise.
  5. When the address 0x10002 (node B) tries to communicate with the 24-bit address 0x10001 (node A), the traffic actually goes to node C, since the name server table in the switch now believes that port ID 8 holds the 24-bit address 0x10001.
  6. For the man-in-the-middle attack to be complete, once node C receives the traffic from node B it must forward the frames to the real destination (node A) so that both parties continue communicating without suspicion and node C keeps receiving traffic from node B. If node C fails to forward the traffic to node A, node B will notice that its communication is failing and stop sending frames, leaving node C with no frames to compromise. (Note: This forwarding portion of the attack is extremely difficult at fabric speeds of 2 Gbit/s.)
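The FLOGI/PLOGI exchange described above and the name server pollution it allows, as an added example that is not taken from the book: the model below packs real 24-byte FC frame headers and ELS command codes (FLOGI 0x04, PLOGI 0x03, ACC 0x02, LS_RJT 0x01), but the switch, its name server table and the "route by name server lookup" step are a simplified model of the text's description, not any vendor's implementation, and the ELS payload is cut down to the command word plus the port name. Nodes A and B log in on ports 1 and 2 and receive 0x10001 and 0x10002, matching Figure 2.28; node C on port 8 skips FLOGI and sends a PLOGI whose S_ID is 0x10001, using the WWN from step 3. With check_binding=False the switch accepts it and frames for 0x10001 now leave on port 8. With check_binding=True, an assumed mitigation that ties the S_ID of a PLOGI to the address the ingress port was handed at FLOGI, the registration is refused with LS_RJT. The node WWPNs other than node C's are constructed.

```python
"""Model of the FLOGI/PLOGI exchange and the unauthenticated name server update."""
import struct

FC_HDR = struct.Struct("!6I")                     # 24-byte FC frame header as six words
R_CTL_ELS_REQ, R_CTL_ELS_REPLY = 0x22, 0x23       # unsolicited / solicited control
TYPE_ELS = 0x01
ELS_LS_RJT, ELS_ACC, ELS_PLOGI, ELS_FLOGI = 0x01, 0x02, 0x03, 0x04
F_PORT_SERVER, NAME_SERVER = 0xFFFFFE, 0xFFFFFC   # well-known fabric addresses
UNASSIGNED = 0x000000                             # S_ID used before FLOGI completes

def els_payload(code, wwpn=None):
    """ELS command word (code + 3 reserved bytes), then the port name for FLOGI/PLOGI.
    Simplified: a real FLOGI/PLOGI carries common service parameters between them."""
    body = struct.pack("!B3x", code)
    return body + struct.pack("!Q", wwpn) if wwpn is not None else body

def build_frame(r_ctl, d_id, s_id, payload):
    """Header words: R_CTL|D_ID, CS_CTL|S_ID, TYPE|F_CTL, SEQ fields, OX_ID|RX_ID, Parameter."""
    hdr = FC_HDR.pack((r_ctl << 24) | d_id, s_id, (TYPE_ELS << 24) | 0x290000,
                      0, 0x0001FFFF, 0)
    return hdr + payload

def parse_frame(frame):
    w = FC_HDR.unpack_from(frame)
    payload = frame[FC_HDR.size:]
    out = {"r_ctl": w[0] >> 24, "d_id": w[0] & 0xFFFFFF, "s_id": w[1] & 0xFFFFFF,
           "els": payload[0]}
    if len(payload) >= 12:
        out["wwpn"] = struct.unpack_from("!Q", payload, 4)[0]
    return out

class Switch:
    """One switch as the text models it. FLOGI hands a port its 24-bit address, and a
    PLOGI to 0xFFFFFC records S_ID -> (port, WWPN) in the name server table. With
    check_binding=False the switch trusts whatever S_ID the PLOGI carries (the weakness
    in the text); with True it requires that S_ID to be the address it handed that
    physical port at FLOGI. The check is an assumed mitigation, not a vendor feature."""
    def __init__(self, domain=0x01, check_binding=False):
        self.domain, self.check_binding = domain, check_binding
        self.assigned = {}      # port -> address given at FLOGI
        self.name_server = {}   # address -> (port, wwpn)

    def flogi(self, port, frame):
        f = parse_frame(frame)
        if (f["d_id"], f["s_id"], f["els"]) != (F_PORT_SERVER, UNASSIGNED, ELS_FLOGI):
            return build_frame(R_CTL_ELS_REPLY, f["s_id"], F_PORT_SERVER, els_payload(ELS_LS_RJT))
        addr = (self.domain << 16) | port       # port 1 -> 0x010001, the text's 0x10001
        self.assigned[port] = addr
        return build_frame(R_CTL_ELS_REPLY, addr, F_PORT_SERVER, els_payload(ELS_ACC))

    def plogi(self, port, frame):
        f = parse_frame(frame)
        bad = f["d_id"] != NAME_SERVER or f["els"] != ELS_PLOGI
        if self.check_binding and self.assigned.get(port) != f["s_id"]:
            bad = True                          # S_ID does not belong to this port
        if bad:
            return build_frame(R_CTL_ELS_REPLY, f["s_id"], NAME_SERVER, els_payload(ELS_LS_RJT))
        self.name_server[f["s_id"]] = (port, f.get("wwpn", 0))
        return build_frame(R_CTL_ELS_REPLY, f["s_id"], NAME_SERVER, els_payload(ELS_ACC))

    def egress_port(self, d_id):
        """Port a frame addressed to d_id is delivered to (the text's name server model)."""
        return self.name_server[d_id][0]

def login(sw, port, wwpn):
    """A well-behaved node: FLOGI from 0x000000, then PLOGI with the address from the ACC."""
    acc = parse_frame(sw.flogi(port, build_frame(R_CTL_ELS_REQ, F_PORT_SERVER, UNASSIGNED,
                                                  els_payload(ELS_FLOGI, wwpn))))
    sw.plogi(port, build_frame(R_CTL_ELS_REQ, NAME_SERVER, acc["d_id"],
                               els_payload(ELS_PLOGI, wwpn)))
    return acc["d_id"]

def run_scenario(check_binding):
    """Returns (ELS reply code to node C's spoofed PLOGI, port that now receives 0x10001)."""
    sw = Switch(check_binding=check_binding)
    addr_a = login(sw, 1, 0x2000000000000001)   # node A on port 1 (constructed WWPN)
    login(sw, 2, 0x2000000000000002)            # node B on port 2 (constructed WWPN)
    # Node C on port 8 skips FLOGI and sends a PLOGI whose S_ID is node A's address.
    spoofed = build_frame(R_CTL_ELS_REQ, NAME_SERVER, addr_a,
                          els_payload(ELS_PLOGI, 0x20000000c9323437))   # WWN from step 3
    reply = parse_frame(sw.plogi(8, spoofed))
    return reply["els"], sw.egress_port(addr_a)

if __name__ == "__main__":
    print("unchecked:", run_scenario(False))   # (2, 8): ACC, node A's frames now go to port 8
    print("checked:  ", run_scenario(True))    # (1, 1): LS_RJT, node A keeps port 1
```

The model deliberately stops at step 5 of the list above: it shows the name server being polluted and the frame for 0x10001 arriving on the attacker's port, not the forwarding to node A that step 6 requires, which is the part the text identifies as hard at fabric speed.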

The Fibre Channel MITM attack is possible due to the lack of authentication in PLOGI frames, as well as the security weaknesses in the name server update process. As the preceding examples show, the attack is quite possible in SAN fabrics; however, it is significantly difficult because of the speed at which an attacker would have to forward frames in a 2 Gbit/s SAN. The throughput requirement lowers its risk value, rendering the attack a high security threat but a low-risk item (see Figure 2.29).

Figure 2.29 SBR chart—Fibre Channel man-in-the-middle.

Attack summary: Man-in-the-middle

Attack description -- Sending a fake PLOGI frame to the switch in order to register a target's 24-bit address to the attacker's WWN and port ID, thereby polluting the name server so that traffic is routed incorrectly to the malicious node.

  • Risk level -- Low. An unauthorized entity could gain access to unauthorized frames.
  • Difficulty -- High. This is a sophisticated attack that requires deep knowledge of Fibre Channel frames and the use of a hardware and software traffic analyzer.
  • Best practice -- None to date; however, the use of authenticated FLOGI and PLOGI frames would mitigate this issue in the future. Ask your storage vendor about frame authentication or integrity options.

Attack summary: name server pollution

Attack description -- Corrupting the name server information on Fibre Channel switches so that a target's 24-bit address is registered to the attacker's WWN and port ID. If any legitimate node attempts to communicate with the target, the incorrect name server information redirects the traffic to the attacker's machine (similar to a man-in-the-middle attack in the IP architecture).

  • Risk level -- High. An unauthorized entity could gain access to sensitive data with trivial attacks.
  • Difficulty -- High. This is a sophisticated attack that requires deep knowledge of Fibre Channel frames and the use of a hardware and software traffic analyzer.
  • Best practice -- Ensure that malicious PLOGI frames, which are used to update switch name servers, cannot corrupt name server tables. Ask your storage vendor about frame authentication or integrity options.


In this chapter, we discussed the risks of Fibre Channel communication in SANs. This chapter is the first of three chapters that will describe the risks of SANs and describe how to actually expose each risk identified.

Three different aspects of security were addressed that are important for any entity, including the overall risks of the entity, the method of communication that is used within the entity, and the objects that are used in the entity. Fibre Channel security risks were addressed overall, including risks of Fibre Channel as a medium of networking and risks of devices that are used in Fibre Channel storage networks.

The chapter identified some of the key overall issues of Fibre Channel as they pertain to the six areas of security that can be applied to any entity: authentication, authorization, encryption, auditing, integrity, and availability. The chapter also identified the security strengths and weaknesses in each category in order to determine the level of risk that can be exposed. Unfortunately, most SANs lack some of the major security capabilities required for proper security, including authentication, encryption, and integrity. Furthermore, the controls that do exist, such as authorization, are not ideal and do not hold up to many SAN attacks, such as spoofing.

This chapter also discussed some of the risks associated with Fibre Channel as a medium of communication and networking. The chapter demonstrated how clear-text communication can be a big issue for SAN protection. Furthermore, the weaknesses in Fibre Channel frames can hurt the overall security of a SAN architecture. The chapter also discussed Fibre Channel layer 2 as a target for various attacks on Fibre Channel frames, including spoofing, man-in-the-middle, session hijacking, PLOGI/FLOGI attacks, and name server corruption.

In the next chapter, we will describe the details of the risks identified with HBA and LUN masking. The next chapter will also describe the details of each risk and what factors need to exist in order to perform any attacks that lead to data compromise.




Securing Storage: A Practical Guide to SAN and NAS Security

  Home: SANs: Fibre Channel Security: Introduction
  1: SAN risks
  2: Fibre Channel risks
  3: Clear-text communication
  4: SAN hacking
  5: Fibre Channel frame weaknesses
  6: Session hijacking: assessment exercise
  7: Fibre Channel address weaknesses
  8: Fibre Channel man-in-the-middle attacks
  9: Fibre Channel address weaknesses: assessment exercise

About the book:   
Securing Storage: A Practical Guide to SAN and NAS Security is an indispensable resource for every storage and security professional, and for anyone responsible for IT infrastructure, from architects and network designers to administrators. You've invested heavily in securing your applications, operating systems, and network infrastructure. But you may have left one crucial set of systems unprotected: your SAN, NAS, and iSCSI storage systems. Securing Storage reveals why these systems aren't nearly as secure as you think they are, and presents proven best practices for hardening them against more than 25 different attacks. Purchase Securing Storage: A Practical Guide to SAN and NAS Security the book from Addison-Wesley Publishing
About the author:   
Himanshu Dwivedi is a founding partner of iSEC Partners, a digital security services and products organization. Before forming iSEC Partners, Himanshu was the Technical Director for @stake's San Francisco security practice, a leader in application and network security. His professional experience includes application programming, infrastructure security, and secure product design with an emphasis on storage risk assessment.

