Re: Someone with experience in CDP / STP attacks?



I know that there was a yersenia presentation given at blackhat (2006?). It went throught the different attacks that could be carried out using yersenia against several different protocols. I am not in a position to send right now, but might give you some ideas.

Josh

Sent via BlackBerry from T-Mobile

-----Original Message-----
From: Richard Miles <richard.k.miles@xxxxxxxxxxxxxx>

Date: Fri, 13 Mar 2009 01:23:04
To: <pen-test@xxxxxxxxxxxxxxxxx>
Cc: rajat swarup<rajats@xxxxxxxxx>
Subject: Re: Someone with experience in CDP / STP attacks?


Hi Rajat

Thank you so much for the fast reply, I really appreciate your help.

Yes, I'm using yersinia in interactive mode (-I), but in the version
0.7.1 it do not give the option to choose the interface, it use the
first avaliable.

The problem, is there is not DTP (Dynamic Trunking Protocol) packets
at my network vlan, the switch ports is configured manualy to prevent
trunk negotiating .

All I can see with Yersinia is STP (Spanning Tree Protocol) traffic
and CDP (Cisco Discovery Protocol) traffic.

If you or someone else have other suggestions and idea it's more than welcome.

Thanks your your input.

On Thu, Mar 12, 2009 at 10:04 PM, rajat swarup <rajats@xxxxxxxxx> wrote:
On Thu, Mar 12, 2009 at 3:29 PM, Richard Miles
<richard.k.miles@xxxxxxxxxxxxxx> wrote:
Hi

I appreciate any feedback from people with background in CDP and SPT attacks...

I was looking at the Yersinia man-page
(http://linux.die.net/man/8/yersinia) and there is a example using
option "-interface ethX", however this option do not exist at last
version of yersinia. How I can force yersinia to use my interface eth3?

I would appreciate a lot if you could give me some hints...

I have a enviroment a bit different. I'm in a network with near 5
VLANs, I'm isolated in one without any connection, however I want to
jump to the others. Yes, I'm authorized. But you can imagine what
happen if I DoS the network, ahn?

My VLAN is not vulnerable to ARP Poison, also if it was, it would not
help me, since our connections from this VLAN do not go abroad.

Also, the switch port is configured to prevent trunk negotiating and
VLAN hopping. We have not VOIP phones.

What is the great. I executed yersinia and I can see some CDP and STP
in the network, so it give me a light in the end of the way...

By what I did read, the CDP are coming from the switch and I think it
will not be useful to hope to other VLANs, right? I mean - ALA
voip-hopper (yes, it do not work in my case). Maybe there is other
trick using Yersinia to bypass this restrictions using this CDP
packets?

So, my ball number 7 should be the STP.

What Yersinia say about the STP packets it capture is:

My STP captured basic say:

Source Mac: <MAC>
Dest Mac: <MAC>
Id: 0000
Ver: 00 STP
Type: 00 Conf STP
Flags: 00 NO FLAGS
RootId: <The Numer>
BridgeId: <The Number>
Port: <Port Number>
Age: 0000
Max: 0012
Hello: 0002

Any guess on how to use it to break into the other VLANs?

I mean, when you use SPT attack, you MITM only the VLAN where you are
(like in a ARP Poison)? Or you are able to MITM all VLANs in the
switch?

Any suggestion of attack via command-line or ncurses inferface for my
case? Please, no DOS, my goal is be able to jump to the other VLANs OR
mitm the traffic for the other VLANs.

You can use DTP spoofed packets to enable trunking.  Start Yersinia in
interactive mode -I I think so it shows the ncurses interface.  There
you can select the interface you want to use.  Press g or l (I dont
remember this well) to list attack class (hotkey h is for help :-)
If you see some DTP packets being transmitted u can go into the DTP
menu and eXecute (using x hotkey) the "Enable trunking" attack.  It's
not a DoS.  Make sure you are running wireshark before executing
yersinia....so you can tell if you are able to sniff other traffic
that you were not able to do so earlier.
A perfect sign of trunking working is when you see intraVLAN traffic
from other segments that you were not able to see earlier.

Hope this helps!
--
Rajat Swarup

http://rajatswarup.blogspot.com/





Relevant Pages

  • Re: Someone with experience in CDP / STP attacks?
    ... I appreciate any feedback from people with background in CDP and SPT attacks... ... I was looking at the Yersinia man-page ... VLANs, I'm isolated in one without any connection, however I want to ... I executed yersinia and I can see some CDP and STP ...
    (Pen-Test)
  • Someone with experience in CDP / STP attacks?
    ... I appreciate any feedback from people with background in CDP and SPT attacks... ... I was looking at the Yersinia man-page ... VLANs, I'm isolated in one without any connection, however I want to ... I executed yersinia and I can see some CDP and STP ...
    (Pen-Test)
  • Re: Someone with experience in CDP / STP attacks?
    ... Yes, I'm using yersinia in interactive mode, but in the version ... I appreciate any feedback from people with background in CDP and SPT attacks... ... VLANs, I'm isolated in one without any connection, however I want to ... I executed yersinia and I can see some CDP and STP ...
    (Pen-Test)
  • Re: How to remove an interface from spanning tree?
    ... spanning tree enabled on all vlans to handle loop configuration. ... the "secondary" 6513 went down due to supplier error, ... interfaces on the broken link not to confuse STP if the link comes up. ...
    (comp.dcom.sys.cisco)
  • Re: How to remove an interface from spanning tree?
    ... spanning tree enabled on all vlans to handle loop configuration. ... interfaces on the broken link not to confuse STP if the link comes up. ... Remove the fiber, remove the trunk config, put it as an access port in ...
    (comp.dcom.sys.cisco)