Re: Someone with experience in CDP / STP attacks?
- From: jgimer@xxxxxxxxx
- Date: Tue, 17 Mar 2009 14:49:33 +0000
I know that there was a yersinia presentation given at Blackhat (2006?). It went through the different attacks that could be carried out using yersinia against several different protocols. I am not in a position to send it right now, but it might give you some ideas.
Sent via BlackBerry from T-Mobile
From: Richard Miles <richard.k.miles@xxxxxxxxxxxxxx>
Date: Fri, 13 Mar 2009 01:23:04
Cc: rajat swarup<rajats@xxxxxxxxx>
Subject: Re: Someone with experience in CDP / STP attacks?
Thank you so much for the fast reply, I really appreciate your help.
Yes, I'm using yersinia in interactive mode (-I), but in version
0.7.1 it does not give the option to choose the interface; it uses the
The problem is there are no DTP (Dynamic Trunking Protocol) packets
on my network VLAN; the switch ports are configured manually to prevent
trunk negotiating.
All I can see with Yersinia is STP (Spanning Tree Protocol) traffic
and CDP (Cisco Discovery Protocol) traffic.
If you or someone else has other suggestions and ideas, they are more than welcome.
Thanks for your input.
On Thu, Mar 12, 2009 at 10:04 PM, rajat swarup <rajats@xxxxxxxxx> wrote:
On Thu, Mar 12, 2009 at 3:29 PM, Richard Miles
Hi, you can use DTP spoofed packets to enable trunking. Start Yersinia in
I appreciate any feedback from people with a background in CDP and STP attacks...
I was looking at the Yersinia man page
(http://linux.die.net/man/8/yersinia) and there is an example using the
option "-interface ethX"; however, this option does not exist in the latest
version of yersinia. How can I force yersinia to use my interface eth3?
I would appreciate it a lot if you could give me some hints...
I have an environment that is a bit different. I'm in a network with nearly 5
VLANs; I'm isolated in one without any connection, however I want to
jump to the others. Yes, I'm authorized. But you can imagine what
happens if I DoS the network, ahn?
My VLAN is not vulnerable to ARP poisoning; even if it were, it would not
help me, since our connections from this VLAN do not go abroad.
Also, the switch port is configured to prevent trunk negotiating and
VLAN hopping. We have no VoIP phones.
What is great: I executed yersinia and I can see some CDP and STP
in the network, so it gives me a light at the end of the way...
From what I read, the CDP packets are coming from the switch and I think it
will not be useful to hop to other VLANs, right? I mean, à la
voip-hopper (yes, it does not work in my case). Maybe there is another
trick using Yersinia to bypass these restrictions using this CDP
So, my ball number 7 should be the STP.
What Yersinia says about the STP packets it captures is:
My captured STP basics say:
Source Mac: <MAC>
Dest Mac: <MAC>
Ver: 00 STP
Type: 00 Conf STP
Flags: 00 NO FLAGS
RootId: <The Number>
BridgeId: <The Number>
Port: <Port Number>
Any guess on how to use it to break into the other VLANs?
I mean, when you use an STP attack, do you MITM only the VLAN where you are
(like in an ARP poison)? Or are you able to MITM all VLANs in the
Any suggestion of an attack via the command line or ncurses interface for my
case? Please, no DoS; my goal is to be able to jump to the other VLANs OR
MITM the traffic for the other VLANs.
interactive mode (-I, I think) so it shows the ncurses interface. There
you can select the interface you want to use. Press g or l (I don't
remember this well) to list the attack classes (hotkey h is for help :-)
If you see some DTP packets being transmitted you can go into the DTP
menu and eXecute (using the x hotkey) the "Enable trunking" attack. It's
not a DoS. Make sure you are running wireshark before executing
yersinia... so you can tell if you are able to sniff other traffic
that you were not able to earlier.
A perfect sign of trunking working is when you see intraVLAN traffic
from other segments that you were not able to see earlier.
Hope this helps!
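The fields Richard pasted (Ver, Type, Flags, RootId, BridgeId, Port) are the leading fields of an IEEE 802.1D Configuration BPDU. As an added example that is not part of this thread, here is a small Python decoder for that 35-byte BPDU body together with the two checks a network defender would run on what it returns: a BPDU arriving on an access port at all (which BPDU guard is meant to block), and a BPDU advertising a root bridge other than the one actually deployed. The MAC addresses and sample BPDUs are constructed for the example.

```python
import struct
from dataclasses import dataclass

# IEEE 802.1D Configuration BPDU body (bytes after the LLC header 42 42 03): protocol id,
# version, type, flags, root id, root path cost, bridge id, port id, four timers (35 bytes).
BPDU_STRUCT = struct.Struct(">HBBB8sI8sHHHHH")
CONFIG_BPDU = 0x00  # "Type: 00 Conf STP" in the pasted capture

@dataclass
class Bpdu:
    version: int
    bpdu_type: int
    flags: int
    root_id: str
    root_path_cost: int
    bridge_id: str
    port_id: int

def fmt_bridge_id(raw: bytes) -> str:
    """Render an 8-byte bridge ID as 'priority/mac'."""
    prio = int.from_bytes(raw[:2], "big")
    return f"{prio}/" + ":".join(f"{b:02x}" for b in raw[2:])

def parse_bpdu(payload: bytes) -> Bpdu:
    if len(payload) < BPDU_STRUCT.size:
        raise ValueError(f"short BPDU: {len(payload)} bytes")
    proto, ver, btype, flags, root, cost, bridge, port, *_ = BPDU_STRUCT.unpack_from(payload)
    if proto != 0:
        raise ValueError(f"unexpected protocol id {proto:#06x}")
    return Bpdu(ver, btype, flags, fmt_bridge_id(root), cost, fmt_bridge_id(bridge), port)

def check_bpdu(payload: bytes, expected_root: str, port_is_access: bool) -> list:
    """Defender checks: no BPDUs on access ports, and the advertised root must be ours."""
    findings = []
    if port_is_access:
        findings.append("BPDU seen on an access port; BPDU guard should block it")
    b = parse_bpdu(payload)
    if b.bpdu_type == CONFIG_BPDU and b.root_id != expected_root:
        findings.append(f"root bridge changed: saw {b.root_id}, expected {expected_root}")
    return findings

# Constructed sample BPDUs with hypothetical MACs, not captured from any real network.
EXPECTED_ROOT = "32768/00:11:22:33:44:55"
LEGIT_BPDU = bytes.fromhex(
    "0000 00 00 00" "8000 001122334455" "00000000" "8000 001122334455" "8001"
    "0000 1400 0200 0f00")  # timers in 1/256 s: max age 20 s, hello 2 s, fwd delay 15 s
ROGUE_BPDU = bytes.fromhex(
    "0000 00 00 00" "1000 aabbccddeeff" "00000000" "1000 aabbccddeeff" "8001"
    "0000 1400 0200 0f00")  # a different bridge (priority 4096) advertising itself as root
```

Feed `check_bpdu` the BPDU body from each frame a monitoring tap sees on the switch port, with `port_is_access` set from the port's configured role; the second sample returns two findings while the first returns none.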