Bugtraq mailing list archives
STP mitm attack idea
From: Przemyslaw Borkowski <xperience () interia pl>
Date: 27 Apr 2010 19:55:07 +0200
As I read in many white papers about attacks on Spanning Tree Protocol, I found mitm attack on two STP switches, one
station and two ethernet NICs.
That attack is in most cases useless because:
- we need physical access to two (not one switch)
- two cards in station
As two cards are possible, that access to two switches in one ie. office is almost impossible.
My idea for modification of this attack needs:
- two stations to attack by mitm (A and B)
- two or more switches with STP protocol
- two attacking stations connected to two different switches in way beetween attacked stations (C and D)
A ---- switch 1 ----- switch 2 ----- B
| |
| |
C D
Take first scenario:
1. A - sends frame to B
2. Switch 1 - accepts frame and forwards it to switch 2
3. Switch 2 - accepts frame via link from switch 1 and forwards it to B
Second scenario:
1. Station C and station D starts to send frames to break link beetween switch 1 and switch 2, and announce non
existing connection and switch from C port on switch 1 to D port on switch 2
A ---- switch 1 --X-- switch 2 ----- B
| |
| |
C --no conn-- D
2. Station A sends frame to B
3. Frame is forwarded to C station
4. Station C stores frame in memory
5. After equal timing station C and station D repair link beetween switch 1 and 2
6. station C resends stored packet to station D (ie in tunnel or encapsulated in ip packet)
7. stations C and D break link beetween switches 1 and 2
8. station D sends transmitted packet to station B
Advantages
- no need for one station with two links to two switches
- needs two stations, either compromised or not (in large multiswitch enviroment with many stations sometimes we can
find in example two compromised windows or linux hosts)
- when we have good timing and packet detection method, we can separate one protocol connection from whole traffic
Disadvantages of method.
- stops whole traffic beetween switches, and needs delicate timing
- when link beetween switch 1 and 2 is working we can't see frames that flying across wire
Additional information.
- timing question, ie - retransmition time beetween tcp frames, and time to break and repair link - is it possible to
do it before frame is retransmited?
Uh that's all. Please think about it is possible, because my programming skills are to low to make it working.
With regards
Xperience
Current thread:
- STP mitm attack idea Przemyslaw Borkowski (Apr 28)
- Re: STP mitm attack idea Jann Horn (Apr 28)
- Re: STP mitm attack idea news (Apr 29)
- Re: STP mitm attack idea Joel Maslak (Apr 29)
- Re: STP mitm attack idea Jean-Christophe Baptiste (Apr 29)
- Re: STP mitm attack idea news (Apr 29)
- Re: STP mitm attack idea Jann Horn (Apr 28)
- Re: STP mitm attack idea wlet (Apr 29)
- RE: STP mitm attack idea Stefan Laudat (Apr 29)
- <Possible follow-ups>
- Re: STP mitm attack idea Jason T. Masker (Apr 29)
- Re: STP mitm attack idea Ivan Jager (Apr 29)
- RE: STP mitm attack idea Williams, Dan (Apr 30)
- Re: STP mitm attack idea Ivan Jager (Apr 29)