Re: Someone with experience in CDP / STP attacks?

[jgimer () gmail com]

I know that there was a yersenia presentation given at blackhat (2006?). It went throught the different attacks that 
could be carried out using yersenia against several different protocols. I am not in a position to send right now, but 
might give you some ideas.

Josh

Sent via BlackBerry from T-Mobile

-----Original Message-----
From: Richard Miles <richard.k.miles () googlemail com>

Date: Fri, 13 Mar 2009 01:23:04 
To: <pen-test () securityfocus com>
Cc: rajat swarup<rajats () gmail com>
Subject: Re: Someone with experience in CDP / STP attacks?


Hi Rajat

Thank you so much for the fast reply, I really appreciate your help.

Yes, I'm using yersinia in interactive mode (-I), but in the version
0.7.1 it do not give the option to choose the interface, it use the
first avaliable.

The problem, is there is not DTP (Dynamic Trunking Protocol) packets
at my network vlan, the switch ports is configured manualy to prevent
trunk negotiating .

All I can see with Yersinia is STP (Spanning Tree Protocol) traffic
and CDP (Cisco Discovery Protocol) traffic.

If you or someone else have other suggestions and idea it's more than welcome.

Thanks your your input.

On Thu, Mar 12, 2009 at 10:04 PM, rajat swarup <rajats () gmail com> wrote:
> On Thu, Mar 12, 2009 at 3:29 PM, Richard Miles
> <richard.k.miles () googlemail com> wrote:
> > Hi
> >
> > I appreciate any feedback from people with background in CDP and SPT attacks...
> >
> > I was looking at the Yersinia man-page
> > (http://linux.die.net/man/8/yersinia) and there is a example using
> > option "-interface ethX", however this option do not exist at last
> > version of yersinia. How I can force yersinia to use my interface eth3?
> >
> > I would appreciate a lot if you could give me some hints...
> >
> > I have a enviroment a bit different. I'm in a network with near 5
> > VLANs, I'm isolated in one without any connection, however I want to
> > jump to the others. Yes, I'm authorized. But you can imagine what
> > happen if I DoS the network, ahn?
> >
> > My VLAN is not vulnerable to ARP Poison, also if it was, it would not
> > help me, since our connections from this VLAN do not go abroad.
> >
> > Also, the switch port is configured to prevent trunk negotiating and
> > VLAN hopping. We have not VOIP phones.
> >
> > What is the great. I executed yersinia and I can see some CDP and STP
> > in the network, so it give me a light in the end of the way...
> >
> > By what I did read, the CDP are coming from the switch and I think it
> > will not be useful to hope to other VLANs, right? I mean - ALA
> > voip-hopper (yes, it do not work in my case). Maybe there is other
> > trick using Yersinia to bypass this restrictions using this CDP
> > packets?
> >
> > So, my ball number 7 should be the STP.
> >
> > What Yersinia say about the STP packets it capture is:
> >
> > My STP captured basic say:
> >
> > Source Mac: <MAC>
> > Dest Mac: <MAC>
> > Id: 0000
> > Ver: 00 STP
> > Type: 00 Conf STP
> > Flags: 00 NO FLAGS
> > RootId: <The Numer>
> > BridgeId: <The Number>
> > Port: <Port Number>
> > Age: 0000
> > Max: 0012
> > Hello: 0002
> >
> > Any guess on how to use it to break into the other VLANs?
> >
> > I mean, when you use SPT attack, you MITM only the VLAN where you are
> > (like in a ARP Poison)? Or you are able to MITM all VLANs in the
> > switch?
> >
> > Any suggestion of attack via command-line or ncurses inferface for my
> > case? Please, no DOS, my goal is be able to jump to the other VLANs OR
> > mitm the traffic for the other VLANs.
> You can use DTP spoofed packets to enable trunking.  Start Yersinia in
> interactive mode -I I think so it shows the ncurses interface.  There
> you can select the interface you want to use.  Press g or l (I dont
> remember this well) to list attack class (hotkey h is for help :-)
> If you see some DTP packets being transmitted u can go into the DTP
> menu and eXecute (using x hotkey) the "Enable trunking" attack.  It's
> not a DoS.  Make sure you are running wireshark before executing
> yersinia....so you can tell if you are able to sniff other traffic
> that you were not able to do so earlier.
> A perfect sign of trunking working is when you see intraVLAN traffic
> from other segments that you were not able to see earlier.
>
> Hope this helps!
> --
> Rajat Swarup
>
> http://rajatswarup.blogspot.com/