Let the Games Begin!
Unfortunately, you are likely to come across LAN hackers that are intimately familiar with
STP’s inner workings. They also know that little or no attention is paid to STP security.
They realize how gullible—for lack of a better term—the protocol actually is. STP attacks
moved from the theoretical field to reality fairly recently. Black Hat Europe 2005 featured
a session that discussed various ways to exploit STP [3]. Packet-building libraries, such as
libnet [4], have been shipping C-source code to help craft homemade BPDUs for some time
now, but putting together an attack tool required some programming skills—a fact that
probably discouraged most script kiddies. It was only a matter of time before someone built a
frontend to a libnet-based LAN protocol’s packet-building machine. Probably the most
successful result of that effort is a tool called Yersinia. Example 3-1 shows Yersinia’s
manual page.
Table 3-2 Cisco PVST+ BPDU in VLAN 10 (Continued)
Field      Value    Explanation
VLAN ID Type Length Value
PAD        34
TYPE       00 00
LENGTH     00 02
VLAN ID    00 0a    VLAN 10
Example 3-1 Yersinia Manual Page
YERSINIA(8)
NAME
Yersinia - A FrameWork for layer 2 attacks
SYNOPSIS
yersinia [-hVID] [-l logfile] [-c conffile] protocol [-M]
[protocol_options]
DESCRIPTION
yersinia is a framework for performing layer 2 attacks. The following
protocols have been implemented in Yersinia current version: Spanning Tree
Protocol (STP), Virtual Trunking Protocol (VTP), Hot Standby Router Protocol
(HSRP), Dynamic Trunking Protocol (DTP), IEEE 802.1Q, Cisco Discovery Protocol
continues
54 Chapter 3: Attacking the Spanning Tree Protocol
The tool basically covers all the most common LAN protocols deployed in today’s
networks: STP, VLAN Trunk Protocol (VTP), Hot Standby Router Protocol (HSRP),
Dynamic Trunking Protocol (DTP), Cisco Discovery Protocol (CDP), DHCP—they are all
in there. Even worse, it comes with a GUI! According to Yersinia’s home page [5], it proposes
these STP attacks:
• Sending RAW Configuration BPDU
• Sending RAW TCN BPDU
• Denial of Service (DoS) sending RAW Configuration BPDU
• DoS Sending RAW TCN BPDU
• Claiming Root Role
• Claiming Other Role
• Claiming Root Role Dual-Home (MITM)
Basically, Yersinia has everything that anyone interested in messing around with STP
would ever need. The GUI is based on the ncurses library (for character-cell terminals, such
as VT100). Figure 3-5 shows Yersinia’s protocols.
Yersinia continuously listens for STP BPDUs and provides instant decoded information,
including current root bridge and timers it is propagating—all this for 802.1D, 802.1w, and
Cisco BPDUs. The following sections review the above STP attacks and offer appropriate
countermeasures.
Example 3-1 Yersinia Manual Page (Continued)
(CDP) and finally, the Dynamic Host Configuration Protocol (DHCP).
Some of the attacks implemented will cause a DoS in a network, other will
help to perform any other more advanced attack, or both. In addition, some of
them will be first released to the public since there isn’t any public
implementation.
Figure 3-5 Yersinia’s Protocols
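
The same BPDU decoding that Yersinia performs can be used on the monitoring side. The following is an added example, not code from the book or from Yersinia: it decodes a configuration BPDU, reads the PVST+ VLAN ID trailer listed in Table 3-2, and flags a root bridge other than the expected one. The 35-byte field layout is taken from IEEE 802.1D rather than from this excerpt; the function names, the expected root, and the sample frame are constructed for illustration.

```python
import struct

# 802.1D configuration BPDU body, 35 bytes (layout per the standard, not this
# excerpt). Timer fields are carried in units of 1/256 second.
CONFIG = struct.Struct("!HBBB8sI8sHHHHH")

def bridge_id(raw):
    """Split an 8-byte bridge ID into (priority, MAC); lower tuples are superior."""
    return int.from_bytes(raw[:2], "big"), ":".join(f"{b:02x}" for b in raw[2:])

def parse_bpdu(payload):
    """Decode a configuration BPDU and, if present, the PVST+ VLAN ID TLV."""
    if len(payload) < CONFIG.size:
        raise ValueError("truncated BPDU")
    (proto, _ver, btype, flags, root, cost, bridge, port,
     _age, max_age, hello, fwd) = CONFIG.unpack_from(payload)
    if proto != 0 or btype != 0x00:
        raise ValueError("not a configuration BPDU")
    info = {"root": bridge_id(root), "bridge": bridge_id(bridge),
            "cost": cost, "port": port, "tc": bool(flags & 0x01),
            "max_age": max_age / 256, "hello": hello / 256,
            "forward_delay": fwd / 256, "vlan": None}
    # Trailer from Table 3-2: one PAD byte, TYPE 00 00, LENGTH 00 02, VLAN ID.
    tail = payload[CONFIG.size:]
    if len(tail) >= 7:
        tlv_type, tlv_len, vlan = struct.unpack_from("!HHH", tail, 1)
        if tlv_type == 0 and tlv_len == 2:
            info["vlan"] = vlan
    return info

def root_claim_alert(info, expected_root):
    """Return an alert string when the advertised root is not the expected one."""
    if info["root"] == expected_root:
        return None
    kind = "superior" if info["root"] < expected_root else "inferior"
    return (f"VLAN {info['vlan']}: unexpected {kind} root "
            f"{info['root'][0]}/{info['root'][1]} sent by {info['bridge'][1]}")

# Constructed sample: sender advertises itself as root with priority 10.
SAMPLE = bytes.fromhex(
    "0000000000"                   # protocol ID, version, type (config), flags
    "000a020000000001" "00000000"  # root ID, root path cost
    "000a020000000001" "8001"      # sender bridge ID, port ID
    "0000140002000f00"             # message age 0, max age 20, hello 2, fwd delay 15
    "340000" "0002" "000a")        # PAD, TYPE, LENGTH, VLAN ID (Table 3-2 values)

if __name__ == "__main__":
    print(root_claim_alert(parse_bpdu(SAMPLE), (4106, "00:11:22:33:44:55")))
```

A "superior" result means the advertised root would win the election over the expected root, which is the condition worth alerting on for a port where no switch should be attached.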