Penetration Testing mailing list archives
Re: Someone with experience in CDP / STP attacks?
From: Richard Miles <richard.k.miles () googlemail com>
Date: Fri, 13 Mar 2009 01:23:04 -0300
Hi Rajat,

Thank you so much for the fast reply, I really appreciate your help. Yes, I'm using yersinia in interactive mode (-I), but in version 0.7.1 it does not give the option to choose the interface; it uses the first available one. The problem is that there are no DTP (Dynamic Trunking Protocol) packets on my network VLAN; the switch ports are configured manually to prevent trunk negotiating. All I can see with Yersinia is STP (Spanning Tree Protocol) traffic and CDP (Cisco Discovery Protocol) traffic. If you or someone else have other suggestions and ideas, they are more than welcome. Thanks for your input.

On Thu, Mar 12, 2009 at 10:04 PM, rajat swarup <rajats () gmail com> wrote:
> On Thu, Mar 12, 2009 at 3:29 PM, Richard Miles <richard.k.miles () googlemail com> wrote:
> > Hi
> >
> > I appreciate any feedback from people with background in CDP and STP attacks...
> >
> > I was looking at the Yersinia man-page (http://linux.die.net/man/8/yersinia) and there is an example using the option "-interface ethX", however this option does not exist in the last version of yersinia. How can I force yersinia to use my interface eth3? I would appreciate it a lot if you could give me some hints...
> >
> > I have an environment that is a bit different. I'm in a network with nearly 5 VLANs; I'm isolated in one without any connection, however I want to jump to the others. Yes, I'm authorized. But you can imagine what happens if I DoS the network, ahn?
> >
> > My VLAN is not vulnerable to ARP poisoning, and even if it was, it would not help me, since our connections from this VLAN do not go abroad. Also, the switch port is configured to prevent trunk negotiating and VLAN hopping. We have no VoIP phones. Which is great.
> >
> > I executed yersinia and I can see some CDP and STP in the network, so it gives me a light at the end of the way... From what I did read, the CDP is coming from the switch and I think it will not be useful to hop to other VLANs, right? I mean, a la voip-hopper (yes, it does not work in my case). Maybe there is another trick using Yersinia to bypass these restrictions using these CDP packets?
> >
> > So, my ball number 7 should be the STP. What Yersinia says about the STP packets it captures is:
> >
> > Source Mac: <MAC>
> > Dest Mac: <MAC>
> > Id: 0000
> > Ver: 00
> > STP Type: 00 Conf
> > STP Flags: 00 NO FLAGS
> > RootId: <The Number>
> > BridgeId: <The Number>
> > Port: <Port Number>
> > Age: 0000
> > Max: 0012
> > Hello: 0002
> >
> > Any guess on how to use it to break into the other VLANs? I mean, when you use an STP attack, do you MITM only the VLAN where you are (like in ARP poisoning)? Or are you able to MITM all VLANs in the switch?
> >
> > Any suggestion of attack via command-line or ncurses interface for my case?
> >
> > Please, no DoS; my goal is to be able to jump to the other VLANs OR MITM the traffic for the other VLANs.
>
> You can use DTP spoofed packets to enable trunking. Start Yersinia in interactive mode (-I); I think it then shows the ncurses interface. There you can select the interface you want to use. Press g or l (I don't remember this well) to list the attack classes (hotkey h is for help :-). If you see some DTP packets being transmitted you can go into the DTP menu and eXecute (using the x hotkey) the "Enable trunking" attack. It's not a DoS.
>
> Make sure you are running wireshark before executing yersinia... so you can tell if you are able to sniff other traffic that you were not able to see earlier. A perfect sign of trunking working is when you see intra-VLAN traffic from other segments that you were not able to see earlier.
>
> Hope this helps!
>
> --
> Rajat Swarup
> http://rajatswarup.blogspot.com/
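The thread turns on two observations: whether DTP frames are present on the access port at all (their absence, as Richard saw, is what a correctly hardened port looks like; their presence on an access port is an audit finding), and what the STP Configuration BPDU fields that Yersinia prints (Id, Ver, Type, Flags, RootId, BridgeId, Port, Age, Max, Hello) actually encode. The following is an added example, not code from the thread or from Yersinia: it classifies raw Ethernet frames as STP, CDP, DTP, PVST+ or 802.1Q-tagged data, decodes 802.1D Configuration BPDUs into their fields, and summarises a capture so a port audit can flag DTP presence and list the VLAN ids seen in tags. It goes a little beyond the thread by also recognising PVST+ BPDUs and tagged frames. All MAC addresses and frames are constructed here; the frame layouts (LLC 0x42 for STP, SNAP with Cisco OUI 00:00:0c and PIDs 0x2000/0x2004 for CDP/DTP, TCI low 12 bits for the VLAN id) are standard.

```python
"""Classify raw Ethernet frames (STP / CDP / DTP / 802.1Q-tagged) and decode
Configuration BPDUs for an access-port audit. Added example; the sample
frames and MAC addresses below are constructed, not captured."""
import struct
from collections import Counter
from dataclasses import dataclass

STP_MCAST = bytes.fromhex("0180c2000000")     # 802.1D bridge group address
CISCO_MCAST = bytes.fromhex("01000ccccccc")   # CDP / DTP / VTP destination
SNAP_CISCO_OUI = bytes.fromhex("00000c")
CISCO_PIDS = {0x2000: "CDP", 0x2003: "VTP", 0x2004: "DTP", 0x010B: "PVST+"}


@dataclass
class ConfigBPDU:
    protocol_id: int
    version: int
    bpdu_type: int
    flags: int
    root_id: str        # "priority/MAC", the two halves of the 8-byte bridge id
    root_path_cost: int
    bridge_id: str
    port_id: int
    message_age: float  # seconds; the wire value is in 1/256 s units
    max_age: float
    hello_time: float
    forward_delay: float


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def _bridge_id(raw: bytes) -> str:
    prio = struct.unpack("!H", raw[:2])[0]
    return f"{prio}/{_mac(raw[2:8])}"


def parse_config_bpdu(payload: bytes) -> ConfigBPDU:
    """Decode an 802.1D Configuration BPDU; payload starts right after the LLC header."""
    if len(payload) < 35:
        raise ValueError("truncated BPDU")
    proto, ver, btype, flags = struct.unpack("!HBBB", payload[:5])
    cost = struct.unpack("!I", payload[13:17])[0]
    port, age, max_age, hello, fwd = struct.unpack("!HHHHH", payload[25:35])
    return ConfigBPDU(proto, ver, btype, flags, _bridge_id(payload[5:13]), cost,
                      _bridge_id(payload[17:25]), port,
                      age / 256, max_age / 256, hello / 256, fwd / 256)


def classify_frame(frame: bytes) -> dict:
    """Identify one frame: STP, CDP, DTP, PVST+, 802.1Q-tagged (with VLAN id) or other."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    etype = struct.unpack("!H", frame[12:14])[0]
    info = {"dst": _mac(frame[:6]), "src": _mac(frame[6:12]), "kind": "other", "vlan": None}
    if etype == 0x8100:                          # 802.1Q tag: VID is the low 12 bits of the TCI
        tci = struct.unpack("!H", frame[14:16])[0]
        info.update(kind="tagged", vlan=tci & 0x0FFF)
    elif etype > 1500:                           # Ethernet II type field, not an LLC length
        info["kind"] = f"ethertype 0x{etype:04x}"
    elif frame[14:17] == b"\x42\x42\x03":        # LLC DSAP/SSAP 0x42 = spanning tree
        info["kind"] = "STP"
        if frame[20] == 0x00:                    # BPDU type 0x00 = Configuration, 0x80 = TCN
            info["bpdu"] = parse_config_bpdu(frame[17:])
    elif frame[14:17] == b"\xaa\xaa\x03" and frame[17:20] == SNAP_CISCO_OUI:
        pid = struct.unpack("!H", frame[20:22])[0]
        info["kind"] = CISCO_PIDS.get(pid, f"cisco 0x{pid:04x}")
    return info


def summarize(frames) -> dict:
    """Count frame kinds, collect VLAN ids seen in tags, and flag DTP presence."""
    kinds, vlans = Counter(), set()
    for f in frames:
        info = classify_frame(f)
        kinds[info["kind"]] += 1
        if info["vlan"] is not None:
            vlans.add(info["vlan"])
    # dtp_seen on an access port means trunk negotiation is not disabled there
    return {"kinds": dict(kinds), "vlans": sorted(vlans), "dtp_seen": kinds["DTP"] > 0}


# --- constructed sample frames (hypothetical MACs, not from the thread) ---
SWITCH_MAC = bytes.fromhex("001a2f112233")
HOST_MAC = bytes.fromhex("000c29aabbcc")


def _llc_frame(dst: bytes, src: bytes, llc_payload: bytes) -> bytes:
    return dst + src + struct.pack("!H", len(llc_payload)) + llc_payload


_BPDU = (b"\x00\x00\x00\x00\x00"                 # proto 0, version 0, type Config, no flags
         + b"\x80\x00" + SWITCH_MAC              # root id: priority 32768
         + b"\x00\x00\x00\x00"                   # root path cost 0 (sender is the root)
         + b"\x80\x00" + SWITCH_MAC              # bridge id
         + b"\x80\x01"                           # port id
         + b"\x00\x00\x14\x00\x02\x00\x0f\x00")  # age 0, max 20 s, hello 2 s, fwd 15 s
SAMPLE_FRAMES = [
    _llc_frame(STP_MCAST, SWITCH_MAC, b"\x42\x42\x03" + _BPDU),
    _llc_frame(CISCO_MCAST, SWITCH_MAC,
               b"\xaa\xaa\x03" + SNAP_CISCO_OUI + b"\x20\x00" + b"\x02\xb4" + b"\x00" * 8),
    _llc_frame(CISCO_MCAST, SWITCH_MAC,
               b"\xaa\xaa\x03" + SNAP_CISCO_OUI + b"\x20\x04" + b"\x01" + b"\x00" * 8),
    b"\xff" * 6 + HOST_MAC + b"\x81\x00" + struct.pack("!H", 10) + b"\x08\x06" + b"\x00" * 28,
]

if __name__ == "__main__":
    print(summarize(SAMPLE_FRAMES))
    print(classify_frame(SAMPLE_FRAMES[0])["bpdu"])
```

For a real audit, feed `summarize()` the raw frames from a capture on the access port (for example the bytes of each packet read from a pcap); `dtp_seen` should be false on a port with negotiation disabled, and the BPDU's `root_id` and `bridge_id` show which bridge is advertising itself as root, which is the value a rogue-root or BPDU-guard alert would key on.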
Current thread:
- Someone with experience in CDP / STP attacks? Richard Miles (Mar 12)
- Re: Someone with experience in CDP / STP attacks? rajat swarup (Mar 15)
- Re: Someone with experience in CDP / STP attacks? Richard Miles (Mar 15)
- Re: Someone with experience in CDP / STP attacks? jgimer (Mar 17)
- Re: Someone with experience in CDP / STP attacks? Richard Miles (Mar 15)
- Re: Someone with experience in CDP / STP attacks? rajat swarup (Mar 15)