Wednesday 30 December 2015

Yersinia Spanning Tree Protocol (STP)

STP is a layer 2 protocol that prevents loops in a switched network. Every switch taking part sends BPDU (Bridge Protocol Data Unit) frames; these are used to elect a root bridge, and from there each port is assigned a role of root, designated, alternate, backup or disabled.
Root and designated ports are the active ports in the topology and forward traffic, whereas alternate, backup and disabled ports do not forward frames.
All ports on the root bridge are designated ports. Every other switch has exactly one root port, the port with the lowest path cost to the root bridge, and any number of ports in the other roles.
More details on the STP protocol can be read at: Cisco STP Summary

When the STP protocol screen is opened in the Yersinia ncurses interface, each unique BPDU seen on the active interface is listed. The up and down arrow keys select a BPDU so that its contents can be inspected.

In the example below, the first BPDU seen is from the switch that my Linux box is connected to. Opening this BPDU, it can be seen that the RootId matches what is configured on the switch.

Further down, surrounded by green, are the details that Yersinia has populated into the BPDU it will send in an attack. In the example below, the populated RootId is 5080.760F0E14AC58, which is lower than the RootId in the received BPDU (8028.0014A9B0E800), so the switch will receive a superior BPDU when this packet is sent. (The first four hex digits are the bridge priority and the remaining twelve the MAC address; the whole 8-byte value is compared as one number, and the lowest wins.)


Pressing 'x' in Yersinia lists the available attacks for the active protocol. In this case, STP has 6 attacks to choose from.


Yersinia Spanning-Tree Protocol attack options
Attack 0: sending conf BPDU

This attack sends a single configuration BPDU of the format shown in the green frame above. The switch sees it as a superior BPDU, but because only one BPDU is sent the information is never refreshed, so the switch only gives up the root role until the Max Age timer expires (20 seconds by default, and in this case).

Switch behaviour when the conf BPDU attack is launched
The screenshot above shows the behaviour of the switch when it receives the BPDU: it accepts the new root bridge on Fa0/31, and 20 seconds later it returns to being the root bridge itself.

Attack 1: sending tcn BPDU

A TCN (Topology Change Notification) BPDU tells the root bridge that something has changed in the topology. A switch sends it out of its root port, and each switch on the way forwards it through its own root port until it reaches the root bridge, which then sends out configuration BPDUs with the TC (Topology Change) bit set. The root keeps the TC bit set for max_age + forward_delay seconds, which is 20 + 15 = 35 seconds by default. Every switch that receives a BPDU with TC set shortens its MAC address table aging time to forward_delay (15 seconds) for that period, so a stream of forged TCNs keeps the switches flushing their MAC tables and flooding unicast traffic out of every port.
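As an added example (it is not code from this post or from Yersinia), the Python below builds and parses 802.1D configuration and TCN BPDUs, applies the comparison rule that makes the Yersinia BPDU above "superior" to the switch's own, and derives the two timers discussed under attack 0 and attack 1: the 20 second revert after a single unrefreshed BPDU and the 35 second TC window after a TCN. The two bridge IDs are the ones shown in the Yersinia screen; the path costs, the port IDs and the Root Guard style check are my own assumptions, and the frames are constructed here rather than captured.

```python
import struct

# Wire layout of an 802.1D configuration BPDU (the 35 bytes after the LLC header 42 42 03):
# protocol id(2) version(1) type(1) flags(1) root id(8) root path cost(4)
# bridge id(8) port id(2) message age(2) max age(2) hello time(2) forward delay(2)
CONFIG_FMT = ">HBBBQIQHHHHH"
CONFIG_LEN = struct.calcsize(CONFIG_FMT)          # 35
TYPE_CONFIG, TYPE_TCN = 0x00, 0x80
FLAG_TC, FLAG_TCA = 0x01, 0x80                    # topology change / TC acknowledgement


def bridge_id(text):
    """'8028.0014A9B0E800' (priority.MAC, as IOS and Yersinia print it) -> 64-bit int."""
    prio, mac = text.split(".")
    return (int(prio, 16) << 48) | int(mac, 16)


def fmt_bridge_id(value):
    return f"{value >> 48:04X}.{value & 0xFFFFFFFFFFFF:012X}"


def build_config_bpdu(root, cost, bridge, port, flags=0,
                      msg_age=0.0, max_age=20.0, hello=2.0, fwd_delay=15.0):
    """Encode a configuration BPDU; timers are carried in units of 1/256 second."""
    t = lambda secs: int(round(secs * 256))
    return struct.pack(CONFIG_FMT, 0, 0, TYPE_CONFIG, flags, root, cost, bridge, port,
                       t(msg_age), t(max_age), t(hello), t(fwd_delay))


def build_tcn_bpdu():
    """A TCN BPDU is only protocol id 0, version 0, type 0x80: no other fields."""
    return struct.pack(">HBB", 0, 0, TYPE_TCN)


def parse_bpdu(data):
    proto, _version, btype = struct.unpack_from(">HBB", data)
    if proto != 0:
        raise ValueError("not an STP BPDU")
    if btype == TYPE_TCN:
        return {"type": "tcn"}
    if btype != TYPE_CONFIG or len(data) < CONFIG_LEN:
        raise ValueError("unsupported or truncated BPDU")
    (_, _, _, flags, root, cost, bridge, port,
     msg_age, max_age, hello, fwd_delay) = struct.unpack(CONFIG_FMT, data[:CONFIG_LEN])
    return {"type": "config", "flags": flags, "tc": bool(flags & FLAG_TC),
            "root": root, "cost": cost, "bridge": bridge, "port": port,
            "msg_age": msg_age / 256, "max_age": max_age / 256,
            "hello": hello / 256, "fwd_delay": fwd_delay / 256}


def is_superior(new, current):
    """802.1D compares (root id, root path cost, sender bridge id, sender port id); lowest wins."""
    key = lambda b: (b["root"], b["cost"], b["bridge"], b["port"])
    return key(new) < key(current)


def seconds_until_root_reverts(b):
    """Stored root information expires when its message age reaches max age, so a single
    unrefreshed superior BPDU (attack 0) displaces the real root for only this long."""
    return b["max_age"] - b["msg_age"]


def tc_flag_seconds(b):
    """Once a TCN reaches the root (attack 1) it sets TC for max_age + forward_delay; every
    bridge that sees TC cuts its MAC table aging time to forward_delay meanwhile."""
    return b["max_age"] + b["fwd_delay"]


def rogue_root_alert(b, expected_root):
    """Root Guard style check (an assumption here, not a Yersinia feature): any BPDU
    claiming a root better than the one we already know is a rogue root candidate."""
    return b["type"] == "config" and b["root"] < expected_root


# Constructed frames: the bridge IDs are the two shown in the Yersinia screen above;
# path costs and port IDs (0x801F = priority 128, port 31, i.e. Fa0/31) are assumptions.
LEGIT_ROOT = bridge_id("8028.0014A9B0E800")
ATTACK_ROOT = bridge_id("5080.760F0E14AC58")
LEGIT_BPDU = build_config_bpdu(LEGIT_ROOT, 0, LEGIT_ROOT, 0x801F)
ATTACK_BPDU = build_config_bpdu(ATTACK_ROOT, 0, ATTACK_ROOT, 0x8001)

if __name__ == "__main__":
    legit, attack = parse_bpdu(LEGIT_BPDU), parse_bpdu(ATTACK_BPDU)
    print("attack BPDU superior:", is_superior(attack, legit))          # True
    print("root reverts after  :", seconds_until_root_reverts(attack))  # 20.0
    print("TC bit held for     :", tc_flag_seconds(legit))              # 35.0
    print("rogue root alert    :", rogue_root_alert(attack, LEGIT_ROOT))  # True
    print("TCN BPDU            :", build_tcn_bpdu().hex())              # 00000080
```

The comparison in is_superior is the whole reason attack 0 works: a 0x5080 priority beats the switch's 0x8028 regardless of the MAC, and nothing in plain STP authenticates the sender. The rogue_root_alert check is what Root Guard or a BPDU monitor does on the defensive side; the timer functions show why a one-shot BPDU only buys 20 seconds while a TCN still forces a 35 second flush window.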



Further Research:

Looking at the MST protocol
How to take advantage of being the Root bridge (all your broadcasts belong to me)
PVST+ simulation weakness that can be exploited

Yersinia in the Network

"Yersinia is a network tool designed to take advantage of some weaknesses in different network protocols" - http://www.yersinia.net/
I think Yersinia is a pretty cool tool and over the Christmas break I decided to see how easy it is to exploit each of the network protocols it implements.

After installing Yersinia, run it with the ncurses GUI (a good place for beginners to start) by typing:
yersinia -I
From here, press "h" to see the options. The basic commands are "g" to select the protocol you want to attack (or F2 to F9 to step through them); on a protocol page, "x" lists the available attacks and "l" lists the attacks currently running.

I'm going to go through each protocol attack and how they work in my subsequent blog posts. As of writing, Yersinia v0.7.3 implements the protocols listed below. Each protocol will be a link to my blog post with more detail.

Yersinia can be used to test the following protocols on the network:
  • Spanning Tree Protocol (STP)
  • Cisco Discovery Protocol (CDP)
  • Dynamic Trunking Protocol (DTP)
  • Dynamic Host Configuration Protocol (DHCP)
  • Hot Standby Router Protocol (HSRP)
  • IEEE 802.1Q
  • IEEE 802.1X
  • Inter-Switch Link Protocol (ISL)
  • VLAN Trunking Protocol (VTP)
  • Multiprotocol Label Switching (MPLS)


After I fully understand the exploitation of all these protocols, I'd like to add to Yersinia. :)