Wednesday 30 December 2015

Yersinia Spanning Tree Protocol (STP)

STP is a layer 2 protocol that prevents loops from occurring in a switched network. Each switch involved in the process sends out BPDU packets to elect a root bridge and from here, ports are given a role of either root, designated, alternate, backup or disabled.
Ports that are either root or designated are active ports in the topology, whereas alternate, backup and disabled ports do not forward packets.
The root switch has all designated ports and each other switch has one root port which is the fastest path to the root bridge and any number of other port types.
More details on the STP protocol can be read at: Cisco STP Summary

When the STP protocol screen is opened in Yersinia ncurses, each unique BPDU seen by the active interface is listed. The up and down arrows can be used to click on the BPDU to inspect the contents.

In the example below, the first BPDU seen is from the switch that my linux box is connected to. Opening this BPDU it can be seen that the RootId matches what is on the switch.

Further down, surrounded by green is the details that Yersinia has populated into a BPDU that it will send in an attack. In the example below, it can be seen that the populated RootId is 5080.760F0E14AC58 which is lower than the RootId in the received BPDU (8028.0014A9B0E800). Which means the switch will receive a superior BPDU when this packet is sent.

Clicking 'x' in Yersinia shows the available attacks for the active protocol. In this case, STP has 6 available attacks to choose from.

Yersinia Spanning-Tree Protocol attack options
Attack 0: sending conf BPDU

This attack simply sends a single BPDU of the format shown in the green frame above. It will appear to the switch as a superior BPDU, but because it is only one BPDU the root bridge will only transition until the Max Age times out (in this case 20 seconds).

Switch behaviour when attack 1 is launched
The screenshot above shows the behaviour of the switch when it receives the BPDU. It receives the BPDU, acknowledges the new root bridge on Fa0/31, 20 seconds later it returns to being the root bridge.

Attack 1: sending tcn BPDU

A TCN (Topology Change Notification) BPDU lets the rootbridge know that something has changed in the network. It is always forwarded through the root port until it arrives at the root bridge, which then sends out a BPDU with the TC (Topology Change) bit set. The TC bit is set by the root for a period of max_age + forward_delay seconds, which is 20+15=35 seconds by default.

Further Research:

Looking at the MST protocol
How to take advantage of being the Root bridge (all your broadcasts belong to me)
PVST+ simulation weakness that can be exploited

No comments:

Post a Comment