Message-ID: <1929.80.24.40.108.1127162125.squirrel@mail.wasahero.org>
Date: Tue Sep 20 01:08:10 2005
From: yersinia at wasahero.org (Yersinia Authors)
Subject: VLAN Hopping, myth or reality?
Hello,
just some thoughts added to the eternal discussion about VLAN Hopping
(802.1q double encapsulated attacks, trunking, ... see the @stake paper or
the Sean Convery BH presentation)
There are lots of resources in the Internet talking about those attacks in
a theoretical way, but we weren't able to find any implementation, so here is
a step by step guide to perform a VLAN Hopping + ARP Poisoning, allowing
a user to sniff and (why not?) perform a mitm attack against another user
in another VLAN.
The tool described here, yersinia, can do this, among other fancy
features.
Note for the network administrators: this attack can be avoided just by
properly configuring your switch DTP settings in each port (disabling
trunking).
Steps:
1.- Start yersinia graphical mode: yersinia -I
2.- Select the network interfaces you want to use ('i')
3.- Wait for some minutes (~3 minutes). If you see DTP traffic, the attack
can be accomplished; if not, we are sorry. We need to set up the trunk: go
to DTP mode (F5 or press 'g'), press 'd' to initialize default values,
then 'x' (attacks) and then '1' ('enabling trunking'); you should be able
to see some other DTP packets.
4.- Switch to 802.1q mode (F6 or press 'g'). There should be some packets
there, most of them related to spanning tree or broadcast traffic.
5.- For this attack, we need to know:
a) Victim's VLAN
b) Victim's gateway IP Address.
c) A host in the victim's network segment that is not alive.
Press 'd' to initialize default values, and then 'x', then '2' (sending
802.1q arp poisoning). Then fill in those three values, and suddenly, you
should be able to see the traffic generated by the victim and
destination the gateway :)
If you look around yersinia options, there is a useful option that saves
all the traffic in pcap format, so you can sniff the victim network data
and save it automatically in a file.
Of course, this attack can only be performed locally.
We have tested this attack only against Cisco switches 29xx, so we would
be pleased if we received notifications of working attacks in other Cisco
models, or better, other vendors (which is almost impossible since DTP is
Cisco proprietary, but, we've seen HP switches with CDP enabled ;) )
Yersinia: http://yersinia.sourceforge.net
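A defender-side check for the two signals step 3 and step 4 rely on, added here as an example and not part of the original post or of yersinia: DTP frames arriving at an end host mean the switch port still negotiates trunking, and 802.1Q-tagged frames mean a trunk is already up. The frame bytes are constructed for the example; the DTP identification (Cisco multicast 01:00:0c:cc:cc:cc, SNAP OUI 00:00:0c, PID 0x2004) is the standard encoding.

```python
"""Classify raw Ethernet frames seen on an end-host port and flag DTP
negotiation frames (port in a dynamic trunking mode) and 802.1Q-tagged
frames (a trunk already established). Sample frames are constructed."""
import struct

DTP_DST_MAC = bytes.fromhex("01000ccccccc")   # Cisco multicast used by DTP/VTP
CISCO_OUI = bytes.fromhex("00000c")
DTP_PID = 0x2004                              # SNAP protocol id for DTP
ETHERTYPE_8021Q = 0x8100

def classify_frame(frame: bytes) -> dict:
    """Return {'src', 'dtp', 'vlan'} for one frame; vlan is None if untagged."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src = frame[:6], frame[6:12]
    type_or_len = struct.unpack("!H", frame[12:14])[0]
    report = {"src": src.hex(":"), "dtp": False, "vlan": None}
    if type_or_len == ETHERTYPE_8021Q and len(frame) >= 18:
        tci = struct.unpack("!H", frame[14:16])[0]
        report["vlan"] = tci & 0x0FFF            # low 12 bits of the TCI = VLAN ID
    elif type_or_len <= 1500 and dst == DTP_DST_MAC and len(frame) >= 22:
        # 802.3 length field, so LLC/SNAP follows: AA AA 03 <OUI:3> <PID:2>
        llc, oui = frame[14:17], frame[17:20]
        pid = struct.unpack("!H", frame[20:22])[0]
        if llc == b"\xaa\xaa\x03" and oui == CISCO_OUI and pid == DTP_PID:
            report["dtp"] = True
    return report

def audit(frames) -> list:
    """One finding string per suspicious frame; an empty list means nothing seen."""
    findings = []
    for f in frames:
        r = classify_frame(f)
        if r["dtp"]:
            findings.append(f"DTP from {r['src']}: port negotiates trunking, "
                            "set the port to access mode and disable DTP")
        if r["vlan"] is not None:
            findings.append(f"802.1Q tag VLAN {r['vlan']} from {r['src']}: "
                            "tagged traffic reached an end host")
    return findings

# Constructed sample frames (not captured traffic)
DTP_FRAME = (DTP_DST_MAC + bytes.fromhex("001122334455") + struct.pack("!H", 48)
             + b"\xaa\xaa\x03" + CISCO_OUI + struct.pack("!H", DTP_PID) + bytes(40))
TAGGED_ARP = (b"\xff" * 6 + bytes.fromhex("0a0b0c0d0e0f")
              + struct.pack("!HH", ETHERTYPE_8021Q, 10) + struct.pack("!H", 0x0806) + bytes(28))
PLAIN_ARP = b"\xff" * 6 + bytes.fromhex("0a0b0c0d0e0f") + struct.pack("!H", 0x0806) + bytes(28)

if __name__ == "__main__":
    for line in audit([DTP_FRAME, TAGGED_ARP, PLAIN_ARP]):
        print(line)
```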