
Tuesday, November 9, 2010

LAYER 2 ATTACKS using YERSINIA

This video is for information only. DO NOT use this in a production network. If you are new to this field, like me, you can cause a big mess even if you have permission.




What is DTP?
DTP is Cisco's Dynamic Trunking Protocol. It automates the configuration of 802.1Q and ISL (Inter-Switch Link) trunks by letting a switch negotiate with another DTP-capable device whether the link becomes a trunk and which encapsulation it uses. The DTP state of a switch port can be set to
  1- Auto            : it does not initiate trunking, but it accepts and responds to trunking negotiation
  2- On (trunk)      : it is manually configured to be a trunk (it still sends DTP frames, so the neighbour can negotiate with it)
  3- Off (access)    : it is manually configured to be an access port
  4- Desirable       : it actively initiates trunking negotiation
  5- Nonegotiate     : no DTP frames are sent at all; the port trunks only if it is statically configured as a trunk

By default, the administrative mode of a port is not access (off). On most Catalyst switches the default is dynamic auto (dynamic desirable on some older platforms). If a port is in dynamic auto or dynamic desirable mode and it receives a DTP frame that says "I am a trunk" or "I want to be a trunk", the port becomes a trunk port. The outcome for each combination of modes is:

  Switchport Mode     Access     Dynamic Desirable   Dynamic Auto   Trunk
  Access              No Trunk   No Trunk            No Trunk       No Trunk
  Dynamic Auto        No Trunk   Trunk               No Trunk       Trunk
  Dynamic Desirable   No Trunk   Trunk               Trunk          Trunk
  Trunk               No Trunk   Trunk               Trunk          Trunk
  (rows: the mode of this port; columns: the mode of the neighbour on the other end of the link)

By default a trunk port carries all VLANs. If an attacker's machine can pose as a switch and win the negotiation, the attacker's port becomes a member of every VLAN and can send and receive tagged frames for any of them, which defeats the VLAN segmentation. The fix is to take negotiation away from ports an attacker can reach: configure user-facing ports with "switchport mode access" plus "switchport nonegotiate", and on real uplinks set "switchport mode trunk" statically, add "switchport nonegotiate", and restrict the allowed VLAN list.
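The negotiation table above is easy to get wrong on a real switch because the vulnerable state is the default, so the check a practitioner wants is against the running configuration rather than the wire. The following is an added example, not code from this post or from Yersinia: it parses an IOS-style running-config excerpt (the sample config is constructed), assumes a port with no "switchport mode" line is in dynamic auto (verify with "show interfaces switchport" on your platform), and uses the table from the post to report which ports a neighbour sending DTP in a given mode could turn into trunks.

```python
"""Audit IOS-style switchport configs for DTP trunk negotiation exposure."""
import re

# DTP administrative modes, named as in "switchport mode ..." on IOS.
ACCESS, TRUNK, DYN_AUTO, DYN_DESIRABLE = "access", "trunk", "dynamic auto", "dynamic desirable"

# The negotiation table from the post: TRUNK_OUTCOME[local][neighbour] is True
# when the two ends of the link end up trunking.
TRUNK_OUTCOME = {
    ACCESS:        {ACCESS: False, DYN_DESIRABLE: False, DYN_AUTO: False, TRUNK: False},
    DYN_AUTO:      {ACCESS: False, DYN_DESIRABLE: True,  DYN_AUTO: False, TRUNK: True},
    DYN_DESIRABLE: {ACCESS: False, DYN_DESIRABLE: True,  DYN_AUTO: True,  TRUNK: True},
    TRUNK:         {ACCESS: False, DYN_DESIRABLE: True,  DYN_AUTO: True,  TRUNK: True},
}

# Assumption: a port with no "switchport mode" line sits in the platform default,
# taken here to be dynamic auto. Check your own platform before trusting this.
DEFAULT_MODE = DYN_AUTO

MODE_RE = re.compile(r"switchport mode (access|trunk|dynamic auto|dynamic desirable)")


def parse_interfaces(config):
    """Map interface name -> {"mode": str, "nonegotiate": bool} from running-config text."""
    interfaces = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            interfaces[current] = {"mode": DEFAULT_MODE, "nonegotiate": False}
            continue
        if current is None or not raw.startswith(" "):
            current = None  # "!", "end" or any other top-level line closes the stanza
            continue
        line = raw.strip()
        m = MODE_RE.fullmatch(line)
        if m:
            interfaces[current]["mode"] = m.group(1)
        elif line == "switchport nonegotiate":
            interfaces[current]["nonegotiate"] = True
    return interfaces


def attacker_can_negotiate_trunk(port, attacker_mode=DYN_DESIRABLE):
    """True if DTP frames from a neighbour in attacker_mode can turn this port into a trunk.

    A port with "switchport nonegotiate" neither sends nor honours DTP, so nothing
    received on the wire changes its statically configured state.
    """
    if port["nonegotiate"]:
        return False
    return TRUNK_OUTCOME[port["mode"]][attacker_mode]


def audit(config, attacker_mode=DYN_DESIRABLE):
    """Verdict per interface for a neighbour (e.g. Yersinia) speaking DTP in attacker_mode."""
    verdicts = {}
    for name, port in parse_interfaces(config).items():
        if port["mode"] == TRUNK:
            verdicts[name] = "static trunk"        # a trunk no matter what the neighbour sends
        elif attacker_can_negotiate_trunk(port, attacker_mode):
            verdicts[name] = "negotiable trunk"    # the attacker's DTP flips it to a trunk
        else:
            verdicts[name] = "access only"
    return verdicts


# Constructed sample config (not from the page): a port left at factory default,
# one explicitly negotiable, a hardened access port and a hardened uplink.
SAMPLE_CONFIG = """\
!
interface FastEthernet0/1
 description user port, no switchport mode line
!
interface FastEthernet0/2
 switchport mode dynamic desirable
!
interface FastEthernet0/3
 switchport mode access
 switchport nonegotiate
!
interface FastEthernet0/24
 switchport mode trunk
 switchport nonegotiate
 switchport trunk allowed vlan 10,20
!
end
"""

if __name__ == "__main__":
    for mode in (DYN_DESIRABLE, DYN_AUTO, TRUNK):
        print(f"neighbour in '{mode}':")
        for name, verdict in audit(SAMPLE_CONFIG, mode).items():
            print(f"  {name:20} {verdict}")
```

Run against a real "show running-config" and anything reported as "negotiable trunk" is a port where plugging in a laptop running Yersinia is enough to join every VLAN; note that with the neighbour in dynamic auto the factory-default port stays an access port, which is exactly why an attacker sends desirable.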

What is STP?
STP is the Spanning Tree Protocol (IEEE 802.1D), used to prevent loops in a switched network. To provide a loop-free topology, the switches elect a root bridge and then assign each port a role such as root, designated, or blocked. The root bridge is the switch with the smallest bridge ID. A bridge ID has two parts: a configurable priority (a 16-bit field on the wire, 0-65535; on switches that use the 802.1t extended system ID it is a multiple of 4096 plus the VLAN number) and the MAC address of the switch. The priority is compared first and the MAC address breaks ties. After the root bridge is determined, every switch computes its least-cost path to the root and blocks the redundant ports.

If the attacker can make his or her system the root bridge, the spanning tree is rebuilt around the attacker's machine: traffic between switches that used to take a direct path can now flow through the attacker, where it can be captured, and repeated recalculations can bring the network down. To do this, the attacker sends configuration BPDUs that advertise a bridge ID lower than the current root's, and TCN BPDUs to force spanning tree recalculations (BPDU: Bridge Protocol Data Unit). The defence is to keep BPDUs away from ports where no switch should ever be: enable BPDU Guard together with PortFast on access ports, so that a received BPDU err-disables the port, and Root Guard on ports that must never lead towards the root.
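To make the election concrete, here is an added example (not from this post and not Yersinia's code) that encodes and decodes 802.1D BPDUs, decides whether a rogue bridge ID beats the current root, and shows what BPDU Guard and Root Guard do with the rogue frame. The legitimate root and the attacker's addresses are constructed; the attacker behaviour modelled here (copy the root's timers, advertise itself as root with a lower bridge ID) is a generic description of a root-claiming attack, not a statement about how Yersinia implements it.

```python
"""802.1D BPDU encode/decode, root bridge election, and BPDU Guard / Root Guard checks."""
import struct

CONFIG_BPDU, TCN_BPDU = 0x00, 0x80


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def bridge_id(priority, mac):
    """8-byte bridge ID: 16-bit priority followed by the bridge MAC. The lowest ID wins,
    and since the priority is the most significant part, a byte-wise compare is the election."""
    return struct.pack("!H6s", priority, mac_bytes(mac))


def build_config_bpdu(root_prio, root_mac, root_cost, bridge_prio, bridge_mac, port_id=0x8001,
                      msg_age=0, max_age=20, hello=2, fwd_delay=15, flags=0):
    """35-byte Configuration BPDU. Timers are given in seconds and sent in 1/256 s units."""
    return struct.pack("!HBBB8sI8sHHHHH",
                       0x0000, 0x00, CONFIG_BPDU, flags,
                       bridge_id(root_prio, root_mac), root_cost,
                       bridge_id(bridge_prio, bridge_mac), port_id,
                       int(msg_age * 256), int(max_age * 256), int(hello * 256), int(fwd_delay * 256))


def build_tcn_bpdu():
    """4-byte Topology Change Notification: protocol id 0, version 0, type 0x80."""
    return struct.pack("!HBB", 0x0000, 0x00, TCN_BPDU)


def parse_bpdu(data):
    """Decode a Config or TCN BPDU into a dict."""
    _, _, bpdu_type = struct.unpack("!HBB", data[:4])
    if bpdu_type == TCN_BPDU:
        return {"type": "tcn"}
    flags, root, cost, bridge, port, msg_age, max_age, hello, fwd = struct.unpack(
        "!B8sI8sHHHHH", data[4:35])
    return {"type": "config", "flags": flags,
            "root_id": root, "root_prio": struct.unpack("!H", root[:2])[0], "root_mac": mac_str(root[2:]),
            "cost": cost, "bridge_id": bridge, "bridge_mac": mac_str(bridge[2:]), "port_id": port,
            "msg_age": msg_age / 256, "max_age": max_age / 256,
            "hello": hello / 256, "fwd_delay": fwd / 256}


def attacker_claims_root(observed_root_bpdu, attacker_prio, attacker_mac):
    """Model of a root-claiming attack: reuse the current root's timers but advertise the
    attacker as root with cost 0. Returns (wins_election, bpdu_the_attacker_would_send)."""
    cur = parse_bpdu(observed_root_bpdu)
    wins = bridge_id(attacker_prio, attacker_mac) < cur["root_id"]
    bpdu = build_config_bpdu(attacker_prio, attacker_mac, 0, attacker_prio, attacker_mac,
                             max_age=cur["max_age"], hello=cur["hello"], fwd_delay=cur["fwd_delay"])
    return wins, bpdu


def port_protection_verdict(bpdu, known_root_id, bpdu_guard=False, root_guard=False):
    """How a port with the given protections reacts to a received BPDU.
    BPDU Guard: an edge (PortFast) port must never see any BPDU, so the port is err-disabled.
    Root Guard: a port that must stay designated refuses a BPDU that advertises a better root."""
    if bpdu_guard:
        return "bpduguard: err-disable"
    info = parse_bpdu(bpdu)
    if root_guard and info["type"] == "config" and info["root_id"] < known_root_id:
        return "rootguard: root-inconsistent"
    return "accepted"


# Constructed scenario, not from the page. The legitimate root runs the default priority
# 32768 plus VLAN 1 (802.1t extended system ID), so the wire value is 32769.
LEGIT_ROOT = build_config_bpdu(32769, "00:01:02:03:04:05", 0, 32769, "00:01:02:03:04:05")
ATTACKER_MAC = "00:0c:29:aa:bb:cc"

if __name__ == "__main__":
    root = parse_bpdu(LEGIT_ROOT)
    for prio in (32769, 4096, 0):
        wins, _ = attacker_claims_root(LEGIT_ROOT, prio, ATTACKER_MAC)
        print(f"attacker priority {prio:5}: {'becomes root' if wins else 'loses to'} {root['root_mac']}")
    _, rogue = attacker_claims_root(LEGIT_ROOT, 0, ATTACKER_MAC)
    print("edge port, bpduguard   :", port_protection_verdict(rogue, root["root_id"], bpdu_guard=True))
    print("uplink, rootguard      :", port_protection_verdict(rogue, root["root_id"], root_guard=True))
    print("unprotected port       :", port_protection_verdict(rogue, root["root_id"]))
```

Two things to notice when running it: with an equal priority the attacker here loses only because its MAC happens to be higher, so a priority of 0 is what guarantees the win; and the rogue BPDU is indistinguishable from a real one on an unprotected port, which is why the protection has to be a per-port policy rather than anything in the frame.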

What is CDP?
"The Cisco Discovery Protocol (CDP) is a proprietary Layer 2 network protocol which is implemented in most Cisco networking equipment. It is used to share information about other directly connected Cisco equipment, such as the operating system, device ID, version or IP address." (http://en.wikipedia.org/wiki/Cisco_Discovery_Protocol)


YERSINIA

Yersinia is a network tool designed to take advantage of weaknesses in several Layer 2 protocols; it has attack modules for STP, CDP, DTP, DHCP, HSRP, 802.1Q, 802.1X, ISL and VTP. It aims to be a solid framework for analyzing and testing deployed networks and systems. More detailed information and the man page are available from the project.

 

GNS3 Topology: Basic Switch Configuration

Actually, the intention of this video is not to show how switch configuration is done. I was creating my playground to learn how YERSINIA works. If you are preparing for the CCNA, this video may help you understand the basics of VLAN and VLAN Trunking Protocol configuration. But on a real switch (not the EtherSwitch module) configuring VLANs is a little different and easier. You should also see the video "Layer 2 attacks using yersinia" to understand how important Layer 2 security is.


enjoy!

Friday, November 5, 2010

ARP POISONING

I haven't made any videos for more than two weeks. This doesn't mean that I stopped studying for the exams. After I finished studying firewalls, I tried to emulate Cisco IDS (version 6.x). I found very useful articles about it on forums like 7200emu and of course the wiki. Yes, now I can emulate Cisco IDS using GNS3. (Some say they emulate 6.x on VMware, but I wasn't able to.) After I learned a little about IDS I tried to make a video, but I realized that I don't know anything about real-world attacks to demonstrate how an IDS works. To make a long story short, I changed track and decided to learn Linux (because most security tools run on Linux) and some useful security tools before I continue with CCSP IDS. (It is actually not good for me, because the CCSP exams are going to change and I am not sure that I can find any platform to study the new exam topics such as IDS v7.)

This video is about ARP poisoning. It is simpler than I thought.     





How does the Address Resolution Protocol work?

Imagine we have two computers, Host A and Host B, and assume they have never previously communicated.
1- Host A would like to send Host B some data.
2- Host A looks in its ARP cache to see whether an IP->MAC mapping for Host B exists.
3- Because they have never communicated before, no mapping exists.
4- Host A broadcasts an ARP request that says, "Who has the IP of Host B? Tell Host A."
5- Host B is listening and replies, "IP B is at MAC B."
6- Host A updates its ARP cache with the IP->MAC mapping.
Nothing in this exchange is authenticated: Host A has no way to check that the reply really came from the owner of IP B, and most stacks will also overwrite an existing cache entry when a reply arrives that they never asked for.

How does ARP poisoning work?
Well, you can find it in the video.
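As an added example that is not part of the original post, here is the exchange described above in code, followed by the poisoning it makes possible and a simple arpwatch-style check that catches it. Frames are built and parsed by hand (Ethernet/IPv4 ARP as in RFC 826); the two hosts, their addresses and the attacker are constructed for the demo, and the Host class models the naive cache update described above rather than any particular operating system's ARP implementation.

```python
"""ARP request/reply, a naive host cache, ARP poisoning, and an arpwatch-style detector."""
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"


def mac_bytes(m):
    return bytes.fromhex(m.replace(":", ""))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_bytes(ip):
    return bytes(int(o) for o in ip.split("."))


def ip_str(b):
    return ".".join(str(x) for x in b)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet header plus the 28-byte ARP payload for Ethernet/IPv4 (RFC 826)."""
    dst = BROADCAST if op == ARP_REQUEST else target_mac
    eth = struct.pack("!6s6sH", mac_bytes(dst), mac_bytes(sender_mac), ETH_P_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op,
                      mac_bytes(sender_mac), ip_bytes(sender_ip),
                      mac_bytes(target_mac), ip_bytes(target_ip))
    return eth + arp


def parse_arp(frame):
    """Decode an ARP frame into a dict, or None if the frame is not ARP."""
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    _, _, _, _, op, smac, sip, tmac, tip = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    return {"op": op, "sender_mac": mac_str(smac), "sender_ip": ip_str(sip),
            "target_mac": mac_str(tmac), "target_ip": ip_str(tip)}


class Host:
    """A host with the ARP behaviour described above: ask, answer, and cache what a reply claims."""

    def __init__(self, name, mac, ip):
        self.name, self.mac, self.ip, self.arp_cache = name, mac, ip, {}

    def request(self, ip):
        # Steps 2-4: no cache entry, so broadcast "who has <ip>? tell <me>".
        return build_arp(ARP_REQUEST, self.mac, self.ip, ZERO_MAC, ip)

    def handle(self, frame):
        pkt = parse_arp(frame)
        if pkt is None:
            return None
        if pkt["op"] == ARP_REQUEST and pkt["target_ip"] == self.ip:
            # Step 5: "<my ip> is at <my mac>"; learn the asker's mapping on the way.
            self.arp_cache[pkt["sender_ip"]] = pkt["sender_mac"]
            return build_arp(ARP_REPLY, self.mac, self.ip, pkt["sender_mac"], pkt["sender_ip"])
        if pkt["op"] == ARP_REPLY and pkt["target_mac"] == self.mac:
            # Step 6: update the cache. Nothing checks that this reply was asked for or that
            # the sender owns sender_ip, and an existing entry is simply overwritten.
            self.arp_cache[pkt["sender_ip"]] = pkt["sender_mac"]
        return None


def poison_frames(attacker_mac, victim_a, victim_b):
    """Forged replies: tell A that B's IP is at the attacker, and B that A's IP is at the attacker."""
    return [
        build_arp(ARP_REPLY, attacker_mac, victim_b.ip, victim_a.mac, victim_a.ip),
        build_arp(ARP_REPLY, attacker_mac, victim_a.ip, victim_b.mac, victim_b.ip),
    ]


class ArpWatch:
    """arpwatch-style monitor: remember the first MAC seen for each IP and alert when it changes."""

    def __init__(self):
        self.seen, self.alerts = {}, []

    def observe(self, frame):
        pkt = parse_arp(frame)
        if pkt is None:
            return
        known = self.seen.setdefault(pkt["sender_ip"], pkt["sender_mac"])
        if known != pkt["sender_mac"]:
            self.alerts.append(f"{pkt['sender_ip']}: {known} -> {pkt['sender_mac']}")


def run_demo():
    """Legitimate A<->B resolution, then poisoning by a third machine; returns the resulting state."""
    # Constructed addresses, not from the page.
    a = Host("A", "00:00:00:00:00:0a", "192.168.1.10")
    b = Host("B", "00:00:00:00:00:0b", "192.168.1.11")
    attacker_mac = "00:00:00:00:00:ee"
    watch = ArpWatch()

    req = a.request(b.ip)        # A broadcasts the request
    watch.observe(req)
    reply = b.handle(req)        # B answers
    watch.observe(reply)
    a.handle(reply)              # A caches B's real MAC
    before = dict(a.arp_cache)

    for frame in poison_frames(attacker_mac, a, b):
        watch.observe(frame)     # the monitor sees the same frames the victims do
        a.handle(frame)
        b.handle(frame)
    return {"before": before, "a_cache": a.arp_cache, "b_cache": b.arp_cache, "alerts": watch.alerts}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key:8} {value}")
```

After the two forged replies both victims send each other's traffic to the attacker's MAC, which is the man-in-the-middle position; the monitor's alerts show why a sudden MAC change for a known IP is the signal to watch for, and why static ARP entries or Dynamic ARP Inspection on the switch are the fixes.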