Blacklabs Security Tutorials

STP Exploitation

HARDWARE
  • 2 Switches (Catalyst 3560 in Example)
  • 1 Crossover Cable
  • 3 Straight-Through Cables
  • 1 Laptop (Kali Attacker)

SOFTWARE
  • Kali Linux OS on the laptop
  • Yersinia

STP Attack Topology (diagram) - VLAN used in demonstration is default VLAN 1

Spanning Tree Protocol…
STP is a network protocol which builds a logical loop-free topology for Ethernet networks. Layer 2 devices exchange Bridge Protocol Data Unit (BPDU) traffic to share device details (STP Priority Number + MAC Address = Bridge ID, or BID) and determine WHO the Root Bridge is (Lowest BID Wins). Once the Root is selected, each device determines the most efficient pathway (lowest cost) to reach the Root Bridge and sets its port states accordingly.

Attack...

Inject bogus BPDUs with a spoofed lowest BID to influence the topology into electing me the Root Bridge (disrupting the flow of traffic through the topology). All traffic sent within this compromised VLAN topology can now be eavesdropped upon. If you happen to be within the default GW segment, you may grab ALL incoming and outgoing traffic for the VLAN (MITM Potential). Poorly configured switches could also be manipulated into forming Trunk Links with the attacker, which results in ALL VLAN traffic being accessed and/or even VLAN Removal (DoS Attack).

Protection Against this type of attack...
  • BPDUGuard Enable – Setting an access port with spanning-tree bpduguard enable places the port in an errdisable state once a BPDU is received on it. Access devices should NEVER transmit BPDUs. To re-enable the port, an Admin MUST issue the no shutdown command.
  • BPDUFilter – BPDUFilter, on the other hand, just filters BPDUs in both directions, which effectively disables STP on the port. BPDUFilter prevents inbound and outbound BPDU traffic but removes the PortFast state on a port if a BPDU is received. Enabling BPDU filtering on an interface is the same as disabling spanning tree on it and can result in spanning-tree loops.
  • RootGuard – Root Guard allows the device to participate in STP as long as the device does not try to become the root. If Root Guard blocks the port, subsequent recovery is automatic. Recovery occurs as soon as the offending device ceases to send superior BPDUs.
  • Switchport Mode Settings – Set access ports as ACCESS PORTS! Do not leave them in the default state of switchport mode dynamic desirable. This prevents the switchport mode from changing to Trunking between the attacker and the switch if the attacker advertises trunk, desirable OR auto mode.

Demonstration in a nutshell:
  1. Connect Topology as in Diagram
  2. Check current STP Topology
  3. Perform STP Attack and view resulting damage
  4. Set appropriate Switchport Modes and Enable BPDU Guard
  5. Attempt STP Attack and View Results

1. Connect Topology as in Diagram Above

Connect the switches with a crossover cable as in the topology and boot them. STP negotiation takes 50 seconds to complete.

Boot the laptop into Kali and connect it with a straight-through cable to the hub/switch, and the hub/switch with straight-through cables to the topology switches.

2. Check Current STP Topology

Let’s begin by seeing how the devices in the topology negotiated the current STP structure.

Switch Commands
SW1# show int status
SW1# show spanning-tree vlan 1
SW2# show spanning-tree vlan 1
NOTES about the Election Process:
  • The selection is based on the BIDs exchanged between devices, which are simply the STP priority value and the device MAC Address. The lowest BID wins the role of Root Bridge.
  • The default STP Priority is 32769 (Value of 32768 + System Identifier of 1).
  • STP Priorities are defined in increments of 4096 and range from 0 THROUGH 61440. Priorities CAN be manually set to force a device to take the Root role.
  • In this topology, SW1 has become the Root Bridge and placed its ports in a Designated Forwarding State.
  • SW2 has identified SW1 as the Root and determined WHICH port it will use to forward traffic to the Root (Root Port – Fa0/1 in this case).

3. Perform STP Attack and View Resulting Damage

Since BPDU traffic (Hellos) is transmitted based on timer settings (default of 2 secs.), this election can be adjusted on the fly with the introduction of a new device into the topology.

Switch Commands
SW1# debug spanning-tree events

Next, let’s attempt to manipulate the STP topology through bogus BPDU Injection.

Kali Commands
root@kali:~# yersinia -G
(Loads the graphical version of Yersinia)

1. Select STP tab for the type of attack

2. Under Description, we will select “Claiming Root Role”
  • Yersinia will generate bogus BPDUs and attempt to become the Root Bridge

3. Select Ok to launch!

NOTE: Since we turned debugging on, we will see the STP event and results!

Debug output of the spanning tree change and Wireshark capture of the bogus BPDUs (screenshots)
Yersinia monitored the STP traffic and took note of the current Root Bridge BID. Remember, the LOWEST BID WINS, and since the priorities were the default value, Yersinia spoofed a BID with a lower MAC address than SW1’s:
  • SW1 Address:      1c17.d34b.3e80
  • Yersinia Address: 1c17.d34a.3e80
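As an added example, not part of the original tutorial, the following Python builds two constructed IEEE 802.1D Configuration BPDUs carrying the Bridge IDs above, compares them the way the election does (lowest BID wins), and flags the two conditions a defender should alert on, which are also the triggers for the BPDUGuard and RootGuard protections listed earlier. The assess_bpdu helper and its finding names are illustrative assumptions, not part of any switch or Yersinia code.

```python
# Added example, not from the original tutorial: build and parse IEEE 802.1D Configuration
# BPDUs, compare Bridge IDs as the election does, and flag what a defender watches for.
import struct

def make_bid(priority: int, sysid_ext: int, mac: str) -> bytes:
    """8-byte Bridge ID: 4-bit priority (multiple of 4096) | 12-bit system ID extension | MAC."""
    if priority % 4096 or not 0 <= priority <= 61440:
        raise ValueError("priority must be a multiple of 4096 in 0..61440")
    return struct.pack("!H", priority | sysid_ext) + bytes.fromhex(mac.replace(".", ""))

def build_config_bpdu(root: bytes, sender: bytes, cost: int = 0) -> bytes:
    """Minimal 35-byte Configuration BPDU (constructed); timers are in 1/256 s units."""
    return (b"\x00\x00\x00\x00\x00"                 # protocol id 0, version 0, type 0, flags
            + root + struct.pack("!I", cost) + sender
            + b"\x80\x01"                            # port id: priority 128, port 1
            + struct.pack("!HHHH", 0, 20 * 256, 2 * 256, 15 * 256))  # age, max age, hello, fwd delay

def parse_config_bpdu(frame: bytes) -> dict:
    """Return the fields an election uses from a Configuration BPDU."""
    if len(frame) < 35 or frame[0:2] != b"\x00\x00" or frame[3] != 0x00:
        raise ValueError("not an 802.1D Configuration BPDU")
    return {"root": frame[5:13], "cost": struct.unpack("!I", frame[13:17])[0],
            "sender": frame[17:25]}

def bid_tuple(bid: bytes) -> tuple:
    """Decode a Bridge ID into (priority, system ID extension, MAC hex string)."""
    word = struct.unpack("!H", bid[:2])[0]
    return word & 0xF000, word & 0x0FFF, bid[2:].hex()

def is_superior(candidate: bytes, current_root: bytes) -> bool:
    """STP compares Bridge IDs as unsigned 64-bit values; the lowest wins."""
    return int.from_bytes(candidate, "big") < int.from_bytes(current_root, "big")

def assess_bpdu(frame: bytes, expected_root: bytes, access_port: bool) -> list:
    """Findings a monitor should raise: any BPDU on an access port (what BPDU Guard
    acts on) and any root claim lower than the known root (what Root Guard acts on)."""
    fields = parse_config_bpdu(frame)
    findings = []
    if access_port:
        findings.append("bpdu-on-access-port")
    if is_superior(fields["root"], expected_root):
        findings.append("superior-root-claim")
    return findings

# Constructed frames: VLAN 1, default priority 32768 + system ID 1, MACs from the demo.
SW1_BID = make_bid(32768, 1, "1c17.d34b.3e80")
ROGUE_BID = make_bid(32768, 1, "1c17.d34a.3e80")   # one nibble lower than SW1's MAC
LEGIT_BPDU = build_config_bpdu(SW1_BID, SW1_BID)
ROGUE_BPDU = build_config_bpdu(ROGUE_BID, ROGUE_BID)
```

Running assess_bpdu on ROGUE_BPDU as seen on an access port returns both findings, which is exactly why BPDUGuard on access ports stops this attack before the election ever changes.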

As a result, the entire STP Topology has changed with Yersinia as the Root Bridge!

Switch Commands
SW1# show spanning-tree vlan 1

With this in mind, ALL traffic on the switched network will forward through Yersinia. With a dual-homed NIC on the Kali system, this could become a MITM attack. With a Trunk port status, ALL VLANs could flow through here OR VLANs could be pruned (Denial of Service Attack).

4. Set appropriate Switchport Modes and Enable BPDU Guard

NOTE: Disconnect Kali from the switchport and allow STP to correct itself before continuing. As a reminder, STP (depending on the mode being used) could take up to 50 secs to complete this process.

Let’s now take a moment to properly secure these switchports by defining their role on the device as an Access Port and protect STP integrity with a feature titled BPDUGuard.


Switch Commands
SW1# config t
SW1(config)# int f0/4
SW1(config-if)# switchport mode access

This will define the switchport purpose/mode and allow us to prevent STP traffic from being accepted.

SW1(config-if)# switchport access vlan <YourVLANofInterest>



SW1(config-if)# exit
SW1(config)# spanning-tree portfast bpduguard default

NOTE: The PortFast feature is used on access ports to reduce the time a switchport spends moving to a forwarding state after a device reset. The logic here is that a switchport connecting end-point devices should never create switching loops and therefore should be able to forward immediately. The addition of the BPDUGuard feature further protects against BPDUs advertised on device access ports.

The final step is enabling the BPDUGuard feature on specific interfaces so that IF a BPDU frame is received, the port will errdisable itself, requiring an administrator to re-enable the port’s functionality.

SW1(config)# int f0/4
SW1(config-if)# spanning-tree bpduguard enable

SW1# show spanning-tree summary

5. Attempt STP Attack and View Results

Be sure debugging is still active on the SW1 device and plug the laptop back into switchport fa0/4 (or your port configured with bpduguard enable). Start Yersinia, select STP and configure the attack as completed in Step 2.


Kali Commands
root@kali:~# yersinia -G
(Loads the graphical version of Yersinia)

1. Select STP tab for the type of attack

2. Under Description, we will select “Claiming Root Role”
  • Yersinia will generate bogus BPDUs and attempt to become the Root Bridge

3. Select Ok to launch!

NOTE: Since we turned debugging on, we will see the STP event and results!

At this time, port fa0/4 has been err-disabled and would require an administrator to first shutdown the port (administratively down) and then no shutdown (re-enable) in order to bring the port to a functioning state.

Switch Commands

SW1# config t
SW1(config)# int f0/4
SW1(config-if)# shutdown
SW1(config-if)# no shutdown

The port will now move into the listening > learning > forwarding states before returning to normal operation.