HARDWARE
2 Switches (Catalyst 3560 in Example)
1 Crossover Cable
3 Straight-Through Cables
1 Laptop (Kali Attacker)
SOFTWARE
Laptop Kali Linux OS
Yersinia
Spanning Tree Protocol…
STP is a network protocol that builds a logical loop-free topology for Ethernet networks. Layer 2 devices exchange Bridge Protocol Data Unit (BPDU) frames to share their Bridge ID (STP priority field + MAC address = BID) and elect the Root Bridge (lowest BID wins). Once the Root is elected, each device works out its lowest-cost path to the Root and sets its port roles and states accordingly.
Attack...
Inject bogus BPDUs carrying a spoofed BID lower than the current root's, so the topology re-elects the attacker as Root Bridge and traffic paths are rebuilt around it. Traffic crossing the compromised VLAN topology can then be eavesdropped on, and if the attacker sits on the default gateway's segment it may see ALL traffic entering and leaving the VLAN (MITM potential). Poorly configured switches can also be talked into forming a trunk link with the attacker, exposing the traffic of ALL VLANs or allowing VLANs to be removed (DoS attack).
Protection Against this type of attack...
- BPDUGuard Enable – Configuring an access port with spanning-tree bpduguard enable puts the port into the errdisable state as soon as a BPDU is received on it. Access devices should NEVER transmit BPDUs. To re-enable the port an administrator must issue shutdown followed by no shutdown, unless errdisable recovery cause bpduguard has been configured, in which case the port recovers on its own after the recovery interval (300 seconds by default).
- BPDUFilter – BPDU filtering is a different tool. On an interface (spanning-tree bpdufilter enable) it drops BPDUs in both directions, which is the same as disabling spanning tree on that port and can create a spanning-tree loop if a switch is ever plugged in there. The global form (spanning-tree portfast bpdufilter default) is softer: a PortFast port sends a few BPDUs at link-up and then stops, and if a BPDU is received the port loses its PortFast and filtering status and runs normal STP. Neither form is a substitute for BPDU Guard on user-facing ports.
- RootGuard – Root Guard lets the device on the port take part in STP as long as it never tries to become the Root. If a superior BPDU arrives, the port is placed in the root-inconsistent state; recovery is automatic and the port returns to service as soon as the offending device stops sending superior BPDUs. Use it on ports facing other switches, where BPDUs are legitimate but a new Root is not.
- Switchport Mode Settings – Set access ports as ACCESS PORTS! Do not leave them in the default dynamic mode (dynamic auto on the 3560, dynamic desirable on some older platforms), which lets DTP negotiate a trunk if the attacker advertises trunk, desirable or auto mode. switchport mode access (plus switchport nonegotiate to silence DTP) prevents the port from ever becoming a trunk to the attacker.
Demonstration in a nutshell:
- Connect Topology as in Diagram
- Check current STP Topology
- Perform STP Attack and view resulting damage
- Set appropriate Switchport Modes and Enable BPDU Guard
- Attempt STP Attack and View Results
1. Connect Topology as in Diagram Above
Connect the switches with the crossover cable as in the topology and boot them. With the default 802.1D timers, STP convergence takes up to 50 seconds (20 s max age + 15 s listening + 15 s learning).
Boot the laptop into Kali and connect it with a straight-through cable to the hub/switch, then connect the hub/switch with straight-through cables to the topology switches.
2. Check Current STP Topology
Let’s begin by seeing how the devices in the topology negotiated the current STP structure.
Switch Commands
SW1# show int status
SW1# show spanning-tree vlan 1
SW2# show spanning-tree vlan 1
NOTES about the Election Process:
- The election is based on the BIDs exchanged between devices, which are simply the STP priority field followed by the device MAC address. The lowest BID wins the Root Bridge role; the priority is compared first and the MAC address only breaks ties.
- The default value shown for the STP priority is 32769 on VLAN 1: the base priority of 32768 plus the extended system ID, which is the VLAN number (VLAN 10 would show 32778).
- The configurable priority is set in increments of 4096 and ranges from 0 THROUGH 61440 (the low 12 bits are reserved for the VLAN ID). Priorities CAN be set manually with the spanning-tree vlan priority command to force a device to take the Root role, but a lower priority alone does not stop an attacker who can advertise priority 0.
- In this topology, SW1 has become the Root Bridge and placed ports in a Designated Forwarding State.
- SW2 has identified SW1 as the Root and determined WHICH ports it will use to forward traffic to the Root (Root Ports – Fa0/1 in this case).
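To make the election concrete, here is an added worked example (not part of the original lab, and not Yersinia's code) that encodes Bridge IDs the way the notes above describe, builds and parses an 802.1D configuration BPDU, and re-runs the lowest-BID election with SW1's values from the page against a Yersinia-style spoofed BID. SW2's MAC address and the priority values other than SW1's default are assumptions constructed for the example.

```python
"""Bridge ID encoding and the STP root election on the lab's values.

Added example, not part of the original lab and not Yersinia's code. SW1's
BID (priority 32769, MAC 1c17.d34b.3e80) is taken from the page; SW2's MAC
and the alternative priorities are constructed for the example.
"""
import struct

TIMER_UNIT = 256              # STP timer fields are carried in 1/256-second units
BPDU_FMT = ">HBBBQIQHHHHH"    # 35-byte 802.1D configuration BPDU (after the LLC header)


def mac_to_int(mac: str) -> int:
    """Accept Cisco dotted form ('1c17.d34b.3e80') or colon form."""
    return int(mac.replace(".", "").replace(":", ""), 16)


def int_to_mac(value: int) -> str:
    h = f"{value:012x}"
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"


def pvst_priority(configured: int, vlan: int) -> int:
    """Priority field with the extended system ID: 32768 + VLAN 1 = 32769."""
    if configured % 4096 or not 0 <= configured <= 61440:
        raise ValueError("priority must be a multiple of 4096 in 0..61440")
    if not 1 <= vlan <= 4094:
        raise ValueError("VLAN id out of range")
    return configured + vlan


def bridge_id(priority_field: int, mac: str) -> int:
    """8-byte Bridge ID as one integer: 16-bit priority field, then 48-bit MAC.

    Comparing the integers compares the priority first and the MAC second,
    which is exactly the order STP uses, so min() is the election.
    """
    if not 0 <= priority_field <= 0xFFFF:
        raise ValueError("priority field must fit in 16 bits")
    return (priority_field << 48) | mac_to_int(mac)


def split_bid(bid: int) -> tuple:
    return bid >> 48, int_to_mac(bid & ((1 << 48) - 1))


def build_config_bpdu(root_bid: int, root_cost: int, bridge_bid: int,
                      port_id: int = 0x8001, msg_age: int = 0, max_age: int = 20,
                      hello: int = 2, fwd_delay: int = 15) -> bytes:
    """Protocol ID 0, version 0, type 0 (config), flags, Root ID, cost, Bridge ID,
    Port ID, then the four timers."""
    return struct.pack(BPDU_FMT, 0x0000, 0x00, 0x00, 0x00,
                       root_bid, root_cost, bridge_bid, port_id,
                       msg_age * TIMER_UNIT, max_age * TIMER_UNIT,
                       hello * TIMER_UNIT, fwd_delay * TIMER_UNIT)


def parse_config_bpdu(data: bytes) -> dict:
    if len(data) < struct.calcsize(BPDU_FMT):
        raise ValueError("truncated BPDU")
    (proto, version, btype, flags, root_bid, root_cost, bridge_bid, port_id,
     msg_age, max_age, hello, fwd_delay) = struct.unpack(BPDU_FMT, data[:35])
    if proto != 0 or btype != 0x00:
        raise ValueError("not an 802.1D configuration BPDU")
    root_prio, root_mac = split_bid(root_bid)
    br_prio, br_mac = split_bid(bridge_bid)
    return {"root_priority": root_prio, "root_mac": root_mac, "root_cost": root_cost,
            "bridge_priority": br_prio, "bridge_mac": br_mac, "port_id": port_id,
            "hello": hello / TIMER_UNIT, "max_age": max_age / TIMER_UNIT,
            "forward_delay": fwd_delay / TIMER_UNIT}


def claim_root_bid(current_root_bid: int) -> int:
    """Build a BID that beats the current root the way the page's capture shows:
    keep the root's priority field and advertise a slightly lower MAC
    (1c17.d34b.3e80 -> 1c17.d34a.3e80, i.e. the fourth octet decremented)."""
    prio, mac = split_bid(current_root_bid)
    mac_int = mac_to_int(mac)
    if mac_int < (1 << 16):
        raise ValueError("no lower MAC available by this method; use a lower priority")
    return (prio << 48) | (mac_int - (1 << 16))


def elect_root(bids) -> int:
    """Lowest Bridge ID wins."""
    return min(bids)


if __name__ == "__main__":
    sw1 = bridge_id(pvst_priority(32768, 1), "1c17.d34b.3e80")   # from the page
    sw2 = bridge_id(pvst_priority(32768, 1), "1c17.d34c.1a00")   # constructed MAC
    print(parse_config_bpdu(build_config_bpdu(sw1, 0, sw1)))    # SW1's own Hello
    rogue = claim_root_bid(sw1)
    print("spoofed BID", split_bid(rogue), "wins:", elect_root([sw1, sw2, rogue]) == rogue)
    hardened = bridge_id(pvst_priority(4096, 1), "1c17.d34b.3e80")   # SW1 at priority 4096
    print("priority 4096 beats the spoof:", elect_root([hardened, sw2, rogue]) == hardened)
    prio0 = bridge_id(pvst_priority(0, 1), "0000.0000.0001")        # attacker at priority 0
    print("priority 0 still wins:", elect_root([hardened, sw2, prio0]) == prio0)
```

Run it directly to print SW1's parsed Hello and the three elections. The last two lines are the caveat: lowering SW1's priority beats a spoof that merely undercuts the MAC, but not one that also advertises priority 0, which is why Root Guard and BPDU Guard, not a low priority, are the defence.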

3. Perform STP Attack and View Resulting Damage
Because configuration BPDUs (Hellos) are sent continuously on a timer (2 seconds by default), the election is re-run on the fly when a new device with a superior (lower) BID appears in the topology.

Switch Commands
SW1# debug spanning-tree events
Next, let’s attempt to manipulate the STP topology through bogus BPDU Injection.
Kali Commands
root@kali:~# yersinia -G
(Loads the graphical version of Yersinia)
1. Select STP tab for the type of attack

2. Under Description, we will select “Claiming Root Role”
- Yersinia will generate bogus BPDUs and attempt to become the Root Bridge

3. Select Ok to launch!
NOTE: Since we turned debugging on, we will see the STP event and results!

Wireshark Output:
Yersinia listened to the STP traffic and took note of the Root ID field in the current root's BPDUs. Remember the LOWEST BID WINS: since the priorities were left at the default value, Yersinia kept the same priority and spoofed a bridge MAC address just below SW1's:
- SW1 Address: 1c17.d34b.3e80
- Yersinia Address: 1c17.d34a.3e80
As a result, the entire STP topology has changed, with Yersinia as the Root Bridge!

Switch Commands
SW1# show spanning-tree vlan 1
With Yersinia as Root, both switches now select root ports toward the attacker, so traffic between SW1 and SW2 is forwarded across the segment the Kali host sits on and can be captured there. With a dual-homed NIC on the Kali system, bridging the two links turns this into a MITM attack. If the attacker's port has also been negotiated into a trunk, ALL VLANs could flow through here, OR VLANs could be pruned (Denial of Service attack).

4. Set appropriate Switchport Modes and Enable BPDU Guard
NOTE: Disconnect Kali from the switchport and allow STP to correct itself before continuing. As a reminder, STP (depending on the mode in use) can take up to 50 seconds to complete this process.
Let’s now take a moment to properly secure these switchports by defining their role on the device as an Access Port and protecting the integrity of STP with the BPDUGuard feature.
Switch Commands
SW1# config t
SW1(config)# int f0/4
SW1(config-if)# switchport mode access
This fixes the switchport’s purpose/mode (no DTP trunk negotiation with the attacker) and is the precondition for treating it as an edge port on which no STP traffic should be accepted.

SW1(config-if)# switchport access vlan <YourVLANofInterest>

SW1(config-if)# exit
SW1(config)# spanning-tree portfast bpduguard default
NOTE: The PortFast feature is used on access ports to cut the time a switchport spends reaching the forwarding state after link-up. The logic is that a switchport connecting an end device should never create a switching loop and can therefore forward immediately. The global bpduguard default command above only protects ports that are operating in PortFast mode, so the port needs spanning-tree portfast as well; the interface-level BPDUGuard command below applies regardless of PortFast.
The final step is enabling the BPDUGuard feature on the specific interface so that IF a BPDU frame is received, the port err-disables itself, requiring an administrator to restore it.
SW1(config)# int f0/4
SW1(config-if)# spanning-tree portfast
SW1(config-if)# spanning-tree bpduguard enable

SW1# show spanning-tree summary
5. Attempt STP Attack and View Results
Be sure debugging is still active on SW1 and plug the laptop back into switchport fa0/4 (or whichever port you configured with bpduguard enable). Start Yersinia, select STP and configure the attack exactly as in Step 3 (sub-steps 1 to 3).
Kali Commands
root@kali:~# yersinia -G
(Loads the graphical version of Yersinia)
1. Select STP tab for the type of attack

2. Under Description, we will select “Claiming Root Role”
- Yersinia will generate bogus BPDUs and attempt to become the Root Bridge
3. Select Ok to launch!

NOTE: Since we turned debugging on, we will see the STP event and results!
At this time, port fa0/4 has been err-disabled: the debug output and a %SPANTREE-2-BLOCK_BPDUGUARD log message show the received BPDU, and show interfaces status lists the port as err-disabled. An administrator must first shutdown the port (administratively down) and then no shutdown it (re-enable) to bring the port back to a functioning state, unless errdisable recovery cause bpduguard has been configured.

Switch Commands
SW1# config t
SW1(config)# int f0/4
SW1(config-if)# shutdown
SW1(config-if)# no shutdown
The port will now move through the listening > learning > forwarding states (about 30 seconds with default 802.1D timers) before returning to normal operation; a port configured with PortFast goes straight to forwarding instead. BPDU Guard stays in effect, so any further BPDU from the Kali host simply err-disables the port again.
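The events from Steps 3 and 5 also show up in the switch's syslog without debugging turned on. The following added example (not part of the original lab) classifies those lines with plain Python so they can be alerted on: a Root Bridge change to an unexpected MAC, or a root learned through an access port, is treated as critical, while BPDU Guard, err-disable and Root Guard hits are high. The log lines are constructed to follow the IOS message formats; the expected-root table and the access-port list are assumptions for the example.

```python
"""Detect the STP events from Steps 3 and 5 in Catalyst syslog output.

Added example, not part of the original lab. The sample log below is
constructed to match the IOS message formats (SPANTREE-5-ROOTCHANGE,
SPANTREE-2-BLOCK_BPDUGUARD, PM-4-ERR_DISABLE, SPANTREE-2-ROOTGUARD_BLOCK);
it is not a capture from the lab switches.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumed baseline for the example: SW1 (1c17.d34b.3e80) is the only legitimate
# root for VLAN 1, and Fa0/4 faces an end host, so no root should be learned there.
EXPECTED_ROOT_MAC = {1: "1c17.d34b.3e80"}
ACCESS_PORTS = {"FastEthernet0/4"}

MAC = r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"
PATTERNS = {
    "root_change": re.compile(
        r"%SPANTREE-5-ROOTCHANGE: Root Changed for vlan (?P<vlan>\d+): "
        r"New Root Port is (?P<port>\S+)\. New Root Mac Address is (?P<mac>" + MAC + ")"),
    "bpduguard": re.compile(
        r"%SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port (?P<port>\S+) with BPDU Guard enabled"),
    "errdisable": re.compile(
        r"%PM-4-ERR_DISABLE: (?P<cause>\w+) error detected on (?P<port>\S+),"),
    "rootguard": re.compile(
        r"%SPANTREE-2-ROOTGUARD_BLOCK: Root guard blocking port (?P<port>\S+) on VLAN(?P<vlan>\d+)"),
}


@dataclass
class Finding:
    kind: str
    port: str
    severity: str   # "info", "high" or "critical"
    detail: str


def analyze(line: str) -> Optional[Finding]:
    """Classify one syslog line; None for lines that are not STP security events."""
    for kind, pat in PATTERNS.items():
        m = pat.search(line)
        if not m:
            continue
        g = m.groupdict()
        if kind == "root_change":
            vlan = int(g["vlan"])
            expected = EXPECTED_ROOT_MAC.get(vlan)
            if g["mac"] != expected:
                return Finding(kind, g["port"], "critical",
                               f"vlan {vlan} root moved to unexpected bridge {g['mac']} (expected {expected})")
            if g["port"] in ACCESS_PORTS:
                return Finding(kind, g["port"], "critical",
                               f"vlan {vlan} root is being learned through an access port")
            return Finding(kind, g["port"], "info", f"vlan {vlan} root is {g['mac']} via {g['port']}")
        if kind == "bpduguard":
            return Finding(kind, g["port"], "high", "BPDU Guard tripped: a BPDU arrived on an access port")
        if kind == "errdisable":
            return Finding(kind, g["port"], "high", f"port err-disabled, cause {g['cause']}")
        return Finding(kind, g["port"], "high", f"Root Guard blocked a superior BPDU on VLAN {int(g['vlan'])}")
    return None


def scan(lines) -> List[Finding]:
    """Run analyze() over a log and keep only the findings."""
    return [f for f in (analyze(line) for line in lines) if f is not None]


# Constructed sample log: message formats follow IOS, timestamps and values are made up.
SAMPLE_LOG = """\
*Mar  1 00:12:41.115: %SPANTREE-5-ROOTCHANGE: Root Changed for vlan 1: New Root Port is FastEthernet0/4. New Root Mac Address is 1c17.d34a.3e80
*Mar  1 00:15:02.500: %SYS-5-CONFIG_I: Configured from console by console
*Mar  1 00:20:03.007: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port FastEthernet0/4 with BPDU Guard enabled. Disabling port.
*Mar  1 00:20:03.015: %PM-4-ERR_DISABLE: bpduguard error detected on Fa0/4, putting Fa0/4 in err-disable state
*Mar  1 00:25:10.000: %SPANTREE-2-ROOTGUARD_BLOCK: Root guard blocking port FastEthernet0/3 on VLAN0001.
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG.splitlines()):
        print(f"[{f.severity}] {f.kind} {f.port}: {f.detail}")
```

The first sample line is what SW1 logs during Step 3 (the attacker's MAC from the page becoming root through the Kali port) and is flagged critical on both counts; the BPDU Guard and err-disable lines are what Step 5 produces once the port is hardened. Point the script at the switch's syslog export, or feed the same regexes to your SIEM, and whitelist the real root MAC per VLAN rather than the single assumed entry used here.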