1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
|
.\" Man page for Yersinia
.\" =====================
.\" Authors: Alfredo and David
.\"
.\"
.\"
.TH "YERSINIA" "8" "$Date: 2017/08/23 08:10:00 $" "Yersinia v0.8" ""
.SH "NAME "
.B Yersinia
\- A Framework for layer 2 attacks
.SH "SYNOPSIS "
\fByersinia\fR
[\fB\-hVGIDd\fR] [\fB\-l\fR \fIlogfile\fR] [\fB\-c\fR \fIconffile\fR] \fIprotocol\fR [\-M] [\fIprotocol_options\fR]
.SH "DESCRIPTION "
.B yersinia
is a framework for performing layer 2 attacks. The following protocols have been implemented in Yersinia current version: \fISpanning Tree Protocol (STP)\fR, \fIVLAN Trunking Protocol (VTP)\fR, \fIHot Standby Router Protocol (HSRP)\fR, \fIDynamic Trunking Protocol (DTP)\fR, \fIIEEE 802.1Q\fR, \fIIEEE 802.1X\fR, \fICisco Discovery Protocol (CDP)\fR, \fIDynamic Host Configuration Protocol (DHCP)\fR, \fIInter-Switch Link Protocol (ISL)\fR and \fIMultiProtocol Label Switching (MPLS)\fR.
Some of the attacks implemented will cause a DoS in a network, other will help to perform any other more advanced attack, or both. In addition, some of them will be first released to the public since there isn't any public implementation.
Yersinia will definitely help both pen\-testers and network administrators in their daily tasks.
Some of the mentioned attacks are \fBDoS\fP attacks, so \fBTAKE CARE\fP about what you're doing because you can convert your network into an \fBUNSTABLE\fP one.
A lot of examples are given at this page \fBEXAMPLES\fP section, showing a real and useful program execution.
.SH "OPTIONS "
.IP "\fB\-h\fP, \fB\-\-help\fP"
Help screen.
.IP "\fB\-V\fP, \fB\-\-Version\fP"
Program version.
.IP "\fB\-G\fP"
Start a graphical GTK session.
.IP "\fB\-I\fP, \fB\-\-interactive\fP"
Start an interactive ncurses session.
.IP "\fB\-D\fP, \fB\-\-daemon\fP"
Start the network listener for remote admin (Cisco CLI emulation).
.IP "\fB\-d\fP"
Enable debug messages.
.IP "\fB\-l\fP \fIlogfile\fP"
Save the current session to the file \fIlogfile\fP. If \fIlogfile\fP exists, the data will be appended at the end.
.IP "\fB\-c\fP \fIconffile\fP"
Read/write configuration variables from/to \fIconffile\fP.
.IP "\fB\-M\fP"
Disable MAC spoofing.
.SH "PROTOCOLS"
The following protocols are implemented in \fByersinia\fR current version:
.IP "\fISpanning Tree Protocol (STP and RSTP)\fR"
.IP "\fICisco Discovery Protocol (CDP)\fR"
.IP "\fIHot Standby Router Protocol (HSRP)\fR"
.IP "\fIDynamic Host Configuration Protocol (DHCP)\fR"
.IP "\fIDynamic Trunking Protocol (DTP)\fR"
.IP "\fIIEEE 802.1Q\fR"
.IP "\fIVLAN Trunking Protocol (VTP)\fR"
.IP "\fIInter-Switch Link Protocol (ISL)\fR"
.IP "\fIIEEE 802.1X\fR"
.IP "\fIMultiProtocol Label Switching (MPLS)\fR"
.SH "PROTOCOLS OPTIONS"
.TP
\fBSpanning Tree Protocol (STP):\fR is a link management protocol that provides path redundancy while preventing undesirable loops in the network. The supported options are:
.IP "\fB\-version\fR \fIversion\fR
BPDU version (0 STP, 2 RSTP, 3 MSTP)
.IP "\fB\-type\fR \fItype\fR"
BPDU type (Configuration, TCN)
.IP "\fB\-flags\fR \fIflags\fR"
BPDU Flags
.IP "\fB\-id\fR \fIid\fR"
BPDU ID
.IP "\fB\-cost\fR \fIpathcost\fR"
BPDU root path cost
.IP "\fB\-rootid\fR \fIid\fR"
BPDU Root ID
.IP "\fB\-bridgeid\fR \fIid\fR"
BPDU Bridge ID
.IP "\fB\-portid\fR \fIid\fR"
BPDU Port ID
.IP "\fB\-message\fR \fIsecs\fR"
BPDU Message Age
.IP "\fB\-max-age\fR \fIsecs\fR"
BPDU Max Age (default is 20)
.IP "\fB\-hello\fR \fIsecs\fR"
BPDU Hello Time (default is 2)
.IP "\fB\-forward\fR \fIsecs\fR"
BPDU Forward Delay
.IP "\fB\-source\fR \fIhw_addr\fR"
Source MAC address
.IP "\fB\-dest\fR \fIhw_addr\fR"
Destination MAC address
.IP "\fB\-interface\fR \fIiface\fR"
Set network interface to use
.IP "\fB\-attack\fR \fIattack\fR"
Attack to launch
.TP
\fBCisco Discovery Protocol (CDP):\fR is a Cisco propietary Protocol which main aim is to let Cisco devices to communicate to each other about their device settings and protocol configurations. The supported options are:
.IP "\fB\-source\fR \fIhw_addr\fR"
MAC Source Address
.IP "\fB\-dest\fR \fIhw_addr\fR"
MAC Destination Address
.IP "\fB\-v\fR \fIversion\fR"
CDP Version
.IP "\fB\-ttl\fR \fIttl\fR"
Time To Live
.IP "\fB\-devid\fR \fIid\fR"
Device ID
.IP "\fB\-address\fR \fIaddress\fR"
Device Address
.IP "\fB\-port\fR \fIid\fR"
Device Port
.IP "\fB\-capability\fR \fIcap\fR"
Device Capabilities
.IP "\fB\-version\fR \fIversion\fR"
Device IOS Version
.IP "\fB\-duplex\fR \fI0|1\fR"
Device Duplex Configuration
.IP "\fB\-platform\fR \fIplatform\fR"
Device Platform
.IP "\fB\-ipprefix\fR \fIip\fR"
Device IP Prefix
.IP "\fB\-phello\fR \fIhello\fR"
Device Protocol Hello
.IP "\fB\-mtu\fR \fImtu\fR"
Device MTU
.IP "\fB\-vtp_mgm_dom\fR \fIdomain\fR"
Device VTP Management Domain
.IP "\fB\-native_vlan\fR \fIvlan\fR"
Device Native VLAN
.IP "\fB\-voip_vlan_r\fR \fIreq\fR"
Device VoIP VLAN Reply
.IP "\fB\-voip_vlan_q\fR \fIquery\fR"
Device VoIP VLAN Query
.IP "\fB\-t_bitmap\fR \fIbitmap\fR"
Device Trust Bitmap
.IP "\fB\-untrust_cos\fR \fIcos\fR"
Device Untrusted CoS
.IP "\fB\-system_name\fR \fIname\fR"
Device System Name
.IP "\fB\-system_oid\fR \fIoid\fR"
Device System ObjectID
.IP "\fB\-mgm_address\fR \fIaddress\fR"
Device Management Address
.IP "\fB\-location\fR \fIlocation\fR"
Device Location
.IP "\fB\-attack\fR \fIattack\fR"
Attack to launch
.TP
\fBHot Standby Router Protocol (HSRP):\fR
.IP "\fB\-source\fR \fIhw_addr\fR"
Source MAC address
.IP "\fB\-dest\fR \fIhw_addr\fR"
Destination MAC address
.IP "\fB\-interface\fR \fIiface\fR"
Set network interface to use
.IP "\fB\-attack\fR \fIattack\fR"
Attack to launch
.TP
\fBInter-Switch Link Protocol (ISL):\fR
.IP "\fB\-source\fR \fIhw_addr\fR"
Source MAC address
.IP "\fB\-dest\fR \fIhw_addr\fR"
Destination MAC address
.IP "\fB\-interface\fR \fIiface\fR"
Set network interface to use
.IP "\fB\-attack\fR \fIattack\fR"
Attack to launch
.TP
\fBVLAN Trunking Protocol (VTP):\fR
.IP "\fB\-source\fR \fIhw_addr\fR"
Source MAC address
.IP "\fB\-dest\fR \fIhw_addr\fR"
Destination MAC address
.IP "\fB\-interface\fR \fIiface\fR"
Set network interface to use
.IP "\fB\-attack\fR \fIattack\fR"
Attack to launch
.TP
\fBDynamic Host Configuration Protocol (DHCP):\fR
.IP "\fB\-source\fR \fIhw_addr\fR"
Source MAC address
.IP "\fB\-dest\fR \fIhw_addr\fR"
Destination MAC address
.IP "\fB\-interface\fR \fIiface\fR"
Set network interface to use
.IP "\fB\-attack\fR \fIattack\fR"
Attack to launch
.TP
\fBIEEE 802.1Q:\fR
.IP "\fB\-source\fR \fIhw_addr\fR"
Source MAC address
.IP "\fB\-dest\fR \fIhw_addr\fR"
Destination MAC address
.IP "\fB\-interface\fR \fIiface\fR"
Set network interface to use
.IP "\fB\-attack\fR \fIattack\fR"
Attack to launch
.TP
\fBDynamic Trunking Protocol (DTP):\fR
.IP "\fB\-source\fR \fIhw_addr\fR"
Source MAC address
.IP "\fB\-dest\fR \fIhw_addr\fR"
Destination MAC address
.IP "\fB\-interface\fR \fIiface\fR"
Set network interface to use
.IP "\fB\-attack\fR \fIattack\fR"
Attack to launch
.TP
\fBIEEE 802.1X:\fR
.IP "\fB\-version\fR \fIarg\fR"
Version
.IP "\fB\-type\fR \fIarg\fR"
xxxx
.IP "\fB\-eapcode\fR \fIarg\fR"
xxxx
.IP "\fB\-eapid\fR \fIarg\fR"
xxxx
.IP "\fB\-eaptype\fR \fIarg\fR"
xxxx
.IP "\fB\-eapinfo\fR \fIarg\fR"
xxx
.IP "\fB\-interface\fR \fIarg\fR"
xxxx
.IP "\fB\-source\fR \fIhw_addr\fR"
Source MAC address
.IP "\fB\-dest\fR \fIhw_addr\fR"
Destination MAC address
.IP "\fB\-interface\fR \fIiface\fR"
Set network interface to use
.IP "\fB\-attack\fR \fIattack\fR"
Attack to launch
.TP
\fBMultiProtocol Label Switching (MPLS):\fR
.IP "\fB\-source\fR \fIhw_addr\fR"
Source MAC address
.IP "\fB\-dest\fR \fIhw_addr\fR"
Destination MAC address
.IP "\fB\-interface\fR \fIiface\fR"
Set network interface to use
.IP "\fB\-attack\fR \fIattack\fR"
Attack to launch
.IP "\fB\-label1\fR \fIarg\fR"
Set MPLS Label
.IP "\fB\-exp1\fR \fIarg\fR"
Set MPLS Experimental bits
.IP "\fB\-bottom1\fR \fIarg\fR"
Set MPLS Bottom Of Stack flag
.IP "\fB\-ttl1\fR \fIarg\fR"
Set MPLS Time To Live
.IP "\fB\-label2\fR \fIarg\fR"
Set MPLS Label (second header)
.IP "\fB\-exp2\fR \fIarg\fR"
Set MPLS Experimental bits (second header)
.IP "\fB\-bottom2\fR \fIarg\fR"
Set MPLS Bottom Of Stack flag (second header)
.IP "\fB\-ttl2\fR \fIarg\fR"
Set MPLS Time To Live (second header)
.IP "\fB\-ipsource\fR \fIipv4\fR"
Source IP
.IP "\fB\-portsource\fR \fIport\fR"
Source TCP/UDP port
.IP "\fB\-ipdest\fR \fIipv4\fR"
Destination IP
.IP "\fB\-portdest\fR \fIport\fR"
Destination TCP/UDP port
.IP "\fB\-payload\fR \fIASCII\fR"
ASCII IP payload
.SH "ATTACKS"
.TP
\fBAttacks Implemented in STP:\fR
.IP " 0: NONDOS attack sending conf BPDU"
.IP " 1: NONDOS attack sending tcn BPDU"
.IP " 2: DOS attack sending conf BPDUs"
.IP " 3: DOS attack sending tcn BPDUs"
.IP " 4: NONDOS attack Claiming Root Role"
.IP " 5: NONDOS attack Claiming Other Role"
.IP " 6: DOS attack Claiming Root Role with MiTM"
.TP
\fBAttacks Implemented in CDP:\fR
.IP " 0: NONDOS attack sending CDP packet"
.IP " 1: DOS attack flooding CDP table"
.IP " 2: NONDOS attack Setting up a virtual device"
.TP
\fBAttacks Implemented in HSRP:\fR
.IP " 0: NONDOS attack sending raw HSRP packet"
.IP " 1: NONDOS attack becoming ACTIVE router"
.IP " 2: NONDOS attack becoming ACTIVE router (MITM)"
.TP
\fBAttacks Implemented in DHCP:\fR
.IP " 0: NONDOS attack sending RAW packet"
.IP " 1: DOS attack sending DISCOVER packet"
.IP " 2: NONDOS attack creating DHCP rogue server"
.IP " 3: DOS attack sending RELEASE packet"
.TP
\fBAttacks Implemented in DTP:\fR
.IP " 0: NONDOS attack sending DTP packet"
.IP " 1: NONDOS attack enabling trunking"
.TP
\fBAttacks Implemented in 802.1Q:\fR
.IP " 0: NONDOS attack sending 802.1Q packet"
.IP " 1: NONDOS attack sending 802.1Q double enc. packet"
.IP " 2: DOS attack sending 802.1Q arp poisoning"
.TP
\fBAttacks Implemented in VTP:\fR
.IP " 0: NONDOS attack sending VTP packet"
.IP " 1: DOS attack deleting all VTP vlans"
.IP " 2: DOS attack deleting one vlan"
.IP " 3: NONDOS attack adding one vlan"
.IP " 4: DOS attack crashing Catalyst"
.TP
\fBAttacks Implemented in 802.1X:\fR
.IP " 0: NONDOS attack sending 802.1X packet"
.IP " 1: NONDOS attack Mitm 802.1X with 2 interfaces"
.TP
\fBAttacks Implemented in MPLS:\fR
.IP " 0: NONDOS attack sending TCP MPLS packet"
.IP " 1: NONDOS attack sending TCP MPLS with double header"
.IP " 2: NONDOS attack sending UDP MPLS packet"
.IP " 3: NONDOS attack sending UDP MPLS with double header"
.IP " 4: NONDOS attack sending ICMP MPLS packet"
.IP " 5: NONDOS attack sending ICMP MPLS with double header"
.TP
\fBAttacks Implemented in ISL:\fR
.IP " None at the moment"
.SH "GTK GUI"
The \fIGTK GUI\fR (\fB\-G\fR) is a GTK graphical interface with all of the \fByersinia\fR powerful features and a professional 'look and feel'.
.SH "NCURSES GUI"
The \fIncurses GUI\fR (\fB\-I\fR) is a ncurses (or curses) based console where the user can take advantage of \fByersinia\fR powerful features.
Press \fI'h'\fR to display the Help Screen and enjoy your session :)
.SH "NETWORK DAEMON"
The \fINetwork Daemon\fR (\fB\-D\fR) is a telnet based server (ala Cisco mode) that listens by default in port 12000/tcp waiting for incoming telnet connections.
It supports a CLI similar to a Cisco device where the user (once authenticated) can display different settings and can launch attacks without having \fByersinia\fR running in her own machine (specially useful for Windows users).
.SH "EXAMPLES"
\- Send a Rapid Spanning-Tree BPDU with port role designated, port state agreement, learning and port id 0x3000 to eth1:
\fByersinia stp \-attack 0 \-version 2 \-flags 5c \-portid 3000 \-interface eth1\fP
\- Start a Spanning-Tree nonDoS root claiming attack in the first nonloopback interface
(keep in mind that this kind of attack will use the first BPDU on the
network interface to fill in the BPDU fields properly):
\fByersinia stp \-attack 4\fP
\- Start a Spanning-Tree DoS attack sending TCN BPDUs in the eth0 interface with MAC address
66:66:66:66:66:66:
\fByersinia stp \-attack 3 \-source 66:66:66:66:66:66\fP
.SH "SEE ALSO "
The README file contains more in\-depth documentation about the attacks.
.SH "COPYRIGHT "
Yersinia is Copyright (c)
.SH "BUGS "
Lots
.SH "AUTHORS "
Alfredo Andres Omella <aandreswork@hotmail.com>
.br
David Barroso Berrueta <tomac@yersinia.net>
|
