STP attack and defense
<blockquote data-quote="Dr. Smile" data-source="post: 391" data-attributes="member: 19"><p>The topic of today's article is "<strong>STP attack and protection</strong>". STP has its pros and cons. Next, we will look at how you can take advantage of the features of STP to attack STP. Finally, let's talk about protecting STP from attacks.</p>
<p>We will not retell what the Internet already says about the STP protocol; let's get down to business right away.</p>
<p><strong>STP attack</strong></p>
<p>To attack and protect STP, you will need a test bench.</p>
<p><img src="https://sun9-10.userapi.com/impg/3T3_IrB7Bd_TEBjXhqVlc63tZt_TVA-AlhbYlA/jfONltQ6jUI.jpg?size=606x379&quality=96&sign=d5c9567f82bd0106ef2df84eab629fd3&type=album" alt="jfONltQ6jUI.jpg" class="fr-fic fr-dii fr-draggable " style="" /></p>
<p>This example shows a portion of the standard topology that is most commonly used in an enterprise segment. SW1 acts as the root bridge; SW2 and SW3 are non-root switches. Ports SW1 0/0, 0/1; SW2 0/1, 0/3; SW3 0/0, 0/2 are used for traffic, while 0/0 and 0/1 on SW2 and SW3 are blocked to avoid loops.</p>
<p>The traffic goes along the path SW2 - SW1 - SW3. After that, we connect our Linux machine to the two access switches SW2 and SW3 and notice that we are receiving STP messages.</p>
<p><img src="https://sun9-55.userapi.com/impg/eZAT4pUd-khufdN0eoGoszBqXq5GLABJVQfrtw/gEXRi0h1KDg.jpg?size=606x267&quality=96&sign=990370767451b947a6582132d8c2d0a4&type=album" alt="gEXRi0h1KDg.jpg" class="fr-fic fr-dii fr-draggable " style="" /></p>
<p>These messages mean that the STP protocol on the switches is running and is not blocked on the ports connected to us. Let's combine our interfaces into a bridge so that traffic goes through our device, launch the Yersinia framework and see that STP is available to us on both interfaces.</p>
<p><img src="https://sun9-20.userapi.com/impg/mnGumVC0C7Df43mW09sDotdWQxFoSIETJNA5zA/GKcGQZP8L3I.jpg?size=606x144&quality=96&sign=3e861b1d762a5216306920ab312bf098&type=album" alt="GKcGQZP8L3I.jpg" class="fr-fic fr-dii fr-draggable " style="" /></p>
<p>We start the attack and choose the Claiming Root Role attack type, which means that we will start advertising ourselves as a switch with a lower priority, which will force the STP tree to rebuild.</p>
<p><img src="https://sun9-63.userapi.com/impg/lL7gMQZvjkAgD7tTTo3zeJY7FbGKPipLHELvNQ/R5FnrK3fyLY.jpg?size=485x301&quality=96&sign=1e5faa3770661dc4a4bef1d5b4b60542&type=album" alt="R5FnrK3fyLY.jpg" class="fr-fic fr-dii fr-draggable " style="" /></p>
<p>As expected, we became the root switch for our network segment and now we can see the traffic that previously went through SW1:</p>
<p><strong>SW2-LINUX-SW3</strong></p>
<pre>SW1# show spanning-tree
VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    8193
             Address     aabb.cc00.0f00
             Cost        300
             Port        2 (Ethernet0/1)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    8193   (priority 8192 sys-id-ext 1)
             Address     aabb.cc00.1000
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  15  sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Et0/0               Altn BLK 100       128.1    Shr
Et0/1               Root FWD 100       128.2    Shr
</pre>
<p><strong>SW2</strong></p>
<pre>SW2# show spanning-tree
VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    8193
             Address     aabb.cc00.0f00
             Cost        200
             Port        3 (Ethernet0/2)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     aabb.cc00.2000
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  15  sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Et0/0               Desg FWD 100       128.1    Shr
Et0/1               Desg FWD 100       128.2    Shr
Et0/2               Root FWD 100       128.3    Shr
Et0/3               Desg FWD 100       128.4    Shr

SW3# show spanning-tree
VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    8193
             Address     aabb.cc00.0f00
             Cost        200
             Port        4 (Ethernet0/3)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     aabb.cc00.3000
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  15  sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Et0/0               Desg FWD 100       128.1    Shr
Et0/1               Altn BLK 100       128.2    Shr
Et0/2               Desg FWD 100       128.3    Shr
Et0/3               Root FWD 100       128.4    Shr
</pre>
<p>To check, let's run a ping:</p>
<pre>R4# ping 192.168.0.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.5, timeout is 2 seconds:
.!!!!
</pre>
<p>We can see that all ICMP packets have gone through our machine.</p>
<p><img src="https://sun9-17.userapi.com/impg/WTfX39eOWXt0QjVPUpHxWtfdRbboH9Lz6gNDNA/kLI2Nlr0-nU.jpg?size=606x181&quality=96&sign=8d5effddb300f0de613903e9d0afa465&type=album" alt="kLI2Nlr0-nU.jpg" class="fr-fic fr-dii fr-draggable " style="" /></p>
<p>ICMP packets go through our computer</p>
<p>ICMP in this case is used solely for clarity; in this way you can intercept any traffic by changing the structure built by STP.</p>
<p>Next, we will look at other types of STP attacks that can be implemented using Yersinia.</p>
<p><img src="https://sun9-63.userapi.com/impg/lL7gMQZvjkAgD7tTTo3zeJY7FbGKPipLHELvNQ/R5FnrK3fyLY.jpg?size=485x301&quality=96&sign=1e5faa3770661dc4a4bef1d5b4b60542&type=album" alt="R5FnrK3fyLY.jpg" class="fr-fic fr-dii fr-draggable " style="" /></p>
<p><strong>Sending conf BPDU</strong> - we will send a BPDU once, which will force the switches in our L2 segment to rebuild the tree and then return to the original scheme, since BPDUs are no longer sent from our machine.</p>
<p>The root bridge sends a configuration BPDU at an interval of two seconds, which specifies the main parameters: for example, the priority of the current switch, its MAC, the MAC of the interface from which the BPDU was sent, and information about whether the FLUSH mechanism needs to be started to flush CAM tables. Since in this scenario we tried to impersonate the root bridge, we send the configuration BPDU with a priority equal to the priority of the current RB, but with a lower MAC.</p>
<p><strong>Sending TCN BPDU</strong> will force the root bridge to start the mechanism for clearing CAM tables of MAC addresses from which no traffic has arrived for more than 15 seconds.</p>
<p>By default, the time that a MAC address is stored in the table is 300 seconds. When the state of a port changes (for example, UP/DOWN), the switch participating in STP must send a TCN (topology change notification) service frame towards the root bridge to notify it that a change has occurred in the network. The rest of the switches do not know which MAC addresses were behind this port of a particular switch, as a result of which the process of flushing the CAM table starts. All addresses that have not been learned within 15 seconds will be deleted. This kind of attack allows us to increase the load on the network and the CPU of the switches. TCN is sent once.</p>
<p><strong>Example of Resetting CAM Table Timer on Receiving TC BPDU</strong></p>
<pre>SW1# show spanning-tree
VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    8193
             Address     aabb.cc00.1000
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    8193   (priority 8192 sys-id-ext 1)
             Address     aabb.cc00.1000
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300 sec
</pre>
<p>After sending the TCN BPDU:</p>
<pre>SW1# show spanning-tree
VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    8193
             Address     aabb.cc00.1000
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    8193   (priority 8192 sys-id-ext 1)
             Address     aabb.cc00.1000
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  15  sec
</pre>
<p><strong>Sending conf BPDUs and Sending TCN BPDUs</strong> do all of the above, but in DoS format. That is, when sending configuration BPDUs and topology change BPDUs continuously, the network starts to “storm” and the switch CPU is heavily loaded.</p>
<p><strong>Counter of received BPDUs</strong></p>
<pre>SW2# show spanning-tree interface ethernet 0/2 detail
 Port 3 (Ethernet0/2) of VLAN0001 is designated forwarding
   Port path cost 100, Port priority 128, Port Identifier 128.3.
   Designated root has priority 8193, address aabb.cc00.1000
   Designated bridge has priority 32769, address aabb.cc00.2000
   Designated port id is 128.3, designated path cost 100
   Hello is pending, Topology change is set
   Timers: message age 0, forward delay 0, hold 0
   Number of transitions to forwarding state: 1
   Link type is shared by default
   BPDU: sent 2330, received 6650463
</pre>
<p><strong>Claiming root, other role and claiming root role with MITM</strong> are attacks similar to our example: by changing the priority or MAC, we can rebuild the current STP tree.</p>
<p><strong>STP protection</strong></p>
<p>The STP protocol contains mechanisms that allow you to suppress the emergence of new devices as a root bridge, block ports that received BPDUs, or enable full BPDU filtering.</p>
<p>In this article, we review the principles and commands used on Cisco equipment.</p>
<h4>Root guard</h4>
<p>Upon receiving a better BPDU than the current one, the interface receiving this BPDU will be put into root-inconsistent mode.</p>
<pre>SW2(config)#interface ethernet 0/2
SW2(config-if)#spanning-tree guard root
</pre>
<p>Port state when receiving a BPDU:</p>
<pre>*Aug  1 13:58:03.304: %SPANTREE-2-ROOTGUARD_CONFIG_CHANGE: Root guard enabled on port Ethernet0/2.
SW2# show spanning-tree interface ethernet 0/2

Vlan                Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
VLAN0001            Desg BKN*100       128.3    Shr *ROOT_Inc
</pre>
<p>It is easy to guess that when using this function, an attack using the framework will not be available.</p>
<p><strong>BPDU guard</strong></p>
<p>Allows you to restrict the L2 domain. Upon receipt of any BPDU, the port is placed in the err-disable (BPDU guard) error state.</p>
<pre>SW2(config)#interface ethernet 0/2
SW2(config-if)#spanning-tree bpduguard enable
</pre>
<p>After receiving a BPDU on a port with the BPDU guard function:</p>
<pre>*Aug  1 15:12:50.120: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port Et0/2 with BPDU Guard enabled. Disabling port.
SW2#
*Aug  1 15:12:50.120: %PM-4-ERR_DISABLE: bpduguard error detected on Et0/2, putting Et0/2 in err-disable state
*Aug  1 15:12:51.120: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0/2, changed state to down
*Aug  1 15:12:52.120: %LINK-3-UPDOWN: Interface Ethernet0/2, changed state to down
SW2# show interfaces ethernet 0/2
Ethernet0/2 is down, line protocol is down (err-disabled)
</pre>
<p><strong>BPDU filter</strong></p>
<p>BPDU filter neither sends nor receives BPDUs on the port. In other words, STP is disabled on this interface.</p>
<pre>SW2(config-if)#spanning-tree bpdufilter enable
</pre>
<p>It is easy to guess that when using these functions, attacks using the framework will not be available.</p>
<p><strong>Conclusion</strong></p>
<p>It is this easy, without resorting to complex schemes, to intercept traffic on the network. STP is a fairly simple protocol with no security features by default. Many people neglect to install protective mechanisms in the L2 domain, which can lead to rather serious consequences. Since STP eliminates loops and does not force all traffic to go through the RB, it is necessary to accurately determine the direction of traffic and the attack vector.</p></blockquote>
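The two protection conditions in the post above (root guard reacting to a superior BPDU, BPDU guard reacting to any BPDU on an end-host port) can also be checked from a passive capture. The following Python is an added example, not code from Dr. Smile's post or from Yersinia: it parses raw IEEE 802.1D BPDU payloads (the bytes after the LLC header 42 42 03) and alerts when a BPDU arrives on a port that should only face end hosts, or advertises a root bridge ID lower than the expected one. The expected root (priority 8193, aabb.cc00.1000), the rogue MAC aabb.cc00.0f00 and the port names come from the post; treating Et0/2 as an access port is an assumption, and the BPDU byte strings are constructed for the example, not captured.

```python
"""Passive check of STP BPDUs for the conditions root guard and BPDU guard act on."""
import struct
from dataclasses import dataclass

# Configuration BPDU body after the 4-byte header (protocol id, version, type): flags,
# root ID (priority 2 + MAC 6), root path cost, bridge ID, port ID, then four timers.
_CONFIG_FMT = "!B2s6sI2s6sHHHHH"
_CONFIG_LEN = 4 + struct.calcsize(_CONFIG_FMT)  # 35 bytes
BPDU_CONFIG, BPDU_TCN = 0x00, 0x80

@dataclass
class Bpdu:
    bpdu_type: int
    flags: int = 0
    root_id: int = 0    # 64-bit priority||MAC; numerically lower is "better"
    root_path_cost: int = 0
    bridge_id: int = 0
    port_id: int = 0

def bridge_id(priority: int, mac: str) -> int:
    """64-bit bridge ID from a priority such as 8193 and a Cisco-style MAC 'aabb.cc00.1000'."""
    return (priority << 48) | int(mac.replace(".", ""), 16)

def fmt_bridge_id(bid: int) -> str:
    """Render a bridge ID as 'show spanning-tree' does: '8193 aabb.cc00.1000'."""
    h = f"{bid & 0xFFFFFFFFFFFF:012x}"
    return f"{bid >> 48} {h[:4]}.{h[4:8]}.{h[8:]}"

def parse_bpdu(payload: bytes) -> Bpdu:
    """Parse an STP BPDU payload (the bytes following the LLC header 42 42 03)."""
    if len(payload) < 4:
        raise ValueError("BPDU too short")
    proto, _version, bpdu_type = struct.unpack("!HBB", payload[:4])
    if proto != 0:
        raise ValueError(f"not an STP BPDU (protocol id {proto:#06x})")
    if bpdu_type == BPDU_TCN:
        return Bpdu(BPDU_TCN)  # a TCN carries no further fields
    if bpdu_type != BPDU_CONFIG or len(payload) < _CONFIG_LEN:
        raise ValueError(f"unsupported or truncated BPDU type {bpdu_type:#04x}")
    flags, rprio, rmac, cost, bprio, bmac, port_id, *_timers = struct.unpack(
        _CONFIG_FMT, payload[4:_CONFIG_LEN])
    return Bpdu(BPDU_CONFIG, flags, int.from_bytes(rprio + rmac, "big"), cost,
                int.from_bytes(bprio + bmac, "big"), port_id)

def inspect(port: str, payload: bytes, expected_root: int, access_ports: frozenset) -> list:
    """Alert strings for one BPDU seen on `port`; an empty list means nothing suspicious."""
    bpdu, alerts = parse_bpdu(payload), []
    if port in access_ports:
        # BPDU guard condition: an end-host port must never source a BPDU of any type.
        alerts.append(f"{port}: BPDU type {bpdu.bpdu_type:#04x} received on access port")
    if bpdu.bpdu_type == BPDU_CONFIG and bpdu.root_id < expected_root:
        # Root guard condition: a root ID lower than the known root would re-root the tree.
        alerts.append(f"{port}: superior root {fmt_bridge_id(bpdu.root_id)} advertised, "
                      f"expected {fmt_bridge_id(expected_root)}")
    return alerts

# From the post: SW1 is root (priority 8193, aabb.cc00.1000) and the Linux box sat on
# SW2 Et0/2. Treating Et0/2 as an access port is an assumption made for this example.
EXPECTED_ROOT = bridge_id(8193, "aabb.cc00.1000")
ACCESS_PORTS = frozenset({"Et0/2"})

# Constructed sample payloads (not captures): SW1's normal root BPDU, a BPDU claiming
# root with the same priority but the lower MAC aabb.cc00.0f00, and a bare TCN.
LEGIT_BPDU = bytes.fromhex("0000 00 00 00 2001aabbcc001000 00000000 2001aabbcc001000 8001 0000 1400 0200 0f00")
ROGUE_BPDU = bytes.fromhex("0000 00 00 00 2001aabbcc000f00 00000000 2001aabbcc000f00 8001 0000 1400 0200 0f00")
TCN_BPDU = bytes.fromhex("0000 00 80")

def demo() -> dict:
    """Run the three samples through inspect() and return the alerts keyed by sample name."""
    return {name: inspect(port, pdu, EXPECTED_ROOT, ACCESS_PORTS) for name, port, pdu in (
        ("legit on uplink", "Et0/3", LEGIT_BPDU),
        ("rogue on access", "Et0/2", ROGUE_BPDU),
        ("tcn on access", "Et0/2", TCN_BPDU))}
```

Run over a live feed, the same `inspect()` call would sit behind a BPDU capture filter (LLC DSAP/SSAP 0x42) on the monitoring port, with `access_ports` taken from the switch's own port roles.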