how to hack a layer 2 network- DTP and VTP attack

src

In today's networks, there are many different types of networking protocols exist today. but there always comes a risk of attackers who are always finding new ways to exploit networks get inside whether it’s layer 2 or layer4-7 it doesn’t matter. So with these types of increasing attacks, there always comes a need for education. So being all that said let's see how you can take down a layer 2 network using yersinia. The information given in this blog is only for educational purposes, try this only in networks you own.

yersinia is a framework mainly designed to attack layer 2 protocols. It is programmed to take advantage of various layer 2 protocols using their weaknesses and exploit them. The tool can also be used for testing and analyzing the network.

below is the list of protocols yersinia can attack.

  • Spanning Tree Protocol (STP)

yersinia is already available in the latest versions of Kali Linux, or you can git clone it from https://github.com/tomac/yersinia

In this blog I'm going to write on DTP and VTP attacks, I'm going to show you how attackers can take down a network by using these attacks.

First, let's understand how this attack works.

Let's say you’re in a different VLAN than the target you wanna attack and also if the switch is poorly configured as shown in fig1 below.

fig1: simple network topology

Here in our case, the switch is not secured attacker can send DTP packets using yersinia to form a trunk on that path to switch so he can access all the VLAN information through that trunk link. (It’s a router on a stick for VLAN routing)

to perform this attack in Yersinia go to the terminal type the following commands

You must be root to run yersinia 0.8.2

you can access the Yersinia help menu with

┌──(root💀kali)-[/home]
└─# yersinia -h
۲�۲��
�������۲�
۲��������۲�
�����۱����������
����۱������������
����۱������������� Yersinia…
������������������۲��
۲���۱��������������۲�� The Black Death for nowadays networks
������۱�����������������
�������۱���������������۲� by Slay & tomac
۲�����۱�������������������
�����۱������������������� http://www.yersinia.net
۲����۱���������������۲ yersinia@yersinia.net
۲�����۱���������������
�������۱����������۲�
�۲���������۱������� Prune your MSTP, RSTP, STP trees!!!!
�������������۲�
Usage: yersinia [-hVGIDd] [-l logfile] [-c conffile] protocol [protocol_options]
-V Program version.
-h This help screen.
-G Graphical mode (GTK).
-I Interactive mode (ncurses).
-D Daemon mode.
-d Debug.
-l logfile Select logfile.
-c conffile Select config file.
protocol One of the following: cdp, dhcp, dot1q, dot1x, dtp, hsrp, isl, mpls, stp, vtp.
Try ‘yersinia protocol -h’ to see protocol_options helpPlease, see the man page for a full list of options and many examples.
Send your bugs & suggestions to the Yersinia developers <yersinia@yersinia.net>
MOTD: Having lotto fun with my Denon AVC-A11XVA… :)

to access Yersinia GUI use the following command

┌──(root💀kali)-[/home]
└─# yersinia -G

Yersinia will open a graphical user interface select DTP, you can configure options (or put it default)

make sure you’re in working on the correct interface by tapping on Edit Interface

Click on launch attack > enable trunking >OK

Yersinia will send the DTP packets to the switch to form the trunk link as shown in fig2.

fig2: DTP packets sent from attacker

it will convert the port from access port to trunk port as seen in fig3

fig3: access port converted to a trunk port

Now as the link between the attacker and the switch is trunk link the attacker can make use of other protocols such as VTP, STP, and DHCP (we will see DHCP starvation attack in later blogs)

Here we're going to make use of VTP to take our target off the network by deleting the vlan20 or you can delete all VLANS (just imagine how dangerous this attack can be if you don’t take proper security precautions.)

in yersinia you go to VTP select delete one VLAN in our case,> press OK > add the VLAN ID 20 here.

the VTP packets will be sent from the attacker to the switch as shown in the following fig.

fig: attacker sending VTPpackets to switch

now that we’ve sent the VTP frames to delete vlan20 switch will delete VLAN20 as shown in the following fig.

fig: the VLAN20 removed from the switch

So this is how an attacker can bring down a non-protected network to its knees. Security precautions must be taken before bringing it into production environments.

So let's see how you can avoid these kinds of nasty scenarios happening to your network.

  • Turn off unused ports on switches, switch ports are enabled by default so make sure you disable unused ports on your switch.

Thanks for reading my post see you in the next one.

I'm a cybersecurity aspirant currently working on my skills, wannabe hacker.