Attacks on the layer two of the OSI model (V): Dynamic Trunking Protocol

Dynamic Trunking Protocol (DTP) is a proprietary Cisco protocol that establishes trunks between layer two switches. DTP packets are normally sent to the destination MAC 01:00:0C:CC:CC:CC in an IEEE 802.3 frame carrying an 802.2 SNAP header. The protocol is available in most Cisco switches, excluding the XL models.

DTP is enabled by default in Cisco devices, ready to negotiate on every switch port. However, in order to establish a trunk it is necessary to know how to negotiate DTP, and the DTP specification is Cisco proprietary (not public), which makes this harder. The authors of the article were therefore forced to reverse engineer the traffic exchanged between two switches setting up a trunk in order to find out what the DTP format is.

DTP negotiates both trunk activation and the encapsulation type used to send and receive traffic through a given port. The most common encapsulation is IEEE 802.1Q, supported by most Cisco switches; its specification is a public standard.

ISL can also be used; it is a Cisco proprietary protocol supported only by high-end Cisco devices. The main purpose of the encapsulation is to tag each packet with its VLAN, which tells the switches where to send it.

DTP uses no sender authentication and, as we already mentioned, it is enabled by default on all ports. The only requirement is being able to negotiate DTP: if we can, we gain access to other VLANs. In order to learn how to negotiate DTP it is first necessary to know the DTP packet format:

  • Domain (32 bytes): ASCII string identical to the configured VTP domain.
  • Status (1 byte): port status: on, off, desirable or auto; the default is desirable, so we can start negotiating DTP.
  • Type (1 byte): supported encapsulation type: ISL, 802.1Q, negotiated (ISL or 802.1Q) or native.
  • Neighbor-ID (6 bytes): identifies the device sending the packet; usually the MAC address of the port.

The first step of DTP negotiation in Cisco devices is sending three packets, one per second, announcing the trunking status and the encapsulation type required. After that, a DTP packet is sent every 30 seconds. Yersinia implements this behaviour in a thread dedicated to the task. It is also necessary to monitor the status of the other device so that our own status can be changed when needed; this is done with a loop that receives DTP packets and, after a few checks, adjusts Yersinia's DTP status to match the other device.
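The following is an added example, not code from the article or from Yersinia. It decodes a DTP payload laid out exactly as the field list above describes (Domain, Status, Type, Neighbor-ID) and then applies the standard Cisco DTP outcome rules to answer the question a defender cares about: given the administrative mode of the local port, would the sender of this frame be able to negotiate a trunk? The numeric codes used for the status and type bytes are an assumption made for this example (the article names the values but gives no encodings), and the sample frame is constructed, not a real capture.

```python
from dataclasses import dataclass

# Field layout as described in the article: Domain (32 bytes), Status (1 byte),
# Type (1 byte), Neighbor-ID (6 bytes), in that order.
DOMAIN_LEN = 32
DTP_LEN = DOMAIN_LEN + 1 + 1 + 6  # 40 bytes

# ASSUMED numeric codes for this example: the article only names the values.
STATUS_CODES = {0x01: "on", 0x02: "off", 0x03: "desirable", 0x04: "auto"}
ENCAP_CODES = {0x01: "native", 0x02: "isl", 0x03: "802.1q", 0x04: "negotiated"}


@dataclass
class DtpPacket:
    domain: str
    status: str
    encap: str
    neighbor_id: str


def parse_dtp(payload: bytes) -> DtpPacket:
    """Decode the DTP fields from the payload that follows the SNAP header."""
    if len(payload) < DTP_LEN:
        raise ValueError(f"DTP payload too short: {len(payload)} bytes, need {DTP_LEN}")
    domain = payload[:DOMAIN_LEN].rstrip(b"\x00").decode("ascii", errors="replace")
    status_byte = payload[DOMAIN_LEN]
    encap_byte = payload[DOMAIN_LEN + 1]
    mac = payload[DOMAIN_LEN + 2:DOMAIN_LEN + 8]
    return DtpPacket(
        domain=domain,
        status=STATUS_CODES.get(status_byte, f"unknown(0x{status_byte:02x})"),
        encap=ENCAP_CODES.get(encap_byte, f"unknown(0x{encap_byte:02x})"),
        neighbor_id=":".join(f"{b:02x}" for b in mac),
    )


def trunk_forms(local_mode: str, neighbor_status: str) -> bool:
    """Standard Cisco DTP outcome for the local port: off never trunks, on always
    trunks, desirable trunks against on/desirable/auto, and auto trunks only
    against on/desirable (auto facing auto stays an access port)."""
    if local_mode == "off":
        return False
    if local_mode == "on":
        return True
    if local_mode == "desirable":
        return neighbor_status in ("on", "desirable", "auto")
    if local_mode == "auto":
        return neighbor_status in ("on", "desirable")
    raise ValueError(f"unknown local mode {local_mode!r}")


def audit_port(port: str, local_mode: str, payload: bytes) -> dict:
    """Parse one DTP frame heard on `port` and report whether an
    unauthenticated neighbor could negotiate a trunk with it."""
    pkt = parse_dtp(payload)
    risk = trunk_forms(local_mode, pkt.status)
    return {
        "port": port,
        "local_mode": local_mode,
        "domain": pkt.domain,
        "neighbor_id": pkt.neighbor_id,
        "neighbor_status": pkt.status,
        "neighbor_encap": pkt.encap,
        "trunk_forms": risk,
        "finding": (
            "neighbor can negotiate a trunk on this port; configure "
            "'switchport mode access' and 'switchport nonegotiate'"
            if risk else None
        ),
    }


# Constructed sample frame (not a real capture): VTP domain "LAB", status
# desirable, type negotiated, neighbor MAC 00:11:22:33:aa:bb.
SAMPLE_FRAME = (
    b"LAB".ljust(DOMAIN_LEN, b"\x00")
    + bytes([0x03, 0x04])
    + bytes.fromhex("00112233aabb")
)

if __name__ == "__main__":
    # The Cisco default (desirable) versus a port hardened to access mode.
    for mode in ("desirable", "off"):
        print(audit_port("Fa0/10", mode, SAMPLE_FRAME))
```

The same frame yields a finding on a port left at the default mode and none on a port set to access mode, which is the practical point: `switchport mode access` removes the negotiation outcome, and `switchport nonegotiate` (both real IOS interface commands) stops the port from sending DTP at all on ports that face end hosts.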

DTP port status as seen from the switch console:
zipi# sh dtp int Fa0/10
DTP information for FastEthernet0/10:
Neighbor address 1: 000000000000
Neighbor address 2: 000000000000

Thanks to the work done with Yersinia, Wireshark added DTP support.
Alfredo Andrés
David Barroso
S21sec e-crime
