Attacks on the layer two of the OSI model (VI): Dynamic Trunking Protocol
Let’s see how an attack is performed on a Catalyst 2950T switch with IOS 12.1(22) EA3. The device is configured with hostname zipi and two VLANs: Office (ports Fa0/10, Fa0/11, Fa0/12 and Fa0/13) and Internet (ports Fa0/20, Fa0/21, Fa0/22 and Fa0/23). The VTP domain has been changed to Yersinia. All other parameters are left as default.
In Yersinia GUI mode, let’s choose the DTP protocol screen. If DTP is running in our network, we’ll see DTP data in no more than 30 seconds. We can also look at the DTP port status from the switch console: our port is Fa0/10 and its status is the default.
We need to fill in the bottom fields of the window with default values by pressing [d]. After that, [e] lets us edit the Neighbor-ID field and enter the value 666666666666. To leave editing mode, press [return]. Now let’s switch to the DTP attack window with [x] and select the “enabling trunking” attack. The DTP port status will change to TRUNKING and Neighbor address 1 will contain our ID. If we then look at the VLAN-assigned ports as before, we’ll see that our port Fa0/10 is no longer in the VLAN list. In Yersinia’s main window we’ll see new packets; the packets Yersinia crafted are those with Neighbor-ID 666666666666. From now on we can carry out attacks against 802.1Q and VTP and, more importantly, behave like just another valid switch, which makes it possible to sniff traffic from VLANs other than the one we are connected to.
VLAN assigned ports after the attack
zipi# sh vlan

VLAN Name                          Status    Ports
---- ----------------------------- --------- -------------------------------
1    default                       active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                             Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                             Fa0/9, Fa0/14, Fa0/15, Fa0/16
                                             Fa0/17, Fa0/18, Fa0/19, Fa0/24
100  Office                        active    Fa0/11, Fa0/12, Fa0/13
200  Internet                      active    Fa0/20, Fa0/21, Fa0/22, Fa0/23
The only valid countermeasure against DTP attacks is disabling auto-trunking via the command switchport mode access. An administrator is then forced to enable trunking manually (in the switch configuration) to set up every new trunk.
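As an added example (not part of the original article and not Yersinia’s code), here is a small Python parser for the DTP TLVs together with a defender’s check that flags DTP frames arriving on ports that should be access ports, frames whose Neighbor-ID is not in the switch inventory, and frames whose admin status asks the peer to trunk. The sample frame, the switch inventory and the port list are constructed; the TLV codes and status bits follow the DTP format as decoded by Wireshark.

```python
import struct
# DTP TLV type codes and trunk-admin-status values as decoded by Wireshark
TLV_DOMAIN, TLV_STATUS, TLV_TYPE, TLV_NEIGHBOR = 1, 2, 3, 4
TAS_NAMES = {1: "on", 2: "off", 3: "desirable", 4: "auto"}

def parse_dtp(payload):
    """Parse a DTP payload (the bytes after the SNAP header) into a dict."""
    if payload[0] != 1:
        raise ValueError("unsupported DTP version %d" % payload[0])
    fields, off = {}, 1
    while off + 4 <= len(payload):
        ttype, tlen = struct.unpack_from("!HH", payload, off)
        if tlen < 4 or off + tlen > len(payload):
            raise ValueError("malformed TLV at offset %d" % off)
        value = payload[off + 4:off + tlen]
        if ttype == TLV_DOMAIN:
            fields["domain"] = value.rstrip(b"\x00").decode("ascii", "replace")
        elif ttype == TLV_STATUS:
            fields["trunk_oper"] = bool(value[0] & 0x80)  # TOS bit: trunking now?
            fields["trunk_admin"] = TAS_NAMES.get(value[0] & 0x07, "unknown")
        elif ttype == TLV_NEIGHBOR:
            fields["neighbor"] = value.hex(":")  # the sender's Neighbor-ID
        off += tlen
    return fields

def build_dtp(domain, status, dtype, neighbor_hex):
    """Build a DTP payload; used here only to construct the sample frame."""
    dom = domain.encode() + b"\x00"
    return (b"\x01" + struct.pack("!HH", TLV_DOMAIN, 4 + len(dom)) + dom
            + struct.pack("!HHB", TLV_STATUS, 5, status)
            + struct.pack("!HHB", TLV_TYPE, 5, dtype)
            + struct.pack("!HH", TLV_NEIGHBOR, 10) + bytes.fromhex(neighbor_hex))

def check_dtp(payload, port, known_switches, access_ports):
    """Return alert strings for one DTP frame received on `port`."""
    f = parse_dtp(payload)
    alerts = []
    if port in access_ports:  # DTP must never appear on a fixed access port
        alerts.append("DTP frame on access port %s" % port)
    if f.get("neighbor") not in known_switches:  # Neighbor-ID not in inventory
        alerts.append("unknown DTP neighbor %s on %s" % (f.get("neighbor"), port))
    if f.get("trunk_admin") in ("on", "desirable"):  # peer is asking to trunk
        alerts.append("%s: peer requests trunking (%s)" % (port, f["trunk_admin"]))
    return alerts

# Constructed sample: domain Yersinia, admin status desirable (0x03),
# 802.1Q operating/admin type (0xa5), Neighbor-ID 666666666666 as in the article
SAMPLE = build_dtp("Yersinia", 0x03, 0xa5, "666666666666")
KNOWN_SWITCHES = {"00:11:22:33:44:55"}  # constructed inventory of real switches
ACCESS_PORTS = {"Fa0/10", "Fa0/11", "Fa0/12", "Fa0/13"}  # Office VLAN ports
```

Running check_dtp(SAMPLE, "Fa0/10", KNOWN_SWITCHES, ACCESS_PORTS) yields three alerts for the constructed frame, while a frame with admin status off from an inventoried switch on a non-access port yields none.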