Monday, January 23, 2012

Yersinia: How to Analyze and Test Network Protocols

System: Linux/Solaris/All BSD Platforms
License: GNU General Public License (GPL)
Purpose: Framework for analyzing and testing networks and systems
Homepage: http://www.yersinia.net/


Brief Summary:
Yersinia is a free, open source utility written entirely in C that is useful for security professionals, pen testers and hacker enthusiasts alike. It is a solid framework for analyzing and testing network protocols, designed to take advantage of weaknesses in several different network protocols. Yersinia allows you to send raw VTP (VLAN Trunking Protocol) packets and also allows you to add and delete VLANs from a single point of origin.

Other Useful Features:
One of the features I like using in Yersinia is the DHCP (Dynamic Host Configuration Protocol) attack. In this scenario a DHCP starvation attack works by broadcasting DHCP requests with spoofed MAC addresses. This is easily accomplished with Yersinia: if enough requests are sent, the attacker can exhaust the address space available to the DHCP server for a period of time. I have used this attack on my Netgear WGT624 v2 router, and every machine, whether connected via wired or wireless, loses its network connection. Once the attack is stopped the DHCP clients can reconnect and are able to use the network again.
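As an added, defender-side example (not part of Yersinia or of this post): a small Python detector for the starvation pattern described above. It counts the distinct client MACs that send DISCOVER inside a sliding time window and raises one alert per burst. The "<ISO timestamp> <message type> <MAC>" log line format and the sample lines are constructed for this example, not taken from any real DHCP server.

```python
"""DHCP starvation detector: flags a burst of DISCOVERs from many distinct MACs.
Added example for this post, not Yersinia code. The "<ISO time> <type> <mac>"
line format is a constructed one, not any real DHCP server's log format."""
from collections import deque
from datetime import datetime

# Constructed sample: two normal clients, then eight spoofed MACs in ~2 seconds.
SAMPLE_LOG = """\
2012-01-23T10:00:00 DISCOVER 00:11:22:33:44:01
2012-01-23T10:00:05 REQUEST 00:11:22:33:44:01
2012-01-23T10:01:10 DISCOVER 00:11:22:33:44:02
2012-01-23T10:05:00 DISCOVER 02:aa:aa:aa:00:01
2012-01-23T10:05:00 DISCOVER 02:aa:aa:aa:00:02
2012-01-23T10:05:00 DISCOVER 02:aa:aa:aa:00:03
2012-01-23T10:05:01 DISCOVER 02:aa:aa:aa:00:04
2012-01-23T10:05:01 DISCOVER 02:aa:aa:aa:00:05
2012-01-23T10:05:01 DISCOVER 02:aa:aa:aa:00:06
2012-01-23T10:05:02 DISCOVER 02:aa:aa:aa:00:07
2012-01-23T10:05:02 DISCOVER 02:aa:aa:aa:00:08
"""

def parse_line(line):
    """Return (timestamp, message type, mac), or None for an unparsable line."""
    parts = line.split()
    if len(parts) != 3:
        return None
    try:
        return datetime.fromisoformat(parts[0]), parts[1].upper(), parts[2].lower()
    except ValueError:
        return None

def detect_starvation(log_text, window_seconds=10, max_new_macs=5):
    """Return [(timestamp, distinct_macs)], one entry per burst in which more
    than max_new_macs distinct MACs sent DISCOVER inside a window_seconds span."""
    window = deque()      # (timestamp, mac) of DISCOVERs still inside the window
    alerts, alerting = [], False
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec[1] != "DISCOVER":
            continue          # ignore REQUEST/RELEASE etc. and malformed lines
        ts, _, mac = rec
        window.append((ts, mac))
        while (ts - window[0][0]).total_seconds() > window_seconds:
            window.popleft()  # drop DISCOVERs older than the window
        distinct = len({m for _, m in window})
        if distinct > max_new_macs and not alerting:
            alerts.append((ts, distinct))   # one alert per burst, not per packet
        alerting = distinct > max_new_macs
    return alerts
```

On the sample above the detector reports a single burst at 10:05:01 once the sixth distinct MAC appears; a threshold of 5 is deliberately low for the demo, and a real deployment would size it to the number of new clients the segment legitimately sees per window.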

Yersinia also runs as a network daemon (# yersinia -D), which lets you set up a server in each network segment so that network administrators can access their networks. Yersinia listens on port 12000/tcp by default and allows you to analyze the packets traversing the network. This is very useful because you can find misconfigurations on your network segment and correct them before an attacker takes advantage of them. With Yersinia you can also launch HSRP (Hot Standby Router Protocol) attacks. The first option, sending raw HSRP packets, simply sends custom HSRP packets so that you can test HSRP implementations on the local network segment. Another option is becoming the active router with a fake IP, which results in a Denial of Service (DoS). You can also launch a MITM (Man in the Middle) attack by becoming the active router: by editing the HSRP packet fields of the attacked routers, enabling IP forwarding on the attacker's machine and providing a valid static route to the legitimate gateway, the traffic from the victim's machine will pass through the attacker's platform and will be subject to analysis and/or tampering.

You can configure a fully automated CDP (Cisco Discovery Protocol) virtual device by selecting the correct parameters for the CDP frames. My favorite attack vector is the CDP table flooding attack. Yersinia also allows capturing, editing and manipulating the frames in its GUI interface.

Disadvantages:
Only two disadvantages of Yersinia are worth mentioning. The first is that it was created solely for the *nix community and is not available for the Windows platform. The Yersinia team has asked the community to contribute a Windows port, so all the Windows enthusiasts cross your fingers and let's hope it will be available on Windows in the near future. Secondly, the Yersinia output log is written in Spanish, so have your translator of choice at the ready!

ATTACKS:

Spanning Tree Protocol
Sending RAW Configuration BPDU
Sending RAW TCN BPDU
DoS sending RAW Configuration BPDU
DoS sending RAW TCN BPDU
Claiming Root Role
Claiming Other Role
Claiming Root Role dual home (MITM)

Cisco Discovery Protocol
Sending RAW CDP packet
DoS flooding CDP neighbors table
Setting up a virtual device

Dynamic Host Configuration Protocol
Sending RAW DHCP packet
DoS sending DISCOVER packet (exhausting IP pool)
Setting up rogue DHCP server
DoS sending RELEASE packet (releasing assigned IP)

Hot Standby Router Protocol
Sending RAW HSRP packet
Becoming active router
Becoming active router (MITM)

Dynamic Trunking Protocol
Sending RAW DTP packet
Enabling trunking

802.1Q
Sending RAW 802.1Q packet
Sending double encapsulated 802.1Q packet
Sending 802.1Q ARP Poisoning

802.1X
Sending RAW 802.1X packet
MITM 802.1X with 2 interfaces

VLAN Trunking Protocol
Sending RAW VTP packet
Deleting ALL VLANs
Deleting selected VLAN
Adding one VLAN
Catalyst crash
