WEBVTT

0
00:01.840 --> 00:10.360
In this video I'll show you how to completely destroy a Cisco enterprise switch. We'll attack Cisco Discovery

1
00:10.360 --> 00:13.890
Protocol or CDP using Yersinia. 


2
00:13.900 --> 00:21.280
This is an extremely easy Denial of Service (DoS) attack to launch on any Cisco device using just a Linux

3
00:21.280 --> 00:30.110
machine. The protocol we are going to exploit, CDP, is enabled on any Cisco device by default.

4
00:30.110 --> 00:38.960
Let me explain to you in just a few words what CDP is. Cisco Discovery Protocol, or CDP, is a Cisco proprietary

5
00:39.170 --> 00:47.330
Layer 2 protocol that runs on Cisco devices and enables networking applications to learn about directly 

6
00:47.330 --> 00:50.250
connected devices nearby.

7
00:50.300 --> 00:58.760
This protocol facilitates the management of Cisco devices by automatically discovering them and determining

8
00:59.000 --> 01:07.160
how they are configured. Network engineers use CDP to discover the network topology.

9
01:07.340 --> 01:18.130
For example, if you log into a switch or a router and execute show cdp neighbors, you'll


10
01:18.170 --> 01:20.810
see directly connected devices

11
01:20.870 --> 01:23.440
that are also using CDP.

12
01:23.550 --> 01:26.770
Ok. Let’s exploit CDP!

13
01:26.830 --> 01:36.020
This is the topology I’m going to use: My laptop runs Windows 10 and Linux Mint in a VM.


14
01:36.060 --> 01:45.650
This is the Linux VM. It's connected directly to the Cisco switch using a wired Ethernet connection.

15
01:45.680 --> 01:50.270
This is the switch I will attack from the Linux Machine!

16
01:50.270 --> 01:57.200
You'll see many other tutorials that tell you to use Kali, which by the way is a great Linux distribution,

17
01:57.470 --> 01:59.210
but it's not necessary.

18
01:59.210 --> 02:04.650
You can use any Linux distribution you prefer. Using Yersinia

19
02:04.730 --> 02:10.320
I'm gonna flood the switch with thousands of CDP packets.

20
02:10.410 --> 02:17.340
This will freeze the operating system running on the switch, which will effectively block anyone from

21
02:17.430 --> 02:24.060
remotely managing the switch. With the CPU continuously processing CDP packets,

22
02:24.060 --> 02:27.080
the switch will start to drop network traffic.

23
02:27.460 --> 02:35.250
Moreover, the switch will start to flood incoming frames out all ports, just like a hub.

24
02:35.250 --> 02:42.510
This happens when the switch MAC address table fills up entirely, and a hacker could open up a packet

25
02:42.510 --> 02:48.980
sniffer like Wireshark and capture network traffic and sensitive data.


26
02:49.020 --> 02:59.620
Let's take a look at the switch CPU and the CDP table before starting the attack:
show cdp neighbors

27
02:59.710 --> 03:00.980
There is no neighbor!

28
03:01.010 --> 03:11.630
There is no other Cisco device directly connected to the switch. And show process cpu sorted | include

29
03:11.810 --> 03:20.120
CPU (in upper case letters), PID Runtime, CDP Protocol

30
03:24.000 --> 03:29.280
Take care to use the exact case you see in this example.

31
03:29.430 --> 03:30.140
Okay.

32
03:30.320 --> 03:41.570
And we notice that the CPU utilization for 5 seconds is 5% and CDP consumes only 0.32%.

33
03:41.640 --> 03:50.140
We can say that the CPU is idle; perfect! Let's start the attack on the switch.

34
03:50.340 --> 03:57.780
As I've already said, I'm going to use Yersinia, which is a framework that performs layer 2 attacks. It

35
03:57.780 --> 04:04.100
takes advantage of some weaknesses in different network protocols.

36
04:04.300 --> 04:06.190
By the way, Yersinia pestis

37
04:06.190 --> 04:15.760
is the name of a bacterium, the bacterium that causes plague. Yersinia can be easily installed on any

38
04:15.760 --> 04:23.680
Linux distribution like Ubuntu or Linux Mint because it belongs to the standard repositories. Let's install

39
04:23.800 --> 04:27.620
Yersinia! To do that and to launch the attack

40
04:27.640 --> 04:38.320
you need a non-root user with sudo privileges: so sudo apt install yersinia, then the user's password.

41
04:42.690 --> 04:43.380
Okay sorry, it's

42
04:43.450 --> 04:49.730
installed. In this case Yersinia is already the newest version.

43
04:51.470 --> 05:01.090
I'm gonna start the GUI as root: sudo yersinia -G


44
05:01.140 --> 05:08.460
The -G option, written in upper case, makes Yersinia start a graphical session.

45
05:08.540 --> 05:10.920
This is the GUI of Yersinia!


46
05:10.920 --> 05:18.110
There is also a command line tool available; if you prefer to run the attack from a Linux machine without

47
05:18.110 --> 05:25.660
a graphical interface, say you are connected using SSH to that Linux machine, you should use

48
05:25.710 --> 05:34.450
Yersinia on the command line. We notice that the attacks are implemented for the following network protocols:

49
05:34.780 --> 05:46.030
CDP, DHCP, VLANs or dot1q, DTP, MPLS, VTP and many more! I'll click on Launch

50
05:46.070 --> 05:54.110
attack and, in the CDP tab, I'll select Flooding CDP Table and then

51
05:54.220 --> 05:54.780
OK

52
05:58.370 --> 05:59.080
Yersinia 

53
05:59.120 --> 06:06.960
immediately starts flooding the switch with hundreds or thousands of CDP frames per second!


54
06:06.960 --> 06:12.330
Now let's return to the switch to see the damage we have done. By the way,

55
06:12.330 --> 06:15.120
this is a console connection to the switch.

56
06:15.120 --> 06:18.020
This is not a network connection.

57
06:18.120 --> 06:21.060
Let's see the CDP neighbors.

58
06:21.150 --> 06:26.200
So show cdp neighbors; okay.

59
06:26.360 --> 06:37.070
There are hundreds of bogus devices all originating from Yersinia.

60
06:37.220 --> 06:42.310
There are too many fake devices.

61
06:42.340 --> 06:44.720
Let's take another look at the switch

62
06:44.740 --> 06:49.740
CPU utilization, so the same command

63
06:49.870 --> 06:56.500
I've already executed before starting the attack; okay.

64
06:56.500 --> 06:58.130
This is very nice.

65
06:59.010 --> 07:04.610
We notice that CPU utilization is 99%.


66
07:04.620 --> 07:12.500
Ok. The switch CPU is done. I've just shown you how to break a thousand-dollar switch in just a few seconds

67
07:12.540 --> 07:23.380
using Linux and free software like Yersinia. I am stopping the attack (List attacks, then Stop) and I'll

68
07:23.380 --> 07:28.490
check the CPU utilization again; okay!

69
07:28.540 --> 07:32.820
Now the CPU utilization is only 10%

70
07:36.140 --> 07:37.630
and 5%.

71
07:38.710 --> 07:45.250
In the next lecture I'll show you what countermeasures you can take as a network administrator to

72
07:45.250 --> 07:47.080
prevent such an attack.

73
07:47.080 --> 07:49.090
See you again in two seconds!