WEBVTT

0
00:00.870 --> 00:08.160
In this video I'm gonna show you how to hack STP. Spanning Tree Protocol, or STP, is one of the most

1
00:08.160 --> 00:13.220
common LAN protocols deployed in today's enterprise networks.

2
00:13.260 --> 00:20.280
I'd recommend that you dive deeper into STP because it's really important, and failing to secure it

3
00:20.400 --> 00:22.990
could disrupt your entire network.

4
00:23.010 --> 00:29.210
A very good resource for learning about STP is the Cisco CCNA course.

5
00:29.340 --> 00:35.730
This video assumes that you have some basic knowledge about how STP works.

6
00:35.730 --> 00:41.960
Let's recap in a nutshell what its purpose is and how it works. Redundant

7
00:42.000 --> 00:49.830
links are always welcome in switched topologies, as they avoid the single point of failure issue of a single

8
00:49.830 --> 00:52.710
switch or link that fails.

9
00:52.710 --> 01:00.060
In the example you are looking at, if the link between switch A and switch B fails, the traffic from

10
01:00.120 --> 01:04.010
A to B will still reach the destination through the root

11
01:04.050 --> 01:13.820
switch. However, redundant links, if we look at them from a layer 2 perspective, can cause layer 2 loops, which

12
01:13.820 --> 01:19.280
in turn can cause broadcast storms and multiple frame transmissions.

13
01:19.280 --> 01:26.570
This is simply because there is no time-to-live field in the Ethernet header. For example, in this image,

14
01:26.690 --> 01:35.090
if host A sends a broadcast frame, that frame will be received twice by host B. The first path

15
01:35.210 --> 01:46.610
is A, switch A, root, switch B and host B, and the second path is host A, switch A, switch B and host B, so

16
01:46.610 --> 01:55.130
host B will receive the broadcast frame two times. Fortunately, spanning tree allows us to have redundant

17
01:55.130 --> 02:01.830
links while having a loop-free topology, thus preventing the potential for a broadcast storm.

18
02:03.140 --> 02:10.340
STP achieves this loop-free topology by selecting one switch as the root bridge, and the network

19
02:10.340 --> 02:17.540
administrator can influence which switch becomes the root bridge because this is the central part of the

20
02:17.540 --> 02:18.830
switch topology.

21
02:18.830 --> 02:25.490
Selecting a specific switch as the root bridge is done by manipulating a value called switch priority, and

22
02:25.490 --> 02:32.630
the switch with the lowest priority becomes the root bridge; if the root bridge goes down or another

23
02:32.630 --> 02:35.010
switch must become the root bridge

24
02:35.040 --> 02:43.670
the STP topology must reconverge by electing a new root bridge, and the election starts at that precise

25
02:43.670 --> 02:44.740
moment.

26
02:44.930 --> 02:51.560
Switch ports do not immediately transition from the blocking state to the forwarding state; the ports

27
02:51.560 --> 02:57.590
go through several different states, and the time before the ports start to forward packets can be up to one

28
02:57.590 --> 02:58.010
minute.

29
02:58.610 --> 03:06.680
Okay, now that we have a basic understanding of how STP works, let's see how a hacker could attack STP.

30
03:07.400 --> 03:08.420
In this lab

31
03:08.630 --> 03:16.740
I'm gonna show you how to exploit the way STP works and I mean the way STP elects the root bridge.

32
03:16.820 --> 03:24.560
This is another denial of service attack that is easy to launch from a Linux machine using an application

33
03:24.800 --> 03:25.990
like Yersinia.

34
03:26.230 --> 03:30.500
It's the same application we've used for the CDP attack.

35
03:30.500 --> 03:31.640
Take a look there

36
03:31.730 --> 03:37.610
if you feel the need to see again what Yersinia is and how to install it on Linux.

37
03:37.790 --> 03:44.280
Taking over the root bridge is probably one of the most disruptive attacks.

38
03:44.300 --> 03:54.330
Keep in mind that STP is trusting, stateless and does not provide an authentication mechanism. Running

39
03:54.340 --> 03:56.680
Yersinia from Kali Linux

40
03:56.730 --> 04:04.110
I'll claim the root bridge role by sending BPDU frames with a lower priority than that of the actual

41
04:04.190 --> 04:10.920
root bridge. For STP, a lower priority means a superior priority, and the switch with the lowest

42
04:10.950 --> 04:12.450
priority becomes

43
04:12.470 --> 04:14.320
the root bridge. Yersinia

44
04:14.320 --> 04:19.970
will take the role of the root bridge. By the way, I said BPDU frames.

45
04:20.070 --> 04:25.170
These are Ethernet frames used by STP for its operation!

46
04:25.170 --> 04:32.760
This attack is of both the DoS and the MitM type. Denial of service, because

47
04:32.760 --> 04:39.840
STP takes time to converge once a change in topology occurs, and during this phase no data is forwarded

48
04:40.080 --> 04:42.150
by any switch in the network.

49
04:42.150 --> 04:49.830
The attacker could continuously reset the topology converging process before it has any chance to finish.

50
04:50.220 --> 04:58.370
The switch will be put in a state in which it continuously calculates the final STP topology. And Man

51
04:58.370 --> 04:59.460
in the Middle

52
04:59.460 --> 05:06.270
because if the attacker inserts a rogue switch in the network and that switch becomes the root bridge,

53
05:06.570 --> 05:10.220
traffic could be diverted through the rogue switch.

54
05:10.230 --> 05:18.040
Okay, let's exploit STP. This is the topology I'm going to use: my laptop runs Windows 10 and

55
05:18.040 --> 05:25.870
Kali Linux in a VM. It's connected directly to a Cisco Catalyst switch using a wired Ethernet connection.

56
05:26.800 --> 05:33.430
If you use the same setup, don't forget to set the VM network to bridged mode so that the Linux machine

57
05:33.430 --> 05:36.990
has access to the physical interface of your laptop.

58
05:37.980 --> 05:45.180
To reproduce this attack, besides a Linux machine, you need a Cisco Layer 2 switch or any other switch

59
05:45.300 --> 05:47.380
that supports STP.

60
05:47.700 --> 05:52.020
You will connect the Linux machine to the switch using a wired connection.

61
05:52.050 --> 05:58.360
Now, if you don't have such a physical switch available, you can still launch the attack.

62
05:58.680 --> 06:00.600
Just run a Cisco L2

63
06:00.600 --> 06:07.970
IOU in GNS3 and set up a network connection between the Linux host and the devices that

64
06:07.970 --> 06:09.720
run in GNS3.

65
06:09.780 --> 06:16.920
Take a look at the previous lecture, where I explained in detail how to do it. In this topology,

66
06:16.920 --> 06:21.900
notice that there are two redundant links between switch 1 and switch 2.

67
06:21.930 --> 06:30.600
This is what a redundant topology means, and STP will temporarily disable a port to avoid the problems

68
06:30.870 --> 06:39.230
of a redundant layer 2 topology. This is a console connection to Switch2. The default STP priority of

69
06:39.250 --> 06:47.590
a switch is 32768. Let's check it!

70
06:47.620 --> 06:50.410
sh spanning-tree

71
06:50.420 --> 06:57.430
We notice the switch priority and that this switch is the root bridge. If you want to be sure that a particular

72
06:57.430 --> 07:01.740
switch becomes the root just decrease the priority.

73
07:01.810 --> 07:10.210
You can set the bridge priority in increments of 4096, and I'm gonna set the priority

74
07:10.900 --> 07:15.260
to a lower value: config

75
07:15.730 --> 07:23.500
spanning-tree vlan 1 - all ports belong to vlan 1 - priority and the value.

76
07:23.590 --> 07:30.180
You cannot give just any value, only values in increments of 4096.

77
07:30.400 --> 07:36.890
For this example the priority will be 28672,

78
07:37.300 --> 07:40.240
and of course the switch is the root bridge of the topology.

79
07:43.570 --> 07:45.520
We see the message here!

80
07:45.520 --> 07:49.680
This bridge is the root. Back to Kali Linux,

81
07:49.720 --> 07:51.940
I'll start Yersinia as root.

82
07:52.330 --> 08:00.460
So yersinia -G, written in uppercase; the -G option makes Yersinia start a graphical

83
08:00.520 --> 08:11.270
session. I'll click on launch attack and in the STP tab I'm selecting Claiming Root Role and then OK.

84
08:15.970 --> 08:23.160
Yersinia immediately starts sending BPDUs with a lower priority than the priority of the root bridge,

85
08:23.180 --> 08:25.730
claiming the root role.

86
08:25.930 --> 08:31.690
You can adjust the values in the BPDU frames here, in this window.

87
08:31.690 --> 08:39.760
Okay, let's return to the switch and see if it is still the root. I am executing the show spanning-tree command

88
08:40.930 --> 08:43.580
and we notice that the switch is no longer the

89
08:43.600 --> 08:49.770
root bridge. There is a cost of 19 to the root!
Back to Kali Linux.

90
08:49.850 --> 09:02.630
I'll stop the attack: list attacks, and stop. show spanning-tree again: the switch is still the root.

91
09:02.690 --> 09:04.180
I am waiting a few seconds,

92
09:07.460 --> 09:08.140
okay.

93
09:08.190 --> 09:15.550
We see that the switch has again become the root of the topology. If we don't have or don't want to use

94
09:15.550 --> 09:18.100
the graphical interface of Yersinia,

95
09:18.460 --> 09:22.350
we can start the attack from the command line like this:

96
09:22.480 --> 09:32.010
yersinia stp (the name of the attack) and -attack followed by the id of the attack.

97
09:32.110 --> 09:33.670
In this case it is 4.

98
09:36.840 --> 09:40.280
Let's return to the switch and execute the show spanning-tree

99
09:40.330 --> 09:48.540
again and we notice that the switch has lost the root role.

100
09:48.630 --> 09:51.870
Okay, I am stopping Yersinia and the attack!

101
09:54.940 --> 10:02.500
You've just seen how to hack STP, one of the most used switching protocols in enterprise networks.

102
10:02.650 --> 10:08.650
In the next lecture I'll show you what countermeasures you can take to protect your switches against

103
10:08.740 --> 10:09.450
this attack.