WEBVTT

0
00:01.720 --> 00:08.290
In the last lecture we’ve seen how to attack Spanning Tree by claiming the RootBridge Role. In this 

1
00:08.290 --> 00:09.150
video

2
00:09.160 --> 00:16.180
I'll show you what countermeasures you can take to protect STP and your switches. If your switch supports

3
00:16.240 --> 00:20.580
STP, which is a protocol supported only by professional switches,

4
00:20.590 --> 00:27.630
it should also have some features in the operating system to protect against STP attacks.

5
00:27.730 --> 00:34.700
In this lab I'll show you how to protect the Cisco Catalyst Switch against STP attacks.

6
00:34.720 --> 00:43.390
Other vendors have similar features available. Fortunately the countermeasures to a root takeover attack

7
00:43.540 --> 00:45.970
are simple and straightforward.

8
00:45.970 --> 00:49.970
There are two measures you can take to mitigate this attack:

9
00:50.140 --> 00:52.640
BPDU-guard and Root guard.

10
00:52.980 --> 00:55.360
Let's see them one by one!

11
00:55.480 --> 01:03.000
BPDU-Guard is a feature that comes with PortFast and is applicable to access layer switches.

12
01:03.010 --> 01:11.590
This feature allows the network designers to enforce the STP domain borders: devices behind ports with

13
01:11.650 --> 01:20.170
BPDU-guard enabled are unable to influence the STP topology. And this is the case when a host is running 

14
01:20.170 --> 01:28.330
Yersinia and wants to take over the root.
At the reception of a BPDU frame, so a frame that carries

15
01:28.420 --> 01:36.910
STP messages, BPDU-guard disables the port, which will move into the error disable state, and a message

16
01:36.940 --> 01:38.410
is generated.

17
01:38.410 --> 01:47.140
BPDU-guard accompanies another feature called PortFast which allows a port to transit directly into 

18
01:47.140 --> 01:50.160
the forwarding state when the link is up.

19
01:50.170 --> 01:57.700
This feature must therefore be enabled only on ports where no switch will ever be connected and those

20
01:57.760 --> 02:00.100
are access ports.

21
02:00.100 --> 02:08.080
Okay, let's return to the Switch and enable BPDU-guard and then portfast on the access port

22
02:08.170 --> 02:13.620
to which the host that runs Yersinia is connected. That's interface

23
02:13.690 --> 02:16.340
FastEthernet 0/0

24
02:22.510 --> 02:32.410
conf t
I am entering the interface configuration mode: interface FastEthernet0/1

25
02:32.410 --> 02:37.590
spanning-tree bpduguard enable

26
02:37.870 --> 02:47.110
This command has enabled BPDU guard and I'm also enabling portfast so: spanning-tree portfast 

27
02:51.880 --> 03:00.850
The command has effect only when the interface is in a non trunking mode. I have enabled BPDU guard and

28
03:00.870 --> 03:04.270
portfast on that interface.

29
03:04.460 --> 03:12.110
You can also enable BPDU guard on all portfast ports of the Switch so in global configuration

30
03:12.110 --> 03:23.070
mode you execute: spanning-tree portfast bpduguard default. Let's reproduce the attack! I am going

31
03:23.070 --> 03:33.580
to Kali Linux and I am starting Yersinia in GUI mode so: yersinia -G; Launch Attack

32
03:33.660 --> 03:38.480
stp and ClaimingRootRole and ok

33
03:42.420 --> 03:51.030
and we notice the messages, in the console we see how BPDU guard has put the port in error disabled

34
03:51.150 --> 03:57.130
state; the port received a BPDU and that's not allowed.

35
04:01.370 --> 04:02.930
I am stopping the attack.

36
04:10.670 --> 04:23.420
Now you can re-enable the port manually by executing shut and no shut like this: shut and no shut and

37
04:23.420 --> 04:32.820
the port's up; or you can execute the errdisable recovery command; in global configuration mode

38
04:33.170 --> 04:38.880
I run: errdisable recovery cause bpduguard


39
04:42.210 --> 04:47.880
and errdisable recovery interval 600


40
04:48.360 --> 04:55.650
These two commands will automatically enable the port after 600 seconds or 10 minutes if the 

41
04:55.650 --> 05:04.050
port was shut down by bpdu-guard and no other BPDU frames are received on that port. The default 


42
05:04.050 --> 05:13.080
recovery interval is 300 seconds or 5 minutes. Note that there is the possibility 


43
05:13.080 --> 05:21.050
for an attacker to bypass BPDU-guard depending on how the switch is configured. As I've previously

44
05:21.050 --> 05:28.400
said BPDU-guard relies on PortFast, and when enabling PortFast on a port the switch operating

45
05:28.400 --> 05:31.720
system produces a warning. Let's see 

46
05:31.860 --> 05:32.390
the warning

47
05:39.320 --> 05:46.630
This is the warning, it states that PortFast will only have effect when the interface is in a non

48
05:46.630 --> 05:47.980
trunking mode.

49
05:47.980 --> 05:54.940
This means that an attacker who has the ability to enable trunk mode on the port has also the ability

50
05:54.940 --> 06:01.890
to disable PortFast and therefore to disable BPDU guard altogether.

51
06:01.910 --> 06:09.880
This is Dynamic Trunking Protocol (DTP) exploitation that can also be performed using Yersinia and

52
06:09.890 --> 06:11.450
to avoid this attack

53
06:11.480 --> 06:18.290
you should set the port as a static access port; by default the switch port is in dynamic desirable

54
06:18.290 --> 06:26.390
mode and that means that it will try to auto negotiate with the switch interface on the other side whether they

55
06:26.390 --> 06:30.320
create a trunk or not and remain access ports.

56
06:30.500 --> 06:40.600
So in interface configuration mode I'll execute: switchport mode access; I set the port as a static

57
06:40.660 --> 06:42.290
access port.

58
06:42.400 --> 06:50.160
This was all about the BPDU-guard.
Another security feature used to protect against STP attacks

59
06:50.290 --> 06:56.850
is called root guard. Root Guard can be applied on distribution layer switches while applying BPDU

60
06:56.900 --> 06:59.330
guard on access layer switches.

61
06:59.430 --> 07:07.540
Let's see what Root Guard does. Root Guard does not prevent STP communication on the port where it is

62
07:07.540 --> 07:15.250
enabled, but it will only react to BPDU frames which would lead to the election of a new root bridge behind 

63
07:15.250 --> 07:16.630
protected ports.

64
07:16.630 --> 07:23.620
This way a Root Guard enforces the position of the Root Bridge. A violation of the Root guard policy

65
07:23.680 --> 07:31.120
and that means receiving a superior BPDU on a port where the Root Guard was enabled results in the

66
07:31.120 --> 07:40.830
port being temporarily set to root inconsistent state and not forwarding any frame. The port connectivity,

67
07:41.130 --> 07:50.070
so the forwarding state, will be automatically re-enabled as soon as no illegal or superior BPDUs are received

68
07:50.100 --> 07:53.140
on the port. In our example

69
07:53.180 --> 08:01.420
we want a fixed root bridge and we're gonna enable root guard on all its ports. Let's see how many

70
08:01.420 --> 08:03.320
interfaces the switch has.

71
08:04.380 --> 08:05.960
sh ip interface brief

72
08:12.420 --> 08:19.170
It has 48 FastEthernet interfaces and 2 Gigabit interfaces.

73
08:19.320 --> 08:33.450
I'm gonna enable Root Guard on all FastEthernet interfaces so conf t interface range f 0/1 -

74
08:34.170 --> 08:39.100
48 and spanning-tree root guard

75
08:43.060 --> 08:43.540
sorry.

76
08:43.600 --> 08:45.490
spanning-tree guard root

77
08:45.640 --> 08:50.560
OK, Root Guard was enabled!

78
08:52.600 --> 08:56.660
Before launching the attack again I want to disable BPDU guard

79
08:56.670 --> 09:05.240
on FastEthernet0/1; I want on the interface only Root Guard enabled

80
09:08.560 --> 09:12.640
so: no spanning-tree bpduguard enable

81
09:19.020 --> 09:21.100
and I am disabling BPDU guard

82
09:21.180 --> 09:28.680
also globally so: spanning-tree portfast

83
09:29.200 --> 09:30.700
bpduguard default

84
09:34.500 --> 09:43.130
Let's check the configuration of FastEthernet 0/1 interface: do sh run

85
09:47.740 --> 09:48.610
only Root Guard

86
09:48.640 --> 09:49.390
is enabled.

87
10:02.450 --> 10:06.310
Let's launch the attack again! In Yersinia

88
10:06.470 --> 10:15.110
I'm selecting the STP tab and clicking ClaimingRootRole; and we notice how Root Guard has blocked port

89
10:15.140 --> 10:22.460
FastEthernet0/1. Let's check the interface state with the following command: sh spanning-tree

90
10:22.460 --> 10:33.570
vlan1 and we notice how the interface is in the Root inconsistent state or sh spanning-tree

91
10:33.990 --> 10:40.440
interface f0/1 detail ; root inconsistent

92
10:43.940 --> 10:53.240
To disable Root guard in interface configuration mode use spanning-tree guard none and I've disabled

93
10:53.320 --> 10:56.070
Root guard on that interface.

94
10:56.210 --> 11:01.940
Congratulations, you've just learned how to protect your switches against STP attacks!