L2 Network Attacks – HSRP / DTP
Lately I’ve been playing around with Layer 2 attacks, usually yerisina is my go to tool, but during a HSRP attack, it was not behaving the way I wanted. So I did some research, and remember scapy can generate any packets you want. While playing around, I came across /usr/sbin/hsrp a tool from the irpas packaged.
A simple attack would be:
It worked, but was sending more packets than was actually needed.
Why the need to send the Coup packet?
So back to scapy again.
There are some excellent guides out out there, Like
- http://www.gotohack.org/2011/01/scapy-hsrp-md5-auth-dissecter-to.html the original that actully the hsrp support in scapy is based on.
But following the guides, it should be pretty simple getting the attack working, but it did not.
I didn’t even see it wireshark, so it didn’t look like it was sending the attack out on the wire… time to debug.
BIG laughs… I had the “hsrp” filter in wireshark, and due to some strange behavior the packets that I was sending was not reconised as HSRP packets.
By looking at the packet that I was sending, the dport is not what it is suppose to be. 2029 vs 1985. And by adding the dport in the UDP in line 3 of the script, the attack worked perfect.
And since we are into L2 Attack, Attacking DTP is always fun.
Launch dtp attack with yersinia
Get a working interface up and running, here I’m using static IP, and connecting to vlan 666