YERSINIA(8)                                                        YERSINIA(8)

NAME
       Yersinia - a framework for layer 2 attacks

SYNOPSIS
       yersinia [-hVGIDd] [-l logfile] [-c conffile] protocol [-M]
       [protocol_options]

DESCRIPTION
       yersinia is a framework for performing layer 2 attacks. The following
       protocols are implemented in the current version of Yersinia: Spanning
       Tree Protocol (STP), VLAN Trunking Protocol (VTP), Hot Standby Router
       Protocol (HSRP), Dynamic Trunking Protocol (DTP), IEEE 802.1Q, Cisco
       Discovery Protocol (CDP), Dynamic Host Configuration Protocol (DHCP)
       and, finally, the Inter-Switch Link Protocol (ISL).

       Some of the attacks implemented will cause a DoS in a network, others
       will help to perform some other, more advanced attack, or both. In
       addition, some of them are released to the public here for the first
       time, since no other public implementation exists.

       Yersinia will definitely help both pen-testers and network
       administrators in their daily tasks.

       Some of the mentioned attacks are DoS attacks, so TAKE CARE about what
       you're doing because you can convert your network into an UNSTABLE one.

       A lot of examples are given in the EXAMPLES section of this page,
       showing real and useful program executions.

OPTIONS
       -h, --help
              Help screen.

       -V, --Version
              Program version.

       -G     Start a graphical GTK session.

       -I, --interactive
              Start an interactive ncurses session.

       -D, --daemon
              Start the network listener for remote admin (Cisco CLI
              emulation).

       -d     Enable debug messages.

       -l logfile
              Save the current session to the file logfile. If logfile exists,
              the data will be appended at the end.

       -c conffile
              Read/write configuration variables from/to conffile.

       -M     Disable MAC spoofing.

PROTOCOLS
       The following protocols are implemented in the current version of
       yersinia:

       Spanning Tree Protocol (STP and RSTP)

       Cisco Discovery Protocol (CDP)

       Hot Standby Router Protocol (HSRP)

       Dynamic Host Configuration Protocol (DHCP)

       Dynamic Trunking Protocol (DTP)

       IEEE 802.1Q

       VLAN Trunking Protocol (VTP)

       Inter-Switch Link Protocol (ISL)

       Spanning Tree Protocol (STP): is a link management protocol that
       provides path redundancy while preventing undesirable loops in the
       network. The supported options are:

       -version version
              BPDU version (0 STP, 2 RSTP, 3 MSTP)

       -type type
              BPDU type (Configuration, TCN)

       -flags flags
              BPDU Flags

       -id id BPDU ID

       -cost pathcost
              BPDU root path cost

       -rootid id
              BPDU Root ID

       -bridgeid id
              BPDU Bridge ID

       -portid id
              BPDU Port ID

       -message secs
              BPDU Message Age

       -max-age secs
              BPDU Max Age (default is 20)

       -hello secs
              BPDU Hello Time (default is 2)

       -forward secs
              BPDU Forward Delay

       -source hw_addr
              Source MAC address

       -dest hw_addr
              Destination MAC address

       -interface iface
              Set network interface to use

       -attack attack
              Attack to launch


       Cisco Discovery Protocol (CDP): is a Cisco proprietary protocol whose
       main aim is to let Cisco devices communicate with each other about
       their device settings and protocol configurations. The supported
       options are:

       -source hw_addr
              MAC Source Address

       -dest hw_addr
              MAC Destination Address

       -v version
              CDP Version

       -ttl ttl
              Time To Live

       -devid id
              Device ID

       -address address
              Device Address

       -port id
              Device Port

       -capability cap
              Device Capabilities

       -version version
              Device IOS Version

       -duplex 0|1
              Device Duplex Configuration

       -platform platform
              Device Platform

       -ipprefix ip
              Device IP Prefix

       -phello hello
              Device Protocol Hello

       -mtu mtu
              Device MTU

       -vtp_mgm_dom domain
              Device VTP Management Domain

       -native_vlan vlan
              Device Native VLAN

       -voip_vlan_r req
              Device VoIP VLAN Reply

       -voip_vlan_q query
              Device VoIP VLAN Query

       -t_bitmap bitmap
              Device Trust Bitmap

       -untrust_cos cos
              Device Untrusted CoS

       -system_name name
              Device System Name

       -system_oid oid
              Device System ObjectID

       -mgm_address address
              Device Management Address

       -location location
              Device Location

       -attack attack
              Attack to launch

       Hot Standby Router Protocol (HSRP):

       Inter-Switch Link Protocol (ISL):

       VLAN Trunking Protocol (VTP):

       Dynamic Host Configuration Protocol (DHCP):

       IEEE 802.1Q:

       Dynamic Trunking Protocol (DTP):

ATTACKS
       Attacks Implemented in STP:

       0: NONDOS attack sending conf BPDU

       1: NONDOS attack sending tcn BPDU

       2: DOS attack sending conf BPDUs

       3: DOS attack sending tcn BPDUs

       4: NONDOS attack Claiming Root Role

       5: NONDOS attack Claiming Other Role

       6: DOS attack Claiming Root Role with MiTM

       Attacks Implemented in CDP:

       0: NONDOS attack sending CDP packet

       1: DOS attack flooding CDP table

       2: NONDOS attack Setting up a virtual device

       Attacks Implemented in HSRP:

       0: NONDOS attack sending raw HSRP packet

       1: NONDOS attack becoming ACTIVE router

       2: NONDOS attack becoming ACTIVE router (MITM)

       Attacks Implemented in DHCP:

       0: NONDOS attack sending RAW packet

       1: DOS attack sending DISCOVER packet

       2: NONDOS attack creating DHCP rogue server

       3: DOS attack sending RELEASE packet

       Attacks Implemented in DTP:

       0: NONDOS attack sending DTP packet

       1: NONDOS attack enabling trunking

       Attacks Implemented in 802.1Q:

       0: NONDOS attack sending 802.1Q packet

       1: NONDOS attack sending 802.1Q double enc. packet

       2: DOS attack sending 802.1Q arp poisoning

       Attacks Implemented in VTP:

       0: NONDOS attack sending VTP packet

       1: DOS attack deleting all VTP vlans

       2: DOS attack deleting one vlan

       3: NONDOS attack adding one vlan

       4: DOS attack Catalyst zero day

       Attacks Implemented in ISL:

       None at the moment

GTK GUI
       The GTK GUI (-G) is a GTK graphical interface with all of yersinia's
       features and a professional 'look and feel'.

NCURSES GUI
       The ncurses GUI (-I) is an ncurses (or curses) based console where the
       user can take advantage of yersinia's features.

       Press 'h' to display the Help Screen and enjoy your session :)

NETWORK DAEMON
       The Network Daemon (-D) is a telnet based server (a la Cisco) that
       listens by default on port 12000/tcp waiting for incoming telnet
       connections.

       It supports a CLI similar to a Cisco device where the user (once
       authenticated) can display different settings and can launch attacks
       without having yersinia running on her own machine (especially useful
       for Windows users).

EXAMPLES
       - Send a Rapid Spanning-Tree BPDU with port role designated, port state
       agreement, learning and port id 0x3000 to eth1:

       yersinia stp -attack 0 -version 2 -flags 5c -portid 3000 -interface eth1

       - Start a Spanning-Tree nonDoS root claiming attack on the first
       non-loopback interface (keep in mind that this kind of attack will use
       the first BPDU on the network interface to fill in the BPDU fields
       properly):

       yersinia stp -attack 4

       - Start a Spanning-Tree DoS attack sending TCN BPDUs on the eth0
       interface with MAC address 66:66:66:66:66:66:

       yersinia stp -attack 3 -source 66:66:66:66:66:66

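       The first example above puts an RSTP BPDU with flags 5c and port id
       3000 on the wire, and the root-claiming attacks (4 and 6) put a BPDU
       advertising a better root bridge on the wire. Seen from the switch or
       a monitoring sensor, both are ordinary 802.1D/802.1w BPDUs whose fields
       are exactly the ones listed under the STP options. The following
       Python program is an added example, not part of the yersinia man page
       or its source: it decodes those fields and raises the two findings a
       defender cares about, a BPDU received on an access port at all, and a
       BPDU whose Root ID beats the baseline root. The baseline root bridge
       id, the MAC addresses and both sample frames are constructed here for
       illustration. On Cisco switches the same two conditions are what BPDU
       Guard and Root Guard enforce.

```python
"""Decode IEEE 802.1D/802.1w BPDUs the way a defender's sensor would, and
flag the two things worth alerting on: a BPDU arriving on a port that should
never see one, and a BPDU advertising a root bridge better than the one the
network is known to elect (the on-wire shape of a root-claim).

Added example, not code from the yersinia man page or project. The field
layout follows 802.1D; the baseline root bridge id and the sample frames are
constructed here for illustration.
"""
import struct

LLC_STP = b"\x42\x42\x03"                     # DSAP/SSAP 0x42, UI control
TYPE_CONFIG, TYPE_RSTP, TYPE_TCN = 0x00, 0x02, 0x80
FLAG_LEARNING, FLAG_AGREEMENT = 0x10, 0x40    # 802.1w flag bits 4 and 6
PORT_ROLES = {0: "unknown", 1: "alternate/backup", 2: "root", 3: "designated"}


def decode_bpdu(frame: bytes) -> dict:
    """Parse LLC header + BPDU. Timer fields are in 1/256 s on the wire."""
    if not frame.startswith(LLC_STP):
        raise ValueError("not an STP LLC frame")
    b = frame[3:]
    proto_id, version, bpdu_type = struct.unpack("!HBB", b[:4])
    if proto_id != 0:
        raise ValueError("unexpected protocol id %#x" % proto_id)
    bpdu = {"version": version, "type": bpdu_type}
    if bpdu_type == TYPE_TCN:                 # TCN carries no further fields
        return bpdu
    if bpdu_type not in (TYPE_CONFIG, TYPE_RSTP):
        raise ValueError("unknown BPDU type %#x" % bpdu_type)
    (flags, root_id, root_cost, bridge_id, port_id,
     msg_age, max_age, hello, fwd_delay) = struct.unpack("!BQIQHHHHH", b[4:35])
    bpdu.update(
        flags=flags, root_id=root_id, root_cost=root_cost,
        bridge_id=bridge_id, port_id=port_id,
        message_age=msg_age / 256, max_age=max_age / 256,
        hello_time=hello / 256, forward_delay=fwd_delay / 256,
        port_role=PORT_ROLES[(flags >> 2) & 0x3],   # flag bits 2-3
        learning=bool(flags & FLAG_LEARNING),
        agreement=bool(flags & FLAG_AGREEMENT),
    )
    return bpdu


def assess(bpdu: dict, known_root_id: int, port_is_edge: bool) -> list:
    """Findings a sensor would raise; an empty list means nothing notable."""
    findings = []
    if port_is_edge:
        findings.append("bpdu-on-edge-port")      # what BPDU Guard enforces
    if "root_id" in bpdu and bpdu["root_id"] < known_root_id:
        findings.append("superior-root-claim")    # what Root Guard enforces
    return findings


def bridge_id(priority: int, mac: str) -> int:
    """8-byte Bridge ID: 2-byte priority followed by the 6-byte MAC."""
    return (priority << 48) | int(mac.replace(":", ""), 16)


def make_frame(version, bpdu_type, flags, root, bridge, port_id):
    """Constructed configuration/RSTP BPDU with default 802.1D timers."""
    body = struct.pack("!HBBBQIQHHHHH", 0, version, bpdu_type, flags,
                       root, 0, bridge, port_id, 0, 20 * 256, 2 * 256, 15 * 256)
    if bpdu_type == TYPE_RSTP:
        body += b"\x00"                       # Version 1 Length field
    return LLC_STP + body


# Constructed baseline: the switch the network is expected to elect as root.
KNOWN_ROOT = bridge_id(0x8000, "00:11:22:33:44:55")

# Sample 1 mirrors the first EXAMPLES invocation (RSTP, flags 5c, portid 3000)
# as the legitimate root itself would send it on a trunk: no finding.
SAMPLE_BENIGN = make_frame(2, TYPE_RSTP, 0x5C, KNOWN_ROOT, KNOWN_ROOT, 0x3000)

# Sample 2: same shape, but a station on an access port advertises itself
# as root with priority 0, which beats the baseline root.
SAMPLE_CLAIM = make_frame(2, TYPE_RSTP, 0x5C,
                          bridge_id(0, "66:66:66:66:66:66"),
                          bridge_id(0, "66:66:66:66:66:66"), 0x8001)

if __name__ == "__main__":
    for name, frame, edge in (("benign", SAMPLE_BENIGN, False),
                              ("claim", SAMPLE_CLAIM, True)):
        d = decode_bpdu(frame)
        print(name, d["port_role"], "learning" if d["learning"] else "",
              "agreement" if d["agreement"] else "", assess(d, KNOWN_ROOT, edge))
```

       The Bridge ID comparison is a plain 64-bit integer comparison because
       802.1D orders bridge ids exactly that way: lower priority wins, and
       the MAC breaks ties. Feeding the decoder from a capture of the STP
       multicast address on a mirrored port gives a cheap standing check that
       no access port is originating BPDUs.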
SEE ALSO
       The README file contains more in-depth documentation about the attacks.

COPYRIGHT
       Yersinia is Copyright (c)

BUGS
       Lots

AUTHORS
       Alfredo Andres Omella <alfredo@yersinia.net>
       David Barroso Berrueta <tomac@yersinia.net>


Yersinia v0.7                $Date: 2006/02/17 22:48:40 $          YERSINIA(8)