YERSINIA(8)                                                        YERSINIA(8)

NAME
       Yersinia - A Framework for layer 2 attacks

SYNOPSIS
       yersinia [-hVGIDd] [-l logfile] [-c conffile] protocol [-M] [protocol_options]

DESCRIPTION
       yersinia is a framework for performing layer 2 attacks. The following
       protocols have been implemented in the current Yersinia version:
       Spanning Tree Protocol (STP), VLAN Trunking Protocol (VTP), Hot Standby
       Router Protocol (HSRP), Dynamic Trunking Protocol (DTP), IEEE 802.1Q,
       IEEE 802.1X, Cisco Discovery Protocol (CDP), Dynamic Host Configuration
       Protocol (DHCP), Inter-Switch Link Protocol (ISL) and MultiProtocol
       Label Switching (MPLS).

       Some of the attacks implemented will cause a DoS in a network, others
       will help to perform other, more advanced attacks, or both. In
       addition, some of them are released to the public here for the first
       time, since no other public implementation exists.

       Yersinia will definitely help both pen-testers and network
       administrators in their daily tasks.

       Some of the mentioned attacks are DoS attacks, so TAKE CARE about what
       you're doing because you can turn your network into an UNSTABLE one.

       A lot of examples are given in the EXAMPLES section of this page,
       showing real and useful program executions.

OPTIONS
       -h, --help
              Help screen.

       -V, --Version
              Program version.

       -G     Start a graphical GTK session.

       -I, --interactive
              Start an interactive ncurses session.

       -D, --daemon
              Start the network listener for remote admin (Cisco CLI
              emulation).

       -d     Enable debug messages.

       -l logfile
              Save the current session to the file logfile. If logfile exists,
              the data will be appended at the end.

       -c conffile
              Read/write configuration variables from/to conffile.

       -M     Disable MAC spoofing.
PROTOCOLS
       The following protocols are implemented in the current yersinia
       version:

       Spanning Tree Protocol (STP and RSTP)

       Cisco Discovery Protocol (CDP)

       Hot Standby Router Protocol (HSRP)

       Dynamic Host Configuration Protocol (DHCP)

       Dynamic Trunking Protocol (DTP)

       IEEE 802.1Q

       VLAN Trunking Protocol (VTP)

       Inter-Switch Link Protocol (ISL)

       IEEE 802.1X

       MultiProtocol Label Switching (MPLS)

PROTOCOL OPTIONS
       Spanning Tree Protocol (STP): is a link management protocol that
       provides path redundancy while preventing undesirable loops in the
       network. The supported options are:

       -version version
              BPDU version (0 STP, 2 RSTP, 3 MSTP)

       -type type
              BPDU type (Configuration, TCN)

       -flags flags
              BPDU Flags

       -id id
              BPDU ID

       -cost pathcost
              BPDU root path cost

       -rootid id
              BPDU Root ID

       -bridgeid id
              BPDU Bridge ID

       -portid id
              BPDU Port ID

       -message secs
              BPDU Message Age

       -max-age secs
              BPDU Max Age (default is 20)

       -hello secs
              BPDU Hello Time (default is 2)

       -forward secs
              BPDU Forward Delay

       -source hw_addr
              Source MAC address

       -dest hw_addr
              Destination MAC address

       -interface iface
              Set network interface to use

       -attack attack
              Attack to launch

       Cisco Discovery Protocol (CDP): is a Cisco proprietary protocol whose
       main aim is to let Cisco devices communicate with each other about
       their device settings and protocol configurations. The supported
       options are:

       -source hw_addr
              MAC Source Address

       -dest hw_addr
              MAC Destination Address

       -v version
              CDP Version

       -ttl ttl
              Time To Live

       -devid id
              Device ID

       -address address
              Device Address

       -port id
              Device Port

       -capability cap
              Device Capabilities

       -version version
              Device IOS Version

       -duplex 0|1
              Device Duplex Configuration

       -platform platform
              Device Platform

       -ipprefix ip
              Device IP Prefix

       -phello hello
              Device Protocol Hello

       -mtu mtu
              Device MTU

       -vtp_mgm_dom domain
              Device VTP Management Domain

       -native_vlan vlan
              Device Native VLAN

       -voip_vlan_r req
              Device VoIP VLAN Reply

       -voip_vlan_q query
              Device VoIP VLAN Query

       -t_bitmap bitmap
              Device Trust Bitmap

       -untrust_cos cos
              Device Untrusted CoS

       -system_name name
              Device System Name

       -system_oid oid
              Device System ObjectID

       -mgm_address address
              Device Management Address

       -location location
              Device Location

       -attack attack
              Attack to launch

       Hot Standby Router Protocol (HSRP):

       -source hw_addr
              Source MAC address

       -dest hw_addr
              Destination MAC address

       -interface iface
              Set network interface to use

       -attack attack
              Attack to launch

       Inter-Switch Link Protocol (ISL):

       -source hw_addr
              Source MAC address

       -dest hw_addr
              Destination MAC address

       -interface iface
              Set network interface to use

       -attack attack
              Attack to launch

       VLAN Trunking Protocol (VTP):

       -source hw_addr
              Source MAC address

       -dest hw_addr
              Destination MAC address

       -interface iface
              Set network interface to use

       -attack attack
              Attack to launch

       Dynamic Host Configuration Protocol (DHCP):

       -source hw_addr
              Source MAC address

       -dest hw_addr
              Destination MAC address

       -interface iface
              Set network interface to use

       -attack attack
              Attack to launch

       IEEE 802.1Q:

       -source hw_addr
              Source MAC address

       -dest hw_addr
              Destination MAC address

       -interface iface
              Set network interface to use

       -attack attack
              Attack to launch

       Dynamic Trunking Protocol (DTP):

       -source hw_addr
              Source MAC address

       -dest hw_addr
              Destination MAC address

       -interface iface
              Set network interface to use

       -attack attack
              Attack to launch

       IEEE 802.1X:

       -version arg
              Version

       -type arg
              xxxx

       -eapcode arg
              xxxx

       -eapid arg
              xxxx

       -eaptype arg
              xxxx

       -eapinfo arg
              xxx

       -interface arg
              xxxx

       -source hw_addr
              Source MAC address

       -dest hw_addr
              Destination MAC address

       -interface iface
              Set network interface to use

       -attack attack
              Attack to launch

       MultiProtocol Label Switching (MPLS):

       -source hw_addr
              Source MAC address

       -dest hw_addr
              Destination MAC address

       -interface iface
              Set network interface to use

       -attack attack
              Attack to launch

       -label1 arg
              Set MPLS Label

       -exp1 arg
              Set MPLS Experimental bits

       -bottom1 arg
              Set MPLS Bottom Of Stack flag

       -ttl1 arg
              Set MPLS Time To Live

       -label2 arg
              Set MPLS Label (second header)

       -exp2 arg
              Set MPLS Experimental bits (second header)

       -bottom2 arg
              Set MPLS Bottom Of Stack flag (second header)

       -ttl2 arg
              Set MPLS Time To Live (second header)

       -ipsource ipv4
              Source IP

       -portsource port
              Source TCP/UDP port

       -ipdest ipv4
              Destination IP

       -portdest port
              Destination TCP/UDP port

       -payload ASCII
              ASCII IP payload

ATTACKS
       Attacks Implemented in STP:

       0: NONDOS attack sending conf BPDU

       1: NONDOS attack sending tcn BPDU

       2: DOS attack sending conf BPDUs

       3: DOS attack sending tcn BPDUs

       4: NONDOS attack Claiming Root Role

       5: NONDOS attack Claiming Other Role

       6: DOS attack Claiming Root Role with MiTM

       Attacks Implemented in CDP:

       0: NONDOS attack sending CDP packet

       1: DOS attack flooding CDP table

       2: NONDOS attack Setting up a virtual device

       Attacks Implemented in HSRP:

       0: NONDOS attack sending raw HSRP packet

       1: NONDOS attack becoming ACTIVE router

       2: NONDOS attack becoming ACTIVE router (MITM)

       Attacks Implemented in DHCP:

       0: NONDOS attack sending RAW packet

       1: DOS attack sending DISCOVER packet

       2: NONDOS attack creating DHCP rogue server

       3: DOS attack sending RELEASE packet

       Attacks Implemented in DTP:

       0: NONDOS attack sending DTP packet

       1: NONDOS attack enabling trunking

       Attacks Implemented in 802.1Q:

       0: NONDOS attack sending 802.1Q packet

       1: NONDOS attack sending 802.1Q double enc. packet

       2: DOS attack sending 802.1Q arp poisoning

       Attacks Implemented in VTP:

       0: NONDOS attack sending VTP packet

       1: DOS attack deleting all VTP vlans

       2: DOS attack deleting one vlan

       3: NONDOS attack adding one vlan

       4: DOS attack crashing Catalyst

       Attacks Implemented in 802.1X:

       0: NONDOS attack sending 802.1X packet

       1: NONDOS attack Mitm 802.1X with 2 interfaces

       Attacks Implemented in MPLS:

       0: NONDOS attack sending TCP MPLS packet

       1: NONDOS attack sending TCP MPLS with double header

       2: NONDOS attack sending UDP MPLS packet

       3: NONDOS attack sending UDP MPLS with double header

       4: NONDOS attack sending ICMP MPLS packet

       5: NONDOS attack sending ICMP MPLS with double header

       Attacks Implemented in ISL:

       None at the moment

GTK GUI
       The GTK GUI (-G) is a GTK graphical interface with all of yersinia's
       powerful features and a professional 'look and feel'.

NCURSES GUI
       The ncurses GUI (-I) is an ncurses (or curses) based console where the
       user can take advantage of yersinia's powerful features.

       Press 'h' to display the Help Screen and enjoy your session :)

NETWORK DAEMON
       The Network Daemon (-D) is a telnet based server (ala Cisco mode) that
       listens by default on port 12000/tcp waiting for incoming telnet
       connections.

       It supports a CLI similar to a Cisco device where the user (once
       authenticated) can display different settings and can launch attacks
       without having yersinia running on her own machine (especially useful
       for Windows users).

EXAMPLES
       - Send a Rapid Spanning-Tree BPDU with port role designated, port state
         agreement, learning and port id 0x3000 to eth1:

         yersinia stp -attack 0 -version 2 -flags 5c -portid 3000 -interface eth1

       - Start a Spanning-Tree nonDoS root claiming attack on the first
         non-loopback interface (keep in mind that this kind of attack will
         use the first BPDU seen on the network interface to fill in the BPDU
         fields properly):

         yersinia stp -attack 4

       - Start a Spanning-Tree DoS attack sending TCN BPDUs on the eth0
         interface with MAC address 66:66:66:66:66:66:

         yersinia stp -attack 3 -source 66:66:66:66:66:66
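       To show what the first example above puts on the wire, and what a
       switch-side monitor should look for when the root-claiming (attack 4)
       and TCN (attack 3) examples run, here is an added Python decoder that is
       not part of yersinia or this man page. It parses an RSTP BPDU body,
       decodes the -flags 5c and -portid 3000 fields, and raises an alert for a
       TCN BPDU or for a root ID that beats the known root. The sample frames
       and the baseline root ID (32768, 00:11:22:33:44:55) are constructed
       assumptions.

```python
import struct

# 35-byte STP body after the LLC header; an RST BPDU (version 2) appends
# a 1-byte "Version 1 Length" field.
BPDU_FMT = "!HBBB8sI8sHHHHH"
ROLES = {0: "unknown", 1: "alternate/backup", 2: "root", 3: "designated"}

def decode_flags(flags):
    """RSTP flags byte: bit0 TC, bit1 proposal, bits2-3 port role,
    bit4 learning, bit5 forwarding, bit6 agreement, bit7 TC ack."""
    return {"tc": bool(flags & 0x01), "proposal": bool(flags & 0x02),
            "role": ROLES[(flags >> 2) & 0x3], "learning": bool(flags & 0x10),
            "forwarding": bool(flags & 0x20), "agreement": bool(flags & 0x40),
            "tc_ack": bool(flags & 0x80)}

def bridge_id(raw):
    """8-byte bridge identifier -> (priority, 'aa:bb:cc:dd:ee:ff')."""
    return struct.unpack("!H", raw[:2])[0], ":".join(f"{b:02x}" for b in raw[2:])

def parse_bpdu(pkt):
    """Parse a Configuration or RST BPDU; timers are in 1/256 s units."""
    (proto, ver, btype, flags, root, cost, bridge, port_id,
     _msg_age, max_age, hello, fwd) = struct.unpack(BPDU_FMT, pkt[:35])
    if proto != 0:
        raise ValueError("not an STP BPDU")
    return {"version": ver, "type": btype, "flags": decode_flags(flags),
            "root": bridge_id(root), "cost": cost, "bridge": bridge_id(bridge),
            # RSTP port ID: 4-bit priority (stored /16) and 12-bit port number
            "port_priority": (port_id >> 12) << 4, "port_number": port_id & 0xFFF,
            "max_age": max_age / 256, "hello": hello / 256, "fwd_delay": fwd / 256}

def check_bpdu(pkt, expected_root):
    """Alert on a TCN BPDU or on a root ID better than the known root."""
    if pkt[3] == 0x80:                  # TCN BPDUs are only 4 bytes long
        return ["TCN BPDU seen"]
    b = parse_bpdu(pkt)
    if b["root"] < expected_root:       # lowest (priority, MAC) wins the election
        return [f"root claim: {b['root']} beats expected {expected_root}"]
    return []

def build_bpdu(flags, root_prio, root_mac, bridge_prio, bridge_mac, port_id):
    """Constructed RST BPDU for testing, not captured traffic; timers 20/2/15 s."""
    bid = lambda p, m: struct.pack("!H", p) + bytes.fromhex(m.replace(":", ""))
    return struct.pack(BPDU_FMT, 0, 2, 0x02, flags, bid(root_prio, root_mac), 0,
                       bid(bridge_prio, bridge_mac), port_id, 0,
                       20 * 256, 2 * 256, 15 * 256) + b"\x00"
```

       Feeding it the frame from the first example yields port role
       designated with the learning and agreement bits set and port priority
       48, port number 0, exactly the fields the command line specifies.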

SEE ALSO
       The README file contains more in-depth documentation about the attacks.

COPYRIGHT
       Yersinia is Copyright (c)

BUGS
       Lots

AUTHORS
       Alfredo Andres Omella <aandreswork@hotmail.com>
       David Barroso Berrueta <tomac@yersinia.net>

Yersinia v0.8                $Date: 2017/08/23 08:10:00 $           YERSINIA(8)