Yersinia - A Framework for layer 2 attacks
Attacks
Attacks Implemented in STP:
0: NONDOS attack sending conf BPDU
1: NONDOS attack sending tcn BPDU
2: DOS attack sending conf BPDUs
3: DOS attack sending tcn BPDUs
4: NONDOS attack Claiming Root Role
5: NONDOS attack Claiming Other Role
6: DOS attack Claiming Root Role with MiTM
Attacks Implemented in CDP:
0: NONDOS attack sending CDP packet
1: DOS attack flooding CDP table
2: NONDOS attack Setting up a virtual device
Attacks Implemented in HSRP:
0: NONDOS attack sending raw HSRP packet
1: NONDOS attack becoming ACTIVE router
2: NONDOS attack becoming ACTIVE router (MITM)
Attacks Implemented in DHCP:
0: NONDOS attack sending RAW packet
1: DOS attack sending DISCOVER packet
2: NONDOS attack creating DHCP rogue server
3: DOS attack sending RELEASE packet
Attacks Implemented in DTP:
0: NONDOS attack sending DTP packet
1: NONDOS attack enabling trunking
Attacks Implemented in 802.1Q:
0: NONDOS attack sending 802.1Q packet
1: NONDOS attack sending 802.1Q double enc. packet
2: DOS attack sending 802.1Q arp poisoning
Attacks Implemented in VTP:
0: NONDOS attack sending VTP packet
1: DOS attack deleting all VTP vlans
2: DOS attack deleting one vlan
3: NONDOS attack adding one vlan
4: DOS attack crashing Catalyst
Attacks Implemented in 802.1X:
0: NONDOS attack sending 802.1X packet
1: NONDOS attack Mitm 802.1X with 2 interfaces
Attacks Implemented in MPLS:
0: NONDOS attack sending TCP MPLS packet
1: NONDOS attack sending TCP MPLS with double header
2: NONDOS attack sending UDP MPLS packet
3: NONDOS attack sending UDP MPLS with double header
4: NONDOS attack sending ICMP MPLS packet
5: NONDOS attack sending ICMP MPLS with double header
Attacks Implemented in ISL:
None at the moment
Bugs
Lots
Copyright
Yersinia is Copyright (c)
Description
yersinia is a framework for performing layer 2 attacks. The following protocols have been implemented in
the current version of Yersinia: Spanning Tree Protocol (STP), VLAN Trunking Protocol (VTP), Hot Standby Router Protocol (HSRP), Dynamic Trunking Protocol (DTP), IEEE 802.1Q, IEEE 802.1X, Cisco Discovery Protocol (CDP), Dynamic Host Configuration Protocol (DHCP), Inter-Switch Link Protocol (ISL) and MultiProtocol Label Switching (MPLS).
Some of the attacks implemented will cause a DoS in a network, others will help to perform a more
advanced attack, or both. In addition, some of them are released to the public here for the first time,
since there isn't any public implementation.
Yersinia will definitely help both pen-testers and network administrators in their daily tasks.
Some of the mentioned attacks are DoS attacks, so TAKE CARE about what you're doing because you can
turn your network into an UNSTABLE one.
Many examples are given in the EXAMPLES section of this page, showing real and useful program executions.
Examples
- Send a Rapid Spanning-Tree BPDU with port role designated, port state agreement, learning and port id
0x3000 to eth1:
yersinia stp -attack 0 -version 2 -flags 5c -portid 3000 -interface eth1
- Start a Spanning-Tree nonDoS root claiming attack in the first nonloopback interface (keep in mind that
this kind of attack will use the first BPDU on the network interface to fill in the BPDU fields
properly):
yersinia stp -attack 4
- Start a Spanning-Tree DoS attack sending TCN BPDUs in the eth0 interface with MAC address
66:66:66:66:66:66:
yersinia stp -attack 3 -source 66:66:66:66:66:66
Gtk Gui
The GTK GUI (-G) is a GTK graphical interface with all of yersinia's powerful features and a
professional 'look and feel'.
Name
Yersinia - A Framework for layer 2 attacks
Ncurses Gui
The ncurses GUI (-I) is an ncurses (or curses) based console where the user can take advantage of
yersinia's powerful features.
Press 'h' to display the Help Screen and enjoy your session :)
Network Daemon
The Network Daemon (-D) is a telnet-based server (à la Cisco mode) that listens by default on port
12000/tcp, waiting for incoming telnet connections.
It supports a CLI similar to a Cisco device where the user (once authenticated) can display different
settings and can launch attacks without having yersinia running on her own machine (especially useful for
Windows users).
Options
-h, --help
Help screen.
-V, --Version
Program version.
-G Start a graphical GTK session.
-I, --interactive
Start an interactive ncurses session.
-D, --daemon
Start the network listener for remote admin (Cisco CLI emulation).
-d Enable debug messages.
-l logfile
Save the current session to the file logfile. If logfile exists, the data will be appended at the
end.
-c conffile
Read/write configuration variables from/to conffile.
-M Disable MAC spoofing.
Protocols
The following protocols are implemented in the current version of yersinia:
Spanning Tree Protocol (STP and RSTP)
Cisco Discovery Protocol (CDP)
Hot Standby Router Protocol (HSRP)
Dynamic Host Configuration Protocol (DHCP)
Dynamic Trunking Protocol (DTP)
IEEE 802.1Q
VLAN Trunking Protocol (VTP)
Inter-Switch Link Protocol (ISL)
IEEE 802.1X
MultiProtocol Label Switching (MPLS)
Protocols Options
Spanning Tree Protocol (STP): is a link management protocol that provides path redundancy while
preventing undesirable loops in the network. The supported options are:
-version version
BPDU version (0 STP, 2 RSTP, 3 MSTP)
-type type
BPDU type (Configuration, TCN)
-flags flags
BPDU Flags
-id id
BPDU ID
-cost pathcost
BPDU root path cost
-rootid id
BPDU Root ID
-bridgeid id
BPDU Bridge ID
-portid id
BPDU Port ID
-message secs
BPDU Message Age
-max-age secs
BPDU Max Age (default is 20)
-hello secs
BPDU Hello Time (default is 2)
-forward secs
BPDU Forward Delay
-source hw_addr
Source MAC address
-dest hw_addr
Destination MAC address
-interface iface
Set network interface to use
-attack attack
Attack to launch
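The fields these options set sit at fixed offsets in the BPDU, which is what a defender's capture analysis has to read. The following is an added example, not part of yersinia or its man page: a Python parser that decodes those fields (including the flags octet, where the 5c used in the Examples section means designated role, learning and agreement) and reports the conditions that BPDU guard and root guard exist to catch. The names parse_bpdu, decode_flags, alerts, expected_root and edge_port, and the SAMPLE frame, are constructed for illustration.

```python
import struct

STP_DST = bytes.fromhex("0180c2000000")   # IEEE bridge group address
LLC_STP = b"\x42\x42\x03"                 # DSAP/SSAP 0x42, UI control
ROLES = {0: "unknown", 1: "alternate/backup", 2: "root", 3: "designated"}
TYPES = {0x00: "config", 0x02: "rst", 0x80: "tcn"}
# Constructed sample: RST BPDU, flags 0x5c, port id 0x3000, root priority 0.
SAMPLE = bytes.fromhex(
    "0180c2000000" "666666666666" "0027" "424203" "0000" "02" "02" "5c"
    "0000001122334455" "00000000" "0000001122334455" "3000"
    "0000" "1400" "0200" "0f00" "00")

def parse_bpdu(frame: bytes):
    """Return the BPDU fields of an 802.3/LLC frame, or None if not STP."""
    if len(frame) < 21 or frame[:6] != STP_DST or frame[14:17] != LLC_STP:
        return None
    b = frame[17:]
    proto, version, btype = struct.unpack("!HBB", b[:4])
    out = {"source": frame[6:12].hex(":"), "version": version,
           "type": TYPES.get(btype, hex(btype))}
    if proto != 0 or btype == 0x80 or len(b) < 35:
        return out                         # TCN BPDUs stop after the type byte
    flags, root, cost, bridge, port, age, max_age, hello, fwd = struct.unpack(
        "!B8sI8sHHHHH", b[4:35])
    out.update(flags=flags, rootid=root.hex(), cost=cost, bridgeid=bridge.hex(),
               portid=port, message=age / 256, max_age=max_age / 256,
               hello=hello / 256, forward=fwd / 256)   # timers are in 1/256 s
    return out

def decode_flags(flags: int):
    """Decode the RSTP flags octet (version 2 BPDUs) into (role, set bits)."""
    names = [n for bit, n in ((0, "topology-change"), (1, "proposal"),
             (4, "learning"), (5, "forwarding"), (6, "agreement"),
             (7, "tc-ack")) if flags >> bit & 1]
    return ROLES[flags >> 2 & 3], names

def alerts(bpdu, expected_root: str, edge_port: bool):
    """Reasons a BPDU seen on a port deserves attention (hypothetical policy).
    expected_root is the legitimate root ID as 16 lowercase hex digits."""
    found = []
    if bpdu is None:
        return found
    if edge_port:
        found.append("BPDU received on an edge (host) port")
    if bpdu["type"] == "tcn":
        found.append("topology change notification")
    elif "rootid" in bpdu and bpdu["rootid"] < expected_root:
        found.append("superior root ID " + bpdu["rootid"])
    return found
```
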
Cisco Discovery Protocol (CDP): is a Cisco proprietary protocol whose main aim is to let Cisco devices
communicate with each other about their device settings and protocol configurations. The supported options
are:
-source hw_addr
MAC Source Address
-dest hw_addr
MAC Destination Address
-v version
CDP Version
-ttl ttl
Time To Live
-devid id
Device ID
-address address
Device Address
-port id
Device Port
-capability cap
Device Capabilities
-version version
Device IOS Version
-duplex 0|1
Device Duplex Configuration
-platform platform
Device Platform
-ipprefix ip
Device IP Prefix
-phello hello
Device Protocol Hello
-mtu mtu
Device MTU
-vtp_mgm_dom domain
Device VTP Management Domain
-native_vlan vlan
Device Native VLAN
-voip_vlan_r req
Device VoIP VLAN Reply
-voip_vlan_q query
Device VoIP VLAN Query
-t_bitmap bitmap
Device Trust Bitmap
-untrust_cos cos
Device Untrusted CoS
-system_name name
Device System Name
-system_oid oid
Device System ObjectID
-mgm_address address
Device Management Address
-location location
Device Location
-attack attack
Attack to launch
Hot Standby Router Protocol (HSRP):
-source hw_addr
Source MAC address
-dest hw_addr
Destination MAC address
-interface iface
Set network interface to use
-attack attack
Attack to launch
Inter-Switch Link Protocol (ISL):
-source hw_addr
Source MAC address
-dest hw_addr
Destination MAC address
-interface iface
Set network interface to use
-attack attack
Attack to launch
VLAN Trunking Protocol (VTP):
-source hw_addr
Source MAC address
-dest hw_addr
Destination MAC address
-interface iface
Set network interface to use
-attack attack
Attack to launch
Dynamic Host Configuration Protocol (DHCP):
-source hw_addr
Source MAC address
-dest hw_addr
Destination MAC address
-interface iface
Set network interface to use
-attack attack
Attack to launch
IEEE 802.1Q:
-source hw_addr
Source MAC address
-dest hw_addr
Destination MAC address
-interface iface
Set network interface to use
-attack attack
Attack to launch
Dynamic Trunking Protocol (DTP):
-source hw_addr
Source MAC address
-dest hw_addr
Destination MAC address
-interface iface
Set network interface to use
-attack attack
Attack to launch
IEEE 802.1X:
-version arg
Version
-type arg
xxxx
-eapcode arg
xxxx
-eapid arg
xxxx
-eaptype arg
xxxx
-eapinfo arg
xxx
-interface arg
xxxx
-source hw_addr
Source MAC address
-dest hw_addr
Destination MAC address
-interface iface
Set network interface to use
-attack attack
Attack to launch
MultiProtocol Label Switching (MPLS):
-source hw_addr
Source MAC address
-dest hw_addr
Destination MAC address
-interface iface
Set network interface to use
-attack attack
Attack to launch
-label1 arg
Set MPLS Label
-exp1 arg
Set MPLS Experimental bits
-bottom1 arg
Set MPLS Bottom Of Stack flag
-ttl1 arg
Set MPLS Time To Live
-label2 arg
Set MPLS Label (second header)
-exp2 arg
Set MPLS Experimental bits (second header)
-bottom2 arg
Set MPLS Bottom Of Stack flag (second header)
-ttl2 arg
Set MPLS Time To Live (second header)
-ipsource ipv4
Source IP
-portsource port
Source TCP/UDP port
-ipdest ipv4
Destination IP
-portdest port
Destination TCP/UDP port
-payload ASCII
ASCII IP payload
See Also
The README file contains more in-depth documentation about the attacks.
Synopsis
yersinia [-hVGIDd] [-l logfile] [-c conffile] protocol [-M] [protocol_options]
