`
blogfeifei
  • 浏览: 1194532 次
文章分类
社区版块
存档分类
最新评论

STP mitm attack idea

 
阅读更多

As I read in many white papers about attacks on Spanning Tree Protocol, I found mitm attack on two STP switches, one station and two ethernet NICs.
That attack is in most cases useless because:
- we need physical access to two (not one switch)
- two cards in station
As two cards are possible, that access to two switches in one ie. office is almost impossible.
My idea for modification of this attack needs:
- two stations to attack by mitm (A and B)
- two or more switches with STP protocol
- two attacking stations connected to two different switches in way beetween attacked stations (C and D)

A ---- switch 1 ----- switch 2 ----- B
| |
| |
C D

Take first scenario:
1. A - sends frame to B
2. Switch 1 - accepts frame and forwards it to switch 2
3. Switch 2 - accepts frame via link from switch 1 and forwards it to B

Second scenario:
1. Station C and station D starts to send frames to break link beetween switch 1 and switch 2, and announce non existing connection and switch from C port on switch 1 to D port on switch 2

A ---- switch 1 --X-- switch 2 ----- B
| |
| |
C --no conn-- D
2. Station A sends frame to B
3. Frame is forwarded to C station
4. Station C stores frame in memory
5. After equal timing station C and station D repair link beetween switch 1 and 2
6. station C resends stored packet to station D (ie in tunnel or encapsulated in ip packet)
7. stations C and D break link beetween switches 1 and 2
8. station D sends transmitted packet to station B

Advantages
- no need for one station with two links to two switches
- needs two stations, either compromised or not (in large multiswitch enviroment with many stations sometimes we can find in example two compromised windows or linux hosts)
- when we have good timing and packet detection method, we can separate one protocol connection from whole traffic

Disadvantages of method.
- stops whole traffic beetween switches, and needs delicate timing
- when link beetween switch 1 and 2 is working we can't see frames that flying across wire

Additional information.
- timing question, ie - retransmition time beetween tcp frames, and time to break and repair link - is it possible to do it before frame is retransmited?

Uh that's all. Please think about it is possible, because my programming skills are to low to make it working.

http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/Baseline_Security/sec_chap7.html#wp1058965

分享到:
| Microsoft Outlook Web Access (OWA) versi ...
评论
发表评论

您还没有登录,请您登录后再发表评论

相关推荐

Magicbox
Global site tag (gtag.js) - Google Analytics