
STP mitm attack idea






While reading many white papers about attacks on the Spanning Tree Protocol, I found a MITM attack on two STP switches using one station with two Ethernet NICs.
That attack is in most cases useless because:
- we need physical access to two switches (not one)
- the station needs two cards
While two cards are possible, access to two switches in, e.g., one office is almost impossible.
My idea for a modification of this attack needs:
- two stations to attack by MITM (A and B)
- two or more switches running STP
- two attacking stations (C and D) connected to two different switches, in the path between the attacked stations

A ---- switch 1 ----- switch 2 ----- B
          |              |
          |              |
          C              D

Take the first scenario:
1. A sends a frame to B
2. Switch 1 accepts the frame and forwards it to switch 2
3. Switch 2 accepts the frame via the link from switch 1 and forwards it to B

Second scenario:
1. Stations C and D start sending frames to break the link between switch 1 and switch 2, and announce a non-existent connection from the C port on switch 1 to the D port on switch 2

A ---- switch 1 --X-- switch 2 ----- B
          |              |
          |              |
          C  --no conn-- D

2. Station A sends a frame to B
3. The frame is forwarded to station C
4. Station C stores the frame in memory
5. After equal timing, stations C and D repair the link between switches 1 and 2
6. Station C resends the stored packet to station D (e.g. in a tunnel or encapsulated in an IP packet)
7. Stations C and D break the link between switches 1 and 2
8. Station D sends the transmitted packet to station B

Advantages
- no need for one station with two links to two switches
- needs two stations, either compromised or not (in a large multi-switch environment with many stations we can sometimes find, for example, two compromised Windows or Linux hosts)
- with good timing and a packet detection method, we can separate one protocol connection from the whole traffic

Disadvantages of the method
- stops all traffic between the switches, and needs delicate timing
- when the link between switches 1 and 2 is working, we can't see the frames flying across the wire

Additional information
- the timing question, i.e. the retransmission time between TCP frames versus the time to break and repair the link: is it possible to do it before the frame is retransmitted?

Uh, that's all. Please think about whether it is possible, because my programming skills are too low to make it work.

With regards
Xperience
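The post never says what the frames that "break the link" and "announce a non-existent connection" contain. The usual way a station pulls a switch's forwarding path toward its own port is to send configuration BPDUs that claim the root bridge role with a bridge ID better (numerically lower) than the real root's. The following is an added example written for this page by the editor, not code from the original poster: it builds such a BPDU on the wire per the IEEE 802.1D-1998 configuration BPDU layout (802.3 frame, LLC 0x42/0x42/0x03, 35-byte BPDU), decodes it again, and applies the check that a switch's root guard feature or a passive IDS uses to catch it: a BPDU arriving on an access port whose advertised root ID beats the root the network already has. The MAC addresses, priorities, timer values and the choice of priority 0 are made-up assumptions; the break/repair timing the post asks about is not modelled.

```python
"""Build, decode and sanity-check IEEE 802.1D configuration BPDUs.

Added example, not from the original post. Standard library only, so it
runs offline; every MAC, priority and timer below is a constructed value.
"""
import struct

STP_DST_MAC = bytes.fromhex("0180c2000000")   # 802.1D bridge group address
LLC_STP_HDR = b"\x42\x42\x03"                 # DSAP=SSAP=0x42, control=UI
BPDU_CONFIG = 0x00                            # BPDU type: configuration
# Config BPDU (35 bytes, big-endian): protocol id, version, type, flags,
# root id, root path cost, bridge id, port id, message age, max age,
# hello time, forward delay.
BPDU_STRUCT = struct.Struct("!HBBB8sI8sHHHHH")
TICK = 256                                    # timers are in 1/256 s units


def bridge_id(priority: int, mac: str) -> bytes:
    """Bridge ID = 2-byte priority (incl. system-ID extension) + 6-byte MAC."""
    return struct.pack("!H6s", priority, bytes.fromhex(mac.replace(":", "")))


def build_config_bpdu(root_id: bytes, root_cost: int, sender_id: bytes,
                      port_id: int = 0x8001, message_age: float = 0.0,
                      max_age: float = 20.0, hello: float = 2.0,
                      forward_delay: float = 15.0, flags: int = 0) -> bytes:
    """Serialize one configuration BPDU; timer arguments are in seconds."""
    return BPDU_STRUCT.pack(0, 0, BPDU_CONFIG, flags, root_id, root_cost,
                            sender_id, port_id, int(message_age * TICK),
                            int(max_age * TICK), int(hello * TICK),
                            int(forward_delay * TICK))


def build_frame(src_mac: str, bpdu: bytes) -> bytes:
    """Wrap a BPDU in an 802.3 frame: the 2 bytes after the MACs are a
    length, not an EtherType, followed by the LLC header. FCS omitted."""
    src = bytes.fromhex(src_mac.replace(":", ""))
    payload = LLC_STP_HDR + bpdu
    frame = STP_DST_MAC + src + struct.pack("!H", len(payload)) + payload
    return frame.ljust(60, b"\x00")           # pad to the minimum frame size


def parse_frame(frame: bytes) -> dict:
    """Decode a configuration BPDU out of an 802.3/LLC frame; raise otherwise."""
    if frame[:6] != STP_DST_MAC:
        raise ValueError("not sent to the bridge group address")
    length = struct.unpack("!H", frame[12:14])[0]
    if length < len(LLC_STP_HDR) + BPDU_STRUCT.size or frame[14:17] != LLC_STP_HDR:
        raise ValueError("not an LLC-encapsulated STP frame")
    body = frame[17:17 + BPDU_STRUCT.size]
    (proto, _version, btype, flags, root, cost, sender, port,
     msg_age, max_age, hello, fwd) = BPDU_STRUCT.unpack(body)
    if proto != 0 or btype != BPDU_CONFIG:
        raise ValueError("not a configuration BPDU")
    return {"src_mac": frame[6:12].hex(":"), "flags": flags, "root_id": root,
            "root_cost": cost, "sender_id": sender, "port_id": port,
            "message_age": msg_age / TICK, "max_age": max_age / TICK,
            "hello": hello / TICK, "forward_delay": fwd / TICK}


def is_better_bridge_id(a: bytes, b: bytes) -> bool:
    """STP elects the numerically lowest bridge ID (priority, then MAC) as
    root; big-endian bytes compare the same way they compare as integers."""
    return a < b


def root_guard_violation(frame: bytes, known_root: bytes) -> bool:
    """The check a root-guard-enabled port (or an IDS watching an access
    port) applies: does this BPDU advertise a root better than the known one?"""
    return is_better_bridge_id(parse_frame(frame)["root_id"], known_root)


if __name__ == "__main__":
    # Constructed values: switch 1 is the real root; C is the rogue host.
    real_root = bridge_id(32768, "00:11:22:33:44:55")
    rogue_id = bridge_id(0, "00:de:ad:be:ef:01")      # priority 0: beats any real switch
    legit = build_frame("00:11:22:33:44:55", build_config_bpdu(real_root, 0, real_root))
    rogue = build_frame("00:de:ad:be:ef:01", build_config_bpdu(rogue_id, 0, rogue_id))
    print("legit BPDU flagged:", root_guard_violation(legit, real_root))
    print("rogue BPDU flagged:", root_guard_violation(rogue, real_root))
```

Two things worth noting against the post's scheme. A rogue root claim only moves the forwarding path; it does not by itself let C read A's frames once the real inter-switch link is back, which is the "we can't see frames while the link is working" disadvantage the post already lists. And the same comparison that makes the attack work is what defeats it: enabling root guard (or at least BPDU guard) on every access port rejects a BPDU like the rogue one above before it influences the topology.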
