Yersinia
A framework for layer 2 attacks
Spanning Tree
1: DOS attack sending conf BPDUs
Let's send some conf BPDUs claiming to be root! By continuously sending conf BPDUs with a root path cost of 0, a randomly
generated bridge ID (and therefore the same root ID) and default values for the other fields, we try to
annoy the switches close to us, causing a DoS as they parse each one and recalculate their STP state.
Source MAC: randomly generated.
Destination MAC: 01:80:c2:00:00:00
Bridge ID: 8000:source_mac
Root ID: 8000:source_mac
Hello time: 2
Forward delay: 15
Max age: 20
Root pathcost: 0
<output from the cisco log>
01:20:26: STP: VLAN0001 heard root 32768-d1bf.6d60.097b on Fa0/8
01:20:26: STP: VLAN0001 heard root 32768-9ac6.0f72.7118 on Fa0/8
01:20:26: STP: VLAN0001 heard root 32768-85a3.3662.43dc on Fa0/8
01:20:26: STP: VLAN0001 heard root 32768-3d84.bc1c.918e on Fa0/8
01:20:26: STP: VLAN0001 heard root 32768-b2e2.1a12.dbb4 on Fa0/8
01:20:26: STP: VLAN0001 heard root 32768-4ba6.2d45.5844 on Fa0/8
01:20:26: STP: VLAN0001 heard root 32768-deb0.4f14.7288 on Fa0/8
01:20:26: STP: VLAN0001 heard root 32768-4879.8036.0e24 on Fa0/8
01:20:26: STP: VLAN0001 heard root 32768-2776.e340.9222 on Fa0/8
01:20:26: STP: VLAN0001 heard root 32768-299e.de76.c07d on Fa0/8
01:20:26: STP: VLAN0001 heard root 32768-d38b.bc5b.e90d on Fa0/8
01:20:26: STP: VLAN0001 heard root 32768-78ee.0205.afdb on Fa0/8
01:20:26: STP: VLAN0001 heard root 32768-b32b.e969.81b1 on Fa0/8
01:20:26: STP: VLAN0001 heard root 32768-b16b.c428.88a3 on Fa0/8
01:20:26: STP: VLAN0001 heard root 32768-dd01.1436.9044 on Fa0/8
</output>
2: DOS attack sending tcn BPDUs
This attack sends tcn BPDUs continuously, causing the root switch to send conf BPDUs acknowledging the change.
In addition, the root switch will send topology change notifications to the members of the tree, which will then
have to recalculate their STP state to learn the new change.
Source MAC: randomly generated.
Destination MAC: 01:80:c2:00:00:00
<output from the cisco log>
01:35:39: STP: VLAN0001 Topology Change rcvd on Fa0/8
01:35:39: STP: VLAN0001 Topology Change rcvd on Fa0/8
01:35:39: STP: VLAN0001 Topology Change rcvd on Fa0/8
01:35:39: STP: VLAN0001 Topology Change rcvd on Fa0/8
01:35:39: STP: VLAN0001 Topology Change rcvd on Fa0/8
01:35:39: STP: VLAN0001 Topology Change rcvd on Fa0/8
01:35:39: STP: VLAN0001 Topology Change rcvd on Fa0/8
01:35:39: STP: VLAN0001 Topology Change rcvd on Fa0/8
01:35:39: STP: VLAN0001 Topology Change rcvd on Fa0/8
01:35:39: STP: VLAN0001 Topology Change rcvd on Fa0/8
01:35:39: STP: VLAN0001 Topology Change rcvd on Fa0/8
01:35:39: STP: VLAN0001 Topology Change rcvd on Fa0/8
01:35:39: STP: VLAN0001 Topology Change rcvd on Fa0/8
01:35:39: STP: VLAN0001 Topology Change rcvd on Fa0/8
01:35:39: STP: VLAN0001 Topology Change rcvd on Fa0/8
01:35:39: STP: VLAN0001 Topology Change rcvd on Fa0/8
01:35:39: STP: VLAN0001 Topology Change rcvd on Fa0/8
01:35:39: STP: VLAN0001 Topology Change rcvd on Fa0/8
</output>
3: NONDOS attack Claiming Root Role
Now our aim is to take the root role of the tree. How do we accomplish this? Just listen to the network
to find out which bridge is the current root, then start sending conf BPDUs with a lower (that is, better) priority value to become root.
Source MAC: same one as the sniffed BPDU.
Destination MAC: same one as the sniffed BPDU.
Bridge ID: the sniffed one, slightly modified to have a lower priority value.
Root ID: 8000: same as bridge id.
Hello time: same one as the sniffed BPDU.
Forward delay: same one as the sniffed BPDU.
Max age: same one as the sniffed BPDU.
Root pathcost: same one as the sniffed BPDU.
<output from the cisco log>
01:58:48: STP: VLAN0001 heard root 32769-000e.84d4.2280 on Fa0/8
01:58:48: supersedes 32769-000e.84d5.2280
01:58:48: STP: VLAN0001 new root is 32769, 000e.84d4.2280 on port Fa0/8, cost 19
</output>
4: NONDOS attack Claiming a non-root role
We pretend to be another weird switch playing with STP and praising our root id :)
5: DOS attack causing eternal root elections
By sending config BPDUs whose priority is decremented with each one sent, we can cause endless root elections in the STP tree.
It is something like recounting the election's votes again and again to determine the winner (do you remember Florida?).
<output from the cisco log>
00:20:21: STP: VLAN0001 heard root 32769-000e.84d4.2280 on Fa0/9
00:20:21: supersedes 32769-000e.84d5.2280
00:20:21: STP: VLAN0001 new root is 32769, 000e.84d4.2280 on port Fa0/9, cost 19
00:20:23: STP: VLAN0001 heard root 32769-000e.84d3.2280 on Fa0/9
00:20:23: supersedes 32769-000e.84d4.2280
00:20:23: STP: VLAN0001 new root is 32769, 000e.84d3.2280 on port Fa0/9, cost 19
00:20:25: STP: VLAN0001 heard root 32769-000e.84d2.2280 on Fa0/9
00:20:25: supersedes 32769-000e.84d3.2280
00:20:25: STP: VLAN0001 new root is 32769, 000e.84d2.2280 on port Fa0/9, cost 19
00:20:27: STP: VLAN0001 heard root 32769-000e.84d1.2280 on Fa0/9
00:20:27: supersedes 32769-000e.84d2.2280
00:20:27: STP: VLAN0001 new root is 32769, 000e.84d1.2280 on port Fa0/9, cost 19
00:20:29: STP: VLAN0001 heard root 32769-000e.84d0.2280 on Fa0/9
00:20:29: supersedes 32769-000e.84d1.2280
00:20:29: STP: VLAN0001 new root is 32769, 000e.84d0.2280 on port Fa0/9, cost 19
00:20:31: STP: VLAN0001 heard root 32769-000e.84cf.2280 on Fa0/9
00:20:31: supersedes 32769-000e.84d0.2280
00:20:31: STP: VLAN0001 new root is 32769, 000e.84cf.2280 on port Fa0/9, cost 19
00:20:33: STP: VLAN0001 heard root 32769-000e.84ce.2280 on Fa0/9
00:20:33: supersedes 32769-000e.84cf.2280
00:20:33: STP: VLAN0001 new root is 32769, 000e.84ce.2280 on port Fa0/9, cost 19
00:20:35: STP: VLAN0001 heard root 32769-000e.84cd.2280 on Fa0/9
00:20:35: supersedes 32769-000e.84ce.2280
00:20:35: STP: VLAN0001 new root is 32769, 000e.84cd.2280 on port Fa0/9, cost 19
00:20:37: STP: VLAN0001 heard root 32769-000e.84cc.2280 on Fa0/9
00:20:37: supersedes 32769-000e.84cd.2280
00:20:37: STP: VLAN0001 new root is 32769, 000e.84cc.2280 on port Fa0/9, cost 19
00:20:39: STP: VLAN0001 heard root 32769-000e.84cb.2280 on Fa0/9
00:20:39: supersedes 32769-000e.84cc.2280
00:20:39: STP: VLAN0001 new root is 32769, 000e.84cb.2280 on port Fa0/9, cost 19
</output>
6: DOS attack causing root disappearance
This time we try to exhaust the root election process. We manage to become root of the STP tree,
but then we stop sending config BPDUs until max_age seconds (usually 20) have elapsed, forcing a new
election process.
<output from the cisco log>
02:02:43: STP: VLAN0001 heard root 32769-000e.84d4.2280 on Fa0/9
02:02:43: supersedes 32769-000e.84d5.2280
02:02:43: STP: VLAN0001 new root is 32769, 000e.84d4.2280 on port Fa0/9, cost 19
02:03:03: STP: VLAN0001 we are the spanning tree root
02:03:04: STP: VLAN0001 heard root 32769-000e.84d4.2280 on Fa0/9
02:03:04: supersedes 32769-000e.84d5.2280
02:03:04: STP: VLAN0001 new root is 32769, 000e.84d4.2280 on port Fa0/9, cost 19
02:03:04: STP: VLAN0001 sent Topology Change Notice on Fa0/9
02:03:06: STP: VLAN0001 sent Topology Change Notice on Fa0/9
02:03:08: STP: VLAN0001 sent Topology Change Notice on Fa0/9
02:03:10: STP: VLAN0001 sent Topology Change Notice on Fa0/9
02:03:12: STP: VLAN0001 sent Topology Change Notice on Fa0/9
02:03:14: STP: VLAN0001 sent Topology Change Notice on Fa0/9
02:03:16: STP: VLAN0001 sent Topology Change Notice on Fa0/9
02:03:18: STP: VLAN0001 sent Topology Change Notice on Fa0/9
02:03:20: STP: VLAN0001 sent Topology Change Notice on Fa0/9
02:03:22: STP: VLAN0001 sent Topology Change Notice on Fa0/9
02:03:24: STP: VLAN0001 we are the spanning tree root
02:03:24: STP: VLAN0001 heard root 32769-000e.84d4.2280 on Fa0/9
02:03:24: supersedes 32769-000e.84d5.2280
02:03:24: STP: VLAN0001 new root is 32769, 000e.84d4.2280 on port Fa0/9, cost 19
02:03:24: STP: VLAN0001 sent Topology Change Notice on Fa0/9
02:03:26: STP: VLAN0001 sent Topology Change Notice on Fa0/9
02:03:28: STP: VLAN0001 sent Topology Change Notice on Fa0/9
02:03:30: STP: VLAN0001 sent Topology Change Notice on Fa0/9
02:03:32: STP: VLAN0001 sent Topology Change Notice on Fa0/9
02:03:34: STP: VLAN0001 sent Topology Change Notice on Fa0/9
02:03:36: STP: VLAN0001 sent Topology Change Notice on Fa0/9
02:03:38: STP: VLAN0001 sent Topology Change Notice on Fa0/9
02:03:40: STP: VLAN0001 sent Topology Change Notice on Fa0/9
02:03:42: STP: VLAN0001 sent Topology Change Notice on Fa0/9
02:03:44: STP: VLAN0001 we are the spanning tree root
</output>
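The Cisco log excerpts in sections 1, 2, 5 and 6 above share a handful of `debug spanning-tree` message shapes, so a defender can match them and flag each pattern: a burst of distinct root IDs heard on one port, a burst of TCNs, a root ID that keeps decreasing, and a root that keeps appearing and vanishing. The following is an added example, not part of Yersinia or the original README; it assumes IOS log lines of exactly the formats quoted above and runs on a constructed, abridged sample built from them.

```python
import re
from collections import Counter, defaultdict

# Patterns for the Cisco "debug spanning-tree" lines quoted in this README.
HEARD = re.compile(r"^(\S+): STP: (\S+) heard root \d+-([0-9a-f.]+) on (\S+)$")
TCN = re.compile(r"^(\S+): STP: (\S+) Topology Change rcvd on (\S+)$")
NEWROOT = re.compile(r"^\S+: STP: (\S+) new root is \d+, ([0-9a-f.]+) on port (\S+), cost \d+$")
WEROOT = re.compile(r"^\S+: STP: (\S+) we are the spanning tree root$")
def analyse(lines, burst=5):  # -> {(vlan, port): [alert names]}
    heard = defaultdict(set)     # (vlan, port, timestamp) -> distinct root MACs heard
    tcn = Counter()              # (vlan, port, timestamp) -> TCNs received
    newroot = defaultdict(list)  # (vlan, port) -> root MACs in arrival order
    flaps = Counter()            # (vlan, port) -> "we are root" immediately undone by "new root"
    we_are_root = {}             # VLANs whose last root event was "we are the spanning tree root"
    alerts = defaultdict(set)
    for line in lines:
        if m := HEARD.match(line):          # groups: ts, vlan, mac, port
            heard[(m[2], m[4], m[1])].add(m[3])
        elif m := TCN.match(line):          # groups: ts, vlan, port
            tcn[(m[2], m[3], m[1])] += 1
        elif m := NEWROOT.match(line):      # groups: vlan, mac, port
            newroot[(m[1], m[3])].append(m[2])
            if we_are_root.pop(m[1], False):   # we were root a moment ago and lost it again
                flaps[(m[1], m[3])] += 1
        elif m := WEROOT.match(line):
            we_are_root[m[1]] = True
    for (vlan, port, _), macs in heard.items():   # attack 1: many root ids within one second
        if len(macs) >= burst:
            alerts[(vlan, port)].add("conf-bpdu-flood")
    for (vlan, port, _), n in tcn.items():        # attack 2: TCN burst within one second
        if n >= burst:
            alerts[(vlan, port)].add("tcn-flood")
    for key, macs in newroot.items():             # attack 5: each new root id lower than the last
        ids = [int(mac.replace(".", ""), 16) for mac in macs]
        if len(ids) >= 3 and all(b < a for a, b in zip(ids, ids[1:])):
            alerts[key].add("decrementing-root-id")
    for key, n in flaps.items():                  # attack 6: root keeps appearing and vanishing
        if n >= 2:
            alerts[key].add("root-flapping")
    return {k: sorted(v) for k, v in alerts.items()}

SAMPLE = (  # constructed sample, abridged from the log excerpts above (bursts of 5 instead of 15-18)
    ["01:20:26: STP: VLAN0001 heard root 32768-%04x.6d60.097b on Fa0/8" % i for i in range(5)]
    + ["01:35:39: STP: VLAN0001 Topology Change rcvd on Fa0/8"] * 5
    + ["00:20:2%d: STP: VLAN0001 new root is 32769, 000e.84d%x.2280 on port Fa0/9, cost 19"
       % (2 * i + 1, 4 - i) for i in range(3)]
    + [t % ts for ts in ("02:03:03", "02:03:24") for t in (
        "%s: STP: VLAN0001 we are the spanning tree root",
        "%s: STP: VLAN0001 new root is 32769, 000e.84d4.2280 on port Fa0/10, cost 19")]
)
```

Feed it the output of `debug spanning-tree events` (or syslog lines with the timestamp prefix trimmed to match) and treat any alert on an access port as a sign that BPDU guard or root guard is missing there.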
Mitigations (Cisco only)
- Use port security and disable STP on those ports that don't require it. For information about port security, please check the following URL: http://www.cisco.com/en/US/products/hw/switches/ps628/products_configuration_guide_chapter09186a0080150bcd.html
- If you are using the portfast feature in your STP configuration, also enable BPDU guard to prevent these attacks on ports that automatically enter the forwarding state: http://www.cisco.com/warp/public/473/65.html
- Use the root guard feature to prevent rogue devices from becoming root: http://www.cisco.com/en/US/tech/tk389/tk621/technologies_tech_note09186a00800ae96b.shtml
Further reading
- Guillermo Marro's nice Master's Thesis: http://seclab.cs.ucdavis.edu/papers/Marro_masters_thesis.pdf
- Oleg K. Artemjev, Vladislav V. Myasnyankin. Fun wi