Attacks on STP.
Oleg Petukhov, lawyer in the field of international law and personal data protection, information security specialist, protection of information and personal data
Telegram channel: https://t.me/protectioninformation
Telegram Group: https://t.me/informationprotection1
Website: https://legascom.ru
Email: online@legascom.ru
#informationprotection #informationsecurity
The Spanning Tree Protocol (STP) is designed to prevent frames from looping in a network that contains redundant paths. It works as follows. First, the interconnected switches discover each other. Then the Root Bridge, the main (root) switch, is elected. Finally, following a special algorithm, the switch ports that would create loops in the resulting topology are blocked.
To build a loop-free tree, a root switch from which the tree is built must be defined in the network. The switch with the lowest identifier value is selected as the root switch. The switch identifier is an eight-byte number: the lower six bytes are the MAC address of its control unit, and the upper two bytes are configured manually. This lets the network administrator influence the root switch election. If the administrator does not intervene, the root switch is effectively chosen at random: it will be the device with the lowest MAC address of the control unit, and such a choice may be far from rational. Therefore you should choose the root switch based on the actual network topology and manually assign it the smallest identifier. When selected automatically, the switch with the lower control-unit MAC address becomes the root. Next, the root port is determined for each switch: the port with the shortest network distance to the root switch. For each logical network segment a so-called designated bridge is selected, one of whose ports receives packets from the segment and forwards them towards the root bridge through that bridge's root port.
What can an attacker do? Just as in the previous example, it can pose as a switch and send a BPDU packet towards the attacked switch with a forged priority and MAC address, so as to become the root switch itself and use that position to intercept network traffic. The switch with the highest priority (the lowest numeric priority value) becomes the root. If several switches have the same priority, the MAC address is used to break the tie, and the one with the lower MAC address becomes the root.
Let's do a little practical exercise: detect the MAC addresses of other machines and spoof our own. For this we again need the Wireshark sniffer. As in the hub example, we enable capture on the network interface, only this time we are interested in STP traffic rather than HTTP. We need to identify the MAC address of the root switch; to interpret this information you need to know the network topology. The MAC address of the root port can be read with Wireshark.
To obtain the MAC addresses, look at the Source and Destination fields in the header of the captured frame; we are interested in the source. For the forged address of our switch we choose a smaller value, for example one less than the source, as in the example below.
root@kali:~# macchanger --mac=xx:xx:xx:xx:xx:xx-1 eth0
Current MAC: 00:16:ec:f1:45:e8 (unknown)
Faked MAC: xx:xx:xx:xx:xx:xx (unknown)
Restart the network interface.
root@kali:~# ifdown eth0
root@kali:~# ifup eth0
Internet Systems Consortium DHCP Client V3.1.1
Copyright 2004-2008 Internet Systems Consortium.
All rights reserved.
For info, please visit http://www.isc.org/sw/dhcp/
Listening on LPF/eth0/04:2f:11:65:fc:0a
Sending on LPF/eth0/04:2f:11:65:fc:0a
Sending on Socket/fallback
DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 3
DHCPOFFER of 192.168.1.8 from 192.168.1.101
DHCPREQUEST of 192.168.1.8 on eth0 to 255.255.255.255 port 67
DHCPACK of 192.168.1.8 from 192.168.1.101
bound to 192.168.1.8 -- renewal in 42928 seconds.
if-up.d/mountnfs[eth0]: waiting for interface eth1 before doing NFS mounts
if-up.d/mountnfs[eth0]: waiting for interface eth2 before doing NFS mounts
if-up.d/mountnfs[eth0]: waiting for interface ath0 before doing NFS mounts
if-up.d/mountnfs[eth0]: waiting for interface wlan0 before doing NFS mounts
By default all priorities are equal, so STP will select the device with the lowest MAC address as the root.
Now the attacker needs to send a BPDU packet carrying his own switch ID. The other switches send their IDs as well, and if the identifier sent by the attacker contains the smallest MAC, then with equal priorities it will be elected root.
A forged BPDU packet can be created as follows.
In the packETH packet builder window, specify the source and destination MAC addresses of the packet. The source address must be the forged one.
The following values are entered in the User defined network payload field:
The STA protocol version identifier, 2 bytes. Switches must support the same version of the STA protocol, otherwise an active configuration containing a loop may be established.
The BPDU type, 1 byte. There are two types of BPDUs: a configuration BPDU, that is, a bid to become the root switch, on the basis of which the active configuration is determined, and a reconfiguration notification BPDU, which is sent by a switch that detects an event requiring reconfiguration: a link failure, a port failure, or a change in switch or port priorities.
Flags, 1 byte. One bit holds the configuration change flag, the second the configuration change acknowledgement flag.
The root switch ID, 8 bytes.
The distance to the root, 2 bytes.
The switch ID, 8 bytes.
The port ID, 2 bytes.
The message age, 2 bytes. Measured in units of 0.5 seconds, it is used to identify stale messages. When a BPDU passes through a switch, the switch adds its own delay to the message age.
The maximum message age, 2 bytes. If a BPDU's age exceeds the maximum, the switches ignore it.
The hello interval, the period at which BPDU packets are sent.
The state change delay, 2 bytes. The delay sets the minimum time before switch ports become active. It is needed to rule out transient loops when port states change simultaneously during reconfiguration.
The reconfiguration notification BPDU has no fields other than the first two. The completed packet is sent by clicking Send.
If in the previous steps we correctly determined the MACs of the other STP participants, then in theory the protocol's algorithm should recalculate the paths so that all traffic is sent to our forged port. To avoid detection the attacker must also ensure that traffic is forwarded on from his machine to its destination; otherwise all traffic goes nowhere and the MAC forgery is quickly discovered. We will not address that problem in this post.
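As an added defender-side example (not part of the original post), the following Python decodes a captured BPDU and flags any root claim that would beat the legitimate root under the rule described above: the lower priority value wins and ties go to the lower MAC. It follows the IEEE 802.1D frame layout, in which the root path cost is 4 bytes and the version is a separate 1-byte field, so the byte counts differ slightly from the list above; all frames and the known root ID are constructed sample values.

```python
import struct

# Constructed sample: an IEEE 802.1D configuration BPDU, including the LLC header
# (DSAP/SSAP 0x42, control 0x03) that precedes it inside the Ethernet frame. The sender
# has default priority 32768 (0x8000) and MAC 00:16:ec:f1:45:e8; timers are in 1/256 s.
LEGIT_BPDU = bytes.fromhex(
    "424203"                      # LLC header
    "0000" "00" "00" "00"         # protocol id 0, version 0, type 0 (config), flags
    "8000" "0016ecf145e8"         # root id: 2-byte priority + 6-byte MAC
    "00000000"                    # root path cost (4 bytes in 802.1D)
    "8000" "0016ecf145e8"         # sender's bridge id
    "8001"                        # port id
    "0000" "1400" "0200" "0f00"   # message age 0, max age 20 s, hello 2 s, fwd delay 15 s
)
# Constructed forgery: identical, but the advertised root id carries a MAC one lower
# (ending in :e7), the "reduce the source MAC by one" trick described in the text.
ROGUE_BPDU = LEGIT_BPDU.replace(bytes.fromhex("80000016ecf145e8"),
                                bytes.fromhex("80000016ecf145e7"), 1)

def parse_bpdu(payload: bytes) -> dict:
    """Decode an LLC-encapsulated BPDU into its fields (ids become (priority, mac) tuples)."""
    if payload[:3] != b"\x42\x42\x03":
        raise ValueError("not an STP LLC frame")
    body = payload[3:]
    proto, version, kind = struct.unpack("!HBB", body[:4])
    if kind == 0x80:   # topology change notification: carries only these fields
        return {"protocol": proto, "version": version, "type": kind}
    if kind != 0 or len(body) < 35:
        raise ValueError("unsupported or truncated BPDU")
    (flags, root_prio, root_mac, cost, br_prio, br_mac, port_id,
     msg_age, max_age, hello, fwd_delay) = struct.unpack("!BH6sIH6sHHHHH", body[4:35])
    return {"protocol": proto, "version": version, "type": kind, "flags": flags,
            "root_id": (root_prio, root_mac), "cost": cost,
            "bridge_id": (br_prio, br_mac), "port_id": port_id,
            "message_age": msg_age / 256, "max_age": max_age / 256,
            "hello": hello / 256, "forward_delay": fwd_delay / 256}

def fmt_id(bridge_id) -> str:
    prio, mac = bridge_id
    return f"{prio}/" + ":".join(f"{b:02x}" for b in mac)

def rogue_root_alert(payload: bytes, known_root) -> "str | None":
    """Alert when a BPDU advertises a root id that would beat the known root.
    Tuple comparison applies STP's own rule: lower priority wins, ties go to lower MAC."""
    info = parse_bpdu(payload)
    if info["type"] != 0 or info["root_id"] >= known_root:
        return None
    return f"ALERT: root claim {fmt_id(info['root_id'])} beats known root {fmt_id(known_root)}"

KNOWN_ROOT = (0x8000, bytes.fromhex("0016ecf145e8"))   # constructed: our legitimate root
```

Feeding every BPDU seen on an access port through rogue_root_alert gives a simple monitor for the root takeover described above; a non-None result is exactly what BPDU guard and root guard are meant to stop at the switch itself.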
What measures should be taken to get rid of this vulnerability?
First of all, BPDU packets must be prohibited on ports that have no switches behind them, and if such a packet does arrive, the port must be shut down. Then we need to protect our root switch so that under no circumstances can another switch, including an attacker's, be elected root. It is not difficult for an attacker to set a better priority than that of the real main switch and a lower MAC address, guaranteeing that the attacker appears to be root.
To address this, we put all the switch's access ports into a special STP mode called portfast. A client connected to such a port does not wait for STP to converge (building the network topology can take quite a long time, up to 40 seconds), which is otherwise required before the port starts forwarding user data. By default portfast mode is disabled on Cisco switches, so we have to configure it manually. We will also configure the port to be disabled if it receives a BPDU packet.
Switch# conf t
Switch(config)# int range f0/1-24
Switch(config-if-range)# spanning-tree portfast
Switch(config-if-range)# exit
Switch(config)# spanning-tree portfast bpduguard default
Switch(config)# int f0/1
Switch(config-if)# spanning-tree guard root
The first two commands are familiar from the previous examples. The third enables portfast mode. Next we declare that BPDU packets are not accepted on these ports. And the last two commands protect the root bridge: that is, we assume the other switch is connected to ours on port f0/1 and, accordingly, it is to be used as root.
Now, even if an attacker sends the switch a BPDU packet with the highest priority and a lower MAC address, he still cannot become the root switch and redirect all traffic through himself.