STP mitm attack idea
As I read in many white papers about attacks on the Spanning Tree Protocol, I found a MITM attack using two STP switches, one station and two Ethernet NICs.
That attack is in most cases useless because:
- we need physical access to two switches (not one)
- two cards in the station
Two cards are possible, but access to two switches in one office, for example, is almost impossible.

My idea for a modification of this attack needs:
- two stations to attack by MITM (A and B)
- two or more switches with the STP protocol
- two attacking stations (C and D) connected to two different switches, in the path between the attacked stations

    A ---- switch 1 ----- switch 2 ----- B
              |                |
              |                |
              C                D

Take the first scenario:
1. A sends a frame to B
2. Switch 1 accepts the frame and forwards it to switch 2
3. Switch 2 accepts the frame via the link from switch 1 and forwards it to B

Second scenario:
1. Station C and station D start to send frames to break the link between switch 1 and switch 2, and announce a non-existing connection and switch from the C port on switch 1 to the D port on switch 2

    A ---- switch 1 --X-- switch 2 ----- B
              |                |
              |                |
              C ---no conn---- D

2. Station A sends a frame to B
3. The frame is forwarded to station C
4. Station C stores the frame in memory
5. After equal timing, station C and station D repair the link between switch 1 and 2
6. Station C resends the stored packet to station D (i.e. in a tunnel or encapsulated in an IP packet)
7. Stations C and D break the link between switches 1 and 2
8. Station D sends the transmitted packet to station B

Advantages
- no need for one station with two links to two switches
- needs two stations, either compromised or not (in a large multi-switch environment with many stations we can sometimes find, for example, two compromised Windows or Linux hosts)
- when we have good timing and a packet detection method, we can separate one protocol connection from the whole traffic

Disadvantages of the method.
- stops the whole traffic between the switches, and needs delicate timing
- when the link between switch 1 and 2 is working we can't see the frames that are flying across the wire

Additional information.
- timing question, i.e. retransmission time between TCP frames, and time to break and repair the link: is it possible to do it before the frame is retransmitted?

Uh, that's all. Please think about whether it is possible, because my programming skills are too low to make it work.

With regards
Xperience
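From a defender's side, the scenario above relies on stations on access ports injecting BPDUs that make switch 1 and switch 2 drop and re-establish their link, so the thing to watch for is BPDUs arriving on edge ports, repeated topology changes, and root-bridge claims that beat the expected root. The following example is added here and is not code from the original post: it parses 802.1D Configuration and TCN BPDUs (the LLC 0x42/0x42/0x03 header followed by the BPDU body) and flags those three conditions, which is what BPDU Guard and Root Guard enforce on a real switch. The port names, bridge MACs and frames are constructed for the demonstration.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

LLC_STP = b"\x42\x42\x03"   # 802.2 LLC header carried by 802.1D BPDUs
BPDU_CONFIG = 0x00
BPDU_TCN = 0x80
FLAG_TC = 0x01              # Topology Change flag in a Configuration BPDU


@dataclass
class Bpdu:
    bpdu_type: int
    flags: int = 0
    root_id: Optional[bytes] = None     # 2-byte priority + 6-byte MAC; lower wins
    root_cost: Optional[int] = None
    bridge_id: Optional[bytes] = None
    port_id: Optional[int] = None


def parse_bpdu(payload: bytes) -> Bpdu:
    """Parse the LLC + BPDU part of an 802.1D frame (after the 802.3 header)."""
    if payload[:3] != LLC_STP:
        raise ValueError("not an STP LLC frame")
    body = payload[3:]
    proto_id, _version, bpdu_type = struct.unpack("!HBB", body[:4])
    if proto_id != 0:
        raise ValueError("unexpected protocol id %#x" % proto_id)
    if bpdu_type == BPDU_TCN:
        return Bpdu(bpdu_type)          # a TCN BPDU carries no further fields
    # flags(1) root id(8) root path cost(4) bridge id(8) port id(2)
    flags, root_id, root_cost, bridge_id, port_id = struct.unpack("!B8sI8sH", body[4:27])
    return Bpdu(bpdu_type, flags, root_id, root_cost, bridge_id, port_id)


def build_config_bpdu(root_id: bytes, bridge_id: bytes, flags: int = 0,
                      root_cost: int = 0, port_id: int = 0x8001) -> bytes:
    """Constructed test frame (not capture data); timers are 802.1D defaults in 1/256 s."""
    timers = struct.pack("!HHHH", 0, 20 * 256, 2 * 256, 15 * 256)
    return (LLC_STP + struct.pack("!HBB", 0, 0, BPDU_CONFIG)
            + struct.pack("!B8sI8sH", flags, root_id, root_cost, bridge_id, port_id)
            + timers)


def build_tcn_bpdu() -> bytes:
    """Constructed Topology Change Notification BPDU."""
    return LLC_STP + struct.pack("!HBB", 0, 0, BPDU_TCN)


class StpMonitor:
    """Flags BPDU activity a switch operator would not expect from end stations."""

    def __init__(self, access_ports, expected_root_id: bytes):
        self.access_ports = set(access_ports)      # ports that should never see BPDUs
        self.expected_root_id = expected_root_id
        self.alerts: List[Tuple[str, str]] = []

    def observe(self, port: str, payload: bytes) -> List[str]:
        bpdu = parse_bpdu(payload)
        reasons = []
        if port in self.access_ports:
            reasons.append("bpdu-on-access-port")      # what BPDU Guard shuts down
        if bpdu.bpdu_type == BPDU_TCN or bpdu.flags & FLAG_TC:
            reasons.append("topology-change")          # link break/repair cycles show up here
        if bpdu.root_id is not None and bpdu.root_id < self.expected_root_id:
            reasons.append("superior-root-claim")      # what Root Guard blocks
        self.alerts.extend((port, r) for r in reasons)
        return reasons


def run_demo() -> List[Tuple[str, str]]:
    # Constructed identities: priority 32768 for the legitimate root, 0 for a rogue claim.
    legit_root = b"\x80\x00" + bytes.fromhex("0000aa000001")
    rogue_root = b"\x00\x00" + bytes.fromhex("0000bb000002")
    mon = StpMonitor(access_ports={"Gi1/0/5", "Gi1/0/6"}, expected_root_id=legit_root)
    events = [
        ("Gi1/0/24", build_config_bpdu(legit_root, legit_root)),   # trunk, normal hello
        ("Gi1/0/5", build_config_bpdu(rogue_root, rogue_root)),    # station claiming root
        ("Gi1/0/6", build_tcn_bpdu()),                              # station forcing a TC
    ]
    for port, frame in events:
        mon.observe(port, frame)
    return mon.alerts


if __name__ == "__main__":
    for port, reason in run_demo():
        print(port, reason)
```

On a production switch the same policy is expressed as BPDU Guard on every access port and Root Guard on the uplinks; the monitor above is useful when mirroring traffic to a sensor, since a burst of "topology-change" alerts from access ports is exactly the break-and-repair rhythm the post describes.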
Thread (posts with the same subject)
Full thread (this is post 1 of 8)