Yersinia: How to Analyze and Test Network Protocols
System: Linux/Solaris/All BSD Platforms
License: GNU General Public License (GPL)
Purpose: Framework for analyzing and testing networks and systems
Yersinia is a free, open source utility written entirely in C, which is great for security professionals, pen testers and hacker enthusiasts alike. It is a solid framework for analyzing and testing network protocols, designed to take advantage of some weaknesses in different network protocols. Yersinia allows you to send raw VTP (VLAN Trunking Protocol) packets and also allows you to add and delete VLANs from a centralized point of origin.
Other Useful Features:
One of the useful features I like using with Yersinia is the DHCP (Dynamic Host Configuration Protocol) attack. In this scenario, a DHCP starvation attack works by broadcasting DHCP requests with spoofed MAC addresses. This is easily accomplished with Yersinia: if enough requests are sent, the network attacker can exhaust the address space available to the DHCP provider for a period of time. I have used this attack on my Netgear router WGT624 v2 and every machine, regardless of whether it is connected via a wired or wireless link, loses its network connection. Once the attack is stopped, the DHCP clients can reconnect and are able to use the network again.
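
The starvation pattern described above (many DISCOVERs from spoofed MAC addresses) shows up in DHCP server logs. The following is an added example, not part of the original article or of Yersinia: a detector that flags an interface when many distinct MACs send DHCPDISCOVER inside a short window and never follow up with DHCPREQUEST. The log format (ISO timestamp plus ISC dhcpd-style messages), the function names, the window and the threshold are assumptions, and the sample log is constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format: ISO timestamp, host, then ISC dhcpd-style messages.
LINE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d) \S+ dhcpd(?:\[\d+\])?: "
    r"(?P<msg>DHCPDISCOVER|DHCPREQUEST)\b.*?from "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}).*? via (?P<ifc>[\w.-]+)", re.I)

def detect_starvation(lines, window_s=10, threshold=20):
    """Map interface -> peak number of distinct MACs that sent DHCPDISCOVER
    inside one sliding window and never followed up with DHCPREQUEST.
    Only interfaces whose peak reaches `threshold` are returned."""
    window = timedelta(seconds=window_s)
    discovers = defaultdict(list)   # interface -> [(time, mac)]
    completed = set()               # MACs that went on to request a lease
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        mac = m["mac"].lower()
        if m["msg"].upper() == "DHCPREQUEST":
            completed.add(mac)
        else:
            discovers[m["ifc"]].append((datetime.fromisoformat(m["ts"]), mac))
    alerts = {}
    for ifc, events in discovers.items():
        recent, peak = deque(), 0
        for ts, mac in sorted(e for e in events if e[1] not in completed):
            recent.append((ts, mac))
            while ts - recent[0][0] > window:   # drop events older than window
                recent.popleft()
            peak = max(peak, len({mac_ for _, mac_ in recent}))
        if peak >= threshold:
            alerts[ifc] = peak
    return alerts

def sample_log():
    """Constructed sample: 3 normal clients on eth0, then 40 DISCOVERs from
    40 different MACs on eth1 in four seconds with no DHCPREQUEST."""
    pre, out = "gw dhcpd[812]:", []
    for i in range(3):
        mac = f"00:1b:44:11:3a:{i:02x}"
        out.append(f"2024-01-12T10:00:0{i} {pre} DHCPDISCOVER from {mac} via eth0")
        out.append(f"2024-01-12T10:00:0{i} {pre} DHCPREQUEST for 192.168.1.{50 + i} from {mac} via eth0")
    for i in range(40):
        out.append(f"2024-01-12T10:01:0{i // 10} {pre} DHCPDISCOVER from 02:00:00:00:00:{i:02x} via eth1")
    return out

if __name__ == "__main__":
    print(detect_starvation(sample_log()))
```

The window and threshold need tuning per segment: a lab or a large wireless network can legitimately produce bursts of new clients.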
Yersinia also runs as a network daemon (# yersinia -D), which allows you to set up a server in each network segment so that network administrators can access their networks. Yersinia listens on port 12000/tcp by default and allows you to analyze the network packets traversing the network. This is very useful because you can determine the misconfigurations on your network segment and correct them before an attacker takes advantage of them.
With Yersinia you can also launch HSRP (Hot Standby Router Protocol) attacks. The first option is simply sending custom raw HSRP packets, which lets you test HSRP implementations on the local network segment. Another option is becoming the active router with a fake IP, which results in a Denial of Service (DoS). You can also launch a MITM (Man in the Middle) attack by becoming the active router through editing the HSRP packet fields in the attacked routers. By enabling IP forwarding on the attacker's machine and providing a valid static route to the legitimate gateway, the traffic from the victim's machine will go through the attacker's platform and will be subject to analysis and/or tampering.
You can configure a CDP (Cisco Discovery Protocol) virtual device that is fully automated by selecting the correct parameters for the CDP frames. My favorite attack vector is the CDP table flooding attack. Yersinia also allows for capturing, editing and manipulating frames in the Yersinia GUI.
Disadvantages:
Only two disadvantages within Yersinia are worthy of mention. The first is that it was created solely for the *nix community and is not available for the Windows platform. The Yersinia team has requested that the community contribute to the Windows platform, so all the Windows enthusiasts cross your fingers and let's hope it will be available on Windows in the near future. Secondly, the Yersinia output log is written in Spanish, so have your translator of choice at the ready!

Spanning Tree Protocol
- Sending RAW Configuration BPDU
- Sending RAW TCN BPDU
- DoS sending RAW Configuration BPDU
- DoS sending RAW TCN BPDU
- Claiming Root Role
- Claiming Other Role
- Claiming Root Role dual home (MITM)

Cisco Discovery Protocol
- Sending RAW CDP packet
- DoS flooding CDP neighbors table
- Setting up a virtual device

Dynamic Host Configuration Protocol
- Sending RAW DHCP packet
- DoS sending DISCOVER packet (exhausting ip pool)
- Setting up rogue DHCP server
- DoS sending RELEASE packet (releasing assigned ip)

Hot Standby Router Protocol
- Sending RAW HSRP packet
- Becoming active router
- Becoming active router (MITM)

Dynamic Trunking Protocol
- Sending RAW DTP packet
- Enabling trunking

802.1Q
- Sending RAW 802.1Q packet
- Sending double encapsulated 802.1Q packet
- Sending 802.1Q ARP Poisoning

802.1X
- Sending RAW 802.1X packet
- Mitm 802.1X with 2 interfaces

VLAN Trunking Protocol
- Sending RAW VTP packet
- Deleting ALL VLANs
- Deleting selected VLAN
- Adding one VLAN
- Catalyst crash