YERSINIA(8)

Yersinia - A Framework for layer 2 attacks

yersinia [-hVGIDd] [-l logfile] [-c conffile] protocol [-M] [protocol_options]

yersinia is a framework for performing layer 2 attacks. The following protocols have been implemented in the current version of Yersinia: Spanning Tree Protocol (STP), VLAN Trunking Protocol (VTP), Hot Standby Router Protocol (HSRP), Dynamic Trunking Protocol (DTP), IEEE 802.1Q, IEEE 802.1X, Cisco Discovery Protocol (CDP), Dynamic Host Configuration Protocol (DHCP), Inter-Switch Link Protocol (ISL) and MultiProtocol Label Switching (MPLS).

Some of the attacks implemented will cause a DoS in a network, others will help to perform other, more advanced attacks, or both. In addition, some of them are released to the public here for the first time, since there isn't any public implementation.

Yersinia will definitely help both pen-testers and network administrators in their daily tasks.

Some of the mentioned attacks are DoS attacks, so TAKE CARE about what you're doing because you can convert your network into an UNSTABLE one.

A lot of examples are given in the EXAMPLES section of this page, showing real and useful program executions.

-h  Help screen.
-V  Program version.
-G  Start a graphical GTK session.
-I  Start an interactive ncurses session.
-D  Start the network listener for remote admin (Cisco CLI emulation).
-d  Enable debug messages.
-l logfile  Save the current session to the file logfile. If logfile exists, the data will be appended at the end.
-c conffile  Read/write configuration variables from/to conffile.
-M  Disable MAC spoofing.

The following protocols are implemented in the current version of yersinia:

BPDU version (0 STP, 2 RSTP, 3 MSTP)
BPDU type (Configuration, TCN)
BPDU Flags
BPDU ID
BPDU root path cost
BPDU Root ID
BPDU Bridge ID
BPDU Port ID
BPDU Message Age
BPDU Max Age (default is 20)
BPDU Hello Time (default is 2)
BPDU Forward Delay
Source MAC address
Destination MAC address
Set network interface to use
Attack to launch

MAC Source Address
MAC Destination Address
CDP Version
Time To Live
Device ID
Device Address
Device Port
Device Capabilities
Device IOS Version
Device Duplex Configuration
Device Platform
Device IP Prefix
Device Protocol Hello
Device MTU
Device VTP Management Domain
Device Native VLAN
Device VoIP VLAN Reply
Device VoIP VLAN Query
Device Trust Bitmap
Device Untrusted CoS
Device System Name
Device System ObjectID
Device Management Address
Device Location
Attack to launch

Source MAC address
Destination MAC address
Set network interface to use
Attack to launch

Source MAC address
Destination MAC address
Set network interface to use
Attack to launch

Source MAC address
Destination MAC address
Set network interface to use
Attack to launch

Source MAC address
Destination MAC address
Set network interface to use
Attack to launch

Source MAC address
Destination MAC address
Set network interface to use
Attack to launch

Source MAC address
Destination MAC address
Set network interface to use
Attack to launch

Version
xxxx
xxxx
xxxx
xxxx
xxx
xxxx
Source MAC address
Destination MAC address
Set network interface to use
Attack to launch

Source MAC address
Destination MAC address
Set network interface to use
Attack to launch
Set MPLS Label
Set MPLS Experimental bits
Set MPLS Bottom Of Stack flag
Set MPLS Time To Live
Set MPLS Label (second header)
Set MPLS Experimental bits (second header)
Set MPLS Bottom Of Stack flag (second header)
Set MPLS Time To Live (second header)
Source IP
Source TCP/UDP port
Destination IP
Destination TCP/UDP port
ASCII IP payload

Spanning Tree Protocol (STP):
0: NONDOS attack sending conf BPDU
1: NONDOS attack sending tcn BPDU
2: DOS attack sending conf BPDUs
3: DOS attack sending tcn BPDUs
4: NONDOS attack Claiming Root Role
5: NONDOS attack Claiming Other Role
6: DOS attack Claiming Root Role with MiTM

Cisco Discovery Protocol (CDP):
0: NONDOS attack sending CDP packet
1: DOS attack flooding CDP table
2: NONDOS attack Setting up a virtual device

Hot Standby Router Protocol (HSRP):
0: NONDOS attack sending raw HSRP packet
1: NONDOS attack becoming ACTIVE router
2: NONDOS attack becoming ACTIVE router (MITM)

Dynamic Host Configuration Protocol (DHCP):
0: NONDOS attack sending RAW packet
1: DOS attack sending DISCOVER packet
2: NONDOS attack creating DHCP rogue server
3: DOS attack sending RELEASE packet

Dynamic Trunking Protocol (DTP):
0: NONDOS attack sending DTP packet
1: NONDOS attack enabling trunking

IEEE 802.1Q:
0: NONDOS attack sending 802.1Q packet
1: NONDOS attack sending 802.1Q double enc. packet
2: DOS attack sending 802.1Q arp poisoning

VLAN Trunking Protocol (VTP):
0: NONDOS attack sending VTP packet
1: DOS attack deleting all VTP vlans
2: DOS attack deleting one vlan
3: NONDOS attack adding one vlan
4: DOS attack crashing Catalyst

IEEE 802.1X:
0: NONDOS attack sending 802.1X packet
1: NONDOS attack Mitm 802.1X with 2 interfaces

MultiProtocol Label Switching (MPLS):
0: NONDOS attack sending TCP MPLS packet
1: NONDOS attack sending TCP MPLS with double header
2: NONDOS attack sending UDP MPLS packet
3: NONDOS attack sending UDP MPLS with double header
4: NONDOS attack sending ICMP MPLS packet
5: NONDOS attack sending ICMP MPLS with double header

The GTK GUI (-G) is a GTK graphical interface with all of yersinia's powerful features and a professional 'look and feel'.

The ncurses GUI (-I) is an ncurses (or curses) based console where the user can take advantage of yersinia's powerful features.

Press 'h' to display the Help Screen and enjoy your session :)

The Network Daemon (-D) is a telnet-based server (à la Cisco mode) that listens by default on port 12000/tcp, waiting for incoming telnet connections.

It supports a CLI similar to that of a Cisco device, where the user (once authenticated) can display different settings and launch attacks without having yersinia running on her own machine (especially useful for Windows users).

- Send a Rapid Spanning-Tree BPDU with port role designated, port state agreement, learning and port id 0x3000 to eth1:

yersinia stp -attack 0 -version 2 -flags 5c -portid 3000 -interface eth1

- Start a Spanning-Tree non-DoS root claiming attack on the first non-loopback interface (keep in mind that this kind of attack will use the first BPDU seen on the network interface to fill in the BPDU fields properly):

yersinia stp -attack 4

- Start a Spanning-Tree DoS attack sending TCN BPDUs on the eth0 interface with MAC address 66:66:66:66:66:66:

yersinia stp -attack 3 -source 66:66:66:66:66:66
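
Added example (not part of the yersinia man page or its code): a minimal decoder, written from the monitoring side, for the BPDU fields listed above. It decodes the flags value 5c and port ID 3000 from the first example and reports the two conditions that BPDU guard and root guard enforce on a switch. The sample frame, the known-root value and all function names are constructed for illustration.

```python
import struct

ROLES = ("unknown", "alternate/backup", "root", "designated")

def decode_flags(flags):
    """Decode the RSTP flags octet (the value passed as -flags 5c above)."""
    return {
        "topology_change": bool(flags & 0x01),
        "proposal": bool(flags & 0x02),
        "port_role": ROLES[(flags >> 2) & 0x03],
        "learning": bool(flags & 0x10),
        "forwarding": bool(flags & 0x20),
        "agreement": bool(flags & 0x40),
        "tc_ack": bool(flags & 0x80),
    }

def parse_bpdu(payload):
    """Parse a BPDU as it appears after the LLC header (42 42 03)."""
    if len(payload) < 4:
        raise ValueError("truncated BPDU")
    proto, version, btype = struct.unpack_from("!HBB", payload)
    if proto != 0:
        raise ValueError("not a spanning-tree BPDU")
    bpdu = {"version": version, "type": btype}
    if btype == 0x80:                      # TCN BPDU carries no further fields
        return bpdu
    if len(payload) < 35:
        raise ValueError("truncated configuration BPDU")
    keys = ("flags", "root_id", "root_path_cost", "bridge_id", "port_id",
            "message_age", "max_age", "hello_time", "forward_delay")
    bpdu.update(zip(keys, struct.unpack_from("!B8sI8sHHHHH", payload, 4)))
    for timer in keys[5:]:                 # timers are sent in 1/256 s units
        bpdu[timer] /= 256
    return bpdu

def findings(bpdu, known_root, edge_port):
    """Return the reasons a received BPDU deserves an alert."""
    out = []
    if edge_port:
        out.append("BPDU received on an edge (host-facing) port")
    if "root_id" in bpdu and bpdu["root_id"] < known_root:
        out.append("root ID superior to the known root bridge")
    return out

# Constructed sample: RSTP BPDU, flags 0x5c, port ID 0x3000, root priority 0.
KNOWN_ROOT = bytes.fromhex("8000001122334455")   # assumed legitimate root
CLAIMED = bytes.fromhex("0000666666666666")
SAMPLE = struct.pack("!HBBB8sI8sHHHHHB", 0, 2, 0x02, 0x5C, CLAIMED, 0,
                     CLAIMED, 0x3000, 0, 20 * 256, 2 * 256, 15 * 256, 0)
```

Bridge IDs are compared as raw 8-byte strings (priority followed by MAC address), where the lower value wins the root election.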

The README file contains more in-depth documentation about the attacks.

Yersinia is Copyright (c)

Lots

Alfredo Andres Omella <aandreswork@hotmail.com>
David Barroso Berrueta <tomac@yersinia.net>

$Date: 2017/08/23 08:10:00 $ Yersinia v0.8