STP mitm attack idea
Views: 2438
Published: 2019-05-10


In many white papers about attacks on the Spanning Tree Protocol I found a MITM attack that uses two STP switches and one station with two Ethernet NICs.

That attack is in most cases useless because:
- we need physical access to two switches (not one)
- the station needs two NICs
Two NICs are easy to get, but access to two switches in, say, one office is almost impossible.
My modification of this attack needs:
- two stations to attack by MITM (A and B)
- two or more switches running STP
- two attacking stations (C and D), each connected to a different switch on the path between the attacked stations

A ---- switch 1 ----- switch 2 ----- B

         |              |
         |              |
         C              D

Take the first scenario:

1. A sends a frame to B
2. Switch 1 accepts the frame and forwards it to switch 2
3. Switch 2 accepts the frame via the link from switch 1 and forwards it to B

Second scenario:

1. Stations C and D start sending frames to break the link between switch 1 and switch 2, announce a non-existent connection, and switch the path to run from the C port on switch 1 to the D port on switch 2

A ---- switch 1 --X-- switch 2 ----- B

         |              |
         |              |
         C  --no conn-- D
2. Station A sends a frame to B
3. The frame is forwarded to station C
4. Station C stores the frame in memory
5. After a fixed interval, stations C and D repair the link between switches 1 and 2
6. Station C resends the stored packet to station D (e.g. through a tunnel, or encapsulated in an IP packet)
7. Stations C and D break the link between switches 1 and 2 again
8. Station D sends the forwarded packet to station B
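
What a monitoring point on switch 1 or switch 2 would see during this scenario, as an added example that is not part of the original post: every break and repair of the inter-switch link shows up as a topology-change BPDU, and the frames C and D inject arrive on ports where no bridge should be speaking. The script parses constructed 802.1D BPDU bytes and raises the alerts that BPDU guard, root guard and topology-change logging correspond to; the port names, MAC addresses and expected root ID are assumed sample values.

```python
import struct
from dataclasses import dataclass
from typing import Optional
CONFIG_BPDU, TCN_BPDU = 0x00, 0x80  # 802.1D BPDU types (payload after LLC 42 42 03)

@dataclass
class Bpdu:
    bpdu_type: int
    topology_change: bool
    root_id: Optional[str] = None    # "priority/mac" of the claimed root bridge
    bridge_id: Optional[str] = None  # "priority/mac" of the sending bridge

def parse_bpdu(payload: bytes) -> Bpdu:
    """Parse a configuration or TCN BPDU; raise ValueError if it is not STP."""
    proto_id, _version, bpdu_type = struct.unpack(">HBB", payload[:4])
    if proto_id != 0:
        raise ValueError("not an STP BPDU")
    if bpdu_type == TCN_BPDU:  # a TCN BPDU is only the 4-byte header
        return Bpdu(TCN_BPDU, True)
    # flags, root ID (prio + MAC), path cost, bridge ID (prio + MAC); timers ignored
    flags, rp, rmac, _cost, bp, bmac = struct.unpack(">BH6sIH6s", payload[4:25])
    ident = lambda prio, mac: f"{prio:#06x}/{mac.hex(':')}"
    return Bpdu(bpdu_type, bool(flags & 0x01), ident(rp, rmac), ident(bp, bmac))

def check_bpdu(port: str, bpdu: Bpdu, edge_ports, expected_root: str) -> list:
    """Alerts a monitor would raise; mirrors BPDU guard, root guard and TC logging."""
    alerts = []
    if port in edge_ports:
        alerts.append(f"{port}: BPDU on edge port (BPDU guard would err-disable it)")
    if bpdu.topology_change:
        alerts.append(f"{port}: topology change signalled")
    if bpdu.root_id is not None and bpdu.root_id != expected_root:
        alerts.append(f"{port}: unexpected root claimed {bpdu.root_id} (root guard)")
    return alerts

# Constructed sample observations (ingress port, STP payload); not real captures.
SAMPLES = [
    ("Gi0/24", bytes.fromhex("0000 00 00 00 8000 020000000001 00000000"
                             "8000 020000000001 8001 0000 1400 0200 0f00")),  # real root
    ("Gi0/24", bytes.fromhex("0000 00 80")),                                  # TCN
    ("Gi0/5", bytes.fromhex("0000 00 00 00 0000 0200000000ee 00000000"
                            "0000 0200000000ee 8001 0000 1400 0200 0f00")),   # from a host
]

def scan(samples=SAMPLES, edge_ports=frozenset({"Gi0/5"}),
         expected_root="0x8000/02:00:00:00:00:01") -> list:
    out = []  # run every observation through the parser and collect alert strings
    for port, payload in samples:
        out.extend(check_bpdu(port, parse_bpdu(payload), edge_ports, expected_root))
    return out
```

On a real switch the same three conditions are what `bpduguard`, `root guard` and topology-change syslog messages report, so an alert burst of this shape on access ports is the signal to look for.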

Advantages

- no need for one station with two links to two switches
- needs two stations, compromised or not (in a large multi-switch environment with many stations we can sometimes find, for example, two compromised Windows or Linux hosts)
- with good timing and a packet detection method we can separate one protocol connection from the whole traffic

Disadvantages of the method.

- stops all traffic between the switches, and needs delicate timing
- while the link between switch 1 and 2 is working we can't see the frames flying across the wire

Additional information.

- the timing question, i.e. the retransmission time between TCP segments versus the time needed to break and repair the link: is it possible to do it before the frame is retransmitted?

Uh, that's all. Please think about whether it is possible, because my programming skills are too low to make it work.

Reposted from: http://uoqmb.baihongyu.com/
