Man Linux: Main Page and Category List


       Yersinia - A FrameWork for layer 2 attacks


       yersinia   [-hVGIDd]   [-l   logfile]   [-c   conffile]  protocol  [-M]


       yersinia is a framework for performing layer 2 attacks.  The  following
       protocols  have  been implemented in Yersinia current version: Spanning
       Tree Protocol (STP), VLAN Trunking Protocol (VTP), Hot  Standby  Router
       Protocol  (HSRP),  Dynamic  Trunking Protocol (DTP), IEEE 802.1Q, Cisco
       Discovery Protocol (CDP), Dynamic Host  Configuration  Protocol  (DHCP)
       and, finally, the Inter-Switch Link Protocol (ISL).

       Some  of  the  attacks implemented will cause a DoS in a network, other
       will help to perform any  other  more  advanced  attack,  or  both.  In
       addition, some of them will be first released to the public since there
       isn’t any public implementation.

       Yersinia  will   definitely   help   both   pen-testers   and   network
       administrators in their daily tasks.

       Some  of the mentioned attacks are DoS attacks, so TAKE CARE about what
       you’re doing because you can convert your network into an UNSTABLE one.

       A  lot  of  examples are given at this page EXAMPLES section, showing a
       real and useful program execution.


       -h, --help
              Help screen.

       -V, --Version
              Program version.

       -G     Start a graphical GTK session.

       -I, --interactive
              Start an interactive ncurses session.

       -D, --daemon
              Start  the  network  listener  for  remote  admin   (Cisco   CLI

       -d     Enable debug messages.

       -l logfile
              Save the current session to the file logfile. If logfile exists,
              the data will be appended at the end.

       -c conffile
              Read/write configuration variables from/to conffile.

       -M     Disable MAC spoofing.


       The following protocols are implemented in yersinia current version:

       Spanning Tree Protocol (STP and RSTP)

       Cisco Discovery Protocol (CDP)

       Hot Standby Router Protocol (HSRP)

       Dynamic Host Configuration Protocol (DHCP)

       Dynamic Trunking Protocol (DTP)

       IEEE 802.1Q

       VLAN Trunking Protocol (VTP)

       Inter-Switch Link Protocol (ISL)


       Spanning Tree Protocol  (STP):  is  a  link  management  protocol  that
       provides  path  redundancy  while  preventing  undesirable loops in the
       network. The supported options are:

       -version version
              BPDU version (0 STP, 2 RSTP, 3 MSTP)

       -type type
              BPDU type (Configuration, TCN)

       -flags flags
              BPDU Flags

       -id id BPDU ID

       -cost pathcost
              BPDU root path cost

       -rootid id
              BPDU Root ID

       -bridgeid id
              BPDU Bridge ID

       -portid id
              BPDU Port ID

       -message secs
              BPDU Message Age

       -max-age secs
              BPDU Max Age (default is 20)

       -hello secs
              BPDU Hello Time (default is 2)

       -forward secs
              BPDU Forward Delay

       -source hw_addr
              Source MAC address

       -dest hw_addr
              Destination MAC address

       -interface iface
              Set network interface to use

       -attack attack
              Attack to launch

       Cisco Discovery Protocol (CDP): is a Cisco  propietary  Protocol  which
       main  aim  is  to  let Cisco devices to communicate to each other about
       their  device  settings  and  protocol  configurations.  The  supported
       options are:

       -source hw_addr
              MAC Source Address

       -dest hw_addr
              MAC Destination Address

       -v version
              CDP Version

       -ttl ttl
              Time To Live

       -devid id
              Device ID

       -address address
              Device Address

       -port id
              Device Port

       -capability cap
              Device Capabilities

       -version version
              Device IOS Version

       -duplex 0|1
              Device Duplex Configuration

       -platform platform
              Device Platform

       -ipprefix ip
              Device IP Prefix

       -phello hello
              Device Protocol Hello

       -mtu mtu
              Device MTU

       -vtp_mgm_dom domain
              Device VTP Management Domain

       -native_vlan vlan
              Device Native VLAN

       -voip_vlan_r req
              Device VoIP VLAN Reply

       -voip_vlan_q query
              Device VoIP VLAN Query

       -t_bitmap bitmap
              Device Trust Bitmap

       -untrust_cos cos
              Device Untrusted CoS

       -system_name name
              Device System Name

       -system_oid oid
              Device System ObjectID

       -mgm_address address
              Device Management Address

       -location location
              Device Location

       -attack attack
              Attack to launch

       Hot Standby Router Protocol (HSRP):

       Inter-Switch Link Protocol (ISL):

       VLAN Trunking Protocol (VTP):

       Dynamic Host Configuration Protocol (DHCP):

       IEEE 802.1Q:

       Dynamic Trunking Protocol (DTP):


       Attacks Implemented in STP:

           0: NONDOS attack sending conf BPDU

           1: NONDOS attack sending tcn BPDU

           2: DOS attack sending conf BPDUs

           3: DOS attack sending tcn BPDUs

           4: NONDOS attack Claiming Root Role

           5: NONDOS attack Claiming Other Role

           6: DOS attack Claiming Root Role with MiTM

       Attacks Implemented in CDP:

           0: NONDOS attack sending CDP packet

           1: DOS attack flooding CDP table

           2: NONDOS attack Setting up a virtual device

       Attacks Implemented in HSRP:

           0: NONDOS attack sending raw HSRP packet

           1: NONDOS attack becoming ACTIVE router

           2: NONDOS attack becoming ACTIVE router (MITM)

       Attacks Implemented in DHCP:

           0: NONDOS attack sending RAW packet

           1: DOS attack sending DISCOVER packet

           2: NONDOS attack creating DHCP rogue server

           3: DOS attack sending RELEASE packet

       Attacks Implemented in DTP:

           0: NONDOS attack sending DTP packet

           1: NONDOS attack enabling trunking

       Attacks Implemented in 802.1Q:

           0: NONDOS attack sending 802.1Q packet

           1: NONDOS attack sending 802.1Q double enc. packet

           2: DOS attack sending 802.1Q arp poisoning

       Attacks Implemented in VTP:

           0: NONDOS attack sending VTP packet

           1: DOS attack deleting all VTP vlans

           2: DOS attack deleting one vlan

           3: NONDOS attack adding one vlan

           4: DOS attack Catalyst zero day

       Attacks Implemented in ISL:

           None at the moment


       The GTK GUI (-G) is a GTK graphical interface with all of the  yersinia
       powerful features and a professional ’look and feel’.


       The  ncurses  GUI (-I) is a ncurses (or curses) based console where the
       user can take advantage of yersinia powerful features.

       Press h to display the Help Screen and enjoy your session :)


       The Network Daemon (-D) is a telnet based server (ala Cisco mode)  that
       listens  by  default  in  port  12000/tcp  waiting  for incoming telnet

       It supports a CLI similar to  a  Cisco  device  where  the  user  (once
       authenticated)  can  display  different settings and can launch attacks
       without having yersinia running in her own  machine  (specially  useful
       for Windows users).


       - Send a Rapid Spanning-Tree BPDU with port role designated, port state
       agreement, learning and port id 0x3000 to eth1:

       yersinia stp -attack 0 -version 2 -flags  5c  -portid  3000  -interface

       -  Start  a  Spanning-Tree  nonDoS  root  claiming  attack in the first
       nonloopback interface (keep in mind that this kind of attack  will  use
       the  first  BPDU  on  the  network interface to fill in the BPDU fields

       yersinia stp -attack 4

       - Start a Spanning-Tree DoS  attack  sending  TCN  BPDUs  in  the  eth0
       interface with MAC address 66:66:66:66:66:66:

       yersinia stp -attack 3 -source 66:66:66:66:66:66


       The README file contains more in-depth documentation about the attacks.


       Yersinia is Copyright (c)




       Alfredo Andres Omella <>
       David Barroso Berrueta <>