ATTACKING CDP

A Sneaky CDP Attack

We are going to spoof nonexisting devices to get some interesting results. It is an opportunistic attack, but not a well-known one, and in specific conditions it can easily catch a network administrator unprepared.

Two targets may fall to CDP spoofing. The first and probably the main one is centralized management software. Well-known commercial high-end software suites that rely on CDP for Cisco hosts discovery include IBM Tivoli and CiscoWorks. If you send fake CDP frames claiming the presence of a new Cisco device on the network, management software will try to communicate with it via SNMP, giving you a chance to capture the SNMP community name used. This is likely to be a community used for other Cisco devices on the network and may lead to their successful exploitation. In addition, you can use CDP spoofing for pranks and in order to distract the network administrator's attention. Imagine his or her reaction when an unknown Cisco 12000 series gigabit switch-router (GSR) appears on the LAN! But the main reason is, of course, for getting the community name . There could be cases when SNMP on the network is configured for "no polling, traps only." Under such configuration, sniffing the network for SNMP communities will fail. However, by introducing a "new device" into the mix, an attacker will trigger a necessary initial polling and get the highly desirable string (or strings).

The second target is Cisco IP phones. When a Cisco phone is turned on, mute, headset, and speaker phone indicators light up. Then the phone and a switch to which it is connected start exchanging CDP data to learn about each other. The switch employs CDP to tell the phone which particular VLAN is going to be used for voice traffic. Setting separate VLANs for voice and data traffic is a common practice a sensible network administrator should follow. During this process, the phone should display "Configuring VLAN." When the phone knows which specific VLAN to use, it will apply appropriate 802.1q tags and ask for an IP address from a local DHCP server. At this stage, the phone should display "Configuring IP." The DHCP server will offer not only the IP address, but also an address of the TFTP server where the phone configuration file is stored and from which it is going to be pulled.

We guess you have already sensed a possibility for a spoofing attack. You can inject CDP frames to tell the phones which VLAN to connect to (presumably the one on which you have a host under control). An attack host will have a rogue DHCP server to supply the phone an IP address of your choice and direct it to a rogue TFTP server, so that an attacker-supplied configuration file would be picked up instead of a legitimate one. At any stage, this attack can be turned into DoS, but taking over the phone is more fun, right? The main difference between this and the previous attack against centralized management software is that we do not create a fake CDP device but claim that our frames come from a switch itself, entering a race condition with the switch to supply the phone an incorrect VLAN assignment. Thus, it is, essentially , yet another VLAN hopping (or shifting) attack. Other IP phones, such as those manufactured by Nortel and Avaya, are just as vulnerable to these type of attacks. But since they don't use CDP, you will have to spoof DHCP instead, perhaps using the DHCP mode of Yersinia.

How do we spoof CDP frames in practice? Two main tools can be used for generating custom fake CDP frames. Historically, the first is the cdp utility from FX Irpas (Internetwork Routing Protocol Attack Suite):

 arhontus / # ./cdp ./cdp [-v] -i <interface> -m {0,1} ... Flood mode (-m 0): -n <number> number of packets -l <number> length of the device id -c <char> character to fill in device id -r randomize device id string Spoof mode (-m 1): -D <string> Device id -P <string> Port id -L <string> Platform -S <string> Software -F <string> IP address -C <capabilities>        these are:        R - Router, T - Trans Bridge, B - Source Route Bridge        S - Switch, H - Host, I - IGMP, r - Repeater arhontus / #./cdp -v -i eth1 -m 1 -D 'Router66' -P 'FastEthernet0/1' -C RI \ -L 'Cisco' -S 'IOS 12.2.6' -F '192.168.1.9' 

The second tool is Yersinia in CDP mode (press F3). The Yersinia attack necessary to set a virtual CDP device is fully automated and comes as third on the list when you press x in the ncurses GUI. Don't forget to set all your CDP frames parameters by pressing e and entering the needed values. For the attack against IP phones, save the legitimate frames used by the switch to communicate with the phones (press s , L ), edit them to replace the VLAN number (press e ), and replay them back to the network. To win the race, you can try to use a CDP table flood (attack 1) or send the frames manually, one by one (attack 0). Of course, you can send CDP frames from both local command line and client/server Yersinia modes, but in this case we recommend using the ncurses' GUI since it allows frame capturing, editing, and resending.

Countermeasures Against CDP Spoofing Attacks

To monitor CDP changes from Windows environments, we recommend downloading and installing CDP Monitor from http://www.tallsoft.com/cdpmonitor_setup.exe. This little useful program will detect CDP changes on the network and notify you by popping up a message box and issuing a warning sound. It can also send a warning e-mail to a predefined address and run a custom program upon the change detection. Since sending custom CDP frames from CDP Monitor is possible, it can also be useful in CDP spoofing attacks from Windows; however, we have used only Irpas and Yersinia in our tests.