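/* vtp.h
 * Definitions for Cisco's VLAN Trunking Protocol
 *
 * Yersinia
 * By David Barroso <tomac@yersinia.net> and Alfredo Andres <aandreswork@hotmail.com>
 * Copyright 2005-2017 Alfredo Andres and David Barroso
 *
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public License
 * as published by the Free Software Foundation; either version 2
 * of the License, or (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.
 */

/*
 * Layout note: every preprocessor directive below starts its own line and
 * every declaration is on its own line.  A '#define' or '#include' that
 * appears in the middle of a line is not a directive, so the header cannot
 * be compiled when its lines are run together.
 */

#ifndef __VTP_H__
#define __VTP_H__

#include <libnet.h>

#include "terminal-defs.h"
#include "interfaces.h"

/* Values of the 'code' byte carried in every VTP message structure below. */
#define VTP_SUMM_ADVERT    0x01
#define VTP_SUBSET_ADVERT  0x02
#define VTP_REQUEST        0x03
#define VTP_JOIN           0x04

/*
 * Code -> label table, terminated by a { 0, NULL } row.
 * struct tuple_type_desc is declared elsewhere (presumably terminal-defs.h).
 * Being 'static' in a header, each including translation unit gets its own copy.
 */
static const struct tuple_type_desc vtp_code[] = {
    { VTP_SUMM_ADVERT,   "SUMMARY" },
    { VTP_SUBSET_ADVERT, "SUBSET" },
    { VTP_REQUEST,       "REQUEST" },
    { VTP_JOIN,          "JOIN" },
    { 0, NULL }
};


/* Values of the 'type' byte of a VLAN record (struct vlan_info). */
#define VLAN_TYPE_ETHERNET 0x01
#define VLAN_TYPE_FDDI     0x02
#define VLAN_TYPE_TRCRF    0x03
#define VLAN_TYPE_FDDI_NET 0x04
#define VLAN_TYPE_TRBRF    0x05

/* VLAN type -> label table, terminated by a { 0, NULL } row. */
static const struct tuple_type_desc vlan_type[] = {
    { VLAN_TYPE_ETHERNET, "Ethernet" },
    { VLAN_TYPE_FDDI,     "FDDI" },
    { VLAN_TYPE_TRCRF,    "TRCRF" },
    { VLAN_TYPE_FDDI_NET, "FDDI-NET" },
    { VLAN_TYPE_TRBRF,    "TRBRF" },
    { 0, NULL }
};



/* Default values */
#define VTP_DFL_VERSION 0x01
/* Eight NUL bytes; VTP_DFL_DOM_LEN below is the matching length. */
#define VTP_DFL_DOMAIN  "\x0\x0\x0\x0\x0\x0\x0\x0"
#define VTP_DFL_DOM_LEN 0x08
#define VTP_DFL_CODE    VTP_REQUEST

/* Array bounds used by the structures below. */
#define VTP_TIMESTAMP_SIZE 12
#define VTP_DOMAIN_SIZE    32

#define VLAN_MAX        64
#define VLAN_NAME_SIZE  32
/* Rounds x up to the next multiple of 4 (x is evaluated once). */
#define VLAN_ALIGNED_LEN(x) (4*(((x)+3)/4) )

/* presumably the base from which a VLAN's 'dot10' value is derived -- confirm in vtp.c */
#define VTP_DOT10_BASE 0x100000

/* Operation selectors; presumably the u_int8_t argument of vtp_modify_vlan() -- confirm */
#define VTP_VLAN_ADD     0x00
#define VTP_VLAN_DEL     0x01
#define VTP_VLAN_DEL_ALL 0x02

/*
 * Feature list for this protocol, terminated by a { -1, 0 } row.
 * struct proto_features and F_LLC_CISCO are defined elsewhere;
 * 0x2003 is presumably the Cisco SNAP protocol id for VTP -- confirm.
 */
static struct proto_features vtp_features[] = {
    { F_LLC_CISCO, 0x2003 },
    { -1, 0 }
};




/* VLAN fields kept for display; name[] has one byte more than VLAN_NAME_SIZE. */
struct vlan_info_print {
    u_int8_t  type;
    u_int16_t id;
    u_int32_t dot10;
    u_int8_t  name[VLAN_NAME_SIZE+1];
};

/*
 * Fixed-size head of a VLAN record (12 bytes of members, no internal padding
 * with natural alignment).  Presumably overlaid on packet bytes -- confirm.
 * NOTE(review): 'len' and 'name_len' are 8-bit fields that can hold values
 * larger than the remaining buffer or VLAN_NAME_SIZE (32); code that walks
 * records or copies a name must bound both before use.
 */
struct vlan_info {
    u_int8_t  len;
    u_int8_t  status;
    u_int8_t  type;
    u_int8_t  name_len;
    u_int16_t id;
    u_int16_t mtu;
    u_int32_t dot10;
};

/*
 * Message with code VTP_SUMM_ADVERT (layout presumably mirrors the wire format).
 * NOTE(review): dom_len is an 8-bit field (0-255) while domain[] holds
 * VTP_DOMAIN_SIZE (32) bytes.  Any code that copies dom_len bytes out of a
 * received message must clamp it to VTP_DOMAIN_SIZE first.  The same applies
 * to vtp_subset, vtp_request and vtp_join below.
 */
struct vtp_summary {
    u_int8_t  version;
    u_int8_t  code;
    u_int8_t  followers;
    u_int8_t  dom_len;
    u_int8_t  domain[VTP_DOMAIN_SIZE];
    u_int32_t revision;
    u_int32_t updater;
    u_int8_t  timestamp[VTP_TIMESTAMP_SIZE];
    u_int8_t  md5[16];
};

/* Message with code VTP_SUBSET_ADVERT; VLAN records presumably follow it -- confirm. */
struct vtp_subset {
    u_int8_t  version;
    u_int8_t  code;
    u_int8_t  seq;
    u_int8_t  dom_len;
    u_int8_t  domain[VTP_DOMAIN_SIZE];
    u_int32_t revision;
};

/* Message with code VTP_REQUEST. */
struct vtp_request {
    u_int8_t  version;
    u_int8_t  code;
    u_int8_t  reserved;
    u_int8_t  dom_len;
    u_int8_t  domain[VTP_DOMAIN_SIZE];
    u_int16_t start_val;
};

/*
 * Message with code VTP_JOIN.
 * NOTE(review): the members add up to 166 bytes; where u_int32_t is 4-byte
 * aligned the compiler rounds sizeof(struct vtp_join) up to 168.  Code that
 * uses sizeof as an on-wire length should account for that.
 */
struct vtp_join {
    u_int8_t  version;
    u_int8_t  code;
    u_int8_t  maybe_reserved;
    u_int8_t  dom_len;
    u_int8_t  domain[VTP_DOMAIN_SIZE];
    u_int32_t vlan;
    u_int8_t  unknown[126];
};


/* VTP mode stuff */
/*
 * Working copy of the field values for one VTP session (vtp_register() in
 * vtp.c presumably passes its size to the core -- confirm).
 * domain[] and timestamp[] are one byte larger than the wire fields,
 * presumably for a terminating NUL.
 * vlan_info points at vlans_len bytes of VLAN records; who allocates and
 * frees it is not visible in this header.
 */
struct vtp_data {
    u_int8_t  mac_source[ETHER_ADDR_LEN];
    u_int8_t  mac_dest[ETHER_ADDR_LEN];
    u_int8_t  version;
    u_int8_t  code;
    u_int8_t  followers;
    u_int8_t  seq;
    char      domain[VTP_DOMAIN_SIZE+1];
    u_int8_t  dom_len;
    u_int16_t start_val;
    u_int32_t revision;
    u_int32_t updater;
    u_int8_t  timestamp[VTP_TIMESTAMP_SIZE+1];
    u_int8_t  md5[16];
    u_int16_t vlans_len;
    u_int8_t  *vlan_info;
    u_int8_t  options[MAX_TLV*MAX_VALUE_LENGTH];
    u_int16_t options_len;
};


/* Field identifiers used as the first member of each vtp_comm_params[] row.
 * Values 12 and 13 are not assigned. */
#define VTP_SMAC        0
#define VTP_DMAC        1
#define VTP_VERSION     2
#define VTP_CODE        3
#define VTP_DOMAIN      4
#define VTP_MD5         5
#define VTP_UPDATER     6
#define VTP_REVISION    7
#define VTP_TIMESTAMP   8
#define VTP_STARTVAL    9
#define VTP_FOLLOWERS  10
#define VTP_SEQ        11
#define VTP_VLAN       14

/* Struct needed for using protocol fields within the network client */
/*
 * The column layout of struct commands_param is declared elsewhere.
 * NOTE(review): unlike the other tables in this header this array is not
 * 'static', so it is a definition with external linkage; including vtp.h
 * from more than one translation unit would define it twice.  Left as is
 * because other files may refer to the symbol.
 */
struct commands_param vtp_comm_params[] = {
    { VTP_SMAC, "source", "Source MAC", 6, FIELD_MAC, "Set source MAC address",
                                        " H:H:H:H:H:H 48 bit mac address", 17, 1, 0, NULL, NULL },
    { VTP_DMAC, "dest", "Destination MAC", 6, FIELD_MAC, "Set destination MAC address",
                                        " H:H:H:H:H:H 48 bit mac address", 17, 1, 0, NULL, NULL },
    { VTP_VERSION, "version", "Version", 1, FIELD_HEX, "Set vtp version",
                                        " <00-FF> virtual trunking version", 2, 2, 0, NULL, NULL },
    { VTP_CODE, "code", "Code", 1, FIELD_HEX, "Set vtp code",
                                        " <00-FF> virtual trunking code", 2, 2, 1, NULL, vtp_code },
    { VTP_DOMAIN, "domain", "Domain", VTP_DOMAIN_SIZE, FIELD_STR, "Set vtp domain name to use",
                                        " WORD Domain name", VTP_DOMAIN_SIZE, 2, 1, NULL, NULL },
    { VTP_MD5, "md5", "MD5", 16, FIELD_BYTES, "Set vtp md5 hash",
                                        " HHHHH... MD5 hash", 32, 3, 1, NULL, NULL },
    { VTP_UPDATER, "updater", "Updater", 4, FIELD_IP, "Set updater IP address",
                                        " A.A.A.A IPv4 address", 15, 3, 0, NULL, NULL },
    { VTP_REVISION, "revision", "Revision", 4, FIELD_DEC, "Set vtp revision number",
                                        " <0-1999999999> Revision number", 10, 4, 0, NULL, NULL },
    { VTP_TIMESTAMP, "timestamp", "Timestamp", VTP_TIMESTAMP_SIZE, FIELD_STR, "Set vtp timestamp",
                                        " WORD Timestamp text", VTP_TIMESTAMP_SIZE, 4, 0, NULL, NULL },
    { VTP_STARTVAL, "startval", "Start value", 2, FIELD_DEC, "Set vtp start value",
                                        " <0-65535> Start value", 5, 4, 0, NULL, NULL },
    { VTP_FOLLOWERS, "followers", "Followers", 1, FIELD_DEC, "Set vtp followers",
                                        " <0-255> Followers number", 3, 5, 0, NULL, NULL },
    { VTP_SEQ, "sequence", "Sequence", 1, FIELD_DEC, "Set vtp sequence number",
                                        " <0-255> Sequence number", 3, 5, 0, NULL, NULL },
    { 0, "defaults", NULL, 0, FIELD_DEFAULT, "Set all values to default",
                                        " <cr>", 0, 0, 0, NULL, NULL },
    { 0, "interface", NULL, IFNAMSIZ, FIELD_IFACE, "Set network interface to use",
                                        " WORD Network interface", IFNAMSIZ, 0, 0, NULL, NULL },
    { VTP_VLAN, "vlan", "VLAN", 0, FIELD_EXTRA, "", "", 0, 0, 0, NULL, NULL}
};


/* Thread entry points referenced by vtp_attack[] below, each followed by its
 * matching *_exit routine. */
void vtp_th_send(void *);
void vtp_th_send_exit(struct attacks *);
void vtp_th_dos_del_all(void *);
void vtp_th_dos_del_all_exit(struct attacks *);
void vtp_th_dos_del(void *);
void vtp_th_dos_del_exit(struct attacks *);
void vtp_th_dos_add(void *);
void vtp_th_dos_add_exit(struct attacks *);
void vtp_th_dos_crash(void *);
void vtp_th_dos_crash_exit(struct attacks *);

/* presumably indexes into the parameter arrays below -- confirm against vtp.c */
#define VTP_PARAM_VLAN_ID    0
#define VTP_PARAM_VLAN_NAME  1

/* Parameters requested for VTP_ATTACK_ADD: a VLAN id and a VLAN name. */
static struct attack_param vtp_vlan_add_param[] = {
    { NULL, "VLAN ID", 2, FIELD_DEC, 4, NULL },
    { NULL, "VLAN Name", VLAN_NAME_SIZE, FIELD_STR, VLAN_NAME_SIZE, NULL }
};

/* Parameters requested for VTP_ATTACK_DEL: a VLAN id. */
static struct attack_param vtp_vlan_del_param[] = {
    { NULL, "VLAN ID", 2, FIELD_DEC, 4, NULL }
};

/* Identifiers of the rows of vtp_attack[]. */
#define VTP_ATTACK_SEND     0
#define VTP_ATTACK_DEL_ALL  1
#define VTP_ATTACK_DEL      2
#define VTP_ATTACK_ADD      3
#define VTP_ATTACK_CRASH    4


/*
 * Table of this module's actions, terminated by an all-zero row.  Each row
 * gives an id, a label, the DOS/NONDOS and SINGLE flags (defined elsewhere),
 * the thread entry point, and an optional parameter array with its element
 * count.
 * NOTE(review): VTP_ATTACK_ADD is flagged NONDOS although its entry point is
 * named vtp_th_dos_add; confirm which of the two is intended.
 */
static struct _attack_definition vtp_attack[] = {
    { VTP_ATTACK_SEND, "sending VTP packet", NONDOS, SINGLE, vtp_th_send, NULL, 0 },
    { VTP_ATTACK_DEL_ALL,"deleting all VTP vlans", DOS, SINGLE, vtp_th_dos_del_all, NULL, 0 },
    { VTP_ATTACK_DEL, "deleting one vlan", DOS, SINGLE, vtp_th_dos_del, vtp_vlan_del_param,
                SIZE_ARRAY(vtp_vlan_del_param) },
    { VTP_ATTACK_ADD, "adding one vlan", NONDOS, SINGLE, vtp_th_dos_add, vtp_vlan_add_param,
                SIZE_ARRAY(vtp_vlan_add_param) },
    { VTP_ATTACK_CRASH, "Catalyst zero day", DOS, SINGLE, vtp_th_dos_crash, NULL, 0 },
    { 0, NULL, 0, 0, NULL, NULL, 0 }
};



/*
 * Module interface implemented in vtp.c.
 * NOTE(review): most parameters are unnamed; vtp_generate_md5() in particular
 * takes nine arguments, several of the same type, so naming them here would
 * make argument-order mistakes easier to spot.
 */
void   vtp_register(void);
int8_t vtp_send(struct attacks *);
int8_t vtp_init_attribs(struct term_node *);
int8_t vtp_learn_packet(struct attacks *attacks, char *, u_int8_t *, void *, struct pcap_pkthdr *);
char **vtp_get_printable_packet(struct pcap_data *);
char **vtp_get_printable_store(struct term_node *);
int8_t vtp_load_values(struct pcap_data *, void *);
int8_t vtp_update_field(int8_t, struct term_node *, void *);
int8_t vtp_generate_md5(char *, u_int32_t, u_int32_t, char *, u_int8_t, u_int8_t *, u_int16_t, u_int8_t *, u_int8_t);
int8_t vtp_del_vlan(u_int16_t, u_int8_t *, u_int16_t *);
void   vtp_modify_vlan(u_int8_t, struct attacks *);
int8_t vtp_add_vlan(u_int16_t, char *, u_int8_t **, u_int16_t *);
int8_t vtp_init_comms_struct(struct term_node *);
int8_t vtp_end(struct term_node *);

/*
 * Symbols defined in other modules.
 * NOTE(review): these are re-declared by hand rather than taken from the
 * owning headers, so a signature change there will not be caught here at
 * compile time.
 */
extern void   thread_libnet_error( char *, libnet_t *);
extern int8_t thread_create( THREAD *, void *, void *);
/* NOTE(review): msg looks like a printf-style format -- confirm callers never
 * pass packet-derived text (for example a received domain name) as msg itself. */
extern void   write_log( u_int16_t mode, char *msg, ... );
extern int8_t attack_th_exit(struct attacks *);
extern void   attack_gen_mac(u_int8_t *);
extern struct interface_data *interfaces_get_packet(list_t *, struct interface_data *, u_int8_t *, struct pcap_pkthdr *, u_int8_t *, u_int16_t, time_t);
extern int8_t parser_vrfy_mac(char *, u_int8_t *);
extern int8_t parser_get_inet_aton(char *, struct in_addr *);
extern int8_t parser_get_formated_inet_address(u_int32_t, char *, u_int16_t);
extern void   md5_sum(const u_char *, size_t, u_char *);

extern int8_t parser_command2index(register const struct _attack_definition *, register int8_t);
extern struct terminals *terms;

extern int8_t bin_data[];

#endif

/* vim:set tabstop=4:set expandtab:set shiftwidth=4:set textwidth=120: */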