
Ettercap (Part 1), STP and Cisco switches

posted Oct 17, 2013, 11:48 AM by Marc Kerscher   [ updated Oct 18, 2013, 11:30 AM ]
I'm currently studying for the GIAC Security Essentials (GSEC) certification. Along with reading any materials that I can find, I also plan to explore the tools that are referenced and see how Cisco switches can deal with them. First off, here is my lab environment:

I'm using the Ubuntu 12.04 LTS server to run ettercap, which I had no problems installing via apt-get. To run ettercap ARP poison (more on that in another post) against the first WinXP box I use the following command:

ettercap -T -w dump -M ARP / //

As I mentioned, I will get into ARP poison later on in a different article; initially I want to focus on the stp_mangler plugin. Enabling this feature will have the Linux box acting as root bridge with a priority of 0:


Probably not something I would like to have happen on my network. The VMware ports connecting to the 3560 switch are all configured as station ports on VLAN 10:

interface FastEthernet0/11
 switchport access vlan 10
 switchport mode access
 load-interval 30
 spanning-tree portfast

The easiest approach would be to enable portfast bpduguard globally on the switch. (Make sure that none of the switch-to-switch connections are running spanning-tree portfast, which they should not be.) The command is:

spanning-tree portfast bpduguard default

Note that enabling bpduguard does not automatically shut down the port, much to my surprise. However, a shut/no shut does the magic:

Now the port is err-disabled. As shown above, a shut/no shut will re-enable the port. You can also adjust the errdisable setting for the switch to re-enable the port automatically.
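
An added example, not part of the original post: a small Python audit that reads an IOS-style running-config and reports access ports where BPDU guard is not in effect, plus trunks carrying PortFast, which the caveat above about switch-to-switch links is meant to prevent. The sample config is constructed (only the Fa0/11 stanza mirrors the post), the function and constant names are hypothetical, and the check looks only at per-interface portfast lines, not at a global portfast default.

```python
import re

# Constructed sample: Fa0/11 mirrors the post's port; Fa0/12 and Gi0/1 are invented.
SAMPLE_CONFIG = """\
interface FastEthernet0/11
 switchport access vlan 10
 switchport mode access
 load-interval 30
 spanning-tree portfast
!
interface FastEthernet0/12
 switchport access vlan 10
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard disable
!
interface GigabitEthernet0/1
 switchport mode trunk
 spanning-tree portfast trunk
!
"""
GLOBAL_GUARD = "spanning-tree portfast bpduguard default"

def audit(config):
    """Return sorted (interface, finding) pairs for BPDU guard gaps."""
    lines = [ln.rstrip() for ln in config.splitlines()]
    global_guard = GLOBAL_GUARD in lines          # global commands are unindented
    stanzas, current = {}, None
    for ln in lines:
        m = re.match(r"interface (\S+)$", ln)
        if m:
            current = stanzas.setdefault(m.group(1), [])
        elif ln.startswith(" ") and current is not None:
            current.append(ln.strip())            # indented line belongs to the stanza
        else:
            current = None                        # "!" or a global line ends the stanza
    findings = []
    for name, body in stanzas.items():
        portfast = any(b in ("spanning-tree portfast", "spanning-tree portfast trunk") for b in body)
        if "switchport mode trunk" in body and portfast:
            findings.append((name, "PortFast on a trunk: confirm it is not a switch-to-switch link"))
        # A per-port "disable" overrides the global default; "enable" works without PortFast.
        guarded = "spanning-tree bpduguard disable" not in body and (
            "spanning-tree bpduguard enable" in body or (global_guard and portfast))
        if "switchport mode access" in body and not guarded:
            findings.append((name, "access port accepts BPDUs: no BPDU guard in effect"))
    return sorted(findings)

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG), audit(GLOBAL_GUARD + "\n!\n" + SAMPLE_CONFIG), sep="\n")
```

Run against the sample, the first result flags both access ports; once the global command is prepended, Fa0/11 clears while Fa0/12 stays flagged because of its per-port override.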

Copyright Kerscher Computing LLC 2013