
VLAN Hopping Attack

Kept for reference

 

Secure VLAN Trunking
1. VLAN Hopping with Switch Spoofing
2. VLAN Hopping with Double Tagging

.............................................................................

VLAN Hopping with Switch Spoofing
to Gain Access to a Trunk
DTP can make switch administration easier, but it also can expose switch ports to compromise.

Explanation
A switch port is left in its default configuration (trunking mode auto). Normally, the switch port would wait to be asked by another switch in auto or on mode before becoming a trunk.
Two possibilities follow:
A well-behaved end user:
1. would not use DTP at all,
2. so the port would come up in access mode with a single access VLAN.
A malicious user:
1. might exploit the use of DTP
2. and attempt to negotiate a trunk with the switch port.
Consequence
This makes the PC appear to be another switch; in effect, the PC is spoofing a switch.

Impact
After the trunk is negotiated, the attacker has access to any VLAN that is permitted to pass over the trunk.

Solution 1
Configure every switch port to have an expected and controlled behavior:
set it to static access mode.
(config-if)# switchport mode access

Solution 2
Turn off DTP on all ports.
(config-if)# switchport nonegotiate

Either way, an end user will never be able to send any type of spoofed traffic that makes the switch port begin trunking.
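A defender usually wants to know which ports are still exposed to DTP negotiation before applying the two commands above. The following audit script is an added example, not code from the page or from Cisco: it parses IOS-style running-config text into interface blocks and flags any port that has no explicit switchport mode (the default, dynamic auto on the platform described here), that is in a dynamic mode, or that is static but lacks switchport nonegotiate. The sample running-config and its interface names are constructed for the example.

```python
# Constructed sample: a fragment of an IOS-style running-config (interface names are made up)
SAMPLE_RUNNING_CONFIG = """\
!
interface GigabitEthernet1/0/1
 description user desk, hardened per solution 1 + 2
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
!
interface GigabitEthernet1/0/2
 description left at default trunking mode
 switchport access vlan 10
!
interface GigabitEthernet1/0/3
 switchport mode dynamic desirable
!
interface GigabitEthernet1/0/4
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
!
interface GigabitEthernet1/0/24
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
"""


def parse_interfaces(config_text):
    """Split an IOS running-config into {interface name: [its indented sub-commands]}."""
    interfaces, current = {}, None
    for line in config_text.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None  # a '!' or any top-level command ends the interface block
    return interfaces


def audit_dtp(config_text):
    """Return {interface: finding} for ports that could still be talked into trunking.

    A port is compliant only if it has a static mode (access or trunk) AND
    'switchport nonegotiate', i.e. both solutions from the page are applied.
    """
    findings = {}
    for name, lines in parse_interfaces(config_text).items():
        # 'switchport mode access|trunk|dynamic ...' -> third word is the mode keyword
        mode = next((l.split()[2] for l in lines if l.startswith("switchport mode ")), None)
        nonegotiate = "switchport nonegotiate" in lines
        if mode is None:
            findings[name] = "no switchport mode: default dynamic auto, will trunk if a DTP peer asks"
        elif mode == "dynamic":
            findings[name] = "dynamic DTP mode: will negotiate a trunk with any DTP speaker"
        elif not nonegotiate:
            findings[name] = f"static {mode} but DTP not explicitly disabled: add switchport nonegotiate"
    return findings


if __name__ == "__main__":
    for port, why in sorted(audit_dtp(SAMPLE_RUNNING_CONFIG).items()):
        print(f"{port}: {why}")
```

Feed it the output of show running-config (saved to a file) to get the list of interfaces to fix; ports that already carry a static mode plus switchport nonegotiate produce no finding.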

 

.............................................................

 

VLAN Hopping with Double Tagging
An attacker positioned on one access VLAN can craft and send frames with spoofed 802.1Q tags so that the packet payloads ultimately appear on a totally different VLAN, all without the use of a router.

For the attack to succeed, all of the following conditions must exist:
1. The attacker is connected to an access switch port.
2. The same switch must have an 802.1Q trunk.
3. The trunk must have the attacker's access VLAN as its native VLAN.

VLAN Hopping Attack Process
Scenario: the attacker's access port is in VLAN 1, and the switch has a trunk whose native VLAN is 1.
1.
The attacker sends a double-tagged packet onto his local access VLAN.
attacker on vlan1 ---[vlan1][vlan20][payload]---> (access) switch A
2.
When switch A is ready to forward the packet onto the trunk,
the first tag is stripped because it is the same as the trunk's native VLAN.
switch A (trunk) ===[vlan20][payload]===> (trunk) switch B
3.
The packet is received by switch B; as the second tag is stripped,
it appears to identify the source VLAN as VLAN 20.
switch B (access) ---[payload]---> user on vlan20
4.
The packet originally from VLAN 1 is now delivered into VLAN 20.


Solution 0
Do not set the native VLAN to the same ID as any user access VLAN.

Solution 1
Configure trunk links with the following steps:
Step 1. Set the native VLAN of a trunk to a bogus or unused VLAN ID.
Step 2. Prune the native VLAN off both ends of the trunk.
Note:
Although maintenance protocols such as CDP, PAgP, and DTP normally are carried over the native VLAN of a trunk, they will not be affected if the native VLAN is pruned from the trunk.
They still will be sent and received on the native VLAN as a special case, even if the native VLAN ID is not in the list of allowed VLANs.
Example:
Suppose that an 802.1Q trunk should carry only VLANs 10 and 20. You should set the native VLAN to an unused value, such as 800. Then you should remove VLAN 800 from the trunk so that it is confined to the trunk link itself.
Switch(config)# vlan 800
Switch(config-vlan)# name bogus_native
Switch(config-vlan)# exit
Switch(config)# interface gigabitethernet 1/1
Switch(config-if)# switchport trunk encapsulation dot1q
Switch(config-if)# switchport trunk native vlan 800
Switch(config-if)# switchport trunk allowed vlan remove 800
Switch(config-if)# switchport mode trunk


Solution 2
Force all 802.1Q trunks to add tags to frames for the native VLAN, too.
Explanation:
The double-tagged VLAN hopping attack won't work because the switch won't remove the first tag with the native VLAN ID.
Steps:
1. That tag will remain on the spoofed frame as it enters the trunk.
2. At the far end of the trunk, the same tag will be examined, and the frame will stay on the original access VLAN.

To force a switch to tag the native VLAN on all its 802.1Q trunks:
(config)# vlan dot1q tag native
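The four-step attack process and the three solutions above all come down to one rule of 802.1Q trunking: a frame in the native VLAN crosses the trunk untagged, so whatever 802.1Q header is still inside the payload becomes the tag the far switch honours. The following model is an added example, not code from the page or from any switch vendor: it builds and parses stacked 802.1Q tags, offers a detection check (a frame arriving on an access port should never carry two tags), and simulates switch A's access ingress, trunk egress and switch B's trunk ingress so you can see in which VLAN the payload ends up for the unmitigated case, for a pruned bogus native VLAN (solution 1) and for vlan dot1q tag native (solution 2). The MAC addresses, VLAN numbers and allowed-VLAN sets are constructed for the example; the forwarding model is a simplification that follows the page's description.

```python
import struct

TPID_8021Q = 0x8100       # EtherType that announces an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800   # EtherType of the constructed payload


def build_frame(dst, src, vlans, payload, ethertype=ETHERTYPE_IPV4):
    """Build an Ethernet frame with zero or more stacked 802.1Q tags (constructed test input)."""
    hdr = dst + src
    for vid in vlans:
        # TCI: priority 0, DEI 0, 12-bit VLAN ID
        hdr += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)
    return hdr + struct.pack("!H", ethertype) + payload


def parse_tags(frame):
    """Return the stacked VLAN IDs found after the MAC addresses, outermost first."""
    off, vids = 12, []
    while struct.unpack_from("!H", frame, off)[0] == TPID_8021Q:
        vids.append(struct.unpack_from("!H", frame, off + 2)[0] & 0x0FFF)
        off += 4
    return vids


def pop_tag(frame):
    """Remove the outermost 802.1Q tag (4 bytes after the two MAC addresses)."""
    return frame[:12] + frame[16:]


def push_tag(frame, vid):
    """Insert an 802.1Q tag for vid as the new outermost tag."""
    return frame[:12] + struct.pack("!HH", TPID_8021Q, vid) + frame[12:]


def is_double_tagged(frame):
    """Detection check: two or more stacked tags on an access port are a hopping attempt."""
    return len(parse_tags(frame)) >= 2


def access_ingress(frame, access_vlan):
    """Switch A, step 1: the frame belongs to the port's access VLAN; a tag equal to it is consumed."""
    tags = parse_tags(frame)
    if tags and tags[0] == access_vlan:
        frame = pop_tag(frame)
    return access_vlan, frame


def trunk_egress(vlan, frame, native_vlan, allowed, tag_native):
    """Switch A, step 2: native-VLAN frames leave untagged unless 'vlan dot1q tag native' is set."""
    if vlan not in allowed:
        return None  # VLAN pruned from the trunk: frame is dropped
    if vlan == native_vlan and not tag_native:
        return frame  # any 802.1Q header left in the frame is the attacker's inner tag
    return push_tag(frame, vlan)


def trunk_ingress(frame, native_vlan):
    """Switch B, step 3: an outer tag selects the VLAN and is removed; no tag means native VLAN."""
    tags = parse_tags(frame)
    if tags:
        return tags[0], pop_tag(frame)
    return native_vlan, frame


def hop_result(frame, access_vlan, native_vlan, allowed=None, tag_native=False):
    """Return the VLAN in which the payload is finally delivered, or None if the trunk drops it."""
    if allowed is None:
        allowed = set(range(1, 4095))  # default: all VLANs allowed on the trunk
    vlan, frame = access_ingress(frame, access_vlan)
    on_wire = trunk_egress(vlan, frame, native_vlan, allowed, tag_native)
    if on_wire is None:
        return None
    vlan, _ = trunk_ingress(on_wire, native_vlan)
    return vlan


# Constructed sample frame: outer tag VLAN 1 (attacker's access VLAN), inner tag VLAN 20
DST = bytes.fromhex("ffffffffffff")
SRC = bytes.fromhex("020000000001")
SPOOFED = build_frame(DST, SRC, [1, 20], b"payload")

if __name__ == "__main__":
    print("double-tagged on access port:", is_double_tagged(SPOOFED))
    print("native 1, untagged native  ->", hop_result(SPOOFED, 1, 1))
    print("native 800, pruned (sol 1) ->", hop_result(SPOOFED, 1, 800, set(range(1, 4095)) - {800}))
    print("tag native (sol 2)         ->", hop_result(SPOOFED, 1, 1, tag_native=True))
```

In the unmitigated run the payload lands in VLAN 20; with a bogus native VLAN or with native tagging the outer tag is carried across the trunk and the frame stays in VLAN 1. The same parse_tags check can be run over frames captured on an access port as a simple detection signal.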
