Network sniffing on switched networks: spoofing the switch cache

Source: Internet
Author: User

Sniffing refers to eavesdropping on packets flowing through the network. These packets usually contain a lot of important private information, such as which website you are visiting, what your email password is, which girl you are chatting with on QQ, and so on. Many attack methods (such as the famous session hijacking) are based on sniffing. Next, let's take a look at one way of sniffing on a switched network: spoofing the switch cache.

Cncert's well-known session hijacking tool, SSCLONE, uses this method for sniffing, and its website also has a dedicated article describing the "spoofing switch cache" sniffing method (see references). Let me explain the principle here.

A CAM table in the switch records the MAC-port information (the MAC address of the machine attached to each port). The MAC information is learned from the packets the switch forwards. The so-called spoofing of the switch cache means modifying this CAM table to fool the switch! For example, take a 4-port switch whose CAM table is as follows:

Port1 -- 11-11-11-11-11-11
Port2 -- 22-22-22-22-22-22
Port3 -- 33-33-33-33-33-33
Port4 -- 44-44-44-44-44-44

Now, machine A on port1 (IP address: 192.168.1.11, MAC address: 11-11-11-11-11-11) wants to sniff machine B on port2 (IP address: 192.168.1.22, MAC address: 22-22-22-22-22-22). What should it do? Haha ~ The process is as follows:

Machine A sends out a data packet as follows:

SrcIP: 192.168.1.11, SrcMac: 22-22-22-22-22-22

DstIP: xxx.xxx (arbitrary), DstMac: xx-xx (arbitrary)

At this point the switch receives the packet and finds that, in the original CAM table, the MAC address of the machine on port1 is 11-11-11-11-11-11. How did it become 22-22-22-22-22-22? Oh, the MAC address of this machine has changed ~ Good! Then I will update the CAM table!

The updated switch CAM table is as follows:

Port1 -- 22-22-22-22-22-22
Port2 -- 22-22-22-22-22-22
Port3 -- 33-33-33-33-33-33
Port4 -- 44-44-44-44-44-44

Now the MAC addresses recorded for port1 and port2 are the same. If a data packet is sent from the gateway (assuming that port4 is connected to the gateway) to machine B (IP address 192.168.1.22, MAC address 22-22-22-22-22-22), the switch queries the CAM table in sequence to determine the port to which the packet should be forwarded!

When it checks port1, it finds that the MAC address recorded for this port is the same as the destination MAC address in the packet, so the switch forwards the packet straight to machine A on port1. Because the packet has now been forwarded, the switch moves on to the next packet. In this way, data packets once again fall into the hands of those who are eager to snoop!

Pay attention to the following issues:

1) After receiving the packet, A still needs to forward it to B, otherwise the conversation between B and the outside will be interrupted.

2) When A forwards the packet to B, the CAM table of the switch needs to be repaired.

After reading the above two points, you may notice some defects:

1) A has to restore the CAM table when forwarding packets to B, and then spoof again after forwarding. If the gateway sends a data packet to B while A is forwarding, the CAM table is correct at that moment, so the switch sends the data directly to B and A cannot see it. Because these operations are required for every forwarded packet, the CAM table is refreshed frequently. The end result is that the data A captures is incomplete.

2) The port number of the switch you connect to determines your fate!

If machine B is connected to port 1 and machine A is connected to port 2, then with this method A will never sniff B's traffic. Think a little further: what if you are connected to the last port of the switch?!

3) There is a lot of packet loss when sniffing across switches!

See:

 

Now switch A is connected to port1 of switch B, and machine C is connected to port2. If there were no machine B, machine A could still listen smoothly to the traffic sent to machine C. With machine B present, things are different: in the CAM table of the switch, the port1 record is changed often because of the packets sent by machine A and machine B. You can work out the resulting problem yourself.
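The frequent CAM table refreshes described in defect 1 are visible to whoever operates the switch: the same source MAC keeps moving between two ports. The following is an added example (not from the original article) that flags such flapping in a list of (time, port, source MAC) observations; the function name, thresholds and sample data are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

# Constructed sample: (seconds, ingress port, source MAC) as the switch sees
# frames while learning. Port 1 repeatedly claims B's MAC and port 2 keeps
# reclaiming it, matching the spoof/repair cycle in the walkthrough above.
OBSERVED = [
    (0.0, 1, "11-11-11-11-11-11"),
    (0.1, 2, "22-22-22-22-22-22"),
    (0.2, 4, "44-44-44-44-44-44"),
    (1.0, 1, "22-22-22-22-22-22"),  # B's MAC appears on port 1
    (1.2, 2, "22-22-22-22-22-22"),  # back on port 2
    (1.5, 1, "22-22-22-22-22-22"),
    (1.7, 2, "22-22-22-22-22-22"),
    (2.0, 1, "22-22-22-22-22-22"),
    (9.0, 3, "33-33-33-33-33-33"),
]


def find_flapping(frames, min_moves=3, window=5.0):
    """Return {mac: [ports]} for MACs that changed port at least
    `min_moves` times within any `window`-second span."""
    last_port = {}
    recent = defaultdict(deque)  # mac -> (time, old port, new port) moves
    flagged = {}
    for ts, port, mac in sorted(frames):
        mac = mac.lower().replace(":", "-")
        prev = last_port.get(mac)
        last_port[mac] = port
        if prev is None or prev == port:
            continue  # first sighting, or still on the same port
        moves = recent[mac]
        moves.append((ts, prev, port))
        while moves and ts - moves[0][0] > window:
            moves.popleft()  # forget moves that fell out of the window
        if len(moves) >= min_moves:
            ports = {p for _, old, new in moves for p in (old, new)}
            flagged[mac] = sorted(ports | set(flagged.get(mac, [])))
    return flagged


if __name__ == "__main__":
    for mac, ports in find_flapping(OBSERVED).items():
        print(f"MAC {mac} is flapping between ports {ports}")
```

A single move, such as a machine being re-plugged into another port, stays below the threshold and is not reported.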

The way to prevent spoofing of the switch cache is to bind the port-MAC information on the switch. However, this is not feasible because it conflicts with the original design concept of the switch. That is to say, there is no way to prevent it. It is worth noting that wireless networks are now emerging. As in the hub era, listening to other people's traffic on a wireless network takes hardly any effort, and the security of wireless networks is worth pondering!
