
Some of the mechanics behind VLAN hopping

I have recently been reviewing and organising my knowledge of switching, with an emphasis on the security side. VLAN hopping in particular caught my attention.

I started with the relevant chapters of the Chinese edition of the CCNP SWITCH (642-813) study guide, and found the explanation very thin and hard to follow; it felt like something had been lost in translation. I then searched for Chinese documents on Google, again without finding a satisfactory explanation. With no other option I turned to the English documentation, learned a great deal, and am sharing it here.

The English original, CCNP SWITCH 642-813 Official Certification Guide, was the first document I consulted. It describes VLAN hopping as follows:

When securing VLAN trunks, also consider the potential for an exploit called VLAN hopping. Here, an attacker positioned on one access VLAN can craft and send frames with spoofed 802.1Q tags so that the packet payloads ultimately appear on a totally different VLAN, all without the use of a router.

For this exploit to work, the following conditions must exist in the network configuration:

  • The attacker is connected to an access switch port.

  • The same switch must have an 802.1Q trunk.

  • The trunk must have the attacker’s access VLAN as its native VLAN.

When implementing VLAN trunking, you should be aware of a potential threat known as VLAN hopping. An attacker located on an access VLAN port sends crafted frames carrying 802.1Q tags, so that the frame payload is delivered to a different VLAN without passing through a router (which should not be possible).

The network configuration must meet the following conditions for the attack to work:

  • The attacker must be connected to an access port.

  • 802.1Q trunking must be enabled on the switch the attacker is connected to.

  • The VLAN of the attacker's access port must be the trunk's native VLAN.

The attack proceeds as shown in the figure above:

1. The attacker sends a frame carrying two tags into its access VLAN (yes, much like QinQ);

2. When switch A receives the frame, it finds that the outer tag is VLAN 10, the same as the trunk's native VLAN, so when forwarding the frame over the trunk link it removes the native VLAN tag, VLAN 10 in this example (but the frame carries two tags, so after the VLAN 10 tag is stripped a VLAN 20 tag remains);

3. The frame that switch B receives still carries the VLAN 20 tag, so switch B treats it as a normal frame destined for VLAN 20 and forwards it to a VLAN 20 port;

4. In the end, a frame that originated in VLAN 10 has been delivered to VLAN 20, and the attack is complete.

This left me with two questions.

Layer-2 frames generated by a PC are standard Ethernet frames, so how can they carry a tag at all, let alone two?

An ordinary PC can of course only produce standard Ethernet frames, but an attacker uses network tools (such as Sniffer Pro) to generate tagged frames.

Shouldn't the access port add a tag when it receives the frame?

If another tag were added there would be three tags, which is clearly not what happens.

So how exactly is the frame handled?

An untagged frame entering the switch is tagged with the VLAN ID of the access port it arrived on. For tagged frames I found nothing in the Chinese documentation, but a search of English documents gave the following conclusion:

Tagged frames are allowed on an access port. If the tag is correct for the access VLAN, the switch strips the tag and forwards the frame. If it is for the wrong VLAN, then it should drop the frame. (https://supportforums.cisco.com/thread/16878)

Tagged frames are allowed into an access port. If the tag matches the VLAN ID of that access port, the frame is forwarded directly without further processing. If the tag differs from the access port's VLAN ID, the frame is dropped.
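To make the three conditions and the access-port rule concrete, here is a small Python model of the tag handling described above (an added example, not code from the original post or from Cisco): parse_tags walks the 802.1Q tag stack of a raw frame, and deliver traces a frame from an access port on switch A across the trunk to switch B using the access-port and native-VLAN rules quoted in this post. The frame bytes and MAC addresses are constructed for the example.

```python
# Added example (not from the original post): a small model of the 802.1Q tag
# handling the post describes, plus a parser for the tag stack of a raw frame.

TPID_8021Q = 0x8100

def parse_tags(frame: bytes):
    """Return (vlan_ids, ethertype, payload) for a raw Ethernet frame.

    Walks the 802.1Q tag stack after the 12-byte MAC header, so a
    double-tagged frame yields two VLAN IDs, outer tag first.
    """
    pos, vlans = 12, []
    while int.from_bytes(frame[pos:pos + 2], "big") == TPID_8021Q:
        tci = int.from_bytes(frame[pos + 2:pos + 4], "big")
        vlans.append(tci & 0x0FFF)           # VID is the low 12 bits of the TCI
        pos += 4
    if pos + 2 > len(frame):
        raise ValueError("truncated Ethernet/802.1Q header")
    ethertype = int.from_bytes(frame[pos:pos + 2], "big")
    return vlans, ethertype, frame[pos + 2:]

def deliver(frame: bytes, access_vlan: int, native_vlan: int):
    """Trace a frame from an access port on switch A over an 802.1Q trunk to
    switch B. Returns the VLAN it lands in on switch B, or None if dropped.

    Rules modelled: an access port accepts an untagged frame, or a tagged one
    whose outer tag is the access VLAN (any other tag: drop); the trunk sends
    the native VLAN untagged and tags every other VLAN; the receiving trunk
    port uses the outer tag, or the native VLAN when no tag is present.
    """
    vlans, _, _ = parse_tags(frame)
    if vlans and vlans[0] != access_vlan:
        return None                          # tagged for the wrong VLAN: dropped
    inner = vlans[1:]                        # further tags ride along as payload
    # Switch A trunk egress: only the native VLAN goes out without a tag.
    on_wire = inner if access_vlan == native_vlan else [access_vlan] + inner
    # Switch B trunk ingress: outer tag wins; an untagged frame is native VLAN.
    return on_wire[0] if on_wire else native_vlan

# Constructed sample frames (not captures): broadcast dst, made-up src, tags.
MACS = bytes.fromhex("ffffffffffff" "0200000000aa")
DOUBLE_TAGGED = MACS + bytes.fromhex("8100000a" "81000014" "0800") + b"ip-payload"
WRONG_VLAN = MACS + bytes.fromhex("81000014" "0800") + b"ip-payload"
UNTAGGED = MACS + bytes.fromhex("0800") + b"ip-payload"

if __name__ == "__main__":
    print(deliver(DOUBLE_TAGGED, 10, 10))   # 20: native == access VLAN, the hop works
    print(deliver(DOUBLE_TAGGED, 10, 999))  # 10: native VLAN moved, frame stays in 10
    print(deliver(WRONG_VLAN, 10, 10))      # None: dropped at the access port
```

The second call shows why condition three matters: once the trunk's native VLAN differs from the attacker's access VLAN, the outer tag is kept and switch B places the frame back in VLAN 10.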

There is also an experiment write-up that explains this behaviour:

802.1q Frames into non-trunk ports

For the next test, PC 2 was moved to a VLAN 1 port on the second switch. PC 1 was moved to a VLAN 1 port on the first switch. The trunk cable between the two switches was reconnected.

The 802.1q frame generated in Sniffer Pro was sent from PC 1 and was received by PC 2 as a plain ICMP echo ethernet frame, without the 802.1q tag. This test was repeated with both PCs on VLANs 2 and 3 also. In each case, the handcrafted frame was delivered to the destination machine.

http://www.sans.org/security-resources/idfaq/vlan.php


© Sy's Log | Powered by LOFTER