Vlan

Outline • Overview • Testing Environment • Development Plan • CVE and Related Vulnerabilities • Reference

Overview

Dynamic and Static VLANs • Depending on how membership is assigned there are five kinds: Port-based VLAN, MAC-based VLAN, IP-subnet-based VLAN, Layer-3-protocol-based VLAN, Rule-based VLAN • Port-based membership is configured statically per switch port; the other four derive membership dynamically from fields of the received frame (source MAC, IP subnet, protocol type, or an administrator-defined rule)

VLAN Port Types • Trunk Port: carries frames for many VLANs over one link; every frame is tagged with its VLAN ID (on Cisco switches the untagged native VLAN is the exception, and the allowed-VLAN list defaults to all VLANs) • Access Port: belongs to exactly one VLAN; frames on the link are untagged and the switch adds or strips the tag internally

MVRP • Once MVRP is enabled, switches exchange their VLAN registrations (which VLAN IDs are in use) over trunk ports, so a VLAN created on Switch A is registered on Switch B without manual configuration • [Diagram: Switch A (Vlan 10, Vlan 20) --Trunk Port-- Switch B (Vlan 20, Vlan 10)]

Protocol stack • 802.1Q VLAN tagging itself is a Data Link layer (layer 2) function; a layer-3 switch additionally routes between VLANs at the Network layer, which is why VLAN handling appears at layer 2 or layer 3 depending on the class of switch • [Diagram: Network Layer (inter-VLAN routing) / Data Link Layer (VLAN tagging) / Physical Layer]

Testing Environment

List of Devices and Simulators
No.  Item    Type      Description  Remark
1    Switch  hardware
2    PC A    hardware
3    PC B    hardware
4-6  (not filled in)

Environment setup (not used; replaced by the one on the next page) • Router (Cisco 2811), Switch (Cisco 2960) • PC A emulates a switch and sends tagged frames; PC B pings the router to check that it still answers. If the switch-to-router path stops working, the fuzz frames are the likely cause • PC A sends broadcast frames, or frames addressed to the switch ports of PC B and PC C, and Wireshark on PC B and PC C is used to observe what arrives • VIDs to test: 0, 1, 10, 4095 • [Topology: Router (Cisco 2811) on a Trunk / Access Vlan 1 link; PC A (emulated switch) on a Trunk port of the Switch (Cisco 2960); PC B and PC C on Access Vlan 10]

Test environment (current) • The VLAN and MVRP tests use the same environment. Besides setting the switch port to trunk so that tags are forwarded at all, PC B must be configured so that the VLAN tag is visible in its capture (many NICs strip the 802.1Q tag in hardware before the packet reaches Wireshark); the detailed steps are in the separate document • [Topology 1: PC A (sends fuzz frames) --Trunk-- Switch (Cisco 2960) --Access vlan 10-- PC B] • [Topology 2: PC A (sends fuzz frames) --Trunk-- Switch (Cisco 2960) --Trunk-- PC B]

Vlan tag (802.1Q frame layout)
Destination MAC (6) | Source MAC (6) | Tag (4) | EtherType (2) | Data
Tag (4) = TPID (16 b) + TCI (16 b); TCI = PCP (3 b) | DEI (1 b) | VID (12 b)
The TPID sits where the EtherType of an untagged frame would be (it is itself an EtherType value), and the frame's real EtherType follows the tag.

Vlan Tag • TPID (Tag Protocol Identifier) (16 b): • Customer VLAN tag (C-TAG): 0x8100 • Service VLAN tag or Backbone VLAN tag (S-TAG / B-TAG): 0x88A8 • Backbone Service Instance tag (I-TAG): 0x88E7 • MVRP: 0x88F5 (this is the EtherType of MVRP PDUs, not a tag TPID; the MVRP frame is itself untagged) • TCI (Tag Control Information) (16 b) • PCP (Priority Code Point) (3 b): 0 to 7; higher value means higher priority • DEI (Drop Eligible Indicator) (1 b): formerly CFI. CFI distinguished Ethernet from Token Ring frame formats; DEI marks the frame as eligible to be dropped first under congestion. Default 0 (false) • VID (VLAN Identifier) (12 b): the VLAN ID. 0x000 and 0xFFF are reserved (0x000 means a priority-tagged frame with no VLAN; 0xFFF is reserved for implementation use), so 1 to 4094 are the usable IDs

MVRP (MRPDU format)
Protocol Version (1) | Attribute Type (1) | Attribute Length (1) | Attribute List (n) | End Mark (2)
The Attribute List is a sequence of Vector Attributes terminated by an End Mark (0x0000).
Vector Attribute: Vector Header (2) | First Value = VLAN ID (2) | Attribute Event bytes (each byte packs three consecutive events, so one byte covers VID, VID+1, VID+2) | End Mark (2)
The Vector Header holds the LeaveAll event (3 b) and the number of values (13 b); the Attribute Length is 2 because the VID attribute value is two bytes.
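An encoder and decoder for the MRPDU layout above, added here as an example (it is not code from the slides or from any MVRP implementation). It assumes the VID attribute type (1) with a 2-byte attribute length, the 802.1Q packing of three Attribute Events per byte as ((e1 * 6) + e2) * 6 + e3, and the standard MVRP destination address 01:80:C2:00:00:21 with EtherType 0x88F5; the source MAC is a constructed placeholder. The decoder refuses truncated PDUs and packed bytes that no valid event triple can produce, which is exactly what a fuzzer wants to probe on the switch side.

```python
"""Added example: encode and decode an MVRP PDU (MRPDU) for VID registrations."""
import struct

MVRP_DST_MAC = bytes.fromhex("0180c2000021")   # Nearest Customer Bridge group address
ETHERTYPE_MVRP = 0x88F5
ATTR_TYPE_VID, ATTR_LEN_VID = 1, 2
END_MARK = b"\x00\x00"
EVENT_NAMES = ("New", "JoinIn", "In", "JoinMt", "Mt", "Lv")
EVENT = {name: i for i, name in enumerate(EVENT_NAMES)}
SRC_MAC = bytes.fromhex("020000000a0a")        # constructed placeholder for PC A


def encode_vector_attribute(first_vid, events, leave_all=False):
    """VectorHeader(2) = LeaveAllEvent(3 b) | NumberOfValues(13 b); FirstValue(2) = first VID;
    then ceil(n/3) bytes, each = ((e1 * 6) + e2) * 6 + e3, covering first_vid, first_vid+1, ..."""
    n = len(events)
    if not 1 <= first_vid <= 0xFFF or first_vid + n - 1 > 0xFFF or n > 0x1FFF:
        raise ValueError("VID range or value count out of range")
    if n == 0 and not leave_all:
        raise ValueError("empty vector without LeaveAll would encode as an EndMark")
    header = ((1 << 13) if leave_all else 0) | n
    out = struct.pack("!HH", header, first_vid)
    for i in range(0, n, 3):
        e = list(events[i:i + 3]) + [0] * (3 - len(events[i:i + 3]))   # unused slots are 0
        out += bytes([(e[0] * 6 + e[1]) * 6 + e[2]])
    return out


def encode_mrpdu(vector_attributes, version=0):
    """ProtocolVersion, one Message (type, length, attribute list + EndMark), PDU EndMark."""
    message = bytes([ATTR_TYPE_VID, ATTR_LEN_VID]) + b"".join(vector_attributes) + END_MARK
    return bytes([version]) + message + END_MARK


def mvrp_frame(src_mac, pdu):
    """Untagged Ethernet frame carrying the MRPDU."""
    return MVRP_DST_MAC + src_mac + struct.pack("!H", ETHERTYPE_MVRP) + pdu


def decode_mrpdu(pdu):
    """Return {"version", "leave_all", "registrations": [(vid, event_name), ...]}."""
    if len(pdu) < 3:
        raise ValueError("PDU too short")
    version, off, regs, leave_all_seen = pdu[0], 1, [], False
    while pdu[off:off + 2] != END_MARK:               # one Message per iteration
        if off + 2 > len(pdu):
            raise ValueError("missing PDU EndMark")
        attr_type, attr_len = pdu[off], pdu[off + 1]
        if attr_type != ATTR_TYPE_VID or attr_len != ATTR_LEN_VID:
            raise ValueError("unsupported attribute type/length %d/%d" % (attr_type, attr_len))
        off += 2
        while pdu[off:off + 2] != END_MARK:           # one VectorAttribute per iteration
            if off + 4 > len(pdu):
                raise ValueError("truncated VectorAttribute")
            header, first_vid = struct.unpack_from("!HH", pdu, off)
            off += 4
            leave_all, n = bool(header >> 13), header & 0x1FFF
            leave_all_seen = leave_all_seen or leave_all
            nbytes = (n + 2) // 3
            vector = pdu[off:off + nbytes]
            if len(vector) < nbytes:
                raise ValueError("truncated event vector")
            off += nbytes
            for i in range(n):
                b = vector[i // 3]
                if b >= 216:                           # 6*6*6: no valid triple packs above 215
                    raise ValueError("invalid packed event byte %#x" % b)
                event = (b // 6 ** (2 - i % 3)) % 6   # slot 0 -> /36, slot 1 -> /6, slot 2 -> /1
                vid = first_vid + i
                if not 1 <= vid <= 0xFFF:
                    raise ValueError("VID %d out of range" % vid)
                regs.append((vid, EVENT_NAMES[event]))
        off += 2                                       # AttributeList EndMark
    return {"version": version, "leave_all": leave_all_seen, "registrations": regs}


if __name__ == "__main__":
    va = encode_vector_attribute(10, [EVENT["JoinIn"], EVENT["In"], EVENT["Mt"], EVENT["Lv"]])
    pdu = encode_mrpdu([va])
    print(mvrp_frame(SRC_MAC, pdu).hex())
    print(decode_mrpdu(pdu))
```

For fuzzing, the interesting inputs are the ones the decoder rejects: a NumberOfValues that runs past 0xFFF, a vector byte of 216 or more, and a PDU missing its EndMark. A switch that accepts them silently is the kind of target the development plan is after.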

Wireshark Vlan (screenshot of a tagged frame decode; image not extracted)

Wireshark MVRP (screenshot of an MVRP PDU decode; image not extracted)

Development Plan

Planned fuzzing directions and content
No.  Category  Direction     Description                                                              Remark
1    Vlan Tag  PC to Switch  single, double and triple tags; each with an empty payload and with an ICMP payload
2    MVRP      PC to Switch  dynamic VLAN registration
3-7  (not filled in)
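The tag layout from the "Vlan tag" slides and the first row of the plan above, as an added example that is not part of the slides or of any fuzzing tool: a builder for single-, double- and triple-tagged frames with either an empty or an ICMP payload, over the VIDs 0, 1, 10 and 4095 listed for the test environment, plus a parser that walks the tag stack and flags the reserved VIDs. It assumes IPv4 EtherType 0x0800, an S-TAG (0x88A8) as the outermost tag of a stack with C-TAGs (0x8100) inside, and constructed placeholder MAC and IP addresses for PC A and the router; a real run would hand each frame to a raw socket on PC A's trunk-facing interface.

```python
"""Added example: build and parse IEEE 802.1Q tagged Ethernet frames for the fuzz matrix."""
import socket
import struct

TPID_CTAG = 0x8100                 # customer VLAN tag (C-TAG)
TPID_STAG = 0x88A8                 # service / backbone VLAN tag (S-TAG)
ETHERTYPE_IPV4 = 0x0800
RESERVED_VIDS = {0x000, 0xFFF}     # 0 = priority-tagged only, 4095 = reserved

# Constructed placeholders; replace with the lab's PC A and router addresses.
PC_A_MAC = bytes.fromhex("020000000a0a")
BCAST_MAC = b"\xff" * 6
PC_A_IP, ROUTER_IP = "192.0.2.10", "192.0.2.1"


def vlan_tag(vid, pcp=0, dei=0, tpid=TPID_CTAG):
    """4-byte tag: TPID (16 b) then TCI = PCP (3 b) | DEI (1 b) | VID (12 b)."""
    if not (0 <= vid <= 0xFFF and 0 <= pcp <= 7 and dei in (0, 1)):
        raise ValueError("tag field out of range")
    return struct.pack("!HH", tpid, (pcp << 13) | (dei << 12) | vid)


def build_frame(dst, src, tags, ethertype, payload):
    """Ethernet frame with a stack of tags (outermost first) in front of the real EtherType."""
    return dst + src + b"".join(vlan_tag(**t) for t in tags) + struct.pack("!H", ethertype) + payload


def inet_checksum(data):
    """RFC 1071 one's-complement checksum used by the IPv4 header and ICMP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_icmp_echo(src_ip, dst_ip, data=b"vlan-fuzz"):
    """Minimal IPv4 + ICMP echo request so the 'ICMP payload' cases carry a valid ping."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, 1, 1) + data            # type 8, code 0, csum, id, seq
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return ip + icmp


def parse_frame(frame):
    """Walk the tag stack; report reserved VIDs instead of silently accepting them."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    off, tags, warnings = 12, [], []
    while True:
        if off + 2 > len(frame):
            raise ValueError("truncated: tag stack runs past the end of the frame")
        (ethertype,) = struct.unpack_from("!H", frame, off)
        if ethertype not in (TPID_CTAG, TPID_STAG):
            break                                   # not a TPID: this is the real EtherType
        if off + 4 > len(frame):
            raise ValueError("truncated 802.1Q tag")
        (tci,) = struct.unpack_from("!H", frame, off + 2)
        tag = {"tpid": ethertype, "pcp": tci >> 13, "dei": (tci >> 12) & 1, "vid": tci & 0xFFF}
        if tag["vid"] in RESERVED_VIDS:
            warnings.append("reserved VID %#05x at tag depth %d" % (tag["vid"], len(tags)))
        tags.append(tag)
        off += 4
    return {"dst": frame[:6], "src": frame[6:12], "tags": tags,
            "ethertype": ethertype, "payload": frame[off + 2:], "warnings": warnings}


def fuzz_cases(vids=(0, 1, 10, 4095)):
    """The plan's matrix: for each VID, 1/2/3 tags, each with an empty and with an ICMP payload."""
    icmp = ipv4_icmp_echo(PC_A_IP, ROUTER_IP)
    cases = []
    for vid in vids:
        for depth in (1, 2, 3):
            # outermost tag of a stack uses the S-TAG TPID, inner tags the C-TAG TPID
            tags = [{"vid": vid, "tpid": TPID_STAG if depth > 1 and i == 0 else TPID_CTAG}
                    for i in range(depth)]
            for name, payload in (("empty", b""), ("icmp", icmp)):
                frame = build_frame(BCAST_MAC, PC_A_MAC, tags, ETHERTYPE_IPV4, payload)
                cases.append(("%dtag-vid%d-%s" % (depth, vid, name), frame))
    return cases


if __name__ == "__main__":
    for name, frame in fuzz_cases():
        info = parse_frame(frame)
        print(name, [t["vid"] for t in info["tags"]], info["warnings"])
```

The parser is the same logic a switch must run on every ingress frame, which is why the reserved-VID and truncated-tag cases are worth sending: a device that forwards a VID 0xFFF frame onto a trunk, or pops one tag of a double-tagged frame and forwards the rest into the access VLAN, has exactly the behaviour the fuzz plan is looking for.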

CVE and Related Vulnerabilities

CVE and Related Vulnerabilities • CVE-2018-0197: A vulnerability in the VLAN Trunking Protocol (VTP) subsystem of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, adjacent attacker to corrupt the internal VTP database on an affected device and cause a denial of service (DoS) condition. • CVE-2005-4441: The PVLAN protocol allows remote attackers to bypass network segmentation and spoof PVLAN traffic via a PVLAN message with a target MAC address that is set to a gateway router. • Both are in VLAN-related control or segmentation features rather than in 802.1Q tagging or MVRP itself; VTP in particular is Cisco-proprietary, and both are reachable only from an adjacent (same-segment) position, which is the position the fuzzing PC has in the test environment • https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=vlan+fuzz

Reference

Reference list
No.  Item                                                                                      Type  Description  Remark
1    IEEE Standard for Local and metropolitan area networks—Bridges and Bridged Networks (802.1Q)  PDF   one copy
2-4  (not filled in)