STP mitm attack idea

In many white papers about attacks on the Spanning Tree Protocol I found a MITM attack that uses two STP switches, one station and two Ethernet NICs.
That attack is in most cases useless because:
- we need physical access to two switches (not one)
- we need two cards in the station
Two cards are possible, but access to two switches in one office, for example, is almost impossible.
My modification of this attack needs:
- two stations to attack via MITM (A and B)
- two or more switches running STP
- two attacking stations (C and D) connected to two different switches, on the path between the attacked stations

A ---- switch 1 ----- switch 2 ----- B
          |               |
          |               |
          C               D

Take the first scenario:
1. A sends a frame to B
2. Switch 1 accepts the frame and forwards it to switch 2
3. Switch 2 accepts the frame via the link from switch 1 and forwards it to B

Second scenario:
1. Stations C and D start sending frames to break the link between switch 1 and switch 2, and announce a non-existent connection from C's port on switch 1 to D's port on switch 2

A ---- switch 1 --X-- switch 2 ----- B
          |               |
          |               |
          C --no conn---- D
2. Station A sends a frame to B
3. The frame is forwarded to station C
4. Station C stores the frame in memory
5. After the same interval, stations C and D repair the link between switches 1 and 2
6. Station C resends the stored packet to station D (for example through a tunnel, or encapsulated in an IP packet)
7. Stations C and D break the link between switches 1 and 2 again
8. Station D sends the transmitted packet to station B

Advantages
- no need for one station with two links to two switches
- needs two stations, compromised or not (in a large multi-switch environment with many stations we can sometimes find, for example, two compromised Windows or Linux hosts)
- with good timing and a packet detection method, we can separate one protocol connection from the whole traffic

Disadvantages of the method
- it stops all traffic between the switches, and needs delicate timing
- while the link between switch 1 and 2 is working, we can't see the frames flying across the wire

Additional information
- timing question, i.e. the retransmission time between TCP frames versus the time needed to break and repair the link: is it possible to do it before the frame is retransmitted?
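The whole scenario depends on stations C and D being able to inject STP BPDUs from ordinary switch ports, which is exactly what BPDU Guard / Root Guard are meant to stop. As an added defender's example (not part of the original post), here is a small inspector that decodes 802.1D Configuration/TCN BPDUs from raw Ethernet frames and flags the three symptoms such an attempt produces: a BPDU on an access (edge) port, a topology-change flag, and a root bridge ID that differs from the known root. The source MACs, bridge IDs and the two sample frames are constructed for the demo.

```python
import struct

STP_DST = bytes.fromhex("0180c2000000")   # IEEE 802.1D bridge-group multicast address
CONFIG_BPDU, TCN_BPDU = 0x00, 0x80        # BPDU type field values

def parse_bpdu(frame: bytes):
    """Decode an 802.3/LLC-encapsulated STP BPDU; return None for any other frame."""
    if len(frame) < 21 or frame[:6] != STP_DST or frame[14:17] != b"\x42\x42\x03":
        return None
    bpdu = frame[17:]
    proto, _version, btype = struct.unpack("!HBB", bpdu[:4])
    if proto != 0:                         # protocol identifier must be 0 for STP
        return None
    info = {"src": frame[6:12].hex(":"), "type": btype}
    if btype == TCN_BPDU:                  # Topology Change Notification carries no more fields
        return info
    if btype != CONFIG_BPDU or len(bpdu) < 35:
        return None
    flags, root, cost, bridge, port, _age, max_age, _hello, _fwd = struct.unpack(
        "!BQIQHHHHH", bpdu[4:35])
    info.update(flags=flags, root_id=root, path_cost=cost, bridge_id=bridge,
                port_id=port, max_age_s=max_age / 256)
    return info

def inspect(frame: bytes, port_is_edge: bool, expected_root_id: int):
    """Return the list of findings for one frame seen on a given switch port."""
    b = parse_bpdu(frame)
    if b is None:
        return []
    findings = []
    if port_is_edge:
        findings.append("BPDU on edge/access port (BPDU Guard would err-disable it)")
    if b["type"] == TCN_BPDU or (b["type"] == CONFIG_BPDU and b["flags"] & 0x01):
        findings.append("topology change signalled")
    if b["type"] == CONFIG_BPDU and b["root_id"] != expected_root_id:
        findings.append("claims root bridge %016x, expected %016x"
                        % (b["root_id"], expected_root_id))
    return findings

# Constructed samples (dst, src, 802.3 length, LLC 42/42/03, then the 35-byte Config BPDU).
EXPECTED_ROOT_ID = 0x800000000C112233              # priority 0x8000 + the real root's MAC
TRUNK_BPDU = bytes.fromhex(                        # legitimate hello from the root on a trunk
    "0180c2000000" "00000c112233" "0026" "424203" "0000" "00" "00" "00"
    "800000000c112233" "00000000" "800000000c112233" "8001" "0000" "1400" "0200" "0f00")
ACCESS_BPDU = bytes.fromhex(                       # host on an access port, TC flag, priority 0
    "0180c2000000" "525400aabbcc" "0026" "424203" "0000" "00" "00" "01"
    "0000525400aabbcc" "00000000" "0000525400aabbcc" "8001" "0000" "1400" "0200" "0f00")

if __name__ == "__main__":
    for name, frame, edge in (("trunk", TRUNK_BPDU, False), ("access", ACCESS_BPDU, True)):
        print(name, inspect(frame, edge, EXPECTED_ROOT_ID) or "clean")
```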

Uh, that's all. Please think about whether it is possible, because my programming skills are too low to make it work.

http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/Baseline_Security/sec_chap7.html#wp1058965
