Practical Work No. 5

DHCP attack

CAM-table overflow attack

VLAN hopping

ARP spoofing

Switch during the attack, after ARP inspection was configured

Switch configuration

```
Current configuration : 2022 bytes
!
! Last configuration change at 14:38:11 UTC Sat Jan 14 2023
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service compress-config
!
hostname Switch
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
!
!
!
!
ip arp inspection filter DAI vlan 10
!
!
!
ip dhcp snooping vlan 20
no ip dhcp snooping information option
ip cef
no ipv6 cef
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Ethernet0/0
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 ip arp inspection trust
 ip dhcp snooping trust
!
interface Ethernet0/1
 switchport access vlan 10
 switchport mode access
 ip arp inspection limit rate 100
 ip dhcp snooping limit rate 15
!
interface Ethernet0/2
 switchport access vlan 20
 switchport mode access
 ip arp inspection limit rate 100
 ip dhcp snooping limit rate 15
!
interface Ethernet0/3
 switchport access vlan 10
 switchport mode access
 ip arp inspection limit rate 100
 ip dhcp snooping limit rate 15
!
interface Ethernet1/0
 switchport access vlan 20
 switchport mode access
 switchport port-security maximum 5
 switchport port-security violation restrict
 ip arp inspection limit rate 100
 ip dhcp snooping limit rate 15
!
interface Ethernet1/1
!
interface Ethernet1/2
!
interface Ethernet1/3
!
interface Ethernet2/0
!
interface Ethernet2/1
!
interface Ethernet2/2
!
interface Ethernet2/3
!
interface Ethernet3/0
!
interface Ethernet3/1
!
interface Ethernet3/2
!
interface Ethernet3/3
!
interface Ethernet4/0
!
interface Ethernet4/1
!
interface Ethernet4/2
!
interface Ethernet4/3
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
!
!
!
arp access-list DAI
 permit ip host 192.168.10.254 mac host 5008.4200.6601
 permit ip host 192.168.10.15 mac host 5061.c000.6900
!
!
!
control-plane
!
!
line con 0
 logging synchronous
line aux 0
line vty 0 4
 login
!
!
end
```

ACL configuration for the router

```
Router(config-if)#do sh run
Building configuration...

Current configuration : 1859 bytes
!
! Last configuration change at 15:36:40 UTC Sat Jan 14 2023
!
version 15.4
service config
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
!
!
!
!
!
!
!
!
!
!
ip dhcp pool VLAN10
 network 192.168.10.0 255.255.255.0
 default-router 192.168.10.254
 dns-server 8.8.8.8
!
ip dhcp pool VLAN20
 network 192.168.20.0 255.255.255.0
 default-router 192.168.20.254
 dns-server 8.8.8.8
!
!
!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
redundancy
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Ethernet0/0
 ip address 192.168.1.254 255.255.255.0
 ip access-group 101 in
 ip nat inside
 ip virtual-reassembly in
!
interface Ethernet0/0.10
 encapsulation dot1Q 10
 ip address 192.168.10.254 255.255.255.0
 ip access-group 103 in
!
interface Ethernet0/0.20
 encapsulation dot1Q 20
 ip address 192.168.20.254 255.255.255.0
 ip access-group 102 in
!
interface Ethernet0/1
 ip address dhcp
 ip nat outside
 ip virtual-reassembly in
!
interface Ethernet0/2
 no ip address
 shutdown
!
interface Ethernet0/3
 no ip address
 shutdown
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip nat inside source list 99 interface Ethernet0/1 overload
!
!
!
access-list 101 deny 80 host 192.168.1.1 192.168.10.0 0.0.0.255
access-list 102 deny ip host 192.168.20.1 192.168.10.0 0.0.0.255
access-list 102 deny ip host 192.168.20.1 192.168.20.0 0.0.0.255
access-list 102 permit ip any any
access-list 103 deny ip host 192.168.10.1 192.168.0.0 0.0.255.255
access-list 103 permit ip any any
!
control-plane
!
!
!
!
!
!
!
!
line con 0
 logging synchronous
line aux 0
line vty 0 4
 login
 transport input none
!
!
end
```
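A per-port audit of the switch configuration above, as an added example that is not part of the original lab report: it parses the `interface` blocks and lists, for each access or trunk port, which of the Layer 2 mitigations used in this config (port-security, the DHCP snooping and ARP inspection rate limits, `switchport nonegotiate`) are absent. The function names and check labels are hypothetical, and the sample is an abridged excerpt of the switch config shown here.

```python
import re

# Abridged excerpt of the switch running-config on this page (three ports).
SAMPLE = """\
interface Ethernet0/0
 switchport mode trunk
 switchport nonegotiate
!
interface Ethernet0/1
 switchport mode access
 ip arp inspection limit rate 100
 ip dhcp snooping limit rate 15
!
interface Ethernet1/0
 switchport mode access
 switchport port-security maximum 5
 switchport port-security violation restrict
 ip arp inspection limit rate 100
 ip dhcp snooping limit rate 15
"""

# Check labels are this example's own; each maps to the line that satisfies it.
ACCESS_CHECKS = {
    "port-security (CAM-table overflow)": r"switchport port-security",
    "DHCP snooping rate limit": r"ip dhcp snooping limit rate \d+",
    "ARP inspection rate limit": r"ip arp inspection limit rate \d+",
}
TRUNK_CHECKS = {"DTP off (VLAN hopping)": r"switchport nonegotiate"}

def parse_interfaces(config):  # interface name -> its indented sub-commands
    ports, current = {}, None
    for line in config.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            current = ports.setdefault(m.group(1), [])
        elif not line.startswith(" "):
            current = None  # "!" or a global command closes the block
        elif current is not None:
            current.append(line.strip())
    return ports

def audit(config):  # access/trunk port -> labels of the checks it does not meet
    findings = {}
    for name, cmds in parse_interfaces(config).items():
        checks = (ACCESS_CHECKS if "switchport mode access" in cmds else
                  TRUNK_CHECKS if "switchport mode trunk" in cmds else None)
        if checks is not None:
            findings[name] = [label for label, rx in checks.items()
                              if not any(re.match(rx, c) for c in cmds)]
    return findings
```

On the excerpt, `audit(SAMPLE)` reports only Ethernet0/1 as lacking port-security; ports with no `switchport mode` line are skipped rather than guessed at.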