---
# System prepended metadata

title: Networks. Practical Work No. 5

---

# Networks. Practical Work No. 5
## 5.0 Environment setup
Topology
![](https://i.imgur.com/GEQ3pfR.png)
The addressing plan is as follows:
- Router - e0/1 192.168.225.254/24, e0/0 10.0.0.1/24, e0/0.1 10.0.1.1/24, e0/0.10 10.0.10.1/24, e0/0.20 10.0.20.1/24 GW 192.168.225.1
- Kali-Linux e0 10.0.1.225/24 GW 10.0.1.1
- Win7 e0 10.0.10.225 GW 10.0.10.1
- Debian e0 10.0.20.225/24 GW 10.0.20.1

Configure the router:
```bash=
enable
configure terminal
hostname Router
interface e0/1
ip address 192.168.225.254 255.255.255.0
no shutdown
do write
interface e0/0
ip address 10.0.0.1 255.255.255.0
no shutdown
do write
interface e0/0.1
encapsulation dot1q 1
ip address 10.0.1.1 255.255.255.0
do write
interface e0/0.10
encapsulation dot1q 10
ip address 10.0.10.1 255.255.255.0
do write
interface e0/0.20
encapsulation dot1q 20
ip address 10.0.20.1 255.255.255.0
do write
exit
ip route 0.0.0.0 0.0.0.0 192.168.225.1
ip route 10.0.0.0 255.255.255.0 10.0.1.254
do write
access-list 99 permit 10.0.0.0 0.0.255.255
ip nat inside source list 99 interface e0/1 overload
interface e0/1
ip nat outside
interface e0/0
ip nat inside
interface e0/0.1
ip nat inside
interface e0/0.10
ip nat inside
interface e0/0.20
ip nat inside
do write
```
Result
![](https://i.imgur.com/iwHV5IW.png)

Configure DHCP on Router. It will hand out addresses from three pools:
```bash=
enable
configure terminal
ip dhcp excluded-address 10.0.1.1 
ip dhcp excluded-address 10.0.10.1
ip dhcp excluded-address 10.0.20.1
ip dhcp excluded-address 10.0.1.254
ip dhcp excluded-address 10.0.10.254
ip dhcp excluded-address 10.0.20.254 
ip dhcp excluded-address 10.0.1.225
ip dhcp excluded-address 10.0.10.225
ip dhcp excluded-address 10.0.20.225 
ip dhcp pool POOL-VLAN1
network 10.0.1.0 255.255.255.0
default-router 10.0.1.1
dns-server 8.8.8.8
domain-name pt.local
do write
ip dhcp pool POOL-VLAN10
network 10.0.10.0 255.255.255.0
default-router 10.0.10.1
dns-server 8.8.8.8
domain-name pt.local
do write
ip dhcp pool POOL-VLAN20
network 10.0.20.0 255.255.255.0
default-router 10.0.20.1
dns-server 8.8.8.8
domain-name pt.local
do write
exit

```
Result
![](https://i.imgur.com/gm5U8GR.png)


Configure the Switch:
```bash=
enable
configure terminal
hostname Switch
interface e0/1
switchport mode access
switchport access vlan 1
do write
interface e0/2
switchport mode access
switchport access vlan 10
do write
interface e0/3
switchport mode access
switchport access vlan 20
do write
interface e0/0
switchport trunk encapsulation dot1q
switchport mode trunk
do write
```
Result
![](https://i.imgur.com/c4wwTsS.png)

Verify that DHCP hands out addresses
![](https://i.imgur.com/pBO4llH.png)
Internet access
![](https://i.imgur.com/4OJUpQG.png)




## 5.1 Attack on DHCP.
Starvation
Install yersinia
```bash=
apt update
apt install yersinia -y
```
Check the state of the DHCP server before the attack
![](https://i.imgur.com/XoM3zbL.png)

Launch the attack.
Start yersinia:
```bash=
yersinia -G
```
![](https://i.imgur.com/VeSTSz0.png)
![](https://i.imgur.com/T9WKVlf.png)
![](https://i.imgur.com/kQmEbxU.png)

State after the attack
![](https://i.imgur.com/4zIkKTd.png)


Rogue DHCP Server
![](https://i.imgur.com/e5SmCax.png)

![](https://i.imgur.com/alxh1Bt.png)

![](https://i.imgur.com/9LasJDj.png)



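On the Switch, configure protection against a rogue DHCP server and against DHCP starvation: DHCP snooping with only the uplink e0/0 trusted, a DHCP rate limit, and port security on the access ports.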

```bash=
ip dhcp snooping 
ip dhcp snooping vlan 1
ip dhcp snooping vlan 10
ip dhcp snooping vlan 20
do write
interface e0/0
ip dhcp snooping trust
do write
interface range e0/1-3
ip dhcp snooping limit rate 10
switchport mode access
switchport port-security
switchport port-security maximum 1
switchport port-security violation restrict
do write
exit
```
Result

![](https://i.imgur.com/h0CanDw.png)
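
How the snooping settings above treat DHCP traffic, as an added example that is not part of the original lab. It is a simplified Python model: the per-second counting window, the source-MAC/chaddr check (the switch's default MAC verification) and all sample packets are assumptions constructed for illustration.

```python
from collections import defaultdict

SERVER_MSGS = {"OFFER", "ACK", "NAK"}  # only a DHCP server sends these
TRUSTED = {"e0/0"}                     # ip dhcp snooping trust (uplink to Router)
RATE_LIMIT = 10                        # ip dhcp snooping limit rate 10 (packets/s)

def snoop(packets):
    """packets: (second, port, msg_type, src_mac, chaddr) tuples in arrival order.
    Returns (forwarded, dropped_with_reason, errdisabled_ports)."""
    per_second = defaultdict(int)
    forwarded, dropped, errdisabled = [], [], set()
    for pkt in packets:
        sec, port, msg, src_mac, chaddr = pkt
        if port in errdisabled:
            dropped.append((pkt, "port err-disabled"))
        elif port in TRUSTED:
            forwarded.append(pkt)              # trusted ports are not inspected
        else:
            per_second[port, sec] += 1
            if per_second[port, sec] > RATE_LIMIT:
                errdisabled.add(port)          # rate exceeded: port is shut
                dropped.append((pkt, "rate limit exceeded"))
            elif msg in SERVER_MSGS:
                dropped.append((pkt, "server message on untrusted port"))
            elif src_mac != chaddr:            # default MAC verification check
                dropped.append((pkt, "source MAC != chaddr"))
            else:
                forwarded.append(pkt)
    return forwarded, dropped, errdisabled

def mac(i):
    """Constructed locally administered MAC for sample traffic."""
    return "02:00:00:00:%02x:%02x" % (i >> 8, i & 0xFF)

# Constructed sample traffic, not a capture from the lab.
SAMPLE = [
    (1, "e0/2", "DISCOVER", mac(1), mac(1)),   # client asks for a lease
    (1, "e0/0", "OFFER", mac(900), mac(1)),    # Router answers over the trunk
    (2, "e0/1", "OFFER", mac(2), mac(1)),      # server reply from an access port
] + [(5, "e0/1", "DISCOVER", mac(100 + i), mac(100 + i)) for i in range(30)]

if __name__ == "__main__":
    fwd, drop, down = snoop(SAMPLE)
    print(len(fwd), "forwarded,", len(drop), "dropped, err-disabled:", sorted(down))
```

The burst on e0/1 uses a new source MAC per packet, so the snooping rate limit stops it only after ten packets; the port-security limit of one MAC per port configured in the same block is what rejects the extra addresses from the first one.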

## 5.2 VLAN hopping attack.
First, verify that our traffic goes through the router
![](https://i.imgur.com/6A1MBYb.png)

Start yersinia
```bash=
yersinia -G
```

![](https://i.imgur.com/LL6rGet.png)

![](https://i.imgur.com/lVXX3vy.png)

![](https://i.imgur.com/ErJr77u.png)

```bash=
modprobe 8021q
vconfig add eth0 20
ifconfig eth0.20 up
```
![](https://i.imgur.com/i9b4W86.png)
![](https://i.imgur.com/Y1x1o1S.png)

Configure the protection

```bash=
enable
configure terminal
interface range e0/1-3
switchport mode access
switchport nonegotiate
do write
interface e0/0
switchport trunk native vlan 99
do write


```
Result
![](https://i.imgur.com/WWZ2Yu4.png)


## 5.3 CAM-table overflow attack.
Install dsniff
```bash=
apt update
apt install dsniff -y
```
Run it
```bash=
macof
```
Result
![](https://i.imgur.com/Wj2z1Ir.png)

The defense against CAM-table overflow is Port Security. This measure was already implemented in 5.1.

```bash=
enable
configure terminal
interface range e0/1-3
switchport mode access
switchport port-security
switchport port-security maximum 1
switchport port-security violation restrict
do write
```
Result
![](https://i.imgur.com/AzH1pCg.png)




## 5.4 MAC spoofing attack.
```bash=
ifconfig eth0 down
macchanger -m 50:00:00:04:00:00 eth0
ifconfig eth0 up
macchanger -s eth0
```
![](https://i.imgur.com/rddjady.png)

The defense against MAC spoofing is Port Security. This measure was implemented in 5.1.

```bash=
enable
configure terminal
interface range e0/1-3
switchport mode access
switchport port-security
switchport port-security maximum 1
switchport port-security violation restrict
do write
```
Result
![](https://i.imgur.com/SbVivkI.png)
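
Why `port-security maximum 1` with `violation restrict` covers both 5.3 and 5.4, as an added example that is not part of the original lab. It is a simplified Python model of the switch's MAC learning that ignores VLANs and assumes the port stays up; the Kali address, the flood addresses and the placement of the owner of 50:00:00:04:00:00 on e0/3 are constructed assumptions.

```python
class SecurePort:
    """Access port with 'switchport port-security maximum N' and a violation mode."""
    def __init__(self, maximum=1, violation="restrict"):
        self.maximum, self.violation = maximum, violation
        self.secure_macs, self.violations, self.errdisabled = [], 0, False

    def accepts(self, src_mac):
        if self.errdisabled:
            return False
        if src_mac in self.secure_macs:
            return True
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.append(src_mac)   # learned dynamically
            return True
        if self.violation != "protect":        # protect drops without counting
            self.violations += 1
        if self.violation == "shutdown":
            self.errdisabled = True
        return False

def run(frames, secured=True):
    """frames: (port, src_mac) pairs. Returns (cam_table, ports)."""
    cam, ports = {}, {}
    for port, src in frames:
        sp = ports.setdefault(port, SecurePort())
        if not secured or sp.accepts(src):
            cam[src] = port                    # switch learns src MAC on this port
    return cam, ports

KALI = "02:00:00:00:00:01"                     # constructed address for Kali
SPOOFED = "50:00:00:04:00:00"                  # address set with macchanger in 5.4
# Constructed frames: each host talks once, then e0/1 sends 1000 new source
# MACs (as in 5.3) and finally reuses the address assumed to live on e0/3 (5.4).
FLOOD = [("e0/1", "02:aa:00:00:%02x:%02x" % (i >> 8, i & 0xFF)) for i in range(1000)]
FRAMES = [("e0/1", KALI), ("e0/3", SPOOFED)] + FLOOD + [("e0/1", SPOOFED)]

if __name__ == "__main__":
    for secured in (False, True):
        cam, ports = run(FRAMES, secured)
        print("secured" if secured else "open", len(cam), "CAM entries,",
              SPOOFED, "->", cam[SPOOFED], "violations:", ports["e0/1"].violations)
```

In restrict mode the port stays up and only the violation counter grows, so the counter on e0/1 is the signal to alert on.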


## 5.5 ACL configuration.
Configure an extended ACL and apply it on the router interface.
```bash=
enable
configure terminal
! Kali
access-list 100 deny tcp host 10.0.1.225 host 10.0.20.225 eq 80
! Win7
access-list 100 deny ip 10.0.10.225 0.0.0.0 10.0.20.0 0.0.0.255
access-list 100 deny ip 10.0.10.225 0.0.0.0 10.0.10.0 0.0.0.255
access-list 100 deny ip 10.0.10.225 0.0.0.0 192.168.225.0 0.0.0.255
! Debian
access-list 100 deny ip 10.0.20.225 0.0.0.0 10.0.1.0 0.0.0.255
access-list 100 deny ip 10.0.20.225 0.0.0.0 10.0.10.0 0.0.0.255
access-list 100 deny ip 10.0.20.225 0.0.0.0 10.0.20.0 0.0.0.255
access-list 100 deny ip 10.0.10.225 0.0.0.0 192.168.225.0 0.0.0.255
! Other
access-list 100 permit ip 10.0.0.0 0.0.255.255 any
! Default
access-list 100 deny ip any any
do write


```
Result
![](https://i.imgur.com/jx7kqSV.png)


Applying the ACL on the interface:

```bash=
enable
configure terminal
interface e0/0
ip access-group 100 in
do write
```

Result
![](https://i.imgur.com/DipM3tq.png)
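
A way to check what ACL 100 decides for a given flow before relying on it, as an added example that is not part of the original lab. The Python evaluator below parses the entries exactly as configured above (the `access-list 100` prefix is omitted), applies first-match semantics with wildcard masks, and lists entries that repeat an earlier one; the function names are hypothetical.

```python
import ipaddress

# ACL 100 entries in configured order, without the 'access-list 100' prefix.
ACL_100 = """\
deny tcp host 10.0.1.225 host 10.0.20.225 eq 80
deny ip 10.0.10.225 0.0.0.0 10.0.20.0 0.0.0.255
deny ip 10.0.10.225 0.0.0.0 10.0.10.0 0.0.0.255
deny ip 10.0.10.225 0.0.0.0 192.168.225.0 0.0.0.255
deny ip 10.0.20.225 0.0.0.0 10.0.1.0 0.0.0.255
deny ip 10.0.20.225 0.0.0.0 10.0.10.0 0.0.0.255
deny ip 10.0.20.225 0.0.0.0 10.0.20.0 0.0.0.255
deny ip 10.0.10.225 0.0.0.0 192.168.225.0 0.0.0.255
permit ip 10.0.0.0 0.0.255.255 any
deny ip any any"""

def to_int(ip):
    return int(ipaddress.IPv4Address(ip))

def take_addr(tok):
    """Consume 'any', 'host A' or 'A WILDCARD' and return (address, wildcard)."""
    first = tok.pop(0)
    if first == "any":
        return 0, 0xFFFFFFFF
    if first == "host":
        return to_int(tok.pop(0)), 0
    return to_int(first), to_int(tok.pop(0))

def parse(entry):
    tok = entry.split()
    action, proto = tok.pop(0), tok.pop(0)
    src, dst = take_addr(tok), take_addr(tok)
    port = int(tok[1]) if tok[:1] == ["eq"] else None
    return action, proto, src, dst, port

def hit(spec, ip):
    addr, wild = spec                      # wildcard bits set to 1 are ignored
    return (to_int(ip) | wild) == (addr | wild)

def evaluate(rules, proto, src, dst, dport=None):
    """First matching entry wins. Returns (action, 1-based entry number)."""
    for n, (action, rproto, rsrc, rdst, rport) in enumerate(rules, 1):
        if rproto in ("ip", proto) and rport in (None, dport) \
                and hit(rsrc, src) and hit(rdst, dst):
            return action, n
    return "deny", None                    # implicit deny

RULES = [parse(e) for e in ACL_100.splitlines()]
REPEATED = [n for n, r in enumerate(RULES, 1) if r in RULES[:n - 1]]
```

`REPEATED` reports entry 8, which has the same source 10.0.10.225 as entry 4 and therefore never matches; as written, traffic from 10.0.20.225 to 192.168.225.0/24 falls through to the permit in entry 9.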

This concludes the lab.