VLAN Hopping

Ayushi Rathore
5 min readOct 15, 2019

*** Nothing contained in this article is intended to teach or encourage the use of security tools or methodologies for illegal or unethical purposes. Always act in a responsible manner. Make sure you have permission from the proper individuals before you use any of the tools or techniques described here.

Introduction

Normally, hosts can only talk directly to other hosts in the same VLAN; traffic between VLANs has to pass through a router or layer-3 switch. When an attacker on one VLAN sniffs traffic from, or sends packets into, a different VLAN without going through that router, the result is a VLAN hopping attack. It is a layer 2 attack: it abuses how the switches classify and forward frames, not anything at the IP layer.

There are two types of VLAN hopping attacks:

1. Switch Spoofing

2. Double Tagging

In switch spoofing, the attacker sends Dynamic Trunking Protocol (DTP) messages from their computer to the switch so that a trunk link forms between the attacker's port and the switch. Once that port is trunking, the attacker can send and receive tagged frames for every VLAN allowed on the trunk, and so can sniff the traffic flooded on all of those VLANs and inject frames into any of them. The attack only works when the switch port has been left in a DTP mode that will negotiate a trunk (dynamic desirable or dynamic auto).

In a double tagging attack, the attacker sends frames carrying two 802.1Q tags. The first switch strips the outer tag, which matches the native VLAN of the trunk, and forwards the frame across the trunk untagged; the inner tag, carrying the victim's VLAN ID, survives, so the second switch delivers the frame into the victim's VLAN. Double tagging therefore only works when the attacker's port is in the same VLAN as the trunk's native VLAN. It is a unidirectional attack: the victim's replies stay inside the victim's VLAN and never reach the attacker, so it is mainly useful for denial-of-service style attacks rather than for two-way communication.

Topology Used

The topology consists of two Cisco switches connected by a trunk link between interface 1/0/43 on switch-1 and interface 2/0/47 on switch-2. The victim PC is on VLAN 10 and is connected to switch-2 on interface 2/0/1. The host PC is on VLAN 10 and is connected to switch-1 on interface 1/0/1, and the attacker is connected to switch-1 on interface 1/0/3.

In this exercise the attacker first negotiates a trunk with switch-1, gaining access to the native VLAN, and then uses double tagging to attack the victim PC on VLAN 10.

Fig. Topology used for the experiment

Attack Methodology

§ Switch Spoofing Attack

The switch spoofing attack is carried out as follows:

First, I configured the VLANs of the PCs connected to the two switches. After setting up their VLANs, I connected both switches with a trunk link, keeping VLAN 1 as the native VLAN.

Fig. VLAN 10 assigned to switch-1 interface
Fig. VLAN 10 assigned to switch-2 interface

After that, I trunked the interfaces connecting switch-1 and switch-2: interface 1/0/43 on switch-1 and interface 2/0/47 on switch-2.

Fig. Shows switch 1 interface is trunking
Fig. Shows switch 2 interface is trunking
Fig. Both switches are successfully trunked.

With the two switches connected, the attacker now negotiates a trunk with an interface of switch-1. The attacker sits on a different VLAN from the victim but has access to an access port on switch-1, which is all the attack needs: a direct connection between the attacker and the switch.

First I opened Kali and started Yersinia in interactive mode with the command: yersinia -I

Once Yersinia was running, I launched the Dynamic Trunking Protocol attack against the switch-1 interface.

After the trunk was negotiated, the switch-1 interface the attacker is connected to shows as trunking:

Fig. Yersinia performed DTP trunking

In the figure above, the trunk has formed successfully and the attacker is now connected to the native VLAN of switch-1. This completes the switch spoofing attack.

Fig. Trunking successfully on the interface of switch 1

Double Tagging

After that, I started the double tagging attack. In this lab it follows the switch spoofing step: double tagging requires the attacker to be in the trunk's native VLAN, and the DTP trunk negotiated above (native VLAN 1) provided exactly that. Once connected to the native VLAN, I sent double-tagged 802.1Q frames to the victim PC on VLAN 10 with the help of Yersinia. The Wireshark capture on the attacker PC shows the frame carrying two VLAN IDs, and the capture on the victim PC shows the frame as it was received from the attacker.

Fig. attacker sending double encapsulated frame to Victim PC

In the figure above, the attacker is using a spoofed source MAC address. The outer tag carries VLAN ID 0001 (the native VLAN) and the inner tag carries the victim's VLAN ID, 0010. The destination field contains the victim's MAC address.

The Wireshark results are as:

Fig. attacker wireshark showing double encapsulated frame being sent to victim
Fig. Victim received ICMP request from attacker

These figures show that both attacks succeeded.

Mitigation

Mitigations for switch spoofing:

§ Never leave an access port in dynamic desirable, dynamic auto or trunk mode.

§ Hardcode all access ports (switchport mode access) and disable DTP on them (switchport nonegotiate).

§ Hardcode all trunk ports (switchport mode trunk) and disable DTP on them as well (switchport nonegotiate), so that no port ever negotiates its mode.

§ Shut down all unused interfaces.

Fig. All switchports configured as access ports
Fig. Hardcoded trunk port; the attacker's trunk disappears after these commands

Mitigations for double tagging:

§ Don't put any host on the native (default) VLAN.

§ Change the native VLAN ID of every trunk to an unused VLAN (switchport trunk native vlan <id>), so that no access port shares a VLAN with it.

§ Tag the native VLAN explicitly on all trunk ports (vlan dot1q tag native), so that no frame crosses the trunk untagged.

Fig. Changed the native VLAN to some other ID on switch-1 interface
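To make the double tagging mechanism described in the introduction and the native-VLAN mitigations above concrete, here is an added Python example. It is not part of the original article and does not use Yersinia or any vendor code; it builds a double-tagged frame like the one in the capture (outer tag 1, inner tag 10) and models the two switch hops: an access port accepting a frame tagged with its own VLAN (the Catalyst behaviour the attack relies on, assumed here as the model), the trunk sending the native VLAN untagged, and the second switch classifying the frame by the first tag it sees. The same model then shows why moving the native VLAN to an unused ID, tagging the native VLAN explicitly, or keeping hosts off the native VLAN stops the frame from landing in VLAN 10. The MAC addresses and payload are constructed for the example, and the trunk is assumed to allow the VLANs involved.

```python
import struct

TPID_8021Q = 0x8100      # 802.1Q tag protocol identifier
ETHERTYPE_IPV4 = 0x0800

# Constructed sample addresses and payload (not taken from the article's capture).
VICTIM_MAC = bytes.fromhex("00005e005301")
ATTACKER_MAC = bytes.fromhex("02bad0c0ffee")   # locally administered, i.e. spoofed
PAYLOAD = b"\x45\x00" + b"\x00" * 26            # stand-in for an IP/ICMP header


def build_frame(dst, src, vids, payload, ethertype=ETHERTYPE_IPV4):
    """Ethernet frame with one 802.1Q tag per VLAN ID in `vids`, outermost first."""
    tags = b"".join(struct.pack("!HH", TPID_8021Q, vid & 0x0FFF) for vid in vids)
    return dst + src + tags + struct.pack("!H", ethertype) + payload


def pop_tag(frame):
    """Return (vid, frame with that tag removed), or (None, frame) if untagged."""
    if struct.unpack("!H", frame[12:14])[0] != TPID_8021Q:
        return None, frame
    vid = struct.unpack("!H", frame[14:16])[0] & 0x0FFF
    return vid, frame[:12] + frame[16:]


def push_tag(frame, vid):
    """Insert an 802.1Q tag for `vid` directly after the MAC addresses."""
    return frame[:12] + struct.pack("!HH", TPID_8021Q, vid) + frame[12:]


def access_ingress(frame, access_vlan):
    """Switch-1 access port (modelled): untagged frames, and frames tagged with the
    port's own access VLAN, are accepted into access_vlan; any other tag is dropped."""
    vid, stripped = pop_tag(frame)
    if vid is None:
        return access_vlan, frame
    if vid == access_vlan:
        return access_vlan, stripped
    return None, None


def trunk_egress(vlan, frame, native_vlan, tag_native=False):
    """Switch-1 trunk: the native VLAN leaves untagged unless 'vlan dot1q tag native'
    is modelled (tag_native=True); every other VLAN is tagged with its own ID."""
    if vlan == native_vlan and not tag_native:
        return frame
    return push_tag(frame, vlan)


def trunk_ingress(frame, native_vlan, tag_native=False):
    """Switch-2 trunk: a tagged frame belongs to the VLAN in its tag; an untagged
    frame belongs to the native VLAN (or is dropped when tag_native is in force)."""
    vid, _ = pop_tag(frame)
    if vid is None:
        return None if tag_native else native_vlan
    return vid


def delivered_vlan(frame, attacker_vlan, native_vlan, tag_native=False):
    """VLAN that switch-2 delivers the attacker's frame into, or None if it is dropped."""
    vlan, f = access_ingress(frame, attacker_vlan)
    if vlan is None:
        return None
    f = trunk_egress(vlan, f, native_vlan, tag_native)
    return trunk_ingress(f, native_vlan, tag_native)


def demo():
    """Run the lab configuration and the three mitigations against the same frame."""
    frame = build_frame(VICTIM_MAC, ATTACKER_MAC, [1, 10], PAYLOAD)
    return {
        # Lab: attacker in VLAN 1, native VLAN 1 -> outer tag popped, inner tag 10 wins.
        "lab": delivered_vlan(frame, attacker_vlan=1, native_vlan=1),
        # Native VLAN moved to an unused ID: VLAN 1 is tagged on the trunk, inner tag stays buried.
        "unused_native": delivered_vlan(frame, attacker_vlan=1, native_vlan=999),
        # Native VLAN tagged explicitly: the inner tag never becomes the outer tag.
        "tag_native": delivered_vlan(frame, attacker_vlan=1, native_vlan=1, tag_native=True),
        # No host on the native VLAN: attacker's port is in VLAN 20, so tag 1 is rejected.
        "no_host_on_native": delivered_vlan(frame, attacker_vlan=20, native_vlan=1),
    }


if __name__ == "__main__":
    for case, vlan in demo().items():
        outcome = ("delivered to VLAN %d" % vlan) if vlan else "never reaches VLAN 10"
        print("%18s: %s" % (case, outcome))
```

Only the first case reaches VLAN 10; in the two native-VLAN mitigations the frame ends up in VLAN 1 with its inner tag still hidden inside the payload, and with the attacker kept off the native VLAN the access port drops the frame outright.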

Result

After applying the mitigations, I tried to launch the attack again, but I was not able to form a trunk link between the switch interface and the attacker's interface. Because I could not form the trunk link, I failed at both the switch spoofing attack and the double tagging attack.

Fig. DTP trunk is not formed after mitigation

In this lab, double tagging followed on from switch spoofing: once an attacker has access to the native VLAN, they can send frames into any other VLAN and so carry out denial of service against systems there. Native VLANs therefore need to be configured properly and the precautions above put in place.


Ayushi Rathore

CEH | MS in Computing Security | Actively seeking co-op or full-time opportunities