
VLAN Hopping Attack








VLAN hopping describes an attack in which an attacker connected to one VLAN gains access to traffic on other VLANs that would normally not be reachable. There are two VLAN hopping methods: switch spoofing and double tagging.




Let's start with Switch Spoofing:

Switch spoofing allows the rogue host to pretend to be a member of all VLANs in our network. It occurs when the switch port the attacker connects to is either in trunking mode or in DTP auto-negotiation mode; both allow a device that uses 802.1Q encapsulation to tag traffic with different VLAN identifiers in an aggressive effort to form a trunk.

An attacker adds 802.1Q encapsulation headers with VLAN tags for remote VLANs to its outgoing frames. The receiving switch interprets those frames as sourced from another 802.1Q switch (only switches usually use 802.1Q encapsulation, after all) and forwards the frames into the appropriate VLAN.
The problem is that the switch just knows it is sending Dynamic Trunking Protocol (DTP) frames and has no idea who is receiving them.




A lot of network administrators leave switch ports in auto mode, meaning the port can trunk but is not actively looking to do so. This situation can lead to a problem, because an attacker connected to a port in auto mode can pretend to be a switch and send DTP frames, trying to form a trunk between our switch and what looks like somebody else's switch.








There are two solutions for that:

  1. Every port on your switch that does not lead to another switch should be placed under your administrative control in access mode.
  2. Disable DTP negotiation on all ports.

You can use these commands:

 Switch(config-if)# switchport mode access
 Switch(config-if)# switchport nonegotiate

These tips will take out some headaches as a network administrator.



A double tagging attack begins when an intruder connected to a switch port sends a frame carrying two separate VLAN tags in the frame header.

If the attacker is connected to an access port, the first tag matches it. If the attacker is connected to an 802.1Q trunk port, the first tag matches that of the native VLAN (usually VLAN 1). The second tag identifies the VLAN the attacker would like to forward the frame to.

There are some requirements for this attack to work:

  1. The attacker's device must be attached to an access port.
  2. The VLAN used by that access port must be the native VLAN of the trunk.
  3. ISL cannot be used for this attack at all, so 802.1Q (dot1q) trunking must be in use.

In other words, there is no way an intruder can carry out this attack unless the switch is misconfigured.


Check the next graphic and assume that VLAN 20 is the ultimate target.



The trunk receives the double-tagged frame and the outer native VLAN 10 tag is removed, but the tag for VLAN 20 is still there and the frame is sent to the second switch. The second switch forwards the frame to ports in that VLAN. The rogue host has now successfully hopped from one VLAN to another.

This is a very serious situation, because this scheme has been used for a variety of network attacks, ranging from Trojan horses and virus propagation to stealing bank account numbers and passwords.




Make your native VLAN a VLAN that no host is actually a member of. The key feature of a double tagging attack is exploiting the native VLAN. Since VLAN 1 is the default VLAN for access ports and the default native VLAN on trunks, it is an easy target.
Follow these corrective steps:

  1. The first step is to remove access ports from the default VLAN 1, since the attacker's port must match the switch's native VLAN (let's call this port my_access_port):
 Switch(config-if)# switchport access vlan 15
 Switch(config-if)# description my_access_port

  2. The second step is to assign the native VLAN on all switch trunks to an unused VLAN:
 Switch(config-if)# switchport trunk native vlan 90
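As an added example (not part of the original post), the following Python script audits a saved IOS running-config for the conditions covered by both the switch spoofing fixes and the double tagging corrective steps above: ports not statically set to access or trunk or still negotiating DTP, access ports left in VLAN 1, and trunks whose native VLAN is VLAN 1 or a VLAN that hosts use. The config excerpt embedded in it is constructed sample input; interface names and VLAN numbers are assumptions.

```python
# Constructed IOS running-config excerpt used as sample input (not from the post).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 switchport mode trunk
interface GigabitEthernet0/2
 switchport access vlan 15
 switchport mode access
 switchport nonegotiate
interface GigabitEthernet0/3
 switchport mode dynamic auto
interface GigabitEthernet0/4
 switchport trunk native vlan 90
 switchport mode trunk
 switchport nonegotiate
"""

def parse_interfaces(config):
    """Split an IOS config into {interface name: [indented subcommands]}."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif current and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:  # '!' separators or global commands end the interface block
            current = None
    return interfaces

def audit(config):
    """Return {interface: [findings]} for the switch spoofing and double tagging fixes."""
    ifaces = parse_interfaces(config)
    access_vlans = {int(cmd.split()[-1]) for cmds in ifaces.values() for cmd in cmds
                    if cmd.startswith("switchport access vlan ")}  # VLANs carrying hosts
    report = {}
    for name, cmds in ifaces.items():
        mode = next((c.split()[2] for c in cmds if c.startswith("switchport mode ")), None)
        issues = []
        if mode not in ("access", "trunk"):  # dynamic auto/desirable or no mode set
            issues.append("port not statically access or trunk; DTP can form a trunk")
        if "switchport nonegotiate" not in cmds:
            issues.append("DTP not disabled (missing 'switchport nonegotiate')")
        if mode == "access" and not any(c.startswith("switchport access vlan ") for c in cmds):
            issues.append("access port left in default VLAN 1")
        if mode == "trunk":
            native = next((int(c.split()[-1]) for c in cmds if "trunk native vlan" in c), 1)
            if native == 1 or native in access_vlans:
                issues.append(f"native VLAN {native} is VLAN 1 or carries hosts")
        if issues: report[name] = issues
    return report
```

Run it against the output of "show running-config" saved to a file; only GigabitEthernet0/1 (trunk still negotiating DTP with native VLAN 1) and GigabitEthernet0/3 (dynamic auto) are reported for the sample above.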





VLAN hopping is an important topic to understand when securing our networks and preparing for the CCNP Switch exam. VLAN hopping can be prevented with simple trunk and access port configuration.

Also remember that the latest versions of Cisco IOS code drop 802.1Q-tagged packets arriving on access ports, helping to limit the potential for a double tagging attack.


So, just to recap: secure ports statically, disable DTP frames globally, and secure native VLANs to make sure your network is safe.
Understanding the switch spoofing and double tagging attacks will help you prepare for the CCNP Switch exam and, eventually, will help you keep your networks secure and be a better professional.

If you like this article, please share.

Thanks.






Reviewed by ohhhvictor on 2:55:00 PM
