Vlan Hopping Attack
VLAN hopping describes an attacker connecting to one VLAN in order to reach traffic on other VLANs that would normally not be accessible. There are two VLAN hopping exploit methods: switch spoofing and double tagging.
Let's start with Switch Spoofing:
Switch spoofing lets a rogue device pretend to be a member of every VLAN in our network. It becomes possible when the switch port the attacker connects to is either in trunking mode or in DTP auto-negotiation mode; both allow a device that uses 802.1Q encapsulation to tag traffic with different VLAN identifiers while aggressively trying to form a trunk.
An attacker adds 802.1Q encapsulation headers with VLAN tags for remote VLANs to its outgoing frames. The receiving switch interprets those frames as coming from another 802.1Q switch (after all, usually only switches use 802.1Q encapsulation) and forwards them into the appropriate VLAN.
The problem is that the switch only knows it is sending Dynamic Trunking Protocol (DTP) frames; it has no idea who is receiving them.
Many network administrators leave switch ports in auto mode, meaning the port can become a trunk even though it is not actively looking to do so. This leads to a problem: an attacker connected to a port in auto mode can pretend to be a switch and send DTP frames, trying to form a trunk between our switch and a switch that is not ours.
There are two solutions for this:
- Every port on your switch that does not lead to another switch should be placed under your administrative control in access mode.
- Disable DTP negotiation on all ports.
Switch(config-if)# switchport mode access
Switch(config-if)# switchport nonegotiate
These tips will save you some headaches as a network administrator.
A double tagging attack begins when an intruder connected to a switch port sends a frame carrying two separate VLAN tags in its header.
If the attacker is connected to an access port, the first tag matches it. If the attacker is connected to an 802.1Q trunk port, the first tag matches that of the native VLAN (usually VLAN 1). The second tag identifies the VLAN the attacker would like to forward the frame to.
There are some requirements for this attack:
- The attacker's device must be attached to an access port.
- The VLAN used by that access port must be the native VLAN.
- ISL does not work for this attack at all, so 802.1Q (dot1q) must be in use.
Look at the next graphic and assume that VLAN 20 is the ultimate target.
The trunk receives the double-tagged frame and the outer tag for native VLAN 10 is removed, but the tag for VLAN 20 is still there and the frame is sent on to the second switch. The second switch forwards the frame to the ports in that VLAN. The rogue has now successfully hopped from one VLAN to another.
This is a very serious situation, because this scheme has been used for a variety of network attacks, ranging from Trojan horses and virus propagation to stealing bank account numbers and passwords.
Make your native VLAN one that no hosts are actually members of. The key feature of a double tagging attack is exploiting the native VLAN. Since VLAN 1 is the default VLAN for access ports and the default native VLAN on trunks, it is an easy target.
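To see exactly why the native VLAN matters, the following added example (my own code, not part of the original article) models the tag handling the article describes: an access port classifies the frame, the trunk strips the tag for the native VLAN on egress, and the second switch classifies by the outermost tag that is left. The frame bytes, MAC addresses and VLAN numbers are constructed for the demonstration; the `drop_tagged` switch reproduces the newer IOS behaviour the article mentions of discarding tagged frames on access ports.

```python
import struct

TPID_8021Q = 0x8100      # EtherType value that announces an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800

# Constructed MAC addresses and payload for the sample frame (not captured traffic).
DST_MAC = bytes.fromhex("ffffffffffff")
SRC_MAC = bytes.fromhex("0200000000aa")
PAYLOAD = bytes(46)


def build_frame(vlan_ids):
    """Build an Ethernet frame carrying one 802.1Q tag per VLAN ID, outermost first."""
    tags = b"".join(struct.pack("!HH", TPID_8021Q, vid & 0x0FFF) for vid in vlan_ids)
    return DST_MAC + SRC_MAC + tags + struct.pack("!H", ETHERTYPE_IPV4) + PAYLOAD


def outer_tag(frame):
    """Return the outermost VLAN ID, or None if the frame is untagged."""
    tpid, tci = struct.unpack_from("!HH", frame, 12)
    return tci & 0x0FFF if tpid == TPID_8021Q else None


def pop_tag(frame):
    """Remove the outermost 802.1Q tag (the 4 bytes right after the MAC addresses)."""
    return frame[:12] + frame[16:]


def push_tag(frame, vid):
    """Insert an 802.1Q tag for VID immediately after the MAC addresses."""
    return frame[:12] + struct.pack("!HH", TPID_8021Q, vid & 0x0FFF) + frame[12:]


def access_ingress(frame, access_vlan, drop_tagged):
    """Classify a frame arriving on an access port: (vlan, frame) or None if dropped."""
    vid = outer_tag(frame)
    if vid is None:
        return access_vlan, frame                 # normal untagged host traffic
    if drop_tagged or vid != access_vlan:
        return None                               # newer IOS: tagged frames on access ports are dropped
    return access_vlan, pop_tag(frame)            # legacy model from the article: matching tag accepted and stripped


def trunk_egress(vlan, frame, native_vlan):
    """Send out an 802.1Q trunk: the native VLAN leaves untagged, every other VLAN gets a tag."""
    return frame if vlan == native_vlan else push_tag(frame, vlan)


def trunk_ingress(frame, native_vlan):
    """Receive from an 802.1Q trunk: tagged frames go to their VLAN, untagged ones to the native VLAN."""
    vid = outer_tag(frame)
    if vid is None:
        return native_vlan, frame
    return vid, pop_tag(frame)


def deliver_vlan(attacker_tags, access_vlan, native_vlan, drop_tagged=False):
    """Return the VLAN the frame lands in on the second switch, or None if the first switch drops it."""
    result = access_ingress(build_frame(attacker_tags), access_vlan, drop_tagged)
    if result is None:
        return None
    vlan, frame = result
    on_wire = trunk_egress(vlan, frame, native_vlan)
    vlan_on_switch2, _ = trunk_ingress(on_wire, native_vlan)
    return vlan_on_switch2


if __name__ == "__main__":
    # Article scenario: access port and trunk native VLAN are both 10, target is 20.
    print("native == access VLAN:", deliver_vlan([10, 20], access_vlan=10, native_vlan=10))
    # Countermeasure: native VLAN moved to an unused VLAN 90; the inner tag is never exposed.
    print("native moved to 90:   ", deliver_vlan([10, 20], access_vlan=10, native_vlan=90))
    # Countermeasure: the access port drops tagged frames outright.
    print("tagged frames dropped:", deliver_vlan([10, 20], access_vlan=10, native_vlan=10, drop_tagged=True))
```

With the native VLAN equal to the access VLAN the frame reaches VLAN 20; once the native VLAN is moved to 90, the first switch re-tags the frame with VLAN 10 on the trunk and the second switch keeps it in VLAN 10, with the stale inner tag treated as payload.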
Follow these corrective steps:
1. Remove access ports from the default VLAN 1, since the attacker's port must match the switch's native VLAN (let's call this port my_access_port):
Switch(config-if)# switchport access vlan 15
Switch(config-if)# description my_access_port
2. Assign the native VLAN on all switch trunks to an unused VLAN:
Switch(config-if)# switchport trunk native vlan 90
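The two sets of commands above (static access mode plus nonegotiate against switch spoofing, and moving access ports and the trunk native VLAN off VLAN 1 against double tagging) are easy to audit from a saved running-config. The following added example is my own code, not something from the article or from Cisco: it splits an IOS-style config into interface stanzas and reports every port that misses one of the article's recommendations. The sample config, interface names and VLAN numbers are constructed.

```python
# Constructed running-config excerpt (not from a real device) with one port of each
# kind the article discusses: a hardened access port, a DTP-auto port, an access
# port left in VLAN 1, a trunk whose native VLAN is also in use, and a hardened trunk.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 description my_access_port
 switchport access vlan 15
 switchport mode access
 switchport nonegotiate
!
interface GigabitEthernet1/0/2
 switchport mode dynamic auto
!
interface GigabitEthernet1/0/3
 switchport mode access
!
interface GigabitEthernet1/0/23
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 90
 switchport nonegotiate
!
interface GigabitEthernet1/0/24
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 15
!
"""


def parse_interfaces(config):
    """Split an IOS-style config into {interface name: [interface commands]}."""
    interfaces = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None          # '!' or a global command ends the stanza
    return interfaces


def audit_vlan_hopping(config):
    """Return sorted (interface, finding) tuples for the article's VLAN hopping checks."""
    findings = []
    access_vlans = set()
    trunk_native = {}
    for name, cmds in parse_interfaces(config).items():
        if not any(c.startswith("switchport") for c in cmds):
            continue                # routed or non-switching interface: out of scope
        mode = next((c.split()[2] for c in cmds if c.startswith("switchport mode ")), None)
        nonegotiate = "switchport nonegotiate" in cmds
        # IOS defaults: access VLAN 1 and trunk native VLAN 1 when nothing is configured
        access_vlan = next((int(c.split()[3]) for c in cmds
                            if c.startswith("switchport access vlan ")), 1)
        native_vlan = next((int(c.split()[4]) for c in cmds
                            if c.startswith("switchport trunk native vlan ")), 1)

        if mode in (None, "dynamic"):
            findings.append((name, "DTP-negotiable port: set switchport mode access (or trunk) statically"))
        if not nonegotiate:
            findings.append((name, "DTP not disabled: add switchport nonegotiate"))
        if mode == "access":
            access_vlans.add(access_vlan)
            if access_vlan == 1:
                findings.append((name, "access port left in default VLAN 1"))
        if mode == "trunk":
            trunk_native[name] = native_vlan
            if native_vlan == 1:
                findings.append((name, "trunk native VLAN left at default VLAN 1"))

    # The native VLAN must be one that no access port on the switch uses.
    for name, native in trunk_native.items():
        if native in access_vlans:
            findings.append((name, f"trunk native VLAN {native} is also an access VLAN on this switch"))
    return sorted(findings)


if __name__ == "__main__":
    for interface, finding in audit_vlan_hopping(SAMPLE_CONFIG):
        print(f"{interface}: {finding}")
```

Run against the constructed config, only GigabitEthernet1/0/1 and 1/0/23 come out clean; 1/0/24 is flagged because native VLAN 15 is also the VLAN of an access port, which is exactly the condition the double tagging attack needs.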
VLAN hopping is an important topic to understand when securing our networks and preparing for the CCNP SWITCH exam. VLAN hopping can be prevented with simple trunk and access port configuration.
Also remember that the latest versions of Cisco IOS drop 802.1Q-tagged packets arriving on access ports, which helps limit the potential for a double tagging attack.
So, to recap: secure ports statically, disable DTP frames globally, and secure the native VLANs to make sure your network is safe.
Understanding the switch spoofing and double tagging attacks will help you prepare for the CCNP SWITCH exam and, eventually, will help you keep your networks secure and be a better professional.
If you like this article, please share.
Thanks.
Reviewed by ohhhvictor on 2:55:00 PM