VLAN Hopping

VLAN Hopping is an exploitation method used to attack a network with multiple VLANs. In this attack, an attacking system sends packets whose destination is a system on a separate VLAN which, under normal circumstances, would not be accessible to the attacker. VLAN Hopping attacks are primarily conducted by abusing the Dynamic Trunking Protocol (DTP), and they are often directed at the trunking encapsulation protocol (802.1Q or ISL).

Mitigation – Mitigating VLAN hopping attacks requires a number of changes to the VLAN configuration. Start by using dedicated VLAN IDs for all trunking ports on a switch, and move all interfaces out of VLAN 1. In addition, it is advisable to disable any unused switch ports and move them to a VLAN that is not being used. Explicitly disable DTP on all user ports so that they are set to non-trunking mode, and/or force them to be access ports.

To do this on a Cisco switch, use the following interface commands:

  • switchport nonegotiate and
  • switchport mode access
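As an added defender's check (not from the original post), the following Python script parses the text of the Cisco IOS `show interfaces switchport` command and flags ports that still violate the settings above: DTP negotiation left on, dynamic port modes, and access or native VLANs still on VLAN 1. The sample output is constructed and trimmed to the fields the audit reads; a real capture has more lines per port.

```python
import re
# Constructed sample of Cisco IOS "show interfaces switchport" output, trimmed
# to the fields the audit reads (a real capture has more lines per port).
SAMPLE_SHOW_SWITCHPORT = """\
Name: Gi0/1
Administrative Mode: dynamic desirable
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)

Name: Gi0/2
Administrative Mode: static access
Negotiation of Trunking: Off
Access Mode VLAN: 10 (USERS)

Name: Gi0/24
Administrative Mode: trunk
Negotiation of Trunking: Off
Trunking Native Mode VLAN: 999 (UNUSED_NATIVE)
"""

def parse_switchports(text):
    """Split the command output into one {field: value} dict per interface."""
    ports, current = [], None
    for line in text.splitlines():
        m = re.match(r"^([^:]+):\s*(.*)$", line.strip())
        if m and m.group(1).strip() == "Name":
            current = {"Name": m.group(2).strip()}
            ports.append(current)
        elif m and current is not None:
            current[m.group(1).strip()] = m.group(2).strip()
    return ports

def vlan_id(port, field):
    return int(port.get(field, "1").split()[0])  # "1 (default)" -> 1; missing -> 1

def audit_port(port):
    """Return the VLAN-hopping findings for one interface (empty if clean)."""
    findings, mode = [], port.get("Administrative Mode", "")
    if port.get("Negotiation of Trunking") == "On":
        findings.append("DTP enabled: add 'switchport nonegotiate'")
    if mode.startswith("dynamic"):
        findings.append("mode '%s' trunks on request: set 'switchport mode access'" % mode)
    if mode == "trunk" and vlan_id(port, "Trunking Native Mode VLAN") == 1:
        findings.append("trunk native VLAN is 1: use a dedicated VLAN ID")
    if mode != "trunk" and vlan_id(port, "Access Mode VLAN") == 1:
        findings.append("access VLAN is 1: move the port out of VLAN 1")
    return findings

def audit(text):  # interface name -> findings, only for ports needing attention
    return {p["Name"]: audit_port(p) for p in parse_switchports(text) if audit_port(p)}
```

Run it against the saved output of `show interfaces switchport` from each access switch; in the constructed sample only Gi0/1 is reported, with three findings.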

Tools:

  • BackTrack (BackTrack 5 R3, released Aug 13th, 2012)
  • Yersinia
  • vconfig
  • Wireshark
  • Nmap

Connect to your network and obtain a network address (DHCP):

dhclient eth0

ifconfig

I’m attached to the network 10.0.1.0/24

Launch Wireshark and check the network for DTP (Dynamic Trunking Protocol) frames and CDP (Cisco Discovery Protocol) frames.

[Screenshot: Wireshark capture showing CDP and DTP frames]

As shown above, both CDP and DTP frames are present.

Launch Yersinia in interactive mode and point it at DTP:

yersinia -I

[Screenshot: Yersinia showing DTP frames]

DTP frames appear in Yersinia; launch the attack to configure the port for trunking.

[Screenshot: Yersinia DTP attack, enabling trunking]

Before launching Yersinia I could only see traffic from my own network (10.0.1.0/24); now I can start to see traffic from hosts on another network (192.168.2.X).

[Screenshot: Wireshark capture showing traffic from 192.168.2.X]

From the 802.1Q information in the frame I can see that the other network is on VLAN 2.

[Screenshot: Wireshark frame detail showing the 802.1Q VLAN ID of 2]

Create a new interface on the other network and use vconfig to tag its frames for VLAN 2:

vconfig add eth0 2
ifconfig eth0.2 up
ifconfig eth0.2 192.168.2.200/24
ifconfig

[Screenshot: VLAN sub-interface eth0.2 configured]

Ping (ICMP) the host, then look at its ports with Nmap:

ping -c 2 192.168.2.2
nmap 192.168.2.2

[Screenshot: ping and Nmap results for 192.168.2.2]

Reference:

http://www.backtrack-linux.org/
