VLAN hopping is a Layer 2 attack against a network with multiple VLANs. The attacker would normally send frames into the switch port to either:
- Double Tag – use two 802.1Q tags to reach a target VLAN via the native VLAN
- Switch Spoofing – attempt to negotiate a trunk and gain access to all VLANs
In a double tagging attack, the attacker would normally be connected to a port in “access mode” whose VLAN is the same as the native (untagged) VLAN of the trunk. The attacker would send frames with two 802.1Q tags, an inner and an outer tag. The “inner” tag would be the destination VLAN that the attacker is trying to reach and the “outer” tag would be the native VLAN. When the switch receives the frame, it removes the first (native VLAN) 802.1Q tag and forwards the frame with the second 802.1Q tag still attached. The attacker has now jumped from the native VLAN to the victim’s VLAN. The traffic is one-way; however, this could still be used to perform a DoS attack.
In a switch spoofing attack, the attacker would send DTP packets into the switch port and attempt to negotiate a trunk with the switch. Once a trunk is negotiated, the attacker has access to all VLANs. Using software, the attacker could perform captures, gain information regarding the network and use it to perform further attacks such as “Man in the Middle” or “Brute Force” attacks to gain access to devices.
Why is this possible?
Out of the box, all switch ports are set with the following characteristics –
- Administrative Mode: dynamic auto – this says “I’m willing to negotiate a trunk if you are”
- Operational Mode: static access – I’m operating in access mode
- Negotiation of Trunking: On – Dynamic Trunking Protocol is on and, as above, willing to negotiate
- Operational Trunking Encapsulation: native – the native VLAN is being trunked
- Access Mode VLAN: 1 – when in access mode the VLAN is 1
- Trunking Native Mode VLAN: 1 – when in trunking mode the native VLAN is 1
Because the default characteristics of a port allow DTP, negotiation of a trunk, and VLAN 1 as the native VLAN, attackers can take advantage of this to attack a network.
How can we mitigate this type of attack?
It is Cisco’s best practice to ensure that all unused ports are configured with the following characteristics –
- The switchport is hard coded as an access port
- The switchport is placed into a VLAN that is NOT used anywhere and goes nowhere
- DTP is disabled on the port
- The native VLAN is a VLAN that is NOT used anywhere and goes nowhere
- The switchport is administratively shut down
- Never use VLAN 1 for anything – unless you must in order to integrate with other vendors’ devices
Warning: do not carry out anything outlined in this guide on a live network, and always ensure you have the relevant permissions if you are testing this out for yourself; this should only be done in a lab environment or test network. This document is for the purpose of understanding how these attacks work and how to mitigate against them.
In this example we will take a look at a real-life switch spoofing attack scenario using “Kali Linux” and a tool called “Yersinia”. The OS has been set up on a Raspberry Pi that has both a WLAN and an RJ45 port. The WLAN interface has been set up as an ad-hoc network so that we can connect to it remotely, and the RJ45 port is used as the attacking interface. This will be interface “Gig0/13” on the switch.
This attack scenario will emulate an attacker walking into organisation X, finding a wall jack in a public space, plugging in the Raspberry Pi and then carrying out the attack remotely (within range of the WLAN signal).
Step 1. Let’s take a look at the configuration of the network switch at organisation X
#show int gig0/13 switchport
We can see that the interface is pretty much in its default state with nothing configured; by default the port has the following characteristics:
- Administrative mode: Dynamic Auto
- Administrative Trunking Encapsulation: negotiate
- Operational mode: static access
- Negotiation of Trunking: On
- Access Mode VLAN: 1
- Trunking Native Mode VLAN: 1
- Trunking VLANs Enabled: All
#show int trunk
We can see that “gig0/13” is not in trunking mode (yet!)
Step 2. On the Kali Linux box, launch “Yersinia” the attacking tool
Step 3. Maximize the screen so that “Yersinia” is able to run properly, hit the “I” key on the keyboard to select the attacking interface and press “q”. In this case it will be “eth0”.
Step 4. Hit the “g” key to load the attack type, select “DTP Dynamic Trunking Protocol” and hit “enter”
Step 5. Hit the “x” key to select the attack type and press “1” for “enabling trunking”
“Yersinia” will start sending packets out of “eth0” to attempt to negotiate a trunk. From the output below we can see that the interface mode has changed from “ACCESS/AUTO” to “TRUNK/DESIRABLE”.
On the switch, let’s see if anything has changed.
#show int trunk
We can see from the output below that “Gig0/13” is now participating in 802.1Q trunking for all VLANs.
Again if we check the status of the switchport
#show int gig0/13 switchport
We can now see that the port has changed its characteristics to –
- Operational Mode: trunk
- Operational Trunking Encapsulation: dot1q
Step 5. Back on “Yersinia” hit the “g” key and select “802.1Q IEEE 802.1Q” and hit “enter”
“Yersinia” will now set itself to “802.1Q” mode and listen to the broadcasts on all VLANs. This information can be used to perform some reconnaissance and gain vital information about the VLANs, IP addresses and default gateways.
From the output we can see that “Yersinia” has identified which VLANs are being carried across this trunk and is listing IP addresses from broadcasts as they come in. Within a few seconds we have been able to get all the VLANs in use and two network addressing schemes, for “VLAN 255” and “VLAN 10”. This is sufficient for now.
Step 6. On the “Kali box”, edit the main interfaces file to configure the attacking machine with IP addresses from the VLANs identified above.
The file should look like the below when opened.
Let’s insert the entries for “VLAN 10” and “VLAN 255”. For “VLAN 10” let’s set a static IP (assuming it isn’t already taken), and for “VLAN 255” we can use DHCP and see if we can obtain an IP that way.
Press “CTRL+X” to exit editing mode and select “y” when prompted to save, finally press “enter” to replace the existing file with the changes.
Step 7. Restart the networking service for the changes to take effect, and have a look at the interface status to see if the changes have been applied.
#service networking restart
From the output below we can see that both “eth0.10” and “eth0.255” are now listed, both with IP addresses. We can assume “VLAN 10” has a valid IP; we can test it using an ICMP ping. If there is an address conflict on this subnet you may see drops in the replies, in which case you can try another IP until you find a good one. We can see that “VLAN 255” has successfully obtained a valid IP from a DHCP server.
Step 8. Test connectivity by pinging the default gateways for both subnets.
The output below indicates that we have managed to get onto both VLANs successfully reaching their respective default gateways. From here on the attacker can take advantage of countless “Man in the Middle” attacks, ranging from “ARP spoofing”, to “DHCP starvation” and “Brute force” attacks to gain credentials to servers and network devices.
The attacker could also perform a ping sweep to determine which IP addresses are in use by devices and take advantage of any open ports. Let’s take a quick look at this.
Step 9. On the “Kali box” perform a ping sweep for “VLAN 255”.
From the brief results below, we can see the following information:
- IP addresses
- Port information
- MAC-address information
We can see that the device with IP – “192.168.255.21” is displaying a huge amount of open ports including “3389” for RDP.
Step 10. Let’s see if we can connect to this device using RDP and find out any further information.
From the output below we can see that an RDP session was successful and, from the looks of it, it’s on “console 0”. If the organisation’s GPOs haven’t been set up correctly to ensure information regarding the last logged-on user is not displayed, the attacker could obtain the username and domain name shown at this screen. From here the attacker can use brute force to gain access to this system.
In the steps below, we will look at how to mitigate against VLAN hopping and double tagging attacks.
Step 1. On the switch ensure that each and every port that is unused is configured the following way:
#conf t – enter global configuration mode
#int gig0/13 – enter interface configuration mode for the required unused port, you may also configure a range by using the range command – #interface range gig0/13 – 20
#switchport mode access – hard code to access mode
#switchport access vlan 999 – place the port into an unused VLAN that goes nowhere
#switchport nonegotiate – turn off DTP
#switchport trunk native vlan 999 – configure the native VLAN to something that is not used and goes nowhere (never use VLAN 1)
#shutdown – administratively shut down the port.
Step 2. Verify the configuration
#show run int gig0/13
#show interface gig0/13 switchport
From the output below we can see that the port now has the following characteristics:
- Operational Mode: down
- Negotiation of Trunking: off
- Access mode VLAN: 999
- Trunking Native VLAN: 999
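As an added example (not part of the original guide), here is a small Python audit script that parses `show interfaces switchport` output and flags the risky defaults listed under “Why is this possible?” against the hardened values verified in Step 2. The sample output is constructed for the example; the field names follow the Cisco IOS output quoted throughout the guide, and the checks mirror its checklist.

```python
# Constructed sample of Cisco "show interfaces switchport" output (not taken from
# the guide): Gi0/13 in its factory-default state, Gi0/14 hardened as Step 1 shows.
SAMPLE = """\
Name: Gi0/13
Administrative Mode: dynamic auto
Operational Mode: static access
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)

Name: Gi0/14
Administrative Mode: static access
Operational Mode: down
Negotiation of Trunking: Off
Access Mode VLAN: 999 (VLAN0999)
Trunking Native Mode VLAN: 999 (VLAN0999)
"""

def parse_switchport(text):
    """Turn the output into {port name: {field: value}}; a 'Name:' line starts a port."""
    ports, cur = {}, None
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, val = (s.strip() for s in line.split(":", 1))
        if key == "Name":
            cur = ports.setdefault(val, {})
        elif cur is not None:
            cur[key] = val
    return ports

def is_vlan1(value):
    """'1 (default)' -> True, '999 (VLAN0999)' -> False."""
    return value.split()[:1] == ["1"]

# Each check: (field, predicate that is True when the value violates the checklist, finding).
CHECKS = [
    ("Administrative Mode", lambda v: v.lower() != "static access", "not hard-coded as access"),
    ("Negotiation of Trunking", lambda v: v.lower() != "off", "DTP not disabled"),
    ("Operational Mode", lambda v: v.lower() == "trunk", "port is currently trunking"),
    ("Access Mode VLAN", is_vlan1, "access VLAN is 1"),
    ("Trunking Native Mode VLAN", is_vlan1, "native VLAN is 1"),
]

def audit_port(fields):
    """Return the findings for one port; an empty list means it passes every check."""
    return [msg for key, bad, msg in CHECKS if bad(fields.get(key, ""))]

def audit(text):
    return {name: audit_port(f) for name, f in parse_switchport(text).items()}
```

Run `audit()` over the saved output of `show interfaces switchport` from each switch; any port with a non-empty list of findings still needs the Step 1 configuration applied.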
The above steps will help ensure the security of the network and prevent unauthorised users from plugging in and performing an attack. Other Layer 2 attack prevention steps can also be taken, but these specifically ensure that a malicious user cannot negotiate a trunk and gain access to other VLANs.