VLAN Hopping Concept, Attack example and Prevention
VLAN hopping is a Layer 2 attack against a network with multiple VLANs. The attacker normally sends crafted frames into a switch port to either:
- Double tag – use two 802.1Q tags to reach another VLAN via the native VLAN
- Switch spoofing – negotiate a trunk with the switch and gain access to all VLANs
Double Tagging
The attacker would normally be connected to a port that is in “access mode” with the same VLAN tag as the native (untagged) VLAN. The attacker sends frames with two 802.1Q tags, an inner and an outer tag. The “inner” tag carries the destination VLAN that the attacker is trying to reach and the “outer” tag carries the native VLAN.
When the switch receives the frame, it removes the first (native VLAN) 802.1Q tag and forwards the frame with the second 802.1Q tag still attached. The attacker has now jumped from the native VLAN to the victim's VLAN. The traffic is one-way; however, it can still be used to perform a DoS attack.
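As an added example (not from the original article), a small Python parser that walks the 802.1Q tag stack of a raw Ethernet frame and flags the double-tag pattern described above, where the outer tag is the native VLAN. The sample frames are constructed inline and the function names are my own.

```python
import struct

TPIDS = {0x8100, 0x88A8}   # 802.1Q and 802.1ad (QinQ) tag protocol identifiers

def parse_vlan_tags(frame: bytes) -> list:
    """Return the VLAN IDs of every 802.1Q tag on an Ethernet frame, outermost first."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    offset = 12                      # skip destination and source MAC
    vids = []
    while offset + 2 <= len(frame):
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        if ethertype not in TPIDS:
            return vids              # reached the real EtherType (e.g. 0x0800 for IPv4)
        if offset + 4 > len(frame):
            raise ValueError("truncated 802.1Q tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        vids.append(tci & 0x0FFF)    # low 12 bits of the TCI are the VLAN ID
        offset += 4
    raise ValueError("frame ends inside the tag stack")

def is_double_tag_hop(frame: bytes, native_vlan: int) -> bool:
    """True when a frame carries two or more tags and the outer one is the native VLAN:
    the switch strips that outer tag and forwards on the inner VLAN, which is the hop."""
    vids = parse_vlan_tags(frame)
    return len(vids) >= 2 and vids[0] == native_vlan

def _eth(dst_hex: str, src_hex: str, *tagged_vlans: int) -> bytes:
    """Build a constructed sample frame with the given tags (outermost first) and an IPv4 stub."""
    frame = bytes.fromhex(dst_hex) + bytes.fromhex(src_hex)
    for vid in tagged_vlans:
        frame += struct.pack("!HH", 0x8100, vid & 0x0FFF)   # PCP/DEI zero, VID in low 12 bits
    return frame + struct.pack("!H", 0x0800) + b"\x45" + b"\x00" * 19

# Constructed samples: broadcast frames from a made-up source MAC
DOUBLE_TAGGED = _eth("ffffffffffff", "001122334455", 1, 10)   # outer native VLAN 1, inner VLAN 10
SINGLE_TAGGED = _eth("ffffffffffff", "001122334455", 10)
UNTAGGED = _eth("ffffffffffff", "001122334455")
```

A double-tagged frame arriving on an access port is never legitimate, so a capture filter built on this check is a cheap alarm for the attack.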
Switch spoofing
The attacker sends DTP packets into the switch port to negotiate a trunk with the switch; once a trunk is negotiated, the attacker has access to all VLANs. Using capture software, the attacker can gather information about the network and use it for further attacks such as “Man in the Middle” or brute-force attacks to gain access to devices.
Why is this possible?
Out of the box all switch ports by default are set with the following characteristics –
- Administrative Mode: dynamic auto – this says I’m willing to negotiate a trunk if you are….
- Operational Mode: static access – I’m operating in access mode
- Negotiation of Trunking: On – Dynamic Trunking Protocol is on and as above willing to negotiate
- Operational Trunking Encapsulation: native – the native VLAN is being trunked
- Access Mode VLAN: 1 – when in access mode the native VLAN is 1
- Trunking Native Mode VLAN: 1 – when in trunking mode the native VLAN is 1
Because a port's default characteristics allow DTP trunk negotiation and use VLAN 1 as the native VLAN, an attacker can take advantage of them to attack the network.
How can we mitigate this type of attack?
It is Cisco’s best practice to ensure that out of the box all your unused ports are configured with the following characteristics –
- The switchport is hard coded as an access port
- The switchport is placed into a VLAN that is NOT being used anywhere and goes nowhere
- DTP is disabled on port
- The native VLAN used is a VLAN that is NOT being used anywhere and goes nowhere
- The switchport is administratively shut down.
- Never use VLAN 1 for anything – unless you must to integrate with other vendor devices.
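Added example, not from the original article or from Cisco: a Python audit that reads pasted `show interface <x> switchport` output and flags the risky default characteristics listed under “Why is this possible?” against the checklist above. The sample outputs are constructed to match the fields the article lists, and the function names are assumptions.

```python
import re

def _fields(show_output: str) -> dict:
    """Turn the 'Key: value' lines of `show interface <x> switchport` into a lowercase-keyed dict."""
    fields = {}
    for line in show_output.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip().lower()] = value.strip().lower()
    return fields

def _vlan_id(value: str) -> int:
    """Extract the numeric VLAN ID from values such as '1 (default)'; 0 when absent (never a valid VLAN)."""
    m = re.match(r"\s*(\d+)", value)
    return int(m.group(1)) if m else 0

def audit_switchport(show_output: str) -> list:
    """Return findings that make the port usable for switch spoofing or double tagging."""
    f = _fields(show_output)
    findings = []
    if "dynamic" in f.get("administrative mode", ""):
        findings.append("administrative mode is dynamic: port will negotiate a trunk via DTP")
    if f.get("negotiation of trunking", "").startswith("on"):
        findings.append("DTP negotiation is on: add 'switchport nonegotiate'")
    if f.get("operational mode", "") == "trunk":
        findings.append("port is currently operating as a trunk")
    if _vlan_id(f.get("access mode vlan", "")) == 1:
        findings.append("access VLAN is VLAN 1: move the port to an unused VLAN")
    if _vlan_id(f.get("trunking native mode vlan", "")) == 1:
        findings.append("native VLAN is VLAN 1: double-tagged frames from VLAN 1 would be forwarded")
    return findings

# Constructed sample modelled on the default-state port described in the walkthrough
DEFAULT_PORT = """\
Name: Gi0/13
Switchport: Enabled
Administrative Mode: dynamic auto
Operational Mode: static access
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: native
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
"""
# Constructed sample modelled on the port after the hardening commands in the Configuration Example
HARDENED_PORT = """\
Name: Gi0/13
Switchport: Enabled
Administrative Mode: static access
Operational Mode: down
Negotiation of Trunking: Off
Access Mode VLAN: 999 (Inactive)
Trunking Native Mode VLAN: 999 (Inactive)
"""
```

Run it over the output of `show interface switchport` for every port to find the ones that still need the hardening steps.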
Attack Example:
Warning: do not carry out anything outlined in this guide on a live network, and always ensure you have the relevant permissions if you are testing this out for yourself; this should only be done in a lab environment or test network. This document is for the purpose of understanding how these attacks work and how to mitigate against them.
In this example we will take a look at a real-life switch spoofing attack scenario using Kali Linux and a tool called “Yersinia”. The OS has been set up on a Raspberry Pi that has both a WLAN and an RJ45 port. The WLAN interface has been set up as an ad-hoc network so that we can connect to it remotely and use the RJ45 port as the attacking interface; this will be interface “Gig0/13” on the switch. This attack scenario emulates an attacker walking into organisation X, finding a wall jack, plugging in the Raspberry Pi and then remotely (within range of the WLAN signal) carrying out the attack.
Step 1. Let’s take a look at the configuration of the network switch at organisation X
show int gig0/13 switchport
We can see that the interface is pretty much in its default state with nothing configured; the port has the following characteristics by default:
- Administrative mode: “Dynamic Auto”
- Administrative Trunking Encapsulation: negotiate
- Operation mode: static access
- Negotiation of Trunking: On
- Access Mode VLAN: 1
- Trunking Native Mode VLAN: 1
- Trunking VLANS Enabled: All
show int trunk
We can see that gig0/13 is not in trunking mode (yet!)
Step 2. On the Kali Linux box, launch “Yersinia” the attacking tool
yersinia -I
Step 3. Maximise the screen so that “Yersinia” is able to run properly, hit the “I” key on the keyboard to select the attacking interface and press enter. In this case it will be “eth0”.
Step 4. Hit the “g” key to load the attack type, select “DTP Dynamic Trunking Protocol” and hit “enter”
Step 5. Hit the “x” key to select the attack type and press “1” to select “enabling trunking”
Yersinia will start sending packets out of “eth0” to attempt to negotiate a trunk; from the output below we can see that the interface mode has changed from “ACCESS/AUTO” to “TRUNK/DESIRABLE”.
On the switch, let's see if anything has changed.
show int trunk
We can see from the output below that “Gig0/13” is now participating in 802.1q trunking for all VLANS.
Again if we check the status of the switchport
show int gig0/13 switchport
We can now see that the port has changed its characteristics to –
Operational Mode: trunk
Operational Trunking Encapsulation: dot1q
Step 5. Back on “Yersinia” hit the “g” key and select “802.1Q IEEE 802.1Q” and hit “enter”
Yersinia will now set itself to 802.1q mode and listen to all the broadcasts for all the VLANS, this information can be used to perform some recon and gain vital information about VLANs, IP address and Default Gateway information.
From the output we can see that Yersinia has identified which VLANs are being carried across this trunk and is listing IP addresses from broadcasts as they come in. Within a few seconds we have been able to get all the VLANs used and two network addressing schemes, for VLAN 255 and VLAN 10. This is sufficient for now.
Step 6. On the Kali box, edit the main interfaces file to configure the attacking machine with the IP address from the VLANS identified above.
nano /etc/network/interfaces
The file should look like the below when opened.
Let's insert the entries for VLAN 10 and 255. For VLAN 10 let's set a static IP (assuming it isn't already taken), and for VLAN 255 we can use DHCP and see if we can obtain an IP through this method.
Press CTRL+X to exit editing mode and select “y” when prompted to save, finally press enter to replace the existing file with the changes.
Step 7. Restart the networking service for the changes to take effect, and have a look at the interface status to see if the changes have been applied.
service networking restart
ifconfig
From the output below we can see that both “eth0.10” and “eth0.255” are now listed, both with IP addresses. We can assume VLAN 10 has a valid IP; we can test it using ICMP ping. If there is an address conflict on this subnet you may see drops in the replies, in which case you can try another IP until you find a free one. We can also see that VLAN 255 has successfully obtained a valid IP from a DHCP server.
Step 8. Test connectivity by pinging the default gateways for both subnets,
ping 192.168.10.1
ping 192.168.255.1
The output below indicates that we have managed to get onto both VLANs and reach their respective default gateways. From here on the attacker can take advantage of countless “Man in the Middle” attacks, ranging from ARP spoofing to DHCP starvation, and brute-force attacks to gain credentials to servers and network devices.
The attacker could also perform a ping sweep to determine which IP addresses are in use by devices and take advantage of any open ports. Let's take a quick look at this.
Step 9. On the Kali box perform a ping sweep for VLAN 255.
nmap 192.168.255.0/24
From the brief results below, we can see the following information:
IP addresses
Port information
MAC-address information
We can see that device with IP – “192.168.255.21” is displaying a huge amount of open ports including “3389” for RDP.
Step 10. Let's see if we can connect to this device using RDP and find out any further information.
rdesktop 192.168.255.21
From the output below we can see that an RDP session was successful and, from the looks of it, it's on “console 0”. If the organisation's GPOs haven't been set up to ensure that the last logged-on user is not displayed, the attacker could obtain the username and domain name shown on this screen. From here the attacker can use brute force to gain access to this system.
Configuration Example:
In the Steps below, we will look at how to mitigate against VLAN hopping and double tagging attacks.
Step 1. On the switch ensure that each and every port that is unused is configured the following way:
conf t
int gig0/13
description UNUSED-PORT
switchport mode access
switchport access vlan 999
switchport nonegotiate
switchport trunk native vlan 999
shutdown
#conf t – enter global configuration
#int gig0/13 – enter interface configuration mode for the required unused port; you may also configure a range by using the range command – #interface range gig0/13 - 20
#description UNUSED-PORT
#switchport mode access – hard code to access port
#switchport access vlan 999 – place the port into an unused VLAN that goes nowhere
#switchport nonegotiate – turn off DTP
#switchport trunk native vlan 999 – configure the native VLAN to something that is not used and goes nowhere (never use VLAN 1)
#shutdown – administratively shut down the port.
Step 2. Verify the configuration
show run int gig0/13
show interface gig0/13 switchport
From the output below we can see that the port now has the following characteristics:
Operational Mode: down
Negotiation of Trunking: off
Access mode: VLAN 999
Trunking Native VLAN: 999
The above steps will help ensure the security of the network and prevent unauthorised users from plugging in and performing an attack. Other Layer 2 attack prevention steps can also be taken, but these specifically ensure that a malicious user cannot negotiate a trunk and gain access to any VLANs.