Double Tagging<\/strong><\/p>\n\n\n\n The attacker would normally be connected to a port that is in \u201caccess mode\u201d with the same VLAN tag as the native untagged VLAN. The attacker would send frames with two 802.1q tags, the inner and outer tag. The \u201cinner\u201d tag would be the destination VLAN that the attacker is trying to reach and the \u201couter\u201d tag would be the native VLAN. <\/p>\n\n\n\n When the switch receives the frame, it will remove the first (native VLAN) 802.1q tag and forward the frame with the second 802.1q tag. The attacker has now jumped from the native VLAN to the victims VLAN. The traffic is one-way however this could be used to perform a DOS attack.<\/p>\n\n\n\n Switch spoofing <\/strong><\/p>\n\n\n\n The attacker would send DTP packets into the switch port and attempt to negotiate a trunk with the switch, once a trunk is negotiated the attacker would have access to all VLANs. Using software, the attacker could perform captures and gain information regarding the network and use it to perform further attacks like \u201cMan in the Middle\u201d or \u201cBrute Force\u201d attacks to gain access to devices.<\/p>\n\n\n\n Why is this possible? <\/strong><\/p>\n\n\n\n Out of the box all switch ports by default are set with the following characteristics \u2013<\/p>\n\n\n\n <\/p>\n\n\n\n Because the default characteristics of a port allow DTP, negotiations of a trunk, and VLAN 1 as its native VLAN, attackers can use this to take advantage and attack a network.<\/p>\n\n\n\n How can we mitigate this type of attack? <\/strong><\/p>\n\n\n\n It is Cisco\u2019s best practice to ensure that out of the box all your unused ports are configured with the following characteristics \u2013<\/p>\n\n\n\n Attack Example: <\/strong><\/p>\n\n\n\n Warning: do not carry out anything outlined in this guide on a live network, and always ensure you have the relevant permissions if you are testing this out for yourself, this should only be done in a lab environment or test network. this document is for the purpose of understanding how these attacks work and how to mitigate against them.<\/strong><\/span><\/p>\n\n\n\n In this example we will take a look at a real life switch spoofing attack scenario using Kali Linux and a tool called \u201cYersinia\u201d, the OS has been setup on a Raspberry Pi that has both a WLAN and RJ45 port. The WLAN interface has been setup as an ad-hoc network so that we can connect to it remotely and use the RJ45 port as the attacking interface. This will be interface \u201cGig0\/13\u201d on the switch. This attack scenario will emulate an attacker walking into organisation X finding a wall jack and plugging in the Raspberry PI then remotely (within the distance of the WLAN signal) carrying out the attack.<\/p>\n\n\n\n Step 1.<\/strong> Let\u2019s take a look at the configuration of the network switch at organisation X<\/p>\n\n\n\n We can see that interface is pretty much in its default state with nothing configured, the port has the following characteristics by default<\/p>\n\n\n\n <\/p>\n\n\n\n We can see that gig0\/13 is not in trunking mode (yet!)<\/p>\n\n\n\n Step 2.<\/strong> On the Kali Linux box, launch \u201cYersinia\u201d the attacking tool<\/p>\n\n\n\n Step 3.<\/strong> Maximise the screen so that \u201cYersinia\u201d is able to run properly, hit the \u201cI\u201d key on the keyboard to select the attacking interface and press enter. In this case it will be \u201ceth0\u201d.<\/p>\n\n\n\n Step 4.<\/strong> Hit the \u201cg\u201d key to load the attack type, select \u201cDTP Dynamic Trunking Protocol\u201d and hot \u201center\u201d<\/p>\n\n\n\n Step 5.<\/strong> Hit the \u201cx\u201d key to select the attack type and press \u201c1\u201d to \u201cenabling trunking\u201d<\/p>\n\n\n\n Yersinia will start sending packets out of \u201ceth0\u201d to attempt to negotiate a trunk, from the output below we can see that the interface mode has changed from \u201cACCESS\/AUTO\u201d to \u201cTRUNK\/DESIRABLE\u201d<\/p>\n\n\n\n On the Switch lets see if anything has changed.<\/p>\n\n\n\n We can see from the output below that \u201cGig0\/13\u201d is now participating in 802.1q trunking for all VLANS.<\/p>\n\n\n\n Again if we check the status of the switchport<\/p>\n\n\n\n We can now see that the port has changed its characteristics to \u2013<\/p>\n\n\n\n Operational Mode:<\/strong>\u00a0trunk<\/p>\n\n\n\n Operational Trunking Encapsulation:<\/strong>\u00a0dot1q<\/p>\n\n\n\n <\/p>\n<\/div>\n\n\n\n Step 5.<\/strong> Back on \u201cYersinia\u201d hit the \u201cg\u201d key and select \u201c802.1Q IEEE 802.1Q\u201d and hit \u201center\u201d<\/p>\n\n\n\n Yersinia will now set itself to 802.1q mode and listen to all the broadcasts for all the VLANS, this information can be used to perform some recon and gain vital information about VLANs, IP address and Default Gateway information.<\/p>\n\n\n\n From the output we can see that Yersinia has identified what VLANs are being carried across this trunk and is listing IP addresses from broadcasts as they come in. within a few seconds we have been able to get all the VLANs used and two network addressing schema, for VLAN 255 and VLAN 10. This is sufficient for now.<\/p>\n\n\n\n Step 6. <\/strong>On the Kali box, edit the main interfaces file to configure the attacking machine with the IP address from the VLANS identified above.<\/p>\n\n\n\n The file should look like the below when opened.<\/p>\n\n\n\n Let\u2019s Insert the entries for VLAN 10 and 255. For VLAN lets set a static IP (assuming it isn\u2019t already taken) and for VLAN 255 \u2013 we can go DHCP and see if we can obtain an IP through this method.<\/p>\n\n\n\n Press CTRL+X to exit editing mode and select \u201cy\u201d when prompted to save, finally press enter to replace the existing file with the changes.<\/p>\n\n\n\n Step 7.<\/strong> Restart the networking service for the changes to take effect, and have a look at the interface status to see if the changes have been applied.<\/p>\n\n\n\n From the output below we can see that both \u201ceth0.10\u201d & \u201ceth0.255\u201d are now listed, both with IP addresses. We can assume VLAN 10 has a valid IP, we can test it by using ICMP ping \u2013 if there is a conflict on this subnet you may see drops in the reply, in that case you can try another IP until you manage to find a good one. However, we can see that VLAN 255 has obtained a valid IP from a DHCP server successfully.<\/p>\n\n\n\n Step 8.<\/strong> Test connectivity by pinging the default gateways for both subnets,<\/p>\n\n\n\n The output below indicates that we have successfully managed to get onto both VLANs successfully reaching their respective default gateways. From here on the attacker can take advantage of countless \u201cMan in the Middle\u201d attacks, ranging from ARP spoofing, to DHCP starvation and Brute force attacks to gain credentials to servers and network devices.<\/p>\n\n\n\n The attacker could also perform a ping sweep and determine what IP address are in use by devices and take advantage of any open ports. Let\u2019s take a quick look at this.<\/p>\n\n\n\n Step 9.<\/strong> On the kali box perform a ping sweep for VLAN 255.<\/p>\n\n\n\n From the brief results below, we can the following information:<\/p>\n\n\n\n IP addresses<\/p>\n\n\n\n Port information<\/p>\n\n\n\n MAC-address information<\/p>\n<\/div>\n\n\n\n <\/p>\n\n\n\n We can see that device with IP \u2013 \u201c192.168.255.21\u201d is displaying a huge amount of open ports including \u201c3389\u201d for RDP.<\/p>\n\n\n\n Step 10.<\/strong> Lets see if we can connect to this device using RDP and find out any further information.<\/p>\n\n\n\n From the output below we can see that an RDP session was successful and from the looks of it, it\u2019s on \u201cconsole 0\u201d. If the organisations GPO\u2019s haven\u2019t been setup correctly to ensure information regarding the last user is set to not display, the attacker could obtain the username and domain name which will be displayed at this screen. From here the attacker can use brute force to gain access to this system.<\/p>\n\n\n\n Configuration Example: <\/strong><\/p>\n\n\n\n In the Steps below, we will look at how to mitigate against VLAN hopping and double tagging attacks.<\/p>\n\n\n\n Step 1.<\/strong> On the switch ensure that each and every port that is unused is configured the following way:<\/p>\n\n\n\n #conf t- enter global configuration<\/p>\n\n\n\n #int gig0\/13 – enter interface configuration mode for the required unused port, you may also configure a range by using the range command – #interface range gig0\/13 \u2013 20<\/p>\n\n\n\n #description UNUSED-PORT<\/p>\n\n\n\n #switchport mode access \u2013 hard code to access port<\/p>\n\n\n\n #switchport access vlan 999 \u2013 place the port into an unused VLAN that goes nowhere<\/p>\n\n\n\n #switchport nonegotiate \u2013 turn off DTP<\/p>\n\n\n\n #switchport trunk native vlan 999 \u2013 configure the native VLAN to something that is not used and goes nowhere (never use VLAN 1)<\/p>\n\n\n\n #shutdown \u2013 administratively shut down the port.<\/p>\n\n\n\n Step 2.<\/strong> Verify the configuration<\/p>\n\n\n\n From the output below we can see that the port now has the following characteristics:<\/p>\n\n\n\n Operational Mode: <\/strong>down<\/p>\n\n\n\n Negotiation of Trunking:<\/strong> off<\/p>\n\n\n\n Access mode:<\/strong> VLAN 999<\/p>\n\n\n\n Trunking Native VLAN:<\/strong> 999<\/p>\n<\/div>\n\n\n\n <\/p>\n\n\n\n <\/p>\n\n\n\n The above steps will help ensure security of the network and prevent any unauthorized users from plugging in and performing an attack, although other Layer 2 attack prevention steps can be taken this specifically will ensure a malicious user cannot negotiate a trunk and gain access to any VLANs.<\/p>\n\n\n\n <\/p>\n\n\n\n <\/p>\n","protected":false},"excerpt":{"rendered":" VLAN hopping is a Layer 2 attack that uses exploits to attack a network with multiple VLANS, the attacker would normally deploy frames into the<\/p>\n","protected":false},"author":1,"featured_media":158,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[5,6,9],"tags":[24,25,26,27,28],"class_list":["post-130","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-network","category-security","category-switching","tag-double-tagging","tag-kali-linux","tag-layer-2-attack","tag-switch-spoofing","tag-vlan-hopping"],"_links":{"self":[{"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/posts\/130","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/comments?post=130"}],"version-history":[{"count":24,"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/posts\/130\/revisions"}],"predecessor-version":[{"id":189,"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/posts\/130\/revisions\/189"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/media\/158"}],"wp:attachment":[{"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/media?parent=130"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/categories?post=130"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/tags?post=130"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}\n
\n
![\"\"](\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2022\/11\/word-image-130-1.jpeg\")
<\/figure>\n\n\n\nshow int gig0\/13 switchport <\/code><\/pre>\n\n\n\n\n
![\"C:\\Users\\acitjxm\\AppData\\Local\\Microsoft\\Windows\\INetCache\\Content.Word\\1.jpg\"](\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2022\/11\/c-users-acitjxm-appdata-local-microsoft-windows-i-4.jpeg\")
<\/figure>\n\n\n\nshow int trunk<\/code><\/pre>\n\n\n\n![\"\"](\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2022\/11\/word-image-130-3.jpeg\")
<\/figure>\n\n\n\nyersinia -I<\/code><\/pre>\n\n\n\n![\"\"](\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2022\/11\/word-image-130-4.jpeg\")
<\/figure>\n\n\n\n![\"C:\\Users\\acitjxm\\AppData\\Local\\Microsoft\\Windows\\INetCache\\Content.Word\\5.jpg\"](\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2022\/11\/c-users-acitjxm-appdata-local-microsoft-windows-i-5.jpeg\")
<\/figure>\n\n\n\n![\"C:\\Users\\acitjxm\\AppData\\Local\\Microsoft\\Windows\\INetCache\\Content.Word\\6.jpg\"](\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2022\/11\/c-users-acitjxm-appdata-local-microsoft-windows-i-6.jpeg\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2022\/11\/word-image-130-7.jpeg\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2022\/11\/word-image-130-8.jpeg\")
<\/figure>\n\n\n\nshow int trunk<\/code><\/pre>\n\n\n\n![\"C:\\Users\\acitjxm\\AppData\\Local\\Microsoft\\Windows\\INetCache\\Content.Word\\8.jpg\"](\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2022\/11\/c-users-acitjxm-appdata-local-microsoft-windows-i-7.jpeg\")
<\/figure>\n\n\n\nshow int gig0\/13 switchport<\/code><\/pre>\n\n\n\n![\"C:\\Users\\acitjxm\\AppData\\Local\\Microsoft\\Windows\\INetCache\\Content.Word\\9.jpg\"](\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2022\/11\/c-users-acitjxm-appdata-local-microsoft-windows-i-8.jpeg\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2022\/11\/word-image-130-11.jpeg\")
<\/figure>\n\n\n\n![\"C:\\Users\\acitjxm\\AppData\\Local\\Microsoft\\Windows\\INetCache\\Content.Word\\11.jpg\"](\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2022\/11\/c-users-acitjxm-appdata-local-microsoft-windows-i-9.jpeg\")
<\/figure>\n\n\n\nnano \/etc\/network\/interfaces<\/code><\/pre>\n\n\n\n![\"\"](\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2022\/11\/word-image-130-13.jpeg\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2022\/11\/word-image-130-14.jpeg\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2022\/11\/word-image-130-15.jpeg\")
<\/figure>\n\n\n\nservice networking restart\nipconfig<\/code><\/pre>\n\n\n\n![\"\"](\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2022\/11\/word-image-130-16.jpeg\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2022\/11\/word-image-130-17.jpeg\")
<\/figure>\n\n\n\nping 192.168.10.1\nping 192.168.255.1<\/code><\/pre>\n\n\n\n![\"\"](\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2022\/11\/word-image-130-18.jpeg\")
<\/figure>\n\n\n\nnmap 192.168.255.0\/24<\/code><\/pre>\n\n\n\n![\"\"](\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2022\/11\/word-image-130-19.jpeg\")
<\/figure>\n\n\n\nrdesktop 192.168.255.21<\/code><\/pre>\n\n\n\n![\"\"](\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2022\/11\/word-image-130-20.jpeg\")
<\/figure>\n\n\n\n![\"C:\\Users\\acitjxm\\AppData\\Local\\Microsoft\\Windows\\INetCache\\Content.Word\\21.jpg\"](\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2022\/11\/c-users-acitjxm-appdata-local-microsoft-windows-i-10.jpeg\")
<\/figure>\n\n\n\nconf t\nint gig0\/13\ndescription UNUSED-PORT\nswitchport mode access\nswitchport access vlan 999\nswitchport nonegotiate\nswitchport trunk native vlan 999\nshutdown<\/code><\/pre>\n\n\n\n![\"\"](\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2022\/11\/word-image-130-22.jpeg\")
<\/figure>\n\n\n\nshow run int gig0\/13<\/code><\/pre>\n\n\n\n![\"\"](\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2022\/11\/word-image-130-23.jpeg\")
<\/figure>\n\n\n\nshow interface gig0\/13 switchport<\/code><\/pre>\n\n\n\n![\"\"](\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2022\/11\/word-image-130-24.jpeg\")
<\/figure>\n\n\n\n