Virtual LAN Hopping

VLAN Hopping

VLAN Hopping Definition: VLAN hopping is a network attack where an attacker gains access to traffic on other VLANs (Virtual Local Area Networks) that should normally be isolated. This attack allows the attacker to bypass VLAN segmentation and access data or services on different VLANs within the same physical network infrastructure.

Methods of VLAN Hopping

  1. Switch Spoofing:

    • Description: The attacker configures their device to pretend to be a trunking switch. By doing this, they can send and receive traffic for multiple VLANs.

    • Process:

      1. Attacker Configuration: The attacker configures their network interface to act as a trunk port, which is capable of carrying traffic for multiple VLANs.

      2. Trunk Negotiation: The attacker’s device engages in the trunk negotiation process with the switch, typically using the Dynamic Trunking Protocol (DTP).

      3. Access to VLANs: Once the trunk is established, the attacker can send and receive traffic tagged for different VLANs, thus gaining access to them.

    • Mitigation: Disable DTP on all ports that do not require trunking and manually configure trunking on ports where it is needed. Set the native VLAN to an unused VLAN ID.

  2. Double Tagging:

    • Description: This method involves an attacker sending frames with two VLAN tags. The first tag is stripped by the first switch, and the second tag is then interpreted by the second switch, effectively hopping the attacker’s traffic to another VLAN.

    • Process:

      1. Crafted Packet: The attacker crafts a packet with two VLAN tags: the outer tag (VLAN A) that matches the attacker’s VLAN, and the inner tag (VLAN B) that matches the target VLAN.

      2. First Switch: The first switch removes the outer VLAN tag (VLAN A) and forwards the packet.

      3. Second Switch: The second switch interprets the remaining inner VLAN tag (VLAN B) and forwards the packet to the target VLAN.

    • Mitigation: Implementing VLAN access control lists (VACLs) to filter traffic and ensuring the native VLAN is not used for carrying user data. Additionally, configuring switches to drop packets with unexpected VLAN tags can help mitigate this risk.

Detection and Prevention

Detection Tools:

  • Network Monitoring Tools: Tools like Wireshark can capture and analyze network traffic to detect unusual or malicious VLAN tags.

  • Intrusion Detection Systems (IDS): Network-based IDS can be configured to detect patterns indicative of VLAN hopping attempts.

Prevention Measures:

  1. Disable Unnecessary Trunking:

    • Disable trunking on all access ports and configure trunk ports explicitly where needed.

    • Use the command switchport mode access on access ports and switchport mode trunk on trunk ports.

  2. Set Native VLAN to an Unused VLAN ID:

    • Configure the native VLAN to a VLAN ID that is not used for regular data traffic to prevent VLAN hopping exploits.

  3. Implement VLAN Access Control Lists (VACLs):

    • Use VACLs to restrict traffic between VLANs and enforce security policies.

  4. Segregate Sensitive VLANs:

    • Physically and logically segregate sensitive VLANs to reduce the risk of VLAN hopping.

  5. Monitor and Log Network Traffic:

    • Regularly monitor and log network traffic to detect any anomalies or signs of VLAN hopping attempts.

By understanding VLAN hopping, its methods, and implementing robust preventive measures, organizations can protect their network infrastructure from this type of attack and maintain the integrity of their VLAN segmentation.

Conducting VLAN hopping as part of a penetration test should be done responsibly and ethically, typically within a controlled environment where you have permission to test. Here’s a step-by-step guide on how to conduct VLAN hopping using tools available on Kali Linux, focusing on the two primary methods: switch spoofing and double tagging.

1. Switch Spoofing

Objective: Trick the switch into thinking the attacker’s machine is a trunking switch, allowing access to multiple VLANs.

Tools:

  • Yersinia: A tool for performing attacks against network protocols, including DTP.

Steps:

  1. Install Yersinia:

    sudo apt-get install yersinia

  2. Launch Yersinia:

    sudo yersinia -G

    This command starts Yersinia in GUI mode.

  3. Select DTP Attack:

    • Navigate to the DTP tab in Yersinia.

    • Select the option to enable trunking on the attacker’s port.

  4. Execute the Attack:

    • Choose the interface connected to the target switch.

    • Start the attack to send DTP messages, causing the switch to negotiate a trunk with the attacker’s machine.

  5. Verify Access to VLANs:

    • Use a network sniffer like Wireshark to monitor traffic on different VLANs and verify if the attack was successful.

2. Double Tagging

Objective: Send frames with double VLAN tags to exploit the switch's handling of VLAN tags, allowing traffic to be forwarded to a different VLAN.

Tools:

  • Scapy: A Python program used for crafting and sending network packets.

Steps:

  1. Install Scapy: Scapy is typically pre-installed on Kali Linux, but you can install or update it with:

    sudo apt-get install python3-scapy

  2. Launch Scapy:

    sudo scapy

  3. Craft a Double-Tagged Packet:

    from scapy.all import *

# Create an Ethernet frame
pkt = Ether()/Dot1Q(vlan=10)/Dot1Q(vlan=20)/IP(dst="192.168.1.1")/ICMP()

# Send the packet on the specified interface
sendp(pkt, iface="eth0")

    • Replace vlan=10 with the VLAN tag of the attacker’s VLAN.

    • Replace vlan=20 with the VLAN tag of the target VLAN.

    • Replace "192.168.1.1" with the IP address of a host in the target VLAN.

    • Replace "eth0" with the correct network interface.

  4. Send the Packet: Run the above script within the Scapy shell. This crafted packet will have two VLAN tags and will attempt to exploit the double tagging vulnerability.

Ethical Considerations

  • Authorization: Ensure you have explicit permission from the network owner to conduct VLAN hopping tests.

  • Controlled Environment: Perform these tests in a controlled and isolated environment to prevent unintentional disruption or damage.

  • Reporting: Document and report findings to the appropriate stakeholders, providing recommendations for mitigating discovered vulnerabilities.

Mitigation Tips

  • Disable DTP: Configure switch ports to disable DTP and manually set trunk ports.

  • VLAN Access Controls: Implement VLAN access control lists (VACLs) to filter traffic.

  • Native VLAN Configuration: Set the native VLAN to an unused VLAN ID.

  • Network Monitoring: Continuously monitor network traffic for signs of VLAN hopping attempts.

By following these steps responsibly, you can simulate VLAN hopping attacks to assess the security posture of VLAN configurations and improve network defenses.

References:

  1. https://www.packetlabs.net/posts/what-is-vlan-hopping/

PreviousNetwork AttacksNextPacket Crafting

Last updated