
What is VLAN Hopping? How to Mitigate VLAN Hopping Attacks

Latest reply: Jan 17, 2022 12:44:30

What is VLAN Hopping?


VLAN hopping is a type of exploit that allows an attacker to bypass the layer 2 restrictions put in place to separate hosts. With proper switch port configuration, an attacker would have to pass through a router and any other layer 3 devices to reach their target.

Many networks either have a poor VLAN implementation or misconfigurations that allow an attacker to perform this exploit. There are two primary methods of VLAN hopping, known as 'Switched Spoofing' and 'Double Tagging'.

It is important to understand how switches operate if we want to find and exploit their vulnerabilities. We are not necessarily exploiting the device itself, but rather the protocols and configurations that dictate how it operates.

On a switch, a port is either configured as an access port or a trunking port. An access port is typically used when connecting a host to a switch. With the implementation of VLANs, each access port is assigned to only one VLAN. A trunking port is used when connecting two switches or a switch and a router together. Trunking ports allow for traffic from multiple VLANs.


VLAN hopping attack types:

1.  Switched Spoofing VLAN Attack

An attacker acts as a switch in order to trick a legitimate switch into creating a trunking link between them. As mentioned before, packets from any VLAN are allowed to pass through a trunking link. Once the trunk link is established, the attacker then has access to traffic from any VLAN.

This exploit is only successful when the legitimate switch is configured to negotiate a trunk. This occurs when an interface is configured in "dynamic desirable", "dynamic auto" or "trunk" mode. If the target switch has one of those modes configured, the attacker can then generate a DTP message from their computer and a trunk link can be formed.


2.  Double Tagging Attack

Double tagging occurs when an attacker adds and modifies the tags on an Ethernet frame in order to send packets through any VLAN. This attack takes advantage of how many switches process tags. Most switches will only remove the outer tag and forward the frame to all native VLAN ports. With that said, this exploit is only successful if the attacker belongs to the native VLAN of the trunk link. Another important point is that this attack is strictly one way, as it is impossible to encapsulate the return packet. For the DTP message used in the switched spoofing attack above, an attacker can use the program Yersinia to craft and send it. Yersinia is a penetration testing framework built to attack many layer 2 protocols. It comes pre-installed with Kali Linux and has an easy-to-use graphical user interface (GUI).

An attacker can use the program Scapy to create the specially crafted frames needed for this attack. Scapy is a Python program for building and manipulating packets.
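To make the frame structure concrete, here is an added example (not from the original post) that parses the 802.1Q tag stack of a raw Ethernet frame and flags double-tagged frames, the kind of check a monitoring sensor on a trunk could apply. The frame bytes are constructed sample data, and the native VLAN passed in is assumed to be the trunk's configured one.

```python
import struct

ETH_P_8021Q = 0x8100   # 802.1Q customer VLAN tag
ETH_P_8021AD = 0x88A8  # 802.1ad service tag (QinQ); counted so stacked tags are not missed

def parse_vlan_tags(frame):
    """Walk the tag stack of a raw Ethernet frame.
    Returns (vlan_ids outer-to-inner, EtherType of the payload, payload offset)."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    offset, vlan_ids = 14, []
    while ethertype in (ETH_P_8021Q, ETH_P_8021AD):
        if len(frame) < offset + 4:
            raise ValueError("truncated VLAN tag")
        tci, ethertype = struct.unpack_from("!HH", frame, offset)
        vlan_ids.append(tci & 0x0FFF)  # low 12 bits of the TCI are the VLAN ID
        offset += 4
    return vlan_ids, ethertype, offset

def double_tag_alert(frame, native_vlan):
    """Return an alert string for a double-tagged frame, or None.
    The attack only works when the outer tag equals the trunk's native VLAN, so that case is called out."""
    vlan_ids, _, _ = parse_vlan_tags(frame)
    if len(vlan_ids) < 2:
        return None
    outer, inner = vlan_ids[0], vlan_ids[1]
    if outer == native_vlan:
        return f"double-tagged frame: outer VLAN {outer} matches native VLAN, inner VLAN {inner}"
    return f"double-tagged frame: outer VLAN {outer}, inner VLAN {inner}"

# Constructed sample frames (hex, not captured traffic): broadcast dst, locally administered src,
# then the tag stack, EtherType 0x0800 and a 20-byte dummy IPv4 header.
_HDR = "ffffffffffff" "020000000001"
_PAYLOAD = "0800" + "45" + "00" * 19
UNTAGGED = bytes.fromhex(_HDR + _PAYLOAD)
SINGLE_TAGGED = bytes.fromhex(_HDR + "8100000a" + _PAYLOAD)                # VLAN 10
DOUBLE_TAGGED = bytes.fromhex(_HDR + "81000001" + "81000014" + _PAYLOAD)   # outer 1, inner 20

if __name__ == "__main__":
    for name, f in (("untagged", UNTAGGED), ("single", SINGLE_TAGGED), ("double", DOUBLE_TAGGED)):
        print(name, parse_vlan_tags(f)[0], double_tag_alert(f, native_vlan=1))
```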


How Can You Mitigate VLAN Hopping attacks?

To prevent a Switched Spoofing attack, there are a few steps you should take. Do not configure any access ports with any of the following modes: "dynamic desirable", "dynamic auto", or "trunk". Manually configure access ports and disable DTP on all access ports:

·       switchport mode access

·       switchport nonegotiate

Manually configure all trunk ports and disable DTP on all trunk ports:

·       switchport mode trunk

·       switchport nonegotiate

Shut down all interfaces that are not currently in use.


To prevent a Double Tagging attack, there is only one step you need to take: keep the native VLAN of all trunk ports different from the VLAN of any user port. In fact, it is considered a security best practice to use a fixed VLAN that is distinct from all user VLANs in the switched network as the native VLAN for all 802.1Q trunks.
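The checks from both mitigation sections (no DTP negotiation on access or trunk ports, and a trunk native VLAN that is neither the default nor a user VLAN) can be audited against a saved running-config. The following is an added example, not from the post or any vendor tool; it assumes Cisco IOS command syntax and uses a constructed sample config.

```python
import re
# Constructed sample running-config in Cisco IOS syntax (not taken from a real device).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
interface GigabitEthernet0/2
 switchport mode dynamic desirable
 switchport access vlan 10
interface GigabitEthernet0/23
 switchport mode trunk
 switchport trunk native vlan 999
 switchport nonegotiate
interface GigabitEthernet0/24
 switchport mode trunk
 switchport trunk native vlan 10
"""

def parse_interfaces(config):
    # Map each 'interface <name>' stanza to its list of indented commands.
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or a global command ends the stanza
    return interfaces

def audit_vlan_hopping(config):
    # Return {interface: [findings]} for the settings the mitigation steps call out.
    interfaces = parse_interfaces(config)
    user_vlans = {int(m.group(1)) for cmds in interfaces.values() for c in cmds
                  if (m := re.fullmatch(r"switchport access vlan (\d+)", c))}
    findings = {}
    for name, cmds in interfaces.items():
        mode = next((c[len("switchport mode "):] for c in cmds if c.startswith("switchport mode ")), None)
        problems = []
        if mode not in ("access", "trunk"):  # an unset mode falls back to DTP-negotiating 'dynamic'
            problems.append(f"DTP negotiation possible (mode {mode or 'dynamic'})")
        elif "switchport nonegotiate" not in cmds:
            problems.append("switchport nonegotiate missing")
        if mode == "trunk":  # IOS default native VLAN is 1 when none is configured
            native = next((int(m.group(1)) for c in cmds if (m := re.fullmatch(r"switchport trunk native vlan (\d+)", c))), 1)
            if native == 1 or native in user_vlans:
                problems.append(f"native VLAN {native} is the default or a user VLAN")
        if problems:
            findings[name] = problems
    return findings
```

Run `audit_vlan_hopping(open("running-config.txt").read())` against a real export to get the same per-interface findings.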


Ref:

Luminisindia.com


Excellent! Keep up the good work!

hemin88 Created Nov 10, 2021 06:12:41
Thank you for your support
andersoncf1
MVE Author Created Nov 17, 2021 13:01:42

Well done! Thanks for sharing

good one

IndianKid
Moderator Author Created Nov 17, 2021 14:38:02

well done explaining the new topic. thanks Hemin

zaheernew
MVE Author Created Nov 17, 2021 16:11:21

Thanks for your sharing!

Well done! Thank you for the post

Good post , thank you for sharing this

Thanks for your sharing!

good one