VLAN Hopping
Last updated
• Automates ISL/802.1Q trunk configuration
• Operates between switches
• Does not operate on routers
• DTP synchronizes the trunking mode on both ends of a link
• DTP removes the need for management intervention on both sides
• The DTP state of an ISL/1Q trunking port can be set to “Auto”, “On”, “Off”, “Desirable”, or “NonNegotiate”
• A station can spoof as a switch with ISL or 802.1Q signaling (DTP signaling is usually required as well)
• The station is then a member of all VLANs
• Requires a trunking-favorable setting on the port (the SANS paper is two years old)
Here is the VLAN table from the switch console:
The interfaces G0/0 and G0/1 (attacker and victim) are assigned to VLAN 100, and interface G0/2 is assigned to VLAN 200.
For the attack to succeed, the switch port has to be in its default configuration (Dynamic Desirable). Let’s check the configuration of the attacker’s interface (G0/0):
The switch port is set to Dynamic Desirable, so a trunk can be negotiated on it.
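As an added example that is not part of the original page, the following Python models which DTP mode pairings negotiate a trunk, so the port modes on a switch can be audited for the exposure just described; the port names and modes in SAMPLE_PORTS are constructed, and the rogue host is assumed to advertise Dynamic Desirable.

```python
# Added example, not part of the original page: models standard Cisco IOS
# DTP negotiation so port modes can be audited for the exposure above.

STATIC_TRUNK = {"trunk", "nonegotiate"}   # trunk without needing a DTP reply


def negotiates_trunk(local_mode: str, peer_mode: str) -> bool:
    """True if a trunk forms between a local port and its link peer.

    Modes: access, trunk, dynamic auto, dynamic desirable, nonegotiate
    (static trunk with DTP frames disabled).
    """
    local, peer = local_mode.lower(), peer_mode.lower()
    # An access port ignores DTP, so it never negotiates a trunk.
    if local == "access" or peer == "access":
        return False
    if local in STATIC_TRUNK and peer in STATIC_TRUNK:
        return True                          # both sides statically trunking
    # nonegotiate sends no DTP, so a dynamic peer never hears an offer.
    if local == "nonegotiate" or peer == "nonegotiate":
        return False
    # Remaining pairs are trunk/auto/desirable; only auto+auto stays access
    # because neither side initiates the negotiation.
    return not (local == "dynamic auto" and peer == "dynamic auto")


def exposed_ports(port_modes: dict, rogue_mode: str = "dynamic desirable"):
    """Ports on which a host advertising rogue_mode (assumed here to be what
    a DTP-spoofing tool sends) would obtain a trunk and see every VLAN."""
    return sorted(p for p, m in port_modes.items()
                  if negotiates_trunk(m, rogue_mode))


# Constructed audit input; port names follow the page's G0/x naming.
SAMPLE_PORTS = {
    "G0/0": "dynamic desirable",   # the mode shown on the attacker's port
    "G0/1": "dynamic auto",
    "G0/2": "access",
    "G0/3": "nonegotiate",         # e.g. a deliberately static uplink
}

if __name__ == "__main__":
    print(exposed_ports(SAMPLE_PORTS))   # ['G0/0', 'G0/1']
```

Ports reported by exposed_ports are the ones to pin down with switchport mode access (and switchport nonegotiate on intentional trunks), which is what removes the negotiation the attack relies on.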
Now we can run the tool (yersinia) to enable TRUNK mode, but before we run the attack let’s see the status of the VLAN:
We can run the tool (yersinia), choose DTP and then launch the attack.
Yersinia can run with an ncurses CLI interface or a GUI interface.
To run in CLI mode, in your terminal type:
To run in GUI mode type:
Then choose “enabling trunking” and click OK.
In CLI mode:
• press g to bring up the protocol menu, then choose DTP
• press x to open the attack panel, then press 1 to enable trunking
• after delivering the DTP message, press 5 to open a status dialog. Here the status indicates TRUNK/AUTO, revealing a successful attack.
Then we go back to the switch console and can see that packets have been sent, as shown below:
We will show the VLAN table:
We can see that the interface (G0/0) is set on trunk which means that we can jump other VLANs!
And we can see that all the VLANS are allowed on interface (g0/0):
On Kali, we will add the below commands:
We added a new VLAN interface with ID 200, bound it to eth0 as eth0.200, assigned it a new IP address and brought it up.
Finally, we can ping PC-2, which is on the other VLAN and was not accessible before.
So we successfully jumped to VLAN 200!
The double-tagging (or double-encapsulated) VLAN hopping attack takes advantage of the way that hardware operates on some switches. Some switches perform only one level of 802.1Q decapsulation and allow an attacker, in specific situations, to embed a second 802.1Q tag inside the frame.
This tag allows the frame to go to a VLAN that the outer 802.1Q tag did not specify. An important characteristic of the double-encapsulated VLAN hopping attack is that it can work even if DTP is disabled on the attacker’s access port.
• Send double-encapsulated 802.1Q frames
• Switch performs only one level of decapsulation
• Unidirectional traffic only
• This works even if trunk ports are set to off
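As an added example that is not part of the original page, the following Python builds and parses stacked 802.1Q tags, models a switch that strips only one tag on a native-VLAN match, and shows the detection check a defender can apply (more than one tag from an end host is never legitimate); the MAC addresses, VLAN IDs and payload are constructed.

```python
import struct

TPID_8021Q = 0x8100  # EtherType that announces an 802.1Q tag

def build_frame(dst, src, vids, ethertype, payload):
    """Construct an Ethernet frame with zero or more stacked 802.1Q tags."""
    hdr = dst + src
    for vid in vids:
        hdr += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)  # TPID + TCI (PCP=0)
    return hdr + struct.pack("!H", ethertype) + payload

def parse_tags(frame):
    """Walk the tag stack; return (vids, inner ethertype, payload offset)."""
    vids, off = [], 12
    while off + 4 <= len(frame) and struct.unpack_from("!H", frame, off)[0] == TPID_8021Q:
        vids.append(struct.unpack_from("!H", frame, off + 2)[0] & 0x0FFF)
        off += 4
    return vids, struct.unpack_from("!H", frame, off)[0], off + 2

def is_double_tagged(frame):
    """Detection check: a second 802.1Q tag inside the first is the
    signature of the double-encapsulation technique."""
    return len(parse_tags(frame)[0]) >= 2

def single_decap_ingress(frame, native_vid):
    """Model the vulnerable behaviour: the trunk strips exactly one tag when
    the outer VID equals the native VLAN and never looks deeper."""
    vids, _, _ = parse_tags(frame)
    if vids and vids[0] == native_vid:
        return frame[:12] + frame[16:]  # remove the outer 4-byte tag only
    return frame

def delivered_vlan(frame, native_vid):
    """VLAN the frame is forwarded in after one hop through such a trunk."""
    vids, _, _ = parse_tags(single_decap_ingress(frame, native_vid))
    return vids[0] if vids else native_vid

# Constructed sample: a host on native VLAN 100 sends an outer tag 100 and a
# hidden inner tag 200 around a dummy IPv4 payload.
DST = bytes.fromhex("ffffffffffff")
SRC = bytes.fromhex("020000000001")
DOUBLE = build_frame(DST, SRC, [100, 200], 0x0800, b"\x45" + b"\x00" * 19)
SINGLE = build_frame(DST, SRC, [100], 0x0800, b"\x45" + b"\x00" * 19)

if __name__ == "__main__":
    print(is_double_tagged(DOUBLE), delivered_vlan(DOUBLE, 100))  # True 200
```

Note that delivered_vlan only changes when the outer tag matches the native VLAN, which is why moving the native VLAN to an unused ID (and keeping it off access ports) defeats the technique.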
Another technique to evaluate when evading the NAC system is the option to perform VLAN hopping, particularly in environments where VoIP devices are used to bridge a workstation and a phone over a single network cable. Cisco switches support a special configuration mode where a single switch port can be used to connect a VoIP phone to a voice VLAN, while a second device can connect to the phone to access a different VLAN.
The Cisco VoIP phone effectively becomes a two-port switch, allowing the customer to retain their existing switch density while accommodating the VoIP phones on their network.
To bridge the traffic from the workstation on a different VLAN than the phone, however, the VoIP phone must become a trunk port, if only a limited one, to differentiate between its own traffic and the traffic of the downstream device.
First of all, our PC must be connected directly to the VoIP phone we are going to spoof (which in turn is connected to the corresponding switch).
Once connected, we capture a CDP packet. Being directly connected to the Cisco device (the VoIP phone), the only packet that should reach us is the phone’s own.
With the captured packet we verify that it really contains the information we need.
Once we have the necessary packet, we disconnect from the phone and connect directly to the network (because we are going to impersonate the Cisco device, if we leave it connected the switch will detect two devices with the same configuration and the impersonation will not take effect).
We replay the device’s packet to make the Cisco switch believe we are a VoIP device. In addition, these phones send a packet roughly every 60 seconds to keep the connection alive, so we must do the same to remain trusted.
We create a virtual interface named after our interface plus the VLAN of the Cisco device.
We check that it has been created successfully.
We disable the interface to modify its MAC address and change it to that of the legitimate phone (this value can be read directly from the phone’s options menu).
With everything configured, we run dhclient on the interface to verify that the switch hands us the phone’s IP.
We see that we already have the IP. We only have to verify that we have connectivity to the gateway to confirm that we are correctly authenticated on the VoIP VLAN.
• Automates the voice VLAN hopping attack
• Listens for CDP to extract the voice VLAN number
• Creates the interface and requests a DHCP address
• Includes attack options for Cisco, Avaya, and Nortel switches
To use voiphopper, you must install the DHCP client utility "dhclient." Voiphopper will not attempt to create the VLAN sub-interface if the dhclient utility is missing.