VLAN hopping attack – Switch Spoofing and Double tagging
VLAN hopping attack can be possible by two different approaches, Switch Spoofing or Double tagging.
When you are in a situation where you need to configure and set up security of VLAN trunks, also consider the potential for an exploit called VLAN hopping. Attacker can craft and send positioned frames on one access VLAN with spoofed 802.1Q tags so that the packet end up on a totally different VLAN and all this without the use of a router.
A VLAN hopping attack allows frames from one VLAN to pass into another VLAN, without first pass through router. An attacker could use a VLAN hopping attack to “sniff” traffic on another VLAN that the attacker’s PC is supposed to be isolated from. On other side, attacker can also send traffic to a VLAN that the attacker’s PC should not be able to reach. The two main ways for start a VLAN hopping attack are switch spoofing and double tagging.
Trunks on switches carry traffic for all VLANs. If an attacker can convince a switch to go into trunking mode for connected port to the attacker PC, the attacker could then see traffic for all VLANs. This can be then simply used for “sniffing” all the traffic on all VLANs and this type of attack could be used to discover, for example the username and password credentials from network users and administrators and the attacker could use this data for a later attack.
If we speak about Cisco equipment, Cisco Catalyst switch ports default to auto mode for trunking. This means that the ports are in “dynamic desirable” mode and they will automatically become trunk ports if they receive Dynamic Trunking Protocol (DTP) frames. An attacker could attempt to make his switch port enter trunking mode in two different ways. First, (the example on the image on the left) is by spoofing DTP frames and send rogue DTP frames from his PC to the switch. The second way is by simply connecting a rogue switch to his switch port. To make something against switch spoofing, you can disable trunking on all ports that do not need to be trunks, and disable DTP on ports that do need to be trunks.
For this kind of attack to work, the following conditions must exist in the network configuration:
- The attacker is connected to an access switch port.
- The switch must have an 802.1Q trunk.
- The trunk must have the attacker’s access VLAN as its native VLAN.
The attacker, for example, situated on VLAN 10, sends frames that are double tagged as if an 802.1Q trunk is being used. Naturally, the attacker is not connected to a trunk; he is using switch spoofing to turn his switch interface to trunking mode. He is using trunk encapsulation to trick the switch into making the frames hop over to another VLAN.
The real frame maybe with some malicious data is first given an 802.1Q tag with the VLAN ID of the target VLAN, in this case VLAN 20. Then a second bogus 802.1Q tag is added with the attacker’s access VLAN ID – the VLAN 10 in our example.
When the local switch on the left receives a double tagged frame, it decides to forward it out the trunk interface. This is because the first “VLAN 10″ tag has the same VLAN ID as the trunk’s native VLAN. The “VLAN 10″ tag is removed as the frame is sent on the trunk. The switch sends all frames from the native VLAN untagged, that is normal. Now the second “VLAN 20″ tag is posted on the trunk. When switch on the right side receives the frame, it finds second 802.1Q tag. The spoofed tag for VLAN 20 is found and the tag is then removed and the frame is forwarded to VLAN 20. In that moment the attacker has successfully sent a frame from VLAN 10 and gotten the frame injected onto VLAN 20 by not using the router. He made it all through Layer 2 switching.