A virtual local area network (VLAN) is used to share the physical network while creating virtual segmentations to divide specific groups. For example, a host on VLAN 1 is separated from any host on VLAN 2. Any packets sent between VLANs must go through a router or other layer 3 devices. Security is one of the many reasons network administrators configure VLANs. However, with an exploit known as “VLAN Hopping”, an brianowens.tvacker is able to bypass these security implementations. Learn more about network segmentation and VLANs here.
You are watching: How can vlan hopping attacks be prevented on a network
This type of exploit allows an brianowens.tvacker to bypass any layer 2 restrictions built to divide hosts. With proper switch port configuration, an brianowens.tvacker would have to go through a router and any other layer 3 devices to access their target. However, many networks either have poor VLAN implementation or have misconfigurations which will allow for brianowens.tvackers to perform said exploit. In this article, I will go through the two primary methods of VLAN hopping, known as “switched spoofing”, and “double tagging”. I will then discuss mitigation techniques.
It is crucial we understand how switches operate if we would like to find and exploit their vulnerabilities. We are not necessarily exploiting the device itself, but rather the protocols and configurations instructing how they operate.
On a switch, a port is either configured as an access port or a trunking port. An access port is typically used when connecting a host to a switch. With the implementation of VLANs, each access port is assigned to only one VLAN. A trunking port is used when connecting two switches or a switch and a router together. Trunking ports allow for traffic from multiple VLANs. A trunk port can be configured manually or created dynamically using Dynamic Trunking Protocol (DTP).
DTP is a Cisco proprietary protocol where one use is to dynamically establish a trunk link between two switches.
Switched Spoofing VLAN brianowens.tvack
An brianowens.tvacker acts as a switch in order to trick a legitimate switch into creating a trunking link between them. As mentioned before, packets from any VLAN are allowed to pass through a trunking link. Once the trunk link is established, the brianowens.tvacker then has access to traffic from any VLAN. This exploit is only successful when the legitimate switch is configured to negotiate a trunk. This occurs when an interface is configured with either “dynamic desirable”, “dynamic auto” or “trunk” mode. If the target switch has one of those modes configured, the brianowens.tvacker then can generate a DTP message from their computer and a trunk link can be formed.
Double tagging occurs when an brianowens.tvacker adds and modifies tags on an Ethernet frame to allow the sending of packets through any VLAN. This brianowens.tvack takes advantage of how many switches process tags. Most switches will only remove the outer tag and forward the frame to all native VLAN ports. With that said, this exploit is only successful if the brianowens.tvacker belongs to the native VLAN of the trunk link. Another important point is, this brianowens.tvack is strictly one way as it is impossible to encapsulate the return packet.
VLAN Hopping Exploit
Scenario 1 – Switch Spoofing brianowens.tvackIn this scenario there exists the brianowens.tvacker, a switch, and the target server. The brianowens.tvacker is brianowens.tvached to the switch on interface FastEthernet 0/12 and the target server is brianowens.tvached to the switch on interface FastEthernet 0/11 and is a part of VLAN 2. Take a look at the following topology.
Once you are familiar with the topology, take a look at a few of the configurations set for the switch:
interface FastEthernet0/11switchport mode accessswitchport mode nonegotiateswitchport access vlan 2!interface FastEthernet0/12switchport mode dynamic autoHopefully, you can see the configuration issue with interface fa0/12. This port is set to accept incoming negotiations to determine whether the port is for access or trunking. Which means an brianowens.tvacker is able to perform a Switch Spooking brianowens.tvack. Once the brianowens.tvacker connects to the port they can then send a DTP message and a trunking link will be established.An brianowens.tvacker can use the program Yersinia to craft and send a DTP message. Yersinia is a penetration testing framework built to brianowens.tvack many protocols that reside on layer 2. It comes pre-installed with kali Linux and has an easy to use graphical user interface (GUI).Yersinia Homepage – http://www.yersinia.net/To launch Yersinia: yersinia -GHere is a quick look at the GUI:
Now to send a DTP message is as simple as the following 4 steps:
click “Launch brianowens.tvack”click the tab “DTP”click “enable trunking”click “ok”
Yersinia will the send out a DTP message and within a few seconds, a trunking link will be established. In our scenario, the brianowens.tvacker will then have access to all traffic flowing through VLAN 2 and can directly brianowens.tvack without going through any layer 3 devices.
Scenario 2 – Double Tagging brianowens.tvackIn this scenario, there exists an brianowens.tvacker, 2 switches, and a target server. The brianowens.tvacker is brianowens.tvached to switch 1. Switch 1 is brianowens.tvached to switch 2 and finally, our target is brianowens.tvached to switch 2. Take a look at the following topology.
From the picture, we can see that switch 1 reads and removes only the outside tag. It checks that the host is part of the stated VLAN and forwards the packet to all native VLAN ports (VLAN 1). Switch 2 then receives the packet with only one header left. It assumes the frame belongs to the stated VLAN on this tag (VLAN 2) and forwards to all ports configured for VLAN 2. The target then receives the packet sent by the brianowens.tvacker.
VLAN = HOPPED.Due to the nature of this brianowens.tvack, it is strictly one way. Please also note that this brianowens.tvack may not work on new switches.
Mitigation for VLAN Hopping
To prevent a Switched Spoofing brianowens.tvack, there are a few steps you should take:
Do not configure any access points with either of the following modes: “dynamic desirable”, “dynamic auto”, or “trunk”.Manually configure access ports and disable DTP on all access ports.switchport mode accessswitchport mode nonegotiateManually configure all trunk ports and disable DTP on all trunk ports.switchport mode trunkswitchport mode nonegotiateShutdown all interfaces that are not currently in use.
To prevent a Double Tagging brianowens.tvack, keep the native VLAN of all trunk ports different from user VLANs.
Switches were not built for security. However, it is important to utilize security measures at every level. If you are to take the time to segment your network, make sure it is done properly and securely. Be diligent when configuring your network.
About the Author: Pam
Pam is an undergraduate student with an interest in information security and software development. She spends her time working on personal projects and engaging with the InfoSec industry. FollowPam on Twitter.