top of page
  • CyberBrew Team
    • Jun 13
    • 6 min read

 Mastering VLAN Hopping – PenTest+ Review

 




Vlan Hopping



VLAN Hopping is a network attack method that allows an attacker to break out of one VLAN and gain access to traffic on other VLANs that would normally be segregated. This type of attack is particularly dangerous because VLANs (Virtual Local Area Networks) are typically used to isolate network segments for security and performance reasons. When an attacker is able to hop from one VLAN to another, they can bypass these security measures and potentially intercept sensitive data or launch further attacks within your network.

 

For an attacker, or hopefully just a penetration tester, VLAN hopping can be a useful technique. However, it requires rather deep knowledge of how VLAN’s actually operate specifically how a switch interacts with traffic (handling tagged versus untagged traffic). The two most common methods for VLAN Hopping are Double Tagging and Switch Spoofing. Although exploiting different vulnerabilities in a VLAN implementation the end goal remains the same.


 What is VLAN Hopping?


We will start off with VLAN Hopping. Imagine you are performing an internal penetration test where your system is placed on a corporates network. The VLAN you currently have access doesn’t have sensitive data but you are aware of another VLAN that has this data you are trying to gain access to. The VLAN is secure and the system you are currently using is not placed in this VLAN and does not have access to it. Remember, VLAN’s are most commonly use to segment networks with the primary goal of preventing unauthorized access. Nothing is ever a 100% secure and if certain vulnerabilities are exploited, it is possible to actually break hop between VLANS and break through the isolation. With this concept, we can understand why it is referred to as “VLAN Hopping”.

For a real-world scenario, you can think of an attacker trying to make it’s way further into a corporate’s network. For example, they may began by accessing a guest network that anyone could connect to and then attempting to move further into it the network. Although it’s not an easy task using techniques could hypothetically allow an attacker to penetrate further into the corporate network into internal VLANs that they should not normally have access to. To get a better idea of this concept we’ll look at the 2 most common VLAN hopping techniques which is Double Tagging and Switch Spoofing.

 

 Double Tagging

 

 What is Double Tagging?

 

Double Tagging in the first method we’ll take a look into it. Often times you may here it referred to as VLAN stacking. In basic terms, this technique involves an attacker inserting two VLAG tags into a packet header. The outer tag is used by the first switch the packet will encounter (the access switch) and the second (inner tag) will be used by the second switch (trunk switch) that in combination works to direct the packet to a different VLAN. In this concept, it would be directing the attacker’s network packets to a different VLAN (hopping to a new VLAN).


How Double Tagging is Performed

 

1. Initial Packet Construction: The attacker constructs a packet with two VLAN tags. The outer tag corresponds to the attacker's current VLAN (let's say VLAN 10), and the inner tag corresponds to the target VLAN (let's say VLAN 20).

  

2. Packet Transmission: The attacker sends this double-tagged packet onto the network.

 

3. Access Switch Handling: The first switch (access switch), which the attacker's device is directly connected to, strips off the outer VLAN tag (VLAN 10) and forwards the packet.

 

4. Trunk Link Handling: The packet, now with the inner VLAN tag (VLAN 20), is forwarded by the trunk link. The second switch (trunk switch) receives the packet and, seeing the VLAN 20 tag, forwards it to VLAN 20.

 

Tools Used for Double Tagging

 

Several tools can be used to perform Double Tagging attacks. Some of the most common ones include:

 

Yersinia: A popular network attack tool that can perform various Layer 2 attacks, including VLAN Hopping through Double Tagging.

Scapy: A powerful Python-based interactive packet manipulation tool that allows crafting and sending custom packets with multiple VLAN tags.

 

Scenario Example: Double Tagging Attack

 

Consider a corporate network with two VLANs: VLAN 10 (user device VLAN) and VLAN 20 (server VLAN). An attacker connects to VLAN 10 and sends a double-tagged packet (outer tag VLAN 10, inner tag VLAN 20). The access switch strips off the outer tag and forwards the packet through the trunk link. The trunk switch then reads the inner tag (VLAN 20) and forwards the packet to VLAN 20. As a result, the attacker can now access the server VLAN, bypassing VLAN isolation.

 

Recognizing Vulnerability to Double Tagging

To determine if a network is susceptible to Double Tagging attacks, check for the following:

 

- Native VLAN Mismatch: Ensure that the native VLAN (untagged VLAN) on the trunk ports is not the same as any user VLAN.

- Strict VLAN Tagging: Ensure that all frames on trunk ports are tagged, including native VLAN frames.

Network administrators should also regularly audit VLAN configurations and apply security best practices to mitigate such vulnerabilities.

 

Switch Spoofing

 

What is Switch Spoofing?

Switch Spoofing on the other hand is another common method of attempting to VLAN hop. In this scenario the attacker will actually configure their device to mimic or act as a trunking switch. If successful, the attacker negotiate a trunk link with the connected switch and access other VLANs the switch it initiated the trunk link with may be connected to.

 

How Switch Spoofing is Performed

 

1. Device Configuration: The attacker configures their network interface card (NIC) to operate in trunk mode, allowing it to send and receive traffic tagged with multiple VLAN IDs.

 

2. Trunk Negotiation: The attacker’s device sends Dynamic Trunking Protocol (DTP) packets to the switch, attempting to negotiate a trunk link.

 

3. VLAN Access: If the switch is configured to accept DTP requests and forms a trunk link with the attacker’s device, the attacker can now send and receive traffic on multiple VLANs.

Tools Used for Switch Spoofing

Several tools and techniques can facilitate Switch Spoofing attacks:

 

-Yersinia: In addition to Double Tagging, Yersinia can be used to send DTP packets and negotiate trunk links.

- Ettercap: A comprehensive suite for man-in-the-middle attacks, which can also be used for VLAN Hopping by trunk negotiation.

- Manual Configuration: Advanced users can manually configure their NIC to send DTP packets using low-level packet crafting tools like Scapy.

 

Scenario Example: Switch Spoofing Attack

 

Imagine a scenario where an attacker plugs into a network port in a corporate office where the network is not performing checks at the physical port level. By sending DTP packets, the attacker’s device negotiates a trunk link with the switch. As a result, the attacker can now send and receive traffic on all VLANs allowed on that trunk link, gaining unauthorized access to sensitive network segments.

 Recognizing Vulnerability to Switch Spoofing

 

To identify and mitigate vulnerabilities to Switch Spoofing:

 

- Disable DTP: Configure switch ports to disable DTP and set the ports to access mode rather than dynamic auto or dynamic desirable mode.

- Port Security: Implement port security features to restrict which devices can connect and negotiate trunk links.

- VLAN Pruning: Manually prune VLANs on trunk links to ensure only necessary VLANs are allowed.

 

Network Administrators should regularly review switch configurations and ensure that security policies are consistently applied across the network.

 

Conclusion

 

VLAN Hopping is a sophisticated attack technique that exploits VLAN implementation vulnerabilities to gain unauthorized access to different network segments. By understanding the methods of Double Tagging and Switch Spoofing, penetration testers can better assess the security of network environments and help implement effective countermeasures.

 

Interview Practice

 

To further solidify your understanding, here are some interview questions and answers on VLAN Hopping:

 

Q1: What is VLAN Hopping?

 

VLAN Hopping is a network attack method that allows an attacker to break out of one VLAN and gain access to traffic on other VLANs, bypassing network segmentation security measures.

 

Q2: Describe the Double Tagging method of VLAN Hopping.

 

Double Tagging involves inserting two VLAN tags into the packet’s header. The first switch removes the outer tag, and the second switch forwards the packet based on the inner tag, allowing access to the target VLAN.

 

Q3: How can an attacker perform Switch Spoofing?

 

In Switch Spoofing, the attacker configures their device to operate in trunk mode and negotiates a trunk link with the switch using DTP packets, gaining access to multiple VLANs.

 

Q4: What tools can be used for Double Tagging attacks?

 

Tools like Yersinia and Scapy can be used to perform Double Tagging attacks by crafting and sending custom double-tagged packets.

 

Q5: How can network administrators mitigate VLAN Hopping attacks?

 

Administrators can mitigate VLAN Hopping by ensuring strict VLAN tagging, disabling DTP on switch ports, implementing port security, and pruning unnecessary VLANs on trunk links.

 

By mastering these techniques and implementing robust security measures, you can enhance the security posture of your network and prevent VLAN Hopping attacks.

 


4 views0 comments

Recent Posts

See All

Comments

bottom of page