A virtual local area network (VLAN) is used to share the physical network while creating virtual segments that divide specific groups. For example, a host on VLAN 1 is separated from any host on VLAN 2. Any packets sent between VLANs must go through a router or other layer 3 device. Security is one of the many reasons network administrators configure VLANs. However, with an exploit known as 'VLAN Hopping', an attacker is able to bypass these security implementations.
VLAN Hopping
This type of exploit allows an attacker to bypass any layer 2 restrictions built to divide hosts. With proper switch port configuration, an attacker would have to go through a router and any other layer 3 devices to access their target. However, many networks either have a poor VLAN implementation or have misconfigurations that allow attackers to perform this exploit.
On a switch, a port is configured as either an access port or a trunking port. An access port is typically used when connecting a host to a switch. With the implementation of VLANs, each access port is assigned to only one VLAN.

A trunking port is used when connecting two switches, or a switch and a router, together. Trunking ports allow traffic from multiple VLANs. A trunk port can be configured manually or created dynamically using Dynamic Trunking Protocol (DTP).
Switched Spoofing VLAN Attack
An attacker acts as a switch in order to trick a legitimate switch into creating a trunking link between them. As mentioned before, packets from any VLAN are allowed to pass through a trunking link. Once the trunk link is established, the attacker has access to traffic from any VLAN. This exploit is only successful when the legitimate switch is configured to negotiate a trunk. This occurs when an interface is configured with either "dynamic desirable", "dynamic auto" or "trunk" mode. If the target switch has one of those modes configured, the attacker can then generate a DTP message from their computer and a trunk link can be formed.
Double Tagging
Double tagging occurs when an attacker adds and modifies tags on an Ethernet frame to allow the sending of packets through any VLAN. This attack takes advantage of how many switches process tags. Most switches will only remove the outer tag and forward the frame to all native VLAN ports. With that said, this exploit is only successful if the attacker belongs to the native VLAN of the trunk link. Another important point is that this attack is strictly one way, as it is impossible to encapsulate the return packet.
https://www.alienvault.com/blogs/security-essentials/vlan-hopping-and-mitigation
VLAN Hopping is an attack where the attacker is able to send traffic from one VLAN into another. There are two different methods to accomplish this:

Double tags: the idea behind the attack is that the attacker is connected to an interface in access mode with the same VLAN as the native untagged VLAN on the trunk. The attacker sends a frame with two 802.1Q tags; the “inner” VLAN tag is the VLAN that we want to reach and the “outer” VLAN tag is the native VLAN. When the switch receives the frame, it will remove the first (native VLAN) 802.1Q tag and forward the frame with the second 802.1Q tag on its trunk interface(s). The attacker has now “jumped” from the native VLAN to the victim’s VLAN. It’s a one way trip but it could be used perhaps for a DoS attack.

Switch spoofing: the attacker will send DTP packets and try to negotiate a trunk with the switch; this is possible when you use the default “dynamic auto” or “dynamic desirable” switchport mode. Once you have a trunk to your computer, you will have access to all VLANs. This is basically a misconfiguration since you should never configure your interfaces to use the dynamic switchport modes.
https://networklessons.com/cisco/ccnp-switch/vlan-hopping
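The double-tag handling that both passages above describe, as an added example that comes from neither source: a small Python monitor that walks an Ethernet frame's 802.1Q tag stack and flags a frame arriving on an access port whose outer tag is the trunk's native VLAN, i.e. the only case in which the switch behaviour described above turns into a hop. The sample frames, the VLAN numbers and the verdict names are constructed for this example.

```python
import struct

# TPIDs that introduce a 4-byte VLAN tag right after the two MAC addresses
TPID_8021Q = 0x8100
TPID_8021AD = 0x88A8  # QinQ service tag; accepted as an outer tag by some switches


def parse_vlan_stack(frame: bytes):
    """Return (vlan_ids, ethertype, payload); vlan_ids is in outer-first wire order.
    Raises ValueError on a truncated frame so a monitor never misreads garbage."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    offset, vlan_ids = 12, []  # skip the 6-byte destination and source MACs
    while True:
        if offset + 2 > len(frame):
            raise ValueError("truncated EtherType")
        (ethertype,) = struct.unpack("!H", frame[offset:offset + 2])
        if ethertype not in (TPID_8021Q, TPID_8021AD):
            return vlan_ids, ethertype, frame[offset + 2:]
        if offset + 4 > len(frame):
            raise ValueError("truncated 802.1Q tag")
        (tci,) = struct.unpack("!H", frame[offset + 2:offset + 4])
        vlan_ids.append(tci & 0x0FFF)  # VLAN ID = low 12 bits of the TCI
        offset += 4


def audit_ingress(frame: bytes, access_vlan: int, trunk_native_vlan: int):
    """Classify a frame entering an access port, modelling the switch behaviour
    the text describes: an outer tag equal to the trunk's native VLAN is stripped
    and the frame leaves the trunk carrying only its inner tag.
    Returns (verdict, vlan_the_frame_effectively_lands_on)."""
    vlan_ids, _, _ = parse_vlan_stack(frame)
    if not vlan_ids:
        return "ok", access_vlan  # normal untagged host traffic
    if len(vlan_ids) == 1:
        return "tagged-on-access-port", access_vlan  # odd for a host, worth logging
    outer, inner = vlan_ids[0], vlan_ids[1]
    if access_vlan == trunk_native_vlan == outer and inner != outer:
        return "double-tag-hop", inner  # the one-way hop described in the text
    # native VLAN differs from the port's VLAN: outer tag is not stripped, no hop
    return "double-tag", access_vlan


# Constructed sample frames (not captured traffic): broadcast destination, made-up
# source MAC, zero or two 802.1Q tags (VLAN 1 outer, VLAN 20 inner), EtherType
# 0x0800 and a four-byte dummy payload.
FRAME_UNTAGGED = bytes.fromhex("ffffffffffff001122334455" "0800" "deadbeef")
FRAME_DOUBLE = bytes.fromhex(
    "ffffffffffff001122334455" "81000001" "81000014" "0800" "deadbeef")
```

Running `audit_ingress(FRAME_DOUBLE, 1, 1)` reports a hop into VLAN 20, while the same frame with the trunk's native VLAN moved to an unused number (for example 999) is only reported as a suspicious double-tagged frame, which is the defensive point behind changing the native VLAN.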