VLAN Hopping
VLAN hopping is a computer security exploit in which an attacking host on one VLAN gains access to traffic on other VLANs that it should not be able to reach. There are two methods:
- Switch Spoofing
- Double Tagging
Switch Spoofing
Switch Spoofing is the technique of imitating a trunking switch. The attack usually abuses the Dynamic Trunking Protocol (DTP).
Here is the flow of this attack:
- We start by sending DTP frames on an access port.
- If the port's DTP mode is dynamic auto or dynamic desirable, the attack is possible.
- A negotiation request is sent so that the switch turns the link into a trunk.
Remediations
The Switch Spoofing technique is only exploitable when the interfaces of a switch are configured to negotiate a trunk.
The first thing to do is to disable DTP on the interface: switchport nonegotiate
Next, make sure that every port that is not meant to be a trunk is explicitly configured as an access port: switchport mode access
Double Tagging
This attack consists of encapsulating two 802.1Q VLAN tags in the frames sent. To exploit this technique, the attacker must be connected to a port on an 802.1Q-capable switch.
Here is the sequence of this attack:
- We send a frame carrying two stacked VLAN tags (the outer one is the VLAN we have access to, the inner one is the VLAN we want to reach).
- The first switch strips the outer tag because it matches the native VLAN of the trunk interface, and forwards the frame over the trunk without it.
- The inner tag is then the only tag visible to the second switch that the frame encounters.
- This second VLAN tag indicates that the frame is destined for a target host on the second switch.
- The frame is then delivered to the target host as if it came from the target VLAN, effectively bypassing the network mechanisms that logically isolate VLANs from each other.
Remediations
The Double Tagging technique is only exploitable on trunk ports that carry their native VLAN untagged.
It is important not to leave access ports in the default VLAN (VLAN 1): switchport access vlan 2
You can also replace the native VLAN of all ports in trunk mode with an unused VLAN ID: switchport trunk native vlan 999
You can also force explicit tagging of the native VLAN on all ports in trunk mode: vlan dot1q tag native
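Double-tagged frames can be spotted on a mirrored trunk port: a frame whose outer tag equals the trunk's native VLAN and which carries a second 802.1Q tag underneath is exactly the pattern described above. The following is an added example, not code from the original page; it parses the stacked 802.1Q tags of an Ethernet frame and flags the double-tag pattern against a given native VLAN. The frames it checks are constructed inline as sample input (`make_sample_frame`) and the MAC addresses in them are placeholders.

```python
import struct

ETHERTYPE_8021Q = 0x8100  # 802.1Q tag protocol identifier
ETHERTYPE_IPV4 = 0x0800


def parse_vlan_tags(frame: bytes) -> list[int]:
    """Return the VLAN IDs of all 802.1Q tags stacked on a frame, outermost first."""
    tags = []
    offset = 12  # skip destination MAC (6 bytes) and source MAC (6 bytes)
    while len(frame) >= offset + 4:
        ethertype = struct.unpack("!H", frame[offset:offset + 2])[0]
        if ethertype != ETHERTYPE_8021Q:
            break  # reached the real EtherType, no more tags
        tci = struct.unpack("!H", frame[offset + 2:offset + 4])[0]
        tags.append(tci & 0x0FFF)  # low 12 bits of the TCI are the VLAN ID
        offset += 4
    return tags


def is_double_tag_hop(frame: bytes, native_vlan: int) -> bool:
    """True when a frame seen on a trunk has two or more tags and the outer
    tag is the trunk's native VLAN, i.e. the outer tag would be stripped and
    the inner tag would decide the VLAN on the next switch."""
    tags = parse_vlan_tags(frame)
    return len(tags) >= 2 and tags[0] == native_vlan


def make_sample_frame(vlans: list[int], payload: bytes = b"\x00" * 46) -> bytes:
    """Constructed sample frame for testing: broadcast destination, placeholder
    source MAC, the given VLAN tags stacked outermost first, then an IPv4 EtherType."""
    header = bytes.fromhex("ffffffffffff") + bytes.fromhex("020000000001")
    for vlan in vlans:
        header += struct.pack("!HH", ETHERTYPE_8021Q, vlan & 0x0FFF)
    header += struct.pack("!H", ETHERTYPE_IPV4)
    return header + payload


if __name__ == "__main__":
    # Trunk still on the default native VLAN 1: the stacked frame is flagged.
    print(is_double_tag_hop(make_sample_frame([1, 20]), native_vlan=1))
    # Same frame on a trunk whose native VLAN was moved to 999: not flagged,
    # because the outer tag would no longer be stripped.
    print(is_double_tag_hop(make_sample_frame([1, 20]), native_vlan=999))
```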