Internal Network Attack Vector Discovery (Part II)

802.1Q VLAN

VLANs are used within enterprises to segment networks into separate broadcast domains. Besides cutting down unnecessary broadcast traffic, 802.1Q tagging limits the scope of ARP cache poisoning and other local attacks: administrators assign VLAN IDs (a 12-bit field, so 1 to 4094 are usable, while 0 and 4095 are reserved) that are used to tag Ethernet frames and define each network segment.

However, there are a few risks that come with 802.1Q implementation:

  • Dynamic trunk abuse to compromise VLANs and data (switch spoofing)
  • Double-tagging frames to send data to other VLANs
  • Layer 3 bypass of private VLAN port isolation

Let's go through each of them.

A/ Dynamic Trunking

In a typical hardened environment, each port has a static VLAN assignment, constraining you to a specific VLAN. Many switches, however, support the Dynamic Trunking Protocol (DTP) by default, and this protocol can be abused to emulate a switch, negotiate a trunk and receive traffic across all VLANs (on a Linux attack host, one 802.1Q sub-interface per VLAN ID then gives access to each segment). The fix is to put every user-facing port into static access mode and disable DTP negotiation on it.

The five port modes supported by Cisco switches are:

  • Access : Places the port into a permanent nontrunking mode
  • Trunk : Places the port into a permanent trunking mode
  • Dynamic auto : The port converts the link to a trunk if the neighboring port negotiates in trunk or dynamic desirable mode (the default on many Catalyst switches)
  • Dynamic desirable : The port actively attempts to convert its link to a trunk, becoming a trunk port if the neighboring port is in trunk, dynamic desirable or dynamic auto mode
  • Nonegotiate : Disables DTP negotiation entirely on a port that has been statically configured as access or trunk

In order to perform the VLAN hopping attack, the following tools can be used:

  • dtpscan : DTP detection, https://github.com/commonexploits/dtpscan
  • yersinia : VLAN hopping attack (its DTP "enabling trunking" attack negotiates a trunk with the switch), https://github.com/tomac/yersinia

B/ Double-tagging

If the attacker's access port sits in the native VLAN of a trunk between two switches, he or she can double-tag frames and inject content into other VLANs. The trick works because native-VLAN traffic crosses the trunk untagged: the first switch strips the outer tag (the native VLAN ID) when it forwards the frame onto the trunk, and the second switch then reads the inner tag and delivers the frame into that VLAN. Setting the native VLAN to an unused ID, and tagging native-VLAN traffic on trunks, closes the hole.

A valid destination MAC and IP address are required to deliver content. The majority of practical attacks are unidirectional, since the victim's replies are routed normally and never come back through the trunk trick, so they rely on connectionless protocols (UDP). It is still possible to establish a TCP connection with a victim if that host can reach an IP address under the attacker's control, because the attacker then receives the return traffic by ordinary routing.

C/ Layer 3 Private VLAN Bypass

In guest wireless networks and similar environments, private VLAN (port isolation) settings stop peers from talking to one another directly at layer 2: isolated ports can only reach the promiscuous port, typically the default gateway. The router is still a common neighbour, though. Depending on network ACLs, it may be possible to send IP packets to the router's MAC address but to a neighbouring peer's IP address; the router forwards them back out of the same interface to the peer, bypassing the isolation. The usual fix is an inbound ACL on the router interface (or SVI) that drops packets whose source and destination both lie in the locally connected subnet.
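The following is an added example, not code from the original post or from any of the tools mentioned above. It crafts and parses 802.1Q frames with only the Python standard library and uses a deliberately simplified model of switch and router behaviour (an assumption, not any vendor's exact logic) to show the three attacks: enumerating VLANs from tagged traffic once a DTP trunk is up (Part A), a double-tagged UDP datagram crossing a trunk and landing in another VLAN unless the native VLAN is unused or tagged (Part B), and the router hairpin that defeats private VLAN isolation unless an intra-subnet ACL is present (Part C). All MAC and IP addresses are constructed for illustration, and nothing is put on the wire.

```python
"""802.1Q attack modelling: DTP trunk enumeration, double tagging, PVLAN hairpin.
Added example, stdlib only. Switch/router logic is a simplified model (an assumption)."""
import ipaddress
import socket
import struct

TPID_8021Q = 0x8100      # 802.1Q tag protocol identifier
ETHERTYPE_IPV4 = 0x0800
PROTO_UDP = 17


def _mac(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def ipv4_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; yields 0 over a header whose checksum is correct."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4_udp(src_ip: str, dst_ip: str, sport: int, dport: int, data: bytes) -> bytes:
    """IPv4 header plus UDP datagram. UDP checksum stays 0 (allowed for IPv4), one reason
    one-way UDP is the easy case for double tagging."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0x1234, 0x4000, 64,
                      PROTO_UDP, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + udp


def build_frame(dst_mac: str, src_mac: str, vlan_ids, ethertype: int, payload: bytes) -> bytes:
    """Ethernet frame with zero or more 802.1Q tags, outermost first (PCP=0, DEI=0)."""
    frame = _mac(dst_mac) + _mac(src_mac)
    for vid in vlan_ids:
        if not 1 <= vid <= 4094:
            raise ValueError("VLAN IDs 0 and 4095 are reserved")
        frame += struct.pack("!HH", TPID_8021Q, vid)
    return frame + struct.pack("!H", ethertype) + payload


def parse_tags(frame: bytes):
    """Return (VLAN IDs outermost first, ethertype, offset of the payload)."""
    off, tags = 12, []
    while len(frame) >= off + 4 and struct.unpack("!H", frame[off:off + 2])[0] == TPID_8021Q:
        tags.append(struct.unpack("!H", frame[off + 2:off + 4])[0] & 0x0FFF)
        off += 4
    return tags, struct.unpack("!H", frame[off:off + 2])[0], off + 2


def vlans_seen(frames) -> set:
    """Part A: on a DTP-negotiated trunk every VLAN's traffic arrives tagged, so the
    set of outer tags enumerates the VLANs now reachable."""
    return {parse_tags(f)[0][0] for f in frames if parse_tags(f)[0]}


def switch_a_to_trunk(frame: bytes, access_vlan: int, native_vlan: int, tag_native: bool = False):
    """Part B, attacker-facing switch. An access port accepts untagged frames and frames
    tagged with its own VLAN and drops others (model). Native-VLAN traffic leaves the trunk
    untagged unless native tagging is on, so the outer tag is popped and a second tag
    hidden behind it becomes the first. Returns None for a dropped frame."""
    tags, _, _ = parse_tags(frame)
    vlan = tags[0] if tags else access_vlan
    if vlan != access_vlan:
        return None
    inner = frame[16:] if tags else frame[12:]          # everything after the outer tag
    if vlan == native_vlan and not tag_native:
        return frame[:12] + inner                        # sent untagged: outer tag popped
    return frame[:12] + struct.pack("!HH", TPID_8021Q, vlan) + inner


def switch_b_deliver(trunk_frame: bytes, native_vlan: int) -> int:
    """Part B, second switch: a tagged frame belongs to its outer tag, an untagged one to
    the native VLAN. Returns the VLAN the frame is forwarded into."""
    tags, _, _ = parse_tags(trunk_frame)
    return tags[0] if tags else native_vlan


def router_hairpin(frame: bytes, subnet: str, deny_intra_subnet: bool):
    """Part C: an isolated host addresses the router's MAC but a neighbour's IP. Without
    an ACL the router forwards it back out of the same interface; an ACL denying packets
    whose source and destination are both in the connected subnet drops it."""
    _, ethertype, off = parse_tags(frame)
    if ethertype != ETHERTYPE_IPV4:
        return None
    src = ipaddress.ip_address(frame[off + 12:off + 16])
    dst = ipaddress.ip_address(frame[off + 16:off + 20])
    net = ipaddress.ip_network(subnet)
    if deny_intra_subnet and src in net and dst in net:
        return None
    return str(dst)


if __name__ == "__main__":
    payload = build_ipv4_udp("10.1.0.50", "10.20.0.10", 40000, 514, b"<13>injected")
    attack = build_frame("00:0c:29:aa:bb:cc", "00:0c:29:11:22:33", [1, 20], ETHERTYPE_IPV4, payload)
    hop = switch_a_to_trunk(attack, access_vlan=1, native_vlan=1)
    print("native VLAN 1, untagged -> delivered into VLAN", switch_b_deliver(hop, 1))
    hop = switch_a_to_trunk(attack, access_vlan=1, native_vlan=999)
    print("unused native VLAN 999 -> delivered into VLAN", switch_b_deliver(hop, 999))
```

Run it as a script to see the double-tagged frame land in VLAN 20 when the attacker's VLAN is the trunk's native VLAN, and stay in VLAN 1 once the native VLAN is moved to an unused ID (or `tag_native=True` is passed). The `vlans_seen` and `router_hairpin` helpers are exercised the same way with frames built by `build_frame`.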
