VLAN Attacks Flashcards
VLAN Hopping Attacks
Attacks modus operandi
The attacker configures a host to act like a switch (switch spoofing) to take advantage of
automatic trunk negotiation, which is enabled by default on most Cisco switch ports
(DTP mode dynamic auto or dynamic desirable).
VLAN Hopping Attacks
Expected results
A VLAN hopping attack enables traffic from one VLAN to be seen by another VLAN
without the aid of a router.
VLAN Hopping Attacks
Details
The attacker configures the host to spoof 802.1Q signaling and Cisco-proprietary Dynamic
Trunking Protocol (DTP) signaling (for example by announcing itself as dynamic desirable) to trunk with the connecting switch.
- (If successful) the switch establishes a trunk link with the host
- The attacker can now access all the VLANs allowed on that trunk, sending and receiving tagged traffic on
any of them, effectively hopping between VLANs without passing through a router
VLAN double-tagging Attacks
Attacks modus operandi
The attacker sends double-tagged frames (two stacked 802.1Q tags) into a switch that forwards
them over a trunk. The outer tag carries the native VLAN of the trunk, the inner tag carries the
target VLAN. Because native VLAN traffic is sent untagged on the trunk, the first switch strips the
outer tag and forwards the frame with the inner tag still in place; the switch at the far end of the
trunk reads the inner tag as a normal VLAN tag and delivers the frame into the target VLAN.
VLAN double-tagging Attacks
Expected results
Send data to hosts on VLANs supposedly blocked to the hacker.
VLAN double-tagging Attacks
Limitation
A VLAN double-tagging attack is unidirectional (the victim's replies stay in the victim's VLAN and
never come back to the attacker) and works only when the attacker is connected to a port residing
in the same VLAN as the native VLAN of the trunk port, because only native VLAN frames leave the
trunk untagged. The frame must also cross a trunk to a second switch: the first switch only strips
the outer tag, it is the far-end switch that acts on the inner one.
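The attack and its limitation, as an added worked example that is not part of the original flashcards: a small Python model of two switches joined by a trunk. It builds real 802.1Q frame bytes and applies the forwarding rules described above (native VLAN leaves the trunk untagged; the far-end switch interprets whatever tag is left). The access-port rule used here (a tagged frame is accepted on an access port only when its tag equals the access VLAN) is a modelling assumption, as are the MAC addresses and payload, which are constructed sample data. The `tag_native` switch models a trunk configured to tag its native VLAN (Cisco `vlan dot1q tag native`), and the last scenario models the mitigation of moving the native VLAN away from the attacker's port.

```python
import struct

ETHERTYPE_8021Q = 0x8100   # TPID that marks an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800

# Constructed sample addresses and payload (not captured traffic).
ATTACKER_MAC = bytes.fromhex("0200000000aa")
VICTIM_MAC = bytes.fromhex("0200000000bb")
PAYLOAD = b"hello from the wrong VLAN"


def build_frame(dst, src, vlan_tags, payload, ethertype=ETHERTYPE_IPV4):
    """Ethernet frame with zero or more stacked 802.1Q tags, outermost first."""
    frame = dst + src
    for vid in vlan_tags:
        # TPID 0x8100 followed by the TCI: PCP=0, DEI=0, 12-bit VID
        frame += struct.pack("!HH", ETHERTYPE_8021Q, vid & 0x0FFF)
    return frame + struct.pack("!H", ethertype) + payload


def pop_tag(frame):
    """Return (vid, frame without its outer tag), or (None, frame) if untagged."""
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_8021Q:
        return None, frame
    vid = struct.unpack("!H", frame[14:16])[0] & 0x0FFF
    return vid, frame[:12] + frame[16:]


def push_tag(frame, vid):
    """Insert an 802.1Q tag directly after the two MAC addresses."""
    return frame[:12] + struct.pack("!HH", ETHERTYPE_8021Q, vid) + frame[12:]


def access_ingress(frame, access_vlan):
    """Switch A, access port. Modelled rule (assumption): untagged frames join
    access_vlan; a frame tagged with the access VLAN itself is accepted and the
    tag is stripped; a frame carrying any other tag is dropped."""
    vid, inner = pop_tag(frame)
    if vid is None:
        return access_vlan, frame
    if vid == access_vlan:
        return access_vlan, inner
    return None, None


def trunk_egress(vlan, frame, native_vlan, tag_native=False):
    """Switch A puts the frame on the trunk: native VLAN traffic goes out
    untagged unless the switch is told to tag it (tag_native)."""
    if vlan == native_vlan and not tag_native:
        return frame
    return push_tag(frame, vlan)


def trunk_ingress(frame, native_vlan):
    """Switch B reads the trunk: a tagged frame belongs to its VID, an untagged
    one to the native VLAN. Any further tag left inside is just payload to B."""
    vid, inner = pop_tag(frame)
    return (native_vlan, frame) if vid is None else (vid, inner)


def deliver(frame, attacker_vlan, native_vlan, tag_native=False):
    """VLAN on switch B in which the attacker's frame lands (None if A drops it)."""
    vlan_a, f = access_ingress(frame, attacker_vlan)
    if vlan_a is None:
        return None
    on_wire = trunk_egress(vlan_a, f, native_vlan, tag_native)
    vlan_b, _ = trunk_ingress(on_wire, native_vlan)
    return vlan_b


def double_tag_attack(attacker_vlan, native_vlan, target_vlan, tag_native=False):
    """Attacker sends outer tag = trunk native VLAN, inner tag = target VLAN.
    Returns the VLAN the frame is delivered to on switch B."""
    frame = build_frame(VICTIM_MAC, ATTACKER_MAC, [native_vlan, target_vlan], PAYLOAD)
    return deliver(frame, attacker_vlan, native_vlan, tag_native)


if __name__ == "__main__":
    print("attacker on native VLAN 1, default trunk  ->", double_tag_attack(1, 1, 20))
    print("attacker on VLAN 10, native VLAN 1        ->", double_tag_attack(10, 1, 20))
    print("attacker on VLAN 1, trunk tags native VLAN->", double_tag_attack(1, 1, 20, tag_native=True))
    print("attacker on VLAN 1, native VLAN moved to 999 ->", double_tag_attack(1, 999, 20))
```

The first scenario reaches VLAN 20 even though the attacker's port is in VLAN 1; the other three fail for the reasons the cards give: the outer tag no longer matches the attacker's access VLAN, or the native VLAN is never sent untagged, so switch B only ever sees the outer tag.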
VLAN attacks
Mitigation
Disable trunking on all access ports (switchport mode access), so the port never answers DTP
Disable auto trunking on trunk links so that trunks must be manually enabled (switchport mode trunk plus switchport nonegotiate)
Be sure that the native VLAN is only used for trunk links: pick a dedicated, otherwise unused VLAN as the native VLAN, assign no access port or host to it, and optionally make the switch tag native VLAN frames on trunks (global command vlan dot1q tag native) so no frame leaves a trunk untagged
VLAN attacks
Mitigation: Cisco commands
On Cisco switches
Step 1: Disable DTP (auto trunking) negotiations on non-trunking ports by using the
“switchport mode access” interface configuration command. Note that a port with no “switchport mode” line in the running-config is still in the factory default (dynamic auto or dynamic desirable, depending on platform) and will negotiate a trunk.
Step 2: Disable unused ports (“shutdown”) and put them in an unused VLAN (“switchport access vlan vlan_number”) that is neither VLAN 1 nor the native VLAN of any trunk.
Step 3: Manually enable the trunk link on a trunking port by using the “switchport mode trunk” command.
Step 4: Disable DTP (auto trunking) negotiations on trunking ports by using the “switchport nonegotiate” command. The command is only accepted on a port whose mode is access or trunk, not on a dynamic port, so it follows Step 3.
Step 5: Set the native VLAN to a VLAN other than VLAN 1 by using the “switchport trunk native vlan vlan_number” command. Choose an unused VLAN with no hosts, and configure the same native VLAN at both ends of the trunk: a mismatch (reported by CDP as a native VLAN mismatch) leaks untagged frames between two different VLANs.
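A way to check a switch against the five steps above, as an added example that is not part of the original flashcards or of any Cisco tooling: a Python audit of an IOS `show running-config` text. The configuration it reads is a constructed sample containing one weak and one hardened access port, a parked unused port, a weak and a hardened trunk. Assumptions (labelled in the code): a port without a “switchport mode” line is treated as the DTP factory default, the access and native VLAN default to 1, and SVIs, loopbacks and routed ports (“no switchport”) are skipped. The finding codes are this example's own.

```python
# Constructed sample running-config (not from a real device).
SAMPLE_CONFIG = """\
hostname SW1
!
interface GigabitEthernet1/0/1
 description user port, factory DTP default
 switchport mode dynamic auto
!
interface GigabitEthernet1/0/2
 description user port, hardened (step 1)
 switchport mode access
 switchport access vlan 10
!
interface GigabitEthernet1/0/3
 description unused port, parked (step 2)
 switchport mode access
 switchport access vlan 998
 shutdown
!
interface GigabitEthernet1/0/4
 description access port left in VLAN 1
 switchport mode access
!
interface GigabitEthernet1/0/24
 description uplink, weak: DTP on, native VLAN 1
 switchport mode trunk
!
interface GigabitEthernet1/0/25
 description uplink, hardened (steps 3-5)
 switchport mode trunk
 switchport trunk native vlan 999
 switchport nonegotiate
!
interface Vlan1
 no ip address
 shutdown
!
"""

SKIP_PREFIXES = ("Vlan", "Loopback", "Tunnel")   # not switchports


def parse_interfaces(config_text):
    """Split an IOS running-config into {interface name: [indented commands]}."""
    interfaces, current = {}, None
    for line in config_text.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None          # '!' or any top-level line ends the block
    return interfaces


def port_settings(cmds):
    """Reduce the interface commands to the settings the five steps care about.
    Assumption (platform-dependent): no 'switchport mode' line means the factory
    DTP default (dynamic auto/desirable); access and native VLAN default to 1."""
    s = {"switchport": True, "mode": None, "access_vlan": 1, "native_vlan": 1,
         "nonegotiate": False, "shutdown": False}
    for c in cmds:
        if c == "no switchport":
            s["switchport"] = False
        elif c.startswith("switchport mode "):
            s["mode"] = c[len("switchport mode "):]
        elif c.startswith("switchport access vlan "):
            s["access_vlan"] = int(c.split()[-1])
        elif c.startswith("switchport trunk native vlan "):
            s["native_vlan"] = int(c.split()[-1])
        elif c == "switchport nonegotiate":
            s["nonegotiate"] = True
        elif c == "shutdown":
            s["shutdown"] = True
    return s


def audit(config_text):
    """Return {interface: [finding codes]} for the mitigations on this page."""
    ports = {name: port_settings(cmds)
             for name, cmds in parse_interfaces(config_text).items()
             if not name.startswith(SKIP_PREFIXES)}
    ports = {n: p for n, p in ports.items() if p["switchport"]}
    trunk_natives = {p["native_vlan"] for p in ports.values() if p["mode"] == "trunk"}
    findings = {}
    for name, p in ports.items():
        f = []
        if p["mode"] is None or p["mode"].startswith("dynamic"):
            f.append("DTP_NEGOTIATION")            # step 1: a spoofing host can form a trunk
        if p["mode"] == "trunk":
            if not p["nonegotiate"]:
                f.append("TRUNK_NO_NONEGOTIATE")   # step 4: trunk still talks DTP
            if p["native_vlan"] == 1:
                f.append("NATIVE_VLAN_1")          # step 5
        if p["mode"] == "access" and p["access_vlan"] in trunk_natives:
            f.append("ACCESS_ON_NATIVE_VLAN")      # a host sits on a trunk's native VLAN
        findings[name] = f
    return findings


if __name__ == "__main__":
    for name, f in audit(SAMPLE_CONFIG).items():
        print(f"{name:26} {'OK' if not f else ', '.join(f)}")
```

Gi1/0/4 is flagged even though it is a plain access port: it sits in VLAN 1, which is the native VLAN of the weak trunk Gi1/0/24, exactly the position a double-tagging attacker needs. Step 2 (which ports are unused) cannot be judged from the configuration alone, so the script does not try.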