VLAN Hopping and Switch Spoofing Flashcards

1
Q

What is VLAN hopping?

A

When a client double-tags a frame so that the outer tag is stripped at the trunk and the receiving switch forwards the frame to the VLAN in the inner tag.

2
Q

What must be in place for VLAN hopping to be successful?

A

The malicious host must be connected to an access port that is in the same VLAN as the trunk's native VLAN.

3
Q

What is switch spoofing?

A

When a malicious host forms a trunk with a switch by sending DTP frames out of a port.

4
Q

What two steps can be taken to help prevent VLAN hopping? (Choose two)

A. Place unused ports in a common unrouted VLAN
B. Enable BPDU guard
C. Implement port security
D. Prevent automatic trunk configuration
E. Disable CDP on ports where it is not necessary

A

Answer: A D

Explanation

VLAN Hopping: By altering the VLAN ID on packets encapsulated for trunking, an attacking device can send or receive packets on various VLANs, bypassing Layer 3 security measures. VLAN hopping can be accomplished by switch spoofing or double tagging.

1) Switch spoofing:

[Figure: Switch_Spoofing.jpg]

The attacker can connect an unauthorized Cisco switch to a Company switch port. The unauthorized switch can send DTP frames and form a trunk with the Company Switch. If the attacker can establish a trunk link to the Company switch, it receives traffic to all VLANs through the trunk because all VLANs are allowed on a trunk by default.

(Instead of using a Cisco switch, the attacker can use software to create and send DTP frames.)

2) Double-Tagging:

[Figure: Double_Tagging.jpg]

In this attack, the attacking computer generates frames with two 802.1Q tags. The first tag matches the native VLAN of the trunk port (VLAN 10 in this case), and the second matches the VLAN of a host it wants to attack (VLAN 20).

When the frame from the attacker reaches Switch A, Switch A only sees the outer tag, VLAN 10. That matches its native VLAN 10, so this tag is removed. Switch A forwards the frame out all trunk links that use native VLAN 10. Switch B receives the frame with a tag of VLAN 20, removes this tag, and forwards the frame to the victim computer.

Note: This attack only works if the trunk (between the two switches) has the same native VLAN as the attacker's access VLAN.

Note that the attacker can still carry out the attack when connected to an access port. You may wonder what a switch does when it receives tagged traffic on an access port. Here is the answer quoted from the Cisco site:

Traffic arriving on an access port is assumed to belong to the VLAN assigned to the port. If an access port receives a tagged packet (Inter-Switch Link [ISL] or 802.1Q tagged) for the VLAN assigned to the port, the packet is forwarded. If the port receives a tagged packet for another VLAN, the packet is dropped, the source address is not learned, and the frame is counted in the No destination statistic.

(Reference: http://www.cisco.com/en/US/docs/switches/lan/catalyst3550/software/release/12.1_19_ea1/configuration/guide/swint.html#wp1107751)

So in this case, the attacker is on VLAN 10, which is also the native VLAN, so the packet is forwarded.

To mitigate VLAN Hopping, the following things should be done:

1) If no trunking is required, configure the port as an access port; this also disables trunking on that interface:

Switch(config-if)# switchport mode access

2) If trunking is required, configure the port with nonegotiate to prevent DTP frames from being sent:

Switch(config-if)# switchport mode trunk
Switch(config-if)# switchport nonegotiate

Therefore answer D – Prevent automatic trunk configuration is correct.

3) Set the native VLAN to an unused VLAN and don’t use this VLAN for any other purpose:

Switch(config-if)# switchport trunk native vlan VLAN-ID

4) Force the switch to tag the native VLAN on all its 802.1Q trunks:

Switch(config)# vlan dot1q tag native

In this question, answer A – Place unused ports in a common unrouted VLAN is also correct because the Double-Tagging method requires the attacker’s port to be in the same VLAN as the native VLAN; placing these ports in an unrouted VLAN puts them in a different VLAN from the native VLAN.

6
Q

What is one method that can be used to prevent VLAN hopping on the network?

A. Configure VACLs.
B. Configure all frames with two 802.1Q headers.
C. Enforce username/password combinations.
D. Explicitly turn off Dynamic Trunking Protocol (DTP) on all unused ports.
E. All of the above

A

Answer: D

Explanation

Disable DTP so that the switchport will not negotiate trunking on the link with this command:

Switch(config-if)# switchport nonegotiate

Or, better, configure it as an access port:

Switch(config-if)# switchport mode access

Note: VACLs should only be used to mitigate DHCP Snooping (by filtering out DHCP replies from outside ports), not VLAN Hopping.

7
Q

Which two statements about VLAN hopping are true? (Choose two)

A. Attacks are prevented by utilizing the port-security feature.
B. An end station attempts to gain access to all VLANs by transmitting Ethernet frames in the 802.1q encapsulation.
C. Configuring an interface with the “switchport mode dynamic” command will prevent VLAN hopping.
D. An end station attempts to redirect VLAN traffic by transmitting Ethernet frames in the 802.1q encapsulation.
E. Configuring an interface with the “switchport mode access” command will prevent VLAN hopping.

A

Answer: B E

Explanation

Please read the explanation of Question 1.

8
Q

When an attacker is using switch spoofing to perform VLAN hopping, how is the attacker able to gather information?

A. The attacking station uses DTP to negotiate trunking with a switch port and captures all traffic that is allowed on the trunk.
B. The attacking station tags itself with all usable VLANs to capture data that is passed through the switch, regardless of the VLAN to which the data belongs.
C. The attacking station will generate frames with two 802.1Q headers to cause the switch to forward the frames to a VLAN that would be inaccessible to the attacker through legitimate means.
D. The attacking station uses VTP to collect VLAN information that is sent out and then tags itself with the domain information in order to capture the data.

A

Answer: A

Explanation

Please read the explanation of Question 1.

9
Q

How do you prevent switch spoofing?

A

By configuring every switch port to have an expected and controlled behavior. The best way to prevent a basic switch spoofing attack is to turn off trunking on all ports except the ones that specifically require trunking. On the required trunking ports, disable DTP and manually enable trunking.

1) Never leave an access port in “dynamic desirable”, “dynamic auto” or “trunk” mode.
2) Hardcode all the access ports as access ports and disable DTP everywhere.
3) Hardcode all the trunk ports as trunk ports and never enable DTP on trunk ports.
4) Shut down all the interfaces which are not in use.

10
Q

How do you prevent VLAN hopping?

A

Set the native VLAN of a trunk to a bogus or unused VLAN ID, then prune the native VLAN off both ends of the trunk. Make sure that your native trunk VLAN is not active on any access ports.
