VLAN Hopping Attack
A VLAN hopping attack allows traffic from one VLAN to pass into another VLAN without first being routed.
VLAN hopping can bypass any security measures in place on the device that routes between the VLANs. Hackers use VLAN hopping to capture sensitive information such as bank account details and passwords from targeted network users. VLAN hopping is also used by some attackers to corrupt, modify, or delete data on the end user's computer, and to propagate viruses, worms, Trojan horses, and other malicious programs such as malware and spyware.
Two common methods of VLAN hopping are switch spoofing and double tagging.
By default, Ethernet trunks on Cisco Catalyst switches carry traffic for all VLANs.
Some Cisco Catalyst switch ports default to auto mode for trunking, which means that the ports automatically become trunk ports if they receive Dynamic Trunking Protocol (DTP) frames.
An attacker could attempt to make the victim's switch enter trunking mode, either by spoofing DTP frames (with tools like Yersinia) or by connecting a real switch.
a. Disable trunking on all ports that do not need to form trunks:
interface ethernet 0/1
 switchport mode access
b. Prevent the use of DTP on ports that must be trunks (an explicit trunk mode alone still sends DTP frames; switchport nonegotiate stops them):
interface ethernet 0/2
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
Keep in mind that on an IEEE 802.1Q trunk (and only on a dot1q trunk), frames belonging to the native VLAN are sent from one switch to another without any tag.
If an attacker's PC belongs to the native VLAN, the attacker could exploit this native VLAN characteristic to send traffic that has two 802.1Q tags. The outer tag is for the native VLAN; the inner tag is for the target VLAN into which the attacker wants to inject traffic.
As illustrated in the figure below, SW1 removes the outer tag (which specifies the native VLAN) from the frame before forwarding it to SW2. When it receives the frame, SW2 "sees" only the inner tag (VLAN 100) and sends the traffic out to the target VLAN.
To help prevent a VLAN hopping attack using double tagging, do not use the native VLAN to carry users' traffic. This can be accomplished by creating a VLAN that does not have any ports assigned to it. This unused VLAN is solely for the purpose of native VLAN assignment:
interface gigabitethernet 0/3
 switchport trunk native vlan 400
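The double-tagging behaviour and the effect of the unused native VLAN, as an added example that is not part of the original page: the script parses stacked 802.1Q tags, flags double-tagged frames (which a monitoring port on an access segment should never see), and runs a simplified model of SW1 and SW2 to show which VLAN SW2 assigns the frame to. The frame bytes, VLAN numbers and the switch model are constructed assumptions, not captured traffic.

```python
import struct

TPID_8021Q = 0x8100  # EtherType that announces an 802.1Q tag


def parse_tags(frame: bytes):
    """Split an Ethernet frame into (dst, src, [VLAN IDs, outer first], ethertype, payload)."""
    dst, src = frame[:6], frame[6:12]
    offset, vids = 12, []
    ethertype = struct.unpack_from("!H", frame, offset)[0]
    while ethertype == TPID_8021Q:          # walk every stacked tag
        tci = struct.unpack_from("!H", frame, offset + 2)[0]
        vids.append(tci & 0x0FFF)           # low 12 bits of the TCI are the VLAN ID
        offset += 4
        ethertype = struct.unpack_from("!H", frame, offset)[0]
    return dst, src, vids, ethertype, frame[offset + 2:]


def build_frame(dst, src, vids, ethertype, payload):
    """Assemble a frame carrying the given tags in order (outer first)."""
    tags = b"".join(struct.pack("!HH", TPID_8021Q, v & 0x0FFF) for v in vids)
    return dst + src + tags + struct.pack("!H", ethertype) + payload


def is_double_tagged(frame: bytes) -> bool:
    """Detection helper: a frame arriving from an end host should never carry two 802.1Q tags."""
    return len(parse_tags(frame)[2]) >= 2


def vlan_seen_by_sw2(frame: bytes, access_vlan: int, native_vlan: int) -> int:
    """Simplified model (assumption) of SW1 access ingress, SW1 trunk egress and SW2 trunk ingress.
    Returns the VLAN that SW2 assigns the frame to."""
    dst, src, vids, ethertype, payload = parse_tags(frame)
    if vids and vids[0] == access_vlan:     # SW1 consumes the outer tag that matches the port's VLAN
        vids = vids[1:]
    if access_vlan != native_vlan:          # SW1 tags the frame on the trunk unless it is native VLAN traffic
        vids = [access_vlan] + vids
    on_wire = build_frame(dst, src, vids, ethertype, payload)
    wire_vids = parse_tags(on_wire)[2]
    return wire_vids[0] if wire_vids else native_vlan   # SW2: outer tag, or native VLAN if untagged


# Constructed sample: PC in VLAN 1 sends outer tag 1 (native) and inner tag 100 (target VLAN)
ATTACK_FRAME = build_frame(b"\xff" * 6, b"\x02\x00\x00\x00\x00\x01", [1, 100], 0x0800, b"\x00" * 4)

if __name__ == "__main__":
    print(is_double_tagged(ATTACK_FRAME))            # True
    print(vlan_seen_by_sw2(ATTACK_FRAME, 1, 1))      # 100: native VLAN 1 exposes the inner tag
    print(vlan_seen_by_sw2(ATTACK_FRAME, 1, 400))    # 1: unused native VLAN 400 keeps it in VLAN 1
```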