VLAN security means organising VLAN usage so that a host cannot access traffic carried in any VLAN except those it is authorised to reach. It is commonly assumed that once traffic is isolated within a VLAN, other network members without direct access to that VLAN can neither view it nor, still less, modify it. In fact this is only partly true: if the switch is configured incorrectly, there are many ways to force it to deliver the tagged traffic of many VLANs to a port instead of the traffic of a single VLAN. This is possible only when the switch is misconfigured.
Most often, VLAN technology is used to place computers attached to different physical routers into a single subnet (e.g. machines located in different offices). From an information security point of view it also has many advantages: not only does it protect devices on one subnet from unauthorised access from another, it also makes security policies easier to manage, because a policy can be applied to a whole subnet rather than to individual devices.
To make full use of VLANs you need professional networking equipment, although some home routers, such as Keenetic, also support this technology.
Any packet travelling between VLANs must pass through a router or another layer 3 device. Security is one of the many reasons why network administrators configure VLANs. With an exploit known as VLAN hopping, however, an attacker can bypass these security controls.
The attacker sends a DTP (Dynamic Trunking Protocol) packet through his port, telling the switch that the port is a trunk (i.e. that tagged traffic of several VLANs is carried over it). For this to work the port must be configured accordingly; otherwise such frames are not processed.
This type of exploit lets an attacker bypass any layer 2 restrictions put in place to separate hosts. If the switch port is configured correctly, the attacker has to go through the router and any other layer 3 devices to reach his target. However, many networks either have poor VLAN implementations or have misconfigurations that allow attackers to perform this exploit. In this article I will discuss the two main VLAN hopping methods, known as switch spoofing and double tagging. I will then talk about mitigation.
It is critical to understand how switches work if we want to find and exploit their vulnerabilities. What gets exploited is not so much the device itself as the protocols and configurations that tell it how to behave.
A switch port is configured either as an access port or as a trunk port. An access port is normally used where a host is connected to the switch; in a VLAN implementation each access port is assigned exactly one VLAN. A trunk port is used where two switches, or a switch and a router, are connected, and it carries the traffic of multiple VLANs. A trunk port can be configured manually or created dynamically using the Dynamic Trunking Protocol (DTP).
DTP is a proprietary Cisco protocol whose only purpose is to dynamically establish a trunk link between two switches.
Switch Spoofing VLAN Attack
The attacker acts as a switch to trick a legitimate switch into forming a trunk link between them. As mentioned earlier, packets from any VLAN can pass over a trunk, so once the trunk is established the attacker has access to traffic from every VLAN. The attack only succeeds if the target switch port is configured to negotiate trunking, which is the case when the interface is set to “dynamic desirable”, “dynamic auto” or “trunk” mode. If the target switch has one of these modes configured, the attacker can generate a DTP message from his computer and a trunk link will be formed.
Double Tagging VLAN Attack
Double tagging occurs when an attacker adds and alters the tags on an Ethernet frame so that the packet can be sent into any VLAN. The attack takes advantage of how many switches handle the tags: most switches strip only the outer tag and forward the frame out the ports carrying that (native) VLAN, leaving the inner tag in place. Consequently, the exploit only succeeds if the attacker's own VLAN is the native VLAN of the trunk. Another important point is that this attack is strictly one-way: no return path is encapsulated.
VLAN Hopping Exploit
To run Yersinia:
Here’s a quick look at the graphical interface:
Scapy Documentation – //scapy.readthedocs.io/en/latest/usage.html
Using the sendp() function to build and send the packet:
>>> from scapy.all import Ether, Dot1Q, IP, ICMP, sendp
>>> sendp(Ether()/Dot1Q(vlan=1)/Dot1Q(vlan=2)/IP(dst='<destination IP>', src='<source IP>')/ICMP())
This creates a double 802.1Q-encapsulated packet destined for the target on VLAN 2. Take a look at the following topology to see how the switches handle this frame.
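The tag stack described above is easy to inspect at the frame level. The following Python code is an added example and is not part of the original article: it decodes the 802.1Q/802.1ad tags of a raw Ethernet frame and applies the detection rule a monitor on a trunk would use, flagging frames that carry a second tag underneath an outer tag equal to the trunk's native VLAN. The frame bytes, MAC addresses, payload and native VLAN number are all constructed for the example.

```python
# Added example for this article (not the article's own code): decode the
# 802.1Q tag stack of a raw Ethernet frame and flag the double-tag pattern.
import struct
from dataclasses import dataclass
from typing import List

ETHERTYPE_8021Q = 0x8100    # customer VLAN tag (802.1Q)
ETHERTYPE_8021AD = 0x88A8   # service VLAN tag (802.1ad / QinQ)
VLAN_TAG_TYPES = {ETHERTYPE_8021Q, ETHERTYPE_8021AD}


@dataclass
class ParsedFrame:
    dst: str
    src: str
    vlans: List[int]    # VLAN IDs from the outermost tag inwards
    ethertype: int      # EtherType of the payload after the last tag
    payload: bytes


def parse_frame(frame: bytes) -> ParsedFrame:
    """Walk the Ethernet header and every stacked VLAN tag."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst = frame[0:6].hex(":")
    src = frame[6:12].hex(":")
    offset = 12
    vlans: List[int] = []
    ethertype = struct.unpack("!H", frame[offset:offset + 2])[0]
    while ethertype in VLAN_TAG_TYPES:
        # a tag is TPID (already read as ethertype) + 2-byte TCI; the next
        # EtherType must also be present, hence offset + 6
        if len(frame) < offset + 6:
            raise ValueError("truncated VLAN tag")
        tci = struct.unpack("!H", frame[offset + 2:offset + 4])[0]
        vlans.append(tci & 0x0FFF)      # low 12 bits of the TCI are the VLAN ID
        offset += 4
        ethertype = struct.unpack("!H", frame[offset:offset + 2])[0]
    return ParsedFrame(dst, src, vlans, ethertype, frame[offset + 2:])


def is_double_tag_attempt(parsed: ParsedFrame, native_vlan: int) -> bool:
    """Detection rule: a second tag hidden under an outer tag equal to the
    trunk's native VLAN, which is exactly the tag a switch strips before forwarding."""
    return len(parsed.vlans) >= 2 and parsed.vlans[0] == native_vlan


def scan_frames(frames, native_vlan: int):
    """Return (index, source MAC, VLAN stack) for every frame matching the rule."""
    alerts = []
    for i, frame in enumerate(frames):
        parsed = parse_frame(frame)
        if is_double_tag_attempt(parsed, native_vlan):
            alerts.append((i, parsed.src, parsed.vlans))
    return alerts


# Constructed sample frames (MAC addresses, VLAN IDs and payload are made up).
# Layout: dst MAC | src MAC | [TPID TCI]* | EtherType | payload
_MACS = "001122334455" "66778899aabb"
_PAYLOAD = "45000014000100004001deadc0a80a01c0a8140a"   # 20 dummy bytes
DOUBLE_TAGGED = bytes.fromhex(_MACS + "8100" "0001" + "8100" "0002" + "0800" + _PAYLOAD)
SINGLE_TAGGED = bytes.fromhex(_MACS + "8100" "0002" + "0800" + _PAYLOAD)
UNTAGGED = bytes.fromhex(_MACS + "0800" + _PAYLOAD)
SAMPLE_FRAMES = [UNTAGGED, SINGLE_TAGGED, DOUBLE_TAGGED]

if __name__ == "__main__":
    for index, src, stack in scan_frames(SAMPLE_FRAMES, native_vlan=1):
        print(f"frame {index}: double-tagged frame from {src}, VLAN stack {stack}")
```

On a correctly built trunk, native VLAN traffic normally travels untagged, so any frame arriving with the native VLAN as its outer tag deserves a look on its own; the rule above only fires when a second tag sits beneath it, which is the combination the attack needs.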
How can you protect against this?
To prevent a switch spoofing attack you need to take a few steps:
- Do not configure access ports in any of the following modes: “dynamic desirable”, “dynamic auto” or “trunk”.
- Configure access ports manually and disable DTP on all access ports:
- switchport mode access
- switchport nonegotiate
- Configure all trunk ports manually and disable DTP on all trunk ports:
- switchport mode trunk
- switchport nonegotiate
- Shut down all interfaces that are not currently in use.
To prevent double tagging attacks, set the native VLAN on all trunk ports to a VLAN that is not used by any access port. Switches were not designed to be secure, so it is important to apply security measures at every level. If you take the time to segment the network, make sure it is done correctly and securely, and be careful when setting up your network.
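The steps above and the native VLAN rule can be checked mechanically. The following Python audit is an added example and not part of the original article: it parses a Cisco IOS-style running-config and reports every interface that is left in a DTP-negotiable mode, lacks "switchport nonegotiate", is a trunk whose native VLAN is still 1 or coincides with an access VLAN, or has no switchport mode and is not shut down (on most Catalyst switches that default leaves DTP enabled). The configuration text, interface names, descriptions and VLAN numbers are constructed for the example.

```python
# Added example for this article (not the article's own code): audit a
# Cisco IOS-style running-config for the weaknesses the article describes.
import re
from collections import defaultdict
from typing import Dict, List, Optional

DEFAULT_NATIVE_VLAN = 1   # IOS uses VLAN 1 as native when none is configured

# Constructed sample configuration: interface names, descriptions and VLAN
# numbers are made up; four interfaces are weak, two hardened, one shut down.
SAMPLE_CONFIG = """\
!
interface GigabitEthernet0/1
 description user port left at its default
 switchport mode dynamic desirable
!
interface GigabitEthernet0/2
 description user port, hardened
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
!
interface GigabitEthernet0/3
 description user port, DTP still enabled
 switchport mode access
 switchport access vlan 20
!
interface GigabitEthernet0/23
 description unused and not shut down
!
interface GigabitEthernet0/24
 description uplink with native VLAN shared with users
 switchport mode trunk
 switchport trunk native vlan 10
!
interface GigabitEthernet0/25
 description uplink, hardened
 switchport mode trunk
 switchport trunk native vlan 999
 switchport nonegotiate
!
interface GigabitEthernet0/26
 description spare, shut down
 shutdown
!
"""


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Return {interface name: [its indented config lines]}."""
    interfaces: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None          # "!" or a global command ends the block
    return interfaces


def _mode(lines: List[str]) -> Optional[str]:
    for line in lines:
        if line.startswith("switchport mode "):
            return line[len("switchport mode "):]
    return None


def _native_vlan(lines: List[str]) -> int:
    for line in lines:
        m = re.fullmatch(r"switchport trunk native vlan (\d+)", line)
        if m:
            return int(m.group(1))
    return DEFAULT_NATIVE_VLAN


def audit(config: str) -> Dict[str, List[str]]:
    """Return {interface: [findings]}; interfaces without findings are omitted."""
    interfaces = parse_interfaces(config)
    access_vlans = set()
    for lines in interfaces.values():
        for line in lines:
            m = re.fullmatch(r"switchport access vlan (\d+)", line)
            if m:
                access_vlans.add(int(m.group(1)))

    findings: Dict[str, List[str]] = defaultdict(list)
    for name, lines in interfaces.items():
        if "shutdown" in lines:
            continue                              # unused port correctly disabled
        mode = _mode(lines)
        if mode is None:
            findings[name].append("no explicit switchport mode and not shut down "
                                  "(Catalyst default leaves DTP enabled)")
            continue
        if mode.startswith("dynamic"):
            findings[name].append(f"mode '{mode}' negotiates trunking: switch spoofing possible")
        elif "switchport nonegotiate" not in lines:
            findings[name].append(f"mode '{mode}' without 'switchport nonegotiate': DTP not disabled")
        if mode == "trunk":
            native = _native_vlan(lines)
            if native == DEFAULT_NATIVE_VLAN:
                findings[name].append("native VLAN left at default 1")
            if native in access_vlans:
                findings[name].append(f"native VLAN {native} is also an access VLAN: double tagging possible")
    return dict(findings)


if __name__ == "__main__":
    for name, problems in audit(SAMPLE_CONFIG).items():
        for problem in problems:
            print(f"{name}: {problem}")
```

Run against the sample, the audit flags GigabitEthernet0/1, 0/3, 0/23 and 0/24 and stays silent on the two hardened interfaces and the shut-down spare; in practice the same function can be pointed at the output of "show running-config" collected from each switch.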
Source: //hackfix.ru/ and //habr.com/ and //www.kaspersky.ru/.