VLAN Hopping

This topic is to discuss the following lesson:

Dear René,

Thank you very much for this great job!

I have a couple of questions about double tagging:

To be effective and exploited, does this attack mean that the attacker's frame is not already in a port with a VLAN other than the native VLAN?

In this sentence: “When the switch receives the frame, it will remove the first 802.1Q tag and forwards the frame with the second 802.1Q tag on its trunk interface(s).” Why does the switch remove the first tag when it "enters" the trunk? Removing tags occurs when the frame exits the trunk to be delivered to the destination host, doesn't it?

If it is a "native VLAN", does the switch remove the tag at the entry of the trunk? We use the native VLAN to specify untagged frames?

To be honest, this is not very clear to me :)

Prince

Hi Prince,

Normally, when a switch receives a tagged frame, it will remove the tag and then forward it on access interfaces or other trunks. If it is sent on other trunk interfaces, then it will be tagged again.

With VLAN hopping, the VLAN of the attacker has to be the same as the native VLAN on the trunk. Here’s what happens:

  1. The attacker sends a double-tagged frame with an inner (20) and outer (1) VLAN tag. The outer tag matches the native VLAN of the trunk.
  2. The switch receives the double-tagged frame, looks at the outer VLAN (1) tag and removes it.
  3. The switch forwards the frame on all interfaces that belong to the native VLAN (1); this includes trunks.
  4. The frame (with one tag left) is forwarded to the other switch, which looks at the VLAN (2) tag and forwards it on all interfaces that belong to that VLAN 20.

Hope this helps!

Rene
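
Added example (not part of the original thread): the tag handling from the four steps above, traced on frame bytes, with a check that flags a frame whose outer 802.1Q tag equals the trunk's native VLAN. The function names and the sample frame are constructed for illustration, and only TPID 0x8100 tags are considered.

```python
import struct

TPID_8021Q = 0x8100  # 802.1Q tag protocol identifier

def parse_vlan_tags(frame: bytes):
    """Return ([vlan ids, outermost first], ethertype) for an Ethernet frame."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    offset, vlans = 12, []  # skip destination and source MAC
    (ethertype,) = struct.unpack_from("!H", frame, offset)
    while ethertype == TPID_8021Q:
        if len(frame) < offset + 6:
            raise ValueError("truncated 802.1Q tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        vlans.append(tci & 0x0FFF)  # low 12 bits of the TCI are the VLAN ID
        offset += 4
        (ethertype,) = struct.unpack_from("!H", frame, offset)
    return vlans, ethertype

def strip_outer_tag(frame: bytes) -> bytes:
    """Model step 2: the first switch removes the outermost tag (4 bytes)."""
    vlans, _ = parse_vlan_tags(frame)
    return frame[:12] + frame[16:] if vlans else frame

def verdict(frame: bytes, native_vlan: int) -> str:
    """Flag stacked tags whose outer VLAN is the trunk's native VLAN."""
    vlans, _ = parse_vlan_tags(frame)
    if len(vlans) >= 2 and vlans[0] == native_vlan:
        return (f"ALERT: outer tag {vlans[0]} is the native VLAN, "
                f"inner tag {vlans[1]} survives onto the trunk")
    if len(vlans) >= 2:
        return "stacked tags, outer tag is not the native VLAN"
    return "ok"

# Constructed sample: broadcast frame, outer tag VLAN 1, inner tag VLAN 20,
# EtherType IPv4, zero-filled payload.
MACS = bytes.fromhex("ffffffffffff" "020000000001")
DOUBLE_TAGGED = MACS + bytes.fromhex("81000001" "81000014" "0800") + bytes(46)

if __name__ == "__main__":
    print(verdict(DOUBLE_TAGGED, native_vlan=1))
    # What the second switch sees after the first switch strips the outer tag:
    print(parse_vlan_tags(strip_outer_tag(DOUBLE_TAGGED)))
```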

For sure René, it helps a lot

Thank you again for the great job! Well done!

Prince

Hi, Rene.

I confess that this lesson is confusing, since I know frames that are received by the switch on access ports are dropped. The SW1 FastEthernet0/1 interface should be configured in trunk mode for this attack to work, correct?

Hi Stefanio,

I understand this can be confusing. When you read about VLAN hopping, they usually talk about interfaces in access mode that accept frames with two VLAN tags. The first tag is ignored, the second one allows you to jump from one VLAN to another.

The 3560 switch that I used didn’t like this at all… it does not accept a frame that is tagged if the interface is configured in access mode. I didn’t test it, but older switches (or IOS images), or other vendors' switches, might accept a double-tagged frame on an access mode interface, making VLAN hopping possible.

In my example, I had to set Fa0/1 on SW1 to trunk mode for it to accept double VLAN tags. On modern IOS switches, VLAN hopping on access mode interfaces is no longer an issue.