VLANs are designed to prevent communication between subnets. In this video, you’ll learn how an attacker can use VLAN hopping to circumvent VLAN segmentation.
If you look at the network configuration on your enterprise network, you’ll notice there are many different VLANs that have been configured. Sometimes, these VLANs are arranged organizationally, so you might have a VLAN for one particular part of a business and another VLAN that would handle another part of the business. Maybe there’s a network engineering VLAN or a separate VLAN just for security communication.
These VLANs are used as a way to segment the network, so if you’re on one VLAN, you don’t have access to devices that might be on a different VLAN. However, crafty attackers have found different ways to circumvent these existing security controls and move from one VLAN to another without going through a router. The two methods we’ll discuss that give an attacker a way to communicate between VLANs without authorization are switch spoofing and double tagging.
On many switches, a network administrator will specifically configure an interface on that switch to act as an access port. That means you’ll be plugging in a laptop, a desktop, or some other end-user station. You can also configure ports on a switch to be a trunk interface so that you can send many different VLANs over one single connection between switches.
Although the best practice is for a network administrator to manually make these configurations on a switch, there are configuration options in the switch to set up an automatic configuration. That means when you plug in your device, the switch will automatically determine whether that is an access device or a trunk connection. Another interesting part about this automatic configuration is that it doesn’t need any type of authentication.
This means that an attacker can find a way to make the switch interpret that connection as one thing or the other. An attacker could then plug in a laptop but tell the laptop to send trunk negotiation down that link to the switch. The switch on the other end will automatically configure it as a trunk connection because it assumes the device on the other end is a switch and not the attacker’s laptop.
Now that the attacker’s laptop is acting as a switch, it can send any information down that link on any particular VLAN and have that information switched off to the appropriate VLAN on the other side of that switch. Although this does require the attacker to have physical access to the switch, it’s a relatively easy way for the attacker to circumvent the VLAN segmentation that keeps one VLAN from communicating with another. This is why a best practice is for switch administrators to disable that automatic configuration process and manually configure each interface as either an access interface or a trunk interface.
Normally, when information is sent across the trunk, a tag is added to that frame that carries the VLAN information so it can be interpreted on the other side. If you add an additional tag to that same frame, you may be able to take advantage of double tagging, where the first switch interprets the first tag and sends the traffic on to another switch, where the second tag is then evaluated. This takes advantage of a feature in the switch called the native VLAN, which doesn’t require a tag to be present. So once the first tag, the native VLAN tag, is removed, the attacker’s fake tag can be used to send that traffic to any VLAN.
Although the attacker is double tagging this traffic to get it onto that external VLAN, there’s no way for the other VLAN to send that traffic back, since the users on that network are not going to be doing any type of double tagging. This means that it’s a one-way trip. This makes it very good for denial of service traffic, where you’re sending all of the information in one direction or you’re using an application that doesn’t require any type of response.
The way that you would prevent double tagging is to prevent anyone from using the native VLAN. You would change the native VLAN ID and force tagging of anyone who’s putting traffic onto the native VLAN. Let’s visually see how this double tagging process would work. We’ll start with an attacker who is on VLAN 10 and wants to send information to a victim on VLAN 20.
In between both of those is a trunk for both VLAN 10 and 20, and you’ll notice the native VLAN is VLAN 10. The attacker will begin by creating a specially crafted frame. This frame has an Ethernet header and data inside of it, just like any other Ethernet frame, but instead of having a single tag inside of it, there are two separate 802.1Q tags, one for VLAN 10 and one for VLAN 20.
That frame is sent to the first switch, where the native VLAN is 10, so the VLAN 10 tag is no longer needed. That means it will be removed from this Ethernet frame, and the only thing left would be the VLAN 20 tag. That frame is then sent to the other side of that communication.
The VLAN 20 tag is then identified within the frame. That switch removes it from the frame and places that data onto VLAN 20, where it finds its way to the victim. Although the victim doesn’t have a way to communicate back to the original attacker device, because that attacker is on a different VLAN, the attacker could send any type of traffic, and as much traffic as they would like, to this victim that is clearly on a completely different VLAN.
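As an added example, not part of the original video or transcript, the following Python model walks through the frame described above: it builds the two-tag 802.1Q stack, models the first switch dropping the outer tag when it matches the native VLAN, models the second switch placing the frame on VLAN 20, and then shows why changing the native VLAN ID or forcing native-VLAN tagging stops the trick. The switch behaviour is a simplified model, and the MAC addresses and payload are constructed sample values; the detection helper is an assumption about what a monitoring tap would look for.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tag

def build_frame(dst, src, vids, payload, ethertype=0x0800):
    """Build an Ethernet frame carrying zero or more 802.1Q tags, outermost first."""
    frame = dst + src
    for vid in vids:
        # TCI = PCP(3 bits) | DEI(1 bit) | VID(12 bits); priority 0, VID in the low 12 bits
        frame += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)
    return frame + struct.pack("!H", ethertype) + payload

def tag_stack(frame):
    """Return the VLAN IDs in the frame's 802.1Q tag stack, outermost first."""
    vids, off = [], 12  # tags start right after the 6-byte dst and src MACs
    while struct.unpack("!H", frame[off:off + 2])[0] == TPID_8021Q:
        vids.append(struct.unpack("!H", frame[off + 2:off + 4])[0] & 0x0FFF)
        off += 4
    return vids

def trunk_egress(frame, native_vlan, tag_native=False):
    """Model switch 1 putting the frame on the trunk: the outer tag is dropped
    only when it equals the native VLAN and native-VLAN tagging is off."""
    vids = tag_stack(frame)
    if vids and vids[0] == native_vlan and not tag_native:
        return frame[:12] + frame[16:]  # strip the 4-byte outer tag
    return frame

def trunk_ingress(frame, native_vlan):
    """Model switch 2 receiving from the trunk: untagged goes to the native VLAN,
    tagged goes to the VLAN named by the outer tag."""
    vids = tag_stack(frame)
    return vids[0] if vids else native_vlan

def is_double_tagged(frame):
    """Detection check (assumed monitoring rule): an end station should never
    send a frame with two or more stacked tags, so flag that for alerting."""
    return len(tag_stack(frame)) >= 2

# Constructed sample frame: sender on VLAN 10, destination on VLAN 20
SAMPLE_FRAME = build_frame(b"\xff" * 6, b"\x02\x00\x00\x00\x00\x01", [10, 20], b"payload")

def deliver(native_vlan, tag_native=False):
    """Which VLAN the sample frame ends up on for a given trunk configuration."""
    on_wire = trunk_egress(SAMPLE_FRAME, native_vlan, tag_native)
    return trunk_ingress(on_wire, native_vlan)
```

With the native VLAN left at 10, `deliver(10)` returns 20, reproducing the one-way hop; with the native VLAN moved to an unused ID, or with native tagging forced, the outer tag survives and the frame stays on VLAN 10.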