VLAN hopping

VLAN hopping

VLAN hopping is a computer security exploit, a method of attacking networked resources on a virtual LAN. The basic concept behind all VLAN hopping attacks is for an attacking host on a VLAN to gain access to traffic on other VLANs that would normally not be accessible. There are two primary methods of VLAN hopping: switch spoofing and double tagging. —wikipedia

In a switch spoofing attack, an attacking host imitates a trunking switch by speaking the tagging and trunking protocols used in maintaining a VLAN. Traffic for multiple VLANs is then accessible to the attacking host. —wikipedia

In a double tagging attack, an attacking host connected on a 802.1q interface prepends two VLAN tags to packets that it transmits. The packet is forwarded without the first tag, because it is the native VLAN. The second (false) tag is then visible to the second switch that the packet encounters. This false VLAN tag indicates that the packet is destined for a target host on a second switch. The packet is then sent to the target host as though it originated on the target VLAN bypassing the network mechanisms that logically isolate VLANs from one another. —wikipedia

Easy 802.1Q VLAN Hopping

Frogger is a simple VLAN enumeration and hopping script.

Download/Install

https://github.com/nccgroup/vlan-hopping—frogger

git clone https://github.com/nccgroup/vlan-hopping.git

How To Use

chmod +x frogger.sh
./frogger.sh

Features

  • Sniffs out CDP packets and extracts (VTP domain name, VLAN management address, Native VLAN ID and IOS version of Cisco devices)
  • It will enable a DTP trunk attack automatically
  • Sniffs out and extracts all 802.1Q tagged VLAN packets within STP packets and extracts the unique IDs.
  • Auto arp-scans the discovered VLAN IDs and auto tags packets and scans each VLAN ID for live devices.
  • Auto option to auto create a VLAN interface within the found network to connect to that VLAN.

Requirements

  • Arp-Scan 1.8 (in order to support VLAN tags must be V1.8 – Backtrack ships with V1.6 that does not support VLAN tags)
  • Yersina (built into Backtrack)
  • Tshark (buit into Backtrack)
  • Screen (built into Backtrack)
  • Vconfig (built into Backtrack)

Tested on Backtrack 5 and Kali

Notes for VMware

VLAN hopping generally (not just this script) can have issues within VMware if running the VM within Windows with certain Intel drivers. The Intel drivers strip off the tags before it reaches the VM. Either use an external USB ethernet card such as a DLink USB 2.0 DUB-E100 (old model 10/100 not gigabit) or boot into Kali natively from a USB stick. Intel has published a registry fix, to work on some models: https://www-ssl.intel.com/content/www/us/en/support/network-and-i-o/ethernet-products/000005498.html – adding “MonitorMode” 1 to the registry does resolve the issue.

Categories: Exploits, VLAN Tags: , , ,
%d bloggers like this: