Hacking Networks with Kali - VLAN Hopping (DTP Attack) and Mitigation procedures

Описание: VLAN hopping is a network security vulnerability that occurs when an attacker gains unauthorized access to traffic on different VLANs (Virtual Local Area Networks) within a switched network. VLAN hopping takes advantage of the way VLANs are configured and implemented to gain access to sensitive information or perform unauthorized actions.

Here are two common types of VLAN hopping attacks:

Double Tagging (Q-in-Q Attack): This attack exploits a vulnerability in the way some switches handle tagged Ethernet frames. By attaching multiple VLAN tags to an Ethernet frame, an attacker can deceive the switch into thinking the frame belongs to a different VLAN. This allows the attacker to bypass VLAN segregation and potentially gain unauthorized access to sensitive VLANs.

Switch Spoofing (Switch Spoof Attack): In this attack, an attacker spoofs the MAC address of a switch in the network. By pretending to be a switch, the attacker can send spoofed control frames to manipulate the VLAN configuration of the targeted switch. This can lead to unauthorized access to other VLANs or disruption of network traffic.

VLAN hopping with respect to a Dynamic Trunking Protocol (DTP) attack is a specific type of VLAN hopping that takes advantage of the DTP protocol to gain unauthorized access to VLANs in a switched network.

DTP is a Cisco proprietary protocol used to negotiate and dynamically establish trunk links between switches. Trunk links allow the transmission of multiple VLANs over a single physical link. However, if DTP is not properly secured or configured, it can be exploited by an attacker to perform VLAN hopping.

Here's how a VLAN hopping attack using DTP can occur:

Attacker connects to the network: The attacker connects a rogue device, such as a laptop or switch, to an access port on the target switch.

Rogue device sends DTP frames: The rogue device sends DTP frames, masquerading as a switch, to the target switch. These frames contain false DTP information, such as requesting the establishment of a trunk link.

Target switch enables trunking: If the target switch is not properly configured or has DTP enabled, it may accept the false DTP frames and establish a trunk link with the rogue device.

Attacker gains access to multiple VLANs: Once the trunk link is established, the attacker gains access to all the VLANs allowed on that trunk. This allows the attacker to potentially eavesdrop on traffic, perform unauthorized actions, or gain access to sensitive information in different VLANs.

To protect against VLAN hopping through DTP attacks, it is recommended to take the following precautions:

Disable DTP: If trunking is not required on a particular switch port, disable DTP entirely. This prevents the switch from automatically negotiating trunk links.

Manually configure trunk ports: Instead of relying on DTP, manually configure trunk ports on the switch, explicitly specifying which VLANs are allowed on each trunk link.

Use VLAN access control: Implement VLAN access control mechanisms, such as access control lists (ACLs) or VLAN maps, to control which VLANs are allowed on specific switch ports.

Regularly review and update switch configurations: Periodically review and update switch configurations to ensure that DTP is disabled where not needed and that trunk ports are properly configured.

By implementing these measures, network administrators can mitigate the risk of VLAN hopping attacks specifically related to DTP and enhance the overall security of their switched network.