Contents

Introduction
Trunk Link Cheating
Countermeasure
VLAN Hopping

Introduction

Dynamic Trunking Protocol (DTP) lets switches establish trunk links with little configuration. However, it is also a vulnerability in a network. In this article, Yersinia is used to attack DTP in order to defeat VLAN separation. It is assumed that you already understand the theory of VLANs and DTP.

⛑️  Please be reminded that the aim of this article is to explain the network threats and how to eliminate the issue. Illegal activities are not encouraged⛑️

Trunk Link Cheating

By default, DTP is set to dynamic auto mode. When a dynamic auto port meets dynamic desirable on the other end, the access link becomes a trunk link. So an attacker can easily trick the switch into forming a trunk link with him by sending a DTP dynamic desirable message.

In the following example, the Attacker and the PC are assigned to VLAN10 and VLAN20 respectively. They cannot communicate except through the gateway. But the dynamic auto mode of Fa1/0/24 on SW1 gives the Attacker a chance.

[Diagram: Attacker (VLAN10) connected to SW1 port Fa1/0/24, PC (VLAN20) on the same switch]

SW1#show int fastEthernet 1/0/24 trunk 

Port        Mode         Encapsulation  Status        Native vlan
Fa1/0/24    auto         negotiate      not-trunking  1

Port        Vlans allowed on trunk
Fa1/0/24    10

Port        Vlans allowed and active in management domain
Fa1/0/24    10

Port        Vlans in spanning tree forwarding state and not pruned
Fa1/0/24    10

The Attacker runs Yersinia, presses g and chooses DTP to attack Dynamic Trunking Protocol.


Press x and choose 1. Yersinia starts sending DTP frames to the switch, and the port becomes a trunk.


SW1#show int fastEthernet 1/0/24 trunk 

Port        Mode         Encapsulation  Status        Native vlan
Fa1/0/24    auto         n-802.1q       trunking      1

Port        Vlans allowed on trunk
Fa1/0/24    1-4094

Port        Vlans allowed and active in management domain
Fa1/0/24    1,11-20

Port        Vlans in spanning tree forwarding state and not pruned
Fa1/0/24    none

Since the link between the Attacker and the switch is now a trunk, the Attacker can send packets to any VLAN. We can test this by pressing g to switch to 802.1Q.


The target is VLAN20, so press e to change the VLAN of the packet to 20.


Press x and choose 0 to send a broadcast ICMP packet (destination IP 255.255.255.255) to VLAN20. If Wireshark is capturing packets on the PC, the ICMP packet can be seen.


Now the Attacker can follow up with ARP spoofing, DHCP spoofing or man-in-the-middle attacks against VLAN20.

Countermeasure

To protect against DTP attacks, set the port to access mode whenever we know it connects to a host rather than a switch.

SW1(config-if)#switchport mode access

VLAN Hopping

Long ago, an Attacker could attack VLANs even when access mode was used. This is called the VLAN Hopping Attack or Double Tagging Attack. In the following diagram, a trunk is used between SW1 and SW2 and the native VLAN is VLAN1 by default. Unfortunately, the Attacker is also assigned to VLAN1.

[Diagram: Attacker on VLAN1 connected to SW1; SW1 and SW2 joined by a trunk with native VLAN1; target on VLAN20 behind SW2]

In this situation, the Attacker can use double tagging to encapsulate a VLAN20 frame inside a VLAN1 tag and send it to SW1. Since VLAN1 is the native VLAN, SW1 removes the VLAN1 tag and forwards the frame to SW2. SW2 finds the VLAN20 tag in the frame and finally delivers it to VLAN20.

I did some tests but found that the attack does not work in current versions of IOS (version 12 or later). However, we should not assign VLAN1 to users, for safety reasons.
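As an added example (not part of the original article), the following Python script audits the "show int fastEthernet 1/0/24 trunk" output shown above for the two weaknesses this article covers: a host-facing port left in DTP auto/desirable mode (Countermeasure), and a port whose native VLAN is still VLAN1 (VLAN Hopping). The sample outputs are constructed from the article's before/after captures, trimmed to the first two tables; the "off" row for a port after "switchport mode access" is a hypothetical addition, and the "switchport nonegotiate" hint in the findings is a standard IOS command that the article itself does not mention.

```python
NEGOTIATING_MODES = {"auto", "desirable"}  # DTP still negotiates; "on"/"off" are static

def sample(mode, encap, status, allowed):
    """Constructed 'show int Fa1/0/24 trunk' snippet (first two tables) in the article's layout."""
    return (f"Port        Mode         Encapsulation  Status        Native vlan\n"
            f"Fa1/0/24    {mode:<12} {encap:<14} {status:<13} 1\n\n"
            f"Port        Vlans allowed on trunk\nFa1/0/24    {allowed}\n")

BEFORE = sample("auto", "negotiate", "not-trunking", "10")  # article, before the attack
AFTER = sample("auto", "n-802.1q", "trunking", "1-4094")    # article, after Yersinia DTP
HARDENED = sample("off", "802.1q", "not-trunking", "10")    # hypothetical, after 'switchport mode access'

def parse_trunk_output(text):
    """Return {port: fields} from the mode/status table and the 'Vlans allowed on trunk' table."""
    ports, block = {}, None
    for line in text.splitlines():
        if not line.strip():
            block = None  # a blank line ends a table
        elif line.startswith("Port") and "Mode" in line:
            block = "mode"
        elif line.startswith("Port") and "Vlans allowed on trunk" in line:
            block = "allowed"
        elif block == "mode":
            port, mode, encap, status, native = line.split()
            ports[port] = {"mode": mode, "encap": encap, "status": status,
                           "native": int(native), "allowed": ""}
        elif block == "allowed":
            port, allowed = line.split()
            ports[port]["allowed"] = allowed
    return ports

def audit_host_ports(ports):
    """List findings per port, assuming every listed port faces a host rather than a switch."""
    findings = {}
    for port, p in ports.items():
        issues = []
        if p["mode"] in NEGOTIATING_MODES:
            issues.append("DTP negotiation enabled: set 'switchport mode access' and 'switchport nonegotiate'")
        if p["status"] == "trunking":
            issues.append("host-facing port is currently trunking")
        if p["allowed"] == "1-4094":
            issues.append("all VLANs allowed on the trunk")
        if p["mode"] != "off" and p["native"] == 1:
            issues.append("native VLAN is 1: move the native VLAN and users off VLAN1")
        findings[port] = issues
    return findings

if __name__ == "__main__":
    for name, text in (("before", BEFORE), ("after", AFTER), ("hardened", HARDENED)):
        print(name, audit_host_ports(parse_trunk_output(text)))
```

Run against real output by feeding the text of "show interfaces trunk" to parse_trunk_output; ports that never appear in that output are already non-trunking and need no review.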