Trunk Link Cheating
Dynamic Trunking Protocol (DTP) allows a trunk link to be established easily between switches. However, it is also a vulnerability for a network. In this article, Yersinia is used to attack DTP in order to break into a VLAN. It is assumed that you already understand the theory of VLAN and DTP.
⛑️ Please be reminded that the aim of this article is to explain the network threats and how to eliminate the issue. Illegal activities are not encouraged. ⛑️
Trunk Link Cheating
By default, DTP is set to dynamic auto mode. When auto mode meets dynamic desirable, the access link becomes a trunk link. So an attacker can easily trick the switch into forming a trunk link with him by sending DTP dynamic desirable messages.
In the following example, the Attacker and the PC are assigned to VLAN10 and VLAN20 respectively. They cannot communicate except through the gateway. But the dynamic auto mode of Fa1/0/24 on SW1 gives the Attacker a chance.
SW1#show int fastEthernet 1/0/24 trunk

Port        Mode             Encapsulation  Status        Native vlan
Fa1/0/24    auto             negotiate      not-trunking  1

Port        Vlans allowed on trunk
Fa1/0/24    10

Port        Vlans allowed and active in management domain
Fa1/0/24    10

Port        Vlans in spanning tree forwarding state and not pruned
Fa1/0/24    10
The Attacker runs Yersinia and presses g, then chooses DTP to attack Dynamic Trunking Protocol.
Press x and choose 1. Yersinia starts sending DTP messages to the switch and the port becomes a trunk.
SW1#show int fastEthernet 1/0/24 trunk

Port        Mode             Encapsulation  Status        Native vlan
Fa1/0/24    auto             n-802.1q       trunking      1

Port        Vlans allowed on trunk
Fa1/0/24    1-4094

Port        Vlans allowed and active in management domain
Fa1/0/24    1,11-20

Port        Vlans in spanning tree forwarding state and not pruned
Fa1/0/24    none
Since the link between the Attacker and the switch is now a trunk, the Attacker can send packets to any VLAN. We can test this by pressing g to change to 802.1Q.
The target is VLAN20, so press e to change the packet's VLAN to 20.
Press x and choose 0 to send a broadcast ICMP packet (Destination IP: 255.255.255.255) to VLAN20. If Wireshark is used to capture packets on the PC, we can see the ICMP packet.
Now the Attacker can follow up with ARP spoofing, DHCP spoofing or a man-in-the-middle attack against VLAN20.
To protect against DTP attacks, change the port to access mode whenever we know that the port connects to a host rather than a switch.
SW1(config-if)#switchport mode access
Some time ago, an attacker could attack a VLAN even when access mode was used. This is called a VLAN Hopping Attack or Double Tagging Attack. In the following diagram, a trunk is used between SW1 and SW2 and the native VLAN is VLAN1 by default. Unfortunately, the Attacker is also assigned to VLAN1.
In this situation, the Attacker can use double tagging to encapsulate a VLAN20 message inside VLAN1 and send it to SW1. Since VLAN1 is the native VLAN, SW1 removes the VLAN1 tag and forwards the message to SW2. SW2 finds the VLAN20 tag in the packet and finally sends the packet to VLAN20.
I did some tests but found that the attack does not work in current versions of IOS (version 12 or later). However, we should not assign VLAN1 to users for safety reasons.
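As an added defender's check (example code, not part of the original article), the following Python script parses the first table of a Cisco `show interfaces trunk` output, in the same layout as the SW1 output above, and flags ports that still negotiate DTP (mode auto or desirable) as well as trunks whose native VLAN is 1, the two conditions this article warns about. The sample output is constructed; the ports Gi1/0/1 and Fa1/0/10 are hypothetical.

```python
"""Audit Cisco 'show interfaces trunk' output for DTP-negotiable ports and native VLAN 1."""
import re

# Constructed sample (assumption: same column layout as the article's SW1 output).
# Fa1/0/24 is the article's dynamic-auto port after Yersinia negotiated a trunk;
# Gi1/0/1 and Fa1/0/10 are hypothetical: a hardened uplink and a desirable port.
SAMPLE = """\
Port        Mode             Encapsulation  Status        Native vlan
Fa1/0/24    auto             n-802.1q       trunking      1
Gi1/0/1     on               802.1q         trunking      999
Fa1/0/10    desirable        negotiate      not-trunking  1

Port        Vlans allowed on trunk
Fa1/0/24    1-4094
Gi1/0/1     10,20
Fa1/0/10    1-4094
"""

# Modes in which the port still answers DTP and can be talked into trunking.
NEGOTIABLE_MODES = {"auto", "desirable"}

PORT_LINE = re.compile(
    r"^(?P<port>\S+)\s+(?P<mode>\S+)\s+(?P<encap>\S+)\s+(?P<status>\S+)\s+(?P<native>\d+)\s*$"
)

def parse_trunk_table(output):
    """Return {port: {mode, encap, status, native}} from the first table only."""
    ports, in_table = {}, False
    for line in output.splitlines():
        if line.startswith("Port") and "Native vlan" in line:
            in_table = True          # header of the mode/status table
        elif not line.strip():
            in_table = False         # blank line ends that table
        elif in_table and (m := PORT_LINE.match(line)):
            d = m.groupdict()
            d["native"] = int(d["native"])
            ports[d.pop("port")] = d
    return ports

def audit(output):
    """Return (port, finding) pairs a defender should act on."""
    findings = []
    for port, info in parse_trunk_table(output).items():
        if info["mode"] in NEGOTIABLE_MODES:
            findings.append((port, f"DTP negotiation enabled (mode {info['mode']})"))
        if info["status"] == "trunking" and info["native"] == 1:
            findings.append((port, "native VLAN is 1 (double-tag risk)"))
    return findings
```

Feed `audit()` the captured output of `show interfaces trunk` from the switch; ports that are hardened with `switchport mode access` are not listed by that command and therefore produce no finding.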