VLAN Hopping – CompTIA Network+ N10-006 – 3.2


A properly configured network should never allow users to communicate between broadcast domains. In this video, you’ll learn how switch spoofing and double tagging can be used to hop between VLANs.


We’ve talked in a previous video about the importance of using VLANs and how you would configure VLANs on your switch. You might have VLANs set up for organizational purposes. You might have the network engineering team on one VLAN, the marketing team on another, the accounting team on a third. And ideally those VLANs are completely separated from one another. It’s a good security best practice to have every one segmented out on their own individual VLAN.

And when a person is on their own VLAN, they can only communicate with users who are on the same VLAN. You would have to go through a router and, in many cases, a security device to be able to communicate between these different VLANs. Unfortunately there are a number of mechanisms that might allow someone to hop from one VLAN to another. That’s obviously something you don’t want to have happen. You are specifically assigning users to particular VLANs and you want to be sure they stay on those VLANs.

The two mechanisms we're going to look at can both be used to hop between VLANs: switch spoofing and double tagging. With switch spoofing, the bad guy takes advantage of a capability inside the switch that automatically determines what's connecting to an individual port. It determines whether that is an access port, which would be an end user device, or it may determine that what's being connected is a trunk interface, and it configures itself automatically for that particular trunk interface.

Now on most switches, this auto-negotiation of these port types has no security associated with it. You don't have to authenticate or prove that you are who you say you are. You simply send a trunk negotiation to that interface and the switch just assumes that you happen to be a trunked interface. Once the bad guy has sent this spoofed trunk negotiation and has now been configured as a trunked interface, he can then send trunked information across any of those configured VLANs. For this reason alone, switch administrators should disable any automated trunk negotiation.

You should manually determine whether each interface on a switch happens to be an access port or a trunked port. A very creative way of hopping from one VLAN to another is using a mechanism called double tagging. With double tagging, you're crafting a very specific-looking frame, and inside of that frame you have multiple VLAN tags. This takes advantage of a switch configuration feature called the native VLAN, and native VLANs commonly do not have a tag associated with them.

So by using this native VLAN and an additional VLAN tag, you can hop from one VLAN to another. To perform this double tagging, you have to hop through multiple switches, because that's where those tags are being removed. The first switch will remove the native tag, and within that frame there will be a second tag already inside of it. This is not something that's commonly done.

This second fake tag is seen by the second switch down the line, which then, of course, forwards that message to the appropriate VLAN. You're now able to send or hop to a different VLAN that was never originally assigned to you. One challenge with double tagging is that, because there's spoofing going on, there's no way for that traffic to come back to you. So this is a one-way trip. But if you're trying to perform a denial of service, this might be a useful mechanism to use.

If you're configuring a switch and you want to avoid this double tagging, then you want to get rid of any device that is on the native VLAN. You want to change the default VLAN ID for that native VLAN, and then you want to force tagging for any traffic that would now be on that particular native VLAN. By forcing the tag, you're removing the ability to double tag as the traffic traverses these multiple switches. Let's look at how this VLAN tagging would work. I've created a very simple network diagram.

On one side is our attacker who is on VLAN 10. In the middle are two switches, and between these switches is a trunk connection. There’s VLAN 10 and VLAN 20 on this trunk. And the native VLAN on this trunk is VLAN 10. And then we have the separate connection down here to our victim who is on VLAN 20.

The goal of our attacker is to jump from VLAN 10 to VLAN 20 so that they can communicate directly with the victim even though there's not a router in the middle. Obviously this is something that should never happen on our switch configurations. We should be able to segment into separate VLANs and control the access between those VLANs with a router. To jump between VLANs, our attacker is going to craft a very specific kind of Ethernet frame. It will have a normal Ethernet header, and it will have the normal Ethernet data inside of it that we want to ultimately get to that victim machine.

And in the middle are going to be two separate 802.1Q VLAN tags. There’s going to be one that has a VLAN tag 10 and inside of that is VLAN tag 20. That’s our double tagging right there. The attacker then sends that frame off to the first switch on our network. The first switch sees that this is something that needs to go onto VLAN 10.

VLAN 10 is the native VLAN here, so it simply strips off that tag. It does not add a separate tag because VLAN 10 is the native VLAN. And so we're left with the Ethernet header, the 802.1Q tag for VLAN 20, and the data. The switch then sends this traffic across the trunk as untagged VLAN 10 traffic.

On the other side, the switch receives this, sees that the frame carries a tag for VLAN 20, removes the tag, and sends that information on to the destination, which is our victim machine on VLAN 20. So you can see that by adding that extra tag in the middle and taking advantage of our native VLAN, we're now able to jump between VLAN 10 and VLAN 20.
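To make the walkthrough concrete, here is an added Python simulation (not part of the video) of the attacker's double-tagged frame crossing the two switches, which also checks the mitigation described earlier: moving the native VLAN to an unused ID, or forcing the native VLAN to be tagged, keeps the inner tag from ever being exposed on the trunk. The MAC addresses and payload are constructed, and the switch model is simplified to exactly the untagging behaviour the video describes.

```python
import struct

TPID_8021Q = 0x8100                            # 802.1Q tag protocol identifier
ATTACKER_MAC = bytes.fromhex("020000000010")   # constructed sample addresses
VICTIM_MAC = bytes.fromhex("020000000020")

def build_frame(dst, src, vids, ethertype, payload):
    """Ethernet frame with zero or more stacked 802.1Q tags, outermost first."""
    hdr = dst + src
    for vid in vids:
        hdr += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)  # PCP/DEI left at 0
    return hdr + struct.pack("!H", ethertype) + payload

def vlan_tags(frame):
    """VLAN IDs stacked in a frame, outermost first; two or more means double tagging."""
    vids, off = [], 12
    while struct.unpack_from("!H", frame, off)[0] == TPID_8021Q:
        vids.append(struct.unpack_from("!H", frame, off + 2)[0] & 0x0FFF)
        off += 4
    return vids

def pop_tag(frame):
    """Strip the outermost 802.1Q tag; returns (vid, remaining frame)."""
    return vlan_tags(frame)[0], frame[:12] + frame[16:]

def push_tag(frame, vid):
    """Insert an 802.1Q tag for vid right after the MAC addresses."""
    return frame[:12] + struct.pack("!HH", TPID_8021Q, vid) + frame[12:]

def cross_trunk(frame, vlan, native_vlan, tag_native):
    """Simplified model: switch 1 sends a frame of `vlan` out the trunk (the native
    VLAN goes untagged unless tag_native is set); switch 2 classifies what arrives
    (tagged -> that VID, untagged -> native). Returns the VLAN it is delivered to."""
    if vlan != native_vlan or tag_native:
        frame = push_tag(frame, vlan)          # trunk carries an explicit tag
    if vlan_tags(frame):                       # an exposed inner tag is honoured here
        return pop_tag(frame)[0]
    return native_vlan

def double_tag_outcome(native_vlan, tag_native, attacker_vlan=10, target_vlan=20):
    """Where does the attacker's double-tagged frame end up under this trunk config?"""
    frame = build_frame(VICTIM_MAC, ATTACKER_MAC, [attacker_vlan, target_vlan],
                        0x0800, b"constructed payload")
    # Switch 1 accepts the frame on the attacker's VLAN 10 port and removes the outer tag
    vid, frame = pop_tag(frame)
    assert vid == attacker_vlan
    return cross_trunk(frame, attacker_vlan, native_vlan, tag_native)

if __name__ == "__main__":
    print("native 10, untagged :", double_tag_outcome(10, False))   # 20: hop succeeds
    print("native 999, untagged:", double_tag_outcome(999, False))  # 10: unused native VLAN
    print("native 10, tagged   :", double_tag_outcome(10, True))    # 10: native VLAN tagged
```

The `vlan_tags` helper doubles as a capture-side check: any frame on an access port or trunk carrying two or more stacked tags is worth an alert, since no legitimate host on this network should be producing them.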