In most cases, it’s not possible to jump from one VLAN to another without a router. In this video, you’ll learn how attackers can use switch spoofing and double tagging to hop between VLANs.
On the switches that we use at home and in our offices, we will often configure separate Virtual Local Area Networks, or VLANs. These VLANs are designed to keep different parts of the network separated from other parts. For example, you might have a VLAN that separates everyone at an organizational level. So there might be a marketing VLAN, an accounting VLAN, and a shipping and receiving VLAN. At home, you might have different VLANs for your normal network traffic, your Internet of Things devices, and the cameras that you use for security.
One of the advantages of these VLANs is that they separate these groups of devices into their own networks. Devices on one VLAN can't communicate with devices on another unless there happens to be a router between them. But in some switch configurations, it may be possible to send traffic into a different VLAN even though there's no router between those two VLANs. We commonly see this done with two methods. One of them is switch spoofing, and the other one is double tagging.
Switch spoofing takes advantage of a feature on your switch that automatically configures an interface either as a port for an end device or as a link to another switch. When you connect something to the switch, the switch tries to determine what's on the other side, and if it decides it's connected to another switch, it negotiates a trunk connection between those two interfaces. On Cisco switches this negotiation is the Dynamic Trunking Protocol, or DTP, and on many models the default port mode will agree to a trunk whenever the other side asks for one.
This is the real key to hopping from one VLAN to another: pretending that you are a switch so that your port becomes a trunk. A trunk carries frames for many VLANs over a single link, with an 802.1Q tag on each frame saying which VLAN it belongs to. So if we send the same negotiation messages a real switch would send and convince the switch that we are also a switch, our port becomes a trunk, and we can then tag our own frames for any VLAN that is allowed across that trunk.
This is why it's a good idea to disable this trunk negotiation process. Although autonegotiation makes configuring and managing the switch a little easier for the network administrator, it opens up security issues like this one. Ideally, the network administrator should manually configure every port: user-facing ports should be locked to access mode with trunk negotiation turned off, and uplinks to other switches should be explicitly configured as trunks that carry only the specific VLANs that need to cross them. Once no port will negotiate a trunk with whatever is plugged into it, switch spoofing is no longer a way to hop between VLANs.
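Here's one way to check a switch for the negotiation settings just described. This is an added example, not something from the video: it reads Cisco IOS-style interface blocks out of a running-config and flags every port that could still be talked into a trunk. The sample config is constructed, and the assumption that a port with no explicit mode line defaults to "dynamic auto" should be verified against your own platform.

```python
"""Audit a Cisco IOS-style running-config for ports that could be talked
into a trunk. Added example, not from the original video: the sample
config is constructed, and the platform default of 'dynamic auto' for a
port with no explicit 'switchport mode' is an assumption to verify on
your own switches."""
import re

# Constructed sample output of `show running-config`, trimmed to interfaces.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 description user port, mode never set so the platform default applies
 switchport access vlan 10
!
interface GigabitEthernet1/0/2
 description user port explicitly left negotiable
 switchport mode dynamic desirable
!
interface GigabitEthernet1/0/3
 description user port locked to access mode but still speaking DTP
 switchport mode access
 switchport access vlan 10
!
interface GigabitEthernet1/0/4
 description hardened user port
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
!
interface GigabitEthernet1/0/24
 description uplink, trunk configured by hand but DTP still enabled
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20
!
"""

def parse_interfaces(config):
    """Map each interface name to the stripped config lines inside its block."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif line.startswith("!"):
            current = None
        elif current is not None and line.strip():
            blocks[current].append(line.strip())
    return blocks

def audit_dtp(config, default_mode="dynamic auto"):
    """Return {interface: [findings]} for ports exposed to switch spoofing."""
    findings = {}
    for name, lines in parse_interfaces(config).items():
        mode, nonegotiate = default_mode, False
        for line in lines:
            m = re.fullmatch(r"switchport mode (.+)", line)
            if m:
                mode = m.group(1)
            elif line == "switchport nonegotiate":
                nonegotiate = True
        issues = []
        if mode.startswith("dynamic"):
            # Either dynamic mode will form a trunk if the attacker sends DTP.
            issues.append(f"mode '{mode}' will negotiate a trunk; set "
                          "'switchport mode access' (or 'trunk' on uplinks)")
        elif not nonegotiate:
            # Fixed mode, but the port still emits DTP frames until told not to.
            issues.append(f"mode '{mode}' still sends DTP; add 'switchport nonegotiate'")
        if issues:
            findings[name] = issues
    return findings

if __name__ == "__main__":
    for port, issues in audit_dtp(SAMPLE_CONFIG).items():
        for issue in issues:
            print(f"{port}: {issue}")
```

Run against the sample, only GigabitEthernet1/0/4 comes back clean: the two dynamic ports would hand a trunk to anyone who asks, and the access port and the hand-configured uplink still send DTP advertisements until nonegotiate is set.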
Another form of VLAN hopping is called double tagging. VLAN tags are what switches use on trunks to say which VLAN a frame belongs to, and if we add an extra tag to a frame, it's possible that we could get that frame into a different VLAN. This attack takes advantage of what we call the native VLAN on a trunk. Every 802.1Q trunk has a native VLAN: frames that belong to that VLAN are sent across the trunk without a tag, and any untagged frame that arrives on the trunk is assigned to it. By taking advantage of that behavior, we can get a frame onto a VLAN we were never assigned to.
We rely on these VLAN tags during the trunking process, and the VLAN tag is what tells the destination switch which VLAN the traffic is destined for. With double tagging, we craft a special frame that normally would not be seen on the network. Instead of a single tag, it carries two separate 802.1Q tags, one inside the other.
This means, in certain configurations, the first switch treats the outer tag as the frame's VLAN. If that VLAN is the native VLAN of the trunk, the switch removes the outer tag and sends the frame across the trunk untagged, which leaves the inner tag exposed as if it were the only tag. The second switch reads that inner tag and places the frame into a completely different VLAN, where it is forwarded to the target. We've now been able to hop from one VLAN to another.
Because this relies on the extra tag being stripped along the way, there's no way to receive a response. The victim's reply is a normal frame on its own VLAN and never gets a matching pair of tags to carry it back, so everything we send is one-way communication from one device to another. Although this is not practical for normal network communication, it does allow us to put data onto a VLAN that normally we would not have access to.
If an attacker is trying to perform a denial of service, this could be a good method to use to accomplish that. To avoid this problem, we need to make sure that no user ports are placed in the native VLAN of a trunk. Normally, on switches, that native VLAN ID is 1. Ideally, we would change the native VLAN on every trunk to an unused VLAN ID that no device is assigned to, and then force the switch to tag native-VLAN traffic on its trunks as well, so that no frame crosses a trunk untagged and the outer tag is never stripped.
Here’s how this would work. We have a network setup with two switches. We have an attacker that’s on VLAN 10. That’s the green VLAN. We have a trunk between switches that supports sending information over VLAN 10 and VLAN 20. VLAN 20 is the red VLAN. And then we have our second switch, which has connections to the victim device, which is on VLAN 20.
You'll notice, on this link between the switches, that the native VLAN is VLAN 10, the same VLAN the attacker is on. The attacker creates a frame that has two tags inside of it. The outer 802.1Q tag is for VLAN 10, and the inner tag is for VLAN 20. For the first step, the attacker sends the entire frame to the first switch. That switch looks at the outer tag, VLAN 10, and forwards the frame toward the trunk. Because VLAN 10 is the native VLAN on that trunk, the switch removes the VLAN 10 tag and puts the frame on the trunk untagged.
And that's exactly what happens next. The frame that crosses the trunk no longer has the VLAN 10 tag, but because we are double tagging, the VLAN 20 tag is still there, and it now looks like an ordinary single-tagged trunk frame. The second switch reads that tag, removes it, and sends the rest of the data onto VLAN 20, where it's received by the victim device. So you can see how you can start on VLAN 10 and, by using double tagging, send data to a device that is on VLAN 20.