Breaking In – Fun with the Native Vlan


Since I’m still in security mode until I can get my massive SDN post completed, let’s have a look at using Yersinia to have some fun with native VLANs and DTP, to remind everyone: DON’T USE VLAN 1!!!!

VLAN hopping is an attack that takes advantage of the native VLAN being used as an access VLAN. The attack works like this (I have also made a fancy animated gif to show the concept; don’t laugh, it is my first attempt at a gif!):

[Animated gif: l2attack]

  1. The attacker sends a specially crafted frame that contains two 802.1Q tags: the first is the native VLAN, and the second is the target VLAN.
  2. The switch connected to the attacker strips the first tag, since it is the native VLAN. Because the frame still carries a second tag, the switch forwards it across the trunk based on that tag’s value.
  3. The second switch sees a frame tagged for the server VLAN, strips that tag, and sends it on its way.
  4. The server receives the packet as if the attacker were in the same VLAN.

Note: This only works across two switches, since a single switch won’t strip both tags.
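From the defender’s side, the signature of the attack is easy to state: a frame arriving on an access port with two 802.1Q tags where the outer tag is the native VLAN. The following parser is an added example (not code from the post or from Yersinia) that walks the tag stack of raw Ethernet frames, such as those you would pull from a SPAN session on the attacker-facing port, and flags that shape. The sample frames, the native VLAN of 1 and the VLAN 101 server VLAN are assumptions taken from the lab topology below.

```python
import struct

TPID_8021Q = 0x8100   # standard 802.1Q customer tag
TPID_8021AD = 0x88A8  # 802.1ad service tag; also treated as a VLAN tag here
NATIVE_VLAN = 1       # assumption: the lab above leaves the trunk native VLAN at its default of 1

# Constructed sample frames (not captures from the post): broadcast destination,
# a locally administered source MAC, zero or more 802.1Q tags, then IPv4 (0x0800)
# and a dummy payload. VID 101 is the server VLAN from the topology section.
UNTAGGED = bytes.fromhex("ffffffffffff" "020000000001" "0800") + b"\x00" * 20
SINGLE_TAGGED = bytes.fromhex("ffffffffffff" "020000000001" "8100" "0065" "0800") + b"\x00" * 20
DOUBLE_TAGGED = bytes.fromhex(
    "ffffffffffff" "020000000001" "8100" "0001" "8100" "0065" "0800"
) + b"\x00" * 20


def parse_vlan_tags(frame: bytes):
    """Walk the 802.1Q tag stack of an Ethernet II frame.

    Returns (vids, ethertype): the VLAN IDs in outer-to-inner order and the
    EtherType that follows the last tag. Each tag is 4 bytes: a 2-byte TPID
    followed by a 2-byte TCI whose low 12 bits are the VID.
    """
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    vids = []
    offset = 12  # skip destination and source MAC
    while True:
        (tpid,) = struct.unpack_from("!H", frame, offset)
        if tpid not in (TPID_8021Q, TPID_8021AD):
            return vids, tpid
        # need the TCI (2 bytes) plus the next TPID/EtherType (2 bytes)
        if offset + 6 > len(frame):
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        vids.append(tci & 0x0FFF)
        offset += 4


def is_double_tag_hop(frame: bytes, native_vlan: int = NATIVE_VLAN) -> bool:
    """True when the frame carries two or more tags and the outer one is the
    native VLAN, which is exactly the double-encapsulated packet described above."""
    vids, _ = parse_vlan_tags(frame)
    return len(vids) >= 2 and vids[0] == native_vlan


def scan_capture(frames, native_vlan: int = NATIVE_VLAN):
    """Return (index, vids) for every frame in an access-port capture that
    matches the hop signature; malformed frames are skipped."""
    hits = []
    for i, frame in enumerate(frames):
        try:
            vids, _ = parse_vlan_tags(frame)
        except ValueError:
            continue
        if len(vids) >= 2 and vids[0] == native_vlan:
            hits.append((i, vids))
    return hits


if __name__ == "__main__":
    for idx, vids in scan_capture([UNTAGGED, SINGLE_TAGGED, DOUBLE_TAGGED]):
        print(f"frame {idx}: double-tagged, outer VID {vids[0]}, inner VIDs {vids[1:]}")
```

In practice any tagged frame from an end host on an access port is worth an alert; the double-tag check is simply the specific pattern this post demonstrates, and it drops to nothing once the port is moved off the native VLAN, because the outer tag no longer matches.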

Topology

[Topology diagram: l2attack-topology.png]

For today’s topology I’m using GNS3 with IOL for the switching, largely for convenience’s sake but this would work just fine with VIRL or physical switches.

I have two switches trunked to each other, and each switch has a router connected on its E0/1 port. The attack node is a Kali VM connected to SW1’s E0/0 using the default port configuration; the target server is a CentOS VM connected to SW2’s E0/0 in VLAN 101.

The attack VM has an IP of 192.168.100.11/24
The target VM has an IP of 192.168.101.11/24

Vlan Hopping

To start playing with this we will be using Yersinia, a Layer 2 centric Cisco attack tool that is bundled in Kali. First, let’s verify that the attacker cannot reach the target server: there is no default gateway, and the IP address of the Kali box is actually irrelevant for this lab.

As mentioned in the topology section, the port is left at its default configuration, though I added a portfast command to speed things up.

SW1(config-if)#do sh run int e0/0
Building configuration...

Current configuration : 66 bytes
!
interface Ethernet0/0
 duplex auto
 spanning-tree portfast


To open it, type yersinia -I to get the command line tool; you can use -G for the GUI, but it is still in alpha and seems to have a few issues. If you do use the GUI, the basic steps are the same.


When you open the tool it will tell you it has selected eth0 as its interface; if your Kali has multiple interfaces you may want to change it with the I key.


Press the H key to see the various commands that are available to us.


Press the G key for “Go to other protocol screen” and select 802.1Q to get to the VLAN hopping goodness.


Once we are in the screen, press E to enter edit mode.


Edit Vlan2 to be VLAN 101; this is the second VLAN tag we talked about above. You can optionally also edit the source and destination IP. The source only changes the source IP the target sees, and since this is a one-way trip for the packet (we are just sending a ping) we don’t need to worry about it much. The destination is the target IP; if you leave it at 255.255.255.255 the ping will be broadcast to all hosts in the target VLAN. When you are done, press ESC.


To actually send the packet press X to bring up the attack menu, then press 1 to send the double encapsulated packet.


If we look at a Wireshark capture taken from the Kali computer, we can see the packet with two tags.


But if we look at a Wireshark capture from the target server, we can see the packet arrived with no tags at all, because the switches stripped them.

Note: I got my screenshots mixed up between tests, so the IPs don’t match; just pretend the IPs in the two captures match 🙂


We can also set the VLAN to 12 to talk to the routers, but we can only reach R02, because both tags need to be stripped and that takes two switches.


R02#debug ip icmp
ICMP packet debugging is on
R02#
*Mar 11 22:20:56.256: ICMP: echo reply sent, src 10.1.2.2, dst 10.1.2.11, topology BASE, dscp 0 topoid 0

To mitigate this, all we need to do is make sure we don’t use the native VLAN as an access VLAN: if we set the port’s access VLAN to, say, VLAN 100, then the switch will not forward the second tag.

DTP

Now that I have hopefully scared you into not being lazy with your VLAN assignments, I may as well scare you away from using DTP as well.

DTP is the Dynamic Trunking Protocol, a somewhat misguided attempt by Cisco to make switches a bit easier to manage for low-skilled staff. The idea is that the port always wants to be a trunk and will become one if you connect it to another Cisco switch. The problem is: what happens if an attacker says they want to be a trunk?

Let’s confirm that our attacker port is currently an access port before we start.

SW1(config-if)#do sh int e0/0 sw
Name: Et0/0
Switchport: Enabled
Administrative Mode: dynamic desirable
Operational Mode: static access
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: native
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: none 
Administrative private-vlan mapping: none 
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk associations: none
Administrative private-vlan trunk mappings: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL

While in Yersinia, use the G key again to switch to the DTP protocol screen, then press X to open the attack menu. Then press 1 to make the port a trunk port.


Just like that the port is now dynamically trunking!!!

SW1(config)#do sh int e0/0 sw
Name: Et0/0
Switchport: Enabled
Administrative Mode: dynamic desirable
Operational Mode: trunk
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: none 
Administrative private-vlan mapping: none 
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk associations: none
Administrative private-vlan trunk mappings: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL

Now we can simply add a VLAN interface to our attack host and talk directly with the routers!!!!


To mitigate this we can do two things: one is to disable DTP by statically setting ports as access ports with the switchport mode access command, and the other is to stop sending DTP frames altogether with the switchport nonegotiate command.
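Both mitigations in this post (keep access ports off the native VLAN, and turn DTP off) can be checked straight from the show interfaces switchport output shown above. The audit below is an added example, not code from the post: it parses that output, flags a port that can still negotiate a trunk, flags a port that still sends DTP, and flags an access VLAN that equals the trunk native VLAN. The first sample is the relevant lines of the SW1 E0/0 output from the post; the hardened sample is a constructed version of the same port after applying both commands and moving it to VLAN 100. It assumes the port is meant to be an end-host access port.

```python
import re

# Lines from the "show interfaces switchport" output shown earlier in the post
# (trimmed to the fields the audit uses).
DEFAULT_PORT = """\
Name: Et0/0
Switchport: Enabled
Administrative Mode: dynamic desirable
Operational Mode: static access
Administrative Trunking Encapsulation: negotiate
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
"""

# Constructed sample: the same port after "switchport mode access",
# "switchport nonegotiate" and "switchport access vlan 100".
HARDENED_PORT = """\
Name: Et0/0
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Administrative Trunking Encapsulation: negotiate
Negotiation of Trunking: Off
Access Mode VLAN: 100 (VLAN0100)
Trunking Native Mode VLAN: 1 (default)
"""


def parse_switchport(text: str) -> dict:
    """Turn the 'Key: value' lines of show interfaces switchport into a dict.
    Lines without a colon (e.g. 'Capture Mode Disabled') are ignored."""
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
    return fields


def vlan_id(value: str):
    """Extract the numeric VLAN ID from values like '1 (default)' or '100 (VLAN0100)'."""
    match = re.match(r"\s*(\d+)", value)
    return int(match.group(1)) if match else None


def audit_port(text: str) -> list:
    """Return one finding per mitigation that is missing on an access port."""
    f = parse_switchport(text)
    name = f.get("Name", "?")
    findings = []

    admin_mode = f.get("Administrative Mode", "")
    if admin_mode != "static access":
        findings.append(
            f"{name}: administrative mode is '{admin_mode}', so the port can "
            f"negotiate itself into a trunk; set 'switchport mode access'"
        )

    if f.get("Negotiation of Trunking", "").lower() == "on":
        findings.append(
            f"{name}: DTP frames are still sent; set 'switchport nonegotiate'"
        )

    access = vlan_id(f.get("Access Mode VLAN", ""))
    native = vlan_id(f.get("Trunking Native Mode VLAN", ""))
    if access is not None and access == native:
        findings.append(
            f"{name}: access VLAN {access} equals the trunk native VLAN, so a "
            f"double-tagged frame is forwarded; move the port to another VLAN"
        )
    return findings


if __name__ == "__main__":
    for label, sample in (("default", DEFAULT_PORT), ("hardened", HARDENED_PORT)):
        print(f"{label}: {len(audit_port(sample))} finding(s)")
        for finding in audit_port(sample):
            print("  -", finding)
```

Run against the output of every access port on a switch, this turns the two one-line fixes from the post into something you can verify across a fleet rather than remember to type. Note that after the DTP attack above the Operational Mode changes to trunk while the Administrative Mode stays dynamic desirable; the audit keys off the administrative setting precisely because that is the part you configure.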

 
