Breaking In – Fun with the Native Vlan

Standard

 

Since I’m still in security mode until I can get my massive SDN post completed, lets have a look at using Yersinia to have some fun with native vlans and DTP to remind everyone DON’T USE VLAN 1!!!!

Vlan hopping is a security attack that takes advantage of the native vlan being used. The attack works like this, I have also made a fancy animated gif to show the concept (don’t laugh it is my first attempt at a gif!)

l2attack

  1. The attacker sends a specially made packet that contains two tags, the first is the native vlan, and the second is the target vlan.
  2. The switch connected to the attacker strips the first tag since it is the native vlan, because the packet has a second tag the switch then forwards the frame based on its value.
  3. The second switch sees the frame that wants to go to the server vlan so it strips the tag and sends it on its way.
  4. The server receives the packet as if it was in the same vlan.

Note: This only works with two switches since a single switch won’t strip both tags. 

Topology

l2attack-topology.png

For today’s topology I’m using GNS3 with IOL for the switching, largely for convenience’s sake but this would work just fine with VIRL or physical switches.

I have two switches that are trunked to each other, each switch has a router connected to it on its E0/1 port. The attack node is a Kali VM and is connected to SW1’s E0/0 and is using default port configuration, the target server is a CentOS VM connected to SW2’s E0/0 in vlan 101.

The attack VM has a IP of 192.168.100.11/24
The target VM has a IP of 192.168.101.11/24

Vlan Hopping

To start playing with this we will be using Yersinia which is a Layer 2 centric Cisco attack tool that is bundled in Kali.  First lets verify that the attacker can not reach the target server because there is no default gateway, the IP address of the Kali is actually irrelevant for this lab.

As mentioned it the topology section, the port is left to default though I added a portfast command to speed up some things.

SW1(config-if)#do sh run int e0/0
Building configuration...

Current configuration : 66 bytes
!
interface Ethernet0/0
 duplex auto
 spanning-tree portfast

l2attack-017

To open it type: yersinia -I to get the command line tool, you can use -G to use the GUI but it is still in alpha and seems to have a few issues still. Though if you do use the GUI the basic steps are the same.

l2attack-00.png

When you open the tool it will tell you it has selected eth0 as its interface, if your Kali has multiple interfaces you may want to change it with the I key.

l2attack-02

Press the H key to see the various commands that are available to us

l2attack-03

Press the G key for “Go to other protocol screen” and select 802.1Q to get to the Vlan Hopping goodness.

l2attack-05

Once we are in the screen press E to enter edit mode,

l2attack-07

Edit Vlan2 to be vlan 101, this is the second vlan tag we talked about above. You can optionally also  edit the source and destination IP. The source will just change the source IP the target sees but since this is a one way trip for the packet we don’t need to worry that much since we are just sending a ping. The destination is the target IP, if you leave it at 255.255.255.255 it will broadcast the ping to all hosts in the target vlan.  When you are done press ESC.

l2attack-09

To actually send the packet press X to bring up the attack menu, then press 1 to send the double encapsulated packet.

l2attack-011

If we look at a wireshark capture taken from the Kali computer we can see the packet with two tags.

l2attack-020

But if we look at a wireshark capture from the target server we can see the packet arrived but has no tags in the packet because the switches stripped them.

Note: I got my screenshots mixed up between tests so the IPs don’t match, just pretend the IPs between the two captures match 🙂

l2attack-014

We can also set the vlan to 12 to talk to the routers but we can only talk to R02 because of the need to strip both tags.

l2attack-019

R02#debug ip icmp
ICMP packet debugging is on
R02#
*Mar 11 22:20:56.256: ICMP: echo reply sent, src 10.1.2.2, dst 10.1.2.11, topology BASE, dscp 0 topoid 0

To mitigate this, all we need to do is make sure we don’t use the native vlan as a access vlan, if we set the vlan on the port to be say vlan 100 then the switch will not forward the second tag.

DTP

Now that I hopefully scared you into not being lazy with your vlan assignments. I may as well scare you away from using DTP as well.

DTP is the Dynamic Trunking Protocol and it is a somewhat misguided attempt from Cisco to try to make switches a bit more easy to manage by low skilled workers, the idea is that the port always wants to be a trunk and will become one if you connect the port to another Cisco switch but the problem is that what happens if an attacker says they want to be a trunk?

Let’s confirm that our attacker port is currently an access port before we start.

SW1(config-if)#do sh int e0/0 sw
Name: Et0/0
Switchport: Enabled
Administrative Mode: dynamic desirable
Operational Mode: static access
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: native
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: none 
Administrative private-vlan mapping: none 
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk associations: none
Administrative private-vlan trunk mappings: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL

While in Yersinia, press to switch to the DTP section and then press X to open the attack menu. Then press 1 to make the port a trunk port.

l2attack-012l2attack-022

Just like that the port is now dynamically trunking!!!

SW1(config)#do sh int e0/0 sw
Name: Et0/0
Switchport: Enabled
Administrative Mode: dynamic desirable
Operational Mode: trunk
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: none 
Administrative private-vlan mapping: none 
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk associations: none
Administrative private-vlan trunk mappings: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL

Now we can simply add a vlan interface to our attack host and we can talk directly with the routers!!!!

l2attack-024.png

To mitigate this we can do two things, one is to disable DTP by static settings ports as access ports with the switchport mode access command and by also disabling sending DTP with the switchport nonegotiate command.

 

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s