Virtual Local Area Networks (VLANs)
Are used to segment a network into different groups, such as organizational, network engineering, or security VLANs. This ensures that users only have access to their designated VLAN, improving security by isolating different parts of the network.
However, attackers can attempt to bypass VLAN segmentation through methods like switch spoofing or double tagging, allowing them to "hop" between VLANs without proper authorization.
Switch Spoofing:
Takes advantage of switches that support automatic configuration, which can determine if a connected device is an access device or a trunk connection without requiring authentication. An attacker can exploit this by pretending to be a switch and sending trunk negotiation messages.
With physical access to the switch, the attacker can establish a trunk link, allowing them to send and receive traffic from any configured VLAN. To prevent this, switch administrators should disable automatic trunk negotiations and manually configure trunk and access interfaces.
Double tagging
An attacker crafts a packet with two VLAN tags. Normally, when traffic is sent across a trunk, a VLAN tag is added to the packet to identify the VLAN. In this attack, the first switch interprets and removes the first tag (which is associated with the native VLAN) and forwards the packet. The second switch then sees the second "fake" tag and processes the packet as if it belongs to that VLAN, allowing the attacker to send traffic to any VLAN.
This is a one-way attack, meaning responses can't easily return to the source, making it more useful for DoS attacks. To mitigate this risk, it's advisable not to put any devices on the native VLAN, change the native VLAN ID, and enforce tagging of the native VLAN.
Double Tagging Example
Imagine you have a network with two VLANs, VLAN 10 and VLAN 20, connected by a trunk port. The native VLAN for this trunk is VLAN 10. In a double tagging attack, the attacker crafts a frame with two 802.1Q tags: the first tag for VLAN 10 (the native VLAN) and the second tag for VLAN 20.
When the frame reaches the first switch, the native VLAN tag (VLAN 10) is removed, as it is assumed to be the native VLAN, leaving only the VLAN 20 tag. The switch then forwards the frame with just the VLAN 20 tag across the trunk link to the next switch.
Upon receiving the frame, the second switch interprets the remaining VLAN 20 tag and forwards the frame to the devices on VLAN 20. Although the attacker on VLAN 10 cannot receive responses from the victim on VLAN 20, they can continuously send traffic to the victim, potentially overwhelming the victim's device in a denial-of-service scenario.
Spoofing
Involves pretending to be something or someone you're not.
For instance, a spoofed web server or DNS server might trick users into divulging sensitive information. Email address spoofing occurs when the sender’s address is forged, making it appear as though the email is coming from someone else. Similarly, caller ID spoofing involves falsifying the incoming call information, often using local phone numbers to make the call seem more trustworthy.
On-path attacks also involve spoofing: the attacker pretends to be both endpoints of the conversation.
Address Resolution Protocol (ARP)
In normal communication, when a device needs to communicate with another device on the network, it sends out a broadcast message with the target IP address, asking for the corresponding MAC address. The device with the matching IP address responds with its MAC address.
This information is then stored in the ARP cache of the requesting device, allowing it to direct future communications to the correct MAC address without needing to broadcast again.
ARP Poisoning (IP Spoofing):
The attacker spoofs the IP address of a legitimate device, such as the router. The ARP response contains the attacker’s MAC address but falsely associates it with the IP address of the legitimate device.
The target device, unaware of the spoof, updates its ARP cache with this incorrect information, replacing the legitimate MAC address with the attacker’s.
IP Address Spoofing:
Occurs when a device uses the IP address of another device to impersonate it. The attacker "spoofs" the IP address, making it seem as though their traffic is coming from a legitimate source.
While this can be used for legitimate purposes like load balancing or load testing, it is often used for malicious activities such as ARP poisoning, DNS amplification, or Distributed Denial of Service (DDoS) attacks.
Unlike MAC address spoofing, IP address spoofing is easier to detect. Network administrators can apply rules to block invalid traffic and enable switch security features to mitigate these attacks.
MAC Spoofing
Involves changing the Media Access Control (MAC) address of a network device.
Each Ethernet device has a unique, burned-in MAC address, but most drivers allow users to modify it. While changing the MAC address can be legitimate—for instance, if an internet provider expects a certain MAC address or specific applications require it—it can also be used for malicious purposes.
Attackers may spoof a MAC address to bypass MAC-based access control lists or to deceive a wireless filter. Detecting MAC spoofing is challenging because it is difficult to distinguish between the original and the spoofed device.
This activity is limited to the local subnet. One security measure to prevent MAC spoofing is to limit the access and scope of devices on the local network.