Sunday, October 18, 2009

Abusing VLANs With BackTrack

In this post I'm going to have a little fun with VLANs. As I've been studying for the CCNA cert I've been reading how great VLANs are, so in this post I'm going to have a little fun with some really cool tools from the BackTrack distro. My aim is to demonstrate why simply placing hosts in a separate VLAN might sometimes not be enough if you really don't want anyone to have access to them. Let's get started.


I start off by connecting to the LAN and getting a network address:

dhclient eth0

I can see that I'm attached to the network.

Next I fire up wireshark and check the network for DTP (Dynamic Trunking Protocol) frames and CDP (Cisco Discovery Protocol) frames.

I can see that I have both CDP and DTP frames present.

Now I want to tell the switch that my port is a trunk port. For this I'll use Yersinia and tell it to look at DTP:

yersinia -I

After I see DTP frames appear in Yersinia I launch the attack to configure the port for trunking.

Now I need to know the VLAN number that the other networks are on. Before launching Yersinia I could only see traffic from my own network; now I can start to see traffic from hosts on another network.

Looking at the 802.1Q information in the frame I can see that the other network is on VLAN 2.

With this information I'll create a sub-interface for the new network with vconfig so that its frames are tagged for VLAN 2:

vconfig add eth0 2
ifconfig eth0.2 up
ifconfig eth0.2

Now I check that I can ping the host I saw in Wireshark, and I have a quick look at its ports with Nmap.

ping -c 2

Great, I have plenty here to play with, and on port 80 ...........

Okay, obviously this was staged, but hopefully it illustrates two things: VLANs can be abused, and Yersinia rocks!
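The post does its frame inspection by eye in Wireshark: look for CDP and DTP, then read the VLAN ID out of the 802.1Q tag. As an added example (my code, not from the original post and not part of Yersinia or Wireshark), here is a small Python parser that does the same thing programmatically: it peels any number of stacked 802.1Q/802.1ad tags off an Ethernet header and recognises CDP and DTP by their Cisco SNAP protocol ids (0x2000 and 0x2004). The `audit_frame` function shows how a sensor on a plain access port would use it: DTP arriving at the host means trunk negotiation is still enabled, and a frame tagged for a VLAN the port should not carry, or carrying two tags, is a sign of the hopping the post demonstrates. It goes slightly beyond the post in handling the double-tagged case. The MAC addresses, frames and finding texts are all constructed here.

```python
"""Parse Ethernet frames for 802.1Q tags and Cisco DTP/CDP, then audit them.

Constructed example for monitoring an access port; not code from the original
post, Yersinia or Wireshark. All sample frames and MAC addresses are made up.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional

ETHERTYPE_8021Q = 0x8100   # customer VLAN tag (C-TAG)
ETHERTYPE_8021AD = 0x88A8  # service VLAN tag (S-TAG, QinQ outer tag)
CISCO_MULTICAST = bytes.fromhex("01000ccccccc")  # CDP/DTP/VTP destination MAC
CISCO_OUI = bytes.fromhex("00000c")
CISCO_PID_CDP = 0x2000
CISCO_PID_DTP = 0x2004


@dataclass
class FrameInfo:
    dst: str
    src: str
    vlan_ids: List[int]        # outermost tag first
    ethertype: Optional[int]   # payload type after the tags; None for 802.3/LLC
    protocol: str              # "DTP", "CDP", "IPv4", "ARP", "IPv6", "llc", "other"


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_frame(frame: bytes) -> FrameInfo:
    """Walk the header, peeling any number of stacked 802.1Q/802.1ad tags."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[:6], frame[6:12]
    off = 12
    vlan_ids: List[int] = []
    while True:
        if off + 2 > len(frame):
            raise ValueError("frame truncated inside tag stack")
        etype = struct.unpack("!H", frame[off:off + 2])[0]
        if etype not in (ETHERTYPE_8021Q, ETHERTYPE_8021AD):
            break
        if off + 4 > len(frame):
            raise ValueError("truncated 802.1Q tag")
        tci = struct.unpack("!H", frame[off + 2:off + 4])[0]
        vlan_ids.append(tci & 0x0FFF)  # the low 12 bits of the TCI are the VID
        off += 4

    if etype <= 1500:
        # IEEE 802.3 length field: an LLC header follows. CDP and DTP use SNAP
        # (DSAP/SSAP 0xAA, control 0x03) with the Cisco OUI and a protocol id.
        snap = frame[off + 2:off + 10]  # DSAP, SSAP, control, OUI(3), PID(2)
        if len(snap) == 8 and snap[:3] == b"\xaa\xaa\x03" and snap[3:6] == CISCO_OUI:
            pid = struct.unpack("!H", snap[6:8])[0]
            proto = {CISCO_PID_CDP: "CDP", CISCO_PID_DTP: "DTP"}.get(pid, "cisco-snap")
        else:
            proto = "llc"
        return FrameInfo(_mac(dst), _mac(src), vlan_ids, None, proto)

    proto = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6"}.get(etype, "other")
    return FrameInfo(_mac(dst), _mac(src), vlan_ids, etype, proto)


def audit_frame(frame: bytes, access_vlan: int) -> List[str]:
    """Findings a sensor sitting on an ordinary access port would raise."""
    info = parse_frame(frame)
    findings = []
    if info.protocol == "DTP":
        findings.append("DTP on an access port: trunk negotiation is still enabled")
    if info.protocol == "CDP":
        findings.append("CDP on an access port: switch details are advertised to end hosts")
    if len(info.vlan_ids) >= 2:
        findings.append(f"double-tagged frame (VIDs {info.vlan_ids}): possible VLAN hopping")
    elif len(info.vlan_ids) == 1 and info.vlan_ids[0] != access_vlan:
        findings.append(f"tag for VLAN {info.vlan_ids[0]} seen where only VLAN {access_vlan} is expected")
    return findings


# --- constructed sample frames (not real captures) ---------------------------
def _build(dst: bytes, src: bytes, tags: List[int], etype: int, payload: bytes) -> bytes:
    head = dst + src
    for vid in tags:
        head += struct.pack("!HH", ETHERTYPE_8021Q, vid)  # PCP/DEI zero, VID in low 12 bits
    return head + struct.pack("!H", etype) + payload


HOST_A = bytes.fromhex("0200aa000001")  # made-up locally administered MACs
HOST_B = bytes.fromhex("0200bb000002")
PAYLOAD = bytes(46)  # padding; the payload contents are irrelevant here

# A DTP frame: 802.3 length field, then LLC/SNAP with Cisco OUI and PID 0x2004.
_dtp_body = b"\xaa\xaa\x03" + CISCO_OUI + struct.pack("!H", CISCO_PID_DTP) + PAYLOAD
SAMPLE_DTP = CISCO_MULTICAST + HOST_A + struct.pack("!H", len(_dtp_body)) + _dtp_body
# A single-tagged IPv4 frame from VLAN 2, like the one read in Wireshark above.
SAMPLE_VLAN2 = _build(HOST_B, HOST_A, [2], 0x0800, PAYLOAD)
# A double-tagged frame: outer tag = native VLAN 1, inner tag = VLAN 2.
SAMPLE_DOUBLE = _build(HOST_B, HOST_A, [1, 2], 0x0800, PAYLOAD)

if __name__ == "__main__":
    for name, f in [("dtp", SAMPLE_DTP), ("vlan2", SAMPLE_VLAN2), ("double", SAMPLE_DOUBLE)]:
        info = parse_frame(f)
        print(name, info.protocol, info.vlan_ids, audit_frame(f, access_vlan=1))
```

Feed it frames from a live capture (for example the raw bytes a libpcap wrapper hands you) and any DTP hit on a port that is supposed to be `switchport mode access` is a configuration finding, not just an attack indicator.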


Anonymous said...

Good post. I hope this helps hapless security engineers in design meetings.

said...

Interesting. This should only work in the case when the switch has been configured to automatically detect trunks, right?

SynJunkie said...

Yes, although I'm yet to test it, I believe that configuring ports as access ports would mitigate this vulnerability.

Tim Grossner said...

Correct - the vulnerability only exists if the switchport is configured as a trunk, or to autodetect them. If it was just configured as an access port and placed in a VLAN, all is well.

Tim Grossner said...

Right, this is only vulnerable if the port is configured as a trunk, or to auto-detect trunks. If it's configured as an access port and placed into a VLAN, it should be fine.

Anonymous said...

So it's pretty common to configure access ports with SWITCHPORT MODE ACCESS, but wouldn't it still accept the trunk unless you set it to NONEGOTIATE?

Anonymous said...

Never mind, according to the CCNA Security book, SWITCHPORT MODE ACCESS blocks all trunking on that port.

SWITCHPORT NONEGOTIATE is for use on a port that is a trunk, but doesn't want to participate in dynamic trunking.

Anonymous said...

CCNA Security 101: disable CDP and DTP on access ports.

SynJunkie said...

Agreed, there are ways to prevent this, as there are methods to prevent almost all attacks. Are these methods always used? I would say rarely. Especially on the infrastructure, and especially on the soft and chewy center!

Anonymous said...

Pruning VLANs off the trunks would also mitigate the risk of exposure to/from other VLANs. I'm not sure off-hand what VLANs would be allowed if the port negotiates, is it any VLAN?

Anonymous said...

I don't know if it's a coincidence or not, but if your IP is 10.*.*.* there's a VLAN hidden in the 192.*.*.*? Or does any IP that's not 192 indicate a VLAN?

SynJunkie said...

Usually all the VLANs will have different network ranges. I have just used different classes of IP address to make things clear for the blog post.

Anonymous said...

Using VLAN hopping, it is still possible to access other VLANs, as long as the trunk port between two switches uses the attacker's access VLAN as the native VLAN.

The attacker could encapsulate a .1q packet inside another. When the packet is sent over the trunk, the first tag is stripped, and the packet is allowed unmodified over the trunk. On the neighboring switch, the packet is then sent on to the destination host in a different VLAN.

Yersinia allows for this kind of attack: "Sending double encapsulated 802.1Q packet".

Solution: prune the native VLAN of the trunk.
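Pulling together the mitigations raised in this thread (access mode, nonegotiate, disabling CDP and DTP, pruning the allowed VLANs and moving the native VLAN off the access VLANs) as an added Cisco IOS configuration example. This is my example, not configuration from the blog or from any commenter; the interface names and the VLAN numbers 10, 20 and 999 are assumed values for illustration.

```cisco
! WEAK: a dynamic port negotiates trunking with whatever is plugged in, which is
! the behaviour the post's Yersinia run depends on. "dynamic auto" is the same
! problem: it still answers a DTP "desirable" from the host side.
interface GigabitEthernet0/1
 switchport mode dynamic desirable
!
! HARDENED ACCESS PORT (user or server in VLAN 10, assumed):
! a static access port sends no DTP, so the host cannot negotiate a trunk;
! nonegotiate makes that explicit, and no cdp enable stops the switch
! advertising itself to the host.
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 no cdp enable
!
! HARDENED INTER-SWITCH TRUNK:
! a static trunk with DTP off, carrying only the VLANs that need to cross it,
! and a native VLAN (999, assumed) that is used by no access port and is not in
! the allowed list. That is the "prune the native VLAN" advice above: a
! double-tagged frame from an access VLAN no longer matches the trunk's native
! VLAN, so its outer tag is not stripped and the inner tag never reaches the
! far switch as an untagged hop into another VLAN.
interface GigabitEthernet0/24
 switchport trunk encapsulation dot1q   ! only on platforms that also support ISL
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20
```

A quick check after applying this is `show interfaces GigabitEthernet0/1 switchport`: the operational mode should read static access and the negotiation of trunking should read Off, and `show cdp neighbors` from a host on that port should show nothing.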

SynJunkie said...

That's what I like, an attack and a solution.

Thanks for the comment.


didn0t said...

Any idea why Yersinia freezes when I start it on BT4?

SynJunkie said...

No. Have you checked the BT forums? They are pretty comprehensive.