Vlan hopping

Discussion in 'Cisco' started by Sherlock Holmes, Sep 26, 2007.

  1. Hi All,

    Does anyone know of Vlan Hopping? Can anyone explain how it works?
    Sherlock Holmes, Sep 26, 2007

  2. thort


    Sep 26, 2007
    vlan hopping

    VLAN hopping is basically a security issue. Besides the network reasons for configuring VLANs (reduced broadcast domains, switch virtualisation, etc.) the security reasons are simple: segment users. So for example I configure two VLANs: accounting and others. This keeps their traffic separate and they need to pass through a router with ACLs or a firewall to intercommunicate.
    However, if I am a member of the others VLAN and can get my PC directly into the accounting VLAN, I have just bypassed the firewall. If you don't understand how I could do that, then you need to learn about VLAN TAGGING.

    Standard default configuration problems inherent to Cisco and to non-security-minded network admins with Cisco equipment:
    1. Default management VLAN 1 on all ports.
    2. Multiple VLANs configured on the same port.
    3. Dynamic Trunking Protocol (DTP) on by default.
    4. Trunk ports carry all VLANs by default.
    5. CDP configured by default.

    So with a good sniffer (that reads tagged frames), an OS, NIC or application that can do VLAN tagging, a CDP sniffer, and a DTP generator, I could: 1. put myself in the management VLAN 1 (with the correct IP address - thanx CDP!), which is seldom filtered, or 2. put myself directly into the accounting VLAN if multiple VLANs are on the same port, or 3. turn my switchport into a trunk with DTP and have access to all VLANs.

    thort, Sep 26, 2007

  3. Hi,

    Sherlock Holmes wrote:
    > Hi All,
    > Does anyone know of Vlan Hopping? Can anyone explain how it works?

    Yes, I can.
    Let's start this way. You have two switches with a trunk link between them.
    On both sides you have VLAN v1 and VLAN v2.

    He creates a packet with a VLAN v2 header and puts this inside a
    VLAN v1 packet. The switch then transports that packet to the ports. On
    the trunk port it removes the v1 header and, what a surprise, there is a v2
    header. Now it transports the packet to the v2 port.

    I currently don't remember what the hacker has to do to make the
    switch extract it. I only remember something about switchport mode
    not being set to access. There is a protocol a Cisco switch uses to find out
    whether the port is a trunk or an access port.

    If you still have questions left, send me a mail.

    So long Alexander
    Alexander Grümmer, Sep 26, 2007
  4. Hi,

    I found the book description:

    "VLAN hopping relies on the Dynamic Trunking Protocol (DTP). If you have
    two switches that are connected, DTP can negotiate between the two to
    determine if they should be an 802.1Q trunk. Negotiation is done by
    examining the configured state of the port. "


    "Trunk links carry traffic from all VLANs. In 802.1Q trunking, which DTP
    negotiates, four bytes are added to the Ethernet header to define what
    VLAN a frame is a member of. When a frame leaves the trunk and enters
    another switch, the 802.1Q shim header is removed, the frame check
    sequence is recalculated, and the frame is brought back to its original

    VLAN hopping exploits the use of DTP. In VLAN hopping, you spoof your
    computer to appear as another switch. You send a fake DTP negotiate
    message announcing that you would like to be a trunk. When the real
    switch hears your DTP message, it thinks it should turn on 802.1Q
    trunking. When trunking is turned on, all traffic for all VLANs is sent
    to your computer. Figure 10-6 illustrates this process.

    After a trunk is established, you either can proceed to sniff the
    traffic, or you can send traffic by adding 802.1Q information to your
    frames that designate which VLAN you want to send your attack to.

    I think that describes the thing. So to prevent VLAN hopping you should
    always disable DTP.

    So long Alexander
    Alexander Grümmer, Sep 26, 2007
  5. thort


    Sep 26, 2007
    Exactly what Alexander says about trunking and DTP (he gave a more detailed explanation than I did). But you can also have multiple VLANs on a switchport, not just on a trunk, and then you can hop that way too.

    Some good basic Cisco security commands:
    Global Config:
    spanning-tree portfast bpduguard default
    spanning-tree guard root
    User Port Config - Interface fe0/X:
    switchport mode access (turns off DTP on that port)
    switchport access vlan X
    switchport port-security

    And change the native VLAN from the default VLAN 1 on both switchports and trunks (especially on trunks!)
    Last edited: Sep 27, 2007
    thort, Sep 27, 2007
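    The hardening advice in this thread (turn off DTP, pin user ports to one VLAN, move the native VLAN off VLAN 1, prune what a trunk carries) pulled together into one Catalyst IOS configuration. This is an added example, not a configuration posted by anyone in the thread; the interface names, the VLAN numbers 10 and 20, and the unused "parking" VLAN 999 are assumed placeholders.

```text
! --- Global ---
! BPDU guard on every portfast edge port; a user port that sees a BPDU is err-disabled.
spanning-tree portfast bpduguard default
! Tag frames on the native VLAN too, so an untagged frame arriving on a trunk is not
! silently placed in the native VLAN (platform-dependent command, see note below).
vlan dot1q tag native
!
! --- User-facing access port: one VLAN, no trunk negotiation ---
interface FastEthernet0/1
 description User port (assumed placeholder)
 switchport mode access
 switchport access vlan 10
 ! "nonegotiate" stops the port from sending or answering DTP at all.
 switchport nonegotiate
 switchport port-security
 spanning-tree portfast
!
! --- Inter-switch trunk: static, DTP off, native VLAN unused, allowed list pruned ---
interface GigabitEthernet0/1
 description Uplink to second switch (assumed placeholder)
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 ! Native VLAN is an unused VLAN carrying no hosts, so a double-tagged frame that
 ! relies on the outer tag matching the native VLAN has nowhere to land.
 switchport trunk native vlan 999
 ! Only the VLANs that actually need to cross this link.
 switchport trunk allowed vlan 10,20
!
! --- Unused ports: parked in the unused VLAN and shut down ---
interface range FastEthernet0/10 - 24
 switchport mode access
 switchport access vlan 999
 switchport nonegotiate
 shutdown
```

    To check the result, `show interfaces GigabitEthernet0/1 switchport` should report "Negotiation of Trunking: Off" and the new native VLAN, and `show interfaces trunk` should list only VLANs 10 and 20 as allowed. Two platform caveats: `switchport trunk encapsulation dot1q` exists only on switches that also support ISL (on dot1q-only platforms it is absent and not needed), and `vlan dot1q tag native` is not available on every Catalyst model, so verify both against the platform's command reference.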
  6. ABCD1234


    Feb 14, 2009
    double tagging 802.1Q

    I have a problem understanding VLAN hopping. I want to demonstrate this attack. At the moment I have got 2 switches. Switch 1 has two PCs, one in VLAN 2 and the other in VLAN 3. The second switch also has two PCs, one in VLAN 2 and the other in VLAN 3.

    At the moment they cannot ping etc. Switch 1 has a VLAN 1 IP address of Switch 2 has a VLAN 1 IP address of The switches have trunking between them. I have set that up by using switchport trunk encap 802.1Q on both sides. By the way, the native VLAN is 1.

    I have got an attack PC on VLAN 1 using yersinia. And I cannot get onto another VLAN.

    Can anyone help me out please...
    ABCD1234, Feb 14, 2009
  7. Ford Perfect


    Mar 26, 2009
    Here you can find an example for misusing DTP with yersinia:


    Hope it helps.
    Ford Perfect, Mar 26, 2009