VLAN jumping

Photo by Blake Cheek on Unsplash

VLANs are used to split the switches on a network into logically separated networks. That way a network manager can, for example, separate students from teachers on a school network and prevent students from accessing the teachers' network, where they could potentially make some bad decisions.

In this article, I will try to explain how a student can access or jump to another VLAN they are not supposed to access, and how you as a network manager can prevent it from happening.

DTP

Dynamic Trunking Protocol

Switches can be interconnected using trunking protocols such as 802.1Q. This makes the link between two switches act as a so-called trunk. A trunk is basically a link that carries frames belonging to multiple VLANs. Each frame sent across the trunk is tagged with an indication of which VLAN it belongs to, so the receiving switch can place the frame into the correct VLAN on its side.

For trunking to work, both switches on either side of the trunk must have the same VLANs configured and must allow all of those VLANs to pass between them.

The setup on Cisco switches is quite simple because trunking can be negotiated by default on every interface.

DTP Hacking

How to jump to the VLAN you want to be in.

The good thing about trunks is that they can make multiple switches act as one extended switch. This is great for management, but of course, this can be exploited by creative and knowledgeable individuals (hackers).

This exploit requires a managed Cisco switch, like the Catalyst 2960. These can be bought cheaply as lab equipment on eBay.

Since every switch interface by default tries to form a trunk using DTP, all you have to do is connect a switch to the interface. If an evil switch is set up with trunking enabled on the connected interface, the hacker can use that evil switch to reach any of the running VLANs.

To enable trunking of all VLANs on the evil switch, run these commands.

conf t
int g0/1
switchport mode trunk
switchport trunk allowed vlan all

Now that the evil switch is able to accept every VLAN coming across the trunk link you can list all VLANs coming across the trunk by issuing a simple command.

show interface trunk

...
Port Vlans allowed on trunk
Gi0/1 1-4094

Port Vlans allowed and active in management domain
Gi0/1 10,20,30,99
...

By looking at the output above you can see that there is a list of VLANs that exist on the network. Now you can easily configure another interface on the switch to access exactly the VLAN you want to connect to.

In a network like the one above with only four VLANs, it's easy to scan the entire network for interesting devices such as servers and specific computers using tools like Nmap.

To make another switch interface a part of VLAN 10 you issue a couple of simple commands on the evil switch.

conf t
int g0/2
switchport mode access
switchport access vlan 10

If you connect a computer to the GigabitEthernet 0/2 interface on the switch you can now access VLAN 10. To jump to another VLAN you simply issue the switchport access command with another VLAN.

Disable DTP

Prevent VLAN jumping

To prevent a pesky hacker from attaching a switch to your network (or using software that emulates a managed switch) and jumping to an off-limits VLAN, you simply disable DTP on the interfaces intended for end devices such as laptops and workstations.

We start by manually setting the switch interface to be an access port, so that it cannot be used as a trunk. Then, to disable DTP completely, we set the interface not to negotiate trunking.

config terminal
int g0/1
switchport mode access
switchport nonegotiate

Now it's impossible to attach an evil switch to the network and perform VLAN jumping.

Another benefit of setting the interface to nonegotiate is that endpoints connect faster: the interface no longer goes through the process of negotiating whether the link should be a trunk, which it would otherwise still do even when set to access mode.
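To check that the hardening above has actually been applied on every edge port, here is an added example (not from the original article) that parses a Cisco IOS running-config excerpt and flags interfaces that still allow DTP negotiation. It assumes a constructed config sample and treats only "switchport mode access" combined with "switchport nonegotiate" as hardened; interfaces with no "switchport mode" line are reported as being in the IOS default dynamic mode.

```python
# Constructed excerpt of a Cisco IOS 'show running-config' (not from a real device).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
!
interface GigabitEthernet0/2
 switchport access vlan 10
!
interface GigabitEthernet0/3
 switchport mode access
 switchport access vlan 20
!
interface GigabitEthernet0/24
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30,99
!
"""

def parse_interfaces(config: str) -> dict[str, list[str]]:
    """Collect the indented lines of each 'interface ...' stanza, keyed by name."""
    interfaces: dict[str, list[str]] = {}
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(" ", 1)[1].strip()
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or any other top-level line ends the stanza
    return interfaces

def dtp_findings(config: str) -> dict[str, str]:
    """Map each interface that still permits DTP negotiation to the reason why."""
    findings: dict[str, str] = {}
    for name, lines in parse_interfaces(config).items():
        modes = [l.split(" ", 2)[2] for l in lines if l.startswith("switchport mode ")]
        mode = modes[-1] if modes else "dynamic (IOS default)"
        if mode == "access":
            if "switchport nonegotiate" not in lines:
                findings[name] = "access port still sends DTP; add 'switchport nonegotiate'"
        elif mode == "trunk":
            findings[name] = "trunk port; confirm this is an intended switch uplink"
        else:
            findings[name] = f"mode '{mode}': a connected switch can negotiate a trunk"
    return findings
```

Run dtp_findings() over a full running-config and only GigabitEthernet0/1 in the sample passes; the other three ports are listed with the reason and the fix.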