Full Disclosure mailing list archives
VLAN Hopping, myth or reality?
From: "Yersinia Authors" <yersinia () wasahero org>
Date: Mon, 19 Sep 2005 22:35:25 +0200 (CEST)
Hello, just some thoughts added to the eternal discussion about VLAN Hopping (802.1q double encapsulated attacks, trunking, ... see the @stake paper or the Sean Convery BH presentation).

There are lots of resources on the Internet talking about those attacks in a theoretical way, but we weren't able to find any implementation, so here is a step by step guide to perform a VLAN Hopping + ARP Poisoning, allowing a user to sniff and (why not?) perform a mitm attack against another user in another VLAN. The tool described here, yersinia, can do this, among other fancy features.

Note for the network administrators: this attack can be avoided just by properly configuring your switch DTP settings in each port (disabling trunking).

Steps:

1.- Start yersinia graphical mode: yersinia -I

2.- Select the network interfaces you want to use ('i')

3.- Wait for some minutes (~3 minutes). If you see DTP traffic, the attack can be accomplished; if not, we are sorry. We need to set up the trunk: go to DTP mode (F5 or press 'g'), press 'd' to initialize default values, then 'x' (attacks) and then '1' ('enabling trunking'); you should be able to see some other DTP packets.

4.- Switch to 802.1q mode (F6 or press 'g'). There should be some packets there, most of them related to spanning tree or broadcast traffic.

5.- For this attack, we need to know:
    a) Victim's VLAN
    b) Victim's gateway IP Address.
    c) A host in the victim's network segment that is not alive.
    Press 'd' to initialize default values, and then 'x', then '2' (sending 802.1q arp poisoning). Then fill in those three values, and suddenly, you should be able to see the traffic generated by the victim and destined for the gateway :)

If you look around yersinia options, there is a useful option that saves all the traffic in pcap format, so you can sniff the victim network data and save it automatically in a file. Of course, this attack can only be performed locally.

We have tested this attack only against Cisco switches 29xx, so we would be pleased if we received notifications of working attacks in other Cisco models, or better, other vendors (which is almost impossible since DTP is Cisco proprietary, but, we've seen HP switches with CDP enabled ;) )

Yersinia: http://yersinia.sourceforge.net

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
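The post's two on-wire preconditions, DTP negotiation on an access port and 802.1Q double-tagged frames, are both visible in a capture. The detector below is an added example, not code from the post or from yersinia; it parses raw Ethernet frames and flags both signals so a defender can alert on them (the sample frames are constructed, and the DTP SNAP identifiers are the Cisco OUI 00:00:0c with protocol id 0x2004).

```python
# Added example (not from the post or from yersinia): flag the two on-wire
# signals the post relies on, DTP negotiation frames and 802.1Q double tags,
# so a defender can alert on them from a capture. Sample frames are constructed.
DTP_DST_MAC = bytes.fromhex("01000ccccccc")  # Cisco multicast address used by DTP
CISCO_OUI = bytes.fromhex("00000c")
DTP_SNAP_PID = b"\x20\x04"                   # SNAP protocol id carried by DTP
TAG_8021Q = b"\x81\x00"

def vlan_tags(frame):
    """Return (VLAN ids in the tag stack, offset of the payload ethertype/length)."""
    tags, offset = [], 12
    while len(frame) >= offset + 4 and frame[offset:offset + 2] == TAG_8021Q:
        tci = int.from_bytes(frame[offset + 2:offset + 4], "big")
        tags.append(tci & 0x0FFF)  # low 12 bits of the TCI carry the VLAN id
        offset += 4
    return tags, offset

def is_dtp(frame, offset):
    """True if the frame is an 802.3/LLC/SNAP frame carrying Cisco DTP."""
    if frame[:6] != DTP_DST_MAC or len(frame) < offset + 10:
        return False
    length = int.from_bytes(frame[offset:offset + 2], "big")
    llc = frame[offset + 2:offset + 10]
    return (length <= 1500 and llc[:3] == b"\xaa\xaa\x03"
            and llc[3:6] == CISCO_OUI and llc[6:8] == DTP_SNAP_PID)

def classify(frame):
    """Return the findings for one raw Ethernet frame."""
    if len(frame) < 14:
        return {"src": None, "dtp": False, "tags": [], "alert": "short frame"}
    tags, offset = vlan_tags(frame)
    dtp = is_dtp(frame, offset)
    alert = None
    if dtp:
        alert = "DTP seen: port is negotiating trunking"
    elif len(tags) > 1:
        alert = "double 802.1Q tag: possible VLAN hopping"
    return {"src": frame[6:12].hex(":"), "dtp": dtp, "tags": tags, "alert": alert}

# Constructed frames: a DTP hello, a double-tagged ARP, and a plain IP frame.
SAMPLE_FRAMES = [
    DTP_DST_MAC + bytes.fromhex("000102030405") + b"\x00\x1c"
    + b"\xaa\xaa\x03" + CISCO_OUI + DTP_SNAP_PID + b"\x01" + b"\x00" * 19,
    bytes.fromhex("ffffffffffff") + bytes.fromhex("00aabbccddee")
    + TAG_8021Q + b"\x00\x01" + TAG_8021Q + b"\x00\x0a" + b"\x08\x06" + b"\x00" * 28,
    bytes.fromhex("001122334455") + bytes.fromhex("00aabbccddee") + b"\x08\x00" + b"\x00" * 20,
]

if __name__ == "__main__":
    for f in SAMPLE_FRAMES:
        print(classify(f))
```

A DTP alert on a port that should be an access port is the configuration gap the post's note to administrators refers to; the fix is on the switch, not on the host.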