Vlan Hopping Anomaly

---

• From: "Jos_Cit" <giuseppe.citerna@xxxxxx>
• Date: 6 Aug 2005 02:49:26 -0700

---

Hello, i have read many doc about this attack but there are many
contradictions.

I hnow that this exploit exist in 2 ways :

Basic=> The attacker spoof a switch and gains the trunked states of the
switch's port. Rely on auto-negotiate feature turned ON.
This ways is simple to understand.

******************************************************************
Complex 1 => This attack is described on
http://www.sans.org/resources/idfaq/vlan.php and to work need that the
attacker and the trunk share same native vlan ( ex. VLAN 10 ). In this
doc. that the attacker send on the access port ( VLAN 10 ) a tagged
frame with a VLAN-ID of target VLAN ( ex. VLAN 20 ) . The switch takes
frame and forward it on trunk port without native tag (10). The other
switch read VLAN-ID(20) and forward frame on the access vlan 20.
In this scenario my doubts is :

1) Why the first SW accepts tagged frame but does'nt read the tags ?
Is this behavior an anomaly of work ?

2) Why the last switch that receives native frame on trunk port reads
the VLAN-ID ? Is this normal or anomaly ? I think that sw does'nt read
VLAN-ID because the frame on trunk is native .

******************************************************************

Complex 2 => In other docs per ex:
http://www.cisco.com/en/US/products/hw/switches/ps708/products_white_paper09186a008013159f.shtml
, there is an attack called " Double-Encapsulated 802.1Q ". In this
exploit the conditions are similar to the precedent but the attacker
need to insert two VLAN-ID ( outer,inner ). If this case work then :

1) The first switch read VLAN-ID on access port and forward frame on
trunk ( strip off first VLAN-ID ) . This behavior is different that
precedent case . Why the switch forward this frame according to VLAN-ID
on the access-port ? Is this behavior another anomalies ?

******************************************************************

Sorry about lenght of post.



Thanks


Giuseppe Citerna
ccie#1053




























Complex 2 => This

.

---

• Follow-Ups:
  • Re: Vlan Hopping Anomaly
    • From: Jos_Cit
  • Re: Vlan Hopping Anomaly
    • From: Walter Roberson
  • Re: Vlan Hopping Anomaly
    • From: www.BradReese.Com

• Prev by Date: Re: Aironet 1200 ping problem
• Next by Date: Re: How to select a stable IOS version for switch ?
• Previous by thread: Aironet 1200 ping problem
• Next by thread: Re: Vlan Hopping Anomaly
• Index(es):
  • Date
  • Thread

---

Relevant Pages Vlan Hopping Vulnerability ... and forward it on trunk port without native tag. ... The other switch ... - Why the first SW accepts tagged frame? ... VLAN-ID because the frame on trunk is native. ... (comp.dcom.lans.ethernet) Re: Vlan Hopping Anomaly ... switch does'nt reads VLAN-ID and in the COMPLEX 2 the switch reads the ... VLAN-ID on his access-port? ... According to me only second case were a bug, because on the access port ... > switch read VLAN-IDand forward frame on the access vlan 20. ... (comp.dcom.sys.cisco) Re: Vlan Hopping Vulnerability ... > and forward it on trunk port without native tag. ... > vlan 20. ... > - Why the first SW accepts tagged frame? ... if the switch has ingress filtering ... (comp.dcom.lans.ethernet) Re: Cause of some major X10 problems found ... I can probably provide the switch as well. ... The probability that a noise source will create valid X-10 PLC codes ... only one valid 11 cycle frame, which it reports using a lower case ... (comp.home.automation) Re: thoughts on kernel security issues ... I'm pretty sure that you only get a 3 second delay on the specific ... as a test, switch to vc/0 and enter 'root', then press enter. ... Switch to vc/1, and enter 'root', then press enter. ... Automating an attack on about 10 different ssh connections shouldn't be ... (Linux-Kernel)

---

We are proud to have Web Hosting and Rack Housing from 9 Net Avenue Deutschland.
(18)