
I've been reading about Switch Spoofing for some homework, and found that the attack is based on Cisco DTP protocol.

In case I want to replicate the attack in class, I would use an HP 2510 switch from our lab, which doesn't use DTP because it's a Cisco protocol, but it uses LAPD to dynamically configure trunk ports based on LAPD packets.

Is it possible to replicate the attack with this device?

Some references I've been reading:

https://github.com/nccgroup/vlan-hopping---frogger

https://howdoesinternetwork.com/2012/vlan-hopping-attack

https://en.wikipedia.org/wiki/VLAN_hopping

Btc Sources

1 Answer


Short answer: Yes. As long as you can get a trunk link between your device and the switch.

Long answer: This attack takes advantage of how the native VLAN works with dot1Q packets. A trunk link negotiates the encapsulation protocol of the link, which is usually 802.1Q. If you just send dot1Q packets to the switch they are going to be dropped, so that is why you need to create that trunk link between the devices; as long as you can do that, you can replicate the attack. You will have to do some more research on how LAPD works and its default settings. For example, in Cisco's Catalyst family of switches, DTP is set to 'desirable' by default, meaning that it is willing to trunk, and all you have to do is tell that port that you want to trunk and it will create that trunk link and negotiate the encapsulation protocol (usually 802.1Q). I demonstrated this using a tool called Yersinia. So, you will have to see if LAPD does something similar. You will also have to make sure the other correct variables are in place to make this attack work, but overall, if you can create a trunk between your device and the switch then it is possible to replicate the attack.

Things to think about:

  • Make sure to research the default configurations of the HP switch and the different modes of LAPD if you are going to make a practical case for this attack. For example, as I outlined above about the default configuration of DTP and why it works.

  • If you are going to target LAPD then you might have trouble finding a tool that does this, as Yersinia attacks DTP because Cisco is much more popular. If you need or have the time to create your own tool, then you can accomplish this with the Scapy library for Python, which allows you to create and craft packets at each layer of the TCP/IP hybrid model and lets you implement and define specific protocols and parameters.

  • For this attack to work in a demonstration, make sure you get a trunk link, you are sitting in the native VLAN as the attacker, and the target is in a different VLAN.

If this is just to demonstrate the VLAN-hopping attack itself and not HP LAPD specifically, then I recommend you try to get your hands on a Cisco device, even if it's virtual through GNS3 or Cisco Packet Tracer. It would be much easier to demonstrate, as Yersinia is an already created tool that can attack DTP and craft double-tagged packets.

nd510
  • I did read all of the device manual referring to LACP, as well as how DTP works. The problem comes because I need to replicate the attack in our lab, and we don't have Cisco switches, so I think I'll have to leave this attack and think of another L2 attack. I did watch some demos with Yersinia as well, and noticed that it doesn't have LACP implemented... Also looked for other tools but found nothing, and I'm afraid I don't have enough time to create my own tool. If I could only virtualize a Cisco switch in a VM or something like that, everything would be OK xD. Thanks for your completeness. – Btc Sources May 31 '17 at 09:59
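As an added example that is not part of the original thread, here is the defender's-side counterpart of what the answer describes: a small frame parser that flags the two signs of VLAN hopping on a port that should be an access port, a host sending DTP trunk negotiation frames (switch spoofing) and a frame carrying stacked 802.1Q tags (double tagging). It is plain Python with no Scapy dependency; the DTP identification (Cisco multicast MAC 01:00:0c:cc:cc:cc, LLC/SNAP header with the Cisco OUI and protocol id 0x2004) follows Cisco's published frame format, and the sample frames, MACs and VLAN IDs at the bottom are constructed for the demonstration.

```python
import struct

DTP_DST_MAC = bytes.fromhex("01000ccccccc")  # Cisco multicast MAC that carries DTP/CDP/VTP
CISCO_OUI = bytes.fromhex("00000c")           # SNAP OUI of Cisco-proprietary protocols
DTP_SNAP_PID = 0x2004                         # SNAP protocol id identifying DTP
VLAN_ETHERTYPES = (0x8100, 0x88A8)            # 802.1Q and 802.1ad tag ethertypes

def parse_frame(frame: bytes) -> dict:
    """Return dst, src, stacked VLAN IDs, final ethertype (or 802.3 length) and payload."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src, off, vids = frame[:6], frame[6:12], 12, []
    ethertype = struct.unpack("!H", frame[off:off + 2])[0]
    while ethertype in VLAN_ETHERTYPES:
        if off + 6 > len(frame):
            raise ValueError("truncated VLAN tag")
        tci = struct.unpack("!H", frame[off + 2:off + 4])[0]
        vids.append(tci & 0x0FFF)              # low 12 bits of the TCI are the VLAN ID
        off += 4
        ethertype = struct.unpack("!H", frame[off:off + 2])[0]
    return {"dst": dst, "src": src, "vids": vids, "ethertype": ethertype, "payload": frame[off + 2:]}

def is_dtp(parsed: dict) -> bool:
    """DTP: 802.3 frame (length <= 1500) to the Cisco multicast MAC, LLC/SNAP AA AA 03 + OUI + 0x2004."""
    if parsed["dst"] != DTP_DST_MAC or parsed["ethertype"] > 0x05DC:
        return False
    p = parsed["payload"]
    return (len(p) >= 8 and p[:3] == b"\xaa\xaa\x03" and p[3:6] == CISCO_OUI
            and struct.unpack("!H", p[6:8])[0] == DTP_SNAP_PID)

def check_frame(frame: bytes, access_port: bool = True) -> list:
    """VLAN-hopping indicators in one frame; a host on an access port should send neither."""
    parsed = parse_frame(frame)
    findings = []
    if access_port and is_dtp(parsed):
        findings.append("DTP negotiation frame from a host on an access port (switch spoofing)")
    if len(parsed["vids"]) > 1:
        findings.append("stacked 802.1Q tags %s (double tagging)" % parsed["vids"])
    return findings

# Constructed sample frames, not real captures; MACs and VLAN IDs are made up.
DTP_FRAME = (DTP_DST_MAC + bytes.fromhex("020000000001") + b"\x00\x20"   # 802.3 length 32
             + b"\xaa\xaa\x03" + CISCO_OUI + b"\x20\x04" + b"\x01" + b"\x00" * 23)
DOUBLE_TAGGED = (bytes.fromhex("001122334455") + bytes.fromhex("020000000002")
                 + b"\x81\x00\x00\x01"   # outer tag: native VLAN 1, stripped by the first switch
                 + b"\x81\x00\x00\x14"   # inner tag: VLAN 20, acted on by the next switch
                 + b"\x08\x00" + b"\x45" + b"\x00" * 19)
PLAIN_FRAME = (bytes.fromhex("001122334455") + bytes.fromhex("020000000003")
               + b"\x81\x00\x00\x0a" + b"\x08\x00" + b"\x45" + b"\x00" * 19)
```

Feeding the raw bytes of each frame captured on an access port (for instance from a pcap) into `check_frame` gives an empty list for normal traffic and a finding for each of the two indicators; on a legitimate trunk, pass `access_port=False` so expected DTP traffic is not reported.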