1 00:00:00,030 --> 00:00:01,110 VLAN hopping,
2 00:00:01,110 --> 00:00:03,870 or virtual local area network hopping.
3 00:00:03,870 --> 00:00:05,790 Now, a virtual local area network
4 00:00:05,790 --> 00:00:08,880 or VLAN is used to partition a broadcast domain
5 00:00:08,880 --> 00:00:11,400 and isolate it from the rest of the computer network
6 00:00:11,400 --> 00:00:12,810 at the data link layer
7 00:00:12,810 --> 00:00:15,330 or layer two of the OSI model.
8 00:00:15,330 --> 00:00:17,400 VLANs are commonly used in intranets
9 00:00:17,400 --> 00:00:18,840 and local area networks
10 00:00:18,840 --> 00:00:20,670 to increase the security of the network
11 00:00:20,670 --> 00:00:23,280 by creating segmentation between different portions
12 00:00:23,280 --> 00:00:24,930 of the larger network.
13 00:00:24,930 --> 00:00:26,430 This forces all of the traffic
14 00:00:26,430 --> 00:00:27,990 to use layer three routing to move
15 00:00:27,990 --> 00:00:29,670 between the different VLANs.
16 00:00:29,670 --> 00:00:31,650 And this gives the network defenders a chance
17 00:00:31,650 --> 00:00:34,440 to apply access control lists to the layer three switch
18 00:00:34,440 --> 00:00:36,810 or router ports that are providing the segmentation
19 00:00:36,810 --> 00:00:40,650 and filtering of the traffic between the two VLANs.
20 00:00:40,650 --> 00:00:43,530 As a network penetration tester, if you gain access
21 00:00:43,530 --> 00:00:46,680 to a user's workstation that's located in one VLAN,
22 00:00:46,680 --> 00:00:48,420 you're going to need to learn how to break out of
23 00:00:48,420 --> 00:00:51,570 that VLAN in order to gain access to other sensitive areas
24 00:00:51,570 --> 00:00:54,000 of the network that you're going to want to access.
25 00:00:54,000 --> 00:00:55,380 Things like the server VLAN
26 00:00:55,380 --> 00:00:57,995 that houses all the critical business servers, for example.
27 00:00:57,995 --> 00:01:00,810 This involves VLAN hopping.
28 00:01:00,810 --> 00:01:02,610 Now, VLAN hopping is a technique
29 00:01:02,610 --> 00:01:05,430 that exploits a misconfiguration to direct traffic
30 00:01:05,430 --> 00:01:08,730 to a different VLAN without proper authorization.
31 00:01:08,730 --> 00:01:11,340 VLAN hopping is usually accomplished using either double
32 00:01:11,340 --> 00:01:15,660 tagging, switch spoofing or a MAC table overflow attack.
33 00:01:15,660 --> 00:01:18,030 Double tagging is a method where the attacker tries
34 00:01:18,030 --> 00:01:20,730 to reach a different VLAN using vulnerabilities in the
35 00:01:20,730 --> 00:01:24,480 trunk port configuration as a form of VLAN hopping.
36 00:01:24,480 --> 00:01:26,520 This can occur when the threat actor is connected
37 00:01:26,520 --> 00:01:29,430 to an interface port on a switch using access mode
38 00:01:29,430 --> 00:01:30,480 with the same VLAN
39 00:01:30,480 --> 00:01:33,780 as the native untagged VLAN on that trunk.
40 00:01:33,780 --> 00:01:36,750 Then whenever the attacker sends a frame on the network,
41 00:01:36,750 --> 00:01:40,140 they instead send it with two 802.1Q tags,
42 00:01:40,140 --> 00:01:42,660 which is why we call this double tagging.
43 00:01:42,660 --> 00:01:45,210 The inner tag is going to contain the true destination
44 00:01:45,210 --> 00:01:48,000 that the attacker wants to reach while the outer tag is
45 00:01:48,000 --> 00:01:50,280 going to contain the native VLAN.
46 00:01:50,280 --> 00:01:52,260 The native VLAN is the one VLAN
47 00:01:52,260 --> 00:01:54,420 that normally travels across the trunk port
48 00:01:54,420 --> 00:01:56,520 without a VLAN tag by itself.
49 00:01:56,520 --> 00:01:59,550 So when the switch receives the double tagged frame,
50 00:01:59,550 --> 00:02:01,440 it's first going to remove that outer tag
51 00:02:01,440 --> 00:02:03,330 that contains the native VLAN,
52 00:02:03,330 --> 00:02:05,970 and then it's going to forward the frame to the VLAN
53 00:02:05,970 --> 00:02:09,150 of the second tag, which had the inner tag with the location
54 00:02:09,150 --> 00:02:11,718 that the attacker really wanted to get their traffic to.
55 00:02:11,718 --> 00:02:14,310 The result of this double tagging attack is
56 00:02:14,310 --> 00:02:17,040 that the attacker can now break out of the current VLAN,
57 00:02:17,040 --> 00:02:18,960 in this case, the native VLAN,
58 00:02:18,960 --> 00:02:22,020 and then migrate themselves into the destination VLAN
59 00:02:22,020 --> 00:02:24,840 resulting in a successful VLAN hop.
60 00:02:24,840 --> 00:02:27,060 Unfortunately though, for us as attackers,
61 00:02:27,060 --> 00:02:30,090 this technique is really a one-way trip for those frames
62 00:02:30,090 --> 00:02:31,500 that are being double tagged
63 00:02:31,500 --> 00:02:34,380 because the destination is not going to double tag the return
64 00:02:34,380 --> 00:02:37,320 data and send it back to us as attackers.
65 00:02:37,320 --> 00:02:41,190 Instead, the return frames are sent to the initial tag.
66 00:02:41,190 --> 00:02:43,830 Now, you may be wondering, "Why would an attacker
67 00:02:43,830 --> 00:02:46,470 or a penetration tester want to use double tagging
68 00:02:46,470 --> 00:02:49,020 to send data into a VLAN without being able
69 00:02:49,020 --> 00:02:51,240 to receive any responses back?"
70 00:02:51,240 --> 00:02:54,390 Well, usually this double tagging technique is going
71 00:02:54,390 --> 00:02:56,310 to be used as part of a blind attack
72 00:02:56,310 --> 00:02:59,850 or part of a denial of service or stress testing attack.
73 00:02:59,850 --> 00:03:03,000 A blind attack is one where commands are sent to the victim,
74 00:03:03,000 --> 00:03:05,632 but the attacker, or in our case, a pen tester, doesn't get
75 00:03:05,632 --> 00:03:07,980 to see any of the responses.
76 00:03:07,980 --> 00:03:10,140 For example, if I knew that a machine in
77 00:03:10,140 --> 00:03:12,870 that VLAN was vulnerable to a specific exploit
78 00:03:12,870 --> 00:03:15,540 that could allow me to perform a remote code execution,
79 00:03:15,540 --> 00:03:18,520 I could send the exploit into the VLAN using double tagging
80 00:03:18,520 --> 00:03:21,600 with that payload that can then establish a beacon,
81 00:03:21,600 --> 00:03:22,890 and that would call out to my command
82 00:03:22,890 --> 00:03:26,160 and control server every morning at 3:00 AM, for example.
83 00:03:26,160 --> 00:03:27,480 Now when the beacon goes out
84 00:03:27,480 --> 00:03:30,360 and connects to my server, this is going to be outside
85 00:03:30,360 --> 00:03:32,580 of the local area network, and therefore
86 00:03:32,580 --> 00:03:34,530 I can establish two-way communications with
87 00:03:34,530 --> 00:03:38,250 that device from the internal network in that other VLAN out
88 00:03:38,250 --> 00:03:41,790 to my server out in the internet and back again.
89 00:03:41,790 --> 00:03:43,230 The other reason for using this type
90 00:03:43,230 --> 00:03:45,930 of VLAN hopping is for when you don't necessarily need
91 00:03:45,930 --> 00:03:47,430 to get a response back.
92 00:03:47,430 --> 00:03:49,860 This is the case if you're doing a denial of service attack
93 00:03:49,860 --> 00:03:51,420 or a stress test.
94 00:03:51,420 --> 00:03:53,100 In a denial of service attack,
95 00:03:53,100 --> 00:03:55,230 the attacker won't need to receive a response for any
96 00:03:55,230 --> 00:03:56,580 of the data being forwarded into
97 00:03:56,580 --> 00:03:59,280 that VLAN using the double tagging technique
98 00:03:59,280 --> 00:04:01,200 because they're simply trying to flood that VLAN
99 00:04:01,200 --> 00:04:03,390 with a bunch of data as part of their attack,
100 00:04:03,390 --> 00:04:05,126 and they don't care about the response.
101 00:04:05,126 --> 00:04:08,370 To prevent a double tagging attack from being successful,
102 00:04:08,370 --> 00:04:10,410 cybersecurity professionals always need
103 00:04:10,410 --> 00:04:12,570 to ensure they change the default configuration
104 00:04:12,570 --> 00:04:16,890 of their native VLAN from VLAN ID 1 to something else.
105 00:04:16,890 --> 00:04:20,339 And also, they should never add user devices into the native
106 00:04:20,339 --> 00:04:22,680 VLAN inside of their network.
107 00:04:22,680 --> 00:04:23,790 Now, the second method
108 00:04:23,790 --> 00:04:26,340 of conducting a VLAN hopping attack is known
109 00:04:26,340 --> 00:04:27,990 as switch spoofing.
110 00:04:27,990 --> 00:04:30,270 Switch spoofing occurs when an attacker attempts
111 00:04:30,270 --> 00:04:32,220 to use the Dynamic Trunking Protocol
112 00:04:32,220 --> 00:04:36,060 or DTP to negotiate a trunk port with a switch.
113 00:04:36,060 --> 00:04:38,970 Normally, DTP negotiations are only performed
114 00:04:38,970 --> 00:04:42,300 by the switch when it initially connects to a trunk port.
115 00:04:42,300 --> 00:04:44,520 Now, by default, trunk ports are set up
116 00:04:44,520 --> 00:04:47,730 to support auto negotiation between two different switches.
117 00:04:47,730 --> 00:04:49,867 This way they can share their VLAN information,
118 00:04:49,867 --> 00:04:53,400 but if an attacker configures their attack workstation
119 00:04:53,400 --> 00:04:55,860 to look like it's a switch, they can configure it
120 00:04:55,860 --> 00:04:57,810 to be set up as dynamic auto
121 00:04:57,810 --> 00:05:01,320 or dynamic desirable when they're in switch port mode.
122 00:05:01,320 --> 00:05:03,630 Then when they connect to the trunk port,
123 00:05:03,630 --> 00:05:06,180 it's going to automatically negotiate a trunking connection
124 00:05:06,180 --> 00:05:07,680 just like a switch would.
125 00:05:07,680 --> 00:05:09,330 Now, once that trunk is established
126 00:05:09,330 --> 00:05:11,580 with the attacker's workstation by the switch,
127 00:05:11,580 --> 00:05:15,120 that attacker workstation now has access to all the VLANs
128 00:05:15,120 --> 00:05:16,254 inside of the network.
129 00:05:16,254 --> 00:05:19,170 To prevent a switch spoofing attack from being used
130 00:05:19,170 --> 00:05:21,090 during a VLAN hopping exploit,
131 00:05:21,090 --> 00:05:23,520 cybersecurity professionals should always configure their
132 00:05:23,520 --> 00:05:26,040 switch ports to have dynamic switch port modes
133 00:05:26,040 --> 00:05:27,900 disabled by default.
134 00:05:27,900 --> 00:05:30,030 This will ensure your switch doesn't support auto
135 00:05:30,030 --> 00:05:31,560 negotiation by default,
136 00:05:31,560 --> 00:05:33,749 and you can then prevent switch spoofing from allowing VLAN
137 00:05:33,749 --> 00:05:36,126 hopping to occur in your network.
138 00:05:36,126 --> 00:05:39,330 The final method of conducting VLAN hopping isn't as much
139 00:05:39,330 --> 00:05:42,060 of a technique that allows VLAN hopping as it is one
140 00:05:42,060 --> 00:05:45,060 that allows VLANs to no longer be enforced.
141 00:05:45,060 --> 00:05:47,520 Do you remember how switches maintain a CAM table
142 00:05:47,520 --> 00:05:49,800 that remembers all the MAC addresses that are being used
143 00:05:49,800 --> 00:05:51,570 by the different switch ports?
144 00:05:51,570 --> 00:05:54,433 Well, switch manufacturers built in a backup method in case
145 00:05:54,433 --> 00:05:57,180 those CAM tables became overloaded
146 00:05:57,180 --> 00:05:59,400 or they couldn't be read at a given time.
147 00:05:59,400 --> 00:06:01,650 If these CAM tables become overloaded,
148 00:06:01,650 --> 00:06:03,660 the switch will stop acting like a switch
149 00:06:03,660 --> 00:06:05,730 and essentially it will fail open
150 00:06:05,730 --> 00:06:07,680 and start to act like a hub.
151 00:06:07,680 --> 00:06:09,480 Now, just in case you don't remember the difference
152 00:06:09,480 --> 00:06:11,610 between a switch and a hub from your earlier network
153 00:06:11,610 --> 00:06:13,720 studies, a switch uses intelligence
154 00:06:13,720 --> 00:06:16,440 to only transmit frames out to the switch ports
155 00:06:16,440 --> 00:06:18,780 that are involved in a given conversation.
156 00:06:18,780 --> 00:06:21,458 A hub, on the other hand, doesn't have any intelligence,
157 00:06:21,458 --> 00:06:23,520 and so it just repeats out every frame
158 00:06:23,520 --> 00:06:26,820 it receives out every single port that's connected to it,
159 00:06:26,820 --> 00:06:28,860 and it relies on the network clients on the other end
160 00:06:28,860 --> 00:06:30,840 of those ports to ignore any frames
161 00:06:30,840 --> 00:06:32,700 that aren't addressed to them.
162 00:06:32,700 --> 00:06:35,610 So as a penetration tester, you can go ahead
163 00:06:35,610 --> 00:06:37,681 and overload the CAM table of the switch by flooding it
164 00:06:37,681 --> 00:06:40,740 with MAC addresses, which will then cause the switch
165 00:06:40,740 --> 00:06:43,590 to fail open and begin acting like a hub.
166 00:06:43,590 --> 00:06:46,020 This will start sending out all the frames it receives out
167 00:06:46,020 --> 00:06:48,000 on every port, including the port
168 00:06:48,000 --> 00:06:50,070 that you have a packet sniffer hooked up to,
169 00:06:50,070 --> 00:06:52,720 so you can read the traffic destined for other VLANs.