Close Panel




VLAN Hoping Attack

By IPSECS Admin. Posted in Exploitation | Comments Off


VLAN Hopping is an exploitation method used to attack a network with multiple VLANs. It is an attack that involves an attacking system to deploy packets. These packets have a destination of a system on a separate VLAN which would, in normal circumstances, not be accessible by the attacker. VLAN Hopping attacks are primarily conducted within the Dynamic Trunking Protocol (DTP). Often, VLAN Hopping attacks are directed at the trunking encapsulation protocol (802.1q or ISL).

Malicious traffic used for VLAN Hopping is tagged with a VLAN ID destined outside the VLAN on which the system conducting the attacks belongs to. An attacker can also attempt to behave and look like a switch, which will negotiate trunking, allowing the attacker to not only send, but receive traffic across more than one VLAN.

There are two common methods of VLAN Hopping; Switch Spoofing and Double Tagging.

Switch Spoofing

A Switch Spoofing attack is used to exploit the network by configuring a system to mimic a switch. This is not always an easy attack to perform, as it requires the attacker to be able to emulate itself as ISL or 802.1q, thus signaling with Dynamic Trunk Protocol signaling. This attack method allows a malicious user to mimic a machine as a switch with a trunking port. If the attack is successful, it then has a membership across all VLANs.

Double Tagging

Double Tagging is an attack which postulates that the attacker tags transmitted frames, with split headers, both of which as 802.1q headers. This will allow the frames to be forwarded into the wrong VLAN. Double Tagging works because the first switch that the frames reach strips the the first of the two 802.1q headers, and then forwards the frame with the second header destined for the victim VLAN. The conclusion of the stripped first 802.1q header is that the frame is forwarded with the inner header, out of all switch switch ports, and trunk ports that are configured with the native VLAN where the attacker resides. The secondary switch will then forward the stripped frame to the second VLAN identifier, thus VLAN Hopping occurs.

Attack Vector

Yersinia is a GNU/Linux framework that takes advantage of some of the weaknesses in different network protocols. It can be used for analyzing and testing deployed networks and systems. To use Yersinia for a VLAN Hopping attack, the following steps may be followed:

  1. Start Yersinia via the command line by typing: yersinia -I.
  2. Select a NIC you wish to use by pressing “i”.
  3. Set Yersinia to trunking mode:
    1. Load DTP mode by pressing the “g” key, then select DTP mode.
    2. Press the “x” button to open the attacks menu.
    3. Press “1” to enable trunking mode.
  4. Set Yersinia to 802.1q mode by pressing the “g” key and selecting 802.1Q mode.
  5. The following needs to be obtained via reconnaissance for this attack to work:
    1. Victim’s VLAN
    2. Victim’s gateway IP Address.
    3. A host in the victim’s network segment that is not alive.

The following will perform an ARP Poisoning attack to assist in man-in-the-middle attacks:

  1. Press ‘d’ to initialize default values, and then press ‘x’ to open the attack panel.
  2. Select 2; “sending 802.1Q arp poisoning”
  3. Fill in the information gathered by reconnaissance in step 5. The attack will take place.


VLAN hopping can disable any security measures users may have in place on the device which maps routes between the VLAN’s. Hackers use VLAN hopping to capture sensitive information such as bank account details and passwords from targeted network subscribers. VLAN hopping is also used by some attackers to corrupt, modify, or delete data from the end user’s computer. Another intended use of VLAN hopping is to propagate viruses, worms, Trojan horses, and other malicious programs such as malware and Spyware.


The mitigation of VLAN hopping attacks requires a number of changes to the VLAN configuration. Start by using dedicated VLAN IDs for all trunking ports on a switch, and move all interfaces out of VLAN 1. In addition, it is advisable to disable any unused switch ports and move them to a VLAN that is not being used. Explicitly disable DTP on all user ports to set them to non-trunking mode. To do this on a cisco router, use the router(config)# switchport mode access interface configuration command.

Taken From :

Email this author | All posts by | Subscribe to Entries (RSS)


» Comments are closed.