
I am broadening this unanswered question: VLAN tagging and access port

Let's assume I am trying to accomplish a Double Tagging Attack. From my understanding, the prerequisite of this attack is to be connected to an access port which has the same VLAN as the Native VLAN on the trunk ports.

As an attacker, I create a frame with two tags inside. The inner tag is the VLAN of my target and the outer tag is the tag of the Native VLAN.

So what happens when the access port sees the tagged traffic? It would make sense that it would just discard it, preventing this attack from happening. From the materials I have seen, the switch strips the VLAN tag and, since it was the native VLAN, it doesn't add a new tag on the trunk link; therefore it passes my frame with the target VLAN, effectively reaching my target.

I would understand that this can happen if I use it in combination with Switch Spoofing, creating a trunk link between my PC and the Switch (using DTP, for example). But then there is no reason to double tag, because I am on a trunk link, there is no need for modification, and I can just use my target VLAN.

Can someone clarify this for me?

  • Helping you to damage a network is explicitly off-topic here.
    – Ron Maupin
    Commented Mar 21, 2016 at 14:54
  • Oh I don't mean to damage my network, we are talking about lab scenario. I am trying to better understand the attack just to make sure I can mitigate it.
    – phandox
    Commented Mar 21, 2016 at 15:42
  • Depends on the switch and firmware. Cisco access ports drop tagged frames. (That's not necessarily true for older/buggy versions.)
    – Ricky
    Commented Mar 21, 2016 at 20:29
  • Possible duplicate of VLAN tagging and access port
    Commented Jul 3, 2016 at 13:00
  • Did any answer help you? If so, you should accept the answer so that the question doesn't keep popping up forever, looking for an answer. Alternatively, you could provide and accept your own answer.
    – Ron Maupin
    Commented Aug 13, 2017 at 19:56

1 Answer


Please check this -

The double tagging VLAN hopping attack takes advantage of the 802.1Q tagging and tag removal process of many types of switches. Many switches remove only one 802.1Q tag. In a double tagging attack, an attacker changes the original frame to add two VLAN tags: an outer tag, which is of his own VLAN, and an inner hidden tag of the victim's VLAN. Here the attacker's PC must belong to the native VLAN of the trunk link.

When the double tagged frame reaches the switch, the switch can only see the outer tag of the VLAN that the interface really belongs to.

The switch OmniSecuSW1 will now remove the outer VLAN tag and will forward the frame to all the ports belonging to the native VLAN (in this example, VLAN 1). One copy of that frame is forwarded on the trunk link to reach the next switch OmniSecuSW2.

When the frame reaches OmniSecuSW2, it will open the frame and see the second tag. OmniSecuSW2 will now assume that the frame belongs to VLAN 100, and it is forwarded to VLAN 100.

For further reference -

http://www.omnisecu.com/ccna-security/what-is-double-tagging-attack-how-to-prevent-double-tagging-attack.php
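As an added illustration (not code from the question, the answer or the omnisecu article), here is a small Python parser of the kind a monitoring sensor fed from a mirrored port could use to spot the frame shape the answer describes: it walks the 802.1Q tag stack of a raw Ethernet frame and flags frames carrying two tags whose outer tag equals the trunk's native VLAN. The frame bytes, MAC addresses and native VLAN 1 are constructed for the demonstration.

```python
import struct

TPID_8021Q = 0x8100  # Ethertype value that marks an 802.1Q tag


def vlan_stack(frame: bytes) -> list:
    """Return the 802.1Q VLAN IDs stacked after the MAC header, outermost first.

    Each tag is 4 bytes: TPID 0x8100 followed by the TCI, whose low 12 bits are
    the VLAN ID. The walk stops at the first Ethertype that is not a tag.
    """
    offset = 12  # skip destination and source MAC
    vids = []
    while len(frame) >= offset + 4:
        ethertype, tci = struct.unpack_from("!HH", frame, offset)
        if ethertype != TPID_8021Q:
            break
        vids.append(tci & 0x0FFF)
        offset += 4
    return vids


def is_double_tag_candidate(frame: bytes, native_vlan: int) -> bool:
    """True for a frame with two or more tags whose outer tag is the native VLAN.

    That is the shape a double-tagged frame has when it enters the first switch;
    seeing it on a mirrored access port shows the precondition from the answer
    (sender sitting in the native VLAN) is met and the port should be checked.
    """
    vids = vlan_stack(frame)
    return len(vids) >= 2 and vids[0] == native_vlan


def build_frame(vids, payload=b"\x00" * 46) -> bytes:
    """Constructed test frame: dummy MACs, the given tag stack, then IPv4 Ethertype."""
    hdr = b"\xff" * 6 + b"\x02\x00\x00\x00\x00\x01"  # constructed broadcast dst, locally administered src
    for vid in vids:
        hdr += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)
    return hdr + struct.pack("!H", 0x0800) + payload


if __name__ == "__main__":
    native = 1  # constructed value: native VLAN of the trunk in the answer's example
    double_tagged = build_frame([native, 100])  # outer = native, inner = VLAN 100
    single_tagged = build_frame([100])
    print(vlan_stack(double_tagged), is_double_tag_candidate(double_tagged, native))
    print(vlan_stack(single_tagged), is_double_tag_candidate(single_tagged, native))
```

A single tag, or an outer tag that differs from the native VLAN, is not flagged, which matches the answer's point that the attack only works from the native VLAN.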
