VLAN Hopping Anomaly

Hello, I have read many docs about this attack, but there are many contradictions.

I know that this exploit exists in 2 ways:

Basic => The attacker spoofs a switch and gains the trunked state of the switch's port. It relies on the auto-negotiate feature being turned ON. This way is simple to understand.

******************************************************************

Complex 1 => This attack is described on
formatting link
and, to work, needs the attacker and the trunk to share the same native VLAN (e.g. VLAN 10). In this doc, the attacker sends on the access port (VLAN 10) a tagged frame with the VLAN-ID of the target VLAN (e.g. VLAN 20). The switch takes the frame and forwards it on the trunk port without the native tag (10). The other switch reads the VLAN-ID (20) and forwards the frame on the access VLAN 20. In this scenario my doubts are:

1) Why does the first SW accept the tagged frame but not read the tags? Is this behavior an anomaly?

2) Why does the last switch, which receives the native frame on the trunk port, read the VLAN-ID? Is this normal or an anomaly? I think that the SW doesn't read the VLAN-ID because the frame on the trunk is native.

******************************************************************

Complex 2 => In other docs, for example:

formatting link
there is an attack called "Double-Encapsulated 802.1Q". In this exploit the conditions are similar to the preceding one, but the attacker needs to insert two VLAN-IDs (outer, inner). If this case works, then:

1) The first switch reads the VLAN-ID on the access port and forwards the frame on the trunk (stripping off the first VLAN-ID). This behavior is different from the preceding case. Why does the switch forward this frame according to the VLAN-ID on the access port? Is this behavior another anomaly?

******************************************************************

Sorry about the length of the post.

Thanks

Giuseppe Citerna ccie#1053


Reply to
Jos_Cit
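
Added example, not part of the original posts: a defender-side Python check that counts the stacked 802.1Q tags on a frame received on an access port, covering both the single-tag case (Complex 1) and the double-tag case (Complex 2) asked about above. The sample frames, MAC addresses and function names are constructed for illustration; VLANs 10 and 20 are the ones used in the post.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tag

# Constructed sample frames (not captures): dst MAC, src MAC, tags, IPv4 EtherType, padding.
_MACS = bytes.fromhex("020000000002" "020000000001")
_REST = bytes.fromhex("0800") + bytes(46)
UNTAGGED = _MACS + _REST
SINGLE_TAG = _MACS + bytes.fromhex("81000014") + _REST             # VLAN 20
DOUBLE_TAG = _MACS + bytes.fromhex("8100000a" "81000014") + _REST  # outer 10, inner 20


def vlan_tags(frame: bytes) -> list:
    """Return the VLAN IDs of the stacked 802.1Q tags, outermost first."""
    tags, offset = [], 12  # tags start right after the two 6-byte MAC addresses
    while len(frame) >= offset + 4:
        tpid, tci = struct.unpack_from("!HH", frame, offset)
        if tpid != TPID_8021Q:
            break
        tags.append(tci & 0x0FFF)  # VLAN ID is the low 12 bits of the TCI
        offset += 4
    return tags


def check_access_port_frame(frame: bytes, trunk_native_vlan: int) -> str:
    """Classify a frame seen on an access port, where hosts should send untagged."""
    tags = vlan_tags(frame)
    if not tags:
        return "ok: untagged"
    if len(tags) == 1:
        return f"alert: tagged frame for VLAN {tags[0]} on access port"
    if tags[0] == trunk_native_vlan:
        # Outer tag equals the trunk's native VLAN: it would leave the trunk
        # untagged, exposing the inner tag to the next switch.
        return f"alert: double tag, outer {tags[0]} is native VLAN, inner {tags[1]}"
    return f"alert: double tag, outer {tags[0]}, inner {tags[1]}"


if __name__ == "__main__":
    for name, frame in [("untagged", UNTAGGED), ("single", SINGLE_TAG), ("double", DOUBLE_TAG)]:
        print(name, "->", check_access_port_frame(frame, trunk_native_vlan=10))
```
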

Hi Giuseppe,

You may find Cisco's VLAN Hopping Attack helpful:

formatting link
Sincerely,

Brad Reese BradReese.Com Cisco Repair Service Experts

formatting link
Hendersonville Road, Suite 17 Asheville, North Carolina USA 28803 U.S. Toll Free: 877-549-2680 International: 828-277-7272

Reply to
www.BradReese.Com

Thanks Brad, I know this paper. The doc describes the double-tagging attack. In my post I describe 3 forms of this exploit. The problem is to know the logic of the switches.

thanks Giuseppe Citerna


Reply to
Jos_Cit

Giuseppe,

Cisco hired @stake for the Research Report:

Secure Use of VLANs: An @stake Security Assessment

formatting link
and Cisco's VLAN Security and VLAN Hopping Attacks:

formatting link
Finally, Sean Convery of Cisco Systems provided the following Black Hat Presentation on VLAN Hopping:

formatting link
Sincerely,

Brad Reese SMARTnet Eligible Cisco Factory Refurbished

formatting link

Reply to
www.BradReese.Com

Thanks Brad, but I read this doc. The problem is another.

Giuseppe

Reply to
Jos_Cit

In article , Jos_Cit wrote:

:Hello, I have read many docs about this attack but there are many
:contradictions.

:I know that this exploit exists in 2 ways:

In your bay-networks posting, you listed 3 exploits instead of 2.

You have multi-posted -- posted substantially the same message to several different newsgroups. I'm not going to chase down all of the newsgroups and post answers in all of them. Go back to those newsgroups and post indicating which -one- newsgroup should receive the response. Better yet, cross-post that "I took the conversation to ZZZ" message instead of multi-posting it.

Reply to
Walter Roberson

Sorry for multi-posting, I did not know that it was not educated.

I took the conversation to comp.dcom.sys.cisco, and all replies should be sent to this newsgroup.

Giuseppe Citerna

"Walter Roberson" wrote in message news:dd5908$mor$ snipped-for-privacy@canopus.cc.umanitoba.ca...

Reply to
Jos_Cit

Hello, I tested this scenario with 2948G / 3500XL and I can hop VLANs. With the 3550, instead, I cannot. I have tested only the case with ONE dot1q encapsulation and not the dot1q-in-dot1q scenario.

But to return to my original case: why in one case (COMPLEX 1) does the first switch not read the VLAN-ID, while in COMPLEX 2 the switch reads the VLAN-ID on its access port? Are both behaviors BUGs or only the second case? In my opinion only the second case would be a bug, because on the access port the switch doesn't read the 802.1q encap. Is that right?

thanks

Giuseppe Citerna ccie#10503

"Jos_Cit" wrote in message news: snipped-for-privacy@g47g2000cwa.googlegroups.com...


Reply to
Jos_Cit

Hi Bob , you don't know me . I am a italian boy , I am a security consultant . I read , sometimes , your posts . I think that you know a little your arguments .... a little But , I think .. that you should f*ck a little .... because you are a hysteric girl ..... In italiano ... una checca isterica :)

Ciao .... scopa di più e posta di meno

Rocco

Bob Goddard wrote:

Reply to
albachiarajenny

Hi Walter ..... I think that anyone is perfect ... But Jos_Cit, although posting his messages by multiposting, is a correct person, and the word stupid is the real wrong! Best regards

Rocco

Reply to
albachiarajenny

[...]

Congratulations, you have just made yourself the laughing stock of usenet.

Reply to
Bob Goddard

Hi Walter,

with this phrase

you have demonstrated arrogance and aggressiveness. I think that you must reflect on this phrase and be more educated.

Giuseppe Citerna

"Walter Roberson" wrote in message news:dd5908$mor$ snipped-for-privacy@canopus.cc.umanitoba.ca...

Reply to
Jos_Cit

What does your post mean?

thanks Giuseppe Citerna

Reply to
Jos_Cit

In article , Jos_Cit wrote:

:Hi Walter,
:with this phrase

:> "[...] it's all part of one's right to be publicly stupid." -- Dave Smey

:you have demonstrated arrogance and aggressiveness.

Giuseppe, it is part of my file of quotations; each of my postings has one added on randomly. I don't find out which one until I read the finished posting. The line is not specifically directed at you.

:I think that you must
:reflect on this phrase and be more educated.

The quotation is a reminder, counseling patience with other posters, as the "free marketplace of ideas" includes the right to express ideas in ways that might at first seem odd, argumentative, or even stupid. As my ideas might seem the same way to others, the quote is a reminder to myself as well, that any courtesies that I expect to be extended to myself, I must be prepared to extend to others.

The quotation suggests, by its reference to the choice of wording as a "right", that before attacking others, one should pause and mentally recognize their humanity (or canineity ;-) ) and review one's initial reaction to their posting, seeking a deeper understanding before replying.

Reply to
Walter Roberson

Ok Walter, excuse us if we don't understand that your application generates automatic strings. But I say to you that if: the "free marketplace of ideas" includes the right to express ideas, the same right is for Jos ... first .... second, is the idea your idea or an idea of your application? Because if it isn't your idea, as you say, the only thing to do is to say: Excuse me if my application is stupid ....

Bye

Rocco

Reply to
albachiarajenny

In article , security_123@ wrote:

:Ok Walter, excuse us if we don't understand that your application
:generates automatic strings.

Well, it would have been obvious to anyone with Usenet experience who'd been reading the newsgroup for more than about a day. I'm averaging about 6 posts to the newsgroup per day; I'm past the 4500 posting mark for this newsgroup alone. No-one sustains that kind of output and -hand- picks a different random signature for every posting.

:But I say to you that if:
:the "free marketplace of ideas" includes the right to express ideas
:The same right is for Jos ...

The free marketplace of ideas does not include the right to demand that other people listen and respond. People are thus free to say "I am going to ignore you unless you post in this particular format." Whether the poster agrees to use that format or not would depend upon the potential value of the answers that would be lost by not agreeing.

It happens that the people most likely to be annoyed by multiposting (posting the same question to several newsgroups) are the "old-timers" who have been around for a long time and answer a lot of questions. So it is usually a good idea to avoid multiposting, as it tends to result in your questions being ignored by the people who are most likely to know the answer and take the time to write out the answer.

Jos could have ignored my advice, but then I would have ignored Jos...

:second
:is the idea your idea or an idea of your application?

I selected the quotation and added it in to the configuration file, if that is what you mean. I do not, though, select the particular quotation that gets attached to any one posting.

:Because if it isn't your idea, as you say, the only thing to do is
:to say:
:Excuse me if my application is stupid ....

I have evidence that the application's random number generator is biased in practice, but I suspect that is not what you mean by "the application is stupid".

The application -is- stupid in that it does not have any artificial intelligence to read the posting and select the quotation that would be most appropriate.

Do I apologize for having selected that quotation as one of the possibilities? No. I have been using electronic mass communication systems for more than 20 years, and the quotation aptly summarizes a lot of what has happened over the years.

Reply to
Walter Roberson
