Notes
- Before applying all the mitigation techniques we should make sure that the switch itself is secure; otherwise the attacker will access the switch and turn off all these mitigations.
- Most of the network management protocols we know and love are insecure (syslog, SNMP, TFTP, Telnet, FTP, etc.).
- Consider secure variants of these protocols as they become available (SSH, SCP, SSL, OTP, etc.).
- Notice that some Layer 2 attacks are both Layer 2 and Layer 3 attacks, like ARP attacks and DHCP attacks.
Layer 2
- On a switch, a port is either configured as an access port or a trunking port.
- An access port is typically used when connecting a host to a switch. With the implementation of VLANs, each access port is assigned to only one VLAN.
- A trunking port is used when connecting two switches or a switch and a router together.
- Trunking ports allow for traffic from multiple VLANs. A trunk port can be configured manually or created dynamically using Dynamic Trunking Protocol (DTP).
VLAN Attacks
2 Primary methods of VLAN Hopping:
1. Switched Spoofing
- An attacker acts as a switch in order to trick a legitimate switch into creating a trunking link between them.
- As mentioned before, packets from any VLAN are allowed to pass through a trunking link. Once the trunk link is established, the attacker then has access to traffic from any VLAN.
- This exploit is only successful when the legitimate switch is configured to negotiate a trunk. This occurs when an interface is configured with either dynamic desirable, dynamic auto or trunk mode.
- If the target switch has one of those modes configured, the attacker can then generate a DTP message from their computer and a trunk link can be formed.
- This link shows the VLAN attacks with Yersinia: VLAN Hopping and Mitigation
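As an added example (not from these notes), the check below audits an IOS-style running-config for ports still left in one of the negotiating modes just listed. The config text is a constructed sample, and the note that an unconfigured Catalyst port defaults to dynamic auto is an assumption about platform defaults.

```python
# Constructed sample of an IOS-style running-config; not taken from any real device.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 10
!
interface GigabitEthernet0/2
 switchport mode dynamic desirable
!
interface GigabitEthernet0/3
 switchport mode trunk
 switchport nonegotiate
!
interface GigabitEthernet0/4
 switchport mode trunk
!
interface GigabitEthernet0/5
 description host port left at defaults
!
"""

# Modes in which the switch will answer a DTP message by forming a trunk.
NEGOTIATING_MODES = {"dynamic desirable", "dynamic auto", "trunk"}

def parse_interfaces(config):
    """Return {interface name: [its indented config lines]} from IOS-style text."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line == "!":
            current = None
        elif current is not None and line:
            interfaces[current].append(line)
    return interfaces

def audit_dtp(config):
    """List (interface, reason) pairs for ports where a DTP message could form a trunk."""
    findings = []
    for name, lines in parse_interfaces(config).items():
        mode = next((l[len("switchport mode "):] for l in lines
                     if l.startswith("switchport mode ")), None)
        if mode is None:   # assumption: Catalyst default mode is dynamic auto
            findings.append((name, "no explicit switchport mode; default is dynamic auto"))
        elif mode in NEGOTIATING_MODES and "switchport nonegotiate" not in lines:
            findings.append((name, f"mode '{mode}' without 'switchport nonegotiate'"))
    return findings
```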
Mitigation
- Switch spoofing can only be exploited when interfaces are set to negotiate a trunk. To prevent this attack on Cisco IOS, use one of the following methods:
  - Ensure that ports are not set to negotiate trunks automatically by disabling DTP:
    Switch(config-if)# switchport nonegotiate
  - Ensure that ports that are not meant to be trunks are explicitly configured as access ports:
    Switch(config-if)# switchport mode access
2. Double Tagging
- In a double tagging attack, an attacker connected to an 802.1Q-enabled port prepends two VLAN tags to a frame that it transmits. The frame (externally tagged with the VLAN ID that the attacker's port is really a member of) is forwarded without the first tag because it is the native VLAN of a trunk interface. The second tag is then visible to the second switch that the frame encounters. This second VLAN tag indicates that the frame is destined for a target host on a second switch. The frame is then sent to the target host as though it originated on the target VLAN, effectively bypassing the network mechanisms that logically isolate VLANs from one another. However, possible replies are not forwarded to the attacking host (unidirectional flow).
Example:
- If the attacker is on a VLAN 20 port on a switch and VLAN 20 is the native VLAN for the trunk link between the 2 switches, then the attacker can inject another VLAN tag right after its original VLAN tag, so the frame looks something like this:
  VLAN20 TAG || TARGET VLAN TAG || The rest of the frame
- When this frame reaches the switch, the switch will find that it came from a VLAN 20 port and that VLAN 20 is the native VLAN for the trunk link it wants to go through, so the switch will remove the VLAN20 tag (because native VLAN traffic moves through trunking links untagged). When the frame reaches the switch on the other side, that switch will see the victim VLAN tag that was injected earlier in the frame, so it will send it out to all ports of that VLAN.
- This link shows the VLAN attacks with Scapy: VLAN Hopping and Mitigation
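Added example, not part of the original notes: a parser for the 802.1Q tag stack that recognises the VLAN20 TAG || TARGET VLAN TAG layout above, usable as a detection check on frames captured on the access side of the trunk. The frames and MAC addresses are constructed locally for the example.

```python
import struct

TPID_8021Q = 0x8100   # IEEE 802.1Q customer tag
TPID_8021AD = 0x88A8  # IEEE 802.1ad service tag (QinQ outer tag)

def build_frame(dst, src, vids, ethertype=0x0800, payload=b"\x00" * 46):
    """Constructed test helper: Ethernet frame carrying one 802.1Q tag per VID, in order."""
    hdr = dst + src
    for vid in vids:
        hdr += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)   # PCP=0, DEI=0, VID
    return hdr + struct.pack("!H", ethertype) + payload

def parse_vlan_tags(frame):
    """Return (dst, src, [vids...], ethertype) for a frame with zero or more 802.1Q tags."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src, off, vids = frame[:6], frame[6:12], 12, []
    while True:
        if off + 2 > len(frame):
            raise ValueError("frame ends inside the tag stack")
        (tpid,) = struct.unpack_from("!H", frame, off)
        if tpid not in (TPID_8021Q, TPID_8021AD):
            return dst, src, vids, tpid            # first non-tag value is the EtherType
        if off + 4 > len(frame):
            raise ValueError("truncated 802.1Q tag")
        (tci,) = struct.unpack_from("!H", frame, off + 2)
        vids.append(tci & 0x0FFF)                  # low 12 bits of the TCI are the VID
        off += 4

def is_double_tag_hop(frame, native_vlan):
    """Flag the layout from the notes: outer tag == native VLAN of the trunk and an
    inner tag present. Apply it to frames seen on the access side (e.g. a SPAN of the
    access port); on the trunk itself the outer tag has already been stripped."""
    _, _, vids, _ = parse_vlan_tags(frame)
    return len(vids) >= 2 and vids[0] == native_vlan

# Constructed sample frames; the MAC addresses are made-up locally administered ones.
HOST_A = bytes.fromhex("0200000000aa")
HOST_B = bytes.fromhex("0200000000bb")
NORMAL_FRAME = build_frame(HOST_B, HOST_A, [20])        # ordinary VLAN 20 frame
DOUBLE_TAGGED = build_frame(HOST_B, HOST_A, [20, 30])   # VLAN 20 outer, VLAN 30 inner
```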
Mitigation
- Double Tagging can only be exploited on switch ports configured to use native VLANs. Trunk ports configured with a native VLAN don't apply a VLAN tag when sending these frames. This allows an attacker's fake VLAN tag to be read by the next switch.
- Double Tagging can be mitigated by any of the following actions (incl. IOS examples):
  - Simply do not put any hosts on VLAN 1 (the default VLAN), i.e., assign an access VLAN other than VLAN 1 to every access port:
    Switch(config-if)# switchport access vlan 2
  - Change the native VLAN on all trunk ports to an unused VLAN ID:
    Switch(config-if)# switchport trunk native vlan 999
  - Explicitly tag the native VLAN on all trunk ports. This must be configured on all switches throughout the network:
    Switch(config)# vlan dot1q tag native
MAC Attacks
- CAM table overflow
  - A switch learns MAC addresses in 2 ways:
    - Manually
    - Dynamically: when a frame comes into the switch, it learns from the frame's source MAC that this MAC is on this port.
  - The MAC address lives in the MAC table with an aging time that can be configured.
  - Aging time ranges from 10 to 1,000,000 seconds with a default of 300 seconds (five minutes).
  - Smart Notes:
    - Switches don't have MAC addresses generally; they work at a level below them (although they do know what the MAC addresses of the devices connected to them are).
    - Only some newer switches have a MAC address, and we can find it with:
      arp -a
    - Install the lldp package on Linux.
  - CAM stands for "content addressable memory".
  - It's basically a MAC address table overflow.
  - This attack overflows the MAC address table so that the switch can't learn any new MACs. Since a switch floods a frame when it doesn't know the port of the destination MAC, this attack turns the switch into a hub, just flooding all the traffic it gets.
[!NOTE] This attack can be performed with the old "macof" tool, around since 1999.
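Added example (not from these notes): a simplified model of the CAM table with aging and a fixed capacity, plus the per-port limit and the three violation modes that the Mitigation section below describes, so the switch-to-hub effect and its mitigation can be seen on constructed input. Port numbers, MACs and the capacity of 8 are made up for the example.

```python
class CamTable:
    """Simplified switch MAC table: mac -> (port, last_seen) with an aging time,
    a fixed capacity, and an optional port-security limit per port."""

    def __init__(self, capacity, aging_time=300, max_per_port=None, violation="shutdown"):
        self.capacity, self.aging_time = capacity, aging_time
        self.max_per_port, self.violation = max_per_port, violation
        self.entries = {}        # mac -> (port, last_seen)
        self.err_disabled = set()
        self.violation_log = []  # (port, mac) reported by restrict/shutdown, not protect

    def _age_out(self, now):
        self.entries = {m: (p, t) for m, (p, t) in self.entries.items()
                        if now - t < self.aging_time}

    def learn(self, port, src_mac, now):
        """Process a frame's source MAC arriving on port; False means it was dropped."""
        self._age_out(now)
        if port in self.err_disabled:
            return False
        if self.entries.get(src_mac, (None,))[0] == port:
            self.entries[src_mac] = (port, now)       # refresh the aging timer
            return True
        if self.max_per_port is not None:
            on_port = sum(1 for p, _ in self.entries.values() if p == port)
            if on_port >= self.max_per_port:          # port-security violation
                if self.violation != "protect":       # protect drops silently
                    self.violation_log.append((port, src_mac))
                if self.violation == "shutdown":
                    self.err_disabled.add(port)       # port goes err-disabled
                return False
        if len(self.entries) >= self.capacity:        # CAM full: cannot learn
            return False
        self.entries[src_mac] = (port, now)
        return True

    def forward(self, dst_mac):
        """Egress port for dst_mac, or 'FLOOD' when it is unknown (hub behaviour)."""
        return self.entries[dst_mac][0] if dst_mac in self.entries else "FLOOD"

def cam_overflow_demo(flood_count, capacity=8, max_per_port=None):
    """Port 3 sends flood_count frames with ever-changing source MACs (constructed).
    Returns where a frame for the legitimate host on port 2 would go afterwards."""
    table = CamTable(capacity, max_per_port=max_per_port)
    table.learn(1, "00:00:00:00:00:01", now=0)
    for i in range(flood_count):
        table.learn(3, f"02:00:00:00:{i >> 8:02x}:{i & 0xff:02x}", now=1)
    table.learn(2, "00:00:00:00:00:02", now=2)   # host on port 2 talks after the flood
    return table.forward("00:00:00:00:00:02")
```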
Mitigation
Port Security
- It will allow only one MAC to access a switch port.
- The allowed MAC can be set manually on the port.
- Can use sticky to learn the MAC address of the first device that connects to the port:
  Switch(config-if)# switchport port-security mac-address sticky
- Some switches can allow more than one MAC on a switch port, configured manually (this is because of IP phones that use 2 or 3 MACs):
  Switch(config-if)# switchport port-security maximum value
- Some newer switches have the ability to allow only one MAC per VLAN on a switch port.
On Cisco equipment there are three main violation types:
- Shutdown – When a violation occurs in this mode, the switchport will be taken out of service and placed in the err-disabled state. The switchport will remain in this state until manually recovered; this is the default switchport security violation mode.
- Protect – When a violation occurs in this mode, the switchport will permit traffic from known MAC addresses to continue sending traffic while dropping traffic from unknown MAC addresses. When using this mode, no notification message is sent when this violation occurs.
- Restrict – When a violation occurs in this mode, the switchport will permit traffic from known MAC addresses to continue sending traffic while dropping traffic from unknown MAC addresses. However, unlike the protect violation type, a message is also sent indicating that a violation has occurred.
Setting the violation type:
  Switch(config-if)# switchport port-security violation {restrict | shutdown | protect}
Layer 1
- Phone Tapping: A physical attack is any attack in which you interfere with the physical channel of communication between two nodes. The simplest example of a Layer 1 attack is a phone tap: a physical device inserted into a phone line in order to eavesdrop on the conversation between two parties.
- Evil-Twin Attack (also called Evil-Twin Access-Point): In the case of wifi, a physical attack can be conducted, called the Evil Twin attack, in which the radio onboard the sheep's device (the sheep's Layer 1, hence the Layer 1 attack) is tricked into thinking that the evil twin, and its radio, are the access point. This is done by overpowering the radio signal of the true access point.