Oleg Petukhov, lawyer in the field of international law and personal data protection, information security specialist, protection of information and personal data.
Telegram channel: https://t.me/protectioninformation Telegram Group: https://t.me/informationprotection1 Website: https://legascom.ru Email: online@legascom.ru #informationprotection #informationsecurity
In this attack, an attacker tries to move data into another VLAN. As you know, switches use trunk mode to carry traffic for several virtual local area networks (VLANs) over a single link between devices. On Cisco Catalyst switches a port is, by default, fixed in neither access mode nor trunk mode; instead, the DTP protocol (Dynamic Trunking Protocol) runs on the port and negotiates its role. Obviously, with switch ports configured this way, it is enough for an attacker to pretend to be a switch: a trunk connection will be established between them, the VLANs configured on the switch will become reachable over it, and moving data into another VLAN is then not difficult.
Before describing the measures that eliminate this threat, let's discuss what problems VLAN Hopping can lead to in practice. As a rule, in most organizations the servers operate in one network segment (VLAN), the administrators' workstations in another, and ordinary users in a third. The DMZ segment should be located separately, although switches are usually not what separates it. Thus, if an attacker who is in the user segment can penetrate the administrators' VLAN, he can try to attack the administrators' machines or listen to their traffic for unencrypted passwords and other confidential information.
Now let's move on to the appropriate switch configuration. First, force every interface that is in use into access mode or trunk mode, as appropriate, so that its role is no longer negotiated. Unused ports must be shut down and moved to a VLAN that exists nowhere else and is known only to this switch, meaning it is not carried over trunk ports to other switches.
For those who want to experiment with this type of attack, I recommend the PackETH utility, which allows you to construct a packet starting from the second (data link) layer of the OSI model.
Run the following commands on the switch.
Switch# conf t
Switch(config)# int f0/1
Switch(config-if)# switchport mode access
Switch(config-if)# exit
Switch(config)# vlan 999
Switch(config-vlan)# name Unconnected
Switch(config-vlan)# exit
Switch(config)# int range f0/12-24
Switch(config-if-range)# switchport access vlan 999
Switch(config-if-range)# shut
The first line enters global configuration mode. The second enters the configuration of port f0/1, and the third forces it into access mode. After that, we create the VLAN and give it a name. Finally, we move all remaining ports into the new VLAN and forcibly shut them down.
The settings described above allow you to resist VLAN Hopping attacks.
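As an added example (not code from the original post), here is a Python audit that applies the two rules above to a constructed "show running-config" excerpt: every active port must carry an explicit access or trunk mode, and every unused port must be both shut down and placed in the parking VLAN. The interface names, VLAN numbers and the PARKING_VLAN constant are assumptions made for the sample.

```python
# Constructed excerpt of a Cisco IOS "show running-config" (sample data, not a real device).
SAMPLE_CONFIG = """interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
!
interface FastEthernet0/2
 switchport mode trunk
!
interface FastEthernet0/3
 switchport access vlan 20
!
interface FastEthernet0/12
 switchport access vlan 999
!
interface FastEthernet0/13
 shutdown
!
"""
PARKING_VLAN = "999"  # the unused, non-trunked VLAN from the article's example (assumed value)

def parse_interfaces(config):  # -> {interface name: [stripped sub-commands]}
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())
        else:
            current = None  # '!' or any other top-level line ends the block
    return blocks

def audit(config, parking_vlan=PARKING_VLAN):  # -> {interface name: [problems]}
    findings = {}
    for name, cmds in parse_interfaces(config).items():
        mode = next((c.split()[-1] for c in cmds if c.startswith("switchport mode ")), None)
        vlan = next((c.split()[-1] for c in cmds if c.startswith("switchport access vlan ")), None)
        shut = "shutdown" in cmds
        problems = []
        if not shut and mode not in ("access", "trunk"):
            problems.append("no explicit mode: DTP negotiation still active")
        if shut and vlan != parking_vlan:
            problems.append("unused port not placed in parking VLAN " + parking_vlan)
        if vlan == parking_vlan and not shut:
            problems.append("port in parking VLAN but not shut down")
        if problems:
            findings[name] = problems
    return findings
```

Run it against a real configuration export with audit(open("running-config.txt").read()); an empty result means every port satisfies the two rules.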