They said this doesn't work 🤣 Hacking networks with VLAN hopping and Python

  • Published: 21 Oct 2024

Comments • 295

  • @user-iu2lz1iu9r
    @user-iu2lz1iu9r 2 years ago +121

    I got into programming all because of your videos Mr. David. Thankfully with the help of your networking/programming courses on both youtube and udemy my life has drastically changed and I have landed a great job. I have been told by other workers that I am a genius (all credit goes to you!) and they always come to me for help even though I've only been employed for a year. Happiest birthday Mr. David and I wish you and your family a very healthy and peaceful life. Thank you for everything!

    • @davidbombal
      @davidbombal 2 years ago +19

      That's fantastic! Well done! You did the hard work, so well done :)

    • @mtnsolutions
      @mtnsolutions 2 years ago

      I’m on the path to CCNA based off the same videos. Would love to know more about the job you landed. What was your background before; mine is teaching and I have no official professional IT experience, but that doesn’t mean they don’t all come running to me for help at the office when anything tech related needs support

    • @ryanziller220
      @ryanziller220 10 months ago

      @@davidbombal Hopefully, you respond. Are you saying that physically tapping the line is necessary? If so, does that not add another node to change the topology of the network? The additional node being the Trunk. Also, would this be a kind of MitM?

  • @davidbombal
    @davidbombal 2 years ago +4

    Don't believe what you read online. VLAN hopping is possible and I'm going to show you how :) I'll also show you how to mitigate these types of attacks.
    Boson Bombal 8 Weeks to CCNA: davidbombal.wiki/bosonbombal
    // MENU //
    00:00 ▶ Messing With The Network
    00:51 ▶ Intro to VLAN Hopping
    01:20 ▶ VLAN Test Setup
    2:35 ▶ Starting Wireshark Captures//Filtering for ICMP
    3:30 ▶ Python Script Explained
    4:13 ▶ Windows 11 Network Setup
    4:52 ▶ VLAN Configuration Diagram
    5:02 ▶ Python Script Explained Continued
    5:17 ▶ Test 01 - Running the script in Kali Linux
    5:51 ▶ Examining ICMP Packets in Wireshark
    6:46 ▶ Examining Network Setup with PuTTY
    8:29 ▶ Why the script doesn't work
    8:44 ▶ Test 02 - One More Time
    9:30 ▶ How to make it work
    10:21 ▶ Test 03 - Running the modified script
    10:40 ▶ The Trick Step by Step
    11:31 ▶ Test 04 - I'll Do That Again
    12:46 ▶ Test 05 - Let's Try That Again
    15:44 ▶ How To Mitigate VLAN Hopping
    17:26 ▶ Test 06 - After Implementing Mitigation
    18:09 ▶ Don't Use VLAN 1
    18:22 ▶ Changing the Native VLAN
    19:22 ▶ Test 07 - After Changing Native VLAN
    19:45 ▶ Test 08 - After Changing Native VLAN
    19:58 ▶ Again, Don't Use VLAN 1!
    21:00 ▶ Looking At The Modified Python Script
    21:55 ▶ Changing the Python Script to Target New VLAN Config
    23:04 ▶ Stacking Multiple Packets
    // TAP used //
    Dualcomm ETAP-2003 10/100/1000Base-T TAP: amzn.to/3we7mGI
    // Script //
    Github: github.com/davidbombal/scapy/blob/main/vlan-hopping.py
    // Previous videos //
    Previous video: ruclips.net/video/CIWD9fYmDig/видео.html
    Playlist: davidbombal.wiki/scapy
    // SCAPY RESOURCES //
    Website: scapy.net/
    Documentation: scapy.readthedocs.io/en/latest/
    // SCAPY INSTALLATION //
    sudo apt update
    sudo apt install python3-pip
    sudo pip3 install scapy
    // David's SOCIAL //
    Discord: discord.com/invite/usKSyzb
    Twitter: twitter.com/davidbombal
    Instagram: instagram.com/davidbombal
    LinkedIn: www.linkedin.com/in/davidbombal
    Facebook: facebook.com/davidbombal.co
    TikTok: tiktok.com/@davidbombal
    RUclips: ruclips.net/user/davidbombal
    // SPONSORS //
    Interested in sponsoring my videos? Reach out to my team here: sponsors@davidbombal.com
    Disclaimer: This video is for educational purposes only. I own all equipment used for this demonstration. No actual attack took place on any websites.
    Please note that links listed may be affiliate links and provide me with a small percentage/kickback should you use them to purchase any of the items listed or recommended. Thank you for supporting me and this channel!

  • @ancestrall794
    @ancestrall794 2 years ago +39

    That's some next level content right there. Now when someone tells me that Python is a kid's language, I'll tell them "Did you know that you can VLAN hop with just a few lines of code?"

    • @kebman
      @kebman 2 years ago +1

      Python is an awesome language that can be used for both hacking and science.

    • @xtheory
      @xtheory 6 months ago

      Not to mention that it’s also the language of choice for machine learning applications.

    • @eatbreakfasts7993
      @eatbreakfasts7993 6 months ago

      If someone tells you Python is a kids language, they do not know what they're talking about.

    • @domainmojo2162
      @domainmojo2162 2 months ago

      You can do that with basically any other language. Remember these exploits have been around for yonks, way before Python and such.
      H3ck, you can do this easy with Perl.

  • @billw366
    @billw366 10 months ago

    Sir, I've pointed out your channel in weekly discussions from our Associate degree in cyber security program at Lackawanna College in Pennsylvania. First term, second year, this video fits our content 100%. Absolutely amazing, thank you for this and all your fine content.

  • @Richard-fk7gy
    @Richard-fk7gy 2 years ago +14

    Hi David Bombal, thanks for the really interesting video.
    In summary for others and in conclusion:
    On trunk ports the 802.1Q VLAN tag is removed by the transferring switch if the frame is tagged with the same VLAN ID as the configured native VLAN for the trunk port (VLAN 1 by default), and you're able to hop the VLAN as long as you know the VLAN ID on the access port and the same VLAN ID is used for access ports and as the native VLAN for trunk ports.
    So far, so known.... But...
    The firmware version of your switch seems to mitigate the known risk and removed the first two 802.1Q tags when sending out to the other switch, but not a third one, and so the hopping was still possible if you add 3 tags to the frame. The big question is, why did the switch not remove the third one.... maybe because of compatibility with Q-in-Q? It would be interesting whether the firmware of other models or vendors behaves in the same way.

    • @ole-martinbroz8590
      @ole-martinbroz8590 2 years ago +3

      Solutions are pretty simple: use a bogus VLAN ID not used for anything as the native VLAN trunk ID, and never have anything in access for it.
      Unfortunately these rules have existed forever and are not followed....
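The thread above describes the mechanism (a tag stack whose outer tag matches the trunk's native VLAN gets stripped, exposing the next tag) and the mitigation (a native VLAN used nowhere else). The following is an added example, not code from the video or its GitHub script: a pure-Python parser that walks the 802.1Q tag stack of raw Ethernet frames, as a monitor sitting on the TAP from the video would, flags any stacked-tag frame, and reports which VLAN the frame would land in once the native-VLAN tags are peeled off. The MAC addresses, sample frames and the `exposed_vlan` model (peel every leading native tag; the video shows how many a given firmware actually strips varies) are assumptions made for the example.

```python
"""Detect stacked 802.1Q tags (double/triple tagging) in raw Ethernet frames.

Added example for this comment thread. Sample frames are constructed in
memory; nothing is sent on the wire.
"""
import struct

TPID_8021Q = 0x8100    # 802.1Q customer tag (C-TAG)
TPID_8021AD = 0x88A8   # 802.1ad service tag (S-TAG), used by QinQ
ETHERTYPE_IPV4 = 0x0800

# Constructed MAC addresses for the sample frames (assumption, not from the video).
DST_MAC = bytes.fromhex("020000000002")
SRC_MAC = bytes.fromhex("020000000001")


def build_frame(vlans, payload=b"\x45" + b"\x00" * 19):
    """Build a raw Ethernet II frame carrying the given 802.1Q tag stack.

    Only used here to construct sample input for the detector below.
    """
    frame = DST_MAC + SRC_MAC
    for vid in vlans:
        frame += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)  # PCP=0, DEI=0
    return frame + struct.pack("!H", ETHERTYPE_IPV4) + payload


def parse_tags(frame):
    """Return (vlan_ids, inner_ethertype) for a raw Ethernet II frame.

    Walks every 802.1Q/802.1ad tag after the 12-byte MAC header, so a
    triple-tagged frame yields three VLAN IDs in outer-to-inner order.
    """
    offset = 12
    vlans = []
    while True:
        if len(frame) < offset + 2:
            raise ValueError("truncated EtherType")
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        if ethertype not in (TPID_8021Q, TPID_8021AD):
            return vlans, ethertype
        if len(frame) < offset + 4:
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        vlans.append(tci & 0x0FFF)  # low 12 bits of the TCI are the VLAN ID
        offset += 4


def exposed_vlan(vlans, native_vlan):
    """VLAN the frame is tagged for once every leading native-VLAN tag is
    peeled off (assumed model of the trunk stripping its native tag).
    None when no tag remains."""
    inner = list(vlans)
    while inner and inner[0] == native_vlan:
        inner.pop(0)
    return inner[0] if inner else None


def classify(frame, native_vlan=1):
    """Describe one frame from the defender's point of view.

    More than one tag on a host-facing port is the double/triple-tagging
    signature regardless of switch config; 'native_outer' tells you whether
    the current native VLAN makes that stack useful to the sender.
    """
    vlans, ethertype = parse_tags(frame)
    stacked = len(vlans) > 1
    return {
        "vlans": vlans,
        "ethertype": ethertype,
        "stacked": stacked,
        "native_outer": bool(vlans) and vlans[0] == native_vlan,
        "exposed_vlan": exposed_vlan(vlans, native_vlan),
        "suspicious": stacked,  # any stacked tag from an end host is a finding
    }


def scan(frames, native_vlan=1):
    """Return the indexes of captured frames that carry stacked tags."""
    return [i for i, f in enumerate(frames)
            if classify(f, native_vlan)["suspicious"]]


# Constructed sample capture: untagged, single-tagged (VLAN 2), double-tagged
# with the outer tag on native VLAN 1, and the three-tag stack from the video.
SAMPLE_FRAMES = [
    build_frame([]),
    build_frame([2]),
    build_frame([1, 3]),
    build_frame([1, 1, 3]),
]

if __name__ == "__main__":
    for i in scan(SAMPLE_FRAMES):
        print(i, classify(SAMPLE_FRAMES[i], native_vlan=1))
        print(i, classify(SAMPLE_FRAMES[i], native_vlan=999))
```

Running `classify` on the same stacked frame with `native_vlan=999` shows the mitigation effect: the frame is still flagged, but the outer tag no longer matches the native VLAN, so the inner VLAN 3 is not the one exposed.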

  • @richardhindman6114
    @richardhindman6114 2 years ago +7

    Happy Birthday David!

  • @maurijn8568
    @maurijn8568 2 years ago +20

    Really fascinating! Amazing that this kind of content is free to watch.

    • @davidbombal
      @davidbombal 2 years ago +2

      Thank you Maurijn! Glad you enjoyed the video :)

  • @samiirai
    @samiirai 2 years ago +1

    This is the only tech guy on YouTube who actually looks trustworthy, imma subscribe and see if I'm right.

  • @modousowe1414
    @modousowe1414 2 years ago +1

    David Bombal, you are one of the best lecturers I have had. Thank u so much and God bless you.

  • @arghyl
    @arghyl 2 years ago +9

    David, what an awesome video. I have a couple of Cisco switches lying around that I will definitely try this on. Thank you for such great content!

    • @davidbombal
      @davidbombal 2 years ago +1

      Glad you enjoyed the video!

  • @gilbertohernandez9223
    @gilbertohernandez9223 2 years ago +1

    Simply amazing work Mr. Bombal!

  • @rnel2557
    @rnel2557 1 year ago +1

    Great content. I learned to remove all access interfaces from VLAN 1 in 2001. If you change the native VLAN and start adding new switches or VLAN-aware (VMware) devices, you are going to get flooded with native VLAN error messages.
    Simply never use VLAN 1 for anything except what it was intended for.

    • @MR-vj8dn
      @MR-vj8dn 1 year ago

      And what is it intended for?

  • @djdawso
    @djdawso 2 years ago +2

    Nicely done Mr. Bombal! It's great that you emphasize the value in playing with the different options to help learn how things really work. I used to do this in our work lab many, many years ago when I was studying for my CCIE, but we didn't have all the tools that exist today. Even so, trying several different configuration options and then paying attention to how things break and what the different "show" and "debug" commands report is a great way to sharpen one's troubleshooting skills.

  • @OneMarcFifty
    @OneMarcFifty 2 years ago +2

    Hi David! Nicely done ;-) Should remind us that we should a) never assume that everyone/everything that is using our infrastructure behaves well and b) that we should spend the time to understand and configure our network properly. Many thanks for the thorough analysis!

    • @examen1996
      @examen1996 2 years ago +1

      Fancy seeing you here :))

    • @OneMarcFifty
      @OneMarcFifty 2 years ago

      @@examen1996 yes, it's a small world ;-)

  • @shmayazuggot8558
    @shmayazuggot8558 2 years ago +1

    Excellent content David! Also, a more rigid security measure is to set up VLAN access rule(s) on the ports the PCs are connected to and on the VLAN trunk, to only allow certain VLANs to traverse. I.e. the Kali switch should have switchport access allowed vlan 2.

  • @theragingnoodle9392
    @theragingnoodle9392 2 years ago +2

    @David Bombal : This attack means that you know the VLAN which you want to hop onto.
    In your last example we can see that if you know the VLANs, you can hop even if VLAN 1 is not used.
    So the big problem is more about why Cisco allows these forged packets, and about being careful that information on the architecture is not leaked.

  • @Zambiziify
    @Zambiziify 2 years ago

    Exactly. Don't let anybody tell you things are not possible; try, try and try again (for yourself) to see if it truly is impossible to do. As you just demonstrated, it takes time and a certain amount of grit to do what we do. It's part of the fun and the mental exercise we put ourselves through in order to find the answers to the problems we want to "test" ;)
    Nice work mate.. Keep up the great content you're putting out. It's refreshing to see this kind of information available to the general public via your channel! Keep it up!

  • @cyberfactory
    @cyberfactory 2 years ago +1

    Happy birthday Mr. David. You are the man who inspires us daily with your quality content. Thank you!

    • @davidbombal
      @davidbombal 2 years ago +2

      Thank you! I appreciate that!

  • @danratsnapnames
    @danratsnapnames 2 years ago

    Nicely done.. Many years of working on switches, and even I found this interesting.. Thanks a bunch for demonstrating VLAN hopping.

  • @brianwang9017
    @brianwang9017 2 years ago

    I don't know what a VLAN is, so I stopped halfway through the video, but wow, you actually hacked it LOL!!

  • @Anonymous-gt8zn
    @Anonymous-gt8zn 2 years ago

    Happy Birthday David! 🙌🔥🎉🎉

  • @jerrydixon9343
    @jerrydixon9343 2 years ago

    Happy Birthday Mr. Bombal, I hope you had a wonderful time, surrounded by friends and family! 🎁 🎂 🎉 🎊 🎈

  • @jfbeam
    @jfbeam 2 years ago +18

    Using or not using VLAN 1 has nothing to do with this. (not using VLAN 1 would just be security through obscurity.) The issue is the switch erroneously allowing tagged traffic on a non-tagged ("access") port. Try this with hardware from someone who cares more about the quality of the product than their stock price.

    • @davidbombal
      @davidbombal 2 years ago +1

      My tests show different results to what you stated. VLAN 1 on Cisco devices does not necessarily work like other vendors.

    • @eldoradoboy
      @eldoradoboy 2 years ago +1

      @@davidbombal What if I were to send 3 packets with the first being 999 then 3 and 3? Thus I could just write a Python script to run all 4096 VLANs until I got a reply.. I do 100% agree with you on not using VLAN 1, ever. I often have it sitting off as the default VLAN on a single unused port by itself where it can do nothing.. I usually use Aruba switches; I need to try this on those and see if I can mitigate it... Or are you saying that if I make my native VLAN something that I never use anyplace else, those tags don't get forwarded? I want to see one where you used 999 as your first tag.. If your port is native to 999 and then you start with that and stack double tag 3's, what happens? I.e. if you are in a hotel it's easy to unplug the wireless AP in the room and insert into the network at that point and watch the traffic.. You will quickly learn the tagged and untagged VLANs coming in.. usually 3 of them.. Some of those networks are Layer 3 and 4 protected but many are not.. So if you snag the native VLAN of a port through trial and error, will the script break the network again, or is it simply a "VLAN ID 1" thing?

    • @theragingnoodle9392
      @theragingnoodle9392 2 years ago

      @@eldoradoboy Except you will never have a reply, because the computer on VLAN 3 will reply on this VLAN that your Kali cannot see.

  • @Dycell
    @Dycell 2 years ago

    Old network guy here, this is kind of a 'public' secret among us back in the day. The story was that Cisco has some legacy code that only runs in VLAN 1. It's proprietary protocol stuff so they have a hard time changing it. Never used native VLAN 1 myself, and ports are administratively shut down when not in use. MAC filtering is pretty common today as well, even with some fancy management software.

    • @jfbeam
      @jfbeam 2 years ago

      I think you have "untagged" confused with "vlan 1". CDP, spanning-tree (dot1D), ... will be sent untagged no matter how the port is configured. (PVST was a hack to run multiple STP's in their own VLAN)

    • @Dycell
      @Dycell 2 years ago

      @@jfbeam Haha, yes you are correct. It's a long time since I was doing networking stuff, so thanks for correcting me!

  • @ethercat.
    @ethercat. 2 years ago +13

    Always find it funny that when attackers do it, it's called double tagging, and when SPs do it, it's called QinQ. (Just kidding, they are not exactly the same.)

    • @jfbeam
      @jfbeam 2 years ago

      It _is_ the same thing - a stack of dot1q tags. However, when SPs do it, it's explicitly configured on the hardware, and it will only process what it's supposed to process and ignore (or drop) anything else.

  • @ayanroy9820
    @ayanroy9820 2 years ago

    This shows how a misconfigured VLAN can mess with your network! POINT TO NOTE: keep the devices away from VLAN 1, create other VLANs for them, and the most IMPORTANT thing is DO NOT MISCONFIGURE YOUR NATIVE VLAN! Damn, this is interesting!!!

  • @vladislavkaras491
    @vladislavkaras491 1 year ago

    Really cool and useful content!
    Thank you, David!

  • @tyrojames9937
    @tyrojames9937 2 years ago

    This channel keeps putting out very educational videos!😎

  • @PerMejdal
    @PerMejdal 2 years ago +1

    Excellent video. Do not use VLAN 1, or more precisely: do not mix tagged and untagged traffic on 802.1Q links.

    • @davidbombal
      @davidbombal 2 years ago +1

      802.1Q trunk ports have an untagged VLAN.

  • @joshuaborders5230
    @joshuaborders5230 2 years ago +1

    Great job thinking outside the box of how VLAN tagging operates. Thank you for following up on how to defend against this vulnerability.

  • @Chulit0San
    @Chulit0San 2 years ago

    Van Harte gefeliciteerd David !
    (hbday in Dutch).

  • @jamespeterson7979
    @jamespeterson7979 2 years ago

    Hurray, the algorithm suggested me something useful :D

  • @glowiever
    @glowiever 2 years ago

    I don't understand it, but it's fascinating to watch. Nice video man.

  • @scottspa74
    @scottspa74 2 years ago

    Fantastic! Thank you for a great illustration. Some was a little fast for me, but adjusting the playback speed works great 👍

  • @SigmaOfMyParts
    @SigmaOfMyParts 2 years ago +1

    Yes, you can do this in case of such a bad switch config. It would be nice if the switch would cover this case or prevent such a config.
    You however missed telling that this way one could establish an outgoing connection from your Windows VLAN and actually get service access.

    • @SigmaOfMyParts
      @SigmaOfMyParts 2 years ago +1

      It's a shame that such issues can still occur. I think I heard of this 20 years back and it still works in some cases.

  • @kevintedder4202
    @kevintedder4202 2 years ago +1

    Whilst this issue may look serious, it's not as bad as one may imagine. In order to exploit this attack the hacker needs physical access to the switch, since you cannot inject these crafted packets from a remote location. If your physical security allows an unauthorised person to wander around your premises, then you have bigger issues to worry about than jumping between VLANs.
    But I do agree with the suggested mitigation.

    • @matthewschuster4600
      @matthewschuster4600 2 years ago

      Uhhhh, ever heard of wireless networks?

    • @kevintedder4202
      @kevintedder4202 2 years ago +1

      @@matthewschuster4600 Yes, and if the WiFi has not been secured correctly, then the same unauthorised access issue applies.

    • @matthewschuster4600
      @matthewschuster4600 2 years ago

      @@kevintedder4202 Yes. So technically you don't need physical access to the switch to do VLAN hopping.

    • @deleatur
      @deleatur 2 years ago +1

      @@matthewschuster4600 "So technically"?? Nah, at most that's a technicality. An insecure WiFi can indeed be seen as the practical equivalent of the "physical" access Kevin Tedder is referring to.

    • @xxxblackvenomxxx
      @xxxblackvenomxxx 2 years ago

      Again.. the problem is that there are a *lot* of networks that have a design that allows such access, so that you could inject packets like shown here. In a perfect world, everyone would have enough knowledge and time(!) to look after things as they should. In reality.. until then it's good to spread info. It might not be that bad in theory, but *if* it's applicable, it's a complete disaster.

  • @anthonym.4356
    @anthonym.4356 2 years ago +3

    Happy birthday David

  • @gredercastellanos9839
    @gredercastellanos9839 2 years ago

    Great video man, greetings from Cuba

  • @adrianoros4083
    @adrianoros4083 1 year ago

    Note that even at the end, when u configured switch 2 with access port VLAN 2, because u forge packets in Scapy u could have sent a crafted frame directly with ID tag 3 (or multiple VLAN ID 3 dot1q tags) just to prove that it will travel through the trunk with tag 3 to the Windows PC & router VLAN 3 subnet network.

  • @mtnsolutions
    @mtnsolutions 2 years ago +4

    A good reminder to change the native VLAN on trunk ports

    • @gorak9000
      @gorak9000 2 years ago +3

      I don't even get why a trunk port needs a native VLAN - in an HP switch, you can set a port to have tagged traffic only (no native untagged VLAN at all) - this solves this entire problem. Just a poor design choice by Cisco, or a misconfiguration on his part.

    • @KL-lt8rc
      @KL-lt8rc 2 years ago

      @@gorak9000 I believe it's because things like CDP and STP traffic get sent between the switches untagged.

    • @jfbeam
      @jfbeam 2 years ago

      @@gorak9000 That's possible on lots of non-Cisco gear. The best you can do with most Cisco stuff is disallow the native VLAN on the trunk port.

  • @aniketsharma7333
    @aniketsharma7333 2 years ago

    Networking + Security -- Best Video ❤️

  • @catatonicprime
    @catatonicprime 2 years ago

    Very nice work David. Highly educational.

    • @davidbombal
      @davidbombal 2 years ago

      Thank you! Glad you enjoyed the video :)

  • @drumaddict89
    @drumaddict89 1 year ago

    Thanks a lot. Confirms I still plan networks correctly :)

  • @Luftbubblan
    @Luftbubblan 2 years ago

    Awesome when things are so silly / simple. What a fun find.

  • @brightjoseph9947
    @brightjoseph9947 2 years ago +3

    This has made my day

  • @aaronag7876
    @aaronag7876 2 years ago +5

    Can you do a hacking session using containers? Like multiple containers to simulate a DDoS or multiple attacks on a network. Thanks

  • @bnk28zfp
    @bnk28zfp 2 years ago

    I'm also learning Python! Thank you David!!

  • @FunkyELF
    @FunkyELF 2 years ago

    Cool... but is this because of a bug in Cisco not stripping the tags properly?
    Would you need to use a non-default native VLAN on trunk ports if you're using UniFi gear as well?

  • @reanitkhmer3325
    @reanitkhmer3325 2 years ago

    I really appreciated your content. I have learned a lot from your channel.

  • @perryuploads776
    @perryuploads776 1 year ago

    Hi David, wouldn't a port mirror be enough to capture the trunk frames instead of using a TAP? Thanks again.

  • @mariocastelhano6375
    @mariocastelhano6375 2 years ago

    Thank you David for another fantastic video. All the Best.

  • @donwald3436
    @donwald3436 2 years ago +1

    Programmers: "I wrote a program."
    Python programmers: "I wrote a program in Python!"

  • @salvatorecampolo2032
    @salvatorecampolo2032 2 years ago

    Very well done, but double tagging is only one method to achieve VLAN hopping.
    The other method is switch spoofing, exploited on Cisco IOS devices when the ports are set to negotiate trunks through Dynamic Trunking Protocol.
    :-)

  • @ap5672
    @ap5672 2 years ago +6

    I haven't seen the whole video, however if the switch has ingress filtering at the port set to only accept untagged traffic, logically you would not be able to VLAN hop.

  • @BudgetTechUKYT
    @BudgetTechUKYT 2 years ago

    I love it when network dudes tell me how they use VLAN 1 in networks. I'm like bro, brooooooo!!!!

  • @Qbit_labs
    @Qbit_labs 2 years ago

    Great video, big fan. Student from 🇮🇳

  • @Qbit_labs
    @Qbit_labs 2 years ago +2

    Please make a video about how to hack a device connected to the same network. HAPPY BIRTHDAY DAVID

  • @Makyver1
    @Makyver1 2 years ago

    David, in your current setup what happens when you set the VLAN tag to 999 in your hop1to3? Does it break again and allow traffic through? So three tags, the first being 999 and the next two being 3?

  • @gabriele3719
    @gabriele3719 2 years ago

    Hi, it's very useful. You're very good! I just have one question: what if, in the last example, you put 3 tags like this: Dot1Q(vlan=2)/Dot1Q(vlan=[ID native vlan])/Dot1Q(vlan=3)? Would it not work in this case either?

  • @jialixx
    @jialixx 2 years ago

    Very helpful information. Thank you!

  • @jurajpapic374
    @jurajpapic374 2 years ago

    Outstanding!!! Please, a full course with Scapy.

  • @notathome13
    @notathome13 2 years ago +2

    Interesting. Catalyst 1900 switches had significant VLAN hopping issues (from memory) but it was fixed in the 2900. Wonder if the firmware code has been used on cheaper switches. Tried this on other vendors by any chance?

  • @procoder9492
    @procoder9492 2 years ago

    I learned everything from u, the best educator

  • @MrBrad4021
    @MrBrad4021 2 years ago

    As a network 'person', security comes in layers. #0 No default passwords. #1 Don't have a mirror port on any of your switches. #2 No one gets physical access to your network closet without a key or a bazooka.

  • @mohammadbakhshpour149
    @mohammadbakhshpour149 2 years ago

    Hey David, amazing as always. Can I mention such tricks you teach here and of course mention your channel as the resource?

  • @Traumatree
    @Traumatree 2 years ago +3

    The script command Dot1Q seems to be based on using VLAN 1 to do its "magik".
    Could you make it use VLAN 999 instead and see how things would go? The "trick" in this is to find what the native VLAN is in order to push bad frames, and you will be able to hop VLANs again.

    • @raoskidoo15
      @raoskidoo15 2 years ago +1

      I was thinking the same thing. Either stack 3/999/999/2 or 999/999/3 or 999/999/2 or just 999. I'm curious now and my lab is not up :/

    • @Traumatree
      @Traumatree 2 years ago +1

      @@raoskidoo15 What I wanted to add but didn't have time to is: that is why you need an NGFW that will route your traffic between VLANs nowadays (and not a typical router/L3 switch), as it can easily prevent that kind of attack (to name a few of them). This VLAN traffic is also known as east-west traffic in the data center between VMs and applications of any kind.

    • @KL-lt8rc
      @KL-lt8rc 2 years ago

      I believe the Kali box would also have to be on a port that has been assigned VLAN 999 as an access VLAN.

  • @majiddehbi9186
    @majiddehbi9186 2 years ago

    Hello Mr Bombal, thx, I'm just studying this topic, thx

  • @penguin--_--
    @penguin--_-- 2 years ago +1

    Sir, at what age did you start learning hacking?

  • @rezaranjbar-n5m
    @rezaranjbar-n5m 1 year ago

    Hi David, I was working on this idea of triple tagging in GNS3, but finally I realized that double tagging still works for me (my imported switch is Cisco IOSvL@). My question is: which Cisco switches are safe against double tagging, so that triple tagging is needed?

  • @vcarriere
    @vcarriere 1 year ago

    The first thing I thought when I saw him smile alone was: damn, this dude made all that for himself

  • @goruby2
    @goruby2 2 years ago

    Ok, this is Cisco related but not on topic. I have a question. I have multiple working computers that will connect to the domain, and all of the share drives on some VLANs, but not on the VLAN I need them on. David, do you have a possible answer or solution?

  • @Foiliagegaming
    @Foiliagegaming 2 years ago

    Thank you for these great videos. They are a great learning tool for new people in the industry

  • @idahofur
    @idahofur 2 years ago

    This stuff reminds me of years ago when a coworker and I were playing with blocking network subnets. I forgot to plug the machine from one subnet back into the other subnet. Stupid thing still logged into the domain on the wrong subnet. Ooops. Could I access, say, an FTP server between the subnets? No, I could not. Yes, I did find out the additional rules to block domain logins between the subnets. :) But it is also why I tell people I'm not a router, Cisco, etc. expert. This was on a Mikrotik router setup too.

  • @alexandresilvanano8736
    @alexandresilvanano8736 2 years ago

    Really nice content here! Thank you!

  • @atayupanquicaceresmayconna2537
    @atayupanquicaceresmayconna2537 2 years ago

    Thanks to your videos ...... I was motivated to keep going in the world of IT.

  • @jabulaninhlapojt
    @jabulaninhlapojt 2 years ago

    Happy Birthday maneer Bombal

  • @youtubak777
    @youtubak777 2 years ago

    Is this only Cisco switch thing or does it affect switches from other manufacturers as well?

  • @Problembaer4
    @Problembaer4 2 years ago

    In the first example, you use an access port. So you send a multiple-tagged frame to the first switch. This switch should classify this frame to the set PVID (in your case VID 1). The frame will get sent out the trunk to the next switch. Egress tagless (the switch does no manipulation of the tags), because the switch has internally classified the frame to VID/PVID 1, which is the native VLAN on the trunk too. The switchport on the other side is a trunk port and sees a frame with an 802.1Q tag. It should classify the packet to this VID (from the outer tag) and it should move on. At this point the VLAN translation happens.
    What I don't understand is why 3 tags are needed. Is this a thing from the 802.1Q standard and its CVID/SVID thing? Or is this a Cisco thing?
    And why not set "allow only untagged frames" on a true access port? But most ports nowadays are trunk (or better, hybrid) ports, because you usually have a (VoIP) phone connected to the switch and on the phone is the (untagged) PC.
    Does "ingress filtering" help? I don't know how this handles multiple-tagged frames. I think this will check only the outer tag/PVID.

  • @sirsquirrel0
    @sirsquirrel0 2 years ago +3

    The moral of the story is Cisco needs to test their code extensively!

    • @Traumatree
      @Traumatree 2 years ago +1

      Not using Cisco switches would be an even better thing!

  • @plrpilot
    @plrpilot 2 years ago

    The issue has nothing to do with three tags. The issue has to do with Cisco assuming that there would not be a misconfigured frame with two tags on the same VLAN. It would appear at the surface that they are simply stripping each tag once, instead of stripping all non-allowed VLANs. This allows a duplicate tag to fall through the cracks. There's nothing wrong with VLAN 1, either. I wish you had not confused that with the native VLAN concept, as it will only confuse network newbies. Try this with a UniFi, GE or Ruggedcom switch and you'll understand the issue.

    • @davidbombal
      @davidbombal 2 years ago

      My tests show different results to what you stated. Did you watch the entire video? Also, VLAN 1 on Cisco devices does not necessarily work like other vendors.

    • @plrpilot
      @plrpilot 2 years ago

      Yes, I did watch the whole video, and I appreciate the response. I'll go back and experiment more with this, but with the Cisco switches I have on my desk (2300 series), I noticed an interesting pattern: placing the third tag with a different VLAN (other than 2) didn't propagate the signal, but placing two tags with the same VLAN did. This is important if you were to try an attack that uses more than one VLAN in the attack. That was the premise behind my comment that the three tags is a mislabel of the specific attack. It also works with 5 tags for a multi-VLAN attack (or anothers if you span expand it). The key is that three is not the only magic number. My experiments indicate a far worse problem than what you really highlighted here.
      Your mitigations do work with the Cisco switches. Initial testing with a GE switch, which has very similar configuration parameters to the Cisco, did not exhibit the same pass-through behavior. The Ruggedcom interface is completely different, and I'm still trying to figure out how to best replicate the test there. I think you sufficiently clarified your explanation on VLAN 1 later in the video, but -- at least on the 2300 series -- I was able to recreate this with a non-VLAN 1 attack with some creative global defaults. My comment on VLAN one was more nitpicking on semantics than anything. It's personal preference and you can ignore the comment.
      Ultimately, Cisco needs to update their firmware. The way the switch is configured, it should not pass traffic by overloading the VLAN tags of a packet. It's an interesting dilemma that ultimately validates the message you're trying to communicate with this whole video. Don't take someone's word on security. Play around with it and see what you can do. I'm going to be doing this with at least 6 more switch series that I have in production to see just how far I might be able to take this.
      Thanks for the vid.

    • @davidbombal
      @davidbombal 2 years ago

      Thank you for the great comment and adding information about your additional tests and scenarios. The reason I emphasized 3 tags is that all the documentation I found online referred to two tags for VLAN hopping (double tagging). I have not seen anyone mention 3 tags anywhere to get around protections and run this attack. Here is Wikipedia for example: en.wikipedia.org/wiki/VLAN_hopping - I demonstrated adding lots of tags later in the video, but the video was getting too long to go into any more depth at that point. I think I've shown in the video that adding additional tags changes things from the typical double tagging people refer to and opens up another whole can of worms - or opportunities :) Please keep us updated on your findings.

  • @killerkilz6109
    @killerkilz6109 2 years ago +1

    Thank you very much David

  • @ehsnils
    @ehsnils 2 years ago

    Now I know that I have some more work to do at work to change the trunking VLAN.

  • @JuanBotes
    @JuanBotes 2 years ago

    thanks for the tech detail and sharing your knowledge \o/

  • @karthik-sarvan
    @karthik-sarvan 2 years ago

    Happy birthday David.

  • @jp34604
    @jp34604 2 years ago

    That was excellent. Many shops I have been in avoid this simply as a matter of standards.

  • @TheSiRiUs9
    @TheSiRiUs9 2 years ago

    Greetings Mr. David,
    Is it possible for you to make a video on what your PC setup looks like? I'm kind of fond of the way you set up your PC to run Windows and Linux all at the same time to test around etc. Also, is the way you set it up for security reasons by any means? Kindly, it's a humble request. We learn a lot from you, but please tell us so I can also make a setup like yours 💙💙

  • @bmorenerde
    @bmorenerde 2 years ago

    So if an attacker knows what the native VLAN is set to, they can configure their Scapy to use that VLAN, right? Seems to me like a persistent threat could just brute-force through all 4094 VLANs until they receive a successful message back. Actually I think I need to reproduce your lab setup. Not sure where the switch is stripping the tag, on ingress or egress, and whether it's the first switch or the second switch (pre-native or post-native).

  • @malfoytech4601
    @malfoytech4601 2 years ago +1

    Keep making these kinds of videos.

  • @daniels-mo9ol
    @daniels-mo9ol 2 years ago +1

    This is scary especially when it's Cisco. How could they not test multiple tagging, and how has this not been patched since the 90s or 00s?

    • @KL-lt8rc
      @KL-lt8rc 2 years ago

      They probably just expect people to use a distinct native vlan on trunk ports and not have any end device traffic on the native vlan. That is best practices and something that is usually drilled into people very early on in Cisco training (to not ever use vlan 1). Obviously, some places aren't going to have proper configs though, especially if they don't have a trained person setting things up.

  • @rolling_marbles
    @rolling_marbles 2 years ago

    So you’re saying to set the native VLAN on the ISL trunks to some VLAN that doesn’t actually exist anywhere on the network to act as a sinkhole?

  • @reflection159q4
    @reflection159q4 2 years ago

    Hi David, I've been watching your RUclips videos and content on Udemy for 5 years now and climbed up the ladder but…. Did you do something with your hair? It looks very nice, something has changed I think.

  • @orbitxyz7867
    @orbitxyz7867 2 years ago +3

    happy birthday sir

  • @npham1198
    @npham1198 2 years ago

    Love the video! So in an environment where the router is doing all L3 and all switches are running in L2 with VLANs... The trunks between the switches and the router would have a separate native VLAN of, say, 999 and then tag all VLANs necessary for the network? Also what if I connect an AP that needs the different VLANs? In this case would it still be that "999" VLAN?

    • @sammackenzie4440
      @sammackenzie4440 2 years ago

      the native vlan is relevant to the trunk in question - you can use a different native vlan for each trunk if you like; but it can get a bit annoying. So for example the switch to router native vlan could be 999 and switch to AP could be 998 or 999 it doesn't affect functionality. Best practice is to avoid native vlan towards any potential entry points for compromise - like an access port on a switch, or a server used for user access for some reason. If you trunk to a user device for some reason, I'd keep that on a different native vlan - but otherwise you can re-use it.

  • @mikicamikulic9792
    @mikicamikulic9792 2 years ago

    You should create a network hacking with Python course and certification. Thank you for this ❤️
    Just one question: I have eJPT and CEH, and I want to take CCNA before OSCP. Is that okay?

  • @mpsoxygen
    @mpsoxygen 2 years ago +2

    Interesting, have you tried stacking 802.1q frames with the new native vlan?

    • @samsampier7147
      @samsampier7147 2 years ago

      I believe the idea is that if you do not add VLAN 999 to the VLAN database, then the CAM for that VLAN won't exist; therefore a frame will never form.

    • @mpsoxygen
      @mpsoxygen 2 years ago

      @@samsampier7147 I can't understand anything you said.

    • @KL-lt8rc
      @KL-lt8rc 2 years ago

      @@samsampier7147 You would have to add vlan 999 to the vlan database to use it as a native vlan though. But I don't think the method shown in the video would work for vlan 999 unless the Kali computer were also on a port assigned to vlan 999, like it was with vlan 1.

    • @samsampier7147
      @samsampier7147 2 years ago

      @@KL-lt8rc can you explain why would want to create the vlan 999? I just verified that my production switches work fine without the native vlan existing. Granted Cisco is consistently inconsistent. Configs for one model of Cisco switch don't necessarily work for another model.

    • @KL-lt8rc
      @KL-lt8rc 2 years ago +1

      @@samsampier7147 It may depend on the switch, model, IOS version, etc. I've not heard of being able to use a vlan as native without also creating the vlan. The switch may also do it automatically if you add it to the interface? Not sure.
      But either way, the reason the OP's question wouldn't work is because the attacker computer needs to be on the same vlan as the native, whether 999 or 1 or whatever.
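
The double-tagging mechanics discussed in the reply about two versus three tags, and the native-VLAN question in the thread just above, can be reasoned about with a small model. The following is an added example, not code from the video or from Cisco: a pure-Python builder and parser for stacked 802.1Q tags plus a deliberately simplified two-switch model (an assumption, not a vendor implementation) that applies only the textbook rules: an access port accepts untagged frames or frames tagged with its own VLAN, a trunk sends its native VLAN untagged unless native tagging is on, and the receiving trunk assigns untagged frames to its native VLAN. The MAC addresses and payload are constructed sample data; the function names (`build_frame`, `double_tag_hop`, etc.) are this example's own. The vendor-specific handling of three or more tags reported in the thread is outside this model.

```python
"""Model of 802.1Q double tagging across two switches joined by a trunk.

Added example; the switch behaviour is a simplification (assumption) that
covers only the native-VLAN rules, not any particular vendor's firmware.
"""
import struct

ETH_P_8021Q = 0x8100        # 802.1Q TPID
ETH_P_IP = 0x0800

DST = bytes.fromhex("0800270000b2")   # constructed sample MACs
SRC = bytes.fromhex("0800270000a1")


def build_frame(vlan_ids, payload=b"ICMP-ECHO", dst=DST, src=SRC):
    """Ethernet II frame with a stack of 802.1Q tags, outermost first.
    This is what Scapy's Ether()/Dot1Q(vlan=a)/Dot1Q(vlan=b)/... emits."""
    hdr = dst + src
    for vid in vlan_ids:
        if not 0 <= vid <= 4094:
            raise ValueError(f"bad VLAN id {vid}")
        hdr += struct.pack("!HH", ETH_P_8021Q, vid & 0x0FFF)   # PCP=0, DEI=0
    return hdr + struct.pack("!H", ETH_P_IP) + payload


def parse_tags(frame):
    """Return the VLAN ids in the tag stack, outermost first."""
    vids, off = [], 12
    while struct.unpack_from("!H", frame, off)[0] == ETH_P_8021Q:
        vids.append(struct.unpack_from("!H", frame, off + 2)[0] & 0x0FFF)
        off += 4
    return vids


def pop_tag(frame):
    """Strip the outermost 802.1Q tag (4 bytes after the MAC addresses)."""
    return frame[:12] + frame[16:]


def push_tag(frame, vid):
    """Insert a new outermost 802.1Q tag."""
    return frame[:12] + struct.pack("!HH", ETH_P_8021Q, vid & 0x0FFF) + frame[12:]


def access_ingress(frame, access_vlan):
    """Attacker's access port on switch 1. Returns (vlan, frame) or (None, None)."""
    vids = parse_tags(frame)
    if not vids:
        return access_vlan, frame
    if vids[0] == access_vlan:      # a tag matching the port VLAN is accepted and removed
        return access_vlan, pop_tag(frame)
    return None, None               # foreign tag on an access port: dropped


def trunk_egress(vlan, frame, native_vlan, tag_native):
    """Switch 1 forwards the frame onto the trunk."""
    if vlan == native_vlan and not tag_native:
        return frame                # native VLAN leaves untagged: any inner tag is now the outer tag
    return push_tag(frame, vlan)


def trunk_ingress(frame, native_vlan, tag_native, allowed):
    """Switch 2 receives the frame on the trunk. Returns (vlan, frame) or (None, None)."""
    vids = parse_tags(frame)
    if not vids:                    # untagged: native VLAN, or dropped if native tagging is required
        return (None, None) if tag_native else (native_vlan, frame)
    if vids[0] in allowed:
        return vids[0], pop_tag(frame)
    return None, None


def double_tag_hop(attacker_vlan, tags, native_vlan, tag_native=False,
                   allowed=(1, 2, 10, 999)):
    """VLAN the attacker's frame lands in on switch 2, or None if dropped."""
    frame = build_frame(tags)
    vlan, frame = access_ingress(frame, attacker_vlan)
    if vlan is None:
        return None
    frame = trunk_egress(vlan, frame, native_vlan, tag_native)
    vlan, _ = trunk_ingress(frame, native_vlan, tag_native, allowed)
    return vlan


if __name__ == "__main__":
    # native VLAN 1 and attacker on VLAN 1: outer tag stripped, frame lands in VLAN 2
    print(double_tag_hop(1, [1, 2], native_vlan=1))
    # unused native VLAN 999: the outer tag stays on the trunk, frame stays in VLAN 1
    print(double_tag_hop(1, [1, 2], native_vlan=999))
    # attacker on VLAN 10 cannot send the native VLAN's tag through an access port
    print(double_tag_hop(10, [1, 2], native_vlan=1))
    # tagging the native VLAN on the trunk also keeps the outer tag in place
    print(double_tag_hop(1, [1, 2], native_vlan=1, tag_native=True))
```

Running the block shows the hop succeeding only when the attacker sits on the trunk's native VLAN and that VLAN leaves the trunk untagged; moving the native VLAN to an unused id or tagging the native VLAN keeps the outer tag on the wire so switch 2 never sees the inner tag as the outer one. To check a real switch against this model, send the same stacked frames with Scapy as in the video and compare what Wireshark shows on the far side with what `double_tag_hop` predicts.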

  • @ando440
    @ando440 2 years ago

    Great video as always!

  • @UntouchedWagons
    @UntouchedWagons 2 years ago +1

    So what would a hacker actually use this for?
    As an aside your frequent switching between your two cameras was somewhat annoying because the pitch/tone/whatever (I know nothing about sound) would change.

    • @KL-lt8rc
      @KL-lt8rc 2 years ago

      A hacker could, theoretically, inject traffic to a machine they normally wouldn't be able to talk to. They could probably also setup some kind of half-open TCP session attack to take down a system.

  • @etopnathaniel711
    @etopnathaniel711 2 years ago

    Dear sir, I have been following your channel and all of its great content. It is so amazing; I have learnt a lot. Please, what is the benefit of joining your membership?

    • @davidbombal
      @davidbombal  2 years ago

      At higher levels you get access to all the videos on my website and get access to Boson ExSim and NetSim software (depends on level, and conditions apply)

  • @krazykilper
    @krazykilper 2 years ago +1

    So essentially configure your devices properly like we are supposed to do anyways?!

    • @davidbombal
      @davidbombal  2 years ago

      The configuration demonstrates mitigations against an issue with VLANs - what I am showing shouldn’t work, but it does. Some people would tell you that Cisco should fix this. I don’t get into arguments. I am just demonstrating something that works that shouldn’t work.

  • @davidhejda2484
    @davidhejda2484 2 years ago

    I'm a beginner in networking but I'm wondering, why does the trunk port even have the native VLAN on which the frames are sent without a VLAN tag? What's a good use of it? It would seem much more logical if it were mandatory for each frame in the trunk to have its VLAN tag set to some value. Every frame with no tag should be immediately discarded.
    And if you need both untagged and tagged frames for something like a server, IP phone, IPTV or wherever else it could make sense to do that, you should use a hybrid port.

    • @jp34604
      @jp34604 2 years ago

      It's the L2 / MAC version of an all-1s broadcast (the other side of the coin for ARP), required to populate the switch fabric to map out the physical backplane layout to pair MAC addresses to ports.
      Same as the ARP table, to say find a host address on a port, or CDP Neighbors, or a routing protocol for layer 3.
      You can't select a path/route if you don't first have a table populated with your options to select a choice from.
      Chicken and egg: you need broadcast traffic to generate unicast paths/routes.
      I once had 5000 traders down in one building for 2 days due to a "bug" in the cat code which allowed someone named "Daniel" to fuck up and wr net
      "set broadcast limit 0"
      instead of 50 while cutting and pasting the main template pushed out to the multicast ticker plant, killing all market data. No quotes for any symbols or instruments, or even routes or Neighbors for that matter.... After a couple of hours TAC flew out half of the shift from RTP in Raleigh on the company jet and put a couple of them in a helicopter from LaGuardia to the downtown heliport to get on site before market open (they showed up on Wall St in tank tops, board shorts and flip flops).
      We missed the entire trading day. I was the one that found the problem, a rookie, but I didn't know what was wrong, I just noticed the difference. The Cisco fellow engineer took credit and Daniel kept his job because all the geniuses couldn't find the problem. As a result of that many products were born to automate the process, and now the command has been changed to
      "storm control" to limit the maximum with the minimum fixed at 25% to make it idiot-proof. Or Danny-proof as we call it.

    • @KL-lt8rc
      @KL-lt8rc 2 years ago

      It's because traffic for certain protocols (Cisco Discovery Protocol, spanning-tree, etc.) is sent between switches untagged.