When a switch receives a frame, it adds an 802.1Q tag (4 bytes), recomputes the FCS (Frame Check Sequence) and sends the modified frame out on the trunk link. The VID field identifies the VLAN to which the frame belongs; its value can range from 0 to 4096. In theory, if we can establish a trunk link and the switch supports 802.1Q, we can send packets to different VLANs.
In order to use 802.1Q it is mandatory to establish a trunk. In the previous section we saw how to enable a trunk with DTP and, in addition, how to specify that the encapsulation will be done using 802.1Q. Let's suppose, then, that a trunk link has been established on the corresponding port. The attacks against 802.1Q can be divided into two classes:
- sending 802.1Q frames in order to reach VLANs which don't belong to the attacker;
- use of double encapsulated 802.1Q frames: this kind of attack adds two tags to the original frame, so that when the switch removes the first tag, the VLAN from the second tag becomes the destination.
Yersinia uses 802.1Q to send ICMP Echo Request packets with the payload YERSINIA. It is clearly seen that we've sent a double encapsulated 802.1Q frame: first with VLAN 16 and finally with VLAN 1. This attack only demonstrates that we can inject traffic into other VLANs (this is called VLAN hopping). However, more advanced attacks can also be performed, like Man-in-the-Middle.

Yersinia ICMP Echo Request packet decoded using Ethereal:

Ethernet II, Src: 66:66:66:66:66:66, Dst: ff:ff:ff:ff:ff:ff
    Destination: ff:ff:ff:ff:ff:ff (ff:ff:ff:ff:ff:ff)
    Source: 66:66:66:66:66:66 (66:66:66:66:66:66)
    Type: 802.1Q Virtual LAN (0x8100)
802.1q Virtual LAN
    111. .... .... .... = Priority: 7
    ...0 .... .... .... = CFI: 0
    .... 0000 0001 0000 = ID: 16
    Type: 802.1Q Virtual LAN (0x8100)
802.1q Virtual LAN
    111. .... .... .... = Priority: 7
    ...0 .... .... .... = CFI: 0
    .... 0000 0000 0001 = ID: 1
    Type: IP (0x0800)
Internet Protocol, Src Addr: 10.0.0.1 (10.0.0.1), Dst Addr: 255.255.255.255 (255.255.255.255)
    Protocol: ICMP (0x01)
    Source: 10.0.0.1 (10.0.0.1)
    Destination: 255.255.255.255 (255.255.255.255)
Internet Control Message Protocol
    Type: 8 (Echo (ping) request)
    Checksum: 0xb953 (correct)
    Identifier: 0x0042
    Sequence number: 00:42
    Data (8 bytes)
        0000  59 45 52 53 49 4e 49 41   YERSINIA
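The tag stack that the decode above shows can be checked from the defender's side: a frame arriving on an access port should carry no 802.1Q tag at all, and a stacked pair of tags is exactly the double encapsulation described here. The following parser and check are an added example, not code from the article or from Yersinia; the sample frame header is constructed from the decode above, and the parser also accepts the 802.1ad service-tag EtherType 0x88a8 so that it generalises beyond plain 802.1Q.

```python
import struct

# EtherTypes that introduce an 802.1Q tag (0x8100) or an 802.1ad service tag (0x88a8).
VLAN_ETHERTYPES = {0x8100, 0x88A8}

# Constructed sample: the header of the Yersinia frame from the Ethereal decode on
# this page (broadcast dst, src 66:66:66:66:66:66, VID 16 tag over VID 1 tag, then
# IPv4). The ICMP payload is omitted; only the header is parsed here.
DOUBLE_TAGGED = bytes.fromhex(
    "ffffffffffff"  # dst ff:ff:ff:ff:ff:ff
    "666666666666"  # src 66:66:66:66:66:66
    "8100e010"      # 802.1Q tag: priority 7, CFI 0, VID 16 (TCI 0xe010)
    "8100e001"      # 802.1Q tag: priority 7, CFI 0, VID 1  (TCI 0xe001)
    "0800"          # EtherType IPv4
)
# Constructed sample: same addresses, no tag at all.
UNTAGGED = bytes.fromhex("ffffffffffff" "666666666666" "0800")

def parse_vlan_stack(frame):
    """Return (dst, src, [(priority, cfi, vid), ...] outer-to-inner, payload EtherType)."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[0:6].hex(":"), frame[6:12].hex(":")
    tags, offset = [], 12
    while True:
        if len(frame) < offset + 2:
            raise ValueError("truncated EtherType")
        (ethertype,) = struct.unpack("!H", frame[offset:offset + 2])
        if ethertype not in VLAN_ETHERTYPES:
            return dst, src, tags, ethertype
        if len(frame) < offset + 4:
            raise ValueError("truncated 802.1Q tag")
        (tci,) = struct.unpack("!H", frame[offset + 2:offset + 4])
        # TCI layout: 3-bit priority, 1-bit CFI, 12-bit VLAN ID.
        tags.append((tci >> 13, (tci >> 12) & 0x1, tci & 0x0FFF))
        offset += 4

def access_port_findings(frame):
    """Findings for a frame seen on an access port, where no tag is expected.
    Two stacked tags match the double encapsulation described above; the inner
    VID is the VLAN the frame would hop to once the first tag is stripped."""
    _, src, tags, _ = parse_vlan_stack(frame)
    if len(tags) >= 2:
        return [f"double-tagged frame from {src}: outer VID {tags[0][2]}, inner VID {tags[1][2]}"]
    if len(tags) == 1:
        return [f"tagged frame from {src} on access port: VID {tags[0][2]}"]
    return []
```

Running `access_port_findings(DOUBLE_TAGGED)` reports the outer VID 16 and inner VID 1 from the decode, while `UNTAGGED` produces no findings.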
Alfredo Andrés
David Barroso
S21sec e-crime