You work as a network technician at Company.com. Your boss is interested in switch
spoofing. She asks you how an attacker would collect information with VLAN hopping through
switch spoofing. You should tell her that the attacking station…
A. …uses VTP to collect VLAN information that is sent out and then tags itself with the domain information in order to capture the data.
B. …will generate frames with two 802.1Q headers to cause the switch to forward the frames to a VLAN that would be inaccessible to the attacker through legitimate means.
C. …uses DTP to negotiate trunking with a switch port and captures all traffic that is allowed on the trunk.
D. …tags itself with all usable VLANs to capture data that is passed through the switch, regardless of the VLAN to which the data belongs.
E. None of the other alternatives apply
Explanation:
DTP should be disabled for all user ports on a switch. If the port is left with DTP autoconfigured (default on many switches), an attacker can connect and arbitrarily cause the port to start trunking and therefore pass all VLAN information.
http://www.cisco.com/en/US/solutions/ns340/ns517/ns224/ns376/net_design_guidance0900aecd800ebd1e.pdf
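One way to check a switch for the exposure described in the explanation, as an added example that is not part of the original page or any Cisco tooling: a small Python audit that reads an IOS-style running-config and reports switchports where DTP has not been disabled. The sample config is constructed, `parse_interfaces` and `audit_dtp` are hypothetical names, and treating a port with no explicit mode as negotiable is an assumption based on the "default on many switches" remark above.

```python
import re

# Constructed IOS-style running-config excerpt (sample data, not from the page).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
!
interface GigabitEthernet0/2
 switchport access vlan 10
!
interface GigabitEthernet0/3
 switchport mode dynamic desirable
!
interface GigabitEthernet0/4
 switchport mode access
!
interface GigabitEthernet0/5
 no switchport
!
"""

MODE = "switchport mode "

def parse_interfaces(config):
    """Map each interface name to the list of its indented sub-commands."""
    stanzas = re.findall(r"^interface (\S+)\n((?: .*\n?)*)", config, re.M)
    return {name: [c.strip() for c in body.splitlines()] for name, body in stanzas}

def audit_dtp(config):
    """Return {interface: finding} for switchports where DTP is not disabled."""
    findings = {}
    for name, cmds in parse_interfaces(config).items():
        if "no switchport" in cmds or "shutdown" in cmds:
            continue  # routed or administratively down port: skip
        mode = next((c[len(MODE):] for c in cmds if c.startswith(MODE)), None)
        if mode is None:
            findings[name] = "no explicit mode; platform default may be dynamic"
        elif mode.startswith("dynamic"):
            findings[name] = "trunk negotiation enabled: " + mode
        elif "switchport nonegotiate" not in cmds:
            findings[name] = mode + " mode without switchport nonegotiate"
    return findings

if __name__ == "__main__":
    for port, finding in audit_dtp(SAMPLE_CONFIG).items():
        print(port, "->", finding)
```

Only GigabitEthernet0/1, with both `switchport mode access` and `switchport nonegotiate`, passes cleanly; the routed port is skipped because DTP does not apply to it.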
Isn’t the answer B? Double tagging is a VLAN hopping attack mode.
The answer is B and C – there are two ways to exploit VLAN hopping per http://www.ciscopress.com/articles/article.asp?p=1681033&seqNum=3
“A user can achieve this in two ways against the default configuration of a Cisco switch port. The first and most commonly used VLAN hopping method is where the attacker makes his workstation act as a trunk port. Most switches, in the default configuration, need only one side of a connection to announce themselves as a trunk; then the switch automatically trunks all available VLANs over the switch port. This results in the attacker seeing all traffic across all VLANs.
The second way an attacker can hop VLANs is by using double tagging. With double tagging, the attacker inserts a second 802.1q tag in front of the existing 802.1q tag. This relies on the switch stripping off only the first 802.1q tag and leaving itself vulnerable to the second tag. This is not as common a method of VLAN hopping as using trunking.”