You should tell her that the attacking station…

You work as a network technician at Company.com. Your boss is interested in switch
spoofing. She asks you how an attacker would collect information with VLAN hoping through
switch spoofing. You should tell her that the attacking station…

You work as a network technician at Company.com. Your boss is interested in switch
spoofing. She asks you how an attacker would collect information with VLAN hoping through
switch spoofing. You should tell her that the attacking station…

A.
…uses VTP to collect VLAN information that is sent out and then tags itself with the
domain information in order to capture the data.

B.
…will generate frames with two 802.1Q headers to cause the switch to forward the
frames to a VLAN that would be inaccessible to the attacker through legitimate means.

C.
…uses DTP to negotiate trunking with a switch port and captures all traffic that is
allowed on the trunk.

D.
…tags itself with all usable VLANs to capture data that is passed through the switch,
regardless of the VLAN to which the data belongs.

E.
None of the other alternatives apply

Explanation:
DTP should be disabled for all user ports on a switch. If the port is left with DTP autoconfigured (default on many switches), an attacker can connect and arbitrarily cause the port
to start trunking and therefore pass all VLAN information.
Reference:
http://www.cisco.com/en/US/solutions/ns340/ns517/ns224/ns376/net_design_guidance0900aecd800ebd1e.pdf



Leave a Reply 3

Your email address will not be published. Required fields are marked *


Cisco Jedi

Cisco Jedi

The correct answer is B, using double 802.1q tags

http://www.ciscopress.com/articles/article.asp?p=2181837&seqNum=10

Double-Tagging Attack (3.3.1.2)

Another type of VLAN attack is a double-tagging(or double-encapsulated) VLAN hopping attack. This type of attack takes advantage of the way that hardware on most switches operates. Most switches perform only one level of 802.1Q de-encapsulation, which allows an attacker to embed a hidden 802.1Q tag inside the frame. This tag allows the frame to be forwarded to a VLAN that the original 802.1Q tag did not specify as shown in Figure 3-29. An important characteristic of the double-encapsulated VLAN hopping attack is that it works even if trunk ports are disabled, because a host typically sends a frame on a segment that is not a trunk link.

ploiesti

ploiesti

Correct like Jedi is saying.

Answer C refers to switch spoofing.

Switch spoofing happens when an attacker can persuade a switch to go into trunking mode which then allows all traffic for all vlans to be seen. This would happen if a trunk port was set to auto and the attacker sent spoofed DTP (Dynamic Trunking Protocol) frames or connected a rogue switch to the switchport.

KurpLondon

KurpLondon

Correct answer is C. The important keyword here is “through switch spoofing”

We are talking about switch spoofing here not vlan hoping attack. B is not the correct answer