You work as a network technician at Company.com. Your boss is interested in switch
spoofing. She asks you how an attacker would collect information with VLAN hopping through
switch spoofing. You should tell her that the attacking station…
A. …uses VTP to collect VLAN information that is sent out and then tags itself with the
domain information in order to capture the data.
B. …will generate frames with two 802.1Q headers to cause the switch to forward the
frames to a VLAN that would be inaccessible to the attacker through legitimate means.
C. …uses DTP to negotiate trunking with a switch port and captures all traffic that is
allowed on the trunk.
D. …tags itself with all usable VLANs to capture data that is passed through the switch,
regardless of the VLAN to which the data belongs.
E. None of the other alternatives apply
Explanation:
DTP should be disabled for all user ports on a switch. If the port is left with DTP auto-configured (default on many switches), an attacker can connect and arbitrarily cause the port to start trunking and therefore pass all VLAN information.
Reference:
http://www.cisco.com/en/US/solutions/ns340/ns517/ns224/ns376/net_design_guidance0900aecd800ebd1e.pdf
The correct answer is B, using double 802.1q tags
http://www.ciscopress.com/articles/article.asp?p=2181837&seqNum=10
Double-Tagging Attack (3.3.1.2)
Another type of VLAN attack is a double-tagging (or double-encapsulated) VLAN hopping attack. This type of attack takes advantage of the way that hardware on most switches operates. Most switches perform only one level of 802.1Q de-encapsulation, which allows an attacker to embed a hidden 802.1Q tag inside the frame. This tag allows the frame to be forwarded to a VLAN that the original 802.1Q tag did not specify, as shown in Figure 3-29. An important characteristic of the double-encapsulated VLAN hopping attack is that it works even if trunk ports are disabled, because a host typically sends a frame on a segment that is not a trunk link.
Correct like Jedi is saying.
Answer C refers to switch spoofing.
Switch spoofing happens when an attacker can persuade a switch to go into trunking mode which then allows all traffic for all vlans to be seen. This would happen if a trunk port was set to auto and the attacker sent spoofed DTP (Dynamic Trunking Protocol) frames or connected a rogue switch to the switchport.
Correct answer is C. The important keyword here is “through switch spoofing”
We are talking about switch spoofing here, not a VLAN hopping attack. B is not the correct answer.