Testing Switches for Vulnerabilities

Book Excerpt: To hackers, your routers are a veritable Fort Knox. This article details some of the methods used to determine if the switches on your LAN are just as impenetrable.
(Page 1 of 3)

By Andrew Whitaker and Daniel Newman

From Penetration Testing and Network Defense, Chapter 10, pp. 333-337 - Cisco Press. Reprinted with permission.

Routers are not the only networking devices that are vulnerable to attack. You should also thoroughly test your switches on your LAN. Following are some of the methods for testing switches:

  • VLAN hopping
  • Spanning Tree attacks
  • MAC table flooding
  • ARP attacks
  • VTP attacks

VLAN Hopping

VLANs are a Layer 2 method of segmenting your broadcast domains. VLANs are also often used to provide additional security on networks, because hosts on one VLAN cannot talk to hosts on another VLAN without an explicit Layer 3 path, that is, inter-VLAN routing on a router or a multilayer switch. However, as you shall soon see, VLANs by themselves are not enough to secure your environment. Through VLAN hopping, a malicious hacker can hop from one VLAN to another, even though he is not authorized to do so.

VLAN hopping relies on the Dynamic Trunking Protocol (DTP), a Cisco-proprietary protocol that is enabled by default on Catalyst switch ports. If two switches are connected, DTP can negotiate between them whether the link should become an 802.1Q trunk. Negotiation is done by examining the configured state (mode) of each port. There are five states, as described in the DTP States table below.

DTP States

State          Description
On             Port is configured to be a trunk. It still sends DTP frames so that the far side can negotiate.
Off            Port is configured to be an access port and should not be a trunk.
Auto           Port is set to auto-negotiate trunk status. It becomes a trunk only if the other switch actively asks to be a trunk.
Desirable      Port is set to auto-negotiate a trunk and actively announces that it wants to be a trunk.
Nonegotiate    DTP is disabled and the port is statically set to be a trunk. No DTP frames are sent, so there is no negotiation.

Both switches need to agree to be trunks before a trunk link is established. The DTP Negotiation table below shows the combinations of states that produce a trunk. Note that a nonegotiate port sends no DTP frames at all, so the port on the other side must also be statically configured as a trunk; an auto or desirable port facing a nonegotiate port will never hear a DTP message and will stay in access mode.

DTP Negotiation

Switch 1 State     Switch 2 State
                   ON        AUTO      DESIRABLE    NONEGOTIATE
ON                 Trunk     Trunk     Trunk
AUTO               Trunk               Trunk
DESIRABLE          Trunk     Trunk     Trunk
NONEGOTIATE                                         Trunk

(An empty cell means the link does not become a trunk.)

Trunk links carry traffic from all VLANs. In 802.1Q trunking, which DTP negotiates, a four-byte tag is inserted into the Ethernet header after the source MAC address to identify which VLAN a frame belongs to: a two-byte Tag Protocol Identifier (0x8100) followed by two bytes of Tag Control Information that carry the 3-bit priority, a drop-eligible bit, and the 12-bit VLAN ID. When a frame leaves the trunk and enters another switch, the 802.1Q tag is removed, the frame check sequence is recalculated, and the frame is brought back to its original, untagged form.

VLAN hopping exploits the use of DTP. In VLAN hopping, you spoof your computer to appear as another switch. You send a fake DTP message announcing that you would like to be a trunk. When the real switch hears your DTP message, it believes a switch is on the other side and turns on 802.1Q trunking for that port. Once trunking is turned on, traffic for every VLAN allowed on the trunk is sent to your computer, tagged with its VLAN ID. This only works if the port facing you is in the auto or desirable state; on many Catalyst switches the factory default is dynamic auto or dynamic desirable, so a port that was never explicitly set to access mode is a candidate. The following figure illustrates this process.

Figure: VLAN Hopping

After a trunk is established, you either can proceed to sniff the traffic from all VLANs, or you can send traffic by adding an 802.1Q tag to your frames that designates which VLAN you want to send your attack into.
