What is a method to launch a VLAN hopping attack?

A VLAN hopping attack is where a device on one VLAN can receive traffic from another VLAN that it’s not a member of. One of the common methods to launch a VLAN hopping attack involves sending spoofed native VLAN information.

Here’s how the attack works using spoofed native VLAN information:

1. An attacker configures a system to mimic a trunking interface by tagging Ethernet frames with the VLAN ID of the target VLAN.
2. Because switches by default send traffic from the native VLAN untagged, the attacker sends frames with no VLAN tag.
3. The switch receives these untagged frames and assumes they belong to the native VLAN.
4. If the native VLAN of the attacker’s port matches the target VLAN, the switch forwards the frames to the target VLAN.

The attacker’s system essentially pretends to be a switch expecting untagged frames from the native VLAN, which the switch obligingly sends. This is a form of VLAN hopping because the traffic “hops” from the native VLAN to another without passing through a router.

Sending spoofed native VLAN information is a more direct and common method of VLAN hopping compared to the other options listed, which are:

• Introducing a rogue switch and enabling trunking: This could potentially allow VLAN hopping, but it involves physical access and more complex configuration.
• Flooding the switch with MAC addresses: This would lead to a different type of attack, such as a MAC address table overflow, which could make the switch act like a hub, broadcasting traffic to all ports.
• Sending spoofed IP addresses from the attacking host: This method would be more relevant to IP-based attacks, such as IP spoofing, rather than VLAN hopping.