Abusing VLANs With BackTrack

In this post I'm going to have a little fun with VLANs. As I've been studying for the CCNA cert I've been reading how great VLANs are, so in this post i'm going to have a little fun with some really cool tools from the Backtrack distro. My aim is to demonstrate why simlpy placing hosts in a seperate VLAN might sometimes not be enough if you really don't want anyone to have access to them. Let's get started.

Tools:

• BackTrack.
• Yersinia.
• vconfig.
• Wireshark.
• Nmap.

I start off by connecting to the LAN and getting a network address

dhclient eth0

I can see that I'm attached to the network 10.0.1.0/24.

Next I fire up wireshark and check the network for DTP (Dynamic Trunking Protocol) frames and CDP (Cisco Discovery Protocol) frames.

I can see that I have both CDP and DTP frames present.
Now I want to tell the switch that my port is a trunk port, for this I'll use Yersinia and tell it to look at DTP.

yersinia -I

After I see DTP frames appear in Yersinia I launch the attack to configure the port for trunking.

Now I need to know the VLAN number that other networks are on. Before launching Yersinia I could only see traffic from my own network (10.0.1.0/24), now I can start to see traffic from hosts on another network (192.168.2.2).

Looking at the 802.1Q information in the frame I can see that the other network is on VLAN 2.

With this information I'll create a new interface in the new network and configure vconfig to tag the frames for VLAN2.

vconfig add eth0 2

ifconfig eth0.2 up

                       ifconfig eth0.2 192.168.2.200/24

                                                                  ifconfig

Now I check I can ping the host I saw with Wireshark and I have a quick look at it's ports with Nmap.

ping -c 2 192.168.2.2

nmap 192.168.2.2

Great, I have plenty here to play with, and on port 80 ...........

Okay obviously this was staged but hopefully it illustrates two things. VLANs can be abused and Yersinia rocks!!!!!!!!!