Exam PT0-002
Question 165

A penetration tester has gained access to part of an internal network and wants to exploit on a different network segment. Using Scapy, the tester runs the following command:

Which of the following represents what the penetration tester is attempting to accomplish?

    Correct Answer: D

    The penetration tester is attempting a double-tagging attack, a form of VLAN hopping. By sending a packet with two VLAN tags, the tester is trying to exploit the way some network switches handle VLAN tags. The outer tag (VLAN 100) is stripped by the first switch, leaving the inner tag (VLAN 50) intact, which can redirect the packet to a different VLAN (VLAN 50) than originally specified, potentially reaching a different network segment. This technique bypasses network segmentation and is used to gain access to network segments that are normally not accessible from the attacker's current VLAN.

Discussion
Incognito09 Option: D

I believe this to be D. Double-tagging, a method of VLAN hopping. https://scapy.readthedocs.io/en/latest/usage.html

[Removed] Option: D

sendp(Ether()/Dot1Q(vlan=2)/Dot1Q(vlan=7)/IP(dst=target)/ICMP()) is certainly VLAN hopping using Double Tagging.

nickwen007 Option: D

The above line of code is a Python command that can be used to send a Layer 3 Ethernet frame with a VLAN tag (vlan=50) and an IP packet to the destination 172.16.50.10, containing an ICMP request. It is used to test networks and network devices for security vulnerabilities.

[Removed]

D is the right answer.

kenechi Option: D

Definitely Double Tagging. The destination VLAN ID is appended to the source VLAN ID.

[Removed] Option: D

D is correct

Etc_Shadow28000 Option: D

D. Double-tagging attack

Explanation:
• Double-Tagging Attack: This attack is a type of VLAN hopping attack where an attacker sends frames with two VLAN tags. The purpose is to exploit the way some network switches handle VLAN tags. The outer VLAN tag (100) is stripped by the first switch, leaving the inner VLAN tag (50) intact. This can cause the packet to be sent to a different VLAN (VLAN 50) than the attacker is actually on (VLAN 100), potentially reaching a different network segment.

Analysis of the Command:
• Ether(): Constructs an Ethernet frame.
• Dot1Q(vlan=100): Adds the first VLAN tag (100).
• Dot1Q(vlan=50): Adds the second VLAN tag (50), which is the tag that will remain after the outer tag is stripped.
• IP(dst="172.16.50.10"): Adds an IP layer with the destination IP address 172.16.50.10.
• ICMP(): Adds an ICMP layer, typically used for ping operations.

PhillyCheese Option: D

Another type of VLAN attack is a double-tagging (or double-encapsulated) VLAN hopping attack. This type of attack takes advantage of the way that hardware on most switches operates. Most switches perform only one level of 802.1Q de-encapsulation, which allows an attacker to embed a hidden 802.1Q tag inside the frame. This tag allows the frame to be forwarded to a VLAN that the original 802.1Q tag did not specify. An important characteristic of the double-encapsulated VLAN hopping attack is that it works even if trunk ports are disabled because a host typically sends a frame on a segment that is not a trunk link. https://www.ciscopress.com/articles/article.asp?p=2181837

mehewas855 Option: D

This very much looks like a double-tagging attack. Check this source with a packet/Wireshark capture: https://packetlife.net/blog/2010/feb/22/experimenting-vlan-hopping/

[Removed] Option: D

The command being run is creating an Ethernet frame with two VLAN tags (VLAN 100 and VLAN 50) and an IP packet with a destination IP address of 172.16.50.10 and an ICMP payload. This is an example of a Double-tagging attack, also known as a Q-in-Q attack, which involves encapsulating a frame with two VLAN tags to gain access to a different VLAN. The purpose of this attack is to bypass network segmentation and gain access to a network segment that is not directly accessible from the attacker's current position on the network.
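
A detection-side view of the frame layout discussed in this thread, as an added example that is not part of the exam material or of any poster's comment: it walks the 802.1Q tag stack of a raw Ethernet frame and flags stacked tags, which should not arrive from a host on an access port. The function names, the `native_vlan` parameter and the sample frames are assumptions constructed for illustration.

```python
import struct
from typing import List, Optional

# TPIDs that introduce a VLAN tag: 0x8100 (802.1Q) and 0x88A8 (802.1ad service tag)
VLAN_TPIDS = {0x8100, 0x88A8}


def vlan_stack(frame: bytes) -> List[int]:
    """Return the VLAN IDs carried by a raw Ethernet frame, outermost first."""
    vids = []
    offset = 12  # skip destination and source MAC addresses
    while len(frame) >= offset + 4:
        tpid, tci = struct.unpack_from("!HH", frame, offset)
        if tpid not in VLAN_TPIDS:
            break  # reached the real EtherType
        vids.append(tci & 0x0FFF)  # low 12 bits of the TCI are the VLAN ID
        offset += 4
    return vids


def classify(frame: bytes, native_vlan: Optional[int] = None) -> str:
    """Classify a frame captured on an access port (hypothetical policy)."""
    vids = vlan_stack(frame)
    if len(vids) < 2:
        return "ok"
    # Assumption: native_vlan is the trunk's native VLAN, supplied by the operator.
    # An outer tag equal to it is the case where the first switch strips the tag.
    if native_vlan is not None and vids[0] == native_vlan:
        return "alert: stacked tags, outer tag equals native VLAN"
    return "suspicious: stacked tags"


def sample_frame(tags: List[int]) -> bytes:
    """Constructed test input: broadcast frame, given tag stack, zeroed IPv4 payload."""
    macs = bytes.fromhex("ffffffffffff020000000001")
    stack = b"".join(struct.pack("!HH", 0x8100, vid) for vid in tags)
    return macs + stack + struct.pack("!H", 0x0800) + b"\x00" * 46


if __name__ == "__main__":
    for tags in ([], [50], [100, 50]):
        frame = sample_frame(tags)
        print(tags, vlan_stack(frame), classify(frame, native_vlan=100))
```

On provider networks that legitimately carry Q-in-Q traffic, apply a check like this only to captures from access ports, where end hosts have no reason to send tagged frames at all.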