VLAN hopping is the act of moving traffic from one VLAN to another without authorization. A VLAN (virtual LAN) is a logical grouping of switch ports that can extend across any number of switches on an Ethernet campus. Its purpose is to organize devices by security need and/or to limit the impact of broadcast traffic on the larger network. A switched network can have (nearly) any number of VLANs that extend across the campus, each being its own broadcast domain with its own subnet ID. Metro Ethernet metropolitan area networks (MANs) can even extend a company's VLANs to other locations around town. The most common use cases are to segregate the network by department, device type, or security level.
Because VLANs are logically segmented away from the rest of the network, you would ordinarily have to use a router to move traffic between them. This allows you to set access control lists and other policies to control which hosts can access hosts in other VLANs. Ordinarily, a switch port or Wi-Fi connection can only belong to one VLAN at a time, and cannot change unless specifically configured by the network administrator. This means that whatever port or SSID the device connects to determines the VLAN that device is in. You would have to plug into a different port or connect to a different WLAN to change your VLAN. Or, if permitted, a router would have to route your traffic from your existing VLAN to other VLANs. There are, however, ways to bypass this restriction. Some examples include:
- Overflowing the MAC table on a vulnerable switch so that it behaves like a hub, repeating frames out all ports.
- Configuring the attacker machine's interface to act as a trunk port. The machine then negotiates an unauthorized trunk link with the switch, which allows traffic from any VLAN to flow over that link. The attacker can then apply the desired VLAN tag to malicious frames, and the switch delivers them to the restricted VLAN.
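Both techniques above depend on port settings the administrator controls: a port that still answers trunk negotiation, and a port with no limit on the MAC addresses it may learn. The following audit script is an added example, not part of the original text; it parses a constructed, IOS-style switch configuration (the command syntax is assumed) and flags non-trunk ports that are exposed to either attack.

```python
# Constructed IOS-style switch config (not from a real device); syntax assumed.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 switchport port-security
 switchport port-security maximum 2
interface GigabitEthernet1/0/2
 switchport mode dynamic desirable
interface GigabitEthernet1/0/3
 switchport mode access
interface GigabitEthernet1/0/24
 switchport mode trunk
 switchport nonegotiate
"""

def parse_interfaces(config):
    interfaces, current = {}, None  # {interface_name: [indented config lines]}
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif current and line.startswith(" "):
            interfaces[current].append(line.strip())
    return interfaces

def audit(config):
    findings = {}  # {interface_name: [findings]} for exposed non-trunk ports
    for name, lines in parse_interfaces(config).items():
        mode = next((l.split()[2] for l in lines if l.startswith("switchport mode ")), None)
        if mode == "trunk":
            continue  # intentional uplink; out of scope for this check
        issues = []
        if mode != "access":
            # Default/dynamic mode answers DTP and can be talked into becoming a trunk.
            issues.append("will negotiate an unauthorized trunk: set mode access + nonegotiate")
        elif "switchport nonegotiate" not in lines:
            issues.append("DTP still active on access port: add switchport nonegotiate")
        if not any(l.startswith("switchport port-security") for l in lines):
            # Without a MAC limit, flooding from this port can fill the switch's MAC table.
            issues.append("no MAC limit: enable port-security with a small maximum")
        if issues:
            findings[name] = issues
    return findings

if __name__ == "__main__":
    for port, issues in audit(SAMPLE_CONFIG).items():
        print(port, "->", "; ".join(issues))
```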
One popular VLAN hopping tool is Frogger. It is a command-line tool that automatically sets up a trunk link, identifies VLAN IDs that are in use, and tags your traffic for the desired VLAN.
Note: For more information about Frogger, see https://www.commonexploits.com/frogger-the-vlan-hopper/.
Note: In some cases, VLAN membership for a device is dynamically determined by its MAC address. The network administrator pre-creates a list of VLANs and the MAC addresses that belong to them. When the device is plugged in, its MAC address is checked against the VLAN database and the corresponding VLAN is dynamically assigned to that port.