Exam PT0-002 topic 1 question 165 discussion

Actual exam question from CompTIA's PT0-002
Question #: 165
Topic #: 1

A penetration tester has gained access to part of an internal network and wants to exploit on a different network segment. Using Scapy, the tester runs the following command:

Which of the following represents what the penetration tester is attempting to accomplish?

  • A. DNS cache poisoning
  • B. MAC spoofing
  • C. ARP poisoning
  • D. Double-tagging attack
Suggested Answer: D

Comments

Incognito09
Highly Voted 2 years, 6 months ago
Selected Answer: D
I believe this to be D. Double-tagging, a method of VLAN hopping. https://scapy.readthedocs.io/en/latest/usage.html
upvoted 8 times
...
[Removed]
Highly Voted 2 years, 3 months ago
Selected Answer: D
sendp(Ether()/Dot1Q(vlan=2)/Dot1Q(vlan=7)/IP(dst=target)/ICMP()) is certainly VLAN hopping using Double Tagging.
upvoted 5 times
...
Etc_Shadow28000
Most Recent 9 months, 4 weeks ago
Selected Answer: D
D. Double-tagging attack

Explanation:
  • Double-Tagging Attack: This attack is a type of VLAN hopping attack where an attacker sends frames with two VLAN tags. The purpose is to exploit the way some network switches handle VLAN tags. The outer VLAN tag (100) is stripped by the first switch, leaving the inner VLAN tag (50) intact. This can cause the packet to be sent to a different VLAN (VLAN 50) than the attacker is actually on (VLAN 100), potentially reaching a different network segment.

Analysis of the Command:
  • Ether(): Constructs an Ethernet frame.
  • Dot1Q(vlan=100): Adds the first VLAN tag (100).
  • Dot1Q(vlan=50): Adds the second VLAN tag (50), which is the tag that will remain after the outer tag is stripped.
  • IP(dst="172.16.50.10"): Adds an IP layer with the destination IP address 172.16.50.10.
  • ICMP(): Adds an ICMP layer, typically used for ping operations.
upvoted 1 times
...
PhillyCheese
1 year, 4 months ago
Selected Answer: D
Another type of VLAN attack is a double-tagging (or double-encapsulated) VLAN hopping attack. This type of attack takes advantage of the way that hardware on most switches operates. Most switches perform only one level of 802.1Q de-encapsulation, which allows an attacker to embed a hidden 802.1Q tag inside the frame. This tag allows the frame to be forwarded to a VLAN that the original 802.1Q tag did not specify. An important characteristic of the double-encapsulated VLAN hopping attack is that it works even if trunk ports are disabled because a host typically sends a frame on a segment that is not a trunk link. https://www.ciscopress.com/articles/article.asp?p=2181837
upvoted 1 times
...
mehewas855
1 year, 4 months ago
Selected Answer: D
This very much looks like a double-tagging attack. Check this source with a packet/Wireshark capture: https://packetlife.net/blog/2010/feb/22/experimenting-vlan-hopping/
upvoted 1 times
...
[Removed]
2 years ago
Selected Answer: D
The command being run is creating an Ethernet frame with two VLAN tags (VLAN 100 and VLAN 50) and an IP packet with a destination IP address of 172.16.50.10 and an ICMP payload. This is an example of a Double-tagging attack, also known as a Q-in-Q attack, which involves encapsulating a frame with two VLAN tags to gain access to a different VLAN. The purpose of this attack is to bypass network segmentation and gain access to a network segment that is not directly accessible from the attacker's current position on the network.
upvoted 1 times
...
nickwen007
2 years, 1 month ago
The above line of code is a Python command that can be used to send a Layer 3 Ethernet frame with a VLAN tag (vlan=50) and an IP packet to the destination 172.16.50.10, containing an ICMP request. It is used to test networks and network devices for security vulnerabilities.
upvoted 3 times
[Removed]
2 years, 1 month ago
D is the right answer.
upvoted 2 times
...
...
kenechi
2 years, 2 months ago
Selected Answer: D
Definitely Double Tagging. The destination VLAN ID is appended to the source VLAN ID.
upvoted 3 times
...
[Removed]
2 years, 2 months ago
D is correct
upvoted 2 times
...
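
Added example, not part of the original thread or the exam material: a defender-side check that walks the 802.1Q tag stack of a raw Ethernet frame and flags the two stacked tags the comments above describe. The function names and the sample frames are constructed for illustration; it assumes frames captured on a host-facing (access) port, where end hosts have no reason to send stacked customer tags.

```python
import struct

TPID_8021Q = 0x8100   # customer VLAN tag, the type Scapy's Dot1Q layer emits
TPID_8021AD = 0x88A8  # provider tag used by legitimate Q-in-Q deployments


def vlan_stack(frame: bytes):
    """Return ([(tpid, vlan_id), ...] outermost first, inner EtherType)."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    offset = 12  # skip destination and source MAC addresses
    tags = []
    (ethertype,) = struct.unpack_from("!H", frame, offset)
    while ethertype in (TPID_8021Q, TPID_8021AD):
        if len(frame) < offset + 6:
            raise ValueError("truncated VLAN tag")
        tci, next_type = struct.unpack_from("!HH", frame, offset + 2)
        tags.append((ethertype, tci & 0x0FFF))  # low 12 bits carry the VLAN ID
        offset += 4
        ethertype = next_type
    return tags, ethertype


def hopping_alert(frame: bytes):
    """Return (outer_vlan, inner_vlan) when two 0x8100 tags are stacked, else None."""
    tags, _ = vlan_stack(frame)
    if len(tags) >= 2 and tags[0][0] == TPID_8021Q and tags[1][0] == TPID_8021Q:
        return tags[0][1], tags[1][1]
    return None


def sample_frame(vlan_ids, ethertype=0x0800):
    """Constructed capture bytes: broadcast dst, locally administered src, dummy payload."""
    frame = bytes.fromhex("ffffffffffff") + bytes.fromhex("020000000001")
    for vid in vlan_ids:
        frame += struct.pack("!HH", TPID_8021Q, vid)
    return frame + struct.pack("!H", ethertype) + b"\x00" * 46


if __name__ == "__main__":
    captures = {"untagged": [], "single tag": [50], "stacked tags": [100, 50]}
    for label, vids in captures.items():
        print(f"{label:13} -> {hopping_alert(sample_frame(vids))}")
```

On the switch side, the same condition is what a capture filter or IDS rule on access ports would look for: an 802.1Q EtherType immediately followed by a second one.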