hacktricks/generic-methodologies-and-resources/pentesting-network/lateral-vlan-segmentation-bypass.md

# Lateral VLAN Segmentation Bypass

{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Support HackTricks</summary>

* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>
{% endhint %}

If direct access to a switch is available, VLAN segmentation can be bypassed. This involves reconfiguring the connected port to trunk mode, establishing virtual interfaces for target VLANs, and setting IP addresses, either dynamically (DHCP) or statically, depending on the scenario (**for further details check [https://medium.com/@in9uz/cisco-nightmare-pentesting-cisco-networks-like-a-devil-f4032eb437b9](https://medium.com/@in9uz/cisco-nightmare-pentesting-cisco-networks-like-a-devil-f4032eb437b9)).**

Initially, identification of the specific connected port is required. This can typically be accomplished through CDP messages, or by searching for the port via the **include** mask.

**If CDP is not operational, port identification can be attempted by searching for the MAC address**:

```
SW1(config)# show mac address-table | include 0050.0000.0500
```

Prior to switching to trunk mode, a list of existing VLANs should be compiled, and their identifiers determined. These identifiers are then assigned to the interface, enabling access to various VLANs through the trunk. The port in use, for instance, is associated with VLAN 10.

```
SW1# show vlan brief
```

**Transitioning to trunk mode entails entering interface configuration mode**:

```
SW1(config)# interface GigabitEthernet 0/2
SW1(config-if)# switchport trunk encapsulation dot1q
SW1(config-if)# switchport mode trunk
```

Switching to trunk mode will temporarily disrupt connectivity, but this can be restored subsequently.

Virtual interfaces are then created, assigned VLAN IDs, and activated:

```bash
sudo vconfig add eth0 10
sudo vconfig add eth0 20
sudo vconfig add eth0 50
sudo vconfig add eth0 60
sudo ifconfig eth0.10 up
sudo ifconfig eth0.20 up
sudo ifconfig eth0.50 up
sudo ifconfig eth0.60 up
```

Subsequently, an address request is made via DHCP. Alternatively, in cases where DHCP is not viable, addresses can be manually configured:

```bash
sudo dhclient -v eth0.10
sudo dhclient -v eth0.20
sudo dhclient -v eth0.50
sudo dhclient -v eth0.60
```

Example for manually setting a static IP address on an interface (VLAN 10):

```bash
sudo ifconfig eth0.10 10.10.10.66 netmask 255.255.255.0
```

Connectivity is tested by initiating ICMP requests to the default gateways for VLANs 10, 20, 50, and 60.

Ultimately, this process enables bypassing of VLAN segmentation, thereby facilitating unrestricted access to any VLAN network, and setting the stage for subsequent actions.

## References

* [https://medium.com/@in9uz/cisco-nightmare-pentesting-cisco-networks-like-a-devil-f4032eb437b9](https://medium.com/@in9uz/cisco-nightmare-pentesting-cisco-networks-like-a-devil-f4032eb437b9)

{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Support HackTricks</summary>

* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>
{% endhint %}
GitBook: [#3523] No subject 2022-09-30 10:43:59 +00:00			`# Lateral VLAN Segmentation Bypass`

a 2024-07-18 23:15:55 +00:00			`{% hint style="success" %}`
			`Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[HackTricks Training AWS Red Team Expert (ARTE)](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\`
			`Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[HackTricks Training GCP Red Team Expert (GRTE)<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)`

GitBook: [#3523] No subject 2022-09-30 10:43:59 +00:00			`<details>`

a 2024-07-18 23:15:55 +00:00			`<summary>Support HackTricks</summary>`
GitBook: [#3523] No subject 2022-09-30 10:43:59 +00:00
a 2024-07-18 23:15:55 +00:00			`* Check the [subscription plans](https://github.com/sponsors/carlospolop)!`
			`* Join the 💬 [Discord group](https://discord.gg/hRep4RUj7f) or the [telegram group](https://t.me/peass) or follow us on Twitter 🐦 [@hacktricks\_live](https://twitter.com/hacktricks\_live).`
			`* Share hacking tricks by submitting PRs to the [HackTricks](https://github.com/carlospolop/hacktricks) and [HackTricks Cloud](https://github.com/carlospolop/hacktricks-cloud) github repos.`
GitBook: [#3523] No subject 2022-09-30 10:43:59 +00:00
			`</details>`
a 2024-07-18 23:15:55 +00:00			`{% endhint %}`
GitBook: [#3523] No subject 2022-09-30 10:43:59 +00:00
a 2024-02-07 04:06:18 +00:00			If direct access to a switch is available, VLAN segmentation can be bypassed. This involves reconfiguring the connected port to trunk mode, establishing virtual interfaces for target VLANs, and setting IP addresses, either dynamically (DHCP) or statically, depending on the scenario (for further details check [https://medium.com/@in9uz/cisco-nightmare-pentesting-cisco-networks-like-a-devil-f4032eb437b9](https://medium.com/@in9uz/cisco-nightmare-pentesting-cisco-networks-like-a-devil-f4032eb437b9)).
GitBook: [#3523] No subject 2022-09-30 10:43:59 +00:00
a 2024-02-03 14:45:32 +00:00			`Initially, identification of the specific connected port is required. This can typically be accomplished through CDP messages, or by searching for the port via the include mask.`
GitBook: [#3523] No subject 2022-09-30 10:43:59 +00:00
a 2024-02-03 14:45:32 +00:00			`If CDP is not operational, port identification can be attempted by searching for the MAC address:`
GitBook: [#3523] No subject 2022-09-30 10:43:59 +00:00
			```
			`SW1(config)# show mac address-table \| include 0050.0000.0500`
			```

a 2024-02-03 14:45:32 +00:00			`Prior to switching to trunk mode, a list of existing VLANs should be compiled, and their identifiers determined. These identifiers are then assigned to the interface, enabling access to various VLANs through the trunk. The port in use, for instance, is associated with VLAN 10.`
GitBook: [#3523] No subject 2022-09-30 10:43:59 +00:00
			```
			`SW1# show vlan brief`
			```

a 2024-02-03 14:45:32 +00:00			`Transitioning to trunk mode entails entering interface configuration mode:`
GitBook: [#3523] No subject 2022-09-30 10:43:59 +00:00
			```
			`SW1(config)# interface GigabitEthernet 0/2`
			`SW1(config-if)# switchport trunk encapsulation dot1q`
			`SW1(config-if)# switchport mode trunk`
			```

a 2024-02-03 14:45:32 +00:00			`Switching to trunk mode will temporarily disrupt connectivity, but this can be restored subsequently.`
GitBook: [#3523] No subject 2022-09-30 10:43:59 +00:00
a 2024-02-03 14:45:32 +00:00			`Virtual interfaces are then created, assigned VLAN IDs, and activated:`
GitBook: [#3523] No subject 2022-09-30 10:43:59 +00:00
a 2024-02-07 04:06:18 +00:00			```bash
			`sudo vconfig add eth0 10`
			`sudo vconfig add eth0 20`
			`sudo vconfig add eth0 50`
			`sudo vconfig add eth0 60`
			`sudo ifconfig eth0.10 up`
			`sudo ifconfig eth0.20 up`
			`sudo ifconfig eth0.50 up`
			`sudo ifconfig eth0.60 up`
GitBook: [#3523] No subject 2022-09-30 10:43:59 +00:00			```

a 2024-02-03 14:45:32 +00:00			`Subsequently, an address request is made via DHCP. Alternatively, in cases where DHCP is not viable, addresses can be manually configured:`
GitBook: [#3523] No subject 2022-09-30 10:43:59 +00:00
a 2024-02-07 04:06:18 +00:00			```bash
			`sudo dhclient -v eth0.10`
			`sudo dhclient -v eth0.20`
			`sudo dhclient -v eth0.50`
			`sudo dhclient -v eth0.60`
GitBook: [#3523] No subject 2022-09-30 10:43:59 +00:00			```

a 2024-02-03 14:45:32 +00:00			`Example for manually setting a static IP address on an interface (VLAN 10):`
GitBook: [#3523] No subject 2022-09-30 10:43:59 +00:00
a 2024-02-07 04:06:18 +00:00			```bash
			`sudo ifconfig eth0.10 10.10.10.66 netmask 255.255.255.0`
GitBook: [#3523] No subject 2022-09-30 10:43:59 +00:00			```

a 2024-02-03 14:45:32 +00:00			`Connectivity is tested by initiating ICMP requests to the default gateways for VLANs 10, 20, 50, and 60.`

			`Ultimately, this process enables bypassing of VLAN segmentation, thereby facilitating unrestricted access to any VLAN network, and setting the stage for subsequent actions.`
GitBook: [#3523] No subject 2022-09-30 10:43:59 +00:00
a 2024-02-08 03:06:37 +00:00			`## References`
GitBook: [#3523] No subject 2022-09-30 10:43:59 +00:00
a 2024-02-03 14:45:32 +00:00			`* [https://medium.com/@in9uz/cisco-nightmare-pentesting-cisco-networks-like-a-devil-f4032eb437b9](https://medium.com/@in9uz/cisco-nightmare-pentesting-cisco-networks-like-a-devil-f4032eb437b9)`
GitBook: [#3523] No subject 2022-09-30 10:43:59 +00:00
a 2024-07-18 23:15:55 +00:00			`{% hint style="success" %}`
			`Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[HackTricks Training AWS Red Team Expert (ARTE)](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\`
			`Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[HackTricks Training GCP Red Team Expert (GRTE)<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)`

GitBook: [#3523] No subject 2022-09-30 10:43:59 +00:00			`<details>`

a 2024-07-18 23:15:55 +00:00			`<summary>Support HackTricks</summary>`
GitBook: [#3523] No subject 2022-09-30 10:43:59 +00:00
a 2024-07-18 23:15:55 +00:00			`* Check the [subscription plans](https://github.com/sponsors/carlospolop)!`
			`* Join the 💬 [Discord group](https://discord.gg/hRep4RUj7f) or the [telegram group](https://t.me/peass) or follow us on Twitter 🐦 [@hacktricks\_live](https://twitter.com/hacktricks\_live).`
			`* Share hacking tricks by submitting PRs to the [HackTricks](https://github.com/carlospolop/hacktricks) and [HackTricks Cloud](https://github.com/carlospolop/hacktricks-cloud) github repos.`
GitBook: [#3523] No subject 2022-09-30 10:43:59 +00:00
			`</details>`
a 2024-07-18 23:15:55 +00:00			`{% endhint %}`