This chapter covers VLAN hopping and network pivoting, two critical attack techniques that allow penetration testers to bypass network segmentation and move laterally across a compromised network. For the PT0-002 exam, these topics fall under Domain 3: Attacks and Exploits, Objective 3.1 (Given a scenario, perform network-based attacks). Approximately 10–15% of exam questions touch on VLAN hopping, trunking attacks, or pivoting methods. Mastering these concepts is essential for understanding how attackers escape isolated network segments and for recommending effective mitigations.
Jump to a section
Imagine a hotel with two separate wings: Wing A (executive floor) and Wing B (standard floor). Each wing has its own key card system that only unlocks doors in that wing. The hotel’s central elevator, however, has a special override: if a guest from Wing B inserts their card into the elevator’s reader, the elevator can be tricked into thinking the guest is from Wing A by sending a fake “Wing A” signal. This is VLAN hopping: the attacker (guest from Wing B) sends a specially crafted frame (fake key card signal) to a switch (elevator) that trusts the attacker’s device to identify which VLAN it belongs to. In switch spoofing, the attacker pretends to be a trunk link (the elevator’s maintenance panel) that can access all wings. In double tagging, the attacker puts two VLAN tags on a frame (like a key card with two room numbers), and the first switch removes the outer tag, leaving the inner tag to access a restricted VLAN. Once inside the executive VLAN, the attacker can move laterally (pivot) to other devices on that network, just as the guest from Wing B can now walk through Wing A’s corridors and enter any room.
What is VLAN Hopping?
VLAN hopping is an attack that allows an attacker on one VLAN to gain unauthorized access to traffic on another VLAN. It exploits the way switches handle VLAN tagging and trunk links. There are two primary types: switch spoofing and double tagging.
Switch Spoofing: In this attack, the attacker’s device pretends to be a switch and negotiates a trunk link with the real switch. If the switch’s trunk ports are configured with Dynamic Trunking Protocol (DTP) in dynamic desirable or auto mode, the attacker can send DTP frames to establish a trunk. Once the trunk is established, the attacker can send and receive frames tagged with any VLAN ID, effectively gaining access to all VLANs that the trunk carries.
Double Tagging: This attack works only when the attacker is on a VLAN that uses the same native VLAN as the trunk port on the first switch. The attacker sends a frame with two 802.1Q tags: an outer tag matching the native VLAN and an inner tag targeting the victim VLAN. When the frame reaches the first switch, it strips the outer tag (because it’s the native VLAN) and forwards the frame with the inner tag still intact. The second switch then processes the inner tag and delivers the frame to the victim VLAN.
How It Works Internally
IEEE 802.1Q Tagging: A standard Ethernet frame can carry a 4-byte VLAN tag inserted between the source MAC and EtherType fields. The tag contains a 12-bit VLAN ID (0–4095), with VLAN 0 and 4095 reserved, VLAN 1 as the default native VLAN, and VLANs 2–1001 as normal range. Trunk ports carry frames for multiple VLANs by adding tags; access ports strip tags and assign frames to a single VLAN.
DTP Frames: DTP uses Cisco proprietary frames (destination MAC 01-00-0C-CC-CC-CC) to negotiate trunking. The switch port can be in one of several modes: access (never trunk), trunk (always trunk), dynamic desirable (actively tries to form trunk), dynamic auto (passively waits), and nonegotiate (disables DTP). If the attacker’s NIC can send DTP frames, it can force a dynamic desirable or auto port to become a trunk.
Double Tagging Step-by-Step: 1. Attacker on VLAN 10 (native VLAN) sends a frame with two tags: outer tag = VLAN 10, inner tag = VLAN 20. 2. The first switch (Switch A) receives the frame on an access port in VLAN 10. Since the outer tag matches the native VLAN, Switch A removes it and forwards the frame out of its trunk port. 3. The trunk port on Switch A carries all VLANs. The frame now has only the inner tag (VLAN 20). Switch A forwards it to Switch B. 4. Switch B receives the frame on its trunk port. It sees the VLAN 20 tag and forwards the frame to the destination on VLAN 20. 5. The victim on VLAN 20 receives the frame, and if it’s a broadcast or unicast, the attacker can capture responses or perform attacks.
Key Components, Defaults, and Timers
Native VLAN: Default is VLAN 1. Double tagging exploits the native VLAN because the first switch does not tag frames on the native VLAN. Using a native VLAN other than 1 (e.g., VLAN 999) reduces risk but does not eliminate it if the attacker is on that VLAN.
DTP Defaults: On Cisco switches, most ports default to dynamic auto or dynamic desirable. This varies by model and IOS version; for example, Catalyst 2960 defaults to dynamic auto. The exam often tests that dynamic auto does not actively send DTP frames but responds to them, while dynamic desirable actively sends DTP frames.
Trunk Port: A port configured as trunk (or negotiated to trunk) carries all VLANs by default (1–4094). Administrators can prune VLANs to limit which VLANs are allowed on the trunk.
VLAN Range: Normal VLANs are 1–1005; extended VLANs are 1006–4094. The 12-bit ID allows 4096 VLANs, but 0 and 4095 are reserved.
Configuration and Verification Commands
Preventing Switch Spoofing: - On all user-facing ports, set the port to access mode and disable DTP:
interface GigabitEthernet0/1
switchport mode access
switchport nonegotiate- Or explicitly set the port to access and disable trunking:
interface GigabitEthernet0/1
switchport mode access
switchport access vlan 10
no switchport trunk encapsulation dot1qPreventing Double Tagging: - Change the native VLAN on all trunk ports to an unused VLAN ID (e.g., VLAN 999):
interface GigabitEthernet0/24
switchport trunk native vlan 999Ensure that the native VLAN is not used for any user access ports.
Verification Commands:
- show interfaces trunk – displays trunk ports, native VLAN, and allowed VLANs.
- show interfaces status – shows port mode (access/trunk) and VLAN.
- show dtp interface – shows DTP mode and status.
- show vlan brief – lists all VLANs and their ports.
Interaction with Related Technologies
VLAN Hopping and STP: Spanning Tree Protocol (STP) can be manipulated to reroute traffic, but VLAN hopping itself does not rely on STP. However, an attacker might combine VLAN hopping with STP attacks (e.g., BPDU spoofing) to become a root bridge and intercept traffic.
VLAN Hopping and DHCP Snooping: DHCP snooping can prevent rogue DHCP servers but does not directly prevent VLAN hopping. However, it can help detect unauthorized devices.
VLAN Hopping and 802.1X: 802.1X authentication can block unauthorized devices from the network, but once authenticated, the device could still attempt VLAN hopping if the port is not properly hardened.
Network Pivoting
Pivoting (also called lateral movement) is the technique of using a compromised host as a gateway to attack other hosts on different network segments. Once an attacker gains a foothold on one system, they can use it to route traffic to internal networks that are not directly accessible.
Methods of Pivoting:
- Port Forwarding: Using tools like SSH, netcat, or meterpreter, the attacker forwards a local port on the attacker’s machine to a service on a target behind the compromised host.
- Proxychains: The attacker sets up a SOCKS proxy on the compromised host and routes all traffic through it. Tools like proxychains can then be used with any TCP-based tool (e.g., nmap, sqlmap).
- Tunneling: VPN tunnels (e.g., using openvpn or ssh -w) create a virtual network interface on the attacker’s machine, allowing full IP-level access.
- Routing: Adding static routes on the compromised host to forward traffic to other subnets.
Example with Meterpreter:
1. Attacker exploits a host and gets a meterpreter session.
2. Attacker runs route add to add a route to the internal subnet (e.g., 192.168.10.0/24) through the compromised host.
3. Attacker then runs portfwd add -L 0.0.0.0 -l 3389 -p 3389 -r 192.168.10.50 to forward RDP traffic.
4. Attacker connects to localhost:3389 to reach the target.
Pivoting with SSH:
- Local port forwarding: ssh -L 8080:target:80 user@compromised
- Remote port forwarding: ssh -R 8080:attacker:80 user@compromised
- Dynamic port forwarding (SOCKS): ssh -D 1080 user@compromised
Pivoting with Netcat:
- On compromised host: nc -l -p 4444 -e /bin/sh
- On attacker: nc -v compromised_ip 4444
Key Components for Pivoting
Routing Table: The compromised host must have IP forwarding enabled to act as a router. On Linux: echo 1 > /proc/sys/net/ipv4/ip_forward. On Windows: set IPEnableRouter registry key.
Firewall Rules: The compromised host must allow forwarding and not block the attacker’s traffic. The attacker may need to disable or bypass host-based firewalls.
Tunneling Protocols: SSH, HTTP/HTTPS (using tools like reGeorg), DNS (using iodine), and ICMP (using pingtunnel) can be used to bypass network restrictions.
Interaction with VLAN Hopping
VLAN hopping is often a precursor to pivoting. Once an attacker gains access to a new VLAN, they can scan for vulnerable hosts, exploit them, and then use those hosts to pivot further into the network. For example, after double tagging to reach the management VLAN, the attacker might find a server with SSH access and use it to pivot to the data center network.
Exam Focus on VLAN Hopping and Pivoting
The PT0-002 exam expects you to:
Identify the two types of VLAN hopping attacks and the conditions required for each.
Know the default DTP modes and which modes are vulnerable.
Understand how to mitigate VLAN hopping (disable DTP on user ports, change native VLAN, use dedicated VLAN IDs).
Recognize that double tagging is a one-way attack (attacker can send frames but cannot receive responses unless the victim responds to a spoofed request).
For pivoting, know the difference between port forwarding, SOCKS proxy, and VPN tunneling.
Understand that pivoting requires IP forwarding enabled on the compromised host.
Be able to choose the appropriate pivoting method given a scenario (e.g., need to scan multiple ports → SOCKS proxy; need to access a single service → port forwarding).
Common Pitfalls
Confusing DTP modes: Dynamic auto does not initiate trunking but responds; dynamic desirable actively initiates. Both are vulnerable if the attacker sends DTP frames.
Thinking double tagging allows bidirectional communication: Double tagging only allows the attacker to send frames to the victim VLAN. The victim’s response will be sent to the attacker’s real MAC address, but the attacker must be able to receive it on their own VLAN. If the response is unicast, the switch will deliver it to the attacker’s port only if the MAC address is learned on that VLAN; otherwise, it will be flooded or dropped.
Assuming VLAN hopping is prevented by using VLAN ACLs: VLAN ACLs filter traffic within a VLAN but do not prevent the initial unauthorized access via trunking or double tagging.
Forgetting that native VLAN mismatches can cause double tagging vulnerabilities: If the native VLAN on the trunk is the same as the attacker’s access VLAN, double tagging is possible.
Conclusion
VLAN hopping and network pivoting are powerful techniques that allow attackers to bypass segmentation and expand their foothold. Understanding the underlying mechanisms—802.1Q tagging, DTP, and IP forwarding—is crucial for both attacking and defending. On the PT0-002 exam, be prepared to identify vulnerable configurations, recommend mitigations, and select appropriate pivoting methods based on scenario descriptions.
Reconnaissance and Target Selection
The attacker first identifies potential entry points: a host on a VLAN that can communicate with a trunk port or a host that can send double-tagged frames. The attacker uses network scanning (e.g., nmap) to discover active hosts and their VLAN assignments. They also look for switches that may have DTP enabled by checking if the attacker’s NIC can negotiate a trunk. The attacker may also capture DTP frames to determine the switch’s DTP mode. This step is critical because the attack only works if the switch port is not hardened (e.g., not set to access mode with switchport nonegotiate).
Initiating Switch Spoofing Attack
If the switch port is in dynamic desirable or auto mode, the attacker sends DTP frames to negotiate a trunk. The attacker’s device must be capable of sending DTP frames (e.g., using a tool like Yersinia or a crafted packet). Once the trunk is established, the attacker can send and receive frames tagged with any VLAN ID. The attacker then sets their interface to trunk mode and starts sending frames with desired VLAN tags. The switch will treat the attacker as a legitimate trunk link, giving access to all VLANs allowed on that trunk.
Initiating Double Tagging Attack
If the attacker cannot negotiate a trunk, they may attempt double tagging. The attacker must be on a VLAN that matches the native VLAN of the trunk connecting the first switch to the second switch. The attacker crafts an Ethernet frame with two 802.1Q tags: the outer tag set to the native VLAN (e.g., VLAN 1), and the inner tag set to the target VLAN (e.g., VLAN 20). The frame is sent to the first switch. The first switch strips the outer tag because it matches the native VLAN and forwards the frame out of its trunk port with only the inner tag. The second switch then processes the inner tag and delivers the frame to the target VLAN.
Exploiting Access to Victim VLAN
Once the attacker has access to the victim VLAN (via trunk or double tagging), they can perform reconnaissance on that VLAN: scanning for live hosts, open ports, and vulnerabilities. The attacker can also launch attacks such as ARP spoofing, DHCP starvation, or man-in-the-middle attacks. For double tagging, the attack is one-way; the attacker can send packets but will not receive responses directly unless they also spoof the source MAC or use a broadcast. The attacker may need to combine with other techniques (e.g., ARP spoofing on the victim VLAN) to capture responses.
Establishing Pivot Point
After gaining access to a host on the victim VLAN, the attacker may use that host as a pivot to reach other networks. The attacker compromises the host (e.g., via a vulnerability or credential theft) and enables IP forwarding. Then the attacker sets up a tunnel (e.g., SSH dynamic port forwarding, meterpreter route add) to route traffic through the compromised host. For example, using SSH: `ssh -D 1080 user@compromised_host` creates a SOCKS proxy. The attacker then configures tools like proxychains to use the proxy, allowing them to scan and exploit hosts on networks beyond the initial VLAN.
Lateral Movement and Data Exfiltration
Using the pivot, the attacker moves laterally to other hosts, repeating the process: scan, exploit, pivot. The attacker may also exfiltrate data through the tunnel. The pivot point can be used to bypass firewalls and network segmentation. The attacker must be careful not to overwhelm the pivot host or trigger detection. Tools like Metasploit’s autoroute and portfwd simplify the process. The attacker may also set up multiple pivot points to create a chain, further obscuring their origin.
In a large enterprise, VLANs are used to segment departments (e.g., HR, Finance, Engineering) and to separate management traffic from user traffic. A common misconfiguration is leaving user-facing switch ports in dynamic auto mode, which allows an attacker inside the building to plug into a wall jack and potentially negotiate a trunk. For example, in a corporate office, an attacker gains physical access to a conference room and connects a laptop to the Ethernet port. The switch port is in dynamic auto (default on many Cisco switches). The attacker runs Yersinia to send DTP frames, and the switch negotiates a trunk. The attacker now has access to all VLANs, including the management VLAN. They can then scan for servers with default credentials or unpatched vulnerabilities.
Another scenario involves double tagging in a data center. The network team uses VLAN 1 as the native VLAN on all trunk links for simplicity. An attacker compromises a web server in VLAN 1 (the native VLAN). The attacker then sends double-tagged frames with an inner tag targeting the database VLAN (VLAN 100). The first switch strips the outer tag (VLAN 1) and forwards the frame to the database VLAN. The attacker can then send SQL injection payloads to the database server, even though the web server is not supposed to communicate directly with the database.
In a penetration test, pivoting is often necessary after gaining initial access to a DMZ host. For example, the tester exploits a vulnerable web application on a public-facing server. The server has two network interfaces: one in the DMZ and one in the internal network. The tester uploads a web shell and uses it to enable IP forwarding. Then the tester sets up a SOCKS proxy via SSH (if SSH is allowed) or uses a tool like Chisel to create a tunnel. From the tester’s machine, they can now scan internal IPs (e.g., 10.0.0.0/8) that were previously unreachable. They find a domain controller and exploit it using pass-the-hash. This allows them to gain domain admin privileges and access all systems.
When misconfigured, VLAN hopping can lead to severe data breaches. For instance, if an attacker gains access to the finance VLAN, they can intercept payroll data or initiate fraudulent transfers. Pivoting amplifies the damage by allowing the attacker to move from a low-value host to critical systems. Mitigations include: setting all user ports to access mode with switchport nonegotiate, using a dedicated native VLAN other than 1, implementing 802.1X for device authentication, and using network segmentation with firewalls between VLANs. Additionally, monitoring for DTP frames or unusual VLAN tags on access ports can help detect attacks.
On the PT0-002 exam, VLAN hopping and pivoting appear in Domain 3.1: Perform network-based attacks. You must be able to:
Distinguish between switch spoofing and double tagging.
Identify the DTP modes that are vulnerable: dynamic desirable and dynamic auto are both vulnerable if the attacker sends DTP frames. Access mode with nonegotiate is safe.
Know that double tagging requires the attacker to be on the native VLAN of the trunk.
Understand that double tagging is a one-way attack; the attacker can send frames but cannot directly receive responses unless they also spoof the source MAC or use broadcast.
Know mitigation commands: switchport mode access, switchport nonegotiate, switchport trunk native vlan <unused>.
For pivoting, know the difference between local port forwarding, remote port forwarding, and dynamic port forwarding (SOCKS proxy).
Understand that IP forwarding must be enabled on the pivot host.
Recognize that pivoting can use various protocols: SSH, HTTP, DNS, ICMP.
Common wrong answers on exam questions: 1. "Double tagging allows bidirectional communication." This is false. The victim’s response is sent to the attacker’s MAC address, but the second switch will forward it based on the attacker’s MAC on the attacker’s original VLAN. Since the attacker is not on the victim VLAN, the response may be dropped or flooded. The attacker can only send, not receive, unless they also spoof. 2. "Setting all ports to access mode prevents VLAN hopping." True for switch spoofing, but double tagging still possible if the attacker is on the native VLAN. Full prevention requires also changing the native VLAN. 3. "Dynamic auto is safe because it doesn't initiate trunking." Dynamic auto responds to DTP frames from the attacker, so it can be tricked into trunking. 4. "Pivoting requires a VPN tunnel." VPN is one method, but port forwarding and SOCKS proxies are also valid.
Edge cases the exam loves: the native VLAN is not VLAN 1 but still matches the attacker’s VLAN; double tagging still works. Also, if the trunk port has VLAN pruning, the attacker can only access allowed VLANs, so double tagging may fail if the inner VLAN is not allowed.
To eliminate wrong answers, focus on the underlying mechanism: switch spoofing relies on DTP negotiation; double tagging relies on native VLAN stripping. For pivoting, check if the scenario requires multiple ports (SOCKS) or a single service (port forwarding).
VLAN hopping has two types: switch spoofing (via DTP) and double tagging (via native VLAN).
Switch spoofing is bidirectional; double tagging is one-way (send only).
DTP modes: dynamic auto and dynamic desirable are vulnerable; access mode with nonegotiate is safe.
Double tagging requires the attacker's access VLAN to match the native VLAN of the trunk.
Mitigation: disable DTP on user ports (switchport nonegotiate), change native VLAN to an unused ID, and never use the native VLAN for access ports.
Pivoting uses a compromised host to route traffic to other networks; requires IP forwarding enabled.
Common pivoting methods: SSH port forwarding (local/remote/dynamic), SOCKS proxy, meterpreter route, VPN tunneling.
The PT0-002 exam expects you to choose the correct pivoting method based on scenario: single service → port forwarding; multiple services → SOCKS proxy.
VLAN hopping and pivoting often combine: gain access to a new VLAN via hopping, then pivot to deeper networks.
These come up on the exam all the time. Here's how to tell them apart.
Switch Spoofing
Exploits DTP to negotiate a trunk link between attacker and switch
Gives attacker access to all VLANs allowed on the trunk (usually all)
Bidirectional: attacker can send and receive traffic on any VLAN
Requires attacker to send DTP frames; works on dynamic desirable/auto ports
Mitigated by setting ports to access mode and disabling DTP
Double Tagging
Exploits native VLAN handling on trunk links
Only allows attacker to send frames to a specific target VLAN (one-way)
Unidirectional: attacker can send but cannot directly receive responses
Requires attacker to be on the same VLAN as the native VLAN of the trunk
Mitigated by changing native VLAN to an unused ID and not using that VLAN on access ports
Mistake
VLAN hopping only works on Cisco switches.
Correct
While DTP is Cisco proprietary, double tagging works on any switch that supports 802.1Q, including HP, Juniper, and others. The attack exploits the 802.1Q standard, not a vendor-specific feature.
Mistake
Setting the native VLAN to an unused ID completely prevents double tagging.
Correct
It prevents the common case where the attacker is on VLAN 1, but if the attacker's access VLAN matches the new native VLAN (e.g., VLAN 999), double tagging is still possible. Therefore, the native VLAN must be unused and also not assigned to any access port.
Mistake
Double tagging allows the attacker to receive responses from the victim.
Correct
Double tagging is a one-way attack. The attacker can send frames to the victim VLAN, but responses are sent to the attacker's MAC address on the victim VLAN. Since the attacker's MAC is not present on that VLAN, the second switch will either drop the frame or flood it, but the attacker will not receive it unless they also spoof their MAC on the victim VLAN (e.g., via ARP spoofing).
Mistake
Dynamic auto mode is secure because it does not actively send DTP frames.
Correct
Dynamic auto responds to DTP frames from the attacker. If the attacker sends a DTP frame requesting trunking, the switch will agree and form a trunk. Both dynamic desirable and dynamic auto are vulnerable.
Mistake
Pivoting always requires administrative privileges on the compromised host.
Correct
Many pivoting techniques require administrative privileges to enable IP forwarding or install tunneling software. However, some methods (e.g., SSH port forwarding) can work with user-level access if SSH is allowed and the user can run SSH. But to forward traffic for other hosts, IP forwarding typically needs root/admin.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
Trunking is a legitimate switch feature that carries traffic for multiple VLANs over a single link using 802.1Q tagging. VLAN hopping is an attack that exploits trunking to gain unauthorized access to VLANs. In switch spoofing, the attacker pretends to be a switch and negotiates a trunk. In double tagging, the attacker exploits how switches handle native VLAN tags on trunks.
Yes. Switch spoofing can be detected by monitoring for DTP frames on access ports (using port security or 802.1X). Double tagging can be detected by inspecting frames for multiple 802.1Q tags (though most switches do not log this by default). Network monitoring tools (e.g., Wireshark) can capture such anomalies. Also, using features like DHCP snooping and dynamic ARP inspection can help detect suspicious activity.
The native VLAN is the VLAN to which untagged frames are assigned on a trunk port. By default, it is VLAN 1. In double tagging, the attacker sends a frame with two tags: the outer tag matches the native VLAN. The first switch strips the outer tag (since native VLAN frames are not tagged) and forwards the frame with the inner tag to the next switch. This allows the frame to reach a different VLAN. Changing the native VLAN to an unused ID reduces the risk but does not eliminate it if the attacker is on that VLAN.
The best practice is a combination: (1) Set all user-facing ports to access mode and disable DTP with `switchport mode access` and `switchport nonegotiate`. (2) Change the native VLAN on all trunk ports to an unused VLAN ID (e.g., 999). (3) Explicitly prune unused VLANs from trunk ports. (4) Implement 802.1X authentication for device access. (5) Use VLAN ACLs and firewalls to restrict inter-VLAN traffic.
Pivoting is a broader concept: using a compromised host to route traffic to other networks. Port forwarding is a specific technique within pivoting where a single port on the attacker's machine is forwarded to a specific service on a target through the compromised host. Pivoting can also involve SOCKS proxies (forwarding multiple ports) or VPN tunnels (forwarding entire network traffic).
Yes. Metasploit's meterpreter has built-in pivoting capabilities. After getting a session, you can use `route add` to add a route to an internal subnet through the compromised host. Then you can use `portfwd` to forward specific ports or use the `auxiliary/server/socks_proxy` module to set up a SOCKS proxy. This allows other Metasploit modules to scan and exploit hosts on the internal network.
IP forwarding (or routing) allows the compromised host to forward packets between its network interfaces. Without it, the host will drop packets not destined for itself. On Linux, enable with `sysctl net.ipv4.ip_forward=1` or `echo 1 > /proc/sys/net/ipv4/ip_forward`. On Windows, set the registry key `HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\IPEnableRouter` to 1. Many pivoting tools (like SSH with `-w` option) automatically enable forwarding.
You've just covered VLAN Hopping and Network Pivoting — now see how well it sticks with free PT0-002 practice questions. Full explanations included, no account needed.
Done with this chapter?