VLAN hopping → cross into production
Discover that the access port negotiates trunking (DTP). Send double-tagged frames or set up a fake trunk to send packets into restricted VLANs.
§ Context
Assumed environment: attacker has a foothold on a non-prod VLAN. The switchports default DTP=auto / dynamic-desirable. Production hosts are reachable from the trunk.
§ Steps
- 01. Foothold on a guest / dev VLAN (Initial Access; T1078: Valid Accounts)
- 02. Send 802.1Q double-tagged frames (Lateral Movement; N-VLAN-HOP: VLAN Hopping)
- 03. Yersinia DTP attack, negotiate a trunk (Lateral Movement; N-VLAN-HOP: VLAN Hopping)
- 04. Internal nmap sweep on the prod VLAN (Discovery; N-NMAP-INTERNAL: Internal Nmap Sweep)
- 05. Pivot (SSH / chisel / impacket relay) (Lateral Movement; N-SSH-PROXY: SSH Dynamic / Reverse Tunnel)
§ References
- T1078: Valid Accounts
§ Frequently asked
- What is the "VLAN hopping → cross into production" attack path?
- Discover that the access port negotiates trunking (DTP). Send double-tagged frames or set up a fake trunk to send packets into restricted VLANs. It chains 5 steps drawn from real-world offensive-security techniques.
- What starting position does this attack require?
- The first step is Foothold on a guest / dev VLAN (T1078), an initial access primitive. Assumed environment: attacker has a foothold on a non-prod VLAN.
- What is the final impact of this kill-chain?
- The final step lands on Pivot (SSH / chisel / impacket relay) (N-SSH-PROXY), which falls under Lateral Movement. From here, an operator typically pivots into post-exploitation or maintains persistence.
- How can defenders detect or prevent this attack?
- Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.
§ Related dossiers
- Industroyer2 IEC-104 substation hijack (shared techniques: 2)
  Timed payload speaks IEC-60870-5-104 to substation RTUs at an attacker-chosen hour; sends 'open breaker' commands across a substation, blacking out a grid section.
- z/OS TN3270 → RACF userID brute → mainframe shell (shared techniques: 2)
  Internet-/intranet-exposed TN3270 mainframe terminal. Userids follow a predictable HR scheme. Brute-force passwords; many environments allow short / dictionary passwords for legacy reasons.
- SSRF → reach internal Redis → write SSH key → RCE (shared techniques: 2)
  Web app SSRF lets the attacker hit gopher://redis on the internal network. Inject CONFIG SET dir + dbfilename + SAVE to write an SSH authorized_keys onto the Redis host, then log in as the Redis user.
- Reconfigure MFP LDAP → harvest service-account credentials (shared techniques: 2)
  Walk up to / network-into the MFP admin web panel (default creds), change the LDAP address-book server to the attacker IP; the printer immediately re-binds and sends its service-account creds in cleartext.
- HMI default credentials → operations disruption (shared techniques: 2)
  Wonderware / iFix HMI exposed to the corporate network with vendor-default credentials. Operators see attacker-controlled values, and commands are sent to PLCs through legitimate channels.
- PMKID attack → offline crack with no client interaction (shared techniques: 2)
  WPA2 PMKID can be extracted from a single association attempt with the AP; no client needed. hcxdumptool + hashcat -m 22000 yields the PSK if it's weak.