VLAN hopping is a Layer 2 network attack vector critical to the CompTIA PenTest+ curriculum regarding network infrastructure exploits. It involves an attacker manipulating 802.1Q tagging to bypass network segmentation and access traffic on Virtual Local Area Networks (VLANs) to which they are not authorized. This allows the attacker to reach restricted subnets, servers, or endpoints that should be logically isolated. There are two primary mechanisms for executing this attack: Switch Spoofing and Double Tagging.
Switch Spoofing exploits the Dynamic Trunking Protocol (DTP). Many switches are configured by default to automatically negotiate trunk links. An attacker connects a device to a switch port and masquerades as a switch by sending DTP frames. If successful, the connection establishes a trunk link, granting the attacker access to all VLANs traversing that trunk. Remediation requires disabling DTP on all user-facing ports and statically configuring them as access ports.
Double Tagging exploits the way switches process the Native VLAN. The attacker crafts a frame with two 802.1Q tags: an outer tag matching the port's Native VLAN and an inner tag for the target victim VLAN. The first switch strips the outer tag (Native VLAN traffic is carried untagged across the trunk) and forwards the frame. The next switch sees the remaining inner tag and forwards the traffic to the restricted target VLAN. Double Tagging works even if DTP is disabled, but it is generally a unidirectional attack: traffic flows to the target and cannot easily return to the attacker, which makes it useful for Denial of Service (DoS) or blind attacks rather than interactive shells. Mitigation involves ensuring the Native VLAN is an unused ID distinct from any user data VLANs.
CompTIA PenTest+ Guide: VLAN Hopping Attacks
Overview
VLAN Hopping is a network attack technique that allows an attacker to bypass Layer 2 segmentation. In a properly secured network, hosts on one VLAN (Virtual Local Area Network) should not be able to communicate with hosts on another VLAN without passing through a router or firewall. VLAN hopping exploits switch configuration vulnerabilities to allow an attacker to send traffic to a restricted VLAN from a different, unauthorized VLAN.
Why it is Important
Network segmentation is a fundamental security control. Administrators use VLANs to separate sensitive data (like Finance or R&D) from high-risk networks (like Guest Wi-Fi or IoT devices). If a penetration tester can successfully perform a VLAN hopping attack, they demonstrate that the internal segmentation is flawed, allowing for unauthorized lateral movement and potential privilege escalation.
How it Works
There are two primary methods of VLAN hopping you must understand for the CompTIA PenTest+:
1. Switch Spoofing
This attack relies on the Dynamic Trunking Protocol (DTP). Many switches are configured to automatically negotiate whether a port should be an 'access' port or a 'trunk' port. An attacker connects to a port and runs software (like Yersinia) to mimic a switch and negotiate a trunk link. If successful, the attacker establishes a trunk connection, giving them access to traffic from all VLANs allowed on that trunk.
2. Double Tagging
This attack exploits the 802.1Q tagging standard. The attacker sends a frame with two VLAN tags attached to it. The Outer Tag matches the native VLAN of the switch port the attacker is connected to. The Inner Tag matches the target (victim) VLAN. When the first switch receives the frame, it sees the native VLAN tag, strips it off, and forwards the frame. The next switch in the chain then sees the inner tag and forwards the frame to the restricted target VLAN. Note that this is typically a one-way (blind) attack.
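As an added example (not part of the original guide), the following Python parser walks the 802.1Q tag stack of a captured Ethernet frame and flags the stacked-tag pattern described under Double Tagging: two tags whose outer VID is the trunk's native VLAN. The sample frame bytes and the native VLAN value (1) are constructed for the illustration; on a user-facing access port any stacked tags are anomalous, whereas a provider QinQ (802.1ad) link carries them legitimately, so baseline before alerting.

```python
import struct
from dataclasses import dataclass, field

# TPIDs that introduce a VLAN tag: 802.1Q customer tag and 802.1ad service tag (QinQ).
TAG_TPIDS = {0x8100, 0x88A8}

@dataclass
class TagStack:
    vids: list = field(default_factory=list)  # VLAN IDs, outermost first
    payload_type: int = 0                     # EtherType following the last tag

def parse_tags(frame: bytes) -> TagStack:
    """Walk every VLAN tag that follows the 12-byte dst/src MAC header."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    stack = TagStack()
    off = 12
    while True:
        (ethertype,) = struct.unpack_from("!H", frame, off)
        if ethertype not in TAG_TPIDS:
            stack.payload_type = ethertype
            return stack
        if len(frame) < off + 6:  # TPID(2) + TCI(2) + next EtherType(2)
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, off + 2)
        stack.vids.append(tci & 0x0FFF)  # TCI = PCP(3) | DEI(1) | VID(12)
        off += 4

def double_tag_suspicious(frame: bytes, native_vid: int) -> bool:
    """True when the frame carries stacked tags and the outer VID equals the
    native VLAN: the trunk would strip the outer tag and the inner tag would
    steer the frame into a different VLAN."""
    tags = parse_tags(frame)
    return len(tags.vids) >= 2 and tags.vids[0] == native_vid

# Constructed sample frame (not a real capture): broadcast dst, locally
# administered src, outer tag VID 1 (native), inner tag VID 20, IPv4 stub.
DOUBLE_TAGGED = bytes.fromhex(
    "ffffffffffff" "0242ac110002" "8100" "0001" "8100" "0014" "0800"
) + bytes(20)
# Same frame with a single tag (VID 20), as ordinary trunk traffic looks.
SINGLE_TAGGED = bytes.fromhex(
    "ffffffffffff" "0242ac110002" "8100" "0014" "0800"
) + bytes(20)

if __name__ == "__main__":
    print(parse_tags(DOUBLE_TAGGED).vids, double_tag_suspicious(DOUBLE_TAGGED, 1))
```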
Exam Tips: Answering Questions on VLAN Hopping Attacks
When analyzing scenario-based questions on the PenTest+, use these keywords to identify the attack or the solution:
Key Indicators:
If the scenario mentions DTP, negotiation, or the attacker mimicking a switch, the answer is Switch Spoofing.
If the scenario mentions Native VLAN, encapsulation, or two 802.1Q headers, the answer is Double Tagging.
Remediation Strategies:
To fix Switch Spoofing: Disable DTP (turn off auto-negotiation) on all ports and manually configure user-facing ports as 'access' ports.
To fix Double Tagging: Change the Native VLAN of the trunk links to an unused ID that is not used by any user traffic.