# Lateral VLAN Segmentation Bypass
πBreached Write Content Wednesdays
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* **Join the** [**π¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**π¦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
**This page was copied from** [**https://medium.com/@in9uz/cisco-nightmare-pentesting-cisco-networks-like-a-devil-f4032eb437b9**](https://medium.com/@in9uz/cisco-nightmare-pentesting-cisco-networks-like-a-devil-f4032eb437b9)\*\*\*\*
If you have access to a switch that you are directly connected to, you have the ability to bypass VLAN segmentation within the network. Simply switch the port to trunk mode (otherwise known as trunk), create virtual interfaces with the IDs of the target VLANs, and configure an IP address. You can try requesting the address dynamically (DHCP) or you can configure it statically. It depends on the case.
First you need to find out exactly which port you are connected to. This is done via CDP messages, or you can search the port by mask **include**.
**If the CDP is suddenly disabled, you can try searching the port by our MAC address.**
```
SW1(config)# show mac address-table | include 0050.0000.0500
```
Before we switch to trunk mode, we need to list the existing VLANs and find out their identifiers. Then we will hang these identifiers on our interface to access VLANs. Thus, thanks to the trunk we can access any VLAN. By the way, the port we are connected to belongs to VLAN 10.
```
SW1# show vlan brief
```
**Here we go. Enter interface configuration mode and go into trunk mode.**
```
SW1(config)# interface GigabitEthernet 0/2
SW1(config-if)# switchport trunk encapsulation dot1q
SW1(config-if)# switchport mode trunk
```
During the switch to trunk mode, connectivity is lost. But I will fix that.
Create virtual interfaces and βhangβ VLAN ID on them, and then raise them.
```
~$ sudo vconfig add eth0 10
~$ sudo vconfig add eth0 20
~$ sudo vconfig add eth0 50
~$ sudo vconfig add eth0 60
~$ sudo ifconfig eth0.10 up
~$ sudo ifconfig eth0.20 up
~$ sudo ifconfig eth0.50 up
~$ sudo ifconfig eth0.60 up
```
Now you need to request an address via DHCP. But if in your case this is not possible, you can set the address statically.
```
~$ sudo dhclient -v eth0.10
~$ sudo dhclient -v eth0.20
~$ sudo dhclient -v eth0.50
~$ sudo dhclient -v eth0.60
```
Example of configuring a static IP address on an interface (VLAN 10):
```
~$ sudo ifconfig eth0.10 10.10.10.66 netmask 255.255.255.0
```
To test the connection, I initiate ICMP requests to the default gateways **for VLANs 10, 20, 50, 60**
In the end, **I bypassed VLAN** segmentation and can get into any VLAN network, which unties my hands for the next steps
πBreached Write Content Wednesdays
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* **Join the** [**π¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**π¦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
---
# Agent Instructions: Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.
Perform an HTTP GET request on the current page URL with the `ask` query parameter:
```
GET https://breached.gitbook.io/dashboard/generic-methodologies-and-resources/pentesting-network/lateral-vlan-segmentation-bypass.md?ask=
```
The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.
Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
.png)
.png)
%20(2).png)
%20(3).png)
.png)
.png)