Note: this post was made in November 2015

So today I decided to learn about VLAN attacks but every video I see just asks you to use yersinia or the frogger script. If you are reading this you probably saw all those and still have no idea what is happening.

So what I did was read the frogger script to see how it was grabbing information from tshark and parsing it to the user to be displayed.

From what I understand you can run:

tshark -R "vlan" -V -i eth1

To obtain the the verbose output of the vlan scans. If you scroll around you will see " = ID: " fields. These are the VLAN IDs we need and are looking for.

If we run the following command we can obtain information regarding the switch:

tshark -R "cdp" -V -i eth1

Information regarding the device name and management IP is displayed.

From this point on, from my n00bness as I still do not understand what is happening, just that I know on one of these VLANs I can access the management IP. I went ahead and decided to hop onto each one and see which one can route to it ?

For example, if my list of IDs that I have discovered are 5, 10 and 15 then I would do the following:

modprobe 8021q vconfig add eth1 5 ifconfig eth1.5 10.100.100.100 up ping

If it did not respond, I would try 10 and finally 15 until I found out which one this lived on.

Due to the environment I was in when I was performing the tests. I had to connect through an SSH box. Therefore, if possible to use the arp-scan tool, the following command will allow arp scanning with VLAN tags.

arp-scan -Q -I