# VLAN Attacks

*Note: this post was made in November 2015*

So today I decided to learn about VLAN attacks but every video I see just asks you to use yersinia or the frogger script. If you are reading this you probably saw all those and still have no idea what is happening.

So what I did was read the frogger script to see how it was grabbing information from tshark and parsing it to the user to be displayed.

From what I understand you can run:

> tshark -R "vlan" -V -i eth1

To obtain the verbose output of the VLAN scans. If you scroll around you will see " = ID: " fields. These are the VLAN IDs we need and are looking for.
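What that ID field is at the byte level, as an added example (not code from the original post or from the frogger script): the low 12 bits of the 802.1Q tag that sits right after the source MAC address. The frames are constructed samples, and `vlan_tags`, `seen_vlan_ids` and `build_frame` are hypothetical names chosen for this illustration.

```python
import struct

# 0x8100 = 802.1Q tag, 0x88A8 = 802.1ad service tag (outer tag in QinQ)
TPIDS = {0x8100, 0x88A8}

def vlan_tags(frame: bytes):
    """Return [(priority, dei, vlan_id), ...] for one Ethernet frame, outermost tag first."""
    tags = []
    offset = 12  # skip destination MAC (6 bytes) + source MAC (6 bytes)
    while len(frame) >= offset + 4:  # truncated frames simply yield fewer tags
        tpid, tci = struct.unpack_from("!HH", frame, offset)
        if tpid not in TPIDS:
            break  # reached the real EtherType, no more tags
        # TCI layout: 3 bits priority | 1 bit DEI (older name: CFI) | 12 bits VLAN ID
        tags.append((tci >> 13, (tci >> 12) & 1, tci & 0x0FFF))
        offset += 4
    return tags

def seen_vlan_ids(frames):
    """Sorted unique VLAN IDs over a capture; ID 0 means 'priority tag only', so skip it."""
    return sorted({vid for f in frames for _, _, vid in vlan_tags(f) if vid != 0})

def build_frame(vids, ethertype=0x0800):
    """Build a constructed sample frame carrying the given VLAN IDs (outermost first)."""
    frame = bytes.fromhex("ffffffffffff") + bytes.fromhex("020000000001")
    for i, vid in enumerate(vids):
        outer_of_stack = len(vids) > 1 and i == 0
        frame += struct.pack("!HH", 0x88A8 if outer_of_stack else 0x8100, vid)
    return frame + struct.pack("!H", ethertype) + bytes(46)

# Constructed capture: three tagged frames, one untagged, one double-tagged,
# and one cut off in the middle of its tag.
SAMPLE_FRAMES = [
    build_frame([5]),
    build_frame([10]),
    build_frame([15]),
    build_frame([]),
    build_frame([100, 10]),
    build_frame([5])[:15],
]

if __name__ == "__main__":
    for frame in SAMPLE_FRAMES:
        print(vlan_tags(frame))
    print("VLAN IDs seen:", seen_vlan_ids(SAMPLE_FRAMES))
```

An access port normally delivers untagged frames, so a non-empty result from a host-facing port is worth checking against the switch port configuration.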

If we run the following command we can obtain information regarding the switch:

> tshark -R "cdp" -V -i eth1

Information regarding the device name and management IP is displayed.

From this point on, in my n00bness, I still do not understand what is happening; I just know that on one of these VLANs I can access the management IP. I went ahead and decided to hop onto each one and see which one can route to it.

For example, if the IDs I have discovered are 5, 10 and 15, then I would do the following:

> modprobe 8021q\
> vconfig add eth1 5\
> ifconfig eth1.5 10.100.100.100 up\
> ping

If it did not respond, I would try 10 and finally 15 until I found out which one this lived on.

Due to the environment I was in when I was performing the tests, I had to connect through an SSH box. Therefore, if it is possible to use the arp-scan tool, the following command will allow ARP scanning with VLAN tags.

> arp-scan -Q -I

