Frogger – VLAN Hopping Script

Here is a little script I made that automates VLAN enumeration and hopping. Firstly it is not a tool so to speak, it is simply a bash script I put together that automates the process of VLAN enumerating and hopping end to end with interactive menus etc. It uses tools already out there for the process. Another thing to note is I have no coding experience and this is one of my first bash scripts I have created, so I am sure there are better ways of putting this script together but it works.

What’s the point of the script?

It saves manually sniffing packets, going through and noting down the VLAN IDs etc. It is a fast way to discover live devices within each VLAN ID. Let’s say you have 100 VLAN IDs it will take you some time manually find devices or VLANs of interest.

Who should use the script?

I would recommend if you haven’t mastered VLAN hopping manually (sniffing packets, yersinia etc), then go and do that first. First learn how to do this and there are various articles around explaining it. This script I use for ease and clarification, but I know how to do it manually and always the best way. Obviously only use this on your own test networks or networks you are authorised to conduct testing on.

It is a simple one command script and it will do the following:

  • Sniffs out CDP packets and extracts (VTP domain name, VLAN management address, Native VLAN ID and IOS version of Cisco devices)
  • It will enable a DTP trunk attack automatically
  • Sniffs out and extracts all 802.1Q tagged VLAN packets within STP packets and extracts the unique IDs.
  • It then feeds these IDs into arp-scan and auto tags packets and scans each VLAN ID for live devices.
  • Then gives an option to auto create a VLAN interface within the found network to connect to that VLAN.
  • Has various cleanup and error checking parts to the script.
  • It is very automated and fast.
  • Works over SSH too. So if the client only gives you SSH access to a system, it will work if all dependencies are installed.

I have only tested this on backtrack version 5. It needs arp-scan version 1.8 or above in order to arp-scan with tagged VLAN IDs. Download that from NTA Monitor http://www.nta-monitor.com/tools/arp-scan/

It does dependency and version checks for you, so when you run the script it will check you have all the required software and correct versions.

Feedback welcome (except your crap at coding comments..I already know this :) )

Video demo:

Screen shots are below.

____________________________________________________________________________________________________

Download from the NCC Open Source GitHub Repository below:

https://github.com/nccgroup/vlan-hopping

____________________________________________________________________________________________________

To run simply type ./frogger.sh (must run as root user)

Another important note is VLAN hopping/sniffing doesn’t work well from within VMware player/Workstation OS. Best way is to boot off Backtrack direct or USB etc with the correct version of ARP-SCAN.

 Dependency checks – you can also alter the CDP/STP scan times (edit the top of script)

 Select local interface to use

 VTP Domain

 Native VLAN ID

 Cisco IOS Version

 VLAN Management IP Address – Enter the IP or CIDR you want to scan for devices

 

List of all tagged VLAN IDs

 Arp-Scan Of Each VLAN ID Found – Device found in VLAN ID 99

 Create a local VLAN Interface to place yourself in the VLAN

Connection made to device in the VLAN