Network Segmentation Bypass
#Overview
Enterprise networks use segmentation controls to isolate devices, restrict lateral movement, and enforce policy. In practice, these controls are frequently misconfigured, outdated, or bypassable. After gaining wireless access (or a wired drop), the attacker faces VLAN isolation, MAC filtering, NAC enforcement, and 802.1X authentication — each of which has known bypass techniques.
This section covers attacks that traverse or circumvent network segmentation controls. The prerequisite is network access at any level — even a restricted guest VLAN is a starting point.
#Attack Progression
```text
Network Access Gained (any VLAN)
    |
    v
What control blocks movement?
    |
    |-- VLAN Isolation
    |     |-- Can I see trunk ports? --> [VLAN Hopping](vlan-hopping.md)
    |     |-- DTP enabled? --> Switch Spoofing
    |     |-- Double tagging possible? --> 802.1Q Double Tag
    |     |-- VoIP VLAN reachable? --> VoIP Hopping
    |
    |-- MAC Filtering
    |     |-- See [MAC Filtering Bypass](mac-filtering-bypass.md)
    |     |-- Passive monitoring for valid MACs
    |     |-- MAC spoofing with ifconfig/macchanger
    |     |-- OUI fingerprinting for realistic MACs
    |
    |-- NAC / 802.1X
    |     |-- MAB-only? --> [NAC Bypass](nac-bypass.md) (spoof printer/IoT)
    |     |-- 802.1X? --> [802.1X Attacks](8021x-attacks.md)
    |     |     |-- EAP downgrade --> PEAP/GTC
    |     |     |-- Certificate trust chain --> MITM
    |     |     |-- Wired bypass --> hub insertion / switch spoofing
    |     |
    |     |-- Posture assessment? --> Agent spoofing, cached creds
    |
    |-- Captive Portal
          |-- See [Captive Portal Bypass](../wifi-attacks/captive-portal-bypass.md)
          |-- MAC whitelist spoofing
          |-- DNS/ICMP tunneling
```
#Technique Files
| File | Covers | Complexity |
|---|---|---|
| VLAN Hopping | DTP switch spoofing, 802.1Q double tagging, VoIP hopping, VLAN discovery | Medium |
| MAC Filtering Bypass | Passive MAC discovery, spoofing, OUI fingerprinting, enterprise AP bypass | Low-Medium |
| NAC Bypass | MAB spoofing, device profiling, posture bypass, vendor-specific (Cisco ISE, Aruba) | Medium-High |
| 802.1X Attacks | EAP downgrade, PEAP/GTC, certificate trust, hostapd-wpe, eaphammer | High |
#General Methodology
#1. Determine Current Network Position
```bash
# What subnet am I on, and what is the default gateway?
ip addr show
ip route show
# ARP scan for neighbouring hosts in the local broadcast domain
arp-scan --interface=eth0 --localnet
# DHCP lease information (the server address, domain name and vendor
# options often hint at the role of the segment you landed in)
cat /var/lib/dhcp/dhclient.leases
# Or on Windows
ipconfig /all
```
#2. Identify Segmentation Controls
```bash
# Check for 802.1Q tags and list the VLAN IDs seen on the wire
tcpdump -i eth0 -nn -e vlan
tcpdump -i eth0 -nn -e -c 200 vlan | grep -oE 'vlan [0-9]+' | sort -u
# DTP, CDP and VTP are LLC/SNAP frames sent to 01:00:0c:cc:cc:cc, not
# EtherTypes, so 'ether proto 0x2004' will not match them. Match the SNAP
# protocol ID at bytes 20-21 of the (untagged) frame instead.
# Check for DTP (Dynamic Trunking Protocol, SNAP PID 0x2004)
tcpdump -i eth0 -nn -e 'ether dst 01:00:0c:cc:cc:cc and ether[20:2] == 0x2004'
# Check for CDP (Cisco Discovery Protocol, SNAP PID 0x2000)
tcpdump -i eth0 -nn -e 'ether dst 01:00:0c:cc:cc:cc and ether[20:2] == 0x2000'
# Check for LLDP (a real EtherType, 0x88cc)
tcpdump -i eth0 -nn -e ether proto 0x88cc
# Identify switch port mode (access/trunk): tagged frames carrying several
# different VLAN IDs indicate a trunk (or a leaked native VLAN); DTP frames
# mean the port will negotiate a trunk and is a switch spoofing candidate
```
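The tcpdump filters above depend on where each signal sits in the frame: VLAN tags are 4-byte insertions after the source MAC, DTP/CDP/VTP are LLC/SNAP payloads with the Cisco OUI, and LLDP is an ordinary EtherType. The following parser, added here as an example and not part of the original page, decodes that layout offline and rolls a set of frames up into the questions the progression tree asks (DTP present? several VLAN IDs visible? double tags?). The frames, the switch MAC `00:00:0c:11:22:33` and the host MAC `3c:5a:37:aa:bb:cc` are all constructed for the demonstration; to use it on a real capture, feed it the raw frame bytes from a pcap reader of your choice.

```python
"""Classify raw Ethernet frames by the segmentation signals tcpdump was looking for.

Added example with constructed frames; it is not a capture tool from the page.
"""
import struct
from dataclasses import dataclass, field
from typing import Dict, List

CISCO_MCAST = bytes.fromhex("01000ccccccc")   # dst used by CDP, VTP, DTP and PAgP
LLDP_MCAST = bytes.fromhex("0180c200000e")
ETHERTYPE_8021Q = 0x8100
ETHERTYPE_8021AD = 0x88A8
ETHERTYPE_LLDP = 0x88CC
ETHERTYPE_ARP = 0x0806
ETHERTYPE_IPV4 = 0x0800
CISCO_OUI = b"\x00\x00\x0c"
CISCO_SNAP_PID = {0x2000: "CDP", 0x2003: "VTP", 0x2004: "DTP"}


@dataclass
class FrameInfo:
    dst: str
    src: str
    vlan_ids: List[int] = field(default_factory=list)  # outer tag first
    protocol: str = "other"


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def classify_frame(frame: bytes) -> FrameInfo:
    """Peel 802.1Q/802.1ad tags, then label the payload protocol."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    info = FrameInfo(dst=_mac(frame[0:6]), src=_mac(frame[6:12]))
    off = 12  # offset of the EtherType/length field
    etype = struct.unpack_from("!H", frame, off)[0]
    while etype in (ETHERTYPE_8021Q, ETHERTYPE_8021AD):
        # 4-byte tag: TPID (just read) + TCI; the low 12 bits of TCI are the VLAN ID
        tci = struct.unpack_from("!H", frame, off + 2)[0]
        info.vlan_ids.append(tci & 0x0FFF)
        off += 4
        etype = struct.unpack_from("!H", frame, off)[0]
    if etype == ETHERTYPE_LLDP:
        info.protocol = "LLDP"
    elif etype == ETHERTYPE_ARP:
        info.protocol = "ARP"
    elif etype == ETHERTYPE_IPV4:
        info.protocol = "IPv4"
    elif etype <= 1500 and len(frame) >= off + 10:
        # 802.3 length field, so an LLC header follows. DTP/CDP/VTP use LLC SNAP
        # (DSAP/SSAP 0xAA) with OUI 00:00:0c and a 2-byte PID. On an untagged
        # frame the PID is at bytes 20-21, which is what 'ether[20:2]' inspects.
        dsap, ssap = frame[off + 2], frame[off + 3]
        oui = frame[off + 5:off + 8]
        pid = struct.unpack_from("!H", frame, off + 8)[0]
        if dsap == 0xAA and ssap == 0xAA and oui == CISCO_OUI and pid in CISCO_SNAP_PID:
            info.protocol = CISCO_SNAP_PID[pid]
    return info


def summarize(frames: List[bytes]) -> Dict[str, object]:
    """Answer the progression-tree questions for a set of captured frames."""
    infos = [classify_frame(f) for f in frames]
    protos = {i.protocol for i in infos}
    vlan_ids = sorted({v for i in infos for v in i.vlan_ids})
    if "DTP" in protos:
        mode = "dtp-negotiable"   # switch will negotiate a trunk: switch spoofing candidate
    elif len(vlan_ids) >= 2:
        mode = "trunk-like"       # tagged frames from several VLANs reach this port
    else:
        mode = "access"
    return {
        "vlan_ids": vlan_ids,
        "double_tag_seen": any(len(i.vlan_ids) >= 2 for i in infos),
        "dtp": "DTP" in protos,
        "cdp": "CDP" in protos,
        "lldp": "LLDP" in protos,
        "port_mode_guess": mode,
    }


# --- constructed sample frames (hypothetical MACs, not a real capture) -------
SWITCH_MAC = bytes.fromhex("00000c112233")
HOST_MAC = bytes.fromhex("3c5a37aabbcc")


def _tagged(dst: bytes, src: bytes, vlan_ids: List[int], etype: int, payload: bytes) -> bytes:
    hdr = dst + src
    for vid in vlan_ids:
        hdr += struct.pack("!HH", ETHERTYPE_8021Q, vid)  # PCP/DEI bits left at zero
    return hdr + struct.pack("!H", etype) + payload


def _cisco_snap(src: bytes, pid: int, payload: bytes) -> bytes:
    body = b"\xaa\xaa\x03" + CISCO_OUI + struct.pack("!H", pid) + payload
    return CISCO_MCAST + src + struct.pack("!H", len(body)) + body


SAMPLE_FRAMES = [
    _cisco_snap(SWITCH_MAC, 0x2004, b"\x01" + b"\x00" * 24),                       # DTP from switch
    _cisco_snap(SWITCH_MAC, 0x2000, b"\x02\xb4" + b"\x00" * 30),                   # CDP
    LLDP_MCAST + SWITCH_MAC + struct.pack("!H", ETHERTYPE_LLDP) + b"\x00" * 32,    # LLDP
    _tagged(b"\xff" * 6, HOST_MAC, [10], ETHERTYPE_ARP, b"\x00" * 28),             # tagged ARP, VLAN 10
    _tagged(b"\xff" * 6, HOST_MAC, [1, 20], ETHERTYPE_IPV4, b"\x45" + b"\x00" * 19),  # double tag
    _tagged(b"\xff" * 6, HOST_MAC, [], ETHERTYPE_ARP, b"\x00" * 28),               # untagged ARP
]

if __name__ == "__main__":
    for f in SAMPLE_FRAMES:
        print(classify_frame(f))
    print(summarize(SAMPLE_FRAMES))
```

On the sample set `summarize` reports VLAN IDs 1, 10 and 20, a double-tagged frame, and `dtp-negotiable` as the port mode guess; with the DTP, CDP and LLDP frames removed the guess drops to `trunk-like`, and a single untagged frame yields `access`. The mode guess is a heuristic, not proof: seeing tagged frames can also mean a misconfigured native VLAN, so confirm with the DTP check before committing to switch spoofing.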
#3. Select Bypass Technique
Based on the control encountered, refer to the specific technique file. Ranked from least to most noisy and complex, the order of preference is:
- MAC filtering bypass (simplest, least noisy)
- VLAN hopping (moderate noise, high impact)
- NAC bypass (requires device profiling, moderate noise)
- 802.1X attacks (most complex, highest noise)
#4. Validate Bypass
After bypassing segmentation, validate the new network position:
```bash
# Verify new VLAN access
ip addr show
arp-scan --interface=eth0 --localnet
# Test connectivity to previously unreachable hosts
ping -c 3 <target_IP>
nmap -sn <new_subnet>
# Check for new services
nmap -sV -p- <target_range>
```
#Cross-References
- WiFi Attacks -- Gaining initial wireless access before segmentation bypass
- 09 - Lateral Movement -- Post-segmentation-bypass pivoting techniques
- 07 - Post-Exploitation -- Credential hunting and situational awareness after gaining new network position
- 01 - Pre-Foothold -- Passive wireless survey for initial reconnaissance