[!NOTE] While “Advanced Network Attacks” often conjures images of botnet-driven DDoS, for a Red Teamer, the real game is silent interception. Gaining physical or logical access to a switch port is game over if you know how to manipulate Layer 2 and 3 protocols.

Most corporate networks are hard shells with soft centers. Once you bypass the initial Network Access Control (NAC), the internal traffic is often unencrypted and trusting. This guide moves beyond simple ARP spoofing into the protocols that admins forget to secure: IPv6, DTP, and 802.1X.

The Blind Spot: IPv6 Shadow Networks

IPv6 is enabled by default on almost all modern Windows workstations, even if the corporate network is purely IPv4. This creates a shadow network that defenders rarely monitor.

MITM6 (DNS Takeover)

An attacker can act as a rogue DHCPv6 server. Because Windows prefers IPv6 over IPv4, a machine that accepts an IPv6 lease naming the attacker as its DNS server will resolve internal names through the attacker, and the connections that follow carry authentication data the attacker can capture.

The Attack Flow:

  1. Tool: mitm6 (by fox-it).
  2. Action: Listen for DHCPv6 SOLICIT messages.
  3. Response: Reply with an ADVERTISE message, assigning an IPv6 address and setting the attacker’s IP as the DNS server.
  4. Capture: When the victim requests a resource (e.g., WPAD or a file share), relay the NTLM authentication to a target via HTTP/SMB/LDAP (using ntlmrelayx).
# Step 1: Start mitm6 on the interface (target domain required)
sudo mitm6 -d corp.local -i eth0

# Step 2: In a separate terminal, start ntlmrelayx
# Target: Domain Controller LDAP (create a new user) or CA (request certificate)
impacket-ntlmrelayx -6 -t ldaps://192.168.1.10 -wh "wpad.corp.local" -l loot/

[!WARNING] MITM6 is highly disruptive. It can break internet connectivity for victims if not configured correctly. Use with caution in production.
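From the defender's side, the whole flow above hinges on one observable: a host on an IPv4-only segment answering DHCPv6 SOLICITs with ADVERTISE/REPLY messages that name itself as the DNS server. The following is an added example (not part of the original post and not mitm6's or Impacket's code) that parses DHCPv6 server messages per RFC 8415 and flags any that come from, or hand out DNS servers outside, an allow-list. The packet bytes, the `fe80::1` rogue address and the `2001:db8::53` sanctioned server are constructed sample input.

```python
import ipaddress
import struct

# DHCPv6 message types and option codes from RFC 8415
DHCPV6_ADVERTISE = 2
DHCPV6_REPLY = 7
OPT_DNS_SERVERS = 23  # DNS Recursive Name Server option


def parse_dhcpv6(payload: bytes) -> dict:
    """Parse a DHCPv6 message into its type, transaction id and raw (code, data) options."""
    if len(payload) < 4:
        raise ValueError("truncated DHCPv6 header")
    msg_type = payload[0]
    xid = int.from_bytes(payload[1:4], "big")
    options, off = [], 4
    while off + 4 <= len(payload):
        code, length = struct.unpack_from("!HH", payload, off)
        off += 4
        data = payload[off:off + length]
        if len(data) != length:
            raise ValueError("truncated DHCPv6 option")
        options.append((code, data))
        off += length
    return {"msg_type": msg_type, "xid": xid, "options": options}


def dns_servers(msg: dict) -> list:
    """Return the IPv6 DNS servers carried in option 23 (16 bytes per address)."""
    servers = []
    for code, data in msg["options"]:
        if code == OPT_DNS_SERVERS:
            for i in range(0, len(data) - len(data) % 16, 16):
                servers.append(ipaddress.IPv6Address(data[i:i + 16]))
    return servers


def check_dhcpv6_server_message(src_ip: str, payload: bytes, allowed_servers: set) -> list:
    """Alert on server-side DHCPv6 messages from, or pointing DNS at, unexpected hosts.

    allowed_servers holds the IPv6 addresses of sanctioned DHCPv6/DNS servers; on an
    IPv4-only LAN it is empty, so every ADVERTISE or REPLY observed is rogue.
    """
    msg = parse_dhcpv6(payload)
    if msg["msg_type"] not in (DHCPV6_ADVERTISE, DHCPV6_REPLY):
        return []  # client-side messages (SOLICIT, REQUEST, ...) are normal noise
    src = ipaddress.IPv6Address(src_ip)
    alerts = []
    if src not in allowed_servers:
        alerts.append(f"rogue DHCPv6 server {src} sent message type {msg['msg_type']}")
    for server in dns_servers(msg):
        if server not in allowed_servers:
            alerts.append(f"DHCPv6 message from {src} pushes unsanctioned DNS server {server}")
    return alerts


def build_dhcpv6(msg_type: int, xid: int, options: list) -> bytes:
    """Assemble a DHCPv6 message; used here only to construct sample input."""
    body = bytes([msg_type]) + xid.to_bytes(3, "big")
    for code, data in options:
        body += struct.pack("!HH", code, len(data)) + data
    return body


# Constructed sample: an ADVERTISE from a link-local source that names itself as DNS.
ROGUE = ipaddress.IPv6Address("fe80::1")
SAMPLE_ROGUE_ADVERTISE = build_dhcpv6(DHCPV6_ADVERTISE, 0xABCDEF, [(OPT_DNS_SERVERS, ROGUE.packed)])

# Constructed sample: an ADVERTISE from a sanctioned server on a dual-stack segment.
LEGIT = ipaddress.IPv6Address("2001:db8::53")
SAMPLE_LEGIT_ADVERTISE = build_dhcpv6(DHCPV6_ADVERTISE, 0x123456, [(OPT_DNS_SERVERS, LEGIT.packed)])

if __name__ == "__main__":
    for alert in check_dhcpv6_server_message(str(ROGUE), SAMPLE_ROGUE_ADVERTISE, set()):
        print("ALERT:", alert)
```

Feed it UDP port 546/547 payloads from a span port or a Zeek/tcpdump capture. The usual fixes once an alert fires are blocking DHCPv6 at the access layer (or RA guard on the switch), disabling WPAD auto-discovery, and making Windows prefer IPv4 via the Tcpip6 DisabledComponents registry value rather than relying on the unmonitored IPv6 stack.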

NAC Bypass Techniques

Network Access Control (NAC) often relies on fragile trust mechanisms.

1. The Printer Masquerade (MAC Spoofing)

Many organizations use MAB (MAC Authentication Bypass) for dumb devices like printers or IP phones that can’t do 802.1X.

  • Technique: Read the MAC address off the label of a VoIP phone or printer. Clone it to your laptop.
  • Result: The switch sees a “trusted device” and opens the port.
# Change MAC on Linux
sudo ifconfig eth0 down
sudo ifconfig eth0 hw ether 00:11:22:33:44:55
sudo ifconfig eth0 up
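A cloned printer MAC passes MAB because MAB checks only the address, so the defender's signal is behaviour, not identity: a "printer" that starts SMB or RDP sessions, or one MAC that is live on two switch ports at once. The following is an added example (not from the original post) that correlates MAB session records with flow records and reports both conditions. The device-class baselines, the session list and the flows are constructed sample data; the cloned MAC reuses the address from the ifconfig snippet above.

```python
from collections import defaultdict

# Destination ports each MAB device class is expected to *initiate* connections to.
# Constructed baseline; a real one comes from a profiling period per device class.
EXPECTED_DST_PORTS = {
    "printer": {25, 53, 123, 389, 443, 514},     # scan-to-mail, DNS, NTP, LDAP address book, HTTPS, syslog
    "ip-phone": {53, 67, 69, 123, 5060, 5061},   # DNS, DHCP, TFTP config, NTP, SIP
}

MAB_SESSIONS = [  # constructed: what RADIUS accounting / the switch reports for MAB ports
    {"mac": "00:11:22:33:44:55", "port": "Gi1/0/7", "device_class": "printer"},
    {"mac": "00:11:22:33:44:55", "port": "Gi1/0/9", "device_class": "printer"},  # same MAC, second port
    {"mac": "aa:bb:cc:dd:ee:01", "port": "Gi1/0/3", "device_class": "ip-phone"},
]

FLOWS = [  # constructed: (src_mac, dst_ip, dst_port) as exported by NetFlow or Zeek conn logs
    ("00:11:22:33:44:55", "10.0.0.53", 53),
    ("00:11:22:33:44:55", "10.0.1.10", 445),
    ("00:11:22:33:44:55", "10.0.1.11", 3389),
    ("00:11:22:33:44:55", "10.0.1.12", 3389),
    ("aa:bb:cc:dd:ee:01", "10.0.0.5", 5060),
]


def audit_mab(sessions: list, flows: list) -> list:
    """Return findings as (mac, kind, detail) tuples."""
    findings = []
    ports_by_mac = defaultdict(set)
    class_by_mac = {}
    for s in sessions:
        ports_by_mac[s["mac"]].add(s["port"])
        class_by_mac[s["mac"]] = s["device_class"]

    # 1. One MAB-authenticated MAC on more than one port: a clone is live somewhere.
    for mac, ports in ports_by_mac.items():
        if len(ports) > 1:
            findings.append((mac, "mac-move", f"seen on {sorted(ports)}"))

    # 2. Traffic that does not fit the device class the MAC was authorised as
    #    (one finding per MAC/port pair, so a scan does not flood the report).
    seen = set()
    for mac, dst_ip, dst_port in flows:
        cls = class_by_mac.get(mac)
        if cls is None:
            continue  # not a MAB device; 802.1X hosts are handled elsewhere
        if dst_port not in EXPECTED_DST_PORTS.get(cls, set()) and (mac, dst_port) not in seen:
            seen.add((mac, dst_port))
            findings.append((mac, "off-profile", f"{cls} initiated connection to port {dst_port} ({dst_ip})"))
    return findings


if __name__ == "__main__":
    for mac, kind, detail in audit_mab(MAB_SESSIONS, FLOWS):
        print(f"{kind:12} {mac}  {detail}")
```

Run periodically against the RADIUS accounting table and the last hour of flow records; an off-profile finding is the trigger to quarantine the port, and the mac-move finding catches the clone even before it sends anything unusual.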

2. The Bridge (Persistence)

If port security is strict, physically place a transparent bridge (like a specialized Raspberry Pi or throwaway switch) between a legitimate PC and the wall jack. The bridge clones the PC’s MAC address and piggybacks traffic.

VLAN Hopping

If switch ports are not configured with switchport mode access, they may negotiate a trunk link via DTP (Dynamic Trunking Protocol).

Switch Spoofing

If an attacker plugs into a port configured as dynamic auto or dynamic desirable and sends DTP packets claiming to be a switch, the port converts to a trunk.

  • Impact: The attacker now has access to ALL VLANs passing through that trunk, not just the VLAN assigned to the floor.

Tool: yersinia

sudo yersinia -G
# Select "DTP" -> "Enable Trunk"

Double Tagging

The attacker sends a frame carrying two 802.1Q tags. The first switch strips the outer tag because it matches the trunk's native VLAN and forwards the frame, now carrying only the inner tag, out the trunk. The second switch reads the inner tag and delivers the frame into the target VLAN. Because no return path exists, this is a one-way attack (useful for DoS or specific UDP exploits).
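Both switch spoofing and double tagging come down to port configuration: ports left in a DTP-negotiating mode, ports that still emit DTP frames, and trunks whose native VLAN is still 1. The following is an added example (not from the original post) that audits a Cisco IOS-style running-config for exactly those conditions, with a weak and a hardened variant of each port type side by side. The config text is constructed sample input; the parser only understands the `interface` / indented-command / `!` layout shown.

```python
SAMPLE_RUNNING_CONFIG = """\
hostname access-sw-01
!
interface GigabitEthernet1/0/1
 description user port: weak (explicitly negotiates trunking)
 switchport mode dynamic desirable
!
interface GigabitEthernet1/0/2
 description user port: weak (mode left at platform default)
 switchport access vlan 10
!
interface GigabitEthernet1/0/3
 description user port: hardened
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
!
interface GigabitEthernet1/0/24
 description uplink: weak (native VLAN left at 1)
 switchport mode trunk
!
interface GigabitEthernet1/0/25
 description uplink: hardened
 switchport mode trunk
 switchport trunk native vlan 999
 switchport nonegotiate
!
interface Vlan10
 ip address 10.0.10.2 255.255.255.0
!
"""


def parse_ios_config(text: str) -> tuple:
    """Split a running-config into global commands and {interface: [commands]}."""
    global_cmds, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            current = None
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
            global_cmds.append(line.strip())
    return global_cmds, interfaces


def audit_interface(cmds: list) -> list:
    """Findings for one switchport, following the port-hardening rules in the text."""
    findings = []
    modes = [c for c in cmds if c.startswith("switchport mode ")]
    mode = modes[-1].split(None, 2)[2] if modes else None  # 'access', 'trunk', 'dynamic ...'
    if mode is None or mode.startswith("dynamic"):
        findings.append(f"DTP trunk negotiation possible (mode={mode or 'platform default, usually dynamic'}); "
                        "set 'switchport mode access' or 'switchport mode trunk'")
    if "switchport nonegotiate" not in cmds:
        findings.append("port still sends DTP frames; add 'switchport nonegotiate'")
    if mode == "trunk":
        native = [c for c in cmds if c.startswith("switchport trunk native vlan ")]
        vid = int(native[-1].split()[-1]) if native else 1
        if vid == 1:
            findings.append("native VLAN is 1 (double-tagging risk); move it to an unused VLAN")
    return findings


def audit_switch_config(text: str) -> dict:
    """Return {'global': [...], interface: [...]} for every physical switchport."""
    global_cmds, interfaces = parse_ios_config(text)
    report = {"global": []}
    if "vlan dot1q tag native" not in global_cmds:
        report["global"].append("native VLAN frames leave trunks untagged; add 'vlan dot1q tag native'")
    for name, cmds in interfaces.items():
        if name.startswith("Vlan") or "no switchport" in cmds:
            continue  # SVIs and routed ports do not speak DTP
        report[name] = audit_interface(cmds)
    return report


if __name__ == "__main__":
    for scope, findings in audit_switch_config(SAMPLE_RUNNING_CONFIG).items():
        print(scope, "OK" if not findings else "")
        for f in findings:
            print("   -", f)
```

The hardened ports (Gi1/0/3 and Gi1/0/25) come back clean; every other port reports the specific line to add. Pointing this at `show running-config` output pulled by your config-backup job turns the VLAN-hopping preconditions into a daily compliance check.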

HSRP/VRRP Hijacking

First Hop Redundancy Protocols (HSRP/VRRP) allow two routers to share a virtual IP (the default gateway).

  • Attack: Inject a superior HSRP packet (higher priority).
  • Result: The attacker becomes the default gateway for the subnet. All internet traffic passes through your machine.

Tool: lokibot or yersinia
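The takeover described above is visible on the wire: an HSRP hello arrives from an address that is not one of the two routers, with a priority higher than the real active router's. The following is an added example (not from the original post and not part of any tool named here) that parses HSRP version 1 hellos (RFC 2281, UDP port 1985 to 224.0.0.2) and compares them against a per-group baseline of known routers, active priority and virtual IP; it also flags the default plaintext authentication string. The baseline, the router addresses and both packets are constructed sample input; HSRPv2 and VRRP use different layouts and are not handled.

```python
import ipaddress
import struct

# HSRP version 1 (RFC 2281): fixed 20-byte UDP payload.
HSRP_OPCODES = {0: "hello", 1: "coup", 2: "resign"}
HSRP_STATES = {0: "initial", 1: "learn", 2: "listen", 4: "speak", 8: "standby", 16: "active"}


def parse_hsrp_v1(payload: bytes) -> dict:
    """Decode the HSRPv1 header; raises on truncated or non-v1 input."""
    if len(payload) < 20:
        raise ValueError("truncated HSRPv1 packet")
    version, opcode, state, hello, hold, priority, group, _reserved = struct.unpack_from("!8B", payload)
    if version != 0:
        raise ValueError("not an HSRPv1 packet (HSRPv2 uses a TLV layout)")
    auth = payload[8:16].rstrip(b"\x00").decode("ascii", errors="replace")
    return {
        "opcode": HSRP_OPCODES.get(opcode, f"op{opcode}"),
        "state": HSRP_STATES.get(state, f"state{state}"),
        "hellotime": hello, "holdtime": hold,
        "priority": priority, "group": group,
        "auth": auth,
        "vip": str(ipaddress.IPv4Address(payload[16:20])),
    }


def check_hsrp(src_ip: str, payload: bytes, baseline: dict) -> list:
    """Compare one HSRP packet against baseline[group] = {routers, active_priority, vip}."""
    msg = parse_hsrp_v1(payload)
    base = baseline.get(msg["group"])
    if base is None:
        return [f"HSRP {msg['opcode']} for unknown group {msg['group']} from {src_ip}"]
    alerts = []
    if src_ip not in base["routers"]:
        alerts.append(f"HSRP {msg['opcode']} for group {msg['group']} from unlisted router {src_ip}")
    if msg["priority"] > base["active_priority"]:
        alerts.append(f"priority {msg['priority']} from {src_ip} exceeds the active router's "
                      f"{base['active_priority']}: gateway takeover in progress")
    if msg["vip"] != base["vip"]:
        alerts.append(f"virtual IP {msg['vip']} from {src_ip} differs from expected {base['vip']}")
    if msg["auth"] == "cisco":
        alerts.append(f"group {msg['group']} still uses the default plaintext authentication string")
    return alerts


def build_hsrp_v1(opcode, state, priority, group, auth, vip, hello=3, hold=10) -> bytes:
    """Assemble an HSRPv1 payload; used here only to construct sample input."""
    header = struct.pack("!8B", 0, opcode, state, hello, hold, priority, group, 0)
    return header + auth.encode("ascii").ljust(8, b"\x00")[:8] + ipaddress.IPv4Address(vip).packed


# Constructed baseline: two known routers, the active one at priority 110.
BASELINE = {1: {"routers": {"10.0.0.2", "10.0.0.3"}, "active_priority": 110, "vip": "10.0.0.1"}}

# Constructed samples: the real active router's hello, and a hello from an unknown host
# claiming priority 255 for the same group with the default auth string.
SAMPLE_LEGIT_HELLO = build_hsrp_v1(0, 16, 110, 1, "r0ut3rs", "10.0.0.1")
SAMPLE_SUSPECT_HELLO = build_hsrp_v1(0, 16, 255, 1, "cisco", "10.0.0.1")

if __name__ == "__main__":
    for alert in check_hsrp("10.0.0.200", SAMPLE_SUSPECT_HELLO, BASELINE):
        print("ALERT:", alert)
```

Beyond alerting, the mitigations this check points at are HSRP MD5 authentication instead of the plaintext string, a high priority on the real routers so a rogue cannot outbid them, and filtering UDP 1985 from access ports so user-facing segments never see a hello at all.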

Conclusion

The internal network is noisy. Broadcast traffic, multicast protocols (LLMNR, NBT-NS, mDNS), and autoconfiguration protocols (DHCP, SLAAC) create a chaotic environment where an attacker can hide. By mastering these Layer 2/3 interactions, you don’t just scan the network—you become the network.

UncleSp1d3r