
BSides Buffalo 2026: Mapping Internal Networks - The Art of Finding Things

BSides Buffalo · 23:42 · 33 views · Published 2026-06
About this talk
As a Pentester, the discovery process is one of the most important steps to get right. With timed engagements, quick and efficient discovery processes are a must to produce meaningful results for customers. This session will talk about the art of internal network enumeration. How to find networks. How to find assets within networks. Useful tools and strategies for large networks. And how to take the data found and use it to formulate attacks against systems and Active Directory.
Transcript [en]

All right. Thank you everybody for joining us here in track one. There will be two presentations, shorter than the 50-minute previous tracks, 20 minutes each. One thing to make sure of: please make sure your phones are on silent. If you use the restroom during the talk, please go out the side doors. Let's give a round of applause to Christopher Bruns.

>> All right, like he said, my name is Christopher Bruns. I'm here to talk about mapping internal networks. I call it the art of finding things. It's one of the most important parts of an active penetration test.

So a little bit about me. I used to be a golf professional, a PGA golf professional, before I got into cyber security. I've been doing that for about 5 years. I started with gap assessments and audits, and then I moved into penetration testing and red team engagements; I've been doing that for about three years. If you want to reach out to me, there's my LinkedIn down there. Ask any questions that you guys have.

So what are some of the goals of asset discovery and network discovery? First and foremost, as a penetration tester we want to cover ground quickly, effectively and without network disruption. So we need to understand what kind of packets we're sending out and the frequency at which we're doing that. We want to find as many networks and hosts as possible, because we cannot test what we don't find. Things that are really important to find are Active Directory assets, important infrastructure and applications. So SCADA, OT, business applications and the like. And like I said, if you don't spend the time to find these networks and these things, you're going to miss glaring holes in operations. I've found backup solutions with default passwords before. I have found bridged ISP networks for large ISPs that were in a customer's environment. And I've found unprotected medical solutions which offered me access to PHI as well, and without proper network mapping I would have never found those things to begin with. This also helps with the documentation and the attack planning. So you start to find the infrastructure, then you start to formulate your attack, and then you get to do the fun stuff, which is the attacking.

So what do I usually do to start? I'm going to try to find what my active IP address is. So that's an ifconfig, an ip addr, or an ipconfig if you're in the Windows space. Once you find that, you can kind of find your /16. That's what I usually start with. And then I'm going to be searching for targets from 0 to 255 in every /24 within that /16. I primarily use a couple of different tools. I'll use Nmap, which most people should be familiar with. fping, which is kind of a heavy hitter; it's going to be working on a ping protocol. And then masscan, which is a super fast TCP port scanner. The difference between Nmap and fping from a network discovery standpoint is that fping's going to be working on an ICMP echo, which is a type 8. And then with Nmap I use a type 13 and a type 17, which are two different types of ICMP request, because some networks might actually be blocking the echo but they might not be thinking about the other types of ICMP request that can be used in the suite.

So one thing that you've got to remember is that a lot of times these tools are going to be very targeted, and you want to build scripts or wrappers around these tools to make them more effective. As you can see on the right, this is a bare minimum script that I've used in the past. I've built bigger ones since then. It basically allows you to use fping to look for every /24 in a /16 and will give you an output of both IP addresses and targets. So making lists and being able to deduplicate them is very important, because it'll allow you to feed those lists into more tools as you work your way through the network. But like I said, this is going to be using the regular echo that everybody's primarily used to seeing, and it's what gets you 85 to 90% of the way there, because on most internal networks echo is generally speaking allowed, unless you're looking at very protected networks.

With Nmap, we're going to be using a couple of different flags here than people are probably used to. We're going to be using the -PP and the -PM. Those are the type 13 and the type 17 ICMP requests. On the right, you'll see the command that I'll use. It'll give output in a couple of different formats. I usually like to output in all the different formats, because you never know what you're going to need. So it's best to do all outputs so that you can save yourself the time of having to rescan and redo things after that. Once you've run the Nmap scan, then you can use other tools to take the scan data and get you what you want, which is the IP addresses and the networks. So Nmap is something that I use all the time, but in network discovery and asset discovery I'm going to be using different types of protocols and different types of flags to do what I need it to do.

Next is going to be masscan. Now, this is more a tool for the larger internet, so outside of internal networks, but I use it for internal networks because it's quick. I can cover a lot of ground quickly, but you have to remember that you're working on a production environment and they need uptime. So you kind of have to figure out: how big is the network that I'm touching? Where am I in the network? And also, what is the appetite of the customer for doing things quickly? Some might want you to tune it down. Some might want you to tune it up. It really just depends on the engagement. So for this one, you want to think about what are some of the TCP ports that are common to see on a network. So remote access on internal networks, very common. Web services, very common as well. And then Windows-based, so SMB, as well. And then if you're targeting other specific types of environments, you might want to use some different ports. So think about DNS; it can help you find domain controllers and also networking gear. Database ports as well. And then things like SCADA ports; I've worked on some SCADA networks before, and adding these different ports in there can help enrich the data. But the more ports you add, the longer these scans are going to take and the more packets are going to be sent out. So those are things definitely to remember. And like I said, rate limiting is going to be a crucial part of this. So start slow and then work your way up as you get an understanding and a feel for how much network throughput that network actually has. As you can see, I've got some screenshots there on the right. It's a very similar process to the other tools that I showed, where you're going to be taking the first tool, which is masscan, outputting it into a file, and then using other types of commands to take that output and distill it down into lists that you can forward into other tools.

So once you have an idea of the /24s that you're targeting, you want to enrich the data that you have to find even more targets. This is where using a good spread of tools really matters. If people have done any kind of CTFs or hacking, there's NetExec. It's a very common tool for pentesters. I spend a lot of time in this tool. It has a bunch of different protocols, and it's really good on Windows environments for finding different targets. So it works on SMB, SSH, LDAP, FTP and a bunch of others. I really like the gen-relay-list. That's going to actually help you find targets with SMB signing turned off, which should help you attack those with SMB relay attacks and get into file shares. If you get an admin, then you can get credentials as well. So very good, and each of these protocols has a suite of modules that you can use, and each of those modules has a different type of enumeration and even attacks that you can do with them.

Other types of tools I like to use: arp-scan for your local network. If you're having a hard time finding things around you, arp-scan is a really good one, but it's only going to find stuff on your broadcast domain and on your local part of the network. Other things like nbtscan can help you find Windows hosts. onesixtyone, which is an SNMP discovery tool, can help you find things like networking gear and other types of OT and IoT systems. And then at this point you should have a good idea of what the Active Directory domain is. You can use this nslookup command to basically find more domain controllers, and it'll give you the IP address, which will give you other /8s or /16s to look at. So a lot of times companies will have their domain controllers in a bunch of different parts of the network, and this is another good way for you to take those /16s or /8s and then reiterate this process as you go through.

So once you have discovered as many networks as you can find, as many hosts as you can find, now we're going to be looking at actually digging into the individual hosts. That's why it's important to grab and get as many files as you can in terms of collecting all your IP addresses, to then feed into tools again like Nmap. So this is a large command. It's got a lot going on. But primarily it's got a couple of different points. It's got host and port, service and script detection, speed and throttling, timeouts and retries, and then progress and output. A lot of this is going to be dependent on the type of devices you're going after. This is a standard one that I use quite frequently, but this is where you can really get into the weeds on what Nmap can do to give you data. And I like top 10,000 ports, because these are curated lists of the top 10,000 ports that Nmap is used to seeing. Doing all 65,000 plus is a lot of extra data. So this will kind of get you 95% of the way there most of the time.

So after we have all of that data collected, there's a couple of things that I like to do. I like to visualize the data that I get. There are Nmap-to-HTML little translation tools that you can get to give yourself a nice report. WebMap is something that I've used a lot as well. It gives you a good visualization, and this is why I said make sure to export as many different types of formats as your tools allow. This works with XML and will help visualize all that data to make it more digestible to look at. And then another tool that I really like is EyeWitness. This tool will actually take the XML format of Nmap and then go and find web applications. It'll take a screenshot of the dashboard of that web application, and it makes finding those things infinitely better and infinitely faster. And that's how I found a lot of the unprotected... I mean, there's default credentials everywhere on internal networks, because people usually don't have an onboarding process and those things get missed. But ever since I've been using that tool, it's been really, really fruitful for me.

So once we've done all of that, we want to review the collected information that we've gathered, deduplicate our lists. We want to identify the key infrastructure, so key infrastructure like networking and also business applications. Document the Active Directory information as well, so things like domain controllers, ADCS and the like. And then you can take all that and start planning your attack, which is very important. If you don't plan out your attack, then you're going to be kind of going in a bunch of different directions. And when you're working on a large network, having a good plan will help you be efficient while you're going through.

So this is kind of where the real fun is. I did want to talk a little bit about some of the common ways that I get myself into networks and some of the ways that I get credentials. The first one's Responder. It works with insecure broadcast protocols, and it's a poisoner. So a lot of times authentication requests can come out; you poison them, say "yes, that's me", and you can get hashes, network hashes, NTLM to be specific. You can crack them, and then that's your way in. Another one is mitm6 with an LDAP relay. What this one's really good at is poisoning IPv6. The reason why a lot of this is tuned to IPv4 is because that is the common IP that's going to be on internal networks, because RFC 1918 gave them their own private spaces. You don't necessarily need IPv6 for this. But since it's usually turned on on Windows devices, you can poison those requests and then relay that to a domain controller, and if they have the Windows default for machine account quota, you can make yourself a machine account on the domain, and that can get you authenticated access to start doing some further enumeration. And then another common one is AS-REP roasting. It works with pre-authentication being disabled, where you can basically request a ticket, and that's encrypted with the user's password. So you're going to want to find usernames, which is where Kerbrute comes in, and then you can use NetExec to take that list of usernames and request those tickets, with the hope of being able to crack some of those credentials.

So once you've done all of that and you have your footholds into the network, there's a couple of places that I usually like to go through. NetExec also has another good module, which is the get network module, and that'll actually dump all the IP addresses for every host that it knows about, and that's where you can start identifying more /8s, /16s, /24s and reiterate the entire process from there. So that's how you kind of spider and find more and more networks. Two other places where I normally find a lot of issues: Kerberoasting, that's a pretty classic one, but one that's becoming more and more apparent to me is Active Directory Certificate Services. So ESC1 and ESC8. ESC8's a web enrollment relay attack. And then the other one is going to be a vulnerability within certificate templates where you can specify the name of an account that you want to request a ticket for; that could be any ticket, or that could be any user. So you can request the domain admin ticket, authenticate to the domain, and then get the hash of a domain admin, and at that point you basically own the entire network, besides the individual systems.

And so one of the things as a pentester that you need to get more and more familiar with is automation. You only have a certain period of time. It could be a couple of weeks to a couple of months. And you need to be effective. So a lot of times I will build wrappers around my tools. I'm not the best coder in the world, but I've used artificial intelligence to be able to help me build these tools. And I have a couple of different scripts that take pretty much all the stuff that I've shown here and put it together. So I can just run the script, it'll give me everything that I need, and then I can get to attacking more quickly. And that's it for my presentation. Are there any questions? Go ahead.

>> I believe during your presentation you said you did some reconnaissance in some SCADA environments. Did you feel like it was necessary to be familiar with any of the specific routing protocols that they use in that type of equipment?

>> Definitely, because a lot of times you're not necessarily going to know what you're faced with. But in that case, I had some understanding that it was going to be like a water authority type of thing. So it's understanding what kind of protocols are they using? Are they using encryption? Like, BACnet is a clear text protocol. And so you can start sniffing that with Wireshark, and sometimes the data will actually show you where within the building and what the actual thing that it's responsible for is, right there within the packet. So you can kind of start figuring out, okay, this looks like it's a door controller, this looks like it's the HVAC controller. And then I can actually start to build more of an attack and have an understanding about the network. So a lot of times they're not going to give you a network map. They're not going to give you an IP list. They want you to kind of find it and act as an attacker.

>> Yep.

>> The list of the 10,000 ports that you said was like 95% there. I might have missed it. Was that like a box you checked? Is that something you found on your own?

>> So that's right in Nmap. If you don't specify the ports that you want, it'll do the top 1,000. And so those are the most common ports that Nmap is usually going to find, because the other ones, the later ones, the closer you get to 65,000, those are going to be ephemeral ports and they're not going to be used as much. But those top 10,000 are going to be registered to services and will get you 95% of the way there. When you're doing it, it just helps you reduce the amount of packets, the amount of time it takes to do whatever.

>> That's great. So you said it's right in Nmap. It's just like something you check or whatever.

>> Yeah. --top-ports, and then you can do 10,000, 5,000, 1,000, whatever you want, and it'll curate the list for you.

>> All right. Thanks.

>> Yep. No problem.

>> Can you clarify what a SCADA network is? I heard HVAC. So...

>> Yeah. So it's basically, think about a water authority. These are going to be all the little controllers that are within a building. So HVAC, water authorities. So any kind of OT technologies are going to be using like BACnet to be able to orchestrate all the different controllers. So say you're working on a water authority and it's going to have chlorine and a bunch of other things and chemicals that it puts in; it's going to use those controllers to basically change the flow of all those. So that's kind of what those SCADA systems are. I mean, think about traffic lights and all those other things that keep basically everything that we use up and operational. They're generally pretty insecure, which is why they're segmented most of the time.

>> So when you say your water authority, it's basically opening valves.

>> Yeah. Exactly.

>> Okay.

>> Because if you were to mess up... that's why I was sweating bullets during those kinds of things, because if you're working on things that everybody uses, then if you make a mistake, you affect everybody, which is why research and taking your time is so important, because you'd rather not have to deal with an angry customer when you could have spent a couple of hours doing some additional research.

>> So thinking back off of what you just said, if you do know you're doing something like SCADA, what type of research would you do? Would that be like machine specific, or...

>> Yeah. So I'll do some general research on what I should expect to see, and then as I get into a penetration test, I'm going to start to see what's around, and then I'm going to pivot to looking at specifics, whether that's Siemens or other different types of technologies. I'm gonna start to hone in. And that's where artificial intelligence... I use Claude all the time. It can really help supercharge your research. And then you can also, obviously you take out customer bits of information, but give it some output and it can start to be like, okay, go here, think about this, and really speed up that process.

>> I just wanted to add something, too. So if it's something like a PCAP you're trying to get from something like that, sometimes the tools like Wireshark are not designed for the volume that comes out of that. So it will actually crash some of those tools. So there are actually companies like Dragos which have their own proprietary algorithm. It's called DP3, which allows them to parse that data without it crashing.

>> How much time would you typically get on an engagement like that?

>> So we do about 90 days, which for a small network is more than enough time. On a large network you're really going to have to think about, okay, what are the more important things to test? I usually test Active Directory first, and then I move on to individual systems once I feel like I've gotten everything I can get out of Active Directory. So if you're doing, say, 500 users, maybe like 100 servers and maybe like a thousand different endpoints, I'm going to use all three of those months. And then also too, it's not just internal; it's external networks, social engineering, wireless. We do phishing, vishing, and stuff like that as well. So it really just depends on the statement of work, but three months is kind of our standard.

>> Are you pretty much just working around the clock?

>> No, I mean it's 9 to 5. But that's why automation is your friend when it comes to this kind of stuff. It makes the whole... and understanding your tooling, and having a good set of tools that you can always go to that give you results time and time again.

>> Just out of curiosity, when you're doing this for a company, how often do their internal security people just find what you're doing at any moment?

>> It depends on who is at the company and what technologies they use. There are going to be some people that don't care what you're doing, and there are going to be some people who are nervous, who care that you're on their network and will look for you. So it's a little bit political when it comes to those things. But generally speaking, I'm always shocked at how often people don't see what I'm doing, because a lot of things like Kerberoasting and AS-REP roasting can be seen as normal activities on the network. So unless they're using specific technologies and a good SIEM solution, they might not see them. I get shocked about that all the time, honestly.

>> Let's give it a hand for Christopher.
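The "take the scan data and pull out the IPs and the networks" step the talk describes, as an added example (not the speaker's script): it reads the -oX output of an Nmap -sn -PP -PM sweep, drops hosts marked down, collapses duplicate entries, groups the survivors into /24s for the next tool, and counts which probe type actually drew the reply. The XML below is a constructed sample in Nmap's layout, not real scan data.

```python
import ipaddress
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample in the layout of nmap's -oX output (not real scan data):
# one host answered both probes and so appears twice, one host is down,
# and two more hosts live in a second /24. Reason strings mirror nmap's own.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sn -PP -PM -oX hosts.xml 10.20.0.0/16">
  <host><status state="up" reason="timestamp-reply"/>
    <address addr="10.20.1.10" addrtype="ipv4"/>
    <address addr="00:11:22:33:44:55" addrtype="mac"/></host>
  <host><status state="up" reason="echo-reply"/>
    <address addr="10.20.1.10" addrtype="ipv4"/></host>
  <host><status state="down" reason="no-response"/>
    <address addr="10.20.1.11" addrtype="ipv4"/></host>
  <host><status state="up" reason="timestamp-reply"/>
    <address addr="10.20.7.3" addrtype="ipv4"/></host>
  <host><status state="up" reason="arp-response"/>
    <address addr="10.20.7.254" addrtype="ipv4"/></host>
</nmaprun>
"""


def live_hosts(xml_text):
    """Return {ipv4: reason} for every host nmap marked up.

    Duplicate entries for the same address collapse to one (first reason wins),
    and hosts without an IPv4 address are skipped.
    """
    hosts = {}
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr = host.find("address[@addrtype='ipv4']")
        if addr is not None:
            hosts.setdefault(addr.get("addr"), status.get("reason"))
    return hosts


def sorted_ips(ips):
    """Sort dotted-quad strings numerically, not lexically ('.3' before '.254')."""
    return sorted(ips, key=ipaddress.ip_address)


def subnets(ips, prefix=24):
    """Unique /prefix networks that contain the live hosts, lowest first."""
    nets = {ipaddress.ip_network(f"{ip}/{prefix}", strict=False) for ip in ips}
    return [str(n) for n in sorted(nets)]


def reason_counts(hosts):
    """How each host was found; shows whether echo or timestamp did the work."""
    return Counter(hosts.values())


def main():
    hosts = live_hosts(SAMPLE_NMAP_XML)
    print("hosts:", " ".join(sorted_ips(hosts)))
    print("subnets:", " ".join(subnets(hosts)))
    print("probe reasons:", dict(reason_counts(hosts)))


if __name__ == "__main__":
    main()
```

Swap the sample for the contents of a real hosts.xml and write the two lists to files to get the deduplicated host and /24 inputs the talk feeds into the next tool.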
