Episode: 3090
Title: HPR3090: Locating Computer on a Enterprise Network
Source: https://hub.hackerpublicradio.org/ccdn.php?filename=/eps/hpr3090/hpr3090.mp3
Transcribed: 2025-10-24 16:35:43
---
This is Hacker Public Radio episode 3,090 for Friday 5 June 2020.
Today's show is entitled Locating Computer on a Enterprise Network
and is part of the series Networking. It is the 50th anniversary show of operator
and is about 40 minutes long
and carries an explicit flag. The summary is
Advanced nmap tips.
This episode of HPR is brought to you by AnHonestHost.com.
Get 15% discount on all shared hosting with the offer code
HPR15. That's HPR15.
Better web hosting that's honest and fair at AnHonestHost.com.
inspection stuff will know and say, nope, no FTP for you. We only allow HTTPS and maybe
email, email and IMAP and POP. We don't allow any other protocols. And there are some
other methods where you can basically hide encrypted traffic and/or tunnel traffic through legitimate
protocols like ICMP. There's HTTPS and a few other ones. So a lot of times companies get
the impression that, hey, when you change it on the internet, the only thing you can do
is DNS. Okay, DNS, you can actually tunnel through DNS. It's relatively slow, like dial-up
speeds, because each packet has a maximum size of like 53 bytes or something. There's
a number of other methods and ways to tunnel out protocols. They basically have cloned versions
of other distributions like Pwn Plug, P-W-N-P-L-U-G, Pwn Plug, older other distributions.
Feel free to reach out if you want a link to those, but they basically facilitate
all the configuration needed to create reverse tunnels and tunneling over arbitrary protocols
and different protocols. I will say there's not a whole lot of need for all of that unless
you're in a highly secure environment and the only way to get out is... 90% of the time you
can get out via DNS. People will say, well, this computer is not connected to the internet.
Well, if you can type in nslookup yahoo.com and resolve yahoo.com and you have control over
the device and you can run arbitrary code on that system, then you can tunnel your traffic
over DNS and get on the internet. So we're talking high security, quote-unquote, air-gapped
networks that are power grid, infrastructure, big stuff, where these people will say, nope,
it's not on the internet. It can't get there. The only way to get there is a jumpbox which
is connected to the internet via a series of other connections, tunnels, VPNs, remote
access, other protocols. So everything is connected to the internet. Don't let anybody
tell you that anything is air-gapped. There's probably instances where you have three-letter
agencies where something is actually air-gapped and they have to manually move traffic
to that thing. But for all intents and purposes, most of the time when people say air-gapped,
they mean there's a jumpbox in between that and the internet. But that's my rant for tunneling
and how internets work at corporate environments in places where high security is involved.

Well, I've had instances where a client tells me there's no internet and I just tunnel
out through my stunnel and I'm good to go and I can do everything I need to do and
perform all the assessments I need to perform. Sometimes you'll see fairly often that some
of these misconfigured proxy servers will block all internet traffic but they will allow
anything HTTPS. So all you have to do is install HTTPS Everywhere or use stunnel or
any other methods. But it will force HTTPS on every site and then everything will
just work, and that's "not the internet". So not only is it not plain text, it's everything
is SSL and you don't have any visibility into it and they're not trying to break the SSL
to even see what you're doing. So you can essentially exfil data securely by default because
there's no other way to get on the internet except through SSL. So when you tell your clients
and vendors and whatever that everything is locked down except for SSL, then you're basically
telling everyone that if you want to exfil data, guess what? We're going to guarantee
that that data is going to be encrypted when you exfil it and nobody will have any
visibility into it. So that was a bit longer of a rant than I would have thought for networking
and connectivity. But suffice it to say, if someone tells you a network-connected thing doesn't
have internet, type nslookup and do "nslookup google.com", and if you get a resolve, tell them
that that's what the internet is and laugh hysterically.

Anyways, so let's move on to advanced nmap commands and/or discovering networks. Now I will follow
up with some scripting. I call it find routers. So basically the idea is there's a number of
things you can do. There's just some discovery scripts for nmap that you can say kind of
listen for broadcast traffic, which is not super effective when you're trying to traverse
multiple networks. So the way networks work is if you're on the network you can hear the
traffic in general. If you're not within that LAN or that subnet you can't necessarily
hear the traffic unless it's intentionally being re-broadcast out from the switch or
device or whatever the thing is they call stuff that moves packets around nowadays.
So you've been dropped on site to do an assessment and you want to figure out what the network
looks like. First thing you do is plug in and see if you get an address. If you get an
address you're good. If you don't get an address and the port turns off and the color
disappears and the power goes from the port, they have a thing called port monitoring. Usually
this is in the form of Cisco ISE and it has most of the time been misconfigured wherever
I see it, because it's really hard to do proper port security and make sure that everything is
on the up and up and all your devices are compliant with certificates and things like that.
So what usually happens is if you don't get that light and you get kicked off the network,
then you go find a phone, a printer, a fax machine, a thing that doesn't look like it's
going to have support for secure connections and encryption. You can basically assume the
identity of that device in most cases. So what you do is you flip the phone over or look
at the printer, do like we do with the local stuff, and look for that MAC address. Assign
your computer's MAC address to that computer; macchanger for Linux is what it's called.
Windows is a little bit more tricky from 7 and up. You kind of have to do some shenanigans
to get that interface to change. There's not a whole lot of easy ways to do it. There's
a couple of UI ones out there that actually seem to work. But the idea there is you're
taking the identity of a device that doesn't support certificates, and when you set all this
up correctly, the only way to really validate a person on the network is to either have
a certificate or have them log in with some credentials. And you'll see this with like
corporate wireless. You'll log in with your wireless credentials and that will get you
on the wireless. And that's pretty secure actually in most cases. But for wired devices,
you have printers and fax machines and God knows whatever internet devices that need
to be basically bypassed because they don't support encryption. They don't support certificates
or anything like that. So you assume the identity of that phone and then you start
saying, where am I, trying to get a DHCP address, and most of the time, 99.9% of the time, your
phones are going to be DHCP because no one can manage the static addresses of a large number
of computers. So you might see static IPs in things like data centers or places where there's
very important data going across. But in general, you're not going to see static IPs anywhere else.
So workstations where there's people, where there's large numbers of devices, you're going
to see DHCP utilized and that's where you can kind of capitalize on that and use that to
take someone else's identity.

So you've taken the identity of a phone and guess what? It's not a
different network. It's not segmented. It's not a different VLAN. It's on the same VLAN as
everything else, as all your workstations, which is also common because guess what? If you need to
print, that printer needs to be in the same area, or sometimes it's actually easier just to put
that printer in the same network as your desktop and not separate them out and have two different
networks for your printers and your phones, and having everything on a flat network makes it
great and easy. But when you get an attacker on there, they can assume the identity of your phone
and then say, you know, I'm in this 10. network and I want to try to figure out what other
devices are there. The first thing to do is obviously listen. You can sit on the network and listen,
and I'll put that in the notes. I'm trying to make myself some notes here, the listening
timeouts for discovery. Sorry, I have a very clicky keyboard. So you have timeouts for discovery
you can set on the discovery plugins in nmap. nmap will sit there and listen for
all the broadcast protocols and will give you a dump of everything that is used in there.
There's some other scary stuff like CDP, the Cisco Discovery Protocol, CDP. You can
do some scary things like basically take over all the traffic on those if they're misconfigured.
I wouldn't recommend doing that at a client site, but you can pretty quickly use some of the tools
to figure out whether that's potentially possible or not. So you want to be mindful of Cisco
Discovery Protocol. Also things like ISE. Once you connect to the network, you can try to do
ARP poisoning, and in some cases ISE, the Cisco ISE stuff, prevents that. And in some cases
it doesn't, by nature of how some of these products are configured by default.
So I've been on client sites where they have this port monitoring which prevents anybody from
just arbitrarily plugging in. We've identified that device on the network. We've taken the MAC
address of that device and assumed its identity and then we ARP poisoned the whole network to
have all the traffic tunnel through our system, which basically brought the whole
entire store down because our traffic was getting null-routed, because for whatever reason part of ISE,
the protection for port monitoring, was working but we were able to do ARP poisoning. So all of the
computers were basically logged out and had to re-log back in, which was great because when they
rebooted or restarted or tried to reconnect and tried to reauthenticate, we were sitting there with
our traffic listeners and listening to all the traffic. So we were able to catch all that,
get plaintext passwords for root devices and other protocols, and basically we had to go back
to the client and explain to them how we were able to do it, because they said they had
these controls in place and they assumed that they were all working. And that's where we're at
today. We have all these security controls but nobody knows that they're working. Like, you know
when your computer's not working because it won't turn on, or you know if the internet's not working
because you can't get to the Facebook. But if your security protocols and your security controls aren't
working, there's no way to know. It's Schrödinger's cat. You don't know if it's there or not. So
that's why you have people like penetration testers and vulnerability assessment people to kind of
test those controls and make sure that they're actually working, that what you paid millions of dollars
for is actually working.

So I'll move on more to the more technical stuff. So we've listened for a
while and we've discovered several networks, whatever. We scan those networks and we get back some
information. Maybe we find some open protocols but nothing good. We want to do a full scan. We've
done enough listening. We've done enough manual probing and we want to do like a full scan of the
entire network. Now essentially what I ended up doing was, there's kind of a two-pronged approach.
If you can locate a switch or a networking device and use the SMTP function, which is Simple
Network Management Protocol, simple, SNMP, I always get those two switched around. So SNMP is
Simple Network Management Protocol, which basically allows networking devices to talk to each other
and really get a feel for what the device is doing and kind of check in on it.
Simple Network Management Protocol is kind of an old protocol. It was open to begin with of course,
with no authentication. So now we have v3 which has authentication. And then you have instances
where people will wrap them in a secure tunnel like a VPN or something. But in general,
I would say probably a fourth of the time or a third of the time you can find a network
management device, and if you can find a network management device you can dump all... you can do a
walk, a Simple Network Management Protocol walk, and walk the tree of the protocol and it will dump out
all the networks that it knows about. And that will give you a pretty good idea of at least the
networks around you outside of your direct hop. And when I say hop, that means the computer before
the computer that talked to your computer, on the way to get to you.
So I'll check those, I'll dump those out and I'll use those as my initial crawling, and then I'll
look for more SNMP servers if I feel like it. But both times I'll kind of listen and then I'll
do a full scan because I just don't have the time to do the quiet-to-loud approach as quietly as that.
So what I'll do is, yes. And the problem with scanning all of 10. is... I'll
explain kind of the local IP space. Private IP space is, 192 is, I don't know, like 17,000 different
hosts. Okay, so I'm cheating. We've got 192 is 65,000. Our 172 is 1 million and our 10. is
16 million. So even in a 172 environment, it's going to take anywhere from six hours to...
an hour or two hours, four hours to do a 172 scan with nmap.

Now I'll briefly talk about
masscan. Masscan is a stateless scanner and is extremely fast. With that said, it can bring
down networks pretty easily. And in most cases, you don't want to use it on an assessment unless
you really want to test and get some really quick scans done. Now we've had some success at some
of my other employers using masscan to quickly scan the entire network. And so what would take
nmap, you know, four hours to do or even days to do, however long, masscan can do in a
tiny fraction of the time by sending lots of packets very quickly and not really waiting for them
to come back. But in most cases, it's not something you want to run. There's other things like
unicornscan or whatever, but masscan has most of the feature sets that you want to be able to
split up the network into manageable chunks and kind of go from there.

So if you're scanning 172,
generally you can kind of do like a quick ping scan and go from there. If you're trying to scan
10., the approach that I came up with is a guessing approach. So if you're starting on a 10., you're going
to do something like 10.1 or 10.10 or 10.5, 10.15, 10.20, 10.30, 10.40, 50, 60, 70, 80, 90, 100. You're going to start at
the normal tens values, same for the other octets. So it's going to be 10.5.5.10 or 10.5.5.1.
And that last item is where I'm looking for routers. So basically my script, or my kind of one-liner
that I have for nmap, says, basically I'm looking for any address and guessing any address that
ends in .1, .2, .254, and I think 253; I've seen routers in those spaces. And the idea there is to
do a very small scan. So instead of a million hosts, or was it 16 million, you're only scanning,
I don't know how many tens of thousands, but it's like 60,000 or something, say. And because we're
only doing, instead of 10 to the 10th or 10.255.255.255, we're only doing,
instead of 255, we're doing each 10 and maybe a couple of fives. So we'll do, for the math,
we're going to do five, or we're going to do zero, five, 10, 15, then 20, 30, 40, 50, 60, 70, 80, 90, 100,
then maybe 105 and maybe 115 and then all the way up to 250, and maybe 240, whatever. And then
the next octet would be that same range. And then the last one would be .0 or .254. And the idea is to
try to find other networks. And there's no easy way to do this. To my knowledge, unless you can
get a full dump of a bunch of routers, there's no easy way to do this. So the only way to do it is
to scan all of 10., which... there's no point in scanning 10.143.133.208. There's no point in scanning
that IP address because chances are it's not going to be something that's at the beginning or the
end of an IP space. So you want to intelligently scan the 10 space and greatly reduce your time
to find those networks.

Now, once that output is done, it's a discovery, and you can append and say,
okay, okay, we've got a 10.0.5.whatever and we've got a .5.15 and start mapping that out and then
doing full scans within those ranges. So say you find 10.5.5.whatever or 10.5.10 or 10.6 through
15. And you scan those within that manually. And instead of scanning the entire 255 block,
you're only scanning two because there's only two in there. And then you might add to that too.
So if there's a 5.10, then you want to scan 5 through 10. If there's a 10.10, you want to scan maybe 10
through 20. And if there's 20, you want to scan back and forth in each direction. So if there's a 5,
maybe you want to scan 4 and 3. And it's a matter of guessing. And you're trying to guess where
their IP ranges are because no one's going to assign wonky IP ranges.

Another great way to
find devices is just start adding together all your recon data. So as you get access to boxes,
as you compromise hosts, you start dumping these networks out and dumping all this information
into a single, singular place and start mapping things out. And that's where things can get tricky,
because you need to understand that, like I said, everything is connected to the internet. So
at the end of the day, you might be somewhere else, in somebody else's backyard. So I kind of give
the analogy of digging. So you're told to dig in somebody's backyard for dead bodies. And you dig
and dig and dig and dig and you find a dead body and you're like, cool. And then there's a tag on
the body that says, you know, 15 feet to the left over here, there's another dead body. And you keep digging,
you keep digging, you're like, oh, look at all these bodies I found, and you realize you're in
somebody else's yard and you just dug up their dead bodies and you have to go tell them, hey,
by the way, I found your dead bodies in your backyard and I'm sorry, this isn't my place to be
and I'm not supposed to be here. But, you know, you're connected to my neighbor. So I don't know,
it's not... it's your fault. You don't have a moat, type of thing. So that can happen and it has
happened, and luckily I haven't had any bad experiences. Just, you know, white, flushed-out faces
because I freaked out.

So the idea there is we've done our guess network and I'll improve my little
scanner and do the math on it. I used to have a bash script similar to what Kenneth had for
the 10. and it would, you know, for one to 10 and five to 15, it would like make the
space and map out and dump out an input file. Now I just do comma-separated values in one line
over in nmap. So there's no input text document that needs to be added. So I'll update that.
I don't do a lot of discovery or pen testing and stuff. I don't do client engagements anymore.
I work for a company now. So, but I'll update that anyways because I like the idea of how I
discovered networks and how quickly you can discover networks too.

So from a discovery standpoint,
you've, you know, done your scans, you find out your neighbors, you find out there's some fives,
some tens and some 30s through 35 and maybe there's a 40 through 43 in the 10. space.
You scan the 172 space just completely because it's a fast network and you've found everything
on there. 192 you scan because, you know, it's easy to scan. There's only 65,000 in there and
that's pretty, pretty, pretty quick to scan. And you have all your hosts. Now from a discovery
standpoint, you've done pretty much everything you can do from an IP space to discover other hosts
on the network.

Now, when that starts to scale up is when you have access to another device.
So, for example, if a device has two interfaces and those two interfaces are connected to
two different networks that may or may not be in scope or may or may not be part of the same
network. So, for example, you've got a security vendor and the security vendor, the way they do
their shenanigans is they, you know, set up a VPN from their corporate protected environment,
quote unquote, to your, you know, your environment. So, they're connected so they can do updates and
things like that. And you'll find that this happens a lot. Service providers, anybody that gives you
a box that does magical things, they usually have full-blown admin rights remotely to that box
and they can do whatever they want, which is pretty scary in an enterprise environment because
you're trusting them to have keys to your house. It's essentially giving some vendor a key to your
house and hoping that, you know, some guy doesn't rob them of all their keys and, you know,
try to break into everybody's house at once over the weekend. So, there's a pretty strong,
it's a pretty strong chance that there's someone on the corporate network that is coming from
somewhere else or that's up in there and it's sitting on a different network. So, you have to be
careful with that and understand that, you know, maybe you pop a phone switch and that phone switch
happens to be a connection to a different network. And you need to look around and say, hey,
look, here's another interface. Let me look. Oops, this doesn't look like this has to do with phones.
This looks like somebody else's network. This is not my client, the naming convention's different.
Let me just make my notes and, you know, tell the client that, you know, we've discovered and we're
able to move laterally through someone else's connections, right?

And I would say, I think that
pretty much covers network discovery. You know, there's other networks besides IP networks that
I don't really have time to get into or want to get into here, but I don't have a whole lot of
experience with anything outside of TCP networking and discovery. So, I think I've pretty much
talked about discovery to the fullest extent that I can. But I will say, if you do get the
chance to pilot masscan, you can throttle it to different speeds. So, where a scan
in nmap takes, you know, 30 minutes, it might take three seconds or 60 seconds with masscan.
So, depending on the speed, you want to start slow, not even the default, you want to start
slow and then start ramping it up until people start reporting that things are out. Now, things
might actually go down and then you don't figure it out till later because that's how businesses work.
They don't understand the networking, and the networking infrastructure folks don't really know what
it looks like when someone goes after their network like that. You're essentially kind of denial-
of-servicing the entire network when you're using masscan. So, you want to start slow and start
scaling it up and, you know, we were able to do masscan from nine boxes on 100,000 hosts in
30 minutes, two hours, something like that. So, we can do an entire 10. scan, 172 scan,
and 192 scan all in under two hours. And I'll put that, my lame dnmap, lame dnmap, it's a distributed
nmap script that I wrote that I had assigned to another gentleman and, you know, he was trying to
kind of make it gold and I said, look, we just need to POC this, see if it works. And he wasn't
able to ship it in time, so I quickly wrote a script that would just work. It's not secure,
necessarily by any means, but it just uses SSH keys to run and perform scans on other boxes.
And it picks up batch jobs and all kinds of stuff and checks the remote hosts to see if they're
running nmap; if they're not, it picks up the next batch job. So, that's kind of interesting.
Anyways, I think that covers all network discovery that I'm aware of. Now, there's the whole
wireless thing, you know, you can do it with your phone, you can do it with an Ubertooth,
an Ubertooth One, whatever, you can do it with any number of things. But nowadays,
like, wireless discovery is pretty simple as far as discovering networks, but as far as breaking
into them, you've got, you know, secure networks with certificates, you've got passwords
you can try and brute force. There's home networks that have varying degrees of protocols
which have issues, or known routers that have issues or weak passwords, that you can kind of brute
force keys and PINs for those. But in general, wireless is a little more difficult to do
discovery on, especially if you don't have authentication to wireless, because in most cases
your wireless is going to have authentication on it, but you'd be surprised. Your commercial
or your residential wireless isn't protected. Mine is a passphrase, but it's pretty weak.
So, I would like to do a thing on wireless discovery, but I haven't done it in, honestly, 10 years
professionally. I set up a couple of Linux boxes to do wardriving stuff with Kismet,
and that's about the closest I've gotten, so there's not a whole lot there.

But in general,
I'll say some more nmap-specific stuff. So, my favorite switches are, I'll kind of go over my favorite
switches here. So, one thing people don't know is if you're running nmap kind of interactively,
you can use the V, as in Victor, and D, as in Delta, keys to increase the verbosity level and
the debug level, and holding shift will decrease the relevant switch. So, shift-D will decrease,
shift-V will decrease, and V will increase and D will increase the debug level. Those are
little known, so you can turn them up and down. If nmap looks like it's being weird,
being wonky, you can kind of turn the debug level up a couple and see what it's doing,
what it's getting stuck on, and kind of adjust from there. But once you kind of tell nmap to run,
there's not a whole lot you can do to pick up where you left off. They do have some resume stuff,
but it's not 100% and it doesn't really scale to that big. Let's see, -sV is like service
fingerprinting. I will do script arguments. I'll provide kind of my one-liner for nmap.
What's the other ones I like to use? To check for external connectivity,
the ports open, you can scan letmeoutofyour.net. So, if you scan like the top 2,000 ports with
letmeoutofyour.net and you get one open, and you hope that it's not using packet inspection,
you can tunnel your traffic, whatever you want, over that port if you're lucky. Let's see,
there's heartbeat checkers and I'll put the link to my food script. I will say there's specific
ones around SMB stuff that I have some notes for. But in general, there's only like four switches
you need to know and they're kind of all in here. Let's see, there's the -T5 setting,
which I try to use where possible; that makes it faster and sets some things for you. I'll also do
--max-retries 1 and --min-parallelism 100. That seems to help make things a little bit quicker. It
really depends. You have to find your bottlenecks and kind of work around your bottlenecks sometimes.
I always use --open because I don't want closed or filtered ports
gobbling up my results. I also like --top-ports. That's a fun one to do. I'll use that,
generally speaking. I'll do output all, which is -oA, lowercase o, capital A.
I'll do --top-ports. I'll do -T5. I'll do -sS, which is the default if you're running as root anyways.
I have some custom Oracle script checking that will make a... in the list, if you look for Oracle,
there's some notes around Oracle, to do Oracle scans to try to find default logins and stuff
for Oracle instances. There's a lot too in that. It's essentially a vulnerability scanner.
I'm working on a one-liner. I think it's called like work in progress, WIP, in that one-liner,
something like that, vuln scan. It's pretty noisy, obviously, so it gets stuck in a lot of places.
I'm working on it; the more networks I get access to, the more I'll run that one-liner. If it
doesn't get stuck anywhere, or if it gets stuck somewhere, then I'll evaluate how it got stuck and
either add it in or work around that thing that it gets stuck on. There's a fair number of plugins
that, if you enable all the plugins and disable all the safety stuff, will run and take
forever, especially if it's something with throttled authentication, like SSH, whatever.
Anyways, there's a million things. I will link to somebody else's nmap training thing that
does a really great job. He supports the community here nationally and goes to conferences and stuff.
Brimstone, pretty sharp dude here in Atlanta, so I'll post his git repository for, like, nmap training
if you want to get into all the weeds of that. There's some really great stuff in there. Great
approach.

Anyways, hope this helps out. If you have any questions, feel free to hit me up. If you're
doing an assessment, feel free to dial me in or reach out to me and get my number. I take calls
from folks fairly often, and it's great to hear somebody, hey, I got access to this box.
But I don't know what to do, or I think this thing is interesting over here. What do I do?
And there's not a whole lot of people out there that will spoon-feed you the right steps to do
things. You can hang out in Discord chat and red team and pen-testing forums and pen-testing chat
rooms and stuff, but really nobody's going to hold your hand and really help you out. But
I hope for you to reach out to me if that's your, that's your dig, or if you're interested in it.
I'm going to go from there. Appreciate it. Thank you.
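Editor's added example (not the host's "find routers" script, and not part of the episode): the 10. guessing approach described above, written out as a small Python module. It builds the candidate list from guessed second/third octets and the router-style last octets (.1, .2, .253, .254), emits it as a single-line nmap target spec (nmap accepts a comma-separated list per octet, so no input file is needed, as the host says), assembles the switches the host names into an nmap argv, and expands discovered hits into neighbouring /24s for a follow-up full scan. The exact octet list, the plus-or-minus-two neighbourhood, the --top-ports value and the output prefix are assumptions chosen to match the rough numbers in the show; the sample hits at the bottom are constructed, not real scan output. Nothing here sends packets; the nmap command is only printed.

```python
"""
find_routers.py: guess where routers sit in the 10.0.0.0/8 space and
build the nmap target spec / command for a cheap first-pass discovery.

Added example, not the host's own script. Octet choices and the
neighbourhood spread are assumptions (see comments).
"""
import ipaddress
import shlex
from typing import Iterable, List

# Second/third-octet guesses: .0, .1, .2 plus every multiple of 5 up to 250.
# Assumption: the show mentions 0, 5, 10, 15, 20, 30 ... 250 and the odd 105/115.
GUESS_OCTETS: List[int] = sorted({0, 1, 2} | set(range(0, 251, 5)))

# Last-octet guesses: where gateways/routers are usually parked.
ROUTER_HOSTS: List[int] = [1, 2, 253, 254]


def _octet_list(values: Iterable[int]) -> str:
    """Render values as nmap's per-octet comma list, e.g. '1,2,253,254'."""
    vals = sorted(set(values))
    if any(v < 0 or v > 255 for v in vals):
        raise ValueError("octet value outside 0..255")
    return ",".join(str(v) for v in vals)


def nmap_target_spec(second=GUESS_OCTETS, third=GUESS_OCTETS,
                     hosts=ROUTER_HOSTS) -> str:
    """One-line target spec: 10.<list>.<list>.<list>.
    nmap expands comma lists in each octet itself, so no -iL file is needed."""
    return f"10.{_octet_list(second)}.{_octet_list(third)}.{_octet_list(hosts)}"


def guess_targets(second=GUESS_OCTETS, third=GUESS_OCTETS,
                  hosts=ROUTER_HOSTS) -> List[str]:
    """The same candidates as individual addresses (for counting or an -iL file)."""
    return [f"10.{b}.{c}.{d}"
            for b in sorted(set(second))
            for c in sorted(set(third))
            for d in sorted(set(hosts))]


def discovery_command(spec: str, top_ports: int = 100,
                      prefix: str = "find-routers") -> List[str]:
    """The host's favourite switches as an argv list: SYN scan, -T5,
    --max-retries 1, --min-parallelism 100, --open, --top-ports N, -oA.
    top_ports and prefix are assumed values."""
    return ["nmap", "-sS", "-T5", "--max-retries", "1",
            "--min-parallelism", "100", "--open",
            "--top-ports", str(top_ports), "-oA", prefix, spec]


def expand_discovered(found: Iterable[str], spread: int = 2) -> List[str]:
    """Turn router hits into /24s worth a full scan: each hit's third octet
    plus/minus `spread`, clipped to 0..255. Assumption: the show's
    'if there's a 5, maybe scan 4 and 3' heuristic, applied symmetrically."""
    nets = set()
    for addr in found:
        a, b, c, _ = ipaddress.IPv4Address(addr).packed
        for k in range(max(0, c - spread), min(255, c + spread) + 1):
            nets.add(ipaddress.IPv4Network(f"{a}.{b}.{k}.0/24"))
    return [str(n) for n in sorted(nets)]


if __name__ == "__main__":
    spec = nmap_target_spec()
    print(f"{len(guess_targets())} candidate addresses instead of 16,777,216")
    print(shlex.join(discovery_command(spec)))
    # Constructed sample hits, as if grepped from -oG output; not real data.
    hits = ["10.5.5.1", "10.5.10.254", "10.20.0.1"]
    print("full-scan next:", ", ".join(expand_discovered(hits)))
```

Running the module prints the candidate count (53 x 53 x 4 = 11,236 addresses, a few thousandths of the /8), the assembled nmap line, and the /24s the constructed hits would pull in. Paste the spec into nmap only with the client's written scope in hand; even this reduced list touches every guessed /24 in 10.0.0.0/8, and the host's digging-in-the-neighbour's-yard story above is exactly what happens when a hit lands in someone else's range.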
You've been listening to Hacker Public Radio at HackerPublicRadio.org.
We are a community podcast network that releases shows every weekday, Monday through Friday.
Today's show, like all our shows, was contributed by an HPR listener like yourself.
If you ever thought of recording a podcast, then click on our contribute link to find out
how easy it really is. Hacker Public Radio was founded by the Digital Dog Pound and the
Infonomicon Computer Club, and is part of the binary revolution at binrev.com.
If you have comments on today's show, please email the host directly, leave a comment on the website
or record a follow-up episode yourself. Unless otherwise stated, today's show is released under a
Creative Commons Attribution-ShareAlike 3.0 license.