Lateral movement: A conceptual overview

I’ve often been in the situation of explaining lateral movement to people who do not work in offensive security on a daily basis, or who have a different level of technical understanding. A lot of the time I have not really talked about the ways in which lateral movement is performed; instead I’ve taken a step back and first talked about the ‘freedom of movement’ that an attacker obtains when they first enter your environment.

This small nuance helps a lot of people shift their mindset from ‘I’m not an attacker, I don’t know how they move laterally, that sounds technical’ to a more curious ‘How do you mean, freedom? Do you mean what the attacker can do to move around in our environment?’. Depending on their background and knowledge they’ll then be able to name some ways in which they think an attacker has ‘the freedom to move’. Now don’t get me wrong, I’m not advocating changing the terminology, but helping people shift their frame of reference goes a long way.

I think it would help a lot of those people to look at lateral movement from a conceptual point of view, instead of trying to understand all the techniques by which lateral movement is achieved. So here you are, reading my attempt at explaining lateral movement conceptually. The goal is to enable more people to learn how they can restructure or design their environments to be more resilient against lateral movement.

Simplified view of lateral movement

In its most basic form, the image above is what many people envision when we talk about lateral movement or network propagation. That picture, however, is open to many interpretations, and it also feels outdated: we now have the cloud, and the cloud isn’t a network, right? Before we jump to conclusions, let’s first generalize lateral movement into the different areas that are always at play when somebody moves inside your environment. This blog post explains the concepts of:

  • Network
  • Identity
  • Functionality

After that, real-world examples are given of how these concepts are (ab)used to achieve lateral movement. It is the combination of these three concepts that allows an attacker to move within your environment.

  1. The concepts
    1. Network
    2. Identity
    3. Functionality
  2. Real world examples
    1. Remote Desktop
    2. File transfer protocol
    3. Application servers
  3. Conclusion

vysolator: vyos virtual network isolation

Sometimes projects are born out of pure frustration, and this is one of those projects. I’ve probably built a dozen VyOS configurations to virtually isolate networks and virtual machines on my host. I briefly touched upon this subject a couple of years ago when I wrote about stashing ESXi inside VMware Workstation to achieve a portable lab. Since then I’ve built multiple versions, either to ensure that Red Team operations and regular penetration tests can contain a breach to a single virtual machine, or to enable training networks with multiple segments and clients. If we visualize a simple setup it looks like this:

This compartmentalizes potential breaches to their own segment. In this case each segment has a single VM, but a segment could contain multiple VMs. Yes, the virtualization layer becomes a single point of failure, but I still think it adds value against most of the attacks you could realistically suffer, including the usual ‘surf the internet and get pwned’ one.

So here is a repo which contains the instructions and an example config file to get you (read: most probably future me) started. The current setup gives you one mgmt segment and one internet-only segment. That means you can manage your VyOS from the mgmt segment if you place a VM in it, and a VM placed in the internet-only segment can browse the internet and nothing else.
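As an added example, and not the configuration from the vysolator repo itself, this is what the two-segment setup described above could look like in VyOS 1.3 set-command form. Interface names, addresses, rule-set names and rule numbers are all assumptions: eth0 is the upstream (WAN) interface, eth1 carries the mgmt segment (10.10.0.0/24) and eth2 the internet-only segment (10.20.0.0/24), and VMs use static addresses. The intent is that a VM in the internet-only segment can reach the internet but nothing in RFC 1918 space (so neither the mgmt segment nor the router itself), while a VM in the mgmt segment can SSH to the router but is not forwarded anywhere. The `#` lines are annotations; VyOS does not accept comments, so strip them before pasting into `configure`.

```vyos
# Added example, not the vysolator repo config. VyOS 1.3 set-command syntax.
# Assumed layout: eth0 = WAN, eth1 = MGMT (10.10.0.0/24), eth2 = INTERNET-ONLY (10.20.0.0/24).

set interfaces ethernet eth0 description 'WAN'
set interfaces ethernet eth0 address 'dhcp'
set interfaces ethernet eth1 description 'MGMT'
set interfaces ethernet eth1 address '10.10.0.1/24'
set interfaces ethernet eth2 description 'INTERNET-ONLY'
set interfaces ethernet eth2 address '10.20.0.1/24'

# Management plane only listens on the mgmt segment address.
set service ssh port '22'
set service ssh listen-address '10.10.0.1'

# Everything in private address space is off limits for the internet-only segment.
set firewall group network-group PRIVATE network '10.0.0.0/8'
set firewall group network-group PRIVATE network '172.16.0.0/12'
set firewall group network-group PRIVATE network '192.168.0.0/16'

# Forwarded traffic entering from the internet-only segment: drop private, accept the rest.
set firewall name INET-IN default-action 'drop'
set firewall name INET-IN rule 10 action 'drop'
set firewall name INET-IN rule 10 destination group network-group 'PRIVATE'
set firewall name INET-IN rule 20 action 'accept'

# Traffic from the internet-only segment to the router itself: nothing at all.
set firewall name INET-LOCAL default-action 'drop'

# Mgmt segment may talk to the router over SSH, but is not forwarded anywhere.
set firewall name MGMT-IN default-action 'drop'
set firewall name MGMT-LOCAL default-action 'drop'
set firewall name MGMT-LOCAL rule 10 action 'accept'
set firewall name MGMT-LOCAL rule 10 state established 'enable'
set firewall name MGMT-LOCAL rule 10 state related 'enable'
set firewall name MGMT-LOCAL rule 20 action 'accept'
set firewall name MGMT-LOCAL rule 20 protocol 'tcp'
set firewall name MGMT-LOCAL rule 20 destination port '22'

# From the WAN only return traffic is allowed, whether forwarded or for the router.
set firewall name WAN-IN default-action 'drop'
set firewall name WAN-IN rule 10 action 'accept'
set firewall name WAN-IN rule 10 state established 'enable'
set firewall name WAN-IN rule 10 state related 'enable'
set firewall name WAN-LOCAL default-action 'drop'
set firewall name WAN-LOCAL rule 10 action 'accept'
set firewall name WAN-LOCAL rule 10 state established 'enable'
set firewall name WAN-LOCAL rule 10 state related 'enable'
# The router's own DHCP client on eth0 needs the replies (udp/68) let through.
set firewall name WAN-LOCAL rule 20 action 'accept'
set firewall name WAN-LOCAL rule 20 protocol 'udp'
set firewall name WAN-LOCAL rule 20 destination port '68'

# Bind the rule sets: 'in' filters forwarded packets entering the interface,
# 'local' filters packets addressed to the router itself.
set interfaces ethernet eth0 firewall in name 'WAN-IN'
set interfaces ethernet eth0 firewall local name 'WAN-LOCAL'
set interfaces ethernet eth1 firewall in name 'MGMT-IN'
set interfaces ethernet eth1 firewall local name 'MGMT-LOCAL'
set interfaces ethernet eth2 firewall in name 'INET-IN'
set interfaces ethernet eth2 firewall local name 'INET-LOCAL'

# Only the internet-only segment is NATed out of the WAN interface.
set nat source rule 100 outbound-interface 'eth0'
set nat source rule 100 source address '10.20.0.0/24'
set nat source rule 100 translation address 'masquerade'
```

A quick sanity check after `commit`: from a VM in 10.20.0.0/24, `curl -I https://example.com` should succeed while connections to 10.10.0.1, 10.20.0.1 or any other private address time out; from a VM in 10.10.0.0/24, `ssh vyos@10.10.0.1` should work and nothing else should. Note that the per-interface `in`/`local` firewall tree used here is VyOS 1.3 syntax; VyOS 1.4 restructured the firewall configuration, so the same rules need translating there.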

Whenever I build more segments that lend themselves to generic use I’ll update the repo. Feel free to send pull requests with alternative configurations, improvements, or segment expansions of the current one. @donnymaasland already had a sneak preview and submitted some improvements; you can view the commit history to review those improvements as well as some personal preferences on rules.

Oh, and yes, I do agree that Qubes OS is a superior solution; however, this is more versatile, and it does not have the same threat model that Qubes OS has. For those wondering about the threat model, here is a quick summary of it and the intended features:

      • Contain regular breaches to a single segment
      • Protect against regular attacks
      • Not intended to withstand targeted or advanced attacks
      • Avoid user mistakes by enforcing network ACLs from a central system
        • Improve ease of use by just requiring users to place VMs in the right segment
      • Aid Red Team / pentest operators to not fuck up when they have to use specific exit IP addresses