Every network diagram you’ve ever seen shows clean layers: DMZ → corporate LAN → server VLAN → database tier. Every real network has exceptions — the finance laptop with RDP to the database server, the printer that somehow bridges two VLANs, the forgotten test jump host with credentials to production. Attackers don’t read diagrams; they walk the cables. This module is about why segmentation promises and segmentation reality diverge — and how to find the divergences.
Why this happens
Network segmentation is implemented once during an architecture exercise, then erodes continuously. Every new project adds a cross-segment exception. Every vendor integration punches through a firewall rule. Every merger imports a parallel network with its own trust assumptions. Every “temporary” access grant becomes permanent. The diagram in the security team’s folder still shows clean zones; the routing table on the core switch reveals 400 rules, half undocumented.
Attackers exploit this entropy. They don’t need a zero-day to cross a firewall when there’s a legitimate RDP allowance from Marketing’s VLAN to the finance database, because three years ago someone needed to run a report.
How it happens — technical walkthrough
Your typical internal pentest or red team engagement starts with a low-privilege foothold — say, a Marketing user’s laptop via phishing. The attacker’s first job: understand what this foothold can reach. Standard workflow:
```bash
# Enumerate own subnet + default gateway
ip route show
arp -a
# Scan subnet (slow, quiet)
nmap -sT -Pn -p 22,445,3389,5985 --open -T2 10.20.30.0/24
# What internal networks are reachable? Trace routes.
traceroute 10.50.1.1
traceroute 10.60.1.1
# Active Directory path
nslookup -type=srv _ldap._tcp.corp.local
# Find internal services via DNS
for sub in vpn mail files app1 db1 admin; do
    host "$sub.corp.local"
done
```
In 20 minutes, the attacker has a rough map: which subnets are reachable, which aren’t, where the domain controllers live, what high-value service DNS names exist. Critically, the attacker now knows whether the supposed boundary between Marketing and Finance is actually enforced.
Real-world example: Target 2013
The Target breach — one of the most-studied retail breaches in US history — started with credentials from Fazio Mechanical, an HVAC vendor. Fazio had remote access for billing and contract management. Their network had a route into Target’s corporate network. From corporate, the attacker reached point-of-sale systems on a different VLAN. The segmentation between vendor-access and POS existed on paper; in practice, a flat-enough path existed to pivot from one to the other.
Indian banking sector parallel: the 2016 Union Bank attack traversed from a contractor’s network to the SWIFT terminal through a series of insufficiently-segmented paths. Different network, same pattern.
What we find
- VLAN sprawl without consistent ACLs. 40+ VLANs; most have routes to each other because “it was easier.”
- Jump hosts that bypass controls. The “bastion” is on every network so it can reach everything; compromise of bastion = compromise of everything.
- Legacy VPN concentrator with network-level access (not application-level), so any VPN user sees the whole internal network.
- Printer VLAN bridging. Printers on one VLAN, print servers on another, with static routes that bypass segmentation.
- Merger-era networks with overlapping RFC1918 space, translated via NAT, often with management interfaces on both sides.
- IoT/OT on the same VLAN as IT. Building automation, HVAC, security cameras — all on the corporate LAN because “it’s easier for IT to support.”
- Cloud-on-prem links that give cloud workloads access to the internal data center without authentication (Direct Connect / ExpressRoute misconfigurations).
- Exception ACLs never removed. Rule 147 allows “dev laptop 10.11.12.34 to prod DB 10.50.1.5”; the laptop was decommissioned in 2022. The rule remains. An attacker who gets that IP can transit.
Tooling for network reconnaissance
```bash
# Discover alive hosts quickly (masscan — much faster than nmap for discovery)
masscan -p22,80,443,445,3389 10.0.0.0/8 --rate=1000
# Full service fingerprinting on discovered hosts
nmap -sV -sC -Pn -p- -iL alive_hosts.txt -oA full-scan
# Find cross-segment reachability via Responder
sudo responder -I eth0 -v
# AD computer enumeration via SMB
crackmapexec smb 10.0.0.0/24 --gen-relay-list relay.txt
# Windows machines with signing disabled (SMB relay target)
crackmapexec smb 10.0.0.0/24 --gen-relay-list relay.txt 2>&1 | grep False
# Network topology via BloodHound (needs low-priv AD user)
bloodhound-python -u user -p pass -d corp.local -c All
```
The defender’s reality check
Want to know your real network segmentation state? Run this exercise: pick a random low-privilege user account. From their laptop, enumerate reachable services. Compare to the documented segmentation policy. The deltas are your findings.
Mature programs automate this. Commercial tools (Illumio, Guardicore/Akamai, Zscaler ZPA) continuously map east-west traffic and flag policy violations. Open-source options (osquery + Zeek + custom analytics) can approximate this. The point isn’t the tool — it’s continuous measurement against the policy.
Micro-segmentation as the modern answer
Zero-trust network access (ZTNA) flips the model. Instead of “you’re on the corporate LAN, you can reach the DB,” it becomes “you identified as user X on device Y with role Z, you can reach application A’s specific port for the next 15 minutes.” Identity-based, time-bounded, application-specific.
Adoption patterns in 2026:
- New deployments: ZTNA default for user access (BeyondCorp, Tailscale, Cloudflare Access, Zscaler)
- Brownfield: micro-segmentation layered on existing network (Illumio, Guardicore)
- Datacenter: service mesh (Istio, Linkerd) for workload-to-workload
- OT: separate strategy — usually Purdue model enforcement via specific industrial firewalls
Finding methodology for pentesters
- Establish foothold (phishing, exposed service, credential reuse)
- Enumerate immediate subnet + adjacent routable networks
- Attempt connections to known-high-value destinations (DCs, DB servers, jump hosts, SCCM)
- Note every firewall rule that permits unexpected paths; these are findings
- Pivot systematically — each reached network becomes a new starting point
- Build an ‘actual reachability graph’ and compare to documented segmentation (customer usually can’t produce documentation; that alone is a finding)
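The defender’s reality check and the ‘actual reachability graph’ step above, as an added example that is not part of the original module: constructed probe results from one low-privilege foothold are mapped to zones, diffed against a constructed documented policy (the deltas are the findings), then walked transitively to show how far a pivot from any zone could get. Zone CIDRs, policy entries, IPs and probe results are all constructed sample data.

```python
import ipaddress
from collections import deque

# Constructed zone map (what the diagram draws) and documented policy: (src zone, dst zone, port).
ZONES = {name: ipaddress.ip_network(cidr) for name, cidr in [
    ("marketing", "10.20.30.0/24"), ("finance", "10.40.0.0/24"),
    ("servers", "10.50.1.0/24"), ("mgmt", "10.60.1.0/24")]}
POLICY = {("marketing", "servers", 443), ("finance", "servers", 443),
          ("finance", "servers", 1433), ("mgmt", "servers", 22), ("mgmt", "servers", 3389)}

# Constructed probe results from a low-privilege foothold: (src_ip, dst_ip, port, connected).
# Closed ports are the boundary working as documented; only open paths can become findings.
OBSERVED = [
    ("10.20.30.15", "10.50.1.5", 443, True),
    ("10.20.30.15", "10.50.1.5", 1433, True),  # marketing straight to the DB port
    ("10.20.30.15", "10.40.0.7", 3389, True),  # marketing to a finance laptop over RDP
    ("10.20.30.15", "10.60.1.1", 22, False),   # mgmt blocked from marketing, as designed
    ("10.40.0.7", "10.60.1.1", 22, True),      # finance laptop can SSH to the jump host
    ("10.60.1.1", "10.50.1.5", 3389, True),
]

def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    return next((n for n, net in ZONES.items() if addr in net), "unknown")

def unexpected_paths(observed=OBSERVED, policy=POLICY):
    """Open cross-zone paths the documented policy does not permit: each one is a finding."""
    findings = set()
    for src, dst, port, connected in observed:
        edge = (zone_of(src), zone_of(dst), port)
        if connected and edge[0] != edge[1] and edge not in policy:
            findings.add(edge)
    return sorted(findings)

def reachable_zones(start, observed=OBSERVED):
    """Zone-level BFS over observed open paths: the blast radius of a foothold in `start`."""
    graph = {}
    for src, dst, _port, connected in observed:
        if connected:
            graph.setdefault(zone_of(src), set()).add(zone_of(dst))
    seen, queue = {start}, deque([start])
    while queue:
        for nxt in graph.get(queue.popleft(), ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(start)
    return sorted(seen)

if __name__ == "__main__":
    print("unexpected:", unexpected_paths())
    print("reachable from marketing:", reachable_zones("marketing"))
```

With this data the marketing foothold reaches every other zone in two hops even though the policy permits it one port on one zone; feeding real probe results or Zeek connection records into `OBSERVED` turns the same code into the continuous measurement the module recommends.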
Mindset takeaway
The network diagram is aspirational. The firewall ruleset is reality. Every pentester and every defender should regularly enumerate what a foothold can actually reach — not what the policy says it should reach. The gap is where incidents are built. For red teams, every “unexpectedly reachable” path is an attack chain. For blue teams, every one is a remediation ticket.
The rest of this track walks specific protocol-level abuses (ARP/DNS/LLMNR poisoning, Kerberos attacks, VPN exploitation, DNS tunneling, wireless attacks) — all of which become vastly more impactful when the network isn’t segmented well. Segmentation is the atmospheric control that determines how far attackers can go with any individual technique.