Presented at DEF CON 33 (2025), Aug. 8, 2025, 3 p.m. (45 minutes).
Gaining initial access to an intranet is one of the most challenging parts of red teaming. If an attack chain is intercepted by an incident response team, the entire operation must be restarted. In this talk, we introduce a technique for gaining initial access to an intranet that does not involve phishing, exploiting public-facing applications, or having a valid account. Instead, we leverage the use of stateless tunnels, such as GRE and VxLAN, which are widely used by companies like Cloudflare and Amazon. This technique affects not only Cloudflare's customers but also other companies.
Additionally, we will share evasion techniques that take advantage of company intranets that do not implement source IP filtering, preventing IR teams from intercepting the full attack chain. Red teamers could confidently perform password spraying within an internal network without worrying about losing a compromised foothold. We will also reveal a nightmare of VxLAN in the Linux kernel and RouterOS that affects many companies, including ISPs. This feature is enabled by default and allows anyone to hijack the entire tunnel, granting intranet access, even if the VxLAN is configured on a private IP interface through an encrypted tunnel. What's worse, RouterOS users cannot disable this feature. The problem can be triggered simply by following the basic official VxLAN tutorial. Furthermore, if the tunnel runs routing protocols like BGP or OSPF, it can lead to the hijacking of internal IPs, which could result in domain compromise. We will demonstrate the attack vectors that red teamers can exploit after hijacking a tunnel or compromising a router by manipulating the routing protocols.
Lastly, we will conclude the presentation by showing how companies can mitigate these vulnerabilities. Red teamers can use these techniques and tools to scan targets and access company intranets. This approach opens new avenues for further research.
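The mitigation the abstract points to is source IP filtering on the outer header of stateless tunnels. As an added illustration (not code from the talk or its tools), the following checker parses the outer IPv4 header, the UDP/VXLAN header (UDP port 4789) or the GRE header (IP protocol 47) of a raw packet and accepts the encapsulated traffic only when the outer source address is an explicitly listed tunnel peer and, for VXLAN, the VNI is one that peer is allowed to carry. The peer addresses, VNIs and sample packets are constructed values for the example.

```python
import ipaddress
import struct

VXLAN_UDP_PORT = 4789
IPPROTO_UDP = 17
IPPROTO_GRE = 47

# Hypothetical allowlist: outer peer address -> VNIs it may carry.
# An empty set marks a GRE peer, where no VNI applies. Constructed values.
ALLOWED_PEERS = {
    "198.51.100.10": {100, 200},  # VXLAN peer
    "203.0.113.5": set(),         # GRE peer
}


def build_ipv4(src, dst, proto, payload):
    """Construct a minimal IPv4 header (no options, checksum left zero)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload


def build_vxlan(src, dst, vni, inner=b"\x00" * 14):
    """Constructed VXLAN-in-UDP packet: flags 0x08 (I bit), 24-bit VNI."""
    vx = struct.pack("!B3s3sB", 0x08, b"\x00" * 3, vni.to_bytes(3, "big"), 0)
    udp = struct.pack("!HHHH", 49152, VXLAN_UDP_PORT, 8 + len(vx) + len(inner), 0)
    return build_ipv4(src, dst, IPPROTO_UDP, udp + vx + inner)


def build_gre(src, dst, inner=b"\x00" * 20):
    """Constructed GRE packet: no flags, version 0, inner protocol IPv4 (0x0800)."""
    return build_ipv4(src, dst, IPPROTO_GRE, struct.pack("!HH", 0x0000, 0x0800) + inner)


def parse_outer(pkt):
    """Return outer IPv4 fields and payload, or None if this is not IPv4."""
    if len(pkt) < 20:
        return None
    ver_ihl, _tos, total_len, _id, _frag, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        return None
    ihl = (ver_ihl & 0x0F) * 4
    return {"src": str(ipaddress.IPv4Address(src)),
            "dst": str(ipaddress.IPv4Address(dst)),
            "proto": proto,
            "payload": pkt[ihl:total_len]}


def classify(pkt, allowed=ALLOWED_PEERS):
    """Decide (verdict, reason) for one packet; verdict is accept, drop or ignore."""
    outer = parse_outer(pkt)
    if outer is None:
        return ("ignore", "not IPv4")
    src, proto, payload = outer["src"], outer["proto"], outer["payload"]

    if proto == IPPROTO_UDP and len(payload) >= 8:
        _sport, dport, _ulen, _ucsum = struct.unpack("!HHHH", payload[:8])
        if dport != VXLAN_UDP_PORT:
            return ("ignore", "UDP but not VXLAN")
        if len(payload) < 16:
            return ("drop", "truncated VXLAN header")
        flags, _r1, vni_bytes, _r2 = struct.unpack("!B3s3sB", payload[8:16])
        if not flags & 0x08:
            return ("drop", "VXLAN header without valid-VNI flag")
        vni = int.from_bytes(vni_bytes, "big")
        if src not in allowed:
            return ("drop", f"VXLAN from unlisted peer {src}")
        if vni not in allowed[src]:
            return ("drop", f"peer {src} is not allowed VNI {vni}")
        return ("accept", f"VXLAN vni={vni} from {src}")

    if proto == IPPROTO_GRE:
        if src not in allowed:
            return ("drop", f"GRE from unlisted peer {src}")
        return ("accept", f"GRE from {src}")

    return ("ignore", "not a stateless tunnel")


def audit(packets):
    """Classify a batch of raw packets; returns the list of verdicts in order."""
    return [classify(p) for p in packets]


if __name__ == "__main__":
    samples = [
        build_vxlan("198.51.100.10", "192.0.2.1", 100),  # listed peer, allowed VNI
        build_vxlan("198.51.100.10", "192.0.2.1", 300),  # listed peer, wrong VNI
        build_vxlan("192.0.2.99", "192.0.2.1", 100),     # unlisted source
        build_gre("203.0.113.5", "192.0.2.1"),           # listed GRE peer
        build_gre("192.0.2.99", "192.0.2.1"),            # unlisted GRE source
    ]
    for verdict, reason in audit(samples):
        print(f"{verdict:6} {reason}")
```

The allowlist check is only as strong as the trust placed in the outer source address: a stateless tunnel has no handshake, so anything that can forge the peer's address would still pass. The filter therefore belongs alongside anti-spoofing at the network edge, and the VNI check limits what a single permitted peer can inject.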
References:
I have seen discussions about source IP address spoofing with stateless tunnels, similar to research on [CVE-2020-10136](https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-nxos-ipip-dos-kCT9X4) which uses IPIP tunnels. However, this research omits the possibility of using stateless tunnels for initial access. The PoC only provides methods to launch DoS attacks such as UDP flooding, TCP SYN attacks, and ARP spoofing, which do not require a response. Notably, there is no method to find a stateless tunnel in previous research, making real-world attacks impractical.
Presenters:
- Shu-Hao, Tung (123ojp)
Shu-Hao Tung (123ojp) is a Threat Researcher at Trend Micro specializing in Red Teaming. He mainly focuses on web, networking, and infrastructure vulnerabilities. He owns an ASN and is a bug hunter who has reported high-risk vulnerabilities via Bugcrowd.