Using ZTNA tools to circumvent Network Security the easy way

As a penetration tester I have found using ZTNA (Zero Trust Network Access) tools to be a great way to access remote networks for internal penetration testing. I would set up a virtual machine (Kali, Parrot, or in some cases Windows with CommandoVM), stage it with the chosen ZTNA agent, and once it is booted in the remote environment I can access it without a VPN.

As we know, scanning and some testing over a VPN can lead to performance issues, packet drops, or traffic simply not being routed back to the tester's side of the VPN.

There is a range of software claiming ZTNA status, but there are several issues with this that we will cover first.

ZTNA, per zero trust, must perform continual authentication. Of the several I have dug into so far, not one of them does this. Each works very much like SSH: when you install sshd and start the service, the local daemon creates a host key. When you connect to that host you are presented with its key (the prompt asking whether you accept the host key) and your client stores it, so that if the remote host key ever changes, for whatever reason, you see that there is a change and must accept or reject it before you can fully connect.

OpenZiti, Tailscale, ngrok, ZeroTier and so on all seem to follow this same principle. There is no 'continual authentication' taking place. If there were, SSH would be considered a ZTNA, which would also negate all of zero trust, since SSH has existed for 30 years. (See my previous post on when zero trust was actually created, in 1994 by Stephen Paul Marsh.)

Each of these ZTNAs operates a little differently and has some caveats. But of those above, only ZeroTier and OpenZiti can be self-hosted. A case can be made that Tailscale can be as well, but that goes against its licensing.

First, ZeroTier. In pen testing I've probably used this one the most. I have yet to have to request that my data/IP be whitelisted; it just connects. It uses UDP port 9993 by default but can be tuned to use TCP, and any port you want on either protocol. I leave the default, and so far have never had issues with connections and have never been spotted by a SOC. ZeroTier installs a virtual network interface on the hosts it runs on and assigns the appropriate private IP address. More details on the inner workings of ZeroTier can be found at https://docs.zerotier.com

Next on our list is OpenZiti. This one I expect we will eventually see used en masse by malware writers and phishers, if they aren't already. Why? OpenZiti, with only good intentions, released an SDK. This allows you to 'bake' your tunnels into applications. But a criminal can do the same and bypass the need to install virtual interfaces, since you can create a 'zitified' SSH client, web browser, or really anything networked for which you have the source code.

The SDKs for OpenZiti are available in various languages, such as Go, Python, C, Java, C# and Swift. This is huge: it means you can zitify anything you can compile. You can even zitify API connections. This is great if you don't want to host your APIs publicly and instead require outside connectors to use a zitified API application that tunnels the traffic: no public exposure, no port forwarding, just high-speed 'direct connections', so to speak. A good set of documents and an infographic are located on their site: What is OpenZiti? | OpenZiti

Now, as an attacker I can create a zitified SSH client and zitify my sshd on the remote host. Again, I HAVE to suspect malicious attackers are already doing this; I can't be the only one who has thought of it. We know it is happening with ngrok, per the MITRE ATT&CK entry ngrok, Software S0508 | MITRE ATT&CK®. I can now SSH to my host on the "victim network" and they can't even get to the sshd: it's silent, it's blind to them. You HAVE to use the matching client with the service. WOW. I'll let that sink in for a moment......

Personally I see great benefit in OpenZiti. But just like anything else, it can be hijacked for malicious use that FAR outweighs its benefits. The genie is out of the bottle now; there is no going back.

Now consider all of the above, and that I can host my own ZeroTier or OpenZiti 'server' (they each use different terminology), unlike ngrok, where you can block *ngrok domains. It's the wild west. I can host my server in any country, on any VPS, with backups in various regions so that if one goes down I have a backup to keep the connections going.
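For the blue-team side of this discussion, here is a small Python triage script added as an example (it is not from the post, nor from ZeroTier, OpenZiti, Tailscale or ngrok). It shows the detection angles the preceding paragraphs imply: flagging outbound flows on ZeroTier's default UDP port 9993 (the only value taken from the post), overlay virtual interfaces on a host, blockable hosted-tunnel domains such as *ngrok, and, for the self-hosted or SDK-embedded case where none of those signals exist, long-lived outbound flows to unfamiliar external hosts. All sample flows, interface names, DNS names, the Tailscale port, the "ziti" interface prefix, the duration threshold and the allowlist are constructed assumptions for the example.

```python
"""Added example: host and network indicators for overlay-network agents.

The telemetry below (flows, DNS queries, interface names) is constructed
for this example. ZeroTier's default port 9993 comes from the post;
every other port, name and threshold is an assumption.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str        # "udp" or "tcp"
    dport: int
    duration_s: int   # how long the flow has been alive
    bytes_out: int


# Internal address space; RFC 1918 plus loopback is enough for the sample.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Default ports of common overlay agents. 9993/udp is stated in the post;
# 41641/udp for Tailscale is an assumed default.
OVERLAY_PORTS = {("udp", 9993): "zerotier", ("udp", 41641): "tailscale"}

# Virtual-interface name prefixes these agents create on a host. "zt" and
# "tailscale" follow the real naming; "ziti" is assumed for the tunneler.
OVERLAY_IFACE_PREFIXES = ("zt", "tailscale", "ziti")

# The post notes that hosted ngrok endpoints can be blocked by domain.
BLOCKABLE_DOMAIN_SUBSTRINGS = ("ngrok",)

# A self-hosted controller has no blockable domain, and an SDK-embedded
# ("zitified") app creates no virtual interface, so the remaining signal is
# a long-lived outbound flow to a host nobody approved. Both values assumed.
LONG_FLOW_SECONDS = 3600
ALLOWED_EXTERNAL = {"203.0.113.10"}   # e.g. an approved SaaS endpoint


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def flag_by_port(flows: list[Flow]) -> list[tuple[Flow, str]]:
    """Outbound flows whose protocol/port matches a known overlay default."""
    hits = []
    for f in flows:
        name = OVERLAY_PORTS.get((f.proto, f.dport))
        if name and is_internal(f.src) and not is_internal(f.dst):
            hits.append((f, name))
    return hits


def flag_long_lived(flows: list[Flow]) -> list[Flow]:
    """Outbound flows to non-allowlisted external hosts that stay up for hours."""
    return [f for f in flows
            if is_internal(f.src) and not is_internal(f.dst)
            and f.dst not in ALLOWED_EXTERNAL
            and f.duration_s >= LONG_FLOW_SECONDS]


def flag_interfaces(iface_names: list[str]) -> list[str]:
    """Interfaces whose names match an overlay agent's naming convention."""
    return [n for n in iface_names if n.startswith(OVERLAY_IFACE_PREFIXES)]


def flag_dns(queries: list[str]) -> list[str]:
    """Queried names that a domain block (as for ngrok) would have caught."""
    return [q for q in queries
            if any(s in q for s in BLOCKABLE_DOMAIN_SUBSTRINGS)]


# Constructed sample telemetry (TEST-NET addresses stand in for the internet).
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "198.51.100.7", "udp", 9993, 120, 4_000),    # ZeroTier default port
    Flow("10.0.0.5", "203.0.113.10", "tcp", 443, 7200, 900_000),  # allowlisted SaaS
    Flow("10.0.0.9", "192.0.2.44", "tcp", 443, 5400, 120_000),    # self-hosted, SDK-embedded
    Flow("10.0.0.9", "10.0.0.1", "udp", 53, 1, 200),              # internal DNS
]
SAMPLE_IFACES = ["lo", "eth0", "ztabcdef12", "docker0"]
SAMPLE_DNS = ["abcd1234.ngrok.example", "updates.example.com"]


def summarize(flows=SAMPLE_FLOWS, ifaces=SAMPLE_IFACES, dns=SAMPLE_DNS) -> dict:
    """Run every check and return the hits in a form easy to assert on."""
    return {
        "port_hits": [(f.src, f.dst, name) for f, name in flag_by_port(flows)],
        "long_lived": [(f.src, f.dst, f.dport) for f in flag_long_lived(flows)],
        "ifaces": flag_interfaces(ifaces),
        "dns": flag_dns(dns),
    }


if __name__ == "__main__":
    for check, hits in summarize().items():
        print(f"{check}: {hits}")
```

On the sample data the third flow is the one that matters: it uses TCP/443 to a self-hosted endpoint, creates no overlay interface and resolves no blockable domain, so only the long-lived-flow check catches it. That is the detection gap the post's OpenZiti discussion describes, and it is why an egress allowlist and flow-duration baselining are the controls worth investing in rather than port or domain blocks alone.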

Here we are. Zero trust has saved the day.......or has it made things worse? I think the answer is quite obvious. The tools that were made to save security are actually giving criminals even more unfettered access to our data. And they are more creative than I am, so what's next?

Chris
http://blog.logossecurity.com
