Why Flat Networks Kill Security

If we had to pick one issue that shows up on almost every internal penetration test, regardless of industry or company size, it would be this:

Flat networks. No segmentation. Everything can talk to everything.

It’s not flashy. It doesn’t involve a zero day. And it’s usually not considered a “finding” anyone gets excited about fixing. But in practice, flat networks are the single biggest reason internal attacks succeed so quickly and so completely. We’ve seen environments with good EDR, strong perimeter controls, and decent patching still fall apart internally, not because those tools failed, but because the network gave the attacker freedom of movement.

What Are Flat Networks?

A flat network is one where:
● User workstations can talk to other workstations freely
● Workstations can directly reach system-critical servers, such as backup or certificate services
● Servers can reach domain controllers without restrictions
● VLANs exist (sometimes), but there are no meaningful access controls between them
● “Internal” traffic is largely trusted by default

In other words, once you’re inside, you’re everywhere. The image below shows what a flat network may look like:

Sample Flat Network

Why It Matters

Flat networks make name resolution attacks trivial:
● LLMNR / NBT-NS poisoning
● MDNS poisoning
● MITM6 in IPv6-enabled environments

When every host can see broadcast or multicast traffic, credential interception becomes easy. If SMB or LDAP signing is missing (often the case), those credentials can usually be relayed rather than cracked.

ATTACK VECTORS

1. LLMNR/NBT-NS/MDNS Poisoning

A real-world attack chain, easy to execute and catastrophic for the company, and a very typical internal path:
1. Attacker either compromises a workstation, or connects their device to the network
2. LLMNR/NBT-NS poisoning captures NTLM credentials
3. SMB signing is disabled, so NTLM relay succeeds
4. LDAP or ADCS abuse leads to privilege escalation
5. Lateral movement spreads rapidly
6. Domain compromise occurs within hours

Every step is made easier, sometimes only possible because the network is flat.
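Poisoning works because a host on the same broadcast domain can answer name queries that nobody legitimately owns. The same property gives defenders a cheap check for the name-resolution exposure described above and for step 2 of the chain. The PowerShell below is an added example, not code from the original post or from any tool it mentions: it sends an LLMNR query for a random name that cannot exist and reports any host that answers it. It assumes it is run from a Windows host on the segment being checked; the canary name and transaction id are arbitrary.

```powershell
# Added example: LLMNR "canary" probe (not from the original post).
# A healthy segment never answers a query for a name nobody owns, so any
# answer identifies a host that is poisoning name resolution.
# Assumption: run from a Windows host on the segment being checked.

function New-LlmnrQuery {
    param(
        [Parameter(Mandatory)][string]$Name,
        [uint16]$TransactionId
    )
    # LLMNR (RFC 4795) reuses the DNS wire format: 12-byte header, then one question.
    $packet = [System.Collections.Generic.List[byte]]::new()
    $packet.Add([byte](($TransactionId -shr 8) -band 0xFF))   # ID, high byte
    $packet.Add([byte]($TransactionId -band 0xFF))            # ID, low byte
    $packet.AddRange([byte[]]@(0, 0))                         # flags: standard query
    $packet.AddRange([byte[]]@(0, 1))                         # QDCOUNT = 1
    $packet.AddRange([byte[]]@(0, 0, 0, 0, 0, 0))             # ANCOUNT, NSCOUNT, ARCOUNT = 0
    foreach ($label in $Name.Split('.')) {                    # QNAME as length-prefixed labels
        $bytes = [System.Text.Encoding]::ASCII.GetBytes($label)
        $packet.Add([byte]$bytes.Length)
        $packet.AddRange($bytes)
    }
    $packet.Add(0)                                            # root label terminates QNAME
    $packet.AddRange([byte[]]@(0, 1))                         # QTYPE = A
    $packet.AddRange([byte[]]@(0, 1))                         # QCLASS = IN
    return $packet.ToArray()
}

function Test-LlmnrAnswer {
    # True when $Packet is a reply to our transaction that carries at least one answer record.
    param([byte[]]$Packet, [uint16]$ExpectedId)
    if ($Packet.Length -lt 12) { return $false }
    $id      = ([int]$Packet[0] -shl 8) -bor $Packet[1]
    $isReply = ($Packet[2] -band 0x80) -ne 0                  # QR bit set = response
    $answers = ([int]$Packet[6] -shl 8) -bor $Packet[7]       # ANCOUNT
    return ($id -eq $ExpectedId) -and $isReply -and ($answers -gt 0)
}

function Find-LlmnrPoisoner {
    param(
        # Random name that no legitimate host owns; a clean segment stays silent.
        [string]$CanaryName = 'canary-' + [guid]::NewGuid().ToString('N').Substring(0, 10),
        [int]$TimeoutMs = 2000
    )
    $id    = [uint16](Get-Random -Minimum 1 -Maximum 65535)
    $query = New-LlmnrQuery -Name $CanaryName -TransactionId $id
    $group = [System.Net.IPEndPoint]::new([System.Net.IPAddress]::Parse('224.0.0.252'), 5355)  # LLMNR multicast group
    $udp   = [System.Net.Sockets.UdpClient]::new([System.Net.Sockets.AddressFamily]::InterNetwork)
    $hits  = @()
    try {
        $udp.Client.ReceiveTimeout = $TimeoutMs
        [void]$udp.Send($query, $query.Length, $group)
        $from = [System.Net.IPEndPoint]::new([System.Net.IPAddress]::Any, 0)
        while ($true) {
            try { $data = $udp.Receive([ref]$from) }
            catch [System.Net.Sockets.SocketException] { break }   # receive timeout: nobody else answered
            if (Test-LlmnrAnswer -Packet $data -ExpectedId $id) {
                $hits += [pscustomobject]@{ Responder = $from.Address.ToString(); CanaryName = $CanaryName }
            }
        }
    } finally {
        $udp.Dispose()
    }
    return $hits
}

# Example run; an empty result is the healthy outcome.
Find-LlmnrPoisoner | Format-Table -AutoSize
```

Run it from a workstation in each user VLAN. Because the canary name is random, a legitimate LLMNR responder has nothing to say; any `Responder` address in the output is a host answering for names it does not own, which is exactly the behaviour the attack chain relies on. The same probe, scheduled, gives a segment-level indicator that is independent of EDR on the endpoints.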

2. IPv6 DNS Poisoning


3. SMB/LDAP Relaying


REMEDIATIONS

How To Protect Your Company

Simple, realistic remediations: segmentation doesn’t have to mean zero trust on day one.

Start small:
● Separate users, servers, and domain controllers
● Block workstation-to-workstation SMB
● Limit access to LDAP, SMB, and RPC from user networks
● Protect domain controllers, ADCS, and backup systems first
● Disable LLMNR and NBT-NS where possible

Even partial segmentation dramatically raises the cost of internal attacks.
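The list above is network-level work, but several items have a host-level counterpart that can be rolled out while the switch and firewall changes are being planned. The script below is an added example, not code from the original post: it audits the settings the attack chain depends on on a domain-joined Windows workstation (LLMNR, NetBIOS over TCP/IP, SMB signing, inbound SMB from other workstations) and then applies the fixes. The `$WorkstationSubnets` range is a placeholder to replace with your own user VLANs; run it elevated, and in practice push the same values through Group Policy.

```powershell
# Added example (not from the original post): host-level hardening that mirrors
# the remediation list. Run elevated on a domain-joined workstation.
# ASSUMPTION: the address range below is a placeholder for your user VLANs.
$WorkstationSubnets = @('10.10.0.0/16')
$BlockRuleName      = 'Block inbound SMB from workstation VLANs'

function Get-NameResolutionExposure {
    # Reports the current state of each setting the attack chain relies on.
    $llmnr = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient' `
                              -Name EnableMulticast -ErrorAction SilentlyContinue
    $nbt = Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces' |
           ForEach-Object { (Get-ItemProperty $_.PSPath -Name NetbiosOptions -ErrorAction SilentlyContinue).NetbiosOptions }
    [pscustomobject]@{
        LlmnrEnabled         = ($null -eq $llmnr) -or ($llmnr.EnableMulticast -ne 0)   # no policy value = enabled
        NetBiosEnabledAnyNic = @($nbt | Where-Object { $_ -ne 2 }).Count -gt 0         # 2 = disabled on that NIC
        SmbServerSigningReq  = (Get-SmbServerConfiguration).RequireSecuritySignature
        SmbClientSigningReq  = (Get-SmbClientConfiguration).RequireSecuritySignature
        PeerSmbBlocked       = $null -ne (Get-NetFirewallRule -DisplayName $BlockRuleName -ErrorAction SilentlyContinue)
    }
}

function Set-NameResolutionHardening {
    # 1. Disable LLMNR. This is the policy value the GPO "Turn off multicast name resolution" writes.
    $dnsPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
    if (-not (Test-Path $dnsPolicy)) { New-Item -Path $dnsPolicy -Force | Out-Null }
    Set-ItemProperty -Path $dnsPolicy -Name EnableMulticast -Type DWord -Value 0

    # 2. Disable NetBIOS over TCP/IP (and with it NBT-NS) on every interface; NetbiosOptions 2 = disable.
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces' |
        ForEach-Object { Set-ItemProperty -Path $_.PSPath -Name NetbiosOptions -Type DWord -Value 2 }

    # 3. Require SMB signing in both directions so a captured NTLM exchange cannot be relayed
    #    to or from this host. (The LDAP equivalent lives on domain controllers:
    #    HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters, LDAPServerIntegrity = 2.)
    Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
    Set-SmbClientConfiguration -RequireSecuritySignature $true -Force

    # 4. Host-level stand-in for "block workstation-to-workstation SMB": refuse inbound TCP/445
    #    from the user VLANs. Windows Firewall evaluates block rules before allow rules, so the
    #    built-in File and Printer Sharing allow rules no longer matter for those sources.
    if (-not (Get-NetFirewallRule -DisplayName $BlockRuleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $BlockRuleName -Direction Inbound -Protocol TCP -LocalPort 445 `
            -RemoteAddress $WorkstationSubnets -Action Block -Profile Domain,Private -Enabled True | Out-Null
    }
}

# Audit, fix, audit again: the "before" object documents the exposure, the "after" proves the change.
$before = Get-NameResolutionExposure
Set-NameResolutionHardening
$after  = Get-NameResolutionExposure
$before, $after | Format-List
```

Treat the firewall rule as a stopgap: it protects this host from its peers, but the real fix from the list is an ACL between the user VLAN and the server and domain controller networks, which this script cannot provide. Disabling LLMNR and NBT-NS also removes the traffic that the attack chain's first step needs to capture, so these two registry values are the highest-value change on the list.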

Flat networks don’t usually exist because of bad intentions; they exist because they’re convenient. Unfortunately, attackers love convenience.
You can have strong passwords, modern EDR, and good patching, but if your network is flat, a single mistake can still turn into full domain compromise. Segmentation isn’t about perfection; it’s about making sure one compromised system doesn’t become everyone’s problem.