Chapter 4: Network Attack Indicators
LAN Taps
Wi-Fi
Evil twin
Rogue Access Point
WEP Cracking
WiFi Scanners/Crackers
Kismet
Netstumbler
CoWPAtty
On-path Attacks
What we formerly called “Man in the Middle” (MitM) attacks have been renamed (in CompTIA terms, at least) to “On-path Attacks”. Lots of other organizations and materials will still refer to these as MitM.
Put simply, the attacker looks like the server to the client, and looks like the client to the server, thus intercepting traffic and information.
Layer 2 Attacks
TCP/IP Hijacking
This means setting up a device that appears to be a valid endpoint in order to perform an On-path Attack.
Spoofing is the act of falsifying one’s IP address to do this.
Address Resolution Protocol (ARP) spoofing does this at the level of MAC addresses, by falsifying the MAC address resolution table.
To check the ARP table in Windows, use the shell command:
arp -a
Note that you can use the arp -s command to add new entries manually, the arp -d command to delete them, and arp /? for detailed information:
arp -s <inet_addr> <eth_addr>
arp -d *
arp /?
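The defender's side of ARP spoofing is spotting it in the table the arp -a command prints. The script below is an added example (not part of these notes) that parses a constructed Windows arp -a listing and reports the two classic indicators: one MAC address claimed by more than one non-broadcast IP, and the gateway's MAC differing from a known-good value. The sample table, the MACs and the KNOWN_GATEWAY baseline are all made-up assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of Windows `arp -a` output (addresses and MACs are made up).
# The gateway's MAC 00-11-22-33-44-01 also appears on 192.168.1.30: the classic
# sign of another host answering ARP for the gateway's IP.
SAMPLE_ARP_A = """\
Interface: 192.168.1.20 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-11-22-33-44-01     dynamic
  192.168.1.30          00-11-22-33-44-01     dynamic
  192.168.1.40          00-11-22-33-44-40     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

# Assumed known-good gateway MAC, recorded once from a trusted state (not from the notes).
KNOWN_GATEWAY = {"ip": "192.168.1.1", "mac": "00-11-22-33-44-01"}

# One table row: IPv4, dash-separated MAC (Windows style), entry type.
ENTRY_RE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(dynamic|static)\s*$",
    re.IGNORECASE,
)


def parse_arp_table(text):
    """Return [(ip, mac, type), ...] for every table row in `arp -a` output."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2).lower(), m.group(3).lower()))
    return entries


def is_special(ip, mac):
    """Broadcast and multicast rows legitimately share MACs, so they are ignored."""
    first_octet = int(ip.split(".")[0])
    return mac == "ff-ff-ff-ff-ff-ff" or 224 <= first_octet <= 239 or ip.endswith(".255")


def find_arp_anomalies(entries, known_gateway=None):
    """Return findings: one MAC claimed by several IPs, or a changed gateway MAC."""
    findings = []
    ips_by_mac = defaultdict(list)
    for ip, mac, _ in entries:
        if not is_special(ip, mac):
            ips_by_mac[mac].append(ip)
    for mac, ips in ips_by_mac.items():
        if len(ips) > 1:
            findings.append(f"MAC {mac} claimed by multiple IPs: {', '.join(ips)}")
    if known_gateway:
        for ip, mac, _ in entries:
            if ip == known_gateway["ip"] and mac != known_gateway["mac"].lower():
                findings.append(
                    f"gateway {ip} MAC changed: expected {known_gateway['mac']}, saw {mac}"
                )
    return findings


if __name__ == "__main__":
    import subprocess
    import sys

    # `--live` reads the real table on the local Windows host; default uses the sample.
    if "--live" in sys.argv:
        text = subprocess.run(["arp", "-a"], capture_output=True, text=True).stdout
    else:
        text = SAMPLE_ARP_A
    for finding in find_arp_anomalies(parse_arp_table(text), KNOWN_GATEWAY) or ["no anomalies"]:
        print(finding)
```

A duplicated MAC is only suspicious for unicast entries, which is why broadcast and multicast rows are skipped; the gateway baseline check catches the case where the attacker has already replaced the gateway's MAC rather than merely duplicated it.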
Spoofing with Ettercap
Denial of Service
Distributed Denial-of-Service (DDoS) Attacks – These attacks amplify the situation by using dozens, hundreds, or thousands of “zombie” computers. If you’re already in this situation, obviously, life is bad.
SYN/ACK Attacks
Understand the basic nature of client/server connections in order to understand these attacks. A client sends a SYN packet to a server as its opening request, to initiate a “handshake.” The server, if it receives this SYN packet, responds with a SYN ACK. The client, then, responds with an ACK. Recall the TCP (not UDP) three-way handshake:
Client                    Server
  |                         |
  |  -------- SYN -------->  |
  |                         |
  |  <----- SYN-ACK ------  |
  |                         |
  |  -------- ACK -------->  |
  |                         |
This is a bit of an oversimplification, because after the very first packet from the client, every packet contains an ACKnowledgement of response, and the final packet exchange will be FIN packets (“we’re finished”).
Here lies the basis of the SYN flood attack.
See this Cloudflare page for a longer explanation:
https://www.cloudflare.com/learning/ddos/syn-flood-ddos-attack/
and this Imperva page:
https://www.imperva.com/learn/application-security/syn-flood/
Basically, if I’m an attacker, I can send a server a SYN packet, but never acknowledge the SYN ACK that comes back. The server holds a half-open connection for me, but I never reply. Instead I send a new SYN packet from yet another spoofed IP address, opening but never acknowledging another connection. Before long the server is overwhelmed with these faked connections, and DoS results: this is a SYN flood.
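What a SYN flood looks like from the server's side is a pile of half-open connections that never receive their third-step ACK, spread across many sources. As an added example (not part of these notes), the script below replays a constructed tcpdump-style trace, tracks which handshakes complete, and flags a server whose half-open count crosses a threshold. The trace format, addresses, and the tiny threshold are assumptions made for the demonstration.

```python
import re
from collections import defaultdict

# Constructed trace in a tcpdump-like shape (time, src:port > dst:port, TCP flags).
# [S] = SYN, [S.] = SYN-ACK, [.] = ACK, [R] = RST. Addresses are documentation ranges.
# One client completes its handshake, one is reset, and six spoofed sources send a SYN and vanish.
SAMPLE_TRACE = """\
0.000 198.51.100.7:40001 > 203.0.113.10:443 [S]
0.001 203.0.113.10:443 > 198.51.100.7:40001 [S.]
0.002 198.51.100.7:40001 > 203.0.113.10:443 [.]
0.005 198.51.100.8:40002 > 203.0.113.10:443 [S]
0.006 203.0.113.10:443 > 198.51.100.8:40002 [S.]
0.007 198.51.100.8:40002 > 203.0.113.10:443 [R]
0.010 192.0.2.11:1025 > 203.0.113.10:443 [S]
0.011 203.0.113.10:443 > 192.0.2.11:1025 [S.]
0.012 192.0.2.12:1025 > 203.0.113.10:443 [S]
0.013 203.0.113.10:443 > 192.0.2.12:1025 [S.]
0.014 192.0.2.13:1025 > 203.0.113.10:443 [S]
0.015 192.0.2.14:1025 > 203.0.113.10:443 [S]
0.016 192.0.2.15:1025 > 203.0.113.10:443 [S]
0.017 192.0.2.16:1025 > 203.0.113.10:443 [S]
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+) (?P<src>[\d.]+):(?P<sport>\d+) > (?P<dst>[\d.]+):(?P<dport>\d+) \[(?P<flags>[SRF.]+)\]$"
)


def track_half_open(trace):
    """Replay the trace; return {4-tuple: syn_time} for connections still half-open.

    Connections are keyed from the client's side: (client_ip, client_port, server_ip, server_port).
    A connection becomes half-open on the client's SYN and leaves that state on the client's
    ACK (handshake complete) or on a RST from either side.
    """
    half_open = {}
    for line in trace.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        flags = m["flags"]
        forward = (m["src"], m["sport"], m["dst"], m["dport"])
        reverse = (m["dst"], m["dport"], m["src"], m["sport"])
        if flags == "S":
            half_open[forward] = float(m["ts"])
        elif flags == "." and forward in half_open:
            del half_open[forward]          # third step of the handshake: fully open now
        elif "R" in flags:
            half_open.pop(forward, None)    # reset sent by the client
            half_open.pop(reverse, None)    # reset sent by the server
    return half_open


def syn_flood_indicators(half_open, threshold=5):
    """Summarise half-open connections per server and flag those at or above the threshold.

    The threshold is deliberately tiny for the sample; on a real host compare against the
    listen backlog, since a SYN flood aims to fill exactly that queue.
    """
    per_server = defaultdict(lambda: {"half_open": 0, "sources": set()})
    for client_ip, _, server_ip, server_port in half_open:
        entry = per_server[(server_ip, server_port)]
        entry["half_open"] += 1
        entry["sources"].add(client_ip)
    return {
        server: {
            "half_open": v["half_open"],
            "distinct_sources": len(v["sources"]),
            "flagged": v["half_open"] >= threshold,
        }
        for server, v in per_server.items()
    }


if __name__ == "__main__":
    for server, report in syn_flood_indicators(track_half_open(SAMPLE_TRACE)).items():
        print(f"{server[0]}:{server[1]} -> {report}")
```

The distinct_sources count is the tell: a busy but healthy server has many completed handshakes, while a flood shows many half-open entries each from a different (usually spoofed) address.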
Attacks Not On the 601 Exam, But Present On Most Hacking Cert Exams
A Ping Flood is a bombardment with ping requests, and also the reason ICMP is tightly controlled on secure networks. See Imperva’s page:
https://www.imperva.com/learn/application-security/ping-icmp-flood/
The similar Smurf attack occurs when an attacker sends forged ICMP echo request packets to every computer on a network, using a false source IP (usually a server’s). This causes them to send responses to the victim, the server that really holds that IP address. This floods the network, resulting in DoS. A Smurf is made possible by misconfigured network devices that respond to ICMP echoes sent to broadcast addresses (x.x.x.255).
https://www.youtube.com/results?search_query=smurf+attack
A Fraggle attack is the same technique, used over UDP rather than ICMP.
The Ping of Death is a variant of Smurf that sends deliberately oversized ICMP ping packets (larger than 65,535 bytes), attacking older OSs susceptible to this malformation. It won’t work any more.
A Land attack is also an older one that sends a packet with the same host (IP) specified as both sender and receiver. This locks up some systems.
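Each of the attacks above has a simple packet-level signature, which is what an IDS rule or a firewall log review looks for. The script below is an added example (not from these notes) that classifies constructed packet records for the Smurf, Fraggle, Ping of Death and Land patterns, and separately flags a source sending an echo-request burst (a ping flood). The local prefix, the packet records and the flood threshold are assumptions for the demonstration; the Ping of Death check uses the reassembled datagram size, since the oversized length only exists after fragment reassembly.

```python
import ipaddress
from collections import defaultdict

# Assumed local prefix; its .255 address is the directed-broadcast target a Smurf abuses.
LOCAL_NETS = [ipaddress.ip_network("192.168.10.0/24")]

# Constructed packet records (one dict per IP datagram; "length" is the reassembled size).
# icmp_type 8 = echo request. UDP ports 7 (echo) and 19 (chargen) are the reflectors Fraggle uses.
SAMPLE_PACKETS = [
    {"ts": 1.00, "proto": "icmp", "src": "192.168.10.50", "dst": "192.168.10.1", "icmp_type": 8, "length": 84},
    {"ts": 1.01, "proto": "icmp", "src": "192.168.10.7", "dst": "192.168.10.255", "icmp_type": 8, "length": 84},
    {"ts": 1.02, "proto": "udp", "src": "192.168.10.7", "dst": "192.168.10.255", "dport": 7, "length": 60},
    {"ts": 1.03, "proto": "icmp", "src": "203.0.113.9", "dst": "192.168.10.20", "icmp_type": 8, "length": 65600},
    {"ts": 1.04, "proto": "tcp", "src": "192.168.10.20", "dst": "192.168.10.20", "dport": 139, "length": 40},
    {"ts": 1.05, "proto": "udp", "src": "192.168.10.50", "dst": "192.168.10.255", "dport": 53, "length": 60},
]
# Plus a constructed burst of 50 echo requests from one source inside a single second.
SAMPLE_PACKETS += [
    {"ts": 2.0 + i * 0.001, "proto": "icmp", "src": "198.51.100.4", "dst": "192.168.10.20",
     "icmp_type": 8, "length": 84}
    for i in range(50)
]


def classify_packet(pkt, local_nets=LOCAL_NETS):
    """Return the list of attack signatures a single packet matches (empty if none)."""
    labels = []
    src = ipaddress.ip_address(pkt["src"])
    dst = ipaddress.ip_address(pkt["dst"])
    to_broadcast = any(dst == net.broadcast_address for net in local_nets)
    if src == dst:
        labels.append("land")                       # same host as sender and receiver
    if pkt["proto"] == "icmp" and pkt.get("icmp_type") == 8:
        if to_broadcast:
            labels.append("smurf")                  # echo request aimed at the broadcast address
        if pkt["length"] > 65535:
            labels.append("ping-of-death")          # larger than the maximum IP datagram
    if pkt["proto"] == "udp" and to_broadcast and pkt.get("dport") in (7, 19):
        labels.append("fraggle")                    # UDP echo/chargen to the broadcast address
    return labels


def scan(packets, local_nets=LOCAL_NETS):
    """Return {packet_index: labels} for every packet matching at least one signature."""
    hits = {}
    for i, pkt in enumerate(packets):
        labels = classify_packet(pkt, local_nets)
        if labels:
            hits[i] = labels
    return hits


def ping_flood_sources(packets, per_second=20):
    """Return sources that sent more than `per_second` echo requests within one second."""
    counts = defaultdict(int)
    for pkt in packets:
        if pkt["proto"] == "icmp" and pkt.get("icmp_type") == 8:
            counts[(pkt["src"], int(pkt["ts"]))] += 1
    return sorted({src for (src, _), n in counts.items() if n > per_second})


if __name__ == "__main__":
    for index, labels in scan(SAMPLE_PACKETS).items():
        print(index, SAMPLE_PACKETS[index]["src"], "->", SAMPLE_PACKETS[index]["dst"], labels)
    print("ping flood sources:", ping_flood_sources(SAMPLE_PACKETS))
```

The broadcast test is what the Smurf and Fraggle cases hinge on: a router that forwards directed broadcasts is the misconfiguration the notes mention, so the same check belongs in the edge device's filtering, not only in a detector.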
DNS Attacks
DNS replication is based on Trusts, e.g. a two-way trust between a Parent and Child domain.
DNS Record Types
- A (“glue record”)
- AAAA
- MX
- CNAME
- NS
- SOA
  - Start of Authority
  - the critical record in DNS
  - has a “magic” Serial Number that tracks the current version of records; that’s how secondary servers know when to get a Zone Transfer
    - IXFR – small, incremental
    - AXFR – all records
Primary and Secondary DNS Servers
Only the Primary can update records, ideally
Zone Transfers are a huge possible problem.
Using Dig and Doing a Zone Transfer
dig gnorman.org
dig @nsctm1.digi.ninja -t axfr zonetransfer.me
https://flylib.com/books/en/2.684.1/transferring_a_zone_using_dig.html
Preventing unwanted zone transfers:
DNSSEC is the answer: trusted DNS servers only
Here’s a chatty discussion of why it’s needed and how it works:
https://www.icann.org/resources/pages/dnssec-what-is-it-why-important-2019-03-05-en
Here’s an academic viewpoint:
https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions
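On the server side, the practical control over zone transfers is an allow-list of secondaries, and the audit question is whether any AXFR or IXFR went to a host outside it. The script below is an added example (not from these notes) that checks constructed BIND-style transfer log lines against an assumed allow-list per zone, reporting completed transfers to unknown clients as well as attempts the server refused. The log line format is approximated from BIND's xfer-out and security categories, and the zone, addresses and allow-list are made up.

```python
import re

# Constructed log lines in the shape of BIND's xfer-out and security log categories
# (format approximated; zone and addresses are made up). The first three lines are from
# expected secondaries, the fourth is a transfer to an unknown address, the fifth was refused.
SAMPLE_LOG = """\
20-Mar-2024 10:01:02.123 xfer-out: info: client @0x7f3a 203.0.113.20#51234 (example.org): transfer of 'example.org/IN': AXFR started (serial 2024032001)
20-Mar-2024 10:01:02.456 xfer-out: info: client @0x7f3a 203.0.113.20#51234 (example.org): transfer of 'example.org/IN': AXFR ended
20-Mar-2024 10:05:00.001 xfer-out: info: client @0x7f3b 198.51.100.9#44321 (example.org): transfer of 'example.org/IN': IXFR started (serial 2024032001)
20-Mar-2024 10:30:17.900 xfer-out: info: client @0x7f3c 192.0.2.77#60001 (example.org): transfer of 'example.org/IN': AXFR started (serial 2024032001)
20-Mar-2024 10:31:05.250 security: info: client @0x7f3d 192.0.2.78#60002 (example.org): zone transfer 'example.org/AXFR/IN' denied
"""

# Assumed allow-list: the secondaries that belong in the zone's allow-transfer ACL.
ALLOWED_SECONDARIES = {"example.org": {"203.0.113.20", "198.51.100.9"}}

# Matches either a transfer that started (with the SOA serial it was taken at) or a refusal.
XFER_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[\d.]+)#\d+ \((?P<zone>[^)]+)\): "
    r"(?:transfer of '[^']+': (?P<kind>AXFR|IXFR) started(?: \(serial (?P<serial>\d+)\))?"
    r"|zone transfer '[^']+/(?P<dkind>AXFR|IXFR)/IN' denied)"
)


def audit_transfers(log_text, allowed=ALLOWED_SECONDARIES):
    """Return one finding per transfer start or refusal, marking unknown clients."""
    findings = []
    for line in log_text.splitlines():
        m = XFER_RE.search(line)
        if not m:
            continue
        ip, zone = m["ip"], m["zone"]
        if m["dkind"]:
            kind, status = m["dkind"], "denied"          # the ACL already stopped it
        else:
            kind = m["kind"]
            status = "ok" if ip in allowed.get(zone, set()) else "UNAUTHORIZED"
        findings.append(
            {"zone": zone, "client": ip, "kind": kind, "status": status, "serial": m["serial"]}
        )
    return findings


def unauthorized(findings):
    """Only the transfers that actually served the zone to a client outside the allow-list."""
    return [f for f in findings if f["status"] == "UNAUTHORIZED"]


if __name__ == "__main__":
    for f in audit_transfers(SAMPLE_LOG):
        print(f"{f['status']:12} {f['kind']} {f['zone']} -> {f['client']} serial={f['serial']}")
```

The "denied" rows are the healthy outcome of BIND's allow-transfer ACL (for example allow-transfer { key secondary-key; }; with a TSIG key shared with each secondary); an "UNAUTHORIZED" row means the zone contents are now in someone else's hands, exactly what the zonetransfer.me exercise above demonstrates from the requesting side.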
Tools: Wireshark
Watch what’s happening with Wireshark.
Malicious Code or Script Execution
Using MSFvenom to create malicious executables: