Security+ SY0-601: 1.4: Network Attack Indicators

Chapter 4: Network Attack Indicators

LAN Taps

Wi-Fi

Evil twin

Rogue Access Point

WEP Cracking

WiFi Scanners/Crackers

Kismet

Netstumbler

CoWPAtty

On-path Attacks

What we formerly called “Man in the Middle” (MitM) attacks have been renamed (in CompTIA terms, at least) to “On-path Attacks”. Lots of other organizations and materials will still refer to these as MitM.

Put simply, the attacker looks like the server to the client, and looks like the client to the server, thus intercepting traffic and information.

Layer 2 Attacks

TCP/IP Hijacking

TCP/IP hijacking means inserting a device that appears valid to both ends of a session in order to perform an On-path Attack.

Spoofing is the act of falsifying one’s IP address to do this.

Address Resolution Protocol (ARP) spoofing does this at the level of MAC addresses, by falsifying entries in the ARP (IP-to-MAC) resolution table that hosts cache.

To check the ARP table in Windows, use the shell command:

arp -a

Note that you can use the arp -s command to add new entries manually, the arp -d command to delete them, and arp /? for detailed help:

arp -s
arp -d *
arp /?

Spoofing with Ettercap

Denial of Service

Distributed Denial-of-Service (DDoS) Attacks – These attacks amplify the situation by using dozens, hundreds, or thousands of “zombie” computers. If you’re already in this situation, obviously, life is bad.

SYN/ACK Attacks

Understand the basic nature of client/server connections in order to understand these attacks. A client sends a SYN packet to a server as its opening request, to initiate a “handshake.” The server, if it receives this SYN packet, responds with a SYN ACK. The client, then, responds with an ACK. Recall the TCP (not UDP) three-way handshake:

Client                    Server
  SYN        ----->
             <-----       SYN-ACK
  ACK        ----->

This is a bit of an oversimplification, because after the very first packet from the client, every subsequent packet carries an ACK acknowledging what was received, and the final packet exchange that closes the connection uses FIN packets (“we’re finished”).

Here lies the basis of the SYN flood attack.

See this Cloudflare page for a longer explanation:

https://www.cloudflare.com/learning/ddos/syn-flood-ddos-attack/

and this Imperva page:

https://www.imperva.com/learn/application-security/syn-flood/

Basically, if I’m an attacker, I can send a server a SYN packet, but never acknowledge the SYN ACK that comes back. The server holds a half-open connection for me, but I never reply. Instead I send a new SYN packet from yet another spoofed IP address, opening but never acknowledging another connection. Before long the server is overwhelmed with these faked connections, and DoS results: this is a SYN flood.
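The indicator of a SYN flood on the victim is a pile of half-open (SYN_RECEIVED on Windows, SYN_RECV on Linux) connections to one port from many different sources. This is an added example, not from the course notes, that pulls that indicator out of netstat -n output; the netstat excerpt is constructed and the threshold is an assumed value sized for the sample.

```python
import re
from collections import defaultdict

# Constructed `netstat -n` excerpt (Windows state names; Linux prints SYN_RECV).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    10.0.0.5:80            203.0.113.7:51234      SYN_RECEIVED
  TCP    10.0.0.5:80            198.51.100.9:40001     SYN_RECEIVED
  TCP    10.0.0.5:80            198.51.100.10:40002    SYN_RECEIVED
  TCP    10.0.0.5:80            198.51.100.11:40003    SYN_RECEIVED
  TCP    10.0.0.5:80            192.0.2.44:55000       ESTABLISHED
  TCP    10.0.0.5:443           192.0.2.45:55001       ESTABLISHED
  UDP    10.0.0.5:53            *:*
"""

# proto, local ip:port, foreign ip:port, optional state (UDP rows have none and are skipped)
LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\d+)\s*(\S+)?", re.I)
HALF_OPEN = {"SYN_RECEIVED", "SYN_RECV"}  # server got SYN, sent SYN-ACK, waiting for ACK


def parse_netstat(text):
    """Return (proto, local_ip, local_port, remote_ip, remote_port, state) per matching row."""
    rows = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            proto, lip, lport, rip, rport, state = m.groups()
            rows.append((proto.upper(), lip, int(lport), rip, int(rport), (state or "").upper()))
    return rows


def half_open_by_port(rows):
    """Per local TCP port: (number of half-open connections, number of distinct remote IPs)."""
    counts, sources = defaultdict(int), defaultdict(set)
    for proto, _lip, lport, rip, _rport, state in rows:
        if proto == "TCP" and state in HALF_OPEN:  # only TCP has a handshake to abuse
            counts[lport] += 1
            sources[lport].add(rip)
    return {p: (counts[p], len(sources[p])) for p in counts}


def syn_flood_suspects(rows, threshold=3):
    """Ports with at least `threshold` half-open connections spread over that many sources.
    Spoofed sources are the flood's signature; a real host would retry from one address.
    The default threshold is sized for the tiny sample; on a real server use a far higher one."""
    return sorted(p for p, (n, srcs) in half_open_by_port(rows).items()
                  if n >= threshold and srcs >= threshold)
```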

Attacks Not On the 601 Exam, But Present On Most Hacking Cert Exams

A Ping Flood is a bombardment with ICMP echo (ping) requests, and also the reason ICMP is tightly controlled on secure networks. See Imperva’s page:
https://www.imperva.com/learn/application-security/ping-icmp-flood/

The similar Smurf attack occurs when an attacker sends forged ICMP echo request packets to every computer on a network, using a false source IP (usually a server’s). This causes them all to send their replies to the victim, the server that really holds that IP address. This floods the network, resulting in DoS. A Smurf is made possible by misconfigured network devices that respond to ICMP echoes sent to broadcast addresses (x.x.x.255).

https://www.youtube.com/results?search_query=smurf+attack

A Fraggle attack is the same technique, used over UDP rather than ICMP.

The Ping of Death is a variant of Smurf that sends deliberately oversized ICMP ping packets (larger than 65,535 bytes), attacking older OSs susceptible to this malformation. It no longer works against current OSs.

A Land attack is also an older one that sends a packet with the same host (IP) specified as both source and destination. This locks up some systems.

DNS Attacks

DNS replication is based on Trusts, e.g. a two-way trust between a Parent and Child domain.

DNS Record Types

    • A (“glue record”)
    • AAAA
    • MX
    • CNAME
    • NS
    • SOA
      • Start of Authority
      • the critical record in DNS
      • has a “magic” Serial Number that tracks the current version of records; that’s how secondary servers know when to get a Zone Transfer
        • IXFR – small, incremental
        • AXFR – all records

Primary and Secondary DNS Servers

Only the Primary can update records, ideally

Unrestricted Zone Transfers are a huge potential problem, because a transfer hands the requester every record in the zone.

Using Dig and Doing a Zone Transfer

dig gnorman.org

dig @nsctm1.digi.ninja -t axfr zonetransfer.me

https://flylib.com/books/en/2.684.1/transferring_a_zone_using_dig.html

Preventing unwanted zone transfers:

https://docs.microsoft.com/en-us/services-hub/health/remediation-steps-ad/configure-all-dns-zones-only-to-allow-zone-transfers-to-specified-ip-addresses

DNSSEC is the answer: trusted DNS servers only

Here’s a chatty discussion of why it’s needed and how it works:

https://www.icann.org/resources/pages/dnssec-what-is-it-why-important-2019-03-05-en

Here’s an academic viewpoint:

https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions

Tools: Wireshark

Watch what’s happening with Wireshark.

Malicious Code or Script Execution

Using MSFvenom to create malicious executables: