In the previous chapters, we learned about network structures, network security protocols, tools, and attack methods. Now we will dive into the finer details, focusing on attack targets and learning how to protect against them.
When we focus on the network, these attack targets can be categorized into two major areas:
In this chapter, you will learn about the first type of attack, that is, network-based attacks, how these attacks are carried out, how to discover them when they happen, and what measures to take in order to prevent them.
In this chapter, we will cover the following main topics:
We will start with how to plan and protect against a network-based attack.
Before attacking a network, or planning our defenses against these attacks, let's define exactly what the attacker would like to achieve when attacking the communication network.
Important Note
A cyber attack, as defined by the US National Institute of Standards and Technology (NIST), involves "targeting an enterprise's use of cyberspace for the purpose of disrupting, disabling, destroying, or maliciously controlling a computing environment/infrastructure; or destroying the integrity of the data or stealing controlled information."
If we summarize this definition, in general, cyber attacks are used for destroying information, stealing information, or preventing users from accessing IT resources. Network-based attacks can be used for the latter two actions:
Now, let's consider what we do for these two actions. These are the steps to take when planning network attacks. Some of these results can be achieved by attacks on network devices, which we will discuss in more detail in Chapter 7, Detecting Device-Based Attacks.
In both methods, the first thing to do is to gather information on the network we wish to attack. Then, we will use tools to steal information or prevent users from using IT resources. Let's start with information gathering.
Gathering information from the network can be done in several ways. The first way is, simply, when you connect to the network, run Wireshark, start the capture, and analyze the results.
Important Note
When we connect our laptop to a LAN switch, we will see broadcasts and, possibly, multicasts. Broadcasts are forwarded to all switch ports, so we will see all of them. Multicasts are also forwarded to all ports of the LAN switch unless it is configured otherwise; for instance, if IGMP snooping is enabled, multicast packets are only forwarded to the ports from which clients have asked to receive that multicast group.
By understanding these differences between broadcasts and multicasts, we will be able to gather a lot of information, as you will discover in the Reconnaissance and information gathering section.
The second way, when possible, is to use port-mirror on important ports of the network and observe the traffic that passes there.
Important Note
Port-mirror, monitor-port, Switched Port Analyzer (SPAN), and other similar terms, depending on the vendor, refer to a port configured on a LAN switch to receive a copy of all traffic going in and out of another port. In general, you configure a monitor (destination) port and a monitored (source) port; you connect your laptop to the monitor port, and all the traffic of the monitored port is mirrored to you so that you can listen to it, analyze it, or save it. Some vendors also support features such as monitoring with filters, mirroring an entire VLAN, and more.
In other methods, we can impersonate someone else, for example, in ARP poisoning, DNS attacks, and more. We will discuss these methods in Chapter 10, Discovering LAN, IP, and TCP/UDP-Based Attacks, and Chapter 15, Enterprise Applications Security – Databases and Filesystems.
Stealing information from the network requires you to perform the following steps:
Important Note
You can connect to the network by physically plugging into a switch port, either directly or through a network socket in the wall. You can also do it by connecting to a wireless network.
To gather information from network devices, we can use several tools. The first method is to use Wireshark to listen to broadcasts:
To steal meaningful information, you must do one of the following:
In Chapter 8, Network Traffic Analysis and Eavesdropping, we will discuss this in further detail.
To prevent users from using the network, you will need to perform the following steps:
To protect against these methods, first, you must understand the attacks. Understanding the types of attacks means you are halfway there. In the later chapters on protocols, we will learn how to do this.
In general, active attacks are when you perform an action, and usually, passive attacks are when you just listen.
In network security, active attacks include the following types of attacks:
Let's discover how they work. We will examine both Linux- and Windows-based examples, just to keep it interesting.
These types of attacks occur when one entity pretends to be something it is not. For instance, this can be done by faking a MAC address or IP address so that packets that are intended to go to other destinations are forwarded to us instead. Let's take a look at how ARP poisoning occurs:
In the preceding screenshot, you can observe how the PC with a MAC address of 08:00:27:f8:40:f1 sends fake ARP responses – for instance, 10.0.0.138 is at 08:00:27:f8:40:f1, 10.0.0.19 is at 08:00:27:f8:40:f1, and 10.0.0.1 is at 08:00:27:f8:40:f1. The purpose of this is that the devices receiving these ARP responses will believe the address they are looking for is the attacker's address and, therefore, send data to it.
A modification attack happens when the attacker tries to interrupt, capture, modify, steal, or delete information in the system, either via network access or via direct access using executable code. In this section, we will discuss how to do so through the network.
To modify information that has been sent through the network, you need to draw the information in your direction, modify it, and send it to the intended recipient.
To draw the information to you, you can use ARP poisoning and tools such as Ettercap. We will discuss this in more detail in Chapter 10, Discovering LAN, IP, and TCP/UDP-Based Attacks. In the context of network-based attacks, these tools are used for the manipulation of routing information, for example, to cause the routers to route packets to the attacker instead of the intended destination, as we will learn in Chapter 12, Attacking Routing Protocols; the manipulation of DNS information, as we will learn in Chapter 13, DNS Security; the manipulation of enterprise network applications, as we will learn in Chapter 15, Enterprise Applications Security – Databases and Filesystems; and tampering with and manipulating voice calls, as we will learn in Chapter 16, IP Telephony and Collaboration Services Security.
DoS and DDoS attacks prevent users from accessing network resources, and there are many types of them. In this chapter, we focus on network-based DoS/DDoS attacks, of which there are three major types:
Now, after learning what we can actively generate, let's take a look at passive attacks.
In the context of network security, passive attacks are those that listen and collect information from the network and network resources without interfering with its operation. Listening to network traffic and analyzing it is entirely passive – in this scenario, we only listen. It will become active once we use it to attack the network resources.
Reconnaissance and information gathering are the acts of learning the network structure and resources in order to prepare to attack them. There are several methods that can be used in order to learn a network structure.
The first and most simple one is to simply listen. Let's explore how we can do it.
When you are connected to a switch port, whether you physically connected to the network or you took control of a network device and installed a capture tool on it, you will be able to view all of the broadcasts sent and received by this device and others. Let's view some examples of broadcasts that we can learn from.
In Figure 6.1, we can observe some typical Wireshark capture files from which we can learn several things about the network. First, we can see Spanning Tree Protocol (STP) updates, and the interesting thing is that the root bridge has a default priority of 32768.
Important Note
The STP/RSTP standards refer to LAN Layer-2 devices, which we usually call switches, as bridges or multi-port bridges. So, whenever I refer to the standards, I will call them bridges, and everywhere else, I will call them what we are used to, that is, switches.
In STP, and its successors, Rapid STP (RSTP, which made the original STP obsolete) and Multiple Spanning Tree (MSTP, often called MST), the root bridge is the reference point of the tree: every other bridge calculates its lowest-cost path to the root and blocks the ports that are not on such a path, so traffic between segments flows along the tree toward the root. The bridge with the lowest bridge ID is elected root. The bridge ID is the bridge priority followed by the bridge's own MAC address, so when all priorities are left at the default, the bridge with the lowest MAC address becomes the root.
Important Note
Every Layer-2 switch, or bridge, has its own MAC address. Its MAC address is used in several control protocols, including STP, RSTP, and MST. This MAC address has nothing to do with the MAC addresses that are forwarded by the switch in the switching process.
In this example, inserting a switch with a switch priority of less than 32768 will make our switch the root of the STP network. This has two meanings:
There are several mechanisms that can protect the network from unrecognized switches. We can configure Bridge Protocol Data Unit (BPDU) guard on access ports, which shuts down the port as soon as any BPDU is received on it; we can configure root guard on the ports facing other switches, which blocks a port that receives a BPDU claiming a better (lower) root than the current one, so that no bridge behind that port can become the root; or we can use our Network Access Control (NAC) system to disconnect unauthorized devices. There are other methods too. The important thing is to understand the problem; once you understand it, solving it is a matter of reading the vendor's manual. Please refer to the official documentation of Cisco at https://www.cisco.com/c/en/us/td/docs/optical/15000r8_5_1/ethernet/454/guide/454a851_ethconf/454a851_configstprstp.pdf, Juniper Networks at https://www.juniper.net/documentation/en_US/junos/topics/topic-map/spanning-tree-configuring-rstp.html, Extreme Networks at https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-configure-RSTP-in-EXOS, or to the documentation of any other vendor you are working with:
From the preceding screenshot, we can observe the Layer-2 structure of the network. Note that the root bridge is the one whose MAC address ends with 4b:64:01 and whose priority is 32,768, the default. With this knowledge of STP/RSTP, we know, for example, that connecting a switch with a lower priority will make it the root bridge and draw traffic in our direction.
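To make the election rule concrete, here is an added example (my own code, not from the book or any vendor) that decodes configuration BPDUs and applies the lowest-bridge-ID rule, including the root guard and BPDU guard checks described above. The BPDU bytes are constructed to match the capture (priority 32768, a root MAC ending in 4b:64:01); the second bridge and the rogue bridge IDs are invented.

```python
"""Decode IEEE 802.1D configuration BPDUs and reason about root election.

Added example, not code from the book. The BPDUs are constructed to mirror
the capture discussed in the text (root priority 32768, MAC ending 4b:64:01);
the other bridge and the rogue are made-up values. Field layout follows the
802.1D Configuration BPDU (35 bytes after the LLC header 42 42 03); RSTP
BPDUs share this layout for these fields.
"""
import struct
from dataclasses import dataclass

# proto_id(2) version(1) type(1) flags(1) root_id(8) root_path_cost(4)
# bridge_id(8) port_id(2) message_age(2) max_age(2) hello_time(2) forward_delay(2)
BPDU_FMT = "!HBBB8sI8sHHHHH"
BPDU_LEN = struct.calcsize(BPDU_FMT)  # 35


@dataclass(frozen=True, order=True)
class BridgeId:
    """16-bit priority field (4-bit priority * 4096 + 12-bit system ID) followed by
    the bridge's MAC. Ordering is priority first, MAC second: the election rule."""
    priority: int
    mac: str

    @classmethod
    def from_bytes(cls, raw: bytes) -> "BridgeId":
        prio = struct.unpack("!H", raw[:2])[0]
        return cls(prio, ":".join("%02x" % b for b in raw[2:8]))

    def to_bytes(self) -> bytes:
        return struct.pack("!H", self.priority) + bytes.fromhex(self.mac.replace(":", ""))


def build_config_bpdu(root: BridgeId, sender: BridgeId, root_cost: int = 0) -> bytes:
    """Plain STP configuration BPDU; timers are in 1/256 s units."""
    return struct.pack(BPDU_FMT, 0x0000, 0, 0x00, 0x00, root.to_bytes(), root_cost,
                       sender.to_bytes(), 0x8001, 0, 20 * 256, 2 * 256, 15 * 256)


def parse_config_bpdu(payload: bytes) -> dict:
    if len(payload) < BPDU_LEN:
        raise ValueError("truncated BPDU")
    (proto, version, btype, flags, root_id, root_cost, bridge_id,
     port_id, msg_age, max_age, hello, fwd_delay) = struct.unpack(BPDU_FMT, payload[:BPDU_LEN])
    if proto != 0 or btype not in (0x00, 0x02):  # 0x00 STP config, 0x02 RSTP
        raise ValueError("not a configuration BPDU")
    return {"version": version, "type": btype, "flags": flags,
            "root": BridgeId.from_bytes(root_id), "root_cost": root_cost,
            "bridge": BridgeId.from_bytes(bridge_id), "port_id": port_id,
            "max_age": max_age / 256, "hello": hello / 256, "fwd_delay": fwd_delay / 256}


def elect_root(bpdus) -> BridgeId:
    """Every bridge ends up advertising the lowest root ID it has heard."""
    return min(b["root"] for b in bpdus)


def rogue_would_win(current_root: BridgeId, rogue: BridgeId) -> bool:
    """Would a newly attached bridge with this ID take over as root?"""
    return rogue < current_root


def root_guard(port_is_designated: bool, bpdu: dict, current_root: BridgeId) -> str:
    """Root guard: a superior root advertised on a port where we are designated is
    inconsistent, so the port is blocked until such BPDUs stop."""
    if port_is_designated and bpdu["root"] < current_root:
        return "root-inconsistent"
    return "forwarding"


def bpdu_guard(port_is_edge: bool, payload: bytes) -> str:
    """BPDU guard: an edge (PortFast) port must never receive a BPDU at all."""
    if not port_is_edge:
        return "forwarding"
    try:
        parse_config_bpdu(payload)
    except ValueError:
        return "forwarding"
    return "err-disabled"


# Constructed scenario: two bridges at the default priority, then a rogue.
ROOT = BridgeId(32768, "00:1e:13:4b:64:01")
OTHER = BridgeId(32768, "00:1e:13:9a:00:22")
ROGUE_DEFAULT = BridgeId(32768, "08:00:27:f8:40:f1")  # default priority, higher MAC
ROGUE_LOW = BridgeId(4096, "08:00:27:f8:40:f1")       # priority lowered by the attacker

CAPTURE = [parse_config_bpdu(build_config_bpdu(ROOT, ROOT)),
           parse_config_bpdu(build_config_bpdu(ROOT, OTHER, root_cost=4))]

if __name__ == "__main__":
    print("root:", elect_root(CAPTURE))
    print("rogue at default priority wins:", rogue_would_win(ROOT, ROGUE_DEFAULT))
    print("rogue at priority 4096 wins:", rogue_would_win(ROOT, ROGUE_LOW))
    attack = parse_config_bpdu(build_config_bpdu(ROGUE_LOW, ROGUE_LOW))
    print("root guard verdict:", root_guard(True, attack, ROOT))
```

Running it shows that a switch plugged in at the default priority loses to the existing root on the MAC address alone, that one with priority 4096 wins, and that root guard flags exactly that superior BPDU while BPDU guard refuses any BPDU on an edge port.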
In the next example, we can observe the NetBIOS browser broadcasts. In the host announcements (broadcasts sent to the NetBIOS datagram service on UDP port 138), we can see the hosts advertising their names and the services they provide. Let's look at the example more closely.
In this example, I've configured the NetBIOS display filter: browser.server_type.server == 1.
(To configure displaying a filter, fill in the filter expression in the upper bar in the main Wireshark window.)
Since all Microsoft NetBIOS devices send periodic announcements as broadcasts, and since this filter shows only the announcements in which the sending device flags itself as a server, this is an excellent way to list all servers in the network:
From the preceding example, we can see that we have the 172.16.1.30 and 192.168.203.204 servers, along with some others. Additionally, clicking on 192.168.203.204 shows us that this is a domain controller, a SQL server, and a time source. These are important network functions – attacking this server will probably cause significant damage, and listening to what is coming in and going out from it will bring us a lot of information regarding the network and network users.
In this last example, we listen to multicast packets on the network using the eth.dst[0:3] == 01:00:5e Wireshark display filter (01:00:5e is the prefix of every IPv4 multicast MAC address). We will observe the following packets:
Here's what we can understand from these packets:
Now, let's take a look at what information we can get from routing updates:
As you can see in Figure 6.5, digging into the packet gives us more information. For example, when we look at the OSPF packet, we can see the IP address of the source router. From the source MAC address, we learn the vendor (perhaps there are known vulnerabilities in this vendor's routers); we can see the router's area, that is, the OSPF area 0.0.0.0 (if we send fake updates, we will send them to this area); and we can see that the Hello message carries the network mask of the interface it was sent from, 255.255.255.240, that is, a /28 subnet with 14 usable hosts (16 addresses minus the network and broadcast addresses). The Hello itself is sent to the AllSPFRouters multicast address, 224.0.0.5.
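As an added example (not code from the book), the following decodes an OSPFv2 Hello and lists what an eavesdropper learns from it, including the mask-to-host-count arithmetic above and the 01:00:5e multicast MAC mapping behind the earlier display filter. The packet is constructed here: the router ID 10.0.0.1 and the neighbor 10.0.0.2 are invented, while the mask 255.255.255.240 and area 0.0.0.0 follow the capture.

```python
"""Decode an OSPFv2 Hello heard on a LAN segment and list what it reveals.

Added example, not code from the book. The packet is constructed (router ID
and neighbour invented; mask 255.255.255.240 and area 0.0.0.0 as in the
capture). Layout per RFC 2328 A.3.1 (header) and A.3.2 (Hello).
"""
import ipaddress
import struct

OSPF_HDR = "!BBHIIHH8s"    # version, type, length, router ID, area ID, checksum, autype, auth
HELLO_FIXED = "!IHBBIII"   # network mask, hello interval, options, priority, dead interval, DR, BDR
ALL_SPF_ROUTERS = "224.0.0.5"


def ip(a) -> int:
    return int(ipaddress.IPv4Address(a))


def ipv4_multicast_mac(addr: str) -> str:
    """IPv4 multicast to MAC: 01:00:5e followed by the low 23 bits of the group.
    This is why eth.dst[0:3] == 01:00:5e catches OSPF, IGMP and friends."""
    low23 = ip(addr) & 0x7FFFFF
    return "01:00:5e:%02x:%02x:%02x" % (low23 >> 16, (low23 >> 8) & 0xFF, low23 & 0xFF)


def ospf_checksum(pkt: bytes) -> int:
    """Internet checksum over the packet with the 64-bit authentication field
    skipped (the rule for null and simple-password authentication)."""
    data = pkt[:16] + pkt[24:]
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_hello(router_id, area_id, mask, neighbors=(), autype=0, auth=b"\x00" * 8) -> bytes:
    body = struct.pack(HELLO_FIXED, ip(mask), 10, 0x02, 1, 40, ip(router_id), 0)
    body += b"".join(struct.pack("!I", ip(n)) for n in neighbors)
    hdr = struct.pack(OSPF_HDR, 2, 1, 24 + len(body), ip(router_id), ip(area_id), 0, autype, auth)
    pkt = hdr + body
    return pkt[:12] + struct.pack("!H", ospf_checksum(pkt)) + pkt[14:]


def parse_hello(pkt: bytes) -> dict:
    ver, ptype, length, rid, area, _csum, autype, _auth = struct.unpack(OSPF_HDR, pkt[:24])
    if ver != 2 or ptype != 1:
        raise ValueError("not an OSPFv2 Hello")
    if length != len(pkt) or ospf_checksum(pkt) != 0:
        raise ValueError("bad length or checksum")
    mask, hello_int, _options, prio, dead_int, dr, bdr = struct.unpack(HELLO_FIXED, pkt[24:44])
    mask_str = str(ipaddress.IPv4Address(mask))
    prefixlen = ipaddress.IPv4Network("0.0.0.0/" + mask_str).prefixlen
    return {
        "router_id": str(ipaddress.IPv4Address(rid)), "area": str(ipaddress.IPv4Address(area)),
        "autype": autype, "mask": mask_str, "prefixlen": prefixlen,
        "usable_hosts": 2 ** (32 - prefixlen) - 2 if prefixlen <= 30 else 2 ** (32 - prefixlen),
        "hello": hello_int, "dead": dead_int, "priority": prio,
        "dr": str(ipaddress.IPv4Address(dr)), "bdr": str(ipaddress.IPv4Address(bdr)),
        "neighbors": [str(ipaddress.IPv4Address(n)) for (n,) in struct.iter_unpack("!I", pkt[44:length])],
        "expected_dst_mac": ipv4_multicast_mac(ALL_SPF_ROUTERS),
    }


def hello_findings(h: dict) -> list:
    """What the Hello tells an attacker sitting on the same segment."""
    f = ["router %s in area %s, mask %s (/%d, %d usable hosts)"
         % (h["router_id"], h["area"], h["mask"], h["prefixlen"], h["usable_hosts"])]
    if h["autype"] == 0:
        f.append("null authentication: forged Hellos/LSAs from this segment would be accepted")
    elif h["autype"] == 1:
        f.append("simple-password authentication: the password travels in clear text")
    if h["area"] == "0.0.0.0":
        f.append("backbone area 0 is reachable from this segment")
    if h["priority"] > 0 and h["dr"] == "0.0.0.0":
        f.append("no DR elected yet: a rogue with priority 255 could become DR")
    f.append("known neighbours: %s" % ", ".join(h["neighbors"] or ["none"]))
    return f


# Constructed sample: router 10.0.0.1 on a /28 in area 0, one neighbour, no authentication.
SAMPLE_HELLO = build_hello("10.0.0.1", "0.0.0.0", "255.255.255.240", neighbors=("10.0.0.2",))

if __name__ == "__main__":
    for line in hello_findings(parse_hello(SAMPLE_HELLO)):
        print("-", line)
```

The checksum routine is there so that a captured Hello can be validated before trusting its fields; the findings list is what you would write down before deciding whether forged updates into area 0 are even possible (they are, whenever the authentication type is 0).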
Listening on a single device, or using a port-mirror to listen to a single device, will give you all the information you need. Two Wireshark features help here: the Statistics > Conversations and Statistics > Protocol Hierarchy windows, as you can see in the following screenshot.
Figure 6.6 shows a simple example of what we can get from a simple capture on a switch port:
In this example, we use Statistics > Protocol Hierarchy to view all the protocols that were discovered. Right-clicking a line in the protocol hierarchy and choosing Apply as Filter > Selected shows you the packets of that protocol.
The first example, on the right-hand side (as highlighted in blue), shows the SNMP GET commands from 10.1.2.4; from this, we know that 10.1.2.4 is an SNMP management system.
The second example, on the right-hand side (as highlighted in red), shows the SIP session initiated from 10.101.220.1 to 10.101.116.200; from this, we know that 10.101.116.200 is a SIP server.
The third example, on the right-hand side (as highlighted in green), shows (for example) NTP requests from 10.175.90.160 to 204.152.184.72; from this, we know that 204.152.184.72 is a time server.
Now that we have a solid understanding of this, we can start connecting to servers, attacking them, and more.
Now, let's explore one of the major types of network-based attacks: DoS/DDoS attacks and flooding.
A common method in which to prevent users from accessing IT resources in general, and network resources specifically, is to use DoS/DDoS mechanisms. The principle here is simple. A network resource can be a network device or a communication line. Loading the resource to the point it is blocked will prevent users from accessing this resource. It's as simple as that. Now the issue is how to load it.
There are two major types of DoS/DDoS attacks that target the network resources:
We will begin with network scanning, which is one of the methods in which to create volumetric attacks.
Scanners can be used on several levels. They can be used to discover network hosts, services on network hosts, usernames on applications, and more. In this section, we will talk about a scanning attack that can be used to flood the network.
To perform network scans, we have many tools and scripts that can be used. For Windows and Linux, we have nmap, which we have discussed already, Scapy (mostly used on Linux, but it runs on Windows too), PacketSender (Windows and Linux), and more. Whatever the tool, the principle is the same: load the network to the point it can no longer provide connectivity services.
A flood, or flooding, is a type of DoS/DDoS attack in which the attacker constantly sends traffic to a target network, network interface, communications link, or server in order to consume its resources and prevent legitimate users from accessing it. There are various types of flooding attacks; examples include ICMP flooding, TCP or UDP flooding, and HTTP/HTTPS flooding. The first type of flooding we see is an Internet Control Message Protocol (ICMP) DDoS, in which a ping worm blocks the network:
In Wireshark, we can see (on the left-hand side) many ICMP packets sent from addresses on the 192.168.110.0/24 network to various IP destinations. On the right-hand side, we see the network structure: remote offices on networks 192.168.110.0/24, 192.168.111.0/24 up to 192.168.149.0/24, with a total of 50 remote offices.
To identify the problem, we can open the Statistics Conversations window. Let's examine this in the following screenshot:
On the left-hand side, you can view host 192.168.110.5. It starts the scan from 192.170.3.0 (even though this is not a legitimate host address), continues to 192.170.3.1, then 192.170.3.2, and so on until it gets to 192.170.3.255. Then, in the center screenshot, it starts again from 192.170.4.0 to 192.170.4.1, and so forth. This is clearly a scanning pattern.
When this worm catches one of the network's hosts, it pings the next host, then the next one, and so on. For instance, this problem started when someone inserted an external disk into their PC; the worm infected their PC and started to ping. Any PC that responded to the ping request was also infected, and all of the infected PCs generated ICMPs that blocked the communications line.
The funny (or, from the customer's point of view, very sad) point is that when a PC on the 192.168.110.0/24 network finishes scanning this network and pings 192.168.110.255, it continues to 192.168.111.0. These pings are forwarded to the default gateway, and on their way to the next network, they block the line from 192.168.110.0/24 to the center. The result can be observed in the screenshot on the right-hand side: the 0.8 Mbps line to the center is now saturated. This is a typical DDoS. In this case, the amplification comes from the worm itself: every host it infects adds its own scan traffic to the line.
Unlike methods that are used to break into the network, to listen to information, or to cause any other damage to the network, the purpose of random traffic generation is to send traffic that is meant to flood the network to the point it will stop functioning.
In the next example, we can observe that the majority of the traffic consists of IPv6 packets. As you can see, there are many packets – up to 20,000 packets per second – indicating the massive usage of IPv6 or something suspicious:
Looking at the packets (which is always recommended), we can observe the following capture:
Here, we can notice several suspicious things:
When we open the Conversations window (from the Statistics menu), and click on the IPv6 tab, it becomes even more strange. Let's take a look at the following screenshot:
Here, we can observe the most typical scanning pattern, that is, all of the packets are going in one direction – from the addresses that start with a:627 to the addresses that start with 0:3d1. Additionally, we can see the non-standard IPv6 addresses.
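Both the ICMP worm and this IPv6 flood show the same signature in the Conversations window: one source, many destinations, nothing coming back, and addresses that step through a range. The following is an added example (not the book's code) that turns those observations into a check over Conversations-style records; the records are constructed to mimic the two captures, and the thresholds are my own choices.

```python
"""Scan and worm detection from Conversations-style records.

Added example, not code from the book. The records are constructed to mimic
the two captures above: an ICMP worm on 192.168.110.5 walking 192.170.3.0-255
and on into 192.170.4.x, and an IPv6 source sweeping part of 2001:db8:0:3d1::/64
one way. All addresses are invented.
"""
import ipaddress
from collections import defaultdict

# (source, destination, packets A->B, packets B->A), as the Conversations tab shows them
SAMPLE = (
    [("192.168.110.5", "192.170.3.%d" % i, 1, 0) for i in range(256)]
    + [("192.168.110.5", "192.170.4.%d" % i, 1, 0) for i in range(40)]
    + [("2001:db8:a:627::10", "2001:db8:0:3d1::%x" % i, 2, 0) for i in range(1, 65)]
    # ordinary two-way traffic that must not be flagged
    + [("192.168.110.7", "192.168.110.1", 120, 118), ("192.168.110.7", "8.8.8.8", 12, 12),
       ("192.168.110.9", "10.1.2.4", 300, 290)]
)


def longest_consecutive_run(addrs) -> int:
    """Length of the longest run of numerically adjacent destination addresses."""
    ints = sorted({int(ipaddress.ip_address(a)) for a in addrs})
    if not ints:
        return 0
    best = run = 1
    for prev, cur in zip(ints, ints[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


def profile_sources(records) -> dict:
    per_src = defaultdict(list)
    for src, dst, ab, ba in records:
        per_src[src].append((dst, ab, ba))
    out = {}
    for src, convs in per_src.items():
        dsts = [d for d, _, _ in convs]
        one_way = sum(1 for _, ab, ba in convs if ab > 0 and ba == 0)
        out[src] = {
            "distinct_dst": len(set(dsts)),
            "one_way_ratio": one_way / len(convs),
            "longest_run": longest_consecutive_run(dsts),
            "family": ipaddress.ip_address(src).version,
        }
    return out


def flag_scanners(records, min_dst=32, min_one_way=0.9, min_run=16) -> list:
    """A scanner talks to many destinations, almost nobody answers, and the
    destinations are either numerically adjacent (sequential sweep) or very
    numerous (random sweep, which shows no run). Thresholds are constructed."""
    flagged = []
    for src, p in profile_sources(records).items():
        sequential = p["longest_run"] >= min_run
        broad = p["distinct_dst"] >= 4 * min_dst
        if p["distinct_dst"] >= min_dst and p["one_way_ratio"] >= min_one_way and (sequential or broad):
            flagged.append(src)
    return sorted(flagged)


if __name__ == "__main__":
    for src, p in profile_sources(SAMPLE).items():
        print(src, p)
    print("flagged:", flag_scanners(SAMPLE))
```

The same function works on IPv4 and IPv6 because the run detection compares the integer form of the addresses; the two-way conversations of 192.168.110.7 and 192.168.110.9 are left alone even though one of them carries far more packets than the scanner.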
In this section, we will examine how DoS/DDoS attacks are generated. We are doing this to better understand how these mechanisms work so that we can protect against them.
There are a large number of tools on the internet that can be used for loading the network, including general tools such as nmap (for Linux and Windows), the iPerf/jPerf client-server application (for Linux and Windows), and Colasoft Packet Builder.
As there are many tools and methods in which to generate network-based DoS/DDoS attacks, there are several simple measures to take in order to protect against them:
Let's go through the network layers and examine how to protect against attacks in each one of them.
By Layer 2 attacks, we refer to attacks that interfere with the normal operation of the OSI Layer-2 network protocols. In this category, we have attacks on LAN switching, including MAC learning, VLANs, STP/RSTP, MAC security, and other Layer-2 functionality of the network. Let's examine some examples and learn how to protect against them.
LAN switches contain a MAC table that holds all of the MAC addresses that were learned by the switch. In Chapter 2, Network Protocol Structures and Operations, we learned how switches operate: a LAN switch learns the MAC addresses of the devices connected to it and forwards frames destined to these MAC addresses only to the physical ports the devices are connected to. Every switch has a limit on the number of MAC addresses it can learn. When the MAC address table is full, the switch can no longer add entries, and as existing entries age out and cannot be re-learned, frames to those destinations are forwarded out of all ports, so everyone, the attacker included, can see them.
To generate a MAC flooding attack, we have several tools that we can use in Windows and Kali Linux.
In Windows, you can use tools such as Colasoft Packet Generator, and in Linux, you can use macof, which is part of the dsniff package.
To use macof, perform the following steps:
The results of this attack can be viewed in the following screenshot:
Looking at the upper window of the preceding screenshot, we see very short intervals between packets. In the middle window, there are 34,269 packets between 10.0.0.22 and 10.0.0.138, all of them from A to B, that is, from 10.0.0.22 to 10.0.0.138. In the lower window, we see random source MAC addresses, strengthening our assumption that this is not normal traffic.
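To see why the switch behaves this way, and what port security changes, here is an added example (my own toy model, not the book's code or any vendor's implementation): a switch with a bounded MAC table, a macof-style attacker on port 3, and an optional per-port limit on learned MACs. The MAC addresses, ports, and table size are invented.

```python
"""Why MAC flooding works, and what port security changes.

Added example, not code from the book: a toy LAN switch with a bounded MAC
(CAM) table, a macof-style attacker on port 3, and an optional port-security
limit. MACs, ports and the table size are invented.
"""
import random

MAC_A = "00:0c:29:aa:00:01"   # host A on port 1
MAC_B = "00:0c:29:bb:00:02"   # host B on port 2


def random_mac(rng) -> str:
    """Random locally administered unicast MAC, the pattern seen in the capture."""
    return "02:" + ":".join("%02x" % rng.randrange(256) for _ in range(5))


class Switch:
    def __init__(self, ports, table_size, port_security_max=None):
        self.ports = list(ports)
        self.table_size = table_size          # CAM capacity
        self.ps_max = port_security_max       # max secure MACs per port (None = off)
        self.mac_table = {}                   # mac -> port
        self.secure_macs = {p: set() for p in ports}
        self.err_disabled = set()
        self.flooded_frames = 0

    def forward(self, ingress, src_mac, dst_mac):
        """Return the list of egress ports for one frame."""
        if ingress in self.err_disabled:
            return []
        if self.ps_max is not None and src_mac not in self.secure_macs[ingress]:
            if len(self.secure_macs[ingress]) >= self.ps_max:
                self.err_disabled.add(ingress)      # violation mode "shutdown"
                return []
            self.secure_macs[ingress].add(src_mac)
        # Learning: a full table simply stops learning new addresses.
        if src_mac not in self.mac_table and len(self.mac_table) < self.table_size:
            self.mac_table[src_mac] = ingress
        if dst_mac in self.mac_table:
            return [self.mac_table[dst_mac]]
        # Unknown destination: flood out of every other port, the attacker's included.
        self.flooded_frames += 1
        return [p for p in self.ports if p != ingress]


def run_scenario(port_security_max=None, attack_frames=5000, seed=7) -> dict:
    rng = random.Random(seed)
    sw = Switch(ports=[1, 2, 3], table_size=1024, port_security_max=port_security_max)
    for _ in range(attack_frames):                  # attacker on port 3 blasts random MACs
        sw.forward(3, random_mac(rng), random_mac(rng))
    sw.forward(2, MAC_B, MAC_A)                     # B speaks; a healthy switch learns it
    egress = sw.forward(1, MAC_A, MAC_B)            # A -> B: unicast, or flooded?
    return {
        "a_to_b_egress": egress,
        "b_visible_to_attacker": 3 in egress,
        "attacker_port_disabled": 3 in sw.err_disabled,
        "table_entries": len(sw.mac_table),
    }


if __name__ == "__main__":
    print("no port security:  ", run_scenario())
    print("port security max 2:", run_scenario(port_security_max=2))
```

Without port security the table fills with junk, B is never learned, and the frame from A to B is flooded to port 3 where the attacker captures it. With a limit of two MAC addresses per port, the attacker's port is shut down on the third address, the table stays almost empty, and A's frame goes to port 2 only.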
To protect against MAC flooding, you can take several countermeasures:
In the next section, we will examine spanning tree-based attacks and learn how to defend against them.
As discussed in Chapter 2, Network Protocol Structures and Operations, there are three types of potential attacks in STP:
Let's explore how to generate these attacks so that we can better understand how to protect against them.
In an STP/RSTP attack, you cause the network to forward packets to you. You can do one of two things.
First, if you are physically connected to the network, configure a switch with the lowest possible bridge priority. If the network is not protected, your switch will become the root and all network traffic will pass through it.
Second, knowing the structure of the STP protocols (STP, RSTP, and MSTP), you can use tools such as Colasoft Packet Builder (for Windows) by loading an existing STP capture file (there are many of them on the internet; just search for STP .pcap) and editing the BPDU fields. In the following screenshot, you can see the Packet Builder window:
Note that you can also use various packet crafting tools in Linux, such as Scapy, packETH, and more.
To protect against STP protocols attacks, take the following measures:
In any case, read the vendor's manual on network device hardening.
Let's go one layer higher to the IP and learn and understand how attacks are carried out and how we can protect against them.
In this section, we will discuss ARP and IP attacks. Let's start with ARP poisoning, which is also known as ARP spoofing.
ARP is a protocol that resolves the destination MAC address from the destination IP address. Note that we discussed this in Chapter 2, Network Protocol Structures and Operations.
ARP poisoning (also known as ARP spoofing) is a type of attack that involves sending forged ARP replies on a LAN in order to change the ARP cache of another host, typically the default gateway.
The attack alters the MAC address stored for the host under attack in the gateway's ARP cache, so that instead of sending packets to the host under attack, the gateway sends them to the attacker, who can copy their content.
Once the default gateway has changed its ARP cache with the faulty MAC entry, all of the traffic sent to the host under attack travels through the attacker's computer, allowing the attacker to inspect or modify it before forwarding it to its real destination.
ARP poisoning can be used as a DoS attack, preventing packets from getting to the host under attack. It can also be used as a MITM attack in which we get information sent to the host under attack and then send the information to it. It can be further used for session hijacking, causing users to open sessions to the attacker instead of the host under attack.
In the following diagram, we can view an example of ARP poisoning:
Let's take a look at the preceding example. The first step is when, as in regular operations, Alice wants to communicate with Bob. From address 192.168.1.1, Alice sends an ARP request looking for the MAC address of Bob, that is, the MAC address of 192.168.1.103. This broadcast is flooded to all ports of the switch. We can observe this in packet number 5 of the Wireshark capture file.
Both the attacker (Trudy) and the host under attack (Bob) send responses to the ARP request. Trudy's response is in packet 6 of the capture, and Bob's response is in packet 7.
Now, the question is what happens when Alice receives these two ARP responses for 192.168.1.103: the first with the MAC address 00:d0:59:12:9b:02, and the second with the MAC address 00:d0:59:aa:af:80. Whether Alice keeps the first one she learned or the last one depends on the operating system; most stacks overwrite the cache entry with the most recent reply, which is why poisoning tools keep sending their replies periodically.
In Wireshark, you will see a notification on a duplicate IP address because Wireshark sees the same IP (192.168.1.103) with two MAC addresses – the real and the fake ones.
Let's examine how to generate ARP poisoning and gain a good understanding of how it's done.
You have several tools that can generate false ARP responses.
For Linux, you can use the arpspoof command, which is part of the dsniff package and is installed under /usr/sbin.
The command's format is as follows (-t selects the device under attack, and -r poisons both that device and the gateway, so that traffic in both directions passes through you):
arpspoof -i <interface-name> -t <device-under-attack> -r <gateway>
For example, consider the following:
arpspoof -i eth0 -t 10.0.0.6 -r 10.0.0.138
Similarly, for Windows, you can use packet builders such as Colasoft.
Since ARP poisoning is a LAN-based attack (ARP works within a single LAN or a single VLAN), the first step is to use a NAC system so that unauthorized users cannot access your LAN. However, this is only a partial solution: it does not help when the attack comes from the internal network, which is the case in most attacks, where an internal device is infected and attacks the network it is connected to.
For this reason, the second step is to enable Dynamic ARP Inspection (DAI) on the LAN switches. DAI validates ARP packets received on untrusted ports against the IP-to-MAC binding table built by DHCP snooping (or static entries) and drops replies whose sender IP and MAC do not match; it also supports ARP rate limiting on these ports, so that a host sending ARP far faster than a normal host would gets its port shut down. The feature exists, under this or a similar name, on most enterprise switches.
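The following added example (not code from the book) puts both halves of this section together: the capture-side check for the two poisoning signatures seen earlier in the chapter (one MAC answering for many IPs, and two MACs answering for 192.168.1.103), and a miniature of the DAI check a switch applies. The binding table, port numbers, and rate limit are invented.

```python
"""Spotting ARP poisoning in a capture, and the check DAI applies on the switch.

Added example, not code from the book. The reply records are constructed
from the two captures described in this chapter (one MAC claiming three IPs;
two MACs claiming 192.168.1.103); the binding table and rate limit are
invented parameters.
"""
from collections import defaultdict

# (sender MAC, sender IP) from ARP replies, as Wireshark shows "x is at y"
CAPTURE_1 = [("08:00:27:f8:40:f1", "10.0.0.138"), ("08:00:27:f8:40:f1", "10.0.0.19"),
             ("08:00:27:f8:40:f1", "10.0.0.1"), ("00:11:22:33:44:55", "10.0.0.138")]
CAPTURE_2 = [("00:d0:59:12:9b:02", "192.168.1.103"), ("00:d0:59:aa:af:80", "192.168.1.103"),
             ("00:50:56:c0:00:08", "192.168.1.1")]


def arp_conflicts(replies) -> dict:
    """Two signs of poisoning: one IP answered by several MACs (Wireshark's
    'duplicate IP address' warning) and one MAC answering for many IPs. The
    second is noisier: a router doing proxy ARP does that legitimately."""
    ip_to_macs, mac_to_ips = defaultdict(set), defaultdict(set)
    for mac, ip in replies:
        ip_to_macs[ip].add(mac)
        mac_to_ips[mac].add(ip)
    return {
        "ip_with_many_macs": {ip: sorted(m) for ip, m in ip_to_macs.items() if len(m) > 1},
        "mac_with_many_ips": {mac: sorted(i) for mac, i in mac_to_ips.items() if len(i) > 1},
    }


class ArpInspector:
    """Dynamic ARP Inspection in miniature. On untrusted ports an ARP packet is
    forwarded only if its sender IP/MAC pair matches the binding table built by
    DHCP snooping (or static entries); a per-port rate limit err-disables a port
    that sends ARP faster than a host plausibly would."""

    def __init__(self, bindings, trusted_ports=(), rate_limit_pps=15):
        self.bindings = dict(bindings)          # ip -> mac
        self.trusted = set(trusted_ports)
        self.rate_limit = rate_limit_pps
        self.counts = defaultdict(int)          # (port, second) -> packets seen
        self.err_disabled = set()

    def inspect(self, port, sender_mac, sender_ip, t=0.0) -> str:
        if port in self.trusted:
            return "permit"
        if port in self.err_disabled:
            return "drop: port err-disabled"
        self.counts[(port, int(t))] += 1
        if self.counts[(port, int(t))] > self.rate_limit:
            self.err_disabled.add(port)
            return "drop: rate limit exceeded"
        if self.bindings.get(sender_ip) == sender_mac:
            return "permit"
        return "drop: %s is not bound to %s" % (sender_ip, sender_mac)


# Constructed binding table, as DHCP snooping would have learned it.
BINDINGS = {"10.0.0.6": "08:00:27:aa:bb:cc", "10.0.0.138": "00:11:22:33:44:55"}

if __name__ == "__main__":
    for name, cap in (("capture 1", CAPTURE_1), ("capture 2", CAPTURE_2)):
        print(name, arp_conflicts(cap))
    dai = ArpInspector(BINDINGS, trusted_ports={24})
    print(dai.inspect(5, "08:00:27:f8:40:f1", "10.0.0.138"))   # the poisoner's claim
    print(dai.inspect(5, "08:00:27:aa:bb:cc", "10.0.0.6"))     # the real host
```

The capture-side check is what you run on a pcap after the fact; the inspector is what the switch does in line, which is why DAI depends on DHCP snooping being enabled first: without bindings there is nothing to validate against.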
Now, let's take a look at DHCP and how it can be compromised.
As you might have gathered from the name, a DHCP starvation attack is where we generate a large number of DHCP requests with fake MAC addresses so that, eventually, there are no more IP addresses available to allocate to legitimate devices; therefore, the network becomes unavailable to users.
A DHCP starvation attack works by broadcasting DHCP requests with spoofed MAC addresses; there are many tools available on the internet that send out these frames. The attacker can then continue by running their own rogue DHCP server and answering client requests, so that clients end up using the attacker's parameters and company data is sent to the attacker.
Since DHCP also allocates DNS addresses, default gateways, and other parameters, the attacker can become the network server, causing all network traffic to be sent to their computer. Let's examine how it's done next.
There are several ways in which to abuse the DHCP protocol. If NAC is not configured, you can simply connect a home router to the network. Usually, these routers come with a DHCP server running by default. When you connect it to the network, every device that connects or renews its IP address will get its address either from the network's DHCP server or from the new router, so complete chaos is guaranteed. If the network is NAC protected and you have gained control over one of its devices, you can install a DHCP server on it.
A simple and friendly tool to use for this purpose is Kali Linux's yersinia. You can use this to generate DHCP requests or as a rogue server:
Next, let's take a look at how we can protect against this attack.
To protect against DHCP attacks, take the following measures:
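As an added example (not the book's code), here is the logic these measures rely on, in miniature, the way DHCP snooping implements it on a switch: DHCP packets are built and parsed, server messages are accepted only from a trusted port, a client's chaddr must match the frame's source MAC, and a port that presents too many distinct clients is shut down. Addresses, MACs, ports and the per-port limit are invented.

```python
"""DHCP starvation and rogue servers, and the DHCP snooping checks that stop them.

Added example, not code from the book. Packets are built here (RFC 2131
layout, option 53 only); MACs, ports, addresses and the per-port limit are
invented.
"""
import ipaddress
import struct
from collections import defaultdict

# op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr, chaddr, sname, file
DHCP_FIXED = "!BBBBIHHIIII16s64s128s"
MAGIC = b"\x63\x82\x53\x63"
DISCOVER, OFFER, REQUEST, ACK = 1, 2, 3, 5


def ip(a) -> int:
    return int(ipaddress.IPv4Address(a))


def build_dhcp(msg_type, chaddr, xid, yiaddr="0.0.0.0", siaddr="0.0.0.0") -> bytes:
    op = 1 if msg_type in (DISCOVER, REQUEST) else 2        # BOOTREQUEST / BOOTREPLY
    hw = bytes.fromhex(chaddr.replace(":", "")).ljust(16, b"\x00")
    fixed = struct.pack(DHCP_FIXED, op, 1, 6, 0, xid, 0, 0x8000, 0, ip(yiaddr), ip(siaddr), 0,
                        hw, b"\x00" * 64, b"\x00" * 128)
    return fixed + MAGIC + bytes([53, 1, msg_type, 255])


def parse_dhcp(pkt: bytes) -> dict:
    op, _htype, hlen, _hops, xid, _secs, _flags, _ciaddr, yiaddr, siaddr, _giaddr, chaddr, _s, _f = \
        struct.unpack(DHCP_FIXED, pkt[:236])
    if pkt[236:240] != MAGIC:
        raise ValueError("missing DHCP magic cookie")
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != 255:
        if pkt[i] == 0:                       # pad option
            i += 1
            continue
        length = pkt[i + 1]
        opts[pkt[i]] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": op, "xid": xid, "chaddr": ":".join("%02x" % b for b in chaddr[:hlen]),
            "yiaddr": str(ipaddress.IPv4Address(yiaddr)), "siaddr": str(ipaddress.IPv4Address(siaddr)),
            "msg_type": opts[53][0] if 53 in opts else None}


class DhcpSnooper:
    def __init__(self, trusted_ports, max_clients_per_port=20):
        self.trusted = set(trusted_ports)
        self.limit = max_clients_per_port
        self.clients = defaultdict(set)       # port -> chaddr values seen
        self.err_disabled = set()
        self.bindings = {}                    # ip -> chaddr, later consumed by DAI / IP Source Guard

    def inspect(self, port, src_mac, pkt) -> str:
        if port in self.err_disabled:
            return "drop: port err-disabled"
        d = parse_dhcp(pkt)
        if d["op"] == 2:                       # OFFER/ACK/NAK: only the real server may send these
            if port not in self.trusted:
                return "drop: server message on untrusted port"
            if d["msg_type"] == ACK:
                self.bindings[d["yiaddr"]] = d["chaddr"]
            return "permit"
        if port not in self.trusted and d["chaddr"] != src_mac:
            return "drop: chaddr does not match frame source MAC"
        self.clients[port].add(d["chaddr"])
        if port not in self.trusted and len(self.clients[port]) > self.limit:
            self.err_disabled.add(port)       # one access port does not host this many clients
            return "drop: too many distinct clients (starvation)"
        return "permit"


def starvation_run(snooper, port, count) -> list:
    """Yersinia-style starvation: DISCOVERs with a fresh chaddr each time, the frame
    source MAC spoofed to match, so the chaddr check alone does not catch it."""
    verdicts = []
    for i in range(count):
        mac = "02:00:00:00:%02x:%02x" % (i >> 8, i & 0xFF)
        verdicts.append(snooper.inspect(port, mac, build_dhcp(DISCOVER, mac, 0x1000 + i)))
    return verdicts


if __name__ == "__main__":
    snoop = DhcpSnooper(trusted_ports={24})
    rogue = build_dhcp(OFFER, "08:00:27:00:00:01", 0x1234, yiaddr="10.0.0.200", siaddr="10.0.0.254")
    print("rogue OFFER on port 7:", snoop.inspect(7, "08:00:27:f8:40:f1", rogue))
    print("starvation on port 7:", starvation_run(snoop, 7, 25)[18:23])
```

The binding table the snooper builds from ACKs on the trusted port is the same table DAI uses in the ARP section, which is the practical reason the two features are always enabled together.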
In this section, we learned about attacks on the network, from Layer-2 to Layer-3 attacks. Additionally, we learned how to generate these attacks and how to protect against them.
In this chapter, we discussed network-based attacks, that is, attacks that target network resources in order to prevent users from using the network.
We examined two major types of attacks: those that simply load the network to the point that users are no longer able to use it, and the network protocol-based attacks that target basic network functionality, such as ARP and DHCP, in an attempt to prevent the network from functioning.
In this chapter, you learned how to use traffic-generation tools and tools that are used to generate attacks on Layer-2 and Layer-3 protocols. Additionally, you learned how to protect against them.
In the next chapter, we will learn about attacks on network devices, how to perform them, how to discover them, and how to defend against them.