Metasploit
multi-purpose computer security and penetration testing framework that is used worldwide for both legitimate security analysis and unauthorized activities. Developed by Rapid7, it is intentionally modular, as it allows the attacker to mix and match scanners, exploits, and payloads into a single attack.
Netcat
command-line utility used to read from, or write to, a TCP or UDP network connection. It can create or connect to a TCP server, act as a simple proxy or relay, transfer files, launch executables (such as a backdoor shell) when a connection is made, test services and daemons, and even scan ports.
Nmap
most widely used network scanner today. In addition to being used by network administrators to test the LAN, Nmap is the underlying scanning engine in a number of commercial and open-source vulnerability testing products.
Nmap Scripting Engine
An open-source collection of tools used when pentesting in a Windows environment. The Impacket library provides methods for several attacks, such as NTLM and Kerberos authentication attacks, pass the hash, credential dumping, and packet sniffing.
CrackMapExec (CME)
post-exploitation tool used to identify vulnerabilities in Active Directory environments.
Wireshark/tcpdump
packet capturing programs. Wireshark is a powerful open-source protocol analysis tool that has the ability to decrypt many of the protocols used to conceal data, such as IPsec, Kerberos, and SSL/TLS. tcpdump is often used to capture packets, and Wireshark is used to analyze the captured packets.
msfvenom
A very flexible and useful component of the Metasploit framework dedicated to generating many different payloads for different platforms and architectures.
Responder
An on-path type tool that can be used to exploit name resolution on a Windows network
Hydra
Parallel brute-forcer for network logins. It supports parallel testing of several network authentications. This tool comes bundled with a tool called pw-inspect that allows for analyzing a dictionary and printing only the entries that match password requirements.
Domain Name System (DNS) cache poisoning
sends bogus records to a DNS resolver. When the victim requests an IP address, the DNS server will send the wrong IP address. That will redirect traffic to the malicious actor's IP address instead of the web server's IP address.
Address Resolution Protocol (ARP) spoofing
transmits spoofed ARP messages out on the LAN. The spoofed messages falsely report a malicious actor's MAC address as being the victim's address. Similar to a DNS cache poisoning attack, this will redirect traffic to the malicious actor instead of the victim's MAC address.
MAC address spoofing
modifies the MAC address on the malicious actor's NIC so that it matches the MAC address on the victim's machine. Once done, the traffic will be directed to both the victim and the malicious actor.
DLL Hijacking
Many Windows applications and services load DLL files when started. The pentester may be able to replace a DLL file with one they have created that will run malicious code with the same access level as the service itself.
VLAN Hopping
act of illegally moving from one VLAN to another. To launch this attack, a malicious actor can do one of the following:
MAC Flooding
overflows the MAC table on a vulnerable switch so that it behaves like a hub, repeating frames out all ports.
Multihomed Hosts
any device on the network that is connected to two or more networks simultaneously.
On-Path Attack
The attacker intercepts the communications between two parties and forwards them on. This is often done to eavesdrop and grab credentials for the network or unsecured wireless networks.
Pass-the-Hash Attack
often used in a Windows environment. The attacker captures the hashed credentials and passes them on to log in as a legitimate user.
Pass-the-Ticket Attack
This attack is similar to a Pass-the-Hash attack, but intercepts Kerberos tickets instead.
Packet Fragmentation
Splitting the packets into small chunks so the IDS does not detect them.
TTL Evasion
Packets are crafted with a TTL value so they will expire before reaching the IDS, but not the target system.
Alternate Encoding
The packets are encoded in a way so the IDS will not decode them, but the target system will (e.g., base64).
Source Routing
Customizing the route the packet takes to reach the destination so that it avoids any security systems.
Manipulating Source Port
If the IDS is configured to trust or block traffic based on ports, the packet can be crafted to use an allowed port instead so it will bypass the IDS.