3.3 Attacks & exploits: Network Attacks Flashcards

1
Q

Stress testing: what is it and what is tested during it?

A

A software testing method that evaluates how software performs under extreme load:
● Processor load
● Memory load
● Network load
● Storage load

2
Q

Stress testing: why should you do it?

A

Stress testing reveals a server's limits (the load at which response time degrades, errors appear or the service falls over) and whether the architecture can actually support the expected peak load; the same load profile is what a denial-of-service attacker would try to reach

3
Q

Stress testing: how do you do the stress testing?

A

Methods:
● Python or PowerShell scripts
● Open-source software tools
● Software-as-a-Service solutions
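Worked example (added here, not part of the original card deck): a small Python stress script of the kind the card means. It starts a constructed target HTTP server on an ephemeral localhost port, fires a configurable number of concurrent GET requests at it with a thread pool, and reports throughput, latency percentiles and the error count. The handler's 2 ms sleep, the request counts and the hostnames are assumptions for the demo; point `stress()` at a real URL only against systems you are authorised to test, because the same loop is a denial-of-service tool.

```python
"""Minimal HTTP stress test: hit an endpoint with concurrent requests and
report throughput, latency percentiles and error rate."""
import statistics
import threading
import time
import urllib.error
import urllib.request
from concurrent.futures import ThreadPoolExecutor
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer


class _SlowHandler(BaseHTTPRequestHandler):
    """Constructed target: a handler that does a little 'work' per request."""

    def do_GET(self):
        time.sleep(0.002)  # simulate 2 ms of processing
        body = b"ok"
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the console quiet
        pass


def start_target():
    """Start the constructed target on an ephemeral localhost port; returns (url, server)."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), _SlowHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{server.server_address[1]}/", server


def _one_request(url, timeout):
    """Return (ok, latency_seconds) for a single GET."""
    start = time.perf_counter()
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            resp.read()
            ok = resp.status == 200
    except (urllib.error.URLError, OSError):
        ok = False
    return ok, time.perf_counter() - start


def stress(url, total=200, concurrency=20, timeout=5.0):
    """Fire `total` GETs with `concurrency` workers; return a summary dict."""
    t0 = time.perf_counter()
    with ThreadPoolExecutor(max_workers=concurrency) as pool:
        results = list(pool.map(lambda _: _one_request(url, timeout), range(total)))
    elapsed = time.perf_counter() - t0
    latencies = sorted(lat for _, lat in results)
    errors = sum(1 for ok, _ in results if not ok)
    return {
        "requests": total,
        "concurrency": concurrency,
        "errors": errors,
        "rps": total / elapsed,
        "p50_ms": 1000 * statistics.median(latencies),
        "p95_ms": 1000 * latencies[int(0.95 * (len(latencies) - 1))],
        "max_ms": 1000 * latencies[-1],
    }


def run_demo(total=200, concurrency=20):
    """Stand up the constructed target, stress it, tear it down."""
    url, server = start_target()
    try:
        return stress(url, total=total, concurrency=concurrency)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    # Ramp concurrency and watch p95 and the error count: the knee in that
    # curve is the server's limit the card talks about.
    for c in (1, 10, 50):
        print(run_demo(total=200, concurrency=c))
```

Ramp `concurrency` upward between runs and record where p95 latency or the error count jumps; that knee is the practical limit. Memory, storage and network load need different generators (large uploads, many open connections), but the measurement loop is the same.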

4
Q

Exploit Resources: what is exploit-db.com?

A

An archive of public exploits and the corresponding vulnerable software, kept in a searchable database (maintained by OffSec; the same data is searchable offline in Kali with searchsploit)

5
Q

Exploit Resources: what is packetstormsecurity.com?

A

Contains news articles, advisories, whitepapers, tools, and exploits that can be reviewed and used in penetration tests

6
Q

Exploit Resources: what is Exploit Chaining?

A

▪ Combines multiple exploits to form a larger attack
▪ Chained exploits can be run simultaneously or sequentially

Ex1: Piggybacking => lock picking => Rogue WAP
Ex2: SQL injection => Privilege Escalation => Keylogging

7
Q

ARP Poisoning: what is Address Resolution Protocol (ARP)?

A

Address Resolution Protocol (ARP) maps an IPv4 address (which may change, e.g. via DHCP) to the fixed hardware address of a network interface, its media access control (MAC) address, so that hosts on the same local-area network (LAN) can deliver frames to each other. Requests are broadcast and replies carry no authentication

8
Q

ARP Poisoning: what is ARP Spoofing?

A

▪ Sending falsified ARP messages over a local area network so that other hosts' ARP caches update with the attacker's MAC address for a given IP address (typically the gateway's and the victim's)
▪ ARP spoofing is a precursor to other attacks: on-path interception, session hijacking and denial of service
▪ ARP has no authentication: a host that receives an ARP reply (solicited or gratuitous) claiming a new MAC address for an IP address it has cached will generally overwrite that cache entry

9
Q

ARP Poisoning: how to prevent from this attack?

A

Use VLAN segmentation to limit the broadcast domain an attacker can poison, and enable DHCP snooping together with Dynamic ARP Inspection (DAI), which validates ARP packets against the DHCP snooping binding table and drops replies whose IP/MAC pair does not match. On small networks, static ARP entries for critical hosts such as the gateway are a fallback

10
Q

ARP Poisoning: how do you perform this attack? Provide the tool names and the commands that you will run:

A

1/ Identify the victim's and the gateway's IP and MAC addresses with Wireshark or an Nmap ARP ping sweep:
nmap -PR -sn <subnet>
(-PR = ARP ping, -sn = host discovery only, no port scan)

2/ Enable IP forwarding so the victim's traffic still reaches its destination (without it the poisoning is only a denial of service), then poison both sides with Arpspoof or Metasploit:
o sysctl -w net.ipv4.ip_forward=1
o arpspoof -i eth0 -t <victim_IP> <gateway_IP>
o arpspoof -i eth0 -t <gateway_IP> <victim_IP>
o msfconsole
o use auxiliary/spoof/arp/arp_poisoning
(arpspoof keeps re-sending the forged replies so the caches stay poisoned, and restores the real addresses when it exits)
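Worked example (added here, not part of the original card deck): the attack from the defender's seat. The naive cache below is what an unprotected host does with the arpspoof replies above (last reply wins, no checks); `detect_poisoning()` is an arpwatch-style monitor run over a constructed ARP capture that flags an IP whose MAC changes and a single MAC that claims several IPs, and can pin the gateway binding the way a static ARP entry or DAI would. The addresses and timestamps are constructed for the demo.

```python
"""ARP poisoning from both sides: a naive cache that trusts every reply (the
weakness arpspoof exploits) and an arpwatch-style monitor that flags it."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    """One ARP reply as seen on the wire (e.g. from tcpdump -n arp)."""
    ts: float
    sender_ip: str
    sender_mac: str


# Constructed capture. The gateway is .1, the victim .10 and the attacker .50.
# At t=2.0 the attacker starts claiming both the gateway's and the victim's IP.
SAMPLE = [
    ArpReply(0.0, "192.168.1.1", "00:11:22:33:44:01"),
    ArpReply(0.5, "192.168.1.10", "00:11:22:33:44:0a"),
    ArpReply(1.0, "192.168.1.50", "aa:bb:cc:dd:ee:05"),
    ArpReply(2.0, "192.168.1.1", "aa:bb:cc:dd:ee:05"),   # spoofed gateway
    ArpReply(2.0, "192.168.1.10", "aa:bb:cc:dd:ee:05"),  # spoofed victim
    ArpReply(4.0, "192.168.1.1", "aa:bb:cc:dd:ee:05"),   # arpspoof keeps re-sending
]


def naive_cache(replies):
    """What an unprotected host does: the most recent reply wins, no checks."""
    cache = {}
    for r in replies:
        cache[r.sender_ip] = r.sender_mac
    return cache


def detect_poisoning(replies, trusted=None):
    """Flag (a) an IP whose MAC changes and (b) one MAC claiming several IPs.

    `trusted` pins IP->MAC bindings that must never change (the gateway, for
    instance); violations are reported and the pinned entry is not overwritten.
    Returns a list of (ts, kind, subject, before, after) tuples.
    """
    trusted = dict(trusted or {})
    bindings = dict(trusted)
    ips_by_mac = defaultdict(set)
    alerts = []
    for r in replies:
        prev = bindings.get(r.sender_ip)
        if prev is not None and prev != r.sender_mac:
            kind = "trusted-binding-violation" if r.sender_ip in trusted else "mac-changed"
            alerts.append((r.ts, kind, r.sender_ip, prev, r.sender_mac))
        if r.sender_ip not in trusted:
            bindings[r.sender_ip] = r.sender_mac
        ips = ips_by_mac[r.sender_mac]
        if r.sender_ip not in ips:
            ips.add(r.sender_ip)
            if len(ips) > 1:
                alerts.append((r.ts, "mac-claims-multiple-ips", r.sender_mac,
                               None, tuple(sorted(ips))))
    return alerts


if __name__ == "__main__":
    print("naive cache after the capture:", naive_cache(SAMPLE))
    for alert in detect_poisoning(SAMPLE, trusted={"192.168.1.1": "00:11:22:33:44:01"}):
        print(alert)
```

The "one MAC, many IPs" signal is the one to watch for: a legitimate host may change its MAC after a NIC swap, but a single interface answering for both the gateway and a workstation is the arpspoof pattern.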

11
Q

DNS Cache Poisoning: what is Domain Name System (DNS) used for?

A

Converts domain names to IP addresses every time a user clicks on a link or enters a domain name into their browser

12
Q

DNS Cache Poisoning: what is DNS Cache Poisoning?

A

Injects a forged record into the cache of a recursive DNS server so that the server changes the IP address stored for a domain name and hands every client the attacker's address for that name until the record's TTL expires

13
Q

DNS Cache Poisoning: how do you perform the attack? Provide the command you use and explain the command

A

1/ Check whether the server answers recursive queries for arbitrary clients (an open resolver is the usual poisoning target):
nmap -sU -p 53 --script=dns-recursion <IP>
● -sU = UDP scan (DNS, SNMP and DHCP are three of the most common UDP services)
● -p 53 = port 53, DNS

2/ Test whether the server accepts a dynamic DNS update (RFC 2136) without authentication, which lets an attacker change a record in the zone directly:
nmap -sU -p 53 --script=dns-update --script-args=dns-update.hostname=<hostname>,dns-update.ip=<IP> <target>
● Note that an unauthenticated update changes the authoritative zone data rather than a cache entry; it is a related and more direct misconfiguration
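Worked example (added here, not part of the original card deck): cache poisoning as the race it really is. A toy recursive resolver accepts the first reply whose transaction ID, destination port and question match its outstanding query; the attacker cannot see the query, so it floods guesses before the real answer arrives. With sequential IDs and a fixed source port 53 (how older resolvers behaved) a flood of 4096 forgeries wins; with a random 16-bit ID and a random ephemeral port the same flood never matches. The names and the RFC 5737 documentation addresses are constructed for the demo.

```python
"""DNS cache poisoning as a race. A recursive resolver accepts the first reply
whose transaction ID, destination port and question match its outstanding
query. With predictable IDs and a fixed source port a small forged flood wins;
randomising both leaves the attacker guessing a ~32-bit value per query."""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Reply:
    txid: int
    dst_port: int     # must equal the port the resolver sent the query from
    qname: str
    answer_ip: str


class Resolver:
    """Toy recursive resolver holding one outstanding query and a cache."""

    def __init__(self, randomize, seed=0):
        self.randomize = randomize
        self.rng = random.Random(seed)
        self.counter = 0
        self.cache = {}
        self.pending = None  # (txid, src_port, qname)

    def send_query(self, qname):
        if self.randomize:
            txid = self.rng.randrange(1 << 16)         # 16-bit random ID
            port = self.rng.randrange(1024, 1 << 16)   # random ephemeral source port
        else:
            self.counter += 1
            txid = self.counter                        # sequential IDs
            port = 53                                  # fixed source port (historic behaviour)
        self.pending = (txid, port, qname)
        return self.pending

    def receive(self, reply):
        """Accept the reply only if it matches the outstanding query; True if cached."""
        if self.pending is None:
            return False
        txid, port, qname = self.pending
        if (reply.txid, reply.dst_port, reply.qname) != (txid, port, qname):
            return False                               # mismatch: silently dropped
        self.cache[qname] = reply.answer_ip
        self.pending = None                            # later replies, even the real one, are ignored
        return True


def forge_flood(qname, attacker_ip, n):
    """The attacker cannot see the query, so it guesses: IDs 0..n-1, port 53."""
    return [Reply(txid, 53, qname, attacker_ip) for txid in range(n)]


def run_attack(resolver, qname="www.bank.example",
               legit_ip="203.0.113.10", attacker_ip="198.51.100.66", flood=4096):
    """Trigger a lookup, deliver the forged flood before the real answer, return what got cached."""
    txid, port, _ = resolver.send_query(qname)
    for forged in forge_flood(qname, attacker_ip, flood):
        if resolver.receive(forged):
            break
    resolver.receive(Reply(txid, port, qname, legit_ip))  # real answer arrives last
    return resolver.cache[qname]


def guesses_needed():
    """Search space the attacker faces once ID and source port are both random."""
    return (1 << 16) * ((1 << 16) - 1024)


if __name__ == "__main__":
    print("predictable resolver ->", run_attack(Resolver(randomize=False)))
    print("randomised resolver  ->", run_attack(Resolver(randomize=True)))
    print("guesses for one hit on average:", guesses_needed() // 2)
```

The real-world attack also has to beat the authoritative server's reply and repeats the race across many queries; the model above keeps only the acceptance rule, which is what DNSSEC (signed data the resolver can verify) and ID/port randomisation (a space too large to guess) each attack from a different direction.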

14
Q

DNS Cache Poisoning: how to prevent from this attack (2)?

A

▪ Use DNSSEC: uses digital signatures based on public-key cryptography so that DNS data is signed by the zone owner and a validating resolver can reject a forged record. Both the zone owner (signing) and the resolvers (validating) need their DNS servers configured to support DNSSEC
▪ Ensure servers have the latest security patches: modern resolvers randomise the transaction ID and the UDP source port of each outgoing query, which is what makes blind forged-response attacks impractical

15
Q

DNS Cache Poisoning: what is DNS Zone Transfer?

A

A method of replicating DNS database entries across a set of DNS servers (AXFR/IXFR). If a server allows zone transfers to anyone, an attacker can pull the entire zone with dig axfr <domain> @<server>, so transfers should be restricted to the secondary servers' addresses

16
Q

DNS Cache Poisoning: what is DNS Harvesting?

A

A form of Open-Source Intelligence used to gather information about a domain name and its associated resources

17
Q

LLMNR/NBT-NS Poisoning: what is Link-Local Multicast Name Resolution (LLMNR)?

A

Uses the DNS packet format and lets IPv4 and IPv6 hosts on the same local link resolve each other's names without a DNS server (queries are multicast to 224.0.0.252 / FF02::1:3 on UDP port 5355); Windows systems use it as a fallback when DNS cannot resolve the name.
Linux systems instead rely on zero-configuration (mDNS/Avahi) name resolution, and systemd-resolved can also speak LLMNR

18
Q

LLMNR/NBT-NS Poisoning: what is NetBIOS Name Service (NBNS or NBT-NS)?

A

▪ Part of the NetBIOS-over-TCP/IP protocol suite, used as a type of name resolution inside the internal network to translate NetBIOS names to IP addresses (broadcast queries on UDP port 137)
▪ NBT-NS uses the host name of a system (its NetBIOS name) for its resolution, so any host on the broadcast domain can answer

19
Q

LLMNR/NBT-NS Poisoning: what is the default protocol Windows will be use?

A

By default, when a DNS lookup fails, Windows machines will first attempt to use LLMNR and then attempt to use NBT-NS; any mistyped or stale hostname therefore produces a poisonable broadcast

20
Q

LLMNR/NBT-NS Poisoning: what is the Responder?

A

A command-line tool (Python) shipped with Kali Linux that answers NetBIOS, LLMNR and mDNS name resolution requests with the attacker's IP address and runs rogue SMB, HTTP and other listeners so that clients which then connect hand over their NetNTLM challenge-response hashes; started with e.g. responder -I eth0

21
Q

LLMNR/NBT-NS Poisoning: how does the attack is perform (in terms of process)?

A

1/ Victim's DNS lookup fails, so it sends an LLMNR (then NBT-NS) broadcast looking for \\FileServer
2/ Responder answers: "Right over here at 192.168.1.5" (the attacker's IP)
3/ The victim attempts the connection (SMB, HTTP, ...) to the attacker
4/ Responder's rogue service accepts the authentication attempt and captures the NetNTLM challenge-response hash for offline cracking or relaying

22
Q

MAC Spoofing: what is spoofing?

A

A category of network attacks that occurs when an attacker masquerades as another person by falsifying their identity

23
Q

MAC Spoofing: what is a Media Access Control (MAC) Address?

A

▪ A 48-bit address that identifies a network interface physically and allows it to operate on a logical topology; it is assigned by the manufacturer but can be changed in software on most operating systems
▪ Layer 2 devices use MAC addresses to associate which device is connected to which physical port

24
Q

MAC Spoofing: what is MAC Filtering?

A

Any PC whose MAC address is on an allow list is granted access to the network ports, while those on a deny list are denied access or blocked. This entire process is called MAC filtering. It is a weak control: MAC addresses travel in clear text in every frame, so an allowed address can be read off the wire and copied.

25
Q

MAC Spoofing: how to overcome being blocked by a MAC filter? Explain the commands (2)

A

First sniff the MAC address of a device that is allowed (Wireshark, or the printer/phone on the port you want), then assume it:
▪ sudo ifconfig en0 ether <MAC> (macOS/BSD ifconfig: sets interface en0 to the allowed MAC)
▪ sudo ip link set dev eth0 down && sudo macchanger -m <MAC> eth0 && sudo ip link set dev eth0 up (Linux: macchanger needs the interface down; -r picks a random address instead of -m <MAC>)

26
Q

VLAN Hopping: what is a VLAN and how is it related to VLAN hopping?

A

▪ Used to partition any broadcast domain and isolate it from the rest of the network at the data link layer or layer 2 of the OSI model
▪ Once you gain access to a workstation located in one VLAN, you must break out of that VLAN to gain access to other sensitive areas of the network

27
Q

VLAN Hopping: what is VLAN Hopping?

A

A technique exploiting a misconfiguration to direct traffic to a different VLAN without proper authorization

28
Q

VLAN Hopping: what attack you can use to perform a VLAN Hopping (3)?

A

o Double Tagging
o Switch Spoofing
o MAC Table Overflow Attack

29
Q

VLAN Hopping: what is Double Tagging?

A

▪ Attacker tries to reach a different VLAN using the vulnerabilities in the trunk port (= specific port on a switch configured to transmit data traffic for multiple VLANs) configuration

30
Q

VLAN Hopping: how to do a Double Tagging?

A

The attacker sits on an access port whose VLAN is the native VLAN of the trunk and sends a frame carrying two 802.1Q tags: the outer tag is the native VLAN ID, the inner tag is the target VLAN. The first switch strips the outer tag because native-VLAN traffic is sent untagged on the trunk, so the frame crosses the trunk with only the inner tag; the second switch reads that tag and delivers the frame into the target VLAN. Replies cannot come back the same way, so double tagging is used as part of a blind attack (= one where commands are sent to the victim but the attacker does not get to see any of the responses) or as part of a DoS or stress testing attack
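Worked example (added here, not part of the original card deck): the double-tagging path simulated at the byte level. The code builds a real Ethernet II frame with two 802.1Q tags and pushes it through a two-switch model whose only rules are the ones the attack depends on: an access port accepts a tag equal to its own VLAN, a trunk sends the native VLAN untagged, and a trunk classifies untagged ingress as native. The same function then shows the two prevention cards: moving the native VLAN to an unused ID, or tagging it explicitly, leaves the attacker's frame in its own VLAN. The switch model, VLAN numbers and MACs are assumptions for the demo.

```python
"""802.1Q double tagging through two switches. The attacker sits on an access
port in the trunk's native VLAN and sends a frame with two tags; the first
switch strips the outer (native) tag on the trunk, the second sees the inner
tag and delivers the frame into a VLAN the attacker is not a member of."""
import struct

TPID = 0x8100   # 802.1Q tag protocol identifier


def mac(s):
    return bytes.fromhex(s.replace(":", ""))


def build_frame(dst, src, vlan_tags, ethertype=0x0800, payload=b"\x00" * 46):
    """Ethernet II frame with zero or more 802.1Q tags (outermost first)."""
    frame = mac(dst) + mac(src)
    for vid in vlan_tags:
        frame += struct.pack("!HH", TPID, vid & 0x0FFF)
    return frame + struct.pack("!H", ethertype) + payload


def outer_tag(frame):
    """VLAN ID of the outermost tag, or None if the frame is untagged."""
    if struct.unpack("!H", frame[12:14])[0] != TPID:
        return None
    return struct.unpack("!H", frame[14:16])[0] & 0x0FFF


def pop_tag(frame):
    return frame[:12] + frame[16:]


def push_tag(frame, vid):
    return frame[:12] + struct.pack("!HH", TPID, vid) + frame[12:]


class Switch:
    def __init__(self, native_vlan=1, tag_native=False):
        self.native_vlan = native_vlan
        self.tag_native = tag_native

    def ingress_access(self, frame, port_vlan):
        """Access port: a tag equal to the port VLAN is accepted and removed; other tags drop."""
        vid = outer_tag(frame)
        if vid is None:
            return port_vlan, frame
        if vid != port_vlan:
            return None, frame
        return port_vlan, pop_tag(frame)

    def egress_trunk(self, vlan, frame):
        """Trunk: the native VLAN leaves untagged unless native tagging is on."""
        if vlan == self.native_vlan and not self.tag_native:
            return frame
        return push_tag(frame, vlan)

    def ingress_trunk(self, frame):
        """Trunk: untagged frames belong to the native VLAN, tagged ones to their tag."""
        vid = outer_tag(frame)
        if vid is None:
            return self.native_vlan, frame
        return vid, pop_tag(frame)


def double_tag_attack(native_vlan=1, tag_native=False, attacker_vlan=1, target_vlan=20):
    """VLAN the attacker's frame ends up in on the second switch (None = dropped)."""
    sw1 = Switch(native_vlan, tag_native)
    sw2 = Switch(native_vlan, tag_native)
    frame = build_frame("ff:ff:ff:ff:ff:ff", "aa:bb:cc:dd:ee:05", [attacker_vlan, target_vlan])
    vlan, frame = sw1.ingress_access(frame, attacker_vlan)   # attacker's access port
    if vlan is None:
        return None
    frame = sw1.egress_trunk(vlan, frame)                    # onto the trunk
    vlan, frame = sw2.ingress_trunk(frame)                   # second switch classifies it
    return vlan


if __name__ == "__main__":
    print("default native VLAN 1, user in VLAN 1:", double_tag_attack())
    print("native VLAN moved to 999:", double_tag_attack(native_vlan=999))
    print("native VLAN tagged explicitly:", double_tag_attack(tag_native=True))
    print("user port moved out of native VLAN:", double_tag_attack(attacker_vlan=10))
```

Only the default case lands the frame in VLAN 20; every other configuration leaves it in the attacker's own VLAN, which is exactly why the two prevention rules on the next card work.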

31
Q

VLAN Hopping: how to prevent from Double Tagging (2)?

A

● Change the default native VLAN of every trunk to an unused VLAN ID, and tag the native VLAN explicitly on trunks (Cisco: vlan dot1q tag native) so that no frame ever crosses a trunk untagged
● Never add user devices into the native VLAN

32
Q

VLAN Hopping: what is Switch Spoofing?

A

The attacker's host imitates a switch and conducts a Dynamic Trunking Protocol (DTP) negotiation with the switch port it is plugged into; if the port is left in a dynamic mode, it becomes a trunk and the attacker can send and receive tagged traffic for every VLAN carried on it

33
Q

VLAN Hopping: how to prevent from Switch Spoofing?

A

Never leave ports in a dynamic switch port mode: configure user-facing ports statically as access ports (Cisco: switchport mode access) and disable DTP on them (switchport nonegotiate); configure trunks statically as well

34
Q

VLAN Hopping: what is MAC Table Overflow Attack?

A

The attacker floods the switch with frames from thousands of bogus source MAC addresses (e.g. with macof from dsniff) until the CAM (MAC address) table is full. Overloaded CAM tables result in switches "failing open" and beginning to act like a hub, so the attacker can sniff traffic meant for other hosts:
● Switch (selectively forwards frames to the port where the destination MAC was learned)
● Hub (repeats every frame it receives out of every port)
Port security, which limits the number of MAC addresses learned per port, stops the flood

35
Q

NAC Bypass: what is Network Access Control (NAC)?

A

A technology that is used to keep unauthorized users or devices from accessing a private network

36
Q

NAC Bypass: list and explain the different type of NAC solutions (3)?

A

▪ Persistent: A piece of software installed on a device requesting access to the network
▪ Non-persistent: Requires the users to connect to the network and log in to a web-based captive portal to download an agent that scans their devices for compliance
▪ Agentless NAC/Volatile Agent: Installs the scanning engine on the domain controller instead of the endpoint device

37
Q

NAC Bypass: how to bypass the NAC?

A

▪ Exploit an authorized host: compromise a device that has already passed the NAC checks and pivot through it
▪ Make the device look like something else: most networks segment VoIP devices and printers into their own separate VLANs and exempt them from agent checks, so unplugging a printer or phone, cloning its MAC address and plugging into its port often bypasses the control

38
Q

On-Path Attack: what is it?

A

Occurs when an attacker puts themself between the victim and the intended destination

39
Q

On-Path Attack: what attacks can you perform to do a on-path attack (4)?

A

● ARP poisoning
● DNS poisoning
● Introducing a rogue WAP
● Introducing a rogue hub/switch

40
Q

On-Path Attack: what is a Replay attack?

A

Occurs when valid data is captured by the attacker and is then repeated immediately, or delayed, and then repeated

41
Q

On-Path Attack: what is a Relay attack?

A

Occurs when the attacker inserts themselves between the two hosts and forwards (relays) the traffic between them in real time, reading or modifying it on the way; unlike a replay, the original messages are passed on rather than resent later

42
Q

On-Path Attack: if encryption is enforced on hosts, what can you do in that case and explain each of the attacks (2)?

A

o SSL Stripping: the on-path attacker keeps the HTTPS connection to the server for itself but presents the victim with a plain HTTP connection instead of HTTPS, rewriting https:// links in the pages it relays to http://, so the victim's requests (including credentials) reach the attacker in clear text. HSTS defeats it, because the browser refuses to load the site over HTTP
o Downgrade Attack: occurs when an attacker attempts to have a client or server abandon a higher security mode (protocol version or cipher suite) in favor of a lower security mode that is easier to break
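Worked example (added here, not part of the original card deck): the two halves of SSL stripping in code, illustrative rather than the sslstrip tool's own. The attacker side rewrites every https:// link in a constructed bank login page and drops the Strict-Transport-Security header before relaying it; the victim side is a toy browser that remembers HSTS hosts and upgrades http:// navigations to them internally. Without HSTS the login form posts over HTTP through the attacker; with the host preloaded or remembered from an earlier clean visit, the upgrade happens before anything leaves the browser. The hostname and HTML are constructed for the demo.

```python
"""SSL stripping as done on-path, and why HSTS stops it. The attacker keeps
the HTTPS session with the server but hands the victim an HTTP copy of the
page with every https:// link rewritten to http://, so the next request (and
the credentials in it) travels in clear text through the attacker."""
import re
from urllib.parse import urlsplit, urlunsplit

HTTPS_URL = re.compile(r"https://([A-Za-z0-9.-]+)")

# Constructed response from the real bank site, as fetched by the attacker.
ORIGINAL_HEADERS = {"Content-Type": "text/html",
                    "Strict-Transport-Security": "max-age=31536000"}
ORIGINAL_HTML = ('<form action="https://bank.example/login" method="post">'
                 '<a href="https://bank.example/help">Help</a></form>')


def sslstrip_rewrite(html, headers):
    """Attacker side: rewrite https links to http and drop the HSTS header."""
    stripped = HTTPS_URL.sub(r"http://\1", html)
    stripped_headers = {k: v for k, v in headers.items()
                        if k.lower() != "strict-transport-security"}
    return stripped, stripped_headers


class Browser:
    """Victim side: remembers HSTS hosts and upgrades http:// to https:// for them."""

    def __init__(self, hsts_preload=()):
        self.hsts_hosts = set(hsts_preload)

    def observe(self, host, headers):
        """Called on every response; a valid HSTS header pins the host."""
        if any(k.lower() == "strict-transport-security" for k in headers):
            self.hsts_hosts.add(host)

    def navigate(self, url):
        """Return the URL actually requested; HSTS hosts are upgraded before any request is sent."""
        parts = urlsplit(url)
        if parts.scheme == "http" and parts.hostname in self.hsts_hosts:
            return urlunsplit(("https",) + tuple(parts[1:]))
        return url


def victim_submits_to(browser, headers=ORIGINAL_HEADERS, html=ORIGINAL_HTML):
    """URL the victim's login request actually uses after viewing the stripped page."""
    stripped_html, stripped_headers = sslstrip_rewrite(html, headers)
    browser.observe("bank.example", stripped_headers)   # HSTS header already removed by the attacker
    action = re.search(r'action="([^"]+)"', stripped_html).group(1)
    return browser.navigate(action)


if __name__ == "__main__":
    print("first visit, no HSTS known  :", victim_submits_to(Browser()))
    print("host on the preload list    :", victim_submits_to(Browser(hsts_preload={"bank.example"})))
    returning = Browser()
    returning.observe("bank.example", ORIGINAL_HEADERS)   # an earlier, un-attacked visit
    print("host remembered from before :", victim_submits_to(returning))
```

The first-visit case is the residual weakness of HSTS (the attacker strips the header before the browser ever sees it), which is what the preload list exists to close.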

43
Q

Password Attacks: what is a hash?

A

A hash digest is the fixed-length output of a one-way hashing algorithm; storing the digest instead of the plaintext protects the passwords kept in the database, because the original password cannot be recovered from the digest directly, only guessed and re-hashed. A per-user salt and a deliberately slow algorithm (bcrypt, scrypt, Argon2, PBKDF2) make that guessing expensive

44
Q

Password Attacks: what is a Password Cracker and provide tools that do that (2)?

A

Used to attempt to break a user’s password by using either a dictionary attack or by using brute force techniques
● John the Ripper
● Cain and Abel

45
Q

Password Attacks: list the password attack:

A

o Dictionary Attack
o Brute Force Attack
o Rainbow Table
o Password Spraying
o Credential Stuffing

46
Q

Password Attacks: what is a Dictionary Attack?

A

Uses a list of common passwords, words, and phrases to attempt to guess the password

47
Q

Password Attacks: what is a Brute Force Attack?

A

Attempts to break a password by guessing every single possible combination of numbers, letters, and special characters

48
Q

Password Attacks: what is a Rainbow Table?

A

A precomputed table of hash values for known passwords, used for offline password cracking: the attacker looks a leaked hash up instead of hashing each candidate again. Rainbow tables only work against unsalted hashes; a per-user salt makes every stored hash unique, so no table computed in advance matches

49
Q

Password Attacks: what is a Password Spraying?

A

Tries a small number of very common passwords against many accounts (one password across every user, then the next), staying under the failed-attempt lockout threshold of each account so that no account locks and the attempt blends into normal failed logins
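Worked example (added here, not part of the original card deck) covering the dictionary attack, rainbow table and password spraying cards together. It runs a dictionary attack against an unsalted SHA-256 digest, builds the precomputed lookup that a rainbow table amounts to (a real one stores hash chains to save space; the weakness exploited is the same), shows that a salted PBKDF2 hash defeats that table, and then sprays a constructed login service with a lockout threshold without locking any account. The word list, user database and threshold are constructed for the demo; the plaintexts are only there to build it.

```python
"""Dictionary attack, precomputed-table lookup (the idea behind rainbow
tables), why a salt and a slow KDF defeat the table, and a password spray
that stays under the lockout threshold."""
import hashlib
import hmac
import os

# Constructed word list and user database (plaintexts shown only to build the demo).
WORDLIST = ["123456", "password", "letmein", "Summer2024", "qwerty"]
USERS = {"alice": "Summer2024", "bob": "Tr0ub4dor&3", "carol": "password"}


def sha256_hex(password):
    return hashlib.sha256(password.encode()).hexdigest()


def dictionary_attack(target_hex, wordlist):
    """Hash each candidate and compare; works against any unsalted fast hash."""
    for word in wordlist:
        if hmac.compare_digest(sha256_hex(word), target_hex):
            return word
    return None


def build_lookup_table(wordlist):
    """Precompute hash->plaintext once, reuse it against every leaked hash."""
    return {sha256_hex(w): w for w in wordlist}


def salted_hash(password, salt, iterations=100_000):
    """Per-user salt plus PBKDF2: the same password hashes differently per user,
    so no table built in advance matches, and each guess costs `iterations` work."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def verify(password, salt, stored_hex, iterations=100_000):
    return hmac.compare_digest(salted_hash(password, salt, iterations), stored_hex)


class LoginService:
    """Constructed target: locks an account after `threshold` failed attempts."""

    def __init__(self, users, threshold=5):
        self.users, self.threshold = users, threshold
        self.failures = {u: 0 for u in users}
        self.locked = set()

    def login(self, user, password):
        if user in self.locked:
            return False
        if self.users.get(user) == password:
            return True
        self.failures[user] += 1
        if self.failures[user] >= self.threshold:
            self.locked.add(user)
        return False


def password_spray(service, usernames, passwords, lockout_threshold):
    """Few passwords, many accounts: try each password across all users and never
    spend more than threshold-1 guesses on any one account."""
    found = {}
    budget = lockout_threshold - 1
    for password in passwords[:budget]:
        for user in usernames:
            if user not in found and service.login(user, password):
                found[user] = password
    return found


if __name__ == "__main__":
    leaked = sha256_hex("letmein")
    print("dictionary attack:", dictionary_attack(leaked, WORDLIST))
    print("table lookup     :", build_lookup_table(WORDLIST).get(leaked))
    salt = os.urandom(16)
    stored = salted_hash("letmein", salt)
    print("table vs salted  :", build_lookup_table(WORDLIST).get(stored))
    print("verify salted    :", verify("letmein", salt, stored))
    svc = LoginService(USERS, threshold=5)
    print("spray found      :", password_spray(svc, list(USERS), WORDLIST, 5), "locked:", svc.locked)
```

Note what the spray did not do: it never tried a fifth password against anyone, so the lockout policy on the next cards was not triggered, which is why detection of spraying looks at failed logins per source across many accounts rather than per account.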

50
Q

Password Attacks: what is Credential Stuffing?

A

Tests stolen user account names and passwords against multiple websites

51
Q

Password Attacks: how to prevent from Credential Stuffing?

A

● Do not reuse any passwords across different websites
● Utilize two-factor authentication

52
Q

Password Attacks: how to prevent password attack (4)?

A

▪ Strong password security policies
▪ Complex (and, above all, long and unique) passwords
▪ Password change at least every 60 days (note that current NIST SP 800-63B guidance favours screening new passwords against breached-password lists and changing them on evidence of compromise over forced periodic rotation)
▪ Failed login attempt lockouts or delays, combined with multi-factor authentication so that a guessed password alone is not enough

53
Q

Pass the Hash:

A