Lec 06-07 Network Infrastructure Attacks

In this module we cover some of the attacks an attacker can execute over the network to gain access to network infrastructure or to compromise its availability.

Legacy Protocols

Network devices often ship with legacy protocols or services enabled by default: Telnet, HTTP, SMTP, NTP and SNMP (v1/v2c). These are clear-text protocols: credentials, configuration and SNMP community strings cross the wire unencrypted and can be read by anyone who can sniff the path. Replace each one with its protected version: Telnet with SSH, HTTP with HTTPS, SMTP with SMTPS or SMTP over STARTTLS, plain NTP with authenticated NTP (NTPv3 symmetric keys or later), and SNMP v1/v2c with SNMPv3 (authPriv). Disable the old service rather than merely adding the new one beside it, otherwise the clear-text path stays open.

TCP/IP Hijacking

Assume there is a Telnet session between a client and a server, and the client has already authenticated. After some time an attacker who can observe the traffic steps in between them: a spoofed segment sent on behalf of the server (a FIN, or in practice a RST) knocks the client out of the conversation, and the attacker resumes the TCP session with the server using the client's IP address and port. Because the server only accepts segments whose sequence number falls inside its current receive window (and whose acknowledgement number is plausible), the attacker must know or predict the sequence and acknowledgement numbers before executing the attack; a segment with a guessed value outside the window is not accepted.

Two tools are commonly used for this purpose:

1- shijack

2- hunt
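The point that the hijacker needs the live sequence numbers, shown as an added example (not code from the lecture or from shijack/hunt): it builds a raw TCP segment with a correct checksum, as a hijacking tool would, and models the server's RFC 793 acceptability test against a segment from an attacker who sniffed the numbers versus one who guessed them. The addresses, ports and sequence values are constructed for the example, and the acknowledgement check is a simplified version of what real stacks do.

```python
import socket
import struct

FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10
MOD32 = 1 << 32


def tcp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> int:
    """RFC 793 checksum over the IPv4 pseudo-header plus the TCP segment."""
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(segment)))
    data = pseudo + segment
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_segment(src_ip, dst_ip, sport, dport, seq, ack, flags, payload=b""):
    """Raw TCP segment (20-byte header, no options) with a valid checksum.
    A hijacker puts the victim client's address and port in src_ip/sport."""
    off_flags = (5 << 12) | flags           # data offset = 5 words, then flag bits
    hdr = struct.pack("!HHIIHHHH", sport, dport, seq, ack, off_flags, 65535, 0, 0)
    csum = tcp_checksum(src_ip, dst_ip, hdr + payload)
    hdr = struct.pack("!HHIIHHHH", sport, dport, seq, ack, off_flags, 65535, csum, 0)
    return hdr + payload


def in_window(seg_seq: int, seg_len: int, rcv_nxt: int, rcv_wnd: int) -> bool:
    """RFC 793 acceptability test with 32-bit wrap-around: the receiver takes a
    segment only if part of it lies inside [RCV.NXT, RCV.NXT + RCV.WND)."""
    if rcv_wnd == 0:
        return seg_len == 0 and seg_seq == rcv_nxt
    first_ok = (seg_seq - rcv_nxt) % MOD32 < rcv_wnd
    if seg_len == 0:
        return first_ok
    last_ok = (seg_seq + seg_len - 1 - rcv_nxt) % MOD32 < rcv_wnd
    return first_ok or last_ok


def try_inject(server_rcv_nxt, server_snd_nxt, server_wnd, attacker_seq, attacker_ack, payload):
    """Model the server's checks on a spoofed 'client' segment; returns (segment, accepted).
    Constructed addresses: victim client 10.0.0.2:40000, Telnet server 10.0.0.1:23."""
    seg = build_segment("10.0.0.2", "10.0.0.1", 40000, 23,
                        attacker_seq, attacker_ack, PSH | ACK, payload)
    seq_ok = in_window(attacker_seq, len(payload), server_rcv_nxt, server_wnd)
    # simplified ACK check: ack must not be further than one window behind SND.NXT
    ack_ok = (server_snd_nxt - attacker_ack) % MOD32 <= server_wnd
    return seg, seq_ok and ack_ok


if __name__ == "__main__":
    # state the attacker learned by sniffing: client's next seq 1000, server's next seq 5000
    _, sniffed = try_inject(1000, 5000, 65535, 1000, 5000, b"id\r\n")
    _, blind = try_inject(1000, 5000, 65535, 0x12345678, 5000, b"id\r\n")
    print("sniffed numbers accepted:", sniffed, "| guessed numbers accepted:", blind)
```

The injected command rides on the client's identity because the server has no way to tell the spoofed segment from a real one once the numbers line up; that is also why the attacker must first silence the real client, whose stack would otherwise answer the unexpected data with its own ACKs and desynchronise the session.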

Null Sessions

A null session is a vulnerability in Windows NT/2000 that allows an anonymous user (empty username and password) to connect to the inter-process communication share IPC$, for example with net use \\target\IPC$ "" /user:"". Once the null session is established, the attacker can run enumeration commands to fingerprint the system: which services are running, system information, user and share lists, network configuration and routing tables. Restricting anonymous access (the RestrictAnonymous LSA setting) and blocking SMB at the perimeter are the usual mitigations.

Spoofing

Spoofing is a masquerading attack: the attacker sends traffic that carries someone else's address. It can be done at L2 or L3. At L2 the source MAC address is replaced with either a legitimate host's MAC or a made-up one, to hide the attacker's own MAC or to impersonate that host. At L3 the source IP address is replaced with a different address, to hide the attacker's own IP or to impersonate a trusted host. Replies go to the spoofed address, so an attacker who is not on the path between the two hosts sends blind and never sees the answers.

Replay attack

A replay attack captures a legitimate sequence of data, such as an authentication exchange or a signed request, and resends it to the server later so that a control which only checks that the data is valid accepts it a second time. The data does not need to be modified; what makes it an attack is the reuse. The defence is to bind every message to something that cannot be reused: a nonce, a timestamp within a short window, or a session-specific key.
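The defence described above as an added example (not code from the lecture): a client signs each message with an HMAC over a nonce, a timestamp and the body, and two model servers check it. The naive server verifies the MAC only and therefore accepts a captured message every time it is resent; the replay-safe server additionally rejects stale timestamps and nonces it has already seen. The key, the message body and the clock values are constructed for the example.

```python
import hashlib
import hmac
import os

KEY = b"constructed-shared-secret"   # constructed for the example, not a real key


def make_message(body: bytes, now: int, nonce=None):
    """Client side: bind the body to a fresh nonce and a timestamp, then MAC everything."""
    nonce = nonce or os.urandom(16).hex().encode()
    msg = nonce + b"|" + str(now).encode() + b"|" + body
    tag = hmac.new(KEY, msg, hashlib.sha256).hexdigest()
    return msg, tag


def mac_ok(msg: bytes, tag: str) -> bool:
    return hmac.compare_digest(hmac.new(KEY, msg, hashlib.sha256).hexdigest(), tag)


class NaiveServer:
    """Integrity only: a captured (msg, tag) pair is accepted every time it is resent."""

    def accept(self, msg, tag, now):
        return mac_ok(msg, tag)


class ReplaySafeServer:
    """Integrity plus freshness: timestamp within `window` seconds and nonce never seen."""

    def __init__(self, window=30):
        self.window = window
        self.seen = {}          # nonce -> timestamp; pruned so it stays bounded

    def accept(self, msg, tag, now):
        if not mac_ok(msg, tag):
            return False                         # tampered or forged
        nonce, ts, _body = msg.split(b"|", 2)
        if abs(now - int(ts)) > self.window:
            return False                         # stale (or clock skew beyond tolerance)
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.window}
        if nonce in self.seen:
            return False                         # replay of a message inside the window
        self.seen[nonce] = int(ts)
        return True


def demo():
    """Replay a captured transfer request against both servers; returns the verdicts."""
    msg, tag = make_message(b"transfer 100 to acct 42", now=1000)
    naive, safe = NaiveServer(), ReplaySafeServer()
    return {
        "naive_first": naive.accept(msg, tag, 1000),
        "naive_replay": naive.accept(msg, tag, 1005),
        "safe_first": safe.accept(msg, tag, 1000),
        "safe_replay": safe.accept(msg, tag, 1005),
        "safe_tampered": safe.accept(msg.replace(b"100", b"900"), tag, 1005),
        "safe_stale": safe.accept(*make_message(b"ping", now=1000), 2000),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:14} {'accepted' if verdict else 'rejected'}")
```

The nonce cache only has to remember nonces for as long as the timestamp window, which is what keeps it bounded; without the timestamp the server would have to remember every nonce forever.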

Denial of Service (DoS)

DoS, denial of service, is an attack on availability: the attacker exhausts bandwidth, connection state or processing capacity, or crashes the target outright (as in the Ping of Death below), so that legitimate users can no longer reach the service.

Domain name Kiting

Domain kiting exploits the five-day Add Grace Period (AGP) in the domain name registration system, during which a newly registered domain can be deleted for a full refund. The attacker registers a domain, deletes it just before the AGP expires, and immediately re-registers it, repeating the cycle so that the domain stays in their hands without the registration fee ever being paid.

DNS Poisoning

The Domain Name System is responsible for translating domain names to IP addresses and vice versa. A DNS poisoning attack targets a DNS server's cache or the client system's local cache and replaces the original IP address of a domain with one controlled by the attacker, so that clients are silently sent to the attacker's host. Against a recursive resolver this is typically done by racing the legitimate reply with a forged response that matches the outstanding query's transaction ID, destination port and question; the resolver accepts whichever matching answer arrives first.
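The resolver-side checks that a forged reply has to pass, as an added example (not code from the lecture and not any real resolver's code): a model cache accepts a response only if its transaction ID, destination port and question match an outstanding query, and caches only records inside the queried zone (the bailiwick check, simplified here to "same parent domain"). An off-path attacker sprays forged answers guessing the transaction ID against a resolver with a fixed source port and against one with a randomised port. Names, addresses and the random seed are constructed for the example.

```python
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Query:
    txid: int
    sport: int
    qname: str


@dataclass
class Response:
    txid: int
    dport: int
    qname: str
    answers: list        # (name, ip) pairs, including any "additional" records


class ResolverCache:
    """Model of a recursive resolver's cache with the checks that defeat forged replies."""

    def __init__(self, rng, randomize_port):
        self.rng = rng
        self.randomize_port = randomize_port
        self.pending = set()
        self.records = {}

    def ask(self, qname):
        sport = self.rng.randrange(1024, 65536) if self.randomize_port else 53
        q = Query(self.rng.randrange(65536), sport, qname)
        self.pending.add(q)
        return q

    def receive(self, r):
        # 1) txid, destination port and question must all match an outstanding query
        q = Query(r.txid, r.dport, r.qname)
        if q not in self.pending:
            return False
        self.pending.discard(q)
        # 2) bailiwick: cache only names under the zone asked about
        #    (simplified; a real resolver uses the delegated zone it is talking to)
        zone = r.qname.split(".", 1)[1]
        for name, ip in r.answers:
            if name == zone or name.endswith("." + zone):
                self.records[name] = ip
        return True


def blind_spoof(cache, q, attacker_ip, budget):
    """Off-path attacker: cannot see the query, so it sprays forged answers over
    every txid, assuming the resolver's classic fixed source port 53, and tries to
    smuggle an out-of-bailiwick record for a bank along with the poisoned answer."""
    for txid in range(budget):
        forged = Response(txid, 53, q.qname,
                          [(q.qname, attacker_ip), ("www.bank.example", attacker_ip)])
        if cache.receive(forged):
            return True
    return False


def demo():
    out = {}
    for label, rand_port in (("fixed_port", False), ("random_port", True)):
        cache = ResolverCache(random.Random(7), rand_port)
        q = cache.ask("www.victim.example")
        out[label] = blind_spoof(cache, q, "198.51.100.66", 65536)
        out[label + "_bank_cached"] = "www.bank.example" in cache.records
    return out


if __name__ == "__main__":
    print(demo())
```

With only the 16-bit transaction ID to guess, 65536 forged packets are enough to hit every possible value; adding a random source port multiplies the search space by the number of possible ports, which is why modern resolvers randomise it. The model leaves out the race with the legitimate answer: in reality the forged replies must also arrive before it.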

ARP Poisoning

ARP, the Address Resolution Protocol, resolves IP addresses to MAC addresses on a LAN; the ARP table caches these IP-to-MAC entries. ARP is stateless and unauthenticated: a host does not verify that a reply corresponds to a request it actually sent. In an ARP poisoning attack the attacker sends unsolicited ARP reply packets to the victim claiming, for example, that the gateway's IP address is at the attacker's MAC. When the victim receives the unsolicited replies it updates its ARP table, and from then on forwards traffic for that IP to the attacker, who can sniff, modify or drop it (man in the middle).
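The poisoning frame and a detector for it, as an added example that is not part of the lecture: it builds Ethernet/ARP frames with struct, which also shows the L2 spoofing from the Spoofing section (the attacker's own MAC placed in the sender field next to the gateway's IP), and runs a small arpwatch-style watcher over a constructed sequence of frames: a legitimate request/reply, then an unsolicited reply that changes the gateway's mapping. All MAC and IP addresses are constructed.

```python
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def ip_bytes(ip):
    return bytes(int(o) for o in ip.split("."))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b):
    return ".".join(str(x) for x in b)


def build_arp(opcode, sender_mac, sender_ip, target_mac, target_ip, dst_mac=None):
    """Ethernet frame carrying an ARP packet. For a poisoning reply the attacker sets
    sender_ip to the gateway's address and sender_mac to its own NIC."""
    eth = mac_bytes(dst_mac or target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)      # Ethernet, IPv4, hlen 6, plen 4
           + mac_bytes(sender_mac) + ip_bytes(sender_ip)
           + mac_bytes(target_mac) + ip_bytes(target_ip))
    return eth + arp


def parse_arp(frame):
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    return {
        "opcode": struct.unpack("!H", frame[20:22])[0],
        "sender_mac": mac_str(frame[22:28]), "sender_ip": ip_str(frame[28:32]),
        "target_mac": mac_str(frame[32:38]), "target_ip": ip_str(frame[38:42]),
    }


class ArpWatcher:
    """arpwatch-style detector for one host: remembers which IPs it asked about,
    and alerts on replies nobody asked for and on an IP whose MAC suddenly changes."""

    def __init__(self):
        self.table = {}         # ip -> mac, the host's ARP cache
        self.pending = set()    # ips with an outstanding request from this host
        self.alerts = []

    def observe(self, frame):
        a = parse_arp(frame)
        if a is None:
            return
        if a["opcode"] == ARP_REQUEST:
            self.pending.add(a["target_ip"])
            return
        ip, mac = a["sender_ip"], a["sender_mac"]
        if ip in self.pending:
            self.pending.discard(ip)
        else:
            self.alerts.append(f"unsolicited reply: {ip} is-at {mac}")
        old = self.table.get(ip)
        if old and old != mac:
            self.alerts.append(f"mapping changed: {ip} {old} -> {mac}")
        self.table[ip] = mac    # a plain stack updates regardless: ARP is stateless


def demo():
    """Constructed LAN: victim, gateway, attacker. Returns the watcher after the poison."""
    victim_mac, victim_ip = "00:11:22:33:44:55", "192.168.1.10"
    gw_mac, gw_ip = "aa:bb:cc:dd:ee:01", "192.168.1.1"
    attacker_mac = "de:ad:be:ef:00:01"
    w = ArpWatcher()
    w.observe(build_arp(ARP_REQUEST, victim_mac, victim_ip, "00:00:00:00:00:00", gw_ip,
                        dst_mac="ff:ff:ff:ff:ff:ff"))          # victim asks "who has gateway?"
    w.observe(build_arp(ARP_REPLY, gw_mac, gw_ip, victim_mac, victim_ip))   # real answer
    w.observe(build_arp(ARP_REPLY, attacker_mac, gw_ip, victim_mac, victim_ip))  # poison
    return w


if __name__ == "__main__":
    w = demo()
    print("victim now sends gateway traffic to", w.table["192.168.1.1"])
    print("\n".join(w.alerts))
```

The watcher still lets the table change, mirroring what an unprotected stack does; the alerts are the detection signal. Preventing the change itself needs switch features such as Dynamic ARP Inspection or static ARP entries for critical hosts.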

Weak Passwords

Weak or guessable passwords are a very common vulnerability. Automated tools continuously scan the Internet and try to log in to exposed services (SSH, Telnet, RDP, web administration panels) with commonly used credentials and vendor defaults. Strong, unique passwords, rate limiting or lockout after repeated failures, and multi-factor authentication for administrative access are the countermeasures; monitoring failed logins shows the scanning as it happens.
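The monitoring side of the above as an added example (not from the lecture): a detector that runs over constructed sshd log lines in syslog format and flags a source address that produces many failed logins within a short window, reporting which usernames it tried. The log lines, host names, addresses and thresholds are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(\S+) from (\S+) port \d+"
)

# Constructed sample lines in OpenSSH/syslog format, not a real capture.
SAMPLE_LOG = """\
Jan 10 10:00:01 gw sshd[4011]: Failed password for invalid user admin from 203.0.113.5 port 51000 ssh2
Jan 10 10:00:02 gw sshd[4012]: Failed password for root from 203.0.113.5 port 51001 ssh2
Jan 10 10:00:02 gw sshd[4013]: Failed password for invalid user cisco from 203.0.113.5 port 51002 ssh2
Jan 10 10:00:03 gw sshd[4014]: Failed password for invalid user ubnt from 203.0.113.5 port 51003 ssh2
Jan 10 10:00:04 gw sshd[4015]: Failed password for invalid user pi from 203.0.113.5 port 51004 ssh2
Jan 10 10:00:05 gw sshd[4016]: Accepted publickey for ops from 198.51.100.7 port 40022 ssh2
Jan 10 10:07:30 gw sshd[4020]: Failed password for ops from 198.51.100.7 port 40023 ssh2
Jan 10 10:07:41 gw sshd[4021]: Accepted password for ops from 198.51.100.7 port 40024 ssh2
"""


def detect_bruteforce(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return {ip: (failures_in_window, sorted usernames tried)} for every source that
    reaches `threshold` failed logins inside any sliding window of length `window`."""
    attempts = defaultdict(list)            # ip -> [(time, user)]
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                        # successes and unrelated lines are ignored
        ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S")   # year defaults to 1900
        attempts[m.group(3)].append((ts, m.group(2)))
    flagged = {}
    for ip, events in attempts.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1                  # slide the window forward
            count = end - start + 1
            if count >= threshold:
                users = sorted({u for _, u in events[start:end + 1]})
                flagged[ip] = (count, users)
    return flagged


if __name__ == "__main__":
    for ip, (count, users) in detect_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {count} failures, tried {', '.join(users)}")
```

The username list is the useful part of the alert: a single source cycling through admin, root, cisco, ubnt and pi is a credential-scanning bot working a default list, which reads differently from one operator mistyping their own password.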

Backdoors

After compromising a system, the attacker hides a backdoor on it, such as an extra account, a listening service or a modified system binary, to maintain access even if the original vulnerability is later fixed.

Default Accounts

Devices and applications ship with default accounts and well-known default passwords. Change the password of every default account before the device goes into service and, if possible, rename or disable the account as well, since the default account name is the first thing an attacker tries.

Ping of Death

An IPv4 datagram, including the ICMP header and payload, can be at most 65535 bytes, because the Total Length field is 16 bits wide. A ping packet longer than that cannot be sent in one piece, so the attacker sends it fragmented; each fragment is legal on its own, but when the victim reassembles them the combined length exceeds 65535 bytes, overflows the reassembly buffer and crashes the system. Modern stacks check that a fragment's offset plus its length does not exceed 65535 and drop the whole datagram if it does.
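The fragment arithmetic behind the attack and the check that stops it, as an added example that is not from the lecture: fragment() splits an ICMP datagram into IPv4 fragments the way a sending stack (or the attacker) would, and reassemble() plays the receiver, either with the modern bounds check or, with enforce_limit=False, as the vulnerable stacks behaved, never noticing that offset plus length has run past 65535. Addresses, identification value and payload sizes are constructed.

```python
import struct

MAX_DATAGRAM = 65535          # IPv4 Total Length is a 16-bit field
SRC, DST = bytes([10, 0, 0, 2]), bytes([10, 0, 0, 1])   # constructed addresses


def fragment(icmp_datagram: bytes, ident=0x1234, mtu=1500):
    """Split an ICMP datagram into IPv4 fragments: 20-byte IP header plus a slice of data.
    All but the last fragment carry a multiple of 8 bytes, since the 13-bit fragment
    offset counts 8-byte units; its maximum (8191 * 8 = 65528) plus one more MTU-sized
    slice is what lets the reassembled total exceed 65535."""
    chunk = (mtu - 20) // 8 * 8
    frags = []
    for off in range(0, len(icmp_datagram), chunk):
        data = icmp_datagram[off:off + chunk]
        more = off + len(data) < len(icmp_datagram)
        flags_frag = (int(more) << 13) | (off // 8)
        hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(data), ident,
                          flags_frag, 64, 1, 0, SRC, DST)     # proto 1 = ICMP, checksum 0
        frags.append(hdr + data)
    return frags


def reassemble(frags, enforce_limit=True):
    """Receiver side. Returns the reassembled datagram length, or None if rejected."""
    total = 0
    for f in frags:
        total_len = struct.unpack("!H", f[2:4])[0]
        flags_frag = struct.unpack("!H", f[6:8])[0]
        offset = (flags_frag & 0x1FFF) * 8
        end = offset + (total_len - 20)
        if enforce_limit and end > MAX_DATAGRAM:
            return None          # the fix: drop the datagram instead of writing past the buffer
        total = max(total, end)  # vulnerable path: a 65535-byte buffer is already overrun here
    return total


def ping_of_death(payload_len=66000):
    """Oversized echo request: 8-byte ICMP header plus payload, more than 65535 in total."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, 1, 1) + b"A" * payload_len   # type 8 = echo request
    return fragment(icmp)


def normal_ping(payload_len=56):
    return fragment(struct.pack("!BBHHH", 8, 0, 0, 1, 1) + b"A" * payload_len)


if __name__ == "__main__":
    frags = ping_of_death()
    print(len(frags), "fragments; last offset", (struct.unpack("!H", frags[-1][6:8])[0] & 0x1FFF) * 8)
    print("patched stack:", reassemble(frags), "| vulnerable stack total:", reassemble(frags, False))
```

Nothing in any single fragment is invalid, which is why a per-packet filter does not catch this; the check has to run where the fragments are put back together.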
