In this module we cover some of the network attacks over network that hacker can execute to gain access to network infrastructure or compormise availability.
There are lagacy protocols or services enabled on network devices by default. Like telnet, http, smtp, ntp, snmp. These are clear text protocols. Instead of telnet use SSH, http->https, smtp->smtps,ntp->ntp v3, snmp->snmp v3.
Assume, there is a session between client and server. Client is authenticated with server, using telnet. After some time, attacker comes in between client and server, disconnecting client by sending fin packet on behalf of server and resume TCP/IP Session. So, in order to Hijack TCP/IP Session, hacker must know sequence number before executing attack.
There are two tools used for this purpose:
Null sessions is vulnerability in windows NT/2000 which allow anonymous user to connect for network share named IPC$. After null session is established, attacker can execute certain commands for system fingerprinting like what services are running, system information, network configuration, routing tables.
Spoofing is masquerading attack. Spoofing could be at L2 or L3. On L2, MAC address is replaced with either legitimate or dummy mac address in order to hide attackers mac address. On L3, IP Address is replaced with different ip address to hide attackers own ip address.
Replay attack is type of attack in which legitimate squence of date is resent to server after modification to bypass security controls.
DOS, denial of attack, is the attack on availability.
Domain name Kiting
Domain Kiting exploits 5 days add grace period, AGP in domain name registeration system. Attacker periodically register and delete domain name, and own domain with paying domain registration fee.
Domain Name System is responsible for translating domain name to ip address and vice versa. DNS Poisoning attack target dns server or client system cache to replace orignal ip address of certain domain with that of attacker.
ARP address resolution protocol, resolve ip address to mac address. arp table holds ip address to mac address entries. This is stateless protocol. In ARP Poisoning attack, attacker send unsolicited ARP response packets to victim. After victim receive unsolicited ARP response packets, victim updates arp table.
Weak or guessable password is very common vulnerability. Automated tools contineously scan and try to login with commonly used credentials.
Attacker hide backdoor on hacked system to maintain access.
Default accounts should change password for account. If possible, also change account name as well.
Ping of Death
Ping packet with length greater that 65536 length will crash victim system. ICMP packet with length larger than 65536 is fragmented on attacker machine. Victim when reassemble ICMP fragmented packets, system is crashed.