Module 5: Exploiting Wired and Wireless Networks
- Windows Name Resolution and SMB Attacks
  Name resolution is one of the most fundamental aspects of networking, operating systems and applications. There are several name-to-IP address resolution technologies and protocols, including Network Basic Input/Output System (NetBIOS), Link-Local Multicast Name Resolution (LLMNR) and Domain Name System (DNS). The sections that follow cover vulnerabilities and exploits related to these protocols.
  NetBIOS Name Service and LLMNR — NetBIOS and LLMNR are protocols used primarily by Microsoft Windows for host identification. LLMNR, which is based on the DNS protocol format, allows hosts on the same local link to perform name resolution for other hosts. NetBIOS provides three different services:
  → NetBIOS Name Service (NetBIOS-NS) for name registration and resolution
  → Datagram Service (NetBIOS-DGM) for connectionless communication
  → Session Service (NetBIOS-SSN) for connection-oriented communication
  NetBIOS-related operations use the following ports and protocols:
  → TCP port 135: Microsoft Remote Procedure Call (MS-RPC) endpoint mapper, used for client-to-client and server-to-client communication.
  → UDP port 137: NetBIOS Name Service.
  → UDP port 138: NetBIOS Datagram Service.
  → TCP port 139: NetBIOS Session Service.
  → TCP port 445: SMB protocol, used for sharing files between different operating systems, including Windows and Unix-based systems.
  SMB Exploits — As you learned in the previous section, SMB has historically suffered from numerous catastrophic vulnerabilities. You can easily see this by just exploring the dozens of well-known exploits in the Exploit Database by using the searchsploit command.
- DNS Cache Poisoning
  DNS cache poisoning is a popular attack leveraged by threat actors. In short, DNS cache poisoning involves the manipulation of the DNS resolver cache through the injection of corrupted DNS data. This is done to force the DNS server to send the wrong IP address to the victim and redirect the victim to the attacker's system.
  Step 1 — The attacker corrupts the data of the DNS server cache to impersonate the website theartofhacking.org. Before the attacker executes the attack, the DNS server successfully resolves theartofhacking.org to the correct IP address.
  Step 2 — After the attacker executes the DNS poisoning attack, the DNS server resolves theartofhacking.org to the IP address of the attacker's system.
  Step 3 — The victim sends a request to the DNS server to obtain the IP address of the domain theartofhacking.org.
  Step 4 — The DNS server replies with the IP address of the attacker's system.
  Step 5 — The victim sends an HTTP GET to the attacker's system, and the attacker impersonates the domain theartofhacking.org.
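  As an added example (not code from the original notes) serving both the name resolution section above, since LLMNR reuses the DNS message format, and the poisoning steps just listed: the Python code below builds DNS-format messages and then applies the checks a resolver needs in order to reject a forged reply such as the one in Step 2. The transaction ID and the question must match the outstanding query, and answer records must belong to the queried name. The name theartofhacking.org comes from the notes; transaction IDs, IP addresses (documentation ranges) and the extra record are constructed.

```python
import struct

def encode_name(name):
    """Encode a dotted name in DNS label format (uncompressed)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(txid, name, qtype=1):
    """Header plus one question; flags 0x0100 = standard query, recursion desired."""
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", qtype, 1)

def build_response(txid, qname, answers, ttl=300):
    """Header, echoed question, then one A record per (owner, ipv4); flags 0x8180 = response."""
    msg = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, 0) + encode_name(qname) + struct.pack("!HH", 1, 1)
    for owner, ip in answers:
        rdata = bytes(int(o) for o in ip.split("."))
        msg += encode_name(owner) + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return msg

def decode_name(msg, off):
    """Decode a name that may use 0xC0 compression pointers; return (name, next offset)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # pointer: 14-bit offset into the message
            end = off + 2 if end is None else end
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels).lower(), (off if end is None else end)

def parse_message(msg):
    """Parse header, question section and answer section (A rdata rendered dotted)."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = decode_name(msg, off)
        questions.append((name,) + struct.unpack("!HH", msg[off:off + 4]))
        off += 4
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata = msg[off + 10:off + 10 + rdlen]
        off += 10 + rdlen
        if rtype == 1 and rdlen == 4:
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, ttl, rdata))
    return {"txid": txid, "flags": flags, "questions": questions, "answers": answers}

def validate_response(query, response):
    """Return (accepted, reason). A spoofed reply must guess the transaction ID, echo the
    exact question, and may only carry records for the queried name or names under it
    (a simplified bailiwick rule that ignores CNAME chains)."""
    q, r = parse_message(query), parse_message(response)
    if r["txid"] != q["txid"]:
        return False, "transaction id mismatch"
    if r["questions"] != q["questions"]:
        return False, "question section does not echo the query"
    qname = q["questions"][0][0]
    for name, _rtype, _ttl, _rdata in r["answers"]:
        if name != qname and not name.endswith("." + qname):
            return False, "out-of-bailiwick record for " + name
    return True, "accepted"

# Constructed sample traffic: the query and three candidate replies (192.0.2.x and 198.51.100.x are documentation ranges).
QUERY = build_query(0x1234, "theartofhacking.org")
GOOD_REPLY = build_response(0x1234, "theartofhacking.org", [("theartofhacking.org", "192.0.2.10")])
WRONG_TXID = build_response(0x4321, "theartofhacking.org", [("theartofhacking.org", "198.51.100.66")])
EXTRA_RECORD = build_response(0x1234, "theartofhacking.org", [("theartofhacking.org", "192.0.2.10"), ("www.example.com", "198.51.100.66")])
```

  The transaction ID check is why resolvers randomize IDs and source ports: a forged reply that fails any of these checks never enters the cache.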
- SNMP Exploits
  Simple Network Management Protocol (SNMP) is a protocol that many individuals and organizations use to manage network devices. SNMP uses UDP port 161. In SNMP implementations, every network device contains an SNMP agent that connects with an independent SNMP server. An administrator can use SNMP to obtain health information and the configuration of a networking device, to change the configuration and to perform other administrative tasks. As you can imagine, this is very attractive to attackers because they can leverage SNMP vulnerabilities to perform similar actions in a malicious way.
- SMTP Exploits
  Attackers may leverage insecure SMTP servers to send spam and conduct phishing and other email-based attacks. SMTP is a server-to-server protocol, which is different from client/server protocols such as POP3 or IMAP.
  SMTP Open Relays — SMTP open relay is the term used for an email server that accepts and relays emails from any user. It is possible to abuse these configurations to send spoofed emails, spam, phishing, and other email-related scams. Nmap has an NSE script to test for open relay configuration.
  SMTP commands:
  → HELO
  → EHLO
  → STARTTLS
  → RCPT
  → DATA
  → RSET
  → MAIL
  → QUIT
  → HELP
  → AUTH
  → VRFY
  → EXPN
- FTP Exploits
  Attackers often abuse FTP servers to steal information. The legacy FTP protocol doesn't use encryption or perform any kind of integrity validation. Recommended practice dictates that you implement a more secure alternative, such as File Transfer Protocol Secure (FTPS) or Secure File Transfer Protocol (SFTP). The SFTP and FTPS protocols use encryption to protect data; however, some implementations offer weak encryption ciphers, such as Blowfish and DES. You should use stronger algorithms, such as AES. Similarly, SFTP and FTPS servers use hashing algorithms to verify the integrity of the file transmission.
- Pass-the-Hash Attacks
  All versions of Windows store passwords as hashes in a file called the Security Accounts Manager (SAM) file. The operating system does not know what the actual password is because it stores only a hash of the password. Instead of using a well-known hashing algorithm, Microsoft created its own implementation, which has evolved over the years. Microsoft also has a suite of security protocols for authentication, called New Technology LAN Manager (NTLM). NTLM has two versions: NTLMv1 and NTLMv2. Since Windows 2000, Microsoft has used Kerberos in Windows domains. However, NTLM may still be used when the client is authenticating to a server via IP address or if a client is authenticating to a server in a different Active Directory (AD) forest configured for NTLM trust instead of a transitive inter-forest trust. In addition, NTLM might also still be used if the client is authenticating to a server that doesn't belong to a domain or if the Kerberos communication is blocked by a firewall.
- Kerberos and LDAP-Based Attacks
  Kerberos is an authentication protocol defined in RFC 4120 that has been used by Windows for a number of years. Kerberos is also used by numerous applications and other operating systems. The Kerberos Consortium's website provides detailed information about Kerberos at https://www.kerberos.org. A Kerberos implementation contains three basic elements:
  → Clients
  → Server
  → Key distribution center (KDC), including the authentication server and the ticket-granting server
  Step 1 — The client sends a request to the authentication server within the KDC.
  Step 2 — The authentication server sends a session key and a ticket-granting ticket (TGT) that is used to verify the client's identity.
  Step 3 — The client sends the TGT to the ticket-granting server.
  Step 4 — The ticket-granting server generates and sends a ticket to the client.
  Step 5 — The client presents the ticket to the server.
  Step 6 — The server grants access to the client.
  Active Directory uses Lightweight Directory Access Protocol (LDAP) as an access protocol. The Windows LDAP implementation supports Kerberos authentication. LDAP uses an inverted-tree hierarchical structure called the Directory Information Tree (DIT). In LDAP, every entry has a defined position. The Distinguished Name (DN) represents the full path of the entry.
  One of the most common attacks is the Kerberos golden ticket attack. An attacker can manipulate Kerberos tickets based on available hashes by compromising a vulnerable system and obtaining the local user credentials and password hashes. If the system is connected to a domain, the attacker can identify a Kerberos TGT password hash to get the golden ticket.
- Kerberoasting
  Another attack against Kerberos-based deployments is Kerberoasting, a post-exploitation activity that is used by an attacker to extract service account credential hashes from Active Directory for offline cracking. It is a pervasive attack that exploits a combination of weak encryption implementation and improper password practices. Kerberoasting can be an effective attack because the threat actor can extract service account credential hashes without sending any IP packets to the victim and without having domain admin credentials.
- On-Path Attacks
  In an on-path attack, an attacker places himself or herself in-line between two devices or individuals that are communicating in order to eavesdrop on or manipulate the data being transferred. On-path attacks can happen at Layer 2 or Layer 3.
  ARP Spoofing and ARP Cache Poisoning
  ARP cache poisoning (also known as ARP spoofing) is an example of an attack that leads to an on-path attack scenario. An ARP spoofing attack can target hosts, switches, and routers connected to a Layer 2 network by poisoning the ARP caches of systems connected to the subnet and intercepting traffic intended for other hosts on the subnet. In Figure 5–5, the attacker spoofs Layer 2 MAC addresses to make the victim believe that the Layer 2 address of the attacker is the Layer 2 address of its default gateway (10.2.3.4). The packets that are supposed to go to the default gateway are forwarded by the switch to the Layer 2 address of the attacker on the same network. The attacker can forward the IP packets to the correct destination in order to allow the client to access the web server (10.2.66.77).
  Media Access Control (MAC) spoofing is an attack in which a threat actor impersonates the MAC address of another device (typically an infrastructure device such as a router). The MAC address is typically a hard-coded address on a network interface controller. In virtual environments, the MAC address could be a virtual address (that is, not assigned to a physical adapter). An attacker could spoof the MAC address of physical or virtual systems to either circumvent access control measures or perform an on-path attack.
  NOTE: A common mitigation for ARP cache poisoning attacks is to use Dynamic Address Resolution Protocol (ARP) Inspection (DAI) on switches to prevent spoofing of the Layer 2 addresses.
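  As an added example that is not part of the notes, the Python code below shows the check that Dynamic ARP Inspection performs: every ARP packet's sender IP/MAC pair is compared with a trusted binding table (normally built by DHCP snooping), and packets that contradict it are dropped and logged instead of reaching the victim's ARP cache. The gateway address 10.2.3.4 comes from the scenario above; the MAC addresses (IANA documentation range) and the other IP addresses are constructed.

```python
import struct
from ipaddress import IPv4Address

ARP_ETHERTYPE = 0x0806

def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))

def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)

def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II frame carrying an ARP reply (opcode 2) from sender to target."""
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ARP_ETHERTYPE)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2)           # Ethernet, IPv4, hlen, plen, opcode reply
           + mac_bytes(sender_mac) + IPv4Address(sender_ip).packed
           + mac_bytes(target_mac) + IPv4Address(target_ip).packed)
    return eth + arp

def parse_arp(frame):
    """Return the ARP fields of an Ethernet frame, or None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ARP_ETHERTYPE:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {
        "op": op,
        "frame_src": mac_str(frame[6:12]),          # Ethernet source address
        "sha": mac_str(frame[22:28]),               # sender hardware address (ARP body)
        "spa": str(IPv4Address(frame[28:32])),      # sender protocol address
        "tha": mac_str(frame[32:38]),
        "tpa": str(IPv4Address(frame[38:42])),
    }

class ArpInspector:
    """DAI-style filter: the ARP sender binding must match the trusted table, and the
    ARP sender MAC must match the Ethernet source MAC. Anything else is dropped and logged."""

    def __init__(self, bindings):
        self.bindings = {ip: mac.lower() for ip, mac in bindings.items()}
        self.log = []

    def inspect(self, frame):
        pkt = parse_arp(frame)
        if pkt is None:
            return "ignored"
        expected = self.bindings.get(pkt["spa"])
        if pkt["sha"] != pkt["frame_src"]:
            verdict = f"drop: ARP sender {pkt['sha']} differs from frame source {pkt['frame_src']}"
        elif expected is None:
            verdict = f"drop: no trusted binding for {pkt['spa']}"
        elif expected != pkt["sha"]:
            verdict = f"drop: {pkt['spa']} claimed by {pkt['sha']}, binding says {expected}"
        else:
            return "forward"
        self.log.append(verdict)
        return verdict

# Constructed scenario: victim 10.2.3.10, gateway 10.2.3.4 (from the notes), attacker 10.2.3.66.
BINDINGS = {"10.2.3.4": "00:00:5e:00:53:01", "10.2.3.10": "00:00:5e:00:53:10", "10.2.3.66": "00:00:5e:00:53:66"}
LEGIT_REPLY = build_arp_reply("00:00:5e:00:53:01", "10.2.3.4", "00:00:5e:00:53:10", "10.2.3.10")
# The spoofed reply claims the gateway's IP address with the attacker's MAC address.
SPOOFED_REPLY = build_arp_reply("00:00:5e:00:53:66", "10.2.3.4", "00:00:5e:00:53:10", "10.2.3.10")
```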
- Route Manipulation Attacks
  Although many different route manipulation attacks exist, one of the most common is the BGP hijacking attack. Border Gateway Protocol (BGP) is a dynamic routing protocol used to route Internet traffic. An attacker can launch a BGP hijacking attack by configuring or compromising an edge router to announce prefixes that have not been assigned to his or her organization. If the malicious announcement contains a route that is more specific than the legitimate advertisement or that presents a shorter path, the victim's traffic could be redirected to the attacker. In the past, threat actors have leveraged unused prefixes for BGP hijacking in order to avoid attention.
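  An added example, not from the notes: Route Origin Validation and a more-specific-prefix check in Python, the two controls operators use to catch the hijack described above. A ROA states which origin AS may announce a prefix and how specific the announcement may be; a monitoring rule then flags any announcement covering a prefix you own from an unexpected origin. The prefixes (documentation ranges), AS numbers (documentation ASN range), ROA list and announcements are all constructed.

```python
from ipaddress import ip_network

class RoaTable:
    """Route Origin Validation (RPKI-style): a ROA authorizes one origin AS for a
    prefix and any more-specific of it up to a maximum prefix length."""

    def __init__(self, roas):
        self.roas = [(ip_network(prefix), asn, maxlen) for prefix, asn, maxlen in roas]

    def validate(self, prefix, origin_as):
        net = ip_network(prefix)
        covering = [r for r in self.roas if r[0].version == net.version and net.subnet_of(r[0])]
        if not covering:
            return "not-found"       # no ROA covers this prefix; ROV cannot judge it
        if any(asn == origin_as and net.prefixlen <= maxlen for _net, asn, maxlen in covering):
            return "valid"
        return "invalid"             # wrong origin, or more specific than the ROA allows

def detect_hijacks(roas, monitored, announcements):
    """Flag announcements that are ROV-invalid or that cover a monitored prefix
    (same prefix or a more specific one) with an origin AS other than the expected one.
    monitored: {prefix: expected origin AS}; announcements: [(prefix, as_path), ...]."""
    alerts = []
    for prefix, as_path in announcements:
        net, origin = ip_network(prefix), as_path[-1]   # origin AS is the last hop in the AS_PATH
        reasons = []
        if roas.validate(prefix, origin) == "invalid":
            reasons.append(f"ROV invalid for origin AS{origin}")
        for mon_prefix, mon_origin in monitored.items():
            mon = ip_network(mon_prefix)
            if net.version == mon.version and net.subnet_of(mon) and origin != mon_origin:
                kind = "more-specific" if net.prefixlen > mon.prefixlen else "same-prefix"
                reasons.append(f"{kind} announcement of {mon_prefix} from AS{origin}, expected AS{mon_origin}")
        if reasons:
            alerts.append((prefix, as_path, "; ".join(reasons)))
    return alerts

# Constructed data: AS64500 owns 192.0.2.0/24 and has a ROA allowing only the /24 itself.
ROAS = RoaTable([("192.0.2.0/24", 64500, 24)])
MONITORED = {"192.0.2.0/24": 64500}
ANNOUNCEMENTS = [
    ("192.0.2.0/24", [64510, 64500]),        # legitimate announcement via a transit AS
    ("192.0.2.128/25", [64511]),             # more specific from an unrelated AS: the hijack
    ("203.0.113.0/24", [64510, 64505]),      # unrelated prefix with no ROA
]
```

  Routers that apply ROV drop the invalid /25, and the monitoring alert gives the prefix owner a trigger even where upstream networks do not filter.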
- DoS and DDoS Attacks
  Denial-of-service (DoS) and distributed DoS (DDoS) attacks have been around for quite some time, but there has been heightened awareness of them over the past few years. DoS attacks can generally be divided into three categories, described in the following sections:
  → Direct — A direct DoS attack occurs when the source of the attack generates the packets, regardless of protocol, application, and so on, that are sent directly to the victim of the attack. Cybercriminals can also use DoS and DDoS attacks to produce added costs for the victim when the victim is using cloud services. In most cases, when you use a cloud service such as Amazon Web Services (AWS), Microsoft Azure, or Digital Ocean, you pay per usage. Attackers can launch DDoS attacks to cause you to pay more for usage and resources.
  → Botnet — Many attackers use botnets to launch DDoS attacks. A botnet is a collection of compromised machines that the attacker can manipulate from a command and control system to participate in a DDoS attack, send spam emails, and perform other illicit activities. The botnet is composed of compromised user endpoints, home wireless routers, and Internet of Things (IoT) devices such as IP cameras.
  → Reflected — With reflected DoS and DDoS attacks, attackers send to sources spoofed packets that appear to be from the victim, and then the sources become unwitting participants in the reflected attack by sending the response traffic back to the intended victim.
  → Amplification — An amplification attack is a form of reflected DoS attack in which the response traffic is made up of packets that are much larger than those that were initially sent by the attacker.
- Network Access Control (NAC) Bypass
  NAC is a technology that is designed to interrogate endpoints before they join a wired or wireless network. It is typically used in conjunction with 802.1X for identity management and enforcement. In short, a network access switch or wireless access point (AP) can be configured to authenticate end users and perform a security posture assessment of the endpoint device to enforce policy. In addition, NAC-enabled devices can use several detection techniques to detect the endpoint trying to connect to the network. A NAC-enabled device intercepts DHCP requests from endpoints. A broadcast listener is used to look for network traffic, such as ARP requests and DHCP requests generated by endpoints.
- VLAN Hopping
  One way to identify a LAN is to say that all the devices in the same LAN have a common Layer 3 IP network address and are also all located in the same Layer 2 broadcast domain. A virtual LAN (VLAN) is another name for a Layer 2 broadcast domain. A VLAN is controlled by a switch. The switch also controls which ports are associated with which VLANs.
- DHCP Starvation Attacks and Rogue DHCP Servers
  Most organizations run DHCP servers. The two most popular attacks against DHCP servers and infrastructure are DHCP starvation and DHCP spoofing. In a DHCP starvation attack, an attacker broadcasts a large number of DHCP REQUEST messages with spoofed source MAC addresses. If the DHCP server responds to all these fake DHCP REQUEST messages, the available IP addresses in the DHCP server scope are depleted within a few minutes or seconds. After the available IP addresses in the DHCP server scope are exhausted, the server can no longer respond to new DHCP requests from legitimate network DHCP clients.
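  An added example (not from the notes) in Python: a DHCP message parser plus the two switch-side guards that DHCP snooping and port security provide against the attacks above. A cap on distinct client MAC addresses per access port blunts starvation from spoofed MACs, and a rule that server replies are accepted only on trusted ports blocks a rogue DHCP server. Port names, MAC addresses and the per-port limit are constructed.

```python
import struct
from collections import defaultdict

MAGIC_COOKIE = b"\x63\x82\x53\x63"
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}

def build_dhcp(op, msg_type, client_mac, xid):
    """Minimal DHCP message: op 1 = client (BOOTREQUEST), op 2 = server (BOOTREPLY);
    fixed BOOTP fields, magic cookie, then option 53 (message type) and the end marker."""
    chaddr = bytes.fromhex(client_mac.replace(":", "")).ljust(16, b"\x00")
    fixed = (struct.pack("!BBBBIHH", op, 1, 6, 0, xid, 0, 0x8000)   # op, htype, hlen, hops, xid, secs, flags
             + b"\x00" * 16                                          # ciaddr, yiaddr, siaddr, giaddr
             + chaddr + b"\x00" * 192)                               # chaddr, sname, file
    return fixed + MAGIC_COOKIE + bytes([53, 1, msg_type, 255])

def parse_dhcp(pkt):
    """Return op, xid, client MAC and message type, or None if this is not DHCP."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC_COOKIE:
        return None
    hlen = pkt[2]
    options, off = {}, 240
    while off < len(pkt) and pkt[off] != 255:
        if pkt[off] == 0:            # pad option
            off += 1
            continue
        code, length = pkt[off], pkt[off + 1]
        options[code] = pkt[off + 2:off + 2 + length]
        off += 2 + length
    mtype = options.get(53, b"\x00")[0]
    return {
        "op": pkt[0],
        "xid": struct.unpack("!I", pkt[4:8])[0],
        "chaddr": ":".join(f"{b:02x}" for b in pkt[28:28 + hlen]),
        "type": MSG_TYPES.get(mtype, f"type-{mtype}"),
    }

class DhcpSnooping:
    """Switch-side guard. Only trusted (uplink/server) ports may carry server replies,
    and each untrusted port may source DHCP client traffic from a bounded number of MACs."""

    def __init__(self, trusted_ports, max_clients_per_port=3):
        self.trusted = set(trusted_ports)
        self.max_clients = max_clients_per_port
        self.clients = defaultdict(set)     # port -> client MACs seen in DISCOVER/REQUEST

    def inspect(self, port, pkt):
        msg = parse_dhcp(pkt)
        if msg is None:
            return "ignored"
        if msg["op"] == 2 and port not in self.trusted:
            return f"drop: server message {msg['type']} on untrusted port {port} (rogue DHCP server?)"
        if msg["type"] in ("DISCOVER", "REQUEST"):
            self.clients[port].add(msg["chaddr"])
            if len(self.clients[port]) > self.max_clients:
                return f"drop: port {port} exceeded {self.max_clients} client MACs (DHCP starvation?)"
        return "forward"
```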
- Rogue Access Points
  One of the simplest wireless attacks involves an attacker installing a rogue AP in a network to fool users into connecting to that AP. Basically, the attacker can use that rogue AP to create a backdoor and obtain access to the network and its systems.
- Evil Twin Attacks
  In an evil twin attack, the attacker creates a rogue access point and configures it exactly the same as the existing corporate network. Typically, the attacker uses DNS spoofing to redirect the victim to a cloned captive portal or a website. When users are logged on to the evil twin, a hacker can easily inject a spoofed DNS record into the DNS cache, replacing the legitimate record. An attacker who performs a DNS cache poisoning attack wants to get the DNS cache to accept a spoofed record. Some ways to defend against DNS spoofing are using packet filtering, cryptographic protocols, and the spoofing detection features provided by modern wireless implementations.
- Disassociation (or Deauthentication) Attacks
  An attacker can cause legitimate wireless clients to deauthenticate from legitimate wireless APs or wireless routers to either create a DoS condition or make those clients connect to an evil twin. This type of attack is also known as a disassociation attack because the attacker disassociates the user from the authenticating wireless AP and then carries out another attack to obtain the user's valid credentials. A service set identifier (SSID) is the name or identifier associated with an 802.11 wireless local area network (WLAN). SSID names are included in plaintext in many wireless packets and beacons. A wireless client needs to know the SSID in order to associate with a wireless AP. It is possible to configure passive wireless tools like Kismet or KisMAC to listen to and capture SSIDs and any other wireless network traffic.
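  An added example (not from the notes) serving both the evil twin section and the deauthentication section: a Python monitor that parses 802.11 management frames and alerts when an SSID you own is beaconed by a BSSID that is not on your authorized list, or when deauthentication frames from one BSSID exceed a rate threshold inside a sliding window. The SSID Corp-net is the one used later in this module; the BSSIDs and station MAC (IANA documentation range), threshold and window are constructed. A real sensor would take these frames from a monitor-mode capture; here they are built inline.

```python
import struct
from collections import defaultdict

BEACON, DEAUTH = 8, 12  # 802.11 management frame subtypes

def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))

def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)

def mgmt_frame(subtype, addr1, addr2, bssid, body):
    """24-byte 802.11 management header (little-endian frame control, type 0) plus body."""
    return struct.pack("<H", subtype << 4) + b"\x00\x00" + mac_bytes(addr1) + mac_bytes(addr2) + mac_bytes(bssid) + b"\x00\x00" + body

def beacon(bssid, ssid):
    """Beacon body: timestamp, interval, capabilities, then the SSID information element (tag 0)."""
    body = b"\x00" * 8 + struct.pack("<HH", 100, 0x0411) + bytes([0, len(ssid)]) + ssid.encode()
    return mgmt_frame(BEACON, "ff:ff:ff:ff:ff:ff", bssid, bssid, body)

def deauth(bssid, station, reason=7):
    """Deauthentication frame from the AP to one station, carrying a 16-bit reason code."""
    return mgmt_frame(DEAUTH, station, bssid, bssid, struct.pack("<H", reason))

def parse_mgmt(frame):
    """Return subtype, addresses and (for beacons) SSID or (for deauth) reason; None if not management."""
    fc = struct.unpack("<H", frame[:2])[0]
    if (fc >> 2) & 0x3 != 0:
        return None
    pkt = {"subtype": (fc >> 4) & 0xF, "da": mac_str(frame[4:10]),
           "sa": mac_str(frame[10:16]), "bssid": mac_str(frame[16:22])}
    body = frame[24:]
    if pkt["subtype"] == BEACON:
        off = 12                      # skip timestamp, interval, capabilities
        while off + 2 <= len(body):   # walk information elements until the SSID (tag 0)
            tag, length = body[off], body[off + 1]
            if tag == 0:
                pkt["ssid"] = body[off + 2:off + 2 + length].decode("utf-8", "replace")
                break
            off += 2 + length
    elif pkt["subtype"] == DEAUTH:
        pkt["reason"] = struct.unpack("<H", body[:2])[0]
    return pkt

class WirelessMonitor:
    """Evil twin: an SSID we own advertised by a BSSID we do not. Deauth flood: at least
    `threshold` deauthentication frames from one BSSID inside a sliding window of `window` seconds."""

    def __init__(self, authorized, threshold=10, window=5.0):
        self.authorized = {ssid: {b.lower() for b in bssids} for ssid, bssids in authorized.items()}
        self.threshold, self.window = threshold, window
        self.deauth_times = defaultdict(list)   # bssid -> timestamps of recent deauth frames
        self.alerts = []

    def observe(self, frame, ts):
        """Return an alert string for this frame, or None; alerts are also kept in self.alerts."""
        pkt = parse_mgmt(frame)
        if pkt is None:
            return None
        alert = None
        if pkt["subtype"] == BEACON and pkt.get("ssid") in self.authorized:
            if pkt["bssid"] not in self.authorized[pkt["ssid"]]:
                alert = f"evil twin: SSID {pkt['ssid']!r} beaconed by unknown BSSID {pkt['bssid']}"
        elif pkt["subtype"] == DEAUTH:
            times = self.deauth_times[pkt["bssid"]]
            times.append(ts)
            times[:] = [t for t in times if ts - t <= self.window]
            if len(times) >= self.threshold:
                alert = f"deauth flood: {len(times)} deauth frames from {pkt['bssid']} in {self.window}s"
        if alert:
            self.alerts.append(alert)
        return alert

# Constructed data: one authorized AP for the corporate SSID, one rogue AP and one client station.
AUTHORIZED = {"Corp-net": ["00:00:5e:00:53:a1"]}
ROGUE_BSSID, STATION = "00:00:5e:00:53:ee", "00:00:5e:00:53:c1"
```

  Because the BSSID of a rogue AP is attacker-chosen, the whitelist must be maintained from your own AP inventory, and 802.11w (protected management frames) is the control that stops forged deauth frames from being honoured in the first place.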
- Preferred Network List Attacks
  Operating systems and wireless supplicants (clients), in many cases, maintain a list of trusted or preferred wireless networks. This is also referred to as the preferred network list (PNL). A PNL includes the wireless network SSID, plaintext passwords, or WEP or WPA passwords. Clients use these preferred networks to automatically associate to wireless networks when they are not connected to an AP or a wireless router. It is possible for attackers to listen to these client requests and impersonate the wireless networks in order to make the clients connect to the attackers' wireless devices and eavesdrop on their conversations or manipulate their communication.
- Wireless Signal Jamming and Interference
  The purpose of jamming wireless signals or causing wireless network interference is to create a full or partial DoS condition in the wireless network. Such a condition, if successful, is very disruptive. Most modern wireless implementations provide built-in features that can help immediately detect such attacks. In order to jam a Wi-Fi signal or any other type of radio communication, an attacker basically generates random noise on the frequencies that wireless networks use. With the appropriate tools and wireless adapters that support packet injection, an attacker can cause legitimate clients to disconnect from wireless infrastructure devices.
- War Driving
  War driving is a method attackers use to find wireless access points wherever they might be. By just driving (or walking) around, an attacker can obtain a significant amount of information over a very short period of time. Another similar attack is war flying, which involves using a portable computer or other mobile device to search for wireless networks from an aircraft, such as a drone or another unmanned aerial vehicle (UAV).
- Initialization Vector (IV) Attacks and Unsecured Wireless Protocols
  An attacker can cause some modification on the initialization vector (IV) of a wireless packet that is encrypted during transmission. The goal of the attacker is to obtain a lot of information about the plaintext of a single packet and generate another encryption key that can then be used to decrypt other packets using the same IV. WEP is susceptible to many different attacks, including IV attacks.
  Attack Against WEP
  Because WEP is susceptible to many different attacks, it is considered an obsolete wireless protocol. WEP must be avoided, and many wireless network devices no longer support it. WEP keys exist in two sizes: 40-bit (5-byte) and 104-bit (13-byte) keys. In addition, WEP uses a 24-bit IV, which is prepended to the pre-shared key (PSK). When you configure a wireless infrastructure device with WEP, the IVs are sent in plaintext.
  Attack Against WPA
  WPA and WPA version 2 (WPA2) are susceptible to different vulnerabilities. WPA version 3 (WPA3) addresses all the vulnerabilities to which WPA and WPA2 are susceptible, and many wireless professionals recommend WPA3 to organizations and individuals. All versions of WPA support different authentication methods, including PSK. WPA is not susceptible to the IV attacks that affect WEP; however, it is possible to capture the WPA four-way handshake between a client and a wireless infrastructure device and then brute-force the WPA PSK.
  Step 1 — An attacker monitors the Wi-Fi network and finds wireless clients connected to the Corp-net SSID.
  Step 2 — The attacker sends DeAuth packets to deauthenticate the wireless client.
  Step 3 — The attacker captures the WPA four-way handshake and cracks the WPA PSK. It is possible to use word lists and tools such as Aircrack-ng to perform this attack.
  Step 4 — The attacker uses the Aircrack-ng command to crack the WPA PSK by using a word list.
  Step 5 — The tool takes a while to process, depending on the computer power and the complexity of the PSK. After it cracks the WPA PSK, a window.
  KRACK Attacks
  Mathy Vanhoef and Frank Piessens, from the University of Leuven, found and disclosed a series of vulnerabilities that affect WPA and WPA2. These vulnerabilities — also referred to as KRACK (which stands for key reinstallation attack) — and details about them are published at https://www.krackattacks.com. Exploitation of these vulnerabilities depends on the specific device configuration. Successful exploitation could allow unauthenticated attackers to reinstall a previously used encryption or integrity key (either through the client or the access point, depending on the specific vulnerability). When a previously used key has successfully been reinstalled (by exploiting the disclosed vulnerabilities), an attacker may proceed to capture traffic using the reinstalled key and attempt to decrypt such traffic. In addition, the attacker may attempt to forge or replay previously seen traffic. An attacker can perform these activities by manipulating retransmissions of handshake messages.
  NOTE: For details about KRACK attacks, see https://blogs.cisco.com/security/wpa-vulns. Most wireless vendors have provided patches that address the KRACK vulnerabilities, and WPA3 also addresses these vulnerabilities.
- KARMA Attacks
  KARMA is an on-path attack that involves creating a rogue AP and allowing an attacker to intercept wireless traffic. A radio-capable machine could be a mobile device, a laptop, or any Wi-Fi enabled device. In a KARMA attack scenario, the attacker listens for the probe requests from wireless devices and intercepts them to generate the same SSID for which the device is sending probes. This can be used to attack the PNL, as discussed earlier in this module.
- Fragmentation Attacks
  Wireless fragmentation attacks can be used to acquire 1500 bytes of pseudo-random generation algorithm (PRGA) elements. Wireless fragmentation attacks can be launched against WEP-configured devices. These attacks do not recover the WEP key itself but can use the PRGA to generate packets with tools such as Packetforge-ng to perform wireless injection attacks.
- Credential Harvesting
  Credential harvesting is an attack that involves obtaining or compromising user credentials. Credential harvesting attacks can be launched using common social engineering attacks such as phishing, and they can be performed by impersonating a wireless AP or a captive portal to convince a user to enter his or her credentials. Tools such as Ettercap can spoof DNS replies and divert a user visiting a given website to an attacker's local system.
- Bluejacking and Bluesnarfing
  Bluejacking is an attack that can be performed using Bluetooth with vulnerable devices in range. An attacker sends unsolicited messages to a victim over Bluetooth, including a contact card (vCard) that typically contains a message in the name field. This is done using the Object Exchange (OBEX) protocol. A vCard can contain a name, address, telephone numbers, email addresses, and related web URLs. This type of attack has been mostly performed as a form of spam over Bluetooth connections. Another Bluetooth-based attack is Bluesnarfing. Bluesnarfing attacks are performed to obtain unauthorized access to information from a Bluetooth-enabled device. An attacker can launch Bluesnarfing attacks to access calendars, contact lists, emails and text messages, pictures, or videos from the victim. Bluesnarfing is considered riskier than Bluejacking because whereas Bluejacking attacks only transmit data to the victim device, Bluesnarfing attacks steal information from the victim device. Bluesnarfing attacks can also be used to obtain the International Mobile Equipment Identity (IMEI) number for a device. Attackers can then divert incoming calls and messages to another device without the user's knowledge.
- Bluetooth Low Energy (BLE) Attacks
  Numerous IoT devices use Bluetooth Low Energy (BLE) for communication. BLE communications can be susceptible to on-path attacks, and an attacker could modify the BLE messages between systems that would think that they are communicating with legitimate systems. DoS attacks can also be problematic for BLE implementations. Several research efforts have demonstrated different BLE attacks. For instance, Ohio State University researchers have discovered different fingerprinting attacks that can allow an attacker to reveal design flaws and misconfigurations of BLE devices.
- Radio-Frequency Identification (RFID) Attacks
  Radio-frequency identification (RFID) is a technology that uses electromagnetic fields to identify and track tags that hold electronically stored information. There are active and passive RFID tags. Passive tags use energy from RFID readers, whereas active tags have local power sources and can operate from longer distances. Many organizations use RFID tags to track inventory or in badges used to enter buildings or rooms. RFID tags can even be implanted into animals or people to read specific information that can be stored in the tags. Low-frequency (LF) RFID tags and devices operate at frequencies between 120 kHz and 140 kHz, and they exchange information at distances shorter than 3 feet. High-frequency (HF) RFID tags and devices operate at the 13.56 MHz frequency at distances between 3 and 10 feet. Ultra-high-frequency (UHF) RFID tags and devices operate at frequencies between 80 MHz and 960 MHz and exchange information at distances of up to 30 feet.
- Password Spraying
  Password spraying is a type of credential attack in which an attacker brute-forces logins based on a list of usernames with default passwords of common systems or applications. A similar attack is credential stuffing. In this type of attack, the attacker performs automated injection of usernames and passwords that have been exposed in previous breaches.
- Exploit Chaining
  Most sophisticated attacks leverage multiple vulnerabilities to compromise systems. An attacker may "chain" exploits against known or zero-day vulnerabilities to compromise systems and to steal, modify, or corrupt data.