Today we are going to talk about a few common attack vectors, which are often taken when performing network penetration testing in enterprise and business sizing from medium to large.
I. Common Attacks Against Routers
- Packing Sniffing
Packing sniffing is the art of capturing network traffic for analysis. When encryption is not in place, we can read sensitive information flowing back and forth.
Many companies have web and share servers, which are used internally among employees. And they assume there’s no way for hackers to get in so it’s safe to not add encryption to them.
But guess what, they’re wrong. Even with encryption in place, if hackers compromised one of the hosts he cloud even decrypt the traffic live.
- Packet Misrouting and Routing Table Poisoning
Packing misrouting happens when a router’s configuration is manipulated so that traffic is no longer router properly. Such as traffic might be routed to non-existent network locations. Or traffic might be sent back to a previous router which resulted in a routing loop.
On the other hand, a routing table poisoning attack happens when hackers can modify the victim’s router routing table, such that hackers convince a router to update its routing table, resulting in traffic redirection. And this redirection might redirect traffic to router of the hacker’s choosing.
- Denial of Service
Denial of Service or DoS could result in a complete and total impact on the availability of the device, router in this case. So make sure you talk to customers first before executing this attack.
- Distributed Denial of Service
Distributed Denial of Service or DDoS attacks are from more than one machines and locations. We can see many examples on the Internet where the traffic is originated from thousands of machines (bot) and many locations over around the world which resulted the target web service being unresponsive or even gone offline for a few hours.
II. Attacks against Switches
- CDP Information Disclosure
CDP or Cisco Discovery Protocol is a discovery protocol and utilized in switches developed by Cisco Systems.
The information provided by a network discovery protocol might be crucial to the switch’s operation but also useful to hackers. If hackers can sniff such protocol, they can capture valuable information such as the name of the switch vendor, the version of the OS software installed, the usernames of administrative accounts used to login to the switch, and so much more.
- MAC Flooding
In a MAC flooding attack, an attacker convinces a switch that new devices continue to connect in an almost non-stop, continual fashion. Eventually, the switch will reach a point where it no longer has enough memory to record each new MAC address that connects to it. Then the switch will start to enter an error condition where it functions as a hub. Once that happens, it allows for the sniffing of all network communication.
- DHCP Manipulation
This attack takes place when an attacker is in a sufficient position on a victim network, they can monitor for DHCP request (DORA) that are being sent from a computing device. If the attacker takes action quick enough, he can provide an answer of the DHCP request before the legitimate DHCP server does. In doing so, the attacker has gained control of the network configuration information which then the computing devices will use for its network configuration.
- STP Manipulation
Spanning Tree Protocol or STP manipulation attacks are in part similar to CDP attack in which CDP is plaintext which makes the job of attackers much easier.
Moreover, with sufficient access to the network, attacker might be able to impersonate STP communication and manipulate it to their advantage. If successful, the result will be switch re-configuration.
- VLAN Hopping
Virtual Local Area Network or VLAN is a concept of network segmentation which enforces the concept that devices should not be allowed to communicate with one another simply by the nature of being connected.
Network segmentation, such as in the form of VLAN makes the life of attacker much more difficult.
In VLAN hopping attack, an attacker will manipulate the characteristics of network packets in such a way that a switch will allow an attacker to ‘hop’ from one VLAN to another in a way that would otherwise be prohibited.
III. Conclusion
These are just a few common network attacks that we usually see during penetration testing especially in the enterprise environment. But the member this is not an exhausted list, there are many more attacks and protocols related to AD in a hybrid environment which I will cover in the next post.
Thank you for taking your time reading this and I’ll see you soon.
References:
hxxps[://]www[.]ciscopress[.]com/articles/article[.]asp?p=1681033&seqNum=3
hxxps[://]www[.]geeksforgeeks[.]org/what-are-cdp-cisco-discovery-protocol-attacks/
hxxps[://]www[.]ccexpert[.]us/authentication-proxy/stp-manipulation-attacks[.]html