Notes on CEH — Part 3

Mattia Zignale
Jul 26, 2021

07: Sniffing

Sniffing concepts

Network Sniffing

Packet sniffing is the process of monitoring and capturing every packet passing through a network segment by means of dedicated software or hardware.

Types of Sniffing

PASSIVE SNIFFING: sniffing through a hub, which repeats every frame to every port, so the attacker only listens and sends nothing. Hubs are hardly used any more, and this only works in a network where packets are delivered to all devices.

ACTIVE SNIFFING: used on switched networks, where the switch delivers each frame only to the port of its destination MAC, so the attacker has to inject traffic to defeat that: flooding the switch’s CAM (content addressable memory) table with frames carrying bogus source MACs, or poisoning ARP/DHCP/DNS so that the victims’ traffic is redirected through the attacker. Techniques used include MAC flooding, DHCP attacks, DNS poisoning, switch port stealing, ARP poisoning and spoofing attacks. In both cases the NIC must be in promiscuous mode to capture frames that are not addressed to it.

MAC Attacks

The CAM table maps MAC addresses to switch ports. When it is full the switch can no longer learn new addresses and forwards frames for unknown destinations out of every port, effectively turning it into a hub; once the bogus entries age out (or the switch is reset) it re-enters “learning mode”. The attacker fills the table by sending frames with thousands of random source MAC addresses (MAC flooding).

Switch Port Stealing

This technique abuses the same MAC learning as MAC flooding, but to redirect rather than to overflow. The attacker sends forged frames whose source MAC is the target’s MAC and whose destination MAC is the attacker’s own: the switch “learns” the target’s MAC on the attacker’s port and delivers the target’s traffic there. The attacker reads the stolen frames, then sends an ARP request for the target so that the target’s reply makes the switch relearn the correct port, forwards the frames on, and repeats. It is a race: the attacker must send his forged frames more often than the target sends its own, otherwise the CAM entry flips back.
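
Both MAC flooding and port stealing come down to how the switch learns MAC-to-port entries, so here is a small CAM-table model, added to these notes as an example (not code from the original post). The switch class, the port numbers, the MAC addresses and the table size are all constructed for the demo; real switches differ in details (hash buckets, per-VLAN tables, port security).

```python
import random


class Switch:
    """Toy model of a switch's CAM table: MAC -> (port, last_seen)."""

    def __init__(self, ports, cam_size, age=5):
        self.ports = list(ports)
        self.cam_size = cam_size
        self.age = age            # seconds before an idle entry is forgotten
        self.cam = {}

    def _expire(self, now):
        for mac in [m for m, (_, seen) in self.cam.items() if seen < now - self.age]:
            del self.cam[mac]

    def receive(self, now, in_port, src, dst):
        """Learn src on in_port, then return the ports the frame is sent out of."""
        self._expire(now)
        if src in self.cam:
            self.cam[src] = (in_port, now)     # relearn: a MAC follows the port it was last seen on
        elif len(self.cam) < self.cam_size:
            self.cam[src] = (in_port, now)     # when the table is full nothing new is learned
        if dst in self.cam and self.cam[dst][0] != in_port:
            return [self.cam[dst][0]]          # known unicast: exactly one port
        return [p for p in self.ports if p != in_port]   # unknown unicast: flood like a hub


# constructed addresses: two victims on ports 1 and 2, the attacker on port 3
A, B, ATTACKER = "aa:aa:aa:00:00:01", "aa:aa:aa:00:00:02", "cc:cc:cc:00:00:66"


def rand_mac(rng):
    return ":".join(f"{rng.randrange(256):02x}" for _ in range(6))


def mac_flood_demo(cam_size=8, flood_frames=50):
    """Returns (ports A->B is delivered to before the flood, ports after the flood)."""
    sw = Switch(ports=[1, 2, 3], cam_size=cam_size)
    rng = random.Random(1)                     # fixed seed: deterministic bogus MACs
    sw.receive(0, 1, A, B)
    sw.receive(0, 2, B, A)
    before = sw.receive(0, 1, A, B)            # both learned: goes to port 2 only
    # the attacker keeps sending frames with random source MACs from port 3; once A's and
    # B's entries age out the table is full of garbage and they can never be relearned
    for t in range(1, 13):
        for _ in range(flood_frames):
            sw.receive(t, 3, rand_mac(rng), rand_mac(rng))
    after = sw.receive(12, 1, A, B)            # B unknown: flooded, the attacker's port included
    return before, after


def port_steal_demo():
    """Returns (ports B->A goes to after the forged frame, ports after A transmits again)."""
    sw = Switch(ports=[1, 2, 3], cam_size=1024)
    sw.receive(0, 1, A, B)
    sw.receive(0, 2, B, A)
    sw.receive(1, 3, A, ATTACKER)              # forged: source = A's MAC, destination = attacker's MAC
    stolen = sw.receive(1, 2, B, A)            # the switch now believes A lives on port 3
    sw.receive(2, 1, A, B)                     # A transmits (e.g. answers an ARP request): entry flips back
    restored = sw.receive(2, 2, B, A)
    return stolen, restored


if __name__ == "__main__":
    print("MAC flooding:", mac_flood_demo())   # ([2], [2, 3])
    print("Port stealing:", port_steal_demo())  # ([3], [1])
```

The flooding demo only succeeds after the victims’ entries have aged out, which is why real attacks run continuously; the port-stealing demo shows the race the text mentions, with the entry returning to port 1 as soon as A sends a frame.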

DHCP Attacks

DHCP servers maintain a pool of TCP/IP configuration parameters (IP addresses, subnet mask, default gateway, DNS servers) and lease valid parameters to the clients that request them.

DHCP Starvation Attack

This is a DoS attack against the DHCP server. The attacker broadcasts a flood of DHCP DISCOVER/REQUEST messages with spoofed client MAC addresses until every address in the pool is leased out, which prevents legitimate users from obtaining or renewing an IP address.

Rogue DHCP Server

The attacker runs a fake DHCP server on the network that answers clients’ requests. It is used together with DHCP Starvation: once the genuine server has no addresses left to offer, the attacker’s server hands out TCP/IP configurations to the clients that ask for them, typically with the attacker’s machine as default gateway and/or DNS server so that their traffic can be intercepted.
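
As an added example (not part of the original notes) covering both the starvation and the rogue-server attacks above, the following Python builds minimal DHCP messages, parses them, and applies the two checks a defender would run on captured DHCP traffic: a DHCPOFFER whose server identifier (option 54) or router (option 3) is not the one expected, and a burst of DHCPDISCOVERs from far more distinct client MACs than the segment has hosts. The trusted server address, the sample packets and the client-count threshold are constructed for the demo.

```python
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
BOOTREQUEST, BOOTREPLY = 1, 2
DHCPDISCOVER, DHCPOFFER = 1, 2


def ip_bytes(s):
    return bytes(int(o) for o in s.split("."))


def ip_str(b):
    return ".".join(str(x) for x in b)


def build_dhcp(op, msg_type, xid, client_mac, yiaddr="0.0.0.0", options=()):
    """Minimal BOOTP/DHCP message: 236-byte fixed header, magic cookie, TLV options."""
    chaddr = bytes.fromhex(client_mac.replace(":", "")).ljust(16, b"\x00")
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                         op, 1, 6, 0, xid, 0, 0,
                         b"\x00" * 4, ip_bytes(yiaddr), b"\x00" * 4, b"\x00" * 4,
                         chaddr, b"\x00" * 64, b"\x00" * 128)
    body = bytes([53, 1, msg_type])               # option 53: DHCP message type
    for code, value in options:
        body += bytes([code, len(value)]) + value
    return header + MAGIC_COOKIE + body + b"\xff"  # option 255: end


def parse_dhcp(pkt):
    op, _, _, _, xid = struct.unpack("!BBBBI", pkt[:8])
    if pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    opts, off = {}, 240
    while off < len(pkt) and pkt[off] != 255:
        if pkt[off] == 0:                          # pad option
            off += 1
            continue
        code, length = pkt[off], pkt[off + 1]
        opts[code] = pkt[off + 2:off + 2 + length]
        off += 2 + length
    return {"op": op, "xid": xid, "chaddr": pkt[28:34].hex(":"),
            "yiaddr": ip_str(pkt[16:20]), "options": opts}


def check_offer(pkt, trusted_servers, expected_router):
    """Findings for a DHCPOFFER; an empty list means the offer looks legitimate."""
    d = parse_dhcp(pkt)
    if d["op"] != BOOTREPLY or d["options"].get(53) != bytes([DHCPOFFER]):
        return []                                  # not an offer, nothing to judge
    server_id = ip_str(d["options"].get(54, b"\x00" * 4))
    router = ip_str(d["options"].get(3, b"\x00" * 4))
    findings = []
    if server_id not in trusted_servers:
        findings.append(f"offer from untrusted server identifier {server_id}")
    if router != expected_router:
        findings.append(f"offer pushes unexpected default gateway {router}")
    return findings


def starvation_indicator(pkts, max_clients):
    """(distinct client MACs sending DHCPDISCOVER, whether that exceeds the expected host count)."""
    macs = set()
    for p in pkts:
        d = parse_dhcp(p)
        if d["op"] == BOOTREQUEST and d["options"].get(53) == bytes([DHCPDISCOVER]):
            macs.add(d["chaddr"])
    return len(macs), len(macs) > max_clients


# --- constructed sample traffic ---
TRUSTED = {"192.168.1.1"}
LEGIT_OFFER = build_dhcp(BOOTREPLY, DHCPOFFER, 0x3903F326, "de:ad:be:ef:00:01", "192.168.1.50",
                         [(54, ip_bytes("192.168.1.1")), (3, ip_bytes("192.168.1.1")), (6, ip_bytes("192.168.1.1"))])
ROGUE_OFFER = build_dhcp(BOOTREPLY, DHCPOFFER, 0x3903F326, "de:ad:be:ef:00:01", "192.168.1.51",
                         [(54, ip_bytes("192.168.1.66")), (3, ip_bytes("192.168.1.66")), (6, ip_bytes("192.168.1.66"))])
FLOOD = [build_dhcp(BOOTREQUEST, DHCPDISCOVER, 0x1000 + i, f"02:00:00:00:{i >> 8:02x}:{i & 0xFF:02x}")
         for i in range(300)]

if __name__ == "__main__":
    print(check_offer(LEGIT_OFFER, TRUSTED, "192.168.1.1"))
    print(check_offer(ROGUE_OFFER, TRUSTED, "192.168.1.1"))
    print(starvation_indicator(FLOOD, max_clients=50))
```

On a real switch the same checks are enforced in hardware by DHCP snooping, which only accepts server messages on designated trusted ports and rate-limits client messages per port.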

ARP Poisoning

ARP is a stateless protocol used to map IP addresses to MAC addresses. A device broadcasts an ARP request to find the MAC of another device on the same segment. Because ARP accepts replies even when no request was made (unsolicited or gratuitous replies), an attacker can announce “Hello, I am A and I have MAC XX:XX:XX” before anyone asks, and the target records the mapping in its ARP cache without any verification.
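
The unsolicited-reply behaviour described above is also what makes ARP poisoning detectable. Below is an added Python example (not from the original notes) that parses raw Ethernet/ARP frames and applies the checks a passive monitor such as arpwatch uses: a reply for which no request was seen, an IP whose MAC suddenly changes, and an ARP sender address that disagrees with the Ethernet source. The frames, addresses and monitor class are constructed for the demo.

```python
import struct

BROADCAST = "ff:ff:ff:ff:ff:ff"
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(s):
    return bytes.fromhex(s.replace(":", ""))


def ip_bytes(s):
    return bytes(int(o) for o in s.split("."))


def ip_str(b):
    return ".".join(str(x) for x in b)


def build_arp(eth_src, eth_dst, op, sha, spa, tha, tpa):
    """Ethernet II frame (14 bytes) carrying an IPv4 ARP packet (28 bytes)."""
    eth = mac_bytes(eth_dst) + mac_bytes(eth_src) + b"\x08\x06"
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
           + mac_bytes(sha) + ip_bytes(spa) + mac_bytes(tha) + ip_bytes(tpa))
    return eth + arp


def parse_arp(frame):
    if frame[12:14] != b"\x08\x06":
        return None
    _, _, _, _, op = struct.unpack("!HHBBH", frame[14:22])
    return {"eth_src": frame[6:12].hex(":"), "op": op,
            "sha": frame[22:28].hex(":"), "spa": ip_str(frame[28:32]),
            "tha": frame[32:38].hex(":"), "tpa": ip_str(frame[38:42])}


class ArpWatch:
    """Passive monitor: remembers which MAC first answered for each IP and flags replies that look forged."""

    def __init__(self):
        self.table = {}        # ip -> mac first seen claiming it
        self.pending = set()   # (requester ip, target ip) of requests seen so far

    def observe(self, frame):
        a = parse_arp(frame)
        if a is None:
            return []
        alerts = []
        if a["sha"] != a["eth_src"]:
            alerts.append(f"ARP sender {a['sha']} does not match Ethernet source {a['eth_src']}")
        if a["op"] == ARP_REQUEST:
            self.pending.add((a["spa"], a["tpa"]))
        elif a["op"] == ARP_REPLY:
            if (a["tpa"], a["spa"]) in self.pending:
                self.pending.discard((a["tpa"], a["spa"]))
            else:
                alerts.append(f"unsolicited reply: {a['spa']} is-at {a['sha']} sent to {a['tpa']}")
        known = self.table.setdefault(a["spa"], a["sha"])
        if known != a["sha"]:
            alerts.append(f"{a['spa']} changed from {known} to {a['sha']} (possible ARP poisoning)")
        return alerts


# constructed sample: host 10.0.0.5 resolves the gateway 10.0.0.1 normally, then an attacker
# claims the gateway's IP with its own MAC although nobody asked
HOST, GW, EVIL = "aa:bb:cc:00:00:05", "aa:bb:cc:00:00:01", "de:ad:be:ef:00:66"
REQUEST = build_arp(HOST, BROADCAST, ARP_REQUEST, HOST, "10.0.0.5", "00:00:00:00:00:00", "10.0.0.1")
REPLY = build_arp(GW, HOST, ARP_REPLY, GW, "10.0.0.1", HOST, "10.0.0.5")
POISON = build_arp(EVIL, HOST, ARP_REPLY, EVIL, "10.0.0.1", HOST, "10.0.0.5")


def run_demo():
    """Alerts raised for each of the three sample frames, in order."""
    w = ArpWatch()
    return [w.observe(f) for f in (REQUEST, REPLY, POISON)]


if __name__ == "__main__":
    for alerts in run_demo():
        print(alerts or "ok")
```

A legitimate gratuitous ARP (a host announcing itself after boot) also trips the “unsolicited” check, so in practice that alert is correlated with the MAC-change one; Dynamic ARP Inspection on switches does the equivalent in hardware by checking replies against the DHCP snooping binding table.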

Threats

Using forged ARP replies an attacker can insert himself into the communication between two hosts, obtaining a de facto man-in-the-middle position.

Other threats:

  • Packet sniffing
  • Session Hijacking
  • VOIP Call Tapping
  • Data Manipulation
  • MITM Attacks
  • Data interception
  • Connection Hijacking
  • Connection reset
  • Credentials theft
  • DoS Attacks

DNS Poisoning

DNS Poisoning is a technique that tricks a DNS server (or client) into accepting forged information as authentic: wrong/false IP addresses are inserted into the data that translates hostnames into IPs, so that names resolve to addresses chosen by the attacker.

Intranet DNS Spoofing

The attacker’s system must be connected to the LAN and be able to sniff packets. On a switched network it is combined with ARP Poisoning, so that the victim’s DNS queries pass through the attacker, who answers them with forged responses before the legitimate server can.

Host File

Modifying the system’s hosts file is very effective for the attacker: the resolver consults the hosts file before contacting any DNS server, so if the queried name is found there no DNS query is made at all.

Proxy Server DNS Poisoning

An attacker can change the victim’s proxy settings so that all requests go not through the original proxy but through one set by the attacker, which can then return forged answers.

DNS Cache Poisoning

This type of attack alters the DNS resolver’s cache (adding or replacing DNS records) in order to redirect traffic to malicious sites; the resolver then serves the forged record to every client that asks until its TTL expires.
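
Both the race described under Intranet DNS Spoofing and cache poisoning depend on the resolver accepting whatever reply arrives first. The following added Python example (not part of the original notes) builds DNS messages, parses them, and applies the checks a resolver must run before caching anything: the reply must come from the address and port the query went to, carry the same transaction ID and question, and only contain records inside the zone that was asked (the “bailiwick” rule, which stops a forged additional record for another domain from being cached). The zone, addresses and sample responses are constructed for the demo; the parser assumes one question per message.

```python
import struct


def encode_name(name):
    out = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    return out + b"\x00"


def decode_name(msg, off):
    """Decode a (possibly compressed) domain name; returns (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if (length & 0xC0) == 0xC0:                       # compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode())
        off += length
    return ".".join(labels), (end if end is not None else off)


def a_record(owner, ip, ttl=300):
    return encode_name(owner) + struct.pack("!HHIH", 1, 1, ttl, 4) + bytes(int(o) for o in ip.split("."))


def build_response(txid, qname, answers, additional=()):
    """Constructed response: header (QR, RD, RA set), one question, answers, additionals."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, len(additional))
    return header + encode_name(qname) + struct.pack("!HH", 1, 1) + b"".join(answers) + b"".join(additional)


def parse_response(msg):
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    qname, off = decode_name(msg, 12)
    off += 4                                              # qtype, qclass
    records = []
    for _ in range(an + ns + ar):
        owner, off = decode_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        records.append((owner, rtype, msg[off + 10:off + 10 + rdlen]))
        off += 10 + rdlen
    return txid, flags, qname, records


def in_bailiwick(owner, zone):
    o, z = owner.lower().rstrip("."), zone.lower().rstrip(".")
    return o == z or o.endswith("." + z)


def validate_response(pending, resp, src):
    """pending = {"txid", "qname", "zone", "server": (ip, port)}; src = (ip, port) the reply came from."""
    if src != pending["server"]:
        return False, f"reply from unexpected {src[0]}:{src[1]}"
    txid, flags, qname, records = parse_response(resp)
    if txid != pending["txid"]:
        return False, "transaction id mismatch"
    if not flags & 0x8000:
        return False, "QR bit not set"
    if qname.lower() != pending["qname"].lower():
        return False, "question section does not match the query"
    for owner, _, _ in records:
        if not in_bailiwick(owner, pending["zone"]):
            return False, f"out-of-bailiwick record for {owner} dropped"
    return True, "accepted"


# --- constructed sample: an outstanding query and three replies ---
PENDING = {"txid": 0x1A2B, "qname": "www.example.test", "zone": "example.test", "server": ("192.0.2.53", 53)}
GOOD = build_response(0x1A2B, "www.example.test", [a_record("www.example.test", "192.0.2.10")])
WRONG_ID = build_response(0x1A2C, "www.example.test", [a_record("www.example.test", "203.0.113.7")])
POISONED = build_response(0x1A2B, "www.example.test", [a_record("www.example.test", "192.0.2.10")],
                          additional=[a_record("login.bank.test", "203.0.113.7")])

if __name__ == "__main__":
    for name, resp in (("good", GOOD), ("wrong id", WRONG_ID), ("poisoned", POISONED)):
        print(name, validate_response(PENDING, resp, ("192.0.2.53", 53)))
```

A 16-bit transaction ID alone is guessable by an attacker who can send thousands of forged replies, which is why real resolvers also randomise the source port of every query and, where the zone is signed, validate DNSSEC signatures.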

08: Denial of Service

Introduction to DoS and DDoS

A Denial of Service (DoS) attack targets computers or networks and reduces, restricts or prevents access to resources by legitimate users. The attacker floods the victim with illegitimate requests or simply with traffic in order to overload the victim’s resources.

DDoS (Distributed Denial of Service) is a coordinated DoS attack that involves a large number of zombie computers (previously compromised systems, botnets) to attack a single target.

DoS/DDoS Attack techniques

VOLUMETRIC ATTACK: Consume the bandwidth of the target (network or service).

PROTOCOL ATTACK: Exhausts resources such as the connection state tables of servers and network equipment (firewalls, load balancers), e.g. with a SYN flood.

APPLICATION LAYER ATTACK: Consume application (or service) resources in a way that renders it non-functional to legitimate users.

UDP Flood

The attacker sends spoofed UDP packets at a high rate to random ports on the target. For every packet the target is forced to check whether an application is listening on that port and, if none is, to answer with an ICMP Destination Unreachable, which consumes its resources.

SYN Flood

The attacker sends a massive number of SYN segments to the target with spoofed source IP addresses; the target replies with SYN+ACK and waits for the final ACK, which never arrives because the source IP is fake. Each half-open connection occupies a slot in the listen backlog and an incomplete three-way handshake can be kept waiting up to 75 seconds, so the backlog fills up and legitimate connection attempts are dropped.
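
To make the backlog exhaustion concrete, and to show the standard defence (SYN cookies, where the server encodes the half-open state in its initial sequence number instead of storing it), here is an added Python example that is not part of the original notes. The listener model, the backlog size, the secret and the MSS table are constructed for the demo; the cookie layout (5 bits time counter, 3 bits MSS index, 24 bits keyed hash) follows the classic scheme in spirit, not any particular kernel byte for byte.

```python
import hashlib

HALF_OPEN_TIMEOUT = 75        # seconds a half-open connection is kept, as quoted above


class StatefulListener:
    """Classic listen queue: every SYN costs a backlog slot until the ACK arrives or it times out."""

    def __init__(self, backlog):
        self.backlog = backlog
        self.half_open = {}   # (src ip, src port) -> expiry time

    def on_syn(self, src, now):
        self.half_open = {k: exp for k, exp in self.half_open.items() if exp > now}
        if len(self.half_open) >= self.backlog:
            return False      # queue full: SYN dropped, the client never gets a SYN+ACK
        self.half_open[src] = now + HALF_OPEN_TIMEOUT
        return True


def stateful_flood_demo(backlog=128, spoofed_syns=10_000):
    """Flood with spoofed sources, then report whether a legitimate SYN still gets a slot."""
    srv = StatefulListener(backlog)
    for i in range(spoofed_syns):
        srv.on_syn((f"198.51.100.{i % 250}", 1024 + i), now=1.0)   # all inside the 75 s window
    return srv.on_syn(("192.0.2.77", 40000), now=30.0)


# --- SYN cookies: no state is kept for a SYN; the ISN itself proves the handshake happened ---
SECRET = b"per-boot random secret (constructed for the demo)"
MSS_TABLE = [536, 1220, 1440, 1460]   # MSS values encodable in the 3-bit index


def syn_cookie(src_ip, src_port, dst_ip, dst_port, t, mss_index):
    """Initial sequence number sent in the SYN+ACK for time slot t."""
    msg = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}@{t}".encode()
    h = hashlib.sha256(SECRET + msg).digest()
    return ((t & 0x1F) << 27) | ((mss_index & 0x7) << 24) | int.from_bytes(h[:3], "big")


def check_ack(ack_num, src_ip, src_port, dst_ip, dst_port, now_t, max_age=2):
    """Validate the client's final ACK: ack-1 must be a cookie for a recent time slot.
    Returns the MSS to use for the connection, or None if the ACK is forged or stale."""
    cookie = (ack_num - 1) & 0xFFFFFFFF
    mss_index = (cookie >> 24) & 0x7
    for t in range(now_t, now_t - max_age, -1):
        if t >= 0 and syn_cookie(src_ip, src_port, dst_ip, dst_port, t, mss_index) == cookie:
            return MSS_TABLE[mss_index]
    return None


if __name__ == "__main__":
    print("legit SYN accepted after flood (stateful):", stateful_flood_demo())     # False
    isn = syn_cookie("192.0.2.77", 40000, "203.0.113.1", 443, t=100, mss_index=3)
    print("cookie handshake completes:", check_ack(isn + 1, "192.0.2.77", 40000, "203.0.113.1", 443, now_t=101))
```

With cookies a spoofed SYN costs the server nothing but the SYN+ACK it sends back, which is why Linux enables them automatically once the backlog overflows (net.ipv4.tcp_syncookies); the price is that TCP options not encoded in the cookie are lost for connections set up that way.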

Fragmentation Attack

This type of attack drastically reduces the target’s ability to reassemble packets. The target, inundated with fragmented TCP or UDP packets, tries to reassemble them and this degrades its performance. Fragmented packets often pass through network defence systems unnoticed, because reassembling and inspecting large numbers of fragments would consume an excessive amount of their resources.

Multi-Vector Attack

The attacker in this case uses a combination of volumetric, protocol and application layer attacks. They can be launched one vector at a time or in parallel to confuse analysts.

Detection and mitigation techniques

Detection techniques rely on identifying and distinguishing malicious traffic (sustained increases or spikes) from circumstantial, unanticipated increases of legitimate traffic. All detection techniques define an attack as an abnormal and noticeable deviation from thresholds established while observing normal network traffic.

  • ACTIVITY PROFILING: This type of analysis studies the average packet rate in the network, and in individual segments, to verify the presence of malicious traffic.
  • SEQUENTIAL CHANGE-POINT DETECTION: Algorithms that filter traffic by address, port or protocol, record the resulting rates as a time series and flag the point in time at which the statistics of the series change abruptly (the CUSUM algorithm is the classic example).
  • WAVELET-BASED SIGNAL ANALYSIS: The wavelet analysis describes an incoming signal in spectral terms, this analysis allows to filter out anomalous traffic from normal traffic.
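
The first two techniques fit in a few lines, so here is an added Python example (not from the original notes) that learns a baseline packet rate from a normal-traffic window (activity profiling) and then runs a one-sided CUSUM over live samples (sequential change-point detection). The packets-per-second series, the tolerated drift and the alarm threshold are constructed for the demo; the series contains a single legitimate spike followed by a sustained flood, to show why accumulating the deviation beats a plain threshold.

```python
def profile_baseline(train):
    """Activity profiling: average packet rate seen during normal operation."""
    return sum(train) / len(train)


def cusum_alarm(samples, baseline, drift, threshold):
    """One-sided CUSUM. Returns (index of the first alarm or None, statistic trace).
    Excess of less than `drift` above the baseline is tolerated; persistent excess
    accumulates in s, and s resets to zero as soon as traffic returns to normal."""
    s, trace = 0.0, []
    for i, x in enumerate(samples):
        s = max(0.0, s + (x - baseline - drift))
        trace.append(s)
        if s > threshold:
            return i, trace
    return None, trace


def naive_threshold_alarm(samples, threshold):
    """What a plain per-sample threshold would do, for comparison."""
    for i, x in enumerate(samples):
        if x > threshold:
            return i
    return None


# constructed packets-per-second series for one segment: training window, then live traffic
TRAIN = [1000, 1040, 960, 1000, 1020, 980, 1000, 1000]
LIVE = [1010, 3000, 990, 1000, 1000, 5000, 5200, 4900, 5100]   # one-off spike at 1, flood from 5 on


def detect(live=LIVE, train=TRAIN, drift=500, threshold=5000):
    """(learned baseline, CUSUM alarm index, CUSUM trace)."""
    base = profile_baseline(train)
    idx, trace = cusum_alarm(live, base, drift, threshold)
    return base, idx, trace


if __name__ == "__main__":
    base, idx, trace = detect()
    print("baseline:", base)
    print("CUSUM trace:", trace, "alarm at sample", idx)
    print("naive threshold 2500 alarms at sample", naive_threshold_alarm(LIVE, 2500))
```

The trace climbs to 1500 on the spike and decays back to zero within three samples, so no alarm is raised there, whereas the naive threshold fires on the spike immediately; during the flood the statistic grows by roughly 3500 per second and crosses the threshold on the second flood sample.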

Countermeasures

Absorb the attack: Use additional resources (bandwidth, system resources)

Degrading services: Turn off non-critical and unnecessary services

Turn off services: Turn off all services until the attack is over

Prevention

  • EGRESS FILTERING: Inspect the headers of IP packets leaving the network and make sure that unauthorized or malicious traffic (e.g. packets with spoofed source addresses) does not leave the internal network.
  • INGRESS FILTERING: Inspect the source address of packets entering the network and drop spoofed ones; protects against flooding attacks that rely on spoofing.
  • TCP INTERCEPT: The TCP Intercept feature in routers protects TCP servers from SYN flooding attacks. It prevents DoS attacks by validating TCP connections.
  • RATE LIMITING: Controls the rate of inbound and outbound traffic, reduces high inbound traffic.

Reflection

There are systems that are deliberately set up with a low level of security (honeypots) and act as bait for attackers. A honeypot is used to gather information about the attacker and the attack techniques. Use a defence-in-depth approach at different points in the network to divert suspicious DoS traffic to honeypots.

Mitigation

  • LOAD BALANCING: Balancing the load in a multi-server architecture allows you to mitigate DDoS attacks.
  • THROTTLING: Routers throttle incoming traffic down to a level that the servers behind them can handle properly.
  • DROP REQUESTS: Servers and routers begin dropping packets when the load increases excessively.

09: Session Hijacking

Session Hijacking concepts

Session Hijacking is an attack methodology in which the attacker inserts himself into an established TCP (or application) session between two computers. By sniffing the traffic the attacker can obtain the session identifiers and use them for fraud, identity theft and/or credential theft.

Types of Session Hijacking

ACTIVE ATTACK: In such an attack, the attacker finds an active session and takes it over.

PASSIVE ATTACK: In a passive attack, on the other hand, traffic is sniffed and recorded.

Session Hijacking in OSI model

NETWORK LEVEL HIJACKING: Interception (sniff) of packets during a TCP/UDP transmission between client and server.

APPLICATION LEVEL HIJACKING: Obtaining the application user session (e.g. HTTP) via session ID.

Session Hijacking at application level

In a session hijacking attack, a session token must be stolen or predicted in order to allow unauthorized access to the web server (HTTP).
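
What “predicted” means in practice is shown by the following added Python example, which is not part of the original notes. It models a hypothetical weak session-ID generator (a hash over the login timestamp and a small per-process counter, a pattern seen in legacy applications), recovers the generator’s state from one observed token by brute force, and enumerates the candidate tokens of the next session; a generator backed by the OS CSPRNG is shown for contrast. The generator, the timestamps and the search windows are constructed for the demo.

```python
import hashlib
import math
import secrets


def weak_session_id(ts, counter):
    """Hypothetical weak generator: looks random, but its state space is tiny."""
    return hashlib.sha256(f"{ts}:{counter}".encode()).hexdigest()[:32]


def recover_state(observed, ts_hint, window, max_counter):
    """Attacker's side: brute-force (timestamp, counter) around the observed login time."""
    for ts in range(ts_hint - window, ts_hint + window + 1):
        for counter in range(max_counter):
            if weak_session_id(ts, counter) == observed:
                return ts, counter
    return None


def candidate_tokens(state, horizon):
    """All tokens the next session can receive within `horizon` seconds of the recovered state."""
    ts, counter = state
    return {weak_session_id(ts + d, counter + 1) for d in range(horizon + 1)}


def search_space_bits(window, max_counter):
    """Effective entropy of the weak scheme: log2 of the states the attacker must try."""
    return math.log2((2 * window + 1) * max_counter)


def strong_session_id():
    """128 bits from the OS CSPRNG: nothing to recover, nothing to enumerate."""
    return secrets.token_hex(16)


if __name__ == "__main__":
    observed = weak_session_id(1_700_000_000, 42)          # token of the attacker's own session
    state = recover_state(observed, ts_hint=1_700_000_300, window=600, max_counter=100)
    print("recovered state:", state)
    victim = weak_session_id(1_700_000_017, 43)            # the next user, 17 s later
    print("victim token among candidates:", victim in candidate_tokens(state, 60))
    print(f"weak scheme ~{search_space_bits(600, 100):.1f} bits vs 128 bits for", strong_session_id())
```

With about 17 bits of effective entropy the weak scheme falls to a few hundred thousand hash computations, and the candidate set for the next victim is only 61 tokens, each of which the attacker can simply try against the application; this is exactly the kind of weakness a session-token analyser (e.g. Burp Sequencer) is meant to surface.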

Compromise of session IDs with client-side attacks

  • XSS allows attackers to inject malicious scripts and have them executed by other users visiting the page
  • Malicious code written in JS can be included in a web page and capture user sessions
  • A Trojan could change the proxy settings in the browser and route the victim’s traffic, sessions included, through a machine operated by the attacker

Session Hijacking with CRIME attack

CRIME (Compression Ratio Info-leak Made Easy) is an attack against the compression used in SSL/TLS and SPDY: the attacker makes the victim’s browser send requests that contain attacker-chosen text next to the secret session cookie and observes the size of the compressed, encrypted traffic, which shrinks when the guess matches part of the cookie. Repeating this byte by byte recovers the session token.

Session Hijacking at network level

This type of session hijacking targets the transport protocols (TCP/UDP) that web applications run over: the attacker obtains critical information (sequence numbers, cleartext tokens) which is then used to attack the application layer.

TCP/IP Hijacking

It uses spoofed packets to take over an established connection between the victim and the target; the attacker must be able to sniff the connection (so he typically resides on the same network) to learn the sequence numbers needed to inject acceptable segments.
