Networking Attacks

Learning How to Exploit Networking Protocols

Gregory M. Kapfhammer

October 21, 2024

Network protocols are vulnerable to attacks!

All protocols have an attack surface
Attack surface is the set of vulnerabilities
Hackers exploit these vulnerabilities
Protocol designers must anticipate attacks

Network Protocol Lifecycle

Design Protocol
- Define rules for communication
- Specify message structure and semantics
Discover Vulnerability
- Identify security weaknesses
- Analyze attack vectors
Patch Protocol
- Implement security fixes
- Update protocol specifications
Repeat Process
- Continuously monitor for new threats
- Iterate to enhance protocol security

What are some common attacks on computer networking protocol?

Interception attacks
Network layer attacks
Internet layer attacks
Name-resolution attacks
Web-based attacks

“Man-in-the-Middle” Attack

flowchart LR
  subgraph Client
    A(Client) --> B[Send Message]
  end

  subgraph Attacker
    B --> X[Intercept & Modify]
    X --> C[Send Modification]
  end

  subgraph Server
    C --> D[Process Message]
    D --> Y[Send Response]
  end

  subgraph Attacker
    Y --> Z[Intercept & Modify]
    Z --> F[Send Modification]
  end

  subgraph Client
    F --> A
  end

  style Client fill:#fff,color:#1c1c1c,stroke:#1c1c1c,stroke-width:2px
  style Server fill:#fff,color:#1c1c1c,stroke:#1c1c1c,stroke-width:2px
  style Attacker fill:#fff,color:#1c1c1c,stroke:#1c1c1c,stroke-width:2px
  style A fill:#fff,color:#1c1c1c,stroke:#1c1c1c,stroke-width:2px
  style B fill:#fff,color:#1c1c1c,stroke:#1c1c1c,stroke-width:2px
  style C fill:#fff,color:#1c1c1c,stroke:#1c1c1c,stroke-width:2px
  style D fill:#fff,color:#1c1c1c,stroke:#1c1c1c,stroke-width:2px
  style F fill:#fff,color:#1c1c1c,stroke:#1c1c1c,stroke-width:2px
  style X fill:#fff,color:#1c1c1c,stroke:#1c1c1c,stroke-width:2px
  style Y fill:#fff,color:#1c1c1c,stroke:#1c1c1c,stroke-width:2px
  style Z fill:#fff,color:#1c1c1c,stroke:#1c1c1c,stroke-width:2px
  linkStyle 0,1,2,3,4,5,6,7 stroke:#1c1c1c,color:#1c1c1c

Client sends message
Attacker intercepts message
Attacker modifies message
Server processes modified request
Server sends response
Attacker intercepts response
Attacker modifies response

Replays and One-Time Passwords

Replay Attacks
- Attacker intercepts and reuses valid data
- Exploits repeated transmission
- Compromises authentication
Thwarting with One-Time Passwords (OTPs)
- Unique password for each session
- Valid for a single use only
- Prevents reuse of intercepted data

OTPs enhance security and data integrity and thwart replay attacks!

Attacking the MAC Address

MAC Spoofing/Cloning
- Attacker changes a device’s MAC address
- Now possible to bypass network access controls
- Enables the impersonation of legitimate devices

MAC Flooding
- Switches track MAC to IP address mapping
- Overloads the switch with fake MAC addresses
- Compromises network performance

Attack performed at the network layer
Exploits the inherent weaknesses of MAC addresses
How can we mitigate this type of attack?

Mitigating the MAC Address Attacks

Port Security
- Configure switch ports to allow only specific MAC addresses
- Limit the number of MAC addresses per port
- Use sticky MAC addresses to learn and restrict MAC addresses
802.1X Authentication
- Network access controls to authenticate devices before network access
- Ensure that only authorized devices can connect to the network
VLAN Segmentation
- Segment the network into smaller VLANs
- Limit the broadcast domain and reduce the impact of MAC spoofing

IP Spoofing

Inherent Insecurity
- IP was not designed with security
- Easy to forge IP addresses
Protocol Limitations
- No built-in authentication
- No integrity checks
IPSec Solution
- Adds security to IP layer
- Provides authentication and encryption
Layered Security
- Secure solutions needed at multiple layers

Combine application and transport layer security to achieve a network that is more secure overall! Nice!

DNS Cache Poisoning

Attack Overview
- Attacker corrupts DNS cache
- Redirects users to malicious sites
Vulnerability
- Exploits lack of DNS query validation
- Alters DNS responses
Consequences
- Phishing attacks
- Data theft
Mitigation
- Use DNSSEC for validation!

What are the greatest security vulnerabilities at the application level of the network protocol stack? How to control?

OWASP Top Ten

Broken access control
Cryptographic failures
Injection
Insecure design
Security misconfiguration
Vulnerable and outdated components
Identification and authentication failures
Software and data integrity failures
Security logging and monitoring failures
Server-side request forgery

Let’s talk about prominent types of injection attacks at the application layer!

Cross-site scripting attacks
SQL injection attacks

Cross-Site Scripting (XSS)

Attack Overview
- Attacker injects malicious scripts
- Executes in user’s browser
Vulnerability
- Poor input validation
- Inadequate output encoding
Consequences
- Data theft
- Session hijacking
Mitigation
- Validate and sanitize inputs

SQL Injection Attacks

Attack Overview
- Attacker injects malicious SQL queries
- Executes in the database
Vulnerability
- Poor input validation
- Directly embedding user input in SQL queries
Consequences
- Data leakage
- Unauthorized data modification
Mitigation
- Use prepared statements and validate and sanitize inputs

Outcomes from Successful Attacks

Remote code execution
Privilege escalation
Data exfiltration
Denial of service

Let’s learn more about each of these outcomes! How do they work? How can we practically detect and/or prevent them?

Remote Code Execution

Gives attacker ability to run arbitrary code
Start a shell with administrative privileges
Gains full control of the system, its users, and data
The “launching pad” for attacks like a denial of service

The buffer overflow attack is a common method for achieving remote code execution! What is it? How can we prevent this attack?

Privilege Escalation

Details about the attack
- Gain access to protected resources
- Example: CVE-2021-4034 in Linux pkexec
- Exploit gives regular user a root shell

Methods of privilege escalation
- Credential exploitation
- Vulnerabilities or misconfigurations
- Social engineering

Privilege escalation types
- Horizontal: move between user accounts
- Vertical: gain higher-level access (e.g., user to admin)

Denial of Service (DoS)

DoS Attack
- Overwhelm system with requests
- DDoS means multiple machines work together

Types of DoS Attacks
- SYN Floods: multiple SYN packets
- ICMP Floods: pinging to overwhelm
- Buffer Overflows: unexpected data

Prevention
- SYN cookies for SYN Floods
- Rate limit ICMP packets
- Secure software design

Can we build a network monitoring tool?

Client sends messages to server
Server receives messages from clients
Intercept network communication
Client and server are not aware!

Network Monitoring Tool

Let’s build a client and a server and intercept network communication!
networkmonitor start a process in one of these modes:
- Client and Server Protocols:
  - Socket Server: Start a server using sockets
  - Socket Client: Start a client using sockets
  - XML-RPC Server: Start a server using XML-RPC
  - XML-RPC Client: Start a client using XML-RPC
- Interception Mechanisms:
  - Socket Interception: Intercept socket network communication
  - XML-RPC Interception: Intercept XML-RPC network communication
See the course web site’s project description for more details!