https://charlesreid1.com/w/index.php?action=history&feed=atom&title=Kali%2FLayer_6_AttacksKali/Layer 6 Attacks - Revision history2026-06-20T04:16:13ZRevision history for this page on the wikiMediaWiki 1.39.12https://charlesreid1.com/w/index.php?title=Kali/Layer_6_Attacks&diff=30663&oldid=prevAdmin: Create Layer 6 (Presentation) Attacks page (via create-page on MediaWiki MCP Server)2026-06-19T05:53:53Z<p>Create Layer 6 (Presentation) Attacks page (via create-page on MediaWiki MCP Server)</p>
<p><b>New page</b></p><div>=Presentation (Layer 6) Attacks=<br />
<br />
This page covers the use of Kali to carry out attacks on layer 6, the presentation layer. Also see [[Kali/Workflow]].<br />
<br />
==Review==<br />
<br />
Let's review the network stack before we launch into network layer attacks.<br />
<br />
{{NetworkStack}}<br />
<br />
Layer 6 is the Presentation layer. It handles data representation and formatting, including character encoding, data compression, and encryption/decryption.<br />
<br />
==Scenario==<br />
<br />
The presentation layer is where data is transformed into a format that the application layer can understand. This includes SSL/TLS encryption and decryption, character encoding conversions, and data compression. Attacks at this layer typically focus on manipulating how data is represented, encrypted, or encoded.<br />
<br />
Unlike lower-layer attacks that require physical proximity or network access, presentation-layer attacks can often be carried out remotely, since they target the way data is formatted before it reaches the application.<br />
<br />
==SSL/TLS Downgrade Attacks==<br />
<br />
{{Main|SSLStrip}}<br />
<br />
While SSL/TLS straddles multiple layers, the encryption/decryption function is squarely a presentation-layer concern. [[SSLStrip]] is a tool that performs an SSL downgrade attack, forcing HTTPS connections to fall back to HTTP. This allows an attacker to read traffic in cleartext that would otherwise be encrypted.<br />
<br />
==SSL/TLS Cipher Attacks==<br />
<br />
{{Main|MITM/HTTPS}}<br />
<br />
Tools like [[Sslscan]] and [[Testssl.sh]] can probe a server's supported ciphers, identifying weak or deprecated ciphers that can be exploited. The attacker may force the server to negotiate a weaker cipher suite (a downgrade attack at the cipher level), making encrypted traffic easier to crack. This is a presentation-layer attack because it targets the encryption algorithm negotiation that occurs during the TLS handshake.<br />
<br />
==Certificate Attacks==<br />
<br />
{{Main|Certificates}}<br />
{{Main|SSLSniff}}<br />
<br />
The X.509 certificate system, part of the presentation layer's encryption framework, can be attacked in several ways. [[SSLSniff]] allows an attacker to serve up fake certificates to sheep during a man-in-the-middle attack. Self-signed certificates or certificates from compromised certificate authorities can be presented to a sheep, who may not verify them properly.<br />
<br />
See [[Certificates]] for more detail on forging and manipulating certificates.<br />
<br />
==Encoding Attacks==<br />
<br />
Because the presentation layer handles character encoding, attacks can target encoding conversions. Double-encoding attacks, Unicode normalization attacks, and overlong UTF-8 sequences can be used to bypass security filters at higher layers. These attacks exploit the fact that the presentation layer may interpret encoded data differently than the application layer expects.<br />
<br />
For example, a web application firewall might reject <code>../</code> in a URL, but the presentation layer might first decode <code>%2e%2e%2f</code> into <code>../</code> — and if the WAF checks before decoding occurs, the traversal passes through.<br />
<br />
==Format String Attacks==<br />
<br />
Format string vulnerabilities occur when a program uses user-controlled input as a format string in functions like <code>printf()</code>. This is a presentation-layer concern because format strings control how data is represented when displayed or processed. Tools like [[GDB]] and the [[MSF|Metasploit Framework]] can be used to develop format string exploits.<br />
<br />
==Compression Side-Channel Attacks==<br />
<br />
Attacks like CRIME (Compression Ratio Info-leak Made Easy) and BREACH (Browser Reconnaissance and Exfiltration via Adaptive Compression of Hypertext) exploit data compression in HTTPS to leak encrypted session cookies. These attacks work at the presentation layer because compression and decompression are presentation-layer functions. By injecting controlled plaintext into a compressed HTTPS stream and measuring the resulting size, an attacker can infer the value of secret tokens like session cookies.<br />
<br />
=Flags=<br />
<br />
{{KaliAttackLayersFlag}}</div>Admin