Kali/Layer 3 Attacks: Difference between revisions
From charlesreid1
| Old revision (line 33) | New revision (line 33) |
|---|---|
| If you intend to sniff traffic, you can also use [[Dsniff]]. | If you intend to sniff traffic, you can also use [[Dsniff]]. |
| ==Tampering | ==Tampering On The Fly== |
| If you want to tamper with traffic, or view images passing through a traffic stream live, use... [[Ettercap]]? | If you want to tamper with traffic, or view images passing through a traffic stream live, use... [[Ettercap]]? |
Revision as of 18:46, 19 August 2016
Network (Layer 3) Attacks
This page covers the use of Kali to carry out attacks on layer 3. Also see Kali/Workflow.
Review
Let's review the network stack before we launch into network layer attacks.
| Layer | Name | Function |
|---|---|---|
| 7 | Application | Topmost layer, provides users a means to access network resources (only level seen by end user) |
| 6 | Presentation | Transforms data received into a format that is readable by the application layer. Handles encryption/decryption for secure data |
| 5 | Session | Manages communication sessions between computers. Manages connections with other devices. Half-duplex or full duplex. |
| 4 | Transport | Provides reliable data transport services to lower layers. |
| 3 | Network | Routes data between physical networks. Handles addressing, via IP. Handles packet fragmentation and error detection. Router level. Most complex layer. |
| 2 | Data Link | Transports data across a network. Provides addressing scheme to identify physical devices, bridges, switches, MAC addresses. |
| 1 | Physical | The physical medium for the network communication signals. |
(Please Do Not Touch Steve's Pet Alligator)
(Phys Dat Net Trans Sesh Prezzy App)
Layer 3 is the Network layer. It handles IP addresses and translating between MAC addresses and IP addresses.
Scenario
Now, supposing you are on the same network as a sheep - what is your next step?
The next step is to join the network, and elevate the level of access you have to the sheep. Naturally, communications are much easier to monitor on a network layer (i.e., dealing with network packet traffic) than on a physical layer (i.e., dealing with raw packet captures or captured radio signals).
Now the question of intentions or goals comes up. You may have a couple of different goals in mind:
- Monitor traffic passively, record and extract information from unencrypted (non-https) streams
- Monitor traffic actively, force https connections to be http connections to make all traffic unencrypted
- Tamper with traffic, by injecting/removing/modifying information in the traffic stream
- Jam communications, cause denial of service, or block specific traffic
Alternatively, you may be thinking of taking an invasive route. After all, the easiest way to monitor traffic without the victim ever knowing a thing is if you can monitor network traffic from their machine directly. At this point you're talking about breaking into the sheep's system to install monitoring software. This moves the attack to another layer.
ARP Poisoning
If your intention is to monitor a sheep's traffic, you can use ARP Poisoning to reroute traffic at the network/router level so that you intercept all communications intended for the sheep. This allows you to tamper with all traffic, or just listen to everything. This is a low level of involvement, and involves modifying ARP lookup tables (which associate IP addresses to MAC addresses) so that computers send traffic intended for the sheep to your computer instead.
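An added example, not part of the original page, showing the defender's side of the ARP poisoning described above: a small detector that reads ARP replies from tcpdump-style lines and flags the two signatures that poisoning leaves behind (an IP whose MAC binding changes, and one MAC answering for several IPs, typically the gateway and the victim). The log lines, addresses and the `trusted` baseline parameter are all constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample, in the style of `tcpdump -n arp` output (not a real capture).
# A poisoner at de:ad:be:ef:00:99 claims both the gateway (.1) and the victim (.20),
# and the gateway's genuine reply later flips the binding back ("flapping").
SAMPLE_ARP_LOG = """\
10:00:01.001 ARP, Request who-has 192.168.1.1 tell 192.168.1.20, length 28
10:00:01.002 ARP, Reply 192.168.1.1 is-at 00:11:22:33:44:01, length 28
10:00:05.100 ARP, Reply 192.168.1.20 is-at 00:11:22:33:44:20, length 28
10:00:09.300 ARP, Reply 192.168.1.1 is-at de:ad:be:ef:00:99, length 28
10:00:09.301 ARP, Reply 192.168.1.20 is-at de:ad:be:ef:00:99, length 28
10:00:12.000 ARP, Reply 192.168.1.1 is-at 00:11:22:33:44:01, length 28
"""

REPLY_RE = re.compile(
    r"^(\S+) ARP, Reply (\d+\.\d+\.\d+\.\d+) is-at ([0-9a-f:]{17})", re.I
)


def parse_replies(log):
    """Yield (timestamp, ip, mac) for each ARP reply line; requests are ignored."""
    for line in log.splitlines():
        m = REPLY_RE.match(line)
        if m:
            yield m.group(1), m.group(2), m.group(3).lower()


def detect_arp_poisoning(log, trusted=None):
    """Return a list of (timestamp, kind, detail) alerts.

    kind is "ip-rebound" when an IP previously bound to one MAC is claimed by
    another, or "mac-multi-ip" when a single MAC has claimed more than one IP.
    `trusted` is an optional {ip: mac} baseline (e.g. the gateway's known MAC),
    so a poisoned reply for the gateway is flagged even if it is the first seen.
    """
    bindings = dict(trusted or {})   # ip -> mac last seen (or trusted)
    ips_by_mac = defaultdict(set)    # mac -> every ip it has claimed so far
    alerts = []
    for ts, ip, mac in parse_replies(log):
        prev = bindings.get(ip)
        if prev is not None and prev != mac:
            alerts.append((ts, "ip-rebound", f"{ip}: {prev} -> {mac}"))
        bindings[ip] = mac
        ips_by_mac[mac].add(ip)
        if len(ips_by_mac[mac]) > 1:
            claimed = ", ".join(sorted(ips_by_mac[mac]))
            alerts.append((ts, "mac-multi-ip", f"{mac} claims {claimed}"))
    return alerts


if __name__ == "__main__":
    for ts, kind, detail in detect_arp_poisoning(SAMPLE_ARP_LOG):
        print(ts, kind, detail)
```

The same function can be fed a live `tcpdump -n -l arp` stream line by line; the repeated "ip-rebound" alerts for the gateway address are the flapping that static ARP entries or dynamic ARP inspection on the switch are meant to prevent.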
Sniffing for Goodies
If you intend to sniff traffic, you can also use Dsniff.
Tampering On The Fly
If you want to tamper with traffic, or view images passing through a traffic stream live, use... Ettercap?
Wormhole Attacks
Another type of network-layer attack is one in which the attacker creates a wormhole between two networks - all network traffic received is tunneled (possibly selectively) to another location in the network, where the packets are rebroadcast. This can be accomplished through the use of network device tunneling, for example, forwarding all traffic from one network device (like wifi antenna number 1) to another (like wifi antenna number 2).
(It is not totally clear what you can do with these types of attacks, but it's basically tampering with the network topology.)
Black Hole Attack
A black hole attack involves an attacker node falsely advertising shortest paths to a sheep destination node during the path-finding process (on-demand routing protocols) or in route update messages (table-driven routing protocols).
This can be done to interfere with the normal flow of network traffic, or to intercept all packets being sent from a sheep to a particular destination.
Byzantine Attack
In a Byzantine attack, a set of intermediate (def?) nodes are compromised by an attacker, and attacks are carried out to interfere with the normal flow of traffic through the intermediate node. This may involve creating routing loops to slow down traffic, re-routing packets on non-optimal paths, or dropping packets. These types of attacks are hard to detect.
Information Leaks
Sometimes a node can leak critical information about a network to unauthorized nodes. This may include topology, geographical location, or optimal routes to authorized nodes.
Resource Consumption Attack
A malicious node tries to consume limited resources of other network nodes. Battery power, bandwidth, and CPU power are all potential targets. This could include:
- Frequent beacon packets
- Stale packets forwarded to nodes
Sleep Deprivation Attack
A sleep deprivation attack involves consuming battery power on another node by creating a flood of packets, preventing the radio from sleeping and consuming significant additional power.
Routing Attacks
The routing protocol is what keeps the network operational. There are multiple vectors for attacking how routing works on a network.
Routing Table Overflow
A malicious node advertises routes to non-existent nodes to authorized nodes present on the network. Authorized nodes add these to their routing tables, which eventually overflow, preventing creation of new entries for new routes to authorized nodes.
Proactive routing protocols are more vulnerable than reactive routing protocols.
Routing Table Poisoning
A malicious node crafts fake routing updates or modifies route update packets it sees on the network, and sends them to neighbor nodes on the network. This results in routing table poisoning, which can cause sub-optimal routing, network congestion, or network inaccessibility.
Packet Replication
A malicious node crafts stale packets and sends them to neighbor nodes on the network. This consumes bandwidth, battery power, and CPU resources, and creates confusion in the routing process.
Route Cache Poisoning
For on-demand routing protocols, each node keeps a route cache about routes that it has seen in the recent past. Like a routing table, the route cache can also be poisoned, which can cause sub-optimal routing, network congestion, or network inaccessibility.
Rushing Attack
On-demand routing protocols are vulnerable to this type of attack. A malicious node receives a RouteRequest packet from a particular source node. It floods the network with that packet. If its RouteRequest packet gets to neighbor nodes first, neighbor nodes will assume it is a legitimate RouteRequest packet. When they receive the genuine RouteRequest packet, they will assume it is a duplicate and discard it.
This type of attack ensures that any route discovered by the source node will contain the malicious node as one of the intermediate routes. This means that nodes cannot find secure routes that avoid malicious nodes.
These types of attacks are extremely difficult to detect in ad-hoc networks.