Ethical Hacker - Module 05

This module focuses on how to exploit vulnerabilities in wired and wireless networks, including asset enumeration and risk analysis. It covers common attacks such as DNS cache poisoning and SMB and SNMP vulnerabilities, as well as techniques to mitigate these risks. It also discusses tools such as Metasploit and recommended security practices for protecting networks.

Module 5: Exploiting Wired and Wireless Networks

Ethical Hacker
Module Objectives
Module Title: Exploiting Wired and Wireless Networks
Module Objective: Explain how to exploit wired and wireless network vulnerabilities.

Topic Title                                  Topic Objective
Exploiting Network-Based Vulnerabilities     Explain how to exploit network-based vulnerabilities.
Exploiting Wireless Vulnerabilities          Explain how to exploit wireless vulnerabilities.

© 2023 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 2
5.1: Exploiting Network-Based Vulnerabilities

Exploiting Network-Based Vulnerabilities
Overview
• We will carry out enumeration of internal network assets as a precursor to vulnerability analysis.
• We want to focus on the systems that will potentially give us the greatest access to proprietary data, but we need to run vulnerability scans against every in-scope target.
• Once the assets have been identified and we know which protocols and services are running on the network, we can devise exploits as the basis for risk analysis.
• We also need to challenge the identity and access management systems to see whether they are adequate to block even simple unauthorized access by internal users, as well as more complex external threats.
• Finally, we will enumerate network shares and attempt several on-path (MITM) attacks to gain further unauthorized access to accounts and data.

Exploiting Network-Based Vulnerabilities
Overview (Cont.)
• Network-based vulnerabilities and exploits can be catastrophic because of the types of damage and impact they can cause to an organization.
• The following are some examples of network-based attacks and exploits:
• Windows name resolution-based attacks and exploits
• DNS cache poisoning attacks
• Attacks and security vulnerabilities against Server Message Block (SMB) implementations
• Simple Network Management Protocol (SNMP) vulnerabilities and exploits
• Simple Mail Transfer Protocol (SMTP) vulnerabilities and exploits
• File Transfer Protocol (FTP) vulnerabilities and exploits
• Pass-the-hash attacks
• On-path attacks (previously known as man-in-the-middle [MITM] attacks)
• SSL stripping attacks
• Denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks
• Network access control (NAC) bypass
• Virtual LAN (VLAN) hopping attacks

Exploiting Network-Based Vulnerabilities
Windows Name Resolution and SMB Attacks
• Name resolution is one of the most fundamental aspects of networking, operating systems, and applications.
• Some of the name-to-IP-address resolution technologies and protocols are NetBIOS, LLMNR, and DNS.
• NetBIOS and LLMNR are protocols used mainly by Microsoft Windows for host identification.
• LLMNR, which is based on the DNS protocol format, allows hosts on the same local link to perform name resolution for other hosts.
• For example, a Windows host that tries to communicate with a printer or a shared network folder can use NetBIOS, as shown in the figure.
• NetBIOS provides three different services:
• NetBIOS Name Service (NetBIOS-NS) for name registration and resolution
• Datagram Service (NetBIOS-DGM) for connectionless communication
• Session Service (NetBIOS-SSN) for connection-oriented communication
Exploiting Network-Based Vulnerabilities
Windows Name Resolution and SMB Attacks (Cont.)

• NetBIOS-related operations use the following ports and protocols:
• TCP port 135: MS-RPC endpoint mapper, used for client-to-client and server-to-client communication
• UDP port 137: NetBIOS Name Service
• UDP port 138: NetBIOS Datagram Service
• TCP port 139: NetBIOS Session Service
• TCP port 445: SMB protocol, used for file sharing between different operating systems, including Windows- and Unix-based systems
• In Windows, a workgroup is a peer-to-peer LAN that can support a maximum of 10 hosts on the same subnet and has no centralized administration.
• Basically, each user controls resources and security locally on their own system.
• A domain-based implementation is a client-to-server network that can support thousands of hosts geographically dispersed across many subnets.
• A user with an account in the domain can log in to any computer system without having an account on that computer.
• To do so, the user authenticates to a domain controller.

Exploiting Network-Based Vulnerabilities
Windows Name Resolution and SMB Attacks (Cont.)

• Historically, there have been dozens of vulnerabilities in NetBIOS, SMB, and LLMNR.
• A simple example: many users leave their workgroup configured with the default name (WORKGROUP) and set up file or printer sharing with weak credentials.
• It is very easy for an attacker to enumerate the machines and potentially compromise the system through password brute forcing or other techniques.
• A common LLMNR vulnerability involves an attacker spoofing an authoritative source for name resolution on a victim system by responding to LLMNR traffic over UDP port 5355 and to NBT-NS traffic over UDP port 137.
• Basically, the attacker poisons the LLMNR service to manipulate the victim's system.
• If the requested host belongs to a resource that requires identification or authentication, the username and NTLMv2 hash are sent to the attacker.
• The attacker can then collect the hash sent over the network by using tools such as sniffers.
• The attacker can subsequently brute-force or crack the hashes offline to obtain the plaintext passwords.

Exploiting Network-Based Vulnerabilities
Windows Name Resolution and SMB Attacks (Cont.)

• Several tools can be used to carry out this type of attack, such as NBNSpoof, Metasploit, and Responder.
• Metasploit is one of the most popular tools and frameworks used by penetration testers and attackers.
• Another open-source tool that is very popular and has even been used by malware is Pupy.
• Pupy is a cross-platform, Python-based remote administration and post-exploitation tool that works on Windows, Linux, macOS, and even Android.
• One of the common mitigations for these types of attacks is to disable LLMNR and NetBIOS in the local computer's security settings or through a Group Policy.
• In addition, you can configure additional network- or host-based access control policies (rules) to block LLMNR/NetBIOS traffic if these protocols are not needed.
• One of the common detection techniques for LLMNR poisoning attacks is to monitor the registry key HKLM\Software\Policies\Microsoft\Windows NT\DNSClient for changes to the EnableMulticast DWORD value.
• If you see a zero (0) for that value, you know that LLMNR is disabled.
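Beyond the registry check, a network-side way to detect a poisoner is a canary: a sensor queries a hostname that does not exist, so any LLMNR answer for it can only come from a spoofer. The following is an added example, not part of the module, that parses LLMNR responses (DNS message format on UDP/5355) and flags an answer for the canary; the canary name and the sample packet builder are assumptions constructed for the demonstration.

```python
import struct
from dataclasses import dataclass

# Constructed canary: a hostname that does not exist anywhere on our network (assumption).
CANARY_NAME = "wpad-canary-7f3a"


@dataclass
class LlmnrAnswer:
    txid: int
    name: str
    addr: str


def _read_name(payload: bytes, offset: int):
    """Decode a DNS-style label sequence, following a compression pointer if one appears."""
    labels = []
    while True:
        length = payload[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0 == 0xC0:                      # compression pointer (two bytes)
            pointer = ((length & 0x3F) << 8) | payload[offset]
            offset += 1
            suffix, _ = _read_name(payload, pointer)
            labels.append(suffix)
            break
        labels.append(payload[offset:offset + length].decode("ascii", "replace"))
        offset += length
    return ".".join(labels), offset


def parse_llmnr_response(payload: bytes):
    """Return the A-record answers in a UDP/5355 payload; an empty list for queries or non-A replies."""
    txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!6H", payload[:12])
    if not flags & 0x8000:                             # QR bit clear: this is a query, not a response
        return []
    offset = 12
    for _ in range(qdcount):                           # skip the echoed question section
        _, offset = _read_name(payload, offset)
        offset += 4                                    # QTYPE + QCLASS
    answers = []
    for _ in range(ancount):
        name, offset = _read_name(payload, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", payload[offset:offset + 10])
        offset += 10
        rdata = payload[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and (rclass & 0x7FFF) == 1 and rdlen == 4:   # A record, class IN
            answers.append(LlmnrAnswer(txid, name, ".".join(str(b) for b in rdata)))
    return answers


def detect_poisoner(src_ip: str, payload: bytes, canary: str = CANARY_NAME):
    """A host that answers for a name that does not exist is poisoning LLMNR; return the finding or None."""
    for answer in parse_llmnr_response(payload):
        if answer.name.lower() == canary.lower():
            return (f"LLMNR poisoning suspected: {src_ip} answered {answer.name} "
                    f"with {answer.addr} (txid {answer.txid:#06x})")
    return None


def build_llmnr_response(txid: int, name: str, addr: str) -> bytes:
    """Constructed sample: the response a poisoner would send, used only to exercise the parser offline."""
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in name.split(".")) + b"\x00"
    header = struct.pack("!6H", txid, 0x8000, 1, 1, 0, 0)
    question = qname + struct.pack("!HH", 1, 1)
    answer = qname + struct.pack("!HHIH", 1, 1, 30, 4) + bytes(int(o) for o in addr.split("."))
    return header + question + answer


if __name__ == "__main__":
    # A spoofer at 10.2.3.4 answers the canary; a legitimate reply for a real host is ignored.
    print(detect_poisoner("10.2.3.4", build_llmnr_response(0x1234, CANARY_NAME, "10.2.3.4")))
    print(detect_poisoner("10.1.1.5", build_llmnr_response(0x1235, "fileserver01", "10.1.1.5")))
```

On a real sensor the payload comes from a socket bound to UDP/5355 (or a capture), and the query for the canary is sent to the LLMNR multicast group 224.0.0.252.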

Exploiting Network-Based Vulnerabilities
Windows Name Resolution and SMB Attacks (Cont.)
• The figure shows a very brief example of the EternalBlue exploit in Metasploit.
• The command use exploit/windows/smb/ms17_010_eternalblue selects the EternalBlue exploit.
• The show options command displays all the configurable options for the EternalBlue exploit.
• At a minimum, you must configure the IP address of the remote host (RHOST) and the IP address of the host you want the victim to communicate with after exploitation (LHOST).
• To configure the RHOST, use the set RHOST command followed by the IP address of the remote system (10.1.1.2).
• To configure the LHOST, use the set LHOST command followed by the IP address of the host the victim should connect back to (10.10.66.6).
• The remote port (445) is already configured by default.
• After you run the exploit command, Metasploit runs the exploit against the target system and starts a Meterpreter session that lets you control and further compromise the system.
Exploiting Network-Based Vulnerabilities
Windows Name Resolution and SMB Attacks (Cont.)

SMB Exploits
• Historically, SMB has suffered numerous catastrophic vulnerabilities.
• Simply browse the dozens of known exploits in the Exploit Database (exploit-db.com) by using the searchsploit smb command, as shown in the figure (the command output is truncated).
• One of the most widely used SMB exploits in recent times has been the EternalBlue exploit.
• Successful exploitation of EternalBlue allows an unauthenticated remote attacker to compromise an affected system and execute arbitrary code.
• This exploit has been used in ransomware such as WannaCry and Nyetya and has been ported to many different tools, including Metasploit.

Exploiting Network-Based Vulnerabilities
Lab - Scanning for SMB Vulnerabilities with enum4linux
In this lab, you will complete the following objectives:
• Start enum4linux and explore its capabilities.
• Identify computers with SMB services running.
• Use enum4linux to enumerate users and network file shares.
• Use smbclient to transfer files between systems.

Exploiting Network-Based Vulnerabilities
DNS Cache Poisoning
• DNS cache poisoning is another popular attack leveraged by threat actors; it involves manipulating the DNS resolver cache by injecting corrupted DNS data.
• This is done to force the DNS server to send the wrong IP address to the victim and redirect the victim to the attacker's system.
• The figure illustrates the mechanics of DNS cache poisoning.

Exploiting Network-Based Vulnerabilities
DNS Cache Poisoning (Cont.)
The steps are as follows:
• Step 1. The attacker corrupts the DNS server's cache data to impersonate the website theartofhacking.org. Before the attacker runs the DNS poisoning attack, the DNS server correctly resolves the IP address of theartofhacking.org to the correct address (104.27.176.154), as shown with the nslookup command.
• Step 2. Once the attacker runs the DNS poisoning attack, the DNS server resolves theartofhacking.org to the IP address of the attacker's system (10.2.3.4).
• Step 3. The victim sends a request to the DNS server to obtain the IP address of the domain theartofhacking.org.
• Step 4. The DNS server responds with the IP address of the attacker's system.
• Step 5. The victim sends an HTTP GET to the attacker's system, and the attacker impersonates the theartofhacking.org domain.
Exploiting Network-Based Vulnerabilities
SNMP Exploits
• SNMP is a protocol that many people and organizations use to manage network devices; it uses UDP port 161.
• In SNMP implementations, each network device contains an SNMP agent that communicates with a separate SNMP server (also known as an SNMP manager).
• An administrator can use SNMP to obtain status information and the configuration of a network device, to change the configuration, and to perform other administrative tasks.
• This is very attractive to attackers, because they can leverage SNMP vulnerabilities to perform similar actions maliciously.
• There are several versions of SNMP, but the two most popular today are SNMPv2c and SNMPv3.
• SNMPv2c uses community strings, which are passwords applied to a network device to allow an administrator to restrict access to the device in two ways: by providing read-only or read/write access.
• The information of the managed device is kept in a database called the Management Information Base (MIB).
• A common SNMP attack involves an attacker enumerating the SNMP services and then checking for configured default SNMP passwords.

Exploiting Network-Based Vulnerabilities
SNMP Exploits (Cont.)
• Unfortunately, this is one of the main flaws of many implementations, because many users leave weak or default SNMP credentials on network devices.
• SNMPv3 uses usernames and passwords and is more secure than all previous versions of SNMP.
• However, attackers can still perform dictionary and brute-force attacks against SNMPv3 implementations.
• A more modern and secure implementation involves the use of NETCONF with newer infrastructure devices (such as routers and switches).
• You can leverage Nmap Scripting Engine (NSE) scripts to gather information from SNMP-enabled devices and to brute-force weak credentials.
• In Kali Linux, the NSE scripts are located in /usr/share/nmap/scripts by default.
• The figure shows the SNMP-related NSE scripts available on a Kali Linux system.
• In addition to the NSE scripts, you can use the snmp-check tool to perform an SNMP walk to gather information about SNMP-configured devices.
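From the defender's side, the same weakness (a cleartext community string in every SNMPv1/v2c packet) is what a network sensor can key on. The following is an added example, not part of the module, that decodes the BER-encoded SNMP message header of a UDP/161 payload and reports cleartext versions, default community strings, and SetRequests; the default-community list, the constructed request builder, and the sample source addresses are assumptions.

```python
DEFAULT_COMMUNITIES = {"public", "private", "cisco", "admin", "manager"}  # assumption: common vendor defaults
SNMP_VERSIONS = {0: "v1", 1: "v2c", 3: "v3"}
SET_REQUEST_PDU = 0xA3


def _ber_tlv(buf: bytes, offset: int):
    """Return (tag, value, next_offset) for the BER element at offset; handles short and long-form lengths."""
    tag = buf[offset]
    length = buf[offset + 1]
    offset += 2
    if length & 0x80:                                   # long form: low 7 bits give the number of length octets
        count = length & 0x7F
        length = int.from_bytes(buf[offset:offset + count], "big")
        offset += count
    return tag, buf[offset:offset + length], offset + length


def inspect_snmp(payload: bytes) -> dict:
    """Decode the SNMP message header of a UDP/161 payload: version, community (v1/v2c only) and PDU tag."""
    tag, message, _ = _ber_tlv(payload, 0)
    if tag != 0x30:
        raise ValueError("payload is not a BER SEQUENCE, so not SNMP")
    tag, raw_version, offset = _ber_tlv(message, 0)
    if tag != 0x02:
        raise ValueError("missing version INTEGER")
    version = SNMP_VERSIONS.get(int.from_bytes(raw_version, "big"), "unknown")
    if version not in ("v1", "v2c"):
        return {"version": version, "community": None, "pdu": None}   # v3 carries USM data, not a community
    _, community, offset = _ber_tlv(message, offset)
    pdu_tag, _, _ = _ber_tlv(message, offset)
    return {"version": version, "community": community.decode("latin-1"), "pdu": pdu_tag}


def assess_snmp(payload: bytes, src_ip: str) -> list:
    """Findings a network sensor would raise for one SNMP packet seen on the wire."""
    info = inspect_snmp(payload)
    findings = []
    if info["community"] is None:
        return findings
    findings.append(f"{src_ip}: SNMP{info['version']} in use; community string travels in cleartext")
    if info["community"].lower() in DEFAULT_COMMUNITIES:
        findings.append(f"{src_ip}: default community string '{info['community']}'")
    if info["pdu"] == SET_REQUEST_PDU:
        findings.append(f"{src_ip}: SetRequest with community '{info['community']}' (read/write access)")
    return findings


def build_snmp_request(version: int, community: str, pdu_tag: int = 0xA0) -> bytes:
    """Constructed sample SNMPv1 (0) / v2c (1) request for sysName.0; short-form lengths are enough here."""
    def tlv(tag, value):
        return bytes([tag, len(value)]) + value
    sys_name_oid = b"\x2b\x06\x01\x02\x01\x01\x05\x00"                # 1.3.6.1.2.1.1.5.0
    varbind = tlv(0x30, tlv(0x06, sys_name_oid) + b"\x05\x00")        # OID + NULL value
    pdu = tlv(pdu_tag, tlv(0x02, b"\x01") + tlv(0x02, b"\x00") + tlv(0x02, b"\x00") + tlv(0x30, varbind))
    return tlv(0x30, tlv(0x02, bytes([version])) + tlv(0x04, community.encode("ascii")) + pdu)


if __name__ == "__main__":
    print(assess_snmp(build_snmp_request(1, "public"), "10.1.1.7"))
    print(assess_snmp(build_snmp_request(1, "private", SET_REQUEST_PDU), "10.1.1.7"))
    print(assess_snmp(build_snmp_request(1, "Xk9-rotated-2023"), "10.1.1.8"))
```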

Exploiting Network-Based Vulnerabilities
SMTP Exploits
• Attackers can leverage insecure SMTP servers to send spam and to carry out phishing and other email-based attacks.
• SMTP is a server-to-server protocol, which is different from client/server protocols such as POP3 or IMAP.
• Before you can understand how to exploit email protocol vulnerabilities, you must become familiar with the standard TCP ports used by the different email protocols:
• TCP port 25: the default port used by SMTP for unencrypted communications.
• TCP port 465: the port registered by IANA for SMTP over SSL (SMTPS). SMTPS has been deprecated in favor of STARTTLS.
• TCP port 587: the Secure SMTP (SSMTP) protocol for encrypted communications, as defined in RFC 2487, using STARTTLS. Mail user agents (MUAs) use TCP port 587 for email submission. STARTTLS can also be used over TCP port 25 in some implementations.
• TCP port 110: the default port used by POP3 for unencrypted communications.
• TCP port 995: the default port used by POP3 for encrypted communications.
• TCP port 143: the default port used by IMAP for unencrypted communications.
• TCP port 993: the default port used by IMAP for encrypted communications (SSL/TLS).

Exploiting Network-Based Vulnerabilities
SMTP Exploits (Cont.)
• An SMTP open relay is the term used for an email server that accepts and relays (that is, sends) email from any user.
• Such configurations can be abused to send spoofed email, spam, phishing, and other email-related scams.
• Nmap has an NSE script for testing open relay configurations.
• The figure shows how the script can be used against an email server (10.1.2.14).

Exploiting Network-Based Vulnerabilities
SMTP Exploits (Cont.)
• The following are some examples of SMTP commands that can be useful when performing a security assessment of an email server:
• HELO: Used to start an SMTP conversation with an email server. The command is followed by an IP address or a domain name (for example, HELO 10.1.2.14).
• EHLO: Used to start a conversation with an extended SMTP (ESMTP) server. This command is used the same way as the HELO command.
• STARTTLS: Used to start a Transport Layer Security (TLS) connection to an email server.
• RCPT: Used to denote the email address of the recipient.
• DATA: Used to start the transfer of the contents of an email message.
• RSET: Used to reset (cancel) an email transaction.
• MAIL: Used to denote the email address of the sender.
• QUIT: Used to close a connection.
• HELP: Used to display a help menu (if available).
• AUTH: Used to authenticate a client to the server.
• VRFY: Used to verify whether a user's email mailbox exists.
• EXPN: Used to request, or expand, a mailing list on the remote server.

Exploiting Network-Based Vulnerabilities
SMTP Exploits (Cont.)

• The figure shows an example of how you can use some of these commands to reveal the email addresses that may exist on the email server.
• In this case, you connect to the email server using telnet followed by port 25. (In this example, the SMTP server uses plaintext communication over TCP port 25.)
• You then use the VRFY (verify) command with the email username to check whether the user account exists on the system.

Exploiting Network-Based Vulnerabilities
SMTP Exploits (Cont.)

• The smtp-user-enum tool (which is installed by default in Kali Linux) lets you automate these information-gathering steps.
• The figure shows the smtp-user-enum options and examples of how to use the tool.

Exploiting Network-Based Vulnerabilities
SMTP Exploits (Cont.)

• The figure shows how to use the smtp-user-enum command to check whether the user omar exists on the server.
• Most modern email servers disable the VRFY and EXPN commands.
• It is strongly recommended that you disable these SMTP commands.
• Modern firewalls also help protect against and block any SMTP connection attempts that use these commands.
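The open-relay test and the VRFY/EXPN check described above are the same three-command conversation, so a mail administrator can verify both hardening items in one session. The following is an added example, not part of the module or of any of the tools it names, that performs that exchange and classifies the reply codes; the probe user, the audit hostname, the foreign sender/recipient addresses, and the offline stand-in server (`_DemoSmtpHandler`, constructed here so the check runs without a real mail server) are assumptions.

```python
import socket
import socketserver
import threading


def _read_reply(rfile):
    """Read one (possibly multi-line) SMTP reply; return (code, lines). Continuation lines look like 'NNN-'."""
    lines = []
    while True:
        raw = rfile.readline()
        if not raw:
            raise ConnectionError("server closed the connection")
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        lines.append(line)
        if len(line) < 4 or line[3] != "-":
            return int(line[:3]), lines


def check_smtp_hardening(host, port=25, probe_user="omar",
                         relay_from="audit@example.net", relay_to="someone@example.org"):
    """Classify a server's VRFY/EXPN replies and test whether it relays mail for an outside sender.

    relay_from and relay_to must both be foreign to the server's own domains (assumption), otherwise
    a 250 to RCPT is ordinary local delivery rather than an open relay."""
    findings = {}
    with socket.create_connection((host, port), timeout=5) as sock:
        rfile = sock.makefile("rb")

        def cmd(text):
            sock.sendall((text + "\r\n").encode("ascii"))
            return _read_reply(rfile)

        _read_reply(rfile)                                   # 220 banner
        cmd("EHLO audit.example.net")
        code, _ = cmd(f"VRFY {probe_user}")
        findings["vrfy_enumerable"] = code in (250, 251)     # 252 = cannot verify; 5xx = disabled
        code, _ = cmd(f"EXPN {probe_user}")
        findings["expn_enumerable"] = code == 250
        code, _ = cmd(f"MAIL FROM:<{relay_from}>")
        if code == 250:
            code, _ = cmd(f"RCPT TO:<{relay_to}>")
            findings["open_relay"] = code in (250, 251)      # 554/550 "relay access denied" is the healthy reply
        else:
            findings["open_relay"] = False
        cmd("RSET")
        cmd("QUIT")
    return findings


class _DemoSmtpHandler(socketserver.StreamRequestHandler):
    """Constructed stand-in mail server so the check runs offline; `hardened` selects the reply set."""
    hardened = True

    def handle(self):
        self.wfile.write(b"220 mail.example.net ESMTP demo\r\n")
        for raw in self.rfile:
            verb = raw.decode("ascii", "replace").split(" ", 1)[0].strip().upper()
            if verb == "QUIT":
                self.wfile.write(b"221 2.0.0 Bye\r\n")
                return
            if verb == "EHLO":
                reply = "250-mail.example.net\r\n250 STARTTLS"
            elif verb == "VRFY":
                reply = "252 2.5.2 Cannot VRFY user" if self.hardened else "250 omar <omar@example.net>"
            elif verb == "EXPN":
                reply = "502 5.5.1 EXPN not implemented" if self.hardened else "250 omar@example.net"
            elif verb == "RCPT":
                reply = "554 5.7.1 Relay access denied" if self.hardened else "250 2.1.5 Ok"
            else:                                            # MAIL, RSET and anything else
                reply = "250 2.0.0 Ok"
            self.wfile.write((reply + "\r\n").encode("ascii"))


def start_demo_server(hardened=True):
    """Start the constructed server on an ephemeral loopback port; returns (port, server)."""
    handler = type("DemoHandler", (_DemoSmtpHandler,), {"hardened": hardened})
    server = socketserver.ThreadingTCPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server.server_address[1], server


def audit_demo(hardened):
    """Run the check against the constructed server in the given mode and return its findings."""
    port, server = start_demo_server(hardened)
    try:
        return check_smtp_hardening("127.0.0.1", port)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print("weak server:    ", audit_demo(hardened=False))
    print("hardened server:", audit_demo(hardened=True))
```

Against a real server, call check_smtp_hardening() with the server's address; every flag that comes back True is an item to fix in the MTA configuration.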

Exploiting Network-Based Vulnerabilities
SMTP Exploits (Cont.)

Known SMTP Server Exploits
• It is possible to leverage exploits that have been created to take advantage of known SMTP-related vulnerabilities.
• The figure shows a list of known SMTP exploits obtained with the searchsploit command in Kali Linux (the output is truncated).

Exploiting Network-Based Vulnerabilities
FTP Exploits
• Attackers often abuse FTP servers to steal information.
• The legacy FTP protocol does not use encryption or perform any type of integrity validation.
• Best practice dictates implementing a more secure alternative, such as FTPS or SFTP.
• The SFTP and FTPS protocols use encryption to protect data; however, some implementations offer weak ciphers (encryption algorithms), such as Blowfish and DES.
• You should use stronger algorithms, such as AES.
• Similarly, SFTP and FTPS servers use hashing algorithms to verify the integrity of file transfers.
• SFTP uses SSH, and FTPS uses FTP over TLS.
• Best practices call for disabling weak hashing protocols, such as MD5 or SHA-1, and using stronger algorithms from the SHA-2 family (such as SHA-256 or SHA-512).
• In addition, FTP servers often allow anonymous user authentication, which an attacker can abuse to store unwanted files on the server, potentially for exfiltration.
• For example, an attacker who compromises a system and extracts sensitive information can store that information (as a stepping stone) on any available FTP server that allows any user to connect using the anonymous account.

Exploiting Network-Based Vulnerabilities
FTP Exploits (Cont.)

• The figure shows a scan (using Nmap) against a server with the IP address 172.16.20.136.
• Nmap can determine the type and version of the FTP server (in this case, vsftpd version 3.0.3).
• The next figure shows how to test for anonymous login on an FTP server using Metasploit.
• The highlighted line shows that the FTP server is configured for anonymous login.
• The mitigation in this example is to edit the FTP server's configuration file to disable anonymous login.
• In this example, the server is using vsFTPd, so the configuration file is located at /etc/vsftpd.conf.
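The mitigation is a one-line change in /etc/vsftpd.conf, but the same file also decides whether the server offers the plaintext FTP and weak ciphers discussed above. The following is an added example, not part of the module or of vsftpd, that parses vsftpd's option=value format and audits anonymous access and the FTPS settings, showing a constructed weak configuration beside a hardened one; the two sample files are constructed, and the defaults applied for missing options follow vsftpd's documented defaults.

```python
from pathlib import Path

# Constructed sample: a vsftpd.conf that allows the anonymous login the Metasploit check found.
WEAK_VSFTPD_CONF = """\
# vsftpd.conf (constructed weak example)
listen=YES
anonymous_enable=YES
anon_upload_enable=YES
local_enable=YES
write_enable=YES
ssl_enable=NO
"""

# Constructed sample: the same server after the mitigation, plus FTPS hardening.
HARDENED_VSFTPD_CONF = """\
# vsftpd.conf (constructed hardened example)
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
ssl_enable=YES
force_local_logins_ssl=YES
force_local_data_ssl=YES
ssl_sslv2=NO
ssl_sslv3=NO
ssl_ciphers=HIGH
"""


def parse_vsftpd_conf(text: str) -> dict:
    """Parse vsftpd's 'option=value' format (one per line, '#' comments); keys are lower-cased here."""
    options = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        options[key.strip().lower()] = value.strip()
    return options


def _enabled(options: dict, key: str, default: str) -> bool:
    return options.get(key, default).upper() == "YES"


def audit_vsftpd(options: dict) -> list:
    """Return findings for the settings this audit models; an empty list means they all pass.

    Defaults mirror vsftpd's documented defaults: anonymous_enable=YES, force_local_*_ssl=YES,
    ssl_sslv2/ssl_sslv3=NO, ssl_ciphers=DES-CBC3-SHA."""
    findings = []
    if _enabled(options, "anonymous_enable", "YES"):
        findings.append("anonymous_enable=YES: anonymous FTP login is allowed (set anonymous_enable=NO)")
        if _enabled(options, "anon_upload_enable", "NO") or _enabled(options, "anon_mkdir_write_enable", "NO"):
            findings.append("anonymous users can write: the server can be used as a drop point for exfiltrated data")
    if not _enabled(options, "ssl_enable", "NO"):
        findings.append("ssl_enable=NO: credentials and data travel in plaintext (enable FTPS)")
        return findings                                   # the remaining checks only apply to FTPS
    if not (_enabled(options, "force_local_logins_ssl", "YES") and _enabled(options, "force_local_data_ssl", "YES")):
        findings.append("TLS is optional for local users: clients can fall back to plaintext logins or data")
    if _enabled(options, "ssl_sslv2", "NO") or _enabled(options, "ssl_sslv3", "NO"):
        findings.append("ssl_sslv2/ssl_sslv3=YES: obsolete protocol versions are enabled")
    ciphers = options.get("ssl_ciphers", "DES-CBC3-SHA").upper()
    if any(weak in ciphers for weak in ("DES", "RC4", "NULL", "EXPORT")):
        findings.append(f"ssl_ciphers={ciphers}: weak cipher suites; use AES-based suites (e.g. HIGH)")
    return findings


def audit_vsftpd_file(path: str = "/etc/vsftpd.conf") -> list:
    """Audit a real configuration file (the path from the module's example is the default)."""
    return audit_vsftpd(parse_vsftpd_conf(Path(path).read_text()))


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_VSFTPD_CONF), ("hardened", HARDENED_VSFTPD_CONF)):
        print(f"{label}: {audit_vsftpd(parse_vsftpd_conf(conf)) or ['no findings']}")
```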

Exploiting Network-Based Vulnerabilities
FTP Exploits (Cont.)

• The following are several additional best practices for mitigating FTP server abuse and attacks:
• Use strong passwords and multifactor authentication. A best practice is to use good credential
management and strong passwords. When possible, use two-factor authentication for any critical
service or server.
• Implement file and folder security, making sure that users have access to only the files they are
entitled to access.
• Use encryption at rest – that is, encrypt all files stored in the FTP server.
• Lock down administration accounts. You should restrict administrator privileges to a limited number of
users and require them to use multifactor authentication. In addition, do not use common
administrator usernames such as root or admin.
• Keep the FTPS or SFTP server software up-to-date.
• Use the U.S. government FIPS 140-2 validated encryption ciphers for general guidance on what
encryption algorithms to use.
• Keep any back-end databases on a different server than the FTP server.
• Require re-authentication of inactive sessions.

Exploiting Network-Based Vulnerabilities
Pass-the-Hash Attacks

• All Windows versions store passwords as hashes in the Security Accounts Manager (SAM) file.

• The operating system does not know what the actual password is because it stores only a hash of it.

• Instead of using a well-known hashing algorithm, Microsoft created its own implementation that has
developed over the years.

• Microsoft also has a suite of security protocols for authentication, called New Technology LAN Manager
(NTLM) that had two versions: NTLMv1 and NTLMv2.

• Since Windows 2000, Microsoft has used Kerberos in Windows domains.

• However, NTLM may still be used when the client is authenticating to a server via IP address or if
a client is authenticating to a server in a different Active Directory (AD) forest configured for NTLM
trust instead of a transitive inter-forest trust.

Exploiting Network-Based Vulnerabilities
Pass-the-Hash Attacks (Cont.)
• In addition, NTLM might also still be used if the client is authenticating to a server that doesn’t belong to
a domain or if the Kerberos communication is blocked by a firewall.

• So, what is a pass-the-hash attack?

• Because password hashes cannot be reversed, instead of trying to figure out what the user's password is, an attacker can just use a password hash collected from a compromised system and then use the same hash to log in to another client or server system.

• The Windows operating system and Windows applications ask users to enter their passwords when they log in.

• The system then converts the passwords into hashes (in most cases, using an API called LsaLogonUser).

• A pass-the-hash attack goes around this process and just sends the hash to the system to authenticate.
Exploiting Network-Based Vulnerabilities
Kerberos and LDAP-Based Attacks
• Kerberos is an authentication protocol defined in RFC 4120 that has been used by Windows for several
years and by numerous applications and other operating systems.
• A Kerberos implementation contains three basic elements: Client, Server and Key distribution center
(KDC), including the authentication server and the ticket-granting server.
• The steps in Kerberos authentication are:
• Step 1. The client sends a request to the authentication server within the KDC.
• Step 2. The authentication server sends a session key and a ticket-granting ticket (TGT) that is used to verify the client's identity.
• Step 3. The client sends the TGT to the ticket-granting server.
• Step 4. The ticket-granting server generates and sends a ticket to the client.
• Step 5. The client presents the ticket to the server.
• Step 6. The server grants access to the client.
Exploiting Network-Based Vulnerabilities
Kerberos and LDAP-Based Attacks (Cont.)
• Active Directory uses Lightweight Directory Access Protocol (LDAP) as an access protocol.

• The Windows LDAP implementation supports Kerberos authentication.

• LDAP uses an inverted-tree hierarchical structure called the Directory Information Tree (DIT), and every
entry has a defined position.

• The Distinguished Name (DN) represents the full path of the entry.

• One of the most common attacks is the Kerberos golden ticket attack.
• An attacker can manipulate Kerberos tickets based on available hashes by compromising a
vulnerable system and obtaining the local user credentials and password hashes.
• If the system is connected to a domain, the attacker can identify a Kerberos TGT (KRBTGT)
password hash to get the golden ticket.

• Empire is a post-exploitation framework that includes a pure-PowerShell Windows agent and a Python
agent, that can be used to perform golden ticket and many other types of attacks.
Exploiting Network-Based Vulnerabilities
Kerberos and LDAP-Based Attacks (Cont.)
• A similar attack is the Kerberos silver ticket attack.

• Silver tickets are forged service tickets for a given service on a particular server.

• The Windows Common Internet File System (CIFS) service allows access to files on a particular server, and the HOST service allows executing schtasks.exe or Windows Management Instrumentation (WMI) on a given server.

• In order to create a silver ticket, you need the system account (ending in $), the security identifier (SID) for the
domain, the fully qualified domain name, and the given service (for example, CIFS, HOST).

• Another weakness in Kerberos implementations is the use of unconstrained Kerberos delegation.


• Kerberos delegation is a feature that allows an application to reuse the end-user credentials to access
resources hosted on a different server.

• Typically, you should allow Kerberos delegation only if the application server is ultimately trusted; however, allowing it could have negative security consequences if abused, and Kerberos delegation is therefore not enabled by default in Active Directory.
Exploiting Network-Based Vulnerabilities
Kerberoasting
• Another attack against Kerberos-based deployments is Kerberoasting.

• Kerberoasting is a post-exploitation activity that is used by an attacker to extract service account credential
hashes from Active Directory for offline cracking.

• It is a pervasive attack that exploits a combination of weak encryption implementations and improper
password practices.

• Kerberoasting can be an effective attack because the threat actor can extract service account credential
hashes without sending any IP packets to the victim and without having domain admin credentials.
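Because the TGS request is a normal Kerberos operation, the domain controller still logs it (Security event 4769), and the combination the slide names, RC4-encrypted service tickets requested in bulk, is what a detection rule keys on. The following is an added example, not part of the module, that runs that logic over constructed 4769 records; the field names are normalized from the event XML, and the accounts, service names, addresses and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = 0x17       # TicketEncryptionType in event 4769; RC4 tickets are keyed from the account's NT hash
AES256_SHA1 = 0x12

# Constructed sample of Windows Security event 4769 fields (TargetUserName -> account,
# ServiceName -> service, TicketEncryptionType -> enc_type, IpAddress -> ip).
SAMPLE_4769 = [
    {"time": "2023-05-01T10:00:01", "account": "alice@CORP.LOCAL", "service": "FS01$",      "enc_type": AES256_SHA1, "ip": "10.1.1.50"},
    {"time": "2023-05-01T10:00:12", "account": "bob@CORP.LOCAL",   "service": "svc_sql",    "enc_type": RC4_HMAC,    "ip": "10.1.1.51"},
    {"time": "2023-05-01T10:05:00", "account": "omar@CORP.LOCAL",  "service": "svc_sql",    "enc_type": RC4_HMAC,    "ip": "10.1.1.77"},
    {"time": "2023-05-01T10:05:01", "account": "omar@CORP.LOCAL",  "service": "svc_web",    "enc_type": RC4_HMAC,    "ip": "10.1.1.77"},
    {"time": "2023-05-01T10:05:01", "account": "omar@CORP.LOCAL",  "service": "svc_backup", "enc_type": RC4_HMAC,    "ip": "10.1.1.77"},
    {"time": "2023-05-01T10:05:02", "account": "omar@CORP.LOCAL",  "service": "svc_sccm",   "enc_type": RC4_HMAC,    "ip": "10.1.1.77"},
    {"time": "2023-05-01T10:05:03", "account": "omar@CORP.LOCAL",  "service": "DC01$",      "enc_type": AES256_SHA1, "ip": "10.1.1.77"},
]


def detect_kerberoasting(events, min_services=3, window=timedelta(minutes=5)):
    """Flag accounts that requested RC4 service tickets for >= min_services distinct service accounts
    inside `window`. Computer accounts (names ending in $) and krbtgt are skipped: their keys are long
    random secrets, so an RC4 ticket for them is not what Kerberoasting targets."""
    per_account = defaultdict(list)
    for e in events:
        if e["enc_type"] != RC4_HMAC or e["service"].endswith("$") or e["service"].lower() == "krbtgt":
            continue
        per_account[e["account"]].append((datetime.fromisoformat(e["time"]), e["service"], e["ip"]))
    hits = {}
    for account, requests in per_account.items():
        requests.sort()
        for i, (start, _, _) in enumerate(requests):      # slide the window from each request
            burst = [r for r in requests[i:] if r[0] - start <= window]
            services = sorted({svc for _, svc, _ in burst})
            if len(services) >= min_services:
                hits[account] = {"services": services, "sources": sorted({ip for _, _, ip in burst})}
                break
    return hits


if __name__ == "__main__":
    for account, detail in detect_kerberoasting(SAMPLE_4769).items():
        print(f"possible Kerberoasting by {account} from {detail['sources']}: {detail['services']}")
```

A single RC4 request (bob above) is normal for an application that does not support AES, which is why the rule counts distinct services in a short window rather than alerting on every 0x17.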

Exploiting Network-Based Vulnerabilities
On-Path Attacks
• In an on-path attack (previously known as a MITM attack), an attacker places himself or herself in-line
between two devices or individuals that are communicating to eavesdrop on or manipulate the data being
transferred.
• On-path attacks can happen at L2 or L3.

• ARP cache poisoning (also known as ARP spoofing) is an attack that leads to an on-path attack scenario.
• It can target hosts, switches, and routers connected to an L2 network by poisoning the ARP caches of
systems connected to the subnet and intercepting traffic intended for other hosts on the subnet.
• In the figure the attacker spoofs L2 MAC addresses to make the victim believe that the L2 address
of the attacker is the L2 address of its default gateway (10.2.3.4).
• The packets that are supposed to go to the default gateway are forwarded by the switch to the L2
address of the attacker on the same network.
• The attacker can forward the IP packets to the correct destination in order to allow the client to
access the web server (10.2.66.77).
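The scenario above has a simple observable: the gateway's IP suddenly answers from a second MAC, and that same MAC also claims the victim. The following added example (not from the Cisco module) implements that check over a constructed ARP-reply trace using the slide's gateway address 10.2.3.4; all MAC addresses are made up.

```python
"""Detect ARP cache poisoning from a stream of ARP replies.

Added example (not from the Cisco module). It models the slide's scenario:
the default gateway 10.2.3.4 is suddenly claimed by a second MAC address,
which then also claims the victim so that traffic flows through it both ways.
All MAC addresses and the packet trace are constructed for this demo.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    sender_ip: str
    sender_mac: str
    target_ip: str
    target_mac: str


GATEWAY_IP = "10.2.3.4"
VICTIM_IP = "10.2.3.50"
GATEWAY_MAC = "00:11:22:33:44:01"
VICTIM_MAC = "00:11:22:33:44:02"
ATTACKER_MAC = "00:11:22:33:44:0a"

# Constructed trace: legitimate replies first, then the attacker's MAC starts
# claiming the gateway (to poison the victim) and the victim (to poison the gateway).
TRACE = [
    ArpReply(GATEWAY_IP, GATEWAY_MAC, VICTIM_IP, VICTIM_MAC),
    ArpReply(VICTIM_IP, VICTIM_MAC, GATEWAY_IP, GATEWAY_MAC),
    ArpReply(GATEWAY_IP, ATTACKER_MAC, VICTIM_IP, VICTIM_MAC),   # poisons the victim
    ArpReply(VICTIM_IP, ATTACKER_MAC, GATEWAY_IP, GATEWAY_MAC),  # poisons the gateway
    ArpReply(GATEWAY_IP, ATTACKER_MAC, VICTIM_IP, VICTIM_MAC),   # periodic re-poison
]


def detect_arp_poisoning(replies, static_bindings=None):
    """Return alert strings for IPs that change MAC or are claimed by several MACs.

    static_bindings maps IP -> expected MAC for infrastructure (e.g. the gateway);
    a reply contradicting a static binding is flagged immediately, which is the
    same idea DAI applies using the DHCP snooping binding table.
    """
    static_bindings = static_bindings or {}
    seen = defaultdict(set)   # ip -> set of MACs that have claimed it
    alerts = []
    for r in replies:
        expected = static_bindings.get(r.sender_ip)
        if expected is not None and r.sender_mac != expected:
            alerts.append(f"STATIC_VIOLATION {r.sender_ip} claimed by {r.sender_mac}")
        previous = seen[r.sender_ip]
        if previous and r.sender_mac not in previous:
            alerts.append(f"IP_MAC_CHANGE {r.sender_ip}: {sorted(previous)} -> {r.sender_mac}")
        previous.add(r.sender_mac)
    # One MAC claiming two different IPs is the classic on-path signature.
    mac_to_ips = defaultdict(set)
    for ip, macs in seen.items():
        for mac in macs:
            mac_to_ips[mac].add(ip)
    for mac, ips in sorted(mac_to_ips.items()):
        if len(ips) > 1:
            alerts.append(f"ONE_MAC_MANY_IPS {mac} claims {sorted(ips)}")
    return alerts
```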
Exploiting Network-Based Vulnerabilities
On-Path Attacks (Cont.)
• Media Access Control (MAC) spoofing is an attack in which a threat actor impersonates the MAC address
of another device (typically an infrastructure device such as a router).
• In virtual environments, the MAC address could be a virtual address (that is, not assigned to a physical
adapter).
• An attacker could spoof the MAC address of physical or virtual systems to either circumvent access
control measures or perform an on-path attack.

• Another example of an L2 on-path attack involves placing a switch in the network and manipulating Spanning
Tree Protocol (STP) to make it the root switch.
• It can allow an attacker to see any traffic that needs to be sent through the root switch.
• An attacker can carry out an on-path attack at L3 by placing a rogue router on the network and then
tricking the other routers into believing that this new router has a better path than other routers.

• It is also possible to perform an on-path attack by compromising the victim’s system and installing malware
that can intercept the packets sent by the victim.
• The malware can capture packets before they are encrypted if the victim is using SSL/TLS/HTTPS or
any other mechanism.
Exploiting Network-Based Vulnerabilities
On-Path Attacks (Cont.)
• The following are some additional L2 security best practices for securing your infrastructure:
• Do not use VLAN 1 as the native VLAN for all your trunks and for any of your enabled access ports.
• Administratively configure switch ports as access ports so that users cannot negotiate a trunk; do not allow DTP.
• Limit the number of MAC addresses learned on a given port by using the port security feature.
• Control Spanning Tree to stop users or unknown devices from manipulating it, using the BPDU Guard and Root
Guard features.
• Turn off CDP on ports facing untrusted or unknown networks that do not require CDP for any legitimate purpose.
• On a new switch, shut down all ports and assign them to a VLAN that is not used for anything other than a
parking lot. Then bring up the ports and assign correct VLANs as the ports are allocated and needed.
• Use Root Guard to control which ports are not allowed to become root ports to remote switches.
• Use DAI.
• Use IP Source Guard to prevent spoofing of L3 information by hosts.
• Implement 802.1X to authenticate and authorize users before allowing them to communicate to the rest of the
network.
• Use DHCP snooping to prevent rogue DHCP servers from impacting the network.
• Use storm control to limit the amount of broadcast or multicast traffic flowing through a switch. An attacker could
perform a packet storm (or broadcast storm) attack to cause a DoS condition.
• Deploy access control lists (ACLs), such as L3 and L2 ACLs, for traffic control and policy enforcement.
Exploiting Network-Based Vulnerabilities
On-Path Attacks (Cont.)
• In a downgrade attack, an attacker forces a system to favor a weak encryption protocol or hashing
algorithm that may be susceptible to other vulnerabilities.

• An example of a downgrade vulnerability and attack is the Padding Oracle on Downgraded Legacy
Encryption (POODLE) vulnerability in OpenSSL, which allowed the attacker to negotiate the use of a lower
version of TLS between the client and server.

• POODLE was an OpenSSL-specific vulnerability and has been patched since 2014.

• However, in practice, removing backward compatibility is often the only way to prevent any other
downgrade attacks or flaws.

Exploiting Network-Based Vulnerabilities
Lab - On-Path Attacks with Ettercap
• In this lab, you will complete the following objectives:
• Part 1: Launch Ettercap and Explore Its Capabilities
• Part 2: Perform the On-Path (MITM) Attack
• Part 3: Use Wireshark to observe the ARP Spoofing Attack

Exploiting Network-Based Vulnerabilities
Route Manipulation Attacks
• Although many different route manipulation attacks exist, one of the most common is the BGP hijacking
attack.
• Border Gateway Protocol (BGP) is a dynamic routing protocol used to route Internet traffic.
• An attacker can launch a BGP hijacking attack by configuring or compromising an edge router to announce
prefixes that have not been assigned to his or her organization.
• If the malicious announcement contains a route that is more specific than the legitimate advertisement or that
presents a shorter path, the victim’s traffic could be redirected to the attacker.
• In the past, threat actors have leveraged unused prefixes for BGP hijacking to avoid attention from the
legitimate user or organization.
• The figure illustrates a BGP hijacking route manipulation attack, where the attacker compromises a router and
performs a BGP hijack attack to intercept traffic between Host A and Host B.
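Route monitoring catches the two cases the slide names: an announcement from the wrong origin AS, and a more-specific prefix that wins longest-prefix matching regardless of path length. The following added example (not from the Cisco module) checks constructed announcements against an expected prefix-to-origin table; the prefixes are documentation ranges and the AS numbers are private-range placeholders.

```python
"""Flag BGP announcements that look like prefix hijacks.

Added example, not part of the Cisco module. It checks announcements against a
table of expected (prefix, origin AS) pairs the way a route-monitoring service
would: an unexpected origin, or a more-specific prefix inside an expected
prefix, is reported. Prefixes, AS numbers and announcements are constructed.
"""
import ipaddress

# Constructed "ground truth": what the organisation legitimately originates.
EXPECTED_ORIGINS = {
    "203.0.113.0/24": 64500,
    "198.51.100.0/24": 64500,
}

# Constructed announcements as seen from a route collector: (prefix, AS_PATH).
ANNOUNCEMENTS = [
    ("203.0.113.0/24", [64510, 64500]),       # legitimate
    ("198.51.100.0/24", [64510, 64500]),      # legitimate
    ("203.0.113.0/25", [64510, 64666]),       # more specific, wrong origin
    ("198.51.100.0/24", [64520, 64666]),      # same prefix, wrong origin
    ("192.0.2.0/24", [64510, 64520]),         # not monitored space, ignore
]


def classify_announcement(prefix, as_path, expected=EXPECTED_ORIGINS):
    """Return None if the announcement is benign, else a reason string."""
    net = ipaddress.ip_network(prefix)
    origin = as_path[-1]   # the last AS in the AS_PATH is the originating AS
    for exp_prefix, exp_origin in expected.items():
        exp_net = ipaddress.ip_network(exp_prefix)
        if net == exp_net:
            if origin != exp_origin:
                return f"origin mismatch: {prefix} from AS{origin}, expected AS{exp_origin}"
            return None
        if net.subnet_of(exp_net):
            # A more-specific prefix beats the legitimate /24 in every router's
            # forwarding table, so it is reported even when the origin looks right.
            if origin != exp_origin:
                return f"more-specific hijack: {prefix} inside {exp_prefix} from AS{origin}"
            return f"unexpected more-specific {prefix} of {exp_prefix} from own AS{origin}"
    return None   # prefix unrelated to the monitored space


def hijack_alerts(announcements=ANNOUNCEMENTS, expected=EXPECTED_ORIGINS):
    """Run classify_announcement over a batch and collect the non-benign reasons."""
    alerts = []
    for prefix, as_path in announcements:
        reason = classify_announcement(prefix, as_path, expected)
        if reason:
            alerts.append(reason)
    return alerts
```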

Exploiting Network-Based Vulnerabilities
DoS and DDoS Attacks
• Denial-of-service (DoS) and distributed DoS (DDoS) attacks have been around for quite some time, but there
has been heightened awareness of them over the past few years.

• DoS attacks can generally be divided into three categories, described in the following sections:
• Direct
• Botnet
• Reflected
• Amplification

• As a penetration tester, you might be tasked with performing different types of stress testing for
availability and demonstrating how a DDoS attack can potentially affect a system or a network.

• In most cases, those types of stress tests are performed in a controlled environment and are typically out of
scope in production systems.

Exploiting Network-Based Vulnerabilities
DoS and DDoS Attacks (Cont.)
• A direct DoS attack occurs when the source of the attack generates the packets, regardless of protocol,
application, and so on, that are sent directly to the victim of the attack.
• In the figure, the attacker launches a direct DoS attack against a web server (the victim) by sending
numerous TCP SYN packets.
• This type of attack (SYN flood attack) is aimed at flooding the victim with an overwhelming number of
packets to oversaturate its connection bandwidth or deplete the target’s system resources.
• Cybercriminals can also use DoS and DDoS attacks to produce added costs for the victim when the victim is
using cloud services.

• In most cases, when you use a cloud service such as AWS, Microsoft Azure, or Digital Ocean, you pay
per usage.
• Attackers can launch DDoS attacks to cause you to pay more for usage and resources.
• Another type of DoS attack involves exploiting vulnerabilities such as buffer overflows to cause a server
or even a network infrastructure device to crash, subsequently causing a DoS condition.
Exploiting Network-Based Vulnerabilities
DoS and DDoS Attacks (Cont.)
• Many attackers use botnets to launch DDoS attacks.

• A botnet is a collection of compromised machines that the attacker can manipulate from a command and
control (CnC, or C2) system to participate in a DDoS attack, send spam emails, and perform other illicit
activities.

• The figure shows how an attacker may use a botnet to launch a DDoS attack.

• The botnet is composed of compromised user endpoints (laptops), home wireless routers, and IoT devices
such as IP cameras.

• In the figure, the attacker sends instructions to the C2; subsequently, the C2 sends instructions to the bots
within the botnet to launch the DDoS attack against the victim server.
Exploiting Network-Based Vulnerabilities
DoS and DDoS Attacks (Cont.)
• In reflected DoS and DDoS attacks, attackers send spoofed packets that appear to come from the victim to
third-party sources; those sources then become unwitting participants in the reflected attack by sending
their response traffic back to the intended victim.

• UDP is often used as the transport mechanism in such attacks because it is more easily spoofed due to the
lack of a three-way handshake.

• In the figure, the attacker sends a packet to Host A.

• The source IP address is the victim’s IP address (10.1.2.3), and the destination IP address is Host A’s IP
address (10.1.1.8).

• Subsequently, Host A sends an unwanted packet to the victim.

• If the attacker continues to send these types of packets, not only does Host A flood the victim, but the
victim might also reply with unnecessary packets, thus consuming bandwidth and resources.
Exploiting Network-Based Vulnerabilities
DoS and DDoS Attacks (Cont.)
• An amplification attack is a form of reflected DoS attack in which the response traffic (sent by the
unwitting participant) is made up of packets that are much larger than those that were initially sent by the
attacker (spoofing the victim).

• An example of this type of attack is an attacker sending DNS queries to a DNS server configured as an open
resolver.

• Then the DNS server (open resolver) replies with responses much larger in packet size than the initial query
packets.

• The result is that the victim’s machine gets flooded by large packets for which it never actually issued
queries.

• The figure shows an example.
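From the victim's side, both the reflected attack and its amplified form have the same signature: UDP service replies arriving from a host the victim never queried. The following added example (not from the Cisco module) applies that check to constructed flow records built around the slide's addresses (victim 10.1.2.3, reflector Host A 10.1.1.8) and reports the byte volume so the amplification can be read off.

```python
"""Spot reflected and amplified UDP traffic in unidirectional flow records.

Added example, not from the Cisco module. A host that receives DNS (or NTP,
SNMP, SSDP) replies without having sent a matching request is being used as a
reflection target; the ratio of reply bytes to request bytes is the
amplification. Flow records are constructed using the slide's addresses:
victim 10.1.2.3 and reflector Host A 10.1.1.8.
"""
from collections import defaultdict

VICTIM = "10.1.2.3"
REFLECTOR = "10.1.1.8"

# Constructed flow records: (src, dst, proto, sport, dport, bytes)
FLOWS = [
    # A normal client: one query, then a modest-size answer.
    ("10.1.2.9", REFLECTOR, "udp", 40000, 53, 60),
    (REFLECTOR, "10.1.2.9", "udp", 53, 40000, 120),
    # Reflected and amplified: large replies to the victim, no request from it.
    (REFLECTOR, VICTIM, "udp", 53, 4444, 3000),
    (REFLECTOR, VICTIM, "udp", 53, 4445, 3200),
    (REFLECTOR, VICTIM, "udp", 53, 4446, 3100),
    # Unrelated TCP traffic that must be ignored.
    (VICTIM, "10.1.5.5", "tcp", 51000, 443, 500),
]

# Well-known UDP services commonly abused as reflectors.
REFLECTIVE_SERVICES = {53: "dns", 123: "ntp", 161: "snmp", 1900: "ssdp"}


def find_reflection_victims(flows=FLOWS, min_unsolicited=3):
    """Return {victim_ip: [report, ...]} for hosts receiving unsolicited UDP replies."""
    requests = defaultdict(int)              # (client, server, port) -> bytes sent
    replies = defaultdict(lambda: [0, 0])    # (client, server, port) -> [count, bytes]
    for src, dst, proto, sport, dport, size in flows:
        if proto != "udp":
            continue
        if dport in REFLECTIVE_SERVICES:
            requests[(src, dst, dport)] += size
        elif sport in REFLECTIVE_SERVICES:
            entry = replies[(dst, src, sport)]
            entry[0] += 1
            entry[1] += size
    report = {}
    for (client, server, port), (count, reply_bytes) in replies.items():
        # Replies with a matching request from the same client are normal traffic.
        if requests.get((client, server, port), 0) == 0 and count >= min_unsolicited:
            report.setdefault(client, []).append({
                "reflector": server,
                "service": REFLECTIVE_SERVICES[port],
                "unsolicited_replies": count,
                "bytes": reply_bytes,
            })
    return report


def amplification_factor(request_bytes, response_bytes):
    """Bytes the reflector delivers to the victim per byte the attacker had to send."""
    if request_bytes <= 0:
        raise ValueError("request size must be positive")
    return response_bytes / request_bytes
```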
Exploiting Network-Based Vulnerabilities
Network Access Control (NAC) Bypass
• NAC is a technology designed to interrogate endpoints before they join a wired or wireless network, and it
is typically used in conjunction with 802.1X for identity management and enforcement.

• A network access switch or wireless AP can be configured to authenticate end users and perform a security
posture assessment of the endpoint device to enforce policy.
• It can check whether you have security software such as antivirus, anti-malware, and personal
firewalls before it allows you to join the network.
• It can also check whether you have a specific version of an operating system and whether your
system has been patched for specific vulnerabilities.

• In addition, NAC-enabled devices (switches, wireless APs, and so on) can use several detection techniques
to detect the endpoint trying to connect to the network.

• A NAC-enabled device intercepts DHCP requests from endpoints.

• A broadcast listener is used to look for network traffic, such as ARP requests and DHCP requests
generated by endpoints.
Exploiting Network-Based Vulnerabilities
Network Access Control (NAC) Bypass (Cont.)
• Several NAC solutions use client-based agents to perform endpoint security posture assessments to
prevent an endpoint from joining the network until it is evaluated.

• In addition, some switches can be configured to send an SNMP trap message when a new MAC address
is registered with a certain switch port and to trigger the NAC process.

• NAC implementations can allow specific nodes such as printers, IP phones, and video conferencing
equipment to join the network by using an allow list (or whitelist) of MAC addresses corresponding to such
devices.

• This process is known as MAC authentication (auth) bypass. MAC auth bypass is a feature of NAC.

• The network administrator can preconfigure or manually change these access levels.

• For example, a device accessing a specific VLAN (for example, VLAN 88) must be manually predefined
for a specific port by an administrator, making deploying a dynamic network policy across multiple ports
using port security extremely difficult to maintain.
Exploiting Network-Based Vulnerabilities
Network Access Control (NAC) Bypass (Cont.)
• An attacker could easily spoof an authorized MAC address (in a process called MAC address spoofing)
and bypass a NAC configuration.

• For example, it is possible to spoof the MAC address of an IP phone and use it to connect to a network.

• This is because a port for which MAC auth bypass is enabled can be dynamically enabled or disabled
based on the MAC address of the device that connects to it.

• The figure illustrates this scenario.

Exploiting Network-Based Vulnerabilities
VLAN Hopping
• One way to identify a LAN is to say that all the devices in the same LAN have a common L3 IP network
address and that they also are all located in the same L2 broadcast domain.

• A virtual LAN (VLAN) is another name for a Layer 2 broadcast domain and is controlled by a switch.

• The switch also controls which ports are associated with which VLANs.

• In the figure, if the switches are in their default configuration, all ports by default are assigned to VLAN 1,
which means all the devices, including the two users and the router, are in the same broadcast domain,
or VLAN.

• As you start adding hundreds of users, you might want to separate groups of users into individual subnets
and associated individual VLANs.
• To do this, you assign the switch ports to the VLAN, and then any device that connects to that
specific switch port is a member of that VLAN.
Exploiting Network-Based Vulnerabilities
VLAN Hopping (Cont.)
• Ideally, all the devices that connect to switch ports that are assigned to a given VLAN also have a
common IP network address configured so that they can communicate with other devices in the same
VLAN.

• Often, DHCP is used to assign IP addresses from a common subnet range to the devices in a given VLAN.

• One problem with having two users in the same VLAN but not on the same physical switch is how Switch 1
tells Switch 2 that a broadcast or unicast frame is supposed to be for VLAN 10.
• The solution is simple: For connections between two switches that contain ports in VLANs that exist in
both switches, you configure specific trunk ports instead of configuring access ports.

• If the two switch ports are configured as trunks, they include additional information called a tag that
identifies which VLAN each frame belongs to.

• 802.1Q is the standard protocol for this tagging.

• The most critical piece of information (for this discussion) in this tag is the VLAN ID.
Exploiting Network-Based Vulnerabilities
VLAN Hopping (Cont.)
• Currently, Host A and Host B in the figure cannot communicate because they are in separate VLANs (VLAN
10 and VLAN 20, respectively).
• The inter-switch links (between the two switches) are configured as trunks.

• A broadcast frame sent from Host A and received by Switch 1 would be forwarded over the trunk to Switch 2,
tagged as belonging to VLAN 10.

• Switch 2 would see the tag, know it was a broadcast associated with VLAN 10, remove the tag, and forward
the broadcast to all other interfaces associated with VLAN 10, including the switch port that is connected to
Host B.

• These two core components (access ports being assigned to a single VLAN and trunk ports that tag the
traffic so that a receiving switch knows which VLAN a frame belongs to) are the core building blocks for
Layer 2 switching, where a VLAN can extend beyond a single switch.
Exploiting Network-Based Vulnerabilities
VLAN Hopping (Cont.)
• Host A and Host B communicate with each other, and they can communicate with other devices in the
same VLAN (which is also the same IP subnet), but they cannot communicate with devices outside their
local VLAN without the assistance of a default gateway.

• A router could be implemented with two physical interfaces: one connecting to an access port on the
switch that has been assigned to VLAN 10 and another physical interface connected to a different access
port that has been configured for a different VLAN.

• With two physical interfaces and a different IP address on each, the router could perform routing between
the two VLANs.

• Virtual local area network (VLAN) hopping is a method of gaining access to traffic on other VLANs that
would normally not be accessible.
• There are two primary methods of VLAN hopping: switch spoofing and double tagging.
• When you perform a switch spoofing attack, you imitate a trunking switch by sending the respective
VLAN tag and the specific trunking protocols.
Exploiting Network-Based Vulnerabilities
VLAN Hopping (Cont.)
• Several best practices can help mitigate VLAN hopping and other Layer 2 attacks.
• You should always avoid using VLAN 1 anywhere because it is a default.
• Do not use this native VLAN for any of your enabled access ports.
• On a new switch, shut down all ports and assign them to a VLAN that is not used for anything else
other than a parking lot.
• Then bring up the ports and assign correct VLANs as the ports are allocated and needed.

• Following these best practices can help prevent a user from maliciously negotiating a trunk with a switch
and then having full access to each of the VLANs by using custom software on the computer that can both
send and receive dot1q-tagged frames.

• A user with a trunk established could perform VLAN hopping to any VLAN desired by just tagging frames
with the VLAN of choice.

• Other malicious tricks could be used as well, but forcing the port to an access port with no negotiation
removes this risk.

Exploiting Network-Based Vulnerabilities
VLAN Hopping (Cont.)
• Another 802.1Q VLAN hopping attack is a double-tagging VLAN hopping attack.

• Most switches configured for 802.1Q remove only one 802.1Q tag.

• An attacker could change the original 802.1Q frame to add two VLAN tags: an outer tag with his or her
own VLAN and an inner hidden tag of the victim’s VLAN.

• When the double-tagged frame reaches the switch, it only processes the outer tag of the VLAN that the
ingress interface belongs to.

• The switch removes the outer VLAN tag and forwards the frame to all the ports that belong to the native VLAN.

• A copy of the frame is forwarded to the trunk link to reach the next switch.
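Seeing the 802.1Q bytes makes the double-tagging mechanism concrete: two stacked tags, and a switch that pops only the outer one leaves the inner VLAN ID intact for the next hop. The following added example (not from the Cisco module) builds and parses such frames and applies the two rules a defender wants enforced at ingress: no tag on an access port, and never two tags. The MAC addresses and payload are constructed.

```python
"""Parse stacked 802.1Q tags from an Ethernet frame and flag double tagging.

Added example, not from the Cisco module. It decodes the Ethernet header and
any stacked 802.1Q tags (TPID 0x8100), models a switch that removes only the
outer tag, and classifies frames at ingress. The frames are constructed.
"""
import struct

TPID_8021Q = 0x8100


def build_frame(dst, src, vlan_ids, ethertype=0x0800, payload=b"\x00" * 46):
    """Build an Ethernet frame with zero or more stacked 802.1Q tags (outer first)."""
    frame = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    for vid in vlan_ids:
        # TCI = PCP (3 bits) | DEI (1 bit) | VID (12 bits); PCP and DEI left at 0 here.
        frame += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)
    frame += struct.pack("!H", ethertype) + payload
    return frame


def parse_tags(frame):
    """Return (dst_mac, src_mac, [vlan ids outer->inner], ethertype, payload)."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst = ":".join(f"{b:02x}" for b in frame[0:6])
    src = ":".join(f"{b:02x}" for b in frame[6:12])
    offset = 12
    vlans = []
    while True:
        if len(frame) < offset + 2:
            raise ValueError("truncated frame")
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        if ethertype != TPID_8021Q:
            break
        if len(frame) < offset + 4:
            raise ValueError("truncated 802.1Q tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        vlans.append(tci & 0x0FFF)
        offset += 4
    return dst, src, vlans, ethertype, frame[offset + 2:]


def strip_one_tag(frame):
    """Model a switch that, as the slide says, removes only the outer 802.1Q tag."""
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != TPID_8021Q:
        return frame
    return frame[:12] + frame[16:]


def classify_ingress(frame, port_is_trunk):
    """Return 'ok' or the reason the frame should be dropped and alerted on."""
    _, _, vlans, _, _ = parse_tags(frame)
    if len(vlans) >= 2:
        return f"double-tagged frame (outer VLAN {vlans[0]}, inner VLAN {vlans[1]})"
    if vlans and not port_is_trunk:
        return f"tagged frame (VLAN {vlans[0]}) on access port"
    return "ok"
```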

Exploiting Network-Based Vulnerabilities
DHCP Starvation Attacks and Rogue DHCP Servers
• The two most popular attacks against DHCP servers and infrastructure are DHCP starvation and DHCP
spoofing (which involves rogue DHCP servers).

• In a DHCP starvation attack, an attacker broadcasts several DHCP REQUEST messages with spoofed
source MAC addresses, as illustrated in the figure.

Exploiting Network-Based Vulnerabilities
DHCP Starvation Attacks and Rogue DHCP Servers (Cont.)

• If the DHCP server responds to all these fake DHCP REQUEST messages, available IP addresses in the
DHCP server scope are depleted within a few minutes or seconds.

• After the available number of IP addresses in the DHCP server is depleted, the attacker can then set up a
rogue DHCP server and respond to new DHCP requests from network DHCP clients, as shown in the figure.

• The attacker sets up a rogue DHCP server to launch a DHCP spoofing attack.

• The attacker can set the IP address of the default gateway and DNS server to itself so that it can intercept
the traffic from the network hosts.
Exploiting Network-Based Vulnerabilities
DHCP Starvation Attacks and Rogue DHCP Servers (Cont.)

• The figure shows an example of a tool called Yersinia that can be used to create a rogue DHCP
server and launch DHCP starvation and spoofing attacks.
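DHCP snooping gives a defender exactly the two facts needed to catch both halves of this attack: which switch port a DHCP message entered on, and whether that port is trusted. The following added example (not from the Cisco module) runs the starvation and rogue-server checks over a constructed event stream; interface names, addresses, MACs and timestamps are all made up.

```python
"""Detect DHCP starvation and a rogue DHCP server from DHCP snooping-style events.

Added example, not from the Cisco module. Two checks run over a constructed
event stream: (1) a burst of DISCOVER/REQUEST messages from many distinct
client MACs behind one switch port (starvation), and (2) an OFFER/ACK/NAK
that enters on an untrusted port or comes from an unknown server address
(rogue server). All addresses, ports and timestamps are constructed.
"""
from collections import defaultdict

TRUSTED_PORTS = {"Gi1/0/24"}     # uplink towards the legitimate DHCP server
KNOWN_SERVERS = {"10.0.0.2"}      # legitimate DHCP server address

# Constructed events: (time_s, msg_type, client_mac, src_ip, switch_port)
EVENTS = [
    (0.0, "DISCOVER", "00:00:5e:00:53:10", "0.0.0.0", "Gi1/0/3"),
    (0.1, "OFFER", "00:00:5e:00:53:10", "10.0.0.2", "Gi1/0/24"),
    (0.2, "REQUEST", "00:00:5e:00:53:10", "0.0.0.0", "Gi1/0/3"),
    (0.3, "ACK", "00:00:5e:00:53:10", "10.0.0.2", "Gi1/0/24"),
] + [
    # Starvation burst: 50 spoofed client MACs within one second on port Gi1/0/7.
    (1.0 + i * 0.02, "DISCOVER", f"02:00:00:00:{i // 256:02x}:{i % 256:02x}", "0.0.0.0", "Gi1/0/7")
    for i in range(50)
] + [
    # Once the pool is empty, a rogue server answers from the attacker's access port.
    (3.0, "DISCOVER", "00:00:5e:00:53:11", "0.0.0.0", "Gi1/0/5"),
    (3.1, "OFFER", "00:00:5e:00:53:11", "10.0.0.99", "Gi1/0/7"),
]


def detect_starvation(events, window_s=2.0, max_clients=20):
    """Return {port: peak distinct client MACs} for ports exceeding max_clients in a window."""
    per_port = defaultdict(list)   # port -> [(time, mac), ...]
    for t, msg, mac, _, port in events:
        if msg in ("DISCOVER", "REQUEST"):
            per_port[port].append((t, mac))
    alerts = {}
    for port, seq in per_port.items():
        seq.sort()
        start = 0
        for end in range(len(seq)):
            while seq[end][0] - seq[start][0] > window_s:
                start += 1
            distinct = len({mac for _, mac in seq[start:end + 1]})
            if distinct > max_clients:
                alerts[port] = max(alerts.get(port, 0), distinct)
    return alerts


def detect_rogue_servers(events, trusted_ports=TRUSTED_PORTS, known_servers=KNOWN_SERVERS):
    """Return [(src_ip, port, reason)] for server messages that should not exist."""
    alerts = []
    for _, msg, _, src_ip, port in events:
        if msg not in ("OFFER", "ACK", "NAK"):
            continue
        if port not in trusted_ports:
            alerts.append((src_ip, port, "server message on untrusted port"))
        elif src_ip not in known_servers:
            alerts.append((src_ip, port, "unknown DHCP server address"))
    return alerts
```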

5.2 Exploiting Wireless Vulnerabilities

Exploiting Wireless Vulnerabilities
Overview

• Customers are concerned about the security of their Wi-Fi networks, as they should be.

• Because wireless signals can be received outside of facilities, and wireless networks are essentially
internal networks, it is essential to periodically verify the effectiveness of Wi-Fi security measures.

• Not directly related to Wi-Fi, but equally crucial, is the strength of network access security so that if
an attacker can gain access to the wireless network, they still cannot access sensitive resources.

Exploiting Wireless Vulnerabilities
Rogue Access Points

• One of the most simplistic wireless attacks involves an attacker installing a rogue AP in a network to fool
users into connecting to that AP.

• Basically, the attacker can use that rogue AP to create a backdoor and obtain access to the network and
its systems, as illustrated in the figure.
Exploiting Wireless Vulnerabilities
Evil Twin Attacks

• In an evil twin attack, the attacker creates a rogue access point and configures it the same as the existing
corporate network, as illustrated in the figure.
• Typically, the attacker uses DNS spoofing to redirect the victim to a cloned captive portal or a website.
• When users are logged on to the evil twin, a hacker can easily inject a spoofed DNS record into the DNS
cache, changing the DNS record for all users on the fake network.
• Any user who logs in to the evil twin will be redirected by the spoofed DNS record injected into the cache.
• An attacker who performs a DNS cache poisoning attack wants to get the DNS cache to accept a spoofed
record.
• Some ways to defend against DNS spoofing are using packet filtering, cryptographic protocols, and
spoofing detection features provided by modern wireless implementations.
Exploiting Wireless Vulnerabilities
Disassociation (or Deauthentication) Attacks
• An attacker can cause legitimate wireless clients to deauthenticate from legitimate wireless APs or wireless
routers to either create a DoS condition or to make those clients connect to an evil twin.
• This type of attack is also known as a disassociation attack because the attacker disassociates (tries to
disconnect) the user from the authenticating wireless AP and then carries out another attack to obtain the
user’s valid credentials.
• A service set identifier (SSID) is the name or identifier associated with an 802.11 WLAN; it is included in
plaintext in many wireless packets and beacons.
• A wireless client needs to know the SSID in order to associate with a wireless AP.
• It is possible to configure passive wireless tools like Kismet or KisMAC to listen to and capture SSIDs and
any other wireless network traffic.
• Tools such as Airmon-ng (which is part of the Aircrack-ng suite), shown in the figure, can perform this
reconnaissance.
• The system in this example has five different wireless network adapters, and the adapter wlan1 is used
for monitoring.
Exploiting Wireless Vulnerabilities
Disassociation (or Deauthentication) Attacks (Cont.)
• The Airodump-ng tool (also part of the Aircrack-ng suite) can be used to sniff and analyze wireless
network traffic, as shown in the figure.
• It can be used to sniff wireless networks and obtain their SSIDs, along with the channels they are
operating on.
• Many corporations and individuals configure their wireless APs to not advertise (broadcast) their SSIDs
and to not respond to broadcast probe requests.
• However, if you sniff on a wireless network long enough, you will eventually catch a client trying to
associate with the AP and can then get the SSID.
• In the figure you can see the BSSID and the ESSID for every available wireless network.
• Basically, the ESSID identifies the same network as the SSID.
• You can also see the ENC encryption protocol.
• The encryption protocols can be WPA version 1, WPA2, WPA3, WEP, or OPN.
Exploiting Wireless Vulnerabilities
Disassociation (or Deauthentication) Attacks (Cont.)
• A deauthentication attack can be performed using the Aireplay-ng utility.

• An example is illustrated in the figure.

• The 802.11w standard defines the Management Frame Protection (MFP) feature.
• MFP protects wireless devices against spoofed management frames from other wireless devices that
might otherwise deauthenticate a valid user session.
• In other words, MFP helps defend against deauthentication attacks.

• MFP is negotiated between the wireless client (supplicant) and the wireless infrastructure device (AP,
wireless router, and so on).
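The evil twin slides and the deauthentication slides above describe two things a wireless sensor can see directly: the corporate SSID advertised by a BSSID that is not one of your APs, and a burst of deauthentication frames aimed at one AP (unprotected ones, where that AP requires 802.11w MFP, are spoofed by definition). The following added example (not from the Cisco module) runs both checks over constructed management-frame observations; the SSID, BSSIDs and timestamps are made up.

```python
"""Wireless monitoring checks for evil twins and deauthentication floods.

Added example, not from the Cisco module. It works over constructed 802.11
management-frame observations as a wireless IDS sensor might record them:
(1) a beacon carrying the corporate SSID from a BSSID that is not an
authorised AP is an evil-twin candidate; (2) a burst of deauthentication
frames towards one AP is a deauth attack, and if that AP requires 802.11w
MFP then any unprotected deauth frame is spoofed. All values are constructed.
"""
from collections import defaultdict

CORP_SSID = "corp-net"
AUTHORISED_BSSIDS = {"00:00:5e:00:53:a1", "00:00:5e:00:53:a2"}
MFP_REQUIRED = {"00:00:5e:00:53:a1"}    # APs that advertise MFP as required

# Constructed observations: (time_s, subtype, bssid, ssid_or_None, protected)
FRAMES = [
    (0.0, "beacon", "00:00:5e:00:53:a1", CORP_SSID, False),
    (0.1, "beacon", "00:00:5e:00:53:a2", CORP_SSID, False),
    (0.2, "beacon", "00:00:5e:00:53:ee", CORP_SSID, False),     # evil twin
    (0.3, "beacon", "00:00:5e:00:53:ee", "guest-wifi", False),  # other SSID, ignored
] + [
    # 40 unprotected deauths against AP a1 inside 0.4 s: a flood.
    (1.0 + i * 0.01, "deauth", "00:00:5e:00:53:a1", None, False) for i in range(40)
] + [
    (5.0, "deauth", "00:00:5e:00:53:a2", None, False),   # one normal deauth, not a flood
]


def find_evil_twins(frames=FRAMES, corp_ssid=CORP_SSID, authorised=AUTHORISED_BSSIDS):
    """BSSIDs advertising the corporate SSID without being authorised APs."""
    return sorted({bssid for _, sub, bssid, ssid, _ in frames
                   if sub == "beacon" and ssid == corp_ssid and bssid not in authorised})


def find_deauth_floods(frames=FRAMES, window_s=1.0, threshold=10, mfp_required=MFP_REQUIRED):
    """Return {bssid: details} for APs seeing more than threshold deauths in any window."""
    per_bssid = defaultdict(list)
    for t, sub, bssid, _, protected in frames:
        if sub == "deauth":
            per_bssid[bssid].append((t, protected))
    alerts = {}
    for bssid, seq in per_bssid.items():
        seq.sort()
        start, peak = 0, 0
        for end in range(len(seq)):
            while seq[end][0] - seq[start][0] > window_s:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            unprotected = sum(1 for _, p in seq if not p)
            alerts[bssid] = {
                "peak_per_window": peak,
                "unprotected": unprotected,
                # With MFP required, the real AP only ever sends protected deauths,
                # so unprotected ones are spoofed (and MFP-capable clients drop them).
                "spoofed_despite_mfp": bssid in mfp_required and unprotected > 0,
            }
    return alerts
```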
Exploiting Wireless Vulnerabilities
Preferred Network List Attacks
• Operating systems and wireless supplicants (clients), in many cases, maintain a list of trusted or preferred
wireless networks.

• This is also referred to as the preferred network list (PNL).

• A PNL includes the wireless network SSID, plaintext passwords, or WEP or WPA passwords.

• Clients use these preferred networks to automatically associate to wireless networks when they are not
connected to an AP or a wireless router.

• It is possible for attackers to listen to these client requests and impersonate the wireless networks to make
the clients connect to the attackers’ wireless devices and eavesdrop on their conversation or manipulate
their communication.

Exploiting Wireless Vulnerabilities
Wireless Signal Jamming and Interference
• The purpose of jamming wireless signals or causing wireless network interference is to create a full or
partial DoS condition in the wireless network.

• Such a condition, if successful, is very disruptive.

• Most modern wireless implementations provide built-in features that can help immediately detect such
attacks.

• In order to jam a Wi-Fi signal or any other type of radio communication, an attacker basically generates
random noise on the frequencies that wireless networks use.

• With the appropriate tools and wireless adapters that support packet injection, an attacker can cause
legitimate clients to disconnect from wireless infrastructure devices.

Exploiting Wireless Vulnerabilities
War Driving
• War driving is a method attackers use to find wireless access points wherever they might be.

• By just driving (or walking) around, an attacker can obtain a significant amount of information over a very
short period.

• Another similar attack is war flying, which involves using a portable computer or other mobile device to
search for wireless networks from an aircraft, such as a drone or another unmanned aerial vehicle (UAV).

Exploiting Wireless Vulnerabilities
Initialization Vector (IV) Attacks and Unsecured Wireless Protocols
• An attacker can modify the initialization vector (IV) of a wireless packet that is encrypted during
transmission.
• The goal of the attacker is to obtain a lot of information about the plaintext of a single packet and generate
another encryption key that can then be used to decrypt other packets using the same IV.
• WEP is susceptible to many different attacks, including IV attacks, so it is considered obsolete.
• WEP must be avoided, and many wireless network devices no longer support it.
• WEP keys exist in two sizes: 40-bit (5-byte) and 104-bit (13-byte) keys.
• In addition, WEP uses a 24-bit IV, which is prepended to the pre-shared key (PSK).
• When you configure a wireless infrastructure device with WEP, the IVs are sent in plaintext.
• WEP uses RC4 in a manner that allows an attacker to crack the PSK with little effort.
• The problem is related to how WEP uses the IVs in each packet.
• When WEP uses RC4 to encrypt a packet, it prepends the IV to the secret key before including the key in
RC4.
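The weakness described above comes down to two facts: the 24-bit IV travels in the clear, and RC4 keyed with IV || PSK produces the same keystream every time an IV repeats. The following added example (not from the Cisco module) implements RC4 and the WEP-style per-packet key construction from the slide, then shows that two frames sharing an IV leak the XOR of their plaintexts; the key, IV and messages are constructed, and the ICV and key-id byte of a real WEP frame are omitted.

```python
"""Why WEP's 24-bit IV is a fatal weakness: keystream reuse.

Added example, not from the Cisco module. It implements RC4 (the cipher WEP
uses) and the per-packet key construction the slide describes (IV prepended
to the pre-shared key, IV sent in plaintext). It then shows that the IV
space is only 2^24 and that two packets encrypted under the same IV leak the
XOR of their plaintexts. Keys, IVs and messages are constructed.
"""


def rc4_keystream(key, length):
    """Plain RC4 (KSA + PRGA). Demonstration only; RC4 is not for new designs."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(psk, iv, plaintext):
    """WEP-style framing: cleartext 3-byte IV followed by RC4(IV || PSK) XOR data.

    A real WEP frame also carries a CRC-32 ICV and a key-id byte; they are
    omitted because they do not affect the keystream-reuse point.
    """
    if len(iv) != 3 or len(psk) not in (5, 13):
        raise ValueError("WEP uses a 24-bit IV and a 40- or 104-bit key")
    ks = rc4_keystream(iv + psk, len(plaintext))
    return iv + bytes(p ^ k for p, k in zip(plaintext, ks))


def iv_from_frame(frame):
    """Anyone sniffing the air reads the IV directly; no key is needed."""
    return frame[:3]


def xor_of_plaintexts(frame_a, frame_b):
    """If two frames share an IV, XOR of their ciphertexts equals XOR of their plaintexts."""
    if iv_from_frame(frame_a) != iv_from_frame(frame_b):
        raise ValueError("different IVs: keystreams differ, nothing leaks this way")
    a, b = frame_a[3:], frame_b[3:]
    return bytes(x ^ y for x, y in zip(a, b))


IV_SPACE = 2 ** 24   # every IV must repeat after at most ~16.7 million packets


def demo():
    """Encrypt two packets under one IV and confirm the plaintext XOR leaks."""
    psk = b"\x01\x02\x03\x04\x05"       # constructed 40-bit key
    iv = b"\x0a\x0b\x0c"                # constructed IV, reused for both packets
    p1 = b"GET /index.html "
    p2 = b"POST /login.php "
    f1, f2 = wep_encrypt(psk, iv, p1), wep_encrypt(psk, iv, p2)
    return xor_of_plaintexts(f1, f2) == bytes(x ^ y for x, y in zip(p1, p2))
```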

Exploiting Wireless Vulnerabilities
Initialization Vector (IV) Attacks and Unsecured Wireless Protocols (Cont.)

• Subsequently, an attacker has the first 3 bytes of an allegedly “secret” key used on every packet.
• To recover the PSK, an attacker just needs to collect enough data from the air.
• An attacker can accelerate this type of attack by just injecting ARP packets (because the length is
predictable), which allows the attacker to recover the PSK much faster.
• After recovering the WEP key, the attacker can use it to access the wireless network.
• An attacker can also use the Aircrack-ng set of tools to crack (recover) the WEP PSK.
• To perform this attack using the Aircrack-ng suite, an attacker first launches Airmon-ng, as shown:

root@kali# airmon-ng start wlan0 11

• The wireless interface is wlan0, and the selected wireless channel is 11.
• Now the attacker wants to listen to all communications directed to the BSSID 08:02:8E:D3:88:82.
• The command below writes all the traffic to a capture file called omar_capture.cap.
• The attacker only has to specify the prefix for the capture file.

root@kali# airodump-ng -c 11 --bssid 08:02:8E:D3:88:82 -w omar_capture wlan0


Exploiting Wireless Vulnerabilities
Initialization Vector (IV) Attacks and Unsecured Wireless Protocols (Cont.)

• The attacker can use Aireplay-ng to listen for ARP requests and then replay, or inject, them back into the
wireless network, as shown:

root@kali# aireplay-ng -3 -b 08:02:8E:D3:88:82 -h 00:0F:B5:88:AC:82 wlan0

• The attacker can use Aircrack-ng to crack the WEP PSK, as demonstrated:

root@kali# aircrack-ng -b 08:02:8E:D3:88:82 omar_capture.cap

• After Aircrack-ng cracks (recovers) the WEP PSK, the output in the example on the side is displayed.

• The cracked (recovered) WEP PSK is shown in the highlighted line.
Exploiting Wireless Vulnerabilities
Initialization Vector (IV) Attacks and Unsecured Wireless Protocols (Cont.)

• WPA and WPA2 are susceptible to different vulnerabilities.

• WPA3 addresses all the vulnerabilities to which WPA and WPA2 are susceptible, and many wireless professionals recommend WPA3 to organizations and individuals.

• All versions of WPA support different authentication methods, including PSK.

• WPA is not susceptible to the IV attacks that affect WEP; however, it is possible to capture the WPA four-way handshake between a client and a wireless infrastructure device and then brute-force the WPA PSK.

• The figure illustrates the WPA four-way handshake.

Exploiting Wireless Vulnerabilities
Initialization Vector (IV) Attacks and Unsecured Wireless Protocols (Cont.)

• The figure illustrates the following steps:

• Step 1. An attacker monitors the Wi-Fi network and finds wireless clients connected to the corp-net SSID.

• Step 2. The attacker sends DeAuth packets to deauthenticate the wireless client.

• Step 3. The attacker captures the WPA four-way handshake and cracks the WPA PSK. (It is possible to use word lists and tools such as Aircrack-ng to perform this attack.)

Exploiting Wireless Vulnerabilities
Initialization Vector (IV) Attacks and Unsecured Wireless Protocols (Cont.)

• The following steps show how to perform this attack by using the Aircrack-ng suite of tools.
• Step 1. The attacker uses Airmon-ng to start the wireless interface in monitoring mode, using the airmon-ng start wlan0 command. The figure displays three terminal windows. The second terminal window from the top shows the output of the airodump-ng wlan0 command, displaying all adjacent wireless networks.

• Step 2. After locating the corp-net network, the attacker uses the airodump-ng command, shown in the first terminal window, to capture all the traffic to a capture file called wpa_capture, specifying the wireless channel (11, in this example), the BSSID, and the wireless interface (wlan0).

Exploiting Wireless Vulnerabilities
Initialization Vector (IV) Attacks and Unsecured Wireless Protocols (Cont.)

• Step 3. The attacker uses the aireplay-ng command, as shown in the figure, to perform a deauthentication attack against the wireless network. In the terminal shown at the top of the figure, you can see that the attacker has collected the WPA handshake.

Exploiting Wireless Vulnerabilities
Initialization Vector (IV) Attacks and Unsecured Wireless Protocols (Cont.)
• Step 4. The attacker uses the aircrack-ng command to crack the WPA PSK by using a word list, as shown in the figure. (The filename is words in this example.)

Exploiting Wireless Vulnerabilities
Initialization Vector (IV) Attacks and Unsecured Wireless Protocols (Cont.)

• Step 5. The tool takes a while to process, depending on the computer power and the complexity of the PSK. After it cracks the WPA PSK, a window similar to the one shown in the figure shows the WPA PSK (corpsupersecret in this example).
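The deauthentication step is the noisy part of this procedure and the one a wireless IDS can catch. The following added example (not from the Cisco course) scans a constructed, simplified 802.11 management-frame log for a deauth burst against one client and reports whether a four-way handshake (EAPOL) followed it; the log format and frame-type names are assumptions, and the BSSID and client MAC are the sample values used on the slides.

```python
# Added example (not part of the Cisco course): detect the deauthentication
# burst that precedes a WPA handshake capture and note whether an EAPOL
# (four-way handshake) exchange followed it. Input is a constructed,
# simplified management-frame log: "<epoch> <type> <bssid> <client>".
from collections import defaultdict

BSSID, CLIENT = "08:02:8e:d3:88:82", "00:0f:b5:88:ac:82"   # sample values from the slides
SAMPLE_FRAMES = [f"1700000000.00 beacon {BSSID} ff:ff:ff:ff:ff:ff",
                 f"1700000003.00 deauth {BSSID} {CLIENT}"]          # one benign deauth
SAMPLE_FRAMES += [f"{1700000100 + i * 0.02:.2f} deauth {BSSID} {CLIENT}"
                  for i in range(40)]                               # constructed flood
SAMPLE_FRAMES += [f"1700000103.00 eapol {BSSID} {CLIENT}"]          # client re-associates

def parse_frames(lines):
    """Parse log lines into (timestamp, frame_type, bssid, client) tuples."""
    out = []
    for line in lines:
        ts, ftype, bssid, client = line.split()
        out.append((float(ts), ftype, bssid.lower(), client.lower()))
    return out

def max_in_window(times, window):
    """Largest number of events inside any `window`-second span (two pointers)."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best

def find_deauth_floods(frames, window=5.0, threshold=10):
    """Return {(bssid, client): (peak_count, handshake_followed)} for each pair
    that saw >= threshold deauth/disassoc frames within `window` seconds. A real
    AP seldom deauthenticates one client more than a few times a minute, so
    dozens of deauths in a few seconds is the signature of an injected flood."""
    deauths, eapols = defaultdict(list), defaultdict(list)
    for ts, ftype, bssid, client in frames:
        if ftype in ("deauth", "disassoc"):
            deauths[(bssid, client)].append(ts)
        elif ftype == "eapol":
            eapols[(bssid, client)].append(ts)
    alerts = {}
    for pair, times in deauths.items():
        peak = max_in_window(times, window)
        if peak >= threshold:
            followed = any(t > max(times) for t in eapols.get(pair, []))
            alerts[pair] = (peak, followed)
    return alerts

print(find_deauth_floods(parse_frames(SAMPLE_FRAMES)))
# → {('08:02:8e:d3:88:82', '00:0f:b5:88:ac:82'): (40, True)}
```

A handshake that follows a flood is the pair to investigate first: it is exactly the capture the attacker was after.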

Exploiting Wireless Vulnerabilities
Initialization Vector (IV) Attacks and Unsecured Wireless Protocols (Cont.)
• KRACK (key reinstallation attack) is a series of vulnerabilities that affect WPA and WPA2.

• Exploitation of these vulnerabilities depends on the specific device configuration.

• Successful exploitation could allow unauthenticated attackers to reinstall a previously used encryption or
integrity key (either through the client or the access point, depending on the specific vulnerability).

• When a previously used key has successfully been reinstalled (by exploiting the disclosed vulnerabilities),
an attacker may proceed to capture traffic using the reinstalled key and attempt to decrypt such traffic.

• In addition, the attacker may attempt to forge or replay previously seen traffic.

• An attacker can perform these activities by manipulating retransmissions of handshake messages.

• Most wireless vendors have provided patches that address the KRACK vulnerabilities, and WPA3 also
addresses these vulnerabilities.
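The WEP IV attack covered earlier and KRACK come down to the same cryptographic failure: two frames encrypted under the same keystream. The added example below (not part of the Cisco course) builds a constructed HMAC-based stream cipher standing in for RC4 (WEP) or AES-CCM (WPA2), shows that XORing two ciphertexts that share a (key, nonce) pair cancels the keystream, and models the KRACK mitigation of refusing to reinstall an already-used key; the key, nonce and frame contents are sample values.

```python
# Added example (not part of the Cisco course): why WEP IV reuse and KRACK
# key reinstallation are fatal. Both put two frames under the same keystream,
# so XORing the ciphertexts cancels it. The cipher is a constructed
# HMAC-SHA256 keystream standing in for RC4 (WEP) or AES-CCM (WPA2).
import hashlib
import hmac

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Block i of the keystream is HMAC(key, nonce || i); like any stream
    cipher it is only safe while no (key, nonce) pair is ever repeated."""
    out, i = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        i += 1
    return out[:length]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR with the keystream; decryption is the same call on the ciphertext."""
    return xor(data, keystream(key, nonce, len(data)))

def recover_other_plaintext(ct1: bytes, ct2: bytes, known_pt1: bytes) -> bytes:
    """ct1 ^ ct2 == pt1 ^ pt2 when the keystream is shared, so one known
    plaintext (a predictable ARP or DHCP frame, say) exposes the other."""
    return xor(xor(ct1, ct2), known_pt1)

class NonceGuard:
    """Models the KRACK fix: a station refuses to install a key whose
    nonce/packet number it has already used, rather than resetting it."""
    def __init__(self):
        self.seen = set()
    def install(self, key: bytes, nonce: bytes) -> None:
        if (key, nonce) in self.seen:
            raise ValueError("refusing key reinstallation: nonce already used")
        self.seen.add((key, nonce))

KEY = b"constructed-sample-session-key"             # sample value
NONCE = (1).to_bytes(6, "big")                        # IV / packet number
FRAME_A = b"ARP who-has 10.0.0.1 tell 10.0.0.2"       # predictable frame
FRAME_B = b"session-cookie: constructed42"            # the frame that leaks

CT_A = encrypt(KEY, NONCE, FRAME_A)
CT_B = encrypt(KEY, NONCE, FRAME_B)                   # same nonce: keystream reused
print(recover_other_plaintext(CT_A, CT_B, FRAME_A))   # → b'session-cookie: constructed42'
```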
Exploiting Wireless Vulnerabilities
Initialization Vector (IV) Attacks and Unsecured Wireless Protocols (Cont.)

• No technology or protocol is perfect.

• Several vulnerabilities in WPA3 have been discovered in recent years.

• The WPA3 protocol introduced a new handshake called the “dragonfly handshake” that uses Extensible
Authentication Protocol (EAP) for authentication.

• Several vulnerabilities can allow an attacker to perform different side-channel attacks, downgrade
attacks, and DoS conditions.

• FragAttacks (which stands for fragmentation and aggregation attacks) is another type of vulnerability
that can allow an attacker to exploit WPA3.

Exploiting Wireless Vulnerabilities
Initialization Vector (IV) Attacks and Unsecured Wireless Protocols (Cont.)

• Wi-Fi Protected Setup (WPS) is a protocol that simplifies the deployment of wireless networks.

• It is implemented so that users can simply generate a WPA PSK with little interaction with a wireless
device.

• Typically, a PIN printed on the outside of the wireless device or in the box that came with it is used to
provision the wireless device.

• Most implementations do not care if you incorrectly attempt millions of PIN combinations in a row, which
means these devices are susceptible to brute-force attacks.

• A tool called Reaver makes WPS attacks very simple and easy to execute.

Exploiting Wireless Vulnerabilities
Karma Attacks

• KARMA (karma attacks radio machines automatically) is an on-path attack that involves creating a rogue
AP and allowing an attacker to intercept wireless traffic.

• A radio machine could be a mobile device, a laptop, or any Wi-Fi-enabled device.

• In a KARMA attack scenario, the attacker listens for the probe requests from wireless devices and
intercepts them to generate the same SSID for which the device is sending probes.

• This can be used to attack the PNL.

Exploiting Wireless Vulnerabilities
Fragmentation Attacks
• Wireless fragmentation attacks can be used to acquire 1500 bytes of
pseudo-random generation algorithm (PRGA) elements.

• Wireless fragmentation attacks can be launched against WEP-configured devices.

• These attacks do not recover the WEP key itself but can use the PRGA to
generate packets with tools such as Packetforge-ng (which is part of the
Aircrack-ng suite of tools) to perform wireless injection attacks.

• The example on the side shows Packetforge-ng tool options.

Exploiting Wireless Vulnerabilities
Credential Harvesting
• Credential harvesting is an attack that involves obtaining or compromising user credentials.

• These attacks can be launched using common social engineering attacks such as phishing attacks, and
they can be performed by impersonating a wireless AP or a captive portal to convince a user to enter his
or her credentials.

• Tools such as Ettercap can spoof DNS replies and divert a user visiting a given website to an attacker’s
local system.

• For example, an attacker might spoof a site like Twitter, and when the user visits the website (which looks
like the official Twitter website), he or she is prompted to log in, and the attacker captures the user’s
credentials.

• Another tool that enables this type of attack is the Social-Engineer Toolkit (SET).

Exploiting Wireless Vulnerabilities
Bluejacking and Bluesnarfing
• Bluejacking attacks can be performed using Bluetooth with vulnerable devices in range.

• An attacker sends unsolicited messages to a victim over Bluetooth, including a contact card (vCard)
that typically contains a message in the name field.

• This is done using the Object Exchange (OBEX) protocol.

• A vCard can contain name, address, telephone numbers, email addresses, and related web URLs.

• This type of attack has been mostly performed as a form of spam over Bluetooth connections.

Exploiting Wireless Vulnerabilities
Bluejacking and Bluesnarfing (Cont.)
• Bluesnarfing attacks are performed to obtain unauthorized access to information from a Bluetooth-enabled
device.
• An attacker can launch attacks to access calendars, contact lists, emails and text messages, pictures,
or videos from the victim.

• It is considered riskier than Bluejacking because Bluejacking attacks only transmit data to the victim
device and Bluesnarfing attacks steal information from the victim device.

• It can also be used to obtain the International Mobile Equipment Identity (IMEI) number for a device.

• Attackers can then divert incoming calls and messages to another device without the user’s
knowledge.

• The example below shows how to obtain the name (omar_phone) of a Bluetooth-enabled device with
address DE:AD:BE:EF:12:23 by using the Bluesnarfer tool.

root@kali:~# bluesnarfer -b DE:AD:BE:EF:12:23 -i
device name: omar_phone
Exploiting Wireless Vulnerabilities
Radio-Frequency Identification (RFID) Attacks
• Radio-frequency identification (RFID) is a technology that uses electromagnetic fields to identify and track
tags that hold electronically stored information.

• There are active and passive RFID tags.


• Passive tags use energy from RFID readers (via radio waves), and active tags have local power
sources and can operate from longer distances.

• Many organizations use RFID tags to track inventory or in badges used to enter buildings or rooms.

• RFID tags can even be implanted into animals or people to read specific information that can be stored in
the tags.

• Low-frequency (LF) RFID tags and devices operate at frequencies between 120kHz and 140kHz, and they
exchange information at distances shorter than 3 feet.

• High-frequency (HF) RFID tags and devices operate at the 13.56MHz frequency and exchange information
at distances between 3 and 10 feet.
Exploiting Wireless Vulnerabilities
Bluetooth Low Energy (BLE) Attacks
• Numerous IoT devices use Bluetooth Low Energy (BLE) for communication.

• BLE communications can be susceptible to on-path attacks, and an attacker could modify the BLE
messages between systems that would think that they are communicating with legitimate systems.

• DoS attacks can also be problematic for BLE implementations.

• Several research efforts have demonstrated different BLE attacks.

• For instance, Ohio State University researchers have discovered different fingerprinting attacks that can
allow an attacker to reveal design flaws and misconfigurations of BLE devices.

Exploiting Wireless Vulnerabilities
Radio-Frequency Identification (RFID) Attacks (Cont.)
• Ultra-high-frequency (UHF) RFID tags and devices operate at frequencies between 860MHz and 960MHz
(regional) and exchange information at distances of up to 30 feet.

• A few attacks are commonly launched against RFID devices:


• Attackers can silently steal RFID information (such as a badge or a tag) with an RFID reader such as
the Proxmark3 by just walking near an individual or a tag.

• Attackers can create and clone an RFID tag (in a process called RFID cloning). They can then use
the cloned RFID tags to enter a building or a specific room.

• Attackers can implant skimmers behind RFID card readers in a building or a room.

• Attackers can use amplified antennas to perform NFC amplification attacks. Attackers can also use
amplified antennas to exfiltrate small amounts of data, such as passwords and encryption keys, over
relatively long distances.

Exploiting Wireless Vulnerabilities
Password Spraying
• Password spraying is a type of credential attack in which an attacker brute-forces logins (that is, attempts
to authenticate numerous times) based on a list of usernames with default passwords of common systems
or applications.

• For example, an attacker could try to log in with the word password1 using numerous usernames in a
wordlist.

• A similar attack is credential stuffing.


• In this type of attack, the attacker performs automated injection of usernames and passwords that
have been exposed in previous breaches.
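Because a spray distributes failures across many accounts, per-account lockout counters never trip; the pattern shows up per source instead. The added example below (not from the Cisco course) classifies each source IP in a constructed authentication log as a spray or a brute force from the share of distinct usernames among its failures in a time window; the log format, usernames and addresses are assumptions.

```python
# Added example (not part of the Cisco course): separate a password spray
# (few passwords, many accounts) from a classic brute force (many attempts on
# one account) in an authentication log, per source address. Log lines are
# constructed samples: "<epoch> <OK|FAIL> user=<name> src=<ip>".
from collections import defaultdict

SAMPLE_LOG = [f"17000000{i:02d} FAIL user=user{i:02d} src=198.51.100.7"
              for i in range(25)]                                   # spray: 25 accounts
SAMPLE_LOG += [f"17000001{i:02d} FAIL user=omar src=203.0.113.9"
               for i in range(30)]                                  # brute force: 1 account
SAMPLE_LOG += ["1700000200 OK user=alice src=192.0.2.5",
               "1700000210 FAIL user=alice src=192.0.2.5"]          # ordinary typo

def parse_auth(lines):
    """Parse log lines into (timestamp, result, username, source_ip)."""
    events = []
    for line in lines:
        ts, result, user, src = line.split()
        events.append((int(ts), result, user.split("=", 1)[1], src.split("=", 1)[1]))
    return events

def classify_sources(events, window=600, min_failures=20, spray_ratio=0.8):
    """Per source IP, slide a `window`-second window over its failures. Once a
    window holds >= min_failures, the share of distinct usernames decides:
    mostly distinct users => 'spray' (per-account lockouts never trip), mostly
    the same user => 'brute-force'. Returns {src: (kind, failures, distinct)}."""
    by_src = defaultdict(list)
    for ts, result, user, src in events:
        if result == "FAIL":
            by_src[src].append((ts, user))
    verdicts = {}
    for src, fails in by_src.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1
            span = fails[start:end + 1]
            if len(span) < min_failures:
                continue
            distinct = len({user for _, user in span})
            kind = "spray" if distinct / len(span) >= spray_ratio else "brute-force"
            verdicts[src] = (kind, len(span), distinct)
    return verdicts

print(classify_sources(parse_auth(SAMPLE_LOG)))
# → {'198.51.100.7': ('spray', 25, 25), '203.0.113.9': ('brute-force', 30, 1)}
```

Credential stuffing from a single source looks like a spray here (many distinct accounts, about one attempt each), so the same per-source view covers both attacks the slide describes.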

Exploiting Wireless Vulnerabilities
Exploit Chaining
• Most sophisticated attacks leverage multiple vulnerabilities to compromise systems.

• An attacker may “chain” (that is, use multiple) exploits against known or zero-day
vulnerabilities to compromise systems, steal, modify, or corrupt data.

5.3 Exploiting Wired and Wireless Networks Summary

Exploiting Wired and Wireless Networks Summary
What Did I Learn in this Module?
• NetBIOS and LLMNR are protocols primarily used by Microsoft Windows for host identification.
• LLMNR is based on the DNS protocol format.
• NetBIOS provides three services: Name Service (NetBIOS-NS), Datagram Service (NetBIOS-DGM), and
Session Service (NetBIOS-SSN).
• These operations use specific TCP and UDP ports for communication.
• Windows workgroups are LAN peer-to-peer networks, while domain-based implementations are client-to-
server networks supporting numerous hosts across multiple subnets.
• Historically, there have been many vulnerabilities in NetBIOS, SMB, and LLMNR.
• A common LLMNR vulnerability involves an attacker spoofing an authoritative source for name resolution,
poisoning the LLMNR service, and obtaining the victim's username and NTLMv2 hash.
• Tools like NBNSpoof, Metasploit, and Responder can be used to conduct these attacks.
• Pupy, an open-source Python-based cross-platform remote administration tool, is also popular among
penetration testers and attackers.
• One of the most used SMB exploits in recent times has been the EternalBlue exploit, which has been used in
ransomware such as WannaCry and Nyetya.
• Metasploit is one tool that has ported the EternalBlue exploit.
• Once executed, Metasploit launches a Meterpreter session for further system control and compromise.
• Enumeration is an essential aspect of penetration testing, and tools like Nmap and Enum4linux can gather
information on vulnerable SMB systems, which can then be exploited using Metasploit.