Network attacks Flashcards

1
Q

2 types of VLAN hopping?

A

VLAN hopping allows an attacker to bypass any layer 2 restrictions built to divide hosts. With proper switch port configuration, an attacker would have to go through a router and any other layer 3 devices to access their target. However, many networks either have poor VLAN implementations or have misconfigurations that allow attackers to perform this exploit.

  • Double tagging
  • Switched spoofing
2
Q

switched port vs trunk port

A

On a switch, a port is either configured as an access port or a trunking port.

An access port is typically used when connecting a host to a switch. With the implementation of VLANs, each access port is assigned to only one VLAN.

A trunking port is used when connecting two switches or a switch and a router together. Trunking ports allow for traffic from multiple VLANs.

3
Q

Double tagging attack

A

Double tagging: attacker adds and modifies tags on an Ethernet frame to allow the sending of packets through any VLAN.

This attack takes advantage of how many switches process tags: they only remove the outer tag and forward the frame to all native VLAN ports.

  • This exploit is only successful if the attacker belongs to the native VLAN of the trunk link.
  • This attack is strictly one way as it is impossible to encapsulate the return packet.
4
Q

Switched Spoofing VLAN Attack

A

–> DTP NEGOTIATION

An attacker acts as a switch to trick a legitimate switch into creating a trunking link between them. Packets from any VLAN are allowed to pass through a trunking link. Once the trunk link is established, the attacker then has access to traffic from any VLAN.

This exploit is only successful when the legitimate switch is configured to negotiate a trunk. This occurs when an interface is configured with dynamic/trunk mode.

The attacker can then generate a DTP message, and a trunk link can be formed.

5
Q

How to prevent double tagging attack?

A

To prevent a Double Tagging attack, keep the native VLAN of all trunk ports different from user VLANs.

6
Q

How to prevent switch spoofing attack?

A
  1. Do not configure any access points with dynamic/trunk modes
  2. Manually configure access ports and disable DTP on all access ports.
  3. Manually configure all trunk ports and disable DTP on all trunk ports.
  4. Shutdown all interfaces that are not currently in use.
7
Q

What is RDG?

A

Remote Desktop Gateway: provides a secure connection using SSL/TLS to the server via RDP

Benefits: encrypted connection, enforce authorisation policies, control access to N resources based on permissions, monitor status of the gateway and any RDP connections passing through the gateway

8
Q

what needs to be in place for an rdp session?

A

Before starting an RDP session, a VPN needs to be in place.

9
Q

what is VNC?

A

Virtual Network Computing
port 5900

designed for thin client architectures and VDIs, cross platform

10
Q

4 Authentication methods

A
  1. PAP (outdated: plaintext)
  2. CHAP: random phrase (challenge) encrypted with the password hash (password never transmitted)
  3. MS-CHAP: MS proprietary CHAP (stronger encryption and mutual authentication)
  4. EAP: uses more secure authentication methods (such as Kerberos, digital certificates) in conjunction with RADIUS/TACACS+
11
Q

Clientless VPN

A

With a clientless VPN, tunnel traffic between machines is sent and received from a web browser without requiring client software.

Used with HTTPS: SSL/TLS (runs over TCP, so it can slow down the connection)

12
Q

Split tunnel vs. full tunnel VPN

A

Full tunnel: all the traffic goes through the VPN
-more security, but slower

Split tunnel: only traffic to the HQ through VPN, rest outside the tunnel

  • less secure and attacker can pivot from outside the tunnel to the VPN
  • better performance
13
Q

what is DTLS?

A

UDP-based version of the TLS protocol, which operates faster (less overhead)

– good for VOIP, video streaming

14
Q

4 VPN protocols to establish VPN:

A
  1. IPSec - most popular
  2. L2TP - still in use, but no encryption, so it needs to be combined with an encryption layer
  3. L2F - provides tunnelling for the Point-to-Point Protocol, but lacks encryption (no longer used)
  4. PPTP - dial-up networks (originally no encryption, but Windows added encryption, so ok to use)
15
Q

VPN Tunneling Mode

A

encapsulates the entire packet and puts another header on top of it (thus increasing the size of the overall packet –> could go above the 1500 bytes default)

  • -> use in Site-to-site vpn (where you can control the MTU/ enable jumbo frames on your LAN)
  • -> use AH & ESP to provide integrity and encryption of the end payload (new header added)
16
Q

vpn transport mode

A

uses the packet's original IP header (no additional padding)

  • -> client-to-site VPN
  • -> use AH to provide integrity for the TCP header and use ESP to encrypt it (! but it does not encrypt the end-to-end header, so people on the Internet can see the origin/destination of the traffic)
17
Q

syslog ports

A

udp 514

tcp 1468

18
Q

RA-Guard (IPv6)

A

Router Advertisement Guard: mitigates attack vectors based on forged ICMPv6 router advertisement messages

19
Q

Control Plane Policing (CPP)

A

configures a QoS filter that manages the traffic flow of control plane packets to protect the control plane of Cisco routers and switches