6. 14.5 VLAN Hopping Attacks
In this video, we want to consider how an attacker can launch a VLAN hopping attack, and we’ll take a look at a couple of examples of how they might do that. A VLAN hopping attack is where an attacker in one VLAN accesses a victim in another VLAN without routing. Normally, to get from one VLAN to the other, we have to route. And let’s say that VLAN 1 in this case does not have permission to get to VLAN 5. So how is the attacker going to reach their victim in that other VLAN? Well, there are a couple of options. One is switch spoofing. What the attacker can do is convince switch SW1, in this case the switch to which they’re plugged in, that the attacker’s computer is also a switch.
And it can convince SW1 to set up a trunk between SW1 and the attacker’s computer. You see, a lot of Ethernet switches have the ability to dynamically form a trunk. If one side of the connection says, hey, let’s form a trunk, a lot of Ethernet switches by default will say, yes, let’s do it. And the attacker might use a utility like Yersinia to convince switch SW1 in this case that the attacker’s computer is a switch. And by the way, I want you to use this information to better protect yourself. I don’t want you to use Yersinia on any system that you don’t have permission to use it on. But Yersinia can speak DTP, the Dynamic Trunking Protocol. And the attacker in VLAN 1 can send out a DTP frame saying to switch SW1, hey, do you want to set up a trunk? Switch SW1 will get that and it will say, sure, let’s do it, and an 802.1Q trunk is formed. Now the attacker can tag the frame that it wants to send to the victim with a VLAN tag of 5.
And since it’s sending it over a trunk, it has access to speak on VLAN 5. So that frame goes over to SW1. SW1 says, oh, looks like we’re destined for VLAN 5. I’ll send it over the trunk to SW2. And SW2 says, all right, let’s send it out this VLAN 5 port. I’ll remove the VLAN 5 tag, and the frame reaches the victim. Another way of doing VLAN hopping is double tagging. This can be done when the attacker is in the same VLAN as a trunk’s native VLAN. Remember that the native VLAN is the one VLAN on an 802.1Q trunk that does not have a tag; it does not have those four extra tag bytes added. So when a frame comes in over a trunk port and it’s not tagged, the switch assumes, oh, that belongs to my native VLAN. And on a lot of Ethernet switches, by default, the native VLAN is set to 1 and all the open Ethernet ports are set to VLAN 1. That means by default, in this case, if I leave the native VLAN at 1 between SW1 and SW2, and the attacker plugs into an open port that’s not yet been configured on SW1, it also belongs to VLAN 1. Now, how is the attacker going to use that to get over to VLAN 5? Well, the attacker is going to do double tagging. They’re going to put two VLAN tags on their frame.
The outer tag is going to be for the native VLAN between SW1 and SW2, and the inner tag is going to be for VLAN 5, where the victim lives. You see, when switch SW1 receives this frame, it says, looks like this person tagged this for VLAN 1. They were already on VLAN 1, and VLAN 1 is my native VLAN. I don’t need to send that tag over to switch SW2 because it’s the native VLAN; it’s untagged. So what the switch does is get rid of the VLAN 1 tag and send the frame over to SW2 with just the VLAN 5 tag. And when SW2 gets that, it says, okay, let me send this out of a VLAN 5 port. I’ll take off the VLAN 5 tag and send the frame down to the victim.
That’s a way that we were able to get traffic from the attacker’s computer to the victim. However, the victim does not have a way to get back to the attacker, so this is going to be unidirectional traffic. Still, the attacker could use a flood of unidirectional traffic to launch a denial of service attack against the victim. But we’re not going to be able to interact with that victim, because the victim does not have a way to get back to us. They’re not doing the double tagging that the attacker is doing. And that’s a look at two ways that an attacker might hop from one VLAN to a VLAN that they are not authorized to access.
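To make the double tagging walk-through concrete from the defender’s side, here is an added Python model of the two-switch trunk described above. It is not code from the course; it parses stacked 802.1Q tags, flags a frame carrying two tags (something a host-facing access port should never see), and models SW1 and SW2 tag handling so you can see why the attack works with the default native VLAN of 1 and why it stops working once the native VLAN is moved to an unused VLAN or is carried tagged. The MAC addresses, payload and frame are constructed sample data, and the model assumes, as the passage implies, that an access port accepts a frame tagged with its own VLAN.

```python
"""Model of 802.1Q tag handling on a two-switch trunk, to show why double tagging
works with default native-VLAN settings and how changing them defeats it."""
import struct

TPID_8021Q = 0x8100  # EtherType value that announces a 4-byte 802.1Q tag


def parse_frame(frame: bytes):
    """Split an Ethernet frame into (dst, src, [vlan ids], ethertype, payload),
    walking every stacked 802.1Q tag from outermost to innermost."""
    dst, src = frame[:6], frame[6:12]
    off, vlans = 12, []
    while len(frame) >= off + 4 and struct.unpack("!H", frame[off:off + 2])[0] == TPID_8021Q:
        tci = struct.unpack("!H", frame[off + 2:off + 4])[0]
        vlans.append(tci & 0x0FFF)  # the low 12 bits of the TCI are the VLAN ID
        off += 4
    ethertype = struct.unpack("!H", frame[off:off + 2])[0]
    return dst, src, vlans, ethertype, frame[off + 2:]


def build_frame(dst: bytes, src: bytes, vlans, ethertype: int, payload: bytes) -> bytes:
    """Inverse of parse_frame: emit the header with the given tags stacked in order."""
    hdr = dst + src
    for vid in vlans:
        hdr += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)  # PCP/DEI bits left at zero
    return hdr + struct.pack("!H", ethertype) + payload


def is_double_tagged(frame: bytes) -> bool:
    """Detection check for an access-port monitor: a host port should never
    see a frame carrying more than one 802.1Q tag."""
    return len(parse_frame(frame)[2]) > 1


def sw1_to_trunk(frame: bytes, access_vlan: int, native_vlan: int, tag_native: bool = False):
    """Model SW1: the frame arrives on an access port in access_vlan and is forwarded
    out the trunk toward SW2. Returns the frame as seen on the trunk wire, or None."""
    dst, src, vlans, etype, payload = parse_frame(frame)
    # Assumption (matches the passage): an access port accepts a frame that is untagged
    # or tagged with the port's own VLAN; anything else is dropped.
    if vlans and vlans[0] != access_vlan:
        return None
    inner = vlans[1:]  # any further tags are just payload bytes as far as SW1 is concerned
    if access_vlan == native_vlan and not tag_native:
        out = inner                   # native VLAN leaves the trunk untagged
    else:
        out = [access_vlan] + inner   # otherwise SW1 puts its own tag in front
    return build_frame(dst, src, out, etype, payload)


def sw2_classify(frame: bytes, native_vlan: int) -> int:
    """Model SW2 trunk ingress: the outermost tag decides the VLAN; no tag means native."""
    vlans = parse_frame(frame)[2]
    return vlans[0] if vlans else native_vlan


# Constructed sample: a host in VLAN 1 sends a frame tagged [1, 5] toward the victim.
ATTACKER = bytes.fromhex("0a0000000001")
VICTIM = bytes.fromhex("0a0000000005")
DOUBLE_TAGGED = build_frame(VICTIM, ATTACKER, [1, 5], 0x0800, b"constructed payload")


def vlan_reached(native_vlan: int, tag_native: bool = False) -> int:
    """VLAN in which SW2 delivers DOUBLE_TAGGED when the sender's access port is
    VLAN 1 and the SW1-SW2 trunk uses the given native-VLAN settings."""
    on_wire = sw1_to_trunk(DOUBLE_TAGGED, access_vlan=1,
                           native_vlan=native_vlan, tag_native=tag_native)
    return sw2_classify(on_wire, native_vlan)


if __name__ == "__main__":
    print("double-tagged frame seen on access port:", is_double_tagged(DOUBLE_TAGGED))
    print("default (native VLAN 1):    delivered in VLAN", vlan_reached(1))
    print("native VLAN moved to 999:   delivered in VLAN", vlan_reached(999))
    print("native VLAN 1, but tagged:  delivered in VLAN", vlan_reached(1, tag_native=True))
```

With the defaults the frame lands in VLAN 5; once the native VLAN is an unused VLAN, or the native VLAN is tagged on the trunk, SW1 adds its own tag in front and SW2 keeps the frame in VLAN 1, which is the mitigation a switch administrator would apply alongside disabling DTP negotiation on host ports.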
7. 14.6 Social Engineering Attacks
With a social engineering attack, the attacker isn’t so much exploiting a vulnerability in software; they’re exploiting the behavior of a user. Here’s what I mean. One example is a phishing attack, spelled with a PH. This is where the victim might receive an email saying something like: this is your bank and your password has expired, or someone has tried to access your account; log in immediately to fix this issue. And they give a link to try to make the user think they’re logging into their bank. And when they do, they’re really attaching to the attacker’s website, and they’re giving away their legitimate bank credentials, which the attacker will then use to get into their bank. You might have received a text or an email along those lines.
That’s a phishing attack. And a protection against that is to educate your users to not click on links that appear in emails or in texts. Another type of social engineering attack is called tailgating, and that’s also known as piggybacking. Let’s say that somebody is going to go through a door and they have a key card to get through that door.
But somebody runs up behind them carrying a box and they say, yeah, I’m doing a delivery, can you hold the door for me? And by sort of tailgating or piggybacking on the legitimate user that swiped their card to get in the door, they’re able to get through the door as well. Or maybe the employee doesn’t even know that somebody is behind them; they just sort of sneak in before the door closes. That’s tailgating or piggybacking. Or sometimes an attacker will do shoulder surfing. That’s where they’re looking over someone’s shoulder to see what they’re entering, maybe on their keyboard for a password, or maybe they’re entering a PIN, their personal identification number, on a keypad.
They’re just looking over the shoulder. That’s one reason that some people put screen guards on their laptops. So if they’re on an airplane, for example, and someone’s sitting next to them, that person is not going to be able to read the screen. They’re not going to be able to shoulder surf and see what this person is doing. And again, the best protection for all these social engineering attacks really is user education.
8. 14.7 Other Common Attacks
In this video, we want to consider a few other types of network attacks. One common type of network attack that often gets overlooked is an insider threat. Oftentimes large efforts are made to protect our network from somebody on the outside, but we may have an employee that’s disgruntled and they do something bad to our system. So we need to make sure that employees don’t have more access than they need to have, and we need some sort of an audit trail to see what they did when they logged on. An employee that might be a programmer might build what’s called a logic bomb. This is a piece of code that’s just running somewhere in the background, and it might be checking the corporate database for employees.
And if one day that programmer’s name disappears from the employee database, the logic bomb concludes that they may have been fired, and it gets back at the company by doing something bad to a system or to a network. It might delete a database, for example. That logic bomb goes off when a certain condition occurs. It’s like an if-then statement: if this employee is no longer in the employee database, then delete the entire directory tree on this Linux machine. As another example, an attacker might have a rogue access point that they plug into a vacant Ethernet port in a building and hide, where they can get access to this rogue access point, maybe from their car in the parking lot. It’s a way for them to get on the network just like they were plugged in, except they can do it remotely and more secretively. And this rogue access point might be hiding its SSID, its wireless name, so people don’t see that wireless network show up and wonder what’s going on.
A lot of wireless networks, though, have management capabilities that can detect rogue access points. Another type of rogue access point that someone might install is one where, instead of hiding the network name, they match the network name of whatever the company’s network is. Let’s say the company network is ABC Net. Well, they might have a rogue access point installed that is advertising ABC Net. And when somebody is getting a device on the network, they might see that access point being advertised, and that employee connects to the evil twin, thinking they’re connecting to the corporate network, but really they’re connecting to somebody else. And speaking of wireless threats, some people do war driving.
This is where they drive around a geographical area, maybe a neighborhood, maybe an office park, and they have a good antenna and they try to pick up wireless signals from nearby buildings. And they’re checking to see if any of those wireless networks are not protected. They’re open, or maybe they have weak protection, something like WEP, Wired Equivalent Privacy, which is very easy to break. And if they find an open or a weakly protected network, and they’re going to be doing something bad later on, they may want to drive up close to that building in their car and conduct their business from there. So if anybody tries to track back who did that, it’s going to be this network that they identified as being weak; it’s not going to be their personal home. Let’s consider a few other types of network attacks. We often hear the term malware.
And malware is more of a generic term. It refers to just about any kind of software that can infect or do damage to a system. Some people wonder what the difference is between malware and a virus. Well, a virus is just a specific type of malware, so malware is the more generic term.

Another type of attack is a DNS poisoning attack. This is where an attacker might set up a DNS server and send false DNS advertisements to a legitimate DNS server. So when somebody goes to that server and tries to resolve the IP address of a domain name, they’re going to get false information. They might be directed to the attacker’s computer. Another way of corrupting DNS is to use a rogue DHCP server. That rogue DHCP server can hand out DNS information to the victim, and if the victim believes the information from that rogue DHCP server, it’s going to be pointing to the attacker’s DNS server.

When we said that malware was a broad category of software that can do bad things, another type of malware is ransomware. An example of that that was very big in the news was WannaCry, because it made the user want to cry. What it did was encrypt the data on the victim’s hard drive. And they got this big message up on their screen that said, your data has been encrypted. And it had been. And if you want to get your data back, you need to send us this much money in Bitcoin to this Bitcoin address. If the victim did not comply, then their data was going to be inaccessible. Some victims did pay in Bitcoin and they got their data back, but some other victims paid and did not get their data back. So ransomware is where the attacker is really holding someone’s data for ransom.
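The rogue DHCP server variant described above leaves a trace that can be checked for: every DHCP offer names the server that sent it and the DNS servers it hands out. The following is an added Python detection pass, not code from the course, that reads offer records and flags two things: offers from a server that is not on the approved list, and offers whose DNS option points anywhere other than the approved resolvers. The log format (one `DHCPOFFER` per line with `key=value` fields) and all the addresses are constructed for the example; in practice you would feed it the equivalent fields from a packet capture or DHCP snooping log.

```python
"""Audit DHCP OFFER records for rogue servers and for unapproved DNS servers
being handed to clients (the rogue DHCP route to DNS corruption)."""
import re
from typing import Dict, List, Tuple

# Constructed sample log (not from any real capture). Assumed format: timestamp,
# DHCP message type, then space-separated key=value fields.
SAMPLE_LOG = """\
2024-05-01T09:00:01Z DHCPOFFER src=10.0.0.2 yiaddr=10.0.0.51 router=10.0.0.1 dns=10.0.0.53,10.0.0.54
2024-05-01T09:00:07Z DHCPOFFER src=10.0.0.2 yiaddr=10.0.0.52 router=10.0.0.1 dns=10.0.0.53
2024-05-01T09:00:09Z DHCPOFFER src=10.0.0.177 yiaddr=10.0.0.60 router=10.0.0.1 dns=10.0.0.177
2024-05-01T09:00:12Z DHCPDISCOVER src=0.0.0.0 xid=0x1a2b
2024-05-01T09:00:15Z DHCPOFFER src=10.0.0.2 yiaddr=10.0.0.55 router=10.0.0.1 dns=198.51.100.9
"""

# Constructed allow-lists: the organisation's real DHCP server and resolvers.
APPROVED_SERVERS = {"10.0.0.2"}
APPROVED_DNS = {"10.0.0.53", "10.0.0.54"}

OFFER_RE = re.compile(r"^(?P<ts>\S+)\s+DHCPOFFER\s+(?P<fields>.*)$")


def parse_offers(log_text: str) -> List[Dict[str, str]]:
    """Return one dict per DHCPOFFER line; other message types are skipped."""
    offers = []
    for line in log_text.splitlines():
        m = OFFER_RE.match(line.strip())
        if not m:
            continue  # DISCOVER/REQUEST/ACK lines carry no server-side options to audit
        fields = dict(kv.split("=", 1) for kv in m.group("fields").split() if "=" in kv)
        fields["ts"] = m.group("ts")
        offers.append(fields)
    return offers


def audit_offers(offers, approved_servers, approved_dns) -> List[Tuple[str, str, str]]:
    """Emit (timestamp, reason, detail) for each suspicious thing in each offer."""
    alerts = []
    for offer in offers:
        src = offer.get("src", "")
        if src not in approved_servers:
            alerts.append((offer["ts"], "rogue-dhcp-server", src))
        # The DNS option may list several resolvers; judge each one separately.
        for dns in filter(None, offer.get("dns", "").split(",")):
            if dns not in approved_dns:
                alerts.append((offer["ts"], "unapproved-dns-server", f"{src} offered {dns}"))
    return alerts


def audit_sample() -> List[Tuple[str, str, str]]:
    return audit_offers(parse_offers(SAMPLE_LOG), APPROVED_SERVERS, APPROVED_DNS)


if __name__ == "__main__":
    for ts, reason, detail in audit_sample():
        print(ts, reason, detail)
```

Note that the last sample line is flagged even though it comes from the approved server address: a rogue host can spoof that source, and a legitimate server can simply be misconfigured, so the DNS option is worth checking on its own rather than trusting the source alone.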
They’re holding it for payment. Let’s consider a few other types of common network attacks. One is spoofing. An attacker might spoof, or pretend to be, a different IP address or a different MAC address. By pretending to be a different IP address, that attacker might, among other things, launch a denial of service attack at the victim. They could claim to be the victim’s IP address and have a flood of traffic sent to that victim’s IP address. Or maybe there is some sort of security set up that would allow a certain IP address into a sensitive area of the network; they could pretend to be that IP address. Or some networks have MAC-based security, where only certain MAC addresses may communicate on a specific Ethernet switch port, or maybe only a certain MAC address is able to gain access to the wireless network. Well, if the attacker knows a MAC address that has that access, then they can spoof their MAC address. So, again, spoofing is where we have one IP address or MAC address, but we pretend to be someone else.
Let’s say we’re 192.168.1.100, but we spoof, or pretend to be, someone else. Maybe we pretend to be 172.16.1.100. And in many wireless networks, an attacker can send a deauthentication frame. They can say, on this IP address (they’re spoofing the IP address of their victim), I want to deauthenticate, I want to disassociate, in other words, from this wireless access point. And if they do that successfully, it will kick the victim off of the wireless access point. And when the victim tries to reattach, they’re trying to reattach to the same network name, the same SSID. Well, what if that attacker has set up an evil twin? The evil twin is advertising the same network name from which the victim just got kicked off. So when the victim tries to reattach to that network, they might attach to the evil twin, allowing the attacker to monitor their information.
And as one other common network attack, let’s consider passwords. We often hear about the importance of having strong passwords, and that’s for good reason, because if somebody has a weak password, they’re vulnerable to different types of password attacks. One type of password attack is a brute force attack. This is where somebody can try one password, and if that doesn’t work, they just try another password. For example, there’s an application that a lot of attackers use that will start a brute force attack with, as an example, a lowercase A, and then they’ll try a lowercase B, all the way through lowercase Z. That didn’t work. All right, let’s go AA through ZZ, and then AAA through ZZZ. They just keep adding on extra characters. You can even tell the program to use numbers and special characters and a mixture of upper and lower case.
And if it’s a fairly weak password, yeah, a brute force attack is going to be able to determine what that password is. Another type of password attack is a dictionary attack. There are collections of commonly used passwords out there that attackers might use. Those are called dictionaries, and the attacker might try that dictionary, that database of commonly used passwords, to try to get access to someone’s account. So you don’t want to use a commonly used password, and you don’t want to use a weak password. You want to use something that is fairly complex, maybe a mixture of upper and lower case and numbers and special characters, and of a sufficient length, like eight characters or more, to give yourself more defense against a brute force or a dictionary attack.
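To put numbers on the advice above, here is an added Python example (not code from the course) that turns the two attack types into checks a password policy can apply. It counts the candidates an incremental brute force of the kind described (every string of length 1 through L over the alphabet the password draws from) would have to try, converts that into a worst-case time at an assumed guess rate, and looks the password up in a dictionary of common passwords. The `COMMON_PASSWORDS` set is a constructed miniature stand-in for the multi-million-entry lists attackers actually use, and the default guess rate of one billion per second is an assumption for illustration, not a measured figure.

```python
"""Brute-force keyspace and dictionary checks for a candidate password, to show why
length and character-class mix matter and why a common word gives no protection."""
import string
from typing import Dict, Set

# Character classes an incremental brute force can be told to include.
CLASSES = {
    "lower": set(string.ascii_lowercase),   # 26
    "upper": set(string.ascii_uppercase),   # 26
    "digit": set(string.digits),            # 10
    "special": set(string.punctuation),     # 32
}

# Constructed miniature "dictionary" of commonly used passwords (real lists hold millions).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome", "admin"}


def classes_used(pw: str) -> Set[str]:
    """Which character classes appear in the password."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in pw)}


def alphabet_size(pw: str) -> int:
    """Size of the smallest class-based alphabet an attacker would need to cover pw."""
    return sum(len(CLASSES[name]) for name in classes_used(pw))


def keyspace(pw: str) -> int:
    """Candidates tried by an incremental brute force that walks a, b, ..., z, aa, ..., zz,
    aaa, ... until it has exhausted every string of length len(pw) over the alphabet."""
    c = alphabet_size(pw)
    return sum(c ** i for i in range(1, len(pw) + 1))


def worst_case_seconds(pw: str, guesses_per_second: float) -> float:
    """Time to exhaust the keyspace at the given rate (an upper bound for one guess stream)."""
    return keyspace(pw) / guesses_per_second


def assess(pw: str, guesses_per_second: float = 1e9, min_length: int = 8) -> Dict[str, object]:
    """Policy view of a password: the dictionary check covers the dictionary attack,
    the length and class checks cover resistance to brute force."""
    return {
        # A real dictionary attack also tries simple variants, so compare case-insensitively.
        "in_dictionary": pw.lower() in COMMON_PASSWORDS,
        "length_ok": len(pw) >= min_length,
        "class_count": len(classes_used(pw)),
        "keyspace": keyspace(pw),
        "worst_case_seconds": worst_case_seconds(pw, guesses_per_second),
    }


if __name__ == "__main__":
    for candidate in ["abc", "password", "abcdefgh", "Abcdefg1", "Tr0ub4dor&3"]:
        report = assess(candidate)
        print(f"{candidate!r}: dictionary={report['in_dictionary']} "
              f"classes={report['class_count']} keyspace={report['keyspace']:.3e} "
              f"worst-case={report['worst_case_seconds']:.1f}s")
```

Two things the output makes visible: adding one character multiplies the keyspace by the alphabet size, so length is the cheapest strength to add, and `password` scores as eight lowercase characters but fails the dictionary check, which is exactly why the passage warns against common passwords separately from weak ones.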