Network And Application Layer Attacks

DNS Cache
• There are many public DNS servers that the
DNS Resolver can use to speed up the
resolution process.
• However it's much faster to have a local
copy (even a temporary one) of the DNS
"phone book." This is exactly where DNS
caches come into play.
• Each operating system (OS) (Windows and
MAC OS by default, and UNIX via a
Daemon) stores a temporary DNS cache
database that contains a list of all recently
accessed domain names and the addresses
that DNS calculated for them the first time a
request was made.

How does the “Poisoning”
of the DNS Cache occur?
• A DNS cache becomes “poisoned” or polluted when
unauthorized domain names or IP addresses are inserted into
it. The corruption of the DNS cache can be achieved either by: -
- Computer malware, or
- Network attacks that insert invalid DNS entries into the cache.
Attackers have devised a way to “spoof” DNS responses - to forge
DNS responses that look as if they are coming from legitimate
DNS servers. If an attacker successfully spoofs a DNS response, it
can make the receiving DNS server cache a poisoned record.

But how
does that
help the
attackers?
• By being redirected to a wrong destination,
we may end up suffering from a phishing
attack – which is the ultimate goal of this
type of Man-in-the-Middle attacks!

DNS Spoofing
Demonstration
The demonstration is carried on a LAN network
composed of the following three elements:
- Default Gateway (IP address 192.168.224.2)
- Attacker computer (IP address 192.168.224.13)
- Target computer (IP address 192.168.224.211)
The application used to carry out the DNS Spoofing
is Ettercap: a free and open source network
security tool for man-in-the-middle attacks.

Prepare for the attack by configuring the
attack parameters:
• Step 1: Make a fake OWASP HTML web-
page (phishing web-page). Set it up on an
Apache Web Server hosted on the Attacker
computer (the fake web-site will be
accessed by typing the IP address of the
Attacker computer onto a browser).
• Step 2: Go to the Ettercap directory and
open the “etter.dns” using a text editor. At
the bottom of the file, add the name to
the website that we want to want to attack
(in this case, “www.owasp.org”) and also
add the IP that we want the Target
computer to be redirected to (in this case,
the IP address of the Attacker computer,
hosting the fake web-page).

Step 3: Open Ettercap in sudo mode
and select Sniff>Unified Sniffing
Step 4: Go to Hosts>Scan for Hosts to find
devices connected to the LAN
Step 5: Go to Hosts>Hosts List to
display the list of devices
Step 6: From the list, select the IP address of the Target
computer and add it to Target 1 and also select the IP address
of the default gateway and add it to Target 2

Step 7: Go to Plugins>Manage the Plugins Step 8: From the list of plugins select “dns_spoof”

Step 9: The plugin activates the process of
bombarding the target machine with fake DNS
responses that resolve owasp.org to IP address
192.168.224.13 (where the fake webpage is
hosted by web server on the Attacker machine)
As a result, instead of being directed to the real
web-page the Victim is directed to the fake web-
page

A topological illustration of the attack

Security
mechanisms
developed for
DNS server
operators:
UDP Source Port Randomization (UDP SPR):
What this does is setting the UDP source port
randomly, so an attacker would have to guess
both the transaction ID and the source port in a
short time window - which is usually not feasible
(since they would need to make 232
combinations).
DNS Security Extensions (DNSSEC): It is a
protocol designed to create a unique
cryptographic signature and store it alongside
other DNS records. Thus, DNSSEC provides DNS
with an additional methods of verification by
digitally signing the DNS information. This is
done on all levels of the DNS Resolution process.

Avoiding DNS
Cache
Poisoning
Keep your Antivirus/Anti-malware apps “Cooking
and Up-to-Date”
If you have the possibility, browse the internet via
a Virtual Machine
Don’t download suspicious files. If you insist, do it
through a “sand-boxed app” or a Virtual Machine
Use a respected DNS Server and a reputable ISP
Always double-check websites you visit (check if
there is HTTPS encryption)
Flush computer DNS cache as well as DNS cache
stored in the router

Functioning
of ICMP
Normally, ping requests are used to test the
connectivity of two computers by measuring
the round-trip time from when an ICMP echo
request is sent to when an ICMP echo reply is
received.

What is an
ICMP Flood
Attack?
• A ping flood is a denial-of-service attack
in which the attacker attempts to
overwhelm a targeted device with ICMP
echo-request packets, causing the target
to become inaccessible to normal
traffic. When the attack traffic comes
from multiple devices, the attack
becomes a DDoS or distributed denial-
of-service attack.

What Are the Signs of
an ICMP Flood Attack?
An ICMP flood attack requires that the attacker knows the IP
address of the target. Attacks can be separated into three
categories, determined by the target and how the IP address
is resolved:
• Targeted local disclosed – In this type of attack, a ping flood
targets a specific computer on a local network. In this case,
the attacker must obtain the IP address of the destination
beforehand.
• Router disclosed – Here, a ping flood targets routers with
the objective of interrupting communications between
computers on a network. In this type of attack, the attacker
must have the internal IP address of a local router.
• Blind ping – This involves using an external program to
reveal the IP address of the target computer or router
before launching an attack.

Why Are
ICMP Flood
Attacks
Dangerous?
What makes this volumetric attack vector even
more dangerous is that in the past, attackers
would spoof a false IP address in order to
mask the sending device. But with today’s
sophisticated botnet attacks (especially IoT-
based bots), the attackers don’t even bother
masking the bot’s IP. Instead, they utilize an
extensive network of un-spoofed bots to
overwhelm the target server.

ICMP Flooding
Demonstration
The tool used to carry out the ICMP Flooding is hping : a
command-line oriented TCP/IP packet assembler/analyzer.
Below are the basic elements used :
• Victim IP : 192.168.5.129
• -p : port, in this case the destination port is 445
• --ICMP : ICMP mode, by default hping3 will send ICMP echo-
request
• --flood : flood mode, send packets as fast as possible and will not
show replies
• --rand-source : random the source address mode (Spoofing)

hping3 --flood --rand-source --icmp -p
445 (Victim IP)

A topological illustration
of the attack

How to
Mitigate and
Prevent an
ICMP Flood
Attack?
Disabling a ping flood is most
easily accomplished by disabling
the ICMP functionality of the
targeted router, computer or
other device.
Another approach to combating
ICMP attacks is to rate limit the
processing of incoming ICMP
messages; alternatively limit the
allowed size of the ping requests.

What is SQLi?
On a Web Application, When user
ask for any resource from the
database in backend an SQL query
request is been sent.
If an attacker is able to tamper
that way of communication and
insert his own modified query
then the attacker will be able to
fetch the sensitive information
from the database.

How and
Where you
can perform
SQLi?
• SQL injection can be classified
into 5 types:
1. Union Based
2. Error Based
3. Blind Boolean Based
4. Blind Time Based
5. Second – Order SQLi
• Ways of Attacks:
1. Get Based – URL Parameter
2. Post Based – Form Data
3. Cookie Based – Cookie
Parameter
4. Header Based – Like in Refer,
User-agent, location, etc.

SQLi Demonstration
We will be exploiting Union
Based SQL injection
vulnerability in an web-
application by using GET
Request.

Step 1: Identify SQL Injection
Step 2: Fix and Balance Query
Step 3: Find Total no. of Vulnerable Columns

Step 4: Find Exact no. of Vulnerable Columns
Step 5: On Reflected, Execute Commands

How to
Mitigate and
Prevent an
SQLi Attack?
Using parameterized queries:
PreparedStatement statement = connection.prepareStatement("SELECT
* FROM products WHERE category = ?");
statement.setString(1, input);
ResultSet resultSet = statement.executeQuery();
Validate User Inputs:
Only allow inputs as per requirements.
Limit the data to be sent back to the Web Application.

XML external entity (XXE) injection

What is XML external entity injection?
When a Web Application that
allows an attacker to interfere with
an application's processing of XML
data.
If an attacker is able to modify the
XML Document with its DTD,
Which is parsed by the application
without any validation the XXE will
arise.

What are the
types of XXE
attacks?
There are various types of XXE attacks:
• File retrieval using LFI
• SSRF Attack
• Denial Of Service Attack

XXE Attack Demonstration
• In XML , unlike HTML there is no
predefined tags and attributes, So
we can use any tag but should be
defined into the Document type
Definition.
• DTD can also be defined inside
the XML Document.
• To fetch the content at the time
of parsing and insert the value into
document entity is been used.
Example output of a simple web application that
accepts XML input, parses it, and outputs the result.

File retrieval using XXE
SSRF using XXE

Billion laughs attack
After all the entity expansions
have been processed, this small
(< 1 KB) block of XML will
actually contain 109 = a billion
"lol"s, taking up almost
3 gigabytes of memory.

How to
Mitigate and
Prevent an XXE
Attack?
Disable potentially dangerous XML
features like disable resolution of
external entities and disable support
for Xinclude.
Validate User Inputs:
Only allow inputs as per requirements.
Capping the memory allocated in an
individual parser.

Network And Application Layer Attacks

More Related Content

What's hot

Similar to Network And Application Layer Attacks

Recently uploaded

Network And Application Layer Attacks