Kali/Layer 6 Attacks
From charlesreid1
Presentation (Layer 6) Attacks
This page covers the use of Kali to carry out attacks on layer 6, the presentation layer. Also see Kali/Workflow.
Review
Let's review the network stack before we launch into network layer attacks.
| Layer | Name | Function |
|---|---|---|
| 7 | Application | Topmost layer, provides users a means to access network resources (only level seen by end user) |
| 6 | Presentation | Transforms data received into a format that is readable by the application layer. Handles encryption/description for secure data |
| 5 | Session | Manages communication sessions between computers. Manages connections with other devices. Half-duplex or full duplex. |
| 4 | Transport | Provide reliable data transport services to lower layers. |
| 3 | Network | Routes data between physical networks. Handles addressing, via IP. Handles packet fragmentation and error detection. Router level. Most complex layer. |
| 2 | Data Link | Transports data across a network. Provides addressing scheme to identify physical devices, bridges, switches, MAC addresses. |
| 1 | Physical | The physical medium for the network communication signals. |
(Please Do Not Touch Steve's Pet Alligator)
(Phys Dat Net Trans Sesh Prezzy App)
Layer 6 is the Presentation layer. It handles data representation and formatting, including character encoding, data compression, and encryption/decryption.
Scenario
The presentation layer is where data is transformed into a format that the application layer can understand. This includes SSL/TLS encryption and decryption, character encoding conversions, and data compression. Attacks at this layer typically focus on manipulating how data is represented, encrypted, or encoded.
Unlike lower-layer attacks that require physical proximity or network access, presentation-layer attacks can often be carried out remotely, since they target the way data is formatted before it reaches the application.
SSL/TLS Downgrade Attacks
While SSL/TLS straddles multiple layers, the encryption/decryption function is squarely a presentation-layer concern. SSLStrip is a tool that performs an SSL downgrade attack, forcing HTTPS connections to fall back to HTTP. This allows an attacker to read traffic in cleartext that would otherwise be encrypted.
SSL/TLS Cipher Attacks
Tools like Sslscan and Testssl.sh can probe a server's supported ciphers, identifying weak or deprecated ciphers that can be exploited. The attacker may force the server to negotiate a weaker cipher suite (a downgrade attack at the cipher level), making encrypted traffic easier to crack. This is a presentation-layer attack because it targets the encryption algorithm negotiation that occurs during the TLS handshake.
Certificate Attacks
The X.509 certificate system, part of the presentation layer's encryption framework, can be attacked in several ways. SSLSniff allows an attacker to serve up fake certificates to sheep during a man-in-the-middle attack. Self-signed certificates or certificates from compromised certificate authorities can be presented to a sheep, who may not verify them properly.
See Certificates for more detail on forging and manipulating certificates.
Encoding Attacks
Because the presentation layer handles character encoding, attacks can target encoding conversions. Double-encoding attacks, Unicode normalization attacks, and overlong UTF-8 sequences can be used to bypass security filters at higher layers. These attacks exploit the fact that the presentation layer may interpret encoded data differently than the application layer expects.
For example, a web application firewall might reject ../ in a URL, but the presentation layer might first decode %2e%2e%2f into ../ — and if the WAF checks before decoding occurs, the traversal passes through.
Format String Attacks
Format string vulnerabilities occur when a program uses user-controlled input as a format string in functions like printf(). This is a presentation-layer concern because format strings control how data is represented when displayed or processed. Tools like GDB and the Metasploit Framework can be used to develop format string exploits.
Compression Side-Channel Attacks
Attacks like CRIME (Compression Ratio Info-leak Made Easy) and BREACH (Browser Reconnaissance and Exfiltration via Adaptive Compression of Hypertext) exploit data compression in HTTPS to leak encrypted session cookies. These attacks work at the presentation layer because compression and decompression are presentation-layer functions. By injecting controlled plaintext into a compressed HTTPS stream and measuring the resulting size, an attacker can infer the value of secret tokens like session cookies.
Flags
 |
Attack Layers pages addressing attack vectors, tools, and methodologies for each layer of the network stack.
1 Physical Attacks: Kali/Layer 1 Attacks 2 Data/MAC Attacks: Kali/Layer 2 Attacks 3 Network Attacks: Kali/Layer 3 Attacks 4 Transport Attacks: Kali/Layer 4 Attacks 5 Session Attacks: Kali/Layer 5 Attacks 6 Presentation Attacks: Kali/Layer 6 Attacks 7 Application Attacks: Kali/Layer 7 Attacks
Template:MITMFlag · Template:DoSFlag · Template:MetasploitableFlag Category:Attacks · Category:Kali Attack Layers Flags · Template:KaliAttackLayersFlag · e |