From charlesreid1

Network (Layer 3) Attacks

This page covers the use of Kali to carry out attacks on layer 3. Also see Kali/Workflow.


Let's review the network stack before we launch into network layer attacks.

NetworkStack  · e

Layer Name Function
7 Application Topmost layer, provides users a means to access network resources (only level seen by end user)
6 Presentation Transforms data received into a format that is readable by the application layer. Handles encryption/description for secure data
5 Session Manages communication sessions between computers. Manages connections with other devices. Half-duplex or full duplex.
4 Transport Provide reliable data transport services to lower layers.
3 Network Routes data between physical networks. Handles addressing, via IP. Handles packet fragmentation and error detection. Router level. Most complex layer.
2 Data Link Transports data across a network. Provides addressing scheme to identify physical devices, bridges, switches, MAC addresses.
1 Physical The physical medium for the network communication signals.

(Please Do Not Touch Steve's Pet Alligator)

Layer 3 is the Network layer. It handles IP addresses and translating between MAC addresses and IP addresses.


Now, supposing you are on the same network as a sheep - what is your next step?

The next step is to join the network, and elevate the level of access you have to the sheep. Naturally, communications are much easier to monitor on a network layer (i.e., dealing with network packet traffic) than on a physical layer (i.e., dealing with raw packet captures or captured radio signals).

Now the question of intentions or goals comes up. You may have a couple of different goals in mind:

  • Monitor traffic passively, record and extract information from unencrypted (non-https) streams
  • Monitor traffic actively, force https connections to be http connections to make all traffic unencrypted
  • Tamper with traffic, by injecting/removing/modifying information in the traffic stream
  • Jamming communications, causing denials of service, or blocking specific traffic

Alternatively, you may be thinking of taking an invasive route. After all, the easiest way to monitor traffic without the victim ever knowing a thing is if you can monitor network traffic from their machine directly. At this point you're talking about breaking into the sheep's system to install monitoring software. This moves the attack to another layer.

ARP Poisoning

If your intention is to monitor a sheep's traffic, you can use ARP Poisoning to reroute traffic at the network/router level so that you intercept all communications intended for the sheep. This allows you to tamper with all traffic, or just listen to everything. This is a low level of involvement, and involves modifying ARP lookup tables (which associate IP addresses to MAC addresses) so that computers send traffic intended for the sheep to your computer instead.

Sniffing Traffic

If you intend to sniff traffic, you can also use Dsniff. Notes on the page linked to above are on how to use Dsniff to sniff traffic in a man in the middle attack.

Tampering With Traffic

To modify traffic on the fly, you can use any number of tools. Bettercap or MITMf are probably the most straightforward and most capable tools.

Wormhole Attack

Note: this is classified as a DoS attack, but it is a general technique that can be used in a variety of different attack types.

Wormhole attack is a network-layer attack in which the attacker creates a wormhole between two networks - all (or selected) network traffic received is tunneled to another location in the network, where the packets are rebroadcast. This can be accomplished through the use of network device tunneling, for example, forwarding all traffic from one network device (like wifi antenna number 1) to another (like wifi antenna number 2).

(It is not totally clear what you can do with these types of attacks, but it's basically tampering with the network topology.)

Black Hole Attack

A black hole attack involves an attacker node falsely advertising shortest paths to a sheep destination node during the path-finding process (on-demand routing protocols) or in route update messages (table-driven routing protocols).

This can be done to interfere with the normal flow of network traffic, or to intercept all packets being sent from a sheep to a particular destination.

Byzantine Attack

In a Byzantine attack, a set of intermediate nodes are compromised by an attacker, and attacks are carried out to interfere with the normal flow of traffic being passed through the intermediate node. This may involve creating routing loops to slow down traffic, re-routing packets on non-optimal paths, or dropping packets. These types of attacks are hard to detect.

Information Leaks

Sometimes a node can leak critical information about a network to unauthorized nodes. This may include topology, geographical location, or optimal routes to authorized nodes.

Resource Consumption Attack

A malicious node tries to consume limited resources of other network nodes. Battery power, bandwidth, and CPU power are all potential targets. This could include:

  • Frequent beacon packets
  • Stale packets forwarded to nodes

Sleep Deprivation Attack

A sleep deprivation attack involves consuming battery power on another node by creating a flood of packets, preventing the radio from sleeping and consuming significant additional power.

Port Stealing

Port stealing is a technique similar to ARP spoofing, in which an attacker confuses the router about traffic destination, but it works on a single port level. This enables stealing traffic for a node on a network that is on a particular port.

NDP Spoofing

NDP is the IPv6 replacement for ARP in IPv4.

Routing Attacks

The routing protocol is what keeps the network operational. There are multiple vectors for attacking how routing works on a network.

Routing Table Overflow

Tools: Macof, Dsniff

A malicious node advertises routes to non-existent nodes to authorized nodes present on the network. Authorized nodes add these to routing tables, and eventually causes a routing table overflow, preventing creation of new entries corresponding to new routes to authorized nodes.

Proactive routing protocols are more vulnerable than reactive routing protocols.

Here is a deeper dive into routing table overlow and what's possible: [1]

CAM (content addressable memory) table:

  • A CAM table is the table that maps physical hardware MAC addresses to IP addresses on the LAN.
  • All CAM tables have a fixed size.

Network arrangement:

  • Alice is on port 1
  • Bob is on port 2
  • Charlie is on port 3
  • Alice wishes to communicate securely with Bob.
  • Charlie wishes to eavesdrop on Alice and Bob.

Normal CAM behavior:

  • (Periodically) Alice sends ARP packet for Bob. It travels to the hub, and out to all other ports. The ARP packet says, "This is Alice at port 1. If you're Bob, please respond and tell me your port." Charlie receives this traffic and ignores it.
  • Bob responds with a packet that says, "I'm Bob, at port 2."
  • Suppose Alice wishes to send traffic to Bob and only Bob.
  • Alice uses the CAM table to determine that Bob is on port 2, and initiates a connection over port 2 and only over port 2. No traffic for Bob goes to port 3.

CAM overflow:

  • Due to the limited size of CAM memory, it is possible to fill up the CAM table.
  • macof tool - written in Perl - part of Dsniff suite - dates back to 1999! wow!
  • Yersina - another attack tool

CAM overflow attack:

  • Charlie wishes to eavesdrop on traffic between Alice and Bob.
  • Charlie conducts a CAM overflow attack by sending Alice lots of crafted packets that associate fake MAC addresses to ports.
  • For example, Charlie sends packets for Alice that say "Xanjedejardin is at port 3" and "Shamankalankamana is at port 3" and "Chewbacca is at port 3" and "John Wayne is at port 3" and "Seymour Butts is at port 3" and "Master Shake is at port 3" and so on until Alice's CAM table is full.
  • When Bob joins the network, Alice has no room to store an entry mapping Bob to a port. Sorry Bob.

CAM overflow attack behavior:

  • Alice does not send an ARP packet for Bob - the CAM table is full, so there's nothing Alice can do with the information anyway.
  • Suppose Alice wishes to send traffic to Bob and only Bob.
  • There is no entry for which port Bob is on. The CAM table is too full of important information, like which port Master Shake is on. The traffic is therefore broadcast to all ports.
  • Charlie and Bob both receive traffic intended for Bob.

Routing Table Poisoning

A malicious node crafts fake routing updates or modifies route update packets it sees on the network, and sends them to neighbor nodes on the network. This results in routing table poisoning, which can cause sub-optimal routing, network congestion, or network inaccessibility.

Packet Replication

A malicious node crafts stale packets and sends them to neighbor nodes on the network. This consumes bandwidth, battery power, and CPU resources, and creates confusion in the routing process.

Route Cache Poisoning

For on-demand routing protocols, each node keeps a route cache about routes that it has seen in the recent past. Like a routing table, the route cache can also be poisoned, which can cause sub-optimal routing, network congestion, or network inaccessibility.

Rushing Attack

On-demand routing protocols are vulnerable to this type of attack. A malicious node receives a RouteRequest packet from a particular source node. It floods the network with that packet. If its RouteRequest packet gets to neighbor nodes first, neighbor nodes will assume it is a legitimate RouteRequest packet. When they receive the genuine RouteRequest packet, they will assume it is a duplicate and discard it.

This type of attack ensures that any route discovered by the source node will contain the malicious node as one of the intermediate routes. This means that nodes cannot find secure routes that avoid malicious nodes.

These types of attacks are extremely difficult to detect in ad-hoc networks.

Mitnick Attack

More info:

The Mitnick attack utilized a SYN flood to keep a server busy, then abused a TCP/IP trust mechanism in place to hijack a port.