From charlesreid1

Layer 4 cheat sheet: wow:

More good info in this presentation:

Transport (Layer 4) Attacks

This page covers the use of Kali to carry out attacks on layer 4, the transport layer. Also see Kali/Workflow.


Let's review the network stack before we launch into network layer attacks.

NetworkStack  · e

Layer Name Function
7 Application Topmost layer, provides users a means to access network resources (only level seen by end user)
6 Presentation Transforms data received into a format that is readable by the application layer. Handles encryption/description for secure data
5 Session Manages communication sessions between computers. Manages connections with other devices. Half-duplex or full duplex.
4 Transport Provide reliable data transport services to lower layers.
3 Network Routes data between physical networks. Handles addressing, via IP. Handles packet fragmentation and error detection. Router level. Most complex layer.
2 Data Link Transports data across a network. Provides addressing scheme to identify physical devices, bridges, switches, MAC addresses.
1 Physical The physical medium for the network communication signals.

(Please Do Not Touch Steve's Pet Alligator)

Layer 4 is the Transport layer. It handles the transport of packets. This includes conversation protocols, packet types, and creating encrypted transport layers.


Once you're on a network and have been assigned an IP, you can see various packets flying around the network. The routing and transport of these packets is Layer 4. Attacks that can occur on this layer occur through the use and manipulation of packet traffic.

Transport layer attacks can have different approaches:

  • Passive monitoring - recording all traffic, no tampering
  • Active monitoring - actively monitoring traffic and injecting, removing, or modifying traffic on the fly
  • Active attacks - denial of service, modification


The transport layer is a rich source of information. You can learn all sorts of things by monitoring network traffic in Wireshark. Often, packet payloads are unencrypted HTTP connections, and contain images, web URLs, and other web content in the clear. This traffic can be monitored by tricking the network into forwarding all network traffic to an attacker's machine, not just traffic intended for it.

The most common Layer 3/Layer 4 attack is ARP Poisoning, which allows an attacker to redirect traffic at the network transport layer.

For an implementation of ARP poisoning, see MITM Labs/Bettercap SSL Over Wifi

Packet Sniffing Tools

Various tools that may be used:


Passive monitoring can be thwarted through the use of SSL and TLS, both encryption protocols that are implemented on Layer 4. These protocols create a way for computers to transport encrypted packets back and forth, with the packets passing encrypted across the public channel and being decrypted by both parties at either end.


Active sniffing/monitoring attacks force sheep to use insecure protocols like HTTP instead of HTTPS. SSLStrip is an example of an active monitoring Layer 4 Transport attack. The intent is to actively tamper with the content stream the sheep is receiving in order to strip out any content that would redirect the sheep to the more secure HTTPS protocol. This enables a Man in the Middle attack at Layer 4.


SSLSniff is a slightly different tool that focuses on serving up certificates. Whereas SSLStrip focuses on bypassing HTTPS, avoiding the need to present certificates, SSLSniff is for those who are attempting to present valid certificates to the sheep.

Moxie0 has shown several attacks against SSL certification checking mechanisms. Other attacks may be attempted, and carried out, with the help of SSLSniff.

Denial of Service

There are also ways of creating chaos on Layer 4. For example, suppose an attacker's goal is to create a denial of service on a computer. On the physical layer, or Layer 1, an attacker would create a denial of service by jamming the radio signal, or physically tampering with a network line. On the transport layer, or Layer 4, a denial of service is created by jamming up the workings of the transport layer. This is done by abusing the TCP handshake protocol.

Syn Flood

Normally, when two computers are making a connection, they perform a three-way handshake: the client sends a SYN packet, the server responds with a SYN-ACK packet, and the client responds back with an ACK packet. The TCP connection between the two machines is then officially established. To abuse this handshake process, an attacker can send a SYN Flood, a flood of SYN packets, and do nothing when the server responds with a SYN-ACK packet. The server politely waits for the other end to respond with an ACK packet, and because bandwidth is fixed, the hardware only has a fixed number of connections it can make. Eventually, the SYN packets max out the available connections to a server with hanging connections. New visitors will experience a denial of service.

A SYN Flood can bring down your servicer if it isn't configured properly - each SYN packet will use up another spot in the queue, which will quickly eat up all available TCP connections, and lead to a denial of service. By using a reverse proxy, and putting different rules in place, these kinds of attacks can be thwarted.

This attack occurs on the transport layer - it jams up the normal workings of the transport layer and interferes with the normal delivery of packets.

Smurf Attack/Ping Flood

The smurf attack leverages the power of numbers, without needing to control a large number of machines. Normally, when you send a computer a ping packet, the computer will respond with an ICMP echo packet. This is the packet equivalent of the client saying "Hi, are you there?" and the server saying "Hi, I'm here." But this can also be abused by crafting packets that look like they came from a sheep machine, saying "Hi, are you there?" By crafting a huge number of these packets and blasting them to every computer on a network, it generates an enormous number of replies saying "Hi, I'm here," all of which will hammer the sheep machine.

This is an older attack, and many networks make themselves immune to participating in smurf attacks (meaning, the crafted packets are dropped by the network router, preventing them from reaching machines on the network that would otherwise respond to such packets). However, this does not provide protection from being a target of a smurf attack.

A Smurf amplifier is a computer network that lends itself to being used in a Smurf attack. Smurf amplifiers act to worsen the severity of a Smurf attack because they are configured in such a way that they generate a large number of ICMP replies to the victim at the spoofed source IP address.

More info:

DHCP Attacks

How DHCP works:

  • Client sends a request to the DHCP server: "Please send me my configuration info"
  • DHCP server responds with IP address, subnet mask, default gateway, DNS servers, and lease time
  • IP addresses are assigned on demand, pool of IP addresses configured by admin

Normal handshake procedure:

  • Client to DHCP server: DHCP discover (broadcast)
  • DHCP server to Client: DHCP offer (unicast)
  • Client to DHCP server: DHCP request (broadcast)
  • DHCP server to Client: DHCP ack (unicast)

DHCP defined by RFC 2131

DHCP Starvation Attack

A starvation attack is a denial of service on DHCP leases. An attacker runs a "gobbler" machine that sends out a huge number of DHCP requests.

Abused handshake procedure:

  • Attacker to DHCP server: DHCP discover (broadcast) x (size of scope)
  • DHCP server to attacker: DHCP offer (unicast) x (size of DHCPScope)
  • Attacker to DHCP server: DHCP request (broadcast) x (size of scope)
  • DHCP server to attacker: DHCP ack (unicast) x (size of scope)

Gobbler/DHCPx look at the whole DHCP scope, try to lease all addresses available in that scope.

This is a Denial of Service on DHCP leases, meaning no new devices can join the network.

Countermeasures: limit number of MACs on a single port, number of IPs = number of MACs,

Rogue DHCP Server Attack

A rogue DHCP server attack involves an attacker setting up their own DHCP server and responding to DHCP requests before the local DHCP server, thus controlling the DHCP process.

Abused handshake procedure:

  • Client to DHCP server: DHCP discover (broadcast) <--- this step is same as before
  • Rogue DHCP server to Client: DHCP offer (unicast) <--- rogue DHCP server responds first
  • Client to Rogue DHCP server: DHCP request (broadcast)
  • Rogue DHCP server to Client: DHCP ack (unicast)

Why is this useful?

This type of attack gives you total control over the network configuration of a sheep. This makes it easy to do what you'd like - sniff traffic, tamper with traffic, or create a denial of service. As an example, suppose a sheep and a rogue DHCP are on the same network, 192.168.10.X. The sheep sends out a DHCP request packet, broadcast to all ports. The rogue DHCP responds. The DHCP request is sent from the sheep, and the rogue DHCP server responds with an acknowledgement and assigns the following network configuration:

IP Address:
Subnet Mask:
Default Routers:
DNS Servers:,
Lease Time: 10 day

What's wrong with this picture?

  • First, the IP address and default routers are a different set of IP addresses than the rest of the network. This means the attacker is performing a denial of service on the entire IP layer.
  • The attacker is the gateway, meaning all network traffic to and from the client passes through the attacker.
  • The attacker is the DNS server, meaning they can monitor and/or tamper with DNS requests from the client, and redirect them to, e.g., fake versions of various websites.


  • DHCP snooping
  • maintain connection to trusted DHCP
  • identification of new DHCP servers

DNS Attacks

How DNS works: Linux/DNS

DNS Hijacking

DNS Hijacking consists in modifying the way the sheep's DNS system works. This can be achieved at multiple levels (e.g., at the system level, by breaking into and modifying the client's system to permanently point to a pirate DNS server; or at the network level, by conducting a MITM attack on DNS requests.) By poisoning routes, the attacker receives the sheep's DNS requests and can respond to specific DNS requests from the sheep to a destination of the attacker's choosing.

Also see EvilFOCA tool.

DNS DoSing

To DoS a sheep through their DNS channel is fairly straightforward - you simply create a DNS black hole, so that no network requests coming from the sheep can be properly translated to IP addresses. This renders a majority of the sheep's network operations inoperable.