The Domain Name System (DNS) is used to resolve a hostname to an IP address.
When a user attempts to connect to a system by its Fully Qualified Domain Name (FQDN), the user's system queries its DNS server for a record that holds the IP address for the FQDN.
The DNS server responds to the client with the IP address of the FQDN.
The client then uses that IP address to connect to the remote server.
If the DNS server does not know the IP address for a DNS query, it will query the root DNS servers for the domain.
In a DNS poisoning attack, the attacker sends a fake DNS response that maps an FQDN to a fake IP address.
The fake DNS response is cached on the DNS server, so when any user queries the DNS server for that FQDN, the DNS server provides the fake IP address.
This type of attack causes the user to be directed to a different website.
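The usual defence on the resolver side is to accept a response only if it matches a query the resolver actually sent: the 16-bit transaction ID and the question name must both match an outstanding query, and every response that does not match is dropped instead of cached. The following toy stub resolver is an added example written for these notes, not code from the original page; the hostnames, addresses and the hypothetical DnsResponse structure are constructed for illustration. Real resolvers also randomise the UDP source port (RFC 5452) so that a forger has to guess far more than the transaction ID.

```python
"""Toy stub resolver that refuses to cache DNS answers it did not ask for.

Constructed example: outstanding queries are tracked by transaction ID and
question name; a response is cached only when both match a pending query.
Anything else (wrong ID, a name that was never asked for, or a replay of an
already-answered ID) is counted and discarded.
"""
import secrets
from dataclasses import dataclass, field


@dataclass
class DnsResponse:
    """Hypothetical, simplified view of a DNS answer: just the fields we check."""
    txid: int
    qname: str
    answer_ip: str
    ttl: int = 300


@dataclass
class StubResolver:
    cache: dict = field(default_factory=dict)    # qname -> ip, only validated answers
    pending: dict = field(default_factory=dict)  # txid  -> qname awaiting an answer
    rejected: int = 0

    def send_query(self, qname: str) -> int:
        # Unpredictable 16-bit transaction ID, as a real resolver would use
        txid = secrets.randbelow(1 << 16)
        self.pending[txid] = qname.lower()
        return txid

    def receive(self, resp: DnsResponse) -> bool:
        """Return True if the response was accepted and cached, False if dropped."""
        qname = resp.qname.lower()
        expected = self.pending.get(resp.txid)
        if expected is None or expected != qname:
            self.rejected += 1
            return False
        del self.pending[resp.txid]   # one answer per query; later copies are replays
        self.cache[qname] = resp.answer_ip
        return True


def demo():
    """Run one genuine query against three kinds of unsolicited answers."""
    r = StubResolver()
    txid = r.send_query("www.example.com")
    forged_id = r.receive(DnsResponse((txid + 1) & 0xFFFF, "www.example.com", "203.0.113.66"))
    forged_name = r.receive(DnsResponse(txid, "login.example.com", "203.0.113.66"))
    genuine = r.receive(DnsResponse(txid, "www.example.com", "192.0.2.10"))
    replay = r.receive(DnsResponse(txid, "www.example.com", "203.0.113.66"))
    return {
        "forged_id": forged_id, "forged_name": forged_name,
        "genuine": genuine, "replay": replay,
        "cached": r.cache.get("www.example.com"), "rejected": r.rejected,
    }


if __name__ == "__main__":
    print(demo())
```

Only the genuine answer reaches the cache; the three unsolicited responses are counted in `rejected`. DNSSEC validation goes one step further by checking a signature on the answer data itself, so a forged record fails even if the attacker guesses every identifier.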
In a DNS hijacking attack, the attacker is able to change the DNS server settings on the victim's system.
This causes the victim's system to send its queries to a malicious DNS server that contains bogus DNS records.
As a result, the victim's system is redirected to fake and malicious websites.
Keep in mind that in this type of attack the DNS server itself is the malicious component.
In a domain hijacking attack, the threat actor takes ownership of a legitimate domain and modifies the IP address associated with the domain name.
The attacker is also able to move the compromised domain to a registrar preferred by the threat actor.
The following are various types of attacks that affect the Data Link layer of the OSI reference model and the TCP/IP protocol suite.
These types of attacks usually occur on an internal network, as the attacker attempts to exploit vulnerabilities within Layer 2 protocols.
At Layer 2, devices exchange frames using source and destination MAC addresses.
On a local area network (LAN), devices use MAC addresses to communicate with each other.
If a sender knows the destination IP address but not the destination MAC address, it broadcasts an ARP Request on the LAN asking which device has the MAC address for that IP address.
Put simply, ARP is used to resolve an IP address to a MAC address so that devices on a local network can communicate.
In an ARP poisoning attack, an attacker on the local network sends gratuitous ARP messages that contain bogus IP-to-MAC address mappings.
When a victim device receives the gratuitous ARP message, it processes the message and updates its local ARP cache.
This causes the victim device to forward messages to a different host rather than to the legitimate destination device.
An attacker can use this technique to cause both the victim device and the default gateway to send their traffic to the attacker's machine, creating a Man-in-the-Middle (MiTM) attack.
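From the victim's side, the poisoning described above shows up as an ARP message that claims a different MAC address for an IP whose binding is already known, and as a single MAC address answering for more than one IP (the gateway and the victim at once). The monitor below is an added example, not code from the original page: it replays a constructed sequence of ARP announcements and raises an alert on each binding change, rating changes to the gateway address as high severity. All addresses are made up for the illustration.

```python
"""ARP cache monitor that flags IP-to-MAC binding changes (constructed example).

Each record is (sender IP, sender MAC) as a host on the LAN would see it.
The monitor remembers the first binding learned for every IP and alerts when a
later message claims a different MAC for that IP. It also reports any MAC that
answers for several IPs, the signature of a host inserting itself between the
gateway and a victim.
"""
from collections import defaultdict

# Constructed ARP traffic: three legitimate announcements, then two messages
# that re-map the gateway and the victim to the third host's MAC.
SAMPLE_ARP = [
    ("192.168.1.1",  "aa:bb:cc:00:00:01"),   # default gateway announces itself
    ("192.168.1.20", "aa:bb:cc:00:00:20"),   # victim workstation
    ("192.168.1.66", "aa:bb:cc:00:00:66"),   # third host, legitimate announcement
    ("192.168.1.1",  "aa:bb:cc:00:00:66"),   # gateway IP now claimed by the third host's MAC
    ("192.168.1.20", "aa:bb:cc:00:00:66"),   # victim IP claimed by the same MAC
]


def monitor_arp(messages, gateway_ip):
    """Return learned bindings, binding-change alerts and MACs claiming several IPs."""
    bindings = {}                  # ip -> first MAC learned for it (never overwritten)
    ips_per_mac = defaultdict(set)
    alerts = []
    for ip, mac in messages:
        mac = mac.lower()
        ips_per_mac[mac].add(ip)
        known = bindings.get(ip)
        if known is None:
            bindings[ip] = mac
        elif known != mac:
            alerts.append({
                "ip": ip, "old_mac": known, "new_mac": mac,
                "severity": "high" if ip == gateway_ip else "medium",
            })
    multi_ip_macs = {m: sorted(ips) for m, ips in ips_per_mac.items() if len(ips) > 1}
    return {"bindings": bindings, "alerts": alerts, "multi_ip_macs": multi_ip_macs}


if __name__ == "__main__":
    report = monitor_arp(SAMPLE_ARP, gateway_ip="192.168.1.1")
    for alert in report["alerts"]:
        print(f"[{alert['severity']}] {alert['ip']}: {alert['old_mac']} -> {alert['new_mac']}")
    print("MACs answering for several IPs:", report["multi_ip_macs"])
```

Keeping the first-learned binding instead of overwriting it is the same idea as a static ARP entry for the gateway on critical hosts; on managed switches, Dynamic ARP Inspection enforces the equivalent check against the DHCP snooping table before the frame ever reaches the victim.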
In a MAC flooding attack, the attacker floods the switch with a large number of bogus frames containing unique source MAC addresses.
Since each switch has a finite amount of memory to store unique MAC addresses, a MAC flooding attack attempts to overflow the switch's MAC address table.
Once the switch's memory is full, if more unique source MAC addresses are flooded to the switch, it will operate in a fail-open state.
In a fail-open state, any inbound frame on the switch is forwarded out of all other ports on the same switch.
An attacker can then capture any frames being flooded out of the switch and look for sensitive data.
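The fail-open behaviour is easiest to see with a small model of a learning switch whose MAC address table has a fixed capacity. The code below is an added example for these notes, not vendor code or code from the original page: it shows a frame between two legitimate hosts being delivered to one port before the flood and to every other port after the table is full, and then applies the port-security style check (a maximum number of source MACs per port) that detects the condition. The `age_out` call stands in for the normal ageing timer on a real switch, after which the attacker's continuous stream immediately takes the freed slot; ports, addresses and the capacity are constructed values.

```python
"""Learning-switch model with a fixed-size MAC table (constructed example).

Demonstrates the fail-open flooding caused by a full table and a per-port
unique-source-MAC check of the kind port security enforces.
"""


class Switch:
    """Minimal learning switch: learns source MACs, forwards to known destinations."""

    def __init__(self, capacity, ports):
        self.capacity = capacity
        self.ports = list(ports)
        self.table = {}        # mac -> port
        self.flooded = 0       # frames sent out of every other port
        self.forwarded = 0     # frames sent to a single known port

    def learn(self, src_mac, port):
        if src_mac in self.table or len(self.table) < self.capacity:
            self.table[src_mac] = port
        # otherwise the table is full and the address is simply not learned

    def age_out(self, mac):
        """Stand-in for the ageing timer removing an idle entry."""
        self.table.pop(mac, None)

    def forward(self, src_mac, dst_mac, in_port):
        """Return the list of ports the frame leaves on."""
        self.learn(src_mac, in_port)
        out = self.table.get(dst_mac)
        if out is None:
            # Unknown destination: flood out of all other ports (fail-open behaviour)
            self.flooded += 1
            return [p for p in self.ports if p != in_port]
        self.forwarded += 1
        return [out]


def unique_sources_per_port(frames):
    """Count distinct source MACs seen on each ingress port."""
    seen = {}
    for src, _dst, port in frames:
        seen.setdefault(port, set()).add(src)
    return {p: len(s) for p, s in seen.items()}


def demo(capacity=8, max_macs_per_port=5):
    sw = Switch(capacity, ports=[1, 2, 3])
    frames = []

    def send(src, dst, port):
        frames.append((src, dst, port))
        return sw.forward(src, dst, port)

    host_a, host_b = "aa:00:00:00:00:0a", "aa:00:00:00:00:0b"   # legitimate hosts, ports 1 and 2
    send(host_a, host_b, 1)              # B not learned yet: flooded once
    send(host_b, host_a, 2)              # B learned; A already known
    before = send(host_a, host_b, 1)     # delivered only to port 2
    for i in range(20):                  # attacker on port 3: 20 bogus source MACs
        send(f"de:ad:be:ef:00:{i:02x}", "ff:ff:ff:ff:ff:ff", 3)
    sw.age_out(host_b)                   # B's entry ages out...
    send("de:ad:be:ef:00:ff", "ff:ff:ff:ff:ff:ff", 3)   # ...and a bogus MAC takes the slot
    after = send(host_a, host_b, 1)      # B unknown again: frame also reaches port 3
    counts = unique_sources_per_port(frames)
    violating = sorted(p for p, n in counts.items() if n > max_macs_per_port)
    return {
        "before": before, "after": after,
        "table_full": len(sw.table) == capacity,
        "sources_per_port": counts, "violating_ports": violating,
    }


if __name__ == "__main__":
    print(demo())
```

The same frame that went only to port 2 before the flood is copied to the attacker's port afterwards. Port security with a small per-port MAC limit (and an err-disable or shutdown action) stops the attack at the first violation rather than after the table fills.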
In a MAC cloning attack, the attacker changes (spoofs) the MAC address of their network interface card (NIC) to that of another device.
This type of attack allows a threat actor to pretend to be another machine on the network.
A denial of service (DoS) attack is designed to interrupt the availability of a system, network, resource or facility.
In a DoS attack, the attack is launched from a single geographic location against a target system.
Security engineers can simply stop the attack because it originates from a single location (IP address).
In a DDoS attack, the attack originates from multiple geographic locations while targeting a single system.
This is an amplified version of a DoS, and a DDoS attack is more difficult to stop.
In a reflected DDoS attack, the threat actor spoofs the target's IP address.
The threat actor then uses the spoofed source IP address to flood messages to a public server.
When the public server receives the messages from the threat actor, it responds to the spoofed IP address, which belongs to the actual target.
Therefore, the target receives the flood of messages from the unaware public server.
In an amplified DDoS attack, the threat actor may use a botnet to flood unsolicited messages to multiple public servers, using the spoofed IP address of the target as their source IP address.
This attack is a combination of a reflected and an amplified DDoS.
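Both the reflected and the amplified variants depend on the attacker's network letting packets leave with a source address that is not its own. The standard countermeasure at the network edge is source address validation (BCP 38 / ingress filtering): forward an outbound packet only if its source lies within the prefixes the network is allowed to originate. The filter below is an added example written for these notes, not code from the original page; the prefixes, the target address and the packet records are constructed for the illustration.

```python
"""Egress source-address validation in the BCP 38 style (constructed example).

Outbound packets whose source address is not inside the network's own prefixes
are dropped, so spoofed requests never reach a public server that would reflect
them onto the real owner of that address.
"""
import ipaddress

# Constructed: prefixes this edge router is permitted to originate traffic from.
LOCAL_PREFIXES = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/25"),
]


def egress_allowed(src_ip, prefixes=LOCAL_PREFIXES):
    """True if the packet's source address belongs to this network."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in prefixes)


def filter_egress(packets, prefixes=LOCAL_PREFIXES):
    """Split outbound packets into those forwarded and those dropped as spoofed."""
    forwarded, dropped = [], []
    for pkt in packets:
        (forwarded if egress_allowed(pkt["src"], prefixes) else dropped).append(pkt)
    return forwarded, dropped


# Constructed outbound traffic: two genuine queries from local hosts and two
# whose source is the intended target's address (203.0.113.9), aimed at public
# DNS and NTP servers that would answer the target instead of the sender.
SAMPLE_EGRESS = [
    {"src": "192.0.2.10",   "dst": "203.0.113.200", "dport": 53},
    {"src": "198.51.100.7", "dst": "203.0.113.200", "dport": 53},
    {"src": "203.0.113.9",  "dst": "203.0.113.200", "dport": 53},    # spoofed source
    {"src": "203.0.113.9",  "dst": "203.0.113.201", "dport": 123},   # spoofed source
]


if __name__ == "__main__":
    ok, bad = filter_egress(SAMPLE_EGRESS)
    print(f"forwarded {len(ok)}, dropped {len(bad)} spoofed packet(s)")
    for pkt in bad:
        print("  dropped:", pkt)
```

The check is deliberately applied where the packet leaves the network rather than at the target, because the target cannot tell a reflected response from a legitimate one by address alone; once every edge network validates source addresses, the public servers in the text have nothing to reflect.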
In this type of attack, more than one system works together to create a DDoS attack against a target.
Multiple threat actors may be controlling the systems that perform the attack.
A MiTM attack is where the attacker sits in between network traffic, looking for any sort of confidential data passing along the network.
The attacker intercepts the traffic between a victim device and its destination.
The attacker uses this type of attack to gather sensitive information that is being sent along the network.
In this type of attack, the threat actor attempts to inject malicious payloads from a victim's web browser into a web application.
The attacker can steal session information, including session cookie data, and even exploit a vulnerability in the web application.
Many organizations have a wireless network that allows users to connect their wireless-enabled devices and access resources on the wired network.
Threat actors can perform various types of wireless attacks to gain unauthorized access and even gather information from the network traffic.
In a rogue access point attack, the attacker creates a fake access point.
This tricks users into connecting to the rogue access point, where the attacker can intercept and redirect their traffic.
In this type of wireless attack, the threat actor creates a fake access point with the same Service Set Identifier (SSID) as the target network.
This tricks employees into connecting to the evil twin access point, where the attacker is able to intercept the traffic, gather sensitive information and redirect the traffic.
In a disassociation attack, the threat actor sends specially crafted IEEE 802.11 messages to the target access point, which forces associated clients to disassociate from the access point.
This is a type of denial of service (DoS) attack, and a threat actor may use it to force clients to associate with the evil twin access point.
An initialization vector (IV) is a random string generated by the system to perform encryption of IEEE 802.11 messages on a wireless network.
The IV (random value) is combined with the secret key (constant value) to add a layer of security during the data encryption process.
Without the IV, encrypting data with the secret key alone would let attackers observe similarities in the output (ciphertext), which allows the threat actor to use reversing techniques to determine the secret key.
This type of attack is usually successful on wireless networks that use the Wired Equivalent Privacy (WEP) security standard, as it uses only a 24-bit IV.
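The weakness of a 24-bit IV is a matter of arithmetic: there are only 2^24 (16,777,216) possible values, and by the birthday bound a random IV repeats with 50% probability after only about 4,823 frames, far sooner than the space is exhausted. Once an IV repeats under the same secret key, two frames are encrypted with identical keystream, which is exactly the "similarity in the ciphertext" the text refers to. The script below is an added example for these notes, not code from the original page: it computes the collision probability for a given IV size, checks it with a short simulation, and scans a constructed list of captured IVs for repeats, which is what a wireless IDS does to flag IV reuse. The sample IV values are made up.

```python
"""Why a 24-bit IV is too small: birthday-bound estimate, a simulation, and an
IV reuse detector over a constructed capture (added example)."""
import math
import random


def collision_probability(iv_bits, frames):
    """Chance that at least two of `frames` uniformly random IVs coincide.
    Birthday approximation: 1 - exp(-k(k-1) / 2n) with n = 2**iv_bits."""
    n = 2 ** iv_bits
    return -math.expm1(-frames * (frames - 1) / (2 * n))   # expm1 keeps tiny values exact


def frames_for_probability(iv_bits, p):
    """Frames needed before an IV repeat occurs with probability p."""
    n = 2 ** iv_bits
    return math.ceil(math.sqrt(2 * n * math.log(1 / (1 - p))))


def simulate_repeat_rate(iv_bits, frames, trials=200, seed=1):
    """Fraction of trials in which `frames` random IVs contain at least one repeat."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        ivs = [rng.getrandbits(iv_bits) for _ in range(frames)]
        if len(set(ivs)) < len(ivs):
            hits += 1
    return hits / trials


def find_reused_ivs(ivs):
    """Return (iv, first_index, repeat_index) for every IV seen more than once."""
    first_seen, reused = {}, []
    for idx, iv in enumerate(ivs):
        if iv in first_seen:
            reused.append((iv, first_seen[iv], idx))
        else:
            first_seen[iv] = idx
    return reused


# Constructed capture: 24-bit IVs read from the headers of successive frames.
SAMPLE_IVS = [0x1A2B3C, 0x00FF01, 0x1A2B3C, 0x7E7E7E, 0x00FF01]


if __name__ == "__main__":
    k = frames_for_probability(24, 0.5)
    print(f"24-bit IV: 50% chance of a repeat after {k} frames; "
          f"space exhausted after {2 ** 24} frames")
    print(f"simulated repeat rate at {k} frames: {simulate_repeat_rate(24, k):.2f}")
    print(f"128-bit IV at a billion frames: {collision_probability(128, 10 ** 9):.3g}")
    print("reused IVs in sample capture:", find_reused_ivs(SAMPLE_IVS))
```

A busy access point sends a few thousand frames in seconds, so the 50% mark is reached almost immediately and the entire space cycles in hours; by contrast the 128-bit nonce sizes used by modern schemes give a collision probability that is negligible over any realistic lifetime. The practical mitigation is not a better IV for WEP but retiring WEP in favour of WPA2/WPA3.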
Radio Frequency Identification (RFID) is used on badges to access areas of a compound.
RFID is used on anything that needs tracking.
RFID badges do not have a power source; an RFID reader powers the card when the card is placed very near the reader.
Attackers can read the data on an RFID tag and create signal jamming.
Near Field Communication (NFC) allows two devices to exchange data within very close proximity.
NFC is used to establish a Bluetooth connection automatically.
An attacker can capture the signal by eavesdropping.
An attacker can capture the signal from a victim's device and relay it to an NFC reader.
In a wireless jamming attack, an attacker creates a wireless signal that operates on the same frequency as the target wireless device.
When two or more signals on the same frequency operate within the same proximity, one signal creates interference for the other.
In a bluesnarfing attack, the attacker attempts to intercept the messages being sent between the sender and receiver devices.
In a bluejacking attack, the attacker sends unsolicited messages to a Bluetooth-enabled device.