Network Attacks & Threats

Every network attack leaves evidence somewhere — in firewall logs, pcap files, DHCP records, or DNS query logs. This chapter maps the major attack categories that appear in the FACT syllabus to the traces they leave, so you know both how the attack works and how to detect it.

8.1Passive Attacks — Eavesdropping & Sniffing

A passive attack is one where the attacker only observes traffic — they never send a forged packet or modify any data. Because nothing anomalous is injected into the network, the victim may never detect that the attack occurred.

Packet sniffing is the core technique: capturing raw network frames using tools like Wireshark, tcpdump, or Ettercap. On a hub-based network (Layer 1 device), every frame is broadcast to all ports, so any connected device sees everything. On a modern switched network, the switch delivers frames only to the intended port, so additional techniques are needed before sniffing can work.

To capture frames that are not addressed to it, the attacker puts the NIC into promiscuous mode — a setting that tells the NIC to accept and pass up every frame it physically receives, regardless of the destination MAC. Sniffers always operate in this mode. Detecting it on your own network: an ARP broadcast followed by an unusually fast response, or tools like arpwatch, can reveal a host operating in promiscuous mode.

Traffic types that are fully visible in a cleartext capture:

• HTTP — entire web page content, cookies, form data
• FTP — username and password visible in plain text
• Telnet — every keystroke, including login credentials
• SNMP v1/v2 — community strings (effectively passwords) in cleartext
• POP3 and SMTP without TLS — email content and credentials

Evidence of sniffing is almost never on the victim's machine — there is no trace of someone silently listening. Evidence is on the attacker's machine: pcap capture files, sniffer software installed, NIC mode set to promiscuous in system logs (on Linux: ip link show output, interface flags in /proc/net/dev; on Windows: event logs from packet-capture drivers).

8.2Spoofing Attacks

Spoofing means forging an identity to deceive a target or a network device. The identity forged can be an IP address, a MAC address, an ARP response, or a DNS answer.

IP Spoofing — the attacker forges the source IP address in a packet header. This is trivial to do in software when sending UDP or raw IP packets. It bypasses IP-based access controls (firewalls that allow a specific source IP) and makes attribution harder. The critical limitation: the attacker cannot receive reply packets, because replies go to the forged IP's real owner. IP spoofing is therefore most useful for one-way flood attacks — DoS/DDoS — where replies are irrelevant.

MAC Spoofing — on Linux: ip link set eth0 address AA:BB:CC:DD:EE:FF; on Windows: Device Manager NIC properties. Purpose: bypass MAC-address-based access controls on Wi-Fi (MAC filtering on the AP), or impersonate an already-trusted device on a LAN. Evidence: switch logs or wireless AP logs showing a MAC address appearing on a different port or at an unexpected time.

ARP Poisoning (ARP Spoofing) — ARP (Address Resolution Protocol) maps IP addresses to MAC addresses on a local network segment. ARP has no authentication: any host can send an unsolicited ARP reply. The attacker sends fake "gratuitous ARP" replies claiming that their MAC address corresponds to the gateway's IP. Victims update their ARP cache with the false mapping. All traffic destined for the gateway now flows to the attacker — this is a Man-in-the-Middle (MITM) position. The attacker can read, modify, or forward the traffic. Evidence: duplicate IP-to-MAC mappings in the victim's ARP table (arp -a), unusual traffic volume on the attacker's port in switch logs.

DNS Spoofing (DNS Cache Poisoning) — the attacker sends a forged DNS response to a resolver before the legitimate response arrives. If the resolver accepts the forged response, it caches the attacker's IP for the domain. All clients using that resolver then connect to the attacker's server instead of the legitimate one. Evidence: DNS TTL anomalies (unusually short or zero TTLs), a mismatch between the expected IP for a domain (from an independent lookup) and the resolved IP, sudden change in DNS response from a stable domain.

8.3Web-based Attacks

Web attacks target the application layer — browsers, web servers, and the databases behind them.

XSS (Cross-Site Scripting) — the attacker injects malicious JavaScript into a trusted website. When a victim visits the page, their browser executes the script in the context of the trusted site, potentially stealing session cookies, redirecting to phishing pages, or logging keystrokes. There are three types:

• Reflected XSS — the malicious script is embedded in a URL. The victim must click the crafted link. The script is reflected back from the server in the response.
• Stored (Persistent) XSS — the script is saved in the server's database (e.g., in a comment or profile field) and served to every user who views that content. More dangerous because no crafted link is needed.
• DOM-based XSS — the attack occurs entirely in the browser; the malicious script manipulates the page's DOM without a server round trip.

Evidence: web server access logs showing unusual characters (<script>, javascript:, %3Cscript%3E) in GET/POST parameters; stored script tags found in database content.

Web Jacking — the attacker takes control of a domain to redirect legitimate visitors to a malicious server. Methods include compromising the domain's registrar account (credential theft, social engineering to the registrar's support team) or DNS hijacking. Typosquatting is a related technique: registering a domain that looks like the target (goggle.com vs google.com) to capture mistyped traffic. Evidence: DNS change logs at the registrar, WHOIS modification timestamps, sudden change in DNS A record, registrar access logs showing login from an unexpected IP.

Clickjacking — the attacker places an invisible <iframe> over a legitimate button on a real page. The user thinks they are clicking the legitimate element but actually clicks the hidden attacker element (e.g., a "Confirm transfer" button on a banking page). Evidence: unusual <iframe> elements in page source, browser security headers (X-Frame-Options set to DENY protects against this).

CSRF (Cross-Site Request Forgery) — the attacker tricks an authenticated user into unknowingly submitting a forged request. The malicious link or image tag on the attacker's site causes the victim's browser to send a request (with the victim's cookies) to a trusted site — transferring money, changing an email address, or granting access. Evidence: server-side logs showing authenticated actions the user did not initiate.

SQL Injection — covered in depth in Chapter 10. Briefly: the attacker inserts SQL code into a form field, manipulating the database query executed on the server. Evidence: web server logs containing ', --, UNION SELECT, OR 1=1 in input parameters.

8.4Wireless Network Attacks

Wireless networks introduce a physical layer that anyone within radio range can access without being plugged in — which changes the attack surface significantly.

WEP Cracking — WEP (Wired Equivalent Privacy) is the original, now completely broken, Wi-Fi encryption protocol. It uses the RC4 stream cipher with a 24-bit Initialisation Vector (IV) that is sent in cleartext alongside each packet. Because the IV space is small, IVs repeat frequently. An attacker captures enough packets (approximately 50,000 using aircrack-ng) to statistically recover the encryption key from the repeated IVs. WEP should never be used; it is cracked in minutes. Evidence of WEP cracking on an attacker's machine: .cap capture files and aircrack-ng installation.

WPA2 Cracking — WPA2 with CCMP (AES) is far stronger than WEP. The attack targets the 4-way handshake that occurs when a client authenticates to the access point. The attacker captures this handshake (by waiting for a legitimate client or by sending de-authentication frames to force a reconnection) and then runs an offline dictionary or brute-force attack against the captured hash. The password never leaves the attacker's machine. Tools: aircrack-ng for dictionary attacks, hashcat for GPU-accelerated brute force. Evidence on attacker's machine: .cap file containing the 4-way handshake.

Evil Twin / Rogue AP — the attacker deploys a Wi-Fi access point configured with the same SSID as a legitimate network. Clients connecting to it see the familiar network name and connect, especially if the attacker's signal is stronger or the real AP is de-authenticated. The attacker then acts as a transparent proxy, seeing all traffic. Evidence: two access points with the same SSID but different BSSIDs (MAC addresses) visible on a wireless scan; clients associated to an unexpected BSSID; unusual AP in corporate wireless inventory.

De-authentication Attack — IEEE 802.11 management frames (including deauthentication frames) are unauthenticated in the original 802.11 standard. Any device can send a spoofed deauth frame that disconnects a client. Attackers use this to: (1) force a WPA2 client to reconnect, capturing the 4-way handshake for offline cracking; (2) conduct a denial-of-service against a specific client or the entire AP. Evidence: repeated deauth frames in a wireless capture (Wireshark filter: wlan.fc.type_subtype == 0x0c).

WPS Vulnerability — Wi-Fi Protected Setup uses an 8-digit PIN. Because of a design flaw in how the PIN is verified in two halves, the effective keyspace is only about 11,000 combinations rather than 10⁸. Tools like Reaver can brute-force the WPS PIN in hours. Mitigation: disable WPS on all access points.

8.5Social Engineering

Social engineering bypasses technical security entirely by manipulating people rather than attacking systems. Most successful large-scale breaches combine a social engineering entry with a technical payload. No firewall blocks a convincing phone call.

Phishing is the most common form: a mass email impersonating a trusted entity (bank, tax authority, internal IT) with a link to a fake login page or a malicious attachment. Spear-phishing is the targeted variant — the email references the victim's name, job title, colleague, or recent event to appear legitimate. Spear-phishing defeats simple awareness training because the email does not look generic.

Pretexting — the attacker creates a fabricated scenario (posing as IT support, an auditor, or a new supplier) to extract information or physical access. For example, calling an employee saying "I'm from IT, we're seeing an alert from your machine, I need your password to check it remotely." Evidence: call records, voicemails, unusual account access from unfamiliar IP addresses immediately after the call.

Baiting — physical media (USB drives, SD cards) labelled with enticing text ("Salary Q1 2024", "Confidential") are left in public areas near the target organisation. Curious employees plug them in. The USB executes an autorun payload or the user manually opens a file that drops malware. Evidence: Windows USBSTOR registry key (HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR) records every USB storage device ever connected — device type, serial number, and timestamps.

Vishing (Voice Phishing) — phishing conducted over a phone call. The attacker impersonates a bank fraud team, tax authority, or tech support. Call records (CDR — Call Detail Records) and voice recordings obtained from the carrier are the primary evidence.

Tailgating / Piggybacking — physically following an authorised person through a secure door without using credentials. The attacker relies on social norms (holding the door for someone) or a disguise (uniform, ID-badge lookalike). Evidence: physical access control logs, CCTV footage showing two people passing through a single card-swipe event.

Defences: security awareness training that specifically covers these techniques; call-back verification procedures (hang up and call the organisation's published number); clean desk policy; two-person rule for high-value actions.