By Glen E. Clarke, Edward Tetz, Timothy Warner

You need to ensure that you are familiar with the different types of network-based attacks for the A+ Exams when seeking your CompTIA A+ Certification. A network-based attack uses networking technologies or protocols to perform the attack. Here are the most popular types.

Password attacks

There are a number of different types of password attacks. For example, a hacker could perform a dictionary attack against the most popular user accounts found on networks. With a dictionary attack, hackers use a program that typically uses two text files:

  • One text file contains the most popular user accounts found on networks, such as administrator, admin, and root.
  • The second text file contains a list of all the words in the English dictionary, and then some. You can also get dictionary files for different languages.

The program then tries every user account in the user account file with every word in the dictionary file, attempting to determine the password for the user account.

To protect against a dictionary attack, be sure employees use strong passwords that mix letters, numbers, and symbols, so that their passwords are not found in any wordlist. Also, passwords are normally case sensitive, so educate users on the importance of using both lowercase and uppercase characters. That way, a hacker has to guess not only the word but also its combination of uppercase and lowercase characters. Bear in mind that cracking tools apply "mangling rules" to every dictionary word (capitalizing it, appending digits, swapping letters for look-alike symbols), so a word with a couple of substitutions, such as P@ssw0rd, is still a dictionary password.

Also remind users that words found in any dictionary are unsafe for passwords. This means avoiding not only English words, but also French, German, Hebrew . . . even Klingon!

Hackers can also perform a brute force attack. With a brute force attack, instead of trying words from a dictionary, the hacker uses a program that tries every possible combination of characters until it finds the password. Given enough time a brute force attack always succeeds; the defense is to make the number of possible passwords (the keyspace) so large, through length and character variety, that the time required is impractical. The figure shows a popular password-cracking tool known as LC4. Tools like this are also useful to network administrators for auditing how strong their users' passwords are.

Figure: Cracking passwords with LC4.

To protect against password attacks, users should use strong passwords: a password composed of letters, numbers, and symbols, with a mix of uppercase and lowercase characters and a minimum length of eight characters. Longer is better, because every character added multiplies the number of combinations a brute force attack must try.
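As an added example that is not part of the original article, the following Python script runs both attacks from this section against a constructed table of account names and password hashes. The account names, wordlist and passwords are invented, and the hashes are unsalted SHA-256, standing in for whatever hash a real cracking tool would target. The dictionary attack works from the two lists the text describes (accounts and words), tries the case variants of each word, and stops when a hash matches; the brute force attack walks the full character set; and keyspace() shows why length and character variety are the defense.

```python
import hashlib
import itertools
import string

def sha256_hex(text):
    """Hash a candidate password the same way the captured hashes were produced."""
    return hashlib.sha256(text.encode()).hexdigest()

# Constructed sample: captured account names and unsalted SHA-256 password hashes.
# Accounts and passwords are invented for this example.
CAPTURED_HASHES = {
    "administrator": sha256_hex("Summer"),   # dictionary word, capitalized
    "admin": sha256_hex("dragon"),           # plain dictionary word
    "root": sha256_hex("a7!"),               # short, but not in any dictionary
    "jsmith": sha256_hex("correct-horse-battery-staple"),
}

# The two "text files" the article describes, held here as lists.
COMMON_ACCOUNTS = ["administrator", "admin", "root", "guest"]
WORDLIST = ["password", "summer", "dragon", "letmein", "welcome"]

# Character set a brute-force run has to cover once users mix cases, digits and symbols.
FULL_ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 characters

def case_variants(word):
    """Yield the obvious capitalization variants of a word, each only once."""
    seen = set()
    for variant in (word, word.lower(), word.upper(), word.capitalize()):
        if variant not in seen:
            seen.add(variant)
            yield variant

def dictionary_attack(hashes, accounts, wordlist):
    """Try every wordlist entry (and its case variants) against every account.
    Returns {account: recovered_password} for the accounts that fell."""
    found = {}
    for account in accounts:
        target = hashes.get(account)
        if target is None:
            continue                      # account does not exist on this system
        for word in wordlist:
            for candidate in case_variants(word):
                if sha256_hex(candidate) == target:
                    found[account] = candidate
                    break
            if account in found:
                break
    return found

def brute_force(target_hash, alphabet, max_len):
    """Try every string over `alphabet` of length 1..max_len in order.
    Returns (password, attempts) or (None, attempts) if max_len was too small."""
    attempts = 0
    for length in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=length):
            attempts += 1
            candidate = "".join(combo)
            if sha256_hex(candidate) == target_hash:
                return candidate, attempts
    return None, attempts

def keyspace(alphabet_size, length):
    """Number of distinct passwords of exactly `length` characters over an alphabet of
    `alphabet_size` characters; a brute force attack must try up to this many."""
    return alphabet_size ** length

if __name__ == "__main__":
    print("dictionary attack recovered:", dictionary_attack(CAPTURED_HASHES, COMMON_ACCOUNTS, WORDLIST))
    pw, tries = brute_force(CAPTURED_HASHES["root"], FULL_ALPHABET, 3)
    print(f"brute force recovered {pw!r} after {tries} attempts")
    for size, label in ((26, "lowercase only"), (62, "mixed case + digits"), (94, "all printable")):
        print(f"8-character keyspace, {label}: {keyspace(size, 8):,}")
```

The three-character password falls to brute force in under a million hashes, while eight characters drawn from all 94 printable ASCII characters give over six quadrillion combinations; that growth, not secrecy about the algorithm, is what makes a password strong.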

Denial of service

Another popular network attack is a denial of service (DoS) attack, which can come in many forms and is designed to keep a system so busy, or to crash it outright, that it cannot service real requests from clients.

For example, say you have an email server, and a hacker attacks it by flooding it with email messages, so that it is too busy to send or receive legitimate mail. You have been denied the service the system was created for.

There are a number of different types of DoS attacks. In a ping flood, the hacker sends ICMP echo requests (pings) to your system faster than it can answer them, and the system is so busy sending replies that it cannot perform its normal function. The ping of death is different: the hacker sends a single malformed, oversized ping packet (larger than the 65,535-byte maximum IP packet size, delivered in fragments), and an unpatched system crashes when it tries to reassemble it.

To protect against denial of service attacks you should have a firewall installed (which can drop or rate-limit unwanted traffic such as pings from the Internet) and keep your system patched, so that malformed-packet attacks like the ping of death no longer work.

Spoofing

Spoofing is a type of attack in which a hacker modifies the source address of a network packet, which is a piece of information that is sent out on the network. This packet includes the data being sent but also has a header section that contains the source address (where the data is coming from) and the destination address (where the data is headed). If the hacker wants to change “who” the packet looks like it is coming from, the hacker modifies the source address of the packet.

There are three major types of spoofing — MAC spoofing, IP spoofing, and email spoofing. MAC spoofing is when the hacker alters the source MAC address of the packet, IP spoofing is when the hacker alters the source IP address in a packet, and email spoofing is when the hacker alters the source email address to make the email look like it came from someone other than the hacker.

An example of a spoof attack is the smurf attack, which is a combination of a denial of service and spoofing. Here is how it works:

  1. The hacker sends ping requests to the broadcast address of one or more networks, so that every system on those networks receives the request, but modifies the source address of each packet so that the ping looks like it is coming from a different system.
  2. All systems that received the ping reply to the modified source address, which belongs to an unsuspecting victim.
  3. The victim's system (most likely a server) receives so many replies to pings it never sent that it is overwhelmed with traffic, causing it to be unable to answer any other request from the network. Because one spoofed request draws a reply from every host on the network, the hacker's traffic is amplified many times over.

To protect against spoof attacks, you can implement encryption and authentication services on the network, so that a packet's claimed source address is never taken as proof of who sent it. Routers should also drop packets that arrive on an interface with a source address that could not legitimately come from that direction (ingress filtering), and should not forward ping requests to a network's broadcast address, which defeats the smurf attack.
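As an added example, not from the original article, the following Python script applies those two checks to a handful of constructed flow records of the kind a border router or network sensor would produce: the ingress filter flags packets that arrive from outside claiming an internal source address, and the second check finds a host that is receiving echo replies from many systems it never pinged, which is what a smurf victim sees. The interface names, IP addresses and the internal address range are assumptions made for the example.

```python
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Assumed for this example: everything in 10.0.0.0/8 is our own network, and each record
# carries the interface it arrived on ("inside" or "outside").
INTERNAL_NET = ip_network("10.0.0.0/8")

# Constructed sample flow records: (ingress_interface, src_ip, dst_ip, protocol, icmp_type).
# icmp_type 8 is an echo request (ping), 0 is an echo reply; None for non-ICMP traffic.
SAMPLE_FLOWS = [
    # Normal: an internal host pings one external server and gets one reply back.
    ("inside", "10.0.0.9", "203.0.113.7", "icmp", 8),
    ("outside", "203.0.113.7", "10.0.0.9", "icmp", 0),
    # Smurf pattern: a whole remote subnet answers pings that 10.0.0.5 never sent, because the
    # attacker pinged that subnet's broadcast address with 10.0.0.5 as the spoofed source.
    ("outside", "198.51.100.1", "10.0.0.5", "icmp", 0),
    ("outside", "198.51.100.2", "10.0.0.5", "icmp", 0),
    ("outside", "198.51.100.3", "10.0.0.5", "icmp", 0),
    ("outside", "198.51.100.4", "10.0.0.5", "icmp", 0),
    ("outside", "198.51.100.5", "10.0.0.5", "icmp", 0),
    ("outside", "198.51.100.6", "10.0.0.5", "icmp", 0),
    # IP spoofing: a packet arrives from the Internet claiming one of our own addresses.
    ("outside", "10.0.0.200", "10.0.0.5", "tcp", None),
    # Ordinary outbound web traffic, nothing to flag.
    ("inside", "10.0.0.9", "203.0.113.80", "tcp", None),
]

def ingress_filter_violations(flows, internal_net=INTERNAL_NET):
    """Packets arriving on the outside interface with a source inside our own range cannot be
    legitimate. Dropping them is the ingress filtering (RFC 2827 / BCP 38) a border router
    should perform; here we just report them."""
    return [flow for flow in flows
            if flow[0] == "outside" and ip_address(flow[1]) in internal_net]

def unsolicited_ping_replies(flows, threshold=3):
    """Find hosts receiving echo replies from systems they never sent echo requests to.
    Returns {victim_ip: number of unsolicited replies} for hosts with at least `threshold`
    distinct unsolicited sources; that reflected traffic is what a smurf victim sees."""
    requests_sent = defaultdict(set)          # src -> hosts it sent echo requests to
    replies_received = defaultdict(Counter)   # dst -> Counter of echo-reply sources
    for _iface, src, dst, proto, icmp_type in flows:
        if proto != "icmp":
            continue
        if icmp_type == 8:
            requests_sent[src].add(dst)
        elif icmp_type == 0:
            replies_received[dst][src] += 1
    suspects = {}
    for host, sources in replies_received.items():
        unsolicited = [s for s in sources if s not in requests_sent[host]]
        if len(unsolicited) >= threshold:
            suspects[host] = sum(sources[s] for s in unsolicited)
    return suspects

if __name__ == "__main__":
    for flow in ingress_filter_violations(SAMPLE_FLOWS):
        print("drop (internal source address arriving on outside interface):", flow)
    for victim, count in unsolicited_ping_replies(SAMPLE_FLOWS).items():
        print(f"possible smurf victim {victim}: {count} unsolicited echo replies")
```

Note that the victim's own network never sees the attacker's spoofed requests, only the replies; that is why the detection has to correlate replies against the requests the victim actually sent rather than look for the attacker's address, which never appears in the traffic.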

Eavesdropping attack

An eavesdropping attack occurs when a hacker uses some sort of packet sniffer program to see all the traffic on the network. Hackers use packet sniffers to capture login passwords that are sent in clear text or to monitor activities. This figure shows Microsoft Network Monitor, a program that monitors network traffic by displaying the contents of the packets. There are other sniffer programs available such as Wireshark and Microsoft's Message Analyzer.

Figure: Using Network Monitor to analyze FTP logon traffic.

Notice that the highlighted packet (frame 8) shows someone logging on with a username of administrator; in frame 11, you can see that this user has typed the password P@ssw0rd. FTP sends its USER and PASS commands in clear text, so anyone who can capture the traffic can read them. In this example, the hacker now has the username and password of a network account simply by eavesdropping on the conversation!

To protect against eavesdropping attacks you should encrypt network traffic: replace clear-text protocols such as FTP and Telnet with encrypted equivalents such as SFTP, FTPS, and SSH, and use HTTPS rather than HTTP. A sniffer still sees the packets, but not the passwords inside them.
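To make concrete what the sniffer in the figure is showing, here is an added Python example (not code from the original article) that does what an eavesdropper's tool does with a captured FTP control channel: it walks the client-to-server frames in order and pairs each USER command with the PASS that follows it, reporting the frame numbers each came from. The frames are constructed for the example; frames 8 and 11 mirror the figure's scenario, while the hostname and the other frame numbers are invented.

```python
import re

# Constructed sample: payloads of a captured FTP control-channel exchange, numbered like frames
# in a sniffer. Direction "C" is client -> server, "S" is server -> client. The hostname and the
# frames other than 8 and 11 are invented; 8 and 11 mirror the figure in the text.
SAMPLE_FRAMES = [
    (5, "S", b"220 ftp.example.internal FTP server ready\r\n"),
    (8, "C", b"USER administrator\r\n"),
    (9, "S", b"331 Password required for administrator\r\n"),
    (11, "C", b"PASS P@ssw0rd\r\n"),
    (12, "S", b"230 User logged in\r\n"),
    (14, "C", b"PWD\r\n"),
]

# FTP commands are case-insensitive ASCII lines terminated by CRLF (RFC 959).
USER_RE = re.compile(rb"^USER[ \t]+([^\r\n]+)\r\n$", re.IGNORECASE)
PASS_RE = re.compile(rb"^PASS[ \t]+([^\r\n]*)\r\n$", re.IGNORECASE)

def extract_ftp_logons(frames):
    """Pair each USER command with the PASS that follows it on the client side.
    Returns a list of dicts: username, password, and the frame numbers each came from."""
    logons = []
    pending = None                       # (frame_no, username) waiting for its PASS
    for frame_no, direction, payload in frames:
        if direction != "C":
            continue                     # server replies never carry the credentials
        user = USER_RE.match(payload)
        if user:
            pending = (frame_no, user.group(1).decode("ascii", "replace"))
            continue
        pw = PASS_RE.match(payload)
        if pw and pending is not None:
            logons.append({
                "user_frame": pending[0],
                "username": pending[1],
                "pass_frame": frame_no,
                "password": pw.group(1).decode("ascii", "replace"),
            })
            pending = None               # a new USER must precede the next PASS
    return logons

def logon_alerts(frames):
    """Turn recovered logons into the one-line alert a monitoring tool might raise when it
    sees credentials cross the wire in clear text (without echoing the password itself)."""
    return [f"clear-text FTP logon: user {logon['username']!r} in frame {logon['user_frame']}, "
            f"password in frame {logon['pass_frame']}"
            for logon in extract_ftp_logons(frames)]

if __name__ == "__main__":
    for logon in extract_ftp_logons(SAMPLE_FRAMES):
        print(logon)
    for alert in logon_alerts(SAMPLE_FRAMES):
        print(alert)
```

The same few lines of pattern matching recover the credentials whether the person running them is an attacker or an administrator auditing for clear-text protocols; the only defense that removes the exposure is to stop putting passwords on the wire unencrypted.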

Man-in-the-middle

A man-in-the-middle attack involves the hacker monitoring network traffic but also intercepting the data, potentially modifying the data, and then sending out the modified result. The person the packet is destined for never knows that the data was intercepted and altered in transit.

To protect against man-in-the-middle attacks you should restrict access to the network and implement encryption and authentication services on the network. Encryption keeps the hacker from reading the data, and authentication of both the parties and of each message's integrity means that data altered in transit is detected and rejected by the recipient instead of being acted upon.

Session hijacking

A session hijack is similar to a man-in-the-middle attack, but instead of intercepting the data, altering it, and sending it on to whomever it was destined for, the hacker takes over the conversation (a session) after the legitimate user has already authenticated, and then impersonates that user. The other party has no idea that it is communicating with someone other than the original partner.

To protect against session hijacking attacks, you should restrict access to the network and implement encryption and authentication services on the network, so that session identifiers and sequence numbers cannot be read off the wire or guessed, and messages injected by the hijacker are rejected because they cannot be authenticated.
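As an added example covering both this section and the man-in-the-middle section above (it is not code from the original article), the following Python script shows what "authentication services" buy you at the message level. The two parties share a secret key (assumed to have been agreed beforehand, the job a protocol such as TLS does during its handshake), every message carries a sequence number and an HMAC-SHA256 tag, and the receiver accepts a message only if the tag verifies and the sequence number is the one expected. A naive receiver that checks nothing is included for contrast. The key, the messages and the party names are constructed for the example.

```python
import hashlib
import hmac
import json

# Assumed for this example: both parties already share this key (a real system would derive it
# from a key exchange). Constructed value; never hard-code keys in production.
SHARED_KEY = b"example-shared-key-for-demo-only"

def seal(key, seq, body):
    """Build an authenticated message: sequence number + body, plus an HMAC-SHA256 tag over both."""
    payload = json.dumps({"seq": seq, "body": body}, sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return {"payload": payload, "tag": tag}

def naive_receive(msg):
    """A receiver with no authentication: it believes whatever arrives."""
    return json.loads(msg["payload"])["body"]

class AuthenticatedReceiver:
    """Accepts a message only if its tag verifies under the shared key and its sequence number
    is the next one expected, so altered, forged and replayed messages are all rejected."""

    def __init__(self, key):
        self.key = key
        self.expected_seq = 0
        self.accepted = []

    def receive(self, msg):
        expected_tag = hmac.new(self.key, msg["payload"], hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected_tag, msg["tag"]):   # constant-time comparison
            return "rejected: bad tag (altered in transit or not from the key holder)"
        data = json.loads(msg["payload"])
        if data["seq"] != self.expected_seq:
            return "rejected: wrong sequence number (replayed or injected out of order)"
        self.expected_seq += 1
        self.accepted.append(data["body"])
        return "accepted"

def tamper(msg, new_body):
    """What a man in the middle does: rewrite the body and pass the original tag along."""
    data = json.loads(msg["payload"])
    data["body"] = new_body
    return {"payload": json.dumps(data, sort_keys=True).encode(), "tag": msg["tag"]}

def forge(seq, body):
    """What a session hijacker without the key can do: build a message and tag it with a guess."""
    payload = json.dumps({"seq": seq, "body": body}, sort_keys=True).encode()
    return {"payload": payload, "tag": hmac.new(b"attacker-guess", payload, hashlib.sha256).hexdigest()}

def demo():
    """Run the scenarios from the text; return (naive result, authenticated results, accepted bodies)."""
    genuine_0 = seal(SHARED_KEY, 0, "transfer 100 to alice")
    genuine_1 = seal(SHARED_KEY, 1, "transfer 100 to alice")
    altered = tamper(genuine_1, "transfer 100 to mallory")

    naive = naive_receive(altered)              # the unprotected receiver acts on the altered order

    rx = AuthenticatedReceiver(SHARED_KEY)
    results = [
        rx.receive(genuine_0),                  # accepted
        rx.receive(altered),                    # man in the middle: tag no longer matches the body
        rx.receive(genuine_1),                  # accepted
        rx.receive(genuine_1),                  # replay of an old message: sequence already used
        rx.receive(forge(2, "transfer 1000 to mallory")),  # hijacker has no key: tag fails
    ]
    return naive, results, list(rx.accepted)

if __name__ == "__main__":
    naive, results, accepted = demo()
    print("naive receiver acted on:", naive)
    for result in results:
        print(result)
    print("authenticated receiver accepted:", accepted)
```

The tag check defeats the man in the middle (any change to the body invalidates the tag) and the hijacker (no key, no valid tag); the sequence number defeats the replay of a genuine captured message, which a tag alone would not catch. Real protocols add encryption on top so the hijacker cannot even read the session, but the rejection logic is the same.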

Wireless attacks

There are a number of different attacks against wireless networks that you should be familiar with. Hackers can crack your wireless encryption if you are using a weak encryption protocol such as WEP. Hackers can also spoof the MAC address of their system and try to bypass your MAC address filters. Also, there are wireless scanners such as Kismet that can be used to discover wireless networks even though SSID broadcasting is disabled.

To protect against wireless attacks, you should implement strong encryption protocols such as WPA2 (or WPA3 where your equipment supports it) and use an authentication server such as a RADIUS server for network access (WPA2-Enterprise with 802.1X), rather than relying on a shared key or on MAC address filtering, which a spoofed MAC address bypasses.

Zero-day attack

A zero-day attack is an attack against a system that exploits a security vulnerability for which the vendor of the system or software has not yet released a fix, usually because the vendor does not yet know the weakness exists. Zero-day attacks are hard to protect against because no patch is available; the remaining defenses are the general ones, such as exposing as few services as possible, running with least privilege, and monitoring for unusual behavior.

Zombie/botnet attack

A system that a hacker has compromised and has full control of is known as a zombie system. A hacker will typically use a zombie system, or many zombie systems controlled together (known as a botnet), to attack another system in a distributed denial of service (DDoS) attack, in which the flood of traffic comes from thousands of sources at once and so cannot be stopped by blocking a single address.