Chapter 13: Further Reading — Network-Based Attacks

Essential Books

Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin's Most Dangerous Hackers by Andy Greenberg (Doubleday, 2019) The definitive account of the NotPetya attack and the Sandworm group behind it. Greenberg's investigative journalism brings to life the devastating real-world impact of network-based lateral movement. Essential reading for understanding how nation-state actors weaponize the techniques covered in this chapter.

Network Security Assessment: Know Your Network by Chris McNab (O'Reilly, 3rd Edition, 2016) A comprehensive guide to assessing network security, covering everything from network mapping to protocol-level attacks. McNab's systematic approach mirrors professional penetration testing methodology. Particularly strong on DNS, SMTP, and SNMP attacks.

The Practice of Network Security Monitoring by Richard Bejtlich (No Starch Press, 2013) Written from the defender's perspective, this book explains how to detect the network-based attacks covered in this chapter. Covers network monitoring architecture, traffic analysis, and intrusion detection with practical examples using open-source tools.

Attacking Network Protocols by James Forshaw (No Starch Press, 2018) A deep technical dive into how network protocols work and how they can be attacked. Forshaw covers protocol analysis, packet capture, and exploitation techniques with detailed examples. Excellent for readers who want to understand the underlying mechanisms of network-based attacks.

Counter Hack Reloaded by Ed Skoudis and Tom Liston (Prentice Hall, 2nd Edition, 2006) While older, Skoudis's treatment of network-level attacks remains one of the clearest and most comprehensive. The ARP, DNS, and session hijacking chapters are particularly well-written. A foundational text that every security professional should read.

Online Resources

Bettercap Documentation https://www.bettercap.org/ The official documentation for Bettercap, the modern Swiss Army knife for network attacks and monitoring. Includes tutorials for ARP spoofing, DNS spoofing, HTTPS proxying, and Wi-Fi attacks. The modular scripting system allows custom attack automation.

MITRE ATT&CK — Lateral Movement (TA0008) https://attack.mitre.org/tactics/TA0008/ The definitive catalog of lateral movement techniques used by real-world adversaries. Each technique includes examples from observed APT campaigns, detection strategies, and mitigations. Essential for understanding how the techniques in this chapter map to real threats.

Impacket GitHub Repository https://github.com/fortra/impacket Impacket is the premier Python library for working with network protocols, particularly in Windows environments. Its example scripts (psexec.py, wmiexec.py, ntlmrelayx.py, responder.py) are essential tools for penetration testers. Well-documented source code that teaches protocol-level attack implementation.

Cisco Security Configuration Guide https://www.cisco.com/c/en/us/support/ Cisco's official documentation for Layer 2 security features including DAI, DHCP snooping, port security, and STP protection. While vendor-specific, the concepts apply broadly to all managed switches.

SANS Reading Room — Network Security Papers https://www.sans.org/white-papers/ Thousands of free papers on network security topics. Search for "ARP spoofing," "VLAN hopping," "DNS tunneling," and "lateral movement" for detailed technical analyses.

Practice Environments

GNS3 and EVE-NG Network emulation platforms that allow you to build virtual networks with real router and switch images. Essential for practicing VLAN hopping, STP attacks, and Layer 2 security configuration without requiring physical network equipment.

Hack The Box — Pro Labs https://www.hackthebox.com/ The RastaLabs and Offshore pro labs provide realistic Active Directory environments where you can practice lateral movement techniques including pass-the-hash, PsExec, WMI, and Kerberos attacks.

PentesterLab https://pentesterlab.com/ Offers progressive exercises for network-based attacks, from basic ARP spoofing to advanced NTLM relay and Kerberos exploitation. The structured learning path is well-suited for building skills systematically.

DVWA and WebGoat Free, intentionally vulnerable web applications for practicing MITM-related web attacks. Useful for understanding how intercepted traffic can be manipulated.

Research Papers and Technical Resources

"New Tricks for Defeating SSL in Practice" by Moxie Marlinspike (Black Hat DC, 2009) The seminal presentation on SSL stripping. Marlinspike demonstrated how easily HTTPS connections could be downgraded and intercepted through MITM attacks, spurring the development of HSTS and other defenses.

"An Illustrated Guide to the Kaminsky DNS Vulnerability" by Steve Friedl (2008) One of the clearest explanations of the Kaminsky DNS cache poisoning attack. Uses diagrams and step-by-step descriptions to make the complex attack understandable.

"Responder — MultiRelay to Domain Admin" by Laurent Gaffie The creator of Responder documents the techniques for capturing and relaying NTLM authentication. Essential reading for understanding LLMNR/NBT-NS poisoning and NTLM relay attacks in Windows environments.

"The Darkhotel APT" by Kaspersky Lab GReAT (2014) The original technical report on the Darkhotel campaign. Provides detailed analysis of the MITM techniques, malware components, and targeting methodology used in real-world hotel network attacks.

"Practical Attacks Against NTLMv1 and NTLMv2" by Mike Pilkington (SANS, 2020) A detailed examination of NTLM authentication attacks including relay, pass-the-hash, and cracking techniques. Includes practical examples and defensive recommendations.

Certifications and Training

Offensive Security Experienced Penetration Tester (OSEP) Focuses on advanced network-based attacks, including lateral movement, Active Directory exploitation, and evasion techniques. Builds on OSCP with more complex network environments.

GIAC Network Penetration Tester (GPEN) SANS certification covering network-level penetration testing techniques, including many of the attacks in this chapter. The associated SEC560 course provides hands-on labs.

Certified Network Defender (CND) — EC-Council Focused on the defensive side, CND covers network security architecture, monitoring, and incident response. Useful for understanding how the attacks in this chapter are detected and defended.

eLearnSecurity Certified Professional Penetration Tester (eCPPT) Includes extensive coverage of network-based attacks and pivoting. The practical exam requires demonstrating these skills in a realistic environment.

Tools Reference

| Tool         | Purpose                                  | Website                                 |
|--------------|------------------------------------------|-----------------------------------------|
| Bettercap    | Modern MITM framework                    | bettercap.org                           |
| Ettercap     | Classic MITM suite                       | ettercap.github.io                      |
| Responder    | LLMNR/NBT-NS poisoner                    | github.com/lgandx/Responder             |
| Impacket     | Python network protocol library          | github.com/fortra/impacket              |
| Scapy        | Packet crafting library                  | scapy.net                               |
| CrackMapExec | Network scanning and lateral movement    | github.com/byt3bl33d3r/CrackMapExec     |
| Evil-WinRM   | WinRM lateral movement                   | github.com/Hackplayers/evil-winrm       |
| dnscat2      | DNS tunneling tool                       | github.com/iagox86/dnscat2              |
| Yersinia     | Layer 2 attack framework                 | github.com/tomac/yersinia               |
| arpwatch     | ARP monitoring and detection             | linux.die.net/man/8/arpwatch            |