Chapter 13: Key Takeaways — Network-Based Attacks

Core Concepts

  1. The network itself is an attack surface. Beyond individual host vulnerabilities, the protocols and infrastructure that connect systems—ARP, DNS, STP, VLANs—contain exploitable weaknesses that can be leveraged for interception, redirection, and lateral movement.

  2. ARP spoofing is the foundation of local network MITM. ARP is unauthenticated and most hosts accept unsolicited replies, so any device on a segment can claim any IP address and pull that address's traffic through itself. Dynamic ARP Inspection (DAI) is the primary switch-side defense: it validates each ARP packet against the DHCP snooping binding table, so DHCP snooping must be enabled first and statically addressed hosts need ARP ACL entries. Enable both on every managed switch.

  3. SSL stripping exploits the HTTP-to-HTTPS transition. HSTS and HSTS preloading are the definitive defenses, with one caveat: a browser only learns HSTS from a response it received over HTTPS, so the first visit (or the first after max-age expires) is still strippable unless the domain is on the browser preload list. Every organization should serve HSTS with a max-age of at least one year, includeSubDomains and the preload directive, confirm that every subdomain serves valid HTTPS (preloading is hard to reverse), and then submit the domain to the browser preload list.

  4. DNS is critical infrastructure with a vast attack surface. DNS spoofing, cache poisoning, and DNS tunneling exploit the protocol's lack of built-in authentication. The defenses cover different hops: DNSSEC lets a validating resolver reject forged or poisoned answers, DNS-over-HTTPS (or DNS-over-TLS) encrypts the client-to-resolver hop so an on-path attacker can neither read nor rewrite queries, and neither stops tunneling, which rides on syntactically legitimate queries and is caught only by monitoring query volume, label length and entropy, and unusual record types.

  5. VLAN segmentation is only as strong as the switch configuration. Default switch configurations often allow VLAN hopping through DTP negotiation (switch spoofing) or double tagging. Every access port must be explicitly configured with switchport mode access and switchport nonegotiate, every trunk needs switchport nonegotiate as well, and the trunk native VLAN must be an unused VLAN rather than the default VLAN 1, because double tagging only works when the attacker's access VLAN is the trunk's native VLAN.

  6. Lateral movement is how initial access becomes total compromise. Tools like PsExec, WMI, and PowerShell remoting are legitimate administration tools that attackers abuse, which is why they rarely trip signature-based controls. Credential hygiene, network segmentation, and monitoring for unusual authentication patterns (network logons from workstation to workstation, one account authenticating to many hosts within minutes, the service PsExec installs on its target) are critical defenses.

  7. Encryption is the universal defense against interception. TLS, IPsec, SSH, and encrypted application protocols render captured traffic unreadable, but only when the client actually verifies the peer: a MITM that presents its own certificate succeeds against any client that skips validation, and metadata (who talks to whom, when, and how much) stays visible. "Encrypt everything" is not just a slogan; combined with strict certificate validation it is the most effective defense against network-level attacks.
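The detection side of takeaway 2 (and of the traffic-analysis item in the checklist below), as an added example rather than code from the chapter: it parses raw Ethernet/ARP frames, learns IP-to-MAC bindings and flags both an unsolicited reply and an address whose MAC just changed. The frames, addresses and hosts are constructed inside the block for illustration; nothing here comes from a real capture.

```python
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(s):
    return bytes(int(x, 16) for x in s.split(":"))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_bytes(s):
    return bytes(int(x) for x in s.split("."))


def ip_str(b):
    return ".".join(str(x) for x in b)


def build_arp_frame(oper, sha, spa, tha, tpa):
    """Build a raw Ethernet+ARP frame. Used here only to construct sample traffic."""
    eth_dst = b"\xff" * 6 if oper == ARP_REQUEST else mac_bytes(tha)
    eth = eth_dst + mac_bytes(sha) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)  # htype, ptype, hlen, plen, oper
    arp += mac_bytes(sha) + ip_bytes(spa) + mac_bytes(tha) + ip_bytes(tpa)
    return eth + arp


def parse_arp(frame):
    """Return the ARP fields of an Ethernet frame, or None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"eth_src": mac_str(frame[6:12]), "oper": oper,
            "sha": mac_str(frame[22:28]), "spa": ip_str(frame[28:32]),
            "tha": mac_str(frame[32:38]), "tpa": ip_str(frame[38:42])}


class ArpSpoofDetector:
    """Passive detector: learns IP->MAC bindings, flags unsolicited replies and binding changes."""

    def __init__(self):
        self.table = {}       # ip -> mac as first learned
        self.pending = set()  # (requester_ip, requested_ip) pairs still awaiting a reply
        self.alerts = []

    def feed(self, frame):
        p = parse_arp(frame)
        if p is None:
            return
        if p["oper"] == ARP_REQUEST:
            self.pending.add((p["spa"], p["tpa"]))
        elif p["oper"] == ARP_REPLY:
            if p["eth_src"] != p["sha"]:
                self.alerts.append({"kind": "header_mismatch", "ip": p["spa"], "mac": p["sha"]})
            # A reply nobody asked for is the spoofing-tool pattern, but gratuitous ARP at boot
            # or on HSRP/VRRP failover looks identical, so this is a weak signal on its own.
            if (p["tpa"], p["spa"]) in self.pending:
                self.pending.discard((p["tpa"], p["spa"]))
            else:
                self.alerts.append({"kind": "unsolicited_reply", "ip": p["spa"], "mac": p["sha"]})
        if p["spa"] != "0.0.0.0":  # ARP probes carry no usable sender address
            self._learn(p["spa"], p["sha"])

    def _learn(self, ip, mac):
        old = self.table.setdefault(ip, mac)
        if old != mac:
            # Strong signal: an address (the gateway above all) just moved to another MAC.
            # Under a live attack this flaps as the real host and the attacker keep answering.
            self.alerts.append({"kind": "mac_change", "ip": ip, "old": old, "new": mac})
            self.table[ip] = mac


def run_demo():
    """Hypothetical segment: gateway 10.0.0.1, victim 10.0.0.10, attacker poisoning both sides."""
    gw, victim, attacker = "00:11:22:33:44:01", "00:11:22:33:44:10", "de:ad:be:ef:00:66"
    frames = [
        build_arp_frame(ARP_REQUEST, victim, "10.0.0.10", "00:00:00:00:00:00", "10.0.0.1"),
        build_arp_frame(ARP_REPLY, gw, "10.0.0.1", victim, "10.0.0.10"),
        build_arp_frame(ARP_REPLY, attacker, "10.0.0.1", victim, "10.0.0.10"),  # "I am the gateway"
        build_arp_frame(ARP_REPLY, attacker, "10.0.0.10", gw, "10.0.0.1"),      # "I am the victim"
    ]
    det = ArpSpoofDetector()
    for frame in frames:
        det.feed(frame)
    return det.alerts


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

On a real segment the frames come from a raw socket or a pcap instead of build_arp_frame; the mac_change alert on the gateway address is the one worth paging on, while unsolicited_reply needs an allow-list for first-hop redundancy protocols before it is useful.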
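A check for takeaway 3, added here as an example and not taken from the chapter: it parses a Strict-Transport-Security header and reports the gaps an SSL-stripping attacker could still exploit, measured against the browser preload list's published requirements (max-age of at least one year, includeSubDomains, preload). The header strings it evaluates are made-up test inputs, and the RFC 6797 rule that a header received over plain HTTP is ignored is modelled by the received_over_https flag.

```python
ONE_YEAR = 31536000  # seconds; the minimum max-age the browser preload list accepts


def parse_hsts(header):
    """Split a Strict-Transport-Security value into a dict of lower-cased directives."""
    directives = {}
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = value.strip().strip('"')
    return directives


def evaluate_hsts(header, received_over_https=True):
    """What a browser will learn from this header, and the gaps a stripping attacker can still use."""
    d = parse_hsts(header)
    try:
        max_age = int(d["max-age"])
    except (KeyError, ValueError):
        max_age = None
    has_subdomains, has_preload = "includesubdomains" in d, "preload" in d
    findings = []
    if not received_over_https:
        findings.append("sent over plain HTTP: browsers must ignore it (RFC 6797 section 8.1)")
    if max_age is None:
        findings.append("no valid max-age directive: the header is invalid and ignored")
    elif max_age == 0:
        findings.append("max-age=0 tells the browser to forget the policy")
    elif max_age < ONE_YEAR:
        findings.append(f"max-age {max_age}s is below the one-year preload minimum")
    if not has_subdomains:
        findings.append("no includeSubDomains: http://any.sub.domain can still be stripped")
    # Preload list rules: max-age of at least one year, includeSubDomains and preload all present.
    preload_eligible = max_age is not None and max_age >= ONE_YEAR and has_subdomains and has_preload
    if not preload_eligible:
        findings.append("not preload-eligible: the first visit, or the first after expiry, is strippable")
    return {"max_age": max_age, "include_subdomains": has_subdomains, "preload": has_preload,
            "effective": received_over_https and bool(max_age),
            "preload_eligible": preload_eligible, "findings": findings}


if __name__ == "__main__":
    # weak header beside the corrected one (made-up inputs)
    for hdr in ("max-age=300", "max-age=31536000; includeSubDomains; preload"):
        print(hdr, "->", evaluate_hsts(hdr)["findings"] or "OK")
```

Run it against the header your own sites actually return over HTTPS; a header that only appears on the redirect response served over HTTP is the common misconfiguration this catches.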

Practical Skills Checklist

After completing this chapter, you should be able to:

  • [ ] Perform ARP spoofing and establish a MITM position in a lab environment
  • [ ] Use Bettercap or Ettercap for traffic interception and manipulation
  • [ ] Conduct DNS spoofing attacks from a MITM position
  • [ ] Set up and detect DNS tunneling with dnscat2
  • [ ] Understand and test VLAN hopping through switch spoofing and double tagging
  • [ ] Perform lateral movement using PsExec, WMI, and pass-the-hash techniques
  • [ ] Capture NTLM hashes with Responder
  • [ ] Configure Layer 2 switch security (DAI, DHCP Snooping, Port Security, BPDU Guard)
  • [ ] Analyze network traffic for indicators of MITM attacks
  • [ ] Design network segmentation that resists lateral movement
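The detection half of the dnscat2 checklist item above (and the monitoring layer named in takeaway 4), as an added example that is not part of the chapter: it groups a query log by client and registrable domain and scores each group on unique-subdomain ratio, label length and character entropy, the three properties a dnscat2-style tunnel (hex-encoded labels, TXT/CNAME/MX records) cannot hide. The log lines are constructed for the example in a simplified "timestamp client qname qtype" format; the thresholds are starting points, not tuned values, and the two-label domain split is a stand-in for a proper Public Suffix List lookup.

```python
import math
from collections import defaultdict

# Constructed query log, not a real capture: 10.0.0.10 browses normally,
# 10.0.0.21 runs a dnscat2-style tunnel that carries data in hex labels under example.org.
SAMPLE_LOG = """\
2024-05-01T10:00:01 10.0.0.10 www.example.com A
2024-05-01T10:00:02 10.0.0.10 mail.example.com MX
2024-05-01T10:00:03 10.0.0.10 www.example.com AAAA
2024-05-01T10:00:04 10.0.0.10 imap.example.com A
2024-05-01T10:00:05 10.0.0.10 cdn.example.com A
2024-05-01T10:00:06 10.0.0.10 www.example.com A
2024-05-01T10:00:07 10.0.0.21 a94f3c8e21d7b605e3f9a1c4d8b2067f.tun.example.org TXT
2024-05-01T10:00:07 10.0.0.21 7d2e0b9f4a6c1835b80e5d7c3f91a246.tun.example.org CNAME
2024-05-01T10:00:08 10.0.0.21 c3a81f6e5d2b7940f1e4a7c90b385d62.tun.example.org TXT
2024-05-01T10:00:08 10.0.0.21 5e9b2c7d0a1f3846d27c9e0b5f4a8136.tun.example.org MX
2024-05-01T10:00:09 10.0.0.21 e0d4b7a29c5f8136a3e6f1b8c0d29457.tun.example.org TXT
2024-05-01T10:00:09 10.0.0.21 18f5c2a97e4d0b632c7f0e9a5b1d8463.tun.example.org CNAME
"""


def shannon_entropy(s):
    """Bits per character; 'www' scores 0, a 32-character hex blob scores close to 4."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname):
    """Naive (prefix, registrable domain) split on the last two labels.
    Simplification: a real deployment should use the Public Suffix List for co.uk-style domains."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def analyze(log_text, min_queries=5, min_unique_ratio=0.8, min_mean_len=20, min_entropy=3.0):
    """Per (client, domain) statistics with a 'suspicious' verdict for tunnel-like traffic."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed lines rather than crash on them
        _, client, qname, qtype = fields
        prefix, domain = split_name(qname)
        groups[(client, domain)].append((prefix, qtype))
    report = {}
    for key, queries in groups.items():
        prefixes = [p.replace(".", "") for p, _ in queries]
        n = len(prefixes)
        stats = {
            "queries": n,
            "unique_ratio": len(set(prefixes)) / n,   # a tunnel never repeats a label
            "mean_len": sum(map(len, prefixes)) / n,  # payload needs long labels
            "mean_entropy": sum(map(shannon_entropy, prefixes)) / n,
            # record types that carry bulky answers; reported as corroboration, not used in the verdict
            "bulky_type_ratio": sum(t in ("TXT", "NULL", "CNAME", "MX") for _, t in queries) / n,
        }
        stats["suspicious"] = (n >= min_queries and stats["unique_ratio"] >= min_unique_ratio
                               and stats["mean_len"] >= min_mean_len
                               and stats["mean_entropy"] >= min_entropy)
        report[key] = stats
    return report


if __name__ == "__main__":
    for (client, domain), stats in analyze(SAMPLE_LOG).items():
        flag = "TUNNEL?" if stats["suspicious"] else "ok"
        print(f"{client} -> {domain}: {stats['queries']} queries, "
              f"entropy {stats['mean_entropy']:.2f}, mean len {stats['mean_len']:.0f} [{flag}]")
```

CDN and anti-virus update domains also produce long, unique, high-entropy labels, so an allow-list of known services and a look at total bytes per domain per hour belong in front of the verdict before it feeds an alert queue.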

Critical Reminders

  • Network attacks have collateral effects. ARP spoofing can affect every device on the segment, and a MITM host that forwards slowly, or stops forwarding, becomes a denial of service for its targets. Always coordinate with network administrators and test during maintenance windows.
  • Healthcare networks carry life-critical traffic. Disrupting network connectivity on a clinical VLAN could affect patient monitoring. Never test network attacks on production clinical segments.
  • Layer 2 hardening is foundational. Many organizations neglect switch-level security. A complete assessment includes verifying that DAI, DHCP snooping, port security, and BPDU guard are properly configured, not just that they exist somewhere in the running-config.
  • Defense requires encryption at every layer. Network segmentation limits exposure, but encryption ensures that intercepted traffic is useless to the attacker.
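One way to perform the switch-level verification called for above and in takeaway 5, as an added example and not code or configuration from the chapter: an auditor that parses a Catalyst-style running-config and reports access ports left DTP-dynamic, missing nonegotiate, BPDU guard or port security, trunks with the default native VLAN, an access VLAN that matches a trunk native VLAN (the double-tagging condition), and VLANs with access ports that DAI or DHCP snooping do not cover. The config excerpt is constructed for the example; the interface names, VLAN numbers and the skipping of routed ports and SVIs are simplifications.

```python
# Constructed excerpt of a Catalyst-style running-config, not from a real device: Gi1/0/1 is a
# hardened access port, Gi1/0/2 was left at defaults, Gi1/0/24 is the uplink trunk.
SAMPLE_CONFIG = """\
ip dhcp snooping
ip dhcp snooping vlan 10,20
ip arp inspection vlan 10
!
interface GigabitEthernet1/0/1
 switchport access vlan 10
 switchport mode access
 switchport nonegotiate
 switchport port-security
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/2
 switchport access vlan 20
 spanning-tree portfast
!
interface GigabitEthernet1/0/24
 switchport trunk native vlan 999
 switchport mode trunk
 switchport nonegotiate
 ip dhcp snooping trust
 ip arp inspection trust
!
"""


def parse_config(text):
    """Split IOS-style config into top-level commands and a per-interface list of commands."""
    top, interfaces, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            interfaces[current] = []
        elif raw.startswith(" ") and current is not None:
            interfaces[current].append(raw.strip())
        else:
            current = None
            top.append(raw.strip())
    return top, interfaces


def vlan_set(spec):
    """'10,20-22' -> {10, 20, 21, 22}; an empty spec means no VLANs."""
    out = set()
    for part in filter(None, spec.split(",")):
        lo, _, hi = part.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out


def arg_of(cmds, prefix):
    """Argument text of the first command starting with prefix, or None."""
    for c in cmds:
        if c.startswith(prefix + " "):
            return c[len(prefix) + 1:]
    return None


def audit(text):
    """Return (scope, message) findings; scope is an interface name or 'global'."""
    top, interfaces = parse_config(text)
    findings = []
    snoop_vlans = vlan_set(arg_of(top, "ip dhcp snooping vlan") or "")
    dai_vlans = vlan_set(arg_of(top, "ip arp inspection vlan") or "")
    if "ip dhcp snooping" not in top:
        findings.append(("global", "ip dhcp snooping is off, so DAI has no binding table to check against"))
    global_bpduguard = "spanning-tree portfast bpduguard default" in top
    access_vlans, native_vlans = {}, set()
    for name, cmds in interfaces.items():
        if "no switchport" in cmds or name.startswith(("Vlan", "Loopback", "Tunnel")):
            continue  # routed ports and SVIs carry no Layer 2 port settings (simplification)
        if "switchport mode trunk" in cmds:
            native = int(arg_of(cmds, "switchport trunk native vlan") or 1)
            native_vlans.add(native)
            if native == 1:
                findings.append((name, "trunk native VLAN left at default 1"))
            if "switchport nonegotiate" not in cmds:
                findings.append((name, "trunk still speaks DTP: add switchport nonegotiate"))
            for trust in ("ip dhcp snooping trust", "ip arp inspection trust"):
                if trust not in cmds:
                    findings.append((name, f"uplink lacks '{trust}': upstream DHCP offers/ARP get dropped"))
            continue
        vlan = int(arg_of(cmds, "switchport access vlan") or 1)
        access_vlans[name] = vlan
        required = {"switchport mode access": "port is DTP-dynamic by default and can be negotiated into a trunk",
                    "switchport nonegotiate": "port still transmits DTP frames",
                    "switchport port-security": "no MAC-address limit on an edge port"}
        for cmd, why in required.items():
            if cmd not in cmds:
                findings.append((name, f"missing '{cmd}': {why}"))
        if "spanning-tree bpduguard enable" not in cmds and not (global_bpduguard and "spanning-tree portfast" in cmds):
            findings.append((name, "no BPDU guard: a rogue switch on this port can join and reshape STP"))
    for name, vlan in access_vlans.items():
        if vlan in native_vlans:
            findings.append((name, f"access VLAN {vlan} is also a trunk native VLAN: double tagging works"))
        if vlan not in dai_vlans:
            findings.append(("global", f"VLAN {vlan} has access ports but is not covered by 'ip arp inspection vlan'"))
        if vlan not in snoop_vlans:
            findings.append(("global", f"VLAN {vlan} has access ports but is not covered by 'ip dhcp snooping vlan'"))
    return findings


if __name__ == "__main__":
    for scope, msg in audit(SAMPLE_CONFIG):
        print(f"{scope}: {msg}")
```

Feed it the output of show running-config from every access switch during an assessment; the global findings (VLANs that DAI or snooping skip) are the ones most often missed when each port is reviewed in isolation.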

Connection to Next Chapter

Chapter 14 shifts focus from network protocols to the most fundamental authentication mechanism: passwords. You will learn how attackers crack, spray, stuff, and relay passwords—and how defenders can implement password policies, multi-factor authentication, and credential management that resist even the most sophisticated attacks.