This module from Hack The Box Academy dives deep into intermediate network traffic analysis techniques, empowering students to detect and mitigate a plethora of cyber threats. The content is broken down as follows:
Detecting Link Layer Attacks:
- Mastery over ARP-based vulnerabilities, encompassing spoofing, scanning, and denial-of-service attacks.
- Insights into 802.11 threats, including denial-of-service and deauthentication.
- Strategies to identify and mitigate Rogue Access Points and the malicious "Evil-Twin" attacks.
Detecting Network Abnormalities:
- Techniques to uncover fragmentation attacks and the nefarious intentions behind IP spoofing.
- Detecting TCP handshake irregularities and connection anomalies such as resets and hijacking.
- Unveiling covert channels like ICMP tunneling.
Detecting Application Layer Attacks:
- Detecting web-based threats from HTTP/HTTPS enumeration and oddities in HTTP headers.
- Skills to identify and tackle injection attacks like XSS and Command Injection, as well as the subtle SSL renegotiation attacks.
- Strategies for identifying suspicious DNS activities and unusual Telnet & UDP connections.
This module is broken into sections with accompanying hands-on exercises to practice the techniques we cover. The module ends with a practical hands-on skills assessment to gauge your understanding of the various topic areas.
As you work through the module, you will see detection examples for the topics introduced. It is worth reproducing as many of these examples as possible to further reinforce the concepts presented in each section. You can do this on the target host provided in the interactive sections or on your own virtual machine.
You can start and stop the module anytime and pick up where you left off. There is no time limit or "grading," but you must complete all of the exercises and the skills assessment to receive the maximum number of cubes and have this module marked as complete in any paths you have chosen.
The module is classified as "easy" and assumes basic knowledge of how Windows/Linux operate and common attack principles.
A firm grasp of the following modules can be considered prerequisites for successful completion of this module:
- Intro to Network Traffic Analysis
Intermediate Network Traffic Analysis Overview
The importance of mastering network traffic analysis in our fast-paced, constantly evolving, and intricate network environments cannot be overstated. Confronted with an overwhelming volume of traffic traversing our network infrastructure, it can feel daunting. Our potential to feel ill-equipped or even overwhelmed is an inherent challenge we must overcome.
In this module, our focus will be on an extensive set of attacks that span crucial components of our network infrastructure. We will delve into attacks that take place on the link layer, the IP (network) layer, and the transport layer, and our exploration will also encompass attacks that target the application layer. The goal is to discern patterns and trends within these attacks. Recognizing these patterns equips us with the essential skills to detect and respond to these threats effectively.
Further, we will discuss additional skills to augment our abilities. We will touch upon anomaly detection techniques, delve into facets of log analysis, and investigate some Indicators of Compromise (IOCs). This comprehensive approach not only bolsters our capacity for proactive threat identification but also enhances our reactive measures. Ultimately, this will empower us to identify, report, and respond to threats more effectively and within a shorter time frame.
Note: To participate in this module and complete the hands-on exercises, please download pcap_files.zip from the Resources section (upper right corner). You can download and uncompress pcaps.zip to a directory named pcaps inside Pwnbox as follows.
[!bash!]$ wget -O file.zip 'https://academy.hackthebox.com/storage/resources/pcap_files.zip' && mkdir tempdir && unzip file.zip -d tempdir && mkdir -p pcaps && mv tempdir/Intermediate_Network_Traffic_Analysis/* pcaps/ && rm -r tempdir file.zip

--2023-08-08 14:09:14--  https://academy.hackthebox.com/storage/resources/pcap_files.zip
Resolving academy.hackthebox.com (academy.hackthebox.com)... 18.104.22.168, 22.214.171.124, 2606:4700::6812:147e, ...
Connecting to academy.hackthebox.com (academy.hackthebox.com)|126.96.36.199|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 19078200 (18M) [application/zip]
Saving to: ‘file.zip’

file.zip            100%[===============>]  18.19M  71.4MB/s    in 0.3s

2023-08-08 14:09:14 (71.4 MB/s) - ‘file.zip’ saved [19078200/19078200]

Archive:  file.zip
   creating: tempdir/Intermediate_Network_Traffic_Analysis/
  inflating: tempdir/Intermediate_Network_Traffic_Analysis/ARP_Poison.pcapng
  inflating: tempdir/Intermediate_Network_Traffic_Analysis/ARP_Scan.pcapng
  inflating: tempdir/Intermediate_Network_Traffic_Analysis/ARP_Spoof.pcapng
  inflating: tempdir/Intermediate_Network_Traffic_Analysis/basic_fuzzing.pcapng
  inflating: tempdir/Intermediate_Network_Traffic_Analysis/CRLF_and_host_header_manipulation.pcapng
  inflating: tempdir/Intermediate_Network_Traffic_Analysis/deauthandbadauth.cap
  inflating: tempdir/Intermediate_Network_Traffic_Analysis/decoy_scanning_nmap.pcapng
  inflating: tempdir/Intermediate_Network_Traffic_Analysis/dns_enum_detection.pcapng
  inflating: tempdir/Intermediate_Network_Traffic_Analysis/dns_tunneling.pcapng
  inflating: tempdir/Intermediate_Network_Traffic_Analysis/funky_dns.pcap
  inflating: tempdir/Intermediate_Network_Traffic_Analysis/funky_icmp.pcap
  inflating: tempdir/Intermediate_Network_Traffic_Analysis/icmp_frag.pcapng
  inflating: tempdir/Intermediate_Network_Traffic_Analysis/ICMP_rand_source.pcapng
  inflating: tempdir/Intermediate_Network_Traffic_Analysis/ICMP_rand_source_larg_data.pcapng
  inflating: tempdir/Intermediate_Network_Traffic_Analysis/ICMP_smurf.pcapng
  inflating: tempdir/Intermediate_Network_Traffic_Analysis/icmp_tunneling.pcapng
  inflating: tempdir/Intermediate_Network_Traffic_Analysis/ip_ttl.pcapng
  inflating: tempdir/Intermediate_Network_Traffic_Analysis/LAND-DoS.pcapng
  inflating: tempdir/Intermediate_Network_Traffic_Analysis/nmap_ack_scan.pcapng
  inflating: tempdir/Intermediate_Network_Traffic_Analysis/nmap_fin_scan.pcapng
  inflating: tempdir/Intermediate_Network_Traffic_Analysis/nmap_frag_fw_bypass.pcapng
  inflating: tempdir/Intermediate_Network_Traffic_Analysis/nmap_null_scan.pcapng
  inflating: tempdir/Intermediate_Network_Traffic_Analysis/nmap_syn_scan.pcapng
  inflating: tempdir/Intermediate_Network_Traffic_Analysis/nmap_xmas_scan.pcapng
  inflating: tempdir/Intermediate_Network_Traffic_Analysis/number_fuzzing.pcapng
  inflating: tempdir/Intermediate_Network_Traffic_Analysis/rogueap.cap
  inflating: tempdir/Intermediate_Network_Traffic_Analysis/RST_Attack.pcapng
  inflating: tempdir/Intermediate_Network_Traffic_Analysis/SSL_renegotiation_edited.pcapng
  inflating: tempdir/Intermediate_Network_Traffic_Analysis/SSL_renegotiation_original.pcap
  inflating: tempdir/Intermediate_Network_Traffic_Analysis/TCP-hijacking.pcap
  inflating: tempdir/Intermediate_Network_Traffic_Analysis/TCP_rand_source_attacks.pcapng
  inflating: tempdir/Intermediate_Network_Traffic_Analysis/telnet_tunneling_23.pcapng
  inflating: tempdir/Intermediate_Network_Traffic_Analysis/telnet_tunneling_9999.pcapng
  inflating: tempdir/Intermediate_Network_Traffic_Analysis/telnet_tunneling_ipv6.pcapng
  inflating: tempdir/Intermediate_Network_Traffic_Analysis/udp_tunneling.pcapng
  inflating: tempdir/Intermediate_Network_Traffic_Analysis/XSS_Simple.pcapng