When connected to a network, whether it is wired or wireless, there are a lot of packets being sent back and forth between hosts. Some of these packets may contain sensitive and confidential information, such as usernames, passwords, password hashes, and documents, which are valuable to a penetration tester. While there are many secure network protocols that provide data encryption, there are many insecure network protocols that transmit data in plaintext.
While networking hardware has evolved over time, many of the protocols in the Transmission Control Protocol/Internet Protocol (TCP/IP) suite have not changed since they were designed, and neither have the trust assumptions built into the layers of the Open Systems Interconnection (OSI) model. Many client-server applications and services still send sensitive data in plaintext, which allows a penetration tester to intercept and capture that data. Captured user credentials and password hashes make it easy to gain access to clients and servers within the organization's network.
As shown in the preceding diagram, if the Windows host wants to communicate with the web server, each device needs to know the Media Access Control (MAC) address of the other. Because a Local Area Network (LAN) is mostly made up of switches that operate at Layer 2 of the OSI networking model, these devices only read the MAC addresses found within the Layer 2 header of the frame, not the IP addresses within the Layer 3 header. Therefore, for communication between two devices on the same network, the destination MAC address is what the switch uses to make its forwarding decision.
If a device such as the Windows host does not know the MAC address of the web server, it broadcasts an Address Resolution Protocol (ARP) request message to all devices within the same network segment (also known as a broadcast domain). The ARP request contains the destination host's IP address, which is referred to as the target IP address. The host on the network that is configured with the target IP address responds with its MAC address in an ARP reply message. Each host keeps an ARP cache, which temporarily stores the IP-to-MAC address mappings it has learned.
ARP is the protocol used to resolve IPv4 addresses to MAC addresses within a network segment. Cached entries expire after an inactivity timeout that depends on the operating system (tens of seconds on Linux, minutes on Windows, while routers and switches often keep entries much longer), after which the host has to resolve the address again.
However, ARP is one of the many protocols that wasn't designed with security in mind. ARP messages carry no authentication, and a host accepts and caches an ARP reply it never asked for. A penetration tester on the same segment can therefore rewrite the entries in a target host's ARP cache simply by sending crafted ARP messages.
The following are the phases of a MITM attack:
- To perform a MITM attack, the penetration tester needs to ensure their attack system, such as Kali Linux, is connected to the same network segment as the targets.
- Next, the attacker sends unsolicited (gratuitous) ARP replies that contain false IP-to-MAC address mappings. The Windows host is told that the web server's IP address belongs to the attacker's MAC address, and the web server is told that the Windows host's IP address belongs to the attacker's MAC address.
- Once both targets' ARP caches are poisoned with the false information, all traffic the two targets send to each other is delivered to the attacker's machine instead, as shown:
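The following is an added example (not code from the original page) that shows the mechanism the phases above rely on. It builds and parses real ARP frames with the standard library and models each target's ARP cache: the cache merges any reply it receives, so two unsolicited replies from the attacker are enough to redirect both hosts. The MAC addresses and the 172.30.1.x addresses are constructed for the example.

```python
import socket
import struct

# Constructed lab addresses for this example (not taken from the page's lab).
WINDOWS_MAC = bytes.fromhex("0800270a0b0c")
WINDOWS_IP = "172.30.1.129"
SERVER_MAC = bytes.fromhex("080027112233")
SERVER_IP = "172.30.1.134"
KALI_MAC = bytes.fromhex("080027deadbe")   # the attacker's interface

ETH_BROADCAST = b"\xff" * 6
ZERO_MAC = b"\x00" * 6
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip, eth_dst):
    """Ethernet II frame carrying an ARP packet (RFC 826): hardware type 1 (Ethernet),
    protocol type 0x0800 (IPv4), address lengths 6 and 4, then the four addresses."""
    eth_hdr = eth_dst + sender_mac + struct.pack("!H", ETHERTYPE_ARP)
    arp_hdr = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    body = sender_mac + socket.inet_aton(sender_ip) + target_mac + socket.inet_aton(target_ip)
    return eth_hdr + arp_hdr + body


def parse_arp(frame):
    """Decode the fields a switch (Layer 2 header) and a host (ARP body) look at."""
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol types")
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    return {
        "eth_dst": eth_dst, "eth_src": eth_src, "op": op,
        "sender_mac": sha, "sender_ip": socket.inet_ntoa(spa),
        "target_mac": tha, "target_ip": socket.inet_ntoa(tpa),
    }


class ArpCache:
    """Minimal model of a host's ARP cache. The weakness the attack relies on is in
    process(): a reply is merged into the table without checking that a request was ever
    sent, and nothing proves that the sender owns the IP address it claims."""

    def __init__(self, own_ip):
        self.own_ip = own_ip
        self.table = {}

    def process(self, frame):
        pkt = parse_arp(frame)
        if pkt["op"] == ARP_REPLY:
            self.table[pkt["sender_ip"]] = pkt["sender_mac"]
        elif pkt["op"] == ARP_REQUEST and pkt["target_ip"] == self.own_ip:
            # The target of a request learns the requester's mapping (RFC 826 merge step)
            # so it can send its reply without a lookup of its own.
            self.table[pkt["sender_ip"]] = pkt["sender_mac"]
        return pkt

    def lookup(self, ip):
        return self.table.get(ip)


def run_scenario():
    """Legitimate resolution, then the poisoning described in the phases above."""
    windows, server = ArpCache(WINDOWS_IP), ArpCache(SERVER_IP)

    # Legitimate resolution: broadcast request, unicast reply.
    request = build_arp(ARP_REQUEST, WINDOWS_MAC, WINDOWS_IP, ZERO_MAC, SERVER_IP, ETH_BROADCAST)
    server.process(request)
    reply = build_arp(ARP_REPLY, SERVER_MAC, SERVER_IP, WINDOWS_MAC, WINDOWS_IP, WINDOWS_MAC)
    windows.process(reply)
    before = (windows.lookup(SERVER_IP), server.lookup(WINDOWS_IP))

    # Poisoning: the attacker sends each target an unsolicited reply that claims the other
    # target's IP address for the attacker's MAC. Neither host asked, and neither checks.
    windows.process(build_arp(ARP_REPLY, KALI_MAC, SERVER_IP, WINDOWS_MAC, WINDOWS_IP, WINDOWS_MAC))
    server.process(build_arp(ARP_REPLY, KALI_MAC, WINDOWS_IP, SERVER_MAC, SERVER_IP, SERVER_MAC))
    after = (windows.lookup(SERVER_IP), server.lookup(WINDOWS_IP))
    return before, after


if __name__ == "__main__":
    before, after = run_scenario()
    print("before poisoning:", [m.hex(":") for m in before])
    print("after poisoning: ", [m.hex(":") for m in after])
```

After the two spoofed replies, the Windows host's entry for the web server and the web server's entry for the Windows host both point at the attacker's MAC, so the switch forwards their frames to the attacker's port. Ettercap keeps re-sending these replies because the poisoned entries would otherwise expire and be re-resolved correctly.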
This attack allows the penetration tester to intercept all communications between the poisoned hosts and simply forward the packets on to their real destinations, so an unsuspecting user will not notice that their traffic is being intercepted. While intercepting network packets, penetration testers usually run a packet capture/sniffer tool, such as the following:
- Wireshark: A free graphical tool used by both networking and cybersecurity professionals to capture network packets and perform protocol analysis and troubleshooting. In addition to packet capture, Wireshark offers protocol dissection, display filtering, and statistical analysis, which help identify patterns, anomalies, and potential security issues within network traffic.
- Tcpdump: A command-line tool that captures network traffic to the terminal or to a file for later analysis (for example, in Wireshark).
Intercepting traffic with MITM attacks:
1. Power on the Kali Linux, Metasploitable 2 Linux and THESPIDERMAN (Windows) virtual machines.
2. Then identify the IP and MAC address of each machine using nmap. Run the scan as root so that nmap uses ARP for host discovery on the local subnet and prints the MAC address of each host:
nmap -sn 172.30.1.0/24
3. On Kali Linux, use the following Ettercap command to perform a MITM attack between the two targets:
sudo ettercap -i eth2 -T -q -S -M arp:remote /172.30.1.134// /172.30.1.129//
COMMAND BREAKDOWN:
• -i: Specifies the interface on the attacker machine that is connected to the network with the targets.
• -T: Specifies the text-based user interface (no ncurses or GTK interface).
• -q: Specifies quiet mode, which does not print the contents of every captured packet on the terminal.
• -S: Specifies not to perform Secure Sockets Layer (SSL) forging. Without it, Ettercap would present its own certificate for HTTPS sessions, which produces certificate warnings on the victim.
• -M arp:remote: Specifies a MITM attack using ARP poisoning of the targets' caches, with the remote option so that Ettercap also sniffs connections whose other endpoint is beyond the poisoned hosts. The remote option is usually needed when performing a MITM attack between a client and a gateway.
The two targets are written in Ettercap's target notation, with the MAC and port fields left empty so that they match any value for the given IP address.
4. Next, open Wireshark on Kali Linux and start capturing packets on eth2, the interface connected to the 172.30.1.0/24 network:
5. Open the web browser on Kali Linux and browse to http://metasploitable-2-linux_ip/ to generate traffic. Note that only traffic exchanged between the two poisoned targets passes through the attacker, so also browse to the web server from the Windows host (THESPIDERMAN) to see intercepted packets.
6. Let's verify that Ettercap is poisoning the ARP cache of the Windows host. The following screenshot shows the ARP cache (arp -a) on the THESPIDERMAN virtual machine; the entry for the web server's IP address should now show the MAC address of the Kali Linux interface:
7. Let's look at the ARP traffic for the Windows machine in Wireshark (display filter: arp). Wireshark flags the same IP address being claimed by two different MAC addresses with a "duplicate IP address detected" warning:
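The check in steps 6 and 7 can be automated from an exported capture. The following is an added example (not from the original page) that reads ARP records in the column order produced by a tshark field export, compares each sender against the IP-to-MAC baseline gathered with nmap in step 2, and applies the three heuristics a practitioner looks for: an IP address claimed by more than one MAC, one MAC claiming several IP addresses, and replies that no request asked for. The sample records, the baseline and the addresses are constructed; the real exported file would be produced by tshark from the Wireshark capture.

```python
from collections import defaultdict, namedtuple

ArpRecord = namedtuple("ArpRecord", "t op sender_mac sender_ip target_mac target_ip")

# Constructed sample (not a real capture), in the column order produced by:
#   tshark -r capture.pcapng -Y arp -T fields -e frame.time_relative -e arp.opcode \
#          -e arp.src.hw_mac -e arp.src.proto_ipv4 -e arp.dst.hw_mac -e arp.dst.proto_ipv4
# The addresses are made up; 08:00:27:de:ad:be stands in for the attacker's interface.
SAMPLE_RECORDS = """\
0.000\t1\t08:00:27:0a:0b:0c\t172.30.1.129\t00:00:00:00:00:00\t172.30.1.134
0.001\t2\t08:00:27:11:22:33\t172.30.1.134\t08:00:27:0a:0b:0c\t172.30.1.129
5.210\t2\t08:00:27:de:ad:be\t172.30.1.134\t08:00:27:0a:0b:0c\t172.30.1.129
5.211\t2\t08:00:27:de:ad:be\t172.30.1.129\t08:00:27:11:22:33\t172.30.1.134
15.210\t2\t08:00:27:de:ad:be\t172.30.1.134\t08:00:27:0a:0b:0c\t172.30.1.129
"""

# IP-to-MAC mapping recorded from the nmap sweep before the attack (constructed values).
BASELINE = {"172.30.1.129": "08:00:27:0a:0b:0c", "172.30.1.134": "08:00:27:11:22:33"}


def parse_records(text):
    """Parse tab-separated tshark field output into ArpRecord tuples."""
    records = []
    for line in text.strip().splitlines():
        t, op, smac, sip, tmac, tip = line.split("\t")
        records.append(ArpRecord(float(t), int(op), smac.lower(), sip, tmac.lower(), tip))
    return records


def analyze(records, baseline=None, reply_window=2.0):
    """Return a list of (kind, detail) findings for the given ARP records."""
    findings = []
    ip_to_macs = defaultdict(set)
    mac_to_ips = defaultdict(set)
    last_request = {}   # (requester_ip, asked_for_ip) -> time of the most recent request

    for r in records:
        ip_to_macs[r.sender_ip].add(r.sender_mac)
        mac_to_ips[r.sender_mac].add(r.sender_ip)
        if r.op == 1:
            last_request[(r.sender_ip, r.target_ip)] = r.t
        elif r.op == 2:
            # A legitimate reply follows a request from the reply's target for the
            # reply's sender IP; anything else is unsolicited (what Ettercap sends).
            asked = last_request.get((r.target_ip, r.sender_ip))
            if asked is None or r.t - asked > reply_window:
                findings.append(("unsolicited_reply",
                                 f"{r.t:.3f}s {r.sender_mac} claims {r.sender_ip} to {r.target_ip}"))
        if baseline and baseline.get(r.sender_ip, r.sender_mac) != r.sender_mac:
            findings.append(("baseline_mismatch",
                             f"{r.t:.3f}s {r.sender_ip} seen from {r.sender_mac}, "
                             f"expected {baseline[r.sender_ip]}"))

    for ip, macs in ip_to_macs.items():
        if len(macs) > 1:   # the condition behind Wireshark's duplicate-IP warning
            findings.append(("ip_claimed_by_multiple_macs", f"{ip}: {sorted(macs)}"))
    for mac, ips in mac_to_ips.items():
        if len(ips) > 1:    # one interface answering for both targets
            findings.append(("mac_claims_multiple_ips", f"{mac}: {sorted(ips)}"))
    return findings


def summarize(findings):
    """Count findings per kind."""
    counts = defaultdict(int)
    for kind, _ in findings:
        counts[kind] += 1
    return dict(counts)


if __name__ == "__main__":
    for kind, detail in analyze(parse_records(SAMPLE_RECORDS), BASELINE):
        print(f"{kind:30s} {detail}")
```

An unsolicited reply on its own is a weak signal, because hosts legitimately send gratuitous ARP when they boot or change address. The strong signal is the combination: an IP address whose MAC changes away from the baseline, repeated at short intervals, from a MAC that is also claiming a second IP address.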

DNS TUNNELING:
- DNS tunneling is a technique that abuses the Domain Name System (DNS) as a transport for other traffic. Because DNS is almost always allowed out of a network and is rarely inspected beyond checking that it is well-formed DNS, encoding non-DNS data inside DNS queries and responses lets an attacker bypass network security measures. Successful DNS tunneling allows attackers to exfiltrate data, control compromised computers, collect user credentials, or explore a network's footprint for future attacks.
What are DNS queries and DNS traffic?
DNS is like GPS for the internet. DNS servers translate the human-readable names that users type into a web browser into machine-readable IP addresses, such as 2001:db8:3e8:2a3::b63 (an IPv6 address), that allow the browser to reach the correct site. DNS lets people navigate the web using easy-to-remember domain names rather than keeping track of the IP address of each site they want to visit.

How do hackers use DNS tunneling?
DNS tunneling enables attackers to perform a variety of malicious activities.
- Installing malware. Attackers may use DNS tunneling to deliver additional malware to compromised systems, carried in the responses of the tunnel.
- Collecting credentials. Once they have command and control of a device, attackers can use keyloggers and other methods to collect user credentials that can be used to mount additional attacks or be sold on the dark web.
- Exploring the network. DNS queries from within an infected network can help attackers build a map of the network, identifying systems and high-value assets.
- Exfiltrating data. Cybercriminals may use DNS tunneling to transfer data out of the network, including sensitive or confidential user information, encoded in the query names themselves.
- Controlling devices. With the ability to control an infected device, attackers can trigger other threats such as DDoS attacks.
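The following is an added example (not from the original page or the credited blog) that shows both sides of the exfiltration case above: how a tunnel client chunks data into DNS query names, and the statistics a defender computes over query logs to spot it. The zone t.example.net, the payload and the benign queries are constructed; the detector's assumption that the registrable zone is the last two labels, and its thresholds, are illustrative choices for the example.

```python
import base64
import hashlib
import math
from collections import Counter, defaultdict

# Hypothetical attacker-controlled zone; its authoritative server would be the tunnel server.
TUNNEL_DOMAIN = "t.example.net"
LABEL_MAX = 63          # RFC 1035 label limit
LABELS_PER_QUERY = 3    # data labels per query name, keeps the name under 253 octets


def encode_payload(payload, domain=TUNNEL_DOMAIN):
    """Client side: return the query names that carry `payload`. Data is base32-encoded
    (DNS names are case-insensitive, so base64 would be corrupted by resolvers), cut into
    63-char labels, and prefixed with a hex sequence label for reassembly."""
    text = base64.b32encode(payload).decode().rstrip("=").lower()
    labels = [text[i:i + LABEL_MAX] for i in range(0, len(text), LABEL_MAX)]
    names = []
    for seq, i in enumerate(range(0, len(labels), LABELS_PER_QUERY)):
        name = ".".join([f"{seq:x}", *labels[i:i + LABELS_PER_QUERY], domain])
        assert len(name) <= 253, "DNS name too long"
        names.append(name)
    return names


def decode_queries(names, domain=TUNNEL_DOMAIN):
    """Server side: strip the zone, order by sequence label, re-join the data labels."""
    chunks = []
    for name in names:
        seq, *data = name[: -len(domain) - 1].split(".")
        chunks.append((int(seq, 16), "".join(data)))
    text = "".join(d for _, d in sorted(chunks)).upper()
    return base64.b32decode(text + "=" * (-len(text) % 8))


def shannon_entropy(s):
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def zone_of(qname):
    # Assumption for the example: the registrable zone is the last two labels.
    return ".".join(qname.rstrip(".").split(".")[-2:])


def score_queries(qnames, min_unique=5, len_threshold=60.0, entropy_threshold=3.5):
    """Per zone: unique subdomains, average query length and average entropy of the
    subdomain characters. Many unique, long, high-entropy subdomains under one zone
    is the classic tunnel signature; the thresholds are illustrative."""
    per_zone = defaultdict(list)
    for q in qnames:
        per_zone[zone_of(q)].append(q.rstrip(".").lower())
    report = {}
    for zone, qs in per_zone.items():
        subs = {q[: -len(zone) - 1] for q in qs if len(q) > len(zone) + 1}
        if not subs:
            continue
        avg_len = sum(len(q) for q in qs) / len(qs)
        avg_ent = sum(shannon_entropy(s.replace(".", "")) for s in subs) / len(subs)
        report[zone] = {
            "unique_subdomains": len(subs),
            "avg_qname_len": round(avg_len, 1),
            "avg_entropy": round(avg_ent, 2),
            "suspicious": len(subs) >= min_unique
            and (avg_len > len_threshold or avg_ent > entropy_threshold),
        }
    return report


# Constructed sample: a 1280-byte payload (deterministic pseudo-random bytes) tunnelled
# out, mixed with ordinary lookups from the same client.
PAYLOAD = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(40))
BENIGN_QUERIES = ["www.example.com", "mail.example.com", "api.example.com", "cdn.example.org"]
SAMPLE_QUERIES = BENIGN_QUERIES + encode_payload(PAYLOAD)


if __name__ == "__main__":
    for zone, stats in score_queries(SAMPLE_QUERIES).items():
        print(zone, stats)
```

The encoder is what makes the detector's numbers intuitive: base32 text has at most 5 bits of entropy per character, so tunnel subdomains score far above words such as www or mail, and every query name is unique because each carries different data. Real tunnel tools differ in encoding and in the record types they use for the return path (TXT, NULL, CNAME), so in production these statistics are computed per client and per zone over a time window rather than with fixed thresholds.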
CREDITS: akamai-dns-tunneling-blog