LAN Threat Scenario Rotation
1. Which of your original hypotheses you feel most confident about and why
2. Which scenario was hardest to interpret
3. How talking with another pair strengthened or changed your thinking
4. Patterns you started to notice across multiple scenarios
Task A - LAN Observation
This screenshot contains a lot of valuable information from VM1, which emulates a regular user's computer. Showing the neighbors could open up new devices to attack.
This screenshot contains a lot of valuable information from VM2, which is modeled after a server. Seeing the MAC and IP could make it vulnerable to impersonation.
If an attacker had this information, they could:
Impersonate an IP address and capture traffic destined for it.
Impersonate a MAC address.
Impersonate a neighboring device.
Impersonate a hop on the route (for example the gateway).
Impersonate this device itself and capture any traffic sent to it.
Task B - Evidence-to-Threat Analysis
Task C - Threat Mini-Simulation
Unauthorized plug-in device
An unauthorized plug-in device is any device connected as a peripheral to a LAN, or to a host on the LAN, without authorization. These include sniffers (wired or Wi-Fi) that capture traffic passively, and active devices that join the network and impersonate legitimate hosts to collect valuable packets. Such a device can act like any host on the network and receive packets meant for the real one. A good example is impersonating a printer: anything sent to it to print is simply forwarded to a foreign server.
For this, there is very little an attacker would need to know. Because it is connected via Ethernet, it is given a level of trust that wireless devices don't get, so it would get network access straight away unless port security or 802.1X is in place. It could then start running discovery commands (ip neigh) to see its neighbors, and with intelligent code or a command-and-control server it could be made to do almost anything.
It could target anything from a specific host to impersonating the gateway.
It would be fairly easy to notice if not hidden well: it shows up on the network as an unknown new device, and it is also a physical object plugged into a port, which may not be that well concealed.
The device could impersonate any host, but would probably get the most value from impersonating a server that many computers connect to.
Five Common Internal LAN Threats
• ARP Spoofing
Sends forged ARP replies so victims map another host's IP (typically the gateway) to the attacker's MAC
Lets the attacker intercept, modify or redirect traffic that victims think they are sending to the real host
• MAC Flooding
Floods a switch with frames from thousands of fake source MACs until its MAC address table fills up
Many switches then fail open and forward frames out every port like a hub, so the attacker can sniff traffic; it also degrades the switch
• Rogue DHCP Server
Answers DHCP requests before the real server and hands out leases with the attacker as default gateway and/or DNS server
Similar effect to ARP spoofing: victims route their traffic through a malicious hop
• Unauthorized Plug-In Device
Connects to the network physically
Can serve as the platform for the other three attacks
• Lateral Movement
Moving from one compromised host to others at the same access level, rather than escalating privileges, to find data and further footholds
Looks for a "weak link" or exposed endpoint to pivot through
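Task C mentions running ip neigh to discover neighbors, and the list above describes ARP spoofing and unauthorized devices. The script below is an added example, not part of the lab writeup: it parses ip neigh output, compares a current snapshot against a saved baseline, and flags a new MAC on the segment (possible plug-in device), a baseline IP whose MAC changed (the classic ARP spoofing symptom when it is the gateway), and one MAC answering for several IPs. The two snapshots and the gateway address are constructed sample data, not output captured from VM1 or VM2.

```python
"""Baseline-vs-current comparison of `ip neigh show` output.

Added example for the LAN threat lab (not the writeup's own code). The
snapshot text below is constructed to look like Linux `ip neigh` output.
"""
import re

# Constructed sample: the neighbor table on a known-good day.
BASELINE_IP_NEIGH = """\
192.168.56.1 dev eth0 lladdr 0a:00:27:00:00:01 REACHABLE
192.168.56.10 dev eth0 lladdr 08:00:27:aa:bb:01 STALE
192.168.56.11 dev eth0 lladdr 08:00:27:aa:bb:02 REACHABLE
"""

# Constructed sample: a later snapshot. The gateway IP now resolves to a
# MAC that also answers for 192.168.56.42, and an unknown MAC has appeared.
CURRENT_IP_NEIGH = """\
192.168.56.1 dev eth0 lladdr 08:00:27:de:ad:99 REACHABLE
192.168.56.10 dev eth0 lladdr 08:00:27:aa:bb:01 REACHABLE
192.168.56.11 dev eth0 lladdr 08:00:27:aa:bb:02 STALE
192.168.56.42 dev eth0 lladdr 08:00:27:de:ad:99 REACHABLE
192.168.56.50 dev eth0 FAILED
"""

# Assumed gateway for the sample segment.
GATEWAY_IP = "192.168.56.1"

# One `ip neigh` line: "<ip> dev <if> [lladdr <mac>] <state...>".
# FAILED/INCOMPLETE entries carry no lladdr, so the MAC group is optional.
NEIGH_RE = re.compile(
    r"^(?P<ip>\S+) dev (?P<dev>\S+)(?: lladdr (?P<mac>[0-9A-Fa-f:]{17}))? (?P<state>.+)$"
)


def parse_ip_neigh(text):
    """Return {ip: mac} for every entry that has a resolved link-layer address."""
    table = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m and m.group("mac"):
            table[m.group("ip")] = m.group("mac").lower()
    return table


def compare_neighbors(baseline_text, current_text, gateway_ip):
    """Diff two neighbor tables and return a list of (kind, ip, old_mac, new_mac).

    kinds: gateway_mac_changed, mac_changed, new_device, duplicate_mac
    """
    base = parse_ip_neigh(baseline_text)
    cur = parse_ip_neigh(current_text)
    known_macs = set(base.values())
    findings = []

    for ip, mac in cur.items():
        if ip in base and base[ip] != mac:
            # Same IP, different MAC: gateway case is the ARP spoofing signature.
            kind = "gateway_mac_changed" if ip == gateway_ip else "mac_changed"
            findings.append((kind, ip, base[ip], mac))
        elif ip not in base and mac not in known_macs:
            # Never-seen MAC on the segment: candidate unauthorized device.
            findings.append(("new_device", ip, None, mac))

    # One NIC answering for several IPs is another spoofing tell.
    by_mac = {}
    for ip, mac in cur.items():
        by_mac.setdefault(mac, []).append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            findings.append(("duplicate_mac", ",".join(sorted(ips)), None, mac))
    return findings


if __name__ == "__main__":
    for finding in compare_neighbors(BASELINE_IP_NEIGH, CURRENT_IP_NEIGH, GATEWAY_IP):
        print(finding)
```

Against the constructed snapshots this reports the gateway's MAC change, the new host at 192.168.56.42, and the duplicate MAC shared by both. The caveat is that this only catches a device that shows up with a MAC the baseline has not seen; an attacker who clones a known host's MAC will appear as a duplicate at best, and as nothing at all if the cloned host is powered off. That is why the network-side check needs to be paired with switch-port controls (port security, 802.1X) rather than relied on alone.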
Final Reflection
The most threatening attack is probably the unauthorized plug-in device. Detection in particular becomes a game of hide and seek with the administrators, who have to find where it is connected and shut it off or unplug it. Looking at the ip neigh output, if the device was configured to look like a standard computer, it would be very hard to tell from that output alone that it was malicious. It also serves as the base for the other attacks, and could be used repeatedly, shut down between strikes to conserve power or improve concealment. By focusing on looking normal it could hide on both fronts: physically, as a very small device tucked into a hard-to-reach corner of a lab, and on the network, as a device that only wakes up for a short time during an attack and otherwise sits idle awaiting commands.