*blush* It's finally happening.
So I assume you want to work with network penetration as well as security. Well done in picking a true elitist field, and welcome to the club. Don't let anybody else talk you out of it, they're jealous.
Alright, first things first, where exactly do you wish to start? Remote connectivity and RAT vulnerability testing, DoSing, VoIP hacking, going after network devices, wireless hacking, hardware hacking, hacking systems such as Windows, or just securing against every imaginable thing?
Oh lord, I don't even know where to start.
Let's cover the basics. First we'll start with the OSI layers.
Network device hacking comes down to a matter of perspective. If your network is secure, with difficult-to-guess SSH passwords, SNMP community names, limited access/usage, and logging for everything (assuming somebody monitors those logs), then most vulnerabilities aren't actually a problem. If, however, your network is large and complex to manage, then there will be some boxes with less-than-ideal security, meaning you want to check out the following issues.
The networking standard we depend on today was originally two separate standards, OSI and IEEE. With the development of the OSI model, network processes are broken into various responsibilities, and packets must go through a number of steps to get from point to point. The OSI model summarizes a lot, so I won't go into a whole lot of detail.
OSI Layer 1-3:
No matter what device you choose to communicate with, the communication has to run over a transit provider. This includes things like a local telephone company, a satellite, or a local television provider. All forms of media are run through telephone closets and via miles of copper or fiber cable. These cables are either open to the public or hidden away, guarded only by simple locks. This is part of the physical security side of things. Physical security is usually overlooked, but is probably the weakest link in actual network security.
Fiber is one of the hardest media types to break into because tampering is noticeable and the equipment is expensive. Most intercity connections are run via fiber, and while difficult to break into, they are sometimes worth the effort. The odds are not in the attacker's favor, however. Coax cables are easy to intercept, although they are not very prevalent. Ethernet (10, 100, 1000BaseT) is the most widely used in network closets and can easily be intercepted without notice. The easiest target of Layer 1 hacking is T1 links. Because they consist of two simple pairs of wires, T1 links are easy to listen in on, and under the right conditions one could insert a man-in-the-middle device capturing all outside connections. Shared phone closets are an easy target and provide the anonymous access that information thieves strive for. With only a low-end Cisco 1600 router at hand, a perfect man-in-the-middle device can be created. Most circuits are labeled with the company name and circuit ID. By using a small router with two CSU/DSUs and one Ethernet interface, a thief can insert a simple bridge, with only 5-10 seconds of downtime, that's invisible to the end users.
With a man in the middle working, traffic can be sniffed and parsed out. Secure protocols are partially safe; any normal traffic can be manipulated. Interoffice connections are a must in corporate business. Point-to-point T1 links are easy to deploy, with one slight problem... A man-in-the-middle attack on an internal office T1 gives an attacker not just regular access, but full access to the internal network. This scenario has been found in many large and secure companies, and is often overlooked.
Layer 2 is the layer where the electrical impulses from Layer 1 have MAC addresses associated with them. This layer can be a weak link if not configured correctly.
(detecting layer 2 media)
Using shared media (both Ethernet and Token Ring) has been the traditional means of transmitting data traffic for decades. Traditional Ethernet works by sending traffic for a destination to every node on the segment. This way, the destination receives its traffic (as does everybody else) and shares the transmission speed with everybody on the wire. There's the problem. By sending traffic on shared media, you are also sending your traffic to every other listening device on the segment. From a security perspective, shared Ethernet is a formula for compromise. Unfortunately, although shared Ethernet does not dominate the world of networks today, it remains an often-used network medium.
However, that original Ethernet technology is a far cry from the switched technology available today and is similar only in name. Switching technology works by building up a large table of Media Access Control (MAC) addresses and sending traffic destined for a particular MAC through a very fast silicon chip. As a result, the packet arrives at only the intended destination and is not seen by anybody else (so they say). It is possible to provide packet-capturing capabilities on switched media. Cisco provides this ability in its Cisco Catalyst switches with its SPAN technology (SPAN stands for Switched Port Analyzer, for those who don't know). By mirroring certain ports or virtual local area networks (VLANs) to a single port, admins can capture packets just as if they were on a shared segment. Today, this is often performed for intrusion detection system (IDS) implementations to allow the IDS to listen to traffic and analyze it for attacks.
You just put in your new switch in hopes of achieving network nirvana with both improved speed and security. The prospect of increased speed and the ability to keep those curious users from sniffing sensitive traffic on your network may make you feel warm and fuzzy inside, right? Think again.
The Address Resolution Protocol (RFC 826) provides a dynamic mapping of a 32-bit IP address to a 48-bit physical hardware address. When a system needs to communicate with a neighbor on the same network (including the default gateway), it sends out an ARP broadcast asking who holds that IP address; the owner replies with its hardware address, and communication can begin. Unfortunately, ARP traffic can be easily spoofed to reroute traffic from the originating system to the attacker's system, even in a switched environment. Rerouted traffic can be viewed using a network packet analyzer and then forwarded to the real destination. This scenario is another example of a man-in-the-middle attack, and is relatively easy to accomplish.
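Since ARP carries no authentication, the defender's move is to watch the replies on the wire and flag a host whose IP-to-MAC binding suddenly changes. The following is an added example (not code from the original post or from Hacking Exposed): it parses raw Ethernet/ARP frames per RFC 826 and alerts on binding flips and on replies whose ARP sender MAC disagrees with the frame's Ethernet source; the frames, addresses and the `build_arp` helper are constructed here for illustration.

```python
import struct

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2

def mac_bytes(s): return bytes(int(x, 16) for x in s.split(":"))
def ip_bytes(s): return bytes(int(x) for x in s.split("."))
def mac_str(b): return ":".join(f"{x:02x}" for x in b)
def ip_str(b): return ".".join(str(x) for x in b)

def build_arp(oper, sha, spa, tha, tpa, eth_src=None):
    """Build a raw broadcast Ethernet+ARP frame (only used to construct sample traffic)."""
    eth = mac_bytes("ff:ff:ff:ff:ff:ff") + mac_bytes(eth_src or sha) + struct.pack("!H", ETHERTYPE_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)          # hw type, proto type, hlen, plen, opcode
           + mac_bytes(sha) + ip_bytes(spa) + mac_bytes(tha) + ip_bytes(tpa))
    return eth + arp

def parse_arp(frame):
    """Return (opcode, sender_mac, sender_ip, ethernet_src_mac) for an IPv4-over-Ethernet ARP frame, else None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return oper, mac_str(frame[22:28]), ip_str(frame[28:32]), mac_str(frame[6:12])

def detect_arp_spoofing(frames, trusted=None):
    """Learn IP->MAC bindings from ARP replies (seeded with an optional trusted map) and
    return alerts when a binding flips or the ARP sender MAC != Ethernet source MAC."""
    table = dict(trusted or {})
    alerts = []
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None or parsed[0] != ARP_REPLY:
            continue
        _, sha, spa, eth_src = parsed
        if sha != eth_src:
            alerts.append(f"{spa}: ARP sender {sha} != frame source {eth_src}")
        if spa not in table:
            table[spa] = sha
        elif table[spa] != sha:
            alerts.append(f"{spa}: MAC changed {table[spa]} -> {sha}")
    return alerts

# Constructed sample capture: a normal request/reply for the gateway 10.0.0.1,
# then a second reply claiming 10.0.0.1 from a different MAC (the spoof).
SAMPLE = [
    build_arp(ARP_REQUEST, "aa:bb:cc:00:00:02", "10.0.0.2", "00:00:00:00:00:00", "10.0.0.1"),
    build_arp(ARP_REPLY, "aa:bb:cc:00:00:01", "10.0.0.1", "aa:bb:cc:00:00:02", "10.0.0.2"),
    build_arp(ARP_REPLY, "de:ad:be:ef:00:01", "10.0.0.1", "aa:bb:cc:00:00:02", "10.0.0.2"),
]

if __name__ == "__main__":
    for alert in detect_arp_spoofing(SAMPLE):
        print(alert)
```

A legitimate IP reassignment (DHCP, failover) also trips the binding-change check, so confirm against the lease table or a static trusted map before acting on an alert.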
There are countless other attacks, including broadcast sniffing, VLAN jumping, the Inter-network Routing Protocol Attack Suite and Cisco Discovery Protocol (CDP), STP (Spanning Tree Protocol) attacks, and VLAN Trunking Protocol (VTP) attacks. I'll let you read up on these yourself; it'd take literally forever for me to type out.
(Pro tip) As with most system equipment, a security checklist should exist before any equipment is plugged in.
Internet Protocol version 4 has no built-in security measures. Almost all Internet traffic depends on IPv4 and is at risk. A good strategy is to acknowledge the lack of security and plan ahead. Allot time to implement some type of defense, because reliable security measures are not found "out of the box".
TCP Sequence Number Prediction.
A SYN packet is sent to start every TCP session. The first SYN packet contains an initial random number called a sequence number. Every packet in the TCP session follows in sequence, increasing by one each time. If a host receives a packet on the correct port and from the correct source IP, it checks the sequence number. If this number matches, the packet and its data are trusted. With some older IOS versions, this sequence number could be guessed. That problem was fixed long ago, however.
IPv6 is the replacement for IPv4, mostly due to the supposed lack of IPv4 addressing space. IPv6 uses a 128-bit IP address made up of eight 16-bit integers, separated by colons.
IPv6 contains many new features, including native security (thank god). Many high-security VPNs can make use of the IPSec encryption framework. With IPv6, all traffic will be secured to high standards with IPv6 IPSec. Two different encryption methods can be utilized. Tunnel mode encrypts the entire IP packet, protocol data, and payload. Transport mode just encrypts the transport layer (TCP, UDP, ICMP). Either method gives a dependable replacement for IPv4.
As IPv6 becomes more and more developed by vendors and adopted by customers, it will pose all new risks just as its predecessors have.
Tcpdump is one of the most popular network traffic sniffers. It can be used to print out the headers of packets or to view exact network traffic, headers and all. Use this tool to track down network problems, detect "ping attacks" (time to get back at those punks, right?) or monitor network activity. You'll need to read more about this yourself.
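One way to use tcpdump for the "ping attack" detection mentioned above is to parse its text output and count echo requests per source per second. This is an added example, not code from the original post; the line format assumed is the one `tcpdump -n icmp` prints, and the sample lines are constructed here.

```python
import re
from collections import Counter

# One tcpdump text line per ICMP echo request, e.g.
#   12:00:01.000123 IP 10.0.0.9 > 10.0.0.1: ICMP echo request, id 7, seq 1, length 64
# (format assumed from tcpdump -n icmp output; echo replies and other lines are ignored)
LINE_RE = re.compile(r"^(\d{2}):(\d{2}):(\d{2})\.\d+ IP (\S+) > (\S+): ICMP echo request")

def echo_requests_per_second(lines):
    """Return Counter keyed by (src, dst, second-of-day) of ICMP echo requests found in tcpdump output."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        hh, mm, ss, src, dst = m.groups()
        counts[(src, dst, int(hh) * 3600 + int(mm) * 60 + int(ss))] += 1
    return counts

def flag_ping_floods(lines, threshold=20):
    """Return sorted (src, dst, second, count) tuples where one source exceeded `threshold` echo requests in a second."""
    return sorted((s, d, t, c) for (s, d, t), c in echo_requests_per_second(lines).items() if c > threshold)

# Constructed sample: 25 echo requests from 10.0.0.9 within one second, three normal pings
# from 10.0.0.3 spread over three seconds, and one echo reply that must be ignored.
SAMPLE = [f"12:00:01.{i * 1000:06d} IP 10.0.0.9 > 10.0.0.1: ICMP echo request, id 7, seq {i}, length 64"
          for i in range(25)]
SAMPLE += [f"12:00:0{s}.500000 IP 10.0.0.3 > 10.0.0.1: ICMP echo request, id 1, seq {s}, length 64"
           for s in range(1, 4)]
SAMPLE.append("12:00:01.500200 IP 10.0.0.1 > 10.0.0.3: ICMP echo reply, id 1, seq 1, length 64")

if __name__ == "__main__":
    for src, dst, sec, n in flag_ping_floods(SAMPLE):
        print(f"{src} -> {dst}: {n} echo requests in second {sec}")
```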
The classic way to mitigate network eavesdropping attacks is segmentation, whether physically or logically.
For more pervasive security, encryption is probably the most effective way to limit access to information traversing the network. Typically, encryption is performed either at the infrastructure level using a technology like IPSec, or more granularly within the application itself using SSL/TLS (Secure Sockets Layer/Transport Layer Security).
Sniffing tools like tcpdump (and many others) are simply unable to do their dirty work if they cannot receive packets carrying lovely, private information.
I would look into dsniff, something a bit more useful than tcpdump, as it actually obtains passwords.
The traditional countermeasure for sniffing cleartext passwords has always been to change your Ethernet-shared media to switched media. However, unhardened switches provide little to no protection in preventing sniffing attacks, so be sure to actually secure them.
The best countermeasure for dsniff is to employ some sort of encryption for all your traffic. Use a product such as SSH to tunnel all normal traffic through an SSH system rather than sending it out in cleartext, or use an IPSec-based tunnel to perform end-to-end encryption for all your traffic.
For the most part you can read into this one yourself. Ettercap can perform full-duplex sniffing and seamless data insertion with the power of a graphical interface.
Also look into read/write MIBs, Cisco's weak encryption, TFTP downloads, RIP spoofing, Interior Gateway Routing Protocol (IGRP), Open Shortest Path First (OSPF), BGP and spoofed BGP packet injection, and SNMP request and trap handling.
Another problem is that Cisco IOS can be hit with the Cisco IOS System Timers heap buffer overflow. Look into this as well.
I would go more into this, but this should cover some basics and let you see if you are interested in the field. I bothered to type all this out, so I'm going to be submitting it as an article. Next up, wireless hacking.
Information obtained from various sources, including many many MANY certification courses. This information and more can be obtained from books like Hacking Exposed 6 however. I suggest you pick up a copy if you're truly interested in the field.
“True hacking is like skydiving, you want to make sure you have arms, because nobody’s going to be there to pull the chute for you.”