
Network Attack Research

5 automated security scanners


Purpose: The Advanced DDoS Techniques Scanner is designed to detect indicators of amplification (reflection) attacks and TCP state exhaustion by examining network traffic for the target domain and IP range and correlating it with threat intelligence feeds. It flags malware references, command and control (C&C) server references, known exploited vulnerabilities, and data exposure or breach terms that suggest hosts in scope have been compromised and could be used in, or targeted by, DDoS attacks.

What It Detects:

  • Amplification Attack Indicators: Matches threat-intelligence text tied to the domain or IP range for malware family keywords such as ransomware and trojan, a sign that hosts may be enrolled in a botnet. Amplification itself relies on open reflectors (for example DNS, NTP, SSDP or memcached services answering spoofed requests), so malware keywords are an indirect indicator and should be paired with a check for exposed UDP reflector services.
  • TCP State Exhaustion Patterns: Detects references to command and control (C&C) servers, which suggest compromised hosts that can be directed to open large numbers of half-open TCP connections against a target.
  • Vulnerability Indicators from Shodan: Looks for CVE IDs on services that Shodan reports as exposed, with emphasis on vulnerabilities known to be exploited in amplification attacks.
  • Domain/IP Reputation Analysis: Identifies terms related to data exposure or breaches associated with the domain or IP range, suggesting systems that are already compromised.
  • Known Exploited Vulnerabilities (CISA KEV): Cross-references detected CVE IDs against the CISA Known Exploited Vulnerabilities catalog, and flags references to unauthorized access as a related indicator of exploitation.
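
The two detection classes named in the list above, worked over flow records rather than threat-intelligence keywords, as an added example (not the scanner's own code). It assumes a simplified flow format (source, ports, protocol, TCP flags, byte and packet counts) and thresholds chosen for illustration; all sample flows are constructed using documentation address ranges.

```python
"""Flow-record heuristics for two DDoS classes: UDP reflection/amplification toward
a victim and TCP SYN state exhaustion. Added example, not the scanner's own code.
The Flow layout, thresholds and all sample records are constructed for illustration
(documentation address ranges only)."""
from collections import defaultdict
from dataclasses import dataclass

# Source ports of services commonly abused as reflectors; used to label hits.
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 161: "SNMP", 1900: "SSDP", 11211: "memcached"}


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str   # "udp" or "tcp"
    flags: str   # TCP flags seen from src, e.g. "S" (SYN) or "A" (ACK); "" for UDP
    nbytes: int
    npkts: int


def amplification_suspects(flows, min_reflectors=3, min_avg_bytes=400):
    """Map victim -> [(service, reflector_count, avg_packet_bytes)] for victims that
    receive large UDP packets from many distinct hosts on one reflector service port.
    One busy resolver answering one client is not flagged; many reflectors are."""
    per_victim = defaultdict(lambda: defaultdict(lambda: [set(), 0, 0]))
    for f in flows:
        if f.proto != "udp" or f.sport not in REFLECTOR_PORTS:
            continue
        acc = per_victim[f.dst][f.sport]
        acc[0].add(f.src)
        acc[1] += f.nbytes
        acc[2] += f.npkts
    result = {}
    for victim, services in per_victim.items():
        for sport, (reflectors, nbytes, npkts) in services.items():
            avg = nbytes / npkts
            if len(reflectors) >= min_reflectors and avg >= min_avg_bytes:
                result.setdefault(victim, []).append(
                    (REFLECTOR_PORTS[sport], len(reflectors), round(avg)))
    return result


def syn_exhaustion_suspects(flows, min_half_open=5, min_ratio=0.8):
    """Map (victim, port) -> (half_open_sources, half_open_ratio) where many sources
    send SYNs but almost none follow up with an ACK: the profile of a SYN flood that
    fills the listener's half-open connection table (typically from spoofed sources)."""
    syn_sources = defaultdict(set)
    ack_sources = defaultdict(set)
    for f in flows:
        if f.proto != "tcp":
            continue
        if "S" in f.flags and "A" not in f.flags:
            syn_sources[(f.dst, f.dport)].add(f.src)
        elif "A" in f.flags:
            ack_sources[(f.dst, f.dport)].add(f.src)
    result = {}
    for key, sources in syn_sources.items():
        half_open = len(sources - ack_sources.get(key, set()))
        ratio = half_open / len(sources)
        if half_open >= min_half_open and ratio >= min_ratio:
            result[key] = (half_open, round(ratio, 2))
    return result


VICTIM, BYSTANDER = "203.0.113.10", "203.0.113.20"
# Constructed sample: six open resolvers (TEST-NET-2) returning ~1500-byte answers
# to the victim, one normal DNS answer to a bystander, a spoofed SYN flood from
# TEST-NET-1 against the victim's HTTPS port, and one completed handshake each.
SAMPLE_FLOWS = (
    [Flow(f"198.51.100.{i}", 53, VICTIM, 40000 + i, "udp", "", 3000, 2) for i in range(1, 7)]
    + [Flow("198.51.100.53", 53, BYSTANDER, 41000, "udp", "", 120, 1)]
    + [Flow(f"192.0.2.{i}", 50000 + i, VICTIM, 443, "tcp", "S", 60, 1) for i in range(1, 9)]
    + [Flow("192.0.2.9", 50009, VICTIM, 443, "tcp", "S", 60, 1),
       Flow("192.0.2.9", 50009, VICTIM, 443, "tcp", "A", 52, 1),
       Flow("192.0.2.100", 50100, BYSTANDER, 443, "tcp", "S", 60, 1),
       Flow("192.0.2.100", 50100, BYSTANDER, 443, "tcp", "A", 52, 1)]
)

if __name__ == "__main__":
    print(amplification_suspects(SAMPLE_FLOWS))   # {'203.0.113.10': [('DNS', 6, 1500)]}
    print(syn_exhaustion_suspects(SAMPLE_FLOWS))  # {('203.0.113.10', 443): (8, 0.89)}
```

A reflector hit is many distinct sources on one service port delivering large packets to one destination; a SYN-flood hit is many sources that send SYNs and never ACK. On real data, map NetFlow/IPFIX or Zeek conn records into `Flow` and tune the thresholds to the link's baseline before trusting either verdict.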

Inputs Required:

  • domain (string): The primary domain to analyze, such as acme.com.
  • ip_range (string): The IP range to scan for vulnerabilities, such as 192.168.1.0/24.

Business Impact: This scanner is crucial for organizations aiming to safeguard their networks from sophisticated DDoS attacks and potential exploitation of compromised systems. By identifying potential attack vectors and vulnerabilities early, it helps in implementing preventive measures and enhancing overall security posture.

Risk Levels:

  • Critical: Conditions that directly lead to significant system compromise or unauthorized access.
  • High: Conditions that indicate a high risk of data exposure or severe network impact.
  • Medium: Conditions with a moderate risk of exploitation or breach.
  • Low: Informational findings that indicate potential risk without an immediate threat.
  • Info: Findings that provide general insight into system health and security practices.

If specific conditions for each risk level are not detailed in the README, they have been inferred based on the scanner’s purpose and impact.

Example Findings: The scanner might flag a domain with threat-intelligence references to unauthorized access or data breaches tied to a vulnerability in the CISA KEV catalog, a critical risk because the host is likely already compromised. Alternatively, it could detect an IP address in the range associated with command and control activity, suggesting participation in an ongoing DDoS attack, which is classified as high risk.


Purpose: The IPv6 Attack Vectors Scanner is designed to identify potential security vulnerabilities in IPv6 networks by detecting transition mechanisms and malicious use of IPv6 extension headers. This tool aims to help organizations assess their network’s resilience against exploitation by identifying and mitigating risks associated with dual-stack deployments, tunneling protocols, and harmful extension header attacks.

What It Detects:

  • Transition Mechanisms Detection: Identifies the IPv6 transition mechanisms in use, including dual-stack hosts, NAT64/DNS64 translation and 6to4, as well as tunneling protocols such as Teredo and ISATAP. Tunnels and translators matter because they carry IPv6 past IPv4-only firewall and IDS rules.
  • Extension Header Attacks: Looks for malicious use of IPv6 extension headers, including Hop-by-Hop Options, Destination Options, Routing (in particular the deprecated Routing Header Type 0), Fragment and Authentication Headers. It also identifies fragmentation attacks, such as tiny or overlapping fragments and first fragments that omit the upper-layer header, which are used to evade filters or to trigger reassembly bugs in the receiving stack.
  • Vulnerability Indicators from Threat Intelligence Feeds: Queries the Shodan API for exposed services and known vulnerabilities, checks the VirusTotal API for domain/IP reputation, cross-references CISA KEV for known exploited vulnerabilities, validates IP reputation with AbuseIPDB, and looks up vulnerabilities in the NVD/CVE database.
  • Pattern Matching: Detects specific patterns such as CVE identifiers, malware-related keywords, command and control indicators, and phrases indicative of phishing or credential harvesting.
  • Exposure Indicators: Identifies exposure-related keywords, unauthorized access attempts, and data dump indicators that suggest a security breach.
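
How the extension-header checks above can be made concrete, as an added example (not the scanner's own code): a small parser walks the IPv6 header chain and flags Hop-by-Hop Options out of position, Routing Header Type 0 with segments left, a first fragment that omits the upper-layer header, duplicated headers, and overlapping fragments. The `ipv6()` packet builder, the constructed packets and the minimum upper-layer header lengths are assumptions made for the demo.

```python
"""Walk an IPv6 extension-header chain and flag the header and fragmentation
abuses described above. Added example, not the scanner's own code; the packets are
constructed byte strings using documentation addresses (2001:db8::/32)."""
import struct

# IANA protocol numbers for the headers we care about.
HOPOPT, TCP, UDP, ROUTING, FRAGMENT, AH, ICMPV6, DSTOPTS = 0, 6, 17, 43, 44, 51, 58, 60
EXT_HEADERS = {HOPOPT, ROUTING, FRAGMENT, AH, DSTOPTS}
MIN_UPPER_LEN = {TCP: 20, UDP: 8, ICMPV6: 8}   # smallest complete upper-layer header


def parse_chain(pkt: bytes):
    """Return (headers, upper_layer_proto, offset_of_upper_layer); headers is a
    list of (proto, info) in chain order. Raises ValueError on a truncated chain."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nxt, off, headers = pkt[6], 40, []
    while nxt in EXT_HEADERS:
        if off + 8 > len(pkt):
            raise ValueError("truncated extension header")
        info = {}
        if nxt == FRAGMENT:
            hdr_len = 8
            frag_field, = struct.unpack_from("!H", pkt, off + 2)
            info = {"offset": (frag_field >> 3) * 8, "more": frag_field & 1}
        elif nxt == AH:
            hdr_len = (pkt[off + 1] + 2) * 4        # AH length is in 4-octet units minus 2
        else:
            hdr_len = (pkt[off + 1] + 1) * 8        # others: 8-octet units minus 1
            if nxt == ROUTING:
                info = {"routing_type": pkt[off + 2], "segments_left": pkt[off + 3]}
        headers.append((nxt, info))
        nxt, off = pkt[off], off + hdr_len
        if headers[-1][0] == FRAGMENT and info["offset"] > 0:
            break   # non-first fragment: what follows is payload, not more headers
    return headers, nxt, off


def audit_chain(pkt: bytes):
    """Return a list of findings (empty for a clean packet)."""
    try:
        headers, upper, off = parse_chain(pkt)
    except ValueError as e:
        return [f"malformed header chain: {e}"]
    findings = []
    for i, (proto, info) in enumerate(headers):
        if proto == HOPOPT and i != 0:
            findings.append("Hop-by-Hop Options header not first (RFC 8200 section 4.1)")
        if proto == ROUTING and info["routing_type"] == 0 and info["segments_left"] > 0:
            findings.append("Routing Header Type 0 with segments left (deprecated by RFC 5095)")
        if proto == FRAGMENT and info["offset"] == 0 and info["more"]:
            if len(pkt) - off < MIN_UPPER_LEN.get(upper, 0):
                findings.append("first fragment lacks the upper-layer header (RFC 7112)")
    protos = [p for p, _ in headers]
    if protos.count(FRAGMENT) > 1 or protos.count(HOPOPT) > 1:
        findings.append("duplicated Fragment or Hop-by-Hop header")
    return findings


def fragments_overlap(frags):
    """frags: [(fragment_offset_in_octets, payload_length), ...] for one packet ID.
    RFC 5722 requires overlapping fragments to be dropped; attackers use them so the
    firewall and the end host reassemble different payloads."""
    ordered = sorted(frags)
    return any(a_off + a_len > b_off for (a_off, a_len), (b_off, _) in zip(ordered, ordered[1:]))


def ipv6(nxt: int, payload: bytes) -> bytes:
    """Minimal IPv6 header (hop limit 64, documentation addresses) over payload."""
    src = bytes.fromhex("20010db8" + "0" * 22 + "01")
    dst = bytes.fromhex("20010db8" + "0" * 22 + "02")
    return struct.pack("!IHBB", 6 << 28, len(payload), nxt, 64) + src + dst + payload


PADN4 = b"\x01\x04\x00\x00\x00\x00"   # PadN option filling the 6 option octets
# Constructed test packets.
PKT_BENIGN = ipv6(TCP, bytes(20))
PKT_RH0 = ipv6(ROUTING, bytes([TCP, 2, 0, 1]) + bytes(4) + bytes.fromhex("20010db8" + "0" * 24) + bytes(20))
PKT_HBH_LATE = ipv6(DSTOPTS, bytes([HOPOPT, 0]) + PADN4 + bytes([UDP, 0]) + PADN4 + bytes(8))
PKT_TINY_FIRST_FRAG = ipv6(FRAGMENT, bytes([TCP, 0]) + struct.pack("!HI", 0x0001, 0xC0FFEE))

if __name__ == "__main__":
    for name in ("PKT_BENIGN", "PKT_RH0", "PKT_HBH_LATE", "PKT_TINY_FIRST_FRAG"):
        print(name, audit_chain(globals()[name]))
    print(fragments_overlap([(0, 1000), (992, 200)]))
```

The parser stops at a non-first fragment because the bytes after its Fragment header are payload of the reassembled packet, not headers; a tool that keeps parsing there produces false findings. Run the same checks on captured traffic by handing `audit_chain` the raw IPv6 packet bytes from a pcap reader.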

Inputs Required:

  • domain (string): Primary domain to analyze (e.g., acme.com)
  • ip_range (string): IPv6 range to scan (e.g., 2001:db8::/32)

Business Impact: This scanner is crucial for organizations operating in an increasingly digital environment, as it helps in identifying and addressing vulnerabilities that could be exploited by malicious actors targeting IPv6 networks. By detecting and mitigating these risks, the organization can enhance its security posture against potential cyber threats.

Risk Levels:

  • Critical: Identifies critical vulnerabilities directly affecting network functionality or exposing sensitive data without mitigation.
  • High: Detects high-risk patterns that could lead to unauthorized access or significant data exposure without immediate action.
  • Medium: Indicates medium-level risks requiring attention for potential enhancement in security measures.
  • Low: Flags minor issues that might be addressed over time as part of ongoing network monitoring and maintenance.
  • Info: Provides informational findings about general network configurations or patterns not currently posing a significant risk.

If the README does not specify exact risk levels, these have been inferred from the scanner’s purpose and impact.

Example Findings:

  1. A domain has a low reputation score indicating potential exposure to phishing or malware activities.
  2. An IP address in the scanned range is found to have multiple known vulnerabilities that could be exploited for malicious purposes.

Purpose: The DNS Rebinding Scanner is designed to detect DNS rebinding, a technique in which an attacker-controlled hostname first resolves to a public address and is then rebound to an internal address, so that a victim’s browser, which still treats the hostname as the same origin, sends requests to internal services. It also detects attempts to bypass DNS rebinding filters, such as resolver-side blocking of private answers. These attacks lead to unauthorized access and data exfiltration from services that trust the internal network, and the tool helps identify network configurations and web applications exposed to them.

What It Detects:

  • Domain Name Resolution Anomalies: Identifies hostnames whose answers change from a public address to a private, loopback or link-local address within a short time frame, typically under a very low TTL, which is the signature of a rebinding attempt. Rapid changes between public addresses alone (CDNs, round-robin DNS) are not treated as rebinding.
  • Rebinding Filter Bypass Attempts: Looks for patterns of repeated switching between internal and external IP addresses, suggesting efforts to get past resolvers or proxies that drop private answers.
  • Same-Origin Policy Evasion: Detects HTTP requests whose Host header names an external domain while the destination is an internal address, which is how a rebound origin reaches internal services; services that do not validate the Host header are the ones at risk.
  • Malicious Subdomain Usage: Scans for subdomains that exhibit suspicious behaviour such as frequent IP address changes or unusual DNS query patterns, potentially indicating malicious activity.
  • Threat Intelligence Correlation: Cross-references detected anomalies with threat intelligence feeds to identify known malicious activity associated with the domain and IP range.
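
The rebinding signature described above, run over a resolution log, together with the server-side Host check that defeats it, as an added example (not the scanner's own code). The record layout `(timestamp, hostname, ttl, answer)`, the protected range, the hostnames and all answers are constructed; the severities follow the risk levels used on this page.

```python
"""Detect the DNS-rebinding signature in a resolution log and show the server-side
Host-header check that neutralises it. Added example, not the scanner's own code;
the resolution records, hostnames and address ranges are constructed."""
import ipaddress
from collections import defaultdict

# Addresses a rebound origin would be pointed at. Listed explicitly rather than via
# ipaddress.is_private, which also covers the documentation ranges used in this sample.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16",
    "0.0.0.0/8",            # 0.0.0.0 reaches localhost on Linux and is a known rebinding target
    "::1/128", "fc00::/7", "fe80::/10")]


def is_internal(ip: str, protected_range: str) -> bool:
    addr = ipaddress.ip_address(ip)
    nets = INTERNAL_NETS + [ipaddress.ip_network(protected_range)]
    return any(addr.version == n.version and addr in n for n in nets)


def rebinding_findings(resolutions, protected_range, max_ttl=60):
    """resolutions: iterable of (ts_seconds, hostname, ttl, answer_ip).
    HIGH: a hostname answers with a public address and then flips to an internal one,
          and the public answer carried a TTL short enough to force a re-lookup.
    LOW:  an external hostname only ever resolves into the protected range (often
          split-horizon DNS, but worth confirming).
    Public-to-public churn (CDNs, round robin) is deliberately not flagged."""
    history = defaultdict(list)
    for ts, name, ttl, ip in sorted(resolutions):
        history[name.lower()].append((ts, ttl, ip))
    findings = []
    for name, records in history.items():
        tagged = [(ts, ttl, ip, is_internal(ip, protected_range)) for ts, ttl, ip in records]
        flip = next(((a, b) for a, b in zip(tagged, tagged[1:])
                     if not a[3] and b[3] and a[1] <= max_ttl), None)
        if flip:
            (ts0, ttl0, ip0, _), (ts1, _, ip1, _) = flip
            findings.append(("HIGH", name, f"{ip0} -> {ip1} after {ts1 - ts0}s with TTL {ttl0}s"))
        elif all(t[3] for t in tagged):
            findings.append(("LOW", name, f"resolves only to internal addresses {sorted({t[2] for t in tagged})}"))
    return findings


def host_header_allowed(host_header: str, allowed_hosts) -> bool:
    """Server-side mitigation for services on the internal network: after a rebind the
    browser still sends the attacker's hostname in Host, so reject any request whose
    Host (minus port) is not one of the service's own names or addresses."""
    host = host_header.strip().lower()
    if host.startswith("["):                 # IPv6 literal, e.g. [fe80::1]:631
        host = host[1:host.index("]")]
    elif host.count(":") == 1:              # hostname:port or IPv4:port
        host = host.split(":", 1)[0]
    return host in {h.lower() for h in allowed_hosts}


PROTECTED = "192.168.1.0/24"
# Constructed log: (seconds, hostname, ttl, answer). rebind.attacker.example is the
# attack; www.acme.com and cdn.example are ordinary churn; the printer is split-horizon.
SAMPLE_RESOLUTIONS = [
    (0,  "rebind.attacker.example", 1,    "198.51.100.7"),
    (3,  "rebind.attacker.example", 1,    "192.168.1.20"),
    (0,  "www.acme.com",            300,  "203.0.113.5"),
    (10, "www.acme.com",            300,  "203.0.113.6"),
    (0,  "cdn.example",             20,   "198.51.100.9"),
    (20, "cdn.example",             20,   "198.51.100.10"),
    (0,  "printer.corp.acme.com",   3600, "192.168.1.50"),
]

if __name__ == "__main__":
    for severity, name, detail in rebinding_findings(SAMPLE_RESOLUTIONS, PROTECTED):
        print(severity, name, detail)
    print(host_header_allowed("rebind.attacker.example", ["printer.corp.acme.com", "192.168.1.50"]))
```

The detector keys on the public-to-internal flip, not on churn, so CDN-style rotation with low TTLs stays quiet. The `host_header_allowed` check is the fix to deploy on every internal HTTP service: a rebound browser cannot change the Host header it sends, so a strict allow-list of the service's own names stops the attack even when the resolver lets private answers through.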

Inputs Required:

  • domain (string): Primary domain to analyze (e.g., acme.com). Used for DNS resolution analysis and same-origin policy evasion detection.
  • ip_range (string): Internal IP range to protect (e.g., 192.168.1.0/24). Resolutions of external names into this range are the primary rebinding signal, and the range defines which destinations count as internal.

Business Impact: The primary business impact of this scanner is to enhance the security posture of organizations by proactively detecting and mitigating risks associated with DNS rebinding vulnerabilities and same-origin policy evasion techniques, which are critical for protecting sensitive data and maintaining secure online environments.

Risk Levels:

  • Critical: Conditions that directly lead to unauthorized access or significant data exposure, such as an external hostname that rebinds to an address inside the protected range while an internal service accepts requests carrying that hostname.
  • High: Conditions where the risk of unauthorized access increases significantly, such as repeated flips of a hostname between internal and external addresses under low TTLs.
  • Medium: Conditions that require attention, such as subdomain usage patterns that suggest evasion of same-origin policies.
  • Low: Minor anomalies in name resolution without a clear security impact.
  • Info: General findings about DNS queries and IP address resolutions that do not directly affect security but are useful for monitoring network activity.

If specific risk levels are not detailed in the README, these inferred levels should guide interpretation of potential risks based on the scanner’s purpose and impact.

Example Findings: The scanner might flag an external hostname whose answers flip from a public address to an address in the protected range under a low TTL, or subdomains that resolve to internal IPs without any history in threat intelligence feeds (a lower-severity finding that may simply be split-horizon DNS, but should be verified).


Purpose: The BGP Hijacking Scanner is designed to detect unauthorized route advertisements and prefix hijacking by analyzing BGP routing information and threat intelligence feeds. It aims to identify discrepancies between observed announcements and the registered origin of each prefix that could lead to malicious redirection of internet traffic, thereby safeguarding the integrity and security of network infrastructure.

What It Detects:

  • Unauthorized Route Advertisements: Identifies IP prefixes originated by an autonomous system (AS) other than the prefix’s registered holder, as recorded in RPKI Route Origin Authorizations (ROAs) or IRR route objects, indicating a possible hijack or misconfiguration. More-specific announcements of a covered prefix are included, since a longer prefix wins best-path selection regardless of who originates it.
  • Prefix Hijacking Indicators: Searches threat-intelligence text for malware, ransomware, trojan and CISA KEV references associated with the announcing AS or prefix, which suggest malicious rather than accidental origin.
  • Exposure Indicators: Flags mentions of exposed data, leaked information and unauthorized access related to the prefixes in scope, which are indicators of a breach following traffic redirection.
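
The unauthorized-origin check above, implemented as RFC 6811 Route Origin Validation against a static ROA table, as an added example (not the scanner's own code). In production the ROA table comes from an RPKI validator (or IRR route objects as a weaker fallback) and the announcements from a route collector or the organization's own BGP sessions; here both are constructed from documentation prefixes and documentation ASNs (RFC 5398).

```python
"""Route Origin Validation (RFC 6811): compare observed announcements (prefix,
origin AS) with Route Origin Authorizations (prefix, maxLength, AS) and classify
each as valid, invalid or not-found, naming sub-prefix hijacks separately.
Added example, not the scanner's own code; the ROA table and announcements are
constructed from documentation prefixes and documentation ASNs (RFC 5398)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    prefix: str
    max_length: int
    origin_as: int


def covering_roas(prefix, roas):
    """ROAs whose prefix contains `prefix` (same address family)."""
    p = ipaddress.ip_network(prefix)
    return [r for r in roas
            if ipaddress.ip_network(r.prefix).version == p.version
            and p.subnet_of(ipaddress.ip_network(r.prefix))]


def validate(prefix, origin_as, roas):
    """Return (state, reason) with state in {'valid', 'invalid', 'not-found'}."""
    p = ipaddress.ip_network(prefix)
    covering = covering_roas(prefix, roas)
    if not covering:
        return "not-found", "no ROA covers this prefix; origin cannot be judged"
    for r in covering:
        if r.origin_as == origin_as and p.prefixlen <= r.max_length:
            return "valid", f"matches ROA {r.prefix} maxLength {r.max_length} AS{r.origin_as}"
    authorized = sorted({r.origin_as for r in covering})
    if origin_as in authorized:
        # Right AS, wrong length: even the holder's own more-specific fails ROV, which is
        # what stops an attacker from winning best path with a longer prefix.
        return "invalid", f"/{p.prefixlen} exceeds maxLength of every covering ROA (sub-prefix announcement)"
    if all(p.prefixlen > r.max_length for r in covering):
        return "invalid", f"sub-prefix hijack: /{p.prefixlen} by AS{origin_as}, authorized {authorized}"
    return "invalid", f"origin AS{origin_as} not authorized; authorized origins {authorized}"


def audit_announcements(announcements, roas):
    """announcements: iterable of (prefix, origin_as, seen_from). Returns one record each."""
    out = []
    for prefix, origin_as, seen_from in announcements:
        state, reason = validate(prefix, origin_as, roas)
        out.append({"prefix": prefix, "origin_as": origin_as, "seen_from": seen_from,
                    "state": state, "reason": reason})
    return out


SAMPLE_ROAS = [ROA("203.0.113.0/24", 24, 64496), ROA("2001:db8::/32", 48, 64496)]
SAMPLE_ANNOUNCEMENTS = [
    ("203.0.113.0/24",   64496, "collector-a"),   # legitimate origin
    ("203.0.113.0/24",   64511, "collector-b"),   # same prefix, foreign origin: origin hijack
    ("203.0.113.128/25", 64511, "collector-b"),   # more-specific from foreign origin: sub-prefix hijack
    ("203.0.113.128/25", 64496, "collector-a"),   # holder's own /25 beyond maxLength: still invalid
    ("2001:db8:1::/48",  64496, "collector-a"),   # within maxLength: valid
    ("198.51.100.0/24",  64500, "collector-a"),   # no ROA: not-found
]

if __name__ == "__main__":
    for rec in audit_announcements(SAMPLE_ANNOUNCEMENTS, SAMPLE_ROAS):
        print(f"{rec['prefix']:18} AS{rec['origin_as']}  {rec['state']:9} {rec['reason']}")
```

Two points the sample makes that a keyword-based check cannot: an announcement from the legitimate holder is still invalid if it is more specific than the ROA's maxLength, and a prefix with no ROA at all is not-found rather than valid, which is why ROA coverage of one's own space is the first thing to fix before alerting on other people's announcements.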

Inputs Required:

  • domain (string): A primary domain is required for analyzing the presence of vulnerabilities and exposure in network configurations.
  • ip_range (string): An IP range is essential for monitoring specific networks to detect BGP hijacking activities within that range.

Business Impact: Detecting unauthorized changes in routing information through BGP hijacking can have severe consequences, including data leakage, financial loss, and significant disruption of network services. This real-time threat detection capability helps organizations mitigate risks associated with compromised BGP configurations, ensuring the integrity and security of their internet connectivity.

Risk Levels:

  • Critical: The scanner identifies unauthorized route advertisements or prefix hijacking that could lead to immediate malicious traffic redirection affecting critical infrastructure networks.
  • High: Significant exposure indicators in threat intelligence reports suggest a high risk of BGP hijacking, potentially compromising sensitive data and network configurations.
  • Medium: Vulnerabilities detected through domain analysis may indicate potential risks if not addressed promptly, impacting the overall security posture but less severely than critical issues.
  • Low: Informational findings might include minor exposure or indicators that do not pose a significant risk to network integrity but are still worth monitoring for trends and future assessments.
  • Info: These findings provide basic insights into network configurations and can be used for continuous improvement in security practices and threat detection mechanisms.

Example Findings:

  • The scanner flags an advertisement of the prefix 203.0.113.0/24 by an AS other than its registered origin, indicating a potential hijack. (Private RFC 1918 space such as 192.168.0.0/24 is not routable on the public Internet and would not appear in global BGP tables, so it is not a meaningful target for this check.)
  • It detects malware indicators in the latest Shodan data for hosts in the range, suggesting compromised systems and an increased risk that the prefix is being hijacked or abused for malicious routing.

Purpose: The Protocol Downgrade Attacks Scanner identifies network services that still accept weaker protocol versions, cipher suites or features, which is what allows an attacker in the path to force a connection down to them. A downgrade attack only succeeds if the server still offers the weaker option, so the scanner checks TLS version support, cipher suite strength and other protocol configuration to find services that can be downgraded, helping protect systems against known exploits and data breaches.

What It Detects:

  • TLS Version Downgrade: Identifies services that still accept TLS 1.0 or TLS 1.1 (both deprecated by RFC 8996), allowing a man-in-the-middle to force negotiation below TLS 1.2 or TLS 1.3. Modern stacks defend against this with TLS_FALLBACK_SCSV (RFC 7507) and the TLS 1.3 downgrade sentinel in ServerHello.random (RFC 8446), but neither helps if the server still offers the old versions.
  • Cipher Suite Downgrade: Recognizes weak cipher suites that an attacker can steer negotiation toward, such as DES-CBC3-SHA (3DES, vulnerable to the Sweet32 birthday attack) and RC4-MD5 (RC4, prohibited for TLS by RFC 7465).
  • Feature Downgrades: Detects connections without Perfect Forward Secrecy (PFS), i.e. static RSA or static (EC)DH key exchange instead of ECDHE/DHE, so that a later compromise of the server key exposes recorded traffic.
  • Known Vulnerabilities: Correlates protocol and service versions with threat intelligence feeds to identify known vulnerabilities.
  • Exposed Services: Identifies services in the IP range that are vulnerable to downgrade attacks due to misconfiguration or outdated software.
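
Two of the checks above made concrete, as an added example (not the scanner's own code): a classifier for negotiated cipher suites (weak primitive first, then forward secrecy) and a reader for the TLS 1.3 downgrade sentinel in ServerHello.random, which is how a TLS 1.3 client notices that a 1.3-capable server was forced down to TLS 1.2 or lower. Cipher names use OpenSSL spelling, the list of weak name fragments is this example's own selection, and the ServerHello randoms are constructed.

```python
"""Offline checks for two downgrade conditions: classify negotiated cipher suites
for weak primitives and missing forward secrecy, and read the TLS 1.3 downgrade
sentinel (RFC 8446 section 4.1.3) that a TLS 1.3-capable server writes into the last
8 bytes of ServerHello.random whenever it negotiates TLS 1.2 or lower.
Added example, not the scanner's own code; cipher names use OpenSSL spelling and
the ServerHello randoms are constructed."""
import re

# OpenSSL-style name fragments that mark a suite as weak, and why.
WEAK_PRIMITIVES = {
    "RC4": "RC4 stream cipher (prohibited by RFC 7465)",
    "DES": "DES/3DES with 64-bit blocks (Sweet32)",      # also matches DES-CBC3-*
    "MD5": "MD5-based MAC",
    "NULL": "no encryption",
    "EXP": "export-grade key sizes",
    "ADH": "anonymous DH (no server authentication)",
    "AECDH": "anonymous ECDH (no server authentication)",
}
# Ephemeral key exchange gives forward secrecy; every TLS 1.3 suite is ephemeral.
PFS_PREFIXES = ("ECDHE-", "DHE-", "EDH-", "TLS_AES_", "TLS_CHACHA20_")


def classify_cipher(name: str):
    """Return (severity, reasons): 'high' for a weak primitive, 'medium' for a sound
    primitive without forward secrecy (static RSA or static (EC)DH), 'ok' otherwise."""
    weak = [f"{k}: {why}" for k, why in WEAK_PRIMITIVES.items()
            if re.search(rf"(^|[-_]){k}", name)]
    pfs = name.startswith(PFS_PREFIXES)
    reasons = list(weak)
    if not pfs:
        reasons.append("no forward secrecy: static key exchange")
    severity = "high" if weak else ("ok" if pfs else "medium")
    return severity, reasons


VERSION_NAMES = {(3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2", (3, 4): "TLS 1.3"}
SENTINEL_TLS12 = b"DOWNGRD\x01"   # server negotiated TLS 1.2 although it supports 1.3
SENTINEL_TLS11 = b"DOWNGRD\x00"   # server negotiated TLS 1.1 or lower


def check_server_hello(server_random: bytes, negotiated, client_max=(3, 4)):
    """Return None when the ServerHello is consistent with the server's capabilities,
    or a string describing a version downgrade that a TLS 1.3 client must abort on.
    `negotiated` and `client_max` are (major, minor) tuples, e.g. (3, 3) for TLS 1.2."""
    if len(server_random) != 32:
        raise ValueError("ServerHello.random must be 32 bytes")
    if client_max < (3, 4) or negotiated >= (3, 4):
        return None   # the sentinel only means something to a client that offered TLS 1.3
    tail = server_random[-8:]
    if tail == SENTINEL_TLS12 or tail == SENTINEL_TLS11:
        return (f"downgrade detected: TLS 1.3-capable server negotiated "
                f"{VERSION_NAMES.get(negotiated, negotiated)}; abort with illegal_parameter")
    return None   # a genuine legacy server: not an attack, but TLS 1.3 is unsupported


SAMPLE_SUITES = ["DES-CBC3-SHA", "RC4-MD5", "AES128-GCM-SHA256",
                 "ECDHE-RSA-AES128-GCM-SHA256", "TLS_AES_256_GCM_SHA384"]
# Constructed ServerHello randoms: 24 bytes standing in for entropy, then the tail.
RANDOM_DOWNGRADED = bytes(range(24)) + SENTINEL_TLS12
RANDOM_LEGACY = bytes(range(32))

if __name__ == "__main__":
    for suite in SAMPLE_SUITES:
        print(suite, classify_cipher(suite))
    print(check_server_hello(RANDOM_DOWNGRADED, (3, 3)))   # downgrade detected ...
    print(check_server_hello(RANDOM_LEGACY, (3, 3)))       # None
```

Note what the sentinel does and does not tell you: its presence when TLS 1.2 or lower is negotiated means an active downgrade and the client must abort; its absence means the server simply does not speak TLS 1.3, which is a configuration finding rather than an attack. The server-side fix for both version and cipher downgrades is to stop offering the weak options at all (for example `ssl_protocols TLSv1.2 TLSv1.3;` in nginx), because an attacker who rewrites the ClientHello can pick anything the server still accepts.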

Inputs Required:

  • domain (string): The primary domain to be analyzed, such as acme.com.
  • ip_range (string): The IP range to scan for exposed services, e.g., 192.168.1.0/24.

Business Impact: Detecting and mitigating TLS version downgrade attacks is crucial for maintaining the security of network communications. Weak cipher suites and disabled features can lead to significant data breaches and compromise the integrity of sensitive information exchanged over networks.

Risk Levels:

  • Critical: Deprecated TLS versions (TLS 1.0, TLS 1.1 or older) accepted by production services, leaving them open to active downgrade.
  • High: Weak cipher suites enabled, or known vulnerabilities present without mitigation in place.
  • Medium: Conditions that indicate potential risk but where some protection mechanisms are already implemented.
  • Low: Findings without immediate impact, such as deprecated TLS versions found on a test environment rather than on production systems.
  • Info: Non-critical configuration details recorded for awareness and future improvement.

Example Findings:

  1. A critical finding: the organization’s primary domain (acme.com) still accepts TLS 1.0 and TLS 1.1, which are deprecated by RFC 8996 and expose clients to downgrade onto protocols with known weaknesses (for example BEAST against TLS 1.0 CBC suites).
  2. A high-severity finding: weak cipher suites such as DES-CBC3-SHA are enabled, allowing an attacker to steer negotiation toward 3DES, whose 64-bit block size makes it vulnerable to the Sweet32 birthday attack.