Network protocols are sets of established rules that control and govern how information is exchanged, following a secure, reliable, and easy method. Such rule sets exist for many different applications. Well-known examples include wired networking (such as Ethernet), wireless networking (such as WLANs), and Internet communication. The Internet protocol suite, which is used for broadcasting and transmitting data over the Internet, comprises dozens of protocols.
These protocols contain numerous vulnerabilities that are actively exploited and pose serious challenges to network security. Let us look at 14 of the most common networking protocols and the vulnerabilities present in each.
1. Address Resolution Protocol (ARP)
ARP is a protocol that maps between the network layer and the data link layer: it is used to find the media access control (MAC) address that corresponds to a given IP address. A host on the local network has no way to validate where an ARP packet came from, because ARP carries no authentication. This weakness gives rise to ARP spoofing. An attacker can exploit it when on the same LAN as the target, or by using a compromised machine that is on that network. The idea is that the attacker associates their own MAC address with the IP address of the target, so that any traffic meant for the target is received by the attacker instead.
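Because ARP cannot authenticate its sender, the practical defence is to watch the bindings it produces. The following detector is an added example, not code from the original article: it runs over a constructed list of observed ARP replies (the sample data, the `pinned` table and the alert thresholds are all assumptions made for the example) and reports an IP whose advertised MAC changes, or one MAC that starts answering for several IPs, which is exactly the pattern spoofing leaves behind.

```python
"""Detect ARP spoofing by watching for IP-to-MAC bindings that change.

Added example, not code from the original article. It runs over a
constructed list of observed ARP replies instead of a live capture.
"""
from collections import defaultdict

# Constructed sample: (timestamp, sender IP, sender MAC) taken from ARP replies.
# The gateway 192.168.1.1 legitimately answers from ...:01. From t=40 a second
# host starts answering for the gateway's IP (and then for 192.168.1.10 too)
# with its own MAC ...:99, which is what an ARP spoofing attempt looks like.
SAMPLE_ARP_REPLIES = [
    (0, "192.168.1.1", "aa:bb:cc:00:00:01"),
    (5, "192.168.1.10", "aa:bb:cc:00:00:10"),
    (10, "192.168.1.1", "aa:bb:cc:00:00:01"),
    (40, "192.168.1.1", "aa:bb:cc:00:00:99"),   # conflicting claim for the gateway
    (41, "192.168.1.10", "aa:bb:cc:00:00:99"),  # same MAC now claims a second IP
    (45, "192.168.1.1", "aa:bb:cc:00:00:01"),   # the real gateway answers again
]


def detect_arp_spoofing(replies, pinned=None, max_ips_per_mac=1):
    """Return alert strings for suspicious ARP reply sequences.

    Two signals are used:
      * an IP whose advertised MAC differs from what was seen (or pinned) before,
      * one MAC advertised for more than `max_ips_per_mac` IP addresses.
    `pinned` maps critical IPs (gateway, DNS server) to their known MACs; a
    pinned binding is never overwritten, so every foreign claim is reported.
    Without pinning, the first observation is trusted as the baseline.
    """
    pinned = {ip: mac.lower() for ip, mac in (pinned or {}).items()}
    ip_to_mac = dict(pinned)
    mac_to_ips = defaultdict(set)
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        known = ip_to_mac.get(ip)
        if known is None:
            ip_to_mac[ip] = mac
        elif known != mac:
            alerts.append(f"t={ts}: {ip} changed from {known} to {mac}")
            if ip not in pinned:
                ip_to_mac[ip] = mac  # follow the latest claim to catch flapping
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) > max_ips_per_mac:
            alerts.append(f"t={ts}: {mac} now claims {sorted(mac_to_ips[mac])}")
    return alerts


if __name__ == "__main__":
    gateway = {"192.168.1.1": "aa:bb:cc:00:00:01"}   # assumed known-good binding
    for alert in detect_arp_spoofing(SAMPLE_ARP_REPLIES, pinned=gateway):
        print(alert)
```

On a real network the same logic sits behind a packet capture on a switch span port; the `max_ips_per_mac` knob exists because routers and virtual hosts legitimately answer for several addresses from one interface.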
2. Domain Name System (DNS)
IP addresses are numeric, and hence they are not easy for humans to read or remember. DNS is a hierarchical system that translates between these IP addresses and human-readable hostnames. The most common vulnerability in DNS is cache poisoning, in which the attacker replaces a legitimate IP address in a resolver's cache with their own in order to send users to malicious websites. DNS amplification is another abuse: it targets a DNS server that permits recursive lookups from anyone, using small spoofed queries that produce much larger responses to amplify the magnitude of the attack against the victim.
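A resolver limits cache poisoning by refusing to cache anything it did not ask for. The example below is added here and is not code from the original article; it shows the three checks a resolver applies to a reply before caching it, with DNS messages represented as plain dicts (the `QUERY`, `LEGIT_RESPONSE` and `FORGED_RESPONSE` values and the `example.com` bailiwick are constructed for the example, not taken from the page).

```python
"""Validate DNS responses before caching them, as a resolver defending
against cache poisoning.

Added example, not code from the original article. DNS messages are
represented as plain dicts (constructed below) rather than parsed from the
wire format, so the checks can be read without a packet parser.
"""


def in_bailiwick(name, zone):
    """True if `name` is `zone` itself or a subdomain of it (case-insensitive)."""
    name = name.lower().rstrip(".")
    zone = zone.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)


def validate_response(query, response, bailiwick):
    """Return (records_safe_to_cache, rejection_reason).

    The whole response is rejected on a transaction-ID or question mismatch,
    which is the signature of a forged reply racing the real one. Records in
    any section whose owner name lies outside `bailiwick` (the zone the
    queried server is authoritative for) are dropped, so a reply cannot smuggle
    an address for an unrelated domain into the cache.
    """
    if response["txid"] != query["txid"]:
        return [], "transaction id mismatch"
    if (response["qname"].lower(), response["qtype"]) != (query["qname"].lower(), query["qtype"]):
        return [], "question mismatch"
    safe = []
    for section in ("answer", "authority", "additional"):
        for rr in response.get(section, []):
            if in_bailiwick(rr["name"], bailiwick):
                safe.append(rr)
    return safe, None


# Constructed query to the example.com nameserver and two replies to it.
QUERY = {"txid": 0x1A2B, "qname": "www.example.com", "qtype": "A"}

LEGIT_RESPONSE = {
    "txid": 0x1A2B, "qname": "www.example.com", "qtype": "A",
    "answer": [{"name": "www.example.com", "type": "A", "data": "192.0.2.10"}],
    "additional": [
        {"name": "ns1.example.com", "type": "A", "data": "192.0.2.53"},
        # Out-of-bailiwick "glue" for a domain example.com has no authority over:
        {"name": "login.bank.example", "type": "A", "data": "198.51.100.7"},
    ],
}

# A forged reply that guessed the transaction ID wrong.
FORGED_RESPONSE = dict(LEGIT_RESPONSE, txid=0x9999)


if __name__ == "__main__":
    print(validate_response(QUERY, LEGIT_RESPONSE, "example.com"))
    print(validate_response(QUERY, FORGED_RESPONSE, "example.com"))
```

The transaction ID and the source port together give the attacker a guessing space a forged reply must hit before the real one arrives; the bailiwick rule is what stops a correctly guessed reply from carrying more than the one record it was allowed to answer.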
3. File Transfer Protocol/Secure (FTP/S)
FTP is a network protocol based on the client-server model that is used to transfer files between a client and a server over a computer network. The most common FTP attacks use cross-site scripting, where the attacker uses a web application to send malicious code, in the form of a browser-side script (or cookies), to the user. Plain FTP neither protects its connections nor encrypts its data. Usernames and passwords are transmitted in clear text, where they can be intercepted by any network sniffer, and the session can also fall victim to a man-in-the-middle (MITM) attack.
4. HyperText Transfer Protocol/Secure (HTTP/S)
HTTPS is used for secure communication over a computer network. Its main features are authentication of the website being accessed and protection of the privacy and integrity of the data exchanged. A major vulnerability affecting HTTPS is the DROWN attack, which helps attackers break the encryption and steal credit card information and passwords. Another serious bug is Heartbleed, which allows the theft of information that is protected by the TLS/SSL encryption used to secure the Internet. Other vulnerabilities include FREAK (Factoring RSA Export Keys) and CRIME (Compression Ratio Info-leak Made Easy).
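Each of the four attacks named above corresponds to a server setting that can be audited and turned off. The following is an added example, not code from the original article: `assess_tls_config` maps a scanner-style description of a deployment (the `WEAK_CONFIG` and `HARDENED_CONFIG` dicts are constructed for the example, and the OpenSSL 1.0.1 to 1.0.1f range is the published Heartbleed-affected range) to the attack each weak setting enables, and `hardened_client_context` builds a Python `ssl` context that refuses those settings.

```python
"""Check a TLS deployment against the attacks named above and build a
client context that does not expose them.

Added example, not code from the original article. `assess_tls_config`
takes a constructed dict of the kind a TLS scanner reports (protocols,
cipher suite names, compression, OpenSSL version); it does not probe a
live server.
"""
import ssl


def _heartbleed_range(version):
    """OpenSSL 1.0.1 through 1.0.1f are the releases affected by Heartbleed."""
    return version.startswith("1.0.1") and version[5:6] in ("", "a", "b", "c", "d", "e", "f")


def assess_tls_config(cfg):
    """Return a list of findings, each naming the attack the setting enables."""
    findings = []
    protocols = {p.upper() for p in cfg.get("protocols", [])}
    if "SSLV2" in protocols:
        findings.append("DROWN: SSLv2 is enabled")
    for suite in cfg.get("ciphers", []):
        if "EXPORT" in suite.upper() or suite.upper().startswith("EXP-"):
            findings.append(f"FREAK: export-grade cipher suite offered: {suite}")
    if cfg.get("compression"):
        findings.append("CRIME: TLS compression is enabled")
    if cfg.get("heartbeat_extension") and _heartbleed_range(cfg.get("openssl_version", "")):
        findings.append(f"Heartbleed: heartbeat enabled on OpenSSL {cfg['openssl_version']}")
    return findings


def hardened_client_context():
    """A client-side ssl.SSLContext that refuses the weak settings above."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # rules out SSLv2/SSLv3 and TLS 1.0/1.1
    ctx.options |= ssl.OP_NO_COMPRESSION           # defence against CRIME
    # Forward-secret AEAD suites only; no export, NULL, RC4 or MD5 suites (FREAK).
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!EXPORT:!RC4:!MD5")
    return ctx


def describe_context(ctx):
    """Summarise the settings of a context that matter for the checks above."""
    return {
        "min_version": ctx.minimum_version.name,
        "no_compression": bool(ctx.options & ssl.OP_NO_COMPRESSION),
        "ciphers": [c["name"] for c in ctx.get_ciphers()],
    }


# Constructed scan results: a weak deployment beside a hardened one.
WEAK_CONFIG = {
    "protocols": ["SSLv2", "TLSv1.0", "TLSv1.2"],
    "ciphers": ["EXP-RC4-MD5", "ECDHE-RSA-AES128-GCM-SHA256"],
    "compression": True,
    "heartbeat_extension": True,
    "openssl_version": "1.0.1e",
}
HARDENED_CONFIG = {
    "protocols": ["TLSv1.2", "TLSv1.3"],
    "ciphers": ["ECDHE-RSA-AES128-GCM-SHA256", "TLS_AES_256_GCM_SHA384"],
    "compression": False,
    "heartbeat_extension": False,
    "openssl_version": "3.0.13",
}


if __name__ == "__main__":
    for finding in assess_tls_config(WEAK_CONFIG):
        print(finding)
    print(describe_context(hardened_client_context()))
```

DROWN deserves one extra note when reading the findings: it is enough for any service sharing the same RSA key to still speak SSLv2, so the protocol check has to cover every listener that uses the certificate, not only the HTTPS one.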
5. Internet Message Access Protocol (IMAP)
IMAP is an Internet email protocol that stores emails on the mail server but allows the end user to retrieve, view, and manipulate the messages as if they were stored locally on the user's device. When an email is sent over the Internet, it passes through unprotected communication channels, so usernames, passwords, and the messages themselves can be intercepted. A denial-of-service (DoS) attack can also be carried out against the mail server, leaving emails unreceived and unsent. The email server can also be injected with malware, which can then be sent on to clients in infected attachments.
6. Post Office Protocol (POP3)
POP3 is an application-layer Internet protocol used to retrieve emails from the remote server to the client's local machine, so that messages can be viewed even when the user is offline. Vulnerabilities that target mailbox storage include the FireWire direct memory access (DMA) attack, which relies on direct hardware access to read from or write to main memory without any operating system interaction or supervision. The login process allows the user to connect over unencrypted paths, so login credentials are sent across the network as clear text.
7. Remote Desktop Protocol (RDP)
Developed by Microsoft, RDP is a protocol that provides users with a graphical interface for connecting to another computer over a network connection; one machine runs the RDP client software while the other runs the RDP server software. A vulnerability called BlueKeep could allow malware such as ransomware to propagate across vulnerable systems. BlueKeep allows attackers to connect to RDP services, after which they can issue commands to steal or modify data, install malware, and carry out other malicious activities. Exploiting the vulnerability requires neither authentication nor any action by the user.
8. Session Initiation Protocol (SIP)
SIP is a signaling protocol used for initiating, maintaining, altering, and terminating real-time sessions. These sessions can include voice, video, messaging, and other communications applications and services between two or more endpoints on IP networks. SIP can suffer security threats such as buffer overflows, injection attacks, hijacking, and so on, and these attacks are easy to mount at little or no cost to the attacker. Flooding attacks occur when an attacker sends a high volume of traffic that causes the target system to consume all of its resources, leaving it unable to serve legitimate customers. Flooding in SIP network infrastructure can occur easily, since there is no separation between the channels for signaling and data transfer.
9. Server Message Block (SMB)
SMB is a network communication protocol that provides shared access to files, printers, and serial ports between nodes on a network. It also provides an authenticated and authorized inter-process communication mechanism. One SMB vulnerability is the SMB relay attack, which is used to carry out man-in-the-middle attacks. Another is the EternalBlue attack: the SMBv1 server in various versions of Microsoft Windows mishandles specially crafted packets from remote attackers, allowing them to execute arbitrary code on the target computer.
10. Simple Mail Transfer Protocol (SMTP)
SMTP is an application-layer communication protocol used to send emails. Spammers and hackers can use an open-relay email server to send spam or malware under the guise of the unsuspecting relay owner. Hackers also perform directory harvest attacks, a way of gleaning valid email addresses from a server or domain for later use. Other vulnerabilities include buffer overflow attacks, trojan horse attacks, shell script attacks, and so on.
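A directory harvest shows up in the mail server's own logs as a burst of rejected guesses from one client. The detector below is an added example, not code from the original article: it parses log lines written in the style of Postfix's `smtpd` "User unknown" rejections (the `SAMPLE_LOG` lines, the hostnames and the threshold of five distinct recipients per minute are constructed assumptions) and flags a client IP once it has probed enough distinct mailboxes inside a sliding window.

```python
"""Detect a directory harvest attack from SMTP server logs.

Added example, not code from the original article. The log lines below are
constructed in the style of Postfix's smtpd rejections; a harvester probes
many guessed mailboxes from one client in a short time, so the detector counts
distinct "User unknown" rejections per client IP inside a sliding window.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

REJECT_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ postfix/smtpd\[\d+\]: "
    r"NOQUEUE: reject: RCPT from \S+\[(?P<ip>[\d.]+)\]: 550 \S+ <(?P<rcpt>[^>]+)>: "
    r"Recipient address rejected: User unknown"
)


def parse_reject(line):
    """Return (timestamp, client_ip, recipient) for an unknown-user reject, else None."""
    m = REJECT_RE.match(line)
    if not m:
        return None
    # Syslog stamps carry no year; only differences between stamps are used here.
    return datetime.strptime(m["ts"], "%b %d %H:%M:%S"), m["ip"], m["rcpt"].lower()


def detect_directory_harvest(lines, threshold=5, window_seconds=60):
    """Map each offending client IP to details of when it crossed the threshold."""
    recent = defaultdict(deque)   # ip -> deque of (timestamp, recipient) in window
    alerts = {}
    for line in lines:
        hit = parse_reject(line)
        if hit is None:
            continue
        ts, ip, rcpt = hit
        q = recent[ip]
        q.append((ts, rcpt))
        while (ts - q[0][0]).total_seconds() > window_seconds:
            q.popleft()
        distinct = {r for _, r in q}   # a real user retrying one typo counts once
        if len(distinct) >= threshold and ip not in alerts:
            alerts[ip] = {
                "flagged_at": ts.strftime("%H:%M:%S"),
                "distinct_recipients": len(distinct),
                "sample": sorted(distinct)[:3],
            }
    return alerts


def _reject(ts, client, rcpt):
    """Build one constructed Postfix-style rejection line for the sample log."""
    return (f"Jan 10 {ts} mx1 postfix/smtpd[4021]: NOQUEUE: reject: RCPT from {client}: "
            f"550 5.1.1 <{rcpt}>: Recipient address rejected: User unknown in local "
            f"recipient table; from=<news@mail.example> to=<{rcpt}> proto=ESMTP helo=<bulk.example>")


# Constructed sample log: 203.0.113.5 walks through guessed names alphabetically,
# while 198.51.100.9 makes a single typo in a real address.
SAMPLE_LOG = [
    _reject("10:00:01", "unknown[203.0.113.5]", "aaron@example.com"),
    _reject("10:00:03", "unknown[203.0.113.5]", "abby@example.com"),
    "Jan 10 10:00:04 mx1 postfix/smtpd[4022]: connect from host9.example.net[198.51.100.9]",
    _reject("10:00:04", "unknown[203.0.113.5]", "adam@example.com"),
    _reject("10:00:05", "host9.example.net[198.51.100.9]", "jon.doe@example.com"),
    _reject("10:00:08", "unknown[203.0.113.5]", "alan@example.com"),
    _reject("10:00:12", "unknown[203.0.113.5]", "alex@example.com"),
    _reject("10:00:20", "unknown[203.0.113.5]", "amy@example.com"),
]


if __name__ == "__main__":
    for ip, info in detect_directory_harvest(SAMPLE_LOG).items():
        print(ip, info)
```

Counting distinct recipients rather than raw rejections is what keeps a legitimate sender who retries one misspelled address from tripping the alarm; the flagged IP is a candidate for rate limiting or a temporary block at the MTA.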
11. Simple Network Management Protocol (SNMP)
SNMP is an Internet Standard protocol for gathering and organizing information about managed devices on IP networks; it is also used to modify that information in order to change device behavior. SNMP reflection is a kind of distributed denial-of-service (DDoS) attack. Such attacks can generate attack volumes of hundreds of gigabits per second, directed at the target from many broadband networks. The adversary sends out a huge number of SNMP queries with a forged source IP address (the victim's) to many connected devices, which in turn reply to that forged address. The attack volume grows as more and more devices keep replying, until the target network is brought down under the collective volume of the responses.
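Seen from the victim's network edge, reflection traffic has one tell: SNMP replies arrive that nobody inside sent a request for. The example below is added here and is not code from the original article; it correlates outbound requests to UDP/161 with inbound replies from UDP/161 over a constructed list of flow records (the `SAMPLE_FLOWS` addresses, ports and sizes and the `min_unsolicited` threshold are assumptions for the example), flags destinations receiving unsolicited replies, and reports the amplification factor observed on legitimate request/reply pairs.

```python
"""Spot SNMP reflection traffic in flow records at a network edge.

Added example, not code from the original article. It correlates outbound
SNMP requests (to UDP/161) with inbound replies (from UDP/161) over a
constructed list of flow records; replies that match no request of ours are
reflection traffic aimed at the destination, and matched pairs give the
amplification factor the responding device provides.
"""
from collections import defaultdict

SNMP_PORT = 161


def detect_snmp_reflection(flows, min_unsolicited=3):
    """Return (flagged_destinations, amplification_ratios).

    `flows` are (timestamp, src_ip, src_port, dst_ip, dst_port, bytes) tuples
    as seen from inside the monitored network.
    """
    pending = {}          # (our_ip, our_port, device_ip) -> request size
    unsolicited = defaultdict(lambda: {"count": 0, "bytes": 0, "reflectors": set()})
    ratios = []
    for _ts, src, sport, dst, dport, size in flows:
        if dport == SNMP_PORT:                       # our own request going out
            pending[(src, sport, dst)] = size
        elif sport == SNMP_PORT:                     # reply coming back in
            key = (dst, dport, src)
            if key in pending:
                ratios.append(round(size / pending.pop(key), 1))
            else:
                entry = unsolicited[dst]
                entry["count"] += 1
                entry["bytes"] += size
                entry["reflectors"].add(src)
    flagged = {
        dst: {"count": e["count"], "bytes": e["bytes"], "reflectors": sorted(e["reflectors"])}
        for dst, e in unsolicited.items() if e["count"] >= min_unsolicited
    }
    return flagged, ratios


# Constructed flows: one legitimate poll by our monitoring host 192.0.2.10,
# then a burst of replies nobody inside asked for, all landing on 192.0.2.20.
SAMPLE_FLOWS = [
    (0.00, "192.0.2.10", 51000, "198.51.100.1", 161, 82),
    (0.02, "198.51.100.1", 161, "192.0.2.10", 51000, 1476),
    (5.00, "203.0.113.11", 161, "192.0.2.20", 40001, 1476),
    (5.01, "203.0.113.12", 161, "192.0.2.20", 40002, 1476),
    (5.01, "203.0.113.13", 161, "192.0.2.20", 40003, 1476),
    (5.02, "203.0.113.14", 161, "192.0.2.20", 40004, 1476),
]


if __name__ == "__main__":
    flagged, ratios = detect_snmp_reflection(SAMPLE_FLOWS)
    print("reflection targets:", flagged)
    print("amplification seen on our own polls:", ratios)
```

The amplification ratio is the same number an operator of SNMP-enabled devices should worry about from the other side: a device that answers a small query with a large bulk response to any source address is a reflector, and restricting which addresses it will answer is the fix at that end.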
12. Secure SHell (SSH)
SSH is a cryptography-based network protocol for operating network services securely over an unsecured network. Typical applications include remote login, remote command-line access, and remote command execution, but any network service can be secured with SSH. A man-in-the-middle (MITM) attack may allow the adversary to defeat the encryption and gain access to the encrypted contents, which can include passwords. A successful adversary is able to inject commands into the terminal, modify data in transit, or steal data. The attack can also allow the injection of malware into binary files and software updates downloaded through the system. This technique has been used by various attack groups and malware packages in the past.
13. Telnet
Telnet is an application protocol used on the Internet or on a local area network (LAN) that provides bidirectional, interactive, text-oriented communication over a virtual terminal connection. The biggest security issue in the Telnet protocol is the lack of encryption. Every command sent from a remote host to a networking device being configured travels as plain text, so an attacker can easily see what is being configured on that device, including the password used to connect to it and to enter configuration mode. Another type of Telnet attack is DoS: the attacker sends large numbers of useless and irrelevant data frames and in this manner saturates the connection.
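The clear-text login problem described for FTP (section 3) and for Telnet here is the same weakness, and the same monitoring catches both. The following is an added example, not code from the original article; it serves both sections. It takes a session as a constructed list of (direction, bytes) chunks, strips Telnet option negotiation, recognises the `USER`/`PASS` exchange and the `login:`/`Password:` prompts, and reports that a clear-text login occurred with the password redacted. It also stops scanning an FTP session once the server accepts `AUTH TLS`, since from that point the control channel is encrypted. The `FTP_SESSION`, `FTPS_SESSION` and `TELNET_SESSION` samples and the prompt strings are assumptions made for the example.

```python
"""Flag clear-text logins on the wire for FTP and Telnet.

Added example, not code from the original article; it serves the FTP and
Telnet sections. Sessions are constructed lists of (direction, bytes) as a
capture tool would hand them over, with "c" for client-to-server and "s"
for server-to-client. Passwords are never reported, only their presence,
so the output is safe to ship to a SIEM while the protocols are retired.
"""
IAC, SB, SE = 0xFF, 0xFA, 0xF0
OPTION_CMDS = (0xFB, 0xFC, 0xFD, 0xFE)   # WILL, WONT, DO, DONT each take one option byte


def strip_telnet_iac(data):
    """Remove Telnet option negotiation so only the terminal text remains."""
    out = bytearray()
    i = 0
    while i < len(data):
        if data[i] != IAC:
            out.append(data[i])
            i += 1
        elif i + 1 >= len(data):
            break
        elif data[i + 1] == IAC:          # escaped 0xFF data byte
            out.append(IAC)
            i += 2
        elif data[i + 1] == SB:           # subnegotiation runs until IAC SE
            end = data.find(bytes([IAC, SE]), i + 2)
            i = len(data) if end < 0 else end + 2
        elif data[i + 1] in OPTION_CMDS:
            i += 3
        else:                             # two-byte command (NOP, GA, ...)
            i += 2
    return bytes(out)


def find_cleartext_logins(proto, session):
    """Return one finding per clear-text login seen in an FTP or Telnet session."""
    findings = []
    if proto == "ftp":
        user, tls_requested = None, False
        for direction, data in session:
            for line in data.decode("latin-1").splitlines():
                if direction == "s":
                    if tls_requested and line.startswith("234"):
                        return findings   # AUTH TLS accepted: the rest is encrypted
                    continue
                cmd, _, arg = line.partition(" ")
                cmd = cmd.upper()
                if cmd == "AUTH" and arg.upper() in ("TLS", "SSL"):
                    tls_requested = True
                elif cmd == "USER":
                    user = arg
                elif cmd == "PASS":
                    findings.append({"proto": "ftp", "user": user,
                                     "password": f"<redacted, {len(arg)} chars>"})
    elif proto == "telnet":
        user, expect = None, None
        for direction, data in session:
            text = strip_telnet_iac(data).decode("latin-1")
            if direction == "s":
                prompt = text.lower()
                if "password:" in prompt:
                    expect = "pass"
                elif "login:" in prompt or "username:" in prompt:
                    expect = "user"
            elif expect == "user":
                user, expect = text.strip(), None
            elif expect == "pass":
                findings.append({"proto": "telnet", "user": user,
                                 "password": f"<redacted, {len(text.strip())} chars>"})
                expect = None
    return findings


# Constructed sessions.
FTP_SESSION = [
    ("s", b"220 ftp.example.net FTP server ready\r\n"),
    ("c", b"USER alice\r\n"),
    ("s", b"331 Password required for alice\r\n"),
    ("c", b"PASS hunter22\r\n"),
    ("s", b"230 Login successful\r\n"),
]
FTPS_SESSION = [
    ("s", b"220 ftp.example.net FTP server ready\r\n"),
    ("c", b"AUTH TLS\r\n"),
    ("s", b"234 Proceed with negotiation\r\n"),
    ("c", b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4"),   # TLS ClientHello bytes follow
]
TELNET_SESSION = [
    ("s", b"\xff\xfb\x01\xff\xfd\x18login: "),
    ("c", b"bob\r\n"),
    ("s", b"Password: "),
    ("c", b"s3cret!\r\n"),
    ("s", b"Last login: Mon Jan 10 on ttyp0\r\n"),
]


if __name__ == "__main__":
    print(find_cleartext_logins("ftp", FTP_SESSION))
    print(find_cleartext_logins("ftp", FTPS_SESSION))
    print(find_cleartext_logins("telnet", TELNET_SESSION))
```

The point of the `FTPS_SESSION` case is the one the section headings hint at: FTP over TLS leaves nothing for this detector to see, so a finding is direct evidence of a login that should have been moved to FTPS or SSH.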
14. Virtual Network Computing (VNC)
Virtual network computing is used to establish remote desktop sharing, a form of remote access on computer networks. VNC shows the desktop of another computer and allows that computer to be controlled over a network connection. The attacks on VNC are caused by incorrect memory handling, and exploiting them leads to denial-of-service states, malfunctions, unauthorized access to users' information, and the ability to run malicious code on the target's device. Vulnerabilities and attacks include DoS attacks, buffer overflows, buffer underflows, and remote code execution.