Home Learning OSI Through Layer-specific Attacks
Learning OSI Through Security

Learning OSI Through Layer-specific Attacks

I go by the handle ‘attacktheosi’ on Hackthebox and Tryhackme because attacking the different layers of the OSI (Open Systems Interconnection) model helped me to learn each layer. The OSI model is a fundamental concept in the world of networking, providing a systematic approach to understanding how different networking protocols communicate with each other. Understanding the OSI model in the context of layer-specific attacks can make the learning process even more engaging and practical. Let’s go through some layer-specific attacks, their implications, and strategies to mitigate them.

1. Physical Layer and Wiretapping Attack

First layer in the OSI model is the physical layer. The physical layer is responsible for handling the actual transmission of raw data over a physical medium, such as cables, fiber optics, or wireless channels. Its primary role is to establish and maintain a physical connection between network devices and ensure that bits are transmitted and received accurately. At this layer, data is represented as electrical signals, light pulses, or radio waves, depending on the medium used for communication. The physical layer is concerned with various aspects of data transmission, including the type of cable or medium, the voltage levels used to represent 0s and 1s, the physical connectors and pins, the timing of data transmission, and the physical topology of the network.

The physical layer is responsible for converting the digital bits from higher-layer protocols into a suitable physical format for transmission over the network medium. It also handles tasks like signal modulation, encoding, and error detection to ensure reliable data delivery. The physical layer deals with issues related to signal attenuation, interference, and noise that may affect data integrity during transmission. The successful functioning of higher OSI layers heavily depends on the reliability and efficiency of the physical layer, as any flaws at this level can lead to data loss or corruption.

How Wiretapping Attacks are Performed

Wiretapping attacks involve attackers gaining unauthorized access to the physical medium used for data transmission, such as network cables or communication lines, to intercept and eavesdrop on the communication between network devices. Attackers can use various techniques to perform these attacks, including tapping directly into the cables, using special devices to intercept electromagnetic signals, or placing covert listening devices along the communication path. By doing so, attackers can capture sensitive information, such as login credentials, financial data, or confidential communications, passing through the compromised physical connection. Physical layer wiretapping attacks are particularly challenging to detect and prevent, as they do not typically leave digital traces and require physical access to the network infrastructure.

Mitigating Wiretapping Attacks

Implementing strong physical security is crucial to mitigating wiretapping attacks. This includes restricting access to critical network infrastructure, securing network closets and data centers, and using tamper-evident seals to detect unauthorized access. Regular inspections of communication lines and cables for signs of tampering are essential to identify potential threats promptly. Employing encryption technologies, such as VPNs (Virtual Private Networks) or TLS (Transport Layer Security), ensures that even if attackers intercept data, it remains encrypted and unreadable to them. Using advanced intrusion detection systems that can detect anomalies in network traffic patterns can also help in identifying potential wiretapping activities. A layered security approach that combines physical security, encryption, and intrusion detection is the most effective way to mitigate physical layer wiretapping attacks and safeguard sensitive data from physical layer attacks.

Second layer is the data link layer. The data link layer is situated above the physical layer and below the network layer. Its primary purpose is to provide a reliable and error-free data transmission between two directly connected nodes in a local area network (LAN) or point-to-point communication link. The data link layer breaks the data received from the network layer into frames and adds necessary header and trailer information, including source and destination MAC (Media Access Control) addresses, frame sequence numbers, and error-checking information (such as cyclic redundancy check, CRC). This layer ensures that data packets are correctly delivered to their intended recipients and retransmits any lost or corrupted frames, enhancing the overall reliability of data transmission.

The data link layer is also responsible for managing access to the shared communication medium when multiple devices are connected to the same network segment. It uses Media Access Control (MAC) protocols to govern how devices on the network contend for access to the transmission medium, avoiding data collisions and ensuring fair usage of the network bandwidth. One common MAC protocol is CSMA/CD (Carrier Sense Multiple Access with Collision Detection) used in Ethernet networks. In point-to-point communication, the data link layer establishes and terminates connections between the two nodes using protocols like PPP (Point-to-Point Protocol). The data link layer plays a critical role in enabling reliable and efficient data communication within a local network and facilitating error detection and correction mechanisms to maintain data integrity.

How VLAN Hopping Attacks are Performed

Attackers exploit vulnerabilities in network switch configurations to gain unauthorized access to different VLANs (Virtual Local Area Networks). One common technique involves sending forged or manipulated frames with 802.1Q tags, which are used to identify VLAN membership. By altering these tags, attackers can trick the switch into believing that the frames belong to a different VLAN than their original one, allowing them to traverse between VLANs and potentially access sensitive information or exploit resources in other segments. Attackers can also use double-tagging or Q-in-Q attacks, where they add multiple VLAN tags to the frames, confusing the switch and potentially gaining access to unintended VLANs.

Mitigating VLAN Hopping Attacks

Network administrators should configure switches to disable unused ports or put them in an inactive state to minimize potential attack vectors. Enabling port security features, such as MAC address filtering or dynamic ARP inspection, helps prevent MAC spoofing and address resolution protocol (ARP) attacks that attackers might use to gain unauthorized access. Implementing VLAN pruning ensures that frames are only forwarded to the appropriate VLANs, limiting the potential for VLAN hopping. Utilizing techniques like Private VLANs can isolate sensitive devices within a VLAN, preventing communication between them and other devices on the same VLAN.

3. Network Layer and Ping Sweep Attack

The network layer is responsible for routing data across different networks. Its main purpose is to manage network traffic, determine the best path for data packets to reach their destination, and facilitate communication between devices in separate networks. The network layer receives data from the transport layer above it and encapsulates it into packets, adding the source and destination IP addresses to each packet. These IP addresses enable routers in the network to make intelligent decisions on how to forward the packets towards their destination. Routing protocols, such as OSPF (Open Shortest Path First) and BGP (Border Gateway Protocol), are used by routers to exchange routing information and build a routing table that helps guide data to its intended destination. The network layer ensures that data packets can traverse complex networks with multiple routers and links, allowing for efficient and reliable data transmission across interconnected networks.

This layer shields the upper layers from the complexities of the underlying physical and data link layers and provides logical addressing through IP addresses, making global communication possible. It enables the implementation of various network services, such as network segmentation, subnetting, and network address translation (NAT), to optimize network performance, conserve IP address space, and enhance security. By providing routing capabilities and addressing services, the network layer plays a pivotal role in enabling data to flow smoothly and efficiently across diverse networks.

How Ping Sweep Attacks are Performed

Attackers attempt to identify active hosts within a target network by sending ICMP echo requests (ping) to a range of IP addresses. The attackers systematically send these ping packets to a large number of IP addresses within a specific network or IP address range, sequentially or using automated tools. If a host responds to the ICMP echo request, it indicates that the host is active and reachable, revealing potential targets for further attacks. By identifying active hosts through ping sweeps, attackers can gain valuable information about the network’s structure, discover potential vulnerabilities, and plan subsequent targeted attacks against specific systems or devices within the network.

Mitigating Ping Sweep Attacks

Network administrators can configure firewalls or access control lists (ACLs) to restrict or block ICMP traffic, particularly ICMP echo requests, from external or unauthorized sources. By limiting the exposure of the network to such probing, attackers’ ability to perform ping sweeps is significantly reduced. Deploying intrusion detection and prevention systems (IDPS) can help detect and respond to ping sweep attempts in real-time, allowing administrators to take appropriate actions promptly. Regular monitoring of network traffic and analyzing log data can also aid in identifying and mitigating suspicious activities, including ping sweeps.

4. Transport Layer and Port Scanning Attack

The fourth layer in the OSI model is the transport layer. Its primary function is to provide communication between applications running on different devices. The transport layer achieves this through two main protocols: Transmission Control Protocol (TCP) and User Datagram Protocol (UDP). TCP ensures reliable data delivery by establishing a connection-oriented communication channel. It performs segmentation of data received from the application layer into smaller packets, adds sequence numbers to these packets, and manages the reassembly and acknowledgment of received packets to guarantee that data is transmitted without loss or corruption. UDP, on the other hand, offers a connectionless, lightweight communication option, suitable for applications where low overhead and quick data transfer are more important than reliability. The transport layer manages the flow control, congestion control, and error correction mechanisms, optimizing data delivery while adapting to varying network conditions.

The transport layer also supports port numbers to uniquely identify specific applications on a device. These port numbers, in combination with IP addresses, allow data to be correctly routed to the appropriate application running on the destination device. Additionally, the transport layer provides multiplexing and demultiplexing functions, enabling multiple applications on the same device to share the network connection.

How Port Scanning Attacks are Performed

Port scanning attacks are performed when attackers systematically probe a target network or host to identify open ports and services available on the system. They do this by sending network packets to various port numbers and analyzing the responses to determine which ports are open and actively listening for connections. Attackers use different scanning techniques, such as TCP SYN scans, TCP connect scans, UDP scans, and FIN scans, to elicit different responses from the target’s ports and infer their status. By discovering open ports, attackers gain insight into potential entry points for exploiting vulnerabilities, launching further attacks, or identifying active services that could be potential targets for exploitation. Port scanning is a common reconnaissance technique used by attackers to gather information about a target’s network architecture and identify potential weaknesses.

Mitigating Port Scanning Attacks

Implementing firewalls and access control lists (ACLs) can restrict access to specific ports, blocking unauthorized scanning attempts. Network administrators should also regularly monitor network traffic and look for patterns indicative of port scanning activities. Intrusion detection and prevention systems (IDPS) can be used to detect and respond to scanning attempts in real-time, triggering alerts or automated countermeasures. Employing port security tools, like port knocking or port randomization, can further make it difficult for attackers to identify open ports. Regularly patching and updating systems and applications helps eliminate known vulnerabilities that attackers might exploit during scanning.

5. Session Layer and RPC Attack

The session layer’s primary purpose is to establish, manage, and terminate sessions or connections between applications running on different devices. The session layer ensures that data exchange between applications remains synchronized and reliable, providing mechanisms for session establishment, synchronization, and checkpointing. It facilitates session management functions like session establishment, maintenance, and termination. When two applications want to communicate, the session layer establishes a session and assigns a unique identifier to the connection, allowing the data to be exchanged in an orderly manner. If the session is interrupted or needs to be resumed later, the session layer supports checkpointing, allowing data to be saved and resumed from a specific point. In the event of communication errors or failures, the session layer provides mechanisms to recover or reestablish the session to maintain a continuous flow of data.

This layer is responsible for managing session security by implementing features like authentication, authorization, and encryption. It ensures that only authorized users or applications can establish sessions and access data, enhancing overall network security. Additionally, the session layer can manage multiple simultaneous sessions, allowing applications to maintain separate communication streams and switch between them efficiently. By providing these session management services, the session layer simplifies the communication process for applications and fosters reliable and secure data exchange.

How RPC Attacks are Performed

RPC (Remote Procedure Call) attacks happen when attackers exploit vulnerabilities in the remote procedure call mechanism to gain unauthorized access or execute malicious code on a remote system. RPC is a protocol that allows programs running on different devices to communicate and request services from each other over a network. Attackers target these RPC mechanisms to inject crafted or malicious data into the communication stream, leading to various types of attacks. For instance, attackers can perform RPC injection attacks by sending manipulated data that tricks the remote system into executing unintended commands or functions. They can also engage in session hijacking, where they intercept and take over an established RPC session to impersonate legitimate users or applications, gaining unauthorized access to sensitive information or services. By exploiting vulnerabilities in the session layer RPC, attackers can potentially compromise the security and integrity of remote communications and systems.

Mitigating RPC Attacks

It is important to implement strong authentication and access controls to ensure that only authorized users or applications can initiate RPC sessions. Employing encryption mechanisms, such as SSL/TLS, can safeguard the communication channel and protect sensitive data from interception or tampering. Regularly updating and patching the RPC software and underlying systems help address known vulnerabilities. Input validation and output encoding should be applied to prevent RPC injection attacks and other forms of data manipulation. Implementing intrusion detection and prevention systems can aid in detecting and responding to suspicious RPC activities, ensuring timely mitigation of potential threats.

6. Presentation Layer and Man-in-the-Middle Attack

The presentation ensures that data is exchanged between applications in a format that is mutually understandable and independent of the underlying network or data representation. The sixth layer takes care of data formatting, translation, and encryption to facilitate seamless communication between different systems with varying data formats. It is responsible for data compression to reduce the amount of data transmitted over the network, optimizing network bandwidth and improving overall performance. The presentation layer handles data encryption and decryption, providing confidentiality and security during data transmission. It also handles data transformation, converting data from one representation (such as ASCII) to another (such as Unicode) to ensure that applications on different systems can interpret the data correctly.

Presentation layer manages data syntax and semantics, ensuring that data is accurately interpreted by the receiving application. It deals with endianness issues, which are differences in the byte order of data representation in different computer architectures. The presentation layer also handles character encoding and decoding, necessary for supporting multilingual data exchange. By providing these services, the presentation layer abstracts the complexities of data representation from the application layer, simplifying the development of applications and fostering interoperability between different systems with diverse data formats and architectures.

How Man-in-the-Middle Attacks are Performed

Man-in-the-middle (MITM) attacks occur when attackers intercept and manipulate data exchanged between applications or systems to eavesdrop on communication or alter the content. The attacker positions themselves between the communicating parties, impersonating both the sender and the receiver, making them the intermediary for data transmission. When data is sent from the sender, the attacker captures it, makes changes as desired, and then forwards the modified data to the intended receiver, while also impersonating the receiver to the original sender. This allows the attacker to monitor sensitive information, such as login credentials, financial data, or confidential communications, and potentially gain unauthorized access to secure systems. Presentation layer MITM attacks can be particularly insidious as they allow attackers to modify the content being exchanged, leading to data corruption, unauthorized access, or deception of both communicating parties.

Mitigating Man-in-the-Middle Attacks

Employing secure communication protocols such as SSL/TLS ensures data encryption and authentication, making it difficult for attackers to intercept or tamper with data in transit. Verifying the authenticity of communication partners through digital certificates helps prevent attackers from impersonating legitimate entities. Implementing strong endpoint security measures, such as antivirus and intrusion detection systems, can help detect and respond to potential MITM attacks. Additionally, educating users about the risks of MITM attacks and promoting secure communication practices, like using VPNs when accessing public networks, helps reduce the likelihood of falling victim to such attacks.

7. Application Layer and SQL Injection Attack

The application layer is responsible for providing a platform for end-user applications to interact with the network and exchange data. It serves as the interface between the user and the underlying network services, enabling various applications to access network resources and communicate with remote systems. The application layer supports a wide range of services and protocols tailored to specific applications, including web browsing (HTTP), email communication (SMTP, POP3, IMAP), file transfer (FTP), and domain name resolution (DNS), among others. Each application protocol defines the rules and conventions for data exchange, ensuring that the data is accurately formatted and interpreted on both the sending and receiving sides. This layer abstracts the complexities of lower OSI layers, allowing developers to focus on creating applications without worrying about network intricacies.

The seventh layer enables the implementation of sophisticated network services and functionalities, such as data compression, encryption, and authentication. It handles data formatting and presentation to ensure that information is presented in a readable and user-friendly manner. Additionally, the application layer supports user authentication and access control mechanisms, providing security and privacy features to restrict access to sensitive resources. The versatility and variety of services offered by the application layer make it an essential component of the OSI model, enabling a wide range of applications to seamlessly and securely communicate over the network.

How SQL Injection Attacks are Performed

SQL injection attacks can occur when attackers exploit vulnerabilities in web applications that do not properly validate or sanitize user input. They insert malicious SQL code into input fields, such as search boxes or login forms, with the intention of manipulating the application’s database. When the application processes the input, the malicious SQL code is executed, allowing the attacker to extract, modify, or delete sensitive data from the database. In worst-case scenarios, SQL injection attacks can lead to unauthorized access to the entire database or even the compromise of the entire web server.

Mitigating SQL Injection Attacks

Developers should implement proper input validation and sanitize user input by filtering out potentially harmful characters. Parameterized queries or prepared statements should be used to ensure that user-supplied data is treated as data rather than executable code. Implementing least privilege access controls for database users limits the damage an attacker can cause if a successful SQL injection occurs. Regular security assessments and code reviews can help identify and fix potential vulnerabilities in the application code. Deploying web application firewalls (WAFs) can help detect and block SQL injection attempts in real-time.


I found it a lot easier to remember the different layers in the OSI model by understanding how they can be exploited, and what mitigation steps can be taken to protect each layer.


This post is licensed under CC BY 4.0 by the author.