Network-Based Attack Surface
Vulnerabilities in network infrastructure including unsecure wireless networks, wired network weaknesses, Bluetooth vulnerabilities, open service ports, and default credentials on network devices.
Understanding Network-Based Attack Surface
The network is a primary attack surface where vulnerabilities in wireless, wired, and Bluetooth connections create opportunities for attackers. Poor network security allows unauthorized access, traffic interception, and lateral movement within organizations.
Key network attack surface areas:
- Wireless networks — Open or poorly secured Wi-Fi
- Wired networks — Physical access and protocol weaknesses
- Bluetooth — Short-range wireless vulnerabilities
- Open ports — Unnecessary services exposed
- Default credentials — Factory passwords never changed
Attackers probe networks constantly, looking for misconfigurations and weaknesses that provide entry points.
Why This Matters for the Exam
Network security is fundamental to SY0-701 and appears across multiple domains. Questions test understanding of specific vulnerabilities (evil twin, Bluetooth attacks) and appropriate controls (WPA3, port management).
Understanding network attack surfaces helps with security architecture decisions—which services to expose, how to segment networks, and what monitoring to implement.
Default credentials and open ports are among the most common real-world vulnerabilities, making them frequent exam topics.
Deep Dive
Wireless Network Vulnerabilities
Wireless networks broadcast signals that attackers can intercept without physical access.
Wireless Attack Types:
Evil Twin Attack
- Attacker creates fake access point
- Same SSID as legitimate network
- Stronger signal attracts victims
- Intercepts all traffic through fake AP
Rogue Access Point
- Unauthorized AP connected to network
- May be malicious or just unauthorized
- Bypasses network security controls
- Creates backdoor into network
Wireless Eavesdropping
- Capturing wireless traffic
- Unencrypted traffic readable
- Even encrypted traffic can reveal metadata
- Packet analysis for reconnaissance
Deauthentication Attacks
- Forcing clients to disconnect
- Capture handshake for offline cracking
- Denial of service
- Force reconnection to evil twin
Wireless Security Protocols:
| Protocol | Security Level | Status |
|---|---|---|
| WEP | Very weak | Deprecated, never use |
| WPA | Weak | Deprecated |
| WPA2 | Good | Acceptable |
| WPA3 | Strong | Recommended |
Wireless Security Controls:
- Use WPA3 or WPA2-Enterprise
- Disable SSID broadcast (limited value)
- Implement 802.1X authentication
- Regular rogue AP detection
- Wireless IDS/IPS
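The rogue AP detection control above can be sketched as a comparison between a radio survey and the authorized AP inventory. This is an added example, not part of the original page; the inventory, survey rows, SSIDs, BSSIDs and finding labels are all constructed assumptions.

```python
# Added example: compare a Wi-Fi survey with the authorized AP inventory.
# Every SSID, BSSID and RSSI value here is constructed for illustration.
RANK = {"OPEN": 0, "WEP": 1, "WPA": 2, "WPA2": 3, "WPA3": 4}

# Hypothetical inventory: BSSID -> (SSID, protocol the AP is configured for)
AUTHORIZED = {
    "02:00:00:aa:00:01": ("CorpNet", "WPA3"),
    "02:00:00:aa:00:10": ("CorpGuest", "WPA2"),
}

# Constructed survey rows: (ssid, bssid, advertised security, rssi in dBm)
SURVEY = [
    ("CorpNet", "02:00:00:aa:00:01", "WPA3", -61),
    ("CorpNet", "02:00:00:ff:00:99", "WPA2", -38),
    ("CorpGuest", "02:00:00:aa:00:10", "OPEN", -70),
    ("CorpNet", "02:00:00:ff:00:77", "WPA3", -85),
    ("CoffeeShop", "02:00:00:bb:00:05", "WPA2", -80),
]

def classify(survey, authorized):
    """Return [(bssid, finding)] for survey rows that need investigation."""
    our_ssids = {ssid for ssid, _ in authorized.values()}
    # Strongest signal heard from a known-good AP, per SSID.
    best_known = {}
    for ssid, bssid, _, rssi in survey:
        if bssid.lower() in authorized:
            best_known[ssid] = max(best_known.get(ssid, -200), rssi)
    findings = []
    for ssid, bssid, security, rssi in survey:
        bssid = bssid.lower()
        if bssid in authorized:
            # A BSSID can be cloned, so a known BSSID advertising a weaker
            # protocol than the inventory records is still a finding.
            if RANK[security] < RANK[authorized[bssid][1]]:
                findings.append((bssid, "security-downgrade"))
        elif ssid in our_ssids:
            louder = rssi > best_known.get(ssid, -200)
            findings.append((bssid, "same-ssid-stronger-signal" if louder
                             else "same-ssid-unknown-bssid"))
        # Other SSIDs are neighbours. An unauthorized AP plugged into the LAN
        # under its own SSID needs switch-side detection, not a radio survey.
    return findings
```

The "same SSID, stronger signal" row matches the evil twin pattern described above; the downgrade row covers the case where the BSSID itself has been copied.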
Wired Network Vulnerabilities
Physical network infrastructure creates attack opportunities.
Physical Access Attacks:
- Plugging into unused network jacks
- Inserting devices inline (man-in-the-middle)
- Accessing network closets/data centers
- Connecting rogue devices
Protocol Vulnerabilities:
| Attack | Description |
|---|---|
| ARP Spoofing | Redirect traffic through attacker |
| MAC Flooding | Overwhelm switch, force broadcast mode |
| VLAN Hopping | Escape VLAN isolation |
| STP Attacks | Manipulate spanning tree, intercept traffic |
Wired Network Controls:
- 802.1X port authentication
- MAC address filtering (limited)
- Port security (limit MACs per port)
- Disable unused ports
- Physical security for jacks
Bluetooth Vulnerabilities
Short-range wireless technology with its own attack surface.
Bluetooth Attacks:
Bluejacking
- Sending unsolicited messages
- Nuisance, not typically harmful
- No data theft
Bluesnarfing
- Unauthorized access to device data
- Can steal contacts, messages, files
- Exploits Bluetooth vulnerabilities
Bluebugging
- Taking control of device
- Can make calls, send messages
- Most severe Bluetooth attack
BlueBorne
- Spreading malware via Bluetooth
- No user interaction required
- Can affect unpatched devices
Bluetooth Security Controls:
- Turn off Bluetooth when not needed
- Use non-discoverable mode
- Keep devices updated
- Pair only with known devices
- Use Bluetooth 5.0+ when possible
Open Service Ports
Every open port is a potential entry point.
Port Risk Categories:
| Port Category | Risk | Examples |
|---|---|---|
| Management | High | SSH (22), RDP (3389), Telnet (23) |
| Database | High | SQL (1433), MySQL (3306), Oracle (1521) |
| File sharing | Medium | SMB (445), FTP (21) |
| Web services | Varies | HTTP (80), HTTPS (443) |
Port Management Best Practices:
- Disable unnecessary services
- Regular port scanning/auditing
- Firewall rules to restrict access
- Change default ports (limited value)
- Monitor for new listeners
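Auditing ports and monitoring for new listeners comes down to diffing what a host is listening on against an approved baseline. The following is an added example, not part of the original page: it parses a constructed sample in the column layout of `ss -tln` and rates unapproved listeners with the risk table above; the baseline set and the "Uncategorized"/"Review" labels are assumptions.

```python
# Added example: diff current TCP listeners against an approved baseline.
RISK_TABLE = {  # port -> (category, risk), from the Port Risk Categories table
    22: ("Management", "High"), 3389: ("Management", "High"),
    23: ("Management", "High"),
    1433: ("Database", "High"), 3306: ("Database", "High"),
    1521: ("Database", "High"),
    445: ("File sharing", "Medium"), 21: ("File sharing", "Medium"),
    80: ("Web services", "Varies"), 443: ("Web services", "Varies"),
}
LOOPBACK = ("127.", "[::1]")

# Constructed sample in the column layout printed by `ss -tln`.
SAMPLE = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
LISTEN  0       4096    127.0.0.1:3306      0.0.0.0:*
LISTEN  0       128     [::]:23             [::]:*
LISTEN  0       511     *:443               *:*
LISTEN  0       5       0.0.0.0:8081        0.0.0.0:*
"""

BASELINE = {22, 443, 3306}  # hypothetical approved listener ports for this host

def parse_listeners(text):
    """Yield (address, port) for every LISTEN row; the header is skipped."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        # rpartition keeps bracketed IPv6 addresses such as [::] intact.
        addr, _, port = fields[3].rpartition(":")
        yield addr, int(port)

def audit(text, baseline):
    """Return findings for listeners outside the baseline, worst first."""
    findings = []
    for addr, port in parse_listeners(text):
        if port in baseline:
            continue
        category, risk = RISK_TABLE.get(port, ("Uncategorized", "Review"))
        findings.append({"port": port, "category": category, "risk": risk,
                         # Loopback-only listeners are not reachable remotely.
                         "exposed": not addr.startswith(LOOPBACK)})
    order = {"High": 0, "Medium": 1, "Varies": 2, "Review": 3}
    return sorted(findings, key=lambda f: (order[f["risk"]], f["port"]))
```

On the sample, Telnet on port 23 is reported first as an unapproved high-risk management listener, followed by the unknown service on 8081.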
Default Credentials
Factory-set passwords that are never changed.
Commonly Affected:
- Network devices (routers, switches)
- IoT devices (cameras, sensors)
- Management interfaces (IPMI, iLO)
- Applications and databases
- Wireless access points
Why Defaults Are Dangerous:
- Published in manuals/online
- Automated scanning for defaults
- Instant full access if found
- Often administrative privileges
Mitigations:
- Change all defaults immediately
- Use password managers for complexity
- Implement credential policies
- Regular audits for defaults
- Automated scanning for default creds
How CompTIA Tests This
Example Analysis
Scenario: A security audit discovers multiple issues: The guest Wi-Fi uses WPA2-Personal with "Guest123" as the password, several network switches still use "admin/admin" credentials, and port 23 (Telnet) is open on network devices.
Analysis of Vulnerabilities:
Weak Wi-Fi Password:
- Easy to guess/brute force
- Once cracked, affects all guests
- Consider WPA2-Enterprise with individual creds
- Or at minimum, complex pre-shared key
Default Switch Credentials:
- "admin/admin" is commonly known default
- Full administrative access if exploited
- Should change immediately
- Implement centralized authentication (RADIUS)
Telnet Open:
- Telnet transmits in cleartext
- Credentials can be captured
- Should use SSH instead
- If Telnet needed, restrict by ACL
Priority of Fixes:
1. Default credentials — Highest risk, easiest fix
2. Telnet → SSH — Eliminates cleartext exposure
3. Wi-Fi password — Strengthen or upgrade auth method
Key insight: Multiple basic security failures compound risk. Each issue alone is dangerous; together they create easy entry points for attackers.
Key Terms to Know
Common Mistakes to Avoid
Exam Tips
Memory Trick
"WOW-BP" - Network Attack Surfaces
- Wireless (Wi-Fi attacks)
- Open ports (unnecessary services)
- Wired (physical network)
- Bluetooth (short-range wireless)
- Passwords (default credentials)
Bluetooth Attacks: "JackSnarf Bug"
- Bluejacking = Sending messages (nuisance)
- Bluesnarfing = Stealing data
- Bluebugging = Taking control (worst)
Wireless Security Evolution:
WEP → WPA → WPA2 → WPA3
Weak → Weak → Good → Best
Evil Twin Memory:
"EVIL" twin has the "SAME" SSID
Stronger signal = Users connect to wrong one
Test Your Knowledge
Q1. An attacker sets up a wireless access point with the same SSID as a coffee shop's legitimate Wi-Fi, but with a stronger signal. This attack is called:
Q2. Which Bluetooth attack allows an attacker to steal data from a victim's device without authorization?
Q3. What is the MOST effective mitigation for the risk of default credentials on network devices?
Practice questions on network-based attack surface and other Objective 2.2 concepts.