CEH - Attacks, Utilities, Tools, Malware


Ghost Eye Worm

Hacking tool that uses random messaging on Facebook and other sites to perform a host of malicious efforts.

Netcat

- "Swiss army knife" of TCP/IP hacking
- Provides all sorts of control over a remote shell on a target
- Connects via nc -e IPaddress Port#
- From the attack machine, nc -l -p 5555 opens a listening port on 5555
- Can connect over TCP or UDP, from any port
- Offers DNS forwarding, port mapping and forwarding, and proxying

FTP Port

20, 21 TCP

HTTP

80 TCP

Fraggle Attack

A DDoS attack type that floods the target system with a large amount of UDP echo traffic responses; the same as Smurf but with UDP packets.

Botnet Trojan

A hacker has successfully infected an internet-facing server which he will then use to send junk mail, take part in coordinated attacks, or host junk email content. Examples: Chewbacca, Skynet.

KRACK - Key Reinstallation Attack

A replay attack that works by exploiting Wi-Fi Protected Access 2 (WPA2)'s four-way handshake process. The WPA standard requires only one shared secret during the process, which means that an attacker could capture the shared secret and trick the victim into reinstalling a key that is already in use; re-installation causes packet sequences to be reset to their initial values.

Reverse Social Engineering

A social-engineering attack that manipulates the victim into calling the attacker for help; getting someone to call you and give information. Often happens with tech support: an email is sent to the user stating they need to call back (due to a technical issue), and the user calls back. Can also be combined with a DoS attack to cause a problem that the user would need to call about.

SYN flood

A type of DoS where an attacker sends a large amount of SYN request packets to a server in an attempt to deny service. Sends thousands of SYN packets; does not spoof the IP but doesn't respond to the SYN/ACK packets; eventually bogs down the computer, which runs out of resources.

Replay attack

A type of network attack where an attacker captures network traffic and stores it for retransmission at a later time to gain unauthorized access to a network. Usually performed within the context of a MITM attack. The hacker repeats a portion of a cryptographic exchange in hopes of fooling the system into setting up a communications channel; the attacker doesn't know the actual data, just has to get the timing right.

TCP Flags - ACK

Acknowledgement - Set as an acknowledgement to the SYN flag. Always set after initial SYN

Smurf Attack

An attack that broadcasts a ping request to computers yet changes the address so that all responses are sent to the victim. A large number of pings to the broadcast address of the subnet with the source IP spoofed as the target; the entire subnet responds, exhausting the target.

Phishing

An attack that sends an email or displays a Web announcement that falsely claims to be from a legitimate enterprise in an attempt to trick the user into surrendering private information. Crafting an email that appears legitimate but contains links to fake websites or downloads malicious content.

Teardrop Attack

Attack that breaks apart packets into IP fragments, modifies them with overlapping and oversized payloads, and sends them to a victim machine. Overlaps a large number of garbled IP fragments with oversized payloads; causes older systems to crash due to fragment reassembly.

Side-Channel Attack

Attack that uses information (timing, power consumption) that has been gathered to uncover sensitive data or processing functions. Monitors environmental factors such as power consumption, timing, and delay.

Adaptive chosen plain-text attack

Attacker sends a lot of cipher texts to be decrypted and uses the results of the decryption to select different, but closely related, cipher texts. The attacker makes a series of interactive queries, choosing subsequent plaintexts based on the information from the previous encryptions; the idea is to glean more and more information about the full target cipher text and key.

Application attacks

Attacks, usually in the form of intrusive penetration tests, directed at public-facing web servers, applications, and back-end databases. Attacks that are targeted at web-based and other client-server applications; they consume the resources necessary for the application to run. Note: application-level attacks are against weak code; "application attacks" is just the general term.

Chosen Cipher-text Attack

Chooses a particular cipher-text message and attempts to discern the key through comparative analysis. RSA is particularly vulnerable to this.

APT Lifecycle - 6

Cleanup - During this phase of the APT Lifecycle, an attacker will attempt to evade detection by removing any evidence of intrusion or compromise.

Covert Channels

Communications mechanisms hidden from the access control and standard monitoring systems of an information system; used to transport data in unintended ways.

TCP State-Exhaustion Attacks

Consumes the connection state tables present in network infrastructure components such as load balancers, firewalls, and application servers. Goes after load balancers, firewalls, and application servers.

TCP Flags - URG

Data inside is being sent out of band. Example is cancelling a message.

LAND Attack

DoS attack that uses a spoofed SYN packet that includes the victim's IP address as both source and destination. Sends a SYN packet to the target with a spoofed IP the same as the target's; if vulnerable, the target loops endlessly and crashes.

Ping of Death

Exceeds the maximum packet size and causes the receiving system to fail. Fragments ICMP messages; after reassembly, the ICMP packet is larger than the maximum size and crashes the system. Packets in excess of 65535 bytes are sent to the targeted machine.

APT Lifecycle - 3

Expansion - During this phase of the APT Lifecycle, an attacker will attempt to expand access within the target environment, typically by obtaining administrative access or by spreading malware to other systems within the environment.

TCP Flags - FIN

Finish - Ordered close to communications

Shoulder Surfing

Gaining compromising information through observation (as in looking over someone's shoulder). Looking over someone's shoulder to get info; can be done at long distance with binoculars, etc.

Cavity Virus

Hides in the empty areas of an executable. Overwrites portions of host files so as not to increase the actual size of the file; uses null content sections. This helps cavity viruses avoid detection.

Cipher-text-only attack

In this attack, the hacker gains copies of several messages encrypted in the same way (with the same algorithm). Statistical analysis can then be used to reveal, eventually, repeating code, which can be used to decode messages later.

APT Lifecycle - 2

Initial intrusion - During this phase of the APT lifecycle, an attacker will attempt to infiltrate the target environment. Infiltration can be attempted by sending spear-phishing emails, performing social engineering, or exploiting a vulnerability. Malware is typically deployed.

Dumpster Diving

Involves digging through trash receptacles to find computer manuals, printouts, or password lists that have been thrown away; looking for sensitive information in the trash. Shredded papers can sometimes indicate sensitive info.

Wrappers

A program used to combine two or more executables into a single packaged program; programs that allow you to bind an executable to an innocent file.

Shell Virus

Just like a boot sector virus; wraps itself around an application's code, inserting its code before the application's. The virus is run before the application.

Trinity

Linux-based DDoS tool

Multipartite Virus

Literally meaning "multipart" virus; a type of computer virus that attempts to infect both the boot sector and executable files at the same time.

Fragmentation Attacks

Overwhelms the target's ability to reassemble fragmented packets.

APT Lifecycle - 4

Persistence - During this phase of the APT lifecycle, an attacker will attempt to create additional footholds within the target environment in order to maintain access.

Smishing (SMS Phishing)

Phishing using text messages

APT Lifecycle - 1

Preparation - During this phase of the APT lifecycle, an attacker will identify a target and research it. Research might include gathering email addresses, IP addresses, domain information, org charts, and phone directories.

R-U-Dead-Yet (RUDY)

This attack targets web applications by starvation of available sessions on the web server; DoS with HTTP POST via long-form field submissions.

Cryptography Attack Tools

- Carnivore and Magic Lantern - used by law enforcement for cracking codes
- L0phtcrack - used mainly against Windows SAM files
- John the Ripper - UNIX/Linux tool for the same purpose
- PGPcrack - designed to go after PGP-encrypted systems
- CrypTool, Cryptobench, Jipher

DNS port

UDP 53

TFTP

UDP 69

Perform DHCP Starvation Attack

Use a tool such as Dhcpstarv.

Perform MAC Spoofing

Use a tool such as SMAC.

Perform ARP Poisoning

Use tools such as Cain & Abel, WinArpAttacker, and Ufasoft Snif.

Perform Mac Flooding Attack

Use tools such as Yersinia and macof.

Tailgating

When an unauthorized individual enters a restricted-access building by following an authorized user. The attacker has a fake badge and walks in behind someone who has a valid one.

Active Sniffing

When sniffing is performed on a switched network.

E-banking Trojans

Zeus, SpyEye

Wireless Jamming

A form of Denial of Service (DoS) attack that is used against wireless network clients. This DoS attack involves flooding a network device with traffic so that resources on the device become overwhelmed, or otherwise disrupting normal service between a client and a server or access point (AP).

Spear Phishing

A phishing expedition in which the emails are carefully designed to target a particular person or organization; targeting a person or a group with a phishing attack. Can be more useful because the attack can be targeted.

Stealth Virus

A virus that hides its tracks after infecting the computer. Once the computer has been infected, the virus can make modifications so that the computer appears not to have lost any memory or the file size appears unchanged. Also known as a tunneling virus; attempts to evade AVs by intercepting their requests and returning them itself instead of letting them pass to the OS.

DROWN (Decrypting RSA with Obsolete and Weakened encryption)

Affects SSL and TLS services; allows attackers to break the encryption and steal sensitive data. Uses flaws in SSL v2. Not only web servers; can be IMAP and POP servers as well.

Insider Attack

An attack from an employee, generally disgruntled. Sometimes subclassified (negligent insider, professional insider).

Chosen plain-text attack

The attacker encrypts multiple plain-text copies himself in order to gain the key.

Piggybacking

The attacker pretends they lost their badge and asks someone to hold the door.

Volumetric attacks

Bandwidth attacks; consume all bandwidth for the system or service.

File Extension Virus

Changes the file extensions of files to take advantage of most people having extension display turned off (readme.txt.vbs shows as readme.txt).

POODLE (Padding Oracle On Downgraded Legacy Encryption)

Downgrade attack that used the vulnerability that TLS downgrades to SSL if a connection cannot be made. SSL 3 uses RC4, which is easy to crack.

SYN attack

Flood with sync requests that are never acknowledged. Sends thousands of SYN packets to the machine with a false source address; eventually engages all resources and exhausts the machine.

Low Orbit Ion Cannon (LOIC)

Free DDoS application that supports TCP connection floods, UDP floods, or HTTP floods (most common). DDoS tool that floods a target with TCP, UDP, or HTTP requests.

Known plain-text attack

The attacker has both plain text and cipher text; the plain text is scanned for repeatable sequences, which are compared to the cipher text.

Exploit Kits

Help deliver exploits and payloads. Examples: Infinity, Bleeding Life, Crimepack, Blackhole Exploit Kit.

Encryption Virus

A computer virus that encrypts its payload with the intention of making detection of the virus more difficult.

KoreK Chop Chop

An attack that can decrypt a Wired Equivalent Privacy (WEP) packet without requiring the key. The attacker does not recover the WEP key when performing a KoreK chopchop attack; however, he or she is able to view the plain text of the wireless packet without needing a key.

Proxy Server Trojan

A Trojan which, when installed on a victim computer, accepts incoming connection requests and forwards the traffic to the destination intended by the party sending the traffic.

Boot Sector Virus

Known as a system virus; moves the boot sector to another location and then inserts its code in the original location.

Overt Channels

Legitimate communication channels used by programs: use of FTP, instant messaging, peer-to-peer, email, and other obvious file and data sharing tools.

Eavesdropping

Listening secretly to a conversation; listening in on conversations about sensitive information.

Phlashing

Malicious code embedded into BIOS or firmware, frequently used for remote control. DoS attack that causes permanent damage to a system, usually to the hardware as well; aka bricking the system.

FREAK (Factoring Attack on RSA-EXPORT Keys)

Man-in-the-middle attack that forces a downgrade of the RSA key to a weaker length.

Cluster Virus

Modifies directory table entries so that every time a file or folder is opened, the virus runs.

Polymorphic Code Virus

Mutates its code by using a polymorphic engine; difficult to find because the code is always changing.

Sparse Infector Virus

Only infects occasionally (e.g. every 10th time).

Impersonation

Pretending to be someone you're not. Can be anything from a help desk person up to an authoritative figure (FBI agent). Posing as a tech support professional can very quickly gain trust with a person.

Passive Sniffing

Refers to sniffing on a hub-based network.

Metamorphic Virus

Rewrites itself every time it infects a new file.

Perform Rogue Server Account

Run a rogue DHCP server.

RFID Identity Theft - (RFID skimming)

Stealing an RFID card signature with a specialized device.

DHCP port

UDP 67 and UDP 68

Crypters

Use a combination of encryption and code manipulation to render malware undetectable to security programs. Software used by hackers to hide viruses, keyloggers, or tools in any kind of file so they are not easily detected.

Tribe Flood Network

Uses voluntary botnet systems to launch massive flood attacks.

Macro Virus

Written in VBA; infects template files, mostly Word and Excel.

Command Shell Trojan

Provides a backdoor to connect to through command-line access. Example: Netcat.

TCP Flags - PSH

Push - Forces the delivery of data without concern for buffering

Remote Access Trojans (RAT)

Examples: MoSucker, Optix Pro, Blackhole

TCP Flags - RST

Reset - Forces the termination of a connection (in both directions)

Perform Proxy Server DNS Poisoning

Run a rogue DNS server.

APT Lifecycle - 5

Search and Exfiltration - During this phase of the APT Lifecycle, an attacker will finally gain access to the targeted resource. The resource can then be stolen, destroyed, or both. Data can be encrypted to prevent detection by data loss prevention (DLP) technologies.

ICMP flood

Sends ICMP Echo packets to the target with a spoofed source address. The target responds to each packet and reaches its limit of packets sent per second.

vishing (voice phishing)

Social engineering activity over the telephone system, most often using features facilitated by VoIP, to gain unauthorized access to sensitive data. A phone scam that attempts to defraud people by asking them to call a bogus telephone number to confirm their account information.

Virus Makers

Sonic Bat, PoisonVirus Maker, Sam's Virus Generator, JPS Virus Maker

TCP Flags - SYN

Synchronize - Set during initial communication; negotiation of parameters and sequence numbers.

Registry Monitoring Tools

SysAnalyzer, Tiny Watcher, Active Registry Monitor, Regshot

SSH

TCP 22

Telnet

TCP 23

SMTP

TCP 25

Defacement trojan

The Defacement Trojan allows you to view and edit almost any aspect of a compiled Windows program, from the menus to the dialog boxes to the icons. Windows applications are defaced by user-styled custom applications.
