CEH - Attacks, Utilities, Tools, Malware
Ghost Eye Worm
Hacking tool that uses random messaging on Facebook and other sites to perform a host of malicious actions.
Netcat
"Swiss army knife" of TCP/IP hacking; provides all sorts of control over a remote shell on a target. Connects via nc -e IPaddress Port#; from the attack machine, nc -l -p 5555 opens a listening port on 5555. Can connect over TCP or UDP, from any port. Offers DNS forwarding, port mapping and forwarding, and proxying.
FTP Port
20, 21 TCP
HTTP
80 TCP
Fraggle Attack
A DDoS attack type that floods the target system with a large amount of UDP echo traffic responses; same as a Smurf attack but with UDP packets.
Botnet Trojan
A hacker has successfully infected an internet-facing server which he will then use to send junk mail, take part in coordinated attacks, or host junk email content. Examples: Chewbacca, Skynet.
KRACK - Key Reinstallation Attack
A replay attack that works by exploiting Wi-Fi Protected Access 2 (WPA2)'s four-way handshake process. The WPA standard requires only one shared secret during the process, which means that an attacker could capture the shared secret and trick the victim into reinstalling a key that is already in use; re-installation causes packet sequences to be reset to their initial values.
Reverse Social Engineering
A social-engineering attack that manipulates the victim into calling the attacker for help; getting someone to call you and give information. Often happens with tech support: an email is sent to the user stating they need to call back (due to a technical issue), and the user calls back. Can also be combined with a DoS attack to cause a problem that the user would need to call about.
SYN flood
A type of DoS where an attacker sends a large amount of SYN request packets to a server in an attempt to deny service. Sends thousands of SYN packets; does not spoof the IP but doesn't respond to the SYN/ACK packets; eventually bogs down the computer, which runs out of resources.
Replay attack
A type of network attack where an attacker captures network traffic and stores it for retransmission at a later time to gain unauthorized access to a network. Usually performed within the context of a MITM attack. The hacker repeats a portion of a cryptographic exchange in hopes of fooling the system into setting up a communications channel; the hacker doesn't know the actual data, just has to get the timing right.
TCP Flags - ACK
Acknowledgement - Set as an acknowledgement to the SYN flag. Always set after the initial SYN.
Smurf Attack
An attack that broadcasts a ping request to computers yet changes the address so that all responses are sent to the victim. A large number of pings to the broadcast address of the subnet with the source IP spoofed as the target; the entire subnet responds, exhausting the target.
Phishing
An attack that sends an email or displays a Web announcement that falsely claims to be from a legitimate enterprise in an attempt to trick the user into surrendering private information; crafting an email that appears legitimate but contains links to fake websites or to download malicious content.
Teardrop Attack
Attack that breaks apart packets into IP fragments, modifies them with overlapping and oversized payloads, and sends them to a victim machine. Overlaps a large number of garbled IP fragments with oversized payloads; causes older systems to crash due to fragment reassembly.
Side-Channel Attack
Attack that uses information (timing, power consumption) that has been gathered to uncover sensitive data or processing functions. Monitors environmental factors such as power consumption, timing, and delay.
Adaptive chosen plain-text attack
Attacker sends a lot of cipher texts to be decrypted and uses the results of the decryption to select different, but closely related, cipher texts. The attacker makes a series of interactive queries, choosing subsequent plaintexts based on the information from the previous encryptions; the idea is to glean more and more information about the full target cipher text and key.
Application attacks
Attacks, usually in the form of intrusive penetration tests, directed at public-facing web servers, applications, and back-end databases. Attacks that are targeted at web-based and other client-server applications; consume the resources necessary for the application to run. Note - application-level attacks are against weak code; "application attacks" is just the general term.
Chosen Cipher-text Attack
Chooses a particular cipher-text message and attempts to discern the key through comparative analysis. RSA is particularly vulnerable to this.
APT Lifecycle - 6
Cleanup - During this phase of the APT lifecycle, an attacker will attempt to evade detection by removing any evidence of intrusion or compromise.
Covert Channels
Communications mechanisms hidden from the access control and standard monitoring systems of an information system; used to transport data in unintended ways.
TCP State-Exhaustion Attacks
Consumes the connection state tables present in network infrastructure components such as load balancers, firewalls, and application servers.
TCP Flags - URG
Urgent - Data inside is being sent out of band. An example is cancelling a message.
LAND Attack
DoS attack that uses a spoofed SYN packet that includes the victim's IP address as both source and destination. Sends a SYN packet to the target with a spoofed IP the same as the target's; if vulnerable, the target loops endlessly and crashes.
Ping of Death
Exceeds the maximum packet size and causes the receiving system to fail. Fragments ICMP messages; after reassembly, the ICMP packet is larger than the maximum size and crashes the system. Packets in excess of 65535 bytes are sent to the targeted machine.
APT Lifecycle - 3
Expansion - During this phase of the APT lifecycle, an attacker will attempt to expand access within the target environment, typically by obtaining administrative access or by spreading malware to other systems within the environment.
TCP Flags - FIN
Finish - Ordered close of communications.
Shoulder Surfing
Gaining compromising information through observation (as in looking over someone's shoulder to get info). Can be done at long distance with binoculars, etc.
Cavity Virus
Hides in the empty areas of an executable; overwrites portions of host files so as not to increase the actual size of the file, using null content sections. This helps cavity viruses avoid detection.
Cipher-text-only attack
In this attack, the hacker gains copies of several messages encrypted in the same way (with the same algorithm). Statistical analysis can then be used to reveal, eventually, repeating code, which can be used to decode messages later.
APT Lifecycle - 2
Initial intrusion - During this phase of the APT lifecycle, an attacker will attempt to infiltrate the target environment. Infiltration can be attempted by sending spear-phishing emails, performing social engineering, or exploiting a vulnerability. Malware is typically deployed.
Dumpster Diving
Involves digging through trash receptacles to find computer manuals, printouts, or password lists that have been thrown away; looking for sensitive information in the trash. Shredded papers can sometimes indicate sensitive info.
Wrappers
A program used to combine two or more executables into a single packaged program; programs that allow you to bind an executable to an innocent file.
Shell Virus
Just like a boot sector virus - wraps itself around an application's code, inserting its code before the application's. The virus is run before the application.
Trinity
Linux-based DDoS tool.
Multipartite Virus
Literally meaning "multipart" virus; a type of computer virus that attempts to infect both the boot sector and executable files at the same time.
Fragmentation Attacks
Overwhelms the target's ability to reassemble fragmented packets.
APT Lifecycle - 4
Persistence - During this phase of the APT lifecycle, an attacker will attempt to create additional footholds within the target environment in order to maintain access.
Smishing (SMS Phishing)
Phishing using text messages.
APT Lifecycle - 1
Preparation - During this phase of the APT lifecycle, an attacker will identify a target and research it. Research might include gathering email addresses, IP addresses, domain information, org charts, and phone directories.
R-U-Dead-Yet (RUDY)
This attack targets web applications by starvation of available sessions on the web server; DoS with HTTP POST via long-form field submissions.
Cryptography Attack Tools
Carnivore and Magic Lantern - used by law enforcement for cracking codes; L0phtcrack - used mainly against Windows SAM files; John the Ripper - UNIX/Linux tool for the same purpose; PGPcrack - designed to go after PGP-encrypted systems; CrypTool; Cryptobench; Jipher.
DNS port
UDP 53
TFTP
UDP 69
Perform DHCP Starvation Attack
Use a tool such as: Dhcpstarv
Perform MAC Spoofing
Use tools such as: SMAC
Perform ARP Poisoning
Use tools such as: Cain & Abel, WinArpAttacker, Ufasoft Snif
Perform MAC Flooding Attack
Use tools such as: Yersinia and macof
Tailgating
When an unauthorized individual enters a restricted-access building by following an authorized user; the attacker has a fake badge and walks in behind someone who has a valid one.
Active Sniffing
When sniffing is performed on a switched network.
E-banking Trojans
Zeus, SpyEye
Wireless Jamming
A form of Denial of Service (DoS) attack that is used against wireless network clients. This DoS attack involves flooding a network device with traffic so that resources on the device become overwhelmed, or otherwise disrupting normal service between a client and server or access point (AP).
Spear Phishing
A phishing expedition in which the emails are carefully designed to target a particular person or organization; targeting a person or a group with a phishing attack. Can be more effective because the attack is targeted.
Stealth Virus
A virus that hides its tracks after infecting the computer. Once the computer has been infected, the virus can make modifications to make it appear that the computer has not lost any memory or that the file size has not changed. Also known as a tunneling virus; attempts to evade AVs by intercepting their requests and answering them itself instead of letting them pass to the OS.
DROWN (Decrypting RSA with Obsolete and Weakened encryption)
Affects SSL and TLS services; allows attackers to break the encryption and steal sensitive data. Uses flaws in SSL v2. Not only web servers; can be IMAP and POP servers as well.
Insider Attack
An attack from an employee, generally disgruntled. Sometimes subclassified (negligent insider, professional insider).
Chosen plain-text attack
The attacker encrypts multiple plain-text copies himself in order to gain the key.
Piggybacking
The attacker pretends they lost their badge and asks someone to hold the door.
Volumetric attacks
Bandwidth attacks; consume all bandwidth for the system or service.
File Extension Virus
Changes the file extensions of files to take advantage of most people having extension display turned off (readme.txt.vbs shows as readme.txt).
POODLE (Padding Oracle On Downgraded Legacy Encryption)
Downgrade attack that uses the vulnerability that TLS downgrades to SSL if a connection cannot be made. SSL 3 uses RC4, which is easy to crack.
SYN attack
Flood with sync requests that are never acknowledged; sends thousands of SYN packets to the machine with a false source address; eventually engages all resources and exhausts the machine.
Low Orbit Ion Cannon (LOIC)
Free DDoS application that supports TCP connection floods, UDP floods, or HTTP floods (most common); DDoS tool that floods a target with TCP, UDP, or HTTP requests.
Known plain-text attack
Has both plain text and cipher text; the plain text is scanned for repeatable sequences, which are compared to the cipher text.
Exploit Kits
Help deliver exploits and payloads. Examples: Infinity, Bleeding Life, Crimepack, Blackhole Exploit Kit.
Encryption Virus
A computer virus that encrypts its payload with the intention of making detection of the virus more difficult.
KoreK Chop Chop
An attack that can decrypt a Wired Equivalent Privacy (WEP) packet without requiring the key. The attacker does not recover the WEP key when performing a KoreK chopchop attack; however, he or she is able to view the plain text of the wireless packet without needing a key.
Proxy Server Trojan
A Trojan that, when installed on a victim computer, accepts incoming connection requests and forwards the traffic to the destination intended by the party sending the traffic.
Boot Sector Virus
Also known as a system virus; moves the boot sector to another location and then inserts its code in the original location.
Overt Channels
Legitimate communication channels used by programs; use of FTP, instant messaging, peer-to-peer, email, and other obvious file and data sharing tools.
Eavesdropping
Listening secretly to a conversation; listening in on conversations about sensitive information.
Phlashing
Malicious code embedded into BIOS or firmware, frequently used for remote control. DoS attack that causes permanent damage to a system, usually to the hardware as well; aka bricking the system.
FREAK (Factoring Attack on RSA-EXPORT Keys)
Man-in-the-middle attack that forces a downgrade of the RSA key to a weaker length.
Cluster Virus
Modifies directory table entries so that every time a file or folder is opened, the virus runs.
Polymorphic Code Virus
Mutates its code by using a polymorphic engine; difficult to find because the code is always changing.
Sparse Infector Virus
Only infects occasionally (e.g. every 10th time).
Impersonation
Pretending to be someone you're not. Can be anything from a help desk person up to an authoritative figure (FBI agent). Posing as a tech support professional can very quickly gain trust with a person.
Passive Sniffing
Refers to sniffing on a hub-based network.
Metamorphic Virus
Rewrites itself every time it infects a new file.
Perform Rogue Server Attack
Run a rogue DHCP server.
RFID Identity Theft - (RFID skimming)
Stealing an RFID card signature with a specialized device.
DHCP port
udp/68 and udp/67
Crypters
Use a combination of encryption and code manipulation to render malware undetectable to security programs. Software used by hackers to hide viruses, keyloggers, or tools in any kind of file so they are not easily detected.
Tribe Flood Network
Uses voluntary botnet systems to launch massive flood attacks.
Macro Virus
Written in VBA; infects template files - mostly Word and Excel.
Command Shell Trojan
Provides a backdoor to connect to through command-line access. Example: Netcat.
TCP Flags - PSH
Push - Forces the delivery of data without regard for buffering.
Remote Access Trojans (RAT)
Examples: MoSucker, Optix Pro, Blackhole
TCP Flags - RST
Reset - Forces the termination of a connection (in both directions).
Perform Proxy Server DNS Poisoning
Run a rogue DNS server.
APT Lifecycle - 5
Search and Exfiltration - During this phase of the APT lifecycle, an attacker will finally gain access to the targeted resource. The resource can then be stolen, destroyed, or both. Data can be encrypted to prevent detection by data loss prevention (DLP) technologies.
ICMP flood
Sends ICMP Echo packets to the target with a spoofed source address. The target responds to each packet and eventually reaches its limit of packets per second sent.
vishing (voice phishing)
Social engineering activity over the telephone system, most often using features facilitated by VoIP, to gain unauthorized access to sensitive data. A phone scam that attempts to defraud people by asking them to call a bogus telephone number to confirm their account information.
Virus Makers
Sonic Bat, Poison Virus Maker, Sam's Virus Generator, JPS Virus Maker
TCP Flags - SYN
Synchronize - Set during initial communication; negotiation of parameters and sequence numbers.
Registry Monitoring Tools
SysAnalyzer, Tiny Watcher, Active Registry Monitor, Regshot
SSH
TCP 22
Telnet
TCP 23
SMTP
TCP 25
Defacement Trojan
The Defacement Trojan allows you to view and edit almost any aspect of a compiled Windows program, from the menus to the dialog boxes to the icons. Windows applications are defaced by User-styled Custom Application.