Ch. 5.2


MAC spoofing is when an attacking device spoofs the MAC address of a valid host currently in the MAC address table of the switch. The switch then forwards frames destined for that valid host to the attacking device. This can be used to bypass:

* A wireless access point with MAC filtering on a wireless network
* Router access control lists (ACLs)
* 802.1x port-based security

ARP spoofing can be used to perform a man-in-the-middle attack as follows:

1.) When an ARP request is sent by a client for the MAC address of a device, such as the default gateway router, the attacker's system responds to the ARP request with the MAC address of the attacker's system.
2.) The client receives the spoofed ARP response and uses that MAC address when communicating with the destination host. For example, packets sent to the default gateway are sent instead to the attacker.
3.) The attacker receives all traffic sent to the destination host. The attacker can then forward these packets on to the correct destination using its own MAC address as the source address.

ARP spoofing can also be used to perform Denial of Service (DoS) attacks by redirecting communications to fake or non-existent MAC addresses.

Which of the following describes a man-in-the-middle attack?

A false server intercepts communications from a client by impersonating the intended server.

When the TCP/IP session state is manipulated so that a third party is able to insert alternate packets into the communication stream, what type of attack has occurred?

Hijacking

Domain name kiting occurs when spammers exploit domain registration by taking advantage of the five-day grace period for a newly registered domain name. This allows spammers to:

* Acquire domains and never pay for the registration of domain names by unregistering a domain name just before the grace period is up and then immediately re-registering the domain name.
* Generate income through clicks by automatically registering thousands of domains and putting ads on them. They can create link farms (multiple domains with automatic hyperlinks to targeted sites) to spam the index of a search engine (such as Google) and trick the search engine into conferring a page ranking on the spammed website.

During a man-in-the-middle attack:

* An attacker inserts himself in the communication flow between the client and server. The client is fooled into authenticating to the attacker.
* Both parties at the endpoints believe they are communicating directly with the other, while the attacker intercepts and/or modifies the data in transit. The attacker can then authenticate to the server using the intercepted credentials.

Man-in-the-middle attacks are commonly used to steal credit cards, online bank credentials, and confidential personal and business information.

IP spoofing can be used to:

* Hide the origin of the attack by spoofing the source address.
* Amplify attacks by sending a message to a broadcast address and then redirecting responses to a victim who is overwhelmed with responses.

Countermeasures for preventing spoofing are as follows:

* Implement firewall and router filters to prevent spoofed packets from crossing into or out of your private secured network. Filters will drop any packet suspected of being spoofed.
* Use certificates to prove identity.
* Use reverse DNS lookup to verify the source email address.
* Use encrypted communication protocols, such as IPsec.
* Use ingress and egress filters to examine packets and identify spoofed packets. Ingress filters examine packets coming into the network, while egress filters examine packets going out of the network. Any packet suspected of being spoofed on its way into or out of your network will be dropped.

In a DNS poisoning attack:

* Incorrect DNS data is introduced into the cache of a primary DNS server.
* The incorrect mapping is made available to client applications.
* Traffic is redirected to incorrect sites (known as pharming) for phishing purposes to perform:
  * Identity theft
  * Financial theft
  * Malware downloads (drive-by downloads), which can be used to capture sensitive information, such as passwords and financial information.

The HOSTS file, located on the C: drive at Windows/System32/drivers/etc, maps IP addresses to host names. If the host name is not found in this file, then the computer will contact the DNS server. This file can be used to improve security and reduce bandwidth usage by:

* Mapping known malicious sites to the loopback address of 127.0.0.1 to prevent browsers from displaying the malicious sites.
* Using security software to prevent modification of the HOSTS file without your knowledge. This will prevent hackers from placing a mapping in the file to redirect traffic to a fake site.

Other ways to protect your organization from DNS attacks include:

* Using the latest version of DNS software.
* Consistently monitoring traffic going through your network.
* Configuring servers to duplicate, separate, and isolate DNS functions.
* Using Domain Name System Security Extensions (DNSSEC) to secure certain kinds of information provided by DNS. DNSSEC adds cryptographic signatures to existing DNS records, helping the server correctly validate DNS responses.
* Securing and automatically renewing domain registration accounts.

In a null session:

* Older Microsoft systems used null sessions between computers. Attackers can use this vulnerability to log on and discover information about the system, such as a list of user names or shared folders.
* Null sessions are allowed through the SMB and NetBIOS protocols used on Microsoft systems.
* To prevent null session attacks, block ports 139 and 445 on network firewalls. NT uses TCP port 139 to establish NetBIOS sessions, and Windows 2000 uses TCP port 445 for SMB sessions.

In reconnaissance, the goal is to obtain DNS records that identify computer names and IP addresses in a network. This can be accomplished by:

* Performing direct queries on DNS servers (using a tool such as nslookup) to request individual records.
* Attaching to a DNS server as a secondary server and requesting a zone transfer of DNS records.
* Using a protocol analyzer to gather zone transfer traffic, which is transferred in cleartext from the primary DNS server to the secondary DNS server.

To mitigate reconnaissance attacks:

* Configure your DNS servers to only accept queries for zone transfers from specific hosts.
* Secure zone transfer data using IPsec or a VPN tunnel.

A DNS-based attack occurs when stolen DNS records are used to redirect traffic to fake websites for malicious purposes. These are important facts you should know about DNS:

* Standard DNS is configured with one primary DNS server that maintains a read/write copy of all the computer names and IP addresses registered in DNS for the domain.
* Secondary DNS servers obtain a read-only copy of this data from the primary DNS server or another secondary server.
* The process of copying the records from the primary to the secondary DNS server is called zone transfer and is performed in cleartext.

During a TCP/IP (Session) hijacking:

* The attacker takes over the session and cuts off the original source device.
* The TCP/IP session state is manipulated so that the attacker is able to insert alternate packets into the communication stream.

Countermeasures for hijacking include using:

* IPsec or other encryption protocols
* Certificate authentication
* Mutual authentication
* Randomizing sequencing mechanisms
* Packet time stamps
* Packet sequencing

Spoofing is used to hide the true source of packets or redirect traffic to another location. Spoofing attacks:

* Use modified source and/or destination addresses in packets.
* Can include site spoofing, which tricks users into revealing information.

Which of the following attacks tries to associate an incorrect MAC address with a known IP address?

ARP poisoning

reconnaissance

Actions taken to gather information for an attack.

Man-in-the-middle attack

An attack that intercepts information passing between two communication partners.

Session-based attack

An attack that takes over the TCP/IP session or captures information that can be used at a later date.

Replay attack

An attack that uses a protocol analyzer or sniffer to capture authentication information going from the client to the server and then uses this information to connect at a later time and pretend to be the client.

ARP Spoofing or ARP poisoning

An attack that uses spoofed ARP messages to associate a different MAC address with an IP address.

IP spoofing

An attack where IP address information is changed within a packet to amplify or redirect responses to a victim.

null session

An attack where a connection is made using a blank username and password that is used to discover information about the system.

Domain hijacking

An attack where an attacker gains access to the domain control panel itself and reconfigures the domain name to point toward another web server.

DNS poisoning

An attack where malicious or misleading data that incorrectly maps hostnames and IP addresses is sent to a name server.

Domain Name Kiting

An attack where spammers exploit domain registration by taking advantage of the five-day grace period for a newly registered domain name.

MAC spoofing

An attack where the MAC address of a valid host currently in the MAC address table of a switch is spoofed so that frames are redirected to the attacker.

TCP/IP (Session) hijacking

An extension of a man-in-the-middle attack where the attacker steals an open and active communication session from a legitimate user.

When a malicious user captures authentication traffic and replays it against the network later, what is the security problem you are most concerned about?

An unauthorized user gaining access to sensitive resources

What are the most common network traffic packets captured and used in a replay attack?

Authentication

Which of the following is NOT a protection against session hijacking?

DHCP reservations

While using the Internet, you type the URL of one of your favorite sites in the browser. Instead of going to the correct site, however, the browser displays a completely different website. When you use the IP address of the Web server, the correct site is displayed. Which type of attack has likely occurred?

DNS poisoning

What is the goal of a TCP/IP hijacking attack?

Executing commands or accessing resources on a system the attacker does not otherwise have authorization to access

Which of the following is the best countermeasure against man-in-the-middle attacks?

IPsec

Which of the following is the most effective protection against IP packet spoofing on a private network?

Ingress and egress filters

How does an intruder carry out a replay attack?

Intruders do not need to decrypt the intercepted packet. They can simply forward the packet to an application or service and gain access to the victim's resources or data.

Common session-based attack methods:

Man-in-the-middle, TCP/IP (Session) hijacking, HTTP (Session) hijacking, replay attack, and null session

Capturing packets as they travel from one host to another with the intent of altering the contents of the packets is a form of which attack type?

Man-in-the-middle attack

An attacker uses an exploit to push a modified hosts file to client systems. This hosts file redirects traffic from legitimate tax preparation sites to malicious sites to gather personal and financial information. What kind of exploit has been used in this scenario? (Choose two)

Pharming and DNS poisoning

The main methods used to attack DNS servers are:

Reconnaissance, DNS poisoning, domain name kiting, domain hijacking

What is modified in the most common form of spoofing on a typical IP packet?

Source address

A router on the border of your network detects a packet with a source address that is from an internal client but the packet was received on the Internet-facing interface. This is an example of what form of attack?

Spoofing

Which type of activity changes or falsifies information in order to mislead or re-direct traffic?

Spoofing

Domain hijacking

Unlike the other DNS attacks listed here, which use stolen DNS data to redirect unwitting users, domain hijacking is when an attacker gains access to the domain control panel itself. They reconfigure the domain name to point toward another web server. This allows attackers to trick users into thinking they're at a legitimate website, when they're really at a dummy site created by the attacker.

How do you prevent a replay attack?

Use a secure authentication method, such as Kerberos. The Kerberos protocol embeds additional data, such as the client's timestamp, into network packets.

HTTP (Session) hijacking

A real-time attack in which the attacker hijacks a legitimate user's cookies and uses the cookies to take over the HTTP session.
