Pentest+ Lesson 12 - Attacking Specialized Systems
Explain how fuzzing can identify system vulnerabilities.
Answers may vary. Fuzzing a system is a technique used to see if there are any misconfigurations. Fuzzing sends a running application random and unusual input and monitors how the app responds.
VM sprawl
Configuration vulnerability where provisioning and deprovisioning of virtual assets is not properly authorized and monitored.
Denial of Sleep attack
This attack continuously sends signals to the device, requiring the device to (continuously) respond and prevents the device from resting or sleeping, which then drains the battery.
Guest operating systems (Virtual Machines or instances)
represent the operating systems installed under the virtual environment.
Host hardware
represents the platform that will host the virtual environment.
bluetooth
A short-range wireless radio network transmission medium normally used to connect two personal devices, such as a mobile phone and a wireless headset.
Bluetooth Low Energy (BLE)
A technology similar to Bluetooth, in that it is used to communicate wirelessly over short distances; however, it uses less energy.
VM escape
An attack where malware running in a VM is able to interact directly with the hypervisor or host kernel. For this attack to take place, the malicious actor must detect the presence of a virtualized environment. The next step in is for the attacker to compromise the hypervisor.
When using virtualization, multiple operating systems can be installed and run simultaneously on a single computer. List three components that are required when running a virtual platform.
Answers can vary. A virtual platform requires: Host hardware—represents the platform that will host the virtual environment. Hypervisor/Virtual Machine Monitor (VMM)—manages the virtual machine environment and facilitates interaction with the computer hardware and network. Guest operating systems (Virtual Machines or instances)—represent the operating systems installed under the virtual environment.
Hypervisors are generally regarded as well-protected and robust. However, they can suffer from vulnerabilities as well. Describe an attack that can take control of the hypervisor.
Answers can vary. Hyperjacking is when a malicious actor takes control of the hypervisor that manages a virtual environment. Once the malicious actor has taken control of the hypervisor, they will have all the required privileges and can take full control of the environment.
One attack an IoT device can suffer is a Denial of Sleep attack. Explain how this works.
Answers may vary. A Denial of Sleep attack continuously sends signals to the device, requiring the device to (continuously) respond and prevents the device from resting or sleeping, which then drains the battery.
An industrial control system (ICS) is any system that enables users to control industrial and critical infrastructure assets over a network. Describe how a SCADA system works.
Answers may vary. A Supervisory control and data acquisition (SCADA) system is a type of ICS that manages large-scale, multiple-site devices and equipment that are spread over geographically large areas from a host computer.
In addition to default passwords, it's important to be familiar with vulnerabilities that can be present in an IoT device when testing. List two or three issues that should be tested.
Answers may vary. Some of the vulnerabilities that can be present in IoT devices include the following: Lack of physical security—the small devices (such as IP cameras) can be located in several areas, many in plain sight. Unless access is restricted, these devices can be damaged or stolen. Hard-coded configurations—can occur when, for example, the device is configured to phone home as soon as it is activated. Outdated firmware/hardware—many IoT devices do not ever receive updates to the system. Even if an update is available, the device may not have an option to automatically update. Poorly designed code—can lead to an attack, that can include buffer overflows, SQL injection, SYN flood, and privilege escalation
Describe the different types of storage typically found within a LAN.
Answers may vary. Storage examples typically found within a LAN include: Direct Attached Storage (DAS) storage attached to a system such as a hard drive in a server instead of being accessed over the network Network Attached Storage (NAS)—a group of file servers attached to the network dedicated to provisioning data access Storage Area Network (SAN)—a separate subnetwork typically consisting of storage devices and servers that house a large amount of data
An IoT device is equipped with sensors, software, and network connectivity. List two ways IoT devices can communicate and exchange data.
Answers will vary. IoT devices can communicate and pass data in one of two ways: Machine-to-machine (M2M)—communication between the IoT device and other traditional systems such as a server or gateway Machine-to-person (M2P)—communication between the IoT device and the user
A VM repository is a location that is used to store VM templates or images and contains the configuration files that are used to create additional VMs. What could happen if a template has malware or is not configured correctly?
If a VM template in the repository has malware, when new VM's are generated from the infected template, this could then propagate throughout the organization.
Weaponizing an IoT Device
If a device is vulnerable, a malicious actor can infect an IoT device with malware and then turn the device into a zombie. Once infected, the device will wait for instructions from the command-and-control server to launch a Denial-of-service attack on a target.
bare metal virtual platform
In this model, the Type I hypervisor is installed directly onto the hardware and manages access to the host hardware without going through a host OS; common in enterprise network
IoT Vulns
Lack of physical security—the small devices (such as IP cameras) can be located in several areas, many in plain sight. Unless access is restricted, these devices can be damaged or stolen. Hard-coded configurations—such as the device configured to phone home as soon as the device is activated. Outdated firmware/hardware—many IoT devices do not ever receive updates to the system. Even if an update is available, the device may not have an option to automatically update. Poorly designed code—can lead to an attack that can include buffer overflows, SQL injection, SYN flood, and privilege escalation You can visit https://wiki.owasp.org/index.php/OWASP_Internet_of_Things_Project#tab=IoT_Top_10 for a list of the Top 10 IoT vulnerabilities.
industrial control system (ICS)
any system that enables users to control industrial and critical infrastructure assets over a network.
host-based model
a Type II hypervisor is installed onto a host operating system. Any virtual machines that are created are a guest and ride on top of the native operating system
Network Attached Storage (NAS)
a group of file servers attached to the network dedicated to provisioning data access.
data center
a large group of servers that provides storage, processing, and distribution of critical company data for the network clients. It's the heart of any enterprise network and is located in a central location, generally in a secure computer or server room. Company data is accessed in one of several ways
VM repository
a location that is used to store VM templates or images and contains the configuration files used to create additional VMs. As a result, it's essential to protect the repository.
Storage Area Network (SAN)
a separate subnetwork typically consisting of storage devices and servers that house a large amount of data.
Supervisory control and data acquisition (SCADA) system
a type of ICS that manages large-scale, multiple-site devices and equipment that are spread over geographically large areas from a host computer.
Packet amplification
an attack where a malicious actor will first search for a list of abusable IP addresses. Once obtained, the next step is to send a flood of UDP packets to a DNS server where the source IP address is set as the victim. A DNS response is always larger than the request. The flood of responses results in packet (and bandwidth) amplification.
Industrial Internet of Things (IIoT) or Industry 4.0
can optimize the way SCADA handles data. It is a complement to a SCADA system as it merges the control functionality with the data collecting ability of an IoT device.
Message Queuing Telemetry Transport (MQTT)
carries messages between devices. MQTT uses authentication when communicating with other devices; however, the data is not encrypted and can be vulnerable to an attack. Some of the threats to MQTT include: Sniffing, which is possible because the data is not encrypted and can be captured and read as it passes between the devices, which is an attack on confidentiality. Data modification, which can occur if a malicious actor obtains the traffic while data is being transferred between devices during a MiTM attack. The malicious actor can then modify the data, which is an attack on integrity. Joining a botnet, using Shodan, a malicious actor can search for and poison unsecured IoT devices using MQTT so they can become a part of a botnet. This can lead to an attack on availability.
buckets or blobs
cloud file storage containers; container is created within a specific region and cannot be nested within another container. Each container can host data objects, which is the equivalent of files in a local file system. In addition, a container can have customizable metadata attributes. Containers improve efficiency as they provide an agile method of provisioning resources.
Machine-to-machine (M2M)
communication between the IoT device and other traditional systems such as a server or gateway
Machine-to-person (M2P)
communication between the IoT device and the user
Mirai bot
malware that spread to thousands of IoT devices like IP cameras and baby monitors that still had their default credentials set. These infected devices formed a large botnet that triggered several high-profile DoS attacks, including taking down name servers operated by Dyn, a DNS provider for Amazon, Twitter, GitHub, and other large companies
Hypervisor/Virtual Machine Monitor (VMM)
manages the virtual machine environment and facilitates interaction with the computer hardware and network.
Spoofing CoAP
possible because UDP does not use a handshake, and a rogue endpoint can read and write messages. This can have a greater implication, for example, when getting the device to accept malicious code
fuzzing the system
sends a running application random and unusual input and monitor how the app responds. When setting up the fuzzer, the team can select what objects are to be tested. Selections can include: Configuration files Source code files Logs and archives Documents and web files Once run, the fuzzer will search for objects and report the findings
hypervisor
software or firmware that creates and manages virtual machines on the host and facilitates interaction with the computer hardware and network. Hypervisors are generally regarded as well-protected and robust. However, they can suffer from vulnerabilities as well.
Direct Attached Storage (DAS)
storage attached to a system such as a hard drive in a server, instead of being accessed over the network.
Containerization
supports microservices and serverless architecture and is also being widely used to implement corporate workspaces on mobile devices.
administration in a virtualized env
takes place at two levels: Within the hypervisor, which is the software or firmware that creates and manages virtual machines on the host hardware. Within the virtual machine, which is a guest operating system installed on a host computer using a hypervisor, such as Microsoft Hyper-V or VMware.
Class 2 attack
the attack directly affects a VM.
Class 1 attack
the attack happens outside of the VM.
Class 3 attack
the attack originates within the VM and is the attack source.
Hyperjacking
when a malicious actor takes control of the hypervisor that manages a virtual environment. Once the malicious actor has taken control of the hypervisor, they will have all the required privileges and can take full control of the environment. In addition, they will be able to access every VM along with the data stored on them and can then use any guest OS as a staging ground to attack other guests.
coercive parsing attack
will attempt to exhaust system resources by sending a Simple Object Access Protocol (SOAP) message with multiple open tags in the body
CoAP (Constrained Application Protocol)
works within a constrained network to transfer data in a number of different devices. It uses UDP as a transport layer protocol and, as a result, could benefit from using Datagram Transport Layer Security (DTLS) to improve security. However, there isn't any method to provide security for group communication.