CEH part 5
Hex Encoding
The HTML encoding scheme uses the hex value of every character to represent a collection of characters for transmitting binary data.
Fake AP access points
are those that create fake 802.11b beacon frames with randomly generated ESSID and BSSID (MAC address) assignments. This only send beacon frames but do not produce any fake traffic on the access points, and an attacker can monitor the network traffic and quickly note the presence of fake AP.
Malware honeypots
are used to trap malware attempts over the network infrastructure. These honeypots are simulated with known vulnerabilities such as outdated APIs, vulnerable SMBv1 protocols, etc., and they also emulate different Trojans, viruses, and backdoors that encourage adversaries to perform exploitation activities
A true positive
is a condition occurring when an event triggers an alarm and causes the IDS to react as if a real attack is in progress. The event may be an actual attack, in which case an attacker is making an attempt to compromise the network, or it may be a drill, in which case security personnel are using hacker tools to conduct tests of a network segment.
KFSensor
is a host-based IDS that acts as a Honeypot to attract and detect hackers and worms by simulating vulnerable system services and Trojans. By acting as a decoy server, it can divert attacks from critical systems and provide a higher level of information than that achieved using firewalls and NIDS alone
Firewalking
is a method of collecting information about Remote networks Behind Firewalls. It is a technique that uses TTL values to determine gateway ACL filters and map networks by analyzing the IP packet response
Suricata
is a robust network threat detection engine capable of real-time intrusion detection (IDS), inline intrusion prevention (IPS), network security monitoring (NSM), and offline pcap processing.
Anonymizer
this VPN routes all the traffic through an encrypted tunnel directly from your Laptop to secure and harden servers and networks. It then masks the real IP address to ensure complete and continuous anonymity for all online activities
Time-to-live exceeded
this means that the traffic through port 23 has passed through the firewall filtering which indicates that the firewall does not block port 23.
Invalid RST Packets
The TCP uses 16-bit checksums for error checking of the header and data and to ensure that communication is reliable. It adds a checksum to every transmitted segment that is checked at the receiving end. When a checksum differs from the checksum expected by the receiving host, the TCP drops the packet at the receiver's end. The TCP also uses an RST packet to end two-way communications. Attackers can use this feature to elude detection by sending RST packets with an invalid checksum.
TCP flag bits
Used to check whether the packet has SYN, ACK, or other bits set for the connection to be made.
Session Splicing
Which network-level evasion method is used to bypass IDS where an attacker splits the attack traffic in too many packets so that no single packet triggers the IDS?
MITM attacks
attackers use DNS servers and routing techniques to bypass firewall restrictions. They may either take over the corporate DNS server or spoof DNS responses to perform these attacks.
ZoneAlarm PRO Firewall
blocks attackers and intruders from accessing your system. It monitors programs for suspicious behavior spotting and stopping new attacks that bypass traditional anti-virus protection. It prevents identity theft by guarding your data. It even erases your tracks allowing you to surf the web in complete privacy. Furthermore, it locks out attackers, blocks intrusions, and makes your PC invisible online. Also, it filters out an annoying and potentially dangerous email.
XSS attack
exploits vulnerabilities that occur while processing the input parameters of end users and the server responses in a web application. Attackers take advantage of these vulnerabilities to inject malicious HTML code into the victim website to bypass the WAF.
Packet filtering firewall
firewall investigates each individual packet passing through it and makes a decision whether to pass the packet or drop it. It works at the Internet protocol (IP) layer of the TCP/IP model. These firewalls concentrate on individual packets, analyze their header information, and determine which way they need to be directed.
Static NAT
helps to hide an internal network layout and force connections to go through a choke point, And uses a One-to-One Mapping. This works with the help of a router and helps in sending packets and modifying them. When the internal machine sends the packet to the outside machine, this tool modifies the source address of the particular packet to make it appear as if it is coming from a valid address. When the outside machine sends the packet to the internal machine, this tool modifies the destination address to turn the visible address into the correct internal address. It can also modify the source and destination port numbers
Zimperium's zIPS™
is a Mobile intrusion prevention system App that provides comprehensive protection for iOS and Android devices against mobile network, device, and application cyber-attacks.
A false negative
is a condition occurred when an IDS Fails to react to an Actual attack event. This event is the most dangerous failure since the purpose of an IDS is to detect and respond to attacks.
A true negative
is a condition occurred when an IDS identifies an activity as acceptable behavior and the activity is acceptable. A true negative is successfully ignoring the acceptable behavior. It is not harmful as the IDS is performing as expected.
True positive
is a condition occurring when an event triggers an alarm and causes the IDS to react as if a real attack is in progress.
True positive (attack - alert)
is a condition occurring when an event triggers an alarm and causes the IDS to react as if a real attack is in progress. The event may be an actual attack, in which case an attacker is making an attempt to compromise the network, or it may be a drill, in which case security personnel is using hacker tools to conduct tests of a network segment.
SPECTER
is a honeypot-based intrusion detection system that offers common Internet services such as SMTP, FTP, POP3, HTTP, and TELNET which appear perfectly normal to the attackers but in fact are traps
Banner
is used to refer to Service Announcements provided by services in response to connection requests and often carry Vendor's Version of Information.
Circuit-level gateway firewall
works at the session layer of the OSI model or TCP layer of TCP/IP. It forwards data between networks without verifying it, and blocks incoming packets into the host, but allows the traffic to pass through itself. Information passed to remote computers through a this tool will appear to have originated from the gateway, as the incoming traffic carries the IP address of the proxy.
Anomaly Detection
It detects the intrusion based on the fixed behavioral characteristics of the users and components in a computer system
Mobile Device Firewalls
Mobiwol: NoRoot Firewall Mobile Privacy Shield NetPatch Firewall
Packet Generating Tools
Ostinato, WAN Killer and WireEdit
Indicator of network intrusion
Repeated Probes of the available services on your machines.
Loki
ICMP tunneling is used to execute commands of choice by tunneling them inside the payload of ICMP echo packets.
False Positive
An Alert was generated because a Large Number of Packets were coming into the network on ports 20 and 21. Attackers craft these malicious large packets and send them to the IDS to create this type of alert ????, used to hide real attack traffic.
Char Encoding
Associates each symbol with a numeric value. -Use this function to replace common injection variables present in the SQL statement to evade the IDS.
Protocol Anomaly Detection
In this type of detection, models are built to explore anomalies in the way in which vendors deploy the TCP/IP specification
string concatenation
Combining several strings into a single string, or combining a string with other data into a new, longer string. -This technique breaks SQL statement into a number of pieces and breaks up SQL keywords to evade IDS.
proxy firewalls
Computers establish a connection with a ???? that initiates a new network connection for the client.
Port 259
Check Point's FireWall-1 listens to which of the following TCP ports?
Encrypted Taffic
In network security, an IDS is a system used for monitoring and identifying unauthorized access or abnormal activities on computers or local networks. Which of the following techniques can an attacker use to Escape Detection by the IDS?
Obfuscating
Encode the Packet; It is an IDS evasion technique used by attackers to Encode the attack packet payload in such a way that the destination host can only decode the packet but not the IDS. An attacker manipulates the path referenced in the signature to fool the HIDS. Using Unicode characters, an attacker can encode attack packets that the IDS would not recognize but which an IIS web server can decode
16-bit
How many bit checksum is used by the TCP protocol for error checking of the header and data and to ensure that communication is reliable?
Packet filtering firewall because it will best keep the increased traffic moving at an acceptable level.
The director indicates that the amount of throughput will increase over the next few years and this firewall will need to keep up with the demand while other security systems do their part with the passing data. What firewall will John use to meet the requirements?
Spider honeypots
These honeypots are specifically designed to trap web crawlers and spiders. Many threat actors perform web crawling and spidering to extract important information from web applications. Such crucial information includes URLs, contact details, directory details, etc
Stateful multilayer inspection firewall
They filter packets at the network layer, to determine whether session packets are legitimate, and evaluate the contents of packets at the application layer.
Flooding
To bypass IDS security, attackers send huge amount of unnecessary traffic to the IDS resources with noise or fake traffic to exhaust them. Once such attacks succeed, attackers send malicious traffic toward the target system behind the IDS, which offers little or no intervention. Thus, true attack traffic might go undetected
Indications of Network intrusions:
-A sudden increase in bandwidth consumption -Repeated probes of the available services on your machines -Connection requests from IPs other than those in the network range, which imply that an unauthenticated user (intruder) is attempting to connect to the network -Repeated login attempts from remote hosts -A sudden influx of log data, which could indicate attempts at DoS attacks, bandwidth consumption, and DDoS attacks
Indications of File System intrusions:
-If you find new, unknown files/programs on your system, then there is a possibility that the system has been intruded into. The system can be compromised to the extent that it can, in turn, compromise other network systems. -When an intruder gains access to a system, he or she tries to escalate privileges to gain administrative access. When the intruder obtains administrator privileges, he/she could change file permissions, for example, from read-only to write. -Unexplained modifications in file size are also an indication of an attack. Make sure you analyze all your system files. -The presence of rogue suid and sgid files on your Linux system that do not match your master list of suid and sgid files could indicate an attack. -You can identify unfamiliar file names in directories, including executable files with strange extensions and double extensions. -Missing files are also a sign of a probable intrusion/attack.
Countermeasures to Defend Against IDS Evasion
-Shut down switch ports associated with known attack hosts -Use TCP FIN or Reset (RST) packet to terminate malicious TCP sessions -Harden the security of all communication devices such as modems, routers, etc. -If possible, block ICMP TTL expired packets at the external interface level and change the TTL field to a considerable value, ensuring that the end host always receives the packets. -Regularly update the antivirus signature database. -Use a traffic normalization solution at the IDS to protect the system from evasions. -Store the attack information (attacker IP, victim IP, timestamp) for future analysis. -Deploy IDS after a thorough analysis of the network topology, nature of network traffic, and number of hosts to monitor
Indications of System Intrusions:
-Sudden changes in logs such as short or incomplete logs -Unusually slow system performance -Missing logs or logs with incorrect permissions or ownership -Modifications to system software and configuration files -Unusual graphic displays or text messages -Gaps in system accounting -System crashes or reboots -Unfamiliar processes
IP address spoofing
-is a hijacking technique in which an attacker Masquerades as a Trusted host to Conceal his identity, spoof a website, Hijack Browsers, or gain unauthorized access to a network. -The attacker creates IP packets by using a forged IP address and gains access to the system or network without authorization.
Sim Hijacking
1. Get Personal Data Your personal info is obtained by a fraudster via some means. Data leaks have exposed millions of personal records. Obtaining the last four a social security number or a bit of information from a security question is all that is needed to make an attempt. 2. Convince a Carrier The fraudster uses personal info to convince mobile carrier to switch from current SIM to new SIM. There is even evidence that works at the carriers have been bribed or coerced to make the switch. 3. Take Over With control of new number, fraudster logs into accounts by using two-factor authentication or one-time passwords. Requiring a phone number was supposed to give solid security for password retrieval and access. That trust given to a phone number has been used against the system. 4. Profit The compromised accounts might be ransomed or used for other nefarious purposes. Accessing the financial records or others accounts are the most direct route to loss. People with high-value social media handles have been extorted to give those up. The phone number might be ransomed for Bitcoins.
False positives
A network administrator received an administrative alert at 3:00 a.m. from the intrusion detection system. The alert was generated because a large number of packets were coming into the network over ports 20 and 21. During analysis, there were no signs of attack on the FTP servers. How should the administrator understand this situation?
False-positive alarm:
A network traffic false alarm: A network traffic false alarm triggers when a non-malicious traffic event occurs. A great example of this would be an IDS triggers an alarm when the packets do not reach the destination due to network device failure. A network device alarm: An IDS triggers a network device alarm when the device generates unknown or odd packets, for example, load balancer. An Alarm caused by an incorrect software script: If poorly written software generates odd or unknown packets, IDS will trigger a false-positive alarm. Alarms caused by an IDS bug: A software bug in an IDS will raise an alarm for no reason.
Polymorphic shellcode
An attacker hides the shellcode by encrypting it with an unknown encryption algorithm and by including the decryption code as part of the attack packet. He encodes the payload and then places a decoder before the payload. Identify the type of attack executed by attacker.
Network layer, Transport layer
At which two traffic layers do most commercial IDSes generate signatures? (Select Two)
Snort
Attaching This in promiscuous mode to the network media decodes all the packets passing through the network. It generates alerts according to the content of individual packets and rules defined in the configuration file. When an alert rule is matched in a network-based IDS like this, the IDS continues to evaluate the packet until all rules are checked.
Tiny Fragments
Attackers create tiny fragments of outgoing packets, forcing some of the TCP packet's header information into the next fragment. The IDS filter rules that specify patterns will not match with the fragmented packets owing to the broken header information. The attack will succeed if the filtering router examines only the first fragment and allows all the other fragments to pass through
Polymorphic shellcode
In which of the following IDS evasion techniques does an attacker use an existing buffer-overflow exploit and set the "return" memory address on the overflowed stack to the entrance point of the decryption code? An attacker hides the shellcode by encrypting it with an unknown encryption algorithm and by including the decryption code as part of the attack packet
Bitvise
SSH Server provides Secure Remote login capabilities to Windows workstations and servers by encrypting data during transmission (SSH TCP/IP tunneling). It is ideal for remote administration of Windows servers, for advanced users who wish to access their home machine from work or their work machine from home, and for a wide spectrum of advanced tasks, such as establishing a VPN using the SSH TCP/IP tunneling feature or providing a secure file depository using SFTP.
Super Network Tunnel
Two-way HTTP tunneling software that connects two computers using HTTP-Tunnel Client and HTTP-Tunnel Server. It works like VPN tunneling but uses the HTTP protocol to establish a connection for accessing the Internet without monitoring and provides an extra layer of protection against attackers, spyware, identity theft, and so on
Source IP address
Used to check whether the packet is coming from a valid source. The information about the source IP address can found from the IP header of the packet.
Interface
Used to check whether the packet is coming from an unreliable zone.
Direction
Used to check whether the packet is entering or leaving the private network.
Source Routing
Using this technique, the sender of the packet designates the route (partially or entirely) that a packet should take through the network such that the designated route should bypass the firewall node. Thus, the attacker can evade firewall restrictions
Tar Pits
are security entities that are similar to honeypots, which are designed to respond slowly to incoming requests. They slow down unauthorized attempts of hackers
False-positive
When analyzing the IDS logs, the system administrator noticed an alert was logged when the external router was accessed from the administrator's computer to update the router configuration. What type of an alert is this?
Obfuscation
Which evasion technique is used by attackers to encode the attack packet payload in such a way that the destination host can only decode the packet but not the IDS?
Send-Safe Honeypot Hunter
Which honeypot detection tool has the following features: -Checks lists of HTTPS, SOCKS4, and SOCKS5 proxies with any ports -Checks several remote or local proxylists at once -Can upload "Valid proxies" and "All except honeypots" files to FTP -Can process proxylists automatically every specified period -May be used for usual proxylist validating as well
Firewalking
Which method of firewall identification has the following characteristics: -uses TTL values to determine gateway ACL filters -maps networks by analyzing IP packet response -probes ACLs on packet filtering routers/firewalls using the same method as trace-routing -sends TCP or UDP packets into the firewall with TTL value is one hop greater than the targeted firewall
Session splicing
Which network-level evasion method is used to bypass IDS where an attacker splits the attack traffic in too many packets so that no single packet triggers the IDS?
XSS (Cross Site Scripting)
Which of the following attack techniques is used by an attacker to exploit the vulnerabilities that occur while processing the input parameters of end users and the server responses in a web application?
Banner Grabbing
Which of the following is a fingerprinting technique used by an attacker to detect the vendor of a firewall, firmware version, and services running on a system?
Wifi Inspector
Which of the following is a mobile intrusion detection tool that allows users to find all the devices connected to a network and provides relevant data such as the IP addresses, manufacturer names, device names, and MAC addresses of the connected devices?
Insertion Attack
Which of the following is an IDS evasion technique used by an attacker to confuse the IDS by Forcing it to read invalid packets as well as blindly trust and accept a packet that an end system rejects?
Evasion
Which of the following techniques is used by an attacker to Exploit a host computer and results in the IDS discarding packets while the host that must receive the packets accepts them?
Circuit-level gateway firewall
While conducting a penetration test, the tester determines that there is a firewall between the tester's machine and the target machine. The firewall is only monitoring TCP handshaking of packets at the session layer of the OSI model. Which type of firewall is the tester trying to traverse?
Install compensatory controls such as internal firewall (FW) and IPS to protect it.
You are a security expert. What can you do to protect an Internal server that does not have antivirus and you cannot install any tools because of performance issues?
Bait and Switch Honeypots
actively participate in security mechanisms that are employed to respond quickly to incoming threats and malicious attempts. They redirect all malicious network traffic to a honeypot after any intrusion attempt is detected. An attacker can identify the presence of such honeypots by looking at specific TCP/IP parameters such as the Round-Trip Time (RTT), the Time To Live (TTL), and the TCP timestamp.
ACK tunneling method
allows tunneling a backdoor application with TCP packets with the ACK bit set. The ACK bit is used to acknowledge the receipt of a packet. Some firewalls do not check packets with the ACK bit set because ACK bits are supposed to be used in response to legitimate traffic
Signature Recognition
also known as misuse detection, tries to identify events that indicate an abuse of a system or network resource -technique involves first creating models of possible intrusions and then comparing these models with incoming events to make a detection decision
Honeynets
are networks of honeypots. They are very effective in determining the entire capabilities of the adversaries. These are mostly deployed in an isolated virtual environment along with a combination of vulnerable servers. The various TTPs employed by different attackers to enumerate and exploit networks will be recorded, and this information can be very effective in determining the complete capabilities of the adversary.
Fragmentation attack
can be used as an attack vector when fragmentation timeouts vary between the IDS and the host. Through the process of fragmenting and reassembling, attackers can send malicious packets over the network to exploit and attack systems.
Intrusion Detection System (IDS)
is a security software or hardware device used to monitor, detect, and protect networks or systems from malicious activities; it alerts the concerned security personnel immediately upon detecting intrusions. Alert thresholding is a set of rules that detects suspicious activities based on access attempts and time intervals. Users can customize the default threshold according to their requirements. Setting threshold is difficult because a user may miss few key packets if it is set too high. If thresholds are too low, the analyst may see many false-positives.
Sebek
is a server/client-based honeypot application that captures the rootkits and other malicious malware that hijacks the read() system call. Such honeypots record all the data accessed via reading () call. Attackers can detect the existence of these honeypots by analyzing the congestion in the network layer, as this data communication is usually unencrypted.
Traffic IQ Professional
is a tool that Audits and Validates the Behavior of security devices by generating the standard application traffic or attack traffic between two virtual machines. This tool is generally used by security personnel for assessing, auditing, and testing the behavioral characteristics of any Non-Proxy packet-filtering device, which can include application firewalls, IDS, IPS, routers, switches, etc. However, as this tool can generate custom attack traffic, it is extensively employed by attackers to bypass the installed perimeter devices in the target network.
Proxy chaining
is a way of being anonymous on the Internet or to access information that is not accessible in your country/region. Though it wont make you 100% anonymous but still helps to protect your identity. Proxies are just ip address of different machines in different regions which passes your request and make the content available to you. -A user setup several proxies on his machine then he made a request on Internet from his own machine. Then the request will be sent to first proxy then second then third and when request reaches to last proxy it complete request and sent the data back to original machine. -A user can become absolute anonymous if he uses many proxies. As proxies are usually very slow then just to load a simple Web page it will take more than enough time you can give if you use many proxies.
Snort
is an open-source network intrusion detection system capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis and content searching/matching, and it is used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, and OS fingerprinting attempts.
Bastion Host
is designed for Defending the network against attacks. It acts as a Mediator Between inside and outside networks. This is a computer system designed and configured to protect network resources from attacks. Traffic entering or leaving the network passes through the firewall
Insertion Attack
is the process by which the attacker confuses the IDS by forcing it to Read Invalid Packets (i.e., the system may not accept the packet addressed to it). An IDS blindly trusts and accepts a packet that an end system rejects. If a packet is malformed or if it does not reach its actual destination, the packet is invalid. If the IDS reads an invalid packet, it gets confused. An attacker exploits this condition and inserts data into the IDS
Colasoft Packet Builder
is used to create custom network packets and fragmenting packets. Attackers use this tool to create custom malicious packets and fragment them such that firewalls cannot detect them. They can create custom network packets such as Ethernet Packet, ARP Packet, IP Packet, TCP Packet, and UDP Packet. Security professionals use this tool to check your network's protection against attacks and intruders.
Snort
network-based IDS; performs the following actions: Alert - Generate an alert using the selected alert method, and then log the packet Log - Log the packet Pass - Drop (ignore) the packet
defend against the polymorphic shellcode problem
nopopcode other than 0x90
A false positive
occurs if an event triggers an alarm when no actual attack is in progress. A false positive occurs when an IDS treats regular system activity as an attack. False positives tend to make users insensitive to alarms and reduce their reactions to actual intrusion events. While testing the configuration of an IDS, administrators use false positives to determine if the IDS can distinguish between false positives and real attacks or not.
Spam honeypots
specifically target spammers who abuse vulnerable resources such as open mail relays and open proxies. Basically, these consist of mail servers that deliberately accept emails from any random source from the Internet
polymorphic shellcode attack
these attacks include multiple signatures, making it difficult to detect the signature. Attackers encode the payload using some technique and then place a decoder before the payload. As a result, the shellcode is completely rewritten each time it is sent for evading detection.
Application-level firewall
these concentrate on the application layer rather than just the packets. The need for these firewall arises when huge amount of voice, video, and collaborative traffic are accessed at data-link layer and network layer utilized for unauthorized access to internal and external networks.
Dual-homed
these devices have two interfaces; a public interface that directly connected to the Internet and a private interface connected to the Intranet. It is a hardware requirement that either an IDS/IPS system or a proxy server must have in order to properly function. The bastion host is an exampleIt, it acts as a mediator between inside and outside networks. A bastion host is a computer system designed and configured to protect network resources from attack. Traffic entering or leaving the network passes through the firewall.