Chapter 4 - Types of Attacks
Reasons for a hacker success with social engineering
1. Authority 2. Intimidation 3. Consensus/social proof 4. Scarcity 5. Urgency 6. Familiarity/liking 7. Trust
Other Password Attack Terms
1. Collision 2. Downgrade 3. Replay 4. Weak implementation
Popular Network Attacks
1. Denial of Service (DoS) 2. Distributed Denial of Service (DDoS) 3. Spoofing 4. Eavesdropping/Sniffing 5. Replay 6. Man-in-the-Middle 7. DNS Poisoning 8. Domain Hijacking and Man-in-the-Browser 9. Pass the Hash 10. ARP Poisoning 11. Amplification 12. Span 13. Privilege Escalation 14. Port Scanning Attacks 15. Other Network Attacks
Types of Password Attacks
1. Dictionary Attack 2. Brute-Force Attack 3. Hybrid Attack
Impersonation scenarios for social engineering
1. Hacker impersonates administrator. 2. Hacker impersonates user. 3. Hacker impersonates management.
Popular social engineering attacks
1. Impersonation 2. Phishing 3. Shoulder Surfing and Dumpster Diving 4. Tailgating 5. Hoaxes 6. Whaling and Vishing
Popular password-auditing and -cracking tools
1. LC4 2. Cain & Abel 3. NAT 4. Brutus 5. John the Ripper
Preventing Network Attacks (1)
1. Make sure that you have physical security controls to ensure that unauthorized individuals cannot get access to the facility in order to connect to the network. 2. Implement security features on your switches, such as disabling unused ports on the switches. If a port is disabled, it cannot be used when the hacker tries to connect to the unused port. 3. Implement the port security feature on the switches; that is, when a port is enabled, you associate a specific MAC address with the port. This will ensure that someone cannot disconnect one workstation from the switch and replace it with an unauthorized system.
Examples of programs that can spoof packets
1. Nemesis 2. Hping2 3. Macchanger
Other network attacks
1. Pharming 2. Spim 3. Spear phishing 4. Antiquated protocols 5. Session hijacking 6. Null sessions 7. Domain name kitting 8. Malicious insider threat 9. Transitive access (attack) 10. Client-side attacks
Popular Application Attacks
1. SQL Injection 2. Buffer Overflow 3. Cross-Site Scripting 4. Cross-Site Request Forgery 5. Dictionary Traversal/Command Injection
Examples of packet-sniffing software
1. Wireshark 2. tcpdump 3. airodump-ng
Popular commands to replay traffic
1. tcpreplay: A Linux command used to replay traffic stored in the capture file created by tcpdump: tcpreplay output.txt -i eth0 2. aireplay-ng: A Linux command used to replay wireless traffic on the network captured with the airodump-ng command.
Preventing Network Attacks (2)
4. Keep you system up to date with patches so that you are not vulnerable to known exploits. Update the firmware on your network hardware, such as switches and routers. 5. Make all employees aware of different types of attacks, such as vishing, pharming, spam, and spim.
Exam Watch
An offline password attack is when the hacker copies the user account database from your system to a flash drive and takes it away with them in order to do the password cracking. In this example, the password attack will not be stopped because there is no password policy or account lockout policy at the hacker's location.
tcpdump
A Linux command used to capture network traffic to a file that can then be reviewed or replayed on the network. The following command captures all traffic on Ethernet interface eth0 and writes the data to file named output.txt: tcpdump -v -i eth0 -w output.txt
Nemesis
A Linux packet-crafting program that creates different types of packets such as ARP or TCP packets.
Hping2
A Linux packet-crafting program that is used to create ping packets that use TCP instead of ICMP packets. Hping2 is useful to bypass a firewall that is blocking ICMP traffic: hping2 -c 3 -s 53 -p 80 -S 192.168.2.200
airodump-ng
A Linux program used to capture wireless traffic that can be replayed later. The following command captures traffic on a wireless network using the network card wlan0 writes the information to a file named wepfile: airodump-ng -c 11 -w wepfile -bssid 00:11:22:33:44:55 wlan0
XMAS scan
A packet is sent to each port with PSH, URG, and FIN flags set in the packet. The term XMAX scan comes from the fact that you have three of six flags enabled, which is like turning on a bunch of lights on a Christmas tree! It is also called an XMAS attack.
Password Attacks
A password attack is an attempt by a hacker to figure out the passwords for user accounts stored on the system. Password attacks are also known as cryptographic attacks.
Replay
A password replay attack is when the hacker eavesdrops on a conversation and captures the password hash being sent from a client system to the server. Once the hacker has the hash value, they then use that to impersonate the original client and access the server.
Macchanger
A popular Linux program used to modify your MAC address on the system. Macchanger is a common program used by hackers to spoof their MAC address in order to gain access to the wireless network: macchanger --mac 11:22:33:44:55:66 wlan0
Replay
A replay attack starts as a sniffing attack because the hacker first must capture the traffic that they wish to replay. The hacker then resubmits the traffic onto the network (replays it) later. The hacker may alter the traffic first and then replay it, or the hacker may simply be replaying traffic to generate more traffic. Example, a hacker replaying traffic is with wireless hacking. To be able to crack the encryption of a wireless network, the hacker has to capture a large amount of traffic.
3. Spear phishing
A type of phishing (form social engineering attack) where the e-mail message sent is spoofed and looks like it comes from a trusted source such as a fellow employee. The e-mail message tries to get the recipient to divulge sensitive information.
Cain & Abel
A very functional password-cracking program. The benefit of this tool is it is a free download and can capture passwords on the network and crack those passwords with dictionary or brute-force attacks.
John the Ripper
A very popular dictionary and brute-force cracker that runs on Windows or Linux.
LC4
A very popular password-auditing tool that can be used to access user passwords on a Microsoft network. It can do dictionary, brute-force, and hybrid attacks against the passwords.
ARP poisoning
ARP is a protocol that converts the IP address to the MAC address and then stores the IP and corresponding MAC address in memory on the system. This area of memory is known as the ARP cache. ARP poisoning involves the hacker altering the ARP cache on a system, or group of systems, so that all systems have the address of the default gateway. Typically, the hacker will poison the ARP cache so that the default gateway IP address (your router's IP address) points to the hacker's MAC address. This will ensure that every time a system tries to send data to the router, it will retrieve the hacker's MAC address from the local ARP cache and then send the data to the hacker's system instead of to the router.
NAT
The NetBIOS Authentication Tool is a small program that allows you to do a dictionary attack against a Windows system.
Familiarity/liking
The hacker may use a friendly tone and be very sociable, which makes the victim tend to like them and want to help.
10. Client-side attacks
Client-side attacks are attacks on a system through vulnerabilities within the software on a client system. Many client-side attacks come from Internet applications such as web browsers and messenger applications.
1. Denial of Service (DoS)
DoS attack involves the hacker overloading a system with requests so that the system is so busy servicing the hacker's requests that it cannot service valid requests from other client. For example, a hacker could overload a web server with numerous network requests, making the web server unable to send the web pages to customers in a timely manner. This typically results in the customer going to a different site to get adequate service. With DoS attack, the attacker could be causing the target network to perform slowly, or the hacker could crash the victim's system, causing it to be unavailable.
Exam Watch
For the exam, know that social engineering attacks involve the hacker trying to trick someone into compromising security through social contacts such as a phone call or e-mail message.
Collision
Hashing protocols are known to create collisions, which is when two different pieces of data create the same hash value.
3. Hacker impersonate management
If the hacker knows the name of personnel on the management team, the hacker may call employees within the company and impersonate management team. The hacker will ask the unsuspecting employee to perform actions that will essentially compromise the security of the systems or the environment so that the hacker can gain access later.
Domain Hijacking and Man-in-the-Browser
It involves the hacker taking over a domain name from the original registrant. The hacker may hijack the domain by using social engineering techniques to gain access to the domain name and then switch ownership, or the hacker could exploit a vulnerability on the systems that host the domain name to gain unauthorized access to the domain registration. A man-in-the-broswer (MITB) attack is a form of man-in-the-middle (MITM) attack where the browser contains a Trojan that was inserted via an add-in being loaded or script executing within the browser. The Trojan at this point can intercept any data the user inputs into the browser and alter it before sending it to the destination server. Examples of MITB Trojans are Zeus and SpyEye.
Social Engineering
It involves the hacker trying to trick an employee into compromising security through social contact such as a phone call or e-mail message. Hacker will act as if they need help, exploiting the fact that most people will offer help. The hacker is just trying to collect information to help them perform an attack later.
Dictionary Attack
It involves the hacker using a program that has a list of popular usernames in one text file and a list of words in a language dictionary that are to be tried as passwords in another file. The dictionary file normally contains all of the words in a language and can be download from the Internet. The benefit of this attack from a hacker's point view is it is a very fast and efficient type of attack because all it does is read the contents of a file - there is no mathematical calculation needed on the part of the password-cracking software. The disadvantage of this attack is that most passwords today are complex passwords in the sense that they require letters, numbers, and symbols.
Hybrid Attack
It involves the password-cracking software using dictionary file, but after the software tries a word from the dictionary file, it then tries to modify the word. Example, the cracking software will place numbers after the word and possibly to replace characters. (After the word "house" the software will add "house1", "house2" and so on)
Brute-Force Attack
It involves using the password-cracking software to mathematically calculate every possible password. Normally, the hacker would configure the password-cracking software with requirements such as the number of characters and whether to use letters, number, and symbols. The benefit of this attack from the hacker's point of view is that it is very effective - it will crack the passwords on a system if it has enough time to do so. The disadvantage of this attack is the time it takes to complete it. Due to large number of possible passwords, it could take years for the password crack to complete!
Pass the Hash
It is a hacking technique used to access networks that use Microsoft NT LAN Manager (NTLM) as their authentication protocol. With pass the hash, the hacker accesses a remote server by providing the NTLM hash instead of the plain-text password for a user account. The benefit of this type of attack from a hacker's perspective is that the hacker does not need to crack the user passwords; they can simply pass the hash value of the password, which can be obtained using many tools, such as L0phtCrack version 4.0 (LC4).
Privilege Escalation
It is a popular attack that involves someone who has user-level access to a system being able to elevate their privileges to gain administrative access to the system. It occurs due to a vulnerability within software running on the system or within the operating system itself. Keep the system and application patched in order to remove any known vulnerabilities, which will help prevent privilege escalation.
Dumpster Diving
It is a popular attack where the hacker goes through the victim's garbage looking for documents or information that could facilitate an attack. The hacker might find information that can help them perform a social engineering attack through a phone call or an in-person discussion, or the hacker could simply locate a password someone wrote down and threw in the garbage.
Birthday Attacks
It is a type of attack performed on hashing functions. It has been found that if you try enough data input, you will find that two different data inputs generate the same hash value. This is known as a birthday attack because the theory is based on the fact that when you select a large, random group of people, you will have people with duplicate birth dates.
Brutus
It is a unique in the sense that it can encapsulate the password attack through different Internet application such as HTTP, FTP, POP3, and Telnet.
Known-plaintext attack
It is also called KPA for short. With this attack, the hacker knows the plaintext value of a password (known as the crib) and the corresponding encrypted version (known as ciphertext). With this information, the hacker can then work on figuring out the encryption keys and other passwords.
Tailgating
It is another important social engineering attack, but it is more of an attack against physical security. Tailgating is when the hacker walks through a secure area by closely following an authorized person who has unlocked the door using their swipe card or pass code. The hacker may strike up a conversation with the person they are tailgating in order to distract the employee from the fact that the hacker (actually, we call someone who compromises physical security an intruder) has entered the facility without swiping their card or entering their own PIN number. To control tailgating, use mantrap.
Note about spoofing
It is important to note that the hacker may spoof a frame or a packet in order to bypass an access list. For example, most wireless networks implement MAC filtering, where only certain MAC addresses are allowed to access the wireless network. Once the hacker finds out what MAC addresses are allowed on the network, they then spoof their MAC address to look like one of those addresses. A hacker may also spoof the IP address to bypass a filter on a router that only allows traffic from specific IP addresses to pass through the router.
Trust
It is in our nature to trust people who appear to be in need of help.
Spam
It is sending the same unsolicited e-mail message to a number of people. Spam messages are typically sent in hopes that the receiver of the spam message will buy a product or service from the sender of the message. Most e-mail servers now have spam filters in place that help protect the system from receiving a large number of unsolicited e-mail messages.
Wireshark
It is the leading network analyzer that runs on many different platforms, including Windows and Linux.
Amplification
It is the process of increasing the strength of a signal so that communication can occur. A hacker may amplify the signal on their wireless card so that they can reach greater distances with wireless. The hacker may need to be physically close to a network in order to connect to that network if they have amplified their signal. From a security point of view, you should lower the power on your wireless access point to force someone to be close to your access point in order to connect (inside the facility)
6. Null sessions
It is when someone connects to a Windows system without providing any credentials. Once the person connects to the system, they can enumerate the system if it has not been secured. Through enumeration, the hacker may be able to collect the users, groups, and shared folder list. The following command is used to create a null session with a Windows system: net use \\10.0.0.1\ipc$ "" /u:""
8. Malicious insider threat
It is when someone inside the company purposely destroys or discloses company data. The malicious insider threat could also be someone who performs fraudulent activities (deterrents against which include leveraging the concepts of rotation of duties and least privilege).
5. Session hijacking
It is when the hacker kicks one of the parties out of the communication and impersonates that person in the conversation. The hacker typically disconnects one of the parties via a denial of service attack.
Shoulder Surfing
It is when the hacker tries to view confidential information or information that may help attacker compromise security by looking over employees' shoulders to view information either on their desk or on the computer screen.
2. Distributed Denial of Service (DDoS)
It is when the hacker uses many systems to perform the attack, which helps the hacker create a large number of requests. With a DDoS attack, the hacker first compromises and takes control of many systems and then uses those systems to help with the attack. The compromised systems are known as zombie systems because they have not mind of their own and will do whatever the hacker tells them to do. Example, the smurf attack involved the hacker sending ping (ICMP) messages to many systems, but also spoofing the source IP address of the packets so that they appeared to come from the intended victim. All of the systems would then send their ICMP replies to the victim system, overburdening it with traffic and causing it to crash.
9. Transitive access (attack)
It occurs when a user receives a hyperlink to another Windows shared folder and clicks the hyperlink. This forces the user's system to pass the Windows user account credentials to the remote system to try to authenticate. The problem is that if the hacker is using a sniffer and password cracker, they can then try to crack the account password.
Exam Watch
Know that password complexity is the countermeasure to a dictionary attack, while an account lockout policy is a countermeasure to a brute-force attack.
1. Authority
Most of the time the hacker impersonates a person of authority, which makes the victim believe they should do what the hacker says.
Identifying Network Attacks
Network attacks have also become very popular and occur on a daily basis.
Note about password policy and account lockout
One thing to understand about your password policy and account lockout policy is that they do not have any effect if the hacker is performing an offline password attack.
Online Vs. Offline
Password attacks can be either online or offline. Online attack, the hacker is trying to crack the password against the live system. The problem with this is that the hacker risks getting detected and locking out the accounts. If the hacker can get a copy of the user account database on a flash drive, the hacker can then take that away with them and try to crack the passwords offline.
Weak implementation
Passwords can be encrypted to protect the plaintext value, but sometimes the encryption is not performed in the best way possible. Example, the Windows passwords are hashed in the SAM database, but they are broken into two 7-character hashes. This allows the hacker to determine very easily if someone has a password of less than eight characters because the last part of the password hash would be the same for all of those passwords.
1. Pharming
Pharming is a term some people use for an attack on DNS or the hosts file that leads an individual to the wrong web site.
DNS poisoning
Poisoning with computers is the concept that someone goes into an environment and purposely places incorrect setting into it in order to disrupt the environment. Popular example, DNS poisoning and ARP poisoning. DNS poisoning is when the hacker compromises a DNS server and poisons the DNS entries by having the DNS names point to incorrect IP addresses. Often, the hacker will modify the DNS records to point to the hacker's system - this will force all traffic for that DNS name to the hacker's system.
Scarcity
Scarcity is when the attack comes in the form of an e-mail, web site, or even a call, where the hacker makes you feel you need to click the order link now as you have a limited amount of time to take advantage of the great deal!
Exam Watch
Security training and awareness are the only ways to prevent social engineering attacks.
2. Spim
Spim gets its name from "Spam with instant messaging" and is often written as "spIM" Typically, instant messenger IDs are learned by the hacker using a bot (a piece of software crawling across the Internet looking for IM login names). The bot then sends the user an instant message asking the user to click the hyperlink sent.
Spoofing
Spoofing is a type of attack where the hacker alters the source address of information to make the information look like it is coming from a different person. * Spoofing is sometimes referred to as refactoring. Types of spoofing: 1. IP Spoofing 2. MAC spoofing 3. E-mail spoofing
Exam Watch
Spoofing is the altering of the source address to make the information look like it came from someone else. IP spoofing and MAC spoofing are popular methods used by hackers to bypass filters placed on firewalls and wireless networks.
SYN scan (half-open scan)
The TCP connect scan is easily detected on a network because of the three packets sent between the hacker and the system being scanned, so the SYN scan was created. With SYN scan, the hacker sends a SYN message but doesn't send the ACK as the third phase of the three-way handshake after receiving an ACK/SYN from the victim's system. The goal here is to avoid detection by creating less traffic. This scan is also known as a half-open scan or a stealth scan
1. Hacker impersonates administrator.
The hacker calls a user and impersonates the network administrator. The hacker (posing as the administrator) tries to trick the user into compromising security by asking the user to do things such as changing their password or giving away account information. The hacker also may ask the user questions about the general setup of the systems.
2. Hacker impersonates user
The hacker calls the network administrator pretending to be a frustrated user. The hacker will pretend they do not remember their password or how to get onto the system. An unaware administrator may help the hacker (acting as a frustrated user) gain access to the system by resetting a password and guiding them through the process of gaining access.
Eavesdropping/Sniffing
The hacker captures network traffic and is able to view the contents of the packets traveling along the network. The packets may contain sensitive information such as credit card numbers or usernames and passwords. You learned that a network switch filters traffic and sends only the data to the port on the switch where the destination system resides. This type of filtering helps protect against eavesdropping because it essentially takes the opportunity away from the hacker to capture network traffic. However, the hacker can poison the MAC address table on the switch with bogus entries so that the switch stops trusting the MAC address table and then starts flooding all frames to all ports - resulting in the hacker now receiving a copy of all traffic!
7. Domain name kiting
The hacker obtains a domain name for free by using the five-day grace period that is allowed. At the end of the five-day grace period, they cancel the name and then get it free again for another five days. They continue doing this to get the name for free.
TCP connect scan
The hacker performs a TCP three-way handshake with each port on the system. The concept is that if the hacker can do a three-way handshake with a port, then the port must be open.
Port Scanning Attacks
The hacker runs software on the network that does a port scan against the system, which indicates to the hacker what ports are open. Once the hacker finds out what ports are open, they can then try to exploit the ports to gain access to the system. Types of port scans: 1. TCP connect scan 2. SYN scan (half-open scan) 3. XMAS scan
Urgency
The hacker usually has a sense of urgency in the e-mail or voice that makes the victim feel they should fix the problem right away, so the victim doesn't really think of the security impact.
3. Consensus / social proof
The hacker usually presents some facts known to the victim (and hacker) to act as proof that what the hacker is saying is true and can be trusted.
Shoulder Surfing and Dumpster Diving
The key thing to remember about social engineering attacks is they typically do not involve technology. Example of social engineering attacks that do not involve technology are shoulder surfing and dumpster diving.
Impersonation
The most popular scenario for social engineering attacks is when the hacker impersonates (pretends to be) another employee in the organization.
Preventing Social Engineering Attacks
The only way to protect yourself and organization employees is through training and awareness. Make sure that as part of your training and awareness program you educate employees on the popular scenarios for social engineering attacks. Ensure that you have a method - known to all employees - to validate anyone who calls stating they are the network administrator and asking employees to change their password.
2. Intimidation
The victim may be intimidated by the message the hacker is relaying, so the victim does exactly what the message says.
4. Antiquated protocols
They are protocols that were developed without security in mind and that typically now have a secure version to replace it. Examples, most protocols in the TCP/IP protocol suite, such as HTTP, FTP, SMTP, and POP3.
Rainbow Tables
They are used to speed up the process of performing a brute-force attack. Recall that brute-force attacks can take a very long time. To speed the process up, the hacker can generate rainbow tables, which is a file generated that contains all mathematically possible passwords based on criteria given by the rainbow table generator. Rainbow tables are beneficial when the hacker is performing the attack because the calculations are already in the table (file); the hacker is simply reading a file. So the hacker gets the complexity of a brute-force attack, but the speed of a dictionary attack.
Preventing Password Attacks
To prevent dictionary attacks, you must implement a strong password policy and require users to use complex passwords. Implementing password complexity will not protect your systems from brute-force attacks, so you must implement an account lockout policy to protect your systems from them. If you use an account lockout policy, after a certain number of bad logons the account is locked out and cannot be used until the administrator unlocks it.
Vishing
Vishing tries to trick people and steal money from them. The difference with vishing, the contact is made with a phone call instead of an e-mail message. The term vishing comes from the fact the hacker is using "voice" and "phishing" techniques.
Whaling
Whaling attacks are similar to phishing attacks in that the goal is to send an e-mail to trick someone into giving out their account name and password to sites masquerading as a bank or eBay. But Whaling differs in that instead of sending an e-mail to everyone, the hacker sends the e-mail to a specific person ("the big fish") who may have a lot to lose from the attack. The whaling victim is usually an executive for a company, and the hacker typically obtains their name from the company web site and personalizes the e-mail using the name of the executive.
Downgrade
When creating passwords for environments using older clients, the software may allow you to implement password downgrade, which is a feature where the product stores two versions of the password. Each version of the password would use different algorithms to store the password in a secure manner.
Hoaxes
When it comes to security, make sure you educate your users about e-mail hoaxes. E-mail hoaxes are e-mail messages that users receive giving a false story and asking the user to take some type of action. For example, the hoax could say a certain file is causing a serious flaw in the operating system. The e-mail could tell the reader they should delete the file, but in reality there is nothing wrong with the file, and it may be needed for information on important features of the operating system.
E-mail spoofing
When the "from" address of an e-mail message has been altered so that the e-mail looks like it comes from someone else. This is normally used in a social engineering attack.
IP spoofing
When the source IP address of a packet is altered so that it appears as if the packet comes from a different source.
MAC spoofing
When the source MAC address of a frame is altered so that it appears to have come from a different system or device.
Phishing
With a phishing attack the hacker e-mails a user and pretends to be a representative from a bank or a company such as eBay. The e-mail tells the user that a security incident has occurred and that the user should click the link provided in the e-mail to navigate to the site and check their account status. For example, the e-mail looks like it is coming from the security officer for a bank, asking the user to follow the link provided and log in to the bank site to check their account. In this example, the hyperlink that the use is tricked into clicking navigates to a site that the hacker set up to look like the bank site. The hacker is waiting for the user to try to log on with their account number and password so they can capture it and then store it in a database.
Man-in-the-Middle (MITM)
With an MITM, the hacker inserts himself in the middle of two systems that are communicating. For example, when User 1 sends data to User 2, the information is actually sent to the hacker first, who then forwards the information to User 2.
On the Job!
You can use password-cracking tools to assess the complexity of passwords on your network, but remember that hacking is illegal - no matter what the reason. Be sure to obtain permission from upper-level management (in writing) before you run any of these tools in a production environment.
Exam Watch
You should know the different types of password attacks.
Exam Watch
know that tailgating is when someone tries to slip though the door behind you after you unlock it. Also know that mantraps are popular security controls to help protect against tailgating.