CNA 210 | Ch. 5, Networking & Server Attacks


burned

A MAC address is permanently ______ into a network interface card (NIC), so that there is no means of altering the MAC address on a NIC.

Trojan

A MITB attack usually begins with a ______ infecting the computer and installing an "extension" into the browser configuration. The extension is then launched upon browser activation.

man-in-the-browser (MITB)

A ___ attack intercepts communication between parties to steal or manipulate data. Specifically, this type of attack seeks to intercept and then manipulate communication between a web browser and the security mechanisms of the computer.

Denial of Service (DoS)

A ___ attack is a deliberate attempt to prevent authorized users from accessing a system. This is done by overwhelming a system with such a ludicrously high number of fake requests that the system becomes incapable of responding to legitimate ones.

man-in-the-middle (MITM)

A ____ attack is when a person intercepts a legitimate communication and forges a fictitious response to the sender. In a network-based scenario, a threat actor will insert themselves into a conversation between two parties to gain access to information being sent by both parties.

smurf

A ____ attack is when an attacker broadcasts a network request to multiple computers, but changes the address from which the request came to the victim's computer. This makes it appear as if it is asking for a response. Each computer then sends a response to the victim's computer, quickly overwhelming the device.

cross-site request forgery (XSRF)

A ____ attack uses the user's web browser settings to impersonate the user. If a user is authenticated on a website and is somehow tricked into loading another page, the new page inherits the identity and privileges of the victim to perform an undesired function on the attacker's behalf.

replay

A _____ attack makes a copy of a legitimate transmission before sending it to the recipient. This copy is then used at a later time.

session token

A ________ is a random string assigned to an online interaction between a user and the web application being accessed.

name system; symbolic name

A ___________ allows computers on a network to be assigned both numeric addresses and more friendly human-readable names composed of letters, numbers and special symbols, called a ______________.

buffer overflow

A ____________ attack occurs when a process attempts to store data in RAM beyond the boundaries of a fixed-length storage buffer. This extra data runs over into the adjacent memory locations.

add-ons

A category of tools that adds functionality to web browsers is called _______. These add a greater degree of functionality to the entire browser and not just a single webpage.

Hypertext Transport Protocol (HTTP)

A client's web browser makes a request using ____ to a web server, which may be connected to one or more web application servers.

SQL injection

A common injection attack called ____________ inserts statements to manipulate a database server.

C. makes a copy of the transmission for use at a later time

A replay attack ______. A. can be prevented by patching the web browser B. is considered to be a type of DoS attack C. makes a copy of the transmission for use at a later time D. replays the attack over and over to flood the server

1000

A well-known site like Google.com may have to deal with more than ____ typo squatting domains.

MAC spoofing

ARP poisoning relies upon ____________ (or imitating another computer by means of changing the MAC address).

University of California, LA; Stanford Research Institute; University of California, Santa Barbara; University of Utah

ARPAnet was completed in 1969 and linked together single computers located at each of four different sites; each of these connections was only 50 Kbit/s. Name at least three of the four sites used. (Possible bonus question)

SYN flood

An _______ attack takes advantage of the procedures for initiating a session. The attacker sends segments in IP packets to computer addresses that do not exist or cannot be reached. The server will continue to "hold the line open", waiting for a valid response (which is never coming), while receiving more false requests and keeping more lines open for responses.

integer overflow

An ______________ is the condition that occurs when the result of an arithmetic operation, like addition or multiplication, exceeds the maximum size of the integer type used to store it.

ARP poisoning

An attack which targets a stored MAC address in a software ARP cache is known as _____________.

top-level domains (TLDs)

At one point ___ were limited to .com, .org, .net, .int, .gov and .mil, so it was fairly easy to register close-sounding domain names.

IP spoofing

Attackers use ____________ to mask the fact that Methbot traffic is generated by servers and not users.

D. URL Hijacking

Attackers who register domain names that are similar to legitimate domain names are performing ______. A. Address resolution B. HTTP Manipulation C. HTML squatting D. URL Hijacking

zero-pixel IFrame

Clickjacking often relies upon threat actors who craft a ______________. These are virtually invisible to the naked eye, making it easier to overlay a button in a webpage.

C. substitutes DNS addresses so that the computer is automatically redirected to another device

DNS poisoning _________. A. floods a DNS server with requests until it can no longer respond B. is rarely found today due to the use of host tables C. substitutes DNS addresses so that the computer is automatically redirected to another device D. is the same as ARP poisoning

It occurs on "big-name" websites, luring users into a false sense of security. Website owners generally have no knowledge of the malicious advertisements on their site. Ad networks rotate content quickly, meaning only some visitors become infected, making it difficult to determine if malvertising was actually the source of an attack. Because targeted advertising serves ads according to a user's interests or geographic location, threat actors are able to narrowly target their victims.

Describe at least two of the advantages for an attacker when using malvertising.

integer overflow

During an ______________ attack an attacker changes the value of a variable to something outside the range that the programmer had intended.

URL hijacking; typo squatting

Fake sites that have similar/close spelling to widely used sites, in an attempt to get users to click on malicious content, are called _____________ or _______________.

clickjacking

Hijacking a mouse click is called ____________, when the user is tricked into clicking a link that is other than what it appears to be.

/etc/; Windows\System32\drivers\etc

Host tables are found in the ____ directory in UNIX, Linux and Mac OS, and are located in the _____________________ directory in Windows. (Another possible bonus)

'[a]' = '[a]'

In SQL _____ is a statement that will always be true.

[whatever]'

In SQL, ___ means this can be anything meaningless.

cross-site scripting (XSS)

In a ___ attack, the threat actor takes advantage of web applications that accept user input without validating it before presenting it back to the user.

bitsquatting

In addition to registering names that are similar to the actual names, threat actors are now registering domain names that are one bit different, which is called _____________.

Address Resolution Protocol (ARP)

In order for a host using TCP/IP on an Ethernet network to find the MAC address of another device based on the IP address, it uses ___.

Distributed Denial of Service (DDoS)

Instead of only a single computer making a fake request, a ____ attack involves hundreds or even tens of thousands of devices flooding a server with requests.

200 million to 300 million; $5 million

It is estimated that threat actors sell between _________ and ___________ false ads each day at 1.3 cents per view, which generate up to _________ dollars a day in revenue.

B. XSS

John was explaining about an attack that accepts user input without validating it and uses that input in a response. What type of attack was he describing? A. SQL B. XSS C. XSRF D. DDoS DNS

XSS; eavesdropping; guessing

List the three ways listed in chapter 5 that a threat actor may use to steal a session token.

.xyz; .top; .loan; .win

List three of the most popular new TLDs being used today.

TrueView

Many pre-rolls support a video format called _______ that allows users to skip the ad after five seconds, yet almost half of all viewers watch the entire pre-roll ad.

Java; Adobe Flash Player; Apple QuickTime; Adobe Acrobat Reader

Name three of the most widely used plug-ins for web browsers.

A. Privilege escalation

Newton is concerned that attackers could be exploiting a vulnerability in software to gain access to resources that the user normally would be restricted from accessing. What type of attack is he worried about? A. Privilege escalation B. Session replay C. Scaling exploit D. Amplification

D. Host table and external DNS server

Olivia was asked to protect the system from a DNS poisoning attack. What are the locations she would need to protect? A. Web server buffer and host DNS server B. Reply referrer and domain buffer C. Web browser and browser add-on D. Host table and external DNS server

web applications

On the global Internet, a web service provides services that are implemented as _____________ through software running on the server.

script

One method for adding dynamic content is for a web server to download a _____ or a series of instructions in the form of computer code that commands the browser to perform specific actions.

75

One report found that almost __ percent of DoS attack victims also saw at least one security incident at the same time as the DoS attack. This may indicate that DoS attacks often serve as decoys to divert attention away from other attacks.

vertical

One type of privilege escalation, sometimes called _______ privilege escalation, is when a user with a lower privilege uses escalation to grant herself access to functions reserved for higher-privilege users.

Unknown; Server Failure

Regarding an SQL injection, if the message "E-mail Address ________" is displayed, it indicates that user input is being properly filtered and a SQL attack cannot be rendered on the site. However, if the error message "______________" is displayed, it means that the user input is not being filtered and all user input is sent directly to the database.

20

Security found that __ percent of a sample of 433 registered attack domains were the result of bitsquatting.

cross-site; injection

Several different web server application attacks target the input from users. These can be grouped into two categories: _________ attacks and __________ attacks.

DNS amplification

Similar to a smurf attack, a ______________ floods an unsuspecting victim by redirecting valid responses to it. With this method, publicly accessible and open DNS servers are used to flood a system with DNS response traffic. In addition, attackers often craft the DNS name lookup request so that it returns all known information about a DNS zone in a single request, which drastically increases the volume of data being sent/received.

phishing

Some security experts note that XSS is like a _________ attack, but without needing to trick the user into visiting a malicious website. Instead, the user starts at a legitimate website and XSS automatically directs them to the malicious site.

or

The SQL __ means that as long as either of the conditions are true, the entire statement is true and will be executed.

return address

The _____________ is not the only element that can be altered in a buffer overflow attack, but it is one of the most commonly altered elements.

825,000; $285 million

The cost of typo squatting is significant because of the large number of misspellings. In one month the typo squatting site goggle.com received almost ______ unique visitors. It is estimated that typo squatting costs the 250 top websites __________ annually in lost sales and other expenses.

HTML5

The most recent version of HTML known as _______ standardizes sound and video formats so that plug-ins like Flash are no longer needed.

ARPAnet

The predecessor to today's Internet was the network _______.

hijacking

The word _________ means to illegally seize, commandeer, or take control over something to use for a different purpose.

Same origin

This JavaScript defense restricts a JavaScript downloaded from site A from accessing data that came from site B.

Methbot

Threat actors manipulate the pre-roll auction process to earn ad revenue that is directed back to them. Attackers have created essentially a "robo-browser" called _______ that spoofs all the necessary interactions needed to initiate, carry out, and complete the ad auction.

True

True or False? A valid method of combating replay attacks is using timestamps in ALL messages and to also reject any messages that fall outside of a normal window of time.

False. There are no authentication procedures to verify ARP requests and replies.

True or False? ARP poisoning is successful because the authentication procedures to verify ARP requests and replies are easily manipulated.

True

True or False? During a DNS amplification attack, a threat actor may also craft the DNS name lookup request to return all known information about a DNS zone in a single request. This drastically increases the volume of data being sent/received and can lead to the victim being overwhelmed much more quickly.

False. It is more difficult for standard anti-malware software to detect it.

True or False? Fortunately, MITB software resides exclusively within the web browser, making it easier than typical for standard anti-malware software to detect and remove.

True

True or False? MITB malware can be selective as to which websites are targeted; an infected MITB browser might remain dormant for months until triggered by the user visiting a targeted site.

True

True or False? One of the most common ways to steal a user's session token is by using an XSS attack.

False. Overflow attacks can target either a server or a client.

True or False? Overflow attacks can target a server but not client devices.

False. Plaintext passwords should NEVER be stored in a database. Millions of user passwords have been stolen this way.

True or False? Plaintext passwords should not generally be stored in a database, but it is however acceptable when proper security measures are implemented prior to the storing of passwords.

True

True or False? The Chinese government uses DNS poisoning to prevent Internet content that it considers unfavorable from reaching its citizenry.

True

True or False? The malicious content of an XSS URL is not confined to material posted on a website; it can be embedded into virtually any hyperlink, such as one in an email or even in a text message.

False. It uses scripting that originates on one site (the web server) to impact another site (being viewed by the user).

True or False? The term cross-site scripting refers to an attack using scripting that originates on a threat actor's device to impact a website being accessed by the user.

pre-roll

Upon clicking on a video, users will often first see a short (10-15 second) advertising video called a _______.

Java is a programming language, while JavaScript is a scripting language. Java creates programs that run in a virtual machine or browser, while JavaScript code is run on a browser only. Java code needs to be compiled, while JavaScript is all in text.

What are some key differences between Java and JavaScript?

Limit capabilities; Sandboxing; Same origin

What are the three defenses for protecting your computer while using JavaScript?

local host table; external DNS server

What are the two locations where DNS poisoning can be done?

Accepts user input without validating it; the input is used in a response

What are the two pieces of criteria needed on a website for an XSS attack to be initiated?

B. A random string assigned by a web server

What is a session token? A. XML code used in an XML injection attack B. A random string assigned by a web server C. Another name for a third-party cookie D. A unique identifier that includes the user's email

Poisoned ad attack

What is the alternate name for malvertising?

C. To insert SQL statements through unfiltered user input.

What is the basis of an SQL injection attack? A. To expose SQL code so that it can be examined. B. To have the SQL server attack client web browsers. C. To insert SQL statements through unfiltered user input. D. To link SQL servers into a botnet.

B. DoS attacks use fewer computers than DDoS attacks.

What is the difference between a DoS and a DDoS attack? A. DoS attacks are faster than DDoS attacks. B. DoS attacks use fewer computers than DDoS attacks. C. DoS attacks do not use DNS servers as DDoS attacks do. D. DoS attacks use more memory than a DDoS attack.

A. Privilege escalation

What kind of attack is performed by an attacker who takes advantage of the inadvertent and unauthorized access built through three succeeding systems that all trust one another? A. Privilege escalation B. Cross-site attack C. Horizontal access attack D. Transverse attack

active scripting

What setting can be turned off in browsers to reduce the risk of XSS? Note that this limits a user's ability to use dynamic websites.

C. MITM

What type of attack intercepts legitimate communication and forges a fictitious response to the sender? A. SIDS B. Interceptor C. MITM D. SQL intrusions

B. Malvertising

What type of attack involves manipulating third-party ad networks? A. Session advertising B. Malvertising C. Clickjacking D. Directory traversal

Domain Name System (DNS); domain name resolution

When TCP/IP was developed, the host table concept was expanded to a hierarchical name system for matching computer names and numbers known as the ___, which is the basis for the _____________________ of names to IP addresses used today.

B. Reformat the web application server's hard drive

Which action cannot be performed through a successful SQL injection attack? A. Discover the names of different fields in a table B. Reformat the web application server's hard drive C. Display a list of customer telephone numbers D. Erase a database table

B. Man-in-the-browser (MITB)

Which attack intercepts communications between a web browser and the underlying computer? A. Man-in-the-middle (MITM) B. Man-in-the-browser (MITB) C. Replay D. ARP poisoning

D. Session hijacking

Which attack uses the user's web browser settings to impersonate that user? A. XDD B. XSRF C. Domain hijacking D. Session hijacking

C. Plug-ins

Which of the following adds new functionality to the web browser so that users can play music, view videos, or display special graphical images within the browser? A. Extensions B. Scripts C. Plug-ins D. Add-ons

D. Push flood

Which of these is not a DoS attack? A. SYN flood B. DNS amplification C. Smurf attack D. Push flood

D. Traditional network security devices ignore the content of HTTP traffic, which is the vehicle of web application attacks.

Which statement is correct regarding why traditional network security devices cannot be used to block web application attacks? A. The complex nature of TCP/IP allows for too many ping sweeps to be blocked. B. Web application attacks use web browsers that cannot be controlled on a local computer. C. Network security devices cannot prevent attacks from web resources. D. Traditional network security devices ignore the content of HTTP traffic, which is the vehicle of web application attacks.

B. They have introduced vulnerabilities in browsers.

Why are extensions, plug-ins, and add-ons considered to be security risks? A. They are written in Java, which is a weak language. B. They have introduced vulnerabilities in browsers. C. They use bitcode. D. They cannot be uninstalled.

Structured Query Language (SQL)

___ is a language used to view and manipulate data that is stored in a relational database.

IFrame (short for inline frame)

_____ is an HTML element that allows for embedding another HTML document inside the main document.

Static; Dynamic

_______ content is information that does not change, such as text and pictures viewed through a web browser. __________ content changes, such as animated images or customized information.

Extensions

________ expand the normal capabilities of a web browser for a specific webpage. Most are written in JavaScript so that the browser can support dynamic actions.

Poisoning

________ is the act of introducing a substance that harms or destroys a functional living organism. These types of attacks inject a malicious substance into a normal network process to facilitate an attack.

Horizontal

________ privilege escalation is a type of escalation where a user with restricted privileges accesses the different restricted functions of a similar user.

Java applet

_________, a separate program written in Java, is stored on the web server and then downloaded onto the user's computer along with the HTML code, or other simple tasks very quickly because the user's request does not have to be sent to the web server for processing and returned; instead, all processing is done on the local computer by this.

JavaScript

_________ is the most popular scripting code. As this code cannot create separate "stand-alone" applications, the code instructions are embedded inside HTML documents.

Sandboxing

___________ is permitting JavaScript to run only in a restricted environment. This can limit what computer resources it has access to and what actions it's able to take.

Malvertising

____________ is when a threat actor promotes themselves as a reputable third-party advertiser on a well-known site while distributing their malware through the ads. An ad containing the malware will redirect visitors who receive it to the attacker's webpage, which then downloads a Trojan or ransomware onto the user's computer.

DNS poisoning

____________ substitutes a DNS address so that the computer is automatically redirected to another device. Whereas ARP based attacks substitute a fraudulent MAC address for an IP address, this attack substitutes a fraudulent IP address for a symbolic name.

Domain hijacking

_____________ occurs when a domain pointer that links a domain name to a specific web server is changed by a threat actor. By doing this, a threat actor gains access to the domain control panel and redirects the registered domain to a different physical web server.

Session hijacking

______________ is an attack in which an attacker attempts to impersonate the user by using her session token.

Privilege escalation

_________________ is exploiting a vulnerability in software to gain access to resources that the user normally would be restricted from accessing.

