Identifying Advanced Attacks

MITM Attack vs Replay Attack

A Replay Attack - a more specific type of man-in-the-middle attack. MITM is a form of active interception or eavesdropping. An attacker can use a sniffer or protocol analyzer (such as Wireshark) to capture transmitted data. A wireless access point placed in a wireless closet and transmitting captured data to someone outside the building can be considered a man-in the middle attack I view the biggest difference in the intent. In the man-in-the-middle attack the intent is simply to capture the data, but in a replay attack the intent is to reuse the data in an attack.

Transitive Access and Client-Side Attacks

A client-side attack uses an application on the client computer, such as a web browser. A transitive access attack attempts to access a back-end server through another server. A SQL injection attack is an example of a transitive access attack that can bypass many other security controls. Example:. Homer is able to access the web server, and the web server is able to access the database server. However, even though Homer is not able to access the database server directly, he might be able to access the database server using transitive access via his web browser. All of the security controls provide a strong defense-in-depth strategy with several layers of security. However, they aren't enough. If the application on the web server isn't using input validation techniques, an attacker can use a SQL injection attack from the client side. The SQL injection attack uses transitive access to get to the database server through the web server. In addition to explaining a client-side attack using transitive access, this also provides a great reminder that security is never done. Network and database administrators have implemented a strong defense-in-depth strategy. However, if web application developers don't implement security controls such as input validation, attackers can bypass all of the security controls and access the data.

Cross-Site Request Forgery (XSRF)

A malicious website will send a request to a web application that a user is already authenticated against from a different website. This way an attacker can access functionality in a target web application via the victim's already authenticated browser. Targets include web applications like social media, in-browser email clients, online banking and web interfaces for network devices. XSRF causes users to perform actions on websites, such as making purchases, without their knowledge. In some cases, it allows an attacker to steal cookies and harvest passwords.

Pharming

A pharming attack is another type of attack that manipulates the DNS name resolution process. A pharming attack redirects a website's traffic to another website and can do so by modifying the hosts file on the user's system.

What is Directory Traversal?

A specific type of command injection attack that attempts to access a file by including the full directory path, or traversing the directory structure Example: In Unix systems, the passwd file includes user logon information, and it is stored in the /etc directory with a full directory path of /etc/passwd. Attackers can user commands such as ../../etc/passwd or /etc/passwd to read the file.

Rainbow Table Attack

A type of attack that attempts to discover the password from the hash, using Rainbow Tables, which are huge databases of precomputed hashes How to prevent "rainbow table attacks?" • Salting passwords is a common method of preventing rainbow table attacks, along with other password attacks such as dictionary attacks Passwords are typically stores as hashes. Salting adds random text to passwords before hashing them and thwarts many password attacks.

What are ways to thwart online password attacks such as dictionary and brute force attacks?

Account lockout policies thrwart online password attacks such as dictionary and brute force attacks that attempt to guess a password.

ARP DoS Atttack

An attacker can also use ARP poisoning in a DoS attack. For example, an attacker can send an ARP reply with a bogus MAC address for the default gateway. The default gateway is the IP address of a router connection that provides a path out of the network. If all of the computers cache a bogus MAC address for the default gateway, none of them can reach it, and it stops all traffic out of the network.

Integer Overflow Attack

An integer overflow attack attempts to create a numeric value that is too big for an application to handle. The result is that the application gives inaccurate results. Ex: An application reserves 8 bits to store a number. It can store any value between 0 and 255. If the application attempts to multiply two values such as 95 x 59, the result is 5605 -> cannot be stored in 8 bits >>>> causing integer overflow error Ex: An application expects a positive number, but instead receives a negative number. If the application doesn't have adequate error- and exception-handling routines, this might cause a buffer overflow error.

Arbitrary Code Execution/Remote Code Execution

Arbitrary code execution - refers to the ability of an attacker to execute commands or run programs on a target system Remote code execution - refers to the ability of an attacker to execute the code from a remote system Neither is desirable -> allows attackers to install and run malware on vulnerable systems Software bugs are the most common reason that arbitrary code execution and remote code execution is possible. >>> Keep systems up-to-date with current patches

What is LDAP injection?

Attackers are able to use LDAP injection attacks to query and modify account information in AD with LDAP commands

Cross-Site Scripting (XSS)

Attackers embed malicious HTML or JavaScript code into email or web site error messages. • If user responds to the email or error message, it executes the code • Many times, this gives the attacker access to user cookies or other information about the user • Attackers can manipulate tags to run malicious code • Attackers often embed cross-scripting code into comments on blog pages or forums when the page allow users to include HTML tags

Typo Squatting/URL Hijacking

Attackers purchase similar domain names in typo squatting attacks for various malicious purposes. Users visit the type squatting domain when they enter the URL incorrectly with a common typo. Ex: CompTIA hosts the comptia.org web site. If an attacker purchases the name comptia.org with a slight misspelling at the end of comptia, some users might inadvertently go to the attacker's web site instead of the legitimate web site.

Brute Force Attack

Attempts to guess all possible character combinations One of the best protection against offline Brute Force Attack -> to use complex passwords & Account lockout policies

Dictionary Attack

Attempts to use every word in the dictionary to see if it works These attacks are thwarted by using complex passwords >> complex password will not include words in a dictionary

Web servers are highly susceptible to what attacks?

Buffer overflow attacks SQL injection attacks

Buffer Overflow Attack

Buffer overflow attacks often include NOP instructions (such as x90) followed by malicious code. When successful, the attack causes the system to execute the malicious code.

Which is more vulnerable to input validation client-side or server-side?

Client side Input validation verifies the validity of inputted data before using it, and server-side validation is more secure than client-side validation.

What are ways to thwart offline password attacks?

Complex passwords thwart offline password attacks

DNS Poisoning Attack

DNS Poisoning Attack refers to the attack of the cache of the DNS server DNS poisoning attack attempts to modify or corrupt DNS results.

DNS Spoofing

DNS spoofing refers to the broad category of attacks that spoof DNS records. It is a category of attacks (an end goal of the attack, rather than a particular attack mechanism). There are many different ways to do DNS spoofing: •compromise a DNS server, mount a DNS cache poisoning attack (such as the Kaminsky attack against a vulnerable server), mount a man-in-the-middle attack (if you can get access to the network), guess a sequence number (maybe making many requests), be a false base station and lie about the DNS server to use, or DNS Poisoning attack by changing the cache on the DNS servers

DoS Attack

Denial of Service An attack launched from a single system and attempts to disrupt services

DDoS

Distributed Denial of Service DDoS attacks are DoS attacks from multiple computers. These attacks typically include sustained, abnormally high network traffic.

Explain Error and Exception Handling in relation to input validation

Error and exception handling routines are a part of input validation. They ensure that an application can handle an error gracefully. • They catch errors • Provide user-friendly feedback to the user Using effective error- and exception-handling routines protects the integrity of the underlying operating system. There are two important points about error reporting: • Errors to users should be general • Detailed information about the error should be logged.

What method is used to block a SYN Flood?

Flood guards protect against WYN flood attacks.

Flood Guards

Flood guards use a variety of different methods to protect against SYN flood attacks. • Firewalls and IDS include flood guards • Simple techniques to limit the success of a SYN flood attack • Flood guard appliances -> dedicated to detecting and blocking these attacks

Fuzzing

Fuzzing (AKA Fuss Testing) uses a computer program to send random data to an application. In some cases, the random data can actually crash the program or provide unexpected results, indicating a vulnerability. Security professionals use fuzz testing >>> To test systems and applications for vulnerabilities they can correct. Attackers use fuzzing >>> To find vulnerabilities they can exploit

SQL Injection Attack

In a SQL injection attack, the attacker enters additional data into the web page form to generate different SQL statements. Many SQL injection attacks use a phrase of Or '1' = '1' To create a true condition. Attackers use SQL injection attacks to pass queries to backend databases through web servers. Many SQL injection attacks use the phrase 'or '1'='1' -- to trick the database server into providing information. Input validation and stored procedures reduce the risk of SQL injection attacks.

ARP Man-in-the-Middle Attack

In a man-in-the-middle attack, an attacker can redirect network traffic, and in some cases insert malicious code via ARP Poisoning used to redirect traffic.

How to protect against directory traversal?

Input validation can prevent these type of attacks

How to prevent SQL injection attack?

Input validation provides strong protection against SQL injection attacks. Before using the data entered into a web form, the web application verifies that the data is valid. Use of stored procedures with dynamic web pages >>> protection against SQL injection attacks

Watering Hole Attack

It attempts to discover which web sites employees are likely to visit and then infects those websites with malware that can infect the visitors. Sometimes these malware redirect the users to malicious sites Sometimes the malicious site attempted to install a type of remote access tool (RAT)

ARP Poisoning Attack

It is an attack that misleads computers or switches about the actual MAC address of a system. ARP is very trusting -> It will believe any ARP replay packet. >>>>Thus: • Attackers can easily create ARP reply packets with spoofed or bogus MAC addresses and poison the ARP cache on systems in the network. • Two possible attacks from ARP poisoning are a man-in-the-middle attack and a DoS attack.

Birthday Attack

It is named after the birthday paradox in mathematical probability theory, stating that any random group of 23 people, there is a 50% change that 2 of them have the same birthday. How to prevent birthday attacks? • By increasing the number of bits used in the hash to increase the number of possible hashes • Ex: MD5 algorithm uses 128 bits and is susceptible to birthday attacks • Ex: SHA-2 can use as many 512 bits and it is not susceptible to birthday attacks

Zero-Day Attack

It is one that exploits undocumented vulnerability Many times, vendor isn't aware of the issue o At some point, vendor learns of the vulnerability and begins to write and test patch to eliminate it o However, until the vendor releases the patch, vulnerability is still a zero-day vulnerability

What is a "buffer overflow?"

It occurs when an application receives more input, or different input, than it expects. The result is an error that exposes system memory that would otherwise be protected and inaccessible Buffer overflow allows access to memory locations beyond the application's buffer -> enabling an attacker to write malicious code into this area of memory

How to prevent buffer overflow vulnerabilities?

Keep the systems up-to-date with current patches

What are the types of attack due to lack of input validation?

Lack of input validation -> most common security issues on web-based applications. It allows many different types of attacks, such as: o Buffer overflow o SQL injection o Command injection o Cross-site scripting attacks

XML Injection

Many databases use Extensible Markup Language (XML) for inputting or exporting data. XML provides formatting rules to describe the data. Databases use XPath as a query language for XML data. If an application accepts XML data without input validation and without stored procedures, it is susceptible to an XML injection attack similar to SQL injection attack. The attacker can insert additional data in an XML injection attack. >>> additional data creates XPath statements to retrieve or modify data

How to prevent header manipulation attacks?

Many web sites use dual authentication to prevent attacker from taking malicious action with the session ID

Session Hijacking Attacks

Mostly related to web browser issues • When a user logs on to a web site, the web site often returns a cookie with a session ID • In many cases, this cookie is stored on the user's system and remains active until the user logs off • If the user closes the session and returns to the web site, the web site reads the cookie and automatically logs the user on. >>> Vulnerability that can be exploited In a session hijacking attack: • The attacker learns the user's session ID >>> uses it to impersonate the user How does the attacker read the cookies (which has the session ID)? • Cross-site scripting attacks • Flash cookies

Password Attacks

Password attacks attempts to discover or by passwords used for authentication on systems and networks, and for different types of files. There are 2 generic categories: • Online password attacks • Offline password attacks

How to protect against XSS?

Primary protection against XSS attacks is at the web application with input validation techniques to block the use of HTML tags and JavaScript tags Tags are embedded within the < and > characters, so it's possible to block these tags by rejecting any text that includes these characters. It is important to educate users about the dangers of clicking links o Some XSS attacks send emails with malicious links within them

Replay Attack

Replay attacks capture data in a session with the intent of later impersonating one of the parties in the session. Timestamps and sequence numbers are effective countermeasures against replay attacks.

What method is used to block a Smurf Attack?

Smurf attacks are blocked by preventing routers from passing directed broadcasts, especially border routers with direct access to the Internet.

How to prevent Arbitrary Code Execution/Remote Code Execution attacks?

Software bugs are the most common reason that arbitrary code execution and remote code execution is possible. >>> Keep systems up-to-date with current patches

Header Manipulation Attacks

TCP/IP packages data into packets before sending them over a network. These packets have headers. TCP header includes port numbers to identify the protocol. IP header includes source and destination addresses. Headers include flags. Attackers can manipulate the flags within the headers to modify behavior. Ex: Attacker can modify the session ID within the packet >>> as in Session Hijacking Attack

SYN Flood Attacks

The SYN flood attack is a common attack used against servers on the Internet. They are easy for attackers to launch, difficult to stop, and can cause significant problems. • Disrupts the TCP Handshake process and can prevent legitimate clients from connecting • Never completes the handshake by NOT sending the ACK packet • The attacker sends a barrage of SYN packets, leaving the server with multiple half-open connections. o The half-open communications can consume a server's resources while it is waiting for the 3rd packet o Or, the server limits the number of half-open connections and won't accept any new connections, blocking connections from legitimate users.

What are the specific types of Offline Password Attacks?

The following are specific types of password attack: • Brute Force Attack • Dictionary Attack • Birthday Attack • Rainbow Table Attack • Hybrid Attacks

What is input validation?

The practice of checking data for validity before using it. Prevents an attacker from sending malicious code that an application will use by either sanitizing the input to remove malicious code or rejecting the input

How to prevent XSRF Attack?

The primary burden of protection from XSRF falls on the website developers. • Use of dual authentication • Force the user to manually enter credentials prior to performing actions • Expire the cookie after a short period, such as 10 min, preventing automatic logon for the user.

Hybrid Attack

This uses a combination of two or more attacks to crack a password. Ex: A dictionary attack can use a dictionary of words, but also combine it with a brute force attack by modifying the words.

What method is used to block a Replay Attack?

Timestamps and sequence numbers act as counermeasures against Replay attacks.

Explain the term "Avoiding Race Conditions"

When two or more modules of an application, or two or more applications, attempt to access a resource at the same time >>>> cause conflict called Race Condition Most database application have internal controls that avoid Race Conditions. Databases lock the records so that two entities cannot modify the same item at the same time.

Hash Attack

attack the hash of a password instead of the password

Man-in-the-Middle (MITM) Attack

• A form of active interception or active eavesdropping • It uses a separate computer that accepts traffic from each party in a conversation and forwards the traffic between the two. •The two computers are unaware of the MITM computer, and it can interrupt the traffic at will or insert malicious code.

Xmas Attacks

• A type of port scan used to identify underlying details on an operating system • Xmas attack goes farther than a typical port scan o Sets specific flags within the TCP packet header o Different OS respond to these flags in specific ways >>> Attackers can analyze the response and determine the OS of the remote system in addition to what ports are open.

Spoofing

• Occurs when one person or entity impersonates or masquerades as someone or something else. • May different types of attacks use spoofing

Smurf Attack

• Spoofs the source IP address and use a directed broadcast ping to flood victims with ping replies Smurf attacks typically use directed broadcasts to launch attacks through amplifying networks. Disabling directed broadcasts on routers mitigates the threat. It's especially important to ensure directed broadcasts are disabled on routers bordering on the Internet to ensure internal networks are not used as amplifying networks.

How to prevent MITM?

• Use of Kerberos • Kerberos - helps prevent MITM attacks with mutual authentication. • It doesn't allow a malicious system to insert itself in the middle of the conversation without knowledge of the other two systems.