CNT 2401 11.6 Analyzing Network Attacks
MAC spoofing
A MAC spoofing attack starts with the attacker scanning the network for valid MAC addresses. The attacker then sets their own interface's MAC address to match the gateway's and sends frames with that source address. The switch learns the gateway's MAC on the attacker's port and overwrites the entry in its CAM (MAC address) table with this new mapping, so frames that would normally go to the gateway are sent to the attacker's computer instead. Switch port security, which limits which (and how many) MAC addresses may appear on an access port, blocks this kind of relearning.
URL redirection attack
A URL redirection attack is very similar to a DNS poisoning attack in that the attacker's goal is to get the user to a different site than the one the user intends to visit. In this attack, the attacker uses social engineering and phishing emails to get the victim to click what looks like a legitimate link, but the link sends the victim to the attacker's malicious site. The goal is usually to get the victim to enter login credentials into the fake site so the attacker can steal them. The visible text of a link and its actual destination are independent, so the destination should be checked before the link is followed.
Distributed Denial of Service
A distributed denial of service (DDoS) attack is designed to bombard the target with more traffic or requests than it can handle, causing it to slow down or stop responding. A DDoS attack can target a network; specific applications or services; or even the systems used to monitor and control industrial operations (operational technology, OT). There are many different methods to pull off a DDoS attack. The following table explains the three main methods.
Command Shells
A shell provides an interface for users to access operating system functions and services. Shells are generally associated with command line interfaces, but they can have graphical interfaces too. Because these programs provide access to core operating system functions, an attacker who can run commands in a shell gets the same power as the user the shell runs as. Commands can be typed directly into the shell or run from a script. A script is a plain-text file containing the commands just as they would be typed in the shell; when the script is run, the commands are executed. Two of the most heavily used shells are PowerShell and Bash. The following table describes these two shell programs:
Man-in-the-Middle Attacks
A very common attack is the man-in-the-middle attack. In this attack, the attacker is positioned between two devices and intercepts the transmissions between them. For example, if a device sends its login information to a website, the attacker intercepts the transmission and steals the credentials. There are a variety of methods that can be used to perform a man-in-the-middle attack. The following table describes some of them.
The Address Resolution Protocol (ARP) poisoning
ARP is used to translate IP addresses into MAC addresses on a local network. ARP was designed for speed, not security: it has no authentication, and hosts accept replies they never asked for. It can be exploited by an attacker using ARP poisoning, also referred to as ARP spoofing. To perform an ARP poisoning attack, the attacker does the following:
- Scans the network to get a list of all connected devices.
- Selects two devices to intercept communication between. This is usually a computer and the router (default gateway).
- Sends forged ARP replies to both devices so that they update their ARP caches, mapping the other device's IP address to the attacker's MAC address.
The two devices then send all communication meant for each other to the attacker's computer, which forwards it on so that the victims notice nothing. A successful ARP poisoning attack allows the attacker to:
- Perform packet sniffing
- Carry out session hijacking attacks
- Alter the communications between the two devices
- Perform a denial of service attack by dropping the traffic instead of forwarding it
To limit the damage of ARP poisoning, use HTTPS (and other encrypted, authenticated protocols) whenever possible. Because HTTPS is encrypted and the server is authenticated by its certificate, the attacker cannot read or modify the data; at most they can see that a connection exists or block it. Encryption does not stop the poisoning itself, though. On the network side, Dynamic ARP Inspection on the switch, static ARP entries for critical hosts, and monitoring for IP-to-MAC changes are the controls that do.
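The steps above leave two traces a sniffer on the LAN can catch: an IP address whose MAC suddenly changes, and one MAC answering for several IP addresses. The script below, an added example that is not part of the original page, checks both over a constructed list of ARP replies with hypothetical addresses (192.168.1.1 as gateway, aa:aa:aa:aa:aa:aa as the attacker's NIC); the optional TRUSTED mapping is an assumed static baseline for hosts whose MAC should never change.

```python
"""ARP poisoning detection over a stream of ARP replies.

Added example for the ARP poisoning steps above; it is not from the original
page. The replies below are constructed sample data with hypothetical
addresses, standing in for what a sniffer on the LAN would capture.
"""
from collections import defaultdict

# Constructed sample: (sender_ip, sender_mac) from ARP replies seen on the LAN.
# 192.168.1.1 is the gateway, 192.168.1.10 the victim, aa:aa:... the attacker.
SAMPLE_ARP_REPLIES = [
    ("192.168.1.1", "00:11:22:33:44:55"),   # gateway, legitimate
    ("192.168.1.10", "66:77:88:99:aa:bb"),  # victim workstation, legitimate
    ("192.168.1.1", "aa:aa:aa:aa:aa:aa"),   # attacker claims the gateway IP
    ("192.168.1.10", "aa:aa:aa:aa:aa:aa"),  # attacker claims the victim IP too
    ("192.168.1.1", "00:11:22:33:44:55"),   # real gateway answers again
]

# Assumed static mapping for hosts whose MAC should never change.
TRUSTED = {"192.168.1.1": "00:11:22:33:44:55"}


def analyze_arp(replies, trusted=None):
    """Return alert strings for two poisoning indicators.

    1. An IP whose MAC differs from the trusted mapping (or from the first
       MAC seen for it) is reported as remapped.
    2. A MAC that claims more than one IP is reported, since the attacker's
       NIC answers for both ends of the conversation it wants to intercept.
    """
    ip_to_mac = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
    mac_to_ips = defaultdict(set)
    alerts = []
    for ip, mac in replies:
        mac = mac.lower()
        known = ip_to_mac.get(ip)
        if known is None:
            ip_to_mac[ip] = mac            # first sighting becomes the baseline
        elif known != mac:
            alerts.append(f"{ip} remapped from {known} to {mac}")
        mac_to_ips[mac].add(ip)
    for mac, ips in sorted(mac_to_ips.items()):
        if len(ips) > 1:
            alerts.append(f"{mac} claims {len(ips)} IPs: {', '.join(sorted(ips))}")
    return alerts


if __name__ == "__main__":
    for alert in analyze_arp(SAMPLE_ARP_REPLIES, TRUSTED):
        print("ALERT:", alert)
```

Run against the sample, the first legitimate replies produce nothing, the two forged replies each produce a "remapped" alert, and the attacker's MAC is reported for claiming two IPs. The baseline-on-first-sight rule means a poisoner who is already active when monitoring starts will be missed for any host not in the trusted mapping, which is why the gateway belongs in that table.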
Amplification DDoS
An amplification attack consumes the bandwidth between the victim and the internet, effectively cutting the victim off. DNS amplification attacks are a common example. The attacker sends a large number of small DNS queries to many open DNS resolvers with the source address spoofed to the victim's IP address. The resolvers send their responses, which are many times larger than the queries, back to the victim. Because each reply is much bigger than the request that triggered it, the attacker's own bandwidth is multiplied (the amplification factor), and the victim is quickly overloaded with data and unable to function.
Application layer DDoS
An application layer attack's goal is to exhaust the target's resources by overloading a specific program or service. For example, an attacker sends a large number of HTTP requests to a web server, causing it to repeatedly build and serve a web page. This method takes little effort by the attacker but quickly overwhelms the web server as it repeatedly loads the media files, including images, audio, and video. Because each request looks like ordinary user traffic, these attacks are harder to filter than raw packet floods.
Bash
Bash is a command shell and scripting language used in most Linux distributions and, as the default shell, in macOS versions prior to Catalina. Bash was released in 1989 and is still heavily used. When a command or script is executed, Bash reads settings such as the search path from environment variables. Since many web servers run Apache on Linux, malware can be written in Bash to attack these systems. A well-known vulnerability called Shellshock (CVE-2014-6271, disclosed in 2014) exploited a flaw in the way Bash imported function definitions from environment variables: any commands placed after the function body in the variable were executed as soon as Bash started. Because CGI web servers copy HTTP request headers into environment variables, an attacker could inject commands simply by sending a crafted header such as User-Agent.
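Two practical checks follow from the description above: does a request header carry the tell-tale function definition, and does the local Bash still execute what follows one? The script below is an added example, not from the original page; the request headers are constructed samples, and the local check is the widely circulated one-liner test (a function definition in an environment variable followed by an extra command) driven through subprocess.

```python
"""Shellshock indicators: spotting the payload in request headers and checking
the local Bash.

Added example for the Bash/Shellshock entry above, not from the original page.
The headers are constructed sample data; the local check is the well-known
one-liner test (a function definition in an environment variable followed by
an extra command), run through subprocess.
"""
import re
import subprocess

# A Shellshock payload starts with a Bash function definition "() { ... };"
# followed by the commands the attacker wants the CGI web server to run.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{[^}]*\}\s*;")

# Constructed request headers as a CGI-backed web server would export them
# into environment variables (HTTP_USER_AGENT, HTTP_COOKIE, ...).
SAMPLE_HEADERS = [
    ("User-Agent", "Mozilla/5.0 (X11; Linux x86_64) Firefox/100.0"),
    ("User-Agent", "() { :; }; /bin/bash -c 'cat /etc/passwd'"),
    ("Cookie", "() { ignored; }; echo; /bin/ping -c 1 198.51.100.9"),
    ("Referer", "http://example.com/index.html"),
]


def find_shellshock(headers):
    """Return the (name, value) headers that carry a Shellshock-style payload."""
    return [(name, value) for name, value in headers if SHELLSHOCK_RE.search(value)]


def local_bash_vulnerable():
    """True if the installed bash executes the command that follows an
    exported function body, False if it is patched, None if bash is absent."""
    env = {"PATH": "/usr/bin:/bin", "x": "() { :; }; echo VULNERABLE"}
    try:
        result = subprocess.run(["bash", "-c", "echo probe"], env=env,
                                capture_output=True, text=True, timeout=5, check=False)
    except (OSError, subprocess.SubprocessError):
        return None
    return "VULNERABLE" in result.stdout


if __name__ == "__main__":
    for name, value in find_shellshock(SAMPLE_HEADERS):
        print(f"payload in {name}: {value}")
    print("local bash vulnerable:", local_bash_vulnerable())
```

On a patched Bash the probe prints only "probe" and the function returns False; an unpatched one prints "VULNERABLE" as well. The header check is deliberately narrow (function definition immediately followed by a semicolon), which is the shape exploit traffic took; broaden it with care, since "() {" alone also appears in legitimate content.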
Domain Name System (DNS) Attacks
DNS is the system that translates human-readable names, such as the domain name in a website's URL, into IP addresses. Attackers can abuse DNS to redirect users, steal data, or perform other attacks. The following table explains some common DNS attacks:
DNS poisoning
DNS poisoning is a man-in-the-middle type of attack, although it can also be carried out from off the path by racing the legitimate answer. The attacker answers a DNS query from the user's resolver or browser before the real server does, sending back a forged response that usually redirects the user to the attacker's malicious site. The forged response is stored in the DNS cache (the resolver's cache, and the client's) for as long as its time to live (TTL) says it is valid. This means that every time the user enters the website URL during that period, the cached answer sends the user to the malicious site, and other users sharing the poisoned resolver are affected as well.
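What decides whether a forged answer is accepted is how carefully the resolver matches it to a query it actually sent. The model below is an added example, not from the original page: StubResolver is a hypothetical minimal resolver (not a real DNS implementation), and the names and addresses are constructed from documentation ranges. Passing no random generator models an old resolver with a fixed source port and sequential transaction IDs; passing one models the randomization that modern resolvers use.

```python
"""Why DNS cache poisoning works, and the check that defeats the easy version.

Added example for the DNS poisoning row above, not from the original page. The
names and addresses are constructed (documentation ranges), and StubResolver
is a hypothetical minimal resolver, not a real DNS implementation.
"""
import random


class StubResolver:
    """Keeps outstanding queries and accepts a response only if its
    transaction ID, destination port and question match one of them."""

    def __init__(self, rng=None):
        self.rng = rng              # None models an old resolver: fixed port, predictable IDs
        self.next_txid = 0
        self.pending = {}           # txid -> (qname, source_port)
        self.cache = {}             # qname -> (ip, ttl)
        self.rejected = 0

    def send_query(self, qname):
        if self.rng is None:
            txid, port = self.next_txid, 53
            self.next_txid += 1
        else:
            txid, port = self.rng.randrange(65536), self.rng.randrange(1024, 65536)
        self.pending[txid] = (qname, port)
        return txid, port

    def receive_response(self, txid, port, qname, ip, ttl):
        """Cache the answer if it matches a pending query, else drop it."""
        if self.pending.get(txid) != (qname, port):
            self.rejected += 1
            return False
        del self.pending[txid]
        self.cache[qname] = (ip, ttl)    # stays until ttl expires
        return True

    def lookup(self, qname):
        entry = self.cache.get(qname)
        return entry[0] if entry else None


LEGIT_IP, ATTACKER_IP = "203.0.113.10", "198.51.100.66"   # constructed


def simulate(randomized):
    """Race a forged answer against the real one; return what the cache holds."""
    resolver = StubResolver(random.Random(7) if randomized else None)
    txid, port = resolver.send_query("www.example.com")
    # Attacker guesses the values an unprotected resolver would use and gets
    # the forged answer in first, with a long TTL so it sticks.
    resolver.receive_response(0, 53, "www.example.com", ATTACKER_IP, ttl=86400)
    # The authoritative answer arrives a moment later with the true values.
    resolver.receive_response(txid, port, "www.example.com", LEGIT_IP, ttl=300)
    return resolver.lookup("www.example.com")


if __name__ == "__main__":
    print("fixed port, sequential IDs ->", simulate(randomized=False))
    print("random port and IDs        ->", simulate(randomized=True))
```

With fixed values the forged answer matches, is cached for a day, and the genuine answer that follows is discarded as unexpected; with randomized ID and port the attacker's guess is rejected and the real answer wins. Randomization only raises the cost of guessing, which is why DNSSEC validation (signed records) is the complete fix.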
MAC flooding
MAC flooding is an attack against a network switch. Network switches maintain a MAC (CAM) table that lists the MAC address of each connected device and the port it was learned on. The MAC table allows the switch to send frames only to the intended recipient's port. In a MAC flooding attack, the attacker sends a large number of Ethernet frames with different, usually random, source MAC addresses. The switch adds each new address to the MAC table until the table is full. Once it is full, the switch cannot learn new addresses, and as existing entries age out it no longer knows where those hosts are, so it begins sending frames for them out of all ports, just like a hub. An attacker can use a MAC flooding attack to:
- Carry out a denial of service attack against the switch
- Intercept and analyze frames that are now flooded to the attacker's port
- Perform further attacks such as ARP poisoning while the switch is in this fallback state
Port security, which limits the number of MAC addresses a port may learn, is the standard countermeasure.
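Both the MAC spoofing entry earlier on this page and the MAC flooding entry above come down to how a switch learns and forwards. The model below is an added example, not from the original page: the switch, its ports, the addresses and the tiny table capacity (16, standing in for the thousands of entries a real switch holds) are all constructed so the two effects are visible in a few lines.

```python
"""Switch MAC (CAM) table model showing MAC spoofing and MAC flooding.

Added example for the MAC spoofing and MAC flooding entries on this page; it
is not from the original page. The switch, ports and addresses are
constructed, and the tiny table capacity stands in for the thousands of
entries a real switch holds so that the overflow is visible.
"""
import random

BROADCAST = "ff:ff:ff:ff:ff:ff"


class Switch:
    def __init__(self, ports, capacity):
        self.ports = list(ports)
        self.capacity = capacity
        self.cam = {}          # mac -> port
        self.floods = 0

    def receive(self, in_port, src, dst):
        """Learn src on in_port, then return the ports the frame goes out of."""
        if src in self.cam or len(self.cam) < self.capacity:
            self.cam[src] = in_port          # learning: last seen wins, so a forged source overwrites
        if dst != BROADCAST and dst in self.cam:
            out = self.cam[dst]
            return [] if out == in_port else [out]
        self.floods += 1                     # unknown or broadcast destination: act like a hub
        return [p for p in self.ports if p != in_port]

    def age_out(self, mac):
        """Entries expire when a host goes quiet (typically after 300 s)."""
        self.cam.pop(mac, None)


GATEWAY, VICTIM, ATTACKER = "00:11:22:33:44:55", "66:77:88:99:aa:bb", "aa:aa:aa:aa:aa:aa"
GW_PORT, VICTIM_PORT, ATTACKER_PORT, SPARE_PORT = 1, 2, 3, 4


def fresh_switch(capacity=16):
    sw = Switch(ports=[GW_PORT, VICTIM_PORT, ATTACKER_PORT, SPARE_PORT], capacity=capacity)
    sw.receive(GW_PORT, GATEWAY, BROADCAST)     # switch learns the gateway ...
    sw.receive(VICTIM_PORT, VICTIM, BROADCAST)  # ... and the victim
    return sw


def demo_spoofing():
    """Return where victim->gateway frames go before and after the attacker
    sends one frame with the gateway's MAC as its source."""
    sw = fresh_switch()
    before = sw.receive(VICTIM_PORT, VICTIM, GATEWAY)
    sw.receive(ATTACKER_PORT, GATEWAY, VICTIM)           # forged source address
    after = sw.receive(VICTIM_PORT, VICTIM, GATEWAY)
    return before, after


def demo_flooding():
    """Let the victim's entry age out while the attacker floods random
    sources, then return where a gateway->victim frame goes."""
    sw = fresh_switch()
    sw.age_out(VICTIM)                                   # victim goes quiet for a while
    rng = random.Random(1)
    for _ in range(200):                                 # attacker fills every free slot
        fake = ":".join(f"{rng.randrange(256):02x}" for _ in range(6))
        sw.receive(ATTACKER_PORT, fake, BROADCAST)
    sw.receive(VICTIM_PORT, VICTIM, BROADCAST)           # victim returns but cannot be learned: table full
    return sw.receive(GW_PORT, GATEWAY, VICTIM)


if __name__ == "__main__":
    print("spoofing: victim->gateway egress before/after:", demo_spoofing())
    print("flooding: gateway->victim egress:", demo_flooding())
```

In the spoofing run the victim's frames for the gateway first leave port 1 and, after a single forged frame, port 3, the attacker's. In the flooding run the victim cannot be relearned once the table is full, so the gateway's frame for it is sent out of every other port, including the attacker's. Port security stops both cases at the same point: the switch refuses to learn a gateway MAC, or a fifteenth random MAC, on an access port.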
Macros
Macros are similar to scripts in that they are small pieces of code used to perform a series of steps or functions. Macros, however, run inside specific applications. Many programs can use macros, but the most common use is in the Microsoft Office programs. Microsoft Office programs use the Visual Basic for Applications (VBA) programming language to create and run macros. If the Office program is not configured properly, malicious VBA code (often in a macro that runs automatically when the document is opened) can start a shell on the Windows operating system, and that shell can be used to carry out attacks. In current versions of Microsoft Office, macros are disabled by default and, for files that came from the internet, blocked outright; a user must explicitly allow them to run.
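The pattern the entry above describes, a macro that runs itself on open and reaches for a shell, is easy to score once the VBA source has been pulled out of the document (olevba from the oletools project does that extraction). The triage below is an added example, not from the original page; the two macro bodies are constructed samples, and the encoded PowerShell string in the malicious one is only an illustrative placeholder.

```python
"""Triage VBA macro source for auto-execution plus shell launch.

Added example for the Macros entry above, not from the original page. The
two macro bodies are constructed samples (the encoded PowerShell string is
just an illustrative placeholder), standing in for VBA extracted from a
document with a tool such as olevba.
"""
import re

# Procedures Office runs without the user doing anything beyond opening the file.
AUTO_EXEC = re.compile(r"\b(AutoOpen|Auto_Open|Document_Open|Workbook_Open|AutoExec|Auto_Close)\b", re.I)
# Ways of leaving the application and running something on the host.
SHELL_USE = re.compile(r"(WScript\.Shell|\bShell\s*\(|\bCreateObject\b|powershell|cmd\.exe|URLDownloadToFile|\.Run\b)", re.I)
# String-building calls that hide the real command from keyword scans.
OBFUSCATION = re.compile(r"\b(Chr|ChrW|StrReverse|Xor)\b", re.I)

MALICIOUS_VBA = """Sub AutoOpen()
    Dim sh As Object
    Set sh = CreateObject("WScript.Shell")
    sh.Run "powershell -nop -w hidden -enc SQBFAFgA", 0
End Sub
"""

BENIGN_VBA = """Sub FormatReport()
    ActiveSheet.Range("A1").Font.Bold = True
End Sub
"""


def triage_vba(source):
    """Return which indicator groups fire and a verdict. A macro that runs
    itself on open and reaches for a shell is the classic malicious pattern."""
    hits = {
        "autoexec": sorted({m.group(0) for m in AUTO_EXEC.finditer(source)}),
        "shell": sorted({m.group(0) for m in SHELL_USE.finditer(source)}),
        "obfuscation": sorted({m.group(0) for m in OBFUSCATION.finditer(source)}),
    }
    if hits["autoexec"] and (hits["shell"] or hits["obfuscation"]):
        verdict = "suspicious"
    elif hits["shell"] or hits["obfuscation"]:
        verdict = "review"
    else:
        verdict = "benign"
    hits["verdict"] = verdict
    return hits


if __name__ == "__main__":
    for label, src in (("malicious", MALICIOUS_VBA), ("benign", BENIGN_VBA)):
        print(label, triage_vba(src))
```

The malicious sample fires on AutoOpen together with CreateObject, WScript.Shell, .Run and powershell and is marked suspicious; the formatting macro fires on nothing. Keyword scoring is a first pass only: a macro that assembles "WScript.Shell" from Chr() calls escapes the shell group, which is exactly why the obfuscation group counts on its own.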
PowerShell
PowerShell is a management framework that Microsoft developed to replace Command Prompt and give users more power and control over the Windows system. PowerShell is built on the .NET framework and can now run on multiple operating systems, including macOS and Linux. PowerShell uses cmdlets to execute commands. Cmdlets are small commands that each perform a specific function; some replace older commands and provide more advanced options. Users can combine cmdlets into scripts to automate tasks and configure just about anything in Windows. Malicious PowerShell scripts pose a major security threat. A script can be passed on the command line (often Base64-encoded with the -EncodedCommand option) or downloaded and executed directly in memory with Invoke-Expression, so it never exists on disk as an executable file. Malware that works this way is known as fileless malware and is especially dangerous because many anti-virus programs, which scan files, are unable to detect it. PowerShell script block logging and the Antimalware Scan Interface (AMSI) exist to expose such scripts at the point where they run.
Python
Python has become one of the most popular programming languages. First released in 1991, Python is designed to be easy to learn and read. It can be used on most operating systems, including Windows, macOS, and Linux, and it can take advantage of a large ecosystem of open-source packages and repositories. Many Remote Access Trojans (RATs) are written in Python. Python makes it easy to import libraries that allow the RAT to perform functions such as:
- Taking screenshots
- Enabling the webcam and viewing it remotely
- Making web requests
- Making phone calls
Python also makes it very simple to develop malicious code that can run on many different systems and devices, including Android devices. One of the main drawbacks to using Python for malware is size: a Python program needs the interpreter, so a self-contained package is much larger than an equivalent compiled program. Also, Python must be installed on a system for a Python script to run. Most Linux distributions include it, as did older macOS versions, but Windows does not come with it installed. Python scripts can fairly easily be bundled with an interpreter into a Windows-compatible executable, though.
Domain/IP reputation attack
Security firms track a domain's activities to determine whether it is being used for malicious activity, such as sending spam email or taking part in a botnet (a network of zombie computers) that performs denial of service (DoS) attacks. Either activity degrades the domain's reputation. A negative domain reputation can cause the domain to be put on a block list that many security programs use to identify sites to block and prohibit users from visiting. Domain reputation attacks, in which an attacker makes a victim's domain or IP address appear malicious so that its legitimate email and websites get blocked, can be extremely devastating to an organization.
Protocol DDoS
The attacker can also target weaknesses in network protocols, such as the TCP handshake, to overload network devices such as firewalls and servers. A SYN flood attack is a common example of this method:
- The attacker sends a large number of SYN packets with spoofed source IP addresses.
- The victim responds to each with a SYN-ACK packet, but it goes to the spoofed address, and the victim never receives the final ACK.
- The victim keeps each half-open connection in memory, waiting for the response to complete the 3-way handshake.
- Eventually the victim's connection table fills up and it can no longer accept legitimate connections.
SYN cookies, which let a server avoid storing state until the handshake completes, are the standard defence.
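Seen from the victim, the amplification and SYN flood methods above each have a simple signature: SYN-ACKs that are never acknowledged, and DNS replies for which no query was ever sent. The analysis below is an added example, not from the original page; the packet records are constructed (addresses from documentation ranges) and model what a capture at the victim would contain during both attacks at once.

```python
"""Spot SYN-flood and DNS-amplification traffic in a packet sample.

Added example for the amplification and protocol DDoS methods above; it is
not from the original page. The packet records are constructed (addresses
from documentation ranges) and model what a capture at the victim would show.
"""

VICTIM = "203.0.113.5"          # constructed victim address

# Packet record: (proto, src_ip, dst_ip, src_port, dst_port, tcp_flags, length_bytes)
PACKETS = [
    # One legitimate client completes the three-way handshake.
    ("tcp", "198.51.100.7", VICTIM, 40000, 443, "S", 60),
    ("tcp", VICTIM, "198.51.100.7", 443, 40000, "SA", 60),
    ("tcp", "198.51.100.7", VICTIM, 40000, 443, "A", 52),
    # The victim asks its own resolver a question and gets a normal answer.
    ("udp", VICTIM, "203.0.113.53", 51000, 53, "", 70),
    ("udp", "203.0.113.53", VICTIM, 53, 51000, "", 120),
]
# SYN flood: 50 spoofed sources send SYN, get a SYN-ACK, and never finish.
for i in range(50):
    spoofed = f"192.0.2.{i + 1}"
    PACKETS.append(("tcp", spoofed, VICTIM, 1000 + i, 443, "S", 60))
    PACKETS.append(("tcp", VICTIM, spoofed, 443, 1000 + i, "SA", 60))
# Amplification: 20 open resolvers answer queries the victim never sent,
# each 3000-byte reply triggered by a ~70-byte query the attacker spoofed.
for i in range(20):
    PACKETS.append(("udp", f"198.51.100.{100 + i}", VICTIM, 53, 33000 + i, "", 3000))


def half_open_connections(packets, victim):
    """Count connections where the victim sent SYN-ACK but never got the ACK."""
    state = {}          # (client_ip, client_port, victim_port) -> handshake stage
    for proto, src, dst, sport, dport, flags, _ in packets:
        if proto != "tcp":
            continue
        if dst == victim and flags == "S":
            state[(src, sport, dport)] = "syn"
        elif src == victim and flags == "SA" and state.get((dst, dport, sport)) == "syn":
            state[(dst, dport, sport)] = "synack"
        elif dst == victim and "A" in flags and state.get((src, sport, dport)) == "synack":
            state[(src, sport, dport)] = "established"
    return sum(1 for stage in state.values() if stage == "synack")


def unsolicited_dns(packets, victim):
    """Return (count, bytes) of DNS replies with no matching query from the victim."""
    asked = set()       # (resolver_ip, victim_source_port) for queries the victim sent
    count = total = 0
    for proto, src, dst, sport, dport, _, length in packets:
        if proto != "udp":
            continue
        if src == victim and dport == 53:
            asked.add((dst, sport))
        elif dst == victim and sport == 53 and (src, dport) not in asked:
            count += 1
            total += length
    return count, total


if __name__ == "__main__":
    print("half-open connections:", half_open_connections(PACKETS, VICTIM))
    print("unsolicited DNS replies (count, bytes):", unsolicited_dns(PACKETS, VICTIM))
```

The sample yields 50 half-open connections against one completed handshake, and 20 unsolicited DNS replies totalling 60,000 bytes against a single legitimate answer. Both numbers are what a threshold alert should key on: half-open count relative to completed handshakes for the SYN flood, and inbound port-53 bytes with no outbound query for amplification. A stateless firewall sees neither, because every packet is individually well formed.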
Email hijacking
The hacker compromises the target's email account and is able to monitor and gather information.
DNS spoofing
The hacker modifies a website's record on the DNS server. The user attempts to go to that website but is instead redirected to the hacker's malicious site.
IP address spoofing
The hacker forges the source IP address of packets so that they appear to come from a trusted host. The recipient believes it is communicating with the originally specified IP address, so trust decisions such as address-based access rules are made in the hacker's favour, and the communication can be diverted.
SSL hijacking
The hacker presents forged certificates or keys to both the user and the application/server. Each side believes it is talking directly to the other, but all communication is going through the hacker, who can decrypt, read and re-encrypt it. Certificate validation on the client is what stops this, which is why users should not click through certificate warnings.
HTTPS spoofing
The hacker uses a website name that looks similar to a real site, possibly with a valid HTTPS certificate for that lookalike name, so the padlock icon alone gives no warning. For example, www.testout.com could be replaced with www.test0ut.com.
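Catching www.test0ut.com before a user does is a matter of comparing the name against the sites you care about after undoing the substitutions attackers rely on. The classifier below is an added example, not from the original page, and it also applies to the phishing links in the URL redirection section: the protected list, the confusable-character table, the hostnames and the similarity threshold are all constructed assumptions, and registrable() is a deliberate simplification of what the Public Suffix List does properly.

```python
"""Classify a hostname against a list of protected domains to catch
lookalikes.

Added example for the HTTPS spoofing row above (and the phishing links in the
URL redirection section); not from the original page. The protected list,
the confusable-character table and the test hostnames are constructed.
"""
import unicodedata
from difflib import SequenceMatcher

PROTECTED = ["testout.com", "example.com"]        # the sites we care about (assumed)

# Substitutions attackers use: digits that read as letters, plus letter pairs
# that look like one letter in many fonts ("rn" for "m", "vv" for "w").
DIGIT_MAP = str.maketrans("01357", "olest")


def registrable(host):
    """Last two labels of the name. Simplification: a real implementation
    uses the Public Suffix List so that names like example.co.uk work."""
    return ".".join(host.lower().strip(".").split(".")[-2:])


def skeleton(label):
    """Reduce a label to the shape a reader perceives."""
    text = unicodedata.normalize("NFKD", label.lower())
    text = "".join(c for c in text if not unicodedata.combining(c))   # strip accents
    return text.replace("rn", "m").replace("vv", "w").translate(DIGIT_MAP)


def classify(host, protected=PROTECTED):
    host = host.lower().strip(".")
    reg = registrable(host)
    if reg in protected:
        return "legitimate"
    for good in protected:
        if f".{good}." in f".{host}.":        # brand used as a subdomain of another domain
            return "brand in subdomain"
    sld = reg.split(".")[0]
    for good in protected:
        good_sld = good.split(".")[0]
        if skeleton(sld) == skeleton(good_sld):
            return "homoglyph lookalike"
        if SequenceMatcher(None, sld, good_sld).ratio() >= 0.8:   # threshold is an assumption
            return "typosquat"
    return "unrelated"


if __name__ == "__main__":
    for name in ("www.testout.com", "www.test0ut.com", "login.testout.com.evil.test",
                 "tesout.com", "tèstout.com", "github.com"):
        print(f"{name:32} {classify(name)}")
```

The page's own example, www.test0ut.com, comes back as a homoglyph lookalike because its skeleton equals that of testout.com; login.testout.com.evil.test is caught by the brand-in-subdomain check even though every character is genuine; a dropped letter falls to the typosquat threshold. The skeleton step is where to invest: production confusable tables (Unicode's confusables.txt) cover far more than five digits.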
Wi-Fi eavesdropping
This is also known as an evil twin attack. The hacker sets up a wireless network with the same name as a legitimate one and tricks users into connecting to it in order to monitor and manipulate the data packets flowing across the wireless network.
Browser cookie theft
This is also known as session hijacking. When a user logs into a website, a session cookie is generated. The hacker intercepts the session cookie and can access the user's website account without knowing the password. Marking session cookies Secure and HttpOnly keeps them off plaintext connections and out of reach of scripts.
DNS hijacking
To carry out a DNS hijacking attack, the attacker needs to gain access to the DNS records of a website. A variety of techniques can be used to gain that access, including:
- Phishing attacks against the people who manage the domain
- Social engineering of the registrar or DNS provider
- Exploiting a vulnerability in the domain name registrar
With access to the DNS records, the attacker can change a record to redirect the URL. This means that when attempting to go to the legitimate site, the user is redirected to the attacker's malicious site. The attacker can also transfer the domain to another registrar or perform other malicious activities. Registrar locks and multi-factor authentication on the registrar account are the controls that make this harder.