SECURITY + SPOOFING AND POISONING 5.2


HTTP (Session) Hijacking

A real-time attack in which the attacker hijacks a legitimate user's cookies and uses them to take over the HTTP session.

ARP Spoofing

ARP spoofing (also known as ARP poisoning) uses spoofed ARP messages to associate a different MAC address with an IP address. ARP spoofing can be used to perform a man-in-the-middle attack as follows:

1. When an ARP request is sent by a client for the MAC address of a device, such as the default gateway router, the attacker's system responds to the ARP request with the MAC address of the attacker's system.
2. The client receives the spoofed ARP response and uses that MAC address when communicating with the destination host. For example, packets sent to the default gateway are sent instead to the attacker.
3. The attacker receives all traffic sent to the destination host. The attacker can then forward these packets on to the correct destination using its own MAC address as the source address.

ARP spoofing can also be used to perform Denial of Service (DoS) attacks by redirecting communications to fake or non-existent MAC addresses.
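The sequence above is easiest to recognise from the defender's side: step 1 produces an ARP reply that claims the gateway's IP with a MAC the network has never seen for it. The following Python program is an added example, not part of the study set. It parses raw Ethernet/ARP frames (constructed inline, with placeholder MAC and IP addresses) and raises an alert whenever a reply binds an already-known IP to a different MAC.

```python
"""Detect ARP spoofing by tracking IP-to-MAC bindings carried in ARP replies.

Added example, not from the original study set. Frames are built inline;
all addresses are placeholders.
"""
import struct

ETH_TYPE_ARP = 0x0806
ARP_REQUEST = 1
ARP_REPLY = 2


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def build_arp_frame(op, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet header + 28-byte ARP body (hw type 1, proto 0x0800, hlen 6, plen 4)."""
    eth = target_mac + sender_mac + struct.pack("!H", ETH_TYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    arp += sender_mac + sender_ip + target_mac + target_ip
    return eth + arp


def parse_arp(frame: bytes):
    """Return (opcode, sender MAC, sender IP) for an ARP frame, else None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_TYPE_ARP:
        return None
    op = struct.unpack("!H", frame[20:22])[0]
    return op, mac_str(frame[22:28]), ip_str(frame[28:32])


class ArpWatcher:
    """Record the first MAC seen claiming each IP; flag later replies that disagree."""

    def __init__(self):
        self.bindings = {}  # ip -> mac
        self.alerts = []    # (ip, previously seen mac, conflicting mac)

    def observe(self, frame: bytes):
        parsed = parse_arp(frame)
        if parsed is None or parsed[0] != ARP_REPLY:
            return None  # non-ARP, or a request: carries no binding claim
        _, mac, ip = parsed
        known = self.bindings.get(ip)
        if known is None:
            self.bindings[ip] = mac
            return None
        if known != mac:
            alert = (ip, known, mac)
            self.alerts.append(alert)
            return alert
        return None


# Constructed sample traffic; all addresses are placeholders.
GATEWAY_MAC = bytes.fromhex("aabbccddee01")
ATTACKER_MAC = bytes.fromhex("aabbccddee99")
CLIENT_MAC = bytes.fromhex("aabbccddee10")
GATEWAY_IP = bytes([192, 168, 1, 1])
CLIENT_IP = bytes([192, 168, 1, 10])

SAMPLE_FRAMES = [
    # genuine reply from the gateway answering the client's request
    build_arp_frame(ARP_REPLY, GATEWAY_MAC, GATEWAY_IP, CLIENT_MAC, CLIENT_IP),
    # attacker's reply claiming the gateway's IP with its own MAC (step 1 above)
    build_arp_frame(ARP_REPLY, ATTACKER_MAC, GATEWAY_IP, CLIENT_MAC, CLIENT_IP),
]


def run_detection(frames=SAMPLE_FRAMES):
    """Feed frames through the watcher and return the list of conflicts found."""
    watcher = ArpWatcher()
    for frame in frames:
        watcher.observe(frame)
    return watcher.alerts


if __name__ == "__main__":
    for ip, old, new in run_detection():
        print(f"ALERT: {ip} was {old}, now claimed by {new}")
```

The first-seen-wins table is itself a weakness if the attacker's reply arrives before the legitimate one, so in practice the gateway binding should be seeded from a trusted source (DHCP snooping or an inventory) rather than learned from the wire; the conflict logic stays the same.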

Reconnaissance

Actions taken to gather information for an attack.

Man-in-the-Middle Attack

An attack that intercepts information passing between two communication partners.

Session-Based Attack

An attack that takes over the TCP/IP session or captures information that can be used at a later date.

Replay Attack

An attack that uses a protocol analyzer or sniffer to capture authentication information going from the client to the server and then uses this information to connect at a later time and pretend to be the client.

ARP Spoofing or ARP Poisoning

An attack that uses spoofed ARP messages to associate a different MAC address with an IP address.

IP Spoofing

An attack where IP address information is changed within a packet to amplify or redirect responses to a victim.

Null Session

An attack where a connection is made using a blank username and password; the connection is then used to discover information about the system.

Domain Hijacking

An attack where an attacker gains access to the domain control panel itself and reconfigures the domain name to point toward another web server.

DNS Poisoning

An attack where malicious or misleading data that incorrectly maps hostnames and IP addresses is sent to a name server.

Domain Name Kiting

An attack where spammers exploit domain registration by taking advantage of the five-day grace period for a newly registered domain name.

MAC Spoofing

An attack where the MAC address of a valid host currently in the MAC address table of a switch is spoofed so that frames are redirected to the attacker.

TCP/IP (Session) Hijacking

An extension of a man-in-the-middle attack where the attacker steals an open and active communication session from a legitimate user.

To mitigate DNS reconnaissance attacks:

Configure your DNS servers to only accept queries for zone transfers from specific hosts. Secure zone transfer data using IPSec or a VPN tunnel.

Common methods of spoofing

IP Spoofing
MAC Spoofing
ARP Spoofing

Countermeasures for TCP/IP (Session) Hijacking include using:

IPSec or other encryption protocols
Certificate authentication
Mutual authentication
Randomizing sequencing mechanisms
Packet time stamps
Packet sequencing
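The last three countermeasures (randomized sequencing, time stamps and sequence tracking) are what defeat the replay attack defined earlier: a captured authentication message is worthless if the server refuses to accept it a second time or outside a short freshness window. The Python program below is an added example, not from the study set. It combines a random nonce, a timestamp and an HMAC over both; the shared key, clock values and username are assumptions for the demonstration.

```python
"""Replay-resistant authentication message: nonce + timestamp + HMAC.

Added example, not from the original study set. The key, clock values and
user name are illustrative assumptions.
"""
import hashlib
import hmac
import json
import secrets

FRESHNESS_SECONDS = 30  # how far a message's timestamp may drift from the server clock


def make_message(key: bytes, user: str, now: int) -> str:
    """Client side: sign user + fresh random nonce + current time with an HMAC."""
    body = {"user": user, "nonce": secrets.token_hex(16), "ts": now}
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return json.dumps({"payload": payload.decode(), "mac": tag})


class ReplayGuardServer:
    """Server side: reject tampered, stale or previously seen messages."""

    def __init__(self, key: bytes):
        self.key = key
        self.seen_nonces = {}  # nonce -> timestamp it arrived with

    def _prune(self, now: int):
        # Nonces older than the freshness window can never be replayed
        # successfully anyway, so they need not be remembered.
        self.seen_nonces = {n: t for n, t in self.seen_nonces.items()
                            if now - t <= FRESHNESS_SECONDS}

    def verify(self, message: str, now: int) -> str:
        """Return 'ok', or the reason the message was rejected."""
        outer = json.loads(message)
        payload = outer["payload"].encode()
        expected = hmac.new(self.key, payload, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, outer["mac"]):
            return "bad-mac"      # fields were edited after signing
        body = json.loads(payload)
        if abs(now - body["ts"]) > FRESHNESS_SECONDS:
            return "stale"        # captured long ago, presented now
        self._prune(now)
        if body["nonce"] in self.seen_nonces:
            return "replay"       # exact copy of a message already accepted
        self.seen_nonces[body["nonce"]] = body["ts"]
        return "ok"


def demo():
    """Run the four cases and return the server's verdicts in order."""
    key = b"shared-secret-for-demo"  # assumption: a pre-shared key
    server = ReplayGuardServer(key)
    msg = make_message(key, "alice", now=1_000_000)
    results = [server.verify(msg, now=1_000_000)]        # genuine first use
    results.append(server.verify(msg, now=1_000_005))    # sniffed and replayed
    old = make_message(key, "alice", now=1_000_000)
    results.append(server.verify(old, now=1_000_100))    # presented 100 s later
    tampered = msg.replace("alice", "admin")
    results.append(server.verify(tampered, now=1_000_000))  # edited in transit
    return results


if __name__ == "__main__":
    print(demo())
```

Note the ordering inside verify: the MAC is checked before any field is trusted, so an attacker cannot move the timestamp forward or change the nonce to get past the later checks.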

Countermeasures for preventing spoofing are as follows:

Implement firewall and router filters to prevent spoofed packets from crossing into or out of your private secured network. Filters will drop any packet suspected of being spoofed.
Use certificates to prove identity.
Use reverse DNS lookup to verify the source email address.
Use encrypted communication protocols, such as IPsec.
Use ingress and egress filters to examine packets and identify spoofed packets. Ingress filters examine packets coming into the network, while egress filters examine packets going out of the network. Any packet suspected of being spoofed on its way into or out of your network will be dropped.
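The ingress/egress rule is simple enough to state in a few lines of code, and seeing it applied to packets makes clear which direction catches which abuse. The Python program below is an added example, not from the study set. It assumes a private prefix of 10.20.0.0/16 and uses constructed packets with documentation-range addresses; an ingress packet claiming an inside source is dropped, and an egress packet whose source is not ours (the pattern behind the amplification attack described later) is dropped.

```python
"""Ingress/egress anti-spoofing filter at a network border.

Added example, not from the original study set. The inside prefix and the
sample packets are constructed assumptions.
"""
import ipaddress
from typing import NamedTuple


class Packet(NamedTuple):
    direction: str  # "ingress" (entering our network) or "egress" (leaving it)
    src: str
    dst: str


INSIDE = ipaddress.ip_network("10.20.0.0/16")  # assumed: our private address block


def filter_packet(pkt: Packet, inside=INSIDE):
    """Return ("allow", None) or ("drop", reason) for one packet at the border."""
    src = ipaddress.ip_address(pkt.src)
    if pkt.direction == "ingress":
        if src in inside:
            return ("drop", "ingress packet claims an inside source address")
        if src.is_loopback or src.is_unspecified or src.is_multicast:
            return ("drop", "ingress packet carries a bogon source address")
        return ("allow", None)
    if pkt.direction == "egress":
        if src not in inside:
            # Stops hosts on our network from sending packets with a forged
            # victim source address (reflection/amplification abuse).
            return ("drop", "egress packet with a source address not in our prefix")
        return ("allow", None)
    raise ValueError(f"unknown direction {pkt.direction!r}")


# Constructed sample packets (documentation-range addresses, not real hosts).
SAMPLE_PACKETS = [
    Packet("ingress", "203.0.113.5", "10.20.1.10"),    # normal inbound
    Packet("ingress", "10.20.1.10", "10.20.1.20"),     # outsider forging an inside source
    Packet("ingress", "127.0.0.1", "10.20.1.10"),      # loopback source seen on the wire
    Packet("egress", "10.20.1.10", "198.51.100.9"),    # normal outbound
    Packet("egress", "198.51.100.7", "203.0.113.53"),  # forged victim source leaving us
]


def apply_filter(packets=SAMPLE_PACKETS):
    """Return the (action, reason) decision for each packet in order."""
    return [filter_packet(p) for p in packets]


if __name__ == "__main__":
    for pkt, (action, reason) in zip(SAMPLE_PACKETS, apply_filter()):
        print(f"{pkt.direction:7} {pkt.src:>15} -> {pkt.dst:<15} {action} {reason or ''}")
```

Egress filtering protects other people's networks rather than your own, which is why it is so often missing; it is nonetheless the filter that stops your hosts being used as spoofed-source amplifiers.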

DNS Poisoning attack:

Incorrect DNS data is introduced into the cache of a primary DNS server
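Whether incorrect data makes it into the cache depends on which checks the resolver applies to an incoming response: matching the transaction ID of an outstanding query, matching the question, and refusing records that the answering server has no authority over (the "bailiwick" rule). The Python program below is an added example, not from the study set; it models DNS messages as small dictionaries rather than wire format, uses placeholder names and addresses, and shows the same two spoofed responses against a resolver with and without the bailiwick check. A real resolver also matches the source address and port of the reply, which is omitted here.

```python
"""Toy caching resolver: which checks keep spoofed DNS replies out of the cache.

Added example, not from the original study set. Messages are constructed
dicts, not wire-format DNS; names and addresses are placeholders.
"""
import secrets


class Resolver:
    def __init__(self, check_bailiwick=True):
        self.check_bailiwick = check_bailiwick
        self.cache = {}    # (name, rtype) -> value
        self.pending = {}  # txid -> (name, rtype, zone the query was sent to)

    def send_query(self, name, rtype, zone):
        """Issue a query with a random 16-bit transaction ID and remember it."""
        txid = secrets.randbelow(1 << 16)
        self.pending[txid] = (name, rtype, zone)
        return txid

    @staticmethod
    def in_bailiwick(name, zone):
        """True if the server for `zone` is entitled to answer for `name`."""
        return name == zone or name.endswith("." + zone)

    def receive(self, resp):
        """Process a response. Return ('accepted', records cached) or ('rejected', why)."""
        query = self.pending.get(resp["id"])
        if query is None:
            return ("rejected", "unknown-txid")      # blind guess or late duplicate
        name, rtype, zone = query
        if resp["question"] != (name, rtype):
            return ("rejected", "question-mismatch")
        del self.pending[resp["id"]]
        cached = 0
        records = resp.get("answers", []) + resp.get("additional", [])
        for rname, rt, value in records:
            if self.check_bailiwick and not self.in_bailiwick(rname, zone):
                continue  # out-of-bailiwick glue is the classic poisoning vector
            self.cache[(rname, rt)] = value
            cached += 1
        return ("accepted", cached)


def demo():
    """Same spoofing attempts against a checking and a non-checking resolver."""
    out = []
    for check in (True, False):
        r = Resolver(check_bailiwick=check)
        txid = r.send_query("www.example.com", "A", "example.com")
        # (a) blind spoof that guesses the transaction ID wrongly
        out.append(r.receive({"id": (txid + 1) & 0xFFFF,
                              "question": ("www.example.com", "A"),
                              "answers": [("www.example.com", "A", "198.51.100.66")]}))
        # (b) correct ID, but smuggling a record for a name outside example.com
        out.append(r.receive({"id": txid,
                              "question": ("www.example.com", "A"),
                              "answers": [("www.example.com", "A", "192.0.2.10")],
                              "additional": [("www.bank.test", "A", "198.51.100.66")]}))
        out.append(r.cache.get(("www.bank.test", "A")))
        # (c) the same ID again after the query was answered: nothing pending
        out.append(r.receive({"id": txid,
                              "question": ("www.example.com", "A"),
                              "answers": []}))
    return out


if __name__ == "__main__":
    for line in demo():
        print(line)
```

With the bailiwick check the smuggled www.bank.test record is silently dropped; without it the record lands in the cache and every client of this resolver is redirected until it expires. The transaction ID alone is only 16 bits, which is why source-port randomization and DNSSEC validation are layered on top of it.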

MAC Spoofing

MAC spoofing is when an attacking device spoofs the MAC address of a valid host currently in the MAC address table of the switch. The switch then forwards frames destined for that valid host to the attacking device. This can be used to bypass:

A wireless access point with MAC filtering on a wireless network
Router access control lists (ACLs)
802.1x port-based security

Session-Based Attacks are

Man-in-the-Middle
TCP/IP (Session) Hijacking
HTTP (Session) Hijacking
Replay Attack
Null Session

Reconnaissance (DNS-based attack)

Performing direct queries on DNS servers (using a tool such as nslookup) to request individual records.
Attaching to a DNS server as a secondary server and requesting a zone transfer of DNS records.
Using a protocol analyzer to gather zone transfer traffic, which is transferred in cleartext from the primary DNS server to the secondary DNS server.

Other ways to protect your organization from DNS attacks include:

Using the latest version of DNS software.
Consistently monitoring traffic going through your network.
Configuring servers to duplicate, separate, and isolate DNS functions.
Using Domain Name System Security Extensions (DNSSEC) to secure certain kinds of information provided by DNS. DNSSEC adds cryptographic signatures to existing DNS records, helping the server correctly validate DNS responses.
Securing and automatically renewing domain registration accounts.

Null Sessions are allowed

through the SMB and NetBIOS protocols used on Microsoft systems.

Man-in-the-Middle, both parties

at the endpoints believe they are communicating directly with the other, while the attacker intercepts and/or modifies the data in transit. The attacker can then authenticate to the server using the intercepted credentials.

ARP spoofing can also

be used to perform Denial of Service (DoS) attacks by redirecting communications to fake or non-existent MAC addresses

To prevent null session attacks,

block TCP ports 139 and 445 on network firewalls. Windows NT uses TCP port 139 to establish NetBIOS sessions, and Windows 2000 and later use TCP port 445 for SMB sessions.

Domain Name Kiting allows spammers to generate income through clicks

by automatically registering thousands of domains and putting ads on them. They can create link farms (multiple domains with automatic hyperlinks to targeted sites) to spam the index of a search engine (such as Google) and trick the search engine into conferring a page ranking on the spammed website.

IP Spoofing can amplify attacks

by sending a message to a broadcast address and then redirecting responses to a victim, who is overwhelmed with responses.

Man-in-the-Middle, the attacker

inserts himself in the communication flow between the client and server. The client is fooled into authenticating to the attacker.

Standard DNS

is configured with one primary DNS server that maintains a read/write copy of all the computer names and IP addresses registered in DNS for the domain.

In a DNS poisoning attack, the incorrect mapping

is made available to client applications.

TCP/IP (Session) Hijacking, The session state

is manipulated so that the attacker is able to insert alternate packets into the communication stream.

Spoofing

is used to hide the true source of packets or redirect traffic to another location. Spoofing attacks include IP spoofing, MAC spoofing and ARP spoofing.

A DNS-based attack

occurs when stolen DNS records are used to redirect traffic to fake websites for malicious purposes.

Spoofing uses

modified source and/or destination addresses in packets.

Domain Name Kiting allows spammers to acquire domains and

never pay for the registration of domain names by unregistering a domain name just before the grace period is up and then immediately re-registering the domain name.

Using security software to

prevent modification of the HOSTS file without your knowledge. This will prevent hackers from placing a mapping in the file to redirect traffic to a fake site.

Secondary DNS

servers obtain a read-only copy of this data from the primary DNS server or another secondary server.

Spoofing can include

site spoofing, which tricks users into revealing information.

TCP/IP (Session) Hijacking, The attacker

takes over the session and cuts off the original source device.

In a session-based attack,

the attacker takes over the TCP/IP session or captures information that can be used at a later date. Common session-based attacks include man-in-the-middle, TCP/IP (session) hijacking, HTTP (session) hijacking, replay attacks and null sessions.

IP Spoofing Hide

the origin of the attack by spoofing the source address.

In a DNS poisoning attack, traffic is redirected

to incorrect sites (known as pharming) for phishing purposes to perform:

Identity theft
Financial theft
Malware downloads (drive-by downloads), which can be used to capture sensitive information, such as passwords and financial information.

Mapping known malicious sites to the loopback address of 127.0.0.1

to prevent browsers from displaying the malicious sites.

Man-in-the-middle attacks are commonly used

to steal credit cards, online bank credentials, and confidential personal and business information.

Null Session, older Microsoft systems

used null sessions between computers. Attackers can use this vulnerability to log on and discover information about the system, such as a list of user names or shared folders.

The process of copying the records from the primary to the secondary DNS server is called

zone transfer and is performed in cleartext.

