1.2 Compare and contrast types of attacks. Flashcards

1
Q

Social Engineering - Phishing

A

Phishing is the attempt at fraudulently obtaining private information. A phisher usually masquerades as someone else, perhaps another entity. There are two main differences between phishing and pretexting.

First, phishing is usually done by electronic communication, not in person.

Second, little information about the target is necessary. A phisher may target thousands of individuals without much concern as to their background. An example of phishing would be an e-mail that requests verification of private information. The e-mail probably leads to a malicious website designed to lure people into a false sense of security to fraudulently obtain information. The website often looks like a legitimate website. A common phishing technique is to pose as a vendor (such as an online retailer or domain registrar) and send the target email confirmations of orders that they supposedly placed.

This is a triple-whammy.

First, the orders are obviously fake; a person might say “Hey, wait! I didn’t place these orders!” and perhaps click the link(s) in the e-mail, leading the person to the false web page.

Second, if a person thinks it’s a legitimate order (perhaps the person does many orders, and the fraudulent one looks like another legitimate one), the person might click a link to track the order, again leading to the bogus web page.

Third, once at the web page, the person is asked to enter her credentials for her account (which then leads to credit card fraud and ID theft), and in addition to that the page might have Trojans and other malicious scripts that are delivered to the unsuspecting person on exit. Sheesh, talk about cyber-bullying!

2
Q

Social Engineering - Spear Phishing

A

(Cont. after Phishing)
Generally, no information about the target is necessary for a phishing attack. However, some “phishermen” actually target specific groups of people or even specific individuals. This is known as spear phishing.

3
Q

Social Engineering - Whaling

A

(Cont. after Phishing and Spear Phishing)
And when an attacker targets senior executives (CEOs, CFOs, and so on) it is known as whaling. Whaling attacks are much more detailed and require that the attacker know a good deal of information about the target (much of which is freely available on the Internet).

4
Q

Social Engineering - Vishing

A

The concept of phishing is also accomplished by telephone. Phone phishing, known as vishing, works in the same manner as phishing but is initiated by a phone call (often using VoIP systems).

The phone call often sounds like a prerecorded message from a legitimate institution (bank, online retailer, donation collector, and so on). The message asks the unsuspecting person for confidential information such as name, bank account numbers, codes, and so on; all under the guise of needing to verify information for the person’s protection. It’s really the opposite, of course, and many people are caught unawares by these types of scams every day.

By using automated systems (such as the ones telemarketers use), vishing can be perpetuated on large groups of people with little effort.

5
Q

Social Engineering - Tailgating

A

A favorite method of gaining entry to electronically locked systems is to follow someone through the door they just unlocked, a process known as tailgating. Many people don’t think twice about this event—it happens all the time—as they hold the door open for someone behind them who is carrying heavy boxes or is disabled in some way.

6
Q

Social Engineering - Impersonation

A

As mentioned at the beginning of the chapter, impersonation involves any act of pretending to be someone you are not. This can be a service technician, a pizza delivery driver, a security guard, or anyone else who might be allowed unfettered access to the grounds, network, or system. Impersonation can be done in person, over the phone, by email, and so forth.

7
Q

Social Engineering - Dumpster Diving

A

Dumpster diving is a common physical access method. Companies normally generate a huge amount of paper, most of which eventually winds up in dumpsters or recycle bins.

Dumpsters may contain information that is highly sensitive in nature. In high-security and government environments, sensitive papers are either shredded or burned. Most businesses don’t do this. In addition, the advent of “green” companies has created an increase in the amount of recycled paper, which can often contain all sorts of juicy information about a company and its employees.

8
Q

Social Engineering - Shoulder Surfing

A

Shoulder surfing is when the hacker tries to view confidential information or information that may help the attacker compromise security by looking over employees’ shoulders to view information either on their desk or on the computer screen.

The best defense against this type of attack is to survey your environment before entering personal data. It is a good idea for users not to have their monitors positioned in ways that make it easy for this act to occur, but they also need to understand and appreciate that such an attack can occur away from the desk as well: in any public location where they sit with their laptops, at business travel centers in hotels, at ATMs, and so on.

9
Q

Social Engineering - Hoax

A

A hoax is the attempt at deceiving people into believing something that is false. The differences between hoaxes and phishing can be quite gray.

However, hoaxes can come in person, or through other means of communication, whereas phishing is generally relegated to e-communication and phone. Although phishing can occur at any time, and with the specific goal of obtaining private information, a hoax can often be perpetuated on holidays or other special days and could be carried out simply for fun.

Regardless, hoaxes can use up valuable organization resources: e-mail replies, Internet bandwidth used, time spent, and so on. An example of a “harmless” hoax was Google’s supposed name change to “Topeka” on April Fools’ Day 2010. An example of a financially harmful hoax was the supposed assassination of Bill Gates on April Fools’ Day 2003. This hoax led to stock market fluctuations and loss of profit in Asia. Some companies place a time limit on jokes and hoaxes indicating that the affected person has become nonproductive; for example, 3% of the workday.

Pretexting, malicious insider attempts, diversion theft, phishing, and hoaxes are all known as confidence tricks, thus the term con, and are committed by “bunko” artists.

10
Q

Social Engineering - Water Hole Attack

A

A watering hole attack can sound a lot more complicated than it really is. The strategy the attacker takes is simply to identify a site that is visited by those they are targeting, poisoning that site, and then waiting for the results.

As an example, suppose an attacker wants to gain unauthorized access to the servers at Spencer Industries, but Spencer’s security is really good. The attacker discovers that Spencer does not host its own email but instead outsources it to a big cloud provider. Thus, they focus their attention on the weaker security of the cloud provider. On the cloud provider’s email site, they install the malware du jour, wait until a Spencer employee gets infected, and suddenly have the access they coveted.

The best defense against a watering hole attack is to make certain that all of your partners are secure. Identify weak links, and bring them up to the same level of security as the rest of your infrastructure. From an exam perspective, one of the best things about most of these types of attacks is that the name telegraphs the predicament.

As an IT administrator, you have no way of preventing someone from trying these tactics against your company, but educating users about them is the best way to prevent them from being successful. The more people are aware of their presence and potential harm, the more likely they can help thwart such attacks since the ultimate objective is to gain unauthorized access to information.

11
Q

Social Engineering - Principles (Reasons for Effectiveness) - Authority

A

If it is possible to convince the person you are attempting to trick that you are in a position of authority, they may be less likely to question your request. That position of authority could be upper management, tech support, HR, or law enforcement.

12
Q

Social Engineering - Principles (Reasons for Effectiveness) - Intimidation

A

Although authority can be a source of intimidation, it is possible for intimidation to occur in its absence as well. This can be done with threats, with shouting, or even with guilt.

13
Q

Social Engineering - Principles (Reasons for Effectiveness) - Consensus/Social Proof

A

Putting the person being tricked at ease by putting the focus on them—listening intently to what they are saying, validating their thoughts, charming them—is the key to this element. The name comes from a desire that we all have to be told that we are right, attractive, intelligent, and so forth, and we tend to be fond of those who confirm this for us. By being so incredibly nice, the social engineer convinces the other party that there is no way their intentions could possibly be harmful.

In other words, the hacker usually presents some facts known to the victim (and hacker) to act as proof that what the hacker is saying is true and can be trusted.

14
Q

Social Engineering - Principles (Reasons for Effectiveness) - Scarcity

A

Convincing the person who is being tricked that there is a limited supply of something can often be effective if carefully done.

For example, convincing them that there are only 100 vacation requests that will be honored for the entire year and that they need to go to a fictitious website now and fill out their information (including username and password, of course) if they want to take a vacation anytime during the current year can dupe some susceptible employees.

In other words, scarcity is when the attack comes in the form of an e-mail, web site, or even a call, where the hacker makes you feel you need to click the order link now as you have a limited amount of time to take advantage of a great deal!

15
Q

Social Engineering - Principles (Reasons for Effectiveness) - Familiarity/Liking

A

Mental guards are often lowered, many times subconsciously, when we are dealing with other individuals that we like. The “like” part can be gained by someone having, or pretending to have, the same interests as we do, be engaged in the same activities, or otherwise working to gain positive attention.

The hacker may use a friendly tone and be very sociable, which makes the victim tend to like them and want to help.

16
Q

Social Engineering - Principles (Reasons for Effectiveness) - Trust

A

One of the easiest ways to gain trust is through reciprocation. When someone does something for you, there is often a feeling that you owe that person something. For example, to gain your trust, someone may help you out of a troublesome situation or buy you lunch.

It is in our nature to trust people who appear to be in need of help.

17
Q

Social Engineering - Principles (Reasons for Effectiveness) - Urgency

A

The secret for successfully using the urgency element is for the social engineer to convince the individual whom they are attempting to trick that time is of the essence so the victim doesn’t really think of the security impact. If they don’t do something right away, the money will be lost, a nonexistent intruder will get away, the company will suffer irreparable harm, or a plethora of other negative possibilities may occur.

18
Q

Application/Service Attacks - DoS

A

A denial of service (DoS) attack involves the hacker overloading a system with requests so that the system is so busy servicing the hacker’s requests that it cannot service valid requests from other clients.

19
Q

Application/Service Attacks - DDoS

A

A distributed denial of service (DDoS) attack is when the hacker uses a number of systems to perform the attack, which helps the hacker create a large number of requests. With a DDoS attack, the hacker first compromises and takes control of a number of systems and then uses those systems to help with the attack. The compromised systems are known as zombie systems because they have no mind of their own and will do whatever the hacker tells them to do.

20
Q

Application/Service Attacks - Man-in-the-middle (MITM)

A

A form of eavesdropping that intercepts all data between a client and a server, relaying that information back and forth.

21
Q

Application/Service Attacks - Buffer Overflow

A

Most attacks are buffer overflows. A buffer is an area of memory used to store information sent to an application. A buffer overflow is when a hacker sends too much information to the application, causing the information to fill both the buffer and memory outside the buffer.

If the hacker can store information in memory beyond the buffer area, the hacker can run whatever code they want with administrative privileges. The software that is susceptible to this attack could be an application or a background service loaded in the operating system.

22
Q

Application/Service Attacks - Injection

A

SQL Injection
SQL (Structured Query Language) is the de facto language used for communicating with online (and other relational) databases. With a SQL injection attack (also known as a SQL insertion attack), an attacker manipulates the database code to take advantage of a weakness in it.

LDAP Injection
Just as SQL injection attacks take statements that are input by users and exploit weaknesses within, an LDAP injection attack exploits weaknesses in LDAP (Lightweight Directory Access Protocol) implementations. This can occur when the user’s input is not properly filtered, and the result can be executed commands, modified content, or results returned to unauthorized queries. The best way to prevent LDAP injection attacks is to filter the user input and to use a validation scheme to make certain that queries do not contain exploits.

XML Injection
When users enter values that query XML (known as XPath) with values that take advantage of exploits, it is known as an XML injection attack. XPath works in a similar manner to SQL, except that it does not have the same levels of access control, and taking advantage of weaknesses within can return entire documents. The best way to prevent XML injection attacks is to filter the user’s input and sanitize it to make certain that it does not cause XPath to return more data than it should.

23
Q

Application/Service Attacks - Cross-site Scripting (XSS)

A

In cross-site scripting (XSS), the hacker inserts script code into a form on a site so that when the page is displayed by another user, the browser reads the script and executes it.

24
Q

Application/Service Attacks - Cross-site Request Forgery (CSRF)

A

Cross-site request forgery, CSRF or XSRF for short, is an attack that targets a user who is already authenticated to a web site, such as a bank site to do online banking. The user is then tricked by a hacker to run a web page; for example, the hacker sends an e-mail message to the user and tricks the user into clicking a link. The malicious web page loads and sends commands (form submission) to the bank site that the user is already logged in to. The end result is the user unknowingly could be transferring money to the hacker’s account.

25
Q

Application/Service Attacks - Privilege Escalation

A

Privilege escalation is when a hacker finds a flaw in the operating system, or in a piece of software installed on the system, that, when exploited, elevates the hacker’s privileges from normal user capabilities to administrative access. Once the hacker has gained administrative access to the system, they can make whatever changes they want to the system, including planting a back door for future access.

There are three types of privilege escalation:
Vertical privilege escalation
When someone with normal user access is able to raise their privileges to administrative access

Horizontal privilege escalation
When the same level of access is maintained, but the resource being accessed is different

Privilege de-escalation
When someone with administrative access is able to lower their privilege level so that they can access data that a specific user has access to

26
Q

Application/Service Attacks - ARP Poisoning

A

ARP is a protocol that converts the IP address to the MAC address and then stores the IP and corresponding MAC address in memory on the system. This area of memory is known as the ARP cache.

ARP poisoning involves the hacker altering the ARP cache on a system, or group of systems, so that all systems have the wrong MAC address stored in the ARP cache for a specific IP address, maybe the address of the default gateway.

Typically, the hacker will poison the ARP cache so that the default gateway IP address (your router’s IP address) points to the hacker’s MAC address. This will ensure that every time a system tries to send data to the router, it will retrieve the hacker’s MAC address from the local ARP cache and then send the data to the hacker’s system instead of to the router.

This is how the hacker typically performs an MITM attack on a wired network or wireless network. This also allows a hacker to capture all network traffic even in a switched environment. The hacker just needs to enable the routing feature on their system so that all data is then passed on to the router and out to the Internet, while in the meantime the hacker has captured every piece of data headed out to the Internet.

27
Q

Application/Service Attacks - Amplification

A

Amplification is the process of increasing the strength of a signal so that communication can occur. A hacker may amplify the signal on their wireless card so that they can reach greater distances with wireless. This means that the hacker may not need to be physically close to a network in order to connect to that network if they have amplified their signal. Keep in mind, from a security point of view, you should lower the power on your wireless access point to force someone to be close to your access point in order to connect (inside the facility).

28
Q

Application/Service Attacks - DNS Poisoning

A

DNS poisoning is when the hacker compromises a DNS server and poisons the DNS entries by having the DNS names point to incorrect IP addresses. Often, the hacker will modify the DNS records to point to the hacker’s system—this will force all traffic for that DNS name to the hacker’s system.

At the domain level (company’s local DNS servers)
DNS poisoning is also the altering of the DNS cache that is located on your company’s local DNS servers. The DNS cache stores the names of web sites already visited by employees and the IP addresses of those sites. The cache is on your DNS server so that when another employee surfs the same site, the DNS server already has the IP address of that site and does not need to forward a query out to the Internet. The DNS server in your local office simply sends the IP address that is stored in the DNS cache to the client. It is possible for the hacker to poison the DNS cache so that your users are sent to the wrong web sites.

At the host level (each computer in the company)
Another popular technique for hackers to lead you to the wrong web site is to modify the hosts file that resides on every system. The hosts file is used to resolve domain names to IP addresses, and if an entry is found in the local hosts file, then the system will not query DNS.

29
Q

Application/Service Attacks - Domain Hijacking

A

Domain hijacking is a type of attack that involves the hacker taking over a domain name from the original registrant. The hacker may hijack the domain by using social engineering techniques to gain access to the domain name and then switch ownership, or the hacker could exploit a vulnerability on the systems that host the domain name to gain unauthorized access to the domain registration.

30
Q

Application/Service Attacks - Man-in-the-browser

A

A man-in-the-browser (MITB) attack is a form of man-in-the-middle (MITM) attack where the browser contains a Trojan that was inserted via an add-in being loaded or a script executing within the browser. The Trojan at this point can intercept any data the user inputs into the browser and alter it before sending it to the destination server. Examples of MITB Trojans are Zeus and SpyEye.

31
Q

Application/Service Attacks - Zero Day

A

“Zero day” refers to an exploit in an application that is unknown to the developers of the application. The term zero-day exploit comes from the fact that the hacker exploits the software before the vendor knows of the vulnerability or on the first day the vendor becomes aware of it (zero day).

32
Q

Application/Service Attacks - Replay

A

A replay attack starts as a sniffing attack because the hacker first must capture the traffic that they wish to replay. The hacker then resubmits the traffic onto the network (replays it) later. The hacker may alter the traffic first and then replay it, or the hacker may simply be replaying traffic to generate more traffic.

33
Q

Application/Service Attacks - Pass the Hash

A

In cryptanalysis and computer security, pass the hash is a hacking technique that allows an attacker to authenticate to a remote server or service by using the underlying NTLM or LanMan hash of a user’s password, instead of requiring the associated plaintext password as is normally the case.

After an attacker obtains valid user name and user password hash values (somehow, using different methods and tools), they are then able to use that information to authenticate to a remote server or service using LM or NTLM authentication without the need to brute-force the hashes to obtain the cleartext password (as was required before this technique was published). The attack exploits an implementation weakness in the authentication protocol, where the password hash remains static from session to session until the password is next changed.

34
Q

Application/Service Attacks - Hijacking and Related Attacks - Clickjacking

A

In a clickjacking attack, the hacker tricks the user into clicking a button (or some other object) in an application or web page that launches malicious code.

35
Q

Application/Service Attacks - Hijacking and Related Attacks - Session Hijacking

A

Session hijacking is when the hacker kicks one of the parties out of the communication and impersonates that person in the conversation. The hacker typically disconnects one of the parties via a denial of service attack.

36
Q

Application/Service Attacks - Hijacking and Related Attacks - URL Hijacking/Typo Squatting

A

Typo squatting is also known as URL hijacking and takes advantage of the fact that some users will make typos when typing a URL into the browser. The hacker sets up a web site with a URL that is very similar to the URL of a popular web site but includes an anticipated typo, leading unwary misspellers to the hacker’s web site.

37
Q

Application/Service Attacks - Driver Manipulation - Shimming

A

There are a few interpretations of shimming. First, shimming is a type of attack on ATMs and self-service gas pumps where the hacker inserts into the card reader a “shimmer” that can intercept the data transferring to the terminal. As a result, the hacker can copy the card data, including the account number and expiration date.

The second scenario for shimming is related to application code and driver manipulation. Following a continuous code-improvement mindset, we are always looking for better ways to improve our code. When an application has problems running in an environment, a shim can be created and applied to the application to fix compatibility issues. As it relates to driver manipulation, a shim can be created to allow a driver to run on an OS that the driver had compatibility issues with.

From a security point of view, shimming an application could create a new vector for attacks because rewriting functions in a shim and applying the shim to the application or driver could introduce a flaw by accident, or on purpose if the person who created the shim is the hacker.

38
Q

Application/Service Attacks - Driver Manipulation - Refactoring

A

Something malware authors like to do is change the way the malware looks every time it’s downloaded. This is metamorphic malware, and the technique is called refactoring. Every time somebody downloads the malware, it’s downloaded as a completely different executable. This means that, if you’re looking for something to be the same every time, for instance with an anti-virus signature, this now becomes much more difficult to identify.

The refactoring adds things like NOPs, which are No Operation methods. They put loops into the application. There are code strings added that have nothing to do with the operation of the malware. They’re really just designed to make the malware look different.

This refactoring process is very intelligent. It takes malware and reorders all the functions. It changes the actual flow of the application. The code is completely reorganized and becomes very difficult for a signature-based identification method like anti-virus to be able to now identify this as something malicious.

This means that you should be using a layered approach. You should still use the anti-virus signatures that you have, but you should also consider adding on blocking of known malicious URLs, or perhaps making sure that you have backups done more often so that, if you do need to restore from backup, you won’t lose too much of your data.

39
Q

Application/Service Attacks - MAC Spoofing

A

When the source MAC address of a frame is altered so that it appears to have come from a different system or device.

40
Q

Application/Service Attacks - IP Spoofing

A

When the source IP address of a packet is altered so that it appears as if the packet comes from a different source.

41
Q

Wireless Attacks - Replay

A

A replay attack is a common type of attack with wireless networking whereby the hacker tries to crack the encryption key. In order to crack the encryption key, the hacker must generate enough traffic to allow the cracking tools to perform the crack. Instead of waiting for the wireless access point to receive enough traffic, the hacker can capture traffic with a sniffer and resend, or replay, the traffic.

42
Q

Wireless Attacks - IV

A

WEP is a wireless encryption protocol that uses RC4 as the symmetric encryption algorithm using 64-bit or 128-bit encryption. The 64-bit or 128-bit encryption key is based on a 24-bit initialization vector (IV), a value that is randomly generated and sent in the header of the packet. The IV is used with a 40-bit key (for 64-bit encryption) or a 104-bit key (for 128-bit encryption) that is configured on the wireless access point and the wireless client.

It is important to understand that WEP has huge flaws in its implementation of encryption and key usage, and that as a result both 64-bit and 128-bit WEP have been cracked. The IV is only a 24-bit value, which means that there are only 16,777,216 possible IVs. As a result, environments with large amounts of traffic have repeating IVs. Because the IV is transmitted in the header, if a hacker can capture enough traffic, then the remainder of the 64-bit/128-bit key can be cracked within minutes. Therefore, for security reasons, you should not use WEP.

If you have older wireless hardware that only supports WEP, you should replace that hardware with newer hardware so you can create a more secure environment.

43
Q

Wireless Attacks - Evil Twin

A

An evil twin is a rogue access point that copies the SSID of a legitimate access point.

A hacker can install a rogue access point from their wireless connection on a laptop and make the laptop device appear to be a valid access point. This is known as an evil twin, with the benefit to the hacker being that clients will connect to the hacker’s fake access point, thinking it is a valid wireless network. All data sent on this wireless network will be sent to the hacker’s laptop, where they can capture and read the data.

44
Q

Wireless Attacks - Rogue AP

A

A rogue access point occurs when someone puts up an unauthorized access point. If users connect to it, then all of their traffic goes through this access point

45
Q

Wireless Attacks - Jamming

A

Interference can be unintentional (caused by other devices in the vicinity, for example) or intentional. When it is intentional, then it is referred to as jamming, as the intent is to jam the signal and keep the legitimate device from communicating.

Given the way the jamming attack works, it can be thought of as a type of denial-of-service (DoS) attack and is a violation of federal law in most cases.

Powerful jammers are available that send a constant signal and, if in the right vicinity, can incapacitate a network quickly. Since they are so strong, however, these constant jammers are usually easily detected, and administrators can implement antijamming procedures (such as switching channels) to negate them.

More troublesome to identify are low-powered jammers, some of which hide by sending out signals and then stopping, hiding for a while, and then sending out signals again.

46
Q

Wireless Attacks - WPS

A

Wi-Fi Protected Setup (WPS) is a wireless security feature introduced a number of years ago that allowed a user to enter a PIN (found on the back of the wireless router) to connect to the wireless network.

After the PIN has been used, the SSID and WPA2 encryption key is automatically configured. This security feature was created to allow home users who know very little of wireless networking to create and join their wireless network with ease. In 2011 a vulnerability was found in WPS that allows an attacker to perform a brute-force attack on the WPS PIN.

For more details:
https://www.professormesser.com/security-plus/sy0-501/wps-attacks-2/

47
Q

Wireless Attacks - Bluejacking

A

Sending unsolicited messages using the Bluetooth wireless protocol to other Bluetooth-enabled devices such as phones and tablets.

48
Q

Wireless Attacks - Bluesnarfing

A

Exploiting a Bluetooth-enabled device by copying data from it.

49
Q

Wireless Attacks - RFID

A

Radio-frequency identification (RFID) is a technology that involves a small device, such as an ID badge or maybe a piece of equipment, containing a chip and an antenna within a tag that is used to send radio waves containing data. The data goes to a reader that is connected to a computer that can be reached with distances of several feet. The major advantage of RFID is that because it uses radio waves, there is no requirement for line of sight.

50
Q

Wireless Attacks - NFC

A

Another type of wireless communication that is becoming more common today is known as Near Field Communication (NFC). NFC is a mobile device standard that allows mobile devices brought within inches of one another to transfer information. Some common uses of NFC are to transfer data such as contacts, to pay for items in a store, or even to transfer Wi-Fi configuration information.

51
Q

Wireless Attacks - Disassociation

A

After changing the value of the SSID, disable SSID broadcasting so that your router does not broadcast the name out on the network to anyone who wants to connect to it.

To disable SSID broadcasting on the D-Link wireless router, set the Visibility Status to Invisible, and then click Save Settings. Now that you have disabled SSID broadcasting, users who want to connect to your network will not see the wireless network through Windows unless they manually input the SSID name.

Note that if you change the SSID of a wireless network, any clients that are connected will lose their connection in what is known as a disassociation event.

A hacker can also disassociate your wireless connection during an attack so that they can capture the reassociation traffic and replay that traffic in order to try to crack the encryption.

For more details:
https://www.professormesser.com/security-plus/sy0-501/wireless-disassociation-attacks/

52
Q

Cryptographic Attacks - Birthday

A

A birthday attack is a type of attack performed on hashing functions. It has been found that if you try enough data input, you will find that two different data inputs generate the same hash value. This is known as a birthday attack because the theory is based on the fact that when you select a large, random group of people, you will have people with duplicate birth dates.
… (more details)
The math works out to about 1.7*sqrt(n) inputs to get a collision.
Remember, a collision is when two inputs produce the same output. So for an MD5 hash, you might think that you need “2^(128) + 1” different inputs to get a collision—and for a guaranteed collision you do. That is an exceedingly large number: 3.4028236692093846346337460743177e+38.

But the Birthday paradox tells us that to just have a 51 percent chance of there being a collision with a hash you only need 1.7*sqrt(n) (n being 2^(128)) inputs.

That number is still very large: 31,359,464,925,306,237,747.2. But it is much smaller than the brute-force approach of trying every possible input.

53
Q

Cryptographic Attacks - Known Plain Text/Cipher Text

A

Another common type of password attack is called the known-plaintext attack, or KPA for short. With a known-plaintext attack, the hacker knows the plaintext value of a password (known as the crib) and the corresponding encrypted version (known as ciphertext). With this information, the hacker can then work on figuring out the encryption keys and other passwords.

54
Q

Cryptographic Attacks - Rainbow Tables

A

Rainbow tables are used to speed up the process of performing a brute-force attack. Recall that brute-force attacks can take a very long time. To speed the process up, the hacker can generate rainbow tables: a generated file that contains all mathematically possible passwords based on criteria given to the rainbow table generator. Rainbow tables are beneficial when the hacker is performing the attack because the calculations are already in the table (file); the hacker is simply reading a file.

So the hacker gets the complexity of a brute-force attack, but the speed of a dictionary attack.

55
Q

Cryptographic Attacks - Dictionary

Bonus: Hybrid Attack

A

A dictionary attack involves the hacker using a program that has a list of popular usernames in one text file and a list of words in a language dictionary that are to be tried as passwords in another file. The dictionary file normally contains all of the words in a language and can be downloaded from the Internet.

The benefit of a dictionary attack from a hacker’s point of view is it is a very fast and efficient type of attack because all it does is read the contents of a file—there is no mathematical calculation needed on the part of the password-cracking software. The disadvantage of the dictionary attack is that most passwords today are complex passwords in the sense that they require letters, numbers, and symbols. This makes the dictionary attack ineffective because those passwords are not dictionary words.

Another type of password attack is known as a hybrid attack. A hybrid attack involves the password-cracking software using a dictionary file, but after the software tries a word from the dictionary file, it then tries to modify the word.

Examples of modifications that the cracking software will use are to place numbers after the word and possibly to replace characters. For example, after the word “house” is attempted, the software will then try “house1,” “house2,” and so on. Examples of popular character replacement scenarios include replacing the “a” in the word with an “@” symbol, replacing an “L” with the number “1”, and replacing the “o” with a “0.”

56
Q

Cryptographic Attacks - Brute Force

A

A brute-force attack is a password attack that involves using the password-cracking software to mathematically calculate every possible password. Normally, the hacker would configure the password-cracking software with requirements such as the number of characters and whether to use letters, numbers, and symbols.

The benefit of a brute-force attack from the hacker’s point of view is that it is very effective—it will crack the passwords on a system if it has enough time to do so.

The disadvantage of a brute-force attack is the time it takes to complete it. Due to the large number of possible passwords, it could take years for the password crack to complete!

57
Q

Cryptographic Attacks - Brute Force - Online vs. Offline

A

As mentioned earlier, password attacks can be either online or offline. With an online attack, the hacker is trying to crack the password against the live system. The problem with this is that the hacker risks getting detected and locking out the accounts. If the hacker can get a copy of the user account database on a flash drive, the hacker can then take that away with them and try to crack the passwords offline.

58
Q

Cryptographic Attacks - Collision

A

Hashing algorithms are known to produce collisions, which occur when two different pieces of data create the same hash value.

59
Q

Cryptographic Attacks - Downgrade

A

A downgrade attack is sometimes used against secure communications such as TLS in an attempt to get the user to shift to less secure modes (SSL). The idea is to trick the user into shifting to a less secure version of the protocol, one that might be easier to break.

60
Q

Cryptographic Attacks - Replay

A

A password replay attack is when the hacker eavesdrops on a conversation and captures the password hash being sent from a client system to the server. Once the hacker has the hash value, they then use that to impersonate the original client and access the server.

61
Q

Cryptographic Attacks - Weak Implementation

A

Passwords can be encrypted to protect the plaintext value, but sometimes the encryption is not performed in the best way possible. For example, the Windows passwords are hashed in the SAM database, but they are broken into two 7-character hashes. This allows the hacker to determine very easily if someone has a password of less than eight characters because the last part of the password hash would be the same for all of those passwords.