1.4 Given a scenario, analyze potential indicators associated with network attacks Flashcards
Evil twin (Wireless attack)
An evil twin is a malicious fake AP (access point) that is set up to appear to be a legitimate, trusted network.
The attacker may have used a more powerful AP, placed the evil twin closer to the target, or used another technique to make the AP more likely to be the one the target will associate with.
Once a client connects to the evil twin, the attacker will typically provide an internet connection so that the victim does not realize that something has gone wrong. The attacker will then capture sensitive data in the victim's network traffic.
Rogue access point (Wireless attack)
Rogue access points are APs added to your network either intentionally or unintentionally. Once they are connected to your network, they can offer a point of entry for attackers or other unwanted users.
It is important to monitor your network and facilities for rogue APs.
Wireless intrusion detection systems or features can continuously scan for unknown APs and then determine if they are connected to your network by combining wireless network testing with wired network logs and traffic information.
Bluesnarfing (Wireless attack)
Bluesnarfing is unauthorized access to a Bluetooth device, typically aimed at gathering information like contact lists or other details the device contains.
Bluejacking (Wireless attack)
Bluejacking simply sends unsolicited messages to Bluetooth-enabled devices.
Disassociation (Wireless attack)
A Wi-Fi disassociation attack is when an attacker breaks the connection between a victim and a wireless access point. This type of attack involves an attacker posing as the victim and sending a message to the wireless access point telling it to disassociate from the victim device. This is a type of Denial of Service (DoS) attack.
Jamming (Wireless attack)
Jamming will block all the traffic in the range or frequency it is conducted against.
Since jamming is essentially wireless interference, jamming may not always be intentional; in fact, running into devices that are sending out signals in the same frequency range as Wi-Fi devices isn't uncommon.
RFID or Radio Frequency Identification (Wireless attack)
RFID is vulnerable to several classes of attack, including sniffing (or eavesdropping), spoofing, cloning, replay, relay, and DoS attacks.
Radio-Frequency Identification (RFID) uses radio waves to transmit information from a "tag" that stores the information to a "reader" that retrieves information from the tag.
RFID tags come in both passive and active varieties:
Passive tags have no power source of their own, and instead use power wirelessly transferred by the reader to transmit their information, while active tags contain their own power source.
Active tags can be read from up to hundreds of meters away, while passive tags have a much shorter range, usually less than a meter.
NFC or Near Field Communication (Wireless attack)
Built on RFID, often used with payment systems. Subject to many of the same vulnerabilities as RFID, including sniffing (or eavesdropping), spoofing, cloning, replay, relay, and DoS attacks.
NFC or Near Field Communication is used for short-range communication between devices. You've likely seen NFC used at payment terminals with Apple Pay or Google Wallet on phones. NFC is limited to about 4 inches of range and is primarily used for low-bandwidth, device-to-device purposes.
Initialization Vector or IV (Wireless attack)
The original implementation of wireless security was WEP (Wired Equivalent Privacy). WEP used a 24-bit IV, which could be reverse-engineered once enough traffic from a network was captured.
After the traffic was analyzed, the initialization vector or IV used to generate an RC4 key stream could be derived, and all traffic sent on the network could be decrypted.
WPA2 and WPA3 do not use weak initialization vectors like this, making this attack useless.
On-path attack
An on-path attack occurs when an attacker uses a packet sniffer between the sender and the receiver of a communication on the network and listens in on or intercepts the information being transferred, modifying its contents before resending the data to its destination.
To prevent on-path attacks, a server can present a unique host key to prove its identity to a client as a known host.
Packet sniffing can be prevented by encrypting data.
What is the OSI model?
The OSI or Open Systems Interconnection model is made up of seven layers, typically divided into two groups: the host layers and the media layers.
Layers 1-3, the Physical, Data Link, and Network layers, are considered media layers and are used to transmit frames or logical groups of bits, and to make networks of systems or devices work properly using addressing, routing, and control schemes.
Layers 4-7, the host layers, ensure that data transmission is reliable, that sessions can be managed, that encryption is handled and that translation of data from the application to the network and back works, and that APIs and other high-level tools work.
WE DON'T NEED TO MEMORIZE THE OSI MODEL
- Application Layer (Human/computer interaction)
- Presentation Layer (Formats data; handles data encryption, compression)
- Session Layer (Authentication, sessions, permissions)
- Transport Layer (Transmission of data, error control)
- Network Layer (Physical path decisions, addressing, routing, switching)
- Data Link Layer (Data format for the network, error detection, flow control)
- Physical Layer (Sends electrical impulses (bits))
ARP or Address Resolution Protocol poisoning (Layer 2 attacks)
ARP or Address Resolution Protocol poisoning attacks send malicious ARP packets to the default gateway of a network with the intent of changing the pairings of MAC addresses to IP addresses that the gateway maintains.
Attackers will send ARP replies that claim that the IP address for a target machine is associated with their MAC address, causing systems and the gateway to send traffic intended for the target system to the attacker’s system.
Attackers can use this to conduct on-path attacks by then relaying the traffic to the target system, or they can simply collect and use the traffic they receive. ARP poisoning can also be used to create a denial of service by causing traffic not to reach the intended system.
Media Access Control or MAC flooding (Layer 2 attacks)
MAC flooding targets switches by sending so many MAC addresses to the switch that the CAM (Content Addressable Memory) or MAC table that stores pairings of ports and MAC addresses is filled.
Since these tables have a limited amount of space, flooding them results in a default behavior that sends out traffic to all ports when the destination is not known to ensure traffic continues to flow.
MAC flooding can be prevented by using port security, which limits how many MAC addresses can be learned for ports that are expected to be used by workstations or devices. In addition, tools like NAC or other network authentication and authorization tools can match MAC addresses to known or authenticated systems.
MAC cloning (Layer 2 attack)
MAC cloning duplicates the media access control (MAC) address, i.e. the hardware address, of a device.
Attackers may choose to do this to bypass MAC address restricted networks or to acquire access that is limited by MAC address.
NAC or Network Access Control capabilities or other machine authentication and validation technologies can help identify systems that are presenting a cloned or spurious MAC address.
Spurious: not being what it purports to be; false or fake.
Domain Hijacking (Domain Name System or DNS attack)
Domain hijacking changes the registration of a domain, through technical means like a vulnerability with a domain registrar or control of a system belonging to an authorized user, or through nontechnical means such as social engineering.
The end result of domain hijacking is that the domain's settings and configuration can be changed by an attacker, allowing them to intercept traffic, send and receive email, or otherwise take action while appearing to be the legitimate domain holder.