1.4 - Network Attacks Flashcards

Analyze Potential Indicators Associated with Network Attacks

1
Q

Rogue Access Point

A
  • An unauthorized wireless access point
  • Doesn’t have to be malicious, but it is a security threat
  • A significant potential backdoor
  • Could be an employee or an attacker
  • Very easy to plug in a wireless access point
  • To combat: Schedule a periodic survey of wireless connections. Look for 3rd party tools or pineapples
  • To combat: Consider using 802.1x (Network Access Control) - must authenticate, regardless of connection type
2
Q

802.1x

A
  • Network Access Control
  • Must authenticate (sign in) regardless of connection type
  • If someone was to install a rogue access point and someone gained access, they couldn’t get in if you were running 802.1x b/c they would still need to authenticate
3
Q

Wireless Evil Twin

A
  • Looks legitimate, but is malicious
  • Wireless version of phishing
  • Try to get users to connect to your access point
  • Can overpower signal from other access points and become the primary access point
  • Ex: Public wifi, very easy to install wireless evil twin
  • To combat: make sure all communication is sent via HTTPS and VPN (this will encrypt communication), especially if using public wifi
4
Q

Bluejacking

A
  • Sending an unsolicited message to another device via Bluetooth
  • No mobile carrier required
  • Bluetooth usually operates in a radius of around 10 meters
  • Sometimes can include other types of media or messages
  • Relatively low security concern, small area, no enhanced capabilities
  • To combat: train users
5
Q

Bluesnarfing

A
  • Attacker can access data on device using Bluetooth
  • More of a concern than Bluejacking
  • Released in 2003, modern devices shouldn’t be susceptible
  • Ex: attacker might gain access to calendar, email, contacts
6
Q

Wireless Disassociation

A
  • a type of DoS (Denial of Service) attack
  • aka Wireless Deauthentication
  • Causes wireless devices on network to not be able to communicate to access point
  • Ex: wireless keeps dropping in and out
  • To remedy, you might have to get a patch cable and physically connect with an ethernet cable. Although generally there is nothing you can do about it.
7
Q

802.11 management framework

A
  • Mobile device -> access point via management frames
  • These management frames manage quality and allow devices to associate / disassociate with access point
  • The original 802.11 standard didn’t provide any protection (sent in the clear, no authentication / validation)
  • These can be exploited for a Wireless Disassociation attack
  • IEEE has an update to address this problem: 802.11w, made in July 2014
8
Q

802.11w

A
  • The updated version to protect against Wireless Disassociation attacks
  • Some important management frames are now encrypted (disassociate, deauthenticate, channel switch announcements etc.)
  • Although some management frames have to remain unencrypted in order to allow connections
  • Updated July 2014
  • If you’re running 802.11ac compliance or later then you’re already running 802.11w
9
Q

RF Jamming

A
  • Radio Frequency Jamming
  • A way for an attacker to create a DoS attack, by overwhelming the good signal
  • Prevents wireless communication
  • Decreases the signal-to-noise ratio at the receiving device
  • If the amount of noise is able to overwhelm the good signal then the device can’t communicate over wifi
  • Sometimes this is unintentional (ex: turning on a microwave) but it can be malicious.
10
Q

Techniques to create Noise

A
  • Send constant, random bits / constant, legitimate frames over network
  • Or attacker could send randomly timed, intermittent data and legitimate frames
  • Or attacker could send “reactive jamming” only sending noise when someone else tries to communicate
  • Jamming device needs to be relatively close (physically close or install device near physical network) - See Fox Hunting
11
Q

Fox Hunt

A
  • Take a directional antenna with headphones to try to find jamming devices (that create noise and disrupt wifi)
  • Look for the signal and then triangulate it
  • Can be challenging; you need the right equipment and techniques to locate and remove the jamming devices
12
Q

RFID

A
  • Radio Frequency Identification
  • Uses radio energy transmitted to the tag, which powers the tag, and the ID is transmitted back (no battery)
  • Some bi-directional communication (most are unidirectional)
  • Some RFID tags have a battery (so they don’t need energy transmitted to the tag)
  • It’s everywhere, can be very small
  • Ex: in pets, inventory tracking, access badges
13
Q

RFID Vulnerabilities

A
  • Similar vulnerabilities to any wireless network
  • Ex: Data capture (between RFID tag and reader), especially if not encrypted
  • Could potentially spoof the reader and modify the contents of the RFID tag
  • Could create a DoS with signal jamming
  • Many keys can be found on Google to decrypt
14
Q

NFC

A
  • Near Field Communication
  • Two-way wireless communication, builds on RFID which is usually one way
  • Commonly seen used in stores for payment options (tapping phone to pay for something)
  • Bootstrap for other wireless; can be used for authentication (using phone to pay for something)
15
Q

NFC Security Concerns

A
  • Remote capture
  • Wireless communication, so any interference could potentially create a DoS (Ex: Frequency jamming)
  • If not encrypted, someone could sit in the middle of the conversation and relay / replay attack (on-path attack)
  • Could potentially lose the NFC device itself (ex: losing your phone)
16
Q

Cryptography without Randomization

A
  • Without randomization, an encrypted form could look similar to the original data or image; it could be reverse engineered by an attacker
17
Q

Cryptographic Nonce

A
  • Arbitrary number that is used once
  • Random value or randomized (hard to replicate it)
  • “For the time being”
  • Ex: during the login process, the server gives you a nonce; calculate your password hash using the nonce, so each password hash sent to the host will be different and a replay won’t work
  • Every time you send the hash back to the server, it will be different (b/c the nonce will be unique each time)
18
Q

IV

A
  • Initialization Vector
  • A common type of cryptographic nonce
  • Used for randomizing an encryption scheme
  • The more random the better
  • Can attach the IV to an Encryption key (like WEP key) and that will make the overall encryption method much stronger
  • IV is also used in some implementations of SSL
19
Q

Salt

A
  • A type of password randomization (and an example of a nonce)
  • Makes the password hash unpredictable
  • Password storage should always be salted
  • If two users had the same password, they would get a different salt and their hash would look very different
20
Q

On-path attack

A
  • Sits in the middle of communication
  • Attacker receives your communication and then passes it on to the intended destination (making it hard to know that the traffic was redirected)
  • Can occur without anyone knowing
  • aka “man in the middle” attack
21
Q

ARP poisoning

A
  • Address Resolution Protocol Poisoning
  • Common type of on-path attack
  • Attacks the local IP subnet
  • Attacker will send an ARP message to the target device with information that was not requested, but b/c there is no security the receiving device will update the information in its cache and any future requests will be sent to the attacker’s address (the attacker then performs the same poisoning on the router). Now it’s sitting in the middle.
  • ARP has no security (Devices receive and modify ARP tables without any authentication)
  • Not an easy type of attack (need to be on local network)
22
Q

ARP

A
  • Address Resolution Protocol
  • How it’s supposed to work:
  • Computer will send an ARP communication asking who the router is that it’s trying to connect to, with the expectation that it will receive the address in return from the router.
  • The requesting station (laptop) will store this MAC address in the ARP cache
23
Q

On-path Browser attack

A
  • What if the middle man was on the same computer as the victim
  • Malware/Trojan does all of the proxy work
  • In the browser of the victim
  • formerly known as man-in-the-browser
  • Gets around the ARP poisoning issue where you have to be on the same network. Big advantage to attackers
  • Can see all data in unencrypted form
  • Attacker waits for you to log into a bank, for example (can then capture login credentials and transfer money or make modifications to the bank account)
24
Q

MAC Address

A
  • Media Access Control address
  • “physical” address of network adaptor card
  • Every adaptor card has a unique MAC address
25
Q

Ethernet MAC address

A
  • 48 bits / 6 bytes long
  • Displayed in hexadecimal
  • broken up into two sections, OUI (Organizationally Unique Identifier) and NICS (Network Interface Controller-Specific)
  • ex: 8c:2d:aa:4b:98:a7
  • 8c -> aa = OUI
  • 4b -> a7 = NICS
26
Q

OUI

A
  • “Manufacturer’s portion” of a MAC address
  • 1st section (3 bytes)
  • Each manufacturer is assigned a unique code for all its network adaptor cards
27
Q

NICS

A
  • Network Interface Controller-Specific
  • 2nd section (3 bytes) of a MAC address
  • The serial number (incremented by manufacturer)
28
Q

LAN Switching

A
  • Forward / drop frames based on the destination MAC address
  • Gather a constantly updating list of MAC addresses
  • List is built on the source MAC address of incoming traffic
  • These age out, usually after 5 minutes
  • Needs to maintain a loop-free environment - STP (Spanning Tree Protocol)
29
Q

STP

A
  • Spanning Tree Protocol
  • Concept relating to LAN switching
30
Q

Learning the MACs

A
  • Switches examine incoming traffic and make a note of the SOURCE MAC address
  • Switch ‘A’ will add any MAC addresses not listed in its MAC address table when it receives a frame and also include the output interface (ex: Interface F01 = Fast ethernet 0/1 interface of the switch)
  • This tells where the MAC address is located.
  • The same thing happens in reverse
31
Q

MAC Flooding

A
  • A challenge of the MAC address table is there is only so much space in a switch to maintain the list
  • Switch will tell you how many MAC addresses can be held
  • Attackers can exploit this
  • Can send different source MAC addresses to a switch
  • The switch will add these addresses and eventually will fill up
  • Once filled, a switch will stop sending individual frames; instead it will send every frame to every interface b/c it doesn’t know where the device might be and it can’t store the MAC addresses
  • This essentially turns the switch into a hub
  • Great opportunity for attacker to get all network traffic
32
Q

Flood guard

A
  • Most switches have features to protect against MAC flooding
  • Restricts one particular interface from sending multiple MAC addresses out to prevent overloading
33
Q

MAC cloning / spoofing

A
  • Attacker changes their MAC address to match the MAC address of an existing device
  • Could be used to circumvent filters
  • Could create a DoS by disrupting communication to the legitimate MAC address
  • Can easily modify a MAC address, most drivers will allow you to modify an address (therefore easy to clone)
  • To combat - fortunately, many switches will look out for MAC cloning / spoofing
34
Q

DNS Poisoning

A
  • Modifying a DNS server takes a bit of knowledge, but is a very effective way to redirect traffic to a hacker’s website
  • One way to do this: modify the hosts file on each DNS device. The hosts file takes precedence over DNS queries.
  • Another method, is to sit in the middle and send a fake response to a valid DNS request (Allow attacker to change IP address)
  • Another way, modify the DNS info on the legitimate DNS server itself
  • Another way, domain hijacking
35
Q

Domain Hijacking

A
  • Get access to the domain registration, and you have control where the traffic flows (attacker gets access to account of domain)
  • Don’t need to touch the actual servers
  • Determines the DNS names and DNS IP addresses
  • Another example of DNS Poisoning
  • Could brute force or use phishing or gain access to email account associated with registrar
36
Q

URL Hijacking

A
  • This type of attack doesn’t change the legitimate domain name, but takes control of one that is similar enough to seem legitimate.
  • Often used to redirect people to ads
  • Attackers also will sell these similar URLs back to the original owner
  • Some attackers will take all traffic to one company and redirect it to a competitor (not as common, legal issues)
  • More common to use this as a phishing opportunity to get personal info from people who think they’re on a legitimate site (can then potentially get them to download malicious software)
37
Q

Typosquatting / brandjacking

A
  • An example of URL hijacking
  • Can exploit common misspellings, similar syntax (like adding ‘s’) or use another domain .org, .com, etc.
38
Q

Domain reputation (Email)

A
  • The internet is tracking your security posture
  • If many people mark you as spam it will inhibit your ability to send messages
  • There may be malware that is sending spam from a company email
39
Q

Domain reputation (Web server)

A
  • If malware ends up on your server, it will be noted by search engines and your domain can be flagged or removed
  • If your server is infected, even if the malware is quickly removed, it will still take time to be reindexed by search engines, so there will be lingering effects
40
Q

DoS

A
  • Denial of Service
  • Force a service to fail (overload the service)
  • When an attacker causes a service to stop responding
  • Ex: make a webserver unavailable or emails can no longer be sent
  • Usually b/c some type of vulnerability in software or design failure
  • To combat: Keep OS up to date with the latest versions
  • Motivation - May be a competitor
  • Motivation - May be a smokescreen for another attack
  • Doesn’t have to be complicated (turn off the power)
41
Q

A “friendly” DoS

A
  • Ex: plug the wrong switch into the wrong place and inadvertently cause a Layer 2 Loop in network
  • To combat - Use STP (Spanning Tree Protocol)
  • One person downloading a large file, could cause interruption for everyone else
  • Physical facility (like a water line break)
42
Q

DDos

A
  • Distributed Denial of Service
  • Often use botnets
  • Launch an army of computers to bring down a computer (use all the bandwidth - resource spike)
  • Can be thousands or millions of computers
43
Q

Asymmetric threat

A
  • The attacker might have fewer resources but b/c they’re coordinated (in a DDoS attack) they can overwhelm their target
44
Q

DDoS Amplification

A
  • Take a small attack that arrives at the victim’s machine as a much larger attack
  • Increasingly common network DDoS technique, turn internet services against victim
  • Uses protocols with little (if any) authentication
  • Ex: NTP, DNS, ICMP
  • A common example of protocol abuse
45
Q

Application DoS

A
  • Make the application break or work harder
  • Ex: Zip bomb, when you open it, it uncompresses to a massive file
  • Ex: a cloud-based attack exploiting elasticity: the attacker uses more and more resources (or slows down response time), and the service keeps finding more resources to use (often more expensive)
46
Q

OT

A
  • Operational Technology
  • Hardware and software for industrial equipment
  • Ex: electric grids, traffic control, manufacturing plants
  • Huge issues if there is a DoS attack
  • Requires a different approach, much more critical
47
Q

Scripting and Automation

A
  • Pros and vulnerabilities
  • Provides efficiencies, monitor and resolve issues before they happen
  • No human error, faster
  • But an attacker can automate an attack
48
Q

Windows Powershell

A
  • Included in Windows 8 and 10
  • Extends functionality of command line functions (for sys admins); .ps1 file extension
  • Uses cmdlets (command-lets)
  • Can run executables
  • Attackers use Powershell as a jumping off point
49
Q

Python

A
  • Used across many different OSes
  • Means you can create python scripts that can target different OSes
  • Often used in the cloud
  • Attackers interested in attacking cloud infrastructure might choose python
  • .py extension
50
Q

Shell script

A
  • Unix and Linux
  • Can be customized with other kinds of shells (Bash, Bourne, Korn, C)
  • Starts with a shebang or hash-bang #!
  • often has a .sh file extension
  • Attackers can exploit this in Linux/Unix (esp b/c most things can be accomplished from the command line in Linux/ Unix)
51
Q

Macros

A
  • Written specific to certain types of applications
  • Designed to make apps easier to use by automating
  • Attackers can use macros to perform malicious attacks. Just need the victim to open the macro and execute it.
52
Q

VBA

A
  • Visual Basic for Applications
  • Automates processes within Windows applications
  • Microsoft mega macro
  • Hooks in VBA that can talk directly to OS
  • Good entry place for an attacker.
53
Q

CVE-2010-0815/MS10-31

A
  • VBA vulnerability
  • VBA does not properly search for ActiveX controls in a document
  • Can run arbitrary code embedded in a document
  • Easy to infect a computer