1.4 - Network Attacks

Question 1

Rogue Access Point

Answer 1

• An unauthorized wireless access point
• Doesn’t have to be malicious, but it a security threat
• A significant potential backdoor
• Could be an employee or an attacker
• Very easy to plug in a wireless access point
• To combat: Schedule a periodic survey of wireless connections. Look for 3rd party tools or pineapples
  To combat: Consider using 802.1x (Network Access Control) - must authenticate, regardless of connection type

Question 2

802.1x

Answer 2

• Network Access Control
• Must authenticate (sign in) regardless of connection type
• If someone was to install a rogue access point and someone gained access, they couldn’t get in if you were running 802.1x b/c they would still need to authenticate

Question 3

Wireless Evil Twin

Answer 3

• Looks legitimate, but is malicious
• Wireless version of phishing
• Try to get users to connect to your access point
• Can overpower signal from other access points and become the primary access point
• Ex: Public wifi, very easy to install wireless evil twin
• To combat: want to make sure all communication is sent via HTTPs and VPN (this will encrypt communication). Especially, if using public wifi

Question 4

Bluejacking

Answer 4

• Sending an unsolicited message to another device via Bluetooth
• No mobile carrier required
• Bluetooth usually operates in a radius of around 10 meters
• Sometimes can include other types of media or messages
• Relatively low security concern, small area, no enhanced capabilties
• To combat: train users

Question 5

Bluesnarfing

Answer 5

• Attacker can access data on device using Bluetooth
• More of a concern than Bluejacking
• Released in 2003, modern devices shouldn’t be susceptible
• Ex: attacker might gain access to calendar, email, contacts

Question 6

Wireless Disassociation

Answer 6

• a type of DoS (Denial of Service) attack
• aka Wireless Deauthentication
• Causes wireless devices on network to not be able to communicate to access point
• Ex: wireless keeps dropping in and out
• To remedy you might have to get a patch cable and physically connect with ethernet cable. Although generally nothing you can do about it.

Question 7

802.11 management framework

Answer 7

• Mobile device -> access point via management frames
• These management frames manage quality and allow devices to associate / disassociate with access point
• original 802.11 standard didn’t provide any protection (Sent in the clear, no authentication / validation)
• These can be exploited for a Wireless Disassociation attack
• IEEE has an updated to address this problem 802.11w made in July 2014

Question 8

802.11w

Answer 8

• The updated version to protect against Wireless Disassociation attacks
• Some important management frames are now encrypted (disassociate, deauthnticate, channel switch announcements etc.)
• Although some management frames have to be not encrypted in order to allow connections
• Updated July 2014
• If you’re running 802.11 ac compliance or later then you’re already running 802.11w

Question 9

RF Jamming

Answer 9

• Radio Frequency Jamming
• A way for an attacker to create a DoS attack, by overwhelming good signal
• Prevents wireless communication
• Decrease the signal - to - noise ratio at the receiving device
• If the amount of noise is able to overwhelm the good signal then the device can’t communicate over wifi
• Sometimes this in unintentional (ex: turning on a microwave) but it can be malicious.

Question 10

Techniques to create Noise

Answer 10

• Send constant, random bits / constant, legitimate frames over network
• Or attacker could send random timed, intermittent data and legitimate frames
• Or attacker could send “reactive jamming” only sending noise when someone else tries to communicate
• Jamming device needs to be relatively close (physically close or install device near physical network) - See Fox Hunting

Question 11

Fox Hunt

Answer 11

• Take a directional antenna w/ headphones device to try to find jamming devices (that create noise and disrupt wifi)
• look for signal and then triangulate it
• Can be challenging but need the right equipment and techniques to remove the jamming devices

Question 12

RFID

Answer 12

• Radio Frequency Identification
• uses radio energy transmitted to the tag, which powers the tag and the ID is transmitted back (no battery)
• Some bi-directional communication (most are unidirectional)
• There are some RFID that have a battery (so doesn’t need energy transmitted to tag)
• It’s everywhere, can be very small
• Ex: in pets, inventory tracking, access badges

Question 13

RFID Vulnerabilities

Answer 13

• Similar vulnerabilities to any wireless network
• Ex: Data capture (b/n RFID tag and reader), especially if not encrypted
• Could potentially spoof the reader and modify the contents of RFID tag
• Could create a DoS with signal jamming
• Many keys are on google to decrypt

Question 14

NFC

Answer 14

• Near Field Communication
• Two- way wireless communication, builds on RFID which is usually one way
• Commonly see if used in stores for payment options (tapping phone to pay for something)
• Bootstrap for other wireless, can use as an authentication (using phone to pay for something)

Question 15

NFC Security Concerns

Answer 15

• Remote capture
• Wireless communication, so any interference could potentially create a DoS (Ex: Frequency jamming)
• If not encrypted, someone could sit in the middle of the conversation and relay / replay attack (on-path attack)
• Could potentially lose the RFC device itself (ex: losing your phone)

Question 16

Cryptography without Randomization

Answer 16

• Without randomization, an encrypted form could look similar to the original data or image, it could be reversed engineered by an attacker

Question 17

Cryptographic Nonce

Answer 17

• Arbitrary number that is used once
• Random value or randomized (hard to replicate it)
• “For the time being”
• Ex: during login process, server gives you a nonce, calculate your password hash using the nonce, each password hash sent to the host will be different so a replay won’t work
• Every time you send the hash back to the server, it will be different every time (b/c the nonce will be unique each time)

Question 18

IV

Answer 18

• Initialization Vector
• A common type of cryptographic nonce
• Used for randomizing an encryption scheme
• The more random the better
• Can attach the IV to an Encryption key (like WEP key) and that will make the overall encryption method much stronger
• IV is also used in some implementations of SSL

Question 19

Salt

Answer 19

• A type of password randomization (and an example of a nonce)
• Makes the password hash unpredictable
• Password storage should always be salted
• If two users had the same password, they would get a different salt and their hash would look very different

Question 20

On-path attack

Answer 20

• Sits in the middle of communication
• attacker receives your communication and then passes it on to the intended destination (making it hard to know that the traffic was redirected)
• Can occur without anyone knowing
• aka “man in the middle” attack

Question 21

ARP poisoning

Answer 21

• Address Resolution Protocol Poisoning
• Common type of on-path attack
• Attacks the local IP subnet
• Attacker will send ARP message to target device with information that was not requested, but b/c no security the receiving device will update the information it has in it’s cache and any future requests will be sent to the attacker’s address (now the attacker will perform the same poisoning to the router). Now it’s sitting gin the middle.
• ARP has no security (Devices receive and modify ARP tables without any authentication)
• Not an easy type of attack (need to be on local network)

Question 22

ARP

Answer 22

• Address Resolution Protocol
• How it’s supposed to work:
• Computer will send an ARP communication asking who is the router that it’s trying to connect to? Expectation that it will receive the address in return from the router.
• The requesting station (laptop) will store this mac address in the ARP cache

Question 23

On-path Browswer attack

Answer 23

• What if the middle man was on the same computer as the victim
• Malware/Trojan does all of the proxy work
• In the browswer of the victim
• formerly known as man-in-the-browser
• Gets around the ARP poisoning issue where you have to be on the same network. Big advantage to attackers
• Can see all data in unencrypted form
• Attacker waits for you to log into bank for example (can then capture log in credentials and transfer money or making modifications to bank account)

Question 24

MAC Address

Answer 24

• Media Access Control address
• “physical” address of network adaptor card
• ## Every adaptor card has a unique MAC address

Question 25

Ethernet MAC address

Answer 25

• 48 bits / 6 bytes long
• Displayed in hexadecimal
• broken up into two sections, OUI (Organizationally Unique Identifier) and NICS (Network Interface Controller-Specific)
• ex: 8c:2d:aa:4b:98:a7
• 8c -> aa = OUI
• 4b -> a7 = NICS

Question 26

OUI

Answer 26

• “Manufacture’s portion” of a MAC address
• 1st section (3 bytes)
• Each manufacture assigned a unique code for all its network adaptor cards

Question 27

NICS

Answer 27

• Network Interface Controller-Specific
• 2nd section (3 bytes) of a MAC address
• The serial number (incremented by manufacturer)

Question 28

LAN Switching

Answer 28

• Forward / drop frames based on destination of MAC address
• Gather a constantly updating list of MAC addresses
• List is built on the source MAC address of incoming traffic
• These age out, usually after 5 minutes
• Needs to maintain a loop-free environment - STP (Spanning Tree Protocol)

Question 29

STP

Answer 29

• Spanning Tree Protocol
• Concept relating to LAN switching

Question 30

Learning the MACs

Answer 30

• Switches examine incoming traffic and make a note of the SOURCE MAC address
• Switch ‘A’ will add any MAC addresses not listed in their MAC Address table when it receives a frame and also include the Output Interface (ex: Interface F01 = Fast ethernet 0/1 interface of the switch)
• This tells where the MAC address is listed.
• The same thing happens in reverse

Question 31

MAC Flooding

Answer 31

• A challenge of the MAC address table, is there is only so much space in a switch to maintain the list
• Switch will tell you how many MAC addresses can be held
• Attackers can exploit this
• Can send different source MAC addresses to a switch
• the Switch will add these addresses and eventually will fill up
• A switch, once filled, it will stop sending individual frames, instead it will send every frame to every interface b/c it doesn’t know where the device might be and it can’t store the MAC addresses
• This essentially turns the switch into a hub
• Great opportunity for attacker to get all network traffic

Question 32

Flood guard

Answer 32

• Most switches have features to protect against MAC flooding
• Restricts one particular interface from sending multiple MAC addresses out to prevent overloading

Question 33

MAC cloning / spoofing

Answer 33

• Attacker changes their MAC address to match the MAC address of an existing device
• Could be used to circumvent filters
• Could create a DoS by disrupting communication to the legitimate MAC address
• Can easily modify a MAC address, most drivers will allow you to modify an address (therefore easy to clone)
• To combat - fortunately, many switches will look out for MAC cloning / spoofing

Question 34

DNS Poisoning

Answer 34

• Modifying a DNS server takes a bit of knowledge, but very effective way to redirect traffic to a hackers website
• One way to do this, modify a host file on each DNS device. The host file takes precedent over DNS queries.
• Another method, is to sit in the middle and send a fake response to a valid DNS request (Allow attacker to change IP address)
• Another way, modify the DNS info on the legitimate DNS server itself
• Another way, domain hijacking

Question 35

Domain Hijacking

Answer 35

• Get access to the domain registration, and you have control where the traffic flows (attacker gets access to account of domain)
• Don’t need to touch the actual servers
• Determines the DNS names and DNS IP addresses
• Another example of DNS Poisoning
• Could brute force or use phishing or gain access to email account associated with registrar

Question 36

URL Hijacking

Answer 36

• This type of attack doesn’t change the legitimate domain name, but takes control of one that is similar enough to seem legitimate.
• Often used to redirect to send ppl to ads
• Attackers also will sell these similar URLs back to the original owner
• Some attackers will take all traffic to one company and redirect it to a competitor (not as common, legal issues)
• More common to use this as a phishing opportunity to get personal info from ppl who think they’re on a legitimate site (Can then potentially get them to download malicious software)

Question 37

Typosquatting / brandjacking

Answer 37

• An example of URL hijacking
• Can exploit common mispellings, similar syntax (like adding ‘s’) or use another domain .org, .com, etc..

Question 38

Domain reputation (Email)

Answer 38

• The internet is tracking your security posture
• If many ppl mark you as spam it will inhibit your ability to send messages
• There may be malware that is sending spam from a company email

Question 39

Domain reputation (Web server)

Answer 39

• If malware ends up on your server, it will be noted by search engines and your domain can be flagged or removed
• if your server is infected, even if the malware is quickly removed, it will still take time to be reindexed by search engines, so there will be lingering effects

Question 40

DoS

Answer 40

• Denial of Service
• Force a service to fail (overload the service)
• When an attacker causes a service to stop responding
• Ex: make a webserver unavailable or emails can no longer be sent
• Usually b/c some type of vulnerability in software or design failure
• To combat: Keep OS up to date with the latest versions
• Motivation - May be a competitor
• Motivation - May be a smokescreen for another attack
• Doesn’t have to be complicated (turn off the power)

Question 41

A “friendly” DoS

Answer 41

• Ex: plug the wrong switch into the wrong place and inadvertently cause a Layer 2 Loop in network
• To combat - Use STP (standing tree protocol)
• One person downloading a large file, could cause interruption for everyone else
• Physical facility (like a water line break)

Question 42

DDos

Answer 42

• Distrubuted Denial of Service
• Often use botnets
• Launch an army of computers to bring down a computer (use all the bandwidth - resource spike)
• ## Can be thousands or millions of computers

Question 43

Asymmetric threat

Answer 43

• The attacker might have fewer resources but b/c they’re coordinated (in a DDoS attack) they can overwhelm their target

Question 44

DDoS Amplification

Answer 44

• Take a small attack and when it arrives at victim’s machine as a much larger attack
• Increasingly common network DDoS technique, turn internet services against victim
• Uses protocols with little (if any) authentication
• Ex: NTP, DNS, ICMP
• A common example of protocol abuse

Question 45

Application DoS

Answer 45

• Make the application break or work harder
• Ex: Zip bomb, when you open it, it uncompresses to a massive file
• Ex: a cloud based attack, exploiting elasticity, attacker uses more and more resource (or slow down response time) the attacker trying to find more resources to use (and often more expensive)

Question 46

OT

Answer 46

• Operational Technology
• Hardware and software for industrial equipment
• Ex: electric grids, traffic control, manufacturing plants
• Huge issues if there is a DoS attack
• Requires a different approach, much more critical

Question 47

Scripting and Automation

Answer 47

• Pros and vulnerabilities
• Provides efficiencies, monitor and resolve issues before they happen
• No human error, faster
• But an attacker can automate an attack

Question 48

Windows Powershell

Answer 48

• Included in Windows 8 and 10
• extends functionality of command line functions (for sys admins) .ps1 file extension
• Uses cmdlets (command-lets)
• Can run executables
• Attackers use Powershell as a jumping off point

Question 49

Python

Answer 49

• Used across many diff OS
• Means you can create python scripts that can target different OS
• often use in the cloud
• Attackers interested in attacking cloud infrastructure might choose python
  -.py extension

Question 50

Shell script

Answer 50

• Unix and Linux
• Can be customized with other kinds of shells (Bash, Bourne, Korn, C)
• Starts with a shebang or hash-bang #!
• often has a .sh file extension
• Attackers can exploit this in Linux/Unix (esp b/c most things can be accomplished from the command line in Linux/ Unix)

Question 51

Macros

Answer 51

• Written specific to certain types of applications
• Designed to make apps easier to use by automating
• Attackers can use macros to perform malicious attacks. Just need victim to open marcro and execute it.

Question 52

VBA

Answer 52

• Visual Basic for Applications
• Automates processes within Windows applications
• Microsoft mega macro
• Hooks in VBA that can talk directly to OS
• Good entry place for an atatcker.

Question 53

CVE-2010-0815/MS10-31

Answer 53

• VBA vulnerability
• VBA does not properly search for ActiveX controls in a document
• Can run arbitrary code embedded in a document
• Easy to infect a computer