3.1 Attacks and Exploits Flashcards
Given a scenario, research attack vectors and perform network attacks.
What is an On-Path attack?
An On-Path attack, previously known as a man-in-the-middle (MITM) attack, is when a malicious actor sits in the middle or on the path of a connection. It acts as a relay between the client and server, while both sides think they are communicating directly with each other. The On-Path attack then captures information that might otherwise be encrypted or manipulates the data in some other way.
What is a DNS Cache Poisoning attack?
In this attack, the malicious actor sends bogus records to a DNS resolver. When the victim requests an IP address, the DNS server will send the wrong IP address. That will redirect traffic to the malicious actor’s IP address instead of the web server’s IP address.
How can you bypass Network Access Control (NAC)?
The most common way to bypass NAC is by accessing an authenticated device and using the device to slip by the NAC appliance.
What is VLAN hopping?
VLAN hopping is the act of illegally moving from one VLAN to another. This is done by one of the following:
-Launching a Macof attack, which overflows the MAC table on a vulnerable switch so that it behaves as a hub, repeating frames out all ports
-Configuring the interface of an attacker machine to become a trunk port, which will negotiate an unauthorized trunk link with the switch, allowing traffic from any VLAN to flow over that link.
What is ARP spoofing?
This attack transmits spoofed ARP messages out on the LAN. The spoofed messages falsely report a malicious actor’s MAC address as being the victim’s address, which will redirect traffic to the malicious actor instead of the victim.
What is MAC address spoofing?
MAC address spoofing will modify the MAC address on the malicious actor’s NIC so that it matches the MAC address on the victim’s machine. Once done, the traffic will be directed to both the victim and the malicious actor.
What is Link-Local Multicast Name Resolution (LLMNR)/NetBIOS-Name Service (NBT-NS) poisoning?
LLMNR and NetBIOS are two name resolution services used in a Windows environment to resolve network addresses. During name resolution, if a Windows host cannot resolve a domain or host name via a DNS server, it will by default query LLMNR first and, if that fails, NBT-NS.
LLMNR/NBT-NS poisoning is when you intercept these requests and respond with the attacker’s host IP as the name record, causing the querying host to establish a session with the attacker. For this to work, the victim system must be either tricked into querying a nonexistent name or prevented from using the legitimate DNS service.
What is a New Technology LAN Manager (NTLM) relay attack?
In an NTLM relay attack, the malicious actor doesn’t try to crack the password but instead will use the hash in an attack called pass the hash (PtH). In this type of attack the malicious actor will:
-Obtain the hash by inducing the OS or app to dump it from RAM, the Windows Registry, or a credentials file
-Then, when logging into the target OS or app, provide the username and the hash of the password instead of the password itself.
What is Kerberoasting?
In this attack, the malicious actor will do the following:
-Get user Service Principal Names (SPNs), which will identify all accounts that are candidates for Kerberoasting
-From this list, get the service tickets of interesting targets
-Dump out the service ticket, which is encrypted with the NTLM hash of the service account
-Crack the account’s plaintext password offline
What is Exploit Chaining?
Exploit Chaining is the act of using multiple exploits to form a larger attack. Success of the attack will depend on all exploits doing their part. Using multiple forms of attacks in a distributed nature makes them complex and difficult to defend against. Chained exploits can either run consecutively or in parallel.
What is a packet storm and why is it useful?
A packet storm is a sudden flood of traffic and could be used in one of the following scenarios:
-To conduct stress testing
-To launch a denial of service (DoS) attack
What are Metasploit’s six basic modules and their functions?
-Exploits: Attack software that delivers a payload
-Payloads: Code that runs remotely
-Post: Additional tasks you can perform on a compromised host
-Auxiliary: Scanners, sniffers, fuzzers, spoofers and other non-exploit features
-Encoders: Ensure that payloads make it to their destination intact and undetected
-Nops: Keep payload sizes consistent across exploit attempts
What is exploitDB?
Exploit Database provides a complete collection of public exploits and vulnerable software in a searchable database.
What is Hash cracking?
Hash cracking is an offline password attack in which the attacker gets the system to display/dump all of the credentials in their hashed format, takes a copy of the dump and then subjects it to a cracker.
What is a dictionary attack?
A dictionary attack is the most straightforward type of automated password attack, in which a password cracking tool goes through a list of words until it either finds the password or exhausts the list.