4.2 network attacks Flashcards
what every attack has in common
- Every attack (or exploit) ever invented has one thing in common with every other attack ever invented: Every attack takes something (or some things) that exists for perfectly valid reasons and misuses it in invalid, malicious ways. Always!
5 phases of an attack
- Reconnaissance involves identifying assets that might be a target for exploitation. Recon is primarily a passive exercise using tools such as Google to research the target organization. Go through and find the employee about us page then see their LinkedIn and see who they’re friends with and so on. You can find email addresses as well,
- Scanning can be used to identify vulnerable assets that are candidates for compromise. The attack moves from passive to active when you begin scanning publicly available IP addresses for open ports. Part of this phase includes enumerating the operating systems of visible computers and the specific software and version running on any open ports. Let’s say you know from recon that an organization has 10 public IP and you use tools to scan them and see that they’re a web and email ports – then I can launch a script and connect to your port 80 web surver and show us you’re running a patchy web server software and then you start looking for vulnerabilities for that web server
a. At this point you know which IP addresses are active, what ports are open on those IPs, the software on those ports, and the OS on those IPs
b. At that point unless your patching program is perfect, you can find something to take advantage of
c. If there is 0-day exploit, even if you have a perfect patching system it doesn’t matter - Gaining access may be via the network, the operating system, or one of the applications. The information obtained in phases 1 and 2 should provide enough information to find something the attacker can take advantage of. NOTE: There is usually a 3.5 step required as well. In most cases, initial access is to a non-privileged account. To move to the next two phases, the attacker must escalate their privileges to Administrator or Root
- Maintaining access involves installing tools that permit the attacker to return undetected. Maintaining access also involves phase 5, covering tracks.
- Covering tracks refers to those activities undertaken by the attacker to hide (or mask) the activities associated with the compromise. The better they accomplish this phase, the better the attacker can maintain access as described in phase 4. You can do things like deleting log entries to cover tracks, but you do this to mantain access (phase 4) so these two phases are very closely associated
It is also important to note that this is an iterative process or what some like to call a “shampoo process.” If you ever read the instructions on a bottle of shampoo, they say, “wash, rinse, repeat.” The example applies here because as soon as you gain access to an organizations system, other systems become visible. Perhaps from the internet, you were only able to observe three public IP addresses. As soon as you gain access to one of those, 20 more become visible to you. Meaning your very next step is to move back to recon, scanning, and so on to repeat the process on the newly visible targets.
Cyber Kill Chain
- There is another well-known and widely referenced “attack model.” It comes from Lockheed Martin and is called the Cyber Kill Chain®. The chain shows the typical actions of the attacker:
o 1. Reconnaissance: Harvest publicly available information
o 2. Weaponization: Couple an exploit/backdoor into a payload
o 3. Delivery: Deliver the weaponized bundle
o 4. Exploitation: Exploit an existing vulnerability
o 5. Installation: Install malware on compromised system (via backdoor placed in prior steps)
o 6. Command & Control (C2): Establish a Command and Control channel for remote manipulation
o 7. Actions on Objectives: With C2 “hands on keyboard” access, intruder accomplishes their goals - The most important aspect of the Cyber Kill Chain® is that it is indeed a chain. If you break any link of the chain by disrupting those activities, you thwart the attack. For example, the attacker might make it all the way to step number 5, installation. If you configure your systems in such a way that the attacker cannot perform that step, then the attacker cannot move further along the chain. Even if the attacker makes it as far as step 6 (Command & Control), if you can prevent them from issuing instructions to the compromised system, then you have still broken the chain. The attacker is unable to do step 7 and Act on their Objectives.
Robots.txt
- The robots.txt file is a world readable ASCII text file found on a web server. It constitutes a polite request to search engine spiders used by Google, BING, and others to please not make these directories searchable. It is a polite request that the search engine can choose to ignore. Google and BING both honor the request, but there are a few search engines that ignore it.
- To view a robots.txt file, simply enter www.someurl.com/robots.txt as you see in the graphic on the slide (we have hidden the company name as a courtesy. By looking at the robots.txt file above, we see they’ve disallowed crawling of multiple directories, including the top-level directory.
- Please understand that having a robots.txt file on your web server is a good thing. There are directories that you must have on your server and you do not want them indexed. The directory named cgi-bin is a good example of this. However, an attacker might use this to poke and prod in areas that your normal website visitors didn’t even know existed. A line like “Disallow: /salesfigures/” might suggest that http://www.company.com/salesfigures/ might be worth a look. Or, looking at the file displayed above, what might be found in /Admin?
- Be careful, though—entries in robots.txt may point to directories that, if accessed, set off alarms or may even lock you out of their website entirely. Indeed, attempting to access some of these directories may violate the law in certain jurisdictions.
Google dorks
- Google is a far more powerful tool than many people realize. With advanced search operators, you can search in incredibly powerful ways. With the use of a site operator, you can limit those powerful searches to the potential victim’s domain
- For example, to identify an admin page for websites built with Python Django framework, you would use the following search string (called a Google Dork): intitle: “Django site admin” inurl:admin -site:stackoverflow.com -site:github.com To determine if the netip.com domain, in particular, is susceptible, you would add “site:netip.com” to the beginning of the search string. It would now look like this: site:netip.com intitle:”Django site admin” inurl:admin -site:stackoverflow.com -site:github.com This and thousands of other searches are freely available via the Google Hacking Database, maintained by the folks at the company Offensive Security. This is the same company that creates and maintains the Kali Linux penetration testing distribution. They call the search strings maintained at this site “Google Dorks”
Social engineering
- direct and indirect
- Social engineering is the most lucrative attack category ever invented. If done well, it will always work. This is because the attacker targets the “weak link” in security: Specifically, you and me. The human being. If the attacker understands human nature well enough and manipulates the victim in the right way, the victim actually becomes happy to help the attacker.
- One of the dangers of social engineering is that it can defeat any security measure. Sometimes, it does so because the attacker learns what they need to know to defeat the measure. More commonly, social engineering renders the security measure moot because the victim simply gives the attacker the information they are
- Now for the bad news. There is no effective defense against social engineering. About the only thing you can do is good awareness training, then more awareness training, and then more and more and more. Even after all that training, a determined and skilled social engineer can succeed.
o 1. Direct social engineering involves the phone call or in-person meeting. The risk to the social engineer is higher with the in-person meeting, but sometimes the chance of success is higher.
o Indirect social engineering is most commonly done through phishing scams on email. Indirect can also involve pop-ups on websites and other technological ploys to trick an unsuspecting user
o Spear phishing is the most common and most successful specific attack today. For that reason, we take a closer look at spear phishing later in this section - Every social engineering attack is different. That is part of why they are so difficult to defend against. We can make some general statements about them, though. In many cases, the attacker assumes a position of trust and employs pretexting. Examples include: “This is the help desk, and your account is broken so I need …” None of which is true of course, but “the help desk” is a position of trust. Your account being broken is a reason given in justification that is not the real reason, which is the definition of pretexting. These two combined can be a powerful combination when done well. In fact, the most successful social engineer will make the victim want to help them. The victim is even happy to do so, thinking they have done exactly the right thing
Spearpishing, vishing, social engineering - physical
- Spear phishing is, by some accounts, the most common and most successful attack today. It is simply a highly targeted phishing email. Typically, the attacker finds out about an interest of the victim through a variety of means (often including social media). The scenario plays out something like that on the slide. If the targeting is done well, it has a high chance of success. It does not have to target work interests either. If I find out you have an intense interest in classic cars or any other topic, that could be the opening I need.
- Today, any discussion of Spear Phishing should include a discussion of Business Email Compromise (BEC). According to the FBI’s 2019 Internet Crime Report, BEC is now the most common type of complaint they receive. As the chart above shows, the financial losses attributed to this are growing at a rapid pace
- The scenario on the Spear Phishing slide lays out the basics of how the attack normally plays out, but the attack becomes more sophisticated over time. In 2013/2014, these attacks almost always involved email coming from a compromised executive’s email account and they still can today. But in 2019, it was increasingly common to see compromised personal email accounts, compromised vendor accounts, compromised law firm accounts
- n the United States, the FBI has established the Recovery Assets Team (RAT) to help victims recover funds. They cannot be successful in 100% of cases, but in 2019, the RAT recovered 79% of the funds lost in BEC incidents. Of course, if you don’t report the BEC incident to the ic3.gov website, then there is very little chance you will see your funds again!
- This point is commonly misunderstood, so we wanted to give a bit more-detailed explanation between the category of attack versus the specific attack. Social engineering is the most common and most lucrative attack category and has been for centuries. Spear Phishing is the most common and most lucrative specific attack and has been for decades. Spear Phishing is a form of social engineering, and that is part of what continues to drive social engineering as the most common category of attack
- Phishing is such a popular attack vector in that it is successful and quick. As you can see in the slide above, 25% of link clicks happen within 10 minutes of the phishing campaign starting (the median average is 1 hour).
Vishing
* Another form of social engineering that is gaining in popularity is sometimes referred to as vishing. It is essentially phishing via telephone. One common vishing scenario that is making its way around the country is listed on the slide. Another is that you get a call at 3 a.m. after checking into a hotel room. The “girl at the front desk” says there is a problem with your credit card. You either have to give them new credit card information or leave the hotel immediately with the police officers she has waiting with her at the front desk
Social Engineering : Physical
* Social engineering will also often defeat physical security. “Tailgating” through a secure door is often extremely easy to do, especially if you appear to belong. Masquerading as service technicians, UPS delivery people, or pizza delivery people, and the list continues
* Dumpster diving is not social engineering; it is a social engineer’s gold mine. Successful dumpster diving often yields information valuable to the social engineer. Think about the value of the company phone directory. In his younger days, Keven Mitnick had the name, position, and office phone number of almost all PacBell managers memorized. If someone were to call you and say, “Hi, I work for John Smith, director of marketing. You can call him at 123-7895 to verify that. He wanted me to find out …” You check the company phone book and find that the information provided is indeed accurate.
Social engineering: prevention
- The simple truth is, you cannot prevent Social Engineering. Because it targets the human emotion, no technology exists to stop it. With that understood, it is absolutely possible to make successful social engineering attacks less common. Doing this requires a good repetitive awareness training strategy – also known as an Awareness Campaign
- In an effective awareness program, the security team has identified their top human risks and the behaviors that manage those risks. They then communicate to engage and train their workforce to change and exhibit those secure behaviors. As a result, a mature awareness program is one of the most effective ways an organization can manage their human risk
- Also, notice the use of the word “campaign” which we will define as “To work in an organized way toward a particular goal, usually over a long period of time”. In other words, security awareness is not a once-and-done prospect
Spoofing
- IP address spoofing
- ARP cache poisining
- Email address falsification
- picture on page 110
- Spoofing (as applied to networking and communications) refers to the practice of falsifying information to gain an advantage. In reviewing the characteristics of some of the protocols used in IPv4 (for example, IP, TCP, UDP, ARP, and ICMP), we see that there are no built-in integrity checks within the protocols
- Typical examples of spoofing can include the following:
o * IP address spoofing: A number of tools can be used to craft packets that have a spoofed source address. This is one of the key aspects of an attack such as a SYN flood.
o * ARP cache poisoning: When an attacker sends unsolicited ARP Reply packets to place incorrect information in an ARP Cache (also called ARP Spoofing).
o * Email address falsification: It’s fairly easy to modify the From: field to make the message appear to have come from someone other than the sender. - If the 1.1 machine sends a packet to 1.2 machine but the source IP is spoofed to say it came from 1.3 then 1.2 will always respond back to 1.3 not 1.1
o Denial of service, I get 10 thousand computers saying the packet came from 1.3 then it overwelhms its bandwidth
The man-in-the-middle
- Man-in-the-Middle attacks are a favorite ploy of attackers. The condition exists anytime the attacker has all data packets flowing through them (or a point that they control, such as a computer). MitM attacks require eavesdropping on and controlling all communication traffic between two parties. Attackers love MitM because it is an extremely powerful and insidious capability.
- Once an attacker establishes a MitM, their capability is limited only by their imagination and their knowledge. If they can think up something malicious and know how to do it, they can do it.
- How does an attacker become a Man-in-the-Middle? There are many ways discussed elsewhere in this course, including rogue access points and ARP cache poisoning. There are many other ways as well. For example, if I can take control of a router, I am a Man-in-the-Middle for all traffic flowing through that device. If you think about it, your Internet Service Provider is a Man-in-the-Middle since all of your Internet traffic flows through them (sure they are fine people, but have they been hacked?).
ARP cache poisining
- picture on page 112
- It utilizes the “unsolicited ARP reply” which has a valid purpose but misuses it to create a Man-in-the-Middle (MitM) situation. In other words, it redirects all the victim’s network traffic through the attacker’s computer. When all the traffic flows through the attacker’s system, they can manipulate that traffic in any way they desire.
o Erronesouly gives attacker’s MAC address as matching the victim’s IP address
o Tricks systems into sending their traffic through attacker’s machine - In the diagram on the left, we see a normal switched network operation. The client PC (192.168.1.1) sends an ARP request to the default gateway (192.168.1.254) and receives a reply. The client PC updates its ARP table and knows that 192.168.1.254 is found at MAC address BB. If traffic is flowing in both directions, the gateway also has its MAC table updated, showing that 192.168.1.1 is at MAC address AA. The traffic flows from the client to the gateway through the switch, exactly as we have been describing.
- In the diagram on the right, we see how an attacker can manipulate the process. The client PC and default gateway have each exchanged ARP requests and replies, so they have each other’s IP address and MAC address combinations in their ARP caches.
- The attacker at the bottom of the diagram sends an unsolicited ARP reply to the client PC, saying that IP address 192.168.1.254 is at MAC address FF (the MAC of the attacker’s computer). The PC updates its ARP cache with this new information. Likewise, the attacker sends an unsolicited ARP reply to the gateway, saying that 192.168.1.1 is found at MAC address FF (again, the MAC of the attacker’s computer). The gateway updates its ARP cache with the new information.
- When the client PC needs to send a packet outside the network, it creates an Ethernet header containing a destination MAC address of FF. The switch does exactly as it is supposed to do and forwards the packet to that MAC address. The attacker runs software such as Ettercap, which removes the original Ethernet header and replaces it with a new Ethernet header containing a destination MAC address of BB (the gateway) and forwards the packet.
- When a response packet comes back into the local network, it arrives at the gateway. That router checks its ARP cache and sees that it does have an entry for 192.168.1.1, which says that system’s MAC address is FF. It creates a hardware header containing that destination MAC address, which the switch forwards to the attacker. The attacker’s software replaces the Ethernet (or hardware) header with a new one, this time with a destination hardware MAC address of AA (the client PC
- The attacker is now a MitM. All the client PCs (the victim’s) traffic flows through the attacker’s computer. At that point, there are few limits on what the attacker can do to the victim. At the absolute minimum, the attacker can see all the traffic to and from the victim. The attacker can choose not to forward traffic, creating a Denial-of-Service (DoS), or edit the traffic to change its meaning, or … pretty much anything else the attacker can think of doing. The limit here is the attacker’s imagination. Do note that ARP traffic is limited to the local network, so the ARP cache poisoning attack is also limited to the local network only. In other words, the victim, the gateway, and the attacker all have to be connected to the same switch. They all have to be on the same network
Water hole attack
- There is an attack growing in frequency referred to as a “watering hole attack.” These attacks are especially prevalent when the target company does an excellent job of security
- The attacker first researches the target organization using the typical methods of Facebook, Twitter, Google, and others. The attacker learns via research that employees of the target frequent a particular website that is outside the organization’s control and therefore not secured by the target organization. The attacker breaks into the external website and plants malware. When the target organization’s employees visit the site, their computers become infected. The infection gives the attackers remote control of the employee’s computers. The attacker just became an “external insider.”
- An excellent watering hole at many companies is their job search site. This is the site that prospective employees go to in search of positions they might be hired for. It is also the site current employees go to in search of positions they might get promoted to. Meaning that sooner or later, everyone in the company will visit that site.
o The lion doesn’t have to go hunting for the gazelle, it can just wait by the water and sit back and wait for them to show up
Drive-by download
- picture on page 114
- Another widespread type of attack is called the “Drive-By Download.” Essentially, firewalls improved significantly. If you have a modern well-configured firewall, it is remarkably difficult to hack your way through it. Attackers had to change their tactics to continue being successful. Hence, the Drive-By Download, or sometimes referred to as a type of “application level attack”, was born
- Before we get to the details of the attack, there is something you have to understand before the attack will make sense. If your computer is behind a firewall and you surf the web, then the firewall MUST allow your computer to send a request for the web page and MUST allow the web server to return that page. In other words, the firewall must allow outgoing requests and allow their responses back in. Also, as you will see in the upcoming web security section, it is completely common for your computer to connect to many different locations on the internet each time you load a webpage. The firewall has to allow all of that communication as well
- The attack begins when an attacker defaces a legitimate website. In days gone by, when someone defaced a site, they changed the words and pictures in an attempt to embarrass the site owner. While that type of attack still happens, it is less common than it once was. Today, attackers are careful not to change the look and feel of the site. Instead, they plant malicious code on the site. When a visitor to the website downloads the webpage, the malicious code will execute on their local computer. There are many possibilities for an attacker once that is in place. Drive-By Downloads are just one favorite possibility
o The user types in the URL of a legitimate but defaced website. The browser connects to that web server.
o The web server downloads the requested webpage. A part of that page is the malicious code placed by the attacker during the defacement. That code indicates to the browser that to load additional components of the webpage, it must connect to another server (in this case, one owned by the attacker).
o The browser follows the instructions of the downloaded code and connects to the attacker’s server. The browser asks for the additional elements needed to create the webpage—not knowing what those elements genuinely are.
o The attacker’s server downloads malware to the unsuspecting user’s computer. The browser executes the code received from the attacker’s site, installing the malware.
o The malware establishes a connection out to the attacker and grants them full remote-control access to the user’s computer. The attacker now has what we call a “Command and Control channel ” or a “C2 channel” running over that outgoing connection. Via the C2 channel, the attacker is able to control the compromised system and instruct it to launch attacks against other systems on its own network.
moving laterally, pivoting, island hopping
- Most of the time, the initial system compromised by an attacker does not contain the information they are looking for. It was simply a target of opportunity. It was either compromised because it was visible from the internet (a public access system such as a web server or mail server), or it was compromised via a drive-by download, a watering hole attack, or something similar.
- Once the attacker has access to that initial computer, other internal systems on that network are now visible. The attacker begins methodically working their way through machines, compromising one after another. In other words, they move laterally through your network – or they pivot from one machine to another.
- Each time a system is compromised, the attacker looks to see what they might have just gained access to. Eventually, the attacker exploits the system that contains the “gold mine” of information the attacker was after to begin with. At that point, data exfiltration begins
- Island Hopping According to the same Carbon Black report, “Moving Laterally or Pivoting”, about half of cyberattacks today use the victim primarily for “island hopping”. This is extremely similar to moving laterally. The difference is the lateral movement happens within a single company’s LAN. Island hopping occurs between two or more different company’s networks.
o For example, * The attacker cannot find anything to exploit on your corporate headquarters LAN * Via the first phase of an attack, reconnaissance, they discover you have a business partner * Scanning that company’s network shows unpatched systems * The attacker compromises one of their systems and moves laterally through their network * Eventually, the attacker discovers a system on the business partner’s network with a trust relationship to a computer on your network * They then “island hop” from the partner’s network to your network * Much like an attacker moving within your network, but between two networks
Buffer overflow
- picture on page 115
- Another attack we have been dealing with for many years is called a Buffer Overflow (or often just, BO’s). It is possible on any type of software, whether that be an operating system or an application.
- All buffer overflow attacks: * are highly targeted against a very specific version of a very specific software * make a piece of software do something it was never intended to do
- Normal Operation: On the left side of the slide, we see a greatly simplified explanation of how software works without any attacks. You see five lines of computer code instructing the computer to do various things. Each line of code is at a particular address in RAM (Random Access Memory) that we learned about earlier. Memory addresses are pretty long in reality, but we truncate them to simply A, B, C, etc. As you read down through those instructions, notice that the code at memory address C tells the computer to read some data from a buffer found at memory address Q. The buffer or variable might be any number of things, but let’s say it is your name. You entered that information into a software field on the screen so the computer can add your name to a database. Following the data is a “return pointer,” in this case telling the computer to return to memory address D to read more instructions. The computer code at memory address D will process the address data by storing your name in a database. Following are the steps that occur:
- Buffer Overflow: On the right side of the slide, you see the abnormal operation that happens when a buffer overflow attack occurs. Everything about the setup is identical to regular function. There are five lines of code at memory address A through E, with line C reading data at address Q and line D processing that data. Before we get into the specific steps, we need to talk about a particular computer instruction. It is called a “NoOp” (pronounced No-Op). It is short for No Operation and is a perfectly valid computer instruction that means, “do nothing.” It is essentially a placeholder in software
o Note that the attacker already filled memory address Z with their attack code. For simplicity, we will say that code will “Do Bad Things.” * The software reads through the NoOps at address Q and hits the return pointer, “Return to Z.” * The software dutifully goes to address Z and executes the Do Bad Things code. * Following the attacker’s code is a new return pointer, directing the software to memory address M. You may recall, earlier the attacker placed the original data (your name) in that location. * The software goes to address M, reads the data, and then hits the Return to D pointer. * The software returns to address D, adding your name to the database, and continues along - When the hacker’s Do Bad Things code executes, the software does something it is not intended to do, which is the real goal of any BO attack. The question is, what might “Do Bad Things” be? The answer is, there are thousands of buffer overflow attacks and just as many answers to that question. But a typical example might be that the BO exploit adds an unknown Administrative level account to the system. BO’s are one method attackers use to escalate their privileges from a non-privileged account to an administrator level account
- Windows 10 now included memory address randomnization which randomizes the lines of code and consequently this has dropped off in popularity because no one can perform these attacks