4.4 Summarize common networking attacks.

Question 1

Denial of service

Answer 1

Force a service to fail
Take advantage of a design failure or vulnerability
Cause a system to be unavailable
Create a smokescreen for some other exploit
Doesn’t have to be complicated - Turn off the power

Question 2

A “friendly” DoS

Answer 2

Unintentional DoSing -
Network DoS - Layer 2 loop without STP
Bandwidth DoS - Downloading multi-gigabyte Linux distributions over a DSL line

Question 3

Distributed Denial of Service (DDoS)

Answer 3

Launch an army of computers to bring down a service
This is why the bad guys have botnets
Asymmetric threat

Question 4

DDOS amplification

Answer 4

Turn your small attack into a big attack
An increasingly common DDoS technique
Uses protocols with little (if any) authentication or checks - NTP, DNS, ICMP

Question 5

DNS Amplification

Answer 5

Botnet C&C sends a single message to the botnet
Bots send spoofed DNS requests
DNS revolvers send amplified DNS responses to the Web Server

Question 6

Effective social engineering

Answer 6

Constantly changing - You never know what’s next
May involve multiple people
May be in person or electronic - email, phone

Question 7

Social engineering principles

Answer 7

• Authority
• Intimidation
• Consensus / Social proof
• Scarcity
• Urgency
• Familiarity / Liking
• Trust

Question 8

Authority

Answer 8

The social engineer is in charge• I’m calling from the help desk/office of the CEO/police

Question 9

Intimidation

Answer 9

There will be bad things if you don’t help

If you don’t help me, the payroll checks won’t be processed

Question 10

Consensus / Social proof

Answer 10

Convince based on what’s normally expected• Your co-worker Jill did this for me last week

Question 11

Scarcity

Answer 11

The situation will not be this way for long

Must make the change before time expires

Question 12

Urgency

Answer 12

Works alongside scarcity - Act quickly, don’t think

Question 13

Familiarity / Liking

Answer 13

Someone you know, we have common friends

Question 14

Trust

Answer 14

Someone who is safe

I’m from IT, and I’m here to help

Question 15

Insider threats

Answer 15

• Significant security issues• Harms reputation
• Critical system disruption
• Loss of confidential or proprietary information
• Innocent employees - Phishing scams, hacking scams
• Disgruntled employees - Someone is out to get you
• Careless employees - Using a laptop for personal use
• Defense in depth - Cover all possible scenarios

Question 16

Logic Bomb

Answer 16

• Waits for a predefined event
• Often left by someone with grudge
Time bomb• Time or date• User event• Logic bomb• Difficult to identify• Difficult to recover if it goes off

Question 17

Preventing a logic bomb

Answer 17

Difficult to recognize - Each is unique
• No predefined signatures
• Process and procedures - Formal change contro
l• Electronic monitoring - Alert on changes - Host-based intrusion detection, Tripwire, etc.
• Constant auditing - An administrator can circumvent existing system

Question 18

Rogue access points

Answer 18

A significant potential backdoor
Very easy to plug in a wireless AP
Schedule a periodic survey
Consider using 802.1X (Network Access Control)

Question 19

Wireless evil twins

Answer 19

Buy a wireless access point
Configure it exactly the same way as an existing network
Overpower the existing access points
WiFi hotspots are easy to fool
You encrypt your communication, right?

Question 20

Wardriving

Answer 20

Combine WiFi monitoring and a GPS
Huge amount of intel in a short period of time
All of this is free - Kismet, inSSIDer - Wireless Geographic Logging Engine - http://wigle.net
Always an alternative - Warflying, warbiking

Question 21

Phishing

Answer 21

Often delivered by spam, IM, etc. - Very remarkable when well done

• Check the URL
• Usually there’s something not quite right • Spelling, fonts, graphics • Vishing is done over the phone • Fake security checks or bank updates

Question 22

Spear phishing

Answer 22

Phishing with inside information

Makes the attack more believable

Question 23

Whaling

Answer 23

Spear phishing the CEO is “whaling”

Question 24

Ransomware

Answer 24

Locks your computer “by the police”
The ransom may be avoided
• A security professional may be able to remove these kinds of malware

Question 25

Crypto-malware

Answer 25

New generation of ransomware Malware encrypts your data files You must pay the bad guys to obtain the decryption key

Question 26

Protecting against ransomware

Answer 26

Always have a backup Keep your operating & applications system up to date - patches Keep your anti-virus/anti-malware signatures up to date

Question 27

DNS Poisoning

Answer 27

-Modify the DNS server 1. User 1 performs a normal DNS query to the DNS server: -Modify the client host file 2. Bad guy modifies the DNS records and changes the IP address Send a fake response to a valid DNS request• Requires a redirection of the original request or the resulting response 3. User 2 performs the same DNS query as User 1, but now the poisoned DNS entry is returned:

Question 28

Spoofing

Answer 28

Pretend to be something you aren’t Email address spoofing • The sending address of an email isn’t really the sender• Caller ID spoofing • The incoming call information is completely fake• Man-in-the-middle attacks • The person in the middle of the conversation pretends to be both endpoints

Question 29

MAC spoofing

Answer 29

``` Your Ethernet device has a MAC address Most drivers allow you to change this Changing the MAC address can be legitimate It might not be legitimate Very difficult to detect ```

Question 30

IP address spoofing

Answer 30

Take someone else’s IP address Can be legitimate May not be legitimate Easier to identify than MAC address spoofing

Question 31

Spoofing cont

Answer 31

A legitimate response to an ARP request is received from the default gateway.The ARP response is cached on the local device An attacker sends an ARP response that spoofs the IP address of the router and includes the attacker’s MAC address.The malicious ARP information replaces the cached record, completing the ARP poisoning

Question 32

Wireless Deauthentication

Answer 32

Wireless deauthentication• A significant wireless denial of service (DoS) attack

Question 33

802.11 management frames

Answer 33

802.11 wireless includes a number of management features Important for the operation of 802.11 wireless Original wireless standards did not add protection for management frames

Question 34

Protecting against disassociation

Answer 34

IEEE has already addressed the problem | 802.11w is required for 802.11ac compliance

Question 35

Brute force

Answer 35

The password is the key Brute force attacks - Online • Keep trying the login process • Very slow • Most accounts will lockout after a number of failed attempts• Brute force the hash - Offline • Obtain the list of users and hashes • Calculate a password hash, compare it to a stored hash • Large computational resource requirement

Question 36

Dictionary attacks

Answer 36

People use common words as passwords If you’re using brute force, you should start with the easy ones • password, ninja, football • Many common wordlists available on the ‘net • Some are customized by language or line of work • This will catch the low-hanging fruit • You’ll need some smarter attacks for the smarter people

Question 37

VLAN hopping

Answer 37

“Hop” to another VLAN - this shouldn’t happen• Two primary methods• Switch spoofing and double tagging

Question 38

Switch spoofing

Answer 38

Some switches support automatic configuration There’s no authentication required can Send and receive from any configured VLAN Switch administrators should disable trunk negotiation• Administratively configure trunk interfaces and device/access interfaces

Question 39

Man -in- the-middle

Answer 39

``` Redirects your traffic • Then passes it on to the destination • You never know your traffic was redirected • ARP poisoning •because ARP has no security ```

Question 40

Vulnerabilities and exploits

Answer 40

A weakness in a system

Question 41

Exploit

Answer 41

Take advantage of a vulnerability Gain control of a system Gain control of a systemModify data Disable a service

Question 42

Zero-day attacks

Answer 42

Zero-day• The vulnerability has not been detected or published• Zero-day exploits are increasingly common• Common Vulnerabilities and Exposures (CVE)• http://cve.mitre.org/

Question 43

Device Hardening

Answer 43

``` Changing default credentials Avoid common passwords Upgrading firmware File hashing Disabling unnecessary services Watching the network Secure protocols - SSH, SFTP ,SNMPv3 ,TLS/SS, IPse Generating new keys Disabling unused TCP and UDP ports Disabling unused interfaces ```

Question 44

Mitigation Techniques

Answer 44

IPS signature management - Device hardening The native VLAN -Change the native VLAN number (e.g., VLAN 999) Privileged accounts - Elevated access to one or more systems FIM (File Integrity Monitoring) Restricting access via ACLs - device ACLs to limit access Honeypots - Attract the bad guys - and trap them there Penetration testing - Simulate an attack

Question 45

Switch Port Protection

Answer 45

``` Loop protection BPDU guard Root guard Flood guard DHCP snooping ```

Question 46

Loop protection

Answer 46

IEEE standard 802.1D to prevent loops in bridged (switched) networks (1990)• Created by Radia Perlman• Used practically everywhere

Question 47

BPDU guard

Answer 47

PortFast -Bypass the listening and learning states If a BPDU frame is seen on a PortFast configured interface (i.e., a workstation), shut down the interface• This shouldn’t happen - Workstations don’t send BPDU (Bridge Protocol Data Unit)

Question 48

Root guard

Answer 48

Root guard allows you to pick the root • Cisco feature • Prevents a rogue root bridge • If your root bridge receives a superior STP BPDUon a root guard port, root guard changes the interface status to “root-inconsistent” (listening) • This effectively disables the interface to the rogue root

Question 49

Flood guard

Answer 49

Configure a maximum number of source MAC addresses on an interface • You decide how many is too many • You can also configure specific MAC addresses • The switch monitors the number of unique MAC addresses • Maintains a list of every source MAC address • Once you exceed the maximum, port security activates • Interface is usually disabled by default

Question 50

DHCP snooping

Answer 50

IP tracking on a layer 2 device (switch) Switch watches for DHCP conversations Filters invalid IP and DHCP information

Question 51

Network Segmentation

Answer 51

Segmenting the network Physical segmentation DMZ

Question 52

Physical segmentation

Answer 52

Separate Device• Multiple units, separate infrastructure

Question 53

Logical segmentation with VLANs

Answer 53

Virtual Local Area Networks (VLANs)• Separated logically instead of physically - Cannot communicate between VLANs without a Layer 3 device / router

Question 54

Network Troubleshooting Methodology

Answer 54

* Identify the problem * Establish a theory of probable cause * Test the theory to determine cause * Establish a plan of action to resolve the problem and identify potential effects * Implement the solution or escalate as necessary * Verify full system functionality and, if applicable,implement preventative measures * Document findings, actions and outcomes

Question 55

Hardware Tools

Answer 55

* Cable crimper * Cable tester * Punch-down Tool * TDR / OTDR * Light meter * Toner Probe * Loopback plug * Multimeter * Spectrum analyzer

Question 56

Cable crimper

Answer 56

* ”Pinch” the connector onto the wire * The final step of a cable installation * Metal prongs push through insulation

Question 57

Cable tester

Answer 57

Continuity testing Identify missing pins, crossed wires Not used for advanced testing

Question 58

Punch-down Tool

Answer 58

Forces wire into a wiring block | Trims the wires and breaks the insulation

Question 59

TDR / OTDR

Answer 59

(Optical) Time Domain Reflectometer• Estimate fiber lengths, measure signal loss, determine light reflection, create wire maps• May require additional training

Question 60

Light meter

Answer 60

Send a light from one side• Measure the light power on the othe

Question 61

Toner Probe

Answer 61

Puts an analog sound on the wire• Inductive probe doesn’t need to touch the copper

Question 62

Loopback plug

Answer 62

• Useful for testing physical ports• Serial, Ethernet, T1, fiber• These are not crossover cables

Question 63

Multimeter

Answer 63

AC/DC voltages• Continuity, wire mapping

Question 64

Spectrum analyzer

Answer 64

View the frequency spectrum• Identify frequency conflicts

Question 65

Software Tools

Answer 65

Protocol analyzer Network / port scanner Wireless packet analysis Speed test sites

Question 66

Protocol analyzer

Answer 66

Capture and display network traffic• Use a physical tap or redirect on the switch

Question 67

Network / port scanner

Answer 67

• Scan for open ports and IP addresses• Visually map the network• Rogue system detection

Question 68

Wireless packet analysis

Answer 68

View wireless information• Signal-to-noise ratio, channel information, etc.

Question 69

Speed test sites

Answer 69

Bandwidth testing• Pre- and post-change analysis• Not all sites are the same

Question 70

Command Line Tools

Answer 70

* ping - Test reachability * traceroute - Determine the route a packet takes to a destination * nslookup and dig - Lookup information from DNS servers * ipconfig and ifconfig - View and manage IP configuration * iptables - Packet filtering * netstat - Display network statistics * tcpdump * Nmap * route - View the device’s routing table * arp - Address resolution protocol information

Question 71

ping - Test reachability

Answer 71

• ping - Test reachability to a TCP/IP address• ping -t - Ping until stopped with Ctrl-c• ping -a - Resolve address to a hostname• ping -n - Send # of echo requests• ping -f - Send with Don’t Fragment flag set

Question 72

traceroute

Answer 72

Takes advantage of ICMP Time to Live Exceeded error message• Not all devices will reply with ICMP Time Exceeded messages• traceroute

Question 73

nslookup

Answer 73

nslookup • dig

Question 74

ipconfig and ifconfig

Answer 74

ipconfig - Windows TCP/IP config • ipconfig /all - Display all IP configuration details • ipconfig /release - Release the DHCP lease • ipconfig /renew - Renew the DHCP lease • ipconfig /flushdns - Flush the DNS resolver cache• ifconfig - Linux interface configuration

Question 75

iptables - Packet filtering

Answer 75

Linux iptables - filter packets in the kernel • Simple data blocks - ignores state • Usually placed on a device or server

Question 76

netstat - Display network statistics

Answer 76

netstat -a - Show all active connections• netstat -b - Show binaries• netstat -n - Do not resolve names

Question 77

tcpdump

Answer 77

tcpdumpCapture packets from the command line• Available in most Unix/Linux operating systems• Included with Mac OS X, available for Windows (WinDump)• Apply filters, view in real-time• Written in standard pcap format

Question 78

pathping - Combination of ping and traceroute

Answer 78

pathping

Question 79

Nmap

Answer 79

Network mapper - find network devices• Port scan - Find devices and identify open ports• Operating system scan• Discover the OS without logging in to a device• Service scan• What service is available on a device? Name, version, details• Additional scripts• Nmap Scripting Engine (NSE

Question 80

route - View the device’s routing table

Answer 80

route print - View the Windows routing table

Question 81

arp

Answer 81

• arp -a - View the local ARP table