4.4 Summarize common networking attacks. Flashcards

1
Q

Denial of service

A

Force a service to fail
Take advantage of a design failure or vulnerability
Cause a system to be unavailable
Create a smokescreen for some other exploit
Doesn’t have to be complicated - Turn off the power

2
Q

A “friendly” DoS

A

Unintentional DoSing -
Network DoS - Layer 2 loop without STP
Bandwidth DoS - Downloading multi-gigabyte Linux distributions over a DSL line

3
Q

Distributed Denial of Service (DDoS)

A

Launch an army of computers to bring down a service
This is why the bad guys have botnets
Asymmetric threat

4
Q

DDoS amplification

A

Turn your small attack into a big attack
An increasingly common DDoS technique
Uses protocols with little (if any) authentication or checks - NTP, DNS, ICMP

5
Q

DNS Amplification

A

Botnet C&C sends a single message to the botnet
Bots send spoofed DNS requests
DNS resolvers send amplified DNS responses to the web server

6
Q

Effective social engineering

A

Constantly changing - You never know what’s next
May involve multiple people
May be in person or electronic - email, phone

7
Q

Social engineering principles

A
  • Authority
  • Intimidation
  • Consensus / Social proof
  • Scarcity
  • Urgency
  • Familiarity / Liking
  • Trust
8
Q

Authority

A

The social engineer is in charge

I’m calling from the help desk/office of the CEO/police

9
Q

Intimidation

A

There will be bad things if you don’t help

If you don’t help me, the payroll checks won’t be processed

10
Q

Consensus / Social proof

A

Convince based on what’s normally expected

Your co-worker Jill did this for me last week

11
Q

Scarcity

A

The situation will not be this way for long

Must make the change before time expires

12
Q

Urgency

A

Works alongside scarcity - Act quickly, don’t think

13
Q

Familiarity / Liking

A

Someone you know, we have common friends

14
Q

Trust

A

Someone who is safe

I’m from IT, and I’m here to help

15
Q

Insider threats

A
  • Significant security issues
  • Harms reputation
  • Critical system disruption
  • Loss of confidential or proprietary information
  • Innocent employees - Phishing scams, hacking scams
  • Disgruntled employees - Someone is out to get you
  • Careless employees - Using a laptop for personal use
  • Defense in depth - Cover all possible scenarios
16
Q

Logic Bomb

A

• Waits for a predefined event
• Often left by someone with a grudge
• Time bomb
  • Time or date
  • User event
• Logic bomb
  • Difficult to identify
  • Difficult to recover if it goes off

17
Q

Preventing a logic bomb

A

Difficult to recognize - Each is unique
• No predefined signatures
• Process and procedures - Formal change control
• Electronic monitoring - Alert on changes - Host-based intrusion detection, Tripwire, etc.
• Constant auditing - An administrator can circumvent existing systems

18
Q

Rogue access points

A

A significant potential backdoor
Very easy to plug in a wireless AP
Schedule a periodic survey
Consider using 802.1X (Network Access Control)

19
Q

Wireless evil twins

A
Buy a wireless access point
Configure it exactly the same way as an existing network
Overpower the existing access points
WiFi hotspots are easy to fool
You encrypt your communication, right?
20
Q

Wardriving

A

Combine WiFi monitoring and a GPS
Huge amount of intel in a short period of time
All of this is free - Kismet, inSSIDer - Wireless Geographic Logging Engine - http://wigle.net
Always an alternative - Warflying, warbiking

21
Q

Phishing

A

Often delivered by spam, IM, etc. - Very remarkable when well done

  • Check the URL
  • Usually there’s something not quite right - Spelling, fonts, graphics
  • Vishing is done over the phone - Fake security checks or bank updates
22
Q

Spear phishing

A

Phishing with inside information

Makes the attack more believable

23
Q

Whaling

A

Spear phishing the CEO is “whaling”

24
Q

Ransomware

A

Locks your computer “by the police”
The ransom may be avoided
• A security professional may be able to remove these kinds of malware

25
Crypto-malware
New generation of ransomware
Malware encrypts your data files
You must pay the bad guys to obtain the decryption key
26
Protecting against ransomware
Always have a backup
Keep your operating system & applications up to date - Patches
Keep your anti-virus/anti-malware signatures up to date
27
DNS Poisoning
Modify the DNS server
Modify the client host file
Send a fake response to a valid DNS request - Requires a redirection of the original request or the resulting response

1. User 1 performs a normal DNS query to the DNS server
2. Bad guy modifies the DNS records and changes the IP address
3. User 2 performs the same DNS query as User 1, but now the poisoned DNS entry is returned
28
Spoofing
Pretend to be something you aren’t
Email address spoofing - The sending address of an email isn’t really the sender
Caller ID spoofing - The incoming call information is completely fake
Man-in-the-middle attacks - The person in the middle of the conversation pretends to be both endpoints
29
MAC spoofing
Your Ethernet device has a MAC address
Most drivers allow you to change this
Changing the MAC address can be legitimate
It might not be legitimate
Very difficult to detect
30
IP address spoofing
Take someone else’s IP address
Can be legitimate
May not be legitimate
Easier to identify than MAC address spoofing
31
Spoofing (cont.) - ARP poisoning
1. A legitimate response to an ARP request is received from the default gateway
2. The ARP response is cached on the local device
3. An attacker sends an ARP response that spoofs the IP address of the router and includes the attacker’s MAC address
4. The malicious ARP information replaces the cached record, completing the ARP poisoning
32
Wireless Deauthentication
Wireless deauthentication - A significant wireless denial of service (DoS) attack
33
802.11 management frames
802.11 wireless includes a number of management features
Important for the operation of 802.11 wireless
Original wireless standards did not add protection for management frames
34
Protecting against disassociation
IEEE has already addressed the problem
802.11w is required for 802.11ac compliance
35
Brute force
The password is the key
Brute force attacks - Online
  • Keep trying the login process
  • Very slow
  • Most accounts will lock out after a number of failed attempts
Brute force the hash - Offline
  • Obtain the list of users and hashes
  • Calculate a password hash, compare it to a stored hash
  • Large computational resource requirement
36
Dictionary attacks
People use common words as passwords
If you’re using brute force, you should start with the easy ones
  • password, ninja, football
  • Many common wordlists available on the ’net
  • Some are customized by language or line of work
  • This will catch the low-hanging fruit
  • You’ll need some smarter attacks for the smarter people
37
VLAN hopping
“Hop” to another VLAN - This shouldn’t happen
Two primary methods - Switch spoofing and double tagging
38
Switch spoofing
Some switches support automatic configuration
There’s no authentication required - Can send and receive from any configured VLAN
Switch administrators should disable trunk negotiation
  • Administratively configure trunk interfaces and device/access interfaces
39
Man-in-the-middle
Redirects your traffic
  • Then passes it on to the destination
  • You never know your traffic was redirected
ARP poisoning - Because ARP has no security
40
Vulnerabilities and exploits
Vulnerability - A weakness in a system
41
Exploit
Take advantage of a vulnerability
Gain control of a system
Modify data
Disable a service
42
Zero-day attacks
Zero-day - The vulnerability has not been detected or published
Zero-day exploits are increasingly common
Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/
43
Device Hardening
Changing default credentials
Avoid common passwords
Upgrading firmware
File hashing
Disabling unnecessary services
Watching the network
Secure protocols - SSH, SFTP, SNMPv3, TLS/SSL, IPsec
Generating new keys
Disabling unused TCP and UDP ports
Disabling unused interfaces
44
Mitigation Techniques
IPS signature management
Device hardening
The native VLAN - Change the native VLAN number (e.g., VLAN 999)
Privileged accounts - Elevated access to one or more systems
FIM (File Integrity Monitoring)
Restricting access via ACLs - Device ACLs to limit access
Honeypots - Attract the bad guys and trap them there
Penetration testing - Simulate an attack
45
Switch Port Protection
Loop protection
BPDU guard
Root guard
Flood guard
DHCP snooping
46
Loop protection
IEEE standard 802.1D to prevent loops in bridged (switched) networks (1990)
Created by Radia Perlman
Used practically everywhere
47
BPDU guard
PortFast - Bypass the listening and learning states
If a BPDU frame is seen on a PortFast configured interface (i.e., a workstation), shut down the interface
This shouldn’t happen - Workstations don’t send BPDUs (Bridge Protocol Data Units)
48
Root guard
Root guard allows you to pick the root - Cisco feature
Prevents a rogue root bridge
If your root bridge receives a superior STP BPDU on a root guard port, root guard changes the interface status to “root-inconsistent” (listening)
This effectively disables the interface to the rogue root
49
Flood guard
Configure a maximum number of source MAC addresses on an interface
  • You decide how many is too many
  • You can also configure specific MAC addresses
The switch monitors the number of unique MAC addresses
  • Maintains a list of every source MAC address
Once you exceed the maximum, port security activates
  • Interface is usually disabled by default
50
DHCP snooping
IP tracking on a layer 2 device (switch)
Switch watches for DHCP conversations
Filters invalid IP and DHCP information
51
Network Segmentation
Segmenting the network
Physical segmentation
DMZ
52
Physical segmentation
Separate device - Multiple units, separate infrastructure
53
Logical segmentation with VLANs
Virtual Local Area Networks (VLANs)
Separated logically instead of physically - Cannot communicate between VLANs without a Layer 3 device / router
54
Network Troubleshooting Methodology
1. Identify the problem
2. Establish a theory of probable cause
3. Test the theory to determine cause
4. Establish a plan of action to resolve the problem and identify potential effects
5. Implement the solution or escalate as necessary
6. Verify full system functionality and, if applicable, implement preventative measures
7. Document findings, actions and outcomes
55
Hardware Tools
  • Cable crimper
  • Cable tester
  • Punch-down tool
  • TDR / OTDR
  • Light meter
  • Toner probe
  • Loopback plug
  • Multimeter
  • Spectrum analyzer
56
Cable crimper
“Pinch” the connector onto the wire
The final step of a cable installation
Metal prongs push through insulation
57
Cable tester
Continuity testing
Identify missing pins, crossed wires
Not used for advanced testing
58
Punch-down Tool
Forces wire into a wiring block
Trims the wires and breaks the insulation
59
TDR / OTDR
(Optical) Time Domain Reflectometer
Estimate fiber lengths, measure signal loss, determine light reflection, create wire maps
May require additional training
60
Light meter
Send a light from one side
Measure the light power on the other
61
Toner Probe
Puts an analog sound on the wire
Inductive probe doesn’t need to touch the copper
62
Loopback plug
Useful for testing physical ports - Serial, Ethernet, T1, fiber
These are not crossover cables
63
Multimeter
AC/DC voltages
Continuity, wire mapping
64
Spectrum analyzer
View the frequency spectrum
Identify frequency conflicts
65
Software Tools
Protocol analyzer
Network / port scanner
Wireless packet analysis
Speed test sites
66
Protocol analyzer
Capture and display network traffic
Use a physical tap or redirect on the switch
67
Network / port scanner
Scan for open ports and IP addresses
Visually map the network
Rogue system detection
68
Wireless packet analysis
View wireless information
Signal-to-noise ratio, channel information, etc.
69
Speed test sites
Bandwidth testing
Pre- and post-change analysis
Not all sites are the same
70
Command Line Tools
  • ping - Test reachability
  • traceroute - Determine the route a packet takes to a destination
  • nslookup and dig - Look up information from DNS servers
  • ipconfig and ifconfig - View and manage IP configuration
  • iptables - Packet filtering
  • netstat - Display network statistics
  • tcpdump
  • Nmap
  • route - View the device’s routing table
  • arp - Address Resolution Protocol information
71
ping - Test reachability
ping - Test reachability to a TCP/IP address
  • ping -t - Ping until stopped with Ctrl-c
  • ping -a - Resolve address to a hostname
  • ping -n - Send # of echo requests
  • ping -f - Send with Don’t Fragment flag set
72
traceroute
Takes advantage of the ICMP Time to Live Exceeded error message
Not all devices will reply with ICMP Time Exceeded messages
traceroute
73
nslookup
nslookup
dig
74
ipconfig and ifconfig
ipconfig - Windows TCP/IP config
  • ipconfig /all - Display all IP configuration details
  • ipconfig /release - Release the DHCP lease
  • ipconfig /renew - Renew the DHCP lease
  • ipconfig /flushdns - Flush the DNS resolver cache
ifconfig - Linux interface configuration
75
iptables - Packet filtering
Linux iptables - Filter packets in the kernel
  • Simple data blocks - Ignores state
  • Usually placed on a device or server
76
netstat - Display network statistics
netstat -a - Show all active connections
netstat -b - Show binaries
netstat -n - Do not resolve names
77
tcpdump
tcpdump - Capture packets from the command line
Available in most Unix/Linux operating systems
Included with Mac OS X, available for Windows (WinDump)
Apply filters, view in real-time
Written in standard pcap format
78
pathping - Combination of ping and traceroute
pathping
79
Nmap
Network mapper - Find network devices
Port scan - Find devices and identify open ports
Operating system scan - Discover the OS without logging in to a device
Service scan - What service is available on a device? Name, version, details
Additional scripts - Nmap Scripting Engine (NSE)
80
route - View the device’s routing table
route print - View the Windows routing table
81
arp
• arp -a - View the local ARP table