Additional Need to Knows Flashcards
What is CWE?
Common Weakness Enumeration
CWE is a category system for software weaknesses and vulnerabilities.
It is sustained by a community project with the goals of understanding flaws in software and creating automated tools that can be used to identify, fix and prevent those flaws.
The project is sponsored by the National Cybersecurity FFRDC, which is operated by the MITRE Corporation with support from US-CERT and the National Cyber Security Division of the US Department of Homeland Security.
CWE has over 600 categories, including classes for buffer overflow, path/directory traversal, race conditions, cross-site scripting, hard-coded credentials and insecure random numbers.
What is CVE?
Common Vulnerabilities and Exposures
CVE provides a reference method for publicly known information-security vulnerabilities and exposures.
CVEs are unique, common identifiers for publicly known information-security vulnerabilities in publicly released software packages.
What is CAPEC?
Common Attack Pattern Enumeration and Classification provides a publicly available catalog of common attack patterns that helps users understand how adversaries exploit weaknesses in applications and other cyber-enabled capabilities.
Established by the US Department of Homeland Security.
What is Censys?
Censys is a public search engine that enables researchers to quickly ask questions about the hosts and networks that compose the Internet.
Provides simple search:
If you search for a word or phrase, Censys returns any records that contain it.
For example, searching for nginx will return any records that contain the word nginx.
Searching for 23.0.0.0/8 will return all hosts in that network.
Advanced search:
Censys data is structured and supports more advanced queries, including searching specific fields, specifying ranges of values, and boolean logic.
For example, you can search for hosts with the HTTP Server header “Apache” in Germany by running the query
80.http.get.headers.server: Apache and location.country_code: DE
What is a chop chop attack?
The ChopChop attack is one of the main attacks against TKIP (Temporal Key Integrity Protocol).
This attack is not a key recovery attack.
It was originally implemented against WEP and allows the attacker to interactively decrypt the last m bytes of plaintext of an encrypted packet by sending m*128 packets on average to the network.
It relies on a weakness of the CRC32 checksum, called the ICV (Integrity Check Value), which is appended to the data of the packet.
The attacker truncates the last byte of the encrypted packet, guesses its value and returns the packet to the access point.
What is reaver?
Reaver implements a brute-force attack against Wi-Fi Protected Setup (WPS) registrar PINs in order to recover WPA/WPA2 passphrases.
Reaver is designed to be a robust and practical attack against WPS, and has been tested against a wide variety of access points and WPS implementations.
On average, Reaver will recover the target AP’s plain-text WPA/WPA2 passphrase in 4-10 hours, depending on the AP.
In practice, it will generally take half this time to guess the correct WPS PIN and recover the passphrase.
What is a KRACK attack?
Key reinstallation attacks (KRACK) are a type of cyber attack that exploits a vulnerability in WPA2 for the purpose of stealing data transmitted over networks.
These attacks can result in the theft of sensitive information like login credentials, credit card numbers, private chats and any other data the victim transmits over the web.
KRACK can also be used to perform on-path attacks, serving the victim a fake website or injecting malicious code into a legitimate site.
An encrypted WPA2 connection is initiated with a four-way handshake sequence, although the entire sequence isn’t required for a reconnect.
In order to enable faster reconnections, only the third part of the four-way handshake needs to be retransmitted.
When a user reconnects to a familiar Wi-Fi network, the Wi-Fi network resends them the third part of the handshake sequence; this resending can occur multiple times to ensure the connection succeeds.
Because this step is repeatable, it creates an exploitable vulnerability.
What is a NOP Sled and how does it work in an attack?
No Operation (NOP) buffer overflow
Some NOP sled attacks consist of making the program jump to a specific address and continue running from there.
The injected code has to have been loaded beforehand, somehow, at that exact location.
Stack randomization and other runtime differences may make the address where the program will jump impossible to predict, so the attacker places a NOP sled across a large range of memory.
If the program jumps anywhere in the sled, it will run all the remaining NOPs, doing nothing, and then run the payload code placed immediately after the sled.
The reason the attacker uses the NOP sled is to make the target area bigger; the jump can land anywhere in the sled instead of exactly at the beginning of the injected code.
Essentially, the sled’s job is to occupy a large region of memory (and a little run time) so that the jump does not have to be exact.
What is NBNS?
NetBIOS Name Service (NBNS)
NetBIOS over TCP is a networking protocol that allows legacy computer applications relying on the NetBIOS API to be used on modern TCP/IP networks.
It is essentially DNS for NetBIOS names.
Each participant must register on the network using a unique name of at most 15 characters.
When a new application wants to register a name, it has to broadcast a message saying “What’s good, is anyone using this name?” If no answer comes back, it is safe to assume that the name is not in use.
Both NetBIOS and LLMNR are protocols that a Windows computer uses to look for a host on the internal network when a host’s IP address cannot be resolved through the organizational DNS server.
What is LLMNR?
Link-Local Multicast Name Resolution
LLMNR is a protocol based on the DNS packet format that allows both IPv4 and IPv6 hosts to perform name resolution for hosts on the same local link.
LLMNR is included in Windows.
How can NBNS and LLMNR be exploited?
Spoofing these MFs
An NBNS and LLMNR spoofing attack takes advantage of these internal name-resolution requests.
When these requests are seen on the local subnet, the attacker responds to them and says “I know where that server is; in fact, I am that server, ya dig?”
This allows the attacker to capture whatever traffic comes next.
This doesn’t seem useful, unless a database server or file server is the one making these requests.
What is DLL?
Dynamic-link Library
DLL is Microsoft’s implementation of the shared library concept.
These libraries are similar to EXEs but are not directly executable; instead they are called upon by other code that is already running.
A DLL is a type of file that contains instructions that other programs can call upon to do certain things.
This way, several programs can share the abilities programmed into a single file, and even do so simultaneously.
For example, several different programs might all call upon a DLL file to find the free space on a hard drive, locate a file in a particular directory and print a test page to the default printer.
What is DLL Hijacking?
DLL hijacking is a method of injecting malicious code into an application by exploiting the way some Windows applications search for and load Dynamic Link Libraries (DLLs).
Only Microsoft operating systems are susceptible to DLL hijacks.
DLL hijacking is when you abuse the library search order to gain execution in a process.
Being able to write to the directory an executable resides in allows a malicious actor to drop a DLL with the same name as one the executable will request via LoadLibrary.
DLL hijacking is a way for attackers to run unwanted code on your system.
By replacing a required DLL file with an infected version and placing it within the search path of an application, the infected file will be called upon when the application loads, activating its malicious operations.
For a DLL hijack to be successful, a victim needs to load an infected DLL file from the same directory as the targeted application.
If applications that are automatically loaded upon startup are compromised with a tainted DLL file, cyber criminals will be granted access to the infected computer whenever it loads.
What are ProxyChains?
ProxyChains is a tool that forces any TCP connection made by any given application to go through proxies like Tor or any other SOCKS4, SOCKS5 or HTTP proxies.
It is an open-source project for GNU/Linux systems.
Essentially, you can use ProxyChains to run any program through a proxy server.
This allows you to access the Internet from behind a restrictive firewall, hide your IP address, run applications like SSH, telnet, wget, FTP and Nmap through proxy servers, and even access your local intranet from outside through an external proxy.
ProxyChains even allows you to use multiple proxies at once by chaining them together, and to run programs with no built-in proxy support through a proxy.
What is a DLL Injection?
DLL injection, on the other hand, is where a running process is manipulated into loading a desired library.
DLL injection is a method used for running code within the address space of another process by forcing it to load a dynamic-link library.
DLL injection is often used by external programs to manipulate the behaviour of another program in a way its creators did not expect or intend.
This is when the malware launcher forces a victim process to load the malicious library by writing its name into the process memory and then creating a thread that loads the malicious library.
There is also direct DLL injection, where the malware author doesn’t need to write the malicious code into a separate DLL and then load it into the victim process; instead, it writes the code directly into the victim process’s memory space using VirtualAllocEx and WriteProcessMemory twice.