Advanced Attacks Flashcards
MAC Spoofing
- Type of attack
- An exploitation
MAC Spoofing
- Use software to change MAC address of NIC
- MAC flood attack overwhelms switch with spoofed MACs
- Attacker can use to bypass MAC filtering
IP Spoofing
IP Spoofing
- Attacker changes source IP address of packet
- Attack from a single system seems to come from many
SYN Flood Attack
SYN Flood Attack
- Against server on internet
- Disrupt three-way handshake
- Attacker sends many SYNs
- Never completes with ACKs
- Many half-open connections
- Servers can limit number of connections, but may deny connections to legit clients
- One attacker spoof IP for DoS
- Many attackers are DDoS
Man-In-The-Middle
- What can prevent it, and how?
Man-In-The-Middle
- Third computer intercepts communications and forwards them
- Can insert malicious code
- Kerberos helps prevent with mutual authentication
ARP Poisoning
- Two kinds of attack
ARP Poisoning
- Attacker creates fake ARP reply with spoofed MAC address to poison ARP cache
- ARP Man-In-The-Middle - make traffic destined for router go to attacker. Attacker uses IP forwarding to pass traffic on to router
- ARP DoS - send ARP reply with bogus MAC address for default gateway - stops traffic out of network
DNS Poisoning
- What prevents?
DNS Poisoning
- Replace IP address of legit website with that of malicious site
- DNS-SEC prevents
DDoS DNS Attack
DDoS DNS Attack
- Botnet machines repeatedly send queries to DNS servers, overwhelm them
Amplification Attack
Amplification Attack
- DoS
- Increase traffic sent to or from victims
- Smurf attack
- DNS amplification attack
- NTP attack
Smurf Attack
Smurf Attack
- An amplification attack
- broadcast ping to all computers in subnet, spoof source IP to victim, so victim gets
DNS Amplification Attack
DNS Amplification Attack
- An amplification attack
- Send DNS requests spoofing IP address of victim; request as much zone data as possible
NTP Attack
NTP Attack
- An amplification attack
- Request monlist (last 600 systems requesting time) using spoofed IP address of victim
Pass The Hash Attack
- What is susceptible and why?
- Use what instead?
Pass The Hash Attack
- Password attack
- Discover password hash and use to log on
- LM and NTLM susceptible because hash not encrypted
- Use NTLMv2 or Kerberos instead
Birthday Attack
- Type of attack
- How to prevent
- What is susceptible
- What is not susceptible
Birthday Attack
- Password attack
- Attacker finds a different input that produces the same hash as the actual password (hash collision)
- Prevent by increasing bits in hash
- MD5 has 128 bits - susceptible
- SHA-3 has 512 bits - not susceptible
Rainbow Table Attack
- How to prevent
Rainbow Table Attack
- Database of passwords and their hashes
- Compare hash of original password vs hashes in table
- When match, password discovered
- Salting prevents - random data (extra characters) before hashing
Replay Attack
- What prevents
Replay Attack
- Password attack
- Attacker intercepts authentication credentials and replays to impersonate
- Timestamps and sequence numbers can prevent - Kerberos
Known Plaintext Attack
Known Plaintext Attack
- Attacker has sample of plaintext and its ciphertext
- Use both to discover encryption method
- Use to decrypt other ciphertexts
Chosen Plaintext Attack
Chosen Plaintext Attack
- Choose part of encrypted message you know, try to decrypt that
- If it works, use same method to decrypt whole message
Session Hijacking
Session Hijacking
- Attacker uses user’s session ID (cookie) to impersonate user
Domain Hijacking
Domain Hijacking
- Change registration of domain name
- Likely using social engineering
Man-In-The-Browser
Man-In-The-Browser
- Proxy Trojan horse infecting web browsers
- Can capture session data: keystrokes, data sent from browser (bank login info)
Buffer Overflow Attack
Buffer Overflow Attack
- Use buffer overflow to overwrite memory with malicious code
- Ex: long string, first part causes the buffer overflow, then a string of no-op instructions (NOP, 0x90) followed by malicious code
Directory Traversal
Directory Traversal
- Webserver vulnerability
- Injection attack
- Enter directory path into web form or text box
Cross Site Scripting (XSS)
Cross Site Scripting (XSS)
- Webserver vulnerability
- Attackers embed malicious HTML or JavaScript into website’s code
- Or email link that takes advantage of website that allows scripts to run in user input
- Executes when user visits
- Can capture cookies
- Prevent with
  - input validation
  - security encoding library to sanitize HTML
Cross-Site Request Forgery (XSRF)
- How to prevent
Cross-Site Request Forgery (XSRF)
- Webserver vulnerability
- Attacker tricks user into performing action on website
- Attacker creates HTML link that performs action if clicked, e.g., www.foo.com/edit?action=badstuff
- Attacker makes request on behalf of the authenticated user
- Prevent by
  - expiring cookie
  - forcing re-authentication when performing action
  - sending token with form submission and checking it on server
Kerberos prevents these attacks
Kerberos prevents these attacks
- Replay attack - timestamps and sequence numbers
- Pass the hash attack - encrypts hash
- Man-In-The-Middle - mutual authentication