Advanced Attacks

Question 1

MAC Spoofing

• Type of attack
• An exploitation

Answer 1

MAC Spoofing

• Use software to change MAC address of NIC
• MAC flood attack overwhelms switch with spoofed MACs
• Attacker can use to bypass MAC filtering

Question 2

IP Spoofing

Answer 2

IP Spoofing

• Attacker changes source IP address of packet
• Attack from single systems seems to come from many

Question 3

SYN Flood Attack

Answer 3

SYN Flood Attack

• Against server on internet
• Disrupt three-way handshake
• Attacker sends many SYN’s
• Never completes with ACK’s
• Many half-open connections
• Servers can limit number of connection, but may deny connections to legit clients
• One attacker spoof IP for DoS
• Many attackers are DDoS

Question 4

Man-In-The-Middle

-What can prevent and how?

Answer 4

Man-In-The-Middle

• Third computer intercepts comms and forwards
• Can insert malicious code
• Kerberos helps prevent with mutual authentication

Question 5

ARP Poisoning

-Two kinds of attack

Answer 5

ARP Poisoning

• Attacker creates fake ARP reply with spoofed MAC address to poison ARP cache
• ARP Man-In-The-Middle - make traffic of router go to attacker. Attacker uses IP forwarding to send traffic to router
• ARP DoS - send ARP reply with bogus MAC address for default gateway - stops traffic out of network

Question 6

DNS Poisoning

-What prevents?

Answer 6

DNS Poisoning

• Replace IP address of legit website with that of malicious site
• DNS-SEC prevents

Question 7

DDoS DNS Attack

Answer 7

DDoS DNS Attack

-Botnet machines repeatedly send queries to DNS servers, overwhelm them

Question 8

Amplification Attack

Answer 8

Amplification Attack

• DoS
• Increase traffic sent to or from victims
• smurf attack
• DNS amplification attack
• NTP attack

Question 9

Smurf Attack

Answer 9

Smurf Attack

• An amplification attack
• broadcast ping to all computers in subnet, spoof source IP to victim, so victim gets

Question 10

DNS Amplification Attack

Answer 10

DNS Amplification Attack

• An amplification attack
• Send DNS requests spoofing IP address of victim; request as much zone data as possible

Question 11

NTP Attack

Answer 11

NTP Attack

• An amplification attack
• Request monlist (last 600 systems requesting time) using spoofed IP address of victim

Question 12

Pass The Hash Attack

• What is susceptible and why?
• Use what instead?

Answer 12

Pass The Hash Attack

• Password attack
• Discover password hash and use to log on
• LM and NTLM susceptible because hash not encrypted
• Use NTLMv2 or Kerberos instead

Question 13

Birthday Attack

• Type of attack
• How to prevent
• What is susceptible
• What is not susceptible

Answer 13

Birthday Attack

• Password attack
• Attacker creates hash that produces same hash as actual password (hash collision)
• Prevent by increasing bits in hash
• MD5 has 128 bits - susceptible
• SHA-3 has 512 bits - not susceptible

Question 14

Rainbow Table Attack

-How to prevent

Answer 14

Rainbow Table Attack

• Database of passwords and their hashes
• Compare hash of original password vs hashes in table
• When match, password discovered
• Salting prevents - random data (extra characters) before hashing

Question 15

Replay Attack

-What prevents

Answer 15

Replay Attack

• Password attack
• Attacker intercepts authentication credentials and replays to impersonate
• Timestamps and sequence numbers can prevent - Kerberos

Question 16

Known Plaintext Attack

Answer 16

Known Plaintext Attack

• Attacker has sample of plaintext and its ciphertext
• Use both to discover encryption method
• Use to decrypt other cyphertexts

Question 17

Chosen Plaintext Attack

Answer 17

Chosen Plaintext Attack

• Choose part of encrypted message you know, try to decrypt that
• If it works, use same method to decrypt whole message

Question 18

Session Hijacking

Answer 18

Session Hijacking

-Attacker uses user’s session ID (cookie) to impersonate user

Question 19

Domain Hijacking

Answer 19

Domain Hijacking

• Change registration of domain name
• Likely using social engineering

Question 20

Man-In-The-Browser

Answer 20

Man-In-The-Browser

• Proxy trojan horse infecting web browsers
• Can capture session data: keystrokes, data sent from browser (bank login info)

Question 21

Buffer Overflow Attack

Answer 21

Buffer Overflow Attack

• Use buffer overflow to overwrite memory with malicious code
• Ex: long string, first part causes buffer overflows, then string of no-op commands (NOP or x90) followed by malicious code

Question 22

Directory Traversal

Answer 22

Directory Traversal

• Webserver vulnerability
• Injection attack
• Enter directory path into web form or text box

Question 23

Cross Site Scripting (XSS)

Answer 23

Cross Site Scripting (XSS)

• Webserver vulnerability
• Attackers embed malicious HTML or Javascript into website’s code
• Or email link that takes advantage of website that allows scripts to run in user input
• Executes when user visits
• Can capture cookies
• Prevent with
• input validation
• security encoding library to sanitize HTML

Question 24

Cross-Site Request Forgery (XSRF)

-How to prevent

Answer 24

Cross-Site Request Forgery (XSRF)

• Webserver vulnerability
• Attacker tricks user into performing action on website
• Attacker creates HTML link that performs action if clicked, ie, www.foo.com/edit?action=badstuff
• attacker makes request on behalf of the authenticated user
• Prevent by
• expiring cookie
• forcing re-authentication when performing action
• sending token with form submission and check on server

Question 25

Kerberos prevents these attacks

Answer 25

Kerberos prevents these attacks

• Replay attack - timestamps and sequence numbers
• Pass the hash attack - encrypts hash
• Man-In-The-Middle - mutual authentication