Advanced Threats Flashcards
IV (Initialization Vector)
Provides randomization of encryption keys to ensure they are not reused.
IV Attack
Packet injection to increase the number of packets to analyze and discover the encryption key. (Fewer keys mean a higher risk of discovery.)
Banner Grabbing
Fingerprinting attack. Telnet to port 80. The server's response might contain useful info such as the web server software brand.
Spoofing
Email Spoofing, MAC Address Spoofing
Smurf Attack
Spoofs the source IP address of a directed-broadcast ping packet to flood a victim with ping replies.
Countermeasure: Disable directed broadcasts. Most routers do this.
SYN Flood
Disrupts the TCP handshake process.
Client sends SYN
Server sends SYN/ACK
Client never responds with ACK
This leaves connections half-open. Once the connection limit is reached, the server is unreachable.
Countermeasure: Flood guards (included in most firewalls and IDS)
XMAS Attack
Recon attack. Sets certain bits/flags in packet headers.
Different OSes respond in different ways. Attackers analyze the responses.
Most IDS and IPS can detect it.
Replay attacks
Attacker replays data that was already part of a session.
Countermeasure: Timestamp and sequence numbers
MITM
Interception/Eavesdropping
Kerberos helps prevent MITM attacks with mutual authentication
Password attack location
Online and Offline Attacks
Birthday attack
Attacker creates a password that produces the same hash as the user's actual password.
Countermeasure: Increase the number of bits in the hash to increase the number of possible hashes.
Rainbow table attack
Attempts to discover a password from its hash.
Uses “huge databases of precomputed hashes.”
Countermeasure: Salting
DNS Poisoning
Modifies or Corrupts DNS results.
Pharming
Corrupts the DNS Server or DNS Client
Client DNS Pharming modifies the hosts file.
ARP Poisoning
Misleads computers or switches about the actual MAC address of a system.
Two ARP Poisoning attacks
ARP MITM, ARP DoS
Watering Hole Attack
Attempts to discover which websites employees will likely visit and infects those sites with malware that can infect visitors.
Session Hijacking
Attacker learns the session ID and uses it to impersonate the user.
Flash cookies and LSOs (local shared objects)
Used for tracking.
Arbitrary Code Execution
Attacker executes commands on a target system
Remote Code Execution
Attacker executes code from a remote system
Header Manipulation
Attacker modifies data in a packet, such as the session ID.
Race condition
Two or more applications attempt to access a resource at the same time.
Buffer Overflow
Application receives more input than it can handle, or input different from what it expects. Exposes system memory.
SQL Injection
Passes queries to back-end DBs through web servers.
or '1' = '1'
SQL injection phrase that creates a "true" condition.
SQL Injection Prevention
Input validation and sending requests to "stored procedures".
Cross Site Scripting
Scripts are injected into websites. Scripts contain malicious code.
Cross Site Request Forgery (XSRF)
Bad links on good sites. Users perform actions on websites without their knowledge.
Countermeasure: Sign back in before performing actions. Expire cookies after a short time.
Command injection
Inject OS commands into web forms or text boxes.
Countermeasure: Input Validation
Transitive access
Jumping from a public service to a private one. Ex: Going from a public web server to a back-end DB server.
Common example: SQL Injection
Fuzzing
Send random data to an application. Random data can crash the program or provide unexpected results.