Attacks Flashcards
Attacks
Zero-day vulnerability
Zero-day vulnerability- vulnerability known before patch is available
Zero-day exploit
Zero-day exploit- refers to existence of exploit code for a vulnerability that has yet to be patched
Session hijacking
Session hijacking- seizing control of an existing network session
MITM
MITM (Man/monkey in the middle)- places attacker between the system and the victim
o Attacker spoofs (masquerades as endpoint), sniffing traffic, then inserts a malicious system into the middle
Virus
Virus- A piece of malicious code that often attaches onto executable code. Needs a host in which to live, and an action by the user to spread.
o Macro virus- written in a macro language; e.g. MS Word documents
o Boot sector virus- loads at startup
o Stealth virus- hides itself
o Polymorphic virus- changes its signature on infection
o Multipartite virus- spreads via multiple vectors
Worm
Worm- self-propagates and spreads without user interaction
Trojan Horse
Trojan Horse- provides user with a desired functionality as well as an unknown malicious functionality. It often provides a persistent backdoor access
Rootkits
Rootkits- designed to hide the existence of certain processes or programs from normal methods of detection and to enable continued privileged access to a computer;
replaces portions of the kernel or OS;
a user-mode rootkit operates in ring 3
DoS
DoS (Denial of Service): The purpose of these attacks is to overwhelm a system and disrupt its availability
DDoS
DDoS (Distributed Denial of Service): Characterized by the use of Control Machines (Handlers) and Zombies (Bots).
An attacker uploads software to the control machines, which in turn commandeer unsuspecting machines to perform an attack on the victim.
The idea is that if one machine can initiate a denial of service attack, then having many machines perform the attack is more effective.
Land attack
LAND (Local Area Network Denial) attack is a DoS attack that consists of sending a specially crafted, spoofed SYN packet whose source and destination are the same to a computer, causing it to lock up.
SMURF
SMURF: A variation of the ICMP flood attack where Echo Requests with the intended victim’s spoofed source IP are broadcast to a computer network using an IP Broadcast address.
Counter measures:
o Disable ICMP on perimeter systems
o Use packet filtering and stateful inspection
SYN Flood
SYN Flood: Type of attack that exploits the TCP three-way handshake (SYN, SYN-ACK, ACK). Layer 4 attack.
Counter measures: a stateful firewall is needed to prevent it; limit the allowed number of half-open connections; reduce the amount of time before half-open connections are purged.
Fraggle
Fraggle: Similar to Smurf, but uses UDP instead of ICMP. Layer 4 attack.
Counter measure: block broadcasts on routers
ICMP Flood
ICMP Flood: Large numbers of ICMP packets are sent to the target to consume resources.
Counter Measures: ICMP should be disabled across perimeter systems.
Teardrop
Teardrop Attack: The length and fragmentation offset fields of sequential IP packets are modified, causing the target system to become confused and crash.
Can also be used to make one fragment overlap another and overwrite the TCP header, which can be used to change the connection type, from HTTP to Telnet for example.
Counter measure: Employ a filtering device that performs virtual packet reassembly
Ping of death
Ping of death- a malformed ICMP echo request that is larger than the Maximum Transmission Unit (MTU) size of an IP packet
Ping Flooding
Ping Flooding: Overwhelming a system with a multitude of pings.
Buffer Overflow
Buffer Overflow: Attacks that overwhelm a fixed-size memory buffer on a system by supplying more input than it can hold.
Best prevented with input validation
Bonk
Bonk: Similar to the Teardrop attack; manipulates how a PC reassembles a packet and causes it to accept a packet that is much too large
UDP Flood
UDP Flood: Large numbers of UDP packets are sent to the target to consume resources.
Counter Measures: Using a router to filter UDP and drop UDP traffic if UDP is not a required service.
DNS reflection
DNS reflection- (like Smurf) leverages a third party; directs many poorly configured DNS servers to query an attacker-controlled DNS server, causing the third-party DNS servers to cache large DNS records. The attacker then requests that all of the large DNS query records be sent to the victim.
Steganography
Steganography: Attempts to conceal data by hiding it. Works by placing information in graphics, sound files or document headers
Password Cracking types
Password Cracking
o Dictionary attack- try common passwords
o Brute force- all combinations
o Hybrid attack- combination
o LanMan (LM) hashes- compromised Microsoft hashing function
o Rainbow tables- matches hashes to passwords
Chosen plaintext attack
A cryptanalyst ‘chooses’ the plaintext to be encrypted in a chosen plaintext attack; the goal is to derive the key. Encrypting without knowing the key is done via an encryption oracle (a device that encrypts without revealing the key).
Adaptive-chosen plaintext begins with a chosen plaintext attack in round 1. The cryptanalyst then adapts further rounds of encryption based on the previous round.
Known plaintext attack
A known plaintext attack relies on ‘recovering’ and analyzing a matching plaintext and ciphertext pair. The goal is to derive the key that was used.
Known key attack
Known key means the cryptanalyst ‘knows something about’ the key, to reduce the efforts used to attack it
Chosen ciphertext attack
In a chosen ciphertext attack the cryptanalyst chooses the ciphertext to be decrypted.
This attack is usually launched against ‘asymmetric’ cryptosystems, where the cryptanalyst may choose public documents to decrypt that are signed (encrypted) with a user’s public key.
Adaptive Chosen Ciphertext begins with a chosen ciphertext attack in round 1. The cryptanalyst then adapts further rounds of decryption based on the previous round.
Meet-in-the-middle attack
A meet-in-the-middle attack encrypts on one side, decrypts on the other side, and meets in the middle.
The most common attack is against double DES, which encrypts with two keys in encrypt, encrypt order.
The attack is a known plaintext attack: the attacker has a copy of a matching plaintext and ciphertext pair and seeks to recover the two keys used to encrypt.
Birthday attack
The birthday attack is used to create hash collisions. Matching any birthday is easier than matching a specific birthday, so finding any input that creates a colliding hash with any other input is easier than finding a collision for one specific input.
Side-channel attack
Side-channel attacks use physical data to break a cryptosystem, such as monitoring CPU cycles or power consumption used while encrypting or decrypting
Dictionary attack
Dictionary attack- a method of breaking into a password-protected computer or server by systematically entering every word in a dictionary as a password
Brute force attack
Brute force attack- every possible password combination is tried
Rainbow tables
Rainbow tables- precomputed tables of plaintext passwords and their hashes, used for lookup when cracking password hashes.
Hybrid attack
Hybrid attack- changes characters in dictionary words before hashing
Black hat
Black hat- malicious hackers, or crackers
White hat
White hat- ethical hackers that perform penetration testing
Gray hat
Gray hat- not malicious, exploits to bring weakness to attention
Script Kiddies
Script Kiddies- attack with tools they have little/no understanding of
Outsiders
Outsiders- unauthorized attackers with no privileges
Insiders
Insiders- internal user who intentionally or accidentally attacks a system; cause most high-impact incidents
Hacktivist
Hacktivist- attacks for political reasons
Bots & Botnets
Bots & Botnets- a bot (aka zombie) is a system running malware, controlled via a botnet managed by bot herders (humans)
o Systems become bots after infection via server- or client-side attacks, trojans, etc.
o Botnets often use IRC (Internet Relay Chat), HTTPS, HTTP for command and control
Phishing
Phishing- attacker tricks users into divulging information (credentials) via mass social engineering
Spear phishing
Spear phishing- a more targeted social engineering attack (aka whale hunting, whaling)
Vishing
Vishing- phishing attack carried out over the phone system
Logic Bomb
Logic Bomb: A type of malicious code that lies dormant until a logical event occurs
Back Door Programs
Back Door Programs: A program that allows access (often administrative access) to a system while bypassing normal security controls.
Salami
Salami: Many small attacks add up to equal a large attack
Data Diddling
Data Diddling: Altering/Manipulating data, usually before entry
Sniffing
Sniffing: Capturing and viewing packets through the use of a protocol analyzer. Best defense: encryption
Session Hijacking
Session Hijacking: An attacker steps in between two hosts and either monitors the exchange or, often, disconnects one of them.
Session hijacks are a type of MITM.
Encryption prevents sniffing; mutual authentication would prevent a session hijack
Session Spoofing
Session Spoofing: Altering a TCP packet so that it appears to be coming from a known, trusted source, thus giving the attacker access to the trusted network
War dialing
War dialing: An attack on a RAS (Remote Access Server) where the attacker tries to find the phone number that accepts incoming calls.
The RAS should be set to use caller ID (can be spoofed), callback (best), and configured so that the modem does not answer until after 4 calls.
Footprinting
Footprinting- probes for network information; includes ping sweeps, port scanning and DNS information gathering
Masquerading attack
Masquerading attack: (aka ARP table poisoning) An attacker alters a system’s ARP table so that it contains incorrect information.
DNS Poisoning
DNS Poisoning: Altering a DNS cache so as to redirect traffic. Used to spoof a legitimate website in order to capture sensitive information, or for denial of service
LOKI
LOKI: sending extra data in ICMP messages (covert channel)
Packers
Packers- used to shrink the size of the executable
Replay Attack
Replay Attack: An attacker captures the traffic from a legitimate session and replays it to authenticate their own session. In a web application, if the attacker can gain access to the authentication cookie in use by another user, they can impersonate that user.
Race Condition
Race Condition: the time of check differs from the time of use (TOCTOU)