Attacks Flashcards

Attacks

1
Q

Zero-day vulnerability

A

Zero-day vulnerability- a vulnerability that is known (to attackers, researchers or the public) before a vendor patch is available

2
Q

Zero-day exploit

A

Zero-day exploit- refers to the existence of working exploit code for a vulnerability that has yet to be patched

3
Q

Session hijacking

A

Session hijacking- seizing control of an existing, already-authenticated network session (e.g. by stealing the session token or predicting TCP sequence numbers)

4
Q

MITM

A

MITM (man-in-the-middle; also called machine- or monkey-in-the-middle)- places the attacker between two communicating parties, e.g. the victim and the system it is talking to
o The attacker spoofs (masquerades as) an endpoint, sniffs the traffic, and then relays it through a malicious system in the middle, where it can be read, modified or injected

5
Q

Virus

A

Virus- a piece of malicious code that attaches itself to executable code. It needs a host program in which to live, and an action by the user (running the host) to spread.
o Macro virus- written in an application macro language; e.g. MS Word/Office documents
o Boot sector virus- infects the boot sector or MBR so it loads at startup, before the OS
o Stealth virus- hides itself from the OS and antivirus (e.g. by intercepting file reads and returning the clean original)
o Polymorphic virus- changes its code (and therefore its signature) on each infection to evade signature-based detection
o Multipartite virus- spreads via multiple vectors (e.g. both the boot sector and executable files)

6
Q

Worm

A

Worm- self-propagates and spreads across the network without user interaction (unlike a virus, it does not need a host program)

7
Q

Trojan Horse

A

Trojan Horse- provides the user with a desired functionality while also carrying hidden malicious functionality. It often provides persistent backdoor access

8
Q

Rootkits

A

Rootkits- designed to hide the existence of certain processes or programs from normal methods of detection and to enable continued privileged access to a computer;
a kernel-mode rootkit replaces or hooks portions of the kernel or OS (ring 0);
a user-mode rootkit operates in ring 3 (e.g. by replacing system binaries or hooking user-space libraries)

9
Q

DoS

A

DoS (Denial of Service): the purpose of these attacks is to overwhelm a system (or exhaust its resources) and disrupt its availability

10
Q

DDoS

A

DDoS (Distributed Denial of Service): characterized by the use of control machines (handlers) and zombies (bots).
An attacker uploads software to the control machines, which in turn commandeer unsuspecting machines to perform an attack on the victim.
The idea is that if one machine can initiate a denial of service attack, then many machines performing the attack together are far more effective (and much harder to filter by source).

11
Q

Land attack

A

LAND (Local Area Network Denial) attack: a DoS attack that sends a specially crafted spoofed SYN packet whose source IP address and port are the same as the destination IP address and port, causing a vulnerable TCP stack to reply to itself and lock up.

12
Q

SMURF

A

SMURF: a variation of the ICMP flood attack in which Echo Requests carrying the intended victim’s spoofed source IP are sent to a network’s IP broadcast address; every host on that network replies to the victim, amplifying the flood.
Countermeasures:- Disable ICMP echo (or rate-limit ICMP) on perimeter systems.- Disable IP directed broadcasts on routers.- Use packet filtering and stateful inspection

13
Q

Syn Flood

A

SYN Flood: a type of attack that exploits the TCP three-way handshake (SYN, SYN-ACK, ACK); the attacker sends many SYNs (often from spoofed sources) and never completes the handshake, filling the target’s half-open connection table. Layer 4 attack.
Countermeasures: a stateful firewall or SYN proxy; limit the allowed number of half-open connections; reduce the amount of time before half-open connections are purged; SYN cookies, which avoid allocating state until the final ACK arrives.
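Worked example (added here, not part of the original flashcards): detection logic for the LAND and SYN flood cards, run over a constructed TCP segment log. The packet records and the half-open threshold are made up for the example; a real sensor would export the same five fields per segment.

```python
from collections import defaultdict

# Constructed sample log: one dict per TCP segment, as a sensor might export it.
# 'flags' uses the usual letters: S = SYN, A = ACK ("SA" is a SYN-ACK).
PACKETS = [
    # LAND: source and destination IP/port are identical, SYN set
    {"src": "10.0.0.5", "sport": 80, "dst": "10.0.0.5", "dport": 80, "flags": "S"},
    # a legitimate, completed handshake from 192.0.2.10
    {"src": "192.0.2.10", "sport": 40000, "dst": "10.0.0.5", "dport": 80, "flags": "S"},
    {"src": "10.0.0.5", "sport": 80, "dst": "192.0.2.10", "dport": 40000, "flags": "SA"},
    {"src": "192.0.2.10", "sport": 40000, "dst": "10.0.0.5", "dport": 80, "flags": "A"},
]
# SYN flood: 50 SYNs from one source, none of which is ever completed
PACKETS += [
    {"src": "198.51.100.7", "sport": 1000 + i, "dst": "10.0.0.5", "dport": 80, "flags": "S"}
    for i in range(50)
]


def is_syn_only(pkt):
    return "S" in pkt["flags"] and "A" not in pkt["flags"]


def is_land(pkt):
    """LAND signature: a SYN whose source IP:port equals its destination IP:port."""
    return is_syn_only(pkt) and pkt["src"] == pkt["dst"] and pkt["sport"] == pkt["dport"]


def find_land_packets(packets):
    return [p for p in packets if is_land(p)]


def half_open_by_source(packets):
    """Count half-open connections per source IP.

    A 4-tuple becomes half-open when its SYN is seen and stops being half-open
    when the same 4-tuple sends the final ACK of the handshake.
    """
    pending = set()
    for p in packets:
        key = (p["src"], p["sport"], p["dst"], p["dport"])
        if is_syn_only(p):
            pending.add(key)
        elif p["flags"] == "A" and key in pending:
            pending.discard(key)
    counts = defaultdict(int)
    for src, _, _, _ in pending:
        counts[src] += 1
    return dict(counts)


def suspected_syn_flooders(packets, threshold=20):
    """Sources holding at least `threshold` half-open connections.

    The threshold is an assumed tuning value; a real deployment would derive it
    from the target's normal half-open count.
    """
    return sorted(src for src, n in half_open_by_source(packets).items() if n >= threshold)
```

The LAND check is a per-packet signature, while the SYN flood check needs state across packets, which is exactly why the card says a stateful device is needed to catch it.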

14
Q

Fraggle

A

Fraggle: similar to Smurf, but uses UDP (typically the echo service on port 7) instead of ICMP. Layer 4 attack.
Mitigate by blocking IP directed broadcasts on routers

15
Q

ICMP Flood

A

ICMP Flood: large numbers of ICMP packets are sent to the target to consume bandwidth and processing resources.
Countermeasures: ICMP should be disabled or rate-limited across perimeter systems.

16
Q

Teardrop

A

Teardrop Attack: the length and fragment offset fields of sequential IP fragments are modified so that the fragments overlap, confusing the target’s reassembly code and crashing the system.
Overlapping fragments can also be used to evade inspection: a later fragment overwrites part of an earlier one after a filter has already seen it, changing e.g. the TCP header so that what the filter saw as HTTP is reassembled by the host as Telnet.
Countermeasure: employ a filtering device that performs virtual packet reassembly before making its decision

17
Q

Ping of death

A

Ping of death- a malformed ICMP echo request that, once reassembled from its fragments, is larger than the maximum IP packet size (65,535 bytes); older IP stacks overflowed their reassembly buffer and crashed

18
Q

Ping Flooding

A

Ping Flooding: overwhelming a system with a multitude of ICMP echo requests (pings).

19
Q

Buffer Overflow

A

Buffer Overflow: attacks that write more data into a fixed-size buffer than it can hold, overwriting adjacent memory (e.g. a return address on the stack) and potentially allowing attacker-controlled code to execute.
Best avoided with input validation and bounds checking

20
Q

Bonk

A

Bonk: similar to the Teardrop attack. Manipulates fragment offsets so that the target’s IP reassembly accepts a packet that is much too large, crashing it (historically affected older Windows systems)

21
Q

UDP Flood

A

UDP Flood: large numbers of UDP packets are sent to the target to consume resources (each one to a closed port also provokes an ICMP unreachable reply).
Countermeasures: use a router or firewall to filter UDP and drop UDP traffic to ports where UDP is not a required service.

22
Q

DNS reflection

A

DNS reflection- (like Smurf) leverages third parties: the attacker sends DNS queries with the victim’s spoofed source IP to many poorly configured (open) DNS servers, which send their replies to the victim. To amplify the attack, the attacker first makes those servers query an attacker-controlled DNS server and cache large DNS records, then requests those large records so that each small query produces a large reply delivered to the victim.

23
Q

Steganography

A

Steganography: attempts to conceal data by hiding it inside other data. Done by placing information in graphics, sound files or document headers (e.g. in the least significant bits of pixel or sample values), so that the carrier looks unchanged
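Worked example (added here, not part of the original flashcards): least-significant-bit steganography over a constructed byte array standing in for 8-bit pixel or audio samples. A 4-byte length header followed by the payload is written one bit per sample, so no sample changes by more than 1; the cover data and message are made up for the example.

```python
def embed_lsb(cover: bytes, secret: bytes) -> bytes:
    """Hide `secret` in the least significant bit of each cover sample.

    Layout: a 4-byte big-endian length header followed by the payload, one bit
    per sample. Each sample changes by at most 1, which is invisible in an
    8-bit image or audio stream.
    """
    payload = len(secret).to_bytes(4, "big") + secret
    bits = [(byte >> (7 - i)) & 1 for byte in payload for i in range(8)]
    if len(bits) > len(cover):
        raise ValueError("cover too small: need %d samples, have %d" % (len(bits), len(cover)))
    out = bytearray(cover)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | bit
    return bytes(out)


def _read_bytes(stego: bytes, start: int, n: int) -> bytes:
    """Reassemble n bytes from the LSBs of stego[start:start + 8n]."""
    out = bytearray()
    for j in range(n):
        value = 0
        for i in range(8):
            value = (value << 1) | (stego[start + j * 8 + i] & 1)
        out.append(value)
    return bytes(out)


def extract_lsb(stego: bytes) -> bytes:
    """Read the length header (first 32 samples), then that many payload bytes."""
    length = int.from_bytes(_read_bytes(stego, 0, 4), "big")
    return _read_bytes(stego, 32, length)


def max_sample_change(cover: bytes, stego: bytes) -> int:
    """Largest per-sample difference the embedding introduced."""
    return max(abs(a - b) for a, b in zip(cover, stego))


# Constructed cover: 256 samples of a smooth gradient standing in for pixel values.
COVER = bytes((i * 7) % 256 for i in range(256))
```

Because only the lowest bit moves, visual inspection of the carrier reveals nothing; detection relies on statistics of the LSB plane rather than on what the image looks like.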

24
Q

Password Cracking types

A

Password Cracking
o Dictionary attack- try a list of common passwords/words
o Brute force- try all possible combinations
o Hybrid attack- dictionary words with mangling rules applied (case changes, character substitutions, appended digits)
o LanMan (LM) hashes- weak legacy Microsoft hashing function (password uppercased, split into two 7-character halves, no salt) that is trivially cracked
o Rainbow tables- precomputed tables that match hashes back to passwords

25
Q

Chosen plaintext attack

A

A cryptanalyst ‘chooses’ the plaintext to be encrypted in a chosen plaintext attack; the goal is to derive the key. Encrypting without knowing the key is done via an encryption oracle (a device that encrypts without revealing the key).
Adaptive chosen plaintext begins with a chosen plaintext attack in round 1. The cryptanalyst then adapts the plaintexts chosen in further rounds based on the results of the previous round.

26
Q

Known plaintext attack

A

A known plaintext attack relies on ‘recovering’ and analyzing a matching plaintext and ciphertext pair. The goal is to derive the key that was used.

27
Q

Known key attack

A

Known key means the cryptanalyst ‘knows something about’ the key (e.g. its format or some of its bits), which reduces the effort needed to attack it

28
Q

Chosen ciphertext attack

A

Chosen ciphertext attack: the cryptanalyst chooses the ciphertext to be decrypted and obtains the corresponding plaintext.
This attack is usually launched against ‘asymmetric’ cryptosystems, where the cryptanalyst can submit chosen ciphertexts to a decryption oracle (the holder of the private key) and use the results to learn about the key or about other plaintexts.
Adaptive chosen ciphertext begins with a chosen ciphertext attack in round 1. The cryptanalyst then adapts the ciphertexts chosen in further rounds based on the results of the previous round.

29
Q

Meet-in-the-middle attack

A

A meet-in-the-middle attack encrypts on one side, decrypts on the other side, and looks for a match in the middle.
The most common target is double DES, which encrypts with two keys in encrypt, encrypt order; the attack reduces the effort from the 2^112 of brute force to roughly 2^57 operations, at the cost of a large lookup table.
The attack is a known plaintext attack- the attacker has a copy of a matching plaintext and ciphertext pair and seeks to recover the two keys used to encrypt.
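Worked example (added here, not part of the original flashcards): the meet-in-the-middle attack run against double encryption with a toy 32-bit block cipher and 16-bit keys, so the whole key space can be tabulated in well under a second. The cipher, the keys and the plaintexts are made up for the example; the attack logic is the same one that breaks double DES.

```python
from collections import defaultdict

# Toy 32-bit block cipher with a 16-bit key: small enough that the full key
# space (65,536 keys) can be tabulated in a fraction of a second.
MASK32 = 0xFFFFFFFF
MUL = 0x9E3779B1            # odd, so multiplication mod 2^32 is invertible
MUL_INV = pow(MUL, -1, 1 << 32)
KEY_BITS = 16


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def _rotr(x, n):
    return ((x >> n) | (x << (32 - n))) & MASK32


def encrypt(p, k):
    x = (p ^ (k | (k << 16))) & MASK32
    x = (x * MUL) & MASK32
    x = _rotl(x, 7)
    return x ^ ((k * 0x2545F491) & MASK32)


def decrypt(c, k):
    x = c ^ ((k * 0x2545F491) & MASK32)
    x = _rotr(x, 7)
    x = (x * MUL_INV) & MASK32
    return x ^ (k | (k << 16))


def double_encrypt(p, k1, k2):
    """Encrypt-encrypt with two independent keys, as in double DES."""
    return encrypt(encrypt(p, k1), k2)


def meet_in_the_middle(pairs):
    """Recover (k1, k2) from known (plaintext, ciphertext) pairs.

    Forward table: E_k1(P) for every k1 (2^16 encryptions). Then for every k2
    compute D_k2(C) and look it up (2^16 decryptions): about 2^17 work instead
    of the 2^32 needed to brute-force both keys. Extra pairs filter out the
    false matches the first pair produces.
    """
    (p0, c0), rest = pairs[0], pairs[1:]
    table = defaultdict(list)
    for k1 in range(1 << KEY_BITS):
        table[encrypt(p0, k1)].append(k1)
    candidates = []
    for k2 in range(1 << KEY_BITS):
        for k1 in table.get(decrypt(c0, k2), ()):
            if all(double_encrypt(p, k1, k2) == c for p, c in rest):
                candidates.append((k1, k2))
    return candidates


def mitm_work_factor():
    """(meet-in-the-middle operations, brute-force operations) for this key size."""
    return 2 * (1 << KEY_BITS), 1 << (2 * KEY_BITS)
```

The table is the attack's real cost: for double DES it holds 2^56 entries, which is why the attack is a memory/time trade-off rather than a free win, and why triple DES (three keys, or two keys in EDE order) is used instead of double DES.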

30
Q

Birthday attack

A

The birthday attack is used to create hash collisions. Matching any birthday is easier than matching a specific birthday, so finding any two inputs that hash to the same value is far easier than finding an input that matches one specific hash: roughly 2^(n/2) attempts for an n-bit hash instead of 2^n.
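Worked example (added here, not part of the original flashcards): a birthday attack on a hash truncated to 32 bits, next to the brute-force preimage search it beats. SHA-256 truncated to a few bits stands in for a weak hash so that the collision can be found in tens of thousands of attempts instead of 2^128; the message prefix is made up for the example.

```python
import hashlib
import math


def truncated_hash(data: bytes, bits: int) -> int:
    """Top `bits` bits of SHA-256, standing in for a short hash."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") >> (256 - bits)


def find_collision(bits: int, prefix: bytes = b"msg-"):
    """Generate distinct messages until two share a truncated hash (the birthday attack).

    Returns (message_a, message_b, attempts). Memory grows with the number of
    attempts, which is the price of the sqrt(N) speed-up.
    """
    seen = {}
    counter = 0
    while True:
        msg = prefix + counter.to_bytes(4, "big")
        h = truncated_hash(msg, bits)
        if h in seen:
            return seen[h], msg, counter + 1
        seen[h] = msg
        counter += 1


def find_preimage(target: int, bits: int, prefix: bytes = b"msg-", limit: int = 1 << 20):
    """Brute-force a *specific* hash value: expected 2^bits attempts, so this is
    only feasible here because `bits` is tiny. Returns (message, attempts)."""
    for counter in range(limit):
        msg = prefix + counter.to_bytes(4, "big")
        if truncated_hash(msg, bits) == target:
            return msg, counter + 1
    return None, limit


def expected_collision_attempts(bits: int) -> float:
    """E[attempts until the first collision] ~ sqrt(pi/2 * 2^bits)."""
    return math.sqrt(math.pi / 2 * 2 ** bits)


def collision_probability(attempts: int, bits: int) -> float:
    """P(at least one collision among `attempts` values) ~ 1 - exp(-n(n-1) / 2N)."""
    return 1 - math.exp(-attempts * (attempts - 1) / (2 * 2 ** bits))
```

For a 32-bit hash a collision is expected after about 82,000 attempts, while a preimage for a chosen value needs about 4.3 billion: the same square-root gap that makes a 128-bit hash offer only 64 bits of collision resistance.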

31
Q

Side-channel attack

A

Side-channel attacks use physical information leaked by the implementation to break a cryptosystem, such as timing, CPU cycle counts, power consumption or electromagnetic emanations measured while encrypting or decrypting

32
Q

Dictionary attack

A

Dictionary attack- a method of breaking into a password-protected computer or server by systematically trying every word in a dictionary (wordlist) as the password

33
Q

Brute force attack

A

Brute force attack- every possible password combination is tried; guaranteed to succeed eventually, but the time required grows exponentially with password length

34
Q

Rainbow tables

A

Rainbow tables- a precomputed table of plaintext passwords and their hashes (stored as compressed hash chains) used for lookup when cracking password hashes; defeated by salting, since each salt would require its own table

35
Q

Hybrid attack

A

Hybrid attack- changes characters in dictionary words (case, substitutions, appended digits or symbols) before hashing
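Worked example (added here, not part of the original flashcards) covering the password cracking cards above: a small cracker that tries dictionary, hybrid (mangled dictionary) and brute-force candidates in that order against salted SHA-256 hashes, plus a precomputed (rainbow-style) lookup that only works when the hash is unsalted. The wordlist, mangling rules, salt and target passwords are all made up for the example; a real run would use a rockyou-sized list and a password hash such as bcrypt would make each guess far more expensive.

```python
import hashlib
import itertools
import string

# Constructed wordlist and mangling rules; real crackers ship thousands of rules.
WORDLIST = ["123456", "password", "sunshine", "letmein", "dragon"]
LEET = [("o", "0"), ("a", "@"), ("e", "3"), ("s", "$"), ("i", "1")]
SUFFIXES = ["", "1", "123", "!", "2024"]


def salted_hash(password: str, salt: str) -> str:
    return hashlib.sha256((salt + password).encode()).hexdigest()


def unsalted_hash(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()


def dictionary_candidates(wordlist):
    """Dictionary attack: each word exactly as listed."""
    yield from wordlist


def hybrid_candidates(wordlist):
    """Hybrid attack: dictionary words mangled the way users do (case, leet swaps, suffixes)."""
    for word in wordlist:
        bases = {word, word.capitalize(), word.upper()}
        for base in list(bases):
            for plain, leet in LEET:
                bases.add(base.replace(plain, leet))
        for base in bases:
            for suffix in SUFFIXES:
                yield base + suffix


def brute_force_candidates(alphabet=string.ascii_lowercase + string.digits, max_len=3):
    """Brute force: every string over the alphabet up to max_len (36^3 = 46,656 for len 3)."""
    for n in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=n):
            yield "".join(chars)


def crack(target_hash: str, salt: str, wordlist=WORDLIST):
    """Try the cheap attacks first. Returns (mode, password, guesses) or (None, None, guesses)."""
    guesses = 0
    modes = [
        ("dictionary", dictionary_candidates(wordlist)),
        ("hybrid", hybrid_candidates(wordlist)),
        ("brute-force", brute_force_candidates()),
    ]
    for mode, candidates in modes:
        for candidate in candidates:
            guesses += 1
            if salted_hash(candidate, salt) == target_hash:
                return mode, candidate, guesses
    return None, None, guesses


# Precomputed lookup (what a rainbow table amounts to): hash -> password, built once,
# reused against any leaked hash. It only matches hashes computed without a salt.
PRECOMPUTED = {unsalted_hash(word): word for word in WORDLIST}


def lookup_precomputed(hash_value: str):
    return PRECOMPUTED.get(hash_value)
```

The ordering matters: the hybrid pass finds "Passw0rd!" in a few hundred guesses, whereas pure brute force over a 9-character mixed alphabet would never get there; and the salted hash of "sunshine" is not in the precomputed table even though the word is in the wordlist, which is the whole point of salting.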

36
Q

Black hat

A

Black hat- malicious hackers, also called crackers

37
Q

White hat

A

White hat- ethical hackers who perform authorized penetration testing

38
Q

Gray hat

A

Gray hat- not malicious, but acts without authorization; exploits a system to bring its weakness to attention

39
Q

Script Kiddies

A

Script Kiddies- attack with tools they have little or no understanding of

40
Q

Outsiders

A

Outsiders- unauthorized attackers with no legitimate privileges on the target

41
Q

Insiders

A

Insiders- internal users who intentionally or accidentally attack a system; they cause most high-impact incidents because they already have access and trust

42
Q

Hacktivist

A

Hacktivist- attacks for political or ideological reasons

43
Q

Bots & Botnets

A

Bots & Botnets- a bot (aka zombie) is a compromised system running malware that is controlled, as part of a botnet, by a bot herder (human)
o Systems become bots after infection via server- or client-side attacks, trojans, etc.
o Botnets often use IRC (Internet Relay Chat), HTTP or HTTPS for command and control (C2)

44
Q

Phishing

A

Phishing- the attacker tricks users into divulging information (credentials) via mass, untargeted social engineering, typically email that impersonates a trusted organization

45
Q

Spear phishing

A

Spear phishing- a more targeted social engineering attack, tailored to a specific person or organization; when aimed at senior executives it is called whaling (aka whale hunting)

46
Q

Vishing

A

Vishing- voice phishing: a social engineering attack carried out over the phone system

47
Q

Logic Bomb

A

Logic Bomb: a type of malicious code that lies dormant until a logical condition is met or an event occurs (e.g. a date, or an employee’s account being deleted)

48
Q

Back Door Programs

A

Back Door Programs: a program that allows access (often administrative access) to a system while bypassing normal security controls.

49
Q

Salami

A

Salami: many small attacks (e.g. skimming fractions of a cent from many transactions) add up to equal a large attack

50
Q

Data Diddling

A

Data Diddling: altering or manipulating data, usually before or during entry into a system

51
Q

Sniffing

A

Sniffing: capturing and viewing packets through the use of a protocol analyzer. Best defense: encryption

52
Q

Session Hijacking

A

Session Hijacking: where an attacker steps in between two hosts and either monitors the exchange or, often, disconnects one of them and takes over its side of the session.
Session hijacks are a type of MITM.
Encryption prevents sniffing, and mutual authentication would prevent a session hijack

53
Q

Session Spoofing

A

Session Spoofing: altering a TCP/IP packet so that it appears to come from a known, trusted source (IP spoofing), thus giving the attacker access to the trusted network

54
Q

War dialing

A

War dialing: an attack on a RAS (Remote Access Server) where the attacker dials through ranges of phone numbers to find the one whose modem answers incoming calls.
RAS should be set to use caller ID (can be spoofed), callback to a pre-registered number (best), and configured so that the modem does not answer until after 4 rings.

55
Q

Foot Printing

A

Foot Printing- probing for network information: includes ping sweeps, port scanning and DNS information gathering

56
Q

Masquerading attack

A

Masquerading attack: (aka ARP table poisoning) an attacker alters a system’s ARP table so that it contains incorrect information, e.g. mapping a trusted host’s IP address to the attacker’s MAC address so that the attacker receives that host’s traffic.

57
Q

DNS Poisoning

A

DNS Poisoning: altering a DNS cache so as to redirect traffic. Used to spoof a legitimate website in order to capture sensitive information, or for denial of service

58
Q

LOKI

A

LOKI: a covert-channel tool that sends extra data in the payload of ICMP echo messages, tunneling traffic past filters that allow ping

59
Q

Packers

A

Packers- used to compress (shrink) the size of an executable; malware also uses them to obfuscate its code and evade signature-based detection

60
Q

Replay Attack

A

Replay Attack: an attacker captures the traffic from a legitimate session and replays it to authenticate their own session. In a web application, if the attacker can gain access to the authentication cookie in use by another user, they can impersonate that user.
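Worked example (added here, not part of the original flashcards): the same captured, correctly authenticated message delivered twice to a verifier that checks only the MAC and to one that also checks a timestamp window and remembers nonces. The shared key, message contents and clock values are made up for the example; the construction (HMAC over payload + nonce + timestamp) is the standard defense the card's "replays it" scenario calls for.

```python
import hashlib
import hmac
import json

# Constructed shared secret; in practice it comes from a key exchange or provisioning.
SHARED_KEY = b"example-shared-secret"


def _mac(key: bytes, body: dict) -> str:
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def sign_message(key: bytes, payload: dict, nonce: str, ts: float) -> dict:
    """Client side: bind the payload to a fresh nonce and a timestamp, then MAC the lot."""
    body = {"payload": payload, "nonce": nonce, "ts": ts}
    return {**body, "mac": _mac(key, body)}


def mac_valid(key: bytes, msg: dict) -> bool:
    body = {k: msg[k] for k in ("payload", "nonce", "ts")}
    return hmac.compare_digest(_mac(key, body), msg["mac"])


class NaiveVerifier:
    """Checks only the MAC: a captured message stays valid forever."""

    def __init__(self, key):
        self.key = key

    def accept(self, msg, now):
        return mac_valid(self.key, msg)


class ReplaySafeVerifier:
    """Checks the MAC, rejects stale timestamps, and remembers nonces seen inside the window."""

    def __init__(self, key, window=30.0):
        self.key = key
        self.window = window
        self.seen = {}  # nonce -> timestamp

    def accept(self, msg, now):
        if not mac_valid(self.key, msg):
            return False
        if abs(now - msg["ts"]) > self.window:
            return False
        # forget nonces that can no longer be replayed inside the window
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.window}
        if msg["nonce"] in self.seen:
            return False
        self.seen[msg["nonce"]] = msg["ts"]
        return True


def replay_demo():
    """Deliver one captured message twice to each verifier.

    Returns {verifier_name: (first_delivery_accepted, replay_accepted)}. The
    clock is passed in explicitly so the run is deterministic.
    """
    captured = sign_message(SHARED_KEY, {"action": "transfer", "amount": 100}, nonce="n-1", ts=1000.0)
    results = {}
    for name, verifier in (("naive", NaiveVerifier(SHARED_KEY)), ("replay_safe", ReplaySafeVerifier(SHARED_KEY))):
        results[name] = (verifier.accept(captured, now=1001.0), verifier.accept(captured, now=1005.0))
    return results
```

The timestamp window bounds how long the nonce cache has to be kept; without the window the verifier would have to remember every nonce forever, and without the nonce a replay inside the window would still be accepted.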

61
Q

Race Condition

A

Race Condition: a flaw where the outcome depends on the timing of events; the classic form is time-of-check/time-of-use (TOCTOU), where the state that was checked differs from the state at the time it is used
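Worked example (added here, not part of the original flashcards): a TOCTOU race on a file write, with the check-then-use version beside a hardened one that opens the path once with O_NOFOLLOW and validates the descriptor it got. The race window is simulated with a hook so the attacker's symlink swap lands deterministically between check and use; the file names and contents are made up for the example, and O_NOFOLLOW is assumed available (POSIX).

```python
import os
import stat
import tempfile


def vulnerable_write(path, data, race_hook=lambda: None):
    """Check-then-use: the symlink check and the open() are two separate syscalls."""
    if os.path.islink(path):            # time of check
        return False
    race_hook()                          # the window an attacker can win
    with open(path, "w") as f:           # time of use: open() follows symlinks
        f.write(data)
    return True


def hardened_write(path, data, race_hook=lambda: None):
    """Open once with O_NOFOLLOW, then validate the descriptor rather than the path.

    Whatever the attacker does to the path afterwards cannot change the file the
    descriptor refers to. (O_NOFOLLOW is a POSIX flag; assumed available here.)
    """
    race_hook()
    try:
        fd = os.open(path, os.O_WRONLY | os.O_NOFOLLOW)
    except OSError:                      # ELOOP: the path is (now) a symlink
        return False
    try:
        if not stat.S_ISREG(os.fstat(fd).st_mode):
            return False
        os.write(fd, data.encode())
    finally:
        os.close(fd)
    return True


def run_scenario(writer):
    """Simulate the race: the attacker swaps the user-controlled file for a symlink
    to a protected file between the writer's check and its use.

    Returns (writer's result, contents of the protected file afterwards).
    """
    with tempfile.TemporaryDirectory() as d:
        protected = os.path.join(d, "protected")
        user_file = os.path.join(d, "user_file")
        with open(protected, "w") as f:
            f.write("ORIGINAL")
        with open(user_file, "w") as f:
            f.write("")

        def attacker():
            os.remove(user_file)
            os.symlink(protected, user_file)

        ok = writer(user_file, "PWNED", race_hook=attacker)
        with open(protected) as f:
            return ok, f.read()
```

The fix is not a faster check but removing the gap: every decision is made on the file descriptor actually being written to, so there is no second path lookup for the attacker to redirect.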