Book 5: Hijacking Attacks Flashcards
A way in which we can hijack system information?
LLMNR
what is Link-Local-Multicast Name Resolution?
NetBIOS and LLMNR are protocols used to resolve host names on local networks. Their main function is to resolve host names so that hosts on the local network can communicate with each other.
Any time a system or service blindly reaches out for help to identify a system or service, an attacker can hijack that response and redirect the victim system through a computer we control.
true
what is responder?
a tool that is designed to launch LLMNR attacks.
Automatically launches a number of services to redirect victim systems in order to harvest credentials
- HTTP, HTTPs, SQL Server, Kerberos, FTP, IMAP, SMTP, DNS, LDAP.
Responder launches not only LLMNR attacks but can also launch __ and ___ attacks
NBT-NS
DNS/MDNS
What tool automatically launches a number of services to redirect victim systems to harvest credentials?
responder
what is the goal of responder?
Spoof a system, then be ready to intercept the authentication requests on the fly. In addition, serve up malicious .exe files and force a downgrade to LANMAN authentication (which is easier to crack).
Responder is a tool dedicated to answering stray LLMNR/NBT-NS/proxy requests
true
When a Windows host cannot resolve a hostname using DNS, it uses the LLMNR protocol (Link-Local Multicast Name Resolution) to ask neighboring computers about it. If that also fails, it uses NBT-NS (NetBIOS Name Service).
When LLMNR/NBT-NS is used to resolve a name, any host on the network can reply. Responder is one such tool that poisons the request.
true
Responder will not only harvest credentials, but can also stand up a number of services, because the victim has to go to that server and do something. Whatever request the victim is making, the attacker needs to have that service running so the victim can authenticate, in order to grab their credentials. In addition, it can serve malicious files.
true.
Responder will try to have a service running that the victim can authenticate to, in order to grab credentials?
true
Responder can force the victim to downgrade its authentication to LANMAN?
True, because LANMAN hashes are easier to crack.
How to start responder?
sudo /opt/Responder/Responder.py -I eth0
When a user requests a service whose hostname isn't resolved, Responder will reply to the final resolution attempt (Multicast DNS) with the attacker's IP address, forcing the user to connect to the attacker's service and potentially disclosing password hash information.
yes.
session hijacking involves sniffing and spoofing?
yes.
Defenses of session hijacking:
- Be careful with incoming connections.
- Do not telnet to the firewall.
- Do not telnet to the CA.
- Use strong authentication and encrypted paths (SSH or VPN).
As a defense against session hijacking you should hard-code your ARP tables.
yes
Hard-coded ARP tables cannot be overwritten by gratuitous ARPs.
Yes, BUT it creates overhead because they must be updated on each system if and when changes occur.
Defenses
- Activate port-level security on switches
- Dynamic ARP inspection with DHCP snooping
- Disable LLMNR
- Use strong authentication and encrypted sessions (SSH or VPN)
If the originating host is compromised, strong authentication and encrypted paths do not help, because the session is stolen at the originating machine.
yes
Defense in Identification
arp -a on both Linux and Windows; check for spurious ARP entries.
What tools can be used for identification of session hijacking?
ARPwatch on the LAN
CAMTableExport: across the network
Identification of session hijacking from Windows?
arp -a
ipconfig /displaydns
Identification of session hijacking from UNIX?
arp -a or arp -e
strings /var/cache/nscd/hosts
Containment of session hijacking?
Drop spurious sessions: change the password and restart the service to which the attacker connected.
Eradication/Recovery
change passwords, rebuild systems
Hard-coded ARP tables (having only a specific IP-to-MAC address mapping) cannot be overwritten by gratuitous ARPs.
true.