CH15 Network Attacks Flashcards

1
Q

What are the 3 categories of ports and their port number range?

A

Well-known Ports : 0 to 1023. Assigned by the Internet Assigned Numbers Authority (IANA)

Registered Ports : 1024 – 49,151. They are used by vendors for their own proprietary protocols. Each vendor will register them with IANA prior to using them.

Dynamic or Private Ports : Ports 49,152 – 65,535. Can be used by any application without being registered with IANA

2
Q

How many ports are available to use?

A

65,536 ports are available for use

3
Q

What is DoS?

A

DoS = Denial of Service
types of attacks which attempt to make a computer or server’s resources unavailable

For the exam : if the attack causes a system to go offline and to stop providing the service, or it can permanently cause a system to be broken, this could be categorized as a Denial of Service condition

4
Q

What are the 5 categories of DoS ?

A

DoS = Denial of Service

Flood Attack - Attempts to send more packets to a single server than they can handle

Ping of Death - sends an oversized and malformed packet to another computer or server

the Teardrop - Attack that breaks apart packets into IP fragments, modifies them with overlapping and oversized payloads, and sends them to a victim machine

the Permanent Denial of Service attack - Attack which exploits a security flaw to permanently break a networking device by reflashing its firmware

Fork Bomb - Attack that creates a large number of processes to use up the available processing power of a computer

5
Q

What is a Ping Flood?

A

a type of flood attack that attempts to flood the server by sending too many ICMP echo request packets. (Which are known as pings)

6
Q

What is Smurf Attack ?

A

a type of flood attack where the attacker tries to amplify a ping by sending a ping to the subnet broadcast address, and devices reply to the spoofed IP (victim server), using up bandwidth and processing power

7
Q

What is Fraggle Attack?

A

a type of flood attack where attacker sends a UDP echo packet to port 7 (ECHO) and port 19 (CHARGEN) to flood a server with UDP packets.

8
Q

What is SYN Flood ?

A

Variant of a Denial of Service (DoS) attack where the attacker initiates multiple TCP sessions but never completes the 3-way handshake. Flood guards, timeouts, and an IPS can prevent a SYN flood

9
Q

What is XMAS attack ?

A

a specialized network scan that sets the FIN, PSH, and URG flags and can cause a device to crash or reboot.

10
Q

What is DDoS?

A

DDoS = Distributed Denial of Service

instead of using a single attack targeting one server, they use hundreds or even thousands of machines to launch an attack simultaneously against a single server, and force it to go offline to create that denial of service condition.

11
Q

What is DNS Amplification attack ?

A

allows an attacker to generate a high volume of packets that’s intended to flood a victim’s website by initiating DNS requests from a spoofed version of the target’s IP address

12
Q

What is Blackholing or Sinkholing ?

A

One of the ways to stop a DDoS: it identifies any attacking IP addresses and routes all their traffic to a non-existent server through the null interface.

This effectively stops the attack. Unfortunately, the attackers can move to a new IP and restart the attack all over again. So this is only a temporary solution

13
Q

What is IPS ?

A

IPS = Intrusion Prevention System

IPS can prevent small-scale DDoS

14
Q

What is Spoofing?

A

occurs when an attacker masquerades as another person by falsifying their identity.

Anything that uniquely identifies a user or system can be spoofed. (Ex. MAC address, IP Address).

Proper authentication is used to detect and prevent spoofing

15
Q

What is Hijacking?

A

Exploitation of a computer session in an attempt to gain unauthorized access to data, services, or other resources on a computer or server

16
Q

What are the 8 types of session hijacking?

A
  1. Session Theft
  2. TCP/IP hijacking
  3. Blind hijacking
  4. Clickjacking
  5. Man-in-the-Middle (MITM)
  6. Man-in-the-Browser
  7. The watering hole attack
  8. Cross-site-scripting attacks (XSS)
17
Q

What is Session Theft ?

A

one of the session hijacking methods where the attacker guesses the session ID for a web session, enabling them to take over the already authorized session of the client.

18
Q

What is TCP/IP hijacking?

A

one of the session hijacking methods where attacker takes over a TCP session between two computers without the need of a cookie or other host access

19
Q

What is Blind hijacking ?

A

one of the session hijacking methods where attacker blindly injects data into the communication stream without being able to see if it is successful or not

20
Q

What is Clickjacking ?

A

one of the session hijacking methods where attacker uses multiple transparent layers to trick a user into clicking on a button or link on a page when they were intending to click on the actual page

21
Q

What is Man-in-the-Middle (MITM)?

A

one of the session hijacking methods where the attack causes data to flow through the attacker’s computer, where they can intercept or manipulate the data

22
Q

What is Man-in-the-Browser?

A

one of the session hijacking methods where a Trojan infects a vulnerable web browser and modifies the web pages or transactions being done within the browser

23
Q

What is the watering hole attack?

A

one of the session hijacking methods where malware is placed on a website that the attacker knows his potential victims will access

24
Q

What is a Cross-site scripting (XSS) attack?

A

one of the session hijacking methods where attacker targets client’s computer and tricks it into thinking the code came from a trusted web server.

25
Q

What is Replay Attack?

A

Network-based attack where a valid data transmission is fraudulently or maliciously rebroadcast, repeated, or delayed.

To prevent, you should ensure that websites and devices are using session tokens to uniquely identify when an authentication session is occurring. Also use multi-factor authentication

26
Q

What is Null Sessions attack?

A

A connection to the Windows interprocess communications share (IPC$). IPC$ is an administrative share that you don’t see as a normal user, but it allows computers across the network to send information that they know about files, folders, users, groups, computers, and servers to each other. An attacker will be able to create a null connection to a computer and use that information as part of their follow-on attack.

On Windows, enter the following command to create a null session:
net use \\10.0.2.15\ipc$ "" /u:""

To stop null session attacks, block ports 445 and 139. This will block SMB, your file sharing, as well as port 139 NetBIOS.
Install an IPS at your boundary to prevent anyone outside your network from making a null connection into your machine

27
Q

What are Transitive Attacks?

A

If one network trusts a second network, and the second network trusts a third network, then the first network really trusts the third network.

If an attacker can get into any one of those three networks, he can then get into the other two as well based on the transitive trust. Whenever you connect your network to somebody else’s network using a trust relationship, you’re inherently assuming all of the risk of their security posture or the lack of their security posture, in addition to your own security posture

28
Q

What is DNS Poisoning?

A

It is a type of DNS attack that occurs when the name resolution information is modified in the DNS server’s cache. If the cache is poisoned, then the user can be redirected to a malicious website.

To prevent DNS poisoning, Secure DNS (DNSSEC) has been created. DNSSEC uses encrypted digital signatures when passing DNS information between servers to help protect it from poisoning

29
Q

What is Unauthorized Zone Transfers ?

A

It is a type of DNS attack where attacker requests replication of the DNS information to their systems for use in planning future attacks. Zone transfers should always be restricted between two known and trusted servers only and not let other people ask for zone transfers

30
Q

What is Altered Hosts Files attack?

A

The attacker modifies the hosts file to have the client bypass the DNS server and redirects them to an incorrect or malicious website.

The hosts file is located at: %systemroot%\system32\drivers\etc

31
Q

What is Domain Name Kiting?

A

exploits a process in the way a domain name is registered so that the domain name is kept in limbo and cannot be registered by an authenticated buyer. When a new domain name is registered, they are given 5 days before it expires, so the user keeps renewing the domain name before the 5 days are up.

32
Q

What is ARP poisoning?

A

ARP = Address Resolution Protocol

ARP converts an IP address to a MAC address. ARP poisoning exploits the IP address to MAC address resolution in a network to steal, modify, or redirect frames within the local area network.

ARP poisoning allows an attacker to take over any sessions within the LAN.

To prevent ARP poisoning, set up VLAN segmentation within your network. Also set up DHCP snooping to ensure that IP Addresses aren’t being stolen