CH15 Network Attacks Flashcards
What are the 3 categories of ports and their port number range?
Well-known Ports: 0 to 1023. Assigned by the Internet Assigned Numbers Authority (IANA).
Registered Ports: 1024 – 49,151. They are used by vendors for their own proprietary protocols. Each vendor registers them with IANA prior to using them.
Dynamic or Private Ports: 49,152 – 65,535. Can be used by any application without being registered with IANA.
How many ports are available to use?
65,536 ports are available for use
What is DoS?
DoS = Denial of Service
types of attacks which attempt to make a computer or server’s resources unavailable
For the exam : if the attack causes a system to go offline and to stop providing the service, or it can permanently cause a system to be broken, this could be categorized as a Denial of Service condition
What are the 5 categories of DoS ?
DoS = Denial of Service
Flood Attack - Attempts to send more packets to a single server than they can handle
Ping of Death - sends an oversized and malformed packet to another computer or server
Teardrop - Attack that breaks apart packets into IP fragments, modifies them with overlapping and oversized payloads, and sends them to a victim machine
Permanent Denial of Service attack - Attack which exploits a security flaw to permanently break a networking device by reflashing its firmware
Fork Bomb - Attack that creates a large number of processes to use up the available processing power of a computer
What is a Ping Flood?
A type of flood attack that attempts to flood the server by sending too many ICMP echo request packets (which are known as pings)
What is a Smurf Attack?
A type of flood attack where the attacker tries to amplify pings by sending a ping to the subnet broadcast address; the devices reply to the spoofed source IP (the victim server), using up its bandwidth and processing power
What is a Fraggle Attack?
A type of flood attack where the attacker sends a UDP echo packet to port 7 (ECHO) and port 19 (CHARGEN) to flood a server with UDP packets.
What is a SYN Flood?
Variant of a Denial of Service (DoS) attack where the attacker initiates multiple TCP sessions but never completes the 3-way handshake. Flood guards, timeouts, and an IPS can prevent SYN floods
What is an XMAS attack?
a specialized network scan that sets the FIN, PSH, and URG flags and can cause a device to crash or reboot.
What is DDoS?
DDoS = Distributed Denial of Service
Instead of using a single attacker targeting one server, the attackers use hundreds or even thousands of machines to launch an attack simultaneously against a single server and force it to go offline, creating the denial of service condition.
What is a DNS Amplification attack?
Allows an attacker to generate a high volume of packets intended to flood a victim's website by initiating DNS requests from a spoofed version of the target's IP address
What is Blackholing or Sinkholing?
One of the ways to stop a DDoS: identify the attacking IP addresses and route all their traffic to a non-existent server through the null interface.
This effectively stops the attack. Unfortunately, the attackers can move to a new IP and restart the attack all over again, so this is only a temporary solution
What is an IPS?
IPS = Intrusion Prevention System
An IPS can prevent small-scale DDoS
What is Spoofing?
Occurs when an attacker masquerades as another person by falsifying their identity.
Anything that uniquely identifies a user or system can be spoofed. (Ex. MAC address, IP Address).
Proper authentication is used to detect and prevent spoofing
What is Hijacking?
Exploitation of a computer session in an attempt to gain unauthorized access to data, services, or other resources on a computer or server
What are the 8 types of session hijacking?
- Session Theft
- TCP/IP hijacking
- Blind hijacking
- Clickjacking
- Man-in-the-Middle (MITM)
- Man-in-the-Browser
- The watering hole attack
- Cross-site scripting attacks (XSS)
What is Session Theft?
One of the session hijacking methods where the attacker guesses the session ID for a web session, enabling them to take over the already authorized session of the client.
What is TCP/IP hijacking?
One of the session hijacking methods where the attacker takes over a TCP session between two computers without the need for a cookie or other host access
What is Blind hijacking?
One of the session hijacking methods where the attacker blindly injects data into the communication stream without being able to see whether it is successful
What is Clickjacking?
One of the session hijacking methods where the attacker uses multiple transparent layers to trick a user into clicking on a button or link on a page when they intended to click on the actual page
What is Man-in-the-Middle (MITM)?
One of the session hijacking methods where the attack causes data to flow through the attacker's computer, where they can intercept or manipulate the data
What is Man-in-the-Browser?
One of the session hijacking methods where a Trojan infects a vulnerable web browser and modifies the web pages or transactions being done within the browser
What is the watering hole attack?
One of the session hijacking methods where malware is placed on a website that the attacker knows their potential victims will access
What is a Cross-site scripting attack (XSS)?
One of the session hijacking methods where the attacker targets the client's computer and tricks it into thinking the code came from a trusted web server.
What is a Replay Attack?
Network-based attack where a valid data transmission is fraudulently or maliciously rebroadcast, repeated, or delayed.
To prevent it, ensure that websites and devices use session tokens to uniquely identify when an authentication session is occurring. Also use multi-factor authentication
What is a Null Session attack?
A connection to the Windows interprocess communications share (IPC$). IPC$ is an administrative share that you don't see as a normal user, but it allows computers across the network to send each other the information they know about files, folders, users, groups, computers, and servers. An attacker is able to create a null connection to a computer and use that information as part of their follow-on attack.
On Windows, the following command creates a null session:
net use \\10.0.2.15\ipc$ "" /u:""
To stop null session attacks, block ports 445 and 139; this will block SMB (your file sharing) as well as NetBIOS on port 139.
Install an IPS at your boundary to prevent anyone outside your network from making a null connection to your machine
What is a Transitive Attack?
If one network trusts a second network, and the second network trusts a third network, then the first network effectively trusts the third network.
If an attacker can get into any one of those three networks, he can then get into the other two as well, based on the transitive trust. Whenever you connect your network to somebody else's network using a trust relationship, you are inherently assuming all of the risk of their security posture, or their lack of one, in addition to your own security posture
What is DNS Poisoning?
It is a type of DNS attack that occurs when the name resolution information is modified in the DNS server's cache. If the cache is poisoned, then the user can be redirected to a malicious website.
To prevent DNS poisoning, Secure DNS (DNSSEC) was created. DNSSEC uses encrypted digital signatures when passing DNS information between servers to help protect it from poisoning
What are Unauthorized Zone Transfers?
A type of DNS attack where the attacker requests replication of the DNS information to their systems for use in planning future attacks. Zone transfers should always be restricted to two known and trusted servers only; nobody else should be allowed to request zone transfers
What is an Altered Hosts File attack?
The attacker modifies the hosts file so the client bypasses the DNS server and is redirected to an incorrect or malicious website.
The hosts file is located at: %systemroot%\system32\drivers\etc
What is Domain Name Kiting?
Exploits a process in the way a domain name is registered so that the domain name is kept in limbo and cannot be registered by an authenticated buyer. When a new domain name is registered, it is given 5 days before it expires, so the user keeps renewing the domain name before the 5 days are up.
What is ARP poisoning?
ARP = Address Resolution Protocol
ARP converts an IP address to a MAC address. ARP Poisoning exploits the IP-address-to-MAC resolution in a network to steal, modify, or redirect frames within the local area network.
ARP poisoning allows an attacker to take over any session within the LAN.
To prevent ARP poisoning, set up VLAN segmentation within your network. Also set up DHCP snooping to ensure that IP addresses aren't being stolen