Chapter 5 - Attacks Flashcards
What is the difference between a Hacker and a Cracker?
Hackers have the knowledge to break into systems without malicious intent.
A Cracker breaks into machines with malicious intent.
What are typical examples of basic countermeasures against hackers?
Patching Systems
System Hardening
- The practice where unused/unnecessary ports and services are removed/disabled.
System Isolation
- Air gapping systems if necessary
Cyber Awareness for employees
Intrusion Detection Systems
What is a SYN Flood DDoS attack?
When the client withholds the third ACK packet that would complete the TCP three-way handshake.
Instead of sending the final ACK, the client sends another SYN request to the server.
The server keeps these half-open sessions alive, consuming network and hardware resources.
What is a Ping of Death DDoS attack?
A typical ping request is 32 bytes in size; attackers can change this to 64 KB in size, which consumes hardware and network resources.
What is a LAND DDoS attack?
A Local Area Network Denial (LAND) attack tricks a system into sending packets to itself in an endless loop - this can crash an entire system.
What are the two different Wireshark modes?
Promiscuous Mode:
- The system captures all data it receives, even data not meant for that system.
Non-Promiscuous Mode:
- The system only captures data directed at the system’s IP address.
What are the two different types of network scans?
ARP Scans:
- ARP messages are sent to identify live hosts within a network
- ARP responses include MAC addresses
- ARP scans do not traverse routers and are thus only effective within a single network/subnet
SYN Scans:
- SYN packets are sent to try and establish connections.
- Live hosts respond with a SYN/ACK message
- The client then sends a RST message to reset the connection
- The attacker now knows the host is live and open for a connection
How do operating system scans identify the OS type and version?
By inspecting data packet fields:
Time to Live (TTL) and TCP window size are fields whose values can be used to determine the OS version
What is a Salami Attack?
A Salami Attack is an attack vector where many small/minor actions are conducted, such as stealing 0.01% per transaction; over time this adds up to a large impact.
What is a Man in the Middle Attack?
A Man in the Middle Attack is a form of eavesdropping attack.
The attacker sits between two communicating users and has access to the stream of data.
What is a Replay Attack?
A Replay Attack is when data packets captured with a sniffer are later re-sent to impersonate a user and gain their system access.
This is prevented by Kerberos and CHAP, which use time-stamps and a number used only once (nonce).
What is a Session Hijack Attack?
A session hijack is when a threat actor captures session information and takes over the session by impersonating one of the parties involved in the connection through the use of cookies.
What is DNS Cache Poisoning?
A DNS Cache Poisoning attack is when users are redirected away from legitimate sites and towards malicious hosts.
It targets the DNS server's own cache, not just the client-side cache.
A DNS server's cache is filled when that DNS server queries another DNS server.
DNSSEC protects against this type of attack, as each DNS response to the client is accompanied by an RRSIG record (signature) that validates the record.
What is a Smurf and Fraggle attack?
Smurf and Fraggle attacks are forms of DoS attack.
The attack broadcasts ICMP ping packets to multiple endpoints in a network but spoofs the source IP address to be the target's IP address.
Hosts that respond to the ping then send their replies to the target host, flooding it with network traffic.
What are Buffer Overflow Attacks?
A Buffer Overflow Attack is when an application processes more data than the space allocated for it in memory.
Attackers insert a large number of No Operation (NOOP) instructions with the intent of breaking out of the application's allocated memory space.
Once outside the allocated memory space, attackers can write malicious code into free memory beyond the application's allocation.
What are SQL injection attacks?
SQL injection attacks can grant attackers access to unauthorized database data or allow them to authenticate without credentials.
Two pieces of SQL syntax are commonly used in making these attacks possible:
- a semi-colon (;) indicates the end of a SQL statement
- two hyphens (--) indicate that the text following them is ignored (a comment)
Preventing SQL injection attacks requires proper input validation and the use of SQL stored procedures.
SQL stored procedures ensure SQL commands are executed server side, not client side.
This prevents direct user interaction with SQL queries.
What are Cross Site Scripting Attacks?
An XSS attack is when attackers inject malicious code into a webpage and direct the target to open/interact with that webpage.
The host website is typically a legitimate site that has been compromised to host the malicious code.
What are Cross Site Request Forgery (CSRF) attacks?
A Cross Site Request Forgery attack is when attackers craft a web link in which commands are embedded in the link itself, such as a password change command.
Since the user is already authenticated via existing cookies, the CSRF command is executed as an authenticated command.
Asking the user to re-authenticate before making actionable changes will prevent such CSRF attacks.
What are the three main social engineering factors in phishing attacks?
Impersonation
Identification of a problem
Dire consequences
What is a spearphish?
A spearphish is a directed, highly targeted phishing attack aimed at a limited group of individuals.
What is vishing?
Phishing, but using the telephony system.
What is smishing?
Phishing, but using text messages/SMS.
What is a typical WPA2 countermeasure against wireless attacks?
WPA2 uses an 802.1X authentication server running a RADIUS service.
This 802.1X server requires all users to pass authentication before being allowed onto the network.
How does WPA3 improve over WPA2?
WPA3 protects against brute-force attacks and uses 192-bit cryptography rather than the 128-bit used in WPA2.