Chapter 5 - Attacks Flashcards

1
Q

What is the difference between a Hacker and a Cracker?

A

Hackers have the knowledge to break into systems without malicious intent.

A Cracker breaks into machines with malicious intent.

2
Q

What are typical examples of basic countermeasures against hackers?

A

Patching Systems

System Hardening
- The practice where unused/unnecessary ports and services are removed/disabled.

System Isolation
- Air gapping systems if necessary

Cyber Awareness for employees

Intrusion Detection Systems

3
Q

What is a SYN Flood DDoS attack?

A

When the client withholds the third ACK packet needed to complete the TCP three-way handshake.

Instead of sending the final ACK, the client sends another SYN request to the server.

The server maintains the half-open sessions, consuming network and hardware resources.

4
Q

What is a PING of Death DDoS attack?

A

A typical ping request is 32 bytes in size; attackers can change this to 64 KB in size, which consumes hardware and network resources.

5
Q

What is a LAND DDoS attack?

A

A Local Area Network Denial (LAND) attack tricks a system into sending packets to itself in an endless loop - this can crash an entire system.

6
Q

What are the two different Wireshark capture modes?

A

Promiscuous Mode:
- The system captures all data it receives, even data not meant for that system.

Non-Promiscuous Mode:
- The system only captures data directed at the system’s IP address.

7
Q

What are the two different types of network scans?

A

ARP Scans:
- ARP messages are sent to identify live hosts within a network
- ARP responses include MAC addresses
- ARP scans do not traverse routers and are thus only effective within a single network/subnet

SYN Scans:
- SYN packets are sent to try to establish connections.
- Live hosts respond with a SYN/ACK message
- The client sends an RST message to reset the connection
- The attacker now knows that the host is live and open for a connection

8
Q

How do operating system scans identify the OS type and version?

A

Data packet fields: Time to Live (TTL) and TCP window size are fields whose values can be used to determine the OS type and version.

9
Q

What is a Salami Attack?

A

A Salami Attack is an attack vector in which many small/minor actions are conducted, such as stealing 0.01% per transaction, which over time adds up to a large impact.

10
Q

What is a Man in the Middle Attack?

A

A Man in the Middle Attack is a form of eavesdropping attack.

The attacker sits between two communicating users and has access to the stream of data.

11
Q

What is a Replay Attack?

A

A Replay Attack is when data packets captured via a sniffer are used later to impersonate a user and gain their system access.

This is prevented by Kerberos and CHAP, which use time-stamps and a number used only once (nonce).

12
Q

What is a Session Hijack Attack?

A

A session hijack is when a threat actor captures session information and takes over the session by impersonating one of the parties involved in the connection through the use of cookies.

13
Q

What is DNS Cache Poisoning?

A

A DNS Cache Poisoning attack is when users are redirected away from legitimate sites and towards malicious hosts.

The attack targets the DNS server’s own cache, not just the client-side cache.

A DNS server’s cache is used when a DNS server queries another DNS server.

DNSSEC protects against this type of attack, as each DNS response to the client is accompanied by an RRSIG that validates the record.

14
Q

What is a Smurf and Fraggle attack?

A

Smurf and Fraggle attacks are forms of DoS attack.

The attacker broadcasts ICMP ping packets to multiple endpoints in a network but spoofs the originating IP address as the target’s IP address.

Hosts that respond to the ping packet then reply to the target host, flooding it with network traffic.

15
Q

What are Buffer Overflow Attacks?

A

Buffer Overflow Attacks occur when an application processes more data than its allocated space in memory can hold.

Attackers insert a large number of No Operation commands (NOOP) with the intent of breaking out of an application’s allocated memory space.

Once out of the allocated memory space, attackers can write malicious code into free memory, outside the application’s allocated memory space.

16
Q

What are SQL injection attacks?

A

SQL injection attacks can grant attackers access to unauthorized database data or let them authenticate without the need for credentials.

Two pieces of SQL syntax are commonly used to make these attack types possible:

semi-colon (;) indicates the end of a SQL statement

two hyphens (--) indicate that the text that follows is a comment and is ignored

Preventing SQL injection attacks requires proper input validation and the use of SQL stored procedures.

SQL stored procedures ensure SQL commands are executed server side, not client side.

This prevents direct user interaction with SQL queries.

17
Q

What are Cross Site Scripting Attacks?

A

An XSS attack is when attackers inject malicious code into a webpage and direct the target to open/interact with that webpage.

The host website is typically a legitimate site that has been compromised to host the malicious code.

18
Q

What are Cross Site Request Forgery (CSRF) attacks?

A

A Cross Site Request Forgery attack is when attackers craft a web link in which commands are embedded in the link itself, such as password change commands.

Since the user is already authenticated via existing cookies, the CSRF command would be executed as an authenticated command.

Asking the user to reauthenticate themselves prior to making actionable changes will prevent such CSRF attacks.

19
Q

What are the three main social engineering factors in phishing attacks?

A

Impersonation

Identification of a problem

Dire consequences

20
Q

What is a spearphish?

A

A spearphish is a directed, highly targeted phishing attack aimed at a limited group of individuals.

21
Q

What is vishing?

A

Phishing that uses the telephony system.

22
Q

What is smishing?

A

Phishing that uses text messages/SMS.

23
Q

What is a typical WPA2 countermeasure against wireless attacks?

A

WPA2 uses an 802.1X authentication server running a RADIUS service.

This 802.1X server requires all users to pass authentication before being allowed onto the network.

24
Q

How does WPA3 improve over WPA2?

A

WPA3 protects against brute-force attacks and uses 192-bit cryptography rather than the 128-bit cryptography used in WPA2.

25
Q

What do Wireless Intrusion Detection/Prevention Systems (WIDPS) monitor?

A

WIDPS monitor for:

Rogue Access Points: where an access point is physically connected to a network and an attacker then connects to it wirelessly.

Evil Twin Access Points: when an attacker names an AP as something legitimate to try to direct users to connect to that access point.

26
Q

What are Wi-Fi Protected Setup (WPS) attacks?

A

Wi-Fi Protected Setup allows users to configure wireless devices.

WPS is protected by a PIN, which can be brute-forced.

A countermeasure is to disable the WPS service when not in use, to prevent any form of WPS attack.

27
Q

What are the typical user awareness countermeasures against cyber attacks?

A

Acceptable use policy of company devices.

Initial training when hired.

Annual refresher training.

Newsletter and periodic updates.

28
Q

What are the two different types of input validation?

A

Client Side and Server Side

29
Q

What is Application Review as a countermeasure?

A

Applications should undergo testing for bugs and any vulnerabilities prior to release.

Line-by-line peer review can be conducted to look for any issues with an application.

30
Q

What is Code Signing as a countermeasure?

A

Certificates can be issued and associated with software to let users know that the file has not lost integrity during distribution.