Deck A Flashcards

1
Q

What is Bluesnarfing

A

Unauthorised access to information (contacts, calendar, messages, files) on a device over Bluetooth, classically by abusing the OBEX object-exchange service without proper pairing

2
Q

What is Bluejacking

A

An attack that sends unsolicited messages to Bluetooth-enabled devices

3
Q

What is BlueSmacking

A

A Denial of Service attack that floods a device with oversized L2CAP echo (ping) packets, exhausting its Bluetooth stack so that it slows down or crashes

4
Q

What is Bluebugging

A

A technique that exploits a flaw in a device's Bluetooth stack to take control of it, for example to place calls, read messages or eavesdrop on conversations

5
Q

What is BlueBorne

A

A set of vulnerabilities (disclosed by Armis in 2017) in the Bluetooth stacks of Android, Linux, Windows and iOS that allow attackers to take control of devices, spread malware or perform other malicious activities via Bluetooth, without pairing

6
Q

What is KNOB (sometimes written KNB)

A

KNOB is an attack that manipulates the encryption key negotiation during Bluetooth connection establishment, forcing a key with very little entropy and thereby weakening the link encryption

7
Q

What does KNOB stand for

A

Key Negotiation Of Bluetooth (CVE-2019-9506)

8
Q

What does BIAS stand for

A

Bluetooth Impersonation AttackS

9
Q

What does BIAS do

A

BIAS (CVE-2020-10135) exploits weaknesses in the authentication procedure used when two already paired devices reconnect (no mandatory mutual authentication, permitted role switches and downgrades to legacy authentication), allowing an attacker to impersonate a trusted device without knowing the long-term link key

10
Q

What is a Car Whisperer

A

A Bluetooth attack (published by the trifinite group in 2005) against car hands-free kits that use a fixed default PIN such as 0000 or 1234: an attacker in range can connect without the owner's knowledge, inject audio into the car's speakers and record audio from its microphone. It does not unlock doors or start the engine

11
Q

What is bluetooth designed for

A

Exchanging data over short distances (typically up to about 10 m) between fixed and mobile devices using 2.4 GHz radio, replacing cables

12
Q

What is a network of bluetooth devices called

A

Piconet

13
Q

What are multiple piconets called when they can interact

A

Scatternet

14
Q

What are risks with bluetooth

A

Unauthorised access, data theft, interference and device tracking

15
Q

What is the legacy Bluejacking attack

A

Sending unsolicited messages to Bluetooth-enabled devices. It does not involve stealing data; it is an annoyance rather than a breach. AirDrop (which uses Bluetooth Low Energy for discovery) suffered from the same problem when users left receiving set to Everyone; Apple mitigated it by making the Everyone setting revert to Contacts Only after 10 minutes

16
Q

What is the legacy Bluebugging attack

A

An attacker gains full control over a Bluetooth-enabled device, allowing them to access and modify information. The attacker achieves this by tricking the victim into pairing with the attacker's device (presented as a trusted one) or by brute-forcing the pairing PIN

17
Q

What is the BlueBorne attack

A

A threat giving attackers the ability to exploit Bluetooth connections and gain complete control over targeted devices (computers, mobiles, TVs and other Bluetooth-enabled devices). It did not require the devices to be paired with the attacker or even to be in discoverable mode, only to have Bluetooth switched on

18
Q

What does KNOB (or KNB) do

A

Exploits a flaw in the Bluetooth BR/EDR specification: when two already paired devices set up a connection they negotiate the entropy of the encryption key, and an attacker in range can intercept this negotiation and force both sides down to a key with one byte of entropy, which is then brute-forced so the attacker can decrypt and inject traffic

19
Q

What are bluetooth attack mitigations

A

Keep devices updated, disable Bluetooth when not needed, keep devices non-discoverable, pair only in private places and don't accept pairing requests from or connect to unknown devices

20
Q

What is Cryptanalysis

A

Cryptanalysis is the process of recovering the plaintext (or the key) from encrypted data without access to the key used in the encryption process

21
Q

What is ciphertext

A

Ciphertext is the scrambled, unreadable form of the plaintext resulting from an encryption algorithm. The transformation is controlled by a key, which is needed again for decryption.

22
Q

What is a Symmetric encryption

A

Same key is used for encryption/decryption

23
Q

What is Asymmetric encryption

A

A public key is used for encryption and the corresponding private key for decryption, so anyone can encrypt to the key owner but only the owner can decrypt. The same key pair is used the other way round for digital signatures: the private key signs and the public key verifies

24
Q

What is frequency analysis

A

A technique based on the statistical study of the letters and symbols in the ciphertext. A simple substitution preserves letter frequencies, so comparing the frequency of characters in the ciphertext with the known frequency of letters in the plaintext language (in English e, t, a, o, i, n are the most common) provides clues to the substitution used

25
What is a Cryptanalysis Side Channel Attack
A category of cryptographic attacks that exploit information inadvertently leaked by the physical execution of a cryptographic algorithm (timing, power draw, sound, electromagnetic emissions) rather than a weakness in the algorithm itself
26
What are the three types of cryptanalysis sidechannel attacks
Timing attacks, Power-monitoring attacks and Acoustic attacks
27
What is a timing attack in cryptanalysis
Where an attacker gains information from the amount of time the system takes to process different inputs. The attacker measures the computation time for chosen inputs and uses the data-dependent differences to make informed guesses about the secret key
28
What is a mitigation of a timing attack
Using constant-time algorithms and comparisons, so that execution time does not depend on secret data, removing the correlation between data-dependent computation times and secret information
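Added example, not from the deck: byte-by-byte recovery of a secret from a comparison that returns at the first mismatching byte. Instead of wall-clock time (noisy, and not reproducible in a test) the leaky oracle reports how many bytes it compared before returning, which is exactly what the timing side channel reveals on a real target; the constant-time comparison from the standard library gives the attacker nothing to rank. The secret is constructed for the demo.

```python
import hmac

SECRET = b"s3cr3t-api-token"   # constructed secret held by the oracle

def leaky_compare(secret: bytes, guess: bytes) -> tuple:
    """Naive comparison that returns at the first mismatching byte.
    Returns (equal, steps); `steps` stands in for the response time an
    attacker would measure on the wire."""
    steps = 0
    if len(secret) != len(guess):
        return False, steps
    for a, b in zip(secret, guess):
        steps += 1
        if a != b:
            return False, steps
    return True, steps

def constant_time_compare(secret: bytes, guess: bytes) -> bool:
    """Mitigation: hmac.compare_digest takes the same time wherever the inputs differ."""
    return hmac.compare_digest(secret, guess)

def recover_by_timing(oracle, length: int, alphabet=range(256)) -> bytes:
    """Byte-at-a-time recovery: the candidate that keeps the oracle busy
    longest is the one that matched one more byte than the others."""
    known = b""
    for pos in range(length):
        best_byte, best_steps = None, -1
        for b in alphabet:
            guess = known + bytes([b]) + b"\x00" * (length - pos - 1)
            ok, steps = oracle(guess)
            if ok:
                return guess
            if steps > best_steps:
                best_byte, best_steps = b, steps
        known += bytes([best_byte])
    return known

def demo_leaky() -> bytes:
    return recover_by_timing(lambda g: leaky_compare(SECRET, g), len(SECRET))

def demo_constant_time() -> bytes:
    # every guess takes the same "time", so the ranking step has nothing to go on
    return recover_by_timing(lambda g: (constant_time_compare(SECRET, g), len(g)), len(SECRET))
```

demo_leaky() returns the full secret after at most 256 guesses per byte; demo_constant_time() returns garbage because every candidate scores the same.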
29
What is a power monitoring attack in cryptanalysis
An attacker observes the variations in a device's power consumption while it executes cryptographic operations and uses them to extract information about the secret key, since different operations and data values draw different amounts of power.
30
What are the two different types of Power monitoring attacks
Simple Power Analysis (SPA) and Differential Power Analysis (DPA)
31
What is a SPA
Simple Power Analysis
32
What is a DPA
Differential Power Analysis
33
What does a SPA do
The attacker interprets the power consumption graph to identify operations, a spike in power could mean a specific operation
34
What does a DPA do
A more sophisticated attack collecting power consumption data for many operations and using statistical analysis to find correlation between power consumption and values in bits in the secret key
35
Mitigation of Power monitoring attacks
Power regulation and randomisation techniques to make power analysis more difficult
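Added example (not from the deck) of what SPA sees on a square-and-multiply exponentiation such as RSA or classic Diffie-Hellman: the trace list stands in for the power waveform, where a squaring and a multiplication have distinguishable shapes, so the sequence of operations spells out the exponent bits. The Montgomery ladder at the end is the standard countermeasure: it performs the same operations for every bit. Base, modulus and exponent are constructed.

```python
def modexp_square_and_multiply(base: int, exp: int, mod: int, trace: list) -> int:
    """Left-to-right square-and-multiply. Each 'S' (square) and 'M' (multiply)
    appended to `trace` stands in for the distinct power-consumption shape
    that operation shows on an oscilloscope."""
    result = 1
    for bit in bin(exp)[2:]:
        result = result * result % mod
        trace.append("S")
        if bit == "1":
            result = result * base % mod
            trace.append("M")
    return result

def recover_exponent_from_trace(trace: list) -> int:
    """SPA: a square followed by a multiply is a 1 bit, a lone square is a 0 bit."""
    bits, i = [], 0
    while i < len(trace):
        if i + 1 < len(trace) and trace[i + 1] == "M":
            bits.append("1")
            i += 2
        else:
            bits.append("0")
            i += 1
    return int("".join(bits), 2)

def modexp_montgomery_ladder(base: int, exp: int, mod: int, trace: list) -> int:
    """Countermeasure: every bit does one multiply and one square, so the
    operation sequence no longer depends on the key."""
    r0, r1 = 1, base   # invariant: r0 = base^k, r1 = base^(k+1) for the bits seen so far
    for bit in bin(exp)[2:]:
        if bit == "1":
            r0 = r0 * r1 % mod
            r1 = r1 * r1 % mod
        else:
            r1 = r0 * r1 % mod
            r0 = r0 * r0 % mod
        trace.extend(["M", "S"])
    return r0

def spa_demo(exp: int = 0b101101) -> tuple:
    """Returns (exponent recovered from the leaky trace, whether the ladder
    trace is the same fixed pattern regardless of the exponent)."""
    base, mod = 7, 1000003   # constructed values
    leaky_trace, ladder_trace = [], []
    assert modexp_square_and_multiply(base, exp, mod, leaky_trace) == pow(base, exp, mod)
    assert modexp_montgomery_ladder(base, exp, mod, ladder_trace) == pow(base, exp, mod)
    return recover_exponent_from_trace(leaky_trace), ladder_trace == ["M", "S"] * exp.bit_length()
```

A real DPA needs the statistical step on top of this (many traces, correlated against a power model), but the SPA case already shows why the naive loop leaks the whole private exponent in one trace.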
36
What is Acoustic Cryptanalysis attack
Where an adversary extracts information by analysing the sound emissions a device produces during operation. Sound emissions correlate with the device's internal state or the operation being performed: the sound produced by a computer's CPU voltage regulation circuitry (coil whine), capacitors or fans changes with the computation being performed
37
Mitigation of acoustic cryptanalysis attack
Use sound-absorbing materials in the device's construction and physically isolate sensitive components to reduce sound emissions; as with other side channels, implementations whose work does not vary with secret data help too
38
What is the Spectre vulnerability
Spectre is a microprocessor vulnerability which abuses speculative execution to break the isolation between applications, allowing an attacker to trick error-free programs into leaking their secrets
39
What is the Meltdown vulnerability
Meltdown is a microprocessor vulnerability that dissolves the isolation between user applications and the operating system, allowing a malicious program to read kernel memory and, through it, the memory of other programs and the operating system
40
What is the difference between BFLA and BOLA
In BOLA the user is allowed to use the endpoint (function) but is not authorised for the particular object they request, e.g. another user's invoice fetched by its ID; in BFLA the user is not authorised to use that endpoint or function at all, e.g. a normal user calling an admin-only delete
41
What does BOLA stand for
Broken Object Level Authorisation
42
What does BFLA stand for
Broken Function Level Authorisation
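Added example (not from the deck) showing the two authorisation bugs side by side as plain Python handlers; the users, roles and invoice store are constructed for the demo, and a real API would place the same checks in its request handlers.

```python
from dataclasses import dataclass

@dataclass
class User:
    id: int
    role: str           # "user" or "admin"

INVOICES = {101: 1, 102: 2}   # constructed: invoice id -> owner user id

class Forbidden(Exception):
    pass

def get_invoice_bola(caller: User, invoice_id: int) -> int:
    """BOLA: the caller is allowed to use this endpoint, but nothing ties the
    requested object to them, so any user can read any invoice by ID."""
    return INVOICES[invoice_id]

def get_invoice_fixed(caller: User, invoice_id: int) -> int:
    owner = INVOICES[invoice_id]
    if owner != caller.id and caller.role != "admin":
        raise Forbidden("invoice belongs to another user")   # object-level check
    return owner

def delete_user_bfla(caller: User, target_id: int) -> str:
    """BFLA: an admin-only function reachable by anyone who knows its path."""
    return f"deleted user {target_id}"

def delete_user_fixed(caller: User, target_id: int) -> str:
    if caller.role != "admin":
        raise Forbidden("admin function")                     # function-level check
    return f"deleted user {target_id}"

def is_forbidden(func, *args) -> bool:
    """Helper for the checks below: True if the call was rejected."""
    try:
        func(*args)
    except Forbidden:
        return True
    return False
```

The object-level check has to consult the data (who owns invoice 102); the function-level check only needs the caller's role. Both are needed, and neither replaces the other.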
43
What is SSRF
SSRF occurs when a web server fetches a remote resource from a user-supplied URL without verifying that the target is an allowed one, letting an attacker make the server send requests to internal services, cloud metadata endpoints or arbitrary hosts
44
How can we determine SSRF
Supply a URL that points at a listener we control (e.g. nc -lvnp 80) and check whether the server connects back to it, or one that points at http://localhost:80/ or other internal addresses and look for differences in the response or the response time
45
How to prevent SSRF
Check remote resources against an allowlist of hosts and schemes, do not build the URL from raw user input, block requests to private, loopback and link-local address ranges, and do not follow redirects blindly (a naive check can be bypassed by redirects or DNS rebinding)
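Added example (not from the deck): the allowlist check a server should run before fetching a user-supplied URL, plus the resolved-address check that closes the DNS rebinding gap. The allowlist, the resolver mapping and the addresses are constructed for the demo; no network access is made.

```python
import ipaddress
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"images.example.com", "cdn.example.com"}   # constructed allowlist

# Constructed stand-in for DNS: cdn.example.com resolves to an internal address
# even though the name itself is allowlisted (the rebinding case)
FAKE_RESOLVER = {"images.example.com": "1.2.3.4", "cdn.example.com": "10.0.0.5"}

def fetch_url_vulnerable(url: str) -> str:
    """SSRF: whatever the user sends is what the server will fetch."""
    return f"GET {url}"

def is_allowed_target(url: str) -> bool:
    """Static checks before any connection: http(s) only, no embedded
    credentials, host on the allowlist, and no literal IP addresses at all
    (which covers 127.0.0.1, 169.254.169.254, 10.0.0.0/8, [::1] and friends)."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    if parts.scheme not in ("http", "https"):
        return False
    if parts.username is not None or parts.password is not None:
        return False                 # http://images.example.com@evil.test/
    host = parts.hostname
    if not host:
        return False
    try:
        ipaddress.ip_address(host)
        return False                 # literal IP: never allowed
    except ValueError:
        return host.lower() in ALLOWED_HOSTS

def address_is_public(ip_str: str) -> bool:
    """Check the address that actually resolved, right before connecting,
    so a DNS answer pointing into the internal network is rejected."""
    ip = ipaddress.ip_address(ip_str)
    return ip.is_global and not ip.is_multicast

def fetch_url_hardened(url: str, resolver=FAKE_RESOLVER):
    """Returns the request that would be made, or None if blocked."""
    if not is_allowed_target(url):
        return None
    host = urlsplit(url).hostname.lower()
    ip = resolver.get(host)
    if ip is None or not address_is_public(ip):
        return None
    # connect to the checked IP (pin it; re-resolving would reopen the race)
    return f"GET {url} via {ip}"
```

The hostname allowlist alone is not enough: cdn.example.com is on the list, yet the hardened fetch refuses it because the address it resolved to is private. Redirect targets need the same two checks on every hop.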
46
What is HTTPS also known as
HTTP over TLS
47
What does TLS stand for
Transport Layer Security
48
What does SSL stand for
Secure Sockets Layer
49
What are the 3 levels encryption can be applied at
Encryption at rest, encryption in transit, end-to-end encryption
50
What is encryption at rest
Stored in an encrypted format to prevent unauthorised access
51
What is encryption in transit
Data that is transmitted is encrypted before transmission and decrypted after reception
52
What is end to end encryption
Encrypts data from the true sender to the final recipient such that no other party can access the data
53
AES, DES, 3DES, Blowfish and RCx are all?
Symmetric encryption
54
Name 5 symmetric encryption types
AES DES 3DES Blowfish RCx
55
Is the RCx family symmetric or asymmetric
Symmetric encryption
56
What are the 4 RCx
RC2, RC4, RC5, RC6 (RC4 is a stream cipher and is broken; RC2, DES and 3DES are obsolete, AES is the modern choice)
57
Name 6 asymmetric (public-key) algorithms
RSA, DSA, ElGamal, ECC, DH, ECDH (note that DSA is signature-only and DH/ECDH are key agreement, not encryption)
58
RSA, DSA, ECC, DH and ECDH are all
Asymmetric (public-key) cryptographic methods
59
What is a Public Key Infrastructure
A PKI comprises roles and processes responsible for the management of digital certificates, creation and revocation of certificates
60
What is the purpose of a Certificate
The purpose of a certificate is to bind a public key to an identity; this proves who owns the public key, ensuring that when we encrypt data using a public key only the designated recipient can decrypt it
61
What is a Certificate Authority
CAs are trusted entities that are allowed to issue certificates after verifying the identity of the requester
62
How can we verify the identity of a CA
Through the CA's own certificate, which is signed by a higher-level CA (or self-signed in the case of a root CA) and is checked against the trust store of root certificates on the client
63
Where does the chain of CA's lead to
A root CA
64
What does a cipher suite do
A cipher suite defines the set of cryptographic algorithms used for a connection: key exchange, authentication, bulk encryption and message authentication
65
What is the format of a cipher suite
KeyExchangeAlgorithm_ServerAuthentication_WITH_EncryptionWithMode_MACAlgorithm
66
Example of cipher suite
TLS_DH_RSA_WITH_AES_128_CBC_SHA256
67
What does PFS stand for
Perfect Forward Secrecy
68
What does PFS do
Means an attacker who records traffic is not able to decrypt past sessions even after obtaining the server's long-term private key, because each session uses fresh ephemeral key-exchange values that are discarded afterwards
69
What cipher suites have PFS
All TLS 1.3 cipher suites (key exchange is always ephemeral (EC)DHE) and, in TLS 1.2, the TLS_DHE_ and TLS_ECDHE_ suites have PFS
70
What improvements does TLS 1.3 have over 1.2
Dropping support for insecure cryptographic parameters (RSA key transport, static DH, CBC-mode and RC4 suites, compression, renegotiation), mandating forward secrecy, and improving session establishment time (1-RTT handshake, 0-RTT resumption)
71
What does a TLS 1.3 cipher suite contain
TLS_EncryptionAlgorithm_Mode_HashFunction, e.g. TLS_AES_128_GCM_SHA256: an AEAD cipher with its mode and the hash used for key derivation; key exchange and authentication are negotiated separately through extensions
72
What is a block cipher
A type of symmetric encryption algorithm that operates by splitting the input into fixed-size blocks and encrypting it block by block. It requires the input length to be a multiple of the block size, otherwise padding is added
73
What is padding
Padding is the extra data added to reach the correct length so that the input is a multiple of the block size. If the AES block size is 16 bytes and the input is 30 bytes we need to add 2 padding bytes to reach 32 bytes (with PKCS#7 each padding byte holds the padding length, so 02 02)
74
What is a padding oracle
Padding oracle attacks result from a system revealing, through verbose error messages, whether the padding of a message decrypted in CBC mode was valid. With that yes/no answer an attacker can decrypt (and often forge) ciphertexts without the key, one byte at a time
75
When does a padding oracle exist
A padding oracle exists if the system reveals whether the padding is valid or invalid through different error messages responses or timings
76
What does POODLE stand for
Padding Oracle on Downgraded Legacy Encryption
77
What does BEAST stand for
Browser Exploit Against SSL/TLS
78
What are POODLE and BEAST
Both target CBC-mode encryption in old SSL/TLS versions: POODLE is a padding oracle attack against SSL 3.0, whose padding check is too loose; BEAST attacks TLS 1.0, where the IV of each record is the previous ciphertext block, allowing a chosen-plaintext attacker to recover encrypted data such as cookies block by block
79
What is the SSL 3.0 padding scheme
The last byte is the length of the pad excluding that byte, and all the other padding bytes are arbitrary and not checked (unlike TLS, where every padding byte must equal the length byte)
80
Example of SSL 3.0 padding
DE AD BE EF is 4 bytes and we need 8, so it becomes DE AD BE EF xx xx xx 03, e.g. DE AD BE EF 00 00 00 03; the three xx bytes are arbitrary
81
What is the essence of the POODLE attack
The attacker (via JavaScript injected into a plain HTTP page) makes the victim's browser send requests whose last block is entirely padding, so the last byte of that block is known to be the pad length (block size minus one). The attacker then replaces that last block with an earlier ciphertext block they want to decrypt, e.g. one containing the cookie. The server accepts the record only when the decrypted last byte happens to equal the pad length, which happens in about 1 in 256 tries and reveals one byte of the target block; shifting the request by one byte and repeating decrypts the cookie byte by byte
82
Prevention of POODLE
Disabling the use of SSL 3.0 entirely
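Added worked example (not from the deck) of the padding oracle attack described in cards 72-75 and behind POODLE (cards 78-82). The block cipher is a toy Feistel construction standing in for AES, because the attack never looks inside the cipher: it only needs CBC mode, PKCS#7 padding and a server that answers "padding valid" or "padding invalid". Key, IV and plaintext are constructed.

```python
import hashlib
import hmac

BLOCK = 16

def _f(key: bytes, half: bytes, rnd: int) -> bytes:
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def toy_encrypt_block(key: bytes, block: bytes) -> bytes:
    """4-round Feistel network on a 16-byte block: a toy block cipher used in
    place of AES (any block cipher would do for the attack)."""
    l, r = block[:8], block[8:]
    for rnd in range(4):
        l, r = r, _xor(l, _f(key, r, rnd))
    return l + r

def toy_decrypt_block(key: bytes, block: bytes) -> bytes:
    l, r = block[:8], block[8:]
    for rnd in reversed(range(4)):
        l, r = _xor(r, _f(key, l, rnd)), l
    return l + r

def pkcs7_pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def pkcs7_unpad(data: bytes) -> bytes:
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    out, prev = b"", iv
    for i in range(0, len(plaintext), BLOCK):
        prev = toy_encrypt_block(key, _xor(plaintext[i:i + BLOCK], prev))
        out += prev
    return out

def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    out, prev = b"", iv
    for i in range(0, len(ciphertext), BLOCK):
        block = ciphertext[i:i + BLOCK]
        out += _xor(toy_decrypt_block(key, block), prev)
        prev = block
    return out

def padding_oracle(key: bytes, iv: bytes, ciphertext: bytes) -> bool:
    """The leak: the server reveals (error message, status code or timing)
    whether the decrypted message had valid padding."""
    try:
        pkcs7_unpad(cbc_decrypt(key, iv, ciphertext))
        return True
    except ValueError:
        return False

def attack_block(oracle, prev: bytes, target: bytes) -> bytes:
    """Recover the plaintext of `target` using only the oracle and the block
    that precedes it (`prev`; the IV for the first block)."""
    inter = bytearray(BLOCK)   # D_k(target): cipher output before the CBC XOR
    for pos in range(BLOCK - 1, -1, -1):
        pad = BLOCK - pos
        forged = bytearray(BLOCK)
        for j in range(pos + 1, BLOCK):
            forged[j] = inter[j] ^ pad       # already-known bytes decrypt to `pad`
        for guess in range(256):
            forged[pos] = guess
            if not oracle(bytes(forged), target):
                continue
            if pos == BLOCK - 1:
                # a valid answer could also be 02 02, 03 03 03 ...; if the padding
                # really is 01, changing the byte before it must not matter
                forged[pos - 1] ^= 0xFF
                still_ok = oracle(bytes(forged), target)
                forged[pos - 1] ^= 0xFF
                if not still_ok:
                    continue
            inter[pos] = guess ^ pad
            break
        else:
            raise RuntimeError("oracle never accepted: not a padding oracle?")
    return _xor(bytes(inter), prev)

def attack(oracle, iv: bytes, ciphertext: bytes) -> bytes:
    blocks = [iv] + [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)]
    plain = b"".join(attack_block(oracle, blocks[i - 1], blocks[i]) for i in range(1, len(blocks)))
    return pkcs7_unpad(plain)

def demo() -> bytes:
    key, iv = b"\x11" * 16, b"\x22" * 16          # constructed, fixed for reproducibility
    secret = b"session=9f2c1a; role=user"
    ct = cbc_encrypt(key, iv, pkcs7_pad(secret))
    # the attacker holds only iv, ct and the server's yes/no answers
    return attack(lambda iv_, ct_: padding_oracle(key, iv_, ct_), iv, ct)
```

demo() recovers the secret with at most 256 oracle queries per byte and never touches the key. POODLE differs only in the oracle: SSL 3.0 checks just the last byte, so the attacker learns one byte per 256 tries rather than the whole block in one pass, but the XOR arithmetic is the same. The fix is to remove the oracle (authenticate the ciphertext before decrypting, or use an AEAD mode), not to hide the error message, since timing leaks the same bit.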
83
What is the Bleichenbacher Attack
A type of attack targeting RSA encryption in combination with PKCS#1 v1.5 padding. If the server leaks whether the padding of a decrypted message was valid or not, the attacker can deduce information about the original unmodified plaintext from each answer and repeat this adaptively with modified ciphertexts until the plaintext (e.g. the TLS pre-master secret) is recovered
84
Prevention of Bleichenbacher attack
Not revealing padding information to the TLS client: the server continues the handshake with a random pre-master secret when decryption fails (RFC 5246 §7.4.7.1) so the outcome is indistinguishable; better still, prefer (EC)DHE key exchange
85
What is the DROWN attack
A cross-protocol Bleichenbacher attack: a server that still supports SSL 2.0 (or any other server sharing the same RSA key) acts as the padding oracle, allowing decryption of TLS sessions that used that RSA key
86
What does DROWN stand for
Decrypting RSA with Obsolete and Weakened eNcryption
87
Prevention of DROWN
Disabling SSL 2.0
88
What does CRIME stand for
Compression Ratio Info-Leak Made Easy
89
What does CRIME do
It targets TLS-level compression. Secret data (e.g. a cookie) and attacker-controlled data are compressed together, so the attacker can append a parameter with the same name as the cookie and an arbitrary value (sess=XXXXX) and observe the response length; replacing characters sequentially (e.g. sess=aXXXX) and seeing the length shrink means the guess matched the secret and was compressed away, i.e. it is the correct character
90
What does BREACH stand for
Browser Reconnaissance and Exfiltration via Adaptive Compression of Hypertext
91
What does BREACH do
A variant of the CRIME attack that targets HTTP-level (gzip/deflate) compression of the response body. HTTP headers are not compressed, so it cannot reach header values such as cookies, but it can attack secrets reflected in the HTTP body, such as CSRF tokens, provided some attacker-controlled input is also reflected in the body
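Added example (not from the deck) of the CRIME/BREACH compression oracle. The page, the token and the reflected search string are constructed, and the compressor is a toy LZ77 cost model rather than zlib so that the result is deterministic. Real DEFLATE adds Huffman coding and byte rounding on top, which turns this clean 8-bit signal into a noisy one that real attacks average over many requests, but the mechanism is the same: the attacker's guess compresses better when it matches the secret.

```python
SECRET_TOKEN = "7f3a9c"   # constructed anti-CSRF token the attacker wants

def render_page(reflected: str) -> bytes:
    """Constructed vulnerable response: the secret token and attacker-supplied
    input (a reflected search string) end up in the same compressed body."""
    return (
        "<html><body><h1>Search</h1>"
        '<form action="/transfer" method="post">'
        f'<input type="hidden" name="csrf" value="{SECRET_TOKEN}">'
        "</form>"
        f"<p>No results for: {reflected}.</p></body></html>"
    ).encode()

def lz77_bits(data: bytes, min_match: int = 3) -> int:
    """Toy LZ77 cost model standing in for DEFLATE's first stage: a literal
    byte costs 8 bits, a back-reference to an earlier match costs 16 bits."""
    i, bits = 0, 0
    while i < len(data):
        best = 0
        for j in range(i):
            k = 0
            while i + k < len(data) and data[j + k] == data[i + k]:
                k += 1
            best = max(best, k)
        if best >= min_match:
            bits += 16
            i += best
        else:
            bits += 8
            i += 1
    return bits

def observed_size(reflected: str) -> int:
    """What a network observer sees: only the size of the compressed response."""
    return lz77_bits(render_page(reflected))

def recover_token(length: int, alphabet: str = "0123456789abcdef") -> str:
    """CRIME/BREACH guess loop: extend the known prefix with the character
    whose reflection compresses best (it matched one byte further)."""
    prefix, known = 'name="csrf" value="', ""
    for _ in range(length):
        sizes = {c: observed_size(prefix + known + c) for c in alphabet}
        known += min(sizes, key=sizes.get)
    return known
```

recover_token(6) returns the token after 96 "requests". The mitigation is to stop mixing secrets with reflected input in one compressed stream: disable compression for such responses, or mask the CSRF token with a fresh random value on every response so there is nothing stable to match.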
92
What is the Heartbleed Bug
The Heartbeat extension lets a peer check whether a TLS connection is still alive by sending a request of the form (payload, payload_length) that the other side echoes back. Vulnerable OpenSSL versions did not validate payload_length against the record actually received, so an attacker can send a small payload with a large length field and the server responds with up to 64 KB of its own memory beyond the sent payload, potentially containing private keys, session cookies or passwords
93
Prevention of Heartbleed bug
Updating the vulnerable OpenSSL versions 1.0.1 through 1.0.1f to 1.0.1g or later, then rotating keys, certificates and credentials that may have been exposed
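Added example (not from the deck) simulating the Heartbeat handling described in cards 92-93. The message layout (type, 16-bit payload length, payload, 16 bytes of padding) follows RFC 6520; the "adjacent memory" is a constructed byte string standing in for whatever the process heap held next to the record.

```python
import struct

HB_REQUEST = 1
PAD_LEN = 16

def build_heartbeat(payload: bytes, claimed_len: int) -> bytes:
    """Heartbeat message: type(1) | payload_length(2) | payload | padding(16).
    An honest client sets claimed_len == len(payload); a malicious one does not."""
    return struct.pack("!BH", HB_REQUEST, claimed_len) + payload + b"\x00" * PAD_LEN

def handle_vulnerable(record: bytes, process_memory: bytes) -> bytes:
    """Pre-1.0.1g behaviour: trusts the length field and copies that many bytes
    starting at the payload, running past the record into whatever follows it
    in memory (simulated here by `process_memory`)."""
    mtype, length = struct.unpack("!BH", record[:3])
    memory = record + process_memory        # the record sits at the start of the buffer
    return memory[3:3 + length]             # echoes `length` bytes, no bounds check

def handle_fixed(record: bytes, process_memory: bytes):
    """The fix: drop the message when header + declared payload + padding is
    larger than the record actually received."""
    mtype, length = struct.unpack("!BH", record[:3])
    if 1 + 2 + length + PAD_LEN > len(record):
        return None
    return record[3:3 + length]

# Constructed stand-in for the heap data that happened to follow the record
NEIGHBOURING_MEMORY = b"...session cookie=abc123; private key fragment..."

def demo() -> tuple:
    honest = build_heartbeat(b"ping", 4)
    malicious = build_heartbeat(b"ping", 40)
    return (handle_vulnerable(honest, NEIGHBOURING_MEMORY),
            handle_vulnerable(malicious, NEIGHBOURING_MEMORY),
            handle_fixed(malicious, NEIGHBOURING_MEMORY))
```

demo() returns the echoed "ping", then the over-read containing the neighbouring cookie, then None from the fixed handler. A real request can claim up to 65535 bytes, hence the "up to 64 KB per heartbeat" figure.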
94
What is SSL Stripping
SSL stripping is a MiTM attack that keeps the victim on plain HTTP instead of HTTPS: the attacker rewrites https:// links and redirects in the traffic to http:// while talking HTTPS to the server itself, so the victim's traffic is readable and modifiable
95
What is ARP spoofing
Sending forged/spoofed ARP replies so that a victim associates the attacker's MAC address with another host's IP (e.g. the gateway), making the attacker a MiTM that receives packets destined for that host
96
What is the mitigation of a SSL stripping attack
The header Strict-Transport-Security (HSTS)
97
What does HSTS stand for
HTTP Strict Transport Security (delivered as the Strict-Transport-Security response header)
98
What does the HSTS do
The header tells the browser that the site should only be accessed through HTTPS for max-age seconds; any attempt to access the site via HTTP is rejected by the browser and converted to HTTPS before a request is sent. The very first visit is unprotected unless the domain is on the browser's HSTS preload list
99
What does Lucky13 exploit
A timing difference in the MAC verification stage when CBC mode is used with MAC-then-encrypt. The time taken to check the MAC depends on the padding length, and Lucky13 exploits the fact that the MAC computation is still slightly longer in some cases, turning the small timing difference into a padding oracle
100
What does FREAK stand for
Factoring RSA Export Keys
101
What does FREAK exploit
Clients and servers that still accept export-grade RSA (512-bit keys), originally mandated by US export restrictions: a MiTM downgrades the connection to an RSA_EXPORT cipher suite and factors the weak key
102
What are export keys
Deliberately weak keys (e.g. 512-bit RSA, 40-bit symmetric) to comply with US regulations that restricted the export of strong cryptographic software
103
What is a Downgrade attack
The victim is forced to use a older and insecure version of TLS or cipher suite
104
What is a Cipher Suite rollback
It is possible for a MiTM to intercept the ClientHello and alter the list of offered cipher suites; the server then chooses a vulnerable cipher suite in its ServerHello which the attacker can break
105
What SSL / TLS version does Cipher Suite rollback target
SSL 2.0
106
What is a TLS Downgrade attack
Where a MiTM interferes with the TLS handshake and drops packets, causing a handshake failure; clients that implement insecure fallback then retry with a lower version, e.g. TLS 1.2 to TLS 1.1 and so on down to whatever vulnerable version the attacker wants. The TLS_FALLBACK_SCSV signalling suite (RFC 7507) lets the server detect such fallbacks
107
What TLS versions should only be offered
TLS 1.3 and TLS 1.2
108
When should TLS 1.0 and TLS 1.1 be offered
Only if it is necessary to support for legacy reasons
109
What connections are completely insecure
SSL 2.0 and SSL 3.0
110
What cipher suites should never be used
NULL and EXPORT cipher suites
111
What cipher suites should be used
Cipher suites that offer PFS (which is all TLS 1.3 and ECDHE and DHE in TLS 1.2)
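Added example (not from the deck) that serves cards 64-69 and 107-111: a parser for TLS cipher suite names and a policy check that rejects the suites the deck says never to use (NULL, EXPORT), broken ciphers, anonymous key exchange and anything without forward secrecy, and accepts all TLS 1.3 suites. The TLS 1.3 suite names are the IANA registry set; the policy thresholds are this example's own choices.

```python
TLS13_SUITES = {
    "TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256",
    "TLS_AES_128_CCM_SHA256", "TLS_AES_128_CCM_8_SHA256",
}
BROKEN_CIPHERS = {"NULL", "RC4", "RC2", "DES", "3DES"}
PFS_KX = {"DHE", "ECDHE"}

def parse_suite(name: str) -> dict:
    """Split a TLS 1.2-style name KX_AUTH_WITH_CIPHER_MODE_MAC, or classify a
    TLS 1.3 name, which only carries the AEAD cipher and the hash."""
    if name in TLS13_SUITES:
        return {"version": "1.3", "kx": "(EC)DHE", "auth": "negotiated", "export": False,
                "cipher": name[len("TLS_"):name.rindex("_")],
                "mac": name[name.rindex("_") + 1:], "pfs": True}
    left, sep, right = name.partition("_WITH_")
    if not sep or not left.startswith("TLS_"):
        raise ValueError(f"not a TLS cipher suite name: {name}")
    kx_parts = left.split("_")[1:]
    export = "EXPORT" in kx_parts
    kx_parts = [p for p in kx_parts if p != "EXPORT"]
    kx = kx_parts[0]
    auth = kx_parts[1] if len(kx_parts) > 1 else kx   # TLS_RSA_WITH_...: RSA does both
    enc_parts = right.split("_")
    return {"version": "1.2", "kx": kx, "auth": auth, "export": export,
            "cipher": "_".join(enc_parts[:-1]), "mac": enc_parts[-1], "pfs": kx in PFS_KX}

def suite_verdict(name: str) -> tuple:
    """Policy: reject what the deck says never to use plus the other classic
    weaknesses; accept only forward-secret suites (all of 1.3, (EC)DHE in 1.2)."""
    s = parse_suite(name)
    reasons = []
    if s["export"]:
        reasons.append("export-grade key")
    if BROKEN_CIPHERS & set(s["cipher"].split("_")):
        reasons.append(f"broken cipher {s['cipher']}")
    if s["auth"] == "anon":
        reasons.append("no server authentication")
    if s["mac"] == "MD5":
        reasons.append("MD5 MAC")
    if not s["pfs"]:
        reasons.append("no forward secrecy")
    verdict = "reject" if reasons else "accept"
    if verdict == "accept" and "CBC" in s["cipher"].split("_"):
        reasons.append("CBC mode: prefer an AEAD suite (padding oracle history)")
    return verdict, reasons

def filter_suites(offered: list) -> list:
    """What to keep from a list that a server config or scanner reports."""
    return [n for n in offered if suite_verdict(n)[0] == "accept"]
```

The deck's own example TLS_DH_RSA_WITH_AES_128_CBC_SHA256 is rejected for lacking forward secrecy (static DH); TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 is the TLS 1.2 shape to prefer.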
112
What is SSTI
Where web applications that use template engines to put dynamic content on a page pass user input into the template itself (rather than only as data), so an attacker can inject template syntax that the server evaluates, often leading to remote code execution
113
What does SSTI stand for
Server Side Template Injection
114
What does SSI stand for
Server Side Includes (SSI) injection
115
What is SSI
SSI directives can be used to generate HTML responses dynamically. When user input reaches SSI directives without validation, an attacker can inject their own directives, e.g. to execute commands on the server
116
What are the extensions commonly used for SSI
.shtml .shtm .stm
117
What is Web Cache Poisoning
Web cache poisoning forces a web cache to serve malicious content to unsuspecting users visiting a vulnerable site
118
What is classified as a weak session ID
One that an attacker can guess or brute-force: too short, predictable (sequential or time-based) or produced by a weak random number generator. It needs at least 128 bits (16 bytes) of entropy from a cryptographically secure random number generator
119
What are some session vulnerabilities
Premature Session Population, Common Session Variables, Session fixation
120
What is Premature Session Population
When information is stored in the session prematurely, for example a username being stored in the session temporarily to provide a customised "login failed" error message. The session is cleared after the error is shown, but hitting the /profile endpoint with that session cookie before then lets you through, because the username is already in the session
121
What is Common Session Variables
When different functionalities share the same session variable, for example a 3-step password reset and a 3-step account creation where the 2nd step of the password reset is the security question answer. If we complete steps 1 and 2 of account creation and reuse that cookie, we may be able to bypass step 2 of the password reset
122
What is XPath Injection
When user input reaches XPath queries without sanitisation, we can craft specific queries to read the contents of an XML document
123
What are some XPath injection methods used for blind exploitation
name(), substring() and string-length(): XPath functions used to extract node names and values one character at a time from true/false responses
124
What is LDAP injection
If an LDAP query is built from unsanitised input we can perform injection attacks, primarily against authentication
125
What is LDAP
LDAP is a protocol used to access directory servers such as Active Directory (AD)
126
What does LDAP stand for
Lightweight Directory Access Protocol
127
What are two very basic examples of LDAP injection
On a login form, * for both username and password, or a real username and * for the password: if the filter is built as (&(uid=USER)(userPassword=PASS)) the wildcard matches any value
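Added example (not from the deck) for cards 124-127: the login filter built naively versus with RFC 4515 escaping, evaluated against a constructed two-entry directory with a tiny matcher that supports only the (&(a=v)(b=v)) shape used here. The escape table (\2a for *, \28 and \29 for the parentheses, \5c for backslash, \00 for NUL) is the one from the RFC.

```python
import re

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value embedded in an LDAP search filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def login_filter_vulnerable(user: str, password: str) -> str:
    return f"(&(uid={user})(userPassword={password}))"

def login_filter_safe(user: str, password: str) -> str:
    return f"(&(uid={escape_filter_value(user)})(userPassword={escape_filter_value(password)}))"

# Constructed directory entries for the demo
DIRECTORY = [
    {"uid": "alice", "userPassword": "hunter2"},
    {"uid": "bob", "userPassword": "swordfish"},
]

def _value_matches(pattern: str, value: str) -> bool:
    """LDAP assertion-value semantics: '*' is a substring wildcard and
    backslash-hex escapes are literal characters."""
    regex, i = "", 0
    while i < len(pattern):
        if pattern[i] == "\\":
            regex += re.escape(chr(int(pattern[i + 1:i + 3], 16)))
            i += 3
        elif pattern[i] == "*":
            regex += ".*"
            i += 1
        else:
            regex += re.escape(pattern[i])
            i += 1
    return re.fullmatch(regex, value) is not None

def evaluate_and_filter(filt: str, entry: dict) -> bool:
    """Evaluate a filter of the shape (&(attr=value)(attr=value)...)."""
    m = re.fullmatch(r"\(&((?:\([^()]*\))+)\)", filt)
    if not m:
        return False      # malformed (or structurally injected) filter: no match
    for attr, pattern in re.findall(r"\(([^()=]+)=([^()]*)\)", m.group(1)):
        if attr not in entry or not _value_matches(pattern, entry[attr]):
            return False
    return True

def authenticate(build_filter, user: str, password: str):
    """Return the uid of the first entry matching the login filter, else None."""
    filt = build_filter(user, password)
    for entry in DIRECTORY:
        if evaluate_and_filter(filt, entry):
            return entry["uid"]
    return None
```

With the naive filter, "*" for both fields logs in as the first user in the directory; with escaping the asterisk becomes \2a and matches nothing. A real directory client should also bind as the user with the supplied password rather than compare userPassword in a filter.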