Deck A Flashcards
Deck A
What is Bluesnarfing
A cyber attack involving unauthorised access to information from wireless devices through bluetooth
What is Bluejacking
An attack that sends unsolicited messages to Bluetooth-enabled devices
What is BlueSmacking
A Denial of Service attack that overwhelms a device’s Bluetooth connection
What is Bluebugging
A technique used to gain control over a device via Bluetooth
What is BlueBorne
A set of vulnerabilities that allow attackers to take control of devices, spread malware, or perform other malicious activities via Bluetooth
What is KNB
KNB is an attack that manipulates the data encryption process during Bluetooth connection estbalishment, weakening security
What does KNB stand for
Key Negotiation Bluetooth
What does BIAS stand for
Bluetooth Impersonation AttackS
What does BIAS do
BIAS is an attack that exploits the pairing process allowing an attacker to impersonate a trusted device
What is a Car Whisperer
A Bluetooth hack that targets vehicles, attackers can exploit to remotely unlock car doors or even start the engine without physical access
What is bluetooth designed for
Transferring data over short distances from fixed and mobile devices
What is a network of bluetooth devices called
Piconet
What are multiple piconets called when they can interact
Scatternet
What are risks with bluetooth
Unauthorised access, data theft, interference and device tracking
What is the legacy Bluejacking attack
Sending unsolicited messages to Bluetooth-enabled devices, does not involve stealing data but rather an annoyance. AirDrop suffered from Bluejacking when people had Airdrop settings to Everyone, got fixed with Everyone being disabled after 10 min
What is the legacy Bluebugging attack
An attacker gains full contol over a Bluetooth-enabled device allowing them to access and modify information, attacker does this by tricking the victim into pairing with a trusted device or brute forcing a pairing PIN
What is BlueBorn attack
Threat presenting hackers the ability to exploit Bluetooth connections and gain complete control over targeted devices from computers mobile TV etc. did not require them to be paired or set on discoverable mode
What does KNOB or KNB do
Exploits a flaw in the Bluetooth standard to undermine the encryption of Bluetooth connections that during pairing the attacker can intercept and set the length of the encryption key to one byte which can be bruteforced
What are bluetooth attack mitigations
Keep devices updated, disable bluetooth when not needed, don’t connect to random devices
What is Cryptanalysis
Cryptanalysis is the process of decrypting coded or encrypted data without access to the key used in the encryption process
What is Cypher text
Cypher text is the scrambled, unreadable form of the plain text resulting from an encryption algorthm, this transformation is controlled by a key which is used in the encryption/decryption process.
What is a Symmetric encryption
Same key is used for encryption/decryption
What is Asymmetric encryption
Public key is used for encryption and private key is used for decryption
What is frequency analysis
Based on the statistical study of the letters and symbols in the cypher text, if the freq. of characters in the cypher text matches the freq. of letters in the plain text it can provide clues to the substitution used
What is a Cryptanalysis Side Channel Attack
A Cryptanalysis Side Channel Attack refers to a category of crypographic attacks that exploit information inadvertantly leaked during the execution of cryptographic algorithms
What are the three types of cryptanalysis sidechannel attacks
Timing attacks, Power-monitoring attacks and Acoustic attacks
What is a timing attack in cryptanalysis
Where an attacker gains information based on the amount of time the system takes to process different inputs. The attack measures the computation time to make informed guesses about the secret key
What is a mitigation of a timing attack
Using constant-time algorithms to remove the correlation between data-dependant computation times and secret information
What is a power monitoring attack in cryptanalysis
An attacker can exploit the variations in a devices power consumption to extract information based on the observation of the power consumption of a device during the execution of cryptographic operations.
What are the two different types of Power monitoring attacks
Simple Power Analysis (SPA) and Differential Power Analysis (DPA)
What is a SPA
Simple Power Analysis
What is a DPA
Differential Power Analysis
What does a SPA do
The attacker interprets the power consumption graph to identify operations, a spike in power could mean a specific operation
What does a DPA do
A more sophisticated attack collecting power consumption data for many operations and using statistical analysis to find correlation between power consumption and values in bits in the secret key
Mitigation of Power monitoring attacks
Power regulation and randomisation techniques to make power analysis more difficult
What is Acoustic Cryptanalysis attack
Where an adversary seeks to extract information by analysing the sound emissions it produces during operation, sound emissions often correlate with different internal states or operations. The sound produced by the computers CPU or fans can change based on the computation being performed
Mitigation of acoustic cryptanalysis attack
Use sound-absorbing materials in device construction and phyisically isolating sensitive components to reduce sound emissions
What is the Spectre vulnerabiltiy
Spectre is a microprocessor vulnerability which breaks the isolation between applications allowing an attacker to trick error-free programs into leaking secrets.
What is the Meltdown vulnerability
Meltdown is a microprocessor vulnerabiltiy that dissolves the isolation between user applications and the operating system allowing a malicious program to access the memory of other programs and the operating system
What is the different between BFLA and BOLA
In BOLA the user is allowed to use the endpoint, in BFLA they are not authorised to use that endpoint
What is BOLA stand for
Broken Object Level Authorisation
What does BFLA stand for
Broken Function Level Authorisation
What is SSRF
SSRF occurs when a web server fetches a remote resource and does not verify if that is an allowed link to the resource
How can we determine SSRF
Using a netcat connection to ourself or to the localhost:80
How to prevent SSRF
Remote resources checked against whitelist, not accepting user-input
What is HTTPS also known as
HTTP over TLS
What does TLS stand for
Transport Layer Security
What does SSL stand for
Secure Sockets Layer
What are the 3 levels encryption can be applied at
Encryption at rest - Encryption-in-transit, End-to-end encryption
What is encryption at rest
Stored in an encrypted format to prevent unauthorised access
What is encryption in transit
Data that is transmitted is encrypted before transmission and decrypted after reception
What is end to end encryption
Encrypts data from the true sender to the final recipient such that no other party can access the data
AES DES 3DES Blowfish, RCx are all?
Symmetric encryption
Name 5 symmetric encryption types
AES DES 3DES Blowfish RCx
Is the RCx family symmetric or asymmetric
Symmetric encryption
What are the 4 RCx
RC2, RC4, RC5, RC6
Name 6 asymmetric encryption types
RSA, DSA, ElGamal, ECC, DH, ECDH
RSA DSA ECC DH ECDH are all
Asymmetric encryption methods
What is a Public Key Infrastructure
A PKI comprises roles and processes responsible for the management of digital certificates, creation and revocation of certificates
What is the purpose of a Certificate
The purpose of a Certificate is the bind public keys to an identity this proves the identity of the public key owner, ensuring when we encrypt data using a publi key only the designated recipient will receive it
What is a Certificate Authority
CA’s are entities that are allowed to issue certificates,
How can we verify the identity of a CA
Through a CA Certificate
Where does the chain of CA’s lead to
A root CA
What does a cipher suite do
A cipher suit defines the cryptographic algorithm used for a connection
What is the format of a cipher suite
KeyExchangeAlgorithm_ServerAuthentication_WITH_EncryptionWithMode_MACAlgorithm
Example of cipher suite
TLS_DH_RSA_WITH_AES_128_CBC_SHA256
What does PFS stand for
Perfect Forward Secrecy
What does PFS do
Means an attacker is not able to decrypt past messages even after obtaining a session key
What cipher suites have PFS
All TLS 1.3 and TLS_DHE and TLS_ECDHE have PFS
What improvements does TLS 1.3 have over 1.2
Dropping support for insecure cryptographic parameters and improving session establishment time
What does a TLS 1.3 cipher suite contain
EncryptionAlgorithm_Mode_HashFunction
What is a block cipher
A type of symmetric encryption algorithm that operates by splitting the input into blocks and encrypting the input block by block. It requires the input be divisible by the block size otherwise padding is added
What is padding
Padding is the extra data added to reach the correct length so that the input is divisibile by the block size if AES block size is 16 and input is 30 we need to add 2 padding bytes to reach 32 bytes
What is a padding oracle
Padding oracle attacks are the result of verbose leakage of error messages regarding the padding when the CBC encryption mode is used
When does a padding oracle exist
A padding oracle exists if the system reveals whether the padding is valid or invalid through different error messages responses or timings
What does POODLE stand for
Padding Oracle on Downgraded Legacy Encryption
What does BEAST stand for
Browser Exploit Against SSL/TLS
Wht are POODLE and BEAST
Both are padding oracle attacks that target encrypted data transmitted in SSL 3.0
What is the SSL 3.0 padding scheme
The last byte is the length of the pad excluding that byte (n-1) and all other padding bytes are arbitrary
Example of SSL 3.0 padding
DE AD BE EF is 4 bytes and we need 8 bytes so it becomes DE AD BE EF 00 00 00 03
What is the essence of the POODLE attack
It forced the victim to send a crafted request containing a full block of padding meaning the attacker already knows the last byte then changing the data in the last block
Prevention of POODLE
Disabling the use of SSL 3.0 entirely
What is the Bleichenbacher Attack
A type of attack targeting RSA encryption in combination with PKCS#1 padding, if the web server leaks whether the padding was valid or not the attacker can decude informatiomn about the original unmodified plaintext and repeat it
Prevention of Bleichenbacher attack
Not revealing padding information to the TLS client
What is the DROWN attack
A type of Bleichenbacher attack that exploits a vulnerability in SSL 2.0
What does DROWN stand for
Decrypting RSA with Obsolete and Weakened eNcryption
Prevention of DROWN
Disabling SSL 2.0
What does CRIME stand for
Compression Ratio Info-Leak Made Easy
What does CRIME do
It targets the TLS compression and can target cookies for example, the attacker can append a param with the same name as the cookie and an arbitrary value (sess=XXXXX) then observe response length, and replace sequentially (e.g: sess=aXXXX) to see if response length is smaller meaning it was compressed and is a correct character
What does BREACH stand for
Browser Reconnissance and Exfiltration via Adaptive Compression of Hypertext
What does BREACH do
A variant of the CRIME attack that targets HTTP-level compression meaning it leaves the HTTP headers uncompressed and we can only attack the HTTP body for things like CSRF tokens
What is the Heartbleed Bug
The heartbleed extension was implemented to check if a TLS connection is alive with a request in format of (, ) but it was found that the length is not validated and can send a small payload with a large data field and the server will respind with memory beyond the sent payload
Prevention of Heartbleed bug
Updating from vulnerable OpenSSL version 1.0.1 through 1.0.1f
What is SSL Stripping
SSL Stripping is forcing a victim to not use HTTPS but fall back to insecure HTTP
What is ARP spoofing
Sending a forged/spoofed ARP response to become a MiTM and receive packets destined for a different host/MAC
What is the mitigation of a SSL stripping attack
The header Strict-Transport-Security (HSTS)
What does HSTS stand for
Header Strict-Transport-Security
What does the HSTS do
The header tells the browser that the target should only be accessed through HTTPS any attempts to access the site via HTTP are rejected and converted to HTTPS
What does Lucky13 exploit
A timing difference in the MAC stage when the CBC mode is used. Lucky13 exploits the fact that MAC computation is still slightly longer in some cases
What does FREAK stand for
Factoring RSA Export Keys
What does FREAK exploit
Weak encryption used in SSL 3.0 and TLS 1.0 due to US restrictions
What are export keys
Deliberately weak to comply with regulation in the US that restricted the export of strong cryptographic software
What is a Downgrade attack
The victim is forced to use a older and insecure version of TLS or cipher suite
What is a Cipher Suite rollback
It is possible for a MiTM to intercept the ClientHello and alter the list of cipher suite. The ServerHello will then choose a vulnerable cipher suite which the attacker can break
What SSL / TLS version does Cipher Suite rollback target
SSL 2.0
What is a TLS Downgrade attack
Where a MiTM can interfere with the TLS handshake and make packets drop resulting in a handshake failure and eventially a downgrade connection from e.g: TLS 1.2 to TLS 1.1 so on so forth down to whatever vulnerable connection
What TLS versions should only be offered
TLS 1.3 and TLS 1.2
When should TLS 1.0 and TLS 1.1 be offered
Only if it is necessary to support for legacy reasons
What connections are completely insecure
SSL 2.0 and SSL 3.0
What cipher suites should never be used
NULL and EXPORT cipher suites
What cipher should should be used
Cipher suites that offer PFS (which is all TLS 1.3 and ECDHE and DHE in TLS 1.2)
What is SSTI
Where web applications that utilise templating engines too dynamically put content on the site can be exploited
What does SSTI stand for
Server Side Template Injection
What does SSI stand for
Server Side Include injection
What is SSI
SSI can be used to generate HTML response dynamically. When SSI directives are not validated an attacker can inject commands into the SSI directives
What are the extensions commonly used for SSI
.shtml .shtm .stm
What is Web Cache Poisoning
Web cache poisoning forces a web cache to serve malicious content to unsuspecting users visiting a vulnerable site
What is classified as a weak session ID
If an attacker can bruteforce it. Needs to be at minimum 16 bytes long
What are some session vulnerabilities
Premature Session Population, Common Session Variables, Session fixation
What is Premature Session Population
When information is prematurely uploaded to the session cookie such as a username being stored in the cookie temporarily to provide a customised login failed error message. The cookie is cleared upon seeing the error but hitting the /profile endpoint with that cookie lets you through as the username is in the cookie
What is Common Session Variables
When there are functionalities that share the same variable such as a 3 step password reset and 3 step account create where the 2nd step in password reset is security question answer. What if we complete step 1 and 2 from account create and use that cookie to bypass step 2 in password reset
What is XPath Injection
When we can XPath queries do not get sanitised and we can craft specific queries to read contents of an XML document
What are some XPath injection methods used for blind exploitation
name() substring() and string-length()
What is LDAP injection
If a LDAP query is not properly sanitised we can perform injection attacks primarily regarding authentication
What is LDAP
LDAP is a protocol used to access directory servers such as AD
What does LDAP stand for
Lightweight Directory Access Protocol
What is a very basic two examples of LDAP injection
On a login form simply * for username and password or a real username and a * for password
