Section 15 - Network Attacks Flashcards
What is a port?
A logical communication endpoint that exists on a computer or server
They are classified as inbound or outbound.
What is an inbound port?
Used when your computer or server is listening for a connection
*** the web server had port 80 open, that’s an inbound port. It’s just waiting for somebody to come along and connect to it.
What is an outbound port?
This is opened by a computer whenever it wants to connect to a server
*** If my computer is attempting to make a connection to your web server over port 80, my computer is going to open up a random high number port such as 52363 and it’s going to make an outbound request to that web server.
In addition to ports being called inbound and outbound, the ports are also going to be assigned a…?
Number that can be anywhere between 0 to 65,535. This large range is divided into three smaller groups.
What are the three port range numbered groups?
Well-Known ports
Registered ports
Dynamic or Private Ports
What is a Well-Known port?
Ports 0 to 1023 are considered well known and are assigned by the Internet Assigned Numbers Authority (IANA)
What is a Registered port?
Ports 1024 to 49,151 are considered registered and are usually assigned to proprietary protocols
** These are used by vendors for their own proprietary protocols and each vendor is going to register them with IANA prior to using them.
What is a Dynamic/Private port?
Ports 49,152 to 65,535 can be used by any application without being registered with IANA
*** This range is usually used by your client whenever it picks a random high number port for its application. Anytime it wants to have a temporary outbound connection, this is the range that it’s going to use. This is used commonly in gaming, as well as instant message and chat.
Give the answer for the following information:
Port Number - 21
Protocol -
TCP/UDP -
Port Number - 21
Protocol - (FTP) File Transfer Protocol is used to transfer files from host to host
TCP/UDP - TCP
Give the answer for the following information:
Port Number - 22
Protocol -
TCP/UDP -
Port Number - 22
Protocol - (SSH, SCP, SFTP) Secure Shell is used to remotely administer network devices and systems.
SCP is used for secure copy and SFTP for secure FTP.
TCP/UDP -UDP
Give the answer for the following information:
Port Number - 23
Protocol -
TCP/UDP -
Port Number - 23
Protocol - Telnet is unencrypted method to remotely administer network devices (should not be used)
TCP/UDP - Both
Give the answer for the following information:
Port Number - 25
Protocol -
TCP/UDP -
Port Number - 25
Protocol - (SMTP) Simple Mail Transfer Protocol is used to send email over the internet
TCP/UDP - TCP
Give the answer for the following information:
Port Number - 53
Protocol -
TCP/UDP -
Port Number - 53
Protocol - (DNS) Domain Name Service is used to resolve hostnames to IPs and IPs to hostnames
TCP/UDP - Both
Give the answer for the following information:
Port Number - 69
Protocol -
TCP/UDP -
Port Number - 69
Protocol - (TFTP) Trivial FTP is used as a simplified version of FTP to put a file on a remote host, or get a file from a remote host
TCP/UDP - UDP
Give the answer for the following information:
Port Number - 80
Protocol -
TCP/UDP -
Port Number - 80
Protocol - (HTTP) Hyper Text Transfer Protocol is used to transmit web page data to a client for unsecured web browsing
TCP/UDP -TCP
Give the answer for the following information:
Port Number - 88
Protocol -
TCP/UDP -
Port Number - 88
Protocol - Kerberos is used for network authentication using a system of tickets within a windows domain
TCP/UDP - Both
Give the answer for the following information:
Port Number - 110
Protocol -
TCP/UDP -
Port Number - 110
Protocol - (POP3) Post Office Protocol v3 is used to receive email from a mail server
TCP/UDP - TCP
Give the answer for the following information:
Port Number - 119
Protocol -
TCP/UDP -
Port Number - 119
Protocol - (NNTP) Network News Transfer Protocol is used to transport usenet articles
TCP/UDP -TCP
Give the answer for the following information:
Port Number - 135
Protocol -
TCP/UDP -
Port Number - 135
Protocol - (RPC/DCOM-scm) Remote Procedure Call is used to locate DCOM ports to request a service from a program on another computer on the network
TCP/UDP - Both
Give the answer for the following information:
Port Number - 137-139
Protocol -
TCP/UDP -
Port Number - 137-139
Protocol - NetBIOS is used to conduct name querying, sending of data, and other functions over a NetBIOS connection
TCP/UDP - Both
Give the answer for the following information:
Port Number - 143
Protocol -
TCP/UDP -
Port Number - 143
Protocol - (IMAP) Internet Message Access Protocol is used to receive email from a mail server with more features than POP3
TCP/UDP - TCP
Give the answer for the following information:
Port Number - 161
Protocol -
TCP/UDP -
Port Number - 161
Protocol - (SNMP) Simple Network Management Protocol is used to remotely monitor network devices
TCP/UDP - UDP
Give the answer for the following information:
Port Number - 162
Protocol -
TCP/UDP -
Port Number - 162
Protocol - SNMPTRAP is used to send trap and informrequests to the SNMP manager on a network
TCP/UDP -Both
Give the answer for the following information:
Port Number - 389
Protocol -
TCP/UDP -
Port Number - 389
Protocol - (LDAP) Lightweight Directory Access Protocol is used to maintain directories of users and other objects
TCP/UDP - Both
Give the answer for the following information:
Port Number - 443
Protocol -
TCP/UDP -
Port Number - 443
Protocol - (HTTPS) Hyper Text Transfer Protocol Secure is used to transmit web page data to a client over an SSL/TLS encrypted connection
TCP/UDP -TCP
Give the answer for the following information:
Port Number - 445
Protocol -
TCP/UDP -
Port Number - 445
Protocol - (SMB) Server Message Block is used to provide shared access to files and other resources on a network
TCP/UDP - TCP
Give the answer for the following information:
Port Number - 465/587
Protocol -
TCP/UDP -
Port Number - 465/587
Protocol - SMTP with SSL/TLS is Simple Mail Transfer Protocol used to send email over the internet with an SSL and TLS secured connection
TCP/UDP - TCP
Give the answer for the following information:
Port Number - 514
Protocol -
TCP/UDP -
Port Number - 514
Protocol - Syslog is used to conduct computer message logging, especially for routers and firewall logs
TCP/UDP - UDP
Give the answer for the following information:
Port Number - 636
Protocol -
TCP/UDP -
Port Number - 636
Protocol - LDAP SSL/TLS is used to maintain directories of users and other objects over an encrypted SSL/TLS connection
TCP/UDP - Both
Give the answer for the following information:
Port Number - 860
Protocol -
TCP/UDP -
Port Number - 860
Protocol - iSCSI is used for linking data storage facilites over IP
TCP/UDP - TCP
Give the answer for the following information:
Port Number - 989/990
Protocol -
TCP/UDP -
Port Number - 989/990
Protocol - (FTPS) File Transfer Protocol Secure is used to transfer files from host to host over an encrypted connection
TCP/UDP - TCP
Give the answer for the following information:
Port Number - 993
Protocol -
TCP/UDP -
Port Number - 993
Protocol - IMAP4 with SSL/TLS is used to receive email from a mail server over an SSL/TLS encrypted connection
TCP/UDP - TCP
Give the answer for the following information:
Port Number - 995
Protocol -
TCP/UDP -
Port Number - 995
Protocol - (POP3 with SSL/TLS) is used to receive email from a mail server using an SSL/TLS encrypted connection
TCP/UDP - TCP
Give the answer for the following information:
Port Number - 1433
Protocol -
TCP/UDP -
Port Number - 1433
Protocol - (Ms-sql-s) Microsoft SQL server is used to receive SQL database queries from clients
TCP/UDP - TCP
Give the answer for the following information:
Port Number - 1645/1646
Protocol -
TCP/UDP -
Port Number - 1645/1646
Protocol - (RADIUS alternative) Remote Alternative Dial-In User Service is used for authentication and authorization (1645) and accounting (1646)
TCP/UDP - UDP
Give the answer for the following information:
Port Number - 1701
Protocol -
TCP/UDP -
Port Number - 1701
Protocol - (L2TP) Layer 2 Tunnel Protocol is used as an underlying VPN protocol but has no inherent security
TCP/UDP - UDP
Give the answer for the following information:
Port Number - 1723
Protocol -
TCP/UDP -
Port Number - 1723
Protocol - (PPTP) Point to Point Tunneling Protocol is an underlying VPN protocol with built in security
TCP/UDP - Both
Give the answer for the following information:
Port Number - 1812/1813
Protocol -
TCP/UDP -
Port Number - 1812/1813
Protocol - (RADIUS) Remote Authentication Dial-In User Service is used for authentication and authorization (1812) and accounting (1813)
TCP/UDP - UDP
Give the answer for the following information:
Port Number - 3225
Protocol -
TCP/UDP -
Port Number - 3225
Protocol - (FCIP) Fibre Channel IP is used to encapsulate Fibre Channel frames within TCP/IP packets
TCP/UDP - Both
Give the answer for the following information:
Port Number - 3260
Protocol -
TCP/UDP -
Port Number - 3260
Protocol - iSCSI Target is a listening port for a iSCSI targeted devices when linking data storage facilities over IP
TCP/UDP - TCP
Give the answer for the following information:
Port Number - 3389
Protocol -
TCP/UDP -
Port Number - 3389
Protocol - (RDP) Remote Desktop Protocol is used to remotely view and control other Windows systems via Graphical User Interface
TCP/UDP - Both
Give the answer for the following information:
Port Number - 3868
Protocol -
TCP/UDP -
Port Number - 3868
Protocol - Diameter is a more advanced AAA protocol that is a replacement for RADIUS
TCP/UDP - TCP
Give the answer for the following information:
Port Number - 6514
Protocol -
TCP/UDP -
Port Number - 6514
Protocol - Syslog over TLS it is used to conduct computer message logging, especially for routers and firewall logs, over a TLS encrypted connection
TCP/UDP - TCP
What makes a port unnecessary?
Any port that is associated with a service or function that is non-essential to the operation of your computer or network
Why is it important that you close or disable any unused ports?
Any port represents a possible vulnerability that might be exposed
Many security professionals and analyst do what to see which ports are opened and closed?
Scan their servers, their routers and their firewalls
What are the three methods you can use to close an unnecessary port?
- The operating system’s graphic user interface - To do this in Windows, open up the computer management console, select services and applications and then select services. Double click on what you want to turn off.
- Command line interface - “C:\ net stop service” you can turn off a service by using the net stop command and the name of the service. On a Linux server, you can do this by entering sudo stop and the name of the service at the command line (ex. # sudo stop service)
- Block the ports at your firewall, whether this is a software or a hardware-based firewall, or on the server itself.
What is a Denial of Service (DoS) attack?
Term used to describe many different attacks which attempt to make a computer or server’s resources unavailable
What are the five subcategories of DoS attacks?
- Flooding Attacks
- Ping of Death
- the Teardrop
- the Permanent Denial of Service attack
- the Fork Bomb
What is a DoS Flood Attack?
A specialized type of DoS which attempts to send more packets to a single server or host than they can handle
There are a few different specialized varieties of DoS Flood Attacks, what are they?
- Ping Flood
- Smurf Attack
- Fraggle
- SYN Flood
- Christmas Attack
What is a Ping Flood?
An attacker attempts to flood the server by sending too many ICMP echo request packets (which are known as pings)
What is a Smurf Attack?
This is like a Ping Flood but instead of trying to flood a server by sending out pings directly to it the attack instead tries to amplify this attack by sending a ping to a subnet broadcast address instead, using the spoofed IP of the target server.
This causes all the devices on that subnet to reply back to the victimized server with those ICMP echo replies, and it’s going to eat up a lot of bandwidth and processing power.
What is a Fraggle?
Attacks send a UDP echo packet to port 7 (ECHO) and port 19 (CHARGEN) to flood a server with UDP packets
*** Fraggle attacks are uncommon today due to this ports generally being closed however, a UDP Flood Attack, which is a variant of Fraggle is still heavily used. It works basically the same but it uses different UDP ports.
What is a SYN Flood?
Variant on a Denial of Service (DoS) attack where attacker initiates multiple TCP sessions but never completes the 3-way handshake
How do you prevent SYN floods?
- Flood guards
- Time outs
- IPS
What is a flood guard?
These devices will detect when a SYN flood is being attempted and will block the request at the network boundary, freeing up the server.
What is a Christmas Attack?
A specialized network scan that sets the FIN, PSH, and URG flags and can cause a device to crash or reboot
*** This will cause a device to crash or reboot anytime that packet’s received because it’s a nonstandard format. This name was given from the way the packets look inside of a protocol analyzer like Wireshark because all of the flags are turned on (looking like a Christmas Tree.)
What is the Ping of Death?
An attack that sends an oversized and malformed packet to another computer or server
*** When received, these systems wouldn’t know what to do with it and they would crash. This is an older attack that modern operating systems aren’t vulnerable to anymore. This was one of the first DoS attacks that was very effective in the field.
What is a Teardrop Attack?
Attack that breaks apart packets into IP fragments, modifies them with overlapping and oversized payloads and sends them to a victim machine.
** This attack gets its name because with enough “teardrops” you could form a puddle but this attack creates numerous smaller packets that can’t be reformed into this larger puddle, and when they’re trying to put those back together, the system simply crashes or reboots itself because it doesn’t understand how to handle it.
What is a Permanent Denial of Service?
Attack which exploits a security flaw to permanently break a networking device by reflashing its firmware
** This is an attack which exploits a security flaw to permanently break a networking device by reflashing its firmware. This can cause a device to be unable to reboot itself because its operating system is overwritten. Also, a quick reboot won’t bring the system back online hence its name.
What is Fork bomb?
Attack that creates a large number of processes to use up the available processing power of a computer
** This attack gets its name because a process is called a fork, and it can be forked into two processes, and then four processes and so on, until it eats up all of the resources. Now, some people think of this as a worm because of the self-replicating nature, but they’re not a worm, because they don’t infect programs, and they don’t use the network to spread. Instead, Fork Bombs only spread out inside the processor’s cache on a single computer that it’s being attacked with, and it causes a Denial of Service attack, and a Denial of Service condition, which is why it’s considered not to be a worm.
What is a Denial of Service condition?
Any attack that causes a system to go offline, and to stop providing the service that it’s really suppose to do to its real users or it can permanently cause a system to be broken
What is a Distributed Denial of Service (DDoS)?
A group of compromised systems attack a single target simultaneously to create a Denial of Service (DoS)
*** Usually, these machines that conduct the attack don’t even realize that they’re a part of it. Generally, they have become zombies or bots inside of a large botnet and then when they receive that command to attack they all simultaneously send all their payloads against a single victim.
What is a DDoS DNS amplification?
Attack which relies on the large amount of DNS information that is sent in response to a spoofed query on behalf of the victimized server
*** This specialized attack allows an attacker to generate a high volume of packets that’s intended to flood a victim’s website by initiating DNS requests from a spoof version of the target’s IP address. This causes the DNS servers to respond to that request and send the response back to the server, thinking that it’s valid. Because a DNS request uses very little bandwidth to send, but the response usually takes up a lot more bandwidth, this allows the attack to be amplified against the victim’s server.
What are the techniques to prevent DoS and DDoS attacks?
- Blackholing/Sinkholing
- IPS (can prevent small scale DDoS)
- Elastic Cloud Infrastructure (this infrastructure will scale up when demand increases allowing you to ride out an attack.)
What is blackholing or sinkholing?
Identifies any attacking IP addresses and routes all their traffic to a non-existent server through the null interface
What is spoofing?
Occurs when an attacker masquerades as another person by falsifying their identity
How do you prevent spoofing?
The best way is to user proper authentication, preferably multi-factor.
What is Hijacking?
The exploitation of a computer session in an attempt to gain unauthorized access to data, services, or other resources on a computer or server.
What are the eight types of hijacking?
- Session Theft
- TCP/IP hijacking
- Blind hijacking
- Clickjacking
- Man-In-The-Middle
- Man-In-The-Browser
- Watering Hole
- Cross Site Scripting
What is Session Theft?
Attacker guesses the session ID for a web session, enabling them to takeover the already authorized session of the client
What is TCP/IP hijacking?
Occurs when an attack takes over a TCP session between two computers without the needs of a cookie or other host access
What is Blind hijacking?
Occurs when an attack blindly injects data into the communication stream without being able to see if it is successful or not
What is Clickjacking?
Attack that uses multiple transparent layers to trick a user into clicking on a button or link on a page when they were intending to click on the actual page
What is a Man in the Middle attack?
Attack that causes data to flow through the attacker’s computer where they can intercept or manipulate the data
What is a Man in the Browser (MITB) attack?
Occurs when a trojan infects a vulnerable web browser and modifies the web pages or transactions being done within the browser
** This is similar to a Man in the Middle attack except it’s limited to your browser’s web communication
What is a Watering hole attack?
Occurs when malware is placed on a website that the attacker knows his potential victims will access
What is a Replay Attack?
Network-based attack where a valid data transmission is fraudulently or maliciously rebroadcast, repeated or delayed
How do we combat replay attacks?
Ensure that websites and devices are using session tokens to uniquely identify when an authentication session is occurring in addition to using multi-factor authentication
What is a Null Session?
A connection to the Windows interprocess communications share (IPC$)
** This is an administrative share that you don’t see as a normal user, but it allows computers across the network to send information that they know about files, folders, users, groups, computers and servers to each other.
What is a transitive attack?
These aren’t really an actual type of attack but more of a conceptual method. It gets its names from the transitive property we learned back in math. Essentially, this says that A = B = C then A also equals C. For the exam, this is the idea of trust. If one network trusts a second network and the second network trusts the third network, then that first network really trusts the third network. So if an attacker can get into any one of those three networks, he can then get into the other two as well.
What are the four different types of DNS attacks?
DNS Poisoning
Unauthorized Zone Transfers
Altered Hosts Files
Domain Name Kiting
What is DNS poisoning?
Occurs when the name resolution information is modified in the DNS server’s cache
What is DNS Unauthorized Zone Transfers?
Occurs when an attacker requests replication of the DNS information to their systems for use in planning future attacks
How do you counteract DNS poisoning?
- Secure DNS (DNSSEC) was created using encrypted digital signatures when passing DNS information between servers to help protect it from poisoning
- Ensure you are running the latest patches and updates
What is a DNS Unauthorized Zone Transfer attack?
Occurs when an attacker requests replication of the DNS information to their systems for use in planning future attacks
What is a DNS Altered Hosts File attack?
Occurs when an attacker modifies the host files to have the client bypass the DNS server and redirects them to an incorrect or malicious website
*** Every computer has a file on it called the host file. This is a plain text file and it contains IP addresses and names. This is a reference that the operating system is going to check every time a DNS lookup is requested prior to going to a DNS server.
How do you prevent your host file from being manipulated?
It should always be set to read-only
On a windows machine, your host file’s located in the
systemroot\system32\drivers\etc directory
What is Pharming?
Occurs when attacker redirects one website’s traffic to another website that is bogus or malicious
What is Domain Name Kiting?
Attack that exploits a process in the way a domain name is registered so that the domain name is kept in limbo and cannot be registered by an authenticated buyer
** You’re normally given a five-day grace period when you’re adding a domain name, but if you delete it before that five days is up and you re-add it again, the five day restarts. So this lets an attacker gobble up domain names without ever having to pay for them and they can be kept in a limbo state.
What is ARP?
Address Resolution Protocol is for mapping an internet protocol address (IP address) to a physical machine address that is recognized in the local network
*** used to convert IP address into a MAC addresss
What is ARP poisoning?
Attack that exploits the IP address to MAC resolution in a network to steal, modify, or redirect frames within the local area network
** The concept here is that the attacker is going to associate their MAC address with the IP address of another device within their network. This way, whenever a router asks for the MAC address that’s associated with that IP, they get the attacker’s MAC address instead of the legitimate user’s.
How do you prevent ARP poisoning?
- Set up good VLAN segmentation within your network
- Set up DHCP snooping to ensure that IP addresses aren’t being stolen and taken over by an attacker
