Threats, Attacks and Vulnerabilities Flashcards
Malware
includes a wide variety of malicious code, including viruses, worms, Trojans, ransomware, and more.
Logic Bomb
a string of code embedded in an application or script that executes in response to an event, such as when a specific application is executed or a specific time arrives
Trojan
appears to be something useful but includes a malicious component, such as installing a backdoor on a user’s system. Something that entices you to download it, such as a game, software, or free antivirus
Ransomware
is a type of malware that takes control of a user’s system or data. Criminals then attempt to extort payment from the victim
Rootkits
have system-level or kernel access and can modify system files and system access. Rootkits hide their running processes to avoid detection with hooking techniques. Tools that can inspect RAM can discover these hidden hooked processes.
Watering Hole Attack
attempts to discover which web sites a group of people are likely to visit and then infects those web sites with malware that can infect the visitors. The attacker’s goal is to infect a web site that users trust already, making them more likely to download infected files
Spear Phishing
attack targets specific groups of users. It could target employees within a company or customers of a company
Whaling
phishing attempts that target high-level executives.
Vishing
a form of phishing that uses the phone system or VoIP. Some vishing attempts are fully automated. Others start automated but an attacker takes over at some point during the call
Privilege Escalation
Attackers use various privilege escalation techniques to gain more and more privileges.
IP Spoofing
the attacker changes the source address so that it looks like the IP packet originated from a different source.
ARP poisoning
attacks attempt to mislead systems about the actual MAC address of a system. ARP poisoning is sometimes used in man-in-the-middle attacks.
SYN flood attack
is a common attack used against servers on the Internet. They are easy for attackers to launch, difficult to stop, and can cause significant problems. The SYN flood attack disrupts the TCP handshake process and can prevent legitimate clients from connecting.
TCP sessions use a three-way handshake when establishing a session. As a reminder, two systems normally start a TCP session by exchanging three packets in a TCP handshake. For example, when a client establishes a session with a server, it takes the following steps:
1. The client sends a SYN (synchronize) packet to the server.
2. The server responds with a SYN/ACK (synchronize/acknowledge) packet.
3. The client completes the handshake by sending an ACK (acknowledge) packet.
After establishing the session, the two systems exchange data.
However, in a SYN flood attack, the attacker never completes the handshake by sending the ACK packet. Additionally, the attacker sends a barrage of SYN packets, leaving the server with multiple half-open connections. Figure 7.1 compares a normal TCP handshake with the start of a SYN flood attack.
DNS Poisoning
attack attempts to modify or corrupt DNS results. For example, a successful DNS poisoning attack can modify the IP address associated with google.com and replace it with the IP address of a malicious web site. Each time a user queries DNS for the IP address of google.com, the DNS server responds with the IP address of the malicious web site.
Smurf Attack
A ping is normally unicast—one computer to one computer. A ping sends ICMP echo requests to one computer, and the receiving computer responds with ICMP echo responses.
- The smurf attack sends the ping out as a broadcast. In a broadcast, one computer sends the packet to all other computers in the subnet.
- The smurf attack spoofs the source IP. If the source IP address isn’t changed, the computer sending out the broadcast ping will get flooded with the ICMP replies. Instead, the smurf attack substitutes the source IP with the IP address of the victim, and the victim gets flooded with these replies.
Replay Attacks
capture data in a session with the intent of later impersonating one of the parties in the session. Timestamps and sequence numbers are effective countermeasures against replay attacks.
Typo Squatting
Users visit the typo squatting domain when they enter the URL incorrectly with a common typo
Domain Hijacking Attack
an attacker changes the registration of a domain name without permission from the owner
Zero-day exploits
are undocumented and unknown to the public. The vendor might know about it, but has not yet released a patch to address it
Buffer overflows
occur when an application receives more data than it can handle, or receives unexpected data that exposes system memory. Buffer overflow attacks often include NOP instructions (such as 0x90) followed by malicious code. When successful, the attack causes the system to execute the malicious code. Input validation helps prevent buffer overflow attacks.
Disassociation Attack
effectively removes a wireless client from a wireless network. To understand the attack, it’s valuable to first understand the normal operation
Rogue Access Points
Access points attached to a company’s network to capture and exfiltrate data.
Evil Twin
is a rogue access point using the same SSID as a legitimate access point
Bluejacking
is the practice of sending unsolicited messages to nearby Bluetooth devices. Bluejacking messages are typically text, but can also be images or sounds
Bluesnarfing
refers to the unauthorized access to, or theft of information from, a Bluetooth device. A bluesnarfing attack can access information, such as email, contact lists, calendars, and text messages. Attackers use tools such as hcitool and obexftp
Script Kiddie
is an attacker who uses existing computer scripts or code to launch attacks. Script kiddies typically have very little expertise, sophistication, and funding.
Hacktivist
launches attacks as part of an activist movement or to further a cause. Hacktivists typically aren’t launching these attacks for their own benefit, but instead to increase awareness about a cause
Organized crime elements
are typically motivated by greed and money but often use sophisticated techniques
Passive Reconnaissance
uses open-source intelligence methods, such as social media and an organization’s web site
Active reconnaissance
includes using tools to send data to systems and analyzing the responses. It typically starts by using various scanning tools such as network scanners and vulnerability scanners
Pivoting
is the process of using various tools to gain additional information. For example, imagine a tester gains access to Homer’s computer within a company’s network. The tester can then pivot and use Homer’s computer to gather information on other computers
Black Box Testing
Testers have zero knowledge of the environment prior to starting a black box test. Instead, they approach the test with the same knowledge as an attacker
White Box Testing
Testers have full knowledge of the environment before starting a white box test. For example, they would have access to product documentation, source code, and possibly even logon details
Gray Box testing
Testers have some knowledge of the environment prior to starting a gray box test. For example, they might have access to some network documentation, but not know the full network layout.
Salting
adds random text to passwords before hashing them and thwarts many password attacks, including rainbow table attacks
Pass the Hash
attempts to use an intercepted hash to access an account. Passwords are typically stored as hashes.
Session Hijacking
the attacker utilizes the user’s session ID to impersonate the user.