Network Attacks Flashcards

1
Q

Evil Twin

A

An Evil Twin attack involves an attacker setting up a rogue Wi-Fi access point with the same name (SSID) as a legitimate network. Unsuspecting users may connect to this rogue access point, thinking it’s the genuine network. Once connected, the attacker can intercept and manipulate the users’ network traffic, potentially capturing sensitive information like login credentials or injecting malicious content into web pages.

To defend against Evil Twin attacks, users should be cautious when connecting to Wi-Fi networks, especially in public places. It’s essential to verify the legitimacy of networks by checking SSIDs and using secure connections like VPNs when possible.

Network administrators can implement measures like wireless intrusion detection systems and strong encryption protocols to detect and mitigate Evil Twin attacks on their networks. Additionally, educating users about the risks of connecting to unknown networks and promoting secure Wi-Fi practices can help prevent successful attacks.

2
Q

bluejacking vs bluesnarfing

A

Bluejacking: Bluejacking is a relatively harmless form of Bluetooth attack where an attacker sends unsolicited messages or files to Bluetooth-enabled devices, such as smartphones or laptops, within range. The goal of bluejacking is typically to send a humorous or promotional message to nearby users without their consent, rather than to steal data or compromise the device. Bluejacking exploits the Bluetooth protocol’s ability to send messages or business cards between devices without requiring pairing or authentication. While bluejacking can be annoying or disruptive to users, it generally does not pose a significant security risk, as it does not involve accessing or stealing data from the targeted devices.

Bluesnarfing: Bluesnarfing, on the other hand, is a more malicious Bluetooth attack that involves unauthorized access to a Bluetooth-enabled device to steal or extract data, such as contacts, messages, emails, or other personal information. Unlike bluejacking, which involves only sending messages or files, bluesnarfing exploits security vulnerabilities in the Bluetooth protocol to gain access to sensitive data stored on the targeted device. Bluesnarfing attacks often target devices with outdated or unpatched Bluetooth firmware, allowing attackers to exploit known vulnerabilities and extract data without the user’s knowledge or consent. Bluesnarfing poses a significant security risk to users, as it can result in the loss of sensitive information and compromise their privacy.

3
Q

Cryptographic attack, 5 types of

A

A cryptographic attack is an attempt to compromise the security of a cryptographic system or algorithm by exploiting its weaknesses or vulnerabilities. Cryptographic attacks can target various aspects of a cryptographic system, including encryption algorithms, cryptographic protocols, key management systems, and implementation flaws.

There are several types of cryptographic attacks, including:

Brute-force attack: In a brute-force attack, the attacker tries every possible key or password until the correct one is found. This type of attack is particularly effective against weak or short keys and passwords but becomes increasingly impractical as the key size or password length increases.

Known-plaintext attack: In a known-plaintext attack, the attacker has access to pairs of plaintext and corresponding ciphertext and attempts to deduce the encryption key or algorithm from this information. This type of attack exploits weaknesses in the encryption process or algorithm to recover the key.

Chosen-plaintext attack: In a chosen-plaintext attack, the attacker can choose plaintext messages and observe the corresponding ciphertext produced by the encryption algorithm. By analyzing these pairs, the attacker attempts to deduce information about the encryption key or algorithm.

Man-in-the-middle attack: In a man-in-the-middle attack, the attacker intercepts and modifies communication between two parties, allowing them to eavesdrop on the communication or manipulate the data exchanged. This type of attack can compromise the confidentiality and integrity of the communication.

Side-channel attack: In a side-channel attack, the attacker exploits unintended information leakage from the cryptographic system, such as timing information, power consumption, electromagnetic radiation, or sound, to deduce information about the encryption key or algorithm.

5
Q

Downgrade attack

A

A downgrade attack is a type of security exploit where an attacker forces a system or communication channel to use older or less secure versions of cryptographic protocols or algorithms. This is done by intercepting and manipulating the communication between two parties to trick them into using weaker security mechanisms than they would normally use.

For example, in the context of secure communication over the internet, a downgrade attack might involve an attacker intercepting the negotiation process between a client and a server and modifying the communication to force the use of an older version of the TLS (Transport Layer Security) protocol, which may have known vulnerabilities or weaknesses.

How to Defend: To mitigate the risk of downgrade attacks, it’s important for systems to support only the latest and most secure versions of cryptographic protocols and algorithms, and for communication channels to use strong encryption and secure negotiation mechanisms. Additionally, implementing mechanisms such as certificate pinning and secure update mechanisms can help prevent attackers from downgrading security protocols and compromising the integrity and confidentiality of communication.

6
Q

deauthentication attack

A

A deauthentication attack floods devices connected to a Wi-Fi network with deauthentication frames, causing them to disconnect from the network. These frames appear to come from the access point, exploiting weaknesses in the Wi-Fi protocol to disrupt connectivity without requiring authentication. While not directly compromising security, deauthentication attacks disrupt network access, potentially leading to denial-of-service conditions and facilitating other attacks like man-in-the-middle.

How to Defend: Defenses against deauthentication attacks include implementing intrusion detection and prevention systems, deploying wireless intrusion prevention systems, using strong encryption protocols like WPA2 or WPA3, enabling network segmentation, and monitoring for abnormal network activity. Additionally, users should exercise caution when connecting to public Wi-Fi networks and consider using virtual private networks (VPNs) for secure communication over untrusted networks.

7
Q

wireless disassociation attack

A

A wireless disassociation attack disrupts Wi-Fi connectivity by flooding devices with disassociation frames, causing them to repeatedly disconnect from the network. Attackers exploit weaknesses in the Wi-Fi protocol to send these frames without authentication.

How to Defend: To defend against such attacks, network administrators can deploy intrusion detection and prevention systems, implement strong encryption protocols like WPA2 or WPA3, and monitor for abnormal network activity. Users should exercise caution when connecting to public Wi-Fi networks and consider using virtual private networks (VPNs) for secure communication over untrusted networks.

8
Q

wireless jamming

A

Wireless jamming is a type of cyberattack aimed at disrupting wireless communications by flooding the airwaves with interference signals. In a jamming attack, the attacker transmits high-power radio frequency signals on the same frequencies used by the target wireless devices, such as Wi-Fi networks, Bluetooth devices, or cellular networks. This flood of interference disrupts the communication between devices and access points, causing connectivity issues, packet loss, and degraded performance. Wireless jamming attacks can be launched using specialized equipment or software-defined radio (SDR) devices and can be targeted at specific frequencies or broader spectrum ranges.

How to Defend: Defending against wireless jamming attacks requires implementing techniques such as frequency hopping, spread spectrum modulation, and adaptive power control to mitigate the impact of interference and maintain reliable wireless communication. Additionally, deploying intrusion detection and prevention systems (IDPS) and monitoring for abnormal radio frequency activity can help detect and mitigate jamming attacks in real-time.

9
Q

spoofing

A

Spoofing is a cyberattack where an attacker falsifies data to impersonate another user, device, or system. They might fake IP addresses, email addresses, or other identifiers to deceive targets.

How to Defend: Defenses include authentication measures like digital signatures and two-factor authentication, as well as deploying intrusion detection systems to detect and block suspicious activity. Users should be cautious when interacting with unsolicited emails or messages and verify communication before responding.

10
Q

RFID

A

RFID, or Radio Frequency Identification, is a technology that uses radio waves to wirelessly identify and track objects. It consists of small tags or labels containing electronic chips that store unique identification data and antennas to transmit and receive radio signals. RFID tags can be attached to various items, such as products in retail stores, library books, or assets in warehouses, enabling automated identification and tracking without the need for direct line-of-sight or manual scanning.

11
Q
A

RFID is vulnerable to:

Spoofing: where attackers can impersonate legitimate RFID tags.
Eavesdropping: unauthorized parties can intercept and capture RFID communications.
Data interception: attackers can capture and steal data transmitted between RFID tags and readers.
Replay attacks: attackers can record and replay RFID communications to gain unauthorized access.
Denial-of-Service (DoS) attacks: attackers can disrupt RFID systems by flooding them with excessive requests or interference.

So, the correct answer is: All of the above.

12
Q
A

NFC, or Near Field Communication, shares similarities with RFID and is also vulnerable to similar attacks:

Data interception: unauthorized parties can intercept and capture NFC communications, potentially accessing sensitive information.
Replay attacks: attackers can record and replay NFC transmissions to gain unauthorized access or perform fraudulent transactions.
Denial-of-Service (DoS) attacks: attackers can disrupt NFC systems by flooding them with excessive requests or interference, rendering them unavailable for legitimate use.

Therefore, the correct answer is: All of the above.

13
Q

on path attack

A

An “on-path attack” occurs when an attacker inserts themselves into the network path between two communicating parties to intercept and alter data. Unlike traditional man-in-the-middle attacks where the attacker simply relays messages, in an on-path attack, the attacker actively modifies the transmitted data. By compromising network devices or exploiting vulnerabilities, the attacker gains access to the network path, allowing them to intercept, modify, or inject malicious content into the communication stream.

How to Defend: Defending against on-path attacks requires robust network security measures such as encryption, authentication, and intrusion detection systems to detect and mitigate suspicious activity. Additionally, regular security assessments and employee training are crucial for maintaining a secure network environment and preventing on-path attacks from succeeding.

14
Q

ARP Poisoning

Difference between this and MAC cloning?

A

ARP poisoning, also known as ARP spoofing, is a cyberattack where an attacker manipulates the Address Resolution Protocol (ARP) to associate their MAC address with the IP address of a legitimate network device. By sending falsified ARP messages across a local area network (LAN), the attacker tricks other devices into believing that their machine is the legitimate destination for network traffic intended for the targeted device. Once the ARP cache of the victim device is poisoned, all traffic meant for it is rerouted to the attacker’s machine, allowing the attacker to intercept, modify, or even block data packets.

Defending against ARP poisoning requires implementing measures such as ARP spoofing detection mechanisms, network segmentation, and the use of encryption protocols like HTTPS and VPNs to protect data from interception or tampering by attackers. Regular security audits and employee training on recognizing and mitigating ARP poisoning attacks are also essential for maintaining a secure network environment.

Difference between this and MAC cloning? ARP poisoning is typically more temporary compared to MAC cloning. ARP poisoning relies on sending falsified ARP messages to manipulate the ARP cache entries of devices on the local area network (LAN). These ARP cache entries are used by devices to map IP addresses to MAC addresses for communication within the network.

MAC cloning involves permanently changing the MAC address of a network interface to match the MAC address of another device. This change persists even after network reboots or ARP cache updates.

15
Q

DNS Poisoning

A

DNS poisoning, also known as DNS spoofing or DNS cache poisoning, is a cyberattack where an attacker corrupts the data in a Domain Name System (DNS) resolver’s cache. The DNS resolver is responsible for translating domain names (e.g., www.example.com) into IP addresses (e.g., 192.0.2.1) to facilitate communication between devices on the internet. In a DNS poisoning attack, the attacker injects false information into the DNS resolver’s cache, causing it to return incorrect IP addresses for legitimate domain names.

This manipulation can redirect users to malicious websites controlled by the attacker, leading to various security risks such as phishing, malware distribution, or theft of sensitive information. DNS poisoning attacks can be particularly harmful because they can affect a wide range of users who rely on the compromised DNS resolver for domain name resolution.

How to Defend: Defending against DNS poisoning requires implementing measures such as DNSSEC (Domain Name System Security Extensions), which adds cryptographic authentication to DNS responses to prevent tampering. Additionally, regularly monitoring DNS traffic, updating DNS software, and using reputable DNS resolvers can help mitigate the risk of DNS poisoning attacks.

16
Q

Cross-Site Request Forgery

A

Cross-Site Request Forgery (CSRF) is a type of cyberattack where an attacker tricks a user into unknowingly making a request to a web application, typically using the user’s authenticated session. The attacker crafts a malicious request and embeds it in a webpage or email that the victim visits or clicks on while logged into the targeted web application. When the victim’s browser executes the malicious request, it includes the user’s session credentials, effectively bypassing authentication checks. This allows the attacker to perform unauthorized actions on behalf of the victim, such as transferring funds, changing account settings, or posting malicious content.

Defending against CSRF attacks involves implementing countermeasures such as using anti-CSRF tokens, which are unique and randomly generated tokens embedded in web forms to validate legitimate requests. Additionally, developers should implement secure coding practices, such as using the “SameSite” attribute for cookies to prevent cross-origin requests, and regularly updating and patching web applications to address known vulnerabilities. Users should also be cautious when clicking on links or visiting websites, especially when logged into sensitive accounts, and should log out of web applications when not in use to minimize the risk of CSRF attacks.

17
Q

Media Access Control (MAC)

A

Media Access Control (MAC) refers to a unique identifier assigned to network interfaces for communications on a network.

Any device or component that connects to a network and requires network communication will have a MAC address associated with its network interface.

MAC addresses are typically assigned by manufacturers and are permanently associated with a network interface card (NIC) or similar hardware component. These addresses are used at the data link layer of the OSI model to ensure that data packets are delivered to the correct destination within a local area network (LAN).

While MAC addresses are useful for local network communication, they are not typically routable across the internet. Instead, devices on different networks communicate using IP addresses. However, MAC addresses are still important for local network management, security, and troubleshooting purposes.

18
Q

MAC Flooding

A

MAC (media access control) flooding is a network attack aimed at compromising the security of a switched LAN. By overwhelming the switch’s MAC address table with a flood of spoofed Ethernet frames, the attacker forces the switch into a fail-open or fail-closed state. In the fail-open state, the switch behaves like a hub, broadcasting all incoming frames to all ports, allowing the attacker to intercept network traffic intended for other devices. This can lead to the interception of sensitive information or the launch of further attacks.

To defend against MAC flooding attacks, network administrators can implement measures such as MAC address port security and deploy intrusion detection or prevention systems. These systems can detect and mitigate MAC flooding attacks by monitoring network traffic for suspicious activity and automatically taking action to prevent further damage. Additionally, regular security audits, patch management, and employee training on recognizing and responding to network attacks are essential for maintaining a secure network environment.

19
Q

MAC Cloning

A

MAC cloning, also known as MAC spoofing or MAC address spoofing, is a technique used to impersonate another device’s MAC address on a network interface. By modifying the MAC address of their network interface to match that of a legitimate device on the network, attackers can deceive network devices and potentially bypass access controls or security measures. This technique is commonly employed as part of network reconnaissance or unauthorized access attempts, enabling attackers to masquerade as authorized devices and gain access to restricted network segments. Moreover, MAC cloning can be utilized to circumvent detection mechanisms reliant on MAC address filtering for network access control, posing a significant threat to network security.

Defending against MAC cloning attacks requires the implementation of robust security measures. Network administrators should deploy port security mechanisms to limit the number of MAC addresses allowed on each switch port and authenticate devices based on more than just their MAC addresses. Additionally, employing network access control mechanisms that authenticate devices using multiple factors, such as MAC address, username, and password, enhances security. Continuous monitoring of network traffic for unusual or unauthorized MAC address activity is essential for detecting and mitigating MAC cloning attacks promptly. Moreover, regular security audits and employee training on identifying and responding to network attacks are vital components of an effective defense strategy against MAC cloning and other network-based threats.

20
Q

An attack that relies on altering the burned-in address of a NIC (network interface card) to assume the identity of a different network host is known as: (Select 2 answers)
ARP poisoning
On-path attack
MAC spoofing
Replay attack
MAC cloning

A

MAC spoofing and MAC cloning are both techniques used to alter the Media Access Control (MAC) address of a network interface card (NIC) to assume the identity of a different network host.

MAC spoofing involves changing the MAC address of a network interface to impersonate another device’s MAC address on the network. This technique is commonly used in cyberattacks to bypass network access controls or security measures by tricking network devices into believing that the attacker’s device is a legitimate one.

MAC cloning, on the other hand, also involves altering the MAC address of a network interface to match that of another device on the network. However, unlike MAC spoofing, MAC cloning typically involves copying the MAC address of a legitimate device rather than manually configuring a new MAC address. This allows attackers to masquerade as the legitimate device and potentially gain unauthorized access to network resources.

Both MAC spoofing and MAC cloning rely on altering the burned-in address (BIA) of a NIC, which is a unique identifier assigned to the NIC by the manufacturer. By changing this address, attackers can assume the identity of a different network host, making it difficult to trace their activities on the network.

21
Q

Which of the following fall(s) into the category of Layer 2 attacks? (Select all that apply)
MAC cloning
ARP poisoning
MAC flooding
DNS poisoning
MAC spoofing

A

Layer 2 attacks target the data link layer of the OSI model, which is responsible for the transmission of data between devices on the same local network. Here’s an explanation of each attack and why they fall into the category of Layer 2 attacks:

MAC Cloning: This is a technique where a device’s MAC address is copied to another device. It can be considered a Layer 2 attack because MAC addresses operate at the Data Link layer.

ARP Poisoning: Definitely a Layer 2 attack. ARP (Address Resolution Protocol) operates at Layer 2 and is used to associate IP addresses with MAC addresses. ARP poisoning involves sending false ARP messages over a local area network, which leads to the linking of an attacker’s MAC address with the IP address of another host.

MAC Flooding: This is a Layer 2 attack that targets the switch’s MAC address table. By flooding a switch with frames each containing different source MAC addresses, the MAC address table fills up, causing the switch to behave like a hub and send frames to all ports, allowing the attacker to intercept data.

DNS Poisoning: This occurs at Layer 7 (Application Layer). It involves corrupting the DNS cache to redirect queries to malicious websites or servers, so it does not qualify as a Layer 2 attack.

MAC Spoofing: Similar to MAC cloning, this involves changing a device’s factory-assigned MAC address to any arbitrary address, which is a Layer 2 activity because it directly involves manipulation of network interface addressing.

22
Q

Domain hijacking

A

Domain hijacking, also known as domain theft, is a type of cyberattack where an attacker unlawfully gains control over a domain name without the authorization of its rightful owner. This attack typically involves unauthorized changes to the domain’s registration information, such as the domain registrar, administrative contact, or DNS settings, effectively transferring ownership and control of the domain to the attacker.

To defend against domain hijacking attacks, domain owners should implement security measures such as enabling registrar locks, using strong and unique passwords for domain registrar accounts, enabling multi-factor authentication, and regularly monitoring domain registration records for unauthorized changes. Additionally, promptly reporting any suspicious activity to the domain registrar and maintaining up-to-date contact information can help mitigate the risk of domain hijacking.

23
Q

Which of the following enables client-side URL redirection?
host
hosts
hostname
localhost

A

The “hosts” file is a local operating system file that maps hostnames to IP addresses. By editing this file, users can redirect specific hostnames to different IP addresses, effectively redirecting the corresponding URLs to different destinations. This manipulation occurs at the client-side, allowing users to customize their local DNS resolution and override domain name resolutions provided by external DNS servers. Therefore, modifying the “hosts” file enables client-side URL redirection.

24
Q

Which of the following factors has the biggest impact on domain reputation?
Domain age
Missing SSL certificate
Derivative content
Bounce rate
Distribution of spam

A

The distribution of spam from a domain indicates malicious or unethical behavior and can severely damage its reputation. Internet service providers (ISPs) and email service providers (ESPs) closely monitor domain activity, particularly the volume of spam originating from a domain. High levels of spam distribution can lead to a domain being blacklisted or flagged as untrustworthy, resulting in email deliverability issues, website blocking, and tarnished reputation. Therefore, maintaining a clean email sending reputation and avoiding involvement in spam distribution are crucial for preserving domain reputation and ensuring continued online trustworthiness.

25
Q

What is the most common form of a DDoS attack?
IoT-based
Network-based
OT-based
Application-based

A

The most common form of a DDoS (Distributed Denial of Service) attack is “Network-based.”

In a network-based DDoS attack, the attacker targets the network infrastructure, such as routers, switches, or firewalls, with a flood of malicious traffic. This flood of traffic overwhelms the network resources, causing network congestion and disrupting legitimate traffic flow. Network-based DDoS attacks often exploit vulnerabilities in protocols or services, such as the ICMP (Internet Control Message Protocol), UDP (User Datagram Protocol), or TCP (Transmission Control Protocol), to flood the target network with large volumes of packets, effectively rendering it inaccessible to legitimate users.

26
Q

Which type of DDoS attack targets industrial equipment and infrastructure?
IoT
ATT&CK
OT
IoC

A

The type of DDoS attack that targets industrial equipment and infrastructure is “OT” (Operational Technology).

OT-based DDoS attacks focus on disrupting or damaging industrial control systems (ICS), supervisory control and data acquisition (SCADA) systems, and other critical infrastructure components. These attacks aim to disrupt industrial processes, cause physical damage, or compromise safety systems by overwhelming or disrupting the communication and control mechanisms of industrial equipment. OT-based DDoS attacks pose significant risks to industries such as manufacturing, energy, transportation, and utilities, highlighting the importance of securing operational technology environments against cyber threats.