Application/Service Attacks Flashcards

1
Q

Denial of Service (DOS). P. 241

A

A DoS attack causes a service at a given host to fail or become unavailable.
Typically overloads a service.
Can exploit design failures or other vulnerabilities in application software.
Examples: cutting telephone wire or network cabling.
Also motivated by a malicious desire to cause trouble.
Could be part of a Man in the Middle (MitM) or data exfiltration attack.
Most DoS attacks attempt to deny bandwidth to web servers connected to the Internet.
Attacks can also exploit known vulnerabilities in software to cause crashes; worms and viruses can render systems unusable or choke network bandwidth.

2
Q

Distributed Denial of Service (DDoS)

A

DoS attacks launched from multiple compromised computers (referred to as a botnet).
Attacker compromises 1 or 2 computers to act as “handlers” or “herders”.
These handlers compromise hundreds or thousands of “agents” or “zombies”, forming a botnet.
Attacker installs a backdoor application that gives them access to the computer. Attacker uses the backdoor application to install DoS software and trigger the zombies to attack at the same time.
Internet of Things (IoT) botnet - all devices that connect to the Internet (TVs, refrigerators, SOHO routers).
Attacks are coordinated between attacker groups.
Hacker collectives - target an organization as part of a campaign.

3
Q

Man in the Middle (MitM)

Address Resolution Protocol (ARP)

Buffer Overflow

A

MitM attacks are when an intruder “sits” between 2 communicating hosts and transparently captures, monitors and replays all communications between the hosts.
A Trojan horse is one way to launch one.
MitM attacks can be launched against antiquated protocols (i.e. ARP and DNS).
ARP - maps a network interface hardware (MAC) address to an IP address.
ARP Request - host wants to send a packet to an IP address but doesn’t know the receiving MAC address.
ARP Reply - the host with the matching IP responds back.
Buffer Overflow - input validation attack in which an attacker passes data that deliberately overfills the buffer that the application reserves to store expected data.
Principal exploits:
Stack overflow - area of memory used by a program subroutine.
Heap overflow - area of memory allocated by the application during execution to store variables.
Array index overflow - an array is a variable type that stores multiple values.

4
Q

Cross-site Scripting (XSS)

Cross-site request forgery(XSRF)

A

Cross-site scripting is one of the most powerful input validation exploits. Attacker crafts a URL to perform code injection against a trusted site. Users click the link, which returns the code injected by the attacker, and the code then executes (reflected or non-persistent XSS attack).
IFrame attacks
Stored or persistent attack - aims to insert code into the back-end database used by the trusted site.
These scripts use the Document Object Model (DOM) to modify the content of a web page.
Cross-site request forgery - exploits applications that use cookies to authenticate users and track sessions.
Confused Deputy attack - the user and the user’s browser are not the same thing.

5
Q

Privilege escalation

ARP Poisoning

A

Privilege escalation - attacker executes their own process (worm or Trojan) with the same privilege level as the exploited process.

ARP Poisoning - (spoofing) attack works by broadcasting unsolicited ARP reply packets.
Trivial ARP poisoning can be launched by adding static entries to the target’s ARP cache.
Switch port authentication can prevent ARP poisoning by preventing connected devices from changing their MAC address.

6
Q

Amplification (DRDoS)

DNS Poisoning

A

Powerful TCP SYN Distributed Reflection DoS - attacker spoofs the victim’s IP address and attempts to open connections with multiple servers.
SMURF is a type of amplification attack - exploits other protocols.
Bogus DNS queries - overwhelm the victim’s bandwidth with information.
Network Time Protocol (NTP) - keeps servers on the Internet with the correct time. Like the DNS amplification attack, a short request causes a list of hosts to direct a long response to the victim network.
DNS Poisoning - redirection attack - corrupts the records held by DNS itself. The object is to redirect traffic for a legitimate domain to a malicious IP address.

7
Q

Domain hijacking

Man in the Browser

A
Domain hijacking (typo squatting) - misspelt domain names.
Kiting - registering a domain name for up to 5 days without paying.
Tasting - seeing how much traffic comes through for 5 days.
Hijacking - supplying false credentials to the domain registrar when applying for a new domain.
Cybersquatting - acquiring a domain for a company’s trading name or trademark or some spelling variation.

A Man in the Browser attack is when the web browser is compromised by installing malicious plug-ins or scripts, or by intercepting API calls between the browser’s process and DLLs.
Browser Exploitation Framework (BeEF) is a well-known MitB tool.

8
Q

Zero Day Attack

Replay

A

A Zero Day attack exploits a vulnerability before the developer knows about it or can release a patch.

Replay - intercepting a key or password, then reusing it to gain access to a resource (i.e. Pass-the-Hash attack).
It is prevented by using once-only session tokens or timestamping sessions.

9
Q

Pass the Hash (ptH)

Driver Manipulation

A

Pass the Hash - attacker obtains the hash of a user.
A local administrator account is compromised so the adversary can run malware.
The adversary hopes to gain domain administrator privileges by replaying the compromised hash to gain wider privileges.
Driver Manipulation - DLL injection - forced loading of a malicious Dynamic Link Library.
Refactoring - code performs the same function but uses different methods (control blocks, variable types).
Shim - code library that intercepts and redirects calls to enable legacy-mode functionality; stored in an .SDB file.

10
Q

MAC Spoofing

IP Spoofing

A

MAC Spoofing - Layer 2 attack - the MAC address of the attacker’s host is matched to another known MAC address of the target.

IP Spoofing - attacker changes the source and/or destination address recorded in the IP packet. It’s done to mask the real identity of the attacker’s host machine.
Masks the origin of the attack.
