types of attacks Flashcards

(90 cards)

1
Q

Social Engineering

A

Social engineering involves a hacker attempting to trick an employee into compromising security through social contact, such as an email.

2
Q

Impersonation

A

A social engineering attack in which a hacker attempts to impersonate another employee in the organisation. For example, when a hacker impersonates a network administrator.

3
Q

Phishing

A

A social engineering attack in which a hacker typically sends e-mails to users pretending to be a representative from legitimate companies (banks, Amazon). The email includes falsified information in an attempt to lure the user into clicking a link that redirects them to a false website in order to obtain/steal personal information.

4
Q

Whaling and Vishing

A

Two types of phishing attacks. Whaling is a targeted phishing attack aimed at executive level employees. Vishing utilises phone calls as opposed to e-mails.

5
Q

Smishing

A

A type of phishing attack in which the hacker sends text messages to victims, often impersonating official companies to steal sensitive information.

6
Q

spIM

A

‘Spam over instant messaging’ is a type of social engineering attack in which bots are utilised to send users instant messages in an attempt to steal user data.

7
Q

Spear Phishing

A

A type of phishing attack in which the email sent is spoofed and looks like it comes from a trusted source, such as a fellow employee.

8
Q

SPAM

A

A type of social engineering attack in which unsolicited emails are sent to a number of people.

9
Q

Eliciting information

A

A social engineering technique to obtain information from a user that could be used in a future attack.

10
Q

Prepending

A

A social engineering technique in which information is added to the beginning of malicious data. For example, the attacker may get you to click a link that is www.banksite.com@192.168.2.1, where the browser would ignore everything to the left of the @ sign.

11
Q

Invoice Scams

A

A type of social engineering attack in which an attacker sends out an email message notifying the victim that payment is overdue and immediate payment is required.

12
Q

Credential Harvesting

A

A type of social engineering attack in which the hacker collects logon information and then uses that information later to access accounts.

13
Q

Influence campaigns

A

A social engineering attack that utilises social media to create fake accounts as well as fake posts that are designed to sway opinion.

14
Q

Shoulder Surfing

A

A type of social engineering attack in which a hacker tries to view confidential information that will assist in compromising security by looking over the shoulder of victims to see their computer screens.

15
Q

Tailgating

A

A type of social engineering attack in which a hacker walks through a secure area by closely following an authorised person who has unlocked the door using their swipe card or passcode. (someone tries to slip through doors behind you after you unlock it)

16
Q

Physical Attacks

A

Involve getting physical access to a system or device and then gaining access to the device or performing malicious actions against it.

17
Q

Malicious USB cable

A

A type of physical attack that utilises a malicious cable connected to the system, which can then receive commands from the hacker wirelessly.

18
Q

Malicious flash drive

A

A physical attack which uses a malicious USB drive that contains malware that executes on the victim system once the flash drive is connected to the USB port of the system.

19
Q

Card cloning

A

A physical attack in which a hacker copies the card information from a magnetic strip.

20
Q

Skimming

A

A physical attack in which a hacker extracts information from the magnetic strip on the card when you swipe your card.

21
Q

Principles of Social Engineering

A

Authority, Intimidation, Consensus, Scarcity, Urgency, Familiarity, Trust

22
Q

DoS

A

Denial of Service is a network attack that involves a hacker overloading a system with requests so much that it is too busy and cannot service legitimate requests from other clients.

23
Q

DDoS

A

Distributed Denial of Service is a network attack that uses a number of systems to perform a larger scale DoS attack. With a DDoS attack, the hacker first compromises and takes control of a number of systems and then uses those systems to help with the attack. The compromised systems are known as zombie systems because they have no mind of their own and will do whatever the hacker tells them to do.

24
Q

Different Types of DDoS attacks

A

Network: involves using up network bandwidth or consuming the processing power of network devices so that the network becomes unresponsive or performs poorly.
Application: involves flooding a specific software application or service with requests to cause it to crash or become unresponsive.
Operational technology: a DDoS attack against hardware or software that is required to run industrial equipment.

25
Spoofing
A type of network attack where the hacker alters the source address of information to make it look like it is coming from a different person. Spoofing is sometimes referred to as refactoring.
26
IP Spoofing
When the source IP address of a packet is altered so that it appears as if the packet comes from a different source.
26
MAC Spoofing
When the source MAC address of a frame is altered so that it appears to have come from a different system or device.
27
Email Spoofing
When the 'from' address of an email message has been altered so that the email looks like it comes from someone else.
27
Eavesdropping/Sniffing
A type of network attack in which the hacker captures network traffic and is able to view the contents of the packets traveling along the network.
28
Replay
A network attack that starts as a sniffing attack in order to capture traffic. Then the hacker resubmits the traffic onto the network later. The hacker may alter the traffic first and then replay it, or the hacker may simply be replaying traffic to generate more traffic.
29
On-Path Attack (MitM attack)
A type of network attack in which a hacker inserts himself in the middle of two systems that are communicating. The hacker can then pass information between the two.
30
MITB attack
Man-in-the-browser attack is a network attack where the browser contains a Trojan that was inserted via an add-in being loaded or a script executing within the browser. The Trojan at this point can intercept any data the user inputs into the browser and alter it before sending it to the destination server. Examples are Zeus and SpyEye.
31
Layer 2 attacks
Layer-2 networking attacks affect layer-2 networking devices, such as switches, or layer-2 components and protocols, such as MAC addresses and ARP.
32
ARP Poisoning
Layer 2 attack that involves the hacker altering the ARP cache on a system, or group of systems, so that all systems have the wrong MAC address stored in the ARP cache for a specific IP address, maybe the address of the default gateway. Typically, the hacker will poison the ARP cache so that the default gateway IP address (your router’s IP address) points to the hacker’s MAC address. This will ensure that every time a system tries to send data to the router, it will retrieve the hacker’s MAC address from the local ARP cache and then send the data to the hacker’s system instead of to the router.
33
MAC Flooding
Layer 2 attack in which the attacker sends a large number of frames to the switch, causing it to fill the MAC address table and, as a result, remove old, valid MAC addresses and add the new fake MAC addresses.
34
MAC cloning
Layer 2 attack in which the attacker copies the MAC address of another system and uses it for network communication. This could be used to bypass access control lists, where only traffic from specific MAC addresses is allowed on the network.
35
DNS Poisoning
An attack against DNS in which the hacker compromises a DNS server and poisons the DNS entries by having the DNS names point to incorrect IP addresses. Often, the hacker will modify the DNS records to point to the hacker’s system; this will force all traffic for that DNS name to the hacker’s system. DNS poisoning is also the altering of the DNS cache that is located on your company’s local DNS servers.
36
Domain Hijacking
Domain hijacking is a type of attack that involves the hacker taking over a domain name from the original registrant. The hacker may hijack the domain by using social engineering techniques to gain access to the domain name and then switch ownership, or the hacker could exploit a vulnerability on the systems that host the domain name to gain unauthorized access to the domain registration.
37
Uniform Resource Locator Redirection
Uniform Resource Locator (URL) redirection is a DNS attack that involves the attacker sending a request for a DNS name to a different location such as a malicious web site that the attacker is running.
38
Domain Reputation
Domain reputation is a rating on your domain name of whether or not the domain is known to send spam messages. If an employee in your company sends a lot of spam messages, your domain may be flagged as having a poor reputation due to the sending of those spam messages. Spam-filtering systems will block e-mail messages from systems with a poor domain reputation.
39
Pass the Hash
Pass the hash is a hacking technique used to access networks that use Microsoft NT LAN Manager (NTLM) as their authentication protocol. With pass the hash, the hacker first compromises a Windows system and then performs a hashdump of the SAM database. The hashdump contains all of the password hashes for each of the user accounts on that system. The hacker can then use those hashes in a pass-the-hash attack to move laterally throughout the network and authenticate to the next system.
40
Amplification
Amplification is the process of increasing the strength of a signal so that communication can occur. A hacker may amplify the signal on their wireless card so that they can reach greater distances over wireless.
41
Privilege Escalation
Privilege escalation is a popular attack that involves someone who has user-level access to a system being able to elevate their privileges to gain administrative access to the system. Privilege escalation normally occurs due to a vulnerability within software running on the system or within the operating system itself.
42
Port Scanning Attacks
A popular network attack is known as port scanning or a port scanning attack. With a port scanning attack, the hacker runs software on the network that does a port scan against the system, which indicates to the hacker what ports are open. Once the hacker finds out what ports are open, they can then try to exploit the ports to gain access to the system.
43
TCP connect scan
With a TCP connect scan, shown in Figure 4-9, the hacker performs a TCP three-way handshake with each port on the system. The concept is that if the hacker can do a three-way handshake with a port, then the port must be open.
44
SYN scan (half-open scan)
With the SYN scan, the hacker sends a SYN message but doesn’t send the ACK as the third phase of the three-way handshake after receiving an ACK/SYN from the victim’s system. The goal here is to avoid detection by creating less traffic. This scan is also known as a half-open scan or a stealth scan.
45
XMAS scan
In an XMAS scan, a packet is sent to each port with the PSH, URG, and FIN flags set in the packet. The term XMAS scan comes from the fact that you have three of six flags enabled, which is like turning on a bunch of lights on a Christmas tree. Note that this is also called an XMAS attack.
46
Pharming
Pharming is a term some people use for an attack on DNS or the hosts file that leads an individual to the wrong web site.
47
Antiquated protocols
Antiquated protocols are protocols that were developed without security in mind and that typically now have a secure version to replace them. Examples of antiquated protocols are most of the protocols in the TCP/IP protocol suite, such as HTTP, FTP, SMTP, and POP3.
48
Session hijacking
Session hijacking is when the hacker kicks one of the parties out of the communication and impersonates that person in the conversation. The hacker typically disconnects one of the parties via a denial of service attack.
49
Null sessions
A null session is when someone connects to a Windows system without providing any credentials. Once the person connects to the system, they can enumerate the system if it has not been secured. Through enumeration, the hacker may be able to collect the users, groups, and shared folder list. The following command is used to create a null session with a Windows system:
50
Domain name kiting
In domain name kiting, the hacker obtains a domain name for free by using the five-day grace period that is allowed. At the end of the five-day grace period, they cancel the name and then get it free again for another five days. They continue doing this to get the name for free.
51
Malicious insider threat
A malicious insider threat is when someone inside the company purposely destroys or discloses company data. The malicious insider threat could also be someone who performs fraudulent activities (deterrents against which include leveraging the concepts of rotation of duties and least privilege).
52
Transitive access (attack)
A transitive attack occurs when a user receives a hyperlink to another Windows shared folder and clicks the hyperlink. This forces the user’s system to pass the Windows user account credentials to the remote system to try to authenticate. The problem is that if the hacker is using a sniffer and password cracker, they can then try to crack the account password.
53
Client-side attacks
Client-side attacks are attacks on a system through vulnerabilities within the software on a client system. Many client-side attacks come from Internet applications such as web browsers and messenger applications.
54
Watering hole attack
A watering hole attack is when the hacker determines sites you may want to visit and then compromises those sites by planting viruses or malicious code on them. When you visit the site (which you trust), you are then infected with the virus.
55
Typo squatting/URL hijacking
Typo squatting is also known as URL hijacking and takes advantage of the fact that some users will make typos when typing a URL into the browser. The hacker sets up a web site with a URL that is very similar to the URL of a popular web site but includes an anticipated typo, leading unwary misspellers to the hacker’s web site.
56
Dictionary Attack
A dictionary attack involves the hacker using a program that has a list of popular usernames in one text file and a list of words from a language dictionary that are to be tried as passwords in another file. The dictionary file normally contains all of the words in a language and can be downloaded from the Internet.
57
Brute-Force Attack
A brute-force attack is a password attack that involves using the passwordcracking software to mathematically calculate every possible password. Normally, the hacker would configure the password-cracking software with requirements such as the number of characters and whether to use letters, numbers, and symbols. The benefit of a brute-force attack from the hacker’s point of view is that it is very effective—it will crack the passwords on a system if it has enough time to do so. The disadvantage of a brute-force attack is the time it takes to complete it. Due to the large number of possible passwords, it could take years for the password crack to complete!
58
Hybrid Attack
Another type of password attack is known as a hybrid attack. A hybrid attack involves the password-cracking software using a dictionary file, but after the software tries a word from the dictionary file, it then tries to modify the word. Examples of modifications that the cracking software will use are to place numbers after the word and possibly to replace characters.
59
Birthday
A birthday attack is a type of attack performed on hashing functions. It has been found that if you try enough data, you will find that two different data inputs generate the same hash value.
60
Collision and Downgrade Attacks
Hashing protocols are known to create collisions, which is when two different pieces of data create the same hash value. The higher the number of bits in the hash value, the less chance there is that two different pieces of data create the same hash value.
61
online vs offline password attacks
Online attack: the hacker is trying to crack the password against the live system. There is a risk of detection.
Offline attack: the hacker is able to attempt to crack the password offline if they can get a copy of the user account database.
62
SQL injection attacks
In SQL injection attacks, the hacker uses the SQL commands that are executing behind the scenes in order to manipulate the data in the database, so the hacker actually inserts some SQL code into the application, knowing the application will pass it to the database. The hacker inserts the SQL commands where you wouldn’t expect them, such as in the password field in the logon screen of the application. To protect against an SQL injection attack, the developers of the application must validate the input before processing it.
63
Buffer Overflow Attacks
A buffer is an area of memory used to store information sent to an application. A buffer overflow is when a hacker sends too much information to the application, causing the information to fill both the buffer and memory outside the buffer. If the hacker can store information in memory beyond the buffer area, the hacker can run whatever code they want with administrative privileges. The software that is susceptible to this attack could be an application or a background service loaded in the operating system.
64
SSL Stripping
An SSL stripping attack is when the hacker is able to place themselves between the victim and a secure HTTPS site that the victim uses. When the user sends a request to the secure site, the hacker intercepts the request and essentially creates their own secure connection with the target web site. The communication between the victim and the hacker is downgraded to unsecure HTTP communication (allowing the hacker to view all of the data), but the victim traffic is then sent to the secure site by the hacker using HTTPS.
65
Race conditions
A race condition is a software programming issue where code executed by a thread (a thread is a unit of work) must complete in a specific order before another thread can execute that same logic.
66
Application programming interface (API) attacks
An API is a library of functions that a programmer creates that provides some form of functionality. An API attack is when a hacker tries to use that API for malicious purposes—typically by making calls to the functions and performing injection attacks on those functions.
67
Why application vulnerabilities exist
- Improper input handling
- Improper error handling
- Default configuration
- Misconfiguration
- Weak cipher suites and implementations
- Zero-day threats/exploits
68
Software Development Life Cycle (SDLC)
- Requirement gathering and analysis
- Design
- Implementation
- Testing
- Deployment
- Maintenance
69
Input Validation
Validating input means that the developer checks to ensure that the information typed by the user into the application is appropriate for the type of input that is expected. Any input that does not pass the validation test should be discarded and not processed.
70
Elasticity and Scalability
Elasticity is the fact that the cloud environment can adjust the resources allocated to the application dynamically based on the workload. If there is a heavy load, the cloud environment can allocate more RAM or processing power, and then lower those resources when they are not needed. Scalability is the fact that the cloud provider can manually supply more servers in the background as demand increases over longer periods of time
71
Host Security and application security
Host:
- Allow list
- Block list
- Secure coding practices
Application:
- Input validation
- Secure cookies
- HTTP headers
- Code signing
72
Fuzzing
The term for software testing that enters invalid or random data into input fields of an application is fuzzing.
73
Types of Monitoring Systems
A signature-based system detects suspicious activity based on the signatures in a file. An anomaly-based system knows the normal activity (the baseline) and considers anything outside of the norm to be suspicious. A heuristic-based system identifies suspicious activity based on the manufacturer programming the device for the types of activity that have caused security problems in the past. Heuristic-based IDSs are great for monitoring for zero-day exploits.
74
windows commands
netstat: Used to show any protocol connection information. The following are useful: netstat -n, netstat -na -o
net session: The Windows net session command can be used to display the computers connected to your system through Windows file sharing. The list of sessions presents you with the IP address of clients connected to your system and the username they used to authenticate to the system.
tasklist: Monitors the processes running on the system.
taskkill: When monitoring a system, if you notice a process running in memory that may be the cause of a performance or security issue, you can use the taskkill command to end the process.
whoami: If you ever need to know who you are logged in to the system as, you can use the whoami command. This command will display the current username logged on.
net statistics: This command will display information such as the number of sessions accepted, the number of password violations (failed login attempts), the number of permission violations (access failed due to no permissions), and print jobs spooled to the system.
75
Linux commands
ps command: Used to view a list of processes running on the system. It is the Linux equivalent to the tasklist command in Windows.
ls command: To see a list of files that exist in a directory in Linux, use the ls command for “list.” A good switch to use with the ls command
76
SNMP
The Simple Network Management Protocol (SNMP) has been the standard management and monitoring protocol for devices for many years. It can be used to collect detailed information about a device’s running status, such as memory utilization, processor utilization, and the number of users connected.
77
Syslog
Syslog is an industry-standard protocol that allows you to have any systems, devices, and applications that support syslog send log messages to a central syslog server so that you can centrally review and manage your logs. Syslog can be configured on your switches, routers, servers, firewalls, and intrusion detection systems (IDSs) to send logged events to the syslog server.
78
Consideration for Monitoring Tools
- Review reports
- Packet capture
- Data inputs
- User behavior analysis
- Sentiment analysis
- Security monitoring
- Log aggregation
- Log collectors
79
Implementing Logging and Auditing
Auditing: Typically refers to actions that you wish to monitor on a system or application for security purposes. For example, you may wish to audit the management of user accounts on a system or the deletion of a customer record in an application.
Logging: Typically refers to logging all activity that occurs in an application or on a system. For example, you can log all requests to a web site and review the logs later.
80
popular areas to audit
- Security
- Applications
- DNS
- Performance
- Access
- Firewall
- Antivirus
- Wireless access point
81
Assessment types
- Risk assessment
- Threat assessment
- Vulnerability assessment (passive assessments)
- Penetration testing (verifying a threat exists, bypassing security controls, actively testing security controls, exploiting vulnerabilities)
- Baseline reporting
- Code review
- Determining the attack surface
- Ring architecture
- Design reviews
82
Security assessment standard methodologies
OVAL: Open Vulnerability and Assessment Language is an international standard for assessing vulnerabilities to a system. OVAL has three stages to the assessment: represent system information, assess vulnerabilities, and report on the vulnerabilities.
OCTAVE: Operationally Critical Threat, Asset, and Vulnerability Evaluation is a self-directed security assessment methodology.
OWASP: Open Web Application Security Project is a project that standardizes web application security testing procedures.
83
CVE and CVSS
Common Vulnerabilities and Exposures (CVE): A listing of publicly disclosed vulnerabilities for different operating systems and products. Each vulnerability is assigned a CVE ID, a description, date, and any related comments for the vulnerability.
Common Vulnerability Scoring System (CVSS): A standard scoring system used to report the severity level of a vulnerability. For example, a vulnerability with a CVSS score of 1 or 2 is not considered severe, but a CVSS score of 9 is considered a severe vulnerability that should be fixed or patched right away.
84
Types of testing (pen-testing)
Unknown environment test: Formerly known as a black box test. When an unknown environment test is being performed, or a pentester (penetration tester) is hired to perform the test, the goal is for the tester to have no information on the organization or its network configuration.
Known environment test: Formerly known as a white box test. With a known environment test, you (or the consultants you hire to do the test) are given all the details about the organization’s assets and configuration.
Partially known environment test: Formerly known as a gray box test. A partially known environment test is in the middle: the tester gets some details about the organization and its configuration, but only limited details.
85
Hacking Process
Profiling: (web site, Google, whois database, DNS profiling)
Scanning and enumeration: (enumerate = collect more information on the system)
Gaining access/initial exploitation
Maintaining access/persistence
Covering tracks/cleanup
86
steps to perform pentest
- Initial meeting
- Draft legal document
- Create a test plan
- Perform pentest
- Create report on findings
- Present results
- Destroy any copies of report
87
File manipulation in Linux
head: A Linux command used to report back the beginning content of a file (by default the first ten lines).
tail: Similar to the head command, but this Linux command is used to print the last ten lines on the screen.
cat: Used to display the contents of one or more text files in Linux.
grep: Used to search for a specific string within a file.
chmod: Used to change the permissions on a file.
logger: Allows you to add log entries to the /var/log/syslog file.