
Module 2. Comparing and Contrasting Attack Types

Social Engineering#

A social engineer manipulates people rather than systems; a skilled one is a master of asking seemingly harmless or unimportant questions to gather information over time.

Some typical social engineering attacks are:

Phishing#

Some types of phishing are:

  • Phishing: An attack via electronic communications (typically email) in which the attacker poses as someone trustworthy to obtain credentials or other information.
  • Spear Phishing: A targeted attack appearing to come from a trusted source, typically within the victim's own company and from someone in a position of authority.
  • Whaling: Spear phishing aimed at high-profile targets such as business executives.

Vishing#

Voice phishing: using social engineering techniques over the phone to obtain information or prompt an action (the same approach carried out in person is impersonation).

Attackers pose as a legitimate company, a repair person, security personnel or someone else the target trusts, and may be internal or external to the company.

Tailgating#

Following someone into a building or badged area without presenting credentials. It works because people want to be helpful, so be aware of people who try to look like they belong, for example by carrying a lot of items so that someone holds the door for them.

Impersonation#

As well as the human act of impersonating a person, from a technical point of view an attacker can impersonate a legitimate party by capturing packets, altering them and placing them back onto the network so that they look like legitimate packets (this is the replay attack described under Application/Service Attacks).

Sequencing helps mitigate this: if each message carries a sequence number and a timestamp, a transmission that arrives out of order, duplicates a number already seen, or arrives after a time-out period is rejected and must be re-submitted.

Dumpster Diving#

Retrieving rubbish from bins that could reveal sensitive information.

Documents containing sensitive or personally identifiable information should be disposed of securely, for example by shredding, rather than put in the general waste.

Shoulder Surfing#

The act of watching over someone's shoulder while they enter sensitive information (a password or PIN) into a web page, application or keypad.

Hoaxes#

A false warning or claim (a fake virus alert, a bogus notice that an account has been locked) designed to trick the target into taking a harmful action or revealing sensitive information. Hoaxes are usually delivered under a pretext, such as someone acting as a remote technician or employee, an interested party seeking employment, or an angry customer filing a complaint.

Watering hole attack#

An attacker identifies a less secure third-party site that they have deduced company employees are likely to visit, then compromises that site so that it deploys malware to those visitors.

Principles (Reasons for Effectiveness)#

Authority#

The bad actor appears to know what they are talking about, has (or claims) special knowledge about the company, or claims a senior role; that apparent authority puts them in a position of power and makes the target less likely to question the request.

Intimidation#

An actor threatens negative consequences, such as releasing sensitive information or reporting the target to their manager, if the target does not comply.

Consensus/Social Proof#

People are more likely to act when they believe they are in alignment with the larger group ("everyone else in your department has already done this").

Familiarity/Liking#

People prefer things they are already familiar with or like. An attacker can establish a common contact or friend, or mimic a familiar brand, so that the target's trust goes up.

Trust#

People are more likely to act when they trust the person or situation; attackers often build that trust over several interactions before making the real request.

Scarcity/Urgency#

Tactics that elicit action by making the target think they must act quickly, for example to obtain a special deal or to beat a deadline, so that there is no time to verify the request.

Application/Service Attacks#

DDoS#

Generally a large-scale denial of service attack launched from many sources at once; they have the following components:

  • Botnets: a collection of compromised hosts that initiate the attack; spread all over the internet, they provide the distributed part of the attack
  • Bot Herders: the people who infect vulnerable computers to add them to their botnet and then direct it
  • Command and Control (C&C or C2) servers: the infrastructure the bot herder uses to issue instructions to the botnet

Replay Attack#

Capturing legitimate packets (for example an authentication exchange) and retransmitting them later, possibly after altering them, so that the receiver repeats the original action or accepts the attacker as the original sender.
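
The following is an added example (not part of the original notes) showing the sequencing mitigation described under Impersonation above, applied to the replay attack here and to the wireless replay attack later in these notes: the sender binds a sequence number and timestamp to each message with an HMAC, and the receiver rejects straight replays, tampered copies and late arrivals. The shared key, timestamps and payloads are constructed for the demo.

```python
import hashlib
import hmac

# Constructed shared secret for this example only; a real system would provision it
# out of band and never hard-code it.
SHARED_KEY = b"example-shared-key-not-for-production"
REPLAY_WINDOW_SECONDS = 30


def build_message(seq: int, ts: int, payload: bytes, key: bytes = SHARED_KEY) -> dict:
    """Sender side: bind a sequence number and timestamp to the payload with an HMAC.

    The tag covers seq and ts as well as the payload, so someone who captures the
    message cannot bump the sequence number, refresh the timestamp or edit the
    payload without the tag failing to verify.
    """
    header = f"{seq}|{ts}|".encode()
    tag = hmac.new(key, header + payload, hashlib.sha256).hexdigest()
    return {"seq": seq, "ts": ts, "payload": payload, "tag": tag}


class Receiver:
    """Receiver side: verify the tag, then reject stale or already-used sequence numbers."""

    def __init__(self, key: bytes = SHARED_KEY, window: int = REPLAY_WINDOW_SECONDS):
        self.key = key
        self.window = window
        self.last_seq = 0  # highest sequence number accepted so far

    def accept(self, msg: dict, now: int) -> tuple:
        header = f"{msg['seq']}|{msg['ts']}|".encode()
        expected = hmac.new(self.key, header + msg["payload"], hashlib.sha256).hexdigest()
        # Verify the tag first: nothing else in the message can be trusted until it passes.
        if not hmac.compare_digest(expected, msg["tag"]):
            return False, "bad MAC (altered message)"
        if abs(now - msg["ts"]) > self.window:
            return False, "stale timestamp (replayed after the window)"
        if msg["seq"] <= self.last_seq:
            return False, "sequence number already used (replay or out of order)"
        self.last_seq = msg["seq"]
        return True, "accepted"


def replay_demo() -> list:
    """Fresh message, straight replay, tampered copy, late copy, then a genuinely new message."""
    rx = Receiver()
    t0 = 1_700_000_000  # constructed 'current time' for the demo
    results = []

    original = build_message(seq=1, ts=t0, payload=b"transfer 100 to account 42")
    results.append(rx.accept(original, now=t0)[1])

    # 1. Straight replay: identical bytes sent again a few seconds later.
    results.append(rx.accept(original, now=t0 + 5)[1])

    # 2. Tampered replay: the attacker edits the payload and bumps seq but cannot recompute the tag.
    tampered = dict(original, seq=2, payload=b"transfer 100 to account 99")
    results.append(rx.accept(tampered, now=t0 + 5)[1])

    # 3. A genuine message captured at t0 and held back, then replayed ten minutes later.
    held_back = build_message(seq=2, ts=t0, payload=b"transfer 100 to account 42")
    results.append(rx.accept(held_back, now=t0 + 600)[1])

    # 4. A new message from the legitimate sender still gets through.
    fresh = build_message(seq=2, ts=t0 + 600, payload=b"transfer 5 to account 7")
    results.append(rx.accept(fresh, now=t0 + 600)[1])
    return results


if __name__ == "__main__":
    for outcome in replay_demo():
        print(outcome)
```

The order of the checks matters: the MAC is verified before the sequence number or timestamp is looked at, because until it passes those fields are attacker-controlled. In a real protocol the timestamp window also has to allow for clock skew between the two sides.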

Man-In-The-Middle#

The attacker positions themselves between two communicating parties and relays traffic so that each side believes it is talking directly to the other. Unlike a replay attack it happens live: the attacker can read the traffic, and may alter it, as it passes through.

Buffer Overflow#

An attack that causes a system or application to crash or behave unexpectedly. If an application does not check that data written to a buffer actually fits within it, the excess data overwrites adjacent memory (such as a saved return address on the stack); an attacker who controls that data can redirect execution to code of their choosing that would not normally be allowed to run.

SQL Injection#

Inserting SQL syntax into input that the web application passes into a database query. A vulnerable site may return data that should not be exposed, potentially including usernames and password hashes, crash, or in some database configurations give the attacker command execution or remote access.
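
An added example (not from the original notes) of the injection itself and the fix, using Python's built-in sqlite3 against a constructed in-memory users table: the vulnerable login splices input into the SQL string, the hardened one uses a parameterised query. The table contents are made up.

```python
import sqlite3


def build_demo_db() -> sqlite3.Connection:
    """Constructed in-memory database for the example; the rows are made up."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "hash-of-alice-password", "admin"),
         ("bob", "hash-of-bob-password", "user")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password_hash: str) -> list:
    # Vulnerable: user input is spliced straight into the SQL text, so the input can
    # close the quoted string and rewrite the rest of the WHERE clause.
    query = ("SELECT username, role FROM users "
             f"WHERE username = '{username}' AND password_hash = '{password_hash}'")
    return conn.execute(query).fetchall()


def login_safe(conn: sqlite3.Connection, username: str, password_hash: str) -> list:
    # Hardened: a parameterised query. The driver sends the values separately from the
    # statement, so quotes and comment markers in the input stay data.
    query = "SELECT username, role FROM users WHERE username = ? AND password_hash = ?"
    return conn.execute(query, (username, password_hash)).fetchall()


def injection_demo() -> dict:
    conn = build_demo_db()
    bogus = "not-the-real-hash"
    return {
        # "alice' --" closes the string and comments out the password check:
        #   ... WHERE username = 'alice' --' AND password_hash = '...'
        "bypass_vulnerable": login_vulnerable(conn, "alice' --", bogus),
        # "' OR 1=1 --" makes the WHERE clause true for every row and dumps all accounts:
        #   ... WHERE username = '' OR 1=1 --' AND password_hash = '...'
        "dump_vulnerable": login_vulnerable(conn, "' OR 1=1 --", bogus),
        # The same payloads against the parameterised query are just usernames nobody has.
        "bypass_safe": login_safe(conn, "alice' --", bogus),
        "dump_safe": login_safe(conn, "' OR 1=1 --", bogus),
    }


if __name__ == "__main__":
    for name, rows in injection_demo().items():
        print(f"{name}: {rows}")
```

Note the `--` comment marker does the real work in both payloads: it discards the rest of the developer's query, which is why the password check never runs. Escaping quotes by hand is not a substitute for parameters; the parameterised version needs no knowledge of which characters are dangerous.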

LDAP Injection#

Similar to SQL injection, but the malicious input is placed in an LDAP search filter; where the application builds filters from unescaped input, the attacker can widen the query to return user details from the LDAP directory or bypass authentication.

XML Injection#

Another form of injection, where attacker-controlled input is inserted into an XML document or query that the application processes, altering its structure or the data it returns.

Cross Site Scripting (XSS) and Cross Site Request Forgery (XSRF)#

For XSS the browser runs malicious script because it was served from a site the browser trusts; with XSRF (CSRF) the server performs an action because it received a request from a browser it trusts (one carrying a valid session cookie), even though the request was triggered by another site.
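
Added example, not from the original notes, of both halves of that sentence in Python: a comment renderer with and without output encoding (XSS), and a transfer endpoint with and without an anti-CSRF token check. The session class, the request dictionaries and the bank.example URL in the comments are hypothetical.

```python
import hmac
import html
import secrets


# ---- XSS: the browser runs whatever the server puts in the page ----

def render_comment_vulnerable(comment: str) -> str:
    # Untrusted text dropped straight into HTML: a stored comment containing <script>
    # or an onerror= attribute executes in every viewer's browser.
    return f'<p class="comment">{comment}</p>'


def render_comment_safe(comment: str) -> str:
    # Output encoding for an HTML text context: '<', '>', '&' and quotes become entities,
    # so the comment is displayed as text and never parsed as markup.
    return f'<p class="comment">{html.escape(comment, quote=True)}</p>'


# ---- CSRF: the server acts because the request carried the victim's cookie ----

class Session:
    """Server-side session (hypothetical): the logged-in user and a per-session anti-CSRF token."""

    def __init__(self, user: str):
        self.user = user
        self.csrf_token = secrets.token_urlsafe(32)


def transfer_vulnerable(session: Session, request: dict) -> str:
    # Trusts the session cookie alone, and even acts on GET, so a hidden
    # <img src="https://bank.example/transfer?to=attacker&amount=100"> on any page the
    # victim visits completes a transfer in the victim's name.
    to, amount = request["params"]["to"], request["params"]["amount"]
    return f"{session.user} sent {amount} to {to}"


def transfer_safe(session: Session, request: dict) -> str:
    # Require a state-changing method and a token the attacker cannot obtain: the token is
    # embedded in the bank's own page, not in a cookie, so a cross-site request cannot carry it.
    if request["method"] != "POST":
        return "rejected: state change must be a POST"
    submitted = request["params"].get("csrf_token", "")
    if not hmac.compare_digest(submitted, session.csrf_token):
        return "rejected: missing or invalid CSRF token"
    to, amount = request["params"]["to"], request["params"]["amount"]
    return f"{session.user} sent {amount} to {to}"


def csrf_demo() -> dict:
    session = Session("victim")
    # Constructed requests: the forged ones are what a cross-site <img> or auto-submitting
    # form produces; the genuine one comes from the bank's own page and carries the token.
    forged_get = {"method": "GET", "params": {"to": "attacker", "amount": "100"}}
    forged_post = {"method": "POST", "params": {"to": "attacker", "amount": "100"}}
    genuine = {"method": "POST",
               "params": {"to": "landlord", "amount": "100", "csrf_token": session.csrf_token}}
    return {
        "forged_get_vs_vulnerable": transfer_vulnerable(session, forged_get),
        "forged_get_vs_safe": transfer_safe(session, forged_get),
        "forged_post_vs_safe": transfer_safe(session, forged_post),
        "genuine_vs_safe": transfer_safe(session, genuine),
    }
```

The two defences are independent: output encoding stops the attacker's script from running in the victim's browser, while the CSRF token stops the attacker's page from making the victim's browser act on their behalf. Note that a successful XSS on the bank's own origin would let the attacker read the token, which is one reason the two issues are listed together.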

Privilege Escalation#

Obtaining higher privileges on the target than were granted, for example going from a standard user account to administrator or root.

ARP Poisoning#

Attackers send spoofed ARP replies to associate their own MAC address with another host's IP address (often the default gateway), so that traffic intended for that host is delivered to the attacker, who can read or modify it before forwarding it on.
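
An added example (not part of the original notes) of detecting the poisoning rather than performing it: a small detector run over constructed tcpdump-style ARP reply lines that flags an IP address whose MAC changes and a MAC that answers for several addresses. The log lines, addresses and severities are made up for the demo.

```python
import re
from collections import defaultdict
from typing import Optional

# Constructed ARP records in a tcpdump-like format (made up for this example). The first
# lines are the normal state of a small network; the last two show a second MAC answering
# for the gateway and for a workstation, which is what an ARP poisoning tool produces when
# it inserts itself between the two.
SAMPLE_ARP_LOG = """\
10:00:01.000 ARP, Reply 192.168.1.1 is-at aa:bb:cc:00:00:01, length 28
10:00:01.500 ARP, Reply 192.168.1.20 is-at aa:bb:cc:00:00:20, length 28
10:00:02.000 ARP, Request who-has 192.168.1.21 tell 192.168.1.20, length 28
10:00:02.100 ARP, Reply 192.168.1.21 is-at aa:bb:cc:00:00:21, length 28
10:00:30.000 ARP, Reply 192.168.1.1 is-at aa:bb:cc:00:00:01, length 28
10:00:31.000 ARP, Reply 192.168.1.1 is-at de:ad:be:ef:00:99, length 28
10:00:31.200 ARP, Reply 192.168.1.20 is-at de:ad:be:ef:00:99, length 28
"""

ARP_REPLY = re.compile(
    r"^(?P<ts>\S+) ARP, Reply (?P<ip>\d+\.\d+\.\d+\.\d+) is-at "
    r"(?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})"
)


def parse_arp_replies(log: str) -> list:
    """Return one record per ARP reply; requests and other lines are ignored."""
    records = []
    for line in log.splitlines():
        m = ARP_REPLY.match(line)
        if m:
            records.append({"ts": m["ts"], "ip": m["ip"], "mac": m["mac"].lower()})
    return records


def detect_arp_poisoning(records: list, gateway: Optional[str] = None) -> list:
    """Flag the two signatures of a poisoning attempt.

    1. An IP address answered by more than one MAC (a victim's cache is being overwritten).
    2. One MAC answering for several IPs (the attacker impersonating both ends of a
       conversation so it can sit in the middle).
    The first MAC seen for an address is treated as the legitimate one; a real monitor would
    seed that from DHCP leases or a switch's port table instead of trusting the first reply.
    """
    ip_to_macs = defaultdict(list)
    mac_to_ips = defaultdict(set)
    alerts = []
    for r in records:
        known = ip_to_macs[r["ip"]]
        if known and r["mac"] not in known:
            severity = "HIGH" if r["ip"] == gateway else "MEDIUM"
            alerts.append(f"{severity} {r['ts']} {r['ip']} changed from {known[0]} to {r['mac']}")
        if r["mac"] not in known:
            known.append(r["mac"])
        mac_to_ips[r["mac"]].add(r["ip"])
    for mac, ips in mac_to_ips.items():
        if len(ips) > 1:
            alerts.append(f"MEDIUM {mac} claims multiple addresses: {', '.join(sorted(ips))}")
    return alerts


def arp_demo() -> list:
    return detect_arp_poisoning(parse_arp_replies(SAMPLE_ARP_LOG), gateway="192.168.1.1")


if __name__ == "__main__":
    for alert in arp_demo():
        print(alert)
```

A change of MAC for the gateway is the highest-value signal because every off-subnet connection from every host passes through it. Legitimate causes of a change (a replaced router, a failover pair) do exist, so in practice the alert is correlated with the switch's MAC table before anyone acts on it.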

Smurf Attack (Amplification)#

The attacker sends ICMP echo requests (pings) to a network's broadcast address with the source address spoofed to the victim's IP; every host on that network replies to the victim, so a single packet from the attacker is amplified into many replies that flood the victim's machine.

DNS Poisoning#

Manipulating the records in a DNS server's cache (or a client's cache or hosts file) so that a name resolves to an IP address the attacker controls.

Zero Day#

A vulnerability that is discovered and exploited before the developer has had a chance to issue a fix or patch.

Pass the Hash#

Harvesting a user's password hash and using the hash itself, rather than the password, to authenticate to a remote server or service (classically with NTLM on Windows). The hash is usually obtained from memory or credential stores on a compromised host rather than from the wire, since modern authentication protocols do not send the hash itself over the network.

Clickjacking#

Tricking the user into performing unintended actions by clicking a concealed link or button, typically by overlaying a transparent frame of the target site on top of a decoy page.

Session Hijacking#

Items used to validate a user's session (session cookies or tokens) are captured and reused by a malicious person, for example via a man-in-the-middle attack or sidejacking (sniffing the cookie off an unencrypted network).

Typo Squatting and URL Hijacking#

Registering domain names that are misspellings of popular domains. The fraudulent sites at those names are then used to capture the details of users who mistype the address or follow a lookalike link.
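
As an added example (not from the original notes) serving both this section and the Phishing section above, a sender-domain triage that catches typosquatted and homoglyph lookalikes of a trusted domain, plus the trick of using the trusted name as a subdomain of an attacker's domain. The homoglyph list, the distance threshold and the sample From: headers are constructed; only example.com is a real reserved name, the rest are made up.

```python
import re

# Character sequences that pass for another in many fonts. Constructed short list, not exhaustive.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def normalise(domain: str) -> str:
    """Fold common homoglyph substitutions back to the characters they imitate."""
    d = domain.lower()
    for fake, real in HOMOGLYPHS:
        d = d.replace(fake, real)
    return d


def levenshtein(a: str, b: str) -> int:
    """Edit distance: single-character insertions, deletions or substitutions separating a from b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(domain: str, trusted: list, max_distance: int = 2) -> str:
    domain = domain.lower()
    # Exact match or a genuine subdomain (mail.example.com) of a trusted name.
    for t in trusted:
        if domain == t or domain.endswith("." + t):
            return "trusted"
    for t in trusted:
        # example.com.account-verify.net: the trusted name is only a label of another domain.
        if domain.startswith(t + "."):
            return "lookalike: trusted name used as a subdomain of another domain"
        # examp1e.com, exarnple.com: identical once lookalike characters are folded.
        if normalise(domain) == t:
            return "lookalike: homoglyph substitution"
        # exampel.com: a couple of keystrokes away from the trusted name.
        dist = levenshtein(normalise(domain), t)
        if dist <= max_distance:
            return f"lookalike: typo (edit distance {dist})"
    return "unrelated"


def sender_domain(from_header: str) -> str:
    """Pull the address out of 'Display Name <user@domain>' or a bare address."""
    m = re.search(r"<([^>]+)>", from_header)
    address = m.group(1) if m else from_header.strip()
    return address.rsplit("@", 1)[-1]


def triage_senders(from_headers: list, trusted: list) -> dict:
    return {h: classify_domain(sender_domain(h), trusted) for h in from_headers}


# Constructed From: headers. The display name on the third one matches the real CEO's,
# which is the spear-phishing pattern: only the domain gives it away.
SAMPLE_FROM_HEADERS = [
    "Alice Chen (CEO) <alice@example.com>",
    "payroll@mail.example.com",
    "Alice Chen (CEO) <alice@examp1e.com>",
    "it-support@exarnple.com",
    "hr@exampel.com",
    "security@example.com.account-verify.net",
    "newsletter@gmail.com",
]


if __name__ == "__main__":
    for header, verdict in triage_senders(SAMPLE_FROM_HEADERS, ["example.com"]).items():
        print(f"{verdict:<60} {header}")
```

The check compares only the domain part of the address; a production filter would also verify SPF/DKIM alignment, since a display name is free text and proves nothing. The edit-distance threshold of 2 is a trade-off: it catches transpositions and single dropped letters but will also flag some unrelated short domains, which is acceptable for a triage queue but not for automatic blocking.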

Shimming#

Application compatibility shims (on Windows, entries in a shim database) sit between an application and the operating system; an attacker can use a malicious shim to intercept the application's calls and inject code or patches.

Refactoring#

In this context, modifying an application's (or driver's) code without changing its underlying functionality, so that a known-malicious program no longer matches signature-based detection.

IP/MAC Spoofing#

Masquerading as another host by using its IP or MAC address as the source of the traffic you send.

Wireless Attacks#

Replay Attacks#

Sniffing the wireless network to capture packets, then (possibly after modifying them) transmitting them again over the air.

IV Attack#

Initialization Vector attack. Older, weaker encryption used short IVs (WEP's is 24 bits) that repeat fairly quickly on a busy network; a repeated IV under the same key produces the same keystream, and collecting enough such packets allows an attacker to recover the key and gain access. This is how WEP networks are cracked.

Rogue Access Points#

An unauthorised access point that can be used to obtain sensitive information from the clients that connect to it. An evil twin is a rogue access point that uses the same SSID as a legitimate AP so that clients connect to it by mistake.

WPS Attack#

Wi-Fi Protected Setup offers an easy push-button or PIN connection option. However the PIN is 8 digits of which the last is a checksum, and the access point validates it in two halves, so an attacker needs only about 11,000 guesses rather than 10^8; the PIN can be brute-forced in a matter of hours.

Bluejacking#

The sending of unsolicited messages or data to a victim's device, for example a vCard containing a message, over the Bluetooth OBEX (OBject EXchange) protocol.

Bluesnarfing#

Unauthorised access to and theft of data (contacts, calendar, messages) from a victim's Bluetooth device.

NFC#

Near Field Communication can be used to steal data from, or interact with, a device that is within a few centimetres of the attacker's reader.

Disassociation#

An attacker can create a DoS scenario by sending spoofed disassociation (or deauthentication) frames, causing hosts to disconnect from the access point; 802.11 management frames are unauthenticated unless Protected Management Frames (802.11w) are in use, so they are trivial to forge.

Cryptographic Attacks#

Brute Force#

Attempting to defeat encryption or authentication by trying every possible password, passphrase or key.

Dictionary Attack#

Using words from a dictionary or another defined set of likely candidates rather than every possible combination.

Birthday Attack#

A brute force attack that exploits the birthday paradox: finding any two inputs with the same hash output takes roughly 2^(n/2) attempts for an n-bit hash, far fewer than the 2^n expected for matching one specific output.

Rainbow Tables#

Precomputed tables of cryptographic hashes (with a time/memory trade-off to keep them compact) used to look up a password from its hash without doing any hashing at crack time; salting defeats them, since every salt value would need its own table.

Online vs. Offline#

Online attacks submit each guess to the live service, which can rate-limit, lock the account or raise an alert after a few failures; offline attacks run against a stolen hash or captured ciphertext on the attacker's own hardware, so they are limited only by the attacker's compute and the strength of the hashing scheme.

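Added example (not from the original notes) covering brute force, dictionary attacks, rainbow-style lookup tables and the online/offline distinction in one place: an unsalted MD5 store falls to a precomputed table, a salted PBKDF2 store forces per-guess recomputation, and an online login with lockout stops the same wordlist after five tries. The wordlist, the iteration count and the login service are constructed.

```python
import hashlib
import hmac
import os

# Constructed wordlist standing in for a real one.
WORDLIST = ["password", "letmein", "qwerty", "summer2024", "hunter2", "dragon"]
PBKDF2_ITERATIONS = 20_000  # kept low so the demo runs quickly; real deployments use far more


# ---- Unsalted fast hash: one precomputed table cracks every user ----

def unsalted_md5(password: str) -> str:
    return hashlib.md5(password.encode()).hexdigest()


def build_lookup_table(words: list) -> dict:
    """Precompute hash -> word once. A rainbow table is a space-optimised form of the same
    idea; the crack step is identical: a lookup, no hashing."""
    return {unsalted_md5(w): w for w in words}


def crack_with_table(digest: str, table: dict):
    return table.get(digest)


# ---- Salted slow hash: the table is useless, every guess must be recomputed per user ----

def salted_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def offline_dictionary_attack(target: bytes, salt: bytes, words: list) -> tuple:
    """Offline attack on a stolen (salt, hash) pair: unlimited guesses, bounded only by compute.
    Returns (word or None, guesses made)."""
    for n, w in enumerate(words, 1):
        if hmac.compare_digest(salted_hash(w, salt), target):
            return w, n
    return None, len(words)


# ---- Online attack: every guess goes through the live service, which can push back ----

class OnlineLogin:
    """Constructed login service that locks the account after too many failures."""

    def __init__(self, username: str, password: str, max_failures: int = 5):
        self.username = username
        self.salt = os.urandom(16)
        self.stored = salted_hash(password, self.salt)
        self.max_failures = max_failures
        self.failures = 0
        self.locked = False

    def attempt(self, password: str) -> bool:
        if self.locked:
            return False
        if hmac.compare_digest(salted_hash(password, self.salt), self.stored):
            return True
        self.failures += 1
        if self.failures >= self.max_failures:
            self.locked = True
        return False


def online_dictionary_attack(service: OnlineLogin, words: list) -> tuple:
    """Same wordlist, but each guess is an authentication attempt the defender can see and limit."""
    for n, w in enumerate(words, 1):
        if service.attempt(w):
            return w, n
        if service.locked:
            return None, n
    return None, len(words)


if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    print("table lookup:", crack_with_table(unsalted_md5("letmein"), table))
    salt = os.urandom(16)
    print("offline salted:", offline_dictionary_attack(salted_hash("hunter2", salt), salt, WORDLIST))
    print("online with lockout:", online_dictionary_attack(OnlineLogin("bob", "dragon"), WORDLIST))
```

The offline attack still succeeds against a weak password; the salt and the slow hash only raise the cost per guess, so the real defence for the user is a password that is not in any wordlist. Lockout turns the online case into a denial of service risk against the legitimate user, which is why services usually combine it with throttling and alerting rather than a hard lock alone.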
Collision Attack#

An attack that finds two different inputs that produce the same hash output, which undermines the hash's use for signatures and integrity checks.
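
An added example (not from the original notes) that serves both the Birthday Attack and Collision Attack sections: a brute-force search for any collision on a truncated SHA-256 output, compared with the search for a specific preimage. Truncating to 32 and 16 bits is an assumption made so that the search finishes in seconds; the scaling is the point.

```python
import hashlib


def truncated_hash(data: bytes, nbits: int) -> int:
    """Top nbits of SHA-256, standing in for a short hash. Truncation only makes the search
    fast enough to watch; the same argument applies to a full-width hash."""
    digest = hashlib.sha256(data).digest()
    return int.from_bytes(digest, "big") >> (256 - nbits)


def find_collision(nbits: int, label: str = "msg") -> tuple:
    """Birthday attack: hash distinct candidate messages until any two share an output.
    Expected work is about 2**(nbits/2) hashes. Returns (msg_a, msg_b, hashes_computed)."""
    seen = {}
    i = 0
    while True:
        msg = f"{label}-{i}".encode()
        h = truncated_hash(msg, nbits)
        if h in seen:
            return seen[h], msg, i + 1
        seen[h] = msg
        i += 1


def find_preimage(target: int, nbits: int, label: str = "guess") -> tuple:
    """Preimage search: must hit one specific output. Expected work is about 2**nbits hashes,
    so doubling the width multiplies the cost by 2**nbits rather than 2**(nbits/2)."""
    i = 0
    while True:
        msg = f"{label}-{i}".encode()
        if truncated_hash(msg, nbits) == target:
            return msg, i + 1
        i += 1


def birthday_demo() -> dict:
    # A 32-bit collision and a 16-bit preimage both cost on the order of 2**16 hashes.
    a, b, collision_work = find_collision(32)
    target = truncated_hash(b"document-to-forge", 16)
    preimage, preimage_work = find_preimage(target, 16)
    return {
        "collision_pair": (a, b),
        "collision_32bit_work": collision_work,
        "preimage_16bit_work": preimage_work,
        "preimage": preimage,
    }


if __name__ == "__main__":
    d = birthday_demo()
    print("32-bit collision after", d["collision_32bit_work"], "hashes:", d["collision_pair"])
    print("16-bit preimage after", d["preimage_16bit_work"], "hashes:", d["preimage"])
```

This is why a hash used for signatures needs twice the output length you would expect from the preimage cost alone: a 128-bit hash like MD5 offers at most 64-bit collision resistance even before its structural weaknesses are considered. The attack scenario is an attacker who prepares two documents with the same hash, gets one signed, and presents the other.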

Downgrade Attack#

Forcing a system to negotiate a lower-quality protocol version or cipher than it supports (for example an older TLS version), typically possible where support for legacy systems has been left enabled.

Known plaintext / ciphertext#

If both the plaintext and its ciphertext are known, the pair can be used to recover the key or to find weaknesses in the cipher; against a hash, a known input/output pair lets an attacker verify guesses of the input rather than reverse the algorithm.
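
An added example (not from the original notes) serving the IV Attack section under Wireless Attacks and this known plaintext section: a WEP-style construction (RC4 keyed with IV || root key) in which a repeated IV gives two packets the same keystream. XORing the ciphertexts cancels the keystream, and the LLC/SNAP header that starts every WEP data frame supplies known plaintext that recovers keystream bytes, which then decrypt the other packet. The root key, IV and payloads are constructed; this shows the keystream-reuse consequence, not the statistical key-recovery attacks (FMS/PTW) that cracking tools use against WEP.

```python
def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4 (KSA + PRGA). WEP used RC4 with a per-packet key of IV || root key."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncated to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def wep_style_encrypt(root_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Frame body = IV (sent in the clear, 3 bytes in WEP) || plaintext XOR RC4(IV || key)."""
    assert len(iv) == 3
    return iv + xor(rc4_keystream(iv + root_key, len(plaintext)), plaintext)


def iv_reuse_demo() -> dict:
    root_key = b"\x13\x37\xc0\xff\xee"  # constructed 40-bit WEP-style key
    iv = b"\x00\x00\x01"               # only 2**24 IVs exist, so repeats arrive within hours

    # WEP data frames begin with a fixed LLC/SNAP header, so the first bytes of every
    # packet's plaintext are known to the attacker before any decryption.
    known_prefix = b"\xaa\xaa\x03\x00\x00\x00\x08\x00"
    p1 = known_prefix + b"GET /login HTTP/1.1\r\n"
    p2 = known_prefix + b"user=alice&pw=secret1"   # same length as p1 to keep the demo simple
    c1 = wep_style_encrypt(root_key, iv, p1)
    c2 = wep_style_encrypt(root_key, iv, p2)
    body1, body2 = c1[3:], c2[3:]

    # 1. Same IV and key => same keystream. XORing the two ciphertexts cancels it and leaves
    #    the XOR of the two plaintexts, with no knowledge of the key at all.
    plaintext_xor = xor(body1, body2)

    # 2. Known plaintext: the header bytes alone reveal 8 keystream bytes, which decrypt the
    #    same positions of every other packet sent under this IV.
    keystream_from_header = xor(body1[:len(known_prefix)], known_prefix)
    p2_header = xor(keystream_from_header, body2[:len(known_prefix)])

    # 3. If the attacker knows all of p1 (for example it was their own traffic), the whole
    #    keystream for this IV falls out and p2 is recovered in full.
    keystream = xor(body1, p1)
    recovered_p2 = xor(keystream, body2)

    return {
        "plaintext_xor_matches": plaintext_xor == xor(p1, p2),
        "p2_header_recovered": p2_header == known_prefix,
        "recovered_p2": recovered_p2,
        "expected_p2": p2,
    }


if __name__ == "__main__":
    d = iv_reuse_demo()
    print("ciphertext XOR equals plaintext XOR:", d["plaintext_xor_matches"])
    print("recovered second packet:", d["recovered_p2"])
```

Two things make this practical against WEP specifically: the IV is sent in the clear, so the attacker can see exactly which packets share a keystream, and the 24-bit IV space guarantees repeats on any busy network. A modern design avoids both problems with a 96-bit or larger nonce that the sender is required never to reuse under the same key.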

Weak Implementations#

Cryptography is only as strong as its weakest link

  • Don't use weak or deprecated algorithms such as MD5 or SHA-1 for hashing, or home-grown constructions in place of reviewed ones
  • Use NIST-approved algorithms such as AES for encryption (NIST Special Publication 800-57 Part 1: Recommendation for Key Management). TDEA (Triple DES) is also listed there but has since been deprecated by NIST (SP 800-131A Rev. 2) and is disallowed for encryption after 2023, so prefer AES for new systems