CHAPTER 5 ATTACKS


1. COMMON TYPE OF ATTACK:

1.1. SMURF

1.1.1. What is SMURF?

1.1.1.1. Smurf is a network-layer distributed denial of service (DDoS) attack. The attacker sends ICMP echo requests (pings) to the broadcast address of an intermediary network with the source address forged to the victim's IP; every host on that network answers the victim, so one spoofed packet is amplified into one reply per host. The name was taken from the original smurf exploit program; the same technique is packaged in the DDoS.Smurf malware family that automates its execution.

1.1.2. Smurf Countermeasure:

1.1.2.1. 1. To prevent a Smurf attack, disable directed broadcast on the external router and firewall so that packets addressed to a subnet's broadcast address are not forwarded onto that subnet (on Cisco IOS this is the per-interface command no ip directed-broadcast).

1.1.2.2. 2. Most older routers default to allowing directed broadcast; check the setting rather than assuming the default.

1.1.2.3. 3. IP directed broadcast should be disabled on all routers and interfaces that do not need it. In addition, configure hosts not to answer ICMP echo requests sent to a broadcast address (on Linux, net.ipv4.icmp_echo_ignore_broadcasts = 1), and apply ingress filtering (BCP 38) at the network edge so that packets carrying a spoofed source address never leave the attacker's network.

1.1.3. Why is it called Smurf?

1.1.3.1. 1. A Smurf attack is an exploitation of Internet Protocol (IP) broadcast addressing to create a denial of service; the name is usually explained as many small hosts (the "smurfs") ganging up on a single victim.

1.1.3.2. 2. The attacker uses a program called smurf (the original exploit tool) to flood the attacked part of a network until it becomes inoperable.

1.2. DOS/DDOS

1.2.1. What DOS/DDOS?

1.2.1.1. A denial of service (DoS) attack makes a service, or the entire system, unavailable to legitimate users, typically by keeping it busy responding to an exorbitant number of requests or by exhausting bandwidth, memory or connection tables. A distributed denial of service (DDoS) attack produces the same effect from many sources at once, usually a botnet, which makes it much harder to filter by source address. A DoS attack is usually an attack of last resort: it disrupts the target but gives the attacker no access to it.

1.2.2. DOS/DDOS Countermeasure:

1.2.2.1. 1. Network-ingress filtering: drop packets whose source address could not legitimately originate on the interface they arrive on (BCP 38), which blocks spoofed-source floods.

1.2.2.2. 2. Rate-limiting network traffic: cap the number of packets, connections or requests per source or per service so a flood cannot consume all capacity.

1.2.2.3. 3. Host-auditing tools: check hosts for attack agents (zombies) and for the resource exhaustion that signals an attack in progress.

1.2.2.4. 4. Network-auditing tools: look for flood traffic and for hosts participating in it.

1.2.2.5. 5. Automated network-tracing tools: trace flood traffic back across routers toward its source, which is needed when source addresses are spoofed.
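The two edge-router checks named above for Smurf (disabling directed broadcast) and for DoS in general (network-ingress filtering) are simulated below over a handful of constructed packets. This is an added example and not code from the original page; the prefixes, addresses and packets are mine (RFC 5737 documentation ranges), and the filter functions stand in for router configuration rather than for any vendor's implementation.

```python
"""Edge-router checks against Smurf-style amplification.

Added example, not code from the original page. The packets, prefixes and
addresses below are constructed (RFC 5737 documentation ranges)."""
import ipaddress

# Assumed topology: CUSTOMER_PREFIX sits behind the edge router (packets from
# it should only ever carry source addresses inside it); CONNECTED_NETWORKS
# are the LANs whose broadcast address a Smurf attacker would target.
CUSTOMER_PREFIX = ipaddress.ip_network("203.0.113.0/24")
CONNECTED_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]

# Constructed packets: (source, destination, protocol, icmp_type or None).
PACKETS = [
    ("203.0.113.7", "198.51.100.20", "icmp", 8),    # ordinary ping, legitimate source
    ("192.0.2.10", "198.51.100.255", "icmp", 8),    # source forged to the victim, aimed at the broadcast address
    ("203.0.113.7", "198.51.100.255", "icmp", 8),   # real source, but still a directed broadcast
    ("203.0.113.9", "198.51.100.20", "tcp", None),  # unrelated TCP traffic
]


def ingress_filter(packets, customer_prefix):
    """BCP 38 source-address validation at the customer-facing interface.

    A packet whose source address is not inside the prefix assigned to that
    interface must be spoofed, so it is dropped before it can reach an
    amplifier network carrying the victim's address."""
    passed, dropped = [], []
    for pkt in packets:
        src = ipaddress.ip_address(pkt[0])
        (passed if src in customer_prefix else dropped).append(pkt)
    return passed, dropped


def directed_broadcast_filter(packets, connected_networks):
    """Equivalent of disabling IP directed broadcast on every interface.

    Packets addressed to the broadcast address of a directly connected
    network are not forwarded onto it, so one packet can no longer turn
    into one reply per host."""
    broadcast_addresses = {net.broadcast_address for net in connected_networks}
    passed, dropped = [], []
    for pkt in packets:
        dst = ipaddress.ip_address(pkt[1])
        (dropped if dst in broadcast_addresses else passed).append(pkt)
    return passed, dropped


def forward(packets, customer_prefix=CUSTOMER_PREFIX, connected=CONNECTED_NETWORKS):
    """Run both checks in the order a router applies them and report the outcome."""
    after_ingress, spoofed = ingress_filter(packets, customer_prefix)
    delivered, broadcast = directed_broadcast_filter(after_ingress, connected)
    return {"delivered": delivered, "spoofed": spoofed, "directed_broadcast": broadcast}


def amplification_factor(network):
    """Replies one broadcast ping can trigger: every usable host on the subnet."""
    return network.num_addresses - 2


if __name__ == "__main__":
    for verdict, pkts in forward(PACKETS).items():
        for pkt in pkts:
            print(f"{verdict:18} {pkt[0]:>14} -> {pkt[1]:<16} {pkt[2]}")
    print("max replies per spoofed ping on 198.51.100.0/24:",
          amplification_factor(CONNECTED_NETWORKS[0]))
```

The ingress filter is what stops the attack at its origin (the forged victim address never leaves the customer network); the directed-broadcast filter is what stops the amplifier from being used. Both are needed, because each one is configured by a different network operator.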

1.3. BOTs/BOTNETs

1.3.1. What is BOTs/BOTNETs

1.3.1.1. A bot (short for web robot) is an automated software program that acts on its own. In the attack context it is a compromised host running malware that takes orders from an attacker, and a botnet is a network of such hosts under common command and control (C2), used for DDoS floods, spam and credential theft.

1.3.2. How Do Botnets Work?

1.3.2.1. Malware infects a host (through a Trojan, a worm exploiting a vulnerability, or a drive-by download), and the infected host then contacts the attacker's command-and-control (C2) infrastructure, over IRC, HTTP or a peer-to-peer protocol, to receive commands. Botnets have been one of the most common methods of malware deployment for the past decade, infecting hundreds of millions of computers. As botnets infect new technologies, such as Internet of Things (IoT) devices in homes, public spaces and secure areas, compromised systems can put even more unsuspecting users at risk.

1.3.3. BOTs/BOTNETs countermeasure:

1.3.3.1. 1. Run an open-source honeypot. A honeypot is a system left open to intentionally let an attacker penetrate and infect it, so the bot malware and its C2 addresses can be captured and studied.

1.3.3.2. 2. Make them pay. It costs money to run a botnet, so a group of security researchers have proposed discouraging attacks by making them more expensive.

1.3.3.3. 3. On the defending side, block or sinkhole known C2 domains and addresses, keep systems patched so the bot cannot be installed through a known vulnerability, and run anti-malware to detect the agent on hosts that are already infected.

1.4. SYN FLOOD

1.4.1. What is SYN FLOOD?

1.4.1.1. A SYN flood is a form of denial-of-service attack in which an attacker sends a succession of TCP SYN requests, usually with spoofed source addresses, to a target system. The server answers each with a SYN-ACK and allocates a half-open connection while it waits for the final ACK, which never arrives; once the backlog of half-open connections is full, the system no longer accepts connections from legitimate clients.

1.4.2. SYN Flood Countermeasure (the mitigations catalogued in RFC 4987):

1.4.2.1. 1. Filtering: drop SYNs from spoofed or known-bad sources at a firewall or upstream filter.

1.4.2.2. 2. Increasing the backlog: enlarge the half-open connection table so it takes more packets to fill.

1.4.2.3. 3. Reducing the SYN-RECEIVED timer: expire half-open connections sooner.

1.4.2.4. 4. Recycling the oldest half-open TCP connection: when the backlog is full, evict the oldest entry instead of refusing the new SYN.

1.4.2.5. 5. SYN cache: keep only a minimal record per half-open connection instead of a full connection block.

1.4.2.6. 6. SYN cookies: keep no state at all; encode the connection parameters into the initial sequence number of the SYN-ACK and rebuild the connection only when a valid ACK returns.

1.4.2.7. 7. Hybrid approaches: use a SYN cache normally and switch to SYN cookies once the cache fills.

1.4.2.8. 8. Firewalls and proxies: terminate the handshake on a device in front of the server so only completed connections reach it.
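SYN cookies are the one countermeasure in the list that needs no per-connection memory, which is why they are worth seeing in working form. The block below is an added example, not code from the original page and not the exact formula any kernel uses; it keeps the idea of the Linux layout (a 5-bit time counter, a 3-bit MSS index and a 24-bit keyed hash packed into the 32-bit initial sequence number) with a constructed secret, constructed addresses and a constructed clock.

```python
"""Simplified SYN cookie: a stateless defence against SYN floods.

Added example, not code from the original page and not the exact Linux
formula; the cookie layout (5-bit time counter, 3-bit MSS index, 24-bit
keyed hash) follows the same idea. Addresses, ports, SECRET and the clock
values are constructed."""
import hashlib
import hmac

# MSS values the 3-bit field can encode; index 0 is the safe fallback.
MSS_TABLE = (536, 1300, 1440, 1460)
SECRET = b"constructed-demo-secret-rotate-in-production"
TICK_SECONDS = 64          # the 5-bit counter advances every 64 s
MAX_AGE_TICKS = 2          # an ACK older than this is rejected


def _keyed_hash(secret, saddr, daddr, sport, dport, t):
    """24-bit keyed hash binding the cookie to this 4-tuple and time slot."""
    msg = f"{saddr}|{daddr}|{sport}|{dport}|{t}".encode()
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def make_syn_cookie(saddr, daddr, sport, dport, client_mss, now, secret=SECRET):
    """Initial sequence number the server puts in its SYN-ACK.

    Nothing about the connection is stored; everything needed to rebuild it
    is inside the 32-bit number itself."""
    t = (now // TICK_SECONDS) & 0x1F
    fitting = [i for i, mss in enumerate(MSS_TABLE) if mss <= client_mss]
    mss_idx = fitting[-1] if fitting else 0
    h = _keyed_hash(secret, saddr, daddr, sport, dport, t)
    return ((t << 27) | (mss_idx << 24) | h) & 0xFFFFFFFF


def check_syn_cookie(saddr, daddr, sport, dport, ack_num, now, secret=SECRET):
    """Validate the ACK that completes the handshake.

    Returns the negotiated MSS if the cookie is genuine and fresh, otherwise
    None (stale, forged, or replayed against a different 4-tuple)."""
    cookie = (ack_num - 1) & 0xFFFFFFFF          # the ACK acknowledges ISN + 1
    t = cookie >> 27
    mss_idx = (cookie >> 24) & 0x7
    h = cookie & 0xFFFFFF
    current = (now // TICK_SECONDS) & 0x1F
    if (current - t) & 0x1F > MAX_AGE_TICKS:
        return None
    if mss_idx >= len(MSS_TABLE):
        return None
    expected = _keyed_hash(secret, saddr, daddr, sport, dport, t)
    if not hmac.compare_digest(h.to_bytes(3, "big"), expected.to_bytes(3, "big")):
        return None
    return MSS_TABLE[mss_idx]


def handshake_demo():
    """One legitimate handshake and three bogus ACKs against the same cookie."""
    client, server, sport, dport = "198.51.100.5", "203.0.113.10", 40000, 80
    now = 1_700_000_000
    isn = make_syn_cookie(client, server, sport, dport, 1460, now)   # SYN-ACK sent, no state kept
    return {
        "legit": check_syn_cookie(client, server, sport, dport, isn + 1, now + 3),
        "forged_ack": check_syn_cookie(client, server, sport, dport, isn + 1 + 12345, now + 3),
        "stale_ack": check_syn_cookie(client, server, sport, dport, isn + 1, now + TICK_SECONDS * 5),
        "other_port": check_syn_cookie(client, server, sport + 1, dport, isn + 1, now + 3),
    }


if __name__ == "__main__":
    print(handshake_demo())
```

The price of statelessness is visible in the code: only a handful of MSS values survive the round trip, and an ACK that arrives after the time window is rejected even if it is genuine, which is why real stacks enable cookies only once the backlog is full (the hybrid approach above).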

1.5. SESSION HIJACKING

1.5.1. What is SESSION HIJACKING?

1.5.1.1. Session hijacking is when a hacker takes control of a user session after the user has successfully authenticated with a server.

1.5.2. Session Hijacking Countermeasure:

1.5.2.1. 1. Use encrypted session negotiation, so the session identifier is never exposed in cleartext when it is issued.

1.5.2.2. 2. Use encrypted communication channels (TLS) for the whole session, not only the login, so the identifier cannot be sniffed later.

1.5.2.3. 3. Stay informed of platform patches that fix TCP/IP vulnerabilities, such as predictable packet sequence numbers.

1.5.2.4. 4. At the application layer, use long random session identifiers, issue a new identifier after login, mark session cookies Secure and HttpOnly, and expire sessions on logout and after inactivity.

2. MALWARE ATTACK:

2.1. TROJAN HORSE

2.1.1. What is Trojan Horse?:

2.1.1.1. In computing, a Trojan horse, or Trojan, is any malicious computer program which misleads users of its true intent.

2.1.2. Type of trojan horse:

2.1.2.1. 1. Trojan-Downloader: a Trojan that downloads and installs other malware once it is running on the victim.

2.1.2.2. 2. Trojan-Dropper: a program that carries other malware inside itself and installs it. Droppers are built to evade antivirus detection, which is why they are used to deliver the real payload.

2.1.2.3. 3. Ransomware - It is a type of Trojan (Trojan - ransom) that can encrypt the data on your computer/device. The cyber criminals who control this ransomware would demand a ransom for providing the decryption key. It is very difficult to recover the data without the decryption key.

2.1.2.4. 4. Trojan-Banker malware programs steal account-related information related to card payments and online banking.

2.1.2.5. 5. Trojan-Rootkits prevent detection of malware and malicious activities on the computer. These are sophisticated malware that provides control of the victim's device. Rootkits are also used to enroll the victim's device as part of a botnet.

2.1.2.6. 6. Trojan-Backdoor is a popular type of Trojan. It creates a backdoor that allows cyber criminals to access the computer later from a remote location through a remote access tool (RAT). As this Trojan provides complete control over the computer, it is a dangerous but commonly used Trojan.

2.1.3. The effect of trojan horse:

2.1.3.1. When a Trojan is activated on your computer, the results can vary. Some Trojans are designed to be more annoying than malicious (like changing your desktop, adding silly active desktop icons) or they can cause serious damage by deleting files and destroying information on your system. Trojans are also known to create a backdoor on your computer that gives malicious users access to your system, possibly allowing confidential or personal information to be compromised.

2.1.4. Countermeasure:

2.1.4.1. 1. Remain vigilant: do not open attachments or run downloads from untrusted sources, because a Trojan relies on the user to execute it.

2.1.4.2. 2. Ensure that your operating system is always up-to-date.

2.1.4.3. 3. Install reliable anti-virus software.

2.1.4.4. 4. Consider installing a firewall.

2.2. VIRUS

2.2.1. What is Virus?:

2.2.1.1. A virus is a program that attempts to damage a computer system and replicates itself to other computer systems by attaching itself to a host program or file; unlike a worm, it needs that host to run and spread.

2.2.2. Type of Virus:

2.2.2.1. 1. File Infectors

2.2.2.2. 2. Encrypted Virus

2.2.2.3. 3. Polymorphic Virus

2.2.2.4. 4. Overwrite Virus

2.2.2.5. 5. Boot Virus

2.2.2.6. 6. Directory Virus

2.2.2.7. 7. Script viruses (example: ILOVEYOU, a VBScript worm from 2000 that spread through e-mail)

2.2.3. What virus can do?:

2.2.3.1. 1. Requires a host to replicate and usually attaches itself to a host file or a hard drive sector.

2.2.3.2. 2. Replicates each time the host is used.

2.2.3.3. 3. Often focuses on destruction or corruption of data.

2.2.3.4. 4. Usually attaches to files that can execute code, such as .exe and .bat programs and .doc documents with macros.

2.2.3.5. 5. Often distributes via e-mail. Many viruses can e-mail themselves to everyone in your address book.

2.2.4. Countermeasure:

2.2.4.1. 1. Install an antivirus program: it can scan your system and disinfect it if a virus infection has happened, and it should be kept updated so it recognizes new variants.

2.2.4.2. 2. Use a firewall: either hardware or software; the one preinstalled in your system only needs to be enabled. It makes sure there is no unauthorized network access to your files.

2.2.4.3. 3. Isolate affected drives: if a hard drive is already infected, disconnect it from the network and from other drives, scan it and then repair it.

2.3. WORM

2.3.1. What is Worm?:

2.3.1.1. A worm is a self-replicating program that can be designed to do any number of things, such as delete files or send documents via e-mail. A worm can negatively impact network traffic just in the process of replicating itself.

2.3.2. Examples of worms:

2.3.2.1. 1. Code Red (2001, spread through a buffer overflow in Microsoft IIS)

2.3.2.2. 2. Daprosy Worm

2.3.2.3. 3. W32.Alcra.F

2.3.3. What worm can do?:

2.3.3.1. 1. Can install a backdoor in the infected computer.

2.3.3.2. 2. Is usually introduced into the system through a vulnerability.

2.3.3.3. 3. Infects one system and spreads to other systems on the network.

2.3.4. Countermeasure:

2.3.4.1. 1. Keep the computers’ operating system and software up-to-date with vendor-issued security releases. These updates often contain security patches designed to protect computers from newly discovered worms.

2.3.4.2. 2. Avoid opening emails that you don’t recognize or expect, as many computer worms spread via email.

2.3.4.3. 3. Run a firewall and antivirus software to be further protected from computer worms. Software firewalls will keep the computer protected from unauthorized access. Choose an antivirus program that includes download scanning functionality (to detect malicious content in email and web downloads) as well as malware removal tools.

2.4. BACKDOORS

2.4.1. What is Backdoor?:

2.4.1.1. A backdoor is a malware type that bypasses normal authentication procedures to access a system. As a result, remote access is granted to resources within an application, such as databases and file servers, giving perpetrators the ability to remotely issue system commands and update malware.

2.4.2. What backdoor can do?:

2.4.2.1. 1. Unaware PC users can accidentally install typical backdoors on their computers. They come attached to e-mail messages or through file-sharing programs; their authors give them innocuous names and trick users into opening or executing such files.

2.4.2.2. 2. Some backdoors infect a computer by exploiting software vulnerabilities. They work similarly to worms and spread automatically without user knowledge; the user notices nothing, as such threats display no setup wizards, dialogs or warnings.

2.4.2.3. 3. Several backdoors are built into particular applications. Even legitimate programs may have undocumented remote access features. The attacker only needs to reach a computer with such software installed to get full unauthorized access to the system or take control of that software.

2.4.2.4. 4. Backdoors are often installed by other parasites such as viruses, Trojans or spyware. They enter the system without the user's knowledge or consent and affect every user of the compromised computer. Some are installed manually by malicious users who have sufficient privileges to install software. A small share of backdoors spread by exploiting remote systems with security vulnerabilities.

2.4.3. Examples of backdoors

2.4.3.1. 1. FinSpy

2.4.3.2. 2.Tixanbot

2.4.3.3. 3. Briba

2.4.4. Effect of backdoors:

2.4.4.1. 1. Allows the intruder to create, delete, rename, copy or edit any file, execute various commands, change any system settings, alter the Windows registry, run, control and terminate applications, install other software and parasites.

2.4.4.2. 2. Allows the attacker to control computer hardware devices, modify related settings, shutdown or restart a computer without asking for permission.

2.4.4.3. 3. Steals sensitive personal information, valuable documents, passwords, login names, identity details, logs user activity and tracks web browsing habits.

2.4.4.4. 4. Infects files, corrupts installed applications and damages the entire system.

2.4.5. Countermeasure:

2.4.5.1. 1. Auditing: review accounts, listening services, scheduled tasks and startup items for entries nobody can account for.

2.4.5.2. 2. Anti-virus and malware code scanning

2.4.5.3. 3. For malicious user-installed backdoors, use access control management and controlled software deployment.

2.4.5.4. 4. For developer-installed backdoors, disable them, change the default credentials, or block access to them at the firewall.

3. WEB ATTACK

3.1. WEB APPLICATION VULNERABILITIES AND THE COUNTERMEASURE

3.1.1. SQL INJECTION

3.1.1.1. What is SQL INJECTION?

3.1.1.1.1. SQL injection is a code injection technique, used to attack data-driven applications, in which attacker-controlled input is placed into an SQL query without separating code from data, so the input is executed as part of the query.

3.1.1.2. Test for SQL vulnerabilities:

3.1.1.2.1. 1. Blah' or 1=1--

3.1.1.2.2. 2. Login: blah' or 1=1--

3.1.1.2.3. 3. Password: blah' or 1=1--

3.1.1.2.4. 4. id=blah' or 1=1--

3.1.1.2.5. Each probe works the same way: the single quote closes the string literal the application opened, or 1=1 makes the WHERE clause true for every row, and -- comments out the rest of the original query (including the password check). A form that accepts any of these, or that returns a database error for a lone quote, is injectable.

3.1.1.3. SQL INJECTION Vulnerabilities:

3.1.1.3.1. 1. Nefarious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker).

3.1.1.3.2. 2. Poor coding practices.

3.1.1.3.3. 3. Unpatched system.

3.1.1.3.4. 4. Blank or default password on the database administrator (SA) account

3.1.1.4. SQL INJECTION Countermeasure:

3.1.1.4.1. 1. Minimize the privileges of the application's database connection and enforce strong passwords for the SA and Administrator accounts.

3.1.1.4.2. 2. Disable verbose or explanatory error messages so no more information than necessary is sent to the attacker (such information can reveal the database type and whether the query is injectable).

3.1.1.4.3. 3. Reject known bad input, but only as a secondary defense: blacklists are bypassed with encoding and comments.

3.1.1.4.4. 4. Check input bounds and types (for example, a numeric id must be an integer).

3.1.1.4.5. 5. Use parameterized queries (prepared statements), or an ORM that issues them, so user input is always passed as data and never concatenated into the query text. This is the primary defense; the others only reduce the impact.
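The probe strings and countermeasures above are easiest to understand side by side in a login function. The block below is an added example, not code from the original page: it builds a constructed in-memory SQLite table, runs the page's own probe (blah' or 1=1--) against a concatenated query and against a parameterized one, and shows the lone-quote error test and the generic-error wrapper. The password hashing is a placeholder for the demo only.

```python
"""Login query: string concatenation versus parameterized query.

Added example, not code from the original page; uses the page's own probe
string (blah' or 1=1--) against a constructed in-memory SQLite table."""
import hashlib
import sqlite3


def password_hash(password):
    """Placeholder hash for the demo; a real application uses a slow KDF such as bcrypt or Argon2."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_db():
    """Constructed users table with two accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", password_hash("correct horse battery"), "admin"),
         ("bob", password_hash("hunter2"), "user")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """The injectable version: user input is pasted into the SQL text.

    With username = "blah' or 1=1--" the query becomes
        SELECT ... WHERE username = 'blah' or 1=1--' AND password_hash = '...'
    so the password check is commented out and the first matching row is returned."""
    sql = (f"SELECT username, role FROM users WHERE username = '{username}' "
           f"AND password_hash = '{password_hash(password)}'")
    return conn.execute(sql).fetchone()


def login_safe(conn, username, password):
    """Parameterized version: the driver sends the input as data, never as SQL."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password_hash = ?"
    return conn.execute(sql, (username, password_hash(password))).fetchone()


def is_injectable(conn, login_fn):
    """Probe like a tester: a lone quote that triggers a database error means
    the input reached the SQL parser."""
    try:
        login_fn(conn, "'", "x")
    except sqlite3.Error:
        return True
    return False


def login_with_generic_errors(conn, username, password):
    """Countermeasure 2: never return the database's own error text to the client."""
    try:
        return login_safe(conn, username, password)
    except sqlite3.Error:
        return None   # log the real error server-side; the client sees only a failed login


if __name__ == "__main__":
    db = build_db()
    probe = "blah' or 1=1--"
    print("vulnerable:", login_vulnerable(db, probe, "anything"))
    print("safe:      ", login_safe(db, probe, "anything"))
    print("bob:       ", login_safe(db, "bob", "hunter2"))
    print("injectable:", is_injectable(db, login_vulnerable), is_injectable(db, login_safe))
```

Hashing the password before it reaches the query is not a defense against injection (the username field is still injectable); only the placeholder in login_safe is. The least-privilege countermeasure is not visible in SQLite, which has no accounts; on a server database the application's login would be granted SELECT on the users table and nothing else.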

3.1.2. COMMAND INJECTION

3.1.2.1. What is COMMAND INJECTION?

3.1.2.1.1. Command injection is an attack in which the goal is execution of arbitrary commands on the host operating system via a vulnerable application.

3.1.2.2. COMMAND INJECTION Vulnerabilities:

3.1.2.2.1. The attacker-supplied operating system commands are usually executed with the privileges of the vulnerable application. Command injection attacks are possible largely due to insufficient input validation.

3.1.2.3. Example of COMMAND INJECTION Vulnerability:

3.1.2.3.1. 1. ping -c 5 127.0.0.1 (the command the application intends to run; the host is the user-supplied part)

3.1.2.3.2. 2. ping -c 5 127.0.0.1; id (the semicolon ends the ping command, so the shell runs id as a second command)

3.1.2.3.3. 3. ping -c 5 "$(id)" (command substitution: the shell runs id first and passes its output as the argument, which works even inside double quotes)

3.1.2.4. COMMAND INJECTION Countermeasure:

3.1.2.4.1. 1. Avoid passing user input of any kind to functions that invoke a shell (system(), exec(), shell_exec(), popen(), or a process API with shell=True) unless it is absolutely necessary, and disable those functions in your language's configuration if you don't need them (for example PHP's disable_functions).

3.1.2.4.2. 2. Build an allowlist of possible inputs and check the format, for example an integer for a numeric id or a valid IP address or hostname for a ping target. Where a command must be run, pass the arguments as a list to the process API so that no shell ever parses them.
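The ping wrapper the examples above describe, written both ways, is an added example and not code from the original page. The hostname pattern, the constructed probe inputs and the function names are mine; the ping flags are the page's. The vulnerable form is returned as a string rather than executed so the demo runs offline.

```python
"""Ping wrapper: shell string (injectable) versus validated argument list.

Added example, not code from the original page. HOSTNAME_RE and the
constructed inputs are mine; the ping flags match the page's examples."""
import ipaddress
import re
import subprocess

# One DNS label: alphanumerics and hyphens, no leading or trailing hyphen.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
HOSTNAME_RE = re.compile(rf"^(?=.{{1,253}}$)(?:{_LABEL}\.)*{_LABEL}$", re.IGNORECASE)


def is_valid_host(value):
    """Allowlist check: an IP address or a syntactically valid hostname.

    Everything the shell cares about (';', '|', '$', '(', quotes, spaces,
    a leading '-') fails this test, so nothing else needs to be escaped."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return bool(HOSTNAME_RE.match(value))


def ping_shell_string(host):
    """What the vulnerable code hands to /bin/sh via system() or shell=True.

    Returned rather than executed so the demo runs offline; with
    host = '127.0.0.1; id' the shell would run id as a second command."""
    return f"ping -c 5 {host}"


def ping_argv(host):
    """Hardened: validate, then build an argument vector with no shell in the path."""
    if not is_valid_host(host):
        raise ValueError(f"rejected ping target {host!r}")
    return ["ping", "-c", "5", host]


def run_ping(host, timeout=15):
    """Execute the hardened form. No shell is involved, so metacharacters in
    host would reach ping as a literal argument even if validation were skipped."""
    return subprocess.run(ping_argv(host), capture_output=True, text=True, timeout=timeout)


if __name__ == "__main__":
    for attempt in ("127.0.0.1", "127.0.0.1; id", '"$(id)"', "example.com"):
        try:
            print(f"{attempt!r:20} -> argv {ping_argv(attempt)}")
        except ValueError as err:
            print(f"{attempt!r:20} -> {err}  (shell string would have been {ping_shell_string(attempt)!r})")
```

The two defenses are independent: the argument list removes the shell, and the allowlist removes inputs that ping itself might misinterpret (an argument beginning with a hyphen would be parsed as an option).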

3.1.3. COOKIE POISONING AND SNOOPING

3.1.3.1. What is COOKIE POISONING AND SNOOPING?

3.1.3.1.1. Cookie poisoning is the modification of a cookie (data a web application stores in the user's browser, such as a session identifier, user name or role) by an attacker to gain unauthorized access or information, for purposes such as identity theft. Cookie snooping is reading such cookies, for example by sniffing an unencrypted connection, to obtain the same data.

3.1.3.2. COOKIE POISONING AND SNOOPING Vulnerabilities:

3.1.3.2.1. The attacker may use the information to open new accounts or to gain access to the user's existing accounts; if the application trusts a value such as a role or user id stored in the cookie, rewriting it grants another user's privileges.

3.1.3.3. COOKIE POISONING AND SNOOPING Countermeasure:

3.1.3.3.1. 1. A web application firewall (WAF) can protect against cookie poisoning by recording the cookie "set" commands sent by the web server and intercepting all HTTP requests to compare the cookies they carry with the values originally issued.

3.1.3.3.2. 2. The Imperva SecureSphere Web Application Firewall (WAF) can block cookie poisoning attacks.

3.1.3.3.3. 3. In the application itself, keep sensitive state (user id, role) on the server and store only an unpredictable session identifier in the cookie, or sign the cookie with a server-side key (HMAC) so any modification is detected. Send cookies with the Secure and HttpOnly attributes over TLS to prevent snooping.
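The application-side defenses, a signed cookie that detects poisoning and an unpredictable, rotated session identifier against hijacking, are shown together below. This is an added example serving both this section and the session hijacking countermeasures in section 1.5; it is not code from the original page, and SECRET_KEY, the cookie contents and the attacker's edit are constructed.

```python
"""Tamper-evident session cookie versus a cookie the client can rewrite.

Added example, not code from the original page; serves both the cookie
poisoning section and the session hijacking countermeasures. SECRET_KEY,
the cookie contents and the attacker's edit are constructed."""
import base64
import hashlib
import hmac
import secrets

SECRET_KEY = b"constructed-server-secret-never-sent-to-clients"


def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_cookie(payload, key=SECRET_KEY):
    """body.mac where mac = HMAC-SHA256(key, body). Anyone can read the body;
    only the server can produce a matching mac."""
    body = _b64(payload.encode())
    mac = hmac.new(key, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(mac)}"


def verify_cookie(cookie, key=SECRET_KEY):
    """Return the payload if the mac matches, else None. compare_digest keeps
    the comparison constant-time so the mac cannot be guessed byte by byte."""
    try:
        body, mac_text = cookie.rsplit(".", 1)
        expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(_unb64(mac_text), expected):
            return None
        return _unb64(body).decode()
    except (ValueError, UnicodeDecodeError):
        return None


def poison(cookie, old, new):
    """Attacker: decode the readable body, edit a field, keep the old mac.
    Against an unsigned cookie this is the whole attack."""
    body, mac_text = cookie.rsplit(".", 1)
    edited = _unb64(body).decode().replace(old, new)
    return f"{_b64(edited.encode())}.{mac_text}"


def new_session_id():
    """Unpredictable identifier (256 bits); issue a fresh one after login so a
    pre-login id an attacker planted (session fixation) stops working."""
    return secrets.token_urlsafe(32)


def set_cookie_header(name, value):
    """Secure: only over TLS (stops snooping). HttpOnly: not readable by
    script (limits theft via XSS). SameSite: not sent on cross-site requests."""
    return f"Set-Cookie: {name}={value}; Secure; HttpOnly; SameSite=Lax; Path=/"


if __name__ == "__main__":
    issued = sign_cookie("user=bob;role=user")
    forged = poison(issued, "role=user", "role=admin")
    print("issued :", verify_cookie(issued))
    print("forged :", verify_cookie(forged))
    print(set_cookie_header("session", new_session_id()))
```

Signing makes the cookie tamper-evident, not secret: the body is only base64, so anything confidential still belongs on the server, keyed by the session identifier.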

3.1.4. AUTHENTICATION HIJACKING

3.1.4.1. What is AUTHENTICATION HIJACKING?

3.1.4.1.1. To identify users, personalize content and set access levels, many web applications require users to authenticate. Authentication hijacking is the abuse of a weak authentication mechanism (credentials sent in cleartext, guessable or reusable session tokens, no lockout against guessing) to take over a user's identity.

3.1.4.2. AUTHENTICATION HIJACKING Vulnerabilities:

3.1.4.2.1. Can lead to theft of services, session hijacking, user impersonation, disclosure of sensitive information, and privilege escalation.

3.1.4.3. AUTHENTICATION HIJACKING Countermeasure:

3.1.4.3.1. Use Transport Layer Security (TLS, the successor of Secure Sockets Layer (SSL)) to encrypt the authentication traffic and the whole session that follows it.

3.1.5. DIRECTORY TRAVERSAL/UNICODE

3.1.5.1. What is DIRECTORY TRAVERSAL/UNICODE?

3.1.5.1.1. Directory traversal (or path traversal) is an HTTP attack that allows attackers to access files and directories outside the web server's document root by supplying path components such as ../, or their URL-encoded and Unicode-encoded forms (for example %2e%2e%2f and %c0%af), in a request.

3.1.5.2. DIRECTORY TRAVERSAL/UNICODE Vulnerabilities:

3.1.5.2.1. With a system vulnerable to directory traversal, an attacker can make use of this vulnerability to step out of the root directory and access other parts of the file system. This might give the attacker the ability to view restricted files, which could provide the attacker with more information required to further compromise the system.

3.1.5.3. DIRECTORY TRAVERSAL/UNICODE Countermeasure:

3.1.5.3.1. 1. Ensure you have installed the latest version of your web server software, and that all patches have been applied (the Unicode variant of this attack exploited a decoding bug in the web server itself).

3.1.5.3.2. 2. Effectively filter any user input. Ideally remove everything but the known good data and filter meta characters from the user input. Decode the input once, build the full path, canonicalize it, and reject the request if the result is not inside the document root; this catches the encoded and double-dotted variants that a plain string filter misses.
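The canonicalize-then-compare check from countermeasure 2, run against plain, percent-encoded, double-encoded and overlong-UTF-8 probes, is shown below. This is an added example and not code from the original page; DOC_ROOT and the request paths are constructed, the main check is purely lexical (posixpath) so it runs without the files existing, and the second function adds the symlink resolution a real file handler also needs.

```python
"""Path-traversal check for a static file handler.

Added example, not code from the original page. DOC_ROOT and the request
paths are constructed; resolve_request_path is lexical so it runs without
the files existing, open_under_root adds symlink resolution."""
import os
import posixpath
from urllib.parse import unquote

DOC_ROOT = "/var/www/html"


def resolve_request_path(requested, root=DOC_ROOT):
    """Map a request path onto the document root, or return None.

    Steps: decode percent-encoding exactly once, reject NUL and backslashes,
    join with the root, normalize away every '.' and '..', then insist the
    result still lies under the root. Overlong UTF-8 such as %c0%af never
    becomes '/' because invalid bytes decode to U+FFFD, not to a separator."""
    decoded = unquote(requested)                     # %2e%2e%2f -> ../
    if "\x00" in decoded or "\\" in decoded:         # NUL truncation, Windows separators
        return None
    root = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    if posixpath.commonpath([root, candidate]) != root:
        return None                                  # escaped the root
    return candidate


def open_under_root(requested, root=DOC_ROOT):
    """Real-filesystem variant: after the lexical check, resolve symlinks too,
    because a link inside the root may point outside it."""
    lexical = resolve_request_path(requested, root)
    if lexical is None:
        return None
    real_root = os.path.realpath(root)
    real = os.path.realpath(lexical)
    if os.path.commonpath([real_root, real]) != real_root:
        return None
    return real


# Constructed probes a tester would send; only the first and last two are served.
PROBES = [
    "index.html",
    "../../etc/passwd",
    "%2e%2e/%2e%2e/etc/passwd",
    "..%2F..%2Fetc%2Fpasswd",
    "images/../../../etc/passwd",
    "%c0%af..%c0%af..%c0%afetc/passwd",
    "%252e%252e/etc/passwd",
    "/etc/passwd",
]

if __name__ == "__main__":
    for probe in PROBES:
        print(f"{probe!r:40} -> {resolve_request_path(probe)}")
```

Note what the double-encoded probe turns into: a single decode leaves the literal directory name %2e%2e under the root, which is harmless. It becomes dangerous only if a second component (a framework, a proxy, the application) decodes again after the check, which is why the decode and the check must happen in the same place.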

3.1.6. BUFFER OVERFLOW

3.1.6.1. What is BUFFER OVERFLOW?

3.1.6.1.1. A buffer overflow, or buffer overrun, is an anomaly where a program, while writing data to a buffer, overruns the buffer's boundary and overwrites adjacent memory locations.

3.1.6.2. Types of BUFFER OVERFLOW:

3.1.6.2.1. 1. Stack-based

3.1.6.2.2. 2. Heap-based

3.1.6.3. BUFFER OVERFLOW Vulnerabilities:

3.1.6.3.1. 1. Lack of bounds checking or a lack of input-validation sanitization in a variable field (such as on a web form). If the application doesn't check or validate the size or format of a variable before storing it in memory, an overflow vulnerability exists.

3.1.6.3.2. 2. A hacker sends large amounts of data to the application via a form field and sees what the program does as a result.

3.1.6.4. BUFFER OVERFLOW Countermeasure:

3.1.6.4.1. 1. Use safer functions and languages: avoid unbounded C functions such as strcpy, strcat, gets and sprintf in favor of length-checked alternatives, and prefer memory-safe languages, which offer more protection against buffer overflows than C.

3.1.6.4.2. 2. Improved compiler and runtime techniques: managed runtimes such as Java automatically check that an array index is within bounds, and C/C++ compilers can insert stack canaries (StackGuard, -fstack-protector) that detect a smashed stack before the corrupted return address is used.

3.1.6.4.3. 3. Disable stack execution: if the program is already compiled, run it with a non-executable stack (NX/DEP) and address space layout randomization (ASLR), so injected code cannot be executed directly and return addresses are harder to predict.

3.2. WEB SERVER VULNERABILITIES

3.2.1. Web servers, like other systems, can be compromised by a hacker. The following vulnerabilities are the ones most commonly exploited in web servers:

3.2.1.1. 1. Misconfiguration of the web server software

3.2.1.2. 2. Operating system or application bugs, or flaws in programming code

3.2.1.3. 3. Vulnerable default installation of operating system and web server software, and/or lack of patch management to update operating system or web server software

3.2.1.4. 4. Lack of or not following proper security policies and procedures

3.3. WIRELESS HACKING TECHNIQUES

3.3.1. 1. Cracking encryption and authentication mechanisms

3.3.1.1. These mechanisms include cracking WEP, the WPA pre-shared key (PSK) passphrase, and Cisco's Lightweight EAP (LEAP) authentication.

3.3.1.2. Hackers can use them to connect to the WLAN using stolen credentials or can capture other users’ data and decrypt/encrypt it.

3.3.2. 2. Eavesdropping or sniffing

3.3.2.1. This involves capturing passwords or other confidential information from an unencrypted WLAN or hotspot.

3.3.3. 3. Denial of service

3.3.3.1. DoS can be performed at the physical layer by creating a louder RF signature than the AP with an RF transmitter, causing an approved AP to fail so users connect to a rogue AP.

3.3.3.2. DoS by generating deauthentication frames (deauth attacks) or by continuously generating false frames (Queensland attack).

3.3.4. 4. AP masquerading or spoofing

3.3.4.1. Rogue APs pretend to be legitimate APs by using the same configuration SSID settings or network name.

3.3.5. 5. MAC Spoofing

3.3.5.1. MAC spoofing is a technique for changing the factory-assigned Media Access Control (MAC) address of a network interface on a networked device. The address burned into the network interface controller (NIC) cannot be changed, but many drivers allow the address the interface actually uses to be set in software, and there are tools that make an operating system believe the NIC has a MAC address of the user's choosing. Because wireless access controls are often based on MAC address filtering, spoofing an address seen on the network is enough to bypass them. Essentially, MAC spoofing changes a computer's link-layer identity, for any reason, and it is relatively easy.

3.4. PHYSICAL COUNTERMEASURE

3.4.1. 1. Lock server room

3.4.2. 2. Set up and monitor video surveillance

3.4.3. 3. Secure workstations: use case locks or locked enclosures to keep intruders from opening the computer.

3.4.4. 4. Protect portable device
