CBROPS 200-201: Chapter 4 - Types of Attacks & Vulnerabilities

This mind map goes over key topics and definitions from Chapter 4 - Types of Attacks


1. Understanding passive vs. active reconnaissance

1.1. Passive Reconnaissance

1.1.1. Gathering records that require no direct interaction with the target organization.

1.1.1.1. Researching the victim's public records, social media, DNS, & WHOIS.

1.1.2. Tools

1.1.2.1. Shodan

1.1.2.2. Maltego

1.1.2.3. Recon-ng

1.1.2.4. The Harvester

1.1.2.5. Spiderfoot

1.2. Active Reconnaissance

1.2.1. Actively interacting with a system itself.

1.2.2. Carried out by tools called scanners.

1.2.3. Tools

1.2.3.1. nmap

1.2.3.2. BurpSuite

1.2.3.3. ZAP

1.2.3.4. Nessus

2. Understanding Open-Source Intelligence (OSINT)

2.1. A method of gathering publicly available intelligence sources to collect and analyze information about a target. Called open-source because collecting this information does not require any covert action.

3. Different types of port- and network-scanning techniques

3.1. Basic Port Scan

3.1.1. Scanning predetermined TCP/UDP ports by sending specially crafted packets.

3.2. TCP Connect Scan

3.2.1. Uses the Unix connect() system call.

3.2.2. If the port is open, the victim completes the three-way handshake.

3.3. TCP SYN Scan (Half-Open Scan)

3.3.1. Does not open a full TCP connection: the attacker sends a SYN, and if the victim responds with SYN/ACK the port is considered open.

3.4. TCP ACK Scan

3.4.1. Sends an ACK to determine whether a port is filtered or unfiltered.

3.4.2. Used to determine if firewalls are deployed and their rule-sets.

3.4.3. TCP FIN packets may be used to bypass legacy firewalls.

3.5. UDP Scan

3.5.1. The scanner uses the victim's ICMP "Port Unreachable" replies to determine port state (a reply means the port is closed; no reply suggests it is open or filtered).

3.5.2. Adversely affected by firewalls & ICMP rate limiting.

3.6. Strobe Scan

3.6.1. Attackers use this scan to probe only the ports they know how to exploit, so it runs at a more confined level.

3.7. Stealth Scan

3.7.1. Designed to go undetected by network auditing tools.

4. What are phishing, pharming, & malvertising?

4.1. Phishing

4.1.1. The attacker presents a user with a link that looks like a valid, trusted resource, usually through email.

4.2. Spear Phishing

4.2.1. Targets specific individuals or companies.

4.3. Pharming

4.3.1. Term used to describe a threat actor redirecting a victim from a valid website or resource to a malicious one that may look like the valid site.

4.4. Malvertising

4.4.1. Act of incorporating malicious ads on trusted websites.

5. Privilege Escalation Attacks

5.1. Process of taking some level of access and achieving an even greater level of access.

6. Backdoors

6.1. Threat actors may install backdoors on compromised systems to allow future access or collect information.

7. Buffer Overflow & Code Execution

7.1. Remote Code Execution (RCE) allows an attacker to fully compromise the confidentiality, integrity, and availability (CIA) of a system. Buffer overflows can lead to RCE.

7.2. Stack-based Buffer Overflows

7.2.1. Stack-based BO relies on overflowing a fixed-length buffer.

7.3. Heap Overflow

7.3.1. A heap overflow relies on overwriting internal structures such as linked list pointers.

8. Man-in-the-Middle attacks

8.1. Results when an attacker places themselves in the middle of two devices communicating with the intent of performing reconnaissance or manipulating data.

8.2. ARP Poisoning

8.2.1. The attacker spoofs Layer 2 MAC addresses to trick the victim device into believing the attacker is the default gateway.

8.2.2. Examples

8.2.2.1. Rogue switches can be used to manipulate Spanning Tree Protocol (STP) to become the root switch.

8.2.2.2. Rogue routers can be used to manipulate network routers into believing the attacker has a better route.

8.3. Mitigations

8.3.1. Safeguard data in motion by using encryption.

9. Identifying the different types of DDoS attacks

9.1. Direct DDoS

9.1.1. An attack where the source of the attack generates the packets and sends them directly to the victim.

9.2. Reflected DDoS

9.2.1. The attack source is sent spoofed packets that appear to come from the victim; the source then becomes an attack pawn by sending its response traffic to the victim.

9.3. Amplification DDoS Attack

9.3.1. A type of reflected attack where the response traffic consists of packets much larger than those initially sent by the attacker. For example, DNS queries are sent and the DNS responses are much larger than the initial query packets.

10. What are botnets?

10.1. A collection of compromised machines that an attacker can manipulate from a command and control (C2 or CnC) system.

11. Reflected DDoS attacks

11.1. The attack source is sent spoofed packets that appear to come from the victim; the source then becomes an attack pawn by sending its response traffic to the victim.

12. What are amplification attacks?

12.1. A type of reflected attack where the response traffic consists of packets much larger than those initially sent by the attacker. For example, DNS queries are sent and the DNS responses are much larger than the initial query packets.

13. Attack Methods for Data Exfiltration

13.1. Examples

13.1.1. DNS2TCP

13.1.2. DNScat-P

13.1.3. Iodine Protocol v5.00

13.1.4. Iodine Protocol v5.02

13.1.5. OzymanDNS

13.1.6. SplitBrain

13.1.7. TCP-Over-DNS

13.1.8. YourFreedom

14. ARP Cache Poisoning

14.1. Attackers on a subnet can intercept traffic intended for other systems on that subnet by spoofing MAC addresses at Layer 2.

14.2. Mitigation

14.2.1. Dynamic ARP inspection validates IP-to-MAC address bindings.

15. Route Manipulation Attacks

15.1. BGP hijacking attack

15.1.1. The most popular route manipulation attack: the attacker uses a rogue router to announce prefixes that have not been assigned to the organization; these announcements contain routes that lead to the attacker.

16. Different types of password attacks

16.1. Password-guessing attack

16.1.1. The most common type; methods include brute-force attacks (trying combinations of characters) & dictionary attacks (trying whole words).

16.1.2. Tools

16.1.2.1. Hydra

16.1.2.2. John the Ripper

16.1.2.3. Cain & Abel

16.2. Password-resetting attack

16.2.1. Often easier than cracking; most tools contain a bootable version of Linux that can mount NTFS volumes to help locate and reset the Admin password.

16.3. Password Cracking

16.3.1. Takes a password hash and attempts to convert it back to its plaintext.

16.3.2. Rainbow Table

16.3.2.1. Possible hashes are precomputed and stored in a lookup table called a rainbow table; captured hashes can then be looked up in it.

16.4. Password Sniffing

16.4.1. Attacker sniffs authentication packets between server and client to help in cracking.

16.5. Password Capturing

16.5.1. With keyloggers or Trojan horses.

17. The most common attacks against wireless networks

17.1. Installing a rogue access point

17.1.1. Attacker installs access point as a backdoor to obtain network access.

17.2. Jamming wireless signals and causing interference

17.2.1. Create a DoS condition within the wireless network.

17.3. War Driving

17.3.1. Used to find access points wherever they may be; attackers can drive around and gather large amounts of information.

17.4. Bluejacking

17.4.1. Attacker sends unsolicited messages to another device via Bluetooth.

17.5. Evil twin attack

17.5.1. Done when creating rogue access points: the attacker configures the rogue access point exactly the same as the legitimate one on the network.

17.6. IV attack

17.6.1. The attacker modifies the IV (Initialization Vector) of an encrypted wireless packet to ultimately generate another key for use in decryption.

17.7. WEP attack

17.7.1. WEP should never be used; WPA 3 is the latest version of the WPA specification. WPA 1 & 2 are vulnerable to KRACK.

17.8. WPS attack

17.8.1. WPS password-guessing tools are used to obtain WPS passwords.

18. Defining & understanding different types of security vulnerabilities

18.1. API-based vulnerabilities

18.1.1. Aimed at flaws in APIs.

18.2. Authentication & Authorization bypass vulnerabilities

18.2.1. Used to bypass authentication and authorization mechanisms of systems within the network.

18.3. Buffer Overflow

18.3.1. Occurs when a program tries to write past the bounds of a memory buffer. This memory corruption can lead to code execution.

18.4. Cross-site scripting (XSS) vulnerability

18.4.1. Malicious scripts are injected into legitimate and trusted websites.

18.4.2. Successful exploitation may lead to the execution of malicious code, account compromise, session hijacking, redirection, & modification of local files.

18.4.3. Found in HTTP headers, input fields that echo user data, hidden form fields, & error messages that return user input.

18.5. Cross-site request forgery (CSRF) vulnerability

18.5.1. Forces users to execute malicious steps on a web application, exploiting trust between a user and a web app.

18.6. Cryptographic vulnerability

18.6.1. Flaw in a cryptographic protocol or its implementation.

18.7. Deserialization of untrusted data vulnerability

18.7.1. Malformed or unexpected data is supplied to abuse application logic.

18.8. Double Free

18.8.1. Occurs in C and C++ when free() is called more than once with the same memory address.

18.9. Insufficient Entropy

18.9.1. When crypto applications lack entropy. Pseudo-random Number Generators (PRNGs) are susceptible to insufficient entropy vulnerabilities.

18.10. SQL injection vulnerabilities

19. The Open Web Application Security Project (OWASP)

19.1. OWASP provides references to vulnerabilities as well as mitigations, training, tools, and general infosec material.

20. Accessing Omar's GitHub repository & WebSploit labs

20.1. https://h4cker.org/github

21. Key Terms

21.1. SQL Injection

21.1.1. An attack whereby an attacker injects a SQL query via the input data from a client to the application or database.

21.2. CSRF

21.2.1. Cross-site request forgery. Forces an end user to execute malicious steps, typically after authentication has occurred, by abusing the trust between client and application. Targets state-changing requests; attackers cannot steal data because they cannot see the response. Attacks are usually carried out via social engineering.

21.3. XSS

21.3.1. A type of web app attack where malicious scripts are injected into trusted websites. Typically delivered via browser-side scripts.

21.4. Buffer Overflow

21.4.1. A situation where a program writes more data to a buffer than it can hold, overwriting adjacent memory space. Can cause memory corruption, DoS, or code execution conditions.

21.5. War Driving

21.5.1. An attacker can drive around and locate wireless access points.

21.6. Rainbow Tables

21.6.1. A lookup table in which an attacker stores precomputed possible passwords and their hashes. Allows attackers to simply search based on hashes taken from the victim system. Mitigation: disable LM hashes & use complex passwords.

21.7. DNS Tunneling

21.7.1. Method in which attackers can encapsulate chunks of data into DNS packets to exfiltrate data.

21.8. Botnet

21.8.1. A collection of compromised machines an attacker can manipulate with a C2 or CNC system to participate in DoS, spam, etc.

21.9. Backdoors

21.9.1. A piece of malware or config change that allows an attacker to control the system remotely. Used for exfiltration or future access.