CBROPS 200-201: Chapter 4 - Types of Attacks & Vulnerabilities

This mind map goes over key topics and definitions from Chapter 4 - Types of Attacks


1. Different types of port-and network-scanning techniques

1.1. Basic Port Scan

1.1.1. Scanning predetermined TCP/UDP ports by sending specially crafted packets.

1.2. TCP Connect Scan

1.2.1. Uses the Unix connect() system call.

1.2.2. If the port is open, the victim completes the three-way handshake.

1.3. TCP SYN Scan (Half-Open Scan)

1.3.1. Does not open a full TCP connection: the attacker sends a SYN, and if the victim responds with SYN/ACK the port is considered open.

1.4. TCP ACK Scan

1.4.1. Sends an ACK to determine whether a port is filtered or unfiltered.

1.4.2. Used to determine if firewalls are deployed and their rule-sets.

1.4.3. TCP FIN packets may be used to bypass legacy firewalls.

1.5. UDP Scan

1.5.1. The victim's ICMP "Port Unreachable" responses are used to determine whether a port is open.

1.5.2. Adversely affected by firewalls & ICMP rate limiting.

1.6. Strobe Scan

1.6.1. Attackers use this scan to look only for ports they know how to exploit, scanning at a more confined level.

1.7. Stealth Scan

1.7.1. Designed to go undetected by network auditing tools.

2. What are phishing, pharming, & malvertising?

2.1. Phishing

2.1.1. The attacker presents the user with a link that looks like a valid, trusted resource, usually through email.

2.2. Spear Phishing

2.2.1. Targets specific individuals or companies.

2.3. Pharming

2.3.1. A threat actor redirects a victim from a valid website or resource to a malicious one that may appear to be the valid site.

2.4. Malvertising

2.4.1. Act of incorporating malicious ads on trusted websites.

3. Privilege Escalation Attacks

3.1. Process of taking some level of access and achieving an even greater level of access.

4. Buffer Overflow & Code Execution

4.1. Remote Code Execution (RCE) allows an attacker to fully compromise the confidentiality, integrity, and availability (CIA) of a system. Buffer overflows can lead to RCE.

4.2. Stack-based Buffer Overflows

4.2.1. Stack-based BO relies on overflowing a fixed-length buffer.

4.3. Heap Overflow

4.3.1. A heap overflow relies on overwriting internal structures such as linked list pointers.

5. Identifying the different types of DDoS attacks

5.1. Direct DDoS

5.1.1. An attack where the source of the attack generates the packets and sends them directly to the victim.

5.2. Reflected DDoS

5.2.1. The sources of the attack are sent spoofed packets that appear to come from the victim; those sources become attack pawns by sending their response traffic to the victim.

5.3. Amplification DDoS Attack

5.3.1. A type of reflected attack where response traffic is made of packets that are much larger than those that were initially sent by the attacker. For example, DNS queries are sent and the DNS responses are much larger in packet size than the initial query packets.

6. Reflected DDoS attacks

6.1. The sources of the attack are sent spoofed packets that appear to come from the victim; those sources become attack pawns by sending their response traffic to the victim.

7. Attack Methods for Data Exfiltration

7.1. Examples

7.1.1. DNS2TCP

7.1.2. DNScat-P

7.1.3. Iodine Protocol v5.00

7.1.4. Iodine Protocol v5.02

7.1.5. OzymanDNS

7.1.6. SplitBrain

7.1.7. TCP-Over-DNS

7.1.8. YourFreedom

8. Route Manipulation Attacks

8.1. BGP hijacking attack

8.1.1. The most popular route manipulation attack: the attacker uses a rogue router to announce prefixes that have not been assigned to the organization; these announcements contain routes that lead to the attacker.

9. The most common attacks against wireless networks

9.1. Installing a rogue access point

9.1.1. The attacker installs an access point as a backdoor to obtain network access.

9.2. Jamming wireless signals and causing interference

9.2.1. Creates a DoS condition within the wireless network.

9.3. War Driving

9.3.1. Used to find access points wherever they may be; attackers drive around and gather large amounts of information.

9.4. Bluejacking

9.4.1. Attacker sends unsolicited messages to another device via Bluetooth.

9.5. Evil twin attack

9.5.1. A variant of the rogue access point: the attacker configures the access point exactly the same as a legitimate one on the network.

9.6. IV attack

9.6.1. The attacker modifies the IV (Initialization Vector) of an encrypted wireless packet, ultimately generating another key for use in decryption.

9.7. WEP attack

9.7.1. WEP should never be used. WPA 3 is the latest version of the WPA specification; WPA 1 & 2 are vulnerable to KRACK.

9.8. WPS attack

9.8.1. WPS password-guessing tools are used to obtain WPS passwords.

10. The Open Web Application Security Project (OWASP)

10.1. OWASP provides references to vulnerabilities as well as mitigations, training, tools, and general infosec material.

11. Key Terms

11.1. SQL Injection

11.1.1. An attack whereby an attacker injects a SQL query via the input data from a client to the application or database.

11.2. CSRF

11.2.1. Cross-site request forgery. Forces an end user to execute malicious steps, typically after authentication has occurred, by abusing the trust between client and application. CSRF targets state-changing requests; attackers cannot steal data because they cannot see the response. Attacks are usually carried out via social engineering.

11.3. XSS

11.3.1. A type of web app attack where malicious scripts are injected into trusted websites. Typically delivered via browser-side scripts.

11.4. Buffer Overflow

11.4.1. A situation where a program writes more data to a buffer than it can hold, overwriting adjacent memory space. Can cause memory corruption, DoS, or code execution conditions.

11.5. War Driving

11.5.1. An attacker can drive around and locate wireless access points.

11.6. Rainbow Tables

11.6.1. A lookup table in which an attacker stores precomputed possible passwords and their hashes. It allows the attacker to simply search for hashes obtained from the victim system. Mitigation: disable LM hashes & use complex passwords.

11.7. DNS Tunneling

11.7.1. Method in which attackers can encapsulate chunks of data into DNS packets to exfiltrate data.

11.8. Botnet

11.8.1. A collection of compromised machines an attacker can manipulate with a C2 or CNC system to participate in DoS, spam, etc.

11.9. Backdoors

11.9.1. A piece of malware or config change that allows an attacker to control the system remotely. Used for exfiltration or future access.

12. Understanding passive vs. active reconnaissance

12.1. Passive Reconnaissance

12.1.1. Gathering records that require no direct interaction with the target organization.

12.1.1.1. Researching the victim's public records, social media, DNS, & whois.

12.1.2. Tools

12.1.2.1. Shodan

12.1.2.2. Maltego

12.1.2.3. Recon-ng

12.1.2.4. The Harvester

12.1.2.5. Spiderfoot

12.2. Active Reconnaissance

12.2.1. Actively interacting with a system itself.

12.2.2. Carried out by tools called scanners.

12.2.3. Tools

12.2.3.1. nmap

12.2.3.2. BurpSuite

12.2.3.3. ZAP

12.2.3.4. Nessus

13. Understanding Open-Source Intelligence (OSINT)

13.1. A method of gathering publicly available intelligence sources to collect and analyze information about a target. It is called open-source because collecting this information does not require any covert action.

14. Backdoors

14.1. Threat actors may install backdoors on compromised systems to allow future access or collect information.

15. Man-in-the-Middle attacks

15.1. Results when an attacker places themselves in the middle of two devices communicating with the intent of performing reconnaissance or manipulating data.

15.2. ARP Poisoning

15.2.1. The attacker spoofs Layer 2 MAC addresses to trick the victim device into believing the attacker is the default gateway.

15.2.2. Examples

15.2.2.1. Rogue switches can be used to manipulate Spanning Tree Protocol (STP) to become the root switch.

15.2.2.2. Rogue routers can be used to manipulate network routers into believing the attacker has a better route.

15.3. Mitigations

15.3.1. Safeguard data in motion by using encryption.

16. What are botnets?

16.1. A collection of compromised machines that an attacker can manipulate from a command and control (C2 or CnC) system.

17. What are amplification attacks?

17.1. A type of reflected attack where response traffic is made of packets that are much larger than those that were initially sent by the attacker. For example, DNS queries are sent and the DNS responses are much larger in packet size than the initial query packets.

18. ARP Cache Poisoning

18.1. Attackers can attack systems on a subnet by spoofing MAC addresses at Layer 2 and intercepting traffic intended for other systems on that subnet.

18.2. Mitigation

18.2.1. Dynamic ARP inspection validates IP-to-MAC address bindings.

19. Different types of password attacks

19.1. Password-guessing attack

19.1.1. The most common type; methods include the brute-force attack (combinations of characters) & the dictionary attack (whole words).

19.1.2. Tools

19.1.2.1. Hydra

19.1.2.2. John the Ripper

19.1.2.3. Cain & Abel

19.2. Password-resetting attack

19.2.1. Often easier than cracking: simply reset the password. Most tools contain a bootable version of Linux that can mount NTFS volumes to help locate and reset the Admin password.

19.3. Password Cracking

19.3.1. Takes a password hash and attempts to convert it to its plaintext.

19.3.2. Rainbow Table

19.3.2.1. Possible hashes are precomputed and put in a lookup table called a rainbow table, in which captured hashes can then be looked up.

19.4. Password Sniffing

19.4.1. Attacker sniffs authentication packets between server and client to help in cracking.

19.5. Password Capturing

19.5.1. With keyloggers or Trojan horses.

20. Defining & understanding different types of security vulnerabilities

20.1. API-based vulnerabilities

20.1.1. Aimed at flaws in APIs.

20.2. Authentication & Authorization bypass vulnerabilities

20.2.1. Used to bypass authentication and authorization mechanisms of systems within the network.

20.3. Buffer Overflow

20.3.1. Occurs when a program tries to write past the bounds of a memory buffer. This corruption of memory can lead to Code Execution.

20.4. Cross-site scripting (XSS) vulnerability

20.4.1. Malicious scripts are injected into legitimate and trusted websites.

20.4.2. Successful exploitation may lead to the execution of malicious code, account compromise, session hijacking, redirection, & modification of local files.

20.4.3. Found in HTTP headers, input fields that echo user data, hidden form fields, & error messages that return user input.

20.5. Cross-site request forgery (CSRF) vulnerability

20.5.1. Forces users to execute malicious steps on a web application, exploiting trust between a user and a web app.

20.6. Cryptographic vulnerability

20.6.1. Flaw in a cryptographic protocol or its implementation.

20.7. Deserialization of untrusted data vulnerability

20.7.1. Uses or causes malformed data or unexpected data to abuse application logic.

20.8. Double Free

20.8.1. Occurs in C and C++ when free() is called more than once with the same memory address.

20.9. Insufficient Entropy

20.9.1. When crypto applications lack entropy. Pseudo-random Number Generators (PRNGs) are susceptible to insufficient entropy vulnerabilities.

20.10. SQL injection vulnerabilities

21. Accessing Omar's GitHub repository & WebSploit labs

21.1. https://h4cker.org/github