Chapter 13. Types of Attacks and Vulnerabilities


This chapter covers the following topics:

- Types of attacks

- Types of vulnerabilities


The sophistication of cyber security attacks is increasing every day. In addition, there are numerous types of cyber security attacks and vulnerabilities. This chapter covers the most common.

“Do I Know This Already?” Quiz

The “Do I Know This Already?” quiz helps you identify your strengths and deficiencies in this chapter’s topics. The eight-question quiz, derived from the major sections in the “Foundation Topics” portion of the chapter, helps you determine how to spend your limited study time. You can find the answers in Appendix A Answers to the “Do I Know This Already?” Quizzes and Q&A Questions.

Table 13-1 outlines the major topics discussed in this chapter and the “Do I Know This Already?” quiz questions that correspond to those topics.

Table 13-1 “Do I Know This Already?” Foundation Topics Section-to-Question Mapping

Foundation Topics Section        Questions Covered in This Section
Types of Attacks                 1–5
Types of Vulnerabilities         6–8

1. Which of the following are examples of vulnerability and port scanners? (Select all that apply.)

a. SuperScan

b. nmap

c. Nexpose

d. Nessus

2. How do UDP scans work?

a. By establishing a three-way handshake.

b. By sending SYN packets to see what ports are open.

c. UDP scans have to rely on ICMP “port unreachable” messages to determine whether a port is open. When the scanner sends a UDP packet and the port is not open on the victim’s system, that system will respond with an ICMP “port unreachable” message.

d. By sending ICMP “port unreachable” messages to the victim.

3. What is a phishing attack?

a. A phishing attack is the act of incorporating malicious ads on trusted websites, which results in users’ browsers being inadvertently redirected to sites hosting malware.

b. A phishing attack uses SQL injection vulnerabilities in order to execute malicious code.

c. This is a type of denial-of-service (DoS) attack where the attacker sends numerous phishing requests to the victim.

d. This is a type of attack where the attacker presents a link that looks like a valid, trusted resource to a user. When the user clicks it, he is prompted to disclose confidential information such as his username and password.

4. What is a backdoor?

a. A backdoor is a social engineering attack to get access back to the victim.

b. A backdoor is a privilege escalation attack designed to get access from the victim.

c. A backdoor is an application or code used by an attacker either to allow future access or to collect information to use in further attacks.

d. A backdoor is malware installed using man-in-the-middle attacks.

5. What is an amplification attack?

a. An amplification attack is a form of directed DDoS attack in which the attacker’s packets are sent at a much faster rate than the victim’s packets.

b. An amplification attack is a form of reflected attack in which the response traffic (sent by the unwitting participant) is made up of packets that are much larger than those that were initially sent by the attacker (spoofing the victim).

c. An amplification attack is a type of man-in-the-middle attack.

d. An amplification attack is a type of data exfiltration attack.

6. What is a buffer overflow?

a. A buffer overflow is when a program or software cannot write data in a buffer, causing the application to crash.

b. A buffer overflow is when a program or software sends the contents of the buffer to an attacker.

c. A buffer overflow is when an attacker overflows a program with numerous packets to cause a denial-of-service condition.

d. A buffer overflow is when a program or software puts more data in a buffer than it can hold or when a program tries to put data in a memory location past a buffer.

7. What is a cross-site scripting (XSS) vulnerability?

a. A type of web application vulnerability where malicious scripts are injected into legitimate and trusted websites

b. A type of cross-domain hijack vulnerability

c. A type of vulnerability that leverages the crossing of scripts in an application

d. A type of cross-site request forgery (CSRF) vulnerability that is used to steal information from the network

8. What is a SQL injection vulnerability?

a. A type of vulnerability where an attacker can insert or “inject” a SQL query via the input data from the client to the application or database

b. A type of vulnerability where an attacker can “inject” a new password to a SQL server or the client

c. A type of DoS vulnerability that can cause a SQL server to crash

d. A type of privilege escalation vulnerability aimed at SQL servers

Foundation Topics

Types of Attacks


As you probably already know, most attackers do not want to be discovered, so they use a variety of techniques to remain in the shadows when attempting to compromise a network. The following sections list the most common types of attacks carried out by threat actors.

Reconnaissance Attacks

Reconnaissance attacks include the discovery process used to find information about the network, users, and victims. It could include scans of the network to find out which IP addresses respond, and further scans to see which ports on the devices at these IP addresses are open. This is usually the first step taken to discover what is on the network and to determine what vulnerabilities to exploit.

Scans can be passive or active. A passive scan is carried out by an attacker simply researching the victim’s public records, social media sites, and technical footprint, such as DNS records, whois data, and so on, without sending a single packet to the target. The attacker can use tools such as Maltego to accelerate this “research.” Active scans are carried out by tools called “scanners,” which probe the target directly and therefore can be logged and detected. The following are a few commercial and open source application and vulnerability scanners:

- AppScan by IBM

- Burp Suite Professional by PortSwigger

- Hailstorm by Cenzic

- N-Stalker by N-Stalker

- Nessus by Tenable Network Security

- NetSparker by Mavituna Security

- NeXpose by Rapid7

- nmap open source scanner

- NTOSpider by NTObjectives

- ParosPro by MileSCAN Technologies

- QualysGuard Web Application Scanning by Qualys

- Retina Web Security Scanner by eEye Digital Security

- Sentinel by WhiteHat

- Veracode Web Application Security by Veracode

- VUPEN Web Application Security Scanner by VUPEN Security

- WebApp360 by nCircle

- WebInspect by HP

- WebKing by Parasoft

- WebScanService by Elanize KG

- Websecurify by GNUCITIZEN


TIP

Be aware that attacks are not launched only by individuals outside your company. They are also launched by people and devices inside your company who have current, legitimate user accounts. This vector is of particular concern these days with the proliferation of organizations allowing employees to use their personal devices—known as “bring your own device” (BYOD)—to seamlessly access data, applications, and devices on the corporate network. Perhaps the user is curious, or maybe a backdoor is installed on the computer on which the user is logged in. In either case, it is important to implement a security policy that takes nothing for granted and to be prepared to mitigate risk at several levels.


There are different types of port- and network-scanning techniques. The following are the most common:

- Basic port scan: Involves scanning a predetermined TCP/UDP port by sending a specifically configured packet that contains the port number of the selected port. This is typically used to determine which ports are “open” (have a listening service) on a given system.

- TCP scan: A TCP-based scan of a series of ports on a machine to determine port availability. If a port on the machine is listening, the TCP “connect” succeeds in reaching that port. Earlier you learned that nmap is an open source scanner; nmap refers to this as a “connect scan,” named after the UNIX connect() system call. If the port is open, the victim operating system completes the TCP three-way handshake, which means the listening application sees the connection and can log it. The port scanner then closes the connection rather than leaving it open and consuming resources on the target.

TCP SYN scan is one of the most common types of TCP scanning, and it is also referred to as “half-open scanning” because it never actually opens a full TCP connection. The scanner sends a SYN packet; if the target responds with a SYN-ACK, the port is open, and the scanner typically replies with an RST packet instead of completing the handshake. An RST in response to the SYN means the port is closed, and no response (or an ICMP unreachable message) means the port is filtered. This is the scan used in Example 13-1 (nmap -sS); because it requires crafting raw packets, it needs root or administrator privileges.

Another TCP scan type is TCP ACK. This type of scan does not determine whether the TCP port is open or closed; instead, it checks whether the port is filtered or unfiltered. An unfiltered port answers an unsolicited ACK with an RST regardless of whether it is open or closed, whereas a stateful firewall drops the ACK because it belongs to no known connection. TCP ACK scans are therefore used to determine whether a firewall is deployed and to map its rule set. There are also TCP FIN scans that in some cases can bypass legacy, stateless firewalls that only block SYN packets: because of how TCP is specified, a closed port replies to a bare FIN with an RST, whereas an open port silently ignores it.

- UDP scan: Because UDP is a connectionless protocol and has no three-way handshake like TCP, UDP scans rely on ICMP “port unreachable” messages. When the scanner sends a UDP packet to a port that is not open, the victim’s system responds with an ICMP “port unreachable” (type 3, code 3) message, so the scanner knows the port is closed. If nothing comes back, the port is either open (most UDP services do not answer an arbitrary probe) or filtered by a firewall; the scanner cannot tell which, which is why nmap reports such ports as open|filtered. This type of scanning is slow and is heavily affected by firewalls and by ICMP rate limiting on the target (many operating systems, Linux among them, limit unreachable messages to about one per second by default).

- Strobe scan: A scan confined to a short list of ports the attacker already knows how to exploit, rather than the full port range. It executes on a more confined level and is faster and less noisy than a full sweep.

- Stealth scan: Any technique designed to go undetected by network auditing tools, for example using half-open or FIN probes instead of full connects, scanning very slowly, or randomizing the port order and source addresses.
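The following Python program is an added example, not part of the original chapter, that implements the TCP connect scan and the UDP scan described above with ordinary sockets and classifies the results the way the text does: a completed handshake or an application reply means open, an RST or ICMP port unreachable means closed, and silence means filtered (TCP) or open|filtered (UDP). To run offline it opens its own TCP and UDP listeners on 127.0.0.1; the port numbers are whatever the operating system assigns. SYN, ACK and FIN scans are not shown because they need raw sockets, which is why Example 13-1 runs nmap with sudo.

```python
import socket

# Added example, not from the original chapter. It implements the two scan
# types described above with ordinary sockets (no raw-socket privileges):
#   TCP connect scan: completed handshake = open, RST = closed, silence = filtered
#   UDP scan: ICMP "port unreachable" = closed, silence = open|filtered
# Targets below are listeners the example opens on loopback, so it runs offline.


def tcp_connect_scan(host, ports, timeout=0.5):
    """Return {port: 'open' | 'closed' | 'filtered'} using full TCP connects."""
    results = {}
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        try:
            s.connect((host, port))           # SYN -> SYN/ACK -> ACK completes
            results[port] = "open"
        except ConnectionRefusedError:        # SYN answered with RST
            results[port] = "closed"
        except OSError:                       # timeout or unreachable: dropped by a filter
            results[port] = "filtered"
        finally:
            s.close()                         # tear the connection down, do not leave it open
    return results


def udp_scan(host, ports, timeout=0.5):
    """Return {port: 'closed' | 'open' | 'open|filtered'}.

    A *connected* UDP socket makes the kernel report the ICMP type 3 code 3
    ("port unreachable") generated by a closed port as ECONNREFUSED on the
    next recv(). An unconnected socket would swallow that error on Linux and
    the scan would misreport every closed port as open|filtered.
    """
    results = {}
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            s.send(b"\x00")                   # probe datagram
            s.recv(1024)                      # an application reply proves the port is open
            results[port] = "open"
        except ConnectionRefusedError:        # ICMP port unreachable came back
            results[port] = "closed"
        except socket.timeout:                # nothing returned: silent service or firewall drop
            results[port] = "open|filtered"
        finally:
            s.close()
    return results


def _free_port(kind):
    """Bind an ephemeral port and release it; it is now (almost certainly) closed."""
    s = socket.socket(socket.AF_INET, kind)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def demo_scan():
    """Scan loopback against one TCP listener, one UDP listener and two closed ports."""
    tcp_srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tcp_srv.bind(("127.0.0.1", 0))
    tcp_srv.listen(5)                         # the kernel completes handshakes without accept()
    udp_srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    udp_srv.bind(("127.0.0.1", 0))            # bound but silent: looks exactly like a filter
    tcp_open, udp_open = tcp_srv.getsockname()[1], udp_srv.getsockname()[1]
    tcp_closed, udp_closed = _free_port(socket.SOCK_STREAM), _free_port(socket.SOCK_DGRAM)
    try:
        tcp = tcp_connect_scan("127.0.0.1", [tcp_open, tcp_closed])
        udp = udp_scan("127.0.0.1", [udp_open, udp_closed])
    finally:
        tcp_srv.close()
        udp_srv.close()
    return {"tcp_open": tcp[tcp_open], "tcp_closed": tcp[tcp_closed],
            "udp_open": udp[udp_open], "udp_closed": udp[udp_closed]}


if __name__ == "__main__":
    for name, state in demo_scan().items():
        print(f"{name:11s} -> {state}")
```

The UDP listener is reported as open|filtered even though it is genuinely open, which is the ambiguity the text describes: only a service that answers the probe, or a host that sends back ICMP unreachable, gives the scanner a definite answer.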

Example 13-1 shows a basic nmap scan against a Linux machine (172.18.104.139).

Example 13-1 Nmap Scanner Example


bash-3.2$ sudo nmap -sS 172.18.104.139
Password: ****************
Starting Nmap 7.12 ( https://nmap.org ) at 2016-09-06 11:13 EDT
Nmap scan report for 172.18.104.139
Host is up (0.024s latency).
Not shown: 995 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
25/tcp  open  smtp
80/tcp  open  http
110/tcp open  pop3
143/tcp open  imap
Nmap done: 1 IP address (1 host up) scanned in 1.26 seconds


In Example 13-1, the host (172.18.104.139) is listening to TCP ports 22, 25, 80, 110, and 143.

Example 13-2 shows how to perform a “ping sweep” (host discovery without a port scan) using nmap to see what systems are present in a given subnet (in this example, 172.18.104.129/29). The -sP option shown is the older spelling; current nmap releases accept it as an alias for -sn.

Example 13-2 Nmap Ping Sweep Example


bash-3.2$ nmap -sP 172.18.104.129/29
Starting Nmap 7.12 ( https://nmap.org ) at 2016-09-06 11:22 EDT
Nmap scan report for 172.18.104.129
Host is up (0.0071s latency).
Nmap scan report for 172.18.104.130
Host is up (0.0076s latency).
Nmap scan report for 172.18.104.132
Host is up (0.0076s latency).
Nmap scan report for 172.18.104.133
Host is up (0.0079s latency).
Nmap scan report for 172.18.104.134
Host is up (0.0074s latency).
Nmap scan report for 172.18.104.135
Host is up (0.011s latency).
Nmap done: 8 IP addresses (6 hosts up) scanned in 3.75 seconds



NOTE

Additional examples and details about all the different nmap scanner options can be obtained at http://linuxcommand.org/man_pages/nmap1.xhtml.


Social Engineering

Social engineering attacks leverage the weakest link, which is the human user. If the attacker can get the user to reveal information, it is much easier for the attacker to cause harm rather than using some other method of reconnaissance. This could be done through email or misdirection of web pages, which results in the user clicking something that leads to the attacker gaining information. Social engineering can also be done in person by an insider or outside entity or over the phone.

A primary example is attackers leveraging normal user behavior. Suppose for a second that you are a security professional who is in charge of the network firewalls and other security infrastructure equipment in your company. An attacker could post a job offer for a very lucrative position and make it very attractive to you, the victim. Let’s say that the job description lists benefits and compensation far beyond what you are already making at your company. You decide to apply for the position. The criminal (attacker) then schedules an interview with you. Because you are likely to “show off” your skills and work, he may ask you how you configured the firewalls and other network infrastructure devices for your company. You might disclose information about the firewalls used in your network, how you configured them, how they were designed, and so on. This gives the attacker a lot of knowledge about the organization without even performing any type of scanning or reconnaissance on the network.

Other social engineering techniques include the following:


- Phishing: The attacker presents a link that looks like a valid, trusted resource to a user. When the user clicks it, he is prompted to disclose confidential information such as his username and password.

- Pharming: The attacker redirects the user from a valid resource to a malicious one, typically by tampering with name resolution (for example, poisoning a DNS cache or the hosts file) so that the correct URL leads to a site made to look like the valid one. From there, an attempt is made to extract confidential information from the user.

- Malvertising: The act of incorporating malicious ads on trusted websites, which results in users’ browsers being inadvertently redirected to sites hosting malware.

A security-aware culture must include ongoing training that consistently informs employees about the latest security threats, as well as policies and procedures that reflect the overall vision and mission of corporate information security. This emphasis on security helps employees understand the potential risk of social engineering threats, how they can prevent successful attacks, and why their role within the security culture is vital to corporate health. Security-aware employees are better prepared to recognize and avoid rapidly changing and increasingly sophisticated social engineering attacks, and are more willing to take ownership of security responsibilities.

Official security policies and procedures take the guesswork out of operations and help employees make the right security decisions. Such policies include the following:

- Password management: Guidelines such as the number and type of characters that each password must include, how often a password must be changed, and even a simple declaration that employees should not disclose passwords to anyone (even if they believe they are speaking with someone at the corporate help desk) will help secure information assets.

- Two-factor authentication: Authentication for high-risk network services such as modem pools and VPNs should use two-factor authentication rather than fixed passwords.

- Antivirus/antiphishing defenses: Multiple layers of antivirus defenses, such as at mail gateways and end-user desktops, can minimize the threat of phishing and other social engineering attacks.

- Change management: A documented change-management process is more secure than an ad hoc process, which is more easily exploited by an attacker who claims to be in a crisis.

- Information classification: A classification policy should clearly describe what information is considered sensitive and how to label and handle it.

- Document handling and destruction: Sensitive documents and media must be securely disposed of and not simply thrown out with the regular office trash.

- Physical security: The organization should have effective physical security controls such as visitor logs, escort requirements, and background checks.

Privilege Escalation Attacks

Privilege escalation is a type of attack and also a type of vulnerability. Privilege escalation is the process of taking some level of access (whether authorized or not) and achieving an even greater level of access (elevating the user’s privileges). An example is an attacker who gains user-mode access to a firewall, router, or server and then uses a brute-force attack against the system that gives him administrative access.

Backdoors

When threat actors gain access to a system, they usually want future access as well, and they want it to be easy. A backdoor application can be installed by the attacker to either allow future access or collect information to use in further attacks.

Many backdoors are installed by users clicking something without realizing that the link they clicked or the file they opened is a threat. Backdoors can also be implemented as a result of a virus, worm, or malware.

Code Execution

When threat actors gain access to a system, they also might be able to take several actions. The type of action depends on the level of access the threat actor has, or can achieve, and is based on permissions granted to the account compromised by the attacker. One of the most devastating actions available to an attacker is the ability to execute code within a device. Code execution could result in an adverse impact to the confidentiality, integrity, and availability of the system or network.

Man-in-the Middle Attacks

A man-in-the-middle attack results when attackers place themselves in line between two devices that are communicating, with the intent of performing reconnaissance or manipulating the data as it moves between the devices. This can happen at Layer 2 or Layer 3. The main purpose is eavesdropping, so the attacker can see all the traffic.

If this happens at Layer 2, the attacker sends forged ARP replies so that the hosts on a LAN believe the attacker’s MAC address is the MAC address of their default gateway (and, typically, so that the gateway believes the attacker’s MAC address belongs to the victim). This is called “ARP poisoning.” Frames that are supposed to go to the default gateway are forwarded by the switch to the attacker’s MAC address on the same network. As a courtesy, the attacker can forward the frames on to the correct destination so that the client keeps the connectivity it needs, while the attacker now sees all the data between the two devices. To mitigate this risk, you can use dynamic ARP inspection (DAI) on switches to prevent spoofing of Layer 2 addresses; DAI is covered in more detail later in this chapter.
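The following Python program is an added example, not part of the original chapter, that models in software the check a switch performs under dynamic ARP inspection: ARP replies arriving on untrusted ports are decoded and dropped unless the sender IP-to-MAC binding matches a trusted table. It also builds the forged reply an ARP poisoning tool would send. All frames, MAC addresses, IP addresses and port names are constructed for the demonstration.

```python
import struct
from ipaddress import IPv4Address

# Added example, not from the original chapter: a software model of the check
# dynamic ARP inspection performs on a switch. All frames, addresses and port
# names are constructed for the demonstration.

ETH_HDR = struct.Struct("!6s6sH")            # dst MAC, src MAC, EtherType
ARP_PKT = struct.Struct("!HHBBH6s4s6s4s")    # htype ptype hlen plen op  sha spa tha tpa
ETHERTYPE_ARP = 0x0806
ARP_REPLY = 2


def mac_bytes(text):
    return bytes.fromhex(text.replace(":", ""))


def mac_text(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_arp(frame):
    """Decode Ethernet + ARP; return None if the frame is not ARP."""
    _dst, src, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_ARP:
        return None
    (_htype, _ptype, _hlen, _plen, op,
     sha, spa, tha, tpa) = ARP_PKT.unpack_from(frame, ETH_HDR.size)
    return {"eth_src": mac_text(src), "op": op,
            "sender_mac": mac_text(sha), "sender_ip": str(IPv4Address(spa)),
            "target_mac": mac_text(tha), "target_ip": str(IPv4Address(tpa))}


def build_arp_reply(eth_src, sender_mac, sender_ip, target_mac, target_ip):
    """Craft an ARP reply the way a poisoning tool does (every field is attacker-chosen)."""
    eth = ETH_HDR.pack(mac_bytes(target_mac), mac_bytes(eth_src), ETHERTYPE_ARP)
    arp = ARP_PKT.pack(1, 0x0800, 6, 4, ARP_REPLY,
                       mac_bytes(sender_mac), IPv4Address(sender_ip).packed,
                       mac_bytes(target_mac), IPv4Address(target_ip).packed)
    return eth + arp


class ArpInspector:
    """Forward or drop ARP on untrusted ports based on a trusted IP-to-MAC table."""

    def __init__(self, bindings, trusted_ports=()):
        self.bindings = bindings              # {ip: mac}, e.g. from DHCP snooping or an ARP ACL
        self.trusted_ports = set(trusted_ports)
        self.log = []

    def inspect(self, port, frame):
        if port in self.trusted_ports:        # trusted (switch-to-switch) ports are not inspected
            return "forward"
        arp = parse_arp(frame)
        if arp is None:                       # DAI applies to ARP only
            return "forward"
        reason = None
        if arp["eth_src"] != arp["sender_mac"]:
            reason = "Ethernet source MAC differs from ARP sender MAC"
        elif self.bindings.get(arp["sender_ip"]) != arp["sender_mac"]:
            reason = f"no binding for {arp['sender_ip']} -> {arp['sender_mac']}"
        if reason:
            self.log.append(f"DAI drop on {port}: {reason}")
            return "drop"
        return "forward"


def demo():
    """Gateway 10.1.10.1 is really 00:11:22:33:44:01; the host on Gi1/0/7 claims to be it."""
    bindings = {"10.1.10.1": "00:11:22:33:44:01",    # gateway, learned via uplink
                "10.1.10.50": "00:11:22:33:44:50",   # victim
                "10.1.10.77": "aa:bb:cc:dd:ee:77"}   # attacker's legitimate lease
    dai = ArpInspector(bindings, trusted_ports=["Gi1/0/48"])
    victim_mac, victim_ip = "00:11:22:33:44:50", "10.1.10.50"
    gw, atk = "00:11:22:33:44:01", "aa:bb:cc:dd:ee:77"
    legit = build_arp_reply(gw, gw, "10.1.10.1", victim_mac, victim_ip)
    honest = build_arp_reply(atk, atk, "10.1.10.77", victim_mac, victim_ip)
    poison = build_arp_reply(atk, atk, "10.1.10.1", victim_mac, victim_ip)
    return {
        "legit_from_uplink": dai.inspect("Gi1/0/48", legit),
        "honest_from_host": dai.inspect("Gi1/0/7", honest),
        "poison_from_host": dai.inspect("Gi1/0/7", poison),
        "poison_from_uplink": dai.inspect("Gi1/0/48", poison),  # trusted ports bypass DAI
        "log": dai.log,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The last case in demo() is the caveat to remember when deploying DAI: a frame arriving on a trusted port is never inspected, so trust must be configured only on ports that lead to other switches, never on ports where an end host could be plugged in.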

The attacker could also implement the attack by placing a switch into the network and manipulating the Spanning Tree Protocol (STP) to become the root switch (and thus gain the ability to see any traffic that needs to be sent through the root switch).

A man-in-the-middle attack can occur at Layer 3 by placing a rogue router on the network and then tricking the other routers into believing that this new router has a better path. This could cause network traffic to flow through the rogue router and again allow the attacker to steal network data. You can mitigate attacks such as these in various ways, including using routing authentication protocols and filtering information from being advertised or learned on specific interfaces.

A man-in-the-middle attack can also be carried out by compromising the victim’s machine and installing malware that intercepts the packets the victim sends and forwards copies of them to the attacker. Because such malware runs on the endpoint itself, it can capture the data before it is encrypted, so SSL/TLS/HTTPS or any other transport encryption does not protect the victim in this case.

To safeguard data in motion, one of the best things you can do is to use encryption for the confidentiality of the data in transit. If you use plaintext protocols for management, such as Telnet or HTTP, an attacker who has implemented a man-in-the-middle attack can see the contents of your cleartext data packets, and as a result will see everything that goes across his device, including usernames and passwords that are used. Using management protocols that have encryption built in, such as Secure Shell (SSH) and Hypertext Transfer Protocol Secure (HTTPS), is considered a best practice, and using VPN protection for cleartext sensitive data is also considered a best practice.

Denial-of-Service Attacks

Denial-of-service (DoS) and distributed DoS (DDoS) attacks have been around for quite some time now, but there has been heightened awareness of them over the past few years. DDoS attacks can generally be divided into the following three categories:

- Direct DDoS attacks

- Reflected DDoS attacks

- Amplification DDoS attacks

Direct DDoS

Direct DDoS attacks occur when the source of the attack generates the packets, regardless of protocol, application, and so on, that are sent directly to the victim of the attack.

Figure 13-1 illustrates a direct DDoS attack.

An attacker representing a host sends numerous TCP SYN packets to a web server (victim) through a router, Internet, and another router.

Figure 13-1 Direct DDoS Attack

In Figure 13-1, the attacker launches a direct DoS to a web server (the victim) by sending numerous TCP SYN packets. This type of attack is aimed at flooding the victim with an overwhelming number of packets, oversaturating its connection bandwidth or depleting the target’s system resources. This type of attack is also known as a “SYN flood attack.”

Cyber criminals also can use DDoS attacks to produce added costs to the victim when the victim is using cloud services. In most cases, when you use a cloud service such as Amazon Web Services (AWS), you pay per usage. Attackers can launch DDoS to cause you to pay more for usage and resources.

Another type of DoS is caused by exploiting vulnerabilities such as buffer overflows to cause a server or even network infrastructure device to crash, subsequently causing a denial-of-service condition.

Botnets Participating in DDoS Attacks

Many attackers use botnets to launch DDoS attacks. A botnet is a collection of compromised machines that the attacker can manipulate from a command and control (CnC) system to participate in a DDoS, send spam emails, and perform other illicit activities. Figure 13-2 shows how a botnet is used by an attacker to launch a DDoS attack.

An attacker sends instructions to CNC and the CNC sends instructions to bots within the botnet representing a collection of compromised machines. Machines of the botnet are connected to the web server (victim) through Internet and a router.

Figure 13-2 Botnets and a DDoS Attack

In Figure 13-2, the attacker sends instructions to the CnC; subsequently, the CnC sends instructions to the bots within the botnet to launch the DDoS attack against the victim.

Reflected DDoS Attacks

Reflected DDoS attacks occur when the sources of the attack are sent spoofed packets that appear to be from the victim, and then the sources become unwitting participants in the DDoS attacks by sending the response traffic back to the intended victim. UDP is often used as the transport mechanism because it is more easily spoofed due to the lack of a three-way handshake. For example, if the attacker (A) decides he wants to attack a victim (V), he will send packets (for example, Network Time Protocol [NTP] requests) to a source (S) that thinks these packets are legitimate. The source then responds to the NTP requests by sending the responses to the victim, who was never expecting these NTP packets from the source (see Figure 13-3).

Reflected DDoS attacks are depicted.

Figure 13-3 Reflected DDoS Attacks

An amplification attack is a form of reflected attack in which the response traffic (sent by the unwitting participant) is made up of packets that are much larger than those that were initially sent by the attacker (spoofing the victim). An example of this is when DNS queries are sent and the DNS responses are much larger in packet size than the initial query packets. The end result is that the victim’s machine gets flooded by large packets for which it never actually issued queries.

Attack Methods for Data Exfiltration

There are many different attack methods for data exfiltration. One of the most popular is to use DNS tunneling. Cisco is seeing it used more and more for malware-based data exfiltration out of enterprise networks. An example of this technique is described in detail in a Cisco Talos post at http://blog.talosintel.com/2016/06/detecting-dns-data-exfiltration.xhtml.

Attackers can encapsulate chunks of data into DNS packets to steal sensitive information such as personally identifiable information (PII), credit card numbers, and much more. Each DNS query carries a piece of the stolen data encoded in the subdomain labels of a domain the attacker controls, and the attacker’s authoritative name server simply records what arrives. The following are a few examples of DNS tunneling tools used by attackers to exfiltrate data:

- DNS2TCP: Uses the KEY and TXT DNS record types. More information can be found at http://www.aldeid.com/wiki/Dns2tcp.

- DNScat-P: Uses the A and CNAME DNS record types. More information can be found at http://tadek.pietraszek.org/projects/DNScat/.

- Iodine Protocol v5.00: Uses the NULL DNS record type. More information can be found at http://code.kryo.se/iodine/.

- Iodine Protocol v5.02: Uses the A, CNAME, MX, NULL, SRV, and TXT DNS record types. More information can be found at http://code.kryo.se/iodine/.

- OzymanDNS: Uses the A and TXT DNS record types. More information can be found at http://dankaminsky.com/2004/07/29/51/.

- SplitBrain: Uses the A and TXT DNS record types. More information can be found at http://www.splitbrain.org/blog/2008-11/02-dns_tunneling_made_simple.

- TCP-Over-DNS: Uses the CNAME and TXT DNS record types. More information can be found at http://www.sans.org/reading-room/whitepapers/dns/detecting-dns-tunneling-34152.

- YourFreedom: Uses the NULL DNS record type. More information can be found at http://your-freedom.net/.

There are many other tools and DNS tunneling techniques. The following is a good reference that includes many additional types of tools and DNS exfiltration attacks:

https://www.sans.org/reading-room/whitepapers/dns/detecting-dns-tunneling-34152

DNS tunneling may be detected by analyzing the DNS packet payload or by using traffic analysis such as byte count and frequency of the DNS requests.
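The following Python program is an added example, not part of the original chapter or of the Talos post it cites, showing the traffic-analysis approach described above applied to DNS query logs. It groups queries by registered domain and flags domains whose subdomain labels are long, high-entropy and almost never repeated, which is what encoded payload looks like and what ordinary name lookups do not. The log lines are constructed for the example, exfil.example is a placeholder domain, and the thresholds are starting points that would be tuned against real baseline traffic.

```python
import math
from collections import defaultdict
from hashlib import sha256

# Added example, not from the chapter or the Talos post it cites. The features
# (long, high-entropy labels; many unique subdomains per registered domain) are
# the traffic-analysis signals the text describes. All log lines are constructed,
# and exfil.example is a placeholder, not a real tunnel endpoint.

BENIGN = [
    "1473175200 10.1.10.50 www.example.com A",
    "1473175201 10.1.10.50 mail.example.com A",
    "1473175203 10.1.10.52 cdn.example.com A",
    "1473175204 10.1.10.52 www.example.org AAAA",
    "1473175205 10.1.10.53 _ldap._tcp.corp.example.org SRV",
]


def _constructed_tunnel_lines(n=30):
    """Emulate a tunnel client: every query carries a hex chunk of 'data' as a label."""
    lines = []
    for i in range(n):
        chunk = sha256(f"chunk-{i}".encode()).hexdigest()[:48]   # stands in for encoded stolen data
        lines.append(f"{1473175210 + i} 10.1.10.60 {chunk}.t.exfil.example TXT")
    return lines


LOG = BENIGN + _constructed_tunnel_lines()


def registered_domain(qname):
    """Last two labels. Production code should use the Public Suffix List instead."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def subdomain(qname):
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[:-2])


def shannon_entropy(text):
    """Bits per character; hex/base32 payload scores far above words like 'www' or 'mail'."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def summarize(lines):
    """Per registered domain: query count, unique-subdomain ratio, mean label length and entropy."""
    stats = defaultdict(lambda: {"queries": 0, "subdomains": set(), "length": 0.0, "entropy": 0.0})
    for line in lines:
        _ts, _client, qname, _qtype = line.split()
        dom, sub = registered_domain(qname), subdomain(qname)
        s = stats[dom]
        s["queries"] += 1
        s["subdomains"].add(sub)
        s["length"] += len(sub)
        s["entropy"] += shannon_entropy(sub.replace(".", ""))
    out = {}
    for dom, s in stats.items():
        q = s["queries"]
        out[dom] = {"queries": q, "unique_ratio": len(s["subdomains"]) / q,
                    "mean_len": s["length"] / q, "mean_entropy": s["entropy"] / q}
    return out


def detect_tunneling(lines, min_queries=20, min_len=30, min_entropy=3.0, min_unique=0.9):
    """Flag domains whose query stream looks like encoded payload rather than name lookups.

    Thresholds are illustrative; a CDN with hashed hostnames can look similar, so in
    practice the result is a lead for an analyst, to be combined with record-type
    mix (TXT/NULL heavy), query rate and whether the domain is newly seen.
    """
    flagged = set()
    for dom, f in summarize(lines).items():
        if (f["queries"] >= min_queries and f["unique_ratio"] >= min_unique
                and f["mean_len"] >= min_len and f["mean_entropy"] >= min_entropy):
            flagged.add(dom)
    return flagged


if __name__ == "__main__":
    for dom, f in summarize(LOG).items():
        print(f"{dom:16s} queries={f['queries']:3d} unique={f['unique_ratio']:.2f} "
              f"len={f['mean_len']:5.1f} entropy={f['mean_entropy']:.2f}")
    print("flagged:", detect_tunneling(LOG))
```

The payload-inspection alternative mentioned in the text (decoding the labels themselves) catches tools that use a recognizable encoding, but it is defeated by encryption inside the tunnel; the statistical features above survive that because they describe the shape of the traffic rather than its content.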

ARP Cache Poisoning

Threat actors can attack hosts, switches, and routers connected to your Layer 2 network by poisoning the ARP caches of systems on the subnet and intercepting traffic intended for other hosts on that subnet. Cisco switches support a feature called “dynamic ARP inspection” (DAI) that validates ARP packets and intercepts, logs, and discards ARP packets with invalid IP-to-MAC address bindings. This feature protects the network from the ARP-based man-in-the-middle attacks described earlier in this chapter. DAI ensures that only valid ARP requests and responses are relayed by performing the following:

- Intercepting all ARP requests and responses on untrusted ports. Host-facing ports are untrusted by default; ports toward other switches are configured as trusted and are not inspected.

- Verifying that each intercepted packet has a valid IP-to-MAC address binding before updating the local ARP cache or forwarding the packet to the destination host.

- Dropping invalid ARP packets and logging them.

- Determining whether an ARP packet is valid based on the IP-to-MAC address bindings stored in a trusted database, the “DHCP snooping binding database,” which is built by watching DHCP exchanges. DAI therefore depends on DHCP snooping being enabled on the same VLANs.

On Cisco IOS switches, you can enable dynamic ARP inspection on a per-VLAN basis with the ip arp inspection vlan vlan-range global configuration command. In environments without DHCP configured, dynamic ARP inspection can validate ARP packets against user-configured ARP access control lists (ACLs) for hosts with statically configured IP addresses. You can use the arp access-list acl-name global configuration command to define the ACL.
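The following Cisco IOS configuration is an added example, not taken from the chapter, that puts the commands above together for one access VLAN: DHCP snooping supplies the binding database, DAI is enabled on the VLAN, an ARP ACL covers a printer with a static address, the uplink is trusted so that gateway ARP is not inspected, and the host ports are rate-limited. VLAN 10, the interface names, the printer’s address and MAC address, and the ACL name are assumed values.

```text
! Added example; VLAN, interface names, addresses and ACL name are assumptions.
ip dhcp snooping
ip dhcp snooping vlan 10
!
! Static host that never uses DHCP, so it is not in the snooping database
arp access-list STATIC-HOSTS
 permit ip host 10.1.10.200 mac host 0011.2233.4499
!
ip arp inspection vlan 10
ip arp inspection filter STATIC-HOSTS vlan 10
! Also check that Ethernet source/destination MACs agree with the ARP body
ip arp inspection validate src-mac dst-mac ip
!
interface GigabitEthernet1/0/48
 description Uplink to distribution switch (other switches, DHCP server)
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
interface range GigabitEthernet1/0/1 - 47
 description User access ports: untrusted, inspected, rate-limited
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 ip arp inspection limit rate 15
```

Verify with show ip arp inspection vlan 10 and show ip arp inspection statistics vlan 10; a host port that exceeds the rate limit is error-disabled, so the limit should sit above the legitimate ARP rate of anything that will be connected (a busy server, for instance) rather than at the default.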

The following are some additional Layer 2 security best practices for securing your infrastructure:

- Select an unused VLAN (other than VLAN 1) and use that as the native VLAN for all your trunks. Do not use this native VLAN for any of your enabled access ports.

- Avoid using VLAN 1 anywhere, because it is the default.

- Administratively configure switch ports as access ports so that users cannot negotiate a trunk, and disable the negotiation of trunking (no Dynamic Trunking Protocol [DTP]).

- Limit the number of MAC addresses learned on a given port with the port security feature.

- Control spanning tree to stop users or unknown devices from manipulating it. You can do so by using the BPDU Guard and Root Guard features.

- Turn off Cisco Discovery Protocol (CDP) on ports facing untrusted or unknown networks that do not require CDP for anything positive. (CDP operates at Layer 2 and may provide attackers information you would rather not disclose.)

- On a new switch, shut down all ports and assign them to a VLAN that is not used for anything other than a parking lot. Then bring up the ports and assign correct VLANs as the ports are allocated and needed.

Several other Layer 2 security features can be used to protect your infrastructure:

- Port Security: Limits the number of MAC addresses that can be learned on an access switch port.

- BPDU Guard: If BPDUs show up on a port where they should not (an access port configured for PortFast), the switch error-disables that port to protect the spanning tree topology.

- Root Guard: Prevents a port from becoming a root port. If a superior BPDU arrives on a Root Guard port, the port is placed in a root-inconsistent (blocked) state until those BPDUs stop, so a rogue switch cannot take over as root.

- Dynamic ARP inspection: This feature was covered earlier in this section.

- IP Source Guard: Prevents hosts from spoofing Layer 3 (IP source address) information, using the same DHCP snooping binding database as DAI.

- 802.1X: Authenticates and authorizes users or devices before allowing them to communicate with the rest of the network.

- DHCP snooping: Prevents rogue DHCP servers from impacting the network by permitting DHCP server messages only on trusted ports.

- Storm control: Limits the amount of broadcast, multicast or unknown-unicast traffic flowing through the switch.

- Access control lists: Layer 3 and Layer 2 ACLs for traffic control and policy enforcement.

Spoofing Attacks

A spoofing attack is when an attacker impersonates another device to execute an attack. The following are a few examples of spoofing attacks:

- IP address spoofing attack: The attacker sends IP packets from a fake (or “spoofed”) source address in order to disguise the true origin. Direct DDoS attacks typically use IP spoofing to make the flood appear to come from many legitimate source addresses, and reflected attacks spoof the victim’s address so that the replies land on the victim.

- ARP spoofing attack: The attacker sends spoofed ARP packets across the Layer 2 network in order to link the attacker’s MAC address with the IP address of a legitimate host. The best practices covered in the previous section help mitigate ARP spoofing attacks.

- DNS server spoofing attack: The attacker forges DNS responses or poisons a resolver’s cache so that a specific domain name resolves to an IP address the attacker controls. DNS spoofing attacks are typically used to redirect users to sites that spread malware or harvest credentials.

Route Manipulation Attacks

There are different route manipulation attacks, but one of the most common is the BGP hijacking attack. BGP is a dynamic routing protocol used to route Internet traffic. The BGP hijacking attack can be launched by an attacker by configuring or compromising an edge router to announce prefixes that have not been assigned to his or her organization. If the malicious announcement contains a route that is more specific than the legitimate advertisement or presents a shorter path, the victim’s traffic may be redirected to the attacker. In the past, threat actors have leveraged unused prefixes for BGP hijacking in order to avoid attention from the legitimate user or organization.

Password Attacks

The following are a few examples of the most common password attacks:


- Password-guessing attack: This is the most common type of password attack, but some of these techniques may be very inefficient. Threat actors can guess passwords locally or remotely using either a manual or automated approach. Several tools can automate the process of password guessing, such as the following:

  - Hydra: http://www.thc.org

  - TSGrinder: http://www.hammerofgod.com/download.htm

  - SQLRecon: http://www.sqlsecurity.com/DesktopDefault.aspx?tabid=26

These automated password attack tools and crackers leverage different techniques. Some use a method called “the brute-force attack,” where the attacker tries every possible combination of characters for a password. Another technique they use is a password-guessing attack called a “dictionary attack.” Because most passwords consist of whole words, dates, and numbers, these tools use a dictionary of words, phrases, and even the most commonly used passwords (such as qwerty, password1, and so on). Other tools such as John the Ripper (http://www.openwall.com/john) and Cain & Abel (http://www.oxid.it) can take a hybrid approach from brute-force and dictionary attacks.

• Password-resetting attack: In many cases, it is easier to reset passwords than to use tools to guess them. Several cracking tools just attempt to reset passwords. In most cases, the attacker boots from a floppy disk or CD-ROM to get around the typical Windows protections. Most password resetters contain a bootable version of Linux that can mount NTFS volumes and help the attacker locate and reset the administrator’s password.

• Password cracking: These attacks work by taking a password hash and recovering its plaintext original. In this case, the attacker needs tools such as extractors for hash guessing, rainbow tables for looking up plaintext passwords, and password sniffers to extract authentication information. The concept of rainbow tables is that the attacker computes possible passwords and their hashes for a given system and puts the results into a lookup table called a “rainbow table.” This allows an attacker to obtain a hash from the victim system and then simply search for that hash in the rainbow table to get the plaintext password. To mitigate rainbow table attacks, you can disable LM hashes and use long and complex passwords.

• Password sniffing: The threat actor sniffs authentication packets between a client and server and extracts password hashes or enough authentication information to begin the cracking process.

• Password capturing: This is typically done by using key loggers or Trojan horses.

Wireless Attacks

The following are a few examples of wireless-specific attacks:

• Installing a rogue access point: The attacker installs an access point and can use it as a backdoor to obtain access to the network and its systems.

• Jamming wireless signals and causing interference: The purpose of this attack is to cause a full or partial denial-of-service condition in the wireless network.

• Evil twin attack: This is done when the attacker is trying to create rogue access points so as to gain access to the network or steal information. Basically, the attacker purchases a wireless access point, plugs it into the network, and configures it exactly the same as the existing network.

• War driving: This is a methodology used by attackers to find wireless access points wherever they may be. The term war driving is used because the attacker can simply drive around and gather a large amount of information over a very short period of time.

• Bluejacking: The attacker sends unsolicited messages to another device via Bluetooth.

• IV attack: The attacker modifies the initialization vector (IV) of a wireless packet that is encrypted during transmission. The goal of the attacker is to learn a lot about the plaintext of a single packet and derive a key that can then be used to decrypt other packets using the same IV.

• WEP/WPA attack: WEP and several versions of WPA are susceptible to different vulnerabilities and are considered weak.

• WPS attack: This attack is carried out with WPS password-guessing tools to obtain the WPS passwords and use them to gain access to the network and its data.

Types of Vulnerabilities

Understanding the weaknesses and vulnerabilities in a system or network is a huge step toward correcting these vulnerabilities or putting in appropriate countermeasures to mitigate threats against them. Potential network vulnerabilities abound, with many resulting from one or more of the following:

• Policy flaws

• Design errors

• Protocol weaknesses

• Misconfiguration

• Software vulnerabilities

• Human factors

• Malicious software

• Hardware vulnerabilities

• Physical access to network resources

Cisco and others have created databases that categorize threats in the public domain. The Common Vulnerabilities and Exposures (CVE) is a dictionary of publicly known security vulnerabilities and exposures. A quick search using your favorite search engine will lead you to the website. Also, the National Vulnerability Database (NVD) is a repository of standards-based vulnerability information; you can do a quick search for it, too. (URLs change over time, so it is better to advise you to just do a quick search and click any links that interest you.)

The following are examples of the most common types of vulnerabilities:

• API abuse: These are vulnerabilities that allow attacks against flaws in application programming interfaces (APIs).

• Authentication and authorization bypass vulnerabilities: These vulnerabilities are used to bypass the authentication and authorization mechanisms of systems within a network.

• Buffer overflow: A buffer overflow occurs when a program or software puts more data in a buffer than it can hold or when a program tries to put data in a memory location past a buffer. When this happens, data written outside the bounds of the allocated block of memory can corrupt other data or crash the program or operating system. In a worst-case scenario, this could lead to the execution of malicious code. There is a wide variety of ways buffer overflows can occur and, unfortunately, many of the techniques commonly used to prevent them are themselves error prone.

A buffer overflow vulnerability typically involves memory manipulation functions in languages such as C and C++, where the program does not perform bounds checking and can easily write past the allocated bounds of a buffer. A perfect example is the strncpy() function, which can cause vulnerabilities when used incorrectly.

Let’s take a look at Figure 13-4, where the sample code shows a buffer that includes a small chunk of data (HELLO WORLD).

Figure 13-4 A Buffer Example

An attacker can take advantage of this vulnerability and send data that can put data in a memory location past that buffer, as shown in Figure 13-5.

Figure 13-5 A Buffer Overflow

In Figure 13-5, the attacker sent data (EVERY WORLD) that was more than the buffer could hold, causing it to write into the adjacent memory location. Of course, this example is a very simplistic one, but it represents how an attacker could then write instructions to the system and potentially achieve local or remote code execution. In several of these attacks, the attacker writes “shellcode” to invoke instructions and manipulate the system.
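The strncpy() misuse mentioned above, placed beside a bounds-checked copy, as an added example that is not from the book. The buffer size, the function names and the oversized input string are constructed for this illustration; "HELLO WORLD" is the figure's own sample data.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 12  /* constructed: "HELLO WORLD" (11 chars) plus the terminating NUL */

/* Pitfall version: strncpy() copies at most bufsize bytes and adds NO
 * terminator when the source is bufsize bytes or longer, so a later
 * strlen()/printf() on buf reads past its end. (The other classic misuse,
 * strncpy(buf, src, strlen(src)), bounds the copy by the SOURCE length and
 * overflows outright; it is not executed here.)
 * Returns 1 when buf ended up NUL-terminated, 0 when it did not. */
int strncpy_pitfall(char *buf, size_t bufsize, const char *src) {
    strncpy(buf, src, bufsize);        /* bounded, but possibly unterminated */
    return buf[bufsize - 1] == '\0';   /* in-bounds read, used only to show the flaw */
}

/* Hardened version: measure the source first, refuse anything that would not
 * fit together with its NUL, and leave buf untouched when refusing.
 * Returns the number of bytes copied, or -1 if the input was rejected. */
int bounded_copy(char *buf, size_t bufsize, const char *src) {
    size_t len = strlen(src);
    if (bufsize == 0 || len >= bufsize)  /* no room for the data plus its NUL */
        return -1;
    memcpy(buf, src, len + 1);           /* copies the terminator as well */
    return (int)len;
}

/* Wrappers that run each version against a fresh BUF_SIZE buffer. */
int pitfall_terminated(const char *src) {
    char buf[BUF_SIZE];
    return strncpy_pitfall(buf, sizeof buf, src);
}
int bounded_result(const char *src) {
    char buf[BUF_SIZE] = "HELLO WORLD";   /* pre-existing contents, as in Figure 13-4 */
    int n = bounded_copy(buf, sizeof buf, src);
    if (n < 0 && strcmp(buf, "HELLO WORLD") != 0)
        return -2;                        /* rejected input must not touch buf */
    return n;
}

int main(void) {
    const char *big = "EVERY WORLD AND THEN SOME";   /* constructed oversized input */
    printf("fits:    pitfall=%d bounded=%d\n",
           pitfall_terminated("HELLO WORLD"), bounded_result("HELLO WORLD"));
    printf("too big: pitfall=%d bounded=%d\n",
           pitfall_terminated(big), bounded_result(big));
    return 0;
}
```

With the fitting input both versions report success (1 and 11); with the oversized input the pitfall version leaves the buffer unterminated (0) while the hardened version rejects it (-1) and keeps the old contents.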

• Cross-site scripting (XSS) vulnerability: A type of web application vulnerability where malicious scripts are injected into legitimate and trusted websites. An attacker can launch an attack against an XSS vulnerability using a web application to send malicious code (typically in the form of a browser-side script) to a different end user. XSS vulnerabilities are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it. There are several types of XSS vulnerabilities (reflected, stored, and so on). Cisco has a document that explains all the different types of XSS vulnerabilities, available at https://supportforums.cisco.com/document/13113946/what-are-cross-site-scripting-xss-vulnerabilities.

• Cross-site request forgery (CSRF) vulnerability: A vulnerability that forces an end user to execute malicious steps on a web application. This is typically done after the user is authenticated to such an application. CSRF attacks generally target state-changing requests, and the attacker cannot steal data because he or she has no way to see the response to the forged request. CSRF attacks are typically carried out in combination with social engineering.

• Cryptographic vulnerability: A vulnerability or flaw in a cryptographic protocol or its implementation.

• Deserialization of untrusted data vulnerability: A vulnerability where malformed or unexpected data is used to abuse an application’s logic, cause a DoS attack, or execute arbitrary code.

• Double free: A vulnerability typically in C, C++, and similar languages that occurs when free() is called more than once with the same memory address as an argument.

• Insufficient entropy: A vulnerability where a cryptographic application does not have proper entropy. For example, pseudo-random number generators (PRNGs) can be susceptible to insufficient entropy vulnerabilities and attacks when they are initialized.

• SQL injection vulnerability: Attackers can insert or “inject” a SQL query via the input data sent from the client to the application or database. Attackers can exploit SQL injection vulnerabilities in order to read sensitive data from the database, modify or delete database data, execute administration operations on the database, and even issue commands to the operating system.

There are many more types of vulnerabilities. OWASP provides good references to different types of vulnerabilities and how to mitigate them at https://www.owasp.org.

The OWASP Foundation is a not-for-profit charitable organization dedicated to educating organizations to “develop, acquire, operate, and maintain applications that can be trusted.” They maintain many different resources that security professionals use to learn about different attacks and vulnerabilities, and how to protect against them.

Exam Preparation Tasks

Review All Key Topics

Review the most important topics in the chapter, noted with the Key Topic icon in the outer margin of the page. Table 13-2 lists these key topics and the page numbers on which each is found.

Table 13-2 Key Topics

Key Topic Element   Description                                                          Page
List                Different types of port and network scanning techniques              502
Summary             What is phishing, pharming, and malvertising?                        505
Summary             What are privilege escalation attacks?                               506
Summary             What are backdoors?                                                  506
Summary             What are man-in-the-middle attacks?                                  506
Summary             What are direct, reflected, and amplification DDoS attacks?          507
Summary             What are botnets?                                                    508
Summary             What is DNS tunneling and how is it used for data exfiltration?      510
Summary             What is ARP cache poisoning?                                         511
List                Different types of password attacks                                  513
Summary             Defining and understanding different types of security vulnerabilities  514
Summary             What are buffer overflows?                                           515
Summary             What is XSS?                                                         516
Summary             What is CSRF?                                                        516
Summary             What are SQL injection vulnerabilities?                              517
Summary             What is OWASP?                                                       517

Define Key Terms

Define the following key terms from this chapter, and check your answers in the glossary:

SQL injection

CSRF

XSS

buffer overflow

war driving

rainbow tables

DNS tunneling

botnet

backdoors

Q&A

The answers to these questions appear in Appendix A, “Answers to the ‘Do I Know This Already?’ Quizzes and Q&A Questions.” For more practice with exam format questions, use the exam engine on the website.

1. Which of the following describes a rainbow table?

a. An attacker creates a table of mathematical calculations that can be used to perform cryptanalysis of encryption algorithms.

b. An attacker creates a table of mathematical calculations that can be used to perform cryptanalysis of hashing algorithms.

c. An attacker computes possible passwords and their hashes in a given system and puts the results into a lookup table.

d. An attacker computes possible hashing algorithms used in an encrypted channel and puts the results into a lookup table.

2. Which of the following is a methodology used by attackers to find wireless access points wherever they may be?

a. War driving

b. Wireless LWAP scanning

c. Wireless driving

d. Wireless Aironet scanning

3. Which of the following is a type of web application vulnerability where malicious scripts are injected into legitimate and trusted websites?

a. Buffer overflow

b. Cross-site scripting (XSS)

c. Cross-site injection (XSI)

d. SQL injection

4. Which of the following is a type of vulnerability that attackers can exploit to read sensitive data from the database, modify or delete database data, execute administration operations on the database, and even issue commands to the operating system?

a. SQL injection

b. SQL buffer overflow

c. SQL drop

d. SQL bomb

5. Which one of the following attacks results when attackers place themselves in line between two devices that are communicating, with the intent of performing reconnaissance or manipulating the data as it moves between the devices?

a. Man-in-the-path

b. Man-in-the-middle

c. Routing protocol attacks

d. Routing injection attacks

6. Which of the following is a type of vulnerability where an attacker can use or cause malformed data or unexpected data to abuse an application’s logic, cause a DoS attack, or execute arbitrary code?

a. Deserialization of untrusted data

b. Serialization of untrusted data

c. Deserialization of encrypted data

d. Serialization of encrypted data

7. Which of the following is a type of vulnerability that describes when a program or software puts more data in a buffer than it can hold or when a program tries to put data in a memory location past a buffer?

a. Buffer deserialization

b. Buffer injection

c. Cross-site buffer injection

d. Buffer overflow

8. What type of attack is done when the attacker tries to create rogue access points so as to gain access to the network or steal information?

a. SSID injection

b. Evil twin

c. War driving

d. LWAP injection

9. Which of the following is an attack where threat actors can attack hosts, switches, and routers connected to your Layer 2 network by poisoning the ARP caches of systems connected to the subnet and by intercepting traffic intended for other hosts on the subnet?

a. ARP cache injection

b. ARP cache poisoning

c. DHCP snooping

d. ARP snooping

10. Cisco switches support a feature that validates ARP packets and intercepts, logs, and discards ARP packets with invalid IP-to-MAC address bindings. What is this feature called?

a. DHCP cache snooping

b. ARP cache poisoning

c. ARP cache snooping

d. Dynamic ARP inspection