6. Identifying Advanced Attacks

Comparing Common Attacks

  • Spoofing
    • Digital impersonation: forging an identity such as an IP address, MAC address, or email sender
    • Email spoofing, for example, forges the “From” address so a message appears to come from someone else
  • DoS vs. DDoS
    • The difference is how many hosts are attacking: a DoS comes from a single source, a DDoS from many (typically a botnet)
    • The goal is to make the target burn enough resources (bandwidth, CPU, connection table) that it can’t serve real users
    • Indicated by sustained, abnormally high traffic
    • Smurf Attacks
      • Sends an ICMP echo request (ping) to a directed broadcast address with the source spoofed to the victim’s IP
      • Every host on that subnet replies to the victim, so one packet in becomes many packets out (amplification)
      • Most routers block directed broadcasts by default, which keeps their networks from being used as amplifiers
    • SYN Flood Attacks
      • Abuse the TCP three-way handshake: send swarms of SYNs, receive the SYN-ACKs, but never send the final ACK
      • Each half-open connection holds a slot in the server’s backlog; once it fills, most servers stop accepting new connections until the half-open entries time out
      • Some servers just crash
      • Flood Guards
        • Use a variety of means to prevent floods
        • Can detect the attacker’s IP and block it (less useful when the SYN source addresses are spoofed)
        • Can shorten the timeout for the missing ACK so half-open entries expire faster
        • SYN cookies let the server avoid allocating connection state until the final ACK actually arrives
  • Xmas Attacks
    • A port scan (recon, not a DoS) used to fingerprint an OS
    • Sets the FIN, PSH, and URG flags together in the TCP header, so the packet is “lit up like a Christmas tree”; that combination never occurs in a normal handshake
    • How the host responds (RST, silence, or an odd reply) reveals details about its TCP stack and therefore its OS
    • Many IDS and IPS detect this
  • Man-in-the-Middle Attacks (MITM)
    • Active interception or eavesdropping
    • The attacker sits between two parties, relays both streams of traffic, and can read or modify them (including injecting malicious code)
    • Mutual authentication (as in Kerberos) thwarts it, because each side proves its identity to the other
  • Replay Attacks
    • Capture the authentication data exchanged between two parties, then resend it later to impersonate one of them
    • Timestamps and sequence numbers thwart this, because a captured message is stale or out of order by the time it is replayed
    • Kerberos uses timestamps
  • Password Attacks
    • Attempts to discover or bypass passwords
    • Online Password Attack
      • Guesses are submitted to the live system (a login form, SSH, etc.), so lockouts and rate limiting apply
    • Offline Password Attack
      • Capture a password database or a packet capture and crack it on the attacker’s own hardware, where nothing throttles the guesses
      • WPA cracking (capturing the handshake, then cracking it offline) is an example
    • Brute Force Attack
      • Tries every possible combination; defend with complex passwords (which make the search space huge) and account lockout policies (which stop online guessing)
    • Dictionary Attack
      • Tries a list of common words and known passwords first, since most people pick easy ones
    • Password Hash
      • Attack the stored hash of a password rather than the password itself
      • Websites such as MD5 Online don’t reverse the hash; they look it up in a huge table of already-computed hashes, which only works for unsalted hashes of common inputs
    • Birthday Attacks
      • Named after the birthday paradox in probability theory: collisions turn up far sooner than the digest length suggests
      • Finds two different inputs with the same hash (a collision); against a stored password hash the attacker only needs some input that hashes to the stored value, which is easy on weak, short hashes
      • SHA-2 produces digests of up to 512 bits (SHA-512) compared to MD5’s 128, so finding a match is vastly harder
    • Rainbow Table Attacks
      • Rather than hashing every guess individually, use large precomputed tables that map hashes back to passwords and look the stolen hash up
      • Salting defeats this: a random value (typically 16 bytes or more, not just a couple of digits) is combined with each password before hashing, so the same password hashes differently for every user and no precomputed table applies
      • Bcrypt and Password-Based Key Derivation Function 2 (PBKDF2) both salt and also iterate the hash thousands of times to slow down every guess
    • Hybrid Attacks
      • Combine dictionary words with brute-force variations (appended digits, swapped characters, etc.)
  • DNS Attacks
    • DNS Poisoning
      • Modifies or corrupts the cached DNS results on a resolver
      • If someone types google.com, they may end up somewhere else
      • DNSSEC (Domain Name System Security Extensions) signs DNS records so a resolver can verify them and discard forged answers
    • Pharming Attacks
      • Tries to corrupt the DNS server or the DNS client to redirect users to the wrong site
      • On clients, this means modifying the hosts file, which is consulted before DNS, so a fake entry for a site wins
      • This can be a prank, but it can really cause trouble
    • ARP Poisoning Attacks
      • Misleads computers about which MAC address belongs to an IP address
      • ARP has no authentication: hosts accept replies they never asked for, so it’s easy to spoof a reply
      • ARP MITM Attack
        • Send forged replies so the victim caches the attacker’s MAC for the gateway IP (and the gateway caches it for the victim); traffic flows through the attacker, who records it and forwards it along as usual
      • ARP DoS Attack
        • Spoof replies so everyone caches a bogus MAC for the default gateway
        • Nobody can communicate off the subnet
  • Typo Squatting/URL Hijacking
    • Registering domain names similar to popular ones that people often misspell
  • Watering Hole Attacks
    • Figure out which websites an org’s employees visit, then compromise those sites or redirect visitors to a malicious one
    • Often used to install RATs (remote access trojans) and get a foothold in the org
  • Zero-Day Attacks
    • Exploits a vulnerability the vendor doesn’t know about yet, so no patch exists
    • Serious until patched
    • How much it matters depends on how widely the flaw becomes known and exploited
  • Web Browser Concerns
    • Malicious Add-Ons
    • Cookies and Attachments
      • Normally only the site that set a cookie can read it, but cross-site scripting can let an attacker steal cookies and the personal info or session they carry
    • Session Hijacking
      • A stolen session cookie lets the attacker take over the logged-in session
    • Flash Cookies and LSOs
      • Cookies made by Adobe Flash Player, also known as Local Shared Objects
      • Stored in their own location, so they aren’t always cleared with the rest of the browser’s cookies
      • Used to track users discreetly, which led to a number of lawsuits
    • Arbitrary Code Execution/Remote Code Execution
      • Lets attackers run code of their choosing on a system without user consent
      • Software bugs often allow this
    • Header Manipulation Attacks
      • Manipulate flags in TCP/IP headers to change behavior, or change a session ID carried in the packet
      • A captured or guessed session ID can let an attacker take over your signed-in session
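What a flood guard or IDS actually looks at for the SYN flood and Xmas scan bullets above, as an added example (not from the original notes): the packet summaries are constructed, in a tcpdump-like one-line form, and the helper names are my own. It tracks half-open handshakes per source (a client SYN with no later ACK from that client) and flags the FIN+PSH+URG combination.

```python
from collections import Counter

# Constructed packet summaries: "<secs> <src>:<sport> > <dst>:<dport> [<flags>]".
# Flags use tcpdump-style letters: S=SYN, A=ACK, F=FIN, P=PSH, U=URG, R=RST.
SAMPLE_LOG = """\
0.00 10.0.0.5:40001 > 10.0.0.1:80 [S]
0.01 10.0.0.1:80 > 10.0.0.5:40001 [SA]
0.02 10.0.0.5:40001 > 10.0.0.1:80 [A]
1.00 203.0.113.9:1001 > 10.0.0.1:80 [S]
1.00 203.0.113.9:1002 > 10.0.0.1:80 [S]
1.01 203.0.113.9:1003 > 10.0.0.1:80 [S]
1.01 203.0.113.9:1004 > 10.0.0.1:80 [S]
1.02 203.0.113.9:1005 > 10.0.0.1:80 [S]
1.02 203.0.113.9:1006 > 10.0.0.1:80 [S]
2.00 198.51.100.7:55555 > 10.0.0.1:22 [FPU]
2.01 198.51.100.7:55555 > 10.0.0.1:80 [FPU]
2.02 198.51.100.7:55555 > 10.0.0.1:443 [FPU]
"""


def parse_line(line):
    ts, src, _, dst, flags = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return {"ts": float(ts), "src": sip, "sport": int(sport),
            "dst": dip, "dport": int(dport), "flags": set(flags.strip("[]"))}


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


XMAS = {"F", "P", "U"}  # the "Christmas tree" flag combination; never seen in a real handshake


def xmas_scans(packets):
    """(src, dport) pairs probed with FIN+PSH+URG set together."""
    return sorted({(p["src"], p["dport"]) for p in packets if p["flags"] == XMAS})


def half_open_counts(packets):
    """Half-open connections per source: a client SYN not followed by that client's ACK."""
    pending = {}
    for p in packets:
        key = (p["src"], p["sport"], p["dst"], p["dport"])
        if "S" in p["flags"] and "A" not in p["flags"]:
            pending[key] = p["src"]          # handshake started by this client
        elif "A" in p["flags"] and "S" not in p["flags"]:
            pending.pop(key, None)           # third step of the handshake arrived
    # Sources with no pending handshakes simply don't appear in the result.
    return dict(Counter(pending.values()))


def flood_sources(packets, threshold=5):
    """Sources holding at least `threshold` half-open connections: what a flood guard would block."""
    return sorted(s for s, n in half_open_counts(packets).items() if n >= threshold)
```

Blocking by source only helps when the source isn’t spoofed; a real flood usually forges its addresses, which is why shorter half-open timeouts and SYN cookies matter more than the block list.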
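The replay-attack defence above (timestamps plus something that only works once), as an added example that is not part of the original notes: both sides of the exchange are shown, the shared key and the message format are constructed for the demo, and `ReplayGuard` is my own name. A captured message is rejected the second time even though its MAC is still valid, an old message is rejected by the time window, and a modified message fails the MAC check.

```python
import hashlib
import hmac
import json
import os

# Assumption: client and server already share this key (constructed for the demo).
SHARED_KEY = b"constructed-demo-key-do-not-reuse"


def canonical(msg: dict) -> bytes:
    """Stable serialization of everything except the MAC, identical on both sides."""
    return json.dumps({k: v for k, v in msg.items() if k != "mac"}, sort_keys=True).encode()


def sign_request(key: bytes, body: str, now: int, nonce: bytes = None) -> dict:
    """Client side: bind the body to a timestamp and a one-time nonce with an HMAC."""
    msg = {"ts": int(now), "nonce": (nonce or os.urandom(8)).hex(), "body": body}
    msg["mac"] = hmac.new(key, canonical(msg), hashlib.sha256).hexdigest()
    return msg


class ReplayGuard:
    """Server side: accept each authenticated message at most once, within a time window."""

    def __init__(self, key: bytes, window: int = 30):
        self.key = key
        self.window = window
        self.seen = {}  # nonce -> timestamp, pruned once it ages out of the window

    def verify(self, msg: dict, now: int) -> str:
        expected = hmac.new(self.key, canonical(msg), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(msg.get("mac", ""), expected):
            return "bad mac"            # body, ts or nonce was tampered with
        if abs(now - msg["ts"]) > self.window:
            return "stale timestamp"    # captured long ago (or the clocks are far apart)
        # Nonces older than the window can't pass the timestamp check anyway; drop them.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.window}
        if msg["nonce"] in self.seen:
            return "replayed nonce"     # same message seen again inside the window
        self.seen[msg["nonce"]] = msg["ts"]
        return "ok"
```

Checking the MAC first matters: the timestamp and nonce are only trustworthy once you know the attacker didn’t rewrite them, and the nonce cache should only remember messages that actually authenticated.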
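The password-hash, rainbow-table and salting bullets above, worked through as an added example that is not from the original notes: the wordlist and user passwords are constructed, and the attack and hashing helpers are my own (PBKDF2 via the standard library, since bcrypt needs a third-party package). Against unsalted MD5 a precomputed table recovers the password with a single lookup and the same password always gives the same hash; with a per-user salt and iterated PBKDF2 the table is useless and every guess must be recomputed per user.

```python
import hashlib
import hmac
import os

# Constructed wordlist an attacker would precompute hashes for.
WORDLIST = ["password", "letmein", "hunter2", "qwerty", "summer2016"]


def md5_hex(password: str) -> str:
    """Unsalted MD5: the legacy scheme the notes warn about."""
    return hashlib.md5(password.encode()).hexdigest()


def build_lookup_table(words):
    """Precompute hash -> password once; this is the idea behind rainbow/lookup tables."""
    return {md5_hex(w): w for w in words}


def lookup_attack(stored_hash: str, table: dict):
    """Recover a password with a single dictionary lookup, no hashing at attack time."""
    return table.get(stored_hash)


def pbkdf2_hash(password: str, salt: bytes = None, iterations: int = 100_000) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256 stored as iterations$salt$hash."""
    if salt is None:
        salt = os.urandom(16)  # 16 random bytes per user, not "two random digits"
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{iterations}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    iterations, salt_hex, _ = stored.split("$")
    recomputed = pbkdf2_hash(password, bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(recomputed, stored)


def offline_dictionary_attack(stored: str, words):
    """The only option left against a salted hash: hash each guess with this user's salt.

    Returns (password or None, number of PBKDF2 computations spent)."""
    tries = 0
    for w in words:
        tries += 1
        if pbkdf2_verify(w, stored):
            return w, tries
    return None, tries
```

Note what salting does and doesn’t do: it kills precomputation and makes two users with the same password look different, but a weak password still falls to a dictionary attack; the iteration count is what makes each of those guesses expensive.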
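A detector for the ARP poisoning bullets above, as an added example that is not part of the original notes: the ARP replies are constructed (a real gateway, a workstation, then an attacker answering for the gateway’s IP), and `detect_arp_poisoning` and its alert wording are my own. It raises an alert when an IP’s MAC changes, or is not the static binding you configured, and when one MAC starts answering for more than one IP, which is exactly what an ARP MITM looks like on the wire.

```python
from collections import defaultdict

# Constructed ARP replies seen on the segment: (seconds, sender IP, sender MAC)
ARP_REPLIES = [
    (0, "10.0.0.1", "00:11:22:33:44:55"),   # the real default gateway
    (1, "10.0.0.5", "aa:aa:aa:aa:aa:05"),   # a workstation
    (2, "10.0.0.66", "de:ad:be:ef:00:66"),  # attacker's own box answering for itself
    (3, "10.0.0.1", "de:ad:be:ef:00:66"),   # attacker now claims the gateway's IP
]


def detect_arp_poisoning(replies, trusted=None):
    """Return alert strings for IP->MAC changes and for one MAC claiming several IPs.

    `trusted` is an optional static table (e.g. the gateway's real MAC) that a reply
    is never allowed to override; without it the first-seen binding is used instead.
    """
    trusted = dict(trusted or {})
    bindings = {}                  # learned IP -> MAC
    claimed = defaultdict(set)     # MAC -> every IP it has answered for
    alerts = []
    for ts, ip, mac in replies:
        if ip in trusted and trusted[ip] != mac:
            alerts.append(f"t={ts}: {ip} claimed by {mac}, static binding is {trusted[ip]}")
        elif ip in bindings and bindings[ip] != mac:
            alerts.append(f"t={ts}: {ip} changed from {bindings[ip]} to {mac}")
            bindings[ip] = mac     # keep following the cache so flapping shows up too
        else:
            bindings.setdefault(ip, mac)
        claimed[mac].add(ip)
        if len(claimed[mac]) > 1:  # a host legitimately has one IP per interface
            alerts.append(f"t={ts}: {mac} now claims {', '.join(sorted(claimed[mac]))}")
    return alerts
```

On a real network a static entry for the gateway (or switch features such as Dynamic ARP Inspection) is the fix; this detector only tells you it happened.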

Understanding Secure Coding Concepts

  • Input Validation
    • Checking data before using it
    • Can either strip out the malicious part or reject the whole submission (rejecting is simpler and safer)
    • Verifying proper characters: only the characters that make sense for that field, such as only digits in a US ZIP code
    • Implementing boundary or range checking: if the maximum purchase is three, only 3 or less can be submitted
    • Blocking HTML code
    • Preventing the use of certain characters, such as dash, apostrophe, and equal sign, which have meaning in SQL and scripts
  • Client-Side and Server-Side Input Validation
    • Client-side is quicker and gives the user instant feedback, but it runs in the attacker’s browser, so it can’t be trusted
    • Server-side costs a round trip, but it’s the only validation the attacker can’t bypass
    • If you disable JavaScript, or edit the request with an intercepting proxy, you can often get straight past client-side validation in a web browser
  • Avoiding Race Conditions
    • Don’t let two parts of an app, or two apps, touch a shared resource at the same time without coordination
    • Use locks or atomic operations for check-then-act sequences; the classic bug is time-of-check/time-of-use, where the resource changes between the check and the use
  • Error and Exception Handling
    • Provide user feedback when there’s an error
      • Errors shown to users should be general; don’t hand an attacker details such as stack traces or database names
      • Detailed info should be logged: debug info goes to the support team, not to the browser
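Server-side validation and error handling from the bullets above in one piece, as an added example that is not from the original notes: the order form fields (`zip`, `qty`, `comment`), the business rule that a purchase is at most three, and the `Result`/`validate_order`/`handle_order` names are my own assumptions. The user always gets the same generic message; the specifics go to a log the support team reads.

```python
import re
from dataclasses import dataclass, field

ZIP_RE = re.compile(r"\d{5}")           # US ZIP code: exactly five digits
MAX_QTY = 3                             # range check: max purchase is three
MAX_COMMENT = 200                       # length bound, so nobody posts a novel into the DB
DISALLOWED = set("-'=<>")               # characters with meaning in SQL, HTML and scripts
HTML_TAG_RE = re.compile(r"<[^>]*>")
GENERIC_ERROR = "Invalid input"         # all the user ever sees on failure


@dataclass
class Result:
    ok: bool
    user_message: str                   # generic, safe to show
    log_detail: str = ""                # specific, for the support/debug log only
    value: dict = field(default_factory=dict)


def validate_order(form: dict) -> Result:
    """Reject the whole submission on any problem rather than trying to clean it up."""
    problems = []

    zip_code = str(form.get("zip", ""))
    if not ZIP_RE.fullmatch(zip_code):                  # proper characters
        problems.append(f"zip {zip_code!r} is not five digits")

    qty_raw = str(form.get("qty", ""))
    qty = None
    try:
        qty = int(qty_raw)
        if not 1 <= qty <= MAX_QTY:                     # boundary/range check
            problems.append(f"qty {qty} outside 1..{MAX_QTY}")
    except ValueError:                                  # exception handled, not leaked
        problems.append(f"qty {qty_raw!r} is not an integer")

    comment = str(form.get("comment", ""))
    if len(comment) > MAX_COMMENT:
        problems.append(f"comment length {len(comment)} exceeds {MAX_COMMENT}")
    if HTML_TAG_RE.search(comment):                     # block HTML
        problems.append("comment contains HTML")
    bad = sorted(DISALLOWED & set(comment))             # block dangerous characters
    if bad:
        problems.append(f"comment contains disallowed characters {bad}")

    if problems:
        return Result(False, GENERIC_ERROR, "; ".join(problems))
    return Result(True, "OK", value={"zip": zip_code, "qty": qty, "comment": comment})


def handle_order(form: dict, log: list) -> str:
    """What the request handler does with the result: detail to the log, generic text to the user."""
    r = validate_order(form)
    if not r.ok:
        log.append(f"rejected order from form {form!r}: {r.log_detail}")
    return r.user_message
```

The point of the split is that an attacker probing the form learns nothing about which rule fired, while whoever reads the log sees exactly what was tried.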

Identifying Application Attacks

  • Web Servers
    • Apache: free, runs on Unix/Linux/Windows
    • Internet Information Services (IIS): Microsoft’s web server, included with Windows Server products
  • Buffer Overflows and Buffer Overflow Attacks
    • Happen when an app receives more (or differently shaped) input than the buffer it copies it into was sized for
    • The excess overwrites adjacent memory that should have been protected
    • A skilled attacker uses this to overwrite control data (such as a saved return address) so execution jumps to code they supplied
      • Landing exactly on the malicious code normally relies on educated guesses about addresses
      • NOP (no-op) instructions make this easier
        • On Intel x86 processors the one-byte opcode 0x90 is a NOP, so a run of 0x90 bytes is a NOP sled
        • If execution lands anywhere in the sled, the processor slides through the NOPs one at a time until it reaches the malicious code placed right after them
        • Overflow data: padding, then NOPs, then malicious code
    • Integer Overflow
      • Knowing the bit width the server uses to store a number tells you its maximum value; pushing a value past that limit wraps it around (or triggers an error), which can defeat length and size checks
  • Injection Attacks
    • SQL Queries and SQL Injection Attacks
      • Structured Query Language
      • SQL Queries
        • The app turns user input into a database query and returns the selected info
      • SQL Injection Attacks
        • By understanding SQL syntax, you can often inject extra clauses or commands into that query so the database returns info it’s not supposed to
        • Error handling doesn’t stop injection, but sloppy error handling helps the attacker: raw database errors reveal which DBMS is in use, table names, and whether the injected text is being parsed
        • You can also use logic that is always true, such as ' OR '1'='1, to make a WHERE clause match every row
      • Protecting Against SQL Attacks
        • Use parameterized queries (prepared statements) so user input is always treated as data, never as part of the SQL; validate the input on top of that
    • XML Injection
      • Pretty similar, but in XML
    • NoSQL vs. SQL Databases
      • NoSQL databases also store documents, graphs, and key-value pairs
      • Allows developers more storage flexibility
      • There is no single NoSQL query language; each product has its own query syntax or API
        • Attackers can learn it just the same, so NoSQL queries are also injectable
    • Cross-Site Scripting (XSS)
      • Embed malicious HTML or JavaScript in a page (via a form field, URL parameter, or error message) so it runs in other visitors’ browsers
      • A self-propagating XSS worm on Twitter once spread just by users mousing over an infected tweet
    • Cross-Site Request Forgery (XSRF)
      • Crafting URLs or forms that make a victim’s browser perform an action on a site they’re logged into, without them intending to
      • Combined with cookies that keep users logged in, this is dangerous
      • Making users re-authenticate before sensitive changes helps, as do anti-CSRF tokens
    • Directory Traversal and Command Injection
      • Directory traversal: injecting ../ sequences and absolute paths into a filename parameter to read files outside the web root
      • Command injection: injecting full system commands into a form field that the server passes to a shell
    • LDAP Injection
      • Same idea against LDAP filter syntax in directory lookups
    • Transitive Access and Client-Side Attacks
      • Uses transitive trust (the web app is trusted by the database, which is trusted by another system) to piggyback on an initial injection and reach even MORE data
    • Fuzzing
      • Using a program to send random or malformed data to an app
      • It might crash or return unexpected results, and either may reveal a vulnerability
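The SQL injection bullets above, as an added example that is not from the original notes: a vulnerable login beside its parameterized fix, against an in-memory SQLite table constructed for the demo (plaintext passwords in the table are deliberate so the classic `' OR '1'='1` payload in the password field can be shown; real apps hash them). The function names are my own. The vulnerable version also shows the error-leak point: a lone quote produces a database error whose text tells the attacker the engine is SQLite.

```python
import sqlite3


def make_db():
    """Constructed users table; plaintext passwords only to keep the injection demo short."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("admin", "S3cret!"), ("alice", "wonderland")])
    return conn


def vulnerable_login(conn, username, password):
    """String concatenation: user input becomes part of the SQL itself."""
    sql = (f"SELECT username FROM users "
           f"WHERE username = '{username}' AND password = '{password}'")
    return [row[0] for row in conn.execute(sql)]


def safe_login(conn, username, password):
    """Parameterized query: the driver sends the values separately, never as SQL text."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


def probe_error(conn, username):
    """What an attacker does first: break the syntax and read the error message."""
    try:
        vulnerable_login(conn, username, "x")
        return ""
    except sqlite3.OperationalError as exc:   # a real app must log this, not show it
        return str(exc)
```

With the password `x' OR '1'='1` the concatenated query becomes `... AND password = 'x' OR '1'='1'`; AND binds tighter than OR, so every row matches. With the username `admin'--` the rest of the WHERE clause is commented out and the password isn’t checked at all. The parameterized version returns nothing for both payloads because the quotes and `--` are just characters inside a value.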
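A guard for the directory traversal bullet above, as an added example that is not part of the original notes: `WEB_ROOT` is an assumed path, `resolve_under_root` and `is_safe_path` are my own names, and the checks work on path strings only (no filesystem access), so symlinks inside the root are out of scope. It decodes URL escapes (twice, to catch double encoding), normalizes the `../` segments, and then verifies the result is still under the root rather than trying to blacklist `..`.

```python
import posixpath
from urllib.parse import unquote

WEB_ROOT = "/var/www/html"   # assumption: the directory the app is allowed to serve from


def resolve_under_root(root: str, requested: str) -> str:
    """Map a user-supplied relative path to an absolute path, or raise ValueError."""
    decoded = unquote(unquote(requested))        # %2e%2e and %252e%252e both end up as ".."
    if "\x00" in decoded:
        raise ValueError("null byte in path")    # old trick for truncating an appended suffix
    # A leading "/" would make join() discard the root, so treat every request as relative.
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    # After normalization, the only check that matters: are we still inside the root?
    if posixpath.commonpath([root, candidate]) != root:
        raise ValueError(f"traversal outside {root}: {requested!r}")
    return candidate


def is_safe_path(requested: str, root: str = WEB_ROOT) -> bool:
    try:
        resolve_under_root(root, requested)
        return True
    except ValueError:
        return False
```

Note that `docs/../index.html` is allowed: the goal isn’t to forbid `..` but to forbid escaping the root, and normalizing first is what makes that a single comparison.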
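The fuzzing bullet above turned into a working loop, as an added example that is not from the original notes: the record format (`[length][payload][checksum]`), the deliberately buggy parser, its fixed version and the `fuzz` helper are all my own constructions. Half the inputs are random bytes and half are mutations of a known-good record; the fuzzer ignores the parser’s intended validation errors and reports anything else, which is how the missing bounds check surfaces as an `IndexError`.

```python
import random


def parse_record(data: bytes) -> bytes:
    """Deliberately buggy parser for [length][payload...][checksum]: trusts the length byte."""
    if len(data) < 2:
        raise ValueError("too short")            # intended, handled validation error
    length = data[0]
    payload = data[1:1 + length]                 # slicing silently shortens, hiding the problem
    checksum = data[1 + length]                  # bug: indexes past the end -> IndexError
    if sum(payload) % 256 != checksum:
        raise ValueError("bad checksum")
    return payload


def parse_record_fixed(data: bytes) -> bytes:
    """Same format with the bounds check the buggy version forgot."""
    if len(data) < 2:
        raise ValueError("too short")
    length = data[0]
    if len(data) < 2 + length:
        raise ValueError("truncated record")     # reject instead of reading past the end
    payload = data[1:1 + length]
    if sum(payload) % 256 != data[1 + length]:
        raise ValueError("bad checksum")
    return payload


def make_valid_record(payload: bytes) -> bytes:
    return bytes([len(payload)]) + payload + bytes([sum(payload) % 256])


def fuzz(target, iterations=500, seed=0, expected=(ValueError,)):
    """Throw random and mutated inputs at `target`; collect exceptions it isn't supposed to raise."""
    rng = random.Random(seed)                    # seeded so a finding can be reproduced
    good = make_valid_record(b"hello")
    findings = []
    for i in range(iterations):
        if i % 2 == 0:                           # purely random bytes, random length
            data = bytes(rng.randrange(256) for _ in range(rng.randrange(0, 12)))
        else:                                    # mutate one byte of a known-good record
            buf = bytearray(good)
            buf[rng.randrange(len(buf))] = rng.randrange(256)
            data = bytes(buf)
        try:
            target(data)
        except expected:
            continue                             # validation errors are the parser doing its job
        except Exception as exc:                 # anything else is a crash worth keeping
            findings.append((type(exc).__name__, data))
    return findings


def crash_types(target, **kwargs):
    """Distinct unexpected exception types the fuzzer found."""
    return sorted({name for name, _ in fuzz(target, **kwargs)})
```

Keeping the inputs that crashed (not just the count) is what makes the result useful: each one is a ready-made reproducer for the developer, and in a memory-unsafe language the same missing check would be an out-of-bounds read rather than a Python exception.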