Social Engineering Attacks

Questions and Answers

What is the primary goal of social engineering attacks?

  • To encrypt data for ransomware purposes
  • To exploit software vulnerabilities
  • To manipulate individuals into divulging confidential information or performing actions (correct)
  • To physically damage computer hardware

What is pretexting?

  • Creating a fake social media profile
  • Pretending to need personal data to confirm the recipient's identity (correct)
  • Distributing malicious software through email
  • Gaining unauthorized physical access to a building

What is a key characteristic of phishing attacks?

  • They always involve physical intrusion.
  • They use fraudulent emails disguised as legitimate sources. (correct)
  • They require advanced technical skills to execute.
  • They directly exploit vulnerabilities in operating systems.

What is the defining feature of spear phishing?

  • It is targeted at a specific individual or organization. (A) (correct)

What is another name for spam?

  • Junk mail (A) (correct)

What is the meaning of “Quid pro quo” in the context of social engineering?

  • Exchanging something for something else, like a request for information in exchange for a gift (B) (correct)

What happens in a baiting attack?

  • A victim unknowingly installs malware from a malware-infected flash drive. (A) (correct)

What is the main element of impersonation in social engineering?

  • Pretending to be someone you are not to gain trust (D) (correct)

What is the goal of tailgating?

  • To gain unauthorized access to a secure area (C) (correct)

What is shoulder surfing?

  • Looking over someone's shoulder to steal information (C) (correct)

What is the attacker looking for during 'dumpster diving'?

  • Confidential documents (D) (correct)

Specifically, what is the Social Engineering Toolkit (SET) designed for?

  • Auditing and testing network security through controlled social engineering attacks (C) (correct)

What is a key recommendation for protecting against social engineering attacks?

  • Never give your username and password credentials to anyone (A) (correct)

What is the primary effect of a Denial of Service (DoS) attack?

  • Interruption of network services to users, devices, or applications (A) (correct)

What is the main characteristic of an 'Overwhelming Quantity of Traffic' DoS attack?

  • Sending an enormous amount of data to overwhelm the network (A) (correct)

What happens during a 'Maliciously Formatted Packets' DoS attack?

  • The threat actor sends packets that the receiving device cannot handle, causing it to crash. (A) (correct)

How does a Distributed Denial of Service (DDoS) attack differ from a DoS attack?

  • A DDoS attack uses multiple, coordinated sources, while a DoS attack typically uses a single source. (B) (correct)

What are 'zombies' in the context of a DDoS attack?

  • Infected hosts controlled by a threat actor (C) (correct)

What system do threat actors use to control zombies in a DDoS attack?

  • A command and control (CnC) system (C) (correct)

What is the purpose of bot malware in a DDoS attack?

  • To make the host a zombie that can communicate with the CnC system (A) (correct)

Why is it a security concern if IP does not validate the source IP address?

  • It allows threat actors to send packets using a spoofed IP address. (B) (correct)

What is the purpose of ICMP attacks?

  • To perform reconnaissance, scanning, and DoS attacks (D) (correct)

What do threat actors use ICMP echo packets (pings) for?

  • To discover subnets and hosts on a protected network (A) (correct)

What is the main purpose of amplification and reflection attacks?

  • To prevent legitimate users from accessing information or services (B) (correct)

Which of the following describes address spoofing attacks?

  • They involve creating packets with false source IP address information. (D) (correct)

What is a key difference between non-blind and blind spoofing?

  • In non-blind spoofing, the threat actor can see the traffic; in blind spoofing, they cannot. (C) (correct)

When are MAC address spoofing attacks typically used?

  • When threat actors have access to the internal network (A) (correct)

What can a threat actor create by connecting a rogue DHCP server?

  • A Man-in-the-Middle (MITM) condition (C) (correct)

What does the URG control bit in a TCP segment indicate?

  • Urgent pointer field significant (C) (correct)

What is the purpose of the SYN control bit in a TCP segment?

  • To synchronize sequence numbers (B) (correct)

What does the ACK control bit signify in a TCP segment?

  • Acknowledgement field significant (C) (correct)

What is the meaning of the FIN control bit in a TCP segment?

  • No more data from sender (D) (correct)

What feature incorporated into TCP guarantees delivery of data?

  • Acknowledgements (D) (correct)

What type of communication is established during a TCP three-way handshake?

  • Stateful communication (A) (correct)

Why is a TCP SYN Flood attack effective?

  • It exploits the TCP three-way handshake. (C) (correct)

What happens to the target host during a TCP SYN Flood attack?

  • It is overwhelmed with half-open TCP connections. (D) (correct)

What is the purpose of a TCP reset attack?

  • To terminate TCP communications between two hosts (D) (correct)

What is required for TCP session hijacking to be successful?

  • Spoofing the IP address, predicting the sequence number, and sending an ACK (B) (correct)

Which protocols commonly use UDP?

  • DNS, TFTP, NFS (C) (correct)

What is a key difference between UDP and TCP?

  • UDP is connectionless and offers lower overhead than TCP. (A) (correct)

Why are UDP attacks a security concern?

  • UDP does not have built-in protection like checksums (C) (correct)

What is the primary characteristic of a UDP flood attack?

  • Flooding a network with UDP packets, consuming resources (B) (correct)

Flashcards

Social Engineering

An access attack that manipulates individuals into performing actions or divulging confidential information.

Pretexting

Pretending to need personal or financial data to confirm the recipient's identity.

Phishing

Sending fraudulent emails disguised as legitimate to trick recipients into installing malware or sharing information.

Spear Phishing

A targeted phishing attack tailored for a specific individual or organization.

Spam

Unsolicited email, known as junk mail, containing harmful links, malware, or deceptive content.

Something for Something

Requesting personal information in exchange for something such as a gift.

Baiting

Leaving a malware-infected flash drive in a public location for a victim to find and use.

Impersonation

Pretending to be someone you are not to gain the trust of a victim.

Tailgating

Following an authorized person into a secure location to gain access.

Shoulder Surfing

Inconspicuously looking over someone's shoulder to steal their passwords or information.

Dumpster Diving

Rummaging through trash bins to discover confidential documents.

Denial of Service (DoS)

An attack that causes interruption of network services to users, devices, or applications.

Overwhelming Quantity of Traffic

The threat actor sends an enormous quantity of data that the network cannot handle, slowing it down and potentially causing it to crash.

Maliciously Formatted Packets

The threat actor sends a maliciously formatted packet to a host or application that the receiving device cannot handle.

Distributed Denial of Service (DDoS)

An attack originating from multiple, coordinated sources: infected hosts known as zombies.

IPv4 and IPv6 Vulnerabilities

IP does not validate the source IP address; attackers can send packets with spoofed addresses and tamper with IP headers.

ICMP Attacks

Attackers use ICMP echo packets (pings) to discover subnets and hosts, and alter routing tables for attacks.

Amplification/Reflection Attacks

Attackers prevent legitimate users' access with DoS/DDoS attacks; relies on amplifying requests to overwhelm targets.

Address Spoofing Attacks

Attackers spoof IP addresses in packets to perform blind or non-blind spoofing for nefarious purposes.

Man-in-the-Middle Attack (MITM)

Attackers position themselves between the communicating parties to monitor, capture, and control the transmitted data.

ICMP ACL filtering

Strict ICMP access control list (ACL) filtering on the network edge to avoid ICMP probing from the internet.

ICMP echo request/reply

Messages used for host verification and DoS attacks.

ICMP unreachable

Message used to perform reconnaissance and scanning attacks.

ICMP mask reply

Messages used to map internal IP networks.

ICMP redirects

Messages used to lure a host into sending traffic through a compromised device.

ICMP router discovery

Used to inject bogus route entries into the routing table.

Amplification

The threat actor forwards request messages to many hosts; each message carries the victim's IP address as its source.

Reflection

The hosts reply to the spoofed (victim's) IP address, overwhelming it.

Address Spoofing Attacks

Creating packets with a false source IP address to hide the attacker's identity.

Non-Blind Spoofing

The threat actor can see the traffic sent between the host and the target, and uses it to inspect reply packets.

Blind Spoofing

Spoofing without being able to see the traffic.

MAC address

Threat actors with access to the internal network alter their host's MAC address.

TCP Segment Header

Segment information that appears immediately after the IP header.

URG

Urgent pointer field significant

SYN

Synchronize sequence numbers

ACK

Acknowledgement field significant

PSH

Push function

FIN

No more data from sender

RST

Reset the connection

Study Notes

Social Engineering Attacks

  • Social engineering is an access attack that manipulates individuals into performing actions or revealing confidential information
  • Techniques can be in-person, via telephone, or over the internet

Social Engineering Attack Types

  • Pretexting involves an attacker pretending they need personal or financial data to confirm the recipient's identity
  • Phishing involves fraudulent emails disguised as legitimate sources, attempting to trick recipients into installing malware or sharing personal information
  • Spear phishing is a targeted phishing attack tailored to a specific individual or organization
  • Spam, also known as junk mail, is unsolicited email containing harmful links, malware, or deceptive content
  • Something for Something, also known as “Quid pro quo”, involves a threat actor requesting personal information in exchange for a gift
  • Baiting involves a threat actor leaving a malware-infected flash drive in a public location for a victim to find and use, resulting in unintentional malware installation
  • Impersonation is when a threat actor pretends to be someone else to gain a victim's trust
  • Tailgating allows a threat actor to quickly follow an authorized person into a secure location to gain unauthorized access
  • Shoulder surfing is when a threat actor secretly steals passwords or other information by looking over someone's shoulder
  • Dumpster diving is when a threat actor finds confidential documents by going through trash bins
  • The Social Engineering Toolkit (SET) assists white hat hackers and security professionals in creating social engineering attacks to test networks

Denial of Service (DoS) Attacks

  • A DoS attack interrupts network services for users, devices, or applications

Types of DoS Attacks

  • Overwhelming Quantity of Traffic involves a threat actor sending large amounts of data to overwhelm a network, host, or application, causing slowdowns or crashes
  • Maliciously Formatted Packets involve a threat actor sending formatted packets that a host or application is unable to handle, causing slowdowns or crashes
  • DoS attacks pose a major risk by disrupting communication and causing financial losses

Distributed Denial of Service (DDoS) Attacks

  • DDoS attacks are similar to DoS attacks, but originate from multiple coordinated sources
  • A threat actor creates a network of infected hosts (zombies) controlled by a command and control (CnC) system
  • The zombies scan and infect other hosts with bot malware, creating a network called a botnet
  • The threat actor uses the CnC system to instruct the botnet to perform DDoS attacks

IPv4 and IPv6

  • IP does not confirm that the source IP address in a packet is the actual source
  • This permits threat actors to send packets from a false IP address to carry out attacks, and also to manipulate other IP header fields
  • Consequently, security analysts need understanding of both IPv4 and IPv6 header fields
  • ICMP attacks utilize Internet Control Message Protocol (ICMP) echo packets (pings) to find subnets/hosts on secured networks, create DoS flood attacks, and change host routing tables
  • Amplification and reflection attacks prevent users from accessing information/services using DoS and DDoS attacks
  • Address spoofing attacks use a spoofed source IP address in an IP packet for blind or non-blind spoofing
  • Man-in-the-middle (MITM) attacks involve threat actors positioning themselves between a source and destination to monitor, capture, and control the communication by inspecting/altering packets

Exploiting ICMP

  • Threat actors use ICMP for reconnaissance and scanning attacks
  • ICMP is used for attacks to map out network topology, find reachable hosts, identify host operating systems (OS fingerprinting), and determine firewall state
  • ICMP is also used for DoS attacks

Mitigation Strategies for ICMP Exploitation

  • Networks should use strict ICMP Access Control List (ACL) filtering on the network edge to prevent ICMP probing from the internet
  • Security analysts should detect ICMP-related attacks by examining captured traffic and log files
  • Security devices (firewalls and intrusion detection systems - IDS) detect ICMP attacks and create alerts

ICMP Messages Used by Hackers

  • ICMP echo request/reply is used to perform host verification and DoS attacks
  • ICMP unreachable is used to perform network reconnaissance and scanning attacks
  • ICMP mask reply is used to map an internal IP network
  • ICMP redirects are used to lure a target host into sending traffic through a compromised device, creating a MITM attack

Amplification and Reflection Exploitation

  • Threat actors use amplification and reflection techniques to create DoS attacks
  • A Smurf attack is an amplification and reflection technique

Smurf Attack

  • Amplification involves a threat actor forwarding ICMP echo request messages to numerous hosts, using the victim's spoofed source IP address
  • Reflection involves hosts replying to the victim's spoofed IP address to overwhelm it
  • Resource exhaustion attacks, used by threat actors, consume resources of a target host or network to cause crashes

Address Spoofing Attacks

  • IP address spoofing involves threat actors creating packets with false source IP addresses to hide their identity or impersonate a legitimate user
  • This enables access to otherwise inaccessible data or circumvention of security configurations
  • Spoofing is often incorporated into other attacks like Smurf attacks

Types of Spoofing

  • Non-blind spoofing enables a threat actor to see traffic between the host and target, allowing them to inspect reply packets, determine firewall state, predict sequence numbers, and hijack authorized sessions
  • Blind spoofing, used in DoS attacks, doesn't allow a threat actor to see traffic between the host and target

MAC Address Spoofing

  • MAC address spoofing occurs when threat actors access the internal network
  • Threat actors change the MAC address of their host to match the MAC address of a target host
  • The attacking host sends a frame throughout the network using the spoofed MAC address
  • When the switch receives the frame, it examines the source MAC address
  • The switch overwrites the current CAM table entry and assigns the MAC address to the new port
  • Frames destined for the target host are then forwarded to the attacking host

Application/Service Spoofing

  • Application or service spoofing is another type of spoofing
  • A threat actor can connect a rogue DHCP server to create an MITM condition

TCP Segment Header

  • The TCP segment header appears directly after the IP header, as shown in the diagram
  • The diagram displays the TCP segment fields and the control bit flags

TCP segment control bits

  • URG - Urgent pointer field significant
  • SYN – Synchronize sequence numbers
  • ACK - Acknowledgement field significant
  • PSH - Push function
  • FIN – No more data from sender
  • RST - Reset the connection

TCP Services

  • Reliable delivery uses acknowledgements to guarantee delivery instead of relying on upper-layer protocols to detect and resolve errors
  • If a timely acknowledgement is not received, the sender transmits the data again, which can cause delay
  • Application layer protocols that use TCP include HTTP, SSL/TLS, FTP and DNS zone transfers
  • Flow control addresses this delay
  • Stateful communication between the two parties is established during the three-way handshake, which occurs before data is exchanged

TCP three-way handshake involves three steps:

  • The initiating client sends a request to the server for a client-to-server communication session
  • The server acknowledges the client-to-server communication session and requests a server-to-client communication session
  • The initiating client then acknowledges the server

TCP Attacks

  • Network applications use TCP or UDP ports; threat actors conduct port scans to discover the services offered
  • TCP SYN flood attacks exploit the TCP three-way handshake
  • Threat actors send TCP SYN session requests with randomly spoofed source IP addresses to a target

TCP SYN Flood attacks

  • The target replies with a TCP SYN-ACK packet to the spoofed IP address and waits for the ACK packet that completes the handshake, which never comes
  • Eventually the target is overwhelmed with half-open TCP connections and TCP services are denied

Diagram of TCP SYN Flood Attacks

  • A threat actor sends multiple SYN requests to a web server
  • The web server replies with a SYN-ACK to each SYN request and waits to complete the three-way handshake, but the threat actor does not respond to the SYN-ACKs
  • A valid user cannot access the web server because the server is overwhelmed with requests
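The half-open connection accounting described above, as an added example of the check an analyst would run over a sensor's connection records (not part of the original lesson): the trace, the addresses and the threshold are constructed, and the per-server count is chosen because randomly spoofed sources defeat any per-source count.

```python
"""Half-open TCP connection accounting over a constructed packet trace.

Each record mimics what a sensor exports: (src, sport, dst, dport, flags), with the
flag names taken from the control-bit list in this lesson (SYN, ACK, RST, FIN).
"""
from collections import Counter

SERVER = "203.0.113.10"   # constructed web server address (documentation range)

# Constructed trace (not captured data): one legitimate client completing two
# handshakes, then SYNs from randomly spoofed sources that never send the final ACK.
TRACE = [
    ("198.51.100.7", 40001, SERVER, 80, {"SYN"}),
    (SERVER, 80, "198.51.100.7", 40001, {"SYN", "ACK"}),
    ("198.51.100.7", 40001, SERVER, 80, {"ACK"}),
    ("198.51.100.7", 40002, SERVER, 80, {"SYN"}),
    (SERVER, 80, "198.51.100.7", 40002, {"SYN", "ACK"}),
    ("198.51.100.7", 40002, SERVER, 80, {"ACK"}),
]
for i in range(1, 9):
    spoofed = f"192.0.2.{i}"
    TRACE.append((spoofed, 50000 + i, SERVER, 80, {"SYN"}))
    TRACE.append((SERVER, 80, spoofed, 50000 + i, {"SYN", "ACK"}))   # server answers, waits


def half_open_connections(trace):
    """Return the 4-tuples (client, cport, server, sport) whose handshake never completed.

    The server's SYN-ACK travels server->client, so it is re-keyed to the client's tuple.
    """
    state = {}
    for src, sport, dst, dport, flags in trace:
        if "SYN" in flags and "ACK" not in flags:
            state[(src, sport, dst, dport)] = "SYN_RECEIVED"      # step 1 of the handshake
        elif "SYN" in flags and "ACK" in flags:
            key = (dst, dport, src, sport)
            if key in state:
                state[key] = "SYN_ACK_SENT"                        # step 2, still half-open
        else:
            # A bare ACK (step 3) completes the handshake; an RST from either side aborts it.
            # Either way the connection leaves the half-open backlog.
            for key in ((src, sport, dst, dport), (dst, dport, src, sport)):
                state.pop(key, None)
    return set(state)


def half_open_counts(trace):
    """Count half-open connections per (server, port) and per client address."""
    by_server, by_client = Counter(), Counter()
    for client, _cport, server, sport in half_open_connections(trace):
        by_server[(server, sport)] += 1
        by_client[client] += 1
    return by_server, by_client


def syn_flood_suspected(trace, threshold):
    """Return (server, port) pairs whose half-open backlog exceeds the threshold.

    Counting per server rather than per client is deliberate: with randomly
    spoofed sources each client address appears only once, so a per-source
    threshold would never trigger.
    """
    by_server, _ = half_open_counts(trace)
    return {svc: n for svc, n in by_server.items() if n > threshold}
```

On this trace `syn_flood_suspected(TRACE, 5)` flags the web server with eight half-open connections while every spoofed client shows a count of one.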

TCP Reset Attack

  • A TCP reset attack terminates TCP communications between two hosts; a TCP connection can end in a civilized or an uncivilized manner
  • The civilized manner is a four-way exchange consisting of a pair of FIN and ACK segments from each TCP endpoint to close the connection
  • The uncivilized manner is when a host receives a TCP segment with the RST bit set; the TCP connection is abruptly severed and the receiving host is told to stop using the connection immediately

Four-way Exchange Process in Terminating a TCP Connection

  • When the client has no more data to send, it sends a segment with the FIN flag set
  • The server sends an ACK to acknowledge receipt of the FIN, terminating the client-to-server session
  • The server sends a FIN to the client to terminate the server-to-client session

TCP Session Hijacking

  • TCP session hijacking is another TCP vulnerability, in which a threat actor takes over an already authenticated host as it communicates with the target
  • The threat actor spoofs the IP address of one host, predicts the next sequence number, and sends an ACK to the other host
  • When successful, the threat actor could send and receive data from the target device

UDP Segment Header and Operation

  • UDP is commonly used by DNS, TFTP, NFS, and SNMP and also for real-time applications like media and VoIP
  • It’s a connectionless transport layer protocol that has less overhead than TCP
  • It doesn’t offer retransmission, sequencing and flow control

UDP Attacks

  • UDP itself provides no encryption (it can be added manually at a higher layer), so anyone who can see the traffic can alter it and send it on to its destination
  • Changing the data in the traffic alters the 16-bit checksum, but the checksum is optional and not always used

UDP Attacks that use Checksums

  • When the checksum is used, the threat actor can compute a new checksum over the altered payload and record it in the header as the new checksum
  • The destination device then finds that the checksum matches the altered data

UDP Flood Attacks

  • In a UDP flood attack, all of the network's resources are consumed
  • The threat actor uses a tool like UDP Unicorn or Low Orbit Ion Cannon to send a flood of UDP packets, often from a spoofed host, to a server on the subnet
  • This floods the segment and uses up most of the bandwidth, resulting in a DoS attack
  • The program sweeps through all the known ports trying to find closed ports, which causes the server to reply with ICMP port unreachable messages
