Questions and Answers
What is the primary goal of social engineering attacks?
- To encrypt data for ransomware purposes
- To exploit software vulnerabilities
- To manipulate individuals into divulging confidential information or performing actions (correct)
- To physically damage computer hardware
What is pretexting?
- Creating a fake social media profile
- Pretending to need personal data to confirm the recipient's identity (correct)
- Distributing malicious software through email
- Gaining unauthorized physical access to a building
What is a key characteristic of phishing attacks?
- They always involve physical intrusion.
- They use fraudulent emails disguised as legitimate sources. (correct)
- They require advanced technical skills to execute.
- They directly exploit vulnerabilities in operating systems.
What is the defining feature of spear phishing?
What is another name for spam?
What is the meaning of “Quid pro quo” in the context of social engineering?
What happens in a baiting attack?
What is the main element of impersonation in social engineering?
What is the goal of tailgating?
What is shoulder surfing?
What is the attacker looking for during 'dumpster diving'?
Specifically, what is the Social Engineering Toolkit (SET) designed for?
What is a key recommendation for protecting against social engineering attacks?
What is the primary effect of a Denial of Service (DoS) attack?
What is the main characteristic of an 'Overwhelming Quantity of Traffic' DoS attack?
What happens during a 'Maliciously Formatted Packets' DoS attack?
How does a Distributed Denial of Service (DDoS) attack differ from a DoS attack?
What are 'zombies' in the context of a DDoS attack?
What system do threat actors use to control zombies in a DDoS attack?
What is the purpose of a bot malware in a DDoS attack?
Why is it a security concern if IP does not validate the source IP address?
What is the purpose of ICMP attacks?
What do threat actors use ICMP echo packets (pings) for?
What is the main purpose of amplification and reflection attacks?
Which of the following describes address spoofing attacks?
What is a key difference between non-blind and blind spoofing?
When are MAC address spoofing attacks typically used?
What can a threat actor create by connecting a rogue DHCP server?
What does the URG control bit in a TCP segment indicate?
What is the purpose of the SYN control bit in a TCP segment?
What does the ACK control bit signify in a TCP segment?
What is the meaning of the FIN control bit in a TCP segment?
What feature incorporated into TCP guarantees delivery of data?
What type of communication is established during a TCP three-way handshake?
Why is TCP SYN Flood attack effective?
What happens to the target host during a TCP SYN Flood attack?
What is the purpose of a TCP reset attack?
What is required for TCP session hijacking to be successful?
Which protocols commonly use UDP?
What is a key difference between UDP and TCP?
Why are UDP attacks a security concern?
What is the primary characteristic of a UDP flood attack?
Flashcards
Social Engineering
An access attack that manipulates individuals into performing actions or divulging confidential information.
Pretexting
Pretending to need personal or financial data to confirm the recipient's identity.
Phishing
Sending fraudulent emails disguised as legitimate to trick recipients into installing malware or sharing information.
Spear Phishing
Spam
Something for Something
Baiting
Impersonation
Tailgating
Shoulder Surfing
Dumpster Diving
Denial of Service (DoS)
Overwhelming Quantity of Traffic
Maliciously Formatted Packets
Distributed Denial of Service (DDoS)
IPv4 and IPv6 Vulnerabilities
ICMP Attacks
Amplification/Reflection Attacks
Address Spoofing Attacks
Man-in-the-Middle Attack (MITM)
ICMP ACL filtering
ICMP echo request/reply
ICMP unreachable
ICMP mask reply
ICMP redirects
ICMP router discovery
Amplification
Reflection
Non-Blind Spoofing
Blind Spoofing
MAC address
TCP Segment Header
URG
SYN
ACK
PSH
FIN
RST
Study Notes
Social Engineering Attacks
- Social engineering is an access attack that manipulates individuals into performing actions or revealing confidential information
- Techniques can be in-person, via telephone, or over the internet
Social Engineering Attack Types
- Pretexting involves an attacker pretending they need personal or financial data to confirm the recipient's identity
- Phishing involves fraudulent emails disguised as legitimate sources, attempting to trick recipients into installing malware or sharing personal information
- Spear phishing is a targeted phishing attack tailored to a specific individual or organization
- Spam, also known as junk mail, is unsolicited email containing harmful links, malware, or deceptive content
- Something for Something, also known as “Quid pro quo”, involves a threat actor requesting personal information in exchange for a gift
- Baiting involves a threat actor leaving a malware-infected flash drive in a public location for a victim to find and use, resulting in unintentional malware installation
- Impersonation is when a threat actor pretends to be someone else to gain a victim's trust
- Tailgating allows a threat actor to quickly follow an authorized person into a secure location to gain unauthorized access
- Shoulder surfing is when a threat actor secretly steals passwords or other information by looking over someone's shoulder
- Dumpster diving is when a threat actor finds confidential documents by going through trash bins
- The Social Engineering Toolkit (SET) assists white hat hackers and security professionals in creating social engineering attacks to test networks
Denial of Service (DoS) Attacks
- A DoS attack interrupts network services for users, devices, or applications
Types of DoS Attacks
- Overwhelming Quantity of Traffic involves a threat actor sending large amounts of data to overwhelm a network, host, or application, causing slowdowns or crashes
- Maliciously Formatted Packets involve a threat actor sending formatted packets that a host or application is unable to handle, causing slowdowns or crashes
- DoS attacks pose a major risk by disrupting communication and causing financial losses
Distributed Denial of Service (DDoS) Attacks
- DDoS attacks are similar to DoS attacks, but originate from multiple coordinated sources
- A threat actor creates a network of infected hosts (zombies) controlled by a command and control (CnC) system
- The zombies scan and infect other hosts with bot malware, creating a network called a botnet
- The threat actor uses the CnC system to instruct the botnet to perform DDoS attacks
IPv4 and IPv6
- IP does not validate that the source IP address in a packet is actually the address the packet came from
- This lets threat actors send packets with a false source IP address to carry out attacks, and they can also manipulate other IP header fields
- Consequently, security analysts need an understanding of both IPv4 and IPv6 header fields
Common IP-Related Attacks
- ICMP attacks utilize Internet Control Message Protocol (ICMP) echo packets (pings) to find subnets/hosts on secured networks, create DoS flood attacks, and change host routing tables
- Amplification and reflection attacks prevent users from accessing information/services using DoS and DDoS attacks
- Address spoofing attacks use a spoofed source IP address in an IP packet for blind or non-blind spoofing
- Man-in-the-middle (MITM) attacks involve threat actors positioning themselves between a source and destination to monitor, capture, and control the communication by inspecting/altering packets
Exploiting ICMP
- Threat actors use ICMP for reconnaissance and scanning attacks
- ICMP is used for attacks to map out network topology, find reachable hosts, identify host operating systems (OS fingerprinting), and determine firewall state
- ICMP is also used for DoS attacks
Mitigation Strategies for ICMP Exploitation
- Networks should use strict ICMP Access Control List (ACL) filtering on the network edge to prevent ICMP probing from the internet
- Security analysts should detect ICMP-related attacks by examining captured traffic and log files
- Security devices (firewalls and intrusion detection systems, IDS) detect ICMP attacks and create alerts
ICMP Messages Used by Hackers
- ICMP echo request/reply is used to perform host verification and DoS attacks
- ICMP unreachable is used to perform network reconnaissance and scanning attacks
- ICMP mask reply is used to map an internal IP network
- ICMP redirects are used to lure a target host into sending traffic through a compromised device, creating a MITM attack
Amplification and Reflection Exploitation
- Threat actors use amplification and reflection techniques to create DoS attacks
- A Smurf attack is an amplification and reflection technique
Smurf Attack
- Amplification involves a threat actor forwarding ICMP echo request messages to numerous hosts, using the victim's spoofed source IP address
- Reflection involves hosts replying to the victim's spoofed IP address to overwhelm it
- Resource exhaustion attacks, used by threat actors, consume resources of a target host or network to cause crashes
Address Spoofing Attacks
- IP address spoofing involves threat actors creating packets with false source IP addresses to hide their identity or impersonate a legitimate user
- This enables access to otherwise inaccessible data or circumvention of security configurations
- Spoofing is often incorporated into other attacks like Smurf attacks
Types of Spoofing
- Non-blind spoofing enables a threat actor to see traffic between the host and target, allowing them to inspect reply packets, determine firewall state, predict sequence numbers, and hijack authorized sessions
- Blind spoofing, used in DoS attacks, doesn't allow a threat actor to see traffic between the host and target
MAC Address Spoofing
- MAC address spoofing is used when threat actors have access to the internal network
- Threat actors change the MAC address of their host to match the MAC address of a target host
- The attacking host sends a frame throughout the network using the spoofed MAC address
- When the switch receives the frame, it examines the source MAC address
- The switch overwrites the current CAM table entry and assigns the MAC address to the new port
- Frames destined for the target host are then forwarded to the attacking host
Application/Service Spoofing
- Application or service spoofing is another type of spoofing
- A threat actor can connect a rogue DHCP server to create an MITM condition
TCP Segment Header
- The TCP segment header appears directly after the IP header, as shown in the diagram
- The diagram displays the TCP segment fields and the control bit flags
TCP segment control bits
- URG - Urgent pointer field significant
- SYN - Synchronize sequence numbers
- ACK - Acknowledgement field significant
- PSH - Push function
- FIN - No more data from sender
- RST - Reset the connection
TCP Services
- Reliable delivery uses acknowledgments to guarantee delivery, instead of relying on upper-layer protocols to detect and resolve errors
- The sender transmits the data again if a timely acknowledgement is not received, which can cause delays
- Application layer protocols that use TCP include HTTP, SSL/TLS, FTP and DNS zone transfers
- Flow control addresses this delay issue
- Stateful communication between the two parties is established during the three-way handshake, which occurs before data is exchanged
TCP three-way handshake involves three steps:
- The initiating client sends the server a request for a client-to-server communication session
- The server acknowledges the client-to-server communication session and requests a server-to-client session
- The initiating client then acknowledges the server
TCP Attacks
- Network applications use TCP or UDP ports; threat actors conduct port scans against these ports to discover which services are offered
- TCP SYN flood attacks exploit the TCP three-way handshake
- Threat actors send TCP SYN session requests with randomly spoofed source IP addresses to a target
TCP SYN Flood attacks
- The target replies with a TCP SYN-ACK packet to the spoofed IP address and waits for the ACK packets that would complete the handshakes, which never come
- Eventually the target becomes overwhelmed with half-open TCP connections and TCP services are denied
Diagram of TCP SYN Flood Attacks
- A threat actor sends multiple SYN requests to a web server
- The web server replies with a SYN-ACK for each SYN request and waits to complete the three-way handshake, but the threat actor never responds to the SYN-ACKs
- Valid users cannot access the web server because the server is overwhelmed with requests
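The control bits listed under "TCP segment control bits" and the SYN flood sequence in the two sections above can be exercised in code. The following Python is an added example, not part of the study notes or any course material: it builds constructed raw TCP headers, decodes the six control bits from the header, and then walks a constructed capture at a server address to count half-open (SYN, SYN-ACK, no ACK) connections. The detection counts half-open connections at the server rather than per source, because in a SYN flood the source addresses are spoofed and a per-source rate limit sees nothing unusual. The addresses, ports and threshold are constructed assumptions.

```python
import struct

# Control bits of the TCP header, by bit position in the low byte of the
# data-offset/flags word (same names as the study notes).
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}

def build_tcp_header(src_port, dst_port, seq, ack, flags, window=65535):
    """Construct a minimal 20-byte TCP header (no options, checksum left zero).
    Used only to build the constructed sample traffic for this example."""
    offset_and_flags = (5 << 12) | flags          # data offset = 5 32-bit words
    return struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack,
                       offset_and_flags, window, 0, 0)

def parse_tcp_segment(header: bytes) -> dict:
    """Decode ports, sequence numbers and the set control bits from a raw TCP header."""
    if len(header) < 20:
        raise ValueError("truncated TCP header")
    src_port, dst_port, seq, ack, offset_and_flags = struct.unpack("!HHIIH", header[:14])
    flags = {name for name, bit in TCP_FLAGS.items() if offset_and_flags & bit}
    return {"src_port": src_port, "dst_port": dst_port, "seq": seq, "ack": ack, "flags": flags}

def half_open_connections(packets, server_ip):
    """Return the (client_ip, client_port) pairs for which the server sent a SYN-ACK
    that was never answered by the client's ACK (embryonic connections).
    packets is an iterable of (src_ip, dst_ip, raw_tcp_header) tuples in capture order."""
    stage = {}   # (client_ip, client_port) -> "syn" | "syn-ack"
    for src_ip, dst_ip, raw in packets:
        seg = parse_tcp_segment(raw)
        flags = seg["flags"]
        if dst_ip == server_ip:
            key = (src_ip, seg["src_port"])
            if flags == {"SYN"}:
                stage[key] = "syn"                   # step 1 of the handshake
            elif ("ACK" in flags and "SYN" not in flags) or "RST" in flags:
                stage.pop(key, None)                 # step 3 completes it; RST aborts it
        elif src_ip == server_ip:
            key = (dst_ip, seg["dst_port"])
            if flags == {"SYN", "ACK"} and stage.get(key) == "syn":
                stage[key] = "syn-ack"               # step 2: server now holds state
            elif "RST" in flags:
                stage.pop(key, None)
    return [key for key, s in stage.items() if s == "syn-ack"]

def syn_flood_suspected(packets, server_ip, threshold=10) -> bool:
    """Flag a flood when the number of half-open connections at the server reaches
    the threshold. Per-source counting would miss this because the sources are spoofed."""
    return len(half_open_connections(packets, server_ip)) >= threshold

# --- constructed sample capture (not real traffic) ---
SERVER_IP = "203.0.113.10"

def _handshake(client_ip, client_port, complete):
    pkts = [
        (client_ip, SERVER_IP, build_tcp_header(client_port, 80, 1000, 0, TCP_FLAGS["SYN"])),
        (SERVER_IP, client_ip, build_tcp_header(80, client_port, 5000, 1001,
                                                 TCP_FLAGS["SYN"] | TCP_FLAGS["ACK"])),
    ]
    if complete:
        pkts.append((client_ip, SERVER_IP, build_tcp_header(client_port, 80, 1001, 5001,
                                                            TCP_FLAGS["ACK"])))
    return pkts

# one legitimate client that finishes its handshake, twelve spoofed sources that never do
SAMPLE_PACKETS = _handshake("10.0.0.5", 40000, complete=True)
for i in range(1, 13):
    SAMPLE_PACKETS += _handshake(f"198.51.100.{i}", 50000 + i, complete=False)

if __name__ == "__main__":
    print("half-open connections:", len(half_open_connections(SAMPLE_PACKETS, SERVER_IP)))
    print("SYN flood suspected:", syn_flood_suspected(SAMPLE_PACKETS, SERVER_IP))
```

On a real capture the same logic would be fed from a packet parser such as a pcap reader; the threshold is a tuning knob that should be set from the server's normal backlog size and handshake completion time, not a fixed constant.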
TCP Reset Attack
- A TCP reset attack terminates TCP communications between two hosts; TCP connections can be closed in a civilized or an uncivilized manner
- The civilized manner is a four-way exchange consisting of a pair of FIN and ACK segments from each TCP endpoint to close the connection
- The uncivilized manner is when a host receives a TCP segment with the RST bit set: the TCP connection is abruptly severed and the receiving host is told to immediately stop using the connection
Four-way Exchange Process in Terminating a TCP Connection
- When the client no longer has data to send, it sends a segment with the FIN flag set
- The server sends an ACK to acknowledge receipt of the FIN, terminating the session from client to server
- The server sends a FIN to the client to terminate the session from server to client
- The client acknowledges the server's FIN with an ACK, completing the four-way exchange
TCP Session Hijacking
- TCP session hijacking is another TCP vulnerability in which a threat actor takes over an already-authenticated host as it communicates with the target
- The threat actor spoofs the IP address of one host, predicts the next sequence number and sends an ACK to the other host
- When successful, the threat actor could send and receive data from the target device
UDP Segment Header and Operation
- UDP is commonly used by DNS, TFTP, NFS, and SNMP and also for real-time applications like media and VoIP
- It’s a connectionless transport layer protocol that has less overhead than TCP
- It doesn’t offer retransmission, sequencing and flow control
UDP Attacks
- UDP provides no encryption (it can be added manually at a higher layer), so anyone on the path can see the traffic, alter it, and send it on to its destination
- Changing the data in the traffic changes the 16-bit checksum, but the checksum is optional and not always used
UDP Attacks that use Checksums
- When the checksum is used, the threat actor can compute a new checksum over the altered payload and record it in the header
- The destination device will find that the checksum matches the altered data and accept it
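To make the checksum point concrete, here is an added Python example (not from the study notes or any course material) that implements the RFC 768 UDP checksum over the IPv4 pseudo-header and verifies it. It shows that a datagram whose payload was changed in transit fails verification, but once the checksum is recomputed over the new payload it verifies again, because the checksum carries no secret. The same holds when the source address changes, since the addresses are part of the pseudo-header. The addresses, ports and payload are constructed for the example.

```python
import struct

def _ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum as used by the IP family checksums (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"                      # odd length: pad with a zero byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total

def _ip_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))

def udp_checksum(src_ip: str, dst_ip: str, datagram: bytes) -> int:
    """RFC 768 checksum over the IPv4 pseudo-header plus the UDP header and payload,
    with the checksum field itself treated as zero."""
    pseudo_header = (_ip_bytes(src_ip) + _ip_bytes(dst_ip)
                     + struct.pack("!BBH", 0, 17, len(datagram)))   # zero, proto UDP, length
    zeroed = datagram[:6] + b"\x00\x00" + datagram[8:]
    csum = 0xFFFF - _ones_complement_sum(pseudo_header + zeroed)
    return csum if csum else 0xFFFF          # RFC 768: a computed zero is sent as all ones

def build_udp(src_ip, dst_ip, src_port, dst_port, payload: bytes) -> bytes:
    """Build a UDP datagram (header + payload) with a valid checksum."""
    length = 8 + len(payload)
    unchecked = struct.pack("!HHHH", src_port, dst_port, length, 0) + payload
    return unchecked[:6] + struct.pack("!H", udp_checksum(src_ip, dst_ip, unchecked)) + payload

def verify_udp(src_ip, dst_ip, datagram: bytes) -> bool:
    """True if the stored checksum matches the datagram contents. A stored value of
    zero means the sender did not use the checksum (permitted in IPv4), so nothing
    can be verified and the datagram is accepted as-is."""
    stored = struct.unpack("!H", datagram[6:8])[0]
    if stored == 0:
        return True
    return udp_checksum(src_ip, dst_ip, datagram) == stored

def integrity_check_outcomes(src_ip, dst_ip, datagram: bytes, new_payload: bytes) -> dict:
    """Show what the checksum does and does not catch when the payload is replaced in
    transit: a modification alone fails verification, but a modification followed by
    recomputing the checksum passes, because the checksum is not keyed."""
    modified = datagram[:4] + struct.pack("!H", 8 + len(new_payload)) + datagram[6:8] + new_payload
    recomputed = modified[:6] + struct.pack("!H", udp_checksum(src_ip, dst_ip, modified)) + modified[8:]
    return {
        "original": verify_udp(src_ip, dst_ip, datagram),
        "modified_only": verify_udp(src_ip, dst_ip, modified),
        "modified_and_recomputed": verify_udp(src_ip, dst_ip, recomputed),
    }

# constructed sample datagram (addresses, ports and payload are made up for this example)
SRC_IP, DST_IP = "10.0.0.1", "10.0.0.2"
SAMPLE_DATAGRAM = build_udp(SRC_IP, DST_IP, 40000, 161, b"balance=100")

if __name__ == "__main__":
    print(integrity_check_outcomes(SRC_IP, DST_IP, SAMPLE_DATAGRAM, b"balance=900"))
```

The defender's takeaway is that the UDP checksum only detects accidental corruption; integrity against an active attacker on the path needs a keyed mechanism at a higher layer, such as DTLS or an application-level message authentication code.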
UDP Flood Attacks
- All network resources are consumed in a UDP flood attack
- The threat actor uses a tool like UDP Unicorn or Low Orbit Ion Cannon to send a flood of UDP packets, often from a spoofed host, to a server on the subnet
- This floods the segment, consuming most of the available bandwidth and resulting in a DoS
- The program sweeps through all the known ports trying to find closed ports, which causes the server to reply with ICMP port unreachable messages