Social Engineering Attacks

Questions and Answers

What is the primary goal of social engineering attacks?

• To encrypt data for ransomware purposes
• To exploit software vulnerabilities
• To manipulate individuals into divulging confidential information or performing actions (correct)
• To physically damage computer hardware

What is pretexting?

• Creating a fake social media profile
• Pretending to need personal data to confirm the recipient's identity (correct)
• Distributing malicious software through email
• Gaining unauthorized physical access to a building

What is a key characteristic of phishing attacks?

• They always involve physical intrusion.
• They use fraudulent emails disguised as legitimate sources. (correct)
• They require advanced technical skills to execute.
• They directly exploit vulnerabilities in operating systems.

What is the defining feature of spear phishing?

It is targeted at a specific individual or organization. (A)

What is another name for spam?

Junk mail (A)

What is the meaning of “Quid pro quo” in the context of social engineering?

Exchanging something for something else, like a request for information in exchange for a gift (B)

What happens in a baiting attack?

A victim unknowingly installs malware from a malware infected flash drive. (A)

What is the main element of impersonation in social engineering?

Pretending to be someone you are not to gain trust (D)

What is the goal of tailgating?

To gain unauthorized access to a secure area (C)

What is shoulder surfing?

Looking over someone's shoulder to steal information (C)

What is the attacker looking for during 'dumpster diving'?

Confidential documents (D)

Specifically, what is the Social Engineering Toolkit (SET) designed for?

Auditing and testing network security through controlled social engineering attacks (C)

What is a key recommendation for protecting against social engineering attacks?

Never give your username and password credentials to anyone (A)

What is the primary effect of a Denial of Service (DoS) attack?

Interruption of network services to users, devices, or applications (A)

What is the main characteristic of an 'Overwhelming Quantity of Traffic' DoS attack?

Sending an enormous amount of data to overwhelm the network (A)

What happens during a 'Maliciously Formatted Packets' DoS attack?

The threat actor sends packets that the receiving device cannot handle, causing it to crash. (A)

How does a Distributed Denial of Service (DDoS) attack differ from a DoS attack?

A DDoS attack uses multiple, coordinated sources, while a DoS attack typically uses a single source. (B)

What are 'zombies' in the context of a DDoS attack?

Infected hosts controlled by a threat actor (C)

What system do threat actors use to control zombies in a DDoS attack?

A command and control (CnC) system (C)

What is the purpose of a bot malware in a DDoS attack?

To make the host a zombie that can communicate with the CnC system (A)

Why is it a security concern if IP does not validate the source IP address?

It allows threat actors to send packets using a spoofed IP address. (B)

What is the purpose of ICMP attacks?

To perform reconnaissance, scanning, and DoS attacks (D)

What do threat actors use ICMP echo packets (pings) for?

To discover subnets and hosts on a protected network (A)

What is the main purpose of amplification and reflection attacks?

To prevent legitimate users from accessing information or services (B)

Which of the following describes address spoofing attacks?

They involve creating packets with false source IP address information. (D)

What is a key difference between non-blind and blind spoofing?

In non-blind spoofing, the threat actor can see the traffic; in blind spoofing, they cannot. (C)

When are MAC address spoofing attacks typically used?

When threat actors have access to the internal network (A)

What can a threat actor create by connecting a rogue DHCP server?

A Man-in-the-Middle (MITM) condition (C)

What does the URG control bit in a TCP segment indicate?

Urgent pointer field significant (C)

What is the purpose of the SYN control bit in a TCP segment?

To synchronize sequence numbers (B)

What does the ACK control bit signify in a TCP segment?

Acknowledgement field significant (C)

What is the meaning of the FIN control bit in a TCP segment?

No more data from sender (D)

What feature incorporated into TCP guarantees delivery of data?

Acknowledgements (D)

What type of communication is established during a TCP three-way handshake?

Stateful communication (A)

Why is TCP SYN Flood attack effective?

It exploits the TCP three-way handshake. (C)

What happens to the target host during a TCP SYN Flood attack?

It is overwhelmed with half-open TCP connections. (D)

What is the purpose of a TCP reset attack?

To terminate TCP communications between two hosts (D)

What is required for TCP session hijacking to be successful?

Spoofing the IP address, predicting sequence number, and sending an ACK (B)

Which protocols commonly use UDP?

DNS, TFTP, NFS (C)

What is a key difference between UDP and TCP?

UDP is connectionless and offers lower overhead than TCP. (A)

Why are UDP attacks a security concern?

UDP does not have built in protection like checksums (C)

What is the primary characteristic of a UDP flood attack?

Flooding a network with UDP packets, consuming resources (B)

Flashcards

Social Engineering

An access attack that manipulates individuals into performing actions or divulging confidential information.

Pretexting

Pretending to need personal or financial data to confirm the recipient's identity.

Phishing

Sending fraudulent emails disguised as legitimate to trick recipients into installing malware or sharing information.

Spear Phishing

A targeted phishing attack tailored for a specific individual or organization.

Spam

Unsolicited email, known as junk mail, containing harmful links, malware, or deceptive content.

Something for Something

Requesting personal information in exchange for something such as a gift.

Baiting

Leaving a malware-infected flash drive in a public location for a victim to find and use.

Impersonation

Pretending to be someone you are not to gain the trust of a victim.

Tailgating

Following an authorized person into a secure location to gain access.

Shoulder Surfing

Inconspicuously looking over someone's shoulder to steal their passwords or information.

Dumpster Diving

Rummaging through trash bins to discover confidential documents.

Denial of Service (DoS)

An attack that causes interruption of network services to users, devices, or applications.

Overwhelming Quantity of Traffic

The threat sends huge number of data that the network cannot handle making it slow and potentially crash.

Maliciously Formatted Packets

The threat actor sends a maliciously formatted packet to a host or application that receiving device cannot handle.

Distributed Denial of Service (DDoS)

Attack originating from multiple, coordinated sources of infected host known as zombies.

IPv4 and IPv6 Vulnerabilities

IP doesn't validate source IP; attackers can send packets with spoofed addresses and tamper with IP headers.

ICMP Attacks

Attackers use ICMP echo packets (pings) to discover subnets, hosts, and alter routing tables for attacks.

Amplification/Reflection Attacks

Attackers prevent legitimate users' access with DoS/DDoS; relies on amplifying requests to overwhelm targets.

Address Spoofing Attacks

Attackers spoof IP addresses in packets to perform blind or non-blind spoofing for nefarious purposes.

Man-in-the-Middle Attack (MITM)

Attackers position themselves between communication to monitor, capture, and control the transmitted data.

ICMP ACL filtering

Strict ICMP access control list (ACL) filtering on the network edge to avoid ICMP probing from the internet.

ICMP echo request/reply

Messages used for host verification and DoS attacks

ICMP unreachable

Message used to trigger recon and scanning attacks

ICMP mask reply

Messages used to map internal IP networks

ICMP redirects

Messages to lure hosts in sending traffic through compromised device

ICMP router discovery

Used to inject bogus route entries into the routing

Amplification

Actor forwards request, message contains victim IP

Reflection

Hosts reply to spoofed IP to overwhelm

Address Spoofing Attacks

Create packets with false source IP to hide ID

Non-Blind Spoofing

To see traffic sent, using to inspect reply packet

Blind Spoofing

Spoofing without able to see the traffic.

MAC address

actors have access to internal network and alter MAC

TCP Segment Header

Segment info appears immediately after IP header.

URG

Urgent pointer field significant

SYN

Synchronize sequence numbers

ACK

Acknowledgement field significant

PSH

Push function

FIN

No more data from sender

RST

Reset the connection

Study Notes

Social Engineering Attacks

• Social engineering is an access attack that manipulates individuals into performing actions or revealing confidential information
• Techniques can be in-person, via telephone, or over the internet

Social Engineering Attack Types

• Pretexting involves an attacker pretending they need personal or financial data to confirm the recipient's identity
• Phishing involves fraudulent emails disguised as legitimate sources, attempting to trick recipients into installing malware or sharing personal information
• Spear phishing is a targeted phishing attack tailored to a specific individual or organization
• Spam, also known as junk mail, is unsolicited email containing harmful links, malware, or deceptive content
• Something for Something, also known as “Quid pro quo”, involves a threat actor requesting personal information in exchange for a gift
• Baiting involves a threat actor leaving a malware-infected flash drive in a public location for a victim to find and use, resulting in unintentional malware installation
• Impersonation is when a threat actor pretends to be someone else to gain a victim's trust
• Tailgating allows a threat actor to quickly follow an authorized person into a secure location to gain unauthorized access
• Shoulder surfing is when a threat actor secretly steals passwords or other information by looking over someone's shoulder
• Dumpster diving is when a threat actor finds confidential documents by going through trash bins
• The Social Engineering Toolkit (SET) assists white hat hackers and security professionals in creating social engineering attacks to test networks

Denial of Service (DoS) Attacks

• A DoS attack interrupts network services for users, devices, or applications

Types of DoS Attacks

• Overwhelming Quantity of Traffic involves a threat actor sending large amounts of data to overwhelm a network, host, or application, causing slowdowns or crashes
• Maliciously Formatted Packets involve a threat actor sending formatted packets that a host or application is unable to handle, causing slowdowns or crashes
• DoS attacks pose a major risk by disrupting communication and causing financial losses

Distributed Denial of Service (DDoS) Attacks

• DDoS attacks are similar to DoS attacks, but originate from multiple coordinated sources
• A threat actor creates a network of infected hosts (zombies) controlled by a command and control (CnC) system
• The zombies scan and infect other hosts with bot malware, creating a network called a botnet
• The threat actor uses the CnC system to instruct the botnet to perform DDoS attacks

IPv4 and IPv6

• IP doesn't confirm if source IP address in a packet is the correct source
• This permits threat actors to dispatch packets from a false IP address to execute attacks and also to manipulate other IP header fields
• Consequently, security analysts need understanding of both IPv4 and IPv6 header fields

Common IP-Related Attacks

• ICMP attacks utilize Internet Control Message Protocol (ICMP) echo packets (pings) to find subnets/hosts on secured networks, create DoS flood attacks, and change host routing tables
• Amplification and reflection attacks prevent users from accessing information/services using DoS and DDoS attacks
• Address spoofing attacks use a spoofed source IP address in an IP packet for blind or non-blind spoofing
• Man-in-the-middle (MITM) attacks involve threat actors positioning themselves between a source and destination to monitor, capture, and control the communication by inspecting/altering packets

Exploiting ICMP

• Threat actors use ICMP for reconnaissance and scanning attacks
• ICMP is used for attacks to map out network topology, find reachable hosts, identify host operating systems (OS fingerprinting), and determine firewall state
• ICMP is also used for DoS attacks

Mitigation Strategies for ICMP Exploitation

• Networks should use strict ICMP Access Control List (ACL) filtering on the network edge to prevent ICMP probing from the internet
• Security analysts should detect ICMP-related attacks by examining captured traffic and log files
• Security devices (firewalls and intrusion detection systems - IDS) detect ICMP attacks and create alerts

ICMP Messages Used by Hackers

• ICMP echo request/reply is used to perform host verification and DoS attacks
• ICMP unreachable is used to perform network reconnaissance and scanning attacks
• ICMP mask reply is used to map an internal IP network
• ICMP redirects is used to lure a target host into sending traffic through a compromised device, creating a MITM attack

Amplification and Reflection Exploitation

• Threat actors use amplification and reflection techniques to create DoS attacks
• A Smurf attack is an amplification and reflection technique

Smurf Attack

• Amplification involves a threat actor forwarding ICMP echo request messages to numerous hosts, using the victim's spoofed source IP address
• Reflection involves hosts replying to the victim's spoofed IP address to overwhelm it
• Resource exhaustion attacks, used by threat actors, consume resources of a target host or network to cause crashes

Address Spoofing Attacks

• IP address spoofing involves threat actors creating packets with false source IP addresses to hide their identity or impersonate a legitimate user
• This enables access to otherwise inaccessible data or circumvention of security configurations
• Spoofing is often incorporated into other attacks like Smurf attacks

Types of Spoofing

• Non-blind spoofing enables a threat actor to see traffic between the host and target, allowing them to inspect reply packets, determine firewall state, predict sequence numbers, and hijack authorized sessions
• Blind spoofing, used in DoS attacks, doesn't allow a threat actor to see traffic between the host and target

MAC Address Spoofing

• MAC address spoofing occurs when threat actors access the internal network
• Threat actors change the MAC address of their host to match the MAC address of a target host
• The attacking host sends a frame throughout the network using the spoofed MAC address
• When the switch receives the frame, it examines the source MAC address
• The switch overwrites the current CAM table entry and assigns the MAC address to the new port
• Frames destined for the target host are then forwarded to the attacking host

Application/Service Spoofing

• Application or service spoofing is another type of spoofing
• A threat actor can connect a rogue DHCP server to create an MITM condition

TCP Segment Header

• It appears directly after the IP header and shown in the diagram
• The diagram displays the TCP segment fields and the control bits flags

TCP segment control bits

• URG - Urgent pointer field significant
• SYN – Synchronize sequence numbers
• ACK - Acknowledgement field significant
• PSH - Push function
• FIN – No more data from sender
• RST - Reset the connection

TCP Services

• Reliable delivery includes acknowledgments to guarantee delivery instead of relying on upper layer protocols to detect and resolve errors
• The sender transmits the data again if timely acknowledgement is not received and this can cause delay
• Application layer protocols include HTTP, SSL/TLS, FTP and DNS zone
• Flow control addresses this issue
• Stateful communication between two parties occurs during the three way handshake which occurs before data is exchanged

TCP three-way handshake involves three steps:

• Initiating client sends request for a client-to-server communication session with the server
• The server acknowledges the client-to-server communication session and requests server-to-client communication
• Initiating client then acknowledges the server

TCP Attacks

• Network applications use TCP or UDP ports where threat actors conduct port scans to discover services offered
• TCP SYN flood attacks exploits the TCP three-way handshake
• Threat actors use TCP SYN session requests with a randomly spoofed IP to a target

TCP SYN Flood attacks

• The target replies with a TCP SYN-ACK packet to the spoofed IP address and waits for TCP SYN-ACK and ACK packets which never come
• Eventually the target becomes overwhelm with half-open TCP connections and TCP services are denied

Diagram of TCP SYN Flood Attacks

• A threat actor sends multiple SYN requests to a web server
• The web server replies with SYN-ACKs for each SYN Request and waits to complete three-way handshake but threat actor doesn’t respond to SYN-ACKs
• Valid user cannot access the web server because the server is overwhelmed with requests

TCP Reset Attack

• A TCP reset attack terminates TCP communications between two hosts in civilized and uncivilized manner
• Civilized manner is when TCP uses a four-way exchange consisting of a pair of FIN and ACK segments from each TCP endpoint to close TCP connection
• Uncivilized manner is when a host gets an TCP segment with a RST bit set and the TCP connection is abruptly severed while informing the receiving host to immediate stop using the connection

Four-way Exchange Process in Terminating a TCP Connection

• When the client no longer has data, it sends a segment with the FIN flag set
• The server sends an ACK to acknowledge the receipt of the FIN to terminate session from client to server
• The server sends FIN to the client to terminate the server to client

TCP Session Hijacking

• TCP session hijacking is another TCP vulnerability in which a threat actor takes over an already authentication host as it communicates with the target
• The threat actor spoofs the IP address of one host and predicts the next sequence number and sends ACK to the other host
• When successful, the threat actor could send and receive data from the target device

UDP Segment Header and Operation

• UDP is commonly used by DNS, TFTP, NFS, and SNMP and also for real-time applications like media and VoIP
• It’s a connectionless transport layer protocol that has less overhead than TCP
• It doesn’t offer retransmission, sequencing and flow control

UDP Attacks

• There’s no encryption on UDP but it can be manually added and this means anyone can see the traffic and alter it and send it to its destination
• Changing the data in the traffic results in altering the 16-bit checksum but it’s optional and not always used

UDP Attacks that use Checksums

• When it’s used, the threat actor can create a new checksum based on the new data payload and then record it in the header as a new checksum
• The destination device will find that the checksum matches the data that has been altered

UDP Flood Attacks

• All of network resources are consumed in a UDP flood attack
• The threat actor uses a tool like UDP Unicorn or Low Orbit Ion Cannon to send a flood of UDP packets, often from a spoofed host to a server on the subnet
• This floods the segment which uses up the most bandwidth which results in a DoS attack
• The program will sweep through all the known ports trying to find a closed port. This will cause the server to reply with an ICMP port unreachable message