Social Engineering Attacks


Questions and Answers

What is the primary goal of social engineering attacks?

  • To manipulate individuals into divulging information or performing actions (correct)
  • To encrypt data on a target system
  • To physically damage computer hardware
  • To improve network performance

Which of the following best describes 'pretexting'?

  • Pretending to need personal data to confirm identity (correct)
  • Stealing passwords by looking over someone's shoulder
  • Creating a targeted phishing attack
  • Sending unsolicited emails

What is the main characteristic of a spear phishing attack?

  • It's disguised as being from a legitimate source.
  • It's a widespread email campaign.
  • It is targeted at a specific individual or organization. (correct)
  • It involves leaving malware-infected devices in public.

What is another name for 'spam'?

  • Junk mail (A)

Which social engineering technique involves a threat actor requesting information in exchange for a gift?

  • Something for Something (A)

What is the main characteristic of a 'baiting' attack?

  • Leaving a malware-infected device in a public place (C)

Which attack involves a threat actor pretending to be someone they are not?

  • Impersonation (C)

What does 'tailgating' refer to in the context of social engineering?

  • Following someone into a secure area (B)

What is 'shoulder surfing'?

  • Looking over someone's shoulder to steal information (C)

Which attack involves rummaging through trash bins to find confidential documents?

  • Dumpster diving (B)

What is the purpose of the Social Engineering Toolkit (SET)?

  • To create and test social engineering attacks (D)

Which of the following is a recommended way to protect against social engineering attacks?

  • Always report suspicious individuals. (A)

What is the main goal of a Denial of Service (DoS) attack?

  • To interrupt network services (B)

Which of the following is a type of DoS attack?

  • Overwhelming Quantity of Traffic (A)

What characterizes a 'Distributed' Denial of Service (DDoS) attack?

  • It originates from multiple, coordinated sources. (D)

In a DDoS attack, what are the infected hosts often called?

  • Zombies (C)

What is the collection of zombies called in a DDoS attack?

  • Botnet (D)

What does IP stand for?

  • Internet Protocol (A)

Why can threat actors send packets using a spoofed source IP address?

  • IP does not validate the source IP address. (D)

What can threat actors do besides spoofing an IP address?

  • Tamper with other fields in the IP header (C)

What are ICMP attacks used for?

  • To discover subnets and hosts on a network. (B)

What is the goal of amplification and reflection attacks?

  • To prevent legitimate users from accessing services (B)

What does address spoofing involve?

  • Hiding the source to pose as another user. (C)

What is the difference between blind and non-blind spoofing?

  • The threat actor can see traffic in non-blind spoofing. (A)

When are MAC address spoofing attacks typically used?

  • When threat actors have access to the internal network. (D)

What is the first step in establishing a TCP connection using the three-way handshake?

  • The client sends a SYN. (D)

What is the purpose of the ACK bit in a TCP header?

  • To acknowledge received data (C)

Which of the following is NOT a control bit in the TCP header?

  • IP (A)

What is 'stateful communication' in the context of TCP?

  • Communication that occurs after a three-way handshake. (B)

What is the fundamental characteristic of UDP?

  • Connectionless (B)

What is a common use case for UDP?

  • DNS (A)

How does a TCP SYN flood attack work?

  • By exploiting the TCP three-way handshake. (C)

What happens to the target host in a TCP SYN flood attack?

  • It is overwhelmed with half-open connections. (A)

What does a TCP reset attack attempt to do?

  • Terminate a TCP connection. (A)

How is a TCP connection normally terminated?

  • With a four-way exchange. (C)

What must a threat actor do during TCP session hijacking?

  • Predict the next sequence number. (C)

What is one of the main security issues with UDP?

  • It is not protected by encryption by default. (C)

What is a UDP flood attack designed to do?

  • Consume network resources (B)

What kind of message does a server often reply to in a UDP flood attack?

  • ICMP port unreachable (B)

Flashcards

Social Engineering

An access attack that manipulates individuals into divulging confidential information or performing actions.

Pretexting

A threat pretends to need data to confirm the recipient's identity.

Phishing

Fraudulent email disguised as legitimate to trick recipients into installing malware or sharing information.

Spear Phishing

A targeted phishing attack tailored for a specific individual or organization.

Spam

Unsolicited email containing harmful links, malware, or deceptive content; also known as junk mail.

Something for Something

Requesting personal information in exchange for something, like a gift.

Baiting

Leaving a malware-infected flash drive in a public place.

Impersonation

Pretending to be someone you are not, to gain trust.

Tailgating

Following an authorized person into a secure location.

Shoulder Surfing

Inconspicuously looking over someone's shoulder to steal passwords or other information.

Dumpster Diving

Rummaging through trash bins to discover confidential documents.

Strict ICMP ACL

An access control list that filters traffic to avoid probing.

Denial of Service (DoS)

Attacks that cause interruptions of network services, using a variety of methods to overwhelm or crash systems.

Overwhelming Quantity of Traffic

Sending an enormous quantity of data that overwhelms the network.

Maliciously Formatted Packets

Sending a maliciously formatted packet to crash a device.

Distributed Denial of Service (DDoS)

DoS attack from multiple, coordinated sources, creating a botnet.

Botnet

Network of infected hosts used to perform DDoS attacks.

ICMP Attack

An IP attack that uses Internet Control Message Protocol to discover subnets and hosts.

Amplification and Reflection Attacks

IP attack that prevents users from accessing information or services using DoS and DDoS attacks.

Address Spoofing Attack

IP attack that spoofs the source IP address in a packet.

Man-in-the-Middle Attack (MITM)

Attack where threat actors position themselves between a source and destination to monitor, capture, and control communication.

ICMP echo request/reply

Used to perform host verification and DoS attacks.

ICMP unreachable

Attack to determine if a target is reachable.

ICMP mask reply

Helps map a private network.

ICMP redirects

Lure traffic through a compromised device.

ICMP router discovery

Inject bogus route entries into the routing table.

Amplification

A technique where ICMP echo requests are forwarded to create DoS attacks.

Reflection

Hosts reply to the spoofed IP address to overwhelm the victim.

Address Spoofing

Creating packets with false IP information to achieve malicious goals.

Non-blind spoofing

Threat actor sees traffic being sent between the host and the target.

Blind spoofing

Threat actor cannot see the traffic being sent between the host and the target.

MAC Address Spoofing

Altering a MAC address to match a target's, used in internal network attacks.

Service Spoofing

Impersonating a service.

URG

TCP control bit meaning the urgent pointer field is significant.

SYN

TCP control bit meaning synchronize sequence numbers.

ACK

TCP control bit meaning the acknowledgment field is significant.

PSH

TCP control bit meaning push function.

FIN

TCP control bit meaning no more data from sender.

RST

TCP control bit that resets the connection.

Reliable Delivery

TCP incorporates acknowledgments to guarantee delivery.

Stateful Communication

Stateful communication between two TCP endpoints.

Study Notes

Social Engineering Attacks

  • Social engineering is an access attack which aims to manipulate someone into divulging confidential information or performing certain actions
  • Some social engineering techniques are performed in-person, while other exploits use the telephone or internet

Common Social Engineering Attacks

  • Pretexting: A threat actor pretends to need personal or financial data to confirm the identity of the recipient
  • Phishing: A threat actor sends fraudulent email disguised as being from a legitimate, trusted source to trick the recipient into installing malware or sharing personal information
  • Spear phishing: A threat actor creates a phishing attack targeted and tailored specifically for an individual or organization
  • Spam: Also known as junk mail, unsolicited email containing harmful links, malware, or deceptive content

Additional Social Engineering Attacks

  • Something for Something: (Quid pro quo) A threat actor requests personal information from a party in exchange for something such as a gift
  • Baiting: A threat actor leaves a malware-infected flash drive in a public location, a victim finds the drive and unsuspectingly inserts it into their laptop, unintentionally installing malware
  • Impersonation: A threat actor pretends to be someone they are not to gain the trust of a victim
  • Tailgating: A threat actor quickly follows an authorized person into a secure location to gain access to a secure area
  • Shoulder Surfing: A threat actor inconspicuously looks over someone’s shoulder to steal their passwords or other information
  • Dumpster Diving: A threat actor rummages through trash bins to discover confidential documents

Social Engineering Toolkit (SET)

  • The Social Engineering Toolkit (SET) assists ethical hackers and network security professionals in creating social engineering attacks to test networks

Denial of Service (DoS) Attacks

  • DoS attacks interrupt network services for users, devices, or applications
  • Overwhelming Quantity of Traffic: An enormous amount of data from a threat actor overwhelms the network, host, or application, slowing down transmission and response times, or causing a crash
  • Maliciously Formatted Packets: A maliciously formatted packet is sent to a host or application; the receiving device runs slowly or crashes as a result

Impact of DoS Attacks

  • DoS attacks interrupt communication and cause loss of time and money

Distributed Denial of Service (DDoS) Attacks

  • DDoS attacks are similar to DoS attacks, but they originate from multiple, coordinated sources
  • A threat actor builds a network of infected hosts, known as zombies
  • The threat actor uses a command and control (CnC) system to send control messages to the zombies, which constantly scan and infect more hosts with bot malware
  • The bot malware makes the host a zombie that can communicate with the CnC system; the collection of zombies is called a botnet
  • The threat actor instructs the CnC system to have the botnet of zombies launch a DDoS attack

IPv4 and IPv6 Vulnerabilities

  • IP does not validate whether the source IP address in a packet actually came from that source
  • Threat actors can send packets using a spoofed source IP address or tamper with other fields in the IP header
  • Security analysts need to know the different fields in both IPv4 and IPv6 headers
  • ICMP Attacks: Threat actors use Internet Control Message Protocol (ICMP) echo packets (pings) to discover subnets and hosts on a protected network, generate DoS flood attacks, and alter host routing tables
  • Amplification and Reflection Attacks: Threat actors attempt to prevent legitimate users from accessing information or services using DoS and DDoS attacks
  • Address Spoofing Attacks: Threat actors spoof the source IP address in an IP packet to perform blind spoofing or non-blind spoofing
  • Man-in-the-Middle Attacks (MITM): Threat actors position themselves between a source and destination to transparently monitor, capture, and control communication, eavesdropping by inspecting captured packets or altering packets and forwarding them

ICMP Attacks Explained

  • Threat actors use ICMP for reconnaissance and scanning attacks, launching information-gathering attacks to map out a network topology
  • Threat actors discover which hosts are active/reachable, identify the host operating system (OS fingerprinting), and determine the state of a firewall
  • Threat actors use ICMP for DoS attacks

ICMP Access Control Lists (ACL)

  • Networks should have strict ICMP access control list (ACL) filtering on the network edge to avoid ICMP probing from the internet
  • Security analysts should be able to detect ICMP-related attacks by looking at captured traffic and log files
  • Security devices such as firewalls and intrusion detection systems (IDS) detect attacks and generate alerts to security analysts
  • ICMP Echo Request and Echo Reply are used to perform host verification and DoS attacks
  • ICMP Unreachable is used to perform network reconnaissance and scanning attacks
  • ICMP Mask Reply maps an internal IP network
  • ICMP Redirects lure a target host into sending all traffic through a compromised device and create a MITM attack

Amplification and Reflection Attacks

  • Threat actors use amplification and reflection techniques to create DoS attacks
  • Amplification involves the threat actor forwarding ICMP echo request messages to many hosts, containing the source IP address of the victim
  • Reflection involves those hosts replying to the spoofed IP address of the victim, overwhelming them
  • Threat actors also use resource exhaustion attacks, consuming the resources of a target host to either crash it or consume the resources of a network

Address Spoofing Attacks

  • IP address spoofing attacks are when a threat actor creates packets with false source IP address info to hide the identity of the sender or pose as a legitimate user
  • The threat actor can then gain access to otherwise inaccessible data or circumvent security configurations
  • Spoofing is often incorporated into another attack such as a Smurf attack

Types of Spoofing Attacks

  • Non-blind spoofing: The threat actor can see the traffic being sent between the host and the target, and uses non-blind spoofing to inspect the reply packet from the target victim
  • Non-blind spoofing is used to determine the state of a firewall, to predict sequence numbers, and to hijack an authorized session
  • Blind spoofing: The threat actor cannot see the traffic being sent between the host and the target; blind spoofing is used in DoS attacks

MAC Address Spoofing Attacks

  • These are used when threat actors have access to the internal network
  • Threat actors alter the MAC address of their host to match another MAC address of a target host
  • The attacking host sends a frame throughout the network with the newly-configured MAC address
  • When the switch receives the frame, it examines the source MAC address
  • The switch overwrites the current CAM table entry and assigns the MAC address to the new port, and then forwards frames destined for the target host to the attacking host

Other application spoofing

  • Application/service spoofing: A threat actor can connect a rogue DHCP server to the network to create a MITM condition

TCP Segment Header

  • TCP segment information appears immediately after the IP header
  • The six control bits of the TCP segment:
    • URG (Urgent): Significant urgent pointer field
    • SYN (Synchronize): Synchronize sequence numbers
    • ACK (Acknowledgment): Acknowledgement field significant
    • PSH (Push): Push function
    • FIN: No more data from sender
    • RST: Reset the connection

TCP Services

  • Reliable delivery: TCP uses acknowledgments to guarantee delivery, rather than upper layer protocols needing to detect and resolve errors
  • If an acknowledgment is not received, the sender retransmits the data, but acknowledgments can cause substantial delays
  • Examples of protocols that utilize TCP reliability: HTTP, SSL/TLS, FTP, DNS zone transfers
  • Flow control: TCP implements flow control; rather than acknowledging each segment individually, multiple segments can be acknowledged with a single acknowledgment segment
  • Stateful communication: TCP communication is stateful, with the state established during the TCP three-way handshake

TCP Three-Way Handshake

  • TCP connection is established in three steps:
  1. Initiating client requests a client-to-server communication session with server
  2. Server acknowledges the client-to-server communication session and requests a server-to-client communication session
  3. Initiating client acknowledges the server

TCP Attacks

  • Threat actors conduct port scans of target devices to see which services they offer
  • TCP SYN Flood Attack: The attack exploits the TCP three-way handshake
  • A threat actor continually sends TCP SYN session request packets with a randomly spoofed source IP address to a target
  • The target device replies with a TCP SYN-ACK packet to the spoofed IP address and waits for a TCP SYN-ACK packet
  • The responses never arrive; the target host becomes overwhelmed with half-open TCP connections, and TCP services are denied to legitimate users
  • A threat actor sends multiple SYN requests to a web server, which replies with a SYN-ACK for each SYN request and waits to complete the three-way handshake, but the threat actor never responds to complete the handshake
  • A valid user will not be able to access the web server

TCP Reset Attack

  • A TCP reset attack can terminate TCP communications in a civilized or uncivilized manner
  • Civilized manner: TCP uses a four-way exchange consisting of a pair of FIN and ACK segments from each TCP endpoint to close the TCP connection
  • Uncivilized manner: A host receives a TCP segment with the RST bit set, abruptly tearing down the TCP connection and telling the receiving host to immediately stop using it

Terminating a TCP Connection

  • Terminating a TCP session uses a four-way exchange process:
  1. When the client has no more data to send in the stream, it sends a segment with the FIN flag set
  2. The server sends an ACK to acknowledge the receipt of the FIN to terminate the session from client to server
  3. The server sends a FIN to the client to terminate the server-to

TCP Session Hijacking

  • TCP session hijacking is another TCP vulnerability
  • A threat actor takes over an already-authenticated host communicating with the target
  • The threat actor must spoof the IP address of one host, predict the next sequence number, and send an ACK to the other host
  • If successful, the threat actor could send, but not receive, data from the target device

UDP Segment Header/Operation

  • UDP is commonly used by DNS, TFTP, NFS, SNMP, or real-time applications (ex: media streaming/VoIP)
  • UDP is a connectionless transport layer protocol, which results in lower overhead than TCP because it is not connection-oriented and lacks sophisticated retransmission, sequencing, and flow control
  • The UDP segment structure is much smaller

UDP Attacks

  • UDP is unencrypted by default, enabling anyone to see/change traffic
  • Altering traffic changes the 16-bit checksum, but the checksum is optional and not always used
  • When the checksum is used, a threat actor can make a new checksum based on the new data payload, and then record it in the header as a new checksum so that the destination device will find that the checksum matches the data without knowing the data has been altered

UDP Flood Attacks

  • A UDP flood attack consumes all the resources on a network; this is often facilitated by a threat actor using tools like UDP Unicorn or Low Orbit Ion Cannon
  • These tools send a flood of UDP packets, often from a spoofed host, to a server on the subnet
  • The program sweeps through all the known ports trying to find closed ports
  • This causes the server to reply with an ICMP port unreachable message
  • Because there are many closed ports on the server, this creates a lot of traffic on the segment, consuming most bandwidth
  • Results are very similar to a DoS attack
