Social Engineering Attacks


Questions and Answers

What is the primary goal of social engineering attacks?

  • To install the latest operating system updates
  • To manipulate individuals into divulging confidential information or performing actions (correct)
  • To improve network security protocols
  • To physically damage computer hardware

What is 'pretexting' in the context of social engineering?

  • Creating a false scenario to convince a victim to provide information (correct)
  • Sending unsolicited emails in bulk
  • Physically following someone into a secured area
  • Looking over someone's shoulder to steal information

What does a threat actor do in a phishing attack?

  • Pretends to be someone they are not to gain trust
  • Rummages through trash bins for confidential documents
  • Inconspicuously observes someone's shoulder to steal information
  • Sends fraudulent emails disguised as legitimate communications (correct)

What is the main characteristic of a 'spear phishing' attack?

It is a targeted phishing attack tailored for a specific individual or organization. (D)

What is another term for 'spam'?

Junk mail (C)

What is 'something for something' or quid pro quo in social engineering?

A threat actor offers a gift in exchange for personal information. (D)

What is the social engineering attack known as 'baiting'?

Leaving a malware-infected device in a public location (D)

What is the main action performed by a threat actor during 'impersonation'?

Pretending to be someone they are not to gain trust (D)

What is 'tailgating' in the context of physical security?

Following an authorized person into a secure area (C)

What is 'shoulder surfing'?

Looking over someone's shoulder to steal passwords or information (B)

What does 'dumpster diving' involve?

Searching through trash bins to discover confidential documents (A)

What is the Social Engineering Toolkit primarily designed for?

Creating and executing social engineering attacks for testing networks (C)

What is a key recommendation for protecting against social engineering attacks?

Never give your username and password credentials to anyone (C)

What is a Denial of Service (DoS) attack intended to do?

Interrupt network services to users, devices, or applications (D)

What is a common characteristic of an 'Overwhelming Quantity of Traffic' DoS attack?

Sending an enormous amount of data to overwhelm a network or device (D)

What happens in a 'Maliciously Formatted Packets' DoS attack?

A host or application receives a packet it cannot handle, causing it to crash. (D)

What is the key difference between a DoS and a DDoS attack?

A DDoS attack originates from multiple, coordinated sources. (D)

In a DDoS attack, what is a 'botnet'?

A network of infected computers used to carry out attacks (C)

What is the purpose of the CnC system in a DDoS attack?

To send control messages to the zombies (D)

What key vulnerability of IP addressing is described?

IP does not validate whether the source IP address is legitimate. (C)

What is the purpose of ICMP in the context of network attacks?

Discover subnets and hosts on a protected network (B)

What is the goal of amplification and reflection attacks?

To prevent legitimate users from accessing information or services (B)

What is the primary action in address spoofing attacks?

Spoofing the source IP address in an IP packet (B)

What does a 'Man-in-the-Middle (MITM)' attack involve?

Positioning between a source and destination to monitor or control communication (D)

What is the purpose of using an ICMP access control list (ACL)?

To avoid ICMP probing from the Internet (B)

What is the function of ICMP echo request and echo reply messages?

To perform host verification and DoS attacks (A)

What is the purpose of an ICMP unreachable message?

To perform network reconnaissance and scanning attacks (B)

What type of attack is a Smurf attack?

An amplification and reflection technique used to create a DoS attack. (C)

In amplification attacks, what data is contained within the ICMP echo request messages?

The victim's IP address (A)

What is the purpose of MAC address spoofing attacks?

To alter the MAC address of a host to match another known MAC address. (C)

What is the role of the switch when it receives a frame with a newly-configured MAC address in a MAC spoofing attack?

It examines the source MAC address and updates its CAM table. (D)

What is a result of a successful MAC address spoofing attack?

Traffic destined for the target host is forwarded to the attacking host. (B)

What is a key function of TCP?

Stateful communication (D)

What is the initial step in the TCP three-way handshake?

The client sends a SYN packet to the server. (A)

What is exploited in a TCP SYN Flood attack?

The TCP three-way handshake (B)

What is the result of a successful TCP SYN Flood attack?

The TCP services on the target host are denied to legitimate users. (C)

What is the purpose of a TCP reset attack?

To terminate TCP communications between two hosts. (B)

What is the purpose of the FIN flag in TCP when terminating a connection?

To indicate that there is no more data to send in the stream (C)

What must a threat actor do to conduct a successful TCP session hijacking?

Spoof the IP address of one host and predict the next sequence number. (B)

What is a characteristic of UDP?

Lower overhead than TCP (C)

What commonly happens in a UDP flood attack?

All resources on a network are consumed. (C)

Flashcards

Social Engineering

An attack that attempts to manipulate individuals into divulging confidential information or performing certain actions.

Pretexting

A type of social engineering attack where a threat actor pretends to need personal or financial data to confirm the identity of the recipient.

Phishing

A fraudulent email disguised as being from a legitimate source to trick the recipient into installing malware or sharing personal information.

Spear Phishing

A targeted phishing attack tailored for a specific individual or organization.

Spam

Unsolicited email, often containing harmful links, malware, or deceptive content.

Something for Something

When a threat actor requests personal information in exchange for something such as a gift.

Baiting

A threat actor leaves a malware-infected flash drive in a public location, hoping a victim will insert it into their laptop.

Impersonation

A threat actor pretends to be someone they are not to gain the trust of a victim.

Tailgating

A threat actor quickly follows an authorized person into a secure location to gain access.

Shoulder Surfing

A threat actor inconspicuously looks over someone's shoulder to steal their passwords or other information.

Dumpster Diving

A threat actor rummages through trash bins to discover confidential documents.

Social Engineering Toolkit (SET)

Used to help security professionals create social engineering attacks to test their own networks.

Denial of Service (DoS)

An access attack that creates some sort of interruption of network services to users, devices, or applications.

Overwhelming Quantity of Traffic

A DoS attack where the threat actor sends an enormous quantity of data to overwhelm the network, host, or application.

Maliciously Formatted Packets

A DoS attack where the threat actor sends a maliciously formatted packet to a host or application that the receiver is unable to handle.

Distributed Denial of Service (DDoS)

Similar to a DoS attack, but originates from multiple, coordinated sources.

Botnet

A network of infected hosts (zombies) that a threat actor controls through a command and control (CnC) system, which sends control messages to the zombies.

Spoofed source IP address

IP does not validate whether the source IP address contained in a packet actually came from that source.

ICMP attacks

Attackers use Internet Control Message Protocol echo packets to generate DoS flood attacks, and to alter host routing tables.

Amplification and reflection attacks

Attackers attempt to prevent legitimate users from accessing information or services using DoS and DDoS attacks.

Address spoofing attacks

Threat actors spoof the source IP address in an IP packet to perform blind spoofing or non-blind spoofing.

Man-in-the-middle attack (MITM)

Attackers position themselves between a source and destination to transparently monitor, capture, and control the communication.

ICMP router discovery

This is used to inject bogus route entries into the routing

Non-blind spoofing

The threat actor can see the traffic that is being sent between the host and the target. The threat actor uses this to inspect the reply packet from the target victim.

Blind spoofing

The threat actor cannot see the traffic that is being sent between the host and the target.

Spoofing MAC address

Attackers alter the MAC address of their host to match another known MAC address of a target host.

TCP Segment Header

TCP segment information appears immediately after the IP header. The flags for the Control Bits field are displayed in the figure.

URG

Flags - Urgent pointer field significant.

SYN

Flags - Synchronize sequence numbers

ACK

Flags - Acknowledgement field significant

PSH

Flags - Push function

FIN

Flags - No more data from sender

RST

Flags - Reset the connection

Reliable delivery

TCP incorporates acknowledgments to guarantee delivery, instead of relying on upper layer protocols to detect and resolve errors.

Flow control

Rather than acknowledge with a single acknowledgment segment.

Stateful communication

TCP stateful communication between two parties occurs during the TCP three-way handshake.

Step 1/3 TCP three-way handshake

The initiating client requests a client-to-server communication session with the server.

Step 2/3 TCP three-way handshake

The server acknowledges the client-to-server communication session and requests a server-to-client communication session.

Step 3/3 TCP three-way handshake

The initiating client acknowledges the server-to-client communication session, establishing the connection.

Attack

Attack with random destination IPs to flood targets.

Study Notes

Social Engineering Attacks

  • Social engineering is an access attack used to manipulate individuals into divulging confidential information or performing certain actions
  • Techniques can be performed in person, over the phone or online

Social Engineering Attack Types

  • Pretexting: A threat actor pretends to need personal or financial data to confirm the recipient's identity
  • Phishing: A fraudulent email disguised as being from a legitimate source tricks the recipient into installing malware or sharing personal data
  • Spear Phishing: A targeted phishing attack tailored for a specific individual or organization
  • Spam: Unsolicited email, also known as junk mail, containing harmful links, malware, or deceptive content
  • Something for Something or "Quid pro quo": A threat actor requests personal data in exchange for something such as a gift.
  • Baiting: A threat actor leaves a malware-infected flash drive in a public location
  • Impersonation: A threat actor pretends to be someone else to gain the victim's trust
  • Tailgating: A threat actor quickly follows an authorized person into a secure location
  • Shoulder Surfing: A threat actor steals passwords or other information by inconspicuously looking over someone's shoulder
  • Dumpster Diving: A threat actor rummages through trash bins to find confidential documents

Social Engineering Toolkit (SET)

  • A tool designed to assist white hat hackers and network security professionals in creating social engineering attacks for network testing purposes

Denial of Service (DoS) Attacks

  • DoS attacks cause an interruption of network services
  • Overwhelming Quantity of Traffic: A threat actor floods a network with data, causing slow response times or crashes
  • Maliciously Formatted Packets: A threat actor sends a corrupted packet to a host, causing it to slow down or crash

Distributed Denial of Service (DDoS) Attacks

  • Similar to a DoS attack, the DDoS attack comes from multiple, coordinated sources
  • A threat actor builds a network of infected hosts (zombies) and uses a command and control (CnC) system to control them
  • Bot malware turns infected hosts into zombies, which together form a botnet
  • The CnC system directs the botnet to conduct the DDoS attack

IPv4 and IPv6

  • IP doesn't validate the source IP addresses, enabling threat actors to send packets using spoofed IP addresses
  • Attackers tamper with IP headers
  • Security analysts need to understand IPv4 and IPv6 headers
  • ICMP Attacks: Threat actors use Internet Control Message Protocol (ICMP) echo packets (pings) to discover subnets and hosts
  • Amplification and Reflection Attacks: Threat actors use these attacks to prevent legitimate users from accessing services using DoS and DDoS attacks
  • Address Spoofing Attacks: Threat actors spoof the source IP address in an IP packet to perform blind or non-blind spoofing
  • Man-in-the-Middle (MITM) Attack: Threat actors position themselves between a source and destination to monitor, capture and control communication

ICMP Attacks in Detail

  • Reconnaissance and scanning attacks are performed via ICMP
  • Attackers map out network topology and discover active hosts
  • ICMP identifies the host OS and determines firewall state
  • ICMP can be used for DoS attacks

Strict ICMP Access Control List (ACL) Filtering

  • Networks should have strict ICMP ACL filtering on the network edge to avoid ICMP probing from the internet
  • Security analysts should be able to detect ICMP-related attacks by looking at captured traffic and log files
  • Firewalls and Intrusion Detection Systems (IDS) automatically detect such attacks and generate alerts
  • ICMP echo request and echo reply are used to perform host verification and DoS attacks
  • ICMP Unreachable is used for reconnaissance and scanning attacks
  • ICMP Mask Reply maps an internal IP network
  • ICMP Redirects lure a target host through a compromised device thus creating a MITM attack

Amplification and Reflection Techniques

  • Threat actors create DoS attacks using amplification and reflection
  • Amplification: The threat actor forwards ICMP echo request messages to many hosts using the victim's spoofed source IP address
  • Reflection: The hosts reply to the victim at the spoofed IP address, overwhelming it
  • Resource exhaustion attacks consume the resources of a target host to either crash it or consume the resources of a network

Address Spoofing Attacks

  • Threat actors create packets with false source IP addresses to hide their identity or impersonate a legitimate user
  • Spoofing is incorporated into attacks such as Smurf attacks

Types of Spoofing Attacks

  • Non-blind spoofing: The attacker can see the traffic being sent between the host and target and uses this to inspect reply packets and determine firewall state, etc.
  • Blind spoofing: The attacker cannot see the traffic and is often used in DoS attacks

MAC Address Spoofing Attacks

  • Threat actors alter the MAC address of their host to match a known address of a target host
  • The attacking host sends a frame throughout the network with the newly-configured MAC address
  • When the switch receives the frame, it examines the MAC address

CAM Table Manipulation

  • The switch overwrites the current CAM table entry and assigns the MAC address to the new port, then forwards frames destined for the target host to the attacker
  • This is another spoofing example

TCP Segment Header

  • TCP segment information appears immediately after the IP header
  • URG: Urgent pointer field significant
  • SYN: Synchronize sequence numbers
  • ACK: Acknowledgement field significant
  • PSH: Push function
  • FIN: No more data from sender
  • RST: Reset the connection

TCP Services

  • Reliable delivery: TCP incorporates acknowledgments to guarantee delivery
  • Flow control: TCP implements flow control to address issues with guaranteed delivery
  • Stateful communication: Two parties use TCP for stateful communication during the TCP three-way handshake

TCP Three-Way Handshake

  • The initiating client requests a TCP connection to a server
  • The server acknowledges the client and sends a request to the client to connect back to the server
  • The client acknowledges the server, creating the connection

TCP Attacks

  • Network applications use TCP or UDP ports
  • Threat actors use port scans to discover these services

TCP SYN Flood Attack

  • Exploits the TCP three-way handshake by flooding the network with SYN requests aimed at a target
  • The threat actor sends multiple TCP SYN session requests with a randomly spoofed source IP address to a target, flooding the target
  • The target device gets overwhelmed by the amount of requests and eventually crashes

TCP Reset Attack

  • Used to terminate TCP communications between hosts, which can be done civilly or uncivilly
  • A civil TCP connection closes using a four-way exchange of FIN and ACK segments from each TCP endpoint
  • An uncivil TCP connection closure occurs when a host receives a TCP segment with the RST bit set to tear down the connection

Terminating a TCP Connection

  • Client-side terminates the process
  • The client has no more data to send and sends a segment with the FIN flag set
  • The server sends an ACK to acknowledge the receipt of the FIN to terminate the session from client to server, and vice versa

TCP Session Hijacking

  • An attack that takes over an already authenticated host to communicate with a target
  • The threat actor spoofs the IP address of one host, predicts the next sequence number, and sends an ACK to the other host
  • Data can be sent from the target device but can't be received by it

UDP Segment Header and Operation

  • Commonly used by DNS, TFTP, NFS, SNMP, media streaming and VoIP
  • Connectionless transport layer protocol with much lower overhead
  • Does not offer retransmission, sequencing, and flow control for reliability

UDP Attacks

  • Not protected by any encryption by default which means traffic can be inspected or changed
  • Alterations change the checksum of the data, but the checksum is optional, and may not be used
  • If it is used, the attacker can create a new checksum for the data

UDP Flood Attacks

  • In a UDP flood attack, the resources on a network are consumed
  • A tool is used that sends UDP packets from a spoofed host to a server on the subnet
  • The program sweeps through all known ports trying to find closed ports, which triggers an ICMP port unreachable message, which creates additional traffic
  • The result is very similar to a DoS attack
