Social Engineering Attacks


Questions and Answers

What is the primary goal of social engineering attacks?

  • To physically damage computer hardware
  • To improve network performance
  • To encrypt data for ransom
  • To manipulate individuals into divulging confidential information or performing actions (correct)

Which of the following best describes pretexting?

  • Leaving malware-infected USB drives in public places
  • Sending unsolicited emails
  • Creating a targeted phishing attack
  • Pretending to need personal data to confirm the recipient's identity (correct)

What is a common characteristic of phishing attacks?

  • They are always sent via SMS
  • They involve physical intrusion into a building
  • They are disguised as legitimate emails from trusted sources (correct)
  • They directly install hardware keyloggers

What distinguishes spear phishing from regular phishing?

Answer: Spear phishing is more targeted toward specific individuals or organizations (D)

Which term is used to describe unsolicited email containing harmful links or malware?

Answer: Spam (B)

What is 'quid pro quo' best associated with in the context of social engineering?

Answer: Something for Something (C)

Which of these attacks involves leaving a malware-infected device in a public location?

Answer: Baiting (A)

What does impersonation involve in social engineering?

Answer: Pretending to be someone you are not to gain trust (C)

What term describes a threat actor following an authorized person into a secure location?

Answer: Tailgating (D)

Which attack involves inconspicuously looking over someone's shoulder to steal information?

Answer: Shoulder surfing (B)

What is the purpose of a threat actor engaging in dumpster diving?

Answer: To discover confidential documents in the trash (D)

The Social Engineering Toolkit (SET) is primarily designed for what purpose?

Answer: To create and test social engineering attacks for security assessments (D)

Which of the following is a key practice to protect against social engineering attacks?

Answer: Always reporting suspicious individuals (C)

What is the primary effect of a Denial of Service (DoS) attack?

Answer: To interrupt network services to users, devices or applications (C)

What is involved in an 'Overwhelming Quantity of Traffic' DoS attack?

Answer: Sending an enormous amount of data to overwhelm a network or host (B)

What is the key characteristic of a 'Maliciously Formatted Packets' DoS attack?

Answer: Sending packets with errors, causing the receiving device to slow down or crash (D)

Why are DoS attacks considered a major risk?

Answer: They can interrupt communication and cause loss of time and money (C)

What is a key difference between a DoS attack and a DDoS attack?

Answer: A DoS attack originates from a single source, while a DDoS comes from multiple coordinated sources (B)

In a DDoS attack, what is a 'botnet'?

Answer: A collection of computers infected with malware and controlled by an attacker (C)

What is the role of a command and control (CnC) system in a DDoS attack?

Answer: To send control messages to the infected hosts (zombies) (B)

Why is it dangerous that IP does not validate the source IP address?

Answer: It allows threat actors to use spoofed IP addresses (D)

What is the purpose of ICMP attacks?

Answer: To perform reconnaissance and scanning, discover subnets and hosts (B)

What is the goal of amplification and reflection attacks?

Answer: To prevent legitimate users from accessing information or services using DoS and DDoS attacks (D)

Which of these attacks involves spoofing the source IP address?

Answer: Address spoofing attack (C)

What is the main goal of a man-in-the-middle (MITM) attack?

Answer: To position themselves between a source and destination to monitor, capture, and control the communication (C)

What is the purpose of strict ICMP access control list (ACL) filtering?

Answer: To avoid ICMP probing from the internet (B)

What is the main function of ICMP echo request and echo reply messages?

Answer: To perform host verification and DoS attacks (A)

What is the main purpose of ICMP unreachable messages?

Answer: To perform network reconnaissance and scanning attacks (B)

What is the purpose of a Smurf attack?

Answer: To overwhelm a target host using amplification and reflection techniques (C)

What is the purpose of non-blind spoofing?

Answer: To hijack authorized sessions (B)

When are MAC address spoofing attacks typically used?

Answer: When threat actors have access to the internal network (C)

What is the purpose of application or service spoofing attacks?

Answer: To create a MITM condition (B)

In a TCP segment header, what does the 'SYN' control bit stand for?

Answer: Synchronize sequence numbers (C)

What is the responsibility of the 'ACK' control bit in a TCP segment header?

Answer: Acknowledgement field significant (A)

What does 'reliable delivery' mean in the context of TCP services?

Answer: TCP guarantees delivery by using acknowledgments and retransmissions (B)

How does TCP ensure stateful communication?

Answer: Through the TCP three-way handshake (C)

What is the purpose of a TCP SYN flood attack?

Answer: To exploit the TCP three-way handshake to overwhelm a target with half-open connections (D)

In a TCP SYN flood attack, what happens to the target device?

Answer: It becomes overwhelmed with half-open TCP connections, denying TCP services to legitimate users (D)

What is the purpose of a TCP reset attack?

Answer: To terminate TCP communications between two hosts (D)

Terminating a TCP session uses the following four-way exchange process.

Answer: True (B)

What is the main goal of TCP session hijacking?

Answer: To take over an already-authenticated host and communicate with the target (D)

Which protocols commonly use UDP?

Answer: DNS, TFTP, NFS, & SNMP (B)

What is a key characteristic of UDP?

Answer: It is a connectionless transport layer protocol with lower overhead than TCP (A)

Flashcards

Social Engineering

Access attack that manipulates individuals into performing actions or divulging confidential information.

Pretexting

Pretending to need personal or financial data to confirm the recipient's identity.

Phishing

Fraudulent email disguised as legitimate to trick the recipient into installing malware or sharing information.

Spear Phishing

Targeted phishing attack tailored for a specific individual or organization.

Spam

Unsolicited email, often containing harmful links, malware, or deceptive content.

Something for Something

Requesting personal information in exchange for something, such as a gift.

Baiting

Leaving a malware-infected device in public for a victim to find and use.

Impersonation

Pretending to be someone else to gain a victim's trust.

Tailgating

Following an authorized person into a secure location.

Shoulder Surfing

Inconspicuously looking over someone's shoulder to steal information.

Dumpster Diving

Rummaging through trash bins to discover confidential documents.

Denial of Service (DoS)

Interrupting network services to users, devices, or applications.

Overwhelming Quantity of Traffic

Sending an enormous quantity of data to overwhelm a network or application.

Maliciously Formatted Packets

Sending a maliciously formatted packet that the receiver cannot handle, causing it to crash.

Distributed Denial of Service (DDoS)

Similar to DoS but originates from multiple, coordinated sources.

Botnet

Network of infected hosts used to carry out a DDoS attack.

Command and Control (CnC)

A system used to send control messages to zombies in a DDoS attack.

IPv4 and IPv6 Vulnerabilities

IP does not validate the source address, so actors send packets with a spoofed source IP address; analysts must understand the header fields.

ICMP Attacks

Actors use ICMP to discover subnets/hosts, generate DoS attacks, or alter routing tables.

Amplification and Reflection Attacks

Preventing legitimate users from accessing information using DoS and DDoS attacks.

Address Spoofing Attacks

Spoofing the source IP address in a packet to perform blind or non-blind spoofing.

Man-in-the-Middle Attack (MITM)

Positioning between source/destination to monitor, capture, and control communication.

ICMP echo request and echo reply

For host verification and DoS attacks.

ICMP unreachable

For network reconnaissance and scanning attacks.

ICMP mask reply

Map an internal IP network.

ICMP redirects

Lure a target to send all traffic through a compromised device.

ICMP router discovery

Inject bogus route entries into the routing table.

Amplification

Forwarding ICMP echo requests to many hosts.

Reflection

Hosts reply to the spoofed IP address.

Address Spoofing

Creating packets with false source IP address information to hide the sender.

Non-blind spoofing

The actor sees the traffic between host and target.

Blind spoofing

The actor does not see the traffic.

MAC address

Used on the internal network; the actor alters their host's MAC address to match a known target MAC address.

TCP and UDP

Transport layer protocols used on the internet.

TCP Segment Header

Segment information appears immediately after the IP header.

URG

Urgent pointer field significant.

SYN

Synchronize the sequence numbers.

ACK

Acknowledgement field significant.

FIN

No more data from sender.

RST

Resets the connection.

Three-way handshake

Contains three steps.

Study Notes

Social Engineering Attacks

  • Social engineering attacks manipulate individuals into performing actions or divulging confidential information
  • These attacks can be in-person, over the phone, or online

Types of Social Engineering Attacks

  • Pretexting: A threat actor pretends to need personal/financial data to confirm a recipient's identity
  • Phishing: A fraudulent email disguised as a legitimate source tricks the recipient into installing malware or sharing personal/financial data
  • Spear Phishing: A targeted phishing attack tailored to a specific individual/organization
  • Spam: Also known as junk mail, it is unsolicited email containing harmful links, malware, or deception
  • Something for Something: Also called "Quid pro quo" where personal information is requested in exchange for a gift
  • Baiting: Malware-infected flash drives are left in public locations to be found and inserted into a computer, installing malware
  • Impersonation: A threat actor pretends to be someone they are not in order to gain a victim's trust
  • Tailgating: A threat actor closely follows an authorized person into a secure location
  • Shoulder Surfing: A threat actor steals passwords/information by inconspicuously looking over someone's shoulder
  • Dumpster Diving: A threat actor rummages through trash bins to find confidential documents

Social Engineering Toolkit

  • The Social Engineering Toolkit (SET) helps security professionals create social engineering attacks for network testing

Denial of Service (DoS) Attacks

  • DoS attacks interrupt network services for users, devices, or applications
  • Overwhelming Quantity of Traffic: Sending an unmanageable amount of data to a network/host/application, slowing or crashing it
  • Maliciously Formatted Packets: Sending a malformed packet to a host/application, causing the receiving device to run slowly or crash

Consequences of DoS Attacks

  • DoS attacks interrupt communication
  • They cause significant losses of time and money

Distributed Denial of Service (DDoS) Attacks

  • DDoS attacks are similar to DoS attacks, but originate from multiple, coordinated sources
  • A threat actor builds a network of infected hosts aka zombies
  • The threat actor uses a command and control (CnC) system to send control messages to the zombies
  • Zombies scan and infect more hosts with bot malware
  • The collection of zombies is termed a botnet
  • When ready, the threat actor uses the CnC system to make the botnet of zombies carry out a DDoS attack

IPv4 and IPv6

  • IP does not validate the source IP address in a packet
  • Spoofing source IP addresses is possible, allowing threat actors to send false packets
  • The other fields in the IP header can be tampered with
  • It is important to understand the different fields in both the IPv4 and IPv6 headers
  • ICMP Attacks: Threat actors use ICMP echo packets (pings) to discover subnets/hosts, generate DoS floods, and alter routing tables
  • Amplification and Reflection Attacks: Threat actors block legitimate users from accessing information/services using DoS/DDoS attacks
  • Address Spoofing Attacks: Threat actors spoof the source IP address in a packet for blind/non-blind spoofing
  • Man-in-the-Middle (MITM) Attacks: Threat actors position themselves to monitor, capture, and control communication between source and destination

ICMP Attacks Tactics

  • Used for reconnaissance and scanning attacks
  • Information-gathering attacks map network topology
  • ICMP is used to discover active hosts, identify OS, and determine firewall states
  • Also used for DoS attacks

Network Security with ICMP

  • Strict ICMP access control list (ACL) filtering on the network edge avoids ICMP probing from the internet
  • Security analysts detect ICMP attacks by checking captured traffic/log files
  • Firewalls and intrusion detection systems (IDS) detect attacks and alert analysts

ICMP Messages Used by Hackers

  • ICMP echo request and echo reply: Used for host verification and DoS attacks
  • ICMP unreachable: Used for network reconnaissance and scanning attacks
  • ICMP mask reply: Used to map an internal IP network
  • ICMP redirects: Used to lure a target host to send all traffic through a compromised device that creates a MITM attack

Amplification and Reflection Attack Details and Prevention

  • Threat actors use amplification and reflection techniques to create DoS attacks
  • ICMP echo request messages are forwarded to many hosts, containing the victim's spoofed IP address
  • All hosts reply to the victim's spoofed IP address to overwhelm it
  • Resource exhaustion attacks can also consume a target host or network's resources

Address Spoofing Attacks

  • Threat actors create packets with false source IP addresses
  • This hides the identity of the sender / impersonates another user
  • This can provide access to otherwise inaccessible data/circumvent security
  • Often incorporated into other attacks, such as Smurf attacks

Types of Spoofing Attacks

  • Non-blind Spoofing: Threat actor sees traffic between host and target and inspects packets to determine firewall state/sequence numbers/session hijacking
  • Blind Spoofing: Threat actor cannot see the traffic and is usually used for DoS attacks

MAC Address Spoofing

  • MAC address spoofing occurs when threat actors have access to the internal network
  • They alter their host's MAC address to match a target host's known MAC address
  • After the switch receives a frame, it examines the source MAC address

CAM Table Updates

  • The switch overwrites the CAM table entry and assigns the MAC address to a new port
  • Frames destined for the target host are sent to the attacking host

Application/Service Spoofing

  • Application/Service spoofing is another spoofing example
  • A threat actor connects a rogue DHCP server to create a MITM condition

TCP Segment Header Information

  • Appears immediately after the IP header
  • Includes fields and flags for the Control Bits
  • URG: Urgent pointer field significant
  • SYN: Synchronize sequence numbers
  • ACK: Acknowledgement field significant
  • PSH: Push function
  • FIN: No more data from sender
  • RST: Reset the connection

TCP Services

  • Reliable Delivery: Acknowledgments guarantee delivery and retransmit missing data
  • Flow Control: Manages data flow to avoid overwhelming the receiver
  • Stateful Communication: Managed through a TCP three-way handshake

TCP Three-Way Handshake Steps

  • Initiating client requests a client-to-server communication session with server
  • The server acknowledges the client-to-server communication session and requests a server-to-client communication session
  • The initiating client acknowledges the server-to-client communication session

TCP Attacks

  • Network applications use TCP or UDP ports
  • Threat actors conduct port scans of target devices to discover which services they offer

TCP SYN Flood Attack

  • Exploits the TCP three-way handshake
  • The attack continually sends TCP SYN session request packets with a randomly spoofed source IP address to a target
  • The target device replies with a TCP SYN-ACK packet to the spoofed IP address and waits for a TCP ACK packet
  • Those responses never arrive, because the spoofed sources never sent the SYN
  • Eventually the target host is overwhelmed with half-open TCP connections
  • TCP services are denied to legitimate users

SYN Flood Attack Details

  • The threat actor sends multiple SYN requests to a web server
  • The web server replies with SYN-ACKs for each SYN request and waits to complete the three-way handshake
  • The threat actor does not respond to the SYN-ACKs, and a valid user cannot access the web server because the server is occupied with the half-open connections
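The two lists above describe the same failure from the server's side: SYN arrives, SYN-ACK goes out, the ACK never comes back, and the half-open entry sits there. The following is an added example, not code from the lesson, that replays constructed packet summaries through a small handshake tracker and reports servers whose half-open count crosses a threshold, the kind of check an analyst would run over captured traffic. All addresses, ports, the line format and the threshold are assumptions made for the example.

```python
"""Added example (not from the lesson): replay packet summaries through a TCP handshake
tracker and report servers that accumulate half-open connections. All addresses and
packet lines below are constructed."""
from collections import defaultdict

# Constructed packet summaries in the form "<ts> <src>:<sport> > <dst>:<dport> <flags>"
# Flags: S = SYN, SA = SYN-ACK, A = ACK. Two clients complete the handshake normally...
LEGIT_LINES = [
    "1.000 198.51.100.7:40001 > 192.0.2.10:80 S",
    "1.001 192.0.2.10:80 > 198.51.100.7:40001 SA",
    "1.002 198.51.100.7:40001 > 192.0.2.10:80 A",
    "1.010 198.51.100.8:51234 > 192.0.2.10:80 S",
    "1.011 192.0.2.10:80 > 198.51.100.8:51234 SA",
    "1.012 198.51.100.8:51234 > 192.0.2.10:80 A",
]
# ...then 50 SYNs arrive from 50 different (spoofed) sources; the server answers each with
# a SYN-ACK that is never acknowledged, exactly the pattern the notes describe.
FLOOD_LINES = []
for _i in range(1, 51):
    FLOOD_LINES.append(f"2.{_i:03d} 203.0.113.{_i}:{1000 + _i} > 192.0.2.10:80 S")
    FLOOD_LINES.append(f"2.{_i:03d} 192.0.2.10:80 > 203.0.113.{_i}:{1000 + _i} SA")
SAMPLE_LINES = LEGIT_LINES + FLOOD_LINES


def parse_line(line):
    """Split one summary line into (ts, src_ip, src_port, dst_ip, dst_port, flags)."""
    ts, src, _, dst, flags = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return float(ts), src_ip, int(src_port), dst_ip, int(dst_port), flags


def track_handshakes(lines):
    """Return {(client_ip, client_port, server_ip, server_port): state} after replaying lines."""
    state = {}
    for line in lines:
        _, sip, sport, dip, dport, flags = parse_line(line)
        if flags == "S":
            # Step 1: the server now holds a half-open entry for this client tuple.
            state[(sip, sport, dip, dport)] = "SYN_RECEIVED"
        elif flags == "SA":
            # Step 2 travels server -> client, so the client tuple is the reverse of this packet.
            key = (dip, dport, sip, sport)
            if state.get(key) == "SYN_RECEIVED":
                state[key] = "SYN_ACK_SENT"
        elif flags == "A":
            # Step 3: the client's ACK completes the handshake.
            key = (sip, sport, dip, dport)
            if state.get(key) == "SYN_ACK_SENT":
                state[key] = "ESTABLISHED"
        elif flags in ("R", "RA"):
            # A reset from either side frees the entry.
            state.pop((sip, sport, dip, dport), None)
            state.pop((dip, dport, sip, sport), None)
    return state


def half_open_report(lines, threshold=20):
    """Per server (ip, port): count half-open vs established entries; alert above threshold."""
    per_server = defaultdict(lambda: {"half_open": 0, "established": 0, "sources": set()})
    for (cip, _cport, sip, sport), st in track_handshakes(lines).items():
        rec = per_server[(sip, sport)]
        if st == "ESTABLISHED":
            rec["established"] += 1
        else:
            rec["half_open"] += 1
            rec["sources"].add(cip)
    alerts = []
    for (sip, sport), rec in per_server.items():
        if rec["half_open"] >= threshold:
            alerts.append({
                "server": f"{sip}:{sport}",
                "half_open": rec["half_open"],
                "distinct_sources": len(rec["sources"]),  # many distinct sources suggests spoofing
                "established": rec["established"],
            })
    return alerts


if __name__ == "__main__":
    for alert in half_open_report(SAMPLE_LINES):
        print(alert)
```

On the constructed sample the legitimate lines alone produce no alert, while the full sample reports 50 half-open entries from 50 distinct sources against two established sessions on 192.0.2.10:80. The distinct-source count is worth keeping in the output: a flood of half-open entries that all come from different addresses, none of which ever completes, is the signature of the randomly spoofed sources the notes describe.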

TCP Reset Attack

  • A TCP reset attack terminates TCP communications between two hosts in either a civilized or non-civilized manner
  • Civilized: uses a four-way exchange with FIN and ACK segments
  • Uncivilized: a host receives a TCP segment with the RST bit set, abruptly tearing down the connection

Terminating a TCP Connection Steps

  • The client sends a segment with the FIN flag set when it has no more data to send in the stream
  • The server sends an ACK to acknowledge the receipt of the FIN to terminate the session from client to server
  • The server sends a FIN to the client to terminate the server-to-client session

TCP Session Hijacking

  • TCP session hijacking is when a threat actor takes over an already-authenticated host
  • To do this, the threat actor must spoof the IP address of one host, predict the next sequence number, and send an ACK to the other host
  • The attacker will be able to send data from the target device but will not be able to read the data received by the target

UDP Segment Header and Operation

  • UDP is used by DNS, TFTP, NFS, and SNMP as well as media streaming and VoIP
  • A connectionless transport layer protocol, the UDP segment structure is smaller than TCP’s segment structure

UDP Attacks

  • UDP traffic is not protected by any encryption
  • Anyone who can see UDP traffic can also change it, and the altered datagram is then sent on to its destination
  • Altering the data changes the 16-bit checksum, but the checksum is optional
  • The threat actor can compute a new checksum over the altered data payload and record it in the header in place of the original
  • The destination device finds that the checksum matches the data and cannot tell that the data has been altered
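The bullet list above is easiest to believe once the checksum is computed by hand. The following is an added example, not code from the lesson, that implements the RFC 768 UDP checksum (pseudo-header, header and payload summed in one's complement) and runs the scenario the notes describe: a datagram verifies, an in-flight edit of the payload makes it fail, and recomputing the checksum over the altered payload makes the receiver accept it again. The addresses, ports and payload are constructed for the example.

```python
"""Added example (not from the lesson): RFC 768 UDP checksum, showing why a recomputed
checksum hides payload tampering. Addresses, ports and payloads below are constructed."""
import socket
import struct
from typing import Optional

UDP_PROTOCOL = 17
UDP_HEADER_LEN = 8


def _ones_complement_sum(data: bytes) -> int:
    """16-bit one's complement sum with end-around carry (the IP/TCP/UDP checksum primitive)."""
    if len(data) % 2:
        data += b"\x00"  # odd-length input is padded with a zero byte for the sum only
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def _pseudo_header(src_ip: str, dst_ip: str, udp_length: int) -> bytes:
    """IPv4 pseudo-header: source, destination, zero byte, protocol 17, UDP length."""
    return (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
            + struct.pack("!BBH", 0, UDP_PROTOCOL, udp_length))


def build_udp(src_ip: str, dst_ip: str, src_port: int, dst_port: int, payload: bytes) -> bytes:
    """Build a UDP datagram (header + payload) carrying a valid checksum."""
    length = UDP_HEADER_LEN + len(payload)
    header_zero_csum = struct.pack("!HHHH", src_port, dst_port, length, 0)
    csum = (~_ones_complement_sum(_pseudo_header(src_ip, dst_ip, length)
                                  + header_zero_csum + payload)) & 0xFFFF
    if csum == 0:
        csum = 0xFFFF  # RFC 768: a computed zero is sent as all ones, since zero means "no checksum"
    return struct.pack("!HHHH", src_port, dst_port, length, csum) + payload


def verify_udp(src_ip: str, dst_ip: str, datagram: bytes) -> Optional[bool]:
    """True if the checksum matches, False if not, None if the sender omitted it (field is zero)."""
    _, _, length, csum = struct.unpack("!HHHH", datagram[:UDP_HEADER_LEN])
    if csum == 0:
        return None  # the checksum is optional over IPv4; a receiver then has nothing to check
    # Summing the datagram with its checksum field in place must give all ones.
    return _ones_complement_sum(_pseudo_header(src_ip, dst_ip, length) + datagram[:length]) == 0xFFFF


def strip_checksum(datagram: bytes) -> bytes:
    """Return the same datagram with the checksum field cleared, i.e. checksum omitted."""
    return datagram[:6] + b"\x00\x00" + datagram[8:]


def tamper_demo(src_ip: str = "192.0.2.10", dst_ip: str = "192.0.2.20"):
    """Replay the notes' scenario on a constructed datagram.

    Returns (original_ok, tampered_ok, recomputed_ok): the original verifies, an
    in-flight edit of the payload breaks the checksum, and re-computing the checksum
    over the altered payload makes the receiver accept it again.
    """
    original = build_udp(src_ip, dst_ip, 40000, 5000, b"amount=100")
    # Edit the payload in flight without touching the checksum field: the receiver notices.
    tampered = original[:UDP_HEADER_LEN] + b"amount=900"
    # Recompute the checksum over the altered payload and write it into the header:
    # the receiver has no way to tell this apart from a genuine datagram.
    recomputed = build_udp(src_ip, dst_ip, 40000, 5000, b"amount=900")
    return (
        verify_udp(src_ip, dst_ip, original),
        verify_udp(src_ip, dst_ip, tampered),
        verify_udp(src_ip, dst_ip, recomputed),
    )


if __name__ == "__main__":
    print(tamper_demo())  # (True, False, True)
```

The checksum is an error-detection code keyed on nothing: anyone who can rewrite the payload can rewrite the checksum with the same function the receiver uses, which is why the notes say the destination cannot tell that the data has been altered. Integrity against a deliberate change has to come from a layer that the on-path party cannot recompute.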

UDP Flood Attacks

  • UDP flood attacks consume all network resources
  • A threat actor uses tools like UDP Unicorn or Low Orbit Ion Cannon
  • These tools send a flood of UDP packets, often from a spoofed host, to a server on the subnet
  • The program sweeps through ports trying to find a closed port
  • Each closed port makes the server reply with an ICMP port unreachable message, consuming bandwidth
  • The result is very similar to a DoS attack
