Understanding SSL/TLS Strip Attack

Questions and Answers

What is a primary characteristic of a Man-In-The-Middle (MITM) attack?

• The attacker impersonates a trusted source to gain sensitive information. (correct)
• The attacker captures traffic but cannot decrypt it.
• The attacker disables the victim's firewall.
• The attacker utilizes encryption to protect their identity.

In the process of a DNS poisoning attack, what does the attacker typically provide?

• A fake IP address linked to a malicious site. (correct)
• Real-time traffic monitoring software.
• A secondary DNS server for backup.
• The correct IP address of the legitimate site.

How can end-to-end encryption protect data during transmission?

• By completely eliminating the need for authentication.
• By allowing multiple users to access the same session key.
• By preventing eavesdropping and ensuring only the intended recipients can decrypt the data. (correct)
• By ensuring that all secret parameters are sent in plaintext.

What is the main goal of a DNS amplification attack?

To overwhelm a victim's system with excessive traffic. (C)

What is a possible consequence of insecure settings in encryption protocols?

Compromise of target privacy. (B)

What is a drawback of Network Address Translation (NAT)?

It complicates incoming connection requests. (B)

Which of the following best describes DNS tunneling?

Using DNS requests to encode and transmit non-DNS traffic. (B)

Which cryptographic problem helps secure the exchange of parameters in end-to-end encryption?

Discrete logarithm problem (D)

What is the primary benefit to an attacker maintaining an unencrypted HTTP connection during an SSL strip attack?

The attacker can capture data from the client without encryption. (A)

How does the DNS work in relation to translating hostnames?

It follows a hierarchical naming scheme, querying from root to TLD to authoritative. (A)

Which of the following statements best describes a MITM (Man In The Middle) attack?

It is when an attacker intercepts and relays communications between two parties. (A)

What does HSTS stand for, and what is its function?

HTTP Strict Transport Security; it enforces HTTPS connections. (A)

Which attack involves compromising a DNS resolver to return incorrect IP addresses?

DNS Spoofing (D)

What security measure can browsers employ to prevent SSL strip attacks on initial visits?

Implement a list of sites that must use HTTPS. (C)

During a DDoS attack, what is the primary strategy employed by the attackers?

Flooding the network with excessive traffic. (C)

What is a potential consequence of DNS tunneling?

Establishment of a stealthy communication channel. (B)

What is a key characteristic of a phishing site?

It resembles a legitimate website. (A)

What happens during a subdomain takeover?

An attacker gains control over a subdomain by exploiting a CNAME record. (B)

In DNS tunneling, what is the primary purpose of the attacker's malware on the victim's machine?

To transfer data covertly to an attacker's server. (A)

What type of attack is a DNS flood attack classified as?

Distributed Denial of Service (DDoS) attack (B)

How can an attacker exploit a CNAME record to control a subdomain?

By creating a new account after the original is deleted. (C)

What is one reason an attacker might choose DNS for data exfiltration?

DNS traffic is often overlooked by firewalls. (A)

What does credential theft involve?

Capturing user login information on a fraudulent site. (B)

Which of the following best describes DNS poisoning?

Manipulating DNS settings to redirect traffic. (D)

Study Notes

SSL/TLS Strip

• Browsers typically redirect from non-secure (http) to secure (https) versions of websites.
• In a Man-In-The-Middle (MITM) attack, an attacker intercepts the request and serves the http version instead.
• The attacker maintains an unencrypted connection with the user while connecting securely to the actual site.
• Users believe they are secure but their data is transmitted through the attacker unencrypted.
• Attackers can capture user data without detection by relaying encrypted queries to the actual server.
• HSTS (HTTP Strict Transport Security) ensures browsers always use HTTPS for specific sites, mitigating SSL strip attacks.
• Browsers can have built-in lists of sites that enforce HTTPS, protecting first-time visitors.

DNS Overview

• DNS translates domain names into IP addresses using a hierarchical structure (Root -> TLD -> Authoritative).

DNS Manipulation Attacks

• MITM in DNS Lookup: Attacker compromises DNS to redirect users to malicious sites mimicking legitimate URLs.
• Users input credentials unknowingly on fake sites, leading to data theft.
• DNS Amplification Attack: The attacker floods a victim’s network using a DNS server to send large responses, overwhelming the victim's system.

Network Address Translation (NAT)

• NAT helps conserve IP addresses and allows private networks to access the internet using unregistered IPs.

Phishing and Subdomain Takeover

• Phishing sites replicate legitimate sites to steal user credentials.
• Subdomain Takeover: An attacker registers a non-existing domain linked to a legitimate domain's CNAME, gaining control over the subdomain if the CNAME is not removed.

DNS Tunneling

• Malware makes DNS queries to exfiltrate data where traditional methods may be blocked.
• The attacker uses a domain to receive encoded data through seemingly benign DNS inquiries.

DNS Flood Attack

• A type of DDoS attack targeting DNS servers by generating a high volume of requests from compromised devices (bots), overwhelming the servers.

Description

This quiz explores the SSL/TLS Strip attack, a man-in-the-middle (MITM) vulnerability that allows attackers to intercept and manipulate web traffic. You will learn how this attack occurs when users connect to websites without the secure HTTPS protocol. Test your knowledge of security measures and how to recognize potential vulnerabilities.