Summary

This document provides an introduction to ethical hacking, covering key concepts and terminology. It discusses different types of malicious software (malware), like worms and viruses, and their characteristics. The document also introduces various attack types.

Full Transcript


ETHICAL HACKING UNIT 1
Asst. Prof Jesica D’cruz

Information Security: Attacks and Vulnerabilities

Introduction to information security

Terms and terminologies used in the spectrum of information security, network security and ethical hacking

Asset
Any resource that needs protection from an attacker is an asset; the system must provide some way of protecting it. Common assets in any system:
i) Computer equipment: desktop PCs, laptops, tablets, servers, etc.
ii) Communication equipment: routers, switches, firewalls, modems, etc.
iii) Storage media: hard drives, CD-ROMs, SD cards and any other media on which information is stored.

Access Control
Defines the spectrum of accessibility granted to an entity, i.e. which subjects may perform which operations on which resources.

Confidentiality, Integrity and Availability (CIA)
Confidentiality: information is kept private from third parties. Integrity: information is not altered between source and destination. Availability: resources are available to authorised users whenever they need them (24x7).

Authentication
Authentication is the process by which an entity proves that it is who it claims to be. Common methods are something you know (passwords), something you have (cards or tokens) and something you are (biometrics).

Authorization
Authorization specifies the extent of access an authenticated user has to a resource. Authentication establishes identity; authorization decides what that identity is allowed to do.

Risk
Risk is the likelihood that an asset will be attacked, combined with the impact if the attack succeeds. Risk analysis estimates the risk looming over the assets of the system; assigning a value to each asset is what turns a likelihood into an actual risk figure that can be compared and prioritised.

Threat
A threat is a potential source of danger to the system from attackers. Threats that need to be considered include snooping, traffic analysis, modification, masquerading, replaying, repudiation and denial of service.

Vulnerability
A vulnerability is a weakness or loophole in hardware, software, applications, protocols, etc. that an attacker can exploit to harm the system.
Attack Surface
The attack surface of a computer system is the set of points (network services, interfaces, input-handling code) that an attacker can reach and attempt to exploit, through either vulnerabilities or insecure configurations. Removing unneeded services and features shrinks it.

Malware
Malware is malicious software: software that is intentionally included or inserted in a system for a harmful purpose.

Security-Functionality-Ease of Use Triangle
To make a system more secure we add security controls to prevent attacks, while at the same time the system must remain functional and usable for authorised users. The three goals pull against each other: moving towards any one corner of the triangle (more security, more functionality or more ease of use) tends to move the system away from the other two, so a design is a deliberate choice of where to sit.

Types of malware
Some of the common malware types are:

i) Worms
A worm is malware that runs independently and does not need a host program to execute. A worm replicates (copies) itself and sends the copies from computer to computer across network connections. After infecting a system the worm may be activated to replicate and propagate again. In addition to propagation, the worm usually performs some unwanted function. A worm actively seeks out more machines to infect, and each infected machine serves as an automated launching pad for attacks on other machines.

ii) Viruses
A computer virus is a piece of malware that attaches itself to other programs by modifying them. It injects itself into the original program together with a routine that makes copies of the virus, which can then infect other programs. A virus can do anything that other programs do; the difference is that it attaches itself to another program and executes secretly when the host program is executed. Once a virus executes it can perform any function, such as erasing files and programs, that is allowed by the privileges of the current user.

Structure of a virus: a computer virus has three parts
a. Infection mechanism: the means by which the virus spreads and replicates.
b. Trigger: the event or condition that activates the virus so that it starts doing damage.
c. Payload: the actual damage done by the virus (or, in some viruses, a harmless action).

Phases of a virus: during its lifetime a virus goes through the following phases
a. Dormant phase: the virus is idle, waiting to be activated by some event such as the presence of a program or file, or a date.
b. Propagation phase: the virus copies itself into other programs or systems through its infection mechanism.
c. Triggering phase: the virus is activated to perform the function for which it was intended. The trigger may be an event or a time limit.
d. Execution phase: the payload runs. The function may be harmless, such as a message on the screen, or damaging, such as the destruction of programs and data files.

Classification of viruses: a virus can be classified into the following categories
a. Encrypted virus: the body of the virus is stored encrypted, and a small decryption routine plus the key travel with it. On each infection a different key is used, so the encrypted body looks different every time and a signature taken from one copy does not match the next; only the decryptor is constant, and that is what scanners look for.
b. Stealth virus: a virus explicitly designed to hide itself from detection by antivirus software, for example by intercepting file reads so that an infected file appears unmodified. The entire virus is hidden.
c. Polymorphic virus: a virus that mutates with every infection, so that two copies share no usable signature. This makes simple signature-based detection ineffective, although the decryptor or the decrypted body can still be recognised.
d. Metamorphic virus: a metamorphic virus mutates with every infection and rewrites itself completely at each iteration, increasing the difficulty of detection. Metamorphic viruses may change their behaviour as well as their appearance.

iii) Trojans
A Trojan is a malicious program that appears to have some useful purpose. In many cases the Trojan performs a desirable function for the user but at the same time gives an attacker access to the user’s computer system. Trojans are often downloaded along with another program or software package.
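The point made under encrypted and polymorphic viruses above (a body that changes on every infection defeats a static signature, so a scanner has to look at the constant decryptor or at the decrypted body) as a runnable demonstration. This is an added example, not code from the lecture notes: the "malicious body" is a plain string, the "decryptor" is a one-byte XOR loop with a made-up stub marker, and the signature bytes are chosen for the example. Nothing in it executes anything.

```python
"""Added example (not from the lecture notes): why an encrypted or
polymorphic variant defeats a naive signature scanner, and what a
scanner has to do instead.  All inputs are constructed toys."""
import os

# Constructed sample of a plain (unencrypted) malicious body.
PLAIN_BODY = b"<<evil-routine: delete *.doc; copy self to every .exe>>"

# A static signature is just a distinctive byte sequence from that body.
STATIC_SIGNATURE = b"copy self to every .exe"

# The constant part of the toy decryptor stub that every encrypted
# variant carries in clear text (it has to, or it could not run).
DECRYPTOR_STUB = b"\xebXOR-LOOP\x00"


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def make_encrypted_variant(body: bytes, key=None) -> bytes:
    """Simulate an encrypted/polymorphic infection: a fresh one-byte key
    per copy (random unless given), so the encrypted body never repeats."""
    if key is None:
        key = os.urandom(1)[0] or 1      # avoid key 0, which would be a no-op
    return DECRYPTOR_STUB + bytes([key]) + xor_bytes(body, key)


def scan_static(sample: bytes) -> bool:
    """The naive scanner: look for the static signature only."""
    return STATIC_SIGNATURE in sample


def scan_with_decryptor_emulation(sample: bytes) -> bool:
    """The better scanner: if the sample carries the decryptor stub,
    'emulate' it (apply the stored key) and scan the decrypted body."""
    if STATIC_SIGNATURE in sample:
        return True
    idx = sample.find(DECRYPTOR_STUB)
    if idx == -1:
        return False
    key_pos = idx + len(DECRYPTOR_STUB)
    key = sample[key_pos]
    decrypted = xor_bytes(sample[key_pos + 1:], key)
    return STATIC_SIGNATURE in decrypted


def demo() -> dict:
    """Verdicts of both scanners on the plain body, two encrypted
    variants (fixed keys so the result is reproducible) and a benign file."""
    variant_a = make_encrypted_variant(PLAIN_BODY, key=0x5A)
    variant_b = make_encrypted_variant(PLAIN_BODY, key=0x3C)
    benign = b"just a normal document with no signature in it"
    return {
        "static_on_plain": scan_static(PLAIN_BODY),
        "static_on_variant": scan_static(variant_a),
        "static_on_benign": scan_static(benign),
        "emul_on_variant": scan_with_decryptor_emulation(variant_a),
        "emul_on_benign": scan_with_decryptor_emulation(benign),
        "variants_differ": variant_a != variant_b,
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The same body encrypted under two keys shares no bytes except the stub, which is exactly why real antivirus engines emulate or unpack a sample before matching signatures, and why malware authors in turn mutate the decryptor itself (polymorphism and metamorphism).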
Trojans can do the following damage to the system as soon as they are installed:
- data theft and loss
- watching screen images
- system crashes or slowdowns
- restarting or shutting down infected hosts
- acting as launch pads for DDoS attacks
- running commands remotely
- intercepting keystrokes

iv) Spyware
Spyware is software designed to gather information about the user’s activity (email addresses, login information and other details) without the user’s permission. Spyware hides its files and processes to avoid detection. Some common types of spyware are:
a) Adware
b) System monitors
c) Tracking cookies

Features of spyware
i. Tracking users
ii. Monitoring user activity
iii. Video recording
iv. Audio recording
v. Email tracking
vi. GPS tracking
vii. Locking applications and services

v) Rootkits
A rootkit is a collection of software designed to give a remote user privileged access to the target system while concealing that access. Rootkits are deployed after the system has already been compromised; they are used to keep the administrative (privileged) access the attacker has obtained. Rootkits create a backdoor into the system so that security checks are bypassed, and they hide themselves (their files, processes and network connections) so that detection becomes difficult.

Types of rootkits
a) Application-level rootkits: manipulate application files and modify the behaviour of applications.
b) Kernel-level rootkits: add code to, or replace code in, the kernel, which is the core of the operating system. Because they run with kernel privileges they can lie to every user-space tool, including antivirus.
c) Hardware/firmware-level rootkits: hide in the firmware of the hard disk, NIC, system BIOS, etc., so they survive reinstallation of the operating system.
d) Hypervisor-level rootkits: exploit features such as hardware-assisted virtualisation to run the original operating system as a guest beneath the rootkit.

TYPES OF VULNERABILITIES IDENTIFIED BY THE Open Web Application Security Project (OWASP)

Cross-site scripting (XSS)
1. Cross-site scripting (XSS) is a web security vulnerability that allows attackers to inject malicious scripts into web pages viewed by other users.
2. Attackers use a vulnerable web page or application to deliver the malicious code to users; the code is executed in the victim’s browser when the victim loads the page.
3. The same happens when a parameter entered into a web form is echoed back by the web application without being encoded.
4. The injected script runs with the privileges of the site in the victim’s browser, so it can read session cookies, alter the page or send requests on the user’s behalf.
5. Countermeasure: validate cookies, query strings, form fields and hidden fields on input, and encode all untrusted data for the context (HTML, attribute, JavaScript, URL) in which it is output.

Cross-site request forgery (CSRF/XSRF)
1. Cross-site request forgery (CSRF) is an attack that tricks a user into performing unwanted actions on a website or web application in which they are authenticated.
2. An attacker tricks a user into clicking a link in an email or chat message (or simply serves a page containing a hidden form) that sends a forged request to the server. The user’s browser attaches the session cookie automatically, so the web application treats the request as legitimate.
3. The attacker can then perform actions such as transferring funds, changing passwords or making purchases. If the victim is an administrator, the attacker can compromise the entire web application.
4. Countermeasure: require a secret, per-session anti-CSRF token in every state-changing request and set the SameSite attribute on session cookies.

SQL injection (SQLi)
1. SQL injection is a security flaw in web applications where attackers insert harmful SQL code through user inputs. This can let them read sensitive data, change database contents or even take control of the system.
2. Suppose we have an application for student records. Any student can view only his or her own records by entering a unique and private student ID.
3. Suppose the application builds the query by concatenating the submitted ID into the SQL text. Then an injection based on the condition 1=1, which is always true, turns the WHERE clause into one that matches every row: all the student records are returned, and all the student data is compromised. The malicious user can use other SQL in the same way.

SQL Injection Types

In-band SQLi
The attacker uses the same channel of communication to launch the attack and to gather the results.
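The student-record lookup described above, as an added example that is not part of the lecture notes: the lookup is written once with string concatenation (the bug) and once with a prepared statement (the primary defence from the prevention list further down), and the boolean-based blind technique covered under "SQL Injection Types" below is then run against both versions. It uses an in-memory SQLite database with constructed sample rows; the table and column names, the student IDs and the admin password are this example's own choices.

```python
"""Added example (not from the lecture notes): vulnerable vs prepared
student lookup, the 1=1 tautology, and boolean-based blind extraction.
Runs against an in-memory SQLite database with constructed data."""
import sqlite3

ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE students (student_id TEXT, name TEXT, grade TEXT)")
    conn.executemany("INSERT INTO students VALUES (?, ?, ?)", [
        ("s1001", "Asha", "A"), ("s1002", "Ravi", "B"), ("s1003", "Mei", "C"),
    ])
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 's3cret9')")   # constructed
    return conn


def lookup_vulnerable(conn, student_id: str) -> list:
    """User input is pasted into the SQL text, so the input can change
    the structure of the query.  This is the bug."""
    sql = f"SELECT name, grade FROM students WHERE student_id = '{student_id}'"
    return conn.execute(sql).fetchall()


def lookup_prepared(conn, student_id: str) -> list:
    """Prepared statement: the SQL is fixed and the input is bound as
    data, so it can only ever be compared as a value."""
    sql = "SELECT name, grade FROM students WHERE student_id = ?"
    return conn.execute(sql, (student_id,)).fetchall()


def blind_extract_password(lookup, conn, max_len: int = 16) -> str:
    """Boolean-based blind SQLi against whichever lookup is passed in.

    Each probe asks one yes/no question: 'is character N of the admin
    password equal to X?'.  The only feedback is whether the lookup
    returned the (known to exist) row for s1001 or nothing at all."""
    recovered = ""
    for pos in range(1, max_len + 1):
        found = None
        for ch in ALPHABET:
            probe = (f"s1001' AND substr((SELECT password FROM users "
                     f"WHERE username='admin'), {pos}, 1) = '{ch}' --")
            if lookup(conn, probe):          # row came back => condition true
                found = ch
                break
        if found is None:                    # past the end of the password
            break
        recovered += found
    return recovered


def demo() -> dict:
    conn = make_db()
    tautology = "' OR 1=1 --"                # the 1=1 injection from the notes
    return {
        "normal": lookup_vulnerable(conn, "s1002"),
        "vuln_1eq1": lookup_vulnerable(conn, tautology),
        "prepared_1eq1": lookup_prepared(conn, tautology),
        "blind_vs_vulnerable": blind_extract_password(lookup_vulnerable, conn),
        "blind_vs_prepared": blind_extract_password(lookup_prepared, conn),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Against the concatenating version the tautology returns every student and the blind loop recovers the whole admin password one character at a time, even though the page never displays anything but a student's own grade; against the prepared statement both inputs are just strings that match no student ID. SQLite has no SLEEP(), so the time-based variant is not shown, but it is the same loop with a delay instead of a row as the one-bit signal.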
In-band SQLi is one of the most common types of SQLi attack because of its simplicity and efficiency.

Error-based SQLi
The attacker performs actions that cause the database to produce error messages. The data in these error messages (table names, column types, fragments of the query) can be used to learn the structure of the database.

Blind Boolean-based SQL injection
The attacker inserts SQL into an input field so that the application’s response differs depending on whether an injected condition is true or false; no data is returned directly, only that one bit. For example, to retrieve the first character of the admin user’s password the attacker injects a condition using the substring function: the query returns true if the first character is 'a' and false otherwise. Repeating this for each candidate character and each position recovers the whole password.

Time-based SQL injection
The attacker crafts an SQL command that forces the database to wait a certain period before responding, sends it to the server and observes how long the response takes. For example, to retrieve the admin user’s password the attacker injects an IF statement: if the condition is true the database pauses for 5 seconds using the SLEEP function, otherwise it returns immediately. The attacker gathers information about the database one condition at a time by measuring the response delay. This works even when the application shows neither data nor errors.

SQL Injection Prevention
1. Use prepared statements (parameterised queries): the SQL text is compiled with placeholders and the user input is passed separately as data, so the input can never change the structure of the query. This is the primary defence.
2. Restrict database rights so that the application account has access only to the data and operations it needs; an injection through a read-only account cannot drop tables.
3. Perform regular vulnerability assessments and penetration testing.

Broken authentication
1. Authentication is “broken” when attackers are able to compromise passwords, keys, session tokens, user account information or other details to assume user identities.
2. The attacker may use several techniques:
Credential stuffing: the attacker has lists of usernames and passwords leaked from other breaches (or lists of default credentials) and tries them automatically against the login form; because people reuse passwords, some of them work. Users should change default usernames and passwords and never reuse a password across services; the application should rate-limit login attempts and offer multi-factor authentication.
Unhashed passwords: hashing turns a clear-text password into a scrambled value from which the password cannot be recovered. If the application stores passwords without hashing, or transmits them in clear text, an attacker who intercepts the request (for example on the same network) or steals the database sees the passwords directly. The user then loses control of the account and its confidentiality.
Misconfigured session timeouts: the user has logged out, or walked away, but the session is still valid on the server. An attacker who has that user’s session cookie can still access the account. Sessions should expire after inactivity and be invalidated on logout.

Input parameter manipulation
1. Input parameter manipulation is performed on the data sent between the browser (client) and the web application.
2. Such attacks are simple from the attacker’s point of view. In a badly designed and developed web application, a malicious user can modify things such as prices in web carts, session tokens, values stored in cookies and even HTTP headers before they reach the server.
3. No data sent to the browser can be relied upon to come back unchanged unless it is cryptographically protected (for example with an HMAC) at the application layer; keeping the state on the server is the safer choice where possible.
4. Parameter tampering can be done with:
1. Cookies
2. Form fields
3. URL query strings
4. HTTP headers

Sensitive Information Disclosure
1. Sensitive information disclosure occurs when an application does not properly protect sensitive information from being disclosed to attackers.
2. For many applications this may be limited to information such as passwords, but it can also include credit card data, session tokens or other authentication credentials.
3. The most common flaw is simply not encrypting sensitive data, at rest and in transit.

Security Misconfiguration
1. Many devices come with default configurations (including default passwords) from the manufacturer.
2. When installing new devices in a corporate network the administrator must change the default configuration.
3. If the defaults are not changed, an attacker who knows the default configuration (they are published in manuals and on the web) can easily access the system and obtain sensitive information, because the default password is weak or well known.

Broken access control
1. Access control enforces policy such that users cannot act outside their intended permissions.
2. Failures in the mechanism typically lead to unauthorised information disclosure, modification or destruction of data, or to performing a business function outside the limits of the user.
3. Common access control vulnerabilities include:
- bypassing access control checks by modifying the URL
- allowing the primary key to be changed to another user’s record (insecure direct object reference)
- permitting viewing or editing someone else’s account
- elevation of privilege (from simple user to admin)
- metadata manipulation, such as replaying or tampering with a JSON Web Token (JWT) or a cookie used for access control
- forced browsing to authenticated pages as an unauthenticated user, or to privileged pages as a standard user

XML External Entities (XXE)
1. Attackers can exploit vulnerable XML processors if they can upload XML or include hostile content in an XML document, exploiting vulnerable code, dependencies or integrations.
2. These flaws can be used to extract data (such as local files), make the server issue requests to internal systems, scan internal systems, perform a denial-of-service attack and execute other attacks. Disabling external entity resolution in the XML parser prevents them.

Insufficient Logging and Monitoring
1. This weakness occurs when security-critical events are not logged properly and the system is not monitoring what is currently happening.
2. As a result, malicious activity is harder to detect, and effective incident handling is hampered when an attack happens.

OWASP MOBILE TOP 10
The OWASP Top 10 mobile threats are:
M1: Improper Credential Usage
M2: Inadequate Supply Chain Security: occurs when a lack of secure coding practices, insufficient code review and insufficient testing of third-party components and build tooling lead to the inclusion of vulnerabilities in the app.
M3: Insecure Authentication/Authorization
M4: Insufficient Input/Output Validation
M5: Insecure Communication
M6: Inadequate Privacy Controls
M7: Insufficient Binary Protections: the binary may contain valuable secrets, such as commercial API keys or hard-coded cryptographic secrets, that an attacker could extract and misuse. Besides collecting information, attackers can modify the app binary to unlock paid features for free or to bypass other security checks.
M8: Security Misconfiguration
M9: Insecure Data Storage
M10: Insufficient Cryptography

CVE Database
1. Common Vulnerabilities and Exposures (CVE) is a publicly accessible catalogue of known security vulnerabilities in software and hardware.
2. Each vulnerability is assigned a unique ID, which makes it easier for organisations to share information, prioritise fixes and protect their systems.
3. CVE helps organisations identify and prioritise security issues: the CVE number identifies the issue and the associated CVSS score rates its severity, and both are used to plan vulnerability management programmes.
4. A vulnerability qualifies for a CVE if it meets specific criteria: it must be independently fixable, affect a single codebase, and be acknowledged by the vendor or documented as having a negative security impact.
5. Each CVE is assigned a unique identifier to facilitate tracking and management across cybersecurity tools and platforms.
6. Each CVE entry includes the following:
- the CVE identifier number (of the form CVE-YYYY-NNNNN)
- an indication of entry or candidate status
- a brief description of the security vulnerability or exposure
- any other references

TYPES OF ATTACKS & THEIR COMMON PREVENTION MECHANISMS

KEYSTROKE LOGGING
1. Keystroke logging, often referred to as keylogging or keyboard capturing, is the action of recording (logging) the keys struck on a keyboard, typically covertly, so that the person using the keyboard is unaware that their actions are being monitored.
2. The data can then be retrieved by the person operating the logging program.
3. Keyloggers are hardware or software devices used to capture information entered via the keyboard.
4. Software keyloggers
➔ API-based keyloggers hook the operating system’s keyboard API and eavesdrop on keypress events on their way to the program you are typing into.
➔ Form-grabbing keyloggers record data entered into web form fields at the moment the form is submitted. This type is typically injected into a website or the browser rather than installed as a separate program on the victim’s computer.
➔ Kernel-based keyloggers are replacement keyboard device drivers. A portion of the logger resides in the OS kernel and receives data directly from the keyboard interface.
5. Hardware keyloggers
➔ Keyboard hardware keyloggers can be placed in line with the keyboard’s connection cable or built into the keyboard itself. This is the most direct form of interception of typing signals.
➔ Hidden camera keyloggers may be placed in public spaces such as libraries to visually track keystrokes.
➔ USB disk-loaded keyloggers are a physical Trojan horse that delivers keystroke-logging malware once the device is connected.
6. Countermeasures:
★ Anti-spyware / antivirus programs
★ Two-factor authentication (a captured password alone is not enough to log in)
★ Automatic form-filler programs (credentials are never typed)
★ Only download files from trusted sources

Denial of Service (DoS)
1. The aim of a denial-of-service attack is to prevent normal communication with a resource, either by disabling the resource itself or by disabling an intermediary device that provides connectivity to it. The disabled resource can be customer data, website resources, a specific service, etc.
2. The most common form of DoS is to flood a victim with so much traffic (data packets) that all available resources of the system are consumed and it is unable to handle additional requests.
3. A DoS attack typically uses a script or a tool to carry out the attack from a single machine: it is a system-on-system attack.
4. Example: a successful DoS attack against a corporation’s web page or the availability of back-end resources can result in a loss of millions of dollars in revenue (financial impact), depending on company size, as well as a negative impact on the brand name and company reputation.

Distributed Denial of Service (DDoS)
1. A distributed denial-of-service (DDoS) attack is a DoS attack that uses multiple computers or machines to flood a targeted resource.
2. Conceptually the process is simple. A handler (master) computer is infected with a specific DDoS software build, commonly termed a bot. The bot in turn scans the network for potential clients to turn into slaves, or zombies.
3. Once the handler systems have been compromised and the zombie clients are infected and listening, the attacker need only identify the target and send the go signal to the handlers.
4. A common method of covertly installing a bot on a handler or client is a Trojan horse that carries the bot as a payload. Once the handler and subsequent zombies have been infected, the attacker communicates remotely with the so-called botnet via command-and-control channels such as Internet Relay Chat (IRC) or peer-to-peer (P2P) protocols.
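Two of the countermeasures listed under "DoS/DDoS countermeasures" below, rate limiting and knowing your normal traffic pattern, applied to a request log. This is an added example, not code from the lecture notes: the log format, the client addresses, the per-client limit and the baseline rate are this example's own assumptions, and the log itself is constructed so that one address behaves like a flooding bot while the others behave like ordinary users.

```python
"""Added example (not from the lecture notes): a sliding-window rate
limiter and a simple traffic-pattern check, replayed over a constructed
request log."""
from collections import defaultdict, deque

# Constructed log, one request per line: "<epoch-seconds> <client-ip> <request>".
# 10.0.0.5 sends 4 requests/second for 15 s (60 requests); the rest are normal.
SAMPLE_LOG = "\n".join(
    [f"{1000 + i // 4} 10.0.0.5 GET /search?q=x" for i in range(60)]
    + ["1000 192.0.2.10 GET /", "1003 192.0.2.10 GET /about",
       "1007 192.0.2.11 GET /", "1012 192.0.2.10 POST /login",
       "1014 192.0.2.12 GET /"]
)


class SlidingWindowLimiter:
    """Allow at most `limit` requests per client in any `window` seconds."""

    def __init__(self, limit: int, window: float):
        self.limit, self.window = limit, window
        self._hits = defaultdict(deque)            # client -> recent timestamps

    def allow(self, client: str, now: float) -> bool:
        q = self._hits[client]
        while q and now - q[0] >= self.window:     # forget hits outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False                           # over limit: reject (HTTP 429)
        q.append(now)
        return True


def parse_log(text: str):
    for line in text.splitlines():
        ts, ip, _request = line.split(" ", 2)
        yield float(ts), ip


def apply_rate_limit(text: str, limit: int = 10, window: float = 5.0) -> dict:
    """Replay the log through the limiter; return allowed/rejected counts per IP."""
    limiter = SlidingWindowLimiter(limit, window)
    stats = defaultdict(lambda: {"allowed": 0, "rejected": 0})
    for ts, ip in sorted(parse_log(text)):          # replay in time order
        verdict = "allowed" if limiter.allow(ip, ts) else "rejected"
        stats[ip][verdict] += 1
    return dict(stats)


def flood_suspects(text: str, baseline_rps: float = 1.0, factor: float = 3.0) -> list:
    """'Know your traffic pattern': flag clients whose request rate is more
    than `factor` times the baseline rate this service normally sees."""
    first, last, count = {}, {}, defaultdict(int)
    for ts, ip in parse_log(text):
        first.setdefault(ip, ts)
        last[ip] = max(last.get(ip, ts), ts)
        count[ip] += 1
    suspects = []
    for ip in count:
        span = max(last[ip] - first[ip], 1.0)       # at least one second
        if count[ip] / span > factor * baseline_rps:
            suspects.append(ip)
    return sorted(suspects)


if __name__ == "__main__":
    print(apply_rate_limit(SAMPLE_LOG))
    print(flood_suspects(SAMPLE_LOG))
```

With a limit of 10 requests per 5-second window the flooding address gets exactly half of its 60 requests rejected while the three normal clients are never touched, and the pattern check singles out the same address because it runs at more than four requests per second against a one-per-second baseline. A real deployment would keep these counters in a shared store at the edge (load balancer, WAF or CDN) rather than in one process, and would key on more than the source address, since a DDoS spreads the load across many bots.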
Types of DoS/DDoS Attacks Volume-Based Attacks Volume-based attacks flood a network with too much data, overpowering its bandwidth and making the network unusable. Examples include UDP floods and ICMP floods. In a UDP flood, attackers send many UDP packets to random ports on a server, making the server busy trying to handle all these requests, which slows down or stops legitimate traffic. Protocol Attacks Protocol attacks exploit weaknesses in network protocols to use up server resources. Examples are SYN floods and the Ping of Death. In a SYN flood, attackers send many SYN requests to a server but don’t complete the handshake, leaving the server stuck with half-open connections. The Ping of Death involves sending oversized packets to crash or disrupt the target server. Application Layer Attacks Application layer attacks target specific applications or services, causing them to crash or become very slow. Examples include HTTP floods and Slowloris. In an HTTP flood, attackers send many HTTP requests to a web server, consuming its resources. Slowloris keeps many connections to the server open by sending incomplete HTTP requests, preventing the server from handling new, legitimate requests. Reflective Attacks Reflective attacks involve sending requests to third-party servers with the victim’s IP address. The servers unknowingly send responses to the victim, overwhelming it. Examples are DNS reflection and NTP reflection. In a DNS reflection attack, attackers send requests to a DNS server with the victim’s IP address, causing the DNS server to flood the victim with responses. NTP reflection works similarly but uses Network Time Protocol servers to amplify the attack. Teardrop attack A teardrop attack is an attack that sends countless Internet Protocol (IP) data fragments to a network. When the network tries to recompile the fragments into their original packets, it is unable to. 
For example, the attacker may take very large data packets and break them down into multiple fragments for the targeted system to reassemble. However, the attacker changes how the packet is disassembled to confuse the targeted system, which is then unable to reassemble the fragments into the original packets. DoS/DDoS countermeasures Apply Rate Limiting Rate limiting is one of the first techniques used to prevent Distributed Denial of Service (DDoS) attacks by limiting the amount of traffic sent to a network or server. This involves limiting the number of requests or connections that can be made within a specified time frame. Scaling Up the Bandwidth and Using Anti-DDoS Hardware and Software This involves increasing the network’s bandwidth to handle larger amounts of traffic and using specialized hardware and software designed to detect and mitigate DoS attacks. Moving to the Cloud and Using Cloud-Based Services Cloud-based services can provide a higher level of resilience to DoS attacks because they have large amounts of bandwidth and resources and can scale to absorb the attack. Knowing the Network’s Traffic Patterns and the Symptoms of an Attack This involves monitoring the network’s traffic patterns to identify any unusual activity that could indicate a DoS attack. WATERING HOLE ATTACK 1. Watering hole attacks are any attacks that identify an external, trusted but vulnerable service frequently accessed by users of a given organization. Bad actors exploit these vulnerabilities to deliver a malicious payload to the organization’s network. 2. This is what a Watering Hole looks like: you have your own IT network that you can fully control and protect against network intrusions and exploits. 3. Next, there’s an IT service, an app, a tool, a website or technology that is frequently used by your employees. 
These services may be integrated with your network or interact directly with your employees, accessing data and communicating a variety of legitimate traffic requests. 4. These services are controlled by a third party, which of course are vulnerable to cyberattacks. By exploiting the vulnerabilities, these third-party services can act as a “watering hole” to deliver a malicious payload to your organization. 5. Countermeasures - Update your software - Watch your network closely - Hide your online activities BRUTE-FORCE ATTACK 1. A brute force attack is a hacking method that uses trial and error to crack passwords, login credentials, and encryption keys. It is a simple yet reliable tactic for gaining unauthorized access to individual accounts and organizations’ systems and networks. 2. Types of Brute Force Attacks - Simple Brute Force Attacks: A simple brute force attack occurs when a hacker attempts to guess a user’s login credentials manually without using any software. This is typically through standard password combinations or personal identification number (PIN) codes. - Dictionary Attacks: A dictionary attack uses a preselected library of words and phrases to guess possible passwords. - Reverse Brute Force Attacks: A reverse brute force attack sees an attacker begin the process with a known password, which is typically discovered through a network breach. They use that password to search for a matching login credential using lists of millions of usernames. - Credential Stuffing: Attackers collect username and password combinations they have stolen, which they then test on other websites to see if they can gain access to additional user accounts. This approach is successful if people use the same username and password combination or reuse passwords for various accounts and social media profiles. PHISHING & FAKE W.A.P 1. 
Phishing is a type of Social Engineering attack that aims to obtain sensitive information including bank account numbers, usernames, passwords, and credit card details. It is mostly done by sending fake emails that appear to have come from a legitimate source, or it can be in the form of Vishing. 2. Different types of phishing attacks are used by the attacker: - Spear Phishing attack: Spear phishing means that you would only send phishing emails to an `individual company or organization and make the email look like it comes from some vendor or person they work with to get them to provide info. - Clone Phishing: This is a type of attack that works based on copying email messages that came from a worthy or trusted source. Hackers alter the information present in the original email and also add a link or attachment. This link or attachment is malicious and will make the user go to a fake website. When the link or attachment is clicked, the email will be sent to the contacts of the user. - Cat Phishing: Cat phishing is a type of online fraud that involves creating a fake persona to gain access to personal information and money.Cat phishing can occur on dating apps, social media platforms, and email. Catfishers often use fake names, pictures, personal information, emotional manipulation, flattery, and inconsistent or unrealistic stories. - Voice Phishing: Voice phishing, or vishing, is a cyberattack that uses phone calls to steal personal and financial information. Scammers use social engineering techniques to manipulate people into sharing sensitive information, such as bank account numbers, passwords, and Social Security numbers. - SMS Phishing: Smishing is a social engineering attack that uses fake mobile text messages to trick people into downloading malware, sharing sensitive information or sending money to cybercriminals. 
- Whaling: targets only those within an organization who are almost certain to have valuable information, and works using the same methods as spear phishing.

Fake WAP
- A Fake WAP (Wireless Access Point) is a deceptive Wi-Fi network set up by hackers to mimic a legitimate public Wi-Fi hotspot. These fake networks often have names that appear trustworthy, such as "CoffeeShop_WiFi" or "Airport_Free_WiFi", to lure unsuspecting users into connecting.
- Once connected to a Fake WAP, users unknowingly expose their internet traffic to the hacker, who can then monitor and manipulate the data being transmitted.
- This type of attack is particularly prevalent in public spaces where free Wi-Fi is commonly available, such as coffee shops, airports and shopping centres.
- Protecting yourself against Fake WAPs involves a combination of vigilance and security tools: use a VPN, verify network names, disable auto-connect, keep software updated, and use strong passwords for your accounts.

Eavesdropping
1. Eavesdropping attacks in the cybersecurity world are when the perpetrator "listens" to and records data that is transmitted between two devices. In simple terms, the hacker reads messages sent via, for example, an open and unsecured network.
2. Eavesdropping, also known as sniffing or snooping, relies on unsecured network communications to access data in transit between devices.

Man-in-the-middle
1. An MITM attack places the attacker directly between a victim and the host it is connected to.
2. Once attackers have placed themselves in the middle of the connection via a technique such as ARP poisoning, they have free rein to passively monitor traffic, or they can inject malicious packets towards either the victim machine or the host machine.
3. There are several tools specially designed to perform a MITM attack, e.g. PacketCreator, Ettercap, Dsniff, Cain & Abel.

SESSION HIJACKING
1. A session hijacking attack is a cyberattack that allows an attacker to take control of a user's online session and account.
2. This is done by stealing or guessing the session token, which is the information that verifies a user's active session on a website.
3. Once the attacker has the session token, they can impersonate the user and perform unauthorized actions, such as stealing information or launching further attacks.
4. The session token can be compromised in different ways; the most common are:
   - Predictable session token
   - Session sniffing
   - Client-side attacks (XSS, malicious JavaScript code, Trojans, etc.)
   - Man-in-the-middle attack
   - Man-in-the-browser attack

To prevent session hijacking, you can:
1. Use a VPN to mask your IP address and encrypt your data
2. Avoid clicking on links in emails unless you know the sender is legitimate
3. Use reputable antivirus software
4. Keep your systems up to date
5. Look for websites whose URL starts with HTTPS

SPOOFING vs HIJACKING
Objective
  Spoofing: Psychologically manipulate the target and win their trust by convincing them.
  Hijacking: Take control over the target computer system or network connections to steal information, without letting the victim know they are being hijacked.
Requirement
  Spoofing: Hacker technical knowledge is required, but coding is not that important.
  Hijacking: Technical knowledge and coding are required.
Software requirements
  Spoofing: The malicious software needs to be downloaded to the victim's computer.
  Hijacking: Malicious software may or may not need to be downloaded to the victim's computer.
Types
  Spoofing: IP spoofing, email spoofing, URL spoofing
  Hijacking: Browser hijacking, session hijacking, domain hijacking, Domain Name System (DNS) hijacking

CLICKJACKING
- Clickjacking is an attack that tricks users into thinking they are clicking on one thing when in fact they are clicking on something else.
- For example, imagine an attacker who builds a web site with a button on it that says "click here for a free iPod".
- However, on top of that web page, the attacker has loaded an iframe with your mail account, and lined up the "delete all messages" button exactly on top of the "free iPod" button.
- The victim tries to click on the "free iPod" button but actually clicks the invisible "delete all messages" button. In essence, the attacker has "hijacked" the user's click, hence the name "clickjacking".

Cookie Theft
- Cookie theft is a cyberattack where an attacker gains access to a user's cookies, which can lead to unauthorized access to their accounts and sensitive information. Cookie theft can also be referred to as session hijacking or cookie hijacking.

URL OBFUSCATION
- An obfuscated URL is a URL that has been modified to conceal the legitimate location of a web-based resource, such as a website or server.
- Obfuscated URLs are one of the many phishing techniques that can fool Internet users. The spoof site is often an identical clone of the original one, in order to fool users into divulging login and other personal information.
- An obfuscated URL is also called a hyperlink trick.
- There are three primary techniques used to trick users into thinking a website link is real: URL shorteners, URL doppelgangers, and URL redirects.
- URL obfuscation is not only used for phishing or cross-site scripting; it is also used by legitimate websites to hide the true URLs of certain pages so that they cannot be accessed directly by users, or so that certain procedures cannot be bypassed. It is also used as an anti-hacking procedure.
- This is termed security through obscurity.

BUFFER OVERFLOW
- A buffer is a temporary area for data storage. When a program or system process places more data in it than was originally allocated, the extra data overflows.
- The overflowing data leaks into adjacent buffers, which can corrupt or overwrite whatever data they were holding.
- In a buffer-overflow attack, the extra data sometimes holds specific instructions for actions intended by a hacker or malicious user; for example, the data could trigger a response that damages files, changes data or reveals private information.
- For example, a buffer for log-in credentials may be designed to expect username and password inputs of 8 bytes, so if a transaction involves an input of 10 bytes (that is, 2 bytes more than expected), the program may write the excess data past the buffer boundary.
- If boundary-checking logic is applied, and executable code or malicious strings are recognized before they can be written to the buffer, this attack technique becomes much more difficult to execute.

DNS Cache Poisoning
- DNS cache poisoning is the act of entering false information into a DNS cache, so that DNS queries return an incorrect response and users are directed to the wrong websites.
- DNS cache poisoning is also known as DNS spoofing.
- DNS servers take the name you type in when looking up a website, such as "amazon.com", and use it to find the associated IP address. These addresses are stored in the DNS cache.
- If the wrong IP address is put in the cache, traffic goes to the wrong place until the cached information is corrected.
- Because there is typically no way for DNS resolvers to verify the data in their caches, incorrect DNS information remains in the cache until its time to live (TTL) expires, or until it is removed manually.
- A more secure DNS protocol called DNSSEC aims to solve some of these problems, but it has not been widely adopted yet.
- DNSSEC is short for Domain Name System Security Extensions; it uses public key cryptography and is a means of verifying DNS data integrity and origin.
- DNS was originally designed with no such verification, which is why DNS poisoning is possible.
- DNSSEC extensions were published in 2005, but DNSSEC is not yet mainstream, leaving DNS still vulnerable to attacks.
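The session hijacking, cookie theft and clickjacking slides above all come down to what a web server sends back in its response headers. The following added example (not part of the lecture) audits a response for both weaknesses: a session cookie that can be sniffed, read by injected script or guessed, and a page that can be framed; the header names are the standard ones, and the two sample responses are constructed.

```python
# Added example (not from the lecture): audit an HTTP response for the two
# weaknesses the slides describe, a session cookie that can be stolen or sniffed
# and a page that can be framed for clickjacking. Header names are the standard
# ones; the sample responses below are constructed for the demonstration.
import math

def token_entropy_bits(token: str) -> float:
    """Rough strength estimate: Shannon entropy per character times length."""
    n = len(token)
    counts = {c: token.count(c) for c in set(token)}
    return -sum(c / n * math.log2(c / n) for c in counts.values()) * n

def audit_session_cookie(set_cookie: str) -> list[str]:
    """Findings for one Set-Cookie value that carries a session identifier."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name, _, value = parts[0].partition("=")
    flags = {p.split("=")[0].lower(): p for p in parts[1:]}
    findings = []
    if "secure" not in flags:
        findings.append(f"{name}: missing Secure (token can be sniffed over plain HTTP)")
    if "httponly" not in flags:
        findings.append(f"{name}: missing HttpOnly (token readable by injected JavaScript)")
    if "samesite" not in flags or flags["samesite"].lower().endswith("none"):
        findings.append(f"{name}: SameSite does not restrict cross-site requests")
    if value.isdigit() or token_entropy_bits(value) < 64:
        findings.append(f"{name}: session token looks predictable or low-entropy")
    return findings

def audit_framing(headers: dict[str, str]) -> list[str]:
    """Findings if the page may be loaded inside an attacker's iframe."""
    lower = {k.lower(): v for k, v in headers.items()}
    csp = lower.get("content-security-policy", "")
    xfo = lower.get("x-frame-options", "").upper()
    if "frame-ancestors" in csp or xfo in ("DENY", "SAMEORIGIN"):
        return []
    return ["no frame-ancestors or X-Frame-Options: page can be clickjacked"]

def audit_response(headers: dict[str, str]) -> list[str]:
    findings = audit_framing(headers)
    for k, v in headers.items():
        if k.lower() == "set-cookie":
            findings += audit_session_cookie(v)
    return findings

# Constructed sample responses: a weak one and a hardened one.
WEAK = {"Set-Cookie": "SESSIONID=100042; Path=/"}
HARDENED = {
    "Set-Cookie": "SESSIONID=k3Jq9Zt2mXv8Lw4Rn6Yb1Pd7Ff0Hs5Gc; Secure; HttpOnly; SameSite=Lax",
    "Content-Security-Policy": "frame-ancestors 'none'",
}
```

Running `audit_response(WEAK)` reports the framing gap plus four cookie findings, while `audit_response(HARDENED)` reports none.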
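The 8-byte credential buffers in the BUFFER OVERFLOW slide can be modelled directly. This added example (not part of the lecture) lays the username and password fields back to back in one block of memory, shows the 10-byte input spilling its 2 extra bytes into the password, and shows the boundary check that refuses the oversized input; the field sizes follow the slide, while the layout, names and sample inputs are constructed.

```python
# Added example (not from the lecture): a model of the slide's 8-byte credential
# buffers laid out back to back in one bytearray, as two adjacent fields might be
# in memory, to show how a 10-byte write spills 2 bytes into the neighbouring
# field and how a boundary check prevents it. The field sizes follow the slide;
# the layout, names and sample inputs are constructed for the demonstration.
FIELDS = [("username", 8), ("password", 8)]   # contiguous, in this order

def offsets() -> dict[str, tuple[int, int]]:
    """Map each field to its (start, end) byte range in the memory block."""
    pos, table = 0, {}
    for name, size in FIELDS:
        table[name] = (pos, pos + size)
        pos += size
    return table

def new_memory() -> bytearray:
    return bytearray(sum(size for _, size in FIELDS))

def write_unchecked(mem: bytearray, field: str, data: bytes) -> None:
    """strcpy-style copy: writes every byte, running past the field if needed."""
    start, _ = offsets()[field]
    mem[start:start + len(data)] = data       # no check against the field's end

def write_checked(mem: bytearray, field: str, data: bytes) -> bool:
    """Boundary-checked copy: refuses input that does not fit the field."""
    start, end = offsets()[field]
    if len(data) > end - start:
        return False                          # reject rather than spill over
    mem[start:start + len(data)] = data
    return True

def read_field(mem: bytearray, field: str) -> bytes:
    start, end = offsets()[field]
    return bytes(mem[start:end])

def demo_overflow() -> dict[str, bytes]:
    """A 10-byte username into the 8-byte field: 2 bytes land in the password."""
    mem = new_memory()
    write_unchecked(mem, "password", b"s3cret!!")        # 8 bytes, fits
    write_unchecked(mem, "username", b"alice12345")      # 10 bytes, 2 too many
    return {f: read_field(mem, f) for f, _ in FIELDS}
```

After `demo_overflow()` the stored password reads `b"45cret!!"`: its first two bytes were silently replaced by the tail of the username, which is exactly the corruption the slide describes.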
ARP Poisoning
- ARP does the following:
  1. Accept requests: A new device asks to join the local area network (LAN), providing an IP address.
  2. Translate: Devices on the LAN don't communicate via IP address. ARP translates the IP address to a MAC address.
  3. Send requests: If ARP doesn't know the MAC address to use for an IP address, it sends an ARP request packet, which queries the other machines on the network for the missing mapping.
- ARP Poisoning (also known as ARP Spoofing) is a type of cyber attack carried out over a Local Area Network (LAN) that involves sending malicious ARP packets to a default gateway on the LAN in order to change the pairings in its IP-to-MAC address table.
- The goal is to link the hacker's MAC address to a legitimate IP address on the LAN, so that any traffic sent to that address heads to the attacker instead.
- At the end of a successful ARP attack, a hacker can hijack sessions, cause a DoS, or carry out a man-in-the-middle attack.

ARP Poisoning - Preventive measures
1. Packet filtering: Use this firewall technique to manage network access by monitoring incoming and outgoing IP packets. Packets are allowed or stopped based on source and destination IP addresses, ports, and protocols.
2. Static ARP: These ARP entries are added to the cache and retained permanently, serving as fixed mappings between MAC addresses and IP addresses.
3. Virtual Private Network: The most useful preventive measure against ARP spoofing attacks is to use a VPN (Virtual Private Network).
4. ARP Spoofing Detection Software: With the help of ARP spoofing detection software it is easier to detect ARP spoofing attacks, as it inspects and certifies data before the data is transmitted.

Identity Theft
- One of the most prominent and rapidly evolving threats is identity theft, which falls under the heading of social engineering.
- Identity theft occurs when someone steals your personal information and credentials to commit fraud.
- Identity thieves have been known to run up charges on credit cards, open new accounts, get medical treatment, or secure loans under the victim's name.
- Some signs of identity theft include the following:
  1. You see withdrawals from your bank account that you can't explain.
  2. You don't get your bills or other mail.
  3. Merchants refuse your checks.
  4. Debt collectors call you about debts that aren't yours.
  5. You find unfamiliar accounts or charges on your credit report.
  6. Medical providers bill you for services you didn't use.

Identity Theft - Protective Measures
1. Monitor your accounts regularly
2. Use strong passwords
3. Enable two-factor authentication (2FA)
4. Be cautious online
5. Watch for phishing scams
6. Consider credit freezes

IoT Attacks
- IoT attacks are cyber-attacks that gain access to users' sensitive data with the help of an IoT device.
- Attackers usually install malware on the device, damage the device, or gain access to further personal data of the company.
- For instance, an attacker may gain access to an organization's temperature control system through a security loophole in an IoT device, and can then influence the temperature of the rooms connected to that device.
- Some common examples of IoT attacks include:
  1. distributed denial-of-service (DDoS)
  2. malware infections
  3. man-in-the-middle attacks
  4. credential theft

BOTs and BOTNETs
- A bot, short for "robot", is a type of software application or script that performs automated tasks on command.
- Bad bots perform malicious tasks that allow an attacker to remotely take control of an affected computer. Once infected, these machines may also be referred to as zombies.
- Botnets are networks of infected computers, or bots, under the control of a single party, known as the "botnet master".
- Hackers infect computers with malware that allows them to remotely operate the infected devices as bots. A botnet master can command every device from one central point to perform a coordinated attack.
- Botnet masters use botnets to perform automated attacks, including application DDoS and account takeover.

BOTs and BOTNETs - Preventive measures
1. Set your antivirus and antispyware programs to update automatically.
2. Routinely check for browser and operating system updates and patches.
3. Only click internet links or open emails if you trust the source.
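The "Static ARP" and "ARP Spoofing Detection Software" measures in the ARP Poisoning slides can be combined in a few lines. This added example (not part of the lecture) compares two snapshots of a host's ARP cache against a pinned gateway entry and flags the symptoms of a poisoned table: a static entry that no longer matches, an IP whose MAC changed, and one MAC answering for several IPs; the `ip mac` snapshot format, the addresses and the pinned entry are all constructed.

```python
# Added example (not from the lecture): a minimal ARP spoofing detector of the
# kind the "ARP Spoofing Detection Software" bullet refers to. It compares
# successive snapshots of a host's ARP cache against pinned (static) entries and
# flags an IP whose MAC changes or a MAC that claims several IPs.
# The snapshot lines are constructed and use a simple '<ip> <mac>' format.
from collections import defaultdict

# Trusted mappings a defender would pin as static ARP entries (constructed).
STATIC_ARP = {"192.168.1.1": "aa:bb:cc:00:00:01"}   # the default gateway

def parse_snapshot(text: str) -> dict[str, str]:
    """Parse lines of '<ip> <mac>' into an IP -> MAC table (lower-cased MACs)."""
    table = {}
    for line in text.strip().splitlines():
        ip, mac = line.split()
        table[ip] = mac.lower()
    return table

def detect_arp_spoofing(previous: dict[str, str], current: dict[str, str]) -> list[str]:
    """Return alerts for the three symptoms of a poisoned ARP cache."""
    alerts = []
    # 1. A pinned static entry no longer matches what the cache now says.
    for ip, mac in STATIC_ARP.items():
        if ip in current and current[ip] != mac:
            alerts.append(f"static entry violated: {ip} is {current[ip]}, expected {mac}")
    # 2. A non-pinned IP's MAC changed between snapshots.
    for ip, mac in current.items():
        if ip in previous and previous[ip] != mac and ip not in STATIC_ARP:
            alerts.append(f"mapping changed: {ip} {previous[ip]} -> {mac}")
    # 3. One MAC answering for several IPs: a single host posing as many.
    owners = defaultdict(list)
    for ip, mac in current.items():
        owners[mac].append(ip)
    for mac, ips in owners.items():
        if len(ips) > 1:
            alerts.append(f"one MAC for many IPs: {mac} -> {sorted(ips)}")
    return alerts

# Constructed snapshots: a clean cache, then one after a poisoning attempt in
# which the host at aa:bb:cc:00:00:99 has also claimed the gateway's IP.
BEFORE = """
192.168.1.1  aa:bb:cc:00:00:01
192.168.1.20 aa:bb:cc:00:00:20
192.168.1.99 aa:bb:cc:00:00:99
"""
AFTER = """
192.168.1.1  AA:BB:CC:00:00:99
192.168.1.20 aa:bb:cc:00:00:20
192.168.1.99 aa:bb:cc:00:00:99
"""
```

Comparing `BEFORE` with itself yields no alerts; comparing `BEFORE` with `AFTER` yields the violated static entry and the duplicate-MAC alert.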