Chapter 2 - 03 - Understand Network-level Attacks - 01_ocred.pdf
Uploaded by barrejamesteacher
Certified Cybersecurity Technician Information Security Attacks Exam 212-82

Module Flow
- Understand Information Security Attacks
- Describe Hacking Methodologies and Frameworks
- Understand Network-level Attacks
- Understand Application-level and OS-level Attacks
- Understand Social Engineering Attacks
- Understand Wireless Network-specific Attacks
- Understand IoT, OT, and Cloud Attacks
- Understand Cryptographic Attacks

Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

Understand Network-level Attacks

Attackers use various attack strategies to compromise the security of a network, potentially causing disruption, damage, and loss to organizations and individuals. Therefore, it is important for security professionals to understand these attack strategies, because such an understanding is essential for protecting the network from various attacks. This section explains different types of network-level attacks.

Reconnaissance Attacks

The exploitation of the target network begins with reconnaissance. In reconnaissance attacks, attackers attempt to obtain all the possible information about a target network, including the information systems, services, and vulnerabilities that may exist in the network.

Attackers can use the following techniques to gather network information about the target:
- Social Engineering
- Port Scanning
- DNS Footprinting
- Ping Sweeping

The primary objectives of a reconnaissance attack include collecting the target’s network information, system information, and the organizational information. By carrying out reconnaissance at various network levels, the attacker gathers information on system features such as network blocks, network services and applications, system architecture, intrusion detection systems, specific IP addresses, and access control mechanisms. Further, the attacker collects information such as employee names, phone numbers, contact addresses, designation, and work experience, which can form the basis for social engineering and other phases of the intrusion into the organization’s network.

Collecting Network Information

The attacker performs operations such as whois database analysis and trace routing to gather network information. Subsequently, the attacker may gain access to sensitive data or may attack the network.
Network information obtained using reconnaissance attacks:
- Domain Name
- Internal Domain Names
- Network Blocks
- IP Addresses of the Reachable Systems
- Rogue Websites/Private Websites
- Open Ports
- Versions of Running OSes
- Running TCP and UDP Services
- Access Control Mechanisms and ACLs
- Networking Protocols
- VPN Points
- Running Firewalls
- Analog/Digital Telephone Numbers
- Authentication Mechanisms
- System Enumeration

Collecting System Information

Prior to performing an attack, an attacker identifies vulnerabilities to exploit in order to gain access to a system. Once the attacker gains system access, they can use various tools and utilities to perform illegal activities such as stealing sensitive data, attacking other systems, sending forged emails from the system, and deleting data.

Collect Organization Information

An attacker obtains information about an organization from its website. In addition, they can query the target’s domain name against the whois database and get valuable information such as location, people names and phone numbers. The information can then be used to identify key employees in the company and launch social engineering attacks to extract sensitive data about the organization.

Types of reconnaissance attack

Reconnaissance attacks can be active or passive.
- Active reconnaissance attacks: Active reconnaissance attacks mostly include port scans and operating system scans. Here, the attacker uses tools to send packets to the target system. For example, the traceroute tool helps gather all the IP addresses of routers and firewalls. The attacker also gathers further information regarding the services running on the target system.
- Passive reconnaissance attacks: Passive reconnaissance attacks gather information from the network traffic in a passive manner. Here, the attackers perform sniffing to obtain details of vulnerabilities in the network. The attackers use various tools to gain information about the target.

Examples of Reconnaissance attacks
- Packet sniffing: Packet sniffing monitors every packet that passes through a network. Through various packet sniffing tools, attackers capture usernames, passwords, and other user information. In protocols like telnet and HTTP, user information is available in plain text. Packet sniffing can be used to map the network and break into a target computer.
- Port scanning: Port scanning provides attackers access to any open ports on the target machine. Once access is obtained, an intrusion can be executed.
- Ping sweeping: Ping sweeping is a technique that can locate open/live ports in a network through an ICMP request. A well-configured access control list (ACL) can prevent ping sweeping in the network.
- DNS footprinting: DNS footprinting, which can be used to gather information about specific domains and IP addresses in the network, can be performed with DNS queries consisting of DNS lookup and whois.
- Social engineering: Social engineering refers to techniques by which unsuspecting target individuals are persuaded to share their credentials or personal information on the network. Attackers then use this information to perform an attack on the target.
Network Scanning

Scanning is the process of gathering additional detailed information about the target using highly complex and aggressive reconnaissance techniques. Network scanning refers to a set of procedures used for identifying hosts, ports, and services in a network. Network scanning is also used for discovering active machines in a network and identifying the OS running on the target machine. It is one of the most important phases of intelligence gathering for an attacker, which enables him/her to create a profile of the target organization. In the process of scanning, the attacker tries to gather information, including the specific IP addresses that can be accessed over the network, the target’s OS and system architecture, and the ports along with their respective services running on each computer.

Figure 2.6: Network scanning process (the attacker sends TCP/IP probes to the network and gets network information back)

The purpose of scanning is to discover exploitable communications channels, probe as many listeners as possible, and track the ones that are responsive or useful to an attacker’s particular needs.
In the scanning phase of an attack, the attacker tries to find various ways to intrude into a target system. The attacker also tries to discover more information about the target system to determine the presence of any configuration lapses. The attacker then uses the information obtained to develop an attack strategy.

Types of Scanning
- Port Scanning — Lists the open ports and services. Port scanning is the process of checking the services running on the target computer by sending a sequence of messages in an attempt to break in. Port scanning involves connecting to or probing TCP and UDP ports of the target system to determine whether the services are running or are in a listening state. The listening state provides information about the OS and the application currently in use. Sometimes, active services that are listening may allow unauthorized users to misconfigure systems or to run software with vulnerabilities.
- Network Scanning — Lists the active hosts and IP addresses. Network scanning is a procedure for identifying active hosts on a network, either to attack them or assess the security of the network.
- Vulnerability Scanning — Shows the presence of known weaknesses. Vulnerability scanning is a method for checking whether a system is exploitable by identifying its vulnerabilities. A vulnerability scanner consists of a scanning engine and a catalog. The catalog includes a list of common files with known vulnerabilities and common exploits for a range of servers. A vulnerability scanner may, for example, look for backup files or directory traversal exploits. The scanning engine maintains logic for reading the exploit list, transferring the request to the web server, and analyzing the requests to ensure the safety of the server. These tools generally target vulnerabilities that secure host configurations can fix easily through updated security patches and a clean web document.

A thief who wants to break into a house looks for access points such as doors and windows. These are usually the house’s points of vulnerability, as they are easily accessible. When it comes to computer systems and networks, ports are the doors and windows of a system that an intruder uses to gain access. A general rule for computer systems is that the greater the number of open ports on a system, the more vulnerable is the system. However, there are cases in which a system with fewer open ports than another machine presents a much higher level of vulnerability.

Objectives of Network Scanning

The more the information at hand about a target organization, the higher are the chances of knowing a network’s security loopholes, and, consequently, for gaining unauthorized access to it. Some objectives for scanning a network are as follows:
- Discover the network’s live hosts, IP addresses, and open ports of the live hosts. Using the open ports, the attacker will determine the best means of entering into the system.
- Discover the OS and system architecture of the target. This is also known as fingerprinting. An attacker can formulate an attack strategy based on the OS’s vulnerabilities.
- Discover the services running/listening on the target system. Doing so gives the attacker an indication of the vulnerabilities (based on the service) that can be exploited for gaining access to the target system.
- Identify specific applications or versions of a particular service.
- Identify vulnerabilities in any of the network systems. This helps an attacker to compromise the target system or network through various exploits.
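Port scanning and ping sweeping, as described under Examples of Reconnaissance attacks and Types of Scanning, leave a recognizable trace in firewall logs: one source probing many distinct ports on a host, or sending ICMP echo requests to many hosts. The following is an added detection example, not part of the original course text; the log format, addresses, and thresholds are constructed assumptions, and the whole input is treated as a single time window.

```python
import re
from collections import defaultdict

# Constructed firewall log lines (illustrative format, documentation-range addresses).
SAMPLE_LOG = "\n".join(
    [f"2024-05-01T10:00:{i:02d}Z DENY proto=TCP src=203.0.113.7 dst=10.0.0.5 dport={p}"
     for i, p in enumerate([21, 22, 23, 80, 443, 3389])]
    + [f"2024-05-01T10:01:{i:02d}Z DENY proto=ICMP src=198.51.100.9 dst=10.0.0.{i} type=8"
       for i in range(1, 6)]
    + ["2024-05-01T10:02:00Z ALLOW proto=TCP src=192.0.2.44 dst=10.0.0.5 dport=443",
       "2024-05-01T10:02:05Z ALLOW proto=TCP src=192.0.2.44 dst=10.0.0.5 dport=443",
       "2024-05-01T10:02:09Z ALLOW proto=ICMP src=192.0.2.44 dst=10.0.0.5 type=8"]
)

LINE_RE = re.compile(
    r"proto=(?P<proto>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+)"
    r"(?: dport=(?P<dport>\d+))?(?: type=(?P<itype>\d+))?"
)

def detect_recon(log_text, port_threshold=5, host_threshold=4):
    """Flag port scans and ping sweeps in one window of log lines.

    Thresholds are assumed values; tune them against normal traffic.
    """
    ports = defaultdict(set)   # (src, dst) -> distinct TCP/UDP ports probed
    pinged = defaultdict(set)  # src -> distinct hosts sent ICMP echo requests
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # ignore lines that are not in the expected format
        if m["proto"] in ("TCP", "UDP") and m["dport"]:
            ports[(m["src"], m["dst"])].add(int(m["dport"]))
        elif m["proto"] == "ICMP" and m["itype"] == "8":  # type 8 = echo request
            pinged[m["src"]].add(m["dst"])
    findings = []
    for (src, dst), seen in sorted(ports.items()):
        if len(seen) >= port_threshold:  # many ports on one host
            findings.append(("port_scan", src, dst, len(seen)))
    for src, hosts in sorted(pinged.items()):
        if len(hosts) >= host_threshold:  # one source pinging many hosts
            findings.append(("ping_sweep", src, "*", len(hosts)))
    return findings

if __name__ == "__main__":
    for finding in detect_recon(SAMPLE_LOG):
        print(finding)
```

The client at 192.0.2.44 repeats one port and pings one host, so it stays below both thresholds and is not reported.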