Network-Level Attacks: Certified Cybersecurity Technician Exam Prep PDF
Uploaded by barrejamesteacher
EC-Council
Summary
This document details network-level attacks, explaining various attack strategies and techniques used to compromise network security. It covers reconnaissance, scanning, and vulnerability assessment, and describes how attackers gather information about target networks to identify vulnerabilities and gain unauthorized access. The document is part of Certified Cybersecurity Technician exam prep materials.
Full Transcript
Certified Cybersecurity Technician, Information Security Attacks, Exam 212-82
Module: Understand Information Security Attacks
Module flow: Describe Hacking Methodologies and Frameworks; Understand Network-level Attacks; Understand Application-level and OS-level Attacks; Understand Social Engineering Attacks; Understand Wireless Network-specific Attacks; Understand IoT, OT, and Cloud Attacks; Understand Cryptographic Attacks
Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

Understand Network-level Attacks
Attackers use various attack strategies to compromise the security of a network, potentially causing disruption, damage, and loss to organizations and individuals. Security professionals therefore need to understand these attack strategies, because that understanding is essential for protecting the network against them. This section explains different types of network-level attacks.
Module 02 Page 173

Reconnaissance Attacks
The exploitation of the target network begins with reconnaissance. In reconnaissance attacks, attackers attempt to discover information about the target network; the techniques used and the network information obtained are listed in the text that follows.
In reconnaissance attacks, attackers attempt to obtain all the possible information about a target network, including the information systems, services, and vulnerabilities that may exist in the network. Attackers can use the following techniques to gather network information about the target:
- Social Engineering
- Port Scanning
- DNS Footprinting
- Ping Sweeping
The primary objectives of a reconnaissance attack include collecting the target's network information, system information, and organizational information. By carrying out reconnaissance at various network levels, the attacker gathers information on system features such as network blocks, network services and applications, system architecture, intrusion detection systems, specific IP addresses, and access control mechanisms. Further, the attacker collects information such as employee names, phone numbers, contact addresses, designations, and work experience, which can form the basis for social engineering and other phases of the intrusion into the organization's network.
Collecting Network Information
The attacker performs operations such as whois database analysis and trace routing to gather network information. Subsequently, the attacker may gain access to sensitive data or may attack the network.
Network information obtained using reconnaissance attacks:
- Domain Name
- Internal Domain Names
- Network Blocks
- IP Addresses of the Reachable Systems
- Rogue Websites/Private Websites
- Open Ports
- Versions of Running OSes
- Running TCP and UDP Services
- Access Control Mechanisms and ACLs
- Networking Protocols
- VPN Points
- Running Firewalls
- Analog/Digital Telephone Numbers
- Authentication Mechanisms
- System Enumeration
Collecting System Information
Prior to performing an attack, an attacker identifies vulnerabilities to exploit in order to gain access to a system. Once the attacker gains system access, they can use various tools and utilities to perform illegal activities such as stealing sensitive data, attacking other systems, sending forged emails from the system, and deleting data.
Collecting Organization Information
An attacker obtains information about an organization from its website. In addition, they can query the target's domain name against the whois database and get valuable information such as location, people's names, and phone numbers. The information can then be used to identify key employees in the company and launch social engineering attacks to extract sensitive data about the organization.
Types of reconnaissance attack
Reconnaissance attacks can be active or passive.
- Active reconnaissance attacks
Active reconnaissance attacks mostly include port scans and operating system scans. Here, the attacker uses tools to send packets to the target system. For example, the traceroute tool helps gather the IP addresses of the routers and firewalls on the path to the target. The attacker also gathers further information regarding the services running on the target system.
- Passive reconnaissance attacks
Passive reconnaissance attacks gather information from the network traffic in a passive manner. Here, the attackers perform sniffing to obtain details of vulnerabilities in the network. The attackers use various tools to gain information about the target.
Examples of reconnaissance attacks
- Packet sniffing: Packet sniffing monitors every packet that passes through a network. Through various packet sniffing tools, attackers capture usernames, passwords, and other user information. In protocols like Telnet and HTTP, user information is transmitted in plain text. Packet sniffing can be used to map the network and break into a target computer.
- Port scanning: Port scanning identifies the open ports on the target machine, and therefore the listening services against which an intrusion can be attempted.
- Ping sweeping: Ping sweeping locates live hosts in a network by sending ICMP echo requests to a range of addresses. A well-configured access control list (ACL) that drops ICMP echo requests can prevent ping sweeping of the network.
- DNS footprinting: DNS footprinting, which can be used to gather information about specific domains and IP addresses in the network, can be performed with DNS queries consisting of DNS lookups and whois.
- Social engineering: Social engineering refers to techniques by which unsuspecting target individuals are persuaded to share their credentials or personal information on the network. Attackers then use this information to perform an attack on the target.
Network Scanning
- Network scanning refers to a set of procedures used for identifying hosts, ports, and services in a network
- Network scanning is one of the components of intelligence gathering which can be used by an attacker to create a profile of the target organization
Objectives of Network Scanning
- To discover live hosts, IP addresses, and open ports of live hosts
- To discover operating systems and system architecture
- To discover services running on hosts
- To discover vulnerabilities in live hosts
Scanning is the process of gathering additional detailed information about the target using highly complex and aggressive reconnaissance techniques. Network scanning refers to a set of procedures used for identifying hosts, ports, and services in a network. Network scanning is also used for discovering active machines in a network and identifying the OS running on the target machine. It is one of the most important phases of intelligence gathering for an attacker, which enables the attacker to create a profile of the target organization. In the process of scanning, the attacker tries to gather information, including the specific IP addresses that can be accessed over the network, the target's OS and system architecture, and the ports along with their respective services running on each computer.
Figure 2.6: Network scanning process (the attacker sends TCP/IP probes to the network and gets network information back)
The purpose of scanning is to discover exploitable communications channels, probe as many listeners as possible, and track the ones that are responsive or useful to an attacker's particular needs.
In the scanning phase of an attack, the attacker tries to find various ways to intrude into a target system. The attacker also tries to discover more information about the target system to determine the presence of any configuration lapses. The attacker then uses the information obtained to develop an attack strategy.
Types of Scanning
- Port Scanning: Lists the open ports and services. Port scanning is the process of checking the services running on the target computer by sending a sequence of messages in an attempt to break in. Port scanning involves connecting to or probing TCP and UDP ports of the target system to determine whether the services are running or are in a listening state. The listening state provides information about the OS and the application currently in use. Sometimes, active services that are listening may allow unauthorized users to misconfigure systems or to run software with vulnerabilities.
- Network Scanning: Lists the active hosts and IP addresses. Network scanning is a procedure for identifying active hosts on a network, either to attack them or to assess the security of the network.
- Vulnerability Scanning: Shows the presence of known weaknesses. Vulnerability scanning is a method for checking whether a system is exploitable by identifying its vulnerabilities. A vulnerability scanner consists of a scanning engine and a catalog. The catalog includes a list of common files with known vulnerabilities and common exploits for a range of servers. A vulnerability scanner may, for example, look for backup files or directory traversal exploits. The scanning engine maintains the logic for reading the exploit list, sending the corresponding requests to the web server, and analyzing the responses to determine whether the server is exposed.
These tools generally target vulnerabilities that secure host configurations can fix easily through updated security patches and a clean web document root.
A thief who wants to break into a house looks for access points such as doors and windows. These are usually the house's points of vulnerability, as they are easily accessible. When it comes to computer systems and networks, ports are the doors and windows of a system that an intruder uses to gain access. A general rule for computer systems is that the greater the number of open ports on a system, the more vulnerable the system is. However, there are cases in which a system with fewer open ports than another machine presents a much higher level of vulnerability: what matters is which services are exposed and how they are configured, not the count alone.
Objectives of Network Scanning
The more information at hand about a target organization, the higher the chances of knowing a network's security loopholes and, consequently, of gaining unauthorized access to it. Some objectives for scanning a network are as follows:
- Discover the network's live hosts, IP addresses, and open ports of the live hosts. Using the open ports, the attacker will determine the best means of entering the system.
- Discover the OS and system architecture of the target. This is also known as fingerprinting. An attacker can formulate an attack strategy based on the OS's vulnerabilities.
- Discover the services running/listening on the target system. Doing so gives the attacker an indication of the vulnerabilities (based on the service) that can be exploited for gaining access to the target system.
- Identify specific applications or versions of a particular service.
- Identify vulnerabilities in any of the network systems. This helps an attacker to compromise the target system or network through various exploits.

DNS Footprinting
- DNS records provide important information about the location and types of servers
- Attackers can gather DNS information to determine key hosts
- Attackers query DNS servers using DNS interrogation tools, such as DNSdumpster.com and DNS Records, to retrieve the record structure that contains information about the target DNS
DNS footprinting reveals information about DNS zone data. DNS zone data include DNS domain names, computer names, IP addresses, and much more information about a network. An attacker uses DNS information to determine key hosts in the network and then performs social engineering attacks to gather even more information.
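The record types this section lists (A, MX, NS, CNAME, SOA, PTR, TXT, SRV) arrive on the wire in a single binary format, and an interrogation tool is just a program that builds the query and decodes that format. The following is an added example written for this edit, not code from EC-Council, DNSdumpster or DNSstuff: a minimal RFC 1035 query builder and response parser (including name compression), an AXFR zone-transfer request, and a constructed response carrying the certifiedhacker.com values shown in the DNSdumpster screenshot so that it runs offline. The TTL of 300 and the transaction ID are assumptions; the answer is constructed, not a live lookup.

```python
import struct

RECORD_TYPES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 12: "PTR", 15: "MX", 16: "TXT",
                33: "SRV", 252: "AXFR"}


def encode_name(name):
    """Encode a domain name as DNS labels: www.example.com -> 3www7example3com0."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qtype, txid=0x1234):
    """DNS query message: 12-byte header (RD=1) followed by one question (QCLASS=IN)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def axfr_request(name):
    """Zone transfer request as sent over TCP: 2-byte length prefix + query of type AXFR (252).
    A name server that answers this for anyone leaks the whole zone."""
    q = build_query(name, 252)
    return struct.pack("!H", len(q)) + q


def read_name(msg, off):
    """Decode a possibly-compressed name; return (name, offset just past it in the record)."""
    labels, end, jumped = [], None, False
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                       # compression pointer (RFC 1035 4.1.4)
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels) + ".", (end if jumped else off)


def parse_response(msg):
    """Return (txid, flags, [(owner, type, ttl, value), ...]) for all resource records."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                              # skip the echoed question
        _, off = read_name(msg, off)
        off += 4
    records = []
    for _ in range(an + ns + ar):
        owner, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        if rtype == 1:                               # A: four address octets
            value = ".".join(str(b) for b in rdata)
        elif rtype in (2, 5, 12):                    # NS, CNAME, PTR carry a name
            value, _ = read_name(msg, off)
        elif rtype == 15:                            # MX: preference + exchange name
            pref = struct.unpack("!H", rdata[:2])[0]
            host, _ = read_name(msg, off + 2)
            value = f"{pref} {host}"
        elif rtype == 16:                            # TXT: length-prefixed string(s)
            value = rdata[1:1 + rdata[0]].decode("ascii", "replace")
        else:
            value = rdata.hex()
        records.append((owner, RECORD_TYPES.get(rtype, str(rtype)), ttl, value))
        off += rdlen
    return txid, flags, records


def build_sample_response(query):
    """Constructed reply to `query` with the values visible in the DNSdumpster figure."""
    header = query[:2] + struct.pack("!HHHHH", 0x8180, 1, 3, 0, 0)   # QR=1 RD=1 RA=1, 3 answers
    question = query[12:]
    owner = b"\xc0\x0c"                               # pointer to the QNAME at offset 12

    def rr(rtype, rdata, ttl=300):
        return owner + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata

    txt = b"v=spf1 a mx ptr include:bluehost.com ~all"
    return (header + question
            + rr(1, bytes([162, 241, 216, 11]))
            + rr(15, struct.pack("!H", 0) + b"\x04mail" + owner)   # 0 mail.certifiedhacker.com.
            + rr(16, bytes([len(txt)]) + txt))


def footprint(name="certifiedhacker.com"):
    """Build, 'send' and parse. For a live lookup, send `query` by UDP to a resolver on port 53."""
    query = build_query(name, 1)
    response = build_sample_response(query)
    txid, flags, records = parse_response(response)
    if txid != struct.unpack("!H", query[:2])[0] or not flags & 0x8000:
        raise ValueError("response does not match our query")   # first defence against spoofed answers
    return records


if __name__ == "__main__":
    for owner, rtype, ttl, value in footprint():
        print(f"{owner:28} {ttl:>5} IN {rtype:5} {value}")
```

The transaction-ID check at the end is deliberately shown: a response whose ID (and source port) does not match the outstanding query must be discarded, which is the basic protection the "poisoned DNS request" figures later in this chapter assume an attacker is trying to defeat.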
DNS footprinting helps in determining the following records about the target DNS:
Record Type | Description
A | Points to a host's IP address
MX | Points to the domain's mail server
NS | Points to the host's name server
CNAME | Canonical naming allows aliases to a host
SOA | Indicates authority for a domain
SRV | Service records
PTR | Maps an IP address to a hostname
RP | Responsible person
HINFO | Host information record, includes CPU type and OS
TXT | Unstructured text records
Table 2.1: DNS records and their description
DNS interrogation tools such as DNSdumpster (https://dnsdumpster.com) and DNS Records (https://network-tools.com) enable the user to perform DNS footprinting. DNSstuff (Professional Toolset) extracts DNS information about IP addresses, mail server extensions, DNS lookups, Whois lookups, and so on. It can extract a range of IP addresses using an IP routing lookup. If the target network allows unknown, unauthorized users to transfer DNS zone data, then it is easy for an attacker to obtain the information about the DNS with the help of a DNS interrogation tool. When the attacker queries the DNS server using the DNS interrogation tool, the server responds with a record structure that contains information about the target DNS. DNS records provide important information about the location and types of servers.
Figure 2.7: Screenshot of DNSdumpster (results for certifiedhacker.com: NS records on bluehost.com name servers, an MX record for mail.certifiedhacker.com at 162.241.216.11, a TXT record "v=spf1 a mx ptr include:bluehost.com ~all", and host (A) records, with hosting provider and GeoIP location columns)
Attackers also use DNS lookup tools such as Bluto and Domain Dossier to retrieve DNS records for a specified domain or hostname. These tools retrieve information such as domains and IP addresses, domain Whois records, DNS records, and network Whois records.

Packet Sniffing
- Packet sniffing is the process of monitoring and capturing all data packets passing through a given network using a software application or hardware device
- It allows an attacker to observe and access the entire network traffic from a given point in order to gather sensitive information such as Telnet passwords, email traffic, syslog traffic, etc.
Packet sniffing is the process of monitoring and capturing all data packets passing through a given network using a software application or hardware device. Sniffing is straightforward in hub-based networks, as the traffic on a segment passes through all the hosts associated with that segment. However, most networks today work on switches. A switch is an advanced computer networking device. The major difference between a hub and a switch is that a hub transmits line data to each port on the machine and has no line mapping, whereas a switch looks at the Media Access Control (MAC) address associated with each frame passing through it and sends the data to the required port. A MAC address is a hardware address that uniquely identifies each node of a network. An attacker needs to manipulate the functionality of the switch to see all the traffic passing through it.
A packet sniffing program (also known as a sniffer) can capture data packets only from within a given subnet, which means that it cannot sniff packets from another network. Often, any laptop can plug into a network and gain access to it, since many enterprises' switch ports are open. A packet sniffer placed on a network in promiscuous mode can therefore capture and analyze all the network traffic. Sniffing programs turn off the filter employed by Ethernet network interface cards (NICs) to prevent the host machine from seeing other stations' traffic. Thus, sniffing programs can monitor all traffic.
Although most networks today employ switch technology, packet sniffing is still useful. This is because installing remote sniffing programs on network components with heavy traffic flows, such as servers and routers, is relatively easy. It allows an attacker to observe and access the entire network traffic from one point. Packet sniffers can capture data packets containing sensitive information such as passwords, account information, syslog traffic, router configuration, DNS traffic, email traffic, web traffic, chat sessions, and FTP passwords. This allows an attacker to read passwords in cleartext, the actual emails, credit card numbers, financial transactions, etc. It also allows an attacker to sniff SMTP, POP, IMAP, HTTP Basic, Telnet authentication, SQL database, SMB, NFS, and FTP traffic. An attacker can gain a substantial amount of information by reading captured data packets; then, the attacker can use that information to break into the network. An attacker carries out more effective attacks by combining these techniques with active transmission.
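What a sniffer actually does with the bytes it captures is decode the Ethernet, IP and TCP headers and then look inside the payload. The following is an added example written for this edit, not code from EC-Council or from any sniffer: a decoder for Ethernet/IPv4/TCP frames and an extractor for two of the cleartext credential formats the text names (HTTP Basic and FTP USER/PASS), run over a handful of constructed frames so that it works offline. The MACs, IPs, ports and credentials are all made up; checksums are left zero because nothing here puts the frames on a wire. On Linux, real frames would come from a raw `socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.ntohs(3))` opened as root with the interface in promiscuous mode.

```python
import base64
import struct


def build_frame(src_ip, dst_ip, sport, dport, payload):
    """Constructed Ethernet/IPv4/TCP frame carrying `payload` (checksums left at zero)."""
    eth = bytes.fromhex("aabbccddeeff") + bytes.fromhex("112233445566") + b"\x08\x00"  # dst, src, IPv4
    total_len = 20 + 20 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0x4000, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)  # data offset 5, PSH|ACK
    return eth + ip + tcp + payload


def decode_frame(frame):
    """Return (src_ip, dst_ip, sport, dport, payload) for an IPv4/TCP frame, else None."""
    if frame[12:14] != b"\x08\x00":            # not IPv4 (ARP, IPv6, ...): ignore
        return None
    ihl = (frame[14] & 0x0F) * 4
    if frame[14 + 9] != 6:                     # IP protocol field: 6 = TCP
        return None
    total_len = struct.unpack("!H", frame[16:18])[0]
    src = ".".join(map(str, frame[26:30]))
    dst = ".".join(map(str, frame[30:34]))
    tcp = 14 + ihl
    sport, dport = struct.unpack("!HH", frame[tcp:tcp + 4])
    data_off = (frame[tcp + 12] >> 4) * 4
    payload = frame[tcp + data_off:14 + total_len]
    return src, dst, sport, dport, payload


def extract_credentials(frames):
    """Scan TCP payloads for credentials that HTTP Basic and FTP send in the clear."""
    found = []
    ftp_user = {}                              # (src, dst) -> last USER seen, to pair with PASS
    for frame in frames:
        parsed = decode_frame(frame)
        if not parsed:
            continue
        src, dst, sport, dport, payload = parsed
        for line in payload.decode("latin-1").split("\r\n"):
            if line.lower().startswith("authorization: basic "):
                creds = base64.b64decode(line.split(" ", 2)[2]).decode("latin-1")
                found.append(("HTTP Basic", src, dst, creds))
            elif dport == 21 and line.startswith("USER "):
                ftp_user[(src, dst)] = line[5:]
            elif dport == 21 and line.startswith("PASS "):
                found.append(("FTP", src, dst, f"{ftp_user.get((src, dst), '?')}:{line[5:]}"))
    return found


# Constructed capture: one HTTP Basic login, one FTP login, one TLS record, one ARP frame.
SAMPLE_FRAMES = [
    build_frame("10.1.1.5", "10.1.1.20", 51000, 80,
                b"GET /admin HTTP/1.1\r\nHost: intranet\r\nAuthorization: Basic "
                + base64.b64encode(b"smith:Winter2024") + b"\r\n\r\n"),
    build_frame("10.1.1.5", "10.1.1.30", 51001, 21, b"USER lena\r\n"),
    build_frame("10.1.1.5", "10.1.1.30", 51001, 21, b"PASS s3cret\r\n"),
    build_frame("10.1.1.5", "10.1.1.40", 51002, 443, b"\x16\x03\x01\x00\x05hello"),  # TLS: nothing readable
    b"\xff" * 6 + b"\x11\x22\x33\x44\x55\x66" + b"\x08\x06" + b"\x00" * 28,            # ARP: not IP
]

if __name__ == "__main__":
    for proto, src, dst, creds in extract_credentials(SAMPLE_FRAMES):
        print(f"{proto:10} {src} -> {dst}: {creds}")
```

The TLS frame is included on purpose: the decoder parses it fine, but there is nothing to extract, which is the whole point of replacing Telnet, FTP and HTTP Basic with their encrypted counterparts.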
The following diagram depicts an attacker sniffing the data packets between two legitimate network users:
Figure 2.8: Packet sniffing scenario (Smith and Lena exchange data through a switch; the attacker receives a copy of the data passing through the switch)
How a Sniffer Works
- A sniffer turns the NIC of a system to promiscuous mode so that it listens to all the data transmitted on its segment
- The attacker forces the switch to behave as a hub
The most common way of networking computers is through an Ethernet connection. A computer connected to a local area network (LAN) has two addresses: a MAC address and an Internet Protocol (IP) address. A MAC address uniquely identifies each node in a network and is stored on the NIC itself. The Ethernet protocol uses the MAC address to transfer data to and from a system while building data frames. The data link layer of the OSI model uses an Ethernet header with the MAC address of the destination machine instead of the IP address. The network layer is responsible for mapping IP network addresses to the MAC address as required by the data link protocol. It initially looks for the MAC address of the destination machine in a table, usually called the Address Resolution Protocol (ARP) cache. If there is no entry for the IP address, an ARP broadcast of a request packet goes out to all machines on the local subnetwork. The machine with that particular address responds to the source machine with its MAC address. The source machine's ARP cache adds this MAC address to the table.
The source machine, in all its communications with the destination machine, then uses this MAC address. There are two basic types of Ethernet environments, and sniffers work differently in each. These two types are:
- Shared Ethernet
In a shared Ethernet environment, a single bus connects all the hosts that compete for bandwidth. In this environment, all the other machines receive packets meant for one machine. Thus, when machine 1 wants to talk to machine 2, it sends a packet out on the network with the destination MAC address of machine 2, along with its own source MAC address. The other machines in the shared Ethernet (machines 3 and 4) compare the frame's destination MAC address with their own and discard the unmatched frame. However, a machine running a sniffer ignores this rule and accepts all the frames. Sniffing in a shared Ethernet environment is passive and, hence, difficult to detect.
- Switched Ethernet
In a switched Ethernet environment, the hosts connect to a switch instead of a hub. The switch maintains a table that tracks each computer's MAC address and the physical port on which that MAC address is connected, and then delivers packets destined for a particular machine to that port. The switch sends packets to the destined computer only; it does not broadcast them to all the computers on the network. This results in better utilization of the available bandwidth and improved security. Hence, simply putting a machine's NIC into promiscuous mode to gather packets does not work. As a result, many people think that switched networks are secure and immune to sniffing. However, this is not true.
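The switched-Ethernet paragraph above says the switch's MAC-to-port table is what defeats promiscuous mode, and the MAC flooding method described in the next subsection works by exhausting that table. The following is an added example written for this edit, not code from EC-Council or from the dsniff suite: a toy learning switch with a deliberately tiny table, a macof-style flood from the attacker's port, and the port-security counter-measure (a maximum number of MACs per port, with the offending port shut down). Hosts, MACs and the table size of four are assumptions; a real switch holds thousands of entries, which is why macof sends tens of thousands of frames per minute.

```python
from collections import OrderedDict


class Switch:
    """Toy learning switch. The CAM table maps source MAC -> ingress port and holds at most
    `capacity` entries; when full, the oldest entry is evicted (victims' mappings vanish).
    With `max_macs_per_port` set, a port that sources more MACs than allowed is shut down."""

    def __init__(self, ports, capacity=4, max_macs_per_port=None):
        self.ports = list(ports)
        self.capacity = capacity
        self.max_macs_per_port = max_macs_per_port
        self.cam = OrderedDict()
        self.shutdown = set()

    def learn(self, src_mac, port):
        if src_mac in self.cam:                      # refresh an existing entry
            self.cam.move_to_end(src_mac)
            self.cam[src_mac] = port
            return
        if self.max_macs_per_port is not None:
            on_port = sum(1 for p in self.cam.values() if p == port)
            if on_port >= self.max_macs_per_port:
                self.shutdown.add(port)              # port-security violation: err-disable the port
                return
        if len(self.cam) >= self.capacity:
            self.cam.popitem(last=False)             # table full: drop the oldest mapping
        self.cam[src_mac] = port

    def forward(self, src_mac, dst_mac, in_port):
        """Return the set of egress ports for a frame entering on `in_port`."""
        if in_port in self.shutdown:
            return set()
        self.learn(src_mac, in_port)
        if dst_mac in self.cam:
            return {self.cam[dst_mac]}               # known destination: one port only
        return set(self.ports) - {in_port}           # unknown destination: flood, i.e. behave as a hub


def mac_flood_demo(port_security=False):
    """Smith (port 1) talks to Lena (port 2); the attacker floods from port 3.
    Returns (egress ports before the flood, after the flood, whether port 3 got shut down)."""
    sw = Switch(ports=[1, 2, 3], capacity=4, max_macs_per_port=2 if port_security else None)
    smith, lena = "00:11:11:11:11:11", "00:22:22:22:22:22"      # constructed hosts
    sw.forward(smith, lena, 1)
    sw.forward(lena, smith, 2)                                   # both mappings learned
    before = sw.forward(smith, lena, 1)                          # delivered to port 2 only
    for i in range(50):                                          # macof-style flood of random source MACs
        sw.forward(f"02:00:00:00:00:{i:02x}", "ff:ff:ff:ff:ff:ff", 3)
    after = sw.forward(smith, lena, 1)                           # Lena's entry is gone: frame is flooded
    return before, after, 3 in sw.shutdown


if __name__ == "__main__":
    print("no port security:", mac_flood_demo())
    print("port security   :", mac_flood_demo(port_security=True))
```

Without port security the post-flood frame is flooded to ports 2 and 3, so the attacker's sniffer on port 3 sees Smith's traffic; with a two-MAC limit the attacker's port is disabled after the second bogus address and Lena's mapping survives.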
Although a switch is more secure than a hub, sniffing the network is possible using the following methods:
- ARP Spoofing
ARP is stateless. A machine can send an ARP reply even without being asked for it; furthermore, another machine can accept such a reply. When a machine wants to sniff the traffic originating from another system, it can ARP spoof the gateway of the network. The ARP cache of the target machine will then have an incorrect entry for the gateway. Thus, all the traffic destined to pass through the gateway will now pass through the machine that spoofed the gateway MAC address.
- MAC Flooding
Switches maintain a translation table that maps MAC addresses to the physical ports on the switch. As a result, they can intelligently forward packets from one host to another. However, switches have limited memory. MAC flooding makes use of this limitation to bombard switches with fake MAC addresses until the switches can no longer keep up. Once this happens to a switch, it will enter fail-open mode, wherein it starts acting as a hub by broadcasting packets to all the ports on the switch. Once that happens, it becomes easy to perform sniffing. macof is a utility that comes with the dsniff suite and helps the attacker to perform MAC flooding. Once a switch turns into a hub, it starts broadcasting all packets it receives to all the computers in the network.
By default, promiscuous mode is turned off in network machines; therefore, the NICs accept only those packets that are addressed to the user's machine and discard the packets sent to other machines. A sniffer turns the NIC of a system to promiscuous mode so that it listens to all the data transmitted on its segment. A sniffer can constantly monitor all the network traffic to a computer through the NIC by decoding the information encapsulated in the data packets. Attackers configure the NIC in their machines to run in promiscuous mode so that the card starts accepting all the packets.
Thus, the attacker can view all the packets that are being transmitted in the network.
Figure 2.9: Working of a sniffer (attacker PC running its NIC card in promiscuous mode, attached to the same switch as the victims on their way to the Internet)

Man-in-the-Middle Attack
- The man-in-the-middle attack is used to intrude into an existing connection between systems and intercept the messages being exchanged
- Attackers use different techniques and split the TCP connection into two: a client-to-attacker connection and an attacker-to-server connection
- After the interception of the TCP connection, an attacker can read, modify, and insert fraudulent data into the intercepted communication
- Attackers use tools such as Cain & Abel to perform man-in-the-middle attacks
A man-in-the-middle (MITM) attack is used to intrude into an existing connection between systems and to intercept messages being transmitted. In this attack, attackers use different techniques and split a TCP connection into two: a client-to-attacker connection and an attacker-to-server connection. After the successful interception of a TCP connection, an attacker can read, modify, and insert fraudulent data into the intercepted communication. In the case of an HTTP transaction, the TCP connection between the client and server is the target.
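The split into a client-to-attacker connection and an attacker-to-server connection is clearest in code. The following is an added example written for this edit, not code from EC-Council or from Cain & Abel: a loopback TCP relay that plays the attacker (read the request, alter it, forward it on its own connection, hand the server's answer back), a constructed stand-in web server that echoes the request body, and a client that never learns a third party was involved. All hosts, ports and the `amount=10` transfer request are constructed. The relay only shows what the attacker does once traffic reaches it; getting the victim's traffic there (ARP poisoning, a rogue gateway) is the separate step the chapter covers elsewhere and is not done here.

```python
import socket
import threading


def start_echo_server():
    """Constructed stand-in for the web server: answers 200 OK with the request body echoed."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:                      # listener closed
                return
            with conn:
                data = conn.recv(4096)
                if data:
                    body = data.split(b"\r\n\r\n", 1)[-1]
                    conn.sendall(b"HTTP/1.1 200 OK\r\nContent-Length: %d\r\n\r\n%s" % (len(body), body))

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


class Mitm:
    """Attacker relay: terminates the victim's TCP connection and opens its own to the server."""

    def __init__(self, target_host, target_port, tamper):
        self.target = (target_host, target_port)
        self.tamper = tamper                     # function applied to each intercepted request
        self.captured = []                       # everything read in the clear
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind(("127.0.0.1", 0))
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:
            try:
                client, _ = self.sock.accept()   # connection 1: client-to-attacker
            except OSError:
                return
            threading.Thread(target=self._relay, args=(client,), daemon=True).start()

    def _relay(self, client):
        with client, socket.create_connection(self.target) as upstream:   # connection 2: attacker-to-server
            request = client.recv(4096)          # READ the client's cleartext request
            self.captured.append(request)
            upstream.sendall(self.tamper(request))   # MODIFY, then forward on the second connection
            response = b""
            while True:
                chunk = upstream.recv(4096)
                if not chunk:
                    break
                response += chunk
            client.sendall(response)             # the client sees a normal-looking reply

    def close(self):
        self.sock.close()


def demo():
    """Client sends a transfer of 10 through the relay; the relay turns it into 1000."""
    srv, srv_port = start_echo_server()
    mitm = Mitm("127.0.0.1", srv_port, lambda req: req.replace(b"amount=10&", b"amount=1000&"))
    try:
        with socket.create_connection(("127.0.0.1", mitm.port)) as c:   # victim thinks this is the server
            c.sendall(b"POST /transfer HTTP/1.1\r\nHost: bank.example\r\n"
                      b"Authorization: Basic c21pdGg6V2ludGVyMjAyNA==\r\n\r\namount=10&to=lena")
            reply = b""
            while True:
                chunk = c.recv(4096)
                if not chunk:
                    break
                reply += chunk
    finally:
        mitm.close()
        srv.close()
    return mitm.captured, reply


if __name__ == "__main__":
    captured, reply = demo()
    print("attacker captured:", captured[0])
    print("client received :", reply)
```

Note what makes this work: nothing binds the client's connection to the real server's identity. With TLS and proper certificate validation the relay would have to present a certificate the client trusts for bank.example, which is exactly the check a MITM against HTTPS has to defeat or trick the user into ignoring.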
Figure 2.10: Prediction of session ID using a man-in-the-middle (MITM) attack (the victim's connection to the web server is split into a client-to-attacker connection and an attacker-to-server connection)
Attackers use tools such as Cain & Abel to perform man-in-the-middle (MITM) attacks. Cain & Abel is a password recovery tool that allows the recovery of passwords by sniffing the network and cracking encrypted passwords. The ARP poisoning feature of the Cain & Abel tool involves sending unsolicited spoofed ARP replies to the network's host victims. These spoofed ARPs make it easier for the attacker to position itself as the middleman.
Screenshot of Cain & Abel (the APR view, alongside the Decoders, Network, Sniffer, Cracker, Traceroute, CCDU and Wireless tabs, listing poisoned hosts by IP address, MAC address, and packet counts)
Figure 2.12: Illustration of a normal DNS request
Figure 2.13: Illustration of a poisoned DNS request (the client's query is answered from a poisoned DNS server, which directs it to malicious servers instead of the legitimate site)

Domain Hijacking
- Domain hijacking is an attack in which the domain ownership is changed to the attacker's server without the consent of the actual owner
- The attacker attempts to infiltrate the domain registrar account using techniques such as phishing or social engineering
Domain hijacking is an attack in which the domain ownership is changed to the attacker's server without the consent of the actual owner. In this attack, the attacker attempts to infiltrate the domain registrar account using techniques such as phishing or social engineering. After obtaining the registrar account credentials, the attacker masquerades as the legitimate owner of the account, exploits some identified vulnerabilities, and changes the ownership of the original registered domain to the attacker's domain name. Later, when a client or user sends a request to the original website, the DNS server sends a response with the malicious domain name that belongs to the attacker. As the response webpage appears similar to the original webpage, it lures the user into entering sensitive information such as usernames, passwords, and bank credentials. Through domain hijacking, attackers even install malware on their website, which, when accessed by a victim, automatically downloads and installs malware such as viruses, worms, or Trojans in the victim's system and starts executing covertly in the background.
Working of Domain Hijacking
Figure 2.14: Domain hijacking (attacker, registrar, registrant, registry, the legitimate website and DNS server, and the malicious website and malicious DNS server)
- Step 1: The attacker compromises the registrar account using techniques such as phishing or social engineering and logs in to the registrar account.
- Step 2: After successful login, the attacker modifies the registration details of the actual owner of the domain.
  The attacker changes the actual IP (178.15.10.43) to a malicious IP address (99.99.99.99).
- Step 3: When the legitimate user requests the website www.realwebsite.com, the request reaches the DNS name server, which resolves the domain name.
- Step 4: As the domain name has already been updated, the DNS response contains the attacker’s malicious IP address, i.e., 99.99.99.99.
- Step 5: The user unknowingly logs in to the malicious website www.fakewebsite.com.

ARP Spoofing Attack

- Address Resolution Protocol (ARP) is a protocol used for mapping an IP address to a physical machine address which is recognized in the local network
- ARP spoofing/poisoning involves sending a large number of forged entries to the target machine’s ARP cache

ARP Spoofing Attack

Address Resolution Protocol (ARP) is a protocol used for mapping an IP address to a physical machine address which is recognized in the local network. ARP packets can be forged to send data to the attacker’s machine. ARP spoofing involves constructing a large number of forged ARP request and reply packets to overload a switch.
When a machine sends an ARP request, it assumes that the ARP reply will come from the right machine. ARP provides no means of verifying the authenticity of the responding device. Even systems that have not made an ARP request can accept ARP replies coming from other devices. Attackers use this flaw in ARP to create malformed ARP replies containing spoofed IP and MAC addresses. Assuming it to be the legitimate ARP reply, the victim’s computer blindly accepts the ARP entry into its ARP table. Once the ARP table is flooded with spoofed ARP replies, the switch is set in forwarding mode, and the attacker intercepts all the data that flows from the victim’s machine without the victim being aware of the attack. Attackers flood a target computer’s ARP cache with forged entries, which is also known as poisoning. ARP spoofing is an intermediary for performing attacks such as DoS, MITM, and session hijacking.

How does ARP Spoofing Work?

ARP spoofing is a method of attacking an Ethernet LAN. When a legitimate user initiates a session with another user in the same layer 2 broadcast domain, the switch broadcasts an ARP request using the recipient’s IP address, while the sender waits for the recipient to respond with a MAC address. An attacker eavesdropping on this unprotected layer 2 broadcast domain can respond to the broadcast ARP request and reply to the sender by spoofing the intended recipient’s IP address. The attacker runs a sniffer and turns the machine’s NIC adapter to promiscuous mode.

ARP spoofing succeeds by changing the IP address of the attacker’s computer to that of the target computer. A forged ARP request packet can find a place in the target ARP cache in this process. As the ARP reply has been forged, the destination computer (target) sends frames to the attacker’s computer, where the attacker can modify the frames before sending them to the source machine (User A) in an MITM attack. The attacker can also launch a DoS attack by associating a non-existent MAC address with the IP address of the gateway; alternatively, the attacker may sniff the traffic passively and then forward it to the target destination.

Figure 2.15: Working of an ARP spoofing attack (User A at 10.1.1.0 sends an ARP request for 10.1.1.1 and the switch broadcasts it onto the wire; the legitimate user responds “Yes, I am here. This is 10.1.1.1 and my MAC address is A1-B1-C1-D1-E1-F1”; the attacker, eavesdropping on the request and responses, also answers “I am 10.1.1.1 and my MAC address is 11-22-33-44-55-66”, so User A’s poisoned ARP cache now sends information for 10.1.1.1 to the attacker’s MAC address 11-22-33-44-55-66)
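A passive detector for the ARP behaviour described above, written as an added example (not courseware or Cain & Abel code): it pins the legitimate 10.1.1.1 binding from Figure 2.15 and flags the attacker’s 11-22-33-44-55-66 reply as a static violation, a gratuitous reply and one MAC speaking for several IPs. The static table, the sample replies and the alert names are assumptions.

```python
"""Passive ARP monitor for the spoofing scenario of Figure 2.15.

Added example, not courseware code. ARP replies are constructed records
(no live capture) so the script runs offline. The pinned static binding,
the sample trace and the alert wording are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass, field


def norm(mac: str) -> str:
    """Normalise 'A1:B1:...' and 'a1-b1-...' to one comparable form."""
    return mac.lower().replace(":", "-")


@dataclass
class ArpReply:
    ts: float            # seconds since the monitor started
    sender_ip: str       # IP address the reply claims to speak for
    sender_mac: str      # MAC address the reply binds to that IP
    unsolicited: bool    # True when no matching request was seen (gratuitous)


@dataclass
class ArpMonitor:
    static: dict                                   # admin-pinned ip -> mac
    learned: dict = field(default_factory=dict)    # first clean sighting ip -> mac
    ips_by_mac: dict = field(default_factory=lambda: defaultdict(set))
    alerts: list = field(default_factory=list)

    def observe(self, r: ArpReply) -> list:
        """Inspect one reply; return the alerts it raised (possibly none)."""
        mac = norm(r.sender_mac)
        raised = []
        pinned = self.static.get(r.sender_ip)
        if pinned and mac != pinned:
            raised.append(f"static-violation {r.sender_ip} claimed by {mac} (expected {pinned})")
        elif r.sender_ip in self.learned and self.learned[r.sender_ip] != mac:
            # arpwatch-style "changed ethernet address" event
            raised.append(f"binding-change {r.sender_ip}: {self.learned[r.sender_ip]} -> {mac}")
        if r.unsolicited and not pinned:
            # Gratuitous replies for addresses nobody asked about are the
            # classic poisoning vector; pinned hosts are allowed to announce.
            raised.append(f"gratuitous-reply {r.sender_ip} from {mac}")
        self.ips_by_mac[mac].add(r.sender_ip)
        if len(self.ips_by_mac[mac]) > 1:
            # One NIC speaking for several IPs is normal for a router and
            # suspicious for a workstation: a heuristic to review, not to block on.
            raised.append(f"one-mac-many-ips {mac} -> {sorted(self.ips_by_mac[mac])}")
        if not raised and r.sender_ip not in self.learned:
            self.learned[r.sender_ip] = mac   # only trust a clean first sighting
        self.alerts.extend(raised)
        return raised


STATIC_BINDINGS = {"10.1.1.1": "a1-b1-c1-d1-e1-f1"}   # assumed: admin pins the server

SAMPLE_REPLIES = [   # constructed trace of the Figure 2.15 exchange
    ArpReply(0.0, "10.1.1.1", "A1:B1:C1:D1:E1:F1", unsolicited=False),  # real host answers User A
    ArpReply(0.2, "10.1.1.2", "55:88:66:55:33:44", unsolicited=False),  # User C answers normally
    ArpReply(1.0, "10.1.1.1", "11:22:33:44:55:66", unsolicited=True),   # attacker claims 10.1.1.1
    ArpReply(1.1, "10.1.1.2", "11:22:33:44:55:66", unsolicited=True),   # ... and 10.1.1.2 as well
]


def run_demo() -> list:
    """Feed the sample trace through a monitor and return every alert raised."""
    mon = ArpMonitor(static=STATIC_BINDINGS)
    for reply in SAMPLE_REPLIES:
        mon.observe(reply)
    return mon.alerts


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```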
DHCP Starvation Attack

- DHCP is a configuration protocol that assigns valid IP addresses to host systems out of a pre-assigned DHCP pool
- A DHCP starvation attack is a process of inundating DHCP servers with fake DHCP requests and using all the available IP addresses
- This results in a denial-of-service attack, where the DHCP server cannot issue new IP addresses to genuine host requests

DHCP Starvation Attack

DHCP is a configuration protocol that assigns valid IP addresses to host systems from a preassigned DHCP pool. In a DHCP starvation attack, an attacker floods the DHCP server by sending numerous DHCP requests and uses all of the available IP addresses that the DHCP server can issue. As a result, the server cannot issue any more IP addresses, leading to a DoS attack. Because of this issue, valid users cannot obtain or renew their IP addresses; thus, they fail to access their network. An attacker broadcasts DHCP requests with spoofed MAC addresses with the help of tools such as Yersinia, Hyenae, and Gobbler.

Figure 2.16: DHCP starvation attack (the attacker sends many different DHCP requests with many source MACs; the DHCP server’s scope 10.10.10.1 to 10.10.10.254 runs out of IP addresses to allocate to valid users, who are then unable to get a valid IP address)
DHCP Spoofing Attack

- The attacker sets up a rogue DHCP server on the network and responds to DHCP requests with bogus IP addresses, resulting in compromised network access
- This attack works in conjunction with the DHCP starvation attack; the attacker sends TCP/IP settings to the user after knocking him/her out from the genuine DHCP server

DHCP Spoofing Attack

In addition to DHCP starvation attacks, an attacker can perform MITM attacks such as sniffing. An attacker who succeeds in exhausting the DHCP server’s IP address space can set up a rogue DHCP server on the network, which is not under the control of the network administrator. The rogue DHCP server impersonates a legitimate server and offers IP addresses and other network information to other clients in the network, acting as a default gateway. Clients connected to the network with the addresses assigned by the rogue server will now become victims of MITM and other attacks, whereby packets forwarded from a client’s machine will reach the rogue server first.

In a DHCP spoofing attack, an attacker will introduce a rogue server into the network. This rogue server can respond to clients’ DHCP discovery requests. Although both the rogue and actual DHCP servers respond to the request, the client accepts the response that comes first. In the case where the rogue server responds earlier than the actual DHCP server, the client takes the response of the rogue server. The information provided to the clients by this rogue server can disrupt their network access, causing a DoS attack.
The DHCP response from the attacker’s rogue DHCP server may assign the IP address that serves as a client’s default gateway. As a result, the attacker’s IP address receives all the traffic from the client. The attacker then captures all the traffic and forwards it to the appropriate default gateway. The client thinks that everything is functioning correctly. This type of attack is difficult for the client to detect for long periods. Sometimes, the client uses a rogue DHCP server instead of the standard one. The rogue server directs the client to visit fake websites in an attempt to gain their credentials.

To mitigate a rogue DHCP server attack, set the connection between the interface and the rogue server as untrusted. This action will block all incoming DHCP server messages from that interface.

Figure 2.17: DHCP spoofing attack (exchange: the user broadcasts DHCPDISCOVER (IPv4) / SOLICIT (IPv6); the rogue server unicasts DHCPOFFER (IPv4) / ADVERTISE (IPv6); the user broadcasts DHCPREQUEST (IPv4) / REQUEST (IPv6). The rogue server hands out IP address 10.0.0.20, subnet mask 255.255.255.0, default router 10.0.0.1, DNS servers 192.168.168.2 and 192.168.168.3, and a lease time of 2 days. By running a rogue DHCP server, an attacker can send incorrect TCP/IP settings: a wrong default gateway makes the attacker the gateway, a wrong DNS server makes the attacker the DNS server, and a wrong IP address results in DoS with a spoofed IP)
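The untrusted-interface rule just described, modelled as an added example (not courseware code and not any vendor’s implementation), together with a per-port check for the starvation attack of the previous section: server messages arriving on untrusted ports are discarded, a DHCP payload whose chaddr disagrees with the Ethernet source is discarded, and a port presenting more than ten client MACs within a minute is error-disabled. Port names, thresholds and the message trace are constructed.

```python
"""DHCP snooping model: untrusted-port filtering plus a starvation rate check.

Added example, not courseware code. Ports, thresholds and the message trace
are constructed; the trusted-port rule and the chaddr-vs-source-MAC check
mirror what switch DHCP snooping features do.
"""
from collections import defaultdict
from dataclasses import dataclass, field

SERVER_MSGS = {"OFFER", "ACK", "NAK"}                  # only a DHCP server sends these
CLIENT_MSGS = {"DISCOVER", "REQUEST", "RELEASE", "DECLINE", "INFORM"}


@dataclass
class DhcpMsg:
    ts: float
    port: str
    src_mac: str       # Ethernet source address
    chaddr: str        # client hardware address inside the DHCP payload
    kind: str          # DISCOVER, OFFER, REQUEST, ACK, ...


@dataclass
class SnoopingSwitch:
    trusted_ports: set                     # uplinks toward the real DHCP server
    max_clients: int = 10                  # distinct client MACs per port per window
    window: float = 60.0
    seen: dict = field(default_factory=lambda: defaultdict(list))  # port -> [(ts, mac)]
    err_disabled: set = field(default_factory=set)
    log: list = field(default_factory=list)

    def handle(self, m: DhcpMsg) -> str:
        """Return 'forward' or 'drop: <reason>' for one DHCP message."""
        if m.port in self.err_disabled:
            return self._drop(m, "port err-disabled")
        if m.port in self.trusted_ports:
            return self._forward(m)        # trusted ports are not inspected
        if m.kind in SERVER_MSGS:
            # A rogue server's OFFER/ACK arriving on an access port is discarded.
            return self._drop(m, "server message on untrusted port")
        if m.kind in CLIENT_MSGS:
            if m.src_mac.lower() != m.chaddr.lower():
                return self._drop(m, "chaddr does not match source MAC")
            hist = self.seen[m.port]
            hist.append((m.ts, m.src_mac.lower()))
            recent = {mac for ts, mac in hist if m.ts - ts <= self.window}
            if len(recent) > self.max_clients:
                # Far more clients than a port can physically have: starvation.
                self.err_disabled.add(m.port)
                return self._drop(m, f"{len(recent)} client MACs within {self.window:.0f}s (starvation)")
        return self._forward(m)

    def _forward(self, m: DhcpMsg) -> str:
        self.log.append((m.ts, m.port, m.kind, "forward"))
        return "forward"

    def _drop(self, m: DhcpMsg, reason: str) -> str:
        self.log.append((m.ts, m.port, m.kind, f"drop: {reason}"))
        return f"drop: {reason}"


def build_trace() -> list:
    """Constructed message sequence on one access switch (Gi0/1 is the uplink)."""
    user, attacker = "00:11:22:33:44:55", "de:ad:be:ef:00:01"
    trace = [
        DhcpMsg(0.0, "Gi0/5", user, user, "DISCOVER"),                      # normal client
        DhcpMsg(0.1, "Gi0/1", "00:50:56:aa:bb:cc", user, "OFFER"),          # real server via uplink
        DhcpMsg(0.2, "Gi0/7", attacker, user, "OFFER"),                     # rogue server on access port
        DhcpMsg(0.3, "Gi0/7", attacker, "02:00:00:00:00:99", "DISCOVER"),   # forged chaddr, real source
    ]
    # Starvation: 12 DISCOVERs, each from a different forged source MAC with matching chaddr
    for i in range(12):
        mac = f"02:00:00:00:00:{i:02x}"
        trace.append(DhcpMsg(1.0 + i * 0.5, "Gi0/7", mac, mac, "DISCOVER"))
    return trace


def run_demo() -> dict:
    sw = SnoopingSwitch(trusted_ports={"Gi0/1"})
    decisions = [sw.handle(m) for m in build_trace()]
    return {
        "forward": decisions.count("forward"),
        "drop": sum(d.startswith("drop") for d in decisions),
        "err_disabled": sorted(sw.err_disabled),
        "decisions": decisions,
    }


if __name__ == "__main__":
    for ts, port, kind, outcome in SnoopingSwitch(trusted_ports={"Gi0/1"}).log or []:
        print(ts, port, kind, outcome)
    print(run_demo())
```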
Switch Port Stealing

- The switch port stealing sniffing technique uses MAC flooding to sniff the packets
- The attacker floods the switch with forged gratuitous ARP packets with the target MAC address as the source and his/her own MAC address as the destination
- A race condition of the attacker’s flooded packets and the target host’s packets occurs; thus the switch must change its MAC address binding constantly between two different ports
- In such a case, if the attacker is fast enough, he/she will be able to direct the packets intended for the target host toward his/her switch port
- The attacker now manages to steal the target host’s switch port and sends ARP requests to the stolen switch port to discover the target host’s IP address
- When the attacker gets an ARP reply, this indicates that the target host’s switch port binding has been restored, and the attacker can now sniff the packets sent toward the targeted host

Switch Port Stealing

The switch port stealing sniffing technique uses MAC flooding to sniff the packets. The attacker floods the switch with forged gratuitous ARP packets with the target MAC address as the source and his/her own MAC address as the destination. A race condition of the attacker’s flooded packets and target host packets will occur, and thus, the switch has to change its MAC address binding constantly between two different ports. In this case, if the attacker is fast enough, he/she will be able to direct the packets intended for the target host toward his/her switch port. Here, the attacker manages to steal the target host’s switch port and sends an ARP request to this switch port to discover the target host’s IP address.
When the attacker gets an ARP reply, this indicates that the target host’s switch port binding has been restored, and the attacker can now sniff the packets sent towards the targeted host.

Figure 2.18: Switch port stealing (Layer 2 Switch; legend: Logical Connection, Real Connection)

Assume that there are three machines in a network: Host A, the target’s Host B, and the attacker’s Host C.

| Machine | MAC Address       | IP Address | Ports  |
|---------|-------------------|------------|--------|
| Host A  | aa-bb-cc-dd-ee-ff | 10.0.0.1   | Port A |
| Host B  | bb-cc-dd-ee-ff-gg | 10.0.0.2   | Port B |
| Host C  | cc-dd-ee-ff-gg-hh | 10.0.0.3   | Port C |

Table 2.2: Details of three hosts in a network

The switch’s ARP cache and MAC table contain the following values:

| VLAN | Machine | MAC Address       | IP Address | Age | Ports  |
|------|---------|-------------------|------------|-----|--------|
| 5    | Host A  | aa-bb-cc-dd-ee-ff | 10.0.0.1   | 0   | Port A |
| 5    | Host B  | bb-cc-dd-ee-ff-gg | 10.0.0.2   | 0   | Port B |
| 5    | Host C  | cc-dd-ee-ff-gg-hh | 10.0.0.3   | 0   | Port C |

Table 2.3: MAC table

| IP       | MAC               |
|----------|-------------------|
| 10.0.0.1 | aa-bb-cc-dd-ee-ff |
| 10.0.0.2 | bb-cc-dd-ee-ff-gg |
| 10.0.0.3 | cc-dd-ee-ff-gg-hh |

Table 2.4: ARP cache table

1. Switch port stealing is a sniffing technique used by an attacker who spoofs both the IP address and the MAC address of the target machine (Host B).

| Machine | MAC Address       | IP Address | Ports  |
|---------|-------------------|------------|--------|
| Host A  | aa-bb-cc-dd-ee-ff | 10.0.0.1   | Port A |
| Host B  | bb-cc-dd-ee-ff-gg | 10.0.0.2   | Port B |
| Host C  | bb-cc-dd-ee-ff-gg | 10.0.0.2   | Port C |

Table 2.5: Switch updated with a spoofed entry

2. The attacker’s machine runs a sniffer that turns the machine’s NIC adapter to promiscuous mode.
3. Host A, associated with the IP address 10.0.0.1, wants to communicate with Host B, associated with the IP address 10.0.0.2. Therefore, Host A sends an ARP request (I want to communicate with 10.0.0.2. What is the MAC address of 10.0.0.2?).
4. The switch broadcasts this ARP request to all the machines in the network.
5. Before Host B (the target machine) can respond to the ARP request, the attacker responds to the ARP request by sending an ARP reply containing the spoofed MAC and IP addresses (I am 10.0.0.2, and my MAC address is bb-cc-dd-ee-ff-gg). The attacker can achieve this by launching an attack such as denial of service (DoS) on Host B, which slows down its response.
6. Now the ARP cache in the switch records the spoofed MAC and IP addresses.

| IP       | MAC               |
|----------|-------------------|
| 10.0.0.1 | aa-bb-cc-dd-ee-ff |
| 10.0.0.2 | bb-cc-dd-ee-ff-gg |
| 10.0.0.2 | bb-cc-dd-ee-ff-gg |

Table 2.6: ARP cache updated with a spoofed entry

7. The spoofed MAC address of target Host B (bb-cc-dd-ee-ff-gg) and the port connected to the attacker’s machine (Port C) update the switch’s CAM table. Now, a connection is established between Host A and the attacker’s machine (Host C).

| VLAN | Machine | MAC Address       | IP Address | Age | Ports  |
|------|---------|-------------------|------------|-----|--------|
| 5    | Host A  | aa-bb-cc-dd-ee-ff | 10.0.0.1   | 0   | Port A |
| 5    | Host B  | bb-cc-dd-ee-ff-gg | 10.0.0.2   | 0   | Port B |
| 5    | Host C  | bb-cc-dd-ee-ff-gg | 10.0.0.2   | 0   | Port C |

Table 2.7: MAC table updated with a spoofed entry

8. Now, the switch will forward all the packets directed towards Host B to Host C through Port C, i.e., the attacker’s machine. Thus, an attacker can sniff the packets sent to Host B.
MAC Spoofing/Duplicating/Cloning

- A MAC duplicating/cloning attack is launched by sniffing a network for MAC addresses of clients who are actively associated with a switch port and re-using one of those addresses
- By listening to the traffic on the network, a malicious user can intercept and use a legitimate user’s MAC address to receive all the traffic destined for the user
- This attack allows an attacker to gain access to the network and take over someone’s identity on the network

MAC Spoofing/Duplicating/Cloning

MAC duplicating or cloning refers to spoofing a MAC address with the MAC address of a legitimate user on the network. A MAC duplicating attack involves sniffing a network for MAC addresses of legitimate clients connected to the network. In this attack, the attacker first retrieves the MAC addresses of clients who are actively associated with the switch port. Then, the attacker spoofs a MAC address with the MAC address of the legitimate client. If the spoofing is successful, then the attacker can receive all the traffic destined for the client. Thus, an attacker can gain access to the network and take over the identity of someone on the network. Attackers perform this attack by changing the vendor-assigned MAC address of the NIC card using OS commands or software such as packet crafting tools. The diagram shows how an attacker performs a MAC spoofing/duplicating/cloning attack.
Figure 2.19: MAC spoofing/duplicating/cloning attack (Legitimate User: “My MAC address is aa:bb:cc:dd:ee:ff”; switch rule: allow access to the network only if your MAC address is aa:bb:cc:dd:ee:ff; Attacker: “No! My MAC address is aa:bb:cc:dd:ee:ff”. The attacker sniffs the network for MAC addresses of the currently associated users and then uses that MAC address to attack other users associated to the same switch port.)

MAC Flooding

- MAC flooding involves the flooding of the CAM table with fake MAC address and IP pairs until it is full
- The switch then acts as a hub by broadcasting packets to all machines on the network, and therefore, the attackers can sniff the traffic easily
- MAC flooding switches with macof: macof is a Unix/Linux tool that floods the switch CAM tables (131,000 per min) by sending bogus MAC entries (https://www.monkey.org)

MAC Flooding

MAC flooding is a technique used to compromise the security of network switches that connect network segments or devices. Attackers use the MAC flooding technique to force a switch to act as a hub so that they can easily sniff the traffic. In a switched network, an Ethernet switch contains a CAM table that stores all the MAC addresses of devices connected in the network. A switch acts as an intermediate device between one or more computers in a network. It looks for Ethernet frames, which carry the destination MAC address; then, it tallies this address with the MAC address in its CAM table and forwards the traffic to the destined machine. Unlike a hub, which broadcasts data across the network, a switch sends data only to the intended recipient.
Thus, a switched network is more secure compared to a hub network. However, the size of the CAM table is fixed, and as it can store only a limited number of MAC addresses, an attacker may send numerous fake MAC addresses to the switch. No problem occurs until the MAC address table is full. Once the MAC address table is full, any further requests may force the switch to enter fail-open mode. In the fail-open mode, the switch starts behaving like a hub and broadcasts incoming traffic through all the ports in the network. The attacker then changes his/her machine’s NIC to promiscuous mode to enable the machine to accept all the traffic entering it. Thus, attackers can sniff the traffic easily and steal sensitive information.

Figure 2.20: MAC flooding (the attacker floods the switch with MAC addresses; User 1 and the other hosts on the switch now receive the broadcast traffic)

MAC Flooding Switches with macof

Source: https://www.monkey.org

macof is a Unix/Linux tool that is a part of the dsniff collection. It floods the local network with random MAC and IP addresses, thereby causing some switches to fail open in repeating mode, facilitating sniffing. This tool floods the switch’s CAM tables (131,000 per min) by sending forged MAC entries. When the MAC table fills up and the switch converts to hub-like operation, an attacker can monitor the data being broadcast.
Figure 2.21: MAC flooding using macof (terminal screenshot of the output of macof -i eth0: a stream of random source MAC addresses and forged TCP SYN segments between 0.0.0.0 ports)
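The CAM-table behaviour behind switch port stealing, MAC cloning and MAC flooding, as an added example (not courseware or macof code): a plain switch fills up and floods frames for Host B to the attacker’s port, while a switch with a per-port MAC limit error-disables Port C both when it floods and when it presents Host B’s MAC. Hosts and ports follow Tables 2.2 to 2.7; the capacity of 8 and the limit of 2 are assumptions.

```python
"""Switch CAM-table model: why MAC flooding, port stealing and MAC cloning work
against a plain switch, and how port security stops them.

Added example, not courseware code. MAC addresses and port names are those of
Tables 2.2-2.7; the tiny CAM capacity and per-port MAC limit are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Switch:
    ports: list
    cam_capacity: int = 8                      # real tables hold thousands
    max_macs_per_port: int = 0                 # 0 = port security disabled
    cam: dict = field(default_factory=dict)    # mac -> port
    per_port: dict = field(default_factory=lambda: defaultdict(set))
    err_disabled: set = field(default_factory=set)
    flooding: bool = False                     # set once the table is full
    events: list = field(default_factory=list)

    def learn(self, src_mac: str, port: str) -> bool:
        """Learn a frame's source MAC on its ingress port; False = frame dropped."""
        mac = src_mac.lower()
        if port in self.err_disabled:
            return False
        prev = self.cam.get(mac)
        if prev is not None and prev != port:
            # Same MAC now seen on a second port: the symptom of port stealing
            # (attacker racing the target) and of MAC cloning.
            self.events.append(f"mac-move {mac} {prev} -> {port}")
            if self.max_macs_per_port:
                return self._violation(port, f"{mac} is secured on {prev}")
            self.per_port[prev].discard(mac)   # an unprotected switch just rebinds
        if (self.max_macs_per_port and mac not in self.per_port[port]
                and len(self.per_port[port]) >= self.max_macs_per_port):
            return self._violation(port, "maximum MAC count exceeded")
        if mac not in self.cam and len(self.cam) >= self.cam_capacity:
            if not self.flooding:
                self.events.append("cam-full: unknown destinations are now flooded")
            self.flooding = True
            return True                        # forwarded, but the address is not learned
        self.cam[mac] = port
        self.per_port[port].add(mac)
        return True

    def age_out(self, mac: str) -> None:
        """Simulate the CAM ageing timer expiring for one entry."""
        port = self.cam.pop(mac.lower(), None)
        if port is not None:
            self.per_port[port].discard(mac.lower())

    def egress(self, dst_mac: str, ingress: str) -> list:
        """Ports a frame leaves on: the bound port if known, else every other port."""
        port = self.cam.get(dst_mac.lower())
        if port is not None:
            return [port]
        return [p for p in self.ports if p != ingress and p not in self.err_disabled]

    def _violation(self, port: str, why: str) -> bool:
        self.err_disabled.add(port)
        self.events.append(f"port-security violation on {port}: {why}; err-disabled")
        return False


PORTS = ["Port A", "Port B", "Port C"]                       # Table 2.2
HOST_A, HOST_B = "aa-bb-cc-dd-ee-ff", "bb-cc-dd-ee-ff-gg"    # Host A, target Host B
BOGUS = [f"02-00-00-00-00-{i:02x}" for i in range(20)]       # attacker's forged sources


def run_demo() -> dict:
    # 1. Plain switch: Host C floods forged source MACs from Port C until the table is full.
    sw = Switch(PORTS)
    sw.learn(HOST_A, "Port A")
    sw.learn(HOST_B, "Port B")
    for mac in BOGUS:
        sw.learn(mac, "Port C")
    sw.age_out(HOST_B)                  # B goes quiet and its entry ages out ...
    sw.learn(BOGUS[-1], "Port C")       # ... the attacker refills the freed slot at once
    sw.learn(HOST_B, "Port B")          # B cannot be re-learned: the table is full again
    flooded_to = sw.egress(HOST_B, "Port A")    # frames for B now reach Port C too

    # 2. Port security (max 2 MACs per port): the same flood trips a violation instead.
    sw2 = Switch(PORTS, max_macs_per_port=2)
    sw2.learn(HOST_A, "Port A")
    sw2.learn(HOST_B, "Port B")
    for mac in BOGUS:
        sw2.learn(mac, "Port C")

    # 3. Port security vs. port stealing: Host C sends a frame carrying Host B's MAC.
    sw3 = Switch(PORTS, max_macs_per_port=2)
    sw3.learn(HOST_A, "Port A")
    sw3.learn(HOST_B, "Port B")
    stolen = sw3.learn(HOST_B, "Port C")

    return {"plain_flooding": sw.flooding, "plain_egress_for_B": flooded_to,
            "secured_disabled": sorted(sw2.err_disabled), "secured_cam_size": len(sw2.cam),
            "steal_accepted": stolen, "steal_egress_for_B": sw3.egress(HOST_B, "Port A"),
            "steal_disabled": sorted(sw3.err_disabled)}


if __name__ == "__main__":
    print(run_demo())
```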
IP Address Spoofing

- IP spoofing refers to changing the source IP addresses so that the attack appears to be coming from someone else
- When the victim replies to the address, it goes back to the spoofed address rather than the attacker’s real address
- Attackers modify the address information in the IP packet header and the source address bits field in order to bypass the IDS or firewall
- IP spoofing using Hping3: Hping3 www.certifiedhacker.com -a 7.7.7.7 (the attacker sends a packet with the spoofed address 7.7.7.7 to the victim at 5.5.5.5)
- Note: You will not be able to complete the three-way handshake and open a successful TCP connection with spoofed IP addresses

IP Address Spoofing

Most firewalls filter packets based on the source IP address. These firewalls examine the source IP address and determine whether the packet is coming from a legitimate source or an illegitimate source. The IDS filters packets from illegitimate sources. Attackers use the IP spoofing technique to bypass such IDS/firewalls. IP address spoofing is a hijacking technique in which an attacker obtains a computer’s IP address, alters the packet headers, and sends request packets to a target machine, pretending to be a legitimate host. The packets appear to be sent from a legitimate machine but are actually sent from the attacker’s machine, while his/her machine’s IP address is concealed. When the victim replies to the address, it goes back to the spoofed address and not to the attacker’s real address. Attackers mostly use IP address spoofing to perform DoS attacks. When the attacker sends a connection request to the target host, the target host replies to the spoofed IP address.
When spoofing a nonexistent address, the target replies to a nonexistent system and then hangs until the session times out, thus consuming a significant amount of its own resources.

Figure 2.22: IP spoofing using Hping3 (Hping3 www.certifiedhacker.com -a 7.7.7.7: the attacker sends a packet with the spoofed source address 7.7.7.7 to the victim at 5.5.5.5; the reply goes to 7.7.7.7, not to the attacker’s real address)

IP spoofing using Hping3: Hping3 www.certifiedhacker.com -a 7.7.7.7

You can use Hping3 to perform IP spoofing. The above command helps you to send arbitrary TCP/IP packets to network hosts.

Note: You will not be able to complete the three-way handshake and open a successful TCP connection with spoofed IP addresses.

Denial-of-Service Attack (DoS)

- Denial-of-Service (DoS) is an attack on a computer or network that reduces, restricts, or prevents accessibility of system resources to its legitimate users
- Attackers flood the victim system with nonlegitimate service requests or traffic to overload its resources
- Attackers use tools such as hping3 to perform a DoS attack

Denial-of-Service Attack (DoS)

A DoS attack is an attack on a computer or network that reduces, restricts, or prevents access to system resources for legitimate users.
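Source-address validation (the BCP 38 style ingress/egress filtering that stops the spoofed 7.7.7.7 packet of Figure 2.22 at the first router it crosses), as an added example that is not courseware code: each interface has the prefixes it may legitimately source, Internet-facing traffic claiming an internal or non-routable source is dropped, and every decision is returned for inspection. Interface names and prefixes are assumptions.

```python
"""Source-address validation (BCP 38 style) against IP spoofing.

Added example, not courseware code. A packet may only enter from an interface
whose assigned prefixes contain its source address, and nothing arriving from
the Internet may claim an internal or non-routable source. Interface names and
prefixes are assumptions; 7.7.7.7 and 5.5.5.5 follow Figure 2.22.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ingress: str      # interface the packet arrived on
    src: str
    dst: str


class SourceAddressFilter:
    def __init__(self, lan_prefixes: dict, wan_interface: str = "wan"):
        # lan_prefixes: interface -> prefixes that are legitimately sourced behind it
        self.lan = {ifc: [ipaddress.ip_network(p) for p in nets]
                    for ifc, nets in lan_prefixes.items()}
        self.wan = wan_interface
        self.internal = [n for nets in self.lan.values() for n in nets]

    def decide(self, pkt: Packet) -> str:
        """Return 'permit' or 'drop: <reason>' for one packet."""
        src = ipaddress.ip_address(pkt.src)
        if pkt.ingress == self.wan:
            if any(src in n for n in self.internal):
                return "drop: internal source arriving from the Internet"
            if not src.is_global:
                return "drop: non-routable (martian) source"
            return "permit"
        allowed = self.lan.get(pkt.ingress)
        if allowed is None:
            return "drop: unknown interface"
        if any(src in n for n in allowed):
            return "permit"
        # The egress check: an inside host forging its source (hping3 -a) is stopped here,
        # so its packets never reach the victim and never point blame at 7.7.7.7.
        return f"drop: {pkt.src} is not a valid source on {pkt.ingress}"


SAMPLE_PACKETS = [   # constructed
    Packet("lan0", "10.0.0.5", "5.5.5.5"),    # normal internal host
    Packet("lan0", "7.7.7.7", "5.5.5.5"),     # internal host spoofing 7.7.7.7 (Figure 2.22)
    Packet("wan", "7.7.7.7", "10.0.0.5"),     # genuine Internet source
    Packet("wan", "10.0.0.9", "10.0.0.5"),    # Internet packet claiming an internal address
    Packet("wan", "127.0.0.1", "10.0.0.5"),   # martian source
]


def run_demo() -> list:
    """Run the sample packets through a two-LAN router filter; return (ingress, src, decision)."""
    f = SourceAddressFilter({"lan0": ["10.0.0.0/24"], "lan1": ["192.168.168.0/24"]})
    return [(p.ingress, p.src, f.decide(p)) for p in SAMPLE_PACKETS]


if __name__ == "__main__":
    for ingress, src, decision in run_demo():
        print(f"{ingress:5} {src:10} {decision}")
```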
In a DoS attack, attackers flood a victim’s system with nonlegitimate service requests or traffic to overload its resources and bring down the system, leading to the unavailability of the victim’s website or at least significantly reducing the victim’s system or network performance. The goal of a DoS attack is to keep legitimate users from using the system, rather than to gain unauthorized access to a system or to corrupt data. The following are examples of types of DoS attacks:

- Flooding the victim’s system with more traffic than it can handle
- Flooding a service (e.g., Internet Relay Chat (IRC)) with more events than it can handle
- Crashing a TCP/IP stack by sending corrupt packets
- Crashing a service by interacting with it in an unexpected manner
- Hanging a system by causing it to go into an infinite loop

Figure 2.23: Schematic of a DoS attack (malicious traffic consumes all the available bandwidth; attack traffic and regular traffic from the Internet contend for the server cluster)

DoS attacks have various forms and target various services. The attacks may cause the following:

- Consumption of resources
- Consumption of bandwidth, disk space, CPU time, or data structures
- Actual physical destruction or alteration of network components
- Destruction of programming and files in a computer system

In general, DoS attacks target network bandwidth or connectivity. Bandwidth attacks overflow the network with a high volume of traffic by using existing network resources, thereby depriving legitimate users of these resources.
Connectivity attacks overflow a system with a large number of connection requests, consuming all available OS resources to prevent the system from processing legitimate user requests. Consider a food catering company that conducts much of its business over the phone. If an attacker wants to disrupt this business, they need to find a way to block the company’s phone lines, which would make it impossible for the company to do business. A DoS attack works along the same lines—the attacker uses up all the ways to connect to the victim’s system, making legitimate business impossible. DoS attacks are a kind of security breach that does not generally result in the theft of information. However, these attacks can harm the target in terms of time and resources. Furthermore, security failure might cause the loss of a service such as email. In the worst-case scenario, a DoS attack can cause the accidental destruction of the files and programs of millions of people who were connected to the victim’s system at the time of the attack.

Attackers use tools such as hping3 to perform a DoS attack.

- hping3

Source: http://www.hping.org

hping3 is a command-line-oriented network scanning and packet crafting tool for the TCP/IP protocol that sends ICMP echo requests and supports TCP, UDP, ICMP, and raw IP protocols.

Figure 2.24: Screenshot of hping3
Distributed Denial-of-Service Attack (DDoS)

- Distributed denial-of-service (DDoS) is a coordinated attack that involves a multitude of compromised systems (Botnet) attacking a single target, thereby denying service to users of the targeted system
- How do DDoS attacks work? The attacker sets up a handler system; the handler infects computers over the Internet; the zombie systems are instructed to attack a target server

Distributed Denial-of-Service Attack (DDoS)

Source: https://searchsecurity.techtarget.com

A DDoS attack is a large-scale, coordinated attack on the availability of services on a victim’s system or network resources, and it is launched indirectly through many compromised computers (botnets) on the Internet. As defined by the World Wide Web Security FAQ, “A distributed denial-of-service (DDoS) attack uses many computers to launch a coordinated DoS attack against one or more targets. Using client/server technology, the perpetrator is able to multiply the effectiveness of the denial of service significantly by harnessing the resources of multiple unwitting accomplice computers, which serve as attack platforms.” The flood of incoming messages to the target system essentially forces it to shut down, thereby denying service to legitimate users.

The services under attack belong to the “primary victim,” whereas the compromised systems used to launch the attack are called “secondary victims.” The use of secondary victims in performing a DDoS attack enables the attacker to mount a large and disruptive attack while making it difficult to track down the original attacker. The primary objective of a DDoS attack is to first gain administrative access on as many systems as possible. In general, attackers use a customized attack script to identify potentially vulnerable systems.
After gaining access to the target systems, the attacker uploads and runs DDoS software on these systems at the time chosen to launch the attack. DDoS attacks have become popular because of the easy accessibility of exploit plans and the negligible amount of brainwork required to execute them. These attacks can be very dangerous because they can quickly consume the largest hosts on the Internet, rendering them useless. The impacts of DDoS include the loss of goodwill, disabled networks, financial losses, and disabled organizations.

How do DDoS Attacks Work?

In a DDoS attack, many machines barrage a target server or network with bogus external requests that make the system, network, browser, or site slow, useless, and disabled or unavailable. The attacker initiates the DDoS attack by sending a command, through a command and control (C&C) server, to zombie agents: Internet-connected computers that the attacker has compromised with malware so that they perform malicious activities on command. In the reflected variant described here, the zombie agents send connection requests to a large number of reflector systems with the spoofed IP address of the victim, which causes the reflectors to presume that the requests originate from the victim's machine rather than from the zombies. Hence, the reflector systems send their responses to the connection request to the victim. Consequently, the victim's machine is flooded with unsolicited responses from many reflectors simultaneously, which may either degrade its performance or cause it to shut down completely.

Figure 2.25: Schematic of a DDoS attack (the handler infects a large number of computers over the Internet; the attacker sets up handler systems; the compromised PCs, or zombies, are instructed to attack the target server)

Distributed Reflection Denial-of-Service (DRDoS) Attack

A distributed reflection denial-of-service (DRDoS) attack, also known as a spoofed attack, involves the use of multiple intermediary and secondary machines that contribute to the actual DDoS attack against the target machine or application. Attackers launch this attack by sending requests to the intermediary hosts, which then redirect the requests to the secondary machines, which in turn reflect the attack traffic to the target.

Advantages
» The primary target seems to be attacked directly by the secondary victims rather than by the actual attacker
» Multiple intermediary victim servers are used, which results in an increase in attack bandwidth

A DRDoS attack exploits the TCP three-way handshake: a reflector that receives a SYN replies with a SYN/ACK to whatever source address the SYN carried, and keeps retransmitting it while it waits for the final ACK. The attack involves an attacker machine, intermediary victims (zombies), secondary victims (reflectors), and a target machine. The attacker launches it by sending requests to the intermediary hosts, which in turn reflect the attack traffic to the target. The process of a DRDoS attack is as follows.
First, the attacker commands the intermediary victims (zombies) to send a stream of TCP SYN packets, with the primary target's IP address as the source address, to other non-compromised machines (secondary victims or reflectors), in order to induce them to establish a connection with the primary target. Consequently, the reflectors send a large volume of SYN/ACK traffic to the primary target to set up the connection, because they believe that host requested it. The primary target does not accept the SYN/ACK packets received from the reflectors because it never sent a SYN; a host that answers with a RST tears the reflector's half-open connection down, but a target (or a firewall in front of it) that silently drops the unexpected SYN/ACKs leaves the reflectors waiting for the final ACK. Assuming the packet was lost, the reflector machines then retransmit their SYN/ACK packets to the primary target until a time-out occurs. In this manner, the target is flooded with a heavy volume of traffic from the reflector machines, and their combined bandwidth overwhelms it.

A DRDoS attack is an intelligent attack because it is very difficult or even impossible to trace the attacker: instead of the actual attacker, the secondary victims (reflectors) appear to attack the primary target directly. The attack is also more effective than a typical DDoS attack because the multiple intermediary and secondary victims generate a huge attack bandwidth.

Figure 2.26: Distributed reflection DoS (DRDoS) attack (attacker, intermediary victims, secondary victims, primary target)
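The reflection mechanics above, as an added example that is not part of the original text: it models the SYN/ACK retransmission schedule that makes each spoofed SYN cost the target several packets (using the Linux default of five SYN/ACK retries with exponential back-off), shows the source-address validation (BCP 38 / RFC 2827 ingress filtering) that drops the zombies' forged SYNs at their own network edge before any reflector sees them, and runs two detection checks over flow records at the victim: unsolicited SYN/ACKs from many hosts (reflection) versus SYNs from many sources that never complete (the direct DDoS of the previous section). All addresses, prefixes and records are constructed for the example.

```python
import ipaddress
from collections import Counter


def synack_send_times(synack_retries=5, initial_rto=1.0):
    """Seconds at which a reflector (re)sends the SYN/ACK for one half-open
    connection: the first send plus exponential-backoff retransmits.
    Linux's default net.ipv4.tcp_synack_retries=5 yields six packets."""
    times, t, rto = [], 0.0, initial_rto
    for _ in range(synack_retries + 1):
        times.append(t)
        t += rto
        rto *= 2
    return times


def packets_per_spoofed_syn(synack_retries=5):
    """Packet amplification: how many SYN/ACKs one spoofed SYN draws from a reflector."""
    return len(synack_send_times(synack_retries))


def ingress_filter(packets, customer_prefix):
    """BCP 38 source-address validation at the edge router in front of the zombies:
    forward only packets whose source lies in the customer's own prefix, so a SYN
    forged with the victim's address never reaches a reflector. Returns (forwarded, dropped)."""
    net = ipaddress.ip_network(customer_prefix)
    forwarded, dropped = [], []
    for pkt in packets:
        (forwarded if ipaddress.ip_address(pkt["src"]) in net else dropped).append(pkt)
    return forwarded, dropped


def detect_reflection(records, victim_ip, min_reflectors=3):
    """At the victim: SYN/ACKs from hosts the victim never sent a SYN to are the
    signature of reflected traffic. Returns the suspected reflector addresses."""
    syn_sent_to = {r["dst"] for r in records if r["src"] == victim_ip and r["flags"] == "S"}
    unsolicited = Counter(r["src"] for r in records
                          if r["dst"] == victim_ip and r["flags"] == "SA" and r["src"] not in syn_sent_to)
    reflectors = sorted(unsolicited)
    return reflectors if len(reflectors) >= min_reflectors else []


def detect_direct_flood(records, victim_ip, min_sources=20):
    """Direct (non-reflected) DDoS: many distinct sources send SYNs to the victim
    and none of them ever completes the handshake with an ACK."""
    syn_sources = {r["src"] for r in records if r["dst"] == victim_ip and r["flags"] == "S"}
    completed = {r["src"] for r in records if r["dst"] == victim_ip and r["flags"] == "A"}
    return len(syn_sources - completed) >= min_sources


# ---- constructed traffic for the example -------------------------------------
VICTIM = "198.51.100.10"
ZOMBIE_PREFIX = "203.0.113.0/24"
REFLECTORS = ["192.0.2.1", "192.0.2.2", "192.0.2.3", "192.0.2.4"]

# what a zombie inside 203.0.113.0/24 emits: SYNs forged with the victim's address, plus one genuine SYN
ZOMBIE_EGRESS = [{"src": VICTIM, "dst": r, "flags": "S"} for r in REFLECTORS] + [
    {"src": "203.0.113.5", "dst": "192.0.2.9", "flags": "S"}]

# what the victim sees if the forged SYNs get through: every reflector retransmits its SYN/ACK,
# alongside one handshake the victim really started with 192.0.2.50
VICTIM_INGRESS = [{"src": r, "dst": VICTIM, "flags": "SA"} for r in REFLECTORS for _ in synack_send_times()] + [
    {"src": VICTIM, "dst": "192.0.2.50", "flags": "S"},
    {"src": "192.0.2.50", "dst": VICTIM, "flags": "SA"}]

# a direct SYN flood: 50 distinct (spoofed) sources, none completing the handshake
DIRECT_FLOOD = [{"src": f"203.0.113.{i}", "dst": VICTIM, "flags": "S"} for i in range(50)]


def run_example():
    forwarded, dropped = ingress_filter(ZOMBIE_EGRESS, ZOMBIE_PREFIX)
    return {
        "synack_per_spoofed_syn": packets_per_spoofed_syn(),
        "synack_schedule_s": synack_send_times(),
        "forged_syns_dropped_at_edge": len(dropped),
        "genuine_syns_forwarded": len(forwarded),
        "reflectors_seen_by_victim": detect_reflection(VICTIM_INGRESS, VICTIM),
        "reflection_in_direct_flood": detect_reflection(DIRECT_FLOOD, VICTIM),
        "direct_flood_detected": detect_direct_flood(DIRECT_FLOOD, VICTIM),
        "direct_flood_in_reflection": detect_direct_flood(VICTIM_INGRESS, VICTIM),
    }


if __name__ == "__main__":
    for k, v in run_example().items():
        print(f"{k:30s} {v}")
```

Two things the numbers make concrete: with the default retry schedule each forged SYN turns into six SYN/ACKs spread over about a minute at the target, and none of them would exist if the zombies' upstream applied ingress filtering, since the forged SYN carries a source address outside the zombie's prefix. The reflection detector keys on the victim's own outbound SYNs, so a real handshake with 192.0.2.50 is not flagged.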
Malware Attacks

Malware is software or malicious code that is installed on a system without the user's knowledge. A malware attack disrupts services, damages systems, gathers sensitive information, and so on. Examples of malware include viruses, Trojans, adware, spyware, rootkits, and backdoors.

Malware is a piece of malicious software designed to perform activities intended by the attacker without the user's consent. It may take the form of executable code, active content, scripts, or other kinds of software. An attacker can use malware for various objectives, such as compromising system security, intercepting computer operations, gathering sensitive information, modifying, deleting, or adding content to a website, and controlling a user's computer. It is also used against government agencies or corporations to extract highly confidential information.

Advanced Persistent Threats (APTs)

Advanced persistent threats (APTs) are a type of network attack in which an attacker gains unauthorized access to a target network and remains undetected for a long period of time. The main objective behind these attacks is to obtain sensitive information (classified documents, transaction information, user credentials, credit card information, personal information about employees or customers, the organization's business strategy, network information, and control system access information) rather than to sabotage the organization and its network.
An advanced persistent threat (APT) is a type of network attack in which an attacker gains unauthorized access to a target network and remains in the network without being detected for a long time. The word "advanced" signifies the use of techniques that exploit the underlying vulnerabilities in the system. The word "persistent" signifies the external command-and-control (C&C) system that continuously extracts data from and monitors the victim's network. The word "threat" signifies human involvement in coordinating the attack.

APT attacks are highly sophisticated: the attacker uses well-crafted malicious code, often combined with multiple zero-day exploits, to gain access to the target network. These attacks involve well-planned and coordinated techniques, and the attackers erase evidence of their malicious activities after their objectives have been fulfilled. APT attacks are usually performed against organizations possessing valuable information, such as financial, healthcare, defense and aerospace, manufacturing, and business organizations. The main objective of these attacks is to obtain sensitive information rather than to sabotage the organization and its network.

Information obtained by an attacker through APT attacks includes:
= Classified documents
= Transaction information
= User credentials
= Credit card information
= Employees' or customers' personal information
= Organization's business strategy information
= Network information
= Control system access information
Physical Attacks

Attackers perform physical attacks by interacting with physical assets such as systems or networks in order to damage them or to spread malware through the target's entire infrastructure. Attackers create a route to the target system or network by bypassing the physical security of a building or company and implanting malicious code or software. Such attacks are difficult to detect or defend against because most of them originate from insiders and trusted assets. The following are the possible types of physical attacks.

= Malicious Universal Serial Bus (USB) Cable
This attack uses a USB cable with a small chip and a Wi-Fi controller embedded in it; when the cable is plugged into a computer, the chip can execute commands sent from the attacker's system. The victim cannot tell the cable apart from a normal one, and the attacker can control the system remotely.

= Malicious Flash Drive
Malicious flash drives contain harmful code with autorun capability that can damage the system, steal data, or spread malware to other systems on the network. These drives carry viruses, worms, Trojans, or adware, which are installed on the system as soon as the drive is plugged in.

= Card Cloning
Card cloning is the process of creating a copy or duplicate of a credit card or access card by copying information from the original card. Copying the information from the card is called skimming and is performed using an electronic device and software; the extracted information is then written onto another card.
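Although the user cannot tell a malicious cable or drive from a normal one, the host can see what the device claims to be when it enumerates, so the USB attacks above can be checked at that point. The following is an added example, not from the EC-Council material: a device-authorization policy keyed on the vendor/product IDs and interface classes that Linux exposes under sysfs (idVendor, idProduct, bInterfaceClass). It refuses unknown devices that present a keyboard/mouse (HID) interface, which is how a cable with an embedded controller typically injects commands (an assumption about such cables; the text only says the chip executes the attacker's commands), holds unknown storage devices, and flags an approved device that suddenly exposes an interface it never had. The allowlist and the enumerated devices are constructed, and the vendor/product IDs are illustrative values.

```python
HID_CLASS = 0x03            # keyboards and mice: a keystroke injector enumerates as this
MASS_STORAGE_CLASS = 0x08   # flash drives

# Constructed allowlist: (idVendor, idProduct) -> interface classes the device is allowed to present.
ALLOWED = {
    (0x046D, 0xC31C): {HID_CLASS},              # assumed corporate keyboard
    (0x0781, 0x5583): {MASS_STORAGE_CLASS},     # assumed approved flash drive
}


def authorize(device):
    """Decide whether one enumerated USB device may be activated.
    device = {"name": str, "vendor": int, "product": int, "classes": {int, ...}}
    Returns (allowed, reason). The decision would be applied by writing 0/1 to
    /sys/bus/usb/devices/<dev>/authorized on Linux."""
    key = (device["vendor"], device["product"])
    classes = set(device["classes"])
    if key not in ALLOWED:
        if HID_CLASS in classes:
            return False, "unknown device presents a keyboard/mouse interface (possible keystroke injector)"
        if MASS_STORAGE_CLASS in classes:
            return False, "unknown storage device (hold until scanned and approved)"
        return False, "unknown device"
    extra = classes - ALLOWED[key]
    if extra:
        # An approved VID/PID that now exposes an interface it never had (for example a
        # storage stick that also acts as a keyboard) is the re-flashed-firmware pattern.
        return False, f"approved device exposes unexpected interface classes {sorted(extra)}"
    return True, "allowlisted"


def evaluate(devices):
    """Map each device name to its (allowed, reason) decision."""
    return {d["name"]: authorize(d) for d in devices}


# Constructed enumeration results for the example
DEVICES = [
    {"name": "corp-keyboard", "vendor": 0x046D, "product": 0xC31C, "classes": {HID_CLASS}},
    {"name": "approved-stick", "vendor": 0x0781, "product": 0x5583, "classes": {MASS_STORAGE_CLASS}},
    # a charging cable that hides a microcontroller and shows up as a keyboard
    {"name": "charging-cable", "vendor": 0x1D50, "product": 0x6000, "classes": {HID_CLASS}},
    # an approved-looking stick re-flashed to add a keyboard interface
    {"name": "tampered-stick", "vendor": 0x0781, "product": 0x5583, "classes": {MASS_STORAGE_CLASS, HID_CLASS}},
    # an unknown drive with autorun content "found" near the office
    {"name": "found-in-parking-lot", "vendor": 0x0930, "product": 0x6545, "classes": {MASS_STORAGE_CLASS}},
]


if __name__ == "__main__":
    for name, (ok, why) in evaluate(DEVICES).items():
        print(f"{'ALLOW' if ok else 'DENY ':5s} {name:22s} {why}")
```

The policy is deliberately a denylist-by-default: a device is only activated when both its identity and the set of functions it presents match what was approved, which is the property the cable and the re-flashed drive both violate.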
= Skimming
Skimming is the process of extracting payment and personal information from credit cards using special devices called skimmers. Identity thieves attach a small skimmer to an ATM or a card-swipe machine to capture payment information.

Adversarial Artificial Intelligence (AI)

Adversarial artificial intelligence is a new technology attack vector designed by attackers with malicious intent to mislead machine learning (ML) models. Attackers leverage flaws in ML systems and introduce malicious traffic into the target ML systems to gain control over the network.

Tainted Training Data for Machine Learning
= Tainted training data means infecting or contaminating the training data of ML models
= Attackers can contaminate the data with malicious inputs that disrupt system performance and cause disturbances in retraining

Security of Machine Learning Algorithms
= The primary task in securing ML algorithms is securing the dataset used for training the ML system. The potential ML security risks include confidentiality of data, manipulating the online system, making false predictions, poisoning the data, and transfer learning attacks.

Adversarial AI is implemented by changing the system inputs so that the system's behavior changes in the attacker's favor.
Attackers can also leverage flaws in ML systems and blend malicious traffic into legitimate traffic to maintain persistence on the network. To mount such attacks on ML models, attackers weaponize custom AI resources, referred to as adversarial AI.

AI is a crucial component of the defense against the latest cyberattacks: it automates most of the tasks involved in securing the infrastructure, using deep learning capabilities, and expedites data processing. However, attackers can misuse the capabilities of AI by crafting adversarial examples, false inputs that resemble normal inputs, which change the behavior of the security model and degrade its performance.

= Tainted Training Data for Machine Learning
Tainted training data means infecting or contaminating the training data of ML models. ML systems utilize operational data aggregated during retraining operations. For example, security solutions such as intrusion detection systems use operational data to learn and retrain to defend against future cyberattacks. Attackers can contaminate this data with malicious inputs that disrupt system performance and cause disturbances in retraining. When the training data are tainted, the ML algorithm is retrained on the malicious data and thereafter acts according to the attacker's instructions.

= Security of Machine Learning Algorithms
It is important to ensure the security of ML algorithms, just as for software applications. The primary task in securing ML algorithms is securing the dataset used for training the ML system. Researchers have stated that 60% of the risks associated with ML algorithms and systems can be attributed to their training dataset.
The potential ML security risks are listed below:

o Confidentiality of Data
It is difficult to maintain data confidentiality, especially for the data used by ML systems for training. Attackers might perform sophisticated attacks to exfiltrate confidential data from ML systems during training. To reduce this risk, it is essential to build in security controls from the initial phase of the ML life cycle.

o Manipulating the Online System
ML systems are generally built online, especially when they continuously learn and update their behavior during operational use. A highly skilled attacker can mislead such a system by providing wrong inputs. To alleviate this issue, the security team must select the right algorithm and secure the operations of ML systems.

o Making False Predictions
Attackers can fool ML models with malicious inputs that resemble genuine inputs, thus corrupting the ML system. For example, attackers can send deceptive images to a system so that it learns incorrectly. Such attacks carry high risk because they can lead to system malfunction.

o Poisoning the Data
ML systems usually rely on operational data for learning and retraining. If attackers can alter the operational data, they can compromise the entire ML system. Therefore, ML engineers must secure all training data sources and focus on those sources with the highest potential risk.

o Transfer Learning Attack
Transfer learning attacks are most common in ML systems that are fine-tuned from common or pre-trained models. If a pre-trained model is stored in a public repository, an attacker can tamper with it and conceal malicious behavior in the model that others then fine-tune. Hence, when using transfer models, users must verify the origin and functions of the pre-trained model and apply the controls that developers provide to mitigate the risk.
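Data poisoning and tainted retraining data, as an added runnable illustration that is not part of the original text: a minimal nearest-centroid classifier is trained on constructed two-feature samples, an attacker injects copies of its own traffic labelled "benign" into the retraining set until the detector lets that traffic through, and a sanitization step that only accepts retraining samples whose label agrees with the trusted base model blocks the poison while letting an honest new sample in. The classifier, the features, the poison count and the feedback channel the attacker abuses are assumptions made for the example.

```python
import math
from collections import defaultdict

BENIGN, MALICIOUS = "benign", "malicious"

# Constructed, already-labelled training data: two features per sample (think scaled
# connection rate and payload entropy; the meaning is illustrative only).
CLEAN = [((1, 1), BENIGN), ((1, 2), BENIGN), ((2, 1), BENIGN),
         ((0, 1), BENIGN), ((1, 0), BENIGN), ((2, 2), BENIGN),
         ((5, 5), MALICIOUS), ((5, 6), MALICIOUS), ((6, 5), MALICIOUS),
         ((4, 5), MALICIOUS), ((5, 4), MALICIOUS), ((6, 6), MALICIOUS)]

ATTACK_SAMPLE = (4, 4)   # the traffic the attacker wants the detector to let through


def train(samples):
    """Nearest-centroid classifier: one mean point per label."""
    sums, counts = defaultdict(lambda: [0.0, 0.0]), defaultdict(int)
    for (x, y), label in samples:
        sums[label][0] += x
        sums[label][1] += y
        counts[label] += 1
    return {lbl: (s[0] / counts[lbl], s[1] / counts[lbl]) for lbl, s in sums.items()}


def predict(model, point):
    """Label whose centroid is closest to the point."""
    return min(model, key=lambda lbl: math.dist(point, model[lbl]))


def poison(n):
    """Attacker feeds n copies of its own traffic back into the retraining set labelled
    benign, e.g. by abusing a 'mark as false positive' feedback channel (assumed)."""
    return [(ATTACK_SAMPLE, BENIGN)] * n


def sanitize(trusted_model, new_samples):
    """Accept a retraining sample only if its claimed label agrees with the trusted model.
    Trade-off: genuinely novel benign behaviour is also held back for human review."""
    accepted, rejected = [], []
    for point, label in new_samples:
        (accepted if predict(trusted_model, point) == label else rejected).append((point, label))
    return accepted, rejected


def run_example(poison_count=20):
    base = train(CLEAN)
    new_data = poison(poison_count) + [((1.5, 1.5), BENIGN)]   # poison mixed with one honest sample
    poisoned = train(CLEAN + new_data)                            # naive retraining on everything
    accepted, rejected = sanitize(base, new_data)
    sanitized = train(CLEAN + accepted)                           # retraining on vetted data only
    return {
        "clean_verdict": predict(base, ATTACK_SAMPLE),
        "poisoned_verdict": predict(poisoned, ATTACK_SAMPLE),
        "poison_rejected": len(rejected),
        "honest_accepted": len(accepted),
        "sanitized_verdict": predict(sanitized, ATTACK_SAMPLE),
        "benign_centroid_shift": round(math.dist(base[BENIGN], poisoned[BENIGN]), 2),
    }


if __name__ == "__main__":
    for k, v in run_example().items():
        print(f"{k:24s} {v}")
```

Twenty mislabelled samples are enough to drag the benign centroid about three units toward the attacker's traffic, which is all it takes for the attack sample to flip from malicious to benign; the malicious centroid never moved. The sanitizer is the simplest form of the "secure the training data sources" advice above: it treats the trusted model as the arbiter of what may be learned next, which stops this poison but also means real drift has to be admitted deliberately rather than automatically.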