Chapter 2 - 04 - Understand Application-level and OS-level Attacks - 04_ocred_fax_ocred.pdf

Full Transcript

Certified Cybersecurity Technician
Information Security Attacks
Exam 212-82

Cross-Site Request Forgery (CSRF) Attack

[Figure: How CSRF Attacks Work (panels: Client Side Code, Server Code)]

DNS Amplification Attack

A recursive DNS query is a method of requesting DNS mapping. The query goes through DNS servers recursively until it fails to find the specified domain name to IP address mapping.
Module 02 Page 238 Certified Cybersecurity Technician Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

The following are the steps involved in processing recursive DNS requests; these steps are illustrated in the below figure.

- Step 1: Users who desire to resolve a domain name to its corresponding IP address send a DNS query to the primary DNS server specified in their Transmission Control Protocol (TCP)/IP properties.
- Steps 2 to 7: If the requested DNS mapping does not exist on the user's primary DNS server, the server forwards the request to the root server. The root server forwards the request to the .com namespace, where the user can find DNS mappings. This process repeats recursively until the DNS mapping is resolved.
- Step 8: Ultimately, when the system finds the primary DNS server for the requested mapping, it generates a cache for the IP address in the user's primary DNS server.

Figure 2.36: Recursive DNS query

Attackers exploit recursive DNS queries to perform a DNS amplification attack that results in DDoS attacks on the victim's DNS server. The following are the steps involved in a DNS amplification attack; these steps are illustrated in the below figure.

- Step 1: The attacker instructs compromised hosts (bots) to make DNS queries in the network.
- Step 2: All the compromised hosts spoof the victim's IP address and send DNS query requests to the primary DNS server configured in the victim's TCP/IP settings.
- Steps 3 to 8: If the requested DNS mapping does not exist on the victim's primary DNS server, the server forwards the requests to the root server. The root server forwards the request to the .com or respective top-level domain (TLD) namespaces. This process repeats recursively until the victim's primary DNS server resolves the DNS mapping request.
- Step 9: After the primary DNS server finds the DNS mapping for the victim's request, it sends a DNS mapping response to the victim's IP address. This response goes to the victim because bots use the victim's IP address. The replies to copious DNS mapping requests from the bots result in DDoS on the victim's DNS server.

Figure 2.37: DNS amplification attack
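Step 9 implies that the victim receives DNS responses for queries it never sent. The following added example (not part of the original course material) flags such unsolicited responses in a summary of DNS traffic seen at the victim's network edge; the record format, function names and thresholds are assumptions, and the sample records are constructed.

```python
from collections import defaultdict

# Constructed sample records (assumed format, not from the page):
# (timestamp, direction, peer_ip, dns_txid, qname, is_response, size_bytes)
SAMPLE = [
    # One legitimate lookup: the host asks its resolver and gets an answer.
    (0.00, "out", "198.51.100.53", 0x1A2B, "certifiedhacker.com", False, 60),
    (0.02, "in", "198.51.100.53", 0x1A2B, "certifiedhacker.com", True, 120),
] + [
    # Large responses arriving from resolvers the host never queried.
    (1.0 + i * 0.01, "in", ip, i, "certifiedhacker.com", True, 3000)
    for i in range(4)
    for ip in ("203.0.113.10", "203.0.113.20")
]


def find_unsolicited(records, timeout=5.0):
    """Return {peer_ip: [count, bytes]} for responses with no matching query."""
    pending = {}                       # (peer, txid, qname) -> time query was sent
    stats = defaultdict(lambda: [0, 0])
    for ts, direction, peer, txid, qname, is_resp, size in sorted(
        records, key=lambda r: r[0]
    ):
        key = (peer, txid, qname.lower())
        if direction == "out" and not is_resp:
            pending[key] = ts          # remember our own outstanding query
        elif direction == "in" and is_resp:
            sent = pending.pop(key, None)
            # No matching query, or the answer arrived after the timeout.
            if sent is None or ts - sent > timeout:
                stats[peer][0] += 1
                stats[peer][1] += size
    return dict(stats)


def flag_reflectors(records, min_responses=3):
    """Peers that sent at least min_responses unsolicited DNS responses."""
    unsolicited = find_unsolicited(records)
    return sorted(ip for ip, (n, _) in unsolicited.items() if n >= min_responses)


if __name__ == "__main__":
    for ip, (count, size) in find_unsolicited(SAMPLE).items():
        print(f"{ip}: {count} unsolicited responses, {size} bytes")
    print("flagged:", flag_reflectors(SAMPLE))
```

The flagged addresses are the resolvers being abused as reflectors, which is what an upstream provider needs in order to filter or rate-limit the traffic.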
