Chapter 2 - 04 - Understand Application-level and OS-level Attacks - 04_ocred.pdf

Full Transcript

Certified Cybersecurity Technician Information Security Attacks Exam 212-82 Cross-Site Request Forgery (CSRF) Attack How CSRF Attacks Work Cllent Side Code DOV e Shares User logs into trusted [l [Pt orheees emieereserecilt o> session_start()’ : el 2..”'..-"-'3’...‘.?)1'7.‘,’5 el Shares: ( : : : Attacker sends a phishing mail tricking user to send a request to a malicious site Attacker ( Response page contains malicious code '.......................................e e. > User requests a page from the malicious server Malicious Code e I i1 - 4 Attacker reply to the Victim's IP address > Botnet compromised PCS = What is the IP Address of certifiedhacker.com? Please = Serverof I certifiedhacker. % comknowsit :.com NameSpace Pri DN u”‘r:xu:;: Allosws:d';’e“ 4o | (Nor authorieative fop (Not authoritative for Where can | find the IP Address of certifiedhacker.com?......................... [ e but.com NameSpace should have the answer Address of & Lo certifiedhacker.com? : HereistheIP * Address of & certifiedhacker.com Primary DNS Server of certifiedhacker.com Root Servers |0 0eesesessssssesasroscsecscsnsnsacnns - _|177771111 centifedhackercom) é A Whatisthe P T Q\/ I :e = Here is the IP Address P Yoy of centifiedhacker.com I Victim's Server Victim’s IP Address DNS Amplification Attack Recursive DNS query is a method of requesting DNS mapping. The query goes through DNS servers recursively until it fails to find the specified domain name to IP address mapping. Module 02 Page 238 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Information Security Attacks Exam 212-82 The following are the steps involved illustrated in the below figure. = in processing recursive DNS requests; these steps are Step1l: Users who desire to resolve a domain name to its corresponding IP address send a DNS query to the primary DNS server specified in its Transmission Control Protocol (TCP)/IP properties. = Steps2to?7: If the requested DNS mapping does not exist on the user’s primary DNS server, the server forwards the request to the root server. The root server forwards the request to the.com namespace, where the user can recursively until the DNS mapping is resolved. = find DNS mappings. This process repeats Step8: Ultimately, when the system finds the primary DNS server for the requested mapping, it generates a cache for the IP address in the user’s primary DNS server. ' What is the IP Address of certifiedhacker.com? User’s PC DNS Where can | find the IP Address of Here s the IP 9 Address of certifiedhacker.com I do not know but.com NameSpace \/..-u-uuouuuuonun-u---n-unun-> should have the answer User's Primary DNS Server (Recursion Allowed) Root Servers (.......................................: Hereis theIP Address of : certifiedhacker.com & 9. Primary DNS Server of certifiedhacker.com What is the IP Address of T What is the IP Address of certifiedhacker.com? certifiedhacker.com?.com NameSpace \/ Primary DNS Server of certifiedhacker.com Figure 2.36: Recursive DNS query Attackers exploit recursive DNS queries to perform a DNS amplification attack that results in DDoS attacks on the victim’s DNS server. The following are the steps involved in a DNS amplification attack; these steps are illustrated in the below figure. = Step1l: The attacker instructs compromised hosts (bots) to make DNS queries in the network. = Step 2: All the compromised hosts spoof the victim’s IP address and send DNS query requests to the primary DNS server configured in the victim’s TCP/IP settings. Module 02 Page 239 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Information Security Attacks = Exam 212-82 Steps3to8: If the requested DNS mapping does not exist on the victim’s primary DNS server, the server forwards the requests to the root server. The root server forwards the request to the.com or respective top-level domain (TLD) namespaces. This process repeats recursively until the victim’s primary DNS server resolves the DNS mapping request. = Step9: After the primary DNS server finds the DNS mapping for the victim’s request, it sends a DNS mapping response to the victim’s IP address. This response goes to the victim because bots use the victim’s IP address. The replies to copious DNS mapping requests from the bots result in DDoS on the victim’s DNS server. o : Sends signals to & activate bots & : () n D @ - D What Is the IP Address of certifiedhacker.com? Please reply to the Victim'sIP address > ] — A T Botnet AR AN 9 | IR : User's Primary DNS Servers What is the IP Address compromised PCs (Recursion Allowed) of certifiedhacker.com? (Not suthoritative for H E Primary DNS Serverof :: certifiedhacker I H H S C."lfi.dh.:k’h(om) :...-.....-.....--.-..--> - Where can | find the IP Address 1.com knowsit Whatis the 1P & Addressof & certifiedhacker.com? E (< but.com NameSpace should have the answer Root Servers [|**°"*******sssessssensssnnsesennsesnany O..!l"ll.lll!lll..'!'ll"ll...l'.l.lll: * Hereisthe IP Addressof = certifiedhacker.com 28 Here is the IP Address FE of certifiedhacker.com + : A.com NameSpace Primary DNS Server of certifiedhacker.com : A Victim's Server Victim’s IP Address Figure 2.37: DNS amplification attack Module 02 Page 240 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited.