Chapter 2 - 04 - Understand Application-level and OS-level Attacks - 08_ocred.pdf

Full Transcript

Certified Cybersecurity Technician Information Security Attacks Exam 212-82 Malicious Code or Script Execution PowerShell » Python A powerful command-oriented and scripting utility that helps administrators or security » teams automate complicated tasks »> Attackers leverage Python features such as easy syntax, online tutorials, and the wide collection of repositories, libraries, and other tools that are available on online platforms such as GitHub and PyPI ker often n use fileless lel wi h that can Attackers malware be integrated into running applications using a PowerShell script » If any vulnerable server, application, or webpage is exposed on the web, script kiddies can take advantage of Python scripts downloaded from open-source platforms to intrude into the target server a Copyright © by EC- CIL All Rights Reserved. Reproductionis Strictly Prohibited. Malicious Code or Script Execution (Cont’d) Bash ++ Bash scripts can be employed to download malicious files or programs and run them on the target machine %+ Leveraging the vulnerabilities in the bash script, attackers can remotely inject malicious files or executables into servers and spread infections to all other vulnerable servers Macros === Copyright © by EC-Co el Al Rights Reserved. Reproductionis Strictly Prohibited. Malicious Code or Script Execution A malicious code or script is a harmful piece of content designed to perform security breaches and cause unwanted effects on the target system or network. A malicious script is a security threat that cannot be completely averted through conventional antivirus solutions, because the code can include malware such as worms, backdoors, and Trojans. The malicious script or code can be integrated within software to conceal its identity while bypassing security controls or mechanisms. Once the script successfully enters the network, it can be stored in network drives Module 02 Page 257 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Information Security Attacks Exam 212-82 to spread infection across the network. The malicious script can also overload the mail server and network by sending spam emails, and it can delete files and folders, steal credentials, and remove sensitive data from hard drives. The following are different scripting technologies that can be exploited for malicious purposes. PowerShell It is @ powerful command-oriented scripting utility that helps administrators or security teams automate complicated tasks. However, this utility is used as a weapon by attackers to perform cyber-attacks. Trojans and infected files are conventional malware types that can be detected using various defensive techniques such as allowing browsers to inspect downloaded files and requiring permissions before installing an application. To overcome these constraints, attackers often use fileless malware that can be integrated into running applications using a PowerShell script. This script can be developed easily to deliver payloads without being tracked. PowerShell serves as a powerful channel for executing attacks owing to its wide delivery feature and its access to all segments of a server system through the.NET framework. Python Python programs or scripts can also be used as attacking tools in cyberspace. Attackers can leverage Python’s features such as its easily obtainable syntaxes, online tutorials, and wide collection of repositories, libraries, and other tools that are available on online platforms such as GitHub and PyPl. The majority of Python scripts attackers use are prebuilt in an authorized application that is designed for testing vulnerabilities. However, soon after the tool is deployed on open-source platforms such as GitHub, they become public, allowing attackers to download and use it for malicious purposes. If any vulnerable host server, application, or webpage is exposed on the web, script kiddies can take advantage of Python scripts downloaded from open-source platforms to intrude into the target server. Bash Bash scripts can be employed to download malicious files or programs and run them on the target machine. A bash script can be used to configure tools, libraries, and dependencies that help attackers perform remote attacks on host servers. Once the malicious bash script is executed, it terminates an actively running process. This can be achieved via Common Gateway Interface (CGI) scripts that are transmitted through environment variables from a host to a derived process and can be executed by a bash script through susceptible versions of bash. By leveraging the vulnerabilities in the bash script, attackers can also remotely inject malicious files or executables to servers and spread infections to all other vulnerable servers. The vulnerabilities that are generally present in the bash shell interpreter enables attackers to integrate system-level commands into bash. Module 02 Page 258 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Information Security Attacks Exam 212-82 Macros Macros are purpose-based scripts that can be employed to automate common tasks or processes inside a software or application. Generally, a macro contains a sequence of commands and tasks that are created using a standard coding language or a dedicated macro language. The series of commands is automatically executed by the software or application at the occurrence of a specific event. Macros are integrated within office suites for automating processes. When any program permits customized code to be run in the background, attackers can leverage office suites to execute harmful scripts and take control of the victim’s system. Macros are generally used as a point of source for spreading infections, and they can download and run another payload before termination. Visual Basic for Applications (VBA) VBA is employed for automating processes and allows programs such as Excel and Word to serve more effectively. However, when VBA scripts can be executed within a program, there is a probability of an attacker using VBA to run malicious scripts alongside legitimate ones. Attackers leverage VBA scripts to obfuscate and evade security mechanisms. Using its rapidly changing capacity, attackers can employ new bypass mechanisms and exploits that contain solid file structures, making it difficult to be modified for the same process without disturbing its functionality. Another benefit of using VBA malware scripts for malicious purposes is that scripts are not bounded to specific Microsoft Office versions, allowing victims to execute them on a flawed version of Microsoft Office. Module 02 Page 259 Certified Cybersecurity Technician Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Information Security Attacks Exam 212-82 Copyright © by EC iL Al Rights Reserved. Reproduction is Strictly Prohibited OS-Level Attacks Attackers employ various techniques to identify vulnerabilities in the target system and exploit them to gain remote access to the system. After gaining access, attackers attempt to elevate their privileges using various techniques such as DLL hijacking. This section discusses various types of OS-level attacks that are performed by attackers to gain access, escalate privileges, and maintain access to the target system. Module 02 Page 260 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Information Security Attacks Exam 212-82 Password Cracking Password cracking techniques are used to recover passwords from computer Attackers use password cracking techniques to gain unauthorized access Most of the password cracking techniques are successful because of weak or easily systems to vulnerable systems guessable passwords Password Cracking Password cracking is the process of recovering passwords from the data transmitted by a computer system or from the data stored in it. The purpose of cracking a password might be to help a user recover a forgotten or lost password, administrators to check for easily breakable unauthorized system access. Hacking often begins with as a passwords, password-cracking preventive measure by system or for use by an attacker to gain attempts. A password is a key piece of information necessary to access a system. Consequently, most attackers use password-cracking techniques to gain unauthorized access. An attacker may either crack a password manually by guessing it or use automated tools and techniques such as a dictionary or a brute-force method. Most password-cracking techniques are successful because of weak or easily guessable passwords. Module 02 Page 261 Certified Cybersecurity Technician Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Information Security Attacks Exam 212-82 =7P Types of Password Attacks o Non-Electronic Attacks The attacker does not need technical knowledge to crack the password, henceitis known as a non-technical attack < E fat Active Online Attacks The attacker performs password cracking by directly communicating with the victim’s machine Types of Password Attacks (Cont’d) Passive Online Attacks The attacker performs password cracking without communicating with the authorizing party S e [l -79 Offline Attacks The attacker copies the target’s password file and then tries to crack passwords on his own system at a different location Types of Password Attacks Password cracking is one of the crucial stages of system hacking. Password-cracking mechanisms often exploit otherwise legal means to gain unauthorized system access, such as recovering a user’s forgotten password. Module 02 Page 262 Certified Cybersecurity Technician Copyright © by EG-Gouncil All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Information Security Attacks Exam 212-82 Classification of password attacks depends on the attacker’s actions, which are of the following four types: Non-Electronic Attacks: This is, for most cases, the attacker’s first attempt at gaining target system passwords. Non-electronic or non-technical attacks do not require any technical knowledge about hacking or system exploitation. Techniques used to perform non-electronic attacks include shoulder surfing, social engineering, dumpster diving, etc. Active Online Attacks: This is one of the easiest ways to gain unauthorized administrator-level system access. Here, the attacker communicates with the target machine to gain password access. Techniques used to perform active online attacks include password guessing, dictionary and brute-forcing attacks, hash injection, rulebased attack, etc. Passive Online Attacks: A passive attack is a type of system attack that does not lead to any changes in the system. In this attack, the attacker does not have to communicate with the system, but passively monitor or record the data passing over the communication channel, to and from the system. The data are then used to break into the system. Techniques used to perform passive online attacks include wire sniffing, man-in-the-middle attacks, replay attacks, etc. Offline Attacks: Offline attacks refer to password attacks in which an attacker tries to recover cleartext passwords from a password hash dump. Offline attacks are often timeconsuming but have a high success rate, as the password hashes can be reversed owing to their small keyspace and short length. Attackers use pre-computed hashes from rainbow tables to perform offline and distributed network attacks. Module 02 Page 263 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited.