What Are The Different Types Of Network Attacks

As a Linux administrator, knowing the different types of network attacks is an essential part of your job: if you don't understand how networks are attacked, you won't understand why they are designed and operated the way they are. Knowing the attack types also lets you recognise an attack in progress and take mitigating steps before it does damage.

ARP Poisoning

ARP poisoning alters the table a host uses to track the MAC addresses of the other hosts on its network segment. As the name suggests, the Address Resolution Protocol resolves the IP address of a host on the local network to its MAC address and stores the result in the ARP cache. As previously discussed, TCP/IP uses the IP address to get a packet to the destination network and, once on the destination network, uses the MAC address to deliver it to the correct host. As part of this process, ARP uses two primary messages:

  • ARP request: broadcast to the whole segment, carrying an IP address and essentially asking, "Who has this IP address?"
  • ARP reply: the computer with that IP address responds with its MAC address. The computer that sent the request caches the IP-to-MAC mapping, as do other computers that hear the reply.

The flaw is that ARP has no authentication: a host believes any ARP reply it receives, including unsolicited (gratuitous) replies it never asked for. An attacker can therefore send forged ARP replies that map a legitimate IP address to the attacker's own MAC address, poisoning the ARP caches of hosts on the segment and enabling man-in-the-middle or DoS attacks.

ARP man-in-the-middle attacks: after poisoning the victim's ARP cache with its own MAC address for the default gateway, the attacker receives all traffic the victim sends towards the router. The attacker captures the data for analysis and then uses IP forwarding to relay it to the real router, so the victim is unaware of the attack. To see both directions of the conversation the attacker poisons the router's cache as well, so that the router's replies to the victim also pass through the attacker. Static ARP entries for the gateway and Dynamic ARP Inspection on managed switches are the usual defences.

ARP DoS attacks: an attacker can send an ARP reply with a bogus MAC address for the default gateway (the router interface that provides the path out of the network). If all the computers on the segment cache the bogus MAC address, no traffic gets out of the network.
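The two poisoning patterns described above leave a visible trace in the ARP cache: the gateway's MAC address changes, or one MAC address starts answering for several IP addresses. The following Python is an added example, not code from the original post; it parses Linux `ip neigh show` output and a constructed sequence of observed ARP replies (the addresses are made up) and flags both patterns. Comparing periodic snapshots against a known-good record of the gateway's MAC is a cheap host-side detection where Dynamic ARP Inspection is not available.

```python
"""Spot ARP cache poisoning from observed ARP replies or `ip neigh` snapshots."""
from collections import defaultdict


def parse_ip_neigh(text):
    """Parse Linux `ip neigh show` output into {ip: mac}.

    Example line: '10.0.0.1 dev eth0 lladdr 00:11:22:33:44:01 REACHABLE'.
    Entries without a lladdr (FAILED/INCOMPLETE) are skipped.
    """
    table = {}
    for line in text.splitlines():
        parts = line.split()
        if "lladdr" in parts:
            table[parts[0]] = parts[parts.index("lladdr") + 1].lower()
    return table


def detect_arp_poisoning(replies, gateway_ip=None):
    """Walk (timestamp, sender_ip, sender_mac) ARP replies in order and return alerts.

    Two signatures of poisoning are checked:
      * an IP address whose MAC changes (especially the default gateway);
      * one MAC address claiming more than one IP address, the pattern left
        behind when an attacker poisons both the gateway and a victim.
    """
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        previous = ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            tag = " (DEFAULT GATEWAY)" if ip == gateway_ip else ""
            alerts.append(f"{ts} {ip}{tag} changed {previous} -> {mac}")
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) > 1:
            alerts.append(f"{ts} {mac} claims multiple IPs: {sorted(mac_to_ips[mac])}")
    return alerts


def diff_neigh_tables(before, after):
    """Return [(ip, old_mac, new_mac)] for entries whose MAC changed between snapshots."""
    return [(ip, mac, after[ip]) for ip, mac in before.items()
            if ip in after and after[ip] != mac]


# Constructed sample data (not a real capture). 10.0.0.1 is the default gateway.
OBSERVED_REPLIES = [
    ("12:00:01", "10.0.0.1", "00:11:22:33:44:01"),
    ("12:00:02", "10.0.0.20", "00:11:22:33:44:20"),
    ("12:00:03", "10.0.0.30", "00:11:22:33:44:30"),
    ("12:00:09", "10.0.0.1", "DE:AD:BE:EF:00:99"),   # gateway's MAC "changes": poisoned
    ("12:00:10", "10.0.0.20", "de:ad:be:ef:00:99"),  # same MAC now also claims a host
]

# Constructed `ip neigh show` snapshots taken before and after the attack.
NEIGH_BEFORE = """\
10.0.0.1 dev eth0 lladdr 00:11:22:33:44:01 REACHABLE
10.0.0.20 dev eth0 lladdr 00:11:22:33:44:20 STALE
10.0.0.99 dev eth0 FAILED
"""
NEIGH_AFTER = """\
10.0.0.1 dev eth0 lladdr de:ad:be:ef:00:99 REACHABLE
10.0.0.20 dev eth0 lladdr 00:11:22:33:44:20 STALE
"""

if __name__ == "__main__":
    for alert in detect_arp_poisoning(OBSERVED_REPLIES, gateway_ip="10.0.0.1"):
        print("ALERT:", alert)
    for change in diff_neigh_tables(parse_ip_neigh(NEIGH_BEFORE), parse_ip_neigh(NEIGH_AFTER)):
        print("CHANGED:", change)
```

In practice, feed detect_arp_poisoning() from a sniffer (for example the output of `tcpdump -n arp`) or compare parse_ip_neigh() snapshots taken on a schedule; a change in the gateway's MAC that nobody scheduled is worth a page.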

Denial of Service Attacks

The goal of a denial-of-service attack is to prevent users from accessing the target system. The difference between a denial-of-service (DoS) and a distributed denial-of-service (DDoS) attack is that a DoS attack originates from a single attacker, while a DDoS attack comes from two or more computers (often a botnet) against a single target and typically produces sustained, abnormally high traffic on the network interface of the attacked computer.

Amplification attack: a type of DDoS attack that significantly increases the amount of traffic sent to, or requested from, a victim. The attacker sends small requests with a spoofed source address to servers that answer with much larger responses, so the servers, not the attacker, deliver the flood.

  • Smurf attack: floods a victim with ping replies by spoofing the source address of a directed-broadcast ping:
    • A normal ping sends ICMP echo requests to one computer, which answers with ICMP echo replies.
    • A smurf attack sends the echo request to a broadcast address, so every host on the subnet answers.
    • The attacker spoofs the source IP with the victim's address, so every reply from the subnet goes to the victim, which is flooded with ICMP replies. Routers are normally configured not to forward directed broadcasts, which is why this attack is rarely effective today.
  • DNS amplification attack: the attacker spoofs the victim's address in queries to open DNS resolvers and, rather than asking for a single small record, requests the largest responses the server will return, so each small query produces a much larger reply aimed at the victim.
  • Network Time Protocol (NTP) amplification attack: leverages the "monlist" command, which in normal use returns a list of the last 600 hosts that connected to the NTP server.
    • The attacker spoofs the victim's IP address as the source of the monlist request, so the NTP server sends the victim the details of the last 600 systems that requested the time; a request of a few dozen bytes produces a response many times its size. Disabling monlist (recent ntpd releases disable it by default) removes the amplifier.

DNS Attacks

As previously discussed, DNS, which runs over TCP and UDP on port 53, resolves host names to IP addresses so that users do not need to remember the IP address of a web site: the DNS server responds with the IP address for a given name and the system connects to the site using that address.

DNS also provides reverse lookups: a client sends an IP address to a DNS server and gets back a name (a PTR record). This can be used as a security check to detect spoofing. An attacker may present a different host name during a session, but the TCP/IP packets carry the real IP address of the masquerading system, and a reverse lookup of that address shows the system's actual name; if the two names differ, the activity is suspicious. Reverse lookups are not 100% reliable, because PTR records are optional and are controlled by whoever runs the reverse zone for that address block (an attacker can set the PTR for their own address to any name they like), so the name returned should in turn be resolved forward and confirmed to point back at the original address. When available, they are a useful check.

  • DNS poisoning attack: modification or corruption of DNS results, replacing the legitimate IP address for a web site with the IP address of another site; each client that queries the poisoned server for the legitimate site is handed the address of the malicious one. To prevent this, many current DNS servers use Domain Name System Security Extensions (DNSSEC), which digitally sign DNS records so that a resolver can detect forged answers (DNSSEC authenticates records; it does not encrypt queries).
  • DNS pharming attack: manipulates name resolution on the client itself rather than on the server. Like DNS poisoning it redirects the user to a different web site, but it does so by modifying the client's hosts file, which maps host names to IP addresses and is consulted before DNS is ever asked.
  • DDoS attacks on DNS: leverage botnets to send enough queries to overwhelm DNS servers, preventing regular users from resolving, and so from reaching, the web sites those servers answer for.
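Two checks follow from the paragraphs above: the forward-confirmed reverse lookup that catches a spoofed PTR record, and a hosts-file audit that catches pharming entries DNSSEC cannot see. Both are added Python examples, not code from the original page; the resolver records and /etc/hosts content are constructed (the example.com/example.net names and the 192.0.2.x, 198.51.100.x and 203.0.113.x addresses are documentation ranges), and no network lookups are made.

```python
"""Two DNS-side checks: forward-confirmed reverse DNS and a hosts-file audit."""
import ipaddress

# Constructed resolver view (no network access): A records and PTR records.
# 198.51.100.5 belongs to an attacker who has set their own PTR to a trusted name.
FORWARD = {"mail.example.com": "192.0.2.10", "evil.example.net": "198.51.100.5"}
REVERSE = {"192.0.2.10": "mail.example.com", "198.51.100.5": "mail.example.com"}


def forward_confirmed_rdns(ip, claimed_name, forward=FORWARD, reverse=REVERSE):
    """Return (ok, reason) for a forward-confirmed reverse DNS check.

    The PTR record is controlled by whoever runs the reverse zone, so a PTR by
    itself proves nothing. The name it returns must also resolve back to `ip`.
    """
    ptr = reverse.get(ip)
    if ptr is None:
        return False, "no PTR record"
    if claimed_name and ptr.lower() != claimed_name.lower():
        return False, f"PTR {ptr} does not match claimed name {claimed_name}"
    if forward.get(ptr) != ip:
        return False, f"PTR {ptr} resolves to {forward.get(ptr)}, not back to {ip}"
    return True, "forward-confirmed"


# Constructed /etc/hosts content: the last line is a pharming entry that pins the
# bank's names to an attacker-controlled address, bypassing DNS entirely.
HOSTS_FILE = """\
127.0.0.1    localhost
::1          localhost ip6-localhost
192.168.1.50 build-server.internal   # legitimate internal override
203.0.113.7  www.mybank.example login.mybank.example
"""


def suspicious_hosts_entries(hosts_text, watched_domains):
    """Return [(name, address)] for hosts-file entries that override a watched domain.

    Any watched name is suspicious: a public site should never need a hosts entry,
    and the hosts file is consulted before DNS, so DNSSEC cannot help here.
    """
    flagged = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments
        if not line:
            continue
        address, *names = line.split()
        try:
            ipaddress.ip_address(address)          # skip malformed lines
        except ValueError:
            continue
        for name in names:
            name = name.lower()
            if any(name == d or name.endswith("." + d) for d in watched_domains):
                flagged.append((name, address))
    return flagged


if __name__ == "__main__":
    print(forward_confirmed_rdns("192.0.2.10", "mail.example.com"))
    print(forward_confirmed_rdns("198.51.100.5", "mail.example.com"))  # spoofed PTR
    print(suspicious_hosts_entries(HOSTS_FILE, ["mybank.example"]))
```

The second lookup is the interesting one: the attacker's PTR says "mail.example.com", which matches what they claimed, but mail.example.com does not resolve back to 198.51.100.5, so the check fails exactly where a PTR-only check would have passed.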

Driver Manipulation

Drivers are the code the operating system uses to interact with hardware devices or software components, and they run with high privilege, so a flaw in, or a malicious replacement of, a driver is serious. When a driver is no longer compatible with its external environment, there are two legitimate ways to deal with the situation:

  • Shimming: a method to make older drivers compatible with newer software. A driver shim is additional code that sits between the caller and the original driver, intercepting and translating calls rather than replacing the driver outright.
  • Refactoring: the process of rewriting a program's code without changing its external behaviour.

Attackers abuse the same mechanisms: a malicious shim, or a "refactored" driver offered as a compatibility fix, can carry code the attacker controls and inherits the driver's privileges, so drivers should only be installed from trusted, signed sources.

Hijacking Attacks

Hijacking attacks come in a range of flavours, including:

  • Clickjacking: tricks users into clicking something other than what they think they are clicking. Most clickjacking attacks use HTML frames, which allow one web page to display another page within an area defined as a frame or iframe; the attacker's page overlays the framed legitimate page so that the user's click lands on a control of the attacker's choosing. Sites defend against it by refusing to be framed, using the X-Frame-Options header or a Content-Security-Policy frame-ancestors directive.
  • Domain hijacking: a change in the registration of a domain name without the knowledge of the owner, often achieved through social engineering to gain unauthorised access to the domain owner's e-mail account and then using it to reset the registrar credentials.
  • Session hijacking: when a user logs on to a web site, the site usually returns a small text file, a cookie, containing a session ID. The cookie is stored on the user's system and remains valid until the user logs off or it expires; if the user closes the browser and returns, the site reads the cookie and logs the user on automatically. This is convenient but exploitable: the web server identifies the user only by the session ID, so an attacker who obtains the ID can impersonate the user and the server cannot tell the difference.
    • There are several ways to steal a session ID, such as a cross-site scripting attack that reads the cookie, or sniffing it from an unencrypted connection. Once the attacker has the session ID, they insert it into the Cookie header of their own requests; if the server accepts it, the attacker has the user's account. Marking session cookies HttpOnly and Secure, using TLS, and issuing a new session ID on login limit the exposure.
  • Typo squatting/URL hijacking: occurs when someone buys a domain name that is close to a legitimate domain name for malicious purposes, including:
    • Earning ad revenue by hosting ads.
    • Hosting a malicious web site that installs drive-by malware on the systems of users who visit it.
    • Reselling the domain to the owner of the original.
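The clickjacking and session-hijacking defences mentioned above can be verified from the response headers alone. This added Python example, not part of the original article, parses a Set-Cookie header and reports which hardening attributes a session cookie lacks, and checks whether X-Frame-Options or a Content-Security-Policy frame-ancestors directive forbids framing. The two responses it inspects are constructed, and the cookie name SESSIONID is a placeholder.

```python
"""Audit an HTTP response for clickjacking and session-hijacking exposure."""


def parse_set_cookie(header_value):
    """Split a Set-Cookie value into (name, value, {attribute_lowercase: value_or_True})."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attributes = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attributes[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value, attributes


def audit_session_cookie(header_value):
    """Return the hardening a session cookie is missing (empty list == acceptable)."""
    _, _, attrs = parse_set_cookie(header_value)
    findings = []
    if "httponly" not in attrs:
        findings.append("HttpOnly missing: script (XSS) can read the session ID")
    if "secure" not in attrs:
        findings.append("Secure missing: cookie is sent over plain HTTP and can be sniffed")
    samesite = attrs.get("samesite")
    if not isinstance(samesite, str) or samesite.lower() not in ("lax", "strict"):
        findings.append("SameSite missing or None: cookie is attached to cross-site requests")
    if "expires" in attrs or "max-age" in attrs:
        findings.append("persistent cookie: session survives closing the browser")
    return findings


def audit_framing(headers):
    """Return True if the response forbids framing by other origins (clickjacking defence)."""
    lowered = {k.lower(): v for k, v in headers.items()}
    xfo = lowered.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return True
    csp = lowered.get("content-security-policy", "")
    for directive in csp.split(";"):
        tokens = directive.strip().split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            # 'none', 'self' or an explicit origin list blocks arbitrary framing; '*' does not
            return "*" not in tokens[1:]
    return False


def audit_response(headers):
    """Combine both checks into one report."""
    return {
        "framable": not audit_framing(headers),
        "cookie_findings": audit_session_cookie(headers.get("Set-Cookie", "")),
    }


# Constructed responses, not taken from any real site.
WEAK_RESPONSE = {
    "Set-Cookie": "SESSIONID=2f9a1c; Path=/; Expires=Wed, 01 Jan 2031 00:00:00 GMT",
}
HARDENED_RESPONSE = {
    "Set-Cookie": "SESSIONID=2f9a1c; Path=/; Secure; HttpOnly; SameSite=Lax",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
}

if __name__ == "__main__":
    print(audit_response(WEAK_RESPONSE))
    print(audit_response(HARDENED_RESPONSE))
```

The weak response is framable and its cookie fails all four checks; the hardened one passes. Header checks like these are cheap to run against every environment in a deployment pipeline, which is where missing flags usually creep back in.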

Attacking Memory Buffers

A computer system's memory is vulnerable to attack, so it is important to use secure memory-management techniques when developing code. An application normally reads and writes only a specific, fixed-size area of memory, called a "buffer". A buffer overflow occurs when an application receives more input than the buffer was sized for and writes past its end into adjacent memory: other variables, heap metadata or, on the stack, the saved return address. This lets an attacker overwrite data the program trusts and, in the worst case, place code of their own where the program will execute it.

  • Memory leaks: a bug that causes an application to consume more and more memory the longer it runs, typically because it never releases memory it reserved for short-term use; eventually the application crashes or the operating system starts killing processes to free memory. On its own this is a reliability and denial-of-service problem rather than a code-execution one.
  • Integer overflow: creating a numeric value that is too big for the type that holds it, so that the value silently wraps and the application produces inaccurate results. For example, if an application reserves 8 bits to store a number, it can hold any value between 0 and 255. If it multiplies 95 × 59, the true result is 5,605, which does not fit in 8 bits; the stored value wraps to 229 (5,605 mod 256).
  • A related error occurs when an application expects a positive number but receives a negative one: interpreted as an unsigned value, -1 becomes 255 in 8 bits (or 4,294,967,295 in 32 bits). When such a wrapped value is used as a length in a size check or a memory copy, the check passes and the copy overruns the buffer, turning an integer overflow into a buffer overflow.
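The 8-bit example above is worth carrying one step further, because on its own a wrapped value is just a wrong answer; it becomes a memory-safety bug when a bounds check trusts it. This added Python model (not code from the original page) does the length check in 8-bit arithmetic the way a C program using uint8_t would, then copies the real number of bytes, and reports how far past the buffer the copy would have run. The buffer size and inputs are made up.

```python
"""Model of how an integer overflow in a length check becomes a buffer overflow."""

BUFFER_SIZE = 256          # destination buffer, in bytes


def as_uint8(n):
    """What an 8-bit unsigned variable actually stores: the value modulo 256."""
    return n & 0xFF


def vulnerable_copy(header, payload):
    """Length check done in 8-bit arithmetic, copy done with the real lengths.

    Returns the number of bytes written past the end of the buffer (0 if none).
    In C the equivalent memcpy would silently corrupt whatever follows the buffer;
    here the overrun is only counted so the example is safe to run.
    """
    total = as_uint8(len(header) + len(payload))   # wraps: 200 + 70 -> 14
    if total > BUFFER_SIZE:                          # check passes on the wrapped value
        raise ValueError("rejected by length check")
    data = header + payload                          # the copy uses the true lengths
    buffer = bytearray(BUFFER_SIZE)
    buffer[:min(len(data), BUFFER_SIZE)] = data[:BUFFER_SIZE]
    return max(0, len(data) - BUFFER_SIZE)


def safe_copy(header, payload):
    """Same logic with the check done on the true total, before any copy."""
    total = len(header) + len(payload)               # Python ints do not wrap; in C, check
    if total > BUFFER_SIZE:                          # each operand and the sum for overflow
        raise ValueError("rejected by length check")
    buffer = bytearray(BUFFER_SIZE)
    buffer[:total] = header + payload
    return 0


if __name__ == "__main__":
    print(as_uint8(95 * 59))                     # 5605 does not fit in 8 bits
    print(as_uint8(-1))                          # a "negative length" becomes huge
    print(vulnerable_copy(b"H" * 200, b"P" * 70))
    try:
        safe_copy(b"H" * 200, b"P" * 70)
    except ValueError as exc:
        print(exc)
```

The fix is not to widen the type and hope; it is to validate each length against the buffer before doing arithmetic on it, and to use checked or saturating addition where the language offers it.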

 

In and of itself, a buffer overflow does not necessarily cause damage; rather, it presents an opportunity for an attacker to overwrite memory locations with their own code, as seen in the diagram below. Usually the goal of the attack is to insert malicious code in a memory location that the system will execute.

[Figure: diagrammatic representation of how a buffer overflow works.]

Part of the challenge of a buffer overflow attack is knowing the exact memory address where the injected code will sit, since the overwritten return address must point into it. A popular technique for tolerating that uncertainty is the "NOP slide" or "NOP sled", which uses "no operation" (NOP) instructions as one element of a single crafted payload. The payload is delivered as one string of data whose parts are laid out as follows:

  • The attacker sends a single string of data to the application.
  • The first part of the string fills the buffer and overflows it, overwriting the saved return address with an address that points somewhere into the sled that follows.
  • The next part of the string is a long run of NOPs followed by the malicious code.
    • On x86 processors the single-byte opcode 0x90 is a NOP, so a run of 0x90 bytes is a NOP sled. When the processor executes a NOP it simply moves on to the next instruction, so if execution lands anywhere in the sled it slides through the remaining NOPs and reaches the malicious code at the end. The longer the sled, the less precisely the attacker needs to know the address.
  • The whole string is stored in the target process's memory.
  • The malicious code is executed. On a web server, for example, it could:
    • Spread a worm through the web server's network.
    • Modify the web application so that it tries to infect every user who visits the site with other malware.

Error-handling routines and input validation prevent most buffer overflows, and modern systems add stack canaries, non-executable stacks (NX) and address-space layout randomisation (ASLR) that defeat the simple sled described here, but attackers still occasionally discover a bug that lets a specific string of data overflow a buffer.
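To make the sled concrete, here is an added Python model (not code from the original page, and not a working exploit) of the payload layout the steps above describe and of how execution slides through the sled. The "shellcode" is four int3 breakpoint bytes standing in for real code, the stack address is an assumed constant, and the toy CPU understands only that a 0x90 byte means step to the next one. What the model shows is the payoff: with a 64-byte sled, 65 different return addresses all reach the code, instead of exactly one.

```python
"""Layout of a NOP-sled payload and a toy CPU showing why the sled tolerates address error."""
import struct

NOP = 0x90                              # x86 single-byte `nop`
# Constructed placeholder standing in for the attacker's code: four int3 breakpoints,
# chosen because they are one byte each and visibly not NOPs. Not real shellcode.
PLACEHOLDER_CODE = b"\xcc\xcc\xcc\xcc"
STACK_BASE = 0xBFFF0000                 # assumed address where the payload lands


def build_payload(buffer_len, return_addr, sled_len, code):
    """Classic stack-smash layout: filler that overflows the buffer, the overwritten
    saved return address (little-endian 32-bit), a run of NOPs, then the code."""
    filler = b"A" * buffer_len
    return filler + struct.pack("<I", return_addr) + bytes([NOP]) * sled_len + code


def code_offset(buffer_len, sled_len):
    """Offset of the first byte of code inside the payload."""
    return buffer_len + 4 + sled_len


def slide(payload, base, target_addr):
    """Toy CPU: start executing at target_addr, step over NOPs, return the address
    of the first non-NOP byte reached (None if the target is outside the payload)."""
    i = target_addr - base
    if not 0 <= i < len(payload):
        return None
    while i < len(payload) and payload[i] == NOP:
        i += 1
    return base + i if i < len(payload) else None


def addresses_reaching_code(payload, base, buffer_len, sled_len):
    """How many distinct landing addresses end up executing the code.
    Without a sled only one address works; with a sled of N bytes, N + 1 do."""
    target = base + code_offset(buffer_len, sled_len)
    return sum(1 for off in range(len(payload)) if slide(payload, base, base + off) == target)


if __name__ == "__main__":
    buf, sled = 64, 64
    # Aim the return address at the middle of the sled rather than at the code itself.
    guess = STACK_BASE + buf + 4 + sled // 2
    payload = build_payload(buf, guess, sled, PLACEHOLDER_CODE)
    print(hex(slide(payload, STACK_BASE, guess)))               # lands in sled, slides to code
    print(addresses_reaching_code(payload, STACK_BASE, buf, sled))
```

The same arithmetic explains why ASLR and a non-executable stack are effective: randomising the base moves the sled by far more than its length, and NX makes every byte of it unexecutable no matter where execution lands.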

DLL injection: a dynamic-link library (DLL) is a compiled set of code that an application can reuse rather than having the code written into the application itself. DLL injection forces a running process to load a DLL of the attacker's choosing and run its code. In a successful injection, the attacker attaches to a running process, allocates memory inside it, writes the path of (or the code of) the malicious DLL into that memory, and then causes the process to load the DLL and execute functions within it. The malicious code inherits the process's privileges and, to monitoring tools, appears to be that process.

Pointer dereference: some programming languages use pointers (references) to store the address of a piece of data rather than the data itself, a memory-efficient way of passing data to another part of the program. Dereferencing is the act of following the pointer to access the data it points to.

A failed dereference, where the pointer references a non-existent or already-freed data target, can crash the application (a null-pointer dereference, exploitable for denial of service) or subtly corrupt memory and make the application operate on incorrect data (a dangling pointer or use-after-free, which can lead to code execution). Pointer-dereference bugs are difficult to debug because the corruption often shows up far from where it happened.

Password Attacks

A range of attacks of varying sophistication that attempt to discover or bypass the passwords used for authentication to systems, networks and files.

  • Brute force attacks: try all possible character combinations, using online or offline techniques.
    • Online attack: attempts to discover a password by repeatedly submitting guesses to a live system's logon, usually with an automated tool.
      • Account lockout policies and rate limiting are effective against online brute force attacks, because the attacker is limited by how many guesses the service will accept.
    • Offline attack: discovers passwords from a captured password database or from hashes extracted from captured network traffic; the attacker guesses at the speed of their own hardware, with no lockout to stop them.
      • Offline attacks are slowed by long, complex passwords (a mix of uppercase letters, lowercase letters, numbers and special characters) and by storing passwords as salted hashes computed with a deliberately slow algorithm such as bcrypt, scrypt, Argon2 or PBKDF2 rather than a fast hash such as MD5 or SHA-1.
  • Dictionary attacks: use a dictionary or list of words (and of commonly leaked passwords) and try every entry to see if it works.
    • Thwarted by complex passwords that are not found in any such list.
  • Hash attacks: well-secured systems store a hash of the password rather than the password itself. When the user logs on, the system hashes the password the user entered and compares the result against the stored hash; if they match, the user entered the correct password. A hash attack therefore targets the stored or captured hash, trying to find a password that produces it.
    • Passwords should never be sent across the network in cleartext, because a protocol analyser can capture and read them. Many protocols send a hash, or a value derived from the hash, instead, but if the hash itself is passed unencrypted an attacker may capture it and use it to log on, so most authentication protocols encrypt the exchange or use a challenge-response in which the hash never crosses the wire.
  • Pass the hash attacks: the attacker obtains the hash of a user's password and uses it directly to authenticate as that user, without ever knowing the password. Microsoft LAN Manager (LM) and NT LAN Manager (NTLM), two older protocols used to authenticate Microsoft clients, are the classic targets, because the hash itself acts as the credential.
    • Any system that still accepts LM or NTLMv1 is susceptible. NTLMv2 hardens the challenge-response against replay and cracking, but the NT hash is still the key that computes the response, so an attacker who holds the hash can still authenticate with NTLMv2; the effective mitigations are to prefer Kerberos, to restrict and audit NTLM use, and to protect the hashes themselves (no shared local administrator passwords, Credential Guard, and no privileged logons to untrusted hosts).
    • Refusing LM and NTLMv1 is easily done via the Group Policy setting "Network security: LAN Manager authentication level".
  • Birthday attacks: named after the birthday paradox, which states that in any random group of 23 people there is a 50 percent chance that two share a birthday (the same day of the year, not the same year). Collisions become likely after roughly the square root of the number of possible outcomes, far sooner than intuition suggests. In the context of password cracking, the goal is to find a hash collision: a different input that produces the same hash as the user's actual password.
    • A collision occurs when the hashing algorithm produces the same hash from two different inputs.
    • Thwarted by using a hash with more output bits: the number of hashes an attacker must compute before a collision becomes likely grows with the square root of the output space, roughly 2^80 for a 160-bit hash and 2^128 for a 256-bit hash.
  • Rainbow table attacks: a rainbow table is a large database of precomputed hashes (stored compactly as chains) used to discover a password from its hash. Without a rainbow table, a password cracker that has obtained a hash takes the following steps:
    • The application guesses a password.
    • The application hashes the guessed password.
    • The application compares the original password hash with the hash of the guess.
    • If they are the same, the application now knows the password.
    • If they are not, the application repeats the guessing, hashing and comparing until it finds a match.
    • In a rainbow table attack the hashing step is done once, in advance, for a whole keyspace: the application simply looks up the captured hash in the table and, when a match is found, reads off the password that produced it. The attacker trades storage and a one-time precomputation for a near-instant lookup against every hash captured later.
    • Salting passwords prevents rainbow table attacks. A salt is random data, in modern systems 16 or more random bytes generated separately for each user, that the system combines with the password before hashing it and stores alongside the hash. Two users with the same password get different hashes, and a table precomputed for unsalted (or differently salted) hashes never matches, so the attacker is forced back to guessing each hash individually. Note that a salt does not slow down that per-hash guessing; that is the job of a deliberately slow hashing algorithm.
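The verification flow described under hash attacks and the salting defence described above look like this in practice. This added Python example (not from the original article) uses a small dict as a stand-in for a rainbow table, stores passwords with PBKDF2-HMAC-SHA256 because it is in the standard library (bcrypt, scrypt or Argon2 are equally good choices), and compares digests in constant time. The wordlist and passwords are constructed.

```python
"""Password storage: why an unsalted fast hash falls to a precomputed table and a
salted, slow hash does not."""
import hashlib
import hmac
import os

# Constructed stand-in for a rainbow table: a precomputed hash -> password lookup over a
# small wordlist. A real table covers a huge keyspace compactly, but the lookup is the same.
WORDLIST = ["password", "letmein", "qwerty", "Summer2024!"]
PRECOMPUTED_SHA256 = {hashlib.sha256(w.encode()).hexdigest(): w for w in WORDLIST}

ITERATIONS = 600_000   # OWASP's current recommendation for PBKDF2-HMAC-SHA256


def crack_unsalted(stored_hex):
    """Instant lookup: no hashing needed at attack time."""
    return PRECOMPUTED_SHA256.get(stored_hex)


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return (salt, digest). A fresh 16-byte random salt is generated per password."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


def verify_password(password, salt, digest, iterations=ITERATIONS):
    """Re-derive with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt, iterations)
    return hmac.compare_digest(candidate, digest)


def rainbow_table_defeated(password, iterations=ITERATIONS):
    """Show the effect of salting: the same password, stored twice, yields two different
    digests, neither of which appears in the precomputed table."""
    _, digest_a = hash_password(password, iterations=iterations)
    _, digest_b = hash_password(password, iterations=iterations)
    return (digest_a != digest_b
            and crack_unsalted(digest_a.hex()) is None
            and crack_unsalted(digest_b.hex()) is None)


if __name__ == "__main__":
    leaked = hashlib.sha256(b"letmein").hexdigest()     # how a careless system stores it
    print("unsalted SHA-256 cracked:", crack_unsalted(leaked))
    salt, digest = hash_password("letmein")
    print("salted PBKDF2 cracked:", crack_unsalted(digest.hex()))
    print("verify correct:", verify_password("letmein", salt, digest))
    print("verify wrong:", verify_password("letmeout", salt, digest))
```

Store the salt, the iteration count and the algorithm name next to the digest so the parameters can be raised later without breaking existing accounts; the constant-time comparison matters because an early-exit comparison leaks how many leading bytes of a guess were right.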

Plaintext Attacks

Many cryptographic attacks attempt to recover the key used to produce ciphertext, the output of running human-readable plaintext through an encryption algorithm. Attacks are classified by what the attacker has to work with.
A "known plaintext attack" uses samples of plaintext together with the corresponding ciphertext to work back towards the encryption key; if it succeeds, the same key decrypts other ciphertext.
In a "chosen plaintext attack" the attacker can choose plaintexts of their own and obtain the corresponding ciphertext under the unknown key (for example by feeding input to a system that encrypts it for them), which gives far more leverage than merely observing plaintext that happens to be known; a cipher that reveals when two chosen blocks are equal, such as a block cipher in ECB mode, fails this test.
In a "ciphertext only attack" the attacker has only ciphertext and no information about the plaintext; such attacks are typically successful only against weak encryption algorithms.

Privilege Escalation

The goal of almost all remote access trojan (RAT) and persistent-access attacks is privilege escalation: starting from the limited access of the compromised user or service, the attacker exploits misconfigurations, weak permissions or vulnerabilities to gain more and more access to a system or a network, up to administrator or root.

Replay Attacks

Utilises data captured from a previous communication session (for example an authentication exchange) and re-sends it later to impersonate a client that took part in the original session; the attacker need not be able to read the data, only to reproduce it. Many protocols, such as Kerberos, use timestamps, sequence numbers or one-time nonces to thwart replay attacks: a message whose timestamp falls outside an acceptance window (Kerberos allows five minutes of clock skew) or whose nonce has already been seen is rejected.
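The timestamp-plus-nonce defence described above, worked through as an added Python example that is not part of the original post: a client binds a fresh nonce and the current time into an HMAC over the message, and the server accepts each nonce once and only inside a five-minute window, which also lets it forget old nonces safely. The shared key and message are constructed; a real protocol would derive the key per session rather than hard-coding it.

```python
"""Replay protection with a MAC-bound timestamp and a nonce cache."""
import hashlib
import hmac
import secrets

MAX_SKEW = 300   # seconds; the same five-minute window Kerberos allows for clock drift
SHARED_KEY = b"constructed-demo-key-do-not-reuse"   # constructed; real systems use per-session keys


def _mac(key, ts, nonce, body):
    return hmac.new(key, f"{ts}|{nonce}|{body}".encode(), hashlib.sha256).hexdigest()


def make_request(key, body, now, nonce=None):
    """Client side: bind a fresh nonce and the current time into the MAC."""
    nonce = nonce or secrets.token_hex(8)
    ts = int(now)
    return {"ts": ts, "nonce": nonce, "body": body, "mac": _mac(key, ts, nonce, body)}


class ReplayGuard:
    """Server side. Accepts each (ts, nonce) pair once and only while it is fresh, so the
    nonce cache stays bounded: anything older than max_skew is both purged and rejected."""

    def __init__(self, key, max_skew=MAX_SKEW):
        self.key = key
        self.max_skew = max_skew
        self.seen = {}          # nonce -> timestamp it was first accepted

    def _purge(self, now):
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.max_skew}

    def accept(self, msg, now):
        """Return 'ok', or the reason for rejection."""
        self._purge(now)
        expected = _mac(self.key, msg["ts"], msg["nonce"], msg["body"])
        if not hmac.compare_digest(expected, msg["mac"]):
            return "bad mac"                       # tampered, or forged with the wrong key
        if abs(now - int(msg["ts"])) > self.max_skew:
            return "stale"                         # outside the acceptance window
        if msg["nonce"] in self.seen:
            return "replay"                        # genuine message, already used
        self.seen[msg["nonce"]] = int(msg["ts"])
        return "ok"


def demo(now=1_700_000_000):
    """Run the exchange once, replay it, tamper with it, and replay it again much later."""
    guard = ReplayGuard(SHARED_KEY)
    msg = make_request(SHARED_KEY, "transfer 100 to acct 42", now)
    tampered = dict(msg, body="transfer 9999 to acct 42")   # MAC no longer matches
    return [
        guard.accept(msg, now),           # 'ok'
        guard.accept(msg, now + 1),       # 'replay'
        guard.accept(tampered, now + 2),  # 'bad mac'
        guard.accept(msg, now + 400),     # 'stale': too old to replay even after the cache purge
    ]


if __name__ == "__main__":
    print(demo())
```

The order of the checks matters: the MAC is verified first so that an attacker cannot use the nonce cache or the clock check to probe the server with unauthenticated input, and the freshness check comes before the nonce check so the cache can be purged of anything older than the window without reopening a replay.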

Spoofing Attacks

A situation in which one person or entity impersonates or masquerades as someone or something else. Spoofing attacks typically involve:

Media access control (MAC) address spoofing: the network interface card (NIC) in a computer has a globally unique MAC address assigned by the manufacturer, but the operating system can present any MAC address it likes (on Linux, a single `ip link set dev eth0 address ...` command), so the burned-in address proves nothing about who is sending. MAC addresses are involved in a number of threats:

  • MAC flood attacks: an attacker overwhelms a switch with frames from thousands of spoofed source MAC addresses until its MAC address table is full; many switches then fall back to forwarding frames out of every port, like a hub, letting the attacker sniff traffic the switch would normally have delivered only to the intended port. Flood guards and port security (limiting the number of MAC addresses learned per port) prevent these attacks.
  • Circumventing MAC address filtering: spoofing the MAC address of an authorised system allows an attacker to bypass MAC-address-based access controls, which is why MAC filtering should not be relied on as an authentication mechanism.

Internet Protocol (IP) address spoofing: an attacker changes the source address of a packet so that it appears to have originated from a different system. This lets an attacker launch an attack from a single system while it appears to come from many different IP addresses, hides the attacker's real address, and is the basis of the amplification attacks described above, since the responses go to the spoofed victim. Because replies go to the spoofed address, spoofing is most useful for one-way, connectionless floods; ingress filtering at network edges (BCP 38) drops packets whose source address could not legitimately arrive from that direction.

SYN Flood Attacks

Commonly used against Internet servers, "SYN flood" attacks are easy to launch and difficult to defend against. They work by disrupting the TCP handshake and can prevent legitimate clients from connecting. In normal operation TCP establishes a session with a three-way handshake, exchanging three packets as seen in the diagram below.

[Figure: a simplified diagram of the three-way TCP handshake.]

The process is as follows:

  • The client sends a SYN (synchronize) packet to the server.
  • The server responds with a SYN/ACK (synchronize/acknowledge) packet and records the half-open connection.
  • The client completes the handshake by sending an ACK (acknowledge) packet.

After the session is established, data exchange begins. In a SYN flood the attacker never completes the handshake; instead it sends a barrage of SYN packets, usually from spoofed source addresses (as a DoS or DDoS attack), leaving the server holding many half-open connections that consume its resources while it waits for a third packet that never comes. To avoid exhausting memory, servers limit the number of half-open connections (the SYN backlog); once that limit is hit, the server drops new SYNs and legitimate users are blocked. The standard defence is SYN cookies, which let the server answer a SYN without storing state until the ACK arrives (on Linux, net.ipv4.tcp_syncookies=1, the default on most distributions), together with a larger backlog, a shorter SYN-RECV timeout and upstream filtering.
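The half-open connections described above are visible on a Linux server as SYN-RECV sockets. This added Python example (not code from the original article) parses `ss -tan` output, reports ports where half-open connections pile up relative to established ones and how many distinct sources they come from, and checks the net.ipv4.tcp_syncookies sysctl. The socket table and sysctl output are constructed.

```python
"""Spot a SYN flood from the socket table and confirm SYN cookies are on."""
from collections import Counter

# Constructed `ss -tan` output (Linux). Five half-open connections from consecutive,
# never-completing sources on port 443 next to only two established sessions.
SS_TAN = """\
State     Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN    0      128    0.0.0.0:22          0.0.0.0:*
ESTAB     0      0      203.0.113.10:443    198.51.100.23:51212
ESTAB     0      0      203.0.113.10:443    198.51.100.24:40001
SYN-RECV  0      0      203.0.113.10:443    192.0.2.17:1025
SYN-RECV  0      0      203.0.113.10:443    192.0.2.18:1025
SYN-RECV  0      0      203.0.113.10:443    192.0.2.19:1025
SYN-RECV  0      0      203.0.113.10:443    192.0.2.20:1025
SYN-RECV  0      0      203.0.113.10:443    192.0.2.21:1025
SYN-RECV  0      0      203.0.113.10:80     192.0.2.22:1025
"""

# Constructed `sysctl net.ipv4.tcp_syncookies` output.
SYSCTL_OUTPUT = "net.ipv4.tcp_syncookies = 1\n"


def parse_ss(text):
    """Return [(state, local_port, peer_ip)] from `ss -tan` output, skipping the header."""
    rows = []
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) < 5:
            continue
        state, local, peer = parts[0], parts[3], parts[4]
        rows.append((state, local.rsplit(":", 1)[1], peer.rsplit(":", 1)[0]))
    return rows


def half_open_report(rows, threshold=4):
    """Ports whose SYN-RECV count is at or above threshold, with the established count
    for comparison and the number of distinct half-open sources."""
    syn_recv, estab, sources = Counter(), Counter(), {}
    for state, port, peer in rows:
        if state == "SYN-RECV":
            syn_recv[port] += 1
            sources.setdefault(port, set()).add(peer)
        elif state == "ESTAB":
            estab[port] += 1
    report = {}
    for port, n in syn_recv.items():
        if n >= threshold:
            report[port] = {
                "half_open": n,
                "established": estab[port],
                "distinct_sources": len(sources[port]),   # many sources, none completing: spoofed
            }
    return report


def syncookies_enabled(sysctl_text):
    """Parse `sysctl net.ipv4.tcp_syncookies`; 1 (or 2, always on) means the kernel can
    answer SYNs without keeping state once the backlog fills."""
    for line in sysctl_text.splitlines():
        key, _, value = line.partition("=")
        if key.strip() == "net.ipv4.tcp_syncookies":
            return value.strip() in ("1", "2")
    return False


if __name__ == "__main__":
    rows = parse_ss(SS_TAN)
    print(half_open_report(rows))
    print("SYN cookies:", syncookies_enabled(SYSCTL_OUTPUT))
```

On a real server, `ss -tan state syn-recv | wc -l` sampled every few seconds gives the same signal with no parsing; the kernel also logs "possible SYN flooding on port N" when the backlog overflows and cookies kick in.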

Man-in-the-Middle Attacks

A man-in-the-middle (MITM) attack places a separate system between the two parties in a conversation: it accepts traffic from each party and forwards it to the other while remaining transparent to both. Since the MITM system sees and controls the entire conversation, it can read the traffic and insert malicious code or altered data before passing it on.

A MITM attack can be launched with Address Resolution Protocol (ARP) poisoning, as described above. Kerberos uses mutual authentication to prevent man-in-the-middle attacks: both the client and the server prove their identity to each other through the key distribution centre, so a malicious system cannot insert itself in the middle of the conversation without the knowledge of the other two systems. TLS with proper certificate validation gives web traffic the same protection.

[Figure: process flow associated with Kerberos authentication.]

Man-in-the-browser: a type of proxy Trojan horse that infects a vulnerable web browser and captures browser session data from inside the browser, after TLS has already been decrypted. It typically includes a keylogger to capture keystrokes along with all data sent to and from the web browser, and can alter transactions the user submits without the user or the web site noticing.

Zero-Day Attacks

Zero-day attacks exploit vulnerabilities that are unknown or undocumented, so that even the vendor is unaware of the issue and no patch exists. Attackers want to learn about them so that they can exploit them before a fix is available; most security researchers want to know about them so that they can help vendors patch them before users are harmed. Because no signature can exist for an unknown flaw, defence against zero-days relies on reducing attack surface, least privilege and behavioural detection rather than on patching alone.

Summary: What Are The Different Types Of Network Attacks

  • A denial-of-service (DoS) attack is an attack from a single source that attempts to disrupt the services provided by another system. A distributed denial-of-service (DDoS) attack includes multiple computers attacking a single target. DDoS attacks typically include sustained, abnormally high network traffic.
  • DNS poisoning attacks attempt to corrupt DNS data. Amplification attacks increase the amount of traffic sent to or requested from a victim and can be used against a wide variety of systems, including individual hosts, DNS servers, and NTP servers.
  • ARP poisoning attacks attempt to mislead systems about the actual MAC address of a system. ARP poisoning is sometimes used in man-in-the-middle attacks.
  • Brute force attacks attempt to guess passwords. Online attacks guess the password of an online system. Offline attacks guess the password stored within a file, such as a database. Dictionary attacks use a file of words and common passwords to guess a password. Account lockout policies help protect against brute force attacks and complex passwords thwart dictionary attacks.
  • Passwords are typically stored as hashes. A pass the hash attack attempts to use an intercepted hash to access an account. Salting adds random text to passwords before hashing them and thwarts many password attacks, including rainbow table attacks. A hash collision occurs when the hashing algorithm creates the same hash from different passwords. Birthday attacks exploit collisions in hashing algorithms.
  • Attackers purchase similar domain names in typo squatting (also called URL hijacking) attacks. Users visit the typo squatting domain when they enter the URL incorrectly with a common typo. In a session hijacking attack, the attacker utilizes the user’s session ID to impersonate the user. In a domain hijacking attack, an attacker changes the registration of a domain name without permission from the owner.
  • Buffer overflows occur when an application receives more data than its buffer can hold, or receives unexpected data that lets it write outside the buffer into adjacent memory. Buffer overflow attacks often include NOP instructions (0x90 on x86) followed by malicious code, so that execution landing anywhere in the sled reaches the code. Input validation and bounds checking, together with platform defences such as ASLR and non-executable memory, help prevent buffer overflow attacks.
