1 / 82

Ch 7: Identifying Advanced Attacks

Ch 7: Identifying Advanced Attacks. CompTIA Security+: Get Certified Get Ahead: SY0-401 Study Guide Darril Gibson. Comparing Common Attacks. Spoofing. Pretending to be someone else MAC address spoofing to get onto wireless networks Smurf attack spoofs source IP

myriamc
Download Presentation

Ch 7: Identifying Advanced Attacks

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Ch 7: Identifying Advanced Attacks CompTIA Security+: Get Certified Get Ahead: SY0-401 Study Guide Darril Gibson

  2. Comparing Common Attacks

  3. Spoofing • Pretending to be someone else • MAC address spoofing to get onto wireless networks • Smurf attack spoofs source IP • Email sent with spoofed "From" address

  4. Denial of Service (DoS) • Makes system unavailable to users • D0S is from a single source • DDoS is from many sources

  5. Distributed Denial of Service(DDoS) • Many computers attack a target simultaneously • Botnets with thousands of zombies are common • Can be very difficult to stop • "Slashdot effect" can resemble a DDoS, if thousands of real customers visit your page simultaneously

  6. Smurf Attack • Send a PING to a broadcast address, with target's IP in the source field • Target gets many replies for every ping sent • Packet Amplification

  7. SYN Flood • TCP handshake: SYN, SYN/ACK, ACK • Each SYN sent burdens the server because it has to calculate the SYN/ACK and remember to wait for the ACK • SYN floods are more effective than other packets, such as pings, at DoS

  8. TCP Handshake and SYN Flood

  9. Flood Guard Techniques • Defend against SYN floods • Block source IP addresses that send too many SYNs • But attacker can randomize the source IP • Shorten timeout for half-open connection • But you may lose some real users • SYN Cookies • A way to more efficiently process half-open connections

  10. Botnet • Zombie computers are infected with malware • Under control of a bot herder • Command and Control (C&C) server • C&C traffic can be detected in firewall logs • Connections can be seen on a zombie with netstat

  11. IRC (Internet Relay Chat) • An early chat service • Used to control many older botnets • Blocked at many companies now

  12. Botnet Attacks • Download additional malware, such as keyloggers • Launch DDoS attacks • Send spam email

  13. XMAS Scan • Sends TCP packets with many flags set • Used to identify the server's OS, not to bring it down

  14. Man in the Middle (MITM) • Intercept traffic • "Active eavesdropping" • Can insert malicious code into traffic stream • ARP Poisoning redirects traffic to put the attacker in the middle • Kerberos prevents MITM attacks with mutual authentication and a trusted authentication server (link Ch 7a)

  15. sslstrip Proxy Changes HTTPS to HTTP To Internet HTTPS Attacker: sslstrip Proxyin the Middle HTTP TargetUsingFacebook

  16. Replay • Attacker captures network packets and replays them to impersonate a client • Countermeasures • Kerberos • HTTPS • Secure cookies

  17. Cookie Cadger • Replays cookies to hijack sessions

  18. Password Attacks • Online attack • Try to guess password in a live online system • Best defense: account lockout policy • Offline attack • Capture a database or packets • Guess passwords to match the data • Used for WPA cracking

  19. Brute Force Attack • Uses every combination of characters • Very slow for longer passwords • Typically 80x slower for each added character

  20. Dictionary Attack • Use a list of common passwords • Very effective because so many real password lists have been published

  21. Password Hashes • Many systems no longer store plaintext password • Hash value is stored instead • Windows uses MD4, others use MD5 or SHA-1 or SHA-2 • Hashes can be cracked with dictionary or brute-force attacks

  22. Hash Collisions • If two different passwords create the same hash, that is called a collision • A strong hash function should have no known collisions • Collisions always exist, but they should be so rare that they can never be found

  23. Birthday Attack • If 23 people compare their birthdays, month and day • Most likely, two birthdays are the same • Because there are 23*22/2 pairs of people • Hash collisions follow the same logic • A 128-bit hash will have a collision after 2^64 guesses • A 160-bit hash will have a collision after 2^80 guesses

  24. Rainbow Table Attack • Also called time-memory tradeoff • A large table of precomputed hash values is stored in RAM • Brute-force attack is faster because it looks up hashes instead of calculating them

  25. Salting a Password • Add random characters to password before salting • Prevents rainbow table attacks

  26. Windows Password Hashes

  27. Linux Password Hashes

  28. Mac OS X Password Hash • Link Ch 8c

  29. Hybrid Attacks • Combine dictionary and brute force attacks • Modify dictionary words • Dictionary has "apple" • So try "Apple", "APPLE", "4pp13", "apple1", etc.

  30. DNS Servers • Resolve domain names like www.ccsf.edu to IP addresses like 147.144.1.212 • Results are held in a cache for a few minutes on each client • Reverse DNS finds domain names from IP addresses • Sometimes used to block spam, making sure the IP address matches the "From" email address

  31. DNS Attacks • DNS Cache Poisoning • Like ARP poisoning, tricks the target machine into resolving domain names to incorrect IP addresses • Pharming • Changing the hosts file to redirect traffic to a spoofed website • DNS Cache Snooping • Can find out what sites people have been visiting

  32. ARP Request and Reply • Client wants to find Gateway • ARP Request: Who has 192.168.2.1? • ARP Reply: • MAC: 00-30-bd-02-ed-7b has 192.168.2.1 ARP Request ARP Reply Client Gateway Facebook.com

  33. ARP Poisoning

  34. ARP Poisoning • Redirects Traffic at Layer 2 • Sends a lot of false ARP packets on the LAN • Can be easily detected • DeCaffienateID by IronGeek • http://k78.sl.pt

  35. ARP Poisoning DoS • Attacker can change MAC address of the gateway to a bogus value • This renders the Internet unavailable

  36. Typosquatting/URL Hijacking • Purchasing a domain close to a real one • Like yahooo.com or hushmali.com • At the domain, put • Site containing ads or malware • Phishing site that looks like the real page • Insulting or offensive page to motivate the real site to buy the domain

  37. Watering Hole Attacks • Put up or find a page of interest to the targets • Put drive-by download malware on that page • Visitors get infected with RAT (Remote Access Trojan)

  38. Zero Day Attacks • Exploit an undocumented vulnerability • No vendor patch available • Attackers can get in easily until the 0-day is detected and patched • 0-days sell for highi prices at exploit brokers

  39. Web Browser Concerns • Malicious add-ons • Cookies • May contain private data • May be used in replay attacks • Session Hijacking • Old version: Inject packets into a TCP session • New version: Replay authentication cookies • Technical name: Cross-Site Request Forgery (CSRF or XSRF)

  40. Flash Cookies and LSOs • Flash cookies are created by Adobe Flash Player • Also called Local Shared Objects • Stored in multiple locations • Difficult to delete

  41. Deletes Google cookies • Link Ch 7c

  42. Securing Applications

  43. Basic Application Hardening Steps • Harden the server itself • Disable unnecessary services • Disable default accounts • Change passwords • Follow vendor guidelines for application • Change default passwords • Disable unnecessary accounts • Eliminate backdoors

  44. Software Development Life Cycle • SDLC models • Waterfall • Spiral • V-Shaped • Rapid Application Model

  45. Software Development Life Cycle Goals • Requirements and design identification • Secure code review • at many stages of development • Testing • Best technique is black-box testing by external experts • "Black box" means they don't know any internal details of the application

  46. Performing Input Validation • Checking data for validity before using it • Never trust anything that came from the user! • Error-handling routines should be friendly and helpful but not disclose too much information

  47. Input Attacks • All these attacks can be prevented with input validation • Buffer overflow • Input too long • SQL injection • Input misinterpreted as code and executed • Cross-site scripting • Input misinterpreted as code and executed

  48. Understanding Secure Coding Concepts

  49. Input Validation • Don't use data that came from external sources, such as the user, without cleaning it first • Only allow proper characters, such as digits in a Zip code • Range checking: only accept values in allowed range (such as 9-digit SSNs) • Limit length • Remove special characters like < " %

More Related