CompTIA Security+ SYO-401

Summarize Various Types of Attacks Tutorial

1 Summarize various Types of Attacks

Nowadays, many people deliberately try to exploit our vulnerabilities, typically motivated by social or political reasons and using a variety of means. Obviously, security breaches can have a serious impact on our personal and professional lives. In this lesson, we’ll explore a few of the cyber-attack tools and techniques used to compromise computer systems. After completing this lesson, you will be able to:

• Define Cyber Attack and its types,
• Identify what Phishing is, and its different forms,
• Explain Xmas Attack, Pharming, and Privilege Escalation,
• Describe Malicious Insider Threat, DNS and ARP Poisoning, and Transitive access, and
• Define Client Side Attack, Password Attack, Typosquatting / URL hijacking, and Watering Hole Attack.

2 Attacks and its Common Types

In this topic, we will learn about attacks and their common types. An attack is an intentional attempt by a hacker to damage or destroy a computer network or system. It occurs due to the presence of a weakness, or vulnerability, in the security system. Depending on the type of vulnerability, attacks take different forms. It is quite obvious that if a system is attached to any type of network, then it is exposed to various types of attacks. Now, let’s look at some of the most common types of attacks in detail.

In the Man in the Middle, or MITM, attack, the attacker takes over a session to view or alter the information transferred between the user and the server. The communicating parties assume that they are transferring information through a secured communication link; however, the attacker can access and potentially modify the communication. In this attack, the attacker not only alters the traffic but also poisons the name resolution of the systems, such as Domain Name System (DNS), Address Resolution Protocol (ARP), NetBIOS, and Windows Internet Name Service (WINS). Moreover, the attacker performs two roles: for the client it becomes the server, and for the server it acts as a client. So when the client enters the login credentials, they first go to the attacker, acting as a fake server, and are then forwarded to the actual server. This way, a link is created between the user and the attacker and between the attacker and the server. Now, the attacker can read the communicated data and can choose to modify it. Attackers use tools such as Ettercap, Cain, Juggernaut, and Hunt to carry out MITM attacks. However, if you follow certain countermeasures, you can protect yourself from these attacks. You can use a strong encryption protocol such as IPsec. You could also use strong authentication such as Domain Name System Security Extensions (DNSSEC), Kerberos, certificates, multifactor authentication, Server Message Block (SMB) signing, and mutual authentication.

The Denial of Service, or DoS, attack attempts to stop the service of the target server. Attackers have various means to carry out this attack. Some exploit flaws in the operating system, whereas others focus on installed applications, services, or protocols. DoS attacks usually occur between one attacker and one victim. Some DoS attacks misuse specific protocols, such as Internet Protocol (IP), Transmission Control Protocol (TCP), Internet Control Message Protocol (ICMP), and User Datagram Protocol (UDP). In some of these attacks, the attackers engage intermediary entities, participants who are not aware of the attack, to hide the attacker from the victim. The two most common forms of DoS attack are distributed denial of service and distributed reflective denial of service. A DRDoS attack uses an amplification, or bounce, network that acts as an unknowing participant: it receives broadcast messages from the attacker and then does the job of bouncing, or responding to, those messages. In this attack, the attacker sends spoofed message packets to the amplification network’s broadcast address, with the source falsified to be the victim host. Due to this, every single packet from the attacker is distributed to all hosts present in that network. Once the packets are received, each host sends a reply that goes directly to the victim because of the falsified source. Ultimately, every single packet from the attacker is transformed into numerous packets and floods the victim server’s communication path. The attack is successful! There are numerous specific DoS attack tools and methods. Now let’s look at a few of them.

• Smurf attack is a DRDoS attack wherein the attacker sends ICMP echo packets to slaves, which in turn reply to the target, or victim.
• Fraggle attack uses UDP packets in place of the ICMP echo packets used in smurfing, so it is also a kind of DRDoS attack.
• SYN flood exploits the TCP three-way handshake. In a three-way handshake, the client sends a SYN packet to the server, the server replies with a SYN/ACK packet, and then the client sends an ACK packet to complete the connection. In this attack, the attacker continuously sends SYN packets without the ACK. This consumes all network resources and rules out the possibility of a new connection.
• Teardrop attack sends fragmented IP packets with overlapping sequence and offset values. When the victim attempts to reassemble these IP packets, due to insufficient information, it
• Land attack sends numerous SYN packets with source and destination addresses spoofed as the victim’s address. This results in crashing the victim’s computer.
• Ping flood sends continuous ping echo packets to the victim, which can flood the network. This way, no one else can use the legitimate network.
• Ping of Death sends oversized packets to the victim. Since the victim may not be able to handle these packets, the system may crash.
• Bonk attack sends corrupted UDP packets to DNS port 53. It may cause the victim’s system to crash.
• Boink attack is similar to the bonk attack, but the packets are sent to multiple ports, not only port 53, and may cause the victim’s system to crash.

Now let’s look at some of the key countermeasures and ways to safeguard your network from DoS attacks.

• Always work out a response plan with your ISP.
• Add firewalls, routers, and intrusion detection systems to detect DoS traffic and automatically block the port or filter packets based on the source or destination address.
• Disable echo replies on external systems.
• Disable broadcast features on border systems.
• Block all spoofed packets from entering or leaving your network.
• Keep all systems updated with the most current security updates from vendors.

A distributed denial-of-service attack, or DDoS, is a specific type of DoS attack. The major objective of this attack is to prevent the victimized system from executing valid activity or responding to valid traffic. DoS attacks have two basic types. The first type exploits a weakness, an error, or a standard feature of the software to cause a system to hang, freeze, or consume all system resources. This prevents the victimized computer from processing legitimate tasks. The second type floods the victim’s communication pipeline with garbage network traffic and stops the victimized computer from sending or receiving authentic network communications. A DDoS attack compromises one or more intermediary systems. Then, the attacker installs remote-control software such as bots, zombies, or agents on these systems. After that, at a certain point, the attacker conducts a DoS attack against the victim. Here, the victim may be able to discover the zombies causing the DoS attack but probably won’t be able to track down the actual attacker.
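The SYN flood described above leaves half-open connections behind, which is what a firewall or IDS counts to detect it. The following is an added example written for this lesson, not code from the tutorial; the segment records and the 10.0.0.0/8, 192.0.2.0/24 and 198.51.100.0/24 addresses are constructed, and the window and threshold are assumed values.

```python
from collections import defaultdict

# Constructed sample traffic (not from the tutorial): one legitimate
# three-way handshake from 10.0.0.5, then a burst of SYNs from 198.51.100.7
# that are never completed with an ACK.
SERVER = "192.0.2.10"
SAMPLE_SEGMENTS = [
    (0.00, "10.0.0.5", SERVER, "SYN"),
    (0.01, SERVER, "10.0.0.5", "SYN/ACK"),
    (0.02, "10.0.0.5", SERVER, "ACK"),
] + [(0.10 + i * 0.001, "198.51.100.7", SERVER, "SYN") for i in range(60)]


def track_half_open(segments, server, window=1.0, threshold=50):
    """Replay TCP segments (time, src, dst, flags) in time order.

    A client's SYN opens a half-open entry for that client; the client's ACK
    (third step of the handshake) completes one.  If a single source holds
    more than `threshold` half-open entries whose SYNs arrived within
    `window` seconds, that source is reported.  Returns (counts, alerts).
    """
    pending = defaultdict(list)   # src -> timestamps of SYNs still unanswered
    alerts = []
    for ts, src, dst, flags in sorted(segments):
        if dst != server:
            continue              # only connections into the protected server
        if flags == "SYN":
            pending[src].append(ts)
        elif flags == "ACK" and pending[src]:
            pending[src].pop(0)   # handshake completed; entry no longer half-open
        # Expire entries older than the window, as a real stack would time out.
        pending[src] = [t for t in pending[src] if ts - t <= window]
        if len(pending[src]) > threshold and src not in alerts:
            alerts.append(src)
    return {s: len(v) for s, v in pending.items()}, alerts


if __name__ == "__main__":
    counts, alerts = track_half_open(SAMPLE_SEGMENTS, SERVER)
    print("half-open per source:", counts)
    print("sources exceeding threshold:", alerts)
```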

3 Replay, Spoofing, Spam and Spim

In this topic, you will study Replay, Spoofing, Spam, and Spim. As the name suggests, a Replay attack captures network traffic and then replays the captured traffic to gain unauthorized access to the system. It is a type of passive online attack in which important information is sniffed and replayed later by the attacker. In this attack, the attacker focuses on network traffic that performs authentication between a client and a server. If the attacker gains access to the authentication traffic packets, which can contain usernames and passwords, certificates, token responses, or biometric values, then the replay attack helps the attacker log on to a system by retransmitting the captured packets. Let’s look at an example: the client transmits its logon credentials to the server; the attacker intercepts and snoops on that transmission. Next, the attacker replays those captured authentication packets against the server to falsify a logon as the original client. A successful replay attack gives the attacker the same level of user authentication as the original client. To prevent such attacks, you may use modern operating systems, networks, protocols, services, and applications that apply various replay-protection mechanisms. Also, you can use packet sequencing and timestamps as countermeasures. Packet sequencing drops a packet that is not in the proper order, whereas packet timestamps drop a packet that is received outside a specific timeframe. Kerberos is one of the best examples of a countermeasure to the Replay attack; it uses the timestamp technique.

Spoofing is the act of falsifying data. Usually it changes the source address of network packets. Due to the address change, the attacker redirects packet responses, replies, and echoes to some other system. Thus, victims are unable to identify the actual attacker. Spoofing allows unwanted mail, known as spam: you can neither reply to these spoofed e-mails nor identify the original sender. It can also be used to redirect packets, bypass traffic filters, steal data, perform social-engineering attacks, and even create a fake social networking account. Now let’s look at a few of the key countermeasures against spoofing attacks:

• Enable spam and spoofing filters.
• Ignore or discard all incoming packets received by border systems whose source address is from inside your private network.
• Drop all outgoing packets received by border systems whose source address is from outside your private network.
• Drop all packets with a LAN address in their header where that LAN address isn’t officially issued to a valid system.

Spam is undesired or uninvited e-mail. It refers to sending the same message to a large number of users, and it can contain malicious code. Spam causes problems for several reasons:

• It may carry malicious code such as viruses, logic bombs, or Trojan horses.
• It can be the vehicle for social engineering attacks like hoax e-mails.
• It is unwanted e-mail that wastes your time while you sort through it looking for legitimate messages.
• It wastes Internet resources like storage capacity, computing cycles, and throughput.

Let’s look at a few countermeasures against spam. The primary countermeasure is employing an e-mail filter. It contains a list of e-mail addresses, domain names, or IP addresses from which spam is known to originate. If a message arrives from one of the listed spam sources, the filter blocks or discards it. The second countermeasure is deploying client-side spam filters or enterprise spam tools. These filters reduce spam distribution internally by blocking and removing undesirable messages before they take up storage space on e-mail servers or make their way to clients. Using spam filters can sometimes be problematic. For example, if a keyword defined as spam is present in any e-mail, that e-mail will be treated as spam. To avoid this issue, set up a separate folder for spam e-mails so that users can check this folder for misidentified mail and retrieve it. Another issue is that spam may contain spoofed e-mail that has a fake address. E-mail servers perform a reverse lookup on the source address when they receive any message; in this case, due to a nonexistent source address, the message will be discarded. To avoid spoofed messages, always check the source address against blacklists and filter on invalid entries present in the message header.

Spim is sending spam messages over an Instant Messenger, or IM. It uses some form of instant messaging service to send spam to a large number of users, and the message may contain malicious code. Additionally, attackers may use Short Message Service, or SMS, to send spam messages.
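The two replay countermeasures named in this topic, packet sequencing and timestamps, are shown together in the following added example (not code from the tutorial). The packet format is constructed; the five-minute window is Kerberos' default acceptable clock skew, and the replay cache of accepted authenticators is an added detail that Kerberos also keeps.

```python
from dataclasses import dataclass, field

MAX_SKEW = 300.0   # seconds; Kerberos' default acceptable clock skew is five minutes


@dataclass
class ReplayGuard:
    """Server-side state for the two countermeasures in the text: packet
    sequencing (out-of-order packets are dropped) and timestamps (packets
    outside the window are dropped), plus a short-lived cache of accepted
    authenticators so an exact copy inside the window is also refused."""
    last_seq: dict = field(default_factory=dict)   # client -> highest seq accepted
    seen: set = field(default_factory=set)          # (client, timestamp) accepted recently

    def accept(self, packet, now):
        """Check one authentication packet; return (accepted, reason).

        packet is a dict with keys client, seq, ts and creds (constructed format).
        """
        client, seq, ts = packet["client"], packet["seq"], packet["ts"]
        # Timestamp check: a packet captured and retransmitted later falls
        # outside the window, as does a badly skewed clock.
        if abs(now - ts) > MAX_SKEW:
            return False, "timestamp outside window"
        # Replay cache: the same authenticator presented again within the window.
        if (client, ts) in self.seen:
            return False, "duplicate authenticator"
        # Sequence check: each client's packets must arrive in increasing order.
        if seq <= self.last_seq.get(client, -1):
            return False, "sequence number out of order"
        self.seen.add((client, ts))
        self.last_seq[client] = seq
        # Entries older than the window can be forgotten: the timestamp check
        # already rejects anything that old.
        self.seen = {(c, t) for c, t in self.seen if now - t <= MAX_SKEW}
        return True, "ok"


def run_scenario():
    """Constructed scenario: a genuine logon, then the captured packet replayed
    by an attacker.  Returns the list of (accepted, reason) results."""
    guard = ReplayGuard()
    logon = {"client": "alice", "seq": 1, "ts": 1000.0, "creds": "<captured token>"}
    return [
        guard.accept(logon, now=1001.0),                          # genuine client
        guard.accept(logon, now=1030.0),                          # replay 30 s later
        guard.accept(dict(logon, seq=0, ts=1010.0), now=1011.0),  # stale sequence number
        guard.accept(logon, now=1500.0),                          # replay after the window
    ]


if __name__ == "__main__":
    for accepted, reason in run_scenario():
        print("ACCEPT" if accepted else "DROP  ", reason)
```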

4 Phishing and its Different Forms

In this topic, you will learn about Phishing and its different forms. Phishing is an e-mail attack. It is an e-mail that seems genuine, or sent by a known or trusted source, but in reality contains malicious code to redirect the user to a fake phishing site. This type of attack is used to acquire sensitive information such as usernames, passwords, credit card details, and other personally identifiable information. Phishing e-mails are generally sent to everyone in the targeted list. This is also termed a blind attack. Phishing can be classified into Spear Phishing and Whaling. The former is a targeted form of phishing where the message is sent to a single person or a specific group of individuals instead of being broadcast to everyone. The latter is a form of phishing where the attackers target specific high-net-worth individuals on the basis of title, industry, and media coverage. This is a customized message sent according to the needs and interests of the target. To prevent phishing, do not open any unexpected e-mail attachments and always avoid sharing sensitive information via e-mail. Vishing is another form of phishing attack, done via VoIP services. In vishing, it is difficult to trace the source or origin of the attack. The best way to avoid this attack is by verifying every received phone call, even though it may seem to have the correct caller ID. Always verify the caller, or hang up on them, and then call them back on a known or trusted phone number, such as the number on the back of your credit card or the number on the caller’s official website.

5 Xmas Attack, Pharming, Privilege Escalation

In this topic, you will study Xmas Attack, Pharming, and Privilege Escalation. An Xmas attack is an Xmas scan. In this attack, the attacker scans ports using port scanners such as Nmap, Xprobe, and hping2. An Xmas attack takes place when someone sends Xmas-flagged packets to one or more ports on a computer. The attacker enables multiple flags in the TCP header, such as URG, PSH, and FIN, at one go and then sends those packets toward multiple ports to learn whether each port is open or closed. Why is this attack referred to as Xmas? Let’s find out. An Xmas scan sends a TCP packet to a target port with flags that create a flag byte of 00101001 in the TCP header. This is said to be representative of the alternately flashing lights on a Christmas tree, which is why the attack was named an Xmas attack. According to the TCP specification, if the victim replies with RST, then the port is closed; otherwise the port is open. This is applicable to all systems except those running the Windows operating system, because Windows sends RST for many invalid packets even if the port is open. If the packet scanning is large, it may affect the performance of the targeted system or consume the available bandwidth. Thus, this process may incidentally lead to DoS.

In Pharming, the victim is redirected from a valid web address to a fake website. This seems similar to a phishing attack and is attempted by attackers to obtain the victim’s user ID and password. Attackers can save this information and then redirect the victim to the original site. This can be done by manipulating IP resolution, by changing the hosts file, or by poisoning or spoofing DNS resolution. Day by day, pharming has become more problematic as hackers have discovered numerous ways to take advantage of DNS vulnerabilities to pharm several domain names for large groups of targeted users.

Gaining unauthorized access, or greater privilege over resources than one has been given by an organization, is called privilege escalation. This can take place via weaknesses in the OS. Hacking tools can be used to exploit a programming weakness that allows attackers to gain permanent or temporary membership in the administrators’ group. Identity theft or credential compromise, such as keystroke capturing or password cracking, are examples of privilege escalation. Privilege escalation is nothing but a violation of security. Most often it breaks authorization restrictions or authentication. To minimize privilege escalation, all operating systems should be updated with patches from the vendor. Auditing and monitoring should be arranged to keep an eye on privilege-escalation symptoms, such as repeated attempts to manage accounts by an unauthorized person and multiple attempts to access resources that are beyond a user’s assigned authorization level.
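The Xmas flag byte 00101001 described above can be decoded bit by bit, which is how an IDS recognizes the scan on the wire. The following is an added example written for this lesson, not the tutorial's own code; the packet records are constructed, and the three-port threshold for calling a set of probes a sweep is an assumption.

```python
# TCP flag bits in their header order; FIN is the least significant bit.
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
             "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
XMAS_FLAGS = TCP_FLAGS["URG"] | TCP_FLAGS["PSH"] | TCP_FLAGS["FIN"]   # 0b00101001


def decode_flags(flag_byte):
    """Return the set of flag names that are set in a TCP flag byte."""
    return {name for name, bit in TCP_FLAGS.items() if flag_byte & bit}


def is_xmas(flag_byte):
    """An Xmas probe carries URG+PSH+FIN and none of SYN, RST or ACK; on an
    established connection a real segment with URG or PSH also carries ACK."""
    return flag_byte & 0x3F == XMAS_FLAGS


def find_xmas_scans(packets, min_ports=3):
    """packets: (src, dst, dport, flag_byte).  Return {src: sorted ports} for
    every source that sent Xmas-flagged packets to at least min_ports ports,
    which is the sweep across ports the text describes."""
    hits = {}
    for src, _dst, dport, flag_byte in packets:
        if is_xmas(flag_byte):
            hits.setdefault(src, set()).add(dport)
    return {src: sorted(ports) for src, ports in hits.items()
            if len(ports) >= min_ports}


# Constructed sample (not from the tutorial): a normal HTTPS exchange from
# 10.0.0.5 and an Xmas sweep from 203.0.113.9 across four ports.
SAMPLE_PACKETS = [
    ("10.0.0.5", "192.0.2.10", 443, TCP_FLAGS["SYN"]),
    ("10.0.0.5", "192.0.2.10", 443, TCP_FLAGS["PSH"] | TCP_FLAGS["ACK"]),
    ("203.0.113.9", "192.0.2.10", 22, 0b00101001),
    ("203.0.113.9", "192.0.2.10", 80, 0b00101001),
    ("203.0.113.9", "192.0.2.10", 443, 0b00101001),
    ("203.0.113.9", "192.0.2.10", 8080, 0b00101001),
]

if __name__ == "__main__":
    print(sorted(decode_flags(0b00101001)))        # ['FIN', 'PSH', 'URG']
    print(find_xmas_scans(SAMPLE_PACKETS))
```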

6 Malicious Insider Threat, DNS and ARP Poisoning

In this topic, you will learn about Malicious Insider Threat, DNS and ARP Poisoning, and Transitive access. Till now we have seen attacks performed by an outside attacker. But an organization is at risk even from its internal users. When an insider is responsible for malicious activities, the threat is usually bigger, as they have already passed physical security without any barrier and possess the rights and permissions to easily breach the logical security. Even for hacking, at times, hackers use the insiders’ presence within the facility, or their user accounts. For example, malicious insiders can bring in malicious code from outside on various storage devices, such as mobile phones, memory cards, optical discs, and USB drives. We can avoid a Malicious Insider Threat by simply following some measures, such as detailed background checks, robust policies with severe penalties, thorough auditing and monitoring of user activity, restricting access to external and private storage devices, and using whitelists to reduce unauthorized code execution.

DNS poisoning involves attacking the real DNS server and placing incorrect information into its zone file. This causes the real DNS server to send false data back to clients. Let’s look at the four-step process that a client performs when it needs to resolve a DNS name into an IP address:

• Checking the local cache
• Checking the local hosts file
• Sending a DNS query to a known DNS server
• Sending a broadcast query to any possible local subnet DNS server

An attacker uses many ways to attack or exploit DNS. Let’s look at each technique. The first is deploying a rogue DNS server. In this technique, a rogue DNS server listens in on network traffic for any DNS query, or for specific DNS queries related to a target site. Then it sends a DNS response to the client with false IP information. For this attack, it is necessary that the rogue DNS server gets its response back to the client before the real DNS server responds. Once the client receives the response from the rogue DNS server, it closes the DNS query session, so the response from the real DNS server is dropped or ignored as an out-of-session packet. Next, we have DNS poisoning. In this technique, the attacker attacks the real DNS server and places incorrect information into its zone file. This causes the real DNS server to send false data back to clients. Third on our list is altering the hosts file. This method involves modifying the hosts file on the client by placing false DNS data into it, which redirects users to false locations. The fourth technique is corrupting the IP configuration, which results in a client with a false DNS server definition. This can be accomplished either directly on the client or on the network’s DHCP server. Finally, we have the proxy falsification technique. This is useful only against web communications. It involves planting false web proxy data into a client’s browser and then operating a rogue proxy server. In this attack, the rogue proxy server can modify the HTTP traffic packets to re-route requests to a site that the hacker desires. Now, let’s look at security measures that can reduce the DNS poisoning threat:

• Restrict zone transfers from internal DNS servers to external DNS servers.
• Restrict the external DNS servers from which internal DNS servers pull zone transfers.
• Install a network intrusion detection system, or NIDS, to watch for abnormal DNS traffic.
• Appropriately harden all DNS, server, and client systems in your private network.
• Employ DNSSEC to protect your DNS infrastructure.

Address Resolution Protocol, or ARP, poisoning is the act of spoofing a MAC address in a local area network, for both users and servers, to hack their communication. The attacker then alters the information to its benefit. This protocol uses a two-step process to resolve IP addresses into MAC addresses:

• The first step is checking the local ARP cache.
• The next step is transmitting an ARP broadcast if that check fails.

An attacker uses the following techniques to attack or exploit ARP. The first technique is poisoning the local ARP cache. ARP poisoning is commonly used in active sniffing attacks. Next, we have false ARP replies or announcements. This technique involves transmitting poisoned ARP replies or announcements. If a host obtains a false MAC address for an IP address, its transmissions go to the wrong location. It is effective within a single subnet, not across multiple subnetworks. False ARP announcements are also used to overload the MAC mapping cache of a switch to force it into a fault-tolerant mode of transmitting data to all ports. To avoid ARP poisoning, you should undertake two important steps:

• First, use a tool like ARP-Watch to observe and check for ARP poisoning.
• Second, provide port security at the access switch level to defend against ARP-based attacks.
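The ARP-Watch countermeasure above works by remembering every IP-to-MAC mapping it sees and reporting when one changes. The following is an added example in that spirit, not the tutorial's code and not arpwatch itself; the ARP records, addresses and MACs are constructed.

```python
def watch_arp(replies, trusted=None):
    """ARP-Watch-style monitor.  replies: iterable of (time, ip, mac) taken
    from ARP replies or gratuitous announcements seen on the segment.
    An optional `trusted` dict seeds the table with known-good mappings
    (e.g. the gateway).  Returns (table, alerts) where each alert is
    (time, ip, previous_mac, new_mac): a "flip flop" in arpwatch's terms."""
    table = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        known = table.get(ip)
        if known is None:
            table[ip] = mac            # first time this station has been seen
        elif known != mac:
            alerts.append((ts, ip, known, mac))
            table[ip] = mac            # follow the new claim so a flip back also alerts
    return table, alerts


def gateway_claimants(replies, gateway_ip):
    """Distinct MACs that have answered for the gateway IP.  More than one is
    the classic sign of a host inserting itself between the LAN and the router."""
    return sorted({mac.lower() for _, ip, mac in replies if ip == gateway_ip})


# Constructed sample (not from the tutorial): the real gateway announces itself,
# a workstation replies normally, then a second station claims the gateway IP.
SAMPLE_ARP = [
    (0, "10.0.0.1", "00:11:22:33:44:01"),   # real gateway
    (1, "10.0.0.5", "00:11:22:33:44:05"),   # ordinary workstation
    (5, "10.0.0.1", "DE:AD:BE:EF:00:01"),   # unsolicited reply claiming the gateway
    (6, "10.0.0.1", "00:11:22:33:44:01"),   # real gateway answers again: flip flop
]

if __name__ == "__main__":
    table, alerts = watch_arp(SAMPLE_ARP)
    for ts, ip, old, new in alerts:
        print(f"t={ts}: {ip} changed {old} -> {new}")
    print("gateway claimants:", gateway_claimants(SAMPLE_ARP, "10.0.0.1"))
```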

7 Attack Types

In this topic, you will explore Client-side attack, Password attack, Typosquatting / URL hijacking, and Watering Hole Attack. A client-side attack is any attack that compromises a client. We normally think that the targets for attack would be servers or server-side components, but the client itself, or a process on the client side, can be the target. This attack can occur over any communication protocol, not only HTTP. An example of a client-side attack is a malicious website transferring malicious mobile code to a vulnerable browser running on the client.

Do you keep passwords to protect data? Unfortunately, passwords can also be cracked. Let’s understand what a password attack is. Password attacks can be carried out on websites or remote targets directly by opening the login page of the targeted server and then using several password-attacking techniques. When referring to a password attack, you need to understand that the attacker first acquires the password through various ways, and then it is cracked by using password-cracking or guessing techniques. The attacker uses the following ways to acquire a password:

• Active Online: the attacker accesses the server login portal and hacks the login credentials.
• Passive Online: the attacker waits for users to log on using their credentials, and then sniffs the credentials through network sniffing.
• Offline attack: the attacker obtains password hashes and keys from the network, and then uses a password-cracking tool to crack the password.
• Non-Electronic attack: this includes shoulder surfing, dumpster diving, and other social engineering attacks.

The attacker uses five techniques to crack or steal user passwords. These involve sneaking into the authentication server’s account database, or intercepting the network traffic, and acquiring the hash of a password, which is then reverse-engineered. The five password-cracking techniques are Brute-force attacks, Dictionary attacks, Hybrid attacks, Birthday attacks, and Rainbow tables. Let’s look at each technique in detail.

• Brute-force attack: Brute-force attacks generate hashes based on retrieved passwords. They try any combination of letters, numbers, and special characters, such as AER123@1.
• Dictionary attack: Dictionary attacks are used to crack simple dictionary-based passwords such as pass, password, and others. These passwords are very easy to crack. This technique calculates the hashes for the dictionary words and matches them against the target hash.
• Hybrid attack: Hybrid attacks first take the base dictionary-list attack. Then they perform various single-character and multi-character manipulations on the base passwords. This includes adding numbers or replacing letters with numbers or symbols, for example, Pass@123.
• Birthday attack: Birthday attacks guess the user’s personal information in passwords, as most users use their birthday, anniversary, their own name, or the names of their spouse, children, or even their pet. The advantage of this technique is that guessing becomes easy. This is because there are only 366 possible birthdays, including leap years, and every wrong guess removes it from the remaining pool, so the next guess has a greater chance of being correct.
• Rainbow tables: A rainbow attack uses a table of precomputed hash values to make brute force faster so that hashes can be matched to get the password. This attack is also known as a really worrisome password attack. Usually, to crack a password, the attacker converts the stolen password into a hash and then performs the Exclusive Or, or XOR, method on it. The hashing technique is slower than the XOR process; so in the process of password cracking, the time spent on hashing is higher than the time spent on cracking the password. To eliminate this, attackers have evolved a new form of password cracking that reduces the hashing time. This new technique involves a massive database of hashes for every potential password. This database is known as the rainbow table. Currently, a rainbow table is available that can crack Windows OS passwords of 1 to 14 characters generated using any character key. To protect against this threat, it is recommended that you change your Windows and network passwords to a minimum of 16 characters, or use one or more higher-order ASCII characters in a password of at least 8 characters, with the permission of the security administrator.

Have you ever searched for a particular website and landed on another page which looks similar to, or is spelled like, your intended website? This is typosquatting. Typosquatting, or URL hijacking, occurs when a user mistypes the URL of the webpage that he wants to visit but is unable to identify that he is on the wrong website, because of the similar name of the website, or because the attacker has taken that URL and created a fake website. Let’s take some examples of the variations used for typosquatting:

• Common misspellings, such as googel.com
• Typing errors, such as gooogle.com
• Variations of a name or word, like writing plurals as in googles.com
• Different top-level domains, such as google.org

A watering hole attack is a targeted attack that remains specific to a region, a group, or an organization. It is performed to retrieve information about victims’ browsing history. The attacker identifies locations, such as a common resource or site, that one or more members visit frequently. Then, he tries to manipulate those browsing locations by setting up malware in them. These locations are called water holes. Next, the attacker waits for members of the targeted group to visit the poisoned water hole location, and then attacks them to infect the network or compromise the group’s credentials.
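A password policy can turn the dictionary and hybrid techniques above around: undo the manipulations a hybrid attack applies (appended digits and symbols, letters swapped for look-alike digits or symbols) and refuse any password whose base word is in a dictionary, then apply the length recommendations this topic gives against rainbow tables. The following is an added example for this lesson, not the tutorial's code; the word list and the substitution table are constructed and deliberately small.

```python
import re

# Constructed word list standing in for an attacker's dictionary; a real
# audit would load a large list such as the ones shipped with cracking tools.
WORDLIST = {"pass", "password", "admin", "welcome", "summer", "letmein"}

# Letter-for-symbol swaps a hybrid attack applies to dictionary words,
# listed here in reverse so the base word can be recovered.
LEET = {"@": "a", "3": "e", "1": "i", "0": "o", "$": "s"}


def base_word(candidate):
    """Undo the hybrid manipulations the text lists: lower-case, strip digits
    and symbols added at either end, then reverse letter-for-symbol swaps.
    "Pass@123" -> "pass", "P@ssw0rd" -> "password"."""
    word = candidate.lower()
    word = re.sub(r"^[^a-z]+|[^a-z]+$", "", word)   # strip appended/prepended junk
    return "".join(LEET.get(ch, ch) for ch in word)


def classify(candidate):
    """Return the attack class that would recover the password quickly:
    'dictionary' (the word itself), 'hybrid' (a manipulated dictionary word),
    'short' (within reach of the rainbow tables the text mentions), or 'ok'
    by the text's recommendations: 16+ characters, or 8+ characters that
    include a higher-order (non-ASCII) character."""
    if candidate.lower() in WORDLIST:
        return "dictionary"
    if base_word(candidate) in WORDLIST:
        return "hybrid"
    if len(candidate) >= 16:
        return "ok"
    if len(candidate) >= 8 and any(ord(ch) > 127 for ch in candidate):
        return "ok"
    return "short"


def audit(candidates):
    """Classify each candidate password; returns {password: class}."""
    return {pw: classify(pw) for pw in candidates}


if __name__ == "__main__":
    # Constructed candidates, including the two examples from the text.
    for pw, verdict in audit(["password", "Pass@123", "P@ssw0rd",
                              "AER123@1", "correct-horse-battery-staple"]).items():
        print(f"{pw:32} {verdict}")
```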

9 Summary

Let’s summarize the topics covered in this lesson.

• An attack is an intentional attempt by a hacker to damage or destroy a computer network or system.
• In the MITM attack, the attacker takes over a session to view or alter the information transferred between the user and the server.
• The DoS attack is attempted to stop the service of the target server. The two forms of DoS attacks are DRDoS and DDoS.
• In the Replay attack, important information is sniffed and replayed later by the attacker.
• In the Xmas attack, the attacker scans ports using port scanners such as Nmap, Xprobe, and hping2.
• DNS poisoning involves attacking the real DNS server and placing incorrect information into its zone file.
• ARP, or Address Resolution Protocol, poisoning is the act of spoofing a MAC address in a local area network for both users and servers to hack their communication.
• The five password-cracking techniques are Brute-force attacks, Dictionary attacks, Hybrid attacks, Birthday attacks, and Rainbow tables.

With this, we conclude this lesson, “Summarize various types of attacks.” In the next lesson, we will look at “Summarize social engineering attacks and the associated effectiveness with each attack.”

