3.2 Compare and contrast common network vulnerabilities and threats - Paiet/Tech-Journal-for-Everything GitHub Wiki
- Attacks/threats
- Denial of service (DoS)
- Interrupting clients' access to resources on a server or network, for example:
- Web services
- Logon services
- File access
- Network access
- Distributed DoS
- A DoS launched simultaneously from many attacking machines, usually a botnet
- Botnet
- A collection of compromised computers (bots) running a program under a remote controller's command, which can be pointed at a specific target
- Low Orbit Ion Cannon (LOIC): a flooding tool that volunteers run to join a coordinated attack
- DoS
- Spam
- Malware propagation
- Traffic spike
- Dramatic increase in traffic to the network or to a service
- Coordinated attack
- Usually a botnet directed at a specific target
- Could also be a group of people attacking the same target at an agreed time
- Reflective/amplified
- Sending small requests to many third-party devices with the source IP spoofed to the target's address. The devices send their (much larger) replies to the target, which cannot process the sudden surge in traffic
- DNS
- Uses open (recursive) DNS resolvers to flood the victim with DNS response traffic; small queries that produce large answers (e.g. ANY queries or records with large TXT/DNSSEC data) give amplification of tens of times
- The attacker puts the target's IP address as the source in its requests to the DNS servers
- NTP
- Similar to the DNS reflection/amplification attack
- Some NTP queries (notably the legacy monlist command) return large amounts of data for a tiny request, giving very high amplification
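Detection angle on the reflection/amplification attacks above, as an added example (not code from the original wiki page): from the victim's side a reflected flood looks like many distinct servers answering a host that never asked them anything, because the spoofed requests left from the attacker's network. The flow records, the reflector port list and the thresholds below are constructed assumptions for illustration.

```python
"""Flag reflection/amplification victims in UDP flow records (constructed sample data)."""
from collections import defaultdict

# UDP services commonly abused as reflectors. Assumption: illustrative, not exhaustive.
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 19: "chargen", 161: "SNMP", 1900: "SSDP", 11211: "memcached"}


def find_reflection_victims(flows, min_reflectors=5, min_unsolicited=0.8):
    """flows: iterable of (src_ip, src_port, dst_ip, dst_port, proto, nbytes).

    Returns {victim_ip: summary} for destinations that receive replies from at
    least `min_reflectors` distinct reflector IPs where at least `min_unsolicited`
    of those replies have no matching request in our own records.
    """
    # Pass 1: requests we actually saw leaving a host toward a reflector service.
    requests = set()
    for src, sport, dst, dport, proto, nbytes in flows:
        if proto == "udp" and dport in REFLECTOR_PORTS:
            requests.add((src, dst, dport))

    # Pass 2: replies arriving from reflector ports, grouped by destination.
    stats = defaultdict(lambda: {"reflectors": set(), "services": set(),
                                 "bytes": 0, "replies": 0, "unsolicited": 0})
    for src, sport, dst, dport, proto, nbytes in flows:
        if proto != "udp" or sport not in REFLECTOR_PORTS:
            continue
        s = stats[dst]
        s["reflectors"].add(src)
        s["services"].add(REFLECTOR_PORTS[sport])
        s["bytes"] += nbytes
        s["replies"] += 1
        if (dst, src, sport) not in requests:   # nobody here asked this server anything
            s["unsolicited"] += 1

    victims = {}
    for dst, s in stats.items():
        ratio = s["unsolicited"] / s["replies"]
        if len(s["reflectors"]) >= min_reflectors and ratio >= min_unsolicited:
            victims[dst] = {"services": s["services"], "reflectors": len(s["reflectors"]),
                            "bytes": s["bytes"], "unsolicited_ratio": round(ratio, 2)}
    return victims


# Constructed sample flows: (src_ip, src_port, dst_ip, dst_port, proto, bytes).
SAMPLE_FLOWS = [
    ("10.0.0.5", 51000, "8.8.8.8", 53, "udp", 60),     # a legitimate DNS query ...
    ("8.8.8.8", 53, "10.0.0.5", 51000, "udp", 120),    # ... and its answer (solicited)
]
# DNS amplification against 203.0.113.10: eight open resolvers, ~3 KB answers, no queries from the victim.
SAMPLE_FLOWS += [(f"198.51.100.{i}", 53, "203.0.113.10", 40000 + i, "udp", 3000) for i in range(1, 9)]
# NTP monlist reflection against 203.0.113.20 from six NTP servers.
SAMPLE_FLOWS += [(f"192.0.2.{i}", 123, "203.0.113.20", 123, "udp", 440) for i in range(1, 7)]

if __name__ == "__main__":
    for victim, summary in find_reflection_victims(SAMPLE_FLOWS).items():
        print(victim, summary)
```

Caveat: asymmetric routing or NAT can hide the outbound request from the sensor and produce false positives, so the unsolicited ratio should be tuned per vantage point; the distinct-reflector count is the more robust signal.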
- Smurfing
- Sends ICMP echo requests to a network's broadcast address with the victim's address as the spoofed source, so every host on that segment replies to the victim at once (an ICMP flood)
- Older attack; modern routers and hosts are configured against it by default
- How to fix
- Configure router to not respond to ICMP requests or broadcasts
- Configure router to not forward packets that have been directed to the broadcast address
- This is configured by default in modern routers
- Disable this by entering...
Router(config-if)# no ip directed-broadcast
- Friendly/unintentional DoS
- Caused by a sudden legitimate surge in popularity that drastically increases traffic beyond what the service was sized for
- "Ellen breaks Twitter": Ellen DeGeneres's 2014 Oscars selfie tweet temporarily overloaded Twitter
- Physical attack
- Permanent DoS (PDoS, also called "phlashing")
- Exploiting a device's management interface or update path to gain access, then installing illegitimate firmware that bricks the device until it is reflashed or replaced
- ARP cache poisoning
- Sending forged ARP replies so a victim host maps another device's IP address (typically the default gateway) to the attacker's layer 2 MAC address
- The victim's NIC then addresses frames meant for that device to the attacker's MAC, and the switch delivers them to the attacker's port
- Usually done to sniff or modify traffic on a switched network, where normal sniffing would only see the attacker's own frames
- Ettercap
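Detecting the poisoning described above, as an added example that is not part of the original page: the same two signals arpwatch-style monitors use, an IP whose MAC suddenly changes ("flip-flop") and one MAC answering for several IPs including the gateway. The ARP observations, addresses and MACs are constructed for illustration.

```python
"""Spot ARP cache poisoning in a stream of observed ARP replies (constructed sample data)."""
from collections import defaultdict


def detect_arp_poisoning(replies, gateway_ip):
    """replies: iterable of (t, sender_ip, sender_mac) taken from ARP replies seen on the segment.

    Returns a dict with:
      flipflops      - [(t, ip, old_mac, new_mac)] every time an IP changes MAC
      multi_ip_macs  - {mac: [ips]} MACs that answered for more than one IP
      gateway_hijacked - True if the gateway's IP ever changed MAC

    Caveat: a NIC swap, DHCP reassignment, proxy ARP, or an HSRP/VRRP virtual MAC
    also produce these signals, so treat them as alerts to investigate, not proof.
    """
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    flipflops = []
    for t, ip, mac in replies:
        mac = mac.lower()                      # normalise case before comparing
        prev = ip_to_mac.get(ip)
        if prev is not None and prev != mac:
            flipflops.append((t, ip, prev, mac))
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)

    multi_ip_macs = {m: sorted(ips) for m, ips in mac_to_ips.items() if len(ips) > 1}
    gateway_hijacked = any(ip == gateway_ip for _, ip, _, _ in flipflops)
    return {"flipflops": flipflops, "multi_ip_macs": multi_ip_macs,
            "gateway_hijacked": gateway_hijacked}


# Constructed observations: (time, sender IP, sender MAC).
SAMPLE_ARP_REPLIES = [
    (1, "192.168.1.1", "00:11:22:33:44:55"),   # the real gateway
    (2, "192.168.1.10", "aa:bb:cc:dd:ee:01"),  # a victim workstation
    (3, "192.168.1.66", "de:ad:be:ef:00:01"),  # the attacker's own address
    (4, "192.168.1.1", "DE:AD:BE:EF:00:01"),   # forged: gateway IP -> attacker MAC (aimed at the victim)
    (5, "192.168.1.10", "de:ad:be:ef:00:01"),  # forged: victim IP -> attacker MAC (aimed at the gateway)
    (6, "192.168.1.1", "de:ad:be:ef:00:01"),   # poison is re-sent periodically to keep caches wrong
]

if __name__ == "__main__":
    report = detect_arp_poisoning(SAMPLE_ARP_REPLIES, gateway_ip="192.168.1.1")
    for ff in report["flipflops"]:
        print("flip-flop:", ff)
    print("MACs claiming several IPs:", report["multi_ip_macs"])
    print("gateway hijacked:", report["gateway_hijacked"])
```

In production the same logic runs on ARP captured from a span port or on `arp -a` snapshots from hosts; the preventive controls are Dynamic ARP Inspection on the switch and static ARP entries for the gateway on critical hosts.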
- Packet/protocol abuse
- Using a protocol in a way it was not intended, for example:
- Spoofing the source IP address inside packets to slip past firewall rules that trust certain addresses
- Sending overlapping or malformed fragments that the target cannot reassemble, crashing or stalling it (DoS)
- Session hijacking: observing the TCP sequence numbers of an existing connection and injecting packets with the expected numbers to "butt in" and take over the session
- Hiding attacker data or commands in the payload of ICMP packets (ICMP tunneling) to slip past firewalls and IDS that only inspect headers
- Spoofing
- Impersonating a trusted device or sender, for example:
- IP Spoofing
- Email spoofing
- Wireless
- Evil twin
- Seemingly legitimate AP, but is really a malicious AP
- Gathers information from the users that connect to it
- Usernames/passwords
- CC info
- Rogue AP
- Unauthorized AP on the network
- Bypasses the perimeter entirely: anyone within radio range is effectively plugged into the LAN
- Allows unauthorized access to the network when setup without any type of security or encryption
- Makes all the data sniffable
- Man-in-the-Middle
- War driving
- Driving around looking for open wifi or wifi with poor security for purposes of gaining access
- NetStumbler, AirSnort, Kismet
- Can work in conjunction with a GPS to map out open networks
- War chalking
- Graphically tagging a wall, curb, or sidewalk with certain symbols to identify the area as having an insecure wireless network
- Bluejacking
- Sending unwanted data to Bluetooth devices, such as messages or advertisements
- Even video or images
- Can be used to push malicious files to a device if the recipient accepts them
- Secure the Bluetooth device by configuring it to reject anonymous connections and turning off discovery
- Bluesnarfing
- Gains access to bluetooth device's email, contacts, calendar, text messages, and even images/videos
- Turn off discovery and reject anonymous connections
- WPA/WEP/WPS attacks
- Breaking wireless encryption
- IV attack (Initialization Vector), a WEP weakness
- The IV is a per-packet value that is combined with the shared secret key to form the RC4 key for that packet, so the same key does not produce the same keystream every time
- The problem is that the IV is small (24 bits, 3 bytes), so on a busy network it repeats within hours; when an IV repeats, two packets share a keystream and XORing them cancels the encryption
- The IV is also sent in cleartext, so an attacker can see exactly which packets share one
- Packet Sniffing
- Wireshark demo
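The IV weakness above made concrete, as an added example that is not from the original wiki page: a toy implementation of WEP's per-packet encryption (RC4 keyed with IV || secret, CRC-32 integrity value, IV sent in clear) shows that two frames encrypted under the same IV XOR to the XOR of their plaintexts, so knowing one plaintext (say a predictable header) reveals the other without the key, and a birthday-bound estimate shows how few frames it takes for a 24-bit IV to repeat. The secret, IV and payloads are constructed; RC4 and WEP are implemented from their public descriptions, not taken from any project.

```python
"""Why a 24-bit IV breaks WEP: keystream reuse under a repeated IV (toy implementation)."""
import math
import random
import zlib

WEP_IV_BITS = 24  # WEP uses a 3-byte IV prepended to the 40- or 104-bit secret key


def rc4_keystream(key: bytes, n: int) -> bytes:
    """Standard RC4 KSA + PRGA; returns n keystream bytes for `key`."""
    S = list(range(256))
    j = 0
    for i in range(256):                               # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) % 256
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):                                 # pseudo-random generation
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) % 256])
    return bytes(out)


def wep_encrypt(secret: bytes, iv: bytes, payload: bytes) -> bytes:
    """WEP frame body: cleartext IV || RC4_{IV||secret}(payload || CRC32(payload))."""
    assert len(iv) == WEP_IV_BITS // 8
    data = payload + zlib.crc32(payload).to_bytes(4, "little")   # ICV appended before encryption
    ks = rc4_keystream(iv + secret, len(data))
    return iv + bytes(a ^ b for a, b in zip(data, ks))


def wep_decrypt(secret: bytes, frame: bytes) -> bytes:
    iv, body = frame[:3], frame[3:]
    ks = rc4_keystream(iv + secret, len(body))
    data = bytes(a ^ b for a, b in zip(body, ks))
    payload, icv = data[:-4], data[-4:]
    if zlib.crc32(payload).to_bytes(4, "little") != icv:
        raise ValueError("ICV mismatch")
    return payload


def recover_with_known_plaintext(frame1: bytes, known_payload1: bytes, frame2: bytes) -> bytes:
    """Two frames under one IV share a keystream, so C1 ^ C2 = P1 ^ P2.
    With P1 known (e.g. a predictable LLC/SNAP + ARP header) P2 falls out, no key needed."""
    assert frame1[:3] == frame2[:3], "needs an IV collision (the IV is visible in clear)"
    c1, c2 = frame1[3:], frame2[3:]
    n = min(len(c1), len(c2), len(known_payload1))
    return bytes(c1[i] ^ c2[i] ^ known_payload1[i] for i in range(n))


def iv_collision_probability(n_frames: int, iv_bits: int = WEP_IV_BITS) -> float:
    """Birthday bound: P(at least one repeated IV among n random IVs)."""
    space = 2 ** iv_bits
    return 1 - math.exp(-n_frames * (n_frames - 1) / (2 * space))


def frames_until_iv_repeat(seed: int = 0, iv_bits: int = WEP_IV_BITS) -> int:
    """Simulate an AP picking random IVs; returns the frame number of the first repeat."""
    rng = random.Random(seed)
    seen = set()
    while True:
        iv = rng.getrandbits(iv_bits)
        if iv in seen:
            return len(seen) + 1
        seen.add(iv)


# Constructed sample: a 40-bit WEP key, one IV used twice, two equal-length payloads.
SECRET = bytes.fromhex("0102030405")
IV = b"\x00\x00\x01"
P1 = b"\xaa\xaa\x03\x00\x00\x00\x08\x06" + b"\x00\x01\x08\x00\x06\x04\x00\x01" + b"AAAA"  # ARP-like, predictable
P2 = b"\xaa\xaa\x03\x00\x00\x00\x08\x00" + b"hello world!"                                  # the frame we want

if __name__ == "__main__":
    f1, f2 = wep_encrypt(SECRET, IV, P1), wep_encrypt(SECRET, IV, P2)
    print("recovered without the key:", recover_with_known_plaintext(f1, P1, f2))
    print("P(IV repeat) after 4823 frames:", round(iv_collision_probability(4823), 3))
    print("first repeat in simulation at frame", frames_until_iv_repeat(seed=7))
```

About 4,800 frames gives a 50 % chance of a repeated IV; at a few hundred frames per second that is seconds, not hours, and many early WEP cards started the IV at zero on every reboot, so collisions were far more common than random selection suggests.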
3.2 Compare and contrast common network vulnerabilities and threats Pt2
Continued from Part 1
- Brute force
- Attempting to crack a password by trying every possible combination of letters, digits and symbols until one works
- Helps expose weak passwords
- Too short
- Not enough complexity
- How secure is your password?
- Commonly Used Passwords
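Detecting an online brute-force attempt, as an added example that is not part of the original page: the defender's view of the attack described above is a burst of failed logins from one source, often walking through several usernames, and the case worth paging on is a success that follows such a burst. The sshd log lines below are constructed in standard syslog format; the thresholds are assumptions to tune per environment.

```python
"""Sliding-window brute-force detection over sshd log lines (constructed sample data)."""
import re
from collections import defaultdict, deque
from datetime import datetime

# sshd's syslog lines; the year is absent, so only time differences are used.
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def detect_ssh_bruteforce(lines, threshold=5, window_s=60, success_after_min=3):
    """Returns {"bruteforce": {ip: details}, "success_after_failures": [details]}.

    bruteforce fires once per source when `threshold` failures fall inside `window_s`;
    success_after_failures records any login that succeeds after at least
    `success_after_min` recent failures from the same source (likely compromise).
    """
    failures = defaultdict(deque)   # ip -> timestamps of failures inside the window
    users = defaultdict(set)        # ip -> usernames tried (spraying shows up here)
    bruteforce, compromised = {}, []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        ip, user = m["ip"], m["user"]
        q = failures[ip]
        if m["result"] == "Failed":
            q.append(ts)
            users[ip].add(user)
            while (ts - q[0]).total_seconds() > window_s:   # drop failures outside the window
                q.popleft()
            if len(q) >= threshold and ip not in bruteforce:
                bruteforce[ip] = {"failures": len(q), "users": sorted(users[ip]), "triggered_at": m["ts"]}
        else:
            if len(q) >= success_after_min:
                compromised.append({"ip": ip, "user": user, "at": m["ts"], "prior_failures": len(q)})
            q.clear()
    return {"bruteforce": bruteforce, "success_after_failures": compromised}


# Constructed log excerpt: one attacker hammering several accounts, one user with a single typo.
SAMPLE_LOG = """\
Jan 10 10:00:01 bastion sshd[2001]: Failed password for invalid user admin from 203.0.113.5 port 40001 ssh2
Jan 10 10:00:04 bastion sshd[2002]: Failed password for invalid user test from 203.0.113.5 port 40002 ssh2
Jan 10 10:00:07 bastion sshd[2003]: Failed password for root from 203.0.113.5 port 40003 ssh2
Jan 10 10:00:10 bastion sshd[2004]: Failed password for root from 203.0.113.5 port 40004 ssh2
Jan 10 10:00:13 bastion sshd[2005]: Failed password for bob from 203.0.113.5 port 40005 ssh2
Jan 10 10:00:16 bastion sshd[2006]: Failed password for bob from 203.0.113.5 port 40006 ssh2
Jan 10 10:00:20 bastion sshd[2007]: Accepted password for bob from 203.0.113.5 port 40007 ssh2
Jan 10 10:05:00 bastion sshd[2101]: Failed password for alice from 10.0.0.8 port 52001 ssh2
Jan 10 10:05:09 bastion sshd[2102]: Accepted password for alice from 10.0.0.8 port 52002 ssh2
""".splitlines()

if __name__ == "__main__":
    report = detect_ssh_bruteforce(SAMPLE_LOG)
    print("brute force sources:", report["bruteforce"])
    print("successes after failures:", report["success_after_failures"])
```

A distributed attacker spreads guesses across many sources to stay under any per-IP threshold, so the same counting should also be keyed per target username; the preventive answer is rate limiting plus MFA or key-based authentication, which take brute force off the table regardless of password strength.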
- Man-in-the-middle
- Attacker sits in between a client and server and pretends to be both devices
- The client thinks the attacker is the server
- The server thinks the attacker is the client
- The attacker uses spoofing techniques to fool them
- Spoofing MAC or IP or both
- Session hijacking
- A form of man-in-the-middle/impersonation attack
- The attacker sniffs network traffic for the session ID a web application stores in the user's session cookie after login
- Copies that session ID into the cookie on the attacking computer
- The website now treats the attacker's requests as the victim's, with no password needed
- Social engineering
- VLAN hopping
- Switch spoofing
- The attacker's port is left in dynamic (DTP) mode; by sending Dynamic Trunking Protocol frames from the attacker PC, the port is negotiated from access mode into trunking mode
- The same result comes from plugging a rogue switch set to trunk into a legitimate switchport left in "dynamic auto" or "dynamic desirable"
- Traffic from every VLAN allowed on the new trunk is then forwarded to the attacker
- Fix: statically configure end-user ports as access ports, disable DTP negotiation on them, and restrict the allowed VLAN list on real trunks
- Double tagging
- The attacker sends frames carrying two 802.1Q VLAN tags: the outer tag is the attacker's own VLAN, the inner tag is the target VLAN
- This is done with packet-crafting tools
- Scapy
- Yersinia
- The first switch strips the outer tag because it matches the trunk's native VLAN, which travels untagged; the frame crosses the trunk with only the inner (false) tag showing
- The next switch sees just the inner tag and delivers the frame into the target VLAN; replies cannot come back the same way, so the attack is one-way (useful for DoS or blind injection, not for sniffing)
- Only works when the attacker's access VLAN is also the native VLAN of the trunk
- Don't use VLAN 1 (or any user-facing VLAN) as the native VLAN! Put the native VLAN on an unused VLAN ID and tag the native VLAN on trunks
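The double-tagging hop above, worked through at the frame level as an added example that is not part of the original page: the code builds a real 802.1Q double-tagged Ethernet frame with `struct`, then models the three forwarding decisions that matter (access-port ingress, trunk egress with native-VLAN stripping, trunk ingress on the neighbour) to show why the frame lands in the target VLAN only when the attacker's VLAN equals the trunk's native VLAN, and how tagging the native VLAN closes the hole. The switch model, MACs and payload are simplifying assumptions, not a vendor's implementation.

```python
"""802.1Q double tagging: build the frame and model why the VLAN hop works (or not)."""
import struct

TPID_8021Q = 0x8100   # TPID that introduces a VLAN tag
ETH_IP = 0x0800


def build_frame(dst, src, vlan_tags, ethertype, payload):
    """Ethernet II frame with zero or more stacked 802.1Q tags (PCP/DEI bits left 0)."""
    hdr = dst + src
    for vid in vlan_tags:
        hdr += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)
    return hdr + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Returns (dst, src, [vlan ids outer..inner], ethertype, payload)."""
    dst, src = frame[:6], frame[6:12]
    off, tags = 12, []
    while struct.unpack_from("!H", frame, off)[0] == TPID_8021Q:
        tags.append(struct.unpack_from("!H", frame, off + 2)[0] & 0x0FFF)
        off += 4
    ethertype = struct.unpack_from("!H", frame, off)[0]
    return dst, src, tags, ethertype, frame[off + 2:]


def access_port_ingress(frame, access_vlan):
    """Model assumption: an access port puts untagged frames in its VLAN and also accepts
    frames tagged with that same VLAN id (many switches do); anything else is dropped."""
    _, _, tags, _, _ = parse_frame(frame)
    if not tags or tags[0] == access_vlan:
        return access_vlan, frame
    return None, None


def trunk_egress(frame, vlan, native_vlan, tag_native):
    """Trunk egress: the frame is re-tagged with its forwarding VLAN, except that the
    native VLAN goes out untagged unless native-VLAN tagging is enabled. Stripping the
    outer tag is exactly what exposes the attacker's inner tag."""
    dst, src, tags, et, payload = parse_frame(frame)
    if tags and tags[0] == vlan:
        tags = tags[1:]                         # the tag we classified on is consumed
    if vlan != native_vlan or tag_native:
        tags = [vlan] + tags
    return build_frame(dst, src, tags, et, payload)


def trunk_ingress(frame, native_vlan):
    """Neighbour's trunk ingress: untagged -> native VLAN, otherwise the outer tag decides."""
    _, _, tags, _, _ = parse_frame(frame)
    return tags[0] if tags else native_vlan


def simulate_double_tag(attacker_vlan, native_vlan, target_vlan, tag_native=False):
    """Returns the VLAN the second switch delivers the attacker's frame into (None if dropped)."""
    frame = build_frame(b"\xff" * 6, b"\xde\xad\xbe\xef\x00\x01",
                        [attacker_vlan, target_vlan], ETH_IP, b"constructed payload")
    vlan, frame = access_port_ingress(frame, attacker_vlan)
    if vlan is None:
        return None
    on_the_wire = trunk_egress(frame, vlan, native_vlan, tag_native)
    return trunk_ingress(on_the_wire, native_vlan)


if __name__ == "__main__":
    print("attacker in native VLAN 1, target 20  ->", simulate_double_tag(1, 1, 20))                 # hops to 20
    print("native VLAN moved to unused 999        ->", simulate_double_tag(1, 999, 20))               # stays in 1
    print("native VLAN 1 but tagged on the trunk  ->", simulate_double_tag(1, 1, 20, tag_native=True))  # stays in 1
```

Both fixes work by the same mechanism: as long as the outer tag is still present when the frame reaches the second switch, that switch classifies on the attacker's VLAN and the inner tag is just payload.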
- Compromised system
- Effect of malware on the network
- Steals data
- Deletes data
- Slows down systems and networks
- Crashes services or computers
- Annoying redirects
- Spam
- Unauthorized remote access
- Insider threat/malicious employee
- Double agent
- Angry/revenge
- Advantage of having authorized access to the systems
- Zero day attacks
- An attack exploiting a vulnerability before the vendor has a patch (or even knows about it); developers have had "zero days" to fix the problem
Vulnerabilities
- Unnecessary running services
- Open ports
- Unpatched/legacy systems
- Unpatched = a PC running a current OS whose patches are not up to date
- Legacy = a PC running an OS after vendor support has ceased, usually to keep a legacy application running
- Unencrypted channels
- Any connection that doesn't use encryption
- FTP
- Telnet
- HTTP
- Clear text credentials
- Could be stored in a database, text file, email, or sent over an unencrypted channel
- Insecure protocols (all data, credentials included, is sent in cleartext)
- TELNET
- HTTP
- SLIP
- FTP
- TFTP
- SNMPv1 and SNMPv2c (the community string that acts as the password is sent in cleartext)
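What "cleartext credentials on an unencrypted channel" means in practice, as an added example that is not part of the original page: a passive sniffer with a few lines of parsing pulls the FTP login, the HTTP Basic header (base64 is encoding, not encryption) and the SNMPv1/v2c community string straight out of captured payloads. The three captured payloads are constructed; the SNMP message is a hand-built GetRequest for sysDescr with community "public".

```python
"""Harvest credentials from cleartext protocol payloads (constructed sample captures)."""
import base64
import re


def extract_ftp_credentials(payload: bytes):
    """FTP sends USER and PASS as plain commands on the control channel (TCP/21)."""
    user = re.search(rb"(?m)^USER (\S+)", payload)
    pw = re.search(rb"(?m)^PASS (\S+)", payload)
    return (user.group(1).decode(), pw.group(1).decode()) if user and pw else None


def extract_http_basic(payload: bytes):
    """HTTP Basic: 'Authorization: Basic base64(user:password)', readable by anyone on the path."""
    m = re.search(rb"(?mi)^Authorization: Basic ([A-Za-z0-9+/=]+)", payload)
    if not m:
        return None
    user, _, pw = base64.b64decode(m.group(1)).decode().partition(":")
    return user, pw


def _ber_tlv(buf: bytes, off: int):
    """Decode one BER tag-length-value at `off`; supports short and long-form lengths."""
    tag, length = buf[off], buf[off + 1]
    off += 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    return tag, buf[off:off + length], off + length


def extract_snmp_community(payload: bytes):
    """SNMPv1/v2c Message ::= SEQUENCE { version INTEGER, community OCTET STRING, pdu }.
    The community string is the whole 'password'. SNMPv3 (version 3) is structured
    differently and is deliberately not parsed here."""
    tag, body, _ = _ber_tlv(payload, 0)
    if tag != 0x30:
        return None
    tag, ver, off = _ber_tlv(body, 0)
    if tag != 0x02:
        return None
    version = {0: "v1", 1: "v2c"}.get(int.from_bytes(ver, "big"))
    if version is None:
        return None
    tag, community, _ = _ber_tlv(body, off)
    return (version, community.decode()) if tag == 0x04 else None


def harvest_credentials(streams):
    """streams: iterable of (dst_port, payload bytes). Returns [(protocol, finding), ...]."""
    found = []
    for port, payload in streams:
        if port == 21 and (c := extract_ftp_credentials(payload)):
            found.append(("ftp", c))
        elif port == 80 and (c := extract_http_basic(payload)):
            found.append(("http-basic", c))
        elif port == 161 and (c := extract_snmp_community(payload)):
            found.append(("snmp", c))
    return found


# Constructed captures: an FTP control session, an HTTP request, and an SNMPv1 GetRequest.
SAMPLE_STREAMS = [
    (21, b"220 ftp ready\r\nUSER alice\r\n331 Password required\r\nPASS hunter2\r\n230 Logged in\r\n"),
    (80, b"GET /admin HTTP/1.1\r\nHost: intranet.example\r\nAuthorization: Basic YWxpY2U6aHVudGVyMg==\r\n\r\n"),
    (161, bytes.fromhex(
        "3029"                      # Message SEQUENCE, 41 bytes
        "020100"                    # version INTEGER 0 = SNMPv1
        "04067075626c6963"          # community OCTET STRING "public"
        "a01c"                      # GetRequest-PDU, 28 bytes
        "020400000001"              # request-id 1
        "020100" "020100"           # error-status 0, error-index 0
        "300e300c"                  # VarBindList / VarBind
        "06082b06010201010100"      # OID 1.3.6.1.2.1.1.1.0 (sysDescr.0)
        "0500")),                   # NULL value
]

if __name__ == "__main__":
    for proto, finding in harvest_credentials(SAMPLE_STREAMS):
        print(f"{proto}: {finding}")
```

Telnet is absent only because its credentials arrive one keystroke per segment and need TCP stream reassembly first; the outcome is the same. The fix is the encrypted counterpart in each case (SFTP/FTPS, HTTPS, SSH, SNMPv3 with authPriv), not a stronger password.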
- TEMPEST/RF emanation
- Electronic equipment unintentionally emits RF signals (compromising emanations)
- Monitors, phones, radios, cameras, keyboards and cables
- With the right equipment those signals can be captured remotely and the data (e.g. a screen image) reconstructed
- TEMPEST refers both to the spying technique and to the protective standards (shielding, filtering, separation) against RF emanation
- Originated as a US NSA standard; NATO maintains an equivalent specification
- Certification of shielded equipment and facilities is available
- Codename: "TEMPEST" wiki article