
CEH Hacker Attack Types


Another area for memorization in our stroll through this introduction concerns the various types of attacks a hacker could attempt. Most of these are fairly easy to identify and seem, at times, fairly silly to even categorize. After all, do you care what the attack type is called if it works for you? For this exam, EC-Council broadly defines all these attack types in four categories.

  Operating system (OS) attacks   Generally speaking, these attacks target the common mistake many people make when installing operating systems—accepting and leaving all the defaults. Administrator accounts with no passwords, all ports left open, and guest accounts (the list could go on forever) are examples of settings the installer may forget about. Additionally, operating systems are never released fully secure—they can’t be, if you ever plan on releasing them within a timeframe of actual use—so the potential for an old vulnerability in newly installed operating systems is always a plus for the ethical hacker.

  Application-level attacks   These are attacks on the actual programming code and software logic of an application. Although most people are cognizant of securing their OS and network, it’s amazing how often they discount the applications running on their OS and network. Many applications on a network aren’t tested for vulnerabilities as part of their creation and, as such, have many vulnerabilities built into them. Applications on a network are a gold mine for most hackers.

  Shrink-wrap code attacks   These attacks take advantage of the built-in code and scripts most off-the-shelf applications come with. The old refrain “Why reinvent the wheel?” is often used to describe this attack type. Why spend time writing code to attack something when you can buy it already “shrink-wrapped”? These scripts and code pieces are designed to make installation and administration easier but can lead to vulnerabilities if not managed appropriately.

  Misconfiguration attacks   These attacks take advantage of systems that are, on purpose or by accident, not configured appropriately for security. Remember the triangle earlier and the maxim “As security increases, ease of use and functionality decrease”? This type of attack takes advantage of the administrator who simply wants to make things as easy as possible for the users. Perhaps to do so, the admin will leave security settings at the lowest possible level, enable every service, and open all firewall ports. It’s easier for the users but creates another gold mine for the hacker.

Smurf and SYN Flood Attacks



A smurf attack sends a large amount of ICMP Echo (ping) traffic to a broadcast IP address with the spoofed source address of a victim. Each secondary victim's host on that IP network replies to the ICMP Echo request with an Echo reply, multiplying the traffic by the number of hosts responding. On a multiaccess broadcast network, hundreds of machines might reply to each packet. This creates a magnified DoS attack of ping replies, flooding the primary victim. IRC servers are the primary victim of smurf attacks on the Internet.
A SYN flood attack sends TCP connection requests faster than a machine can process them. The attacker creates a random source address for each packet and sets the SYN flag to request a new connection to the server from the spoofed IP address. The victim responds to the spoofed IP address and then waits for the TCP confirmation that never arrives. Consequently, the victim's connection table fills up waiting for replies; after the table is full, all new connections are ignored. Legitimate users are ignored as well and can't access the server.
A SYN flood attack can be detected through the use of the netstat command. An example of the netstat output from a system under a SYN flood is shown in Figure 1.

Figure 1: netstat output under a SYN flood attack (image not included)
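As an added example (not from the original post), the netstat check described above can be automated. The block parses a constructed `netstat -n` listing and flags any local port with an unusual number of SYN_RECV (half-open) entries; many distinct foreign addresses each holding one half-open connection is the signature of the spoofed random sources described in the text. The sample output and the threshold are assumptions.

```python
import re
from collections import Counter

# Constructed sample of `netstat -n` output (not the page's Figure 1): a web
# server with a burst of half-open connections from many different sources.
SAMPLE_NETSTAT = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:22             10.0.0.9:51234          ESTABLISHED
tcp        0      0 10.0.0.5:80             198.51.100.7:4123       SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.44:1025       SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.45:1025       SYN_RECV
tcp        0      0 10.0.0.5:80             198.51.100.200:3301     SYN_RECV
tcp        0      0 10.0.0.5:80             192.0.2.17:40001        SYN_RECV
tcp        0      0 10.0.0.5:80             192.0.2.18:40002        SYN_RECV
tcp        0      0 10.0.0.5:80             10.0.0.9:51300          ESTABLISHED
"""

# One TCP row: proto, queues, local ip:port, foreign ip:port, state (IPv4 only).
LINE_RE = re.compile(r"^tcp6?\s+\d+\s+\d+\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)$")

def parse_netstat(text):
    """Yield (local_port, foreign_ip, state) for each TCP connection row."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield int(m.group(2)), m.group(3), m.group(5)

def syn_recv_summary(text, threshold=5):
    """Count half-open connections per local port and flag ports at or above
    the threshold. distinct_sources close to half_open means the sources are
    not repeating, as expected when each SYN carries a random spoofed address."""
    per_port = Counter()
    sources = {}
    for port, ip, state in parse_netstat(text):
        if state == "SYN_RECV":
            per_port[port] += 1
            sources.setdefault(port, set()).add(ip)
    return {
        port: {"half_open": n,
               "distinct_sources": len(sources[port]),
               "flagged": n >= threshold}
        for port, n in per_port.items()
    }

if __name__ == "__main__":
    for port, info in syn_recv_summary(SAMPLE_NETSTAT).items():
        print(f"port {port}: {info}")
```

On a real host the text is simply the output of `netstat -n` (the `ss -tan` state is `SYN-RECV`, so adjust the comparison if you feed it that tool's output).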
Here are some of the methods used to prevent SYN flood attacks:
  • SYN Cookies SYN cookies ensure the server does not allocate system resources until a successful three-way handshake has been completed.
  • RST Cookies Essentially the server responds to the client SYN frame with an incorrect SYN ACK. The client should then generate an RST packet telling the server that something is wrong. At this point, the server knows the client is valid and will now accept incoming connections from that client normally.
  • Micro Blocks Micro blocks prevent SYN floods by allocating only a small space in memory for the connection record. In some cases, this memory allocation is as small as 16 bytes.
  • Stack Tweaking This method involves changing the TCP/IP stack to prevent SYN floods. Techniques of stack tweaking include selectively dropping incoming connections or reducing the timeout when the stack will free up the memory allocated for a connection.
In Exercise 1, you will learn how to prevent SYN flood attacks on Windows 2000 servers.
Exercise 1: Preventing SYN Flood Attacks on Windows 2000 Servers

  1. Run the Windows Registry editor by clicking Start → Run and typing Regedit.
  2. Navigate to the HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters Registry key.
  3. Add the SynAttackProtect=2 DWORD value to the Registry key.
  4. Close the regedit program.
This change will allow the operating system to handle more SYN requests. When the value of SynAttackProtect is 2, Windows delays the creation of a socket until the three-way handshake is completed. This change will effectively prevent SYN flood attacks from tying up resources on a Windows server.

NetBIOS DoS Attacks



A NetBIOS denial-of-service (DoS) attack sends a NetBIOS Name Release message to the NetBIOS Name Service on a target Windows system and forces the system to place its name in conflict so that the name can no longer be used. This essentially blocks the client from participating in the NetBIOS network and creates a network DoS for that system.
Another way to create a more secure and memorable password is to follow a repeatable pattern, which will enable the password to be re-created when needed.
  1. Start with a memorable phrase, such as
    • Maryhadalittlelamb
  2. Change every other character to uppercase, resulting in
    • MaRyHaDaLiTtLeLaMb
  3. Change a to @ and i to 1 to yield
    • M@RyH@D@L1TtLeL@Mb
  4. Drop every other pair to result in a secure repeatable password of
    • M@H@L1LeMb
Now you have a password that meets all the requirements, yet can be "remade" if necessary.
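The four-step pattern above, carried out in code as an added example (not part of the original post). The complexity rule checked at the end is an assumption, since the post does not list the requirements it has in mind.

```python
import string

def pattern_password(phrase):
    """Apply the four steps from the text to a memorable phrase."""
    s = phrase.replace(" ", "")                            # step 1: the phrase itself
    s = "".join(c.upper() if i % 2 == 0 else c             # step 2: every other character uppercase
                for i, c in enumerate(s))
    s = s.replace("a", "@").replace("i", "1")              # step 3: a -> @ and i -> 1
    s = "".join(s[i:i + 2] for i in range(0, len(s), 4))   # step 4: drop every other pair
    return s

def meets_complexity(pw, min_len=8):
    """Assumed requirement set: minimum length plus an upper-case letter,
    a lower-case letter, a digit and a punctuation character."""
    classes = (string.ascii_uppercase, string.ascii_lowercase,
               string.digits, string.punctuation)
    return len(pw) >= min_len and all(any(c in cls for c in pw) for cls in classes)

if __name__ == "__main__":
    pw = pattern_password("Maryhadalittlelamb")
    print(pw, meets_complexity(pw))
```

Because the result is fully determined by the phrase and the (public) pattern, the strength of the password rests on the phrase alone; treat the phrase as the secret.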

Redirecting the SMB Logon to the Attacker



Another way to discover passwords on a network is to redirect the Server Message Block (SMB) logon to an attacker's computer so that the passwords are sent to the hacker. In order to do this, the hacker must sniff the NTLM responses from the authentication server and trick the victim into attempting Windows authentication with the attacker's computer. A common technique is to send the victim an email message with an embedded link to a fraudulent SMB server. When the link is clicked, the user unwittingly sends their credentials over the network.
  • SMBRelay An SMB server that captures usernames and password hashes from incoming SMB traffic. SMBRelay can also perform man-in-the-middle (MITM) attacks.
  • SMBRelay2 Similar to SMBRelay but uses NetBIOS names instead of IP addresses to capture usernames and passwords.
  • pwdump2 A program that extracts the password hashes from a SAM file on a Windows system. The extracted password hashes can then be run through L0phtCrack to break the passwords.
  • Samdump Another program that extracts NTLM hashed passwords from a SAM file.
  • C2MYAZZ A spyware program that makes Windows clients send their passwords as cleartext. It displays usernames and their passwords as users attach to server resources.

Types of Social Engineering Attacks



Social engineering can be broken into two common types:
  • Human-Based Human-based social engineering refers to person-to-person interaction to retrieve the desired information. An example is calling the help desk and trying to find out a password.
  • Computer-Based Computer-based social engineering refers to having computer software that attempts to retrieve the desired information. An example is sending a user an email and asking them to reenter a password in a web page to confirm it. This social-engineering attack is also known as phishing.
We'll look at each of these more closely in the following sections.

Human-Based Social Engineering

Human-based social engineering techniques can be broadly categorized as follows:
  • Impersonating an Employee or Valid User In this type of social-engineering attack, the hacker pretends to be an employee or valid user on the system. A hacker can gain physical access by pretending to be a janitor, employee, or contractor. Once inside the facility, the hacker gathers information from trashcans, desktops, or computer systems.
  • Posing as an Important User In this type of attack, the hacker pretends to be an important user such as an executive or high-level manager who needs immediate assistance to gain access to a computer system or files. The hacker uses intimidation so that a lower-level employee such as a help desk worker will assist them in gaining access to the system. Most low-level employees won't question someone who appears to be in a position of authority.
  • Using a Third Person Using the third-person approach, a hacker pretends to have permission from an authorized source to use a system. This attack is especially effective if the supposed authorized source is on vacation or can't be contacted for verification.
  • Calling Technical Support Calling tech support for assistance is a classic social-engineering technique. Help desk and technical support personnel are trained to help users, which makes them good prey for social-engineering attacks.
  • Shoulder Surfing Shoulder surfing is a technique of gathering passwords by watching over a person's shoulder while they log in to the system. A hacker can watch a valid user log in and then use that password to gain access to the system.
  • Dumpster Diving Dumpster diving involves looking in the trash for information written on pieces of paper or computer printouts. The hacker can often find passwords, filenames, or other pieces of confidential information.
A more advanced method of gaining illicit information is known as reverse social engineering. Using this technique, a hacker creates a persona that appears to be in a position of authority so that employees ask the hacker for information, rather than the other way around. For example, a hacker can impersonate a help desk employee and get the user to give them information such as a password.


Computer-Based Social Engineering

Computer-based social-engineering attacks can include the following:
  • Email attachments
  • Fake websites
  • Pop-up windows

Insider Attacks

If a hacker can't find any other way to hack an organization, the next best option is to infiltrate the organization by getting hired as an employee or finding a disgruntled employee to assist in the attack. Insider attacks can be powerful because employees have physical access and are able to move freely about the organization. An example might be someone posing as a delivery person by wearing a uniform and gaining access to a delivery room or loading dock. Another possibility is someone posing as a member of the cleaning crew who has access to the inside of the building and is usually able to move about the offices. As a last resort, a hacker might bribe or otherwise coerce an employee to participate in the attack by providing information such as passwords.

Identity Theft

A hacker can pose as an employee or steal the employee's identity to perpetrate an attack. Information gathered in dumpster diving or shoulder surfing in combination with creating fake ID badges can gain the hacker entry into an organization. Creating a persona that can enter the building unchallenged is the goal of identity theft.

Phishing Attacks

Phishing involves sending an email, usually posing as a bank, credit card company, or other financial organization. The email requests that the recipient confirm banking information or reset passwords or PINs. The user clicks the link in the email and is redirected to a fake website. The hacker is then able to capture this information and use it for financial gain or to perpetrate other attacks. Emails that claim the senders have a great amount of money but need your help getting it out of the country are examples of phishing attacks. These attacks prey on the common person and are aimed at getting them to provide bank account access codes or other confidential information to the hacker.

Online Scams

Some websites that make free offers or other special deals can lure a victim to enter a username and password that may be the same as those they use to access their work system. The hacker can use this valid username and password once the user enters the information in the website form.
Mail attachments can be used to send malicious code to a victim's system, which could automatically execute something like a software keylogger to capture passwords. Viruses, Trojans, and worms can be included in cleverly crafted emails to entice a victim to open the attachment. Mail attachments are considered a computer-based social-engineering attack.
Here is an example of an email that tries to convince the receiver to open an unsafe attachment:
Mail server report.
    Our firewall determined the e-mails containing worm copies are being sent from your computer.
    Nowadays it happens from many computers, because this is a new virus type (Network Worms).
    Using the new bug in the Windows, these viruses infect the computer unnoticeably.
    After the penetrating into the computer the virus harvests all the e-mail addresses and sends the
    copies of itself to these e-mail addresses
    Please install updates for worm elimination and your computer restoring.
    Best regards,
    Customer support service
Pop-up windows can also be used in computer-based social-engineering attacks, in a similar manner to email attachments. Pop-up windows with special offers or free stuff can encourage a user to unintentionally install malicious software.

URL Obfuscation

The URL (uniform resource locator) is commonly used in the address bar of a web browser to access a particular website. In lay terms, it is the website address. URL obfuscation consists of hiding a fake URL in what appears to be a legitimate website address. For example, a website of 204.13.144.2/Citibank may appear to be a legitimate web address for Citibank but in fact is not. URL obfuscation is used in phishing attacks and some online scams to make the scam seem more legitimate. A website address may be seen as an actual financial institution name or logo, but the link leads to a fake website or IP address. When users click the link, they're redirected to the hacker's site.
Addresses can be obfuscated in malicious links by the use of hexadecimal or decimal notations. For example, the address 192.168.10.5 looks like 3232238085 as a decimal. The same address looks like C0A80A05 in IP hex. This conversion requires that you divide 3232238085 by 16 multiple times. Each time the remainder reveals the address, starting from the least significant value.
Here's the explanation:
  • 3232238085/16 = 202014880.3125 (.3125 × 16 = 5)
  • 202014880/16 = 12625930.0 (.0 × 16 = 0)
  • 12625930/16 = 789120.625 (.625 × 16 = 10 = A)
  • 789120/16 = 49320.0 (.0 × 16 = 0)
  • 49320.0/16 = 3082.5 (.5 × 16 = 8)
  • 3082/16 = 192.625 (.625 × 16 = 10 = A)
  • 192/16 = 12.0 (.0 × 16 = 0)
  • 12 = C
Reading the hex digits from the last step back to the first gives C0A80A05.
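An added example (not from the original post) that carries the conversion above through in both directions: it packs a dotted-quad address into the decimal form, reproduces the repeated division by 16 to obtain the hex digits, and, from the defender's side, turns a decimal or hex host found in a link back into dotted-quad form so the real destination can be compared with the brand the link claims. Only the decimal and hex forms named in the text are handled.

```python
def ipv4_to_int(dotted):
    """Pack a dotted-quad address into its 32-bit integer (the decimal form)."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {dotted!r}")
    value = 0
    for o in octets:
        value = value * 256 + o
    return value

def hex_digits_by_division(value):
    """Repeat the text's method: divide by 16 until the quotient is zero and
    record each remainder as a hex digit, least significant first."""
    digits = "0123456789ABCDEF"
    remainders = []
    while value > 0:
        value, rem = divmod(value, 16)
        remainders.append(digits[rem])
    return remainders

def int_to_hex(value):
    """Hex form of the address, read from the last remainder back to the first."""
    return "".join(reversed(hex_digits_by_division(value))).rjust(8, "0")

def int_to_ipv4(value):
    """Unpack a 32-bit integer back into dotted-quad form."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError(f"not a 32-bit address: {value}")
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def decode_host(host):
    """Normalise the host part of a link: a bare decimal number or a 0x-prefixed
    hex number is an obfuscated IPv4 address; anything else is returned as-is."""
    h = host.lower()
    if h.startswith("0x"):
        return int_to_ipv4(int(h[2:], 16))
    if h.isdigit():
        return int_to_ipv4(int(h))
    return host

if __name__ == "__main__":
    n = ipv4_to_int("192.168.10.5")
    print(n, hex_digits_by_division(n), int_to_hex(n), decode_host("3232238085"))
```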
