OWASP API Top 10
Kerberos! (I’m still floored that Active Directory uses hashes for actual authentication, rather than as a check that valid authentication credentials have been supplied.)
Of course, other things can use hashes in this way. TL;DR is to just not compute password hashes client-side - these should always be a check that is performed server side!
Initialization Vector (IV) Attack: Gather encrypted packets, and then use statistical techniques to derive the initial encryption key (thus breaking the security of the connection being analyzed). Only works if the network’s cryptography is vulnerable to it (WEP).
“Bluejacking” involves trying to trick the target into accepting incoming bluetooth messages (does anything actually accept unsolicited bluetooth connections these days?). This can lead to “bluesnarfing”, where the attacker actually tricks the target into pairing with the malicious bluetooth device, allowing for data exfiltration or manipulation.
NFC is a species of RFID, but RFID is not NFC (much older, more broadly used, protocol). (NFC chips combine both the “reader” and “tag” functionality of RFIDs.) RFIDs come in “active” and “passive” varieties, distinguished by whether they contain their own power source (or are powered by the reader).
A.k.a. the good old man-in-the-middle (MITM) attack. Best prevented with encryption, tight session and device management, and strict (physical) access controls.
Proxies are legitimate man-in-the-middle boxes.
A more common variation is “man-in-the-browser” (MITB), which involves compromising the target’s browser to act as the attacker’s proxy. Typically MITB attacks are delivered via trojans.
As in, attacks that operate on the link layer. Examples:
Defenses against ARP poisoning include pre-associating known MAC addresses with IPs in client ARP tables, and configuring switches such that MAC addresses are (pre) bound to a single port. Also, IDS.
A URL Redirection Attack involves an attacker using legitimate (but poorly locked-down) redirect functionality to redirect a user from a (seemingly) legitimate URL to an attacker-controller URL. Basically another species of improper input handling.
I found the explanation of DNS cache poisoning in Exam Cram somewhat confusing. Cloudflare’s is much clearer, and highlights that the underlying vulnerability is the lack of a full handshake with UDP packets. This means that all the attacker needs to do is respond to a DNS lookup from a recursive server using a forged reply before the legitimate authoritative server can respond. So this is both a species of MITM attack, and a race condition of sorts (in the sense that the attacker is racing the actual authoritative server, which I will acknowledge is not normally how “race condition” is used).
The main defenses against DNS cache poisoning are DNSSEC and limiting which domains local DNS servers will resolve.
Be aware that most DoS attacks will use “reflection”, where the attacker substitutes a third-party IP address for the packet source. The idea here is not only for the attacker to mask their own identity, but to trick the system receiving the malicious packets to do the DoS attack for the attacker! This is particularly useful when the spoofed packet is sent to a DNS or NTP server, which may respond with a much larger packet than the attacker’s (forged) request, thus amplifying the attack. Reflection and amplification basically require the use of UDP.
DoS attacks can also be made against the application layer. While such an attack is more expensive for the attacker, it’s also generally (much) more expensive for the victim.
Exam Cram indicates that the Security+ questions may consider the following indicative of a DoS attack (though, IMHO, only the last is clear-cut):
Filtering and DoS mitigation services are your best defense here.
Macro viruses and file-less malware, again.
Injection: Supplying some type of untrusted input.
Throw it [the target system] input, and see what happens. See if it breaks. And how does it break? That’s what’s important.
- Dan Lowrie
Terms likely to appear on the Security+ test:
Types of cross-site scripting (XSS):
Cross-site request forgery is very similar to reflected XSS (almost a subspecies), in that a target is induced to click on a link on one website (maybe webmail) that causes an action of the attacker’s choice to be taken on another website that the target is currently logged into.
Server-side request forgery induces a server to communicate with another server in an unauthorized fashion. This is mostly about firewall bypass.
Basically, cross-site request forgery abuses the trust relationship between the user and the server, while server-side request forgery abuses the trust relationship between different servers (typically frontend and backend).
Replay Attack: The retransmission (and potential modification) of a transmission of data.
Pass-the-hash is a specific type of replay attack.
Sequence numbers, nonces, and timestamps can help guard against replay attacks by making replayed packets easy to recognize. (Note that TCP already includes sequence numbers and timestamps, though only IPSEC seems to actually do things with these.)
Keep in mind that DNS cache poisoning can be applied to a machine’s local DNS cache by malware, in addition to intercepting/spoofing the conversation between the recursive and authoritative DNS servers.
DNS Hijacking: An attacker manipulates the target’s preferred (local) DNS servers (perhaps via malware) to point to a malicious DNS server rather than a (legitimate) organizational or ISP server.
Domain hijacking is then about actually compromising the domain record (via the registrar or, more likely, a compromised user account). So, the really bad one.
Display current Windows DNS settings:
ipconfig /displaydns | more
(SIDE NOTE: So, it turns out that Windows has a
more command, and you can pipe things to it!)
Flush local DNS cache on Windows:
A reminder of where various bits of network hardware sit in the OSI model:
You can examine the ARP cache in Windows using
Physical denial of service attack: Block the heat exchangers in a data center.
Types of D/DoS attacks:
Hybrid attacks are also possible (technically an amplified attack is already a hybrid attack).
The key to preventing MITM attacks is really just to use encrypted protocols. (The key to preventing MITB attacks is to… well… avoid getting infected.)
SIDE NOTE: The “Follow” option in Wireshark’s right-click menu displays all of the packets related to a particular connection/session. This is particularly powerful when used against plain text protocols, as it allows the entire conversation to be easily reverse engineered.
The “initialization vector” (IV) is basically a “salt” (sometimes also called a nonce) that’s added to data on a wireless network to help prevent cryptanalysis. IVs were easy to attack on WEP, but WPA lengthened the IV and added some other controls that make these attacks much less feasible.
The most common attack against RFID is cloning. Typically used to gain access to secure sites (by cloning badges).
One NFC attack that wasn’t mentioned in the Exam Cram (which seemed to treat NFC attacks as mostly theoretical) is a relay attack, in which the victim is tricked into starting an NFC transaction with a malicious device that then relays that transaction to a second device which then interacts with a second target. For example, kicking off a payment transaction between the target device and a terminal in another location. (That said, as far as I’m aware this is still all pretty theoretical, and this attack would seem to require some degree of target interaction given the NFC approval flow on most smartphones…)
ITPro.TV defines “bluejacking” as the interception of bluetooth communications, and “bluesnarfing” as the insertion of additional commands in an existing bluetooth communication stream. This is a significantly different take than the Exam Cram.