ITPro.TV: CompTIA Security+ (SY0-601)

author: Nathan Acks
date: 2022-02-27

CompTIA Security+ Exam Cram

Introduction to Application Attacks

It looks like this section will cover attacks on both local and web-based applications.

Race Conditions

Example: Time-of-check to time-of-use (TOCTOU).

Null pointer errors (when an application dereferences a pointer that it later expects to be valid) can be caused by race conditions. Race conditions can also by exploited in some cases for privilege escalation (for example, CVE 2021-3560).

Improper Software Handling

This section lumps together oversights in input and error handling. These (sometimes in combination) are a big part of what I’ve studied so far w.r.t. penetration testing (SQL injection comes to mind here as an immediate example that can have aspects of both improper input and error handling).

Resource Exhaustion

Mostly about denial of service.

Example: Memory leaks.

Overflows

Buffer overflows: When an application attempts to write more data into a space (normally a variable in memory) than has been allocated to it. For example, CVE 2021-4034.

Integer overflow: Writing a larger integer into a variable than there are allocated (binary) digits. The ultimate impact of an integer overflow depends on whether the variable ultimately stores the first/high or last/low set of “good” bits. (I’ve almost always seen overflows result in the variable taking the low set of bits - typified by roll-overs to zero - but apparently in some cases the high bits are stored instead.)

Code Injections

RCE via buffer overflow typically results in code that’s executed outside of the context of the target application. Code injection, by contrast, is about running code within the context of the target application.

Examples:

It’s also sometimes possible to conduct SQL injection-like attacks against LDAP servers. And, of course, there’s dynamic library injection in general.

The through-line for these attacks on the web is lack of proper input validation. Locally, it’s about manipulating otherwise legitimate features (dynamic library loading) once a toehold has already been established.

Code signing is a guard against malicious dynamic libraries. As is compiling everything statically (which is not always possible, and has its own drawbacks).

Cram Exam implies that the Security+ exam will generally ask about code injection attacks in the context of a particular system, which should clue you in to which kind of attack is being used.

Driver Manipulation

Examples:

As with dynamic library attacks, code signing is really the only way to guard against these attack. (Well, maybe also monolithic kernels, but then you can’t support devices you didn’t plan for from the get-go!)

Request Forgeries

Cross-site request forgeries (CSRF/XSRF) is about using a malicious URL to cause an action to be taken on behalf of legitimately signed-in users. This URL might point to the target site directly, or might reflect through another (potentially attacker-controlled) site, exploiting improperly scoped authentication cookies.

Server-side request forgeries (SSRF) are about using malicious URLs to trick a server into disclosing data or executing commands outside of its normal context. For example, this could be about tricking a web server to make a request to another server behind a firewall that the attacker doesn’t have direct access to. Local file inclusion (LFI) attacks are a species of SSRF.

While CSRF is about exploiting the trust between a server and one of its users, SSRF is about exploiting the trust relationship between (or within) servers.

Directory Traversal

Local file inclusion (and friends), again.

Note that Exam Cram seems to imply that the Security+ test will make a distinction between the ability to access the server’s filesystem in unexpected ways (directory traversal) and the ability to access restricted portions of an application (privilege escalation).

Replay Attack

This is about replaying previous requests, possibly with altered data. Think Burp Suite’s “repeater” module.

Session replay attacks are a variation of this where a session cookie is intercepted and presented again to a web server in order to gain the access of the authenticated user.

Replay attacks can be guarded against by using nonces, timestamps (though I’d personally be wary of this - seems like asking for a race condition), or rapidly rotating identifiers (such as a session cookie that is replaced with every request).

Apparently, some web apps accept session ID GET parameters before a user is even logged in. This means that if a target is induced to click on a link containing such a parameter, then the attacker will be able to use the same link (with the attacker-supplied session parameter) to log in as if they were the user! ☠️

Secure Sockets Layer (SSL) Stripping

A species of man-in-the-middle attack where the attacker terminates the SSL connection on a server they control and then presents an unencrypted connection to the target user. Less common these days, what with HSTS and browsers making initial connections over HTTPS instead of HTTP.

Application Programming Interface (API) Attacks

There isn’t really anything new here - this is all the same set of vulnerabilities we’ve always been working with, just over a much larger playing field (and with laxer development standards).

Pass-the-Hash Attack

Kerberos! (I’m still floored that Active Directory uses hashes for actual authentication, rather than as a check that valid authentication credentials have been supplied.)

Of course, other things can use hashes in this way. TL;DR is to just not compute password hashes client-side - these should always be a check that is performed server side!

Wireless

Initialization Vector (IV) Attack: Gather encrypted packets, and then use statistical techniques to derive the initial encryption key (thus breaking the security of the connection being analyzed). Only works if the network’s cryptography is vulnerable to it (WEP).

“Bluejacking” involves trying to trick the target into accepting incoming bluetooth messages (does anything actually accept unsolicited bluetooth connections these days?). This can lead to “bluesnarfing”, where the attacker actually tricks the target into pairing with the malicious bluetooth device, allowing for data exfiltration or manipulation.

NFC is a species of RFID, but RFID is not NFC (much older, more broadly used, protocol). (NFC chips combine both the “reader” and “tag” functionality of RFIDs.) RFIDs come in “active” and “passive” varieties, distinguished by whether they contain their own power source (or are powered by the reader).

On-Path Attack

A.k.a. the good old man-in-the-middle (MITM) attack. Best prevented with encryption, tight session and device management, and strict (physical) access controls.

Proxies are legitimate man-in-the-middle boxes.

A more common variation is “man-in-the-browser” (MITB), which involves compromising the target’s browser to act as the attacker’s proxy. Typically MITB attacks are delivered via trojans.

Layer 2 Attacks

As in, attacks that operate on the link layer. Examples:

Defenses against ARP poisoning include pre-associating known MAC addresses with IPs in client ARP tables, and configuring switches such that MAC addresses are (pre) bound to a single port. Also, IDS.

Domain Name System (DNS) Attacks

A URL Redirection Attack involves an attacker using legitimate (but poorly locked-down) redirect functionality to redirect a user from a (seemingly) legitimate URL to an attacker-controller URL. Basically another species of improper input handling.

I found the explanation of DNS cache poisoning in Exam Cram somewhat confusing. Cloudflare’s is much clearer, and highlights that the underlying vulnerability is the lack of a full handshake with UDP packets. This means that all the attacker needs to do is respond to a DNS lookup from a recursive server using a forged reply before the legitimate authoritative server can respond. So this is both a species of MITM attack, and a race condition of sorts (in the sense that the attacker is racing the actual authoritative server, which I will acknowledge is not normally how “race condition” is used).

The main defenses against DNS cache poisoning are DNSSEC and limiting which domains local DNS servers will resolve.

Denial of Service

Be aware that most DoS attacks will use “reflection”, where the attacker substitutes a third-party IP address for the packet source. The idea here is not only for the attacker to mask their own identity, but to trick the system receiving the malicious packets to do the DoS attack for the attacker! This is particularly useful when the spoofed packet is sent to a DNS or NTP server, which may respond with a much larger packet than the attacker’s (forged) request, thus amplifying the attack. Reflection and amplification basically require the use of UDP.

DoS attacks can also be made against the application layer. While such an attack is more expensive for the attacker, it’s also generally (much) more expensive for the victim.

Exam Cram indicates that the Security+ questions may consider the following indicative of a DoS attack (though, IMHO, only the last is clear-cut):

Filtering and DoS mitigation services are your best defense here.

Malicious Code and Script Execution

Macro viruses and file-less malware, again.

ITPro.TV: CompTIA Security+ (SY0-601)

Application Attacks - Injections

Injection: Supplying some type of untrusted input.

Throw it [the target system] input, and see what happens. See if it breaks. And how does it break? That’s what’s important.

  • Dan Lowrie

Application Attacks - System Resources

System resources:

Terms likely to appear on the Security+ test:

Application Attacks - XSS And XSRF

Types of cross-site scripting (XSS):

Cross-site request forgery is very similar to reflected XSS (almost a subspecies), in that a target is induced to click on a link on one website (maybe webmail) that causes an action of the attacker’s choice to be taken on another website that the target is currently logged into.

Server-side request forgery induces a server to communicate with another server in an unauthorized fashion. This is mostly about firewall bypass.

Basically, cross-site request forgery abuses the trust relationship between the user and the server, while server-side request forgery abuses the trust relationship between different servers (typically frontend and backend).

Application Attacks - Replay Attacks

Replay Attack: The retransmission (and potential modification) of a transmission of data.

Pass-the-hash is a specific type of replay attack.

Sequence numbers, nonces, and timestamps can help guard against replay attacks by making replayed packets easy to recognize. (Note that TCP already includes sequence numbers and timestamps, though only IPSEC seems to actually do things with these.)

Network Attacks - DNS Attacks

Keep in mind that DNS cache poisoning can be applied to a machine’s local DNS cache by malware, in addition to intercepting/spoofing the conversation between the recursive and authoritative DNS servers.

DNS Hijacking: An attacker manipulates the target’s preferred (local) DNS servers (perhaps via malware) to point to a malicious DNS server rather than a (legitimate) organizational or ISP server.

Domain hijacking is then about actually compromising the domain record (via the registrar or, more likely, a compromised user account). So, the really bad one.

Display current Windows DNS settings:

ipconfig /displaydns | more

(SIDE NOTE: So, it turns out that Windows has a more command, and you can pipe things to it!)

Flush local DNS cache on Windows:

ipconfig /flushdns

Network Attacks - Layer 2 Attacks

A reminder of where various bits of network hardware sit in the OSI model:

You can examine the ARP cache in Windows using arp -a.

Network Attacks - DoS And DDoS

Physical denial of service attack: Block the heat exchangers in a data center.

Types of D/DoS attacks:

Hybrid attacks are also possible (technically an amplified attack is already a hybrid attack).

Network Attacks - MiTM And MiTB

The key to preventing MITM attacks is really just to use encrypted protocols. (The key to preventing MITB attacks is to… well… avoid getting infected.)

SIDE NOTE: The “Follow” option in Wireshark’s right-click menu displays all of the packets related to a particular connection/session. This is particularly powerful when used against plain text protocols, as it allows the entire conversation to be easily reverse engineered.

Network Attacks - Wireless

The “initialization vector” (IV) is basically a “salt” (sometimes also called a nonce) that’s added to data on a wireless network to help prevent cryptanalysis. IVs were easy to attack on WEP, but WPA lengthened the IV and added some other controls that make these attacks much less feasible.

The most common attack against RFID is cloning. Typically used to gain access to secure sites (by cloning badges).

One NFC attack that wasn’t mentioned in the Exam Cram (which seemed to treat NFC attacks as mostly theoretical) is a relay attack, in which the victim is tricked into starting an NFC transaction with a malicious device that then relays that transaction to a second device which then interacts with a second target. For example, kicking off a payment transaction between the target device and a terminal in another location. (That said, as far as I’m aware this is still all pretty theoretical, and this attack would seem to require some degree of target interaction given the NFC approval flow on most smartphones…)

ITPro.TV defines “bluejacking” as the interception of bluetooth communications, and “bluesnarfing” as the insertion of additional commands in an existing bluetooth communication stream. This is a significantly different take than the Exam Cram.