335.1 - Common Security Vulnerabilities and Threats
Key Knowledge Areas:
- Conceptual understanding of threats against individual nodes
- Conceptual understanding of threats against networks
- Conceptual understanding of threats against application
- Conceptual understanding of threats against credentials and confidentiality
- Conceptual understanding of honeypots
The following is a partial list of the used files, terms and utilities:
- Trojans
- Viruses
- Rootkits
- Keylogger
- DoS and DDoS
- Man in the Middle
- ARP and NDP forgery
- Rogue Access Points, Routers and DHCP servers
- Link layer address and IP address spoofing
- Buffer Overflows
- SQL and Code Injections
- Cross Site Scripting
- Cross Site Request Forgery
- Privilege escalation
- Brute Force Attacks
- Rainbow tables
- Phishing
- Social Engineering
Terms
Trojan
Malware which misleads users by masking as a legitimate program while performing malicious actions.
Virus
Malware which replicates by embedding itself into other programs. Affected systems are referred to as “infected”, per the metaphor of the biological virus.
Rootkit
Collection of software which is designed to provide privileged access to a system from an otherwise unprivileged account. The term is made up of root (privileged account) + kit (software components).
Keylogger
Attack where key presses are logged by a keylogger (aka keystroke recorder). These logs are then targeted for extraction by the attacker. It is also known as: keystroke logging, keyboard capturing.
DoS / DDoS
Attack where resources are made unavailable to users by disruption. In a distributed denial of service (DDoS) attack malicous traffic is submitted from many distinct sources.
Man-in-the-middle
Attack where traffic between two parties who believe they are communicating directly is diverted and possibly altered through a third system. It is also known as: MITM, on-path attack.
ARP spoofing
Attack where the attacker sends spoofed ARP messages onto the network. The goal is to associate the attacker’s MAC address with the target’s IP address, thereby routing traffic destined for the target (e.g., default gateway) to the attacker instead. It is also known as: ARP cache poisoning, ARP poison routing.
NDP spoofing
Attack which is the IPv6 equivalent of ARP poisoning. The attacker submits forged Neighbor Advertisement (NA) messages claiming ownership of a target’s IPv6 address.
Rogue Access Point / Router
Wireless access point which is installed on a managed network without authorization from the network administrator.
DHCP server
DHCP server which is not controlled by the network administrator.
Link layer address / IP address spoofing
Several attacks on computer networks are related to link layer addresses:
- CAM table exhaustion: Content Address Tables map a network switch port to MAC addresses, this allows for an optimizing traffic flow through the network switch by only outputting traffic destinated for a specific MAC address on the port where that MAC address is mapped. This attack floods the network switch with MAC-to-port mappings until its mapping table memory is full. The network switch will then be unable to route traffic in optimized fashion and instead will forward all traffic to all its ports. This way an attacker can capture traffic from the wider network outside the segment of the attacker’s client.
- ARP spoofing: Address Resolution Protocol translates IP addresses to MAC addresses. Network switches maintain an IP-to-MAC mapping table which can be queried by another network switch or client. This attack submits the attacker’s MAC address together with the target’s IP address to adjust the IP-to-MAC mapping and receiving traffic for the target on the attacker’s client instead.
- DHCP starvation: Dynamic Host Configuration Protocol allows network clients to learn essential details of the network by submitting a generic request. The client will receive an IP address on a lease, and often also a gateway router address and name server address which it uses to access the wider network. This attack keeps requesting IP addresses from the DHCP server until its pool is exhausted. Afterwards no DHCP client will be able to obtain a lease from this DHCP server. This is a denial of service attack. On top of this a rogue DHCP server attack could be staged which can be used to route traffic to a system which is controlled by the attacker.
Wireless
Specific wireless network attacks include:
- hidden node: In a wireless network the nodes share a common medium (airspace). In order to avoid clashing traffic a client sends a Ready to Send (RTS) signal and awaits a Clear to Send (CTS) broadcast signal before it starts transmitting. This attack floods the network with CTS signals which cause clients to hold off on transmitting. This is a denial of service attack.
- de-auth: Wireless clients authenticate to an access point (AP) upon joining a network. When the client leaves the network it transmits a de-authentication request to the AP. This attack sends de-auth requests from the attacker’s client with a target client’s IP address, making the target disconnect. This causes the target client to re-authenticate and allows the attacker to study the authentication handshake.
Buffer Overflow
Anomaly where a program writes data beyond allocated memory and thus potentially interfering with another program’s memory.
SQL injection
Attack where a program fails to properly validate external data (e.g., user input) which causes it to interpret the data as database queries.
Code injection
Attack where a program fails to properly validate external data (e.g., user input) which causes it to interpret the data as executable commands.
Cross-site Scripting
Exploit of a web page to inject client-side scripting. It exploits the trust a user has for a particular site. It is also known as: XSS.
Cross-site Request Forgery
Exploit of a web application where unauthorized commands are submitted from a trusted user. It exploits the trust a web site has in a user’s browser. The attacker’s goal is to have a user unknowingly submit a malicious web request to a website the user accesses. It is also known as: one-click attack, session riding, CSRF or XSRF.
Privilege escalation
Exploit of a weakness in a computer system to gain elevated access to resources which are otherwise inaccessible.
Brute-force attack
Attack that attempts to guess a valid secret by submitting many inputs. It is also known as: exhaustive key search.
Rainbow table
A precomputed table for caching the outputs of a cryptographic hash function. It is commonly used to match hashed passwords to rainbow table entries, thus revealing the plain text password.
Phishing
A form of social engineering and scamming. Techniques and vectors include email spam, vishing (voice phishing), targeted phishing (spear phishing, whaling), smishing (SMS), quishing (QR code), cross-site scripting, and MiTM 2FA attacks.
Social Engineering
Use of psychological pressure to make people perform actions or share confidential information.
Notes
Honeypot
Security mechanism to detect, deflect, or counteract attempts at unauthorized use of computer systems by providing apparent legitimate data to lure attackers.