Security+ Guide to Network Security Fundamentals, Fifth Edition

Presentation transcript:

Chapter 3: Application and Networking-Based Attacks

Objectives
- List and explain the different types of server-side web application attacks
- Define client-side attacks
- Explain how overflow attacks work
- List different types of networking-based attacks

Conceptual Networked System
- A network is used to connect different clients and servers together
- Clients and servers run an operating system
- The operating system controls applications
- Applications manipulate data
- Each of these layers represents an attack vector to exploit
- Attacks on the applications in a networked computer system can be directed toward the server, the client, or both

Figure 3-1: Conceptual Networked Computer System. A larger network box contains a client box and a server box. Both the client and server boxes contain an operating system box, which in turn contains three application boxes, each with an internal data box.

Server-Side Web Application Attacks
- Content provided for users who are "surfing the Web" is generated by a software application running on a server
- In providing web services to clients, web servers also expose those same services to attackers
- An important characteristic of server-side web applications is that they create dynamic content based on inputs from the user

Server-Side Web Application Process
- The client's web browser makes a request using the Hypertext Transport Protocol (HTTP) to a web server
- The web server may be connected to one or more web application servers
- Application servers run the specific "web apps," which in turn are directly connected to databases on the internal network
- Information from the databases is retrieved and returned to the web server so that dynamic information can be sent back to the user's web browser

Figure 3-2: Server-Side Web Application Infrastructure. A client computer at the far left is connected by arrows of HTTP traffic to a web server. Arrows connect the web server to three app servers, each of which is connected to its own database.

Securing Web Applications
- Securing server-side web applications is often considered more difficult than protecting other systems
- Traditional network security devices cannot always block web application attacks, because many of them ignore the content of HTTP traffic, which is the vehicle of web application attacks

Zero Day Attacks
- Many web application attacks (as well as other application attacks) exploit previously unknown vulnerabilities
- Zero day attacks - Exploit previously unknown vulnerabilities, so victims have no time to prepare or defend

Common Web Application Attacks
- Many server-side web application attacks target the input that the applications accept from users
- Common web application attacks:
  - Cross-site scripting
  - SQL injection
  - XML injection
  - Command injection/directory traversal

Cross-Site Scripting
- Not all attacks on websites are designed to steal content or deface it
- Some attacks use the web server as a platform to launch attacks on other computers that access it
- Cross-site scripting (XSS) - Injects scripts into a web application server to direct attacks at unsuspecting clients
- Many web applications are designed to customize content for the user by taking what the user enters and then displaying that input back to the user

Table 3-1: Customized Responses

User input      | Variable that contains input | Web application response                    | Coding example
Search term     | search_term                  | Search term provided in output              | "Search results for search_term"
Incorrect input | user_input                   | Error message that contains incorrect input | "user_input is not valid"
User's name     | name                         | Personalized response                       | "Welcome back name"

Cross-Site Scripting Platform
- Cross-site scripting attacks occur when an attacker takes advantage of web applications that accept user input without validation and then present it back to the user
- For example:
  - Input that the user enters for Name is not verified
  - Instead, it is automatically added to a code segment that becomes part of an automated response
- An attacker can use this vulnerability in an XSS attack by tricking a valid website into feeding a malicious script to another user's web browser to execute

Figure 3-3: Bookmark Page That Accepts User Input. The Contoso Bookmark Page, shown in Windows Internet Explorer, contains a form with three entries: Your Name, Description, and Bookmark. A small window says "Thank you ABBY for your submission!"

Figure 3-4: Input Used In Response. Two web browser windows: the outer window says "Thank you ABBY for your submission." An arrow links "ABBY" to code in the inner window that reads ou.Text = "Thank you" + Name + "for your submission!";
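The concatenation pattern in Figure 3-4 is the root of the reflected XSS problem on the previous slides: whatever the user typed for Name lands in the page unchanged. The following is an added example (not code from the textbook) that puts that unsafe builder beside a hardened one; the only change is HTML-encoding the input before it is placed in the response, so angle brackets and quotes can only render as text. The function names and the sample inputs are constructed for the demonstration.

```python
import html


def build_greeting_unsafe(name: str) -> str:
    # Same pattern as the slide's ou.Text = "Thank you" + Name + ... line:
    # the submitted name is concatenated into the page unchanged.
    return "Thank you " + name + " for your submission!"


def build_greeting_safe(name: str) -> str:
    # Same response, but the name is HTML-encoded before it enters the page,
    # so '<', '>', '&' and quotes can only ever render as text.
    return "Thank you " + html.escape(name, quote=True) + " for your submission!"


def contains_raw_tag(fragment: str) -> bool:
    # Demonstration check: is there still an unencoded angle bracket that a
    # browser would parse as markup?
    return "<" in fragment or ">" in fragment


if __name__ == "__main__":
    # Constructed inputs: an ordinary name and one carrying a script element.
    for submitted in ("ABBY", "<script>alert('xss')</script>"):
        print("unsafe:", build_greeting_unsafe(submitted))
        print("safe:  ", build_greeting_safe(submitted))
```

Output encoding has to match the context the value lands in: `html.escape` is right for element text and quoted attribute values, but a value placed inside a script block or a URL needs that context's own encoding, and a template engine that auto-escapes removes the chance of forgetting the call.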

SQL Injection
- SQL (Structured Query Language) - Used to manipulate data stored in a relational database
- SQL injection - Targets SQL servers by introducing malicious commands

Forgotten Password Example
- Attacker enters an incorrectly formatted e-mail address
- The response lets the attacker know whether input is being validated
- Attacker enters a SQL statement in the email field
- The statement is processed by the database
- Example statement: SELECT fieldlist FROM table WHERE field = 'whatever' or 'a'='a'
- Result: all user email addresses will be displayed

Table 3-2: SQL Injection Statements

SQL injection statement                                                                         | Result
whatever' AND email IS NULL; --                                                                 | Determine the names of different fields in the database
whatever' AND 1=(SELECT COUNT(*) FROM tabname); --                                              | Discover the name of the table
whatever' OR full_name LIKE '%Mia%'                                                             | Find specific users
whatever'; DROP TABLE members; --                                                               | Erase the database table
whatever'; UPDATE members SET email = 'attacker-email@evil.net' WHERE email = 'Mia@good.com';   | Mail password to attacker's email account
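The forgotten-password example works because the email field is pasted into the SQL text, so the `' or 'a'='a` fragment becomes part of the WHERE clause. The following added example (not the textbook's code) reproduces that lookup against a small in-memory SQLite table and sets it beside the parameterised form, where the driver binds the input as a value and the clause compares against the literal string. The `members` rows are constructed sample data.

```python
import sqlite3

# Constructed sample data standing in for the slide's "members" table.
SAMPLE_MEMBERS = [
    ("Mia", "Mia@good.com"),
    ("Tom", "tom@example.org"),
    ("Ann", "ann@example.org"),
]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (full_name TEXT, email TEXT)")
    conn.executemany("INSERT INTO members VALUES (?, ?)", SAMPLE_MEMBERS)
    return conn


def lookup_unsafe(conn: sqlite3.Connection, email: str) -> list:
    # The forgotten-password lookup built by string concatenation: the
    # submitted text becomes part of the SQL, so a quote in the input
    # changes the statement's structure (WHERE ... or 'a'='a').
    sql = "SELECT email FROM members WHERE email = '" + email + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn: sqlite3.Connection, email: str) -> list:
    # Parameterised query: the driver sends the text as a bound value, so
    # the WHERE clause always compares against the literal string supplied.
    sql = "SELECT email FROM members WHERE email = ?"
    return [row[0] for row in conn.execute(sql, (email,))]


if __name__ == "__main__":
    conn = make_db()
    attack = "whatever' or 'a'='a"   # the statement fragment from the slide
    print("unsafe:", lookup_unsafe(conn, attack))   # every address comes back
    print("safe:  ", lookup_safe(conn, attack))     # no rows
```

The parameterised version is also the answer to every row of Table 3-2: once the input can no longer terminate the string literal, the `; DROP TABLE` and `; UPDATE` variants are just unmatched email addresses. Input validation (an email-format check) is a useful second layer, but binding is the control that removes the vulnerability.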

XML (Extensible Markup Language)
- Markup language - Method for adding annotations to text
- Example is HTML:
  - Uses tags surrounded by brackets
  - Instructs the browser to display text in a specific format
- XML (Extensible Markup Language):
  - Carries data instead of indicating how to display it
  - No predefined set of tags
  - Users define their own tags

XML Attack
- XML attack - Similar to a SQL injection attack
  - Attacker discovers a website that does not filter user data
  - Injects XML tags and data into the database
- XPath injection - Specific type of XML injection attack
  - Attempts to exploit XML Path Language queries
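The XML injection the slide describes has the same shape as the SQL case: unfiltered user data is spliced into a document as text, so the data can close one element and open another. The following added example (not from the textbook) builds a user record both ways. The unsafe builder concatenates strings; the safe one goes through ElementTree, which stores the value as element text and escapes it on serialisation. The record layout and the sample input are constructed for the demonstration.

```python
import xml.etree.ElementTree as ET


def build_record_unsafe(name: str, email: str) -> str:
    # User data spliced straight into the XML text, as a site that does
    # not filter user data would do.
    return "<user><name>" + name + "</name><email>" + email + "</email></user>"


def build_record_safe(name: str, email: str) -> str:
    # Build the document through the XML API instead: ElementTree writes
    # the values as element text and escapes '<', '>' and '&' itself.
    user = ET.Element("user")
    ET.SubElement(user, "name").text = name
    ET.SubElement(user, "email").text = email
    return ET.tostring(user, encoding="unicode")


def child_tags(xml_text: str) -> list:
    # Parse the record back and list the elements directly under <user>.
    return [child.tag for child in ET.fromstring(xml_text)]


def name_text(xml_text: str) -> str:
    # The stored name as the parser sees it.
    return ET.fromstring(xml_text).find("name").text


if __name__ == "__main__":
    # Constructed input that tries to close <name> and add a <role> element.
    injected = "Mia</name><role>admin</role><name>"
    print(child_tags(build_record_unsafe(injected, "mia@example.org")))
    print(child_tags(build_record_safe(injected, "mia@example.org")))
```

In the unsafe record the injected `<role>` becomes a real child element; in the safe one the whole string survives as the text of `<name>`. The same principle applies to XPath queries: build them from validated values or with a library that binds variables, never by concatenating user input into the path expression.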

Directory Traversal/Command Injection
- Web server users are typically restricted to the root directory
  - Users may be able to access subdirectories but not parallel or higher-level directories
  - Helps to protect sensitive files
- Directory traversal - Uses malformed input or takes advantage of a vulnerability to move from the root directory to restricted directories
- Command injection - Attacker enters commands to execute on the server or to view confidential files

Figure 3-6: Directory Traversal Attack. The folder C:\ is at the top, connected with lines to the Windows and Inetpub folders. The Windows folder connects to a System32 folder. The Inetpub folder connects to the wwwroot folder, which connects to the news folder. A bold line links from the wwwroot folder up to the Inetpub folder, across to the Windows folder, and down to the System32 folder.
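The path in Figure 3-6 climbs out of wwwroot with ".." segments. The defence is to resolve the requested path against the document root and refuse anything that ends up outside it. The following added example (not the textbook's code) does that for a constructed POSIX-style root standing in for C:\Inetpub\wwwroot; it percent-decodes first and treats backslashes as separators, since both are common ways of disguising the ".." segments.

```python
import posixpath
from urllib.parse import unquote

# Constructed document root standing in for the slide's C:\Inetpub\wwwroot
# (POSIX-style so the example runs on any platform).
WEB_ROOT = "/inetpub/wwwroot"


def resolve_request_path(requested: str, root: str = WEB_ROOT):
    """Map a URL path onto a file under the document root.

    Returns the resolved path, or None if the request would escape the
    root (the directory traversal case on the slide).
    """
    # Percent-decode first so an encoded "%2e%2e" is seen as "..", and
    # treat Windows-style backslashes as separators as well.
    decoded = unquote(requested).replace("\\", "/")
    # Always join under the root (a leading "/" would otherwise replace it),
    # then collapse "." and ".." segments.
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    # After normalisation the path must be the root itself or lie below it.
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


if __name__ == "__main__":
    for req in ("news/today.html", "../../windows/system32/cmd.exe",
                "%2e%2e/%2e%2e/windows/system32/cmd.exe"):
        print(req, "->", resolve_request_path(req))
```

The check compares the normalised path against the root with a trailing separator, so a sibling directory whose name merely starts with the root's name (wwwroot2) is also rejected. On a real server, symbolic links inside the root can still point outside it; resolving with `os.path.realpath` before the comparison closes that gap.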

Client-Side Application Attacks
- Web application attacks are server-side attacks
- Client-side attacks target vulnerabilities in client applications:
  - The client interacts with a compromised server
  - The client initiates the connection with the server, which could result in an attack

Drive-By Download
- Drive-by download - Client computer compromised simply by viewing a web page
- Attackers inject content into a vulnerable web server to gain access to the server's operating system
- Attackers craft a zero-pixel frame to avoid visual detection
  - Embeds an HTML document inside the main document
- The client's browser downloads the malicious script
  - Instructs the computer to download malware
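The zero-pixel frame is a detectable artifact: a legitimate embedded document has a size, while a drive-by injection is sized to nothing or styled invisible. The following added example (not from the textbook) is a small scanner built on Python's HTML parser that flags `<iframe>`/`<frame>` tags hidden either way, run over a constructed sample page; a web-content filter or a site-integrity check could apply the same logic to pages served by a server suspected of having been modified.

```python
from html.parser import HTMLParser

# Constructed page: one ordinary video frame and two frames hidden the way a
# drive-by page hides them (zero size, or display:none via the style attribute).
SAMPLE_PAGE = """<html><body>
<h1>Daily News</h1>
<iframe src="https://video.example.net/player" width="640" height="360"></iframe>
<iframe src="http://placeholder.invalid/a" width="0" height="0" style="border:0"></iframe>
<iframe src="http://placeholder.invalid/b" style="display:none; width:1px"></iframe>
</body></html>"""


class HiddenFrameFinder(HTMLParser):
    """Collects (src, reasons) for <iframe>/<frame> tags that would not be visible."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("iframe", "frame"):
            return
        # Boolean attributes arrive with a None value; normalise to "".
        a = {k.lower(): (v or "") for k, v in attrs}
        style = a.get("style", "").replace(" ", "").lower()
        reasons = []
        if a.get("width", "").strip() in ("0", "0px") or a.get("height", "").strip() in ("0", "0px"):
            reasons.append("zero-size attribute")
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden by style")
        if "width:0" in style or "height:0" in style:
            reasons.append("zero-size style")
        if reasons:
            self.findings.append((a.get("src", ""), reasons))


def find_hidden_frames(html_text: str) -> list:
    parser = HiddenFrameFinder()
    parser.feed(html_text)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    for src, reasons in find_hidden_frames(SAMPLE_PAGE):
        print(src, "->", ", ".join(reasons))
```

The check is deliberately narrow (inline attributes and inline style only); frames hidden through an external stylesheet or positioned off-screen need the stylesheet resolved or a rendered layout to detect, which is why this kind of scan is a supplement to keeping the web server's own content under integrity monitoring.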

HTTP Header
- An HTTP header consists of fields that characterize the data being transmitted
- Header fields are composed of:
  - Field name
  - Colon
  - Field value
- Example: Content-length: 49
- HTTP header field names and values may be any application-specific strings, but a core set is standardized by the Internet Engineering Task Force

Table 3-3: HTTP Header Fields

HTTP field name     | Source      | Explanation                                                                                        | Example
Server              | Web server  | Type of web server                                                                                 | Server: Apache
Referer or Referrer | Web browser | The address of the previous webpage from which a link to the currently requested page was followed | Referer: http://www.askapache.com/show-error-502/
Accept-Language     | Web browser | List of acceptable languages for content                                                           | Accept-Language: en-us,en;q=0.5
Set-Cookie          | Web server  | Parameters for setting a cookie on the local computer                                              | Set-Cookie: UserID=ThomasTrain; Max-Age=3600; Version=1

Header Manipulation
- HTTP header manipulation - Attack that modifies HTTP headers
- HTTP header manipulation is not an actual attack in itself but rather the vehicle through which other attacks (such as XSS) can be launched
- HTTP header manipulation allows an attacker to pass malicious instructions from their own malicious website, or through an infected site, to the web browser via HTTP headers

HTTP Header Attacks
- Examples of HTTP header attacks:
  - Referer - An attacker can bypass security by modifying the Referer field to hide the fact that the request came from another site
  - Accept-Language - Because some web applications pass the contents of this field directly to the database, an attacker can inject a SQL command by modifying the header
  - Response splitting - Inserting a CRLF in an HTTP header can give attackers control of the remaining HTTP headers and body of the response
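The three header examples above share one lesson: a header value is attacker-controlled input like any form field. The following added example (not the textbook's code) covers the HTTP Header slide and this one together. It parses a header block of "Field-Name: value" lines, validates Accept-Language against an allow-list before it could reach a query, and refuses to emit a response header whose value contains a CR or LF, which is what response splitting relies on. The sample header block and the redirect builder are constructed for the demonstration.

```python
import re

# Field name: token characters; value: everything after the colon, trimmed.
_FIELD_LINE = re.compile(r"^([!#$%&'*+\-.^_`|~0-9A-Za-z]+):[ \t]*(.*?)[ \t]*$")
# One Accept-Language entry: a language tag (or "*") with an optional q-value.
_LANG_TAG = re.compile(
    r"^(?:\*|[A-Za-z]{1,8}(?:-[A-Za-z0-9]{1,8})*)"
    r"(?:\s*;\s*q=(?:0(?:\.\d{0,3})?|1(?:\.0{0,3})?))?$")


def parse_header_block(raw: str) -> dict:
    """Split 'Field-Name: value' lines into a dict keyed by lower-cased name."""
    fields = {}
    for line in raw.split("\r\n"):
        if not line:            # the blank line ends the header block
            continue
        m = _FIELD_LINE.match(line)
        if not m:
            raise ValueError("malformed header line: %r" % line)
        fields[m.group(1).lower()] = m.group(2)
    return fields


def is_safe_header_value(value: str) -> bool:
    """False if the value carries CR, LF or NUL. A CRLF inside a value ends
    that header line, so the rest of the string would become new headers or
    a response body (response splitting)."""
    return re.search(r"[\r\n\x00]", value) is None


def accept_language_is_wellformed(value: str) -> bool:
    """Allow-list check for Accept-Language before the value is used anywhere
    near a database: comma-separated language tags, optional q-values."""
    parts = [p.strip() for p in value.split(",")]
    return bool(parts) and all(_LANG_TAG.match(p) for p in parts)


def build_redirect(location: str) -> bytes:
    # A response builder that echoes a request-derived value into a header;
    # the value is checked first so no injected line break reaches the wire.
    if not is_safe_header_value(location):
        raise ValueError("refusing to emit a header containing control characters")
    return ("HTTP/1.1 302 Found\r\nLocation: " + location +
            "\r\nContent-Length: 0\r\n\r\n").encode("ascii")


if __name__ == "__main__":
    # Constructed request header block using the examples from Table 3-3.
    block = "Server: Apache\r\nAccept-Language: en-us,en;q=0.5\r\nContent-length: 49\r\n\r\n"
    print(parse_header_block(block))
    print(accept_language_is_wellformed("en-us,en;q=0.5"),
          accept_language_is_wellformed("en' OR 1=1 --"))
```

The Referer case has no validation fix, because the browser sets the field and an attacker's client can set it to anything: a Referer check can be a hint, never an authorisation decision. Mature HTTP libraries already reject CR/LF in header values, so the practical check is that every path that writes a header goes through the library rather than string concatenation.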

Cookies
- Cookies - Store user-specific information on the user's local computer
- Websites use cookies to identify repeat visitors
- Examples of information:
  - Travel websites may store the user's travel itinerary
  - Personal information provided when visiting a site
- Only the website that created a cookie can read it

Types of Cookies
- First-party cookie - Cookie created by the website the user is currently visiting
- Third-party cookie - Site advertisers (third parties) place the cookie to record user preferences
- Session cookie - Stored in RAM and expires when the browser is closed
- Persistent cookie - Recorded on the computer's hard drive and does not expire when the browser closes

Locally Shared Object (LSO)
- Locally shared object (LSO) or Flash cookie - Named after the Adobe Flash player
- Different from regular cookies:
  - Stores more complex data
  - Stores up to 100 KB of data from a website (25 times the data of a regular cookie)
  - Cannot be deleted through the browser's normal configuration settings
  - Saved in multiple locations on the hard drive
  - Can be used to reinstate regular cookies that the user deleted or blocked

Risks of Cookies
- Cookies have security and privacy risks
- First-party cookies can be stolen and used to impersonate the user
- Third-party cookies can be used to track the browsing or buying habits of a user
- When multiple websites are serviced by a single marketing organization, cookies can be used to track browsing habits across all of that organization's client sites

Attachments
- Attachments - Files that are coupled to email messages
- Malicious attachments are commonly used to spread viruses, Trojans, and other malware when opened
- Most users routinely open any email attachment received, even if it is from an unknown sender
- Attackers often include information in the subject line that entices even reluctant users to open the attachment, such as a current event

Session Token
- A user accessing a secure web application needs to be verified to prevent an imposter from "jumping in" to the interaction
- Session token - Verification through which a random string is assigned to the interaction between the user and the web application currently being accessed (the session)
- The web application server assigns a unique session token
- Each subsequent request from the user's web browser to the web application contains the session token, verifying the user's identity

Session Hijacking
- Session hijacking - Attacker attempts to impersonate the user by using the user's session token
- Attacker can attempt to obtain the session token by:
  - Using XSS or other attacks to steal the session token cookie from the victim's computer
  - Eavesdropping on the transmission
  - Guessing the session token (successful if generation of session tokens is not truly random)

Figure 3-7: Session Hijacking Attack. A line labeled "Session token" connects a victim computer to a web server and carries the token 64da9DACOqgoipxqQDdywg. An attacker's computer connects to this line with the label "Attacker intercepts session token." Another line, labeled "Attacker uses stolen session token," connects the attacker's computer to the web server and carries the same token 64da9DACOqgoipxqQDdywg.
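The third route to a token on the Session Hijacking slide, guessing, is the one the server controls entirely, and the Session Token slide's requirement that the string be random is the whole defence against it. The following added example (not from the textbook) is a small in-memory session store that draws tokens from the operating system's cryptographic random source, expires them, rotates them after login, and stores only a hash of each token so that a copy of the session table is not itself a set of usable credentials. The store's class and method names are constructed for the demonstration.

```python
import hashlib
import secrets
import time

TOKEN_BYTES = 32   # 256 bits from the OS CSPRNG: not guessable by enumeration


def _digest(token: str) -> str:
    # Sessions are keyed by a hash of the token, so a dump of the session
    # table does not by itself hand out live tokens.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


class SessionStore:
    """In-memory session table (constructed example): digest -> (user, expiry)."""

    def __init__(self, lifetime_seconds: int = 3600):
        self.lifetime = lifetime_seconds
        self._sessions = {}

    def create(self, user: str, now: float = None) -> str:
        """Issue a fresh, unpredictable token for an authenticated user."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(TOKEN_BYTES)
        self._sessions[_digest(token)] = (user, now + self.lifetime)
        return token

    def lookup(self, token: str, now: float = None):
        """Return the user for a presented token, or None if unknown or expired."""
        now = time.time() if now is None else now
        entry = self._sessions.get(_digest(token))
        if entry is None:
            return None
        user, expiry = entry
        if now > expiry:
            self.destroy(token)     # an expired token is useless to a hijacker
            return None
        return user

    def rotate(self, token: str, now: float = None):
        """Replace a token with a fresh one (after login or a privilege change)."""
        user = self.lookup(token, now)
        if user is None:
            return None
        self.destroy(token)
        return self.create(user, now)

    def destroy(self, token: str) -> None:
        """Log out: forget the token so a stolen copy stops working."""
        self._sessions.pop(_digest(token), None)


if __name__ == "__main__":
    store = SessionStore(lifetime_seconds=60)
    first = store.create("abby")
    print("issued:", first, "->", store.lookup(first))
    print("rotated:", store.rotate(first), "old still valid:", store.lookup(first))
```

Randomness stops guessing but not the other two routes on the slide; those are addressed by sending the token only as a cookie marked Secure and HttpOnly (so it travels encrypted and is out of reach of injected script), and the short lifetime plus rotation bound how long an intercepted token stays useful.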

Plug-Ins and Add-Ons
- Tools can be added to enhance the user's interaction with a website through the web browser
- Plug-in - Third-party library (Java, Adobe Flash player, Apple QuickTime, Adobe Acrobat Reader) that attaches to the web browser and can be embedded inside a webpage (but affects only that specific page)
- Add-ons or extensions - Tools that add functionality to the web browser itself

Malicious Add-Ons
- Attackers can create malicious add-ons to launch attacks against the user's computer
- ActiveX - Set of rules for how applications under the Microsoft Windows operating system should share information
- ActiveX controls (add-ons) - Specific way of implementing ActiveX; sometimes called ActiveX applications
- ActiveX controls can be invoked from webpages through the use of a scripting language or directly by an HTML command

Impartial Overflow Attacks
“Impartial” attacks can target either the server or the client
Many of these attacks are designed to “overflow” areas of memory with instructions from the attacker
Types of attacks:
Buffer overflow attacks
Integer overflow attacks
Arbitrary/remote code execution attacks

Buffer Overflow Attack
Buffer overflow attack - A process attempts to store data in RAM beyond the boundaries of a fixed-length storage buffer
Data overflows into adjacent memory locations
Attacker can change the “return address” (the memory location of the next code to run) and redirect it to a memory address containing malware code
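
A worked example added here, not from the textbook: a C routine that refuses input too long for a fixed-length buffer, placed beside the unchecked copy that produces the overflow the slide describes. The struct layout, the 16-byte buffer size and the function names are assumptions made for this example; the field after the buffer stands in for the “adjacent memory locations” on the slide.

```c
#include <stdio.h>
#include <string.h>

/* Added example (not from the textbook). A fixed-length buffer followed by
   another field, standing in for the adjacent memory the slide describes.
   The 16-byte size and the field names are assumptions. */
#define NAME_BUF 16

struct record {
    char name[NAME_BUF];
    long adjacent;          /* whatever sits after the buffer; here a sentinel value */
};

/* The overflow pattern: strcpy copies until the source's terminating NUL and
   never consults the destination size, so a source of NAME_BUF bytes or more
   writes past name[] into 'adjacent' (and, on a real stack frame, toward the
   saved return address). Never called here; shown only to name the defect. */
void copy_name_unchecked(struct record *r, const char *src)
{
    strcpy(r->name, src);
}

/* Hardened version: measure the source against the buffer first and refuse
   anything that does not fit together with its terminator.
   Returns 0 on success, -1 if the input was rejected (nothing is written). */
static int copy_name_checked(struct record *r, const char *src)
{
    size_t n = 0;
    while (n < NAME_BUF && src[n] != '\0')
        n++;
    if (n == NAME_BUF)          /* 16 or more bytes: no room for the NUL */
        return -1;
    memcpy(r->name, src, n + 1);
    return 0;
}

/* Helper: copy 'src' with the checked routine and report whether the field
   after the buffer kept its sentinel value. */
static int adjacent_intact_after_checked_copy(const char *src)
{
    struct record r;
    memset(&r, 0, sizeof r);
    r.adjacent = 0x4242;
    (void)copy_name_checked(&r, src);
    return r.adjacent == 0x4242;
}

int main(void)
{
    struct record r;
    memset(&r, 0, sizeof r);
    r.adjacent = 0x4242;
    /* Constructed inputs: one that fits, one of 32 bytes that would overflow. */
    printf("short input: %d\n", copy_name_checked(&r, "alice"));
    printf("long input:  %d\n", copy_name_checked(&r, "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"));
    printf("adjacent field still 0x%lx, name=\"%s\"\n", r.adjacent, r.name);
    return 0;
}
```

The check is done on the source length before any byte is written, so an oversize input is rejected outright rather than truncated; truncating silently is the other common fix, but it can change the meaning of the data and is better made an explicit choice.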

Buffer Overflow Attack (Figure 3-8) A figure of a buffer overflow attack. A box labeled “Normal process” contains four sections: Program instructions, Buffer storing integer data, Buffer storing character data, and Return address pointer. A line labeled “Program jumps to address of next instruction” goes from Return address pointer to Program instructions. A box labeled “Buffer Overflow” contains four sections: Program instructions, Buffer storing integer data, Buffer storing character data, and Return address pointer. An inner box covering the Buffer storing character data and Return address pointer contains the labels Malware, Fill and overflow buffer, and New pointer. A line labeled “Program jumps to attacker malware” goes from Return address pointer to Malware.

Integer Overflow
Integer overflow - Condition that occurs when the result of an arithmetic operation (addition or multiplication) exceeds the maximum size of the integer type used to store it
When overflow occurs, the interpreted value wraps around from the maximum value to the minimum value

Integer Overflow Attack
Example: an 8-bit signed integer has a maximum value of 127 and a minimum value of ‒128
If the value 127 is stored in a variable and 1 is added to it, the sum exceeds the maximum value for this integer type
It wraps around to become ‒128
Integer overflow attack - Attacker uses an integer overflow to change the value of a variable to something outside the range the programmer had intended
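
An added example, not from the textbook, that carries the slide’s 127 + 1 arithmetic through in C: an explicit 8-bit wrap that produces the ‒128 result, a checked addition that refuses to wrap, and the same check applied to a size computation, which is where an attacker-controlled overflow most often matters in practice. The function names are the example’s own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example (not from the textbook). Store an arithmetic result the way
   an 8-bit signed variable does on two's-complement hardware: keep the low
   8 bits and read bit 7 as the sign. Written out explicitly so the wrap is
   visible and does not depend on compiler behaviour. */
static int wrap_to_int8(long v)
{
    long low = v % 256;
    if (low < 0) low += 256;                     /* normalise to 0..255 */
    return (int)(low >= 128 ? low - 256 : low);  /* 128..255 read as -128..-1 */
}

/* Checked addition for the 8-bit signed type: stores the sum and returns 0,
   or returns -1 (storing nothing) when the sum would leave [-128, 127]. */
static int add_int8_checked(int a, int b, int *out)
{
    long sum = (long)a + (long)b;
    if (sum > INT8_MAX || sum < INT8_MIN)
        return -1;
    *out = (int)sum;
    return 0;
}

/* Where the attack bites in practice: a buffer size computed from a count
   the attacker controls. If count * elem_size wraps, the program allocates
   or bounds-checks against a value far smaller than intended.
   Returns 0 with the product, or -1 if the multiplication would overflow. */
static int mul_size_checked(size_t count, size_t elem_size, size_t *out)
{
    if (elem_size != 0 && count > SIZE_MAX / elem_size)
        return -1;
    *out = count * elem_size;
    return 0;
}

int main(void)
{
    int sum = 0;
    size_t bytes = 0;
    printf("127 + 1 stored in an 8-bit signed variable: %d\n", wrap_to_int8(127L + 1));
    printf("checked 127 + 1: %s\n",
           add_int8_checked(127, 1, &sum) == 0 ? "stored" : "rejected (overflow)");
    printf("checked (SIZE_MAX/2 + 1) * 4: %s\n",
           mul_size_checked(SIZE_MAX / 2 + 1, 4, &bytes) == 0 ? "stored" : "rejected (overflow)");
    return 0;
}
```

The size check divides rather than multiplies, because the multiplication itself is what would wrap; compilers also offer builtins for this, but the division form is portable and easy to audit.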

Arbitrary/Remote Code Execution
Heap spray - Targeted to insert data only in certain parts of memory
Arbitrary/remote code execution - Allows an attacker to run programs and execute commands on a different computer
Once under the attacker’s control, the computer can perform virtually any command from the attacker
Arbitrary/remote code execution attacks often take advantage of malicious attachments such as a Microsoft Visio file or a PDF file

Network Attacks
Attackers place a high priority on targeting networks
Exploiting a single vulnerability may expose hundreds or thousands of devices to an attacker
Types of attacks that target a network or a network process:
Denial of service
Interception
Poisoning
Attacks on access rights

Denial of Service (DoS)
Denial of service (DoS) - Attempts to prevent a system from performing its normal functions
Distributed denial of service (DDoS) - Uses thousands of zombie computers in a botnet
Ping flood attack - The ping utility is used to send a large number of echo request messages that overwhelm the server
Smurf attack - Ping request with the originating address changed (spoofing) so that it appears as if the target computer is asking for a response from all computers on the network

SYN Flood Attack
SYN flood attack - Takes advantage of the procedures for establishing a connection
Attacker sends SYN segments in IP packets to the server but modifies the source address of each packet to computer addresses that do not exist or cannot be reached
Server continues to wait for a response (which is not coming) while receiving more false requests and keeping more lines open for responses
Server ultimately runs out of resources and can no longer respond to legitimate requests

SYN Flood Attack (Figure 3-9) A figure of a SYN flood attack. At the top the Attacker’s computer connects to a line to the Server with the description, “Sends SYN segments in IP packets to server with modified source addresses.” Five computers, Computer A through Computer E, have lines from the Server. Each line is labeled “SYN+ACK.” A box next to the line says “Waiting for reply from A”, “Waiting for reply from B”, “Waiting for reply from C”, “Waiting for reply from D”, and “Waiting for reply from E.” The computers are labeled “Nonexistent or unreachable IP addresses.”
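
An added example, not from the textbook, showing how the condition in Figure 3-9 looks from the server side and how a monitor would detect it: a constructed connection-table snapshot (in the spirit of a netstat-style listing, with SYN_RECV marking a half-open connection still waiting for its final ACK) is tallied, and an alert fires when half-open connections from many one-off sources dominate the table. The addresses, state names and thresholds are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

/* Added example (not from the textbook). One row of a constructed
   connection-table snapshot: SYN_RECV means the server sent SYN+ACK and
   is still waiting for the final ACK, which in a flood never arrives. */
struct conn { const char *src_ip; const char *state; };

struct syn_summary {
    int half_open;                   /* entries in SYN_RECV */
    int established;                 /* completed handshakes */
    int distinct_half_open_sources;  /* spoofed floods show many one-off sources */
};

static struct syn_summary summarize_conns(const struct conn *c, int n)
{
    struct syn_summary s = {0, 0, 0};
    for (int i = 0; i < n; i++) {
        if (strcmp(c[i].state, "ESTABLISHED") == 0) { s.established++; continue; }
        if (strcmp(c[i].state, "SYN_RECV") != 0) continue;
        s.half_open++;
        int seen = 0;   /* count each source once, however many SYNs it sent */
        for (int j = 0; j < i && !seen; j++)
            if (strcmp(c[j].state, "SYN_RECV") == 0 &&
                strcmp(c[j].src_ip, c[i].src_ip) == 0)
                seen = 1;
        if (!seen) s.distinct_half_open_sources++;
    }
    return s;
}

/* Alert when half-open connections pass an absolute floor and also make up
   at least min_percent of the table. Thresholds are illustrative values
   chosen for this example, not from the book. */
static int looks_like_syn_flood(struct syn_summary s, int min_half_open, int min_percent)
{
    int total = s.half_open + s.established;
    if (total == 0 || s.half_open < min_half_open) return 0;
    return (s.half_open * 100) / total >= min_percent;
}

/* Constructed snapshots using the 203.0.113.0/24 documentation range. */
static const struct conn flood_snapshot[] = {
    {"203.0.113.10", "SYN_RECV"}, {"203.0.113.11", "SYN_RECV"},
    {"203.0.113.12", "SYN_RECV"}, {"203.0.113.13", "SYN_RECV"},
    {"203.0.113.14", "SYN_RECV"}, {"203.0.113.15", "SYN_RECV"},
    {"203.0.113.16", "SYN_RECV"}, {"203.0.113.17", "SYN_RECV"},
    {"203.0.113.50", "ESTABLISHED"}, {"203.0.113.51", "ESTABLISHED"},
};
static const struct conn normal_snapshot[] = {
    {"203.0.113.50", "ESTABLISHED"}, {"203.0.113.51", "ESTABLISHED"},
    {"203.0.113.52", "ESTABLISHED"}, {"203.0.113.53", "SYN_RECV"},
    {"203.0.113.54", "TIME_WAIT"},
};
#define COUNT(a) ((int)(sizeof (a) / sizeof (a)[0]))

static int flood_snapshot_flagged(void)
{ return looks_like_syn_flood(summarize_conns(flood_snapshot, COUNT(flood_snapshot)), 5, 60); }
static int normal_snapshot_flagged(void)
{ return looks_like_syn_flood(summarize_conns(normal_snapshot, COUNT(normal_snapshot)), 5, 60); }

int main(void)
{
    struct syn_summary s = summarize_conns(flood_snapshot, COUNT(flood_snapshot));
    printf("flood: half-open=%d established=%d distinct sources=%d flagged=%d\n",
           s.half_open, s.established, s.distinct_half_open_sources, flood_snapshot_flagged());
    printf("normal: flagged=%d\n", normal_snapshot_flagged());
    return 0;
}
```

The distinct-source count is the useful extra signal: because the slide’s attacker spoofs unreachable source addresses, a per-source rate limit never trips, while the ratio of half-open to completed connections does.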

Interception
Man-in-the-middle - Interception of legitimate communication and forging a fictitious response to the sender
Passive attack records the transmitted data; active attack alters the contents of the transmission before sending it to the recipient
Replay - Similar to a passive man-in-the-middle attack
Replay makes a copy of the transmission before sending it to the recipient, for use at a later time (the man-in-the-middle replays it)

ARP Poisoning
ARP poisoning - Attacker modifies the MAC address in the ARP cache to point to a different computer

Table 3-4 ARP poisoning attack
Device: Attacker (IP address 192.146.118.2, MAC address 00-AA-BB-CC-DD-02)
  ARP cache before attack: 192.146.118.3 => 00-AA-BB-CC-DD-03; 192.146.118.4 => 00-AA-BB-CC-DD-04
  ARP cache after attack:  192.146.118.3 => 00-AA-BB-CC-DD-03; 192.146.118.4 => 00-AA-BB-CC-DD-04
Device: Victim 1 (IP address 192.146.118.3, MAC address 00-AA-BB-CC-DD-03)
  ARP cache before attack: 192.146.118.2 => 00-AA-BB-CC-DD-02; 192.146.118.4 => 00-AA-BB-CC-DD-04
  ARP cache after attack:  192.146.118.2 => 00-AA-BB-CC-DD-02; 192.146.118.4 => 00-AA-BB-CC-DD-02
Device: Victim 2 (IP address 192.146.118.4, MAC address 00-AA-BB-CC-DD-04)
  ARP cache before attack: 192.146.118.2 => 00-AA-BB-CC-DD-02; 192.146.118.3 => 00-AA-BB-CC-DD-03
  ARP cache after attack:  192.146.118.2 => 00-AA-BB-CC-DD-02; 192.146.118.3 => 00-AA-BB-CC-DD-02

Attacks From ARP Poisoning (Table 3-5)
Table 3-5 Attacks from ARP poisoning
Steal data - An attacker can substitute her own MAC address and steal data intended for another device
Prevent Internet access - An attacker can substitute an invalid MAC address for the network gateway so that no users can access external networks
Man-in-the-middle - A man-in-the-middle device can be set to receive all communications by substituting that MAC address
DoS attack - The valid IP address of the DoS target can be substituted with an invalid MAC address, causing all traffic destined for the target to fail
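
An added example, not from the textbook, that takes Victim 1’s ARP cache from Table 3-4 before and after the attack and applies the two checks an ARP-monitoring tool performs: a diff against a trusted baseline, and a scan for one MAC address claimed by several IP addresses. The entries are transcribed from the table; the function names are the example’s own.

```c
#include <stdio.h>
#include <string.h>

/* Added example (not from the textbook). ARP cache snapshots for Victim 1,
   transcribed from Table 3-4: before the attack, and after the attacker
   has replaced Victim 2's MAC with its own. */
struct arp_entry { const char *ip; const char *mac; };

static const struct arp_entry victim1_before[] = {
    {"192.146.118.2", "00-AA-BB-CC-DD-02"},
    {"192.146.118.4", "00-AA-BB-CC-DD-04"},
};
static const struct arp_entry victim1_after[] = {
    {"192.146.118.2", "00-AA-BB-CC-DD-02"},
    {"192.146.118.4", "00-AA-BB-CC-DD-02"},   /* Victim 2's IP now resolves to the attacker's MAC */
};
#define COUNT(a) ((int)(sizeof (a) / sizeof (a)[0]))

/* Check 1: compare the live cache with a trusted baseline and count IPs
   whose MAC changed. The first changed IP is reported through
   *first_changed (may be NULL). Static-ARP and baseline-diff monitors
   work this way. */
static int changed_mappings(const struct arp_entry *base, int nb,
                            const struct arp_entry *cur, int nc,
                            const char **first_changed)
{
    int changed = 0;
    for (int i = 0; i < nc; i++)
        for (int j = 0; j < nb; j++)
            if (strcmp(cur[i].ip, base[j].ip) == 0 &&
                strcmp(cur[i].mac, base[j].mac) != 0) {
                if (changed == 0 && first_changed) *first_changed = cur[i].ip;
                changed++;
            }
    return changed;
}

/* Check 2: with no baseline, count pairs of different IPs that share one
   MAC. That is the shape the poisoned caches in Table 3-4 take, though a
   router holding several addresses produces it legitimately, so treat it
   as a warning to investigate rather than proof. */
static int shared_mac_pairs(const struct arp_entry *cur, int n)
{
    int pairs = 0;
    for (int i = 0; i < n; i++)
        for (int j = i + 1; j < n; j++)
            if (strcmp(cur[i].mac, cur[j].mac) == 0 && strcmp(cur[i].ip, cur[j].ip) != 0)
                pairs++;
    return pairs;
}

int main(void)
{
    const char *ip = NULL;
    int changed = changed_mappings(victim1_before, COUNT(victim1_before),
                                   victim1_after, COUNT(victim1_after), &ip);
    printf("changed mappings: %d (first: %s)\n", changed, ip ? ip : "none");
    printf("IP pairs sharing a MAC after attack: %d\n",
           shared_mac_pairs(victim1_after, COUNT(victim1_after)));
    return 0;
}
```

Run against the table, the baseline diff reports one changed mapping (192.146.118.4) and the shared-MAC scan reports one suspicious pair, which together match the “steal data” and man-in-the-middle rows of Table 3-5.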

DNS Poisoning
Domain Name System (DNS) - Current basis for name resolution to IP addresses
DNS poisoning - Substitutes DNS addresses to redirect a computer to another device
Two locations for DNS poisoning:
Local host table
External DNS server

Sample HOSTS file (Figure 3-11) A figure of a sample hosts file. Each IP address maps to a domain name: 127.0.0.1 – localhost; 16.6.18.20 – www.wku.edu; 74.125.47.99 – www.google.com; 216.77.188.41 – www.att.net; 204.15.20.80 – www.facebook.com.

DNS Poisoning (Figure 3-12) The attacker’s computer has a line to the Valid DNS server labeled, “1. What is the address of www.evil.net?” A line from the Valid DNS server to the Attacker’s DNS server ns.evil.net is labeled, “2. Please send IP address of www.evil.net.” A box is labeled “3. Here are all evil addresses: www.good.net – 192.168.1.1, www.better.net – 192.168.1.1, www.best.net – 192.168.1.1.” A line connecting the Valid DNS server to the Victim’s computer is labeled “4. What is the address of www.good.net?” with the response “192.168.1.1 (an attacker’s address).”
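
An added example, not from the textbook, for the “local host table” location of DNS poisoning: a small C parser for the HOSTS file format of Figure 3-11, a lookup that mirrors what the resolver does before it asks a DNS server, and a check for the pattern of Figure 3-12, where several unrelated names converge on one address. The sample file is constructed from the entries in Figure 3-11 plus lines modelled on Figure 3-12; the function names are the example’s own.

```c
#include <stdio.h>
#include <string.h>

/* Added example (not from the textbook). A constructed HOSTS file: entries
   from Figure 3-11 plus lines mimicking Figure 3-12, where several names
   are sent to the one address the figure labels as an attacker's. */
static const char sample_hosts[] =
    "# constructed sample hosts file\n"
    "127.0.0.1      localhost\n"
    "16.6.18.20     www.wku.edu\n"
    "74.125.47.99   www.google.com   # comment after an entry\n"
    "192.168.1.1    www.good.net\n"
    "192.168.1.1    www.better.net www.best.net\n";

#define MAX_HOSTS 32
struct host_entry { char ip[40]; char name[64]; };

/* Copy the token [start,end) into dst, truncated to cap-1 bytes, NUL-terminated. */
static void copy_token(char *dst, size_t cap, const char *start, const char *end)
{
    size_t len = (size_t)(end - start);
    if (len >= cap) len = cap - 1;
    memcpy(dst, start, len);
    dst[len] = '\0';
}

/* Parse hosts-file text: '#' starts a comment, the first field of a line is
   the address, every following field is a name for it. Returns the number
   of (address, name) pairs stored in out[]. */
static int parse_hosts(const char *text, struct host_entry *out, int max)
{
    int n = 0;
    const char *p = text;
    while (*p) {
        const char *eol = strchr(p, '\n');
        const char *line_end = eol ? eol : p + strlen(p);
        const char *hash = memchr(p, '#', (size_t)(line_end - p));
        const char *end = hash ? hash : line_end;      /* drop the comment part */
        char ip[40] = "";
        const char *t = p;
        while (t < end) {
            while (t < end && (*t == ' ' || *t == '\t' || *t == '\r')) t++;
            const char *start = t;
            while (t < end && *t != ' ' && *t != '\t' && *t != '\r') t++;
            if (t == start) break;                     /* only whitespace left */
            if (ip[0] == '\0') {
                copy_token(ip, sizeof ip, start, t);   /* first field: the address */
            } else if (n < max) {
                copy_token(out[n].ip, sizeof out[n].ip, ip, ip + strlen(ip));
                copy_token(out[n].name, sizeof out[n].name, start, t);
                n++;
            }
        }
        p = eol ? eol + 1 : line_end;
    }
    return n;
}

/* Resolve a name the way the resolver consults the local table first. */
static const char *hosts_lookup(const struct host_entry *e, int n, const char *name)
{
    for (int i = 0; i < n; i++)
        if (strcmp(e[i].name, name) == 0) return e[i].ip;
    return NULL;
}

/* Detection heuristic: how many names resolve to one address? Many
   unrelated names converging on a single address, as in Figure 3-12, is
   worth alerting on; an integrity check against a known-good copy of the
   file is the stronger control. */
static int names_at_address(const struct host_entry *e, int n, const char *ip)
{
    int count = 0;
    for (int i = 0; i < n; i++)
        if (strcmp(e[i].ip, ip) == 0) count++;
    return count;
}

/* Parse the constructed sample once, for the demo and the checks. */
static struct host_entry sample_table[MAX_HOSTS];
static int sample_count(void)
{
    static int n = -1;
    if (n < 0) n = parse_hosts(sample_hosts, sample_table, MAX_HOSTS);
    return n;
}

int main(void)
{
    int n = sample_count();
    printf("%d entries parsed\n", n);
    printf("www.good.net -> %s\n", hosts_lookup(sample_table, n, "www.good.net"));
    printf("names pointing at 192.168.1.1: %d\n", names_at_address(sample_table, n, "192.168.1.1"));
    return 0;
}
```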

Attacks on Access Rights
Privilege escalation - Exploiting a software vulnerability to gain access to restricted data
Two types of privilege escalation exist:
Vertical privilege escalation - A user with lower privileges uses privilege escalation to grant themselves access to functions reserved for higher-privilege users
Horizontal privilege escalation - A user with restricted privileges accesses the different restricted functions of a similar user

Transitive Trust
Transitive - Relation with the property that if a relation exists between A and B, and there is also a relation between B and C, then there is a relation between A and C
Transitive trust - If Alice trusts Bob, and Bob trusts Carol, then Alice trusts Carol

Transitive Access
Transitive trust can result in transitive access: System 1 can access System 2, and because System 2 can access System 3, System 1 can access System 3
The intention may not be for System 1 to access System 3, but instead for System 1 to be restricted to accessing only System 2
Inadvertent and unauthorized access can result in serious security risks
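
An added example, not from the textbook, that makes the System 1 / 2 / 3 reasoning on the two slides mechanical: the direct access relation is stored as a matrix, its transitive closure is computed (Warshall’s algorithm), and every pair reachable in practice but absent from the intended policy is counted. This generalizes beyond three systems to any access graph; the matrices and function names are the example’s own.

```c
#include <stdio.h>

/* Added example (not from the textbook). Access relation among the three
   systems on the slide: index 0 = System 1, 1 = System 2, 2 = System 3. */
#define NSYS 3

/* What is actually granted: System 1 -> System 2, System 2 -> System 3. */
static const int sample_direct[NSYS][NSYS] = {
    {0, 1, 0},
    {0, 0, 1},
    {0, 0, 0},
};
/* What the designer intended: the same two hops and nothing else. */
static const int sample_intended[NSYS][NSYS] = {
    {0, 1, 0},
    {0, 0, 1},
    {0, 0, 0},
};

/* Warshall's algorithm: reach[i][j] becomes 1 whenever j can be reached
   from i through any chain of trust relations, i.e. the transitive closure. */
static void transitive_closure(const int direct[NSYS][NSYS], int reach[NSYS][NSYS])
{
    for (int i = 0; i < NSYS; i++)
        for (int j = 0; j < NSYS; j++)
            reach[i][j] = direct[i][j];
    for (int k = 0; k < NSYS; k++)
        for (int i = 0; i < NSYS; i++)
            for (int j = 0; j < NSYS; j++)
                if (reach[i][k] && reach[k][j]) reach[i][j] = 1;
}

/* Count (source, target) pairs reachable in practice but absent from the
   intended policy. Each one is a transitive-access path to review. */
static int unintended_pairs(const int direct[NSYS][NSYS], const int intended[NSYS][NSYS])
{
    int reach[NSYS][NSYS];
    int count = 0;
    transitive_closure(direct, reach);
    for (int i = 0; i < NSYS; i++)
        for (int j = 0; j < NSYS; j++)
            if (reach[i][j] && !intended[i][j]) count++;
    return count;
}

/* 1 if 'from' can reach 'to' through the sample relation, else 0. */
static int sample_reaches(int from, int to)
{
    int reach[NSYS][NSYS];
    transitive_closure(sample_direct, reach);
    return reach[from][to];
}

int main(void)
{
    printf("System 1 reaches System 3: %d\n", sample_reaches(0, 2));
    printf("unintended access pairs: %d\n", unintended_pairs(sample_direct, sample_intended));
    return 0;
}
```

The one unintended pair it reports is exactly System 1 to System 3; in a real review the intended matrix is the documented policy and the direct matrix is read from trust or ACL configuration, and the closure exposes the paths nobody wrote down.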

Chapter 3 Application and Networking-Based Attacks