
Security+ Guide to Network Security Fundamentals, Fifth Edition



Presentation on theme: "Security+ Guide to Network Security Fundamentals, Fifth Edition"— Presentation transcript:

1 Security+ Guide to Network Security Fundamentals, Fifth Edition
Chapter 3 Application and Networking-Based Attacks

2 Objectives
- List and explain the different types of server-side web application attacks
- Define client-side attacks
- Explain how overflow attacks work
- List different types of networking-based attacks

3 Conceptual Networked System
- Networks are used to connect different clients and servers together
- Clients and servers run an operating system
- Operating system controls applications
- Applications manipulate data
- Each represents an attack vector to exploit
- Attacks on the applications in a networked computer system can be directed toward the server, the client, or both

4 Conceptual Networked Computer System (Figure 3-1)
A figure of a conceptual networked computer system. A larger network box contains a client box and a server box. Both the client and server boxes contain an operating system box that contains three application boxes, each of which has an internal data box.

5 Server-Side Web Application Attacks
- Content provided for users who are “surfing the Web” is generated by a software application running on a server
- In providing web services to clients, web servers also expose those same services to attackers
- An important characteristic of server-side web applications is that they create dynamic content based on inputs from the user

6 Server-Side Web Application Process
- Client’s web browser makes a request using the Hypertext Transport Protocol (HTTP) to a web server
- Server may be connected to one or more web application servers
- Application servers run the specific “web apps,” which in turn are directly connected to databases on the internal network
- Information from the databases is retrieved and returned to the web server so dynamic information can be sent back to the user’s web browser

7 Server-Side Web Application Infrastructure (Figure 3-2)
A figure with a client computer at the far left. Arrows of HTTP traffic connect it to a Web server computer. Arrows connect the Web server computer to three App servers, each of which is connected to its own database.

8 Securing Web Applications
- Securing server-side web applications is often considered more difficult than protecting other systems
- Traditional network security devices cannot always block web application attacks, because many of them ignore the content of HTTP traffic, which is the vehicle of web application attacks

9 Zero Day Attacks
- Many web application attacks (as well as other application attacks) exploit previously unknown vulnerabilities
- Zero day attacks - Exploit previously unknown vulnerabilities so victims have no time to prepare or defend

10 Common Web Application Attacks
- Many server-side web application attacks target the input that the applications accept from users
- Common web application attacks:
  - Cross-site scripting
  - SQL injection
  - XML injection
  - Command injection/directory traversal

11 Cross-Site Scripting
- Not all attacks on websites are designed to steal content or deface it
- Some attacks use the web server as a platform to launch attacks on other computers that access it
- Cross-site scripting (XSS) - Injects scripts into a web application server to direct attacks at unsuspecting clients
- Many web applications are designed to customize content for the user by taking what the user enters and then displaying that input back to the user

12 Customized Responses (Table 3-1)

User input      | Variable that contains input | Web application response                    | Coding example
Search term     | search_term                  | Search term provided in output              | “Search results for search_term”
Incorrect input | user_input                   | Error message that contains incorrect input | “user_input is not valid”
User’s name     | name                         | Personalized response                       | “Welcome back name”

13 Cross-Site Scripting Platform
- Cross-site scripting attacks occur when an attacker takes advantage of web applications that accept user input without validation and then present it back to the user
- For example:
  - Input that the user enters for Name is not verified
  - Instead it is automatically added to a code segment that becomes part of an automated response
- An attacker can use this vulnerability in an XSS attack by tricking a valid website into feeding a malicious script to another user’s web browser to execute

14 Bookmark Page That Accepts User Input (Figure 3-3)
A figure of the Contoso Bookmark Page – Windows Internet Explorer. The page contains a form with three entries: Your Name, Description, and Bookmark. A small window says “Thank you ABBY for your submission!”

15 Input Used In Response (Figure 3-4)
A figure of two Web browser windows. The outer window says “Thank you ABBY for your submission.” An arrow links “ABBY” to code in the inner window that says: ou.Text = "Thank you" + Name + "for your submission!";
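The Figure 3-4 pattern, written out as an added Python example (not code from the book or from the Contoso page): the vulnerable greeting concatenates the Name field straight into the response, the hardened version HTML-encodes it on output, and a small check shows what a test suite can assert. SAMPLE_SUBMISSION is a constructed input.

```python
import html

# Constructed sample input: the kind of value an attacker would put in the
# Name field so that the "automated response" carries a script tag.
SAMPLE_SUBMISSION = "<script>alert('xss demo')</script>"

def render_thank_you_unsafe(name: str) -> str:
    """The Figure 3-4 pattern: the Name field is concatenated straight into
    the HTML response with no validation or encoding, so markup in the
    input becomes markup in the page the next visitor's browser renders."""
    return "Thank you " + name + " for your submission!"

def render_thank_you_safe(name: str) -> str:
    """Hardened form: HTML-encode the untrusted value at the point it is
    written into the page, so the browser shows it as text, never as a tag.
    quote=True also encodes quotes, which matters when the value lands
    inside an attribute rather than between tags."""
    return "Thank you " + html.escape(name, quote=True) + " for your submission!"

def contains_raw_markup(rendered: str) -> bool:
    """Output assertion for a test suite: a rendered greeting must never
    carry an unencoded tag delimiter or quote that came from user input."""
    return any(ch in rendered for ch in "<>\"'")
```

Encoding on output is the fix the slide implies; input validation on the Name field is a useful second layer but cannot replace it, because the same value may be rendered in several contexts.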

16 SQL Injection
- SQL (Structured Query Language) - Used to manipulate data stored in a relational database
- SQL injection - Targets SQL servers by introducing malicious commands

17 Forgotten Password Example
- Attacker enters an incorrectly formatted address
- Response lets the attacker know whether input is being validated
- Attacker enters a field in a SQL statement
- Statement is processed by the database
- Example statement: SELECT fieldlist FROM table WHERE field = 'whatever' or 'a'='a'
- Result is that all user addresses will be displayed

18 SQL Injection Statements (Table 3-2)

SQL injection statement                            | Result
whatever' AND IS NULL; --                          | Determine the names of different fields in the database
whatever' AND 1=(SELECT COUNT(*) FROM tabname); -- | Discover the name of the table
whatever' OR full_name LIKE '%Mia%'                | Find specific users
whatever'; DROP TABLE members; --                  | Erase the database table
whatever'; UPDATE members SET = WHERE =            | Mail password to attacker's account
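The forgotten-password lookup from slide 17, as an added Python example (not the book's code) against a constructed in-memory SQLite table named members with email and full_name columns, standing in for the slide's "table" and "fieldlist" placeholders: the string-built query returns every row for the slide's 'a'='a' input, while the parameterized query treats the same input as a plain value.

```python
import sqlite3

def build_demo_db() -> sqlite3.Connection:
    """Constructed members table with made-up rows; the table and column
    names are borrowed from Table 3-2 so the slide's statements apply."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (email TEXT, full_name TEXT)")
    conn.executemany(
        "INSERT INTO members VALUES (?, ?)",
        [("mia@example.com", "Mia Example"),
         ("lee@example.com", "Lee Example"),
         ("sam@example.com", "Sam Example")],
    )
    return conn

def lookup_unsafe(conn: sqlite3.Connection, address: str) -> list:
    """Vulnerable lookup: the address is pasted into the SQL text, so a
    quote in the input closes the literal and rewrites the WHERE clause.
    This is the slide's SELECT ... WHERE field = 'whatever' or 'a'='a'."""
    sql = "SELECT email FROM members WHERE email = '" + address + "'"
    return [row[0] for row in conn.execute(sql)]

def lookup_safe(conn: sqlite3.Connection, address: str) -> list:
    """Parameterized form: the value travels separately from the statement,
    so whatever the input contains it is only ever compared as data."""
    sql = "SELECT email FROM members WHERE email = ?"
    return [row[0] for row in conn.execute(sql, (address,))]
```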

19 XML (Extensible Markup Language)
- Markup language - Method for adding annotations to text
- Example is HTML:
  - Uses tags surrounded by brackets
  - Instructs the browser to display text in a specific format
- XML (Extensible Markup Language):
  - Carries data instead of indicating how to display it
  - No predefined set of tags
  - Users define their own tags

20 XML Attack
- XML attack - Similar to a SQL injection attack
  - Attacker discovers a Web site that does not filter user data
  - Injects XML tags and data into the database
- XPath injection - Specific type of XML injection attack
  - Attempts to exploit XML Path Language queries

21 Directory Traversal/Command Injection
- Web server users are typically restricted to the root directory
- Users may be able to access subdirectories but not parallel or higher-level directories
- Helps to protect sensitive files
- Directory traversal - Uses malformed input or takes advantage of a vulnerability to move from the root directory to restricted directories
- Command injection - Attacker enters commands to execute on the server or view confidential files

22 Directory Traversal Attack (Figure 3-6)
A figure of a directory traversal attack. The folder C:\ is at the top, connected with lines to the Windows and Inetpub folders. The Windows folder connects to a System32 folder. The Inetpub folder connects to the wwwroot folder, which connects to the news folder. A bold line links from the wwwroot folder to the Inetpub folder to the Windows folder to the System32 folder.
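The check that stops the Figure 3-6 walk, as an added Python example (not from the book): every requested path is decoded, normalized, and tested for containment under the web root before any file is opened. WEB_ROOT is a constructed POSIX-style stand-in for C:\Inetpub\wwwroot so the code runs anywhere.

```python
import posixpath
from urllib.parse import unquote

# Constructed stand-in for the wwwroot folder in Figure 3-6.
WEB_ROOT = "/inetpub/wwwroot"

def resolve_under_root(web_root: str, requested: str) -> str:
    """Map a requested URL path onto the filesystem and refuse any result
    outside web_root. A request for news/... is served; one built from ../
    or ..\\ segments (encoded or not) that climbs toward the Windows or
    System32 folder is rejected."""
    # Decode exactly once: %2e%2e%2f is "../". Decoding twice would be a bug,
    # because a legitimately encoded file name would then be altered.
    path = unquote(requested)
    # Treat backslashes as separators so Windows-style traversal is seen too.
    path = path.replace("\\", "/")
    # NUL bytes can truncate the path at the filesystem layer; never pass them on.
    if "\x00" in path:
        raise PermissionError("NUL byte in requested path")
    # Join onto the root and collapse "." and ".." segments lexically.
    root = posixpath.normpath(web_root)
    candidate = posixpath.normpath(posixpath.join(root, path.lstrip("/")))
    # Containment test: the result must be the root itself or live below it.
    if candidate != root and not candidate.startswith(root + "/"):
        raise PermissionError("request escapes web root: %r" % requested)
    return candidate
```

The test is lexical; on a real server, resolve symbolic links (os.path.realpath) before the containment check, since a link inside wwwroot can point outside it.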

23 Client-Side Application Attacks
- Web application attacks are server-side attacks
- Client-side attacks target vulnerabilities in client applications:
  - Interacting with a compromised server
  - Client initiates the connection with the server, which could result in an attack

24 Drive-By Download
- Drive-by download:
  - Client computer is compromised simply by viewing a Web page
  - Attackers inject content into a vulnerable Web server to gain access to the server’s operating system
  - Attackers craft a zero-pixel frame to avoid visual detection
  - Embed an HTML document inside the main document
  - Client’s browser downloads the malicious script
  - Instructs the computer to download malware

25 HTTP Header
- HTTP header consists of fields that characterize the data being transmitted
- Header fields are comprised of:
  - Field name
  - Colon
  - Field value
  - Example: Content-length: 49
- HTTP header field names and values may be any application-specific strings, but a core set is standardized by the Internet Engineering Task Force

26 HTTP Header Fields (Table 3-3)

HTTP field name     | Source      | Explanation                                                                                        | Example
Server              | Web server  | Type of web server                                                                                 | Server: Apache
Referer or Referrer | Web browser | The address of the previous webpage from which a link to the currently requested page was followed | Referer:
Accept-Language     | Web browser | List of acceptable languages for content                                                           | Accept-Language: en-us,en;q=0.5
Set-Cookie          | Web server  | Parameters for setting a cookie on the local computer                                              | Set-Cookie: UserID=ThomasTrain; Max-Age=3600; Version=1

27 Header Manipulation
- HTTP header manipulation - Attack modifies HTTP headers
- HTTP header manipulation is not an actual attack but rather a vehicle through which other attacks like XSS can be launched
- HTTP header manipulation allows an attacker to pass malicious instructions from their own malicious website or through an infected site to the web browser via HTTP headers

28 HTTP Header Attacks
- Examples of HTTP header attacks:
  - Referer - Can bypass security by modifying the Referer field to hide the fact that the request came from another site
  - Accept-Language - Because some web applications pass the contents of this field directly to a database, an attacker can inject a SQL command by modifying the header
  - Response splitting - Inserting a CRLF in an HTTP header can give attackers control of the remaining HTTP headers and body of the response
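The "name, colon, value" structure from slide 25 and the CRLF check that closes the response-splitting case from slide 28, as one added Python example (not from the book). SAMPLE_HEADERS is a constructed header block built from the Table 3-3 examples; build_redirect is a hypothetical handler that writes a client-supplied value into a response header.

```python
import re

# Constructed response header block using the Table 3-3 example values.
SAMPLE_HEADERS = (
    "Server: Apache\r\n"
    "Content-Length: 49\r\n"
    "Accept-Language: en-us,en;q=0.5\r\n"
    "Set-Cookie: UserID=ThomasTrain; Max-Age=3600; Version=1\r\n"
)

# Characters allowed in a field name (the RFC 7230 "token" rule).
_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")

def parse_header_block(raw: str) -> dict:
    """Split a header block into {field-name: field-value}. Each line is
    field name, colon, field value; names are case-insensitive, so they
    are lower-cased as keys. A line without a colon or with a name that is
    not a token is malformed and is rejected rather than guessed at."""
    fields = {}
    for line in raw.split("\r\n"):
        if not line:
            continue
        name, sep, value = line.partition(":")
        if not sep or not _TOKEN.match(name):
            raise ValueError("malformed header line: %r" % line)
        fields[name.strip().lower()] = value.strip()
    return fields

def safe_header_value(value: str) -> str:
    """Refuse CR, LF and NUL in any value that came from the client before it
    is written into a response header. Without this, a CRLF inside the value
    ends the current header line and everything after it is emitted as
    further headers and a body, which is response splitting."""
    if any(ch in value for ch in "\r\n\x00"):
        raise ValueError("control character in header value")
    return value

def build_redirect(location: str) -> str:
    """Hypothetical handler: emit a minimal 302 whose Location comes from
    the client (e.g. a 'return to' parameter), validated first."""
    return "HTTP/1.1 302 Found\r\nLocation: " + safe_header_value(location) + "\r\n\r\n"
```

Values that reach a database (the Accept-Language case on the slide) need the parameterized-query treatment from the SQL injection section as well; this check only keeps them out of the response framing.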

29 Cookies
- Cookies - Store user-specific information on the user’s local computer
- Web sites use cookies to identify repeat visitors
- Examples of information:
  - Travel Web sites may store the user’s travel itinerary
  - Personal information provided when visiting a site
- Only the Web site that created a cookie can read it

30 Types of Cookies
- First-party cookie - Cookie created by the Web site the user is currently visiting
- Third-party cookie - Site advertisers (third parties) place a cookie to record user preferences
- Session cookie - Stored in RAM and expires when the browser is closed
- Persistent cookie - Recorded on the computer’s hard drive and does not expire when the browser closes

31 Locally Shared Object (LSO)
- Locally shared object (LSO) or Flash cookie - Named after the Adobe Flash player
- Different from regular cookies:
  - Stores more complex data
  - Stores up to 100 KB of data from a website (25 times the data of a regular cookie)
  - Cannot be deleted through the browser's normal configuration settings
  - Saved in multiple locations on the hard drive
  - Can be used to reinstate regular cookies that the user deleted or blocked

32 Risks of Cookies
- Cookies have security and privacy risks
  - First-party cookies can be stolen and used to impersonate the user
  - Third-party cookies can be used to track the browsing or buying habits of a user
  - When multiple websites are serviced by a single marketing organization, cookies can be used to track browsing habits on all of the clients’ sites
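An added Python example (not from the book) that ties slides 29 to 32 to the Set-Cookie line in Table 3-3: it parses the header, classifies the cookie as session or persistent by the rule on slide 30 (a lifetime attribute means it is written to disk), and lists the findings a reviewer would raise against the theft and eavesdropping risks on slide 32. The Secure and HttpOnly attributes are standard cookie attributes not shown on the slides.

```python
def parse_set_cookie(header_value: str) -> dict:
    """Parse a Set-Cookie value such as
    'UserID=ThomasTrain; Max-Age=3600; Version=1' into its name/value pair
    and a dict of attributes (keys lower-cased, flags map to '')."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    # Slide 30: a session cookie lives in RAM until the browser closes; a
    # persistent one is given a lifetime (Max-Age or Expires) and is recorded
    # on disk, where it survives the browser and can be copied.
    persistent = "max-age" in attrs or "expires" in attrs
    return {
        "name": name.strip(),
        "value": value.strip(),
        "attributes": attrs,
        "kind": "persistent" if persistent else "session",
    }

def review_set_cookie(header_value: str) -> list:
    """Findings against the slide-32 risks for one Set-Cookie header."""
    cookie = parse_set_cookie(header_value)
    attrs = cookie["attributes"]
    findings = []
    if "secure" not in attrs:
        findings.append("no Secure attribute: the cookie is also sent over plain HTTP, "
                        "where it can be read by eavesdropping")
    if "httponly" not in attrs:
        findings.append("no HttpOnly attribute: script injected by XSS can read the cookie "
                        "and use it to impersonate the user")
    if cookie["kind"] == "persistent":
        findings.append("persistent cookie (%s): remains on disk after the browser closes"
                        % ", ".join(k + "=" + v for k, v in attrs.items() if k in ("max-age", "expires")))
    return findings
```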

33 Attachments
- Attachments - Files that are coupled to email messages
- Malicious attachments are commonly used to spread viruses, Trojans, and other malware when opened
- Most users routinely open any attachment received, even if from an unknown sender
- Attackers often include information in the subject line that entices even reluctant users to open the attachment, such as a current event

34 Session Token
- A user accessing a secure web application needs to be verified to prevent an imposter from “jumping in” to the interaction
- Session token - Verification through which a random string is assigned to the interaction between the user and the web application currently being accessed (the session)
- Web application server assigns a unique session token
- Each subsequent request from the user’s web browser to the web application contains the session token, verifying the user’s identity

35 Session Hijacking
- Session hijacking - Attacker attempts to impersonate the user by using her session token
- Attacker can attempt to obtain the session token by:
  - Using XSS or other attacks to steal the session token cookie from the victim’s computer
  - Eavesdropping on the transmission
  - Guessing the session token (successful if generation of session tokens is not truly random)

36 Session Hijacking Attack (Figure 3-7)
A figure with a victim computer. A line labeled “Session token” connects it to a Web server computer. A line that contains 64da9DACOqgoipxqQDdywg connects the victim computer to the Web server. An attacker’s computer connects to the line labeled “Attacker intercepts session token.” Another line connects the Attacker computer to the Web server that contains 64da9DACOqgoipxqQDdywg and is labeled “Attacker uses stolen session token.”
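The "truly random" requirement from slide 35, as an added Python example (not from the book): a token drawn from the operating system's cryptographic random source next to a counter-based token of the kind that is guessable, an entropy bound that makes the difference measurable, and a constant-time comparison for checking a presented token. predictable_token is a deliberately bad hypothetical generator.

```python
import hmac
import math
import secrets

def issue_session_token(nbytes: int = 32) -> str:
    """Slide 34: the server assigns a unique random string per session.
    secrets uses the OS CSPRNG; 32 bytes gives 256 bits, far beyond any
    guessing budget. URL-safe base64 keeps it usable in a cookie."""
    return secrets.token_urlsafe(nbytes)

def predictable_token(counter: int) -> str:
    """What not to do: a token derived from a counter (or a timestamp, or a
    user id) lets an attacker who sees one token guess its neighbours."""
    return "sess-%08d" % counter

def token_bits(token: str, alphabet_size: int) -> float:
    """Upper bound on the entropy of a token: length * log2(alphabet).
    A generator can only be as good as this bound, and is often worse."""
    return len(token) * math.log2(alphabet_size)

def tokens_match(presented: str, stored: str) -> bool:
    """Compare a presented token with the stored one in constant time, so
    response timing does not leak how many leading characters matched."""
    return hmac.compare_digest(presented.encode("utf-8"), stored.encode("utf-8"))
```

Randomness covers only the guessing route on the slide; the theft and eavesdropping routes are addressed by the HttpOnly and Secure cookie attributes and by TLS.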

37 Plug-Ins and Add-Ons
- Tools can be added to enhance the user’s interaction with a website through the web browser
- Plug-in - Third-party library (Java, Adobe Flash player, Apple QuickTime, Adobe Acrobat Reader) that attaches to the web browser and can be embedded inside a webpage (but affects only that specific page)
- Add-ons or extensions - Tools that add functionality to the web browser itself

38 Malicious Add-Ons
- Attackers can create malicious add-ons to launch attacks against the user’s computer
- ActiveX - Set of rules for how applications under the Microsoft Windows operating system should share information
- ActiveX controls (add-ons) - Specific way of implementing ActiveX; sometimes called ActiveX applications
- ActiveX controls can be invoked from webpages through the use of a scripting language or directly by an HTML command

39 Impartial Overflow Attacks
- “Impartial” attacks can target either the server or the client
- Many of these attacks are designed to “overflow” areas of memory with instructions from the attacker
- Types of attacks:
  - Buffer overflow attacks
  - Integer overflow attacks
  - Arbitrary/remote code execution attacks

40 Buffer Overflow Attack
- Buffer overflow attack - Process attempts to store data in RAM beyond the boundaries of a fixed-length storage buffer
- Data overflows into adjacent memory locations
- Attacker can change the “return address” of the memory location of code and redirect it to a memory address containing malware code

41 Buffer Overflow Attack (Figure 3-8)
A figure of a buffer overflow attack. A box labeled “Normal process” contains four sections: Program instructions, Buffer storing integer data, Buffer storing character data, and Return address pointer. A line labeled “Program jumps to address of next instruction” goes from Return address pointer to Program instructions. A box labeled “Buffer Overflow” contains four sections: Program instructions, Buffer storing integer data, Buffer storing character data, and Return address pointer. An inner box covering the Buffer storing character data and Return address pointer contains the labels Malware, Fill and overflow buffer, and New pointer. A line labeled “Program jumps to attacker malware” goes from Return address pointer to Malware.

42 Integer Overflow
- Integer overflow - Condition that occurs when the result of an arithmetic operation (addition or multiplication) exceeds the maximum size of the integer type used to store it
- When overflow occurs, the interpreted value then wraps around from the maximum value to the minimum value

43 Integer Overflow Attack
- Example: An 8-bit signed integer has a maximum value of 127 and a minimum value of -128
  - If the value 127 is stored in a variable and 1 is added to it, the sum exceeds the maximum value for this integer type
  - Wraps around to become -128
- Integer overflow attack - Attacker changes the value of a variable to something outside the range the programmer had intended by using an integer overflow
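The 127 + 1 wrap-around from slide 43, as an added Python example (not from the book) that generalizes the slide's 8-bit case to any width: wrap_signed reinterprets a result the way a fixed-width two's complement integer would store it, and the checked_ functions show the mitigation, which is to test the range before the result is used for anything like a buffer size.

```python
def wrap_signed(value: int, bits: int = 8) -> int:
    """Reinterpret an arbitrary-precision Python int as an n-bit signed
    (two's complement) value, i.e. what a C int8_t/int32_t would hold after
    the operation overflowed. 127 + 1 becomes -128 for bits=8."""
    mask = (1 << bits) - 1
    low = value & mask                  # keep only the n low-order bits
    if low & (1 << (bits - 1)):         # sign bit set: negative in two's complement
        return low - (1 << bits)
    return low

def signed_range(bits: int) -> tuple:
    """Minimum and maximum of an n-bit signed type: (-128, 127) for bits=8."""
    return -(1 << (bits - 1)), (1 << (bits - 1)) - 1

def checked_add(a: int, b: int, bits: int = 8) -> int:
    """Addition that raises instead of silently wrapping."""
    lo, hi = signed_range(bits)
    result = a + b
    if not lo <= result <= hi:
        raise OverflowError("%d + %d does not fit in a %d-bit signed integer" % (a, b, bits))
    return result

def checked_mul(a: int, b: int, bits: int = 8) -> int:
    """Multiplication with the same check; this is the case that matters for
    size computations such as count * element_size, where a wrapped small
    result leads to an undersized buffer and then a buffer overflow."""
    lo, hi = signed_range(bits)
    result = a * b
    if not lo <= result <= hi:
        raise OverflowError("%d * %d does not fit in a %d-bit signed integer" % (a, b, bits))
    return result
```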

44 Arbitrary/Remote Code Execution
- Heap spray - Targeted to insert data only in certain parts of memory
- Arbitrary/remote code execution - Allows an attacker to run programs and execute commands on a different computer
- Once under the attacker’s control, the computer can perform virtually any command from the attacker
- Arbitrary/remote code execution attacks often take advantage of malicious attachments like a Microsoft Visio file or PDF file

45 Network Attacks
- Attackers place a high priority on targeting networks
- Exploiting a single vulnerability may expose hundreds or thousands of devices to an attacker
- Types of attacks that target a network or network process:
  - Denial of service
  - Interception
  - Poisoning
  - Attacks on access rights

46 Denial of Service (DoS)
Denial of service (DoS) - Attempts to prevent a system from performing its normal functions
Distributed denial of service (DDoS) - Uses thousands of zombie computers in a botnet
Ping flood attack - Ping utility used to send a large number of echo request messages that overwhelm the server
Smurf attack - Ping request with the originating address changed (spoofing) so it appears as if the target computer is asking for a response from all computers on the network

47 SYN Flood Attack
SYN flood attack - Takes advantage of the procedures for establishing a connection
Attacker sends SYN segments in IP packets to the server but modifies the source address of each packet to computer addresses that do not exist or cannot be reached
Server continues to wait for a response (which is not coming) while receiving more false requests and keeping more lines open for responses
Server ultimately runs out of resources and can no longer respond to legitimate requests

48 SYN Flood Attack (Figure 3-9)
A figure of a SYN flood attack. At the top, the Attacker's computer connects by a line to the Server with the description "Sends SYN segments in IP packets to server with modified source addresses." Five computers, Computer A through Computer E, have lines from the Server, each labeled "SYN+ACK." A box next to each line says "Waiting for reply from A" through "Waiting for reply from E." The computers are labeled "Nonexistent or unreachable IP addresses."
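An added example (not from the textbook) of the defender's view of the SYN flood described on the slide and in Figure 3-9: a packet log is constructed inline, half-open handshakes (SYN received, handshake never completed) are tracked per server, and a server whose backlog exceeds a threshold is flagged. Addresses come from the documentation ranges and the threshold is an assumed value.

```python
# Added example (not from the textbook): detecting a SYN flood from a
# constructed packet log by counting half-open TCP handshakes per server.
from collections import defaultdict

# Constructed sample log: (source IP, destination IP, TCP flag seen).
# One legitimate client finishes its handshake with the final ACK; forty
# spoofed sources send a SYN and, as in Figure 3-9, never answer SYN+ACK.
PACKETS = [
    ("203.0.113.5", "192.0.2.10", "SYN"),
    ("203.0.113.5", "192.0.2.10", "ACK"),
] + [(f"198.51.100.{i}", "192.0.2.10", "SYN") for i in range(1, 41)]


def half_open_connections(packets):
    """Return {server: set(clients)} for handshakes that never completed.
    A client's SYN opens an entry; its ACK (third step) closes it."""
    pending = defaultdict(set)
    for src, dst, flag in packets:
        if flag == "SYN":
            pending[dst].add(src)
        elif flag == "ACK":
            pending[dst].discard(src)
    return pending


def detect_syn_flood(packets, threshold=20):
    """Servers whose backlog of half-open handshakes exceeds `threshold`
    (assumed value), i.e. the resource-exhaustion state the slide describes."""
    return {srv: len(clients)
            for srv, clients in half_open_connections(packets).items()
            if len(clients) > threshold}


if __name__ == "__main__":
    print(detect_syn_flood(PACKETS))   # {'192.0.2.10': 40}
```

A server under attack would cap this backlog or use SYN cookies; the counter above is the signal that says when that is happening.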

49 Interception
Man-in-the-middle - Interception of legitimate communication and forging of a fictitious response to the sender
A passive attack records transmitted data; an active attack alters the contents of the transmission before sending it to the recipient
Replay - Similar to a passive man-in-the-middle attack
Replay makes a copy of the transmission before sending it to the recipient, for use at a later time (the man-in-the-middle replays it)

50 ARP Poisoning
ARP poisoning - Attacker modifies the MAC address in the ARP cache to point to a different computer
Table 3-4 ARP poisoning attack (columns: Device; IP and MAC address; ARP cache before attack; ARP cache after attack)
Attacker - IP and MAC address: AA-BB-CC-DD-02; before attack: => 00-AA-BB-CC-DD, => 00-AA-BB-CC-DD-04; after attack: => 00-AA-BB-CC-DD, => 00-AA-BB-CC-DD-04
Victim 1 - IP and MAC address: AA-BB-CC-DD-03; before attack: => 00-AA-BB-CC-DD, => 00-AA-BB-CC-DD-04; after attack: => 00-AA-BB-CC-DD, => 00-AA-BB-CC-DD-02
Victim 2 - IP and MAC address: AA-BB-CC-DD-04; before attack: => 00-AA-BB-CC-DD, => 00-AA-BB-CC-DD-03; after attack: => 00-AA-BB-CC-DD, => 00-AA-BB-CC-DD-02

51 Attacks From ARP Poisoning (Table 3-5)
Table 3-5 Attacks from ARP poisoning (columns: Attack; Description)
Steal data - An attacker can substitute her own MAC address and steal data intended for another device.
Prevent Internet access - An attacker can substitute an invalid MAC address for the network gateway so that no users can access external networks.
Man-in-the-middle - A man-in-the-middle device can be set to receive all communications by substituting that MAC address.
DoS attack - The valid IP address of the DoS target can be substituted with an invalid MAC address, causing all traffic destined for the target to fail.
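An added example (not from the textbook) of two host-side checks for the poisoning shown in Table 3-4 and the attacks listed in Table 3-5: a diff of a cached IP-to-MAC mapping against an earlier snapshot, and a scan for one MAC answering for several IPs, which is what the attacker's MAC (…-02) does once both victims' caches are poisoned. The IP addresses are constructed placeholders; the MACs follow the table.

```python
# Added example (not from the textbook): detecting ARP cache poisoning by
# comparing snapshots and by spotting a MAC that claims several IPs.
from collections import defaultdict

ATTACKER_MAC = "00-AA-BB-CC-DD-02"

# Constructed: Victim 1's ARP cache before and after the attack, in the
# roles of Table 3-4 (Victim 2's entry is rewritten to the attacker's MAC).
BEFORE = {"192.0.2.2": "00-AA-BB-CC-DD-02", "192.0.2.4": "00-AA-BB-CC-DD-04"}
AFTER = {"192.0.2.2": "00-AA-BB-CC-DD-02", "192.0.2.4": "00-AA-BB-CC-DD-02"}


def changed_mappings(before: dict, after: dict) -> dict:
    """IPs whose MAC differs between two snapshots: {ip: (old_mac, new_mac)}.
    A gateway or server IP changing MAC with no hardware change is the
    classic arpwatch-style alarm."""
    return {ip: (before[ip], mac) for ip, mac in after.items()
            if ip in before and before[ip] != mac}


def duplicated_macs(cache: dict) -> dict:
    """MACs that answer for more than one IP in a single cache. Legitimate
    hosts hold one IP each on a simple LAN, so this is a poisoning signal."""
    by_mac = defaultdict(set)
    for ip, mac in cache.items():
        by_mac[mac].add(ip)
    return {mac: ips for mac, ips in by_mac.items() if len(ips) > 1}


if __name__ == "__main__":
    print(changed_mappings(BEFORE, AFTER))
    print(duplicated_macs(AFTER))
```

A static ARP entry for the gateway (Table 3-5's "prevent Internet access" and man-in-the-middle cases) stops the mapping from being rewritten in the first place; these checks tell you when it has been.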

52 DNS Poisoning
Domain Name System - Current basis for name resolution to an IP address
DNS poisoning - Substitutes DNS addresses to redirect a computer to another device
Two locations for DNS poisoning:
  Local host table
  External DNS server

53 Sample HOSTS file (Figure 3-11)
A figure of a sample hosts file in which each line maps an IP address to a domain name; the first entry is localhost.

54 DNS Poisoning (Figure 3-12)
A figure of a DNS poisoning attack. The attacker's computer has a line to the Valid DNS server labeled "1. What is the address of …" A line from the Valid DNS server to the Attacker's DNS server ns.evil.net is labeled "2. Please send IP address of …" A box is labeled "3. Here are all evil addresses: …" A line connecting the Valid DNS server to the Victim's computer is labeled "4. What is the address of …" with the response "… (An attacker's address)."
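An added example (not from the textbook) of the resolver-side defence against step 3 of Figure 3-12, where the attacker's name server ns.evil.net returns "all evil addresses": a bailiwick check that caches only records belonging to the zone the server was asked about and discards the rest, so they can never be handed back to the victim in step 4. The record names and IPs other than ns.evil.net are constructed.

```python
# Added example (not from the textbook): a bailiwick filter that keeps a
# poisoned reply from an attacker's DNS server out of the resolver's cache.


def in_bailiwick(owner: str, zone: str) -> bool:
    """True if `owner` is `zone` itself or a name beneath it. The check is
    label-aware, so 'notevil.net' is NOT inside 'evil.net'."""
    owner, zone = owner.rstrip(".").lower(), zone.rstrip(".").lower()
    return owner == zone or owner.endswith("." + zone)


def filter_response(answer_zone: str, records: list) -> tuple:
    """Split a reply into (accepted, rejected). `answer_zone` is the zone the
    queried server is authoritative for; anything outside it is refused
    rather than cached, however the attacker's server labels it."""
    accepted, rejected = [], []
    for name, rtype, value in records:
        bucket = accepted if in_bailiwick(name, answer_zone) else rejected
        bucket.append((name, rtype, value))
    return accepted, rejected


# Constructed reply from ns.evil.net when asked about a host in evil.net:
# one legitimate answer plus extra records aimed at unrelated domains.
REPLY = [
    ("www.evil.net", "A", "203.0.113.10"),
    ("www.bank.example", "A", "203.0.113.11"),        # outside evil.net
    ("notevil.net", "A", "203.0.113.12"),             # suffix trick, still outside
    ("evil.net.bank.example", "A", "203.0.113.13"),   # zone name embedded, still outside
]


if __name__ == "__main__":
    ok, dropped = filter_response("evil.net", REPLY)
    print("cached:", ok)
    print("dropped:", dropped)
```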

55 Attacks on Access Rights
Privilege escalation - Exploiting a software vulnerability to gain access to restricted data
Two types of privilege escalation:
  Vertical privilege escalation - A user with lower privilege uses privilege escalation to grant themselves access to functions reserved for higher-privilege users
  Horizontal privilege escalation - A user with restricted privileges accesses the different restricted functions of a similar user

56 Transitive Trust
Transitive - A relation with the property that if a relation exists between A and B, and there is also a relation between B and C, then there is a relation between A and C
Transitive trust - If Alice trusts Bob, and Bob trusts Carol, then Alice trusts Carol

57 Transitive Access
Transitive trust can result in transitive access: System 1 can access System 2, and because System 2 can access System 3, System 1 can access System 3
The intention may not be for System 1 to access System 3, but instead for System 1 to be restricted to accessing only System 2
Inadvertent and unauthorized access can result in serious security risks
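An added example (not from the textbook) that makes the transitive-access risk from the last two slides checkable: given the direct trust relationships, it computes everything each system can reach through a chain of trust and reports any reach that the intended access policy never granted, using the slide's System 1 / 2 / 3 scenario as constructed input.

```python
# Added example (not from the textbook): computing the access that transitive
# trust actually grants and comparing it with the intended policy.
from collections import deque


def transitive_access(trust: dict) -> dict:
    """`trust` maps each system to the systems it can access directly.
    Returns the closure: every system reachable through any chain of trust
    (breadth-first, so cycles of mutual trust terminate)."""
    closure = {}
    for start in trust:
        seen, queue = set(), deque(trust.get(start, ()))
        while queue:
            current = queue.popleft()
            if current not in seen:
                seen.add(current)
                queue.extend(trust.get(current, ()))
        closure[start] = seen
    return closure


def unintended_access(trust: dict, intended: dict) -> dict:
    """Systems each principal can reach transitively although the intended
    policy did not allow it: the inadvertent access the slide warns about."""
    findings = {}
    for system, reach in transitive_access(trust).items():
        extra = reach - intended.get(system, set())
        if extra:
            findings[system] = extra
    return findings


# Constructed: the slide's scenario. Each system is only meant to reach its
# immediate neighbour, yet trust chains from System 1 through to System 3.
TRUST = {"System 1": {"System 2"}, "System 2": {"System 3"}, "System 3": set()}
INTENDED = {"System 1": {"System 2"}, "System 2": {"System 3"}, "System 3": set()}

if __name__ == "__main__":
    print(unintended_access(TRUST, INTENDED))   # {'System 1': {'System 3'}}
```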

58 Security+ Guide to Network Security Fundamentals, Fifth Edition
Chapter 3 Application and Networking-Based Attacks

