
Chapter 7

Protecting Against Advanced Attacks

CompTIA Security+
Get Certified Get Ahead
By Darril Gibson

GetCertifiedGetAhead.com © 2017 YCDA, LLC


Introduction
• Comparing common attacks

• Summarizing secure coding concepts

• Identifying application attacks

• Understanding frameworks and guides



Common Attacks
• Denial-of-service (DoS)
– Comes from one system
• Distributed denial-of-service (DDoS)
– Multiple attacking computers
– Typically includes sustained, abnormally high network traffic


Common Attacks
• Privilege escalation
– Gain additional privileges after initial exploit
• Spoofing
– Impersonating or masquerading as someone or something else
• MAC spoofing
• IP spoofing


Common Attacks
• SYN flood attack
– Common attack against Internet servers
– Disrupts the TCP three-way handshake
– Withholds 3rd packet



Common Attacks
• Man-in-the-middle
– Active interception
– Active eavesdropping

• ARP poisoning



ARP Poisoning
• ARP request
• ARP reply
[Diagram: normal operation. User - Switch - Router - Internet]


ARP Man-in-the-Middle
Traffic redirected after ARP poisoning
[Diagram: a switch connecting the three hosts below; after poisoning, victim-to-router traffic passes through the attacker]
Router: 192.168.1.1, MAC 01-23-45-01-01-01
Victim: 192.168.1.5, MAC 01-23-45-55-55-55
Man-in-the-middle attacker: 192.168.1.66, MAC 01-23-45-66-66-66
Consider VLAN segregation
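One way to spot the redirection shown in the diagram on the wire, as an added example that is not part of the slide deck: a monitor that remembers the first MAC seen for each IP in ARP replies and alerts when a later reply rebinds that IP. The addresses are the ones on the slide; the reply log itself is constructed for the demonstration.

```python
# Added example (not from the slide deck): detect ARP poisoning by flagging
# any ARP reply that changes the MAC already learned (or trusted) for an IP.
from typing import Dict, List, Optional, Tuple

# Constructed ARP reply log: (sender IP, sender MAC) in arrival order.
ARP_REPLIES = [
    ("192.168.1.1", "01-23-45-01-01-01"),   # router answers normally
    ("192.168.1.5", "01-23-45-55-55-55"),   # victim answers normally
    ("192.168.1.1", "01-23-45-01-01-01"),   # router again, unchanged
    ("192.168.1.1", "01-23-45-66-66-66"),   # attacker claims the router's IP
    ("192.168.1.5", "01-23-45-66-66-66"),   # attacker claims the victim's IP
]

def detect_arp_poisoning(replies: List[Tuple[str, str]],
                         trusted: Optional[Dict[str, str]] = None
                         ) -> List[Tuple[str, str, str]]:
    """Return (ip, known_mac, new_mac) for every reply that rebinds an IP.

    `trusted` is an optional static IP->MAC table (e.g. the router) that is
    pre-seeded so a poisoned reply is caught even if it is the first one seen.
    """
    table: Dict[str, str] = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
    alerts: List[Tuple[str, str, str]] = []
    for ip, mac in replies:
        mac = mac.lower()
        known = table.get(ip)
        if known is None:
            table[ip] = mac                  # first sighting: learn the binding
        elif known != mac:
            alerts.append((ip, known, mac))  # binding changed: possible poisoning
    return alerts

if __name__ == "__main__":
    static = {"192.168.1.1": "01-23-45-01-01-01"}   # router MAC pinned by the admin
    for ip, old, new in detect_arp_poisoning(ARP_REPLIES, static):
        print(f"ALERT: {ip} moved from {old} to {new}")
```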


DNS Attacks
• DNS poisoning
– Attempt to corrupt DNS data
– Protect against with DNSSEC
• Pharming
– Redirects a web site’s traffic to another web site
• DDoS DNS attacks
– DNS amplification attack



Amplification Attack
• Smurf
– A ping is normally unicast
– Smurf attack sends the ping out as a broadcast
– Smurf attack spoofs the source IP
– Directed broadcast through an amplifying network
– Disable directed broadcasts on border routers



Amplification Attack
• DNS
– Request as much zone data as possible
– Mirai attack did this

• NTP
– Monlist command



Password Attacks
• Online password attack
– Attempts to discover a password from an online system
• Offline password attack
– Attempts to discover passwords from a captured database or captured packet scan


Password Attacks
• Brute force
– Prevent online attacks with account lockout policies
– Protect against offline attacks with strong complex passwords and encryption or hashing
• Dictionary
– Prevent with complex passwords


Password Attacks
• Password hashes
– Password: IC@nP@$$S3curity+
– Hash: 75c8ac11c86ca966b58166187589cc15
– Demo: http://www.md5online.org/
– Password: 12345
– Hash: 827ccb0eea8a706c4c34a16891f84e7b
Password Attacks
• Pass the hash
– Attacker discovers the hash
– Attacker uses the hash to log on
– Older protocols susceptible
• Microsoft LAN Manager (LM)
• NT LAN Manager (NTLM)
– Use NTLMv2 instead
Password Attacks
• Birthday attack
– Birthday paradox
– Hash collision
– Prevent attack with strong hashing
• Rainbow table attack
– Prevent with salted hashes
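Added example (not from the slide deck) tying the hash demo and the rainbow table slide together: the unsalted MD5 of the slide's 12345 password is the same everywhere, so a precomputed table reverses it instantly, while a salted, slow hash from the Python standard library (PBKDF2-HMAC-SHA256) gives every user a different stored value. The lookup table, salts and iteration count are constructed assumptions.

```python
# Added example (not from the slide deck): unsalted MD5 vs salted PBKDF2.
import hashlib
import hmac
import os
from typing import Optional, Tuple

ITERATIONS = 100_000   # assumed work factor; raise it as hardware allows

# Constructed stand-in for a rainbow/lookup table: MD5 digest -> password.
LOOKUP_TABLE = {hashlib.md5(p.encode()).hexdigest(): p
                for p in ("12345", "password", "letmein")}

def unsalted_md5(password: str) -> str:
    """Plain MD5 as in the slide's demo: same password, same hash, every site."""
    return hashlib.md5(password.encode()).hexdigest()

def reverse_with_table(digest: str) -> Optional[str]:
    """Rainbow-table style recovery: look the digest up instead of cracking it."""
    return LOOKUP_TABLE.get(digest)

def salted_hash(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Hash with a random 16-byte salt; store both salt and digest."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest

def verify(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)

if __name__ == "__main__":
    d = unsalted_md5("12345")
    print(d, "->", reverse_with_table(d))   # recovered by a single lookup
    salt1, hash1 = salted_hash("12345")
    salt2, hash2 = salted_hash("12345")
    print(hash1 != hash2)                    # same password, two different stored hashes
    print(verify("12345", salt1, hash1))     # login still works with the stored salt
```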


Common Attacks
• Replay
– Replays data in an attempt to impersonate client
– Timestamps and sequence numbers are effective countermeasures
– Can be
• An application/service attack
• A wireless attack
• A cryptographic attack
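The two countermeasures named above in working form, as an added example that is not part of the slide deck: a receiver that checks an HMAC tag, a timestamp freshness window and a strictly increasing per-client sequence number, so a captured message cannot be submitted a second time. The shared key, message layout and the captured messages are constructed assumptions.

```python
# Added example (not from the slide deck): replay protection with an
# authentication tag, a timestamp window and per-client sequence numbers.
import hashlib
import hmac
import json
import time
from typing import Callable, Dict

SECRET = b"assumed-shared-key"   # constructed; real systems use per-client keys
MAX_SKEW = 30.0                   # seconds a timestamp may differ from the receiver clock

def sign(msg: dict, key: bytes = SECRET) -> str:
    """Build a wire message: canonical JSON body + '.' + HMAC-SHA256 tag."""
    body = json.dumps(msg, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + tag

class ReplayGuard:
    """Accepts each (client, seq) at most once, and only while the timestamp is fresh."""

    def __init__(self, key: bytes = SECRET, now: Callable[[], float] = time.time):
        self.key, self.now = key, now
        self.last_seq: Dict[str, int] = {}   # highest sequence accepted per client

    def accept(self, wire: str) -> str:
        body, _, tag = wire.rpartition(".")   # tag is hex, so the last '.' is the separator
        expected = hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(tag, expected):
            return "reject: bad tag"            # forged or tampered; parse nothing
        msg = json.loads(body)
        if abs(self.now() - msg["ts"]) > MAX_SKEW:
            return "reject: stale timestamp"    # an old capture replayed later
        if msg["seq"] <= self.last_seq.get(msg["client"], 0):
            return "reject: replayed sequence"  # seen this sequence number already
        self.last_seq[msg["client"]] = msg["seq"]
        return "accept"

if __name__ == "__main__":
    guard = ReplayGuard()
    wire = sign({"client": "alice", "seq": 1, "ts": time.time(), "action": "transfer"})
    print(guard.accept(wire))   # accept
    print(guard.accept(wire))   # reject: replayed sequence
```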
Common Attacks
• Known plaintext
– Attacker has samples of both the plaintext and the ciphertext
• Compare with chosen plaintext
Sample plaintext shown on the slide: "The information contained in this email and any accompanying attachments may contain proprietary information about the Pay & Park & Pay parking garage."



Common Attacks
• Typo squatting / URL hijacking
– Attackers purchase similar domain names for various malicious purposes
– Users visit the typo squatting domain when they enter the URL incorrectly with a common typo
• Clickjacking
– Tricks users into clicking something different
– Typically uses frames
Common Attacks
• Session hijacking
– Impersonate the user with the session ID
– Session IDs stored in cookies
• Domain hijacking
– Attacker changes the registration of the domain name
– Typically done by using social engineering techniques to guess owner's password
Common Attacks
• Man-in-the-browser attack
– Type of proxy Trojan horse
– Can capture browser session data

• Driver manipulation
– Shimming
– Refactoring



Common Attacks
• Zero-day vulnerabilities
– Undocumented and unknown to the public
– Vendor might know about it, but has not yet released a patch to address it
• Zero-day attack
– Attempts to exploit zero-day vulnerabilities
– Also known as zero-day exploit
Memory Buffer Vulnerabilities
Application bugs
• Memory leak
– App consumes more and more memory
– Can crash operating system
• Integer overflow
– App attempts to use or create numeric value too big for the available storage
– 8-bit storage
– 95 x 59 = 5,605 (needs at least 13 bits to store)
Memory Buffer Vulnerabilities
• Buffer overflow and buffer overflow attack
– Occur when an application receives data that it can't handle
– Exposes system memory
– Often includes NOP instructions (such as 0x90)
– Can then insert malicious code into memory
– Input validation helps prevent buffer overflow attacks


Memory Buffer Vulnerabilities
• Pointer dereference
– Failed dereference operation can cause app to crash
[Diagram: pointer ptrZip referencing array arrZip of ZIP codes (94025, 20500, 10001, 98052, 92307, 23456, 65619, 22150)]
• DLL injection
– Modifies DLL with malicious code
– When DLL runs, malicious code runs
[Diagram: DLL injection]


Secure Coding Concepts
• Compiled code
– Optimized
– Run as an executable
– Compiler checks the program for errors and
• Runtime code
– Code is evaluated, interpreted, and executed when the code is run
– HTML is interpreted by web browsers and displayed as web pages
Input Validation
• Verifies validity of data before using it
– Verifies proper characters
– Uses boundary and/or range checking
– Blocks HTML code
– Prevents the use of certain characters
• Client-side vs server-side
– Server-side is more secure (many sites use both)
• Input validation prevents
– Buffer overflow, SQL injection, command injection, and cross-site scripting attacks
Secure Coding Concepts
• Avoid race conditions
– Occur when two modules attempt to access the same resource
– First module to complete the process wins
– Database locks prevent race conditions


Error and Exception Handling
• Catch errors and provide feedback
– Prevent improper input from crashing an application or providing information to attackers
– Errors shown to users should be general
– Logged information should be detailed


Secure Coding Concepts
Cryptographic techniques

• Encryption

• Authentication

• Code signing



Secure Coding Concepts
• Code reuse
– Avoid dead code
• Software development kits (SDKs)
– Provide software tools that are easy to reuse
• Code obfuscation
– Camouflage code
Code Quality and Testing
• Static code analyzers
• Dynamic analysis
• Stress testing
• Sandboxing
• Model verification



SDLC Models
Software development life cycle (SDLC) models
• Waterfall
– Multiple stages going from top to bottom
– Strict
• Agile
– Starts with set of principles
– Uses iterative cycles with incremental changes
– Flexible
Secure DevOps
• Security automation
• Continuous integration
• Baselining
• Immutable systems
• Infrastructure as code



Secure Coding Concepts
• Change management
– Ensures developers do not make unauthorized changes
– Provides accounting structure
• Version control
– Tracks software versions
– Identifies who made the change and when


Secure Coding Concepts
• Provisioning (an application)
– Preparing to deploy it
– Configuring for different applications
• Deprovisioning (an application)
– Removing it completely


Application Attacks
• Web servers host web sites
– Apache
– IIS
• Protected by placing in DMZ


Database concepts
• Tables related to each other with keys
• Database schema



Database concepts
Tables
• Rows (also called records or tuples)
• Columns (also called attributes)
• Cells hold individual values (such as "Lisa")


Database concepts
Normalization
• Organizing tables and columns to reduce redundant data and improve performance
• First normal form (1NF)
• Second normal form (2NF)
• Third normal form (3NF)


Database concepts
1NF
• Each row within a table is unique and identified with a primary key
• Related data is contained in a separate table
• None of the columns include repeating groups


Database concepts
2NF (must be in 1NF)
• Non-primary key attributes are completely dependent on the composite primary key
[Table on slide with a composite key: the Publisher column in this table violates this rule]


Database concepts
3NF (must be in 2NF and 1NF)
• All columns that aren't primary keys are only dependent on the primary key
• None of the columns in the table are dependent on non-primary key attributes
[Table on slide: the PublisherCity column violates this rule; it is dependent on the BookID column and on the Publisher column]
SQL Queries
• Used to access data
• Commonly used with web pages
SELECT * FROM Books WHERE Author = 'Darril Gibson'

Attackers enter this instead: Darril Gibson'; SELECT * FROM Customers;--

Result:
SELECT * FROM Books WHERE Author = 'Darril Gibson';
SELECT * FROM Customers
SQL Queries
SELECT * FROM Customers WHERE name = 'Homer Simpson'

• Using SQL Injection
SELECT * FROM Customers WHERE name = ' ' or '1'='1' --'

• Result
SELECT * FROM Customers WHERE name = ' '
SELECT * FROM Customers WHERE '1'='1'


SQL Injection Attack
• Used on unprotected web pages to access backend databases
• Often use the phrase ' or '1'='1 '
• Tricks database into providing information
• Best protection
– Input validation & stored procedures
• XML injection (similar to SQL injection)


SQL Injection Attack
• Protecting against SQL injection attacks
– Input validation
– Stored procedures
• Group of SQL statements that execute as a whole
– Parameterized stored procedures
• Stored procedure that accepts input as a parameter
• Stored procedure can perform input validation
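The ' or '1'='1' phrase from the SQL Queries slides and the parameterized defence from this slide side by side, as an added example that is not part of the slide deck: the same input is sent once through a query assembled by string concatenation and once through a query that binds it as a parameter. It uses Python's built-in sqlite3 module with a constructed in-memory Customers table.

```python
# Added example (not from the slide deck): string-built query vs parameterized
# query, run against a constructed in-memory SQLite Customers table.
import sqlite3
from typing import List

PAYLOAD = "' or '1'='1' --"   # the injection phrase quoted on the slides

def make_db() -> sqlite3.Connection:
    """Constructed sample data standing in for the slide's Customers table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Customers (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO Customers (name) VALUES (?)",
                     [("Homer Simpson",), ("Lisa Simpson",), ("Marge Simpson",)])
    return conn

def find_vulnerable(conn: sqlite3.Connection, name: str) -> List[str]:
    """Query text is concatenated from user input, so the input becomes SQL:
    WHERE name = '' or '1'='1' --'   matches every row."""
    sql = "SELECT name FROM Customers WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]

def find_parameterized(conn: sqlite3.Connection, name: str) -> List[str]:
    """The value is bound as a parameter: the driver treats it as data, never
    as SQL syntax, so the payload is just a name that matches nothing."""
    sql = "SELECT name FROM Customers WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]

if __name__ == "__main__":
    db = make_db()
    print(find_vulnerable(db, "Homer Simpson"))   # ['Homer Simpson']
    print(find_vulnerable(db, PAYLOAD))           # every customer leaks
    print(find_parameterized(db, PAYLOAD))        # []
```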
Application Attacks
• Other injection attacks
– Command injection attack
• Attempts to run operating system commands from within an application


Application Attacks
• Cross-site scripting (XSS)
– Attackers embed malicious HTML or JavaScript code
– Can be in web site or links in email
– Prevented with server-side input validation
– OWASP recommends use of library


Application Attacks
• Cross-site request forgery (XSRF)
– Causes users to perform actions on websites without their knowledge
– Attackers can use to steal cookies and harvest passwords
– XSRF tokens successfully block this attack


Frameworks and Guides
• Frameworks
– Regulatory
– Non-regulatory
– National versus international
– Industry-specific
• Guides
– Vendor-specific
– Platform-specific
– Role- or goal-specific
Chapter 7 Summary
• Comparing common attacks

• Summarizing secure coding concepts

• Identifying application attacks

• Understanding frameworks and guides

• Labs http://gcgapremium.com/501labs/