MIS risk and security project
NETWORKING AND SERVER ATTACKS
Objectives
Describe the different types of networking-based attacks
Explain how servers are attacked
Networking-Based Attacks
Man-in-the-Middle (MITM)
Man-in-the-Browser (MITB)
Replay
Man-in-the-Middle (MITM)
intercepting legitimate communication and forging a false response to the sender
It involves a threat actor who inserts himself into a conversation between two parties. The actor impersonates both parties to gain access to information they are sending to each other.
Neither of the legitimate parties is aware of the presence of the threat actor and thus communicate freely, thinking they are talking only to the authentic party.
Many MITM attacks are between a user and a server.
Man-in-the-Browser (MITB)
An attack intercepts communication between parties to steal or manipulate the data.
Occurs between a browser and the underlying computer.
MITB attack seeks to intercept and then manipulate the communication between the web browser and the security mechanisms of the computer
Con’t
MITB attack begins with a Trojan infecting the computer and installing an “extension” into the browser configuration, so that when the browser is launched the extension is activated.
When a user enters the URL of a site, the extension checks to determine if this is a site that is targeted for attack.
After the user logs in to the site, the extension waits for a specific webpage to be displayed in which a user enters information, such as the account number and password for an online financial institution
When the user clicks “Submit” the extension captures all the data from the fields on the form and may even modify some of the entered data.
Con’t
The browser then proceeds to send the data to the server, which performs the transaction and generates a receipt that is sent back to the browser.
The malicious extension again captures the receipt data and modifies it (with the data the user originally entered) so that it appears that a legitimate transaction has occurred.
Strengths of MITB attack:
Most MITB attacks are distributed through a Trojan browser extension, which provides a valid function to the user but also installs the MITB malware, making it difficult to recognize that malicious code has been installed.
Because MITB malware is selective as to which websites are targeted, an infected MITB browser might remain dormant for months until triggered by the user visiting a targeted site.
MITB software resides exclusively within the web browser, making it difficult for standard anti-malware software to detect it
Replay
An attack is a variation of a MITM attack. Whereas a MITM attack alters and then sends the transmission immediately, a replay attack makes a copy of the legitimate transmission before sending it to the recipient.
This copy is then used at a later time (the MITM “replays” the transmission).
A simple replay would involve the MITM capturing logon credentials between the user’s computer and the server.
Once that session has ended, the MITM would attempt to log on and replay the captured user credentials
Poisoning
Is the act of introducing a substance that harms or destroys a functional living organism.
Three types of attacks inject “poison” into a normal network process to facilitate an attack:
ARP poisoning
DNS poisoning
privilege escalation.
ARP Poisoning
The TCP/IP protocol suite requires that logical Internet Protocol (IP) addresses be assigned to each host on a network.
However, an Ethernet LAN uses the physical media access control (MAC) address to send packets.
In order for a host using TCP/IP on an Ethernet network to find the MAC address of another device based on the IP address, it uses the Address Resolution Protocol (ARP).
If the IP address for a device is known but the MAC address is not, the sending computer sends an ARP packet to all computers on the network that in effect says, “If this is your IP address, send me back your MAC address.”
The computer with that IP address sends back a packet with the MAC address so the packet can be correctly addressed.
This IP address and the corresponding MAC address are stored in an ARP cache for future reference.
In addition, all other computers that hear the ARP reply also cache that data.
A MAC address is permanently “burned” into a network interface card (NIC) so that there is not a means of altering the MAC address on a NIC.
However, because the MAC address is stored in a software ARP cache, it can be changed there, which would then result in the corresponding IP address pointing to a different computer.
This attack is known as ARP poisoning and relies upon MAC spoofing (or imitating another computer by means of changing the MAC address).
Con’t
DNS poisoning
Substitutes a DNS address so that the computer is automatically redirected to another device
DNS poisoning can be done in two different locations: the local host table, or the external DNS server.
TCP/IP still uses host tables stored on the local computer.
When a user enters a symbolic name, TCP/IP first checks the local host table to determine if there is an entry; if no entry exists, then the external DNS system is used.
Attackers can target a local HOSTS file to create new entries that will redirect users to a fraudulent site.
Host tables are found in the /etc/ directory in UNIX, Linux, and macOS, and are located in the Windows\System32\drivers\etc directory in Windows
DNS poisoning
attacks in the external DNS server:
Because DNS servers exchange information among themselves (known as zone transfers), attackers attempt to exploit a protocol flaw and convince the authentic DNS server to accept fraudulent DNS entries sent from the attacker’s DNS server.
If the DNS server does not correctly validate DNS responses to ensure that they have come from an authoritative source, it will store the fraudulent entries locally, serve them to users, and spread them to other DNS servers.
The process of a DNS poisoning attack from an attacker who has a domain name of www.evil.net with her own DNS server ns.evil.net is shown in Figure 5-4:
The attacker sends a request to a valid DNS server asking it to resolve the name www.evil.net.
Because the valid DNS server does not know the address, it asks the responsible name server, which is the attacker’s ns.evil.net, for the address.
The name server ns.evil.net sends the address of not only www.evil.net but also all of its records (a zone transfer) to the valid DNS server, which then accepts them.
Any requests to the valid DNS server will now respond with the fraudulent addresses entered by the attacker.
Privilege escalation
Is exploiting a vulnerability in software to gain access to resources that the user normally would be restricted from accessing.
There are different types of privilege escalation:
One type is when a user with a lower privilege uses privilege escalation to grant herself access to functions reserved for higher-privilege users (sometimes called vertical privilege escalation).
Another type of privilege escalation is when a user with restricted privileges accesses the different restricted functions of a similar user;
Mia does not have privileges to access a payroll program but uses privilege escalation to access Li’s account that does have these privileges (horizontal privilege escalation)
Sometimes privilege escalation is the result of an unintentional relationship between multiple systems.
System 1 can access System 2, and because System 2 can access System 3, then System 1 can access System 3.
However, the intention may not be for System 1 to access System 3, but instead for System 1 to be restricted to accessing only System 2.
This sometimes inadvertent and unauthorized access can result in a privilege escalation, in which threat actors take advantage of access that occurs through succeeding systems.
By exploiting the sometimes confusing nature of this access, attackers can often reach restricted resources.
Server Attacks
Denial of service
Web server application attacks
Hijacking
Overflow attacks
Advertising attacks
Exploiting browser vulnerabilities
Denial of Service (Dos) Attack
An attempt to prevent authorized users from accessing a system.
It overwhelms that system with very high number of “bogus” requests that the system cannot respond to legitimate requests.
Most DoS attacks today are distributed denial of service (DDoS) attacks:
instead of only one computer making a bogus request, a DDoS involves hundreds or even tens of thousands of devices flooding the server with requests
Types of DoS attacks
Smurf attack: attackers broadcast a network request to multiple computers but changes the address from which the request came (called IP spoofing because it imitates another computer’s IP address) to the victim’s computer.
This makes it appear as if it is asking for a response.
Each of the computers then sends a response to the victim’s computer so that it is quickly overwhelmed.
Types of DoS attacks
DNS amplification attack: floods the victim by redirecting valid responses to it.
It uses publicly accessible and open DNS servers to flood a system with DNS response traffic.
Attacker sends a DNS name lookup request to an open DNS server with the source address spoofed to the victim’s address.
When the DNS server sends the DNS record response, it is instead sent to the target.
Types of DoS attacks
SYN flood attack takes advantage of the procedures for initiating a session.
To initialize the connection between a device and a server, it uses a control message, called a synchronize message (SYN).
The server responds with its own SYN along with an acknowledgment (ACK) that it received the initial request, called a SYN+ACK.
The server then waits for a reply ACK from the device indicating that it received the server’s SYN.
To allow for a slow connection, the server might wait for a period of time for the reply.
In an SYN flood attack the attacker sends SYN segments in IP packets to the server but modifies the source address of each packet to computer addresses that do not exist or cannot be reached.
The server continues to “hold the line open” and wait for a response (which is never coming) while receiving more false requests and keeping more lines open for responses.
After a period of time, the server runs out of resources and can no longer respond to legitimate requests or function properly.
Web Server Application Attacks
Most web applications create dynamic content based on input from the user.
For example, a webpage might ask a user to enter a zip code of his vacation destination to receive the latest weather forecast for that region.
These dynamic operations of a web application depend heavily upon inputs provided by users.
Securing web applications is more difficult than protecting other systems:
By design the dynamic web applications accept user input (the zip code). Most other systems would categorically reject any user input as being potentially dangerous
Many web application attacks attempt to exploit previously unknown vulnerabilities known as zero day attacks, these attacks give victims no time—zero days—to defend against the attacks.
Traditional network security devices can block traditional network attacks, they cannot always block web application attacks. This is because many traditional network security devices ignore the content of HTTP traffic, which is the vehicle of web application attacks
Web server application can be grouped into two categories:
Cross-site attacks
Cross-Site scripting attacks(XXS) : an attack using scripting that originates on one site (the web server) to impact another site (the user’s computer).
Takes advantage of web applications that accept user input without validating it before presenting it back to the user.
Cross-Site Request Forgery (XSRF): This attack uses the user’s web browser settings to impersonate that user. If a user is currently authenticated on a website and is then tricked into loading another webpage, the new page inherits the identity and privileges of the victim to perform an undesired function on the attacker’s behalf
Injection attacks
XSS attack: Input used in response
Injection Attacks
Introduces new input to exploit a vulnerability.
SQL injection: one of the most common injection attacks which inserts statements to manipulate a database server
3
Hijacking
Means to illegally seize, commandeer, or take control over something to use it for a different purpose.
Hijacking attacks include:
Session hijacking
URL hijacking
Domain hijacking
Clickjacking
Session Hijacking
It is important that a user who is accessing a secure web application, such as an online retailer order form, can be verified so as to prevent an imposter from “jumping in” to the interaction and ordering items that are charged to the victim but are sent to another address.
This verification is accomplished through a unique session token:
Is usually a string of letters and numbers of variable length such as (64da9DACOqgoipxqQDdywg).
It can be transmitted in different ways: in the URL, in the header of the HTTP requisition, or in the body of the HTTP requisition.
Session hijacking is an attack in which an attacker attempts to impersonate the user by using her session token
URL Hijacking
When user accidentally enters a wrong website address into the browser, the entered address may redirect the user to an alternate website that is usually designed by the hackers for malicious purposes.
The alternate website owner gets free traffic.
The hackers usually target well-known domains like Facebook, Google etc.