Basic Network Attacks
The active and passive attacks can be differentiated on the basis of what are they, how they are performed and how much extent of damage they cause to the system resources. But, majorly the active attack modifies the information and causes a lot of damage to the system resources and can affect its operation. Conversely, the passive attack does not make any changes to the system resources and therefore doesn’t causes any damage.
7. Active Attack
Active attack tries to change the system resources or affect their operation. Always
causes damage to the system.
8. Passive Attack
Passive attack tries to read or make use of information from the system but does not
influence system resources.
9. Basic Network Attack
Password Based Attack
Malware Attack
DOS Attack
IP Spoofing
Man in the Middle Attack
SQL injection Attack
XSS Attack
10. Password Based Attack
An attack in which repetitive attempts are made to duplicate a
valid logon or password sequence.
19. Network Attack Prevention Tips
Install Software Updates
Use Unique Password
Use Two Factor AUTHENTICATION
USE STRONG PASSSWORD
USE A PASSWORD MANAGER
Use a firewall for your Internet connection.
Browse Safely Online
Clear Browser after Leaving Computer
Editor's Notes
Definition of Active Attacks
Active attacks are the attacks in which the attacker tries to modify the information or creates a false message. The prevention of these attacks is quite difficult because of a broad range of potential physical, network and software vulnerabilities. Instead of prevention, it emphasizes on the detection of the attack and recovery from any disruption or delay caused by it.An active attack usually requires more effort and often more dangerous implication. When the hacker attempts to attack, the victim gets aware of it.
The active attacks are in the form of interruption, modification and fabrication.
Interruption is known as masquerade attack in which unauthorizpppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppedattacker tries to pose as another entity.
Modification can be done using two ways replay attack and alteration. In the replay attack, a sequence of events or some data units is captured and resent by them. While alteration of the message involves some change to the original message, either one of them can cause alteration.
Fabrication causes Denial Of Service (DOS) attacks in which attacker strive to prevent licit users from accessing some services, which they are permitted to or in simple words the attacker gain access to the network and then lock the authorized user out.
Definition of Passive Attacks
Passive attacks are the attacks where the attacker indulges in unauthorized eavesdropping, just monitoring the transmission or gathering information. The eavesdropper does not make any changes to the data or the system.
Unlike active attack, the passive attack is hard to detect because it doesn’t involve any alteration in the data or system resources. Thus, the attacked entity doesn’t get any clue about the attack. Although, it can be prevented using encryption methods in which the data is firstly encoded in the unintelligible language at the sender’s end and then at the receivers end it is again converted into human understandable language.In this way, at the time of transit, the message is in an unintelligible form which could not be understood by the hackers. That is the reason, in passive attacks, the prevention has more concern than detection. The passive attacks entangle the open ports that are not protected by firewalls. The attacker continuously searches for the vulnerabilities and once it is found the attacker gains access to network and system.
The passive attacks are further classified into two types, first is the release of message content and second is traffic analysis.
The release of message content can be expressed with an example, in which the sender wants to send a confidential message or email to the receiver. The sender doesn’t want the contents of that message to be read by some interceptor.
By using encryption a message could be masked in order to prevent the extraction of the information from the message, even if the message is captured. Though still attacker can analyse the traffic and observe the pattern to retrieve the information. This type of passive attack refers to as traffic analysis.
Key Differences Between Active and Passive Attacks
The active attack includes modification of the message. On the other hand, in passive attacks, the attacker doesn’t commit any changes to the intercepted information.
The active attack causes a huge amount of harm to the system while the passive attack doesn’t cause any harm to the system resources.
A passive attack is considered as a threat to data confidentiality. In contrast, an active attack is a threat to the integrity and availability of the data.
The attacked entity is aware of the attack in case of active attack. As against, the victim is unaware of the attack in the passive attack.
The active attack is accomplished by gaining the physical control over the communication link to capture and insert transmission. On the contrary, in a passive attack, the attacker just needs to observe the transmission.
Conclusion
The active and passive attacks can be differentiated on the basis of what are they, how they are performed and how much extent of damage they cause to the system resources. But, majorly the active attack modifies the information and causes a lot of damage to the system resources and can affect its operation. Conversely, the passive attack does not make any changes to the system resources and therefore doesn’t causes any damage.
Brute-force password guessing means using a random approach by trying different passwords and hoping that one work Some logic can be applied by trying passwords related to the person’s name, job title, hobbies or similar items.
In a dictionary attack, a dictionary of common passwords is used to attempt to gain access to a user’s computer and network. One approach is to copy an encrypted file that contains the passwords, apply the same encryption to a dictionary of commonly used passwords, and compare the results.
Hybrid attack:
Hybrid password guessing attacks assume that network administrators push users to make their passwords at least slightly different from a word that appears in a dictionary. Hybrid guessing rules vary from tool to tool, but most mix uppercase and lowercase characters, add numbers at the end of the password, spell the password backward or slightly misspell it, and include characters such as @!# in the mix. Both John the Ripper (http://www.openwall.com/john) and Cain & Abel (http://www.oxid.it) can do hybrid guessing.
“Malware” refers to various forms of harmful software, such as viruses and ransomware. Once malware is in your computer, it can wreak all sorts of havoc, from taking control of your machine, to monitoring your actions and keystrokes, to silently sending all sorts of confidential data from your computer or network to the attacker's home base.
Attackers will use a variety of methods to get malware into your computer, but at some stage it often requires the user to take an action to install the malware. This can include clicking a link to download a file, or opening an attachment that may look harmless (like a Word document or PDF attachment), but actually has a malware installer hidden within.
Here are some of the most common types of malware:
Macro viruses — These viruses infect applications such as Microsoft Word or Excel. Macro viruses attach to an application’s initialization sequence. When the application is opened, the virus executes instructions before transferring control to the application. The virus replicates itself and attaches to other code in the computer system.
File infectors — File infector viruses usually attach themselves to executable code, such as .exe files. The virus is installed when the code is loaded. Another version of a file infector associates itself with a file by creating a virus file with the same name, but an .exe extension. Therefore, when the file is opened, the virus code will execute.
System or boot-record infectors — A boot-record virus attaches to the master boot record on hard disks. When the system is started, it will look at the boot sector and load the virus into memory, where it can propagate to other disks and computers.
Polymorphic viruses — These viruses conceal themselves through varying cycles of encryption and decryption. The encrypted virus and an associated mutation engine are initially decrypted by a decryption program. The virus proceeds to infect an area of code. The mutation engine then develops a new decryption routine and the virus encrypts the mutation engine and a copy of the virus with an algorithm corresponding to the new decryption routine. The encrypted package of mutation engine and virus is attached to new code, and the process repeats. Such viruses are difficult to detect but have a high level of entropy because of the many modifications of their source code. Anti-virus software or free tools like Process Hacker can use this feature to detect them.
Stealth viruses — Stealth viruses take over system functions to conceal themselves. They do this by compromising malware detection software so that the software will report an infected area as being uninfected. These viruses conceal any increase in the size of an infected file or changes to the file’s date and time of last modification.
Trojans — A Trojan or a Trojan horse is a program that hides in a useful program and usually has a malicious function. A major difference between viruses and Trojans is that Trojans do not self-replicate. In addition to launching attacks on a system, a Trojan can establish a back door that can be exploited by attackers. For example, a Trojan can be programmed to open a high-numbered port so the hacker can use it to listen and then perform an attack.
Logic bombs — A logic bomb is a type of malicious software that is appended to an application and is triggered by a specific occurrence, such as a logical condition or a specific date and time.
Worms — Worms differ from viruses in that they do not attach to a host file, but are self-contained programs that propagate across networks and computers. Worms are commonly spread through email attachments; opening the attachment activates the worm program. A typical worm exploit involves the worm sending a copy of itself to every contact in an infected computer’s email address In addition to conducting malicious activities, a worm spreading across the internet and overloading email servers can result in denial-of-service attacks against nodes on the network.
Droppers — A dropper is a program used to install viruses on computers. In many instances, the dropper is not infected with malicious code and, therefore might not be detected by virus-scanning software. A dropper can also connect to the internet and download updates to virus software that is resident on a compromised system.
Ransomware — Ransomware is a type of malware that blocks access to the victim’s data and threatens to publish or delete it unless a ransom is paid. While some simple computer ransomware can lock the system in a way that is not difficult for a knowledgeable person to reverse, more advanced malware uses a technique called cryptoviral extortion, which encrypts the victim’s files in a way that makes them nearly impossible to recover without the decryption key.
Adware — Adware is a software application used by companies for marketing purposes; advertising banners are displayed while any program is running. Adware can be automatically downloaded to your system while browsing any website and can be viewed through pop-up windows or through a bar that appears on the computer screen automatically.
Spyware — Spyware is a type of program that is installed to collect information about users, their computers or their browsing habits. It tracks everything you do without your knowledge and sends the data to a remote user. It also can download and install other malicious programs from the internet. Spyware works like adware but is usually a separate program that is installed unknowingly when you install another freeware application
The attacker can do any of the following after gaining access to your network:
• Block the traffic, resulting in a loss of access to the network by authorized users.
• Send invalid data to applications or network services causing unexpected behavior of the applications or services.
• Flood a computer or the entire network with traffic until an overload happens causing shutdown.
DOS ATTACK TYPES
1. (S)SYN floodA SYN flood is a type of DOS attack in which an attacker sends a series of SYN requests to a target’s system in an attempt to use vast amounts of server resources to make the system unresponsive to legitimate traffic.
2. Teardrop attacksA teardrop attack involves the hacker sending broken and disorganized IP fragments with overlapping, over-sized payloads to the victims machine. The intention is to obviously crash operating systems and servers due to a bug in the way TCP/IP fragmentation is re-assembled. All operating systems many types of servers are vulnerable to this type of DOS attack, including Linux.
3. Low-rate Denial-of-Service attacksDon’t be fooled by the title, this is still a deadly DoS attack! The Low-rate DoS (LDoS) attack is designed to exploit TCP’s slow-time-scale dynamics of being able to execute the retransmission time-out (RTO) mechanism to reduce TCP throughput. In short, a hacker can create a TCP overflow by repeatedly entering a RTO state through sending high-rate and intensive bursts – whilst at slow RTO time-scales. The TCP throughput at the victim node will be drastically reduced while the hacker will have low average rate thus making it difficult to be detected.
4. Internet Control Message Protocol (ICMP) floodInternet Control Message Protocol (ICMP) is a connectionless protocol used for IP operations, diagnostics, and errors. An ICMP Flood – the sending of an abnormally large number of ICMP packets of any type (especially network latency testing “ping” packets) – can overwhelm a target server that attempts to process every incoming ICMP request, and this can result in a denial-of-service condition for the target server.
5. Peer-to-peer attacksA peer-to-peer (P2P) network is a distributed network in which individual nodes in the network (called “peers”) act as both suppliers (seeds) and consumers (leeches) of resources, in contrast to the centralized client–server model where the client server or operating system nodes request access to resources provided by central servers
Security Solutions
Monitoring the packets to save your server from the entrance of the counterfeit packets.
Timely upgrading of the security patches on your host’s operating system.
Beware of running of your server very close to the last level of the capacity.
Attacker is monitoring, capturing and controlling data sent between you and the person whom you are communicating with transparently
At low levels of communication on the network layer, computers might not be able to determine with whom they are exchanging data.
Attacker assumes your identity and attempts to gather as much information as possible, while the person you’re communicating with thinks it is you.
Man-In-The-Middle (MITM) attack is the type of attack where attackers intrude into an existing communication between two computers and then monitor, capture, and control the communication. In Man-in-the-middle attack, an intruder assumes a legitimate users identity to gain control of the network communication. The other end of the communication path might believe it is you and keep on exchanging the data.
Man-in-the-Middle (MITM) attacks are also known as "session hijacking attacks", which means that the attacker hijacks a legitimate user's session to control the communication.
A man-in-the-middle attack occurs when someone between you and the person with whom you are communicating is actively monitoring, capturing, and controlling your communication transparently.
When computers are communicating at low levels of the network layer, the computers might not be able to determine with whom they are exchanging data exactly.
For example, the attacker can re-route a data exchange.
Man-in-the-middle attacks are like someone assuming your identity in order to read your communications. The person on the other end may believe it is you because the attacker might be actively replying as you to keep the exchange going and get the desired information.
This attack is capable of the same damage as an application-layer attack.
Security Solutions
Many preventive methods are available for Man-In-The-Middle (MITM) attack and some are listed below.
• Public Key Infrastructure (PKI) technologies,
• Verifying delay in communication
• Stronger mutual authentication
Using Public Key Infrastructures based authentications. It not only protects the applications from eavesdropping and other attacks but also validates the applications as a trusted one. Both the ends are authenticated hence preventing (MITM) Man-in-the-middle-attack.
Setting up passwords and other high level secret keys in order to strengthen the mutual authentication.
Time testing techniques such as Latency examination with long cryptographic hash functions confirming the time taken in receiving a message by both the ends. Suppose if the time taken by a message to be delivered at one end is 20 seconds and if the total time taken exceeds up to 60 seconds then it proves the existence of an attacker.
The ability to inject packets into the Internet with a false source address is known as IP spoofing,
IP spoofing is used by an attacker to convince a system that it is communicating with a known, trusted entity and provide the attacker with access to the system. The attacker sends a packet with the IP source address of a known, trusted host instead of its own IP source address to a target host. The target host might accept the packet and act upon it.
IP Address Spoofing Attacks
IP address spoofing is one of the most frequently used spoofing attack methods. In an IP address spoofing attack, an attacker sends IP packets from a false (or “spoofed”) source address in order to disguise itself. Denial-of-service attacks often use IP spoofing to overload networks and devices with packets that appear to be from legitimate source IP addresses.
There are two ways that IP spoofing attacks can be used to overload targets with traffic. One method is to simply flood a selected target with packets from multiple spoofed addresses. This method works by directly sending a victim more data than it can handle. The other method is to spoof the target’s IP address and send packets from that address to many different recipients on the network. When another machine receives a packet, it will automatically transmit a packet to the sender in response. Since the spoofed packets appear to be sent from the target’s IP address, all responses to the spoofed packets will be sent to (and flood) the target’s IP address.
IP spoofing attacks can also be used to bypass IP address-based authentication. This process can be very difficult and is primarily used when trust relationships are in place between machines on a network and internal systems. Trust relationships use IP addresses (rather than user logins) to verify machines’ identities when attempting to access systems. This enables malicious parties to use spoofing attacks to impersonate machines with access permissions and bypass trust-based network security measures.
Security Solutions
Filtering of packets entering into the network is one of the methods of preventing Spoofing. In other hand, filtering of incoming and outgoing traffic should also be implemented.
ACLs helps prevent Spoofing by not allowing falsified IP addresses to enter.
Accreditation to encryption should be provided in order to allow only trusted hosts to communicate with.
SSL certificates should be used to reduce the risk of spoofing at a greater extent.
SQL (pronounced “sequel”) stands for structured query language; it’s a programming language used to communicate with databases. Many of the servers that store critical data for websites and services use SQL to manage the data in their databases. A SQL injection attack specifically targets this kind of server, using malicious code to get the server to divulge information it normally wouldn’t. This is especially problematic if the server stores private customer information from the website, such as credit card numbers, usernames and passwords (credentials), or other personally identifiable information, which are tempting and lucrative targets for an attacker.
An SQL injection attack works by exploiting any one of the known SQL vulnerabilities that allow the SQL server to run malicious code. For example, if a SQL server is vulnerable to an injection attack, it may be possible for an attacker to go to a website's search box and type in code that would force the site's SQL server to dump all of its stored usernames and passwords for the site.
SQL injection attack is another type of attack to exploit applications that use client-supplied data in SQL statements. Here malicious code is inserted into strings that are later passed to database application for parsing and execution. The common method of SQL injection attack is direct insertion of malicious code into user-input variables that are concatenated with SQL commands and executed. Another type of SQL injection attack injects malicious code into strings and are stored in tables. An SQL injection attack is made later by the attacker.
Following example shows the simplest form of SQL injection.
var UserID;UserID = Request.form ("UserID");var InfoUser = "select * from UserInfo where UserID = '" + UserID + "'";
If the user fills the field with correct information of his UserID (F827781), after the script execution the above SQL query will look like
SELECT * FROM UserInfo WHERE UserID = 'F827781'
Consider a case when a user fills the field with the below entry.
F827781; drop table UserInfo--
After the execution of the script, the SQL code will look like
SELECT * FROM UserInfo WHERE UserID = ' F827781';drop table UserInfo--
This will ultimately result in deletion of table UserInfo
XSS attacks use third-party web resources to run scripts in the victim’s web browser or scriptable application. Specifically, the attacker injects a payload with malicious JavaScript into a website’s database. When the victim requests a page from the website, the website transmits the page, with the attacker’s payload as part of the HTML body, to the victim’s browser, which executes the malicious script. For example, it might send the victim’s cookie to the attacker’s server, and the attacker can extract it and use it for session hijacking. The most dangerous consequences occur when XSS is used to exploit additional vulnerabilities. These vulnerabilities can enable an attacker to not only steal cookies, but also log key strokes, capture screenshots, discover and collect network information, and remotely access and control the victim’s machine.
1.Metasploit Framework – an open source tool for exploit development and penetration testing Metasploit is well known in the security community. Metasploit has exploits for both server and client based attacks; with feature packed communication modules (meterpreter) that make pwning systems fun! The framework now includes Armitage for point and click network exploitation. This is the go to tool if you want to break into a network or computer system.
Defending against Metasploit:
Keep all software updated with the latest security patches.
Use strong passwords on all systems.
Deploy network services with secure configurations.
2.Ettercap – a suite of tools for man in the middle attacks (MITM). Once you have initiated a man in the middle attack with Ettercap use the modules and scripting capabilities to manipulate or inject traffic on the fly. Sniffing data and passwords are just the beginning; inject to exploit FTW!
Defending against Ettercap:
Understand that ARP poisoning is not difficult in a typical switched network.
Lock down network ports.
Use secure switch configurations and NAC if risk is sufficient.
3.sslstrip – using HTTPS makes people feel warm, fuzzy and secure. Using sslstrip this security can be attacked, reducing the connection to an unencrypted HTTP session, whereby all the traffic is readable. Banking details, passwords and emails from your boss all in the clear. Even includes a nifty feature where the favicon on the unencrypted connection is replaced with a padlock just to make the user keep that warm and fuzzy feeling.
Defending against sslstrip:
Be aware of the possibility of MITM attacks (arp, proxies / gateway, wireless).
Look for sudden protocol changes in browser bar. Not really a technical mitigation!
4.evilgrade – another man in the middle attack. Everyone knows that keeping software updated is the way to stay secure. This little utility fakes the upgrade and provides the user with a not so good update. Can exploit the upgrade functionality on around 63 pieces of software including Opera, Notepad++, VMware, Virtualbox, itunes, quicktime and winamp! It really whips the llamas ass!
Defending against evilgrade:
Be aware of the possibility of MITM attacks (arp attacks, proxy / gateway, wireless).
Only perform updates to your system or applications on a trusted network.
5. 5.Social Engineer Toolkit – makes creating a social engineered client side attack way too easy. Creates the spear phish, sends the email and serves the malicious exploit. SET is the open source client side attack weapon of choice.
Defending against SET:
User awareness training around spear phishing attacks.
Strong Email and Web filtering controls.
6.sqlmap – SQL Injection is an attack vector that has been around for over 10 years. Yet it is still the easiest way to get dumps of entire databases of information. Sqlmap is not only a highly accurate tool for detecting sql injection; but also has the capability to dump information from the database and to even launch attacks that can result in operating system shell access on the vulnerable system.
Defending against sqlmap:
Filter all input on dynamic websites (secure the web applications).
Use mod_proxy or other web based filtering controls to help block malicious injection attacks (not ideal as often able to bypass these web application firewalls (WAF).
7. Cain and Abel – Cracking passwords, sniffing VOIP and Man in the Middle (MITM) attacks against RDP are just a few examples of the many features of this Windows only tool.
Defending against Cain and Abel:
Be aware of the possibility of MITM attacks (arp attacks, untrusted proxy / gateway, wireless).
Use strong passwords everywhere.