1.4 Given a Scenario Analyse potential indicators associated with network attacks
Definitions
Evil Twin | Access point which looks like a legitimate access point but is actually malicious; often copies the SSID |
Rogue Access Point | Unauthorized access point on a network |
Bluesnarfing | Unauthorized access to data on a device via bluetooth |
Bluejacking | Sending unsolicited messages to another device via Bluetooth |
Disassociation Attacks | Denial of service attack which prevents WAP from being able to communicate to network |
Deauthentication | Alternative name for disassociation |
Jamming | Transmitting interfering wireless signals to disrupt the signal |
Constant Jamming | Constant non-stop jamming |
Sporadic Jamming | Sporadically containing random/legit data |
Reactive Jamming | Jamming only activates when someone tries to communicate |
Fox Hunt | Term for locating a wireless jammer |
RFID | Radio frequency identifier – short-range technology based on radar |
IV | Random sequence of numbers added to an encryption key to complicate decryption |
On-path attack | Alternatively known as a man-in-the-middle attack. Attacker sits in the middle of a conversation and intercepts traffic; often modifies and redirects it |
Layer 2 attacks | Attacks which occur on the data-link OSI level |
ARP Poisoning | Address resolution poisoning. Spoofing an access point to intercept data |
MAC Flooding | When a switch is flooded with MAC addresses to overload the MAC address table |
Frame Switching | When a switch uses its MAC address table to determine where to route traffic |
MAC Cloning | Spoofing a client's MAC address to appear as an existing device |
Domain Jacking | Gaining access to domain host account to change destination IP |
DNS Poisoning | Modifying the configuration of the DNS server so it provides incorrect IP address ranges for a destination |
Domain Reputation | The trustworthiness of your domain across the web |
Friendly DDOS | An unintentional DDOS |
DDOS Amplification | Attack aimed at causing the victim's server to use larger amounts of resources per response |
Application DOS | DOS attack aimed at breaking application or exhausting all resources |
Operational Technology DOS | Attack aimed at knocking out industrial hardware or software |
Bash | Name for Linux Shell Scripts |
Shell | Name of Linux version of CMD |
Macros | Scripts which automate functions within an application |
Cmdlets | Term for commands executed in PowerShell using CMD |
Questions
What’s the danger of an unintended Rogue Access Point? | Not managed by company security so cannot be secured |
What are the two types of rogue access point? | Wireless Access Point; Wireless sharing on an OS |
How can you detect a Rogue Access Point? | Periodic survey around the office, detecting and comparing wireless devices |
How can you prevent a Rogue Access Point? | Network Access Control |
What is an example of Network Access Control? | 802.1x |
How can an Evil Twin be preferred over a legitimate Access Point? | Rogue access point overpowers the signal of the legitimate access point |
Where are Evil Twin attacks most effective? | Open networks (e.g. coffee shop) |
How can you secure traffic over an open network? | HTTPS; VPN |
What is the range for Bluejacking? | 10 meters |
What is an alternative use for Bluejacking? | Add action prompts to message (e.g. add to contacts) |
What kind of attack is wireless deauthentication? | Type of DDOS |
Why is wireless deauthentication possible? | Older methods of 802.1x sent management frames in unencrypted format |
How do you protect against deauthentication attacks? | Use a modern version of 802.1x (802.1w on) as the management frames are now encrypted |
Is jamming always intentional? | No, accidental jamming can be caused by: Fluorescent lights; Microwaves |
What are the three jamming types? | Constant; Sporadic; Reactive |
What reduces jamming effectiveness? | Distance |
How do you eliminate jamming? | Find and stop the source; Directional antennae |
What technology does RFID rely on? | Radar |
Four types of RFID attacks | Data Capture; Reader spoofing (modify contents); Signal Jamming; Decryption of data |
What is the issue of cryptography without randomisation? | If you know the encryption key it can be decrypted |
How do you add randomisation to cryptography? | Cryptographic Nonce |
What type of attack does Cryptographic Nonce stop? | Replay Attack |
What is typically used to provide a cryptographic nonce? | IV; Salting |
What is the difference between IV and Salting when providing a Nonce? | IV = transmitting password hashes; Salting = storing password hashes |
How would you achieve an on-path attack? | ARP Poisoning |
How does ARP Poisoning work? | Attacker sends out an unsolicited broadcast to the client spoofing the AP details. Client updates DNS records to recognise the attacker's device as the AP. Attacker spoofs the client's address data to relay between itself and the legitimate AP |
How many bits in a MAC address? | 48 |
How many bytes in a MAC address? | 6 |
What is the makeup of a MAC address? | First 3 bytes are the OUI; Last 3 bytes are Network Interface Controller Specific |
What does OUI signify? | The Manufacturer |
What does Network Interface Controller Specific signify? | Serial number |
How does a MAC address work in a network? | Data is sent to different devices on LAN by referencing the MAC address |
How does a switch keep track of MAC addresses? | Builds a MAC address table |
What is also recorded in a MAC address table? | Output interface |
What is an Output Interface? | Which interface to send data out of to reach the MAC address |
What happens when a MAC address table becomes full? | It’ll default to acting like a hub and send traffic down all available interfaces |
How can MAC flooding be exploited? | An attacker can listen at an unprotected interface to collect traffic not intended for them |
How can you protect against MAC flooding? | Switch port security (e.g. disable all unused ports!) |
What are the 5 ways attackers can profit from URL hijacking? | Advertising sites; Sell badly spelt domain to actual owner; Redirect to competitor; Phishing; Malware |
Two examples of domain reputation | Email reputation: if reported as spam too frequently your emails will be flagged as spam; Domains with malware at the destination are flagged and blocked |
Examples of friendly DOS | Layer 2 loop; Bandwidth DOS |
Three examples of Operational Technology | Electric Grids; Traffic Control; Industrial equipment |
What are the five main types of scripts used in attacks? | PowerShell; Python; Shell Script; Macros; Visual Basic (VBA) |