Attacks Flashcards

(38 cards)

1
Q

Attacker exploits the connectionless nature of UDP: the attacker sends a small packet that appears to originate from the victim's IP address to a vulnerable UDP service. The server then sends a significantly larger response back to the victim's address.

A

Amplified DDoS Attack

2
Q

Targets weakness within OS or installed application

A

Application Attack

3
Q

Respond to DNS queries with spoofed replies

A

ARP Poisoning

4
Q
  • Used to regain access to network once company thinks foothold is gone
  • does not capture login credentials
A

Backdoor Virus

5
Q
  • Collection of compromised computers used or sold to another hacker
    • attackers use botnets for distributed denial of service attacks
A

Botnet

6
Q

Taking control of a device

A

Bluebugging

7
Q

Unauthorized access to information on a wireless device through a Bluetooth connection; implies control or theft of data

A

Bluesnarfing

8
Q

Sending unsolicited messages over Bluetooth without taking control

A

Bluejacking

9
Q
  • Attempt to circumvent web server command filters by exploiting the canonicalization of plaintext (may allow code injection or directory traversal)
A

Canonicalization Attack

10
Q

Attacker executes shell commands on the host via a vulnerable web application (e.g., through input fields)

A

Command Injection: attacker executes shell commands

11
Q
  • Computer's increased memory usage
  • Repeatedly sending requests out to random IP ranges
A

Computer Worm

12
Q

Malicious scripts inserted into a website and executed in the browser of any user viewing the page, to steal information or perform malicious redirection

Ex. A user posts a comment on a blog. The website does not sanitize input.

alert("XSS")

The script is stored in the database.
Anyone who views the comments page triggers the alert pop-up.

A

Cross Site Scripting

13
Q

A web security attack in which a malicious website tricks a user's browser into performing actions on another website where the user is already logged in.

A

Cross-Site Request Forgery (CSRF)

14
Q

Resource consumption and resource instability

A

Denial of Service

15
Q

Attacker attempts to reach the parent directory
- Uptick in requests for files not listed on the site
- Sometimes uses canonicalization
Ex.
18:02:00 | 198.51.100.2 | /images/logo.png | 200
18:02:10 | 198.51.100.2 | /css/style.css | 200
18:02:15 | 198.51.100.2 | /api/products | 200
18:02:20 | 198.51.100.2 | /../../../etc/passwd | 404
18:02:25 | 198.51.100.2 | /images/../../../../etc/shadow | 404

A

Directory Traversal attack

16
Q

A large number of simultaneous connections are being attempted from various IP addresses towards the company's web server.
Several hundred concurrent connections are all being attempted within just a few seconds.

20:00:00 | 192.0.2.10 | 203.0.113.5 | 80 | TCP | Connection Attempt | 10000
20:00:01 | 192.0.2.11 | 203.0.113.5 | 80 | TCP | Connection Attempt | 10000
20:00:01 | 192.0.2.12 | 203.0.113.5 | 80 | TCP | Connection Attempt | 10000
20:00:01 | 192.0.2.13 | 203.0.113.5 | 80 | TCP | Connection Attempt | 10000
20:00:01 | 192.0.2.14 | 203.0.113.5 | 80 | TCP | Connection Attempt | 10000

A

Distributed Denial Of Service

17
Q
  • Attacker edits local client HOSTS file, causing traffic to be redirected to malicious web site instead
A

Domain name system client cache poisoning

18
Q

Traffic appears to come from another location that does not exist (to confuse a company looking for an infection)

A

Domain name system (DNS) poisoning attack

19
Q

A downgrade attack makes a server or client use a lower-specification protocol with weaker ciphers and key lengths.

A

downgrade attack

20
Q

Attacker attempts to get a copy of the entire DNS zone data (all DNS records for a domain) by pretending to be an authorized system. This can expose sensitive information about the domain.

A

DNS Zone Transfer

21
Q

Attempts to hijack an ongoing authenticated session to perform an action without the user's consent
- Look in URL analysis and web server logs to detect

A

Forgery Attack

22
Q

Multiple attempts from the same source IP, same username, various complex and random passwords in a short time
- It's a combination of dictionary words with variations that include characters so they meet complexity requirements
15:32:00 | 203.0.113.7 | Admin | Authentication Attempt | admin1
15:32:01 | 203.0.113.7 | Admin | Authentication Attempt | Xyz@123
15:32:02 | 203.0.113.7 | Admin | Authentication Attempt | qwertyABCD!
15:32:02 | 203.0.113.7 | Admin | Authentication Attempt | 1Adm!nP@ss
15:32:03 | 203.0.113.7 | Admin | Authentication Attempt | $ecUr3P@55

A

Hybrid Password Attack

23
Q

Exploits the insecure way in which the application processes requests and queries
- A common example attack attempts to cause the server to run OS shell commands and return the output to the browser
- Look in URL analysis and web server logs to detect

A

Injection Attack

24
Q

After Clean Up, More Logins at Varying Times
Installed key logger compromised user accounts

25
- Data changes after transmission. Ex. Client says numbers changed after a verbal agreement.
- Eavesdropping: attacker intercepts information, modifies it, and sends it on to the recipient
On path Attack (man in the middle)
26
Potentially unwanted
PUPS
27
Attack that uses large precomputed tables of hash values to quickly look up the original plaintext from its hash
- Attacker builds a huge table of hashed values
- Works on simple or common passwords, or if passwords aren't salted or use weak salts
Rainbow Attack
28
- Frequent communication with an unknown external IP address
- Unauthorized software on the workstation
- Actively transmitting sensitive system data to an external address (exfiltrating data)
- Possibly receiving commands or files in return
Remote Access Trojan (RAT)
29
A replay attack works by capturing or guessing the token value and then submitting it to re-establish the session illegitimately ("replaying the login session")
- A session ending and then immediately being re-established would most likely be this type
- Attackers can capture cookies by sniffing network traffic via an on-path attack or when they are sent over an unsecured network, like a public Wi-Fi hotspot
- Session cookies can also be compromised via cross-site scripting (XSS). XSS is an attack technique that runs malicious code in a browser in the context of a trusted site or application
- Look in URL analysis and web server logs to detect
Replay Attack
30
Attacker gained SYSTEM-level access, cleans logs, and uses variations on known file names to remain undetected.
Rootkit
31
Email with a file attachment that has an odd double extension; a .ps1 PowerShell script implies an executable
Script Virus
32
A shoulder surfing attack is a visual eavesdropping technique where an attacker observes someone’s screen, keyboard, or device to steal sensitive information.
Shoulder Surfing Attack
33
Password spraying: trying a small number of commonly used passwords against a large number of usernames and accounts. The attacker chooses one or more common passwords (for example, password or 123456) and tries them in conjunction with multiple usernames.
Spraying
34
Malware from a vendor in the supply chain
Supply Chain
35
2023-11-02 14:23:56 [IP:192.168.1.101] [ERROR] User login failed for username: 'admin' OR '1'='1';
- SQL injection, manipulates queries: 'admin' OR '1'='1';
Ex. SELECT * FROM users WHERE username = 'admin' OR '1'='1'; AND password = '';
12:30:15 | 203.0.113.5 | /products?category=' OR '1'='1 | 200 | Allowed
12:30:16 | 203.0.113.5 | /login?username=admin'-- | 200 | Allowed
12:30:17 | 203.0.113.5 | /search?query=laptops | 200 | Allowed
12:30:18 | 203.0.113.5 | /products?category='; DROP TABLE users; -- | 403 | Blocked
SQL injection
36
Malformed XML payloads in request URLs
21:45:00 | 203.0.113.4 | /api/createUser | 200 | Johnabc123
21:45:05 | 203.0.113.4 | /api/createUser | 200 | Janexyz789
21:45:10 | 203.0.113.4 | /api/createUser | 400 | Bob123&1
21:45:15 | 203.0.113.4 | /api/createUser | 400 | Alice456
XML Injection
37
- Targets a group at a company to steal proprietary information
- Attacker compromises a third-party site that the group visits
- Waits for them to visit
- Victims think they are signing up for an event; instead, when they click the MS Office file link, a trojan is installed
Watering Hole
38
Large increase in logins and failed intrusion attempts. Aim: gain control of the host, steal data, gain further access.
Web Server Under Attack