Attack Basics
or Basic Attack
(Chapter 2)

Definition

Understand the type of
attack based on a particular scenario

Password Attacks

MITIGATE: encrypt and hash stored
passwords, use account lockouts

Attacks are carried out through
attack vectors

Vectors can be exploited
via Vulnerabilities

Physical vulnerabilities,
exploited via social engineering

Technical Vulnerabilities

Systems (attack vectors)
can be attacked via social engineering
or technical attacks

Technical attacks
are direct attacks on
software, system/networks,
hardware

Internal Attack
requires deployment inside the
system/attack vector

Malware
(Malicious Software)

Instead of a physical attack like
phishing, the attacker can attack
via malware

Malware attacks/infects different
parts of the system:
registry, memory, macros
and other networks

Different types of malware
infect different system components and
have different behaviours

Virus
is a type of malware

Viruses infect a system
by spreading copies of themselves

Executed by some kind of
action (e.g. opening an infected file)

Once opened/executed,
the virus is then able to
replicate across the system

Copies (replicates) itself by attaching
itself to files

Every copy uses up
system resources,
making the system unusable
(like a DoS)

Different viruses
infect and cover different system areas

System is up and
running, aka
system is started

(Post Start-Up)

Network
(Non-Resident)

the opposite of resident is
a non-resident virus

Memory
(resident)

A virus that is always active/available
from system startup

is known as a
Resident Virus

it resides or lives in memory,
hence "resident"

Another similar virus that
loads into memory
but exists before system startup is

Documents
(Files)

Macro Viruses

Before System/Machine
Startup

(Pre-Startup)

Boot Sector Virus

Tries to replicate outside of the
system

Associated with
MS Office files (like MS Word);
spreads via email or file shares

Boot Sector
(Sector of Hard Drive)

All categorised as
program- or file-infecting viruses:
finds files to infect and activates in memory.

Easily detected via signature or binary code

Deploys itself in the hard drive's
first sector
and spreads via floppy disk,
so it runs when the machine
is booting up

not always active/available;
doesn't live in memory but copies itself
elsewhere (other networks), non-local,
hence non-resident

To avoid detection,
viruses have evolved to be more evasive,
i.e. viruses have different defences
or protections,
different ways of hiding

Some viruses change themselves
each time they infect a file

Polymorphic Virus,
as in many forms/shapes

changing its code (internal change)
means
there's no recognisable signature,
which makes it difficult to detect

to detect it, a
heuristic scan could be used to analyse the code

instead of constantly changing,
some use armour/a shield, like an extra
layer of protection

known as
Armoured Viruses

The layer of armour makes functions
difficult to analyse (with heuristics)

does this by preventing
disassembly or debugging,
so a heuristic scan can't even
get to the code to decipher it

Instead of armour or change,
instead of allowing itself (the virus)
to be found,
a virus can just hide itself

Stealth Virus

Whenever it infects,
it may hide the file size, so
the file appears unchanged

or it removes itself from a file
and infects a different file.

perhaps the scanner has already scanned and marked
that different file as safe, so now the virus is
free to infect it

Infects multiple areas/parts,
to make things difficult

Multipartite
Virus

Basically combines
different (multiple) attributes

Similar to boot sector
virus

Infects both the boot sector
and regular executable files (like Word docs)

More advanced
memory-resident:

Fileless Viruses

uses tools available
on the machine to create itself and infect

so may use Python
or PowerShell to
download further resources
and create the infection

A more dangerous type of
malware, more so than a virus;
requires no user
interaction

other types of malware
don't replicate
but instead just hide in plain sight

Worm

once it's deployed on a machine
it can self-replicate, continuously
copying itself

spreads itself to other machines,
across the network and the internet

Does this by exploiting
vulnerabilities, e.g. email attachments,
malicious links, file sharing:
any feasible way of passing itself on

Once it infects a machine,
it uses system resources,
may add a backdoor,
modify or delete files

We call these
Trojans

Instead of replicating, they
hide in a popular tool

When the tool is sent to others,
those machines are also infected

like a Trojan horse,
it hides itself and gives backdoor
access to the originator

the backdoor can be used
to steal information, log keys (key logger),
or download more malicious files

Let's say a remote access
trojan is used for the backdoor;
the attacker may want
more access (permissions)

the trojan downloads
malicious code to gain more permissions

This malicious code
is a Rootkit

since backdoor trojans allow access,
they are also known as
RATs (Remote Access Trojans):
allows the attacker to remotely control
the system

used to give the attacker
root or admin privileges

basically performs privilege
escalation

like viruses and trojans,
rootkits like to hide themselves
to escape detection.

May find them in system processes
or outgoing network traffic.
They can attach to other processes
via process hooking

Specialised software may be needed
to remove rootkits, as they can
be complex to remove

Some viruses and trojans
don't only replicate and allow backdoors;
instead they have other malicious behaviour

trigger
actions after an event
or after certain logic has
happened

known as a Logic Bomb

the logic could be set to
delete files at a certain time

allows
control of the system (similar to a RAT)

System becomes a robot
that is controlled by the attacker

known as a Bot

multiple bot-controlled systems
form a botnet, aka
bot network (network of bots)

the attacker (botnet master) can send
commands to a bot and instruct it
to perform the action

So it can be used to
do DDoS and disrupt
a service

so bots are just
computers under the attacker's control

malware that aims to stop or prevent
valuable files from being used.

valuable files
are encrypted,
and a key is required to decrypt them

known as Crypto-malware

to decrypt and regain access to
the encrypted files, a ransom must be paid

so this now becomes
Ransomware

APTs encrypt files and hold
victims to ransom
for decryption.
e.g. WannaCry, as in WannaCrypto

Alternative malware,
not used for attacks
but a nuisance

Known as
Potentially Unwanted Programs
(PUPs)

usually bundled with software

comes in different forms,
aka has different behaviours

Spies on the user,
collects personal info (PII) from the machine,
websites they visit, location etc

called
Spyware

tracks user activity and
reports back to the originator
(like a trojan)

it changes the browser homepage,
adds a bunch of sites to favourites

tracking of user
activity slows down the system

can say
adware is a type of spyware
but more for advertising

known as Adware

basically tracks user interests,
like the sites you visit,
aka web surfing habits

based on interests,
it displays an associated ad,
so if browsing shoe sites,
it will display a shoe ad

ads might be popups

adware violates
privacy laws

Another type of
crypto-malware
used for mining

malicious crypto-mining
used for crypto-jacking attacks

Attackers use the target's system
to mine cryptocurrencies

similar to other types of malware,
it hides within the system, unknown to the user,
and uses system resources to mine

system resource usage
slows down the system,
increases electricity use and
shortens device lifespan

deployed like typical malware, through malicious links or infected online ad (using javascript) to load code

Instead of deploying
malware,
the attack happens externally,
from outside (rather than as
internal disruption)

External Disruption or Attack

Different External
Attack Vectors

Device/Machine
(Physically/in-person)

a direct attack on a
physical device
(like shoulder surfing
in social engineering)

Physical (in-person) Device Attacks

different physical
devices

Attacking the system machine
or network

Attack on an ATM,
aka cash machine

A specially modified
swipe mechanism on the ATM

could be installed over
the legit one
and used to steal the card's data

aka Skimming

once the card data is skimmed,
the card can be cloned

Card Cloning

(Training)
Data

instead of physically
disrupting systems,
can affect/pollute the data sources of systems
and applications

can attack systems
by manipulating AI and machine
learning algorithms

The data source of ML
is training data

training data for an
autonomous vehicle can be tainted/changed
by modifying road signs

the vehicle now processes incorrect
data;
this disrupts the vehicle's functionality

Similar attack on a
fraud detection system

Passwords

Instead of disruption and manipulation,
or after trying those two,
the attacker may try to gain access
via an attack on the login

External, in that
they are trying to gain access
to the system

Password attacks

if a password is too simple,
aka short, or a common word,
it could be vulnerable

weak passwords are vulnerable.
unencrypted passwords are vulnerable

a weak pass could allow an
attacker to attempt login,
trying every word in the dictionary as the password

aka
Dictionary Attack

there's a more advanced
type of attack that
relies on cryptanalysis and
advanced algorithms

Traditional/Simple
Brute-Force attack

uses algorithms to
attempt different combinations
of letters and numbers (whereas a dictionary
attack is a straightforward word list)

So using cryptanalysis
and mathematical methods
to generate different combinations of
passwords

the number of combinations makes it
slower

combine both
brute-force and dictionary
into one tool

basically an automated attack that
uses a list of words (word list) and
attempts login with each word

Hybrid Attack

Builds upon the dictionary word list
by adding various characters
and numbers for different
combinations.

So the word list is combined
with cryptanalysis to
generate different
password combinations

The attacker doesn't have
the plain passwords,
but has the password hashes

Attacker
gets password hashes.

A hash can be used
to retrieve the password by
finding the
hash in a precomputed hash database

known as a Rainbow Table

essentially cracking the hash
to get the password

use hashes to look up the
password within the table and chains.
(More details in comments)
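Added example (not part of the original notes) covering both the rainbow-table lookup above and the "encrypt and hash stored passwords" mitigation from the Password Attacks node. The attacker side is a precomputed table of unsalted SHA-256 digests built from a constructed word list (a real rainbow table stores hash chains to save space, but a plain dictionary shows the same lookup); the defender side stores passwords with a random per-user salt and PBKDF2 from the standard library, so the same password no longer maps to a table entry. The word list and the "leaked" hash are constructed for the demo.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a dictionary/word list file (assumption, not a real leak).
WORDLIST = ["password", "letmein", "sunshine", "qwerty", "dragon"]


def build_precomputed_table(words):
    """Attacker side: precompute unsalted SHA-256 digests once, reuse against any leak.
    Maps hex digest -> plaintext. A rainbow table compresses this with hash chains."""
    return {hashlib.sha256(w.encode()).hexdigest(): w for w in words}


def lookup_unsalted(table, digest_hex):
    """Return the plaintext whose unsalted hash matches, or None if not in the table."""
    return table.get(digest_hex)


def store_salted(password, iterations=200_000):
    """Defender side: random 16-byte salt + PBKDF2-HMAC-SHA256 (hashlib.pbkdf2_hmac).
    The salt is stored beside the hash; it does not need to be secret, only unique."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": dk.hex()}


def verify_salted(password, record):
    """Recompute with the stored salt and compare in constant time."""
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(record["salt"]), record["iterations"]
    )
    return hmac.compare_digest(dk.hex(), record["hash"])


def demo():
    """Returns (recovered, salted_in_table, hashes_differ, verify_ok, verify_wrong)."""
    table = build_precomputed_table(WORDLIST)

    # Constructed "leaked" unsalted hash of a weak password: one dict lookup recovers it.
    leaked = hashlib.sha256(b"sunshine").hexdigest()
    recovered = lookup_unsalted(table, leaked)

    # Same weak password stored properly: nothing in the precomputed table matches,
    # and two users with the same password get different stored hashes.
    record = store_salted("sunshine")
    other = store_salted("sunshine")
    salted_in_table = lookup_unsalted(table, record["hash"])
    hashes_differ = record["hash"] != other["hash"]

    return (
        recovered,
        salted_in_table,
        hashes_differ,
        verify_salted("sunshine", record),
        verify_salted("Sunshine", record),
    )


if __name__ == "__main__":
    print(demo())
```

Salting forces the attacker to recompute the word list per user instead of once per table, and the PBKDF2 iteration count makes each of those recomputations cost roughly 200,000 hash operations rather than one; the lockout from the mitigation node limits online guessing the same way this limits offline guessing.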

if the rainbow table doesn't work,
then try a birthday attack

All attacks can be made easier
by using older versions

For web protocols,
recent versions have the latest
fixes applied. Older versions
will not, and therefore have more vulnerabilities

Possible to force an older
version, aka
Downgrade attack

May be possible to downgrade
by using an older browser,
as an older browser won't have the
updated protocols

the browser sends requests to the server
(using older protocol versions)

instead of the password,
the attack attempts login
using the hash

this is known as a
Pass-the-Hash Attack

Vulnerability found
in NTLM
(NT LAN Manager)

opposite

so even when executables
are cleaned, the virus remains in the boot sector

like a zombie malware

Bots could be used
to mine crypto

leave malware-infected
USB devices (flash drives, charging cables)
around the environment

feed poisoned data
to the fraud system,
causing the system to ignore
certain fraudulent actions/behaviours

Brute forcing can lead to
account lockouts

eventually someone will pick it up
and insert it into a machine,
causing the malware to spread

Possible to escape this
using
password spraying

spraying (or trying) a single password
across different accounts
to avoid account lockout

instead of repeatedly trying different passwords
for one account, try
the same password against different login accounts

Reverse/opposite of a password attack:
the threat actor tries different usernames
instead of passwords

a birthday attack looks for matching
hash collisions.
Instead of looking
for one specific hash collision, it looks for
any match (more chance of finding any match
than one specific match)

NTLM authentication
protocols

So instead of looking for
one specific hash match (collision),
this attack looks for any match (collision)

So putting some values
through the hash function,
there is more likely to be a collision

putting random passwords
into the hash function is likely to find a
match for one of the attacker's hashes

So instead of a phishing
attack, can use
malware to get into the system

So instead of having
an actual physical file with the
virus infection,
this virus creates itself

So external here
means the attacker doesn't
yet have access to the system (so can't deploy malware)

Attacking
from outside the perimeter,
outside the system