1.0 Threats, Attacks, and Vulnerabilities.

1.4 Given a scenario, analyze potential indicators associated with network attacks.

Last edited 841 days ago by Makiel [Muh-Keel].

Wireless Network Security

One of the first things you need to consider when designing a secure network is how it could be attacked.
Attackers may pose as legitimate wireless networks, add their own wireless devices to your network, interfere with the network, use protocol flaws or attacks, or take other steps to attack your network.

Evil Twin

An Evil Twin is a malicious fake access point that is set up to appear to be a legitimate, trusted network.
Sometimes it can be as simple as placing an ‘Evil Twin AP’ closer to the target.
The attacker provides Internet connectivity so that the victim does not realize that something has gone wrong. The attacker then captures all of the victim's network traffic and looks for sensitive data, passwords, or other information they can use.

Rogue Access Point

Rogue Access Points are APs added to your network either intentionally or unintentionally.
Once they are connected to your network, they can offer a point of entry to attackers or other unwanted users.
Many devices have built-in wireless connectivity and may show up as an accessible network.
It’s important to monitor your network and facilities for rogue access points.
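The monitoring the last two sections call for starts with comparing what is on the air against the access points you actually deployed. The following is an added example, not part of the original notes: it classifies Wi-Fi scan results against an allowlist of our own BSSIDs, flagging an unknown radio that advertises one of our SSIDs (an evil twin candidate) separately from APs with SSIDs we do not run at all (possible rogue APs). The SSIDs, MAC addresses and scan records are constructed sample data.

```python
# Added example (not from the original notes): classify the results of a Wi-Fi
# scan against an allowlist of the access points the organization actually owns.
# The SSIDs, BSSIDs and scan records below are constructed sample data.

AUTHORIZED_APS = {
    # SSID -> set of BSSIDs (AP radio MAC addresses) we deployed ourselves
    "CorpWiFi": {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"},
    "CorpGuest": {"aa:bb:cc:00:00:03"},
}

# Constructed scan results: (ssid, bssid, channel, signal_dbm, security)
SAMPLE_SCAN = [
    ("CorpWiFi", "aa:bb:cc:00:00:01", 36, -55, "WPA2"),
    ("CorpWiFi", "aa:bb:cc:00:00:02", 44, -70, "WPA2"),
    ("CorpWiFi", "de:ad:be:ef:00:01", 6, -40, "OPEN"),        # unknown radio, our SSID, strongest signal
    ("CorpGuest", "aa:bb:cc:00:00:03", 1, -60, "WPA2"),
    ("Printer-Setup", "02:11:22:33:44:55", 11, -65, "OPEN"),  # unknown SSID seen inside the building
]


def classify_scan(scan, authorized):
    """Split scan records into evil-twin candidates and other unknown APs.

    An evil-twin candidate advertises one of our SSIDs from a BSSID we do not own.
    Anything else with an unknown BSSID is reported as an unknown AP so that it can
    be checked physically (a rogue AP someone plugged into the wired network will
    usually show up here first).
    """
    evil_twins, unknown = [], []
    for ssid, bssid, channel, signal, security in scan:
        if ssid in authorized and bssid in authorized[ssid]:
            continue  # one of ours
        record = {"ssid": ssid, "bssid": bssid, "channel": channel,
                  "signal_dbm": signal, "security": security}
        if ssid in authorized:
            # Same SSID as a real network, but a radio we never deployed.
            record["note"] = "open network" if security == "OPEN" else "unexpected BSSID"
            evil_twins.append(record)
        else:
            unknown.append(record)
    # Strongest signal first: that is the one clients will prefer to join.
    evil_twins.sort(key=lambda r: r["signal_dbm"], reverse=True)
    return {"evil_twin": evil_twins, "unknown": unknown}


if __name__ == "__main__":
    for kind, records in classify_scan(SAMPLE_SCAN, AUTHORIZED_APS).items():
        for r in records:
            print(f"{kind:10} {r['ssid']:15} {r['bssid']} ch{r['channel']:<3} "
                  f"{r['signal_dbm']} dBm {r['security']}")
```

Feed it the output of whatever scanner you already run (a wireless controller export, or `iw`/`airport` scan results parsed into the same tuples); the allowlist is the part that has to be maintained as APs are added or replaced.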

Bluetooth Attacks

There are two types of Bluetooth attacks for the Security+ exam: bluejacking and bluesnarfing.
Bluejacking simply sends unsolicited messages to Bluetooth-enabled devices.
Bluesnarfing is unauthorized access to a Bluetooth device, typically aimed at gathering information like contact lists or other details the device contains.
Bluetooth impersonation attacks (BIAS) take advantage of weaknesses in the Bluetooth specification, which means that all devices that implement Bluetooth as specified are likely to be vulnerable to them.
They exploit a lack of mutual authentication, authentication procedure downgrade options, and the ability to switch roles.
The security model for Bluetooth has not significantly improved.
Therefore, your best option to secure Bluetooth devices is to turn off Bluetooth if it is not absolutely needed and to leave it off except when in use.

Disassociation

Attackers who want to conduct evil twin attacks, or who want systems to disconnect from a wireless network for any reason, have two primary options to help with that goal: disassociation attacks and jamming.
Disassociation describes what happens when a device disconnects from an access point.
Many wireless attacks work better if the target system can be forced to disassociate from the access point that it is using when the attack starts.
That will cause the system to attempt to reconnect, providing an attacker with a window of opportunity to set up a more powerful evil twin or to capture information as the system tries to reconnect.
De-authentication Frame
The best way for attackers to force a system to disassociate is typically to send a de-authentication frame, a specific wireless protocol element that can be sent to the access point by spoofing the victim's wireless MAC address.
When the AP receives it, it will disassociate the device, requiring it to then reconnect to continue.
Since management frames for networks that are using WPA2 are often not encrypted, this type of attack is relatively easy to conduct.
WPA3, however, requires protected management frames and will prevent this type of deauthentication attack from working.
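From the defender's side, a forced disassociation leaves a clear trace in a wireless capture: a burst of deauthentication or disassociation frames aimed at one client, far more than normal roaming or idle timeouts produce. The following added example (not from the original notes) flags such bursts with a sliding window over constructed frame records; the MAC addresses, timestamps and thresholds are assumptions for the sample. The subtype values are the management frame subtypes from the 802.11 standard.

```python
from collections import defaultdict, deque

# Added example (not from the original notes): flag bursts of 802.11
# deauthentication / disassociation frames aimed at one client, the pattern a
# forced-disassociation attack leaves in a wireless capture. The MAC addresses
# and frame records below are constructed sample data.

# 802.11 management frame subtypes
SUBTYPE_BEACON = 0x08
SUBTYPE_DISASSOC = 0x0A
SUBTYPE_DEAUTH = 0x0C

AP_MAC = "aa:bb:cc:00:00:01"      # our access point (constructed)
CLIENT_MAC = "11:22:33:44:55:66"  # a laptop on the network (constructed)


def build_sample_frames():
    """Constructed capture: (timestamp_s, subtype, transmitter, receiver)."""
    frames = [(0.0, SUBTYPE_BEACON, AP_MAC, "ff:ff:ff:ff:ff:ff"),
              (0.5, SUBTYPE_DEAUTH, AP_MAC, CLIENT_MAC)]   # one legitimate deauth (idle timeout)
    # 15 deauth frames in 1.5 seconds, all claiming to come from the AP
    frames += [(10.0 + i * 0.1, SUBTYPE_DEAUTH, AP_MAC, CLIENT_MAC) for i in range(15)]
    frames.append((20.0, SUBTYPE_BEACON, AP_MAC, "ff:ff:ff:ff:ff:ff"))
    return frames


def detect_deauth_bursts(frames, window_s=5.0, threshold=10):
    """Return {(transmitter, receiver): peak_count} for pairs that exceed `threshold`
    deauth/disassoc frames inside any sliding window of `window_s` seconds.

    A handful of these frames per day is normal (timeouts, roaming); dozens in a
    few seconds addressed to the same client is the signature of a deauther.
    """
    recent = defaultdict(deque)   # (tx, rx) -> timestamps still inside the window
    alerts = {}
    for ts, subtype, tx, rx in sorted(frames):
        if subtype not in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC):
            continue
        window = recent[(tx, rx)]
        window.append(ts)
        while ts - window[0] > window_s:   # drop timestamps that fell out of the window
            window.popleft()
        if len(window) > threshold:
            alerts[(tx, rx)] = max(alerts.get((tx, rx), 0), len(window))
    return alerts


if __name__ == "__main__":
    for (tx, rx), count in detect_deauth_bursts(build_sample_frames()).items():
        print(f"possible deauth attack: {count} frames {tx} -> {rx} within 5 s")
```

On a WPA3 network with protected management frames the client rejects the spoofed frames, but a monitoring sensor still sees them arrive, so the same check remains useful as an indicator that someone is trying.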

Jamming

Jamming blocks all traffic in the range or frequency it is conducted against. It is another means of attacking radio frequency networks like Wi-Fi and Bluetooth.
Jamming is essentially wireless interference, so it may not always be intentional. Running into devices that send signals in the same frequency range as Wi-Fi devices is not uncommon.
Jamming is also seen as a form of DoS (Denial of Service).
The key difference to know is the one between jammers and deauthers.
A deauther sends deauthentication frames, whereas a jammer transmits a powerful signal to drown out legitimate traffic.
Jammers are generally prohibited in the United States by FCC regulations, whereas deauthers are not, since they operate within typical wireless power and protocol norms.

Initialization Vector (IV) Attack

Wired Equivalent Privacy (WEP) was the original Wi-Fi security standard. WEP used a 24-bit Initialization Vector, which could be reverse-engineered once enough traffic from a network was captured.
Initialization Vector (IV) attacks occur when the initialization vector used to generate the RC4 encryption key can be recovered and the encrypted information exposed.
Initialization Vectors are used to randomize an encryption scheme: the more random, the better.
They are used in encryption ciphers, WEP, and some SSL implementations.
This attack is now little more than historical knowledge, since newer Wi-Fi standards use stronger initialization vectors.

Radio Frequency Identification Attacks

Radio frequency identification (RFID) is a relatively short-range (from less than a foot for some passive tags to about 100 meters for active tags) wireless technology that uses a tag and a receiver to exchange information.
Most of the time it is used to track and identify items.
RFID tags use one of three frequency ranges.
Low-Frequency
Used for short-range, low-power tags, commonly for entry access and identification purposes, where they are scanned by a nearby reader.
High-Frequency
High-frequency RFID tags have a longer readable range, up to a meter under normal circumstances, and can communicate more quickly.
Ultra-High Frequency
The fastest to read and with the longest range, which is why these tags are used where readers need to be farther away.
High-frequency tags have found broad implementation for inventory and antitheft purposes as well as a multitude of other uses where a tag that can be remotely queried from meters away is useful.
RFID attacks happen in a multitude of ways, from simple destruction or damage of the tag so that it cannot be read, to modification of tags, some of which can be reprogrammed.
Tags can be cloned, modified, or spoofed; readers can be impersonated; and traffic can be captured.

Near-Field Communication Attacks

Near-field communication (NFC) is used for very short-range communication between devices. You've likely seen NFC used for payment terminals using Apple Pay or Google Wallet with cell phones.
NFC is limited to about 4 inches of range, meaning that it is not used to build networks of devices and instead is primarily used for low-bandwidth, device-to-device purposes.
Any threats will typically be in close proximity to an NFC device.
Intercepting NFC traffic, replay attacks, and spoofing attacks are all issues that NFC implementations deal with.
NFC devices must also ensure that they do not respond to queries except when desired, so that an attacker cannot simply bring a receiver into range and activate an NFC transaction or response.

Layer 2 Attacks

Attacking the Data Link layer can be an effective technique for attackers who have access to a network. Unlike attacks at higher layers, these attacks require local access to the network or to a system on the network, because Layer 2 traffic is bounded by the local broadcast domain.
Address Resolution Protocol (ARP) poisoning attacks send malicious ARP packets to the default gateway of a network with the intent of changing the pairings of MAC addresses to IP addresses that the gateway maintains.
Attackers send ARP replies claiming that the IP address of a target machine is associated with their own MAC address, causing systems and the gateway to send traffic intended for the target system to the attacker's system; the result is that a foreign system is mapped to an internal MAC address.
Preventative Measures
ARP poisoning can be detected by tools like Wireshark as well as purpose-built network security devices that perform protocol analysis and network monitoring.
Media Access Control (MAC) flooding targets switches by sending so many MAC addresses to the switch that the CAM or MAC table, which stores pairings of ports and MAC addresses, is filled.
Since these tables have a limited amount of space, flooding them triggers a default behavior that sends traffic out to all ports when the destination is not known, to ensure traffic continues to flow.
Attackers can then capture and view the data for their own nefarious purposes.
Preventative Measures
MAC flooding can be prevented by using port security, which limits how many MAC addresses can be learned on ports that are expected to be used by workstations or devices.
In addition, tools like NAC or other network authentication and authorization tools can match MAC addresses to known or authenticated systems.
MAC Cloning duplicates the media access control address (hardware address) of a device.
Tools like the Linux macchanger and iproute2 allow a system's MAC address to be manually changed.
Attackers do this to bypass MAC address–restricted networks or to acquire access that is limited by MAC address.
Preventative Measures
Network access control (NAC) capabilities or other machine authentication and validation technologies can help identify systems that are presenting a cloned or spurious MAC address.
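The ARP poisoning detection mentioned above comes down to watching ARP traffic for replies that should not be there. The following added example (not from the original notes) replays a constructed ARP log and raises three kinds of alert: a reply for an IP address nobody asked about, an IP whose MAC differs from a trusted or previously learned mapping, and one MAC address claiming several IPs. The addresses are constructed, and the gateway's real MAC is assumed to be known in advance.

```python
# Added example (not from the original notes): a minimal ARP monitor of the kind a
# protocol-analysis tool runs to detect ARP poisoning. The addresses and packet
# records below are constructed sample data; the gateway mapping is assumed to be
# known and trusted in advance.

ARP_REQUEST, ARP_REPLY = 1, 2

# Constructed ARP traffic: (timestamp_s, opcode, sender_ip, sender_mac, target_ip)
SAMPLE_ARP = [
    (0.0, ARP_REQUEST, "10.0.0.20", "00:11:22:33:44:20", "10.0.0.1"),   # who has the gateway?
    (0.1, ARP_REPLY, "10.0.0.1", "00:11:22:33:44:01", "10.0.0.20"),     # real gateway answers
    (0.2, ARP_REQUEST, "10.0.0.20", "00:11:22:33:44:20", "10.0.0.30"),
    (0.3, ARP_REPLY, "10.0.0.30", "00:11:22:33:44:30", "10.0.0.20"),
    (5.0, ARP_REPLY, "10.0.0.1", "de:ad:be:ef:00:01", "10.0.0.20"),     # nobody asked: gateway "moved"
    (5.5, ARP_REPLY, "10.0.0.20", "de:ad:be:ef:00:01", "10.0.0.1"),     # same MAC now claims the victim too
]

TRUSTED = {"10.0.0.1": "00:11:22:33:44:01"}   # gateway IP -> MAC, assumed known


def analyze_arp(packets, trusted):
    """Return (alerts, ip_to_mac) after replaying `packets` in time order.

    Indicators checked:
      * an ARP reply for an IP nobody requested (unsolicited / gratuitous reply),
      * an IP whose MAC differs from a trusted or previously learned mapping,
      * one MAC address claiming more than one IP address.
    """
    ip_to_mac = dict(trusted)    # trusted entries are never overwritten
    mac_to_ips = {}
    outstanding = set()          # target IPs with a request in flight
    alerts = []

    def learn(ts, ip, mac):
        known = ip_to_mac.get(ip)
        if known is None:
            ip_to_mac[ip] = mac
        elif known != mac:
            alerts.append(f"t={ts}: {ip} changed from {known} to {mac}")
        claimed = mac_to_ips.setdefault(mac, set())
        claimed.add(ip)
        if len(claimed) > 1:
            alerts.append(f"t={ts}: {mac} claims multiple IPs {sorted(claimed)}")

    for ts, op, sender_ip, sender_mac, target_ip in sorted(packets):
        if op == ARP_REQUEST:
            outstanding.add(target_ip)
        else:
            if sender_ip in outstanding:
                outstanding.discard(sender_ip)
            else:
                alerts.append(f"t={ts}: unsolicited ARP reply {sender_ip} is-at {sender_mac}")
        learn(ts, sender_ip, sender_mac)   # both requests and replies carry the sender's mapping
    return alerts, ip_to_mac


if __name__ == "__main__":
    found, table = analyze_arp(SAMPLE_ARP, TRUSTED)
    print("\n".join(found) or "no ARP anomalies")
```

The first four packets are an ordinary exchange and produce nothing; the two replies at t=5.0 and t=5.5 produce five alerts between them, and the gateway's trusted mapping is left untouched, which is the same behavior you would want from a switch's dynamic ARP inspection feature.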

Man-in-the-Middle Attack (On-Path Attack)

A Man-in-the-Middle attack (On-Path Attack) occurs when an attacker causes traffic that should be sent to its intended recipient to be relayed through a system or device the attacker controls.
Once the attacker has traffic flowing through that system, they can eavesdrop on or even alter the communications as they wish. Figure 12.2 shows how traffic flow is altered from normal after an on-path attack has succeeded.
The aggressor sits in the middle between two stations and can capture, and sometimes intelligently change, the data being sent across the organization.

Domain Name System Attacks

The basic purpose of a DNS attack is to have all of your traffic sent to a system the attacker fully controls.
Domain Hijacking changes the registration of a domain, either through technical means like a vulnerability at a domain registrar or control of a system belonging to an authorized user, or through nontechnical means such as social engineering.
The end result of domain hijacking is that the domain's settings and configuration can be changed by an attacker, allowing them to intercept traffic, send and receive email, or otherwise take action while appearing to be the legitimate domain holder.
Domain Name Non-Renewal is another way domain names end up in the hands of attackers.
Each domain name has a certain lease time, and failure to renew it results in the domain name being ‘up for grabs’ or ‘free game’ for whoever buys it first.
DNS Poisoning is when hackers redirect web traffic toward fake web servers and phishing websites. These fake sites typically look like the user’s intended destination, making it easy for hackers to trick visitors into sharing sensitive information.
It can be accomplished using an on-path-attack-like method: an attacker provides a DNS response while pretending to be an authoritative DNS server.
Vulnerabilities in DNS protocols or implementations can also permit DNS poisoning, but they are rarer due to ever-increasing DNS security awareness.
DNS Cache Poisoning
DNS caching occurs whenever a local (temporary) copy of a lookup result is stored in a DNS database to speed up the DNS resolution process.
Attackers can place their false DNS information in the cache to trick the DNS database.
A DNS cache becomes “poisoned” or polluted when unauthorized domain names or IP addresses are inserted into it.
URL Redirection is when an attacker inserts alternate IP addresses into a system's hosts file.
The hosts file is checked when a system looks up a site via DNS and will be used first, making a modified hosts file a powerful tool for attackers who can change it.
In most organizations, the hosts file on the majority of machines will never be modified from its default, making changes easy to spot.
DNS Attacks Preventative Measures
Domain reputation services and tools can provide information about whether a domain is a trusted email sender or sends a lot of spam email.
For URL Redirection, modified hosts files can be manually checked, or they can be monitored by system security and antimalware tools that know the hosts file is a common target.
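Because a stock hosts file contains only loopback entries, the check for URL redirection is simply "report anything else". The following added example (not from the original notes) parses hosts-file text, normalizes the addresses, and returns every active mapping that is not a stock entry; it catches both a real name pointed at a foreign address and a real name sinkholed to loopback. The file contents are constructed sample data, and the set of default entries is an assumption based on the stock Windows and Linux files.

```python
import ipaddress

# Added example (not from the original notes): check a hosts file for entries that
# are not part of the stock file, the manual check the notes above describe. The
# file contents below are constructed sample data; the set of default entries is an
# assumption based on the stock Windows and Linux hosts files.

# Entries present in a stock hosts file (hostname -> addresses it may map to).
DEFAULT_ENTRIES = {
    "localhost": {"127.0.0.1", "::1"},
    "localhost.localdomain": {"127.0.0.1", "::1"},
    "ip6-localhost": {"::1"},
    "ip6-loopback": {"::1"},
    "broadcasthost": {"255.255.255.255"},
}

# Constructed sample hosts file: the Windows default header plus two injected lines.
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# 102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

# localhost name resolution is handled within DNS itself.
#   127.0.0.1       localhost
#   ::1             localhost
127.0.0.1   localhost
203.0.113.10   login.example.com  www.example.com   # injected: sends logins to a foreign host
127.0.0.1   update.example.com                      # injected: blocks an update server
"""


def parse_hosts(text):
    """Yield (ip, hostname, line_number) for every active mapping in a hosts file."""
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # drop comments and surrounding whitespace
        if not line:
            continue
        parts = line.split()
        try:
            ip = str(ipaddress.ip_address(parts[0]))   # normalizes e.g. "::0001" to "::1"
        except ValueError:
            yield (parts[0], " ".join(parts[1:]), lineno)   # malformed line: report as-is
            continue
        for hostname in parts[1:]:
            yield (ip, hostname.lower(), lineno)


def suspicious_hosts_entries(text, defaults=DEFAULT_ENTRIES):
    """Return the mappings that are not stock entries, as (ip, hostname, line_number)."""
    return [entry for entry in parse_hosts(text)
            if entry[0] not in defaults.get(entry[1], set())]


if __name__ == "__main__":
    for ip, hostname, lineno in suspicious_hosts_entries(SAMPLE_HOSTS):
        print(f"line {lineno}: {hostname} -> {ip}")
```

In practice the text comes from `C:\Windows\System32\drivers\etc\hosts` or `/etc/hosts`; on a fleet where the file is expected to stay at its default, any non-empty result from this function is worth a ticket.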

Distributed Denial-of-Service (DDoS)

A Distributed Denial-of-Service attack is conducted from multiple locations, networks, or systems, making it difficult to stop and hard to detect. At the same time, the distributed nature of a DDoS means that it brings the full force of some kind of resource request to bear on a targeted system or network, potentially overwhelming the target through its sheer size.
Malicious actors commonly use large-scale botnets to conduct network DDoS attacks, and commercial services exist that conduct DDoS attacks and DDoS-like behavior for stress- and load-testing purposes.
Some ISPs provide internal defense against DDoS attacks. Knowing what triggers this internal DDoS defense to respond, and for how long, is critical to your organization’s network security.
If your ISP does not have any internal DDoS defense options, the next step is to place security on your network’s border devices (routers, firewalls, workstations, servers).
Four types of network distributed denial-of-service attacks
Volume-Based DDoS Attacks focus on the sheer amount of traffic causing a denial-of-service condition.
Some volume-based DDoS attacks rely on amplification techniques that leverage flaws or features in protocols and services to create significantly more traffic than the attacker sends.
Examples include UDP floods and ICMP floods.
UDP Floods take advantage of the fact that UDP doesn't use a three-way handshake like TCP does, allowing UDP floods to be executed simply by sending massive amounts of traffic that the target host will receive and attempt to process.
Preventative Measures
UDP floods can be detected using IDSs and IPSs and other network defenses that have a UDP flood detection rule or module.
ICMP Floods, sometimes called ping floods, send massive numbers of ICMP packets, each requesting a response.
Preventative Measures
Many organizations rate-limit or block ping at network ingress points to prevent this type of attack, and they may rate-limit ICMP between security zones as well.
Protocol-Based Network DDoS Attacks focus on the underlying protocols used for networking.
Protocol attacks look to exhaust the resources of a server or of its networking systems like firewalls, routing engines, or load balancers by abusing the protocols in use.
Ping of Death is an older protocol-based network DDoS attack that used ICMP to send an enormous number of ping requests to a server in an effort to overwhelm it.
Smurf Attack leveraged ICMP broadcast messages with a spoofed (fake) sender address, causing systems throughout the broadcast domain to send traffic to the purported sender and thus overwhelming it.
TCP Flag Attack is a DDoS method that uses fragmented packets with all of their TCP flags turned on.
By continuously sending packets with all TCP flags set towards a target, stateful defenses can go down (in some cases into a fail-open mode). This flood can also be used as a smoke screen for more advanced attacks.
SYN Flood Attack (Half-Open Attack) makes a server unavailable to legitimate traffic by consuming all available server resources. By repeatedly sending initial connection request (SYN) packets, the attacker is able to overwhelm all available ports on a targeted server machine, causing the targeted device to respond to legitimate traffic sluggishly or not at all.
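The "flood detection rule or module" mentioned for UDP floods, and the half-open state a SYN flood exhausts, can both be shown on a packet log. The following added example (not from the original notes) implements two checks over constructed traffic: a per-source packet-rate window that catches volume floods such as the UDP and ICMP floods above, and a count of SYNs that were never followed by the client's ACK, which catches a SYN flood even when every SYN comes from a different spoofed source. Addresses, thresholds and the traffic itself are constructed sample data.

```python
from collections import defaultdict, deque

# Added example (not from the original notes): two checks an IDS/IPS flood-detection
# module performs, run over a constructed packet log. Addresses, thresholds and the
# traffic below are constructed sample data.


def build_sample_traffic():
    """Constructed log: (timestamp_s, protocol, source, destination, tcp_flags)."""
    pkts = [(0.00, "tcp", "10.0.0.20", "10.0.0.5", "S"),     # legitimate three-way handshake
            (0.01, "tcp", "10.0.0.5", "10.0.0.20", "SA"),
            (0.02, "tcp", "10.0.0.20", "10.0.0.5", "A")]
    # SYN flood: 40 SYNs from 40 different (spoofed) sources, none ever completed
    pkts += [(1.0 + i * 0.01, "tcp", f"198.51.100.{i + 1}", "10.0.0.5", "S") for i in range(40)]
    # UDP flood: 60 datagrams from one source in under half a second
    pkts += [(2.0 + i * 0.008, "udp", "203.0.113.7", "10.0.0.5", "") for i in range(60)]
    pkts.append((3.0, "icmp", "10.0.0.21", "10.0.0.5", ""))  # a single normal ping
    return pkts


def packet_rate_alerts(pkts, window_s=1.0, threshold=50):
    """Return {(protocol, source): peak_count} for sources sending more than
    `threshold` packets of one protocol inside any `window_s`-second window.
    This is the volume check: it catches UDP and ICMP floods from a chatty source."""
    recent = defaultdict(deque)
    alerts = {}
    for ts, proto, src, dst, flags in sorted(pkts):
        key = (proto, src)
        window = recent[key]
        window.append(ts)
        while ts - window[0] > window_s:   # drop timestamps that fell out of the window
            window.popleft()
        if len(window) > threshold:
            alerts[key] = max(alerts.get(key, 0), len(window))
    return alerts


def half_open_by_destination(pkts):
    """Return {destination: number of SYNs never followed by the client's ACK}.

    A server keeps state for each of these until it times out, which is exactly the
    resource a SYN flood exhausts; a large count spread over many distinct sources
    is the indicator to alert on, since a per-source rate check sees nothing.
    """
    pending = set()   # (client, server) pairs with a SYN seen and no ACK yet
    for ts, proto, src, dst, flags in sorted(pkts):
        if proto != "tcp":
            continue
        if flags == "S":
            pending.add((src, dst))
        elif flags == "A":
            pending.discard((src, dst))   # third handshake step completes the connection
    counts = defaultdict(int)
    for client, server in pending:
        counts[server] += 1
    return dict(counts)


if __name__ == "__main__":
    traffic = build_sample_traffic()
    for (proto, src), n in packet_rate_alerts(traffic).items():
        print(f"volume flood: {n} {proto} packets/s from {src}")
    for server, n in half_open_by_destination(traffic).items():
        print(f"possible SYN flood: {n} half-open connections to {server}")
```

Note that the 40 spoofed SYN sources never trip the rate check (one packet each), while the UDP source never shows up as half-open; a real detection module needs both views, plus a timeout so that long-finished connections do not stay in `pending` forever.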

Operational technology (OT) is the software and hardware that controls devices and systems in buildings, factories, powerplants, electric grids, traffic control, and industrial equipment.
OT will typically have less reporting, less management, and fewer security capabilities built in, meaning that detecting and responding to network DDoS and other attacks against OT devices and systems will need to be handled using external devices and tools.
An Application Layer Attack occurs when a hacker uses different bots/machines to repeatedly request the same resource from the server, eventually overwhelming it.
The most common type of application layer attack is the HTTP flood, in which malicious actors just keep sending various HTTP requests to a server using different IP addresses.

Malicious code or script Execution

PowerShell, the built-in Windows scripting language, is a popular target for malicious actors because of the powerful capabilities it provides.
PowerShell allows remote and local execution, network access, and many other capabilities. Because it is available by default on Windows systems and is often not carefully monitored, attackers can leverage it in many different ways, including for fileless malware attacks where PowerShell scripts are executed locally once a browser or plug-in is compromised.
Preventative Measures
Constrained Language Mode, which limits sensitive commands in PowerShell.
Windows Defender's built-in Application Control tool or AppLocker validates scripts.
Also limit which modules and plug-ins can be run.
It is also a good idea to turn on logging for PowerShell as well as Windows command-line auditing.
Macros embedded in Office documents and similar functionality in other applications are potential targets for attackers, and if new vulnerabilities are discovered in Office, the popularity of macro viruses could increase.
Preventative Measures
Microsoft Office disables macros by default.
The primary defense against macro-based malware is educating users not to enable macros on unknown or untrusted documents.
Provide appropriate scanning of any Office documents that are received by the organization via email or other means.
Python is a high-level, object-oriented, interpreted programming language used for automation and
Can be used in making payloads
Used for malware analysis, decoding of packets, accessing servers, network scanning, port scanning, and many more.
Python in cyber security can also be used for automation, which makes reconnaissance (information gathering) much more effortless and time-saving.
Can be used to create persistent remote access using bind or reverse shells, as well as a multitude of other useful exploit tools.
Shell Scripts like Bash, Bourne, Korn, and C shell are used in the Linux environment for command terminal navigation.
Scripting Automation
Sometimes you must perform the same command across tens or hundreds of different IP addresses; this makes it useful to create a script rather than manually typing that command repeatedly.
Visual Basic for Applications
