Skip navigation

Tag Archives: Wardriving

Pentesters Thought of Attack!

(This was created on 19 August 2010)

The Following article is for educational use ONLY!!!!! Any use for illegal use or use on a computer/network/website/ service/ application (program, code, Operating System) or any other that is not mentioned. The owner of the article takes no responsibility for use of this information such as tools, attacks or terminology used. Like I said The Following article is for educational use ONLY!!!!!

This article is about how basic pentesters/White Hat Hacker’s /Black Hat Hacker’s try to gain control of a computer/network. This article is basic terminology and ways to gain control. I will not show you how to use them but I will not give examples of of the tools used by pentesters for the reason that people may miss use, I will give tools that will help you protect you from some of these attacks. Some information in this article might be redundant to higher computer savvy people or people in the computer security field. This is for anyone to try to understand many types of attack and how pentesters gain access to a system/network.

I will have an article to help CSO’s to get an idea on how to protect with tools, services, needs, knowledge for the users of the environment for all enterprises from home based to large enterprises. I will add after it is finished. You can also look at my other articles that have many ways to protect users in many ways.

Please enjoy my talk’s.

Basic Terminology

Target – The machine/network/subnet/website/database, etc… the attacker is looking for.

Physical Access – This is when the attacker will have access in the location near the target.

Remote Access – This is when the attacker will not have access in a location not near the target.

Vulnerability – This is a flaw in a system that can be exploited for a purpose of gaining access.

Exploit – This is a way of gaining access of a system through a flaw.

Client Side Exploit – A way of gaining access of a system usually by social engineering, they convince you to click on a link/click a button/ go to a web site/ open a file. They evoke possibility of java script if a web site is the means of this attack to evoke an exploit to send info to the server that was not meant or open a connection to the server to gain access of your system.

Server Side Exploit – A way of gaining access of a system usually by a server application on a web page using an auxiliary scanner to scan your system for a flaw to gain access.

Scanner – A tool looking for something example a port scanner, vulnerability scanner or a network mapping scanner.

Module – This is an add-on to something like a tool, usually a scanner.

Payload – This is what the attacker will you to do after they exploit a system they will send information that identifies the source and destination of the material. The payload is the actual data sent after the exploit is used.

Trigger – What is used to exploit a system by the user or the attacker.

Injection – This can be used to inject the payload into thew system. Usually

Pivoting – Moving from one machine/network/subnet or IP range to another.

Spoof – This is when an attacker will mask their IP address to seem to be someone else a proxy is an example.

Honey Pot – This is usually a sand-boxed application that will have a intentional flaw to lour a automated pentest tool or hacker to monitor their activity to better protect a system or network.

Shellcode – This is a piece of code that used as the payload in the exploitation of a software vulnerability.

Types Of Attack

Social Engineering – This is when the attacker convinces you/someone that there someone that they are not and will try to get information or credentials to get a foot hold on their target.

Session Hijacking – This is when an attacker will impersonate your/someone’s credentials to gain information or access. This is used on systems via tokens or user names and passwords or another vector is websites via cookies on peoples computers or an attack prior to gain this attack as a payload.

Network Mapping – This is where the attacker will try to scan the network for operating systems,services, servers, applications, ARP Sniffing, looking for machines, IP ranges, subnets, etc… they will try to find even more information to gain a better foot hold after they had gained access from a source to get into the network. This type of attack is also used to gain access from the outer perimeter.

Fuzzing – Common way to use Fuzzing is on an application. They will first inject an exploit and a payload into an application that will look trusted. Next they usually try to use “Social Engineering” to get you/someone to open the application, this will result into an application running that was intended to crash and then they can now inject the payload and gain full access most of the time of the system. This process is usually all automated.

Vulnerability Scanning – This is done by an attacker will use “Network Mapping” and “Scanner’s” to “Pivot” from one machine/network to another to see if any exploits are known to the application. Many applications that do this incorporate into “Pentesting” applications to give the attacker a better understanding of the network and how to gain access.

0Day/Zero Day – This is an attack that is not disclosed to the vendor of the product or the public. If someone has been compromised by a “0Day” this means that know one has a fix yet and a new way of attack.

SQL Injection – This attack is used on databases via injecting maliciously crafted SQL responses and scripts that should not access the database to try to gain access to the machine.

Brute Force – This will try to find out a password of a user (website, local, etc…) this is a type of ”Password Cracking” and can take many hours to accomplish if the person has a long password with multiple special characters. This attack is highly noticeable if you attack on a website because you cause many password attempts and possibility of lock out and high traffic to one account.

Dictionary Attack – This attack is when you get a text file full of dictionary words and common passwords and try them on a target. If the password is not in the dictionary then it will fail but it is faster then a “Brute Force” attack.

Password Cracking – This is a attack where the goal is to gain the targets password. You can gain it by trying to receive an md5 hash or the password then cracking it via rainbow tables. You can also “Brute Force” and also “Dictionary attack”.

DNS Poisoning – This is usually done if the attacker has “physical access” to the network. If done any URL in the browser can be “spoofed”. This website domain looks right but the server is at another IP address.

ARP Poisoning – This is usually done if the attacker has “physical access” to the network. The attacker will insert them self in between the router and the clients to trick everyone on the network to pass all the traffic through them. If done the attacker can see/change any data they want to on both sides of the conversation. If you have the connection encrypted with at least a 125 -bit connection preferbily AES encryption you should be safe but never fully trust your connection. It can still be decrypted, all they need is time.

Wardriving – This attack is when an attacker will be close to an encrypted access point and capture the encrypted packets. They will then try to decrypt them at a later time to try to gain the key then they will have access to the network. This is also on open access points they just need to establish a connection to the access point and join the network.

Types of Exploits

Many exploits are designed to provide superuser-level access to a computer system. However, it is also possible to use several exploits, first to gain low-level access, then to escalate privileges repeatedly until one reaches root.

Privilege-confusion bugs – such as: Cross-site request forgery in web applications, Clickjacking, FTP bounce attack, Privilege escalation.

Unauthorized Data Access – It refers to when someone/something has access to a location that was not intended or not wanted.

Denial-of-Service attack (DoS attack)– This can also be know distributed denial-of-service attack (DDoS attack) this attack will ask a server for information from multiple sources at the same time, this will result in to much allocated memory and server will crash to the amount of traffic. This will result in a shutdown, or reboot, or total system crash, services corrupted or crashed, you may have many issues if this attack is done on your system.

Application Exploitation/Flaws

Arbitrary Code Execution – It is used to execute any commands of an attacker’s choice on a target machine or a process. This is a bug in software that gives an attacker a way to execute arbitrary code.

Buffer Overflow – This is also know as a buffer overrun, this is where writing data to a buffer in a computer program, overruns the buffer’s boundary and overwrites adjacent memory. This may result in rouge program behaviour, this may include, incorrect results, memory access errors, program termination, or a breach of system security.

Code Injection – It is the exploitation of a bug in a system that is caused by processing invalid data. Code injection can be used by an attacker to inject code into a computer program to change the course of execution.

Heap Spraying – This is when an attacker will use arbitrary code execution or attempts to put a sequence of bytes located in the memory to target allocated large blocks filled with the right values to try to crash the application as fast as possible to try and gain a foot hold in the system and have possible privilege evaluation.

Web Exploitation (client-side)
Cross-site scripting – XSS, an acronym for cross-site scripting, it is a type of computer security vulnerability it is typically found in web applications. That enables malicious attackers to inject client-side script into web sites viewed by other users. The attacker can bypass access controls such as the same origin policy. If so they can gain a privilege-escalation and will have more access to the web server or application server.

HTTP header injection – This is a general class of web application vulnerability. When HTTP headers are dynamically generated based on user input. HTTP responses can allow “HTTP response splitting” and “cross-site scripting”. This is a new type of web-based attacks.

HTTP Request Smuggling – also known as HRS is a result of a device failure to stop deformed inbound HTTP requests.

Web Exploitation (server-side)

DNS Rebinding – In this attack, code embedded in a compromised or malicious web page alters the way a web browser user side and confuse a DNS system. The attack may be used by invoking typically JavaScript, Java or Flash. DNS rebinding can increase the ability of JavaScript-based malware to infiltrate private networks. It can also be used to harness many users’ browsers to make many requests on the attacker’s behalf for the purpose of data scraping or DDoS attacks. It can also be used to attack private routers and use default user names and passwords in their database to try to gain access to your network. If they do gain access they can do anything they want (ARP poisoning, network mapping or possible infiltrate systems).

Clickjacking -This is a way that an attacker can try and trick the user into revealing confidential information or taking control over a system wile clicking on a web page. This is vulnerable to many browsers and operating systems. It can take form of embedded code or a script that can execute without any user’s knowledge. They can use a link, button that will preform another function or now even two buttons, if the user clicks one they are also clicking the other. The term “clickjacking” was coined by Jeremiah Grossman and Robert Hansen in 2008. The exploit is also known as UI redressing.

CSRF – (Cross-site request forgery) as known as a one-click attack or session riding (“sea-surf”) or XSRF. This type of malicious exploit of a website is done by having the user trust a site that they will brows to and will exploit them. This can be done by having the attacker do some Cross-site scripting, pentesting, or any exploitation to gain access of the website that they want access. Then they will use this attack to embed maliciously crafted code or a script on a website. When the user accesses the site they will be exploited. The attacker can also own the site to exploit the user with this attack.

Types of Hackers (Hats)

Black Hat – It refers to a hacker that breaks into networks or computers systems. They will not notify on any findings on flaws on systems and will exploit it for their benefit.

Gray Hat – They may notify on any findings on flaws on systems and might exploit it for their benefit. Most times they will notify a network or computer system but later that day/week/month will disclose it to the world or the internet.

White Hat – It refers to an penetration tester or ethical hacker who’s main goal is on securing and protecting systems. They will notify on any findings on flaws on systems and will not exploit it for their benefit.

Red Hat – It refers to a type of hacker who try’s to find or change the UNIX/Linux platform and usually open source software to make it better.

Tools for Protection

NoScript – This is a plug-in found at http://noscript.net/ and works with Firefox, Flock, Seamonkey and other mozilla-based browsers: this free, open source add-on allows JavaScript, Java and Flash, Silverlight, Cross-site scripting POST requests into data-less GET requests (Anti-XSS protection),Quicktime clips, PDF documents, FRAME’s, IFRAME’s,Block JAR remote resources being loaded as documents,JAR document blocking Exceptions, HTTPS enforcement, Clickjacking protection,Application Boundaries Enforcer (ABE) and more.

Conclusions

Ok, now you know that there is many types of attacks of a system/server/network, but we still need to fix the flaws in software if so then most of these attacks will be no more. I say keep your software patched and think twice before you click a link or open a file or go to a site be cautious. There are many ways to save a system also just have a firewall, av-software, and stay up-to-date. There is many more ways to keep safe but I will fill in the rest in my next article. If you have nay questions just leave a comment.

Automated Infection

Some people think someone will create some virus and it will be a program that looks for systems/network’s to infect. This is semi-true, a virus is a application but it still needs some form of attack and needs a payload after a successful attack. The only reason a virus is created and used is for doing work to try an infiltrate a system easier. But, there are many holes in applications and also viruses such as many have the same signatures that will be detected by anti-virus vendors and security research facility. Viruses are becoming more difficult to remove and detect. There are many ways to try an stop an infection or a pentester if you asked one to do a test on your network. A virus these days are very deceiving. If you remove one via anti virus or manual methods, this will not be 100% effective. You should think how did it get in? There is always some type of exploit that must of happened on your system to give them the upper hand on getting on your system. Also if you remove one there will be a backdoor made most of the time by the virus or the attacker. It could be in the registry, process, another application, another exploit, fuzzed another application (uncommon but still in the wild). There are to many vectors of attack so I say an infection is an infection. You should do a format on any condition. Do many scans on your data with many trusted products in the anti-virus market on a trusted machine before you return it to your newly formatted machine. Also viruses these days most of the time will attack other computers on your network to heighten the infection. If you have an infection do multiple scans and use a trusted security support technician that you trust on your hole network.

Resources
Rechecked all links on the 19 August 2010

NoScript
http://noscript.net/
http://en.wikipedia.org/wiki/NoScript

Exploit (Computer_Security)
http://en.wikipedia.org/wiki/Exploit_%28computer_security%29

Vulnerability (Computing)
http://en.wikipedia.org/wiki/Vulnerability_%28computing%29

Physical Access
http://en.wikipedia.org/wiki/Physical_access

Remote Access
http://en.wikipedia.org/wiki/Remote_access

Vulnerability
http://en.wikipedia.org/wiki/Vulnerability

http://en.wikipedia.org/wiki/Vulnerability_%28computing%29

Exploit
http://en.wikipedia.org/wiki/Exploit_%28computer_security%29

Client-Side Exploit
http://www.offensive-security.com/metasploit-unleashed/Client-Side-Exploits
http://www.coresecurity.com/content/client-side-exploits

Server-Side Exploit
http://www.microsoft.com/technet/security/bulletin/ms00-025.mspx
http://projects.webappsec.org/SSI-Injection

Scanner
http://en.wikipedia.org/wiki/Port_scanner
http://en.wikipedia.org/wiki/Scanner

Module
http://www.thefreedictionary.com/module
http://ruby-doc.org/core/classes/Module.html

Payload
http://en.wikipedia.org/wiki/Payload_%28software%29

Trigger
http://www.yourdictionary.com/computer/trigger
http://www.webopedia.com/TERM/T/trigger.html

Injection
http://en.wikipedia.org/wiki/E-mail_injection
http://en.wikipedia.org/wiki/Code_injection

Pivoting
http://www.thefreedictionary.com/pivoting

Spoof
http://en.wikipedia.org/wiki/Spoofing_attack

Honey Pot
http://en.wikipedia.org/wiki/Honeypot_%28computing%29

Shellcode
http://en.wikipedia.org/wiki/Shellcode

Types Of Attack

Social Engineering
http://en.wikipedia.org/wiki/Social_engineering_%28security%29

Session Hijacking
http://www.owasp.org/index.php/Session_hijacking_attack
http://en.wikipedia.org/wiki/Session_hijacking
http://www.iss.net/security_center/advice/Exploits/TCP/session_hijacking/default.htm

Network Mapping
http://en.wikipedia.org/wiki/Network_mapping

Fuzzing
http://en.wikipedia.org/wiki/Fuzzing

Vulnerability Scanning
http://en.wikipedia.org/wiki/Vulnerability_scanner

0Day/Zero Day
http://en.wikipedia.org/wiki/0day

SQL Injection
http://www.yourdictionary.com/computer/sql-injection

Brute Force
http://en.wikipedia.org/wiki/Brute_force_attack

Dictionary Attack
http://en.wikipedia.org/wiki/Dictionary_attack

Password Cracking
http://en.wikipedia.org/wiki/Password_cracking

DNS Poisoning
http://en.wikipedia.org/wiki/Dns_poisoning

ARP Poisoning
http://en.wikipedia.org/wiki/ARP_spoofing
http://www.watchguard.com/infocenter/editorial/135324.asp
http://www.grc.com/nat/arp.htm

Wardriving
http://en.wikipedia.org/wiki/Wardriving
http://searchmobilecomputing.techtarget.com/definition/war-driving

Types of Exploits

Privilege-confusion bugs
http://en.wikipedia.org/wiki/Vulnerability_(computing)

Unauthorized Data Access
http://findarticles.com/p/articles/mi_m0BRZ/is_2_23/ai_98709772/

Denial-of-Service attack (DoS attack)
http://en.wikipedia.org/wiki/Denial-of-service_attack
http://www.us-cert.gov/cas/tips/ST04-015.html
http://searchsoftwarequality.techtarget.com/sDefinition/0,,sid92_gci213591,00.html

Application Exploitation/Flaws

Arbitrary Code Execution
http://en.wikipedia.org/wiki/Arbitrary_code_execution

Buffer Overflow
http://en.wikipedia.org/wiki/Buffer_overflow
http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci549024,00.html
http://www.windowsecurity.com/articles/Analysis_of_Buffer_Overflow_Attacks.html
http://www.owasp.org/index.php/Buffer_overflow

Code Injection
http://www.theserverpages.com/articles/webmasters/php/security/Code_Injection_Vulnerabilities_Explained.html
http://www.owasp.org/index.php/Code_Injection
http://en.wikipedia.org/wiki/Code_injection

Heap Spraying
http://en.wikipedia.org/wiki/Heap_spraying

Web Exploitation (client-side)

Cross-site scripting (XSS)
http://en.wikipedia.org/wiki/Cross-site_scripting
http://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29

HTTP header injection
http://en.wikipedia.org/wiki/HTTP_header_injection
http://lists.grok.org.uk/pipermail/full-disclosure/2006-February/042358.html
http://blogs.msdn.com/b/esiu/archive/2007/09/22/http-header-injection-vulnerabilities.aspx

HTTP Request Smuggling
http://palisade.plynt.com/issues/2006Sep/http-request-smuggling/
http://blogs.msdn.com/b/esiu/archive/2007/09/22/http-header-injection-vulnerabilities.aspx

Web Exploitation (server-side)

DNS Rebinding
http://crypto.stanford.edu/dns/
http://en.wikipedia.org/wiki/DNS_rebinding

Clickjacking
http://en.wikipedia.org/wiki/Clickjacking
http://ha.ckers.org/blog/20080915/clickjacking/

CSRF (Cross-site request forgery)
http://en.wikipedia.org/wiki/Cross-site_request_forgery
http://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29
http://www.cgisecurity.com/csrf-faq.html

Black Hat
http://en.wikipedia.org/wiki/Black_hat

Gray Hat
http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci555449,00.html
http://en.wikipedia.org/wiki/Grey_hat

White Hat
http://en.wikipedia.org/wiki/White_hat

Red Hat
http://en.wikipedia.org/wiki/Red_Hat_Linux

Extra Information
http://en.wikipedia.org/wiki/Network_security
http://en.wikipedia.org/wiki/Security_Architecture
http://en.wikipedia.org/wiki/Coloured_hat
http://www.comptechdoc.org/independent/security/recommendations/secattacks.html
http://en.wikipedia.org/wiki/Penetration_test