Cybersecurity Threats Overview

• IAS.

Attacks
o Topics:
▪ Social engineering
▪ Denial of service
▪ Protocol attacks
▪ Active attacks
▪ Passive attacks
▪ Buffer overflow attacks
▪ Malware (viruses, Trojan horses, worms)

SOCIAL ENGINEERING

▪ Social engineering is a term used to describe the manipulation of individuals to gain access to sensitive
information, systems, or networks. Unlike traditional hacking methods that rely on exploiting technical
vulnerabilities, social engineering exploits human psychology and behavior. Attackers use various
techniques to deceive, manipulate, or trick individuals into divulging confidential information, performing
actions, or providing access to secure resources.

▪ Social engineering attacks can take many forms, including phishing emails, pretexting phone calls, baiting
with malicious downloads, tailgating into secure areas, impersonation of authority figures, and dumpster
diving for discarded documents containing valuable information.

▪ The success of social engineering attacks often depends on exploiting common human traits such as trust,
curiosity, fear, or desire for reward. By understanding these psychological triggers, attackers can craft
convincing scenarios that persuade individuals to act against their better judgment.

Different types of social engineering with examples and descriptions:

▪ Phishing:
o Description: Phishing involves sending fraudulent emails or messages that appear to come from
legitimate sources, aiming to trick recipients into divulging sensitive information or clicking on
malicious links.
o Example: An attacker sends an email posing as a bank, requesting the recipient to verify their
account details by clicking on a link. The link directs the victim to a fake website that resembles
the bank's login page, where they unwittingly enter their username and password.
▪ Pretexting:
o Description: Pretexting involves creating a fabricated scenario or pretext to manipulate
individuals into disclosing information or performing actions.
o Example: An attacker calls a company's employee claiming to be from the IT department and
explains that there's a security breach. They request the employee's login credentials under the
guise of verifying their account to secure it, exploiting the employee's concern for security.
▪ Baiting:
o Description: Baiting involves enticing victims with something desirable to trick them into
revealing sensitive information or performing actions.
o Example: An attacker leaves infected USB drives labeled "Employee Bonus Details" in a
company's common areas. An unsuspecting employee finds the USB drive, plugs it into their
computer to view the contents, and inadvertently installs malware, compromising the system.
▪ Tailgating:
o Description: Tailgating, or piggybacking, exploits physical security by following an authorized
person into a restricted area without proper authentication.
o Example: An attacker waits near a secure entrance of a building and follows closely behind an
employee as they swipe their access card to gain entry. The attacker relies on the employee's
politeness or distraction to gain unauthorized access to the building.
▪ Impersonation:
o Description: Impersonation involves pretending to be someone else to gain trust or access.
o Example: An attacker poses as a vendor representative and calls a company's accounting
department, claiming there's an issue with their payment system. They request sensitive financial
information under the guise of resolving the issue, exploiting the department's trust in external
vendors.
▪ Quid Pro Quo:
o Description: Quid pro quo involves offering a benefit or service in exchange for sensitive information
or access.
o Example: An attacker calls employees within a company, posing as a tech support representative,
and offers free software upgrades in exchange for their login credentials. The employees, enticed by
the offer, willingly provide their credentials, enabling the attacker to gain unauthorized access.
▪ Dumpster Diving:
o Description: Dumpster diving involves searching through trash or recycling bins to find discarded
documents or materials containing valuable information.
o Example: An attacker rummages through the company's dumpsters and finds printed documents
containing usernames and passwords. They use this information to gain unauthorized access to the
company's systems or networks.

DENIAL-OF-SERVICE (DOS)

• A Denial-of-Service (DoS) attack is a cyberattack in which the perpetrator seeks to make a machine or
network resource unavailable to its intended users by temporarily or indefinitely disrupting services of
a host connected to the internet.

• Denial-of-Service (DoS) attacks are malicious attempts to disrupt the normal functioning of a targeted
server, service, or network by flooding it with a high volume of illegitimate requests or traffic. These
attacks aim to exhaust the target's resources, such as bandwidth, CPU, memory, or network
connections, rendering it unavailable to legitimate users.

HISTORY:

• DoS attacks have been around since the early days of networked computing. The incident most often
cited as the first dates to 1974, when a 13-year-old user of the PLATO system at the University of
Illinois discovered that the "external" (ext) command, sent to a terminal with no external device
attached, locked that terminal up, and used it to knock dozens of terminals in a classroom offline at
once.

• In February 2000, DoS attacks gained widespread attention when a series of distributed attacks took
prominent websites such as Yahoo, eBay, and CNN offline for hours. These attacks highlighted the
vulnerability of online services to disruption, and the fact that the traffic came from many compromised
hosts at once (a DDoS) made it impossible to block by source address.

Here are some common techniques along with examples:

• UDP Flood: The attacker floods the target server with a high volume of User Datagram Protocol (UDP)
packets, overwhelming its capacity to handle incoming requests. UDP has no handshake, so the packets
cannot be rejected before they are processed, and packets aimed at closed ports additionally cost the
target an ICMP "port unreachable" reply each.
  o For example, an attacker might flood a gaming server with UDP packets, causing it to become
unresponsive to legitimate players.

• TCP SYN Flood: In this attack, the attacker floods the target server with TCP SYN (synchronization)
packets, usually from spoofed source addresses, exhausting its resources by initiating numerous
half-open connections that are never completed: the server answers each SYN with a SYN-ACK and holds a
backlog entry waiting for an ACK that never comes. Once the backlog is full, new SYNs are dropped, which
prevents legitimate users from establishing connections with the server. SYN cookies, which encode the
connection state in the server's initial sequence number instead of storing it, are the standard
defence.
  o For instance, an attacker might flood a web server with TCP SYN packets, causing it to become
unresponsive to incoming HTTP requests.

• HTTP Flood: Also known as a Layer 7 attack, the attacker overwhelms the target server with a large
volume of HTTP requests. Because each request is a complete, valid request, the traffic is hard to
distinguish from legitimate user traffic at the network level; the cost lands on the application
(database queries, page rendering) rather than on bandwidth, so a comparatively small flood can take a
server down. This can lead to slow response times or server crashes.
  o An example would be flooding an e-commerce website with HTTP requests, causing it to become
unavailable to legitimate shoppers.
TWO MODES OF HTTP FLOOD

• HTTP GET Flood:
  o An HTTP GET flood attack involves an attacker sending a large number of HTTP GET requests to the
target server. Each GET request typically aims to retrieve a specific resource from the server, such
as a web page, image, or file. Attackers pick the most expensive URLs (search pages, reports, large
downloads) rather than static files so that each request costs the server as much as possible. The
objective is to overwhelm the server's resources by generating a high volume of requests, thereby
causing it to slow down or become unresponsive to legitimate users.

• HTTP POST Flood:
  o In contrast, an HTTP POST flood attack involves the attacker sending numerous HTTP POST requests
to the target server. Unlike GET requests that retrieve data from the server, POST requests typically
submit data to the server, such as form submissions or file uploads, which the server has to parse,
validate and often write to a database. The attacker floods the server with POST requests, often
containing large amounts of data, with the aim of overwhelming its processing capabilities.

• Ping of Death: The attacker sends an ICMP echo request that, once its IP fragments are reassembled,
is larger than the 65,535-byte maximum an IP packet may have. Older IP stacks allocated a fixed
reassembly buffer of that size and wrote past its end when the last fragment's offset plus length
exceeded it, so the target crashed or became unstable when attempting to process the packet. Modern
operating systems check the reassembled size and discard such packets, so this is now mainly of
historical interest.
  o For instance, an attacker might send a ping of death packet to a network router, causing it to
crash and disrupt network connectivity for legitimate users.

• Slowloris: In this attack, the attacker opens multiple connections to the target server and sends
partial HTTP requests at a very slow rate (a header line every few seconds, never the blank line that
ends the headers), keeping the connections open for as long as possible. Each connection occupies a
worker or socket slot, so a single machine with modest bandwidth can exhaust the server's connection
pool and prevent it from serving legitimate users. Servers defend against it with per-connection header
timeouts and limits on concurrent connections per source.
  o For example, an attacker might use Slowloris to target a web server, causing it to become
unresponsive to incoming HTTP requests from legitimate users.
• DNS Amplification: The attacker sends a large volume of DNS (Domain Name System) lookup requests,
with the source IP address spoofed to the victim's address, to open DNS resolvers. The queries are
chosen so that the answer is far larger than the question (for example ANY queries, or names with big
DNSSEC records), so the resolvers send responses many times the size of the requests to the victim,
overwhelming its network bandwidth. The attack works because UDP has no handshake to verify the source
address; networks that drop packets with spoofed sources at their edge (BCP 38) and resolvers that refuse
recursion from outside their own network stop it at the source.
  o An example would be launching a DNS amplification attack against a target website, causing it to
become inaccessible to legitimate users due to the flood of incoming traffic.

LIST SOME DIFFERENT PROTOCOL ATTACKS TO WHICH TCP/IP IS SUSCEPTIBLE.

• SYN Flood Attack:

  o How it works: In a SYN flood attack, the attacker sends a barrage of TCP SYN packets to the target
server, usually with spoofed source addresses, and never completes the three-way handshake. The
server allocates a backlog entry for each incomplete connection attempt and keeps it, retransmitting
the SYN-ACK, until a timeout expires. Eventually the backlog is exhausted, making the server unable to
accept legitimate connection requests even though its bandwidth and CPU may be largely idle.
  o Impact on organization's network: SYN flood attacks can overwhelm stateful network devices such as
firewalls, load balancers, and servers. This can lead to denial of service (DoS) or distributed denial
of service (DDoS) conditions, rendering critical services inaccessible to legitimate users.

• UDP Flood Attack:

o How it works: In a UDP flood attack, the attacker sends a large volume of UDP packets to the
target server. Since UDP is connectionless and does not require a handshake process, the server
may become overwhelmed trying to process and respond to the flood of incoming packets.
o Impact on organization's network: UDP flood attacks can saturate network bandwidth, consume
server resources, and disrupt network operations. This can result in service degradation or outage,
impacting the availability of essential services.

• DNS Amplification Attack:

o How it works: In a DNS amplification attack, the attacker sends DNS queries with a spoofed
source IP address to open DNS resolvers. These resolvers then respond with large DNS responses
to the victim's IP address, amplifying the volume of traffic directed towards the victim.
o Impact on organization's network: DNS amplification attacks can generate a significant amount
of traffic directed towards the victim's network, overwhelming its infrastructure and causing a DoS
condition. This can disrupt normal business operations and lead to financial losses.

• Smurf Attack:

o How it works: In a Smurf attack, the attacker sends ICMP echo request (ping) packets with the
victim's IP address spoofed as the source address to IP broadcast addresses. This causes multiple
hosts on the network to reply to the victim's IP address, flooding it with ICMP replies.
o Impact on organization's network: Smurf attacks can consume network bandwidth and
overwhelm network devices, such as routers and switches. This can result in degraded network
performance, loss of connectivity, and disruptions to critical services.
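As an added example (not part of the original notes) of the SYN flood mechanism described above under denial of service and again under protocol attacks: a small C simulation of a stateful listener whose half-open table is exhausted by spoofed SYNs, beside a stateless listener using SYN cookies that survives the same flood. The backlog size, function names, spoofed addresses and the listener secret are all constructed for illustration, and the cookie mixing function is a hypothetical toy, not the format Linux or BSD kernels actually use (those also encode the MSS and a timestamp in the cookie).

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BACKLOG 8   /* half-open (SYN_RECV) slots the stateful listener can hold; constructed */

struct half_open { uint32_t src_ip; uint16_t src_port; int in_use; };

struct listener {
    struct half_open table[BACKLOG];
    uint32_t secret;        /* per-listener secret mixed into cookies */
};

/* Stateful SYN handling: a slot is reserved for every SYN until the final ACK
 * arrives (or a timeout fires).  Spoofed SYNs never ACK, so the table fills and
 * later SYNs, legitimate or not, are dropped.  Returns 1 if a SYN-ACK was sent. */
static int stateful_syn(struct listener *l, uint32_t ip, uint16_t port)
{
    for (int i = 0; i < BACKLOG; i++) {
        if (!l->table[i].in_use) {
            l->table[i] = (struct half_open){ ip, port, 1 };
            return 1;
        }
    }
    return 0;               /* backlog full: SYN silently dropped */
}

/* Final ACK for a stateful listener: find the slot and free it.
 * Returns 1 on success, 0 if no half-open entry exists for this peer. */
static int stateful_ack(struct listener *l, uint32_t ip, uint16_t port)
{
    for (int i = 0; i < BACKLOG; i++) {
        if (l->table[i].in_use && l->table[i].src_ip == ip && l->table[i].src_port == port) {
            l->table[i].in_use = 0;
            return 1;
        }
    }
    return 0;
}

/* Toy SYN cookie: the server's initial sequence number is a keyed hash of the
 * peer identity.  Hypothetical mixing function for illustration only. */
static uint32_t syn_cookie(uint32_t secret, uint32_t ip, uint16_t port)
{
    uint32_t h = secret ^ ip ^ ((uint32_t)port << 16);
    h ^= h >> 16; h *= 0x85EBCA6Bu;
    h ^= h >> 13; h *= 0xC2B2AE35u;
    h ^= h >> 16;
    return h;
}

/* Stateless SYN handling: nothing is stored; the cookie goes out as the
 * SYN-ACK's sequence number and is recomputed when the ACK arrives. */
static uint32_t stateless_syn(const struct listener *l, uint32_t ip, uint16_t port)
{
    return syn_cookie(l->secret, ip, port);
}

/* The client's ACK number must equal cookie + 1; anything else is rejected
 * without the server ever having held per-connection state. */
static int stateless_ack(const struct listener *l, uint32_t ip, uint16_t port, uint32_t ack_num)
{
    return ack_num == syn_cookie(l->secret, ip, port) + 1;
}

/* Simulate flood_size spoofed SYNs (whose sources never answer), then one real
 * client's SYN / SYN-ACK / ACK.  Returns 1 if the real client got connected. */
int simulate(int use_cookies, int flood_size)
{
    struct listener l;
    memset(&l, 0, sizeof l);
    l.secret = 0x5EC2E7u;                          /* constructed, not random */

    for (int i = 0; i < flood_size; i++) {         /* constructed spoofed sources 10.0.0.1, 10.0.0.2, ... */
        uint32_t spoofed = 0x0A000001u + (uint32_t)i;
        if (use_cookies) (void)stateless_syn(&l, spoofed, 40000);
        else             (void)stateful_syn(&l, spoofed, 40000);
    }

    uint32_t client_ip = 0xC0A80105u;              /* 192.168.1.5, constructed */
    uint16_t client_port = 51234;
    if (use_cookies) {
        uint32_t isn = stateless_syn(&l, client_ip, client_port);     /* SYN -> SYN-ACK(seq = isn) */
        return stateless_ack(&l, client_ip, client_port, isn + 1);    /* ACK(ack = isn + 1) */
    }
    if (!stateful_syn(&l, client_ip, client_port))
        return 0;
    return stateful_ack(&l, client_ip, client_port);
}

int main(void)
{
    printf("stateful listener, 100 spoofed SYNs: client connected = %d\n", simulate(0, 100));
    printf("SYN cookies,       100 spoofed SYNs: client connected = %d\n", simulate(1, 100));
    return 0;
}
```

The stateful listener refuses the legitimate client after only eight spoofed SYNs because every spoofed packet costs the server a slot and the attacker nothing; the cookie listener stores nothing per SYN, so the flood has no state to exhaust and a forged ACK with the wrong number is simply dropped.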

Explain some techniques used during an ACTIVE ATTACK. During an active attack, perpetrators employ various
techniques to compromise systems, steal data, disrupt operations, or achieve another malicious objective.

1. Phishing: Attackers send deceptive emails, messages, or websites designed to trick users into revealing
sensitive information such as login credentials, financial details, or personal information.

2. Social Engineering: This involves manipulating individuals into divulging confidential information or
performing actions that compromise security. Attackers may impersonate trusted individuals, exploit
human psychology, or use pretexting to gain access to sensitive information.
3. Malware Injection: Attackers inject malicious software (malware) into systems to gain unauthorized
access, steal data, or disrupt operations. Common types of malwares include viruses, worms, trojans,
ransomware, and spyware.

4. SQL Injection (SQLi): In SQL injection attacks, attackers exploit vulnerabilities in web applications by
injecting malicious SQL queries into input fields. This can allow attackers to access, modify, or delete data
stored in databases.

5. Cross-Site Scripting (XSS): XSS attacks involve injecting malicious scripts into web pages viewed by other
users. When unsuspecting users interact with these pages, the malicious scripts execute in their
browsers, allowing attackers to steal session cookies, redirect users to malicious sites, or deface
websites.

6. Man-in-the-Middle (MitM) Attack: In MitM attacks, attackers intercept and possibly alter communication
between two parties without their knowledge. This allows attackers to eavesdrop on sensitive information,
manipulate data, or impersonate one of the parties involved.

7. Brute Force Attack: Attackers use automated tools to systematically try every possible combination of
usernames and passwords until they find the correct credentials to access a system or account.

8. Denial-of-Service (DoS) Attack: In DoS attacks, attackers flood a target system, network, or service with a
high volume of traffic or requests, rendering it inaccessible to legitimate users. Distributed Denial-of-
Service (DDoS) attacks involve multiple compromised systems coordinated to launch a DoS attack
simultaneously.

9. Eavesdropping/Snooping: Attackers intercept and monitor network communications to gather sensitive
information such as usernames, passwords, or financial data. On its own this is a passive technique; it
becomes part of an active attack when the captured data is replayed, modified, or used to log in.

10. Session Hijacking: Attackers steal session cookies or session tokens to impersonate authenticated users
and gain unauthorized access to web applications or services.

Explain some techniques used during a PASSIVE ATTACK. Passive attacks involve unauthorized access to
information without affecting the system's resources or altering the data. These attacks typically aim to gather
sensitive information without the knowledge of the system's owner or users.

1. Eavesdropping: This involves intercepting data as it travels across a network. Attackers may use packet
sniffers or network monitoring tools to capture data packets containing sensitive information like
usernames, passwords, or financial details.

2. Packet Analysis: Attackers analyze captured packets to extract valuable information such as usernames,
passwords, IP addresses, and communication patterns. By examining packet headers and payloads,
attackers can gain insights into the structure and content of network traffic.
3. Traffic Analysis: Attackers observe patterns and trends in network traffic without necessarily intercepting
the content of the communication. By analyzing the timing, frequency, and size of data packets, attackers
can infer valuable information such as user behavior, organizational structure, or operational activities.

4. Passive Scanning: Attackers passively scan networks to identify hosts, services, and vulnerabilities
without actively probing or initiating connections. This involves observing network traffic, analyzing public
information, and conducting reconnaissance to gather intelligence about potential targets.

5. Social Engineering: Although social engineering is not strictly a passive attack, it often involves
manipulating individuals to divulge sensitive information without their knowledge. Attackers may use
pretexting, phishing, or impersonation techniques to trick users into revealing passwords, account
numbers, or other confidential data.

6. Wiretapping: This involves physically tapping into communication lines or network cables to intercept
data as it travels between devices. While less common in modern digital networks, wiretapping remains a
potent technique in targeted attacks against specific individuals or organizations.

7. Cryptanalysis: Cryptanalysis techniques involve analyzing encrypted data to decipher its original plaintext
without access to the encryption key. While cryptanalysis can be resource-intensive and time-consuming,
skilled attackers may exploit weaknesses in cryptographic algorithms or implementation flaws to recover
sensitive information.

8. DNS Spoofing: Strictly speaking, DNS spoofing is an active technique: the attacker forges DNS responses
(or poisons a resolver's cache) to redirect users to malicious websites or phishing pages. The passive
part is watching DNS queries, which reveals which hosts and services a user contacts even when the
traffic itself is encrypted. By spoofing DNS responses, attackers can deceive users into visiting
fraudulent websites and unknowingly disclosing sensitive information.

ACTIVE ATTACKS involve direct actions to compromise systems or networks, often causing immediate harm or
disruption, while PASSIVE ATTACKS focus on covertly gathering sensitive information without altering system
resources or triggering alarms. Both types of attacks pose significant risks to cybersecurity and require robust
preventive measures and mitigation strategies to defend against effectively.

Explain how an ACTIVE ATTACK MIGHT USE INFORMATION FROM A PASSIVE ATTACK to compromise a
system.

1. Credential Harvesting: Suppose during a passive attack, an attacker successfully intercepts network
traffic containing usernames and passwords through techniques like packet sniffing or network
reconnaissance. With this information in hand, the attacker can launch an active attack by attempting to
use these stolen credentials to gain unauthorized access to systems or accounts.

2. Social Engineering: In a passive attack, attackers may gather information about employees or
organizational practices through methods like eavesdropping on conversations or monitoring social media
profiles. Armed with this knowledge, the attacker can craft convincing phishing emails or conduct targeted
spear-phishing attacks during an active phase. By tailoring messages with specific details obtained
passively, such as mentioning familiar coworkers or referencing internal processes, attackers increase the
likelihood of success in tricking users into disclosing sensitive information or executing malicious actions.

3. Exploiting Vulnerabilities: Passive reconnaissance may reveal information about software versions,
system configurations, or network architecture. Attackers can use this intelligence to identify potential
vulnerabilities or misconfigurations that could be exploited during an active attack. For example, knowing
that a particular server is running outdated software with known security flaws obtained passively, the
attacker can launch targeted exploits to gain unauthorized access or execute malicious code.
4. Targeted Attacks: In some cases, passive reconnaissance provides insights into the organizational
structure, key personnel, or critical assets within a target environment. Armed with this knowledge,
attackers can tailor their active attack strategies to focus on high-value targets or exploit specific
weaknesses identified during passive reconnaissance. For instance, if passive reconnaissance reveals
that a particular executive regularly accesses sensitive financial data, the attacker might prioritize
compromising that individual's account through methods like phishing or credential stuffing to gain access
to valuable information or systems.

A Buffer Overflow Attack occurs when a program writes more data to a buffer (a fixed-size region of memory)
than it can hold. The extra data spills into adjacent memory, overwriting whatever is there: other
variables, heap bookkeeping, or, for a buffer on the stack, the saved return address that decides where
execution continues when the function returns. An attacker who controls the overflowing input can therefore
control that address and redirect the program into code of their choosing.

Buffer Overflow Attacks represent a serious security risk as they can lead to unauthorized code execution,
system compromise, and data breaches. To mitigate the risk, developers should check lengths before every
copy (and avoid functions such as gets() and strcpy() that cannot), use memory-safe programming languages
where possible, build with compiler and OS mitigations (stack canaries, non-executable stacks, ASLR), and
regularly update software to patch known vulnerabilities. Additionally, network administrators should
employ intrusion detection/prevention systems and run exposed services with the least privilege they need,
to limit the impact of successful buffer overflow exploits.
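As an added example, not from the original notes: the overflow pattern described above in C, with the vulnerable copy beside its hardened form. The struct layout (a name buffer directly followed by a privilege flag), the function names and the inputs are all constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* A 16-byte name buffer followed by a privilege flag: the layout that makes an
 * overflow of `name` land on `is_admin`.  Constructed for illustration. */
struct session {
    char name[16];
    int  is_admin;
};

/* VULNERABLE: strcpy copies until the NUL terminator, so any input of 16 or more
 * characters runs past `name` and overwrites `is_admin` (and, with a longer input,
 * whatever follows the struct, including a saved return address if the struct
 * lives on the stack).  Same class of bug as fingerd's gets() into a fixed buffer.
 * Observe it with -O0 and no _FORTIFY_SOURCE: optimizers may assume is_admin is
 * untouched, and a fortified libc aborts the copy instead. */
int login_unsafe(struct session *s, const char *input)
{
    s->is_admin = 0;
    strcpy(s->name, input);           /* no bounds check */
    return s->is_admin;               /* nonzero only if the overflow reached it */
}

/* HARDENED: measure first, reject what does not fit (including the NUL), then
 * copy exactly that many bytes.  Rejecting beats silent truncation, which can
 * turn one identity into another ("administrator1" becomes "administrator"). */
int login_safe(struct session *s, const char *input)
{
    size_t n = strlen(input);
    s->is_admin = 0;
    if (n >= sizeof s->name)          /* need room for n bytes plus the NUL */
        return -1;
    memcpy(s->name, input, n + 1);
    return s->is_admin;
}

int main(void)
{
    struct session s;
    char attack[20];                  /* 19 'A's plus NUL fill the 20-byte struct exactly: */
    memset(attack, 'A', sizeof attack - 1);   /* 16 bytes into name, 4 into is_admin  */
    attack[sizeof attack - 1] = '\0';

    printf("unsafe: is_admin = 0x%x\n", login_unsafe(&s, attack));   /* 0x414141 at -O0 */
    printf("safe:   rc = %d, is_admin = %d\n", login_safe(&s, attack), s.is_admin);
    return 0;
}
```

The safe version still copies with memcpy; what changed is that the length is decided by the destination's capacity before any byte is written, which is the whole of the fix for this bug class.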

• One infamous example of a Buffer Overflow Attack is the Morris Worm, also known as the Great Worm,
which targeted Unix-based systems (VAX and Sun-3 machines running BSD) in November 1988. Created by
Robert Tappan Morris, then a graduate student at Cornell University, the worm used several routes to
propagate across the internet, including the DEBUG mode of the sendmail utility; the route that makes
it a buffer overflow example is the one through the fingerd daemon, described below.

• Here's how the Morris Worm executed a buffer overflow attack:

o Exploiting Vulnerability: The Morris Worm took advantage of a buffer overflow vulnerability in
the fingerd daemon, the service that answers "finger" queries about users logged into a Unix system.
▪ The fingerd daemon is a program that runs on a computer and provides information about
users on that computer to other computers on a network. The BSD version read the request
line with gets() into a fixed 512-byte buffer on the stack, with no bounds check.

o Crafted Payload: Morris sent a request longer than that buffer, so that the excess bytes
overflowed it. The request carried the worm's machine code in the overflowed region.

o Control Hijacking: By overflowing the buffer, the worm overwrote the saved return address on the
stack with the address of its own code inside the buffer; when fingerd's request handler returned,
execution jumped there instead of back to the caller.

o Payload Execution: The injected code executed a shell with fingerd's privileges, giving the worm
a foothold from which it copied over and compiled the rest of itself.

o Propagation: The worm did not pick random IP addresses. It harvested targets from the host it had
just compromised (/etc/hosts.equiv, users' .rhosts and .forward files, and the interface and routing
tables) and tried several routes into each: the fingerd overflow, sendmail's DEBUG command, and
rsh/rexec with passwords it had guessed. The "brute-forcing" involved was password guessing against
the copied /etc/passwd, trying trivial variants of each username, a built-in list of a few hundred
words, and the system dictionary.

▪ Brute-forcing is a method used to systematically guess passwords or encryption keys by trying
candidates until the correct one is found; the worm's version was a dictionary attack rather than
an exhaustive search.

o Impact: The worm's rapid spread, compounded by a bug that let hosts be re-infected many times over,
overloaded many machines and caused significant disruption to network operations. The usual estimate
is that about 6,000 Unix systems were affected, roughly a tenth of the internet at the time.
• SOME EXAMPLES OF NOTABLE BUFFER OVERFLOW ATTACKS:
o Code Red Worm (2001): The Code Red Worm targeted Microsoft IIS web servers by exploiting a
buffer overflow vulnerability in the Indexing Service ISAPI extension (idq.dll), patched weeks earlier
in MS01-033 (CVE-2001-0500). It propagated by sending HTTP GET requests with an overlong URL carrying
the payload, which gave the worm code execution inside the IIS process on unpatched servers.
o SQL Slammer (2003): Also known as the Sapphire Worm, SQL Slammer exploited a buffer overflow
vulnerability in the Resolution Service of Microsoft SQL Server 2000 (MS02-039). The whole worm fit in a
single 376-byte UDP packet to port 1434, so it propagated with no handshake at all, firing copies at
random IP addresses as fast as each infected host's link allowed; it reached most vulnerable hosts
within minutes and caused widespread internet congestion and service disruption.
o Blaster Worm (2003): The Blaster Worm, also known as MSBlast or Lovesan, exploited a buffer
overflow vulnerability in the DCOM Remote Procedure Call (RPC) service of Windows (MS03-026), reachable
on TCP port 135. It propagated by scanning randomly selected IP addresses and infecting vulnerable
systems.
o Heartbleed (2014): Heartbleed (CVE-2014-0160) was a serious vulnerability in the OpenSSL
cryptographic library's TLS heartbeat extension. A peer could claim a heartbeat payload of up to 64 KB
while sending only a few bytes, and the server copied the claimed length out of its own heap into the
reply. It is an over-read rather than an overflow: nothing is overwritten, but the same missing bounds
check let attackers leak private keys, session cookies, usernames, and passwords from server memory.
o Shellshock (2014): Shellshock (CVE-2014-6271) was a vulnerability in the Bash shell found in
Unix-based operating systems. Bash executed commands appended after a function definition in an
environment variable, and because web servers pass HTTP request headers to CGI scripts as environment
variables, attackers could execute arbitrary commands remotely. It is not a buffer overflow at all but
an input-handling flaw; it belongs in this list as a reminder that unauthorized code execution does not
require memory corruption.

MALWARE, short for "malicious software," refers to any software specifically designed to disrupt, damage, or
gain unauthorized access to computer systems, networks, or devices. While there are many types of malwares,
three common categories include VIRUSES, TROJAN HORSES, AND WORMS.

• VIRUSES:
o Method of Propagation: Viruses attach themselves to legitimate programs or files and infect other
files when the infected program is executed. They typically spread through infected email
attachments, downloaded files, or compromised software.
o Behavior: Viruses can cause a variety of harmful effects, including corrupting or deleting files,
stealing personal information, or disrupting system operations. Some viruses may also replicate
themselves to spread further within a system or network.
o Examples: Notable viruses include the Melissa virus, which spread via email attachments, and the
ILOVEYOU virus, which caused widespread damage by overwriting files and stealing passwords.

• TROJAN HORSES:
o Method of Infection: Trojan horses disguise themselves as legitimate software or files to trick
users into executing them. Unlike viruses, Trojan horses do not replicate themselves but rely on
social engineering tactics to convince users to install or run them.
o Behavior: Once executed, Trojan horses can perform a variety of malicious actions, such as
stealing sensitive information, providing backdoor access to attackers, or installing other malware
onto the infected system.
o Examples: Common examples of Trojan horses include banking Trojans designed to steal financial
information, remote access Trojans (RATs) used for unauthorized access and control of systems,
and keyloggers that record user keystrokes.

• WORMS:
o Method of Propagation: Worms are standalone malware programs that replicate themselves and
spread independently across networks or systems without requiring user interaction. They exploit
vulnerabilities in network services or software to infect vulnerable devices.
o Behavior: Worms can rapidly spread across interconnected systems, causing network congestion,
system slowdowns, or service disruptions. They may also carry payloads that perform additional
malicious actions, such as data theft or system exploitation.
o Examples: Notable worm examples include the Morris Worm, one of the earliest internet worms
that exploited vulnerabilities in Unix systems, and the Conficker worm, which targeted Windows-
based systems and infected millions of computers worldwide.
