CompTIA Security+: Application/Service Attacks

This blog post is a continuation of the CompTIA Security+ “Attacks” chapter.  Earlier in the chapter, we covered social engineering attacks.  Next up is application/service attacks, which is a little bit closer to public image of hacking.  Some shadowy figure hunched over a keyboard, exploiting weird technical vulnerabilities… of course.  Get your hoodies on, folks.

Later on in this chapter, wireless attacks and cryptographic attacks are covered.  I’ll put those in a separate blog post, as there’s plenty to cover here.

This portion of the chapter has a LOT of topics.  As with the malware section, it’s broad but shallow.

This is a continuation of my blog post series on the CompTIA Security+ exam, where I share my studying and connect it to real-world events.

Application/Service Attacks

This portion begins with a brief history lesson.  In the beginning, most attacks where against the network and operating system levels.  This, the book says, is where the low-hanging fruit was.  Now that these levels have started to get their shit together, hackers have turned to the application level.  The application level offers a “less homogenous target” but with lots of vulnerabilities.  As software continues to eat the world, opportunities will undoubtedly continue for attackers.

The book then jumps head first into a long list of attack types.  Let’s get going…

DoS

Denial-of-service (DoS) is just what it sounds like.  Attackers exploit some vulnerability to deny authorized users access to specific functionality, or to an entire system.  Sometimes this is an end in itself (a website is unavailable, for example).  Sometimes this is a cover for other malicious activity, which we’ll see later.

DoS attacks are done by exploiting a vulnerability in a specific application, operating system, or protocol.  One such example is SYN flooding, where an attacker abuses the TCP three-way handshake.  The attacker pretends to be someone else, sends a SYN packet, and the target machine responds to the non-existent address. Of course, this eventually times out. But, if you do it enough times, valid handshake requests will be ignored. Another example is a ping of death”  This is where a malformed ping packet causes issues or crashes in the target system.  Much like social engineering attacks, these vulnerabilities stem from unverified trust in others.

DDoS

You’ve seen DoS, now get ready for distributed denial-of-service attacks.  If one attacking system is not enough, you can assemble multiple systems to work together.  This often leverages malware or botnets, and can take down big targets.

Sysadmins can protect themselves by applying patches and updates as soon as they’re available, changing time-out settings for TCP connections, distributing workload, and blocking ICMP packets at the network border.  However, just about any network can be successfully attacked.

Right now, students are being accused of DDoSing university networks in the UK.  There’s reportedly a 40% increase in DDoS attacks over 2017, including attacks on political candidates.

Man-in-the-Middle

Man-in-the-middle, or MitM attacks, are a class of attacks.  They occur when an attacker places himself (or herself) between two hosts that are communicating.  This allows the attacker to observe all traffic, including modifying or blocking traffic.  The attacker then forwards the traffic to the intended recipient, and they are none the wiser.

One way MitM attacks can happen is through session hijacking. This is where an attacker steals a cookie and uses it to (falsely) authenticate themselves. Here’s a recent news story about a Bluetooth MitM attack. It was possible because there was apparently no authentication implemented.  Oops.

Buffer Overflow

According to CERT, over half of all exploits have come from some kind of buffer overflow. A buffer overflow is where an input buffer is overwritten with more data than that buffer can hold. As a result, the user input spills into other parts of memory. This allows attackers to crash the program, or overwrite values. Even worse, buffer overflows typically inherit the privilege level of the program. The book lists poor programming practice and programming language weaknesses as causes.

Just this week, there have been news stories about buffer overflow vulnerabilities in Atlantis Word Processor, Microsoft Jet Database Engine, and NUUO CCTV cameras.

Injection

There’s several forms of injection, which the book doesn’t really get into.  Instead, it briefly talks about SQL injection, XML and LDAP injection, and command line injection.  Like the buffer overflow attack, injection vulnerabilities are the result of poor or no input validation.  Injection means that an attacker can provide input that is interpreted/executed by an application to malicious ends.

About a year ago, CMS Joomla was in the news for a LDAP injection vulnerability.  And just today, there was a news story about how a Canadian ISP’s website has a SQL injection vulnerability that revealed all of its users.

Cross-Site Scripting

More user input validation, or lack thereof.  Cross-site scripting (XSS) is where an attacker can include a script in their input.  The injected script might be immediately executed by the backend but not persisted, making it a non-persistent XSS attack.  It could be stored on the backend and then used against others later (making it a persistent attack).  Or it could be executed in the browser, making it a DOM-based attack.

Despite being a solved problem (libraries exist to sanitize inputs), news stories still abound.  Earlier this summer, Signal’s desktop app was found to have an XSS vulnerability.  Last month, it was British Airways and NewEgg.  And even more recently, dynamic web ads.

Cross-Site Request Forgery

Cross-site request forgery (XSRF or CSRF) is “an attack that forces an end-user to execute unwanted actions on a web application in which they’re currently authenticated.”  If a user logs into a website, the browser receives a cookie.  This cookie is then used for subsequent requests to prove that the user is still logged in.  However, this can be abused by bad actors by sending a request from another source (with that cookie).

These attacks can be prevented or limited by including XSRF tokens to make certain actions a one-time event.  Cookie values can be set to limit usage as well.

Recent CSRF vulnerabilities include Western Digital, Asda and phpMyAdmin.

Privilege Escalation

From CSRF attacks, we take a completely different turn into privilege escalation.  Privilege escalation refers to starting an ordinary privilege level and working your way up to root or admin level.  This can be done by stealing credentials (possibly left in plaintext somewhere).  This can also be done in conjunction with other attacks on processes running with elevated privileges.

RedHat and CentOS are in the news for a privilege escalation vulnerability.  Likewise, so are VPN services ProtonVPN and NordVPN.

ARP Poisoning

ARP, or Address Resolution Protocol, helps translate between IP addresses and MAC addresses of devices.  The answer to a “who owns [address]?  please identify yourself” question is stored in an ARP lookup table.  Unfortunately, this protocol doesn’t include verification of the responses.  So, an attacker can (quickly) provide fake data in response.  This is called ARP poisoning, and results in malicious address misdirection.

Apparently the airport in San Diego has “risky wifi”.  Reporters found an ARP poisoning attack happening there.

Amplification

Amplification is another section kind of randomly stuffed in here.  It refers to using a protocol in such a way that the result is amplified.  An example of this would be using ping to get all devices on a network to respond to a forged address.  By using the protocol in this way, an attacker can generate more traffic/etc than they could do with a single machine.

DNS Poisoning and Spoofing

The DNS system converts domain names to IP addresses, because it’s easier for humans to remember domain addresses.  The DNS system is not a set of authoritative servers.  Instead, there’s a hierarchy which stores data in its cache, and looks “upstream” to update information.  See this post for more info.

DNS poisoning or spoofing is where you (similar to ARP poisoning) change a DNS record.  This results in wrongly diverted traffic.  There’s a task force called DNSSEC working on authentication with DNS records.

There have been recent DNS poisoning attacks on MyEtherWallet and WikiLeaks.

Domain Hijacking

Domain hijacking is the (unauthorized) act of changing a domain name’s registration.

Man-in-the-Browser

Man-in-the-browser (MitB) is kind of like man-in-the-middle (MitM).  MitB attacks involve malware that change browser behavior through helpers or extensions.  One such example is Kronos variant “Osiris”.

Zero Days

We continue our whirlwind tour of ALL the attack types by skipping to zero days… as a concept. A zero day is a vulnerability for which there’s no previous knowledge, aside from the hacker or vendor.

Hackers can sell this information through bug bounty programs or the dark web.   Just because a zero day is now made public doesn’t mean that it isn’t dangerous.  A Windows Task Scheduler zero day is still causing problems weeks later.  Apple MacOS and Tor also find themselves in the news for zero day vulns.

someone pls send me a gif of him saying “I was Zero Cool.

Replay

Replay attacks occur when an attacker captures some communication between two parties, and then re-transmits it later.  This might get them authenticated, or repeat a transaction.  Encryption and timestamps (expiration) can help prevent these attacks.  Replay attacks are an entire class of attacks, but the book only dedicates two paragraphs.  Tesla and other car manufacturers have been in the news for replay attacks with key fobs.

Pass the Hash

Yes, the CompTIA+ book really does have a section heading called “pass the hash.”  Websites do (or should) use hashed passwords and not passwords in plaintext.  If a hacker can capture the hashed value, they might be able to use that to authenticate without ever knowing the password.

We’re going to take another turn and go into a group of hijacking-related attacks.  Yes, we mentioned hijacking previously.  We’re going to do it again now.

Clickjacking

Clickjacking is where elements on the website result in a the user clicking something they didn’t want to.  This might be a translucent overlay, for example.  A real-life example is this poor fellow who was subscribed to a service through a clickjacking attack, and then had to make a ton of phone calls to fix it all.

Session Hijacking

Also called TCP/IP hijacking.  This is where an attacker takes over an existing session between a client and server.  Since the user (likely) already authenticated, the attacker can carry on with full privileges once the attack is complete.  They might also use a DoS attack against the original client to keep them occupied.

Apparently, anti-virus company Kaspersky was in the news this spring for session hijacking issues.  More recently, so was Google Chrome.

URL Hijacking and Typo Squatting

URL hijacking is a class of attacks that tamper with or alter a URL.  This could include typo squatting, or tricking the user into thinking they’re clicking the correct URL.  This could also involve malware.

Typo squatting is where attackers capitalize on common typos.  This has been especially relevant lately, as political candidates deal with typo squatting attacks.  (Or, they can buy up potential typo-squatting domain names to prevent future issues).

Driver Manipulation

Drivers are software programs that interface between the operating system and peripherals.  Driver manipulation, then, is an attack by changing drivers (and thus, driver behavior).

One such way of doing this is by shimming.  Shimming refers to putting another layer of code between the driver and OS.  This can be a way for developers to abstract functionality and make future improvements easier.  It can also open the door to malicious behavior.

Drivers can also be refactored.  Refactoring is another legitimate software development process.  It means to restructure existing code without changing the overall behavior (so the OS and user won’t notice a difference).  Attackers could also refactor driver code to add malicious features while maintaining the original functionality.

Spoofing

Spoofing refers to making something look like it has come from a different source.  This usually means impersonating a well-known, reputable or authenticated source.  The book notes:  “when [network] protocols were developed, it was assumed that individuals who had access to the network layer would be privileged users who could be trusted.”

MAC Spoofing

MAC spoofing refers to changing a MAC address to bypass security checks that are looking for a specific MAC address.  A few years ago, MAC address spoofing (or rather, randomization) was used as evidence against activist Aaron Swartz.  Now, it’s an Apple privacy feature.

IP Address Spoofing

As mentioned previously, you can fill in the “from” field when sending IP packets.  This can, of course, lead to some problems.

Smurf Attack

If an attacker sends a spoofed packet to the broadcast address on a network, that packet will be distributed to everyone on the network.  Typically, this means that other devices will send an echo reply to this echo request.  The (forged) sender of the original echo request packet now gets a ton of responses.  This is called a smurf attack.

Spoofing and Trusted Relationships

You can spoof a packet from a system to another system that already trusts that source.  This has some obvious advantages.  It also has some obvious mitigations–set your firewall to disallow packets from outside the network masquerading as packets from inside the network, etc.

Spoofing and Sequence Numbers

The TCP three-way handshake generates two sequence numbers.  These numbers are needed for future communication.  So, if you’re outside the network, it’s harder to see (and thus spoof) packet sequence numbers.  For more info on the handshake, here’s a blog post.