Cyber attacks unfold in stages: reconnaissance, exploitation, and post-exploitation. Attackers gather information, exploit vulnerabilities, and maintain access. Understanding these stages helps organizations better protect their systems and respond to threats effectively.

Network-based attacks use techniques like port scanning, packet sniffing, and man-in-the-middle attacks. Web-based attacks include cross-site scripting, SQL injection, and cross-site request forgery. Wireless attacks target Wi-Fi networks through eavesdropping, rogue access points, and encryption cracking.

Stages of a Cyber Attack

Stages of cyber attacks

  • Reconnaissance involves gathering information about the target system or network
    • Identifies potential vulnerabilities and attack vectors that can be exploited
    • Employs techniques such as open-source intelligence (OSINT), social engineering, and network scanning and enumeration (Nmap, Shodan)
  • Exploitation attempts to gain unauthorized access to the target system by leveraging identified vulnerabilities
    • Executes the attack using methods like exploiting software vulnerabilities (buffer overflows), brute-force attacks (password guessing), and malware deployment (trojans, ransomware)
  • Post-exploitation focuses on maintaining access and control over the compromised system to execute additional malicious activities
    • Actions include privilege escalation (gaining higher-level permissions), data exfiltration (stealing sensitive information), lateral movement within the network (compromising additional systems), and establishing persistence mechanisms (backdoors, rootkits)

Network-based Attacks

Techniques in network-based attacks

  • Port scanning identifies open ports and services running on a target system to gather information for potential vulnerabilities
    • Utilizes tools such as Nmap, Unicornscan, and Angry IP Scanner to scan network ports (TCP, UDP)
  • Packet sniffing intercepts and analyzes network traffic to capture sensitive information such as passwords and confidential data
    • Employs techniques like enabling promiscuous mode on network interfaces, ARP spoofing, and using tools like Wireshark or tcpdump to monitor network communication
  • Man-in-the-middle (MITM) attacks intercept communication between two parties to eavesdrop, modify, or inject data into the communication channel
    • Utilizes methods such as ARP spoofing (poisoning the ARP cache), DNS spoofing (manipulating DNS responses), and SSL stripping (downgrading HTTPS connections to HTTP) to intercept traffic (email, instant messaging)
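Port scanning from the defender's side, as an added example that is not part of the original guide: a small detector that parses constructed firewall log lines (the log format and the threshold of 10 distinct ports in 30 seconds are assumptions) and flags a source that touches many distinct TCP/UDP ports on one host in a short window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample firewall log lines (not from any real system): one source
# probing a dozen TCP/UDP ports on a host within seconds, plus normal traffic.
SAMPLE_LOG = """\
2024-05-01T10:00:00 DROP TCP 203.0.113.7:40001 -> 192.0.2.10:21
2024-05-01T10:00:00 DROP TCP 203.0.113.7:40002 -> 192.0.2.10:22
2024-05-01T10:00:01 DROP TCP 203.0.113.7:40003 -> 192.0.2.10:23
2024-05-01T10:00:01 DROP TCP 203.0.113.7:40004 -> 192.0.2.10:25
2024-05-01T10:00:02 DROP TCP 203.0.113.7:40005 -> 192.0.2.10:80
2024-05-01T10:00:02 DROP TCP 203.0.113.7:40006 -> 192.0.2.10:110
2024-05-01T10:00:03 DROP TCP 203.0.113.7:40007 -> 192.0.2.10:135
2024-05-01T10:00:03 DROP TCP 203.0.113.7:40008 -> 192.0.2.10:139
2024-05-01T10:00:04 DROP TCP 203.0.113.7:40009 -> 192.0.2.10:443
2024-05-01T10:00:04 DROP TCP 203.0.113.7:40010 -> 192.0.2.10:445
2024-05-01T10:00:05 DROP UDP 203.0.113.7:40011 -> 192.0.2.10:53
2024-05-01T10:00:05 DROP UDP 203.0.113.7:40012 -> 192.0.2.10:161
2024-05-01T10:00:10 ALLOW TCP 198.51.100.4:51000 -> 192.0.2.10:443
2024-05-01T10:00:11 ALLOW TCP 198.51.100.4:51001 -> 192.0.2.10:443
2024-05-01T10:00:12 ALLOW TCP 198.51.100.4:51002 -> 192.0.2.10:80
"""

# Assumed log line layout: "<iso timestamp> <ALLOW|DROP> <TCP|UDP> src:port -> dst:port"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DROP) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "action": m["action"],
        "proto": m["proto"],
        "src": m["src"],
        "dst": m["dst"],
        "dport": int(m["dport"]),
    }


def detect_port_scans(log_text, threshold=10, window=timedelta(seconds=30)):
    """Return {(src, dst): max_distinct_ports} for source/destination pairs that
    touched at least `threshold` distinct (protocol, port) pairs inside `window`."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            events[(rec["src"], rec["dst"])].append((rec["ts"], rec["proto"], rec["dport"]))
    hits = {}
    for key, evs in events.items():
        evs.sort()  # chronological order for the sliding window below
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            distinct = {(proto, port) for _, proto, port in evs[start:end + 1]}
            if len(distinct) >= threshold:
                hits[key] = max(hits.get(key, 0), len(distinct))
    return hits


if __name__ == "__main__":
    for (src, dst), count in detect_port_scans(SAMPLE_LOG).items():
        print(f"possible port scan: {src} -> {dst} ({count} distinct ports)")
```

Tune the threshold and window to the environment; a vulnerability scanner or monitoring system will also trip this rule, so allowlist those sources rather than raising the threshold.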

Web-based Attacks

Risks of web-based attacks

  • Cross-site scripting (XSS) injects malicious scripts into web pages viewed by other users to steal sensitive information or perform unauthorized actions
    • Types include reflected XSS (script is part of the request), stored XSS (script is stored on the server), and DOM-based XSS (script is executed in the browser)
  • SQL injection inserts malicious SQL queries into application input fields to manipulate the database and retrieve sensitive information
    • Techniques include union-based (combining results), error-based (triggering database errors), and blind (inferring information based on responses)
  • Cross-site request forgery (CSRF) tricks authenticated users into performing unintended actions by exploiting the trust between a user's browser and a web application
    • Mitigated by implementing anti-CSRF tokens (unique tokens), same-site cookies (restricting cookie access), and verifying the origin of requests (checking referrer headers)
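The three CSRF mitigations listed above, as an added example that is not part of the original guide: a request validator that checks the Origin header (falling back to Referer), compares the submitted anti-CSRF token against the session's token in constant time, and issues the session cookie with SameSite set. The trusted origin `https://app.example.com` and the dict-shaped `headers`/`form` inputs are assumptions, not any particular framework's API.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Assumed deployment origin (constructed value); everything else is rejected
TRUSTED_ORIGINS = {"https://app.example.com"}


def issue_csrf_token():
    """Generate a per-session anti-CSRF token; store it server-side and embed it in forms."""
    return secrets.token_urlsafe(32)


def session_cookie_header(session_id):
    """Set-Cookie value for the session cookie. SameSite=Strict keeps the cookie off
    cross-site requests entirely (Lax would still allow top-level GET navigations);
    Secure and HttpOnly are the usual companions."""
    return f"session={session_id}; Secure; HttpOnly; SameSite=Strict; Path=/"


def request_origin(headers):
    """Origin of the request, derived from Origin or, failing that, Referer."""
    origin = headers.get("Origin")
    if origin:
        return origin
    referer = headers.get("Referer")
    if referer:
        parts = urlsplit(referer)
        if parts.scheme and parts.netloc:
            return f"{parts.scheme}://{parts.netloc}"
    return None


def validate_state_changing_request(headers, form, session_token):
    """Return (ok, reason) for a POST/PUT/DELETE. Both checks must pass."""
    # 1. Origin check: the request must come from a page on our own origin
    if request_origin(headers) not in TRUSTED_ORIGINS:
        return False, "untrusted or missing origin"
    # 2. Token check: the form must carry the token tied to this session;
    #    compare_digest avoids leaking the token through timing differences
    submitted = form.get("csrf_token", "")
    if not session_token or not hmac.compare_digest(submitted.encode(), session_token.encode()):
        return False, "missing or mismatched csrf token"
    return True, "ok"


if __name__ == "__main__":
    token = issue_csrf_token()
    print(session_cookie_header("constructed-session-id"))
    print(validate_state_changing_request({"Origin": "https://app.example.com"},
                                          {"csrf_token": token}, token))
    print(validate_state_changing_request({"Origin": "https://evil.example"},
                                          {"csrf_token": token}, token))
```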

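Union-based SQL injection shown beside its fix, as an added example that is not part of the original guide: the in-memory SQLite schema, rows and payload are constructed for illustration. The vulnerable function splices input into the query text, so a second SELECT with a matching column count rides along; the parameterized version binds the same input as a value and returns nothing.

```python
import sqlite3


def make_db():
    """Constructed in-memory sample database (not from any real application)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, name TEXT, price REAL)")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)",
                     [(1, "widget", 9.99), (2, "gadget", 19.99)])
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "hash-placeholder-1"), (2, "bob", "hash-placeholder-2")])
    return conn


def search_products_vulnerable(conn, name):
    # Vulnerable: user input is concatenated straight into the SQL text,
    # so quotes and keywords in the input are parsed as SQL
    query = f"SELECT name, price FROM products WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def search_products_safe(conn, name):
    # Hardened: parameterized query; the driver binds the input as a value,
    # so it can only ever be compared against the name column
    query = "SELECT name, price FROM products WHERE name = ?"
    return conn.execute(query, (name,)).fetchall()


# Constructed union-based payload: closes the string, appends a SELECT with the
# same number of columns, and comments out the trailing quote
UNION_PAYLOAD = "x' UNION SELECT username, password_hash FROM users --"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", search_products_vulnerable(db, UNION_PAYLOAD))  # leaks users rows
    print("parameterized:", search_products_safe(db, UNION_PAYLOAD))    # []
```
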
Wireless Attacks

Methods of wireless attacks

  • Wi-Fi eavesdropping intercepts and captures wireless network traffic to monitor unencrypted communication or weak encryption
    • Utilizes tools like Wireshark, Kismet, and Aircrack-ng to capture and analyze wireless packets (802.11 frames)
  • Rogue access points involve setting up unauthorized wireless access points to trick users into connecting to the attacker-controlled network
    • Risks include stealing sensitive information (credentials), performing MITM attacks, and distributing malware (infected downloads)
  • WPA/WPA2 cracking attempts to crack the encryption of Wi-Fi Protected Access (WPA/WPA2) by exploiting vulnerabilities or weak passwords
    • Methods include dictionary attacks (using word lists), brute-force attacks (trying all possible combinations), capturing the four-way handshake (authentication process), and using tools like Aircrack-ng or Hashcat to crack the captured handshakes (PSK)
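Rogue access point detection, as an added example that is not part of the original guide: given a constructed list of beacons (as a wireless IDS or site survey would collect them) and an assumed inventory of authorized BSSIDs per managed SSID, it flags an unknown BSSID advertising a managed SSID (an evil twin), a lookalike SSID, and a managed SSID broadcast with weaker security than the inventory expects. All SSIDs and MAC addresses are constructed values.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Beacon:
    ssid: str
    bssid: str      # access point MAC address
    channel: int
    security: str   # e.g. "WPA2-PSK", "OPEN"


# Assumed inventory (constructed): managed SSID -> (expected security, authorized BSSIDs)
AUTHORIZED = {
    "CorpWiFi": ("WPA2-PSK", {"00:11:22:33:44:01", "00:11:22:33:44:02"}),
}

# Constructed scan results, not from any real survey
SCAN = [
    Beacon("CorpWiFi", "00:11:22:33:44:01", 6, "WPA2-PSK"),
    Beacon("CorpWiFi", "00:11:22:33:44:02", 11, "WPA2-PSK"),
    Beacon("CorpWiFi", "de:ad:be:ef:00:01", 1, "OPEN"),        # evil twin: same SSID, unknown BSSID
    Beacon("CorpWiFi-Guest", "00:11:22:33:44:03", 1, "OPEN"),  # lookalike SSID not in inventory
    Beacon("CorpWiFi", "00:11:22:33:44:02", 11, "OPEN"),       # known BSSID, but security downgraded
    Beacon("HomeNet", "aa:bb:cc:dd:ee:ff", 3, "WPA2-PSK"),     # neighbour, not impersonating anything
]


def find_rogue_aps(scan, authorized):
    """Return a list of (beacon, reason) for beacons that look like rogue APs."""
    managed = {ssid.lower(): ssid for ssid in authorized}
    findings = []
    for b in scan:
        ssid_l = b.ssid.lower()
        if ssid_l in managed:
            expected_sec, bssids = authorized[managed[ssid_l]]
            if b.bssid.lower() not in {m.lower() for m in bssids}:
                findings.append((b, "unauthorized BSSID advertising managed SSID"))
            elif b.security != expected_sec:
                findings.append((b, f"managed SSID seen with {b.security}, expected {expected_sec}"))
        elif any(ssid_l.startswith(m + sep) for m in managed for sep in ("-", "_", " ")):
            findings.append((b, "lookalike SSID"))
    return findings


if __name__ == "__main__":
    for beacon, reason in find_rogue_aps(SCAN, AUTHORIZED):
        print(f"{beacon.ssid} {beacon.bssid} ch{beacon.channel} {beacon.security}: {reason}")
```

A spoofed BSSID copying an authorized one will pass this inventory check, so wireless IDS deployments also compare channel, signal strength and beacon timing against the known APs.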

Key Terms to Review (45)

Aircrack-ng suite: The aircrack-ng suite is a collection of tools designed for assessing the security of wireless networks. It primarily focuses on different aspects of Wi-Fi security, including monitoring, attacking, testing, and cracking WEP and WPA/WPA2 encryption keys. By leveraging various attack vectors and techniques, it allows users to exploit vulnerabilities in wireless networks and understand the weaknesses that may be present.
ARP spoofing: ARP spoofing is a type of cyber attack that involves sending false Address Resolution Protocol (ARP) messages over a local area network. By doing this, an attacker associates their MAC address with the IP address of another device on the network, allowing them to intercept, modify, or redirect traffic intended for that device. This technique exploits the way ARP operates, where devices trust incoming ARP messages without authentication, making it a powerful tool in various attack vectors.
Backdoors: Backdoors are hidden methods of bypassing normal authentication or encryption in a system, allowing unauthorized access to data or functions. They are often exploited by attackers to maintain access to a compromised system without detection. Backdoors can be intentionally created by developers for troubleshooting purposes or maliciously introduced by cybercriminals to execute commands, steal information, or manipulate systems undetected.
Blind SQL injection: Blind SQL injection is a type of attack where an attacker manipulates a web application's database queries without being able to see the direct output of the query results. Instead of receiving visible data from the database, the attacker deduces information based on the application's behavior, such as response times or error messages. This technique is crucial in understanding attack vectors because it demonstrates how attackers can exploit vulnerabilities in applications even when they don't have full access to the data being queried.
Buffer Overflow: A buffer overflow occurs when a program writes more data to a block of memory, or buffer, than it can hold, causing data to overflow into adjacent memory. This vulnerability can be exploited by attackers to overwrite critical data, execute arbitrary code, or crash the system. Understanding buffer overflow is crucial for recognizing potential attack vectors and implementing secure software practices throughout the software development lifecycle.
Cross-site request forgery: Cross-site request forgery (CSRF) is a type of security vulnerability that allows an attacker to trick a victim into submitting unauthorized requests to a web application on which the victim is authenticated. This can lead to unwanted actions being performed without the user's consent, such as changing account settings or initiating transactions. It exploits the trust that a web application has in the user's browser, making it a serious concern when evaluating attack vectors and techniques.
Cross-Site Scripting: Cross-site scripting (XSS) is a security vulnerability that allows an attacker to inject malicious scripts into webpages viewed by other users. This type of attack exploits the trust a user has in a website, enabling the attacker to manipulate client-side scripts and execute harmful actions without the user's consent. It is crucial to understand XSS as it falls under various attack vectors and techniques while also being an essential consideration in the secure software development lifecycle.
CSRF: Cross-Site Request Forgery (CSRF) is a type of attack that tricks a user into executing unwanted actions on a different website where they are authenticated. This type of vulnerability exploits the trust that a web application has in the user's browser, allowing an attacker to send unauthorized commands on behalf of the user. CSRF attacks can lead to significant damage, such as unauthorized fund transfers or changes to user account settings, and they highlight the need for robust security measures in web applications.
Data exfiltration: Data exfiltration is the unauthorized transfer of data from a computer or network, often with malicious intent. This can involve sensitive information such as personal identification, financial records, or proprietary company data being extracted by cybercriminals. Understanding data exfiltration is crucial as it highlights the risks associated with various types of cyber threats and the attack vectors used to exploit vulnerabilities in systems.
Dictionary Attacks: A dictionary attack is a method used by attackers to gain unauthorized access to a system by systematically entering every word from a predefined list or dictionary as potential passwords. This technique exploits the tendency of users to choose common words, phrases, or predictable combinations as their passwords, making it easier for attackers to guess correctly. Dictionary attacks are a type of brute-force attack but are more efficient as they use a curated list of likely passwords instead of random combinations.
DNS spoofing: DNS spoofing is a cyber attack where false DNS (Domain Name System) responses are sent to redirect users from legitimate websites to malicious ones. By manipulating the DNS resolution process, attackers can compromise the integrity of user traffic and potentially steal sensitive information or install malware on victim devices.
DOM-based XSS: DOM-based XSS is a type of cross-site scripting vulnerability that occurs when the client-side scripts of a web application modify the DOM without proper validation or sanitization. This vulnerability allows attackers to inject malicious scripts into a webpage that execute in the user's browser, leading to unauthorized actions or data theft. Unlike traditional XSS, which typically involves server-side processing, DOM-based XSS exploits vulnerabilities in client-side code, making it particularly tricky to detect and mitigate.
Error-based SQL injection: Error-based SQL injection is a technique used by attackers to exploit vulnerabilities in an application's database layer by intentionally causing errors. This method allows them to gain insight into the structure of the database and extract sensitive information, like table names and column data, through error messages generated by the database server. By analyzing these error messages, an attacker can craft further queries to manipulate the database or access unauthorized data.
Exploitation: Exploitation refers to the act of taking advantage of vulnerabilities in a system, application, or network to gain unauthorized access or control. This term is central to understanding how attackers leverage weaknesses through various techniques, which can range from social engineering to technical methods, ultimately compromising the integrity and security of systems.
Kismet: Kismet is a wireless networking tool used primarily for wireless network monitoring and penetration testing. It enables users to discover networks, capture packets, and analyze data, making it a significant tool in the realm of cybersecurity, especially when dealing with wireless communications. Understanding Kismet is essential for grasping various attack vectors and techniques used by malicious actors as well as for implementing effective wireless network security measures.
Lateral Movement: Lateral movement refers to the techniques that cyber attackers use to spread within a network after gaining initial access. This movement allows them to navigate from one compromised device or system to another in order to gather information, maintain access, or escalate privileges. By exploiting vulnerabilities in business systems, attackers can traverse a network stealthily, making it crucial for organizations to recognize the signs and implement robust defenses.
Man-in-the-middle attack: A man-in-the-middle attack is a cybersecurity breach where an attacker secretly intercepts and relays communication between two parties who believe they are directly communicating with each other. This type of attack can lead to data theft, eavesdropping, and manipulation of information, making it essential to understand its implications in various digital interactions, including those involving mobile applications and broader attack techniques.
Network scanning: Network scanning is the process of systematically identifying active devices on a network, along with their IP addresses and open ports, to understand network topology and security vulnerabilities. This technique is vital for assessing potential attack vectors and understanding the overall security posture of a network. By uncovering devices and their configurations, it helps inform the design of defensive measures against potential intrusions.
Nmap: Nmap, or Network Mapper, is a powerful open-source tool used for network discovery and security auditing. It enables users to scan networks and identify hosts, services, operating systems, and open ports, making it an essential tool for understanding attack vectors and techniques used by cybercriminals. By providing detailed information about the network environment, Nmap helps security professionals assess vulnerabilities and implement necessary protections.
Open-source intelligence: Open-source intelligence (OSINT) is the process of collecting, analyzing, and utilizing publicly available information from various sources to support decision-making and enhance security. This type of intelligence is crucial for identifying potential threats and understanding adversaries, as it allows organizations to gather insights without requiring covert methods. It involves sifting through diverse materials such as social media, news articles, government reports, and other accessible data to compile actionable information.
Packet Sniffing: Packet sniffing is the process of capturing and analyzing data packets that travel over a network. This technique can be used for legitimate network management and monitoring, but it can also be exploited by attackers to intercept sensitive information such as passwords, credit card numbers, and other personal data. Understanding packet sniffing is essential for recognizing potential vulnerabilities within a network and protecting against unauthorized access.
Persistence Mechanisms: Persistence mechanisms are techniques used by attackers to maintain access to a compromised system even after initial exploitation has been detected and mitigated. These methods enable adversaries to survive system reboots, updates, and other security measures, making them a crucial part of an attacker's toolkit. By leveraging various persistence techniques, attackers can ensure that they can return to the system at will and continue their malicious activities without raising alarms.
Port Scanning: Port scanning is a technique used to identify open ports and services on a networked device, allowing an attacker or administrator to discover potential vulnerabilities. By sending packets to specific ports and analyzing the responses, it can reveal which services are running, their state, and help in assessing the security posture of a system. This technique is often employed as a preliminary step in exploiting network vulnerabilities.
Post-Exploitation: Post-exploitation refers to the phase that occurs after an attacker has successfully breached a system or network and gained access. This stage focuses on maintaining access, gathering sensitive information, and moving laterally within the environment to achieve further objectives, often involving data exfiltration or persistence mechanisms. Understanding post-exploitation is crucial for identifying how attackers can exploit vulnerabilities and cause significant harm to organizations.
Privilege Escalation: Privilege escalation is a type of security vulnerability that allows an attacker to gain elevated access to resources that are normally protected from a user. This means they can access and manipulate data or execute commands that they shouldn't be able to. It’s crucial to understand this concept because it often takes advantage of weaknesses in business systems, can be executed through various attack vectors, and highlights the importance of proper authorization measures based on the least privilege principle.
Promiscuous Mode: Promiscuous mode is a network interface configuration that allows a network device to intercept and read all packets transmitted over the network segment, regardless of the intended recipient. This capability is essential for network analysis and security monitoring, as it enables the collection of data that can reveal malicious activities or vulnerabilities in the network.
Ransomware: Ransomware is a type of malicious software that encrypts a victim's files or locks them out of their systems, demanding a ransom payment in exchange for the decryption key or restoration of access. This threat highlights the critical need for robust cybersecurity measures as businesses increasingly rely on digital systems and data.
Reconnaissance: Reconnaissance is the initial phase of information gathering during the process of a cyber attack, where an attacker collects data about a target system, network, or organization to identify vulnerabilities and weaknesses. This phase is critical as it sets the stage for subsequent attacks by providing valuable insights into potential entry points and targets. Effective reconnaissance can significantly increase the chances of a successful attack by allowing attackers to plan their strategies based on the gathered information.
Reflected XSS: Reflected XSS (Cross-Site Scripting) is a type of web vulnerability that occurs when an attacker injects malicious scripts into a webpage, and the server reflects this input back to the user's browser without proper validation or sanitization. This form of attack typically exploits web applications that return user input in their responses, enabling attackers to execute scripts in the context of the victim's browser, leading to potential data theft or session hijacking.
Rogue Access Points: Rogue access points are unauthorized wireless access points that are installed on a network without the knowledge or consent of the network administrator. They can be a significant security threat as they allow attackers to bypass security measures, intercept sensitive data, and gain unauthorized access to network resources. These devices can often masquerade as legitimate access points, tricking users into connecting to them and exposing their information.
Rootkits: Rootkits are a type of malicious software designed to enable continued privileged access to a computer while actively hiding their presence. They can alter system functionality, allowing attackers to execute commands, modify files, and install additional malware without detection. Rootkits are particularly dangerous because they can be installed at various levels of a system, making them difficult to detect and remove.
Same-Site Cookies: Same-site cookies are a type of HTTP cookie that restricts how cookies are sent with cross-site requests, enhancing security by preventing certain types of attacks, such as Cross-Site Request Forgery (CSRF). By setting the SameSite attribute in a cookie's properties, web developers can control whether a cookie should be sent along with requests initiated by third-party websites. This feature is crucial for maintaining user session security and privacy.
Shodan: Shodan is a search engine designed specifically for discovering internet-connected devices, such as webcams, servers, routers, and other IoT devices. It collects information about these devices from their publicly available metadata, allowing users to see what devices are online, their configurations, and potential vulnerabilities. This capability makes Shodan a powerful tool for understanding the landscape of connected devices and identifying potential attack vectors in cybersecurity.
Social Engineering: Social engineering is the psychological manipulation of individuals to perform actions or divulge confidential information, often used to breach security systems. This technique exploits human psychology rather than relying on technical hacking methods, making it a critical concern in modern cybersecurity strategies. Understanding social engineering is vital because it highlights vulnerabilities in human behavior that can lead to significant breaches, affecting organizations' security and trust.
SQL Injection: SQL injection is a type of cyber attack that allows an attacker to interfere with the queries that an application makes to its database. By injecting malicious SQL code into input fields, attackers can manipulate the database to retrieve, modify, or delete sensitive information. This kind of attack highlights vulnerabilities in web applications and their reliance on user input without proper validation and sanitization.
SSL Stripping: SSL stripping is a man-in-the-middle attack that downgrades a user's secure HTTPS connection to an unencrypted HTTP connection without their knowledge. This attack takes advantage of the fact that many users do not notice the difference between HTTP and HTTPS, allowing an attacker to intercept and manipulate the data transmitted between the user and the intended website. SSL stripping effectively compromises the integrity of data by making it accessible to unauthorized parties, highlighting the importance of secure communication protocols.
Stored XSS: Stored XSS, or Stored Cross-Site Scripting, is a web security vulnerability that allows an attacker to inject malicious scripts into content that is permanently stored on the target server, such as a database. When users access this compromised content, the injected scripts execute in their browsers without their consent. This type of attack is particularly dangerous because it can affect multiple users and persist over time, making it a significant risk in web applications.
TCP: TCP, or Transmission Control Protocol, is a core protocol of the Internet Protocol Suite that ensures reliable and ordered delivery of data between applications running on hosts communicating over an IP network. It establishes a connection between sender and receiver, handles error recovery, and guarantees that data is delivered in the correct sequence, making it essential for various internet applications such as web browsing and email.
Tcpdump: Tcpdump is a powerful command-line packet analyzer tool used to capture and display the packets being transmitted or received over a network. This tool is essential for network troubleshooting and analysis as it allows users to see the details of the data packets, including their headers and payloads. By analyzing the captured packets, network security professionals can identify suspicious activities and attack vectors, making tcpdump crucial in understanding network traffic and potential vulnerabilities.
Trojans: Trojans are a type of malicious software that disguise themselves as legitimate applications or files to trick users into installing them. They can perform a variety of harmful actions, such as stealing sensitive information, creating backdoors for further attacks, or enabling remote control by attackers. Understanding Trojans is crucial in recognizing the different forms of cyber threats and the techniques used to exploit vulnerabilities in systems.
UDP: UDP, or User Datagram Protocol, is a communication protocol used on the internet that allows data to be sent without establishing a connection. This makes UDP faster than TCP because it doesn’t require the overhead of connection management, but it also means that data can be lost or arrive out of order. In the context of attack vectors and techniques, UDP is often exploited for various types of attacks, including amplification and flooding, which can overwhelm targeted systems.
Union-based SQL Injection: Union-based SQL injection is a technique used by attackers to exploit vulnerabilities in web applications that interact with databases. By injecting malicious SQL code into an application's input fields, attackers can manipulate the database to return data from multiple tables, allowing them to access sensitive information. This method relies on the use of the SQL UNION operator, which combines the results of two or more SELECT queries into a single result set.
Wireshark: Wireshark is a widely used open-source network protocol analyzer that allows users to capture and inspect data packets traveling across a network in real-time. It provides detailed visibility into the various protocols being used and is an essential tool for troubleshooting network issues, analyzing traffic patterns, and identifying potential security threats.
WPA/WPA2 Cracking: WPA/WPA2 cracking refers to the process of exploiting vulnerabilities in the Wi-Fi Protected Access (WPA) and Wi-Fi Protected Access II (WPA2) security protocols to gain unauthorized access to a wireless network. These protocols are designed to secure wireless communications, but weaknesses can be targeted using various techniques, making it essential for users and network administrators to understand the risks and mitigation strategies.
XSS: Cross-Site Scripting (XSS) is a type of security vulnerability that allows attackers to inject malicious scripts into web pages viewed by users. This vulnerability often arises when web applications do not properly validate or encode user input, enabling an attacker to manipulate the content that is delivered to other users. XSS can lead to various harmful outcomes such as session hijacking, defacement, and distribution of malware.
© 2024 Fiveable Inc. All rights reserved.