Cyber attacks unfold in stages: reconnaissance, exploitation, and post-exploitation. Attackers gather information, exploit vulnerabilities, and then work to maintain access. Understanding these stages helps organizations better protect their systems and respond to threats effectively.
Network-based attacks use techniques like port scanning, packet sniffing, and man-in-the-middle attacks. Web-based attacks include cross-site scripting, SQL injection, and cross-site request forgery. Wireless attacks target Wi-Fi networks through eavesdropping, rogue access points, and encryption cracking.
Stages of a Cyber Attack
Stages of cyber attacks
- Reconnaissance involves gathering information about the target system or network
  - Identifies potential vulnerabilities and attack vectors that can be exploited
  - Employs techniques such as open-source intelligence (OSINT), social engineering, and network scanning and enumeration (Nmap, Shodan)
- Exploitation attempts to gain unauthorized access to the target system by leveraging identified vulnerabilities
  - Executes the attack using methods like exploiting software vulnerabilities (buffer overflow), brute-force attacks (password guessing), and malware deployment (ransomware, trojans)
- Post-exploitation focuses on maintaining access and control over the compromised system to execute additional malicious activities
  - Actions include privilege escalation (gaining higher-level permissions), data exfiltration (stealing sensitive information), lateral movement within the network (compromising additional systems), and establishing persistence mechanisms (backdoors, rootkits)
Network-based Attacks
Techniques in network-based attacks
- Port scanning identifies open ports and services running on a target system to gather information for potential vulnerabilities
  - Utilizes tools such as Nmap, Unicornscan, and Angry IP Scanner to scan network ports (TCP, UDP)
- Packet sniffing intercepts and analyzes network traffic to capture sensitive information such as passwords and confidential data
  - Employs techniques like enabling promiscuous mode on network interfaces, ARP spoofing, and using tools like Wireshark or tcpdump to monitor network communication
- Man-in-the-middle (MITM) attacks intercept communication between two parties to eavesdrop, modify, or inject data into the communication channel
  - Utilizes methods such as ARP spoofing (poisoning the ARP cache), DNS spoofing (manipulating DNS responses), and SSL stripping (downgrading HTTPS connections to HTTP) to intercept traffic (email, instant messaging)
Web-based Attacks
Risks of web-based attacks
- Cross-site scripting (XSS) injects malicious scripts into web pages viewed by other users to steal sensitive information or perform unauthorized actions
  - Types include reflected XSS (script is part of the request), stored XSS (script is stored on the server), and DOM-based XSS (script is executed in the browser)
- SQL injection inserts malicious SQL queries into application input fields to manipulate the database and retrieve sensitive information
  - Techniques include union-based SQL injection (combining results), error-based SQL injection (triggering database errors), and blind SQL injection (inferring information based on responses)
- Cross-site request forgery (CSRF) tricks authenticated users into performing unintended actions by exploiting the trust between a user's browser and a web application
  - Mitigated by implementing anti-CSRF tokens (unique per-session tokens), SameSite cookies (restricting when the browser sends the session cookie), and verifying the origin of requests (checking the Origin or Referer header)
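The three CSRF mitigations listed above, combined into one server-side check, as an added example that is not part of the original notes. The server secret, allowed origin, header names and form field name are assumptions for this example; the token is an HMAC bound to the session identifier so the server stores no per-token state.

```python
import hmac
import hashlib
from urllib.parse import urlsplit

# Constructed values for this example; a real deployment loads the secret
# from configuration and derives the allowed origin from its own hostname.
SERVER_SECRET = b"example-secret-rotate-in-production"
ALLOWED_ORIGIN = "https://app.example"


def issue_csrf_token(session_id: str) -> str:
    """Anti-CSRF token bound to one session: HMAC-SHA256 over the session id.
    Without SERVER_SECRET an attacker cannot forge it, and a token issued for
    one session fails verification for every other session."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def verify_csrf_token(session_id: str, submitted: str) -> bool:
    """Constant-time comparison so timing does not leak the expected token."""
    expected = issue_csrf_token(session_id).encode()
    return hmac.compare_digest(expected, submitted.encode())


def origin_is_allowed(headers: dict) -> bool:
    """Origin check: prefer the Origin header, fall back to Referer, and
    reject the request outright when neither is present."""
    h = {k.lower(): v for k, v in headers.items()}
    origin = h.get("origin")
    if origin is None:
        referer = h.get("referer")
        if referer is None:
            return False
        parts = urlsplit(referer)
        origin = f"{parts.scheme}://{parts.netloc}"
    return origin == ALLOWED_ORIGIN


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie value with SameSite=Strict, so the browser withholds the
    session cookie on any request initiated from another site."""
    return f"session={session_id}; Secure; HttpOnly; SameSite=Strict"


def accept_state_change(session_id: str, headers: dict, form: dict) -> bool:
    """What a state-changing handler runs before acting: origin first, then token."""
    if not origin_is_allowed(headers):
        return False
    return verify_csrf_token(session_id, form.get("csrf_token", ""))
```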
Wireless Attacks
Methods of wireless attacks
- Wi-Fi eavesdropping intercepts and captures wireless network traffic to monitor unencrypted or weakly encrypted communication
  - Utilizes tools like Wireshark, Kismet, and the Aircrack-ng suite to capture and analyze wireless packets (802.11 frames)
- Rogue access points involve setting up unauthorized wireless access points to trick users into connecting to the attacker-controlled network
  - Risks include stealing sensitive information (credentials), performing MITM attacks, and distributing malware (infected downloads)
- WPA/WPA2 cracking attempts to break the encryption of Wi-Fi Protected Access (WPA/WPA2) by exploiting vulnerabilities or weak passwords
  - Methods include dictionary attacks (using word lists), brute-force attacks (trying all possible combinations), capturing the four-way handshake (authentication process), and using tools like Aircrack-ng or Hashcat to crack the captured handshakes (PSK)